From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:22:12 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:22:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687508.1071063 (Exim 4.92) (envelope-from ) id 1rfuPL-0003i6-61; Fri, 01 Mar 2024 04:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687508.1071063; Fri, 01 Mar 2024 04:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPL-0003hz-3V; Fri, 01 Mar 2024 04:22:03 +0000 Received: by outflank-mailman (input) for mailman id 687508; Fri, 01 Mar 2024 04:22:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPJ-0003ht-PV for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPJ-0001HV-OL for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuPJ-0004wV-NM for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Uw/rO8sByctsL0fbfFp+pTC8j93Ju1Gnvf67iudR10I=; b=dDdxnVcmXEVEpLobSLDlX5Lk8U rq9h3OGFY5046Ub5kliYCUeRe0iQaDnEYOwTi3LoCGdFtAXKwoPrZ6I9EMaXD5iZ0BRxkrBzOHmIk YNm68qBJwkqzGCay7QbaerxEaXtXgXZqqcvLCCm9DzJeDG1VtXc5pM6DlD7ujHdXTfa4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/livepatch: register livepatch regions when loaded Message-Id: Date: Fri, 01 Mar 2024 04:22:01 +0000 commit a57b4074ab39bee78b6c116277f0a9963bd8e687 Author: Roger Pau Monné AuthorDate: Tue Feb 27 12:25:24 2024 +0100 Commit: Andrew Cooper CommitDate: Wed Feb 28 16:57:25 2024 +0000 xen/livepatch: register livepatch regions when loaded Currently livepatch regions are registered as virtual regions only after the livepatch has been applied. This can lead to issues when using the pre-apply or post-revert hooks, as at that point the livepatch is not in the virtual regions list. If a livepatch pre-apply hook contains a WARN() it would trigger an hypervisor crash, as the code to handle the bug frame won't be able to find the instruction pointer that triggered the #UD in any of the registered virtual regions, and hence crash. Fix this by adding the livepatch payloads as virtual regions as soon as loaded, and only remove them once the payload is unloaded. This requires some changes to the virtual regions code, as the removal of the virtual regions is no longer done in stop machine context, and hence an RCU barrier is added in order to make sure there are no users of the virtual region after it's been removed from the list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/common/livepatch.c | 4 ++-- xen/common/virtual_region.c | 44 +++++++++++++++++--------------------------- 2 files changed, 19 insertions(+), 29 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 2c4b843827..d7f50e1018 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1071,6 +1071,7 @@ static int build_symbol_table(struct payload *payload, static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); + unregister_virtual_region(&data->region); list_del(&data->list); payload_cnt--; payload_version++; @@ -1170,6 +1171,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->list); INIT_LIST_HEAD(&data->applied_list); + register_virtual_region(&data->region); list_add_tail(&data->list, &payload_list); payload_cnt++; payload_version++; @@ -1386,7 +1388,6 @@ static inline void apply_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_add_tail_rcu(&data->applied_list, &applied_list); - register_virtual_region(&data->region); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1432,7 +1433,6 @@ static inline void revert_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_del_rcu(&data->applied_list); - unregister_virtual_region(&data->region); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index ddac5c9147..cefef3e47e 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -23,14 +23,8 @@ static struct virtual_region core_init __initdata = { }; /* - * RCU locking. Additions are done either at startup (when there is only - * one CPU) or when all CPUs are running without IRQs. - * - * Deletions are bit tricky. We do it when Live Patch (all CPUs running - * without IRQs) or during bootup (when clearing the init). - * - * Hence we use list_del_rcu (which sports an memory fence) and a spinlock - * on deletion. + * RCU locking. Modifications to the list must be done in exclusive mode, and + * hence need to hold the spinlock. * * All readers of virtual_region_list MUST use list_for_each_entry_rcu. */ @@ -58,41 +52,36 @@ const struct virtual_region *find_text_region(unsigned long addr) void register_virtual_region(struct virtual_region *r) { - ASSERT(!local_irq_is_enabled()); + unsigned long flags; + spin_lock_irqsave(&virtual_region_lock, flags); list_add_tail_rcu(&r->list, &virtual_region_list); + spin_unlock_irqrestore(&virtual_region_lock, flags); } -static void remove_virtual_region(struct virtual_region *r) +/* + * Suggest inline so when !CONFIG_LIVEPATCH the function is not left + * unreachable after init code is removed. + */ +static void inline remove_virtual_region(struct virtual_region *r) { unsigned long flags; spin_lock_irqsave(&virtual_region_lock, flags); list_del_rcu(&r->list); spin_unlock_irqrestore(&virtual_region_lock, flags); - /* - * We do not need to invoke call_rcu. - * - * This is due to the fact that on the deletion we have made sure - * to use spinlocks (to guard against somebody else calling - * unregister_virtual_region) and list_deletion spiced with - * memory barrier. - * - * That protects us from corrupting the list as the readers all - * use list_for_each_entry_rcu which is safe against concurrent - * deletions. - */ } +#ifdef CONFIG_LIVEPATCH void unregister_virtual_region(struct virtual_region *r) { - /* Expected to be called from Live Patch - which has IRQs disabled. */ - ASSERT(!local_irq_is_enabled()); - remove_virtual_region(r); + + /* Assert that no CPU might be using the removed region. */ + rcu_barrier(); } -#if defined(CONFIG_LIVEPATCH) && defined(CONFIG_X86) +#ifdef CONFIG_X86 void relax_virtual_region_perms(void) { const struct virtual_region *region; @@ -116,7 +105,8 @@ void tighten_virtual_region_perms(void) PAGE_HYPERVISOR_RX); rcu_read_unlock(&rcu_virtual_region_lock); } -#endif +#endif /* CONFIG_X86 */ +#endif /* CONFIG_LIVEPATCH */ void __init unregister_init_virtual_region(void) { -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:22:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687509.1071068 (Exim 4.92) (envelope-from ) id 1rfuPV-0003kW-87; Fri, 01 Mar 2024 04:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687509.1071068; Fri, 01 Mar 2024 04:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPV-0003jx-5C; Fri, 01 Mar 2024 04:22:13 +0000 Received: by outflank-mailman (input) for mailman id 687509; Fri, 01 Mar 2024 04:22:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPT-0003ji-UI for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPT-0001Hs-TB for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuPT-0004xF-QY for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LUwboPJb44nOMX+4g3hxfHhdrsnIktPitS4a4nsmljY=; b=DC2qHu6Fk60ahVgf7SL6ZnVe/E AOMI7deOZTzE9SJIGiZNSJQCP1N9SKngT514y0EldIQmLniHcfhyu8nRhqNYw+8EB2oxn3xYYS0TK tz/mkZS8ZeHZ8Amk3Ni1iukz25KA6uctU+jU//PPoH2t1Uxos1BIrE5cnkl77iVGULLA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/livepatch: search for symbols in all loaded payloads Message-Id: Date: Fri, 01 Mar 2024 04:22:11 +0000 commit d2daa40fb3ddb8f83e238e57854bd878924cde90 Author: Roger Pau Monné AuthorDate: Tue Feb 27 12:25:25 2024 +0100 Commit: Andrew Cooper CommitDate: Wed Feb 28 16:57:25 2024 +0000 xen/livepatch: search for symbols in all loaded payloads When checking if an address belongs to a patch, or when resolving a symbol, take into account all loaded livepatch payloads, even if not applied. This is required in order for the pre-apply and post-revert hooks to work properly, or else Xen won't detect the instruction pointer belonging to those hooks as being part of the currently active text. Move the RCU handling to be used for payload_list instead of applied_list, as now the calls from trap code will iterate over the payload_list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/common/livepatch.c | 49 +++++++++++++++++-------------------------------- 1 file changed, 17 insertions(+), 32 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index d7f50e1018..14295bae87 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -36,13 +36,14 @@ * caller in schedule_work. */ static DEFINE_SPINLOCK(payload_lock); -static LIST_HEAD(payload_list); - /* - * Patches which have been applied. Need RCU in case we crash (and then - * traps code would iterate via applied_list) when adding entries on the list. + * Need RCU in case we crash (and then traps code would iterate via + * payload_list) when adding entries on the list. */ -static DEFINE_RCU_READ_LOCK(rcu_applied_lock); +static DEFINE_RCU_READ_LOCK(rcu_payload_lock); +static LIST_HEAD(payload_list); + +/* Patches which have been applied. Only modified from stop machine context. */ static LIST_HEAD(applied_list); static unsigned int payload_cnt; @@ -111,12 +112,8 @@ bool is_patch(const void *ptr) const struct payload *data; bool r = false; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( (ptr >= data->rw_addr && ptr < (data->rw_addr + data->rw_size)) || @@ -130,7 +127,7 @@ bool is_patch(const void *ptr) } } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return r; } @@ -166,12 +163,8 @@ static const char *cf_check livepatch_symbols_lookup( const void *va = (const void *)addr; const char *n = NULL; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( va < data->text_addr || va >= (data->text_addr + data->text_size) ) @@ -200,7 +193,7 @@ static const char *cf_check livepatch_symbols_lookup( n = data->symtab[best].name; break; } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return n; } @@ -1072,7 +1065,8 @@ static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); unregister_virtual_region(&data->region); - list_del(&data->list); + list_del_rcu(&data->list); + rcu_barrier(); payload_cnt--; payload_version++; free_payload_data(data); @@ -1172,7 +1166,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->applied_list); register_virtual_region(&data->region); - list_add_tail(&data->list, &payload_list); + list_add_tail_rcu(&data->list, &payload_list); payload_cnt++; payload_version++; } @@ -1383,11 +1377,7 @@ static int apply_payload(struct payload *data) static inline void apply_payload_tail(struct payload *data) { - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_add_tail_rcu(&data->applied_list, &applied_list); + list_add_tail(&data->applied_list, &applied_list); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1427,12 +1417,7 @@ static int revert_payload(struct payload *data) static inline void revert_payload_tail(struct payload *data) { - - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_del_rcu(&data->applied_list); + list_del(&data->applied_list); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:22:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:22:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687510.1071072 (Exim 4.92) (envelope-from ) id 1rfuPf-0003nQ-9B; Fri, 01 Mar 2024 04:22:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687510.1071072; Fri, 01 Mar 2024 04:22:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPf-0003nJ-6h; Fri, 01 Mar 2024 04:22:23 +0000 Received: by outflank-mailman (input) for mailman id 687510; Fri, 01 Mar 2024 04:22:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPe-0003n5-1I for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPe-0001I5-0V for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuPd-0004zJ-VP for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EzVrifrbbUJpWMWyeUXW6YC3YRZ+EqNZYrrBITtK80c=; b=Rbhf7WUZ8wixHxb5jcv0IVxEWj Zmd0JcccmASO14OcU4gX1Oblj/kRot143fy9fRZuevuwIr+gXuOaOQmoEQpMOzRvmQUBTlDldKyW5 71dNQ83svGssJA12cdTCRcvFxdN1Zhd7EOOddQCT2QGTdSFqxWCe7otTs4TUrob6M0Xw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/livepatch: fix norevert test attempt to open-code revert Message-Id: Date: Fri, 01 Mar 2024 04:22:21 +0000 commit cdae267ce10d04d71d1687b5701ff2911a96b6dc Author: Roger Pau Monné AuthorDate: Tue Feb 27 12:25:26 2024 +0100 Commit: Andrew Cooper CommitDate: Wed Feb 28 16:57:25 2024 +0000 xen/livepatch: fix norevert test attempt to open-code revert The purpose of the norevert test is to install a dummy handler that replaces the internal Xen revert code, and then perform the revert in the post-revert hook. For that purpose the usage of the previous common_livepatch_revert() is not enough, as that just reverts specific functions, but not the whole state of the payload. Remove both common_livepatch_{apply,revert}() and instead expose revert_payload{,_tail}() in order to perform the patch revert from the post-revert hook. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/common/livepatch.c | 41 +++++++++++++++++++++++--- xen/include/xen/livepatch.h | 32 +++----------------- xen/test/livepatch/xen_action_hooks_norevert.c | 22 ++++---------- 3 files changed, 46 insertions(+), 49 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 14295bae87..5a7d5b7be0 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1366,7 +1366,22 @@ static int apply_payload(struct payload *data) ASSERT(!local_irq_is_enabled()); for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_apply(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* If the action has been already executed on this function, do nothing. */ + if ( state->applied == LIVEPATCH_FUNC_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has been already applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_apply(func, state); + state->applied = LIVEPATCH_FUNC_APPLIED; + } arch_livepatch_revive(); @@ -1382,7 +1397,7 @@ static inline void apply_payload_tail(struct payload *data) data->state = LIVEPATCH_STATE_APPLIED; } -static int revert_payload(struct payload *data) +int revert_payload(struct payload *data) { unsigned int i; int rc; @@ -1397,7 +1412,25 @@ static int revert_payload(struct payload *data) } for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_revert(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* + * If the apply action hasn't been executed on this function, do + * nothing. + */ + if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has not been applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_revert(func, state); + state->applied = LIVEPATCH_FUNC_NOT_APPLIED; + } /* * Since we are running with IRQs disabled and the hooks may call common @@ -1415,7 +1448,7 @@ static int revert_payload(struct payload *data) return 0; } -static inline void revert_payload_tail(struct payload *data) +void revert_payload_tail(struct payload *data) { list_del(&data->applied_list); diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index ad0eae28bd..d074a5bebe 100644 --- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h @@ -138,35 +138,11 @@ void arch_livepatch_post_action(void); void arch_livepatch_mask(void); void arch_livepatch_unmask(void); -static inline void common_livepatch_apply(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the action has been already executed on this function, do nothing. */ - if ( state->applied == LIVEPATCH_FUNC_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has been already applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_apply(func, state); - state->applied = LIVEPATCH_FUNC_APPLIED; -} +/* Only for testing purposes. */ +struct payload; +int revert_payload(struct payload *data); +void revert_payload_tail(struct payload *data); -static inline void common_livepatch_revert(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the apply action hasn't been executed on this function, do nothing. */ - if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has not been applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_revert(func, state); - state->applied = LIVEPATCH_FUNC_NOT_APPLIED; -} #else /* diff --git a/xen/test/livepatch/xen_action_hooks_norevert.c b/xen/test/livepatch/xen_action_hooks_norevert.c index c173855192..c5fbab1746 100644 --- a/xen/test/livepatch/xen_action_hooks_norevert.c +++ b/xen/test/livepatch/xen_action_hooks_norevert.c @@ -96,26 +96,14 @@ static int revert_hook(livepatch_payload_t *payload) static void post_revert_hook(livepatch_payload_t *payload) { - int i; + unsigned long flags; printk(KERN_DEBUG "%s: Hook starting.\n", __func__); - for (i = 0; i < payload->nfuncs; i++) - { - const struct livepatch_func *func = &payload->funcs[i]; - struct livepatch_fstate *fstate = &payload->fstate[i]; - - BUG_ON(revert_cnt != 1); - BUG_ON(fstate->applied != LIVEPATCH_FUNC_APPLIED); - - /* Outside of quiesce zone: MAY TRIGGER HOST CRASH/UNDEFINED BEHAVIOR */ - arch_livepatch_quiesce(); - common_livepatch_revert(payload); - arch_livepatch_revive(); - BUG_ON(fstate->applied == LIVEPATCH_FUNC_APPLIED); - - printk(KERN_DEBUG "%s: post reverted: %s\n", __func__, func->name); - } + local_irq_save(flags); + BUG_ON(revert_payload(payload)); + revert_payload_tail(payload); + local_irq_restore(flags); printk(KERN_DEBUG "%s: Hook done.\n", __func__); } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:22:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:22:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687511.1071076 (Exim 4.92) (envelope-from ) id 1rfuPp-0003qC-Aw; Fri, 01 Mar 2024 04:22:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687511.1071076; Fri, 01 Mar 2024 04:22:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPp-0003q4-8B; Fri, 01 Mar 2024 04:22:33 +0000 Received: by outflank-mailman (input) for mailman id 687511; Fri, 01 Mar 2024 04:22:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPo-0003py-4G for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPo-0001IM-3W for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuPo-0004zw-2a for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Qw1G5hlDkjdcgte/lR1lEZVTZcRysDu/+5LTHF9Xukc=; b=VCc5ivuCem0osxXdi/E9FQKhCt ZSRNlux1zgJoAZlZOrjcbjsPUosvr6qw1xUB3j5UTvT5abcFQCqSMTqGHjdLJX4n1i7W8OFpPbX7H 1+1Gb8zG+cgQzkK71sJhjWqBrsVflRw9yNGjJ0ech6Iy6is/KXkAVJQ4Mfo1qTOJ2/GY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/livepatch: properly build the noapply and norevert tests Message-Id: Date: Fri, 01 Mar 2024 04:22:32 +0000 commit e579677095782c7dec792597ba8b037b7d716b32 Author: Roger Pau Monné AuthorDate: Tue Feb 27 12:25:27 2024 +0100 Commit: Andrew Cooper CommitDate: Wed Feb 28 16:57:25 2024 +0000 xen/livepatch: properly build the noapply and norevert tests It seems the build variables for those tests where copy-pasted from xen_action_hooks_marker-objs and not adjusted to use the correct source files. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/test/livepatch/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/test/livepatch/Makefile b/xen/test/livepatch/Makefile index c258ab0b59..d987a8367f 100644 --- a/xen/test/livepatch/Makefile +++ b/xen/test/livepatch/Makefile @@ -118,12 +118,12 @@ xen_action_hooks_marker-objs := xen_action_hooks_marker.o xen_hello_world_func.o $(obj)/xen_action_hooks_noapply.o: $(obj)/config.h extra-y += xen_action_hooks_noapply.livepatch -xen_action_hooks_noapply-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_noapply-objs := xen_action_hooks_noapply.o xen_hello_world_func.o note.o xen_note.o $(obj)/xen_action_hooks_norevert.o: $(obj)/config.h extra-y += xen_action_hooks_norevert.livepatch -xen_action_hooks_norevert-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_norevert-objs := xen_action_hooks_norevert.o xen_hello_world_func.o note.o xen_note.o EXPECT_BYTES_COUNT := 8 CODE_GET_EXPECT=$(shell $(OBJDUMP) -d --insn-width=1 $(1) | sed -n -e '/<'$(2)'>:$$/,/^$$/ p' | tail -n +2 | head -n $(EXPECT_BYTES_COUNT) | awk '{$$0=$$2; printf "%s", substr($$0,length-1)}' | sed 's/.\{2\}/0x&,/g' | sed 's/^/{/;s/,$$/}/g') -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:22:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:22:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687512.1071079 (Exim 4.92) (envelope-from ) id 1rfuPz-0003t1-C7; Fri, 01 Mar 2024 04:22:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687512.1071079; Fri, 01 Mar 2024 04:22:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPz-0003st-9e; Fri, 01 Mar 2024 04:22:43 +0000 Received: by outflank-mailman (input) for mailman id 687512; Fri, 01 Mar 2024 04:22:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPy-0003sk-7p for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuPy-0001IV-75 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuPy-00050P-5d for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fBiIMo4YgiQQVlnl+8xsfmmCPY9fXl9YhSb9m69gN0E=; b=NNKE66NatYvx/t4EQxEweJslZx kA79PUD5kX510lwUTk8mqkMH++rhpn2Z2Gb60vSIVwe7lwvpIVRSDKuCP5DFT6v33VTlm1dHaEP7m Vr37jo7YFVJhZS92MWtYJaWL/drQqkiHOcpQlYQdi/ZiX+Kt2SLGvYps8C8ghtaHXSII=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/livepatch: group and document payload hooks Message-Id: Date: Fri, 01 Mar 2024 04:22:42 +0000 commit 54fd7b997470e6686667ca8e18f9ba6139efcdea Author: Roger Pau Monné AuthorDate: Tue Feb 27 12:25:28 2024 +0100 Commit: Andrew Cooper CommitDate: Wed Feb 28 16:57:25 2024 +0000 xen/livepatch: group and document payload hooks Group the payload hooks between the pre/post handlers, and the apply/revert replacements. Also attempt to comment the context in which the hooks are executed. No functional change. Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/include/xen/livepatch_payload.h | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/xen/include/xen/livepatch_payload.h b/xen/include/xen/livepatch_payload.h index b9cd4f2096..472d6a4a63 100644 --- a/xen/include/xen/livepatch_payload.h +++ b/xen/include/xen/livepatch_payload.h @@ -82,6 +82,8 @@ struct payload { * collision. Since multiple hooks can be registered, the * .livepatch.hook.load section is a table of functions that will be * executed in series by the livepatch infrastructure at patch load time. + * + * Note the load hook is executed in quiesced context. */ #define LIVEPATCH_LOAD_HOOK(_fn) \ livepatch_loadcall_t *__weak \ @@ -96,14 +98,20 @@ struct payload { livepatch_unloadcall_t *__weak \ const livepatch_unload_data_##_fn __section(".livepatch.hooks.unload") = _fn; +/* + * Pre/Post action hooks. + * + * This hooks are executed before or after the livepatch application. Pre hooks + * can veto the application/revert of the livepatch. They are not executed in + * quiesced context. All of pre and post hooks are considered vetoing, and + * hence filling any of those will block the usage of the REPLACE action. + * + * Each of the hooks below can only be set once per livepatch payload. + */ #define LIVEPATCH_PREAPPLY_HOOK(_fn) \ livepatch_precall_t *__attribute__((weak, used)) \ const livepatch_preapply_data_##_fn __section(".livepatch.hooks.preapply") = _fn; -#define LIVEPATCH_APPLY_HOOK(_fn) \ - livepatch_actioncall_t *__attribute__((weak, used)) \ - const livepatch_apply_data_##_fn __section(".livepatch.hooks.apply") = _fn; - #define LIVEPATCH_POSTAPPLY_HOOK(_fn) \ livepatch_postcall_t *__attribute__((weak, used)) \ const livepatch_postapply_data_##_fn __section(".livepatch.hooks.postapply") = _fn; @@ -112,14 +120,27 @@ struct payload { livepatch_precall_t *__attribute__((weak, used)) \ const livepatch_prerevert_data_##_fn __section(".livepatch.hooks.prerevert") = _fn; -#define LIVEPATCH_REVERT_HOOK(_fn) \ - livepatch_actioncall_t *__attribute__((weak, used)) \ - const livepatch_revert_data_##_fn __section(".livepatch.hooks.revert") = _fn; - #define LIVEPATCH_POSTREVERT_HOOK(_fn) \ livepatch_postcall_t *__attribute__((weak, used)) \ const livepatch_postrevert_data_##_fn __section(".livepatch.hooks.postrevert") = _fn; +/* + * Action replacement hooks. + * + * The following hooks replace the hypervisor implementation for the livepatch + * application and revert routines. When filling the hooks below the native + * apply and revert routines will not be executed, so the provided hooks need + * to make sure the state of the payload after apply or revert is as expected + * by the livepatch logic. + */ +#define LIVEPATCH_APPLY_HOOK(_fn) \ + livepatch_actioncall_t *__attribute__((weak, used)) \ + const livepatch_apply_data_##_fn __section(".livepatch.hooks.apply") = _fn; + +#define LIVEPATCH_REVERT_HOOK(_fn) \ + livepatch_actioncall_t *__attribute__((weak, used)) \ + const livepatch_revert_data_##_fn __section(".livepatch.hooks.revert") = _fn; + #endif /* __XEN_LIVEPATCH_PAYLOAD_H__ */ /* -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:22:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:22:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687513.1071084 (Exim 4.92) (envelope-from ) id 1rfuQ9-0003w4-FI; Fri, 01 Mar 2024 04:22:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687513.1071084; Fri, 01 Mar 2024 04:22:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQ9-0003vw-CO; Fri, 01 Mar 2024 04:22:53 +0000 Received: by outflank-mailman (input) for mailman id 687513; Fri, 01 Mar 2024 04:22:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQ8-0003vk-BC for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQ8-0001Ic-AW for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuQ8-000512-9J for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:22:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=q9c3E+kPUT6yK0lRknThTDX2YwdXanVNjsdssOLb/lg=; b=ammocORD89okFnsjGzkIYM8U/d +We9xZF0zS9lRJj4xcd0JiL/7sPGFzKcfuVFEMag/q1DTZrWZ6L5McC8pRfIyWdEHe19QMKeHHcMK FUHxKAO0tC4LghcWEy4kROEKa03MNImCmI15vnR4qED/BISBw5VluPw0w9gyGGOuJfo8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] libxl: Fix segfault in device_model_spawn_outcome Message-Id: Date: Fri, 01 Mar 2024 04:22:52 +0000 commit d4f3d35f043f6ef29393166b0dd131c8102cf255 Author: Jason Andryuk AuthorDate: Thu Feb 29 08:18:38 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 08:18:38 2024 +0100 libxl: Fix segfault in device_model_spawn_outcome libxl__spawn_qdisk_backend() explicitly sets guest_config to NULL when starting QEMU (the usual launch through libxl__spawn_local_dm() has a guest_config though). Bail early on a NULL guest_config/d_config. This skips the QMP queries for chardevs and VNC, but this xenpv QEMU instance isn't expected to provide those - only qdisk (or 9pfs backends after an upcoming change). Signed-off-by: Jason Andryuk Acked-by: Anthony PERARD --- tools/libs/light/libxl_dm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c index dc4c2dfb9f..0b03a7c747 100644 --- a/tools/libs/light/libxl_dm.c +++ b/tools/libs/light/libxl_dm.c @@ -3172,8 +3172,8 @@ static void device_model_spawn_outcome(libxl__egc *egc, /* Check if spawn failed */ if (rc) goto out; - - if (d_config->b_info.device_model_version + /* d_config is NULL for xl devd/libxl__spawn_qemu_xenpv_backend(). */ + if (d_config && d_config->b_info.device_model_version == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN) { rc = libxl__ev_time_register_rel(ao, &dmss->timeout, devise_model_postconfig_timeout, -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:23:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:23:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687514.1071088 (Exim 4.92) (envelope-from ) id 1rfuQJ-0003zK-Gi; Fri, 01 Mar 2024 04:23:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687514.1071088; Fri, 01 Mar 2024 04:23:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQJ-0003zC-Dq; Fri, 01 Mar 2024 04:23:03 +0000 Received: by outflank-mailman (input) for mailman id 687514; Fri, 01 Mar 2024 04:23:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQI-0003yt-EB for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQI-0001Iz-DS for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuQI-00051e-Ck for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3xRFLIRx9IgPujHFBML4clXf6Wl4Ekh8gy1M1bdys8A=; b=ywDpl8pJw+6rqMq1TZfuSdo78I A+Z0k0+9pMWSpzsjqBJkZ4EFVlzmkWJv2Q6g+SsI7Kz80UJbQUy5PcZ/6HkEd9uu1bWTM2LhdlYmJ ucFUIqAJGImQc2kyV3ofP0Rkcvn82IAF0abCXwMw/7Gz8wTpVyPlQJdapUTN+UZJyzis=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/memsharing: use an atomic add instead of a cmpxchg loop Message-Id: Date: Fri, 01 Mar 2024 04:23:02 +0000 commit 6d05d529404a7fad1ed277865ceb31273272a23e Author: Jan Beulich AuthorDate: Thu Feb 29 08:19:22 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 08:19:22 2024 +0100 x86/memsharing: use an atomic add instead of a cmpxchg loop The usage of a cmpxchg loop in get_next_handle() is unnecessary, as the same can be achieved with an atomic increment, which is both simpler to read, and avoid any need for a loop. The cmpxchg usage is likely a remnant of 32bit support, which didn't have an instruction to do an atomic 64bit add, and instead a cmpxchg had to be used. Suggested-by: Andrew Cooper Signed-of-by: Roger Pau Monné Reviewed-by: Jan Beulich Reviewed-by: Julien Grall Acked-by: Tamas K Lengyel --- xen/arch/x86/mm/mem_sharing.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c index 4f810706a3..fe299a2bf9 100644 --- a/xen/arch/x86/mm/mem_sharing.c +++ b/xen/arch/x86/mm/mem_sharing.c @@ -179,13 +179,7 @@ static void mem_sharing_page_unlock(struct page_info *pg) static shr_handle_t get_next_handle(void) { - /* Get the next handle get_page style */ - uint64_t x, y = next_handle; - do { - x = y; - } - while ( (y = cmpxchg(&next_handle, x, x + 1)) != x ); - return x + 1; + return arch_fetch_and_add(&next_handle, 1) + 1; } static atomic_t nr_saved_mfns = ATOMIC_INIT(0); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:23:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:23:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687515.1071092 (Exim 4.92) (envelope-from ) id 1rfuQT-000427-J8; Fri, 01 Mar 2024 04:23:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687515.1071092; Fri, 01 Mar 2024 04:23:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQT-00041z-FP; Fri, 01 Mar 2024 04:23:13 +0000 Received: by outflank-mailman (input) for mailman id 687515; Fri, 01 Mar 2024 04:23:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQS-00041t-HE for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQS-0001JT-GO for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuQS-000527-Ff for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=seVn6bGphUmnesaVkQttyx7DF2/j5NgADcaw+sxTQ/U=; b=naxp3rr+ia2QvPy/JAjzEeoQjr MQq3V7t5Ki4tNdID4unNla2ERerHu9t9YAkjz/qVZTbpagPrR5zUGknA+nU45ec4DqgdxMVGoETJ8 s6iwQ1Kv/1M9egHWRf0x4dI8GKYqwTZkscZcKuqYf0vSkd8PAqdZwY67AK/+1Mp0xUz0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs: Move function and macro properties in docs/misra Message-Id: Date: Fri, 01 Mar 2024 04:23:12 +0000 commit b36d850c228807287b138b83fe6b198c943c2b66 Author: Simone Ballarin AuthorDate: Tue Feb 27 16:36:30 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 08:20:05 2024 +0100 docs: Move function and macro properties in docs/misra The list of function/macro properties is not MISRA-specific documentation. Their addition was directly motivated to address MISRA findings and they are not used elsewhere. For this reason, this patch moves these properties in docs/misra. This patch also fixes a Sphinx warning caused by the missing inclusion of the rst file in the toctree. Reported-by: Andrew Cooper Fixes: f4519ee8 ("eclair: move function and macro properties outside ECLAIR") Signed-off-by: Simone Ballarin Acked-by: Andrew Cooper --- automation/eclair_analysis/propertyparser.py | 2 +- docs/function_macro_properties.json | 841 --------------------------- docs/function_macro_properties.rst | 58 -- docs/misra/function-macro-properties.json | 841 +++++++++++++++++++++++++++ docs/misra/function-macro-properties.rst | 58 ++ docs/misra/index.rst | 1 + 6 files changed, 901 insertions(+), 900 deletions(-) diff --git a/automation/eclair_analysis/propertyparser.py b/automation/eclair_analysis/propertyparser.py index 0d02f505a6..5059a68fec 100644 --- a/automation/eclair_analysis/propertyparser.py +++ b/automation/eclair_analysis/propertyparser.py @@ -2,7 +2,7 @@ import json import os script_dir = os.path.dirname(__file__) -properties_path = os.path.join(script_dir, "../../docs/function_macro_properties.json") +properties_path = os.path.join(script_dir, "../../docs/misra/function-macro-properties.json") output_path = os.path.join(script_dir, "ECLAIR/call_properties.ecl") with open(properties_path) as fp: diff --git a/docs/function_macro_properties.json b/docs/function_macro_properties.json deleted file mode 100644 index 74058297b5..0000000000 --- a/docs/function_macro_properties.json +++ /dev/null @@ -1,841 +0,0 @@ -{ - "version": "1.0", - "content": [ - { - "type": "function", - "value": "^printk.*$", - "properties":{ - "pointee_write": "1..=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^debugtrace_printk.*$", - "properties":{ - "pointee_write": "1..=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^panic.*$", - "properties":{ - "pointee_write": "1..=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^domain_crash$", - "properties":{ - "pointee_write": "2..=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^(g?d|mm_)?printk$", - "properties":{ - "pointee_write": "2..=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^guest_bug_on_failed$", - "properties":{ - "pointee_write": "1=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^spin_lock_init_prof$", - "properties":{ - "pointee_write": "2=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^sched_test_func$", - "properties":{ - "pointee_write": "1..=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^dev_(info|warn)$", - "properties":{ - "pointee_write": "1..=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^PAGING_DEBUG$", - "properties":{ - "pointee_write": "1..=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^ACPI_(WARNING|ERROR|INFO)$", - "properties":{ - "pointee_write": "1..=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^fdt_get_property_by_offset_.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^read_atomic_size.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^device_tree_get_reg.*$", - "properties":{ - "pointee_write": "4..=always", - "pointee_read": "4..=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^dt_get_range.*$", - "properties":{ - "pointee_write": "3..=always", - "pointee_read": "3..=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^parse_static_mem_prop.*$", - "properties":{ - "pointee_write": "2..=always", - "pointee_read": "2..=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^get_ttbr_and_gran_64bit.*$", - "properties":{ - "pointee_write": "1..2=always", - "pointee_read": "1..2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^hvm_emulate_init_once.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^__vmread.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^hvm_pci_decode_addr.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^vpci_mmcfg_decode_addr.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^x86emul_decode.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^unmap_grant_ref.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^arm_smmu_cmdq_build_cmd.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^pci_size_mem_bar.*$", - "properties":{ - "pointee_write": "4=always", - "pointee_read": "4=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^_hvm_read_entry.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^hvm_map_guest_frame_rw.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^guest_cpuid.*$", - "properties":{ - "pointee_write": "4=always", - "pointee_read": "4=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^epte_get_entry_emt.*$", - "properties":{ - "pointee_write": "5=always", - "pointee_read": "5=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^mcheck_mca_logout.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^set_field_in_reg_u32.*$", - "properties":{ - "pointee_write": "5=always", - "pointee_read": "5=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^alloc_affinity_masks.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^xasprintf.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^find_non_smt.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^call_rcu.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^getdomaininfo.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^MAPPING_(INSERT|SEARCH)\\(.*$", - "properties":{ - "pointee_write": "2..=always", - "pointee_read": "2..=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^FormatDec.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^FormatHex.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^p2m_get_ioreq_server.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^elf_memset_unchecked.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^set_iommu_pte_present.*$", - "properties":{ - "pointee_write": "7=always", - "pointee_read": "7=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^clear_iommu_pte_present.*$", - "properties":{ - "pointee_write": "4=always", - "pointee_read": "4=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^vcpu_runstate_get.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^va_start.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^sgi_target_init.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^get_hw_residencies.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^x86_cpu_policy_to_featureset.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^simple_strtou?ll?\\(.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^msi_compose_msg.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^print_tainted.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^get_hvm_registers.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^x86_insn_modrm.*$", - "properties":{ - "pointee_write": "2..3=always", - "pointee_read": "2..3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^cpuid_count_leaf.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^rcu_lock_remote_domain_by_id.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^cpuid_count.*$", - "properties":{ - "pointee_write": "3..=always", - "pointee_read": "3..=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^.*efi_boot_mem_unused.*$", - "properties":{ - "pointee_write": "1..=always", - "pointee_read": "1..=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^collect_time_info.*$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^setup_xstate_comp.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^map_domain_gfn.*$", - "properties":{ - "pointee_read": "5=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^fdt_getprop.*$", - "properties":{ - "pointee_read": "4=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^fdt_get_name.*$", - "properties":{ - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^fdt_get_property.*$", - "properties":{ - "pointee_read": "4=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^pci_get_host_bridge_segment.*$", - "properties":{ - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^dt_get_property.*$", - "properties":{ - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^dt_property_read_u32.*$", - "properties":{ - "pointee_read": "3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^dt_device_get_paddr.*$", - "properties":{ - "pointee_read": "3..4=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^get_evtchn_dt_property.*$", - "properties":{ - "pointee_write": "2..3=maybe", - "pointee_read": "2..3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^setup_chosen_node.*$", - "properties":{ - "pointee_write": "2..3=maybe", - "pointee_read": "2..3=never", - "taken": "" - } - }, - { - "type": "function", - "value": "^queue_remove_raw.*$", - "properties":{ - "pointee_read": "2=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^memset$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^va_start$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^memcmp$", - "properties":{ - "pointee_write": "1..2=never", - "taken": "" - } - }, - { - "type": "macro", - "value": "^memcpy$", - "properties":{ - "pointee_write": "1=always&&2..=never", - "pointee_read": "1=never&&2..=always", - "taken": "" - } - }, - { - "type": "function", - "value": "^get_cpu_info.*$", - "properties":{ - "attribute": "pure" - } - }, - { - "type": "function", - "value": "^pdx_to_pfn.*$", - "properties":{ - "attribute": "pure" - } - }, - { - "type": "function", - "value": "^is_pci_passthrough_enabled.*$", - "properties":{ - "attribute": "const" - } - }, - { - "type": "function", - "value": "^get_cycles.*$", - "properties":{ - "attribute": "noeffect" - } - }, - { - "type": "function", - "value": "^msi_gflags.*$", - "properties":{ - "attribute": "const" - } - }, - { - "type": "function", - "value": "^hvm_save_size.*$", - "properties":{ - "attribute": "pure" - } - }, - { - "type": "function", - "value": "^cpu_has.*$", - "properties":{ - "attribute": "pure" - } - }, - { - "type": "function", - "value": "^boot_cpu_has.*$", - "properties":{ - "attribute": "pure" - } - }, - { - "type": "function", - "value": "^get_cpu_info.*$", - "properties":{ - "attribute": "pure" - } - }, - { - "type": "function", - "value": "^put_pte_flags.*$", - "properties":{ - "attribute": "const" - } - }, - { - "type": "function", - "value": "^is_pv_cpu.*$", - "properties":{ - "attribute": "pure" - } - }, - { - "description": "Property inferred as a consequence of the semantics of device_tree_get_reg", - "type": "function", - "value": "^acquire_static_memory_bank.*$", - "properties":{ - "pointee_write": "4..=always", - "pointee_read": "4..=never", - "taken": "" - } - }, - { - "description": "Property inferred as a consequence of the semantics of dt_set_cell", - "type": "function", - "value": "^set_interrupt.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "description":"Property inferred as a consequence of the semantics of __p2m_get_mem_access", - "type": "function", - "value": "^p2m_get_mem_access.*$", - "properties":{ - "pointee_write": "3=always", - "pointee_read": "3=never", - "taken": "" - } - }, - { - "description": "This function has alternative definitions with props {write=always,read=never} and {write=never,read=never}", - "type": "function", - "value": "^alloc_cpumask_var.*$", - "properties":{ - "pointee_write": "1=maybe", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "description": "Property inferred as a consequence of the semantics of alloc_cpumask_var", - "type": "function", - "value": "^xenctl_bitmap_to_cpumask.*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "description": "The call to bitmap_and causes the pointee of dstp to be always written", - "type": "function", - "value": "^cpumask_(and|andnot|clear|copy|complement).*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "description": "The call to bitmap_and causes the pointee of dstp to be always written", - "type": "function", - "value": "^bitmap_(andnot|complement|fill).*$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "description": "The .*copy_(to|from).* helpers all have a memcpy-like expectation that the destination is a copy of the source. Furthermore, their uses do initialize the involved variables as needed by futher uses in the caller.", - "type": "macro", - "value": "^(__)?(raw_)?copy_from_(paddr|guest|compat)(_offset)?$", - "properties":{ - "pointee_write": "1=always", - "pointee_read": "1=never", - "taken": "" - } - }, - { - "description":"The .*copy_(to|from).* helpers all have a memcpy-like expectation that the destination is a copy of the source. Furthermore, their uses do initialize the involved variables as needed by futher uses in the caller.", - "type": "macro", - "value": "^(__)?copy_to_(guest|compat)(_offset)?$", - "properties":{ - "pointee_write": "2=always", - "pointee_read": "2=never", - "taken": "" - } - }, - { - "description": "Functions generated by build_atomic_read cannot be considered pure since the input pointer is volatile, but they do not produce any persistent side effect.", - "type": "function", - "value": "^read_u(8|16|32|64|int)_atomic.*$", - "properties":{ - "attribute": "noeffect" - } - }, - { - "description": "Functions generated by TYPE_SAFE are const.", - "type": "function", - "value": "^(mfn|gfn|pfn)_x\\(.*$", - "properties":{ - "attribute": "const" - } - }, - { - "description": "Functions generated by TYPE_SAFE are const.", - "type": "function", - "value": "^_(mfn|gfn|pfn)\\(.*$", - "properties":{ - "attribute": "const" - } - } - ] -} diff --git a/docs/function_macro_properties.rst b/docs/function_macro_properties.rst deleted file mode 100644 index ea6fb5cf1f..0000000000 --- a/docs/function_macro_properties.rst +++ /dev/null @@ -1,58 +0,0 @@ -.. SPDX-License-Identifier: CC-BY-4.0 - -Properties list for Xen -======================= - -Some functions and macros are found to have properties relevant to -the Xen codebase. For this reason, the file docs/properties.json -contains all the needed properties. - -Here is an example of the properties.json file:: - - { - "version": "1.0", - "content": [ - { - "description": "" - "type": "function", // required - "value:": "^printk*.$", // required - "properties":{ - "pointee_write": "1..2=never", - "pointee_read": "", - "taken": "" - "attribute": "" - } - } - ] - } - -Here is an explanation of the fields inside an object of the "content" array: - - - description: a brief description of why the properties apply - - type: this is the kind of the element called: it may be either ``macro`` or ``function`` - - value: must be a regex, starting with ^ and ending with $ and matching function fully - qualified name or macro name. - - properties: a list of properties applied to said function. - Possible values are: - - - pointee_write: indicate the write use for call arguments that correspond to - parameters whose pointee types are non-const - - pointee_read: indicate the read use for call arguments that correspond to - parameters whose pointee types are non-const - - taken: indicates that the specified address arguments may be stored in objects - that persist after the function has ceased to exist (excluding the returned value); - address arguments not listed are never taken - - attribute: attributes a function may have. Possible values are pure, const and noeffect. - - pointee_read and pointee_write use a specific kind of argument, structured as pointee_arg=rw: - - - pointee_arg: argument index for callee. Index 0 refers to the return value, - the indices of the arguments start from 1. It can be either a single value or a range. - - rw: a value that's either always, maybe or never - - - always: for pointee_read: argument pointee is expected to be fully read in the function body, - for pointee_write: argument pointee is fully initialized at function exit - - maybe: for pointee_read: argument pointee may be expected to be read in the function body, - for pointee_write: argument pointee may be written by function body - - never: for pointee_read: argument pointee is not expected to be read in the function body, - for pointee_write: argument pointee is never written by function body diff --git a/docs/misra/function-macro-properties.json b/docs/misra/function-macro-properties.json new file mode 100644 index 0000000000..74058297b5 --- /dev/null +++ b/docs/misra/function-macro-properties.json @@ -0,0 +1,841 @@ +{ + "version": "1.0", + "content": [ + { + "type": "function", + "value": "^printk.*$", + "properties":{ + "pointee_write": "1..=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^debugtrace_printk.*$", + "properties":{ + "pointee_write": "1..=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^panic.*$", + "properties":{ + "pointee_write": "1..=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^domain_crash$", + "properties":{ + "pointee_write": "2..=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^(g?d|mm_)?printk$", + "properties":{ + "pointee_write": "2..=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^guest_bug_on_failed$", + "properties":{ + "pointee_write": "1=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^spin_lock_init_prof$", + "properties":{ + "pointee_write": "2=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^sched_test_func$", + "properties":{ + "pointee_write": "1..=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^dev_(info|warn)$", + "properties":{ + "pointee_write": "1..=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^PAGING_DEBUG$", + "properties":{ + "pointee_write": "1..=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^ACPI_(WARNING|ERROR|INFO)$", + "properties":{ + "pointee_write": "1..=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^fdt_get_property_by_offset_.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^read_atomic_size.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^device_tree_get_reg.*$", + "properties":{ + "pointee_write": "4..=always", + "pointee_read": "4..=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^dt_get_range.*$", + "properties":{ + "pointee_write": "3..=always", + "pointee_read": "3..=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^parse_static_mem_prop.*$", + "properties":{ + "pointee_write": "2..=always", + "pointee_read": "2..=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^get_ttbr_and_gran_64bit.*$", + "properties":{ + "pointee_write": "1..2=always", + "pointee_read": "1..2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^hvm_emulate_init_once.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^__vmread.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^hvm_pci_decode_addr.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^vpci_mmcfg_decode_addr.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^x86emul_decode.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^unmap_grant_ref.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^arm_smmu_cmdq_build_cmd.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^pci_size_mem_bar.*$", + "properties":{ + "pointee_write": "4=always", + "pointee_read": "4=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^_hvm_read_entry.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^hvm_map_guest_frame_rw.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^guest_cpuid.*$", + "properties":{ + "pointee_write": "4=always", + "pointee_read": "4=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^epte_get_entry_emt.*$", + "properties":{ + "pointee_write": "5=always", + "pointee_read": "5=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^mcheck_mca_logout.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^set_field_in_reg_u32.*$", + "properties":{ + "pointee_write": "5=always", + "pointee_read": "5=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^alloc_affinity_masks.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^xasprintf.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^find_non_smt.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^call_rcu.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^getdomaininfo.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^MAPPING_(INSERT|SEARCH)\\(.*$", + "properties":{ + "pointee_write": "2..=always", + "pointee_read": "2..=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^FormatDec.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^FormatHex.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^p2m_get_ioreq_server.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^elf_memset_unchecked.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^set_iommu_pte_present.*$", + "properties":{ + "pointee_write": "7=always", + "pointee_read": "7=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^clear_iommu_pte_present.*$", + "properties":{ + "pointee_write": "4=always", + "pointee_read": "4=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^vcpu_runstate_get.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^va_start.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^sgi_target_init.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^get_hw_residencies.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^x86_cpu_policy_to_featureset.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^simple_strtou?ll?\\(.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^msi_compose_msg.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^print_tainted.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^get_hvm_registers.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^x86_insn_modrm.*$", + "properties":{ + "pointee_write": "2..3=always", + "pointee_read": "2..3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^cpuid_count_leaf.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^rcu_lock_remote_domain_by_id.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^cpuid_count.*$", + "properties":{ + "pointee_write": "3..=always", + "pointee_read": "3..=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^.*efi_boot_mem_unused.*$", + "properties":{ + "pointee_write": "1..=always", + "pointee_read": "1..=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^collect_time_info.*$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^setup_xstate_comp.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^map_domain_gfn.*$", + "properties":{ + "pointee_read": "5=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^fdt_getprop.*$", + "properties":{ + "pointee_read": "4=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^fdt_get_name.*$", + "properties":{ + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^fdt_get_property.*$", + "properties":{ + "pointee_read": "4=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^pci_get_host_bridge_segment.*$", + "properties":{ + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^dt_get_property.*$", + "properties":{ + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^dt_property_read_u32.*$", + "properties":{ + "pointee_read": "3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^dt_device_get_paddr.*$", + "properties":{ + "pointee_read": "3..4=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^get_evtchn_dt_property.*$", + "properties":{ + "pointee_write": "2..3=maybe", + "pointee_read": "2..3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^setup_chosen_node.*$", + "properties":{ + "pointee_write": "2..3=maybe", + "pointee_read": "2..3=never", + "taken": "" + } + }, + { + "type": "function", + "value": "^queue_remove_raw.*$", + "properties":{ + "pointee_read": "2=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^memset$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^va_start$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^memcmp$", + "properties":{ + "pointee_write": "1..2=never", + "taken": "" + } + }, + { + "type": "macro", + "value": "^memcpy$", + "properties":{ + "pointee_write": "1=always&&2..=never", + "pointee_read": "1=never&&2..=always", + "taken": "" + } + }, + { + "type": "function", + "value": "^get_cpu_info.*$", + "properties":{ + "attribute": "pure" + } + }, + { + "type": "function", + "value": "^pdx_to_pfn.*$", + "properties":{ + "attribute": "pure" + } + }, + { + "type": "function", + "value": "^is_pci_passthrough_enabled.*$", + "properties":{ + "attribute": "const" + } + }, + { + "type": "function", + "value": "^get_cycles.*$", + "properties":{ + "attribute": "noeffect" + } + }, + { + "type": "function", + "value": "^msi_gflags.*$", + "properties":{ + "attribute": "const" + } + }, + { + "type": "function", + "value": "^hvm_save_size.*$", + "properties":{ + "attribute": "pure" + } + }, + { + "type": "function", + "value": "^cpu_has.*$", + "properties":{ + "attribute": "pure" + } + }, + { + "type": "function", + "value": "^boot_cpu_has.*$", + "properties":{ + "attribute": "pure" + } + }, + { + "type": "function", + "value": "^get_cpu_info.*$", + "properties":{ + "attribute": "pure" + } + }, + { + "type": "function", + "value": "^put_pte_flags.*$", + "properties":{ + "attribute": "const" + } + }, + { + "type": "function", + "value": "^is_pv_cpu.*$", + "properties":{ + "attribute": "pure" + } + }, + { + "description": "Property inferred as a consequence of the semantics of device_tree_get_reg", + "type": "function", + "value": "^acquire_static_memory_bank.*$", + "properties":{ + "pointee_write": "4..=always", + "pointee_read": "4..=never", + "taken": "" + } + }, + { + "description": "Property inferred as a consequence of the semantics of dt_set_cell", + "type": "function", + "value": "^set_interrupt.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "description":"Property inferred as a consequence of the semantics of __p2m_get_mem_access", + "type": "function", + "value": "^p2m_get_mem_access.*$", + "properties":{ + "pointee_write": "3=always", + "pointee_read": "3=never", + "taken": "" + } + }, + { + "description": "This function has alternative definitions with props {write=always,read=never} and {write=never,read=never}", + "type": "function", + "value": "^alloc_cpumask_var.*$", + "properties":{ + "pointee_write": "1=maybe", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "description": "Property inferred as a consequence of the semantics of alloc_cpumask_var", + "type": "function", + "value": "^xenctl_bitmap_to_cpumask.*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "description": "The call to bitmap_and causes the pointee of dstp to be always written", + "type": "function", + "value": "^cpumask_(and|andnot|clear|copy|complement).*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "description": "The call to bitmap_and causes the pointee of dstp to be always written", + "type": "function", + "value": "^bitmap_(andnot|complement|fill).*$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "description": "The .*copy_(to|from).* helpers all have a memcpy-like expectation that the destination is a copy of the source. Furthermore, their uses do initialize the involved variables as needed by futher uses in the caller.", + "type": "macro", + "value": "^(__)?(raw_)?copy_from_(paddr|guest|compat)(_offset)?$", + "properties":{ + "pointee_write": "1=always", + "pointee_read": "1=never", + "taken": "" + } + }, + { + "description":"The .*copy_(to|from).* helpers all have a memcpy-like expectation that the destination is a copy of the source. Furthermore, their uses do initialize the involved variables as needed by futher uses in the caller.", + "type": "macro", + "value": "^(__)?copy_to_(guest|compat)(_offset)?$", + "properties":{ + "pointee_write": "2=always", + "pointee_read": "2=never", + "taken": "" + } + }, + { + "description": "Functions generated by build_atomic_read cannot be considered pure since the input pointer is volatile, but they do not produce any persistent side effect.", + "type": "function", + "value": "^read_u(8|16|32|64|int)_atomic.*$", + "properties":{ + "attribute": "noeffect" + } + }, + { + "description": "Functions generated by TYPE_SAFE are const.", + "type": "function", + "value": "^(mfn|gfn|pfn)_x\\(.*$", + "properties":{ + "attribute": "const" + } + }, + { + "description": "Functions generated by TYPE_SAFE are const.", + "type": "function", + "value": "^_(mfn|gfn|pfn)\\(.*$", + "properties":{ + "attribute": "const" + } + } + ] +} diff --git a/docs/misra/function-macro-properties.rst b/docs/misra/function-macro-properties.rst new file mode 100644 index 0000000000..ea6fb5cf1f --- /dev/null +++ b/docs/misra/function-macro-properties.rst @@ -0,0 +1,58 @@ +.. SPDX-License-Identifier: CC-BY-4.0 + +Properties list for Xen +======================= + +Some functions and macros are found to have properties relevant to +the Xen codebase. For this reason, the file docs/properties.json +contains all the needed properties. + +Here is an example of the properties.json file:: + + { + "version": "1.0", + "content": [ + { + "description": "" + "type": "function", // required + "value:": "^printk*.$", // required + "properties":{ + "pointee_write": "1..2=never", + "pointee_read": "", + "taken": "" + "attribute": "" + } + } + ] + } + +Here is an explanation of the fields inside an object of the "content" array: + + - description: a brief description of why the properties apply + - type: this is the kind of the element called: it may be either ``macro`` or ``function`` + - value: must be a regex, starting with ^ and ending with $ and matching function fully + qualified name or macro name. + - properties: a list of properties applied to said function. + Possible values are: + + - pointee_write: indicate the write use for call arguments that correspond to + parameters whose pointee types are non-const + - pointee_read: indicate the read use for call arguments that correspond to + parameters whose pointee types are non-const + - taken: indicates that the specified address arguments may be stored in objects + that persist after the function has ceased to exist (excluding the returned value); + address arguments not listed are never taken + - attribute: attributes a function may have. Possible values are pure, const and noeffect. + + pointee_read and pointee_write use a specific kind of argument, structured as pointee_arg=rw: + + - pointee_arg: argument index for callee. Index 0 refers to the return value, + the indices of the arguments start from 1. It can be either a single value or a range. + - rw: a value that's either always, maybe or never + + - always: for pointee_read: argument pointee is expected to be fully read in the function body, + for pointee_write: argument pointee is fully initialized at function exit + - maybe: for pointee_read: argument pointee may be expected to be read in the function body, + for pointee_write: argument pointee may be written by function body + - never: for pointee_read: argument pointee is not expected to be read in the function body, + for pointee_write: argument pointee is never written by function body diff --git a/docs/misra/index.rst b/docs/misra/index.rst index 5068ee5aef..bde9d9cffb 100644 --- a/docs/misra/index.rst +++ b/docs/misra/index.rst @@ -16,3 +16,4 @@ Xen hypervisor code and related documents. documenting-violations exclude-list xen-static-analysis + function-macro-properties -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:23:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:23:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687516.1071096 (Exim 4.92) (envelope-from ) id 1rfuQd-00047E-Lx; Fri, 01 Mar 2024 04:23:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687516.1071096; Fri, 01 Mar 2024 04:23:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQd-000476-JM; Fri, 01 Mar 2024 04:23:23 +0000 Received: by outflank-mailman (input) for mailman id 687516; Fri, 01 Mar 2024 04:23:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQc-00046y-K6 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQc-0001Ja-JS for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuQc-00052W-Ib for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ihmR405JYhEcE7tK+M0fWuU317Sn638q6JAyr02BmBA=; b=pxAVR+kRArvbWBmb0P3xQxlp/U E7FFPzvcNyjpkYuR+19+iV+fS/EHZpQsomyqJcZC1WdCqiCaWHCfLBtgQA0kpz8/4f8qzvGZFlfIT XXeKEk69fivtdKoZd1kaL+O0jcuLf/CC3lZIfFjtwu2AowC4tosmBcHJF7Iv8tjyZpVY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86: remove redundant XEN_SHSTK check from reinit_bsp_stack() Message-Id: Date: Fri, 01 Mar 2024 04:23:22 +0000 commit c103bb8ad41aeffbbb990ac60a5b2b0da28c82fd Author: Jan Beulich AuthorDate: Thu Feb 29 08:20:46 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 08:20:46 2024 +0100 x86: remove redundant XEN_SHSTK check from reinit_bsp_stack() As of 72d51813d631 ("x86: amend cpu_has_xen_{ibt,shstk}") this has been integrated into cpu_has_xen_shstk. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- xen/arch/x86/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c index e487591fe0..a21984b1cc 100644 --- a/xen/arch/x86/setup.c +++ b/xen/arch/x86/setup.c @@ -810,7 +810,7 @@ static void __init noreturn reinit_bsp_stack(void) if ( rc ) panic("Error %d setting up PV root page table\n", rc); - if ( IS_ENABLED(CONFIG_XEN_SHSTK) && cpu_has_xen_shstk ) + if ( cpu_has_xen_shstk ) { wrmsrl(MSR_PL0_SSP, (unsigned long)stack + (PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 8); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 04:23:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 04:23:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687517.1071100 (Exim 4.92) (envelope-from ) id 1rfuQn-0004AC-Nj; Fri, 01 Mar 2024 04:23:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687517.1071100; Fri, 01 Mar 2024 04:23:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQn-0004A2-Kt; Fri, 01 Mar 2024 04:23:33 +0000 Received: by outflank-mailman (input) for mailman id 687517; Fri, 01 Mar 2024 04:23:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQm-00049s-NW for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfuQm-0001Jh-Mm for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfuQm-00052v-Li for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 04:23:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=YnhwIrrTR8P2n7SBVTNcLGghFpwweiMa660fzRUKfpA=; b=liOKzagnebDTkOj3qWzS7wguFT MJMRF9TFNfx2bq4lrztCo20x+InucI7kU/WPa+EGjuOiPMZ4t8KkHlvkA/CjcreNDnkbWKLkiIj8D fT2fZ4T/HRB36fhlgbY9Yh3xCaVl/z5N0tEbuM7OH0zyoNsg2HNiwbp2PUDVVsT5nm7I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/altcall: always use a temporary parameter stashing variable Message-Id: Date: Fri, 01 Mar 2024 04:23:32 +0000 commit c20850540ad6a32f4fc17bde9b01c92b0df18bf0 Author: Roger Pau Monné AuthorDate: Thu Feb 29 08:21:49 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 08:21:49 2024 +0100 x86/altcall: always use a temporary parameter stashing variable The usage in ALT_CALL_ARG() on clang of: register union { typeof(arg) e; const unsigned long r; } ... When `arg` is the first argument to alternative_{,v}call() and const_vlapic_vcpu() is used results in clang 3.5.0 complaining with: arch/x86/hvm/vlapic.c:141:47: error: non-const static data member must be initialized out of line alternative_call(hvm_funcs.test_pir, const_vlapic_vcpu(vlapic), vec) ) Workaround this by pulling `arg1` into a local variable, like it's done for further arguments (arg2, arg3...) Originally arg1 wasn't pulled into a variable because for the a1_ register local variable the possible clobbering as a result of operators on other variables don't matter: https://gcc.gnu.org/onlinedocs/gcc/Local-Register-Variables.html#Local-Register-Variables Note clang version 3.8.1 seems to already be fixed and don't require the workaround, but since it's harmless do it uniformly everywhere. Reported-by: Andrew Cooper Fixes: 2ce562b2a413 ('x86/altcall: use a union as register type for function parameters on clang') Signed-off-by: Roger Pau Monné Acked-by: Jan Beulich --- xen/arch/x86/include/asm/alternative.h | 36 ++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/xen/arch/x86/include/asm/alternative.h b/xen/arch/x86/include/asm/alternative.h index 3c14db5078..0d3697f1de 100644 --- a/xen/arch/x86/include/asm/alternative.h +++ b/xen/arch/x86/include/asm/alternative.h @@ -253,21 +253,24 @@ extern void alternative_branches(void); }) #define alternative_vcall1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ (void)sizeof(func(arg)); \ (void)alternative_callN(1, int, func); \ }) #define alternative_call1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ alternative_callN(1, typeof(func(arg)), func); \ }) #define alternative_vcall2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ (void)sizeof(func(arg1, arg2)); \ @@ -275,17 +278,19 @@ extern void alternative_branches(void); }) #define alternative_call2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ alternative_callN(2, typeof(func(arg1, arg2)), func); \ }) #define alternative_vcall3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -294,9 +299,10 @@ extern void alternative_branches(void); }) #define alternative_call3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -305,10 +311,11 @@ extern void alternative_branches(void); }) #define alternative_vcall4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -318,10 +325,11 @@ extern void alternative_branches(void); }) #define alternative_call4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -332,11 +340,12 @@ extern void alternative_branches(void); }) #define alternative_vcall5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -347,11 +356,12 @@ extern void alternative_branches(void); }) #define alternative_call5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -363,12 +373,13 @@ extern void alternative_branches(void); }) #define alternative_vcall6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -379,12 +390,13 @@ extern void alternative_branches(void); }) #define alternative_call6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 09:22:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 09:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687591.1071254 (Exim 4.92) (envelope-from ) id 1rfz5h-0005gg-0y; Fri, 01 Mar 2024 09:22:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687591.1071254; Fri, 01 Mar 2024 09:22:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfz5g-0005gY-UV; Fri, 01 Mar 2024 09:22:04 +0000 Received: by outflank-mailman (input) for mailman id 687591; Fri, 01 Mar 2024 09:22:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfz5f-0005gS-P5 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 09:22:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rfz5f-0007rh-Mu for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 09:22:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rfz5f-0007bf-K0 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 09:22:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3sk5231LJX2DM7Nj6jcKUsr3RhuVyhgFKXHos7K178o=; b=PKWgLywrj+RVjMWeZ9SWl2vf/o mXK0/zPmAJ/VJ0mVvQnI2wnQ7YODu24itEHLMCGORrh53DZrwgZH+Sed7rWXUeASeCxhfKwR43Nol OY4BcSTUdZwTYCn5VUsQUaKgeIIQq6gNAWZTiyBf/GsFN6kz3IjrUopjySsriNv2SV/U=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs/misra/rules.rst: Fix entry for 20.12 rule Message-Id: Date: Fri, 01 Mar 2024 09:22:03 +0000 commit efad36f1ba18946acecc030166b1a6bebeb88ea2 Author: Michal Orzel AuthorDate: Fri Mar 1 09:49:47 2024 +0100 Commit: Andrew Cooper CommitDate: Fri Mar 1 09:09:54 2024 +0000 docs/misra/rules.rst: Fix entry for 20.12 rule Commit 4cac80e22600 broke the CI cppcheck jobs by adding an entry for a rule 20.12 with "Severity" and "Summary" fields placed in reverse order. This leads to an error as reported by convert_misra_doc.py: No summary for rule 20.12 Fixes: 4cac80e22600 ("docs/misra/rules.rst: add rule 16.6 and 20.12") Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu --- docs/misra/rules.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst index c185366966..efea063ab9 100644 --- a/docs/misra/rules.rst +++ b/docs/misra/rules.rst @@ -561,10 +561,10 @@ maintainers if you want to suggest a change. - * - `Rule 20.12 `_ + - Required - A macro parameter used as an operand to the # or ## operators, which is itself subject to further macro replacement, shall only be used as an operand to these operators - - Required - Variadic macros are allowed to violate the rule. * - `Rule 20.13 `_ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:55:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687694.1071400 (Exim 4.92) (envelope-from ) id 1rg3Lr-0006Ge-MK; Fri, 01 Mar 2024 13:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687694.1071400; Fri, 01 Mar 2024 13:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Lr-0006GW-Jn; Fri, 01 Mar 2024 13:55:03 +0000 Received: by outflank-mailman (input) for mailman id 687694; Fri, 01 Mar 2024 13:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Lq-0006GL-CT for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Lq-0005Lo-98 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3Lq-0005Cl-7h for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jxaIHQWfLb5vHLGni2kM8trJjsYvurWzN8MvmQ58nkk=; b=6TODAuiJvWgzlvTECUoTasd6By NlwLNYnYfNs+vCCsTTNVFMSUH3U04OgabC32m8jxytbYTnslID9YedR0bWEvlRsiOjttFcNo5Pfzn BtVh+NpyM/8FKe+y6pL4Dx8+ShFJMk+uALS4NLwNQjZLaqUHbo5v7549YPfc3xF/n6fA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/riscv: introduce nospec.h Message-Id: Date: Fri, 01 Mar 2024 13:55:02 +0000 commit 7159164beeb582cb57a3142744d747daae7d59b9 Author: Oleksii Kurochko AuthorDate: Thu Feb 29 16:58:34 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 16:58:34 2024 +0100 xen/riscv: introduce nospec.h From the unpriviliged doc: No standard hints are presently defined. We anticipate standard hints to eventually include memory-system spatial and temporal locality hints, branch prediction hints, thread-scheduling hints, security tags, and instrumentation flags for simulation/emulation. Also, there are no speculation execution barriers. Therefore, functions evaluate_nospec() and block_speculation() should remain empty until a specific platform has an extension to deal with speculation execution. Signed-off-by: Oleksii Kurochko Acked-by: Jan Beulich --- xen/arch/riscv/include/asm/nospec.h | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/xen/arch/riscv/include/asm/nospec.h b/xen/arch/riscv/include/asm/nospec.h new file mode 100644 index 0000000000..e30f0a781b --- /dev/null +++ b/xen/arch/riscv/include/asm/nospec.h @@ -0,0 +1,25 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +/* Copyright (C) 2024 Vates */ + +#ifndef _ASM_RISCV_NOSPEC_H +#define _ASM_RISCV_NOSPEC_H + +static inline bool evaluate_nospec(bool condition) +{ + return condition; +} + +static inline void block_speculation(void) +{ +} + +#endif /* _ASM_RISCV_NOSPEC_H */ + +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:55:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687695.1071405 (Exim 4.92) (envelope-from ) id 1rg3M1-0006IC-O5; Fri, 01 Mar 2024 13:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687695.1071405; Fri, 01 Mar 2024 13:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3M1-0006I4-LF; Fri, 01 Mar 2024 13:55:13 +0000 Received: by outflank-mailman (input) for mailman id 687695; Fri, 01 Mar 2024 13:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3M0-0006Ho-Fp for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3M0-0005MI-F0 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3M0-0005DH-BB for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=AtoAuvD6BPa9eFUXHAWRcx52OjDegSVD3slK6xZe8iQ=; b=jBSiQzc1hGJgPLy8PJWQMO5zjg 6VkaQ/ko5AISZjJ1yqL6D9eLvT9YWURxdZ0NEONTHmex09AvNb2ijMwJikXDORaDnCRLOil8qqZVb +BWe/pPxj5vXLPh+ZR8rDYqGojAhsAchtxVLlUoDxHIE0sdyipRr/D2eu2Qz9XoxPYzM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] config: update Mini-OS commit Message-Id: Date: Fri, 01 Mar 2024 13:55:12 +0000 commit 90c0b97e27fa1ab309fa36096c050464bfb4c5f7 Author: Juergen Gross AuthorDate: Thu Feb 29 13:48:25 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 16:59:46 2024 +0100 config: update Mini-OS commit Update the Mini-OS upstream revision. Signed-off-by: Juergen Gross Acked-by: Jan Beulich --- Config.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Config.mk b/Config.mk index 6f6e0425ba..a962f095ca 100644 --- a/Config.mk +++ b/Config.mk @@ -224,7 +224,7 @@ QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git QEMU_UPSTREAM_REVISION ?= master MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git -MINIOS_UPSTREAM_REVISION ?= 2bc8dbb9b6111113d27455cbca318ea337309c04 +MINIOS_UPSTREAM_REVISION ?= b6a5b4d72b88e5c4faed01f5a44505de022860fc SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git SEABIOS_UPSTREAM_REVISION ?= rel-1.16.3 -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:55:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687696.1071408 (Exim 4.92) (envelope-from ) id 1rg3MB-0006KU-PB; Fri, 01 Mar 2024 13:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687696.1071408; Fri, 01 Mar 2024 13:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3MB-0006KL-Ml; Fri, 01 Mar 2024 13:55:23 +0000 Received: by outflank-mailman (input) for mailman id 687696; Fri, 01 Mar 2024 13:55:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3MA-0006K9-J9 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3MA-0005MX-IC for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3MA-0005Dw-HJ for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=rg1eCwHwJUMbzOOEMSGZRWEpvCEb4IbqXN6xQzB5lmY=; b=5Yd1a5V089q5nef/12c55PX5uw HjFzFzYyOp8ECNalLTbW7HgUh7EW6C1UY2B16nshMp0qJ2zdjw7+uTujTB0B30LQRqmWymFk+GjxV FV8mb+TexiFET3vv6yqcSakLW3lVudrslv5mSs4iKhAMJ1uSm2VhZp3M5XTB/zSuZxDo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] stubdom: extend xenstore stubdom configs Message-Id: Date: Fri, 01 Mar 2024 13:55:22 +0000 commit 254c6f787cd18929d674c5dd5f3f564a4bb51c72 Author: Juergen Gross AuthorDate: Thu Feb 29 13:48:26 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 16:59:59 2024 +0100 stubdom: extend xenstore stubdom configs Extend the config files of the Xenstore stubdoms to include XENBUS and 9PFRONT items in order to support file based logging. Signed-off-by: Juergen Gross Reviewed-by: Jason Andryuk Acked-by: Samuel Thibault --- stubdom/xenstore-minios.cfg | 2 +- stubdom/xenstorepvh-minios.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/stubdom/xenstore-minios.cfg b/stubdom/xenstore-minios.cfg index a41704bb6b..239da519b9 100644 --- a/stubdom/xenstore-minios.cfg +++ b/stubdom/xenstore-minios.cfg @@ -3,7 +3,7 @@ CONFIG_NETFRONT=n CONFIG_FBFRONT=n CONFIG_KBDFRONT=n CONFIG_CONSFRONT=n -CONFIG_XENBUS=n CONFIG_LWIP=n +CONFIG_9PFRONT=y CONFIG_BALLOON=y XEN_INTERFACE_VERSION=__XEN_LATEST_INTERFACE_VERSION__ diff --git a/stubdom/xenstorepvh-minios.cfg b/stubdom/xenstorepvh-minios.cfg index 6af51f5753..752b90d7d3 100644 --- a/stubdom/xenstorepvh-minios.cfg +++ b/stubdom/xenstorepvh-minios.cfg @@ -4,7 +4,7 @@ CONFIG_NETFRONT=n CONFIG_FBFRONT=n CONFIG_KBDFRONT=n CONFIG_CONSFRONT=n -CONFIG_XENBUS=n CONFIG_LWIP=n +CONFIG_9PFRONT=y CONFIG_BALLOON=y XEN_INTERFACE_VERSION=__XEN_LATEST_INTERFACE_VERSION__ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:55:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:55:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687698.1071412 (Exim 4.92) (envelope-from ) id 1rg3ML-0006NG-Qu; Fri, 01 Mar 2024 13:55:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687698.1071412; Fri, 01 Mar 2024 13:55:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3ML-0006N6-OJ; Fri, 01 Mar 2024 13:55:33 +0000 Received: by outflank-mailman (input) for mailman id 687698; Fri, 01 Mar 2024 13:55:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3MK-0006Mw-MO for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3MK-0005Mh-Lh for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3MK-0005EM-KQ for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=F929ArnQ4qxwlfJN1cDCySo7dd7VyvgyMjxDyYfpjL0=; b=Ili+daiYl1JJRZPwBQVw/txsHZ 8oeRapCeD2Qn4jCspGvgbOn5gNHetwMMt5f7gyJxWnQyB1IjYPshWkEbvJ42xfNXiJH1DNmAn2FsS 3B/83AxrGyKZGIdWVM1uplksQxMs1YRUXGN7oKg1AjHFcPYpFBea2aSU6iA9X9IgrJzI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/xenstored: mount 9pfs device in stubdom Message-Id: Date: Fri, 01 Mar 2024 13:55:32 +0000 commit 0a999849c82e9e3c060280cc6c3362f86d96cf26 Author: Juergen Gross AuthorDate: Thu Feb 29 13:48:27 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 17:00:04 2024 +0100 tools/xenstored: mount 9pfs device in stubdom Mount the 9pfs device in stubdom enabling it to use files. This has to happen in a worker thread in order to allow the main thread handling the required Xenstore accesses in parallel. Signed-off-by: Juergen Gross Reviewed-by: Jason Andryuk Reviewed-by: Julien Grall --- tools/xenstored/core.h | 6 ++++++ tools/xenstored/domain.c | 2 ++ tools/xenstored/minios.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 62 insertions(+) diff --git a/tools/xenstored/core.h b/tools/xenstored/core.h index f6af086f01..fe0ee90581 100644 --- a/tools/xenstored/core.h +++ b/tools/xenstored/core.h @@ -36,6 +36,8 @@ #include "list.h" #include "hashtable.h" +#define XENSTORE_LIB_DIR XEN_LIB_DIR "/xenstore" + #ifndef O_CLOEXEC #define O_CLOEXEC 0 /* O_CLOEXEC support is needed for Live Update in the daemon case. */ @@ -399,6 +401,10 @@ void handle_special_fds(void); int get_socket_fd(void); void set_socket_fd(int fd); +#ifdef __MINIOS__ +void mount_9pfs(void); +#endif + /* Close stdin/stdout/stderr to complete daemonize */ void finish_daemonize(void); diff --git a/tools/xenstored/domain.c b/tools/xenstored/domain.c index 1a7d5e9756..64c8fd0cc3 100644 --- a/tools/xenstored/domain.c +++ b/tools/xenstored/domain.c @@ -1236,6 +1236,8 @@ void stubdom_init(void) barf_perror("Failed to initialize stubdom"); xenevtchn_notify(xce_handle, stubdom->port); + + mount_9pfs(); #endif } diff --git a/tools/xenstored/minios.c b/tools/xenstored/minios.c index 22ac8defbd..562a9b4972 100644 --- a/tools/xenstored/minios.c +++ b/tools/xenstored/minios.c @@ -17,10 +17,20 @@ */ #include #include +#include +#include "talloc.h" #include "core.h" #include "utils.h" #include #include +#include +#include +#include +#include + +#define P9_STATE_PATH "device/9pfs/0/state" + +static void *p9_device; void finish_daemonize(void) { @@ -74,3 +84,47 @@ int get_socket_fd(void) void set_socket_fd(int fd) { } + +static void mount_thread(void *p) +{ + xenbus_event_queue events = NULL; + char *err; + char *dummy; + + err = xenbus_watch_path_token(XBT_NIL, P9_STATE_PATH, "9pfs", &events); + if (err) { + log("error \"%s\" when setting watch on \"%s\"\n", err, + P9_STATE_PATH); + free(err); + return; + } + + for (;;) { + xenbus_wait_for_watch(&events); + + /* + * We only care for existence of the state node. + * State changes are handled in init_9pfront(). + */ + err = xenbus_read(XBT_NIL, P9_STATE_PATH, &dummy); + if (!err) + break; + free(err); + } + + free(dummy); + + err = xenbus_unwatch_path_token(XBT_NIL, P9_STATE_PATH, "9pfs"); + if (err) { + log("error \"%s\" when unwatching \"%s\", leaking watch\n", + err, P9_STATE_PATH); + free(err); + } + + p9_device = init_9pfront(0, XENSTORE_LIB_DIR); +} + +void mount_9pfs(void) +{ + create_thread("mount-9pfs", mount_thread, NULL); +} -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:55:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:55:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687699.1071417 (Exim 4.92) (envelope-from ) id 1rg3MV-0006QL-Sk; Fri, 01 Mar 2024 13:55:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687699.1071417; Fri, 01 Mar 2024 13:55:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3MV-0006QE-Pt; Fri, 01 Mar 2024 13:55:43 +0000 Received: by outflank-mailman (input) for mailman id 687699; Fri, 01 Mar 2024 13:55:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3MU-0006Py-Q2 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3MU-0005Mo-PJ for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3MU-0005Em-O0 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=IgA//arXbRaDJg+74nLYp/nQO8FKyBAD36z5fySffHs=; b=fnBezOWgImX/OyCrez0ghe4elB EZv5ZL91k3W5hK8+fKaUfGqjKYTb9gD20KS1Lt2U+8N1er3HyaT4Cf99O+nwEPpWwABjWvasTewxj btp8ACyEiTHSFGITzvgbWiqoEEWvYziqsXhvRDVLUmJxkmG4SgaANMS5/AHpPQb/4JR4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/xenstored: add helpers for filename handling Message-Id: Date: Fri, 01 Mar 2024 13:55:42 +0000 commit 2a750fcf7de5d39d1144e9db3bde8a91a3829e4a Author: Juergen Gross AuthorDate: Thu Feb 29 13:48:28 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 17:00:09 2024 +0100 tools/xenstored: add helpers for filename handling Add some helpers for handling filenames which might need different implementations between stubdom and daemon environments: - expansion of relative filenames (those are not really defined today, just expand them to be relative to /var/lib/xen/xenstore) - expansion of xenstore_daemon_rundir() (used e.g. for saving the state file in case of live update - needs to be unchanged in the daemon case, but should result in /var/lib/xen/xenstore for stubdom) Signed-off-by: Juergen Gross Reviewed-by: Jason Andryuk Reviewed-by: Julien Grall --- tools/xenstored/core.c | 15 +++++++++++++-- tools/xenstored/core.h | 5 ++++- tools/xenstored/lu_daemon.c | 4 ++-- tools/xenstored/minios.c | 5 +++++ tools/xenstored/posix.c | 8 +++++++- 5 files changed, 31 insertions(+), 6 deletions(-) diff --git a/tools/xenstored/core.c b/tools/xenstored/core.c index 48fc787ac1..bada1ad9a2 100644 --- a/tools/xenstored/core.c +++ b/tools/xenstored/core.c @@ -63,7 +63,7 @@ char **orig_argv; LIST_HEAD(connections); int tracefd = -1; bool keep_orphans = false; -char *tracefile = NULL; +const char *tracefile = NULL; static struct hashtable *nodes; unsigned int trace_flags = TRACE_OBJ | TRACE_IO; @@ -137,6 +137,17 @@ void trace_destroy(const void *data, const char *type) trace("obj: DESTROY %s %p\n", type, data); } +/* + * Return an absolute filename. + * In case of a relative filename given as input, prepend XENSTORE_LIB_DIR. + */ +const char *absolute_filename(const void *ctx, const char *filename) +{ + if (filename[0] != '/') + return talloc_asprintf(ctx, XENSTORE_LIB_DIR "/%s", filename); + return talloc_strdup(ctx, filename); +} + void close_log(void) { if (tracefd >= 0) @@ -2759,7 +2770,7 @@ int main(int argc, char *argv[]) #endif if (tracefile) - tracefile = talloc_strdup(NULL, tracefile); + tracefile = absolute_filename(NULL, tracefile); #ifndef NO_LIVE_UPDATE /* Read state in case of live update. */ diff --git a/tools/xenstored/core.h b/tools/xenstored/core.h index fe0ee90581..e58779e88c 100644 --- a/tools/xenstored/core.h +++ b/tools/xenstored/core.h @@ -341,7 +341,7 @@ void close_log(void); extern int orig_argc; extern char **orig_argv; -extern char *tracefile; +extern const char *tracefile; extern int tracefd; /* Trace flag values must be kept in sync with trace_switches[] contents. */ @@ -405,6 +405,9 @@ void set_socket_fd(int fd); void mount_9pfs(void); #endif +const char *xenstore_rundir(void); +const char *absolute_filename(const void *ctx, const char *filename); + /* Close stdin/stdout/stderr to complete daemonize */ void finish_daemonize(void); diff --git a/tools/xenstored/lu_daemon.c b/tools/xenstored/lu_daemon.c index 71bcabadd3..6351111ab0 100644 --- a/tools/xenstored/lu_daemon.c +++ b/tools/xenstored/lu_daemon.c @@ -24,7 +24,7 @@ void lu_get_dump_state(struct lu_dump_state *state) state->size = 0; state->filename = talloc_asprintf(NULL, "%s/state_dump", - xenstore_daemon_rundir()); + xenstore_rundir()); if (!state->filename) barf("Allocation failure"); @@ -65,7 +65,7 @@ FILE *lu_dump_open(const void *ctx) int fd; filename = talloc_asprintf(ctx, "%s/state_dump", - xenstore_daemon_rundir()); + xenstore_rundir()); if (!filename) return NULL; diff --git a/tools/xenstored/minios.c b/tools/xenstored/minios.c index 562a9b4972..e70386f8c7 100644 --- a/tools/xenstored/minios.c +++ b/tools/xenstored/minios.c @@ -128,3 +128,8 @@ void mount_9pfs(void) { create_thread("mount-9pfs", mount_thread, NULL); } + +const char *xenstore_rundir(void) +{ + return XENSTORE_LIB_DIR; +} diff --git a/tools/xenstored/posix.c b/tools/xenstored/posix.c index 496329dfd1..d88c82d972 100644 --- a/tools/xenstored/posix.c +++ b/tools/xenstored/posix.c @@ -326,9 +326,10 @@ void early_init(bool live_update, bool dofork, const char *pidfile) { reopen_log(); - /* Make sure xenstored directory exists. */ + /* Make sure xenstored directories exist. */ /* Errors ignored here, will be reported when we open files */ mkdir(xenstore_daemon_rundir(), 0755); + mkdir(XENSTORE_LIB_DIR, 0755); if (dofork) { openlog("xenstored", 0, LOG_DAEMON); @@ -406,3 +407,8 @@ void set_socket_fd(int fd) { sock = fd; } + +const char *xenstore_rundir(void) +{ + return xenstore_daemon_rundir(); +} -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:55:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:55:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687700.1071420 (Exim 4.92) (envelope-from ) id 1rg3Mf-0006Tz-Tr; Fri, 01 Mar 2024 13:55:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687700.1071420; Fri, 01 Mar 2024 13:55:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Mf-0006Ts-RO; Fri, 01 Mar 2024 13:55:53 +0000 Received: by outflank-mailman (input) for mailman id 687700; Fri, 01 Mar 2024 13:55:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Me-0006Tb-Tn for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Me-0005Mv-T0 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3Me-0005FF-RT for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:55:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2pCk3Jw93koIHe87FV9Z5+qLpGq7Emx5S+BtDhA+muQ=; b=elrfIxUlMJ4GgeaOmj3aFELar2 9n0rcytEUtiAFwcdZ6HK8lmPLODFxdilt8KmzOQOFu93KYfVDPZ1C3Znp7iquY6Px3Wuk117FgxGD FuzGuzhq5d/84TBkwnARpdJol5yw89lNs9MqfnvtqBBv3z0nx5jYOm4QW9UGPSDEvgqI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/xenstored: support complete log capabilities in stubdom Message-Id: Date: Fri, 01 Mar 2024 13:55:52 +0000 commit 8937d44628f79e0aa6b6a392fe9a18b2efcd9f4c Author: Juergen Gross AuthorDate: Thu Feb 29 13:48:29 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 17:00:14 2024 +0100 tools/xenstored: support complete log capabilities in stubdom With 9pfs being fully available in Xenstore-stubdom now, there is no reason to not fully support all logging capabilities in stubdom. Open the logfile on stubdom only after the 9pfs file system has been mounted. Signed-off-by: Juergen Gross Reviewed-by: Jason Andryuk Reviewed-by: Julien Grall Acked-by: Anthony PERARD --- tools/hotplug/Linux/init.d/sysconfig.xencommons.in | 1 - tools/hotplug/Linux/launch-xenstore.in | 1 + tools/xenstored/control.c | 30 +++++++++++----------- tools/xenstored/minios.c | 3 +++ 4 files changed, 19 insertions(+), 16 deletions(-) diff --git a/tools/hotplug/Linux/init.d/sysconfig.xencommons.in b/tools/hotplug/Linux/init.d/sysconfig.xencommons.in index 433e4849af..1bdd830d8a 100644 --- a/tools/hotplug/Linux/init.d/sysconfig.xencommons.in +++ b/tools/hotplug/Linux/init.d/sysconfig.xencommons.in @@ -58,7 +58,6 @@ XENSTORED_ARGS= ## Default: Not defined, tracing off # # Log xenstored messages -# Only evaluated if XENSTORETYPE is "daemon". #XENSTORED_TRACE=[yes|on|1] ## Type: integer diff --git a/tools/hotplug/Linux/launch-xenstore.in b/tools/hotplug/Linux/launch-xenstore.in index e854ca1eb8..da4eeca7c5 100644 --- a/tools/hotplug/Linux/launch-xenstore.in +++ b/tools/hotplug/Linux/launch-xenstore.in @@ -98,6 +98,7 @@ test -f @CONFIG_DIR@/@CONFIG_LEAF_DIR@/xencommons && . @CONFIG_DIR@/@CONFIG_LEAF [ -z "$XENSTORE_DOMAIN_SIZE" ] && XENSTORE_DOMAIN_SIZE=8 XENSTORE_DOMAIN_ARGS="$XENSTORE_DOMAIN_ARGS --memory $XENSTORE_DOMAIN_SIZE" [ -z "$XENSTORE_MAX_DOMAIN_SIZE" ] || XENSTORE_DOMAIN_ARGS="$XENSTORE_DOMAIN_ARGS --maxmem $XENSTORE_MAX_DOMAIN_SIZE" + [ -z "$XENSTORED_TRACE" ] || XENSTORE_DOMAIN_ARGS="$XENSTORE_DOMAIN_ARGS -T xenstored-trace.log" echo -n Starting $XENSTORE_DOMAIN_KERNEL... ${LIBEXEC_BIN}/init-xenstore-domain $XENSTORE_DOMAIN_ARGS || exit 1 diff --git a/tools/xenstored/control.c b/tools/xenstored/control.c index b2f64d674f..dae23a5ac0 100644 --- a/tools/xenstored/control.c +++ b/tools/xenstored/control.c @@ -201,19 +201,6 @@ static int do_control_quota_s(const void *ctx, struct connection *conn, return EINVAL; } -#ifdef __MINIOS__ -static int do_control_memreport(const void *ctx, struct connection *conn, - const char **vec, int num) -{ - if (num) - return EINVAL; - - talloc_report_full(NULL, stdout); - - send_ack(conn, XS_CONTROL); - return 0; -} -#else static int do_control_logfile(const void *ctx, struct connection *conn, const char **vec, int num) { @@ -222,13 +209,26 @@ static int do_control_logfile(const void *ctx, struct connection *conn, close_log(); talloc_free(tracefile); - tracefile = talloc_strdup(NULL, vec[0]); + tracefile = absolute_filename(NULL, vec[0]); reopen_log(); send_ack(conn, XS_CONTROL); return 0; } +#ifdef __MINIOS__ +static int do_control_memreport(const void *ctx, struct connection *conn, + const char **vec, int num) +{ + if (num) + return EINVAL; + + talloc_report_full(NULL, stdout); + + send_ack(conn, XS_CONTROL); + return 0; +} +#else static int do_control_memreport(const void *ctx, struct connection *conn, const char **vec, int num) { @@ -309,10 +309,10 @@ static struct cmd_s cmds[] = { "[-c ] [-F] [-t ] \n" " Default timeout is 60 seconds.", 5 }, #endif + { "logfile", do_control_logfile, "" }, #ifdef __MINIOS__ { "memreport", do_control_memreport, "" }, #else - { "logfile", do_control_logfile, "" }, { "memreport", do_control_memreport, "[]" }, #endif { "print", do_control_print, "" }, diff --git a/tools/xenstored/minios.c b/tools/xenstored/minios.c index e70386f8c7..a229954cf4 100644 --- a/tools/xenstored/minios.c +++ b/tools/xenstored/minios.c @@ -122,6 +122,9 @@ static void mount_thread(void *p) } p9_device = init_9pfront(0, XENSTORE_LIB_DIR); + + /* Start logging if selected. */ + reopen_log(); } void mount_9pfs(void) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:56:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:56:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687701.1071425 (Exim 4.92) (envelope-from ) id 1rg3Mp-0006WT-Vt; Fri, 01 Mar 2024 13:56:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687701.1071425; Fri, 01 Mar 2024 13:56:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Mp-0006WM-T0; Fri, 01 Mar 2024 13:56:03 +0000 Received: by outflank-mailman (input) for mailman id 687701; Fri, 01 Mar 2024 13:56:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Mp-0006WB-0B for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Mo-0005NF-Vi for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3Mo-0005GR-V6 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=K1UqGRmYDZLg+z1J7Ia9a7Lm5pNUhyVQ7iqd5yGjdWM=; b=6anWVSMdfJgKAb8wtNucAnLPAK g58F51VOO9rfxT7XldWn58qmZqan0jWDw8XP5KVz/yebu7O/78f13N7GTyI8LhEX9jJ3HT3s7Uh2E KKjIMPrSukwMkBunbQ6DuCIo7TJHfH1o4MMgwYW8D6pako2J8J7K4pst8NFCPpxr9Rec=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/xenstored: have a single do_control_memreport() Message-Id: Date: Fri, 01 Mar 2024 13:56:02 +0000 commit d388673d1ba849de6a7a9a135901ea73db2fcf7a Author: Juergen Gross AuthorDate: Thu Feb 29 13:48:30 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 17:00:19 2024 +0100 tools/xenstored: have a single do_control_memreport() With 9pfs now available in Xenstore-stubdom, there is no reason to have distinct do_control_memreport() variants for the daemon and the stubdom implementations. Signed-off-by: Juergen Gross Reviewed-by: Jason Andryuk --- tools/xenstored/control.c | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/tools/xenstored/control.c b/tools/xenstored/control.c index dae23a5ac0..9561289179 100644 --- a/tools/xenstored/control.c +++ b/tools/xenstored/control.c @@ -216,23 +216,11 @@ static int do_control_logfile(const void *ctx, struct connection *conn, return 0; } -#ifdef __MINIOS__ -static int do_control_memreport(const void *ctx, struct connection *conn, - const char **vec, int num) -{ - if (num) - return EINVAL; - - talloc_report_full(NULL, stdout); - - send_ack(conn, XS_CONTROL); - return 0; -} -#else static int do_control_memreport(const void *ctx, struct connection *conn, const char **vec, int num) { FILE *fp; + const char *filename; int fd; if (num > 1) @@ -255,8 +243,12 @@ static int do_control_memreport(const void *ctx, struct connection *conn, if (!fp) close(fd); } - } else - fp = fopen(vec[0], "a"); + } else { + filename = absolute_filename(ctx, vec[0]); + if (!filename) + return ENOMEM; + fp = fopen(filename, "a"); + } if (!fp) return EBADF; @@ -267,7 +259,6 @@ static int do_control_memreport(const void *ctx, struct connection *conn, send_ack(conn, XS_CONTROL); return 0; } -#endif static int do_control_print(const void *ctx, struct connection *conn, const char **vec, int num) @@ -310,11 +301,7 @@ static struct cmd_s cmds[] = { " Default timeout is 60 seconds.", 5 }, #endif { "logfile", do_control_logfile, "" }, -#ifdef __MINIOS__ - { "memreport", do_control_memreport, "" }, -#else { "memreport", do_control_memreport, "[]" }, -#endif { "print", do_control_print, "" }, { "quota", do_control_quota, "[set ||max [-r]]" }, -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:56:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:56:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687702.1071429 (Exim 4.92) (envelope-from ) id 1rg3N1-0006Zn-3C; Fri, 01 Mar 2024 13:56:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687702.1071429; Fri, 01 Mar 2024 13:56:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3N1-0006Zf-0V; Fri, 01 Mar 2024 13:56:15 +0000 Received: by outflank-mailman (input) for mailman id 687702; Fri, 01 Mar 2024 13:56:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Mz-0006ZL-2w for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3Mz-0005Ny-2G for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3Mz-0005H7-1X for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+yX1Ln8mMPqTSH4f1kJBC2HCIVdDrzI5MHdaPLRTIUs=; b=4MU87cBLOGqMuRFliUG3UlbRat /SFbswSaVB7G8iwo4N7L4gy8+A8a72/Il/gJ/NGI0QqUfDFh6ApJWl5sICBNDvUa/SGwGj6kEbMps o/0CTBGxXd0ETAxgAmrQRszmLHEk9RFz/Dusy0VyuPFojTPlnagUzPrdMuL13skowYmU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] pci: fix locking around vPCI removal in pci_remove_device() Message-Id: Date: Fri, 01 Mar 2024 13:56:13 +0000 commit 635dd1120a01961a39dce6ad3f09692681379378 Author: Roger Pau Monné AuthorDate: Thu Feb 29 17:00:40 2024 +0100 Commit: Jan Beulich CommitDate: Thu Feb 29 17:00:40 2024 +0100 pci: fix locking around vPCI removal in pci_remove_device() Currently vpci_deassign_device() is called without holding the per-domain pci_lock in pci_remove_device(), which leads to: Assertion 'rw_is_write_locked(&pdev->domain->pci_lock)' failed at ../drivers/vpci/vpci.c:47 [...] Xen call trace: [] R vpci_deassign_device+0x10d/0x1b9 [] S pci_remove_device+0x2b1/0x380 [] F pci_physdev_op+0x197/0x19e [] F do_physdev_op+0x342/0x12aa [] F pv_hypercall+0x58e/0x62b [] F lstar_enter+0x13a/0x140 Move the existing block that removes the device from the domain pdev_list ahead and also issue the call to vpci_deassign_device() there. It's fine to remove the device from the domain list of assigned devices, as further functions only care that the pdev domain field is correctly set to the owner of the device about to be removed. Moving the vpci_deassign_device() past the pci_cleanup_msi() call can be dangerous, as doing the MSI cleanup ahead of having removed the vPCI handlers could lead to stale data in vPCI MSI(-X) internal structures. Fixes: 4f78438b45e2 ('vpci: use per-domain PCI lock to protect vpci structure') Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich Reviewed-by: Stewart Hildebrand --- xen/drivers/passthrough/pci.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 4c0a836486..194701c913 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -817,15 +817,15 @@ int pci_remove_device(u16 seg, u8 bus, u8 devfn) list_for_each_entry ( pdev, &pseg->alldevs_list, alldevs_list ) if ( pdev->bus == bus && pdev->devfn == devfn ) { - vpci_deassign_device(pdev); - pci_cleanup_msi(pdev); - ret = iommu_remove_device(pdev); if ( pdev->domain ) { write_lock(&pdev->domain->pci_lock); + vpci_deassign_device(pdev); list_del(&pdev->domain_list); write_unlock(&pdev->domain->pci_lock); } + pci_cleanup_msi(pdev); + ret = iommu_remove_device(pdev); printk(XENLOG_DEBUG "PCI remove device %pp\n", &pdev->sbdf); free_pdev(pseg, pdev); break; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:56:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:56:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687703.1071433 (Exim 4.92) (envelope-from ) id 1rg3NB-0006cH-4X; Fri, 01 Mar 2024 13:56:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687703.1071433; Fri, 01 Mar 2024 13:56:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3NB-0006c9-26; Fri, 01 Mar 2024 13:56:25 +0000 Received: by outflank-mailman (input) for mailman id 687703; Fri, 01 Mar 2024 13:56:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3N9-0006bz-8V for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3N9-0005O7-59 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3N9-0005Hf-4N for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DaNabeJvwqHi2e7ynYH0pD9KSkS9gsshISKspGc8sTU=; b=QfAofDagruM+2swnkQ8uTa7TJr +Q4sqhGLTaTqERXlen2/PYk/HdxeKVKVzP079oGsCRyF4Tey00+ZR93cJm3rwhmoWTN/P09ENuY5O HaXUIDq5Z4PPqCVu+HBTH8FaiEXV0sYB6TWrFWQRuNi7vIwpHAZgJ7o6Zza+NZBqPiKg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] automation/eclair: fully deviate MISRA C:2012 Rules 5.7 and 18.7 Message-Id: Date: Fri, 01 Mar 2024 13:56:23 +0000 commit b87697fc1a6fbc3f2e1570af5a58e36a42c333cf Author: Federico Serafini AuthorDate: Fri Feb 23 10:06:59 2024 +0100 Commit: Stefano Stabellini CommitDate: Thu Feb 29 15:23:31 2024 -0800 automation/eclair: fully deviate MISRA C:2012 Rules 5.7 and 18.7 Update ECLAIR configuration to fully deviate Rules 5.7 and 18.7 as agreed during MISRA meeetings. Signed-off-by: Federico Serafini Reviewed-by: Stefano Stabellini --- automation/eclair_analysis/ECLAIR/deviations.ecl | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl index fd32ff8a9c..02eae39786 100644 --- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl @@ -107,6 +107,11 @@ number of guest paging levels." -config=MC3R1.R5.6,reports+={deliberate,"any_area(any_loc(file(adopted_r5_6)))"} -doc_end +-doc_begin="The project intentionally reuses tag names in order to have identifiers matching the applicable external specifications as well as established internal conventions. +As there is little possibility for developer confusion not resulting into compilation errors, the risk of renaming outweighs the potential advantages of compliance." +-config=MC3R1.R5.7,reports+={deliberate,"any()"} +-doc_end + # # Series 7. # @@ -373,6 +378,15 @@ explicit comment indicating the fallthrough intention is present." -config=MC3R1.R16.3,reports+={safe, "any_area(end_loc(any_exp(text(^(?s).*/\\* [fF]all ?through.? \\*/.*$,0..1))))"} -doc_end +# +# Series 18. +# + +-doc_begin="Flexible array members are deliberately used and XEN developers are aware of the dangers related to them: +unexpected result when the structure is given as argument to a sizeof() operator and the truncation in assignment between structures." +-config=MC3R1.R18.7,reports+={deliberate, "any()"} +-doc_end + # # Series 20. # -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:56:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:56:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687704.1071437 (Exim 4.92) (envelope-from ) id 1rg3NL-0006eu-67; Fri, 01 Mar 2024 13:56:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687704.1071437; Fri, 01 Mar 2024 13:56:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3NL-0006em-3T; Fri, 01 Mar 2024 13:56:35 +0000 Received: by outflank-mailman (input) for mailman id 687704; Fri, 01 Mar 2024 13:56:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3NJ-0006eT-8m for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3NJ-0005OJ-7x for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3NJ-0005IH-7B for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FBkG/nJA4B1/O6kpXvjnJu2e2l286/3LAu3uMlJy//s=; b=21QNlA4YnHpi2GE9fYZBsSnRJf 6uO7e7sNFMIb7Z9ZI/a/Dv0IDJEESByUg4+rskAptPFKMhdbajmGEfx8+THkzAm8zt5XEB1/mBoir PwuY7TjVV6m27CGZ0hMQvSPZCqBXKz0CzPaKl8ft4crn3Fk7OJZfbkcp5B7kTHNMnyd4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] automation/eclair: tag MISRA C:2012 Rule 8.2 as clean Message-Id: Date: Fri, 01 Mar 2024 13:56:33 +0000 commit e1de3a0536c6b0de86d4e7e262903143d0f7c95c Author: Federico Serafini AuthorDate: Fri Feb 23 10:07:00 2024 +0100 Commit: Stefano Stabellini CommitDate: Thu Feb 29 15:23:31 2024 -0800 automation/eclair: tag MISRA C:2012 Rule 8.2 as clean Update ECLAIR configuration to consider Rule 8.2 as clean. Signed-off-by: Federico Serafini Acked-by: Stefano Stabellini --- automation/eclair_analysis/ECLAIR/tagging.ecl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/automation/eclair_analysis/ECLAIR/tagging.ecl b/automation/eclair_analysis/ECLAIR/tagging.ecl index 900c532196..a1dea32b21 100644 --- a/automation/eclair_analysis/ECLAIR/tagging.ecl +++ b/automation/eclair_analysis/ECLAIR/tagging.ecl @@ -30,7 +30,7 @@ -doc_begin="Clean guidelines: new violations for these guidelines are not accepted." --service_selector={clean_guidelines_common,"MC3R1.D1.1||MC3R1.D2.1||MC3R1.D4.11||MC3R1.D4.14||MC3R1.R1.1||MC3R1.R1.3||MC3R1.R1.4||MC3R1.R2.2||MC3R1.R3.1||MC3R1.R3.2||MC3R1.R4.1||MC3R1.R4.2||MC3R1.R5.1||MC3R1.R5.2||MC3R1.R5.4||MC3R1.R5.6||MC3R1.R6.1||MC3R1.R6.2||MC3R1.R7.1||MC3R1.R8.1||MC3R1.R8.5||MC3R1.R8.6||MC3R1.R8.8||MC3R1.R8.10||MC3R1.R8.12||MC3R1.R8.14||MC3R1.R9.2||MC3R1.R9.4||MC3R1.R9.5||MC3R1.R12.5||MC3R1.R17.3||MC3R1.R17.4||MC3R1.R17.6||MC3R1.R20.13||MC3R1.R20.14||MC3R1.R21.13||MC3R1.R21.19||MC3R1.R21.21||MC3R1.R22.2||MC3R1.R22.4||MC3R1.R22.5||MC3R1.R22.6" +-service_selector={clean_guidelines_common,"MC3R1.D1.1||MC3R1.D2.1||MC3R1.D4.11||MC3R1.D4.14||MC3R1.R1.1||MC3R1.R1.3||MC3R1.R1.4||MC3R1.R2.2||MC3R1.R3.1||MC3R1.R3.2||MC3R1.R4.1||MC3R1.R4.2||MC3R1.R5.1||MC3R1.R5.2||MC3R1.R5.4||MC3R1.R5.6||MC3R1.R6.1||MC3R1.R6.2||MC3R1.R7.1||MC3R1.R8.1||MC3R1.R8.2||MC3R1.R8.5||MC3R1.R8.6||MC3R1.R8.8||MC3R1.R8.10||MC3R1.R8.12||MC3R1.R8.14||MC3R1.R9.2||MC3R1.R9.4||MC3R1.R9.5||MC3R1.R12.5||MC3R1.R17.3||MC3R1.R17.4||MC3R1.R17.6||MC3R1.R20.13||MC3R1.R20.14||MC3R1.R21.13||MC3R1.R21.19||MC3R1.R21.21||MC3R1.R22.2||MC3R1.R22.4||MC3R1.R22.5||MC3R1.R22.6" } -setq=target,getenv("XEN_TARGET_ARCH") -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 13:56:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 13:56:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687705.1071441 (Exim 4.92) (envelope-from ) id 1rg3NV-0006hg-7f; Fri, 01 Mar 2024 13:56:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687705.1071441; Fri, 01 Mar 2024 13:56:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3NV-0006hY-4r; Fri, 01 Mar 2024 13:56:45 +0000 Received: by outflank-mailman (input) for mailman id 687705; Fri, 01 Mar 2024 13:56:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3NT-0006hM-CM for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg3NT-0005OW-BR for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg3NT-0005Ii-A5 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 13:56:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=J3IqxpGI74dbwC+xrYkCK+jZrWK6KVy3auwG3nQtNFw=; b=sxqkvEwZwprJxsvrw0iTdvG4Jx BB2Im+flv3FmkZzn9PluLTDPj/aiEC3hXpgj8LsZnSeQxDxbaN/aPmE9k9FQZVWVH/vCcUoO9+dWK WzwCPCKna5RJZ09q8tcVhsbxHzf0+EpX+u37HrpOP47ic3RWfjmB/xhmkE7J2YSHHcBI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs/misra/rules.rst: add rule 16.6 and 20.12 Message-Id: Date: Fri, 01 Mar 2024 13:56:43 +0000 commit 4cac80e22600d5a38d77c65e9a6507c752efc155 Author: Stefano Stabellini AuthorDate: Tue Feb 13 14:33:32 2024 -0800 Commit: Stefano Stabellini CommitDate: Thu Feb 29 15:24:39 2024 -0800 docs/misra/rules.rst: add rule 16.6 and 20.12 Signed-off-by: Stefano Stabellini Acked-by: Julien Grall --- docs/misra/rules.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst index 182331089d..c185366966 100644 --- a/docs/misra/rules.rst +++ b/docs/misra/rules.rst @@ -478,6 +478,12 @@ maintainers if you want to suggest a change. adhere to Rule 16.2 would result in increased complexity and maintenance difficulty, and could potentially introduce bugs. + * - `Rule 16.6 `_ + - Required + - Every switch statement shall have at least two switch-clauses + - Single-clause switches are allowed when they do not involve a + default label. + * - `Rule 16.7 `_ - Required - A switch-expression shall not have essentially Boolean type @@ -554,6 +560,13 @@ maintainers if you want to suggest a change. evaluation - + * - `Rule 20.12 `_ + - A macro parameter used as an operand to the # or ## operators, + which is itself subject to further macro replacement, shall only + be used as an operand to these operators + - Required + - Variadic macros are allowed to violate the rule. + * - `Rule 20.13 `_ - Required - A line whose first token is # shall be a valid preprocessing -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 20:22:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 20:22:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687789.1071589 (Exim 4.92) (envelope-from ) id 1rg9OZ-0001qK-6P; Fri, 01 Mar 2024 20:22:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687789.1071589; Fri, 01 Mar 2024 20:22:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9OZ-0001qC-3Y; Fri, 01 Mar 2024 20:22:15 +0000 Received: by outflank-mailman (input) for mailman id 687789; Fri, 01 Mar 2024 20:22:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9OX-0001q6-LA for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9OX-00064E-KQ for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg9OX-0002QZ-J8 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=51vAWBUmE1t/HjML4pa8ZvePZc4c9xKwtnT2oi+LYfw=; b=RJYRJeEiF4cjoo4pm9dcRzJHZe uB+G3N3+sQzig+boIdxGhQJwDUcz8wwp3JxLv6Jxf9vOG4E2484UC8lmwv+wHtTZkMsSpwp9l4D/0 eI7zgO7HWkUIAPlv74wF9PK/9x3m6d1wW2ssMepHXC3ijDHHagUHQ0Yf1xIMJ1UwvQz8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/cpu-policy: Fix visibility of HTT/CMP_LEGACY in max policies Message-Id: Date: Fri, 01 Mar 2024 20:22:13 +0000 commit e2d8a652251660c3252d92b442e1a9c5d6e6a1e9 Author: Andrew Cooper AuthorDate: Wed Feb 28 20:22:24 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 x86/cpu-policy: Fix visibility of HTT/CMP_LEGACY in max policies The block in recalculate_cpuid_policy() predates the proper split between default and max policies, and was a "slightly max for a toolstack which knows about it" capability. It didn't get transformed properly in Xen 4.14. Because Xen will accept a VM with HTT/CMP_LEGACY seen, they should be visible in the max polices. Keep the default policy matching host settings. This manifested as an incorrectly-rejected migration across XenServer's Xen 4.13 -> 4.17 upgrade, as Xapi is slowly growing the logic to check a VM against the target max policy. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/arch/x86/cpu-policy.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index a4327abd13..609db6946f 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -454,6 +454,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) raw_cpu_policy.feat.clwb ) __set_bit(X86_FEATURE_CLWB, fs); } + + /* + * Topology information inside the guest is entirely at the toolstack's + * discretion, and bears no relationship to the host we're running on. + * + * HTT identifies p->basic.lppp as valid + * CMP_LEGACY identifies p->extd.nc as valid + */ + __set_bit(X86_FEATURE_HTT, fs); + __set_bit(X86_FEATURE_CMP_LEGACY, fs); } static void __init guest_common_default_feature_adjustments(uint32_t *fs) @@ -490,6 +500,18 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) __clear_bit(X86_FEATURE_CLWB, fs); } + /* + * Topology information is at the toolstack's discretion so these are + * unconditionally set in max, but pick a default which matches the host. + */ + __clear_bit(X86_FEATURE_HTT, fs); + if ( cpu_has_htt ) + __set_bit(X86_FEATURE_HTT, fs); + + __clear_bit(X86_FEATURE_CMP_LEGACY, fs); + if ( cpu_has_cmp_legacy ) + __set_bit(X86_FEATURE_CMP_LEGACY, fs); + /* * On certain hardware, speculative or errata workarounds can result in * TSX being placed in "force-abort" mode, where it doesn't actually @@ -837,13 +859,6 @@ void recalculate_cpuid_policy(struct domain *d) } } - /* - * Allow the toolstack to set HTT and CMP_LEGACY. These bits - * affect how to interpret topology information in other cpuid leaves. - */ - __set_bit(X86_FEATURE_HTT, max_fs); - __set_bit(X86_FEATURE_CMP_LEGACY, max_fs); - /* * 32bit PV domains can't use any Long Mode features, and cannot use * SYSCALL on non-AMD hardware. -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 20:22:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 20:22:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687788.1071584 (Exim 4.92) (envelope-from ) id 1rg9OP-0001os-4T; Fri, 01 Mar 2024 20:22:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687788.1071584; Fri, 01 Mar 2024 20:22:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9OP-0001ol-24; Fri, 01 Mar 2024 20:22:05 +0000 Received: by outflank-mailman (input) for mailman id 687788; Fri, 01 Mar 2024 20:22:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9ON-0001of-Oa for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9ON-000644-H2 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg9ON-0002OQ-C6 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RKkgwHm+FB6ILnkfQQYAovChn1BcJayk2Juaxqmr69w=; b=LtjDdvCcc+zpk78U8rWTnHfdEn PdMFGYU4qeG0nz1zj2l+E/497rR4a68I9XDaT9VhHnL+0WxtJw3kvnjw9dAeStGi8sScY5uWi4OYA 9Nl5VvlxPDBSn9SNS2QxeXYq699nR/kMEIEh+D5eoJKGlSgiWiQlR0QPTdOK8Bfud9Lw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/cpu-policy: Hide x2APIC from PV guests Message-Id: Date: Fri, 01 Mar 2024 20:22:03 +0000 commit 5420aa165dfa5fe95dd84bb71cb96c15459935b1 Author: Andrew Cooper AuthorDate: Wed Feb 28 20:21:58 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 x86/cpu-policy: Hide x2APIC from PV guests PV guests can't write to MSR_APIC_BASE (in order to set EXTD), nor can they access any of the x2APIC MSR range. Therefore they mustn't see the x2APIC CPUID bit saying that they can. Right now, the host x2APIC flag filters into PV guests, meaning that PV guests generally see x2APIC except on Zen1-and-older AMD systems. Linux works around this by explicitly hiding the bit itself, and filtering EXTD out of MSR_APIC_BASE reads. NetBSD behaves more in the spirit of PV guests, and entirely ignores the APIC when built as a PV guest. Change the annotation from !A to !S. This has a consequence of stripping it out of both PV featuremasks. However, as existing guests may have seen the bit, set it back into the PV Max policy; a VM which saw the bit and is alive enough to migrate will have ignored it one way or another. Hiding x2APIC does change the contents of leaf 0xb, but as the information is nonsense to begin with, this is likely an improvement on the status quo. Xen's blind assumption that APIC_ID = vCPU_ID * 2 isn't interlinked with the host's topology structure, where a PV guest may see real host values, and the APIC_IDs are useless without an MADT to start with. Dom0 is the only PV VM to get an MADT but it's the host one, meaning the two sets of APIC_IDs are from different address spaces. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/arch/x86/cpu-policy.c | 11 +++++++++-- xen/include/public/arch-x86/cpufeatureset.h | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 10079c26ae..a4327abd13 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -537,6 +537,14 @@ static void __init calculate_pv_max_policy(void) for ( i = 0; i < ARRAY_SIZE(fs); ++i ) fs[i] &= pv_max_featuremask[i]; + /* + * Xen at the time of writing (Feb 2024, 4.19 dev cycle) used to leak the + * host x2APIC capability into PV guests, but never supported the guest + * trying to turn x2APIC mode on. Tolerate an incoming VM which saw the + * x2APIC CPUID bit and is alive enough to migrate. + */ + __set_bit(X86_FEATURE_X2APIC, fs); + /* * If Xen isn't virtualising MSR_SPEC_CTRL for PV guests (functional * availability, or admin choice), hide the feature. @@ -830,11 +838,10 @@ void recalculate_cpuid_policy(struct domain *d) } /* - * Allow the toolstack to set HTT, X2APIC and CMP_LEGACY. These bits + * Allow the toolstack to set HTT and CMP_LEGACY. These bits * affect how to interpret topology information in other cpuid leaves. */ __set_bit(X86_FEATURE_HTT, max_fs); - __set_bit(X86_FEATURE_X2APIC, max_fs); __set_bit(X86_FEATURE_CMP_LEGACY, max_fs); /* diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index be5c1b748e..b230d3a690 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -123,7 +123,7 @@ XEN_CPUFEATURE(PCID, 1*32+17) /*H Process Context ID */ XEN_CPUFEATURE(DCA, 1*32+18) /* Direct Cache Access */ XEN_CPUFEATURE(SSE4_1, 1*32+19) /*A Streaming SIMD Extensions 4.1 */ XEN_CPUFEATURE(SSE4_2, 1*32+20) /*A Streaming SIMD Extensions 4.2 */ -XEN_CPUFEATURE(X2APIC, 1*32+21) /*!A Extended xAPIC */ +XEN_CPUFEATURE(X2APIC, 1*32+21) /*!S Extended xAPIC */ XEN_CPUFEATURE(MOVBE, 1*32+22) /*A movbe instruction */ XEN_CPUFEATURE(POPCNT, 1*32+23) /*A POPCNT instruction */ XEN_CPUFEATURE(TSC_DEADLINE, 1*32+24) /*S TSC Deadline Timer */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 20:22:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 20:22:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687790.1071593 (Exim 4.92) (envelope-from ) id 1rg9Oj-0001sp-84; Fri, 01 Mar 2024 20:22:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687790.1071593; Fri, 01 Mar 2024 20:22:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9Oj-0001si-58; Fri, 01 Mar 2024 20:22:25 +0000 Received: by outflank-mailman (input) for mailman id 687790; Fri, 01 Mar 2024 20:22:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9Oh-0001sW-Qh for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9Oh-00064s-PV for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg9Oh-0002R0-MS for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Q0E8AiKg90r8g+YFi5rPJxNlDFScBIgP1MoNiPEi0DE=; b=pSbO0pe8nnew8ja8+VHF0HTEzI gn8pEcpu8AsU3ySIMtYEERr06yQAZO7o/mKfhIub+Rv7XNY4nXM7Kz8SwkJ783ViQ2f4k/7u4k/7W jt5DWPRW5XS5qEn0W0Exs9L7Zpbq13yGh0MaAffZpOoNeciC4QwYznhyeyNEvu/stHfQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tests/resource: Fix HVM guest in !SHADOW builds Message-Id: Date: Fri, 01 Mar 2024 20:22:23 +0000 commit 0263dc9069ddb66335c72a159e09050b1600e56a Author: Andrew Cooper AuthorDate: Thu Feb 29 20:46:13 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 tests/resource: Fix HVM guest in !SHADOW builds Right now, test-resource always creates HVM Shadow guests. But if Xen has SHADOW compiled out, running the test yields: $./test-resource XENMEM_acquire_resource tests Test x86 PV Created d1 Test grant table Test x86 PVH Skip: 95 - Operation not supported and doesn't really test HVM guests, but doesn't fail either. There's nothing paging-mode-specific about this test, so default to HAP if possible and provide a more specific message if neither HAP or Shadow are available. As we've got physinfo to hand, also provide more specific message about the absence of PV or HVM support. Signed-off-by: Andrew Cooper Acked-by: Roger Pau Monné --- tools/tests/resource/test-resource.c | 39 ++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/tools/tests/resource/test-resource.c b/tools/tests/resource/test-resource.c index 7ae88ea348..1b10be16a6 100644 --- a/tools/tests/resource/test-resource.c +++ b/tools/tests/resource/test-resource.c @@ -20,6 +20,8 @@ static xc_interface *xch; static xenforeignmemory_handle *fh; static xengnttab_handle *gh; +static xc_physinfo_t physinfo; + static void test_gnttab(uint32_t domid, unsigned int nr_frames, unsigned long gfn) { @@ -172,6 +174,37 @@ static void test_domain_configurations(void) printf("Test %s\n", t->name); +#if defined(__x86_64__) || defined(__i386__) + if ( t->create.flags & XEN_DOMCTL_CDF_hvm ) + { + if ( !(physinfo.capabilities & XEN_SYSCTL_PHYSCAP_hvm) ) + { + printf(" Skip: HVM not available\n"); + continue; + } + + /* + * On x86, use HAP guests if possible, but skip if neither HAP nor + * SHADOW is available. + */ + if ( physinfo.capabilities & XEN_SYSCTL_PHYSCAP_hap ) + t->create.flags |= XEN_DOMCTL_CDF_hap; + else if ( !(physinfo.capabilities & XEN_SYSCTL_PHYSCAP_shadow) ) + { + printf(" Skip: Neither HAP or SHADOW available\n"); + continue; + } + } + else + { + if ( !(physinfo.capabilities & XEN_SYSCTL_PHYSCAP_pv) ) + { + printf(" Skip: PV not available\n"); + continue; + } + } +#endif + rc = xc_domain_create(xch, &domid, &t->create); if ( rc ) { @@ -214,6 +247,8 @@ static void test_domain_configurations(void) int main(int argc, char **argv) { + int rc; + printf("XENMEM_acquire_resource tests\n"); xch = xc_interface_open(NULL, NULL, 0); @@ -227,6 +262,10 @@ int main(int argc, char **argv) if ( !gh ) err(1, "xengnttab_open"); + rc = xc_physinfo(xch, &physinfo); + if ( rc ) + err(1, "Failed to obtain physinfo"); + test_domain_configurations(); return !!nr_failures; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 20:22:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 20:22:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687791.1071597 (Exim 4.92) (envelope-from ) id 1rg9Ot-0001vj-BH; Fri, 01 Mar 2024 20:22:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687791.1071597; Fri, 01 Mar 2024 20:22:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9Ot-0001vc-8k; Fri, 01 Mar 2024 20:22:35 +0000 Received: by outflank-mailman (input) for mailman id 687791; Fri, 01 Mar 2024 20:22:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9Or-0001vO-Tp for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9Or-00065B-T6 for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg9Or-0002Ro-Rk for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NrUJyjupXuruBHokmw/5EKuKhXWoicq4Xh6veJfAYHo=; b=s/dbKEXO6B1tcZnmaMGz+p801r nH2PZ90K9OwAo+XWd+DCsYENoNXZVX+tSf1GotXJXFHyEXkJpmibsWcV7NH2jDC6Fhu2sjAd++4Ak VX1bcGRjjQlk9cx0512vSAYRVyRT+/DEnW7UhuoSVKBTiUYKBxsJckDBWMSapcopCTqc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Fri, 01 Mar 2024 20:22:33 +0000 commit de17162cafd27f2865a3102a2ec0f386a02ed03d Author: Andrew Cooper AuthorDate: Thu Feb 29 11:26:40 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/arch/x86/include/asm/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 609db6946f..2c6f03057b 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -442,6 +442,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -486,6 +496,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index be16492c68..ad24d0fa88 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -178,6 +178,7 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index b230d3a690..0374cec3a2 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -262,7 +262,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single XEN_CPUFEATURE(FSRM, 9*32+ 4) /*A Fast Short REP MOVS */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ @@ -334,7 +334,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Mar 01 20:22:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 01 Mar 2024 20:22:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687792.1071601 (Exim 4.92) (envelope-from ) id 1rg9P3-0001yD-D2; Fri, 01 Mar 2024 20:22:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687792.1071601; Fri, 01 Mar 2024 20:22:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9P3-0001y5-AG; Fri, 01 Mar 2024 20:22:45 +0000 Received: by outflank-mailman (input) for mailman id 687792; Fri, 01 Mar 2024 20:22:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9P2-0001xu-1U for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rg9P2-00065M-0h for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rg9P1-0002Su-Vw for xen-changelog@lists.xenproject.org; Fri, 01 Mar 2024 20:22:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=25fMPK4ETv4mDYw1vSuf7+dVZImuO1xqB/u967gWUag=; b=SJBoEhG9J2MaZRpfRnqflndIXP c0BmehVGzTDw4Khmg+afakTiq0tBGM700Md9wdl8JgCdj4L560Fh/IIIjRh642NyNnTRTyOt2+rrY CDwCMlnP4mc72KMpNo2lvrGgPTwLGe3qyuPf4r/VOu74QNMApGj8+tZimkNL1kf18jHc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/mm: re-implement get_page_light() using an atomic increment Message-Id: Date: Fri, 01 Mar 2024 20:22:43 +0000 commit c40bc0576dcc5acd4d7e22ef628eb4642f568533 Author: Roger Pau Monné AuthorDate: Fri Mar 1 13:42:27 2024 +0100 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 x86/mm: re-implement get_page_light() using an atomic increment The current usage of a cmpxchg loop to increase the value of page count is not optimal on amd64, as there's already an instruction to do an atomic add to a 64bit integer. Switch the code in get_page_light() to use an atomic increment, as that avoids a loop construct. This slightly changes the order of the checks, as current code will crash before modifying the page count_info if the conditions are not correct, while with the proposed change the crash will happen immediately after having carried the counter increase. Since we are crashing anyway, I don't believe the re-ordering to have any meaningful impact. Note that the page must already have a non-zero reference count which prevents the flags from changing, and the previous usage of the cmpxchg loop didn't guarantee that the rest of the fields in count_info didn't change while updating the reference count. Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper --- xen/arch/x86/mm.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 4d6d7bfe4f..2aff6d4b53 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2580,16 +2580,10 @@ bool get_page(struct page_info *page, const struct domain *domain) */ static void get_page_light(struct page_info *page) { - unsigned long x, nx, y = page->count_info; + unsigned long old_pgc = arch_fetch_and_add(&page->count_info, 1); - do { - x = y; - nx = x + 1; - BUG_ON(!(x & PGC_count_mask)); /* Not allocated? */ - BUG_ON(!(nx & PGC_count_mask)); /* Overflow? */ - y = cmpxchg(&page->count_info, x, nx); - } - while ( unlikely(y != x) ); + BUG_ON(!(old_pgc & PGC_count_mask)); /* Not allocated? */ + BUG_ON(!((old_pgc + 1) & PGC_count_mask)); /* Overflow? */ } static int validate_page(struct page_info *page, unsigned long type, -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Sat Mar 02 01:55:12 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 02 Mar 2024 01:55:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687828.1071644 (Exim 4.92) (envelope-from ) id 1rgEaf-0005zB-0V; Sat, 02 Mar 2024 01:55:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687828.1071644; Sat, 02 Mar 2024 01:55:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgEae-0005z3-U3; Sat, 02 Mar 2024 01:55:04 +0000 Received: by outflank-mailman (input) for mailman id 687828; Sat, 02 Mar 2024 01:55:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgEad-0005yx-JS for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 01:55:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgEad-00062x-FA for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 01:55:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rgEad-0003n4-DO for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 01:55:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=akhE1FN/c8C3OQpKc4Qw+kTzuS3LNqAYMInvtlabqsI=; b=e8HAKAT9P4YuVUSKHWxXp68ayF ggWd/7ilUzpPwtNsAzSOkGZAvQ2nOq10gpJAxo24iENFIXqho58EU8cjM0uokryYb8cLLMrX+k5wv fdQ7ueLcqd5wU6TQj0Cq0NumGInSL/g8fYdk01qWieQML66pFJv2QO5yZb6phlWq9Ubs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs/misra/rules.rst: add rule 14.4 Message-Id: Date: Sat, 02 Mar 2024 01:55:03 +0000 commit 856664f774bd5b66301c5f9022126b61b8cb492d Author: Stefano Stabellini AuthorDate: Tue Feb 13 14:33:34 2024 -0800 Commit: Stefano Stabellini CommitDate: Fri Mar 1 17:44:11 2024 -0800 docs/misra/rules.rst: add rule 14.4 Signed-off-by: Stefano Stabellini Acked-by: Bertrand Marquis --- docs/misra/rules.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst index efea063ab9..1e134ccebc 100644 --- a/docs/misra/rules.rst +++ b/docs/misra/rules.rst @@ -462,6 +462,15 @@ maintainers if you want to suggest a change. while(0) and while(1) and alike are allowed. + * - `Rule 14.4 `_ + - Required + - The controlling expression of an if-statement and the controlling + expression of an iteration-statement shall have essentially + Boolean type + - Automatic conversions of integer types to bool are permitted. + Automatic conversions of pointer types to bool are permitted. + This rule still applies to enum types. + * - `Rule 16.3 `_ - Required - An unconditional break statement shall terminate every -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Sat Mar 02 01:55:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 02 Mar 2024 01:55:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687829.1071649 (Exim 4.92) (envelope-from ) id 1rgEap-00060w-23; Sat, 02 Mar 2024 01:55:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687829.1071649; Sat, 02 Mar 2024 01:55:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgEao-00060n-Vb; Sat, 02 Mar 2024 01:55:14 +0000 Received: by outflank-mailman (input) for mailman id 687829; Sat, 02 Mar 2024 01:55:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgEan-00060h-PA for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 01:55:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgEan-00063A-Nx for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 01:55:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rgEan-0003ob-N3 for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 01:55:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0joMs1VwXawwy691fZqqX21yY7+WLIZSFemS+PuobCs=; b=UVwkD1V6oa21O5xlYprxdpKWVf VJNy6svuPIKtb40rnYIjmnL6U94ABo/ouamOxAefvW4HI/gAjoZ/0Nv3asUHWGYgUqrFL+LoU9CFw agqcw+b/ZkNZZyGNxYm6ihozS6igR46K/s86MGmI5ThU9l2z0v0pXW2aDzb00vyhkHfw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/arm: Fix UBSAN failure in start_xen() Message-Id: Date: Sat, 02 Mar 2024 01:55:13 +0000 commit 6cbccc4071ef49a8c591ecaddfdcb1cc26d28411 Author: Michal Orzel AuthorDate: Thu Feb 8 11:43:39 2024 +0100 Commit: Stefano Stabellini CommitDate: Fri Mar 1 17:46:43 2024 -0800 xen/arm: Fix UBSAN failure in start_xen() When running Xen on arm32, in scenario where Xen is loaded at an address such as boot_phys_offset >= 2GB, UBSAN reports the following: (XEN) UBSAN: Undefined behaviour in arch/arm/setup.c:739:58 (XEN) pointer operation underflowed 00200000 to 86800000 (XEN) Xen WARN at common/ubsan/ubsan.c:172 (XEN) ----[ Xen-4.19-unstable arm32 debug=y ubsan=y Not tainted ]---- ... (XEN) Xen call trace: (XEN) [<0031b4c0>] ubsan.c#ubsan_epilogue+0x18/0xf0 (PC) (XEN) [<0031d134>] __ubsan_handle_pointer_overflow+0xb8/0xd4 (LR) (XEN) [<0031d134>] __ubsan_handle_pointer_overflow+0xb8/0xd4 (XEN) [<004d15a8>] start_xen+0xe0/0xbe0 (XEN) [<0020007c>] head.o#primary_switched+0x4/0x30 The failure is reported for the following line: (paddr_t)(uintptr_t)(_start + boot_phys_offset) This occurs because the compiler treats (ptr + size) with size bigger than PTRDIFF_MAX as undefined behavior. To address this, switch to macro virt_to_maddr(), given the future plans to eliminate boot_phys_offset. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Tested-by: Luca Fancellu Acked-by: Julien Grall (cherry picked from commit e11f5766503c0ff074b4e0f888bbfc931518a169) --- xen/arch/arm/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c index 4395640019..9ee19c2bc1 100644 --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -1025,7 +1025,7 @@ void __init start_xen(unsigned long boot_phys_offset, /* Register Xen's load address as a boot module. */ xen_bootmodule = add_boot_module(BOOTMOD_XEN, - (paddr_t)(uintptr_t)(_start + boot_phys_offset), + virt_to_maddr(_start), (paddr_t)(uintptr_t)(_end - _start), false); BUG_ON(!xen_bootmodule); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Sat Mar 02 16:33:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 02 Mar 2024 16:33:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687943.1071742 (Exim 4.92) (envelope-from ) id 1rgSIJ-0007XU-Go; Sat, 02 Mar 2024 16:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687943.1071742; Sat, 02 Mar 2024 16:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgSIJ-0007XM-E0; Sat, 02 Mar 2024 16:33:03 +0000 Received: by outflank-mailman (input) for mailman id 687943; Sat, 02 Mar 2024 16:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgSII-0007XG-E5 for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 16:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgSII-0007Yw-BA for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 16:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rgSII-0001LR-6f for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 16:33:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yNml86KNEPP4IdzYdDfWqD+kZgJlSpZzAra/PUbI6iE=; b=m/DEFCxzUZau89qC0VK4q/FkFW 0wCZRQA8qkTyuoXrpNbRFZAf0nFusjZ4oXbfxUSBv5jBmjCJbckU30BlTN2NQp/xo5F3d+xnn3dSJ ksE8042BUIc+5+je9Kc0roaAAWKFok98Sj4UYWaNPueX5UOFvyLI2ekeG5MyupiATtlg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs/misra/rules.rst: Fix entry for 20.12 rule Message-Id: Date: Sat, 02 Mar 2024 16:33:02 +0000 commit efad36f1ba18946acecc030166b1a6bebeb88ea2 Author: Michal Orzel AuthorDate: Fri Mar 1 09:49:47 2024 +0100 Commit: Andrew Cooper CommitDate: Fri Mar 1 09:09:54 2024 +0000 docs/misra/rules.rst: Fix entry for 20.12 rule Commit 4cac80e22600 broke the CI cppcheck jobs by adding an entry for a rule 20.12 with "Severity" and "Summary" fields placed in reverse order. This leads to an error as reported by convert_misra_doc.py: No summary for rule 20.12 Fixes: 4cac80e22600 ("docs/misra/rules.rst: add rule 16.6 and 20.12") Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu --- docs/misra/rules.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst index c185366966..efea063ab9 100644 --- a/docs/misra/rules.rst +++ b/docs/misra/rules.rst @@ -561,10 +561,10 @@ maintainers if you want to suggest a change. - * - `Rule 20.12 `_ + - Required - A macro parameter used as an operand to the # or ## operators, which is itself subject to further macro replacement, shall only be used as an operand to these operators - - Required - Variadic macros are allowed to violate the rule. * - `Rule 20.13 `_ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Sat Mar 02 22:44:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 02 Mar 2024 22:44:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.687980.1071790 (Exim 4.92) (envelope-from ) id 1rgY5L-0004UF-50; Sat, 02 Mar 2024 22:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 687980.1071790; Sat, 02 Mar 2024 22:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgY5L-0004U7-2E; Sat, 02 Mar 2024 22:44:03 +0000 Received: by outflank-mailman (input) for mailman id 687980; Sat, 02 Mar 2024 22:44:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgY5J-0004U1-Pr for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 22:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rgY5J-0006h5-Od for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 22:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rgY5J-0001se-NL for xen-changelog@lists.xenproject.org; Sat, 02 Mar 2024 22:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MvwROjY6iTOSRNDh59ctQ+dLRtSmSEbMxTZo1MGyYZM=; b=B7W4pZKRfjYNauOWesiPo+wnwB LwRKdQ6Kka7WGXmUCTVWdbGjZVgvUndBuHcoPuZjFMpo5YTQRnHwVDaqHBBEq+0BAhEhI96gVJjCG 4ZihY9/JF0yn+ExV4baU7WzQgy0mA6ipB2go9o1niKn+xO4oNf6xkLtOzgCR/fG1F+bw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/arm: Fix UBSAN failure in start_xen() Message-Id: Date: Sat, 02 Mar 2024 22:44:01 +0000 commit 6cbccc4071ef49a8c591ecaddfdcb1cc26d28411 Author: Michal Orzel AuthorDate: Thu Feb 8 11:43:39 2024 +0100 Commit: Stefano Stabellini CommitDate: Fri Mar 1 17:46:43 2024 -0800 xen/arm: Fix UBSAN failure in start_xen() When running Xen on arm32, in scenario where Xen is loaded at an address such as boot_phys_offset >= 2GB, UBSAN reports the following: (XEN) UBSAN: Undefined behaviour in arch/arm/setup.c:739:58 (XEN) pointer operation underflowed 00200000 to 86800000 (XEN) Xen WARN at common/ubsan/ubsan.c:172 (XEN) ----[ Xen-4.19-unstable arm32 debug=y ubsan=y Not tainted ]---- ... (XEN) Xen call trace: (XEN) [<0031b4c0>] ubsan.c#ubsan_epilogue+0x18/0xf0 (PC) (XEN) [<0031d134>] __ubsan_handle_pointer_overflow+0xb8/0xd4 (LR) (XEN) [<0031d134>] __ubsan_handle_pointer_overflow+0xb8/0xd4 (XEN) [<004d15a8>] start_xen+0xe0/0xbe0 (XEN) [<0020007c>] head.o#primary_switched+0x4/0x30 The failure is reported for the following line: (paddr_t)(uintptr_t)(_start + boot_phys_offset) This occurs because the compiler treats (ptr + size) with size bigger than PTRDIFF_MAX as undefined behavior. To address this, switch to macro virt_to_maddr(), given the future plans to eliminate boot_phys_offset. Signed-off-by: Michal Orzel Reviewed-by: Luca Fancellu Tested-by: Luca Fancellu Acked-by: Julien Grall (cherry picked from commit e11f5766503c0ff074b4e0f888bbfc931518a169) --- xen/arch/arm/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/arm/setup.c b/xen/arch/arm/setup.c index 4395640019..9ee19c2bc1 100644 --- a/xen/arch/arm/setup.c +++ b/xen/arch/arm/setup.c @@ -1025,7 +1025,7 @@ void __init start_xen(unsigned long boot_phys_offset, /* Register Xen's load address as a boot module. */ xen_bootmodule = add_boot_module(BOOTMOD_XEN, - (paddr_t)(uintptr_t)(_start + boot_phys_offset), + virt_to_maddr(_start), (paddr_t)(uintptr_t)(_end - _start), false); BUG_ON(!xen_bootmodule); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Mon Mar 04 09:55:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 04 Mar 2024 09:55:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688250.1072251 (Exim 4.92) (envelope-from ) id 1rh52H-0003r2-8a; Mon, 04 Mar 2024 09:55:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688250.1072251; Mon, 04 Mar 2024 09:55:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52H-0003qu-5p; Mon, 04 Mar 2024 09:55:05 +0000 Received: by outflank-mailman (input) for mailman id 688250; Mon, 04 Mar 2024 09:55:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52F-0003qo-RY for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52F-0003wX-Ny for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rh52F-0004af-LI for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Tbrh7m+vdy/anZMFMvb+atS2+MwXtAdGZoMp6m45lz8=; b=H6i6HrUevoGvru4PpPlUmgHcjn sVAZNR8UBSNxFToUlESHmW6Tpq/L4/VkWUY6oiLPp2M6UxGsOb7tAKFmA3eTWbWNRxap8FM1GMOTs n9tVB3sVqNf1p4H/LuSF5RMwSqHNjp4CjxJVxmHp8XAOjXSoq3gl1Yfk6qAcKC2N7ndQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] hvmloader: suppress GNU ld 2.39 warning about RWX load segments Message-Id: Date: Mon, 04 Mar 2024 09:55:03 +0000 commit 2d514678a3b6eacfcee2be0aeb0e45547e4d9100 Author: Jan Beulich AuthorDate: Mon Mar 4 10:43:54 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:43:54 2024 +0100 hvmloader: suppress GNU ld 2.39 warning about RWX load segments This aspect is simply meaningless for this component. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- tools/firmware/hvmloader/Makefile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/firmware/hvmloader/Makefile b/tools/firmware/hvmloader/Makefile index e5de1ade17..84cba171cd 100644 --- a/tools/firmware/hvmloader/Makefile +++ b/tools/firmware/hvmloader/Makefile @@ -20,6 +20,8 @@ XEN_ROOT = $(CURDIR)/../../.. include $(XEN_ROOT)/tools/firmware/Rules.mk +ld-option = $(shell if $(LD) -v $(1) >/dev/null 2>&1; then echo y; else echo n; fi) + # SMBIOS spec requires format mm/dd/yyyy SMBIOS_REL_DATE ?= $(shell date +%m/%d/%Y) @@ -59,6 +61,10 @@ ROMBIOS_ROM := $(ROMBIOS_DIR)/BIOS-bochs-latest ROMS += $(ROMBIOS_ROM) $(STDVGA_ROM) $(CIRRUSVGA_ROM) endif +# Suppress the warning about LOAD segments with RWX permissions, as what we +# build isn't a normal user-mode executable. +LDFLAGS-$(call ld-option,--warn-rwx-segments) := --no-warn-rwx-segments + .PHONY: all all: hvmloader @@ -85,7 +91,7 @@ $(DSDT_FILES): acpi build.o: $(DSDT_FILES) hvmloader: $(OBJS) hvmloader.lds - $(LD) $(LDFLAGS_DIRECT) -N -T hvmloader.lds -o $@ $(OBJS) + $(LD) $(LDFLAGS_DIRECT) $(LDFLAGS-y) -N -T hvmloader.lds -o $@ $(OBJS) roms.inc: $(ROMS) echo "/* Autogenerated file. DO NOT EDIT */" > $@.new -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 04 09:55:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 04 Mar 2024 09:55:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688251.1072255 (Exim 4.92) (envelope-from ) id 1rh52R-0003sv-A5; Mon, 04 Mar 2024 09:55:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688251.1072255; Mon, 04 Mar 2024 09:55:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52R-0003sn-7J; Mon, 04 Mar 2024 09:55:15 +0000 Received: by outflank-mailman (input) for mailman id 688251; Mon, 04 Mar 2024 09:55:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52P-0003sP-S3 for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52P-0003wh-RA for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rh52P-0004b8-QB for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GZ1ZDiAxOwUJ06jZSIftTFr1AHHUZyueNs+hOEJgQyw=; b=i525MBmA/HkmcQborDnB2txLZq jLbQTJ2oYProZfYR9nHc92cXuc+EgB1tgNv1BTi1ONI/jHAC18AvOvHDg6q4XlqMlBjAzFAO6TSlv GYa7FPJ2BcuS8IFiG+vW1yCSRbIIb7AUVl7e27FtxCHI1akkPGZDerCOsDypG/ludwt8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] arch: move array_index_mask_nospec() Message-Id: Date: Mon, 04 Mar 2024 09:55:13 +0000 commit 9174674c3b4ad5f4a0a0401da25cb27e343b2b38 Author: Jan Beulich AuthorDate: Mon Mar 4 10:45:10 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:45:10 2024 +0100 arch: move array_index_mask_nospec() At the time they were introduced, there were no asm/nospec.h yet, so they were placed in system.h. Move them to nospec.h and drop xen/nospec.h's including of asm/system.h; there's one unrelated #include that needs adding in exchange, on x86. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper Acked-by: Julien Grall --- xen/arch/arm/include/asm/arm32/nospec.h | 31 +++++++++++++++++++++++++++++ xen/arch/arm/include/asm/arm32/system.h | 18 ----------------- xen/arch/arm/include/asm/arm64/nospec.h | 35 +++++++++++++++++++++++++++++++++ xen/arch/arm/include/asm/arm64/system.h | 22 --------------------- xen/arch/arm/include/asm/nospec.h | 8 ++++++++ xen/arch/x86/include/asm/nospec.h | 24 ++++++++++++++++++++++ xen/arch/x86/include/asm/system.h | 24 ---------------------- xen/arch/x86/include/asm/x86_emulate.h | 1 + xen/include/xen/nospec.h | 1 - 9 files changed, 99 insertions(+), 65 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/nospec.h b/xen/arch/arm/include/asm/arm32/nospec.h new file mode 100644 index 0000000000..be3c7712c8 --- /dev/null +++ b/xen/arch/arm/include/asm/arm32/nospec.h @@ -0,0 +1,31 @@ +/* Portions taken from Linux arch arm */ +#ifndef __ASM_ARM32_NOSPEC_H +#define __ASM_ARM32_NOSPEC_H + +#define CSDB ".inst 0xe320f014" + +static inline unsigned long array_index_mask_nospec(unsigned long idx, + unsigned long sz) +{ + unsigned long mask; + + asm volatile( "cmp %1, %2\n" + "sbc %0, %1, %1\n" + CSDB + : "=r" (mask) + : "r" (idx), "Ir" (sz) + : "cc" ); + + return mask; +} +#define array_index_mask_nospec array_index_mask_nospec + +#endif /* __ASM_ARM32_NOSPEC_H */ +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/arch/arm/include/asm/arm32/system.h b/xen/arch/arm/include/asm/arm32/system.h index ab57abfbc5..c617b40438 100644 --- a/xen/arch/arm/include/asm/arm32/system.h +++ b/xen/arch/arm/include/asm/arm32/system.h @@ -48,24 +48,6 @@ static inline int local_fiq_is_enabled(void) return !(flags & PSR_FIQ_MASK); } -#define CSDB ".inst 0xe320f014" - -static inline unsigned long array_index_mask_nospec(unsigned long idx, - unsigned long sz) -{ - unsigned long mask; - - asm volatile( "cmp %1, %2\n" - "sbc %0, %1, %1\n" - CSDB - : "=r" (mask) - : "r" (idx), "Ir" (sz) - : "cc" ); - - return mask; -} -#define array_index_mask_nospec array_index_mask_nospec - #endif /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/nospec.h b/xen/arch/arm/include/asm/arm64/nospec.h new file mode 100644 index 0000000000..2364ca692b --- /dev/null +++ b/xen/arch/arm/include/asm/arm64/nospec.h @@ -0,0 +1,35 @@ +/* Portions taken from Linux arch arm64 */ +#ifndef __ASM_ARM64_NOSPEC_H +#define __ASM_ARM64_NOSPEC_H + +#define csdb() asm volatile ( "hint #20" : : : "memory" ) + +/* + * Generate a mask for array_index__nospec() that is ~0UL when 0 <= idx < sz + * and 0 otherwise. + */ +static inline unsigned long array_index_mask_nospec(unsigned long idx, + unsigned long sz) +{ + unsigned long mask; + + asm volatile ( "cmp %1, %2\n" + "sbc %0, xzr, xzr\n" + : "=r" (mask) + : "r" (idx), "Ir" (sz) + : "cc" ); + csdb(); + + return mask; +} +#define array_index_mask_nospec array_index_mask_nospec + +#endif /* __ASM_ARM64_NOSPEC_H */ +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/arch/arm/include/asm/arm64/system.h b/xen/arch/arm/include/asm/arm64/system.h index 2e36573ac6..2e2ee212a1 100644 --- a/xen/arch/arm/include/asm/arm64/system.h +++ b/xen/arch/arm/include/asm/arm64/system.h @@ -58,28 +58,6 @@ static inline int local_fiq_is_enabled(void) return !(flags & PSR_FIQ_MASK); } -#define csdb() asm volatile ( "hint #20" : : : "memory" ) - -/* - * Generate a mask for array_index__nospec() that is ~0UL when 0 <= idx < sz - * and 0 otherwise. - */ -static inline unsigned long array_index_mask_nospec(unsigned long idx, - unsigned long sz) -{ - unsigned long mask; - - asm volatile ( "cmp %1, %2\n" - "sbc %0, xzr, xzr\n" - : "=r" (mask) - : "r" (idx), "Ir" (sz) - : "cc" ); - csdb(); - - return mask; -} -#define array_index_mask_nospec array_index_mask_nospec - #endif /* * Local variables: diff --git a/xen/arch/arm/include/asm/nospec.h b/xen/arch/arm/include/asm/nospec.h index 51c7aea4f4..efac51fc03 100644 --- a/xen/arch/arm/include/asm/nospec.h +++ b/xen/arch/arm/include/asm/nospec.h @@ -4,6 +4,14 @@ #ifndef _ASM_ARM_NOSPEC_H #define _ASM_ARM_NOSPEC_H +#if defined(CONFIG_ARM_32) +# include +#elif defined(CONFIG_ARM_64) +# include +#else +# error "unknown ARM variant" +#endif + static inline bool evaluate_nospec(bool condition) { return condition; diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h index 7150e76b87..07606834c4 100644 --- a/xen/arch/x86/include/asm/nospec.h +++ b/xen/arch/x86/include/asm/nospec.h @@ -38,6 +38,30 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +/** + * array_index_mask_nospec() - generate a mask that is ~0UL when the + * bounds check succeeds and 0 otherwise + * @index: array element index + * @size: number of elements in array + * + * Returns: + * 0 - (index < size) + */ +static inline unsigned long array_index_mask_nospec(unsigned long index, + unsigned long size) +{ + unsigned long mask; + + asm volatile ( "cmp %[size], %[index]; sbb %[mask], %[mask];" + : [mask] "=r" (mask) + : [size] "g" (size), [index] "r" (index) ); + + return mask; +} + +/* Override default implementation in nospec.h. */ +#define array_index_mask_nospec array_index_mask_nospec + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/arch/x86/include/asm/system.h b/xen/arch/x86/include/asm/system.h index debf6bfa17..73cb16ca68 100644 --- a/xen/arch/x86/include/asm/system.h +++ b/xen/arch/x86/include/asm/system.h @@ -224,30 +224,6 @@ static always_inline unsigned long __xadd( #define smp_mb__before_atomic() do { } while (0) #define smp_mb__after_atomic() do { } while (0) -/** - * array_index_mask_nospec() - generate a mask that is ~0UL when the - * bounds check succeeds and 0 otherwise - * @index: array element index - * @size: number of elements in array - * - * Returns: - * 0 - (index < size) - */ -static inline unsigned long array_index_mask_nospec(unsigned long index, - unsigned long size) -{ - unsigned long mask; - - asm volatile ( "cmp %[size], %[index]; sbb %[mask], %[mask];" - : [mask] "=r" (mask) - : [size] "g" (size), [index] "r" (index) ); - - return mask; -} - -/* Override default implementation in nospec.h. */ -#define array_index_mask_nospec array_index_mask_nospec - #define local_irq_disable() asm volatile ( "cli" : : : "memory" ) #define local_irq_enable() asm volatile ( "sti" : : : "memory" ) diff --git a/xen/arch/x86/include/asm/x86_emulate.h b/xen/arch/x86/include/asm/x86_emulate.h index c184c0053c..2b75f7f8e2 100644 --- a/xen/arch/x86/include/asm/x86_emulate.h +++ b/xen/arch/x86/include/asm/x86_emulate.h @@ -15,6 +15,7 @@ #include #include #include +#include #include "../../x86_emulate/x86_emulate.h" diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4c250ebbd6 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -7,7 +7,6 @@ #ifndef XEN_NOSPEC_H #define XEN_NOSPEC_H -#include #include /** -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 04 09:55:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 04 Mar 2024 09:55:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688252.1072259 (Exim 4.92) (envelope-from ) id 1rh52b-0003vF-Bb; Mon, 04 Mar 2024 09:55:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688252.1072259; Mon, 04 Mar 2024 09:55:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52b-0003v8-8t; Mon, 04 Mar 2024 09:55:25 +0000 Received: by outflank-mailman (input) for mailman id 688252; Mon, 04 Mar 2024 09:55:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52Z-0003us-V5 for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52Z-0003ww-U9 for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rh52Z-0004bz-TL for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Lngls8ceu3EMFa+BgHjgLoMTMU8hLfasUNGIeHEAHUE=; b=GN8/xnCd5vtScaOWlSWlR8rcTY 1RTzRSjT08odcT3HWgqXTAWhnm04EPSlglUtpgRvxxKrUjg5vpSKBjePvgr5EZAydxHxASxG4KeIL /BligYGF4mOX1G50xI/3S05HY4nKlZpNrLDy2MHKuW/6E+r7AlAlSRU05Wi8AhVqwqZI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: smmuv3: address violations of MISRA C Rule 20.7 Message-Id: Date: Mon, 04 Mar 2024 09:55:23 +0000 commit 771c4e39632d6d8a36668242bcc71f93cfc2842e Author: Nicola Vetrini AuthorDate: Mon Mar 4 10:46:25 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:46:25 2024 +0100 xen/arm: smmuv3: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/drivers/passthrough/arm/smmu-v3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/drivers/passthrough/arm/smmu-v3.c b/xen/drivers/passthrough/arm/smmu-v3.c index c3ac6d17d1..b1c40c2c0a 100644 --- a/xen/drivers/passthrough/arm/smmu-v3.c +++ b/xen/drivers/passthrough/arm/smmu-v3.c @@ -111,7 +111,7 @@ #define GFP_KERNEL 0 /* Device logger functions */ -#define dev_name(dev) dt_node_full_name(dev->of_node) +#define dev_name(dev) dt_node_full_name((dev)->of_node) #define dev_dbg(dev, fmt, ...) \ printk(XENLOG_DEBUG "SMMUv3: %s: " fmt, dev_name(dev), ## __VA_ARGS__) #define dev_notice(dev, fmt, ...) \ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 04 09:55:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 04 Mar 2024 09:55:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688253.1072263 (Exim 4.92) (envelope-from ) id 1rh52l-0003yI-DB; Mon, 04 Mar 2024 09:55:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688253.1072263; Mon, 04 Mar 2024 09:55:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52l-0003yA-AT; Mon, 04 Mar 2024 09:55:35 +0000 Received: by outflank-mailman (input) for mailman id 688253; Mon, 04 Mar 2024 09:55:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52k-0003xz-1W for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52k-0003x3-0o for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rh52k-0004cx-01 for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=dXnn65tv0EF6nqMTF1HFFq87nYT4lxpkLiFTEgL/GIw=; b=ikY/1i2T1m9z63DwvxWC2WlvQ6 nIReTpfyG/Y6eF/F/Xokr7DJrNdHtYvi8PG4WVnYg+llVmEKBUhx9/Zr+CKsl9sRDI3bT5pEch8A6 NOIeN0nrbUZwx6Ve1OrRi/CWXeO149tWzzCmnB9qHidRfMykSmK2+OMP7oyRFaSi4ovI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/errno: address violations of MISRA C Rule 20.7 Message-Id: Date: Mon, 04 Mar 2024 09:55:34 +0000 commit 47fdf9a79f227efe88759765754a830a35239fa4 Author: Nicola Vetrini AuthorDate: Mon Mar 4 10:46:46 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:46:46 2024 +0100 xen/errno: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/xen/errno.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/errno.h b/xen/include/xen/errno.h index 69b28dd3c6..506674701f 100644 --- a/xen/include/xen/errno.h +++ b/xen/include/xen/errno.h @@ -3,7 +3,7 @@ #ifndef __ASSEMBLY__ -#define XEN_ERRNO(name, value) name = value, +#define XEN_ERRNO(name, value) name = (value), enum { #include }; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 04 09:55:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 04 Mar 2024 09:55:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688254.1072267 (Exim 4.92) (envelope-from ) id 1rh52v-000412-Ed; Mon, 04 Mar 2024 09:55:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688254.1072267; Mon, 04 Mar 2024 09:55:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52v-00040t-Bq; Mon, 04 Mar 2024 09:55:45 +0000 Received: by outflank-mailman (input) for mailman id 688254; Mon, 04 Mar 2024 09:55:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52u-00040d-7D for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rh52u-0003xB-5e for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rh52u-0004dO-2w for xen-changelog@lists.xenproject.org; Mon, 04 Mar 2024 09:55:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gVZU5nlzcQZMdvsnbM57QoV87kuaHZ3ZgZx2bSOMSrA=; b=6pki06hmQjCYW1pW0OXfmij+Bt Y5T52FaXQ0BZi9PZ87CZ+xky3aMbvrJRn+yj0USCx+BNE8XLZO3XGNx3oxqUrKtkh8LHlQNyOjMON 24qHFEHORpJSEluTTGi+P08f/3DbFj/Lsz5bFBbFENhZHg/2wPLuq8zKYJB2sVGkbNVE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/tasklet: address violations of MISRA C Rule 20.7 Message-Id: Date: Mon, 04 Mar 2024 09:55:44 +0000 commit fc84b4a5a37b9250d87ef63983b48e1953bba6d1 Author: Nicola Vetrini AuthorDate: Mon Mar 4 10:47:14 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:47:14 2024 +0100 xen/tasklet: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/tasklet.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/tasklet.h b/xen/include/xen/tasklet.h index 593d6a2400..78760b694a 100644 --- a/xen/include/xen/tasklet.h +++ b/xen/include/xen/tasklet.h @@ -27,7 +27,7 @@ struct tasklet #define _DECLARE_TASKLET(name, func, data, softirq) \ struct tasklet name = { \ - LIST_HEAD_INIT(name.list), -1, softirq, 0, 0, func, data } + LIST_HEAD_INIT((name).list), -1, softirq, 0, 0, func, data } #define DECLARE_TASKLET(name, func, data) \ _DECLARE_TASKLET(name, func, data, 0) #define DECLARE_SOFTIRQ_TASKLET(name, func, data) \ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:00:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:00:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688579.1072897 (Exim 4.92) (envelope-from ) id 1rhMuJ-0006k1-Ne; Tue, 05 Mar 2024 05:00:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688579.1072897; Tue, 05 Mar 2024 05:00:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuJ-0006jg-Kq; Tue, 05 Mar 2024 05:00:03 +0000 Received: by outflank-mailman (input) for mailman id 688579; Tue, 05 Mar 2024 05:00:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuI-0006Wq-KH for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuI-0001fM-G6 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMuI-0003Lr-CW for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wWEugqPWuyWzHA1itSXA1ivLuUst7YauYOtk7BpYtLs=; b=2D5jqHBgAJxefM3D9WKiix5onc 60Uuvt8/BQu+yidpBpbyvk/OxJjLTsCr3b6fV4/ppJqEVNCwRgM++YwAh9qJRxSA8Nflc4+c8Nqy5 jJYtUVyW4mIZ7XM8Pt6Pp1SzpQ7qnYMIadcmiXNER2+wBCX86aZrEjx3KcR5ADqNSz4Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/cpu-policy: Hide x2APIC from PV guests Message-Id: Date: Tue, 05 Mar 2024 05:00:02 +0000 commit 5420aa165dfa5fe95dd84bb71cb96c15459935b1 Author: Andrew Cooper AuthorDate: Wed Feb 28 20:21:58 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 x86/cpu-policy: Hide x2APIC from PV guests PV guests can't write to MSR_APIC_BASE (in order to set EXTD), nor can they access any of the x2APIC MSR range. Therefore they mustn't see the x2APIC CPUID bit saying that they can. Right now, the host x2APIC flag filters into PV guests, meaning that PV guests generally see x2APIC except on Zen1-and-older AMD systems. Linux works around this by explicitly hiding the bit itself, and filtering EXTD out of MSR_APIC_BASE reads. NetBSD behaves more in the spirit of PV guests, and entirely ignores the APIC when built as a PV guest. Change the annotation from !A to !S. This has a consequence of stripping it out of both PV featuremasks. However, as existing guests may have seen the bit, set it back into the PV Max policy; a VM which saw the bit and is alive enough to migrate will have ignored it one way or another. Hiding x2APIC does change the contents of leaf 0xb, but as the information is nonsense to begin with, this is likely an improvement on the status quo. Xen's blind assumption that APIC_ID = vCPU_ID * 2 isn't interlinked with the host's topology structure, where a PV guest may see real host values, and the APIC_IDs are useless without an MADT to start with. Dom0 is the only PV VM to get an MADT but it's the host one, meaning the two sets of APIC_IDs are from different address spaces. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/arch/x86/cpu-policy.c | 11 +++++++++-- xen/include/public/arch-x86/cpufeatureset.h | 2 +- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 10079c26ae..a4327abd13 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -537,6 +537,14 @@ static void __init calculate_pv_max_policy(void) for ( i = 0; i < ARRAY_SIZE(fs); ++i ) fs[i] &= pv_max_featuremask[i]; + /* + * Xen at the time of writing (Feb 2024, 4.19 dev cycle) used to leak the + * host x2APIC capability into PV guests, but never supported the guest + * trying to turn x2APIC mode on. Tolerate an incoming VM which saw the + * x2APIC CPUID bit and is alive enough to migrate. + */ + __set_bit(X86_FEATURE_X2APIC, fs); + /* * If Xen isn't virtualising MSR_SPEC_CTRL for PV guests (functional * availability, or admin choice), hide the feature. @@ -830,11 +838,10 @@ void recalculate_cpuid_policy(struct domain *d) } /* - * Allow the toolstack to set HTT, X2APIC and CMP_LEGACY. These bits + * Allow the toolstack to set HTT and CMP_LEGACY. These bits * affect how to interpret topology information in other cpuid leaves. */ __set_bit(X86_FEATURE_HTT, max_fs); - __set_bit(X86_FEATURE_X2APIC, max_fs); __set_bit(X86_FEATURE_CMP_LEGACY, max_fs); /* diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index be5c1b748e..b230d3a690 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -123,7 +123,7 @@ XEN_CPUFEATURE(PCID, 1*32+17) /*H Process Context ID */ XEN_CPUFEATURE(DCA, 1*32+18) /* Direct Cache Access */ XEN_CPUFEATURE(SSE4_1, 1*32+19) /*A Streaming SIMD Extensions 4.1 */ XEN_CPUFEATURE(SSE4_2, 1*32+20) /*A Streaming SIMD Extensions 4.2 */ -XEN_CPUFEATURE(X2APIC, 1*32+21) /*!A Extended xAPIC */ +XEN_CPUFEATURE(X2APIC, 1*32+21) /*!S Extended xAPIC */ XEN_CPUFEATURE(MOVBE, 1*32+22) /*A movbe instruction */ XEN_CPUFEATURE(POPCNT, 1*32+23) /*A POPCNT instruction */ XEN_CPUFEATURE(TSC_DEADLINE, 1*32+24) /*S TSC Deadline Timer */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:00:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:00:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688580.1072902 (Exim 4.92) (envelope-from ) id 1rhMuT-0007Az-PI; Tue, 05 Mar 2024 05:00:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688580.1072902; Tue, 05 Mar 2024 05:00:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuT-0007Ar-MM; Tue, 05 Mar 2024 05:00:13 +0000 Received: by outflank-mailman (input) for mailman id 688580; Tue, 05 Mar 2024 05:00:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuS-0007Al-KL for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuS-0001kL-JY for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMuS-0003NJ-ID for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+c2HfBdG1EjBOOQ5iYInrQj0VQ83kn/QSnpEypWiUkQ=; b=67p28VNlBKMVqRH0R496vL6Yi8 SSDkf5PmBtpEcgIK4OaVk0JrPwTPhcaUEbhRckboXMvgl2icKfufdcclMX3FkQOtVANNySelsTqnf suNgouldg85fYjQi0i4F31JlC1TN2hJ7gppJLnnZo2g8QkDSm0wnQpuU63ihtMj+zt64=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/cpu-policy: Fix visibility of HTT/CMP_LEGACY in max policies Message-Id: Date: Tue, 05 Mar 2024 05:00:12 +0000 commit e2d8a652251660c3252d92b442e1a9c5d6e6a1e9 Author: Andrew Cooper AuthorDate: Wed Feb 28 20:22:24 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 x86/cpu-policy: Fix visibility of HTT/CMP_LEGACY in max policies The block in recalculate_cpuid_policy() predates the proper split between default and max policies, and was a "slightly max for a toolstack which knows about it" capability. It didn't get transformed properly in Xen 4.14. Because Xen will accept a VM with HTT/CMP_LEGACY seen, they should be visible in the max polices. Keep the default policy matching host settings. This manifested as an incorrectly-rejected migration across XenServer's Xen 4.13 -> 4.17 upgrade, as Xapi is slowly growing the logic to check a VM against the target max policy. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/arch/x86/cpu-policy.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index a4327abd13..609db6946f 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -454,6 +454,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) raw_cpu_policy.feat.clwb ) __set_bit(X86_FEATURE_CLWB, fs); } + + /* + * Topology information inside the guest is entirely at the toolstack's + * discretion, and bears no relationship to the host we're running on. + * + * HTT identifies p->basic.lppp as valid + * CMP_LEGACY identifies p->extd.nc as valid + */ + __set_bit(X86_FEATURE_HTT, fs); + __set_bit(X86_FEATURE_CMP_LEGACY, fs); } static void __init guest_common_default_feature_adjustments(uint32_t *fs) @@ -490,6 +500,18 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) __clear_bit(X86_FEATURE_CLWB, fs); } + /* + * Topology information is at the toolstack's discretion so these are + * unconditionally set in max, but pick a default which matches the host. + */ + __clear_bit(X86_FEATURE_HTT, fs); + if ( cpu_has_htt ) + __set_bit(X86_FEATURE_HTT, fs); + + __clear_bit(X86_FEATURE_CMP_LEGACY, fs); + if ( cpu_has_cmp_legacy ) + __set_bit(X86_FEATURE_CMP_LEGACY, fs); + /* * On certain hardware, speculative or errata workarounds can result in * TSX being placed in "force-abort" mode, where it doesn't actually @@ -837,13 +859,6 @@ void recalculate_cpuid_policy(struct domain *d) } } - /* - * Allow the toolstack to set HTT and CMP_LEGACY. These bits - * affect how to interpret topology information in other cpuid leaves. - */ - __set_bit(X86_FEATURE_HTT, max_fs); - __set_bit(X86_FEATURE_CMP_LEGACY, max_fs); - /* * 32bit PV domains can't use any Long Mode features, and cannot use * SYSCALL on non-AMD hardware. -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:00:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:00:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688581.1072905 (Exim 4.92) (envelope-from ) id 1rhMud-0007DG-Qj; Tue, 05 Mar 2024 05:00:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688581.1072905; Tue, 05 Mar 2024 05:00:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMud-0007D7-Nn; Tue, 05 Mar 2024 05:00:23 +0000 Received: by outflank-mailman (input) for mailman id 688581; Tue, 05 Mar 2024 05:00:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuc-0007Cv-Nv for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuc-0001ke-N7 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMuc-0003Nw-Lj for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=p+M8Q79J19Q0aQxZ4u4nqa4E2HDdLXUVzn/ebohgQaY=; b=rZIACq5OWcRT+LkPxKCgFXc3Uk FGJQlgxkxwNe/MLSLpCm92em5h0RCfhX3Y+GcaVuAIsqNpOKQXlHDEY6DgAOj/1jhOKwFd2Psyz5T zayQdE5X+eY7YPxMjl0ADKU0VpZi8VI1PL8AS3nC0lRJ1ZExiFNp6xs2nyE/H+up3JuM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tests/resource: Fix HVM guest in !SHADOW builds Message-Id: Date: Tue, 05 Mar 2024 05:00:22 +0000 commit 0263dc9069ddb66335c72a159e09050b1600e56a Author: Andrew Cooper AuthorDate: Thu Feb 29 20:46:13 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 tests/resource: Fix HVM guest in !SHADOW builds Right now, test-resource always creates HVM Shadow guests. But if Xen has SHADOW compiled out, running the test yields: $./test-resource XENMEM_acquire_resource tests Test x86 PV Created d1 Test grant table Test x86 PVH Skip: 95 - Operation not supported and doesn't really test HVM guests, but doesn't fail either. There's nothing paging-mode-specific about this test, so default to HAP if possible and provide a more specific message if neither HAP or Shadow are available. As we've got physinfo to hand, also provide more specific message about the absence of PV or HVM support. Signed-off-by: Andrew Cooper Acked-by: Roger Pau Monné --- tools/tests/resource/test-resource.c | 39 ++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/tools/tests/resource/test-resource.c b/tools/tests/resource/test-resource.c index 7ae88ea348..1b10be16a6 100644 --- a/tools/tests/resource/test-resource.c +++ b/tools/tests/resource/test-resource.c @@ -20,6 +20,8 @@ static xc_interface *xch; static xenforeignmemory_handle *fh; static xengnttab_handle *gh; +static xc_physinfo_t physinfo; + static void test_gnttab(uint32_t domid, unsigned int nr_frames, unsigned long gfn) { @@ -172,6 +174,37 @@ static void test_domain_configurations(void) printf("Test %s\n", t->name); +#if defined(__x86_64__) || defined(__i386__) + if ( t->create.flags & XEN_DOMCTL_CDF_hvm ) + { + if ( !(physinfo.capabilities & XEN_SYSCTL_PHYSCAP_hvm) ) + { + printf(" Skip: HVM not available\n"); + continue; + } + + /* + * On x86, use HAP guests if possible, but skip if neither HAP nor + * SHADOW is available. + */ + if ( physinfo.capabilities & XEN_SYSCTL_PHYSCAP_hap ) + t->create.flags |= XEN_DOMCTL_CDF_hap; + else if ( !(physinfo.capabilities & XEN_SYSCTL_PHYSCAP_shadow) ) + { + printf(" Skip: Neither HAP or SHADOW available\n"); + continue; + } + } + else + { + if ( !(physinfo.capabilities & XEN_SYSCTL_PHYSCAP_pv) ) + { + printf(" Skip: PV not available\n"); + continue; + } + } +#endif + rc = xc_domain_create(xch, &domid, &t->create); if ( rc ) { @@ -214,6 +247,8 @@ static void test_domain_configurations(void) int main(int argc, char **argv) { + int rc; + printf("XENMEM_acquire_resource tests\n"); xch = xc_interface_open(NULL, NULL, 0); @@ -227,6 +262,10 @@ int main(int argc, char **argv) if ( !gh ) err(1, "xengnttab_open"); + rc = xc_physinfo(xch, &physinfo); + if ( rc ) + err(1, "Failed to obtain physinfo"); + test_domain_configurations(); return !!nr_failures; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:00:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:00:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688582.1072909 (Exim 4.92) (envelope-from ) id 1rhMun-0007FU-Sr; Tue, 05 Mar 2024 05:00:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688582.1072909; Tue, 05 Mar 2024 05:00:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMun-0007FM-Q5; Tue, 05 Mar 2024 05:00:33 +0000 Received: by outflank-mailman (input) for mailman id 688582; Tue, 05 Mar 2024 05:00:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMum-0007FE-Sm for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMum-0001ko-QF for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMum-0003OV-PL for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Y1R29dK99VtjdStGsHmyda4BTWdjUXAc6CvCYFM3ko8=; b=5r+AWvke2sRzTGcCngnmR83NV2 VzEzTAUHcE+RlhvdvPwhqlDPQAsfIEF/3yOAXf9Z5TPm9sORrOzqxzfnnK7qWCQbfAYUW2jD8Bxik j9sKsgbb3nsO3aC3nexY7SfEevUEnZWfsiNmezltGxlYcECMYwXIs8QD+sJOKzTKZHmg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Tue, 05 Mar 2024 05:00:32 +0000 commit de17162cafd27f2865a3102a2ec0f386a02ed03d Author: Andrew Cooper AuthorDate: Thu Feb 29 11:26:40 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/arch/x86/include/asm/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 609db6946f..2c6f03057b 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -442,6 +442,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -486,6 +496,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index be16492c68..ad24d0fa88 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -178,6 +178,7 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index b230d3a690..0374cec3a2 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -262,7 +262,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single XEN_CPUFEATURE(FSRM, 9*32+ 4) /*A Fast Short REP MOVS */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ @@ -334,7 +334,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:00:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:00:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688583.1072912 (Exim 4.92) (envelope-from ) id 1rhMux-0007Hv-U1; Tue, 05 Mar 2024 05:00:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688583.1072912; Tue, 05 Mar 2024 05:00:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMux-0007Ho-Ra; Tue, 05 Mar 2024 05:00:43 +0000 Received: by outflank-mailman (input) for mailman id 688583; Tue, 05 Mar 2024 05:00:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuw-0007Hc-UE for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMuw-0001kz-TX for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMuw-0003P0-Se for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=/mRFuxq9zWbLtHpkF4hvd0N5XReJLfDMno+ixJ0l/qo=; b=vyWHrY3pUoJelfaZ7l2zLqkH/a lOcnAe2hjtcH4QozUOf8qfJ+3JQU30REj++TWzFqA1T6NWx1H2xMQ3i3FIbTDfj9Upr6Pxs81dkvR T09ZTKXdqBgLey0z7IVEeIEJ3C+uPsW+4gg9RbtvNNC1ClZRTUVrLNn0VicL/+49OCvc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/mm: re-implement get_page_light() using an atomic increment Message-Id: Date: Tue, 05 Mar 2024 05:00:42 +0000 commit c40bc0576dcc5acd4d7e22ef628eb4642f568533 Author: Roger Pau Monné AuthorDate: Fri Mar 1 13:42:27 2024 +0100 Commit: Andrew Cooper CommitDate: Fri Mar 1 20:14:19 2024 +0000 x86/mm: re-implement get_page_light() using an atomic increment The current usage of a cmpxchg loop to increase the value of page count is not optimal on amd64, as there's already an instruction to do an atomic add to a 64bit integer. Switch the code in get_page_light() to use an atomic increment, as that avoids a loop construct. This slightly changes the order of the checks, as current code will crash before modifying the page count_info if the conditions are not correct, while with the proposed change the crash will happen immediately after having carried the counter increase. Since we are crashing anyway, I don't believe the re-ordering to have any meaningful impact. Note that the page must already have a non-zero reference count which prevents the flags from changing, and the previous usage of the cmpxchg loop didn't guarantee that the rest of the fields in count_info didn't change while updating the reference count. Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper --- xen/arch/x86/mm.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 4d6d7bfe4f..2aff6d4b53 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2580,16 +2580,10 @@ bool get_page(struct page_info *page, const struct domain *domain) */ static void get_page_light(struct page_info *page) { - unsigned long x, nx, y = page->count_info; + unsigned long old_pgc = arch_fetch_and_add(&page->count_info, 1); - do { - x = y; - nx = x + 1; - BUG_ON(!(x & PGC_count_mask)); /* Not allocated? */ - BUG_ON(!(nx & PGC_count_mask)); /* Overflow? */ - y = cmpxchg(&page->count_info, x, nx); - } - while ( unlikely(y != x) ); + BUG_ON(!(old_pgc & PGC_count_mask)); /* Not allocated? */ + BUG_ON(!((old_pgc + 1) & PGC_count_mask)); /* Overflow? */ } static int validate_page(struct page_info *page, unsigned long type, -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:00:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:00:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688584.1072919 (Exim 4.92) (envelope-from ) id 1rhMv9-0007Lm-0p; Tue, 05 Mar 2024 05:00:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688584.1072919; Tue, 05 Mar 2024 05:00:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMv8-0007Le-TE; Tue, 05 Mar 2024 05:00:54 +0000 Received: by outflank-mailman (input) for mailman id 688584; Tue, 05 Mar 2024 05:00:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMv7-0007LK-17 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMv7-0001lA-0K for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMv6-0003PU-Vo for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:00:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yAC/SE1xYGm4a9nRBOSofV/JlEOuVlOKt1+ic1ndAEQ=; b=FurqB41D6WAaOqdhzpGrlEbD5d kgs/+JYtra1ayvB5z9hOFFrjqC4sbfroldg3ooGDT6tLcQu/zeWHtknp53Eg4b3I15iPWL01+4++X ojkBV+n0sTOCQHyYNTP0eD0Zha5Nlkn/O9yA+uDaX+H7q1MnhgZQTVDhwpXwvwrZ8POo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs/misra/rules.rst: add rule 14.4 Message-Id: Date: Tue, 05 Mar 2024 05:00:52 +0000 commit 856664f774bd5b66301c5f9022126b61b8cb492d Author: Stefano Stabellini AuthorDate: Tue Feb 13 14:33:34 2024 -0800 Commit: Stefano Stabellini CommitDate: Fri Mar 1 17:44:11 2024 -0800 docs/misra/rules.rst: add rule 14.4 Signed-off-by: Stefano Stabellini Acked-by: Bertrand Marquis --- docs/misra/rules.rst | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/misra/rules.rst b/docs/misra/rules.rst index efea063ab9..1e134ccebc 100644 --- a/docs/misra/rules.rst +++ b/docs/misra/rules.rst @@ -462,6 +462,15 @@ maintainers if you want to suggest a change. while(0) and while(1) and alike are allowed. + * - `Rule 14.4 `_ + - Required + - The controlling expression of an if-statement and the controlling + expression of an iteration-statement shall have essentially + Boolean type + - Automatic conversions of integer types to bool are permitted. + Automatic conversions of pointer types to bool are permitted. + This rule still applies to enum types. + * - `Rule 16.3 `_ - Required - An unconditional break statement shall terminate every -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:01:05 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:01:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688585.1072921 (Exim 4.92) (envelope-from ) id 1rhMvJ-0007P2-2N; Tue, 05 Mar 2024 05:01:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688585.1072921; Tue, 05 Mar 2024 05:01:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvI-0007Ou-W8; Tue, 05 Mar 2024 05:01:04 +0000 Received: by outflank-mailman (input) for mailman id 688585; Tue, 05 Mar 2024 05:01:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvH-0007Oi-49 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvH-0001la-3Q for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMvH-0003Qq-2W for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tcV1mnpbl0bJqgeWMt2OgHd8ACt394mkNfSfbwMPUYE=; b=wUyxm/gXABBiqk3FTGarOkm1Yw n2YTTpnXDK4oPE69OCJOyBOI7XypRUWLCKv90JUIUXJ7Hf25UsPY105YP6FBG/EpS78dWz+gVGSVI Pdfnxhaz4MfO+Pk3dWmjjqjijzMTZD0OQF5+4Ra5/I76E/HjhbJUrVeA5LxNk0zS2CDA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] hvmloader: suppress GNU ld 2.39 warning about RWX load segments Message-Id: Date: Tue, 05 Mar 2024 05:01:03 +0000 commit 2d514678a3b6eacfcee2be0aeb0e45547e4d9100 Author: Jan Beulich AuthorDate: Mon Mar 4 10:43:54 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:43:54 2024 +0100 hvmloader: suppress GNU ld 2.39 warning about RWX load segments This aspect is simply meaningless for this component. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- tools/firmware/hvmloader/Makefile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/firmware/hvmloader/Makefile b/tools/firmware/hvmloader/Makefile index e5de1ade17..84cba171cd 100644 --- a/tools/firmware/hvmloader/Makefile +++ b/tools/firmware/hvmloader/Makefile @@ -20,6 +20,8 @@ XEN_ROOT = $(CURDIR)/../../.. include $(XEN_ROOT)/tools/firmware/Rules.mk +ld-option = $(shell if $(LD) -v $(1) >/dev/null 2>&1; then echo y; else echo n; fi) + # SMBIOS spec requires format mm/dd/yyyy SMBIOS_REL_DATE ?= $(shell date +%m/%d/%Y) @@ -59,6 +61,10 @@ ROMBIOS_ROM := $(ROMBIOS_DIR)/BIOS-bochs-latest ROMS += $(ROMBIOS_ROM) $(STDVGA_ROM) $(CIRRUSVGA_ROM) endif +# Suppress the warning about LOAD segments with RWX permissions, as what we +# build isn't a normal user-mode executable. +LDFLAGS-$(call ld-option,--warn-rwx-segments) := --no-warn-rwx-segments + .PHONY: all all: hvmloader @@ -85,7 +91,7 @@ $(DSDT_FILES): acpi build.o: $(DSDT_FILES) hvmloader: $(OBJS) hvmloader.lds - $(LD) $(LDFLAGS_DIRECT) -N -T hvmloader.lds -o $@ $(OBJS) + $(LD) $(LDFLAGS_DIRECT) $(LDFLAGS-y) -N -T hvmloader.lds -o $@ $(OBJS) roms.inc: $(ROMS) echo "/* Autogenerated file. DO NOT EDIT */" > $@.new -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:01:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:01:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688586.1072925 (Exim 4.92) (envelope-from ) id 1rhMvT-0007Rg-4D; Tue, 05 Mar 2024 05:01:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688586.1072925; Tue, 05 Mar 2024 05:01:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvT-0007RZ-1O; Tue, 05 Mar 2024 05:01:15 +0000 Received: by outflank-mailman (input) for mailman id 688586; Tue, 05 Mar 2024 05:01:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvR-0007RG-78 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvR-0001mC-6O for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMvR-0003Rf-5h for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gWv6ghDDFs3q4LY6FIWahQPOxOeO7jwsZRBcASfugow=; b=1MBfhZ75pjzDq9NWFdIAPykd+E 33HwOqgGbFfan+XKPuzjPzVx4xt9F2xIa7Bq+fw0sysR0U/PJDBZb2tGdmBdVBb9E/6SX6x1A14Hp Ayq6vRoqWJmQZfjuH0lYldw9T6OKBH8pQxWgVsCNxE3nI0tv7zo/PdIwlOkwkBVdH5Lg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] arch: move array_index_mask_nospec() Message-Id: Date: Tue, 05 Mar 2024 05:01:13 +0000 commit 9174674c3b4ad5f4a0a0401da25cb27e343b2b38 Author: Jan Beulich AuthorDate: Mon Mar 4 10:45:10 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:45:10 2024 +0100 arch: move array_index_mask_nospec() At the time they were introduced, there were no asm/nospec.h yet, so they were placed in system.h. Move them to nospec.h and drop xen/nospec.h's including of asm/system.h; there's one unrelated #include that needs adding in exchange, on x86. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper Acked-by: Julien Grall --- xen/arch/arm/include/asm/arm32/nospec.h | 31 +++++++++++++++++++++++++++++ xen/arch/arm/include/asm/arm32/system.h | 18 ----------------- xen/arch/arm/include/asm/arm64/nospec.h | 35 +++++++++++++++++++++++++++++++++ xen/arch/arm/include/asm/arm64/system.h | 22 --------------------- xen/arch/arm/include/asm/nospec.h | 8 ++++++++ xen/arch/x86/include/asm/nospec.h | 24 ++++++++++++++++++++++ xen/arch/x86/include/asm/system.h | 24 ---------------------- xen/arch/x86/include/asm/x86_emulate.h | 1 + xen/include/xen/nospec.h | 1 - 9 files changed, 99 insertions(+), 65 deletions(-) diff --git a/xen/arch/arm/include/asm/arm32/nospec.h b/xen/arch/arm/include/asm/arm32/nospec.h new file mode 100644 index 0000000000..be3c7712c8 --- /dev/null +++ b/xen/arch/arm/include/asm/arm32/nospec.h @@ -0,0 +1,31 @@ +/* Portions taken from Linux arch arm */ +#ifndef __ASM_ARM32_NOSPEC_H +#define __ASM_ARM32_NOSPEC_H + +#define CSDB ".inst 0xe320f014" + +static inline unsigned long array_index_mask_nospec(unsigned long idx, + unsigned long sz) +{ + unsigned long mask; + + asm volatile( "cmp %1, %2\n" + "sbc %0, %1, %1\n" + CSDB + : "=r" (mask) + : "r" (idx), "Ir" (sz) + : "cc" ); + + return mask; +} +#define array_index_mask_nospec array_index_mask_nospec + +#endif /* __ASM_ARM32_NOSPEC_H */ +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/arch/arm/include/asm/arm32/system.h b/xen/arch/arm/include/asm/arm32/system.h index ab57abfbc5..c617b40438 100644 --- a/xen/arch/arm/include/asm/arm32/system.h +++ b/xen/arch/arm/include/asm/arm32/system.h @@ -48,24 +48,6 @@ static inline int local_fiq_is_enabled(void) return !(flags & PSR_FIQ_MASK); } -#define CSDB ".inst 0xe320f014" - -static inline unsigned long array_index_mask_nospec(unsigned long idx, - unsigned long sz) -{ - unsigned long mask; - - asm volatile( "cmp %1, %2\n" - "sbc %0, %1, %1\n" - CSDB - : "=r" (mask) - : "r" (idx), "Ir" (sz) - : "cc" ); - - return mask; -} -#define array_index_mask_nospec array_index_mask_nospec - #endif /* * Local variables: diff --git a/xen/arch/arm/include/asm/arm64/nospec.h b/xen/arch/arm/include/asm/arm64/nospec.h new file mode 100644 index 0000000000..2364ca692b --- /dev/null +++ b/xen/arch/arm/include/asm/arm64/nospec.h @@ -0,0 +1,35 @@ +/* Portions taken from Linux arch arm64 */ +#ifndef __ASM_ARM64_NOSPEC_H +#define __ASM_ARM64_NOSPEC_H + +#define csdb() asm volatile ( "hint #20" : : : "memory" ) + +/* + * Generate a mask for array_index__nospec() that is ~0UL when 0 <= idx < sz + * and 0 otherwise. + */ +static inline unsigned long array_index_mask_nospec(unsigned long idx, + unsigned long sz) +{ + unsigned long mask; + + asm volatile ( "cmp %1, %2\n" + "sbc %0, xzr, xzr\n" + : "=r" (mask) + : "r" (idx), "Ir" (sz) + : "cc" ); + csdb(); + + return mask; +} +#define array_index_mask_nospec array_index_mask_nospec + +#endif /* __ASM_ARM64_NOSPEC_H */ +/* + * Local variables: + * mode: C + * c-file-style: "BSD" + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ diff --git a/xen/arch/arm/include/asm/arm64/system.h b/xen/arch/arm/include/asm/arm64/system.h index 2e36573ac6..2e2ee212a1 100644 --- a/xen/arch/arm/include/asm/arm64/system.h +++ b/xen/arch/arm/include/asm/arm64/system.h @@ -58,28 +58,6 @@ static inline int local_fiq_is_enabled(void) return !(flags & PSR_FIQ_MASK); } -#define csdb() asm volatile ( "hint #20" : : : "memory" ) - -/* - * Generate a mask for array_index__nospec() that is ~0UL when 0 <= idx < sz - * and 0 otherwise. - */ -static inline unsigned long array_index_mask_nospec(unsigned long idx, - unsigned long sz) -{ - unsigned long mask; - - asm volatile ( "cmp %1, %2\n" - "sbc %0, xzr, xzr\n" - : "=r" (mask) - : "r" (idx), "Ir" (sz) - : "cc" ); - csdb(); - - return mask; -} -#define array_index_mask_nospec array_index_mask_nospec - #endif /* * Local variables: diff --git a/xen/arch/arm/include/asm/nospec.h b/xen/arch/arm/include/asm/nospec.h index 51c7aea4f4..efac51fc03 100644 --- a/xen/arch/arm/include/asm/nospec.h +++ b/xen/arch/arm/include/asm/nospec.h @@ -4,6 +4,14 @@ #ifndef _ASM_ARM_NOSPEC_H #define _ASM_ARM_NOSPEC_H +#if defined(CONFIG_ARM_32) +# include +#elif defined(CONFIG_ARM_64) +# include +#else +# error "unknown ARM variant" +#endif + static inline bool evaluate_nospec(bool condition) { return condition; diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h index 7150e76b87..07606834c4 100644 --- a/xen/arch/x86/include/asm/nospec.h +++ b/xen/arch/x86/include/asm/nospec.h @@ -38,6 +38,30 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +/** + * array_index_mask_nospec() - generate a mask that is ~0UL when the + * bounds check succeeds and 0 otherwise + * @index: array element index + * @size: number of elements in array + * + * Returns: + * 0 - (index < size) + */ +static inline unsigned long array_index_mask_nospec(unsigned long index, + unsigned long size) +{ + unsigned long mask; + + asm volatile ( "cmp %[size], %[index]; sbb %[mask], %[mask];" + : [mask] "=r" (mask) + : [size] "g" (size), [index] "r" (index) ); + + return mask; +} + +/* Override default implementation in nospec.h. */ +#define array_index_mask_nospec array_index_mask_nospec + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/arch/x86/include/asm/system.h b/xen/arch/x86/include/asm/system.h index debf6bfa17..73cb16ca68 100644 --- a/xen/arch/x86/include/asm/system.h +++ b/xen/arch/x86/include/asm/system.h @@ -224,30 +224,6 @@ static always_inline unsigned long __xadd( #define smp_mb__before_atomic() do { } while (0) #define smp_mb__after_atomic() do { } while (0) -/** - * array_index_mask_nospec() - generate a mask that is ~0UL when the - * bounds check succeeds and 0 otherwise - * @index: array element index - * @size: number of elements in array - * - * Returns: - * 0 - (index < size) - */ -static inline unsigned long array_index_mask_nospec(unsigned long index, - unsigned long size) -{ - unsigned long mask; - - asm volatile ( "cmp %[size], %[index]; sbb %[mask], %[mask];" - : [mask] "=r" (mask) - : [size] "g" (size), [index] "r" (index) ); - - return mask; -} - -/* Override default implementation in nospec.h. */ -#define array_index_mask_nospec array_index_mask_nospec - #define local_irq_disable() asm volatile ( "cli" : : : "memory" ) #define local_irq_enable() asm volatile ( "sti" : : : "memory" ) diff --git a/xen/arch/x86/include/asm/x86_emulate.h b/xen/arch/x86/include/asm/x86_emulate.h index c184c0053c..2b75f7f8e2 100644 --- a/xen/arch/x86/include/asm/x86_emulate.h +++ b/xen/arch/x86/include/asm/x86_emulate.h @@ -15,6 +15,7 @@ #include #include #include +#include #include "../../x86_emulate/x86_emulate.h" diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4c250ebbd6 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -7,7 +7,6 @@ #ifndef XEN_NOSPEC_H #define XEN_NOSPEC_H -#include #include /** -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:01:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:01:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688587.1072930 (Exim 4.92) (envelope-from ) id 1rhMvd-0007U2-6O; Tue, 05 Mar 2024 05:01:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688587.1072930; Tue, 05 Mar 2024 05:01:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvd-0007Tv-2x; Tue, 05 Mar 2024 05:01:25 +0000 Received: by outflank-mailman (input) for mailman id 688587; Tue, 05 Mar 2024 05:01:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvb-0007Td-9p for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvb-0001mU-99 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMvb-0003Sa-8W for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qIuszDHv3OHmXmsD2ax4Y9fMRR0HSZ7uEjVluT6UT7Y=; b=1fM0HHcNMwd2C9LUqeSO9B50WE sL2Y+j2/GA8dvLT+hecxz/2ZjSiIIbPacwa+Ye4kh868RnF4ZRI/Osv93wgzRANOXew7YBE1hckxN K4me/1lz1tE8R9Bxk2Xv9E4o0szY0hj2mrGOLzY+n1PSK0dA/MAFeCIuu8sY6pp96vpI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: smmuv3: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 05 Mar 2024 05:01:23 +0000 commit 771c4e39632d6d8a36668242bcc71f93cfc2842e Author: Nicola Vetrini AuthorDate: Mon Mar 4 10:46:25 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:46:25 2024 +0100 xen/arm: smmuv3: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/drivers/passthrough/arm/smmu-v3.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/drivers/passthrough/arm/smmu-v3.c b/xen/drivers/passthrough/arm/smmu-v3.c index c3ac6d17d1..b1c40c2c0a 100644 --- a/xen/drivers/passthrough/arm/smmu-v3.c +++ b/xen/drivers/passthrough/arm/smmu-v3.c @@ -111,7 +111,7 @@ #define GFP_KERNEL 0 /* Device logger functions */ -#define dev_name(dev) dt_node_full_name(dev->of_node) +#define dev_name(dev) dt_node_full_name((dev)->of_node) #define dev_dbg(dev, fmt, ...) \ printk(XENLOG_DEBUG "SMMUv3: %s: " fmt, dev_name(dev), ## __VA_ARGS__) #define dev_notice(dev, fmt, ...) \ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:01:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:01:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688588.1072932 (Exim 4.92) (envelope-from ) id 1rhMvn-0007WN-7B; Tue, 05 Mar 2024 05:01:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688588.1072932; Tue, 05 Mar 2024 05:01:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvn-0007WH-4T; Tue, 05 Mar 2024 05:01:35 +0000 Received: by outflank-mailman (input) for mailman id 688588; Tue, 05 Mar 2024 05:01:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvl-0007W6-De for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvl-0001mf-C4 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMvl-0003UQ-BI for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Q7ItDliuCBOq4O1pGpOI9TeQ1qDI8q3C+0VRMzcbzuM=; b=3cSisqJt2Wva1h6aA7j4LgfaO7 3cPeBk8Dp4pVYPPjdu0eDOF5XyZ1a3NG8bD79smHCuV5o4oiVuN5ghVx/IOlKfjv/f+8keXjTMbmP Uht0o/Ya0o2SvFhFRmlOkOmQlrywQz5hNvNH8N72iepw5hRcrp2rJQqnz6ZbL4hjXOtY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/errno: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 05 Mar 2024 05:01:33 +0000 commit 47fdf9a79f227efe88759765754a830a35239fa4 Author: Nicola Vetrini AuthorDate: Mon Mar 4 10:46:46 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:46:46 2024 +0100 xen/errno: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/xen/errno.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/errno.h b/xen/include/xen/errno.h index 69b28dd3c6..506674701f 100644 --- a/xen/include/xen/errno.h +++ b/xen/include/xen/errno.h @@ -3,7 +3,7 @@ #ifndef __ASSEMBLY__ -#define XEN_ERRNO(name, value) name = value, +#define XEN_ERRNO(name, value) name = (value), enum { #include }; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 05:01:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 05:01:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688589.1072939 (Exim 4.92) (envelope-from ) id 1rhMvx-0007Yy-9Z; Tue, 05 Mar 2024 05:01:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688589.1072939; Tue, 05 Mar 2024 05:01:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvx-0007Yn-5v; Tue, 05 Mar 2024 05:01:45 +0000 Received: by outflank-mailman (input) for mailman id 688589; Tue, 05 Mar 2024 05:01:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvv-0007YQ-Fc for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhMvv-0001mm-Es for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhMvv-0003Va-EC for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 05:01:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=idX0JoQxoQXnpHSoQHMfNymtQgCLBhrRUtdJUY7CRp4=; b=rqrbbQkTx3g5j9d6XyK6tMAI6F HlXKiVdNtm9BTvdjRh65OflzuWApo8Noody8TgdnJEOQ5yR1n3XoK6dBGR/Y6EfPgyBDzBxXiidb7 uAQkgQ/PsQveVEaGVxp0MiPBCPTLISRdvShrvTONBfMx7Ojdqx973aR/0Lgx56AOGvmo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/tasklet: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 05 Mar 2024 05:01:43 +0000 commit fc84b4a5a37b9250d87ef63983b48e1953bba6d1 Author: Nicola Vetrini AuthorDate: Mon Mar 4 10:47:14 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 4 10:47:14 2024 +0100 xen/tasklet: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/tasklet.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/tasklet.h b/xen/include/xen/tasklet.h index 593d6a2400..78760b694a 100644 --- a/xen/include/xen/tasklet.h +++ b/xen/include/xen/tasklet.h @@ -27,7 +27,7 @@ struct tasklet #define _DECLARE_TASKLET(name, func, data, softirq) \ struct tasklet name = { \ - LIST_HEAD_INIT(name.list), -1, softirq, 0, 0, func, data } + LIST_HEAD_INIT((name).list), -1, softirq, 0, 0, func, data } #define DECLARE_TASKLET(name, func, data) \ _DECLARE_TASKLET(name, func, data, 0) #define DECLARE_SOFTIRQ_TASKLET(name, func, data) \ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:11:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:11:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688736.1073214 (Exim 4.92) (envelope-from ) id 1rhShM-0006kd-O6; Tue, 05 Mar 2024 11:11:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688736.1073214; Tue, 05 Mar 2024 11:11:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShM-0006kV-LH; Tue, 05 Mar 2024 11:11:04 +0000 Received: by outflank-mailman (input) for mailman id 688736; Tue, 05 Mar 2024 11:11:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShL-0006kP-Qa for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShL-0001eZ-OG for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhShL-0000CN-L2 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9yMb/I6RfXwvtpUHTxdUjZDbNYhkpA8eBbPUKWvjqq8=; b=n1yFRplJsWEzPWzhjgUmyM12kL j4sDpC8WUfOnjzt//FKxCl2s6BL+3QSDE5er23DyllI+kL5139DIaHYE/FRRav1OwSv7YiioX+10T EfbyK/K0Sssb/KbBcn1EiNeNv6kd2jp/UC0A7rroLdCxOMIoUjA7NNUbsBJmXZd6kL1w=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware Message-Id: Date: Tue, 05 Mar 2024 11:11:03 +0000 commit 3e383bb4137c6ca3058cd55cb867ecc2b7414499 Author: Jan Beulich AuthorDate: Tue Mar 5 11:48:39 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:48:39 2024 +0100 x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware ... or we fail to enable the functionality on the BSP for other reasons. The only place where hardware announcing the feature is recorded is the raw CPU policy/featureset. Inspired by https://lore.kernel.org/all/20230921114940.957141-1-pbonzini@redhat.com/. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné master commit: 0b5f149338e35a795bf609ce584640b0977f9e6c master date: 2024-01-09 14:06:34 +0100 --- xen/arch/x86/hvm/svm/svm.c | 1 + xen/arch/x86/hvm/vmx/vmcs.c | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 24c417ca71..ff991c82cf 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -2543,6 +2543,7 @@ const struct hvm_function_table * __init start_svm(void) if ( _svm_cpu_up(true) ) { + setup_clear_cpu_cap(X86_FEATURE_SVM); printk("SVM: failed to initialise.\n"); return NULL; } diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c index 13719cc923..e382aa16c5 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -2165,6 +2165,23 @@ int __init vmx_vmcs_init(void) if ( !ret ) register_keyhandler('v', vmcs_dump, "dump VT-x VMCSs", 1); + else + { + setup_clear_cpu_cap(X86_FEATURE_VMX); + + /* + * _vmx_vcpu_up() may have made it past feature identification. + * Make sure all dependent features are off as well. + */ + vmx_basic_msr = 0; + vmx_pin_based_exec_control = 0; + vmx_cpu_based_exec_control = 0; + vmx_secondary_exec_control = 0; + vmx_vmexit_control = 0; + vmx_vmentry_control = 0; + vmx_ept_vpid_cap = 0; + vmx_vmfunc = 0; + } return ret; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:11:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:11:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688737.1073217 (Exim 4.92) (envelope-from ) id 1rhShW-0006mM-Pa; Tue, 05 Mar 2024 11:11:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688737.1073217; Tue, 05 Mar 2024 11:11:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShW-0006mF-Ml; Tue, 05 Mar 2024 11:11:14 +0000 Received: by outflank-mailman (input) for mailman id 688737; Tue, 05 Mar 2024 11:11:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShV-0006m7-Tt for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShV-0001et-RL for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhShV-0000DD-QR for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FtyBxfP6B9dZWcgiIL9Rt4Hqz6AzJWZ7HH77SlSJduQ=; b=B0ZfWx8wYedr5xtVKac2lf2tLE pr67qGddPHCqYAzZI7gAtvRtUPtJt6kU+4RLuzjhpQNf4PFahdBzjGM1X0FLmsCIChrMeKg67S28w wTMD/FB300qBtmWSCtIxHcLMrl+5/EWBpSyvYuyER+l96KsphfrnE+U37wONabr+i1YQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/sched: Fix UB shift in compat_set_timer_op() Message-Id: Date: Tue, 05 Mar 2024 11:11:13 +0000 commit 57f137053652d5a981ae21f3abe7becc507fe434 Author: Andrew Cooper AuthorDate: Tue Mar 5 11:49:22 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:49:22 2024 +0100 xen/sched: Fix UB shift in compat_set_timer_op() Tamas reported this UBSAN failure from fuzzing: (XEN) ================================================================================ (XEN) UBSAN: Undefined behaviour in common/sched/compat.c:48:37 (XEN) left shift of negative value -2147425536 (XEN) ----[ Xen-4.19-unstable x86_64 debug=y ubsan=y Not tainted ]---- ... (XEN) Xen call trace: (XEN) [] R ubsan.c#ubsan_epilogue+0xa/0xd9 (XEN) [] F __ubsan_handle_shift_out_of_bounds+0x11a/0x1c5 (XEN) [] F compat_set_timer_op+0x41/0x43 (XEN) [] F hvm_do_multicall_call+0x77f/0xa75 (XEN) [] F arch_do_multicall_call+0xec/0xf1 (XEN) [] F do_multicall+0x1dc/0xde3 (XEN) [] F hvm_hypercall+0xa00/0x149a (XEN) [] F vmx_vmexit_handler+0x1596/0x279c (XEN) [] F vmx_asm_vmexit_handler+0xdb/0x200 Left-shifting any negative value is strictly undefined behaviour in C, and the two parameters here come straight from the guest. The fuzzer happened to choose lo 0xf, hi 0x8000e300. Switch everything to be unsigned values, making the shift well defined. As GCC documents: As an extension to the C language, GCC does not use the latitude given in C99 and C11 only to treat certain aspects of signed '<<' as undefined. However, -fsanitize=shift (and -fsanitize=undefined) will diagnose such cases. this was deemed not to need an XSA. Note: The unsigned -> signed conversion for do_set_timer_op()'s s_time_t parameter is also well defined. C makes it implementation defined, and GCC defines it as reduction modulo 2^N to be within range of the new type. Fixes: 2942f45e09fb ("Enable compatibility mode operation for HYPERVISOR_sched_op and HYPERVISOR_set_timer_op.") Reported-by: Tamas K Lengyel Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: ae6d4fd876765e6d623eec67d14f5d0464be09cb master date: 2024-02-01 19:52:44 +0000 --- xen/common/sched/compat.c | 4 ++-- xen/include/hypercall-defs.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/sched/compat.c b/xen/common/sched/compat.c index d718e450d4..dd97593630 100644 --- a/xen/common/sched/compat.c +++ b/xen/common/sched/compat.c @@ -43,9 +43,9 @@ static int compat_poll(struct compat_sched_poll *compat) #include "core.c" -int compat_set_timer_op(uint32_t lo, int32_t hi) +int compat_set_timer_op(uint32_t lo, uint32_t hi) { - return do_set_timer_op(((s64)hi << 32) | lo); + return do_set_timer_op(((uint64_t)hi << 32) | lo); } #endif /* __COMMON_SCHED_COMPAT_C__ */ diff --git a/xen/include/hypercall-defs.c b/xen/include/hypercall-defs.c index 6d361ddfce..47c093acc8 100644 --- a/xen/include/hypercall-defs.c +++ b/xen/include/hypercall-defs.c @@ -134,7 +134,7 @@ xenoprof_op(int op, void *arg) #ifdef CONFIG_COMPAT prefix: compat -set_timer_op(uint32_t lo, int32_t hi) +set_timer_op(uint32_t lo, uint32_t hi) multicall(multicall_entry_compat_t *call_list, uint32_t nr_calls) memory_op(unsigned int cmd, void *arg) #ifdef CONFIG_IOREQ_SERVER -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:11:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:11:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688738.1073222 (Exim 4.92) (envelope-from ) id 1rhShh-0006pd-SD; Tue, 05 Mar 2024 11:11:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688738.1073222; Tue, 05 Mar 2024 11:11:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShh-0006pV-Pc; Tue, 05 Mar 2024 11:11:25 +0000 Received: by outflank-mailman (input) for mailman id 688738; Tue, 05 Mar 2024 11:11:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShg-0006pF-2y for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShg-0001fM-0O for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhShf-0000Dk-TX for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zOCcaPlXmJVQJJlTh5Xrz+ZLk0Qd3UgzIZojqEzPNUc=; b=6+JgKZSkGeTUODqCrHVfCHf4gV cmnm/c2aguuQ0likjMoyDKvBSpgctwOMOsaANTq7JSHw2D12mPH8OgjLd0S8L+h0EPg3zUaul+3Zi Brsrn/jNxsMdmZfKhqSWqmsFc6V2TAcUfewHhnz983MuhGKfkH6ZvssjleFDiqseesHQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/spec: print the built-in SPECULATIVE_HARDEN_* options Message-Id: Date: Tue, 05 Mar 2024 11:11:23 +0000 commit b7f9168878155e2d29b9b4a3048b0a9a68ed82ed Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:50:16 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:50:16 2024 +0100 x86/spec: print the built-in SPECULATIVE_HARDEN_* options Just like it's done for INDIRECT_THUNK and SHADOW_PAGING. Reported-by: Jan Beulich Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 6e9507f7d51fe49df8bc70f83e49ce06c92e4e54 master date: 2024-02-27 14:57:52 +0100 --- xen/arch/x86/spec_ctrl.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 01ba59cff7..04e508b622 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -476,13 +476,25 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ - if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY + " HARDEN_ARRAY" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH + " HARDEN_BRANCH" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS + " HARDEN_GUEST_ACCESS" #endif "\n"); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:11:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:11:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688739.1073227 (Exim 4.92) (envelope-from ) id 1rhShr-0006sD-U0; Tue, 05 Mar 2024 11:11:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688739.1073227; Tue, 05 Mar 2024 11:11:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShr-0006s3-R4; Tue, 05 Mar 2024 11:11:35 +0000 Received: by outflank-mailman (input) for mailman id 688739; Tue, 05 Mar 2024 11:11:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShq-0006rm-4T for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhShq-0001fY-3f for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhShq-0000EH-2l for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Ya+jdFKQHmPzpBfOs60SdPVmCE2XIzUcjLZ6fhNFjTU=; b=mvdbzvtb0BNKIGBHfglpF8xoPg KQb2jfbZRaHp4JDYNbUeHNl4RU5/KEMywPQRWxvkcq+pHVI9AlBO2+mzBq00JMOuiJgYUUHLY//Zi rrlqYDIvIyRP9A2RxXfRlStmnVYoFZH8g0OEc6FyIW2BhnJ1DVjii/XvdLf3a66uSEd4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled Message-Id: Date: Tue, 05 Mar 2024 11:11:34 +0000 commit 09b9db0413b1f31f27bece07b2bfa1723b89ace6 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:50:53 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:50:53 2024 +0100 x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled Attempt to provide a more helpful error message when the user attempts to set spec-ctrl=bti-thunk option but the support is build-time disabled. While there also adjust the command line documentation to mention CONFIG_INDIRECT_THUNK instead of INDIRECT_THUNK. Reported-by: Andrew Cooper Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 8441fa806a3b778867867cd0159fa1722e90397e master date: 2024-02-27 14:58:20 +0100 --- docs/misc/xen-command-line.pandoc | 10 +++++----- xen/arch/x86/spec_ctrl.c | 7 ++++++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 8e65f8bd18..582d6741d1 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2424,11 +2424,11 @@ guests to use. performance reasons dom0 is unprotected by default. If it is necessary to protect dom0 too, boot with `spec-ctrl=ibpb-entry`. -If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to -select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` -locations. The default thunk is `retpoline` (generally preferred), with the -alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and -`lfence` (an `lfence; jmp *%reg` gadget). +If Xen was compiled with `CONFIG_INDIRECT_THUNK` support, `bti-thunk=` can be +used to select which of the thunks gets patched into the +`__x86_indirect_thunk_%reg` locations. The default thunk is `retpoline` +(generally preferred), with the alternatives being `jmp` (a `jmp *%reg` gadget, +minimal overhead), and `lfence` (an `lfence; jmp *%reg` gadget). On hardware supporting IBRS (Indirect Branch Restricted Speculation), the `ibrs=` option can be used to force or prevent Xen using the feature itself. diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 04e508b622..99ecfb3cba 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -241,7 +241,12 @@ static int __init cf_check parse_spec_ctrl(const char *s) { s += 10; - if ( !cmdline_strcmp(s, "retpoline") ) + if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) ) + { + no_config_param("INDIRECT_THUNK", "spec-ctrl", s - 10, ss); + rc = -EINVAL; + } + else if ( !cmdline_strcmp(s, "retpoline") ) opt_thunk = THUNK_RETPOLINE; else if ( !cmdline_strcmp(s, "lfence") ) opt_thunk = THUNK_LFENCE; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:11:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:11:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688740.1073229 (Exim 4.92) (envelope-from ) id 1rhSi1-0006uo-V2; Tue, 05 Mar 2024 11:11:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688740.1073229; Tue, 05 Mar 2024 11:11:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSi1-0006uh-Sa; Tue, 05 Mar 2024 11:11:45 +0000 Received: by outflank-mailman (input) for mailman id 688740; Tue, 05 Mar 2024 11:11:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSi0-0006uU-7O for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSi0-0001fj-6d for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSi0-0000Es-5n for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uQrDDN6QqiWz8jkr1NpK/1tgZWTPkBBb/SCurEY1Lsc=; b=wvxuQiL6poL7i394Cfzc5leyDx WseMsz0w1PbLVJk4zb2EEWwP1PgG9+BOQUG7ESyB32XqyhSNlannjj7JRcjbtUh/VKN4Pc8YmpVuz /pr5y1WkKH5fRNLxIeTnumjqvpmmqxdpt5Ds3lULF9DQ6lqa5tYx6kHFQP7zAAdpi/Wc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/spec: do not print thunk option selection if not built-in Message-Id: Date: Tue, 05 Mar 2024 11:11:44 +0000 commit 7404c25efdc70091817479b80dbbd945e6ab4861 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:51:56 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:51:56 2024 +0100 x86/spec: do not print thunk option selection if not built-in Since the thunk built-in enable is printed as part of the "Compiled-in support:" line, avoid printing anything in "Xen settings:" if the thunk is disabled at build time. Note the BTI-Thunk option printing is also adjusted to print a colon in the same way the other options on the line do. Requested-by: Jan Beulich Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 576528a2a742069af203e90c613c5c93e23c9755 master date: 2024-02-27 14:58:40 +0100 --- xen/arch/x86/spec_ctrl.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 99ecfb3cba..a965b6db28 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -504,11 +504,12 @@ static void __init print_details(enum ind_thunk thunk) "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", - thunk == THUNK_NONE ? "N/A" : - thunk == THUNK_RETPOLINE ? "RETPOLINE" : - thunk == THUNK_LFENCE ? "LFENCE" : - thunk == THUNK_JMP ? "JMP" : "?", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + thunk != THUNK_NONE ? "BTI-Thunk: " : "", + thunk == THUNK_NONE ? "" : + thunk == THUNK_RETPOLINE ? "RETPOLINE, " : + thunk == THUNK_LFENCE ? "LFENCE, " : + thunk == THUNK_JMP ? "JMP, " : "?, ", (!boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBRS)) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:11:56 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:11:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688741.1073234 (Exim 4.92) (envelope-from ) id 1rhSiC-0006xJ-0W; Tue, 05 Mar 2024 11:11:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688741.1073234; Tue, 05 Mar 2024 11:11:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiB-0006xB-U7; Tue, 05 Mar 2024 11:11:55 +0000 Received: by outflank-mailman (input) for mailman id 688741; Tue, 05 Mar 2024 11:11:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiA-0006wz-AK for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiA-0001fw-9d for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSiA-0000FL-8l for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:11:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7DGkNn49DiwkbBlr+/xRSDmEvSdRP6VCclGKW9KccmY=; b=2EJQWvqmFvHlxv5UJOnA16j579 RPyyr0pB1d3Fybhmb7ghM0KBVUpBOebYb+2O4UoouWe2xCymU/HtLnd87DW102Nt+g4nNr0SFYsHt NQF4tTEzfkECLtgSdfFQVTTUybi3xe3E5b5e/Rk6z6VqSKqIthLf29shkNdKCokxF2ls=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/livepatch: register livepatch regions when loaded Message-Id: Date: Tue, 05 Mar 2024 11:11:54 +0000 commit 5382a6a79cb544f2eecc47330b531802f8c52977 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:52:57 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:52:57 2024 +0100 xen/livepatch: register livepatch regions when loaded Currently livepatch regions are registered as virtual regions only after the livepatch has been applied. This can lead to issues when using the pre-apply or post-revert hooks, as at that point the livepatch is not in the virtual regions list. If a livepatch pre-apply hook contains a WARN() it would trigger an hypervisor crash, as the code to handle the bug frame won't be able to find the instruction pointer that triggered the #UD in any of the registered virtual regions, and hence crash. Fix this by adding the livepatch payloads as virtual regions as soon as loaded, and only remove them once the payload is unloaded. This requires some changes to the virtual regions code, as the removal of the virtual regions is no longer done in stop machine context, and hence an RCU barrier is added in order to make sure there are no users of the virtual region after it's been removed from the list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: a57b4074ab39bee78b6c116277f0a9963bd8e687 master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 4 ++-- xen/common/virtual_region.c | 44 +++++++++++++++++--------------------------- 2 files changed, 19 insertions(+), 29 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index e635606c10..e1964b841a 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1071,6 +1071,7 @@ static int build_symbol_table(struct payload *payload, static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); + unregister_virtual_region(&data->region); list_del(&data->list); payload_cnt--; payload_version++; @@ -1170,6 +1171,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->list); INIT_LIST_HEAD(&data->applied_list); + register_virtual_region(&data->region); list_add_tail(&data->list, &payload_list); payload_cnt++; payload_version++; @@ -1386,7 +1388,6 @@ static inline void apply_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_add_tail_rcu(&data->applied_list, &applied_list); - register_virtual_region(&data->region); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1432,7 +1433,6 @@ static inline void revert_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_del_rcu(&data->applied_list); - unregister_virtual_region(&data->region); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index 5f89703f51..9f12c30efe 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -23,14 +23,8 @@ static struct virtual_region core_init __initdata = { }; /* - * RCU locking. Additions are done either at startup (when there is only - * one CPU) or when all CPUs are running without IRQs. - * - * Deletions are bit tricky. We do it when Live Patch (all CPUs running - * without IRQs) or during bootup (when clearing the init). - * - * Hence we use list_del_rcu (which sports an memory fence) and a spinlock - * on deletion. + * RCU locking. Modifications to the list must be done in exclusive mode, and + * hence need to hold the spinlock. * * All readers of virtual_region_list MUST use list_for_each_entry_rcu. */ @@ -58,41 +52,36 @@ const struct virtual_region *find_text_region(unsigned long addr) void register_virtual_region(struct virtual_region *r) { - ASSERT(!local_irq_is_enabled()); + unsigned long flags; + spin_lock_irqsave(&virtual_region_lock, flags); list_add_tail_rcu(&r->list, &virtual_region_list); + spin_unlock_irqrestore(&virtual_region_lock, flags); } -static void remove_virtual_region(struct virtual_region *r) +/* + * Suggest inline so when !CONFIG_LIVEPATCH the function is not left + * unreachable after init code is removed. + */ +static void inline remove_virtual_region(struct virtual_region *r) { unsigned long flags; spin_lock_irqsave(&virtual_region_lock, flags); list_del_rcu(&r->list); spin_unlock_irqrestore(&virtual_region_lock, flags); - /* - * We do not need to invoke call_rcu. - * - * This is due to the fact that on the deletion we have made sure - * to use spinlocks (to guard against somebody else calling - * unregister_virtual_region) and list_deletion spiced with - * memory barrier. - * - * That protects us from corrupting the list as the readers all - * use list_for_each_entry_rcu which is safe against concurrent - * deletions. - */ } +#ifdef CONFIG_LIVEPATCH void unregister_virtual_region(struct virtual_region *r) { - /* Expected to be called from Live Patch - which has IRQs disabled. */ - ASSERT(!local_irq_is_enabled()); - remove_virtual_region(r); + + /* Assert that no CPU might be using the removed region. */ + rcu_barrier(); } -#if defined(CONFIG_LIVEPATCH) && defined(CONFIG_X86) +#ifdef CONFIG_X86 void relax_virtual_region_perms(void) { const struct virtual_region *region; @@ -116,7 +105,8 @@ void tighten_virtual_region_perms(void) PAGE_HYPERVISOR_RX); rcu_read_unlock(&rcu_virtual_region_lock); } -#endif +#endif /* CONFIG_X86 */ +#endif /* CONFIG_LIVEPATCH */ void __init unregister_init_virtual_region(void) { -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:12:06 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:12:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688742.1073237 (Exim 4.92) (envelope-from ) id 1rhSiM-00070A-1t; Tue, 05 Mar 2024 11:12:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688742.1073237; Tue, 05 Mar 2024 11:12:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiL-000702-Vb; Tue, 05 Mar 2024 11:12:05 +0000 Received: by outflank-mailman (input) for mailman id 688742; Tue, 05 Mar 2024 11:12:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiK-0006zm-DH for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiK-0001gI-CV for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSiK-0000Gb-Bi for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CiYQlOZnMsrT6ajcvTgQBA4FU/x9YGMxBozo6fMH72k=; b=FEu/RCqyfxzccEIpBEeDEIV6MD 95law9ouluq325j1FiRqn2yLDz9cKs6jxI06A3zldcBU0qCs3AChkoFhkYF9Xo3ZykYFBZVovlXO1 XKUMD51KD+k4fSekPZ3UuB4u9q4MqkRDUV9DC66R6Wdc5Gx/XHeFhKckDZnQnWncYHRM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/livepatch: search for symbols in all loaded payloads Message-Id: Date: Tue, 05 Mar 2024 11:12:04 +0000 commit 50a8f74df76b7ce7c35ad97a539f505eb0a9baa6 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:53:05 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:53:05 2024 +0100 xen/livepatch: search for symbols in all loaded payloads When checking if an address belongs to a patch, or when resolving a symbol, take into account all loaded livepatch payloads, even if not applied. This is required in order for the pre-apply and post-revert hooks to work properly, or else Xen won't detect the instruction pointer belonging to those hooks as being part of the currently active text. Move the RCU handling to be used for payload_list instead of applied_list, as now the calls from trap code will iterate over the payload_list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: d2daa40fb3ddb8f83e238e57854bd878924cde90 master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 49 +++++++++++++++++-------------------------------- 1 file changed, 17 insertions(+), 32 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index e1964b841a..135c47e9b8 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -36,13 +36,14 @@ * caller in schedule_work. */ static DEFINE_SPINLOCK(payload_lock); -static LIST_HEAD(payload_list); - /* - * Patches which have been applied. Need RCU in case we crash (and then - * traps code would iterate via applied_list) when adding entries on the list. + * Need RCU in case we crash (and then traps code would iterate via + * payload_list) when adding entries on the list. */ -static DEFINE_RCU_READ_LOCK(rcu_applied_lock); +static DEFINE_RCU_READ_LOCK(rcu_payload_lock); +static LIST_HEAD(payload_list); + +/* Patches which have been applied. Only modified from stop machine context. */ static LIST_HEAD(applied_list); static unsigned int payload_cnt; @@ -111,12 +112,8 @@ bool_t is_patch(const void *ptr) const struct payload *data; bool_t r = 0; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( (ptr >= data->rw_addr && ptr < (data->rw_addr + data->rw_size)) || @@ -130,7 +127,7 @@ bool_t is_patch(const void *ptr) } } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return r; } @@ -166,12 +163,8 @@ static const char *cf_check livepatch_symbols_lookup( const void *va = (const void *)addr; const char *n = NULL; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( va < data->text_addr || va >= (data->text_addr + data->text_size) ) @@ -200,7 +193,7 @@ static const char *cf_check livepatch_symbols_lookup( n = data->symtab[best].name; break; } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return n; } @@ -1072,7 +1065,8 @@ static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); unregister_virtual_region(&data->region); - list_del(&data->list); + list_del_rcu(&data->list); + rcu_barrier(); payload_cnt--; payload_version++; free_payload_data(data); @@ -1172,7 +1166,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->applied_list); register_virtual_region(&data->region); - list_add_tail(&data->list, &payload_list); + list_add_tail_rcu(&data->list, &payload_list); payload_cnt++; payload_version++; } @@ -1383,11 +1377,7 @@ static int apply_payload(struct payload *data) static inline void apply_payload_tail(struct payload *data) { - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_add_tail_rcu(&data->applied_list, &applied_list); + list_add_tail(&data->applied_list, &applied_list); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1427,12 +1417,7 @@ static int revert_payload(struct payload *data) static inline void revert_payload_tail(struct payload *data) { - - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_del_rcu(&data->applied_list); + list_del(&data->applied_list); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:12:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:12:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688743.1073243 (Exim 4.92) (envelope-from ) id 1rhSiW-000738-4q; Tue, 05 Mar 2024 11:12:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688743.1073243; Tue, 05 Mar 2024 11:12:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiW-000730-0q; Tue, 05 Mar 2024 11:12:16 +0000 Received: by outflank-mailman (input) for mailman id 688743; Tue, 05 Mar 2024 11:12:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiU-00072n-Hu for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiU-0001gT-H8 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSiU-0000Ip-Ec for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=K2yoRXrQho8fdL2+Ou6xYEnAhbt9blYSEq6/MH3hHnk=; b=fnMVqvgSdSrGOUHjPdBoVwqCmK 1apoHFjhOxNMXqcGzu4hplGLXsF+ncItodnu/C1ntG4mcAwuizQosVzTMx/aoR3E2F/o+FszPWJGH LnCEg6DfzflmRyAloTxZ609mFM9VSWZeld23a2GUvTIPV3QR2ee6btUDYLJYnx5Krnc4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/livepatch: fix norevert test attempt to open-code revert Message-Id: Date: Tue, 05 Mar 2024 11:12:14 +0000 commit d81bfc7ff887426727504086fa363f91bf8c19f8 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:53:13 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:53:13 2024 +0100 xen/livepatch: fix norevert test attempt to open-code revert The purpose of the norevert test is to install a dummy handler that replaces the internal Xen revert code, and then perform the revert in the post-revert hook. For that purpose the usage of the previous common_livepatch_revert() is not enough, as that just reverts specific functions, but not the whole state of the payload. Remove both common_livepatch_{apply,revert}() and instead expose revert_payload{,_tail}() in order to perform the patch revert from the post-revert hook. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: cdae267ce10d04d71d1687b5701ff2911a96b6dc master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 41 +++++++++++++++++++++++--- xen/include/xen/livepatch.h | 32 +++----------------- xen/test/livepatch/xen_action_hooks_norevert.c | 22 ++++---------- 3 files changed, 46 insertions(+), 49 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 135c47e9b8..0cc048fd83 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1366,7 +1366,22 @@ static int apply_payload(struct payload *data) ASSERT(!local_irq_is_enabled()); for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_apply(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* If the action has been already executed on this function, do nothing. */ + if ( state->applied == LIVEPATCH_FUNC_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has been already applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_apply(func, state); + state->applied = LIVEPATCH_FUNC_APPLIED; + } arch_livepatch_revive(); @@ -1382,7 +1397,7 @@ static inline void apply_payload_tail(struct payload *data) data->state = LIVEPATCH_STATE_APPLIED; } -static int revert_payload(struct payload *data) +int revert_payload(struct payload *data) { unsigned int i; int rc; @@ -1397,7 +1412,25 @@ static int revert_payload(struct payload *data) } for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_revert(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* + * If the apply action hasn't been executed on this function, do + * nothing. + */ + if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has not been applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_revert(func, state); + state->applied = LIVEPATCH_FUNC_NOT_APPLIED; + } /* * Since we are running with IRQs disabled and the hooks may call common @@ -1415,7 +1448,7 @@ static int revert_payload(struct payload *data) return 0; } -static inline void revert_payload_tail(struct payload *data) +void revert_payload_tail(struct payload *data) { list_del(&data->applied_list); diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index 537d3d58b6..c9ee58fd37 100644 --- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h @@ -136,35 +136,11 @@ void arch_livepatch_post_action(void); void arch_livepatch_mask(void); void arch_livepatch_unmask(void); -static inline void common_livepatch_apply(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the action has been already executed on this function, do nothing. */ - if ( state->applied == LIVEPATCH_FUNC_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has been already applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_apply(func, state); - state->applied = LIVEPATCH_FUNC_APPLIED; -} +/* Only for testing purposes. */ +struct payload; +int revert_payload(struct payload *data); +void revert_payload_tail(struct payload *data); -static inline void common_livepatch_revert(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the apply action hasn't been executed on this function, do nothing. */ - if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has not been applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_revert(func, state); - state->applied = LIVEPATCH_FUNC_NOT_APPLIED; -} #else /* diff --git a/xen/test/livepatch/xen_action_hooks_norevert.c b/xen/test/livepatch/xen_action_hooks_norevert.c index c173855192..c5fbab1746 100644 --- a/xen/test/livepatch/xen_action_hooks_norevert.c +++ b/xen/test/livepatch/xen_action_hooks_norevert.c @@ -96,26 +96,14 @@ static int revert_hook(livepatch_payload_t *payload) static void post_revert_hook(livepatch_payload_t *payload) { - int i; + unsigned long flags; printk(KERN_DEBUG "%s: Hook starting.\n", __func__); - for (i = 0; i < payload->nfuncs; i++) - { - const struct livepatch_func *func = &payload->funcs[i]; - struct livepatch_fstate *fstate = &payload->fstate[i]; - - BUG_ON(revert_cnt != 1); - BUG_ON(fstate->applied != LIVEPATCH_FUNC_APPLIED); - - /* Outside of quiesce zone: MAY TRIGGER HOST CRASH/UNDEFINED BEHAVIOR */ - arch_livepatch_quiesce(); - common_livepatch_revert(payload); - arch_livepatch_revive(); - BUG_ON(fstate->applied == LIVEPATCH_FUNC_APPLIED); - - printk(KERN_DEBUG "%s: post reverted: %s\n", __func__, func->name); - } + local_irq_save(flags); + BUG_ON(revert_payload(payload)); + revert_payload_tail(payload); + local_irq_restore(flags); printk(KERN_DEBUG "%s: Hook done.\n", __func__); } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:12:26 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:12:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688744.1073245 (Exim 4.92) (envelope-from ) id 1rhSig-00076b-6f; Tue, 05 Mar 2024 11:12:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688744.1073245; Tue, 05 Mar 2024 11:12:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSig-00076U-4E; Tue, 05 Mar 2024 11:12:26 +0000 Received: by outflank-mailman (input) for mailman id 688744; Tue, 05 Mar 2024 11:12:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSie-00076J-Ku for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSie-0001gv-KA for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSie-0000JQ-JI for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ZcUsuzgghcCoxnO092H0eeKtODG5r9Mheq+VYre/ERg=; b=Y/vufHD4ezqSIapVDXHpL+gt9a 3qW4JWcGNkzjAfRabY1H1MubtTdrRgzkUD3nEwVn206oZ6T+99YVjVn30XRh3dpJWHS/8sCWzesEL FtiMMySUcvGHppJJUr+rH6xbQvN2ZaRPfhO2cfOlexKHa2IJgBzo9Am1wITrr9xDUI7U=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen/livepatch: properly build the noapply and norevert tests Message-Id: Date: Tue, 05 Mar 2024 11:12:24 +0000 commit e9516b73e7d499684092c1d345818585403cf190 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:53:22 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:53:22 2024 +0100 xen/livepatch: properly build the noapply and norevert tests It seems the build variables for those tests where copy-pasted from xen_action_hooks_marker-objs and not adjusted to use the correct source files. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: e579677095782c7dec792597ba8b037b7d716b32 master date: 2024-02-28 16:57:25 +0000 --- xen/test/livepatch/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/test/livepatch/Makefile b/xen/test/livepatch/Makefile index c258ab0b59..d987a8367f 100644 --- a/xen/test/livepatch/Makefile +++ b/xen/test/livepatch/Makefile @@ -118,12 +118,12 @@ xen_action_hooks_marker-objs := xen_action_hooks_marker.o xen_hello_world_func.o $(obj)/xen_action_hooks_noapply.o: $(obj)/config.h extra-y += xen_action_hooks_noapply.livepatch -xen_action_hooks_noapply-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_noapply-objs := xen_action_hooks_noapply.o xen_hello_world_func.o note.o xen_note.o $(obj)/xen_action_hooks_norevert.o: $(obj)/config.h extra-y += xen_action_hooks_norevert.livepatch -xen_action_hooks_norevert-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_norevert-objs := xen_action_hooks_norevert.o xen_hello_world_func.o note.o xen_note.o EXPECT_BYTES_COUNT := 8 CODE_GET_EXPECT=$(shell $(OBJDUMP) -d --insn-width=1 $(1) | sed -n -e '/<'$(2)'>:$$/,/^$$/ p' | tail -n +2 | head -n $(EXPECT_BYTES_COUNT) | awk '{$$0=$$2; printf "%s", substr($$0,length-1)}' | sed 's/.\{2\}/0x&,/g' | sed 's/^/{/;s/,$$/}/g') -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:12:36 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:12:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688745.1073251 (Exim 4.92) (envelope-from ) id 1rhSiq-00079V-9I; Tue, 05 Mar 2024 11:12:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688745.1073251; Tue, 05 Mar 2024 11:12:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiq-00079M-5g; Tue, 05 Mar 2024 11:12:36 +0000 Received: by outflank-mailman (input) for mailman id 688745; Tue, 05 Mar 2024 11:12:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSio-00078y-OE for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSio-0001h8-NU for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSio-0000Jr-MZ for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zYkyDGKn6ibGfQ/UAviE0+8Vof7qjUNNswJu3L6CZHA=; b=dehCvYK46D+NO0kMeUE34IVJnt 5w737mt1086/07MAp78e8UlYQpgLePTykiYUpsdgwZIcUh/DV6qKPhU59LU4ercBIVFssc8OdfJOD lVhucxHke59dHrIF58RbokauUp7qB03N71jsg4Mn5JOQmX3n6FOIyFUvt+PUWDfg0HV4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] libxl: Fix segfault in device_model_spawn_outcome Message-Id: Date: Tue, 05 Mar 2024 11:12:34 +0000 commit 267845a8389d5d34edb2b38a1972f32f51f70b4e Author: Jason Andryuk AuthorDate: Tue Mar 5 11:54:12 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:54:12 2024 +0100 libxl: Fix segfault in device_model_spawn_outcome libxl__spawn_qdisk_backend() explicitly sets guest_config to NULL when starting QEMU (the usual launch through libxl__spawn_local_dm() has a guest_config though). Bail early on a NULL guest_config/d_config. This skips the QMP queries for chardevs and VNC, but this xenpv QEMU instance isn't expected to provide those - only qdisk (or 9pfs backends after an upcoming change). Signed-off-by: Jason Andryuk Acked-by: Anthony PERARD master commit: d4f3d35f043f6ef29393166b0dd131c8102cf255 master date: 2024-02-29 08:18:38 +0100 --- tools/libs/light/libxl_dm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c index ed620a9d8e..29b43ed20a 100644 --- a/tools/libs/light/libxl_dm.c +++ b/tools/libs/light/libxl_dm.c @@ -3172,8 +3172,8 @@ static void device_model_spawn_outcome(libxl__egc *egc, /* Check if spawn failed */ if (rc) goto out; - - if (d_config->b_info.device_model_version + /* d_config is NULL for xl devd/libxl__spawn_qemu_xenpv_backend(). */ + if (d_config && d_config->b_info.device_model_version == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN) { rc = libxl__ev_time_register_rel(ao, &dmss->timeout, devise_model_postconfig_timeout, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:12:46 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:12:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688746.1073255 (Exim 4.92) (envelope-from ) id 1rhSj0-0007By-AO; Tue, 05 Mar 2024 11:12:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688746.1073255; Tue, 05 Mar 2024 11:12:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSj0-0007Bp-76; Tue, 05 Mar 2024 11:12:46 +0000 Received: by outflank-mailman (input) for mailman id 688746; Tue, 05 Mar 2024 11:12:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiy-0007Bd-T8 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSiy-0001hN-SO for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSiy-0000KZ-Pb for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=HbX1gxB2rHKmHHR8337vzt6U3/5ZdAmVyXzZVf7lVsE=; b=y7cKpAI8orfU8DEDFBDtcLoGzL /iPBv0AixOfqs1q1U3W+/gjmI5hAvUBD4A562HNgM42I1yDcpYuM+S4GCYFaDz5gUmICuUoR+DEVj ind9F1xy0sSBYNXC4RsB+TX403eiJchrSy5P6bwoVChNnKTN19kNQ2eB3PXoDfnNHM0o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/altcall: always use a temporary parameter stashing variable Message-Id: Date: Tue, 05 Mar 2024 11:12:44 +0000 commit 75221fb0f87e4d7278b0a540bc28a6d0b74afeba Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:54:33 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:54:33 2024 +0100 x86/altcall: always use a temporary parameter stashing variable The usage in ALT_CALL_ARG() on clang of: register union { typeof(arg) e; const unsigned long r; } ... When `arg` is the first argument to alternative_{,v}call() and const_vlapic_vcpu() is used results in clang 3.5.0 complaining with: arch/x86/hvm/vlapic.c:141:47: error: non-const static data member must be initialized out of line alternative_call(hvm_funcs.test_pir, const_vlapic_vcpu(vlapic), vec) ) Workaround this by pulling `arg1` into a local variable, like it's done for further arguments (arg2, arg3...) Originally arg1 wasn't pulled into a variable because for the a1_ register local variable the possible clobbering as a result of operators on other variables don't matter: https://gcc.gnu.org/onlinedocs/gcc/Local-Register-Variables.html#Local-Register-Variables Note clang version 3.8.1 seems to already be fixed and don't require the workaround, but since it's harmless do it uniformly everywhere. Reported-by: Andrew Cooper Fixes: 2ce562b2a413 ('x86/altcall: use a union as register type for function parameters on clang') Signed-off-by: Roger Pau Monné Acked-by: Jan Beulich master commit: c20850540ad6a32f4fc17bde9b01c92b0df18bf0 master date: 2024-02-29 08:21:49 +0100 --- xen/arch/x86/include/asm/alternative.h | 36 ++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/xen/arch/x86/include/asm/alternative.h b/xen/arch/x86/include/asm/alternative.h index 3c14db5078..0d3697f1de 100644 --- a/xen/arch/x86/include/asm/alternative.h +++ b/xen/arch/x86/include/asm/alternative.h @@ -253,21 +253,24 @@ extern void alternative_branches(void); }) #define alternative_vcall1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ (void)sizeof(func(arg)); \ (void)alternative_callN(1, int, func); \ }) #define alternative_call1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ alternative_callN(1, typeof(func(arg)), func); \ }) #define alternative_vcall2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ (void)sizeof(func(arg1, arg2)); \ @@ -275,17 +278,19 @@ extern void alternative_branches(void); }) #define alternative_call2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ alternative_callN(2, typeof(func(arg1, arg2)), func); \ }) #define alternative_vcall3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -294,9 +299,10 @@ extern void alternative_branches(void); }) #define alternative_call3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -305,10 +311,11 @@ extern void alternative_branches(void); }) #define alternative_vcall4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -318,10 +325,11 @@ extern void alternative_branches(void); }) #define alternative_call4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -332,11 +340,12 @@ extern void alternative_branches(void); }) #define alternative_vcall5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -347,11 +356,12 @@ extern void alternative_branches(void); }) #define alternative_call5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -363,12 +373,13 @@ extern void alternative_branches(void); }) #define alternative_vcall6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -379,12 +390,13 @@ extern void alternative_branches(void); }) #define alternative_call6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:12:56 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:12:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688747.1073257 (Exim 4.92) (envelope-from ) id 1rhSjA-0007Ex-B3; Tue, 05 Mar 2024 11:12:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688747.1073257; Tue, 05 Mar 2024 11:12:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjA-0007Eq-8X; Tue, 05 Mar 2024 11:12:56 +0000 Received: by outflank-mailman (input) for mailman id 688747; Tue, 05 Mar 2024 11:12:55 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSj8-0007Ed-W7 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSj8-0001ha-VQ for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSj8-0000L7-Ue for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:12:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Okj+Ci4XRo1YGdoWP3j9ExCgYSBm3GNiKq8TSb4CF74=; b=zAYLJqP1PB0PZx7S5zvMEhAgb/ vd39Kj5Y3lxEflzZtOVATgZ4yfY4g65HnuiOOn71HoJIB+Zc9BdvdugzPzLVASB+nNbOhNZGWO3ja vNhd8w6DZv4PFz1uoLj8FVzeOdw5jmuM2hIObsglLMbKuCYdyxn4kXwIaDeyFKhWQqi0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Tue, 05 Mar 2024 11:12:54 +0000 commit fd7cb7a1d0433049d8fc59444d0e91b71728763e Author: Andrew Cooper AuthorDate: Tue Mar 5 11:55:17 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:55:17 2024 +0100 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné master commit: de17162cafd27f2865a3102a2ec0f386a02ed03d master date: 2024-03-01 20:14:19 +0000 --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/arch/x86/include/asm/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index bcb17b7ce3..c7c5e99b7b 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -442,6 +442,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -476,6 +486,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index 06e1dd7f33..76ef2aeb1d 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -177,6 +177,7 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 6b6ce2745c..337aaa9c77 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -262,7 +262,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single XEN_CPUFEATURE(FSRM, 9*32+ 4) /*A Fast Short REP MOVS */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ @@ -329,7 +329,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:13:07 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:13:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688748.1073261 (Exim 4.92) (envelope-from ) id 1rhSjL-0007Hn-DO; Tue, 05 Mar 2024 11:13:07 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688748.1073261; Tue, 05 Mar 2024 11:13:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjL-0007Hg-AD; Tue, 05 Mar 2024 11:13:07 +0000 Received: by outflank-mailman (input) for mailman id 688748; Tue, 05 Mar 2024 11:13:05 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjJ-0007HT-FQ for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:05 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjJ-0001hz-Ei for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:05 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSjJ-0000O6-Dp for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:05 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cIqxGX5z5UZXc5605TwGeqLh/YSxPFhP7gIcjrYSEAI=; b=H8hVigbylqxCEoe4+qHNFUwZ14 q1qjZJeINz80Pysz+bukCZBbemAruf2zAke6ehCMq507F5Du8MeJrYoQ2NSdnLV4PFfUs6Pi2q824 8RlU6Hpv1ffciHv8bwv+B2sDwdfjzhbkfqfYQavaljkwrdAE7ZL66aYrQLcpgvUhyF+g=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware Message-Id: Date: Tue, 05 Mar 2024 11:13:05 +0000 commit 9c0d518eb8dc69430e6a8d767bd101dad19b846a Author: Jan Beulich AuthorDate: Tue Mar 5 11:56:31 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:56:31 2024 +0100 x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware ... or we fail to enable the functionality on the BSP for other reasons. The only place where hardware announcing the feature is recorded is the raw CPU policy/featureset. Inspired by https://lore.kernel.org/all/20230921114940.957141-1-pbonzini@redhat.com/. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné master commit: 0b5f149338e35a795bf609ce584640b0977f9e6c master date: 2024-01-09 14:06:34 +0100 --- xen/arch/x86/hvm/svm/svm.c | 1 + xen/arch/x86/hvm/vmx/vmcs.c | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index fd32600ae3..3c17464550 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -1669,6 +1669,7 @@ const struct hvm_function_table * __init start_svm(void) if ( _svm_cpu_up(true) ) { + setup_clear_cpu_cap(X86_FEATURE_SVM); printk("SVM: failed to initialise.\n"); return NULL; } diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c index bcbecc6945..b5ecc51b43 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -2163,6 +2163,23 @@ int __init vmx_vmcs_init(void) if ( !ret ) register_keyhandler('v', vmcs_dump, "dump VT-x VMCSs", 1); + else + { + setup_clear_cpu_cap(X86_FEATURE_VMX); + + /* + * _vmx_vcpu_up() may have made it past feature identification. + * Make sure all dependent features are off as well. + */ + vmx_basic_msr = 0; + vmx_pin_based_exec_control = 0; + vmx_cpu_based_exec_control = 0; + vmx_secondary_exec_control = 0; + vmx_vmexit_control = 0; + vmx_vmentry_control = 0; + vmx_ept_vpid_cap = 0; + vmx_vmfunc = 0; + } return ret; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:13:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:13:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688749.1073265 (Exim 4.92) (envelope-from ) id 1rhSjU-0007MS-Ft; Tue, 05 Mar 2024 11:13:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688749.1073265; Tue, 05 Mar 2024 11:13:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjU-0007ML-DQ; Tue, 05 Mar 2024 11:13:16 +0000 Received: by outflank-mailman (input) for mailman id 688749; Tue, 05 Mar 2024 11:13:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjT-0007LO-I7 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjT-0001iH-HV for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:15 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSjT-0000Oh-Go for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:15 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hNujAr98XlFylbcPZjrieVSard5Js018em4SmvnhGGA=; b=yAJWl75b13WBXVygNB8NyIc/Jl 6ykyrkt9a6/aou5PZfY+SmgNuJlJAFgEpvXUD2KUM7jiVrPf5n+SUjD0xIeM516CZOxp6lu/hHnrx +RdA0fAq3H65NjalrKFLWvUJhrA0lUtlYjBOLQSTsQqhZYrUgq3DLb0/N8Udpbs3xMkA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/sched: Fix UB shift in compat_set_timer_op() Message-Id: Date: Tue, 05 Mar 2024 11:13:15 +0000 commit b75bee183210318150e678e14b35224d7c73edb6 Author: Andrew Cooper AuthorDate: Tue Mar 5 11:57:02 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:57:02 2024 +0100 xen/sched: Fix UB shift in compat_set_timer_op() Tamas reported this UBSAN failure from fuzzing: (XEN) ================================================================================ (XEN) UBSAN: Undefined behaviour in common/sched/compat.c:48:37 (XEN) left shift of negative value -2147425536 (XEN) ----[ Xen-4.19-unstable x86_64 debug=y ubsan=y Not tainted ]---- ... (XEN) Xen call trace: (XEN) [] R ubsan.c#ubsan_epilogue+0xa/0xd9 (XEN) [] F __ubsan_handle_shift_out_of_bounds+0x11a/0x1c5 (XEN) [] F compat_set_timer_op+0x41/0x43 (XEN) [] F hvm_do_multicall_call+0x77f/0xa75 (XEN) [] F arch_do_multicall_call+0xec/0xf1 (XEN) [] F do_multicall+0x1dc/0xde3 (XEN) [] F hvm_hypercall+0xa00/0x149a (XEN) [] F vmx_vmexit_handler+0x1596/0x279c (XEN) [] F vmx_asm_vmexit_handler+0xdb/0x200 Left-shifting any negative value is strictly undefined behaviour in C, and the two parameters here come straight from the guest. The fuzzer happened to choose lo 0xf, hi 0x8000e300. Switch everything to be unsigned values, making the shift well defined. As GCC documents: As an extension to the C language, GCC does not use the latitude given in C99 and C11 only to treat certain aspects of signed '<<' as undefined. However, -fsanitize=shift (and -fsanitize=undefined) will diagnose such cases. this was deemed not to need an XSA. Note: The unsigned -> signed conversion for do_set_timer_op()'s s_time_t parameter is also well defined. C makes it implementation defined, and GCC defines it as reduction modulo 2^N to be within range of the new type. Fixes: 2942f45e09fb ("Enable compatibility mode operation for HYPERVISOR_sched_op and HYPERVISOR_set_timer_op.") Reported-by: Tamas K Lengyel Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: ae6d4fd876765e6d623eec67d14f5d0464be09cb master date: 2024-02-01 19:52:44 +0000 --- xen/common/sched/compat.c | 4 ++-- xen/include/hypercall-defs.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/sched/compat.c b/xen/common/sched/compat.c index 040b4caca2..b827fdecb8 100644 --- a/xen/common/sched/compat.c +++ b/xen/common/sched/compat.c @@ -39,9 +39,9 @@ static int compat_poll(struct compat_sched_poll *compat) #include "core.c" -int compat_set_timer_op(u32 lo, s32 hi) +int compat_set_timer_op(uint32_t lo, uint32_t hi) { - return do_set_timer_op(((s64)hi << 32) | lo); + return do_set_timer_op(((uint64_t)hi << 32) | lo); } /* diff --git a/xen/include/hypercall-defs.c b/xen/include/hypercall-defs.c index 1896121074..c442dee284 100644 --- a/xen/include/hypercall-defs.c +++ b/xen/include/hypercall-defs.c @@ -127,7 +127,7 @@ xenoprof_op(int op, void *arg) #ifdef CONFIG_COMPAT prefix: compat -set_timer_op(uint32_t lo, int32_t hi) +set_timer_op(uint32_t lo, uint32_t hi) multicall(multicall_entry_compat_t *call_list, uint32_t nr_calls) memory_op(unsigned int cmd, void *arg) #ifdef CONFIG_IOREQ_SERVER -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:13:26 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:13:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688750.1073270 (Exim 4.92) (envelope-from ) id 1rhSje-0007P7-Ht; Tue, 05 Mar 2024 11:13:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688750.1073270; Tue, 05 Mar 2024 11:13:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSje-0007Oz-Et; Tue, 05 Mar 2024 11:13:26 +0000 Received: by outflank-mailman (input) for mailman id 688750; Tue, 05 Mar 2024 11:13:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjd-0007Op-L9 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjd-0001ih-KT for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSjd-0000P8-Jj for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:25 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3MNuMSL/e3JwhRiDyBwRVLCpYfodIvkukBkxQvwa2LY=; b=T8amaCWdpS+991K5WlLbqt/Hyt o0TnG3pyRdtQstvBedV5pRTJ3UAod5EhNHMjeTD625G/EVDBsGETwYKdjifhh7iyXF5SHABeWY8/F kUhFD5zYJCqeLeq3idcExNxPqn7wf0TBoS42bS3X65Gp4EHv2glGoiyMpH1Lli/O7FoE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/spec: print the built-in SPECULATIVE_HARDEN_* options Message-Id: Date: Tue, 05 Mar 2024 11:13:25 +0000 commit 76ea2aab3652cc34e474de0905f0a9cd4df7d087 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:57:41 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:57:41 2024 +0100 x86/spec: print the built-in SPECULATIVE_HARDEN_* options Just like it's done for INDIRECT_THUNK and SHADOW_PAGING. Reported-by: Jan Beulich Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 6e9507f7d51fe49df8bc70f83e49ce06c92e4e54 master date: 2024-02-27 14:57:52 +0100 --- xen/arch/x86/spec_ctrl.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 661716d695..93f1cf3bb5 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -488,13 +488,25 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ - if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY + " HARDEN_ARRAY" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH + " HARDEN_BRANCH" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS + " HARDEN_GUEST_ACCESS" #endif "\n"); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:13:36 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:13:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688751.1073274 (Exim 4.92) (envelope-from ) id 1rhSjo-0007Rh-Iy; Tue, 05 Mar 2024 11:13:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688751.1073274; Tue, 05 Mar 2024 11:13:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjo-0007RZ-GK; Tue, 05 Mar 2024 11:13:36 +0000 Received: by outflank-mailman (input) for mailman id 688751; Tue, 05 Mar 2024 11:13:35 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjn-0007RT-OL for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:35 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjn-0001ip-Nb for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:35 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSjn-0000Ps-Mt for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8zAlyhpvSKBzSk2h4IFwilHX9HTW34BXPUpCHLgPD0k=; b=rmBXKOGypGyFMEZbaufK4o+j+c cwMAjVdoBd7ZcS2PunkO9zX4AyKKs3CSqZAmOOfwZ1/7+BcmV3FwsRCtbSPo4ADCe40ED8luviE6U cbzLcasdztF8MwqNT9Ug6P/B4FTT6jWaVWMhpO6Uu5BWU6BajqE2FaPJF8wSE0GtQ6n8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled Message-Id: Date: Tue, 05 Mar 2024 11:13:35 +0000 commit 693455c3c370e535eb6cd065800ff91e147815fa Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:58:04 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:58:04 2024 +0100 x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled Attempt to provide a more helpful error message when the user attempts to set spec-ctrl=bti-thunk option but the support is build-time disabled. While there also adjust the command line documentation to mention CONFIG_INDIRECT_THUNK instead of INDIRECT_THUNK. Reported-by: Andrew Cooper Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 8441fa806a3b778867867cd0159fa1722e90397e master date: 2024-02-27 14:58:20 +0100 --- docs/misc/xen-command-line.pandoc | 10 +++++----- xen/arch/x86/spec_ctrl.c | 7 ++++++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 05f613c71c..2006697226 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2378,11 +2378,11 @@ guests to use. performance reasons dom0 is unprotected by default. If it is necessary to protect dom0 too, boot with `spec-ctrl=ibpb-entry`. -If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to -select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` -locations. The default thunk is `retpoline` (generally preferred), with the -alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and -`lfence` (an `lfence; jmp *%reg` gadget). +If Xen was compiled with `CONFIG_INDIRECT_THUNK` support, `bti-thunk=` can be +used to select which of the thunks gets patched into the +`__x86_indirect_thunk_%reg` locations. The default thunk is `retpoline` +(generally preferred), with the alternatives being `jmp` (a `jmp *%reg` gadget, +minimal overhead), and `lfence` (an `lfence; jmp *%reg` gadget). On hardware supporting IBRS (Indirect Branch Restricted Speculation), the `ibrs=` option can be used to force or prevent Xen using the feature itself. diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 93f1cf3bb5..098fa3184d 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -253,7 +253,12 @@ static int __init cf_check parse_spec_ctrl(const char *s) { s += 10; - if ( !cmdline_strcmp(s, "retpoline") ) + if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) ) + { + no_config_param("INDIRECT_THUNK", "spec-ctrl", s - 10, ss); + rc = -EINVAL; + } + else if ( !cmdline_strcmp(s, "retpoline") ) opt_thunk = THUNK_RETPOLINE; else if ( !cmdline_strcmp(s, "lfence") ) opt_thunk = THUNK_LFENCE; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:13:46 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:13:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688752.1073278 (Exim 4.92) (envelope-from ) id 1rhSjy-0007US-KV; Tue, 05 Mar 2024 11:13:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688752.1073278; Tue, 05 Mar 2024 11:13:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjy-0007UK-Hp; Tue, 05 Mar 2024 11:13:46 +0000 Received: by outflank-mailman (input) for mailman id 688752; Tue, 05 Mar 2024 11:13:45 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjx-0007UB-R9 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:45 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSjx-0001iy-QT for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:45 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSjx-0000Qa-Po for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:45 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vHzeKZTpxZvx0roMUEfUfsq7tt5916Y0wnE8cuGfSLw=; b=Aj36VLTMN8h4HAswsKGxmhN5pp 1/y8QtPVZ2HG0lg5IPkDXFR7a1uoOD2PglikoOvShWX32Blwz4DvofSzE9zHvlXIc5fKBaq4hsh3/ C5wZZOleWRQu510D5eyNAoeApe5ig9eMaFy6/igmztTb/TON/0luVYblmwCHZfo0adyY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/spec: do not print thunk option selection if not built-in Message-Id: Date: Tue, 05 Mar 2024 11:13:45 +0000 commit 0ce25b46ab2fb53a1b58f7682ca14971453f4f2c Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:58:36 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:58:36 2024 +0100 x86/spec: do not print thunk option selection if not built-in Since the thunk built-in enable is printed as part of the "Compiled-in support:" line, avoid printing anything in "Xen settings:" if the thunk is disabled at build time. Note the BTI-Thunk option printing is also adjusted to print a colon in the same way the other options on the line do. Requested-by: Jan Beulich Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 576528a2a742069af203e90c613c5c93e23c9755 master date: 2024-02-27 14:58:40 +0100 --- xen/arch/x86/spec_ctrl.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 098fa3184d..25a18ac598 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -516,11 +516,12 @@ static void __init print_details(enum ind_thunk thunk) "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", - thunk == THUNK_NONE ? "N/A" : - thunk == THUNK_RETPOLINE ? "RETPOLINE" : - thunk == THUNK_LFENCE ? "LFENCE" : - thunk == THUNK_JMP ? "JMP" : "?", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + thunk != THUNK_NONE ? "BTI-Thunk: " : "", + thunk == THUNK_NONE ? "" : + thunk == THUNK_RETPOLINE ? "RETPOLINE, " : + thunk == THUNK_LFENCE ? "LFENCE, " : + thunk == THUNK_JMP ? "JMP, " : "?, ", (!boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBRS)) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:13:56 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:13:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688753.1073282 (Exim 4.92) (envelope-from ) id 1rhSk8-0007XO-Lm; Tue, 05 Mar 2024 11:13:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688753.1073282; Tue, 05 Mar 2024 11:13:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSk8-0007XH-JJ; Tue, 05 Mar 2024 11:13:56 +0000 Received: by outflank-mailman (input) for mailman id 688753; Tue, 05 Mar 2024 11:13:55 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSk7-0007X7-Tt for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:55 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSk7-0001jB-TF for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:55 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSk7-0000R1-Sb for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:13:55 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cTCEAG373MNTwv8X3O0SPF+RCQJAPLomvEZi3V3MqUM=; b=ORYbS/95logmij3+uLvOEYUUFR dVImF/Phk4mQ5ce9IBtm5pLsvVUkc3Le5OxiAceqKK7lcxoyRbW2wGmj4W79CRk6ArvkpU/c3JyJa ILe8KhD4Tvc7T+t1NafDSYnXEijgjCUdS78mtBnGHCfPOntq9n4cf4BXCbARag47CuVw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/livepatch: register livepatch regions when loaded Message-Id: Date: Tue, 05 Mar 2024 11:13:55 +0000 commit b11917de0cd261a878beaf50c18a689bde0b2f50 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:59:26 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:59:26 2024 +0100 xen/livepatch: register livepatch regions when loaded Currently livepatch regions are registered as virtual regions only after the livepatch has been applied. This can lead to issues when using the pre-apply or post-revert hooks, as at that point the livepatch is not in the virtual regions list. If a livepatch pre-apply hook contains a WARN() it would trigger an hypervisor crash, as the code to handle the bug frame won't be able to find the instruction pointer that triggered the #UD in any of the registered virtual regions, and hence crash. Fix this by adding the livepatch payloads as virtual regions as soon as loaded, and only remove them once the payload is unloaded. This requires some changes to the virtual regions code, as the removal of the virtual regions is no longer done in stop machine context, and hence an RCU barrier is added in order to make sure there are no users of the virtual region after it's been removed from the list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: a57b4074ab39bee78b6c116277f0a9963bd8e687 master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 4 ++-- xen/common/virtual_region.c | 44 +++++++++++++++++--------------------------- 2 files changed, 19 insertions(+), 29 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index c2ae84d18b..537e9f33e4 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1015,6 +1015,7 @@ static int build_symbol_table(struct payload *payload, static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); + unregister_virtual_region(&data->region); list_del(&data->list); payload_cnt--; payload_version++; @@ -1114,6 +1115,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->list); INIT_LIST_HEAD(&data->applied_list); + register_virtual_region(&data->region); list_add_tail(&data->list, &payload_list); payload_cnt++; payload_version++; @@ -1330,7 +1332,6 @@ static inline void apply_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_add_tail_rcu(&data->applied_list, &applied_list); - register_virtual_region(&data->region); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1376,7 +1377,6 @@ static inline void revert_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_del_rcu(&data->applied_list); - unregister_virtual_region(&data->region); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index 5f89703f51..9f12c30efe 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -23,14 +23,8 @@ static struct virtual_region core_init __initdata = { }; /* - * RCU locking. Additions are done either at startup (when there is only - * one CPU) or when all CPUs are running without IRQs. - * - * Deletions are bit tricky. We do it when Live Patch (all CPUs running - * without IRQs) or during bootup (when clearing the init). - * - * Hence we use list_del_rcu (which sports an memory fence) and a spinlock - * on deletion. + * RCU locking. Modifications to the list must be done in exclusive mode, and + * hence need to hold the spinlock. * * All readers of virtual_region_list MUST use list_for_each_entry_rcu. */ @@ -58,41 +52,36 @@ const struct virtual_region *find_text_region(unsigned long addr) void register_virtual_region(struct virtual_region *r) { - ASSERT(!local_irq_is_enabled()); + unsigned long flags; + spin_lock_irqsave(&virtual_region_lock, flags); list_add_tail_rcu(&r->list, &virtual_region_list); + spin_unlock_irqrestore(&virtual_region_lock, flags); } -static void remove_virtual_region(struct virtual_region *r) +/* + * Suggest inline so when !CONFIG_LIVEPATCH the function is not left + * unreachable after init code is removed. + */ +static void inline remove_virtual_region(struct virtual_region *r) { unsigned long flags; spin_lock_irqsave(&virtual_region_lock, flags); list_del_rcu(&r->list); spin_unlock_irqrestore(&virtual_region_lock, flags); - /* - * We do not need to invoke call_rcu. - * - * This is due to the fact that on the deletion we have made sure - * to use spinlocks (to guard against somebody else calling - * unregister_virtual_region) and list_deletion spiced with - * memory barrier. - * - * That protects us from corrupting the list as the readers all - * use list_for_each_entry_rcu which is safe against concurrent - * deletions. - */ } +#ifdef CONFIG_LIVEPATCH void unregister_virtual_region(struct virtual_region *r) { - /* Expected to be called from Live Patch - which has IRQs disabled. */ - ASSERT(!local_irq_is_enabled()); - remove_virtual_region(r); + + /* Assert that no CPU might be using the removed region. */ + rcu_barrier(); } -#if defined(CONFIG_LIVEPATCH) && defined(CONFIG_X86) +#ifdef CONFIG_X86 void relax_virtual_region_perms(void) { const struct virtual_region *region; @@ -116,7 +105,8 @@ void tighten_virtual_region_perms(void) PAGE_HYPERVISOR_RX); rcu_read_unlock(&rcu_virtual_region_lock); } -#endif +#endif /* CONFIG_X86 */ +#endif /* CONFIG_LIVEPATCH */ void __init unregister_init_virtual_region(void) { -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:14:06 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:14:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688754.1073286 (Exim 4.92) (envelope-from ) id 1rhSkI-0007a0-NT; Tue, 05 Mar 2024 11:14:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688754.1073286; Tue, 05 Mar 2024 11:14:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkI-0007Zs-Kk; Tue, 05 Mar 2024 11:14:06 +0000 Received: by outflank-mailman (input) for mailman id 688754; Tue, 05 Mar 2024 11:14:06 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkI-0007Zg-0w for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:06 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkI-0001jZ-0J for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:06 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSkH-0000SH-VQ for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:05 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4cmMrvcK4W+JUS3YOt+tH87szPCmZ3XEplmNiZpjxi8=; b=Od0nVL0pCpH11KjBErFOfybwvd xcchXNEc/BFPJBvZpELlV0JJTLKHBXU8A1gLT0+68n84Rctc8l2QVtuIForPLl6hMq0DxNAtLL6wx uwP+NiYDomkBBuM3Y4QxHeUFiAoABMbRWKM82OSFsMlKiQz7O6TCmX4f41S0/+MlSih0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/livepatch: search for symbols in all loaded payloads Message-Id: Date: Tue, 05 Mar 2024 11:14:05 +0000 commit c54cf903b06fb1933fad053cc547580c92c856ea Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:59:35 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:59:35 2024 +0100 xen/livepatch: search for symbols in all loaded payloads When checking if an address belongs to a patch, or when resolving a symbol, take into account all loaded livepatch payloads, even if not applied. This is required in order for the pre-apply and post-revert hooks to work properly, or else Xen won't detect the instruction pointer belonging to those hooks as being part of the currently active text. Move the RCU handling to be used for payload_list instead of applied_list, as now the calls from trap code will iterate over the payload_list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: d2daa40fb3ddb8f83e238e57854bd878924cde90 master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 49 +++++++++++++++++-------------------------------- 1 file changed, 17 insertions(+), 32 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 537e9f33e4..a129ab9973 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -36,13 +36,14 @@ * caller in schedule_work. */ static DEFINE_SPINLOCK(payload_lock); -static LIST_HEAD(payload_list); - /* - * Patches which have been applied. Need RCU in case we crash (and then - * traps code would iterate via applied_list) when adding entries on the list. + * Need RCU in case we crash (and then traps code would iterate via + * payload_list) when adding entries on the list. */ -static DEFINE_RCU_READ_LOCK(rcu_applied_lock); +static DEFINE_RCU_READ_LOCK(rcu_payload_lock); +static LIST_HEAD(payload_list); + +/* Patches which have been applied. Only modified from stop machine context. */ static LIST_HEAD(applied_list); static unsigned int payload_cnt; @@ -111,12 +112,8 @@ bool_t is_patch(const void *ptr) const struct payload *data; bool_t r = 0; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( (ptr >= data->rw_addr && ptr < (data->rw_addr + data->rw_size)) || @@ -130,7 +127,7 @@ bool_t is_patch(const void *ptr) } } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return r; } @@ -166,12 +163,8 @@ static const char *cf_check livepatch_symbols_lookup( const void *va = (const void *)addr; const char *n = NULL; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( va < data->text_addr || va >= (data->text_addr + data->text_size) ) @@ -200,7 +193,7 @@ static const char *cf_check livepatch_symbols_lookup( n = data->symtab[best].name; break; } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return n; } @@ -1016,7 +1009,8 @@ static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); unregister_virtual_region(&data->region); - list_del(&data->list); + list_del_rcu(&data->list); + rcu_barrier(); payload_cnt--; payload_version++; free_payload_data(data); @@ -1116,7 +1110,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->applied_list); register_virtual_region(&data->region); - list_add_tail(&data->list, &payload_list); + list_add_tail_rcu(&data->list, &payload_list); payload_cnt++; payload_version++; } @@ -1327,11 +1321,7 @@ static int apply_payload(struct payload *data) static inline void apply_payload_tail(struct payload *data) { - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_add_tail_rcu(&data->applied_list, &applied_list); + list_add_tail(&data->applied_list, &applied_list); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1371,12 +1361,7 @@ static int revert_payload(struct payload *data) static inline void revert_payload_tail(struct payload *data) { - - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_del_rcu(&data->applied_list); + list_del(&data->applied_list); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:14:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:14:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688755.1073291 (Exim 4.92) (envelope-from ) id 1rhSkS-0007dM-Ql; Tue, 05 Mar 2024 11:14:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688755.1073291; Tue, 05 Mar 2024 11:14:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkS-0007dA-Nl; Tue, 05 Mar 2024 11:14:16 +0000 Received: by outflank-mailman (input) for mailman id 688755; Tue, 05 Mar 2024 11:14:16 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkS-0007d2-3n for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:16 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkS-0001lX-3A for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:16 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSkS-0000TN-2T for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:16 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gyNfzmTC53H/2jS2B9Mu61lo2Na0OTy8H/lx3qHhgX4=; b=y1yfAV76IWbgIVrEBTtQc4C2vX qF5ntNWRuSsMK1J60v1ufQ2pfpp6iaXjAyY+h7pLqjJfhfcEOk9I3ef7/Wx7SCzt9ufF4fr8Stjau d/9jN4FhgbIF9xswiuxcQCbudOix0wruRoWRoy/69gJQ9PPrGJyJu7N0hzMqppzF9za0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/livepatch: fix norevert test attempt to open-code revert Message-Id: Date: Tue, 05 Mar 2024 11:14:16 +0000 commit 5564323f643715f9d364df88e0eb9c7d6fd2c22b Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:59:43 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:59:43 2024 +0100 xen/livepatch: fix norevert test attempt to open-code revert The purpose of the norevert test is to install a dummy handler that replaces the internal Xen revert code, and then perform the revert in the post-revert hook. For that purpose the usage of the previous common_livepatch_revert() is not enough, as that just reverts specific functions, but not the whole state of the payload. Remove both common_livepatch_{apply,revert}() and instead expose revert_payload{,_tail}() in order to perform the patch revert from the post-revert hook. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: cdae267ce10d04d71d1687b5701ff2911a96b6dc master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 41 +++++++++++++++++++++++--- xen/include/xen/livepatch.h | 32 +++----------------- xen/test/livepatch/xen_action_hooks_norevert.c | 22 ++++---------- 3 files changed, 46 insertions(+), 49 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index a129ab9973..a5068a2217 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1310,7 +1310,22 @@ static int apply_payload(struct payload *data) ASSERT(!local_irq_is_enabled()); for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_apply(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* If the action has been already executed on this function, do nothing. */ + if ( state->applied == LIVEPATCH_FUNC_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has been already applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_apply(func, state); + state->applied = LIVEPATCH_FUNC_APPLIED; + } arch_livepatch_revive(); @@ -1326,7 +1341,7 @@ static inline void apply_payload_tail(struct payload *data) data->state = LIVEPATCH_STATE_APPLIED; } -static int revert_payload(struct payload *data) +int revert_payload(struct payload *data) { unsigned int i; int rc; @@ -1341,7 +1356,25 @@ static int revert_payload(struct payload *data) } for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_revert(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* + * If the apply action hasn't been executed on this function, do + * nothing. + */ + if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has not been applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_revert(func, state); + state->applied = LIVEPATCH_FUNC_NOT_APPLIED; + } /* * Since we are running with IRQs disabled and the hooks may call common @@ -1359,7 +1392,7 @@ static int revert_payload(struct payload *data) return 0; } -static inline void revert_payload_tail(struct payload *data) +void revert_payload_tail(struct payload *data) { list_del(&data->applied_list); diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index 537d3d58b6..c9ee58fd37 100644 --- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h @@ -136,35 +136,11 @@ void arch_livepatch_post_action(void); void arch_livepatch_mask(void); void arch_livepatch_unmask(void); -static inline void common_livepatch_apply(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the action has been already executed on this function, do nothing. */ - if ( state->applied == LIVEPATCH_FUNC_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has been already applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_apply(func, state); - state->applied = LIVEPATCH_FUNC_APPLIED; -} +/* Only for testing purposes. */ +struct payload; +int revert_payload(struct payload *data); +void revert_payload_tail(struct payload *data); -static inline void common_livepatch_revert(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the apply action hasn't been executed on this function, do nothing. */ - if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has not been applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_revert(func, state); - state->applied = LIVEPATCH_FUNC_NOT_APPLIED; -} #else /* diff --git a/xen/test/livepatch/xen_action_hooks_norevert.c b/xen/test/livepatch/xen_action_hooks_norevert.c index c173855192..c5fbab1746 100644 --- a/xen/test/livepatch/xen_action_hooks_norevert.c +++ b/xen/test/livepatch/xen_action_hooks_norevert.c @@ -96,26 +96,14 @@ static int revert_hook(livepatch_payload_t *payload) static void post_revert_hook(livepatch_payload_t *payload) { - int i; + unsigned long flags; printk(KERN_DEBUG "%s: Hook starting.\n", __func__); - for (i = 0; i < payload->nfuncs; i++) - { - const struct livepatch_func *func = &payload->funcs[i]; - struct livepatch_fstate *fstate = &payload->fstate[i]; - - BUG_ON(revert_cnt != 1); - BUG_ON(fstate->applied != LIVEPATCH_FUNC_APPLIED); - - /* Outside of quiesce zone: MAY TRIGGER HOST CRASH/UNDEFINED BEHAVIOR */ - arch_livepatch_quiesce(); - common_livepatch_revert(payload); - arch_livepatch_revive(); - BUG_ON(fstate->applied == LIVEPATCH_FUNC_APPLIED); - - printk(KERN_DEBUG "%s: post reverted: %s\n", __func__, func->name); - } + local_irq_save(flags); + BUG_ON(revert_payload(payload)); + revert_payload_tail(payload); + local_irq_restore(flags); printk(KERN_DEBUG "%s: Hook done.\n", __func__); } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:14:26 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:14:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688756.1073294 (Exim 4.92) (envelope-from ) id 1rhSkc-0007fx-Rt; Tue, 05 Mar 2024 11:14:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688756.1073294; Tue, 05 Mar 2024 11:14:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkc-0007fp-PE; Tue, 05 Mar 2024 11:14:26 +0000 Received: by outflank-mailman (input) for mailman id 688756; Tue, 05 Mar 2024 11:14:26 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkc-0007fh-6f for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:26 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkc-0001ll-62 for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:26 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSkc-0000Tv-5G for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:26 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=i3VBQl2B2nVbbc2fFa2RT5gpM9g2HH3EgeHSEwXq47s=; b=tGOwAsOKgtSDbL0WOcOv8wy1HQ iL4fBD035EAevMoomR9K7rbIKkIqsM+R5YdLHa2WOp8WXaCEw75RewgcbhPWr1w4J+KvA77bqIqhw qBbW1AhO0QwWIgMn01/hzheXVey7jTlCD6cTN48Ow/GCd7AXxzExZ0b7ps45PKP6ZJlU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen/livepatch: properly build the noapply and norevert tests Message-Id: Date: Tue, 05 Mar 2024 11:14:26 +0000 commit a59106b27609b6ae2873bd6755949b1258290872 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:59:51 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:59:51 2024 +0100 xen/livepatch: properly build the noapply and norevert tests It seems the build variables for those tests where copy-pasted from xen_action_hooks_marker-objs and not adjusted to use the correct source files. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: e579677095782c7dec792597ba8b037b7d716b32 master date: 2024-02-28 16:57:25 +0000 --- xen/test/livepatch/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/test/livepatch/Makefile b/xen/test/livepatch/Makefile index c258ab0b59..d987a8367f 100644 --- a/xen/test/livepatch/Makefile +++ b/xen/test/livepatch/Makefile @@ -118,12 +118,12 @@ xen_action_hooks_marker-objs := xen_action_hooks_marker.o xen_hello_world_func.o $(obj)/xen_action_hooks_noapply.o: $(obj)/config.h extra-y += xen_action_hooks_noapply.livepatch -xen_action_hooks_noapply-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_noapply-objs := xen_action_hooks_noapply.o xen_hello_world_func.o note.o xen_note.o $(obj)/xen_action_hooks_norevert.o: $(obj)/config.h extra-y += xen_action_hooks_norevert.livepatch -xen_action_hooks_norevert-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_norevert-objs := xen_action_hooks_norevert.o xen_hello_world_func.o note.o xen_note.o EXPECT_BYTES_COUNT := 8 CODE_GET_EXPECT=$(shell $(OBJDUMP) -d --insn-width=1 $(1) | sed -n -e '/<'$(2)'>:$$/,/^$$/ p' | tail -n +2 | head -n $(EXPECT_BYTES_COUNT) | awk '{$$0=$$2; printf "%s", substr($$0,length-1)}' | sed 's/.\{2\}/0x&,/g' | sed 's/^/{/;s/,$$/}/g') -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:14:36 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:14:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688757.1073298 (Exim 4.92) (envelope-from ) id 1rhSkm-0007ik-TF; Tue, 05 Mar 2024 11:14:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688757.1073298; Tue, 05 Mar 2024 11:14:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkm-0007ic-Qf; Tue, 05 Mar 2024 11:14:36 +0000 Received: by outflank-mailman (input) for mailman id 688757; Tue, 05 Mar 2024 11:14:36 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkm-0007iV-9Y for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:36 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkm-0001lx-8t for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:36 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSkm-0000UM-8G for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:36 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=x7ejCB2BZi0fbEDwvQxjBDikJbOtiahoxyLgWFJ33Fc=; b=68h2KjWot0o3d48Ejyrnn0/fZW qfNMB/f2WEqI+/wvt87p2dy5T1V5UJ8xQjoCFdYOUrxkmJHH2DtBNOs+MEWEbdZzpw6qIeKljRUSL Lm0s++FNxuzE17sOCIlFeiv+8ggClvWyaWRSWbWaquZYzYuXg61BA+584Sj/Ed+sVUYo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] libxl: Fix segfault in device_model_spawn_outcome Message-Id: Date: Tue, 05 Mar 2024 11:14:36 +0000 commit c4ee68eda9937743527fff41f4ede0f6a3228080 Author: Jason Andryuk AuthorDate: Tue Mar 5 12:00:30 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 12:00:30 2024 +0100 libxl: Fix segfault in device_model_spawn_outcome libxl__spawn_qdisk_backend() explicitly sets guest_config to NULL when starting QEMU (the usual launch through libxl__spawn_local_dm() has a guest_config though). Bail early on a NULL guest_config/d_config. This skips the QMP queries for chardevs and VNC, but this xenpv QEMU instance isn't expected to provide those - only qdisk (or 9pfs backends after an upcoming change). Signed-off-by: Jason Andryuk Acked-by: Anthony PERARD master commit: d4f3d35f043f6ef29393166b0dd131c8102cf255 master date: 2024-02-29 08:18:38 +0100 --- tools/libs/light/libxl_dm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c index ed620a9d8e..29b43ed20a 100644 --- a/tools/libs/light/libxl_dm.c +++ b/tools/libs/light/libxl_dm.c @@ -3172,8 +3172,8 @@ static void device_model_spawn_outcome(libxl__egc *egc, /* Check if spawn failed */ if (rc) goto out; - - if (d_config->b_info.device_model_version + /* d_config is NULL for xl devd/libxl__spawn_qemu_xenpv_backend(). */ + if (d_config && d_config->b_info.device_model_version == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN) { rc = libxl__ev_time_register_rel(ao, &dmss->timeout, devise_model_postconfig_timeout, -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:14:47 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:14:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688758.1073302 (Exim 4.92) (envelope-from ) id 1rhSkw-0007lX-V4; Tue, 05 Mar 2024 11:14:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688758.1073302; Tue, 05 Mar 2024 11:14:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkw-0007lO-SC; Tue, 05 Mar 2024 11:14:46 +0000 Received: by outflank-mailman (input) for mailman id 688758; Tue, 05 Mar 2024 11:14:46 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkw-0007lG-CK for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:46 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSkw-0001m5-Bh for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:46 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSkw-0000Ur-Az for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:46 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=p14g10R/raQXr/KdrBaEYcVz/X6b4uT4LZ9roG6AMzo=; b=hZoqwx/Et0aJcBZoGzWPHTMVte 7k04WqDXDIYe/kkJG+HlzCQE8mte0jv5kmh+8JvdiFDZoRNU0h7gOjbFaCrc9i9wrCp8RjiywuAZi qXNhi8dHtCNnTqGrwSrBrXlYYMW4Ei8H4uXf/6WMNd6waDOiwLF8P/NEqLepDIOxJ1og=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/altcall: always use a temporary parameter stashing variable Message-Id: Date: Tue, 05 Mar 2024 11:14:46 +0000 commit 2f49d9f89c14519d4cb1e06ab8370cf4ba50fab7 Author: Roger Pau Monné AuthorDate: Tue Mar 5 12:00:47 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 12:00:47 2024 +0100 x86/altcall: always use a temporary parameter stashing variable The usage in ALT_CALL_ARG() on clang of: register union { typeof(arg) e; const unsigned long r; } ... When `arg` is the first argument to alternative_{,v}call() and const_vlapic_vcpu() is used results in clang 3.5.0 complaining with: arch/x86/hvm/vlapic.c:141:47: error: non-const static data member must be initialized out of line alternative_call(hvm_funcs.test_pir, const_vlapic_vcpu(vlapic), vec) ) Workaround this by pulling `arg1` into a local variable, like it's done for further arguments (arg2, arg3...) Originally arg1 wasn't pulled into a variable because for the a1_ register local variable the possible clobbering as a result of operators on other variables don't matter: https://gcc.gnu.org/onlinedocs/gcc/Local-Register-Variables.html#Local-Register-Variables Note clang version 3.8.1 seems to already be fixed and don't require the workaround, but since it's harmless do it uniformly everywhere. Reported-by: Andrew Cooper Fixes: 2ce562b2a413 ('x86/altcall: use a union as register type for function parameters on clang') Signed-off-by: Roger Pau Monné Acked-by: Jan Beulich master commit: c20850540ad6a32f4fc17bde9b01c92b0df18bf0 master date: 2024-02-29 08:21:49 +0100 --- xen/arch/x86/include/asm/alternative.h | 36 ++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/xen/arch/x86/include/asm/alternative.h b/xen/arch/x86/include/asm/alternative.h index bcb1dc94f4..fa04481316 100644 --- a/xen/arch/x86/include/asm/alternative.h +++ b/xen/arch/x86/include/asm/alternative.h @@ -253,21 +253,24 @@ extern void alternative_branches(void); }) #define alternative_vcall1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ (void)sizeof(func(arg)); \ (void)alternative_callN(1, int, func); \ }) #define alternative_call1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ alternative_callN(1, typeof(func(arg)), func); \ }) #define alternative_vcall2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ (void)sizeof(func(arg1, arg2)); \ @@ -275,17 +278,19 @@ extern void alternative_branches(void); }) #define alternative_call2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ alternative_callN(2, typeof(func(arg1, arg2)), func); \ }) #define alternative_vcall3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -294,9 +299,10 @@ extern void alternative_branches(void); }) #define alternative_call3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -305,10 +311,11 @@ extern void alternative_branches(void); }) #define alternative_vcall4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -318,10 +325,11 @@ extern void alternative_branches(void); }) #define alternative_call4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -332,11 +340,12 @@ extern void alternative_branches(void); }) #define alternative_vcall5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -347,11 +356,12 @@ extern void alternative_branches(void); }) #define alternative_call5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -363,12 +373,13 @@ extern void alternative_branches(void); }) #define alternative_vcall6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -379,12 +390,13 @@ extern void alternative_branches(void); }) #define alternative_call6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 05 11:14:58 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 05 Mar 2024 11:14:58 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688759.1073306 (Exim 4.92) (envelope-from ) id 1rhSl8-0007oW-0G; Tue, 05 Mar 2024 11:14:58 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688759.1073306; Tue, 05 Mar 2024 11:14:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSl7-0007oN-Tl; Tue, 05 Mar 2024 11:14:57 +0000 Received: by outflank-mailman (input) for mailman id 688759; Tue, 05 Mar 2024 11:14:56 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSl6-0007oD-FL for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:56 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhSl6-0001mG-Ed for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:56 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhSl6-0000VN-Du for xen-changelog@lists.xenproject.org; Tue, 05 Mar 2024 11:14:56 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SCeCqRSazXTf5eEgJEMzrJ8GFx2rwLxR0ui5w0L74vM=; b=O6JE/weijHixjmE22tTcbczysU w/zp/gsiuyap5xklUU5T7Maz2RF0V56pEfSS8XHRBFVOpYuXotKdjtzlCLgY45K3lESCjQHanqhGr X2CPqeOCazUH8mwdJpm8hg6sNuK2QWqd1hT8ALCtJzcfiZBnSkeBN5M3H3d9m1HRQKak=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Tue, 05 Mar 2024 11:14:56 +0000 commit 54dacb5c02cba4676879ed077765734326b78e39 Author: Andrew Cooper AuthorDate: Tue Mar 5 12:01:22 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 12:01:22 2024 +0100 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné master commit: de17162cafd27f2865a3102a2ec0f386a02ed03d master date: 2024-03-01 20:14:19 +0000 --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/arch/x86/include/asm/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index f0f2c8a1c0..7b875a7221 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -435,6 +435,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -469,6 +479,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index 9ef7756593..ec824e8954 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -136,6 +136,7 @@ #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 94d211df2f..aec1407613 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -260,7 +260,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single XEN_CPUFEATURE(FSRM, 9*32+ 4) /*A Fast Short REP MOVS */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ @@ -321,7 +321,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:11:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:11:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688920.1073678 (Exim 4.92) (envelope-from ) id 1rhgkJ-0003BH-HS; Wed, 06 Mar 2024 02:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688920.1073678; Wed, 06 Mar 2024 02:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkJ-0003BA-Ek; Wed, 06 Mar 2024 02:11:03 +0000 Received: by outflank-mailman (input) for mailman id 688920; Wed, 06 Mar 2024 02:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkI-0003B4-37 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkI-0001U9-1y for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhgkI-0002LY-0c for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2gE8bOAhrNol9kQCVXjZKRi9cAnmcvjgEB1Hor6bGYM=; b=DnWGlrFsnboCVbuFRIBsH3vgdx m21xCPKRbJ5hy1qI8UozdvrgqTeFHXVTiVadYMOkwcqBir2EHClNhqMpHcW7S2kwDzTkbJ3HemVCy zX+YeAIw9/s9PTHC1e/RJwNPEQyEZPfx4ph9tgcqCEHUd0BMILiZGG8C4xOXwylJoDm4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware Message-Id: Date: Wed, 06 Mar 2024 02:11:02 +0000 commit 9c0d518eb8dc69430e6a8d767bd101dad19b846a Author: Jan Beulich AuthorDate: Tue Mar 5 11:56:31 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:56:31 2024 +0100 x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware ... or we fail to enable the functionality on the BSP for other reasons. The only place where hardware announcing the feature is recorded is the raw CPU policy/featureset. Inspired by https://lore.kernel.org/all/20230921114940.957141-1-pbonzini@redhat.com/. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné master commit: 0b5f149338e35a795bf609ce584640b0977f9e6c master date: 2024-01-09 14:06:34 +0100 --- xen/arch/x86/hvm/svm/svm.c | 1 + xen/arch/x86/hvm/vmx/vmcs.c | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index fd32600ae3..3c17464550 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -1669,6 +1669,7 @@ const struct hvm_function_table * __init start_svm(void) if ( _svm_cpu_up(true) ) { + setup_clear_cpu_cap(X86_FEATURE_SVM); printk("SVM: failed to initialise.\n"); return NULL; } diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c index bcbecc6945..b5ecc51b43 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -2163,6 +2163,23 @@ int __init vmx_vmcs_init(void) if ( !ret ) register_keyhandler('v', vmcs_dump, "dump VT-x VMCSs", 1); + else + { + setup_clear_cpu_cap(X86_FEATURE_VMX); + + /* + * _vmx_vcpu_up() may have made it past feature identification. + * Make sure all dependent features are off as well. + */ + vmx_basic_msr = 0; + vmx_pin_based_exec_control = 0; + vmx_cpu_based_exec_control = 0; + vmx_secondary_exec_control = 0; + vmx_vmexit_control = 0; + vmx_vmentry_control = 0; + vmx_ept_vpid_cap = 0; + vmx_vmfunc = 0; + } return ret; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:11:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688921.1073682 (Exim 4.92) (envelope-from ) id 1rhgkT-0003D6-Iu; Wed, 06 Mar 2024 02:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688921.1073682; Wed, 06 Mar 2024 02:11:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkT-0003Cy-GH; Wed, 06 Mar 2024 02:11:13 +0000 Received: by outflank-mailman (input) for mailman id 688921; Wed, 06 Mar 2024 02:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkS-0003Cm-60 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkS-0001UL-5J for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhgkS-0002MH-4G for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=n2B6sKF8moA7zmvJnyigEjinADwrmYczQ7LaFOytrYs=; b=ij74FSvb/Jx66q5PYPxOUt1Sgt OrZ7xYmGJ+c8OCv60WhMN7G52OE/k8kiolQpBZKJmU/WVzj9LGDE9cCm/ftQceWE9SvfP5THHDlaX Y3xKCCQFvQRapIafAIeqTVOcuXl0/ZEPt8tBeH0IzYgh2Xwu5CDnjeyzcCopcaIYyjZs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/sched: Fix UB shift in compat_set_timer_op() Message-Id: Date: Wed, 06 Mar 2024 02:11:12 +0000 commit b75bee183210318150e678e14b35224d7c73edb6 Author: Andrew Cooper AuthorDate: Tue Mar 5 11:57:02 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:57:02 2024 +0100 xen/sched: Fix UB shift in compat_set_timer_op() Tamas reported this UBSAN failure from fuzzing: (XEN) ================================================================================ (XEN) UBSAN: Undefined behaviour in common/sched/compat.c:48:37 (XEN) left shift of negative value -2147425536 (XEN) ----[ Xen-4.19-unstable x86_64 debug=y ubsan=y Not tainted ]---- ... (XEN) Xen call trace: (XEN) [] R ubsan.c#ubsan_epilogue+0xa/0xd9 (XEN) [] F __ubsan_handle_shift_out_of_bounds+0x11a/0x1c5 (XEN) [] F compat_set_timer_op+0x41/0x43 (XEN) [] F hvm_do_multicall_call+0x77f/0xa75 (XEN) [] F arch_do_multicall_call+0xec/0xf1 (XEN) [] F do_multicall+0x1dc/0xde3 (XEN) [] F hvm_hypercall+0xa00/0x149a (XEN) [] F vmx_vmexit_handler+0x1596/0x279c (XEN) [] F vmx_asm_vmexit_handler+0xdb/0x200 Left-shifting any negative value is strictly undefined behaviour in C, and the two parameters here come straight from the guest. The fuzzer happened to choose lo 0xf, hi 0x8000e300. Switch everything to be unsigned values, making the shift well defined. As GCC documents: As an extension to the C language, GCC does not use the latitude given in C99 and C11 only to treat certain aspects of signed '<<' as undefined. However, -fsanitize=shift (and -fsanitize=undefined) will diagnose such cases. this was deemed not to need an XSA. Note: The unsigned -> signed conversion for do_set_timer_op()'s s_time_t parameter is also well defined. C makes it implementation defined, and GCC defines it as reduction modulo 2^N to be within range of the new type. Fixes: 2942f45e09fb ("Enable compatibility mode operation for HYPERVISOR_sched_op and HYPERVISOR_set_timer_op.") Reported-by: Tamas K Lengyel Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: ae6d4fd876765e6d623eec67d14f5d0464be09cb master date: 2024-02-01 19:52:44 +0000 --- xen/common/sched/compat.c | 4 ++-- xen/include/hypercall-defs.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/sched/compat.c b/xen/common/sched/compat.c index 040b4caca2..b827fdecb8 100644 --- a/xen/common/sched/compat.c +++ b/xen/common/sched/compat.c @@ -39,9 +39,9 @@ static int compat_poll(struct compat_sched_poll *compat) #include "core.c" -int compat_set_timer_op(u32 lo, s32 hi) +int compat_set_timer_op(uint32_t lo, uint32_t hi) { - return do_set_timer_op(((s64)hi << 32) | lo); + return do_set_timer_op(((uint64_t)hi << 32) | lo); } /* diff --git a/xen/include/hypercall-defs.c b/xen/include/hypercall-defs.c index 1896121074..c442dee284 100644 --- a/xen/include/hypercall-defs.c +++ b/xen/include/hypercall-defs.c @@ -127,7 +127,7 @@ xenoprof_op(int op, void *arg) #ifdef CONFIG_COMPAT prefix: compat -set_timer_op(uint32_t lo, int32_t hi) +set_timer_op(uint32_t lo, uint32_t hi) multicall(multicall_entry_compat_t *call_list, uint32_t nr_calls) memory_op(unsigned int cmd, void *arg) #ifdef CONFIG_IOREQ_SERVER -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:11:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:11:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688922.1073685 (Exim 4.92) (envelope-from ) id 1rhgkd-0003FR-KH; Wed, 06 Mar 2024 02:11:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688922.1073685; Wed, 06 Mar 2024 02:11:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkd-0003FJ-Hm; Wed, 06 Mar 2024 02:11:23 +0000 Received: by outflank-mailman (input) for mailman id 688922; Wed, 06 Mar 2024 02:11:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkc-0003F9-8y for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkc-0001Ug-8K for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhgkc-0002Mt-7S for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=JFqp9pLxbTYL68bL2q7SBSWMHK8IwFyY5WOWxU4LTOY=; b=YmGbyUcMf5+LnEB3viFqLjUQFU pwEMSORQXkIKHaWigcwQnO3rVd689ngfwIx748IxdfGAnhFPqDVZljKNCg0003AreqbeA1tkE3UrS 4icSCBEqQpAnQxR8s48nRr7Hv3i11hkbZsaGld30FX/QofY48AmfSpKlOBtV7LvvmlvI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/spec: print the built-in SPECULATIVE_HARDEN_* options Message-Id: Date: Wed, 06 Mar 2024 02:11:22 +0000 commit 76ea2aab3652cc34e474de0905f0a9cd4df7d087 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:57:41 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:57:41 2024 +0100 x86/spec: print the built-in SPECULATIVE_HARDEN_* options Just like it's done for INDIRECT_THUNK and SHADOW_PAGING. Reported-by: Jan Beulich Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 6e9507f7d51fe49df8bc70f83e49ce06c92e4e54 master date: 2024-02-27 14:57:52 +0100 --- xen/arch/x86/spec_ctrl.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 661716d695..93f1cf3bb5 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -488,13 +488,25 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ - if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY + " HARDEN_ARRAY" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH + " HARDEN_BRANCH" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS + " HARDEN_GUEST_ACCESS" #endif "\n"); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:11:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:11:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688924.1073690 (Exim 4.92) (envelope-from ) id 1rhgkn-0003Hk-M1; Wed, 06 Mar 2024 02:11:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688924.1073690; Wed, 06 Mar 2024 02:11:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkn-0003Hc-JF; Wed, 06 Mar 2024 02:11:33 +0000 Received: by outflank-mailman (input) for mailman id 688924; Wed, 06 Mar 2024 02:11:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkm-0003HQ-C8 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkm-0001V8-BP for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhgkm-0002NS-AZ for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3UYHo9hoEkwvjM+B01/WnEc57Gn0T286dykOgFg+h14=; b=vj2M2bmEFb0UT04Q7wmOHuKE5n /SICeb50UmAXyzBohIrCgM7z7NWG//W7uE/dIGIItuhfEw9oxRDdaH/ow+uFxagkr9TncWd0ovRvE +SmT4MjouMtNSFuVfZA1IZ8sFe/fUDasG+T1NInsfHWhH616BCOqAymaBYNKFBYeg+x4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled Message-Id: Date: Wed, 06 Mar 2024 02:11:32 +0000 commit 693455c3c370e535eb6cd065800ff91e147815fa Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:58:04 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:58:04 2024 +0100 x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled Attempt to provide a more helpful error message when the user attempts to set spec-ctrl=bti-thunk option but the support is build-time disabled. While there also adjust the command line documentation to mention CONFIG_INDIRECT_THUNK instead of INDIRECT_THUNK. Reported-by: Andrew Cooper Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 8441fa806a3b778867867cd0159fa1722e90397e master date: 2024-02-27 14:58:20 +0100 --- docs/misc/xen-command-line.pandoc | 10 +++++----- xen/arch/x86/spec_ctrl.c | 7 ++++++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 05f613c71c..2006697226 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2378,11 +2378,11 @@ guests to use. performance reasons dom0 is unprotected by default. If it is necessary to protect dom0 too, boot with `spec-ctrl=ibpb-entry`. -If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to -select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` -locations. The default thunk is `retpoline` (generally preferred), with the -alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and -`lfence` (an `lfence; jmp *%reg` gadget). +If Xen was compiled with `CONFIG_INDIRECT_THUNK` support, `bti-thunk=` can be +used to select which of the thunks gets patched into the +`__x86_indirect_thunk_%reg` locations. The default thunk is `retpoline` +(generally preferred), with the alternatives being `jmp` (a `jmp *%reg` gadget, +minimal overhead), and `lfence` (an `lfence; jmp *%reg` gadget). On hardware supporting IBRS (Indirect Branch Restricted Speculation), the `ibrs=` option can be used to force or prevent Xen using the feature itself. diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 93f1cf3bb5..098fa3184d 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -253,7 +253,12 @@ static int __init cf_check parse_spec_ctrl(const char *s) { s += 10; - if ( !cmdline_strcmp(s, "retpoline") ) + if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) ) + { + no_config_param("INDIRECT_THUNK", "spec-ctrl", s - 10, ss); + rc = -EINVAL; + } + else if ( !cmdline_strcmp(s, "retpoline") ) opt_thunk = THUNK_RETPOLINE; else if ( !cmdline_strcmp(s, "lfence") ) opt_thunk = THUNK_LFENCE; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:11:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:11:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688925.1073693 (Exim 4.92) (envelope-from ) id 1rhgkx-0003KO-N5; Wed, 06 Mar 2024 02:11:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688925.1073693; Wed, 06 Mar 2024 02:11:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkx-0003KH-Ki; Wed, 06 Mar 2024 02:11:43 +0000 Received: by outflank-mailman (input) for mailman id 688925; Wed, 06 Mar 2024 02:11:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkw-0003K2-Fc for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgkw-0001VF-Ep for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhgkw-0002Nx-DW for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yjfrVzfrBudaBm21hl0xOwlnEoeprUz7Ok/cr2NI3wg=; b=ROH6Un9JT9LKo6Vz8t2tI6yK/e NfUEAlVZk3FB/zE0+lALxCKaVQzNAvkgkFJknC9yY6rbDxMduVlStD47ss3r4QvJDgcuN2G6bsea/ pckoxlH7W6cvalBx2V/HQ8EGqIpl4Unr3wsddzAkhThBs50TX+9w4WDt/WLrv12+NKTY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/spec: do not print thunk option selection if not built-in Message-Id: Date: Wed, 06 Mar 2024 02:11:42 +0000 commit 0ce25b46ab2fb53a1b58f7682ca14971453f4f2c Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:58:36 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:58:36 2024 +0100 x86/spec: do not print thunk option selection if not built-in Since the thunk built-in enable is printed as part of the "Compiled-in support:" line, avoid printing anything in "Xen settings:" if the thunk is disabled at build time. Note the BTI-Thunk option printing is also adjusted to print a colon in the same way the other options on the line do. Requested-by: Jan Beulich Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 576528a2a742069af203e90c613c5c93e23c9755 master date: 2024-02-27 14:58:40 +0100 --- xen/arch/x86/spec_ctrl.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 098fa3184d..25a18ac598 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -516,11 +516,12 @@ static void __init print_details(enum ind_thunk thunk) "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", - thunk == THUNK_NONE ? "N/A" : - thunk == THUNK_RETPOLINE ? "RETPOLINE" : - thunk == THUNK_LFENCE ? "LFENCE" : - thunk == THUNK_JMP ? "JMP" : "?", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + thunk != THUNK_NONE ? "BTI-Thunk: " : "", + thunk == THUNK_NONE ? "" : + thunk == THUNK_RETPOLINE ? "RETPOLINE, " : + thunk == THUNK_LFENCE ? "LFENCE, " : + thunk == THUNK_JMP ? "JMP, " : "?, ", (!boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBRS)) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:11:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:11:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688926.1073697 (Exim 4.92) (envelope-from ) id 1rhgl8-0003O9-PD; Wed, 06 Mar 2024 02:11:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688926.1073697; Wed, 06 Mar 2024 02:11:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgl8-0003O2-MH; Wed, 06 Mar 2024 02:11:54 +0000 Received: by outflank-mailman (input) for mailman id 688926; Wed, 06 Mar 2024 02:11:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgl6-0003Nl-If for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgl6-0001VO-I0 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhgl6-0002OO-H2 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:11:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=G41AlnllUXMG4jOz8zOMYKWGjUIPLzbTkkgXCKueR0I=; b=IDxUcLPRPpjdJgCJ7WpS4OnDHl GuK1MiDEp/55bL5/P/SU19cfNNyvpGqxM9KqqOl/DpBn6f64k66jefAVO6QmSDVqtlOL95vu6Vtg8 GdzYYsa/tomVMZYPvH0PpwPNYxEk9A9fAdBbL1tJDD6niBv9AIzUiizDEitAozSrWJmc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/livepatch: register livepatch regions when loaded Message-Id: Date: Wed, 06 Mar 2024 02:11:52 +0000 commit b11917de0cd261a878beaf50c18a689bde0b2f50 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:59:26 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:59:26 2024 +0100 xen/livepatch: register livepatch regions when loaded Currently livepatch regions are registered as virtual regions only after the livepatch has been applied. This can lead to issues when using the pre-apply or post-revert hooks, as at that point the livepatch is not in the virtual regions list. If a livepatch pre-apply hook contains a WARN() it would trigger an hypervisor crash, as the code to handle the bug frame won't be able to find the instruction pointer that triggered the #UD in any of the registered virtual regions, and hence crash. Fix this by adding the livepatch payloads as virtual regions as soon as loaded, and only remove them once the payload is unloaded. This requires some changes to the virtual regions code, as the removal of the virtual regions is no longer done in stop machine context, and hence an RCU barrier is added in order to make sure there are no users of the virtual region after it's been removed from the list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: a57b4074ab39bee78b6c116277f0a9963bd8e687 master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 4 ++-- xen/common/virtual_region.c | 44 +++++++++++++++++--------------------------- 2 files changed, 19 insertions(+), 29 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index c2ae84d18b..537e9f33e4 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1015,6 +1015,7 @@ static int build_symbol_table(struct payload *payload, static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); + unregister_virtual_region(&data->region); list_del(&data->list); payload_cnt--; payload_version++; @@ -1114,6 +1115,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->list); INIT_LIST_HEAD(&data->applied_list); + register_virtual_region(&data->region); list_add_tail(&data->list, &payload_list); payload_cnt++; payload_version++; @@ -1330,7 +1332,6 @@ static inline void apply_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_add_tail_rcu(&data->applied_list, &applied_list); - register_virtual_region(&data->region); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1376,7 +1377,6 @@ static inline void revert_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_del_rcu(&data->applied_list); - unregister_virtual_region(&data->region); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index 5f89703f51..9f12c30efe 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -23,14 +23,8 @@ static struct virtual_region core_init __initdata = { }; /* - * RCU locking. Additions are done either at startup (when there is only - * one CPU) or when all CPUs are running without IRQs. - * - * Deletions are bit tricky. We do it when Live Patch (all CPUs running - * without IRQs) or during bootup (when clearing the init). - * - * Hence we use list_del_rcu (which sports an memory fence) and a spinlock - * on deletion. + * RCU locking. Modifications to the list must be done in exclusive mode, and + * hence need to hold the spinlock. * * All readers of virtual_region_list MUST use list_for_each_entry_rcu. */ @@ -58,41 +52,36 @@ const struct virtual_region *find_text_region(unsigned long addr) void register_virtual_region(struct virtual_region *r) { - ASSERT(!local_irq_is_enabled()); + unsigned long flags; + spin_lock_irqsave(&virtual_region_lock, flags); list_add_tail_rcu(&r->list, &virtual_region_list); + spin_unlock_irqrestore(&virtual_region_lock, flags); } -static void remove_virtual_region(struct virtual_region *r) +/* + * Suggest inline so when !CONFIG_LIVEPATCH the function is not left + * unreachable after init code is removed. + */ +static void inline remove_virtual_region(struct virtual_region *r) { unsigned long flags; spin_lock_irqsave(&virtual_region_lock, flags); list_del_rcu(&r->list); spin_unlock_irqrestore(&virtual_region_lock, flags); - /* - * We do not need to invoke call_rcu. - * - * This is due to the fact that on the deletion we have made sure - * to use spinlocks (to guard against somebody else calling - * unregister_virtual_region) and list_deletion spiced with - * memory barrier. - * - * That protects us from corrupting the list as the readers all - * use list_for_each_entry_rcu which is safe against concurrent - * deletions. - */ } +#ifdef CONFIG_LIVEPATCH void unregister_virtual_region(struct virtual_region *r) { - /* Expected to be called from Live Patch - which has IRQs disabled. */ - ASSERT(!local_irq_is_enabled()); - remove_virtual_region(r); + + /* Assert that no CPU might be using the removed region. */ + rcu_barrier(); } -#if defined(CONFIG_LIVEPATCH) && defined(CONFIG_X86) +#ifdef CONFIG_X86 void relax_virtual_region_perms(void) { const struct virtual_region *region; @@ -116,7 +105,8 @@ void tighten_virtual_region_perms(void) PAGE_HYPERVISOR_RX); rcu_read_unlock(&rcu_virtual_region_lock); } -#endif +#endif /* CONFIG_X86 */ +#endif /* CONFIG_LIVEPATCH */ void __init unregister_init_virtual_region(void) { -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:12:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:12:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688927.1073701 (Exim 4.92) (envelope-from ) id 1rhglH-0003Re-SL; Wed, 06 Mar 2024 02:12:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688927.1073701; Wed, 06 Mar 2024 02:12:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglH-0003Ra-Pj; Wed, 06 Mar 2024 02:12:03 +0000 Received: by outflank-mailman (input) for mailman id 688927; Wed, 06 Mar 2024 02:12:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglG-0003RG-Lo for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglG-0001Vi-Kx for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhglG-0002PP-KC for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=IYkbk5IckeibjRiMTSimnx5xO57+2YkiTF5GxndYJAQ=; b=dMQ4z9ddgel6gkVYjWqvip3/rP CJ44fVQ6NUGKZqyktnNuyH9YL7xGxt7ePM+Uy+5hTDdJzLtTGUC09HOBUdCKyRq+Lzw9SH3F8n3rV S8UDPPAr+8b7nlG8ccNCGgXv2JYPFf3ChfRdNKqQLNgG9ownp+pszQ7eDILFNEv4j6gw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/livepatch: search for symbols in all loaded payloads Message-Id: Date: Wed, 06 Mar 2024 02:12:02 +0000 commit c54cf903b06fb1933fad053cc547580c92c856ea Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:59:35 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:59:35 2024 +0100 xen/livepatch: search for symbols in all loaded payloads When checking if an address belongs to a patch, or when resolving a symbol, take into account all loaded livepatch payloads, even if not applied. This is required in order for the pre-apply and post-revert hooks to work properly, or else Xen won't detect the instruction pointer belonging to those hooks as being part of the currently active text. Move the RCU handling to be used for payload_list instead of applied_list, as now the calls from trap code will iterate over the payload_list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: d2daa40fb3ddb8f83e238e57854bd878924cde90 master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 49 +++++++++++++++++-------------------------------- 1 file changed, 17 insertions(+), 32 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 537e9f33e4..a129ab9973 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -36,13 +36,14 @@ * caller in schedule_work. */ static DEFINE_SPINLOCK(payload_lock); -static LIST_HEAD(payload_list); - /* - * Patches which have been applied. Need RCU in case we crash (and then - * traps code would iterate via applied_list) when adding entries on the list. + * Need RCU in case we crash (and then traps code would iterate via + * payload_list) when adding entries on the list. */ -static DEFINE_RCU_READ_LOCK(rcu_applied_lock); +static DEFINE_RCU_READ_LOCK(rcu_payload_lock); +static LIST_HEAD(payload_list); + +/* Patches which have been applied. Only modified from stop machine context. */ static LIST_HEAD(applied_list); static unsigned int payload_cnt; @@ -111,12 +112,8 @@ bool_t is_patch(const void *ptr) const struct payload *data; bool_t r = 0; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( (ptr >= data->rw_addr && ptr < (data->rw_addr + data->rw_size)) || @@ -130,7 +127,7 @@ bool_t is_patch(const void *ptr) } } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return r; } @@ -166,12 +163,8 @@ static const char *cf_check livepatch_symbols_lookup( const void *va = (const void *)addr; const char *n = NULL; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( va < data->text_addr || va >= (data->text_addr + data->text_size) ) @@ -200,7 +193,7 @@ static const char *cf_check livepatch_symbols_lookup( n = data->symtab[best].name; break; } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return n; } @@ -1016,7 +1009,8 @@ static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); unregister_virtual_region(&data->region); - list_del(&data->list); + list_del_rcu(&data->list); + rcu_barrier(); payload_cnt--; payload_version++; free_payload_data(data); @@ -1116,7 +1110,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->applied_list); register_virtual_region(&data->region); - list_add_tail(&data->list, &payload_list); + list_add_tail_rcu(&data->list, &payload_list); payload_cnt++; payload_version++; } @@ -1327,11 +1321,7 @@ static int apply_payload(struct payload *data) static inline void apply_payload_tail(struct payload *data) { - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_add_tail_rcu(&data->applied_list, &applied_list); + list_add_tail(&data->applied_list, &applied_list); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1371,12 +1361,7 @@ static int revert_payload(struct payload *data) static inline void revert_payload_tail(struct payload *data) { - - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_del_rcu(&data->applied_list); + list_del(&data->applied_list); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:12:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:12:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688928.1073705 (Exim 4.92) (envelope-from ) id 1rhglR-0003Uk-Ty; Wed, 06 Mar 2024 02:12:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688928.1073705; Wed, 06 Mar 2024 02:12:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglR-0003Ud-RL; Wed, 06 Mar 2024 02:12:13 +0000 Received: by outflank-mailman (input) for mailman id 688928; Wed, 06 Mar 2024 02:12:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglQ-0003UK-OX for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglQ-0001Vr-Np for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhglQ-0002Qi-N6 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Q6/iH2XzQuhODuAgQkKDyLAYySmRnQKfwK7WTJOh964=; b=ruIIWCldcVeV8eWrzbqwqWAzVy nKG4MH6bUHGZ8FBDka+AYxouk8lHOO96OubaohdejXPPXvZozXM4jzn1ZsPK879vmOH1NjobwmMs2 iHo1b4CWCDupny5rpVmZuMmpkvknmSoWVLhBlwTE4ymMTnhnw5gsa8pujkpIUnxiLY1Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/livepatch: fix norevert test attempt to open-code revert Message-Id: Date: Wed, 06 Mar 2024 02:12:12 +0000 commit 5564323f643715f9d364df88e0eb9c7d6fd2c22b Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:59:43 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:59:43 2024 +0100 xen/livepatch: fix norevert test attempt to open-code revert The purpose of the norevert test is to install a dummy handler that replaces the internal Xen revert code, and then perform the revert in the post-revert hook. For that purpose the usage of the previous common_livepatch_revert() is not enough, as that just reverts specific functions, but not the whole state of the payload. Remove both common_livepatch_{apply,revert}() and instead expose revert_payload{,_tail}() in order to perform the patch revert from the post-revert hook. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: cdae267ce10d04d71d1687b5701ff2911a96b6dc master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 41 +++++++++++++++++++++++--- xen/include/xen/livepatch.h | 32 +++----------------- xen/test/livepatch/xen_action_hooks_norevert.c | 22 ++++---------- 3 files changed, 46 insertions(+), 49 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index a129ab9973..a5068a2217 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1310,7 +1310,22 @@ static int apply_payload(struct payload *data) ASSERT(!local_irq_is_enabled()); for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_apply(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* If the action has been already executed on this function, do nothing. */ + if ( state->applied == LIVEPATCH_FUNC_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has been already applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_apply(func, state); + state->applied = LIVEPATCH_FUNC_APPLIED; + } arch_livepatch_revive(); @@ -1326,7 +1341,7 @@ static inline void apply_payload_tail(struct payload *data) data->state = LIVEPATCH_STATE_APPLIED; } -static int revert_payload(struct payload *data) +int revert_payload(struct payload *data) { unsigned int i; int rc; @@ -1341,7 +1356,25 @@ static int revert_payload(struct payload *data) } for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_revert(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* + * If the apply action hasn't been executed on this function, do + * nothing. + */ + if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has not been applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_revert(func, state); + state->applied = LIVEPATCH_FUNC_NOT_APPLIED; + } /* * Since we are running with IRQs disabled and the hooks may call common @@ -1359,7 +1392,7 @@ static int revert_payload(struct payload *data) return 0; } -static inline void revert_payload_tail(struct payload *data) +void revert_payload_tail(struct payload *data) { list_del(&data->applied_list); diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index 537d3d58b6..c9ee58fd37 100644 --- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h @@ -136,35 +136,11 @@ void arch_livepatch_post_action(void); void arch_livepatch_mask(void); void arch_livepatch_unmask(void); -static inline void common_livepatch_apply(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the action has been already executed on this function, do nothing. */ - if ( state->applied == LIVEPATCH_FUNC_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has been already applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_apply(func, state); - state->applied = LIVEPATCH_FUNC_APPLIED; -} +/* Only for testing purposes. */ +struct payload; +int revert_payload(struct payload *data); +void revert_payload_tail(struct payload *data); -static inline void common_livepatch_revert(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the apply action hasn't been executed on this function, do nothing. */ - if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has not been applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_revert(func, state); - state->applied = LIVEPATCH_FUNC_NOT_APPLIED; -} #else /* diff --git a/xen/test/livepatch/xen_action_hooks_norevert.c b/xen/test/livepatch/xen_action_hooks_norevert.c index c173855192..c5fbab1746 100644 --- a/xen/test/livepatch/xen_action_hooks_norevert.c +++ b/xen/test/livepatch/xen_action_hooks_norevert.c @@ -96,26 +96,14 @@ static int revert_hook(livepatch_payload_t *payload) static void post_revert_hook(livepatch_payload_t *payload) { - int i; + unsigned long flags; printk(KERN_DEBUG "%s: Hook starting.\n", __func__); - for (i = 0; i < payload->nfuncs; i++) - { - const struct livepatch_func *func = &payload->funcs[i]; - struct livepatch_fstate *fstate = &payload->fstate[i]; - - BUG_ON(revert_cnt != 1); - BUG_ON(fstate->applied != LIVEPATCH_FUNC_APPLIED); - - /* Outside of quiesce zone: MAY TRIGGER HOST CRASH/UNDEFINED BEHAVIOR */ - arch_livepatch_quiesce(); - common_livepatch_revert(payload); - arch_livepatch_revive(); - BUG_ON(fstate->applied == LIVEPATCH_FUNC_APPLIED); - - printk(KERN_DEBUG "%s: post reverted: %s\n", __func__, func->name); - } + local_irq_save(flags); + BUG_ON(revert_payload(payload)); + revert_payload_tail(payload); + local_irq_restore(flags); printk(KERN_DEBUG "%s: Hook done.\n", __func__); } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:12:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:12:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688929.1073710 (Exim 4.92) (envelope-from ) id 1rhglb-0003XY-Vo; Wed, 06 Mar 2024 02:12:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688929.1073710; Wed, 06 Mar 2024 02:12:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglb-0003XQ-Sv; Wed, 06 Mar 2024 02:12:23 +0000 Received: by outflank-mailman (input) for mailman id 688929; Wed, 06 Mar 2024 02:12:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgla-0003XF-RS for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgla-0001W2-Qm for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhgla-0002Rv-Pv for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SMjuiD72pbZXhlXeTFiDiJi1N6eIoLhH5OamHHFA9YQ=; b=SiXvMjbKg8TlFyTOTmnAGQQLiQ jlM6APcreDAvvaWOH292sVaaJfGWan0XBFKOBm5EZRuQnEWrPOVVbm9s0MBBgIDPbBnNw2DpDaC1s 7/dr0+GgfefHpkePDHXIZ0GpaqSEHCdF6mFnuoK4LPOzkyXSqXAM3Y4tc/mWbfAwmRrU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen/livepatch: properly build the noapply and norevert tests Message-Id: Date: Wed, 06 Mar 2024 02:12:22 +0000 commit a59106b27609b6ae2873bd6755949b1258290872 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:59:51 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:59:51 2024 +0100 xen/livepatch: properly build the noapply and norevert tests It seems the build variables for those tests where copy-pasted from xen_action_hooks_marker-objs and not adjusted to use the correct source files. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: e579677095782c7dec792597ba8b037b7d716b32 master date: 2024-02-28 16:57:25 +0000 --- xen/test/livepatch/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/test/livepatch/Makefile b/xen/test/livepatch/Makefile index c258ab0b59..d987a8367f 100644 --- a/xen/test/livepatch/Makefile +++ b/xen/test/livepatch/Makefile @@ -118,12 +118,12 @@ xen_action_hooks_marker-objs := xen_action_hooks_marker.o xen_hello_world_func.o $(obj)/xen_action_hooks_noapply.o: $(obj)/config.h extra-y += xen_action_hooks_noapply.livepatch -xen_action_hooks_noapply-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_noapply-objs := xen_action_hooks_noapply.o xen_hello_world_func.o note.o xen_note.o $(obj)/xen_action_hooks_norevert.o: $(obj)/config.h extra-y += xen_action_hooks_norevert.livepatch -xen_action_hooks_norevert-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_norevert-objs := xen_action_hooks_norevert.o xen_hello_world_func.o note.o xen_note.o EXPECT_BYTES_COUNT := 8 CODE_GET_EXPECT=$(shell $(OBJDUMP) -d --insn-width=1 $(1) | sed -n -e '/<'$(2)'>:$$/,/^$$/ p' | tail -n +2 | head -n $(EXPECT_BYTES_COUNT) | awk '{$$0=$$2; printf "%s", substr($$0,length-1)}' | sed 's/.\{2\}/0x&,/g' | sed 's/^/{/;s/,$$/}/g') -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:12:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:12:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688930.1073715 (Exim 4.92) (envelope-from ) id 1rhglm-0003Zx-1A; Wed, 06 Mar 2024 02:12:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688930.1073715; Wed, 06 Mar 2024 02:12:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgll-0003Zp-UT; Wed, 06 Mar 2024 02:12:33 +0000 Received: by outflank-mailman (input) for mailman id 688930; Wed, 06 Mar 2024 02:12:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglk-0003Zh-UL for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglk-0001Wa-Tk for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhglk-0002SS-Sw for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wVZckWZs/u/FdKWUmoaN8we4zJyGAKYyfMjE16/x528=; b=mjXj/YF/mYt6A3M2dYoK5ukKAA M7MnOPBEL16KXUUh/CZexqpoD5wDsiQCKlcO8YpniGYBZJBHG+z06AN3h1ZbC0YYF2maPFhGufSRQ o+7DqymLTi9sTjpSFMm18v6xvkGvsOdvTWZ3i5BUo9trJ4zyCSmpChJhDU22bA7UqluE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] libxl: Fix segfault in device_model_spawn_outcome Message-Id: Date: Wed, 06 Mar 2024 02:12:32 +0000 commit c4ee68eda9937743527fff41f4ede0f6a3228080 Author: Jason Andryuk AuthorDate: Tue Mar 5 12:00:30 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 12:00:30 2024 +0100 libxl: Fix segfault in device_model_spawn_outcome libxl__spawn_qdisk_backend() explicitly sets guest_config to NULL when starting QEMU (the usual launch through libxl__spawn_local_dm() has a guest_config though). Bail early on a NULL guest_config/d_config. This skips the QMP queries for chardevs and VNC, but this xenpv QEMU instance isn't expected to provide those - only qdisk (or 9pfs backends after an upcoming change). Signed-off-by: Jason Andryuk Acked-by: Anthony PERARD master commit: d4f3d35f043f6ef29393166b0dd131c8102cf255 master date: 2024-02-29 08:18:38 +0100 --- tools/libs/light/libxl_dm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c index ed620a9d8e..29b43ed20a 100644 --- a/tools/libs/light/libxl_dm.c +++ b/tools/libs/light/libxl_dm.c @@ -3172,8 +3172,8 @@ static void device_model_spawn_outcome(libxl__egc *egc, /* Check if spawn failed */ if (rc) goto out; - - if (d_config->b_info.device_model_version + /* d_config is NULL for xl devd/libxl__spawn_qemu_xenpv_backend(). */ + if (d_config && d_config->b_info.device_model_version == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN) { rc = libxl__ev_time_register_rel(ao, &dmss->timeout, devise_model_postconfig_timeout, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:12:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:12:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688931.1073718 (Exim 4.92) (envelope-from ) id 1rhglw-0003d2-2k; Wed, 06 Mar 2024 02:12:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688931.1073718; Wed, 06 Mar 2024 02:12:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglv-0003cv-Vw; Wed, 06 Mar 2024 02:12:43 +0000 Received: by outflank-mailman (input) for mailman id 688931; Wed, 06 Mar 2024 02:12:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglv-0003cd-1A for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhglv-0001Wj-0U for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhglu-0002Sx-Vp for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nnqye+HkbqE7fVHnJ2u/y+dkqGq/RPqf68hPZUa7kDU=; b=Cr2TGDAIivdKWNoF/HglSLxdEz dSmmmoNbjzK5Itp+Lv9agnzJD2prTFnbeApl1JYBXP1SL6J7LVDqCCFLT3h3WZlhO0nfq8rmaprZK uGJkBH7C4L3EPLHprgRpP2yGBIgpvio8OMyEls9/W1WWvzIkEZJt/SxWW6hJfZ5HIySU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/altcall: always use a temporary parameter stashing variable Message-Id: Date: Wed, 06 Mar 2024 02:12:42 +0000 commit 2f49d9f89c14519d4cb1e06ab8370cf4ba50fab7 Author: Roger Pau Monné AuthorDate: Tue Mar 5 12:00:47 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 12:00:47 2024 +0100 x86/altcall: always use a temporary parameter stashing variable The usage in ALT_CALL_ARG() on clang of: register union { typeof(arg) e; const unsigned long r; } ... When `arg` is the first argument to alternative_{,v}call() and const_vlapic_vcpu() is used results in clang 3.5.0 complaining with: arch/x86/hvm/vlapic.c:141:47: error: non-const static data member must be initialized out of line alternative_call(hvm_funcs.test_pir, const_vlapic_vcpu(vlapic), vec) ) Workaround this by pulling `arg1` into a local variable, like it's done for further arguments (arg2, arg3...) Originally arg1 wasn't pulled into a variable because for the a1_ register local variable the possible clobbering as a result of operators on other variables don't matter: https://gcc.gnu.org/onlinedocs/gcc/Local-Register-Variables.html#Local-Register-Variables Note clang version 3.8.1 seems to already be fixed and don't require the workaround, but since it's harmless do it uniformly everywhere. Reported-by: Andrew Cooper Fixes: 2ce562b2a413 ('x86/altcall: use a union as register type for function parameters on clang') Signed-off-by: Roger Pau Monné Acked-by: Jan Beulich master commit: c20850540ad6a32f4fc17bde9b01c92b0df18bf0 master date: 2024-02-29 08:21:49 +0100 --- xen/arch/x86/include/asm/alternative.h | 36 ++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/xen/arch/x86/include/asm/alternative.h b/xen/arch/x86/include/asm/alternative.h index bcb1dc94f4..fa04481316 100644 --- a/xen/arch/x86/include/asm/alternative.h +++ b/xen/arch/x86/include/asm/alternative.h @@ -253,21 +253,24 @@ extern void alternative_branches(void); }) #define alternative_vcall1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ (void)sizeof(func(arg)); \ (void)alternative_callN(1, int, func); \ }) #define alternative_call1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ alternative_callN(1, typeof(func(arg)), func); \ }) #define alternative_vcall2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ (void)sizeof(func(arg1, arg2)); \ @@ -275,17 +278,19 @@ extern void alternative_branches(void); }) #define alternative_call2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ alternative_callN(2, typeof(func(arg1, arg2)), func); \ }) #define alternative_vcall3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -294,9 +299,10 @@ extern void alternative_branches(void); }) #define alternative_call3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -305,10 +311,11 @@ extern void alternative_branches(void); }) #define alternative_vcall4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -318,10 +325,11 @@ extern void alternative_branches(void); }) #define alternative_call4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -332,11 +340,12 @@ extern void alternative_branches(void); }) #define alternative_vcall5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -347,11 +356,12 @@ extern void alternative_branches(void); }) #define alternative_call5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -363,12 +373,13 @@ extern void alternative_branches(void); }) #define alternative_vcall6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -379,12 +390,13 @@ extern void alternative_branches(void); }) #define alternative_call6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 02:12:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 02:12:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688932.1073722 (Exim 4.92) (envelope-from ) id 1rhgm6-0003g3-5T; Wed, 06 Mar 2024 02:12:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688932.1073722; Wed, 06 Mar 2024 02:12:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgm6-0003fv-2r; Wed, 06 Mar 2024 02:12:54 +0000 Received: by outflank-mailman (input) for mailman id 688932; Wed, 06 Mar 2024 02:12:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgm5-0003fl-49 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhgm5-0001Wq-3U for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhgm5-0002TV-2m for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 02:12:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=rIoMFwm1v4cyPK1y6vSC8iSmV0aJ/y1x0I7vw4n2Oy0=; b=39MviUsZTere4EmJdE32APviBa I9gGVkLVFHkCsYdVmYYxNGbbCcMV++G3UtuHinXb1I1tG1orVum3D7KldRV87WlzSwFxwlWM1qD8c N+0hoE/pbppbGYzDbNx/4US0Vz/x7ZBt4XT0XvHamcnYgb630iURTWzWDXjTPkmyuHYI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Wed, 06 Mar 2024 02:12:53 +0000 commit 54dacb5c02cba4676879ed077765734326b78e39 Author: Andrew Cooper AuthorDate: Tue Mar 5 12:01:22 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 12:01:22 2024 +0100 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné master commit: de17162cafd27f2865a3102a2ec0f386a02ed03d master date: 2024-03-01 20:14:19 +0000 --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/arch/x86/include/asm/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index f0f2c8a1c0..7b875a7221 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -435,6 +435,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -469,6 +479,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index 9ef7756593..ec824e8954 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -136,6 +136,7 @@ #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 94d211df2f..aec1407613 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -260,7 +260,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single XEN_CPUFEATURE(FSRM, 9*32+ 4) /*A Fast Short REP MOVS */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ @@ -321,7 +321,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:55:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:55:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688940.1073736 (Exim 4.92) (envelope-from ) id 1rhiMy-0007uX-0i; Wed, 06 Mar 2024 03:55:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688940.1073736; Wed, 06 Mar 2024 03:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiMx-0007uP-UK; Wed, 06 Mar 2024 03:55:03 +0000 Received: by outflank-mailman (input) for mailman id 688940; Wed, 06 Mar 2024 03:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiMw-0007uC-7k for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiMw-0003LU-6T for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiMw-00084M-4n for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mGPuZ+d156KswTR3Oxv78QDcpyqGekg0ObzbIX0Dey0=; b=jCRXyd5XqqV4Rt0u7GC6a2+89R 90G6bpmMgAjV6bSY+T2MtsRMygUKbcUyzlKyCPX2zmgW0ZcWxjtv15zYguoZnCCab6DfJYOPh2ETq rF8pkgWV4WFSjOaLT1jAcLPXuQyg6gxnxq/QO+qsoPnui5p94m9rnu9k1tSoSFMml1ns=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware Message-Id: Date: Wed, 06 Mar 2024 03:55:02 +0000 commit 3e383bb4137c6ca3058cd55cb867ecc2b7414499 Author: Jan Beulich AuthorDate: Tue Mar 5 11:48:39 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:48:39 2024 +0100 x86/HVM: hide SVM/VMX when their enabling is prohibited by firmware ... or we fail to enable the functionality on the BSP for other reasons. The only place where hardware announcing the feature is recorded is the raw CPU policy/featureset. Inspired by https://lore.kernel.org/all/20230921114940.957141-1-pbonzini@redhat.com/. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné master commit: 0b5f149338e35a795bf609ce584640b0977f9e6c master date: 2024-01-09 14:06:34 +0100 --- xen/arch/x86/hvm/svm/svm.c | 1 + xen/arch/x86/hvm/vmx/vmcs.c | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index 24c417ca71..ff991c82cf 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -2543,6 +2543,7 @@ const struct hvm_function_table * __init start_svm(void) if ( _svm_cpu_up(true) ) { + setup_clear_cpu_cap(X86_FEATURE_SVM); printk("SVM: failed to initialise.\n"); return NULL; } diff --git a/xen/arch/x86/hvm/vmx/vmcs.c b/xen/arch/x86/hvm/vmx/vmcs.c index 13719cc923..e382aa16c5 100644 --- a/xen/arch/x86/hvm/vmx/vmcs.c +++ b/xen/arch/x86/hvm/vmx/vmcs.c @@ -2165,6 +2165,23 @@ int __init vmx_vmcs_init(void) if ( !ret ) register_keyhandler('v', vmcs_dump, "dump VT-x VMCSs", 1); + else + { + setup_clear_cpu_cap(X86_FEATURE_VMX); + + /* + * _vmx_vcpu_up() may have made it past feature identification. + * Make sure all dependent features are off as well. + */ + vmx_basic_msr = 0; + vmx_pin_based_exec_control = 0; + vmx_cpu_based_exec_control = 0; + vmx_secondary_exec_control = 0; + vmx_vmexit_control = 0; + vmx_vmentry_control = 0; + vmx_ept_vpid_cap = 0; + vmx_vmfunc = 0; + } return ret; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:55:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:55:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688941.1073739 (Exim 4.92) (envelope-from ) id 1rhiN8-0007wj-1y; Wed, 06 Mar 2024 03:55:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688941.1073739; Wed, 06 Mar 2024 03:55:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiN7-0007wc-Vp; Wed, 06 Mar 2024 03:55:13 +0000 Received: by outflank-mailman (input) for mailman id 688941; Wed, 06 Mar 2024 03:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiN6-0007wL-C9 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiN6-0003Li-BN for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiN6-00084l-8h for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qrjs3pq6LLUlzCpPDDky3hnt3rSDR4f14d+pm7dc338=; b=zKLM1vY4wqj2A+c0W+FnQqcUsc TE6sAHgoqxjD9U8tGCRK4HikwM7vQGvvo557aqLyaOC+gtj1CrLV2IcUeIU/TrFzmCerjJSKEvZD8 tk3wcd3oAblnNEcM3eGbfGjeCYU5CfdWYz5qtEe1JvnLAhaEQDEK8GD4G8eWf6K9E+xQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/sched: Fix UB shift in compat_set_timer_op() Message-Id: Date: Wed, 06 Mar 2024 03:55:12 +0000 commit 57f137053652d5a981ae21f3abe7becc507fe434 Author: Andrew Cooper AuthorDate: Tue Mar 5 11:49:22 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:49:22 2024 +0100 xen/sched: Fix UB shift in compat_set_timer_op() Tamas reported this UBSAN failure from fuzzing: (XEN) ================================================================================ (XEN) UBSAN: Undefined behaviour in common/sched/compat.c:48:37 (XEN) left shift of negative value -2147425536 (XEN) ----[ Xen-4.19-unstable x86_64 debug=y ubsan=y Not tainted ]---- ... (XEN) Xen call trace: (XEN) [] R ubsan.c#ubsan_epilogue+0xa/0xd9 (XEN) [] F __ubsan_handle_shift_out_of_bounds+0x11a/0x1c5 (XEN) [] F compat_set_timer_op+0x41/0x43 (XEN) [] F hvm_do_multicall_call+0x77f/0xa75 (XEN) [] F arch_do_multicall_call+0xec/0xf1 (XEN) [] F do_multicall+0x1dc/0xde3 (XEN) [] F hvm_hypercall+0xa00/0x149a (XEN) [] F vmx_vmexit_handler+0x1596/0x279c (XEN) [] F vmx_asm_vmexit_handler+0xdb/0x200 Left-shifting any negative value is strictly undefined behaviour in C, and the two parameters here come straight from the guest. The fuzzer happened to choose lo 0xf, hi 0x8000e300. Switch everything to be unsigned values, making the shift well defined. As GCC documents: As an extension to the C language, GCC does not use the latitude given in C99 and C11 only to treat certain aspects of signed '<<' as undefined. However, -fsanitize=shift (and -fsanitize=undefined) will diagnose such cases. this was deemed not to need an XSA. Note: The unsigned -> signed conversion for do_set_timer_op()'s s_time_t parameter is also well defined. C makes it implementation defined, and GCC defines it as reduction modulo 2^N to be within range of the new type. Fixes: 2942f45e09fb ("Enable compatibility mode operation for HYPERVISOR_sched_op and HYPERVISOR_set_timer_op.") Reported-by: Tamas K Lengyel Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: ae6d4fd876765e6d623eec67d14f5d0464be09cb master date: 2024-02-01 19:52:44 +0000 --- xen/common/sched/compat.c | 4 ++-- xen/include/hypercall-defs.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/common/sched/compat.c b/xen/common/sched/compat.c index d718e450d4..dd97593630 100644 --- a/xen/common/sched/compat.c +++ b/xen/common/sched/compat.c @@ -43,9 +43,9 @@ static int compat_poll(struct compat_sched_poll *compat) #include "core.c" -int compat_set_timer_op(uint32_t lo, int32_t hi) +int compat_set_timer_op(uint32_t lo, uint32_t hi) { - return do_set_timer_op(((s64)hi << 32) | lo); + return do_set_timer_op(((uint64_t)hi << 32) | lo); } #endif /* __COMMON_SCHED_COMPAT_C__ */ diff --git a/xen/include/hypercall-defs.c b/xen/include/hypercall-defs.c index 6d361ddfce..47c093acc8 100644 --- a/xen/include/hypercall-defs.c +++ b/xen/include/hypercall-defs.c @@ -134,7 +134,7 @@ xenoprof_op(int op, void *arg) #ifdef CONFIG_COMPAT prefix: compat -set_timer_op(uint32_t lo, int32_t hi) +set_timer_op(uint32_t lo, uint32_t hi) multicall(multicall_entry_compat_t *call_list, uint32_t nr_calls) memory_op(unsigned int cmd, void *arg) #ifdef CONFIG_IOREQ_SERVER -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:55:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:55:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688942.1073744 (Exim 4.92) (envelope-from ) id 1rhiNI-0007zc-3V; Wed, 06 Mar 2024 03:55:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688942.1073744; Wed, 06 Mar 2024 03:55:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNI-0007zU-12; Wed, 06 Mar 2024 03:55:24 +0000 Received: by outflank-mailman (input) for mailman id 688942; Wed, 06 Mar 2024 03:55:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNG-0007zG-G0 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNG-0003Lv-Ew for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiNG-00085H-DY for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lRwv0rvTjq44GtFyMP+DxoZI4TZYNvJuCHUh6G25Cow=; b=E8sEjOQ4dBPbAAR4wpTXs+M9vC pjhnKWCs6yhV+yzDOQ48hE5s1711jk5mHklBleyU9gHPUHNSOmIlOsNHdqRtmcKKJO2RxHvhg3dbS G2Qxj3lcI++x4KTKQQ1MjGWNmwaedoWsKlzmAdvUnjC/zoCWl6jPJIpO2BfxRuRFBiPI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/spec: print the built-in SPECULATIVE_HARDEN_* options Message-Id: Date: Wed, 06 Mar 2024 03:55:22 +0000 commit b7f9168878155e2d29b9b4a3048b0a9a68ed82ed Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:50:16 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:50:16 2024 +0100 x86/spec: print the built-in SPECULATIVE_HARDEN_* options Just like it's done for INDIRECT_THUNK and SHADOW_PAGING. Reported-by: Jan Beulich Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 6e9507f7d51fe49df8bc70f83e49ce06c92e4e54 master date: 2024-02-27 14:57:52 +0100 --- xen/arch/x86/spec_ctrl.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 01ba59cff7..04e508b622 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -476,13 +476,25 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ - if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_ARRAY + " HARDEN_ARRAY" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_BRANCH + " HARDEN_BRANCH" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS + " HARDEN_GUEST_ACCESS" #endif "\n"); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:55:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:55:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688943.1073748 (Exim 4.92) (envelope-from ) id 1rhiNS-00083C-53; Wed, 06 Mar 2024 03:55:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688943.1073748; Wed, 06 Mar 2024 03:55:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNS-000834-2R; Wed, 06 Mar 2024 03:55:34 +0000 Received: by outflank-mailman (input) for mailman id 688943; Wed, 06 Mar 2024 03:55:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNQ-00082n-JI for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNQ-0003MZ-IA for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiNQ-00085m-HJ for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yr/uBEBm3vCz1DMZ1wL46kM0r43Mcm7LmBu5zOPsDzA=; b=frSLBhJ1Rz0QmSWyfhr769dZRa QGWmSb2FWHPRmImFNOCQSdTKQYCwzg5PEc6IjLYqB1jHLnfqyurxIwNAPfBUDFtmoGNjFFLF8JcAa 7WJrEXd6vkm/dFLSAPETU4qyR71w67vvqanuo/TxAu4NbYLOJuAVEc/X8N6mgzqWtHZU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled Message-Id: Date: Wed, 06 Mar 2024 03:55:32 +0000 commit 09b9db0413b1f31f27bece07b2bfa1723b89ace6 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:50:53 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:50:53 2024 +0100 x86/spec: fix INDIRECT_THUNK option to only be set when build-enabled Attempt to provide a more helpful error message when the user attempts to set spec-ctrl=bti-thunk option but the support is build-time disabled. While there also adjust the command line documentation to mention CONFIG_INDIRECT_THUNK instead of INDIRECT_THUNK. Reported-by: Andrew Cooper Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 8441fa806a3b778867867cd0159fa1722e90397e master date: 2024-02-27 14:58:20 +0100 --- docs/misc/xen-command-line.pandoc | 10 +++++----- xen/arch/x86/spec_ctrl.c | 7 ++++++- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 8e65f8bd18..582d6741d1 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2424,11 +2424,11 @@ guests to use. performance reasons dom0 is unprotected by default. If it is necessary to protect dom0 too, boot with `spec-ctrl=ibpb-entry`. -If Xen was compiled with INDIRECT_THUNK support, `bti-thunk=` can be used to -select which of the thunks gets patched into the `__x86_indirect_thunk_%reg` -locations. The default thunk is `retpoline` (generally preferred), with the -alternatives being `jmp` (a `jmp *%reg` gadget, minimal overhead), and -`lfence` (an `lfence; jmp *%reg` gadget). +If Xen was compiled with `CONFIG_INDIRECT_THUNK` support, `bti-thunk=` can be +used to select which of the thunks gets patched into the +`__x86_indirect_thunk_%reg` locations. The default thunk is `retpoline` +(generally preferred), with the alternatives being `jmp` (a `jmp *%reg` gadget, +minimal overhead), and `lfence` (an `lfence; jmp *%reg` gadget). On hardware supporting IBRS (Indirect Branch Restricted Speculation), the `ibrs=` option can be used to force or prevent Xen using the feature itself. diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 04e508b622..99ecfb3cba 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -241,7 +241,12 @@ static int __init cf_check parse_spec_ctrl(const char *s) { s += 10; - if ( !cmdline_strcmp(s, "retpoline") ) + if ( !IS_ENABLED(CONFIG_INDIRECT_THUNK) ) + { + no_config_param("INDIRECT_THUNK", "spec-ctrl", s - 10, ss); + rc = -EINVAL; + } + else if ( !cmdline_strcmp(s, "retpoline") ) opt_thunk = THUNK_RETPOLINE; else if ( !cmdline_strcmp(s, "lfence") ) opt_thunk = THUNK_LFENCE; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:55:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:55:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688944.1073753 (Exim 4.92) (envelope-from ) id 1rhiNc-000869-79; Wed, 06 Mar 2024 03:55:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688944.1073753; Wed, 06 Mar 2024 03:55:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNc-00085z-3r; Wed, 06 Mar 2024 03:55:44 +0000 Received: by outflank-mailman (input) for mailman id 688944; Wed, 06 Mar 2024 03:55:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNa-00085k-Lo for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNa-0003Mg-L7 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiNa-00086B-KM for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iBxtX6XW2NeZHEGizE1mOXkimx2JySVyOeV4lDWQTKE=; b=EG05PJEZvvsGrVQLu6WnfFQfsL RVf/vqKLEPwuBO9g1stzfk2nR5eYGoAeosiosCPtF29YXnFxAl3Kn4QyoLrjySASK3H+0CvpOU0jI Ek41glX5QOuHrfsMh3hzFl9V14S8PsTEi4MlFGJ8APV0eFuWTXZwzoqhrOClSyWQoTkE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/spec: do not print thunk option selection if not built-in Message-Id: Date: Wed, 06 Mar 2024 03:55:42 +0000 commit 7404c25efdc70091817479b80dbbd945e6ab4861 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:51:56 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:51:56 2024 +0100 x86/spec: do not print thunk option selection if not built-in Since the thunk built-in enable is printed as part of the "Compiled-in support:" line, avoid printing anything in "Xen settings:" if the thunk is disabled at build time. Note the BTI-Thunk option printing is also adjusted to print a colon in the same way the other options on the line do. Requested-by: Jan Beulich Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich master commit: 576528a2a742069af203e90c613c5c93e23c9755 master date: 2024-02-27 14:58:40 +0100 --- xen/arch/x86/spec_ctrl.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 99ecfb3cba..a965b6db28 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -504,11 +504,12 @@ static void __init print_details(enum ind_thunk thunk) "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", - thunk == THUNK_NONE ? "N/A" : - thunk == THUNK_RETPOLINE ? "RETPOLINE" : - thunk == THUNK_LFENCE ? "LFENCE" : - thunk == THUNK_JMP ? "JMP" : "?", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + thunk != THUNK_NONE ? "BTI-Thunk: " : "", + thunk == THUNK_NONE ? "" : + thunk == THUNK_RETPOLINE ? "RETPOLINE, " : + thunk == THUNK_LFENCE ? "LFENCE, " : + thunk == THUNK_JMP ? "JMP, " : "?, ", (!boot_cpu_has(X86_FEATURE_IBRSB) && !boot_cpu_has(X86_FEATURE_IBRS)) ? "No" : (default_xen_spec_ctrl & SPEC_CTRL_IBRS) ? "IBRS+" : "IBRS-", -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:55:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:55:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688945.1073755 (Exim 4.92) (envelope-from ) id 1rhiNm-00089S-9u; Wed, 06 Mar 2024 03:55:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688945.1073755; Wed, 06 Mar 2024 03:55:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNm-00089J-7E; Wed, 06 Mar 2024 03:55:54 +0000 Received: by outflank-mailman (input) for mailman id 688945; Wed, 06 Mar 2024 03:55:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNk-000898-Oz for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNk-0003Mp-OA for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiNk-00086g-NI for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:55:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1RHsZUa6N1urNQ/djc7oVTrCibHEQ5Czx/1Hax77v2w=; b=GiX0dwBogTZuIzRJUrf+I7E8Vs JhQm5PNU0Ds9zFfNLCFPMeIzgtvDFRrYbLqDmYAJBB8eW/ETRNYbNROIGhbX4ZbHYIDzcWDVpOu1s Z7/BteQNuhyEvIZYA4WMx+8rW1xqhn8I7NfvrMBn2ut96T12Jr7e0NRijIvAwLbK4J1g=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/livepatch: register livepatch regions when loaded Message-Id: Date: Wed, 06 Mar 2024 03:55:52 +0000 commit 5382a6a79cb544f2eecc47330b531802f8c52977 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:52:57 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:52:57 2024 +0100 xen/livepatch: register livepatch regions when loaded Currently livepatch regions are registered as virtual regions only after the livepatch has been applied. This can lead to issues when using the pre-apply or post-revert hooks, as at that point the livepatch is not in the virtual regions list. If a livepatch pre-apply hook contains a WARN() it would trigger an hypervisor crash, as the code to handle the bug frame won't be able to find the instruction pointer that triggered the #UD in any of the registered virtual regions, and hence crash. Fix this by adding the livepatch payloads as virtual regions as soon as loaded, and only remove them once the payload is unloaded. This requires some changes to the virtual regions code, as the removal of the virtual regions is no longer done in stop machine context, and hence an RCU barrier is added in order to make sure there are no users of the virtual region after it's been removed from the list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: a57b4074ab39bee78b6c116277f0a9963bd8e687 master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 4 ++-- xen/common/virtual_region.c | 44 +++++++++++++++++--------------------------- 2 files changed, 19 insertions(+), 29 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index e635606c10..e1964b841a 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1071,6 +1071,7 @@ static int build_symbol_table(struct payload *payload, static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); + unregister_virtual_region(&data->region); list_del(&data->list); payload_cnt--; payload_version++; @@ -1170,6 +1171,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->list); INIT_LIST_HEAD(&data->applied_list); + register_virtual_region(&data->region); list_add_tail(&data->list, &payload_list); payload_cnt++; payload_version++; @@ -1386,7 +1388,6 @@ static inline void apply_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_add_tail_rcu(&data->applied_list, &applied_list); - register_virtual_region(&data->region); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1432,7 +1433,6 @@ static inline void revert_payload_tail(struct payload *data) * The applied_list is iterated by the trap code. */ list_del_rcu(&data->applied_list); - unregister_virtual_region(&data->region); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index 5f89703f51..9f12c30efe 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -23,14 +23,8 @@ static struct virtual_region core_init __initdata = { }; /* - * RCU locking. Additions are done either at startup (when there is only - * one CPU) or when all CPUs are running without IRQs. - * - * Deletions are bit tricky. We do it when Live Patch (all CPUs running - * without IRQs) or during bootup (when clearing the init). - * - * Hence we use list_del_rcu (which sports an memory fence) and a spinlock - * on deletion. + * RCU locking. Modifications to the list must be done in exclusive mode, and + * hence need to hold the spinlock. * * All readers of virtual_region_list MUST use list_for_each_entry_rcu. */ @@ -58,41 +52,36 @@ const struct virtual_region *find_text_region(unsigned long addr) void register_virtual_region(struct virtual_region *r) { - ASSERT(!local_irq_is_enabled()); + unsigned long flags; + spin_lock_irqsave(&virtual_region_lock, flags); list_add_tail_rcu(&r->list, &virtual_region_list); + spin_unlock_irqrestore(&virtual_region_lock, flags); } -static void remove_virtual_region(struct virtual_region *r) +/* + * Suggest inline so when !CONFIG_LIVEPATCH the function is not left + * unreachable after init code is removed. + */ +static void inline remove_virtual_region(struct virtual_region *r) { unsigned long flags; spin_lock_irqsave(&virtual_region_lock, flags); list_del_rcu(&r->list); spin_unlock_irqrestore(&virtual_region_lock, flags); - /* - * We do not need to invoke call_rcu. - * - * This is due to the fact that on the deletion we have made sure - * to use spinlocks (to guard against somebody else calling - * unregister_virtual_region) and list_deletion spiced with - * memory barrier. - * - * That protects us from corrupting the list as the readers all - * use list_for_each_entry_rcu which is safe against concurrent - * deletions. - */ } +#ifdef CONFIG_LIVEPATCH void unregister_virtual_region(struct virtual_region *r) { - /* Expected to be called from Live Patch - which has IRQs disabled. */ - ASSERT(!local_irq_is_enabled()); - remove_virtual_region(r); + + /* Assert that no CPU might be using the removed region. */ + rcu_barrier(); } -#if defined(CONFIG_LIVEPATCH) && defined(CONFIG_X86) +#ifdef CONFIG_X86 void relax_virtual_region_perms(void) { const struct virtual_region *region; @@ -116,7 +105,8 @@ void tighten_virtual_region_perms(void) PAGE_HYPERVISOR_RX); rcu_read_unlock(&rcu_virtual_region_lock); } -#endif +#endif /* CONFIG_X86 */ +#endif /* CONFIG_LIVEPATCH */ void __init unregister_init_virtual_region(void) { -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:56:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:56:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688946.1073759 (Exim 4.92) (envelope-from ) id 1rhiNw-0008CA-BE; Wed, 06 Mar 2024 03:56:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688946.1073759; Wed, 06 Mar 2024 03:56:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNw-0008C2-8i; Wed, 06 Mar 2024 03:56:04 +0000 Received: by outflank-mailman (input) for mailman id 688946; Wed, 06 Mar 2024 03:56:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNu-0008Bl-Ry for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiNu-0003N9-RB for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiNu-00087u-QM for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=PS7OQ2jenGuLAi/5j1Qh8SkfDDzIfgAex2siGq4SANU=; b=yf2PO4X7snKrgm0Bc3YLOu4u9u SLUapW7WMgviKKbukhVYC35trWYc6TU7NZF8mrOnuBzuFDv3MEB6jF34pBWuXSgbMhg/vnVIkahiK MARrfTdyJS/zEpJbI4imXqgsctV89dL/FFBMKmZRZiEvmNfHyfFHg8rolh3IcdsUEKpo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/livepatch: search for symbols in all loaded payloads Message-Id: Date: Wed, 06 Mar 2024 03:56:02 +0000 commit 50a8f74df76b7ce7c35ad97a539f505eb0a9baa6 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:53:05 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:53:05 2024 +0100 xen/livepatch: search for symbols in all loaded payloads When checking if an address belongs to a patch, or when resolving a symbol, take into account all loaded livepatch payloads, even if not applied. This is required in order for the pre-apply and post-revert hooks to work properly, or else Xen won't detect the instruction pointer belonging to those hooks as being part of the currently active text. Move the RCU handling to be used for payload_list instead of applied_list, as now the calls from trap code will iterate over the payload_list. Fixes: 8313c864fa95 ('livepatch: Implement pre-|post- apply|revert hooks') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: d2daa40fb3ddb8f83e238e57854bd878924cde90 master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 49 +++++++++++++++++-------------------------------- 1 file changed, 17 insertions(+), 32 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index e1964b841a..135c47e9b8 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -36,13 +36,14 @@ * caller in schedule_work. */ static DEFINE_SPINLOCK(payload_lock); -static LIST_HEAD(payload_list); - /* - * Patches which have been applied. Need RCU in case we crash (and then - * traps code would iterate via applied_list) when adding entries on the list. + * Need RCU in case we crash (and then traps code would iterate via + * payload_list) when adding entries on the list. */ -static DEFINE_RCU_READ_LOCK(rcu_applied_lock); +static DEFINE_RCU_READ_LOCK(rcu_payload_lock); +static LIST_HEAD(payload_list); + +/* Patches which have been applied. Only modified from stop machine context. */ static LIST_HEAD(applied_list); static unsigned int payload_cnt; @@ -111,12 +112,8 @@ bool_t is_patch(const void *ptr) const struct payload *data; bool_t r = 0; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( (ptr >= data->rw_addr && ptr < (data->rw_addr + data->rw_size)) || @@ -130,7 +127,7 @@ bool_t is_patch(const void *ptr) } } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return r; } @@ -166,12 +163,8 @@ static const char *cf_check livepatch_symbols_lookup( const void *va = (const void *)addr; const char *n = NULL; - /* - * Only RCU locking since this list is only ever changed during apply - * or revert context. And in case it dies there we need an safe list. - */ - rcu_read_lock(&rcu_applied_lock); - list_for_each_entry_rcu ( data, &applied_list, applied_list ) + rcu_read_lock(&rcu_payload_lock); + list_for_each_entry_rcu ( data, &payload_list, list ) { if ( va < data->text_addr || va >= (data->text_addr + data->text_size) ) @@ -200,7 +193,7 @@ static const char *cf_check livepatch_symbols_lookup( n = data->symtab[best].name; break; } - rcu_read_unlock(&rcu_applied_lock); + rcu_read_unlock(&rcu_payload_lock); return n; } @@ -1072,7 +1065,8 @@ static void free_payload(struct payload *data) { ASSERT(spin_is_locked(&payload_lock)); unregister_virtual_region(&data->region); - list_del(&data->list); + list_del_rcu(&data->list); + rcu_barrier(); payload_cnt--; payload_version++; free_payload_data(data); @@ -1172,7 +1166,7 @@ static int livepatch_upload(struct xen_sysctl_livepatch_upload *upload) INIT_LIST_HEAD(&data->applied_list); register_virtual_region(&data->region); - list_add_tail(&data->list, &payload_list); + list_add_tail_rcu(&data->list, &payload_list); payload_cnt++; payload_version++; } @@ -1383,11 +1377,7 @@ static int apply_payload(struct payload *data) static inline void apply_payload_tail(struct payload *data) { - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_add_tail_rcu(&data->applied_list, &applied_list); + list_add_tail(&data->applied_list, &applied_list); data->state = LIVEPATCH_STATE_APPLIED; } @@ -1427,12 +1417,7 @@ static int revert_payload(struct payload *data) static inline void revert_payload_tail(struct payload *data) { - - /* - * We need RCU variant (which has barriers) in case we crash here. - * The applied_list is iterated by the trap code. - */ - list_del_rcu(&data->applied_list); + list_del(&data->applied_list); data->reverted = true; data->state = LIVEPATCH_STATE_CHECKED; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:56:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:56:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688947.1073764 (Exim 4.92) (envelope-from ) id 1rhiO6-0008F8-Co; Wed, 06 Mar 2024 03:56:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688947.1073764; Wed, 06 Mar 2024 03:56:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiO6-0008F0-AB; Wed, 06 Mar 2024 03:56:14 +0000 Received: by outflank-mailman (input) for mailman id 688947; Wed, 06 Mar 2024 03:56:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiO4-0008En-V4 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiO4-0003NQ-UK for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiO4-00088U-TW for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wvNv0MUZJq31jPqKkY98vbA9P41dpMOfsXvgSG1I4d8=; b=lAMXa7M8apafV9Jds1jipick/t J2huR0UUX1w5vfZxTiOsmeA27RuauIndThjcgVbjZaoLNsOb/jFcsev3C+XdDiiaJFAb3LmqORSBY 2l46tdhFTo7MK5nZb41YKOmuBG1FfNWzBhmfD8LgCbMwEhiLUMIyryOjhJBI6+LabY7E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/livepatch: fix norevert test attempt to open-code revert Message-Id: Date: Wed, 06 Mar 2024 03:56:12 +0000 commit d81bfc7ff887426727504086fa363f91bf8c19f8 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:53:13 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:53:13 2024 +0100 xen/livepatch: fix norevert test attempt to open-code revert The purpose of the norevert test is to install a dummy handler that replaces the internal Xen revert code, and then perform the revert in the post-revert hook. For that purpose the usage of the previous common_livepatch_revert() is not enough, as that just reverts specific functions, but not the whole state of the payload. Remove both common_livepatch_{apply,revert}() and instead expose revert_payload{,_tail}() in order to perform the patch revert from the post-revert hook. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: cdae267ce10d04d71d1687b5701ff2911a96b6dc master date: 2024-02-28 16:57:25 +0000 --- xen/common/livepatch.c | 41 +++++++++++++++++++++++--- xen/include/xen/livepatch.h | 32 +++----------------- xen/test/livepatch/xen_action_hooks_norevert.c | 22 ++++---------- 3 files changed, 46 insertions(+), 49 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 135c47e9b8..0cc048fd83 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -1366,7 +1366,22 @@ static int apply_payload(struct payload *data) ASSERT(!local_irq_is_enabled()); for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_apply(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* If the action has been already executed on this function, do nothing. */ + if ( state->applied == LIVEPATCH_FUNC_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has been already applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_apply(func, state); + state->applied = LIVEPATCH_FUNC_APPLIED; + } arch_livepatch_revive(); @@ -1382,7 +1397,7 @@ static inline void apply_payload_tail(struct payload *data) data->state = LIVEPATCH_STATE_APPLIED; } -static int revert_payload(struct payload *data) +int revert_payload(struct payload *data) { unsigned int i; int rc; @@ -1397,7 +1412,25 @@ static int revert_payload(struct payload *data) } for ( i = 0; i < data->nfuncs; i++ ) - common_livepatch_revert(&data->funcs[i], &data->fstate[i]); + { + const struct livepatch_func *func = &data->funcs[i]; + struct livepatch_fstate *state = &data->fstate[i]; + + /* + * If the apply action hasn't been executed on this function, do + * nothing. + */ + if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) + { + printk(XENLOG_WARNING LIVEPATCH + "%s: %s has not been applied before\n", + __func__, func->name); + continue; + } + + arch_livepatch_revert(func, state); + state->applied = LIVEPATCH_FUNC_NOT_APPLIED; + } /* * Since we are running with IRQs disabled and the hooks may call common @@ -1415,7 +1448,7 @@ static int revert_payload(struct payload *data) return 0; } -static inline void revert_payload_tail(struct payload *data) +void revert_payload_tail(struct payload *data) { list_del(&data->applied_list); diff --git a/xen/include/xen/livepatch.h b/xen/include/xen/livepatch.h index 537d3d58b6..c9ee58fd37 100644 --- a/xen/include/xen/livepatch.h +++ b/xen/include/xen/livepatch.h @@ -136,35 +136,11 @@ void arch_livepatch_post_action(void); void arch_livepatch_mask(void); void arch_livepatch_unmask(void); -static inline void common_livepatch_apply(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the action has been already executed on this function, do nothing. */ - if ( state->applied == LIVEPATCH_FUNC_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has been already applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_apply(func, state); - state->applied = LIVEPATCH_FUNC_APPLIED; -} +/* Only for testing purposes. */ +struct payload; +int revert_payload(struct payload *data); +void revert_payload_tail(struct payload *data); -static inline void common_livepatch_revert(const struct livepatch_func *func, - struct livepatch_fstate *state) -{ - /* If the apply action hasn't been executed on this function, do nothing. */ - if ( !func->old_addr || state->applied == LIVEPATCH_FUNC_NOT_APPLIED ) - { - printk(XENLOG_WARNING LIVEPATCH "%s: %s has not been applied before\n", - __func__, func->name); - return; - } - - arch_livepatch_revert(func, state); - state->applied = LIVEPATCH_FUNC_NOT_APPLIED; -} #else /* diff --git a/xen/test/livepatch/xen_action_hooks_norevert.c b/xen/test/livepatch/xen_action_hooks_norevert.c index c173855192..c5fbab1746 100644 --- a/xen/test/livepatch/xen_action_hooks_norevert.c +++ b/xen/test/livepatch/xen_action_hooks_norevert.c @@ -96,26 +96,14 @@ static int revert_hook(livepatch_payload_t *payload) static void post_revert_hook(livepatch_payload_t *payload) { - int i; + unsigned long flags; printk(KERN_DEBUG "%s: Hook starting.\n", __func__); - for (i = 0; i < payload->nfuncs; i++) - { - const struct livepatch_func *func = &payload->funcs[i]; - struct livepatch_fstate *fstate = &payload->fstate[i]; - - BUG_ON(revert_cnt != 1); - BUG_ON(fstate->applied != LIVEPATCH_FUNC_APPLIED); - - /* Outside of quiesce zone: MAY TRIGGER HOST CRASH/UNDEFINED BEHAVIOR */ - arch_livepatch_quiesce(); - common_livepatch_revert(payload); - arch_livepatch_revive(); - BUG_ON(fstate->applied == LIVEPATCH_FUNC_APPLIED); - - printk(KERN_DEBUG "%s: post reverted: %s\n", __func__, func->name); - } + local_irq_save(flags); + BUG_ON(revert_payload(payload)); + revert_payload_tail(payload); + local_irq_restore(flags); printk(KERN_DEBUG "%s: Hook done.\n", __func__); } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:56:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:56:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688948.1073768 (Exim 4.92) (envelope-from ) id 1rhiOG-0008Ht-EJ; Wed, 06 Mar 2024 03:56:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688948.1073768; Wed, 06 Mar 2024 03:56:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOG-0008Hl-Bh; Wed, 06 Mar 2024 03:56:24 +0000 Received: by outflank-mailman (input) for mailman id 688948; Wed, 06 Mar 2024 03:56:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOF-0008HW-1W for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOF-0003NZ-0r for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiOF-00088w-0A for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5vIGD0KAC+G03ua3fYBTokWT6L71GAg/6Ez/FkwC3LY=; b=omxlL1AYchJx+HxdPu16Wrgd0C n2OnEQYHaDNdEBktWAHS0xv55QjgeGYr9oLojiBmwuGYX4VIY8dMSQ0nJe7VYC44wPatZMeVTAWeY MoFWWwW7Br0qoPeHIQBAXHAZv50MadofOmawOvK773IuzrgggF96IL7s0AgF5BMCF4Qg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen/livepatch: properly build the noapply and norevert tests Message-Id: Date: Wed, 06 Mar 2024 03:56:23 +0000 commit e9516b73e7d499684092c1d345818585403cf190 Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:53:22 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:53:22 2024 +0100 xen/livepatch: properly build the noapply and norevert tests It seems the build variables for those tests where copy-pasted from xen_action_hooks_marker-objs and not adjusted to use the correct source files. Fixes: 6047104c3ccc ('livepatch: Add per-function applied/reverted state tracking marker') Signed-off-by: Roger Pau Monné Reviewed-by: Ross Lagerwall master commit: e579677095782c7dec792597ba8b037b7d716b32 master date: 2024-02-28 16:57:25 +0000 --- xen/test/livepatch/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/test/livepatch/Makefile b/xen/test/livepatch/Makefile index c258ab0b59..d987a8367f 100644 --- a/xen/test/livepatch/Makefile +++ b/xen/test/livepatch/Makefile @@ -118,12 +118,12 @@ xen_action_hooks_marker-objs := xen_action_hooks_marker.o xen_hello_world_func.o $(obj)/xen_action_hooks_noapply.o: $(obj)/config.h extra-y += xen_action_hooks_noapply.livepatch -xen_action_hooks_noapply-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_noapply-objs := xen_action_hooks_noapply.o xen_hello_world_func.o note.o xen_note.o $(obj)/xen_action_hooks_norevert.o: $(obj)/config.h extra-y += xen_action_hooks_norevert.livepatch -xen_action_hooks_norevert-objs := xen_action_hooks_marker.o xen_hello_world_func.o note.o xen_note.o +xen_action_hooks_norevert-objs := xen_action_hooks_norevert.o xen_hello_world_func.o note.o xen_note.o EXPECT_BYTES_COUNT := 8 CODE_GET_EXPECT=$(shell $(OBJDUMP) -d --insn-width=1 $(1) | sed -n -e '/<'$(2)'>:$$/,/^$$/ p' | tail -n +2 | head -n $(EXPECT_BYTES_COUNT) | awk '{$$0=$$2; printf "%s", substr($$0,length-1)}' | sed 's/.\{2\}/0x&,/g' | sed 's/^/{/;s/,$$/}/g') -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:56:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:56:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688949.1073771 (Exim 4.92) (envelope-from ) id 1rhiOQ-0008Kd-Fs; Wed, 06 Mar 2024 03:56:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688949.1073771; Wed, 06 Mar 2024 03:56:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOQ-0008KV-D5; Wed, 06 Mar 2024 03:56:34 +0000 Received: by outflank-mailman (input) for mailman id 688949; Wed, 06 Mar 2024 03:56:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOP-0008KK-4X for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOP-0003Nw-3q for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiOP-00089S-38 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Q8hzY+D38IImKMrh5OWxo4h3xLbJyqhjkyXo16Dtjxs=; b=qPbR+t31vZM1cGY6osiggyXABp pznf6ysbhq535WYClBWVlBh/aXnljF7cbgs5nZiED6wgO656vyY3947uDoDUR3HZUvhY8tjWXakJ4 iIbMxjAvtqiMtnUsJT/O6DLpghRrtDVpRYkiMiGOW36P7ok18dZAqTzqxQBIiG6XCIr4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] libxl: Fix segfault in device_model_spawn_outcome Message-Id: Date: Wed, 06 Mar 2024 03:56:33 +0000 commit 267845a8389d5d34edb2b38a1972f32f51f70b4e Author: Jason Andryuk AuthorDate: Tue Mar 5 11:54:12 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:54:12 2024 +0100 libxl: Fix segfault in device_model_spawn_outcome libxl__spawn_qdisk_backend() explicitly sets guest_config to NULL when starting QEMU (the usual launch through libxl__spawn_local_dm() has a guest_config though). Bail early on a NULL guest_config/d_config. This skips the QMP queries for chardevs and VNC, but this xenpv QEMU instance isn't expected to provide those - only qdisk (or 9pfs backends after an upcoming change). Signed-off-by: Jason Andryuk Acked-by: Anthony PERARD master commit: d4f3d35f043f6ef29393166b0dd131c8102cf255 master date: 2024-02-29 08:18:38 +0100 --- tools/libs/light/libxl_dm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/libs/light/libxl_dm.c b/tools/libs/light/libxl_dm.c index ed620a9d8e..29b43ed20a 100644 --- a/tools/libs/light/libxl_dm.c +++ b/tools/libs/light/libxl_dm.c @@ -3172,8 +3172,8 @@ static void device_model_spawn_outcome(libxl__egc *egc, /* Check if spawn failed */ if (rc) goto out; - - if (d_config->b_info.device_model_version + /* d_config is NULL for xl devd/libxl__spawn_qemu_xenpv_backend(). */ + if (d_config && d_config->b_info.device_model_version == LIBXL_DEVICE_MODEL_VERSION_QEMU_XEN) { rc = libxl__ev_time_register_rel(ao, &dmss->timeout, devise_model_postconfig_timeout, -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:56:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:56:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688950.1073775 (Exim 4.92) (envelope-from ) id 1rhiOa-0008Nq-Iv; Wed, 06 Mar 2024 03:56:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688950.1073775; Wed, 06 Mar 2024 03:56:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOa-0008Ni-GG; Wed, 06 Mar 2024 03:56:44 +0000 Received: by outflank-mailman (input) for mailman id 688950; Wed, 06 Mar 2024 03:56:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOZ-0008Na-7R for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOZ-0003O3-6h for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiOZ-00089t-5v for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5plKvOftk3yEy3kVd6wl6jKsJCVZO6TI8G019KTit/Y=; b=Mmf+2xWB+6y9BxMRTXv+b9iCY9 NKtGVChc+HBdEYc1MojlA8GoYckZhfvry4+SenIuOpumY3Cbqdx+6wl5xSEV8qciD3LG9lEwXpiAk NhpZ3yUudyKe6Lbp6su8TABflelZ8nhzqzr87qncghAJDy9+0s4BNZTUfJBkUd8xIhk0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/altcall: always use a temporary parameter stashing variable Message-Id: Date: Wed, 06 Mar 2024 03:56:43 +0000 commit 75221fb0f87e4d7278b0a540bc28a6d0b74afeba Author: Roger Pau Monné AuthorDate: Tue Mar 5 11:54:33 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:54:33 2024 +0100 x86/altcall: always use a temporary parameter stashing variable The usage in ALT_CALL_ARG() on clang of: register union { typeof(arg) e; const unsigned long r; } ... When `arg` is the first argument to alternative_{,v}call() and const_vlapic_vcpu() is used results in clang 3.5.0 complaining with: arch/x86/hvm/vlapic.c:141:47: error: non-const static data member must be initialized out of line alternative_call(hvm_funcs.test_pir, const_vlapic_vcpu(vlapic), vec) ) Workaround this by pulling `arg1` into a local variable, like it's done for further arguments (arg2, arg3...) Originally arg1 wasn't pulled into a variable because for the a1_ register local variable the possible clobbering as a result of operators on other variables don't matter: https://gcc.gnu.org/onlinedocs/gcc/Local-Register-Variables.html#Local-Register-Variables Note clang version 3.8.1 seems to already be fixed and don't require the workaround, but since it's harmless do it uniformly everywhere. Reported-by: Andrew Cooper Fixes: 2ce562b2a413 ('x86/altcall: use a union as register type for function parameters on clang') Signed-off-by: Roger Pau Monné Acked-by: Jan Beulich master commit: c20850540ad6a32f4fc17bde9b01c92b0df18bf0 master date: 2024-02-29 08:21:49 +0100 --- xen/arch/x86/include/asm/alternative.h | 36 ++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/xen/arch/x86/include/asm/alternative.h b/xen/arch/x86/include/asm/alternative.h index 3c14db5078..0d3697f1de 100644 --- a/xen/arch/x86/include/asm/alternative.h +++ b/xen/arch/x86/include/asm/alternative.h @@ -253,21 +253,24 @@ extern void alternative_branches(void); }) #define alternative_vcall1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ (void)sizeof(func(arg)); \ (void)alternative_callN(1, int, func); \ }) #define alternative_call1(func, arg) ({ \ - ALT_CALL_ARG(arg, 1); \ + typeof(arg) v1_ = (arg); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_NO_ARG2; \ alternative_callN(1, typeof(func(arg)), func); \ }) #define alternative_vcall2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ (void)sizeof(func(arg1, arg2)); \ @@ -275,17 +278,19 @@ extern void alternative_branches(void); }) #define alternative_call2(func, arg1, arg2) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_NO_ARG3; \ alternative_callN(2, typeof(func(arg1, arg2)), func); \ }) #define alternative_vcall3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -294,9 +299,10 @@ extern void alternative_branches(void); }) #define alternative_call3(func, arg1, arg2, arg3) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_NO_ARG4; \ @@ -305,10 +311,11 @@ extern void alternative_branches(void); }) #define alternative_vcall4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -318,10 +325,11 @@ extern void alternative_branches(void); }) #define alternative_call4(func, arg1, arg2, arg3, arg4) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -332,11 +340,12 @@ extern void alternative_branches(void); }) #define alternative_vcall5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -347,11 +356,12 @@ extern void alternative_branches(void); }) #define alternative_call5(func, arg1, arg2, arg3, arg4, arg5) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -363,12 +373,13 @@ extern void alternative_branches(void); }) #define alternative_vcall6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ @@ -379,12 +390,13 @@ extern void alternative_branches(void); }) #define alternative_call6(func, arg1, arg2, arg3, arg4, arg5, arg6) ({ \ + typeof(arg1) v1_ = (arg1); \ typeof(arg2) v2_ = (arg2); \ typeof(arg3) v3_ = (arg3); \ typeof(arg4) v4_ = (arg4); \ typeof(arg5) v5_ = (arg5); \ typeof(arg6) v6_ = (arg6); \ - ALT_CALL_ARG(arg1, 1); \ + ALT_CALL_ARG(v1_, 1); \ ALT_CALL_ARG(v2_, 2); \ ALT_CALL_ARG(v3_, 3); \ ALT_CALL_ARG(v4_, 4); \ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 03:56:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 03:56:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688951.1073780 (Exim 4.92) (envelope-from ) id 1rhiOk-0008QX-KY; Wed, 06 Mar 2024 03:56:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688951.1073780; Wed, 06 Mar 2024 03:56:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOk-0008QP-Hk; Wed, 06 Mar 2024 03:56:54 +0000 Received: by outflank-mailman (input) for mailman id 688951; Wed, 06 Mar 2024 03:56:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOj-0008QG-AL for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhiOj-0003OB-9c for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhiOj-0008AO-8v for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 03:56:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QJwHGv36ERkK72jH10Jl6TJU4IuWGt6jKl6FEzxKTfs=; b=DEjyPAi8yLGOMuwFgmSjnZzv2k rY7NQ8tg6mMJodeU59DwXrzfzAfvr9PXt6VAxlHfix4qDN05BUJN5sjAAYiTjxWSO5HFDLLycZYLX R7NOFZo2phz1xF0wVPjrJBSo72NgFVjDMykij1yiVnBH8EapY+hzG5k1qrXY5Gq6HVRo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Wed, 06 Mar 2024 03:56:53 +0000 commit fd7cb7a1d0433049d8fc59444d0e91b71728763e Author: Andrew Cooper AuthorDate: Tue Mar 5 11:55:17 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 5 11:55:17 2024 +0100 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné master commit: de17162cafd27f2865a3102a2ec0f386a02ed03d master date: 2024-03-01 20:14:19 +0000 --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/arch/x86/include/asm/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index bcb17b7ce3..c7c5e99b7b 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -442,6 +442,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -476,6 +486,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index 06e1dd7f33..76ef2aeb1d 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -177,6 +177,7 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 6b6ce2745c..337aaa9c77 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -262,7 +262,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single XEN_CPUFEATURE(FSRM, 9*32+ 4) /*A Fast Short REP MOVS */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ @@ -329,7 +329,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 09:22:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 09:22:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688989.1073854 (Exim 4.92) (envelope-from ) id 1rhnTR-0004Dk-Qu; Wed, 06 Mar 2024 09:22:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688989.1073854; Wed, 06 Mar 2024 09:22:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTR-0004Dc-Nx; Wed, 06 Mar 2024 09:22:05 +0000 Received: by outflank-mailman (input) for mailman id 688989; Wed, 06 Mar 2024 09:22:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTQ-0004DW-4G for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTQ-0002XD-2b for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhnTQ-0002GM-14 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0QjsT5bfDlOBFKaLxsPa78GsIpiD843GbKgxsV0tHb8=; b=Yx6nKofPtLJFFAyAA6UJdBZ2Xi 3017PAXQabkMPbqkj8lTjQmfFCjcEW2QR0hq3OIh5fBhJQkCsGQslvT1aDYgA+V91aHRkiixDbTtI hAbJ4uemgKrQwRKEqu5JVKp7hPgEgpzNl4M1gxYVnqXN7M1ZygUTFgnC9cCY4DrMgBm4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Argo: don't obtain excess page references Message-Id: Date: Wed, 06 Mar 2024 09:22:04 +0000 commit cfbcfce494a1c1b1df618e3f06ec5b45352e5fe9 Author: Jan Beulich AuthorDate: Wed Mar 6 10:17:36 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 6 10:17:36 2024 +0100 Argo: don't obtain excess page references find_ring_mfn() already holds a page reference when trying to obtain a writable type reference. We shouldn't make assumptions on the general reference count limit being effectively "infinity". Obtain merely a type ref, re-using the general ref by only dropping the previously acquired one in the case of an error. Signed-off-by: Jan Beulich Reviewed-by: Julien Grall --- xen/common/argo.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index 5dc5e45c7b..da3d3f325f 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -1425,7 +1425,7 @@ find_ring_mfn(struct domain *d, gfn_t gfn, mfn_t *mfn) switch ( p2mt ) { case p2m_ram_rw: - if ( !get_page_and_type(page, d, PGT_writable_page) ) + if ( !get_page_type(page, PGT_writable_page) ) ret = -EINVAL; break; @@ -1440,7 +1440,8 @@ find_ring_mfn(struct domain *d, gfn_t gfn, mfn_t *mfn) break; } - put_page(page); + if ( unlikely(ret) ) + put_page(page); return ret; } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 09:22:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 09:22:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688990.1073858 (Exim 4.92) (envelope-from ) id 1rhnTb-0004FI-SC; Wed, 06 Mar 2024 09:22:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688990.1073858; Wed, 06 Mar 2024 09:22:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTb-0004FA-PT; Wed, 06 Mar 2024 09:22:15 +0000 Received: by outflank-mailman (input) for mailman id 688990; Wed, 06 Mar 2024 09:22:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTa-0004Ew-83 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTa-0002XN-7E for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhnTa-0002IK-4k for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=19ckbdE276wixl3L6lMz556/SbZ2dBVxDF4FAQz9bD0=; b=IU1scsk+MbfLsLYzr0tPXjF+my F12Bjylsc49eYiFNnph7Vvhl1dgsGNJ3zvwTHLUwOVwb+pL8SagYGrhR8kGdJKWGiE+uQfJJwj0a9 DH2IPIA/V+9Oddv/UUwHlKfLwG4JFtq88UlI8qmZU36IVvyAjmTKW7lg6xjuPUSl1JUo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/riscv: introduces acquire, release and full barriers Message-Id: Date: Wed, 06 Mar 2024 09:22:14 +0000 commit 91ed57339129cd95f4764792be21718faeb420f2 Author: Oleksii Kurochko AuthorDate: Wed Mar 6 10:18:33 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 6 10:18:33 2024 +0100 xen/riscv: introduces acquire, release and full barriers Signed-off-by: Oleksii Kurochko Acked-by: Jan Beulich --- xen/arch/riscv/include/asm/fence.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/xen/arch/riscv/include/asm/fence.h b/xen/arch/riscv/include/asm/fence.h new file mode 100644 index 0000000000..27f46fa897 --- /dev/null +++ b/xen/arch/riscv/include/asm/fence.h @@ -0,0 +1,9 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +#ifndef _ASM_RISCV_FENCE_H +#define _ASM_RISCV_FENCE_H + +#define RISCV_ACQUIRE_BARRIER "\tfence r , rw\n" +#define RISCV_RELEASE_BARRIER "\tfence rw, w\n" +#define RISCV_FULL_BARRIER "\tfence rw, rw\n" + +#endif /* _ASM_RISCV_FENCE_H */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 09:22:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 09:22:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688991.1073862 (Exim 4.92) (envelope-from ) id 1rhnTl-0004Hp-Tr; Wed, 06 Mar 2024 09:22:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688991.1073862; Wed, 06 Mar 2024 09:22:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTl-0004Hh-Qw; Wed, 06 Mar 2024 09:22:25 +0000 Received: by outflank-mailman (input) for mailman id 688991; Wed, 06 Mar 2024 09:22:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTk-0004HT-D3 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTk-0002Xm-B4 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhnTk-0002J4-9K for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=oD1Ed5uu25UPOhadp12gVtvVKrpnNrDe7FKo6qoFI3c=; b=rNMxnvRguJLDbWezWKZJDq1MBD TlbAr+Etp/+ZY7U7taPLnncvXesx/E8b3NHFXoxegF4GN/pi5145uayxipl2LdGMIclczlm/4qUmH NC+mVnWpPyUP75z4lll1BZnGnJcrjYvAhg/kDHQjoYuLGOVidig2p8J3zRqsuc1pDPIA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] hvmloader/PCI: skip huge BARs in certain calculations Message-Id: Date: Wed, 06 Mar 2024 09:22:24 +0000 commit 57acad12a09ffa490e870ebe17596aad858f0191 Author: Jan Beulich AuthorDate: Wed Mar 6 10:19:29 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 6 10:19:29 2024 +0100 hvmloader/PCI: skip huge BARs in certain calculations BARs of size 2Gb and up can't possibly fit below 4Gb: Both the bottom of the lower 2Gb range and the top of the higher 2Gb range have special purpose. Don't even have them influence whether to (perhaps) relocate low RAM. Reported-by: Neowutran Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné --- tools/firmware/hvmloader/pci.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/tools/firmware/hvmloader/pci.c b/tools/firmware/hvmloader/pci.c index 257a6feb61..c3c61ca060 100644 --- a/tools/firmware/hvmloader/pci.c +++ b/tools/firmware/hvmloader/pci.c @@ -33,6 +33,13 @@ uint32_t pci_mem_start = HVM_BELOW_4G_MMIO_START; const uint32_t pci_mem_end = RESERVED_MEMBASE; uint64_t pci_hi_mem_start = 0, pci_hi_mem_end = 0; +/* + * BARs larger than this value are put in 64-bit space unconditionally. That + * is, such BARs also don't play into the determination of how big the lowmem + * MMIO hole needs to be. + */ +#define BAR_RELOC_THRESH GB(1) + enum virtual_vga virtual_vga = VGA_none; unsigned long igd_opregion_pgbase = 0; @@ -286,9 +293,11 @@ void pci_setup(void) bars[i].bar_reg = bar_reg; bars[i].bar_sz = bar_sz; - if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == - PCI_BASE_ADDRESS_SPACE_MEMORY) || - (bar_reg == PCI_ROM_ADDRESS) ) + if ( is_64bar && bar_sz > BAR_RELOC_THRESH ) + bar64_relocate = 1; + else if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == + PCI_BASE_ADDRESS_SPACE_MEMORY) || + (bar_reg == PCI_ROM_ADDRESS) ) mmio_total += bar_sz; nr_bars++; @@ -367,7 +376,7 @@ void pci_setup(void) pci_mem_start = hvm_info->low_mem_pgend << PAGE_SHIFT; } - if ( mmio_total > (pci_mem_end - pci_mem_start) ) + if ( mmio_total > (pci_mem_end - pci_mem_start) || bar64_relocate ) { printf("Low MMIO hole not large enough for all devices," " relocating some BARs to 64-bit\n"); @@ -430,7 +439,8 @@ void pci_setup(void) /* * Relocate to high memory if the total amount of MMIO needed - * is more than the low MMIO available. Because devices are + * is more than the low MMIO available or BARs bigger than + * BAR_RELOC_THRESH are present. Because devices are * processed in order of bar_sz, this will preferentially * relocate larger devices to high memory first. * @@ -446,8 +456,9 @@ void pci_setup(void) * the code here assumes it to be.) * Should either of those two conditions change, this code will break. */ - using_64bar = bars[i].is_64bar && bar64_relocate - && (mmio_total > (mem_resource.max - mem_resource.base)); + using_64bar = bars[i].is_64bar && bar64_relocate && + (mmio_total > (mem_resource.max - mem_resource.base) || + bar_sz > BAR_RELOC_THRESH); bar_data = pci_readl(devfn, bar_reg); if ( (bar_data & PCI_BASE_ADDRESS_SPACE) == @@ -467,7 +478,8 @@ void pci_setup(void) resource = &mem_resource; bar_data &= ~PCI_BASE_ADDRESS_MEM_MASK; } - mmio_total -= bar_sz; + if ( bar_sz <= BAR_RELOC_THRESH ) + mmio_total -= bar_sz; } else { -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 09:22:36 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 09:22:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688992.1073866 (Exim 4.92) (envelope-from ) id 1rhnTw-0004LN-0V; Wed, 06 Mar 2024 09:22:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688992.1073866; Wed, 06 Mar 2024 09:22:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTv-0004LF-UD; Wed, 06 Mar 2024 09:22:35 +0000 Received: by outflank-mailman (input) for mailman id 688992; Wed, 06 Mar 2024 09:22:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTu-0004Ku-F8 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnTu-0002YF-ER for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhnTu-0002Jx-DB for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:22:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=d6OQu+rnsXj3Rjj4g6LtkIUkonOIPjFw+0i9aPxOcck=; b=NzGo/MCRjes9fpA9lgiu+jvgFu xd5Wf81t6h2ogNQyQdqdc7QV5cgf9b8WO54vapG0aFz7cEwOi+ytR3ICq+OHXQcP0TCEyQ2UMlV7L ciauV/DBgcESYQ9b/A1C/5nfFC5wVM5R4c4zpDMADTZkxtQBc7DBJZAPzM+E2teCPelQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86: i387.c cleanup Message-Id: Date: Wed, 06 Mar 2024 09:22:34 +0000 commit e7b62fcfd9dd66398dd0d3c79b3bae216db64e97 Author: Wei Liu AuthorDate: Wed Mar 6 10:19:57 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 6 10:19:57 2024 +0100 x86: i387.c cleanup Spelling and formatting; no functional change. Signed-off-by: Wei Liu Signed-off-by: Fouad Hilly Acked-by: Jan Beulich --- xen/arch/x86/i387.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/i387.c b/xen/arch/x86/i387.c index d824f2bb52..7a4297cc92 100644 --- a/xen/arch/x86/i387.c +++ b/xen/arch/x86/i387.c @@ -26,7 +26,7 @@ static inline void fpu_xrstor(struct vcpu *v, uint64_t mask) ASSERT(v->arch.xsave_area); /* - * XCR0 normally represents what guest OS set. In case of Xen itself, + * XCR0 normally represents what guest OS set. In case of Xen itself, * we set the accumulated feature mask before doing save/restore. */ ok = set_xcr0(v->arch.xcr0_accum | XSTATE_FP_SSE); @@ -36,7 +36,7 @@ static inline void fpu_xrstor(struct vcpu *v, uint64_t mask) ASSERT(ok); } -/* Restor x87 FPU, MMX, SSE and SSE2 state */ +/* Restore x87 FPU, MMX, SSE and SSE2 state */ static inline void fpu_fxrstor(struct vcpu *v) { const typeof(v->arch.xsave_area->fpu_sse) *fpu_ctxt = v->arch.fpu_ctxt; @@ -307,7 +307,7 @@ void save_fpu_enable(void) int vcpu_init_fpu(struct vcpu *v) { int rc; - + v->arch.fully_eager_fpu = opt_eager_fpu; if ( (rc = xstate_alloc_save_area(v)) != 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 09:44:12 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 09:44:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.688996.1073880 (Exim 4.92) (envelope-from ) id 1rhnoi-0007UD-Lp; Wed, 06 Mar 2024 09:44:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 688996.1073880; Wed, 06 Mar 2024 09:44:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnoi-0007U5-JD; Wed, 06 Mar 2024 09:44:04 +0000 Received: by outflank-mailman (input) for mailman id 688996; Wed, 06 Mar 2024 09:44:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnoh-0007Tj-C6 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:44:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhnoh-0002zC-BM for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:44:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhnoh-0003Wj-A0 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 09:44:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2w0Dq+/S7lrl/ks1e5AhhEIyiAxHg7i4tzxE4mrraGE=; b=zc8TmmlaeX6S1HOQYB/WNGJYz1 vaBkCMghmPE/wg34Fa05D2TS5vwLOLiEFRJAyLsRMCnHm+t/JWu3VkvOzIqecr+LZCAX6tMbezvKf m4pkXIh4rDoALXfO/c6ZHE1NgBZukQeaew+7P7tkKtRPz8ocWc8hIYZL71pPelmKdS2k=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] SUPPORT.md: clarify support of booting 32-bit Xen on ARMv8 Message-Id: Date: Wed, 06 Mar 2024 09:44:03 +0000 commit cd53ee9c41f991bbca75641e647005e013a3eac0 Author: Michal Orzel AuthorDate: Thu Feb 29 13:13:52 2024 +0100 Commit: Julien Grall CommitDate: Wed Mar 6 09:39:45 2024 +0000 SUPPORT.md: clarify support of booting 32-bit Xen on ARMv8 Since commit bd1001db0af1 ("xen/arm: arm32: Allow Xen to boot on unidentified CPUs"), it's been possible to boot 32-bit Xen on ARMv8A CPUs in AArch32 state (assuming HW supports EL2 execution in AArch32). Clarify the support statement and mark it as Tech Preview, as this use case is uncommon and hasn't really been tested/hardened. Signed-off-by: Michal Orzel Acked-by: Julien Grall --- SUPPORT.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SUPPORT.md b/SUPPORT.md index a90d1108c9..7eb6875cfa 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -37,7 +37,8 @@ supported in this document. ### ARM v8 - Status: Supported + Status, Xen in AArch64 mode: Supported + Status, Xen in AArch32 mode: Tech Preview Status, Cortex A57 r0p0-r1p1: Supported, not security supported Status, Cortex A77 r0p0-r1p0: Supported, not security supported -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 12:11:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 12:11:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689117.1074109 (Exim 4.92) (envelope-from ) id 1rhq6z-0003vc-MP; Wed, 06 Mar 2024 12:11:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689117.1074109; Wed, 06 Mar 2024 12:11:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhq6z-0003vV-K1; Wed, 06 Mar 2024 12:11:05 +0000 Received: by outflank-mailman (input) for mailman id 689117; Wed, 06 Mar 2024 12:11:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhq6x-0003vH-UN for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 12:11:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhq6x-0006Dp-KJ for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 12:11:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhq6x-0004T0-J5 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 12:11:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zfkCR7j9vgMbudERbzhReC6TMmKq9GocDQtV3m5/Xw4=; b=WGeWTBTEmg87o79Ty4a+en1YmO oLUHzzrmNGMeMHJYN+w9qNxMioNHzPKsf/2mvetegxWopj33UksV5nTg6E28JrjRx5rF2W4SMh9H8 xxe4B5fvJAt3O1VHotpojvx8A0CnkHTwj398ce6nL5sGLckfdPhuLg14nEXyLRhmaeRQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/{RISCV,PPC}/xen.lds: Delete duplicate _erodata definitions Message-Id: Date: Wed, 06 Mar 2024 12:11:03 +0000 commit e14fece7d48372d64468717ea3d3e65487a0a4f2 Author: Andrew Cooper AuthorDate: Tue Mar 5 12:21:21 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 6 12:03:36 2024 +0000 xen/{RISCV,PPC}/xen.lds: Delete duplicate _erodata definitions This is bad copy/paste from somewhere. Retain the second _erodata symbol, which follows the Build ID, and matches the other architectures. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Reviewed-by: Oleksii Kurochko Acked-by: Shawn Anastasio --- xen/arch/ppc/xen.lds.S | 1 - xen/arch/riscv/xen.lds.S | 1 - 2 files changed, 2 deletions(-) diff --git a/xen/arch/ppc/xen.lds.S b/xen/arch/ppc/xen.lds.S index 030e1ee37b..05b6db2728 100644 --- a/xen/arch/ppc/xen.lds.S +++ b/xen/arch/ppc/xen.lds.S @@ -60,7 +60,6 @@ SECTIONS VPCI_ARRAY . = ALIGN(POINTER_ALIGN); - _erodata = .; /* End of read-only data */ } :text #if defined(BUILD_ID) diff --git a/xen/arch/riscv/xen.lds.S b/xen/arch/riscv/xen.lds.S index 8510a87c4d..ace6f49c57 100644 --- a/xen/arch/riscv/xen.lds.S +++ b/xen/arch/riscv/xen.lds.S @@ -60,7 +60,6 @@ SECTIONS VPCI_ARRAY . = ALIGN(POINTER_ALIGN); - _erodata = .; /* End of read-only data */ } :text #if defined(BUILD_ID) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 12:11:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 12:11:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689118.1074114 (Exim 4.92) (envelope-from ) id 1rhq78-0003xy-OJ; Wed, 06 Mar 2024 12:11:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689118.1074114; Wed, 06 Mar 2024 12:11:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhq78-0003xq-LQ; Wed, 06 Mar 2024 12:11:14 +0000 Received: by outflank-mailman (input) for mailman id 689118; Wed, 06 Mar 2024 12:11:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhq77-0003xa-O9 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 12:11:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhq77-0006EA-NQ for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 12:11:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhq77-0004Tj-MN for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 12:11:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uDsg+jLS6omRwPhZFGUXk5BC0xqE8fD133GU+n2wyAo=; b=SJgklgPiMYxCeVad1C7FvP//UJ rBUaGjzM18OJAlnIiuFST32MCj7LQUk0kodJuKaHm4rIBDSXzc9lTHqf8cWIpxy3VXdNCJ3/8KX/c fseLUuJ5XSs2sXth4f++A8AN60FRGGmaUe0gBXqNFnzLuSYjNetsUPAbEWbxJ69jn6kM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] 9pfsd: allow building with old glibc Message-Id: Date: Wed, 06 Mar 2024 12:11:13 +0000 commit f4900d6d69b534a00a2d6f8981a3bd5dc22a7c0b Author: Jan Beulich AuthorDate: Tue Mar 5 15:33:47 2024 +0100 Commit: Andrew Cooper CommitDate: Wed Mar 6 12:03:36 2024 +0000 9pfsd: allow building with old glibc Neither pread() / pwrite() nor O_DIRECTORY are available from glibc 2.11.3 headers without defining (e.g.) _GNU_SOURCE. Supplying the definition unconditionally shouldn't be a problem, seeing that various other tools/ components do so, too. Signed-off-by: Jan Beulich --- tools/9pfsd/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/9pfsd/Makefile b/tools/9pfsd/Makefile index 50573121ed..b5f9703131 100644 --- a/tools/9pfsd/Makefile +++ b/tools/9pfsd/Makefile @@ -5,7 +5,7 @@ XEN_ROOT = $(CURDIR)/../.. include $(XEN_ROOT)/tools/Rules.mk -CFLAGS += $(PTHREAD_CFLAGS) +CFLAGS += $(PTHREAD_CFLAGS) -D_GNU_SOURCE LDFLAGS += $(PTHREAD_LDFLAGS) TARGETS := xen-9pfsd -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 12:11:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 12:11:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689119.1074118 (Exim 4.92) (envelope-from ) id 1rhq7J-00041M-Ps; Wed, 06 Mar 2024 12:11:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689119.1074118; Wed, 06 Mar 2024 12:11:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhq7J-00041E-N1; Wed, 06 Mar 2024 12:11:25 +0000 Received: by outflank-mailman (input) for mailman id 689119; Wed, 06 Mar 2024 12:11:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhq7H-00040d-W5 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 12:11:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rhq7H-0006EW-Sc for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 12:11:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rhq7H-0004UD-Pe for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 12:11:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=J5bI36NNIHxXmBvqkWWJG547C19gA75JfMpf1bGZDVg=; b=Jy2yxvW1nB4WmTHPhwP1RbTEOx 5utdawzfdiWY1ya1COuPEB6xqHogI3nUhdGKwUwyysxJwMnUQaQrddeUlIxFhF0eKui5EEm4WnGvA JVu4Wa7HP1q2odpfHEXcAMMUJAF/8Gj794vbOntohmyP1ZmfYP6cjk5j+Ygt9K5zNzdU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/xentop: Add VBD3 support to xentop Message-Id: Date: Wed, 06 Mar 2024 12:11:23 +0000 commit 66c8e9b76c61ff52cfc0b186a38208907845d093 Author: Pritha Srivastava AuthorDate: Wed Feb 28 11:39:47 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 6 12:03:36 2024 +0000 tools/xentop: Add VBD3 support to xentop xl now knows how to drive tapdisk, so modify libxenstat to understand vbd3 statistics. Signed-off-by: Pritha Srivastava Signed-off-by: Jorge Martin Signed-off-by: Fouad Hilly Reviewed-by: Anthony PERARD --- tools/libs/stat/xenstat_linux.c | 65 ++++++++++++++++++++++++++++++++++++++++- tools/libs/stat/xenstat_priv.h | 17 +++++++++++ tools/xentop/xentop.c | 1 + 3 files changed, 82 insertions(+), 1 deletion(-) diff --git a/tools/libs/stat/xenstat_linux.c b/tools/libs/stat/xenstat_linux.c index cbba54aa83..b60e3fdcab 100644 --- a/tools/libs/stat/xenstat_linux.c +++ b/tools/libs/stat/xenstat_linux.c @@ -35,6 +35,7 @@ #include "xenstat_priv.h" #define SYSFS_VBD_PATH "/sys/bus/xen-backend/devices" +#define XENSTAT_VBD_TYPE_VBD3 3 struct priv_data { FILE *procnetdev; @@ -390,6 +391,38 @@ void xenstat_uninit_networks(xenstat_handle * handle) fclose(priv->procnetdev); } +static int read_attributes_vbd3(const char *vbd3_path, xenstat_vbd *vbd) +{ + FILE *fp; + struct vbd3_stats vbd3_stats; + + fp = fopen(vbd3_path, "rb"); + + if (fp == NULL) { + return -1; + } + + if (fread(&vbd3_stats, sizeof(struct vbd3_stats), 1, fp) != 1) { + fclose(fp); + return -1; + } + + if (vbd3_stats.version != 1) { + fclose(fp); + return -1; + } + + vbd->oo_reqs = vbd3_stats.oo_reqs; + vbd->rd_reqs = vbd3_stats.read_reqs_submitted; + vbd->rd_sects = vbd3_stats.read_sectors; + vbd->wr_reqs = vbd3_stats.write_reqs_submitted; + vbd->wr_sects = vbd3_stats.write_sectors; + + fclose(fp); + + return 0; +} + static int read_attributes_vbd(const char *vbd_directory, const char *what, char *ret, int cap) { static char file_name[80]; @@ -438,7 +471,7 @@ int xenstat_collect_vbds(xenstat_node * node) int ret; char buf[256]; - ret = sscanf(dp->d_name, "%3s-%u-%u", buf, &domid, &vbd.dev); + ret = sscanf(dp->d_name, "%255[^-]-%u-%u", buf, &domid, &vbd.dev); if (ret != 3) continue; if (!(strstr(buf, "vbd")) && !(strstr(buf, "tap"))) @@ -448,6 +481,8 @@ int xenstat_collect_vbds(xenstat_node * node) vbd.back_type = 1; else if (strcmp(buf,"tap") == 0) vbd.back_type = 2; + else if (strcmp(buf,"vbd3") == 0) + vbd.back_type = XENSTAT_VBD_TYPE_VBD3; else vbd.back_type = 0; @@ -479,6 +514,34 @@ int xenstat_collect_vbds(xenstat_node * node) vbd.error = 1; } } + else if (vbd.back_type == XENSTAT_VBD_TYPE_VBD3) + { + char *td3_pid; + char *path; + + vbd.error = 0; + + if (asprintf(&path, "/local/domain/0/backend/vbd3/%u/%u/kthread-pid", domid, vbd.dev) < 0) + continue; + + td3_pid = xs_read(node->handle->xshandle, XBT_NULL, path, NULL); + + free(path); + + if (td3_pid == NULL) + continue; + + if (asprintf(&path, "/dev/shm/td3-%s/vbd-%u-%u", td3_pid, domid, vbd.dev) < 0) { + free(td3_pid); + continue; + } + + if (read_attributes_vbd3(path, &vbd) < 0) + vbd.error = 1; + + free(td3_pid); + free(path); + } else { vbd.error = 1; diff --git a/tools/libs/stat/xenstat_priv.h b/tools/libs/stat/xenstat_priv.h index 4eb44a8ebb..51ff6862cf 100644 --- a/tools/libs/stat/xenstat_priv.h +++ b/tools/libs/stat/xenstat_priv.h @@ -98,6 +98,23 @@ struct xenstat_vbd { unsigned long long wr_sects; }; +/* Interface provided by https://github.com/xapi-project/blktap */ +struct vbd3_stats { + uint32_t version; + uint32_t __pad; + uint64_t oo_reqs; + uint64_t read_reqs_submitted; + uint64_t read_reqs_completed; + uint64_t read_sectors; + uint64_t read_total_ticks; + uint64_t write_reqs_submitted; + uint64_t write_reqs_completed; + uint64_t write_sectors; + uint64_t write_total_ticks; + uint64_t io_errors; + uint64_t flags; +}; + extern int xenstat_collect_networks(xenstat_node * node); extern void xenstat_uninit_networks(xenstat_handle * handle); extern int xenstat_collect_vbds(xenstat_node * node); diff --git a/tools/xentop/xentop.c b/tools/xentop/xentop.c index 0a2fab7f15..f5a456fd4d 100644 --- a/tools/xentop/xentop.c +++ b/tools/xentop/xentop.c @@ -1124,6 +1124,7 @@ void do_vbd(xenstat_domain *domain) "Unidentified", /* number 0 */ "BlkBack", /* number 1 */ "BlkTap", /* number 2 */ + "Tapdisk3" /* number 3 */ }; num_vbds = xenstat_domain_num_vbds(domain); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 23:33:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 23:33:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689567.1074692 (Exim 4.92) (envelope-from ) id 1ri0ky-00033x-6S; Wed, 06 Mar 2024 23:33:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689567.1074692; Wed, 06 Mar 2024 23:33:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0ky-00033p-3o; Wed, 06 Mar 2024 23:33:04 +0000 Received: by outflank-mailman (input) for mailman id 689567; Wed, 06 Mar 2024 23:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0kw-00033j-BC for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0kw-0004MW-8j for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri0kw-0002Jj-6z for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nkI2OOKy2QSf5Lxi/5Lw+Hs2vi90DT1rcG+IGj/tO+g=; b=60qMMIWj+YdwoUhXqxVwkNSNsa 2CPwXTjnKdQMo1W36KN2oehCs6tSE0G6T131Xy3pSo8ze5Vhgri4e1BwB6kgMXBT4BQJWWrJhS1F0 FdIESe/FlY5QScpUZBe+xO9zKWKT20zuEsjxJ/q43YUoWKjSf8gTMCU2Sme0Vqg7wSgg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Argo: don't obtain excess page references Message-Id: Date: Wed, 06 Mar 2024 23:33:02 +0000 commit cfbcfce494a1c1b1df618e3f06ec5b45352e5fe9 Author: Jan Beulich AuthorDate: Wed Mar 6 10:17:36 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 6 10:17:36 2024 +0100 Argo: don't obtain excess page references find_ring_mfn() already holds a page reference when trying to obtain a writable type reference. We shouldn't make assumptions on the general reference count limit being effectively "infinity". Obtain merely a type ref, re-using the general ref by only dropping the previously acquired one in the case of an error. Signed-off-by: Jan Beulich Reviewed-by: Julien Grall --- xen/common/argo.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/common/argo.c b/xen/common/argo.c index 5dc5e45c7b..da3d3f325f 100644 --- a/xen/common/argo.c +++ b/xen/common/argo.c @@ -1425,7 +1425,7 @@ find_ring_mfn(struct domain *d, gfn_t gfn, mfn_t *mfn) switch ( p2mt ) { case p2m_ram_rw: - if ( !get_page_and_type(page, d, PGT_writable_page) ) + if ( !get_page_type(page, PGT_writable_page) ) ret = -EINVAL; break; @@ -1440,7 +1440,8 @@ find_ring_mfn(struct domain *d, gfn_t gfn, mfn_t *mfn) break; } - put_page(page); + if ( unlikely(ret) ) + put_page(page); return ret; } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 23:33:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 23:33:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689568.1074695 (Exim 4.92) (envelope-from ) id 1ri0l8-0003AL-7g; Wed, 06 Mar 2024 23:33:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689568.1074695; Wed, 06 Mar 2024 23:33:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0l8-0003AE-5F; Wed, 06 Mar 2024 23:33:14 +0000 Received: by outflank-mailman (input) for mailman id 689568; Wed, 06 Mar 2024 23:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0l6-00038Q-DW for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0l6-0004Mh-C0 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri0l6-0002KA-Ay for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=t+ktdmsa+1CMeic96UmfLxDw0uKLywWPs9FSodwZHUE=; b=Cx6xvWTSFiom2V7sv4hDLKMg/6 ZFiAkAP9mJXuMZ1jT7mku14Ae35khtUF5EXYjHmemuqNLRCKRCruOoNHsqcG78ONQxemkV5UeCDMj 1KEnZPMBoF51j5uAX3uQJNHhhcOWBf4kyrL0KRNYNVD350GEPDoiSPKlvKqmMxheaI1s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/riscv: introduces acquire, release and full barriers Message-Id: Date: Wed, 06 Mar 2024 23:33:12 +0000 commit 91ed57339129cd95f4764792be21718faeb420f2 Author: Oleksii Kurochko AuthorDate: Wed Mar 6 10:18:33 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 6 10:18:33 2024 +0100 xen/riscv: introduces acquire, release and full barriers Signed-off-by: Oleksii Kurochko Acked-by: Jan Beulich --- xen/arch/riscv/include/asm/fence.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/xen/arch/riscv/include/asm/fence.h b/xen/arch/riscv/include/asm/fence.h new file mode 100644 index 0000000000..27f46fa897 --- /dev/null +++ b/xen/arch/riscv/include/asm/fence.h @@ -0,0 +1,9 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +#ifndef _ASM_RISCV_FENCE_H +#define _ASM_RISCV_FENCE_H + +#define RISCV_ACQUIRE_BARRIER "\tfence r , rw\n" +#define RISCV_RELEASE_BARRIER "\tfence rw, w\n" +#define RISCV_FULL_BARRIER "\tfence rw, rw\n" + +#endif /* _ASM_RISCV_FENCE_H */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 23:33:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 23:33:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689569.1074700 (Exim 4.92) (envelope-from ) id 1ri0lI-0003HI-9K; Wed, 06 Mar 2024 23:33:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689569.1074700; Wed, 06 Mar 2024 23:33:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0lI-0003HA-6e; Wed, 06 Mar 2024 23:33:24 +0000 Received: by outflank-mailman (input) for mailman id 689569; Wed, 06 Mar 2024 23:33:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0lG-0003Gr-Fk for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0lG-0004Mu-Eu for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri0lG-0002Kb-E2 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=A0IdpxzR95yHB0/iKAlU912HlWWaLGJNgbhjWLd1jLA=; b=fQ+HXbI8wJ96PI6LpDUgAIH8Sa A0M8XNGSNyPr7lBAp4vv9IbLqiRd2JRcUpWfWh8ve/0alsHzp2m4y59m5ZCuQy2MMZUrB1MID9eMl fh/NOHDfZYzuS8wN2pAdy3h6ijfPlSuHQNnXBVtU/QW8Hz4g0+FLYS89aCgSuH/E1eGY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] hvmloader/PCI: skip huge BARs in certain calculations Message-Id: Date: Wed, 06 Mar 2024 23:33:22 +0000 commit 57acad12a09ffa490e870ebe17596aad858f0191 Author: Jan Beulich AuthorDate: Wed Mar 6 10:19:29 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 6 10:19:29 2024 +0100 hvmloader/PCI: skip huge BARs in certain calculations BARs of size 2Gb and up can't possibly fit below 4Gb: Both the bottom of the lower 2Gb range and the top of the higher 2Gb range have special purpose. Don't even have them influence whether to (perhaps) relocate low RAM. Reported-by: Neowutran Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné --- tools/firmware/hvmloader/pci.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/tools/firmware/hvmloader/pci.c b/tools/firmware/hvmloader/pci.c index 257a6feb61..c3c61ca060 100644 --- a/tools/firmware/hvmloader/pci.c +++ b/tools/firmware/hvmloader/pci.c @@ -33,6 +33,13 @@ uint32_t pci_mem_start = HVM_BELOW_4G_MMIO_START; const uint32_t pci_mem_end = RESERVED_MEMBASE; uint64_t pci_hi_mem_start = 0, pci_hi_mem_end = 0; +/* + * BARs larger than this value are put in 64-bit space unconditionally. That + * is, such BARs also don't play into the determination of how big the lowmem + * MMIO hole needs to be. + */ +#define BAR_RELOC_THRESH GB(1) + enum virtual_vga virtual_vga = VGA_none; unsigned long igd_opregion_pgbase = 0; @@ -286,9 +293,11 @@ void pci_setup(void) bars[i].bar_reg = bar_reg; bars[i].bar_sz = bar_sz; - if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == - PCI_BASE_ADDRESS_SPACE_MEMORY) || - (bar_reg == PCI_ROM_ADDRESS) ) + if ( is_64bar && bar_sz > BAR_RELOC_THRESH ) + bar64_relocate = 1; + else if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == + PCI_BASE_ADDRESS_SPACE_MEMORY) || + (bar_reg == PCI_ROM_ADDRESS) ) mmio_total += bar_sz; nr_bars++; @@ -367,7 +376,7 @@ void pci_setup(void) pci_mem_start = hvm_info->low_mem_pgend << PAGE_SHIFT; } - if ( mmio_total > (pci_mem_end - pci_mem_start) ) + if ( mmio_total > (pci_mem_end - pci_mem_start) || bar64_relocate ) { printf("Low MMIO hole not large enough for all devices," " relocating some BARs to 64-bit\n"); @@ -430,7 +439,8 @@ void pci_setup(void) /* * Relocate to high memory if the total amount of MMIO needed - * is more than the low MMIO available. Because devices are + * is more than the low MMIO available or BARs bigger than + * BAR_RELOC_THRESH are present. Because devices are * processed in order of bar_sz, this will preferentially * relocate larger devices to high memory first. * @@ -446,8 +456,9 @@ void pci_setup(void) * the code here assumes it to be.) * Should either of those two conditions change, this code will break. */ - using_64bar = bars[i].is_64bar && bar64_relocate - && (mmio_total > (mem_resource.max - mem_resource.base)); + using_64bar = bars[i].is_64bar && bar64_relocate && + (mmio_total > (mem_resource.max - mem_resource.base) || + bar_sz > BAR_RELOC_THRESH); bar_data = pci_readl(devfn, bar_reg); if ( (bar_data & PCI_BASE_ADDRESS_SPACE) == @@ -467,7 +478,8 @@ void pci_setup(void) resource = &mem_resource; bar_data &= ~PCI_BASE_ADDRESS_MEM_MASK; } - mmio_total -= bar_sz; + if ( bar_sz <= BAR_RELOC_THRESH ) + mmio_total -= bar_sz; } else { -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 23:33:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 23:33:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689570.1074704 (Exim 4.92) (envelope-from ) id 1ri0lS-0003MU-B0; Wed, 06 Mar 2024 23:33:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689570.1074704; Wed, 06 Mar 2024 23:33:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0lS-0003MM-86; Wed, 06 Mar 2024 23:33:34 +0000 Received: by outflank-mailman (input) for mailman id 689570; Wed, 06 Mar 2024 23:33:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0lQ-0003MC-J4 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0lQ-0004N4-IK for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri0lQ-0002L2-H2 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=v0J71GLTkWehtAQOvxd66eM0s8LB8LHqll6r3g+7nD8=; b=X0gVv3ZreIsAEnWQffp2VsyeB5 mFVDw3uuo9aTd7j/W59mzjF34iz8JJjGtNBChM0mnnvZPXtxV2DCpGj8k8MSZ3QQSEipgPh9H8i9K U5NM5LEpgqKV7x7jLvw1PKjZKzFJv2fk0E2Yw6Fo4VM2JzwQ+9uwVdw7xvcyQUKcH0yI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86: i387.c cleanup Message-Id: Date: Wed, 06 Mar 2024 23:33:32 +0000 commit e7b62fcfd9dd66398dd0d3c79b3bae216db64e97 Author: Wei Liu AuthorDate: Wed Mar 6 10:19:57 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 6 10:19:57 2024 +0100 x86: i387.c cleanup Spelling and formatting; no functional change. Signed-off-by: Wei Liu Signed-off-by: Fouad Hilly Acked-by: Jan Beulich --- xen/arch/x86/i387.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/i387.c b/xen/arch/x86/i387.c index d824f2bb52..7a4297cc92 100644 --- a/xen/arch/x86/i387.c +++ b/xen/arch/x86/i387.c @@ -26,7 +26,7 @@ static inline void fpu_xrstor(struct vcpu *v, uint64_t mask) ASSERT(v->arch.xsave_area); /* - * XCR0 normally represents what guest OS set. In case of Xen itself, + * XCR0 normally represents what guest OS set. In case of Xen itself, * we set the accumulated feature mask before doing save/restore. */ ok = set_xcr0(v->arch.xcr0_accum | XSTATE_FP_SSE); @@ -36,7 +36,7 @@ static inline void fpu_xrstor(struct vcpu *v, uint64_t mask) ASSERT(ok); } -/* Restor x87 FPU, MMX, SSE and SSE2 state */ +/* Restore x87 FPU, MMX, SSE and SSE2 state */ static inline void fpu_fxrstor(struct vcpu *v) { const typeof(v->arch.xsave_area->fpu_sse) *fpu_ctxt = v->arch.fpu_ctxt; @@ -307,7 +307,7 @@ void save_fpu_enable(void) int vcpu_init_fpu(struct vcpu *v) { int rc; - + v->arch.fully_eager_fpu = opt_eager_fpu; if ( (rc = xstate_alloc_save_area(v)) != 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 06 23:33:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 06 Mar 2024 23:33:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689571.1074709 (Exim 4.92) (envelope-from ) id 1ri0lc-0003U7-Cs; Wed, 06 Mar 2024 23:33:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689571.1074709; Wed, 06 Mar 2024 23:33:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0lc-0003Tz-9Y; Wed, 06 Mar 2024 23:33:44 +0000 Received: by outflank-mailman (input) for mailman id 689571; Wed, 06 Mar 2024 23:33:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0la-0003SB-N0 for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri0la-0004NY-MA for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri0la-0002LR-KV for xen-changelog@lists.xenproject.org; Wed, 06 Mar 2024 23:33:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ZWnxCdyQEjOYWssRS9HxAW8knJCXmIIydd365NJIy+M=; b=vudhQhINoccXQsAxRv/ZQ/Q4VZ EwTsPzNYkSPAfFj/80KB70x956VQeBkIrJuL6a4/VI3s6CkZYt4xLLpE6XIPL7gP19A5P+DgeV+L1 VOQ81QHGRsr2TMC9EFmnm9kaZLcPLAo+kn9VcLnSWkZWgyiVCRh7ebinWTsuOpyl6M2M=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] SUPPORT.md: clarify support of booting 32-bit Xen on ARMv8 Message-Id: Date: Wed, 06 Mar 2024 23:33:42 +0000 commit cd53ee9c41f991bbca75641e647005e013a3eac0 Author: Michal Orzel AuthorDate: Thu Feb 29 13:13:52 2024 +0100 Commit: Julien Grall CommitDate: Wed Mar 6 09:39:45 2024 +0000 SUPPORT.md: clarify support of booting 32-bit Xen on ARMv8 Since commit bd1001db0af1 ("xen/arm: arm32: Allow Xen to boot on unidentified CPUs"), it's been possible to boot 32-bit Xen on ARMv8A CPUs in AArch32 state (assuming HW supports EL2 execution in AArch32). Clarify the support statement and mark it as Tech Preview, as this use case is uncommon and hasn't really been tested/hardened. Signed-off-by: Michal Orzel Acked-by: Julien Grall --- SUPPORT.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/SUPPORT.md b/SUPPORT.md index a90d1108c9..7eb6875cfa 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -37,7 +37,8 @@ supported in this document. ### ARM v8 - Status: Supported + Status, Xen in AArch64 mode: Supported + Status, Xen in AArch32 mode: Tech Preview Status, Cortex A57 r0p0-r1p1: Supported, not security supported Status, Cortex A77 r0p0-r1p0: Supported, not security supported -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 08:22:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 08:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689661.1074847 (Exim 4.92) (envelope-from ) id 1ri90u-0005m4-D1; Thu, 07 Mar 2024 08:22:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689661.1074847; Thu, 07 Mar 2024 08:22:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri90u-0005ly-AU; Thu, 07 Mar 2024 08:22:04 +0000 Received: by outflank-mailman (input) for mailman id 689661; Thu, 07 Mar 2024 08:22:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri90u-0005ls-3N for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri90u-0006Rb-09 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri90t-00008G-V0 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=bIru8AoEFSw9lSxav0SzmWr6GM6z5BN0MBqD9i+l/5U=; b=Dewy6dlpqyscLWMIot4C9yyMb6 CAVuXVMSyliFbGYxeNBUZfbHvpisVWPThBGrmKA09nPruOGKLD+f3ty+xH6rTj+jA4+lheMiOnKuN YpObHyMi7rgnd9llXK+fMhA4/0KaWPdyckVH6jr4lFLYOpz/t75J5JAENhidiXMRuVvQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/EFI: correct compiler probing Message-Id: Date: Thu, 07 Mar 2024 08:22:03 +0000 commit 2f7481d59255680c1de98f43467d3862453dd50a Author: Jan Beulich AuthorDate: Thu Mar 7 09:14:55 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:14:55 2024 +0100 x86/EFI: correct compiler probing Passing in $(CFLAGS) means also requesting inclusion of certain headers (via -include command line options). That's particularly xen/config.h, which in turn requires generated/autoconf.h. This has not caused any problems so far only because arch.mk is processed twice, and the missing header on the 1st pass would be there on the 2nd. Having added an inclusion of asm/asm-macros.h to x86'es asm/config.h, the 2nd pass then also fails on an initial, pristine build. As per dd40177c1bc8 ("x86-64/EFI: add CFLAGS to check compile") dropping the use of $(CFLAGS) altogether isn't an option, though. Hence remove the problematic options only. Signed-off-by: Jan Beulich Reviewed-by: Anthony PERARD --- xen/arch/x86/arch.mk | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk index 751fd8d410..4f6c086988 100644 --- a/xen/arch/x86/arch.mk +++ b/xen/arch/x86/arch.mk @@ -87,7 +87,8 @@ efi-check := arch/x86/efi/check $(shell mkdir -p $(dir $(efi-check))) # Check if the compiler supports the MS ABI. -XEN_BUILD_EFI := $(call if-success,$(CC) $(CFLAGS) -c $(srctree)/$(efi-check).c -o $(efi-check).o,y) +XEN_BUILD_EFI := $(call if-success,$(CC) $(filter-out -include %/include/xen/config.h,$(CFLAGS)) \ + -c $(srctree)/$(efi-check).c -o $(efi-check).o,y) # Check if the linker supports PE. EFI_LDFLAGS := $(patsubst -m%,-mi386pep,$(LDFLAGS)) --subsystem=10 -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 08:22:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 08:22:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689662.1074852 (Exim 4.92) (envelope-from ) id 1ri914-0005oJ-Ea; Thu, 07 Mar 2024 08:22:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689662.1074852; Thu, 07 Mar 2024 08:22:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri914-0005oB-By; Thu, 07 Mar 2024 08:22:14 +0000 Received: by outflank-mailman (input) for mailman id 689662; Thu, 07 Mar 2024 08:22:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri914-0005o5-5s for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri914-0006Rf-56 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri914-0000B3-2F for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wdrjXPzi30Y3wuYHNd2d1lKPwB3o/hjpk36zvdhfK8g=; b=vukar687zXkxNLUmalDYrh1Cae zXuD1i9TzVqgZZaoE7+WCl51vecnnMq+hHYI3CbAmMM22P3Nl8TvFD5EC37GmyNPK7J1ZsTn+jOMD sMOP2ovq2KoyIJUZgPIVv9sbQM+INp4yjyRb8g7VC8HHO0JKYvjB1NwuzkNTcux/20n0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Kbuild: simplify as-insn a little Message-Id: Date: Thu, 07 Mar 2024 08:22:14 +0000 commit 5daf46b439454921c19ca30840bb39424b36444b Author: Jan Beulich AuthorDate: Thu Mar 7 09:15:17 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:15:17 2024 +0100 Kbuild: simplify as-insn a little As of 732571959f17 ("xen/build: use new $(c_flags) and $(a_flags) instead of $(CFLAGS)") -M options aren't part of CFLAGS anymore, and c_flags isn't supposed to be passed to this macro. Drop the now dead part of filtering. Signed-off-by: Jan Beulich Reviewed-by: Anthony PERARD --- xen/scripts/Kbuild.include | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/scripts/Kbuild.include b/xen/scripts/Kbuild.include index c2bd8498e1..c2e4ec811b 100644 --- a/xen/scripts/Kbuild.include +++ b/xen/scripts/Kbuild.include @@ -59,7 +59,7 @@ endef # as-insn: Check whether assembler supports an instruction. # Usage: cflags-y += $(call as-insn,CC FLAGS,"insn",option-yes,option-no) as-insn = $(if $(shell echo 'void _(void) { asm volatile ( $(2) ); }' \ - | $(filter-out -M% %.d -include %/include/xen/config.h,$(1)) \ + | $(filter-out -include %/include/xen/config.h,$(1)) \ -c -x c -o /dev/null - 2>&1),$(4),$(3)) # as-option-add: Conditionally add options to flags -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 08:22:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 08:22:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689663.1074855 (Exim 4.92) (envelope-from ) id 1ri91F-0005qy-Fz; Thu, 07 Mar 2024 08:22:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689663.1074855; Thu, 07 Mar 2024 08:22:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91F-0005qq-DT; Thu, 07 Mar 2024 08:22:25 +0000 Received: by outflank-mailman (input) for mailman id 689663; Thu, 07 Mar 2024 08:22:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91E-0005qf-DC for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91E-0006Rz-CP for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri91E-0000Bc-77 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=euPCs4tPPqoALhUeKPV6sognDqmjGCGiyjaLR8wm0J0=; b=hR4Ueqf+/3a2onBNKn+zNU/O8Y gUPq0ZX6MhuNjz1Nabw+YmfnbTvR87zwUjmfB7TgvDfsd0WleuQ5jmoCVPbNqmWwBn30z+nAHYS0i DajlUxcMmZBxqTgkn+Z8bZfZaVobaC7NrSrn13k94DpNnG2UqoSuOVlYqz9lK/bDdCe4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/asm: add commas to BUILD_BUG_ON Message-Id: Date: Thu, 07 Mar 2024 08:22:24 +0000 commit 9249a441c98ff063c0c065538b419a3bf1dac24a Author: Jan Beulich AuthorDate: Thu Mar 7 09:16:13 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:16:13 2024 +0100 x86/asm: add commas to BUILD_BUG_ON In light of recent observations with how macros are handled by gas, let's play by what we informally set for ourselves as a guideline: Use commas to separate parameters/arguments. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- xen/arch/x86/include/asm/asm_defns.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h index cf9573705d..5c8cc2428e 100644 --- a/xen/arch/x86/include/asm/asm_defns.h +++ b/xen/arch/x86/include/asm/asm_defns.h @@ -82,13 +82,13 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ -.macro BUILD_BUG_ON condstr cond:vararg +.macro BUILD_BUG_ON condstr, cond:vararg .if \cond .error "Condition \"\condstr\" not satisfied" .endif .endm /* preprocessor macro to make error message more user friendly */ -#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond cond +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 08:22:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 08:22:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689664.1074860 (Exim 4.92) (envelope-from ) id 1ri91P-0005u3-Hg; Thu, 07 Mar 2024 08:22:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689664.1074860; Thu, 07 Mar 2024 08:22:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91P-0005tv-Ey; Thu, 07 Mar 2024 08:22:35 +0000 Received: by outflank-mailman (input) for mailman id 689664; Thu, 07 Mar 2024 08:22:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91O-0005tn-Gw for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91O-0006SD-G8 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri91O-0000CE-ER for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=l3uJOakYz1Rn2jbnYySNH6noiHdruz9GLu5oudATvsg=; b=ihg+dWxqpRyNSZTWfq2mWNq+VP gzUeVQNsr0V65Z21mLHOfBIIQ8+i8sRW4rZ4DUNIzMkDmIeClWHmJxI1DsMNnwx3G0mtf52WVBo5I xfqr2QJ0ih6hoRWeiY7xLU9tbgGNXv3pGo+I+3//N276KeAsGGqEJ3DnuQy++C7PmUWM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] CHANGELOG: add an entry for 9pfsd Message-Id: Date: Thu, 07 Mar 2024 08:22:34 +0000 commit 4ad4df0964aa374562fa574d4671d278f54f5d32 Author: Juergen Gross AuthorDate: Thu Mar 7 09:16:53 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:16:53 2024 +0100 CHANGELOG: add an entry for 9pfsd Add an entry to CHANGELOG.md regarding the new xen-9pfsd daemon. Signed-off-by: Juergen Gross Acked-by: Oleksii Kurochko --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f9874f9bb0..93fda73c00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - On x86: - Introduce a new x2APIC driver that uses Cluster Logical addressing mode for IPIs and Physical addressing mode for external interrupts. + - Add a new 9pfs backend running as a daemon in dom0. First user is + Xenstore-stubdom now being able to support full Xenstore trace capability. ### Removed - caml-stubdom. It hasn't built since 2014, was pinned to Ocaml 4.02, and has -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 08:22:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 08:22:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689665.1074865 (Exim 4.92) (envelope-from ) id 1ri91Z-0005wr-JT; Thu, 07 Mar 2024 08:22:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689665.1074865; Thu, 07 Mar 2024 08:22:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91Z-0005wj-GO; Thu, 07 Mar 2024 08:22:45 +0000 Received: by outflank-mailman (input) for mailman id 689665; Thu, 07 Mar 2024 08:22:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91Y-0005wZ-Kh for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91Y-0006SK-JG for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri91Y-0000Cs-IF for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gbw1SY8LloWmRNes7+8ZBHBjNBswdZgNEXFQPojMfek=; b=l/1Ir6nWT2cuaiVM97eNPOiRsY QZLAxU9+yyGqdPynqOnr759e7Q8XfYp8i/DdMOcgMA5Vbs+eAiOxFB5t8U17Hn1ODQLWqciuOs3Gq SzruZdBOIgQZWHcEUh9d5rIvYZitz9C7vzec6sF5RMkax/nuk5+uEh7Cs7tr3ojEM7i0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/asm: add commas to further macros definitions/invocations Message-Id: Date: Thu, 07 Mar 2024 08:22:44 +0000 commit 49b664f5bffa3a86734c66491d7dcdebbdecfb26 Author: Jan Beulich AuthorDate: Thu Mar 7 09:17:26 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:17:26 2024 +0100 x86/asm: add commas to further macros definitions/invocations In light of recent observations with how macros are handled by gas, let's play by what we informally set for ourselves as a guideline: Use commas to separate parameters/arguments. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- xen/arch/x86/include/asm/alternative-asm.h | 2 +- xen/arch/x86/include/asm/asm-defns.h | 6 +++--- xen/arch/x86/include/asm/asm_defns.h | 2 +- xen/arch/x86/include/asm/spec_ctrl_asm.h | 2 +- xen/arch/x86/x86_64/compat/entry.S | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/include/asm/alternative-asm.h b/xen/arch/x86/include/asm/alternative-asm.h index fa21f71dab..4092f5ba70 100644 --- a/xen/arch/x86/include/asm/alternative-asm.h +++ b/xen/arch/x86/include/asm/alternative-asm.h @@ -11,7 +11,7 @@ * enough information for the alternatives patching code to patch an * instruction. See apply_alternatives(). */ -.macro altinstruction_entry orig repl feature orig_len repl_len pad_len +.macro altinstruction_entry orig, repl, feature, orig_len, repl_len, pad_len .long \orig - . .long \repl - . .word \feature diff --git a/xen/arch/x86/include/asm/asm-defns.h b/xen/arch/x86/include/asm/asm-defns.h index 9a7073ced5..0e5f0be768 100644 --- a/xen/arch/x86/include/asm/asm-defns.h +++ b/xen/arch/x86/include/asm/asm-defns.h @@ -29,7 +29,7 @@ BUG /* Shouldn't return */ .endm -.macro INDIRECT_BRANCH insn:req arg:req +.macro INDIRECT_BRANCH insn:req, arg:req /* * Create an indirect branch. insn is one of call/jmp, arg is a single * register. @@ -59,11 +59,11 @@ /* Convenience wrappers. */ .macro INDIRECT_CALL arg:req - INDIRECT_BRANCH call \arg + INDIRECT_BRANCH call, \arg .endm .macro INDIRECT_JMP arg:req - INDIRECT_BRANCH jmp \arg + INDIRECT_BRANCH jmp, \arg .endm #ifdef CONFIG_XEN_IBT diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h index 5c8cc2428e..a69fae78b1 100644 --- a/xen/arch/x86/include/asm/asm_defns.h +++ b/xen/arch/x86/include/asm/asm_defns.h @@ -281,7 +281,7 @@ static always_inline void stac(void) * @compat: R8-R15 don't need reloading, but they are clobbered for added * safety against information leaks. */ -.macro RESTORE_ALL adj=0 compat=0 +.macro RESTORE_ALL adj=0, compat=0 .if !\compat movq UREGS_r15(%rsp), %r15 movq UREGS_r14(%rsp), %r14 diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index 6cb7c1b949..aecb91d848 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -104,7 +104,7 @@ .L\@_done: .endm -.macro DO_OVERWRITE_RSB tmp=rax xu +.macro DO_OVERWRITE_RSB tmp=rax, xu /* * Requires nothing * Clobbers \tmp (%rax by default), %rcx diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 2f8fe5ebfb..9951b3e328 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -158,7 +158,7 @@ FUNC(compat_restore_all_guest) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ - RESTORE_ALL adj=8 compat=1 + RESTORE_ALL adj=8, compat=1 .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) END(compat_restore_all_guest) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 08:22:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 08:22:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689666.1074868 (Exim 4.92) (envelope-from ) id 1ri91j-0005zd-Ke; Thu, 07 Mar 2024 08:22:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689666.1074868; Thu, 07 Mar 2024 08:22:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91j-0005zP-Hv; Thu, 07 Mar 2024 08:22:55 +0000 Received: by outflank-mailman (input) for mailman id 689666; Thu, 07 Mar 2024 08:22:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91i-0005zF-Mq for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1ri91i-0006Sj-M9 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1ri91i-0000Dc-LH for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 08:22:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=oVw9jcRAP/Fw5LidEWBPzNpvet8kd+NvC9lGLaYyzrw=; b=iNzFJULJi8EaeeiW++F7DVWS1/ hjyp9uhsnrX1KxqMqhK7KVPtfarVEGA2o5mdxSxlhWMlIk7+GMLOiGRXvQm1W/pave1qh1sEon4IX upsRdmDr0yqisUtQefrSXnbxbaZvAIJNPYOV1NyNYg4yTcL1fR5NNQkMznsJsQOVQIyc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] SUPPORT.md: add xen-9pfsd Message-Id: Date: Thu, 07 Mar 2024 08:22:54 +0000 commit 08bb338f09a54d3b39f0d952bbd67461d8e5d0ed Author: Juergen Gross AuthorDate: Thu Mar 7 09:18:04 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:18:04 2024 +0100 SUPPORT.md: add xen-9pfsd Add a support statement for the new xen-9pfsd backend. Set it to "Experimental", as some functionality for Linux guests is missing (only tested to work with Xenstore-stubdom). Signed-off-by: Juergen Gross Acked-by: Jan Beulich --- SUPPORT.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SUPPORT.md b/SUPPORT.md index 7eb6875cfa..510bb02190 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -665,6 +665,7 @@ there is currently no xl support. ### PV 9pfs (backend) Status, QEMU: Tech Preview + Status, xen-9pfsd: Experimental ### PVCalls (backend) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 14:33:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 14:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689935.1075443 (Exim 4.92) (envelope-from ) id 1riEnw-0002Tb-Uk; Thu, 07 Mar 2024 14:33:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689935.1075443; Thu, 07 Mar 2024 14:33:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEnw-0002TT-Rp; Thu, 07 Mar 2024 14:33:04 +0000 Received: by outflank-mailman (input) for mailman id 689935; Thu, 07 Mar 2024 14:33:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEnv-0002TN-G4 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEnv-0002cC-D0 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1riEnv-0000QW-AJ for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yIiOa5RSYPo7TQ0Z744mc+Kj1RekgJa5CJzVN7hry/8=; b=XiHxJNPSkkxKrx0vZGAk7ACDma bnk/TrvRgU+U6+kAyezLXuF0zP47oJ3/7WlcAfh+py6wpyrcE48ZxtO3oYbfGWu+/rouP7ccpVd9u jhDEFGwM/SKq3ivzBWaFi2ZU093KKG/ON4fhGkxb2FeiH70iEnBL95ULH7Zl6AtMfLNU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/virtual-region: Rename the start/end fields Message-Id: Date: Thu, 07 Mar 2024 14:33:03 +0000 commit 989556c6f8ca080f5f202417af97d1188b9ba52a Author: Andrew Cooper AuthorDate: Tue Mar 5 11:28:33 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 xen/virtual-region: Rename the start/end fields ... to text_{start,end}. We're about to introduce another start/end pair. Despite it's name, struct virtual_region has always been a module-ish description. Call this out specifically. As minor cleanup, replace ROUNDUP(x, PAGE_SIZE) with the more concise PAGE_ALIGN() ahead of duplicating the example. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/common/livepatch.c | 4 ++-- xen/common/virtual_region.c | 19 ++++++++++--------- xen/include/xen/virtual_region.h | 11 +++++++++-- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 5a7d5b7be0..888beb2732 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -785,8 +785,8 @@ static int prepare_payload(struct payload *payload, region = &payload->region; region->symbols_lookup = livepatch_symbols_lookup; - region->start = payload->text_addr; - region->end = payload->text_addr + payload->text_size; + region->text_start = payload->text_addr; + region->text_end = payload->text_addr + payload->text_size; /* Optional sections. */ for ( i = 0; i < BUGFRAME_NR; i++ ) diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index cefef3e47e..b74030d700 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -11,15 +11,15 @@ static struct virtual_region core = { .list = LIST_HEAD_INIT(core.list), - .start = _stext, - .end = _etext, + .text_start = _stext, + .text_end = _etext, }; /* Becomes irrelevant when __init sections are cleared. */ static struct virtual_region core_init __initdata = { .list = LIST_HEAD_INIT(core_init.list), - .start = _sinittext, - .end = _einittext, + .text_start = _sinittext, + .text_end = _einittext, }; /* @@ -39,7 +39,8 @@ const struct virtual_region *find_text_region(unsigned long addr) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu ( iter, &virtual_region_list, list ) { - if ( (void *)addr >= iter->start && (void *)addr < iter->end ) + if ( (void *)addr >= iter->text_start && + (void *)addr < iter->text_end ) { region = iter; break; @@ -88,8 +89,8 @@ void relax_virtual_region_perms(void) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu( region, &virtual_region_list, list ) - modify_xen_mappings_lite((unsigned long)region->start, - ROUNDUP((unsigned long)region->end, PAGE_SIZE), + modify_xen_mappings_lite((unsigned long)region->text_start, + PAGE_ALIGN((unsigned long)region->text_end), PAGE_HYPERVISOR_RWX); rcu_read_unlock(&rcu_virtual_region_lock); } @@ -100,8 +101,8 @@ void tighten_virtual_region_perms(void) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu( region, &virtual_region_list, list ) - modify_xen_mappings_lite((unsigned long)region->start, - ROUNDUP((unsigned long)region->end, PAGE_SIZE), + modify_xen_mappings_lite((unsigned long)region->text_start, + PAGE_ALIGN((unsigned long)region->text_end), PAGE_HYPERVISOR_RX); rcu_read_unlock(&rcu_virtual_region_lock); } diff --git a/xen/include/xen/virtual_region.h b/xen/include/xen/virtual_region.h index d053620711..442a45bf1f 100644 --- a/xen/include/xen/virtual_region.h +++ b/xen/include/xen/virtual_region.h @@ -9,11 +9,18 @@ #include #include +/* + * Despite it's name, this is a module(ish) description. + * + * There's one region for the runtime .text/etc, one region for .init during + * boot only, and one region per livepatch. + */ struct virtual_region { struct list_head list; - const void *start; /* Virtual address start. */ - const void *end; /* Virtual address end. */ + + const void *text_start; /* .text virtual address start. */ + const void *text_end; /* .text virtual address end. */ /* If this is NULL the default lookup mechanism is used. */ symbols_lookup_t *symbols_lookup; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 14:33:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 14:33:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689936.1075446 (Exim 4.92) (envelope-from ) id 1riEo6-0002Y7-Vn; Thu, 07 Mar 2024 14:33:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689936.1075446; Thu, 07 Mar 2024 14:33:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEo6-0002Xz-TG; Thu, 07 Mar 2024 14:33:14 +0000 Received: by outflank-mailman (input) for mailman id 689936; Thu, 07 Mar 2024 14:33:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEo5-0002Xp-Kg for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEo5-0002cP-Hu for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1riEo5-0000R2-FF for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NykYjhVOAcoWJhkM45h5iYpfGjl34zhiZPEtiTa7XbM=; b=dm2YILzx+AootcTIAe6rk5/TrO Lm+CbMfaQNn3U5lUDvkMCo+DstZY5i+e2W4KI+NH7SwFL6K4z9KangTFxQHSiKnDg/hrQj96T3brn CE363jRXwcNLMFBq9qhFfylEAvqFlCy1TzSDs3jVelU5rwY9UyTtxpxxQ6FR4TwNnQO0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/virtual-region: Include rodata pointers Message-Id: Date: Thu, 07 Mar 2024 14:33:13 +0000 commit ef969144a425e39f5b214a875b5713d0ea8575fb Author: Andrew Cooper AuthorDate: Tue Mar 5 11:35:12 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 xen/virtual-region: Include rodata pointers These are optional. .init doesn't distinguish types of data like this, and livepatches don't necesserily have any .rodata either. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/common/livepatch.c | 6 ++++++ xen/common/virtual_region.c | 2 ++ xen/include/xen/virtual_region.h | 3 +++ 3 files changed, 11 insertions(+) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 888beb2732..cabfb63911 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -788,6 +788,12 @@ static int prepare_payload(struct payload *payload, region->text_start = payload->text_addr; region->text_end = payload->text_addr + payload->text_size; + if ( payload->ro_size ) + { + region->rodata_start = payload->ro_addr; + region->rodata_end = payload->ro_addr + payload->ro_size; + } + /* Optional sections. */ for ( i = 0; i < BUGFRAME_NR; i++ ) { diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index b74030d700..d2efe9e114 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -13,6 +13,8 @@ static struct virtual_region core = { .list = LIST_HEAD_INIT(core.list), .text_start = _stext, .text_end = _etext, + .rodata_start = _srodata, + .rodata_end = _erodata, }; /* Becomes irrelevant when __init sections are cleared. */ diff --git a/xen/include/xen/virtual_region.h b/xen/include/xen/virtual_region.h index 442a45bf1f..dcdc95ba49 100644 --- a/xen/include/xen/virtual_region.h +++ b/xen/include/xen/virtual_region.h @@ -22,6 +22,9 @@ struct virtual_region const void *text_start; /* .text virtual address start. */ const void *text_end; /* .text virtual address end. */ + const void *rodata_start; /* .rodata virtual address start (optional). */ + const void *rodata_end; /* .rodata virtual address end. */ + /* If this is NULL the default lookup mechanism is used. */ symbols_lookup_t *symbols_lookup; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 14:33:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 14:33:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689937.1075451 (Exim 4.92) (envelope-from ) id 1riEoH-0002cJ-0w; Thu, 07 Mar 2024 14:33:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689937.1075451; Thu, 07 Mar 2024 14:33:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEoG-0002cB-Ug; Thu, 07 Mar 2024 14:33:24 +0000 Received: by outflank-mailman (input) for mailman id 689937; Thu, 07 Mar 2024 14:33:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEoF-0002c3-NJ for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEoF-0002cg-Kp for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1riEoF-0000RT-K1 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=N/yXVv4eR6iTn9uaK77DJ8d3BnT9hyY2fkquANBAJwA=; b=z1BLYMYsIQdXAISK/ghzRrSgJz XWn7XmffgADn+GQ2hlRx63P++A/k5ZAmkCwmrrcWNSKhWkuKzqhOz4gMVR/z+rYWh8AwAwetHOa5q E6HiSvReg+ydN5ZFemXCPH9RueeIjcqrED2PyI33u/Fsltw4BD74p1OUmmSgVTCjAG3o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/livepatch: Relax permissions on rodata too Message-Id: Date: Thu, 07 Mar 2024 14:33:23 +0000 commit b083b1c393dc8961acf0959b1d2e0ad459985ae3 Author: Andrew Cooper AuthorDate: Tue Mar 5 11:39:19 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 x86/livepatch: Relax permissions on rodata too This reinstates the capability to patch .rodata in load/unload hooks, which was lost when we stopped using CR0.WP=0 to patch. This turns out to be rather less of a large TODO than I thought at the time. Fixes: 8676092a0f16 ("x86/livepatch: Fix livepatch application when CET is active") Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/arch/x86/livepatch.c | 4 ++-- xen/common/virtual_region.c | 12 ++++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c index ee539f001b..4f76127e1f 100644 --- a/xen/arch/x86/livepatch.c +++ b/xen/arch/x86/livepatch.c @@ -62,7 +62,7 @@ int arch_livepatch_safety_check(void) int noinline arch_livepatch_quiesce(void) { /* - * Relax perms on .text to be RWX, so we can modify them. + * Relax perms on .text/.rodata, so we can modify them. * * This relaxes perms globally, but all other CPUs are waiting on us. */ @@ -75,7 +75,7 @@ int noinline arch_livepatch_quiesce(void) void noinline arch_livepatch_revive(void) { /* - * Reinstate perms on .text to be RX. This also cleans out the dirty + * Reinstate perms on .text/.rodata. This also cleans out the dirty * bits, which matters when CET Shstk is active. * * The other CPUs waiting for us could in principle have re-walked while diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index d2efe9e114..b4325bcda7 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -91,9 +91,15 @@ void relax_virtual_region_perms(void) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu( region, &virtual_region_list, list ) + { modify_xen_mappings_lite((unsigned long)region->text_start, PAGE_ALIGN((unsigned long)region->text_end), PAGE_HYPERVISOR_RWX); + if ( region->rodata_start ) + modify_xen_mappings_lite((unsigned long)region->rodata_start, + PAGE_ALIGN((unsigned long)region->rodata_end), + PAGE_HYPERVISOR_RW); + } rcu_read_unlock(&rcu_virtual_region_lock); } @@ -103,9 +109,15 @@ void tighten_virtual_region_perms(void) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu( region, &virtual_region_list, list ) + { modify_xen_mappings_lite((unsigned long)region->text_start, PAGE_ALIGN((unsigned long)region->text_end), PAGE_HYPERVISOR_RX); + if ( region->rodata_start ) + modify_xen_mappings_lite((unsigned long)region->rodata_start, + PAGE_ALIGN((unsigned long)region->rodata_end), + PAGE_HYPERVISOR_RO); + } rcu_read_unlock(&rcu_virtual_region_lock); } #endif /* CONFIG_X86 */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 14:33:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 14:33:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689938.1075456 (Exim 4.92) (envelope-from ) id 1riEoR-0002ee-2m; Thu, 07 Mar 2024 14:33:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689938.1075456; Thu, 07 Mar 2024 14:33:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEoQ-0002eW-WA; Thu, 07 Mar 2024 14:33:34 +0000 Received: by outflank-mailman (input) for mailman id 689938; Thu, 07 Mar 2024 14:33:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEoP-0002eL-Qr for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEoP-0002cx-Q1 for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1riEoP-0000Rs-Mu for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gQ6P179HxVHSulbUJ0tRubdtDma06HHRWl841AkYN0E=; b=2D6aYjN9bM8KnSsEnOKuJ0zGGi 2NsuX1V6Q0TZWKHgKprhRv8HuNkTnI2vBAwlXuLMsqvFhlAY7ldhdD520a7V1xAgEZ0l4DMBDdwWo uAzwEDShpRiUE44ROt4Y08sLB+K6nJZfRRRyYlxUy8v0lMkNrOYuSSXJTFm8vhs6VExU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] MAINTAINERS: add an entry for tools/9pfsd Message-Id: Date: Thu, 07 Mar 2024 14:33:33 +0000 commit b52c45b1bdf04469495dd046ba15dd35a8becfa5 Author: Juergen Gross AuthorDate: Wed Mar 6 12:16:31 2024 +0100 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 MAINTAINERS: add an entry for tools/9pfsd Add me as the maintainer for the tools/9pfsd directory. Signed-off-by: Juergen Gross Reviewed-by: Andrew Cooper --- MAINTAINERS | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 076cf1e141..323be9363c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -206,6 +206,12 @@ Maintainers List (try to look for most precise areas first) ----------------------------------- +9PFSD +M: Juergen Gross +M: Anthony PERARD +S: Supported +F: tools/9pfsd/ + ACPI M: Jan Beulich S: Supported -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 14:33:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 14:33:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.689939.1075459 (Exim 4.92) (envelope-from ) id 1riEob-0002hC-4O; Thu, 07 Mar 2024 14:33:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 689939.1075459; Thu, 07 Mar 2024 14:33:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEob-0002h4-1X; Thu, 07 Mar 2024 14:33:45 +0000 Received: by outflank-mailman (input) for mailman id 689939; Thu, 07 Mar 2024 14:33:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEoa-0002gn-1Z for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riEoZ-0002dC-Ul for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1riEoZ-0000Sf-SD for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 14:33:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=PMHIwcX15PBqPcYhrcWhrjGKM/GWktArwaW15+ikxtU=; b=pmW2FV4YUm2FqrvEJQjn9ii+A1 rRGtGEeBJ1u3xzdVxjuN6nxKFOkSdfivXpaVdw+FpZF6WTVvxkUhCkK4vA+biLtNHPY7HCv0cG+MQ FdR3hZO3+Qw2tqF4aTlBzPVGdDxJavlkGL6FKv52xyRKPnXol+UuaQcFYXaTeu/mMjmM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/9pfsd: Fix build error caused by strerror_r Message-Id: Date: Thu, 07 Mar 2024 14:33:43 +0000 commit 90173fc5a2a826bbcabde22af405d0a617818b70 Author: Henry Wang AuthorDate: Thu Mar 7 21:56:16 2024 +0800 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 tools/9pfsd: Fix build error caused by strerror_r Below error can be seen when doing Yocto build of the toolstack: | io.c: In function 'p9_error': | io.c:684:5: error: ignoring return value of 'strerror_r' declared with attribute 'warn_unused_result' [-Werror=unused-result] | 684 | strerror_r(err, ring->buffer, ring->ring_size); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | cc1: all warnings being treated as errors Using strerror_r() without special casing different build environments is impossible due to the different return types (int vs char *) depending on the environment. As p9_error() is not on a performance critical path, using strerror() with a mutex ought to be fine. So, fix the build by using strerror() to replace strerror_r(). The steps would then become: Acquire the mutex first, invoke strerror(), copy the string from strerror() to the designated buffer and then drop the mutex. Fixes: f4900d6d69b5 ("9pfsd: allow building with old glibc") Signed-off-by: Henry Wang Reviewed-by: Jan Beulich Reviewed-by: Juergen Gross Acked-by: Anthony PERARD --- tools/9pfsd/io.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/tools/9pfsd/io.c b/tools/9pfsd/io.c index adb887c7d9..df1be3df7d 100644 --- a/tools/9pfsd/io.c +++ b/tools/9pfsd/io.c @@ -677,11 +677,28 @@ static bool name_ok(const char *str) return true; } +/* Including the '\0' */ +#define MAX_ERRSTR_LEN 80 static void p9_error(struct ring *ring, uint16_t tag, uint32_t err) { unsigned int erroff; + static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + char *str; + size_t len = 0; + + /* + * While strerror_r() exists, it comes in a POSIX and a GNU flavor. + * Let's try to avoid trying to be clever with determining which + * one it is that the underlying C library offers, when really we + * don't expect this function to be called very often. + */ + pthread_mutex_lock(&mutex); + str = strerror(err); + len = min(strlen(str), (size_t)(MAX_ERRSTR_LEN - 1)); + memcpy(ring->buffer, str, len); + ((char *)ring->buffer)[len] = '\0'; + pthread_mutex_unlock(&mutex); - strerror_r(err, ring->buffer, ring->ring_size); erroff = add_string(ring, ring->buffer, strlen(ring->buffer)); fill_buffer(ring, P9_CMD_ERROR, tag, "SU", erroff != ~0 ? ring->str + erroff : "cannot allocate memory", -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 19:44:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 19:44:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.690023.1075633 (Exim 4.92) (envelope-from ) id 1riJes-0005zd-VJ; Thu, 07 Mar 2024 19:44:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 690023.1075633; Thu, 07 Mar 2024 19:44:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riJes-0005zT-SR; Thu, 07 Mar 2024 19:44:02 +0000 Received: by outflank-mailman (input) for mailman id 690023; Thu, 07 Mar 2024 19:44:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riJer-0005zI-NO for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 19:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riJer-0003Bj-MB for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 19:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1riJer-00046n-LG for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 19:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=x/6Hg46ELV6nrPzLuVYKRzFVqGETSXw1QmVv1Yg852A=; b=4VQbB5iv3FTJrtCEJduYFHNI4I XSs061Ygii0rtVI1rKTxNdnA23sfhNEpVWXKoncyf0NkNI0yzDnYxF2W72QCs0HBmhu9IjVU4pIlz 5m7s9hjR4rFvtB77MoXu8qGMQEegb5U6GktXFGCLq9IfCOdtxLIcw3gqfBZW3ihPkrNc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/{RISCV,PPC}/xen.lds: Delete duplicate _erodata definitions Message-Id: Date: Thu, 07 Mar 2024 19:44:01 +0000 commit e14fece7d48372d64468717ea3d3e65487a0a4f2 Author: Andrew Cooper AuthorDate: Tue Mar 5 12:21:21 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 6 12:03:36 2024 +0000 xen/{RISCV,PPC}/xen.lds: Delete duplicate _erodata definitions This is bad copy/paste from somewhere. Retain the second _erodata symbol, which follows the Build ID, and matches the other architectures. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Reviewed-by: Oleksii Kurochko Acked-by: Shawn Anastasio --- xen/arch/ppc/xen.lds.S | 1 - xen/arch/riscv/xen.lds.S | 1 - 2 files changed, 2 deletions(-) diff --git a/xen/arch/ppc/xen.lds.S b/xen/arch/ppc/xen.lds.S index 030e1ee37b..05b6db2728 100644 --- a/xen/arch/ppc/xen.lds.S +++ b/xen/arch/ppc/xen.lds.S @@ -60,7 +60,6 @@ SECTIONS VPCI_ARRAY . = ALIGN(POINTER_ALIGN); - _erodata = .; /* End of read-only data */ } :text #if defined(BUILD_ID) diff --git a/xen/arch/riscv/xen.lds.S b/xen/arch/riscv/xen.lds.S index 8510a87c4d..ace6f49c57 100644 --- a/xen/arch/riscv/xen.lds.S +++ b/xen/arch/riscv/xen.lds.S @@ -60,7 +60,6 @@ SECTIONS VPCI_ARRAY . = ALIGN(POINTER_ALIGN); - _erodata = .; /* End of read-only data */ } :text #if defined(BUILD_ID) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 19:44:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 19:44:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.690024.1075636 (Exim 4.92) (envelope-from ) id 1riJf3-00063X-0Q; Thu, 07 Mar 2024 19:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 690024.1075636; Thu, 07 Mar 2024 19:44:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riJf2-00063P-Tz; Thu, 07 Mar 2024 19:44:12 +0000 Received: by outflank-mailman (input) for mailman id 690024; Thu, 07 Mar 2024 19:44:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riJf1-000637-Qf for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 19:44:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riJf1-0003Bp-PT for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 19:44:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1riJf1-00047h-OE for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 19:44:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=TA54JdSYoKv9ZlAd1OpGn+hNdE6gP1LkCBVDCkzUoiE=; b=yMn06DKrZtVK518cjryYHBSRtk H7P6cO780olknos1jbbXFuRC81swM8yZtbd/zsAJc09YDP4HLqObiS8Sge1UyiBP1R7ypRBKIQhru uQ0SW1Dsc6ztOc+sc2GROkEWV3sCDBBzEr+oa25kNc0hHoXW3MN4i0x1skMApjgr04kU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] 9pfsd: allow building with old glibc Message-Id: Date: Thu, 07 Mar 2024 19:44:11 +0000 commit f4900d6d69b534a00a2d6f8981a3bd5dc22a7c0b Author: Jan Beulich AuthorDate: Tue Mar 5 15:33:47 2024 +0100 Commit: Andrew Cooper CommitDate: Wed Mar 6 12:03:36 2024 +0000 9pfsd: allow building with old glibc Neither pread() / pwrite() nor O_DIRECTORY are available from glibc 2.11.3 headers without defining (e.g.) _GNU_SOURCE. Supplying the definition unconditionally shouldn't be a problem, seeing that various other tools/ components do so, too. Signed-off-by: Jan Beulich --- tools/9pfsd/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/9pfsd/Makefile b/tools/9pfsd/Makefile index 50573121ed..b5f9703131 100644 --- a/tools/9pfsd/Makefile +++ b/tools/9pfsd/Makefile @@ -5,7 +5,7 @@ XEN_ROOT = $(CURDIR)/../.. include $(XEN_ROOT)/tools/Rules.mk -CFLAGS += $(PTHREAD_CFLAGS) +CFLAGS += $(PTHREAD_CFLAGS) -D_GNU_SOURCE LDFLAGS += $(PTHREAD_LDFLAGS) TARGETS := xen-9pfsd -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Mar 07 19:44:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 07 Mar 2024 19:44:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.690025.1075641 (Exim 4.92) (envelope-from ) id 1riJfD-00069m-3X; Thu, 07 Mar 2024 19:44:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 690025.1075641; Thu, 07 Mar 2024 19:44:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riJfD-00069f-0T; Thu, 07 Mar 2024 19:44:23 +0000 Received: by outflank-mailman (input) for mailman id 690025; Thu, 07 Mar 2024 19:44:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riJfB-00068I-To for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 19:44:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1riJfB-0003Dj-Sc for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 19:44:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1riJfB-00048Q-Rj for xen-changelog@lists.xenproject.org; Thu, 07 Mar 2024 19:44:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=xm4EhZbSjGInrsjVu5g3HLnyLhfyualWNNM67w0mlDw=; b=H/J2xvuBWZWGfm6nA/APjE2VIK P44+PWuN5eCqnPXnEPSvM/W6wWTc6dWKj9EM2yirp7qqeBV/qIu7oKAm2CsrJyuqAojsmUe+R00Jh LQTdD48G95a//plaUqyre6aNks2ubZkNm5e7TE0+SGInStyAAGPLC9dgCWQyK+tglHiU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/xentop: Add VBD3 support to xentop Message-Id: Date: Thu, 07 Mar 2024 19:44:21 +0000 commit 66c8e9b76c61ff52cfc0b186a38208907845d093 Author: Pritha Srivastava AuthorDate: Wed Feb 28 11:39:47 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 6 12:03:36 2024 +0000 tools/xentop: Add VBD3 support to xentop xl now knows how to drive tapdisk, so modify libxenstat to understand vbd3 statistics. Signed-off-by: Pritha Srivastava Signed-off-by: Jorge Martin Signed-off-by: Fouad Hilly Reviewed-by: Anthony PERARD --- tools/libs/stat/xenstat_linux.c | 65 ++++++++++++++++++++++++++++++++++++++++- tools/libs/stat/xenstat_priv.h | 17 +++++++++++ tools/xentop/xentop.c | 1 + 3 files changed, 82 insertions(+), 1 deletion(-) diff --git a/tools/libs/stat/xenstat_linux.c b/tools/libs/stat/xenstat_linux.c index cbba54aa83..b60e3fdcab 100644 --- a/tools/libs/stat/xenstat_linux.c +++ b/tools/libs/stat/xenstat_linux.c @@ -35,6 +35,7 @@ #include "xenstat_priv.h" #define SYSFS_VBD_PATH "/sys/bus/xen-backend/devices" +#define XENSTAT_VBD_TYPE_VBD3 3 struct priv_data { FILE *procnetdev; @@ -390,6 +391,38 @@ void xenstat_uninit_networks(xenstat_handle * handle) fclose(priv->procnetdev); } +static int read_attributes_vbd3(const char *vbd3_path, xenstat_vbd *vbd) +{ + FILE *fp; + struct vbd3_stats vbd3_stats; + + fp = fopen(vbd3_path, "rb"); + + if (fp == NULL) { + return -1; + } + + if (fread(&vbd3_stats, sizeof(struct vbd3_stats), 1, fp) != 1) { + fclose(fp); + return -1; + } + + if (vbd3_stats.version != 1) { + fclose(fp); + return -1; + } + + vbd->oo_reqs = vbd3_stats.oo_reqs; + vbd->rd_reqs = vbd3_stats.read_reqs_submitted; + vbd->rd_sects = vbd3_stats.read_sectors; + vbd->wr_reqs = vbd3_stats.write_reqs_submitted; + vbd->wr_sects = vbd3_stats.write_sectors; + + fclose(fp); + + return 0; +} + static int read_attributes_vbd(const char *vbd_directory, const char *what, char *ret, int cap) { static char file_name[80]; @@ -438,7 +471,7 @@ int xenstat_collect_vbds(xenstat_node * node) int ret; char buf[256]; - ret = sscanf(dp->d_name, "%3s-%u-%u", buf, &domid, &vbd.dev); + ret = sscanf(dp->d_name, "%255[^-]-%u-%u", buf, &domid, &vbd.dev); if (ret != 3) continue; if (!(strstr(buf, "vbd")) && !(strstr(buf, "tap"))) @@ -448,6 +481,8 @@ int xenstat_collect_vbds(xenstat_node * node) vbd.back_type = 1; else if (strcmp(buf,"tap") == 0) vbd.back_type = 2; + else if (strcmp(buf,"vbd3") == 0) + vbd.back_type = XENSTAT_VBD_TYPE_VBD3; else vbd.back_type = 0; @@ -479,6 +514,34 @@ int xenstat_collect_vbds(xenstat_node * node) vbd.error = 1; } } + else if (vbd.back_type == XENSTAT_VBD_TYPE_VBD3) + { + char *td3_pid; + char *path; + + vbd.error = 0; + + if (asprintf(&path, "/local/domain/0/backend/vbd3/%u/%u/kthread-pid", domid, vbd.dev) < 0) + continue; + + td3_pid = xs_read(node->handle->xshandle, XBT_NULL, path, NULL); + + free(path); + + if (td3_pid == NULL) + continue; + + if (asprintf(&path, "/dev/shm/td3-%s/vbd-%u-%u", td3_pid, domid, vbd.dev) < 0) { + free(td3_pid); + continue; + } + + if (read_attributes_vbd3(path, &vbd) < 0) + vbd.error = 1; + + free(td3_pid); + free(path); + } else { vbd.error = 1; diff --git a/tools/libs/stat/xenstat_priv.h b/tools/libs/stat/xenstat_priv.h index 4eb44a8ebb..51ff6862cf 100644 --- a/tools/libs/stat/xenstat_priv.h +++ b/tools/libs/stat/xenstat_priv.h @@ -98,6 +98,23 @@ struct xenstat_vbd { unsigned long long wr_sects; }; +/* Interface provided by https://github.com/xapi-project/blktap */ +struct vbd3_stats { + uint32_t version; + uint32_t __pad; + uint64_t oo_reqs; + uint64_t read_reqs_submitted; + uint64_t read_reqs_completed; + uint64_t read_sectors; + uint64_t read_total_ticks; + uint64_t write_reqs_submitted; + uint64_t write_reqs_completed; + uint64_t write_sectors; + uint64_t write_total_ticks; + uint64_t io_errors; + uint64_t flags; +}; + extern int xenstat_collect_networks(xenstat_node * node); extern void xenstat_uninit_networks(xenstat_handle * handle); extern int xenstat_collect_vbds(xenstat_node * node); diff --git a/tools/xentop/xentop.c b/tools/xentop/xentop.c index 0a2fab7f15..f5a456fd4d 100644 --- a/tools/xentop/xentop.c +++ b/tools/xentop/xentop.c @@ -1124,6 +1124,7 @@ void do_vbd(xenstat_domain *domain) "Unidentified", /* number 0 */ "BlkBack", /* number 1 */ "BlkTap", /* number 2 */ + "Tapdisk3" /* number 3 */ }; num_vbds = xenstat_domain_num_vbds(domain); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Sat Mar 09 02:33:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 09 Mar 2024 02:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.690476.1076503 (Exim 4.92) (envelope-from ) id 1rimWH-0007MR-3L; Sat, 09 Mar 2024 02:33:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 690476.1076503; Sat, 09 Mar 2024 02:33:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rimWH-0007MJ-0i; Sat, 09 Mar 2024 02:33:05 +0000 Received: by outflank-mailman (input) for mailman id 690476; Sat, 09 Mar 2024 02:33:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rimWF-0007MD-WF for xen-changelog@lists.xenproject.org; Sat, 09 Mar 2024 02:33:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rimWF-0006yj-TY for xen-changelog@lists.xenproject.org; Sat, 09 Mar 2024 02:33:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rimWF-0004IL-RQ for xen-changelog@lists.xenproject.org; Sat, 09 Mar 2024 02:33:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wgWTCdGqa1O0mjEGpYn8AZGRIDgbGcI1r+anuKMxJzU=; b=yoQ9oZ3AFwCW9HXVOggjL3GZhP 3vx1pU0I9gN52PK8GeCMSPAeUTRtevncKQviYiDEDaotAA+s4ENjOZFgtMVDDQyc5+Q3Gh6xcLJTI cDiNsKAsElR51WFx6eskJZWJcXHLX6fwo7tIOTeAw61sMtM+7Hy102yB97wo5RTjnWws=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] automation/eclair: add deviation for MISRA C:2012 Rule 16.6 Message-Id: Date: Sat, 09 Mar 2024 02:33:03 +0000 commit ef31ffbc3dc124173fc9420988772fa96bc4bf12 Author: Federico Serafini AuthorDate: Mon Mar 4 11:28:37 2024 +0100 Commit: Stefano Stabellini CommitDate: Fri Mar 8 18:22:49 2024 -0800 automation/eclair: add deviation for MISRA C:2012 Rule 16.6 Update ECLAIR configuration to take into account the deviations agreed during MISRA meetings. Signed-off-by: Federico Serafini Reviewed-by: Stefano Stabellini --- automation/eclair_analysis/ECLAIR/deviations.ecl | 4 ++++ docs/misra/deviations.rst | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl index 02eae39786..9ac3ee4dfd 100644 --- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl @@ -378,6 +378,10 @@ explicit comment indicating the fallthrough intention is present." -config=MC3R1.R16.3,reports+={safe, "any_area(end_loc(any_exp(text(^(?s).*/\\* [fF]all ?through.? \\*/.*$,0..1))))"} -doc_end +-doc_begin="A switch statement with a single switch clause and no default label may be used in place of an equivalent if statement if it is considered to improve readability." +-config=MC3R1.R16.6,switch_clauses+={deliberate, "default(0)"} +-doc_end + # # Series 18. # diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst index 123c78e20a..ce855ddae6 100644 --- a/docs/misra/deviations.rst +++ b/docs/misra/deviations.rst @@ -322,6 +322,12 @@ Deviations related to MISRA C:2012 Rules: - /\* Fallthrough \*/ - /\* Fallthrough. \*/ + * - R16.6 + - A switch statement with a single switch clause and no default label may + be used in place of an equivalent if statement if it is considered to + improve readability. + - Tagged as `deliberate` for ECLAIR. + * - R20.7 - Code violating Rule 20.7 is safe when macro parameters are used: (1) as function arguments; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:44:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:44:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691244.1076979 (Exim 4.92) (envelope-from ) id 1rjbGP-0003rF-B3; Mon, 11 Mar 2024 08:44:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691244.1076979; Mon, 11 Mar 2024 08:44:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGP-0003r8-8D; Mon, 11 Mar 2024 08:44:05 +0000 Received: by outflank-mailman (input) for mailman id 691244; Mon, 11 Mar 2024 08:44:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGN-0003r0-Rd for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGN-0005UV-NJ for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbGN-0008PG-Jl for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7VNJtmkKCxJ9P1A6kVwEWwZekLBnJt+CuG46tLjAWeI=; b=hiOt2eUvF8aSSa6m9aF/1z/eZN 1MLAfJcYtJ8uZ+uE+1HQTTY462tp+6d0e/TvscdIOMs/lD8ujP1zgIcygl18oh/mLt8a9/Rks08B5 9BhC3vdLPBcPWYD0O4qmt05iF0MT4K19o8Vnjtp08OxPp4p1T9t28BEpeMV51EqK5Brc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/asm-generic: introduce stub header monitor.h Message-Id: Date: Mon, 11 Mar 2024 08:44:03 +0000 commit 136fff30b3a589147c12c832c84d793ceef41aca Author: Oleksii Kurochko AuthorDate: Mon Mar 11 09:29:25 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:29:25 2024 +0100 xen/asm-generic: introduce stub header monitor.h The header is shared between several archs so it is moved to asm-generic. Switch partly Arm and PPC to asm-generic/monitor.h and only arch_monitor_get_capabilities() left in arch-specific/monitor.h. Signed-off-by: Oleksii Kurochko Acked-by: Jan Beulich Acked-by: Tamas K Lengyel Acked-by: Julien Grall Acked-by: Shawn Anastasio --- xen/arch/arm/include/asm/monitor.h | 25 ++------------- xen/arch/ppc/include/asm/monitor.h | 28 +---------------- xen/arch/ppc/stubs.c | 8 ----- xen/include/asm-generic/monitor.h | 64 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 67 insertions(+), 58 deletions(-) diff --git a/xen/arch/arm/include/asm/monitor.h b/xen/arch/arm/include/asm/monitor.h index 7567be66bd..77a3c1a36c 100644 --- a/xen/arch/arm/include/asm/monitor.h +++ b/xen/arch/arm/include/asm/monitor.h @@ -25,34 +25,13 @@ #include #include -static inline -void arch_monitor_allow_userspace(struct domain *d, bool allow_userspace) -{ -} +#define HAS_ARCH_MONITOR_DOMCTL_EVENT -static inline -int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop) -{ - /* No arch-specific monitor ops on ARM. */ - return -EOPNOTSUPP; -} +#include int arch_monitor_domctl_event(struct domain *d, struct xen_domctl_monitor_op *mop); -static inline -int arch_monitor_init_domain(struct domain *d) -{ - /* No arch-specific domain initialization on ARM. */ - return 0; -} - -static inline -void arch_monitor_cleanup_domain(struct domain *d) -{ - /* No arch-specific domain cleanup on ARM. */ -} - static inline uint32_t arch_monitor_get_capabilities(struct domain *d) { uint32_t capabilities = 0; diff --git a/xen/arch/ppc/include/asm/monitor.h b/xen/arch/ppc/include/asm/monitor.h index e5b0282bf1..89000dacc6 100644 --- a/xen/arch/ppc/include/asm/monitor.h +++ b/xen/arch/ppc/include/asm/monitor.h @@ -6,33 +6,7 @@ #include #include -static inline -void arch_monitor_allow_userspace(struct domain *d, bool allow_userspace) -{ -} - -static inline -int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop) -{ - /* No arch-specific monitor ops on PPC. */ - return -EOPNOTSUPP; -} - -int arch_monitor_domctl_event(struct domain *d, - struct xen_domctl_monitor_op *mop); - -static inline -int arch_monitor_init_domain(struct domain *d) -{ - /* No arch-specific domain initialization on PPC. */ - return 0; -} - -static inline -void arch_monitor_cleanup_domain(struct domain *d) -{ - /* No arch-specific domain cleanup on PPC. */ -} +#include static inline uint32_t arch_monitor_get_capabilities(struct domain *d) { diff --git a/xen/arch/ppc/stubs.c b/xen/arch/ppc/stubs.c index a96e45626d..da193839bd 100644 --- a/xen/arch/ppc/stubs.c +++ b/xen/arch/ppc/stubs.c @@ -95,14 +95,6 @@ void arch_get_domain_info(const struct domain *d, BUG_ON("unimplemented"); } -/* monitor.c */ - -int arch_monitor_domctl_event(struct domain *d, - struct xen_domctl_monitor_op *mop) -{ - BUG_ON("unimplemented"); -} - /* smp.c */ void arch_flush_tlb_mask(const cpumask_t *mask) diff --git a/xen/include/asm-generic/monitor.h b/xen/include/asm-generic/monitor.h new file mode 100644 index 0000000000..1ade289099 --- /dev/null +++ b/xen/include/asm-generic/monitor.h @@ -0,0 +1,64 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * include/asm-generic/monitor.h + * + * Arch-specific monitor_op domctl handler. + * + * Copyright (c) 2015 Tamas K Lengyel (tamas@tklengyel.com) + * Copyright (c) 2016, Bitdefender S.R.L. + * + */ + +#ifndef __ASM_GENERIC_MONITOR_H__ +#define __ASM_GENERIC_MONITOR_H__ + +#include +#include + +struct domain; +struct xen_domctl_monitor_op; + +static inline +void arch_monitor_allow_userspace(struct domain *d, bool allow_userspace) +{ +} + +static inline +int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop) +{ + /* No arch-specific monitor ops on GENERIC. */ + return -EOPNOTSUPP; +} + +#ifndef HAS_ARCH_MONITOR_DOMCTL_EVENT +static inline +int arch_monitor_domctl_event(struct domain *d, + struct xen_domctl_monitor_op *mop) +{ + BUG_ON("unimplemented"); +} +#endif + +static inline +int arch_monitor_init_domain(struct domain *d) +{ + /* No arch-specific domain initialization on GENERIC. */ + return 0; +} + +static inline +void arch_monitor_cleanup_domain(struct domain *d) +{ + /* No arch-specific domain cleanup on GENERIC. */ +} + +#endif /* __ASM_GENERIC_MONITOR_H__ */ + +/* + * Local variables: + * mode: C + * c-file-style: BSD + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:44:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:44:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691245.1076983 (Exim 4.92) (envelope-from ) id 1rjbGZ-0003t6-CQ; Mon, 11 Mar 2024 08:44:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691245.1076983; Mon, 11 Mar 2024 08:44:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGZ-0003sz-9z; Mon, 11 Mar 2024 08:44:15 +0000 Received: by outflank-mailman (input) for mailman id 691245; Mon, 11 Mar 2024 08:44:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGX-0003ss-Rm for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGX-0005Uh-Qw for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbGX-0008Qb-Pd for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mAr2SDYUymaVbdXBGp5jcRYxZb3tWYFUdZZfUHbrVRk=; b=FqlHHts7jfXciMonz8rZK5jywH 7a1Gno3kbStJzp9leEEk9ae1zOIIZAnlYlDSGNjjAaYRViubCkAk2bIoW4t3nqqlrvSVmT8E2Y4NK Gnudwzlhr3vsBQTk66ctI8ie364cwtHUPLgaYpeEg6qz9sO++n91ttqIuc1N2HsUJWUU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/mem-access: ifdef inclusion of Message-Id: Date: Mon, 11 Mar 2024 08:44:13 +0000 commit 8ef780a1cf9a9b94e391d779e7e37b3c831223f7 Author: Oleksii Kurochko AuthorDate: Mon Mar 11 09:30:29 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:30:29 2024 +0100 xen/mem-access: ifdef inclusion of ifdefing inclusion of in allows to avoid generation of empty header for the case when !CONFIG_MEM_ACCESS. For Arm it was explicitly added inclusion of for p2m.c and traps.c because they require some functions from which aren't available in case of !CONFIG_MEM_ACCESS. Suggested-by: Jan Beulich Signed-off-by: Oleksii Kurochko Acked-by: Tamas K Lengyel Acked-by: Julien Grall Acked-by: Shawn Anastasio --- xen/arch/arm/p2m.c | 1 + xen/arch/arm/traps.c | 1 + xen/arch/ppc/configs/ppc64_defconfig | 1 + xen/arch/ppc/include/asm/mem_access.h | 5 ----- xen/arch/riscv/configs/tiny64_defconfig | 1 + xen/include/xen/mem_access.h | 2 ++ 6 files changed, 6 insertions(+), 5 deletions(-) diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c index b991b76ce4..2465c266e9 100644 --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index 9c10e8f78c..8ddca643d4 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -35,6 +35,7 @@ #include #include #include +#include #include #include #include diff --git a/xen/arch/ppc/configs/ppc64_defconfig b/xen/arch/ppc/configs/ppc64_defconfig index f7cc075e45..48a053237a 100644 --- a/xen/arch/ppc/configs/ppc64_defconfig +++ b/xen/arch/ppc/configs/ppc64_defconfig @@ -6,6 +6,7 @@ # CONFIG_HYPFS is not set # CONFIG_GRANT_TABLE is not set # CONFIG_SPECULATIVE_HARDEN_ARRAY is not set +# CONFIG_MEM_ACCESS is not set CONFIG_PPC64=y CONFIG_DEBUG=y diff --git a/xen/arch/ppc/include/asm/mem_access.h b/xen/arch/ppc/include/asm/mem_access.h deleted file mode 100644 index e7986dfdbd..0000000000 --- a/xen/arch/ppc/include/asm/mem_access.h +++ /dev/null @@ -1,5 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -#ifndef __ASM_PPC_MEM_ACCESS_H__ -#define __ASM_PPC_MEM_ACCESS_H__ - -#endif /* __ASM_PPC_MEM_ACCESS_H__ */ diff --git a/xen/arch/riscv/configs/tiny64_defconfig b/xen/arch/riscv/configs/tiny64_defconfig index 3c9a2ff941..09defe236b 100644 --- a/xen/arch/riscv/configs/tiny64_defconfig +++ b/xen/arch/riscv/configs/tiny64_defconfig @@ -6,6 +6,7 @@ # CONFIG_HYPFS is not set # CONFIG_GRANT_TABLE is not set # CONFIG_SPECULATIVE_HARDEN_ARRAY is not set +# CONFIG_MEM_ACCESS is not set CONFIG_RISCV_64=y CONFIG_DEBUG=y diff --git a/xen/include/xen/mem_access.h b/xen/include/xen/mem_access.h index 4e4811680d..87d93b31f6 100644 --- a/xen/include/xen/mem_access.h +++ b/xen/include/xen/mem_access.h @@ -33,7 +33,9 @@ */ struct vm_event_st; +#ifdef CONFIG_MEM_ACCESS #include +#endif /* * Additional access types, which are used to further restrict -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:44:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:44:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691246.1076988 (Exim 4.92) (envelope-from ) id 1rjbGj-0003wU-Dy; Mon, 11 Mar 2024 08:44:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691246.1076988; Mon, 11 Mar 2024 08:44:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGj-0003wM-BQ; Mon, 11 Mar 2024 08:44:25 +0000 Received: by outflank-mailman (input) for mailman id 691246; Mon, 11 Mar 2024 08:44:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGh-0003w6-VS for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGh-0005WQ-Ue for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbGh-0008R9-T0 for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+2ONVlG5m0I2olP276Ozs5MJGXNm07iBZooJYOhuWls=; b=kCABlX5p94A/ZaCavWj9C4maEU +vd5FXAPkI90ruyPHvus2f3UAztpFkhP4CtrM+5GFVKP8TetMcwU9EYdxS9902P8t4B46yYDBsJZz ttGmOOdQh+gglfBbeE/yZwqji7VsTBApPZbGqX1xHfDYAtnog2aF0j/wj/nZ3sSWFYd4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] MAINTAINERS: drop AMD SVM and Intel VT-x sections Message-Id: Date: Mon, 11 Mar 2024 08:44:23 +0000 commit 8395f275ebd11b4cacb12da09911e7918ccc7518 Author: Jan Beulich AuthorDate: Mon Mar 11 09:31:31 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:31:31 2024 +0100 MAINTAINERS: drop AMD SVM and Intel VT-x sections We'd like to thank the VT-x maintainers for their past contributions, while at the same time we'd like to reflect reality as it has been for quite some time. Have VT-x maintainership (and for symmetry also AMD SVM's) fall back to general x86. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper Acked-by: Roger Pau Monné Acked-by: Kevin Tian --- MAINTAINERS | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 323be9363c..56a6932037 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -226,13 +226,6 @@ M: Andrew Cooper S: Maintained F: xen/drivers/passthrough/amd/ -AMD SVM -M: Jan Beulich -M: Andrew Cooper -S: Supported -F: xen/arch/x86/hvm/svm/ -F: xen/arch/x86/cpu/vpmu_amd.c - ARGO M: Christopher Clark S: Maintained @@ -363,15 +356,6 @@ M: Kevin Tian S: Supported F: xen/drivers/passthrough/vtd/ -INTEL(R) VT FOR X86 (VT-X) -M: Jun Nakajima -M: Kevin Tian -S: Supported -F: xen/arch/x86/cpu/vpmu_intel.c -F: xen/arch/x86/hvm/vmx/ -F: xen/arch/x86/include/asm/hvm/vmx/ -F: xen/arch/x86/mm/p2m-ept.c - IOMMU VENDOR INDEPENDENT CODE M: Jan Beulich M: Paul Durrant -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:44:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:44:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691247.1076992 (Exim 4.92) (envelope-from ) id 1rjbGt-0003zE-FG; Mon, 11 Mar 2024 08:44:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691247.1076992; Mon, 11 Mar 2024 08:44:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGt-0003z6-Cm; Mon, 11 Mar 2024 08:44:35 +0000 Received: by outflank-mailman (input) for mailman id 691247; Mon, 11 Mar 2024 08:44:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGs-0003yr-27 for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbGs-0005Wc-1K for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbGs-0008RY-0f for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=bVRFTvgdlmJr7xm6peq6hToVLCXSvsWThay/H/33H70=; b=gUvahsZKO8adTJY3fiBMSDLTeT cRxewP2vhWnk4dJHlyYWH15DEuffRDooldjsLQkI7jFrYPqdTxFdDopCK7iFFbW4o7NFlBJdBe7az Zf+NqcmX/uxKWbTq3mzSVsnCdyoElcnosnRoDlEAMVASZH1AwEhYKtRZfdARkaMoHwmA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/domain.h: Centrialize is_domain_direct_mapped() Message-Id: Date: Mon, 11 Mar 2024 08:44:34 +0000 commit 698c35184cfd3c045b96b6c587c9f37f8c47408f Author: Henry Wang AuthorDate: Mon Mar 11 09:32:03 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:32:03 2024 +0100 xen/domain.h: Centrialize is_domain_direct_mapped() Currently direct mapped domain is only supported by the Arm architecture at the domain creation time by setting the CDF_directmap flag. There is not a need for every non-Arm architecture, i.e. x86, RISC-V and PPC, to define a stub is_domain_direct_mapped() in arch header. Move is_domain_direct_mapped() to a centralized place at xen/domain.h and evaluate CDF_directmap for non-Arm architecture to 0. Suggested-by: Jan Beulich Signed-off-by: Henry Wang Reviewed-by: Michal Orzel Reviewed-by: Jan Beulich --- xen/arch/arm/include/asm/domain.h | 2 -- xen/arch/ppc/include/asm/domain.h | 2 -- xen/arch/riscv/include/asm/domain.h | 2 -- xen/arch/x86/include/asm/domain.h | 1 - xen/include/xen/domain.h | 3 +++ 5 files changed, 3 insertions(+), 7 deletions(-) diff --git a/xen/arch/arm/include/asm/domain.h b/xen/arch/arm/include/asm/domain.h index 8218afb862..f1d72c6e48 100644 --- a/xen/arch/arm/include/asm/domain.h +++ b/xen/arch/arm/include/asm/domain.h @@ -29,8 +29,6 @@ enum domain_type { #define is_64bit_domain(d) (0) #endif -#define is_domain_direct_mapped(d) ((d)->cdf & CDF_directmap) - /* * Is the domain using the host memory layout? * diff --git a/xen/arch/ppc/include/asm/domain.h b/xen/arch/ppc/include/asm/domain.h index 573276d0a8..3a447272c6 100644 --- a/xen/arch/ppc/include/asm/domain.h +++ b/xen/arch/ppc/include/asm/domain.h @@ -10,8 +10,6 @@ struct hvm_domain uint64_t params[HVM_NR_PARAMS]; }; -#define is_domain_direct_mapped(d) ((void)(d), 0) - /* TODO: Implement */ #define guest_mode(r) ({ (void)(r); BUG_ON("unimplemented"); 0; }) diff --git a/xen/arch/riscv/include/asm/domain.h b/xen/arch/riscv/include/asm/domain.h index 0f5dc2be40..027bfa8a93 100644 --- a/xen/arch/riscv/include/asm/domain.h +++ b/xen/arch/riscv/include/asm/domain.h @@ -10,8 +10,6 @@ struct hvm_domain uint64_t params[HVM_NR_PARAMS]; }; -#define is_domain_direct_mapped(d) ((void)(d), 0) - struct arch_vcpu_io { }; diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 622d22bef2..4bd78e3a6d 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -22,7 +22,6 @@ #define is_hvm_pv_evtchn_domain(d) (is_hvm_domain(d) && \ ((d)->arch.hvm.irq->callback_via_type == HVMIRQ_callback_vector || \ (d)->vcpu[0]->arch.hvm.evtchn_upcall_vector)) -#define is_domain_direct_mapped(d) ((void)(d), 0) #define VCPU_TRAP_NONE 0 #define VCPU_TRAP_NMI 1 diff --git a/xen/include/xen/domain.h b/xen/include/xen/domain.h index b1a4aa6f38..3de5635291 100644 --- a/xen/include/xen/domain.h +++ b/xen/include/xen/domain.h @@ -41,6 +41,8 @@ void arch_get_domain_info(const struct domain *d, #ifdef CONFIG_ARM /* Should domain memory be directly mapped? */ #define CDF_directmap (1U << 1) +#else +#define CDF_directmap 0 #endif /* Is domain memory on static allocation? */ #ifdef CONFIG_STATIC_MEMORY @@ -49,6 +51,7 @@ void arch_get_domain_info(const struct domain *d, #define CDF_staticmem 0 #endif +#define is_domain_direct_mapped(d) ((d)->cdf & CDF_directmap) #define is_domain_using_staticmem(d) ((d)->cdf & CDF_staticmem) /* -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:44:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:44:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691249.1076998 (Exim 4.92) (envelope-from ) id 1rjbH3-00042g-Hc; Mon, 11 Mar 2024 08:44:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691249.1076998; Mon, 11 Mar 2024 08:44:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbH3-00042Y-EA; Mon, 11 Mar 2024 08:44:45 +0000 Received: by outflank-mailman (input) for mailman id 691249; Mon, 11 Mar 2024 08:44:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbH2-00042O-5R for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbH2-0005Wl-4e for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbH2-0008Ry-3R for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RhPyFNd/imDEQuYG48yJfmRoBnPImg/Xd1iSdVIRiCc=; b=MYRPAMFB9fS0PTKcjUUW5xgSgG W3ObqoqfWSg+D7L6Ff1lTj5onGWhfAYDI5Xk5LicNgbVEyUU0DKTE2zT9N+7dZW47QV2Vm32dkqSk DDkNoW021FjeucrViT4L0RaSdjOzVb8S5Suabg1IVrsRz6qDTp8kq7Eyh4Ma69+4+o8M=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] features.h: Replace hard tabs Message-Id: Date: Mon, 11 Mar 2024 08:44:44 +0000 commit bf7a2eaede23c749aa0d90e98113a2782ae5f9a6 Author: Jason Andryuk AuthorDate: Mon Mar 11 09:32:51 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:32:51 2024 +0100 features.h: Replace hard tabs Replace hard tabs to match the rest of the file. Fixes: 48a3fd1432 ("domain: expose newly introduced hypercalls as XENFEAT") Signed-off-by: Jason Andryuk Reviewed-by: Stefano Stabellini --- xen/include/public/features.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/include/public/features.h b/xen/include/public/features.h index 36936f6a4e..4437f25d25 100644 --- a/xen/include/public/features.h +++ b/xen/include/public/features.h @@ -117,8 +117,8 @@ * VCPUOP_register_runstate_phys_area * VCPUOP_register_vcpu_time_phys_area */ -#define XENFEAT_runstate_phys_area 18 -#define XENFEAT_vcpu_time_phys_area 19 +#define XENFEAT_runstate_phys_area 18 +#define XENFEAT_vcpu_time_phys_area 19 #define XENFEAT_NR_SUBMAPS 1 -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:44:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:44:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691250.1077000 (Exim 4.92) (envelope-from ) id 1rjbHD-00045H-Ie; Mon, 11 Mar 2024 08:44:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691250.1077000; Mon, 11 Mar 2024 08:44:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHD-000459-Fa; Mon, 11 Mar 2024 08:44:55 +0000 Received: by outflank-mailman (input) for mailman id 691250; Mon, 11 Mar 2024 08:44:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHC-00044x-99 for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHC-0005XI-8K for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbHC-0008SN-6z for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:44:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=oVpOvnq2yFy5Yv/YYwc+ncon7KsejRaAPlTKvmkISxA=; b=TpfSfFXID2LX2EPti2ur5wo4ez suCnqynhJVpgJB4Mdi+2reBhIosg+aFfWhBV7NcyCzvOa1357e5mlDjr4eDIrn19kCrgMz+sUeT7M qeSIwHY93xhTST6ipDi7crXpw1XqlNMQ8FvYkUXu7pSsI/n1qe+W1OQgRkHxCOHjS6fE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/x86: bzImage parse kernel_alignment Message-Id: Date: Mon, 11 Mar 2024 08:44:54 +0000 commit c44cac229067faeec8f49247d1cf281723ac2d40 Author: Jason Andryuk AuthorDate: Mon Mar 11 09:33:35 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:33:35 2024 +0100 xen/x86: bzImage parse kernel_alignment Expand bzimage_parse() to return kernel_alignment from the setup_header. This will be needed if loading a PVH kernel at a physical offset to compensate for a reserved E820 region. Signed-off-by: Jason Andryuk Reviewed-by: Stefano Stabellini Acked-by: Jan Beulich --- xen/arch/x86/bzimage.c | 4 +++- xen/arch/x86/hvm/dom0_build.c | 4 +++- xen/arch/x86/include/asm/bzimage.h | 2 +- xen/arch/x86/pv/dom0_build.c | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/bzimage.c b/xen/arch/x86/bzimage.c index ac4fd428be..0f4cfc49f7 100644 --- a/xen/arch/x86/bzimage.c +++ b/xen/arch/x86/bzimage.c @@ -105,7 +105,7 @@ unsigned long __init bzimage_headroom(void *image_start, } int __init bzimage_parse(void *image_base, void **image_start, - unsigned long *image_len) + unsigned long *image_len, unsigned int *align) { struct setup_header *hdr = (struct setup_header *)(*image_start); int err = bzimage_check(hdr, *image_len); @@ -118,6 +118,8 @@ int __init bzimage_parse(void *image_base, void **image_start, { *image_start += (hdr->setup_sects + 1) * 512 + hdr->payload_offset; *image_len = hdr->payload_length; + if ( align ) + *align = hdr->kernel_alignment; } if ( elf_is_elfbinary(*image_start, *image_len) ) diff --git a/xen/arch/x86/hvm/dom0_build.c b/xen/arch/x86/hvm/dom0_build.c index 0ceda4140b..bbae8a5645 100644 --- a/xen/arch/x86/hvm/dom0_build.c +++ b/xen/arch/x86/hvm/dom0_build.c @@ -548,12 +548,14 @@ static int __init pvh_load_kernel(struct domain *d, const module_t *image, struct elf_binary elf; struct elf_dom_parms parms; paddr_t last_addr; + unsigned int align = 0; struct hvm_start_info start_info = { 0 }; struct hvm_modlist_entry mod = { 0 }; struct vcpu *v = d->vcpu[0]; int rc; - if ( (rc = bzimage_parse(image_base, &image_start, &image_len)) != 0 ) + rc = bzimage_parse(image_base, &image_start, &image_len, &align); + if ( rc != 0 ) { printk("Error trying to detect bz compressed kernel\n"); return rc; diff --git a/xen/arch/x86/include/asm/bzimage.h b/xen/arch/x86/include/asm/bzimage.h index 7ed69d3910..2e04f5cc7b 100644 --- a/xen/arch/x86/include/asm/bzimage.h +++ b/xen/arch/x86/include/asm/bzimage.h @@ -6,6 +6,6 @@ unsigned long bzimage_headroom(void *image_start, unsigned long image_length); int bzimage_parse(void *image_base, void **image_start, - unsigned long *image_len); + unsigned long *image_len, unsigned int *align); #endif /* __X86_BZIMAGE_H__ */ diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index d8043fa58a..e9fa8a9a82 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -416,7 +416,7 @@ int __init dom0_construct_pv(struct domain *d, d->max_pages = ~0U; - if ( (rc = bzimage_parse(image_base, &image_start, &image_len)) != 0 ) + if ( (rc = bzimage_parse(image_base, &image_start, &image_len, NULL)) != 0 ) return rc; if ( (rc = elf_init(&elf, image_start, image_len)) != 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:45:05 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:45:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691251.1077003 (Exim 4.92) (envelope-from ) id 1rjbHN-00048d-LQ; Mon, 11 Mar 2024 08:45:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691251.1077003; Mon, 11 Mar 2024 08:45:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHN-00048W-Io; Mon, 11 Mar 2024 08:45:05 +0000 Received: by outflank-mailman (input) for mailman id 691251; Mon, 11 Mar 2024 08:45:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHM-00048L-C8 for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHM-0005Xx-BP for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbHM-0008T5-Aa for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RRydx3RACeX6Yr5O2bRzG0qBlcJprlvP9KD29JbNdCs=; b=tT7QfJGP1zvc0UZlW82sdY658l dT44GnOMoqTRR+kPKu5JsBoaw2g++YQhtBOPWP/718Pp7rJmk6oU2XDtxr4nWJtLs0Hrjop/Jq7Kw o2qFJxwXPmPh46Y1EmXtXsRu40LhXUgwJvS0N9/NDP2kV56oW+jRRJAgYyy25oAvGPLU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/spinlock: address violations of MISRA C Rule 20.7 Message-Id: Date: Mon, 11 Mar 2024 08:45:04 +0000 commit 9106769ea95029461bf1e4789b99c441bc3eff14 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:33:55 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:33:55 2024 +0100 xen/spinlock: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/spinlock.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 1cd9120eac..0e6a083dfb 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -94,7 +94,7 @@ struct lock_profile_qhead { int32_t idx; /* index for printout */ }; -#define _LOCK_PROFILE(lockname) { .name = #lockname, .lock = &lockname, } +#define _LOCK_PROFILE(lockname) { .name = #lockname, .lock = &(lockname), } #define _LOCK_PROFILE_PTR(name) \ static struct lock_profile * const __lock_profile_##name \ __used_section(".lockprofile.data") = \ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:45:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:45:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691252.1077008 (Exim 4.92) (envelope-from ) id 1rjbHX-0004BU-N2; Mon, 11 Mar 2024 08:45:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691252.1077008; Mon, 11 Mar 2024 08:45:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHX-0004BM-KK; Mon, 11 Mar 2024 08:45:15 +0000 Received: by outflank-mailman (input) for mailman id 691252; Mon, 11 Mar 2024 08:45:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHW-0004Av-FE for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHW-0005YE-EM for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbHW-0008TW-Dc for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vAakAQx8VwlSy+W1REGaMAoltvGVD2Qan9seJ/PSCwk=; b=V3x00OB6XCrv/xR6BDrSb2J8KL R3iGdpmRD5/xnH4TsZEqfMPJLX7HE4vBtlxDrpHhNril6YgArg2lygJXOYQ0jNocd/DjeQ2R7acXC q/G+AXcQ+kddRZwOUQl5RlhSwbnKI95DqkhVraA59g1YaH0HAO5NV6EnsEtg4EtwvKDs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/include: address violations of MISRA C Rule 20.7 Message-Id: Date: Mon, 11 Mar 2024 08:45:14 +0000 commit e51649b4c21377dd8d1c837a74e5007b082a4375 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:34:14 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:34:14 2024 +0100 xen/include: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/bug.h | 2 +- xen/include/xen/init.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/include/xen/bug.h b/xen/include/xen/bug.h index 2c45c462fc..77fe1e1ba8 100644 --- a/xen/include/xen/bug.h +++ b/xen/include/xen/bug.h @@ -80,7 +80,7 @@ struct bug_frame { [bf_type] "i" (type), \ [bf_ptr] "i" (ptr), \ [bf_msg] "i" (msg), \ - [bf_line_lo] "i" ((line & ((1 << BUG_LINE_LO_WIDTH) - 1)) \ + [bf_line_lo] "i" (((line) & ((1 << BUG_LINE_LO_WIDTH) - 1)) \ << BUG_DISP_WIDTH), \ [bf_line_hi] "i" (((line) >> BUG_LINE_LO_WIDTH) << BUG_DISP_WIDTH) diff --git a/xen/include/xen/init.h b/xen/include/xen/init.h index 1d7c0216bc..0a42238337 100644 --- a/xen/include/xen/init.h +++ b/xen/include/xen/init.h @@ -63,9 +63,9 @@ typedef int (*initcall_t)(void); typedef void (*exitcall_t)(void); #define presmp_initcall(fn) \ - const static initcall_t __initcall_##fn __init_call("presmp") = fn + const static initcall_t __initcall_##fn __init_call("presmp") = (fn) #define __initcall(fn) \ - const static initcall_t __initcall_##fn __init_call("1") = fn + const static initcall_t __initcall_##fn __init_call("1") = (fn) #define __exitcall(fn) \ static exitcall_t __exitcall_##fn __exit_call = fn -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:45:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:45:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691253.1077012 (Exim 4.92) (envelope-from ) id 1rjbHh-0004Ea-P0; Mon, 11 Mar 2024 08:45:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691253.1077012; Mon, 11 Mar 2024 08:45:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHh-0004ET-Lr; Mon, 11 Mar 2024 08:45:25 +0000 Received: by outflank-mailman (input) for mailman id 691253; Mon, 11 Mar 2024 08:45:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHg-0004EH-Hy for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHg-0005YP-H8 for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbHg-0008U0-GV for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wVQMCTqpvOOcpH+l/qbhj6B4Y6ez050Qu8WUIhczHFM=; b=2Yer+iRpNbyi7rT6DvxppimdQp 3kXjOLuk2+QmjRFNLbYM6b5HH928B/71sA37sOAmCWe5eOo1ggefGll+JVVAPTspPWXYKeUqlDgpo fA/A+1+OKb8jlcdEsu52gOm2X6thsY5s9XyqKr6G9fIt9O3Ugyo2Pk9dn3OoR1ySRrmQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/param: address violations of MISRA C Rule 20.7 Message-Id: Date: Mon, 11 Mar 2024 08:45:24 +0000 commit d937b2d1ee75340db4f66b7ed6a9dab1cea0eb41 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:34:45 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:34:45 2024 +0100 xen/param: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/param.h | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/xen/include/xen/param.h b/xen/include/xen/param.h index 13607e0e50..1bdbab34ab 100644 --- a/xen/include/xen/param.h +++ b/xen/include/xen/param.h @@ -45,42 +45,42 @@ extern const struct kernel_param __setup_start[], __setup_end[]; #define TEMP_NAME(base) _TEMP_NAME(base, __LINE__) #define custom_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_CUSTOM, \ - .par.func = _var } + .par.func = (_var) } #define boolean_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_BOOL, \ .len = sizeof(_var) + \ BUILD_BUG_ON_ZERO(sizeof(_var) != sizeof(bool)), \ - .par.var = &_var } + .par.var = &(_var) } #define integer_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_UINT, \ .len = sizeof(_var), \ - .par.var = &_var } + .par.var = &(_var) } #define size_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_SIZE, \ .len = sizeof(_var), \ - .par.var = &_var } + .par.var = &(_var) } #define string_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_STR, \ .len = sizeof(_var), \ - .par.var = &_var } + .par.var = &(_var) } #define ignore_param(_name) \ - __setup_str TEMP_NAME(__setup_str_ign)[] = _name; \ + __setup_str TEMP_NAME(__setup_str_ign)[] = (_name); \ __kparam TEMP_NAME(__setup_ign) = \ { .name = TEMP_NAME(__setup_str_ign), \ .type = OPT_IGNORE } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:45:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:45:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691254.1077016 (Exim 4.92) (envelope-from ) id 1rjbHr-0004Gr-Qz; Mon, 11 Mar 2024 08:45:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691254.1077016; Mon, 11 Mar 2024 08:45:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHr-0004Gi-Nv; Mon, 11 Mar 2024 08:45:35 +0000 Received: by outflank-mailman (input) for mailman id 691254; Mon, 11 Mar 2024 08:45:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHq-0004Ga-Nd for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbHq-0005Ya-L8 for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbHq-0008UP-Jb for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=PCXk/AJH0zanfhItxlrFB3c0cICrwerAaWRq2gFPIGw=; b=WFRONBiN2+xtsUodHzLsm+pMe3 7/hk0DtZVCbDbDm/o5CznrOsjQuRdA5xIG23HwaSA+immTgP9HJm4DocdjrryrfhtZSKio7FPaTRQ ozLTKKDcrZ0jCbM6Wlw71wRzlh9E6aU1rdOV9FwXB1h9eDE862IeghcG2zIxKW3CLkms=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: address some violations of MISRA C Rule 20.7 Message-Id: Date: Mon, 11 Mar 2024 08:45:34 +0000 commit 22d0e3487f6a44ad7aa132f25cc41f42e3f546e3 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:35:24 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:35:24 2024 +0100 xen/arm: address some violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/arch/arm/arm64/cpufeature.c | 14 ++++++------- xen/arch/arm/cpuerrata.c | 8 +++---- xen/arch/arm/include/asm/arm64/sysregs.h | 2 +- xen/arch/arm/include/asm/guest_atomics.h | 4 ++-- xen/arch/arm/include/asm/mm.h | 2 +- xen/arch/arm/include/asm/smccc.h | 36 ++++++++++++++++---------------- xen/arch/arm/include/asm/vgic-emul.h | 8 +++---- xen/arch/arm/vcpreg.c | 5 +++-- 8 files changed, 40 insertions(+), 39 deletions(-) diff --git a/xen/arch/arm/arm64/cpufeature.c b/xen/arch/arm/arm64/cpufeature.c index 864413d9cc..6fb8974ade 100644 --- a/xen/arch/arm/arm64/cpufeature.c +++ b/xen/arch/arm/arm64/cpufeature.c @@ -78,13 +78,13 @@ #define __ARM64_FTR_BITS(SIGNED, VISIBLE, STRICT, TYPE, SHIFT, WIDTH, SAFE_VAL) \ { \ - .sign = SIGNED, \ - .visible = VISIBLE, \ - .strict = STRICT, \ - .type = TYPE, \ - .shift = SHIFT, \ - .width = WIDTH, \ - .safe_val = SAFE_VAL, \ + .sign = (SIGNED), \ + .visible = (VISIBLE), \ + .strict = (STRICT), \ + .type = (TYPE), \ + .shift = (SHIFT), \ + .width = (WIDTH), \ + .safe_val = (SAFE_VAL), \ } /* Define a feature with unsigned values */ diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index a28fa6ac78..2b7101ea25 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -461,13 +461,13 @@ static bool has_ssbd_mitigation(const struct arm_cpu_capabilities *entry) #define MIDR_RANGE(model, min, max) \ .matches = is_affected_midr_range, \ - .midr_model = model, \ - .midr_range_min = min, \ - .midr_range_max = max + .midr_model = (model), \ + .midr_range_min = (min), \ + .midr_range_max = (max) #define MIDR_ALL_VERSIONS(model) \ .matches = is_affected_midr_range, \ - .midr_model = model, \ + .midr_model = (model), \ .midr_range_min = 0, \ .midr_range_max = (MIDR_VARIANT_MASK | MIDR_REVISION_MASK) diff --git a/xen/arch/arm/include/asm/arm64/sysregs.h b/xen/arch/arm/include/asm/arm64/sysregs.h index 3fdeb9d8cd..b593e4028b 100644 --- a/xen/arch/arm/include/asm/arm64/sysregs.h +++ b/xen/arch/arm/include/asm/arm64/sysregs.h @@ -465,7 +465,7 @@ /* Access to system registers */ #define WRITE_SYSREG64(v, name) do { \ - uint64_t _r = v; \ + uint64_t _r = (v); \ asm volatile("msr "__stringify(name)", %0" : : "r" (_r)); \ } while (0) #define READ_SYSREG64(name) ({ \ diff --git a/xen/arch/arm/include/asm/guest_atomics.h b/xen/arch/arm/include/asm/guest_atomics.h index a1745f8613..8893eb9a55 100644 --- a/xen/arch/arm/include/asm/guest_atomics.h +++ b/xen/arch/arm/include/asm/guest_atomics.h @@ -32,7 +32,7 @@ static inline void guest_##name(struct domain *d, int nr, volatile void *p) \ perfc_incr(atomics_guest_paused); \ \ domain_pause_nosync(d); \ - name(nr, p); \ + (name)(nr, p); \ domain_unpause(d); \ } @@ -52,7 +52,7 @@ static inline int guest_##name(struct domain *d, int nr, volatile void *p) \ perfc_incr(atomics_guest_paused); \ \ domain_pause_nosync(d); \ - oldbit = name(nr, p); \ + oldbit = (name)(nr, p); \ domain_unpause(d); \ \ return oldbit; \ diff --git a/xen/arch/arm/include/asm/mm.h b/xen/arch/arm/include/asm/mm.h index cbcf3bf147..48538b5337 100644 --- a/xen/arch/arm/include/asm/mm.h +++ b/xen/arch/arm/include/asm/mm.h @@ -250,7 +250,7 @@ static inline void __iomem *ioremap_wc(paddr_t start, size_t len) #define gaddr_to_gfn(ga) _gfn(paddr_to_pfn(ga)) #define mfn_to_maddr(mfn) pfn_to_paddr(mfn_x(mfn)) #define maddr_to_mfn(ma) _mfn(paddr_to_pfn(ma)) -#define vmap_to_mfn(va) maddr_to_mfn(virt_to_maddr((vaddr_t)va)) +#define vmap_to_mfn(va) maddr_to_mfn(virt_to_maddr((vaddr_t)(va))) #define vmap_to_page(va) mfn_to_page(vmap_to_mfn(va)) /* Page-align address and convert to frame number format */ diff --git a/xen/arch/arm/include/asm/smccc.h b/xen/arch/arm/include/asm/smccc.h index 1adcd37443..a289c48b7f 100644 --- a/xen/arch/arm/include/asm/smccc.h +++ b/xen/arch/arm/include/asm/smccc.h @@ -122,56 +122,56 @@ struct arm_smccc_res { #define __constraint_read_7 __constraint_read_6, "r" (r7) #define __declare_arg_0(a0, res) \ - struct arm_smccc_res *___res = res; \ - register unsigned long r0 ASM_REG(0) = (uint32_t)a0; \ + struct arm_smccc_res *___res = (res); \ + register unsigned long r0 ASM_REG(0) = (uint32_t)(a0); \ register unsigned long r1 ASM_REG(1); \ register unsigned long r2 ASM_REG(2); \ register unsigned long r3 ASM_REG(3) #define __declare_arg_1(a0, a1, res) \ - typeof(a1) __a1 = a1; \ - struct arm_smccc_res *___res = res; \ - register unsigned long r0 ASM_REG(0) = (uint32_t)a0; \ + typeof(a1) __a1 = (a1); \ + struct arm_smccc_res *___res = (res); \ + register unsigned long r0 ASM_REG(0) = (uint32_t)(a0); \ register unsigned long r1 ASM_REG(1) = __a1; \ register unsigned long r2 ASM_REG(2); \ register unsigned long r3 ASM_REG(3) #define __declare_arg_2(a0, a1, a2, res) \ - typeof(a1) __a1 = a1; \ - typeof(a2) __a2 = a2; \ - struct arm_smccc_res *___res = res; \ - register unsigned long r0 ASM_REG(0) = (uint32_t)a0; \ + typeof(a1) __a1 = (a1); \ + typeof(a2) __a2 = (a2); \ + struct arm_smccc_res *___res = (res); \ + register unsigned long r0 ASM_REG(0) = (uint32_t)(a0); \ register unsigned long r1 ASM_REG(1) = __a1; \ register unsigned long r2 ASM_REG(2) = __a2; \ register unsigned long r3 ASM_REG(3) #define __declare_arg_3(a0, a1, a2, a3, res) \ - typeof(a1) __a1 = a1; \ - typeof(a2) __a2 = a2; \ - typeof(a3) __a3 = a3; \ - struct arm_smccc_res *___res = res; \ - register unsigned long r0 ASM_REG(0) = (uint32_t)a0; \ + typeof(a1) __a1 = (a1); \ + typeof(a2) __a2 = (a2); \ + typeof(a3) __a3 = (a3); \ + struct arm_smccc_res *___res = (res); \ + register unsigned long r0 ASM_REG(0) = (uint32_t)(a0); \ register unsigned long r1 ASM_REG(1) = __a1; \ register unsigned long r2 ASM_REG(2) = __a2; \ register unsigned long r3 ASM_REG(3) = __a3 #define __declare_arg_4(a0, a1, a2, a3, a4, res) \ - typeof(a4) __a4 = a4; \ + typeof(a4) __a4 = (a4); \ __declare_arg_3(a0, a1, a2, a3, res); \ register unsigned long r4 ASM_REG(4) = __a4 #define __declare_arg_5(a0, a1, a2, a3, a4, a5, res) \ - typeof(a5) __a5 = a5; \ + typeof(a5) __a5 = (a5); \ __declare_arg_4(a0, a1, a2, a3, a4, res); \ register typeof(a5) r5 ASM_REG(5) = __a5 #define __declare_arg_6(a0, a1, a2, a3, a4, a5, a6, res) \ - typeof(a6) __a6 = a6; \ + typeof(a6) __a6 = (a6); \ __declare_arg_5(a0, a1, a2, a3, a4, a5, res); \ register typeof(a6) r6 ASM_REG(6) = __a6 #define __declare_arg_7(a0, a1, a2, a3, a4, a5, a6, a7, res) \ - typeof(a7) __a7 = a7; \ + typeof(a7) __a7 = (a7); \ __declare_arg_6(a0, a1, a2, a3, a4, a5, a6, res); \ register typeof(a7) r7 ASM_REG(7) = __a7 diff --git a/xen/arch/arm/include/asm/vgic-emul.h b/xen/arch/arm/include/asm/vgic-emul.h index e52fbaa3ec..fd0cfa2175 100644 --- a/xen/arch/arm/include/asm/vgic-emul.h +++ b/xen/arch/arm/include/asm/vgic-emul.h @@ -6,11 +6,11 @@ * a range of registers */ -#define VREG32(reg) reg ... reg + 3 -#define VREG64(reg) reg ... reg + 7 +#define VREG32(reg) (reg) ... ((reg) + 3) +#define VREG64(reg) (reg) ... ((reg) + 7) -#define VRANGE32(start, end) start ... end + 3 -#define VRANGE64(start, end) start ... end + 7 +#define VRANGE32(start, end) (start) ... ((end) + 3) +#define VRANGE64(start, end) (start) ... ((end) + 7) /* * 64 bits registers can be accessible using 32-bit and 64-bit unless diff --git a/xen/arch/arm/vcpreg.c b/xen/arch/arm/vcpreg.c index a2d0500704..019cf34f00 100644 --- a/xen/arch/arm/vcpreg.c +++ b/xen/arch/arm/vcpreg.c @@ -39,7 +39,8 @@ */ #ifdef CONFIG_ARM_64 -#define WRITE_SYSREG_SZ(sz, val, sysreg) WRITE_SYSREG((uint##sz##_t)val, sysreg) +#define WRITE_SYSREG_SZ(sz, val, sysreg) \ + WRITE_SYSREG((uint##sz##_t)(val), sysreg) #else /* * WRITE_SYSREG{32/64} on arm32 is defined as variadic macro which imposes @@ -64,7 +65,7 @@ static bool func(struct cpu_user_regs *regs, type##sz##_t *r, bool read) \ bool cache_enabled = vcpu_has_cache_enabled(v); \ \ GUEST_BUG_ON(read); \ - WRITE_SYSREG_SZ(sz, *r, reg); \ + WRITE_SYSREG_SZ(sz, *(r), reg); \ \ p2m_toggle_cache(v, cache_enabled); \ \ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:45:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:45:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691255.1077021 (Exim 4.92) (envelope-from ) id 1rjbI1-0004Jw-T8; Mon, 11 Mar 2024 08:45:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691255.1077021; Mon, 11 Mar 2024 08:45:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbI1-0004Jo-PM; Mon, 11 Mar 2024 08:45:45 +0000 Received: by outflank-mailman (input) for mailman id 691255; Mon, 11 Mar 2024 08:45:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbI0-0004Jd-OW for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbI0-0005Yl-No for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbI0-0008Uq-NG for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=JhIJT/LdkhfhKeNHnp/xZKSghYD8Wvl59VuY+rWIH68=; b=kKcA/21WilVhPE5oFux/kJ5SNw Q1Xcqb2XhEs9+HKQ6/WlZVAbDjyxQjUEfUgLXbMT+QFJhxT6sPgsPl99JagKJMsJMtFKA4WC0kUGd kREHySuHeZvBVGcF7spNbwdT8qCskKGz7XFKTaSnxPsKBGPG2DXP7F7KO/D5AfZwsMAw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/irq: parenthesize negative constants Message-Id: Date: Mon, 11 Mar 2024 08:45:44 +0000 commit acb13d1b819e5e3fc1ac217d43f297a7eec5a81e Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:35:50 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:35:50 2024 +0100 x86/irq: parenthesize negative constants These constants are parenthesized to avoid them from possibly influencing the semantics of the constructs where it is used, especially inside macros invocations. This also resolves some violations of MISRA C Rule 20.7 ("Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses"). No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini Acked-by: Jan Beulich --- xen/arch/x86/include/asm/irq.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h index 082a3d6bbc..7d49f3c190 100644 --- a/xen/arch/x86/include/asm/irq.h +++ b/xen/arch/x86/include/asm/irq.h @@ -172,16 +172,16 @@ void cleanup_domain_irq_mapping(struct domain *d); void *__ret = radix_tree_lookup(&(d)->arch.irq_pirq, irq); \ __ret ? radix_tree_ptr_to_int(__ret) : 0; \ }) -#define PIRQ_ALLOCATED -1 +#define PIRQ_ALLOCATED (-1) #define domain_pirq_to_emuirq(d, pirq) pirq_field(d, pirq, \ arch.hvm.emuirq, IRQ_UNBOUND) #define domain_emuirq_to_pirq(d, emuirq) ({ \ void *__ret = radix_tree_lookup(&(d)->arch.hvm.emuirq_pirq, emuirq);\ __ret ? radix_tree_ptr_to_int(__ret) : IRQ_UNBOUND; \ }) -#define IRQ_UNBOUND -1 -#define IRQ_PT -2 -#define IRQ_MSI_EMU -3 +#define IRQ_UNBOUND (-1) +#define IRQ_PT (-2) +#define IRQ_MSI_EMU (-3) bool cpu_has_pending_apic_eoi(void); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:45:57 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:45:57 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691256.1077023 (Exim 4.92) (envelope-from ) id 1rjbIC-0004NG-Uu; Mon, 11 Mar 2024 08:45:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691256.1077023; Mon, 11 Mar 2024 08:45:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbIC-0004N8-S9; Mon, 11 Mar 2024 08:45:56 +0000 Received: by outflank-mailman (input) for mailman id 691256; Mon, 11 Mar 2024 08:45:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbIA-0004Mu-RX for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbIA-0005ZD-Qr for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbIA-0008VH-Q2 for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:45:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DtvR0CMsSjG9+ciT344fM9MbCCaNdAAkSo34Oy8iCXA=; b=qX/8v6fhm9mZ06mM7nLrVUxAkw fp+o5mb3usLUccIr+t36euqfunZWxXJ/eoDuB+Rcx9MHWR7DD2A+LZWN0y3iOAOOoBYNFZbl03BdL RGp4SBTnlZdEtjurRM4Hz0492f4UcJ1K5h8FFg+Scld6zq8RS7wZepqioUM6BjjSfjiU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] arm/smmu: address some violations of MISRA C Rule 20.7 Message-Id: Date: Mon, 11 Mar 2024 08:45:54 +0000 commit e90089db3fab06dc8947fcd64f1ed54569e708a6 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:36:20 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:36:20 2024 +0100 arm/smmu: address some violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/drivers/passthrough/arm/smmu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/drivers/passthrough/arm/smmu.c b/xen/drivers/passthrough/arm/smmu.c index 625ed0e419..83196057a9 100644 --- a/xen/drivers/passthrough/arm/smmu.c +++ b/xen/drivers/passthrough/arm/smmu.c @@ -242,7 +242,7 @@ struct arm_smmu_xen_device { struct iommu_group *group; }; -#define dev_archdata(dev) ((struct arm_smmu_xen_device *)dev->iommu) +#define dev_archdata(dev) ((struct arm_smmu_xen_device *)(dev)->iommu) #define dev_iommu_domain(dev) (dev_archdata(dev)->domain) #define dev_iommu_group(dev) (dev_archdata(dev)->group) @@ -627,7 +627,7 @@ struct arm_smmu_master_cfg { }; #define INVALID_SMENDX -1 #define for_each_cfg_sme(cfg, i, idx, num) \ - for (i = 0; idx = cfg->smendx[i], i < num; ++i) + for (i = 0; idx = (cfg)->smendx[i], (i) < (num); ++(i)) struct arm_smmu_master { struct device_node *of_node; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 08:55:07 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 08:55:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691258.1077027 (Exim 4.92) (envelope-from ) id 1rjbR3-0005cH-Jn; Mon, 11 Mar 2024 08:55:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691258.1077027; Mon, 11 Mar 2024 08:55:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbR3-0005cA-HL; Mon, 11 Mar 2024 08:55:05 +0000 Received: by outflank-mailman (input) for mailman id 691258; Mon, 11 Mar 2024 08:55:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbR1-0005c2-OR for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:55:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjbR1-0005mb-Lz for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:55:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjbR1-0000XZ-L5 for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 08:55:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0yga6sbPHPQ+3CArdIfJYXQXoizTGGKzoSXjaSHjwmM=; b=hJRMQG8e1ER0cp+0oF5Ql4169x vj7RXYq0e4Dba/X81b76QvJ87LGLcrnnScTaG4nCTMVEFFGtUX9q+fJk0EQVkTUT69d1RY7f80PrU K+Q8lmAlyPBEI5w7BFG2g52+ufFKhsXtDQLGFesWl/8l/ZpIBFwW4KCXUi7ZcDFEj4WE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/ppc: switch PPC to use asm-generic/device.h Message-Id: Date: Mon, 11 Mar 2024 08:55:03 +0000 commit 1396892d801cf148644cd5590be2f143648f9083 Author: Oleksii Kurochko AuthorDate: Mon Mar 11 09:45:45 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:45:45 2024 +0100 xen/ppc: switch PPC to use asm-generic/device.h Signed-off-by: Oleksii Kurochko Acked-by: Shawn Anastasio --- xen/arch/ppc/include/asm/Makefile | 1 + xen/arch/ppc/include/asm/device.h | 53 --------------------------------------- 2 files changed, 1 insertion(+), 53 deletions(-) diff --git a/xen/arch/ppc/include/asm/Makefile b/xen/arch/ppc/include/asm/Makefile index 3fd893f3e0..ced02e26ed 100644 --- a/xen/arch/ppc/include/asm/Makefile +++ b/xen/arch/ppc/include/asm/Makefile @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-2.0-only generic-y += altp2m.h +generic-y += device.h generic-y += div64.h generic-y += hardirq.h generic-y += hypercall.h diff --git a/xen/arch/ppc/include/asm/device.h b/xen/arch/ppc/include/asm/device.h deleted file mode 100644 index 8253e61d51..0000000000 --- a/xen/arch/ppc/include/asm/device.h +++ /dev/null @@ -1,53 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -#ifndef __ASM_PPC_DEVICE_H__ -#define __ASM_PPC_DEVICE_H__ - -enum device_type -{ - DEV_DT, - DEV_PCI, -}; - -struct device { - enum device_type type; -#ifdef CONFIG_HAS_DEVICE_TREE - struct dt_device_node *of_node; /* Used by drivers imported from Linux */ -#endif -}; - -enum device_class -{ - DEVICE_SERIAL, - DEVICE_IOMMU, - DEVICE_PCI_HOSTBRIDGE, - /* Use for error */ - DEVICE_UNKNOWN, -}; - -struct device_desc { - /* Device name */ - const char *name; - /* Device class */ - enum device_class class; - /* List of devices supported by this driver */ - const struct dt_device_match *dt_match; - /* - * Device initialization. - * - * -EAGAIN is used to indicate that device probing is deferred. - */ - int (*init)(struct dt_device_node *dev, const void *data); -}; - -typedef struct device device_t; - -#define DT_DEVICE_START(name_, namestr_, class_) \ -static const struct device_desc __dev_desc_##name_ __used \ -__section(".dev.info") = { \ - .name = namestr_, \ - .class = class_, \ - -#define DT_DEVICE_END \ -}; - -#endif /* __ASM_PPC_DEVICE_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 11 11:22:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 11 Mar 2024 11:22:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691412.1077362 (Exim 4.92) (envelope-from ) id 1rjdjJ-0001tt-0o; Mon, 11 Mar 2024 11:22:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691412.1077362; Mon, 11 Mar 2024 11:22:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjdjI-0001tl-U1; Mon, 11 Mar 2024 11:22:04 +0000 Received: by outflank-mailman (input) for mailman id 691412; Mon, 11 Mar 2024 11:22:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjdjI-0001tf-2b for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 11:22:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjdjI-0002uU-0j for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 11:22:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjdjH-00073y-Rv for xen-changelog@lists.xenproject.org; Mon, 11 Mar 2024 11:22:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=bPeQ4YHQmZbGO+2Ft/bx0kI53npd+BuGrngLpkwU5mw=; b=emfPzSw30pB2koYxMnc3KGhYjm VJoMdbz0aXlCq7V56k/u9jDDUMGNEj3Zr61jxKbuhl9PaTw0uVuSKd/6WreiKhMmAGNQEr9K5gak5 l6vPoIoPFHFYt8D8Bzo6gk+/axEMCMQ3x++tlKQuwdihrfur3rpK4fjwpz0P3X6nZxlY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() Message-Id: Date: Mon, 11 Mar 2024 11:22:03 +0000 commit 7c81558208de7858251b62f168a449be84305595 Author: Roger Pau Monne AuthorDate: Mon Mar 11 11:54:16 2024 +0100 Commit: Andrew Cooper CommitDate: Mon Mar 11 11:09:42 2024 +0000 x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() The current logic to detect when to switch to the next L1 table is incorrectly using l2_table_offset() in order to notice when the last entry on the current L1 table has been reached. It should instead use l1_table_offset() to check whether the index has wrapped to point to the first entry, and so the next L1 table should be used. Fixes: 8676092a0f16 ('x86/livepatch: Fix livepatch application when CET is active') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper --- xen/arch/x86/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 2aff6d4b53..0c6658298d 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5959,7 +5959,7 @@ void init_or_livepatch modify_xen_mappings_lite( v += 1UL << L1_PAGETABLE_SHIFT; - if ( l2_table_offset(v) == 0 ) + if ( l1_table_offset(v) == 0 ) break; } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:33:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:33:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691589.1077691 (Exim 4.92) (envelope-from ) id 1rjr0p-0007dC-SI; Tue, 12 Mar 2024 01:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691589.1077691; Tue, 12 Mar 2024 01:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr0p-0007d3-Os; Tue, 12 Mar 2024 01:33:03 +0000 Received: by outflank-mailman (input) for mailman id 691589; Tue, 12 Mar 2024 01:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr0o-0007cx-C8 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr0o-0003ja-AC for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr0o-0000IG-9A for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=dIB6hwHe6wlwlIYhHWoLgLBDA6C6fhNnwrOyn38KZAU=; b=uEGV1M/eGtkZIVauGP5b0eUPhA NFYTw1TF3kt6Dybk98aWiBaibe+tWgflYrzDLB4U0zzGq6ia27zsAD05pVuw2bRDTNzMkiVGXS8jE w8uLz2zXgs2XV29PC7+vDX804btf6KZn9AWrweUVHXmtNKKz9cHzMjT+P7qr4uqNR1uY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/EFI: correct compiler probing Message-Id: Date: Tue, 12 Mar 2024 01:33:02 +0000 commit 2f7481d59255680c1de98f43467d3862453dd50a Author: Jan Beulich AuthorDate: Thu Mar 7 09:14:55 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:14:55 2024 +0100 x86/EFI: correct compiler probing Passing in $(CFLAGS) means also requesting inclusion of certain headers (via -include command line options). That's particularly xen/config.h, which in turn requires generated/autoconf.h. This has not caused any problems so far only because arch.mk is processed twice, and the missing header on the 1st pass would be there on the 2nd. Having added an inclusion of asm/asm-macros.h to x86'es asm/config.h, the 2nd pass then also fails on an initial, pristine build. As per dd40177c1bc8 ("x86-64/EFI: add CFLAGS to check compile") dropping the use of $(CFLAGS) altogether isn't an option, though. Hence remove the problematic options only. Signed-off-by: Jan Beulich Reviewed-by: Anthony PERARD --- xen/arch/x86/arch.mk | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/xen/arch/x86/arch.mk b/xen/arch/x86/arch.mk index 751fd8d410..4f6c086988 100644 --- a/xen/arch/x86/arch.mk +++ b/xen/arch/x86/arch.mk @@ -87,7 +87,8 @@ efi-check := arch/x86/efi/check $(shell mkdir -p $(dir $(efi-check))) # Check if the compiler supports the MS ABI. -XEN_BUILD_EFI := $(call if-success,$(CC) $(CFLAGS) -c $(srctree)/$(efi-check).c -o $(efi-check).o,y) +XEN_BUILD_EFI := $(call if-success,$(CC) $(filter-out -include %/include/xen/config.h,$(CFLAGS)) \ + -c $(srctree)/$(efi-check).c -o $(efi-check).o,y) # Check if the linker supports PE. EFI_LDFLAGS := $(patsubst -m%,-mi386pep,$(LDFLAGS)) --subsystem=10 -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:33:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:33:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691590.1077695 (Exim 4.92) (envelope-from ) id 1rjr0y-0007g5-Tv; Tue, 12 Mar 2024 01:33:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691590.1077695; Tue, 12 Mar 2024 01:33:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr0y-0007fx-Qe; Tue, 12 Mar 2024 01:33:12 +0000 Received: by outflank-mailman (input) for mailman id 691590; Tue, 12 Mar 2024 01:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr0y-0007fd-Gq for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr0y-0003je-Fh for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr0y-0000If-CG for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lC8+0YgtfEJT4oMpoHFEWwA9Smy93gYNuOiHU09tRCY=; b=nzir4W6Wujb9osd4H66yYDG0U5 DjUnRJkdT0nIpVsK5ZAgwxOlYeV0sly4oI6SP+y4eYJ+zLQN7AJz53M5qN7OOa0Sz01EjAckxDhaS H1NkcuO6jyof0rin5kF0AQypkTCn/GkqvqePYksjc1FswjpHCX3zPekICHlEmBORDxGo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Kbuild: simplify as-insn a little Message-Id: Date: Tue, 12 Mar 2024 01:33:12 +0000 commit 5daf46b439454921c19ca30840bb39424b36444b Author: Jan Beulich AuthorDate: Thu Mar 7 09:15:17 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:15:17 2024 +0100 Kbuild: simplify as-insn a little As of 732571959f17 ("xen/build: use new $(c_flags) and $(a_flags) instead of $(CFLAGS)") -M options aren't part of CFLAGS anymore, and c_flags isn't supposed to be passed to this macro. Drop the now dead part of filtering. Signed-off-by: Jan Beulich Reviewed-by: Anthony PERARD --- xen/scripts/Kbuild.include | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/scripts/Kbuild.include b/xen/scripts/Kbuild.include index c2bd8498e1..c2e4ec811b 100644 --- a/xen/scripts/Kbuild.include +++ b/xen/scripts/Kbuild.include @@ -59,7 +59,7 @@ endef # as-insn: Check whether assembler supports an instruction. # Usage: cflags-y += $(call as-insn,CC FLAGS,"insn",option-yes,option-no) as-insn = $(if $(shell echo 'void _(void) { asm volatile ( $(2) ); }' \ - | $(filter-out -M% %.d -include %/include/xen/config.h,$(1)) \ + | $(filter-out -include %/include/xen/config.h,$(1)) \ -c -x c -o /dev/null - 2>&1),$(4),$(3)) # as-option-add: Conditionally add options to flags -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:33:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:33:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691591.1077700 (Exim 4.92) (envelope-from ) id 1rjr19-0007jW-Vo; Tue, 12 Mar 2024 01:33:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691591.1077700; Tue, 12 Mar 2024 01:33:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr19-0007jP-SF; Tue, 12 Mar 2024 01:33:23 +0000 Received: by outflank-mailman (input) for mailman id 691591; Tue, 12 Mar 2024 01:33:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr18-0007jD-LC for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr18-0003jt-KP for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr18-0000J4-Hm for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KCGr+J8/FWP5cIQTc+Vtjl2pLalf2OCGzm3/wUelfHM=; b=spnYZfYfjQmuOge3/kLclkKNJ1 NvWP7zckcLk0sUcuRKkQGaIG/1hHUWLwkL/kFe49KE2+P5FH1GiQIUmI/LhxATreHi5Df9U4zpxyf Yk+rf++fzKBogdq10a8kRqaxsZMDJh6Bm3XjV61ETgy8hJZuijayc9xpOtQS8hWWfXSk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/asm: add commas to BUILD_BUG_ON Message-Id: Date: Tue, 12 Mar 2024 01:33:22 +0000 commit 9249a441c98ff063c0c065538b419a3bf1dac24a Author: Jan Beulich AuthorDate: Thu Mar 7 09:16:13 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:16:13 2024 +0100 x86/asm: add commas to BUILD_BUG_ON In light of recent observations with how macros are handled by gas, let's play by what we informally set for ourselves as a guideline: Use commas to separate parameters/arguments. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- xen/arch/x86/include/asm/asm_defns.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h index cf9573705d..5c8cc2428e 100644 --- a/xen/arch/x86/include/asm/asm_defns.h +++ b/xen/arch/x86/include/asm/asm_defns.h @@ -82,13 +82,13 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ -.macro BUILD_BUG_ON condstr cond:vararg +.macro BUILD_BUG_ON condstr, cond:vararg .if \cond .error "Condition \"\condstr\" not satisfied" .endif .endm /* preprocessor macro to make error message more user friendly */ -#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond cond +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:33:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:33:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691592.1077702 (Exim 4.92) (envelope-from ) id 1rjr1K-0007m8-0U; Tue, 12 Mar 2024 01:33:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691592.1077702; Tue, 12 Mar 2024 01:33:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1J-0007m3-Tu; Tue, 12 Mar 2024 01:33:33 +0000 Received: by outflank-mailman (input) for mailman id 691592; Tue, 12 Mar 2024 01:33:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1I-0007lj-OV for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1I-0003k6-NK for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr1I-0000JT-MV for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LBoghdhOs9hlTkOHg4OjLA2NaoQigGs72aaQsbYjO+A=; b=CPXP3M/k/xTwBAwyMIHj23Vi3c LCBKjrociaM3NdPltq1tuP3tiQAP2/eqBePOfxOfzKp5gZV3OmCkJmCqLI03SLFttSqoXNKWi8e/n qw1FDq+yp9FdQoD7Y9B0J1WPopm+S/dH13wFZ1b2pelMB7b9OTXyk0MMvrmSZ4JniyoU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] CHANGELOG: add an entry for 9pfsd Message-Id: Date: Tue, 12 Mar 2024 01:33:32 +0000 commit 4ad4df0964aa374562fa574d4671d278f54f5d32 Author: Juergen Gross AuthorDate: Thu Mar 7 09:16:53 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:16:53 2024 +0100 CHANGELOG: add an entry for 9pfsd Add an entry to CHANGELOG.md regarding the new xen-9pfsd daemon. Signed-off-by: Juergen Gross Acked-by: Oleksii Kurochko --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f9874f9bb0..93fda73c00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - On x86: - Introduce a new x2APIC driver that uses Cluster Logical addressing mode for IPIs and Physical addressing mode for external interrupts. + - Add a new 9pfs backend running as a daemon in dom0. First user is + Xenstore-stubdom now being able to support full Xenstore trace capability. ### Removed - caml-stubdom. It hasn't built since 2014, was pinned to Ocaml 4.02, and has -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:33:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:33:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691593.1077708 (Exim 4.92) (envelope-from ) id 1rjr1U-0007pF-37; Tue, 12 Mar 2024 01:33:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691593.1077708; Tue, 12 Mar 2024 01:33:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1T-0007p4-Vh; Tue, 12 Mar 2024 01:33:43 +0000 Received: by outflank-mailman (input) for mailman id 691593; Tue, 12 Mar 2024 01:33:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1S-0007ot-Sx for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1S-0003kE-SC for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr1S-0000Js-PT for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iOG3b0L2WAGEvu10B56FKtFov6KFRrRpYnK8BXvi0e4=; b=O4CJeg09NT+dh2kTAUac+ptSRu ZxS15Y/WFvcstys0R1hdQPVoImhPgPOhAv0RM0fn8GSyruhzlfvZ/Og4auAItRQV25Tjkd1OS3+CZ EeoQiK+q4uOg9HRCu/qePBkhg9T/Lbd0V+ahSr0q8LveiGhdGtMswLMPQNWgoUmUnt38=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/asm: add commas to further macros definitions/invocations Message-Id: Date: Tue, 12 Mar 2024 01:33:42 +0000 commit 49b664f5bffa3a86734c66491d7dcdebbdecfb26 Author: Jan Beulich AuthorDate: Thu Mar 7 09:17:26 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:17:26 2024 +0100 x86/asm: add commas to further macros definitions/invocations In light of recent observations with how macros are handled by gas, let's play by what we informally set for ourselves as a guideline: Use commas to separate parameters/arguments. Requested-by: Andrew Cooper Signed-off-by: Jan Beulich Acked-by: Andrew Cooper --- xen/arch/x86/include/asm/alternative-asm.h | 2 +- xen/arch/x86/include/asm/asm-defns.h | 6 +++--- xen/arch/x86/include/asm/asm_defns.h | 2 +- xen/arch/x86/include/asm/spec_ctrl_asm.h | 2 +- xen/arch/x86/x86_64/compat/entry.S | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/include/asm/alternative-asm.h b/xen/arch/x86/include/asm/alternative-asm.h index fa21f71dab..4092f5ba70 100644 --- a/xen/arch/x86/include/asm/alternative-asm.h +++ b/xen/arch/x86/include/asm/alternative-asm.h @@ -11,7 +11,7 @@ * enough information for the alternatives patching code to patch an * instruction. See apply_alternatives(). */ -.macro altinstruction_entry orig repl feature orig_len repl_len pad_len +.macro altinstruction_entry orig, repl, feature, orig_len, repl_len, pad_len .long \orig - . .long \repl - . .word \feature diff --git a/xen/arch/x86/include/asm/asm-defns.h b/xen/arch/x86/include/asm/asm-defns.h index 9a7073ced5..0e5f0be768 100644 --- a/xen/arch/x86/include/asm/asm-defns.h +++ b/xen/arch/x86/include/asm/asm-defns.h @@ -29,7 +29,7 @@ BUG /* Shouldn't return */ .endm -.macro INDIRECT_BRANCH insn:req arg:req +.macro INDIRECT_BRANCH insn:req, arg:req /* * Create an indirect branch. insn is one of call/jmp, arg is a single * register. @@ -59,11 +59,11 @@ /* Convenience wrappers. */ .macro INDIRECT_CALL arg:req - INDIRECT_BRANCH call \arg + INDIRECT_BRANCH call, \arg .endm .macro INDIRECT_JMP arg:req - INDIRECT_BRANCH jmp \arg + INDIRECT_BRANCH jmp, \arg .endm #ifdef CONFIG_XEN_IBT diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h index 5c8cc2428e..a69fae78b1 100644 --- a/xen/arch/x86/include/asm/asm_defns.h +++ b/xen/arch/x86/include/asm/asm_defns.h @@ -281,7 +281,7 @@ static always_inline void stac(void) * @compat: R8-R15 don't need reloading, but they are clobbered for added * safety against information leaks. */ -.macro RESTORE_ALL adj=0 compat=0 +.macro RESTORE_ALL adj=0, compat=0 .if !\compat movq UREGS_r15(%rsp), %r15 movq UREGS_r14(%rsp), %r14 diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index 6cb7c1b949..aecb91d848 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -104,7 +104,7 @@ .L\@_done: .endm -.macro DO_OVERWRITE_RSB tmp=rax xu +.macro DO_OVERWRITE_RSB tmp=rax, xu /* * Requires nothing * Clobbers \tmp (%rax by default), %rcx diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 2f8fe5ebfb..9951b3e328 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -158,7 +158,7 @@ FUNC(compat_restore_all_guest) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ - RESTORE_ALL adj=8 compat=1 + RESTORE_ALL adj=8, compat=1 .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) END(compat_restore_all_guest) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:33:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:33:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691594.1077710 (Exim 4.92) (envelope-from ) id 1rjr1e-0007rh-3h; Tue, 12 Mar 2024 01:33:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691594.1077710; Tue, 12 Mar 2024 01:33:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1e-0007rZ-0x; Tue, 12 Mar 2024 01:33:54 +0000 Received: by outflank-mailman (input) for mailman id 691594; Tue, 12 Mar 2024 01:33:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1c-0007rN-W2 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1c-0003lX-VC for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr1c-0000KJ-UH for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:33:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cImDsn3C8h0xPUT+Dg+RWp6/m+TTULqk7Xp7YZBu7+o=; b=NHBJ/q01vesPfXpFua9maPV3Uz xhlw3jWDEWlD/FdoNEAT1383QU7DNFawCeubw95ga/kJ237jR0k33pApKHUkmrYyZCLPSEp/c+BI5 HKQp1tzkrsA3HxkCvrFjH4DLoUIU3FBJy89OAlpyoqpNizGB0T/WpJJzR46s4qv2976A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] SUPPORT.md: add xen-9pfsd Message-Id: Date: Tue, 12 Mar 2024 01:33:52 +0000 commit 08bb338f09a54d3b39f0d952bbd67461d8e5d0ed Author: Juergen Gross AuthorDate: Thu Mar 7 09:18:04 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 7 09:18:04 2024 +0100 SUPPORT.md: add xen-9pfsd Add a support statement for the new xen-9pfsd backend. Set it to "Experimental", as some functionality for Linux guests is missing (only tested to work with Xenstore-stubdom). Signed-off-by: Juergen Gross Acked-by: Jan Beulich --- SUPPORT.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SUPPORT.md b/SUPPORT.md index 7eb6875cfa..510bb02190 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -665,6 +665,7 @@ there is currently no xl support. ### PV 9pfs (backend) Status, QEMU: Tech Preview + Status, xen-9pfsd: Experimental ### PVCalls (backend) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:34:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:34:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691595.1077715 (Exim 4.92) (envelope-from ) id 1rjr1o-0007uc-5U; Tue, 12 Mar 2024 01:34:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691595.1077715; Tue, 12 Mar 2024 01:34:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1o-0007uV-2R; Tue, 12 Mar 2024 01:34:04 +0000 Received: by outflank-mailman (input) for mailman id 691595; Tue, 12 Mar 2024 01:34:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1n-0007uK-2q for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1n-0003lr-22 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr1n-0000LH-18 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=dNPXas7WXMlCdObhMKAOAR0FbloWrQIQs6Z3/To00gg=; b=EmbrADc71t6sP7AJTORAzNp96q bEDYbiib5fl7a43w/25vK851f+uatuZgWRMBw4G59X0gWY4iNykVZA8HmxEesrPDkbg2T5LZO7AAh yIt06EAHb8epK974MSWo6LC4YaXSraFLWitWUcz6t+rwBAOen2mPxWdxTHuHcqi/kZfc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/virtual-region: Rename the start/end fields Message-Id: Date: Tue, 12 Mar 2024 01:34:03 +0000 commit 989556c6f8ca080f5f202417af97d1188b9ba52a Author: Andrew Cooper AuthorDate: Tue Mar 5 11:28:33 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 xen/virtual-region: Rename the start/end fields ... to text_{start,end}. We're about to introduce another start/end pair. Despite it's name, struct virtual_region has always been a module-ish description. Call this out specifically. As minor cleanup, replace ROUNDUP(x, PAGE_SIZE) with the more concise PAGE_ALIGN() ahead of duplicating the example. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/common/livepatch.c | 4 ++-- xen/common/virtual_region.c | 19 ++++++++++--------- xen/include/xen/virtual_region.h | 11 +++++++++-- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 5a7d5b7be0..888beb2732 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -785,8 +785,8 @@ static int prepare_payload(struct payload *payload, region = &payload->region; region->symbols_lookup = livepatch_symbols_lookup; - region->start = payload->text_addr; - region->end = payload->text_addr + payload->text_size; + region->text_start = payload->text_addr; + region->text_end = payload->text_addr + payload->text_size; /* Optional sections. */ for ( i = 0; i < BUGFRAME_NR; i++ ) diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index cefef3e47e..b74030d700 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -11,15 +11,15 @@ static struct virtual_region core = { .list = LIST_HEAD_INIT(core.list), - .start = _stext, - .end = _etext, + .text_start = _stext, + .text_end = _etext, }; /* Becomes irrelevant when __init sections are cleared. */ static struct virtual_region core_init __initdata = { .list = LIST_HEAD_INIT(core_init.list), - .start = _sinittext, - .end = _einittext, + .text_start = _sinittext, + .text_end = _einittext, }; /* @@ -39,7 +39,8 @@ const struct virtual_region *find_text_region(unsigned long addr) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu ( iter, &virtual_region_list, list ) { - if ( (void *)addr >= iter->start && (void *)addr < iter->end ) + if ( (void *)addr >= iter->text_start && + (void *)addr < iter->text_end ) { region = iter; break; @@ -88,8 +89,8 @@ void relax_virtual_region_perms(void) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu( region, &virtual_region_list, list ) - modify_xen_mappings_lite((unsigned long)region->start, - ROUNDUP((unsigned long)region->end, PAGE_SIZE), + modify_xen_mappings_lite((unsigned long)region->text_start, + PAGE_ALIGN((unsigned long)region->text_end), PAGE_HYPERVISOR_RWX); rcu_read_unlock(&rcu_virtual_region_lock); } @@ -100,8 +101,8 @@ void tighten_virtual_region_perms(void) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu( region, &virtual_region_list, list ) - modify_xen_mappings_lite((unsigned long)region->start, - ROUNDUP((unsigned long)region->end, PAGE_SIZE), + modify_xen_mappings_lite((unsigned long)region->text_start, + PAGE_ALIGN((unsigned long)region->text_end), PAGE_HYPERVISOR_RX); rcu_read_unlock(&rcu_virtual_region_lock); } diff --git a/xen/include/xen/virtual_region.h b/xen/include/xen/virtual_region.h index d053620711..442a45bf1f 100644 --- a/xen/include/xen/virtual_region.h +++ b/xen/include/xen/virtual_region.h @@ -9,11 +9,18 @@ #include #include +/* + * Despite it's name, this is a module(ish) description. + * + * There's one region for the runtime .text/etc, one region for .init during + * boot only, and one region per livepatch. + */ struct virtual_region { struct list_head list; - const void *start; /* Virtual address start. */ - const void *end; /* Virtual address end. */ + + const void *text_start; /* .text virtual address start. */ + const void *text_end; /* .text virtual address end. */ /* If this is NULL the default lookup mechanism is used. */ symbols_lookup_t *symbols_lookup; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:34:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:34:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691596.1077718 (Exim 4.92) (envelope-from ) id 1rjr1y-0007xa-6y; Tue, 12 Mar 2024 01:34:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691596.1077718; Tue, 12 Mar 2024 01:34:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1y-0007xT-45; Tue, 12 Mar 2024 01:34:14 +0000 Received: by outflank-mailman (input) for mailman id 691596; Tue, 12 Mar 2024 01:34:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1x-0007xM-5k for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr1x-0003m0-54 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr1x-0000M9-4F for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7rzhVntOkZr/4fZLsz9O4j4PAqj3eVVKitk8vgX6Wz0=; b=TTitIqVHf25lmtvxLd5khoORDf nuswNNFI9tUMecrv+mtMyVLMsTqDKtAR6YPe32FRthfcRLkIAuOtcGHPi5y95uwlPmSO6z6e0siaF SOeSOmRojKxBrjBCxMmJiK8vB8B0iCMcUwT7bq27CdFjbAEcmwK3SEmNkzcRQoXfSbf0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/virtual-region: Include rodata pointers Message-Id: Date: Tue, 12 Mar 2024 01:34:13 +0000 commit ef969144a425e39f5b214a875b5713d0ea8575fb Author: Andrew Cooper AuthorDate: Tue Mar 5 11:35:12 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 xen/virtual-region: Include rodata pointers These are optional. .init doesn't distinguish types of data like this, and livepatches don't necesserily have any .rodata either. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/common/livepatch.c | 6 ++++++ xen/common/virtual_region.c | 2 ++ xen/include/xen/virtual_region.h | 3 +++ 3 files changed, 11 insertions(+) diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c index 888beb2732..cabfb63911 100644 --- a/xen/common/livepatch.c +++ b/xen/common/livepatch.c @@ -788,6 +788,12 @@ static int prepare_payload(struct payload *payload, region->text_start = payload->text_addr; region->text_end = payload->text_addr + payload->text_size; + if ( payload->ro_size ) + { + region->rodata_start = payload->ro_addr; + region->rodata_end = payload->ro_addr + payload->ro_size; + } + /* Optional sections. */ for ( i = 0; i < BUGFRAME_NR; i++ ) { diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index b74030d700..d2efe9e114 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -13,6 +13,8 @@ static struct virtual_region core = { .list = LIST_HEAD_INIT(core.list), .text_start = _stext, .text_end = _etext, + .rodata_start = _srodata, + .rodata_end = _erodata, }; /* Becomes irrelevant when __init sections are cleared. */ diff --git a/xen/include/xen/virtual_region.h b/xen/include/xen/virtual_region.h index 442a45bf1f..dcdc95ba49 100644 --- a/xen/include/xen/virtual_region.h +++ b/xen/include/xen/virtual_region.h @@ -22,6 +22,9 @@ struct virtual_region const void *text_start; /* .text virtual address start. */ const void *text_end; /* .text virtual address end. */ + const void *rodata_start; /* .rodata virtual address start (optional). */ + const void *rodata_end; /* .rodata virtual address end. */ + /* If this is NULL the default lookup mechanism is used. */ symbols_lookup_t *symbols_lookup; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:34:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:34:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691597.1077723 (Exim 4.92) (envelope-from ) id 1rjr28-000816-AY; Tue, 12 Mar 2024 01:34:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691597.1077723; Tue, 12 Mar 2024 01:34:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr28-00080z-7A; Tue, 12 Mar 2024 01:34:24 +0000 Received: by outflank-mailman (input) for mailman id 691597; Tue, 12 Mar 2024 01:34:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr27-00080n-8h for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr27-0003mA-7w for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr27-0000NH-79 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=HftCf5rvHwMrszG6A+LcxFBYOOIzE+Sh5Igh/8Lc3aI=; b=caw07lj9iTLV58npsyKq9qQJJt Abf/a0ZkCuIL2vBtWZk9yiooSruWC+MghNgJBxibUWiUxs1L+yxO26XGsgC+fArJMCyRpug+Zta4q wN/P+5hh6HJ9D3BF7TyNs1flTO3UCVof3OP2YdpmM4BAHaBVLpGOQbkfogPGQcbO+eyY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/livepatch: Relax permissions on rodata too Message-Id: Date: Tue, 12 Mar 2024 01:34:23 +0000 commit b083b1c393dc8961acf0959b1d2e0ad459985ae3 Author: Andrew Cooper AuthorDate: Tue Mar 5 11:39:19 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 x86/livepatch: Relax permissions on rodata too This reinstates the capability to patch .rodata in load/unload hooks, which was lost when we stopped using CR0.WP=0 to patch. This turns out to be rather less of a large TODO than I thought at the time. Fixes: 8676092a0f16 ("x86/livepatch: Fix livepatch application when CET is active") Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné Reviewed-by: Ross Lagerwall --- xen/arch/x86/livepatch.c | 4 ++-- xen/common/virtual_region.c | 12 ++++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/livepatch.c b/xen/arch/x86/livepatch.c index ee539f001b..4f76127e1f 100644 --- a/xen/arch/x86/livepatch.c +++ b/xen/arch/x86/livepatch.c @@ -62,7 +62,7 @@ int arch_livepatch_safety_check(void) int noinline arch_livepatch_quiesce(void) { /* - * Relax perms on .text to be RWX, so we can modify them. + * Relax perms on .text/.rodata, so we can modify them. * * This relaxes perms globally, but all other CPUs are waiting on us. */ @@ -75,7 +75,7 @@ int noinline arch_livepatch_quiesce(void) void noinline arch_livepatch_revive(void) { /* - * Reinstate perms on .text to be RX. This also cleans out the dirty + * Reinstate perms on .text/.rodata. This also cleans out the dirty * bits, which matters when CET Shstk is active. * * The other CPUs waiting for us could in principle have re-walked while diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index d2efe9e114..b4325bcda7 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -91,9 +91,15 @@ void relax_virtual_region_perms(void) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu( region, &virtual_region_list, list ) + { modify_xen_mappings_lite((unsigned long)region->text_start, PAGE_ALIGN((unsigned long)region->text_end), PAGE_HYPERVISOR_RWX); + if ( region->rodata_start ) + modify_xen_mappings_lite((unsigned long)region->rodata_start, + PAGE_ALIGN((unsigned long)region->rodata_end), + PAGE_HYPERVISOR_RW); + } rcu_read_unlock(&rcu_virtual_region_lock); } @@ -103,9 +109,15 @@ void tighten_virtual_region_perms(void) rcu_read_lock(&rcu_virtual_region_lock); list_for_each_entry_rcu( region, &virtual_region_list, list ) + { modify_xen_mappings_lite((unsigned long)region->text_start, PAGE_ALIGN((unsigned long)region->text_end), PAGE_HYPERVISOR_RX); + if ( region->rodata_start ) + modify_xen_mappings_lite((unsigned long)region->rodata_start, + PAGE_ALIGN((unsigned long)region->rodata_end), + PAGE_HYPERVISOR_RO); + } rcu_read_unlock(&rcu_virtual_region_lock); } #endif /* CONFIG_X86 */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:34:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:34:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691598.1077728 (Exim 4.92) (envelope-from ) id 1rjr2I-00083T-Cz; Tue, 12 Mar 2024 01:34:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691598.1077728; Tue, 12 Mar 2024 01:34:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2I-00083K-92; Tue, 12 Mar 2024 01:34:34 +0000 Received: by outflank-mailman (input) for mailman id 691598; Tue, 12 Mar 2024 01:34:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2H-00083B-Bb for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2H-0003mL-Am for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr2H-0000OP-A1 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=moJaNq6cv9oZIPVKd94LEuHGZqYWqFSkWyHJy8elYng=; b=PqGRgc03wNHBZ8DOzoH7hlpkUo 2XwAaK8VY2DNlE6AZX9s7u/0oAfAx/xnvO7YCtPl2iDxnD+dLf0Htz7ZCOlXbWtAeY8EK4bbfQb/r DUBZYSU8hEOkgJWChZpv26KAh5pXecilJ0gskkXOjfxnX8yCQT2gXNbnGhClMooV8oos=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] MAINTAINERS: add an entry for tools/9pfsd Message-Id: Date: Tue, 12 Mar 2024 01:34:33 +0000 commit b52c45b1bdf04469495dd046ba15dd35a8becfa5 Author: Juergen Gross AuthorDate: Wed Mar 6 12:16:31 2024 +0100 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 MAINTAINERS: add an entry for tools/9pfsd Add me as the maintainer for the tools/9pfsd directory. Signed-off-by: Juergen Gross Reviewed-by: Andrew Cooper --- MAINTAINERS | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/MAINTAINERS b/MAINTAINERS index 076cf1e141..323be9363c 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -206,6 +206,12 @@ Maintainers List (try to look for most precise areas first) ----------------------------------- +9PFSD +M: Juergen Gross +M: Anthony PERARD +S: Supported +F: tools/9pfsd/ + ACPI M: Jan Beulich S: Supported -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:34:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:34:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691599.1077731 (Exim 4.92) (envelope-from ) id 1rjr2S-00086L-DT; Tue, 12 Mar 2024 01:34:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691599.1077731; Tue, 12 Mar 2024 01:34:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2S-00086E-AR; Tue, 12 Mar 2024 01:34:44 +0000 Received: by outflank-mailman (input) for mailman id 691599; Tue, 12 Mar 2024 01:34:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2R-000865-EI for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2R-0003mW-Db for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr2R-0000PA-Cq for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LGvBVaPLR9Vnvm6i2xihrq/WhhTBiUuGCfXWaXEbROU=; b=VC9Kh1RF69AamJnAqIHftqgBqG IDmNHkWASoGNcQqk92PRkGVFVpAPfSl4DP3BHJDPXGQBozEzQIH/kkPpS+L4lrQQKGIAfUCIAr/gK g9LRBntWNuYZe6H5wnXoXBesuurr0lua0VdEL5E+5NOaTxzqb1Qktw1+o5kSPGIeZp1s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/9pfsd: Fix build error caused by strerror_r Message-Id: Date: Tue, 12 Mar 2024 01:34:43 +0000 commit 90173fc5a2a826bbcabde22af405d0a617818b70 Author: Henry Wang AuthorDate: Thu Mar 7 21:56:16 2024 +0800 Commit: Andrew Cooper CommitDate: Thu Mar 7 14:24:42 2024 +0000 tools/9pfsd: Fix build error caused by strerror_r Below error can be seen when doing Yocto build of the toolstack: | io.c: In function 'p9_error': | io.c:684:5: error: ignoring return value of 'strerror_r' declared with attribute 'warn_unused_result' [-Werror=unused-result] | 684 | strerror_r(err, ring->buffer, ring->ring_size); | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | cc1: all warnings being treated as errors Using strerror_r() without special casing different build environments is impossible due to the different return types (int vs char *) depending on the environment. As p9_error() is not on a performance critical path, using strerror() with a mutex ought to be fine. So, fix the build by using strerror() to replace strerror_r(). The steps would then become: Acquire the mutex first, invoke strerror(), copy the string from strerror() to the designated buffer and then drop the mutex. Fixes: f4900d6d69b5 ("9pfsd: allow building with old glibc") Signed-off-by: Henry Wang Reviewed-by: Jan Beulich Reviewed-by: Juergen Gross Acked-by: Anthony PERARD --- tools/9pfsd/io.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/tools/9pfsd/io.c b/tools/9pfsd/io.c index adb887c7d9..df1be3df7d 100644 --- a/tools/9pfsd/io.c +++ b/tools/9pfsd/io.c @@ -677,11 +677,28 @@ static bool name_ok(const char *str) return true; } +/* Including the '\0' */ +#define MAX_ERRSTR_LEN 80 static void p9_error(struct ring *ring, uint16_t tag, uint32_t err) { unsigned int erroff; + static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; + char *str; + size_t len = 0; + + /* + * While strerror_r() exists, it comes in a POSIX and a GNU flavor. + * Let's try to avoid trying to be clever with determining which + * one it is that the underlying C library offers, when really we + * don't expect this function to be called very often. + */ + pthread_mutex_lock(&mutex); + str = strerror(err); + len = min(strlen(str), (size_t)(MAX_ERRSTR_LEN - 1)); + memcpy(ring->buffer, str, len); + ((char *)ring->buffer)[len] = '\0'; + pthread_mutex_unlock(&mutex); - strerror_r(err, ring->buffer, ring->ring_size); erroff = add_string(ring, ring->buffer, strlen(ring->buffer)); fill_buffer(ring, P9_CMD_ERROR, tag, "SU", erroff != ~0 ? ring->str + erroff : "cannot allocate memory", -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:34:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:34:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691600.1077735 (Exim 4.92) (envelope-from ) id 1rjr2c-00088u-Eu; Tue, 12 Mar 2024 01:34:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691600.1077735; Tue, 12 Mar 2024 01:34:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2c-00088m-C2; Tue, 12 Mar 2024 01:34:54 +0000 Received: by outflank-mailman (input) for mailman id 691600; Tue, 12 Mar 2024 01:34:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2b-00088e-HI for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2b-0003n1-GU for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr2b-0000Py-Fm for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:34:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BbbeDjWr18QiL+B+7koiVXboU6Buf4WrMLdanNi1rlI=; b=LdETT52V4U/Xyyj7i0PRo0+eKR FLYd1CYtOkLStPgCclQgbqnND9VJIMCDR2esxXgDUIg/veCepYYbi/s9330HD1eg0bAeLFsoln4AY 4nGr2WEIWDCo/dGF1eK69wP5eLM66rW4E9rAoNjUwyBExP3jbkRkF+O3WbTS1KDobJL8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] automation/eclair: add deviation for MISRA C:2012 Rule 16.6 Message-Id: Date: Tue, 12 Mar 2024 01:34:53 +0000 commit ef31ffbc3dc124173fc9420988772fa96bc4bf12 Author: Federico Serafini AuthorDate: Mon Mar 4 11:28:37 2024 +0100 Commit: Stefano Stabellini CommitDate: Fri Mar 8 18:22:49 2024 -0800 automation/eclair: add deviation for MISRA C:2012 Rule 16.6 Update ECLAIR configuration to take into account the deviations agreed during MISRA meetings. Signed-off-by: Federico Serafini Reviewed-by: Stefano Stabellini --- automation/eclair_analysis/ECLAIR/deviations.ecl | 4 ++++ docs/misra/deviations.rst | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl index 02eae39786..9ac3ee4dfd 100644 --- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl @@ -378,6 +378,10 @@ explicit comment indicating the fallthrough intention is present." -config=MC3R1.R16.3,reports+={safe, "any_area(end_loc(any_exp(text(^(?s).*/\\* [fF]all ?through.? \\*/.*$,0..1))))"} -doc_end +-doc_begin="A switch statement with a single switch clause and no default label may be used in place of an equivalent if statement if it is considered to improve readability." +-config=MC3R1.R16.6,switch_clauses+={deliberate, "default(0)"} +-doc_end + # # Series 18. # diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst index 123c78e20a..ce855ddae6 100644 --- a/docs/misra/deviations.rst +++ b/docs/misra/deviations.rst @@ -322,6 +322,12 @@ Deviations related to MISRA C:2012 Rules: - /\* Fallthrough \*/ - /\* Fallthrough. \*/ + * - R16.6 + - A switch statement with a single switch clause and no default label may + be used in place of an equivalent if statement if it is considered to + improve readability. + - Tagged as `deliberate` for ECLAIR. + * - R20.7 - Code violating Rule 20.7 is safe when macro parameters are used: (1) as function arguments; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:35:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:35:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691601.1077740 (Exim 4.92) (envelope-from ) id 1rjr2m-0008BB-Gq; Tue, 12 Mar 2024 01:35:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691601.1077740; Tue, 12 Mar 2024 01:35:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2m-0008B3-DU; Tue, 12 Mar 2024 01:35:04 +0000 Received: by outflank-mailman (input) for mailman id 691601; Tue, 12 Mar 2024 01:35:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2l-0008As-KD for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2l-0003nL-JV for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr2l-0000Qy-Ik for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jG2R/lFQ6AUT9PfU8UKMJLjgJj70Cua49dGuIDmSO28=; b=tOCU3goGlpUhuuUfJ5QDZQDGsf JK5uhAopmDQ7Ipe8mTz9WD2futYGYHcx9jttu/Nbb7R2ApDMqUbHmHmOil5/5tcX7e5Snh6DdFTxY Nt3/msmvJRkYquO1/Sd+7v32rcg1hvM0RcJg+mQfHoLPEPxxpxLWJZ4trKLGvirQxC8E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/asm-generic: introduce stub header monitor.h Message-Id: Date: Tue, 12 Mar 2024 01:35:03 +0000 commit 136fff30b3a589147c12c832c84d793ceef41aca Author: Oleksii Kurochko AuthorDate: Mon Mar 11 09:29:25 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:29:25 2024 +0100 xen/asm-generic: introduce stub header monitor.h The header is shared between several archs so it is moved to asm-generic. Switch partly Arm and PPC to asm-generic/monitor.h and only arch_monitor_get_capabilities() left in arch-specific/monitor.h. Signed-off-by: Oleksii Kurochko Acked-by: Jan Beulich Acked-by: Tamas K Lengyel Acked-by: Julien Grall Acked-by: Shawn Anastasio --- xen/arch/arm/include/asm/monitor.h | 25 ++------------- xen/arch/ppc/include/asm/monitor.h | 28 +---------------- xen/arch/ppc/stubs.c | 8 ----- xen/include/asm-generic/monitor.h | 64 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 67 insertions(+), 58 deletions(-) diff --git a/xen/arch/arm/include/asm/monitor.h b/xen/arch/arm/include/asm/monitor.h index 7567be66bd..77a3c1a36c 100644 --- a/xen/arch/arm/include/asm/monitor.h +++ b/xen/arch/arm/include/asm/monitor.h @@ -25,34 +25,13 @@ #include #include -static inline -void arch_monitor_allow_userspace(struct domain *d, bool allow_userspace) -{ -} +#define HAS_ARCH_MONITOR_DOMCTL_EVENT -static inline -int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop) -{ - /* No arch-specific monitor ops on ARM. */ - return -EOPNOTSUPP; -} +#include int arch_monitor_domctl_event(struct domain *d, struct xen_domctl_monitor_op *mop); -static inline -int arch_monitor_init_domain(struct domain *d) -{ - /* No arch-specific domain initialization on ARM. */ - return 0; -} - -static inline -void arch_monitor_cleanup_domain(struct domain *d) -{ - /* No arch-specific domain cleanup on ARM. */ -} - static inline uint32_t arch_monitor_get_capabilities(struct domain *d) { uint32_t capabilities = 0; diff --git a/xen/arch/ppc/include/asm/monitor.h b/xen/arch/ppc/include/asm/monitor.h index e5b0282bf1..89000dacc6 100644 --- a/xen/arch/ppc/include/asm/monitor.h +++ b/xen/arch/ppc/include/asm/monitor.h @@ -6,33 +6,7 @@ #include #include -static inline -void arch_monitor_allow_userspace(struct domain *d, bool allow_userspace) -{ -} - -static inline -int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop) -{ - /* No arch-specific monitor ops on PPC. */ - return -EOPNOTSUPP; -} - -int arch_monitor_domctl_event(struct domain *d, - struct xen_domctl_monitor_op *mop); - -static inline -int arch_monitor_init_domain(struct domain *d) -{ - /* No arch-specific domain initialization on PPC. */ - return 0; -} - -static inline -void arch_monitor_cleanup_domain(struct domain *d) -{ - /* No arch-specific domain cleanup on PPC. */ -} +#include static inline uint32_t arch_monitor_get_capabilities(struct domain *d) { diff --git a/xen/arch/ppc/stubs.c b/xen/arch/ppc/stubs.c index a96e45626d..da193839bd 100644 --- a/xen/arch/ppc/stubs.c +++ b/xen/arch/ppc/stubs.c @@ -95,14 +95,6 @@ void arch_get_domain_info(const struct domain *d, BUG_ON("unimplemented"); } -/* monitor.c */ - -int arch_monitor_domctl_event(struct domain *d, - struct xen_domctl_monitor_op *mop) -{ - BUG_ON("unimplemented"); -} - /* smp.c */ void arch_flush_tlb_mask(const cpumask_t *mask) diff --git a/xen/include/asm-generic/monitor.h b/xen/include/asm-generic/monitor.h new file mode 100644 index 0000000000..1ade289099 --- /dev/null +++ b/xen/include/asm-generic/monitor.h @@ -0,0 +1,64 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * include/asm-generic/monitor.h + * + * Arch-specific monitor_op domctl handler. + * + * Copyright (c) 2015 Tamas K Lengyel (tamas@tklengyel.com) + * Copyright (c) 2016, Bitdefender S.R.L. + * + */ + +#ifndef __ASM_GENERIC_MONITOR_H__ +#define __ASM_GENERIC_MONITOR_H__ + +#include +#include + +struct domain; +struct xen_domctl_monitor_op; + +static inline +void arch_monitor_allow_userspace(struct domain *d, bool allow_userspace) +{ +} + +static inline +int arch_monitor_domctl_op(struct domain *d, struct xen_domctl_monitor_op *mop) +{ + /* No arch-specific monitor ops on GENERIC. */ + return -EOPNOTSUPP; +} + +#ifndef HAS_ARCH_MONITOR_DOMCTL_EVENT +static inline +int arch_monitor_domctl_event(struct domain *d, + struct xen_domctl_monitor_op *mop) +{ + BUG_ON("unimplemented"); +} +#endif + +static inline +int arch_monitor_init_domain(struct domain *d) +{ + /* No arch-specific domain initialization on GENERIC. */ + return 0; +} + +static inline +void arch_monitor_cleanup_domain(struct domain *d) +{ + /* No arch-specific domain cleanup on GENERIC. */ +} + +#endif /* __ASM_GENERIC_MONITOR_H__ */ + +/* + * Local variables: + * mode: C + * c-file-style: BSD + * c-basic-offset: 4 + * indent-tabs-mode: nil + * End: + */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:35:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:35:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691602.1077743 (Exim 4.92) (envelope-from ) id 1rjr2w-0008Dv-Hd; Tue, 12 Mar 2024 01:35:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691602.1077743; Tue, 12 Mar 2024 01:35:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2w-0008Dn-F1; Tue, 12 Mar 2024 01:35:14 +0000 Received: by outflank-mailman (input) for mailman id 691602; Tue, 12 Mar 2024 01:35:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2v-0008DZ-NN for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr2v-0003nX-Mc for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr2v-0000Rl-Ls for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6k6w+xOwgp6zt/tsgAOaf00MVzYhnnxx1ns/RYnUjzQ=; b=ncpOYE5LwGJ0kWud2opOKwYLJt GJ22rDd4t+iQQ+ottTFQumActcSB7pI95wc8oSjJj2VZQY0Zfw8Lsy41CgJsr8okz4kXNn7MV/X9z t4NIn/yJkl6tajyx4dPJ/ViQWkOLkDs15Vnuqvhbx0qQlOA7fduYrd3TBgt+cYbBP708=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/mem-access: ifdef inclusion of Message-Id: Date: Tue, 12 Mar 2024 01:35:13 +0000 commit 8ef780a1cf9a9b94e391d779e7e37b3c831223f7 Author: Oleksii Kurochko AuthorDate: Mon Mar 11 09:30:29 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:30:29 2024 +0100 xen/mem-access: ifdef inclusion of ifdefing inclusion of in allows to avoid generation of empty header for the case when !CONFIG_MEM_ACCESS. For Arm it was explicitly added inclusion of for p2m.c and traps.c because they require some functions from which aren't available in case of !CONFIG_MEM_ACCESS. Suggested-by: Jan Beulich Signed-off-by: Oleksii Kurochko Acked-by: Tamas K Lengyel Acked-by: Julien Grall Acked-by: Shawn Anastasio --- xen/arch/arm/p2m.c | 1 + xen/arch/arm/traps.c | 1 + xen/arch/ppc/configs/ppc64_defconfig | 1 + xen/arch/ppc/include/asm/mem_access.h | 5 ----- xen/arch/riscv/configs/tiny64_defconfig | 1 + xen/include/xen/mem_access.h | 2 ++ 6 files changed, 6 insertions(+), 5 deletions(-) diff --git a/xen/arch/arm/p2m.c b/xen/arch/arm/p2m.c index b991b76ce4..2465c266e9 100644 --- a/xen/arch/arm/p2m.c +++ b/xen/arch/arm/p2m.c @@ -7,6 +7,7 @@ #include #include #include +#include #include #include diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index 9c10e8f78c..8ddca643d4 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -35,6 +35,7 @@ #include #include #include +#include #include #include #include diff --git a/xen/arch/ppc/configs/ppc64_defconfig b/xen/arch/ppc/configs/ppc64_defconfig index f7cc075e45..48a053237a 100644 --- a/xen/arch/ppc/configs/ppc64_defconfig +++ b/xen/arch/ppc/configs/ppc64_defconfig @@ -6,6 +6,7 @@ # CONFIG_HYPFS is not set # CONFIG_GRANT_TABLE is not set # CONFIG_SPECULATIVE_HARDEN_ARRAY is not set +# CONFIG_MEM_ACCESS is not set CONFIG_PPC64=y CONFIG_DEBUG=y diff --git a/xen/arch/ppc/include/asm/mem_access.h b/xen/arch/ppc/include/asm/mem_access.h deleted file mode 100644 index e7986dfdbd..0000000000 --- a/xen/arch/ppc/include/asm/mem_access.h +++ /dev/null @@ -1,5 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -#ifndef __ASM_PPC_MEM_ACCESS_H__ -#define __ASM_PPC_MEM_ACCESS_H__ - -#endif /* __ASM_PPC_MEM_ACCESS_H__ */ diff --git a/xen/arch/riscv/configs/tiny64_defconfig b/xen/arch/riscv/configs/tiny64_defconfig index 3c9a2ff941..09defe236b 100644 --- a/xen/arch/riscv/configs/tiny64_defconfig +++ b/xen/arch/riscv/configs/tiny64_defconfig @@ -6,6 +6,7 @@ # CONFIG_HYPFS is not set # CONFIG_GRANT_TABLE is not set # CONFIG_SPECULATIVE_HARDEN_ARRAY is not set +# CONFIG_MEM_ACCESS is not set CONFIG_RISCV_64=y CONFIG_DEBUG=y diff --git a/xen/include/xen/mem_access.h b/xen/include/xen/mem_access.h index 4e4811680d..87d93b31f6 100644 --- a/xen/include/xen/mem_access.h +++ b/xen/include/xen/mem_access.h @@ -33,7 +33,9 @@ */ struct vm_event_st; +#ifdef CONFIG_MEM_ACCESS #include +#endif /* * Additional access types, which are used to further restrict -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:35:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:35:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691603.1077747 (Exim 4.92) (envelope-from ) id 1rjr36-0008He-KW; Tue, 12 Mar 2024 01:35:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691603.1077747; Tue, 12 Mar 2024 01:35:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr36-0008HW-Hy; Tue, 12 Mar 2024 01:35:24 +0000 Received: by outflank-mailman (input) for mailman id 691603; Tue, 12 Mar 2024 01:35:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr35-0008HI-Q2 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr35-0003ng-PR for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr35-0000Sc-Oh for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=HcHkrrr4fbbLZ8vFtVqfVMUQ93VZVJ0KeqKYJMQZetE=; b=EriL8QcEiE0OW3SZA3FBeQd8QK HSwUdvt2Slyj/bchqfteO1JOdIXATiwvGBdLDOmhdVA3iuphasLNVUgl6ERVcfTAqXOiKPME/F0hn L/+dUyhE8YcmixauGo+6UHsG1GnHUL+JofM4gOsqjn0+4gATQZ/gwfb/lvHMkLS05sbY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] MAINTAINERS: drop AMD SVM and Intel VT-x sections Message-Id: Date: Tue, 12 Mar 2024 01:35:23 +0000 commit 8395f275ebd11b4cacb12da09911e7918ccc7518 Author: Jan Beulich AuthorDate: Mon Mar 11 09:31:31 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:31:31 2024 +0100 MAINTAINERS: drop AMD SVM and Intel VT-x sections We'd like to thank the VT-x maintainers for their past contributions, while at the same time we'd like to reflect reality as it has been for quite some time. Have VT-x maintainership (and for symmetry also AMD SVM's) fall back to general x86. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper Acked-by: Roger Pau Monné Acked-by: Kevin Tian --- MAINTAINERS | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 323be9363c..56a6932037 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -226,13 +226,6 @@ M: Andrew Cooper S: Maintained F: xen/drivers/passthrough/amd/ -AMD SVM -M: Jan Beulich -M: Andrew Cooper -S: Supported -F: xen/arch/x86/hvm/svm/ -F: xen/arch/x86/cpu/vpmu_amd.c - ARGO M: Christopher Clark S: Maintained @@ -363,15 +356,6 @@ M: Kevin Tian S: Supported F: xen/drivers/passthrough/vtd/ -INTEL(R) VT FOR X86 (VT-X) -M: Jun Nakajima -M: Kevin Tian -S: Supported -F: xen/arch/x86/cpu/vpmu_intel.c -F: xen/arch/x86/hvm/vmx/ -F: xen/arch/x86/include/asm/hvm/vmx/ -F: xen/arch/x86/mm/p2m-ept.c - IOMMU VENDOR INDEPENDENT CODE M: Jan Beulich M: Paul Durrant -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:35:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:35:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691604.1077752 (Exim 4.92) (envelope-from ) id 1rjr3G-0008Kt-Mn; Tue, 12 Mar 2024 01:35:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691604.1077752; Tue, 12 Mar 2024 01:35:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3G-0008Kl-Jk; Tue, 12 Mar 2024 01:35:34 +0000 Received: by outflank-mailman (input) for mailman id 691604; Tue, 12 Mar 2024 01:35:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3F-0008Kf-TK for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3F-0003nu-Sc for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr3F-0000Tb-Rk for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8OLGJ0DIbbjS8JQahq6R91ek1SVUU2fkuvkq75vdvQE=; b=DTlSDZQd9kgMnhGfRUJC9ATl08 P8JBKUHT27ZVrzu0XLEHoVWNhRMw0UHujTQ2FZ9J0IYBAw8k+Q9jk2avIo2msk9Y+EgNBKjjG/x/s TkvobYssIjW8XNte9XKvc7g5RoC943MNa0NYyIW0xqBEuzfOkWS4o0q5OZuhsqNMSFkw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/domain.h: Centrialize is_domain_direct_mapped() Message-Id: Date: Tue, 12 Mar 2024 01:35:33 +0000 commit 698c35184cfd3c045b96b6c587c9f37f8c47408f Author: Henry Wang AuthorDate: Mon Mar 11 09:32:03 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:32:03 2024 +0100 xen/domain.h: Centrialize is_domain_direct_mapped() Currently direct mapped domain is only supported by the Arm architecture at the domain creation time by setting the CDF_directmap flag. There is not a need for every non-Arm architecture, i.e. x86, RISC-V and PPC, to define a stub is_domain_direct_mapped() in arch header. Move is_domain_direct_mapped() to a centralized place at xen/domain.h and evaluate CDF_directmap for non-Arm architecture to 0. Suggested-by: Jan Beulich Signed-off-by: Henry Wang Reviewed-by: Michal Orzel Reviewed-by: Jan Beulich --- xen/arch/arm/include/asm/domain.h | 2 -- xen/arch/ppc/include/asm/domain.h | 2 -- xen/arch/riscv/include/asm/domain.h | 2 -- xen/arch/x86/include/asm/domain.h | 1 - xen/include/xen/domain.h | 3 +++ 5 files changed, 3 insertions(+), 7 deletions(-) diff --git a/xen/arch/arm/include/asm/domain.h b/xen/arch/arm/include/asm/domain.h index 8218afb862..f1d72c6e48 100644 --- a/xen/arch/arm/include/asm/domain.h +++ b/xen/arch/arm/include/asm/domain.h @@ -29,8 +29,6 @@ enum domain_type { #define is_64bit_domain(d) (0) #endif -#define is_domain_direct_mapped(d) ((d)->cdf & CDF_directmap) - /* * Is the domain using the host memory layout? * diff --git a/xen/arch/ppc/include/asm/domain.h b/xen/arch/ppc/include/asm/domain.h index 573276d0a8..3a447272c6 100644 --- a/xen/arch/ppc/include/asm/domain.h +++ b/xen/arch/ppc/include/asm/domain.h @@ -10,8 +10,6 @@ struct hvm_domain uint64_t params[HVM_NR_PARAMS]; }; -#define is_domain_direct_mapped(d) ((void)(d), 0) - /* TODO: Implement */ #define guest_mode(r) ({ (void)(r); BUG_ON("unimplemented"); 0; }) diff --git a/xen/arch/riscv/include/asm/domain.h b/xen/arch/riscv/include/asm/domain.h index 0f5dc2be40..027bfa8a93 100644 --- a/xen/arch/riscv/include/asm/domain.h +++ b/xen/arch/riscv/include/asm/domain.h @@ -10,8 +10,6 @@ struct hvm_domain uint64_t params[HVM_NR_PARAMS]; }; -#define is_domain_direct_mapped(d) ((void)(d), 0) - struct arch_vcpu_io { }; diff --git a/xen/arch/x86/include/asm/domain.h b/xen/arch/x86/include/asm/domain.h index 622d22bef2..4bd78e3a6d 100644 --- a/xen/arch/x86/include/asm/domain.h +++ b/xen/arch/x86/include/asm/domain.h @@ -22,7 +22,6 @@ #define is_hvm_pv_evtchn_domain(d) (is_hvm_domain(d) && \ ((d)->arch.hvm.irq->callback_via_type == HVMIRQ_callback_vector || \ (d)->vcpu[0]->arch.hvm.evtchn_upcall_vector)) -#define is_domain_direct_mapped(d) ((void)(d), 0) #define VCPU_TRAP_NONE 0 #define VCPU_TRAP_NMI 1 diff --git a/xen/include/xen/domain.h b/xen/include/xen/domain.h index b1a4aa6f38..3de5635291 100644 --- a/xen/include/xen/domain.h +++ b/xen/include/xen/domain.h @@ -41,6 +41,8 @@ void arch_get_domain_info(const struct domain *d, #ifdef CONFIG_ARM /* Should domain memory be directly mapped? */ #define CDF_directmap (1U << 1) +#else +#define CDF_directmap 0 #endif /* Is domain memory on static allocation? */ #ifdef CONFIG_STATIC_MEMORY @@ -49,6 +51,7 @@ void arch_get_domain_info(const struct domain *d, #define CDF_staticmem 0 #endif +#define is_domain_direct_mapped(d) ((d)->cdf & CDF_directmap) #define is_domain_using_staticmem(d) ((d)->cdf & CDF_staticmem) /* -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:35:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:35:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691605.1077755 (Exim 4.92) (envelope-from ) id 1rjr3R-0008Nw-O0; Tue, 12 Mar 2024 01:35:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691605.1077755; Tue, 12 Mar 2024 01:35:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3R-0008Nm-LC; Tue, 12 Mar 2024 01:35:45 +0000 Received: by outflank-mailman (input) for mailman id 691605; Tue, 12 Mar 2024 01:35:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3Q-0008Nc-0h for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3Q-0003o2-00 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr3P-0000UM-Ui for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=/6fNKMsBYSt4hzD/9I70paqsTZsAL/5hNDY2Tueyr84=; b=keP9TwM8ymDEQVPYXMh4oo2wTK gg+ZKgARt+nt+lmqK+2Gh0n/RoPcnCocLu/kqohJZpqwDhWBLKOvOjQ3tQUCEDXBjfhWX4YFDU++N vDxyvFE6/2heIdilw5T3+7pXHdQSWVx9URBvgsffjlku/z0CM+fiBwimk9huuNuG2TPQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] features.h: Replace hard tabs Message-Id: Date: Tue, 12 Mar 2024 01:35:43 +0000 commit bf7a2eaede23c749aa0d90e98113a2782ae5f9a6 Author: Jason Andryuk AuthorDate: Mon Mar 11 09:32:51 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:32:51 2024 +0100 features.h: Replace hard tabs Replace hard tabs to match the rest of the file. Fixes: 48a3fd1432 ("domain: expose newly introduced hypercalls as XENFEAT") Signed-off-by: Jason Andryuk Reviewed-by: Stefano Stabellini --- xen/include/public/features.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/include/public/features.h b/xen/include/public/features.h index 36936f6a4e..4437f25d25 100644 --- a/xen/include/public/features.h +++ b/xen/include/public/features.h @@ -117,8 +117,8 @@ * VCPUOP_register_runstate_phys_area * VCPUOP_register_vcpu_time_phys_area */ -#define XENFEAT_runstate_phys_area 18 -#define XENFEAT_vcpu_time_phys_area 19 +#define XENFEAT_runstate_phys_area 18 +#define XENFEAT_vcpu_time_phys_area 19 #define XENFEAT_NR_SUBMAPS 1 -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:35:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:35:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691606.1077760 (Exim 4.92) (envelope-from ) id 1rjr3b-0008Ql-PX; Tue, 12 Mar 2024 01:35:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691606.1077760; Tue, 12 Mar 2024 01:35:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3b-0008Qd-Mb; Tue, 12 Mar 2024 01:35:55 +0000 Received: by outflank-mailman (input) for mailman id 691606; Tue, 12 Mar 2024 01:35:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3a-0008QI-3j for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3a-0003oT-32 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr3a-0000VA-2M for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:35:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ltbdSW0lSYa0Yqk6DBNpEE8zvhKhePh7twD8+oK31ws=; b=yh8rDCJeKzam19Ioe3KgUgJ9uN bi0lA41Go+NI5R56X2ieqIw3mqRUOFcRHP7vtsmsR5xoi9bt1nNskGZcDOazOoxoQ9nuTLL+QGv+C kiu79rFAkSyLniikgDC6eUbFsFWEvh1+mvgWL71rXU5eV0+fIEBtay34aeX4c4oweMQk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/x86: bzImage parse kernel_alignment Message-Id: Date: Tue, 12 Mar 2024 01:35:54 +0000 commit c44cac229067faeec8f49247d1cf281723ac2d40 Author: Jason Andryuk AuthorDate: Mon Mar 11 09:33:35 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:33:35 2024 +0100 xen/x86: bzImage parse kernel_alignment Expand bzimage_parse() to return kernel_alignment from the setup_header. This will be needed if loading a PVH kernel at a physical offset to compensate for a reserved E820 region. Signed-off-by: Jason Andryuk Reviewed-by: Stefano Stabellini Acked-by: Jan Beulich --- xen/arch/x86/bzimage.c | 4 +++- xen/arch/x86/hvm/dom0_build.c | 4 +++- xen/arch/x86/include/asm/bzimage.h | 2 +- xen/arch/x86/pv/dom0_build.c | 2 +- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/bzimage.c b/xen/arch/x86/bzimage.c index ac4fd428be..0f4cfc49f7 100644 --- a/xen/arch/x86/bzimage.c +++ b/xen/arch/x86/bzimage.c @@ -105,7 +105,7 @@ unsigned long __init bzimage_headroom(void *image_start, } int __init bzimage_parse(void *image_base, void **image_start, - unsigned long *image_len) + unsigned long *image_len, unsigned int *align) { struct setup_header *hdr = (struct setup_header *)(*image_start); int err = bzimage_check(hdr, *image_len); @@ -118,6 +118,8 @@ int __init bzimage_parse(void *image_base, void **image_start, { *image_start += (hdr->setup_sects + 1) * 512 + hdr->payload_offset; *image_len = hdr->payload_length; + if ( align ) + *align = hdr->kernel_alignment; } if ( elf_is_elfbinary(*image_start, *image_len) ) diff --git a/xen/arch/x86/hvm/dom0_build.c b/xen/arch/x86/hvm/dom0_build.c index 0ceda4140b..bbae8a5645 100644 --- a/xen/arch/x86/hvm/dom0_build.c +++ b/xen/arch/x86/hvm/dom0_build.c @@ -548,12 +548,14 @@ static int __init pvh_load_kernel(struct domain *d, const module_t *image, struct elf_binary elf; struct elf_dom_parms parms; paddr_t last_addr; + unsigned int align = 0; struct hvm_start_info start_info = { 0 }; struct hvm_modlist_entry mod = { 0 }; struct vcpu *v = d->vcpu[0]; int rc; - if ( (rc = bzimage_parse(image_base, &image_start, &image_len)) != 0 ) + rc = bzimage_parse(image_base, &image_start, &image_len, &align); + if ( rc != 0 ) { printk("Error trying to detect bz compressed kernel\n"); return rc; diff --git a/xen/arch/x86/include/asm/bzimage.h b/xen/arch/x86/include/asm/bzimage.h index 7ed69d3910..2e04f5cc7b 100644 --- a/xen/arch/x86/include/asm/bzimage.h +++ b/xen/arch/x86/include/asm/bzimage.h @@ -6,6 +6,6 @@ unsigned long bzimage_headroom(void *image_start, unsigned long image_length); int bzimage_parse(void *image_base, void **image_start, - unsigned long *image_len); + unsigned long *image_len, unsigned int *align); #endif /* __X86_BZIMAGE_H__ */ diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index d8043fa58a..e9fa8a9a82 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -416,7 +416,7 @@ int __init dom0_construct_pv(struct domain *d, d->max_pages = ~0U; - if ( (rc = bzimage_parse(image_base, &image_start, &image_len)) != 0 ) + if ( (rc = bzimage_parse(image_base, &image_start, &image_len, NULL)) != 0 ) return rc; if ( (rc = elf_init(&elf, image_start, image_len)) != 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:36:05 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:36:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691607.1077762 (Exim 4.92) (envelope-from ) id 1rjr3l-0008TJ-Qe; Tue, 12 Mar 2024 01:36:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691607.1077762; Tue, 12 Mar 2024 01:36:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3l-0008TB-O5; Tue, 12 Mar 2024 01:36:05 +0000 Received: by outflank-mailman (input) for mailman id 691607; Tue, 12 Mar 2024 01:36:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3k-0008Sy-6Z for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3k-0003op-5s for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr3k-0000WX-5F for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Hz67wbptyleZZlgQGzMLv9kL/g1mu5444db8xNzI2zQ=; b=AiDaeCZlPgsOmIGgv8R8atHcGi 2XGNOmZD3a8LiOrsApB+ADarOLDGoUb5hf/Vr0goj0EJv92SyeZ82sXSzIMyDZ/SpE87u6WPxPj3f fR1nvtcCpQzZLf5FG5UI+CgcItWFciwH6KHZik89pQw/xYbvi05Fj6pU2ujw0Tr2JyqE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/spinlock: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 12 Mar 2024 01:36:04 +0000 commit 9106769ea95029461bf1e4789b99c441bc3eff14 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:33:55 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:33:55 2024 +0100 xen/spinlock: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/spinlock.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 1cd9120eac..0e6a083dfb 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -94,7 +94,7 @@ struct lock_profile_qhead { int32_t idx; /* index for printout */ }; -#define _LOCK_PROFILE(lockname) { .name = #lockname, .lock = &lockname, } +#define _LOCK_PROFILE(lockname) { .name = #lockname, .lock = &(lockname), } #define _LOCK_PROFILE_PTR(name) \ static struct lock_profile * const __lock_profile_##name \ __used_section(".lockprofile.data") = \ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:36:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:36:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691608.1077766 (Exim 4.92) (envelope-from ) id 1rjr3v-0008Vz-Rv; Tue, 12 Mar 2024 01:36:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691608.1077766; Tue, 12 Mar 2024 01:36:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3v-0008Vs-PU; Tue, 12 Mar 2024 01:36:15 +0000 Received: by outflank-mailman (input) for mailman id 691608; Tue, 12 Mar 2024 01:36:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3u-0008Vd-9M for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr3u-0003ot-8i for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr3u-0000XE-85 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WVTvddAcVqCw/Tm46SSqXmE5puQWYC6OWsdLMm8HFOM=; b=skVyheSj0T5o9EBQH8Hodc1uKt c1LO+z20NyqBMyrBC+RxIqBsj/YLLhpvcsirU4yW1oxZdCHKuJbUoq0FA4Jj0KqpuJNDOHj1zLuNW lTe52W9tCTY4mchCNr/Vj/wW+BSS4iMa8tYsCU0gnLqKIjhT1LCZ5SmDQNj3TiLtEeCs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/include: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 12 Mar 2024 01:36:14 +0000 commit e51649b4c21377dd8d1c837a74e5007b082a4375 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:34:14 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:34:14 2024 +0100 xen/include: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/bug.h | 2 +- xen/include/xen/init.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/xen/include/xen/bug.h b/xen/include/xen/bug.h index 2c45c462fc..77fe1e1ba8 100644 --- a/xen/include/xen/bug.h +++ b/xen/include/xen/bug.h @@ -80,7 +80,7 @@ struct bug_frame { [bf_type] "i" (type), \ [bf_ptr] "i" (ptr), \ [bf_msg] "i" (msg), \ - [bf_line_lo] "i" ((line & ((1 << BUG_LINE_LO_WIDTH) - 1)) \ + [bf_line_lo] "i" (((line) & ((1 << BUG_LINE_LO_WIDTH) - 1)) \ << BUG_DISP_WIDTH), \ [bf_line_hi] "i" (((line) >> BUG_LINE_LO_WIDTH) << BUG_DISP_WIDTH) diff --git a/xen/include/xen/init.h b/xen/include/xen/init.h index 1d7c0216bc..0a42238337 100644 --- a/xen/include/xen/init.h +++ b/xen/include/xen/init.h @@ -63,9 +63,9 @@ typedef int (*initcall_t)(void); typedef void (*exitcall_t)(void); #define presmp_initcall(fn) \ - const static initcall_t __initcall_##fn __init_call("presmp") = fn + const static initcall_t __initcall_##fn __init_call("presmp") = (fn) #define __initcall(fn) \ - const static initcall_t __initcall_##fn __init_call("1") = fn + const static initcall_t __initcall_##fn __init_call("1") = (fn) #define __exitcall(fn) \ static exitcall_t __exitcall_##fn __exit_call = fn -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:36:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:36:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691609.1077771 (Exim 4.92) (envelope-from ) id 1rjr45-00007B-TY; Tue, 12 Mar 2024 01:36:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691609.1077771; Tue, 12 Mar 2024 01:36:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr45-000073-Qy; Tue, 12 Mar 2024 01:36:25 +0000 Received: by outflank-mailman (input) for mailman id 691609; Tue, 12 Mar 2024 01:36:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr44-00006p-Ct for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr44-0003p0-CF for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr44-0000Xm-BZ for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=YZ9QiGkdmRGpEjaBHGc9/r+1zcX3mQkIJAvqQE3t5vY=; b=SWEljNUAeRhR2NldYKZ0lMJR3p 6hW5Wi+Yv5Vux+hHXDqz9KAgk07i91TUQDiMa2YV0SuBqorhT3gM3gYDoiX6UAogbi0pzcZ/+g+U7 8Y7EOxNlOrTGZ+fU0da3nlWbq95+pfUZln6llsgE3GbqrsfKwpOx9rjfIqtfhV92L9eg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/param: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 12 Mar 2024 01:36:24 +0000 commit d937b2d1ee75340db4f66b7ed6a9dab1cea0eb41 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:34:45 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:34:45 2024 +0100 xen/param: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/param.h | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/xen/include/xen/param.h b/xen/include/xen/param.h index 13607e0e50..1bdbab34ab 100644 --- a/xen/include/xen/param.h +++ b/xen/include/xen/param.h @@ -45,42 +45,42 @@ extern const struct kernel_param __setup_start[], __setup_end[]; #define TEMP_NAME(base) _TEMP_NAME(base, __LINE__) #define custom_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_CUSTOM, \ - .par.func = _var } + .par.func = (_var) } #define boolean_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_BOOL, \ .len = sizeof(_var) + \ BUILD_BUG_ON_ZERO(sizeof(_var) != sizeof(bool)), \ - .par.var = &_var } + .par.var = &(_var) } #define integer_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_UINT, \ .len = sizeof(_var), \ - .par.var = &_var } + .par.var = &(_var) } #define size_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_SIZE, \ .len = sizeof(_var), \ - .par.var = &_var } + .par.var = &(_var) } #define string_param(_name, _var) \ - __setup_str __setup_str_##_var[] = _name; \ + __setup_str __setup_str_##_var[] = (_name); \ __kparam __setup_##_var = \ { .name = __setup_str_##_var, \ .type = OPT_STR, \ .len = sizeof(_var), \ - .par.var = &_var } + .par.var = &(_var) } #define ignore_param(_name) \ - __setup_str TEMP_NAME(__setup_str_ign)[] = _name; \ + __setup_str TEMP_NAME(__setup_str_ign)[] = (_name); \ __kparam TEMP_NAME(__setup_ign) = \ { .name = TEMP_NAME(__setup_str_ign), \ .type = OPT_IGNORE } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:36:36 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:36:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691610.1077774 (Exim 4.92) (envelope-from ) id 1rjr4G-0000Ak-0L; Tue, 12 Mar 2024 01:36:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691610.1077774; Tue, 12 Mar 2024 01:36:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4F-0000Ac-U2; Tue, 12 Mar 2024 01:36:35 +0000 Received: by outflank-mailman (input) for mailman id 691610; Tue, 12 Mar 2024 01:36:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4E-0000AR-GI for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4E-0003p6-Fa for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr4E-0000Yb-Et for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8EGoGcsjK6y3/ff72qPNqRB8/0FlLoj5FYWyO49odzY=; b=XfY5xI70OqYPgyohtt/K3at1lI QD2+NuwAwLvuiMGWfseE8lsB2WpoZLzh2+IFm8BJho+1C9Ru+AntFMngkgschNcqROLZ6Yx8zT4Yr sH0dDXKsrInsBEbJxPrITrzf/YArBWrYBplSyHPaFEseBqTUTIxPra0i6Vl5XCsfj0Rg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: address some violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 12 Mar 2024 01:36:34 +0000 commit 22d0e3487f6a44ad7aa132f25cc41f42e3f546e3 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:35:24 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:35:24 2024 +0100 xen/arm: address some violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/arch/arm/arm64/cpufeature.c | 14 ++++++------- xen/arch/arm/cpuerrata.c | 8 +++---- xen/arch/arm/include/asm/arm64/sysregs.h | 2 +- xen/arch/arm/include/asm/guest_atomics.h | 4 ++-- xen/arch/arm/include/asm/mm.h | 2 +- xen/arch/arm/include/asm/smccc.h | 36 ++++++++++++++++---------------- xen/arch/arm/include/asm/vgic-emul.h | 8 +++---- xen/arch/arm/vcpreg.c | 5 +++-- 8 files changed, 40 insertions(+), 39 deletions(-) diff --git a/xen/arch/arm/arm64/cpufeature.c b/xen/arch/arm/arm64/cpufeature.c index 864413d9cc..6fb8974ade 100644 --- a/xen/arch/arm/arm64/cpufeature.c +++ b/xen/arch/arm/arm64/cpufeature.c @@ -78,13 +78,13 @@ #define __ARM64_FTR_BITS(SIGNED, VISIBLE, STRICT, TYPE, SHIFT, WIDTH, SAFE_VAL) \ { \ - .sign = SIGNED, \ - .visible = VISIBLE, \ - .strict = STRICT, \ - .type = TYPE, \ - .shift = SHIFT, \ - .width = WIDTH, \ - .safe_val = SAFE_VAL, \ + .sign = (SIGNED), \ + .visible = (VISIBLE), \ + .strict = (STRICT), \ + .type = (TYPE), \ + .shift = (SHIFT), \ + .width = (WIDTH), \ + .safe_val = (SAFE_VAL), \ } /* Define a feature with unsigned values */ diff --git a/xen/arch/arm/cpuerrata.c b/xen/arch/arm/cpuerrata.c index a28fa6ac78..2b7101ea25 100644 --- a/xen/arch/arm/cpuerrata.c +++ b/xen/arch/arm/cpuerrata.c @@ -461,13 +461,13 @@ static bool has_ssbd_mitigation(const struct arm_cpu_capabilities *entry) #define MIDR_RANGE(model, min, max) \ .matches = is_affected_midr_range, \ - .midr_model = model, \ - .midr_range_min = min, \ - .midr_range_max = max + .midr_model = (model), \ + .midr_range_min = (min), \ + .midr_range_max = (max) #define MIDR_ALL_VERSIONS(model) \ .matches = is_affected_midr_range, \ - .midr_model = model, \ + .midr_model = (model), \ .midr_range_min = 0, \ .midr_range_max = (MIDR_VARIANT_MASK | MIDR_REVISION_MASK) diff --git a/xen/arch/arm/include/asm/arm64/sysregs.h b/xen/arch/arm/include/asm/arm64/sysregs.h index 3fdeb9d8cd..b593e4028b 100644 --- a/xen/arch/arm/include/asm/arm64/sysregs.h +++ b/xen/arch/arm/include/asm/arm64/sysregs.h @@ -465,7 +465,7 @@ /* Access to system registers */ #define WRITE_SYSREG64(v, name) do { \ - uint64_t _r = v; \ + uint64_t _r = (v); \ asm volatile("msr "__stringify(name)", %0" : : "r" (_r)); \ } while (0) #define READ_SYSREG64(name) ({ \ diff --git a/xen/arch/arm/include/asm/guest_atomics.h b/xen/arch/arm/include/asm/guest_atomics.h index a1745f8613..8893eb9a55 100644 --- a/xen/arch/arm/include/asm/guest_atomics.h +++ b/xen/arch/arm/include/asm/guest_atomics.h @@ -32,7 +32,7 @@ static inline void guest_##name(struct domain *d, int nr, volatile void *p) \ perfc_incr(atomics_guest_paused); \ \ domain_pause_nosync(d); \ - name(nr, p); \ + (name)(nr, p); \ domain_unpause(d); \ } @@ -52,7 +52,7 @@ static inline int guest_##name(struct domain *d, int nr, volatile void *p) \ perfc_incr(atomics_guest_paused); \ \ domain_pause_nosync(d); \ - oldbit = name(nr, p); \ + oldbit = (name)(nr, p); \ domain_unpause(d); \ \ return oldbit; \ diff --git a/xen/arch/arm/include/asm/mm.h b/xen/arch/arm/include/asm/mm.h index cbcf3bf147..48538b5337 100644 --- a/xen/arch/arm/include/asm/mm.h +++ b/xen/arch/arm/include/asm/mm.h @@ -250,7 +250,7 @@ static inline void __iomem *ioremap_wc(paddr_t start, size_t len) #define gaddr_to_gfn(ga) _gfn(paddr_to_pfn(ga)) #define mfn_to_maddr(mfn) pfn_to_paddr(mfn_x(mfn)) #define maddr_to_mfn(ma) _mfn(paddr_to_pfn(ma)) -#define vmap_to_mfn(va) maddr_to_mfn(virt_to_maddr((vaddr_t)va)) +#define vmap_to_mfn(va) maddr_to_mfn(virt_to_maddr((vaddr_t)(va))) #define vmap_to_page(va) mfn_to_page(vmap_to_mfn(va)) /* Page-align address and convert to frame number format */ diff --git a/xen/arch/arm/include/asm/smccc.h b/xen/arch/arm/include/asm/smccc.h index 1adcd37443..a289c48b7f 100644 --- a/xen/arch/arm/include/asm/smccc.h +++ b/xen/arch/arm/include/asm/smccc.h @@ -122,56 +122,56 @@ struct arm_smccc_res { #define __constraint_read_7 __constraint_read_6, "r" (r7) #define __declare_arg_0(a0, res) \ - struct arm_smccc_res *___res = res; \ - register unsigned long r0 ASM_REG(0) = (uint32_t)a0; \ + struct arm_smccc_res *___res = (res); \ + register unsigned long r0 ASM_REG(0) = (uint32_t)(a0); \ register unsigned long r1 ASM_REG(1); \ register unsigned long r2 ASM_REG(2); \ register unsigned long r3 ASM_REG(3) #define __declare_arg_1(a0, a1, res) \ - typeof(a1) __a1 = a1; \ - struct arm_smccc_res *___res = res; \ - register unsigned long r0 ASM_REG(0) = (uint32_t)a0; \ + typeof(a1) __a1 = (a1); \ + struct arm_smccc_res *___res = (res); \ + register unsigned long r0 ASM_REG(0) = (uint32_t)(a0); \ register unsigned long r1 ASM_REG(1) = __a1; \ register unsigned long r2 ASM_REG(2); \ register unsigned long r3 ASM_REG(3) #define __declare_arg_2(a0, a1, a2, res) \ - typeof(a1) __a1 = a1; \ - typeof(a2) __a2 = a2; \ - struct arm_smccc_res *___res = res; \ - register unsigned long r0 ASM_REG(0) = (uint32_t)a0; \ + typeof(a1) __a1 = (a1); \ + typeof(a2) __a2 = (a2); \ + struct arm_smccc_res *___res = (res); \ + register unsigned long r0 ASM_REG(0) = (uint32_t)(a0); \ register unsigned long r1 ASM_REG(1) = __a1; \ register unsigned long r2 ASM_REG(2) = __a2; \ register unsigned long r3 ASM_REG(3) #define __declare_arg_3(a0, a1, a2, a3, res) \ - typeof(a1) __a1 = a1; \ - typeof(a2) __a2 = a2; \ - typeof(a3) __a3 = a3; \ - struct arm_smccc_res *___res = res; \ - register unsigned long r0 ASM_REG(0) = (uint32_t)a0; \ + typeof(a1) __a1 = (a1); \ + typeof(a2) __a2 = (a2); \ + typeof(a3) __a3 = (a3); \ + struct arm_smccc_res *___res = (res); \ + register unsigned long r0 ASM_REG(0) = (uint32_t)(a0); \ register unsigned long r1 ASM_REG(1) = __a1; \ register unsigned long r2 ASM_REG(2) = __a2; \ register unsigned long r3 ASM_REG(3) = __a3 #define __declare_arg_4(a0, a1, a2, a3, a4, res) \ - typeof(a4) __a4 = a4; \ + typeof(a4) __a4 = (a4); \ __declare_arg_3(a0, a1, a2, a3, res); \ register unsigned long r4 ASM_REG(4) = __a4 #define __declare_arg_5(a0, a1, a2, a3, a4, a5, res) \ - typeof(a5) __a5 = a5; \ + typeof(a5) __a5 = (a5); \ __declare_arg_4(a0, a1, a2, a3, a4, res); \ register typeof(a5) r5 ASM_REG(5) = __a5 #define __declare_arg_6(a0, a1, a2, a3, a4, a5, a6, res) \ - typeof(a6) __a6 = a6; \ + typeof(a6) __a6 = (a6); \ __declare_arg_5(a0, a1, a2, a3, a4, a5, res); \ register typeof(a6) r6 ASM_REG(6) = __a6 #define __declare_arg_7(a0, a1, a2, a3, a4, a5, a6, a7, res) \ - typeof(a7) __a7 = a7; \ + typeof(a7) __a7 = (a7); \ __declare_arg_6(a0, a1, a2, a3, a4, a5, a6, res); \ register typeof(a7) r7 ASM_REG(7) = __a7 diff --git a/xen/arch/arm/include/asm/vgic-emul.h b/xen/arch/arm/include/asm/vgic-emul.h index e52fbaa3ec..fd0cfa2175 100644 --- a/xen/arch/arm/include/asm/vgic-emul.h +++ b/xen/arch/arm/include/asm/vgic-emul.h @@ -6,11 +6,11 @@ * a range of registers */ -#define VREG32(reg) reg ... reg + 3 -#define VREG64(reg) reg ... reg + 7 +#define VREG32(reg) (reg) ... ((reg) + 3) +#define VREG64(reg) (reg) ... ((reg) + 7) -#define VRANGE32(start, end) start ... end + 3 -#define VRANGE64(start, end) start ... end + 7 +#define VRANGE32(start, end) (start) ... ((end) + 3) +#define VRANGE64(start, end) (start) ... ((end) + 7) /* * 64 bits registers can be accessible using 32-bit and 64-bit unless diff --git a/xen/arch/arm/vcpreg.c b/xen/arch/arm/vcpreg.c index a2d0500704..019cf34f00 100644 --- a/xen/arch/arm/vcpreg.c +++ b/xen/arch/arm/vcpreg.c @@ -39,7 +39,8 @@ */ #ifdef CONFIG_ARM_64 -#define WRITE_SYSREG_SZ(sz, val, sysreg) WRITE_SYSREG((uint##sz##_t)val, sysreg) +#define WRITE_SYSREG_SZ(sz, val, sysreg) \ + WRITE_SYSREG((uint##sz##_t)(val), sysreg) #else /* * WRITE_SYSREG{32/64} on arm32 is defined as variadic macro which imposes @@ -64,7 +65,7 @@ static bool func(struct cpu_user_regs *regs, type##sz##_t *r, bool read) \ bool cache_enabled = vcpu_has_cache_enabled(v); \ \ GUEST_BUG_ON(read); \ - WRITE_SYSREG_SZ(sz, *r, reg); \ + WRITE_SYSREG_SZ(sz, *(r), reg); \ \ p2m_toggle_cache(v, cache_enabled); \ \ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:36:46 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:36:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691611.1077779 (Exim 4.92) (envelope-from ) id 1rjr4Q-0000Dv-1l; Tue, 12 Mar 2024 01:36:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691611.1077779; Tue, 12 Mar 2024 01:36:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4P-0000Dn-VR; Tue, 12 Mar 2024 01:36:45 +0000 Received: by outflank-mailman (input) for mailman id 691611; Tue, 12 Mar 2024 01:36:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4O-0000Da-JU for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4O-0003qp-Iq for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr4O-0000Zd-IA for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=oo6UFVNTEZXO+EZMPQam9L6zdH5WmzYtjFlfThDAxyg=; b=XgbQfAdwhgY6cSrE8K2vCTs7Wj UB9wI74B9F7KhiGueX8EDqznQq9z8OjrgvmqbMLrznGsnQ94D/ATZDXghBCrA6v+5vicObngF9x0g S/atFOCRCAX1MW4oDK23RZfsJ7DrRHSsLDwPIEXjn2KUb8SQRtGLQ8MbldPvMqH0R0SQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/irq: parenthesize negative constants Message-Id: Date: Tue, 12 Mar 2024 01:36:44 +0000 commit acb13d1b819e5e3fc1ac217d43f297a7eec5a81e Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:35:50 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:35:50 2024 +0100 x86/irq: parenthesize negative constants These constants are parenthesized to avoid them from possibly influencing the semantics of the constructs where it is used, especially inside macros invocations. This also resolves some violations of MISRA C Rule 20.7 ("Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses"). No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini Acked-by: Jan Beulich --- xen/arch/x86/include/asm/irq.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h index 082a3d6bbc..7d49f3c190 100644 --- a/xen/arch/x86/include/asm/irq.h +++ b/xen/arch/x86/include/asm/irq.h @@ -172,16 +172,16 @@ void cleanup_domain_irq_mapping(struct domain *d); void *__ret = radix_tree_lookup(&(d)->arch.irq_pirq, irq); \ __ret ? radix_tree_ptr_to_int(__ret) : 0; \ }) -#define PIRQ_ALLOCATED -1 +#define PIRQ_ALLOCATED (-1) #define domain_pirq_to_emuirq(d, pirq) pirq_field(d, pirq, \ arch.hvm.emuirq, IRQ_UNBOUND) #define domain_emuirq_to_pirq(d, emuirq) ({ \ void *__ret = radix_tree_lookup(&(d)->arch.hvm.emuirq_pirq, emuirq);\ __ret ? radix_tree_ptr_to_int(__ret) : IRQ_UNBOUND; \ }) -#define IRQ_UNBOUND -1 -#define IRQ_PT -2 -#define IRQ_MSI_EMU -3 +#define IRQ_UNBOUND (-1) +#define IRQ_PT (-2) +#define IRQ_MSI_EMU (-3) bool cpu_has_pending_apic_eoi(void); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:36:56 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:36:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691612.1077782 (Exim 4.92) (envelope-from ) id 1rjr4a-0000Gp-32; Tue, 12 Mar 2024 01:36:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691612.1077782; Tue, 12 Mar 2024 01:36:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4a-0000Gi-0Y; Tue, 12 Mar 2024 01:36:56 +0000 Received: by outflank-mailman (input) for mailman id 691612; Tue, 12 Mar 2024 01:36:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4Y-0000GS-MQ for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4Y-0003rE-Lo for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr4Y-0000aO-L6 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:36:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4TdioAMRa7XaEFiz5EBv4bCc2OsNYwGr/Bwe1E9fTNs=; b=Ga+NFxFw01GVzQv9tLt5PSRKCJ 0+odktItP4Vkt2j0fDdQ53R7NWlszijGwJvrRNgK9D0BPOUr2jGXDcniKCJMHmP+gJsYxbDq4N0Xg ys9cqIq47dKZwLWqcAmDOVl2yRilCx1JR/Zy73dpaJJcnv0JGYEj0B4e5DWNRi8NAjzo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] arm/smmu: address some violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 12 Mar 2024 01:36:54 +0000 commit e90089db3fab06dc8947fcd64f1ed54569e708a6 Author: Nicola Vetrini AuthorDate: Mon Mar 11 09:36:20 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:36:20 2024 +0100 arm/smmu: address some violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/drivers/passthrough/arm/smmu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/drivers/passthrough/arm/smmu.c b/xen/drivers/passthrough/arm/smmu.c index 625ed0e419..83196057a9 100644 --- a/xen/drivers/passthrough/arm/smmu.c +++ b/xen/drivers/passthrough/arm/smmu.c @@ -242,7 +242,7 @@ struct arm_smmu_xen_device { struct iommu_group *group; }; -#define dev_archdata(dev) ((struct arm_smmu_xen_device *)dev->iommu) +#define dev_archdata(dev) ((struct arm_smmu_xen_device *)(dev)->iommu) #define dev_iommu_domain(dev) (dev_archdata(dev)->domain) #define dev_iommu_group(dev) (dev_archdata(dev)->group) @@ -627,7 +627,7 @@ struct arm_smmu_master_cfg { }; #define INVALID_SMENDX -1 #define for_each_cfg_sme(cfg, i, idx, num) \ - for (i = 0; idx = cfg->smendx[i], i < num; ++i) + for (i = 0; idx = (cfg)->smendx[i], (i) < (num); ++(i)) struct arm_smmu_master { struct device_node *of_node; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:37:06 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:37:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691616.1077797 (Exim 4.92) (envelope-from ) id 1rjr4k-0000a0-GD; Tue, 12 Mar 2024 01:37:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691616.1077797; Tue, 12 Mar 2024 01:37:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4k-0000Zs-DL; Tue, 12 Mar 2024 01:37:06 +0000 Received: by outflank-mailman (input) for mailman id 691616; Tue, 12 Mar 2024 01:37:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4i-0000Z4-PL for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:37:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4i-0003rh-Og for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:37:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr4i-0000ba-O5 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:37:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=JFI3zDD2I6lN7ALjiI9xXcLF53lyIFnNrJVtLbjIXnU=; b=0yL7iQLUgNZitGOqkIatZCJW1w /KbblIZrk0U50vUQxiw0omNFbOdEODGsxpsxYxbCzLZybU7JS7p8n27pAh5klFlfFvx71o7HH4HSY SoVXrrZnjjeraE3ErWyMbFIeMXYhp92vbfhikFLxlL2Eq7u4Y/SfkI4oY8FmDQs4dES8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/ppc: switch PPC to use asm-generic/device.h Message-Id: Date: Tue, 12 Mar 2024 01:37:04 +0000 commit 1396892d801cf148644cd5590be2f143648f9083 Author: Oleksii Kurochko AuthorDate: Mon Mar 11 09:45:45 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 11 09:45:45 2024 +0100 xen/ppc: switch PPC to use asm-generic/device.h Signed-off-by: Oleksii Kurochko Acked-by: Shawn Anastasio --- xen/arch/ppc/include/asm/Makefile | 1 + xen/arch/ppc/include/asm/device.h | 53 --------------------------------------- 2 files changed, 1 insertion(+), 53 deletions(-) diff --git a/xen/arch/ppc/include/asm/Makefile b/xen/arch/ppc/include/asm/Makefile index 3fd893f3e0..ced02e26ed 100644 --- a/xen/arch/ppc/include/asm/Makefile +++ b/xen/arch/ppc/include/asm/Makefile @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-2.0-only generic-y += altp2m.h +generic-y += device.h generic-y += div64.h generic-y += hardirq.h generic-y += hypercall.h diff --git a/xen/arch/ppc/include/asm/device.h b/xen/arch/ppc/include/asm/device.h deleted file mode 100644 index 8253e61d51..0000000000 --- a/xen/arch/ppc/include/asm/device.h +++ /dev/null @@ -1,53 +0,0 @@ -/* SPDX-License-Identifier: GPL-2.0-only */ -#ifndef __ASM_PPC_DEVICE_H__ -#define __ASM_PPC_DEVICE_H__ - -enum device_type -{ - DEV_DT, - DEV_PCI, -}; - -struct device { - enum device_type type; -#ifdef CONFIG_HAS_DEVICE_TREE - struct dt_device_node *of_node; /* Used by drivers imported from Linux */ -#endif -}; - -enum device_class -{ - DEVICE_SERIAL, - DEVICE_IOMMU, - DEVICE_PCI_HOSTBRIDGE, - /* Use for error */ - DEVICE_UNKNOWN, -}; - -struct device_desc { - /* Device name */ - const char *name; - /* Device class */ - enum device_class class; - /* List of devices supported by this driver */ - const struct dt_device_match *dt_match; - /* - * Device initialization. - * - * -EAGAIN is used to indicate that device probing is deferred. - */ - int (*init)(struct dt_device_node *dev, const void *data); -}; - -typedef struct device device_t; - -#define DT_DEVICE_START(name_, namestr_, class_) \ -static const struct device_desc __dev_desc_##name_ __used \ -__section(".dev.info") = { \ - .name = namestr_, \ - .class = class_, \ - -#define DT_DEVICE_END \ -}; - -#endif /* __ASM_PPC_DEVICE_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 01:37:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 01:37:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691617.1077801 (Exim 4.92) (envelope-from ) id 1rjr4u-0000gy-He; Tue, 12 Mar 2024 01:37:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691617.1077801; Tue, 12 Mar 2024 01:37:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4u-0000gq-F7; Tue, 12 Mar 2024 01:37:16 +0000 Received: by outflank-mailman (input) for mailman id 691617; Tue, 12 Mar 2024 01:37:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4s-0000g1-ST for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:37:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rjr4s-0003rp-Rp for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:37:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rjr4s-0000dn-R9 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 01:37:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=dmERL4qLU0Zwo9+Lz25yAWZcmLV7PLePTPUhndz8g/A=; b=bPw/CRe9dtoH01XUjalR1a56rN Uh7QO0hgJvT+mHa+K6Z0E8ovc5h+6mW2GopUDwmEZuFu48FmMmYBcJwatbTLzjMMPf6mTG82Px5PW WiOXrSkxOGE7BCUiJk5VjQ/raJSglwAvtq80BTTu3jkP4blsaArqA2GNLS25YIMpg73o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() Message-Id: Date: Tue, 12 Mar 2024 01:37:14 +0000 commit 7c81558208de7858251b62f168a449be84305595 Author: Roger Pau Monne AuthorDate: Mon Mar 11 11:54:16 2024 +0100 Commit: Andrew Cooper CommitDate: Mon Mar 11 11:09:42 2024 +0000 x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() The current logic to detect when to switch to the next L1 table is incorrectly using l2_table_offset() in order to notice when the last entry on the current L1 table has been reached. It should instead use l1_table_offset() to check whether the index has wrapped to point to the first entry, and so the next L1 table should be used. Fixes: 8676092a0f16 ('x86/livepatch: Fix livepatch application when CET is active') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper --- xen/arch/x86/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 2aff6d4b53..0c6658298d 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5959,7 +5959,7 @@ void init_or_livepatch modify_xen_mappings_lite( v += 1UL << L1_PAGETABLE_SHIFT; - if ( l2_table_offset(v) == 0 ) + if ( l1_table_offset(v) == 0 ) break; } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 11:11:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 11:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691774.1078101 (Exim 4.92) (envelope-from ) id 1rk02C-0000tO-LF; Tue, 12 Mar 2024 11:11:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691774.1078101; Tue, 12 Mar 2024 11:11:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02C-0000tE-H6; Tue, 12 Mar 2024 11:11:04 +0000 Received: by outflank-mailman (input) for mailman id 691774; Tue, 12 Mar 2024 11:11:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02B-0000rw-NY for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02B-0007TC-Lw for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk02B-0001Oz-L1 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=o/qgGJRKKC1I63BZy5T+sUa3Qg+PbpU5Ex5zBocRGb8=; b=yVox9GQ/aWxVETzKfwAIIP0LmK zZBrJsOm8QFHIenEn/YMY4Xwj4Wl74jgVCIbMZjsDZ4qNftZre50FBatz3WHHO6A9x6bD54IvC5mG WfgNBTN+xaUbpXfQD/vNJQ/uqir4GvRtJ/tbKYlzK1CAI8Dhrqp0XyJlHI0BAyd9Ybjs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] hvmloader/PCI: skip huge BARs in certain calculations Message-Id: Date: Tue, 12 Mar 2024 11:11:03 +0000 commit 4c84fa6cb66fe66f2c5dad65208c497558ab7d17 Author: Jan Beulich AuthorDate: Tue Mar 12 12:06:57 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 12 12:06:57 2024 +0100 hvmloader/PCI: skip huge BARs in certain calculations BARs of size 2Gb and up can't possibly fit below 4Gb: Both the bottom of the lower 2Gb range and the top of the higher 2Gb range have special purpose. Don't even have them influence whether to (perhaps) relocate low RAM. Reported-by: Neowutran Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné master commit: 57acad12a09ffa490e870ebe17596aad858f0191 master date: 2024-03-06 10:19:29 +0100 --- tools/firmware/hvmloader/pci.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/tools/firmware/hvmloader/pci.c b/tools/firmware/hvmloader/pci.c index 257a6feb61..c3c61ca060 100644 --- a/tools/firmware/hvmloader/pci.c +++ b/tools/firmware/hvmloader/pci.c @@ -33,6 +33,13 @@ uint32_t pci_mem_start = HVM_BELOW_4G_MMIO_START; const uint32_t pci_mem_end = RESERVED_MEMBASE; uint64_t pci_hi_mem_start = 0, pci_hi_mem_end = 0; +/* + * BARs larger than this value are put in 64-bit space unconditionally. That + * is, such BARs also don't play into the determination of how big the lowmem + * MMIO hole needs to be. + */ +#define BAR_RELOC_THRESH GB(1) + enum virtual_vga virtual_vga = VGA_none; unsigned long igd_opregion_pgbase = 0; @@ -286,9 +293,11 @@ void pci_setup(void) bars[i].bar_reg = bar_reg; bars[i].bar_sz = bar_sz; - if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == - PCI_BASE_ADDRESS_SPACE_MEMORY) || - (bar_reg == PCI_ROM_ADDRESS) ) + if ( is_64bar && bar_sz > BAR_RELOC_THRESH ) + bar64_relocate = 1; + else if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == + PCI_BASE_ADDRESS_SPACE_MEMORY) || + (bar_reg == PCI_ROM_ADDRESS) ) mmio_total += bar_sz; nr_bars++; @@ -367,7 +376,7 @@ void pci_setup(void) pci_mem_start = hvm_info->low_mem_pgend << PAGE_SHIFT; } - if ( mmio_total > (pci_mem_end - pci_mem_start) ) + if ( mmio_total > (pci_mem_end - pci_mem_start) || bar64_relocate ) { printf("Low MMIO hole not large enough for all devices," " relocating some BARs to 64-bit\n"); @@ -430,7 +439,8 @@ void pci_setup(void) /* * Relocate to high memory if the total amount of MMIO needed - * is more than the low MMIO available. Because devices are + * is more than the low MMIO available or BARs bigger than + * BAR_RELOC_THRESH are present. Because devices are * processed in order of bar_sz, this will preferentially * relocate larger devices to high memory first. * @@ -446,8 +456,9 @@ void pci_setup(void) * the code here assumes it to be.) * Should either of those two conditions change, this code will break. */ - using_64bar = bars[i].is_64bar && bar64_relocate - && (mmio_total > (mem_resource.max - mem_resource.base)); + using_64bar = bars[i].is_64bar && bar64_relocate && + (mmio_total > (mem_resource.max - mem_resource.base) || + bar_sz > BAR_RELOC_THRESH); bar_data = pci_readl(devfn, bar_reg); if ( (bar_data & PCI_BASE_ADDRESS_SPACE) == @@ -467,7 +478,8 @@ void pci_setup(void) resource = &mem_resource; bar_data &= ~PCI_BASE_ADDRESS_MEM_MASK; } - mmio_total -= bar_sz; + if ( bar_sz <= BAR_RELOC_THRESH ) + mmio_total -= bar_sz; } else { -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 11:11:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 11:11:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691775.1078103 (Exim 4.92) (envelope-from ) id 1rk02M-0000wr-MU; Tue, 12 Mar 2024 11:11:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691775.1078103; Tue, 12 Mar 2024 11:11:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02M-0000wj-K0; Tue, 12 Mar 2024 11:11:14 +0000 Received: by outflank-mailman (input) for mailman id 691775; Tue, 12 Mar 2024 11:11:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02L-0000wb-Q7 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02L-0007TG-PO for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk02L-0001Pj-OI for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=F9DIZvUHy9WoV3sjqGQmri2aOJRSlfVuu2v1XOW5ODk=; b=VpquqVz21mOJYeFQIIb7BA/Tsp 3cR1wYqjBMwpObHSDZEHWYcxHd0ctlqIp219iuG8DJ4nsyMFVeTpd8nATnOJzFr77y92RpNBeEvDm CGc1LAwdg7wyvEuIM5kXeF7XSBFCTIy2z6MDoVPPjW6fFJBMIV4K5/qehdXvrdT6iuwk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() Message-Id: Date: Tue, 12 Mar 2024 11:11:13 +0000 commit a96d2d4355d85fc82abd0a3799978db04ee8cff3 Author: Roger Pau Monné AuthorDate: Tue Mar 12 12:07:07 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 12 12:07:07 2024 +0100 x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() The current logic to detect when to switch to the next L1 table is incorrectly using l2_table_offset() in order to notice when the last entry on the current L1 table has been reached. It should instead use l1_table_offset() to check whether the index has wrapped to point to the first entry, and so the next L1 table should be used. Fixes: 8676092a0f16 ('x86/livepatch: Fix livepatch application when CET is active') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper master commit: 7c81558208de7858251b62f168a449be84305595 master date: 2024-03-11 11:09:42 +0000 --- xen/arch/x86/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 39544bd9f9..ab0acbfea6 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5947,7 +5947,7 @@ void init_or_livepatch modify_xen_mappings_lite( v += 1UL << L1_PAGETABLE_SHIFT; - if ( l2_table_offset(v) == 0 ) + if ( l1_table_offset(v) == 0 ) break; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 11:11:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 11:11:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691776.1078106 (Exim 4.92) (envelope-from ) id 1rk02X-00015z-Nw; Tue, 12 Mar 2024 11:11:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691776.1078106; Tue, 12 Mar 2024 11:11:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02X-00015s-LT; Tue, 12 Mar 2024 11:11:25 +0000 Received: by outflank-mailman (input) for mailman id 691776; Tue, 12 Mar 2024 11:11:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02W-00013u-7z for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02W-0007TV-7E for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk02W-0001Qk-4U for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6vWDjxChxa1h25PHOFJuGLeWNGwT9JMnUPOi+Sawtfg=; b=DGhPFgjN69BqKO1jn0aaAL3rOy fSM2A3HIIE/fcwJhce7DkWTPdTgWMs5dcMs73+O43IDkA4UCGV0qSoMVgdTURyAiS+mw7pfL4Immf teJLVN+6ZKUy6d6pIXNFQI3M+fkuBRptGQJP+lvVHDeg1N6ES+IpAX/Zv1KyHTY2Nt90=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] hvmloader/PCI: skip huge BARs in certain calculations Message-Id: Date: Tue, 12 Mar 2024 11:11:24 +0000 commit 1e9808227c10717228969e924cab49cad4af6265 Author: Jan Beulich AuthorDate: Tue Mar 12 12:08:48 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 12 12:08:48 2024 +0100 hvmloader/PCI: skip huge BARs in certain calculations BARs of size 2Gb and up can't possibly fit below 4Gb: Both the bottom of the lower 2Gb range and the top of the higher 2Gb range have special purpose. Don't even have them influence whether to (perhaps) relocate low RAM. Reported-by: Neowutran Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné master commit: 57acad12a09ffa490e870ebe17596aad858f0191 master date: 2024-03-06 10:19:29 +0100 --- tools/firmware/hvmloader/pci.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/tools/firmware/hvmloader/pci.c b/tools/firmware/hvmloader/pci.c index 257a6feb61..c3c61ca060 100644 --- a/tools/firmware/hvmloader/pci.c +++ b/tools/firmware/hvmloader/pci.c @@ -33,6 +33,13 @@ uint32_t pci_mem_start = HVM_BELOW_4G_MMIO_START; const uint32_t pci_mem_end = RESERVED_MEMBASE; uint64_t pci_hi_mem_start = 0, pci_hi_mem_end = 0; +/* + * BARs larger than this value are put in 64-bit space unconditionally. That + * is, such BARs also don't play into the determination of how big the lowmem + * MMIO hole needs to be. + */ +#define BAR_RELOC_THRESH GB(1) + enum virtual_vga virtual_vga = VGA_none; unsigned long igd_opregion_pgbase = 0; @@ -286,9 +293,11 @@ void pci_setup(void) bars[i].bar_reg = bar_reg; bars[i].bar_sz = bar_sz; - if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == - PCI_BASE_ADDRESS_SPACE_MEMORY) || - (bar_reg == PCI_ROM_ADDRESS) ) + if ( is_64bar && bar_sz > BAR_RELOC_THRESH ) + bar64_relocate = 1; + else if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == + PCI_BASE_ADDRESS_SPACE_MEMORY) || + (bar_reg == PCI_ROM_ADDRESS) ) mmio_total += bar_sz; nr_bars++; @@ -367,7 +376,7 @@ void pci_setup(void) pci_mem_start = hvm_info->low_mem_pgend << PAGE_SHIFT; } - if ( mmio_total > (pci_mem_end - pci_mem_start) ) + if ( mmio_total > (pci_mem_end - pci_mem_start) || bar64_relocate ) { printf("Low MMIO hole not large enough for all devices," " relocating some BARs to 64-bit\n"); @@ -430,7 +439,8 @@ void pci_setup(void) /* * Relocate to high memory if the total amount of MMIO needed - * is more than the low MMIO available. Because devices are + * is more than the low MMIO available or BARs bigger than + * BAR_RELOC_THRESH are present. Because devices are * processed in order of bar_sz, this will preferentially * relocate larger devices to high memory first. * @@ -446,8 +456,9 @@ void pci_setup(void) * the code here assumes it to be.) * Should either of those two conditions change, this code will break. */ - using_64bar = bars[i].is_64bar && bar64_relocate - && (mmio_total > (mem_resource.max - mem_resource.base)); + using_64bar = bars[i].is_64bar && bar64_relocate && + (mmio_total > (mem_resource.max - mem_resource.base) || + bar_sz > BAR_RELOC_THRESH); bar_data = pci_readl(devfn, bar_reg); if ( (bar_data & PCI_BASE_ADDRESS_SPACE) == @@ -467,7 +478,8 @@ void pci_setup(void) resource = &mem_resource; bar_data &= ~PCI_BASE_ADDRESS_MEM_MASK; } - mmio_total -= bar_sz; + if ( bar_sz <= BAR_RELOC_THRESH ) + mmio_total -= bar_sz; } else { -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 11:11:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 11:11:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691777.1078111 (Exim 4.92) (envelope-from ) id 1rk02h-000190-Pn; Tue, 12 Mar 2024 11:11:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691777.1078111; Tue, 12 Mar 2024 11:11:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02h-00018s-N4; Tue, 12 Mar 2024 11:11:35 +0000 Received: by outflank-mailman (input) for mailman id 691777; Tue, 12 Mar 2024 11:11:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02g-00018f-BN for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk02g-0007Tc-AV for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk02g-0001RF-9i for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 11:11:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4IEOzosLfRm8W/JBwdILgrUX0ZCBetWt48D5c/O31XI=; b=wJlcUJKZ6cyxelz9UUefKSLUfR muJH/erC194P5bE/SQaAGhBNcMO1cRvD+ssASKmWWUMYJgH81GN5P++EQXFZnNxXIT3XPhGkAFOQo w9fEXKkTVPV6Q/TkdxKAkss4d5G7oteTiIAeL3pj8O+MqV9QIm/32Fve70cMyaI8V3bs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() Message-Id: Date: Tue, 12 Mar 2024 11:11:34 +0000 commit 1f94117bec55a7b934fed3dfd3529db624eb441f Author: Roger Pau Monné AuthorDate: Tue Mar 12 12:08:59 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 12 12:08:59 2024 +0100 x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() The current logic to detect when to switch to the next L1 table is incorrectly using l2_table_offset() in order to notice when the last entry on the current L1 table has been reached. It should instead use l1_table_offset() to check whether the index has wrapped to point to the first entry, and so the next L1 table should be used. Fixes: 8676092a0f16 ('x86/livepatch: Fix livepatch application when CET is active') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper master commit: 7c81558208de7858251b62f168a449be84305595 master date: 2024-03-11 11:09:42 +0000 --- xen/arch/x86/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index e884a6fdbd..330c4abcd1 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5963,7 +5963,7 @@ void init_or_livepatch modify_xen_mappings_lite( v += 1UL << L1_PAGETABLE_SHIFT; - if ( l2_table_offset(v) == 0 ) + if ( l1_table_offset(v) == 0 ) break; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:11:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:11:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691987.1078666 (Exim 4.92) (envelope-from ) id 1rk5ea-0007Dz-Op; Tue, 12 Mar 2024 17:11:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691987.1078666; Tue, 12 Mar 2024 17:11:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ea-0007Dr-MJ; Tue, 12 Mar 2024 17:11:04 +0000 Received: by outflank-mailman (input) for mailman id 691987; Tue, 12 Mar 2024 17:11:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5eZ-0007Dl-L3 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5eZ-0007Fu-I5 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5eZ-0002iF-HE for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KQb6NvZcdZGA57TDiVX/8dpm+hGjS02yHir8Vz9x70A=; b=Ogce+hCqG7ruk83KAaMpF1mmDp 3D1rnPrTVcSaePwuARr8nXItp/Cy6LeHBJQr3etivK532Auh3PhkdhHSX40p9cwrkY4c5aZRIMtC0 gsgx8OdVATUZn63Ktp/wDfM0zjEF2COAbjzLpWTv3t4ijYBMYSahNQH50wJ2P+8WJYuY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Tue, 12 Mar 2024 17:11:03 +0000 commit 475fa20b7384464210f42bad7195f87bd6f1c63f Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++---- xen/arch/x86/include/asm/spec_ctrl_asm.h | 7 +++++++ xen/arch/x86/x86_64/asm-offsets.c | 1 + 3 files changed, 40 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index e3f60d5a82..1bead826ca 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index aecb91d848..ba8e0ae28b 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -152,6 +152,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 02242a9b73..8697404cd0 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -135,6 +135,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_processor_id, struct cpu_info, processor_id); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:11:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:11:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691988.1078671 (Exim 4.92) (envelope-from ) id 1rk5ek-0007Fv-QR; Tue, 12 Mar 2024 17:11:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691988.1078671; Tue, 12 Mar 2024 17:11:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ek-0007Fn-Nm; Tue, 12 Mar 2024 17:11:14 +0000 Received: by outflank-mailman (input) for mailman id 691988; Tue, 12 Mar 2024 17:11:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ej-0007Fd-Lq for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ej-0007GM-L1 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5ej-0002jC-KJ for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kuZP6elyNaP1Ut897uWTwmfKtELJtgmu4uVnwSfocA8=; b=GXCwzMCTTUtd6Or0KD2ZMbgegY Fk/maghmQTjwzp7zyEBgoZrW1lHxrp3fsvwZLDbTM2Xi4J5h82oMNuvMdG09qePyFFbGYE5hid6CP /c52tpkjq9dONcUR3gHt7tRe630wk8m4Jg/Y8NzBt7WlEDOn/BSxuzfXFNUTFzOpPwmc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Tue, 12 Mar 2024 17:11:13 +0000 commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7 Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/include/asm/spec_ctrl_asm.h | 36 +++++++++++++++++++++----------- xen/arch/x86/x86_64/asm-offsets.c | 13 ++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index ba8e0ae28b..629518cc69 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -159,16 +159,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -286,8 +293,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -367,7 +372,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -395,11 +400,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 8697404cd0..d8903a3ce9 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -136,6 +144,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_processor_id, struct cpu_info, processor_id); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 9951b3e328..631f4f272a 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -159,6 +159,12 @@ FUNC(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8, compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) END(compat_restore_all_guest) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 1b846f3aaf..7d686b7628 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -212,6 +212,9 @@ FUNC_LOCAL(restore_all_guest) #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -224,6 +227,9 @@ LABEL_LOCAL(.Lrestore_rcx_iret_exit_to_guest) iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -688,9 +694,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq END(restore_all_xen) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:11:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:11:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691989.1078675 (Exim 4.92) (envelope-from ) id 1rk5eu-0007IM-Rp; Tue, 12 Mar 2024 17:11:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691989.1078675; Tue, 12 Mar 2024 17:11:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5eu-0007IE-PC; Tue, 12 Mar 2024 17:11:24 +0000 Received: by outflank-mailman (input) for mailman id 691989; Tue, 12 Mar 2024 17:11:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5et-0007I1-Ox for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5et-0007GV-OD for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5et-0002k2-NO for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DiL35wU7/zeEQT0nR0H0z3qbGaJ1SUHOmNKJfh5pfss=; b=YdBdhX0vtRiIPpFEEoeDK96CHz lHCIpTmSNSiM2sOCe09rYX1nf/hfJN4xzVGIFO3TRSHl1i/5XrtGl6eCIVlnScf02j7tTzNa7XERi rM63F/RvALAUIhKQQaDA0aHTpLE8Uc20dUJsAq/gOwJ7yhSTiDCTvcBlNfanrremM38g=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Tue, 12 Mar 2024 17:11:23 +0000 commit f7603ca252e4226739eb3129a5290ee3da3f8ea4 Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 02896598df..a54d77528a 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2363,7 +2363,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2388,7 +2388,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2405,11 +2405,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen and on idle. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 752225faa6..9cede5361d 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -25,8 +25,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static int8_t __initdata opt_rsb_pv = -1; static bool __initdata opt_rsb_hvm = true; -static int8_t __ro_after_init opt_md_clear_pv = -1; -static int8_t __ro_after_init opt_md_clear_hvm = -1; +static int8_t __ro_after_init opt_verw_pv = -1; +static int8_t __ro_after_init opt_verw_hvm = -1; static int8_t __ro_after_init opt_ibpb_entry_pv = -1; static int8_t __ro_after_init opt_ibpb_entry_hvm = -1; @@ -66,7 +66,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __ro_after_init opt_fb_clear_mmio; +static bool __ro_after_init opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -108,8 +108,8 @@ static int __init cf_check parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -140,14 +140,14 @@ static int __init cf_check parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -192,21 +192,22 @@ static int __init cf_check parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -528,8 +529,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -550,13 +551,13 @@ static void __init print_details(enum ind_thunk thunk) boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || amd_virt_spec_ctrl || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || amd_virt_spec_ctrl) ? " MSR_VIRT_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -565,11 +566,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1502,8 +1503,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1866,19 +1867,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1891,12 +1893,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:11:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:11:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691992.1078678 (Exim 4.92) (envelope-from ) id 1rk5f4-0007Ll-Uj; Tue, 12 Mar 2024 17:11:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691992.1078678; Tue, 12 Mar 2024 17:11:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5f4-0007Le-S5; Tue, 12 Mar 2024 17:11:34 +0000 Received: by outflank-mailman (input) for mailman id 691992; Tue, 12 Mar 2024 17:11:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5f3-0007LS-S6 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5f3-0007Gc-RK for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5f3-0002kf-QN for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ckV+nHvb0HRaB0m6rra9HLwYq7aAMFdPkflo6goRTP4=; b=a/i5Y+rooOFTFv0MHVYeRrTUnv xVaF+KQaqMGEj2IqsvhswnC6rMV1aTePyUpuVP0Ijb22P5U2VC9oVAgAOE0Thkoeh+/Eqrwl4ETDJ 53YVERcL0gqUe2XTS+Ty7xFS0bi5R8XS4wBM+RIZYN/QcUAfiI/E+KWaRW9ZEgH/pfsw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Tue, 12 Mar 2024 17:11:33 +0000 commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2 Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 9cede5361d..b31b13146f 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1519,7 +1519,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1855,50 +1855,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:11:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:11:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691993.1078683 (Exim 4.92) (envelope-from ) id 1rk5fF-0007Oc-0C; Tue, 12 Mar 2024 17:11:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691993.1078683; Tue, 12 Mar 2024 17:11:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fE-0007OV-Tf; Tue, 12 Mar 2024 17:11:44 +0000 Received: by outflank-mailman (input) for mailman id 691993; Tue, 12 Mar 2024 17:11:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fD-0007OK-Vr for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fD-0007IL-Ul for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5fD-0002ll-Tt for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nUSL6p+BVgZsYyclzFJThvgJFTxYxqZJ2FKDYLWTH/Q=; b=REF8rYviYDtCJVJdnzAx4FLWhP B8ha7AwElhGYgxOdY0iafID7r3QU8yQVXyK818tiDXpA1v8g+UzStxQ9ix6pv1iXvWyXKpgQF9knl FNmlsTr2KNU9BWjAKMe1EcOkK5U4c5fdXA8Pqblgmm4J+Ln6uTaMrx8s7riECNjhJgQ0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Tue, 12 Mar 2024 17:11:43 +0000 commit fb5b6f6744713410c74cfc12b7176c108e3c9a31 Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/include/asm/cpufeature.h | 3 + xen/arch/x86/include/asm/msr-index.h | 2 + xen/arch/x86/spec_ctrl.c | 100 ++++++++++++++++++++++++++-- xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 111 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index 46abdb9140..51efbff579 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -172,7 +172,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -251,7 +251,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 2c6f03057b..2acc27632f 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -451,6 +451,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -510,6 +511,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index ad24d0fa88..9bc553681f 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -182,6 +182,7 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_avx512_fp16 boot_cpu_has(X86_FEATURE_AVX512_FP16) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) @@ -213,6 +214,8 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h index fc82afc246..92dd9fa496 100644 --- a/xen/arch/x86/include/asm/msr-index.h +++ b/xen/arch/x86/include/asm/msr-index.h @@ -89,6 +89,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index b31b13146f..0638d9980a 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -12,6 +12,7 @@ #include #include +#include #include #include #include @@ -435,7 +436,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -451,6 +452,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -461,7 +463,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -479,6 +481,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1347,6 +1350,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case INTEL_FAM6_ALDERLAKE: + case INTEL_FAM6_RAPTORLAKE: + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + fallthrough; + case INTEL_FAM6_ALDERLAKE_L: + case INTEL_FAM6_RAPTORLAKE_P: + case INTEL_FAM6_RAPTORLAKE_S: + + case INTEL_FAM6_ATOM_GOLDMONT: /* Apollo Lake */ + case INTEL_FAM6_ATOM_GOLDMONT_D: /* Denverton */ + case INTEL_FAM6_ATOM_GOLDMONT_PLUS: /* Gemini Lake */ + case INTEL_FAM6_ATOM_TREMONT_D: /* Snow Ridge / Parker Ridge */ + case INTEL_FAM6_ATOM_TREMONT: /* Elkhart Lake */ + case INTEL_FAM6_ATOM_TREMONT_L: /* Jasper Lake */ + case INTEL_FAM6_ATOM_GRACEMONT: /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1860,6 +1940,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1889,8 +1970,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1922,15 +2007,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1944,7 +2033,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 0374cec3a2..eb9f552948 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -266,6 +266,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(AVX512_FP16, 9*32+23) /*A AVX512 FP16 instructions */ @@ -343,6 +344,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:11:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:11:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691994.1078686 (Exim 4.92) (envelope-from ) id 1rk5fP-0007Re-1l; Tue, 12 Mar 2024 17:11:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691994.1078686; Tue, 12 Mar 2024 17:11:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fO-0007RX-VH; Tue, 12 Mar 2024 17:11:54 +0000 Received: by outflank-mailman (input) for mailman id 691994; Tue, 12 Mar 2024 17:11:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fO-0007RP-2M for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fO-0007IU-1e for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5fO-0002mH-0d for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:11:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tmsUm7bcTvYMhLaXfBU62HC3S1RZWbU8RcVNU9uqDjY=; b=EhSFtXPcPM0B1FVIZOr7IvsTzT DUlqA1R0xJDaTQUaAxUp5906lDH5XqWf2NBDIui+Kpsgqv9Ik1CPraC3BEx4cveyLaC9RE9vsSxzL n0mgAuAte880q0sgD6piDlXXhX/Itz3YS/Szzn61gB6697ufecOFhkxkEGEEoh1oiui0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Tue, 12 Mar 2024 17:11:54 +0000 commit c4f427ec879e7c0df6d44d02561e8bee838a293e Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index bb29b352ec..3e84960a36 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -93,8 +93,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 9ecddbff5e..1b88a83be8 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *p); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:12:05 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:12:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691995.1078690 (Exim 4.92) (envelope-from ) id 1rk5fZ-0007VC-4t; Tue, 12 Mar 2024 17:12:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691995.1078690; Tue, 12 Mar 2024 17:12:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fZ-0007V5-2Q; Tue, 12 Mar 2024 17:12:05 +0000 Received: by outflank-mailman (input) for mailman id 691995; Tue, 12 Mar 2024 17:12:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fY-0007Uv-5v for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fY-0007J9-52 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5fY-0002np-4G for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Tfmgx3KQSwvVrzPU1ZewBkwFh42MXH6uWB7Ry0GuOz8=; b=gr5uTjYAWcvCV0JIvT8F1xR4RP x2NU18h9GLuP66CgP/i1dtCQZYmjYxzlg95cm3vmTgjLHTByWI3DLg2Lx/CQu6KIAtU2aSSEJMOkO FTbo9dO7o/iLCWUOJc2gMwDHdXBqlbs9zwaSIw5p8oEW90xWlE4iUA7ccT2HKfhqJS4s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:12:04 +0000 commit 7ef0084418e188d05f338c3e028fbbe8b6924afa Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/include/asm/cpufeatures.h | 2 +- xen/arch/x86/include/asm/nospec.h | 26 ++++++++++++++++++++++++ xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++--- xen/common/Kconfig | 17 ++++++++++++++++ xen/include/xen/nospec.h | 15 ++++++++++++++ xen/include/xen/spinlock.h | 37 ++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index a54d77528a..54edbc0fbc 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2366,7 +2366,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2493,6 +2493,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h index c3aad21c3b..7e8221fd85 100644 --- a/xen/arch/x86/include/asm/cpufeatures.h +++ b/xen/arch/x86/include/asm/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_NO_BRANCH_HARDEN, X86_SYNTH(15)) /* (Disable) Conditional branch hardening */ diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h index 07606834c4..e058a3bb0e 100644 --- a/xen/arch/x86/include/asm/nospec.h +++ b/xen/arch/x86/include/asm/nospec.h @@ -62,6 +62,32 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, /* Override default implementation in nospec.h. */ #define array_index_mask_nospec array_index_mask_nospec +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 0638d9980a..0b670c3ca7 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -53,6 +53,7 @@ int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; static bool __initdata opt_branch_harden = IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH); +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -121,6 +122,7 @@ static int __init cf_check parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -286,6 +288,16 @@ static int __init cf_check parse_spec_ctrl(const char *s) rc = -EINVAL; } } + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -488,7 +500,8 @@ static void __init print_details(enum ind_thunk thunk) if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || - IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" @@ -504,11 +517,14 @@ static void __init print_details(enum ind_thunk thunk) #endif #ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS " HARDEN_GUEST_ACCESS" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk != THUNK_NONE ? "BTI-Thunk: " : "", thunk == THUNK_NONE ? "" : thunk == THUNK_RETPOLINE ? "RETPOLINE, " : @@ -535,7 +551,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1918,6 +1935,9 @@ void __init init_speculation_mitigations(void) if ( !opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_NO_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 310ad4229c..a5c3d5a6bf 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -188,6 +188,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config DIT_DEFAULT diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 4c250ebbd6..e8d73f9538 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -69,6 +69,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 0e6a083dfb..8430a888a8 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include @@ -202,13 +203,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -216,7 +234,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -237,8 +255,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:12:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:12:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691996.1078695 (Exim 4.92) (envelope-from ) id 1rk5fj-0007Xl-6i; Tue, 12 Mar 2024 17:12:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691996.1078695; Tue, 12 Mar 2024 17:12:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fj-0007Xd-47; Tue, 12 Mar 2024 17:12:15 +0000 Received: by outflank-mailman (input) for mailman id 691996; Tue, 12 Mar 2024 17:12:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fi-0007XV-8Y for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fi-0007JM-7r for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5fi-0002qL-79 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=PDpEQj0x4plYWUYeYmfdCYUbK4lH+moINKv2eejB5do=; b=eBJmkeEhmYX3JoccfQTlQ6R3Eu YsUU1Nc+VVCyNov6WhQhJei7m9kAJb5u3t77m7GIndrsmeC57UKio41qm7qTooyiQ+rFqRx+pLsgb 4iGzjoTvtlikbAof6+1aOW7yD2ipKxgkPkA8p6lD0KKNSGjKNACcDsQ6xO+ZiguIf2RQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:12:14 +0000 commit a1fb15f61692b1fa9945fc51f55471ace49cdd59 Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 18224a4bb5..290602936d 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -66,8 +69,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 08ba46de15..ffff0fad45 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -259,27 +259,49 @@ static inline int _rw_is_write_locked(const rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:12:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:12:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691997.1078699 (Exim 4.92) (envelope-from ) id 1rk5ft-0007aN-8V; Tue, 12 Mar 2024 17:12:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691997.1078699; Tue, 12 Mar 2024 17:12:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ft-0007aF-5c; Tue, 12 Mar 2024 17:12:25 +0000 Received: by outflank-mailman (input) for mailman id 691997; Tue, 12 Mar 2024 17:12:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fs-0007a7-BO for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5fs-0007JX-Ag for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5fs-0002r9-9w for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=bY67OCPDlFGfNAQxuZ6O8G1JWuUeuAFPzzP7bomzHDY=; b=WXnzDudYp2rcyhYok/9ARRwmYv +8kCLHsmNOM8BuAMXKpUGHf8YmOc+ch8gZWCLgRyjp4xKbg0jHFsISAVjScx7LacWqTveeT2a5Nl+ e8o/p3UbW6C+K9dnDoKXuKTXi51jEp3qgBu6Mkr1jHvI+ihJavR+JSJgCSlPX6IJzLD8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:12:24 +0000 commit f218daf6d3a3b847736d37c6a6b76031a0d08441 Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 290602936d..f5a249bcc2 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -129,8 +129,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index ffff0fad45..65d88b0ef4 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -338,8 +338,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -374,6 +374,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -430,8 +432,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:12:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:12:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691998.1078703 (Exim 4.92) (envelope-from ) id 1rk5g3-0007d4-AD; Tue, 12 Mar 2024 17:12:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691998.1078703; Tue, 12 Mar 2024 17:12:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5g3-0007cx-7D; Tue, 12 Mar 2024 17:12:35 +0000 Received: by outflank-mailman (input) for mailman id 691998; Tue, 12 Mar 2024 17:12:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5g2-0007cl-Ex for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5g2-0007Je-E8 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5g2-00030e-DT for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RLxzK09UaDQDdNdIvoA7QMSe3Gezqmbb/PsSL/cLI8Y=; b=4husHIU9oNJ9/9y3kFSYtDpQKK T+MFAs0DIrINVMi+kkFsTnR0TZ/2dLpXTKnZbhulUiUb1CNN9yEU11pb56yCKPN6W+6ScsDnOhuhP 2qxg/lhcIcBi54inydpoS3btaelkNCrhIb5D7wlu9rL8H0Bm7QlwIm3PtDVsWwncY4T0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Tue, 12 Mar 2024 17:12:34 +0000 commit 197ecd838a2aaf959a469df3696d4559c4f8b762 Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/include/asm/irq.h | 1 + xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 5 +++-- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 40 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index 8f53e88d67..e1d6845a28 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -150,7 +150,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -169,9 +169,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h index 7d49f3c190..413994d213 100644 --- a/xen/arch/x86/include/asm/irq.h +++ b/xen/arch/x86/include/asm/irq.h @@ -151,6 +151,7 @@ void cf_check irq_complete_move(struct irq_desc *desc); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 00b1bc402d..273fff86ba 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -74,8 +74,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -125,8 +125,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == smp_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -137,6 +137,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -150,8 +152,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -166,15 +168,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -309,7 +311,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index bc78c61062..65d31e5523 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -24,7 +24,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index 15aec5dcbb..bbfda2538e 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -45,7 +45,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -349,7 +349,8 @@ int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc, evtchn_port_t port) return rc; } -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 37b178a67b..7708930882 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -403,7 +403,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -413,7 +413,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -450,7 +450,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index c5db373972..3e48da1cdd 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 26a196f428..459d1dfb11 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -208,8 +208,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -221,10 +237,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 785177e7fa..a21798b76f 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -239,7 +239,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool timer_lock(struct timer *timer) +static inline bool timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -253,7 +253,8 @@ static inline bool timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -266,8 +267,9 @@ static inline bool timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 194701c913..6a1eda675d 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index 8e509e0784..f1472ea1eb 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -114,12 +114,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index 1df1863b13..63e49f0117 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -166,8 +166,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:12:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:12:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.691999.1078707 (Exim 4.92) (envelope-from ) id 1rk5gD-0007gH-DG; Tue, 12 Mar 2024 17:12:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 691999.1078707; Tue, 12 Mar 2024 17:12:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gD-0007g9-Ae; Tue, 12 Mar 2024 17:12:45 +0000 Received: by outflank-mailman (input) for mailman id 691999; Tue, 12 Mar 2024 17:12:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gC-0007g1-K6 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gC-0007Jr-JD for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5gC-00039q-GW for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Av6qcKHPGJMJX82t/DHulLN5VbJj39sJVl1uoo31vq8=; b=tSSLv7jXoLKImHrOQf3d57AtWp 2gcel/OL1yoosyHwFKZxm0RqUt63lvjD15bJWPAsaFwTHd2Krxt8DqZSVorIaa85lM45AiGWJlAFj fqQlmkaYgUJ8UGDOBXrFFHFRFYg1I8r7KoT0oQ/P3YZJuXAj6KFZdlH4iKSJi+0YeJSo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Tue, 12 Mar 2024 17:12:44 +0000 commit 42a572a38e22a97d86a4b648a22597628d5b42e4 Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/arch/x86/include/asm/mm.h | 4 +++- xen/arch/x86/mm.c | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h index 7d26d9cd2f..65d209d5ff 100644 --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -399,7 +399,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 0c6658298d..2ba4c26401 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2034,7 +2034,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2095,7 +2095,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2104,6 +2104,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:12:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:12:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692000.1078710 (Exim 4.92) (envelope-from ) id 1rk5gN-0007kJ-Eq; Tue, 12 Mar 2024 17:12:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692000.1078710; Tue, 12 Mar 2024 17:12:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gN-0007kB-C5; Tue, 12 Mar 2024 17:12:55 +0000 Received: by outflank-mailman (input) for mailman id 692000; Tue, 12 Mar 2024 17:12:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gM-0007k1-NG for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gM-0007K2-MT for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5gM-0003Ir-Lg for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:12:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=L6aAKjKNj2gUa4TzeZ3OQNK7UJTz/ebgv1NBuq/hwto=; b=RJF2wfYKWMr89Q5rnmvaxqxvJz f9C7f+xL9mY7La1sy7Y26u2YwXUtDY7TyRuayT5lhptQZshETCDd7/NWQwV21X7AUyAsc26/edf9v g3Z4LJGRVTp3QAbK7ApL+o4LM/+iozI4cRa7vKR48J4lkVy1d7bkPt+/p00xDSz2iZ9s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86: protect conditional lock taking from speculative execution Message-Id: Date: Tue, 12 Mar 2024 17:12:54 +0000 commit 03cf7ca23e0e876075954c558485b267b7d02406 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/arch/x86/mm.c | 35 +++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 32 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 2ba4c26401..62f5b811bb 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5018,8 +5018,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; UNMAP_DOMAIN_PAGE(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_mfn(l3mfn, __PAGE_HYPERVISOR); @@ -5056,8 +5055,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_mfn(l2mfn, __PAGE_HYPERVISOR)); @@ -5095,8 +5093,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_mfn(l1mfn, __PAGE_HYPERVISOR)); @@ -5127,6 +5124,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5342,8 +5341,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5447,8 +5445,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5489,8 +5486,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5544,8 +5540,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5689,8 +5684,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l3e_get_flags(*pl3e))); UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5749,8 +5743,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_get_flags(*pl2e) & ~_PAGE_PSE)); UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5794,8 +5787,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5842,8 +5834,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 273fff86ba..2eae73ac68 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -335,6 +335,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 4dd41193f5..ca24cd4a67 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -281,9 +281,8 @@ mfn_t p2m_get_gfn_type_access(struct p2m_domain *p2m, gfn_t gfn, if ( q & P2M_UNSHARE ) q |= P2M_ALLOC; - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 8430a888a8..e351fc9995 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -229,6 +229,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:13:06 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:13:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692001.1078716 (Exim 4.92) (envelope-from ) id 1rk5gY-0007mw-HE; Tue, 12 Mar 2024 17:13:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692001.1078716; Tue, 12 Mar 2024 17:13:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gY-0007mm-Dd; Tue, 12 Mar 2024 17:13:06 +0000 Received: by outflank-mailman (input) for mailman id 692001; Tue, 12 Mar 2024 17:13:05 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gX-0007me-74 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:05 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gX-0007Kd-6F for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:05 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5gX-0003Ln-5Z for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:05 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1M0v88ruSNmfjRtxoR8HivaxL6VWOBNQUZxz0dKAG70=; b=WaaKu8L6niDDew9igdcsSjnT9Y wup1OiwGhzWQojTAyHZ1GclTSFv15rfiaeHc2b8kfpi+f8RepqKLlvXNX2i2hoymCbTj4GtjjfNQY b40GIgwSaQzLACp2V98U1Fp1/kfJDHZ/7DeGhu5mO5eZv8xx2kYdFcGyVYtEIBQZa1Wc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/entry: Introduce EFRAME_* constants Message-Id: Date: Tue, 12 Mar 2024 17:13:05 +0000 commit fe1869a569bab56e44c35d1522ee064bab6286da Author: Andrew Cooper AuthorDate: Sat Jan 27 17:52:09 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 11:36:41 2024 +0000 x86/entry: Introduce EFRAME_* constants restore_all_guest() does a lot of manipulation of the stack after popping the GPRs, and uses raw %rsp displacements to do so. Also, almost all entrypaths use raw %rsp displacements prior to pushing GPRs. Provide better mnemonics, to aid readability and reduce the chance of errors when editing. No functional change. The resulting binary is identical. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 37541208f119a9c552c6c6c3246ea61be0d44035) --- xen/arch/x86/x86_64/asm-offsets.c | 17 +++++++++ xen/arch/x86/x86_64/compat/entry.S | 2 +- xen/arch/x86/x86_64/entry.S | 70 +++++++++++++++++++------------------- 3 files changed, 53 insertions(+), 36 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 57b73a4e62..2fc4d9130a 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -51,6 +51,23 @@ void __dummy__(void) OFFSET(UREGS_kernel_sizeof, struct cpu_user_regs, es); BLANK(); + /* + * EFRAME_* is for the entry/exit logic where %rsp is pointing at + * UREGS_error_code and GPRs are still/already guest values. + */ +#define OFFSET_EF(sym, mem) \ + DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ + offsetof(struct cpu_user_regs, error_code)) + + OFFSET_EF(EFRAME_entry_vector, entry_vector); + OFFSET_EF(EFRAME_rip, rip); + OFFSET_EF(EFRAME_cs, cs); + OFFSET_EF(EFRAME_eflags, eflags); + OFFSET_EF(EFRAME_rsp, rsp); + BLANK(); + +#undef OFFSET_EF + OFFSET(VCPU_processor, struct vcpu, processor); OFFSET(VCPU_domain, struct vcpu, domain); OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info_area.map); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index fcc3a721f1..cb473f08ee 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -15,7 +15,7 @@ ENTRY(entry_int82) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $HYPERCALL_VECTOR, 4(%rsp) + movl $HYPERCALL_VECTOR, EFRAME_entry_vector(%rsp) SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 9a7b129aa7..968da9d727 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -190,15 +190,15 @@ restore_all_guest: SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL - testw $TRAP_syscall,4(%rsp) + testw $TRAP_syscall, EFRAME_entry_vector(%rsp) jz iret_exit_to_guest - movq 24(%rsp),%r11 # RFLAGS + mov EFRAME_eflags(%rsp), %r11 andq $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), %r11 orq $X86_EFLAGS_IF,%r11 /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx + mov EFRAME_rip(%rsp), %rcx sarq $47,%rcx incl %ecx cmpl $1,%ecx @@ -213,20 +213,20 @@ restore_all_guest: ALTERNATIVE "", rag_clrssbsy, X86_FEATURE_XEN_SHSTK #endif - movq 8(%rsp), %rcx # RIP - cmpw $FLAT_USER_CS32,16(%rsp)# CS - movq 32(%rsp),%rsp # RSP + mov EFRAME_rip(%rsp), %rcx + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) + mov EFRAME_rsp(%rsp), %rsp je 1f sysretq 1: sysretl ALIGN .Lrestore_rcx_iret_exit_to_guest: - movq 8(%rsp), %rcx # RIP + mov EFRAME_rip(%rsp), %rcx /* No special register assumptions. */ iret_exit_to_guest: - andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), 24(%rsp) - orl $X86_EFLAGS_IF,24(%rsp) + andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) + orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -257,7 +257,7 @@ ENTRY(lstar_enter) pushq $FLAT_KERNEL_CS64 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -294,7 +294,7 @@ ENTRY(cstar_enter) pushq $FLAT_USER_CS32 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -335,7 +335,7 @@ GLOBAL(sysenter_eflags_saved) pushq $3 /* ring 3 null cs */ pushq $0 /* null rip */ pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -389,7 +389,7 @@ ENTRY(int80_direct_trap) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $0x80, 4(%rsp) + movl $0x80, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -649,7 +649,7 @@ ret_from_intr: .section .init.text, "ax", @progbits ENTRY(early_page_fault) ENDBR64 - movl $X86_EXC_PF, 4(%rsp) + movl $X86_EXC_PF, EFRAME_entry_vector(%rsp) SAVE_ALL movq %rsp, %rdi call do_early_page_fault @@ -716,7 +716,7 @@ ENTRY(common_interrupt) ENTRY(entry_PF) ENDBR64 - movl $X86_EXC_PF, 4(%rsp) + movl $X86_EXC_PF, EFRAME_entry_vector(%rsp) /* No special register assumptions. */ GLOBAL(handle_exception) ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP @@ -890,90 +890,90 @@ FATAL_exception_with_ints_disabled: ENTRY(entry_DE) ENDBR64 pushq $0 - movl $X86_EXC_DE, 4(%rsp) + movl $X86_EXC_DE, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_MF) ENDBR64 pushq $0 - movl $X86_EXC_MF, 4(%rsp) + movl $X86_EXC_MF, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_XM) ENDBR64 pushq $0 - movl $X86_EXC_XM, 4(%rsp) + movl $X86_EXC_XM, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_NM) ENDBR64 pushq $0 - movl $X86_EXC_NM, 4(%rsp) + movl $X86_EXC_NM, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_DB) ENDBR64 pushq $0 - movl $X86_EXC_DB, 4(%rsp) + movl $X86_EXC_DB, EFRAME_entry_vector(%rsp) jmp handle_ist_exception ENTRY(entry_BP) ENDBR64 pushq $0 - movl $X86_EXC_BP, 4(%rsp) + movl $X86_EXC_BP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_OF) ENDBR64 pushq $0 - movl $X86_EXC_OF, 4(%rsp) + movl $X86_EXC_OF, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_BR) ENDBR64 pushq $0 - movl $X86_EXC_BR, 4(%rsp) + movl $X86_EXC_BR, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_UD) ENDBR64 pushq $0 - movl $X86_EXC_UD, 4(%rsp) + movl $X86_EXC_UD, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_TS) ENDBR64 - movl $X86_EXC_TS, 4(%rsp) + movl $X86_EXC_TS, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_NP) ENDBR64 - movl $X86_EXC_NP, 4(%rsp) + movl $X86_EXC_NP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_SS) ENDBR64 - movl $X86_EXC_SS, 4(%rsp) + movl $X86_EXC_SS, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_GP) ENDBR64 - movl $X86_EXC_GP, 4(%rsp) + movl $X86_EXC_GP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_AC) ENDBR64 - movl $X86_EXC_AC, 4(%rsp) + movl $X86_EXC_AC, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_CP) ENDBR64 - movl $X86_EXC_CP, 4(%rsp) + movl $X86_EXC_CP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_DF) ENDBR64 - movl $X86_EXC_DF, 4(%rsp) + movl $X86_EXC_DF, EFRAME_entry_vector(%rsp) /* Set AC to reduce chance of further SMAP faults */ ALTERNATIVE "", stac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -998,7 +998,7 @@ ENTRY(entry_DF) ENTRY(entry_NMI) ENDBR64 pushq $0 - movl $X86_EXC_NMI, 4(%rsp) + movl $X86_EXC_NMI, EFRAME_entry_vector(%rsp) handle_ist_exception: ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1130,7 +1130,7 @@ handle_ist_exception: ENTRY(entry_MC) ENDBR64 pushq $0 - movl $X86_EXC_MC, 4(%rsp) + movl $X86_EXC_MC, EFRAME_entry_vector(%rsp) jmp handle_ist_exception /* No op trap handler. Required for kexec crash path. */ @@ -1167,7 +1167,7 @@ autogen_stubs: /* Automatically generated stubs. */ 1: ENDBR64 pushq $0 - movb $vec,4(%rsp) + movb $vec, EFRAME_entry_vector(%rsp) jmp common_interrupt entrypoint 1b @@ -1181,7 +1181,7 @@ autogen_stubs: /* Automatically generated stubs. */ test $8,%spl /* 64bit exception frames are 16 byte aligned, but the word */ jz 2f /* size is 8 bytes. Check whether the processor gave us an */ pushq $0 /* error code, and insert an empty one if not. */ -2: movb $vec,4(%rsp) +2: movb $vec, EFRAME_entry_vector(%rsp) jmp handle_exception entrypoint 1b -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:13:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:13:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692002.1078719 (Exim 4.92) (envelope-from ) id 1rk5gi-0007qe-IJ; Tue, 12 Mar 2024 17:13:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692002.1078719; Tue, 12 Mar 2024 17:13:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gi-0007qW-FF; Tue, 12 Mar 2024 17:13:16 +0000 Received: by outflank-mailman (input) for mailman id 692002; Tue, 12 Mar 2024 17:13:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gh-0007qM-9i for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gh-0007Km-8t for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:15 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5gh-0003Uy-8I for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:15 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=201iPrqW5Lr2ftHGfG3MSOIrmRp4P3q4l9LZT7y76Gw=; b=tmfW8nNzM97tVDLJj7xRab+RVC qdcQhFupIcQyagEs8AeKnd/WYJeYO8ElMY6AZBMvd3McS33ICcMYAzbQ8p6m2suPcnG5uSaJabxAe y76EW7aJO1cw5Sr49I58DA2ha8MyEBogmdb01jHo6tYYQz4I5Cb5cNr4xltAQ7fUZcr0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86: Resync intel-family.h from Linux Message-Id: Date: Tue, 12 Mar 2024 17:13:15 +0000 commit b91c253e81db915f685b29e6947144ab9905388d Author: Andrew Cooper AuthorDate: Tue Feb 27 16:07:39 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 11:36:41 2024 +0000 x86: Resync intel-family.h from Linux From v6.8-rc6 Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 195e75371b13c4f7ecdf7b5c50aed0d02f2d7ce8) --- xen/arch/x86/include/asm/intel-family.h | 38 +++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/include/asm/intel-family.h b/xen/arch/x86/include/asm/intel-family.h index ffc49151be..b65e9c46b9 100644 --- a/xen/arch/x86/include/asm/intel-family.h +++ b/xen/arch/x86/include/asm/intel-family.h @@ -26,6 +26,9 @@ * _G - parts with extra graphics on * _X - regular server parts * _D - micro server parts + * _N,_P - other mobile parts + * _H - premium mobile parts + * _S - other client parts * * Historical OPTDIFFs: * @@ -37,6 +40,9 @@ * their own names :-( */ +/* Wildcard match for FAM6 so X86_MATCH_INTEL_FAM6_MODEL(ANY) works */ +#define INTEL_FAM6_ANY X86_MODEL_ANY + #define INTEL_FAM6_CORE_YONAH 0x0E #define INTEL_FAM6_CORE2_MEROM 0x0F @@ -93,8 +99,6 @@ #define INTEL_FAM6_ICELAKE_L 0x7E /* Sunny Cove */ #define INTEL_FAM6_ICELAKE_NNPI 0x9D /* Sunny Cove */ -#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */ - #define INTEL_FAM6_ROCKETLAKE 0xA7 /* Cypress Cove */ #define INTEL_FAM6_TIGERLAKE_L 0x8C /* Willow Cove */ @@ -102,12 +106,31 @@ #define INTEL_FAM6_SAPPHIRERAPIDS_X 0x8F /* Golden Cove */ +#define INTEL_FAM6_EMERALDRAPIDS_X 0xCF + +#define INTEL_FAM6_GRANITERAPIDS_X 0xAD +#define INTEL_FAM6_GRANITERAPIDS_D 0xAE + +/* "Hybrid" Processors (P-Core/E-Core) */ + +#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */ + #define INTEL_FAM6_ALDERLAKE 0x97 /* Golden Cove / Gracemont */ #define INTEL_FAM6_ALDERLAKE_L 0x9A /* Golden Cove / Gracemont */ -#define INTEL_FAM6_RAPTORLAKE 0xB7 +#define INTEL_FAM6_RAPTORLAKE 0xB7 /* Raptor Cove / Enhanced Gracemont */ +#define INTEL_FAM6_RAPTORLAKE_P 0xBA +#define INTEL_FAM6_RAPTORLAKE_S 0xBF + +#define INTEL_FAM6_METEORLAKE 0xAC +#define INTEL_FAM6_METEORLAKE_L 0xAA + +#define INTEL_FAM6_ARROWLAKE_H 0xC5 +#define INTEL_FAM6_ARROWLAKE 0xC6 + +#define INTEL_FAM6_LUNARLAKE_M 0xBD -/* "Small Core" Processors (Atom) */ +/* "Small Core" Processors (Atom/E-Core) */ #define INTEL_FAM6_ATOM_BONNELL 0x1C /* Diamondville, Pineview */ #define INTEL_FAM6_ATOM_BONNELL_MID 0x26 /* Silverthorne, Lincroft */ @@ -134,6 +157,13 @@ #define INTEL_FAM6_ATOM_TREMONT 0x96 /* Elkhart Lake */ #define INTEL_FAM6_ATOM_TREMONT_L 0x9C /* Jasper Lake */ +#define INTEL_FAM6_ATOM_GRACEMONT 0xBE /* Alderlake N */ + +#define INTEL_FAM6_ATOM_CRESTMONT_X 0xAF /* Sierra Forest */ +#define INTEL_FAM6_ATOM_CRESTMONT 0xB6 /* Grand Ridge */ + +#define INTEL_FAM6_ATOM_DARKMONT_X 0xDD /* Clearwater Forest */ + /* Xeon Phi */ #define INTEL_FAM6_XEON_PHI_KNL 0x57 /* Knights Landing */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:13:26 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:13:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692004.1078733 (Exim 4.92) (envelope-from ) id 1rk5gs-00088e-SZ; Tue, 12 Mar 2024 17:13:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692004.1078733; Tue, 12 Mar 2024 17:13:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gs-00088W-Po; Tue, 12 Mar 2024 17:13:26 +0000 Received: by outflank-mailman (input) for mailman id 692004; Tue, 12 Mar 2024 17:13:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gr-00084f-CP for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5gr-0007L5-Be for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5gr-0003VU-B3 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:25 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=/MgG0r8XGUZFlV0gXq/7GfQhk49DD5D8AggVfOMiUEo=; b=cTq0A8oJ520xDFCRmzsS+7mtsE ON7iXLUQKOu8Kk089zuQsl7ZFAvzM/CLo4YdZ9/Mu50RRXpWuqiND9TVQsaEbHfGRUJwmFvlsNYXX 6Z7CSx5MB6OSQZg+EP34rvV3c79/OCirOIRjxPVwGuMEhadPifycLVVqV7uDxOcni6OU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Tue, 12 Mar 2024 17:13:25 +0000 commit 9f89ec65fbe49c3be32a456091097d7ef017d268 Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:06 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f) --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++---- xen/arch/x86/include/asm/asm_defns.h | 8 +++++++ xen/arch/x86/include/asm/spec_ctrl_asm.h | 7 +++++++ xen/arch/x86/x86_64/asm-offsets.c | 1 + 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index e3f60d5a82..1bead826ca 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h index baaaccb26e..56ae26e542 100644 --- a/xen/arch/x86/include/asm/asm_defns.h +++ b/xen/arch/x86/include/asm/asm_defns.h @@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ +.macro BUILD_BUG_ON condstr, cond:vararg + .if \cond + .error "Condition \"\condstr\" not satisfied" + .endif +.endm +/* preprocessor macro to make error message more user friendly */ +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond + #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ .ifndef .L.tag; \ diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index 6cb7c1b949..525745a066 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -152,6 +152,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 2fc4d9130a..0d33678898 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -135,6 +135,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:13:36 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:13:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692005.1078738 (Exim 4.92) (envelope-from ) id 1rk5h2-0008EO-V8; Tue, 12 Mar 2024 17:13:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692005.1078738; Tue, 12 Mar 2024 17:13:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5h2-0008EG-RG; Tue, 12 Mar 2024 17:13:36 +0000 Received: by outflank-mailman (input) for mailman id 692005; Tue, 12 Mar 2024 17:13:35 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5h1-0008Dn-Fx for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:35 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5h1-0007LE-FD for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:35 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5h1-0003W8-Dv for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7ZCna+w99ZJMD20py5c3im/rCTKkJQQ4b8DNXpRinBI=; b=kZUCnqRUncIIoLfG/pD9xtFVL0 S1L6HmOqbnxJkbjKsrMF8fZC4FicBZf1TbwjBjdKlNMeOYfwcOg5dt1CWTjHR2QRSIY8yJ9n5tD3R 31M7r5E8u0leNtnn2Ae4aqJoEvIsWiTPrOAEDpXlpv4wKgEAuV7weSLvUS+TPZB16V8w=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Tue, 12 Mar 2024 17:13:35 +0000 commit 95dd34fdbea5408872d5c244fe268222a4f145d0 Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:50 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7) --- xen/arch/x86/include/asm/spec_ctrl_asm.h | 36 +++++++++++++++++++++----------- xen/arch/x86/x86_64/asm-offsets.c | 13 ++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index 525745a066..13acebc75d 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -159,16 +159,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -286,8 +293,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -367,7 +372,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -395,11 +400,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 0d33678898..85c7d0c989 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -136,6 +144,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index cb473f08ee..3bbe3a79a5 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -161,6 +161,12 @@ ENTRY(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8 compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 968da9d727..2c7512130f 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -214,6 +214,9 @@ restore_all_guest: #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -227,6 +230,9 @@ restore_all_guest: iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -679,9 +685,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq ENTRY(common_interrupt) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:13:47 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:13:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692006.1078741 (Exim 4.92) (envelope-from ) id 1rk5hC-0008QM-VT; Tue, 12 Mar 2024 17:13:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692006.1078741; Tue, 12 Mar 2024 17:13:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hC-0008QF-St; Tue, 12 Mar 2024 17:13:46 +0000 Received: by outflank-mailman (input) for mailman id 692006; Tue, 12 Mar 2024 17:13:45 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hB-0008Oj-JA for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:45 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hB-0007LL-IS for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:45 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5hB-0003Wn-He for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:45 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=odB8ipojq8n/xuuYxsepAfN6skz009nIAlWHYNjPXxE=; b=6eFW3u93Wz8ar0aFfSlvOY9GCv 5eYG2dPUDvTxdig4Ar1G/IOe74jsXex3g1tnAOZ/QFl8gSENLtJRDkVzXoRw+4izBZAFT+nt1ULOW KJmePeKtGeZn/is+j6bk4ueAXZ0s18lAPyg7XQ1y+FQYjWaBEapcwSOnktMPXrvU/4tM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Tue, 12 Mar 2024 17:13:45 +0000 commit b7205fc1cbad0c633e92d2d019a02a507467507b Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:52 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit f7603ca252e4226739eb3129a5290ee3da3f8ea4) --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 582d6741d1..fbf1683924 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2370,7 +2370,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2395,7 +2395,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2412,11 +2412,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen and on idle. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index a965b6db28..c42d8cdc22 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -25,8 +25,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static int8_t __initdata opt_rsb_pv = -1; static bool __initdata opt_rsb_hvm = true; -static int8_t __ro_after_init opt_md_clear_pv = -1; -static int8_t __ro_after_init opt_md_clear_hvm = -1; +static int8_t __ro_after_init opt_verw_pv = -1; +static int8_t __ro_after_init opt_verw_hvm = -1; static int8_t __ro_after_init opt_ibpb_entry_pv = -1; static int8_t __ro_after_init opt_ibpb_entry_hvm = -1; @@ -66,7 +66,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __ro_after_init opt_fb_clear_mmio; +static bool __ro_after_init opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -108,8 +108,8 @@ static int __init cf_check parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -140,14 +140,14 @@ static int __init cf_check parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -192,21 +192,22 @@ static int __init cf_check parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -528,8 +529,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -550,13 +551,13 @@ static void __init print_details(enum ind_thunk thunk) boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || amd_virt_spec_ctrl || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || amd_virt_spec_ctrl) ? " MSR_VIRT_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -565,11 +566,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1502,8 +1503,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1866,19 +1867,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1891,12 +1893,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:13:57 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:13:57 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692008.1078746 (Exim 4.92) (envelope-from ) id 1rk5hN-0008Vz-2U; Tue, 12 Mar 2024 17:13:57 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692008.1078746; Tue, 12 Mar 2024 17:13:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hM-0008Vr-Vk; Tue, 12 Mar 2024 17:13:56 +0000 Received: by outflank-mailman (input) for mailman id 692008; Tue, 12 Mar 2024 17:13:55 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hL-0008UX-MS for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:55 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hL-0007LS-LH for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:55 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5hL-0003XG-Kh for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:13:55 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nwXfDwpi9W6Q92jA2ge5VTBnz9S2zgIGhBVY6p5N/Hw=; b=mBYKPAVP5ltCF4wJqZN4o1EC2c SHvSIcHTzU+BF83TI9LRPNRWrJVSGYY+e2rcF2oLXFIUk3ILDmTzAyqCEeqQ913257GSWBIQzzFAY XQtB16WQq52vYnofZCrdzuxA3K3EZyMB/4QTreZRf4Q8qi+GJj51rO4Vv9AOLFXD2kE4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Tue, 12 Mar 2024 17:13:55 +0000 commit fb85a8fc91f8cfd61d7c7f9742502b223d4024b5 Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:52 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2) --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index c42d8cdc22..a4afcd8570 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1519,7 +1519,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1855,50 +1855,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:14:07 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:14:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692009.1078748 (Exim 4.92) (envelope-from ) id 1rk5hX-00007H-3V; Tue, 12 Mar 2024 17:14:07 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692009.1078748; Tue, 12 Mar 2024 17:14:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hX-000079-0z; Tue, 12 Mar 2024 17:14:07 +0000 Received: by outflank-mailman (input) for mailman id 692009; Tue, 12 Mar 2024 17:14:05 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hV-00006z-PF for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:05 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hV-0007MB-OP for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:05 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5hV-0003gz-Ng for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:05 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5+XG3XrKt4vdm5D/O1+AvPpYqzsLfjekcfyhNLAeXzg=; b=LHcMPD4C64NVrlhD/cZLvZLWoG sHg+pbgKdFyckDvFycpw4NwA+ngHeC38stqXqfHbhw/9v9IKoK6L8ueqf2ZZtaIqjxgjuJEpBBX36 b34/H5LuM4RTPXKnIcqn2BEcttMrDkiQx/v36L7JAEsPXGVUubbMbbmD8ucCnDOWvs8s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Tue, 12 Mar 2024 17:14:05 +0000 commit 908cbd1893e80eb52b92b2c70c2bfd9ffdf6f77b Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:52 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit fb5b6f6744713410c74cfc12b7176c108e3c9a31) --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/include/asm/cpufeature.h | 3 + xen/arch/x86/include/asm/msr-index.h | 2 + xen/arch/x86/spec_ctrl.c | 100 ++++++++++++++++++++++++++-- xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 111 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index 7370f1b56e..52e451a806 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -172,7 +172,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -245,7 +245,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index c7c5e99b7b..12e621b97d 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -451,6 +451,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -500,6 +501,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index 76ef2aeb1d..3c57f55de0 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -181,6 +181,7 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_avx512_fp16 boot_cpu_has(X86_FEATURE_AVX512_FP16) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) @@ -208,6 +209,8 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h index 82a81bd0a2..85ef28a612 100644 --- a/xen/arch/x86/include/asm/msr-index.h +++ b/xen/arch/x86/include/asm/msr-index.h @@ -89,6 +89,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index a4afcd8570..8165379fed 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -12,6 +12,7 @@ #include #include +#include #include #include #include @@ -435,7 +436,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -451,6 +452,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -461,7 +463,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -479,6 +481,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1347,6 +1350,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case INTEL_FAM6_ALDERLAKE: + case INTEL_FAM6_RAPTORLAKE: + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + fallthrough; + case INTEL_FAM6_ALDERLAKE_L: + case INTEL_FAM6_RAPTORLAKE_P: + case INTEL_FAM6_RAPTORLAKE_S: + + case INTEL_FAM6_ATOM_GOLDMONT: /* Apollo Lake */ + case INTEL_FAM6_ATOM_GOLDMONT_D: /* Denverton */ + case INTEL_FAM6_ATOM_GOLDMONT_PLUS: /* Gemini Lake */ + case INTEL_FAM6_ATOM_TREMONT_D: /* Snow Ridge / Parker Ridge */ + case INTEL_FAM6_ATOM_TREMONT: /* Elkhart Lake */ + case INTEL_FAM6_ATOM_TREMONT_L: /* Jasper Lake */ + case INTEL_FAM6_ATOM_GRACEMONT: /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1860,6 +1940,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1889,8 +1970,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1922,15 +2007,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1944,7 +2033,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 337aaa9c77..8e17ef670f 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -266,6 +266,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(AVX512_FP16, 9*32+23) /*A AVX512 FP16 instructions */ @@ -338,6 +339,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:14:17 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:14:17 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692010.1078752 (Exim 4.92) (envelope-from ) id 1rk5hh-0000AV-55; Tue, 12 Mar 2024 17:14:17 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692010.1078752; Tue, 12 Mar 2024 17:14:17 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hh-0000AN-2W; Tue, 12 Mar 2024 17:14:17 +0000 Received: by outflank-mailman (input) for mailman id 692010; Tue, 12 Mar 2024 17:14:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hf-00009t-Rw for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hf-0007MJ-RB for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:15 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5hf-0003hV-QW for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:15 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9HNzRWMza0vjf1o2zIvvkJXtmpTtBnBZOB16Lz+0jDg=; b=KIEfwZ+4qGyU5FyLd2voUBpiA/ RL7zcmPAJPlejMiWNEF09P3WjWokbABxgqsdbrjDU0thqZVGbAwQHMTByvXOgWGBtp23sgaPDH4Mq bltytZdIs/at44qzhIQPLdQxTchBJNbz5XTRnHZHj1ucH+ZtusMuh9Fsg/ykMkWzsP+g=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Tue, 12 Mar 2024 17:14:15 +0000 commit bdda600406e5f5c35bcb17b2f9458e2138d7ad46 Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:52 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit c4f427ec879e7c0df6d44d02561e8bee838a293e) --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 8b9618609f..8bc5f4249d 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -91,8 +91,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 16979a117c..d857298011 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:14:27 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:14:27 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692011.1078757 (Exim 4.92) (envelope-from ) id 1rk5hr-0000Er-85; Tue, 12 Mar 2024 17:14:27 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692011.1078757; Tue, 12 Mar 2024 17:14:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hr-0000Ej-5G; Tue, 12 Mar 2024 17:14:27 +0000 Received: by outflank-mailman (input) for mailman id 692011; Tue, 12 Mar 2024 17:14:26 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hp-0000EK-Uw for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5hp-0007Mc-UB for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5hp-0003r1-Tc for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:25 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7BoVfJjK44EwNfTprMlc5kc7GXQHtPocprbm/zurFFM=; b=hmz6LA1mIhXYj4RdWKKLn9BZqW BL9Empp2Cu7d+Q1PJ70EdeTiacwUWh3GkNzWGwUWaQ6MDyt6NdxAHhfaQb17bVxHunZYRIlRNKS2v 3CvdacWOEwbdBRSQzW8fbmd0PeSIWO92odLs8pHqD3gWLvO8uA0q9ggiHA8sTtUPZeqw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:14:25 +0000 commit 1932973ac9a8c28197ebb24749c73c18cf23f5f1 Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:58:56 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 7ef0084418e188d05f338c3e028fbbe8b6924afa) --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/include/asm/cpufeatures.h | 2 +- xen/arch/x86/include/asm/nospec.h | 26 ++++++++++++++++++++++++ xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++--- xen/common/Kconfig | 17 ++++++++++++++++ xen/include/xen/nospec.h | 15 ++++++++++++++ xen/include/xen/spinlock.h | 37 ++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index fbf1683924..3f9f916718 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2373,7 +2373,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2500,6 +2500,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h index c3aad21c3b..7e8221fd85 100644 --- a/xen/arch/x86/include/asm/cpufeatures.h +++ b/xen/arch/x86/include/asm/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_NO_BRANCH_HARDEN, X86_SYNTH(15)) /* (Disable) Conditional branch hardening */ diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h index 7150e76b87..0725839e19 100644 --- a/xen/arch/x86/include/asm/nospec.h +++ b/xen/arch/x86/include/asm/nospec.h @@ -38,6 +38,32 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 8165379fed..5dfc4ed69e 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -53,6 +53,7 @@ int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; static bool __initdata opt_branch_harden = IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH); +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -121,6 +122,7 @@ static int __init cf_check parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -286,6 +288,16 @@ static int __init cf_check parse_spec_ctrl(const char *s) rc = -EINVAL; } } + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -488,7 +500,8 @@ static void __init print_details(enum ind_thunk thunk) if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || - IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" @@ -504,11 +517,14 @@ static void __init print_details(enum ind_thunk thunk) #endif #ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS " HARDEN_GUEST_ACCESS" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk != THUNK_NONE ? "BTI-Thunk: " : "", thunk == THUNK_NONE ? "" : thunk == THUNK_RETPOLINE ? "RETPOLINE, " : @@ -535,7 +551,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1918,6 +1935,9 @@ void __init init_speculation_mitigations(void) if ( !opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_NO_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 4d6fe05164..3361a6d892 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -188,6 +188,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config DIT_DEFAULT diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4552846403 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -70,6 +70,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index e7a1c1aa89..28fce5615e 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include @@ -195,13 +196,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -209,7 +227,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -230,8 +248,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:14:37 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:14:37 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692012.1078761 (Exim 4.92) (envelope-from ) id 1rk5i1-0000HN-9g; Tue, 12 Mar 2024 17:14:37 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692012.1078761; Tue, 12 Mar 2024 17:14:37 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5i1-0000HE-6x; Tue, 12 Mar 2024 17:14:37 +0000 Received: by outflank-mailman (input) for mailman id 692012; Tue, 12 Mar 2024 17:14:36 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5i0-0000H4-1Q for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:36 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5i0-0007My-0g for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:36 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5i0-0003x3-00 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:36 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+of+572lEdMVSihiH6KbJu5X4D9loQyZ3RHK4VuXOB4=; b=xxQi3/vpS5rUnbypvrxqJyMJvp ViRlLT76qiBFEZSrBhweH+SfgaCm5FjliuVFdHpUa0oNInDV4V7uNGL1Ns7nk2gp0lBdGMgSh1Idr oB/TuWOGZN1FGO7waLAbqV2OIUGzBPPyCbkU/VMtmt8Intv7eaz8CzY3iTLFOGI5gCzA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:14:36 +0000 commit e7f0f11c888757e62940ded87b4ab5ebc992764f Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:58:58 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit a1fb15f61692b1fa9945fc51f55471ace49cdd59) --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 18224a4bb5..290602936d 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -66,8 +69,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index e0d2b41c5c..9a0d3ec238 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -259,27 +259,49 @@ static inline int _rw_is_write_locked(const rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:14:47 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:14:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692013.1078765 (Exim 4.92) (envelope-from ) id 1rk5iB-0000Ke-B9; Tue, 12 Mar 2024 17:14:47 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692013.1078765; Tue, 12 Mar 2024 17:14:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iB-0000KW-8U; Tue, 12 Mar 2024 17:14:47 +0000 Received: by outflank-mailman (input) for mailman id 692013; Tue, 12 Mar 2024 17:14:46 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iA-0000KO-4D for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:46 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iA-0007N7-3V for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:46 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5iA-000413-2n for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:46 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XsU4PCfnH6T/VGCWAjxv6zScn0jm+Y2H7x5soseJyHQ=; b=y6P0WrxlAvJ7bKIt53U0U/I1pZ VI6JJT7d7vyx+/Vkdzta0vbPgYThshGuF1PnidmchIwDgwtlGZ+PXwJ6yG1knYgyOBxJr8KvsE91P 8RMF+YMdbO23nOgZlwxzm0liNhxdjNtagf6kcYOO+wzhuyxRHL+qQrAwg1W17laMg/mE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:14:46 +0000 commit 5a13c81542a163718d7cb9b150b0282b7855efde Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:58:58 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit f218daf6d3a3b847736d37c6a6b76031a0d08441) --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 290602936d..f5a249bcc2 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -129,8 +129,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 9a0d3ec238..9e35ee2edf 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -338,8 +338,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -374,6 +374,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -430,8 +432,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:14:57 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:14:57 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692014.1078768 (Exim 4.92) (envelope-from ) id 1rk5iL-0000N8-Cb; Tue, 12 Mar 2024 17:14:57 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692014.1078768; Tue, 12 Mar 2024 17:14:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iL-0000N0-9y; Tue, 12 Mar 2024 17:14:57 +0000 Received: by outflank-mailman (input) for mailman id 692014; Tue, 12 Mar 2024 17:14:56 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iK-0000Mq-7d for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:56 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iK-0007NK-6v for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:56 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5iK-00042c-6F for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:14:56 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iuTAGhJT5DirXMZVF7/cHrD+hJL1HAII68JF+iE4SpU=; b=X3H+gn2i6PQ+71DTCfAp0afGtr wR7uJETuUh+yhD8g7D6ZxAKrCqn8Ev9J08IlfoQKs1YxR1fl/62JwFA60idBewm82R3ZfWkGfbcFs g0jxnShRSRBMqQ3bPlhJsWYk1bIo0A2EiN7M5/J4xauYentjUwQddaLqYUTiktmr2uo0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Tue, 12 Mar 2024 17:14:56 +0000 commit 9de8a52b0e09a2491736abbd4a865a06ac2ced7a Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:00:26 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 197ecd838a2aaf959a469df3696d4559c4f8b762) --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/include/asm/irq.h | 1 + xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 5 +++-- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 40 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index 8f53e88d67..e1d6845a28 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -150,7 +150,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -169,9 +169,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h index a87af47ece..465ab39bb0 100644 --- a/xen/arch/x86/include/asm/irq.h +++ b/xen/arch/x86/include/asm/irq.h @@ -174,6 +174,7 @@ void cf_check irq_complete_move(struct irq_desc *desc); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 5a3f96fbaa..5ec080c02f 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -74,8 +74,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -125,8 +125,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == get_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -137,6 +137,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -150,8 +152,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -166,15 +168,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -309,7 +311,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index 9969eb45fa..9be67b63ce 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -24,7 +24,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index a7a004a084..66f924a7b0 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -45,7 +45,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -351,7 +351,8 @@ int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc, evtchn_port_t port) return rc; } -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 89b7811c51..934924cbda 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -403,7 +403,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -413,7 +413,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -450,7 +450,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 901782bbb4..34ad39b9ad 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index c516976c37..3b97f15767 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -207,8 +207,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -220,10 +236,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 0fddfa7487..38eb5fd20d 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -239,7 +239,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool_t timer_lock(struct timer *timer) +static inline bool_t timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -253,7 +253,8 @@ static inline bool_t timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -266,8 +267,9 @@ static inline bool_t timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool_t __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index e99837b6e1..2a1e7ee89a 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index 8e509e0784..f1472ea1eb 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -114,12 +114,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index 251b8761a8..a71bed36be 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -155,8 +155,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:15:07 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:15:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692015.1078772 (Exim 4.92) (envelope-from ) id 1rk5iV-0000Q4-Fa; Tue, 12 Mar 2024 17:15:07 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692015.1078772; Tue, 12 Mar 2024 17:15:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iV-0000Px-D8; Tue, 12 Mar 2024 17:15:07 +0000 Received: by outflank-mailman (input) for mailman id 692015; Tue, 12 Mar 2024 17:15:06 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iU-0000Pn-Ai for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:06 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iU-0007O7-9w for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:06 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5iU-0004Ap-9M for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:06 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2tULgcmWDyED85eoFTVExCLGN+viq81oInXm3QcCTfQ=; b=rz8K2k1iX3FrZXfQq0IKv9KGV+ TrlP3+tIPtyQnZ/vLAAXbMDGOlrPSJQnemzBHJc3IjwN4LGm8mBg4ex1n9H6UDXcBdKsUPJ34TBx0 LB773IMk2JRUh1YTUX56SQZ93YTBwyCkHySbc3tkLA5JB6lrVHNeRhXey7T97BfhoH6s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Tue, 12 Mar 2024 17:15:06 +0000 commit e107a8ece71ec4e1bb0092d5beea6cb16a96f7ae Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:00:27 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 42a572a38e22a97d86a4b648a22597628d5b42e4) --- xen/arch/x86/include/asm/mm.h | 4 +++- xen/arch/x86/mm.c | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h index 05dfe35502..d1b1fee99b 100644 --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -399,7 +399,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index ab0acbfea6..000fd0fb55 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2017,7 +2017,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2078,7 +2078,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2087,6 +2087,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:15:17 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:15:17 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692016.1078777 (Exim 4.92) (envelope-from ) id 1rk5if-0000Sj-Hb; Tue, 12 Mar 2024 17:15:17 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692016.1078777; Tue, 12 Mar 2024 17:15:17 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5if-0000Sc-Ee; Tue, 12 Mar 2024 17:15:17 +0000 Received: by outflank-mailman (input) for mailman id 692016; Tue, 12 Mar 2024 17:15:16 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ie-0000SP-Do for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:16 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ie-0007OG-D5 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:16 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5ie-0004Bl-CP for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:16 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fCWe6S8NrvET3x57ujlsqUK+jDmNic/+TPaqAolbTJg=; b=sNU5oXJQcoJtAl4atMAu6bUrXv 97JmEmsBuGD95+f3AkI56N8FYRDkgsqceo9cmkNtx9Dss85PNPfvIroRt+m1QzMV2/vKrN4qEDYF0 O+vQ5QxEN08HldubaCHEsDc0IVAHxd/Icnsuhg+N9rMNmRRQYlF39yq4/IJettVKg1cM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86: protect conditional lock taking from speculative execution Message-Id: Date: Tue, 12 Mar 2024 17:15:16 +0000 commit 4da8ca9cb9cfdb92c9dd09d5270ae16a3b2dbc89 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:00:27 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 03cf7ca23e0e876075954c558485b267b7d02406) --- xen/arch/x86/mm.c | 35 +++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 32 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 000fd0fb55..45bfbc2522 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5007,8 +5007,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; UNMAP_DOMAIN_PAGE(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_mfn(l3mfn, __PAGE_HYPERVISOR); @@ -5045,8 +5044,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_mfn(l2mfn, __PAGE_HYPERVISOR)); @@ -5084,8 +5082,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_mfn(l1mfn, __PAGE_HYPERVISOR)); @@ -5116,6 +5113,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5331,8 +5330,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5436,8 +5434,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5478,8 +5475,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5533,8 +5529,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5678,8 +5673,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l3e_get_flags(*pl3e))); UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5738,8 +5732,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_get_flags(*pl2e) & ~_PAGE_PSE)); UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5783,8 +5776,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5831,8 +5823,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 5ec080c02f..b4960fb90e 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -335,6 +335,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 0983bd71d9..22ab1d606e 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -280,9 +280,8 @@ mfn_t p2m_get_gfn_type_access(struct p2m_domain *p2m, gfn_t gfn, if ( q & P2M_UNSHARE ) q |= P2M_ALLOC; - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 28fce5615e..c830df3430 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -222,6 +222,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:15:27 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:15:27 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692017.1078780 (Exim 4.92) (envelope-from ) id 1rk5ip-0000WH-J8; Tue, 12 Mar 2024 17:15:27 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692017.1078780; Tue, 12 Mar 2024 17:15:27 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ip-0000WB-GW; Tue, 12 Mar 2024 17:15:27 +0000 Received: by outflank-mailman (input) for mailman id 692017; Tue, 12 Mar 2024 17:15:26 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5io-0000Vx-UC for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:26 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5io-0007ON-TU for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:26 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5io-0004Ns-Sq for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:26 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=HDM3vzOT7BntznMFRlX0hFmC8p8Y+h02zK8+5a3Ulog=; b=ebjpZm+WvOQfwaJDR1dWYnHR2/ Mvt0cDCbZtMGaAeBrgiuTq2NImnX2Kj1uFdzMhEu5vay0p1fXi/XE0Zqh8eCi0OusaqI3jnyAYxu0 AfgqUPpOtlGCl3qe3m09K+5ZczlN9Koshv1FGWoxAgiSUehqj+VUqmYl+N2DS/waZ9/Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/entry: Introduce EFRAME_* constants Message-Id: Date: Tue, 12 Mar 2024 17:15:26 +0000 commit e691f99f17198906f813b85dcabafe5addb9a57a Author: Andrew Cooper AuthorDate: Sat Jan 27 17:52:09 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/entry: Introduce EFRAME_* constants restore_all_guest() does a lot of manipulation of the stack after popping the GPRs, and uses raw %rsp displacements to do so. Also, almost all entrypaths use raw %rsp displacements prior to pushing GPRs. Provide better mnemonics, to aid readability and reduce the chance of errors when editing. No functional change. The resulting binary is identical. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 37541208f119a9c552c6c6c3246ea61be0d44035) --- xen/arch/x86/x86_64/asm-offsets.c | 17 +++++++++ xen/arch/x86/x86_64/compat/entry.S | 2 +- xen/arch/x86/x86_64/entry.S | 70 +++++++++++++++++++------------------- 3 files changed, 53 insertions(+), 36 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 287dac101a..31fa63b77f 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -51,6 +51,23 @@ void __dummy__(void) OFFSET(UREGS_kernel_sizeof, struct cpu_user_regs, es); BLANK(); + /* + * EFRAME_* is for the entry/exit logic where %rsp is pointing at + * UREGS_error_code and GPRs are still/already guest values. + */ +#define OFFSET_EF(sym, mem) \ + DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ + offsetof(struct cpu_user_regs, error_code)) + + OFFSET_EF(EFRAME_entry_vector, entry_vector); + OFFSET_EF(EFRAME_rip, rip); + OFFSET_EF(EFRAME_cs, cs); + OFFSET_EF(EFRAME_eflags, eflags); + OFFSET_EF(EFRAME_rsp, rsp); + BLANK(); + +#undef OFFSET_EF + OFFSET(VCPU_processor, struct vcpu, processor); OFFSET(VCPU_domain, struct vcpu, domain); OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 253bb1688c..7c211314d8 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -15,7 +15,7 @@ ENTRY(entry_int82) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $HYPERCALL_VECTOR, 4(%rsp) + movl $HYPERCALL_VECTOR, EFRAME_entry_vector(%rsp) SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 585b0c9551..412cbeb3ec 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -190,15 +190,15 @@ restore_all_guest: SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL - testw $TRAP_syscall,4(%rsp) + testw $TRAP_syscall, EFRAME_entry_vector(%rsp) jz iret_exit_to_guest - movq 24(%rsp),%r11 # RFLAGS + mov EFRAME_eflags(%rsp), %r11 andq $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), %r11 orq $X86_EFLAGS_IF,%r11 /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx + mov EFRAME_rip(%rsp), %rcx sarq $47,%rcx incl %ecx cmpl $1,%ecx @@ -213,20 +213,20 @@ restore_all_guest: ALTERNATIVE "", rag_clrssbsy, X86_FEATURE_XEN_SHSTK #endif - movq 8(%rsp), %rcx # RIP - cmpw $FLAT_USER_CS32,16(%rsp)# CS - movq 32(%rsp),%rsp # RSP + mov EFRAME_rip(%rsp), %rcx + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) + mov EFRAME_rsp(%rsp), %rsp je 1f sysretq 1: sysretl ALIGN .Lrestore_rcx_iret_exit_to_guest: - movq 8(%rsp), %rcx # RIP + mov EFRAME_rip(%rsp), %rcx /* No special register assumptions. */ iret_exit_to_guest: - andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), 24(%rsp) - orl $X86_EFLAGS_IF,24(%rsp) + andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) + orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -257,7 +257,7 @@ ENTRY(lstar_enter) pushq $FLAT_KERNEL_CS64 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -294,7 +294,7 @@ ENTRY(cstar_enter) pushq $FLAT_USER_CS32 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -335,7 +335,7 @@ GLOBAL(sysenter_eflags_saved) pushq $3 /* ring 3 null cs */ pushq $0 /* null rip */ pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -389,7 +389,7 @@ ENTRY(int80_direct_trap) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $0x80, 4(%rsp) + movl $0x80, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -649,7 +649,7 @@ ret_from_intr: .section .init.text, "ax", @progbits ENTRY(early_page_fault) ENDBR64 - movl $TRAP_page_fault, 4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) SAVE_ALL movq %rsp, %rdi call do_early_page_fault @@ -716,7 +716,7 @@ ENTRY(common_interrupt) ENTRY(page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) /* No special register assumptions. */ GLOBAL(handle_exception) ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP @@ -892,90 +892,90 @@ FATAL_exception_with_ints_disabled: ENTRY(divide_error) ENDBR64 pushq $0 - movl $TRAP_divide_error,4(%rsp) + movl $TRAP_divide_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_copro_error,4(%rsp) + movl $TRAP_copro_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(simd_coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_simd_error,4(%rsp) + movl $TRAP_simd_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(device_not_available) ENDBR64 pushq $0 - movl $TRAP_no_device,4(%rsp) + movl $TRAP_no_device, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(debug) ENDBR64 pushq $0 - movl $TRAP_debug,4(%rsp) + movl $TRAP_debug, EFRAME_entry_vector(%rsp) jmp handle_ist_exception ENTRY(int3) ENDBR64 pushq $0 - movl $TRAP_int3,4(%rsp) + movl $TRAP_int3, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(overflow) ENDBR64 pushq $0 - movl $TRAP_overflow,4(%rsp) + movl $TRAP_overflow, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(bounds) ENDBR64 pushq $0 - movl $TRAP_bounds,4(%rsp) + movl $TRAP_bounds, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_op) ENDBR64 pushq $0 - movl $TRAP_invalid_op,4(%rsp) + movl $TRAP_invalid_op, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_TSS) ENDBR64 - movl $TRAP_invalid_tss,4(%rsp) + movl $TRAP_invalid_tss, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(segment_not_present) ENDBR64 - movl $TRAP_no_segment,4(%rsp) + movl $TRAP_no_segment, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(stack_segment) ENDBR64 - movl $TRAP_stack_error,4(%rsp) + movl $TRAP_stack_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(general_protection) ENDBR64 - movl $TRAP_gp_fault,4(%rsp) + movl $TRAP_gp_fault, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(alignment_check) ENDBR64 - movl $TRAP_alignment_check,4(%rsp) + movl $TRAP_alignment_check, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_CP) ENDBR64 - movl $X86_EXC_CP, 4(%rsp) + movl $X86_EXC_CP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(double_fault) ENDBR64 - movl $TRAP_double_fault,4(%rsp) + movl $TRAP_double_fault, EFRAME_entry_vector(%rsp) /* Set AC to reduce chance of further SMAP faults */ ALTERNATIVE "", stac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1001,7 +1001,7 @@ ENTRY(double_fault) ENTRY(nmi) ENDBR64 pushq $0 - movl $TRAP_nmi,4(%rsp) + movl $TRAP_nmi, EFRAME_entry_vector(%rsp) handle_ist_exception: ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1134,7 +1134,7 @@ handle_ist_exception: ENTRY(machine_check) ENDBR64 pushq $0 - movl $TRAP_machine_check,4(%rsp) + movl $TRAP_machine_check, EFRAME_entry_vector(%rsp) jmp handle_ist_exception /* No op trap handler. Required for kexec crash path. */ @@ -1171,7 +1171,7 @@ autogen_stubs: /* Automatically generated stubs. */ 1: ENDBR64 pushq $0 - movb $vec,4(%rsp) + movb $vec, EFRAME_entry_vector(%rsp) jmp common_interrupt entrypoint 1b @@ -1185,7 +1185,7 @@ autogen_stubs: /* Automatically generated stubs. */ test $8,%spl /* 64bit exception frames are 16 byte aligned, but the word */ jz 2f /* size is 8 bytes. Check whether the processor gave us an */ pushq $0 /* error code, and insert an empty one if not. */ -2: movb $vec,4(%rsp) +2: movb $vec, EFRAME_entry_vector(%rsp) jmp handle_exception entrypoint 1b -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:15:37 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:15:37 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692018.1078785 (Exim 4.92) (envelope-from ) id 1rk5iz-0000ZN-Kh; Tue, 12 Mar 2024 17:15:37 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692018.1078785; Tue, 12 Mar 2024 17:15:37 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iz-0000ZF-I4; Tue, 12 Mar 2024 17:15:37 +0000 Received: by outflank-mailman (input) for mailman id 692018; Tue, 12 Mar 2024 17:15:37 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iz-0000Z5-0Y for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:37 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5iy-0007Oc-WA for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:36 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5iy-0004OP-Vb for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:36 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=xSnnWNpDCpe8curjkqwRszblykolWCcmQGmZI3GgwNA=; b=G5xTF1IVSM0AND0D9iUQKOWPD9 V0Ww3evIXdyo4qqeaBZB6F6ZOhV0Ree2yNGlC2z+UdCSmRGOFde56G7uHFMYvRgaDrZRSEJJicyNU ovXrKnPw0M70sho+mBbFwG8znv+1BlLXB1zWdz8TCCW6CNwpgtHimEvOnWj03Tafpx4Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86: Resync intel-family.h from Linux Message-Id: Date: Tue, 12 Mar 2024 17:15:36 +0000 commit abc43cf5a6579f1aa0decf0a2349cdd2d2473117 Author: Andrew Cooper AuthorDate: Tue Feb 27 16:07:39 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86: Resync intel-family.h from Linux From v6.8-rc6 Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 195e75371b13c4f7ecdf7b5c50aed0d02f2d7ce8) --- xen/arch/x86/include/asm/intel-family.h | 38 +++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/include/asm/intel-family.h b/xen/arch/x86/include/asm/intel-family.h index ffc49151be..b65e9c46b9 100644 --- a/xen/arch/x86/include/asm/intel-family.h +++ b/xen/arch/x86/include/asm/intel-family.h @@ -26,6 +26,9 @@ * _G - parts with extra graphics on * _X - regular server parts * _D - micro server parts + * _N,_P - other mobile parts + * _H - premium mobile parts + * _S - other client parts * * Historical OPTDIFFs: * @@ -37,6 +40,9 @@ * their own names :-( */ +/* Wildcard match for FAM6 so X86_MATCH_INTEL_FAM6_MODEL(ANY) works */ +#define INTEL_FAM6_ANY X86_MODEL_ANY + #define INTEL_FAM6_CORE_YONAH 0x0E #define INTEL_FAM6_CORE2_MEROM 0x0F @@ -93,8 +99,6 @@ #define INTEL_FAM6_ICELAKE_L 0x7E /* Sunny Cove */ #define INTEL_FAM6_ICELAKE_NNPI 0x9D /* Sunny Cove */ -#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */ - #define INTEL_FAM6_ROCKETLAKE 0xA7 /* Cypress Cove */ #define INTEL_FAM6_TIGERLAKE_L 0x8C /* Willow Cove */ @@ -102,12 +106,31 @@ #define INTEL_FAM6_SAPPHIRERAPIDS_X 0x8F /* Golden Cove */ +#define INTEL_FAM6_EMERALDRAPIDS_X 0xCF + +#define INTEL_FAM6_GRANITERAPIDS_X 0xAD +#define INTEL_FAM6_GRANITERAPIDS_D 0xAE + +/* "Hybrid" Processors (P-Core/E-Core) */ + +#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */ + #define INTEL_FAM6_ALDERLAKE 0x97 /* Golden Cove / Gracemont */ #define INTEL_FAM6_ALDERLAKE_L 0x9A /* Golden Cove / Gracemont */ -#define INTEL_FAM6_RAPTORLAKE 0xB7 +#define INTEL_FAM6_RAPTORLAKE 0xB7 /* Raptor Cove / Enhanced Gracemont */ +#define INTEL_FAM6_RAPTORLAKE_P 0xBA +#define INTEL_FAM6_RAPTORLAKE_S 0xBF + +#define INTEL_FAM6_METEORLAKE 0xAC +#define INTEL_FAM6_METEORLAKE_L 0xAA + +#define INTEL_FAM6_ARROWLAKE_H 0xC5 +#define INTEL_FAM6_ARROWLAKE 0xC6 + +#define INTEL_FAM6_LUNARLAKE_M 0xBD -/* "Small Core" Processors (Atom) */ +/* "Small Core" Processors (Atom/E-Core) */ #define INTEL_FAM6_ATOM_BONNELL 0x1C /* Diamondville, Pineview */ #define INTEL_FAM6_ATOM_BONNELL_MID 0x26 /* Silverthorne, Lincroft */ @@ -134,6 +157,13 @@ #define INTEL_FAM6_ATOM_TREMONT 0x96 /* Elkhart Lake */ #define INTEL_FAM6_ATOM_TREMONT_L 0x9C /* Jasper Lake */ +#define INTEL_FAM6_ATOM_GRACEMONT 0xBE /* Alderlake N */ + +#define INTEL_FAM6_ATOM_CRESTMONT_X 0xAF /* Sierra Forest */ +#define INTEL_FAM6_ATOM_CRESTMONT 0xB6 /* Grand Ridge */ + +#define INTEL_FAM6_ATOM_DARKMONT_X 0xDD /* Clearwater Forest */ + /* Xeon Phi */ #define INTEL_FAM6_XEON_PHI_KNL 0x57 /* Knights Landing */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:15:47 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:15:47 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692019.1078789 (Exim 4.92) (envelope-from ) id 1rk5j9-0000cl-Nn; Tue, 12 Mar 2024 17:15:47 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692019.1078789; Tue, 12 Mar 2024 17:15:47 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5j9-0000ce-L8; Tue, 12 Mar 2024 17:15:47 +0000 Received: by outflank-mailman (input) for mailman id 692019; Tue, 12 Mar 2024 17:15:47 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5j9-0000cV-3Z for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:47 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5j9-0007Ok-2m for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:47 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5j9-0004XM-24 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:47 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+yKX9jCbkE20kUNjHnaERfWT8fI94GILEk2ZysUZZAo=; b=dUF6dv6raVqoykCjSZioJvYAnM gK8fFSieCSX38EpuGGV+2f5tRVFs/xi7VDjJSpD5ICxUwbdI/ybKzki45xyf4p8o5oonsOpG61i1E TqUqlrdZ5q3uAAu+FRNQupQJovF/jbACa5tbfMU09c6iNxj7Q6CMH3C12gQGJ+DlHO8Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Tue, 12 Mar 2024 17:15:47 +0000 commit 77f2bec134049aba29b9b459f955022722d10847 Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f) --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++---- xen/arch/x86/include/asm/asm_defns.h | 8 +++++++ xen/arch/x86/include/asm/spec_ctrl_asm.h | 7 +++++++ xen/arch/x86/x86_64/asm-offsets.c | 1 + 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index 5f5de45a13..cdde76e138 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h index d9431180cf..abc6822b08 100644 --- a/xen/arch/x86/include/asm/asm_defns.h +++ b/xen/arch/x86/include/asm/asm_defns.h @@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ +.macro BUILD_BUG_ON condstr, cond:vararg + .if \cond + .error "Condition \"\condstr\" not satisfied" + .endif +.endm +/* preprocessor macro to make error message more user friendly */ +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond + #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ .ifndef .L.tag; \ diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index f4b8b9d956..ca9cb0f5dd 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -164,6 +164,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 31fa63b77f..a4e94d6930 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -135,6 +135,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:15:57 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:15:57 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692020.1078792 (Exim 4.92) (envelope-from ) id 1rk5jJ-0000fy-PH; Tue, 12 Mar 2024 17:15:57 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692020.1078792; Tue, 12 Mar 2024 17:15:57 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jJ-0000fq-Mo; Tue, 12 Mar 2024 17:15:57 +0000 Received: by outflank-mailman (input) for mailman id 692020; Tue, 12 Mar 2024 17:15:57 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jJ-0000fc-6L for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:57 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jJ-0007Oo-5d for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:57 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5jJ-0004Zi-53 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:15:57 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Hx8s4ltFma/CIueglR+LtbWIhc0S0NLIy0MWtlco0d4=; b=P5EbRqLxmQ2EfwfLhDYy4PXgQ2 ++rdY0tAypCdjV7BiJphvCasVAqk/lYBREGOtov6C2kSI9qypuTJkxidBl0oGEqwfDtCdjcwJDb58 SS5UZU1NSWH6RZJ72SjEXCOrL1/cv5xMZ81TVmb3JZkjXTmMLdCfwNaIA0eI0ixPHZcs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Tue, 12 Mar 2024 17:15:57 +0000 commit 76af773de5d3e68b7140cc9c5343be6746c9101c Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7) --- xen/arch/x86/include/asm/spec_ctrl_asm.h | 36 +++++++++++++++++++++----------- xen/arch/x86/x86_64/asm-offsets.c | 13 ++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index ca9cb0f5dd..97a97b2b82 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -171,16 +171,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -298,8 +305,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -379,7 +384,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -407,11 +412,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index a4e94d6930..4cd5938d7b 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -136,6 +144,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 7c211314d8..3b2fbcd873 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -161,6 +161,12 @@ ENTRY(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8 compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 412cbeb3ec..ef517e2945 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -214,6 +214,9 @@ restore_all_guest: #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -227,6 +230,9 @@ restore_all_guest: iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -679,9 +685,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq ENTRY(common_interrupt) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:16:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:16:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692021.1078797 (Exim 4.92) (envelope-from ) id 1rk5jU-0000il-RB; Tue, 12 Mar 2024 17:16:08 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692021.1078797; Tue, 12 Mar 2024 17:16:08 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jU-0000ib-OI; Tue, 12 Mar 2024 17:16:08 +0000 Received: by outflank-mailman (input) for mailman id 692021; Tue, 12 Mar 2024 17:16:07 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jT-0000iS-9y for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:07 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jT-0007PQ-8U for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:07 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5jT-0004in-7x for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:07 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=/Y3F6Wf1bwhT86YFBNoU7mOlCRY1Mwl2OjZtxTaoAYA=; b=2r6I260zEliFsRaZC86gHABCqS d8r2+Zt2MmSOunkWJ2BMQdFQSNffkrSBwX1QInWPiLTLPfWkZ63+Pf7fMUpQSaKN2955sgdjxR4hz WJefOzp1Rmddw5dhBU6maGFUHo1oXYkLeWIcGrPmQR1D+JSRGJ9RvpwJf+Wa9mOcv3ZE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Tue, 12 Mar 2024 17:16:07 +0000 commit d55d52961d13d4fcd1441fcfca98f690e687b941 Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit f7603ca252e4226739eb3129a5290ee3da3f8ea4) --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 2006697226..d909ec94fe 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2324,7 +2324,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2349,7 +2349,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2366,11 +2366,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen and on idle. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 25a18ac598..e12ec9930c 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -37,8 +37,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static int8_t __initdata opt_rsb_pv = -1; static bool __initdata opt_rsb_hvm = true; -static int8_t __ro_after_init opt_md_clear_pv = -1; -static int8_t __ro_after_init opt_md_clear_hvm = -1; +static int8_t __ro_after_init opt_verw_pv = -1; +static int8_t __ro_after_init opt_verw_hvm = -1; static int8_t __ro_after_init opt_ibpb_entry_pv = -1; static int8_t __ro_after_init opt_ibpb_entry_hvm = -1; @@ -78,7 +78,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __ro_after_init opt_fb_clear_mmio; +static bool __ro_after_init opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -120,8 +120,8 @@ static int __init cf_check parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -152,14 +152,14 @@ static int __init cf_check parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -204,21 +204,22 @@ static int __init cf_check parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -540,8 +541,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -562,13 +563,13 @@ static void __init print_details(enum ind_thunk thunk) boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || amd_virt_spec_ctrl || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || amd_virt_spec_ctrl) ? " MSR_VIRT_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -577,11 +578,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1514,8 +1515,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1878,19 +1879,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1903,12 +1905,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:16:18 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:16:18 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692022.1078800 (Exim 4.92) (envelope-from ) id 1rk5je-0000ls-U6; Tue, 12 Mar 2024 17:16:18 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692022.1078800; Tue, 12 Mar 2024 17:16:18 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5je-0000lk-RM; Tue, 12 Mar 2024 17:16:18 +0000 Received: by outflank-mailman (input) for mailman id 692022; Tue, 12 Mar 2024 17:16:17 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jd-0000lU-C3 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:17 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jd-0007Pa-BL for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:17 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5jd-0004jW-Af for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:17 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jQ9Exp2uvaMcebwwXODr0iGbsX0yx+cn/4a/+f4wXIo=; b=4QnAUkQjt+eMQXevZqXKLvI3yq yFpFLFWse9acSKcNgM9OIqtbf8Mk2JZma8Ue+qQ/LHHQMXjWIrzk3XIrpRigb7so65vJV4jdZO/yq b7NLQxSRDU5HfceVwIpUmDufxdT/A9FV3z56n8G+x8Dp0O+haOAy5jIprplVlKwpy2x8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Tue, 12 Mar 2024 17:16:17 +0000 commit 6663430b442fdf9698bd8e03f701a4547309ad71 Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2) --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index e12ec9930c..adb6bc74e8 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1531,7 +1531,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1867,50 +1867,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:16:29 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:16:29 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692023.1078805 (Exim 4.92) (envelope-from ) id 1rk5jo-0000oe-Vq; Tue, 12 Mar 2024 17:16:28 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692023.1078805; Tue, 12 Mar 2024 17:16:28 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jo-0000oW-Sv; Tue, 12 Mar 2024 17:16:28 +0000 Received: by outflank-mailman (input) for mailman id 692023; Tue, 12 Mar 2024 17:16:27 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jn-0000oE-F7 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:27 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jn-0007Ph-EG for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:27 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5jn-0004sW-Dh for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:27 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5dbavsWYrtVJeaqMZBGPWJ5f37YtqfHCG7Kb7/RMec8=; b=Yw80g/xw0toRIIUlkp01nVGLux t+/GwsMFfJ1TBZLBzv9TXICrXXEPQIlGxbU+7BLUIU2UYvD0h/hnrKkGL5CaoA9/fQToB8rCx6E1y bn+IubXjv7wzhrNNvJVUXqsNVC6v+rwUFvsY9NLekqoBPi5urd4ANIStlhdlOdH4VZuM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Tue, 12 Mar 2024 17:16:27 +0000 commit d85481135d87abbbf1feab18b749288fa08b65f2 Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit fb5b6f6744713410c74cfc12b7176c108e3c9a31) --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/include/asm/cpufeature.h | 3 + xen/arch/x86/include/asm/msr-index.h | 2 + xen/arch/x86/spec_ctrl.c | 100 ++++++++++++++++++++++++++-- xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 111 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index aefc140d66..5ceea8be07 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -172,7 +172,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -237,7 +237,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 7b875a7221..96c2cee1a8 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -444,6 +444,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -493,6 +494,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index ec824e8954..a6b8af1296 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -140,6 +140,7 @@ #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_avx512_fp16 boot_cpu_has(X86_FEATURE_AVX512_FP16) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) @@ -161,6 +162,8 @@ #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h index 6abf7bc34a..9b5f67711f 100644 --- a/xen/arch/x86/include/asm/msr-index.h +++ b/xen/arch/x86/include/asm/msr-index.h @@ -88,6 +88,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index adb6bc74e8..1ee81e2dfe 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -24,6 +24,7 @@ #include #include +#include #include #include #include @@ -447,7 +448,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -463,6 +464,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -473,7 +475,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -491,6 +493,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1359,6 +1362,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case INTEL_FAM6_ALDERLAKE: + case INTEL_FAM6_RAPTORLAKE: + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + fallthrough; + case INTEL_FAM6_ALDERLAKE_L: + case INTEL_FAM6_RAPTORLAKE_P: + case INTEL_FAM6_RAPTORLAKE_S: + + case INTEL_FAM6_ATOM_GOLDMONT: /* Apollo Lake */ + case INTEL_FAM6_ATOM_GOLDMONT_D: /* Denverton */ + case INTEL_FAM6_ATOM_GOLDMONT_PLUS: /* Gemini Lake */ + case INTEL_FAM6_ATOM_TREMONT_D: /* Snow Ridge / Parker Ridge */ + case INTEL_FAM6_ATOM_TREMONT: /* Elkhart Lake */ + case INTEL_FAM6_ATOM_TREMONT_L: /* Jasper Lake */ + case INTEL_FAM6_ATOM_GRACEMONT: /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1872,6 +1952,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1901,8 +1982,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1934,15 +2019,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1956,7 +2045,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index aec1407613..113e6cadc1 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -264,6 +264,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(AVX512_FP16, 9*32+23) /* AVX512 FP16 instructions */ @@ -330,6 +331,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:16:39 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:16:39 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692024.1078809 (Exim 4.92) (envelope-from ) id 1rk5jz-0000rJ-0g; Tue, 12 Mar 2024 17:16:39 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692024.1078809; Tue, 12 Mar 2024 17:16:38 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jy-0000rB-UO; Tue, 12 Mar 2024 17:16:38 +0000 Received: by outflank-mailman (input) for mailman id 692024; Tue, 12 Mar 2024 17:16:37 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jx-0000r0-I7 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:37 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5jx-0007Pq-HM for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:37 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5jx-0004t1-Gj for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:37 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6c+pRpbr8ptlIJcxbHmaosO3mB9d3FMHLkHw/npzcn4=; b=Y2VrMHnbgdhsAYXF2PLzT8am84 zGnV1ZpvLdsAURt5rEEYTPwOUgAJ/NKDeDTJon6cgvTn9yzC4hCGNtwuX7V5biS8xOwpx4jA8nbHw sanaOfnCYJ03fzrIKoDjUoUdWW3BfzUbjYmk3r1GWyPL/VQ/U1Zp1j0F6NBWIgHKcqU0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/paging: Delete update_cr3()'s do_locking parameter Message-Id: Date: Tue, 12 Mar 2024 17:16:37 +0000 commit bf70ce8b3449c49eb828d5b1f4934a49b00fef35 Author: Andrew Cooper AuthorDate: Wed Sep 20 20:06:53 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/paging: Delete update_cr3()'s do_locking parameter Nicola reports that the XSA-438 fix introduced new MISRA violations because of some incidental tidying it tried to do. The parameter is useless, so resolve the MISRA regression by removing it. hap_update_cr3() discards the parameter entirely, while sh_update_cr3() uses it to distinguish internal and external callers and therefore whether the paging lock should be taken. However, we have paging_lock_recursive() for this purpose, which also avoids the ability for the shadow internal callers to accidentally not hold the lock. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Reported-by: Nicola Vetrini Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-acked-by: Henry Wang (cherry picked from commit e71157d1ac2a7fbf413130663cf0a93ff9fbcf7e) --- xen/arch/x86/include/asm/paging.h | 5 ++--- xen/arch/x86/mm/hap/hap.c | 5 ++--- xen/arch/x86/mm/shadow/common.c | 2 +- xen/arch/x86/mm/shadow/multi.c | 17 ++++++++--------- xen/arch/x86/mm/shadow/none.c | 3 +-- 5 files changed, 14 insertions(+), 18 deletions(-) diff --git a/xen/arch/x86/include/asm/paging.h b/xen/arch/x86/include/asm/paging.h index 94c590f31a..809ff35d9a 100644 --- a/xen/arch/x86/include/asm/paging.h +++ b/xen/arch/x86/include/asm/paging.h @@ -138,8 +138,7 @@ struct paging_mode { paddr_t ga, uint32_t *pfec, unsigned int *page_order); #endif - pagetable_t (*update_cr3 )(struct vcpu *v, bool do_locking, - bool noflush); + pagetable_t (*update_cr3 )(struct vcpu *v, bool noflush); void (*update_paging_modes )(struct vcpu *v); bool (*flush_tlb )(const unsigned long *vcpu_bitmap); @@ -312,7 +311,7 @@ static inline unsigned long paging_ga_to_gfn_cr3(struct vcpu *v, * as the value to load into the host CR3 to schedule this vcpu */ static inline pagetable_t paging_update_cr3(struct vcpu *v, bool noflush) { - return paging_get_hostmode(v)->update_cr3(v, 1, noflush); + return paging_get_hostmode(v)->update_cr3(v, noflush); } /* Update all the things that are derived from the guest's CR0/CR3/CR4. diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index 57a19c3d59..3ad39a7dd7 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -739,8 +739,7 @@ static bool cf_check hap_invlpg(struct vcpu *v, unsigned long linear) return 1; } -static pagetable_t cf_check hap_update_cr3( - struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t cf_check hap_update_cr3(struct vcpu *v, bool noflush) { v->arch.hvm.hw_cr[3] = v->arch.hvm.guest_cr[3]; hvm_update_guest_cr3(v, noflush); @@ -826,7 +825,7 @@ static void cf_check hap_update_paging_modes(struct vcpu *v) } /* CR3 is effectively updated by a mode change. Flush ASIDs, etc. */ - hap_update_cr3(v, 0, false); + hap_update_cr3(v, false); unlock: paging_unlock(d); diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index c0940f939e..18714dbd02 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -2579,7 +2579,7 @@ static void sh_update_paging_modes(struct vcpu *v) } #endif /* OOS */ - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); } void cf_check shadow_update_paging_modes(struct vcpu *v) diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index c92b354a78..e54a507b54 100644 --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -2506,7 +2506,7 @@ static int cf_check sh_page_fault( * In any case, in the PAE case, the ASSERT is not true; it can * happen because of actions the guest is taking. */ #if GUEST_PAGING_LEVELS == 3 - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); #else ASSERT(d->is_shutting_down); #endif @@ -3224,17 +3224,13 @@ static void cf_check sh_detach_old_tables(struct vcpu *v) } } -static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking, - bool noflush) +static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool noflush) /* Updates vcpu->arch.cr3 after the guest has changed CR3. * Paravirtual guests should set v->arch.guest_table (and guest_table_user, * if appropriate). * HVM guests should also make sure hvm_get_guest_cntl_reg(v, 3) works; * this function will call hvm_update_guest_cr(v, 3) to tell them where the * shadow tables are. - * If do_locking != 0, assume we are being called from outside the - * shadow code, and must take and release the paging lock; otherwise - * that is the caller's responsibility. */ { struct domain *d = v->domain; @@ -3252,7 +3248,11 @@ static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking, return old_entry; } - if ( do_locking ) paging_lock(v->domain); + /* + * This is used externally (with the paging lock not taken) and internally + * by the shadow code (with the lock already taken). + */ + paging_lock_recursive(v->domain); #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC) /* Need to resync all the shadow entries on a TLB flush. Resync @@ -3480,8 +3480,7 @@ static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking, shadow_sync_other_vcpus(v); #endif - /* Release the lock, if we took it (otherwise it's the caller's problem) */ - if ( do_locking ) paging_unlock(v->domain); + paging_unlock(v->domain); return old_entry; } diff --git a/xen/arch/x86/mm/shadow/none.c b/xen/arch/x86/mm/shadow/none.c index 743c0ffb85..7e4e386cd0 100644 --- a/xen/arch/x86/mm/shadow/none.c +++ b/xen/arch/x86/mm/shadow/none.c @@ -52,8 +52,7 @@ static unsigned long cf_check _gva_to_gfn( } #endif -static pagetable_t cf_check _update_cr3(struct vcpu *v, bool do_locking, - bool noflush) +static pagetable_t cf_check _update_cr3(struct vcpu *v, bool noflush) { ASSERT_UNREACHABLE(); return pagetable_null(); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:16:49 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:16:49 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692025.1078812 (Exim 4.92) (envelope-from ) id 1rk5k9-0000uq-3Y; Tue, 12 Mar 2024 17:16:49 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692025.1078812; Tue, 12 Mar 2024 17:16:49 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5k9-0000uj-0z; Tue, 12 Mar 2024 17:16:49 +0000 Received: by outflank-mailman (input) for mailman id 692025; Tue, 12 Mar 2024 17:16:47 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5k7-0000uF-Mh for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:47 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5k7-0007Ra-K7 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:47 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5k7-00052l-JR for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:47 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WLwb5yOXqfpO5Amq1mri9z/aOzYJv8tsjxuvKD3hM1A=; b=dKKu8jE9VUJkqnck0IAMQ/SeW8 HJcazTgR6JhaTScKonEjYXpVMti6ixysi3icAdjLSxtLsLVKv5dz19R9K5lHTF5HZfQ1mMGnoQYOI zeHB6fT045vfVbTspiq/rR29goQs0z0v3eglMKJr0Cnz7pX/9RsSs1cdu/q+a14zlhAY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Tue, 12 Mar 2024 17:16:47 +0000 commit 0a53565f1886201cc8a8afe9b2619ee297c20955 Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit c4f427ec879e7c0df6d44d02561e8bee838a293e) --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 3dc61bcc3c..211685a5d2 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -80,8 +80,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 16979a117c..d857298011 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:16:59 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:16:59 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692026.1078816 (Exim 4.92) (envelope-from ) id 1rk5kJ-0000xU-53; Tue, 12 Mar 2024 17:16:59 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692026.1078816; Tue, 12 Mar 2024 17:16:59 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kJ-0000xN-2U; Tue, 12 Mar 2024 17:16:59 +0000 Received: by outflank-mailman (input) for mailman id 692026; Tue, 12 Mar 2024 17:16:57 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kH-0000x7-OJ for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:57 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kH-0007Rk-NY for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:57 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5kH-00053f-Mb for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:16:57 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=xn3f724Q1e0p2oh68dAkbX6a+MGv4fYgYayEsSWEmVY=; b=5BxZ7S/0uTFYk9pbQOvKZqRh11 fFW0oP09TKc71L4Qd+uzb5j+BD29uvksyUdIuWP8URiL6zLD9K5UkDdEdqdp/PyvZg0uK2RTsrslk SaGu2TIjVPjl+bBiEIjXdPGiZOb1XdcQaSZhoqsZaXRdecsN5VnzwvjKvRqm5WjKE+4Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:16:57 +0000 commit 9d2f136328aab5537b7180a1b23e171893ebe455 Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 7ef0084418e188d05f338c3e028fbbe8b6924afa) --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/include/asm/cpufeatures.h | 2 +- xen/arch/x86/include/asm/nospec.h | 26 ++++++++++++++++++++++++ xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++--- xen/common/Kconfig | 17 ++++++++++++++++ xen/include/xen/nospec.h | 15 ++++++++++++++ xen/include/xen/spinlock.h | 37 ++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index d909ec94fe..e1d56407dd 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2327,7 +2327,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2454,6 +2454,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h index c3aad21c3b..7e8221fd85 100644 --- a/xen/arch/x86/include/asm/cpufeatures.h +++ b/xen/arch/x86/include/asm/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_NO_BRANCH_HARDEN, X86_SYNTH(15)) /* (Disable) Conditional branch hardening */ diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h index 7150e76b87..0725839e19 100644 --- a/xen/arch/x86/include/asm/nospec.h +++ b/xen/arch/x86/include/asm/nospec.h @@ -38,6 +38,32 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 1ee81e2dfe..ac21af2c5c 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -65,6 +65,7 @@ int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; static bool __initdata opt_branch_harden = IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH); +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -133,6 +134,7 @@ static int __init cf_check parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -298,6 +300,16 @@ static int __init cf_check parse_spec_ctrl(const char *s) rc = -EINVAL; } } + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -500,7 +512,8 @@ static void __init print_details(enum ind_thunk thunk) if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || - IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" @@ -516,11 +529,14 @@ static void __init print_details(enum ind_thunk thunk) #endif #ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS " HARDEN_GUEST_ACCESS" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk != THUNK_NONE ? "BTI-Thunk: " : "", thunk == THUNK_NONE ? "" : thunk == THUNK_RETPOLINE ? "RETPOLINE, " : @@ -547,7 +563,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1930,6 +1947,9 @@ void __init init_speculation_mitigations(void) if ( !opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_NO_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index e7794cb7f6..cd73851538 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -173,6 +173,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config DIT_DEFAULT diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4552846403 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -70,6 +70,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 961891bea4..daf48fdea7 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include #include @@ -189,13 +190,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -203,7 +221,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -224,8 +242,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:17:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:17:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692028.1078821 (Exim 4.92) (envelope-from ) id 1rk5kT-00010j-6n; Tue, 12 Mar 2024 17:17:09 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692028.1078821; Tue, 12 Mar 2024 17:17:09 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kT-00010b-4D; Tue, 12 Mar 2024 17:17:09 +0000 Received: by outflank-mailman (input) for mailman id 692028; Tue, 12 Mar 2024 17:17:07 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kR-00010N-R8 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:07 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kR-0007SP-QS for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:07 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5kR-0005C2-Pe for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:07 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6ahodCQ8yQAPb6oP4jU47MQGpDUvWuWjOKumXms9wfQ=; b=wNfhXEs/rn0Mm0nkaluNbw5M2U EUXfa/cG/joipe3Ll/5D5xBCB6RdSj6grzgxK9JYb5eWlSA19JeQ1f5dr042uxDvMaSpEPSAMBfyD WO1MlfQqCOxEduJ3AWuv69jm7e/LW+1ZrpEOl4C/9coWxhuH9SFNtSapsgmIjW0o08Ys=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:17:07 +0000 commit 7454dad6ee15f9fa6d84fc285d366b86f3d47494 Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit a1fb15f61692b1fa9945fc51f55471ace49cdd59) --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index aa15529bbe..cda06b9d6e 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -64,8 +67,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 0cc9167715..fd0458be94 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -247,27 +247,49 @@ static inline int _rw_is_write_locked(rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:17:19 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:17:19 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692029.1078825 (Exim 4.92) (envelope-from ) id 1rk5kd-00013v-8H; Tue, 12 Mar 2024 17:17:19 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692029.1078825; Tue, 12 Mar 2024 17:17:19 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kd-00013n-5f; Tue, 12 Mar 2024 17:17:19 +0000 Received: by outflank-mailman (input) for mailman id 692029; Tue, 12 Mar 2024 17:17:17 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kb-00013X-UA for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:17 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kb-0007Sb-TN for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:17 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5kb-0005F8-Sd for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:17 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=JltwFVCxaUTR0oc+Rzo/irTtYLHoinIvLzL7niTK1cw=; b=M9aiAJJaKOHgELy8GVOYiP5vDI VN0BAYPEUgWHZsuTVoo/VGGwP2QlboKuWd5/JyMViA6nyaWDDhn5MDmuFseiYRHF689ENzh3cdc6g zoP/x6I4JPxMgwgdSBVYg8AX3guBjCWYlZDe3ChfqrLwDjuU2/n4bpZecOyH0dlL6tEE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:17:17 +0000 commit 468a368b2e5a38fc0be8e9e5f475820f7e4a6b4f Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit f218daf6d3a3b847736d37c6a6b76031a0d08441) --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index cda06b9d6e..4da0ed8fad 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -125,8 +125,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index fd0458be94..abe0804bf7 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -326,8 +326,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -362,6 +362,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -410,8 +412,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:17:29 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:17:29 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692030.1078829 (Exim 4.92) (envelope-from ) id 1rk5kn-00017l-BI; Tue, 12 Mar 2024 17:17:29 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692030.1078829; Tue, 12 Mar 2024 17:17:29 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kn-00017d-8V; Tue, 12 Mar 2024 17:17:29 +0000 Received: by outflank-mailman (input) for mailman id 692030; Tue, 12 Mar 2024 17:17:28 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5km-00017T-1P for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:28 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5km-0007Sn-0c for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:28 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5kl-0005OB-WE for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:28 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=oTb+3eS0ACp9h69xuFDa6sJnjBt0v3WUS8Xc62ZzmJg=; b=pv6hACYSidHOwaYKOlFTbIKDQJ gH2/hktXpwuE/ZuLp/7pyJPv/0cPE1rn6nwxMNFSaUKv3xos+bKmyGaM1i2QztVnFTOlJ8kXSpLEm don2UMdXHJJu8QL1UIaSBU6BvF+fk6Y7U0n6vn0T/C9+lPlZ4fK+siX0NWCwwiMztXA0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Tue, 12 Mar 2024 17:17:27 +0000 commit 2cc5e57be680a516aa5cdef4281856d09b9d0ea6 Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 197ecd838a2aaf959a469df3696d4559c4f8b762) --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/include/asm/irq.h | 1 + xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 5 +++-- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 40 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index cb1d81bf9e..66f1095245 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -161,7 +161,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -180,9 +180,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h index f6a0207a80..823d627fd0 100644 --- a/xen/arch/x86/include/asm/irq.h +++ b/xen/arch/x86/include/asm/irq.h @@ -178,6 +178,7 @@ void cf_check irq_complete_move(struct irq_desc *); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index c1523aeccf..265239c49f 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -86,8 +86,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -137,8 +137,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == get_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -149,6 +149,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -162,8 +164,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -178,15 +180,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -321,7 +323,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index fc110506dc..99dbcb3101 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -36,7 +36,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index f5e0b12d15..dada9f15f5 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -62,7 +62,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -364,7 +364,8 @@ int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc, evtchn_port_t port) return rc; } -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index ee7cc496b8..62a8685cd5 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -410,7 +410,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -420,7 +420,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -457,7 +457,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 078beb1adb..29bbab5ac6 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 0527a8c70d..24a93dd0c1 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -207,8 +207,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -220,10 +236,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 9b5016d5ed..459668d417 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -240,7 +240,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool_t timer_lock(struct timer *timer) +static inline bool_t timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -254,7 +254,8 @@ static inline bool_t timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -267,8 +268,9 @@ static inline bool_t timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool_t __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 8c62b14d19..1b3d285166 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index 8eae9984a9..dd96e84c69 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -114,12 +114,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index 5975ca2f30..b373f139d1 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -155,8 +155,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool_t __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:17:39 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:17:39 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692031.1078833 (Exim 4.92) (envelope-from ) id 1rk5kx-0001AL-Ch; Tue, 12 Mar 2024 17:17:39 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692031.1078833; Tue, 12 Mar 2024 17:17:39 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kx-0001AD-A3; Tue, 12 Mar 2024 17:17:39 +0000 Received: by outflank-mailman (input) for mailman id 692031; Tue, 12 Mar 2024 17:17:38 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kw-0001A3-4a for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:38 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5kw-0007Su-3r for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:38 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5kw-0005On-39 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:38 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zloBujKdGAV86tv3g1anB+zOJuiPXu9IlPIqymCKe8E=; b=fNAxg7+Mcie5jiYmgRLVYgGPUc L3d5hw5LhilQg3ULcLZw01467RtaOUq9XxG6iEnh/7zx0FCA7NteY+JxTQNG+VJULbBrrC/cQpto/ B7pFPhp9hDMofM9j8wgoMdYeR7OJLmTVvkiS5nc5FfZ+XEs5kZXZqIaG6W3hXU8IOr30=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Tue, 12 Mar 2024 17:17:38 +0000 commit 074b4c8987db235a0b86798810c045f68e4775b6 Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 42a572a38e22a97d86a4b648a22597628d5b42e4) --- xen/arch/x86/include/asm/mm.h | 4 +++- xen/arch/x86/mm.c | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h index a5d7fdd32e..5845b729c3 100644 --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -393,7 +393,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 330c4abcd1..8d19d719bd 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2033,7 +2033,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2094,7 +2094,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2103,6 +2103,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:17:49 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:17:49 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692032.1078836 (Exim 4.92) (envelope-from ) id 1rk5l7-0001DN-E4; Tue, 12 Mar 2024 17:17:49 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692032.1078836; Tue, 12 Mar 2024 17:17:49 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5l7-0001DF-BT; Tue, 12 Mar 2024 17:17:49 +0000 Received: by outflank-mailman (input) for mailman id 692032; Tue, 12 Mar 2024 17:17:48 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5l6-0001D1-7r for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:48 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5l6-0007T5-6w for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:48 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5l6-0005Qe-6K for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:48 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=t7pKneR+Ia9IiNDqRU1YKTRgrhNEiFV4jXNNJNigUlk=; b=bv7+5QFrdARa+fQrw/O6TeVjAH La3hp+QlJy6J2DHdBJvoXTiC7bRJHec2F9By01W5fRaaoOv6GdnxIB3QkBH9i0QL2E4uB/oZ24sgN CpYixuiFYaogpGa+5aGaAerYtgZONwmG7gquufURZoqh62LOoBaTwqQhio/DTRPFvWzQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86: protect conditional lock taking from speculative execution Message-Id: Date: Tue, 12 Mar 2024 17:17:48 +0000 commit 0ebd2e49bcd0f566ba6b9158555942aab8e41332 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 03cf7ca23e0e876075954c558485b267b7d02406) --- xen/arch/x86/mm.c | 35 +++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 32 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 8d19d719bd..d31b8d56ff 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5023,8 +5023,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; UNMAP_DOMAIN_PAGE(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_mfn(l3mfn, __PAGE_HYPERVISOR); @@ -5061,8 +5060,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_mfn(l2mfn, __PAGE_HYPERVISOR)); @@ -5100,8 +5098,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_mfn(l1mfn, __PAGE_HYPERVISOR)); @@ -5132,6 +5129,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5347,8 +5346,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5452,8 +5450,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5494,8 +5491,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5549,8 +5545,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5694,8 +5689,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l3e_get_flags(*pl3e))); UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5754,8 +5748,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_get_flags(*pl2e) & ~_PAGE_PSE)); UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5799,8 +5792,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5847,8 +5839,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 265239c49f..3ea2d8eb03 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -347,6 +347,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index b28c899b5e..1fa9e01012 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -292,9 +292,8 @@ mfn_t p2m_get_gfn_type_access(struct p2m_domain *p2m, gfn_t gfn, if ( q & P2M_UNSHARE ) q |= P2M_ALLOC; - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index daf48fdea7..7e75d0e2e7 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -216,6 +216,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:18:00 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:18:00 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692033.1078841 (Exim 4.92) (envelope-from ) id 1rk5lI-0001Gi-H8; Tue, 12 Mar 2024 17:18:00 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692033.1078841; Tue, 12 Mar 2024 17:18:00 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lI-0001Ga-EM; Tue, 12 Mar 2024 17:18:00 +0000 Received: by outflank-mailman (input) for mailman id 692033; Tue, 12 Mar 2024 17:17:58 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lG-0001GG-Nv for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:58 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lG-0007TE-N9 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:58 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5lG-0005al-MT for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:17:58 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=COSYpRFxuBrT9g93/W64izPhoRMlKv4g9+mR2gNsYOE=; b=gPcL0cmnHXmQjPTHlFOe6uE8W8 19itj/xuT+pnN4GnyjUfgQgdw+F/qdPMRM8BT5jVWtoieW4HaKeGV9sennP4RHUW/4dpJTVQnqMia Q2N1U6Bk1AfcqA0c9JfU3JpKb16iQa1DTAvbBcqGxqXsecsu0cMRAnoGAXGQ56UMiV7A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/entry: Introduce EFRAME_* constants Message-Id: Date: Tue, 12 Mar 2024 17:17:58 +0000 commit 91dbe4f238f022945d850c01a76232cb44dedd31 Author: Andrew Cooper AuthorDate: Sat Jan 27 17:52:09 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 8 18:59:44 2024 +0000 x86/entry: Introduce EFRAME_* constants restore_all_guest() does a lot of manipulation of the stack after popping the GPRs, and uses raw %rsp displacements to do so. Also, almost all entrypaths use raw %rsp displacements prior to pushing GPRs. Provide better mnemonics, to aid readability and reduce the chance of errors when editing. No functional change. The resulting binary is identical. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 37541208f119a9c552c6c6c3246ea61be0d44035) --- xen/arch/x86/x86_64/asm-offsets.c | 17 +++++++++ xen/arch/x86/x86_64/compat/entry.S | 2 +- xen/arch/x86/x86_64/entry.S | 70 +++++++++++++++++++------------------- 3 files changed, 53 insertions(+), 36 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 287dac101a..31fa63b77f 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -51,6 +51,23 @@ void __dummy__(void) OFFSET(UREGS_kernel_sizeof, struct cpu_user_regs, es); BLANK(); + /* + * EFRAME_* is for the entry/exit logic where %rsp is pointing at + * UREGS_error_code and GPRs are still/already guest values. + */ +#define OFFSET_EF(sym, mem) \ + DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ + offsetof(struct cpu_user_regs, error_code)) + + OFFSET_EF(EFRAME_entry_vector, entry_vector); + OFFSET_EF(EFRAME_rip, rip); + OFFSET_EF(EFRAME_cs, cs); + OFFSET_EF(EFRAME_eflags, eflags); + OFFSET_EF(EFRAME_rsp, rsp); + BLANK(); + +#undef OFFSET_EF + OFFSET(VCPU_processor, struct vcpu, processor); OFFSET(VCPU_domain, struct vcpu, domain); OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 253bb1688c..7c211314d8 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -15,7 +15,7 @@ ENTRY(entry_int82) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $HYPERCALL_VECTOR, 4(%rsp) + movl $HYPERCALL_VECTOR, EFRAME_entry_vector(%rsp) SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 837a31b405..10f11986d8 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -190,15 +190,15 @@ restore_all_guest: SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL - testw $TRAP_syscall,4(%rsp) + testw $TRAP_syscall, EFRAME_entry_vector(%rsp) jz iret_exit_to_guest - movq 24(%rsp),%r11 # RFLAGS + mov EFRAME_eflags(%rsp), %r11 andq $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), %r11 orq $X86_EFLAGS_IF,%r11 /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx + mov EFRAME_rip(%rsp), %rcx sarq $47,%rcx incl %ecx cmpl $1,%ecx @@ -213,20 +213,20 @@ restore_all_guest: ALTERNATIVE "", rag_clrssbsy, X86_FEATURE_XEN_SHSTK #endif - movq 8(%rsp), %rcx # RIP - cmpw $FLAT_USER_CS32,16(%rsp)# CS - movq 32(%rsp),%rsp # RSP + mov EFRAME_rip(%rsp), %rcx + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) + mov EFRAME_rsp(%rsp), %rsp je 1f sysretq 1: sysretl ALIGN .Lrestore_rcx_iret_exit_to_guest: - movq 8(%rsp), %rcx # RIP + mov EFRAME_rip(%rsp), %rcx /* No special register assumptions. */ iret_exit_to_guest: - andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), 24(%rsp) - orl $X86_EFLAGS_IF,24(%rsp) + andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) + orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -257,7 +257,7 @@ ENTRY(lstar_enter) pushq $FLAT_KERNEL_CS64 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -294,7 +294,7 @@ ENTRY(cstar_enter) pushq $FLAT_USER_CS32 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -335,7 +335,7 @@ GLOBAL(sysenter_eflags_saved) pushq $3 /* ring 3 null cs */ pushq $0 /* null rip */ pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -389,7 +389,7 @@ ENTRY(int80_direct_trap) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $0x80, 4(%rsp) + movl $0x80, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -707,7 +707,7 @@ ENTRY(common_interrupt) ENTRY(page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) /* No special register assumptions. */ GLOBAL(handle_exception) ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP @@ -849,90 +849,90 @@ FATAL_exception_with_ints_disabled: ENTRY(divide_error) ENDBR64 pushq $0 - movl $TRAP_divide_error,4(%rsp) + movl $TRAP_divide_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_copro_error,4(%rsp) + movl $TRAP_copro_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(simd_coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_simd_error,4(%rsp) + movl $TRAP_simd_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(device_not_available) ENDBR64 pushq $0 - movl $TRAP_no_device,4(%rsp) + movl $TRAP_no_device, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(debug) ENDBR64 pushq $0 - movl $TRAP_debug,4(%rsp) + movl $TRAP_debug, EFRAME_entry_vector(%rsp) jmp handle_ist_exception ENTRY(int3) ENDBR64 pushq $0 - movl $TRAP_int3,4(%rsp) + movl $TRAP_int3, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(overflow) ENDBR64 pushq $0 - movl $TRAP_overflow,4(%rsp) + movl $TRAP_overflow, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(bounds) ENDBR64 pushq $0 - movl $TRAP_bounds,4(%rsp) + movl $TRAP_bounds, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_op) ENDBR64 pushq $0 - movl $TRAP_invalid_op,4(%rsp) + movl $TRAP_invalid_op, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_TSS) ENDBR64 - movl $TRAP_invalid_tss,4(%rsp) + movl $TRAP_invalid_tss, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(segment_not_present) ENDBR64 - movl $TRAP_no_segment,4(%rsp) + movl $TRAP_no_segment, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(stack_segment) ENDBR64 - movl $TRAP_stack_error,4(%rsp) + movl $TRAP_stack_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(general_protection) ENDBR64 - movl $TRAP_gp_fault,4(%rsp) + movl $TRAP_gp_fault, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(alignment_check) ENDBR64 - movl $TRAP_alignment_check,4(%rsp) + movl $TRAP_alignment_check, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_CP) ENDBR64 - movl $X86_EXC_CP, 4(%rsp) + movl $X86_EXC_CP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(double_fault) ENDBR64 - movl $TRAP_double_fault,4(%rsp) + movl $TRAP_double_fault, EFRAME_entry_vector(%rsp) /* Set AC to reduce chance of further SMAP faults */ ALTERNATIVE "", stac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -958,7 +958,7 @@ ENTRY(double_fault) .pushsection .init.text, "ax", @progbits ENTRY(early_page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) SAVE_ALL movq %rsp,%rdi call do_early_page_fault @@ -968,7 +968,7 @@ ENTRY(early_page_fault) ENTRY(nmi) ENDBR64 pushq $0 - movl $TRAP_nmi,4(%rsp) + movl $TRAP_nmi, EFRAME_entry_vector(%rsp) handle_ist_exception: ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1075,7 +1075,7 @@ handle_ist_exception: ENTRY(machine_check) ENDBR64 pushq $0 - movl $TRAP_machine_check,4(%rsp) + movl $TRAP_machine_check, EFRAME_entry_vector(%rsp) jmp handle_ist_exception /* No op trap handler. Required for kexec crash path. */ @@ -1112,7 +1112,7 @@ autogen_stubs: /* Automatically generated stubs. */ 1: ENDBR64 pushq $0 - movb $vec,4(%rsp) + movb $vec, EFRAME_entry_vector(%rsp) jmp common_interrupt entrypoint 1b @@ -1126,7 +1126,7 @@ autogen_stubs: /* Automatically generated stubs. */ test $8,%spl /* 64bit exception frames are 16 byte aligned, but the word */ jz 2f /* size is 8 bytes. Check whether the processor gave us an */ pushq $0 /* error code, and insert an empty one if not. */ -2: movb $vec,4(%rsp) +2: movb $vec, EFRAME_entry_vector(%rsp) jmp handle_exception entrypoint 1b -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:18:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:18:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692034.1078845 (Exim 4.92) (envelope-from ) id 1rk5lS-0001JG-IL; Tue, 12 Mar 2024 17:18:10 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692034.1078845; Tue, 12 Mar 2024 17:18:10 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lS-0001J8-Fl; Tue, 12 Mar 2024 17:18:10 +0000 Received: by outflank-mailman (input) for mailman id 692034; Tue, 12 Mar 2024 17:18:08 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lQ-0001Iu-Rt for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:08 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lQ-0007Tu-R8 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:08 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5lQ-0005bx-PN for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:08 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MC1AbPTGUCWVfhPVUgXqOYnv0wV4p7TelRl1YprYw2U=; b=ixKVOJIaGm1pFmSbzKLQfQnku5 sjrvm51vSO2OQgSp8vroC66Xgva5xCefATdCF4PNgPDB1o8ZHmlJ2Kvp3DWK3NPA/6ZQuIXcIeumC zm1GwEWuB00Zis7Ke0zqIVFoKIvIM9cvbb9MPIr1QlV9JOhCP7mpt6YX3CEJUPSwNwcs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Tue, 12 Mar 2024 17:18:08 +0000 commit 4d2baf9e4c6c308381373d4ad61e6a828c5a20bc Author: Andrew Cooper AuthorDate: Thu Feb 29 11:26:40 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 8 18:59:44 2024 +0000 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné (cherry picked from commit de17162cafd27f2865a3102a2ec0f386a02ed03d) --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/include/asm-x86/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index f38063b667..34f778dbaf 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -434,6 +434,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -468,6 +478,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index 1ac3d3a1f9..81ac4d76ee 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -134,6 +134,7 @@ #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 0ee1d1d903..2906eaa6c2 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -275,7 +275,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single XEN_CPUFEATURE(FSRM, 9*32+ 4) /*A Fast Short REP MOVS */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*a SERIALIZE insn */ @@ -329,7 +329,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:18:20 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:18:20 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692035.1078848 (Exim 4.92) (envelope-from ) id 1rk5lc-0001NZ-Jf; Tue, 12 Mar 2024 17:18:20 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692035.1078848; Tue, 12 Mar 2024 17:18:20 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lc-0001NS-HB; Tue, 12 Mar 2024 17:18:20 +0000 Received: by outflank-mailman (input) for mailman id 692035; Tue, 12 Mar 2024 17:18:19 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lb-0001NI-04 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:19 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5la-0007U4-VZ for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:18 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5la-0005ky-TE for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:18 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tXPSB0IC/z3njPThS9L7KOiGDs/bIc9XhJjaxnSU2tg=; b=jPiuDPxTu2+USlB7MIyUzMhIsc uB+yPKMXL354ZJoNadAFPHwemtnED1LT6IlDXvXNwzZN6eeu9yPzt3M3L+r6AgPn8K+RHVmVTqMO/ qY6/c8etkp4bKSxdFGxAKzwifFbqEbti8zZlqDFv4rXcG3h6G/Bixl11dsA6PucpJLQM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Tue, 12 Mar 2024 17:18:18 +0000 commit 3bf73a02cb770682587c1c7e3c254ddb18e7b261 Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:15:35 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f) --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++++++---- xen/arch/x86/x86_64/asm-offsets.c | 1 + xen/include/asm-x86/asm_defns.h | 8 ++++++++ xen/include/asm-x86/spec_ctrl_asm.h | 7 +++++++ 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index 5f5de45a13..cdde76e138 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 31fa63b77f..a4e94d6930 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -135,6 +135,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defns.h index d9431180cf..abc6822b08 100644 --- a/xen/include/asm-x86/asm_defns.h +++ b/xen/include/asm-x86/asm_defns.h @@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ +.macro BUILD_BUG_ON condstr, cond:vararg + .if \cond + .error "Condition \"\condstr\" not satisfied" + .endif +.endm +/* preprocessor macro to make error message more user friendly */ +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond + #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ .ifndef .L.tag; \ diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h index 0e69971f66..e807ff6d1d 100644 --- a/xen/include/asm-x86/spec_ctrl_asm.h +++ b/xen/include/asm-x86/spec_ctrl_asm.h @@ -169,6 +169,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:18:30 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:18:30 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692036.1078853 (Exim 4.92) (envelope-from ) id 1rk5lm-0001Q9-Lm; Tue, 12 Mar 2024 17:18:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692036.1078853; Tue, 12 Mar 2024 17:18:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lm-0001Q1-Io; Tue, 12 Mar 2024 17:18:30 +0000 Received: by outflank-mailman (input) for mailman id 692036; Tue, 12 Mar 2024 17:18:29 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ll-0001Pr-3r for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:29 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ll-0007UG-23 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:29 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5ll-0005lP-1V for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:29 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=oRkrmvzc2xpmr6Gf8GeNSJs43KjyNRIBvl6nL8jC2P4=; b=QCoLBu/mACDA1i3p97TnqvKCCV jpP0rR+F+lIoCBRgiyachUAPsGcEFpGSVckb2hv3AFpCmBXcFKz3kOP4JERuPSnFNgrCJ4msH90Ue vwoV8P1qL+32ypL+QZ+qXUmTUQ0kdQrCA317NV1UutCFOPj5grl9QLJHMevTblQtBOHQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Tue, 12 Mar 2024 17:18:29 +0000 commit 92e7aab34337aa6b68a506861992822c079ee175 Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:15:35 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7) --- xen/arch/x86/x86_64/asm-offsets.c | 13 +++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++++- xen/include/asm-x86/spec_ctrl_asm.h | 36 ++++++++++++++++++++++++------------ 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index a4e94d6930..4cd5938d7b 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -136,6 +144,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 7c211314d8..3b2fbcd873 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -161,6 +161,12 @@ ENTRY(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8 compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 10f11986d8..9b1fa9ed19 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -214,6 +214,9 @@ restore_all_guest: #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -227,6 +230,9 @@ restore_all_guest: iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -670,9 +676,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq ENTRY(common_interrupt) diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h index e807ff6d1d..6e7725c11f 100644 --- a/xen/include/asm-x86/spec_ctrl_asm.h +++ b/xen/include/asm-x86/spec_ctrl_asm.h @@ -176,16 +176,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -303,8 +310,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -384,7 +389,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -412,11 +417,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:18:40 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:18:40 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692037.1078857 (Exim 4.92) (envelope-from ) id 1rk5lw-0001Ul-OX; Tue, 12 Mar 2024 17:18:40 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692037.1078857; Tue, 12 Mar 2024 17:18:40 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lw-0001Ue-Lv; Tue, 12 Mar 2024 17:18:40 +0000 Received: by outflank-mailman (input) for mailman id 692037; Tue, 12 Mar 2024 17:18:39 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lv-0001US-5m for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:39 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5lv-0007UN-55 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:39 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5lv-0005uO-4K for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:39 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=U5mH3MYBlaKt6s2tXlmjtKZDmSxhdOpD7x51s66aexA=; b=1zHoTO16UfA6qVFFg2VnCWRHuX IcxS6ZLDQDeGter+jyMqgQLZE+hB8vAZG1wTBtPxiCSuaDEHqEYdZ3/joZiVAeVh6mPmMqhn7TWDx 8+wlzdvyRGE/5vTMRkV1Tl4Ao59oX4zsn0NY5ONkBE6nrYtJ4NzQBgfiCLSrV/bAXIew=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Tue, 12 Mar 2024 17:18:39 +0000 commit a7ae8dbd8f4518b3d56d41d32931587b9027bc7b Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:17:47 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit f7603ca252e4226739eb3129a5290ee3da3f8ea4) --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index a7a1362bac..029002fa82 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2260,7 +2260,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2285,7 +2285,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2302,11 +2302,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen and on idle. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 6e82a126a3..292b5b1c7b 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -37,8 +37,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static int8_t __initdata opt_rsb_pv = -1; static bool __initdata opt_rsb_hvm = true; -static int8_t __read_mostly opt_md_clear_pv = -1; -static int8_t __read_mostly opt_md_clear_hvm = -1; +static int8_t __read_mostly opt_verw_pv = -1; +static int8_t __read_mostly opt_verw_hvm = -1; static int8_t __read_mostly opt_ibpb_entry_pv = -1; static int8_t __read_mostly opt_ibpb_entry_hvm = -1; @@ -77,7 +77,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __read_mostly opt_fb_clear_mmio; +static bool __read_mostly opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -119,8 +119,8 @@ static int __init parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -151,14 +151,14 @@ static int __init parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -203,21 +203,22 @@ static int __init parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -512,8 +513,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -533,11 +534,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -546,11 +547,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1479,8 +1480,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1838,19 +1839,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1863,12 +1865,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:18:50 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:18:50 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692038.1078860 (Exim 4.92) (envelope-from ) id 1rk5m6-0001Yp-Q9; Tue, 12 Mar 2024 17:18:50 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692038.1078860; Tue, 12 Mar 2024 17:18:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5m6-0001Yh-NP; Tue, 12 Mar 2024 17:18:50 +0000 Received: by outflank-mailman (input) for mailman id 692038; Tue, 12 Mar 2024 17:18:49 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5m5-0001YW-8f for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:49 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5m5-0007UZ-7r for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:49 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5m5-0005ur-7E for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:49 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4Xa6rA/na2OkmGa0j5h2W8D4pGH/UCOqzUU89ArVFjw=; b=mdWI4Uj1bRTe3NGhnaOaD016Cy UaAP6iOitGEYLqVRY6tY+qSBWeQLvzMUQjg/msNoTeLbkbumZbYPj/ibrUpKFJcepST2do4pFOv1T MP5+vEB7hEciZEP/YJEcej5KBkS4EjCXaQdAefcph8l0DBDe5cftzNpOHahKP4fiWeF8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Tue, 12 Mar 2024 17:18:49 +0000 commit 638b6b21702ebf5a028a166261e4353d3028c7bd Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:17:48 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2) --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 292b5b1c7b..2e80e08716 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1496,7 +1496,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1827,50 +1827,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:19:00 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:19:00 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692039.1078865 (Exim 4.92) (envelope-from ) id 1rk5mG-0001fD-S9; Tue, 12 Mar 2024 17:19:00 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692039.1078865; Tue, 12 Mar 2024 17:19:00 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mG-0001f6-Ot; Tue, 12 Mar 2024 17:19:00 +0000 Received: by outflank-mailman (input) for mailman id 692039; Tue, 12 Mar 2024 17:18:59 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mF-0001dM-Bq for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:59 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mF-0007Ug-Au for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:59 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5mF-00063u-AE for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:18:59 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=AE7JVJ3RYY1oki8oZh1r271P0jDN54GwfeN+MlR2Rhc=; b=ba/e2014a0l3tSQZXFQyifZB1r Why5hP/bJeRMObO1ONwRAGu4SipfICC1MTwevEbxXvx/7lUIjVgMuwyC0wUem789fe5Um4ELDOsnu PWiBXBleJzvXbiMdx/da5J+AAwhgY5e+76Vhj1JTTGi1KT6pwRm8/nTvwQQzclMfxoks=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Tue, 12 Mar 2024 17:18:59 +0000 commit 762cd5423635a8f0f69eb71ce10c5a62c47247ac Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:21:06 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit fb5b6f6744713410c74cfc12b7176c108e3c9a31) --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++-- xen/include/asm-x86/cpufeature.h | 3 + xen/include/asm-x86/msr-index.h | 2 + xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 110 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index c55a6e7678..0c792679e5 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -170,7 +170,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -230,7 +230,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 34f778dbaf..c872afda3e 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -443,6 +443,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -492,6 +493,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 2e80e08716..24bf98a018 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -432,7 +432,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -448,6 +448,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -458,7 +459,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -476,6 +477,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1324,6 +1326,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case 0x97: /* INTEL_FAM6_ALDERLAKE */ + case 0xB7: /* INTEL_FAM6_RAPTORLAKE */ + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + /* fallthrough */ + case 0x9A: /* INTEL_FAM6_ALDERLAKE_L */ + case 0xBA: /* INTEL_FAM6_RAPTORLAKE_P */ + case 0xBF: /* INTEL_FAM6_RAPTORLAKE_S */ + + case 0x5C: /* INTEL_FAM6_ATOM_GOLDMONT */ /* Apollo Lake */ + case 0x5F: /* INTEL_FAM6_ATOM_GOLDMONT_D */ /* Denverton */ + case 0x7A: /* INTEL_FAM6_ATOM_GOLDMONT_PLUS */ /* Gemini Lake */ + case 0x86: /* INTEL_FAM6_ATOM_TREMONT_D */ /* Snow Ridge / Parker Ridge */ + case 0x96: /* INTEL_FAM6_ATOM_TREMONT */ /* Elkhart Lake */ + case 0x9C: /* INTEL_FAM6_ATOM_TREMONT_L */ /* Jasper Lake */ + case 0xBE: /* INTEL_FAM6_ATOM_GRACEMONT */ /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1832,6 +1911,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1861,8 +1941,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1894,15 +1978,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1916,7 +2004,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index 81ac4d76ee..1869732bcb 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -138,6 +138,7 @@ #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) /* CPUID level 0x00000007:1.eax */ @@ -157,6 +158,8 @@ #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h index 8251b8258b..eb6295d8a7 100644 --- a/xen/include/asm-x86/msr-index.h +++ b/xen/include/asm-x86/msr-index.h @@ -77,6 +77,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 2906eaa6c2..7a9d8d05d3 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -279,6 +279,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*a SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */ @@ -338,6 +339,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:19:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:19:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692040.1078869 (Exim 4.92) (envelope-from ) id 1rk5mP-0001jo-UT; Tue, 12 Mar 2024 17:19:09 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692040.1078869; Tue, 12 Mar 2024 17:19:09 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mP-0001jg-Rt; Tue, 12 Mar 2024 17:19:09 +0000 Received: by outflank-mailman (input) for mailman id 692040; Tue, 12 Mar 2024 17:19:09 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mP-0001ja-Ev for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:09 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mP-0007VL-EB for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:09 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5mP-000653-DS for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:09 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=r9sZ8jo5EX2e+w59oSJXPNzxVzZ+ba/Yarg8vhZy3Go=; b=ObaV581L3NntO2lhuIUeaBl0+K fqogFG1DepumsQwER7vrBdABAtrkDetqcxIuafKlY8VC0Mg7qvg3OdlHNaOeKVzOSsVniubWj0pzi ARMrIbR2gL2Ws1faeoJwiY0fb01zRr9lWHpaMl9Hmo1jKc7KVRzkfIZN8eXz9w11LKko=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/paging: Delete update_cr3()'s do_locking parameter Message-Id: Date: Tue, 12 Mar 2024 17:19:09 +0000 commit ac20165f11c1935329ae73eda6b9f90a0b894a67 Author: Andrew Cooper AuthorDate: Wed Sep 20 20:06:53 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:22:42 2024 +0000 x86/paging: Delete update_cr3()'s do_locking parameter Nicola reports that the XSA-438 fix introduced new MISRA violations because of some incidental tidying it tried to do. The parameter is useless, so resolve the MISRA regression by removing it. hap_update_cr3() discards the parameter entirely, while sh_update_cr3() uses it to distinguish internal and external callers and therefore whether the paging lock should be taken. However, we have paging_lock_recursive() for this purpose, which also avoids the ability for the shadow internal callers to accidentally not hold the lock. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Reported-by: Nicola Vetrini Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-acked-by: Henry Wang (cherry picked from commit e71157d1ac2a7fbf413130663cf0a93ff9fbcf7e) --- xen/arch/x86/mm/hap/hap.c | 4 ++-- xen/arch/x86/mm/shadow/common.c | 2 +- xen/arch/x86/mm/shadow/multi.c | 17 ++++++++--------- xen/arch/x86/mm/shadow/none.c | 2 +- xen/include/asm-x86/paging.h | 5 ++--- 5 files changed, 14 insertions(+), 16 deletions(-) diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index fa479d3d97..63c29da696 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -728,7 +728,7 @@ static bool_t hap_invlpg(struct vcpu *v, unsigned long linear) return 1; } -static pagetable_t hap_update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t hap_update_cr3(struct vcpu *v, bool noflush) { v->arch.hvm.hw_cr[3] = v->arch.hvm.guest_cr[3]; hvm_update_guest_cr3(v, noflush); @@ -818,7 +818,7 @@ static void hap_update_paging_modes(struct vcpu *v) } /* CR3 is effectively updated by a mode change. Flush ASIDs, etc. */ - hap_update_cr3(v, 0, false); + hap_update_cr3(v, false); unlock: paging_unlock(d); diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index 242b93537f..a8869a3fb7 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -2563,7 +2563,7 @@ static void sh_update_paging_modes(struct vcpu *v) } #endif /* OOS */ - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); } void shadow_update_paging_modes(struct vcpu *v) diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index cf3ded70e7..78bb89f1ee 100644 --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -2499,7 +2499,7 @@ static int sh_page_fault(struct vcpu *v, * In any case, in the PAE case, the ASSERT is not true; it can * happen because of actions the guest is taking. */ #if GUEST_PAGING_LEVELS == 3 - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); #else ASSERT(d->is_shutting_down); #endif @@ -3219,17 +3219,13 @@ sh_detach_old_tables(struct vcpu *v) } } -static pagetable_t -sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t sh_update_cr3(struct vcpu *v, bool noflush) /* Updates vcpu->arch.cr3 after the guest has changed CR3. * Paravirtual guests should set v->arch.guest_table (and guest_table_user, * if appropriate). * HVM guests should also make sure hvm_get_guest_cntl_reg(v, 3) works; * this function will call hvm_update_guest_cr(v, 3) to tell them where the * shadow tables are. - * If do_locking != 0, assume we are being called from outside the - * shadow code, and must take and release the paging lock; otherwise - * that is the caller's responsibility. */ { struct domain *d = v->domain; @@ -3247,7 +3243,11 @@ sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) return old_entry; } - if ( do_locking ) paging_lock(v->domain); + /* + * This is used externally (with the paging lock not taken) and internally + * by the shadow code (with the lock already taken). + */ + paging_lock_recursive(v->domain); #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC) /* Need to resync all the shadow entries on a TLB flush. Resync @@ -3483,8 +3483,7 @@ sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) shadow_sync_other_vcpus(v); #endif - /* Release the lock, if we took it (otherwise it's the caller's problem) */ - if ( do_locking ) paging_unlock(v->domain); + paging_unlock(v->domain); return old_entry; } diff --git a/xen/arch/x86/mm/shadow/none.c b/xen/arch/x86/mm/shadow/none.c index 2a5fd409b2..0035369808 100644 --- a/xen/arch/x86/mm/shadow/none.c +++ b/xen/arch/x86/mm/shadow/none.c @@ -52,7 +52,7 @@ static unsigned long _gva_to_gfn(struct vcpu *v, struct p2m_domain *p2m, } #endif -static pagetable_t _update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t _update_cr3(struct vcpu *v, bool noflush) { ASSERT_UNREACHABLE(); return pagetable_null(); diff --git a/xen/include/asm-x86/paging.h b/xen/include/asm-x86/paging.h index fceb208d36..bd7c7008ae 100644 --- a/xen/include/asm-x86/paging.h +++ b/xen/include/asm-x86/paging.h @@ -138,8 +138,7 @@ struct paging_mode { paddr_t ga, uint32_t *pfec, unsigned int *page_order); #endif - pagetable_t (*update_cr3 )(struct vcpu *v, bool do_locking, - bool noflush); + pagetable_t (*update_cr3 )(struct vcpu *v, bool noflush); void (*update_paging_modes )(struct vcpu *v); bool (*flush_tlb )(bool (*flush_vcpu)(void *ctxt, struct vcpu *v), @@ -317,7 +316,7 @@ static inline unsigned long paging_ga_to_gfn_cr3(struct vcpu *v, * as the value to load into the host CR3 to schedule this vcpu */ static inline pagetable_t paging_update_cr3(struct vcpu *v, bool noflush) { - return paging_get_hostmode(v)->update_cr3(v, 1, noflush); + return paging_get_hostmode(v)->update_cr3(v, noflush); } /* Update all the things that are derived from the guest's CR0/CR3/CR4. -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:19:20 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:19:20 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692041.1078873 (Exim 4.92) (envelope-from ) id 1rk5ma-0001pa-0Q; Tue, 12 Mar 2024 17:19:20 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692041.1078873; Tue, 12 Mar 2024 17:19:19 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mZ-0001pT-TM; Tue, 12 Mar 2024 17:19:19 +0000 Received: by outflank-mailman (input) for mailman id 692041; Tue, 12 Mar 2024 17:19:19 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mZ-0001pI-Hl for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:19 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mZ-0007VU-H0 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:19 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5mZ-0006Dr-GI for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:19 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1bgPQCNXHU6pkQNqZOkYi4cO6ulcbQGj/jH41rMLGkU=; b=eV56TioFbVLd8Hd5Ee5HP91qj6 i7fKhtAitOOctmC719gfr8YPwscXCuraPyH5ioaN9X1iQ3Nw6P5secOpLQSjI/ed5hSn45GXKcdAl wNUfyzOSABo3WJsTnGyqRvUu5zpElso5nUYrR+K3OVbVgIIqCyfD0T/yd8xbCbcoDCOs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Tue, 12 Mar 2024 17:19:19 +0000 commit 0cfea4bc8f6e5a54d2c001089607dd7bf3ceec19 Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:22:44 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit c4f427ec879e7c0df6d44d02561e8bee838a293e) --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 3f5c296138..c0b77d563d 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -80,8 +80,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 16979a117c..d857298011 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:19:30 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:19:30 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692042.1078877 (Exim 4.92) (envelope-from ) id 1rk5mk-0001uI-1N; Tue, 12 Mar 2024 17:19:30 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692042.1078877; Tue, 12 Mar 2024 17:19:30 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mj-0001uB-Ut; Tue, 12 Mar 2024 17:19:29 +0000 Received: by outflank-mailman (input) for mailman id 692042; Tue, 12 Mar 2024 17:19:29 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mj-0001u3-L4 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:29 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mj-0007Ve-KL for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:29 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5mj-0006NF-JZ for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:29 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=e7H61ZeBBnjFXPoc8ZF5WTVcsZZ7REuaNpxsfI4yIhc=; b=wl65ao+hV4IqU4S0BTxj4335Xs 4CnHXCWY7tPZwDm294BioPtdjpEOCCIRdilKd9DKb8ANsMeJqWHf3zC1eP4zzQHFkSNrLffuM2HmK rzqA/OF+QBzea8c4f2Ob3j7CHzCssoa9/Mv8ueN89dgkqfDUHDfML/EjvkB5jDG91fS0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:19:29 +0000 commit 9104de10b2d1f8864b9092ae427023a421696fef Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:37 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 7ef0084418e188d05f338c3e028fbbe8b6924afa) --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++++--- xen/common/Kconfig | 17 +++++++++++++++++ xen/include/asm-x86/cpufeatures.h | 2 +- xen/include/asm-x86/nospec.h | 26 ++++++++++++++++++++++++++ xen/include/xen/nospec.h | 15 +++++++++++++++ xen/include/xen/spinlock.h | 37 +++++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 029002fa82..33c32cfc1c 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2263,7 +2263,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2388,6 +2388,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 24bf98a018..0a7af22a9b 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -63,6 +63,7 @@ int8_t __read_mostly opt_ibpb_ctxt_switch = -1; int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; static bool __initdata opt_branch_harden = true; +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -131,6 +132,7 @@ static int __init parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -282,6 +284,16 @@ static int __init parse_spec_ctrl(const char *s) opt_l1d_flush = val; else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 ) opt_branch_harden = val; + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -481,18 +493,22 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ - if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : @@ -518,7 +534,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1889,6 +1906,9 @@ void __init init_speculation_mitigations(void) if ( !opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_NO_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index c9f4b7f492..01c70109f5 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -161,6 +161,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config HYPFS diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h index 70b93b6b44..7e8221fd85 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 - unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_NO_BRANCH_HARDEN, X86_SYNTH(15)) /* (Disable) Conditional branch hardening */ diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 7150e76b87..0725839e19 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -38,6 +38,32 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4552846403 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -70,6 +70,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 9fa4e600c1..efdb21ea90 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include #include @@ -189,13 +190,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -203,7 +221,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -224,8 +242,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:19:41 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:19:41 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692043.1078880 (Exim 4.92) (envelope-from ) id 1rk5mv-0001za-36; Tue, 12 Mar 2024 17:19:41 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692043.1078880; Tue, 12 Mar 2024 17:19:41 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mv-0001zS-0T; Tue, 12 Mar 2024 17:19:41 +0000 Received: by outflank-mailman (input) for mailman id 692043; Tue, 12 Mar 2024 17:19:39 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mt-0001z6-Nt for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:39 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5mt-0007Vr-N6 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:39 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5mt-0006Xn-MR for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:39 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=91ciOhxa62ioDvrufZrSaGPhbUAcz8jHPL3q0ybTCTE=; b=0chnlaWdGNsHOo5Y0OjORFD9bN 8L0PG394/RvpZqoWwxRRiO2wmnhSpOFgVbcoEYwYlu7LCTKS0QbD7QoqNHcWQdCzB91/9SKJyJGIt XzrRw32XQbXnqUVNnjSb1YA5EpRQOsv7mo/oAGdigkfDWaHyosfSDnI5rVrsNFATKGgQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:19:39 +0000 commit f01cfe72203fa60043966dd68c2d8d992e2955bf Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:38 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit a1fb15f61692b1fa9945fc51f55471ace49cdd59) --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index dadab372b5..2464f74548 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -64,8 +67,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 0cc9167715..fd0458be94 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -247,27 +247,49 @@ static inline int _rw_is_write_locked(rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:19:51 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:19:51 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692044.1078885 (Exim 4.92) (envelope-from ) id 1rk5n5-00026h-6S; Tue, 12 Mar 2024 17:19:51 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692044.1078885; Tue, 12 Mar 2024 17:19:51 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5n5-00026Z-3B; Tue, 12 Mar 2024 17:19:51 +0000 Received: by outflank-mailman (input) for mailman id 692044; Tue, 12 Mar 2024 17:19:49 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5n3-000252-Qb for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:49 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5n3-0007W4-Pr for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:49 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5n3-0006pa-PH for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:49 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fHej6zCtgcF+mmUvK1FuSHrDKUzmjyC/texIhObjiDc=; b=5xb+0UesKWEYiLNkXK2kSs3PjL h8RjMbVl2rCx1/NRLCC+4PVrbvChdbtECfLdOovRXWugGfFulSHTgeQI6OU1RLCPLsadmKZNpE9ge SsErYgXTsmGTMPiKrs6Ln2mySFNG8fsop+P/RIuq5f2Pke3WAhXA3qaRT5ZIrZUCzTbw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:19:49 +0000 commit 475511953efc8cbe31d410f3f41542ea2b97f080 Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:38 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit f218daf6d3a3b847736d37c6a6b76031a0d08441) --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 2464f74548..703276f4aa 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -125,8 +125,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index fd0458be94..abe0804bf7 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -326,8 +326,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -362,6 +362,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -410,8 +412,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:20:01 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:20:01 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692046.1078898 (Exim 4.92) (envelope-from ) id 1rk5nF-0002So-Fg; Tue, 12 Mar 2024 17:20:01 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692046.1078898; Tue, 12 Mar 2024 17:20:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nF-0002Sh-D7; Tue, 12 Mar 2024 17:20:01 +0000 Received: by outflank-mailman (input) for mailman id 692046; Tue, 12 Mar 2024 17:19:59 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nD-0002Ry-Tv for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:59 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nD-0007WD-TB for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:59 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5nD-00070N-SY for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:19:59 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fSW2vnQO9XKXSDX1PfbThX8r03MroPxE7hjiqWehpiI=; b=ZIsoYGNt2++WevJmiIVvJ2sm7k ZpgCU23BitzJo6vKQc1uln6geebjgnMMkUsxkrcw9sRc+BucaV24UarGjJs9VkhuRKtJIEkOc2fGi BEDkUKpaXQ1YVTbPDqD5N0AE5+RYi7KQ11RcKvMziF1Qu3dnBAq8Vpi6WvYix6XKlLUg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Tue, 12 Mar 2024 17:19:59 +0000 commit dd55a2e6816aa3f0b753385073a5eade5f773d2c Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:38 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 197ecd838a2aaf959a469df3696d4559c4f8b762) --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 5 +++-- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/asm-x86/irq.h | 1 + xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 40 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index 6fdc3e19fe..dd2de574cf 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -161,7 +161,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -180,9 +180,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index d6c073dc5c..cc635a4405 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -88,8 +88,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -139,8 +139,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == get_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -151,6 +151,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -164,8 +166,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -180,15 +182,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -321,7 +323,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index a3c9d8a974..c826288408 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -35,7 +35,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index da88ad141a..e5f4e68b88 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -57,7 +57,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -324,7 +324,8 @@ static int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc) return rc; } -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 76272b3c8a..9464cebdd6 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -398,7 +398,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -408,7 +408,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -445,7 +445,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 03ace41540..9e80ad4c74 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 0527a8c70d..24a93dd0c1 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -207,8 +207,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -220,10 +236,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 1bb265ceea..dc831efc79 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -240,7 +240,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool_t timer_lock(struct timer *timer) +static inline bool_t timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -254,7 +254,8 @@ static inline bool_t timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -267,8 +268,9 @@ static inline bool_t timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool_t __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 6fc27e7ede..2fd663062a 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/asm-x86/irq.h b/xen/include/asm-x86/irq.h index 7c825e9d9c..d4b2beda79 100644 --- a/xen/include/asm-x86/irq.h +++ b/xen/include/asm-x86/irq.h @@ -177,6 +177,7 @@ extern void irq_complete_move(struct irq_desc *); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index 21c95e14fd..18924e69e7 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -105,12 +105,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index ac3880e686..3f1324e5de 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -147,8 +147,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool_t __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:20:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:20:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692047.1078903 (Exim 4.92) (envelope-from ) id 1rk5nP-0003Q7-HH; Tue, 12 Mar 2024 17:20:11 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692047.1078903; Tue, 12 Mar 2024 17:20:11 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nP-0003Pz-EX; Tue, 12 Mar 2024 17:20:11 +0000 Received: by outflank-mailman (input) for mailman id 692047; Tue, 12 Mar 2024 17:20:10 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nO-0003Pa-0e for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:10 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nN-0007Ws-W8 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:09 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5nN-0007Gy-Vb for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:09 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=JBLTZA0MqeSifiFrnPlHOr6cPJ9P+mKx3w1oy5XGlqk=; b=5MkBxLhDciFsP/lnpj5dbrsHj8 aWl5lx7xenVunfW43+JvVo26gpGZn3+BXNHXToi7nL7vFHYaq7ekOOE5jBcUWjS5m/KMqmTlhvZzn ZLjuANfo1i4JCaPDApNCvU85czOVFhPy4vjznhpf2AK8XYbPLj3oO5yimFIhSAW8wf9Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Tue, 12 Mar 2024 17:20:09 +0000 commit 41d93be76611704bdc73e8fe71c251a6f1da114c Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:39 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 42a572a38e22a97d86a4b648a22597628d5b42e4) --- xen/arch/x86/mm.c | 6 ++++-- xen/include/asm-x86/mm.h | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index ea024c1450..2bf1b70985 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2005,7 +2005,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2066,7 +2066,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2075,6 +2075,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h index cccef852b4..73d5a98bec 100644 --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -393,7 +393,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:20:21 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:20:21 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692049.1078906 (Exim 4.92) (envelope-from ) id 1rk5nZ-0003ay-IN; Tue, 12 Mar 2024 17:20:21 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692049.1078906; Tue, 12 Mar 2024 17:20:21 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nZ-0003ar-Fw; Tue, 12 Mar 2024 17:20:21 +0000 Received: by outflank-mailman (input) for mailman id 692049; Tue, 12 Mar 2024 17:20:20 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nY-0003Za-3o for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:20 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nY-0007X4-36 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:20 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5nY-0007Q1-2P for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:20 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=78E1bd772sjJZip4NLZ01sBwj4wDui7KNt5L4Q54L4Q=; b=r7RNkQpP+tLjpZ/97l18t/tCjv MVWMHoI2gmYiPhOwo3O21qYPSk8CdJrFymeqOdl7BCX58OtZ9lOO4TVzbY/d+hmjFrKrEJPFDcp8y UuwSnrk47yRgXx0lpwaeynH/OK9Ua1wvMf3CiTqZCf1q6gffo7sjewDSYp+C1qg/wInk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.16] x86: protect conditional lock taking from speculative execution Message-Id: Date: Tue, 12 Mar 2024 17:20:20 +0000 commit ea1da2ba8ea7c76a8a3a08d11f7de5acb8b17801 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:39 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 03cf7ca23e0e876075954c558485b267b7d02406) --- xen/arch/x86/mm.c | 35 +++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 32 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 2bf1b70985..16287e62af 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5000,8 +5000,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; UNMAP_DOMAIN_PAGE(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_mfn(l3mfn, __PAGE_HYPERVISOR); @@ -5038,8 +5037,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_mfn(l2mfn, __PAGE_HYPERVISOR)); @@ -5077,8 +5075,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_mfn(l1mfn, __PAGE_HYPERVISOR)); @@ -5109,6 +5106,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5324,8 +5323,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5429,8 +5427,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5471,8 +5468,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5526,8 +5522,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5671,8 +5666,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l3e_get_flags(*pl3e))); UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5731,8 +5725,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_get_flags(*pl2e) & ~_PAGE_PSE)); UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5776,8 +5769,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5824,8 +5816,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index cc635a4405..7eee233b4c 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -347,6 +347,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 2d41446a69..ddd2f861c3 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -514,9 +514,8 @@ mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn_l, if ( q & P2M_UNSHARE ) q |= P2M_ALLOC; - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index efdb21ea90..8bffb3f4b6 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -216,6 +216,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.16 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:20:31 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:20:31 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692050.1078911 (Exim 4.92) (envelope-from ) id 1rk5nj-0003ev-LF; Tue, 12 Mar 2024 17:20:31 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692050.1078911; Tue, 12 Mar 2024 17:20:31 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nj-0003eo-Il; Tue, 12 Mar 2024 17:20:31 +0000 Received: by outflank-mailman (input) for mailman id 692050; Tue, 12 Mar 2024 17:20:30 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ni-0003ed-KE for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:30 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ni-0007XD-JQ for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:30 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5ni-0007c8-Ib for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:30 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vMxyMUk/0IWVCwGgXfNW3+s1j+7mLQsOxmL96iSt/SQ=; b=PD0dK85hzbkktrnefd/Ijx/V/3 Xazy4wXfwss+XKCjeyRVjVb6YlTgZoQynlv4WKh+gvhRwy9TPhCNDqWm0w1wi1kMzFa7Q74m9nfJn w0S2K2TtTvW3IeJOBHT5wxmE7ySas2rX6GloiMVvoXQBJhpmMn/lHYOqtGFjdqXXZezc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/entry: Introduce EFRAME_* constants Message-Id: Date: Tue, 12 Mar 2024 17:20:30 +0000 commit e7a37b9b2c86a17869a201955038d33f23f33b57 Author: Andrew Cooper AuthorDate: Sat Jan 27 17:52:09 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/entry: Introduce EFRAME_* constants restore_all_guest() does a lot of manipulation of the stack after popping the GPRs, and uses raw %rsp displacements to do so. Also, almost all entrypaths use raw %rsp displacements prior to pushing GPRs. Provide better mnemonics, to aid readability and reduce the chance of errors when editing. No functional change. The resulting binary is identical. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 37541208f119a9c552c6c6c3246ea61be0d44035) --- xen/arch/x86/x86_64/asm-offsets.c | 17 ++++++++++ xen/arch/x86/x86_64/compat/entry.S | 4 +-- xen/arch/x86/x86_64/entry.S | 68 +++++++++++++++++++------------------- 3 files changed, 53 insertions(+), 36 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 6dbf3bf697..9d105161db 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -51,6 +51,23 @@ void __dummy__(void) OFFSET(UREGS_kernel_sizeof, struct cpu_user_regs, es); BLANK(); + /* + * EFRAME_* is for the entry/exit logic where %rsp is pointing at + * UREGS_error_code and GPRs are still/already guest values. + */ +#define OFFSET_EF(sym, mem) \ + DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ + offsetof(struct cpu_user_regs, error_code)) + + OFFSET_EF(EFRAME_entry_vector, entry_vector); + OFFSET_EF(EFRAME_rip, rip); + OFFSET_EF(EFRAME_cs, cs); + OFFSET_EF(EFRAME_eflags, eflags); + OFFSET_EF(EFRAME_rsp, rsp); + BLANK(); + +#undef OFFSET_EF + OFFSET(VCPU_processor, struct vcpu, processor); OFFSET(VCPU_domain, struct vcpu, domain); OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index cde7702b4c..20603ec4af 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -17,7 +17,7 @@ ENTRY(entry_int82) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $HYPERCALL_VECTOR, 4(%rsp) + movl $HYPERCALL_VECTOR, EFRAME_entry_vector(%rsp) SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -214,7 +214,7 @@ ENTRY(cstar_enter) pushq $FLAT_USER_CS32 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index a086349841..fe052d2792 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -190,15 +190,15 @@ restore_all_guest: SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL - testw $TRAP_syscall,4(%rsp) + testw $TRAP_syscall, EFRAME_entry_vector(%rsp) jz iret_exit_to_guest - movq 24(%rsp),%r11 # RFLAGS + mov EFRAME_eflags(%rsp), %r11 andq $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), %r11 orq $X86_EFLAGS_IF,%r11 /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx + mov EFRAME_rip(%rsp), %rcx sarq $47,%rcx incl %ecx cmpl $1,%ecx @@ -213,20 +213,20 @@ restore_all_guest: ALTERNATIVE "", rag_clrssbsy, X86_FEATURE_XEN_SHSTK #endif - movq 8(%rsp), %rcx # RIP - cmpw $FLAT_USER_CS32,16(%rsp)# CS - movq 32(%rsp),%rsp # RSP + mov EFRAME_rip(%rsp), %rcx + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) + mov EFRAME_rsp(%rsp), %rsp je 1f sysretq 1: sysretl ALIGN .Lrestore_rcx_iret_exit_to_guest: - movq 8(%rsp), %rcx # RIP + mov EFRAME_rip(%rsp), %rcx /* No special register assumptions. */ iret_exit_to_guest: - andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), 24(%rsp) - orl $X86_EFLAGS_IF,24(%rsp) + andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) + orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -257,7 +257,7 @@ ENTRY(lstar_enter) pushq $FLAT_KERNEL_CS64 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -295,7 +295,7 @@ GLOBAL(sysenter_eflags_saved) pushq $3 /* ring 3 null cs */ pushq $0 /* null rip */ pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -347,7 +347,7 @@ ENTRY(int80_direct_trap) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $0x80, 4(%rsp) + movl $0x80, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -650,7 +650,7 @@ ENTRY(common_interrupt) ENTRY(page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) /* No special register assumptions. */ GLOBAL(handle_exception) ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP @@ -790,90 +790,90 @@ FATAL_exception_with_ints_disabled: ENTRY(divide_error) ENDBR64 pushq $0 - movl $TRAP_divide_error,4(%rsp) + movl $TRAP_divide_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_copro_error,4(%rsp) + movl $TRAP_copro_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(simd_coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_simd_error,4(%rsp) + movl $TRAP_simd_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(device_not_available) ENDBR64 pushq $0 - movl $TRAP_no_device,4(%rsp) + movl $TRAP_no_device, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(debug) ENDBR64 pushq $0 - movl $TRAP_debug,4(%rsp) + movl $TRAP_debug, EFRAME_entry_vector(%rsp) jmp handle_ist_exception ENTRY(int3) ENDBR64 pushq $0 - movl $TRAP_int3,4(%rsp) + movl $TRAP_int3, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(overflow) ENDBR64 pushq $0 - movl $TRAP_overflow,4(%rsp) + movl $TRAP_overflow, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(bounds) ENDBR64 pushq $0 - movl $TRAP_bounds,4(%rsp) + movl $TRAP_bounds, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_op) ENDBR64 pushq $0 - movl $TRAP_invalid_op,4(%rsp) + movl $TRAP_invalid_op, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_TSS) ENDBR64 - movl $TRAP_invalid_tss,4(%rsp) + movl $TRAP_invalid_tss, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(segment_not_present) ENDBR64 - movl $TRAP_no_segment,4(%rsp) + movl $TRAP_no_segment, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(stack_segment) ENDBR64 - movl $TRAP_stack_error,4(%rsp) + movl $TRAP_stack_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(general_protection) ENDBR64 - movl $TRAP_gp_fault,4(%rsp) + movl $TRAP_gp_fault, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(alignment_check) ENDBR64 - movl $TRAP_alignment_check,4(%rsp) + movl $TRAP_alignment_check, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_CP) ENDBR64 - movl $X86_EXC_CP, 4(%rsp) + movl $X86_EXC_CP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(double_fault) ENDBR64 - movl $TRAP_double_fault,4(%rsp) + movl $TRAP_double_fault, EFRAME_entry_vector(%rsp) /* Set AC to reduce chance of further SMAP faults */ ALTERNATIVE "", stac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -899,7 +899,7 @@ ENTRY(double_fault) .pushsection .init.text, "ax", @progbits ENTRY(early_page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) SAVE_ALL movq %rsp,%rdi call do_early_page_fault @@ -909,7 +909,7 @@ ENTRY(early_page_fault) ENTRY(nmi) ENDBR64 pushq $0 - movl $TRAP_nmi,4(%rsp) + movl $TRAP_nmi, EFRAME_entry_vector(%rsp) handle_ist_exception: ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1011,7 +1011,7 @@ handle_ist_exception: ENTRY(machine_check) ENDBR64 pushq $0 - movl $TRAP_machine_check,4(%rsp) + movl $TRAP_machine_check, EFRAME_entry_vector(%rsp) jmp handle_ist_exception /* No op trap handler. Required for kexec crash path. */ @@ -1048,7 +1048,7 @@ autogen_stubs: /* Automatically generated stubs. */ 1: ENDBR64 pushq $0 - movb $vec,4(%rsp) + movb $vec, EFRAME_entry_vector(%rsp) jmp common_interrupt entrypoint 1b @@ -1062,7 +1062,7 @@ autogen_stubs: /* Automatically generated stubs. */ test $8,%spl /* 64bit exception frames are 16 byte aligned, but the word */ jz 2f /* size is 8 bytes. Check whether the processor gave us an */ pushq $0 /* error code, and insert an empty one if not. */ -2: movb $vec,4(%rsp) +2: movb $vec, EFRAME_entry_vector(%rsp) jmp handle_exception entrypoint 1b -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:20:41 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:20:41 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692051.1078917 (Exim 4.92) (envelope-from ) id 1rk5nt-0003iN-Nr; Tue, 12 Mar 2024 17:20:41 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692051.1078917; Tue, 12 Mar 2024 17:20:41 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5nt-0003iD-KG; Tue, 12 Mar 2024 17:20:41 +0000 Received: by outflank-mailman (input) for mailman id 692051; Tue, 12 Mar 2024 17:20:40 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ns-0003hx-N4 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:40 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ns-0007XS-MK for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:40 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5ns-0007tB-Li for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:40 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=AGh2d2X7P+Dfdq+bUocboUTkIQDiBF38vs3bdaWbHSQ=; b=Mngv47opuK6LGULpZkiOH95WX0 JH7g3fQ60BFyY/7h8Qs7/NeRnfXjq8Yx+TgbJqb8fb+877eNIWUZFHqCO62cKoZGcOAPiAorYh9Kc O38dhjUiITN5YXSN2P72KJaio9NJG/bbOMh5/fMptNxETWb93SfEi5s4A1l7llwPVqIU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Tue, 12 Mar 2024 17:20:40 +0000 commit d50d8d769e4840c68a94c966a9f4ced344c98584 Author: Andrew Cooper AuthorDate: Thu Feb 29 11:26:40 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné (cherry picked from commit de17162cafd27f2865a3102a2ec0f386a02ed03d) --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/include/asm-x86/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 792724db6f..c6cd91db0a 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -434,6 +434,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -468,6 +478,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index ecdc7d9b71..3b116c6dd3 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -137,6 +137,7 @@ #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index e434fc9bae..b4f68a59b8 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -273,7 +273,7 @@ XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions * XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single Precision */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*a SERIALIZE insn */ @@ -322,7 +322,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:20:51 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:20:51 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692052.1078919 (Exim 4.92) (envelope-from ) id 1rk5o3-0003le-Ol; Tue, 12 Mar 2024 17:20:51 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692052.1078919; Tue, 12 Mar 2024 17:20:51 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5o3-0003lW-Lj; Tue, 12 Mar 2024 17:20:51 +0000 Received: by outflank-mailman (input) for mailman id 692052; Tue, 12 Mar 2024 17:20:50 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5o2-0003lM-Pv for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:50 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5o2-0007Xm-P7 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:50 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5o2-00083T-OV for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:20:50 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=45SoXk8bc9EaZBRvMNYZkHgVgvQgV3AMk8TQ1sf3EZw=; b=a1QYFxyvRTETJ+XkRmJuu4MyW4 2n/3cDMVRJU6hWMLWKB23ogi+6ZgL0DL1G00tCYGwzQaJAaGTMKSR0FGv5aHJcK+ezXoSFzXgdNj3 uf224sbPqC25d4KShqQcWoKvbCk4EhYuzhSpu4mdneg8B22Yyh3io8kkNBe5wv+YYZQU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Tue, 12 Mar 2024 17:20:50 +0000 commit eeed8a8ef62af7136b2cee0da00eb00c90d2fec0 Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f) --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++++++---- xen/arch/x86/x86_64/asm-offsets.c | 1 + xen/include/asm-x86/asm_defns.h | 8 ++++++++ xen/include/asm-x86/spec_ctrl_asm.h | 7 +++++++ 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index 5f5de45a13..cdde76e138 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 9d105161db..eb4a619891 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -133,6 +133,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defns.h index d480a4461b..4ab54f41cf 100644 --- a/xen/include/asm-x86/asm_defns.h +++ b/xen/include/asm-x86/asm_defns.h @@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ +.macro BUILD_BUG_ON condstr, cond:vararg + .if \cond + .error "Condition \"\condstr\" not satisfied" + .endif +.endm +/* preprocessor macro to make error message more user friendly */ +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond + #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ .ifndef .L.tag; \ diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h index c47399dbf2..b5e5669436 100644 --- a/xen/include/asm-x86/spec_ctrl_asm.h +++ b/xen/include/asm-x86/spec_ctrl_asm.h @@ -164,6 +164,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:21:01 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:21:01 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692053.1078923 (Exim 4.92) (envelope-from ) id 1rk5oD-0003oq-QD; Tue, 12 Mar 2024 17:21:01 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692053.1078923; Tue, 12 Mar 2024 17:21:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oD-0003og-ND; Tue, 12 Mar 2024 17:21:01 +0000 Received: by outflank-mailman (input) for mailman id 692053; Tue, 12 Mar 2024 17:21:00 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oC-0003oV-Sk for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:00 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oC-0007Xt-Rx for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:00 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5oC-0008K3-RL for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:00 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=h0Nu/VUZV6LbgosrnHJNR25py5oOx0ofatDLDyGwlTc=; b=CSdTvXlkWlJbDZw4c+cUS4p2xD X4MkgHn6f8Rd2cz+7LjLsl7HgFt7Aj/4ftyuLChnzL0Xn707aPYBPXT2Jvbc7ojD5BafV2P+ApJFO Z1WvEC741ZqDOXefLlntcIIg0VL+d9dj9oEFvacofEVx7/KZIDjkoj5p6BhFktbPaNOI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Tue, 12 Mar 2024 17:21:00 +0000 commit d636a6d1d4325f1b448ea7613bce909ccf99420b Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7) --- xen/arch/x86/x86_64/asm-offsets.c | 13 +++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++++- xen/include/asm-x86/spec_ctrl_asm.h | 36 ++++++++++++++++++++++++------------ 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index eb4a619891..e3a38ae967 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -134,6 +142,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 20603ec4af..becc7f1bb2 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -165,6 +165,12 @@ ENTRY(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8 compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index fe052d2792..d855d4d1d7 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -214,6 +214,9 @@ restore_all_guest: #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -227,6 +230,9 @@ restore_all_guest: iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -613,9 +619,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq ENTRY(common_interrupt) diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h index b5e5669436..9650a3aca7 100644 --- a/xen/include/asm-x86/spec_ctrl_asm.h +++ b/xen/include/asm-x86/spec_ctrl_asm.h @@ -171,16 +171,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -298,8 +305,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -379,7 +384,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -407,11 +412,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:21:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:21:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692054.1078927 (Exim 4.92) (envelope-from ) id 1rk5oO-0003s7-Sw; Tue, 12 Mar 2024 17:21:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692054.1078927; Tue, 12 Mar 2024 17:21:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oO-0003rz-QH; Tue, 12 Mar 2024 17:21:12 +0000 Received: by outflank-mailman (input) for mailman id 692054; Tue, 12 Mar 2024 17:21:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oN-0003rm-1Y for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oM-0007YT-Uz for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:10 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5oM-0008Ud-UF for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:10 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RtABLwIqvbmAuL3FriSz++Jcbc6XhyHkT8SisRjS2nw=; b=QbWA/sfyEfDl7sK2W6U4+QY5xv jeM6J5tch5q+AxwFb6S1b6+DYUI7zVj3/zISJxFhLDxuC2y0E3Tn2csEawDUtHqSOgnRi1yS8DTW1 pm1gT9HFVvIFQ7zBPrUd21LHv12I6rncSXa9JAUh9kP+ml7bioZWTQ5qluumwF7ywQ1A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Tue, 12 Mar 2024 17:21:10 +0000 commit a8f99b49075ea30e5a074eb0579609a4ea0a44a3 Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit f7603ca252e4226739eb3129a5290ee3da3f8ea4) --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index f3d1009f2d..d020d79dde 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2186,7 +2186,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2211,7 +2211,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2228,11 +2228,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index f75124117b..43449b4c7a 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -37,8 +37,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static bool __initdata opt_rsb_pv = true; static bool __initdata opt_rsb_hvm = true; -static int8_t __read_mostly opt_md_clear_pv = -1; -static int8_t __read_mostly opt_md_clear_hvm = -1; +static int8_t __read_mostly opt_verw_pv = -1; +static int8_t __read_mostly opt_verw_hvm = -1; static int8_t __read_mostly opt_ibpb_entry_pv = -1; static int8_t __read_mostly opt_ibpb_entry_hvm = -1; @@ -77,7 +77,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __read_mostly opt_fb_clear_mmio; +static bool __read_mostly opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -119,8 +119,8 @@ static int __init parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -151,14 +151,14 @@ static int __init parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -203,21 +203,22 @@ static int __init parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -512,8 +513,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -533,11 +534,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -546,11 +547,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1450,8 +1451,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1765,19 +1766,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1790,12 +1792,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:21:22 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:21:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692055.1078930 (Exim 4.92) (envelope-from ) id 1rk5oY-0003uO-UM; Tue, 12 Mar 2024 17:21:22 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692055.1078930; Tue, 12 Mar 2024 17:21:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oY-0003uG-Rm; Tue, 12 Mar 2024 17:21:22 +0000 Received: by outflank-mailman (input) for mailman id 692055; Tue, 12 Mar 2024 17:21:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oX-0003u4-2M for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oX-0007Ya-1d for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5oX-0000Ky-0s for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2mrQKn+S2R33GyLjW1Uo0D7Uo62e9lw+Ovwh/8gzjZg=; b=ZrVbXSzmzh7JL7+0Q1VKVdq+be c9rsYLaCwPswDZawDqb/udBNl9lgdcwQ9MH2T3WKynlhqkp+2MyJq3s4NoKJNsF62pKQC/qfQVojV wGalk+qCJTi8878MIIx8lLuW9Qdl9RorHa6T27cMKPPUzxd/P9SEoOkSFRPIz1BouF3c=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Tue, 12 Mar 2024 17:21:21 +0000 commit 7c69a025f141ada31f5bd1b1a3e35eacd9543e45 Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2) --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 43449b4c7a..84a382781b 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1467,7 +1467,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1754,50 +1754,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:21:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:21:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692056.1078937 (Exim 4.92) (envelope-from ) id 1rk5oj-0003xg-0r; Tue, 12 Mar 2024 17:21:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692056.1078937; Tue, 12 Mar 2024 17:21:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oi-0003xW-TK; Tue, 12 Mar 2024 17:21:32 +0000 Received: by outflank-mailman (input) for mailman id 692056; Tue, 12 Mar 2024 17:21:31 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oh-0003xB-5Z for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:31 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5oh-0007Yn-4p for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5oh-0000VT-4D for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=X1mrbaSFwzE914m4OI4VsTgDBFf7pJmWsL+WiAntPc8=; b=QVmWX+fBYzf+uBFoW8Tf0DDwCQ VM9V6kxGh6r4UOnahUtF757wdk8sF0GWHcfcAzcodHZm0xr5okAKiOgQqRTdlHZwawI17pSWWr5MQ xtwB/yCIMPKJeOVz9X6jjBeOFSOIwbBDSoEMppyz6l3OPXyGJJRxQIshA41S7oo48t4A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Tue, 12 Mar 2024 17:21:31 +0000 commit a8c4726320e89ffa68d60d423ab88e1829b7b535 Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit fb5b6f6744713410c74cfc12b7176c108e3c9a31) --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++-- xen/include/asm-x86/cpufeature.h | 3 + xen/include/asm-x86/msr-index.h | 2 + xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 110 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index 860ef07352..3faf1e4304 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -169,7 +169,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -224,7 +224,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index c6cd91db0a..c98b8fc93a 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -443,6 +443,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -492,6 +493,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 84a382781b..dd86b89bb1 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -432,7 +432,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -448,6 +448,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -458,7 +459,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -476,6 +477,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1295,6 +1297,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case 0x97: /* INTEL_FAM6_ALDERLAKE */ + case 0xB7: /* INTEL_FAM6_RAPTORLAKE */ + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + /* fallthrough */ + case 0x9A: /* INTEL_FAM6_ALDERLAKE_L */ + case 0xBA: /* INTEL_FAM6_RAPTORLAKE_P */ + case 0xBF: /* INTEL_FAM6_RAPTORLAKE_S */ + + case 0x5C: /* INTEL_FAM6_ATOM_GOLDMONT */ /* Apollo Lake */ + case 0x5F: /* INTEL_FAM6_ATOM_GOLDMONT_D */ /* Denverton */ + case 0x7A: /* INTEL_FAM6_ATOM_GOLDMONT_PLUS */ /* Gemini Lake */ + case 0x86: /* INTEL_FAM6_ATOM_TREMONT_D */ /* Snow Ridge / Parker Ridge */ + case 0x96: /* INTEL_FAM6_ATOM_TREMONT */ /* Elkhart Lake */ + case 0x9C: /* INTEL_FAM6_ATOM_TREMONT_L */ /* Jasper Lake */ + case 0xBE: /* INTEL_FAM6_ATOM_GRACEMONT */ /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1759,6 +1838,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1788,8 +1868,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1821,15 +1905,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1843,7 +1931,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index 3b116c6dd3..892af11384 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -141,6 +141,7 @@ #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) /* CPUID level 0x00000007:1.eax */ @@ -160,6 +161,8 @@ #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h index 8b3ad575db..17abfa0e4a 100644 --- a/xen/include/asm-x86/msr-index.h +++ b/xen/include/asm-x86/msr-index.h @@ -70,6 +70,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index b4f68a59b8..e027a31d67 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -277,6 +277,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*a SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */ @@ -331,6 +332,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:21:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:21:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692057.1078938 (Exim 4.92) (envelope-from ) id 1rk5ot-000417-3c; Tue, 12 Mar 2024 17:21:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692057.1078938; Tue, 12 Mar 2024 17:21:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5ot-00040x-0x; Tue, 12 Mar 2024 17:21:43 +0000 Received: by outflank-mailman (input) for mailman id 692057; Tue, 12 Mar 2024 17:21:41 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5or-00040k-8l for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:41 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5or-0007aI-81 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:41 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5or-0000lc-7P for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:41 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=J8ZlqccMNSkfdKtnI7fVZpy/5314D97ErSlnSt87MV4=; b=NvOaTjTv7+8poX11aN14I1x/FD hKzjBZ9skFKeTJezES6OBL+f4S/qSutZttdq4l+wmCrRnTwr3AYuJoZIyuWN1dx2Fc81f9maWxlQa gljFGKao3WqqwJO6o+EP0JPo7PWcGfoSQ8wgganv2Y5xA7N3AUvRDpEgwkSTuEqNBRAo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/paging: Delete update_cr3()'s do_locking parameter Message-Id: Date: Tue, 12 Mar 2024 17:21:41 +0000 commit 8fe0b51384b45aef6cfd9c77be2b949f4d30384a Author: Andrew Cooper AuthorDate: Wed Sep 20 20:06:53 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 x86/paging: Delete update_cr3()'s do_locking parameter Nicola reports that the XSA-438 fix introduced new MISRA violations because of some incidental tidying it tried to do. The parameter is useless, so resolve the MISRA regression by removing it. hap_update_cr3() discards the parameter entirely, while sh_update_cr3() uses it to distinguish internal and external callers and therefore whether the paging lock should be taken. However, we have paging_lock_recursive() for this purpose, which also avoids the ability for the shadow internal callers to accidentally not hold the lock. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Reported-by: Nicola Vetrini Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-acked-by: Henry Wang (cherry picked from commit e71157d1ac2a7fbf413130663cf0a93ff9fbcf7e) --- xen/arch/x86/mm/hap/hap.c | 4 ++-- xen/arch/x86/mm/shadow/common.c | 2 +- xen/arch/x86/mm/shadow/multi.c | 17 ++++++++--------- xen/arch/x86/mm/shadow/none.c | 2 +- xen/include/asm-x86/paging.h | 5 ++--- 5 files changed, 14 insertions(+), 16 deletions(-) diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index fa479d3d97..63c29da696 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -728,7 +728,7 @@ static bool_t hap_invlpg(struct vcpu *v, unsigned long linear) return 1; } -static pagetable_t hap_update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t hap_update_cr3(struct vcpu *v, bool noflush) { v->arch.hvm.hw_cr[3] = v->arch.hvm.guest_cr[3]; hvm_update_guest_cr3(v, noflush); @@ -818,7 +818,7 @@ static void hap_update_paging_modes(struct vcpu *v) } /* CR3 is effectively updated by a mode change. Flush ASIDs, etc. */ - hap_update_cr3(v, 0, false); + hap_update_cr3(v, false); unlock: paging_unlock(d); diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index 04ceca4a52..364d74f595 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -2630,7 +2630,7 @@ static void sh_update_paging_modes(struct vcpu *v) } #endif /* OOS */ - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); } void shadow_update_paging_modes(struct vcpu *v) diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index 35d47d6fbb..5f73bba41b 100644 --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -2884,7 +2884,7 @@ static int sh_page_fault(struct vcpu *v, * In any case, in the PAE case, the ASSERT is not true; it can * happen because of actions the guest is taking. */ #if GUEST_PAGING_LEVELS == 3 - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); #else ASSERT(d->is_shutting_down); #endif @@ -3604,17 +3604,13 @@ sh_detach_old_tables(struct vcpu *v) } } -static pagetable_t -sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t sh_update_cr3(struct vcpu *v, bool noflush) /* Updates vcpu->arch.cr3 after the guest has changed CR3. * Paravirtual guests should set v->arch.guest_table (and guest_table_user, * if appropriate). * HVM guests should also make sure hvm_get_guest_cntl_reg(v, 3) works; * this function will call hvm_update_guest_cr(v, 3) to tell them where the * shadow tables are. - * If do_locking != 0, assume we are being called from outside the - * shadow code, and must take and release the paging lock; otherwise - * that is the caller's responsibility. */ { struct domain *d = v->domain; @@ -3632,7 +3628,11 @@ sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) return old_entry; } - if ( do_locking ) paging_lock(v->domain); + /* + * This is used externally (with the paging lock not taken) and internally + * by the shadow code (with the lock already taken). + */ + paging_lock_recursive(v->domain); #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC) /* Need to resync all the shadow entries on a TLB flush. Resync @@ -3870,8 +3870,7 @@ sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) shadow_sync_other_vcpus(v); #endif - /* Release the lock, if we took it (otherwise it's the caller's problem) */ - if ( do_locking ) paging_unlock(v->domain); + paging_unlock(v->domain); return old_entry; } diff --git a/xen/arch/x86/mm/shadow/none.c b/xen/arch/x86/mm/shadow/none.c index 9b9c03ce7e..f80a2ba0f3 100644 --- a/xen/arch/x86/mm/shadow/none.c +++ b/xen/arch/x86/mm/shadow/none.c @@ -50,7 +50,7 @@ static unsigned long _gva_to_gfn(struct vcpu *v, struct p2m_domain *p2m, return gfn_x(INVALID_GFN); } -static pagetable_t _update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t _update_cr3(struct vcpu *v, bool noflush) { ASSERT_UNREACHABLE(); return pagetable_null(); diff --git a/xen/include/asm-x86/paging.h b/xen/include/asm-x86/paging.h index 5bcdbf93a7..3ad8aab471 100644 --- a/xen/include/asm-x86/paging.h +++ b/xen/include/asm-x86/paging.h @@ -136,8 +136,7 @@ struct paging_mode { unsigned long cr3, paddr_t ga, uint32_t *pfec, unsigned int *page_order); - pagetable_t (*update_cr3 )(struct vcpu *v, bool do_locking, - bool noflush); + pagetable_t (*update_cr3 )(struct vcpu *v, bool noflush); void (*update_paging_modes )(struct vcpu *v); bool (*flush_tlb )(bool (*flush_vcpu)(void *ctxt, struct vcpu *v), @@ -311,7 +310,7 @@ static inline unsigned long paging_ga_to_gfn_cr3(struct vcpu *v, * as the value to load into the host CR3 to schedule this vcpu */ static inline pagetable_t paging_update_cr3(struct vcpu *v, bool noflush) { - return paging_get_hostmode(v)->update_cr3(v, 1, noflush); + return paging_get_hostmode(v)->update_cr3(v, noflush); } /* Update all the things that are derived from the guest's CR0/CR3/CR4. -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:21:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:21:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692058.1078942 (Exim 4.92) (envelope-from ) id 1rk5p3-00044A-4v; Tue, 12 Mar 2024 17:21:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692058.1078942; Tue, 12 Mar 2024 17:21:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5p3-000443-2T; Tue, 12 Mar 2024 17:21:53 +0000 Received: by outflank-mailman (input) for mailman id 692058; Tue, 12 Mar 2024 17:21:51 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5p1-00043l-Ba for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:51 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5p1-0007ak-Ap for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:51 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5p1-0000w5-A8 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:21:51 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=nIUX0fA5K1EEUBzFW3x+RWTneV+xe5dqmytdwPAmUUI=; b=Vwgir23zNEKu89NhSj3RPMVi97 A/8g4Bnc76D73Uk90jAGMyfY6xDZWP5VYH/x8m8u8Oq0upwZYBNhU9plGO6oBIVXSC8//nW8yTBhm l8jNIbf1ROt6cn/4o9oZv4c0X6CtLrnWbTMy4d5oBVuRh/IiVECob7e0VtDpmZ8LOaEM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Tue, 12 Mar 2024 17:21:51 +0000 commit feb60def6680f1a1dbddd32d4f1733b4f7aea549 Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit c4f427ec879e7c0df6d44d02561e8bee838a293e) --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 667f9dac83..7fc8a8898a 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -80,8 +80,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 16979a117c..d857298011 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:22:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:22:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692059.1078948 (Exim 4.92) (envelope-from ) id 1rk5pD-00046v-76; Tue, 12 Mar 2024 17:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692059.1078948; Tue, 12 Mar 2024 17:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pD-00046n-41; Tue, 12 Mar 2024 17:22:03 +0000 Received: by outflank-mailman (input) for mailman id 692059; Tue, 12 Mar 2024 17:22:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pB-00046c-Gy for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pB-0007at-Fv for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5pB-0001D4-EY for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=cgPMcMoeXNy3C7ZmTvVH9qNUQ1s2OW8mIJQ8eVzr4LE=; b=uALd4sVgIjlloGaZ5L8nd+i39T 39kyigiTP6Er0NMYaViEgQ1Zzr+pltB2Uqy8wgyweQjiLbkCjuKzOC7/Q7kY9jt02fSOPFOVeP4PX q+sBRzs1Qu8gryLijGh0i6PFCVcAdddYZ8yCs+3PqcM9W0UvtRYHn3ObsCuemfePv2Wc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:22:01 +0000 commit 1b2cc8f9c09696b34d9d985525afa8010a8daa90 Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 7ef0084418e188d05f338c3e028fbbe8b6924afa) --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++++--- xen/common/Kconfig | 17 +++++++++++++++++ xen/include/asm-x86/cpufeatures.h | 2 +- xen/include/asm-x86/nospec.h | 26 ++++++++++++++++++++++++++ xen/include/xen/nospec.h | 15 +++++++++++++++ xen/include/xen/spinlock.h | 37 +++++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index d020d79dde..5e63e3d822 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2189,7 +2189,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2314,6 +2314,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index dd86b89bb1..b24c36c99e 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -63,6 +63,7 @@ int8_t __read_mostly opt_ibpb_ctxt_switch = -1; int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; bool __read_mostly opt_branch_harden = true; +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -131,6 +132,7 @@ static int __init parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -282,6 +284,16 @@ static int __init parse_spec_ctrl(const char *s) opt_l1d_flush = val; else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 ) opt_branch_harden = val; + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -481,18 +493,22 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ - if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : @@ -518,7 +534,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1816,6 +1833,9 @@ void __init init_speculation_mitigations(void) if ( opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index eb953d171e..aa18d423b2 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -129,6 +129,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config HYPFS diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h index d993e06e4c..24a182d37f 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 - unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_BRANCH_HARDEN, X86_SYNTH(15)) /* Conditional Branch Hardening */ diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index f6eb84eee5..e38f56cbe8 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -27,6 +27,32 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4552846403 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -70,6 +70,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 9fa4e600c1..efdb21ea90 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include #include @@ -189,13 +190,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -203,7 +221,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -224,8 +242,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:22:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692060.1078950 (Exim 4.92) (envelope-from ) id 1rk5pN-00049g-8V; Tue, 12 Mar 2024 17:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692060.1078950; Tue, 12 Mar 2024 17:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pN-00049Y-5Y; Tue, 12 Mar 2024 17:22:13 +0000 Received: by outflank-mailman (input) for mailman id 692060; Tue, 12 Mar 2024 17:22:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pL-00049M-KN for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pL-0007bf-Je for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5pL-0001O8-Ia for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ZVy1OUjC0W/dNrIODlh0//t0Mpss1TmoU0Zt0BaIq3g=; b=th8PEWlRITdZNhyw0iAh7FWurr J5CkVXnGor9A5CEJrRkgbxOwvLhA2qtRS6LZG3Z8BFk8dMcopYKAYB38D4aMTl1z66JjgottESuBb fS5F/BrWq6hze6Wj5yZW/5ACH0uTwDDXOXB3/GrPBxcgRaqIVqMKl42SWRkIxOgVV9bU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:22:11 +0000 commit 05b47a40c0e1522e9d7f52969c5936e39e163fb6 Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit a1fb15f61692b1fa9945fc51f55471ace49cdd59) --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index dadab372b5..2464f74548 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -64,8 +67,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 0cc9167715..fd0458be94 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -247,27 +247,49 @@ static inline int _rw_is_write_locked(rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:22:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:22:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692061.1078955 (Exim 4.92) (envelope-from ) id 1rk5pX-0004DU-Az; Tue, 12 Mar 2024 17:22:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692061.1078955; Tue, 12 Mar 2024 17:22:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pX-0004DN-8J; Tue, 12 Mar 2024 17:22:23 +0000 Received: by outflank-mailman (input) for mailman id 692061; Tue, 12 Mar 2024 17:22:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pV-0004D1-NI for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pV-0007bl-Mb for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5pV-0001Z9-Ln for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zx24A4dpsjZ+qGqkgzSzgQ43kyXF9erOt/qXHnR/voI=; b=0gH/9jNZHTnimtlq/Nk/h4nFIk PrfU0XNbhyK0gvmgGge7yMHf6TV7UfdfEoyYImMAPRWU1+wMeqlPbE6RyvZLyR8yOlOZ/crfBolli 2zEYXDt5eKsOhto/lSf7i16qLqoebg5wBXe1tBhdKNPV7y7ovmZ8qCAIwPNnGT2XuR8M=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Tue, 12 Mar 2024 17:22:21 +0000 commit 4ff3635be2766d3019e4d2aa830792dd503cef88 Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit f218daf6d3a3b847736d37c6a6b76031a0d08441) --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 2464f74548..703276f4aa 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -125,8 +125,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index fd0458be94..abe0804bf7 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -326,8 +326,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -362,6 +362,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -410,8 +412,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:22:32 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:22:32 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692062.1078959 (Exim 4.92) (envelope-from ) id 1rk5pg-0004Fx-Cj; Tue, 12 Mar 2024 17:22:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692062.1078959; Tue, 12 Mar 2024 17:22:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pg-0004Fp-9n; Tue, 12 Mar 2024 17:22:32 +0000 Received: by outflank-mailman (input) for mailman id 692062; Tue, 12 Mar 2024 17:22:31 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pf-0004Fg-R3 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:31 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pf-0007br-QB for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5pf-0001pP-PM for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ujy4QxitvLpRrFXAwdJZNdKVlLtKQNFaMuvwsuw7ym0=; b=ziIcBwd+eCL/9kZVP1RDgr2/zP WF9yjyFaqrIxqIHulGK3N44kk5phDT8GZhOVODOcStPlpvHN0Ue50+D0s/5I6y96Y3h8/ng4hxFMW YWOu42wnLs0Thc7yd4CozmEO4WZ0LzLSdPnnXRnpMPZihr9gDI0IdN7Ay5gcAuQ6avXk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Tue, 12 Mar 2024 17:22:31 +0000 commit 2ad38e116e9deb913dcd40d3803a93de5267731e Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 197ecd838a2aaf959a469df3696d4559c4f8b762) --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 6 +++--- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/asm-x86/irq.h | 1 + xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 41 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index 4d4d22b0e7..6c0923a42e 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -161,7 +161,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -180,9 +180,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index d6c073dc5c..cc635a4405 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -88,8 +88,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -139,8 +139,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == get_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -151,6 +151,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -164,8 +166,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -180,15 +182,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -321,7 +323,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index c1d2693683..f9a830fb20 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -34,7 +34,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index c94ea74b12..29e1e41eba 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -57,7 +57,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -323,8 +323,8 @@ static long evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc) return rc; } - -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 01e426c67f..60d8ca3ddf 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -397,7 +397,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -407,7 +407,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -444,7 +444,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 03ace41540..9e80ad4c74 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 8c07f033d3..3ac3eac54a 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -207,8 +207,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -220,10 +236,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 1bb265ceea..dc831efc79 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -240,7 +240,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool_t timer_lock(struct timer *timer) +static inline bool_t timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -254,7 +254,8 @@ static inline bool_t timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -267,8 +268,9 @@ static inline bool_t timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool_t __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 84d0d2fbab..034b36fc23 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/asm-x86/irq.h b/xen/include/asm-x86/irq.h index 7c825e9d9c..d4b2beda79 100644 --- a/xen/include/asm-x86/irq.h +++ b/xen/include/asm-x86/irq.h @@ -177,6 +177,7 @@ extern void irq_complete_move(struct irq_desc *); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index a0a85cdda8..cdfa3df6f9 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -105,12 +105,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index cd238ae852..5eb8287a31 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -144,8 +144,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool_t __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:22:42 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:22:42 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692063.1078962 (Exim 4.92) (envelope-from ) id 1rk5pq-0004Ig-Dg; Tue, 12 Mar 2024 17:22:42 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692063.1078962; Tue, 12 Mar 2024 17:22:42 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pq-0004IZ-BI; Tue, 12 Mar 2024 17:22:42 +0000 Received: by outflank-mailman (input) for mailman id 692063; Tue, 12 Mar 2024 17:22:41 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pp-0004IR-Ts for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:41 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pp-0007c1-T6 for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:41 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5pp-000213-SV for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:41 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VUvsC8epUTwb5D4l9voKjjWFp/aSxcYVGesYYlf1o2w=; b=hJBFXL+mOZrALn3TgWL+R2Zeg1 8yxPqRrJEG2GVYO6g57yDWSKIWrKBxxi26so46ZvEKvbGACzVrwgtT2dMHFcCK9idWFRrUz7tCZdG SyoHb5PCWpWmliHKYuSh0RPA1N3i4KBYfs0QDZmg5I2ATDXTzkNTeObBPhASifmxy5FI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Tue, 12 Mar 2024 17:22:41 +0000 commit 9c7cdd55dc05b9500792e3ea1ad4bf88470190ed Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 42a572a38e22a97d86a4b648a22597628d5b42e4) --- xen/arch/x86/mm.c | 6 ++++-- xen/include/asm-x86/mm.h | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 44ac8cae76..ad22543d1b 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2004,7 +2004,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2065,7 +2065,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2074,6 +2074,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h index cffd0d6425..917fbe29bb 100644 --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -393,7 +393,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 17:22:52 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 17:22:52 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692064.1078967 (Exim 4.92) (envelope-from ) id 1rk5q0-0004Lq-FA; Tue, 12 Mar 2024 17:22:52 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692064.1078967; Tue, 12 Mar 2024 17:22:52 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5q0-0004Lj-Ci; Tue, 12 Mar 2024 17:22:52 +0000 Received: by outflank-mailman (input) for mailman id 692064; Tue, 12 Mar 2024 17:22:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5q0-0004LZ-0f for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rk5pz-0007c9-WE for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rk5pz-0002GJ-VX for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 17:22:51 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CWZfoMxGRN+RHWxn5QhGgtnHrX1dJ1rj7PQH047dNZ4=; b=34ktVrWIuf7ofzUwtqa110jab7 tgSk1VXdumw2PpJqCiKxk8tR24ir3ER2NslH8AqdA5us1B3y1HVBhdC9M7WTPFkzo16ATGnpD/pCD /Kp4v4Pxp6+BqrC6JE9zErjjlTCUheHJJXCqBR/9Ajwt99S7XL7ztiVgqFV9vTS1QwPk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.15] x86: protect conditional lock taking from speculative execution Message-Id: Date: Tue, 12 Mar 2024 17:22:51 +0000 commit 0fb100a94d0127910fe1dfa253cb759f6bc11174 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 03cf7ca23e0e876075954c558485b267b7d02406) --- xen/arch/x86/mm.c | 37 +++++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 34 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index ad22543d1b..ffee1c6bd1 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -4978,8 +4978,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; clear_page(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_paddr(__pa(l3t), __PAGE_HYPERVISOR); @@ -5013,8 +5012,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) if ( !l2t ) return NULL; clear_page(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_paddr(__pa(l2t), __PAGE_HYPERVISOR)); @@ -5046,8 +5044,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) if ( !l1t ) return NULL; clear_page(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_paddr(__pa(l1t), __PAGE_HYPERVISOR)); @@ -5076,6 +5073,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5284,8 +5283,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5384,8 +5382,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5424,8 +5421,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5478,8 +5474,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5614,8 +5609,8 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_from_pfn(l3e_get_pfn(*pl3e) + (i << PAGETABLE_ORDER), l3e_get_flags(*pl3e))); - if ( locking ) - spin_lock(&map_pgdir_lock); + + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5671,8 +5666,8 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l1e_write(&l1t[i], l1e_from_pfn(l2e_get_pfn(*pl2e) + i, l2e_get_flags(*pl2e) & ~_PAGE_PSE)); - if ( locking ) - spin_lock(&map_pgdir_lock); + + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5714,8 +5709,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5760,8 +5754,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index cc635a4405..7eee233b4c 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -347,6 +347,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 107f6778a6..596928e083 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -509,9 +509,8 @@ mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn_l, return _mfn(gfn_l); } - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index efdb21ea90..8bffb3f4b6 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -216,6 +216,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.15 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 23:44:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 23:44:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692228.1079140 (Exim 4.92) (envelope-from ) id 1rkBmt-0000A6-40; Tue, 12 Mar 2024 23:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692228.1079140; Tue, 12 Mar 2024 23:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkBmt-00009v-1O; Tue, 12 Mar 2024 23:44:03 +0000 Received: by outflank-mailman (input) for mailman id 692228; Tue, 12 Mar 2024 23:44:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkBmr-00009p-RW for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 23:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkBmr-0006Zy-Qb for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 23:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkBmr-0003po-OC for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 23:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9lNyKqAUQQ6m6gd1h2gacr7fIS90EPH8aFnKZ7n5xb8=; b=15cUhTL0+nR+UfA1nAGDJsSWkc vfqHP2GeYuWZ9w2gQV+E2sBljUhGBO6pAIPyoIG1IZFgjZES6Td9j6ihAyzNGAzGHFF5Xn/uRK07o cTvIbiwVUymcT8XU8k5E0aXq1ydLBRhkN/Ks7MwGSoD9l557vVAtPye/xxaUINOIVA5s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] hvmloader/PCI: skip huge BARs in certain calculations Message-Id: Date: Tue, 12 Mar 2024 23:44:01 +0000 commit 1e9808227c10717228969e924cab49cad4af6265 Author: Jan Beulich AuthorDate: Tue Mar 12 12:08:48 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 12 12:08:48 2024 +0100 hvmloader/PCI: skip huge BARs in certain calculations BARs of size 2Gb and up can't possibly fit below 4Gb: Both the bottom of the lower 2Gb range and the top of the higher 2Gb range have special purpose. Don't even have them influence whether to (perhaps) relocate low RAM. Reported-by: Neowutran Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné master commit: 57acad12a09ffa490e870ebe17596aad858f0191 master date: 2024-03-06 10:19:29 +0100 --- tools/firmware/hvmloader/pci.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/tools/firmware/hvmloader/pci.c b/tools/firmware/hvmloader/pci.c index 257a6feb61..c3c61ca060 100644 --- a/tools/firmware/hvmloader/pci.c +++ b/tools/firmware/hvmloader/pci.c @@ -33,6 +33,13 @@ uint32_t pci_mem_start = HVM_BELOW_4G_MMIO_START; const uint32_t pci_mem_end = RESERVED_MEMBASE; uint64_t pci_hi_mem_start = 0, pci_hi_mem_end = 0; +/* + * BARs larger than this value are put in 64-bit space unconditionally. That + * is, such BARs also don't play into the determination of how big the lowmem + * MMIO hole needs to be. + */ +#define BAR_RELOC_THRESH GB(1) + enum virtual_vga virtual_vga = VGA_none; unsigned long igd_opregion_pgbase = 0; @@ -286,9 +293,11 @@ void pci_setup(void) bars[i].bar_reg = bar_reg; bars[i].bar_sz = bar_sz; - if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == - PCI_BASE_ADDRESS_SPACE_MEMORY) || - (bar_reg == PCI_ROM_ADDRESS) ) + if ( is_64bar && bar_sz > BAR_RELOC_THRESH ) + bar64_relocate = 1; + else if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == + PCI_BASE_ADDRESS_SPACE_MEMORY) || + (bar_reg == PCI_ROM_ADDRESS) ) mmio_total += bar_sz; nr_bars++; @@ -367,7 +376,7 @@ void pci_setup(void) pci_mem_start = hvm_info->low_mem_pgend << PAGE_SHIFT; } - if ( mmio_total > (pci_mem_end - pci_mem_start) ) + if ( mmio_total > (pci_mem_end - pci_mem_start) || bar64_relocate ) { printf("Low MMIO hole not large enough for all devices," " relocating some BARs to 64-bit\n"); @@ -430,7 +439,8 @@ void pci_setup(void) /* * Relocate to high memory if the total amount of MMIO needed - * is more than the low MMIO available. Because devices are + * is more than the low MMIO available or BARs bigger than + * BAR_RELOC_THRESH are present. Because devices are * processed in order of bar_sz, this will preferentially * relocate larger devices to high memory first. * @@ -446,8 +456,9 @@ void pci_setup(void) * the code here assumes it to be.) * Should either of those two conditions change, this code will break. */ - using_64bar = bars[i].is_64bar && bar64_relocate - && (mmio_total > (mem_resource.max - mem_resource.base)); + using_64bar = bars[i].is_64bar && bar64_relocate && + (mmio_total > (mem_resource.max - mem_resource.base) || + bar_sz > BAR_RELOC_THRESH); bar_data = pci_readl(devfn, bar_reg); if ( (bar_data & PCI_BASE_ADDRESS_SPACE) == @@ -467,7 +478,8 @@ void pci_setup(void) resource = &mem_resource; bar_data &= ~PCI_BASE_ADDRESS_MEM_MASK; } - mmio_total -= bar_sz; + if ( bar_sz <= BAR_RELOC_THRESH ) + mmio_total -= bar_sz; } else { -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Tue Mar 12 23:44:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 12 Mar 2024 23:44:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692229.1079143 (Exim 4.92) (envelope-from ) id 1rkBn3-0000CK-5K; Tue, 12 Mar 2024 23:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692229.1079143; Tue, 12 Mar 2024 23:44:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkBn3-0000CD-2q; Tue, 12 Mar 2024 23:44:13 +0000 Received: by outflank-mailman (input) for mailman id 692229; Tue, 12 Mar 2024 23:44:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkBn1-0000C5-VS for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 23:44:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkBn1-0006aL-Uk for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 23:44:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkBn1-0003qZ-Sq for xen-changelog@lists.xenproject.org; Tue, 12 Mar 2024 23:44:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Kiwokr0+GTf+i0qj8eP2HzqDtcC0X20ABRDH0KqgiYM=; b=7Fj58B73Ze9O+gJzMtjcSuJiY8 4+mkZO2J6jTkJTXWeNribrward3xeHwZkwagtTWaPLv1Jn+u82AvuIcDmoVv01tyVYrsnxeE3dRfl HgUckYsbnBhxN8Fj40534PPdxrSYHXkN/bZZX+62YCC7o/4CrdqyZR6iCSWaVldlSHIk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() Message-Id: Date: Tue, 12 Mar 2024 23:44:11 +0000 commit 1f94117bec55a7b934fed3dfd3529db624eb441f Author: Roger Pau Monné AuthorDate: Tue Mar 12 12:08:59 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 12 12:08:59 2024 +0100 x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() The current logic to detect when to switch to the next L1 table is incorrectly using l2_table_offset() in order to notice when the last entry on the current L1 table has been reached. It should instead use l1_table_offset() to check whether the index has wrapped to point to the first entry, and so the next L1 table should be used. Fixes: 8676092a0f16 ('x86/livepatch: Fix livepatch application when CET is active') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper master commit: 7c81558208de7858251b62f168a449be84305595 master date: 2024-03-11 11:09:42 +0000 --- xen/arch/x86/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index e884a6fdbd..330c4abcd1 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5963,7 +5963,7 @@ void init_or_livepatch modify_xen_mappings_lite( v += 1UL << L1_PAGETABLE_SHIFT; - if ( l2_table_offset(v) == 0 ) + if ( l1_table_offset(v) == 0 ) break; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 02:44:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 02:44:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692250.1079169 (Exim 4.92) (envelope-from ) id 1rkEb5-00030o-67; Wed, 13 Mar 2024 02:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692250.1079169; Wed, 13 Mar 2024 02:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkEb5-00030c-3D; Wed, 13 Mar 2024 02:44:03 +0000 Received: by outflank-mailman (input) for mailman id 692250; Wed, 13 Mar 2024 02:44:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkEb4-00030W-9j for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 02:44:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkEb4-0000cb-6U for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 02:44:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkEb4-0004fv-2X for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 02:44:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fsOaOerQQtCTw+fpdQj4NwdCNd2eMFDOOYInvPqmYIE=; b=Kv9duozfw3s6qZ8kYZokFVhMy1 DBftMwN0pP2ALJmWJpG4uK7TE8o3d/kIe6nmCOgROSBiHnv3TAcUNi3QJdxiYjkU0YiEgiPzb8X+E 2pbil/z5Pi9193jg0Rol7NUAMYkA2M6Z/dfZDHbnkjTkZFFeix7kbUnGA6mGlQYKpqHg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] hvmloader/PCI: skip huge BARs in certain calculations Message-Id: Date: Wed, 13 Mar 2024 02:44:02 +0000 commit 4c84fa6cb66fe66f2c5dad65208c497558ab7d17 Author: Jan Beulich AuthorDate: Tue Mar 12 12:06:57 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 12 12:06:57 2024 +0100 hvmloader/PCI: skip huge BARs in certain calculations BARs of size 2Gb and up can't possibly fit below 4Gb: Both the bottom of the lower 2Gb range and the top of the higher 2Gb range have special purpose. Don't even have them influence whether to (perhaps) relocate low RAM. Reported-by: Neowutran Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné master commit: 57acad12a09ffa490e870ebe17596aad858f0191 master date: 2024-03-06 10:19:29 +0100 --- tools/firmware/hvmloader/pci.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/tools/firmware/hvmloader/pci.c b/tools/firmware/hvmloader/pci.c index 257a6feb61..c3c61ca060 100644 --- a/tools/firmware/hvmloader/pci.c +++ b/tools/firmware/hvmloader/pci.c @@ -33,6 +33,13 @@ uint32_t pci_mem_start = HVM_BELOW_4G_MMIO_START; const uint32_t pci_mem_end = RESERVED_MEMBASE; uint64_t pci_hi_mem_start = 0, pci_hi_mem_end = 0; +/* + * BARs larger than this value are put in 64-bit space unconditionally. That + * is, such BARs also don't play into the determination of how big the lowmem + * MMIO hole needs to be. + */ +#define BAR_RELOC_THRESH GB(1) + enum virtual_vga virtual_vga = VGA_none; unsigned long igd_opregion_pgbase = 0; @@ -286,9 +293,11 @@ void pci_setup(void) bars[i].bar_reg = bar_reg; bars[i].bar_sz = bar_sz; - if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == - PCI_BASE_ADDRESS_SPACE_MEMORY) || - (bar_reg == PCI_ROM_ADDRESS) ) + if ( is_64bar && bar_sz > BAR_RELOC_THRESH ) + bar64_relocate = 1; + else if ( ((bar_data & PCI_BASE_ADDRESS_SPACE) == + PCI_BASE_ADDRESS_SPACE_MEMORY) || + (bar_reg == PCI_ROM_ADDRESS) ) mmio_total += bar_sz; nr_bars++; @@ -367,7 +376,7 @@ void pci_setup(void) pci_mem_start = hvm_info->low_mem_pgend << PAGE_SHIFT; } - if ( mmio_total > (pci_mem_end - pci_mem_start) ) + if ( mmio_total > (pci_mem_end - pci_mem_start) || bar64_relocate ) { printf("Low MMIO hole not large enough for all devices," " relocating some BARs to 64-bit\n"); @@ -430,7 +439,8 @@ void pci_setup(void) /* * Relocate to high memory if the total amount of MMIO needed - * is more than the low MMIO available. Because devices are + * is more than the low MMIO available or BARs bigger than + * BAR_RELOC_THRESH are present. Because devices are * processed in order of bar_sz, this will preferentially * relocate larger devices to high memory first. * @@ -446,8 +456,9 @@ void pci_setup(void) * the code here assumes it to be.) * Should either of those two conditions change, this code will break. */ - using_64bar = bars[i].is_64bar && bar64_relocate - && (mmio_total > (mem_resource.max - mem_resource.base)); + using_64bar = bars[i].is_64bar && bar64_relocate && + (mmio_total > (mem_resource.max - mem_resource.base) || + bar_sz > BAR_RELOC_THRESH); bar_data = pci_readl(devfn, bar_reg); if ( (bar_data & PCI_BASE_ADDRESS_SPACE) == @@ -467,7 +478,8 @@ void pci_setup(void) resource = &mem_resource; bar_data &= ~PCI_BASE_ADDRESS_MEM_MASK; } - mmio_total -= bar_sz; + if ( bar_sz <= BAR_RELOC_THRESH ) + mmio_total -= bar_sz; } else { -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 02:44:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 02:44:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692251.1079172 (Exim 4.92) (envelope-from ) id 1rkEbF-00032W-7P; Wed, 13 Mar 2024 02:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692251.1079172; Wed, 13 Mar 2024 02:44:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkEbF-00032O-4g; Wed, 13 Mar 2024 02:44:13 +0000 Received: by outflank-mailman (input) for mailman id 692251; Wed, 13 Mar 2024 02:44:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkEbE-00032E-AU for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 02:44:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkEbE-0000cy-9h for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 02:44:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkEbE-0004gm-8o for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 02:44:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wwTxmNCS1SEfSTT66sRkwcd7FYMhm2VKxB2WC5DDcNg=; b=DcN1JTe974hg9U93DJnc98rHFV 6LW/Hgv+GuRAuXf7Pjpgn3PZrR0mDWH8WdhaxcRo2pdeimN9JXrG/pw98pT1EW6mto36eTEkds1QS e5desVkBHUuSoUEWMTUsIXdwN8l6uKLLce/hAgy3rKaHjAz1HdehyNxlEg3rnm89G7kw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() Message-Id: Date: Wed, 13 Mar 2024 02:44:12 +0000 commit a96d2d4355d85fc82abd0a3799978db04ee8cff3 Author: Roger Pau Monné AuthorDate: Tue Mar 12 12:07:07 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 12 12:07:07 2024 +0100 x86/mm: fix detection of last L1 entry in modify_xen_mappings_lite() The current logic to detect when to switch to the next L1 table is incorrectly using l2_table_offset() in order to notice when the last entry on the current L1 table has been reached. It should instead use l1_table_offset() to check whether the index has wrapped to point to the first entry, and so the next L1 table should be used. Fixes: 8676092a0f16 ('x86/livepatch: Fix livepatch application when CET is active') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper master commit: 7c81558208de7858251b62f168a449be84305595 master date: 2024-03-11 11:09:42 +0000 --- xen/arch/x86/mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 39544bd9f9..ab0acbfea6 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5947,7 +5947,7 @@ void init_or_livepatch modify_xen_mappings_lite( v += 1UL << L1_PAGETABLE_SHIFT; - if ( l2_table_offset(v) == 0 ) + if ( l1_table_offset(v) == 0 ) break; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:55:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692307.1079270 (Exim 4.92) (envelope-from ) id 1rkLKB-0007hu-Hu; Wed, 13 Mar 2024 09:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692307.1079270; Wed, 13 Mar 2024 09:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKB-0007hm-F9; Wed, 13 Mar 2024 09:55:03 +0000 Received: by outflank-mailman (input) for mailman id 692307; Wed, 13 Mar 2024 09:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKA-0007hg-AU for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKA-0001MU-8r for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLKA-00035q-4R for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EkS962Ck4NfRl7hIC4Mnu7qMTuEk77ewRnhoLm81kF4=; b=XlmRVYCH/wIRg4BiSnXNEEvDoB 1xHuOkSMgg90QjRTbc57vVYbk0lVo/BVWq/eS/u2Pqq4xvpD8ofH0W8BwYnjkDo1tUcYIEhuggq9P 40jHtm5aa+3T7NCdtQhm/uDJ/PNqGXZpRdj0XNJsG5LdOSOad7q7OgODkcL6Vgj5yNTA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/entry: Introduce EFRAME_* constants Message-Id: Date: Wed, 13 Mar 2024 09:55:02 +0000 commit e7a37b9b2c86a17869a201955038d33f23f33b57 Author: Andrew Cooper AuthorDate: Sat Jan 27 17:52:09 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/entry: Introduce EFRAME_* constants restore_all_guest() does a lot of manipulation of the stack after popping the GPRs, and uses raw %rsp displacements to do so. Also, almost all entrypaths use raw %rsp displacements prior to pushing GPRs. Provide better mnemonics, to aid readability and reduce the chance of errors when editing. No functional change. The resulting binary is identical. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 37541208f119a9c552c6c6c3246ea61be0d44035) --- xen/arch/x86/x86_64/asm-offsets.c | 17 ++++++++++ xen/arch/x86/x86_64/compat/entry.S | 4 +-- xen/arch/x86/x86_64/entry.S | 68 +++++++++++++++++++------------------- 3 files changed, 53 insertions(+), 36 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 6dbf3bf697..9d105161db 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -51,6 +51,23 @@ void __dummy__(void) OFFSET(UREGS_kernel_sizeof, struct cpu_user_regs, es); BLANK(); + /* + * EFRAME_* is for the entry/exit logic where %rsp is pointing at + * UREGS_error_code and GPRs are still/already guest values. + */ +#define OFFSET_EF(sym, mem) \ + DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ + offsetof(struct cpu_user_regs, error_code)) + + OFFSET_EF(EFRAME_entry_vector, entry_vector); + OFFSET_EF(EFRAME_rip, rip); + OFFSET_EF(EFRAME_cs, cs); + OFFSET_EF(EFRAME_eflags, eflags); + OFFSET_EF(EFRAME_rsp, rsp); + BLANK(); + +#undef OFFSET_EF + OFFSET(VCPU_processor, struct vcpu, processor); OFFSET(VCPU_domain, struct vcpu, domain); OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index cde7702b4c..20603ec4af 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -17,7 +17,7 @@ ENTRY(entry_int82) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $HYPERCALL_VECTOR, 4(%rsp) + movl $HYPERCALL_VECTOR, EFRAME_entry_vector(%rsp) SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -214,7 +214,7 @@ ENTRY(cstar_enter) pushq $FLAT_USER_CS32 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index a086349841..fe052d2792 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -190,15 +190,15 @@ restore_all_guest: SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL - testw $TRAP_syscall,4(%rsp) + testw $TRAP_syscall, EFRAME_entry_vector(%rsp) jz iret_exit_to_guest - movq 24(%rsp),%r11 # RFLAGS + mov EFRAME_eflags(%rsp), %r11 andq $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), %r11 orq $X86_EFLAGS_IF,%r11 /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx + mov EFRAME_rip(%rsp), %rcx sarq $47,%rcx incl %ecx cmpl $1,%ecx @@ -213,20 +213,20 @@ restore_all_guest: ALTERNATIVE "", rag_clrssbsy, X86_FEATURE_XEN_SHSTK #endif - movq 8(%rsp), %rcx # RIP - cmpw $FLAT_USER_CS32,16(%rsp)# CS - movq 32(%rsp),%rsp # RSP + mov EFRAME_rip(%rsp), %rcx + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) + mov EFRAME_rsp(%rsp), %rsp je 1f sysretq 1: sysretl ALIGN .Lrestore_rcx_iret_exit_to_guest: - movq 8(%rsp), %rcx # RIP + mov EFRAME_rip(%rsp), %rcx /* No special register assumptions. */ iret_exit_to_guest: - andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), 24(%rsp) - orl $X86_EFLAGS_IF,24(%rsp) + andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) + orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -257,7 +257,7 @@ ENTRY(lstar_enter) pushq $FLAT_KERNEL_CS64 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -295,7 +295,7 @@ GLOBAL(sysenter_eflags_saved) pushq $3 /* ring 3 null cs */ pushq $0 /* null rip */ pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -347,7 +347,7 @@ ENTRY(int80_direct_trap) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $0x80, 4(%rsp) + movl $0x80, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -650,7 +650,7 @@ ENTRY(common_interrupt) ENTRY(page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) /* No special register assumptions. */ GLOBAL(handle_exception) ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP @@ -790,90 +790,90 @@ FATAL_exception_with_ints_disabled: ENTRY(divide_error) ENDBR64 pushq $0 - movl $TRAP_divide_error,4(%rsp) + movl $TRAP_divide_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_copro_error,4(%rsp) + movl $TRAP_copro_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(simd_coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_simd_error,4(%rsp) + movl $TRAP_simd_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(device_not_available) ENDBR64 pushq $0 - movl $TRAP_no_device,4(%rsp) + movl $TRAP_no_device, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(debug) ENDBR64 pushq $0 - movl $TRAP_debug,4(%rsp) + movl $TRAP_debug, EFRAME_entry_vector(%rsp) jmp handle_ist_exception ENTRY(int3) ENDBR64 pushq $0 - movl $TRAP_int3,4(%rsp) + movl $TRAP_int3, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(overflow) ENDBR64 pushq $0 - movl $TRAP_overflow,4(%rsp) + movl $TRAP_overflow, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(bounds) ENDBR64 pushq $0 - movl $TRAP_bounds,4(%rsp) + movl $TRAP_bounds, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_op) ENDBR64 pushq $0 - movl $TRAP_invalid_op,4(%rsp) + movl $TRAP_invalid_op, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_TSS) ENDBR64 - movl $TRAP_invalid_tss,4(%rsp) + movl $TRAP_invalid_tss, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(segment_not_present) ENDBR64 - movl $TRAP_no_segment,4(%rsp) + movl $TRAP_no_segment, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(stack_segment) ENDBR64 - movl $TRAP_stack_error,4(%rsp) + movl $TRAP_stack_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(general_protection) ENDBR64 - movl $TRAP_gp_fault,4(%rsp) + movl $TRAP_gp_fault, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(alignment_check) ENDBR64 - movl $TRAP_alignment_check,4(%rsp) + movl $TRAP_alignment_check, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_CP) ENDBR64 - movl $X86_EXC_CP, 4(%rsp) + movl $X86_EXC_CP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(double_fault) ENDBR64 - movl $TRAP_double_fault,4(%rsp) + movl $TRAP_double_fault, EFRAME_entry_vector(%rsp) /* Set AC to reduce chance of further SMAP faults */ ALTERNATIVE "", stac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -899,7 +899,7 @@ ENTRY(double_fault) .pushsection .init.text, "ax", @progbits ENTRY(early_page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) SAVE_ALL movq %rsp,%rdi call do_early_page_fault @@ -909,7 +909,7 @@ ENTRY(early_page_fault) ENTRY(nmi) ENDBR64 pushq $0 - movl $TRAP_nmi,4(%rsp) + movl $TRAP_nmi, EFRAME_entry_vector(%rsp) handle_ist_exception: ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1011,7 +1011,7 @@ handle_ist_exception: ENTRY(machine_check) ENDBR64 pushq $0 - movl $TRAP_machine_check,4(%rsp) + movl $TRAP_machine_check, EFRAME_entry_vector(%rsp) jmp handle_ist_exception /* No op trap handler. Required for kexec crash path. */ @@ -1048,7 +1048,7 @@ autogen_stubs: /* Automatically generated stubs. */ 1: ENDBR64 pushq $0 - movb $vec,4(%rsp) + movb $vec, EFRAME_entry_vector(%rsp) jmp common_interrupt entrypoint 1b @@ -1062,7 +1062,7 @@ autogen_stubs: /* Automatically generated stubs. */ test $8,%spl /* 64bit exception frames are 16 byte aligned, but the word */ jz 2f /* size is 8 bytes. Check whether the processor gave us an */ pushq $0 /* error code, and insert an empty one if not. */ -2: movb $vec,4(%rsp) +2: movb $vec, EFRAME_entry_vector(%rsp) jmp handle_exception entrypoint 1b -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:55:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692308.1079273 (Exim 4.92) (envelope-from ) id 1rkLKL-0007jv-MH; Wed, 13 Mar 2024 09:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692308.1079273; Wed, 13 Mar 2024 09:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKL-0007jo-Ji; Wed, 13 Mar 2024 09:55:13 +0000 Received: by outflank-mailman (input) for mailman id 692308; Wed, 13 Mar 2024 09:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKK-0007jY-I5 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKK-0001MY-FU for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLKK-00036N-B2 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uwPW2hAxvfVga0yv9eRnTtI8B52/UEFONpI22fCBA8g=; b=lANcgRNR5OhOEbu7hz9NO6AW2g QfocFeMw6w1/U07rKKjpRe8Uajrxx79kkNc3+R4Jo5p2qBN3zAX193iG+EqEGgIXcLBXRurGa6PLd zhbeZgZ+sQ5JGiP0IP13Qy04KN2NnnHWb9POSBMeBselFn9TuGRMcLCIJjPLkiZH46Gk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Wed, 13 Mar 2024 09:55:12 +0000 commit d50d8d769e4840c68a94c966a9f4ced344c98584 Author: Andrew Cooper AuthorDate: Thu Feb 29 11:26:40 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné (cherry picked from commit de17162cafd27f2865a3102a2ec0f386a02ed03d) --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/include/asm-x86/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 792724db6f..c6cd91db0a 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -434,6 +434,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -468,6 +478,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index ecdc7d9b71..3b116c6dd3 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -137,6 +137,7 @@ #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index e434fc9bae..b4f68a59b8 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -273,7 +273,7 @@ XEN_CPUFEATURE(AVX512_4VNNIW, 9*32+ 2) /*A AVX512 Neural Network Instructions * XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single Precision */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*a SERIALIZE insn */ @@ -322,7 +322,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:55:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692309.1079277 (Exim 4.92) (envelope-from ) id 1rkLKV-0007mP-Nv; Wed, 13 Mar 2024 09:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692309.1079277; Wed, 13 Mar 2024 09:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKV-0007mH-LB; Wed, 13 Mar 2024 09:55:23 +0000 Received: by outflank-mailman (input) for mailman id 692309; Wed, 13 Mar 2024 09:55:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKU-0007m2-JU for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKU-0001N2-If for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLKU-00036w-Hf for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LYMQlUyEqYWtJo9B7toFsJ3xZh8wCg/4STUv6URIFvs=; b=S1/L3E0pIcT8/cjTfVI2zlgJJQ XAwREzyQ2vBu3FUvtwcX2D4dhrScc1EyqseyPLqQogUE6IVIREf0TSJvPXt7n3nYBNVxAEOBQIgjp HqtnkKY0THUiGCVz3XDmIheMH6CgiL9d5nctohyAra4Uku0HoFqcfDOD8RB8u3rMQGmE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Wed, 13 Mar 2024 09:55:22 +0000 commit eeed8a8ef62af7136b2cee0da00eb00c90d2fec0 Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f) --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++++++---- xen/arch/x86/x86_64/asm-offsets.c | 1 + xen/include/asm-x86/asm_defns.h | 8 ++++++++ xen/include/asm-x86/spec_ctrl_asm.h | 7 +++++++ 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index 5f5de45a13..cdde76e138 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 9d105161db..eb4a619891 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -133,6 +133,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defns.h index d480a4461b..4ab54f41cf 100644 --- a/xen/include/asm-x86/asm_defns.h +++ b/xen/include/asm-x86/asm_defns.h @@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ +.macro BUILD_BUG_ON condstr, cond:vararg + .if \cond + .error "Condition \"\condstr\" not satisfied" + .endif +.endm +/* preprocessor macro to make error message more user friendly */ +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond + #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ .ifndef .L.tag; \ diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h index c47399dbf2..b5e5669436 100644 --- a/xen/include/asm-x86/spec_ctrl_asm.h +++ b/xen/include/asm-x86/spec_ctrl_asm.h @@ -164,6 +164,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:55:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:55:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692310.1079281 (Exim 4.92) (envelope-from ) id 1rkLKf-0007pd-PR; Wed, 13 Mar 2024 09:55:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692310.1079281; Wed, 13 Mar 2024 09:55:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKf-0007pV-Mi; Wed, 13 Mar 2024 09:55:33 +0000 Received: by outflank-mailman (input) for mailman id 692310; Wed, 13 Mar 2024 09:55:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKe-0007p8-MW for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKe-0001NB-Lj for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLKe-00037R-Ks for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GtYAhgGbPlm1fVukjPSN1UHixKXjsMz/9MYwW/NT+Ic=; b=FfkHmqaNqgVLRhkyA6Y15b0S0z 3BcWAdjDHSgqIW2rgq5opDYtU1YqGWv/DVV/pLHWWQ/VEZBWbnffDh9qMIdwkQfiUjB9BMI2yzLwP pn1SKzI1ldMa49Xw9nkuIzf7fLq3yRr36US24F1SXHYpX5Fw5CQj+iJT50e64kQMAVh8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Wed, 13 Mar 2024 09:55:32 +0000 commit d636a6d1d4325f1b448ea7613bce909ccf99420b Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7) --- xen/arch/x86/x86_64/asm-offsets.c | 13 +++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++++- xen/include/asm-x86/spec_ctrl_asm.h | 36 ++++++++++++++++++++++++------------ 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index eb4a619891..e3a38ae967 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -134,6 +142,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 20603ec4af..becc7f1bb2 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -165,6 +165,12 @@ ENTRY(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8 compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index fe052d2792..d855d4d1d7 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -214,6 +214,9 @@ restore_all_guest: #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -227,6 +230,9 @@ restore_all_guest: iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -613,9 +619,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq ENTRY(common_interrupt) diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h index b5e5669436..9650a3aca7 100644 --- a/xen/include/asm-x86/spec_ctrl_asm.h +++ b/xen/include/asm-x86/spec_ctrl_asm.h @@ -171,16 +171,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -298,8 +305,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -379,7 +384,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -407,11 +412,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:55:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:55:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692311.1079285 (Exim 4.92) (envelope-from ) id 1rkLKp-0007sc-Qa; Wed, 13 Mar 2024 09:55:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692311.1079285; Wed, 13 Mar 2024 09:55:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKp-0007sV-OB; Wed, 13 Mar 2024 09:55:43 +0000 Received: by outflank-mailman (input) for mailman id 692311; Wed, 13 Mar 2024 09:55:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKo-0007sK-Qf for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKo-0001NO-Ps for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLKo-00037v-O5 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=oTW1kwhPPuh5E/6bk4w4zaKrmpV1CzxT5TeZtpgOv1M=; b=v4/LQuGGfCkvEd97pc7WFfQlNF ylB7zBq5s85551m3ombzgsJyk0+BCkDhdSmRrjkYE5bsK9I+elG32NesGFH0gsPksqnOMlnueOiKC Jda80QPSamoN56VjCyyEM8jICFQYi17mIj1VPMjLRBPudADBmWd73BlpYdsdEudYF9ik=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Wed, 13 Mar 2024 09:55:42 +0000 commit a8f99b49075ea30e5a074eb0579609a4ea0a44a3 Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit f7603ca252e4226739eb3129a5290ee3da3f8ea4) --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index f3d1009f2d..d020d79dde 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2186,7 +2186,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2211,7 +2211,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2228,11 +2228,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index f75124117b..43449b4c7a 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -37,8 +37,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static bool __initdata opt_rsb_pv = true; static bool __initdata opt_rsb_hvm = true; -static int8_t __read_mostly opt_md_clear_pv = -1; -static int8_t __read_mostly opt_md_clear_hvm = -1; +static int8_t __read_mostly opt_verw_pv = -1; +static int8_t __read_mostly opt_verw_hvm = -1; static int8_t __read_mostly opt_ibpb_entry_pv = -1; static int8_t __read_mostly opt_ibpb_entry_hvm = -1; @@ -77,7 +77,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __read_mostly opt_fb_clear_mmio; +static bool __read_mostly opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -119,8 +119,8 @@ static int __init parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -151,14 +151,14 @@ static int __init parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -203,21 +203,22 @@ static int __init parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -512,8 +513,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -533,11 +534,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -546,11 +547,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1450,8 +1451,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1765,19 +1766,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1790,12 +1792,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:55:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:55:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692312.1079290 (Exim 4.92) (envelope-from ) id 1rkLKz-0007vu-Tm; Wed, 13 Mar 2024 09:55:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692312.1079290; Wed, 13 Mar 2024 09:55:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKz-0007vm-R3; Wed, 13 Mar 2024 09:55:53 +0000 Received: by outflank-mailman (input) for mailman id 692312; Wed, 13 Mar 2024 09:55:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKy-0007va-Uj for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLKy-0001NZ-Ty for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLKy-00038e-SM for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:55:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mmDxhaPpvl2NkuF/dudM0N0AH4bdWhF8mjNz1E4xXAY=; b=e6DH6TSlNENT6Zfb0Ig0auUqE0 C++x8gunpVOOGE55WBYbS/u3jbxhHaUJKwiQDS/Y44FGhR9ER0o19Q0Kk8kN9xkyDUFudZIojZzbw DJ1QWEPFZGSbWlfjrZ3aC+lUDDikPfw2yqY4OBWSj1WqFkpfc+6oFWfE7iwHPq4hYgmg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Wed, 13 Mar 2024 09:55:52 +0000 commit 7c69a025f141ada31f5bd1b1a3e35eacd9543e45 Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2) --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 43449b4c7a..84a382781b 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1467,7 +1467,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1754,50 +1754,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:56:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:56:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692313.1079294 (Exim 4.92) (envelope-from ) id 1rkLL9-0007ye-VJ; Wed, 13 Mar 2024 09:56:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692313.1079294; Wed, 13 Mar 2024 09:56:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLL9-0007yX-Sh; Wed, 13 Mar 2024 09:56:03 +0000 Received: by outflank-mailman (input) for mailman id 692313; Wed, 13 Mar 2024 09:56:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLL9-0007yO-1f for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLL9-0001Nt-0u for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLL9-00039l-02 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QAlg5y/L0P5mfix8F+IK6Cka0pkEqKRB+gPg8Zdy43E=; b=c+G0q6NLsOneBNMj9raoDszt7j ZCTn8X3uKLXnpQQv0ErKDWtcOrp6uiy3vGXSE182vOv6opYcLLduSknJ18UtKHWXK1rhQA9Jgqt/n IUaWbn4U+f4Pjp73+rNVXMFpsQlzZ2f91tmod8nKHvbRMfKkBosNtrpv1+RXRo3xltBA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Wed, 13 Mar 2024 09:56:03 +0000 commit a8c4726320e89ffa68d60d423ab88e1829b7b535 Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:44 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit fb5b6f6744713410c74cfc12b7176c108e3c9a31) --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++-- xen/include/asm-x86/cpufeature.h | 3 + xen/include/asm-x86/msr-index.h | 2 + xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 110 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index 860ef07352..3faf1e4304 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -169,7 +169,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -224,7 +224,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index c6cd91db0a..c98b8fc93a 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -443,6 +443,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -492,6 +493,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 84a382781b..dd86b89bb1 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -432,7 +432,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -448,6 +448,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -458,7 +459,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -476,6 +477,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1295,6 +1297,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case 0x97: /* INTEL_FAM6_ALDERLAKE */ + case 0xB7: /* INTEL_FAM6_RAPTORLAKE */ + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + /* fallthrough */ + case 0x9A: /* INTEL_FAM6_ALDERLAKE_L */ + case 0xBA: /* INTEL_FAM6_RAPTORLAKE_P */ + case 0xBF: /* INTEL_FAM6_RAPTORLAKE_S */ + + case 0x5C: /* INTEL_FAM6_ATOM_GOLDMONT */ /* Apollo Lake */ + case 0x5F: /* INTEL_FAM6_ATOM_GOLDMONT_D */ /* Denverton */ + case 0x7A: /* INTEL_FAM6_ATOM_GOLDMONT_PLUS */ /* Gemini Lake */ + case 0x86: /* INTEL_FAM6_ATOM_TREMONT_D */ /* Snow Ridge / Parker Ridge */ + case 0x96: /* INTEL_FAM6_ATOM_TREMONT */ /* Elkhart Lake */ + case 0x9C: /* INTEL_FAM6_ATOM_TREMONT_L */ /* Jasper Lake */ + case 0xBE: /* INTEL_FAM6_ATOM_GRACEMONT */ /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1759,6 +1838,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1788,8 +1868,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1821,15 +1905,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1843,7 +1931,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index 3b116c6dd3..892af11384 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -141,6 +141,7 @@ #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) /* CPUID level 0x00000007:1.eax */ @@ -160,6 +161,8 @@ #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h index 8b3ad575db..17abfa0e4a 100644 --- a/xen/include/asm-x86/msr-index.h +++ b/xen/include/asm-x86/msr-index.h @@ -70,6 +70,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index b4f68a59b8..e027a31d67 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -277,6 +277,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*a SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */ @@ -331,6 +332,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:56:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:56:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692314.1079298 (Exim 4.92) (envelope-from ) id 1rkLLK-00080w-0l; Wed, 13 Mar 2024 09:56:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692314.1079298; Wed, 13 Mar 2024 09:56:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLJ-00080p-UF; Wed, 13 Mar 2024 09:56:13 +0000 Received: by outflank-mailman (input) for mailman id 692314; Wed, 13 Mar 2024 09:56:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLJ-00080j-4m for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLJ-0001O2-45 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLLJ-0003AI-3O for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KsQxNM/a1a1xL+dIqh4fnfz2kfTsFu1LsNq5te4+xp0=; b=UIV8ptnI+JnRJNER6wtTRULJJw 6+1Uj5YU7TkM/GOBR9O/5I0PdwOWUrabh0G4jwjsFsN77rAqcc8ec9n525QUg6ngxOoPZKkkODpNz LqIzpYL0Ja5jaNecSqmWOZnO8gqUJyiMyJKEGdMe+xY+74e4D6NoCJp5dRIObL1/Spgg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/paging: Delete update_cr3()'s do_locking parameter Message-Id: Date: Wed, 13 Mar 2024 09:56:13 +0000 commit 8fe0b51384b45aef6cfd9c77be2b949f4d30384a Author: Andrew Cooper AuthorDate: Wed Sep 20 20:06:53 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 x86/paging: Delete update_cr3()'s do_locking parameter Nicola reports that the XSA-438 fix introduced new MISRA violations because of some incidental tidying it tried to do. The parameter is useless, so resolve the MISRA regression by removing it. hap_update_cr3() discards the parameter entirely, while sh_update_cr3() uses it to distinguish internal and external callers and therefore whether the paging lock should be taken. However, we have paging_lock_recursive() for this purpose, which also avoids the ability for the shadow internal callers to accidentally not hold the lock. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Reported-by: Nicola Vetrini Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-acked-by: Henry Wang (cherry picked from commit e71157d1ac2a7fbf413130663cf0a93ff9fbcf7e) --- xen/arch/x86/mm/hap/hap.c | 4 ++-- xen/arch/x86/mm/shadow/common.c | 2 +- xen/arch/x86/mm/shadow/multi.c | 17 ++++++++--------- xen/arch/x86/mm/shadow/none.c | 2 +- xen/include/asm-x86/paging.h | 5 ++--- 5 files changed, 14 insertions(+), 16 deletions(-) diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index fa479d3d97..63c29da696 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -728,7 +728,7 @@ static bool_t hap_invlpg(struct vcpu *v, unsigned long linear) return 1; } -static pagetable_t hap_update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t hap_update_cr3(struct vcpu *v, bool noflush) { v->arch.hvm.hw_cr[3] = v->arch.hvm.guest_cr[3]; hvm_update_guest_cr3(v, noflush); @@ -818,7 +818,7 @@ static void hap_update_paging_modes(struct vcpu *v) } /* CR3 is effectively updated by a mode change. Flush ASIDs, etc. */ - hap_update_cr3(v, 0, false); + hap_update_cr3(v, false); unlock: paging_unlock(d); diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index 04ceca4a52..364d74f595 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -2630,7 +2630,7 @@ static void sh_update_paging_modes(struct vcpu *v) } #endif /* OOS */ - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); } void shadow_update_paging_modes(struct vcpu *v) diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index 35d47d6fbb..5f73bba41b 100644 --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -2884,7 +2884,7 @@ static int sh_page_fault(struct vcpu *v, * In any case, in the PAE case, the ASSERT is not true; it can * happen because of actions the guest is taking. */ #if GUEST_PAGING_LEVELS == 3 - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); #else ASSERT(d->is_shutting_down); #endif @@ -3604,17 +3604,13 @@ sh_detach_old_tables(struct vcpu *v) } } -static pagetable_t -sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t sh_update_cr3(struct vcpu *v, bool noflush) /* Updates vcpu->arch.cr3 after the guest has changed CR3. * Paravirtual guests should set v->arch.guest_table (and guest_table_user, * if appropriate). * HVM guests should also make sure hvm_get_guest_cntl_reg(v, 3) works; * this function will call hvm_update_guest_cr(v, 3) to tell them where the * shadow tables are. - * If do_locking != 0, assume we are being called from outside the - * shadow code, and must take and release the paging lock; otherwise - * that is the caller's responsibility. */ { struct domain *d = v->domain; @@ -3632,7 +3628,11 @@ sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) return old_entry; } - if ( do_locking ) paging_lock(v->domain); + /* + * This is used externally (with the paging lock not taken) and internally + * by the shadow code (with the lock already taken). + */ + paging_lock_recursive(v->domain); #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC) /* Need to resync all the shadow entries on a TLB flush. Resync @@ -3870,8 +3870,7 @@ sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) shadow_sync_other_vcpus(v); #endif - /* Release the lock, if we took it (otherwise it's the caller's problem) */ - if ( do_locking ) paging_unlock(v->domain); + paging_unlock(v->domain); return old_entry; } diff --git a/xen/arch/x86/mm/shadow/none.c b/xen/arch/x86/mm/shadow/none.c index 9b9c03ce7e..f80a2ba0f3 100644 --- a/xen/arch/x86/mm/shadow/none.c +++ b/xen/arch/x86/mm/shadow/none.c @@ -50,7 +50,7 @@ static unsigned long _gva_to_gfn(struct vcpu *v, struct p2m_domain *p2m, return gfn_x(INVALID_GFN); } -static pagetable_t _update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t _update_cr3(struct vcpu *v, bool noflush) { ASSERT_UNREACHABLE(); return pagetable_null(); diff --git a/xen/include/asm-x86/paging.h b/xen/include/asm-x86/paging.h index 5bcdbf93a7..3ad8aab471 100644 --- a/xen/include/asm-x86/paging.h +++ b/xen/include/asm-x86/paging.h @@ -136,8 +136,7 @@ struct paging_mode { unsigned long cr3, paddr_t ga, uint32_t *pfec, unsigned int *page_order); - pagetable_t (*update_cr3 )(struct vcpu *v, bool do_locking, - bool noflush); + pagetable_t (*update_cr3 )(struct vcpu *v, bool noflush); void (*update_paging_modes )(struct vcpu *v); bool (*flush_tlb )(bool (*flush_vcpu)(void *ctxt, struct vcpu *v), @@ -311,7 +310,7 @@ static inline unsigned long paging_ga_to_gfn_cr3(struct vcpu *v, * as the value to load into the host CR3 to schedule this vcpu */ static inline pagetable_t paging_update_cr3(struct vcpu *v, bool noflush) { - return paging_get_hostmode(v)->update_cr3(v, 1, noflush); + return paging_get_hostmode(v)->update_cr3(v, noflush); } /* Update all the things that are derived from the guest's CR0/CR3/CR4. -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:56:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:56:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692315.1079303 (Exim 4.92) (envelope-from ) id 1rkLLU-00084I-5T; Wed, 13 Mar 2024 09:56:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692315.1079303; Wed, 13 Mar 2024 09:56:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLU-00084A-1b; Wed, 13 Mar 2024 09:56:24 +0000 Received: by outflank-mailman (input) for mailman id 692315; Wed, 13 Mar 2024 09:56:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLT-000841-7m for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLT-0001OV-6u for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLLT-0003Aj-6A for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CGqiQlY5rp3KRPAOMYtMPk6gk4xQWyXuEGy9YApXrO0=; b=IGY8yAwEOWPKxmqpFZvZCLOhhc oH6u/Xg0tWyRrDrKGvanmGWea/c6sfzmWiB2VP+44M+6aiGcuodKy1KywI1iMgzfYMTPNFW65dj7W Z72yw/+0w4Zw8r3wVOlgZVVz/KbpVgUInaTiIcOu/bdrvgOua4tG7U1m65b7Z9wDkZXU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Wed, 13 Mar 2024 09:56:23 +0000 commit feb60def6680f1a1dbddd32d4f1733b4f7aea549 Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit c4f427ec879e7c0df6d44d02561e8bee838a293e) --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 667f9dac83..7fc8a8898a 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -80,8 +80,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 16979a117c..d857298011 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:56:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:56:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692316.1079305 (Exim 4.92) (envelope-from ) id 1rkLLe-00087J-5T; Wed, 13 Mar 2024 09:56:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692316.1079305; Wed, 13 Mar 2024 09:56:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLe-00087C-30; Wed, 13 Mar 2024 09:56:34 +0000 Received: by outflank-mailman (input) for mailman id 692316; Wed, 13 Mar 2024 09:56:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLd-000873-Ap for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLd-0001Oc-AB for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLLd-0003BI-9O for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=UfiXqlhOS9SqgSTRLb0L8nTnvziFzNMgputcQ57GNmA=; b=1mcfegT3WP2cklyviQfJBzfjdz JIpUiiHxFJ04MLPlMfjgr76msOsWEBweDnEV7xDfg4rZUEs1f8QMWn6SI7K6pbydCAwLtkPd+BfgX WkAP9QOZ/O9n7WKQ/eLo1gyCifyoAg7i46xMkkDE3oRBIG+Sne7ZasFn8RWcEY2UJTlo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Wed, 13 Mar 2024 09:56:33 +0000 commit 1b2cc8f9c09696b34d9d985525afa8010a8daa90 Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 7ef0084418e188d05f338c3e028fbbe8b6924afa) --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++++--- xen/common/Kconfig | 17 +++++++++++++++++ xen/include/asm-x86/cpufeatures.h | 2 +- xen/include/asm-x86/nospec.h | 26 ++++++++++++++++++++++++++ xen/include/xen/nospec.h | 15 +++++++++++++++ xen/include/xen/spinlock.h | 37 +++++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index d020d79dde..5e63e3d822 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2189,7 +2189,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2314,6 +2314,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index dd86b89bb1..b24c36c99e 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -63,6 +63,7 @@ int8_t __read_mostly opt_ibpb_ctxt_switch = -1; int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; bool __read_mostly opt_branch_harden = true; +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -131,6 +132,7 @@ static int __init parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -282,6 +284,16 @@ static int __init parse_spec_ctrl(const char *s) opt_l1d_flush = val; else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 ) opt_branch_harden = val; + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -481,18 +493,22 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ - if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : @@ -518,7 +534,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1816,6 +1833,9 @@ void __init init_speculation_mitigations(void) if ( opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index eb953d171e..aa18d423b2 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -129,6 +129,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config HYPFS diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h index d993e06e4c..24a182d37f 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 - unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_BRANCH_HARDEN, X86_SYNTH(15)) /* Conditional Branch Hardening */ diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index f6eb84eee5..e38f56cbe8 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -27,6 +27,32 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4552846403 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -70,6 +70,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 9fa4e600c1..efdb21ea90 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include #include @@ -189,13 +190,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -203,7 +221,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -224,8 +242,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:56:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:56:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692317.1079310 (Exim 4.92) (envelope-from ) id 1rkLLo-00089z-7N; Wed, 13 Mar 2024 09:56:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692317.1079310; Wed, 13 Mar 2024 09:56:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLo-00089r-4X; Wed, 13 Mar 2024 09:56:44 +0000 Received: by outflank-mailman (input) for mailman id 692317; Wed, 13 Mar 2024 09:56:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLn-00089h-Dh for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLn-0001QL-D4 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLLn-0003Bl-CG for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yo2qSY+OrTArv+Ejah/VaSM8PTzM1TmOxubi/rUW0dk=; b=xVViJNzex+JOAJzTYWiXYtrdSE sWdTExH2LrGu0WJRO2r64t2Co4ZXRxaubLGBsDPIXyrfG3Y/vl0eAUoxhudf6ZkJVdBEY2zD4kZcH VkrWjHv1adLKFmryW8n7lnpnVaUaVSo91zdP8s5yf2qsrneBrveuO7Dx9SSrOZth79fQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Wed, 13 Mar 2024 09:56:43 +0000 commit 05b47a40c0e1522e9d7f52969c5936e39e163fb6 Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit a1fb15f61692b1fa9945fc51f55471ace49cdd59) --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index dadab372b5..2464f74548 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -64,8 +67,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 0cc9167715..fd0458be94 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -247,27 +247,49 @@ static inline int _rw_is_write_locked(rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:56:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:56:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692318.1079313 (Exim 4.92) (envelope-from ) id 1rkLLz-0008Cu-8U; Wed, 13 Mar 2024 09:56:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692318.1079313; Wed, 13 Mar 2024 09:56:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLz-0008Cn-64; Wed, 13 Mar 2024 09:56:55 +0000 Received: by outflank-mailman (input) for mailman id 692318; Wed, 13 Mar 2024 09:56:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLx-0008CS-GS for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLLx-0001QY-Fj for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLLx-0003CJ-F5 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:56:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tBDQFH8sZx6peVePskSYIdxWmPUV1U5aVMXB3ObLHVQ=; b=QS/w2kwdXifuFQpFOIkEpNF9wf refXe0rwpQVaNjauGNKcTwdjytOLB2yUvVsgMbaZArViTldTSIK6cMQ3QjDiSH8+8XnoYVh5KQfR1 BJ9DxszSvOa9JFAxanfevPIxcM5QhzaOhbxuPZJepF+L0NthxBVbIVVq0UaXc6hHzf6s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Wed, 13 Mar 2024 09:56:53 +0000 commit 4ff3635be2766d3019e4d2aa830792dd503cef88 Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit f218daf6d3a3b847736d37c6a6b76031a0d08441) --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 2464f74548..703276f4aa 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -125,8 +125,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index fd0458be94..abe0804bf7 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -326,8 +326,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -362,6 +362,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -410,8 +412,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:57:05 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:57:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692319.1079318 (Exim 4.92) (envelope-from ) id 1rkLM9-0008GF-BY; Wed, 13 Mar 2024 09:57:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692319.1079318; Wed, 13 Mar 2024 09:57:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLM9-0008G7-8l; Wed, 13 Mar 2024 09:57:05 +0000 Received: by outflank-mailman (input) for mailman id 692319; Wed, 13 Mar 2024 09:57:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLM7-0008Fs-Js for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:57:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLM7-0001Qv-J4 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:57:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLM7-0003DN-IQ for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:57:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SpwfzASJDICkFLHC9g403Ho7ZJ5U/+Bc6LWCwgC+NIM=; b=Bs8owaxUcyvblnGN7PwfxrsxVt wtni/Epm5k7gYUtcwsn2xlwTOE12opySN3rpuEEADH7zFxTohl5osaLH9ubO5uguw0YpRQp3Cx8m8 7Veoygu/x1UQG3OCRKAoE8L/KF2x/e2PiUivU6I43KnzzDrI4+VZXCtRObdKklUH46Rs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Wed, 13 Mar 2024 09:57:03 +0000 commit 2ad38e116e9deb913dcd40d3803a93de5267731e Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 197ecd838a2aaf959a469df3696d4559c4f8b762) --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 6 +++--- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/asm-x86/irq.h | 1 + xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 41 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index 4d4d22b0e7..6c0923a42e 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -161,7 +161,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -180,9 +180,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index d6c073dc5c..cc635a4405 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -88,8 +88,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -139,8 +139,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == get_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -151,6 +151,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -164,8 +166,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -180,15 +182,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -321,7 +323,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index c1d2693683..f9a830fb20 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -34,7 +34,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index c94ea74b12..29e1e41eba 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -57,7 +57,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -323,8 +323,8 @@ static long evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc) return rc; } - -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 01e426c67f..60d8ca3ddf 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -397,7 +397,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -407,7 +407,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -444,7 +444,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 03ace41540..9e80ad4c74 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 8c07f033d3..3ac3eac54a 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -207,8 +207,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -220,10 +236,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 1bb265ceea..dc831efc79 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -240,7 +240,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool_t timer_lock(struct timer *timer) +static inline bool_t timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -254,7 +254,8 @@ static inline bool_t timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -267,8 +268,9 @@ static inline bool_t timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool_t __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 84d0d2fbab..034b36fc23 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/asm-x86/irq.h b/xen/include/asm-x86/irq.h index 7c825e9d9c..d4b2beda79 100644 --- a/xen/include/asm-x86/irq.h +++ b/xen/include/asm-x86/irq.h @@ -177,6 +177,7 @@ extern void irq_complete_move(struct irq_desc *); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index a0a85cdda8..cdfa3df6f9 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -105,12 +105,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index cd238ae852..5eb8287a31 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -144,8 +144,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool_t __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:57:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:57:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692320.1079322 (Exim 4.92) (envelope-from ) id 1rkLMJ-0008Iq-Ci; Wed, 13 Mar 2024 09:57:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692320.1079322; Wed, 13 Mar 2024 09:57:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLMJ-0008Ii-AB; Wed, 13 Mar 2024 09:57:15 +0000 Received: by outflank-mailman (input) for mailman id 692320; Wed, 13 Mar 2024 09:57:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLMH-0008Ia-Mp for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:57:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLMH-0001R3-MA for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:57:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLMH-0003Fe-LR for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:57:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=aCxxgi4vWBID6ht34rqa4ADq81AN+aNKcJzsbwtYenI=; b=yVf4NtOLqoFKUz2BFCVZbp8K5k PS3msAKhzSJi0Cj/bg4/5I/VwcInaP+o11l1nyrfEMqbMwespHzRuAGglYuIWAayOV2sLZuHGS3ZV i2Z3zj9L3Ae1m6UZJPqDeMECXQiDPxxzHIfqJ3+ncqh8JUz1qkzE3+5fpM9db+qug1QI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Wed, 13 Mar 2024 09:57:13 +0000 commit 9c7cdd55dc05b9500792e3ea1ad4bf88470190ed Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 42a572a38e22a97d86a4b648a22597628d5b42e4) --- xen/arch/x86/mm.c | 6 ++++-- xen/include/asm-x86/mm.h | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 44ac8cae76..ad22543d1b 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2004,7 +2004,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2065,7 +2065,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2074,6 +2074,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h index cffd0d6425..917fbe29bb 100644 --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -393,7 +393,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 09:57:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 09:57:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692321.1079325 (Exim 4.92) (envelope-from ) id 1rkLMT-0008Ld-ED; Wed, 13 Mar 2024 09:57:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692321.1079325; Wed, 13 Mar 2024 09:57:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLMT-0008LV-BZ; Wed, 13 Mar 2024 09:57:25 +0000 Received: by outflank-mailman (input) for mailman id 692321; Wed, 13 Mar 2024 09:57:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLMR-0008LJ-QB for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:57:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkLMR-0001RS-PT for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:57:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkLMR-0003GC-Og for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 09:57:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7Mh1yZNcyKKAxNnUsU38MOUOHiYp47rr7EL9uKDX8vU=; b=5Bxqrr71HwfDiBWLxRngqRfwfN LNg6ZYXfOefobnytgGvvZDBHMtYOQjJ3q6SfJQFq98Q35E7HDfnybXGEnQPo34i+oB5o4k7u7Hble lgIxt53eBQ2Am2Njf9nDL5vFEMlqZUOoH1Ry5Kaavpq3p0htMi6qXEDhMcyogUdxdbLE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.15] x86: protect conditional lock taking from speculative execution Message-Id: Date: Wed, 13 Mar 2024 09:57:23 +0000 commit 0fb100a94d0127910fe1dfa253cb759f6bc11174 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:37:45 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 03cf7ca23e0e876075954c558485b267b7d02406) --- xen/arch/x86/mm.c | 37 +++++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 34 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index ad22543d1b..ffee1c6bd1 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -4978,8 +4978,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; clear_page(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_paddr(__pa(l3t), __PAGE_HYPERVISOR); @@ -5013,8 +5012,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) if ( !l2t ) return NULL; clear_page(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_paddr(__pa(l2t), __PAGE_HYPERVISOR)); @@ -5046,8 +5044,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) if ( !l1t ) return NULL; clear_page(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_paddr(__pa(l1t), __PAGE_HYPERVISOR)); @@ -5076,6 +5073,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5284,8 +5283,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5384,8 +5382,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5424,8 +5421,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5478,8 +5474,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5614,8 +5609,8 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_from_pfn(l3e_get_pfn(*pl3e) + (i << PAGETABLE_ORDER), l3e_get_flags(*pl3e))); - if ( locking ) - spin_lock(&map_pgdir_lock); + + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5671,8 +5666,8 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l1e_write(&l1t[i], l1e_from_pfn(l2e_get_pfn(*pl2e) + i, l2e_get_flags(*pl2e) & ~_PAGE_PSE)); - if ( locking ) - spin_lock(&map_pgdir_lock); + + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5714,8 +5709,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5760,8 +5754,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index cc635a4405..7eee233b4c 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -347,6 +347,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 107f6778a6..596928e083 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -509,9 +509,8 @@ mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn_l, return _mfn(gfn_l); } - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index efdb21ea90..8bffb3f4b6 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -216,6 +216,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.15 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:11:08 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:11:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692372.1079390 (Exim 4.92) (envelope-from ) id 1rkNRn-0001fj-Aj; Wed, 13 Mar 2024 12:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692372.1079390; Wed, 13 Mar 2024 12:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNRn-0001fc-8D; Wed, 13 Mar 2024 12:11:03 +0000 Received: by outflank-mailman (input) for mailman id 692372; Wed, 13 Mar 2024 12:11:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNRm-0001fW-9m for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNRm-00048D-6L for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNRm-00028i-1p for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QxZaiUHX+EjU6w9rT1qMM92kH3MwGGYXFB3DfjKQnME=; b=yDAef7aKpYKNYfcUW2mp2Gt8I5 SryKGHalG/qXurCVSedKpkbHkq9+WdVwGQTkm5TwRA6rbnnyzDUJAcb6v5FKp9yW2+qp6Pkx8EYX2 6gY9y81SPNaXQduyiKV4nsDY9ZHb7HsfCyBKLi4iiCpQGEFRWRL8Bgk4eT4I1B3fBSg4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/entry: Introduce EFRAME_* constants Message-Id: Date: Wed, 13 Mar 2024 12:11:02 +0000 commit 91dbe4f238f022945d850c01a76232cb44dedd31 Author: Andrew Cooper AuthorDate: Sat Jan 27 17:52:09 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 8 18:59:44 2024 +0000 x86/entry: Introduce EFRAME_* constants restore_all_guest() does a lot of manipulation of the stack after popping the GPRs, and uses raw %rsp displacements to do so. Also, almost all entrypaths use raw %rsp displacements prior to pushing GPRs. Provide better mnemonics, to aid readability and reduce the chance of errors when editing. No functional change. The resulting binary is identical. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 37541208f119a9c552c6c6c3246ea61be0d44035) --- xen/arch/x86/x86_64/asm-offsets.c | 17 +++++++++ xen/arch/x86/x86_64/compat/entry.S | 2 +- xen/arch/x86/x86_64/entry.S | 70 +++++++++++++++++++------------------- 3 files changed, 53 insertions(+), 36 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 287dac101a..31fa63b77f 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -51,6 +51,23 @@ void __dummy__(void) OFFSET(UREGS_kernel_sizeof, struct cpu_user_regs, es); BLANK(); + /* + * EFRAME_* is for the entry/exit logic where %rsp is pointing at + * UREGS_error_code and GPRs are still/already guest values. + */ +#define OFFSET_EF(sym, mem) \ + DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ + offsetof(struct cpu_user_regs, error_code)) + + OFFSET_EF(EFRAME_entry_vector, entry_vector); + OFFSET_EF(EFRAME_rip, rip); + OFFSET_EF(EFRAME_cs, cs); + OFFSET_EF(EFRAME_eflags, eflags); + OFFSET_EF(EFRAME_rsp, rsp); + BLANK(); + +#undef OFFSET_EF + OFFSET(VCPU_processor, struct vcpu, processor); OFFSET(VCPU_domain, struct vcpu, domain); OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 253bb1688c..7c211314d8 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -15,7 +15,7 @@ ENTRY(entry_int82) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $HYPERCALL_VECTOR, 4(%rsp) + movl $HYPERCALL_VECTOR, EFRAME_entry_vector(%rsp) SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 837a31b405..10f11986d8 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -190,15 +190,15 @@ restore_all_guest: SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL - testw $TRAP_syscall,4(%rsp) + testw $TRAP_syscall, EFRAME_entry_vector(%rsp) jz iret_exit_to_guest - movq 24(%rsp),%r11 # RFLAGS + mov EFRAME_eflags(%rsp), %r11 andq $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), %r11 orq $X86_EFLAGS_IF,%r11 /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx + mov EFRAME_rip(%rsp), %rcx sarq $47,%rcx incl %ecx cmpl $1,%ecx @@ -213,20 +213,20 @@ restore_all_guest: ALTERNATIVE "", rag_clrssbsy, X86_FEATURE_XEN_SHSTK #endif - movq 8(%rsp), %rcx # RIP - cmpw $FLAT_USER_CS32,16(%rsp)# CS - movq 32(%rsp),%rsp # RSP + mov EFRAME_rip(%rsp), %rcx + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) + mov EFRAME_rsp(%rsp), %rsp je 1f sysretq 1: sysretl ALIGN .Lrestore_rcx_iret_exit_to_guest: - movq 8(%rsp), %rcx # RIP + mov EFRAME_rip(%rsp), %rcx /* No special register assumptions. */ iret_exit_to_guest: - andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), 24(%rsp) - orl $X86_EFLAGS_IF,24(%rsp) + andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) + orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -257,7 +257,7 @@ ENTRY(lstar_enter) pushq $FLAT_KERNEL_CS64 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -294,7 +294,7 @@ ENTRY(cstar_enter) pushq $FLAT_USER_CS32 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -335,7 +335,7 @@ GLOBAL(sysenter_eflags_saved) pushq $3 /* ring 3 null cs */ pushq $0 /* null rip */ pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -389,7 +389,7 @@ ENTRY(int80_direct_trap) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $0x80, 4(%rsp) + movl $0x80, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -707,7 +707,7 @@ ENTRY(common_interrupt) ENTRY(page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) /* No special register assumptions. */ GLOBAL(handle_exception) ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP @@ -849,90 +849,90 @@ FATAL_exception_with_ints_disabled: ENTRY(divide_error) ENDBR64 pushq $0 - movl $TRAP_divide_error,4(%rsp) + movl $TRAP_divide_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_copro_error,4(%rsp) + movl $TRAP_copro_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(simd_coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_simd_error,4(%rsp) + movl $TRAP_simd_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(device_not_available) ENDBR64 pushq $0 - movl $TRAP_no_device,4(%rsp) + movl $TRAP_no_device, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(debug) ENDBR64 pushq $0 - movl $TRAP_debug,4(%rsp) + movl $TRAP_debug, EFRAME_entry_vector(%rsp) jmp handle_ist_exception ENTRY(int3) ENDBR64 pushq $0 - movl $TRAP_int3,4(%rsp) + movl $TRAP_int3, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(overflow) ENDBR64 pushq $0 - movl $TRAP_overflow,4(%rsp) + movl $TRAP_overflow, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(bounds) ENDBR64 pushq $0 - movl $TRAP_bounds,4(%rsp) + movl $TRAP_bounds, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_op) ENDBR64 pushq $0 - movl $TRAP_invalid_op,4(%rsp) + movl $TRAP_invalid_op, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_TSS) ENDBR64 - movl $TRAP_invalid_tss,4(%rsp) + movl $TRAP_invalid_tss, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(segment_not_present) ENDBR64 - movl $TRAP_no_segment,4(%rsp) + movl $TRAP_no_segment, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(stack_segment) ENDBR64 - movl $TRAP_stack_error,4(%rsp) + movl $TRAP_stack_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(general_protection) ENDBR64 - movl $TRAP_gp_fault,4(%rsp) + movl $TRAP_gp_fault, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(alignment_check) ENDBR64 - movl $TRAP_alignment_check,4(%rsp) + movl $TRAP_alignment_check, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_CP) ENDBR64 - movl $X86_EXC_CP, 4(%rsp) + movl $X86_EXC_CP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(double_fault) ENDBR64 - movl $TRAP_double_fault,4(%rsp) + movl $TRAP_double_fault, EFRAME_entry_vector(%rsp) /* Set AC to reduce chance of further SMAP faults */ ALTERNATIVE "", stac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -958,7 +958,7 @@ ENTRY(double_fault) .pushsection .init.text, "ax", @progbits ENTRY(early_page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) SAVE_ALL movq %rsp,%rdi call do_early_page_fault @@ -968,7 +968,7 @@ ENTRY(early_page_fault) ENTRY(nmi) ENDBR64 pushq $0 - movl $TRAP_nmi,4(%rsp) + movl $TRAP_nmi, EFRAME_entry_vector(%rsp) handle_ist_exception: ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1075,7 +1075,7 @@ handle_ist_exception: ENTRY(machine_check) ENDBR64 pushq $0 - movl $TRAP_machine_check,4(%rsp) + movl $TRAP_machine_check, EFRAME_entry_vector(%rsp) jmp handle_ist_exception /* No op trap handler. Required for kexec crash path. */ @@ -1112,7 +1112,7 @@ autogen_stubs: /* Automatically generated stubs. */ 1: ENDBR64 pushq $0 - movb $vec,4(%rsp) + movb $vec, EFRAME_entry_vector(%rsp) jmp common_interrupt entrypoint 1b @@ -1126,7 +1126,7 @@ autogen_stubs: /* Automatically generated stubs. */ test $8,%spl /* 64bit exception frames are 16 byte aligned, but the word */ jz 2f /* size is 8 bytes. Check whether the processor gave us an */ pushq $0 /* error code, and insert an empty one if not. */ -2: movb $vec,4(%rsp) +2: movb $vec, EFRAME_entry_vector(%rsp) jmp handle_exception entrypoint 1b -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:11:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692373.1079393 (Exim 4.92) (envelope-from ) id 1rkNRx-0001hP-CB; Wed, 13 Mar 2024 12:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692373.1079393; Wed, 13 Mar 2024 12:11:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNRx-0001hI-9l; Wed, 13 Mar 2024 12:11:13 +0000 Received: by outflank-mailman (input) for mailman id 692373; Wed, 13 Mar 2024 12:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNRw-0001hA-HT for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNRw-00048M-Er for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNRw-00029R-8a for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=wOyM5MiclZL2FduEBQScJQsU8XjwW/kryy5IYVyaqVg=; b=xth00OkRZYybgJAX5vdqcmNonC MmdetMWhz7mV7/t8xNZkbbIes9zlW1SUBuCRBqbcXl9WncBBnZg7WO42LHOBo2U2+7+Qe1GvaA/JU RUCXDJieKBuyJtXQNaMb5A98smX5Iy0szo449dTwDch1iEq15H3/om7PPXJCBN7MtH0o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/cpu-policy: Allow for levelling of VERW side effects Message-Id: Date: Wed, 13 Mar 2024 12:11:12 +0000 commit 4d2baf9e4c6c308381373d4ad61e6a828c5a20bc Author: Andrew Cooper AuthorDate: Thu Feb 29 11:26:40 2024 +0000 Commit: Andrew Cooper CommitDate: Fri Mar 8 18:59:44 2024 +0000 x86/cpu-policy: Allow for levelling of VERW side effects MD_CLEAR and FB_CLEAR need OR-ing across a migrate pool. Allow this, by having them unconditinally set in max, with the host values reflected in default. Annotate the bits as having special properies. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné (cherry picked from commit de17162cafd27f2865a3102a2ec0f386a02ed03d) --- xen/arch/x86/cpu-policy.c | 24 ++++++++++++++++++++++++ xen/include/asm-x86/cpufeature.h | 1 + xen/include/public/arch-x86/cpufeatureset.h | 4 ++-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index f38063b667..34f778dbaf 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -434,6 +434,16 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) __set_bit(X86_FEATURE_RSBA, fs); __set_bit(X86_FEATURE_RRSBA, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. With pooling, they mean "you might migrate + * somewhere where scrubbing is necessary", and may need exposing on + * unaffected hardware. This is fine, because the VERW instruction + * has been around since the 286. + */ + __set_bit(X86_FEATURE_MD_CLEAR, fs); + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. @@ -468,6 +478,20 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) cpu_has_rdrand && !is_forced_cpu_cap(X86_FEATURE_RDRAND) ) __clear_bit(X86_FEATURE_RDRAND, fs); + /* + * These bits indicate that the VERW instruction may have gained + * scrubbing side effects. The max policy has them set for migration + * reasons, so reset the default policy back to the host values in + * case we're unaffected. + */ + __clear_bit(X86_FEATURE_MD_CLEAR, fs); + if ( cpu_has_md_clear ) + __set_bit(X86_FEATURE_MD_CLEAR, fs); + + __clear_bit(X86_FEATURE_FB_CLEAR, fs); + if ( cpu_has_fb_clear ) + __set_bit(X86_FEATURE_FB_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index 1ac3d3a1f9..81ac4d76ee 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -134,6 +134,7 @@ #define cpu_has_avx512_4fmaps boot_cpu_has(X86_FEATURE_AVX512_4FMAPS) #define cpu_has_avx512_vp2intersect boot_cpu_has(X86_FEATURE_AVX512_VP2INTERSECT) #define cpu_has_srbds_ctrl boot_cpu_has(X86_FEATURE_SRBDS_CTRL) +#define cpu_has_md_clear boot_cpu_has(X86_FEATURE_MD_CLEAR) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 0ee1d1d903..2906eaa6c2 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -275,7 +275,7 @@ XEN_CPUFEATURE(AVX512_4FMAPS, 9*32+ 3) /*A AVX512 Multiply Accumulation Single XEN_CPUFEATURE(FSRM, 9*32+ 4) /*A Fast Short REP MOVS */ XEN_CPUFEATURE(AVX512_VP2INTERSECT, 9*32+8) /*a VP2INTERSECT{D,Q} insns */ XEN_CPUFEATURE(SRBDS_CTRL, 9*32+ 9) /* MSR_MCU_OPT_CTRL and RNGDS_MITG_DIS. */ -XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*A VERW clears microarchitectural buffers */ +XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffers */ XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*a SERIALIZE insn */ @@ -329,7 +329,7 @@ XEN_CPUFEATURE(DOITM, 16*32+12) /* Data Operand Invariant Timing XEN_CPUFEATURE(SBDR_SSDP_NO, 16*32+13) /*A No Shared Buffer Data Read or Sideband Stale Data Propagation */ XEN_CPUFEATURE(FBSDP_NO, 16*32+14) /*A No Fill Buffer Stale Data Propagation */ XEN_CPUFEATURE(PSDP_NO, 16*32+15) /*A No Primary Stale Data Propagation */ -XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*A Fill Buffers cleared by VERW */ +XEN_CPUFEATURE(FB_CLEAR, 16*32+17) /*!A Fill Buffers cleared by VERW */ XEN_CPUFEATURE(FB_CLEAR_CTRL, 16*32+18) /* MSR_OPT_CPU_CTRL.FB_CLEAR_DIS */ XEN_CPUFEATURE(RRSBA, 16*32+19) /*! Restricted RSB Alternative */ XEN_CPUFEATURE(BHI_NO, 16*32+20) /*A No Branch History Injection */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:11:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:11:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692374.1079397 (Exim 4.92) (envelope-from ) id 1rkNS7-0001jj-Df; Wed, 13 Mar 2024 12:11:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692374.1079397; Wed, 13 Mar 2024 12:11:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNS7-0001je-BB; Wed, 13 Mar 2024 12:11:23 +0000 Received: by outflank-mailman (input) for mailman id 692374; Wed, 13 Mar 2024 12:11:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNS6-0001jV-Iq for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNS6-00048n-Hz for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNS6-00029q-H2 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1Sg1rKikpKum7I/vKSNbaQjim1hNHF6e9iVeOI1Mb4Q=; b=02dfDENbpSaqxbsqMNBqfGwWve w09IEX57Yoa103xno9FefwnTbr3GOnzQZH33pHLnI7hAakjMhby5Oi+7TeV93sYPEGjiFdXvb7acn zZznUiSMk8LoxqFyGfef0/cWa5Y33s/CuGM9Wsnc5HGpODL28KitCS8lWDewOQ2ZpUGg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Wed, 13 Mar 2024 12:11:22 +0000 commit 3bf73a02cb770682587c1c7e3c254ddb18e7b261 Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:15:35 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f) --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++++++---- xen/arch/x86/x86_64/asm-offsets.c | 1 + xen/include/asm-x86/asm_defns.h | 8 ++++++++ xen/include/asm-x86/spec_ctrl_asm.h | 7 +++++++ 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index 5f5de45a13..cdde76e138 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 31fa63b77f..a4e94d6930 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -135,6 +135,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defns.h index d9431180cf..abc6822b08 100644 --- a/xen/include/asm-x86/asm_defns.h +++ b/xen/include/asm-x86/asm_defns.h @@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ +.macro BUILD_BUG_ON condstr, cond:vararg + .if \cond + .error "Condition \"\condstr\" not satisfied" + .endif +.endm +/* preprocessor macro to make error message more user friendly */ +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond + #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ .ifndef .L.tag; \ diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h index 0e69971f66..e807ff6d1d 100644 --- a/xen/include/asm-x86/spec_ctrl_asm.h +++ b/xen/include/asm-x86/spec_ctrl_asm.h @@ -169,6 +169,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:11:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:11:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692375.1079402 (Exim 4.92) (envelope-from ) id 1rkNSH-0001mW-Fy; Wed, 13 Mar 2024 12:11:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692375.1079402; Wed, 13 Mar 2024 12:11:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSH-0001mO-Ch; Wed, 13 Mar 2024 12:11:33 +0000 Received: by outflank-mailman (input) for mailman id 692375; Wed, 13 Mar 2024 12:11:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSG-0001mE-Mj for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSG-00048u-Lz for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNSG-0002AP-KF for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=neIYuB1pzSKBW0vLvzOgxUeEwT0JXUNCJM0TnQK4ucs=; b=rd48Is1rG9qCDQgAWslo9QDKGJ CODBibs/sdyeLtndFF2DEejNKloZPOpp7QxIiox5fv9UpyFs/kJP8SriGO2QlBcpEe97H/GaLPk6f Zqx6KO0Ed6YTUFXyOJsX/jsJyvVmp0diLCB+oMdwZItSqF/GFVkai1hxGAyBieRKqBxA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Wed, 13 Mar 2024 12:11:32 +0000 commit 92e7aab34337aa6b68a506861992822c079ee175 Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:15:35 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7) --- xen/arch/x86/x86_64/asm-offsets.c | 13 +++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++++- xen/include/asm-x86/spec_ctrl_asm.h | 36 ++++++++++++++++++++++++------------ 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index a4e94d6930..4cd5938d7b 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -136,6 +144,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 7c211314d8..3b2fbcd873 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -161,6 +161,12 @@ ENTRY(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8 compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 10f11986d8..9b1fa9ed19 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -214,6 +214,9 @@ restore_all_guest: #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -227,6 +230,9 @@ restore_all_guest: iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -670,9 +676,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq ENTRY(common_interrupt) diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h index e807ff6d1d..6e7725c11f 100644 --- a/xen/include/asm-x86/spec_ctrl_asm.h +++ b/xen/include/asm-x86/spec_ctrl_asm.h @@ -176,16 +176,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -303,8 +310,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -384,7 +389,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -412,11 +417,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:11:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:11:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692376.1079406 (Exim 4.92) (envelope-from ) id 1rkNSS-0001pz-J0; Wed, 13 Mar 2024 12:11:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692376.1079406; Wed, 13 Mar 2024 12:11:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSS-0001pr-GF; Wed, 13 Mar 2024 12:11:44 +0000 Received: by outflank-mailman (input) for mailman id 692376; Wed, 13 Mar 2024 12:11:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSQ-0001pY-VT for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSQ-0004Ad-R8 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNSQ-0002As-OY for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=/971EheDS0gLbVN7jFcYw6s8btJ+cP/lz88Dx0dxcNc=; b=P2z+KhrVlw4OldY4fY/yf3OuNG dyMH15sVI1N9uBsPchxKa4Y2YOXNuUlABLpnYgigkJPaGb1zV2/mIJyny3l9ksd1lscVuS/tCBytn pYDPmUnXn0SkicwIazJlq7lNU9wdN0Qdy+w4+GaAHYFEiemC1GgsX7hXNEX0A5Zkf4gU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Wed, 13 Mar 2024 12:11:42 +0000 commit a7ae8dbd8f4518b3d56d41d32931587b9027bc7b Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:17:47 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit f7603ca252e4226739eb3129a5290ee3da3f8ea4) --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index a7a1362bac..029002fa82 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2260,7 +2260,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2285,7 +2285,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2302,11 +2302,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen and on idle. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 6e82a126a3..292b5b1c7b 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -37,8 +37,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static int8_t __initdata opt_rsb_pv = -1; static bool __initdata opt_rsb_hvm = true; -static int8_t __read_mostly opt_md_clear_pv = -1; -static int8_t __read_mostly opt_md_clear_hvm = -1; +static int8_t __read_mostly opt_verw_pv = -1; +static int8_t __read_mostly opt_verw_hvm = -1; static int8_t __read_mostly opt_ibpb_entry_pv = -1; static int8_t __read_mostly opt_ibpb_entry_hvm = -1; @@ -77,7 +77,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __read_mostly opt_fb_clear_mmio; +static bool __read_mostly opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -119,8 +119,8 @@ static int __init parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -151,14 +151,14 @@ static int __init parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -203,21 +203,22 @@ static int __init parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -512,8 +513,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -533,11 +534,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -546,11 +547,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1479,8 +1480,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1838,19 +1839,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1863,12 +1865,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:11:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:11:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692377.1079410 (Exim 4.92) (envelope-from ) id 1rkNSc-0001sm-L5; Wed, 13 Mar 2024 12:11:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692377.1079410; Wed, 13 Mar 2024 12:11:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSc-0001se-Hk; Wed, 13 Mar 2024 12:11:54 +0000 Received: by outflank-mailman (input) for mailman id 692377; Wed, 13 Mar 2024 12:11:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSa-0001sU-V5 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSa-0004Ao-UH for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNSa-0002BH-TN for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:11:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jqu8sg7kQfCUppr1l+cUrTSsgcNiQ0sYmelDEulCs0U=; b=s1fCK0iUk2OV8wzoA6XRE96veP APJKRDYvx/eEc9UHnbi8UbVSARPzmXwqLYPMvn38JFNTo6mGSnKUKC6vVdeFsJ09eaHD5XhAtfRk5 Ok4AWV94VmzVcqNygIVa8DyjX8otEKk3lhv8S7jTP/tC6svor+eIBbx7Wejnk3PqOvxE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Wed, 13 Mar 2024 12:11:52 +0000 commit 638b6b21702ebf5a028a166261e4353d3028c7bd Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:17:48 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2) --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 292b5b1c7b..2e80e08716 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1496,7 +1496,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1827,50 +1827,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:12:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:12:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692378.1079414 (Exim 4.92) (envelope-from ) id 1rkNSm-0001vM-Md; Wed, 13 Mar 2024 12:12:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692378.1079414; Wed, 13 Mar 2024 12:12:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSm-0001vE-JI; Wed, 13 Mar 2024 12:12:04 +0000 Received: by outflank-mailman (input) for mailman id 692378; Wed, 13 Mar 2024 12:12:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSl-0001uy-23 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSl-0004BC-1D for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNSl-0002CN-0N for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VzvNIw8Y0+x7qFzJUcI9Ky1zDVfQQmX2Dd9+mVKDfgE=; b=hJWPE4uDW5uRIee4gFzL6Gvpab Zxlnh5PinTex2Ri50kn7RnS5l/Tw6xNQHiWbSDbyl5nsT/E71Gq3HrN191QwoxOL4qKcAhQaxwKuc iFcc+AxVsPPRHV/klHc17fOsqUAp9DP29cfbdkmrqAGGYFZRyl/kyatbFDyj5Vb5MqTE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Wed, 13 Mar 2024 12:12:03 +0000 commit 762cd5423635a8f0f69eb71ce10c5a62c47247ac Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:21:06 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit fb5b6f6744713410c74cfc12b7176c108e3c9a31) --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++-- xen/include/asm-x86/cpufeature.h | 3 + xen/include/asm-x86/msr-index.h | 2 + xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 110 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index c55a6e7678..0c792679e5 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -170,7 +170,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -230,7 +230,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 34f778dbaf..c872afda3e 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -443,6 +443,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -492,6 +493,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 2e80e08716..24bf98a018 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -432,7 +432,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -448,6 +448,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -458,7 +459,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -476,6 +477,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1324,6 +1326,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case 0x97: /* INTEL_FAM6_ALDERLAKE */ + case 0xB7: /* INTEL_FAM6_RAPTORLAKE */ + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + /* fallthrough */ + case 0x9A: /* INTEL_FAM6_ALDERLAKE_L */ + case 0xBA: /* INTEL_FAM6_RAPTORLAKE_P */ + case 0xBF: /* INTEL_FAM6_RAPTORLAKE_S */ + + case 0x5C: /* INTEL_FAM6_ATOM_GOLDMONT */ /* Apollo Lake */ + case 0x5F: /* INTEL_FAM6_ATOM_GOLDMONT_D */ /* Denverton */ + case 0x7A: /* INTEL_FAM6_ATOM_GOLDMONT_PLUS */ /* Gemini Lake */ + case 0x86: /* INTEL_FAM6_ATOM_TREMONT_D */ /* Snow Ridge / Parker Ridge */ + case 0x96: /* INTEL_FAM6_ATOM_TREMONT */ /* Elkhart Lake */ + case 0x9C: /* INTEL_FAM6_ATOM_TREMONT_L */ /* Jasper Lake */ + case 0xBE: /* INTEL_FAM6_ATOM_GRACEMONT */ /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1832,6 +1911,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1861,8 +1941,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1894,15 +1978,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1916,7 +2004,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/asm-x86/cpufeature.h b/xen/include/asm-x86/cpufeature.h index 81ac4d76ee..1869732bcb 100644 --- a/xen/include/asm-x86/cpufeature.h +++ b/xen/include/asm-x86/cpufeature.h @@ -138,6 +138,7 @@ #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) /* CPUID level 0x00000007:1.eax */ @@ -157,6 +158,8 @@ #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/include/asm-x86/msr-index.h b/xen/include/asm-x86/msr-index.h index 8251b8258b..eb6295d8a7 100644 --- a/xen/include/asm-x86/msr-index.h +++ b/xen/include/asm-x86/msr-index.h @@ -77,6 +77,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 2906eaa6c2..7a9d8d05d3 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -279,6 +279,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*a SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(IBRSB, 9*32+26) /*A IBRS and IBPB support (used by Intel) */ @@ -338,6 +339,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:12:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:12:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692379.1079418 (Exim 4.92) (envelope-from ) id 1rkNSw-0001z2-Pd; Wed, 13 Mar 2024 12:12:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692379.1079418; Wed, 13 Mar 2024 12:12:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSw-0001yu-N1; Wed, 13 Mar 2024 12:12:14 +0000 Received: by outflank-mailman (input) for mailman id 692379; Wed, 13 Mar 2024 12:12:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSv-0001yV-5H for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNSv-0004BM-4U for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNSv-0002Dd-3h for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RCE8qLkapdalnFcCSVF2nh/QmFHoZLw4Ni5PQrzKjUw=; b=rA0WruEIPriQ9dBo+W/FIC+EMc m61kHRiXcImmBPvKVLobvHyJyLk7mU7X4vu25r3xMZK3dZY5C3q2/xx3dTk3eLlXJzIP4nTqNQjBH fo5Tlbtdm7rYq6MNXrG07T+/3J4BSLHBx3ZO6PF7qW9qid7lAuE6ZmgYpKQANzJO8hxE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/paging: Delete update_cr3()'s do_locking parameter Message-Id: Date: Wed, 13 Mar 2024 12:12:13 +0000 commit ac20165f11c1935329ae73eda6b9f90a0b894a67 Author: Andrew Cooper AuthorDate: Wed Sep 20 20:06:53 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:22:42 2024 +0000 x86/paging: Delete update_cr3()'s do_locking parameter Nicola reports that the XSA-438 fix introduced new MISRA violations because of some incidental tidying it tried to do. The parameter is useless, so resolve the MISRA regression by removing it. hap_update_cr3() discards the parameter entirely, while sh_update_cr3() uses it to distinguish internal and external callers and therefore whether the paging lock should be taken. However, we have paging_lock_recursive() for this purpose, which also avoids the ability for the shadow internal callers to accidentally not hold the lock. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Reported-by: Nicola Vetrini Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-acked-by: Henry Wang (cherry picked from commit e71157d1ac2a7fbf413130663cf0a93ff9fbcf7e) --- xen/arch/x86/mm/hap/hap.c | 4 ++-- xen/arch/x86/mm/shadow/common.c | 2 +- xen/arch/x86/mm/shadow/multi.c | 17 ++++++++--------- xen/arch/x86/mm/shadow/none.c | 2 +- xen/include/asm-x86/paging.h | 5 ++--- 5 files changed, 14 insertions(+), 16 deletions(-) diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index fa479d3d97..63c29da696 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -728,7 +728,7 @@ static bool_t hap_invlpg(struct vcpu *v, unsigned long linear) return 1; } -static pagetable_t hap_update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t hap_update_cr3(struct vcpu *v, bool noflush) { v->arch.hvm.hw_cr[3] = v->arch.hvm.guest_cr[3]; hvm_update_guest_cr3(v, noflush); @@ -818,7 +818,7 @@ static void hap_update_paging_modes(struct vcpu *v) } /* CR3 is effectively updated by a mode change. Flush ASIDs, etc. */ - hap_update_cr3(v, 0, false); + hap_update_cr3(v, false); unlock: paging_unlock(d); diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index 242b93537f..a8869a3fb7 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -2563,7 +2563,7 @@ static void sh_update_paging_modes(struct vcpu *v) } #endif /* OOS */ - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); } void shadow_update_paging_modes(struct vcpu *v) diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index cf3ded70e7..78bb89f1ee 100644 --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -2499,7 +2499,7 @@ static int sh_page_fault(struct vcpu *v, * In any case, in the PAE case, the ASSERT is not true; it can * happen because of actions the guest is taking. */ #if GUEST_PAGING_LEVELS == 3 - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); #else ASSERT(d->is_shutting_down); #endif @@ -3219,17 +3219,13 @@ sh_detach_old_tables(struct vcpu *v) } } -static pagetable_t -sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t sh_update_cr3(struct vcpu *v, bool noflush) /* Updates vcpu->arch.cr3 after the guest has changed CR3. * Paravirtual guests should set v->arch.guest_table (and guest_table_user, * if appropriate). * HVM guests should also make sure hvm_get_guest_cntl_reg(v, 3) works; * this function will call hvm_update_guest_cr(v, 3) to tell them where the * shadow tables are. - * If do_locking != 0, assume we are being called from outside the - * shadow code, and must take and release the paging lock; otherwise - * that is the caller's responsibility. */ { struct domain *d = v->domain; @@ -3247,7 +3243,11 @@ sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) return old_entry; } - if ( do_locking ) paging_lock(v->domain); + /* + * This is used externally (with the paging lock not taken) and internally + * by the shadow code (with the lock already taken). + */ + paging_lock_recursive(v->domain); #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC) /* Need to resync all the shadow entries on a TLB flush. Resync @@ -3483,8 +3483,7 @@ sh_update_cr3(struct vcpu *v, bool do_locking, bool noflush) shadow_sync_other_vcpus(v); #endif - /* Release the lock, if we took it (otherwise it's the caller's problem) */ - if ( do_locking ) paging_unlock(v->domain); + paging_unlock(v->domain); return old_entry; } diff --git a/xen/arch/x86/mm/shadow/none.c b/xen/arch/x86/mm/shadow/none.c index 2a5fd409b2..0035369808 100644 --- a/xen/arch/x86/mm/shadow/none.c +++ b/xen/arch/x86/mm/shadow/none.c @@ -52,7 +52,7 @@ static unsigned long _gva_to_gfn(struct vcpu *v, struct p2m_domain *p2m, } #endif -static pagetable_t _update_cr3(struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t _update_cr3(struct vcpu *v, bool noflush) { ASSERT_UNREACHABLE(); return pagetable_null(); diff --git a/xen/include/asm-x86/paging.h b/xen/include/asm-x86/paging.h index fceb208d36..bd7c7008ae 100644 --- a/xen/include/asm-x86/paging.h +++ b/xen/include/asm-x86/paging.h @@ -138,8 +138,7 @@ struct paging_mode { paddr_t ga, uint32_t *pfec, unsigned int *page_order); #endif - pagetable_t (*update_cr3 )(struct vcpu *v, bool do_locking, - bool noflush); + pagetable_t (*update_cr3 )(struct vcpu *v, bool noflush); void (*update_paging_modes )(struct vcpu *v); bool (*flush_tlb )(bool (*flush_vcpu)(void *ctxt, struct vcpu *v), @@ -317,7 +316,7 @@ static inline unsigned long paging_ga_to_gfn_cr3(struct vcpu *v, * as the value to load into the host CR3 to schedule this vcpu */ static inline pagetable_t paging_update_cr3(struct vcpu *v, bool noflush) { - return paging_get_hostmode(v)->update_cr3(v, 1, noflush); + return paging_get_hostmode(v)->update_cr3(v, noflush); } /* Update all the things that are derived from the guest's CR0/CR3/CR4. -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:12:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:12:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692380.1079421 (Exim 4.92) (envelope-from ) id 1rkNT6-00021Y-Qu; Wed, 13 Mar 2024 12:12:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692380.1079421; Wed, 13 Mar 2024 12:12:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNT6-00021R-OS; Wed, 13 Mar 2024 12:12:24 +0000 Received: by outflank-mailman (input) for mailman id 692380; Wed, 13 Mar 2024 12:12:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNT5-00021I-8F for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNT5-0004Bm-7R for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNT5-0002Ep-6c for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0LEzB4dw/kn1TQYFv3006PWWr8VTYOfrAR3ZMiHF8oQ=; b=OIC2IMOA2O1Cz3t3hRPFznyRTo w7fNXpC+3yLddQW1hUDlviS4OL4u2w28Ng88CGuK+sdYB3kNs8gj3vpkkz2tQETguzvfoLuWVdt0C OEmMIp6WER2O2iM32lhOrvva3hsZtR7Fx93xMND9+Vhh4vh1eSqPX/BinRJ7pKSuWups=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Wed, 13 Mar 2024 12:12:23 +0000 commit 0cfea4bc8f6e5a54d2c001089607dd7bf3ceec19 Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:22:44 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit c4f427ec879e7c0df6d44d02561e8bee838a293e) --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 3f5c296138..c0b77d563d 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -80,8 +80,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 16979a117c..d857298011 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:12:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:12:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692381.1079426 (Exim 4.92) (envelope-from ) id 1rkNTG-00023x-So; Wed, 13 Mar 2024 12:12:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692381.1079426; Wed, 13 Mar 2024 12:12:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTG-00023p-Py; Wed, 13 Mar 2024 12:12:34 +0000 Received: by outflank-mailman (input) for mailman id 692381; Wed, 13 Mar 2024 12:12:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTF-00023d-D4 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTF-0004Bx-CL for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNTF-0002FS-9r for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6KvM/xBzkAu6F1bxs6hT6c4MDphsPyHJ1EV8ZWJBLJU=; b=mXWM73Pea5j3m1ih/u7iUjST/i qL26Aa/yR6ObQbgGX8+TN95O18Fj9ArDvCfJauDJfB1MjUyhc4T7TVe3Q6btReCbWu5OSvCzGokhH z/aqrEdlDv2nJo0RPh1qO/Gnj1vFwMmaWj02arHk3FFDB6KyMoyCuQBXm++fckQ+QhZw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Wed, 13 Mar 2024 12:12:33 +0000 commit 9104de10b2d1f8864b9092ae427023a421696fef Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:37 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 7ef0084418e188d05f338c3e028fbbe8b6924afa) --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++++--- xen/common/Kconfig | 17 +++++++++++++++++ xen/include/asm-x86/cpufeatures.h | 2 +- xen/include/asm-x86/nospec.h | 26 ++++++++++++++++++++++++++ xen/include/xen/nospec.h | 15 +++++++++++++++ xen/include/xen/spinlock.h | 37 +++++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 029002fa82..33c32cfc1c 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2263,7 +2263,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2388,6 +2388,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 24bf98a018..0a7af22a9b 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -63,6 +63,7 @@ int8_t __read_mostly opt_ibpb_ctxt_switch = -1; int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; static bool __initdata opt_branch_harden = true; +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -131,6 +132,7 @@ static int __init parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -282,6 +284,16 @@ static int __init parse_spec_ctrl(const char *s) opt_l1d_flush = val; else if ( (val = parse_boolean("branch-harden", s, ss)) >= 0 ) opt_branch_harden = val; + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -481,18 +493,22 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ - if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) ) + if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" #endif #ifdef CONFIG_SHADOW_PAGING " SHADOW_PAGING" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: BTI-Thunk %s, SPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk == THUNK_NONE ? "N/A" : thunk == THUNK_RETPOLINE ? "RETPOLINE" : thunk == THUNK_LFENCE ? "LFENCE" : @@ -518,7 +534,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1889,6 +1906,9 @@ void __init init_speculation_mitigations(void) if ( !opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_NO_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index c9f4b7f492..01c70109f5 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -161,6 +161,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config HYPFS diff --git a/xen/include/asm-x86/cpufeatures.h b/xen/include/asm-x86/cpufeatures.h index 70b93b6b44..7e8221fd85 100644 --- a/xen/include/asm-x86/cpufeatures.h +++ b/xen/include/asm-x86/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 - unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_NO_BRANCH_HARDEN, X86_SYNTH(15)) /* (Disable) Conditional branch hardening */ diff --git a/xen/include/asm-x86/nospec.h b/xen/include/asm-x86/nospec.h index 7150e76b87..0725839e19 100644 --- a/xen/include/asm-x86/nospec.h +++ b/xen/include/asm-x86/nospec.h @@ -38,6 +38,32 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4552846403 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -70,6 +70,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 9fa4e600c1..efdb21ea90 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include #include @@ -189,13 +190,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -203,7 +221,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -224,8 +242,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:12:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:12:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692382.1079429 (Exim 4.92) (envelope-from ) id 1rkNTQ-00026l-UE; Wed, 13 Mar 2024 12:12:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692382.1079429; Wed, 13 Mar 2024 12:12:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTQ-00026d-Rc; Wed, 13 Mar 2024 12:12:44 +0000 Received: by outflank-mailman (input) for mailman id 692382; Wed, 13 Mar 2024 12:12:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTP-00026S-Fx for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTP-0004C6-FE for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNTP-0002G9-EV for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=eG5gEyw8EnZYVKTm6+I9kaRT4MQAiBwMFzNQ3zcYspk=; b=dyjX4KAd4hztqw8WGr29TkcmVM +Mg906HJnJKZBySWOLWqLGftHNKdxwysyywaD9KPLCJYXnR8btQihomoMHWabAOssY0lAlBDzDZRe c8rPgWMkTOidHox98rR0lCI4i0cireZ6NLkP4R1ZT/c/Na1QfwJLju/CWW/ZFIxjHD94=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Wed, 13 Mar 2024 12:12:43 +0000 commit f01cfe72203fa60043966dd68c2d8d992e2955bf Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:38 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit a1fb15f61692b1fa9945fc51f55471ace49cdd59) --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index dadab372b5..2464f74548 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -64,8 +67,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 0cc9167715..fd0458be94 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -247,27 +247,49 @@ static inline int _rw_is_write_locked(rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:12:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:12:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692383.1079434 (Exim 4.92) (envelope-from ) id 1rkNTb-0002AT-1f; Wed, 13 Mar 2024 12:12:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692383.1079434; Wed, 13 Mar 2024 12:12:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTa-0002AL-VH; Wed, 13 Mar 2024 12:12:54 +0000 Received: by outflank-mailman (input) for mailman id 692383; Wed, 13 Mar 2024 12:12:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTZ-0002A3-Kn for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTZ-0004CF-IE for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNTZ-0002Gg-HP for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:12:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fafFQscSF8m49i1jU37rrXvBFi68rowjRgPSwPkveeM=; b=deqoEMKCPaVE4ZagUvPf7h8HMn t9rFTnY25jyGIkCB2i5bunxG+ah/S1UUAlxDxh88CuAEy6nscAs6uof3icQ00/OQ7HV7pvYspIC3T 3/v2wNdBQRYPQLzVP7RDfIlLeLrevNuY6gTzwU2p24aXvq8T0enX2zmsiIvuIaufIg/8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Wed, 13 Mar 2024 12:12:53 +0000 commit 475511953efc8cbe31d410f3f41542ea2b97f080 Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:38 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit f218daf6d3a3b847736d37c6a6b76031a0d08441) --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 2464f74548..703276f4aa 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -125,8 +125,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index fd0458be94..abe0804bf7 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -326,8 +326,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -362,6 +362,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -410,8 +412,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:13:05 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:13:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692384.1079438 (Exim 4.92) (envelope-from ) id 1rkNTl-0002DG-3F; Wed, 13 Mar 2024 12:13:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692384.1079438; Wed, 13 Mar 2024 12:13:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTl-0002D8-0Q; Wed, 13 Mar 2024 12:13:05 +0000 Received: by outflank-mailman (input) for mailman id 692384; Wed, 13 Mar 2024 12:13:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTj-0002Cx-MP for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:13:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTj-0004Ca-Le for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:13:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNTj-0002HS-Kw for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:13:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QlEJ56GrMu/4YndarnO3wNH623BR3vkSDVdQEc90Xwg=; b=sOBYEGt1IVzJnr+oef83SSbk1p JKk0eIY6glsj63YyTcds9Y2Z0btd1lugl4YLMhxeHYcdi0JP0WF/oBnPDcqYtRTplGDofJXDETEh+ LGevjjdLoY04gql50gLBQFWKCcmS2DX2JKAoTlXv1PpGXfAgAHltK/kylbvthlgm4c1w=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Wed, 13 Mar 2024 12:13:03 +0000 commit dd55a2e6816aa3f0b753385073a5eade5f773d2c Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:38 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 197ecd838a2aaf959a469df3696d4559c4f8b762) --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 5 +++-- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/asm-x86/irq.h | 1 + xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 40 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index 6fdc3e19fe..dd2de574cf 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -161,7 +161,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -180,9 +180,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index d6c073dc5c..cc635a4405 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -88,8 +88,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -139,8 +139,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == get_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -151,6 +151,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -164,8 +166,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -180,15 +182,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -321,7 +323,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index a3c9d8a974..c826288408 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -35,7 +35,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index da88ad141a..e5f4e68b88 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -57,7 +57,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -324,7 +324,8 @@ static int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc) return rc; } -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 76272b3c8a..9464cebdd6 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -398,7 +398,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -408,7 +408,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -445,7 +445,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 03ace41540..9e80ad4c74 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 0527a8c70d..24a93dd0c1 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -207,8 +207,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -220,10 +236,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 1bb265ceea..dc831efc79 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -240,7 +240,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool_t timer_lock(struct timer *timer) +static inline bool_t timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -254,7 +254,8 @@ static inline bool_t timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -267,8 +268,9 @@ static inline bool_t timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool_t __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 6fc27e7ede..2fd663062a 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/asm-x86/irq.h b/xen/include/asm-x86/irq.h index 7c825e9d9c..d4b2beda79 100644 --- a/xen/include/asm-x86/irq.h +++ b/xen/include/asm-x86/irq.h @@ -177,6 +177,7 @@ extern void irq_complete_move(struct irq_desc *); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index 21c95e14fd..18924e69e7 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -105,12 +105,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index ac3880e686..3f1324e5de 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -147,8 +147,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool_t __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:13:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:13:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692385.1079441 (Exim 4.92) (envelope-from ) id 1rkNTv-0002HF-4U; Wed, 13 Mar 2024 12:13:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692385.1079441; Wed, 13 Mar 2024 12:13:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTv-0002H7-1v; Wed, 13 Mar 2024 12:13:15 +0000 Received: by outflank-mailman (input) for mailman id 692385; Wed, 13 Mar 2024 12:13:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTt-0002Gy-PP for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:13:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNTt-0004Cj-Oj for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:13:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNTt-0002Hr-O1 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:13:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RlrQdnth0kud0Z4h47o+/F2lFS1WoDKC5DOSVz2ZwnA=; b=DQklvMHxXI8mk4wix6yclXklj6 GzchNEegHcRaW3ib11l0p6lyTwkoNuKQ5JnIwDcjb0heGEj/Cyh9+OEG6Z6Ow3uWCklH5e5qKKeJE qUeCof2Mv0ZFNAT0mBh2hhf2BK2WINNUah67BSA9K2hGbBgUklAM3amuwp258A6YJ9HY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Wed, 13 Mar 2024 12:13:13 +0000 commit 41d93be76611704bdc73e8fe71c251a6f1da114c Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:39 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 42a572a38e22a97d86a4b648a22597628d5b42e4) --- xen/arch/x86/mm.c | 6 ++++-- xen/include/asm-x86/mm.h | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index ea024c1450..2bf1b70985 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2005,7 +2005,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2066,7 +2066,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2075,6 +2075,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) diff --git a/xen/include/asm-x86/mm.h b/xen/include/asm-x86/mm.h index cccef852b4..73d5a98bec 100644 --- a/xen/include/asm-x86/mm.h +++ b/xen/include/asm-x86/mm.h @@ -393,7 +393,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 12:13:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 12:13:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692386.1079446 (Exim 4.92) (envelope-from ) id 1rkNU5-0002Js-68; Wed, 13 Mar 2024 12:13:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692386.1079446; Wed, 13 Mar 2024 12:13:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNU5-0002Jk-3K; Wed, 13 Mar 2024 12:13:25 +0000 Received: by outflank-mailman (input) for mailman id 692386; Wed, 13 Mar 2024 12:13:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNU3-0002JY-Sj for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:13:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkNU3-0004DB-Rz for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:13:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkNU3-0002IK-RH for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 12:13:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CNGbPJ4R0/TtJBI+N+FjBY92zCOfL5X6V5JxcumQaOk=; b=MVC8pKJHoM9kkn/Imiv9JP/WVW Pq5qFgk2nipIcEhKnljEmHu/NDOFADpO1WU67VTYwT488owXyPBCScuSHHe6y3lC7CQ0hQY9URaT2 I5i9uUNMdk6PH0kt/1++fftziPng7iCmh3XFiY0PV18VFpS+oPC4v2FVy1jNg4eykrPc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.16] x86: protect conditional lock taking from speculative execution Message-Id: Date: Wed, 13 Mar 2024 12:13:23 +0000 commit ea1da2ba8ea7c76a8a3a08d11f7de5acb8b17801 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:26:39 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 03cf7ca23e0e876075954c558485b267b7d02406) --- xen/arch/x86/mm.c | 35 +++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 32 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 2bf1b70985..16287e62af 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5000,8 +5000,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; UNMAP_DOMAIN_PAGE(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_mfn(l3mfn, __PAGE_HYPERVISOR); @@ -5038,8 +5037,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_mfn(l2mfn, __PAGE_HYPERVISOR)); @@ -5077,8 +5075,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_mfn(l1mfn, __PAGE_HYPERVISOR)); @@ -5109,6 +5106,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5324,8 +5323,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5429,8 +5427,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5471,8 +5468,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5526,8 +5522,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5671,8 +5666,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l3e_get_flags(*pl3e))); UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5731,8 +5725,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_get_flags(*pl2e) & ~_PAGE_PSE)); UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5776,8 +5769,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5824,8 +5816,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index cc635a4405..7eee233b4c 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -347,6 +347,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 2d41446a69..ddd2f861c3 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -514,9 +514,8 @@ mfn_t __get_gfn_type_access(struct p2m_domain *p2m, unsigned long gfn_l, if ( q & P2M_UNSHARE ) q |= P2M_ALLOC; - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index efdb21ea90..8bffb3f4b6 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -216,6 +216,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.16 From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:44:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:44:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692737.1080138 (Exim 4.92) (envelope-from ) id 1rkTa7-0007jw-By; Wed, 13 Mar 2024 18:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692737.1080138; Wed, 13 Mar 2024 18:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTa7-0007jp-9F; Wed, 13 Mar 2024 18:44:03 +0000 Received: by outflank-mailman (input) for mailman id 692737; Wed, 13 Mar 2024 18:44:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTa5-0007jf-Q2 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTa5-000514-Oz for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTa5-0002Jy-OG for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uil2j6lWKUdOCh+LdAm8dNYIuHAzUcGNGFpJGk9FHLg=; b=ihhhuXfanUj+eu8maMtPm5IJZp o6TX1q4bufZ28UJ7U0KYMoVSdh+QvOuycxE6ceVkVOacyB+CBFtgIsONfHUwLM+uMLE1B/Ob4C2sk uxKw8OVFcw2gJ08CCLLQSHa9J8vTahWH7E1HkG/1a8kUy65+0JIf4fn8sF31yY3ydvto=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Wed, 13 Mar 2024 18:44:01 +0000 commit 475fa20b7384464210f42bad7195f87bd6f1c63f Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++---- xen/arch/x86/include/asm/spec_ctrl_asm.h | 7 +++++++ xen/arch/x86/x86_64/asm-offsets.c | 1 + 3 files changed, 40 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index e3f60d5a82..1bead826ca 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index aecb91d848..ba8e0ae28b 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -152,6 +152,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 02242a9b73..8697404cd0 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -135,6 +135,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_processor_id, struct cpu_info, processor_id); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:44:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:44:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692738.1080142 (Exim 4.92) (envelope-from ) id 1rkTaH-0007m8-E0; Wed, 13 Mar 2024 18:44:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692738.1080142; Wed, 13 Mar 2024 18:44:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTaH-0007m1-Ax; Wed, 13 Mar 2024 18:44:13 +0000 Received: by outflank-mailman (input) for mailman id 692738; Wed, 13 Mar 2024 18:44:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTaF-0007lp-TK for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTaF-00051E-S5 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTaF-0002Ku-RI for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=2wU+ELEe33fhjr2EpELKMaJj9OyIIK5lHWqnI2JbMOs=; b=oTXF4P2fyTXT6PHZ+MXE01aShj wYgBqiF93CuVTWsVozwjFdjGmGd67aGpuAG/vf0Narbqp9J7oiWKutXStkLtEtsj07sBzatuamEMN 2f2z2Mz3GlNLMdWcUyhZsvDdgO7vmq5l13iGURXWiWpKJXmpSd4SfAa5vBii/SiWXnGc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Wed, 13 Mar 2024 18:44:11 +0000 commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7 Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/include/asm/spec_ctrl_asm.h | 36 +++++++++++++++++++++----------- xen/arch/x86/x86_64/asm-offsets.c | 13 ++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index ba8e0ae28b..629518cc69 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -159,16 +159,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -286,8 +293,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -367,7 +372,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -395,11 +400,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 8697404cd0..d8903a3ce9 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -136,6 +144,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_processor_id, struct cpu_info, processor_id); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 9951b3e328..631f4f272a 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -159,6 +159,12 @@ FUNC(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8, compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) END(compat_restore_all_guest) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 1b846f3aaf..7d686b7628 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -212,6 +212,9 @@ FUNC_LOCAL(restore_all_guest) #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -224,6 +227,9 @@ LABEL_LOCAL(.Lrestore_rcx_iret_exit_to_guest) iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -688,9 +694,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq END(restore_all_xen) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:44:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:44:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692739.1080146 (Exim 4.92) (envelope-from ) id 1rkTaR-0007ou-FT; Wed, 13 Mar 2024 18:44:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692739.1080146; Wed, 13 Mar 2024 18:44:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTaR-0007on-CY; Wed, 13 Mar 2024 18:44:23 +0000 Received: by outflank-mailman (input) for mailman id 692739; Wed, 13 Mar 2024 18:44:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTaQ-0007oU-01 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTaP-00051h-VO for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTaP-0002LZ-UZ for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GacH4V/qPWiQEV0WT9MLZL1rBw8hyx6oSLXjaaOr1nA=; b=62+jSZ48DNpqRaI6RAS40Dqdx1 ahNtmrYPT6Bu9GhdCjdi49/wq4hLm+h0a8q5b3UBMJRR5i2tWaZMSYBFMPP9f5pP1u9/gzgQ5Y/v2 Dq4nJsfXkHFt4blTUpYrgm+IwNOG83wqHpSb8+Vk2yGa1Za8vUfyasqMyCau3TWEzpak=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Wed, 13 Mar 2024 18:44:21 +0000 commit f7603ca252e4226739eb3129a5290ee3da3f8ea4 Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 02896598df..a54d77528a 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2363,7 +2363,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2388,7 +2388,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2405,11 +2405,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen and on idle. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 752225faa6..9cede5361d 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -25,8 +25,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static int8_t __initdata opt_rsb_pv = -1; static bool __initdata opt_rsb_hvm = true; -static int8_t __ro_after_init opt_md_clear_pv = -1; -static int8_t __ro_after_init opt_md_clear_hvm = -1; +static int8_t __ro_after_init opt_verw_pv = -1; +static int8_t __ro_after_init opt_verw_hvm = -1; static int8_t __ro_after_init opt_ibpb_entry_pv = -1; static int8_t __ro_after_init opt_ibpb_entry_hvm = -1; @@ -66,7 +66,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __ro_after_init opt_fb_clear_mmio; +static bool __ro_after_init opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -108,8 +108,8 @@ static int __init cf_check parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -140,14 +140,14 @@ static int __init cf_check parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -192,21 +192,22 @@ static int __init cf_check parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -528,8 +529,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -550,13 +551,13 @@ static void __init print_details(enum ind_thunk thunk) boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || amd_virt_spec_ctrl || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || amd_virt_spec_ctrl) ? " MSR_VIRT_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -565,11 +566,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1502,8 +1503,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1866,19 +1867,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1891,12 +1893,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:44:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:44:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692740.1080150 (Exim 4.92) (envelope-from ) id 1rkTab-0007sC-J8; Wed, 13 Mar 2024 18:44:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692740.1080150; Wed, 13 Mar 2024 18:44:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTab-0007s5-GO; Wed, 13 Mar 2024 18:44:33 +0000 Received: by outflank-mailman (input) for mailman id 692740; Wed, 13 Mar 2024 18:44:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTaa-0007rw-30 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTaa-00051p-2D for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTaa-0002Lz-1U for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6iO7r6VkHTGMckV28tPyfbVN8QrnalJ2WQgXWdUV77w=; b=nS7ANYIBGAf42D8SQEpvTNY4KT 92VhPEj1T7Yp5LVo1sEh2gFDr2BbjhwkGvIGxlC09NrR58mm1yaGdaEvmAGHsF1spdUlBc4eB3s/7 fPYTDMzkoZEWjjTkkgTFerYQ0zxvlCF8eecBMJhLVxPvvRdzSsIshdqEZgLqKGnPXJYg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Wed, 13 Mar 2024 18:44:32 +0000 commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2 Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 9cede5361d..b31b13146f 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1519,7 +1519,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1855,50 +1855,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:44:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:44:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692741.1080154 (Exim 4.92) (envelope-from ) id 1rkTal-0007uo-LD; Wed, 13 Mar 2024 18:44:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692741.1080154; Wed, 13 Mar 2024 18:44:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTal-0007ug-Hr; Wed, 13 Mar 2024 18:44:43 +0000 Received: by outflank-mailman (input) for mailman id 692741; Wed, 13 Mar 2024 18:44:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTak-0007uN-67 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTak-000520-5I for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTak-0002MO-4g for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=mmih+/3UKovoZryZs1obR1npRh63QlnWdoTYFxkadWg=; b=RWFgXCjGUld5zjF1RnW/36LTdj EBhSwcxVDb3CBE2IEZkElyB5SO51UmuCw0+4tLjtrIoUT80lqfVvk72cv8/42hyqp7ysBDC+dwQ9A BeJZrM0SLRxujECoK7wJg73Ec6dKPgvJAKbLD/kfJIEg+IPz9ts7KXCWRKsD/WfMExD4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Wed, 13 Mar 2024 18:44:42 +0000 commit fb5b6f6744713410c74cfc12b7176c108e3c9a31 Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/include/asm/cpufeature.h | 3 + xen/arch/x86/include/asm/msr-index.h | 2 + xen/arch/x86/spec_ctrl.c | 100 ++++++++++++++++++++++++++-- xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 111 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index 46abdb9140..51efbff579 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -172,7 +172,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -251,7 +251,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 2c6f03057b..2acc27632f 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -451,6 +451,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -510,6 +511,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index ad24d0fa88..9bc553681f 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -182,6 +182,7 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_avx512_fp16 boot_cpu_has(X86_FEATURE_AVX512_FP16) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) @@ -213,6 +214,8 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h index fc82afc246..92dd9fa496 100644 --- a/xen/arch/x86/include/asm/msr-index.h +++ b/xen/arch/x86/include/asm/msr-index.h @@ -89,6 +89,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index b31b13146f..0638d9980a 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -12,6 +12,7 @@ #include #include +#include #include #include #include @@ -435,7 +436,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -451,6 +452,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -461,7 +463,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -479,6 +481,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1347,6 +1350,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case INTEL_FAM6_ALDERLAKE: + case INTEL_FAM6_RAPTORLAKE: + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + fallthrough; + case INTEL_FAM6_ALDERLAKE_L: + case INTEL_FAM6_RAPTORLAKE_P: + case INTEL_FAM6_RAPTORLAKE_S: + + case INTEL_FAM6_ATOM_GOLDMONT: /* Apollo Lake */ + case INTEL_FAM6_ATOM_GOLDMONT_D: /* Denverton */ + case INTEL_FAM6_ATOM_GOLDMONT_PLUS: /* Gemini Lake */ + case INTEL_FAM6_ATOM_TREMONT_D: /* Snow Ridge / Parker Ridge */ + case INTEL_FAM6_ATOM_TREMONT: /* Elkhart Lake */ + case INTEL_FAM6_ATOM_TREMONT_L: /* Jasper Lake */ + case INTEL_FAM6_ATOM_GRACEMONT: /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1860,6 +1940,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1889,8 +1970,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1922,15 +2007,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1944,7 +2033,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 0374cec3a2..eb9f552948 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -266,6 +266,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(AVX512_FP16, 9*32+23) /*A AVX512 FP16 instructions */ @@ -343,6 +344,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:44:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:44:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692742.1080157 (Exim 4.92) (envelope-from ) id 1rkTav-0007xF-M7; Wed, 13 Mar 2024 18:44:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692742.1080157; Wed, 13 Mar 2024 18:44:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTav-0007x8-JK; Wed, 13 Mar 2024 18:44:53 +0000 Received: by outflank-mailman (input) for mailman id 692742; Wed, 13 Mar 2024 18:44:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTau-0007x2-8r for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTau-00052E-81 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTau-0002Mp-7O for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:44:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DaFOoAvTiEeW+ravodX+DM9MoLNGHunVDqp0CTZmmTQ=; b=25LzsMw+72tyCkv1qMpMobbWZG Op3+/hN0bA/9dShx1hsVAaNAbglN9ZVdARTWtQd33ELhS2eMcIC1QLSarPtZO0pXC67HJAv/5Vr1g p9Ra+08AqUEpuZYGqF3S/WjN7+H1anmRYGY0+QIVechhLMGaYQgfYy/pCOkMtx6vpyBg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Wed, 13 Mar 2024 18:44:52 +0000 commit c4f427ec879e7c0df6d44d02561e8bee838a293e Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index bb29b352ec..3e84960a36 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -93,8 +93,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 9ecddbff5e..1b88a83be8 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *p); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:45:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:45:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692743.1080161 (Exim 4.92) (envelope-from ) id 1rkTb5-00080i-PF; Wed, 13 Mar 2024 18:45:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692743.1080161; Wed, 13 Mar 2024 18:45:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTb5-00080b-Ml; Wed, 13 Mar 2024 18:45:03 +0000 Received: by outflank-mailman (input) for mailman id 692743; Wed, 13 Mar 2024 18:45:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTb4-00080F-CF for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTb4-00052l-BP for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTb4-0002NZ-AZ for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DoUf3Mve2mtxUBbsjzMz6JoyUcSdebBoUFT++yz1vMs=; b=VqhpJtoDuSo+rAoV8MRF7/2PFt s70UjEpFAfx9xQBTu0luS7Yeb/UE6+tKjdSUqx68/VdtcpVKsF9UwNODDZ8hAX7yyuCSlrH+m5714 qeeexRc4J3J+D1ArlEYbf/D1GlKwz2h15GJ5a/+3XNhtdt/mYU2DV24NMgF/UXNtxIHU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Wed, 13 Mar 2024 18:45:02 +0000 commit 7ef0084418e188d05f338c3e028fbbe8b6924afa Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/include/asm/cpufeatures.h | 2 +- xen/arch/x86/include/asm/nospec.h | 26 ++++++++++++++++++++++++ xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++--- xen/common/Kconfig | 17 ++++++++++++++++ xen/include/xen/nospec.h | 15 ++++++++++++++ xen/include/xen/spinlock.h | 37 ++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index a54d77528a..54edbc0fbc 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2366,7 +2366,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2493,6 +2493,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h index c3aad21c3b..7e8221fd85 100644 --- a/xen/arch/x86/include/asm/cpufeatures.h +++ b/xen/arch/x86/include/asm/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_NO_BRANCH_HARDEN, X86_SYNTH(15)) /* (Disable) Conditional branch hardening */ diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h index 07606834c4..e058a3bb0e 100644 --- a/xen/arch/x86/include/asm/nospec.h +++ b/xen/arch/x86/include/asm/nospec.h @@ -62,6 +62,32 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, /* Override default implementation in nospec.h. */ #define array_index_mask_nospec array_index_mask_nospec +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 0638d9980a..0b670c3ca7 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -53,6 +53,7 @@ int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; static bool __initdata opt_branch_harden = IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH); +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -121,6 +122,7 @@ static int __init cf_check parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -286,6 +288,16 @@ static int __init cf_check parse_spec_ctrl(const char *s) rc = -EINVAL; } } + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -488,7 +500,8 @@ static void __init print_details(enum ind_thunk thunk) if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || - IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" @@ -504,11 +517,14 @@ static void __init print_details(enum ind_thunk thunk) #endif #ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS " HARDEN_GUEST_ACCESS" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk != THUNK_NONE ? "BTI-Thunk: " : "", thunk == THUNK_NONE ? "" : thunk == THUNK_RETPOLINE ? "RETPOLINE, " : @@ -535,7 +551,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1918,6 +1935,9 @@ void __init init_speculation_mitigations(void) if ( !opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_NO_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 310ad4229c..a5c3d5a6bf 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -188,6 +188,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config DIT_DEFAULT diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 4c250ebbd6..e8d73f9538 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -69,6 +69,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 0e6a083dfb..8430a888a8 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include @@ -202,13 +203,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -216,7 +234,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -237,8 +255,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:45:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:45:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692744.1080166 (Exim 4.92) (envelope-from ) id 1rkTbF-00083n-Qu; Wed, 13 Mar 2024 18:45:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692744.1080166; Wed, 13 Mar 2024 18:45:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbF-00083f-OI; Wed, 13 Mar 2024 18:45:13 +0000 Received: by outflank-mailman (input) for mailman id 692744; Wed, 13 Mar 2024 18:45:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbE-00083V-F5 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbE-00052v-EJ for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTbE-0002O6-DZ for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fDcTpzYcT/RXKSir6V1Z1VGMzj6btSQK8iMYAU7ta1Y=; b=dmvET05o9F5HPZZcJkuayd03Kq vuiqd4ubDVuCizd4tx4iIVOXAAvd5g6dPdjuTn1vu3V3QHgnLbgvFbHI5HrlDSNMYnr9GSUJFOiIR 1ST+rn6MtqA0vz7+YkC4KEzaBN11oA1NefTsI1Xr8S7rh8XtqalV7uZnybb+pIazZ2nw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Wed, 13 Mar 2024 18:45:12 +0000 commit a1fb15f61692b1fa9945fc51f55471ace49cdd59 Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 18224a4bb5..290602936d 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -66,8 +69,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 08ba46de15..ffff0fad45 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -259,27 +259,49 @@ static inline int _rw_is_write_locked(const rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:45:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:45:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692745.1080171 (Exim 4.92) (envelope-from ) id 1rkTbP-00086e-Sm; Wed, 13 Mar 2024 18:45:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692745.1080171; Wed, 13 Mar 2024 18:45:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbP-00086U-Pr; Wed, 13 Mar 2024 18:45:23 +0000 Received: by outflank-mailman (input) for mailman id 692745; Wed, 13 Mar 2024 18:45:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbO-000867-Ht for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbO-00053I-HC for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTbO-0002Ob-GW for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=X1ARubfpOdVIKZg2kjIbbsHY/CoOqPBOmaZeMHeo1fY=; b=GkyPAqUZeHyFYFvHhg88FDKl0w 3ZeDNnuuOh5oip98ECTRFDO2KkBFu9Qg9v2eqT7DfqvSJzgwLC1QiCDn8CT4ZVVtW++ntU1gz48Qw ypEQPr2gKU1GQrkizbll282wxxbvCzqt6JOjshDNnhZJnl3z+fQdXqcnQtowq6yfzhkQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Wed, 13 Mar 2024 18:45:22 +0000 commit f218daf6d3a3b847736d37c6a6b76031a0d08441 Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 290602936d..f5a249bcc2 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -129,8 +129,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index ffff0fad45..65d88b0ef4 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -338,8 +338,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -374,6 +374,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -430,8 +432,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:45:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:45:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692746.1080173 (Exim 4.92) (envelope-from ) id 1rkTbZ-00089Q-UG; Wed, 13 Mar 2024 18:45:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692746.1080173; Wed, 13 Mar 2024 18:45:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbZ-00089J-RF; Wed, 13 Mar 2024 18:45:33 +0000 Received: by outflank-mailman (input) for mailman id 692746; Wed, 13 Mar 2024 18:45:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbY-000890-LV for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbY-00053T-Km for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTbY-0002P2-K2 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=501WQH0KCIhDSEeegjp+U4OqKJnTXVvOCREqMfTmd88=; b=XlBWDNLggMp32aqjU+3tcy9j2T DG8P1/N6uSG/zBM6CJAzD2op27Qalb5nb/XjNfmJSnkvp//jFfZfmpGbAFDHTD+5dOWoBg8ObNNp6 e3X0551Qf3fNT4WfontxWb//VdR+H/OuIkB/qaM/ACO2WrkKNYWzV7Bxeqoui4C4ekSE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Wed, 13 Mar 2024 18:45:32 +0000 commit 197ecd838a2aaf959a469df3696d4559c4f8b762 Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/include/asm/irq.h | 1 + xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 5 +++-- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 40 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index 8f53e88d67..e1d6845a28 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -150,7 +150,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -169,9 +169,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h index 7d49f3c190..413994d213 100644 --- a/xen/arch/x86/include/asm/irq.h +++ b/xen/arch/x86/include/asm/irq.h @@ -151,6 +151,7 @@ void cf_check irq_complete_move(struct irq_desc *desc); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 00b1bc402d..273fff86ba 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -74,8 +74,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -125,8 +125,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == smp_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -137,6 +137,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -150,8 +152,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -166,15 +168,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -309,7 +311,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index bc78c61062..65d31e5523 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -24,7 +24,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index 15aec5dcbb..bbfda2538e 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -45,7 +45,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -349,7 +349,8 @@ int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc, evtchn_port_t port) return rc; } -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 37b178a67b..7708930882 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -403,7 +403,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -413,7 +413,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -450,7 +450,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index c5db373972..3e48da1cdd 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 26a196f428..459d1dfb11 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -208,8 +208,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -221,10 +237,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 785177e7fa..a21798b76f 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -239,7 +239,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool timer_lock(struct timer *timer) +static inline bool timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -253,7 +253,8 @@ static inline bool timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -266,8 +267,9 @@ static inline bool timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 194701c913..6a1eda675d 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index 8e509e0784..f1472ea1eb 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -114,12 +114,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index 1df1863b13..63e49f0117 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -166,8 +166,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:45:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:45:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692747.1080177 (Exim 4.92) (envelope-from ) id 1rkTbk-0008CY-1O; Wed, 13 Mar 2024 18:45:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692747.1080177; Wed, 13 Mar 2024 18:45:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbj-0008CQ-Ur; Wed, 13 Mar 2024 18:45:43 +0000 Received: by outflank-mailman (input) for mailman id 692747; Wed, 13 Mar 2024 18:45:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbi-0008CH-Ow for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbi-00053g-O7 for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTbi-0002Pn-NN for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=/Jt9Skn5MYfcnlICw1JvM6q5bTlCvqNfULeiFOczTbM=; b=ZYt8wtKuf5RdKDJOfsuhf5MXrw WX4FkuL1gmK82MZZOeZJQ/hKvmci9vkJ62EoKwfmHfwSgBjxVRcG/vjbVxEj4ZR4P80ubOa362H7W eyIMq7TcZvU52ZufGPAH6l+3MSh05Qn7IQLFTuZsMVqaZZAxBb8fcx8fB+YOpFCupBpk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Wed, 13 Mar 2024 18:45:42 +0000 commit 42a572a38e22a97d86a4b648a22597628d5b42e4 Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/arch/x86/include/asm/mm.h | 4 +++- xen/arch/x86/mm.c | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h index 7d26d9cd2f..65d209d5ff 100644 --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -399,7 +399,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 0c6658298d..2ba4c26401 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2034,7 +2034,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2095,7 +2095,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2104,6 +2104,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 13 18:45:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 13 Mar 2024 18:45:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692748.1080181 (Exim 4.92) (envelope-from ) id 1rkTbu-0008FK-2g; Wed, 13 Mar 2024 18:45:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692748.1080181; Wed, 13 Mar 2024 18:45:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbu-0008FC-04; Wed, 13 Mar 2024 18:45:54 +0000 Received: by outflank-mailman (input) for mailman id 692748; Wed, 13 Mar 2024 18:45:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbs-0008Ex-SA for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkTbs-00053n-RH for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkTbs-0002QH-Qd for xen-changelog@lists.xenproject.org; Wed, 13 Mar 2024 18:45:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4mRK1881tYReHKxhBLhSkyTkHDjZJNdN4aXuQ+grEYE=; b=YK9Sj6gjygcQwVFASCSLNCXf// 4sbjStaZJR8zdE8yjJ1lLy1naB0MkGr9P/C/35TbgPpY+/+RtMs6zy9s4Mgymxr2Jm37XFGtS4GjF feHf/RiKeZ7i7PGd8MvX9dYjYmb5iW3lneWefvvZuItVmx3HjAGB17S4I4pmWvPPA1kI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86: protect conditional lock taking from speculative execution Message-Id: Date: Wed, 13 Mar 2024 18:45:52 +0000 commit 03cf7ca23e0e876075954c558485b267b7d02406 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:50:04 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich --- xen/arch/x86/mm.c | 35 +++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 32 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 2ba4c26401..62f5b811bb 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5018,8 +5018,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; UNMAP_DOMAIN_PAGE(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_mfn(l3mfn, __PAGE_HYPERVISOR); @@ -5056,8 +5055,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_mfn(l2mfn, __PAGE_HYPERVISOR)); @@ -5095,8 +5093,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_mfn(l1mfn, __PAGE_HYPERVISOR)); @@ -5127,6 +5124,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5342,8 +5341,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5447,8 +5445,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5489,8 +5486,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5544,8 +5540,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5689,8 +5684,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l3e_get_flags(*pl3e))); UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5749,8 +5743,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_get_flags(*pl2e) & ~_PAGE_PSE)); UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5794,8 +5787,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5842,8 +5834,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 273fff86ba..2eae73ac68 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -335,6 +335,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 4dd41193f5..ca24cd4a67 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -281,9 +281,8 @@ mfn_t p2m_get_gfn_type_access(struct p2m_domain *p2m, gfn_t gfn, if ( q & P2M_UNSHARE ) q |= P2M_ALLOC; - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 8430a888a8..e351fc9995 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -229,6 +229,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 00:33:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 00:33:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692833.1080347 (Exim 4.92) (envelope-from ) id 1rkZ1t-00077y-VE; Thu, 14 Mar 2024 00:33:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692833.1080347; Thu, 14 Mar 2024 00:33:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZ1t-00077q-Sm; Thu, 14 Mar 2024 00:33:05 +0000 Received: by outflank-mailman (input) for mailman id 692833; Thu, 14 Mar 2024 00:33:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZ1r-00077k-WB for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 00:33:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZ1r-0003EM-U0 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 00:33:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZ1r-0004xQ-T1 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 00:33:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=M1oYd++Y7sdZw1NT3LoQwO0Y4fNe28ZHbAba4+5PpRI=; b=GmIU6OZTp40+uqrvifU9CTjMx4 NwcVzfK1EpfpjqXXHBhi8jDZ6eR8XE0GWk50boURmLf1WDNwzv38iHzBkcdAp1EHH5fGwBrsvNIyN M7CvZW4A2Pw0wKn+UEBt5G3hsyKnfDr68arTOw4e/D+6DpUAiPIGTlGTKzz8RqPwLwQo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] automation/eclair_analysis: deviate certain macros for Rule 20.12 Message-Id: Date: Thu, 14 Mar 2024 00:33:03 +0000 commit 4dc9a8b0606770dc9c6be20ff5a74a9af5fcba70 Author: Nicola Vetrini AuthorDate: Thu Feb 15 14:06:17 2024 +0100 Commit: Stefano Stabellini CommitDate: Wed Mar 13 17:21:51 2024 -0700 automation/eclair_analysis: deviate certain macros for Rule 20.12 Certain macros are allowed to violate the Rule, since their meaning and intended use is well-known to all Xen developers. Variadic macros that rely on the GCC extension for removing a trailing comma when token pasting the variable argument are similarly well-understood and therefore allowed. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- automation/eclair_analysis/ECLAIR/deviations.ecl | 20 ++++++++++++++++++++ docs/misra/deviations.rst | 22 ++++++++++++++++++++++ 2 files changed, 42 insertions(+) diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl index 9ac3ee4dfd..53f7623454 100644 --- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl @@ -405,6 +405,26 @@ in assignments." {safe, "left_right(^[(,\\[]$,^[),\\]]$)"} -doc_end +-doc_begin="Uses of variadic macros that have one of their arguments defined as +a macro and used within the body for both ordinary parameter expansion and as an +operand to the # or ## operators have a behavior that is well-understood and +deliberate." +-config=MC3R1.R20.12,macros+={deliberate, "variadic()"} +-doc_end + +-doc_begin="Uses of a macro parameter for ordinary expansion and as an operand +to the # or ## operators within the following macros are deliberate, to provide +useful diagnostic messages to the user." +-config=MC3R1.R20.12,macros+={deliberate, "name(ASSERT||BUILD_BUG_ON||BUILD_BUG_ON_ZERO)"} +-doc_end + +-doc_begin="The helper macro GENERATE_CASE may use a macro parameter for ordinary +expansion and token pasting to improve readability. Only instances where this +leads to a violation of the Rule are deviated." +-file_tag+={deliberate_generate_case, "^xen/arch/arm/vcpreg\\.c$"} +-config=MC3R1.R20.12,macros+={deliberate, "name(GENERATE_CASE)&&loc(file(deliberate_generate_case))"} +-doc_end + # # General # diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst index ce855ddae6..6d532a872d 100644 --- a/docs/misra/deviations.rst +++ b/docs/misra/deviations.rst @@ -336,6 +336,28 @@ Deviations related to MISRA C:2012 Rules: (4) as lhs in assignments. - Tagged as `safe` for ECLAIR. + * - R20.12 + - Variadic macros that use token pasting often employ the gcc extension + `ext_paste_comma`, as detailed in `C-language-toolchain.rst`, which is + not easily replaceable; macros that in addition perform regular argument + expansion on the same argument subject to the # or ## operators violate + the Rule if the argument is a macro. + - Tagged as `deliberate` for ECLAIR. + + * - R20.12 + - Macros that are used for runtime or build-time assertions contain + deliberate uses of an argument as both a regular argument and a + stringification token, to provide useful diagnostic messages. + - Tagged as `deliberate` for ECLAIR. + + * - R20.12 + - GENERATE_CASE is a local helper macro that allows some selected switch + statements to be more compact and readable. As such, the risk of + developer confusion in using such macro is deemed negligible. This + construct is deviated only in Translation Units that present a violation + of the Rule due to uses of this macro. + - Tagged as `deliberate` for ECLAIR. + Other deviations: ----------------- -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:11:07 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:11:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692840.1080367 (Exim 4.92) (envelope-from ) id 1rkZcd-0002fS-QO; Thu, 14 Mar 2024 01:11:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692840.1080367; Thu, 14 Mar 2024 01:11:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZcd-0002fL-Nh; Thu, 14 Mar 2024 01:11:03 +0000 Received: by outflank-mailman (input) for mailman id 692840; Thu, 14 Mar 2024 01:11:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZcb-0002fD-KL for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZcb-0002Cs-JQ for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZcb-00074N-IX for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4RNX968RsnLGYFvgF2XUpjDpFirnoR88M2qgvlq9Tbg=; b=NbOccW43rlpFjZvj8uL70kYfpy I5yVwSd5wAsljNiWjxBX7BnLYBEdIpNnxYQtmZv/FDvRXnOZQg1W89oWVEpVvg8eVyxQgi5bX98+y PFDYOCyazQFD80aUfuZpcfC9so8LBCU7e354crWW0sOFkiy84VqajSCmMMh6pfgCOkEU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/entry: Introduce EFRAME_* constants Message-Id: Date: Thu, 14 Mar 2024 01:11:01 +0000 commit e691f99f17198906f813b85dcabafe5addb9a57a Author: Andrew Cooper AuthorDate: Sat Jan 27 17:52:09 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/entry: Introduce EFRAME_* constants restore_all_guest() does a lot of manipulation of the stack after popping the GPRs, and uses raw %rsp displacements to do so. Also, almost all entrypaths use raw %rsp displacements prior to pushing GPRs. Provide better mnemonics, to aid readability and reduce the chance of errors when editing. No functional change. The resulting binary is identical. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 37541208f119a9c552c6c6c3246ea61be0d44035) --- xen/arch/x86/x86_64/asm-offsets.c | 17 +++++++++ xen/arch/x86/x86_64/compat/entry.S | 2 +- xen/arch/x86/x86_64/entry.S | 70 +++++++++++++++++++------------------- 3 files changed, 53 insertions(+), 36 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 287dac101a..31fa63b77f 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -51,6 +51,23 @@ void __dummy__(void) OFFSET(UREGS_kernel_sizeof, struct cpu_user_regs, es); BLANK(); + /* + * EFRAME_* is for the entry/exit logic where %rsp is pointing at + * UREGS_error_code and GPRs are still/already guest values. + */ +#define OFFSET_EF(sym, mem) \ + DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ + offsetof(struct cpu_user_regs, error_code)) + + OFFSET_EF(EFRAME_entry_vector, entry_vector); + OFFSET_EF(EFRAME_rip, rip); + OFFSET_EF(EFRAME_cs, cs); + OFFSET_EF(EFRAME_eflags, eflags); + OFFSET_EF(EFRAME_rsp, rsp); + BLANK(); + +#undef OFFSET_EF + OFFSET(VCPU_processor, struct vcpu, processor); OFFSET(VCPU_domain, struct vcpu, domain); OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 253bb1688c..7c211314d8 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -15,7 +15,7 @@ ENTRY(entry_int82) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $HYPERCALL_VECTOR, 4(%rsp) + movl $HYPERCALL_VECTOR, EFRAME_entry_vector(%rsp) SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 585b0c9551..412cbeb3ec 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -190,15 +190,15 @@ restore_all_guest: SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL - testw $TRAP_syscall,4(%rsp) + testw $TRAP_syscall, EFRAME_entry_vector(%rsp) jz iret_exit_to_guest - movq 24(%rsp),%r11 # RFLAGS + mov EFRAME_eflags(%rsp), %r11 andq $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), %r11 orq $X86_EFLAGS_IF,%r11 /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx + mov EFRAME_rip(%rsp), %rcx sarq $47,%rcx incl %ecx cmpl $1,%ecx @@ -213,20 +213,20 @@ restore_all_guest: ALTERNATIVE "", rag_clrssbsy, X86_FEATURE_XEN_SHSTK #endif - movq 8(%rsp), %rcx # RIP - cmpw $FLAT_USER_CS32,16(%rsp)# CS - movq 32(%rsp),%rsp # RSP + mov EFRAME_rip(%rsp), %rcx + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) + mov EFRAME_rsp(%rsp), %rsp je 1f sysretq 1: sysretl ALIGN .Lrestore_rcx_iret_exit_to_guest: - movq 8(%rsp), %rcx # RIP + mov EFRAME_rip(%rsp), %rcx /* No special register assumptions. */ iret_exit_to_guest: - andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), 24(%rsp) - orl $X86_EFLAGS_IF,24(%rsp) + andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) + orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -257,7 +257,7 @@ ENTRY(lstar_enter) pushq $FLAT_KERNEL_CS64 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -294,7 +294,7 @@ ENTRY(cstar_enter) pushq $FLAT_USER_CS32 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -335,7 +335,7 @@ GLOBAL(sysenter_eflags_saved) pushq $3 /* ring 3 null cs */ pushq $0 /* null rip */ pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -389,7 +389,7 @@ ENTRY(int80_direct_trap) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $0x80, 4(%rsp) + movl $0x80, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -649,7 +649,7 @@ ret_from_intr: .section .init.text, "ax", @progbits ENTRY(early_page_fault) ENDBR64 - movl $TRAP_page_fault, 4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) SAVE_ALL movq %rsp, %rdi call do_early_page_fault @@ -716,7 +716,7 @@ ENTRY(common_interrupt) ENTRY(page_fault) ENDBR64 - movl $TRAP_page_fault,4(%rsp) + movl $TRAP_page_fault, EFRAME_entry_vector(%rsp) /* No special register assumptions. */ GLOBAL(handle_exception) ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP @@ -892,90 +892,90 @@ FATAL_exception_with_ints_disabled: ENTRY(divide_error) ENDBR64 pushq $0 - movl $TRAP_divide_error,4(%rsp) + movl $TRAP_divide_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_copro_error,4(%rsp) + movl $TRAP_copro_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(simd_coprocessor_error) ENDBR64 pushq $0 - movl $TRAP_simd_error,4(%rsp) + movl $TRAP_simd_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(device_not_available) ENDBR64 pushq $0 - movl $TRAP_no_device,4(%rsp) + movl $TRAP_no_device, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(debug) ENDBR64 pushq $0 - movl $TRAP_debug,4(%rsp) + movl $TRAP_debug, EFRAME_entry_vector(%rsp) jmp handle_ist_exception ENTRY(int3) ENDBR64 pushq $0 - movl $TRAP_int3,4(%rsp) + movl $TRAP_int3, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(overflow) ENDBR64 pushq $0 - movl $TRAP_overflow,4(%rsp) + movl $TRAP_overflow, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(bounds) ENDBR64 pushq $0 - movl $TRAP_bounds,4(%rsp) + movl $TRAP_bounds, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_op) ENDBR64 pushq $0 - movl $TRAP_invalid_op,4(%rsp) + movl $TRAP_invalid_op, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(invalid_TSS) ENDBR64 - movl $TRAP_invalid_tss,4(%rsp) + movl $TRAP_invalid_tss, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(segment_not_present) ENDBR64 - movl $TRAP_no_segment,4(%rsp) + movl $TRAP_no_segment, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(stack_segment) ENDBR64 - movl $TRAP_stack_error,4(%rsp) + movl $TRAP_stack_error, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(general_protection) ENDBR64 - movl $TRAP_gp_fault,4(%rsp) + movl $TRAP_gp_fault, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(alignment_check) ENDBR64 - movl $TRAP_alignment_check,4(%rsp) + movl $TRAP_alignment_check, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_CP) ENDBR64 - movl $X86_EXC_CP, 4(%rsp) + movl $X86_EXC_CP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(double_fault) ENDBR64 - movl $TRAP_double_fault,4(%rsp) + movl $TRAP_double_fault, EFRAME_entry_vector(%rsp) /* Set AC to reduce chance of further SMAP faults */ ALTERNATIVE "", stac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1001,7 +1001,7 @@ ENTRY(double_fault) ENTRY(nmi) ENDBR64 pushq $0 - movl $TRAP_nmi,4(%rsp) + movl $TRAP_nmi, EFRAME_entry_vector(%rsp) handle_ist_exception: ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1134,7 +1134,7 @@ handle_ist_exception: ENTRY(machine_check) ENDBR64 pushq $0 - movl $TRAP_machine_check,4(%rsp) + movl $TRAP_machine_check, EFRAME_entry_vector(%rsp) jmp handle_ist_exception /* No op trap handler. Required for kexec crash path. */ @@ -1171,7 +1171,7 @@ autogen_stubs: /* Automatically generated stubs. */ 1: ENDBR64 pushq $0 - movb $vec,4(%rsp) + movb $vec, EFRAME_entry_vector(%rsp) jmp common_interrupt entrypoint 1b @@ -1185,7 +1185,7 @@ autogen_stubs: /* Automatically generated stubs. */ test $8,%spl /* 64bit exception frames are 16 byte aligned, but the word */ jz 2f /* size is 8 bytes. Check whether the processor gave us an */ pushq $0 /* error code, and insert an empty one if not. */ -2: movb $vec,4(%rsp) +2: movb $vec, EFRAME_entry_vector(%rsp) jmp handle_exception entrypoint 1b -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:11:12 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:11:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692841.1080373 (Exim 4.92) (envelope-from ) id 1rkZcm-0002iX-Tx; Thu, 14 Mar 2024 01:11:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692841.1080373; Thu, 14 Mar 2024 01:11:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZcm-0002iN-Ql; Thu, 14 Mar 2024 01:11:12 +0000 Received: by outflank-mailman (input) for mailman id 692841; Thu, 14 Mar 2024 01:11:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZcl-0002iD-OU for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZcl-0002DD-NC for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZcl-000754-LW for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=e9lJqTepIjlfKx4paSGCtMfBASvFXSU4O8tVO9tPR/0=; b=sFFyrfCwxBzkPVpzlE9SviBUSP wYqvJ2AlpSmxjTPU3o2DsfpUG7sv83LzvnFBk3zoIKUeoGTnxTIfoonl1qSsQZRyYIJHzZqhCYn3n icgQ8A/QdLboniA2K1Sre6rgLTwVJZtRrqCvU3h4n0K0+9xTodPYL2TAP4E1HLc8ntvs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86: Resync intel-family.h from Linux Message-Id: Date: Thu, 14 Mar 2024 01:11:11 +0000 commit abc43cf5a6579f1aa0decf0a2349cdd2d2473117 Author: Andrew Cooper AuthorDate: Tue Feb 27 16:07:39 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86: Resync intel-family.h from Linux From v6.8-rc6 Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 195e75371b13c4f7ecdf7b5c50aed0d02f2d7ce8) --- xen/arch/x86/include/asm/intel-family.h | 38 +++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/include/asm/intel-family.h b/xen/arch/x86/include/asm/intel-family.h index ffc49151be..b65e9c46b9 100644 --- a/xen/arch/x86/include/asm/intel-family.h +++ b/xen/arch/x86/include/asm/intel-family.h @@ -26,6 +26,9 @@ * _G - parts with extra graphics on * _X - regular server parts * _D - micro server parts + * _N,_P - other mobile parts + * _H - premium mobile parts + * _S - other client parts * * Historical OPTDIFFs: * @@ -37,6 +40,9 @@ * their own names :-( */ +/* Wildcard match for FAM6 so X86_MATCH_INTEL_FAM6_MODEL(ANY) works */ +#define INTEL_FAM6_ANY X86_MODEL_ANY + #define INTEL_FAM6_CORE_YONAH 0x0E #define INTEL_FAM6_CORE2_MEROM 0x0F @@ -93,8 +99,6 @@ #define INTEL_FAM6_ICELAKE_L 0x7E /* Sunny Cove */ #define INTEL_FAM6_ICELAKE_NNPI 0x9D /* Sunny Cove */ -#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */ - #define INTEL_FAM6_ROCKETLAKE 0xA7 /* Cypress Cove */ #define INTEL_FAM6_TIGERLAKE_L 0x8C /* Willow Cove */ @@ -102,12 +106,31 @@ #define INTEL_FAM6_SAPPHIRERAPIDS_X 0x8F /* Golden Cove */ +#define INTEL_FAM6_EMERALDRAPIDS_X 0xCF + +#define INTEL_FAM6_GRANITERAPIDS_X 0xAD +#define INTEL_FAM6_GRANITERAPIDS_D 0xAE + +/* "Hybrid" Processors (P-Core/E-Core) */ + +#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */ + #define INTEL_FAM6_ALDERLAKE 0x97 /* Golden Cove / Gracemont */ #define INTEL_FAM6_ALDERLAKE_L 0x9A /* Golden Cove / Gracemont */ -#define INTEL_FAM6_RAPTORLAKE 0xB7 +#define INTEL_FAM6_RAPTORLAKE 0xB7 /* Raptor Cove / Enhanced Gracemont */ +#define INTEL_FAM6_RAPTORLAKE_P 0xBA +#define INTEL_FAM6_RAPTORLAKE_S 0xBF + +#define INTEL_FAM6_METEORLAKE 0xAC +#define INTEL_FAM6_METEORLAKE_L 0xAA + +#define INTEL_FAM6_ARROWLAKE_H 0xC5 +#define INTEL_FAM6_ARROWLAKE 0xC6 + +#define INTEL_FAM6_LUNARLAKE_M 0xBD -/* "Small Core" Processors (Atom) */ +/* "Small Core" Processors (Atom/E-Core) */ #define INTEL_FAM6_ATOM_BONNELL 0x1C /* Diamondville, Pineview */ #define INTEL_FAM6_ATOM_BONNELL_MID 0x26 /* Silverthorne, Lincroft */ @@ -134,6 +157,13 @@ #define INTEL_FAM6_ATOM_TREMONT 0x96 /* Elkhart Lake */ #define INTEL_FAM6_ATOM_TREMONT_L 0x9C /* Jasper Lake */ +#define INTEL_FAM6_ATOM_GRACEMONT 0xBE /* Alderlake N */ + +#define INTEL_FAM6_ATOM_CRESTMONT_X 0xAF /* Sierra Forest */ +#define INTEL_FAM6_ATOM_CRESTMONT 0xB6 /* Grand Ridge */ + +#define INTEL_FAM6_ATOM_DARKMONT_X 0xDD /* Clearwater Forest */ + /* Xeon Phi */ #define INTEL_FAM6_XEON_PHI_KNL 0x57 /* Knights Landing */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:11:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:11:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692842.1080376 (Exim 4.92) (envelope-from ) id 1rkZcw-0002lG-VC; Thu, 14 Mar 2024 01:11:22 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692842.1080376; Thu, 14 Mar 2024 01:11:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZcw-0002l8-SB; Thu, 14 Mar 2024 01:11:22 +0000 Received: by outflank-mailman (input) for mailman id 692842; Thu, 14 Mar 2024 01:11:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZcv-0002l0-R6 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZcv-0002DK-QL for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZcv-00075U-PM for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hpe2HIjxzVib/qP7dLlk0giqKnA2jQ5KDDUL5OFSiv8=; b=5z6KxokLj0JDwgWGOg49CsWoyq Uc7yJ2aNwWEMYp7lpzpt4aKBgtLl2R9VN+uyT6vNyaaa2VXyGFgpktUIWrVY0x3fAmJAr44LVPTKZ Csz9xTJqb9EZn8o/Hxee/fljYuqlsKXGVQnx+iuq2UCebkMPQGZF9DdZNTYyans1yAmY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Thu, 14 Mar 2024 01:11:21 +0000 commit 77f2bec134049aba29b9b459f955022722d10847 Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f) --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++---- xen/arch/x86/include/asm/asm_defns.h | 8 +++++++ xen/arch/x86/include/asm/spec_ctrl_asm.h | 7 +++++++ xen/arch/x86/x86_64/asm-offsets.c | 1 + 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index 5f5de45a13..cdde76e138 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h index d9431180cf..abc6822b08 100644 --- a/xen/arch/x86/include/asm/asm_defns.h +++ b/xen/arch/x86/include/asm/asm_defns.h @@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ +.macro BUILD_BUG_ON condstr, cond:vararg + .if \cond + .error "Condition \"\condstr\" not satisfied" + .endif +.endm +/* preprocessor macro to make error message more user friendly */ +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond + #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ .ifndef .L.tag; \ diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index f4b8b9d956..ca9cb0f5dd 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -164,6 +164,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 31fa63b77f..a4e94d6930 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -135,6 +135,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:11:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:11:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692843.1080380 (Exim 4.92) (envelope-from ) id 1rkZd7-0002nu-01; Thu, 14 Mar 2024 01:11:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692843.1080380; Thu, 14 Mar 2024 01:11:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZd6-0002nm-Tf; Thu, 14 Mar 2024 01:11:32 +0000 Received: by outflank-mailman (input) for mailman id 692843; Thu, 14 Mar 2024 01:11:31 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZd5-0002ne-UA for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:31 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZd5-0002Dk-TN for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZd5-00075u-SZ for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uPguRk6H36ynC6Mb6MWxQ+T6UV3bkCwyTPEIDUIQD8Y=; b=UMesuY3q4UOSEQfSnx9vkxmus5 ipcDD3xS67riIJ2b8vYwwVSPiZKghtWj9s2GgsdrBzf0tPxX0EhBZveYW/tV7nrgSIv/mqTxu9KNa mDkc9w4M+1NMo9MuzTFyOswZHSearaOhNSz/oONHLCL/wMrjZlKiCNjVtCB9OAq/X/VM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Thu, 14 Mar 2024 01:11:31 +0000 commit 76af773de5d3e68b7140cc9c5343be6746c9101c Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7) --- xen/arch/x86/include/asm/spec_ctrl_asm.h | 36 +++++++++++++++++++++----------- xen/arch/x86/x86_64/asm-offsets.c | 13 ++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index ca9cb0f5dd..97a97b2b82 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -171,16 +171,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -298,8 +305,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -379,7 +384,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -407,11 +412,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index a4e94d6930..4cd5938d7b 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -136,6 +144,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index 7c211314d8..3b2fbcd873 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -161,6 +161,12 @@ ENTRY(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8 compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 412cbeb3ec..ef517e2945 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -214,6 +214,9 @@ restore_all_guest: #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -227,6 +230,9 @@ restore_all_guest: iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -679,9 +685,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq ENTRY(common_interrupt) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:11:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:11:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692844.1080384 (Exim 4.92) (envelope-from ) id 1rkZdH-0002qv-1Y; Thu, 14 Mar 2024 01:11:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692844.1080384; Thu, 14 Mar 2024 01:11:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdG-0002qn-V7; Thu, 14 Mar 2024 01:11:42 +0000 Received: by outflank-mailman (input) for mailman id 692844; Thu, 14 Mar 2024 01:11:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdG-0002qa-1Z for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdG-0002FR-0O for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZdF-00076L-Vk for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:41 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=E0jHxIuASMZAqwJfwna24S0zsK973r0XxS65EnpqC1U=; b=FSrt1XEFvaCHPjxVgczat3mnct tQIDqV/pPPMbbQsrxnVoaJh1ichoNWCKQbEADTD85yA4gQTWyd3BOjI8fccHZ74MLs2gkqFTUWgu4 ZnS28zMy/w0LcOup0pUwU/cIVjYv3kFps69YTK75gMeIVnyl44d9619qJ3Da1reaf7RQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Thu, 14 Mar 2024 01:11:41 +0000 commit d55d52961d13d4fcd1441fcfca98f690e687b941 Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit f7603ca252e4226739eb3129a5290ee3da3f8ea4) --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 2006697226..d909ec94fe 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2324,7 +2324,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2349,7 +2349,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2366,11 +2366,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen and on idle. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 25a18ac598..e12ec9930c 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -37,8 +37,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static int8_t __initdata opt_rsb_pv = -1; static bool __initdata opt_rsb_hvm = true; -static int8_t __ro_after_init opt_md_clear_pv = -1; -static int8_t __ro_after_init opt_md_clear_hvm = -1; +static int8_t __ro_after_init opt_verw_pv = -1; +static int8_t __ro_after_init opt_verw_hvm = -1; static int8_t __ro_after_init opt_ibpb_entry_pv = -1; static int8_t __ro_after_init opt_ibpb_entry_hvm = -1; @@ -78,7 +78,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __ro_after_init opt_fb_clear_mmio; +static bool __ro_after_init opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -120,8 +120,8 @@ static int __init cf_check parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -152,14 +152,14 @@ static int __init cf_check parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -204,21 +204,22 @@ static int __init cf_check parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -540,8 +541,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -562,13 +563,13 @@ static void __init print_details(enum ind_thunk thunk) boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || amd_virt_spec_ctrl || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || amd_virt_spec_ctrl) ? " MSR_VIRT_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -577,11 +578,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1514,8 +1515,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1878,19 +1879,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1903,12 +1905,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:11:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:11:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692845.1080387 (Exim 4.92) (envelope-from ) id 1rkZdR-0002uD-4O; Thu, 14 Mar 2024 01:11:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692845.1080387; Thu, 14 Mar 2024 01:11:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdR-0002u6-1n; Thu, 14 Mar 2024 01:11:53 +0000 Received: by outflank-mailman (input) for mailman id 692845; Thu, 14 Mar 2024 01:11:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdQ-0002tw-48 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdQ-0002Ff-3N for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZdQ-00076l-2W for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:11:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LvUK76QPEDn02heCjKitlDF4azfFyTM86F4rGqPpSVg=; b=O/HsKgub89Q09Bs68TeA2NZGwX Td6A5m6jU+FE/lZZJWTCgnGt5J8kskzr53HojW3oNynrQUyw6Yz8WMwaOFlHVdAQMktTWXb12ytgX 3cm0girLrnRDF8hS/XhHxXcb+KGwTem87ZZQEKNRChD/LhONleMZ2DYBbA5+Hi9CDkCY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Thu, 14 Mar 2024 01:11:52 +0000 commit 6663430b442fdf9698bd8e03f701a4547309ad71 Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2) --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index e12ec9930c..adb6bc74e8 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1531,7 +1531,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1867,50 +1867,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:12:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:12:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692846.1080392 (Exim 4.92) (envelope-from ) id 1rkZdb-0002wm-61; Thu, 14 Mar 2024 01:12:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692846.1080392; Thu, 14 Mar 2024 01:12:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdb-0002wf-3I; Thu, 14 Mar 2024 01:12:03 +0000 Received: by outflank-mailman (input) for mailman id 692846; Thu, 14 Mar 2024 01:12:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZda-0002wX-9E for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZda-0002Fz-8R for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZda-00077q-5j for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=C8xmHZGbYOf9y0sl96xBqMavBtkz8c1kG1Cxu37x3HQ=; b=Hbn3poyghGxzyc25EzskrpmfEm 5ftsmWJP+TQoyJfcqRU+miEtnW6HdaeWRwC5QwzcqrDySgklECS/1INeI+Jh2yM045BNkId1OWk0F GnN3DNziVFKpNCOaT44WLhEUbTbGta99584NgS5aVtogT0gJofsC83pTWl0Ii/4WP0co=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Thu, 14 Mar 2024 01:12:02 +0000 commit d85481135d87abbbf1feab18b749288fa08b65f2 Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit fb5b6f6744713410c74cfc12b7176c108e3c9a31) --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/include/asm/cpufeature.h | 3 + xen/arch/x86/include/asm/msr-index.h | 2 + xen/arch/x86/spec_ctrl.c | 100 ++++++++++++++++++++++++++-- xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 111 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index aefc140d66..5ceea8be07 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -172,7 +172,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -237,7 +237,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 7b875a7221..96c2cee1a8 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -444,6 +444,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -493,6 +494,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index ec824e8954..a6b8af1296 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -140,6 +140,7 @@ #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_avx512_fp16 boot_cpu_has(X86_FEATURE_AVX512_FP16) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) @@ -161,6 +162,8 @@ #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h index 6abf7bc34a..9b5f67711f 100644 --- a/xen/arch/x86/include/asm/msr-index.h +++ b/xen/arch/x86/include/asm/msr-index.h @@ -88,6 +88,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index adb6bc74e8..1ee81e2dfe 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -24,6 +24,7 @@ #include #include +#include #include #include #include @@ -447,7 +448,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -463,6 +464,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -473,7 +475,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -491,6 +493,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1359,6 +1362,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case INTEL_FAM6_ALDERLAKE: + case INTEL_FAM6_RAPTORLAKE: + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + fallthrough; + case INTEL_FAM6_ALDERLAKE_L: + case INTEL_FAM6_RAPTORLAKE_P: + case INTEL_FAM6_RAPTORLAKE_S: + + case INTEL_FAM6_ATOM_GOLDMONT: /* Apollo Lake */ + case INTEL_FAM6_ATOM_GOLDMONT_D: /* Denverton */ + case INTEL_FAM6_ATOM_GOLDMONT_PLUS: /* Gemini Lake */ + case INTEL_FAM6_ATOM_TREMONT_D: /* Snow Ridge / Parker Ridge */ + case INTEL_FAM6_ATOM_TREMONT: /* Elkhart Lake */ + case INTEL_FAM6_ATOM_TREMONT_L: /* Jasper Lake */ + case INTEL_FAM6_ATOM_GRACEMONT: /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1872,6 +1952,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1901,8 +1982,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1934,15 +2019,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1956,7 +2045,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index aec1407613..113e6cadc1 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -264,6 +264,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(AVX512_FP16, 9*32+23) /* AVX512 FP16 instructions */ @@ -330,6 +331,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:12:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:12:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692847.1080395 (Exim 4.92) (envelope-from ) id 1rkZdl-0002zm-7i; Thu, 14 Mar 2024 01:12:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692847.1080395; Thu, 14 Mar 2024 01:12:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdl-0002zf-52; Thu, 14 Mar 2024 01:12:13 +0000 Received: by outflank-mailman (input) for mailman id 692847; Thu, 14 Mar 2024 01:12:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdk-0002zY-D9 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdk-0002G7-CR for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZdk-00078M-Aw for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=locF6gIuzChZHifqPQdRdtHf38r4jD6NNPUpL9TN9Ys=; b=exsqFJHju+CHNOsYzJGo9Ig71T PEL4hOpdNZK2VxIRXFGRNDimYyQywdW9Yw85X6X86+E4X8dS/vduz+CGvbVo9pu45Mxc32tPlK5fK Bl/NlLBAik64+U/4wo4qWMHNGyKdBketC+eb5mYC+l6CTn9EF+n8Lz6Q7z4LThCR2dMo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/paging: Delete update_cr3()'s do_locking parameter Message-Id: Date: Thu, 14 Mar 2024 01:12:12 +0000 commit bf70ce8b3449c49eb828d5b1f4934a49b00fef35 Author: Andrew Cooper AuthorDate: Wed Sep 20 20:06:53 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/paging: Delete update_cr3()'s do_locking parameter Nicola reports that the XSA-438 fix introduced new MISRA violations because of some incidental tidying it tried to do. The parameter is useless, so resolve the MISRA regression by removing it. hap_update_cr3() discards the parameter entirely, while sh_update_cr3() uses it to distinguish internal and external callers and therefore whether the paging lock should be taken. However, we have paging_lock_recursive() for this purpose, which also avoids the ability for the shadow internal callers to accidentally not hold the lock. Fixes: fb0ff49fe9f7 ("x86/shadow: defer releasing of PV's top-level shadow reference") Reported-by: Nicola Vetrini Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich Release-acked-by: Henry Wang (cherry picked from commit e71157d1ac2a7fbf413130663cf0a93ff9fbcf7e) --- xen/arch/x86/include/asm/paging.h | 5 ++--- xen/arch/x86/mm/hap/hap.c | 5 ++--- xen/arch/x86/mm/shadow/common.c | 2 +- xen/arch/x86/mm/shadow/multi.c | 17 ++++++++--------- xen/arch/x86/mm/shadow/none.c | 3 +-- 5 files changed, 14 insertions(+), 18 deletions(-) diff --git a/xen/arch/x86/include/asm/paging.h b/xen/arch/x86/include/asm/paging.h index 94c590f31a..809ff35d9a 100644 --- a/xen/arch/x86/include/asm/paging.h +++ b/xen/arch/x86/include/asm/paging.h @@ -138,8 +138,7 @@ struct paging_mode { paddr_t ga, uint32_t *pfec, unsigned int *page_order); #endif - pagetable_t (*update_cr3 )(struct vcpu *v, bool do_locking, - bool noflush); + pagetable_t (*update_cr3 )(struct vcpu *v, bool noflush); void (*update_paging_modes )(struct vcpu *v); bool (*flush_tlb )(const unsigned long *vcpu_bitmap); @@ -312,7 +311,7 @@ static inline unsigned long paging_ga_to_gfn_cr3(struct vcpu *v, * as the value to load into the host CR3 to schedule this vcpu */ static inline pagetable_t paging_update_cr3(struct vcpu *v, bool noflush) { - return paging_get_hostmode(v)->update_cr3(v, 1, noflush); + return paging_get_hostmode(v)->update_cr3(v, noflush); } /* Update all the things that are derived from the guest's CR0/CR3/CR4. diff --git a/xen/arch/x86/mm/hap/hap.c b/xen/arch/x86/mm/hap/hap.c index 57a19c3d59..3ad39a7dd7 100644 --- a/xen/arch/x86/mm/hap/hap.c +++ b/xen/arch/x86/mm/hap/hap.c @@ -739,8 +739,7 @@ static bool cf_check hap_invlpg(struct vcpu *v, unsigned long linear) return 1; } -static pagetable_t cf_check hap_update_cr3( - struct vcpu *v, bool do_locking, bool noflush) +static pagetable_t cf_check hap_update_cr3(struct vcpu *v, bool noflush) { v->arch.hvm.hw_cr[3] = v->arch.hvm.guest_cr[3]; hvm_update_guest_cr3(v, noflush); @@ -826,7 +825,7 @@ static void cf_check hap_update_paging_modes(struct vcpu *v) } /* CR3 is effectively updated by a mode change. Flush ASIDs, etc. */ - hap_update_cr3(v, 0, false); + hap_update_cr3(v, false); unlock: paging_unlock(d); diff --git a/xen/arch/x86/mm/shadow/common.c b/xen/arch/x86/mm/shadow/common.c index c0940f939e..18714dbd02 100644 --- a/xen/arch/x86/mm/shadow/common.c +++ b/xen/arch/x86/mm/shadow/common.c @@ -2579,7 +2579,7 @@ static void sh_update_paging_modes(struct vcpu *v) } #endif /* OOS */ - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); } void cf_check shadow_update_paging_modes(struct vcpu *v) diff --git a/xen/arch/x86/mm/shadow/multi.c b/xen/arch/x86/mm/shadow/multi.c index c92b354a78..e54a507b54 100644 --- a/xen/arch/x86/mm/shadow/multi.c +++ b/xen/arch/x86/mm/shadow/multi.c @@ -2506,7 +2506,7 @@ static int cf_check sh_page_fault( * In any case, in the PAE case, the ASSERT is not true; it can * happen because of actions the guest is taking. */ #if GUEST_PAGING_LEVELS == 3 - v->arch.paging.mode->update_cr3(v, 0, false); + v->arch.paging.mode->update_cr3(v, false); #else ASSERT(d->is_shutting_down); #endif @@ -3224,17 +3224,13 @@ static void cf_check sh_detach_old_tables(struct vcpu *v) } } -static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking, - bool noflush) +static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool noflush) /* Updates vcpu->arch.cr3 after the guest has changed CR3. * Paravirtual guests should set v->arch.guest_table (and guest_table_user, * if appropriate). * HVM guests should also make sure hvm_get_guest_cntl_reg(v, 3) works; * this function will call hvm_update_guest_cr(v, 3) to tell them where the * shadow tables are. - * If do_locking != 0, assume we are being called from outside the - * shadow code, and must take and release the paging lock; otherwise - * that is the caller's responsibility. */ { struct domain *d = v->domain; @@ -3252,7 +3248,11 @@ static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking, return old_entry; } - if ( do_locking ) paging_lock(v->domain); + /* + * This is used externally (with the paging lock not taken) and internally + * by the shadow code (with the lock already taken). + */ + paging_lock_recursive(v->domain); #if (SHADOW_OPTIMIZATIONS & SHOPT_OUT_OF_SYNC) /* Need to resync all the shadow entries on a TLB flush. Resync @@ -3480,8 +3480,7 @@ static pagetable_t cf_check sh_update_cr3(struct vcpu *v, bool do_locking, shadow_sync_other_vcpus(v); #endif - /* Release the lock, if we took it (otherwise it's the caller's problem) */ - if ( do_locking ) paging_unlock(v->domain); + paging_unlock(v->domain); return old_entry; } diff --git a/xen/arch/x86/mm/shadow/none.c b/xen/arch/x86/mm/shadow/none.c index 743c0ffb85..7e4e386cd0 100644 --- a/xen/arch/x86/mm/shadow/none.c +++ b/xen/arch/x86/mm/shadow/none.c @@ -52,8 +52,7 @@ static unsigned long cf_check _gva_to_gfn( } #endif -static pagetable_t cf_check _update_cr3(struct vcpu *v, bool do_locking, - bool noflush) +static pagetable_t cf_check _update_cr3(struct vcpu *v, bool noflush) { ASSERT_UNREACHABLE(); return pagetable_null(); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:12:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:12:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692848.1080400 (Exim 4.92) (envelope-from ) id 1rkZdv-00032x-AO; Thu, 14 Mar 2024 01:12:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692848.1080400; Thu, 14 Mar 2024 01:12:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdv-00032p-7r; Thu, 14 Mar 2024 01:12:23 +0000 Received: by outflank-mailman (input) for mailman id 692848; Thu, 14 Mar 2024 01:12:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdu-00032h-G7 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZdu-0002GF-FO for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZdu-0007AK-EW for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=V7Vg4nTAqbD0jgarF18J0cV2OLMNcbqj5ThARFNb3mM=; b=TcCOx1/4lRD77SEqZa6itodo6Y z/SdLin5iNX1VdepSpnjZaqVbVANptsZ4y8SUZGMK8q5b9xG4fdb7YMYTPk0vU+14/QzOxBoNVkGe Ls1ohFy5hIJQcK+QTpSRGTMH7MvkH/fHHjKC84mV8eFAFObCrIDfdrhwR1S/5e1zqCsw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Thu, 14 Mar 2024 01:12:22 +0000 commit 0a53565f1886201cc8a8afe9b2619ee297c20955 Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit c4f427ec879e7c0df6d44d02561e8bee838a293e) --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 3dc61bcc3c..211685a5d2 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -80,8 +80,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 16979a117c..d857298011 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:12:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:12:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692849.1080404 (Exim 4.92) (envelope-from ) id 1rkZe5-00035e-C3; Thu, 14 Mar 2024 01:12:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692849.1080404; Thu, 14 Mar 2024 01:12:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZe5-00035W-9H; Thu, 14 Mar 2024 01:12:33 +0000 Received: by outflank-mailman (input) for mailman id 692849; Thu, 14 Mar 2024 01:12:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZe4-00035Q-JU for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZe4-0002Gf-IU for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZe4-0007An-Hn for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vTOroEFOFtJd0xwOxAEaTWfPbXiyCpCyu3ncq+7SEc8=; b=10zd9HzOjmE+3NEp0jE9ouEUW0 2nJ3A0m8wc3gzwnEvWoN+2TZaZ4++HmGE1yuxSG/sSUSOJetas02EnsQPEpcpC9Q6h17hYDLAB0hT UI7kY+JuwShYvmpb0SYqy43RXcCtORT0Go8NxqHfBbOuCgMH4hANM6Xf6gbFHqAMeIt4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Thu, 14 Mar 2024 01:12:32 +0000 commit 9d2f136328aab5537b7180a1b23e171893ebe455 Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 7ef0084418e188d05f338c3e028fbbe8b6924afa) --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/include/asm/cpufeatures.h | 2 +- xen/arch/x86/include/asm/nospec.h | 26 ++++++++++++++++++++++++ xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++--- xen/common/Kconfig | 17 ++++++++++++++++ xen/include/xen/nospec.h | 15 ++++++++++++++ xen/include/xen/spinlock.h | 37 ++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index d909ec94fe..e1d56407dd 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2327,7 +2327,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2454,6 +2454,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h index c3aad21c3b..7e8221fd85 100644 --- a/xen/arch/x86/include/asm/cpufeatures.h +++ b/xen/arch/x86/include/asm/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_NO_BRANCH_HARDEN, X86_SYNTH(15)) /* (Disable) Conditional branch hardening */ diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h index 7150e76b87..0725839e19 100644 --- a/xen/arch/x86/include/asm/nospec.h +++ b/xen/arch/x86/include/asm/nospec.h @@ -38,6 +38,32 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 1ee81e2dfe..ac21af2c5c 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -65,6 +65,7 @@ int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; static bool __initdata opt_branch_harden = IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH); +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -133,6 +134,7 @@ static int __init cf_check parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -298,6 +300,16 @@ static int __init cf_check parse_spec_ctrl(const char *s) rc = -EINVAL; } } + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -500,7 +512,8 @@ static void __init print_details(enum ind_thunk thunk) if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || - IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" @@ -516,11 +529,14 @@ static void __init print_details(enum ind_thunk thunk) #endif #ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS " HARDEN_GUEST_ACCESS" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk != THUNK_NONE ? "BTI-Thunk: " : "", thunk == THUNK_NONE ? "" : thunk == THUNK_RETPOLINE ? "RETPOLINE, " : @@ -547,7 +563,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1930,6 +1947,9 @@ void __init init_speculation_mitigations(void) if ( !opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_NO_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index e7794cb7f6..cd73851538 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -173,6 +173,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config DIT_DEFAULT diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4552846403 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -70,6 +70,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 961891bea4..daf48fdea7 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include #include @@ -189,13 +190,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -203,7 +221,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -224,8 +242,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:12:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:12:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692850.1080408 (Exim 4.92) (envelope-from ) id 1rkZeF-00038M-DR; Thu, 14 Mar 2024 01:12:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692850.1080408; Thu, 14 Mar 2024 01:12:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZeF-00038F-Al; Thu, 14 Mar 2024 01:12:43 +0000 Received: by outflank-mailman (input) for mailman id 692850; Thu, 14 Mar 2024 01:12:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZeE-000384-MY for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZeE-0002Gq-LP for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZeE-0007BU-Kg for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8lXMsYZh+ui+kKWDYFzK0X2m0mIVxQPZqLouBPkX/i8=; b=ur4B0nlM7ewu/MMxAnEfHFsNxt 0ISfzECwRKP0sX3MEnCg4NzmXPD4k+IInEgxi7tfrmJyTFeQsc+Scy3xs9rgZECJJRpoNoA+0i2nf Cg44MSjntxQqVeF5ya6GXIukx4itkggN3k+0A0gzhIOXl3+P0UcdxrmOxSB/EOn1Plww=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Thu, 14 Mar 2024 01:12:42 +0000 commit 7454dad6ee15f9fa6d84fc285d366b86f3d47494 Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit a1fb15f61692b1fa9945fc51f55471ace49cdd59) --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index aa15529bbe..cda06b9d6e 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -64,8 +67,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 0cc9167715..fd0458be94 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -247,27 +247,49 @@ static inline int _rw_is_write_locked(rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:12:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:12:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692851.1080413 (Exim 4.92) (envelope-from ) id 1rkZeP-0003B8-Fw; Thu, 14 Mar 2024 01:12:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692851.1080413; Thu, 14 Mar 2024 01:12:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZeP-0003B0-CT; Thu, 14 Mar 2024 01:12:53 +0000 Received: by outflank-mailman (input) for mailman id 692851; Thu, 14 Mar 2024 01:12:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZeO-0003As-Qd for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZeO-0002Gy-Q1 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZeO-0007C3-NX for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:12:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9Z/BzUr6eCe5p1TZtgixKOXhAJCb1xyv9o7omYLeGOQ=; b=PAd/bjuJdLS2/R5w6JAUpLVZY5 M6vykNb1gg/gs6f9hTk9IyXVZn39jDz6Cg7jTPE43K4DL4V9rNceaqLxNubOGytUpzus2SH1Y/GL2 Vz40MP9sB3lLYMe1Y63/NwGsjOUYafl1+KulgRlxGf5vmkrX8Ayyj27a5QzH4JpHKJ90=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Thu, 14 Mar 2024 01:12:52 +0000 commit 468a368b2e5a38fc0be8e9e5f475820f7e4a6b4f Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit f218daf6d3a3b847736d37c6a6b76031a0d08441) --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index cda06b9d6e..4da0ed8fad 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -125,8 +125,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index fd0458be94..abe0804bf7 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -326,8 +326,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -362,6 +362,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -410,8 +412,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:13:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:13:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692852.1080416 (Exim 4.92) (envelope-from ) id 1rkZea-0003EM-IS; Thu, 14 Mar 2024 01:13:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692852.1080416; Thu, 14 Mar 2024 01:13:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZea-0003EE-Fg; Thu, 14 Mar 2024 01:13:04 +0000 Received: by outflank-mailman (input) for mailman id 692852; Thu, 14 Mar 2024 01:13:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZeY-0003E2-UI for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:13:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZeY-0002HL-TU for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:13:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZeY-0007Cr-Sk for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:13:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Teb9L1jYK35DenSxU/8jPvbt4f2GWFN/AS37d/vVciY=; b=JFiX68607uOixGWgUDZcWFKWg4 rj+jJb3hHYUai9ypgtWJcuvTdkHtBSNR6xel2kTYiA2n3XTRyuN1unviLsLlE3NhrValUIpWzy5KP 6cSbbcCcOoz9buCFyJGIDLEAhGAkZdjzQv6g8E7aoPHTzO5p2gBzgVj4Y7ObH0lnnpFw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Thu, 14 Mar 2024 01:13:02 +0000 commit 2cc5e57be680a516aa5cdef4281856d09b9d0ea6 Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 197ecd838a2aaf959a469df3696d4559c4f8b762) --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/include/asm/irq.h | 1 + xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 5 +++-- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 40 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index cb1d81bf9e..66f1095245 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -161,7 +161,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -180,9 +180,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h index f6a0207a80..823d627fd0 100644 --- a/xen/arch/x86/include/asm/irq.h +++ b/xen/arch/x86/include/asm/irq.h @@ -178,6 +178,7 @@ void cf_check irq_complete_move(struct irq_desc *); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index c1523aeccf..265239c49f 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -86,8 +86,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -137,8 +137,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == get_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -149,6 +149,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -162,8 +164,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -178,15 +180,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -321,7 +323,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index fc110506dc..99dbcb3101 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -36,7 +36,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index f5e0b12d15..dada9f15f5 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -62,7 +62,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -364,7 +364,8 @@ int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc, evtchn_port_t port) return rc; } -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index ee7cc496b8..62a8685cd5 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -410,7 +410,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -420,7 +420,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -457,7 +457,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 078beb1adb..29bbab5ac6 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 0527a8c70d..24a93dd0c1 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -207,8 +207,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -220,10 +236,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 9b5016d5ed..459668d417 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -240,7 +240,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool_t timer_lock(struct timer *timer) +static inline bool_t timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -254,7 +254,8 @@ static inline bool_t timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -267,8 +268,9 @@ static inline bool_t timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool_t __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 8c62b14d19..1b3d285166 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index 8eae9984a9..dd96e84c69 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -114,12 +114,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index 5975ca2f30..b373f139d1 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -155,8 +155,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool_t __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:13:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:13:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692853.1080420 (Exim 4.92) (envelope-from ) id 1rkZek-0003Ip-K1; Thu, 14 Mar 2024 01:13:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692853.1080420; Thu, 14 Mar 2024 01:13:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZek-0003Ih-HQ; Thu, 14 Mar 2024 01:13:14 +0000 Received: by outflank-mailman (input) for mailman id 692853; Thu, 14 Mar 2024 01:13:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZej-0003IV-0p for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:13:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZej-0002HU-09 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:13:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZei-0007DK-Vp for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:13:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ELPSlFuO9GDv/ilvXzKNlSHCXDYg9VlFEWZ6v6u322w=; b=H8fyNpPpg+/rGAbuFjstOjmCfw 0YD2wKNp/gnJJAiU7OaVP/X7LqYvOrfvi4mVwtzKbHg5FcEeq2zlnuMTw+mDICInN/xjGTZvF5UAj 6ICHn5nrmZgfHHQ/UA4xLVM/3QdGqAJrk2ia08kSFseuorNcBJIY/vxyL9IAR10RVeWs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Thu, 14 Mar 2024 01:13:12 +0000 commit 074b4c8987db235a0b86798810c045f68e4775b6 Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 42a572a38e22a97d86a4b648a22597628d5b42e4) --- xen/arch/x86/include/asm/mm.h | 4 +++- xen/arch/x86/mm.c | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h index a5d7fdd32e..5845b729c3 100644 --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -393,7 +393,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 330c4abcd1..8d19d719bd 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2033,7 +2033,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2094,7 +2094,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2103,6 +2103,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 01:13:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 01:13:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.692854.1080423 (Exim 4.92) (envelope-from ) id 1rkZeu-0003LZ-Lg; Thu, 14 Mar 2024 01:13:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 692854.1080423; Thu, 14 Mar 2024 01:13:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZeu-0003LR-Iv; Thu, 14 Mar 2024 01:13:24 +0000 Received: by outflank-mailman (input) for mailman id 692854; Thu, 14 Mar 2024 01:13:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZet-0003LI-4I for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:13:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkZet-0002He-3X for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:13:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkZet-0007Dn-2c for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 01:13:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QC45KjhyMz3nZAVSVxgVLk3S3Wu1H8fj4ki/bkRP9dc=; b=Y+S2cqKQRoWm7UIO0P9QrXF9kf lQuFniGBdhwj5U+WqByJAxaHxKjkm9NEpXFbpC+qay6u0d00I0djHinoF+4HTJlAqTzdPSd+SNM+a 7RH3Hr/b0PpMYG8a44Th7WHYAEXGXkBwxi3k2BN2YfpgkOqCWyY2x7RTdBvW3oPRL2wo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86: protect conditional lock taking from speculative execution Message-Id: Date: Thu, 14 Mar 2024 01:13:23 +0000 commit 0ebd2e49bcd0f566ba6b9158555942aab8e41332 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:13:03 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 03cf7ca23e0e876075954c558485b267b7d02406) --- xen/arch/x86/mm.c | 35 +++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 32 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 8d19d719bd..d31b8d56ff 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5023,8 +5023,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; UNMAP_DOMAIN_PAGE(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_mfn(l3mfn, __PAGE_HYPERVISOR); @@ -5061,8 +5060,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_mfn(l2mfn, __PAGE_HYPERVISOR)); @@ -5100,8 +5098,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_mfn(l1mfn, __PAGE_HYPERVISOR)); @@ -5132,6 +5129,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5347,8 +5346,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5452,8 +5450,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5494,8 +5491,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5549,8 +5545,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5694,8 +5689,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l3e_get_flags(*pl3e))); UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5754,8 +5748,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_get_flags(*pl2e) & ~_PAGE_PSE)); UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5799,8 +5792,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5847,8 +5839,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 265239c49f..3ea2d8eb03 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -347,6 +347,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index b28c899b5e..1fa9e01012 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -292,9 +292,8 @@ mfn_t p2m_get_gfn_type_access(struct p2m_domain *p2m, gfn_t gfn, if ( q & P2M_UNSHARE ) q |= P2M_ALLOC; - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index daf48fdea7..7e75d0e2e7 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -216,6 +216,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:00:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:00:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693194.1080936 (Exim 4.92) (envelope-from ) id 1rkkgn-0002YV-Qk; Thu, 14 Mar 2024 13:00:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693194.1080936; Thu, 14 Mar 2024 13:00:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkgn-0002YG-Lx; Thu, 14 Mar 2024 13:00:05 +0000 Received: by outflank-mailman (input) for mailman id 693194; Thu, 14 Mar 2024 13:00:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkgm-0002J2-DA for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkgm-00008H-AM for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkgm-0001pr-5r for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=4Sn0MJUVPidzCmGolUd+lCSo9ybyo8G+o9gYhTfBPH0=; b=Ya/RKJoGlk5vqFd9wDZHlQDHkV Vi9K9WCxNnNjeCOJzGgg88+vOiUY1mI7sbj1dCcdQ/dNBPDYf/zOXlOSdxlr57hyZEJ4cTcY003ei JTP1mEVoRig/5tRm751HuMxuMtytV01fWExjsNNrRiMuEuEjTXnQo4rdrXRN5bGdaNlg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] restrict concept of pIRQ to x86 Message-Id: Date: Thu, 14 Mar 2024 13:00:04 +0000 commit 13a7b0f9f747b6ecba7a08ea63255093767359c0 Author: Jan Beulich AuthorDate: Thu Mar 14 13:51:19 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:51:19 2024 +0100 restrict concept of pIRQ to x86 ... by way of a new arch-selectable Kconfig control. Note that some smaller pieces of code are left without #ifdef, to keep things better readable. Hence items like ECS_PIRQ, nr_static_irqs, or domain_pirq_to_irq() remain uniformly. As to XEN_DOMCTL_irq_permission - this, despite having a uniformly available wrapper in libxc, is unused on Arm: libxl bypasses those calls, and the Python and OCamL bindings have no users at all. Signed-off-by: Jan Beulich Acked-by: Julien Grall --- docs/misc/xen-command-line.pandoc | 2 +- xen/arch/arm/include/asm/irq.h | 1 - xen/arch/x86/Kconfig | 1 + xen/common/Kconfig | 3 +++ xen/common/domain.c | 14 ++++++++++++++ xen/common/domctl.c | 2 ++ xen/common/event_channel.c | 14 ++++++++++++-- xen/include/xen/sched.h | 2 ++ 8 files changed, 35 insertions(+), 4 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 54edbc0fbc..04f1415fc3 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1165,7 +1165,7 @@ introduced with the Nehalem architecture. intended as an emergency option for people who first chose fast, then change their minds to secure, and wish not to reboot.** -### extra_guest_irqs +### extra_guest_irqs (x86) > `= [][,]` > Default: `32,` diff --git a/xen/arch/arm/include/asm/irq.h b/xen/arch/arm/include/asm/irq.h index c8044b0371..1bae538887 100644 --- a/xen/arch/arm/include/asm/irq.h +++ b/xen/arch/arm/include/asm/irq.h @@ -52,7 +52,6 @@ struct arch_irq_desc { extern const unsigned int nr_irqs; #define nr_static_irqs NR_IRQS -#define arch_hwdom_irqs(domid) NR_IRQS struct irq_desc; struct irqaction; diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig index 01c6bea480..d6f3128588 100644 --- a/xen/arch/x86/Kconfig +++ b/xen/arch/x86/Kconfig @@ -26,6 +26,7 @@ config X86 select HAS_PASSTHROUGH select HAS_PCI select HAS_PCI_MSI + select HAS_PIRQ select HAS_SCHED_GRANULARITY select HAS_UBSAN select HAS_VPCI if HVM diff --git a/xen/common/Kconfig b/xen/common/Kconfig index a5c3d5a6bf..cff3166ff9 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -71,6 +71,9 @@ config HAS_IOPORTS config HAS_KEXEC bool +config HAS_PIRQ + bool + config HAS_PMAP bool diff --git a/xen/common/domain.c b/xen/common/domain.c index f6f5574996..1f0d23a1e0 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -350,6 +350,8 @@ static int late_hwdom_init(struct domain *d) #endif } +#ifdef CONFIG_HAS_PIRQ + static unsigned int __read_mostly extra_hwdom_irqs; static unsigned int __read_mostly extra_domU_irqs = 32; @@ -364,6 +366,8 @@ static int __init cf_check parse_extra_guest_irqs(const char *s) } custom_param("extra_guest_irqs", parse_extra_guest_irqs); +#endif /* CONFIG_HAS_PIRQ */ + static int __init cf_check parse_dom0_param(const char *s) { const char *ss; @@ -683,6 +687,7 @@ struct domain *domain_create(domid_t domid, if ( is_system_domain(d) && !is_idle_domain(d) ) return d; +#ifdef CONFIG_HAS_PIRQ if ( !is_idle_domain(d) ) { if ( !is_hardware_domain(d) ) @@ -694,6 +699,7 @@ struct domain *domain_create(domid_t domid, radix_tree_init(&d->pirq_tree); } +#endif if ( (err = arch_domain_create(d, config, flags)) != 0 ) goto fail; @@ -793,7 +799,9 @@ struct domain *domain_create(domid_t domid, { evtchn_destroy(d); evtchn_destroy_final(d); +#ifdef CONFIG_HAS_PIRQ radix_tree_destroy(&d->pirq_tree, free_pirq_struct); +#endif } if ( init_status & INIT_watchdog ) watchdog_domain_destroy(d); @@ -1192,7 +1200,9 @@ static void cf_check complete_domain_destroy(struct rcu_head *head) evtchn_destroy_final(d); +#ifdef CONFIG_HAS_PIRQ radix_tree_destroy(&d->pirq_tree, free_pirq_struct); +#endif xfree(d->vcpu); @@ -2058,6 +2068,8 @@ long do_vm_assist(unsigned int cmd, unsigned int type) } #endif +#ifdef CONFIG_HAS_PIRQ + struct pirq *pirq_get_info(struct domain *d, int pirq) { struct pirq *info = pirq_info(d, pirq); @@ -2087,6 +2099,8 @@ void cf_check free_pirq_struct(void *ptr) call_rcu(&pirq->rcu_head, _free_pirq_struct); } +#endif /* CONFIG_HAS_PIRQ */ + struct migrate_info { long (*func)(void *data); void *data; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f5a71ee5f7..d94a9dae91 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -648,6 +648,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; +#ifdef CONFIG_HAS_PIRQ case XEN_DOMCTL_irq_permission: { unsigned int pirq = op->u.irq_permission.pirq, irq; @@ -667,6 +668,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_deny_access(d, irq); break; } +#endif case XEN_DOMCTL_iomem_permission: { diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index bbfda2538e..20f586cf5e 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -566,6 +566,7 @@ static int evtchn_bind_ipi(evtchn_bind_ipi_t *bind) return rc; } +#ifdef CONFIG_HAS_PIRQ static void link_pirq_port(int port, struct evtchn *chn, struct vcpu *v) { @@ -591,9 +592,11 @@ static void unlink_pirq_port(struct evtchn *chn, struct vcpu *v) chn->u.pirq.prev_port; } +#endif /* CONFIG_HAS_PIRQ */ static int evtchn_bind_pirq(evtchn_bind_pirq_t *bind) { +#ifdef CONFIG_HAS_PIRQ struct evtchn *chn; struct domain *d = current->domain; struct vcpu *v = d->vcpu[0]; @@ -663,6 +666,9 @@ static int evtchn_bind_pirq(evtchn_bind_pirq_t *bind) write_unlock(&d->event_lock); return rc; +#else /* !CONFIG_HAS_PIRQ */ + return -EOPNOTSUPP; +#endif } @@ -695,6 +701,7 @@ int evtchn_close(struct domain *d1, int port1, bool guest) case ECS_UNBOUND: break; +#ifdef CONFIG_HAS_PIRQ case ECS_PIRQ: { struct pirq *pirq = pirq_info(d1, chn1->u.pirq.irq); @@ -704,14 +711,13 @@ int evtchn_close(struct domain *d1, int port1, bool guest) pirq_guest_unbind(d1, pirq); pirq->evtchn = 0; pirq_cleanup_check(pirq, d1); -#ifdef CONFIG_X86 if ( is_hvm_domain(d1) && domain_pirq_to_irq(d1, pirq->pirq) > 0 ) unmap_domain_pirq_emuirq(d1, pirq->pirq); -#endif } unlink_pirq_port(chn1, d1->vcpu[chn1->notify_vcpu_id]); break; } +#endif case ECS_VIRQ: { struct vcpu *v; @@ -1121,6 +1127,8 @@ int evtchn_bind_vcpu(evtchn_port_t port, unsigned int vcpu_id) case ECS_INTERDOMAIN: chn->notify_vcpu_id = v->vcpu_id; break; + +#ifdef CONFIG_HAS_PIRQ case ECS_PIRQ: if ( chn->notify_vcpu_id == v->vcpu_id ) break; @@ -1130,6 +1138,8 @@ int evtchn_bind_vcpu(evtchn_port_t port, unsigned int vcpu_id) cpumask_of(v->processor)); link_pirq_port(port, chn, v); break; +#endif + default: rc = -EINVAL; break; diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 37f5922f32..7c6be0931a 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -439,12 +439,14 @@ struct domain struct grant_table *grant_table; +#ifdef CONFIG_HAS_PIRQ /* * Interrupt to event-channel mappings and other per-guest-pirq data. * Protected by the domain's event-channel spinlock. */ struct radix_tree_root pirq_tree; unsigned int nr_pirqs; +#endif unsigned int options; /* copy of createdomain flags */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:00:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:00:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693195.1080938 (Exim 4.92) (envelope-from ) id 1rkkgw-0002jq-QD; Thu, 14 Mar 2024 13:00:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693195.1080938; Thu, 14 Mar 2024 13:00:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkgw-0002jg-NN; Thu, 14 Mar 2024 13:00:14 +0000 Received: by outflank-mailman (input) for mailman id 693195; Thu, 14 Mar 2024 13:00:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkgw-0002ja-EH for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkgw-00008L-DS for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkgw-0001r0-CT for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=UUsjoTJP2N8RdfshiA/dIu3oWRJtlZ5cSojeQJS9xp4=; b=DXxYHwKDmk5eOzxbaKkwr8+Sep assvuUc56ygdwVjTSgUz+13ZMOWZbEqF5MF8cT35ISWKHdiFPIEh245q6VFlZxokU71KvTlI6wJP5 oqpv8CGpA0CkNfZDpOv667Ueozv39ry9AbUHJqAcoREIWt+lExznkCFwoVeSK40bXJWk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/mtrr: address violations of MISRA C:2012 Directive 4.10 Message-Id: Date: Thu, 14 Mar 2024 13:00:14 +0000 commit ec2587ab4b2af90d9ad09e52f081b3f7517e55eb Author: Maria Celeste Cesario AuthorDate: Thu Mar 14 13:52:32 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:52:32 2024 +0100 x86/mtrr: address violations of MISRA C:2012 Directive 4.10 Add inclusion guard to address violations of MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order to prevent the contents of a header file being included more than once"). Mechanical change. Signed-off-by: Maria Celeste Cesario Signed-off-by: Simone Ballarin Acked-by: Jan Beulich --- xen/arch/x86/cpu/mtrr/mtrr.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xen/arch/x86/cpu/mtrr/mtrr.h b/xen/arch/x86/cpu/mtrr/mtrr.h index a9741e0cb0..632bf658be 100644 --- a/xen/arch/x86/cpu/mtrr/mtrr.h +++ b/xen/arch/x86/cpu/mtrr/mtrr.h @@ -1,6 +1,8 @@ /* * local mtrr defines. */ +#ifndef X86_CPU_MTRR_MTRR_H +#define X86_CPU_MTRR_MTRR_H #define MTRR_CHANGE_MASK_FIXED 0x01 #define MTRR_CHANGE_MASK_VARIABLE 0x02 @@ -25,3 +27,5 @@ extern u64 size_or_mask, size_and_mask; extern unsigned int num_var_ranges; void mtrr_state_warn(void); + +#endif /* X86_CPU_MTRR_MTRR_H */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:00:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:00:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693196.1080943 (Exim 4.92) (envelope-from ) id 1rkkh6-0002mO-SP; Thu, 14 Mar 2024 13:00:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693196.1080943; Thu, 14 Mar 2024 13:00:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkh6-0002mF-Os; Thu, 14 Mar 2024 13:00:24 +0000 Received: by outflank-mailman (input) for mailman id 693196; Thu, 14 Mar 2024 13:00:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkh6-0002m9-HF for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkh6-00008Y-GR for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkh6-0001rX-FU for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EI+70gCRLXzRNol7ruhKVe+QIGCAA/2lWgBrmlfeV+0=; b=e8bCkmvLd0HbubytVtlazYxBww ZB6ubwejQ7MrdObpeaWt3hmCt/F8QKcSVTYKRzQySaU3vNN5eXA4AeOqWtOFAkdV7v3IPe05s4S/t DXfE6l+xgNJgsZ0SuemlmyWD1zcYvO4Wm0K7CarWNOuqr4gejYAft4RQVtXAPXR2ZhrU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/lz4: address violations of MISRA C:2012 Directive 4.10 Message-Id: Date: Thu, 14 Mar 2024 13:00:24 +0000 commit 3945b61ddb6b2e9f0226ebe4112d4d81463dfac7 Author: Maria Celeste Cesario AuthorDate: Thu Mar 14 13:52:46 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:52:46 2024 +0100 xen/lz4: address violations of MISRA C:2012 Directive 4.10 Add inclusion guard to address violations of MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order to prevent the contents of a header file being included more than once"). Mechanical change. Signed-off-by: Maria Celeste Cesario Signed-off-by: Simone Ballarin Acked-by: Jan Beulich --- xen/common/lz4/defs.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/xen/common/lz4/defs.h b/xen/common/lz4/defs.h index 6d81113266..ecfbf07f83 100644 --- a/xen/common/lz4/defs.h +++ b/xen/common/lz4/defs.h @@ -8,6 +8,9 @@ * published by the Free Software Foundation. */ +#ifndef COMMON_LZ4_DEFS_H +#define COMMON_LZ4_DEFS_H + #ifdef __XEN__ #include #include @@ -166,3 +169,5 @@ typedef struct _U64_S { u64 v; } U64_S; LZ4_WILDCOPY(s, d, e); \ d = e; \ } while (0) + +#endif /* COMMON_LZ4_DEFS_H */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:00:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:00:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693197.1080948 (Exim 4.92) (envelope-from ) id 1rkkhH-0002sF-Tf; Thu, 14 Mar 2024 13:00:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693197.1080948; Thu, 14 Mar 2024 13:00:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhH-0002s7-QP; Thu, 14 Mar 2024 13:00:35 +0000 Received: by outflank-mailman (input) for mailman id 693197; Thu, 14 Mar 2024 13:00:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhG-0002qV-KB for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhG-000098-JP for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkhG-0001s9-IX for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jgiLNMuE2x3wU3adrdiXr8idHH0M1e7hIHIKjPg5OUI=; b=L+XmUsL5vf2MmbVs7j63zql4uf ghGoB1qUtvj4vZKcQmZ9CrGaFyUAriIWsrHbeSGLCWLyzGzy0CIAZpWZ53cipCVwK1o68s4FJonXw OciRGQDy7rU9DfXlpNm5AaOoW67QmZJkLv/JwqTmPFAAnvYW1G8A3J2nkOOCSe9Agl2c=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/compiler: deviate the inline macro for MISRA C Rule 20.4 Message-Id: Date: Thu, 14 Mar 2024 13:00:34 +0000 commit d2686bf96483668b826b6a428679ba03402d4a52 Author: Nicola Vetrini AuthorDate: Thu Mar 14 13:54:14 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:54:14 2024 +0100 xen/compiler: deviate the inline macro for MISRA C Rule 20.4 Rule 20.4 states: "A macro shall not be defined with the same name as a keyword". Defining this macro with the same name as the inline keyword allows for additionally checking that out-of-lined static inline functions end up in the correct section while minimizing churn and has a positive impact on the overall safety. See [1] for additional context on the motivation of this deviation. No functional change. [1] https://lore.kernel.org/xen-devel/adaa6d55-266d-4df8-8967-9340080d17e4@citrix.com/ Signed-off-by: Nicola Vetrini --- docs/misra/deviations.rst | 6 ++++++ docs/misra/safe.json | 8 ++++++++ xen/include/xen/compiler.h | 1 + 3 files changed, 15 insertions(+) diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst index 6d532a872d..41fa5b31b0 100644 --- a/docs/misra/deviations.rst +++ b/docs/misra/deviations.rst @@ -328,6 +328,12 @@ Deviations related to MISRA C:2012 Rules: improve readability. - Tagged as `deliberate` for ECLAIR. + * - R20.4 + - The override of the keyword \"inline\" in xen/compiler.h is present so + that section contents checks pass when the compiler chooses not to + inline a particular function. + - Comment-based deviation. + * - R20.7 - Code violating Rule 20.7 is safe when macro parameters are used: (1) as function arguments; diff --git a/docs/misra/safe.json b/docs/misra/safe.json index 952324f85c..d361d0e65c 100644 --- a/docs/misra/safe.json +++ b/docs/misra/safe.json @@ -28,6 +28,14 @@ }, { "id": "SAF-3-safe", + "analyser": { + "eclair": "MC3R1.R20.4" + }, + "name": "MC3R1.R20.4: allow the definition of a macro with the same name as a keyword in some special cases", + "text": "The definition of a macro with the same name as a keyword can be useful in certain configurations to improve the guarantees that can be provided by Xen. See docs/misra/deviations.rst for a precise rationale for all such cases." + }, + { + "id": "SAF-4-safe", "analyser": {}, "name": "Sentinel", "text": "Next ID to be used" diff --git a/xen/include/xen/compiler.h b/xen/include/xen/compiler.h index 16d554f2a5..fc87a2edad 100644 --- a/xen/include/xen/compiler.h +++ b/xen/include/xen/compiler.h @@ -82,6 +82,7 @@ * inline functions not expanded inline get placed in .init.text. */ #include +/* SAF-3-safe MISRA C Rule 20.4: allow section checks to pass when not inlined */ #define inline inline __init #endif -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:00:46 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:00:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693198.1080950 (Exim 4.92) (envelope-from ) id 1rkkhR-0002wg-Uh; Thu, 14 Mar 2024 13:00:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693198.1080950; Thu, 14 Mar 2024 13:00:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhR-0002wY-Rw; Thu, 14 Mar 2024 13:00:45 +0000 Received: by outflank-mailman (input) for mailman id 693198; Thu, 14 Mar 2024 13:00:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhQ-0002wO-NN for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhQ-00009F-MW for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkhQ-0001si-Ln for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zwBxQZNbxcdTJgA44AzQ6GUjQobHOPbNOVf93ZLTnu8=; b=o4XcRm0Lv/tkNJsDBVswO+0VTI Tzmo568TdFCliOKwE3mYd09N0ECSmcRsNFszwASt8u6Ac+0Ui52I4A/+XrtpVqQ7OscIqH2RjDoML MxHVJCPgPvCkPA6jlfgDZdRLkYoIXcsXSg5SRj+LpkBvfPnyvDgto7JcrVed/gUg2Clo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/svm: Drop the _enabled suffix from vmcb bits Message-Id: Date: Thu, 14 Mar 2024 13:00:44 +0000 commit a6081d0176d558a96678430d9f0602e5918cd0de Author: Vaishali Thakkar AuthorDate: Thu Mar 14 13:54:43 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:54:43 2024 +0100 x86/svm: Drop the _enabled suffix from vmcb bits The suffix is redundant for np/sev/sev-es bits. Drop it to avoid adding extra code volume. Also, while we're here, drop the double negations in one of the instances of _np bit, replace 0/1 with false/true in the use cases of _np and use VMCB accessors instead of open coding. Suggested-by: Andrew Cooper Signed-off-by: Vaishali Thakkar Reviewed-by: Andrew Cooper --- xen/arch/x86/hvm/svm/nestedsvm.c | 14 +++++++------- xen/arch/x86/hvm/svm/svm.c | 2 +- xen/arch/x86/hvm/svm/vmcb.c | 2 +- xen/arch/x86/include/asm/hvm/svm/vmcb.h | 20 ++++++++++---------- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/xen/arch/x86/hvm/svm/nestedsvm.c b/xen/arch/x86/hvm/svm/nestedsvm.c index e4e01add8c..07630d74d3 100644 --- a/xen/arch/x86/hvm/svm/nestedsvm.c +++ b/xen/arch/x86/hvm/svm/nestedsvm.c @@ -571,7 +571,7 @@ static int nsvm_vmcb_prepare4vmrun(struct vcpu *v, struct cpu_user_regs *regs) if ( nestedhvm_paging_mode_hap(v) ) { /* host nested paging + guest nested paging. */ - n2vmcb->_np_enable = 1; + vmcb_set_np(n2vmcb, true); nestedsvm_vmcb_set_nestedp2m(v, ns_vmcb, n2vmcb); @@ -585,7 +585,7 @@ static int nsvm_vmcb_prepare4vmrun(struct vcpu *v, struct cpu_user_regs *regs) else if ( paging_mode_hap(v->domain) ) { /* host nested paging + guest shadow paging. */ - n2vmcb->_np_enable = 1; + vmcb_set_np(n2vmcb, true); /* Keep h_cr3 as it is. */ n2vmcb->_h_cr3 = n1vmcb->_h_cr3; /* When l1 guest does shadow paging @@ -601,7 +601,7 @@ static int nsvm_vmcb_prepare4vmrun(struct vcpu *v, struct cpu_user_regs *regs) else { /* host shadow paging + guest shadow paging. */ - n2vmcb->_np_enable = 0; + vmcb_set_np(n2vmcb, false); n2vmcb->_h_cr3 = 0x0; /* TODO: Once shadow-shadow paging is in place come back to here @@ -706,7 +706,7 @@ nsvm_vcpu_vmentry(struct vcpu *v, struct cpu_user_regs *regs, } /* nested paging for the guest */ - svm->ns_hap_enabled = !!ns_vmcb->_np_enable; + svm->ns_hap_enabled = vmcb_get_np(ns_vmcb); /* Remember the V_INTR_MASK in hostflags */ svm->ns_hostflags.fields.vintrmask = !!ns_vmcb->_vintr.fields.intr_masking; @@ -1084,7 +1084,7 @@ nsvm_vmcb_prepare4vmexit(struct vcpu *v, struct cpu_user_regs *regs) if ( nestedhvm_paging_mode_hap(v) ) { /* host nested paging + guest nested paging. */ - ns_vmcb->_np_enable = n2vmcb->_np_enable; + vmcb_set_np(ns_vmcb, vmcb_get_np(n2vmcb)); ns_vmcb->_cr3 = n2vmcb->_cr3; /* The vmcb->h_cr3 is the shadowed h_cr3. The original * unshadowed guest h_cr3 is kept in ns_vmcb->h_cr3, @@ -1093,7 +1093,7 @@ nsvm_vmcb_prepare4vmexit(struct vcpu *v, struct cpu_user_regs *regs) else if ( paging_mode_hap(v->domain) ) { /* host nested paging + guest shadow paging. */ - ns_vmcb->_np_enable = 0; + vmcb_set_np(ns_vmcb, false); /* Throw h_cr3 away. Guest is not allowed to set it or * it can break out, otherwise (security hole!) */ ns_vmcb->_h_cr3 = 0x0; @@ -1104,7 +1104,7 @@ nsvm_vmcb_prepare4vmexit(struct vcpu *v, struct cpu_user_regs *regs) else { /* host shadow paging + guest shadow paging. */ - ns_vmcb->_np_enable = 0; + vmcb_set_np(ns_vmcb, false); ns_vmcb->_h_cr3 = 0x0; /* The vmcb->_cr3 is the shadowed cr3. The original * unshadowed guest cr3 is kept in ns_vmcb->_cr3, diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index b551eac807..b1ab0b568b 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -473,7 +473,7 @@ static int svm_vmcb_restore(struct vcpu *v, struct hvm_hw_cpu *c) if ( paging_mode_hap(v->domain) ) { - vmcb_set_np_enable(vmcb, 1); + vmcb_set_np(vmcb, true); vmcb_set_g_pat(vmcb, MSR_IA32_CR_PAT_RESET /* guest PAT */); vmcb_set_h_cr3(vmcb, pagetable_get_paddr(p2m_get_pagetable(p2m))); } diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c index 282fe7cdbe..4e1f61dbe0 100644 --- a/xen/arch/x86/hvm/svm/vmcb.c +++ b/xen/arch/x86/hvm/svm/vmcb.c @@ -133,7 +133,7 @@ static int construct_vmcb(struct vcpu *v) if ( paging_mode_hap(v->domain) ) { - vmcb->_np_enable = 1; /* enable nested paging */ + vmcb_set_np(vmcb, true); /* enable nested paging */ vmcb->_g_pat = MSR_IA32_CR_PAT_RESET; /* guest PAT */ vmcb->_h_cr3 = pagetable_get_paddr( p2m_get_pagetable(p2m_get_hostp2m(v->domain))); diff --git a/xen/arch/x86/include/asm/hvm/svm/vmcb.h b/xen/arch/x86/include/asm/hvm/svm/vmcb.h index 91221ff4e2..bf2b8d9a94 100644 --- a/xen/arch/x86/include/asm/hvm/svm/vmcb.h +++ b/xen/arch/x86/include/asm/hvm/svm/vmcb.h @@ -385,7 +385,7 @@ typedef union bool iopm:1; /* 1: iopm_base_pa, msrpm_base_pa */ bool asid:1; /* 2: guest_asid */ bool tpr:1; /* 3: vintr */ - bool np:1; /* 4: np_enable, h_cr3, g_pat */ + bool np:1; /* 4: np, h_cr3, g_pat */ bool cr:1; /* 5: cr0, cr3, cr4, efer */ bool dr:1; /* 6: dr6, dr7 */ bool dt:1; /* 7: gdtr, idtr */ @@ -473,12 +473,12 @@ struct vmcb_struct { intinfo_t exit_int_info; /* offset 0x88 */ union { /* offset 0x90 - cleanbit 4 */ struct { - bool _np_enable :1; - bool _sev_enable :1; - bool _sev_es_enable :1; - bool _gmet :1; - bool _np_sss :1; - bool _vte :1; + bool _np :1; + bool _sev :1; + bool _sev_es :1; + bool _gmet :1; + bool _np_sss :1; + bool _vte :1; }; uint64_t _np_ctrl; }; @@ -645,9 +645,9 @@ VMCB_ACCESSORS(msrpm_base_pa, iopm) VMCB_ACCESSORS(guest_asid, asid) VMCB_ACCESSORS(vintr, tpr) VMCB_ACCESSORS(np_ctrl, np) -VMCB_ACCESSORS_(np_enable, bool, np) -VMCB_ACCESSORS_(sev_enable, bool, np) -VMCB_ACCESSORS_(sev_es_enable, bool, np) +VMCB_ACCESSORS_(np, bool, np) +VMCB_ACCESSORS_(sev, bool, np) +VMCB_ACCESSORS_(sev_es, bool, np) VMCB_ACCESSORS_(gmet, bool, np) VMCB_ACCESSORS_(vte, bool, np) VMCB_ACCESSORS(h_cr3, np) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:00:56 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:00:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693200.1080964 (Exim 4.92) (envelope-from ) id 1rkkhc-0003Ga-BT; Thu, 14 Mar 2024 13:00:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693200.1080964; Thu, 14 Mar 2024 13:00:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhc-0003GS-8b; Thu, 14 Mar 2024 13:00:56 +0000 Received: by outflank-mailman (input) for mailman id 693200; Thu, 14 Mar 2024 13:00:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkha-0003FS-QC for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkha-00009V-PV for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkha-0001tC-Of for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:00:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=sj4EcqkvAiX6XR2qU7jlfELklEzhVqA0zyi4vXvC09o=; b=MWXaHJO/X6OnDgToSeHVRgdgEv vMbvqVSFqbtCrVMZV/N1k9IdWNdDKl/kOrJdKM1n9DPtEJo9hIc/6RdVDFGffxpn+z1M2wxBJ5EuK WKFzBy8ggCofprqotDdlON4KiX7LSfCdqZkF87pw/3b5tG5GaeOoH9eSQdtdDTvfgISE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] MAINTAINERS: Remove myself from several subsystems Message-Id: Date: Thu, 14 Mar 2024 13:00:54 +0000 commit 70e549fd4482f5f5e5bad12ea9832dd86b4a1b1e Author: Paul Durrant AuthorDate: Thu Mar 14 13:55:11 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:55:11 2024 +0100 MAINTAINERS: Remove myself from several subsystems I am not as actively involved with the Xen project as I once was so I need to relinquish some of my maintainer responsibilities: IOMMU and I/O emulation. NOTE: Since I am sole maintainer for I/O EMULATION (IOREQ) and X86 I/O EMULATION, these sections are removed. Signed-off-by: Paul Durrant Acked-by: Stefano Stabellini --- MAINTAINERS | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 56a6932037..b2cc3cc392 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -358,7 +358,6 @@ F: xen/drivers/passthrough/vtd/ IOMMU VENDOR INDEPENDENT CODE M: Jan Beulich -M: Paul Durrant R: Roger Pau Monné S: Supported F: xen/drivers/passthrough/ @@ -368,13 +367,6 @@ X: xen/drivers/passthrough/vtd/ X: xen/drivers/passthrough/device_tree.c F: xen/include/xen/iommu.h -I/O EMULATION (IOREQ) -M: Paul Durrant -S: Supported -F: xen/common/ioreq.c -F: xen/include/xen/ioreq.h -F: xen/include/public/hvm/ioreq.h - KCONFIG M: Doug Goldstein S: Supported @@ -608,18 +600,6 @@ F: tools/misc/xen-cpuid.c F: tools/tests/cpu-policy/ F: tools/tests/x86_emulator/ -X86 I/O EMULATION -M: Paul Durrant -S: Supported -F: xen/arch/x86/hvm/emulate.c -F: xen/arch/x86/hvm/intercept.c -F: xen/arch/x86/hvm/io.c -F: xen/arch/x86/hvm/ioreq.c -F: xen/arch/x86/include/asm/hvm/emulate.h -F: xen/arch/x86/include/asm/hvm/io.h -F: xen/arch/x86/include/asm/hvm/ioreq.h -F: xen/arch/x86/include/asm/ioreq.h - X86 MEMORY MANAGEMENT M: Jan Beulich M: Andrew Cooper -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:01:06 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:01:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693201.1080967 (Exim 4.92) (envelope-from ) id 1rkkhm-0003Ln-CY; Thu, 14 Mar 2024 13:01:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693201.1080967; Thu, 14 Mar 2024 13:01:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhm-0003Lf-9z; Thu, 14 Mar 2024 13:01:06 +0000 Received: by outflank-mailman (input) for mailman id 693201; Thu, 14 Mar 2024 13:01:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhk-0003L6-TE for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:01:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhk-00009q-SV for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:01:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkhk-0001u2-Rj for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:01:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hRcf8NzLqKJzPWMVp/HTTbViDBOVp9d8/mFfe51+MnE=; b=qSZWF1wKXGKHhHdv2H+tZ7HNzF j6pjpiI9vAUF8XsAUSW9g3UBkxBJhPtALzWevQ8cqo7N+VK4bAr43AjrLWiEGH7BjUQh75SsDJfN5 kpQpq+8kKZHUJZOMhBqm8E84hIroHgI0VDdxMsluiNMdPvSXCx9G+Cxet+cjloDH4Z0s=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen: avoid grep fodder define and undef Message-Id: Date: Thu, 14 Mar 2024 13:01:04 +0000 commit 68e008db0cc04f2a829e8fa03bc3433afd0a01f4 Author: Federico Serafini AuthorDate: Thu Mar 14 13:55:27 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:55:27 2024 +0100 xen: avoid grep fodder define and undef Place an "#if 0" before grep fodder #define-s and remove the #undef-s. This addresses violations of MISRA C:2012 Rules 20.5 ("#undef should not be used") and 5.5 ("Identifiers shall be distinct from macro names"). No functional change. Signed-off-by: Federico Serafini Acked-by: Andrew Cooper --- xen/include/xen/iommu.h | 5 +---- xen/include/xen/mm-frame.h | 15 +++------------ 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/xen/include/xen/iommu.h b/xen/include/xen/iommu.h index 9621459c63..ef57f31417 100644 --- a/xen/include/xen/iommu.h +++ b/xen/include/xen/iommu.h @@ -33,13 +33,10 @@ TYPE_SAFE(uint64_t, dfn); #define PRI_dfn PRIx64 #define INVALID_DFN _dfn(~0ULL) -#ifndef dfn_t +#if 0 #define dfn_t /* Grep fodder: dfn_t, _dfn() and dfn_x() are defined above */ #define _dfn #define dfn_x -#undef dfn_t -#undef _dfn -#undef dfn_x #endif static inline dfn_t __must_check dfn_add(dfn_t dfn, unsigned long i) diff --git a/xen/include/xen/mm-frame.h b/xen/include/xen/mm-frame.h index c25e836f25..d973aec901 100644 --- a/xen/include/xen/mm-frame.h +++ b/xen/include/xen/mm-frame.h @@ -14,13 +14,10 @@ TYPE_SAFE(unsigned long, mfn); */ #define INVALID_MFN_INITIALIZER { INVALID_MFN_RAW } -#ifndef mfn_t +#if 0 #define mfn_t /* Grep fodder: mfn_t, _mfn() and mfn_x() are defined above */ #define _mfn #define mfn_x -#undef mfn_t -#undef _mfn -#undef mfn_x #endif static inline mfn_t __must_check mfn_add(mfn_t mfn, unsigned long i) @@ -53,13 +50,10 @@ TYPE_SAFE(unsigned long, gfn); */ #define INVALID_GFN_INITIALIZER { INVALID_GFN_RAW } -#ifndef gfn_t +#if 0 #define gfn_t /* Grep fodder: gfn_t, _gfn() and gfn_x() are defined above */ #define _gfn #define gfn_x -#undef gfn_t -#undef _gfn -#undef gfn_x #endif static inline gfn_t __must_check gfn_add(gfn_t gfn, unsigned long i) @@ -85,13 +79,10 @@ static inline bool gfn_eq(gfn_t x, gfn_t y) TYPE_SAFE(unsigned long, pfn); #define PRI_pfn "05lx" -#ifndef pfn_t +#if 0 #define pfn_t /* Grep fodder: pfn_t, _pfn() and pfn_x() are defined above */ #define _pfn #define pfn_x -#undef pfn_t -#undef _pfn -#undef pfn_x #endif #endif /* __XEN_FRAME_NUM_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:01:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:01:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693203.1080972 (Exim 4.92) (envelope-from ) id 1rkkhw-0003Sp-E3; Thu, 14 Mar 2024 13:01:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693203.1080972; Thu, 14 Mar 2024 13:01:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhw-0003Sh-BP; Thu, 14 Mar 2024 13:01:16 +0000 Received: by outflank-mailman (input) for mailman id 693203; Thu, 14 Mar 2024 13:01:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhu-0003SR-WF for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:01:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkhu-00009x-VX for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:01:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkhu-0001up-Uc for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:01:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=V5bpRTY/a2isVxgStxgDXCEwapOBtGZ23LmMeHgDRTQ=; b=3gSvI1h5P4T9V2Wrtz2pScKkU4 GCqVOaJoAw9pSh4RUTMp9sB3axyTogKfwQeSnUiRUci4Kyl/L2tCKkw7+JQzYz/Z2sHLM5AvgjQa8 lqYFcXjuH93TKvscdQAbCTmzDJ48pZqupRUbZNwvjS7bOfoQeoge7WprY2YvSr0XmxoA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/spinlock: remove misra rule 21.1 violations Message-Id: Date: Thu, 14 Mar 2024 13:01:14 +0000 commit af7fed3fdf82981ebbb09628b278df957569333d Author: Juergen Gross AuthorDate: Thu Mar 14 13:55:55 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:55:55 2024 +0100 xen/spinlock: remove misra rule 21.1 violations In xen spinlock code there are several violations of MISRA rule 21.1 (identifiers starting with "__" or "_[A-Z]"). Fix them by using trailing underscores instead. Signed-off-by: Juergen Gross Acked-by: Jan Beulich --- xen/include/xen/spinlock.h | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index e351fc9995..8a443efc19 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -22,7 +22,7 @@ union lock_debug { bool unseen:1; }; }; -#define _LOCK_DEBUG { .val = LOCK_DEBUG_INITVAL } +#define LOCK_DEBUG_ { .val = LOCK_DEBUG_INITVAL } void check_lock(union lock_debug *debug, bool try); void lock_enter(const union lock_debug *debug); void lock_exit(const union lock_debug *debug); @@ -30,7 +30,7 @@ void spin_debug_enable(void); void spin_debug_disable(void); #else union lock_debug { }; -#define _LOCK_DEBUG { } +#define LOCK_DEBUG_ { } #define check_lock(l, t) ((void)0) #define lock_enter(l) ((void)0) #define lock_exit(l) ((void)0) @@ -95,27 +95,27 @@ struct lock_profile_qhead { int32_t idx; /* index for printout */ }; -#define _LOCK_PROFILE(lockname) { .name = #lockname, .lock = &(lockname), } -#define _LOCK_PROFILE_PTR(name) \ - static struct lock_profile * const __lock_profile_##name \ +#define LOCK_PROFILE_(lockname) { .name = #lockname, .lock = &(lockname), } +#define LOCK_PROFILE_PTR_(name) \ + static struct lock_profile * const lock_profile__##name \ __used_section(".lockprofile.data") = \ - &__lock_profile_data_##name -#define _SPIN_LOCK_UNLOCKED(x) { \ + &lock_profile_data__##name +#define SPIN_LOCK_UNLOCKED_(x) { \ .recurse_cpu = SPINLOCK_NO_CPU, \ - .debug =_LOCK_DEBUG, \ + .debug = LOCK_DEBUG_, \ .profile = x, \ } -#define SPIN_LOCK_UNLOCKED _SPIN_LOCK_UNLOCKED(NULL) +#define SPIN_LOCK_UNLOCKED SPIN_LOCK_UNLOCKED_(NULL) #define DEFINE_SPINLOCK(l) \ - spinlock_t l = _SPIN_LOCK_UNLOCKED(NULL); \ - static struct lock_profile __lock_profile_data_##l = _LOCK_PROFILE(l); \ - _LOCK_PROFILE_PTR(l) + spinlock_t l = SPIN_LOCK_UNLOCKED_(NULL); \ + static struct lock_profile lock_profile_data__##l = LOCK_PROFILE_(l); \ + LOCK_PROFILE_PTR_(l) #define spin_lock_init_prof(s, l) \ do { \ struct lock_profile *prof; \ prof = xzalloc(struct lock_profile); \ - (s)->l = (spinlock_t)_SPIN_LOCK_UNLOCKED(prof); \ + (s)->l = (spinlock_t)SPIN_LOCK_UNLOCKED_(prof); \ if ( !prof ) \ { \ printk(XENLOG_WARNING \ @@ -149,7 +149,7 @@ struct lock_profile_qhead { }; #define SPIN_LOCK_UNLOCKED { \ .recurse_cpu = SPINLOCK_NO_CPU, \ - .debug =_LOCK_DEBUG, \ + .debug = LOCK_DEBUG_, \ } #define DEFINE_SPINLOCK(l) spinlock_t l = SPIN_LOCK_UNLOCKED -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:11:07 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:11:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693211.1080995 (Exim 4.92) (envelope-from ) id 1rkkrR-00065w-Ii; Thu, 14 Mar 2024 13:11:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693211.1080995; Thu, 14 Mar 2024 13:11:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkrR-00065o-G0; Thu, 14 Mar 2024 13:11:05 +0000 Received: by outflank-mailman (input) for mailman id 693211; Thu, 14 Mar 2024 13:11:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkrP-00064R-Gp for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:11:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkrP-0000MC-Fe for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:11:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkrP-0002gS-Dr for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:11:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LFVSrVtPh4RnKwmeT+FbLLx4lFBMsaen/GlTdaPMKjA=; b=yJweIRo/g60w209E+HV0v8nXE0 QMTeULX4PKVbYlHWPAuv9Cj0wf85+Tylj+BOuf4wdhKaeN5oUfUmg3U4RGb7r7cVA82h12MT9tiUx R7ofQYkrdiKi4OdVA7ZR3oFR2Bm9hyfYWQtZLSvAuUzln0UaoqOQ2Dg0rzB//mb2q3Ew=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option Message-Id: Date: Thu, 14 Mar 2024 13:11:03 +0000 commit bd06cf74fccc065ea67e9dd8c31e70abad1f0507 Author: Ayan Kumar Halder AuthorDate: Thu Mar 7 12:39:41 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 14 13:04:25 2024 +0000 xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option There can be situations when the registers cannot be emulated to their full functionality. This can be due to the complexity involved. In such cases, one can emulate those registers as RAZ/WI for example. We call them as partial emulation. Some registers are non-optional and as such there is nothing preventing an OS from accessing them. Instead of injecting undefined exception (which might result in crashing a guest), one may want to prefer a partial emulation to let the guest running (in some cases accepting the fact that it might result in unwanted behavior). A suitable example of this (as seen in subsequent patches) is emulation of DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional registers can be emulated as RAZ/WI and they can be enclosed within CONFIG_PARTIAL_EMULATION. Further, "partial-emulation" command line option allows us to enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION enables support for partial emulation at compile time (i.e. adds code for partial emulation), this option may be enabled or disabled by Yocto or other build systems. However if the build system turns this option on, users can use scripts like Imagebuilder to generate uboot-script which will append "partial-emulation=true" to xen command line to turn on the partial emulation. Thus, it helps to avoid rebuilding xen. By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false". This is done so that Xen supports partial emulation. However, customers are fully aware when they enable partial emulation. It's important to note that enabling such support might result in unwanted/non-spec compliant behavior. Added a note in SUPPORT.md to clarify the security support for partial emulation. Signed-off-by: Ayan Kumar Halder Signed-off-by: Michal Orzel Acked-by: Julien Grall --- SUPPORT.md | 9 +++++++++ docs/misc/xen-command-line.pandoc | 11 +++++++++++ xen/arch/arm/Kconfig | 9 +++++++++ xen/arch/arm/include/asm/traps.h | 6 ++++++ xen/arch/arm/traps.c | 9 +++++++++ 5 files changed, 44 insertions(+) diff --git a/SUPPORT.md b/SUPPORT.md index 510bb02190..ad74f5a329 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -102,6 +102,15 @@ Extension to the GICv3 interrupt controller to support MSI. Status: Experimental +### ARM/Partial Emulation + +Enable partial emulation of registers, otherwise considered unimplemented, +that would normally trigger a fault injection. + + Status: Supported, with caveats + +Only the following system registers are security supported: + ### ARM Scalable Vector Extension (SVE/SVE2) Arm64 domains can use Scalable Vector Extension (SVE/SVE2). diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 04f1415fc3..14cafb462a 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1942,6 +1942,17 @@ This option is ignored in **pv-shim** mode. > Default: `on` +### partial-emulation (arm) +> `= ` + +> Default: `false` + +Flag to enable or disable partial emulation of system/coprocessor registers. +Only effective if CONFIG_PARTIAL_EMULATION is enabled. + +**WARNING: Enabling this option might result in unwanted/non-spec compliant +behavior.** + ### pci = List of [ serr=, perr= ] diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 40f834bb71..f8139a773a 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -234,6 +234,15 @@ config STATIC_EVTCHN This option enables establishing static event channel communication between domains on a dom0less system (domU-domU as well as domU-dom0). +config PARTIAL_EMULATION + bool "Enable partial emulation of system/coprocessor registers" + default y + help + This option enables partial emulation of registers to prevent possible + guests crashing when accessing registers which are not optional but have + not been emulated to their complete functionality. Enabling this might + result in unwanted/non-spec compliant behavior. + endmenu menu "ARM errata workaround via the alternative framework" diff --git a/xen/arch/arm/include/asm/traps.h b/xen/arch/arm/include/asm/traps.h index 883dae368e..9a60dbf70e 100644 --- a/xen/arch/arm/include/asm/traps.h +++ b/xen/arch/arm/include/asm/traps.h @@ -10,6 +10,12 @@ # include #endif +#ifdef CONFIG_PARTIAL_EMULATION +extern bool partial_emulation; +#else +#define partial_emulation false +#endif + /* * GUEST_BUG_ON is intended for checking that the guest state has not been * corrupted in hardware and/or that the hardware behaves as we diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index 8ddca643d4..9cffe7f790 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -43,6 +43,15 @@ #include #include +/* + * partial_emulation: If true, partial emulation for system/coprocessor + * registers will be enabled. + */ +#ifdef CONFIG_PARTIAL_EMULATION +bool __ro_after_init partial_emulation = false; +boolean_param("partial-emulation", partial_emulation); +#endif + /* The base of the stack must always be double-word aligned, which means * that both the kernel half of struct cpu_user_regs (which is pushed in * entry.S) and struct cpu_info (which lives at the bottom of a Xen -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:11:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:11:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693212.1080999 (Exim 4.92) (envelope-from ) id 1rkkrb-00069C-K2; Thu, 14 Mar 2024 13:11:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693212.1080999; Thu, 14 Mar 2024 13:11:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkrb-000695-HV; Thu, 14 Mar 2024 13:11:15 +0000 Received: by outflank-mailman (input) for mailman id 693212; Thu, 14 Mar 2024 13:11:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkrZ-00067U-Jb for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:11:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkrZ-0000ML-Im for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:11:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkrZ-0002i5-Ho for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:11:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Kb91+5wgjlRQkM/dTDHQlx00Bx5tHeiiBCQM+lAkUxU=; b=l5QFjyneGuTUSO7NxKOe+2xTAB L6n+/4M/MkE5tyPsMxpEkGKnz0caj4DZpNhuo0QpgZPSyVQyjCWr7tWNJYRpW59PQkIfhXlQ3jgKN 1Zh5zSHRLAajBpHDTfeDCYhI/8HWje8Cgu4oxJz4Fj7TaJEkOzfS2wUekKI/FWhHK7uM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: arm64: Add emulation of Debug Data Transfer Registers Message-Id: Date: Thu, 14 Mar 2024 13:11:13 +0000 commit 43c416d0d81957229b5b5d73be694fb1ba149a3e Author: Michal Orzel AuthorDate: Thu Mar 7 12:39:42 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 14 13:04:25 2024 +0000 xen/arm: arm64: Add emulation of Debug Data Transfer Registers Currently, if user enables HVC_DCC config option in Linux, it invokes access to debug data transfer registers (i.e. DBGDTRTX_EL0 on arm64, DBGDTRTXINT on arm32). As these registers are not emulated, Xen injects an undefined exception to the guest and Linux crashes. To prevent this crash, introduce a partial emulation of DBGDTR[TR]X_EL0 (these registers share the same encoding) as RAZ/WI and MDCCSR_EL0 as TXfull. Refer ARM DDI 0487J.a ID042523, D19.3.8, DBGDTRTX_EL0 "If TXfull is set to 1, set DTRRX and DTRTX to UNKNOWN". Thus, any OS is expected to read MDCCSR_EL0 and check for TXfull before using DBGDTRTX_EL0. Linux does it via hvc_dcc_init() ---> hvc_dcc_check(), and returns -ENODEV in case TXfull bit is still set after writing a test character. This way we prevent the guest from making use of HVC DCC as a console. Signed-off-by: Michal Orzel Signed-off-by: Ayan Kumar Halder Acked-by: Julien Grall --- SUPPORT.md | 5 +++ xen/arch/arm/arm64/vsysreg.c | 69 +++++++++++++++++++++++++----------- xen/arch/arm/include/asm/arm64/hsr.h | 3 ++ 3 files changed, 56 insertions(+), 21 deletions(-) diff --git a/SUPPORT.md b/SUPPORT.md index ad74f5a329..465f6527c9 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -111,6 +111,11 @@ that would normally trigger a fault injection. Only the following system registers are security supported: + MDCCSR_EL0 + DBGDTR_EL0 + DBGDTRTX_EL0 + DBGDTRRX_EL0 + ### ARM Scalable Vector Extension (SVE/SVE2) Arm64 domains can use Scalable Vector Extension (SVE/SVE2). diff --git a/xen/arch/arm/arm64/vsysreg.c b/xen/arch/arm/arm64/vsysreg.c index b5d54c569b..c73b2c95ce 100644 --- a/xen/arch/arm/arm64/vsysreg.c +++ b/xen/arch/arm/arm64/vsysreg.c @@ -82,6 +82,7 @@ TVM_REG(CONTEXTIDR_EL1) void do_sysreg(struct cpu_user_regs *regs, const union hsr hsr) { + const struct hsr_sysreg sysreg = hsr.sysreg; int regidx = hsr.sysreg.reg; struct vcpu *v = current; @@ -159,9 +160,6 @@ void do_sysreg(struct cpu_user_regs *regs, * * Unhandled: * MDCCINT_EL1 - * DBGDTR_EL0 - * DBGDTRRX_EL0 - * DBGDTRTX_EL0 * OSDTRRX_EL1 * OSDTRTX_EL1 * OSECCR_EL1 @@ -171,12 +169,42 @@ void do_sysreg(struct cpu_user_regs *regs, */ case HSR_SYSREG_MDSCR_EL1: return handle_raz_wi(regs, regidx, hsr.sysreg.read, hsr, 1); + + /* + * Xen doesn't expose a real (or emulated) Debug Communications Channel + * (DCC) to a domain. Yet the Arm ARM implies this is not an optional + * feature. So some domains may start to probe it. For instance, the + * HVC_DCC driver in Linux (since f377775dc083 and at least up to v6.7), + * will try to write some characters and check if the transmit buffer + * has emptied. + */ case HSR_SYSREG_MDCCSR_EL0: /* + * By setting TX status bit (only if partial emulation is enabled) to + * indicate the transmit buffer is full, we would hint the OS that the + * DCC is probably not working. + * + * Bit 29: TX full + * * Accessible at EL0 only if MDSCR_EL1.TDCC is set to 0. We emulate that * register as RAZ/WI above. So RO at both EL0 and EL1. */ - return handle_ro_raz(regs, regidx, hsr.sysreg.read, hsr, 0); + return handle_ro_read_val(regs, regidx, hsr.sysreg.read, hsr, 0, + partial_emulation ? (1U << 29) : 0); + + case HSR_SYSREG_DBGDTR_EL0: + /* DBGDTR[TR]X_EL0 share the same encoding */ + case HSR_SYSREG_DBGDTRTX_EL0: + /* + * Emulate as RAZ/WI (only if partial emulation is enabled) to prevent + * injecting undefined exception. + * Accessible at EL0 only if MDSCR_EL1.TDCC is set to 0. We emulate that + * register as RAZ/WI. + */ + if ( !partial_emulation ) + goto fail; + return handle_raz_wi(regs, regidx, hsr.sysreg.read, hsr, 0); + HSR_SYSREG_DBG_CASES(DBGBVR): HSR_SYSREG_DBG_CASES(DBGBCR): HSR_SYSREG_DBG_CASES(DBGWVR): @@ -394,26 +422,25 @@ void do_sysreg(struct cpu_user_regs *regs, * And all other unknown registers. */ default: - { - const struct hsr_sysreg sysreg = hsr.sysreg; - - gdprintk(XENLOG_ERR, - "%s %d, %d, c%d, c%d, %d %s x%d @ 0x%"PRIregister"\n", - sysreg.read ? "mrs" : "msr", - sysreg.op0, sysreg.op1, - sysreg.crn, sysreg.crm, - sysreg.op2, - sysreg.read ? "=>" : "<=", - sysreg.reg, regs->pc); - gdprintk(XENLOG_ERR, - "unhandled 64-bit sysreg access %#"PRIregister"\n", - hsr.bits & HSR_SYSREG_REGS_MASK); - inject_undef_exception(regs, hsr); - return; - } + goto fail; } regs->pc += 4; + return; + + fail: + gdprintk(XENLOG_ERR, + "%s %d, %d, c%d, c%d, %d %s x%d @ 0x%"PRIregister"\n", + sysreg.read ? "mrs" : "msr", + sysreg.op0, sysreg.op1, + sysreg.crn, sysreg.crm, + sysreg.op2, + sysreg.read ? "=>" : "<=", + sysreg.reg, regs->pc); + gdprintk(XENLOG_ERR, + "unhandled 64-bit sysreg access %#"PRIregister"\n", + hsr.bits & HSR_SYSREG_REGS_MASK); + inject_undef_exception(regs, hsr); } /* diff --git a/xen/arch/arm/include/asm/arm64/hsr.h b/xen/arch/arm/include/asm/arm64/hsr.h index e691d41c17..1495ccddea 100644 --- a/xen/arch/arm/include/asm/arm64/hsr.h +++ b/xen/arch/arm/include/asm/arm64/hsr.h @@ -47,6 +47,9 @@ #define HSR_SYSREG_OSDLR_EL1 HSR_SYSREG(2,0,c1,c3,4) #define HSR_SYSREG_DBGPRCR_EL1 HSR_SYSREG(2,0,c1,c4,4) #define HSR_SYSREG_MDCCSR_EL0 HSR_SYSREG(2,3,c0,c1,0) +#define HSR_SYSREG_DBGDTR_EL0 HSR_SYSREG(2,3,c0,c4,0) +#define HSR_SYSREG_DBGDTRTX_EL0 HSR_SYSREG(2,3,c0,c5,0) +#define HSR_SYSREG_DBGDTRRX_EL0 HSR_SYSREG(2,3,c0,c5,0) #define HSR_SYSREG_DBGBVRn_EL1(n) HSR_SYSREG(2,0,c0,c##n,4) #define HSR_SYSREG_DBGBCRn_EL1(n) HSR_SYSREG(2,0,c0,c##n,5) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 13:11:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 13:11:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693213.1081004 (Exim 4.92) (envelope-from ) id 1rkkrl-0006Ci-Mw; Thu, 14 Mar 2024 13:11:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693213.1081004; Thu, 14 Mar 2024 13:11:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkrl-0006Ca-KG; Thu, 14 Mar 2024 13:11:25 +0000 Received: by outflank-mailman (input) for mailman id 693213; Thu, 14 Mar 2024 13:11:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkrj-0006CJ-Mf for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:11:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkkrj-0000MV-Lo for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:11:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkkrj-0002ie-Kv for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 13:11:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EnzzRGu2vDPh7jp8bZajph++1TG4Kj0Wgo6eEa2m1rY=; b=aK4INGTofrVSEiQkaDqDIKTJX6 z+l5/CfAU5KP9pyMIgKXdI06PS6ykeXFLLGB8tRw1aQAQS53kADT4HOlorEVaHkaZM4ICYGnfVyRY a/8sl29KALS1psXJNxTOBG5I129iNoYbl6JEKYbhrWVVU8Rl4Fp2mkisj83ioZVQgbE4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: arm32: Add emulation of Debug Data Transfer Registers Message-Id: Date: Thu, 14 Mar 2024 13:11:23 +0000 commit 77c39a53cf5bfe185b7bff6544c63731513830d3 Author: Ayan Kumar Halder AuthorDate: Thu Mar 7 12:39:43 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 14 13:04:25 2024 +0000 xen/arm: arm32: Add emulation of Debug Data Transfer Registers When user enables HVC_DCC config option in Linux, it invokes access to debug transfer register (i.e. DBGDTRTXINT). As this register is not emulated, Xen injects an undefined exception to the guest and Linux crashes. To prevent this crash, introduce a partial emulation of DBGDTR[TR]XINT (these registers share the same encoding) as RAZ/WI and DBGDSCRINT as TXfull. Refer ARM DDI 0487J.a ID042523, G8.3.19, DBGDTRTXint: "If TXfull is set to 1, set DTRTX to UNKNOWN". As a pre-requisite, DBGOSLSR should be emulated in the same way as its AArch64 variant (i.e. OSLSR_EL1). This is to ensure that DBGOSLSR.OSLK is 0, which allows us to skip the emulation of DBGDSCREXT (TXfull is treated as UNK/SBZP) and focus on DBGDSCRINT. DBGOSLSR.OSLM[1] is set to 1 to mantain consistency with Arm64. Take the opportunity to fix the minimum EL for DBGDSCRINT, which should be 0. Signed-off-by: Ayan Kumar Halder Signed-off-by: Michal Orzel Acked-by: Julien Grall --- SUPPORT.md | 3 ++ xen/arch/arm/include/asm/cpregs.h | 2 ++ xen/arch/arm/vcpreg.c | 62 +++++++++++++++++++++++++++------------ 3 files changed, 49 insertions(+), 18 deletions(-) diff --git a/SUPPORT.md b/SUPPORT.md index 465f6527c9..58f075538f 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -115,6 +115,9 @@ Only the following system registers are security supported: DBGDTR_EL0 DBGDTRTX_EL0 DBGDTRRX_EL0 + DBGDSCRINT + DBGDTRTXINT + DBGDTRRXINT ### ARM Scalable Vector Extension (SVE/SVE2) diff --git a/xen/arch/arm/include/asm/cpregs.h b/xen/arch/arm/include/asm/cpregs.h index 6b083de204..aec9e8f329 100644 --- a/xen/arch/arm/include/asm/cpregs.h +++ b/xen/arch/arm/include/asm/cpregs.h @@ -75,6 +75,8 @@ #define DBGDIDR p14,0,c0,c0,0 /* Debug ID Register */ #define DBGDSCRINT p14,0,c0,c1,0 /* Debug Status and Control Internal */ #define DBGDSCREXT p14,0,c0,c2,2 /* Debug Status and Control External */ +#define DBGDTRRXINT p14,0,c0,c5,0 /* Debug Data Transfer Register, Receive */ +#define DBGDTRTXINT p14,0,c0,c5,0 /* Debug Data Transfer Register, Transmit */ #define DBGVCR p14,0,c0,c7,0 /* Vector Catch */ #define DBGBVR0 p14,0,c0,c0,4 /* Breakpoint Value 0 */ #define DBGBCR0 p14,0,c0,c0,5 /* Breakpoint Control 0 */ diff --git a/xen/arch/arm/vcpreg.c b/xen/arch/arm/vcpreg.c index 019cf34f00..0b336875a4 100644 --- a/xen/arch/arm/vcpreg.c +++ b/xen/arch/arm/vcpreg.c @@ -494,11 +494,12 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) * ARMv8 (DDI 0487A.d): D1-1509 Table D1-58 * * Unhandled: - * DBGOSLSR * DBGPRCR */ case HSR_CPREG32(DBGOSLAR): return handle_wo_wi(regs, regidx, cp32.read, hsr, 1); + case HSR_CPREG32(DBGOSLSR): + return handle_ro_read_val(regs, regidx, cp32.read, hsr, 1, 1U << 3); case HSR_CPREG32(DBGOSDLR): return handle_raz_wi(regs, regidx, cp32.read, hsr, 1); @@ -510,8 +511,6 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) * * Unhandled: * DBGDCCINT - * DBGDTRRXint - * DBGDTRTXint * DBGWFAR * DBGDTRTXext * DBGDTRRXext, @@ -549,12 +548,27 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) break; } + /* + * Xen doesn't expose a real (or emulated) Debug Communications Channel + * (DCC) to a domain. Yet the Arm ARM implies this is not an optional + * feature. So some domains may start to probe it. For instance, the + * HVC_DCC driver in Linux (since f377775dc083 and at least up to v6.7), + * will try to write some characters and check if the transmit buffer has + * emptied. + */ case HSR_CPREG32(DBGDSCRINT): /* - * Read-only register. Accessible by EL0 if DBGDSCRext.UDCCdis - * is set to 0, which we emulated below. + * By setting TX status bit (only if partial emulation is enabled) to + * indicate the transmit buffer is full, we would hint the OS that the + * DCC is probably not working. + * + * Bit 29: TX full + * + * Accessible at EL0 only if DBGDSCRext.UDCCdis is set to 0. We emulate + * this as RAZ/WI in the next case. So RO at both EL0 and EL1. */ - return handle_ro_raz(regs, regidx, cp32.read, hsr, 1); + return handle_ro_read_val(regs, regidx, cp32.read, hsr, 0, + partial_emulation ? (1U << 29) : 0); case HSR_CPREG32(DBGDSCREXT): /* @@ -563,6 +577,18 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) */ return handle_raz_wi(regs, regidx, cp32.read, hsr, 1); + /* DBGDTR[TR]XINT share the same encoding */ + case HSR_CPREG32(DBGDTRTXINT): + /* + * Emulate as RAZ/WI (only if partial emulation is enabled) to prevent + * injecting undefined exception. + * Accessible at EL0 only if DBGDSCREXT is set to 0. We emulate that + * register as RAZ/WI. + */ + if ( !partial_emulation ) + goto fail; + return handle_raz_wi(regs, regidx, cp32.read, hsr, 0); + case HSR_CPREG32(DBGVCR): case HSR_CPREG32(DBGBVR0): case HSR_CPREG32(DBGBCR0): @@ -592,17 +618,20 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) * And all other unknown registers. */ default: - gdprintk(XENLOG_ERR, - "%s p14, %d, r%d, cr%d, cr%d, %d @ 0x%"PRIregister"\n", - cp32.read ? "mrc" : "mcr", - cp32.op1, cp32.reg, cp32.crn, cp32.crm, cp32.op2, regs->pc); - gdprintk(XENLOG_ERR, "unhandled 32-bit cp14 access %#"PRIregister"\n", - hsr.bits & HSR_CP32_REGS_MASK); - inject_undef_exception(regs, hsr); - return; + goto fail; } advance_pc(regs, hsr); + return; + + fail: + gdprintk(XENLOG_ERR, + "%s p14, %d, r%d, cr%d, cr%d, %d @ 0x%"PRIregister"\n", + cp32.read ? "mrc" : "mcr", + cp32.op1, cp32.reg, cp32.crn, cp32.crm, cp32.op2, regs->pc); + gdprintk(XENLOG_ERR, "unhandled 32-bit cp14 access %#"PRIregister"\n", + hsr.bits & HSR_CP32_REGS_MASK); + inject_undef_exception(regs, hsr); } void do_cp14_64(struct cpu_user_regs *regs, const union hsr hsr) @@ -660,10 +689,7 @@ void do_cp14_dbg(struct cpu_user_regs *regs, const union hsr hsr) * ARMv8 (DDI 0487A.d): D1-1509 Table D1-58 * * Unhandled: - * DBGDTRTXint - * DBGDTRRXint - * - * And all other unknown registers. + * All unknown registers. */ gdprintk(XENLOG_ERR, "%s p14, %d, r%d, r%d, cr%d @ 0x%"PRIregister"\n", -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 18:00:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 18:00:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693431.1081497 (Exim 4.92) (envelope-from ) id 1rkpN7-00084j-2m; Thu, 14 Mar 2024 18:00:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693431.1081497; Thu, 14 Mar 2024 18:00:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkpN6-00084b-Vy; Thu, 14 Mar 2024 18:00:04 +0000 Received: by outflank-mailman (input) for mailman id 693431; Thu, 14 Mar 2024 18:00:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkpN5-0007ou-M6 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 18:00:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkpN5-0006N7-Gz for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 18:00:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkpN5-0005mG-Ep for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 18:00:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=aUxt0YxckhvfVDkTh65KH0+LG+yvQGN4JgeqTBvFeKY=; b=CH39l6eQLHM6nxBrLeNeEJWGZF 050dXq7Am+UbyUi0GPmXe/i5ShO/l049sxxiEhK07C/7AdjQXZpXvoT1k1B5QIkkpreTf5iATx6j0 flcY2asHNR0fyN5uAP6ZQ7pPbO5Cph9FTTplLtGsy/D641XmsiszZ5yioOLOLyS4XqMc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] SUPPORT.MD: Fix matrix generation after 43c416d0d819 and 77c39a53cf5b Message-Id: Date: Thu, 14 Mar 2024 18:00:03 +0000 commit d638e304f13a5ef7d125de5ace5f7828a7b25bac Author: Julien Grall AuthorDate: Thu Mar 14 17:39:29 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 14 17:56:29 2024 +0000 SUPPORT.MD: Fix matrix generation after 43c416d0d819 and 77c39a53cf5b The script docs/support-matrix-generate throw the following error on the latest staging. MDCCSR_EL0 DBGDTR_EL0 DBGDTRTX_EL0 DBGDTRRX_EL0 DBGDSCRINT DBGDTRTXINT DBGDTRRXINT ^ cannot parse status codeblock line: MDCCSR_EL0 ? at docs/parse-support-md line 172, chunk 1. With the current indentation, it looks like the script thinks this is a status code block. Solve the issue by switching to a bullet list. Fixes: 43c416d0d819 ("xen/arm: arm64: Add emulation of Debug Data Transfer Registers") Fixes: 77c39a53cf5b ("xen/arm: arm32: Add emulation of Debug Data Transfer Registers") Signed-off-by: Julien Grall Acked-by: Andrew Cooper --- SUPPORT.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/SUPPORT.md b/SUPPORT.md index 58f075538f..e10d46d924 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -111,13 +111,13 @@ that would normally trigger a fault injection. Only the following system registers are security supported: - MDCCSR_EL0 - DBGDTR_EL0 - DBGDTRTX_EL0 - DBGDTRRX_EL0 - DBGDSCRINT - DBGDTRTXINT - DBGDTRRXINT + * MDCCSR_EL0 + * DBGDTR_EL0 + * DBGDTRTX_EL0 + * DBGDTRRX_EL0 + * DBGDSCRINT + * DBGDTRTXINT + * DBGDTRRXINT ### ARM Scalable Vector Extension (SVE/SVE2) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:22:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:22:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693542.1081772 (Exim 4.92) (envelope-from ) id 1rktSc-0008D0-MW; Thu, 14 Mar 2024 22:22:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693542.1081772; Thu, 14 Mar 2024 22:22:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktSc-0008Cs-Jv; Thu, 14 Mar 2024 22:22:02 +0000 Received: by outflank-mailman (input) for mailman id 693542; Thu, 14 Mar 2024 22:22:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktSb-0008Cm-TC for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktSb-0002nP-KW for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktSb-00033K-JW for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0zEh08z2q54hO1Cw9PHVo/Yqzb8c6G6vWbNhXOB3QZQ=; b=TpHrTsR3u9gcUVxl7YJvUdB9FH gqwjpcoYPZ9NQKiPhpVr3+bd3+R0gfrCWuspgKVT2Fg4BiIeeOvjJNM4+JJ///NFaccfmqMrw1PJY llPnLaXmZ3onJOm6xPbdsWnJtaEENdJ8mIb89rJp0J2JheH3rLwSPhm/6iYcar7qUFKs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/entry: Introduce EFRAME_* constants Message-Id: Date: Thu, 14 Mar 2024 22:22:01 +0000 commit fe1869a569bab56e44c35d1522ee064bab6286da Author: Andrew Cooper AuthorDate: Sat Jan 27 17:52:09 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 11:36:41 2024 +0000 x86/entry: Introduce EFRAME_* constants restore_all_guest() does a lot of manipulation of the stack after popping the GPRs, and uses raw %rsp displacements to do so. Also, almost all entrypaths use raw %rsp displacements prior to pushing GPRs. Provide better mnemonics, to aid readability and reduce the chance of errors when editing. No functional change. The resulting binary is identical. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 37541208f119a9c552c6c6c3246ea61be0d44035) --- xen/arch/x86/x86_64/asm-offsets.c | 17 +++++++++ xen/arch/x86/x86_64/compat/entry.S | 2 +- xen/arch/x86/x86_64/entry.S | 70 +++++++++++++++++++------------------- 3 files changed, 53 insertions(+), 36 deletions(-) diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 57b73a4e62..2fc4d9130a 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -51,6 +51,23 @@ void __dummy__(void) OFFSET(UREGS_kernel_sizeof, struct cpu_user_regs, es); BLANK(); + /* + * EFRAME_* is for the entry/exit logic where %rsp is pointing at + * UREGS_error_code and GPRs are still/already guest values. + */ +#define OFFSET_EF(sym, mem) \ + DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ + offsetof(struct cpu_user_regs, error_code)) + + OFFSET_EF(EFRAME_entry_vector, entry_vector); + OFFSET_EF(EFRAME_rip, rip); + OFFSET_EF(EFRAME_cs, cs); + OFFSET_EF(EFRAME_eflags, eflags); + OFFSET_EF(EFRAME_rsp, rsp); + BLANK(); + +#undef OFFSET_EF + OFFSET(VCPU_processor, struct vcpu, processor); OFFSET(VCPU_domain, struct vcpu, domain); OFFSET(VCPU_vcpu_info, struct vcpu, vcpu_info_area.map); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index fcc3a721f1..cb473f08ee 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -15,7 +15,7 @@ ENTRY(entry_int82) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $HYPERCALL_VECTOR, 4(%rsp) + movl $HYPERCALL_VECTOR, EFRAME_entry_vector(%rsp) SAVE_ALL compat=1 /* DPL1 gate, restricted to 32bit PV guests only. */ SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 9a7b129aa7..968da9d727 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -190,15 +190,15 @@ restore_all_guest: SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL - testw $TRAP_syscall,4(%rsp) + testw $TRAP_syscall, EFRAME_entry_vector(%rsp) jz iret_exit_to_guest - movq 24(%rsp),%r11 # RFLAGS + mov EFRAME_eflags(%rsp), %r11 andq $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), %r11 orq $X86_EFLAGS_IF,%r11 /* Don't use SYSRET path if the return address is not canonical. */ - movq 8(%rsp),%rcx + mov EFRAME_rip(%rsp), %rcx sarq $47,%rcx incl %ecx cmpl $1,%ecx @@ -213,20 +213,20 @@ restore_all_guest: ALTERNATIVE "", rag_clrssbsy, X86_FEATURE_XEN_SHSTK #endif - movq 8(%rsp), %rcx # RIP - cmpw $FLAT_USER_CS32,16(%rsp)# CS - movq 32(%rsp),%rsp # RSP + mov EFRAME_rip(%rsp), %rcx + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) + mov EFRAME_rsp(%rsp), %rsp je 1f sysretq 1: sysretl ALIGN .Lrestore_rcx_iret_exit_to_guest: - movq 8(%rsp), %rcx # RIP + mov EFRAME_rip(%rsp), %rcx /* No special register assumptions. */ iret_exit_to_guest: - andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), 24(%rsp) - orl $X86_EFLAGS_IF,24(%rsp) + andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) + orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -257,7 +257,7 @@ ENTRY(lstar_enter) pushq $FLAT_KERNEL_CS64 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -294,7 +294,7 @@ ENTRY(cstar_enter) pushq $FLAT_USER_CS32 pushq %rcx pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -335,7 +335,7 @@ GLOBAL(sysenter_eflags_saved) pushq $3 /* ring 3 null cs */ pushq $0 /* null rip */ pushq $0 - movl $TRAP_syscall, 4(%rsp) + movl $TRAP_syscall, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -389,7 +389,7 @@ ENTRY(int80_direct_trap) ENDBR64 ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP pushq $0 - movl $0x80, 4(%rsp) + movl $0x80, EFRAME_entry_vector(%rsp) SAVE_ALL SPEC_CTRL_ENTRY_FROM_PV /* Req: %rsp=regs/cpuinfo, %rdx=0, Clob: acd */ @@ -649,7 +649,7 @@ ret_from_intr: .section .init.text, "ax", @progbits ENTRY(early_page_fault) ENDBR64 - movl $X86_EXC_PF, 4(%rsp) + movl $X86_EXC_PF, EFRAME_entry_vector(%rsp) SAVE_ALL movq %rsp, %rdi call do_early_page_fault @@ -716,7 +716,7 @@ ENTRY(common_interrupt) ENTRY(entry_PF) ENDBR64 - movl $X86_EXC_PF, 4(%rsp) + movl $X86_EXC_PF, EFRAME_entry_vector(%rsp) /* No special register assumptions. */ GLOBAL(handle_exception) ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP @@ -890,90 +890,90 @@ FATAL_exception_with_ints_disabled: ENTRY(entry_DE) ENDBR64 pushq $0 - movl $X86_EXC_DE, 4(%rsp) + movl $X86_EXC_DE, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_MF) ENDBR64 pushq $0 - movl $X86_EXC_MF, 4(%rsp) + movl $X86_EXC_MF, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_XM) ENDBR64 pushq $0 - movl $X86_EXC_XM, 4(%rsp) + movl $X86_EXC_XM, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_NM) ENDBR64 pushq $0 - movl $X86_EXC_NM, 4(%rsp) + movl $X86_EXC_NM, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_DB) ENDBR64 pushq $0 - movl $X86_EXC_DB, 4(%rsp) + movl $X86_EXC_DB, EFRAME_entry_vector(%rsp) jmp handle_ist_exception ENTRY(entry_BP) ENDBR64 pushq $0 - movl $X86_EXC_BP, 4(%rsp) + movl $X86_EXC_BP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_OF) ENDBR64 pushq $0 - movl $X86_EXC_OF, 4(%rsp) + movl $X86_EXC_OF, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_BR) ENDBR64 pushq $0 - movl $X86_EXC_BR, 4(%rsp) + movl $X86_EXC_BR, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_UD) ENDBR64 pushq $0 - movl $X86_EXC_UD, 4(%rsp) + movl $X86_EXC_UD, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_TS) ENDBR64 - movl $X86_EXC_TS, 4(%rsp) + movl $X86_EXC_TS, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_NP) ENDBR64 - movl $X86_EXC_NP, 4(%rsp) + movl $X86_EXC_NP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_SS) ENDBR64 - movl $X86_EXC_SS, 4(%rsp) + movl $X86_EXC_SS, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_GP) ENDBR64 - movl $X86_EXC_GP, 4(%rsp) + movl $X86_EXC_GP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_AC) ENDBR64 - movl $X86_EXC_AC, 4(%rsp) + movl $X86_EXC_AC, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_CP) ENDBR64 - movl $X86_EXC_CP, 4(%rsp) + movl $X86_EXC_CP, EFRAME_entry_vector(%rsp) jmp handle_exception ENTRY(entry_DF) ENDBR64 - movl $X86_EXC_DF, 4(%rsp) + movl $X86_EXC_DF, EFRAME_entry_vector(%rsp) /* Set AC to reduce chance of further SMAP faults */ ALTERNATIVE "", stac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -998,7 +998,7 @@ ENTRY(entry_DF) ENTRY(entry_NMI) ENDBR64 pushq $0 - movl $X86_EXC_NMI, 4(%rsp) + movl $X86_EXC_NMI, EFRAME_entry_vector(%rsp) handle_ist_exception: ALTERNATIVE "", clac, X86_FEATURE_XEN_SMAP SAVE_ALL @@ -1130,7 +1130,7 @@ handle_ist_exception: ENTRY(entry_MC) ENDBR64 pushq $0 - movl $X86_EXC_MC, 4(%rsp) + movl $X86_EXC_MC, EFRAME_entry_vector(%rsp) jmp handle_ist_exception /* No op trap handler. Required for kexec crash path. */ @@ -1167,7 +1167,7 @@ autogen_stubs: /* Automatically generated stubs. */ 1: ENDBR64 pushq $0 - movb $vec,4(%rsp) + movb $vec, EFRAME_entry_vector(%rsp) jmp common_interrupt entrypoint 1b @@ -1181,7 +1181,7 @@ autogen_stubs: /* Automatically generated stubs. */ test $8,%spl /* 64bit exception frames are 16 byte aligned, but the word */ jz 2f /* size is 8 bytes. Check whether the processor gave us an */ pushq $0 /* error code, and insert an empty one if not. */ -2: movb $vec,4(%rsp) +2: movb $vec, EFRAME_entry_vector(%rsp) jmp handle_exception entrypoint 1b -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:22:12 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:22:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693543.1081777 (Exim 4.92) (envelope-from ) id 1rktSm-0008Es-OT; Thu, 14 Mar 2024 22:22:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693543.1081777; Thu, 14 Mar 2024 22:22:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktSm-0008Ek-LN; Thu, 14 Mar 2024 22:22:12 +0000 Received: by outflank-mailman (input) for mailman id 693543; Thu, 14 Mar 2024 22:22:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktSl-0008Ec-P5 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktSl-0002nU-OJ for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktSl-00033u-Mg for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=irD6SlCJvU6Yb1QyGWzrSoJFpIHN+eQuOHvWpF8zpjI=; b=FR3pP7jffdfUdVQIXyUHk23wQA AnAhM6bBLKDnr2m+UBzo05ZcOSdEIK8T/O8YTgYpLDQbKvUC8qn0J/WNLFZ4QYhe52UksaTyrkj71 2SaPu/zQKgWM1EEPXyIu8gmTSZUi6TeUWqIvifEmX022st0oATxLlCXfPIt/+VaAiLfQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86: Resync intel-family.h from Linux Message-Id: Date: Thu, 14 Mar 2024 22:22:11 +0000 commit b91c253e81db915f685b29e6947144ab9905388d Author: Andrew Cooper AuthorDate: Tue Feb 27 16:07:39 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 11:36:41 2024 +0000 x86: Resync intel-family.h from Linux From v6.8-rc6 Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 195e75371b13c4f7ecdf7b5c50aed0d02f2d7ce8) --- xen/arch/x86/include/asm/intel-family.h | 38 +++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/include/asm/intel-family.h b/xen/arch/x86/include/asm/intel-family.h index ffc49151be..b65e9c46b9 100644 --- a/xen/arch/x86/include/asm/intel-family.h +++ b/xen/arch/x86/include/asm/intel-family.h @@ -26,6 +26,9 @@ * _G - parts with extra graphics on * _X - regular server parts * _D - micro server parts + * _N,_P - other mobile parts + * _H - premium mobile parts + * _S - other client parts * * Historical OPTDIFFs: * @@ -37,6 +40,9 @@ * their own names :-( */ +/* Wildcard match for FAM6 so X86_MATCH_INTEL_FAM6_MODEL(ANY) works */ +#define INTEL_FAM6_ANY X86_MODEL_ANY + #define INTEL_FAM6_CORE_YONAH 0x0E #define INTEL_FAM6_CORE2_MEROM 0x0F @@ -93,8 +99,6 @@ #define INTEL_FAM6_ICELAKE_L 0x7E /* Sunny Cove */ #define INTEL_FAM6_ICELAKE_NNPI 0x9D /* Sunny Cove */ -#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */ - #define INTEL_FAM6_ROCKETLAKE 0xA7 /* Cypress Cove */ #define INTEL_FAM6_TIGERLAKE_L 0x8C /* Willow Cove */ @@ -102,12 +106,31 @@ #define INTEL_FAM6_SAPPHIRERAPIDS_X 0x8F /* Golden Cove */ +#define INTEL_FAM6_EMERALDRAPIDS_X 0xCF + +#define INTEL_FAM6_GRANITERAPIDS_X 0xAD +#define INTEL_FAM6_GRANITERAPIDS_D 0xAE + +/* "Hybrid" Processors (P-Core/E-Core) */ + +#define INTEL_FAM6_LAKEFIELD 0x8A /* Sunny Cove / Tremont */ + #define INTEL_FAM6_ALDERLAKE 0x97 /* Golden Cove / Gracemont */ #define INTEL_FAM6_ALDERLAKE_L 0x9A /* Golden Cove / Gracemont */ -#define INTEL_FAM6_RAPTORLAKE 0xB7 +#define INTEL_FAM6_RAPTORLAKE 0xB7 /* Raptor Cove / Enhanced Gracemont */ +#define INTEL_FAM6_RAPTORLAKE_P 0xBA +#define INTEL_FAM6_RAPTORLAKE_S 0xBF + +#define INTEL_FAM6_METEORLAKE 0xAC +#define INTEL_FAM6_METEORLAKE_L 0xAA + +#define INTEL_FAM6_ARROWLAKE_H 0xC5 +#define INTEL_FAM6_ARROWLAKE 0xC6 + +#define INTEL_FAM6_LUNARLAKE_M 0xBD -/* "Small Core" Processors (Atom) */ +/* "Small Core" Processors (Atom/E-Core) */ #define INTEL_FAM6_ATOM_BONNELL 0x1C /* Diamondville, Pineview */ #define INTEL_FAM6_ATOM_BONNELL_MID 0x26 /* Silverthorne, Lincroft */ @@ -134,6 +157,13 @@ #define INTEL_FAM6_ATOM_TREMONT 0x96 /* Elkhart Lake */ #define INTEL_FAM6_ATOM_TREMONT_L 0x9C /* Jasper Lake */ +#define INTEL_FAM6_ATOM_GRACEMONT 0xBE /* Alderlake N */ + +#define INTEL_FAM6_ATOM_CRESTMONT_X 0xAF /* Sierra Forest */ +#define INTEL_FAM6_ATOM_CRESTMONT 0xB6 /* Grand Ridge */ + +#define INTEL_FAM6_ATOM_DARKMONT_X 0xDD /* Clearwater Forest */ + /* Xeon Phi */ #define INTEL_FAM6_XEON_PHI_KNL 0x57 /* Knights Landing */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:22:22 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:22:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693544.1081782 (Exim 4.92) (envelope-from ) id 1rktSw-0008IG-Rj; Thu, 14 Mar 2024 22:22:22 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693544.1081782; Thu, 14 Mar 2024 22:22:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktSw-0008I8-OA; Thu, 14 Mar 2024 22:22:22 +0000 Received: by outflank-mailman (input) for mailman id 693544; Thu, 14 Mar 2024 22:22:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktSv-0008Hk-S9 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktSv-0002ng-RQ for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktSv-00036p-QN for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uSPXPDnw0ChHZMhNwSIYCp0aWw84B2kXmP/M6mtw8sY=; b=zzP3RqCNQzvft+zr3NysaHc3gn F5ieV5C3lMGZoAIJBMlMnU1WmKoWMjX3By8NAVhS+RxdYssekaqwAjm9YEo8lwPixjEr36LgVNkXR cFl5C1Nx4mjVOmwo8M04aEal8LeeztgtZD6gJANbRI3MzKv9FINqh6mwEyi6YElvvw0A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/vmx: Perform VERW flushing later in the VMExit path Message-Id: Date: Thu, 14 Mar 2024 22:22:21 +0000 commit 9f89ec65fbe49c3be32a456091097d7ef017d268 Author: Andrew Cooper AuthorDate: Fri Jun 23 11:32:00 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:06 2024 +0000 x86/vmx: Perform VERW flushing later in the VMExit path Broken out of the following patch because this change is subtle enough on its own. See it for the rational of why we're moving VERW. As for how, extend the trick already used to hold one condition in flags (RESUME vs LAUNCH) through the POPing of GPRs. Move the MOV CR earlier. Intel specify flags to be undefined across it. Encode the two conditions we want using SF and PF. See the code comment for exactly how. Leave a comment to explain the lack of any content around SPEC_CTRL_EXIT_TO_VMX, but leave the block in place. Sods law says if we delete it, we'll need to reintroduce it. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 475fa20b7384464210f42bad7195f87bd6f1c63f) --- xen/arch/x86/hvm/vmx/entry.S | 36 ++++++++++++++++++++++++++++---- xen/arch/x86/include/asm/asm_defns.h | 8 +++++++ xen/arch/x86/include/asm/spec_ctrl_asm.h | 7 +++++++ xen/arch/x86/x86_64/asm-offsets.c | 1 + 4 files changed, 48 insertions(+), 4 deletions(-) diff --git a/xen/arch/x86/hvm/vmx/entry.S b/xen/arch/x86/hvm/vmx/entry.S index e3f60d5a82..1bead826ca 100644 --- a/xen/arch/x86/hvm/vmx/entry.S +++ b/xen/arch/x86/hvm/vmx/entry.S @@ -87,17 +87,39 @@ UNLIKELY_END(realmode) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ /* SPEC_CTRL_EXIT_TO_VMX Req: %rsp=regs/cpuinfo Clob: */ - DO_SPEC_CTRL_COND_VERW + /* + * All speculation safety work happens to be elsewhere. VERW is after + * popping the GPRs, while restoring the guest MSR_SPEC_CTRL is left + * to the MSR load list. + */ mov VCPU_hvm_guest_cr2(%rbx),%rax + mov %rax, %cr2 + + /* + * We need to perform two conditional actions (VERW, and Resume vs + * Launch) after popping GPRs. With some cunning, we can encode both + * of these in eflags together. + * + * Parity is only calculated over the bottom byte of the answer, while + * Sign is simply the top bit. + * + * Therefore, the final OR instruction ends up producing: + * SF = VCPU_vmx_launched + * PF = !SCF_verw + */ + BUILD_BUG_ON(SCF_verw & ~0xff) + movzbl VCPU_vmx_launched(%rbx), %ecx + shl $31, %ecx + movzbl CPUINFO_spec_ctrl_flags(%rsp), %eax + and $SCF_verw, %eax + or %eax, %ecx pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp - mov %rax,%cr2 - cmpb $0,VCPU_vmx_launched(%rbx) pop %rbx pop %r11 pop %r10 @@ -108,7 +130,13 @@ UNLIKELY_END(realmode) pop %rdx pop %rsi pop %rdi - je .Lvmx_launch + + jpe .L_skip_verw + /* VERW clobbers ZF, but preserves all others, including SF. */ + verw STK_REL(CPUINFO_verw_sel, CPUINFO_error_code)(%rsp) +.L_skip_verw: + + jns .Lvmx_launch /*.Lvmx_resume:*/ VMRESUME diff --git a/xen/arch/x86/include/asm/asm_defns.h b/xen/arch/x86/include/asm/asm_defns.h index baaaccb26e..56ae26e542 100644 --- a/xen/arch/x86/include/asm/asm_defns.h +++ b/xen/arch/x86/include/asm/asm_defns.h @@ -81,6 +81,14 @@ register unsigned long current_stack_pointer asm("rsp"); #ifdef __ASSEMBLY__ +.macro BUILD_BUG_ON condstr, cond:vararg + .if \cond + .error "Condition \"\condstr\" not satisfied" + .endif +.endm +/* preprocessor macro to make error message more user friendly */ +#define BUILD_BUG_ON(cond) BUILD_BUG_ON #cond, cond + #ifdef HAVE_AS_QUOTED_SYM #define SUBSECTION_LBL(tag) \ .ifndef .L.tag; \ diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index 6cb7c1b949..525745a066 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -152,6 +152,13 @@ #endif .endm +/* + * Helper to improve the readibility of stack dispacements with %rsp in + * unusual positions. Both @field and @top_of_stack should be constants from + * the same object. @top_of_stack should be where %rsp is currently pointing. + */ +#define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) + .macro DO_SPEC_CTRL_COND_VERW /* * Requires %rsp=cpuinfo diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 2fc4d9130a..0d33678898 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -135,6 +135,7 @@ void __dummy__(void) #endif OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); + OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:22:32 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:22:32 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693545.1081785 (Exim 4.92) (envelope-from ) id 1rktT6-0008LN-Sm; Thu, 14 Mar 2024 22:22:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693545.1081785; Thu, 14 Mar 2024 22:22:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktT6-0008LF-Ph; Thu, 14 Mar 2024 22:22:32 +0000 Received: by outflank-mailman (input) for mailman id 693545; Thu, 14 Mar 2024 22:22:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktT5-0008L0-VI for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:31 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktT5-0002nn-UV for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktT5-00037I-Tb for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QDYGsdVFoxfYBru2orr27VLC1RusCFKWNcCvXyK/8eA=; b=rzliE2K6RD18qTWM4Nd1v91H5N zsPNKw0fpj58LphyqvMYFS1NHqzFwObaPuSInVUpX1/cUVSQsDLOHBBM+jW6c/M/yWU7N/sb+L1ZW rxh6Jq+qWb6YhklGpu8wn2jNenWaGt2+RcfmxlHmwPZN6SWu8W/rK3EXJH1f+22wjz/8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/spec-ctrl: Perform VERW flushing later in exit paths Message-Id: Date: Thu, 14 Mar 2024 22:22:31 +0000 commit 95dd34fdbea5408872d5c244fe268222a4f145d0 Author: Andrew Cooper AuthorDate: Sat Jan 27 18:20:56 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:50 2024 +0000 x86/spec-ctrl: Perform VERW flushing later in exit paths On parts vulnerable to RFDS, VERW's side effects are extended to scrub all non-architectural entries in various Physical Register Files. To remove all of Xen's values, the VERW must be after popping the GPRs. Rework SPEC_CTRL_COND_VERW to default to an CPUINFO_error_code %rsp position, but with overrides for other contexts. Identify that it clobbers eflags; this is particularly relevant for the SYSRET path. For the IST exit return to Xen, have the main SPEC_CTRL_EXIT_TO_XEN put a shadow copy of spec_ctrl_flags, as GPRs can't be used at the point we want to issue the VERW. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit 0a666cf2cd99df6faf3eebc81a1fc286e4eca4c7) --- xen/arch/x86/include/asm/spec_ctrl_asm.h | 36 +++++++++++++++++++++----------- xen/arch/x86/x86_64/asm-offsets.c | 13 ++++++++++-- xen/arch/x86/x86_64/compat/entry.S | 6 ++++++ xen/arch/x86/x86_64/entry.S | 21 ++++++++++++++++++- 4 files changed, 61 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/include/asm/spec_ctrl_asm.h b/xen/arch/x86/include/asm/spec_ctrl_asm.h index 525745a066..13acebc75d 100644 --- a/xen/arch/x86/include/asm/spec_ctrl_asm.h +++ b/xen/arch/x86/include/asm/spec_ctrl_asm.h @@ -159,16 +159,23 @@ */ #define STK_REL(field, top_of_stk) ((field) - (top_of_stk)) -.macro DO_SPEC_CTRL_COND_VERW +.macro SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_error_code), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_error_code) /* - * Requires %rsp=cpuinfo + * Requires \scf and \sel as %rsp-relative expressions + * Clobbers eflags + * + * VERW needs to run after guest GPRs have been restored, where only %rsp is + * good to use. Default to expecting %rsp pointing at CPUINFO_error_code. + * Contexts where this is not true must provide an alternative \scf and \sel. * * Issue a VERW for its flushing side effect, if indicated. This is a Spectre * v1 gadget, but the IRET/VMEntry is serialising. */ - testb $SCF_verw, CPUINFO_spec_ctrl_flags(%rsp) + testb $SCF_verw, \scf(%rsp) jz .L\@_verw_skip - verw CPUINFO_verw_sel(%rsp) + verw \sel(%rsp) .L\@_verw_skip: .endm @@ -286,8 +293,6 @@ */ ALTERNATIVE "", DO_SPEC_CTRL_EXIT_TO_GUEST, X86_FEATURE_SC_MSR_PV - DO_SPEC_CTRL_COND_VERW - ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV .endm @@ -367,7 +372,7 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): */ .macro SPEC_CTRL_EXIT_TO_XEN /* - * Requires %r12=ist_exit, %r14=stack_end + * Requires %r12=ist_exit, %r14=stack_end, %rsp=regs * Clobbers %rax, %rbx, %rcx, %rdx */ movzbl STACK_CPUINFO_FIELD(spec_ctrl_flags)(%r14), %ebx @@ -395,11 +400,18 @@ UNLIKELY_DISPATCH_LABEL(\@_serialise): test %r12, %r12 jz .L\@_skip_ist_exit - /* Logically DO_SPEC_CTRL_COND_VERW but without the %rsp=cpuinfo dependency */ - testb $SCF_verw, %bl - jz .L\@_skip_verw - verw STACK_CPUINFO_FIELD(verw_sel)(%r14) -.L\@_skip_verw: + /* + * Stash SCF and verw_sel above eflags in the case of an IST_exit. The + * VERW logic needs to run after guest GPRs have been restored; i.e. where + * we cannot use %r12 or %r14 for the purposes they have here. + * + * When the CPU pushed this exception frame, it zero-extended eflags. + * Therefore it is safe for the VERW logic to look at the stashed SCF + * outside of the ist_exit condition. Also, this stashing won't influence + * any other restore_all_guest() paths. + */ + or $(__HYPERVISOR_DS32 << 16), %ebx + mov %ebx, UREGS_eflags + 4(%rsp) /* EFRAME_shadow_scf/sel */ ALTERNATIVE "", DO_SPEC_CTRL_DIV, X86_FEATURE_SC_DIV diff --git a/xen/arch/x86/x86_64/asm-offsets.c b/xen/arch/x86/x86_64/asm-offsets.c index 0d33678898..85c7d0c989 100644 --- a/xen/arch/x86/x86_64/asm-offsets.c +++ b/xen/arch/x86/x86_64/asm-offsets.c @@ -55,14 +55,22 @@ void __dummy__(void) * EFRAME_* is for the entry/exit logic where %rsp is pointing at * UREGS_error_code and GPRs are still/already guest values. */ -#define OFFSET_EF(sym, mem) \ +#define OFFSET_EF(sym, mem, ...) \ DEFINE(sym, offsetof(struct cpu_user_regs, mem) - \ - offsetof(struct cpu_user_regs, error_code)) + offsetof(struct cpu_user_regs, error_code) __VA_ARGS__) OFFSET_EF(EFRAME_entry_vector, entry_vector); OFFSET_EF(EFRAME_rip, rip); OFFSET_EF(EFRAME_cs, cs); OFFSET_EF(EFRAME_eflags, eflags); + + /* + * These aren't real fields. They're spare space, used by the IST + * exit-to-xen path. + */ + OFFSET_EF(EFRAME_shadow_scf, eflags, +4); + OFFSET_EF(EFRAME_shadow_sel, eflags, +6); + OFFSET_EF(EFRAME_rsp, rsp); BLANK(); @@ -136,6 +144,7 @@ void __dummy__(void) OFFSET(CPUINFO_guest_cpu_user_regs, struct cpu_info, guest_cpu_user_regs); OFFSET(CPUINFO_error_code, struct cpu_info, guest_cpu_user_regs.error_code); + OFFSET(CPUINFO_rip, struct cpu_info, guest_cpu_user_regs.rip); OFFSET(CPUINFO_verw_sel, struct cpu_info, verw_sel); OFFSET(CPUINFO_current_vcpu, struct cpu_info, current_vcpu); OFFSET(CPUINFO_per_cpu_offset, struct cpu_info, per_cpu_offset); diff --git a/xen/arch/x86/x86_64/compat/entry.S b/xen/arch/x86/x86_64/compat/entry.S index cb473f08ee..3bbe3a79a5 100644 --- a/xen/arch/x86/x86_64/compat/entry.S +++ b/xen/arch/x86/x86_64/compat/entry.S @@ -161,6 +161,12 @@ ENTRY(compat_restore_all_guest) SPEC_CTRL_EXIT_TO_PV /* Req: a=spec_ctrl %rsp=regs/cpuinfo, Clob: cd */ RESTORE_ALL adj=8 compat=1 + + /* Account for ev/ec having already been popped off the stack. */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(CPUINFO_spec_ctrl_flags, CPUINFO_rip), \ + sel=STK_REL(CPUINFO_verw_sel, CPUINFO_rip) + .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) diff --git a/xen/arch/x86/x86_64/entry.S b/xen/arch/x86/x86_64/entry.S index 968da9d727..2c7512130f 100644 --- a/xen/arch/x86/x86_64/entry.S +++ b/xen/arch/x86/x86_64/entry.S @@ -214,6 +214,9 @@ restore_all_guest: #endif mov EFRAME_rip(%rsp), %rcx + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + cmpw $FLAT_USER_CS32, EFRAME_cs(%rsp) mov EFRAME_rsp(%rsp), %rsp je 1f @@ -227,6 +230,9 @@ restore_all_guest: iret_exit_to_guest: andl $~(X86_EFLAGS_IOPL | X86_EFLAGS_VM), EFRAME_eflags(%rsp) orl $X86_EFLAGS_IF, EFRAME_eflags(%rsp) + + SPEC_CTRL_COND_VERW /* Req: %rsp=eframe Clob: efl */ + addq $8,%rsp .Lft0: iretq _ASM_PRE_EXTABLE(.Lft0, handle_exception) @@ -679,9 +685,22 @@ UNLIKELY_START(ne, exit_cr3) UNLIKELY_END(exit_cr3) /* WARNING! `ret`, `call *`, `jmp *` not safe beyond this point. */ - SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end, Clob: abcd */ + SPEC_CTRL_EXIT_TO_XEN /* Req: %r12=ist_exit %r14=end %rsp=regs, Clob: abcd */ RESTORE_ALL adj=8 + + /* + * When the CPU pushed this exception frame, it zero-extended eflags. + * For an IST exit, SPEC_CTRL_EXIT_TO_XEN stashed shadow copies of + * spec_ctrl_flags and ver_sel above eflags, as we can't use any GPRs, + * and we're at a random place on the stack, not in a CPUFINFO block. + * + * Account for ev/ec having already been popped off the stack. + */ + SPEC_CTRL_COND_VERW \ + scf=STK_REL(EFRAME_shadow_scf, EFRAME_rip), \ + sel=STK_REL(EFRAME_shadow_sel, EFRAME_rip) + iretq ENTRY(common_interrupt) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:22:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:22:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693546.1081789 (Exim 4.92) (envelope-from ) id 1rktTH-0008OC-Ui; Thu, 14 Mar 2024 22:22:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693546.1081789; Thu, 14 Mar 2024 22:22:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTH-0008O4-RT; Thu, 14 Mar 2024 22:22:43 +0000 Received: by outflank-mailman (input) for mailman id 693546; Thu, 14 Mar 2024 22:22:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTG-0008Nq-4m for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTG-0002oH-1O for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktTG-00037m-0V for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QRkCwKbjARwQOtNkOhnYPeAtTRJamFI8J66Yv1MnM9w=; b=uFB7IYJ40TeDKavX7+esUSISmQ askzhbhY7CZ4GqazJVafJlWC0SWE9DrBbGE01SZOsI6M6pYdMC1U+fI8fsU35afaGm/m6v+e7Tms3 Tpthsx6sNaYepvxtpXbDCfSloHe//SnXskKbZ4DEP0DlqUWoLN+3RGWuVJ00T/AmzK0c=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/spec-ctrl: Rename VERW related options Message-Id: Date: Thu, 14 Mar 2024 22:22:42 +0000 commit b7205fc1cbad0c633e92d2d019a02a507467507b Author: Andrew Cooper AuthorDate: Mon Feb 12 17:50:43 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:52 2024 +0000 x86/spec-ctrl: Rename VERW related options VERW is going to be used for a 3rd purpose, and the existing nomenclature didn't survive the Stale MMIO issues terribly well. Rename the command line option from `md-clear=` to `verw=`. This is more consistent with other options which tend to be named based on what they're doing, not which feature enumeration they use behind the scenes. Retain `md-clear=` as a deprecated alias. Rename opt_md_clear_{pv,hvm} and opt_fb_clear_mmio to opt_verw_{pv,hvm,mmio}, which has a side effect of making spec_ctrl_init_domain() rather clearer to follow. No functional change. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit f7603ca252e4226739eb3129a5290ee3da3f8ea4) --- docs/misc/xen-command-line.pandoc | 15 +++++----- xen/arch/x86/spec_ctrl.c | 62 ++++++++++++++++++++------------------- 2 files changed, 40 insertions(+), 37 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 582d6741d1..fbf1683924 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2370,7 +2370,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). ### spec-ctrl (x86) > `= List of [ , xen=, {pv,hvm}=, -> {msr-sc,rsb,md-clear,ibpb-entry}=|{pv,hvm}=, +> {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, > unpriv-mmio,gds-mit,div-scrub}= ]` @@ -2395,7 +2395,7 @@ in place for guests to use. Use of a positive boolean value for either of these options is invalid. -The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `md-clear=` and `ibpb-entry=` options +The `pv=`, `hvm=`, `msr-sc=`, `rsb=`, `verw=` and `ibpb-entry=` options offer fine grained control over the primitives by Xen. These impact Xen's ability to protect itself, and/or Xen's ability to virtualise support for guests to use. @@ -2412,11 +2412,12 @@ guests to use. guests and if disabled, guests will be unable to use IBRS/STIBP/SSBD/etc. * `rsb=` offers control over whether to overwrite the Return Stack Buffer / Return Address Stack on entry to Xen and on idle. -* `md-clear=` offers control over whether to use VERW to flush - microarchitectural buffers on idle and exit from Xen. *Note: For - compatibility with development versions of this fix, `mds=` is also accepted - on Xen 4.12 and earlier as an alias. Consult vendor documentation in - preference to here.* +* `verw=` offers control over whether to use VERW for its scrubbing side + effects at appropriate privilege transitions. The exact side effects are + microarchitecture and microcode specific. *Note: `md-clear=` is accepted as + a deprecated alias. For compatibility with development versions of XSA-297, + `mds=` is also accepted on Xen 4.12 and earlier as an alias. Consult vendor + documentation in preference to here.* * `ibpb-entry=` offers control over whether IBPB (Indirect Branch Prediction Barrier) is used on entry to Xen. This is used by default on hardware vulnerable to Branch Type Confusion, and hardware vulnerable to Speculative diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index a965b6db28..c42d8cdc22 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -25,8 +25,8 @@ static bool __initdata opt_msr_sc_pv = true; static bool __initdata opt_msr_sc_hvm = true; static int8_t __initdata opt_rsb_pv = -1; static bool __initdata opt_rsb_hvm = true; -static int8_t __ro_after_init opt_md_clear_pv = -1; -static int8_t __ro_after_init opt_md_clear_hvm = -1; +static int8_t __ro_after_init opt_verw_pv = -1; +static int8_t __ro_after_init opt_verw_hvm = -1; static int8_t __ro_after_init opt_ibpb_entry_pv = -1; static int8_t __ro_after_init opt_ibpb_entry_hvm = -1; @@ -66,7 +66,7 @@ static bool __initdata cpu_has_bug_mds; /* Any other M{LP,SB,FB}DS combination. static int8_t __initdata opt_srb_lock = -1; static bool __initdata opt_unpriv_mmio; -static bool __ro_after_init opt_fb_clear_mmio; +static bool __ro_after_init opt_verw_mmio; static int8_t __initdata opt_gds_mit = -1; static int8_t __initdata opt_div_scrub = -1; @@ -108,8 +108,8 @@ static int __init cf_check parse_spec_ctrl(const char *s) disable_common: opt_rsb_pv = false; opt_rsb_hvm = false; - opt_md_clear_pv = 0; - opt_md_clear_hvm = 0; + opt_verw_pv = 0; + opt_verw_hvm = 0; opt_ibpb_entry_pv = 0; opt_ibpb_entry_hvm = 0; opt_ibpb_entry_dom0 = false; @@ -140,14 +140,14 @@ static int __init cf_check parse_spec_ctrl(const char *s) { opt_msr_sc_pv = val; opt_rsb_pv = val; - opt_md_clear_pv = val; + opt_verw_pv = val; opt_ibpb_entry_pv = val; } else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) { opt_msr_sc_hvm = val; opt_rsb_hvm = val; - opt_md_clear_hvm = val; + opt_verw_hvm = val; opt_ibpb_entry_hvm = val; } else if ( (val = parse_boolean("msr-sc", s, ss)) != -1 ) @@ -192,21 +192,22 @@ static int __init cf_check parse_spec_ctrl(const char *s) break; } } - else if ( (val = parse_boolean("md-clear", s, ss)) != -1 ) + else if ( (val = parse_boolean("verw", s, ss)) != -1 || + (val = parse_boolean("md-clear", s, ss)) != -1 ) { switch ( val ) { case 0: case 1: - opt_md_clear_pv = opt_md_clear_hvm = val; + opt_verw_pv = opt_verw_hvm = val; break; case -2: - s += strlen("md-clear="); + s += (*s == 'v') ? strlen("verw=") : strlen("md-clear="); if ( (val = parse_boolean("pv", s, ss)) >= 0 ) - opt_md_clear_pv = val; + opt_verw_pv = val; else if ( (val = parse_boolean("hvm", s, ss)) >= 0 ) - opt_md_clear_hvm = val; + opt_verw_hvm = val; else default: rc = -EINVAL; @@ -528,8 +529,8 @@ static void __init print_details(enum ind_thunk thunk) opt_srb_lock ? " SRB_LOCK+" : " SRB_LOCK-", opt_ibpb_ctxt_switch ? " IBPB-ctxt" : "", opt_l1d_flush ? " L1D_FLUSH" : "", - opt_md_clear_pv || opt_md_clear_hvm || - opt_fb_clear_mmio ? " VERW" : "", + opt_verw_pv || opt_verw_hvm || + opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", opt_branch_harden ? " BRANCH_HARDEN" : ""); @@ -550,13 +551,13 @@ static void __init print_details(enum ind_thunk thunk) boot_cpu_has(X86_FEATURE_SC_RSB_HVM) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) || amd_virt_spec_ctrl || - opt_eager_fpu || opt_md_clear_hvm) ? "" : " None", + opt_eager_fpu || opt_verw_hvm) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_HVM) ? " MSR_SPEC_CTRL" : "", (boot_cpu_has(X86_FEATURE_SC_MSR_HVM) || amd_virt_spec_ctrl) ? " MSR_VIRT_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_HVM) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_hvm ? " MD_CLEAR" : "", + opt_verw_hvm ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_HVM) ? " IBPB-entry" : ""); #endif @@ -565,11 +566,11 @@ static void __init print_details(enum ind_thunk thunk) (boot_cpu_has(X86_FEATURE_SC_MSR_PV) || boot_cpu_has(X86_FEATURE_SC_RSB_PV) || boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) || - opt_eager_fpu || opt_md_clear_pv) ? "" : " None", + opt_eager_fpu || opt_verw_pv) ? "" : " None", boot_cpu_has(X86_FEATURE_SC_MSR_PV) ? " MSR_SPEC_CTRL" : "", boot_cpu_has(X86_FEATURE_SC_RSB_PV) ? " RSB" : "", opt_eager_fpu ? " EAGER_FPU" : "", - opt_md_clear_pv ? " MD_CLEAR" : "", + opt_verw_pv ? " VERW" : "", boot_cpu_has(X86_FEATURE_IBPB_ENTRY_PV) ? " IBPB-entry" : ""); printk(" XPTI (64-bit PV only): Dom0 %s, DomU %s (with%s PCID)\n", @@ -1502,8 +1503,8 @@ void spec_ctrl_init_domain(struct domain *d) { bool pv = is_pv_domain(d); - bool verw = ((pv ? opt_md_clear_pv : opt_md_clear_hvm) || - (opt_fb_clear_mmio && is_iommu_enabled(d))); + bool verw = ((pv ? opt_verw_pv : opt_verw_hvm) || + (opt_verw_mmio && is_iommu_enabled(d))); bool ibpb = ((pv ? opt_ibpb_entry_pv : opt_ibpb_entry_hvm) && (d->domain_id != 0 || opt_ibpb_entry_dom0)); @@ -1866,19 +1867,20 @@ void __init init_speculation_mitigations(void) * the return-to-guest path. */ if ( opt_unpriv_mmio ) - opt_fb_clear_mmio = cpu_has_fb_clear; + opt_verw_mmio = cpu_has_fb_clear; /* * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. * This will only be a token effort for MLPDS/MFBDS when HT is enabled, * but it is somewhat better than nothing. */ - if ( opt_md_clear_pv == -1 ) - opt_md_clear_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); - if ( opt_md_clear_hvm == -1 ) - opt_md_clear_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - boot_cpu_has(X86_FEATURE_MD_CLEAR)); + if ( opt_verw_pv == -1 ) + opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); + + if ( opt_verw_hvm == -1 ) + opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && + cpu_has_md_clear); /* * Enable MDS/MMIO defences as applicable. The Idle blocks need using if @@ -1891,12 +1893,12 @@ void __init init_speculation_mitigations(void) * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) * * After calculating the appropriate idle setting, simplify - * opt_md_clear_hvm to mean just "should we VERW on the way into HVM + * opt_verw_hvm to mean just "should we VERW on the way into HVM * guests", so spec_ctrl_init_domain() can calculate suitable settings. */ - if ( opt_md_clear_pv || opt_md_clear_hvm || opt_fb_clear_mmio ) + if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_md_clear_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:22:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:22:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693549.1081792 (Exim 4.92) (envelope-from ) id 1rktTS-0008RZ-1F; Thu, 14 Mar 2024 22:22:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693549.1081792; Thu, 14 Mar 2024 22:22:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTR-0008RS-V1; Thu, 14 Mar 2024 22:22:53 +0000 Received: by outflank-mailman (input) for mailman id 693549; Thu, 14 Mar 2024 22:22:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTQ-0008RA-5g for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTQ-0002oP-4a for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktTQ-00038a-3b for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:22:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=r4nz5gGNwPYm4HSQ7mZiUyI0C5PjaVACQRcccCLd0vc=; b=RNCGtTzhlRa37gnhmAnFEccwEF 14sDOwoel/BDkX73xp9272w9iSsS6zq6JFC3nB6T1zbIcxDUICZ1BB1GVDxt2RQgkLvOrxCxRaz4j t/Hhbd62LltrGWJ1Cdz0vIcbKoHHlIt5E8tRwlOVGCQl7oiuriOXCHgSbgek3mmYjLlc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/spec-ctrl: VERW-handling adjustments Message-Id: Date: Thu, 14 Mar 2024 22:22:52 +0000 commit fb85a8fc91f8cfd61d7c7f9742502b223d4024b5 Author: Andrew Cooper AuthorDate: Tue Mar 5 19:33:37 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:52 2024 +0000 x86/spec-ctrl: VERW-handling adjustments ... before we add yet more complexity to this logic. Mostly expanded comments, but with three minor changes. 1) Introduce cpu_has_useful_md_clear to simplify later logic in this patch and future ones. 2) We only ever need SC_VERW_IDLE when SMT is active. If SMT isn't active, then there's no re-partition of pipeline resources based on thread-idleness to worry about. 3) The logic to adjust HVM VERW based on L1D_FLUSH is unmaintainable and, as it turns out, wrong. SKIP_L1DFL is just a hint bit, whereas opt_l1d_flush is the relevant decision of whether to use L1D_FLUSH based on susceptibility and user preference. Rewrite the logic so it can be followed, and incorporate the fact that when FB_CLEAR is visible, L1D_FLUSH isn't a safe substitution. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit 1eb91a8a06230b4b64228c9a380194f8cfe6c5e2) --- xen/arch/x86/spec_ctrl.c | 99 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 26 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index c42d8cdc22..a4afcd8570 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -1519,7 +1519,7 @@ void __init init_speculation_mitigations(void) { enum ind_thunk thunk = THUNK_DEFAULT; bool has_spec_ctrl, ibrs = false, hw_smt_enabled; - bool cpu_has_bug_taa, retpoline_safe; + bool cpu_has_bug_taa, cpu_has_useful_md_clear, retpoline_safe; hw_smt_enabled = check_smt_enabled(); @@ -1855,50 +1855,97 @@ void __init init_speculation_mitigations(void) "enabled. Please assess your configuration and choose an\n" "explicit 'smt=' setting. See XSA-273.\n"); + /* + * A brief summary of VERW-related changes. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * + * Relevant ucodes: + * + * - May 2019, for MDS. Introduces the MD_CLEAR CPUID bit and VERW side + * effects to scrub Store/Load/Fill buffers as applicable. MD_CLEAR + * exists architecturally, even when the side effects have been removed. + * + * Use VERW to scrub on return-to-guest. Parts with L1D_FLUSH to + * mitigate L1TF have the same side effect, so no need to do both. + * + * Various Atoms suffer from Store-buffer sampling only. Store buffers + * are statically partitioned between non-idle threads, so scrubbing is + * wanted when going idle too. + * + * Load ports and Fill buffers are competitively shared between threads. + * SMT must be disabled for VERW scrubbing to be fully effective. + * + * - November 2019, for TAA. Extended VERW side effects to TSX-enabled + * MDS_NO parts. + * + * - February 2022, for Client TSX de-feature. Removed VERW side effects + * from Client CPUs only. + * + * - May 2022, for MMIO Stale Data. (Re)introduced Fill Buffer scrubbing + * on all MMIO-affected parts which didn't already have it for MDS + * reasons, enumerating FB_CLEAR on those parts only. + * + * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing + * side effects as VERW and cannot be used in its place. + */ mds_calculations(); /* - * Parts which enumerate FB_CLEAR are those which are post-MDS_NO and have - * reintroduced the VERW fill buffer flushing side effect because of a - * susceptibility to FBSDP. + * Parts which enumerate FB_CLEAR are those with now-updated microcode + * which weren't susceptible to the original MFBDS (and therefore didn't + * have Fill Buffer scrubbing side effects to begin with, or were Client + * MDS_NO non-TAA_NO parts where the scrubbing was removed), but have had + * the scrubbing reintroduced because of a susceptibility to FBSDP. * * If unprivileged guests have (or will have) MMIO mappings, we can * mitigate cross-domain leakage of fill buffer data by issuing VERW on - * the return-to-guest path. + * the return-to-guest path. This is only a token effort if SMT is + * active. */ if ( opt_unpriv_mmio ) opt_verw_mmio = cpu_has_fb_clear; /* - * By default, enable PV and HVM mitigations on MDS-vulnerable hardware. - * This will only be a token effort for MLPDS/MFBDS when HT is enabled, - * but it is somewhat better than nothing. + * MD_CLEAR is enumerated architecturally forevermore, even after the + * scrubbing side effects have been removed. Create ourselves an version + * which expressed whether we think MD_CLEAR is having any useful side + * effect. + */ + cpu_has_useful_md_clear = (cpu_has_md_clear && + (cpu_has_bug_mds || cpu_has_bug_msbds_only)); + + /* + * By default, use VERW scrubbing on applicable hardware, if we think it's + * going to have an effect. This will only be a token effort for + * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_pv = cpu_has_useful_md_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = ((cpu_has_bug_mds || cpu_has_bug_msbds_only) && - cpu_has_md_clear); + opt_verw_hvm = cpu_has_useful_md_clear; /* - * Enable MDS/MMIO defences as applicable. The Idle blocks need using if - * either the PV or HVM MDS defences are used, or if we may give MMIO - * access to untrusted guests. - * - * HVM is more complicated. The MD_CLEAR microcode extends L1D_FLUSH with - * equivalent semantics to avoid needing to perform both flushes on the - * HVM path. Therefore, we don't need VERW in addition to L1D_FLUSH (for - * MDS mitigations. L1D_FLUSH is not safe for MMIO mitigations.) - * - * After calculating the appropriate idle setting, simplify - * opt_verw_hvm to mean just "should we VERW on the way into HVM - * guests", so spec_ctrl_init_domain() can calculate suitable settings. + * If SMT is active, and we're protecting against MDS or MMIO stale data, + * we need to scrub before going idle as well as on return to guest. + * Various pipeline resources are repartitioned amongst non-idle threads. */ - if ( opt_verw_pv || opt_verw_hvm || opt_verw_mmio ) + if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || + opt_verw_mmio) && hw_smt_enabled ) setup_force_cpu_cap(X86_FEATURE_SC_VERW_IDLE); - opt_verw_hvm &= !cpu_has_skip_l1dfl && !opt_l1d_flush; + + /* + * After calculating the appropriate idle setting, simplify opt_verw_hvm + * to mean just "should we VERW on the way into HVM guests", so + * spec_ctrl_init_domain() can calculate suitable settings. + * + * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the + * only *_CLEAR we can see. + */ + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + opt_verw_hvm = false; /* * Warn the user if they are on MLPDS/MFBDS-vulnerable hardware with HT -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:23:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:23:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693550.1081797 (Exim 4.92) (envelope-from ) id 1rktTc-0008U5-3T; Thu, 14 Mar 2024 22:23:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693550.1081797; Thu, 14 Mar 2024 22:23:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTc-0008Ty-0R; Thu, 14 Mar 2024 22:23:04 +0000 Received: by outflank-mailman (input) for mailman id 693550; Thu, 14 Mar 2024 22:23:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTa-0008Tp-8f for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTa-0002om-7q for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktTa-000398-6z for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hbchQxnTxGB0AnE6B/ZmzKYtwvmPdRElczXr5DdpiPg=; b=OOIiBuPuyJFToqiNh5R5VW5H0A Ra12ZQ7a3tfLrKWdJ2uhz0+XhYgNZzKYIYVldTJM2uIj+bNp1u4nv7TAji/AekiYOCMYfo+NSXwfN g2fewZNCYKeM1ttOaaBKrE0U0kaXlcULufxZJagUDJW95B6PrXLsShH8QxkYAf8jHk7E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/spec-ctrl: Mitigation Register File Data Sampling Message-Id: Date: Thu, 14 Mar 2024 22:23:02 +0000 commit 908cbd1893e80eb52b92b2c70c2bfd9ffdf6f77b Author: Andrew Cooper AuthorDate: Thu Jun 22 23:32:19 2023 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:52 2024 +0000 x86/spec-ctrl: Mitigation Register File Data Sampling RFDS affects Atom cores, also branded E-cores, between the Goldmont and Gracemont microarchitectures. This includes Alder Lake and Raptor Lake hybrid clien systems which have a mix of Gracemont and other types of cores. Two new bits have been defined; RFDS_CLEAR to indicate VERW has more side effets, and RFDS_NO to incidate that the system is unaffected. Plenty of unaffected CPUs won't be getting RFDS_NO retrofitted in microcode, so we synthesise it. Alder Lake and Raptor Lake Xeon-E's are unaffected due to their platform configuration, and we must use the Hybrid CPUID bit to distinguish them from their non-Xeon counterparts. Like MD_CLEAR and FB_CLEAR, RFDS_CLEAR needs OR-ing across a resource pool, so set it in the max policies and reflect the host setting in default. This is part of XSA-452 / CVE-2023-28746. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich (cherry picked from commit fb5b6f6744713410c74cfc12b7176c108e3c9a31) --- tools/misc/xen-cpuid.c | 5 +- xen/arch/x86/cpu-policy.c | 5 ++ xen/arch/x86/include/asm/cpufeature.h | 3 + xen/arch/x86/include/asm/msr-index.h | 2 + xen/arch/x86/spec_ctrl.c | 100 ++++++++++++++++++++++++++-- xen/include/public/arch-x86/cpufeatureset.h | 3 + 6 files changed, 111 insertions(+), 7 deletions(-) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index 7370f1b56e..52e451a806 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -172,7 +172,7 @@ static const char *const str_7d0[32] = [ 8] = "avx512-vp2intersect", [ 9] = "srbds-ctrl", [10] = "md-clear", [11] = "rtm-always-abort", /* 12 */ [13] = "tsx-force-abort", - [14] = "serialize", + [14] = "serialize", [15] = "hybrid", [16] = "tsxldtrk", [18] = "pconfig", [20] = "cet-ibt", @@ -245,7 +245,8 @@ static const char *const str_m10Al[32] = [20] = "bhi-no", [21] = "xapic-status", /* 22 */ [23] = "ovrclk-status", [24] = "pbrsb-no", [25] = "gds-ctrl", - [26] = "gds-no", + [26] = "gds-no", [27] = "rfds-no", + [28] = "rfds-clear", }; static const char *const str_m10Ah[32] = diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index c7c5e99b7b..12e621b97d 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -451,6 +451,7 @@ static void __init guest_common_max_feature_adjustments(uint32_t *fs) */ __set_bit(X86_FEATURE_MD_CLEAR, fs); __set_bit(X86_FEATURE_FB_CLEAR, fs); + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); /* * The Gather Data Sampling microcode mitigation (August 2023) has an @@ -500,6 +501,10 @@ static void __init guest_common_default_feature_adjustments(uint32_t *fs) if ( cpu_has_fb_clear ) __set_bit(X86_FEATURE_FB_CLEAR, fs); + __clear_bit(X86_FEATURE_RFDS_CLEAR, fs); + if ( cpu_has_rfds_clear ) + __set_bit(X86_FEATURE_RFDS_CLEAR, fs); + /* * The Gather Data Sampling microcode mitigation (August 2023) has an * adverse performance impact on the CLWB instruction on SKX/CLX/CPX. diff --git a/xen/arch/x86/include/asm/cpufeature.h b/xen/arch/x86/include/asm/cpufeature.h index 76ef2aeb1d..3c57f55de0 100644 --- a/xen/arch/x86/include/asm/cpufeature.h +++ b/xen/arch/x86/include/asm/cpufeature.h @@ -181,6 +181,7 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_rtm_always_abort boot_cpu_has(X86_FEATURE_RTM_ALWAYS_ABORT) #define cpu_has_tsx_force_abort boot_cpu_has(X86_FEATURE_TSX_FORCE_ABORT) #define cpu_has_serialize boot_cpu_has(X86_FEATURE_SERIALIZE) +#define cpu_has_hybrid boot_cpu_has(X86_FEATURE_HYBRID) #define cpu_has_avx512_fp16 boot_cpu_has(X86_FEATURE_AVX512_FP16) #define cpu_has_arch_caps boot_cpu_has(X86_FEATURE_ARCH_CAPS) @@ -208,6 +209,8 @@ static inline bool boot_cpu_has(unsigned int feat) #define cpu_has_rrsba boot_cpu_has(X86_FEATURE_RRSBA) #define cpu_has_gds_ctrl boot_cpu_has(X86_FEATURE_GDS_CTRL) #define cpu_has_gds_no boot_cpu_has(X86_FEATURE_GDS_NO) +#define cpu_has_rfds_no boot_cpu_has(X86_FEATURE_RFDS_NO) +#define cpu_has_rfds_clear boot_cpu_has(X86_FEATURE_RFDS_CLEAR) /* Synthesized. */ #define cpu_has_arch_perfmon boot_cpu_has(X86_FEATURE_ARCH_PERFMON) diff --git a/xen/arch/x86/include/asm/msr-index.h b/xen/arch/x86/include/asm/msr-index.h index 82a81bd0a2..85ef28a612 100644 --- a/xen/arch/x86/include/asm/msr-index.h +++ b/xen/arch/x86/include/asm/msr-index.h @@ -89,6 +89,8 @@ #define ARCH_CAPS_PBRSB_NO (_AC(1, ULL) << 24) #define ARCH_CAPS_GDS_CTRL (_AC(1, ULL) << 25) #define ARCH_CAPS_GDS_NO (_AC(1, ULL) << 26) +#define ARCH_CAPS_RFDS_NO (_AC(1, ULL) << 27) +#define ARCH_CAPS_RFDS_CLEAR (_AC(1, ULL) << 28) #define MSR_FLUSH_CMD 0x0000010b #define FLUSH_CMD_L1D (_AC(1, ULL) << 0) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index a4afcd8570..8165379fed 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -12,6 +12,7 @@ #include #include +#include #include #include #include @@ -435,7 +436,7 @@ static void __init print_details(enum ind_thunk thunk) * Hardware read-only information, stating immunity to certain issues, or * suggestions of which mitigation to use. */ - printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware hints:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (caps & ARCH_CAPS_RDCL_NO) ? " RDCL_NO" : "", (caps & ARCH_CAPS_EIBRS) ? " EIBRS" : "", (caps & ARCH_CAPS_RSBA) ? " RSBA" : "", @@ -451,6 +452,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_FB_CLEAR) ? " FB_CLEAR" : "", (caps & ARCH_CAPS_PBRSB_NO) ? " PBRSB_NO" : "", (caps & ARCH_CAPS_GDS_NO) ? " GDS_NO" : "", + (caps & ARCH_CAPS_RFDS_NO) ? " RFDS_NO" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_ALWAYS)) ? " IBRS_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_STIBP_ALWAYS)) ? " STIBP_ALWAYS" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS_FAST)) ? " IBRS_FAST" : "", @@ -461,7 +463,7 @@ static void __init print_details(enum ind_thunk thunk) (e21a & cpufeat_mask(X86_FEATURE_SRSO_NO)) ? " SRSO_NO" : ""); /* Hardware features which need driving to mitigate issues. */ - printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s\n", + printk(" Hardware features:%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n", (e8b & cpufeat_mask(X86_FEATURE_IBPB)) || (_7d0 & cpufeat_mask(X86_FEATURE_IBRSB)) ? " IBPB" : "", (e8b & cpufeat_mask(X86_FEATURE_IBRS)) || @@ -479,6 +481,7 @@ static void __init print_details(enum ind_thunk thunk) (caps & ARCH_CAPS_TSX_CTRL) ? " TSX_CTRL" : "", (caps & ARCH_CAPS_FB_CLEAR_CTRL) ? " FB_CLEAR_CTRL" : "", (caps & ARCH_CAPS_GDS_CTRL) ? " GDS_CTRL" : "", + (caps & ARCH_CAPS_RFDS_CLEAR) ? " RFDS_CLEAR" : "", (e21a & cpufeat_mask(X86_FEATURE_SBPB)) ? " SBPB" : ""); /* Compiled-in support which pertains to mitigations. */ @@ -1347,6 +1350,83 @@ static __init void mds_calculations(void) } } +/* + * Register File Data Sampling affects Atom cores from the Goldmont to + * Gracemont microarchitectures. The March 2024 microcode adds RFDS_NO to + * some but not all unaffected parts, and RFDS_CLEAR to affected parts still + * in support. + * + * Alder Lake and Raptor Lake client CPUs have a mix of P cores + * (Golden/Raptor Cove, not vulnerable) and E cores (Gracemont, + * vulnerable), and both enumerate RFDS_CLEAR. + * + * Both exist in a Xeon SKU, which has the E cores (Gracemont) disabled by + * platform configuration, and enumerate RFDS_NO. + * + * With older parts, or with out-of-date microcode, synthesise RFDS_NO when + * safe to do so. + * + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html + */ +static void __init rfds_calculations(void) +{ + /* RFDS is only known to affect Intel Family 6 processors at this time. */ + if ( boot_cpu_data.x86_vendor != X86_VENDOR_INTEL || + boot_cpu_data.x86 != 6 ) + return; + + /* + * If RFDS_NO or RFDS_CLEAR are visible, we've either got suitable + * microcode, or an RFDS-aware hypervisor is levelling us in a pool. + */ + if ( cpu_has_rfds_no || cpu_has_rfds_clear ) + return; + + /* If we're virtualised, don't attempt to synthesise RFDS_NO. */ + if ( cpu_has_hypervisor ) + return; + + /* + * Not all CPUs are expected to get a microcode update enumerating one of + * RFDS_{NO,CLEAR}, or we might have out-of-date microcode. + */ + switch ( boot_cpu_data.x86_model ) + { + case INTEL_FAM6_ALDERLAKE: + case INTEL_FAM6_RAPTORLAKE: + /* + * Alder Lake and Raptor Lake might be a client SKU (with the + * Gracemont cores active, and therefore vulnerable) or might be a + * server SKU (with the Gracemont cores disabled, and therefore not + * vulnerable). + * + * See if the CPU identifies as hybrid to distinguish the two cases. + */ + if ( !cpu_has_hybrid ) + break; + fallthrough; + case INTEL_FAM6_ALDERLAKE_L: + case INTEL_FAM6_RAPTORLAKE_P: + case INTEL_FAM6_RAPTORLAKE_S: + + case INTEL_FAM6_ATOM_GOLDMONT: /* Apollo Lake */ + case INTEL_FAM6_ATOM_GOLDMONT_D: /* Denverton */ + case INTEL_FAM6_ATOM_GOLDMONT_PLUS: /* Gemini Lake */ + case INTEL_FAM6_ATOM_TREMONT_D: /* Snow Ridge / Parker Ridge */ + case INTEL_FAM6_ATOM_TREMONT: /* Elkhart Lake */ + case INTEL_FAM6_ATOM_TREMONT_L: /* Jasper Lake */ + case INTEL_FAM6_ATOM_GRACEMONT: /* Alder Lake N */ + return; + } + + /* + * We appear to be on an unaffected CPU which didn't enumerate RFDS_NO, + * perhaps because of it's age or because of out-of-date microcode. + * Synthesise it. + */ + setup_force_cpu_cap(X86_FEATURE_RFDS_NO); +} + static bool __init cpu_has_gds(void) { /* @@ -1860,6 +1940,7 @@ void __init init_speculation_mitigations(void) * * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/intel-analysis-microarchitectural-data-sampling.html * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html + * https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html * * Relevant ucodes: * @@ -1889,8 +1970,12 @@ void __init init_speculation_mitigations(void) * * If FB_CLEAR is enumerated, L1D_FLUSH does not have the same scrubbing * side effects as VERW and cannot be used in its place. + * + * - March 2023, for RFDS. Enumerate RFDS_CLEAR to mean that VERW now + * scrubs non-architectural entries from certain register files. */ mds_calculations(); + rfds_calculations(); /* * Parts which enumerate FB_CLEAR are those with now-updated microcode @@ -1922,15 +2007,19 @@ void __init init_speculation_mitigations(void) * MLPDS/MFBDS when SMT is enabled. */ if ( opt_verw_pv == -1 ) - opt_verw_pv = cpu_has_useful_md_clear; + opt_verw_pv = cpu_has_useful_md_clear || cpu_has_rfds_clear; if ( opt_verw_hvm == -1 ) - opt_verw_hvm = cpu_has_useful_md_clear; + opt_verw_hvm = cpu_has_useful_md_clear || cpu_has_rfds_clear; /* * If SMT is active, and we're protecting against MDS or MMIO stale data, * we need to scrub before going idle as well as on return to guest. * Various pipeline resources are repartitioned amongst non-idle threads. + * + * We don't need to scrub on idle for RFDS. There are no affected cores + * which support SMT, despite there being affected cores in hybrid systems + * which have SMT elsewhere in the platform. */ if ( ((cpu_has_useful_md_clear && (opt_verw_pv || opt_verw_hvm)) || opt_verw_mmio) && hw_smt_enabled ) @@ -1944,7 +2033,8 @@ void __init init_speculation_mitigations(void) * It is only safe to use L1D_FLUSH in place of VERW when MD_CLEAR is the * only *_CLEAR we can see. */ - if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear ) + if ( opt_l1d_flush && cpu_has_md_clear && !cpu_has_fb_clear && + !cpu_has_rfds_clear ) opt_verw_hvm = false; /* diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index 337aaa9c77..8e17ef670f 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -266,6 +266,7 @@ XEN_CPUFEATURE(MD_CLEAR, 9*32+10) /*!A VERW clears microarchitectural buffe XEN_CPUFEATURE(RTM_ALWAYS_ABORT, 9*32+11) /*! June 2021 TSX defeaturing in microcode. */ XEN_CPUFEATURE(TSX_FORCE_ABORT, 9*32+13) /* MSR_TSX_FORCE_ABORT.RTM_ABORT */ XEN_CPUFEATURE(SERIALIZE, 9*32+14) /*A SERIALIZE insn */ +XEN_CPUFEATURE(HYBRID, 9*32+15) /* Heterogeneous platform */ XEN_CPUFEATURE(TSXLDTRK, 9*32+16) /*a TSX load tracking suspend/resume insns */ XEN_CPUFEATURE(CET_IBT, 9*32+20) /* CET - Indirect Branch Tracking */ XEN_CPUFEATURE(AVX512_FP16, 9*32+23) /*A AVX512 FP16 instructions */ @@ -338,6 +339,8 @@ XEN_CPUFEATURE(OVRCLK_STATUS, 16*32+23) /* MSR_OVERCLOCKING_STATUS */ XEN_CPUFEATURE(PBRSB_NO, 16*32+24) /*A No Post-Barrier RSB predictions */ XEN_CPUFEATURE(GDS_CTRL, 16*32+25) /* MCU_OPT_CTRL.GDS_MIT_{DIS,LOCK} */ XEN_CPUFEATURE(GDS_NO, 16*32+26) /*A No Gather Data Sampling */ +XEN_CPUFEATURE(RFDS_NO, 16*32+27) /*A No Register File Data Sampling */ +XEN_CPUFEATURE(RFDS_CLEAR, 16*32+28) /*!A Register File(s) cleared by VERW */ /* Intel-defined CPU features, MSR_ARCH_CAPS 0x10a.edx, word 17 */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:23:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:23:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693551.1081800 (Exim 4.92) (envelope-from ) id 1rktTm-00006c-4o; Thu, 14 Mar 2024 22:23:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693551.1081800; Thu, 14 Mar 2024 22:23:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTm-00006V-2H; Thu, 14 Mar 2024 22:23:14 +0000 Received: by outflank-mailman (input) for mailman id 693551; Thu, 14 Mar 2024 22:23:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTk-000063-BW for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTk-0002ot-Aq for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktTk-00039f-A2 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=sc+Sip1uGcgqSLlQIoOROn7e5mFGKkgQZQcywA0FQVY=; b=Eq5DHAdlILEp2hUDtPEVlyw79L 4Q7CG/8OBabJ1gui0h+Q+skrrWkqydIGR8rjKmj8zG+VUXcGcw3RcR1TAROCqNY3fQOHRvVQhcxMT Giq68ryuxJMlCnfPvzfMbUgTT+8tupClILNvkP/BfCSHbEicV5oKMAMy2SCNdBZquTvw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] xen: Swap order of actions in the FREE*() macros Message-Id: Date: Thu, 14 Mar 2024 22:23:12 +0000 commit bdda600406e5f5c35bcb17b2f9458e2138d7ad46 Author: Andrew Cooper AuthorDate: Fri Feb 2 00:39:42 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:55:52 2024 +0000 xen: Swap order of actions in the FREE*() macros Wherever possible, it is a good idea to NULL out the visible reference to an object prior to freeing it. The FREE*() macros already collect together both parts, making it easy to adjust. This has a marginal code generation improvement, as some of the calls to the free() function can be tailcall optimised. No functional change. Signed-off-by: Andrew Cooper Acked-by: Jan Beulich (cherry picked from commit c4f427ec879e7c0df6d44d02561e8bee838a293e) --- xen/include/xen/mm.h | 3 ++- xen/include/xen/xmalloc.h | 7 ++++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h index 8b9618609f..8bc5f4249d 100644 --- a/xen/include/xen/mm.h +++ b/xen/include/xen/mm.h @@ -91,8 +91,9 @@ bool scrub_free_pages(void); /* Free an allocation, and zero the pointer to it. */ #define FREE_XENHEAP_PAGES(p, o) do { \ - free_xenheap_pages(p, o); \ + void *_ptr_ = (p); \ (p) = NULL; \ + free_xenheap_pages(_ptr_, o); \ } while ( false ) #define FREE_XENHEAP_PAGE(p) FREE_XENHEAP_PAGES(p, 0) diff --git a/xen/include/xen/xmalloc.h b/xen/include/xen/xmalloc.h index 16979a117c..d857298011 100644 --- a/xen/include/xen/xmalloc.h +++ b/xen/include/xen/xmalloc.h @@ -66,9 +66,10 @@ extern void xfree(void *); /* Free an allocation, and zero the pointer to it. */ -#define XFREE(p) do { \ - xfree(p); \ - (p) = NULL; \ +#define XFREE(p) do { \ + void *_ptr_ = (p); \ + (p) = NULL; \ + xfree(_ptr_); \ } while ( false ) /* Underlying functions */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:23:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:23:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693552.1081805 (Exim 4.92) (envelope-from ) id 1rktTw-0000Al-7q; Thu, 14 Mar 2024 22:23:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693552.1081805; Thu, 14 Mar 2024 22:23:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTw-0000Ad-52; Thu, 14 Mar 2024 22:23:24 +0000 Received: by outflank-mailman (input) for mailman id 693552; Thu, 14 Mar 2024 22:23:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTu-00009p-FP for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktTu-0002p3-Ea for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktTu-0003AE-DG for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=aadm1jBf50W2kktAfNQY0iCHcQXfSJCzrdUi3x/KZEE=; b=S9M50snz13cqLT3fwnE99xFI5I 75V9sG8DGuP/jV/8gRG69SoMPTk+VlcuHW1o0/LrRY2fXdzg5ou3lntKjNfys7cP10ODMpw4+TQTz cadZt7M3AuhpbklV5VPXTM7gJtC/tlmaKsTSXibXocKFIvHdPxluIY7hQQBmlyKZiKjM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/spinlock: introduce support for blocking speculation into critical regions Message-Id: Date: Thu, 14 Mar 2024 22:23:22 +0000 commit 1932973ac9a8c28197ebb24749c73c18cf23f5f1 Author: Roger Pau Monné AuthorDate: Tue Feb 13 13:08:05 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:58:56 2024 +0000 x86/spinlock: introduce support for blocking speculation into critical regions Introduce a new Kconfig option to block speculation into lock protected critical regions. The Kconfig option is enabled by default, but the mitigation won't be engaged unless it's explicitly enabled in the command line using `spec-ctrl=lock-harden`. Convert the spinlock acquire macros into always-inline functions, and introduce a speculation barrier after the lock has been taken. Note the speculation barrier is not placed inside the implementation of the spin lock functions, as to prevent speculation from falling through the call to the lock functions resulting in the barrier also being skipped. trylock variants are protected using a construct akin to the existing evaluate_nospec(). This patch only implements the speculation barrier for x86. Note spin locks are the only locking primitive taken care in this change, further locking primitives will be adjusted by separate changes. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 7ef0084418e188d05f338c3e028fbbe8b6924afa) --- docs/misc/xen-command-line.pandoc | 7 ++++++- xen/arch/x86/include/asm/cpufeatures.h | 2 +- xen/arch/x86/include/asm/nospec.h | 26 ++++++++++++++++++++++++ xen/arch/x86/spec_ctrl.c | 26 +++++++++++++++++++++--- xen/common/Kconfig | 17 ++++++++++++++++ xen/include/xen/nospec.h | 15 ++++++++++++++ xen/include/xen/spinlock.h | 37 ++++++++++++++++++++++++++++------ 7 files changed, 119 insertions(+), 11 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index fbf1683924..3f9f916718 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -2373,7 +2373,7 @@ By default SSBD will be mitigated at runtime (i.e `ssbd=runtime`). > {msr-sc,rsb,verw,ibpb-entry}=|{pv,hvm}=, > bti-thunk=retpoline|lfence|jmp, {ibrs,ibpb,ssbd,psfd, > eager-fpu,l1d-flush,branch-harden,srb-lock, -> unpriv-mmio,gds-mit,div-scrub}= ]` +> unpriv-mmio,gds-mit,div-scrub,lock-harden}= ]` Controls for speculative execution sidechannel mitigations. By default, Xen will pick the most appropriate mitigations based on compiled in support, @@ -2500,6 +2500,11 @@ On all hardware, the `div-scrub=` option can be used to force or prevent Xen from mitigating the DIV-leakage vulnerability. By default, Xen will mitigate DIV-leakage on hardware believed to be vulnerable. +If Xen is compiled with `CONFIG_SPECULATIVE_HARDEN_LOCK`, the `lock-harden=` +boolean can be used to force or prevent Xen from using speculation barriers to +protect lock critical regions. This mitigation won't be engaged by default, +and needs to be explicitly enabled on the command line. + ### sync_console > `= ` diff --git a/xen/arch/x86/include/asm/cpufeatures.h b/xen/arch/x86/include/asm/cpufeatures.h index c3aad21c3b..7e8221fd85 100644 --- a/xen/arch/x86/include/asm/cpufeatures.h +++ b/xen/arch/x86/include/asm/cpufeatures.h @@ -24,7 +24,7 @@ XEN_CPUFEATURE(APERFMPERF, X86_SYNTH( 8)) /* APERFMPERF */ XEN_CPUFEATURE(MFENCE_RDTSC, X86_SYNTH( 9)) /* MFENCE synchronizes RDTSC */ XEN_CPUFEATURE(XEN_SMEP, X86_SYNTH(10)) /* SMEP gets used by Xen itself */ XEN_CPUFEATURE(XEN_SMAP, X86_SYNTH(11)) /* SMAP gets used by Xen itself */ -/* Bit 12 unused. */ +XEN_CPUFEATURE(SC_NO_LOCK_HARDEN, X86_SYNTH(12)) /* (Disable) Lock critical region hardening */ XEN_CPUFEATURE(IND_THUNK_LFENCE, X86_SYNTH(13)) /* Use IND_THUNK_LFENCE */ XEN_CPUFEATURE(IND_THUNK_JMP, X86_SYNTH(14)) /* Use IND_THUNK_JMP */ XEN_CPUFEATURE(SC_NO_BRANCH_HARDEN, X86_SYNTH(15)) /* (Disable) Conditional branch hardening */ diff --git a/xen/arch/x86/include/asm/nospec.h b/xen/arch/x86/include/asm/nospec.h index 7150e76b87..0725839e19 100644 --- a/xen/arch/x86/include/asm/nospec.h +++ b/xen/arch/x86/include/asm/nospec.h @@ -38,6 +38,32 @@ static always_inline void block_speculation(void) barrier_nospec_true(); } +static always_inline void arch_block_lock_speculation(void) +{ + alternative("lfence", "", X86_FEATURE_SC_NO_LOCK_HARDEN); +} + +/* Allow to insert a read memory barrier into conditionals */ +static always_inline bool barrier_lock_true(void) +{ + alternative("lfence #nospec-true", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return true; +} + +static always_inline bool barrier_lock_false(void) +{ + alternative("lfence #nospec-false", "", X86_FEATURE_SC_NO_LOCK_HARDEN); + return false; +} + +static always_inline bool arch_lock_evaluate_nospec(bool condition) +{ + if ( condition ) + return barrier_lock_true(); + else + return barrier_lock_false(); +} + #endif /* _ASM_X86_NOSPEC_H */ /* diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 8165379fed..5dfc4ed69e 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -53,6 +53,7 @@ int8_t __read_mostly opt_eager_fpu = -1; int8_t __read_mostly opt_l1d_flush = -1; static bool __initdata opt_branch_harden = IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH); +static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; uint8_t __read_mostly default_xen_spec_ctrl; @@ -121,6 +122,7 @@ static int __init cf_check parse_spec_ctrl(const char *s) opt_ssbd = false; opt_l1d_flush = 0; opt_branch_harden = false; + opt_lock_harden = false; opt_srb_lock = 0; opt_unpriv_mmio = false; opt_gds_mit = 0; @@ -286,6 +288,16 @@ static int __init cf_check parse_spec_ctrl(const char *s) rc = -EINVAL; } } + else if ( (val = parse_boolean("lock-harden", s, ss)) >= 0 ) + { + if ( IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) + opt_lock_harden = val; + else + { + no_config_param("SPECULATIVE_HARDEN_LOCK", "spec-ctrl", s, ss); + rc = -EINVAL; + } + } else if ( (val = parse_boolean("srb-lock", s, ss)) >= 0 ) opt_srb_lock = val; else if ( (val = parse_boolean("unpriv-mmio", s, ss)) >= 0 ) @@ -488,7 +500,8 @@ static void __init print_details(enum ind_thunk thunk) if ( IS_ENABLED(CONFIG_INDIRECT_THUNK) || IS_ENABLED(CONFIG_SHADOW_PAGING) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_ARRAY) || IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH) || - IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) ) + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS) || + IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_LOCK) ) printk(" Compiled-in support:" #ifdef CONFIG_INDIRECT_THUNK " INDIRECT_THUNK" @@ -504,11 +517,14 @@ static void __init print_details(enum ind_thunk thunk) #endif #ifdef CONFIG_SPECULATIVE_HARDEN_GUEST_ACCESS " HARDEN_GUEST_ACCESS" +#endif +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + " HARDEN_LOCK" #endif "\n"); /* Settings for Xen's protection, irrespective of guests. */ - printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s\n", + printk(" Xen settings: %s%sSPEC_CTRL: %s%s%s%s%s, Other:%s%s%s%s%s%s%s\n", thunk != THUNK_NONE ? "BTI-Thunk: " : "", thunk == THUNK_NONE ? "" : thunk == THUNK_RETPOLINE ? "RETPOLINE, " : @@ -535,7 +551,8 @@ static void __init print_details(enum ind_thunk thunk) opt_verw_pv || opt_verw_hvm || opt_verw_mmio ? " VERW" : "", opt_div_scrub ? " DIV" : "", - opt_branch_harden ? " BRANCH_HARDEN" : ""); + opt_branch_harden ? " BRANCH_HARDEN" : "", + opt_lock_harden ? " LOCK_HARDEN" : ""); /* L1TF diagnostics, printed if vulnerable or PV shadowing is in use. */ if ( cpu_has_bug_l1tf || opt_pv_l1tf_hwdom || opt_pv_l1tf_domu ) @@ -1918,6 +1935,9 @@ void __init init_speculation_mitigations(void) if ( !opt_branch_harden ) setup_force_cpu_cap(X86_FEATURE_SC_NO_BRANCH_HARDEN); + if ( !opt_lock_harden ) + setup_force_cpu_cap(X86_FEATURE_SC_NO_LOCK_HARDEN); + /* * We do not disable HT by default on affected hardware. * diff --git a/xen/common/Kconfig b/xen/common/Kconfig index 4d6fe05164..3361a6d892 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -188,6 +188,23 @@ config SPECULATIVE_HARDEN_GUEST_ACCESS If unsure, say Y. +config SPECULATIVE_HARDEN_LOCK + bool "Speculative lock context hardening" + default y + depends on X86 + help + Contemporary processors may use speculative execution as a + performance optimisation, but this can potentially be abused by an + attacker to leak data via speculative sidechannels. + + One source of data leakage is via speculative accesses to lock + critical regions. + + This option is disabled by default at run time, and needs to be + enabled on the command line. + + If unsure, say Y. + endmenu config DIT_DEFAULT diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index 76255bc46e..4552846403 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -70,6 +70,21 @@ static inline unsigned long array_index_mask_nospec(unsigned long index, #define array_access_nospec(array, index) \ (array)[array_index_nospec(index, ARRAY_SIZE(array))] +static always_inline void block_lock_speculation(void) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + arch_block_lock_speculation(); +#endif +} + +static always_inline bool lock_evaluate_nospec(bool condition) +{ +#ifdef CONFIG_SPECULATIVE_HARDEN_LOCK + return arch_lock_evaluate_nospec(condition); +#endif + return condition; +} + #endif /* XEN_NOSPEC_H */ /* diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index e7a1c1aa89..28fce5615e 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -1,6 +1,7 @@ #ifndef __SPINLOCK_H__ #define __SPINLOCK_H__ +#include #include #include @@ -195,13 +196,30 @@ int _spin_trylock_recursive(spinlock_t *lock); void _spin_lock_recursive(spinlock_t *lock); void _spin_unlock_recursive(spinlock_t *lock); -#define spin_lock(l) _spin_lock(l) -#define spin_lock_cb(l, c, d) _spin_lock_cb(l, c, d) -#define spin_lock_irq(l) _spin_lock_irq(l) +static always_inline void spin_lock(spinlock_t *l) +{ + _spin_lock(l); + block_lock_speculation(); +} + +static always_inline void spin_lock_cb(spinlock_t *l, void (*c)(void *data), + void *d) +{ + _spin_lock_cb(l, c, d); + block_lock_speculation(); +} + +static always_inline void spin_lock_irq(spinlock_t *l) +{ + _spin_lock_irq(l); + block_lock_speculation(); +} + #define spin_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _spin_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define spin_unlock(l) _spin_unlock(l) @@ -209,7 +227,7 @@ void _spin_unlock_recursive(spinlock_t *lock); #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) #define spin_is_locked(l) _spin_is_locked(l) -#define spin_trylock(l) _spin_trylock(l) +#define spin_trylock(l) lock_evaluate_nospec(_spin_trylock(l)) #define spin_trylock_irqsave(lock, flags) \ ({ \ @@ -230,8 +248,15 @@ void _spin_unlock_recursive(spinlock_t *lock); * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) _spin_trylock_recursive(l) -#define spin_lock_recursive(l) _spin_lock_recursive(l) +#define spin_trylock_recursive(l) \ + lock_evaluate_nospec(_spin_trylock_recursive(l)) + +static always_inline void spin_lock_recursive(spinlock_t *l) +{ + _spin_lock_recursive(l); + block_lock_speculation(); +} + #define spin_unlock_recursive(l) _spin_unlock_recursive(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:23:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:23:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693553.1081809 (Exim 4.92) (envelope-from ) id 1rktU6-0000Dp-8u; Thu, 14 Mar 2024 22:23:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693553.1081809; Thu, 14 Mar 2024 22:23:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktU6-0000Di-6V; Thu, 14 Mar 2024 22:23:34 +0000 Received: by outflank-mailman (input) for mailman id 693553; Thu, 14 Mar 2024 22:23:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktU4-0000DM-I5 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktU4-0002pD-HQ for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktU4-0003Aj-Gg for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hJcEx2OowGSoj3ELUGHR/uXkWERWwaW8NxBphY1oE40=; b=xPdyHpnsFGdJTEQTivLqfbivZH vrkuFXlCDu0DKyPFULZZfST8H7o4N/L1OqMMQTUvjKOfhgmRWNT221mOjM0R3ybyAaSb9eDiLJoMQ Tbq5CFoesJGoSskLg33yyhJzHcRTsOXhEApxN9vMgGuanBPnqri2ogs8bkbAWRU8+3jk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Thu, 14 Mar 2024 22:23:32 +0000 commit e7f0f11c888757e62940ded87b4ab5ebc992764f Author: Roger Pau Monné AuthorDate: Tue Feb 13 16:08:52 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:58:58 2024 +0000 rwlock: introduce support for blocking speculation into critical regions Introduce inline wrappers as required and add direct calls to block_lock_speculation() in order to prevent speculation into the rwlock protected critical regions. Note the rwlock primitives are adjusted to use the non speculation safe variants of the spinlock handlers, as a speculation barrier is added in the rwlock calling wrappers. trylock variants are protected by using lock_evaluate_nospec(). This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit a1fb15f61692b1fa9945fc51f55471ace49cdd59) --- xen/common/rwlock.c | 14 +++++++++++--- xen/include/xen/rwlock.h | 34 ++++++++++++++++++++++++++++------ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 18224a4bb5..290602936d 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -34,8 +34,11 @@ void queue_read_lock_slowpath(rwlock_t *lock) /* * Put the reader into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. */ - spin_lock(&lock->lock); + _spin_lock(&lock->lock); /* * At the head of the wait queue now, wait until the writer state @@ -66,8 +69,13 @@ void queue_write_lock_slowpath(rwlock_t *lock) { u32 cnts; - /* Put the writer into the wait queue. */ - spin_lock(&lock->lock); + /* + * Put the writer into the wait queue. + * + * Use the speculation unsafe helper, as it's the caller responsibility to + * issue a speculation barrier if required. + */ + _spin_lock(&lock->lock); /* Try to acquire the lock directly if no reader is present. */ if ( !atomic_read(&lock->cnts) && diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index e0d2b41c5c..9a0d3ec238 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -259,27 +259,49 @@ static inline int _rw_is_write_locked(const rwlock_t *lock) return (atomic_read(&lock->cnts) & _QW_WMASK) == _QW_LOCKED; } -#define read_lock(l) _read_lock(l) -#define read_lock_irq(l) _read_lock_irq(l) +static always_inline void read_lock(rwlock_t *l) +{ + _read_lock(l); + block_lock_speculation(); +} + +static always_inline void read_lock_irq(rwlock_t *l) +{ + _read_lock_irq(l); + block_lock_speculation(); +} + #define read_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _read_lock_irqsave(l)); \ + block_lock_speculation(); \ }) #define read_unlock(l) _read_unlock(l) #define read_unlock_irq(l) _read_unlock_irq(l) #define read_unlock_irqrestore(l, f) _read_unlock_irqrestore(l, f) -#define read_trylock(l) _read_trylock(l) +#define read_trylock(l) lock_evaluate_nospec(_read_trylock(l)) + +static always_inline void write_lock(rwlock_t *l) +{ + _write_lock(l); + block_lock_speculation(); +} + +static always_inline void write_lock_irq(rwlock_t *l) +{ + _write_lock_irq(l); + block_lock_speculation(); +} -#define write_lock(l) _write_lock(l) -#define write_lock_irq(l) _write_lock_irq(l) #define write_lock_irqsave(l, f) \ ({ \ BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ ((f) = _write_lock_irqsave(l)); \ + block_lock_speculation(); \ }) -#define write_trylock(l) _write_trylock(l) +#define write_trylock(l) lock_evaluate_nospec(_write_trylock(l)) #define write_unlock(l) _write_unlock(l) #define write_unlock_irq(l) _write_unlock_irq(l) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:23:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:23:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693557.1081823 (Exim 4.92) (envelope-from ) id 1rktUG-0000YV-IZ; Thu, 14 Mar 2024 22:23:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693557.1081823; Thu, 14 Mar 2024 22:23:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUG-0000YQ-Fe; Thu, 14 Mar 2024 22:23:44 +0000 Received: by outflank-mailman (input) for mailman id 693557; Thu, 14 Mar 2024 22:23:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUE-0000XV-LC for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUE-0002pf-KV for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktUE-0003BA-Jb for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XGJEYtt/KU6kij7bsFWz58Imr7rW3IvrNMz+cmCvvo4=; b=poDeEdnH+5dyUhs6Y6x77lUWzs lckcdNkmpAHGH2Syvy/LQNCE5pAGDp6KGUQ+STanHvtulikcsmpX/+c3DxCZ+INY4uQ0ZI8PozPYW IF+Fs+SUgR4jVsbLyMMxlhTGbVVlTF6xl8tQSZGoRWgq8/yoL4/nu/Tao+3xEidaVXKE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] percpu-rwlock: introduce support for blocking speculation into critical regions Message-Id: Date: Thu, 14 Mar 2024 22:23:42 +0000 commit 5a13c81542a163718d7cb9b150b0282b7855efde Author: Roger Pau Monné AuthorDate: Tue Feb 13 17:57:38 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 15:58:58 2024 +0000 percpu-rwlock: introduce support for blocking speculation into critical regions Add direct calls to block_lock_speculation() where required in order to prevent speculation into the lock protected critical regions. Also convert _percpu_read_lock() from inline to always_inline. Note that _percpu_write_lock() has been modified the use the non speculation safe of the locking primites, as a speculation is added unconditionally by the calling wrapper. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit f218daf6d3a3b847736d37c6a6b76031a0d08441) --- xen/common/rwlock.c | 6 +++++- xen/include/xen/rwlock.h | 14 ++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/xen/common/rwlock.c b/xen/common/rwlock.c index 290602936d..f5a249bcc2 100644 --- a/xen/common/rwlock.c +++ b/xen/common/rwlock.c @@ -129,8 +129,12 @@ void _percpu_write_lock(percpu_rwlock_t **per_cpudata, /* * First take the write lock to protect against other writers or slow * path readers. + * + * Note we use the speculation unsafe variant of write_lock(), as the + * calling wrapper already adds a speculation barrier after the lock has + * been taken. */ - write_lock(&percpu_rwlock->rwlock); + _write_lock(&percpu_rwlock->rwlock); /* Now set the global variable so that readers start using read_lock. */ percpu_rwlock->writer_activating = 1; diff --git a/xen/include/xen/rwlock.h b/xen/include/xen/rwlock.h index 9a0d3ec238..9e35ee2edf 100644 --- a/xen/include/xen/rwlock.h +++ b/xen/include/xen/rwlock.h @@ -338,8 +338,8 @@ static inline void _percpu_rwlock_owner_check(percpu_rwlock_t **per_cpudata, #define percpu_rwlock_resource_init(l, owner) \ (*(l) = (percpu_rwlock_t)PERCPU_RW_LOCK_UNLOCKED(&get_per_cpu_var(owner))) -static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, - percpu_rwlock_t *percpu_rwlock) +static always_inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, + percpu_rwlock_t *percpu_rwlock) { /* Validate the correct per_cpudata variable has been provided. */ _percpu_rwlock_owner_check(per_cpudata, percpu_rwlock); @@ -374,6 +374,8 @@ static inline void _percpu_read_lock(percpu_rwlock_t **per_cpudata, } else { + /* Other branch already has a speculation barrier in read_lock(). */ + block_lock_speculation(); /* All other paths have implicit check_lock() calls via read_lock(). */ check_lock(&percpu_rwlock->rwlock.lock.debug, false); } @@ -430,8 +432,12 @@ static inline void _percpu_write_unlock(percpu_rwlock_t **per_cpudata, _percpu_read_lock(&get_per_cpu_var(percpu), lock) #define percpu_read_unlock(percpu, lock) \ _percpu_read_unlock(&get_per_cpu_var(percpu), lock) -#define percpu_write_lock(percpu, lock) \ - _percpu_write_lock(&get_per_cpu_var(percpu), lock) + +#define percpu_write_lock(percpu, lock) \ +({ \ + _percpu_write_lock(&get_per_cpu_var(percpu), lock); \ + block_lock_speculation(); \ +}) #define percpu_write_unlock(percpu, lock) \ _percpu_write_unlock(&get_per_cpu_var(percpu), lock) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:23:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:23:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693558.1081827 (Exim 4.92) (envelope-from ) id 1rktUQ-0000jS-KY; Thu, 14 Mar 2024 22:23:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693558.1081827; Thu, 14 Mar 2024 22:23:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUQ-0000jL-H4; Thu, 14 Mar 2024 22:23:54 +0000 Received: by outflank-mailman (input) for mailman id 693558; Thu, 14 Mar 2024 22:23:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUO-0000io-Or for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUO-0002pn-O2 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktUO-0003C3-NM for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:23:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BvQoNonKtko5ZWEL2ms0PbIzp3krZStwGE33eM+YDFs=; b=uBPkXQAk8mEQ64GOgRCHe9ZEsj guwSSPbvdQxivn5jiO420uj5+oA5jKK0v3C/1wLiHYw8v9eiNEDUIuWK2sxFug76k6NzHr8dC6x28 ZpzMXVmaH116+FvqY09LBRiq7uw44PFTO1OUMj+y9TDn8WhvPhwdwLUVErM913+0HAVY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] locking: attempt to ensure lock wrappers are always inline Message-Id: Date: Thu, 14 Mar 2024 22:23:52 +0000 commit 9de8a52b0e09a2491736abbd4a865a06ac2ced7a Author: Roger Pau Monné AuthorDate: Mon Mar 4 14:29:36 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:00:26 2024 +0000 locking: attempt to ensure lock wrappers are always inline In order to prevent the locking speculation barriers from being inside of `call`ed functions that could be speculatively bypassed. While there also add an extra locking barrier to _mm_write_lock() in the branch taken when the lock is already held. Note some functions are switched to use the unsafe variants (without speculation barrier) of the locking primitives, but a speculation barrier is always added to the exposed public lock wrapping helper. That's the case with sched_spin_lock_double() or pcidevs_lock() for example. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 197ecd838a2aaf959a469df3696d4559c4f8b762) --- xen/arch/x86/hvm/vpt.c | 10 +++++++--- xen/arch/x86/include/asm/irq.h | 1 + xen/arch/x86/mm/mm-locks.h | 28 +++++++++++++++------------- xen/arch/x86/mm/p2m-pod.c | 2 +- xen/common/event_channel.c | 5 +++-- xen/common/grant_table.c | 6 +++--- xen/common/sched/core.c | 19 ++++++++++++------- xen/common/sched/private.h | 26 ++++++++++++++++++++++++-- xen/common/timer.c | 8 +++++--- xen/drivers/passthrough/pci.c | 5 +++-- xen/include/xen/event.h | 4 ++-- xen/include/xen/pci.h | 8 ++++++-- 12 files changed, 82 insertions(+), 40 deletions(-) diff --git a/xen/arch/x86/hvm/vpt.c b/xen/arch/x86/hvm/vpt.c index 8f53e88d67..e1d6845a28 100644 --- a/xen/arch/x86/hvm/vpt.c +++ b/xen/arch/x86/hvm/vpt.c @@ -150,7 +150,7 @@ static int pt_irq_masked(struct periodic_time *pt) * pt->vcpu field, because another thread holding the pt_migrate lock * may already be spinning waiting for your vcpu lock. */ -static void pt_vcpu_lock(struct vcpu *v) +static always_inline void pt_vcpu_lock(struct vcpu *v) { spin_lock(&v->arch.hvm.tm_lock); } @@ -169,9 +169,13 @@ static void pt_vcpu_unlock(struct vcpu *v) * need to take an additional lock that protects against pt->vcpu * changing. */ -static void pt_lock(struct periodic_time *pt) +static always_inline void pt_lock(struct periodic_time *pt) { - read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); + /* + * Use the speculation unsafe variant for the first lock, as the following + * lock taking helper already includes a speculation barrier. + */ + _read_lock(&pt->vcpu->domain->arch.hvm.pl_time->pt_migrate); spin_lock(&pt->vcpu->arch.hvm.tm_lock); } diff --git a/xen/arch/x86/include/asm/irq.h b/xen/arch/x86/include/asm/irq.h index a87af47ece..465ab39bb0 100644 --- a/xen/arch/x86/include/asm/irq.h +++ b/xen/arch/x86/include/asm/irq.h @@ -174,6 +174,7 @@ void cf_check irq_complete_move(struct irq_desc *desc); extern struct irq_desc *irq_desc; +/* Not speculation safe, only used for AP bringup. */ void lock_vector_lock(void); void unlock_vector_lock(void); diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 5a3f96fbaa..5ec080c02f 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -74,8 +74,8 @@ static inline void _set_lock_level(int l) this_cpu(mm_lock_level) = l; } -static inline void _mm_lock(const struct domain *d, mm_lock_t *l, - const char *func, int level, int rec) +static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, + const char *func, int level, int rec) { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); @@ -125,8 +125,8 @@ static inline int mm_write_locked_by_me(mm_rwlock_t *l) return (l->locker == get_processor_id()); } -static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, - const char *func, int level) +static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, + const char *func, int level) { if ( !mm_write_locked_by_me(l) ) { @@ -137,6 +137,8 @@ static inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, l->unlock_level = _get_lock_level(); _set_lock_level(_lock_level(d, level)); } + else + block_speculation(); l->recurse_count++; } @@ -150,8 +152,8 @@ static inline void mm_write_unlock(mm_rwlock_t *l) percpu_write_unlock(p2m_percpu_rwlock, &l->lock); } -static inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, - int level) +static always_inline void _mm_read_lock(const struct domain *d, mm_rwlock_t *l, + int level) { _check_lock_level(d, level); percpu_read_lock(p2m_percpu_rwlock, &l->lock); @@ -166,15 +168,15 @@ static inline void mm_read_unlock(mm_rwlock_t *l) /* This wrapper uses the line number to express the locking order below */ #define declare_mm_lock(name) \ - static inline void mm_lock_##name(const struct domain *d, mm_lock_t *l, \ - const char *func, int rec) \ + static always_inline void mm_lock_##name( \ + const struct domain *d, mm_lock_t *l, const char *func, int rec) \ { _mm_lock(d, l, func, MM_LOCK_ORDER_##name, rec); } #define declare_mm_rwlock(name) \ - static inline void mm_write_lock_##name(const struct domain *d, \ - mm_rwlock_t *l, const char *func) \ + static always_inline void mm_write_lock_##name( \ + const struct domain *d, mm_rwlock_t *l, const char *func) \ { _mm_write_lock(d, l, func, MM_LOCK_ORDER_##name); } \ - static inline void mm_read_lock_##name(const struct domain *d, \ - mm_rwlock_t *l) \ + static always_inline void mm_read_lock_##name(const struct domain *d, \ + mm_rwlock_t *l) \ { _mm_read_lock(d, l, MM_LOCK_ORDER_##name); } /* These capture the name of the calling function */ #define mm_lock(name, d, l) mm_lock_##name(d, l, __func__, 0) @@ -309,7 +311,7 @@ declare_mm_lock(altp2mlist) #define MM_LOCK_ORDER_altp2m 40 declare_mm_rwlock(altp2m); -static inline void p2m_lock(struct p2m_domain *p) +static always_inline void p2m_lock(struct p2m_domain *p) { if ( p2m_is_altp2m(p) ) mm_write_lock(altp2m, p->domain, &p->lock); diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index 9969eb45fa..9be67b63ce 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -24,7 +24,7 @@ #define superpage_aligned(_x) (((_x)&(SUPERPAGE_PAGES-1))==0) /* Enforce lock ordering when grabbing the "external" page_alloc lock */ -static inline void lock_page_alloc(struct p2m_domain *p2m) +static always_inline void lock_page_alloc(struct p2m_domain *p2m) { page_alloc_mm_pre_lock(p2m->domain); spin_lock(&(p2m->domain->page_alloc_lock)); diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index a7a004a084..66f924a7b0 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -45,7 +45,7 @@ * just assume the event channel is free or unbound at the moment when the * evtchn_read_trylock() returns false. */ -static inline void evtchn_write_lock(struct evtchn *evtchn) +static always_inline void evtchn_write_lock(struct evtchn *evtchn) { write_lock(&evtchn->lock); @@ -351,7 +351,8 @@ int evtchn_alloc_unbound(evtchn_alloc_unbound_t *alloc, evtchn_port_t port) return rc; } -static void double_evtchn_lock(struct evtchn *lchn, struct evtchn *rchn) +static always_inline void double_evtchn_lock(struct evtchn *lchn, + struct evtchn *rchn) { ASSERT(lchn != rchn); diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c index 89b7811c51..934924cbda 100644 --- a/xen/common/grant_table.c +++ b/xen/common/grant_table.c @@ -403,7 +403,7 @@ static inline void act_set_gfn(struct active_grant_entry *act, gfn_t gfn) static DEFINE_PERCPU_RWLOCK_GLOBAL(grant_rwlock); -static inline void grant_read_lock(struct grant_table *gt) +static always_inline void grant_read_lock(struct grant_table *gt) { percpu_read_lock(grant_rwlock, >->lock); } @@ -413,7 +413,7 @@ static inline void grant_read_unlock(struct grant_table *gt) percpu_read_unlock(grant_rwlock, >->lock); } -static inline void grant_write_lock(struct grant_table *gt) +static always_inline void grant_write_lock(struct grant_table *gt) { percpu_write_lock(grant_rwlock, >->lock); } @@ -450,7 +450,7 @@ nr_active_grant_frames(struct grant_table *gt) return num_act_frames_from_sha_frames(nr_grant_frames(gt)); } -static inline struct active_grant_entry * +static always_inline struct active_grant_entry * active_entry_acquire(struct grant_table *t, grant_ref_t e) { struct active_grant_entry *act; diff --git a/xen/common/sched/core.c b/xen/common/sched/core.c index 901782bbb4..34ad39b9ad 100644 --- a/xen/common/sched/core.c +++ b/xen/common/sched/core.c @@ -348,23 +348,28 @@ uint64_t get_cpu_idle_time(unsigned int cpu) * This avoids dead- or live-locks when this code is running on both * cpus at the same time. */ -static void sched_spin_lock_double(spinlock_t *lock1, spinlock_t *lock2, - unsigned long *flags) +static always_inline void sched_spin_lock_double( + spinlock_t *lock1, spinlock_t *lock2, unsigned long *flags) { + /* + * In order to avoid extra overhead, use the locking primitives without the + * speculation barrier, and introduce a single barrier here. + */ if ( lock1 == lock2 ) { - spin_lock_irqsave(lock1, *flags); + *flags = _spin_lock_irqsave(lock1); } else if ( lock1 < lock2 ) { - spin_lock_irqsave(lock1, *flags); - spin_lock(lock2); + *flags = _spin_lock_irqsave(lock1); + _spin_lock(lock2); } else { - spin_lock_irqsave(lock2, *flags); - spin_lock(lock1); + *flags = _spin_lock_irqsave(lock2); + _spin_lock(lock1); } + block_lock_speculation(); } static void sched_spin_unlock_double(spinlock_t *lock1, spinlock_t *lock2, diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index c516976c37..3b97f15767 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -207,8 +207,24 @@ DECLARE_PER_CPU(cpumask_t, cpumask_scratch); #define cpumask_scratch (&this_cpu(cpumask_scratch)) #define cpumask_scratch_cpu(c) (&per_cpu(cpumask_scratch, c)) +/* + * Deal with _spin_lock_irqsave() returning the flags value instead of storing + * it in a passed parameter. + */ +#define _sched_spinlock0(lock, irq) _spin_lock##irq(lock) +#define _sched_spinlock1(lock, irq, arg) ({ \ + BUILD_BUG_ON(sizeof(arg) != sizeof(unsigned long)); \ + (arg) = _spin_lock##irq(lock); \ +}) + +#define _sched_spinlock__(nr) _sched_spinlock ## nr +#define _sched_spinlock_(nr) _sched_spinlock__(nr) +#define _sched_spinlock(lock, irq, args...) \ + _sched_spinlock_(count_args(args))(lock, irq, ## args) + #define sched_lock(kind, param, cpu, irq, arg...) \ -static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ +static always_inline spinlock_t \ +*kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ { \ for ( ; ; ) \ { \ @@ -220,10 +236,16 @@ static inline spinlock_t *kind##_schedule_lock##irq(param EXTRA_TYPE(arg)) \ * \ * It may also be the case that v->processor may change but the \ * lock may be the same; this will succeed in that case. \ + * \ + * Use the speculation unsafe locking helper, there's a speculation \ + * barrier before returning to the caller. \ */ \ - spin_lock##irq(lock, ## arg); \ + _sched_spinlock(lock, irq, ## arg); \ if ( likely(lock == get_sched_res(cpu)->schedule_lock) ) \ + { \ + block_lock_speculation(); \ return lock; \ + } \ spin_unlock##irq(lock, ## arg); \ } \ } diff --git a/xen/common/timer.c b/xen/common/timer.c index 0fddfa7487..38eb5fd20d 100644 --- a/xen/common/timer.c +++ b/xen/common/timer.c @@ -239,7 +239,7 @@ static inline void deactivate_timer(struct timer *timer) list_add(&timer->inactive, &per_cpu(timers, timer->cpu).inactive); } -static inline bool_t timer_lock(struct timer *timer) +static inline bool_t timer_lock_unsafe(struct timer *timer) { unsigned int cpu; @@ -253,7 +253,8 @@ static inline bool_t timer_lock(struct timer *timer) rcu_read_unlock(&timer_cpu_read_lock); return 0; } - spin_lock(&per_cpu(timers, cpu).lock); + /* Use the speculation unsafe variant, the wrapper has the barrier. */ + _spin_lock(&per_cpu(timers, cpu).lock); if ( likely(timer->cpu == cpu) ) break; spin_unlock(&per_cpu(timers, cpu).lock); @@ -266,8 +267,9 @@ static inline bool_t timer_lock(struct timer *timer) #define timer_lock_irqsave(t, flags) ({ \ bool_t __x; \ local_irq_save(flags); \ - if ( !(__x = timer_lock(t)) ) \ + if ( !(__x = timer_lock_unsafe(t)) ) \ local_irq_restore(flags); \ + block_lock_speculation(); \ __x; \ }) diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index e99837b6e1..2a1e7ee89a 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -52,9 +52,10 @@ struct pci_seg { static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; -void pcidevs_lock(void) +/* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ +void pcidevs_lock_unsafe(void) { - spin_lock_recursive(&_pcidevs_lock); + _spin_lock_recursive(&_pcidevs_lock); } void pcidevs_unlock(void) diff --git a/xen/include/xen/event.h b/xen/include/xen/event.h index 8e509e0784..f1472ea1eb 100644 --- a/xen/include/xen/event.h +++ b/xen/include/xen/event.h @@ -114,12 +114,12 @@ void notify_via_xen_event_channel(struct domain *ld, int lport); #define bucket_from_port(d, p) \ ((group_from_port(d, p))[((p) % EVTCHNS_PER_GROUP) / EVTCHNS_PER_BUCKET]) -static inline void evtchn_read_lock(struct evtchn *evtchn) +static always_inline void evtchn_read_lock(struct evtchn *evtchn) { read_lock(&evtchn->lock); } -static inline bool evtchn_read_trylock(struct evtchn *evtchn) +static always_inline bool evtchn_read_trylock(struct evtchn *evtchn) { return read_trylock(&evtchn->lock); } diff --git a/xen/include/xen/pci.h b/xen/include/xen/pci.h index 251b8761a8..a71bed36be 100644 --- a/xen/include/xen/pci.h +++ b/xen/include/xen/pci.h @@ -155,8 +155,12 @@ struct pci_dev { * devices, it also sync the access to the msi capability that is not * interrupt handling related (the mask bit register). */ - -void pcidevs_lock(void); +void pcidevs_lock_unsafe(void); +static always_inline void pcidevs_lock(void) +{ + pcidevs_lock_unsafe(); + block_lock_speculation(); +} void pcidevs_unlock(void); bool __must_check pcidevs_locked(void); -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:24:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:24:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693560.1081831 (Exim 4.92) (envelope-from ) id 1rktUa-0000ow-NE; Thu, 14 Mar 2024 22:24:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693560.1081831; Thu, 14 Mar 2024 22:24:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUa-0000oo-KM; Thu, 14 Mar 2024 22:24:04 +0000 Received: by outflank-mailman (input) for mailman id 693560; Thu, 14 Mar 2024 22:24:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUY-0000oN-Rt for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:24:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUY-0002qB-RA for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:24:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktUY-0003DF-QO for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:24:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BKwIUZnDzcej3QJejvshcA8w4Ks3aJSVlRLoKIuopIs=; b=V6AND+Gp/dcqAOjwtLrD4DxiK7 kfz5gT0Ri2z3yTCy0TNpQylspoWiE/5jd/1AwvKkG4N6p0WASWzYQkMlwp6af0o4i1eh+jgrTofIt Xq+F/lf6cotFfFguNe3IHakTMchGGi/y1WcWfuvbBsm7eximzh9WSeZkQ9LjKFqzNlEA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/mm: add speculation barriers to open coded locks Message-Id: Date: Thu, 14 Mar 2024 22:24:02 +0000 commit e107a8ece71ec4e1bb0092d5beea6cb16a96f7ae Author: Roger Pau Monné AuthorDate: Mon Mar 4 18:08:48 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:00:27 2024 +0000 x86/mm: add speculation barriers to open coded locks Add a speculation barrier to the clearly identified open-coded lock taking functions. Note that the memory sharing page_lock() replacement (_page_lock()) is left as-is, as the code is experimental and not security supported. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 42a572a38e22a97d86a4b648a22597628d5b42e4) --- xen/arch/x86/include/asm/mm.h | 4 +++- xen/arch/x86/mm.c | 6 ++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h index 05dfe35502..d1b1fee99b 100644 --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -399,7 +399,9 @@ const struct platform_bad_page *get_platform_badpages(unsigned int *array_size); * The use of PGT_locked in mem_sharing does not collide, since mem_sharing is * only supported for hvm guests, which do not have PV PTEs updated. */ -int page_lock(struct page_info *page); +int page_lock_unsafe(struct page_info *page); +#define page_lock(pg) lock_evaluate_nospec(page_lock_unsafe(pg)) + void page_unlock(struct page_info *page); void put_page_type(struct page_info *page); diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index ab0acbfea6..000fd0fb55 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -2017,7 +2017,7 @@ static inline bool current_locked_page_ne_check(struct page_info *page) { #define current_locked_page_ne_check(x) true #endif -int page_lock(struct page_info *page) +int page_lock_unsafe(struct page_info *page) { unsigned long x, nx; @@ -2078,7 +2078,7 @@ void page_unlock(struct page_info *page) * l3t_lock(), so to avoid deadlock we must avoid grabbing them in * reverse order. */ -static void l3t_lock(struct page_info *page) +static always_inline void l3t_lock(struct page_info *page) { unsigned long x, nx; @@ -2087,6 +2087,8 @@ static void l3t_lock(struct page_info *page) cpu_relax(); nx = x | PGT_locked; } while ( cmpxchg(&page->u.inuse.type_info, x, nx) != x ); + + block_lock_speculation(); } static void l3t_unlock(struct page_info *page) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 14 22:24:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 14 Mar 2024 22:24:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693561.1081834 (Exim 4.92) (envelope-from ) id 1rktUk-0000sy-OM; Thu, 14 Mar 2024 22:24:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693561.1081834; Thu, 14 Mar 2024 22:24:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUk-0000sr-Lv; Thu, 14 Mar 2024 22:24:14 +0000 Received: by outflank-mailman (input) for mailman id 693561; Thu, 14 Mar 2024 22:24:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUi-0000sa-V8 for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:24:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rktUi-0002qI-UN for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:24:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rktUi-0003E8-Ta for xen-changelog@lists.xenproject.org; Thu, 14 Mar 2024 22:24:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SaLDA9M5DSOP25IVDxyf+2xUCLD7F3LWgyg9lQLOC+s=; b=i2uj38995S/vRcBDYBom4ib6q/ wF+ZdBycv5tmLy5qqaoMaGLDA2hYTcCadj9/enaw9m/WL4UF81G8NQChhEtoWa06fpxJ908IbNotu FCYUVEErnbPbG7i0qmCsu9eYnWVLUULwOI/4/ULRqeDtCjc+ZU0JddKiNP8z722QWohI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86: protect conditional lock taking from speculative execution Message-Id: Date: Thu, 14 Mar 2024 22:24:12 +0000 commit 4da8ca9cb9cfdb92c9dd09d5270ae16a3b2dbc89 Author: Roger Pau Monné AuthorDate: Mon Mar 4 16:24:21 2024 +0100 Commit: Andrew Cooper CommitDate: Tue Mar 12 16:00:27 2024 +0000 x86: protect conditional lock taking from speculative execution Conditionally taken locks that use the pattern: if ( lock ) spin_lock(...); Need an else branch in order to issue an speculation barrier in the else case, just like it's done in case the lock needs to be acquired. eval_nospec() could be used on the condition itself, but that would result in a double barrier on the branch where the lock is taken. Introduce a new pair of helpers, {gfn,spin}_lock_if() that can be used to conditionally take a lock in a speculation safe way. This is part of XSA-453 / CVE-2024-2193 Signed-off-by: Roger Pau Monné Reviewed-by: Jan Beulich (cherry picked from commit 03cf7ca23e0e876075954c558485b267b7d02406) --- xen/arch/x86/mm.c | 35 +++++++++++++---------------------- xen/arch/x86/mm/mm-locks.h | 9 +++++++++ xen/arch/x86/mm/p2m.c | 5 ++--- xen/include/xen/spinlock.h | 8 ++++++++ 4 files changed, 32 insertions(+), 25 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 000fd0fb55..45bfbc2522 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5007,8 +5007,7 @@ static l3_pgentry_t *virt_to_xen_l3e(unsigned long v) if ( !l3t ) return NULL; UNMAP_DOMAIN_PAGE(l3t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l4e_get_flags(*pl4e) & _PAGE_PRESENT) ) { l4_pgentry_t l4e = l4e_from_mfn(l3mfn, __PAGE_HYPERVISOR); @@ -5045,8 +5044,7 @@ static l2_pgentry_t *virt_to_xen_l2e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l3e_get_flags(*pl3e) & _PAGE_PRESENT) ) { l3e_write(pl3e, l3e_from_mfn(l2mfn, __PAGE_HYPERVISOR)); @@ -5084,8 +5082,7 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) return NULL; } UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( !(l2e_get_flags(*pl2e) & _PAGE_PRESENT) ) { l2e_write(pl2e, l2e_from_mfn(l1mfn, __PAGE_HYPERVISOR)); @@ -5116,6 +5113,8 @@ l1_pgentry_t *virt_to_xen_l1e(unsigned long v) do { \ if ( locking ) \ l3t_lock(page); \ + else \ + block_lock_speculation(); \ } while ( false ) #define L3T_UNLOCK(page) \ @@ -5331,8 +5330,7 @@ int map_pages_to_xen( if ( l3e_get_flags(ol3e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5436,8 +5434,7 @@ int map_pages_to_xen( if ( l2e_get_flags(*pl2e) & _PAGE_GLOBAL ) flush_flags |= FLUSH_TLB_GLOBAL; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5478,8 +5475,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l1_pgentry_t *l1t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol2e = *pl2e; /* @@ -5533,8 +5529,7 @@ int map_pages_to_xen( unsigned long base_mfn; const l2_pgentry_t *l2t; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); ol3e = *pl3e; /* @@ -5678,8 +5673,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l3e_get_flags(*pl3e))); UNMAP_DOMAIN_PAGE(l2t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l3e_get_flags(*pl3e) & _PAGE_PRESENT) && (l3e_get_flags(*pl3e) & _PAGE_PSE) ) { @@ -5738,8 +5732,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) l2e_get_flags(*pl2e) & ~_PAGE_PSE)); UNMAP_DOMAIN_PAGE(l1t); - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); if ( (l2e_get_flags(*pl2e) & _PAGE_PRESENT) && (l2e_get_flags(*pl2e) & _PAGE_PSE) ) { @@ -5783,8 +5776,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) */ if ( (nf & _PAGE_PRESENT) || ((v != e) && (l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L2E may be already cleared, or set to a superpage, by @@ -5831,8 +5823,7 @@ int modify_xen_mappings(unsigned long s, unsigned long e, unsigned int nf) if ( (nf & _PAGE_PRESENT) || ((v != e) && (l2_table_offset(v) + l1_table_offset(v) != 0)) ) continue; - if ( locking ) - spin_lock(&map_pgdir_lock); + spin_lock_if(locking, &map_pgdir_lock); /* * L3E may be already cleared, or set to a superpage, by diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 5ec080c02f..b4960fb90e 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -335,6 +335,15 @@ static inline void p2m_unlock(struct p2m_domain *p) #define p2m_locked_by_me(p) mm_write_locked_by_me(&(p)->lock) #define gfn_locked_by_me(p,g) p2m_locked_by_me(p) +static always_inline void gfn_lock_if(bool condition, struct p2m_domain *p2m, + gfn_t gfn, unsigned int order) +{ + if ( condition ) + gfn_lock(p2m, gfn, order); + else + block_lock_speculation(); +} + /* PoD lock (per-p2m-table) * * Protects private PoD data structs: entry and cache diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index 0983bd71d9..22ab1d606e 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -280,9 +280,8 @@ mfn_t p2m_get_gfn_type_access(struct p2m_domain *p2m, gfn_t gfn, if ( q & P2M_UNSHARE ) q |= P2M_ALLOC; - if ( locked ) - /* Grab the lock here, don't release until put_gfn */ - gfn_lock(p2m, gfn, 0); + /* Grab the lock here, don't release until put_gfn */ + gfn_lock_if(locked, p2m, gfn, 0); mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 28fce5615e..c830df3430 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -222,6 +222,14 @@ static always_inline void spin_lock_irq(spinlock_t *l) block_lock_speculation(); \ }) +/* Conditionally take a spinlock in a speculation safe way. */ +static always_inline void spin_lock_if(bool condition, spinlock_t *l) +{ + if ( condition ) + _spin_lock(l); + block_lock_speculation(); +} + #define spin_unlock(l) _spin_unlock(l) #define spin_unlock_irq(l) _spin_unlock_irq(l) #define spin_unlock_irqrestore(l, f) _spin_unlock_irqrestore(l, f) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Fri Mar 15 05:11:07 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 15 Mar 2024 05:11:07 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693627.1081980 (Exim 4.92) (envelope-from ) id 1rkzqQ-0004Am-Ub; Fri, 15 Mar 2024 05:11:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693627.1081980; Fri, 15 Mar 2024 05:11:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqQ-0004Af-SE; Fri, 15 Mar 2024 05:11:02 +0000 Received: by outflank-mailman (input) for mailman id 693627; Fri, 15 Mar 2024 05:11:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqP-0004AZ-S6 for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqP-0001Yx-RI for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkzqP-0008Ef-QM for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BNgV+hdV+WvNODHwKXMDqMYnX9WXXV8A0WS09eSntrQ=; b=bt3skk5SUVG1sYodNuq6BkWOGk qsq5eerB5aLMYH3LcWM6lctcN0GkQZd5DxmS/zoRLMl3Z/U1by+IktDvZnXKcM+fyfzAJtNQHieee mBY/RQnLasuyXKlZiOqiXrY727Ja41eYfHV966w/Na/4CgCelcEZaKLhBxNsSPoFaCkk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] automation/eclair_analysis: deviate certain macros for Rule 20.12 Message-Id: Date: Fri, 15 Mar 2024 05:11:01 +0000 commit 4dc9a8b0606770dc9c6be20ff5a74a9af5fcba70 Author: Nicola Vetrini AuthorDate: Thu Feb 15 14:06:17 2024 +0100 Commit: Stefano Stabellini CommitDate: Wed Mar 13 17:21:51 2024 -0700 automation/eclair_analysis: deviate certain macros for Rule 20.12 Certain macros are allowed to violate the Rule, since their meaning and intended use is well-known to all Xen developers. Variadic macros that rely on the GCC extension for removing a trailing comma when token pasting the variable argument are similarly well-understood and therefore allowed. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- automation/eclair_analysis/ECLAIR/deviations.ecl | 20 ++++++++++++++++++++ docs/misra/deviations.rst | 22 ++++++++++++++++++++++ 2 files changed, 42 insertions(+) diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl index 9ac3ee4dfd..53f7623454 100644 --- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl @@ -405,6 +405,26 @@ in assignments." {safe, "left_right(^[(,\\[]$,^[),\\]]$)"} -doc_end +-doc_begin="Uses of variadic macros that have one of their arguments defined as +a macro and used within the body for both ordinary parameter expansion and as an +operand to the # or ## operators have a behavior that is well-understood and +deliberate." +-config=MC3R1.R20.12,macros+={deliberate, "variadic()"} +-doc_end + +-doc_begin="Uses of a macro parameter for ordinary expansion and as an operand +to the # or ## operators within the following macros are deliberate, to provide +useful diagnostic messages to the user." +-config=MC3R1.R20.12,macros+={deliberate, "name(ASSERT||BUILD_BUG_ON||BUILD_BUG_ON_ZERO)"} +-doc_end + +-doc_begin="The helper macro GENERATE_CASE may use a macro parameter for ordinary +expansion and token pasting to improve readability. Only instances where this +leads to a violation of the Rule are deviated." +-file_tag+={deliberate_generate_case, "^xen/arch/arm/vcpreg\\.c$"} +-config=MC3R1.R20.12,macros+={deliberate, "name(GENERATE_CASE)&&loc(file(deliberate_generate_case))"} +-doc_end + # # General # diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst index ce855ddae6..6d532a872d 100644 --- a/docs/misra/deviations.rst +++ b/docs/misra/deviations.rst @@ -336,6 +336,28 @@ Deviations related to MISRA C:2012 Rules: (4) as lhs in assignments. - Tagged as `safe` for ECLAIR. + * - R20.12 + - Variadic macros that use token pasting often employ the gcc extension + `ext_paste_comma`, as detailed in `C-language-toolchain.rst`, which is + not easily replaceable; macros that in addition perform regular argument + expansion on the same argument subject to the # or ## operators violate + the Rule if the argument is a macro. + - Tagged as `deliberate` for ECLAIR. + + * - R20.12 + - Macros that are used for runtime or build-time assertions contain + deliberate uses of an argument as both a regular argument and a + stringification token, to provide useful diagnostic messages. + - Tagged as `deliberate` for ECLAIR. + + * - R20.12 + - GENERATE_CASE is a local helper macro that allows some selected switch + statements to be more compact and readable. As such, the risk of + developer confusion in using such macro is deemed negligible. This + construct is deviated only in Translation Units that present a violation + of the Rule due to uses of this macro. + - Tagged as `deliberate` for ECLAIR. + Other deviations: ----------------- -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 15 05:11:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 15 Mar 2024 05:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693628.1081984 (Exim 4.92) (envelope-from ) id 1rkzqb-0004D4-06; Fri, 15 Mar 2024 05:11:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693628.1081984; Fri, 15 Mar 2024 05:11:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqa-0004Cw-Td; Fri, 15 Mar 2024 05:11:12 +0000 Received: by outflank-mailman (input) for mailman id 693628; Fri, 15 Mar 2024 05:11:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqa-0004Cj-13 for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqZ-0001ZA-Vc for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkzqZ-0008Fd-Tu for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gRoOLfzZdKSSuzeP7FXFTDRE+tpZahhg7TnamgU/NQI=; b=ojsL/2skUYjz0b+bAKXBWqozxB yavW+4gHdaF0DT1lv8WWnJzYldylvd7mCa/mrNp4VOg908VAsW+NjpBJG2hMuwxKqdscA8kDcwL/f 2RFszw1YIfl7DkKYAJB+0sYND+SWYtfYVkulXqcUGA8GK2F8la79Ktb157GZAMKp3700=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] restrict concept of pIRQ to x86 Message-Id: Date: Fri, 15 Mar 2024 05:11:11 +0000 commit 13a7b0f9f747b6ecba7a08ea63255093767359c0 Author: Jan Beulich AuthorDate: Thu Mar 14 13:51:19 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:51:19 2024 +0100 restrict concept of pIRQ to x86 ... by way of a new arch-selectable Kconfig control. Note that some smaller pieces of code are left without #ifdef, to keep things better readable. Hence items like ECS_PIRQ, nr_static_irqs, or domain_pirq_to_irq() remain uniformly. As to XEN_DOMCTL_irq_permission - this, despite having a uniformly available wrapper in libxc, is unused on Arm: libxl bypasses those calls, and the Python and OCamL bindings have no users at all. Signed-off-by: Jan Beulich Acked-by: Julien Grall --- docs/misc/xen-command-line.pandoc | 2 +- xen/arch/arm/include/asm/irq.h | 1 - xen/arch/x86/Kconfig | 1 + xen/common/Kconfig | 3 +++ xen/common/domain.c | 14 ++++++++++++++ xen/common/domctl.c | 2 ++ xen/common/event_channel.c | 14 ++++++++++++-- xen/include/xen/sched.h | 2 ++ 8 files changed, 35 insertions(+), 4 deletions(-) diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 54edbc0fbc..04f1415fc3 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1165,7 +1165,7 @@ introduced with the Nehalem architecture. intended as an emergency option for people who first chose fast, then change their minds to secure, and wish not to reboot.** -### extra_guest_irqs +### extra_guest_irqs (x86) > `= [][,]` > Default: `32,` diff --git a/xen/arch/arm/include/asm/irq.h b/xen/arch/arm/include/asm/irq.h index c8044b0371..1bae538887 100644 --- a/xen/arch/arm/include/asm/irq.h +++ b/xen/arch/arm/include/asm/irq.h @@ -52,7 +52,6 @@ struct arch_irq_desc { extern const unsigned int nr_irqs; #define nr_static_irqs NR_IRQS -#define arch_hwdom_irqs(domid) NR_IRQS struct irq_desc; struct irqaction; diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig index 01c6bea480..d6f3128588 100644 --- a/xen/arch/x86/Kconfig +++ b/xen/arch/x86/Kconfig @@ -26,6 +26,7 @@ config X86 select HAS_PASSTHROUGH select HAS_PCI select HAS_PCI_MSI + select HAS_PIRQ select HAS_SCHED_GRANULARITY select HAS_UBSAN select HAS_VPCI if HVM diff --git a/xen/common/Kconfig b/xen/common/Kconfig index a5c3d5a6bf..cff3166ff9 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -71,6 +71,9 @@ config HAS_IOPORTS config HAS_KEXEC bool +config HAS_PIRQ + bool + config HAS_PMAP bool diff --git a/xen/common/domain.c b/xen/common/domain.c index f6f5574996..1f0d23a1e0 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -350,6 +350,8 @@ static int late_hwdom_init(struct domain *d) #endif } +#ifdef CONFIG_HAS_PIRQ + static unsigned int __read_mostly extra_hwdom_irqs; static unsigned int __read_mostly extra_domU_irqs = 32; @@ -364,6 +366,8 @@ static int __init cf_check parse_extra_guest_irqs(const char *s) } custom_param("extra_guest_irqs", parse_extra_guest_irqs); +#endif /* CONFIG_HAS_PIRQ */ + static int __init cf_check parse_dom0_param(const char *s) { const char *ss; @@ -683,6 +687,7 @@ struct domain *domain_create(domid_t domid, if ( is_system_domain(d) && !is_idle_domain(d) ) return d; +#ifdef CONFIG_HAS_PIRQ if ( !is_idle_domain(d) ) { if ( !is_hardware_domain(d) ) @@ -694,6 +699,7 @@ struct domain *domain_create(domid_t domid, radix_tree_init(&d->pirq_tree); } +#endif if ( (err = arch_domain_create(d, config, flags)) != 0 ) goto fail; @@ -793,7 +799,9 @@ struct domain *domain_create(domid_t domid, { evtchn_destroy(d); evtchn_destroy_final(d); +#ifdef CONFIG_HAS_PIRQ radix_tree_destroy(&d->pirq_tree, free_pirq_struct); +#endif } if ( init_status & INIT_watchdog ) watchdog_domain_destroy(d); @@ -1192,7 +1200,9 @@ static void cf_check complete_domain_destroy(struct rcu_head *head) evtchn_destroy_final(d); +#ifdef CONFIG_HAS_PIRQ radix_tree_destroy(&d->pirq_tree, free_pirq_struct); +#endif xfree(d->vcpu); @@ -2058,6 +2068,8 @@ long do_vm_assist(unsigned int cmd, unsigned int type) } #endif +#ifdef CONFIG_HAS_PIRQ + struct pirq *pirq_get_info(struct domain *d, int pirq) { struct pirq *info = pirq_info(d, pirq); @@ -2087,6 +2099,8 @@ void cf_check free_pirq_struct(void *ptr) call_rcu(&pirq->rcu_head, _free_pirq_struct); } +#endif /* CONFIG_HAS_PIRQ */ + struct migrate_info { long (*func)(void *data); void *data; diff --git a/xen/common/domctl.c b/xen/common/domctl.c index f5a71ee5f7..d94a9dae91 100644 --- a/xen/common/domctl.c +++ b/xen/common/domctl.c @@ -648,6 +648,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) } break; +#ifdef CONFIG_HAS_PIRQ case XEN_DOMCTL_irq_permission: { unsigned int pirq = op->u.irq_permission.pirq, irq; @@ -667,6 +668,7 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl) ret = irq_deny_access(d, irq); break; } +#endif case XEN_DOMCTL_iomem_permission: { diff --git a/xen/common/event_channel.c b/xen/common/event_channel.c index bbfda2538e..20f586cf5e 100644 --- a/xen/common/event_channel.c +++ b/xen/common/event_channel.c @@ -566,6 +566,7 @@ static int evtchn_bind_ipi(evtchn_bind_ipi_t *bind) return rc; } +#ifdef CONFIG_HAS_PIRQ static void link_pirq_port(int port, struct evtchn *chn, struct vcpu *v) { @@ -591,9 +592,11 @@ static void unlink_pirq_port(struct evtchn *chn, struct vcpu *v) chn->u.pirq.prev_port; } +#endif /* CONFIG_HAS_PIRQ */ static int evtchn_bind_pirq(evtchn_bind_pirq_t *bind) { +#ifdef CONFIG_HAS_PIRQ struct evtchn *chn; struct domain *d = current->domain; struct vcpu *v = d->vcpu[0]; @@ -663,6 +666,9 @@ static int evtchn_bind_pirq(evtchn_bind_pirq_t *bind) write_unlock(&d->event_lock); return rc; +#else /* !CONFIG_HAS_PIRQ */ + return -EOPNOTSUPP; +#endif } @@ -695,6 +701,7 @@ int evtchn_close(struct domain *d1, int port1, bool guest) case ECS_UNBOUND: break; +#ifdef CONFIG_HAS_PIRQ case ECS_PIRQ: { struct pirq *pirq = pirq_info(d1, chn1->u.pirq.irq); @@ -704,14 +711,13 @@ int evtchn_close(struct domain *d1, int port1, bool guest) pirq_guest_unbind(d1, pirq); pirq->evtchn = 0; pirq_cleanup_check(pirq, d1); -#ifdef CONFIG_X86 if ( is_hvm_domain(d1) && domain_pirq_to_irq(d1, pirq->pirq) > 0 ) unmap_domain_pirq_emuirq(d1, pirq->pirq); -#endif } unlink_pirq_port(chn1, d1->vcpu[chn1->notify_vcpu_id]); break; } +#endif case ECS_VIRQ: { struct vcpu *v; @@ -1121,6 +1127,8 @@ int evtchn_bind_vcpu(evtchn_port_t port, unsigned int vcpu_id) case ECS_INTERDOMAIN: chn->notify_vcpu_id = v->vcpu_id; break; + +#ifdef CONFIG_HAS_PIRQ case ECS_PIRQ: if ( chn->notify_vcpu_id == v->vcpu_id ) break; @@ -1130,6 +1138,8 @@ int evtchn_bind_vcpu(evtchn_port_t port, unsigned int vcpu_id) cpumask_of(v->processor)); link_pirq_port(port, chn, v); break; +#endif + default: rc = -EINVAL; break; diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 37f5922f32..7c6be0931a 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -439,12 +439,14 @@ struct domain struct grant_table *grant_table; +#ifdef CONFIG_HAS_PIRQ /* * Interrupt to event-channel mappings and other per-guest-pirq data. * Protected by the domain's event-channel spinlock. */ struct radix_tree_root pirq_tree; unsigned int nr_pirqs; +#endif unsigned int options; /* copy of createdomain flags */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 15 05:11:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 15 Mar 2024 05:11:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693630.1081991 (Exim 4.92) (envelope-from ) id 1rkzql-0004G2-3P; Fri, 15 Mar 2024 05:11:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693630.1081991; Fri, 15 Mar 2024 05:11:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzql-0004Fu-0H; Fri, 15 Mar 2024 05:11:23 +0000 Received: by outflank-mailman (input) for mailman id 693630; Fri, 15 Mar 2024 05:11:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqk-0004Fm-3B for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqk-0001ZK-2O for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkzqk-0008GU-1S for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Zcb4zEig60ktsrlaG403tYsUJZ3lguW3YmlbLf/EwOY=; b=NkKDbJAigP92kK6I5Ju329RG1+ VsAHzhsBF9Bmt9sveY6NDwB8cziyNRiAsAAwO/i2JeIlrTBEsyDEyGZ5if1nJKaYDbLRYEUL3R7af X3BHBWz3N+w/6nYq9rQ+n/mHXYa9vBF5OiK3lGm4HU7/n12Ob8dg1YwL+6INDwNqSSzw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/mtrr: address violations of MISRA C:2012 Directive 4.10 Message-Id: Date: Fri, 15 Mar 2024 05:11:22 +0000 commit ec2587ab4b2af90d9ad09e52f081b3f7517e55eb Author: Maria Celeste Cesario AuthorDate: Thu Mar 14 13:52:32 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:52:32 2024 +0100 x86/mtrr: address violations of MISRA C:2012 Directive 4.10 Add inclusion guard to address violations of MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order to prevent the contents of a header file being included more than once"). Mechanical change. Signed-off-by: Maria Celeste Cesario Signed-off-by: Simone Ballarin Acked-by: Jan Beulich --- xen/arch/x86/cpu/mtrr/mtrr.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xen/arch/x86/cpu/mtrr/mtrr.h b/xen/arch/x86/cpu/mtrr/mtrr.h index a9741e0cb0..632bf658be 100644 --- a/xen/arch/x86/cpu/mtrr/mtrr.h +++ b/xen/arch/x86/cpu/mtrr/mtrr.h @@ -1,6 +1,8 @@ /* * local mtrr defines. */ +#ifndef X86_CPU_MTRR_MTRR_H +#define X86_CPU_MTRR_MTRR_H #define MTRR_CHANGE_MASK_FIXED 0x01 #define MTRR_CHANGE_MASK_VARIABLE 0x02 @@ -25,3 +27,5 @@ extern u64 size_or_mask, size_and_mask; extern unsigned int num_var_ranges; void mtrr_state_warn(void); + +#endif /* X86_CPU_MTRR_MTRR_H */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 15 05:11:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 15 Mar 2024 05:11:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693631.1081995 (Exim 4.92) (envelope-from ) id 1rkzqv-0004Iv-5U; Fri, 15 Mar 2024 05:11:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693631.1081995; Fri, 15 Mar 2024 05:11:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqv-0004In-1g; Fri, 15 Mar 2024 05:11:33 +0000 Received: by outflank-mailman (input) for mailman id 693631; Fri, 15 Mar 2024 05:11:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqu-0004IX-60 for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzqu-0001ZR-5D for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkzqu-0008Gx-4U for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=+kEpAMOD6Be6IOvtIEsVfLe7DAUbU/TVEeKQo8/iXwM=; b=Vqjygqikx5Ua5tnpdnWtOEAe4a /uEPAaqL91Xuv3fb5iqYwxghUgWQ+Z9JlZjwVJi1JJdrfL5WA6s74pGDanEy2j8TTjZeZ8B1QMup+ o1VjwTiXtJia9Vprt6RyYyxeRkOXdOu1qnErxFLDyCLdW04Df8mGNECguEu2PefxnW0c=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/lz4: address violations of MISRA C:2012 Directive 4.10 Message-Id: Date: Fri, 15 Mar 2024 05:11:32 +0000 commit 3945b61ddb6b2e9f0226ebe4112d4d81463dfac7 Author: Maria Celeste Cesario AuthorDate: Thu Mar 14 13:52:46 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:52:46 2024 +0100 xen/lz4: address violations of MISRA C:2012 Directive 4.10 Add inclusion guard to address violations of MISRA C:2012 Directive 4.10 ("Precautions shall be taken in order to prevent the contents of a header file being included more than once"). Mechanical change. Signed-off-by: Maria Celeste Cesario Signed-off-by: Simone Ballarin Acked-by: Jan Beulich --- xen/common/lz4/defs.h | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/xen/common/lz4/defs.h b/xen/common/lz4/defs.h index 6d81113266..ecfbf07f83 100644 --- a/xen/common/lz4/defs.h +++ b/xen/common/lz4/defs.h @@ -8,6 +8,9 @@ * published by the Free Software Foundation. */ +#ifndef COMMON_LZ4_DEFS_H +#define COMMON_LZ4_DEFS_H + #ifdef __XEN__ #include #include @@ -166,3 +169,5 @@ typedef struct _U64_S { u64 v; } U64_S; LZ4_WILDCOPY(s, d, e); \ d = e; \ } while (0) + +#endif /* COMMON_LZ4_DEFS_H */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 15 05:11:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 15 Mar 2024 05:11:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693632.1081997 (Exim 4.92) (envelope-from ) id 1rkzr5-0004MH-5k; Fri, 15 Mar 2024 05:11:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693632.1081997; Fri, 15 Mar 2024 05:11:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzr5-0004M9-39; Fri, 15 Mar 2024 05:11:43 +0000 Received: by outflank-mailman (input) for mailman id 693632; Fri, 15 Mar 2024 05:11:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzr4-0004M3-92 for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzr4-0001b9-8H for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkzr4-0008HQ-7N for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=sIqh7dP4GM4brXex0WIlkY2X7fna3yaKoMDSld36Fao=; b=WFLtFlLqGElku9jTv80KCA0pMM K7z1hbMyOvPPm7Fs+lLXHa+2nEdm4LZy7xAvC1YjqZx2fg+kzYR73/oQMYo3MUU+O6VENSA/GBw1R h+XvLoDl+/UR3MOKM3v0p41gVOH8S3eVzYKiiHkfchN1yypc0kWhqe+6SUmROtHkJJ+U=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/compiler: deviate the inline macro for MISRA C Rule 20.4 Message-Id: Date: Fri, 15 Mar 2024 05:11:42 +0000 commit d2686bf96483668b826b6a428679ba03402d4a52 Author: Nicola Vetrini AuthorDate: Thu Mar 14 13:54:14 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:54:14 2024 +0100 xen/compiler: deviate the inline macro for MISRA C Rule 20.4 Rule 20.4 states: "A macro shall not be defined with the same name as a keyword". Defining this macro with the same name as the inline keyword allows for additionally checking that out-of-lined static inline functions end up in the correct section while minimizing churn and has a positive impact on the overall safety. See [1] for additional context on the motivation of this deviation. No functional change. [1] https://lore.kernel.org/xen-devel/adaa6d55-266d-4df8-8967-9340080d17e4@citrix.com/ Signed-off-by: Nicola Vetrini --- docs/misra/deviations.rst | 6 ++++++ docs/misra/safe.json | 8 ++++++++ xen/include/xen/compiler.h | 1 + 3 files changed, 15 insertions(+) diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst index 6d532a872d..41fa5b31b0 100644 --- a/docs/misra/deviations.rst +++ b/docs/misra/deviations.rst @@ -328,6 +328,12 @@ Deviations related to MISRA C:2012 Rules: improve readability. - Tagged as `deliberate` for ECLAIR. + * - R20.4 + - The override of the keyword \"inline\" in xen/compiler.h is present so + that section contents checks pass when the compiler chooses not to + inline a particular function. + - Comment-based deviation. + * - R20.7 - Code violating Rule 20.7 is safe when macro parameters are used: (1) as function arguments; diff --git a/docs/misra/safe.json b/docs/misra/safe.json index 952324f85c..d361d0e65c 100644 --- a/docs/misra/safe.json +++ b/docs/misra/safe.json @@ -28,6 +28,14 @@ }, { "id": "SAF-3-safe", + "analyser": { + "eclair": "MC3R1.R20.4" + }, + "name": "MC3R1.R20.4: allow the definition of a macro with the same name as a keyword in some special cases", + "text": "The definition of a macro with the same name as a keyword can be useful in certain configurations to improve the guarantees that can be provided by Xen. See docs/misra/deviations.rst for a precise rationale for all such cases." + }, + { + "id": "SAF-4-safe", "analyser": {}, "name": "Sentinel", "text": "Next ID to be used" diff --git a/xen/include/xen/compiler.h b/xen/include/xen/compiler.h index 16d554f2a5..fc87a2edad 100644 --- a/xen/include/xen/compiler.h +++ b/xen/include/xen/compiler.h @@ -82,6 +82,7 @@ * inline functions not expanded inline get placed in .init.text. */ #include +/* SAF-3-safe MISRA C Rule 20.4: allow section checks to pass when not inlined */ #define inline inline __init #endif -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 15 05:11:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 15 Mar 2024 05:11:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693633.1082001 (Exim 4.92) (envelope-from ) id 1rkzrF-0004PR-7d; Fri, 15 Mar 2024 05:11:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693633.1082001; Fri, 15 Mar 2024 05:11:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzrF-0004PJ-4X; Fri, 15 Mar 2024 05:11:53 +0000 Received: by outflank-mailman (input) for mailman id 693633; Fri, 15 Mar 2024 05:11:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzrE-0004P7-CH for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzrE-0001bd-BS for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkzrE-0008Hr-Ak for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:11:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=z21ZujeHnVcAviXCvso1xO7B+qxadMURJXbat8btC/g=; b=Km7hL6McOMYEHoi84/2H4vYsU7 Ryf3EBIY6w2tBngfcUPGChpIzplDdCO3beFjxc+ecBSCBWiIYhC9jSzVykKjf1ysanb2ihpUQ5bDn wQweN5im2IKJKx9bXT9Z8RAhBTgj2j5xSUYqCcyoj0f6mhw33OvV2iDy3OddEYh6LvkM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/svm: Drop the _enabled suffix from vmcb bits Message-Id: Date: Fri, 15 Mar 2024 05:11:52 +0000 commit a6081d0176d558a96678430d9f0602e5918cd0de Author: Vaishali Thakkar AuthorDate: Thu Mar 14 13:54:43 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:54:43 2024 +0100 x86/svm: Drop the _enabled suffix from vmcb bits The suffix is redundant for np/sev/sev-es bits. Drop it to avoid adding extra code volume. Also, while we're here, drop the double negations in one of the instances of _np bit, replace 0/1 with false/true in the use cases of _np and use VMCB accessors instead of open coding. Suggested-by: Andrew Cooper Signed-off-by: Vaishali Thakkar Reviewed-by: Andrew Cooper --- xen/arch/x86/hvm/svm/nestedsvm.c | 14 +++++++------- xen/arch/x86/hvm/svm/svm.c | 2 +- xen/arch/x86/hvm/svm/vmcb.c | 2 +- xen/arch/x86/include/asm/hvm/svm/vmcb.h | 20 ++++++++++---------- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/xen/arch/x86/hvm/svm/nestedsvm.c b/xen/arch/x86/hvm/svm/nestedsvm.c index e4e01add8c..07630d74d3 100644 --- a/xen/arch/x86/hvm/svm/nestedsvm.c +++ b/xen/arch/x86/hvm/svm/nestedsvm.c @@ -571,7 +571,7 @@ static int nsvm_vmcb_prepare4vmrun(struct vcpu *v, struct cpu_user_regs *regs) if ( nestedhvm_paging_mode_hap(v) ) { /* host nested paging + guest nested paging. */ - n2vmcb->_np_enable = 1; + vmcb_set_np(n2vmcb, true); nestedsvm_vmcb_set_nestedp2m(v, ns_vmcb, n2vmcb); @@ -585,7 +585,7 @@ static int nsvm_vmcb_prepare4vmrun(struct vcpu *v, struct cpu_user_regs *regs) else if ( paging_mode_hap(v->domain) ) { /* host nested paging + guest shadow paging. */ - n2vmcb->_np_enable = 1; + vmcb_set_np(n2vmcb, true); /* Keep h_cr3 as it is. */ n2vmcb->_h_cr3 = n1vmcb->_h_cr3; /* When l1 guest does shadow paging @@ -601,7 +601,7 @@ static int nsvm_vmcb_prepare4vmrun(struct vcpu *v, struct cpu_user_regs *regs) else { /* host shadow paging + guest shadow paging. */ - n2vmcb->_np_enable = 0; + vmcb_set_np(n2vmcb, false); n2vmcb->_h_cr3 = 0x0; /* TODO: Once shadow-shadow paging is in place come back to here @@ -706,7 +706,7 @@ nsvm_vcpu_vmentry(struct vcpu *v, struct cpu_user_regs *regs, } /* nested paging for the guest */ - svm->ns_hap_enabled = !!ns_vmcb->_np_enable; + svm->ns_hap_enabled = vmcb_get_np(ns_vmcb); /* Remember the V_INTR_MASK in hostflags */ svm->ns_hostflags.fields.vintrmask = !!ns_vmcb->_vintr.fields.intr_masking; @@ -1084,7 +1084,7 @@ nsvm_vmcb_prepare4vmexit(struct vcpu *v, struct cpu_user_regs *regs) if ( nestedhvm_paging_mode_hap(v) ) { /* host nested paging + guest nested paging. */ - ns_vmcb->_np_enable = n2vmcb->_np_enable; + vmcb_set_np(ns_vmcb, vmcb_get_np(n2vmcb)); ns_vmcb->_cr3 = n2vmcb->_cr3; /* The vmcb->h_cr3 is the shadowed h_cr3. The original * unshadowed guest h_cr3 is kept in ns_vmcb->h_cr3, @@ -1093,7 +1093,7 @@ nsvm_vmcb_prepare4vmexit(struct vcpu *v, struct cpu_user_regs *regs) else if ( paging_mode_hap(v->domain) ) { /* host nested paging + guest shadow paging. */ - ns_vmcb->_np_enable = 0; + vmcb_set_np(ns_vmcb, false); /* Throw h_cr3 away. Guest is not allowed to set it or * it can break out, otherwise (security hole!) */ ns_vmcb->_h_cr3 = 0x0; @@ -1104,7 +1104,7 @@ nsvm_vmcb_prepare4vmexit(struct vcpu *v, struct cpu_user_regs *regs) else { /* host shadow paging + guest shadow paging. */ - ns_vmcb->_np_enable = 0; + vmcb_set_np(ns_vmcb, false); ns_vmcb->_h_cr3 = 0x0; /* The vmcb->_cr3 is the shadowed cr3. The original * unshadowed guest cr3 is kept in ns_vmcb->_cr3, diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index b551eac807..b1ab0b568b 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -473,7 +473,7 @@ static int svm_vmcb_restore(struct vcpu *v, struct hvm_hw_cpu *c) if ( paging_mode_hap(v->domain) ) { - vmcb_set_np_enable(vmcb, 1); + vmcb_set_np(vmcb, true); vmcb_set_g_pat(vmcb, MSR_IA32_CR_PAT_RESET /* guest PAT */); vmcb_set_h_cr3(vmcb, pagetable_get_paddr(p2m_get_pagetable(p2m))); } diff --git a/xen/arch/x86/hvm/svm/vmcb.c b/xen/arch/x86/hvm/svm/vmcb.c index 282fe7cdbe..4e1f61dbe0 100644 --- a/xen/arch/x86/hvm/svm/vmcb.c +++ b/xen/arch/x86/hvm/svm/vmcb.c @@ -133,7 +133,7 @@ static int construct_vmcb(struct vcpu *v) if ( paging_mode_hap(v->domain) ) { - vmcb->_np_enable = 1; /* enable nested paging */ + vmcb_set_np(vmcb, true); /* enable nested paging */ vmcb->_g_pat = MSR_IA32_CR_PAT_RESET; /* guest PAT */ vmcb->_h_cr3 = pagetable_get_paddr( p2m_get_pagetable(p2m_get_hostp2m(v->domain))); diff --git a/xen/arch/x86/include/asm/hvm/svm/vmcb.h b/xen/arch/x86/include/asm/hvm/svm/vmcb.h index 91221ff4e2..bf2b8d9a94 100644 --- a/xen/arch/x86/include/asm/hvm/svm/vmcb.h +++ b/xen/arch/x86/include/asm/hvm/svm/vmcb.h @@ -385,7 +385,7 @@ typedef union bool iopm:1; /* 1: iopm_base_pa, msrpm_base_pa */ bool asid:1; /* 2: guest_asid */ bool tpr:1; /* 3: vintr */ - bool np:1; /* 4: np_enable, h_cr3, g_pat */ + bool np:1; /* 4: np, h_cr3, g_pat */ bool cr:1; /* 5: cr0, cr3, cr4, efer */ bool dr:1; /* 6: dr6, dr7 */ bool dt:1; /* 7: gdtr, idtr */ @@ -473,12 +473,12 @@ struct vmcb_struct { intinfo_t exit_int_info; /* offset 0x88 */ union { /* offset 0x90 - cleanbit 4 */ struct { - bool _np_enable :1; - bool _sev_enable :1; - bool _sev_es_enable :1; - bool _gmet :1; - bool _np_sss :1; - bool _vte :1; + bool _np :1; + bool _sev :1; + bool _sev_es :1; + bool _gmet :1; + bool _np_sss :1; + bool _vte :1; }; uint64_t _np_ctrl; }; @@ -645,9 +645,9 @@ VMCB_ACCESSORS(msrpm_base_pa, iopm) VMCB_ACCESSORS(guest_asid, asid) VMCB_ACCESSORS(vintr, tpr) VMCB_ACCESSORS(np_ctrl, np) -VMCB_ACCESSORS_(np_enable, bool, np) -VMCB_ACCESSORS_(sev_enable, bool, np) -VMCB_ACCESSORS_(sev_es_enable, bool, np) +VMCB_ACCESSORS_(np, bool, np) +VMCB_ACCESSORS_(sev, bool, np) +VMCB_ACCESSORS_(sev_es, bool, np) VMCB_ACCESSORS_(gmet, bool, np) VMCB_ACCESSORS_(vte, bool, np) VMCB_ACCESSORS(h_cr3, np) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 15 05:12:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 15 Mar 2024 05:12:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693634.1082006 (Exim 4.92) (envelope-from ) id 1rkzrP-0004SU-9H; Fri, 15 Mar 2024 05:12:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693634.1082006; Fri, 15 Mar 2024 05:12:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzrP-0004SL-68; Fri, 15 Mar 2024 05:12:03 +0000 Received: by outflank-mailman (input) for mailman id 693634; Fri, 15 Mar 2024 05:12:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzrO-0004SB-Fi for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:12:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzrO-0001by-E8 for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:12:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkzrO-0008JI-DX for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:12:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QSY77X6HoRFb9+tgbbErs4FQ9U2Hp0083phHKwjnMXU=; b=DyLOIxQ+lvqPgQ4x7pbQyMg6ty Xqrnb4IYR2geGU4cLNKdC2f0tbxTOXEze6S7aamUIj9uoxGHi02/MHFLOcWbtqW9+TqB81XNfRj97 fZKEIOvXYAa5Z7IAkouccZRQNSy/Oxr4pAzph7A9vYKWl31mOHZ+9dgJk49/ww9gb5sQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] MAINTAINERS: Remove myself from several subsystems Message-Id: Date: Fri, 15 Mar 2024 05:12:02 +0000 commit 70e549fd4482f5f5e5bad12ea9832dd86b4a1b1e Author: Paul Durrant AuthorDate: Thu Mar 14 13:55:11 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:55:11 2024 +0100 MAINTAINERS: Remove myself from several subsystems I am not as actively involved with the Xen project as I once was so I need to relinquish some of my maintainer responsibilities: IOMMU and I/O emulation. NOTE: Since I am sole maintainer for I/O EMULATION (IOREQ) and X86 I/O EMULATION, these sections are removed. Signed-off-by: Paul Durrant Acked-by: Stefano Stabellini --- MAINTAINERS | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 56a6932037..b2cc3cc392 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -358,7 +358,6 @@ F: xen/drivers/passthrough/vtd/ IOMMU VENDOR INDEPENDENT CODE M: Jan Beulich -M: Paul Durrant R: Roger Pau Monné S: Supported F: xen/drivers/passthrough/ @@ -368,13 +367,6 @@ X: xen/drivers/passthrough/vtd/ X: xen/drivers/passthrough/device_tree.c F: xen/include/xen/iommu.h -I/O EMULATION (IOREQ) -M: Paul Durrant -S: Supported -F: xen/common/ioreq.c -F: xen/include/xen/ioreq.h -F: xen/include/public/hvm/ioreq.h - KCONFIG M: Doug Goldstein S: Supported @@ -608,18 +600,6 @@ F: tools/misc/xen-cpuid.c F: tools/tests/cpu-policy/ F: tools/tests/x86_emulator/ -X86 I/O EMULATION -M: Paul Durrant -S: Supported -F: xen/arch/x86/hvm/emulate.c -F: xen/arch/x86/hvm/intercept.c -F: xen/arch/x86/hvm/io.c -F: xen/arch/x86/hvm/ioreq.c -F: xen/arch/x86/include/asm/hvm/emulate.h -F: xen/arch/x86/include/asm/hvm/io.h -F: xen/arch/x86/include/asm/hvm/ioreq.h -F: xen/arch/x86/include/asm/ioreq.h - X86 MEMORY MANAGEMENT M: Jan Beulich M: Andrew Cooper -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 15 05:12:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 15 Mar 2024 05:12:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693635.1082009 (Exim 4.92) (envelope-from ) id 1rkzra-0004VK-AH; Fri, 15 Mar 2024 05:12:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693635.1082009; Fri, 15 Mar 2024 05:12:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzra-0004VD-7a; Fri, 15 Mar 2024 05:12:14 +0000 Received: by outflank-mailman (input) for mailman id 693635; Fri, 15 Mar 2024 05:12:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzrY-0004V2-Hn for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:12:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzrY-0001c6-H0 for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:12:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkzrY-0008Jw-GH for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:12:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=v+79WwSTNG88bBgMvsuBw934C/lByidFzXxhB2L2Qns=; b=llBaWP4We9QMfvZaCghnLMwrf8 lQaHZ8wN2aElSjoaeHUfrXmJNIyXumNF+/xQFctdyxTK1oejOUJtUwkdctBpdY7UqAWu/lRC/HIP4 CzKzKJUplNwCXh+MSHSz5h6QbhIhu1zI2IgtappdCKbAb9SROVArWtcn7eZru9Jwwn4M=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen: avoid grep fodder define and undef Message-Id: Date: Fri, 15 Mar 2024 05:12:12 +0000 commit 68e008db0cc04f2a829e8fa03bc3433afd0a01f4 Author: Federico Serafini AuthorDate: Thu Mar 14 13:55:27 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:55:27 2024 +0100 xen: avoid grep fodder define and undef Place an "#if 0" before grep fodder #define-s and remove the #undef-s. This addresses violations of MISRA C:2012 Rules 20.5 ("#undef should not be used") and 5.5 ("Identifiers shall be distinct from macro names"). No functional change. Signed-off-by: Federico Serafini Acked-by: Andrew Cooper --- xen/include/xen/iommu.h | 5 +---- xen/include/xen/mm-frame.h | 15 +++------------ 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/xen/include/xen/iommu.h b/xen/include/xen/iommu.h index 9621459c63..ef57f31417 100644 --- a/xen/include/xen/iommu.h +++ b/xen/include/xen/iommu.h @@ -33,13 +33,10 @@ TYPE_SAFE(uint64_t, dfn); #define PRI_dfn PRIx64 #define INVALID_DFN _dfn(~0ULL) -#ifndef dfn_t +#if 0 #define dfn_t /* Grep fodder: dfn_t, _dfn() and dfn_x() are defined above */ #define _dfn #define dfn_x -#undef dfn_t -#undef _dfn -#undef dfn_x #endif static inline dfn_t __must_check dfn_add(dfn_t dfn, unsigned long i) diff --git a/xen/include/xen/mm-frame.h b/xen/include/xen/mm-frame.h index c25e836f25..d973aec901 100644 --- a/xen/include/xen/mm-frame.h +++ b/xen/include/xen/mm-frame.h @@ -14,13 +14,10 @@ TYPE_SAFE(unsigned long, mfn); */ #define INVALID_MFN_INITIALIZER { INVALID_MFN_RAW } -#ifndef mfn_t +#if 0 #define mfn_t /* Grep fodder: mfn_t, _mfn() and mfn_x() are defined above */ #define _mfn #define mfn_x -#undef mfn_t -#undef _mfn -#undef mfn_x #endif static inline mfn_t __must_check mfn_add(mfn_t mfn, unsigned long i) @@ -53,13 +50,10 @@ TYPE_SAFE(unsigned long, gfn); */ #define INVALID_GFN_INITIALIZER { INVALID_GFN_RAW } -#ifndef gfn_t +#if 0 #define gfn_t /* Grep fodder: gfn_t, _gfn() and gfn_x() are defined above */ #define _gfn #define gfn_x -#undef gfn_t -#undef _gfn -#undef gfn_x #endif static inline gfn_t __must_check gfn_add(gfn_t gfn, unsigned long i) @@ -85,13 +79,10 @@ static inline bool gfn_eq(gfn_t x, gfn_t y) TYPE_SAFE(unsigned long, pfn); #define PRI_pfn "05lx" -#ifndef pfn_t +#if 0 #define pfn_t /* Grep fodder: pfn_t, _pfn() and pfn_x() are defined above */ #define _pfn #define pfn_x -#undef pfn_t -#undef _pfn -#undef pfn_x #endif #endif /* __XEN_FRAME_NUM_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 15 05:12:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 15 Mar 2024 05:12:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.693636.1082012 (Exim 4.92) (envelope-from ) id 1rkzrk-0004Y3-Bx; Fri, 15 Mar 2024 05:12:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 693636.1082012; Fri, 15 Mar 2024 05:12:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzrk-0004Xw-9F; Fri, 15 Mar 2024 05:12:24 +0000 Received: by outflank-mailman (input) for mailman id 693636; Fri, 15 Mar 2024 05:12:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzri-0004Xk-Ki for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:12:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rkzri-0001cD-Jo for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:12:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rkzri-0008M7-J7 for xen-changelog@lists.xenproject.org; Fri, 15 Mar 2024 05:12:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fWu10TkmLZeO6Co3BM30KFs6M6IgpN6CQ+tvKa02LCk=; b=1S88CCnkcqDbLOKtEu8OBBCmtD Iq2gI50J1IWws4nltJXDCcPW5KckNqO6E3ZJdvxgEzWRdTLqmS93ZIkkvPQiYoTxpiIf7W/42z093 nmmzuzbL/KEpXCah1FTRMFgLfiUqbYtzOa/Kdn7YiRQ0f3WsBLRn1YlcMWFsFOfWIVSM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/spinlock: remove misra rule 21.1 violations Message-Id: Date: Fri, 15 Mar 2024 05:12:22 +0000 commit af7fed3fdf82981ebbb09628b278df957569333d Author: Juergen Gross AuthorDate: Thu Mar 14 13:55:55 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 14 13:55:55 2024 +0100 xen/spinlock: remove misra rule 21.1 violations In xen spinlock code there are several violations of MISRA rule 21.1 (identifiers starting with "__" or "_[A-Z]"). Fix them by using trailing underscores instead. Signed-off-by: Juergen Gross Acked-by: Jan Beulich --- xen/include/xen/spinlock.h | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index e351fc9995..8a443efc19 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -22,7 +22,7 @@ union lock_debug { bool unseen:1; }; }; -#define _LOCK_DEBUG { .val = LOCK_DEBUG_INITVAL } +#define LOCK_DEBUG_ { .val = LOCK_DEBUG_INITVAL } void check_lock(union lock_debug *debug, bool try); void lock_enter(const union lock_debug *debug); void lock_exit(const union lock_debug *debug); @@ -30,7 +30,7 @@ void spin_debug_enable(void); void spin_debug_disable(void); #else union lock_debug { }; -#define _LOCK_DEBUG { } +#define LOCK_DEBUG_ { } #define check_lock(l, t) ((void)0) #define lock_enter(l) ((void)0) #define lock_exit(l) ((void)0) @@ -95,27 +95,27 @@ struct lock_profile_qhead { int32_t idx; /* index for printout */ }; -#define _LOCK_PROFILE(lockname) { .name = #lockname, .lock = &(lockname), } -#define _LOCK_PROFILE_PTR(name) \ - static struct lock_profile * const __lock_profile_##name \ +#define LOCK_PROFILE_(lockname) { .name = #lockname, .lock = &(lockname), } +#define LOCK_PROFILE_PTR_(name) \ + static struct lock_profile * const lock_profile__##name \ __used_section(".lockprofile.data") = \ - &__lock_profile_data_##name -#define _SPIN_LOCK_UNLOCKED(x) { \ + &lock_profile_data__##name +#define SPIN_LOCK_UNLOCKED_(x) { \ .recurse_cpu = SPINLOCK_NO_CPU, \ - .debug =_LOCK_DEBUG, \ + .debug = LOCK_DEBUG_, \ .profile = x, \ } -#define SPIN_LOCK_UNLOCKED _SPIN_LOCK_UNLOCKED(NULL) +#define SPIN_LOCK_UNLOCKED SPIN_LOCK_UNLOCKED_(NULL) #define DEFINE_SPINLOCK(l) \ - spinlock_t l = _SPIN_LOCK_UNLOCKED(NULL); \ - static struct lock_profile __lock_profile_data_##l = _LOCK_PROFILE(l); \ - _LOCK_PROFILE_PTR(l) + spinlock_t l = SPIN_LOCK_UNLOCKED_(NULL); \ + static struct lock_profile lock_profile_data__##l = LOCK_PROFILE_(l); \ + LOCK_PROFILE_PTR_(l) #define spin_lock_init_prof(s, l) \ do { \ struct lock_profile *prof; \ prof = xzalloc(struct lock_profile); \ - (s)->l = (spinlock_t)_SPIN_LOCK_UNLOCKED(prof); \ + (s)->l = (spinlock_t)SPIN_LOCK_UNLOCKED_(prof); \ if ( !prof ) \ { \ printk(XENLOG_WARNING \ @@ -149,7 +149,7 @@ struct lock_profile_qhead { }; #define SPIN_LOCK_UNLOCKED { \ .recurse_cpu = SPINLOCK_NO_CPU, \ - .debug =_LOCK_DEBUG, \ + .debug = LOCK_DEBUG_, \ } #define DEFINE_SPINLOCK(l) spinlock_t l = SPIN_LOCK_UNLOCKED -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Sat Mar 16 01:22:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 16 Mar 2024 01:22:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694126.1083033 (Exim 4.92) (envelope-from ) id 1rlIkM-0000v9-MQ; Sat, 16 Mar 2024 01:22:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694126.1083033; Sat, 16 Mar 2024 01:22:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkM-0000v1-JG; Sat, 16 Mar 2024 01:22:02 +0000 Received: by outflank-mailman (input) for mailman id 694126; Sat, 16 Mar 2024 01:22:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkL-0000uv-Om for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkL-0000Jo-Ni for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rlIkL-0002Gr-Lb for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=drrYK2sn+MHfPGHQhTa24asF0KE+C7laeLJIm57uXwI=; b=DSNlcwRzHCWQRapbPJ2+ew9AUm PJpkU0pvSxKwkoH1QjGSBx0lCkrZ7MIHBxQf+vWuZH6lvrkN5u9QmNL4C+hNiX/3ifoyv8ibbOoZB 2ypLkxbtHU/UMa6kBDJIx3eMddFR2PvsaUFaqazMZC48+DbjpiGgJiJzARXymFlwMTHI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option Message-Id: Date: Sat, 16 Mar 2024 01:22:01 +0000 commit bd06cf74fccc065ea67e9dd8c31e70abad1f0507 Author: Ayan Kumar Halder AuthorDate: Thu Mar 7 12:39:41 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 14 13:04:25 2024 +0000 xen/arm: Introduce CONFIG_PARTIAL_EMULATION and "partial-emulation" cmd option There can be situations when the registers cannot be emulated to their full functionality. This can be due to the complexity involved. In such cases, one can emulate those registers as RAZ/WI for example. We call them as partial emulation. Some registers are non-optional and as such there is nothing preventing an OS from accessing them. Instead of injecting undefined exception (which might result in crashing a guest), one may want to prefer a partial emulation to let the guest running (in some cases accepting the fact that it might result in unwanted behavior). A suitable example of this (as seen in subsequent patches) is emulation of DBGDTRTX_EL0 (on Arm64) and DBGDTRTXINT(on Arm32). These non-optional registers can be emulated as RAZ/WI and they can be enclosed within CONFIG_PARTIAL_EMULATION. Further, "partial-emulation" command line option allows us to enable/disable partial emulation at run time. While CONFIG_PARTIAL_EMULATION enables support for partial emulation at compile time (i.e. adds code for partial emulation), this option may be enabled or disabled by Yocto or other build systems. However if the build system turns this option on, users can use scripts like Imagebuilder to generate uboot-script which will append "partial-emulation=true" to xen command line to turn on the partial emulation. Thus, it helps to avoid rebuilding xen. By default, "CONFIG_PARTIAL_EMULATION=y" and "partial-emulation=false". This is done so that Xen supports partial emulation. However, customers are fully aware when they enable partial emulation. It's important to note that enabling such support might result in unwanted/non-spec compliant behavior. Added a note in SUPPORT.md to clarify the security support for partial emulation. Signed-off-by: Ayan Kumar Halder Signed-off-by: Michal Orzel Acked-by: Julien Grall --- SUPPORT.md | 9 +++++++++ docs/misc/xen-command-line.pandoc | 11 +++++++++++ xen/arch/arm/Kconfig | 9 +++++++++ xen/arch/arm/include/asm/traps.h | 6 ++++++ xen/arch/arm/traps.c | 9 +++++++++ 5 files changed, 44 insertions(+) diff --git a/SUPPORT.md b/SUPPORT.md index 510bb02190..ad74f5a329 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -102,6 +102,15 @@ Extension to the GICv3 interrupt controller to support MSI. Status: Experimental +### ARM/Partial Emulation + +Enable partial emulation of registers, otherwise considered unimplemented, +that would normally trigger a fault injection. + + Status: Supported, with caveats + +Only the following system registers are security supported: + ### ARM Scalable Vector Extension (SVE/SVE2) Arm64 domains can use Scalable Vector Extension (SVE/SVE2). diff --git a/docs/misc/xen-command-line.pandoc b/docs/misc/xen-command-line.pandoc index 04f1415fc3..14cafb462a 100644 --- a/docs/misc/xen-command-line.pandoc +++ b/docs/misc/xen-command-line.pandoc @@ -1942,6 +1942,17 @@ This option is ignored in **pv-shim** mode. > Default: `on` +### partial-emulation (arm) +> `= ` + +> Default: `false` + +Flag to enable or disable partial emulation of system/coprocessor registers. +Only effective if CONFIG_PARTIAL_EMULATION is enabled. + +**WARNING: Enabling this option might result in unwanted/non-spec compliant +behavior.** + ### pci = List of [ serr=, perr= ] diff --git a/xen/arch/arm/Kconfig b/xen/arch/arm/Kconfig index 40f834bb71..f8139a773a 100644 --- a/xen/arch/arm/Kconfig +++ b/xen/arch/arm/Kconfig @@ -234,6 +234,15 @@ config STATIC_EVTCHN This option enables establishing static event channel communication between domains on a dom0less system (domU-domU as well as domU-dom0). +config PARTIAL_EMULATION + bool "Enable partial emulation of system/coprocessor registers" + default y + help + This option enables partial emulation of registers to prevent possible + guests crashing when accessing registers which are not optional but have + not been emulated to their complete functionality. Enabling this might + result in unwanted/non-spec compliant behavior. + endmenu menu "ARM errata workaround via the alternative framework" diff --git a/xen/arch/arm/include/asm/traps.h b/xen/arch/arm/include/asm/traps.h index 883dae368e..9a60dbf70e 100644 --- a/xen/arch/arm/include/asm/traps.h +++ b/xen/arch/arm/include/asm/traps.h @@ -10,6 +10,12 @@ # include #endif +#ifdef CONFIG_PARTIAL_EMULATION +extern bool partial_emulation; +#else +#define partial_emulation false +#endif + /* * GUEST_BUG_ON is intended for checking that the guest state has not been * corrupted in hardware and/or that the hardware behaves as we diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index 8ddca643d4..9cffe7f790 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -43,6 +43,15 @@ #include #include +/* + * partial_emulation: If true, partial emulation for system/coprocessor + * registers will be enabled. + */ +#ifdef CONFIG_PARTIAL_EMULATION +bool __ro_after_init partial_emulation = false; +boolean_param("partial-emulation", partial_emulation); +#endif + /* The base of the stack must always be double-word aligned, which means * that both the kernel half of struct cpu_user_regs (which is pushed in * entry.S) and struct cpu_info (which lives at the bottom of a Xen -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Sat Mar 16 01:22:12 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 16 Mar 2024 01:22:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694127.1083037 (Exim 4.92) (envelope-from ) id 1rlIkW-0000x6-NM; Sat, 16 Mar 2024 01:22:12 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694127.1083037; Sat, 16 Mar 2024 01:22:12 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkW-0000wz-Ko; Sat, 16 Mar 2024 01:22:12 +0000 Received: by outflank-mailman (input) for mailman id 694127; Sat, 16 Mar 2024 01:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkV-0000wr-V2 for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkV-0000Jt-TY for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rlIkV-0002HV-Q0 for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RL91e0g/evm7fyAg7Kg1//PhiiGU7cvMreA//CKjTDg=; b=qS6p1n2Ci9nNZW3yUPflyl4FFg RE29cXWaifxSDORIMjrD48HDtNpRAdCDbD3QTzZWNMAEbh6Q4McTgk7UViwRkRxG4hS4Zsq1VhP+a nZn9X9ni5hBXDU81mtg2Z2OhDafMTlIDbV2jGUMLg7P4vOBklzq9AIuFJXPVac0uvXg4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: arm64: Add emulation of Debug Data Transfer Registers Message-Id: Date: Sat, 16 Mar 2024 01:22:11 +0000 commit 43c416d0d81957229b5b5d73be694fb1ba149a3e Author: Michal Orzel AuthorDate: Thu Mar 7 12:39:42 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 14 13:04:25 2024 +0000 xen/arm: arm64: Add emulation of Debug Data Transfer Registers Currently, if user enables HVC_DCC config option in Linux, it invokes access to debug data transfer registers (i.e. DBGDTRTX_EL0 on arm64, DBGDTRTXINT on arm32). As these registers are not emulated, Xen injects an undefined exception to the guest and Linux crashes. To prevent this crash, introduce a partial emulation of DBGDTR[TR]X_EL0 (these registers share the same encoding) as RAZ/WI and MDCCSR_EL0 as TXfull. Refer ARM DDI 0487J.a ID042523, D19.3.8, DBGDTRTX_EL0 "If TXfull is set to 1, set DTRRX and DTRTX to UNKNOWN". Thus, any OS is expected to read MDCCSR_EL0 and check for TXfull before using DBGDTRTX_EL0. Linux does it via hvc_dcc_init() ---> hvc_dcc_check(), and returns -ENODEV in case TXfull bit is still set after writing a test character. This way we prevent the guest from making use of HVC DCC as a console. Signed-off-by: Michal Orzel Signed-off-by: Ayan Kumar Halder Acked-by: Julien Grall --- SUPPORT.md | 5 +++ xen/arch/arm/arm64/vsysreg.c | 69 +++++++++++++++++++++++++----------- xen/arch/arm/include/asm/arm64/hsr.h | 3 ++ 3 files changed, 56 insertions(+), 21 deletions(-) diff --git a/SUPPORT.md b/SUPPORT.md index ad74f5a329..465f6527c9 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -111,6 +111,11 @@ that would normally trigger a fault injection. Only the following system registers are security supported: + MDCCSR_EL0 + DBGDTR_EL0 + DBGDTRTX_EL0 + DBGDTRRX_EL0 + ### ARM Scalable Vector Extension (SVE/SVE2) Arm64 domains can use Scalable Vector Extension (SVE/SVE2). diff --git a/xen/arch/arm/arm64/vsysreg.c b/xen/arch/arm/arm64/vsysreg.c index b5d54c569b..c73b2c95ce 100644 --- a/xen/arch/arm/arm64/vsysreg.c +++ b/xen/arch/arm/arm64/vsysreg.c @@ -82,6 +82,7 @@ TVM_REG(CONTEXTIDR_EL1) void do_sysreg(struct cpu_user_regs *regs, const union hsr hsr) { + const struct hsr_sysreg sysreg = hsr.sysreg; int regidx = hsr.sysreg.reg; struct vcpu *v = current; @@ -159,9 +160,6 @@ void do_sysreg(struct cpu_user_regs *regs, * * Unhandled: * MDCCINT_EL1 - * DBGDTR_EL0 - * DBGDTRRX_EL0 - * DBGDTRTX_EL0 * OSDTRRX_EL1 * OSDTRTX_EL1 * OSECCR_EL1 @@ -171,12 +169,42 @@ void do_sysreg(struct cpu_user_regs *regs, */ case HSR_SYSREG_MDSCR_EL1: return handle_raz_wi(regs, regidx, hsr.sysreg.read, hsr, 1); + + /* + * Xen doesn't expose a real (or emulated) Debug Communications Channel + * (DCC) to a domain. Yet the Arm ARM implies this is not an optional + * feature. So some domains may start to probe it. For instance, the + * HVC_DCC driver in Linux (since f377775dc083 and at least up to v6.7), + * will try to write some characters and check if the transmit buffer + * has emptied. + */ case HSR_SYSREG_MDCCSR_EL0: /* + * By setting TX status bit (only if partial emulation is enabled) to + * indicate the transmit buffer is full, we would hint the OS that the + * DCC is probably not working. + * + * Bit 29: TX full + * * Accessible at EL0 only if MDSCR_EL1.TDCC is set to 0. We emulate that * register as RAZ/WI above. So RO at both EL0 and EL1. */ - return handle_ro_raz(regs, regidx, hsr.sysreg.read, hsr, 0); + return handle_ro_read_val(regs, regidx, hsr.sysreg.read, hsr, 0, + partial_emulation ? (1U << 29) : 0); + + case HSR_SYSREG_DBGDTR_EL0: + /* DBGDTR[TR]X_EL0 share the same encoding */ + case HSR_SYSREG_DBGDTRTX_EL0: + /* + * Emulate as RAZ/WI (only if partial emulation is enabled) to prevent + * injecting undefined exception. + * Accessible at EL0 only if MDSCR_EL1.TDCC is set to 0. We emulate that + * register as RAZ/WI. + */ + if ( !partial_emulation ) + goto fail; + return handle_raz_wi(regs, regidx, hsr.sysreg.read, hsr, 0); + HSR_SYSREG_DBG_CASES(DBGBVR): HSR_SYSREG_DBG_CASES(DBGBCR): HSR_SYSREG_DBG_CASES(DBGWVR): @@ -394,26 +422,25 @@ void do_sysreg(struct cpu_user_regs *regs, * And all other unknown registers. */ default: - { - const struct hsr_sysreg sysreg = hsr.sysreg; - - gdprintk(XENLOG_ERR, - "%s %d, %d, c%d, c%d, %d %s x%d @ 0x%"PRIregister"\n", - sysreg.read ? "mrs" : "msr", - sysreg.op0, sysreg.op1, - sysreg.crn, sysreg.crm, - sysreg.op2, - sysreg.read ? "=>" : "<=", - sysreg.reg, regs->pc); - gdprintk(XENLOG_ERR, - "unhandled 64-bit sysreg access %#"PRIregister"\n", - hsr.bits & HSR_SYSREG_REGS_MASK); - inject_undef_exception(regs, hsr); - return; - } + goto fail; } regs->pc += 4; + return; + + fail: + gdprintk(XENLOG_ERR, + "%s %d, %d, c%d, c%d, %d %s x%d @ 0x%"PRIregister"\n", + sysreg.read ? "mrs" : "msr", + sysreg.op0, sysreg.op1, + sysreg.crn, sysreg.crm, + sysreg.op2, + sysreg.read ? "=>" : "<=", + sysreg.reg, regs->pc); + gdprintk(XENLOG_ERR, + "unhandled 64-bit sysreg access %#"PRIregister"\n", + hsr.bits & HSR_SYSREG_REGS_MASK); + inject_undef_exception(regs, hsr); } /* diff --git a/xen/arch/arm/include/asm/arm64/hsr.h b/xen/arch/arm/include/asm/arm64/hsr.h index e691d41c17..1495ccddea 100644 --- a/xen/arch/arm/include/asm/arm64/hsr.h +++ b/xen/arch/arm/include/asm/arm64/hsr.h @@ -47,6 +47,9 @@ #define HSR_SYSREG_OSDLR_EL1 HSR_SYSREG(2,0,c1,c3,4) #define HSR_SYSREG_DBGPRCR_EL1 HSR_SYSREG(2,0,c1,c4,4) #define HSR_SYSREG_MDCCSR_EL0 HSR_SYSREG(2,3,c0,c1,0) +#define HSR_SYSREG_DBGDTR_EL0 HSR_SYSREG(2,3,c0,c4,0) +#define HSR_SYSREG_DBGDTRTX_EL0 HSR_SYSREG(2,3,c0,c5,0) +#define HSR_SYSREG_DBGDTRRX_EL0 HSR_SYSREG(2,3,c0,c5,0) #define HSR_SYSREG_DBGBVRn_EL1(n) HSR_SYSREG(2,0,c0,c##n,4) #define HSR_SYSREG_DBGBCRn_EL1(n) HSR_SYSREG(2,0,c0,c##n,5) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Sat Mar 16 01:22:22 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 16 Mar 2024 01:22:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694128.1083040 (Exim 4.92) (envelope-from ) id 1rlIkg-0000zq-PB; Sat, 16 Mar 2024 01:22:22 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694128.1083040; Sat, 16 Mar 2024 01:22:22 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkg-0000zi-MV; Sat, 16 Mar 2024 01:22:22 +0000 Received: by outflank-mailman (input) for mailman id 694128; Sat, 16 Mar 2024 01:22:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkg-0000zW-1h for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkg-0000K4-0q for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rlIkf-0002JX-Vp for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XU7Yi8Mrry3oW4BeiGmsZdMFkj7snDtGMBLEepkq2K0=; b=3ZAWg10q8OCqRs56PjkCv2gIZd 7TYkGL27rqyBE9QWzXJvwdxPa5NANUvKPtSQDyiprceIeTNTyra4mjrTtdC7rCPdTvhPa7A92/Gbm HKB97grJC3i6r5R5Dhjfpg6SFYM12RE8pwD+jWAqCqip9S+vsbz4ebVXygTjhWIsA6Ws=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: arm32: Add emulation of Debug Data Transfer Registers Message-Id: Date: Sat, 16 Mar 2024 01:22:21 +0000 commit 77c39a53cf5bfe185b7bff6544c63731513830d3 Author: Ayan Kumar Halder AuthorDate: Thu Mar 7 12:39:43 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 14 13:04:25 2024 +0000 xen/arm: arm32: Add emulation of Debug Data Transfer Registers When user enables HVC_DCC config option in Linux, it invokes access to debug transfer register (i.e. DBGDTRTXINT). As this register is not emulated, Xen injects an undefined exception to the guest and Linux crashes. To prevent this crash, introduce a partial emulation of DBGDTR[TR]XINT (these registers share the same encoding) as RAZ/WI and DBGDSCRINT as TXfull. Refer ARM DDI 0487J.a ID042523, G8.3.19, DBGDTRTXint: "If TXfull is set to 1, set DTRTX to UNKNOWN". As a pre-requisite, DBGOSLSR should be emulated in the same way as its AArch64 variant (i.e. OSLSR_EL1). This is to ensure that DBGOSLSR.OSLK is 0, which allows us to skip the emulation of DBGDSCREXT (TXfull is treated as UNK/SBZP) and focus on DBGDSCRINT. DBGOSLSR.OSLM[1] is set to 1 to mantain consistency with Arm64. Take the opportunity to fix the minimum EL for DBGDSCRINT, which should be 0. Signed-off-by: Ayan Kumar Halder Signed-off-by: Michal Orzel Acked-by: Julien Grall --- SUPPORT.md | 3 ++ xen/arch/arm/include/asm/cpregs.h | 2 ++ xen/arch/arm/vcpreg.c | 62 +++++++++++++++++++++++++++------------ 3 files changed, 49 insertions(+), 18 deletions(-) diff --git a/SUPPORT.md b/SUPPORT.md index 465f6527c9..58f075538f 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -115,6 +115,9 @@ Only the following system registers are security supported: DBGDTR_EL0 DBGDTRTX_EL0 DBGDTRRX_EL0 + DBGDSCRINT + DBGDTRTXINT + DBGDTRRXINT ### ARM Scalable Vector Extension (SVE/SVE2) diff --git a/xen/arch/arm/include/asm/cpregs.h b/xen/arch/arm/include/asm/cpregs.h index 6b083de204..aec9e8f329 100644 --- a/xen/arch/arm/include/asm/cpregs.h +++ b/xen/arch/arm/include/asm/cpregs.h @@ -75,6 +75,8 @@ #define DBGDIDR p14,0,c0,c0,0 /* Debug ID Register */ #define DBGDSCRINT p14,0,c0,c1,0 /* Debug Status and Control Internal */ #define DBGDSCREXT p14,0,c0,c2,2 /* Debug Status and Control External */ +#define DBGDTRRXINT p14,0,c0,c5,0 /* Debug Data Transfer Register, Receive */ +#define DBGDTRTXINT p14,0,c0,c5,0 /* Debug Data Transfer Register, Transmit */ #define DBGVCR p14,0,c0,c7,0 /* Vector Catch */ #define DBGBVR0 p14,0,c0,c0,4 /* Breakpoint Value 0 */ #define DBGBCR0 p14,0,c0,c0,5 /* Breakpoint Control 0 */ diff --git a/xen/arch/arm/vcpreg.c b/xen/arch/arm/vcpreg.c index 019cf34f00..0b336875a4 100644 --- a/xen/arch/arm/vcpreg.c +++ b/xen/arch/arm/vcpreg.c @@ -494,11 +494,12 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) * ARMv8 (DDI 0487A.d): D1-1509 Table D1-58 * * Unhandled: - * DBGOSLSR * DBGPRCR */ case HSR_CPREG32(DBGOSLAR): return handle_wo_wi(regs, regidx, cp32.read, hsr, 1); + case HSR_CPREG32(DBGOSLSR): + return handle_ro_read_val(regs, regidx, cp32.read, hsr, 1, 1U << 3); case HSR_CPREG32(DBGOSDLR): return handle_raz_wi(regs, regidx, cp32.read, hsr, 1); @@ -510,8 +511,6 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) * * Unhandled: * DBGDCCINT - * DBGDTRRXint - * DBGDTRTXint * DBGWFAR * DBGDTRTXext * DBGDTRRXext, @@ -549,12 +548,27 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) break; } + /* + * Xen doesn't expose a real (or emulated) Debug Communications Channel + * (DCC) to a domain. Yet the Arm ARM implies this is not an optional + * feature. So some domains may start to probe it. For instance, the + * HVC_DCC driver in Linux (since f377775dc083 and at least up to v6.7), + * will try to write some characters and check if the transmit buffer has + * emptied. + */ case HSR_CPREG32(DBGDSCRINT): /* - * Read-only register. Accessible by EL0 if DBGDSCRext.UDCCdis - * is set to 0, which we emulated below. + * By setting TX status bit (only if partial emulation is enabled) to + * indicate the transmit buffer is full, we would hint the OS that the + * DCC is probably not working. + * + * Bit 29: TX full + * + * Accessible at EL0 only if DBGDSCRext.UDCCdis is set to 0. We emulate + * this as RAZ/WI in the next case. So RO at both EL0 and EL1. */ - return handle_ro_raz(regs, regidx, cp32.read, hsr, 1); + return handle_ro_read_val(regs, regidx, cp32.read, hsr, 0, + partial_emulation ? (1U << 29) : 0); case HSR_CPREG32(DBGDSCREXT): /* @@ -563,6 +577,18 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) */ return handle_raz_wi(regs, regidx, cp32.read, hsr, 1); + /* DBGDTR[TR]XINT share the same encoding */ + case HSR_CPREG32(DBGDTRTXINT): + /* + * Emulate as RAZ/WI (only if partial emulation is enabled) to prevent + * injecting undefined exception. + * Accessible at EL0 only if DBGDSCREXT is set to 0. We emulate that + * register as RAZ/WI. + */ + if ( !partial_emulation ) + goto fail; + return handle_raz_wi(regs, regidx, cp32.read, hsr, 0); + case HSR_CPREG32(DBGVCR): case HSR_CPREG32(DBGBVR0): case HSR_CPREG32(DBGBCR0): @@ -592,17 +618,20 @@ void do_cp14_32(struct cpu_user_regs *regs, const union hsr hsr) * And all other unknown registers. */ default: - gdprintk(XENLOG_ERR, - "%s p14, %d, r%d, cr%d, cr%d, %d @ 0x%"PRIregister"\n", - cp32.read ? "mrc" : "mcr", - cp32.op1, cp32.reg, cp32.crn, cp32.crm, cp32.op2, regs->pc); - gdprintk(XENLOG_ERR, "unhandled 32-bit cp14 access %#"PRIregister"\n", - hsr.bits & HSR_CP32_REGS_MASK); - inject_undef_exception(regs, hsr); - return; + goto fail; } advance_pc(regs, hsr); + return; + + fail: + gdprintk(XENLOG_ERR, + "%s p14, %d, r%d, cr%d, cr%d, %d @ 0x%"PRIregister"\n", + cp32.read ? "mrc" : "mcr", + cp32.op1, cp32.reg, cp32.crn, cp32.crm, cp32.op2, regs->pc); + gdprintk(XENLOG_ERR, "unhandled 32-bit cp14 access %#"PRIregister"\n", + hsr.bits & HSR_CP32_REGS_MASK); + inject_undef_exception(regs, hsr); } void do_cp14_64(struct cpu_user_regs *regs, const union hsr hsr) @@ -660,10 +689,7 @@ void do_cp14_dbg(struct cpu_user_regs *regs, const union hsr hsr) * ARMv8 (DDI 0487A.d): D1-1509 Table D1-58 * * Unhandled: - * DBGDTRTXint - * DBGDTRRXint - * - * And all other unknown registers. + * All unknown registers. */ gdprintk(XENLOG_ERR, "%s p14, %d, r%d, r%d, cr%d @ 0x%"PRIregister"\n", -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Sat Mar 16 01:22:32 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 16 Mar 2024 01:22:32 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694129.1083044 (Exim 4.92) (envelope-from ) id 1rlIkq-00012j-Qh; Sat, 16 Mar 2024 01:22:32 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694129.1083044; Sat, 16 Mar 2024 01:22:32 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkq-00012a-O0; Sat, 16 Mar 2024 01:22:32 +0000 Received: by outflank-mailman (input) for mailman id 694129; Sat, 16 Mar 2024 01:22:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkq-00012P-8y for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rlIkq-0000KC-5v for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rlIkq-0002Jw-2p for xen-changelog@lists.xenproject.org; Sat, 16 Mar 2024 01:22:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=tM48AXrgrI5UJRplgXwdXlY1G/m6zB0cH8V3tPUZz+M=; b=4KaYeuAlAniPaVA6r5EQMRnK+5 /j1LA7gGP1d7D2Sxpmrb5hkeahN2vUOc61eyaCRoxEB9D9JbeDwcyTDhF+1q+18AjAajRhOcqtng6 jwMlUa8ZE8RAWCbxHgMvWuvZHcBzOUHIUFfCGV65YKj30mmsV/pcKifLFQTixHE5eyoE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] SUPPORT.MD: Fix matrix generation after 43c416d0d819 and 77c39a53cf5b Message-Id: Date: Sat, 16 Mar 2024 01:22:32 +0000 commit d638e304f13a5ef7d125de5ace5f7828a7b25bac Author: Julien Grall AuthorDate: Thu Mar 14 17:39:29 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 14 17:56:29 2024 +0000 SUPPORT.MD: Fix matrix generation after 43c416d0d819 and 77c39a53cf5b The script docs/support-matrix-generate throw the following error on the latest staging. MDCCSR_EL0 DBGDTR_EL0 DBGDTRTX_EL0 DBGDTRRX_EL0 DBGDSCRINT DBGDTRTXINT DBGDTRRXINT ^ cannot parse status codeblock line: MDCCSR_EL0 ? at docs/parse-support-md line 172, chunk 1. With the current indentation, it looks like the script thinks this is a status code block. Solve the issue by switching to a bullet list. Fixes: 43c416d0d819 ("xen/arm: arm64: Add emulation of Debug Data Transfer Registers") Fixes: 77c39a53cf5b ("xen/arm: arm32: Add emulation of Debug Data Transfer Registers") Signed-off-by: Julien Grall Acked-by: Andrew Cooper --- SUPPORT.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/SUPPORT.md b/SUPPORT.md index 58f075538f..e10d46d924 100644 --- a/SUPPORT.md +++ b/SUPPORT.md @@ -111,13 +111,13 @@ that would normally trigger a fault injection. Only the following system registers are security supported: - MDCCSR_EL0 - DBGDTR_EL0 - DBGDTRTX_EL0 - DBGDTRRX_EL0 - DBGDSCRINT - DBGDTRTXINT - DBGDTRRXINT + * MDCCSR_EL0 + * DBGDTR_EL0 + * DBGDTRTX_EL0 + * DBGDTRRX_EL0 + * DBGDSCRINT + * DBGDTRTXINT + * DBGDTRRXINT ### ARM Scalable Vector Extension (SVE/SVE2) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Mar 18 08:33:08 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 18 Mar 2024 08:33:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694550.1083375 (Exim 4.92) (envelope-from ) id 1rm8Qa-0000WG-VY; Mon, 18 Mar 2024 08:33:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694550.1083375; Mon, 18 Mar 2024 08:33:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rm8Qa-0000W8-T1; Mon, 18 Mar 2024 08:33:04 +0000 Received: by outflank-mailman (input) for mailman id 694550; Mon, 18 Mar 2024 08:33:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rm8QZ-0000W2-DD for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 08:33:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rm8QZ-0004k7-9M for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 08:33:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rm8QZ-0004Bc-7x for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 08:33:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fn5is5TlcKYvvq+N713/H4G5oW+zcgV6ngBgqvAwjNg=; b=aicEd1EjyL6QEAJSPARFYQZn8J /yk7k/DYtiD8iS008h5YGOTP2tRhF0GrtgNyyfWdImhty5hT7bSbw1F7oRQTvP2knHZcD8JADOi1K jhJ+cmSexhM7tDZNvCjeCT2liwG9FgdynRJ1HwXJwM14rlfJbHjA6yzn57u4q27enoRc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] update Xen version to 4.18.1 Message-Id: Date: Mon, 18 Mar 2024 08:33:03 +0000 commit ea82c8cdbfe5a6e3bb6071cb71433502e3e565cf Author: Jan Beulich AuthorDate: Mon Mar 18 09:27:49 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 09:27:49 2024 +0100 update Xen version to 4.18.1 --- Config.mk | 6 +++--- xen/Makefile | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Config.mk b/Config.mk index 2a3e16d0bd..477f287a6c 100644 --- a/Config.mk +++ b/Config.mk @@ -221,10 +221,10 @@ OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git OVMF_UPSTREAM_REVISION ?= ba91d0292e593df8528b66f99c1b0b14fadc8e16 QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git -QEMU_UPSTREAM_REVISION ?= qemu-xen-4.18.0 +QEMU_UPSTREAM_REVISION ?= qemu-xen-4.18.1 MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git -MINIOS_UPSTREAM_REVISION ?= xen-RELEASE-4.18.0 +MINIOS_UPSTREAM_REVISION ?= xen-RELEASE-4.18.1 SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git SEABIOS_UPSTREAM_REVISION ?= rel-1.16.2 @@ -233,7 +233,7 @@ ETHERBOOT_NICS ?= rtl8139 8086100e QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git -QEMU_TRADITIONAL_REVISION ?= xen-4.18.0 +QEMU_TRADITIONAL_REVISION ?= xen-4.18.1 # Specify which qemu-dm to use. This may be `ioemu' to use the old # Mercurial in-tree version, or a local directory, or a git URL. diff --git a/xen/Makefile b/xen/Makefile index fdf9fd3f22..0ec1e6555f 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST)) # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 18 -export XEN_EXTRAVERSION ?= .1-pre$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .1$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Mon Mar 18 12:55:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 18 Mar 2024 12:55:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694669.1083646 (Exim 4.92) (envelope-from ) id 1rmCW9-0001mU-Ci; Mon, 18 Mar 2024 12:55:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694669.1083646; Mon, 18 Mar 2024 12:55:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCW9-0001mM-9z; Mon, 18 Mar 2024 12:55:05 +0000 Received: by outflank-mailman (input) for mailman id 694669; Mon, 18 Mar 2024 12:55:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCW7-0001lg-Cd for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCW7-0000o0-BH for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmCW7-0001Ue-AL for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=YELQ6zhSRBXPJwcuLMbhuKmynsByX7lPAvM7bCB2zco=; b=WLooSXA2xvuOFdvbBLctsVBT96 GcbCzq+/JSarwHwEdLz8okIYITAdhciGZWktbf/CCnj6fxFThu0VYwRFY2E/82/QtE3jCPeRKl3V7 AhrW2oTIC3eueF7v219K2fQ+dI/ubJNUzn5iJz9RyXJNluTko99vhDXDP0VjXaEbZFLM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/svm: Drop the suffix _guest from vmcb bit Message-Id: Date: Mon, 18 Mar 2024 12:55:03 +0000 commit 2f09f797ba43f1182cf5ce24e9ef63cd148d385e Author: Vaishali Thakkar AuthorDate: Mon Mar 18 13:49:46 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:49:46 2024 +0100 x86/svm: Drop the suffix _guest from vmcb bit The suffix _guest is redundant for asid bit. Drop it to avoid adding extra code volume. While we're here, replace 0/1 with false/true and use VMCB accessors instead of open coding. Suggested-by: Andrew Cooper Signed-off-by: Vaishali Thakkar Reviewed-by: Jan Beulich --- xen/arch/x86/hvm/svm/asid.c | 6 +++--- xen/arch/x86/hvm/svm/nestedsvm.c | 8 ++++---- xen/arch/x86/hvm/svm/svmdebug.c | 4 ++-- xen/arch/x86/include/asm/hvm/svm/nestedsvm.h | 2 +- xen/arch/x86/include/asm/hvm/svm/vmcb.h | 6 +++--- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/hvm/svm/asid.c b/xen/arch/x86/hvm/svm/asid.c index 28e0dbc176..7977a8e86b 100644 --- a/xen/arch/x86/hvm/svm/asid.c +++ b/xen/arch/x86/hvm/svm/asid.c @@ -37,14 +37,14 @@ void svm_asid_handle_vmrun(void) /* ASID 0 indicates that ASIDs are disabled. */ if ( p_asid->asid == 0 ) { - vmcb_set_guest_asid(vmcb, 1); + vmcb_set_asid(vmcb, true); vmcb->tlb_control = cpu_has_svm_flushbyasid ? TLB_CTRL_FLUSH_ASID : TLB_CTRL_FLUSH_ALL; return; } - if ( vmcb_get_guest_asid(vmcb) != p_asid->asid ) - vmcb_set_guest_asid(vmcb, p_asid->asid); + if ( vmcb_get_asid(vmcb) != p_asid->asid ) + vmcb_set_asid(vmcb, p_asid->asid); vmcb->tlb_control = !need_flush ? TLB_CTRL_NO_FLUSH : diff --git a/xen/arch/x86/hvm/svm/nestedsvm.c b/xen/arch/x86/hvm/svm/nestedsvm.c index 07630d74d3..a8d5f4ee95 100644 --- a/xen/arch/x86/hvm/svm/nestedsvm.c +++ b/xen/arch/x86/hvm/svm/nestedsvm.c @@ -157,7 +157,7 @@ int cf_check nsvm_vcpu_reset(struct vcpu *v) svm->ns_hap_enabled = 0; svm->ns_vmcb_guestcr3 = 0; svm->ns_vmcb_hostcr3 = 0; - svm->ns_guest_asid = 0; + svm->ns_asid = 0; svm->ns_hostflags.bytes = 0; svm->ns_vmexit.exitinfo1 = 0; svm->ns_vmexit.exitinfo2 = 0; @@ -698,11 +698,11 @@ nsvm_vcpu_vmentry(struct vcpu *v, struct cpu_user_regs *regs, /* Convert explicitely to boolean. Deals with l1 guests * that use flush-by-asid w/o checking the cpuid bits */ nv->nv_flushp2m = !!ns_vmcb->tlb_control; - if ( svm->ns_guest_asid != ns_vmcb->_guest_asid ) + if ( svm->ns_asid != vmcb_get_asid(ns_vmcb)) { nv->nv_flushp2m = 1; hvm_asid_flush_vcpu_asid(&vcpu_nestedhvm(v).nv_n2asid); - svm->ns_guest_asid = ns_vmcb->_guest_asid; + svm->ns_asid = vmcb_get_asid(ns_vmcb); } /* nested paging for the guest */ @@ -1046,7 +1046,7 @@ nsvm_vmcb_prepare4vmexit(struct vcpu *v, struct cpu_user_regs *regs) /* Keep it. It's maintainted by the l1 guest. */ /* ASID */ - /* ns_vmcb->_guest_asid = n2vmcb->_guest_asid; */ + /* vmcb_set_asid(ns_vmcb, vmcb_get_asid(n2vmcb)); */ /* TLB control */ ns_vmcb->tlb_control = 0; diff --git a/xen/arch/x86/hvm/svm/svmdebug.c b/xen/arch/x86/hvm/svm/svmdebug.c index 24358c6eea..0d714c728c 100644 --- a/xen/arch/x86/hvm/svm/svmdebug.c +++ b/xen/arch/x86/hvm/svm/svmdebug.c @@ -51,8 +51,8 @@ void svm_vmcb_dump(const char *from, const struct vmcb_struct *vmcb) vmcb->exitcode, vmcb->exit_int_info.raw); printk("exitinfo1 = %#"PRIx64" exitinfo2 = %#"PRIx64"\n", vmcb->exitinfo1, vmcb->exitinfo2); - printk("np_ctrl = %#"PRIx64" guest_asid = %#x\n", - vmcb_get_np_ctrl(vmcb), vmcb_get_guest_asid(vmcb)); + printk("np_ctrl = %#"PRIx64" asid = %#x\n", + vmcb_get_np_ctrl(vmcb), vmcb_get_asid(vmcb)); printk("virtual vmload/vmsave = %d, virt_ext = %#"PRIx64"\n", vmcb->virt_ext.fields.vloadsave_enable, vmcb->virt_ext.bytes); printk("cpl = %d efer = %#"PRIx64" star = %#"PRIx64" lstar = %#"PRIx64"\n", diff --git a/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h b/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h index 406fc082b1..7767cd6080 100644 --- a/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h +++ b/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h @@ -51,7 +51,7 @@ struct nestedsvm { * the l1 guest nested page table */ uint64_t ns_vmcb_guestcr3, ns_vmcb_hostcr3; - uint32_t ns_guest_asid; + uint32_t ns_asid; bool ns_hap_enabled; diff --git a/xen/arch/x86/include/asm/hvm/svm/vmcb.h b/xen/arch/x86/include/asm/hvm/svm/vmcb.h index bf2b8d9a94..0396d10b90 100644 --- a/xen/arch/x86/include/asm/hvm/svm/vmcb.h +++ b/xen/arch/x86/include/asm/hvm/svm/vmcb.h @@ -383,7 +383,7 @@ typedef union bool intercepts:1; /* 0: cr/dr/exception/general intercepts, * pause_filter_count, tsc_offset */ bool iopm:1; /* 1: iopm_base_pa, msrpm_base_pa */ - bool asid:1; /* 2: guest_asid */ + bool asid:1; /* 2: asid */ bool tpr:1; /* 3: vintr */ bool np:1; /* 4: np, h_cr3, g_pat */ bool cr:1; /* 5: cr0, cr3, cr4, efer */ @@ -413,7 +413,7 @@ struct vmcb_struct { u64 _iopm_base_pa; /* offset 0x40 - cleanbit 1 */ u64 _msrpm_base_pa; /* offset 0x48 - cleanbit 1 */ u64 _tsc_offset; /* offset 0x50 - cleanbit 0 */ - u32 _guest_asid; /* offset 0x58 - cleanbit 2 */ + u32 _asid; /* offset 0x58 - cleanbit 2 */ u8 tlb_control; /* offset 0x5C - TLB_CTRL_* */ u8 res07[3]; vintr_t _vintr; /* offset 0x60 - cleanbit 3 */ @@ -642,7 +642,7 @@ VMCB_ACCESSORS(pause_filter_thresh, intercepts) VMCB_ACCESSORS(tsc_offset, intercepts) VMCB_ACCESSORS(iopm_base_pa, iopm) VMCB_ACCESSORS(msrpm_base_pa, iopm) -VMCB_ACCESSORS(guest_asid, asid) +VMCB_ACCESSORS(asid, asid) VMCB_ACCESSORS(vintr, tpr) VMCB_ACCESSORS(np_ctrl, np) VMCB_ACCESSORS_(np, bool, np) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 18 12:55:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 18 Mar 2024 12:55:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694670.1083650 (Exim 4.92) (envelope-from ) id 1rmCWJ-0001rf-EG; Mon, 18 Mar 2024 12:55:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694670.1083650; Mon, 18 Mar 2024 12:55:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWJ-0001rX-BV; Mon, 18 Mar 2024 12:55:15 +0000 Received: by outflank-mailman (input) for mailman id 694670; Mon, 18 Mar 2024 12:55:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWH-0001qo-IY for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWH-0000o5-Hp for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmCWH-0001VW-DP for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LOdLXY6vuRW1l0KMfUO7wEI3y0IT2QToZc/c1radRNM=; b=2h7JUjCqrLHkPKtTmFynVz8+2w 4S6qyHdJhFIhPnZzm3/WYBJXuWYRkM3Y8lRRAtWEe9KGbxCflrz+QuN+qin0nyaYbgqDqW+51eJNz 6WEZNBGedmuQLqx4f8NReD/0g14HAmxCKLtex6gjnJtVyjMEWk/yWKNRBYbKeZsVtz7g=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/svmdebug: Print np, sev and sev_es vmcb bits Message-Id: Date: Mon, 18 Mar 2024 12:55:13 +0000 commit 53b5208de8f3151be0729e6ac49c9b616c07c5ff Author: Vaishali Thakkar AuthorDate: Mon Mar 18 13:50:33 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:50:33 2024 +0100 x86/svmdebug: Print np, sev and sev_es vmcb bits Currently only raw _np_ctrl is being printed. It can be informational to know about which particular bits are enabled. So, this commit adds the bit-by-bit decode for np, sev and sev_es bits. Note that while, only np is enabled in certain scenarios at the moment, work for enabling sev and sev_es is in progress. And it'll be useful to have this information as part of svmdebug. Signed-off-by: Vaishali Thakkar Acked-by: Jan Beulich --- xen/arch/x86/hvm/svm/svmdebug.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/hvm/svm/svmdebug.c b/xen/arch/x86/hvm/svm/svmdebug.c index 0d714c728c..9d3badcf5d 100644 --- a/xen/arch/x86/hvm/svm/svmdebug.c +++ b/xen/arch/x86/hvm/svm/svmdebug.c @@ -51,8 +51,11 @@ void svm_vmcb_dump(const char *from, const struct vmcb_struct *vmcb) vmcb->exitcode, vmcb->exit_int_info.raw); printk("exitinfo1 = %#"PRIx64" exitinfo2 = %#"PRIx64"\n", vmcb->exitinfo1, vmcb->exitinfo2); - printk("np_ctrl = %#"PRIx64" asid = %#x\n", - vmcb_get_np_ctrl(vmcb), vmcb_get_asid(vmcb)); + printk("asid = %#x np_ctrl = %#"PRIx64":%s%s%s\n", + vmcb_get_asid(vmcb), vmcb_get_np_ctrl(vmcb), + vmcb_get_np(vmcb) ? " NP" : "", + vmcb_get_sev(vmcb) ? " SEV" : "", + vmcb_get_sev_es(vmcb) ? " SEV_ES" : ""); printk("virtual vmload/vmsave = %d, virt_ext = %#"PRIx64"\n", vmcb->virt_ext.fields.vloadsave_enable, vmcb->virt_ext.bytes); printk("cpl = %d efer = %#"PRIx64" star = %#"PRIx64" lstar = %#"PRIx64"\n", -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 18 12:55:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 18 Mar 2024 12:55:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694673.1083654 (Exim 4.92) (envelope-from ) id 1rmCWT-00023m-Fy; Mon, 18 Mar 2024 12:55:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694673.1083654; Mon, 18 Mar 2024 12:55:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWT-00023e-D0; Mon, 18 Mar 2024 12:55:25 +0000 Received: by outflank-mailman (input) for mailman id 694673; Mon, 18 Mar 2024 12:55:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWR-000218-Me for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWR-0000oG-Lp for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmCWR-0001W9-Js for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=PSYUEn1dFQDlPck3pIBFEHp5Oz22tEAono53Lu0UmY0=; b=XX3gZ18bXI96yktQXNsBfDy2TK slx2stHCMLILUbEw72y9rdPIgzwvNqSAzFYbTN6ZQTCgG358HCSjZLLQZ/9pl6fyr/b3e6JXwr/hC rAAj2YlryFxVWt7FG1TfcY1KqGjWrAZjEgiLyfRfS+3lWX/ztfWD+sRDduVVGp31B79Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] perfc: add pseudo-keyword fallthrough Message-Id: Date: Mon, 18 Mar 2024 12:55:23 +0000 commit 8a8d5c22afc515020669d9479b97e4ddda26d2b5 Author: Federico Serafini AuthorDate: Mon Mar 18 13:51:17 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:51:17 2024 +0100 perfc: add pseudo-keyword fallthrough Add pseudo-keyword fallthrough to make explicit the intention of the code and meet requirements to deviate MISRA C:2012 Rule 16.3 ("An unconditional `break' statement shall terminate every switch-clause"). No functional change. Signed-off-by: Federico Serafini Acked-by: Jan Beulich --- xen/common/perfc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/common/perfc.c b/xen/common/perfc.c index 7400667bf0..80480aa776 100644 --- a/xen/common/perfc.c +++ b/xen/common/perfc.c @@ -134,6 +134,7 @@ void cf_check perfc_reset(unsigned char key) case TYPE_SINGLE: for_each_online_cpu ( cpu ) per_cpu(perfcounters, cpu)[j] = 0; + fallthrough; case TYPE_S_SINGLE: ++j; break; @@ -141,6 +142,7 @@ void cf_check perfc_reset(unsigned char key) for_each_online_cpu ( cpu ) memset(per_cpu(perfcounters, cpu) + j, 0, perfc_info[i].nr_elements * sizeof(perfc_t)); + fallthrough; case TYPE_S_ARRAY: j += perfc_info[i].nr_elements; break; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 18 12:55:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 18 Mar 2024 12:55:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694674.1083657 (Exim 4.92) (envelope-from ) id 1rmCWd-0002Al-H2; Mon, 18 Mar 2024 12:55:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694674.1083657; Mon, 18 Mar 2024 12:55:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWd-0002Ae-EZ; Mon, 18 Mar 2024 12:55:35 +0000 Received: by outflank-mailman (input) for mailman id 694674; Mon, 18 Mar 2024 12:55:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWb-000283-RG for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWb-0000oS-QS for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmCWb-0001Ws-Nu for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6txXbhir2dW6CThEynG+YQLWIWaIJbeuE39VMLL7xQg=; b=irMcfdQ3JwODzZyhJ2grjqv+iG SrbO3UVRntykqhvDwYNUH9jO50g0rD11hrjPFdjQULi/Ylkkv2NbUhUNBFuUKT70JEmgJq+LB3R6O Obgwrhfxw+V3+Nu3m4YbW2ZWfqtPYZG7h0K2y6RsaI6TU1WxRDE+yhGPnH8o2i/1BVAY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] MAINTAINERS: drop AMD IOMMU and Intel VT-d sections Message-Id: Date: Mon, 18 Mar 2024 12:55:33 +0000 commit ad52857efcd6e662f4ef75bc9d27368c8b99f1a5 Author: Jan Beulich AuthorDate: Mon Mar 18 13:52:09 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:52:09 2024 +0100 MAINTAINERS: drop AMD IOMMU and Intel VT-d sections We'd like to thank Kevin, so far the VT-d maintainer, for his past contributions, while at the same time we'd like to reflect reality as it has been for quite some time. Have VT-d maintainership (and for symmetry also AMD IOMMU's) fall back to the maintainers of general x86. This also brings things in sync with how they are for Arm. While touching the X86 section also append two so far missing slashes. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper Acked-by: Kevin Tian --- MAINTAINERS | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index b2cc3cc392..f294a80e65 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -220,12 +220,6 @@ F: xen/drivers/acpi/ F: xen/include/acpi/ F: tools/libacpi/ -AMD IOMMU -M: Jan Beulich -M: Andrew Cooper -S: Maintained -F: xen/drivers/passthrough/amd/ - ARGO M: Christopher Clark S: Maintained @@ -351,11 +345,6 @@ S: Odd Fixes F: xen/arch/x86/include/asm/tboot.h F: xen/arch/x86/tboot.c -INTEL(R) VT FOR DIRECTED I/O (VT-D) -M: Kevin Tian -S: Supported -F: xen/drivers/passthrough/vtd/ - IOMMU VENDOR INDEPENDENT CODE M: Jan Beulich R: Roger Pau Monné @@ -587,9 +576,11 @@ R: Wei Liu S: Supported L: xen-devel@lists.xenproject.org F: xen/arch/x86/ +F: xen/drivers/passthrough/amd/ +F: xen/drivers/passthrough/vtd/ F: xen/include/public/arch-x86/ -F: xen/include/xen/lib/x86 -F: xen/lib/x86 +F: xen/include/xen/lib/x86/ +F: xen/lib/x86/ F: xen/tools/gen-cpuid.py F: tools/firmware/hvmloader/ F: tools/firmware/rombios/ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 18 12:55:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 18 Mar 2024 12:55:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694675.1083662 (Exim 4.92) (envelope-from ) id 1rmCWn-0002E0-Iq; Mon, 18 Mar 2024 12:55:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694675.1083662; Mon, 18 Mar 2024 12:55:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWn-0002Dt-Fy; Mon, 18 Mar 2024 12:55:45 +0000 Received: by outflank-mailman (input) for mailman id 694675; Mon, 18 Mar 2024 12:55:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWl-0002Da-UG for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWl-0000ot-TS for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmCWl-0001XZ-SZ for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iFAmHTYRHWyeya4FOGZ0yesqe72YcR/BN+7i1aYmfn0=; b=LkdcJZprHJudEqdKIYq0yy3oID O4nZLO3LrME+u1Xsp/kJh2C+36IBytaFmw3IHQRhn0CrYzjtSFBa1ucz+fd/0Xob9x508rlPhw+ng jR7DxjrEH7GdL/zERLN1GAjwNKDsKWzQ5vQ44cDgiZBCk/YxSZQqFKtokrJL3PhcmyHM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] MAINTAINERS: remove myself from various positions Message-Id: Date: Mon, 18 Mar 2024 12:55:43 +0000 commit a5b90a90eee4709a3fe434e7da83b8421528e8fe Author: Wei Liu AuthorDate: Mon Mar 18 13:52:35 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:52:35 2024 +0100 MAINTAINERS: remove myself from various positions I have not been active in the Xen community for some time. Update the MAINTAINERS file to reflect reality. Signed-off-by: Wei Liu Acked-by: Stefano Stabellini --- MAINTAINERS | 8 -------- 1 file changed, 8 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index f294a80e65..1bd22fd75f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -376,7 +376,6 @@ F: xen/arch/x86/machine_kexec.c F: xen/arch/x86/x86_64/kexec_reloc.S LIBS -M: Wei Liu M: Anthony PERARD R: Juergen Gross S: Supported @@ -411,7 +410,6 @@ F: xen/test/livepatch/* MINI-OS M: Samuel Thibault M: Juergen Gross -R: Wei Liu S: Supported L: minios-devel@lists.xenproject.org T: git https://xenbits.xenproject.org/git-http/mini-os.git @@ -425,7 +423,6 @@ F: tools/ocaml/ OVMF UPSTREAM M: Anthony PERARD -M: Wei Liu S: Supported T: git https://xenbits.xenproject.org/git-http/ovmf.git @@ -510,7 +507,6 @@ F: xen/arch/arm/include/asm/tee F: xen/arch/arm/tee/ TOOLSTACK -M: Wei Liu M: Anthony PERARD S: Supported F: autogen.sh @@ -572,7 +568,6 @@ X86 ARCHITECTURE M: Jan Beulich M: Andrew Cooper M: Roger Pau Monné -R: Wei Liu S: Supported L: xen-devel@lists.xenproject.org F: xen/arch/x86/ @@ -617,7 +612,6 @@ F: xen/arch/x86/mm/shadow/ X86 VIRIDIAN ENLIGHTENMENTS M: Paul Durrant -M: Wei Liu S: Supported F: xen/arch/x86/guest/hyperv/ F: xen/arch/x86/hvm/viridian/ @@ -627,7 +621,6 @@ F: xen/arch/x86/include/asm/guest/hyperv-tlfs.h F: xen/arch/x86/include/asm/hvm/viridian.h XENSTORE -M: Wei Liu M: Juergen Gross R: Julien Grall S: Supported @@ -673,7 +666,6 @@ M: George Dunlap M: Jan Beulich M: Julien Grall M: Stefano Stabellini -M: Wei Liu L: xen-devel@lists.xenproject.org S: Supported F: * -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 18 12:55:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 18 Mar 2024 12:55:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694676.1083666 (Exim 4.92) (envelope-from ) id 1rmCWx-0002H9-KE; Mon, 18 Mar 2024 12:55:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694676.1083666; Mon, 18 Mar 2024 12:55:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWx-0002H1-HR; Mon, 18 Mar 2024 12:55:55 +0000 Received: by outflank-mailman (input) for mailman id 694676; Mon, 18 Mar 2024 12:55:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWw-0002Go-4X for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCWw-0000p0-3o for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmCWv-0001Y7-Vf for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:55:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6/jPAgK69mb4iZQcP+RvuEFlBVKXyN+Rz3JbRne6RO0=; b=EMUlxak4+3jWIl4RJyTs1w7f0w ecd7wg76s4O9ZK0ZRc88TKX5yITqlmRrr9DQORQzeTuaqwhEE+0IUL6qz/UEfnwb3VMiEUfXrosHm bY0I0ErA2MORgs6ANPE7/5eOmeE7h1WDLHRv+VG+8wGbJVEOWwszibsBvYvtoEy0eW2Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] automation/eclair: allow parameter name "unused" Message-Id: Date: Mon, 18 Mar 2024 12:55:53 +0000 commit f93d8dd5198c1ac0a4be5c7fb1b5a997d5c42a97 Author: Federico Serafini AuthorDate: Mon Mar 18 13:52:53 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:52:53 2024 +0100 automation/eclair: allow parameter name "unused" Update ECLAIR configuration of MISRA C:2012 Rule 8.3 to deviate violations involving parameter name "unused" (with an optional numeric suffix): it makes explicit the intention of not using such parameter within the function. Signed-off-by: Federico Serafini Reviewed-by: Stefano Stabellini --- automation/eclair_analysis/ECLAIR/deviations.ecl | 4 ++++ docs/misra/deviations.rst | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl index 53f7623454..de9ba723fb 100644 --- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl @@ -167,6 +167,10 @@ const-qualified." -config=MC3R1.R8.3,reports+={deliberate,"any_area(any_loc(file(adopted_decompress_r8_3)))&&any_area(any_loc(file(^xen/include/xen/decompress\\.h$)))"} -doc_end +-doc_begin="Parameter name \"unused\" (with an optional numeric suffix) is deliberate and makes explicit the intention of not using such parameter within the function." +-config=MC3R1.R8.3,reports+={deliberate, "any_area(^.*parameter `unused[0-9]*'.*$)"} +-doc_end + -doc_begin="The following file is imported from Linux: ignore for now." -file_tag+={adopted_time_r8_3,"^xen/arch/x86/time\\.c$"} -config=MC3R1.R8.3,reports+={deliberate,"any_area(any_loc(file(adopted_time_r8_3)))&&(any_area(any_loc(file(^xen/include/xen/time\\.h$)))||any_area(any_loc(file(^xen/arch/x86/include/asm/setup\\.h$))))"} diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst index 41fa5b31b0..eb5ef2bd9d 100644 --- a/docs/misra/deviations.rst +++ b/docs/misra/deviations.rst @@ -157,6 +157,12 @@ Deviations related to MISRA C:2012 Rules: - xen/common/unxz.c - xen/common/unzstd.c + * - R8.3 + - Parameter name "unused" (with an optional numeric suffix) is deliberate + and makes explicit the intention of not using such parameter within the + function. + - Tagged as `deliberate` for ECLAIR. + * - R8.4 - The definitions present in the files 'asm-offsets.c' for any architecture are used to generate definitions for asm modules, and are not called by -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 18 12:56:05 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 18 Mar 2024 12:56:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694677.1083670 (Exim 4.92) (envelope-from ) id 1rmCX7-0002KX-Lf; Mon, 18 Mar 2024 12:56:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694677.1083670; Mon, 18 Mar 2024 12:56:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCX7-0002KQ-It; Mon, 18 Mar 2024 12:56:05 +0000 Received: by outflank-mailman (input) for mailman id 694677; Mon, 18 Mar 2024 12:56:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCX6-0002K5-7N for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:56:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCX6-0000pK-6d for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:56:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmCX6-0001ZF-5t for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:56:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BaalQwrzE7Ct3LItw685vGOeNHcb7XvhyHmbZarnLe4=; b=j3aIk5O2uisJpyZCv/EWONxolR OwY07s9V6Iq1pev4kaVB59ThbCQPLrnt8Fftli9XjkOC1c28fSTpkWkWHtCKXDIa5FQuCNMU3qak8 VKlWroUTwnw1eK+d+aGgVIVNZQhoS8ZXts3fRoF+ap/P4cZInZ9vrEI4nPLd56D/CKbY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/sched: address violations of MISRA C Rule 20.7 Message-Id: Date: Mon, 18 Mar 2024 12:56:04 +0000 commit d92a67b60c038ebb0f0b83a7f1ce5ad359e052d6 Author: Nicola Vetrini AuthorDate: Mon Mar 18 13:53:07 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:53:07 2024 +0100 xen/sched: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: George Dunlap --- xen/common/sched/private.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 459d1dfb11..c0e7c96d24 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -540,7 +540,7 @@ static inline void sched_unit_unpause(const struct sched_unit *unit) } #define REGISTER_SCHEDULER(x) static const struct scheduler *x##_entry \ - __used_section(".data.schedulers") = &x + __used_section(".data.schedulers") = &(x) struct cpupool { -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 18 12:56:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 18 Mar 2024 12:56:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.694678.1083675 (Exim 4.92) (envelope-from ) id 1rmCXG-0002OD-Ox; Mon, 18 Mar 2024 12:56:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 694678.1083675; Mon, 18 Mar 2024 12:56:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCXG-0002O5-M5; Mon, 18 Mar 2024 12:56:14 +0000 Received: by outflank-mailman (input) for mailman id 694678; Mon, 18 Mar 2024 12:56:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCXG-0002Nz-AF for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:56:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmCXG-0000pa-9X for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:56:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmCXG-0001iC-8l for xen-changelog@lists.xenproject.org; Mon, 18 Mar 2024 12:56:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Zqist/FoiHuzk6G9bCDZTtHNLWy14uCXjBYfDlueLUU=; b=B+1V3mNnQKlSS6S0Gj0KbeZCjq jMWPltOgx9JJCukd+piMsMGAVghhKcHh+Ny9NEpmP5UQxtIyHO9yw9o2GMwwRRHDA7fGewcg6dWz7 G5B1VjZVKzumFJdiM89rwZJwDDN+C4SvBrS6ciKg+mbUMDZ8EtfZxLaHXuktTOwOsBi8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/mm: use block_lock_speculation() in _mm_write_lock() Message-Id: Date: Mon, 18 Mar 2024 12:56:14 +0000 commit 62018f08708a5ff6ef8fc8ff2aaaac46e5a60430 Author: Jan Beulich AuthorDate: Mon Mar 18 13:53:37 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:53:37 2024 +0100 x86/mm: use block_lock_speculation() in _mm_write_lock() I can only guess that using block_speculation() there was a leftover from, earlier on, SPECULATIVE_HARDEN_LOCK depending on SPECULATIVE_HARDEN_BRANCH. Fixes: 197ecd838a2a ("locking: attempt to ensure lock wrappers are always inline") Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- xen/arch/x86/mm/mm-locks.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 2eae73ac68..b098bbfae8 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -138,7 +138,7 @@ static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, _set_lock_level(_lock_level(d, level)); } else - block_speculation(); + block_lock_speculation(); l->recurse_count++; } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 03:33:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 03:33:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695193.1084754 (Exim 4.92) (envelope-from ) id 1rmQDn-0004WS-Ie; Tue, 19 Mar 2024 03:33:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695193.1084754; Tue, 19 Mar 2024 03:33:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmQDn-0004WF-FY; Tue, 19 Mar 2024 03:33:03 +0000 Received: by outflank-mailman (input) for mailman id 695193; Tue, 19 Mar 2024 03:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmQDm-0004VB-0t for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 03:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmQDl-0000Rf-WD for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 03:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmQDl-00075N-SQ for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 03:33:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kTTmincNzV2sbeHev8OU070VeO5vqMcW3IkR1Sl5WW8=; b=DCeaZXSKobb/mDIZGjdPWEC/Wy icyZgCPHWCyb1tsr5fOchHCQACsKFp4m3H0rsJIXosH95RyIDnZryKoIthjnvp1FLAio3CEohYlrV ja4Ei2GOw38RQOb80zAoAodYPq0JvyE5tIYEOY4W2+G5pBqMfbSqJUrKITB4WOzmPHdc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] update Xen version to 4.18.1 Message-Id: Date: Tue, 19 Mar 2024 03:33:01 +0000 commit ea82c8cdbfe5a6e3bb6071cb71433502e3e565cf Author: Jan Beulich AuthorDate: Mon Mar 18 09:27:49 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 09:27:49 2024 +0100 update Xen version to 4.18.1 --- Config.mk | 6 +++--- xen/Makefile | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Config.mk b/Config.mk index 2a3e16d0bd..477f287a6c 100644 --- a/Config.mk +++ b/Config.mk @@ -221,10 +221,10 @@ OVMF_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/ovmf.git OVMF_UPSTREAM_REVISION ?= ba91d0292e593df8528b66f99c1b0b14fadc8e16 QEMU_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/qemu-xen.git -QEMU_UPSTREAM_REVISION ?= qemu-xen-4.18.0 +QEMU_UPSTREAM_REVISION ?= qemu-xen-4.18.1 MINIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/mini-os.git -MINIOS_UPSTREAM_REVISION ?= xen-RELEASE-4.18.0 +MINIOS_UPSTREAM_REVISION ?= xen-RELEASE-4.18.1 SEABIOS_UPSTREAM_URL ?= https://xenbits.xen.org/git-http/seabios.git SEABIOS_UPSTREAM_REVISION ?= rel-1.16.2 @@ -233,7 +233,7 @@ ETHERBOOT_NICS ?= rtl8139 8086100e QEMU_TRADITIONAL_URL ?= https://xenbits.xen.org/git-http/qemu-xen-traditional.git -QEMU_TRADITIONAL_REVISION ?= xen-4.18.0 +QEMU_TRADITIONAL_REVISION ?= xen-4.18.1 # Specify which qemu-dm to use. This may be `ioemu' to use the old # Mercurial in-tree version, or a local directory, or a git URL. diff --git a/xen/Makefile b/xen/Makefile index fdf9fd3f22..0ec1e6555f 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST)) # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 18 -export XEN_EXTRAVERSION ?= .1-pre$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .1$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:33:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:33:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695287.1084923 (Exim 4.92) (envelope-from ) id 1rmWmG-0004N5-TD; Tue, 19 Mar 2024 10:33:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695287.1084923; Tue, 19 Mar 2024 10:33:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmG-0004My-Qo; Tue, 19 Mar 2024 10:33:04 +0000 Received: by outflank-mailman (input) for mailman id 695287; Tue, 19 Mar 2024 10:33:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmG-0004Ms-91 for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmG-00016e-6i for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWmG-0002lV-3Z for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RRF/NXyqxRwvFMcj+gLezcprZkwx9lPXimMsT/+Fdgc=; b=okfh8EpOCusjXKok7FqCRqJo9x YEyPEVXZ+xXTi5fjCUNJoU/2+Dwtv366zPJ0sysJEFYKkJ1DuGXcWSOHT1zo0tVEtQhpriSoWV8Rz ejIrr2DXqft34cg4LaOB4FBhG5HSWG24hNNSNVY2w4y5pN8NtK4dpTJRse9wRIgIaqE4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] IOMMU: store name for extra reserved device memory Message-Id: Date: Tue, 19 Mar 2024 10:33:04 +0000 commit a97de92e76a62e786cb8a3b5cd75f9df5c96e8e6 Author: Marek Marczykowski-Górecki AuthorDate: Tue Mar 19 11:23:06 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:23:06 2024 +0100 IOMMU: store name for extra reserved device memory It will be useful for error reporting in a subsequent patch. Signed-off-by: Marek Marczykowski-Górecki Acked-by: Jan Beulich --- xen/drivers/char/xhci-dbc.c | 3 ++- xen/drivers/passthrough/iommu.c | 5 ++++- xen/include/xen/iommu.h | 3 ++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/xen/drivers/char/xhci-dbc.c b/xen/drivers/char/xhci-dbc.c index 3bf389be7d..8e2037f1a5 100644 --- a/xen/drivers/char/xhci-dbc.c +++ b/xen/drivers/char/xhci-dbc.c @@ -1421,7 +1421,8 @@ void __init xhci_dbc_uart_init(void) iommu_add_extra_reserved_device_memory( PFN_DOWN(virt_to_maddr(&dbc_dma_bufs)), PFN_UP(sizeof(dbc_dma_bufs)), - uart->dbc.sbdf); + uart->dbc.sbdf, + "XHCI console"); serial_register_uart(SERHND_XHCI, &dbc_uart_driver, &dbc_uart); } } diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c index 996c31be12..03587c0cd6 100644 --- a/xen/drivers/passthrough/iommu.c +++ b/xen/drivers/passthrough/iommu.c @@ -682,6 +682,7 @@ struct extra_reserved_range { unsigned long start; unsigned long nr; pci_sbdf_t sbdf; + const char *name; }; static unsigned int __initdata nr_extra_reserved_ranges; static struct extra_reserved_range __initdata @@ -689,7 +690,8 @@ static struct extra_reserved_range __initdata int __init iommu_add_extra_reserved_device_memory(unsigned long start, unsigned long nr, - pci_sbdf_t sbdf) + pci_sbdf_t sbdf, + const char *name) { unsigned int idx; @@ -700,6 +702,7 @@ int __init iommu_add_extra_reserved_device_memory(unsigned long start, extra_reserved_ranges[idx].start = start; extra_reserved_ranges[idx].nr = nr; extra_reserved_ranges[idx].sbdf = sbdf; + extra_reserved_ranges[idx].name = name; return 0; } diff --git a/xen/include/xen/iommu.h b/xen/include/xen/iommu.h index ef57f31417..a9c9457c07 100644 --- a/xen/include/xen/iommu.h +++ b/xen/include/xen/iommu.h @@ -326,7 +326,8 @@ struct iommu_ops { */ extern int iommu_add_extra_reserved_device_memory(unsigned long start, unsigned long nr, - pci_sbdf_t sbdf); + pci_sbdf_t sbdf, + const char *name); /* * To be called by specific IOMMU driver during initialization, * to fetch ranges registered with iommu_add_extra_reserved_device_memory(). -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:33:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:33:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695288.1084927 (Exim 4.92) (envelope-from ) id 1rmWmQ-0004QM-Uu; Tue, 19 Mar 2024 10:33:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695288.1084927; Tue, 19 Mar 2024 10:33:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmQ-0004QE-SF; Tue, 19 Mar 2024 10:33:14 +0000 Received: by outflank-mailman (input) for mailman id 695288; Tue, 19 Mar 2024 10:33:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmQ-0004Q8-Cx for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmQ-00016j-C3 for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWmQ-0002ly-9J for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=stFWBpZYAwjhgp1KVUJLkDeC4Z/FXiW5PFimEW8s0mQ=; b=4sWCr46FV81YV0ukmahaIO07uY c4RvA/KQjaE3OCg09rSUxkZhBugcCbGe4423hFRMNtXSCsLPC2nRJqJPnXLqoasT3qZqj3iZd2c+D Rz9LHV61VKyOUOQ0iPsBdRWNxK1nHdT1hP5z5ccyfrZBU8Ng6uZjdSP0slQzm5aydgb4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/spinlock: introduce new type for recursive spinlocks Message-Id: Date: Tue, 19 Mar 2024 10:33:14 +0000 commit 475080b6b2010d1c7671896c9caad4d360c4df9b Author: Juergen Gross AuthorDate: Tue Mar 19 11:23:53 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:23:53 2024 +0100 xen/spinlock: introduce new type for recursive spinlocks Introduce a new type "rspinlock_t" to be used for recursive spinlocks. For now it is only an alias of spinlock_t, so both types can still be used for recursive spinlocks. This will be changed later, though. Switch all recursive spinlocks to the new type. Define the initializer helpers and use them where appropriate. Signed-off-by: Juergen Gross Acked-by: Julien Grall Acked-by: Jan Beulich --- xen/arch/x86/include/asm/mm.h | 2 +- xen/arch/x86/mm/mm-locks.h | 2 +- xen/common/domain.c | 4 ++-- xen/common/ioreq.c | 2 +- xen/drivers/char/console.c | 4 ++-- xen/drivers/passthrough/pci.c | 2 +- xen/include/xen/sched.h | 6 +++--- xen/include/xen/spinlock.h | 19 +++++++++++++++---- 8 files changed, 26 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h index 65d209d5ff..98b66edaca 100644 --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -597,7 +597,7 @@ unsigned long domain_get_maximum_gpfn(struct domain *d); /* Definition of an mm lock: spinlock with extra fields for debugging */ typedef struct mm_lock { - spinlock_t lock; + rspinlock_t lock; int unlock_level; int locker; /* processor which holds the lock */ const char *locker_function; /* func that took it */ diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index b098bbfae8..62ec897295 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -20,7 +20,7 @@ DECLARE_PERCPU_RWLOCK_GLOBAL(p2m_percpu_rwlock); static inline void mm_lock_init(mm_lock_t *l) { - spin_lock_init(&l->lock); + rspin_lock_init(&l->lock); l->locker = -1; l->locker_function = "nobody"; l->unlock_level = 0; diff --git a/xen/common/domain.c b/xen/common/domain.c index 1f0d23a1e0..9b42eee44a 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -631,8 +631,8 @@ struct domain *domain_create(domid_t domid, atomic_set(&d->refcnt, 1); RCU_READ_LOCK_INIT(&d->rcu_lock); - spin_lock_init_prof(d, domain_lock); - spin_lock_init_prof(d, page_alloc_lock); + rspin_lock_init_prof(d, domain_lock); + rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c index 62b907f4c4..652c18a9b5 100644 --- a/xen/common/ioreq.c +++ b/xen/common/ioreq.c @@ -1331,7 +1331,7 @@ unsigned int ioreq_broadcast(ioreq_t *p, bool buffered) void ioreq_domain_init(struct domain *d) { - spin_lock_init(&d->ioreq_server.lock); + rspin_lock_init(&d->ioreq_server.lock); arch_ioreq_domain_init(d); } diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c index d2cb0530b2..6a88a0b32c 100644 --- a/xen/drivers/char/console.c +++ b/xen/drivers/char/console.c @@ -119,7 +119,7 @@ static int __read_mostly sercon_handle = -1; int8_t __read_mostly opt_console_xen; /* console=xen */ #endif -static DEFINE_SPINLOCK(console_lock); +static DEFINE_RSPINLOCK(console_lock); /* * To control the amount of printing, thresholds are added. @@ -1177,7 +1177,7 @@ void console_force_unlock(void) { watchdog_disable(); spin_debug_disable(); - spin_lock_init(&console_lock); + rspin_lock_init(&console_lock); serial_force_unlock(sercon_handle); console_locks_busted = 1; console_start_sync(); diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 6a1eda675d..b6b2196ab0 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -50,7 +50,7 @@ struct pci_seg { } bus2bridge[MAX_BUSES]; }; -static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; +static DEFINE_RSPINLOCK(_pcidevs_lock); /* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ void pcidevs_lock_unsafe(void) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 7c6be0931a..36c6925640 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -376,9 +376,9 @@ struct domain rcu_read_lock_t rcu_lock; - spinlock_t domain_lock; + rspinlock_t domain_lock; - spinlock_t page_alloc_lock; /* protects all the following fields */ + rspinlock_t page_alloc_lock; /* protects all the following fields */ struct page_list_head page_list; /* linked list */ struct page_list_head extra_page_list; /* linked list (size extra_pages) */ struct page_list_head xenpage_list; /* linked list (size xenheap_pages) */ @@ -622,7 +622,7 @@ struct domain #ifdef CONFIG_IOREQ_SERVER /* Lock protects all other values in the sub-struct */ struct { - spinlock_t lock; + rspinlock_t lock; struct ioreq_server *server[MAX_NR_IOREQ_SERVERS]; } ioreq_server; #endif diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 8a443efc19..bbf12b93c4 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -46,7 +46,7 @@ union lock_debug { }; lock profiling on: Global locks which should be subject to profiling must be declared via - DEFINE_SPINLOCK. + DEFINE_[R]SPINLOCK. For locks in structures further measures are necessary: - the structure definition must include a profile_head with exactly this @@ -57,7 +57,7 @@ union lock_debug { }; - the single locks which are subject to profiling have to be initialized via - spin_lock_init_prof(ptr, lock); + [r]spin_lock_init_prof(ptr, lock); with ptr being the main structure pointer and lock the spinlock field @@ -110,12 +110,16 @@ struct lock_profile_qhead { spinlock_t l = SPIN_LOCK_UNLOCKED_(NULL); \ static struct lock_profile lock_profile_data__##l = LOCK_PROFILE_(l); \ LOCK_PROFILE_PTR_(l) +#define DEFINE_RSPINLOCK(l) \ + rspinlock_t l = SPIN_LOCK_UNLOCKED_(NULL); \ + static struct lock_profile lock_profile_data__##l = LOCK_PROFILE_(l); \ + LOCK_PROFILE_PTR_(l) -#define spin_lock_init_prof(s, l) \ +#define spin_lock_init_prof__(s, l, locktype) \ do { \ struct lock_profile *prof; \ prof = xzalloc(struct lock_profile); \ - (s)->l = (spinlock_t)SPIN_LOCK_UNLOCKED_(prof); \ + (s)->l = (locktype)SPIN_LOCK_UNLOCKED_(prof); \ if ( !prof ) \ { \ printk(XENLOG_WARNING \ @@ -129,6 +133,9 @@ struct lock_profile_qhead { (s)->profile_head.elem_q = prof; \ } while( 0 ) +#define spin_lock_init_prof(s, l) spin_lock_init_prof__(s, l, spinlock_t) +#define rspin_lock_init_prof(s, l) spin_lock_init_prof__(s, l, rspinlock_t) + void _lock_profile_register_struct( int32_t type, struct lock_profile_qhead *qhead, int32_t idx); void _lock_profile_deregister_struct(int32_t type, @@ -152,8 +159,10 @@ struct lock_profile_qhead { }; .debug = LOCK_DEBUG_, \ } #define DEFINE_SPINLOCK(l) spinlock_t l = SPIN_LOCK_UNLOCKED +#define DEFINE_RSPINLOCK(l) rspinlock_t l = SPIN_LOCK_UNLOCKED #define spin_lock_init_prof(s, l) spin_lock_init(&((s)->l)) +#define rspin_lock_init_prof(s, l) rspin_lock_init(&((s)->l)) #define lock_profile_register_struct(type, ptr, idx) #define lock_profile_deregister_struct(type, ptr) #define spinlock_profile_printall(key) @@ -183,8 +192,10 @@ typedef struct spinlock { #endif } spinlock_t; +typedef spinlock_t rspinlock_t; #define spin_lock_init(l) (*(l) = (spinlock_t)SPIN_LOCK_UNLOCKED) +#define rspin_lock_init(l) (*(l) = (rspinlock_t)SPIN_LOCK_UNLOCKED) void _spin_lock(spinlock_t *lock); void _spin_lock_cb(spinlock_t *lock, void (*cb)(void *data), void *data); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:33:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:33:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695289.1084931 (Exim 4.92) (envelope-from ) id 1rmWmb-0004Sh-0J; Tue, 19 Mar 2024 10:33:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695289.1084931; Tue, 19 Mar 2024 10:33:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWma-0004SZ-Tg; Tue, 19 Mar 2024 10:33:24 +0000 Received: by outflank-mailman (input) for mailman id 695289; Tue, 19 Mar 2024 10:33:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWma-0004SQ-GX for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWma-00016w-Fq for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWma-0002mU-F0 for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=XY4NeM/xCRrs9cztF+veg5ktf/udqMDjzXNi1zcP568=; b=R40jhQDrK+EmiDKephT8nODYXK 5J2Dm4hp7Sr9RAGaj7Y74CW+iTVFA5Ie9YMn2/XDeGjWLXoYXCkYPBzksqoxjuI3eDX8R8G/LoC9i tFpy7MCgeLexq1w3273gtNGMchaO+Uf4OvMG5g1MSiorntfrJM0zD3oHQ4cEjJ/yPDc8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/spinlock: rename recursive lock functions Message-Id: Date: Tue, 19 Mar 2024 10:33:24 +0000 commit c9aca2a1f6aef647d1bb71b9a465120336596085 Author: Juergen Gross AuthorDate: Tue Mar 19 11:25:07 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:25:07 2024 +0100 xen/spinlock: rename recursive lock functions Rename the recursive spin_lock() functions by replacing the trailing "_recursive" with a leading "r". Switch the parameter to be a pointer to rspinlock_t. Suggested-by: Jan Beulich Signed-off-by: Juergen Gross Acked-by: Julien Grall Acked-by: Jan Beulich --- xen/arch/arm/domain.c | 4 ++-- xen/arch/x86/domain.c | 8 +++---- xen/arch/x86/mm/mem_sharing.c | 8 +++---- xen/arch/x86/mm/mm-locks.h | 4 ++-- xen/common/ioreq.c | 52 +++++++++++++++++++++---------------------- xen/common/page_alloc.c | 12 +++++----- xen/common/spinlock.c | 12 +++++----- xen/drivers/char/console.c | 12 +++++----- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xen/sched.h | 4 ++-- xen/include/xen/spinlock.h | 18 +++++++-------- 11 files changed, 68 insertions(+), 70 deletions(-) diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index 5e7a7f3e7e..f38cb5e04c 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -987,7 +987,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) int ret = 0; /* Use a recursive lock, as we may enter 'free_domheap_page'. */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); page_list_for_each_safe( page, tmp, list ) { @@ -1014,7 +1014,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) } out: - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); return ret; } diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c index bda853e3c9..a11c55f921 100644 --- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -1323,7 +1323,7 @@ int arch_set_info_guest( { bool done = false; - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); for ( i = 0; ; ) { @@ -1344,7 +1344,7 @@ int arch_set_info_guest( break; } - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); if ( !done ) return -ERESTART; @@ -2183,7 +2183,7 @@ static int relinquish_memory( int ret = 0; /* Use a recursive lock, as we may enter 'free_domheap_page'. */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); while ( (page = page_list_remove_head(list)) ) { @@ -2324,7 +2324,7 @@ static int relinquish_memory( page_list_move(list, &d->arch.relmem_list); out: - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); return ret; } diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c index fe299a2bf9..f58576c702 100644 --- a/xen/arch/x86/mm/mem_sharing.c +++ b/xen/arch/x86/mm/mem_sharing.c @@ -682,7 +682,7 @@ static int page_make_sharable(struct domain *d, int rc = 0; bool drop_dom_ref = false; - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); if ( d->is_dying ) { @@ -725,7 +725,7 @@ static int page_make_sharable(struct domain *d, } out: - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); if ( drop_dom_ref ) put_domain(d); @@ -1936,7 +1936,7 @@ int mem_sharing_fork_reset(struct domain *d, bool reset_state, goto state; /* need recursive lock because we will free pages */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); page_list_for_each_safe(page, tmp, &d->page_list) { shr_handle_t sh; @@ -1965,7 +1965,7 @@ int mem_sharing_fork_reset(struct domain *d, bool reset_state, put_page_alloc_ref(page); put_page_and_type(page); } - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); state: if ( reset_state ) diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 62ec897295..a695a28324 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -79,7 +79,7 @@ static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); - spin_lock_recursive(&l->lock); + rspin_lock(&l->lock); if ( l->lock.recurse_cnt == 1 ) { l->locker_function = func; @@ -202,7 +202,7 @@ static inline void mm_unlock(mm_lock_t *l) l->locker_function = "nobody"; _set_lock_level(l->unlock_level); } - spin_unlock_recursive(&l->lock); + rspin_unlock(&l->lock); } static inline void mm_enforce_order_unlock(int unlock_level, diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c index 652c18a9b5..1257a3d972 100644 --- a/xen/common/ioreq.c +++ b/xen/common/ioreq.c @@ -329,7 +329,7 @@ bool is_ioreq_server_page(struct domain *d, const struct page_info *page) unsigned int id; bool found = false; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); FOR_EACH_IOREQ_SERVER(d, id, s) { @@ -340,7 +340,7 @@ bool is_ioreq_server_page(struct domain *d, const struct page_info *page) } } - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return found; } @@ -658,7 +658,7 @@ static int ioreq_server_create(struct domain *d, int bufioreq_handling, return -ENOMEM; domain_pause(d); - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); for ( i = 0; i < MAX_NR_IOREQ_SERVERS; i++ ) { @@ -686,13 +686,13 @@ static int ioreq_server_create(struct domain *d, int bufioreq_handling, if ( id ) *id = i; - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); domain_unpause(d); return 0; fail: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); domain_unpause(d); xfree(s); @@ -704,7 +704,7 @@ static int ioreq_server_destroy(struct domain *d, ioservid_t id) struct ioreq_server *s; int rc; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -736,7 +736,7 @@ static int ioreq_server_destroy(struct domain *d, ioservid_t id) rc = 0; out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -749,7 +749,7 @@ static int ioreq_server_get_info(struct domain *d, ioservid_t id, struct ioreq_server *s; int rc; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -783,7 +783,7 @@ static int ioreq_server_get_info(struct domain *d, ioservid_t id, rc = 0; out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -796,7 +796,7 @@ int ioreq_server_get_frame(struct domain *d, ioservid_t id, ASSERT(is_hvm_domain(d)); - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -834,7 +834,7 @@ int ioreq_server_get_frame(struct domain *d, ioservid_t id, } out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -850,7 +850,7 @@ static int ioreq_server_map_io_range(struct domain *d, ioservid_t id, if ( start > end ) return -EINVAL; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -886,7 +886,7 @@ static int ioreq_server_map_io_range(struct domain *d, ioservid_t id, rc = rangeset_add_range(r, start, end); out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -902,7 +902,7 @@ static int ioreq_server_unmap_io_range(struct domain *d, ioservid_t id, if ( start > end ) return -EINVAL; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -938,7 +938,7 @@ static int ioreq_server_unmap_io_range(struct domain *d, ioservid_t id, rc = rangeset_remove_range(r, start, end); out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -963,7 +963,7 @@ int ioreq_server_map_mem_type(struct domain *d, ioservid_t id, if ( flags & ~XEN_DMOP_IOREQ_MEM_ACCESS_WRITE ) return -EINVAL; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -978,7 +978,7 @@ int ioreq_server_map_mem_type(struct domain *d, ioservid_t id, rc = arch_ioreq_server_map_mem_type(d, s, flags); out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); if ( rc == 0 ) arch_ioreq_server_map_mem_type_completed(d, s, flags); @@ -992,7 +992,7 @@ static int ioreq_server_set_state(struct domain *d, ioservid_t id, struct ioreq_server *s; int rc; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -1016,7 +1016,7 @@ static int ioreq_server_set_state(struct domain *d, ioservid_t id, rc = 0; out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -1026,7 +1026,7 @@ int ioreq_server_add_vcpu_all(struct domain *d, struct vcpu *v) unsigned int id; int rc; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); FOR_EACH_IOREQ_SERVER(d, id, s) { @@ -1035,7 +1035,7 @@ int ioreq_server_add_vcpu_all(struct domain *d, struct vcpu *v) goto fail; } - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return 0; @@ -1050,7 +1050,7 @@ int ioreq_server_add_vcpu_all(struct domain *d, struct vcpu *v) ioreq_server_remove_vcpu(s, v); } - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -1060,12 +1060,12 @@ void ioreq_server_remove_vcpu_all(struct domain *d, struct vcpu *v) struct ioreq_server *s; unsigned int id; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); FOR_EACH_IOREQ_SERVER(d, id, s) ioreq_server_remove_vcpu(s, v); - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); } void ioreq_server_destroy_all(struct domain *d) @@ -1076,7 +1076,7 @@ void ioreq_server_destroy_all(struct domain *d) if ( !arch_ioreq_server_destroy_all(d) ) return; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); /* No need to domain_pause() as the domain is being torn down */ @@ -1094,7 +1094,7 @@ void ioreq_server_destroy_all(struct domain *d) xfree(s); } - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); } struct ioreq_server *ioreq_server_select(struct domain *d, diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 2ec17df9b4..b4e0ef3a4c 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -2500,7 +2500,7 @@ void free_domheap_pages(struct page_info *pg, unsigned int order) if ( unlikely(is_xen_heap_page(pg)) ) { /* NB. May recursively lock from relinquish_memory(). */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); for ( i = 0; i < (1 << order); i++ ) arch_free_heap_page(d, &pg[i]); @@ -2508,7 +2508,7 @@ void free_domheap_pages(struct page_info *pg, unsigned int order) d->xenheap_pages -= 1 << order; drop_dom_ref = (d->xenheap_pages == 0); - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); } else { @@ -2517,7 +2517,7 @@ void free_domheap_pages(struct page_info *pg, unsigned int order) if ( likely(d) && likely(d != dom_cow) ) { /* NB. May recursively lock from relinquish_memory(). */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); for ( i = 0; i < (1 << order); i++ ) { @@ -2540,7 +2540,7 @@ void free_domheap_pages(struct page_info *pg, unsigned int order) drop_dom_ref = !domain_adjust_tot_pages(d, -(1 << order)); - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); /* * Normally we expect a domain to clear pages before freeing them, @@ -2756,7 +2756,7 @@ void free_domstatic_page(struct page_info *page) ASSERT_ALLOC_CONTEXT(); /* NB. May recursively lock from relinquish_memory(). */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); arch_free_heap_page(d, page); @@ -2767,7 +2767,7 @@ void free_domstatic_page(struct page_info *page) /* Add page on the resv_page_list *after* it has been freed. */ page_list_add_tail(page, &d->resv_page_list); - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); if ( drop_dom_ref ) put_domain(d); diff --git a/xen/common/spinlock.c b/xen/common/spinlock.c index 09028af864..11e13e1259 100644 --- a/xen/common/spinlock.c +++ b/xen/common/spinlock.c @@ -436,7 +436,7 @@ void _spin_barrier(spinlock_t *lock) smp_mb(); } -int _spin_trylock_recursive(spinlock_t *lock) +bool _rspin_trylock(rspinlock_t *lock) { unsigned int cpu = smp_processor_id(); @@ -448,8 +448,8 @@ int _spin_trylock_recursive(spinlock_t *lock) if ( likely(lock->recurse_cpu != cpu) ) { - if ( !spin_trylock(lock) ) - return 0; + if ( !_spin_trylock(lock) ) + return false; lock->recurse_cpu = cpu; } @@ -457,10 +457,10 @@ int _spin_trylock_recursive(spinlock_t *lock) ASSERT(lock->recurse_cnt < SPINLOCK_MAX_RECURSE); lock->recurse_cnt++; - return 1; + return true; } -void _spin_lock_recursive(spinlock_t *lock) +void _rspin_lock(rspinlock_t *lock) { unsigned int cpu = smp_processor_id(); @@ -475,7 +475,7 @@ void _spin_lock_recursive(spinlock_t *lock) lock->recurse_cnt++; } -void _spin_unlock_recursive(spinlock_t *lock) +void _rspin_unlock(rspinlock_t *lock) { if ( likely(--lock->recurse_cnt == 0) ) { diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c index 6a88a0b32c..eca17b55b4 100644 --- a/xen/drivers/char/console.c +++ b/xen/drivers/char/console.c @@ -919,7 +919,7 @@ static void vprintk_common(const char *prefix, const char *fmt, va_list args) /* console_lock can be acquired recursively from __printk_ratelimit(). */ local_irq_save(flags); - spin_lock_recursive(&console_lock); + rspin_lock(&console_lock); state = &this_cpu(state); (void)vsnprintf(buf, sizeof(buf), fmt, args); @@ -955,7 +955,7 @@ static void vprintk_common(const char *prefix, const char *fmt, va_list args) state->continued = 1; } - spin_unlock_recursive(&console_lock); + rspin_unlock(&console_lock); local_irq_restore(flags); } @@ -1162,14 +1162,14 @@ unsigned long console_lock_recursive_irqsave(void) unsigned long flags; local_irq_save(flags); - spin_lock_recursive(&console_lock); + rspin_lock(&console_lock); return flags; } void console_unlock_recursive_irqrestore(unsigned long flags) { - spin_unlock_recursive(&console_lock); + rspin_unlock(&console_lock); local_irq_restore(flags); } @@ -1230,12 +1230,12 @@ int __printk_ratelimit(int ratelimit_ms, int ratelimit_burst) char lost_str[8]; snprintf(lost_str, sizeof(lost_str), "%d", lost); /* console_lock may already be acquired by printk(). */ - spin_lock_recursive(&console_lock); + rspin_lock(&console_lock); printk_start_of_line("(XEN) "); __putstr("printk: "); __putstr(lost_str); __putstr(" messages suppressed.\n"); - spin_unlock_recursive(&console_lock); + rspin_unlock(&console_lock); } local_irq_restore(flags); return 1; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index b6b2196ab0..4fcc7e2cde 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -55,12 +55,12 @@ static DEFINE_RSPINLOCK(_pcidevs_lock); /* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ void pcidevs_lock_unsafe(void) { - _spin_lock_recursive(&_pcidevs_lock); + _rspin_lock(&_pcidevs_lock); } void pcidevs_unlock(void) { - spin_unlock_recursive(&_pcidevs_lock); + rspin_unlock(&_pcidevs_lock); } bool pcidevs_locked(void) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 36c6925640..132b841995 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -358,8 +358,8 @@ struct sched_unit { (v) = (v)->next_in_list ) /* Per-domain lock can be recursively acquired in fault handlers. */ -#define domain_lock(d) spin_lock_recursive(&(d)->domain_lock) -#define domain_unlock(d) spin_unlock_recursive(&(d)->domain_lock) +#define domain_lock(d) rspin_lock(&(d)->domain_lock) +#define domain_unlock(d) rspin_unlock(&(d)->domain_lock) struct evtchn_port_ops; diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index bbf12b93c4..50f6580f52 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -210,10 +210,6 @@ int _spin_is_locked(const spinlock_t *lock); int _spin_trylock(spinlock_t *lock); void _spin_barrier(spinlock_t *lock); -int _spin_trylock_recursive(spinlock_t *lock); -void _spin_lock_recursive(spinlock_t *lock); -void _spin_unlock_recursive(spinlock_t *lock); - static always_inline void spin_lock(spinlock_t *l) { _spin_lock(l); @@ -268,21 +264,23 @@ static always_inline void spin_lock_if(bool condition, spinlock_t *l) #define spin_barrier(l) _spin_barrier(l) /* - * spin_[un]lock_recursive(): Use these forms when the lock can (safely!) be + * rspin_[un]lock(): Use these forms when the lock can (safely!) be * reentered recursively on the same CPU. All critical regions that may form * part of a recursively-nested set must be protected by these forms. If there * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) \ - lock_evaluate_nospec(_spin_trylock_recursive(l)) +bool _rspin_trylock(rspinlock_t *lock); +void _rspin_lock(rspinlock_t *lock); +void _rspin_unlock(rspinlock_t *lock); -static always_inline void spin_lock_recursive(spinlock_t *l) +static always_inline void rspin_lock(rspinlock_t *lock) { - _spin_lock_recursive(l); + _rspin_lock(lock); block_lock_speculation(); } -#define spin_unlock_recursive(l) _spin_unlock_recursive(l) +#define rspin_trylock(l) lock_evaluate_nospec(_rspin_trylock(l)) +#define rspin_unlock(l) _rspin_unlock(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:33:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:33:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695290.1084935 (Exim 4.92) (envelope-from ) id 1rmWml-0004W3-3n; Tue, 19 Mar 2024 10:33:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695290.1084935; Tue, 19 Mar 2024 10:33:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWml-0004Vv-0q; Tue, 19 Mar 2024 10:33:35 +0000 Received: by outflank-mailman (input) for mailman id 695290; Tue, 19 Mar 2024 10:33:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmk-0004Vn-Jo for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmk-000176-J1 for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWmk-0002mv-I1 for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0fJ8eLv/QJIebBNNEN3UHl7jFl7GZf4zqocY47epbos=; b=l2H4fWDCd3en2UORbb9xoUH+zr joug0fgr9bju5w6l2NzLFT1gdYDSJc9TSurMUugEZAq0KRmW0yE3a84pjOF/zhKWKuJuQm841X25h C3jI67RYY3fIXwYF8DPHk4mnT7GoRylLwfqUmVC5NoPoGjcLNm8cQa4NdiSaLVYrwFnM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/spinlock: add rspin_[un]lock_irq[save|restore]() Message-Id: Date: Tue, 19 Mar 2024 10:33:34 +0000 commit cc3e8df542ed1edc275a8cedd1e9de43d971eb09 Author: Juergen Gross AuthorDate: Tue Mar 19 11:25:59 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:25:59 2024 +0100 xen/spinlock: add rspin_[un]lock_irq[save|restore]() Instead of special casing rspin_lock_irqsave() and rspin_unlock_irqrestore() for the console lock, add those functions to spinlock handling and use them where needed. Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich --- xen/common/spinlock.c | 16 ++++++++++++++++ xen/drivers/char/console.c | 6 ++---- xen/include/xen/spinlock.h | 9 +++++++++ 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/xen/common/spinlock.c b/xen/common/spinlock.c index 11e13e1259..0e628b3513 100644 --- a/xen/common/spinlock.c +++ b/xen/common/spinlock.c @@ -475,6 +475,16 @@ void _rspin_lock(rspinlock_t *lock) lock->recurse_cnt++; } +unsigned long _rspin_lock_irqsave(rspinlock_t *lock) +{ + unsigned long flags; + + local_irq_save(flags); + _rspin_lock(lock); + + return flags; +} + void _rspin_unlock(rspinlock_t *lock) { if ( likely(--lock->recurse_cnt == 0) ) @@ -484,6 +494,12 @@ void _rspin_unlock(rspinlock_t *lock) } } +void _rspin_unlock_irqrestore(rspinlock_t *lock, unsigned long flags) +{ + _rspin_unlock(lock); + local_irq_restore(flags); +} + #ifdef CONFIG_DEBUG_LOCK_PROFILE struct lock_profile_anc { diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c index eca17b55b4..ccd5f8cc14 100644 --- a/xen/drivers/char/console.c +++ b/xen/drivers/char/console.c @@ -1161,16 +1161,14 @@ unsigned long console_lock_recursive_irqsave(void) { unsigned long flags; - local_irq_save(flags); - rspin_lock(&console_lock); + rspin_lock_irqsave(&console_lock, flags); return flags; } void console_unlock_recursive_irqrestore(unsigned long flags) { - rspin_unlock(&console_lock); - local_irq_restore(flags); + rspin_unlock_irqrestore(&console_lock, flags); } void console_force_unlock(void) diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 50f6580f52..89af52b822 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -272,7 +272,15 @@ static always_inline void spin_lock_if(bool condition, spinlock_t *l) */ bool _rspin_trylock(rspinlock_t *lock); void _rspin_lock(rspinlock_t *lock); +#define rspin_lock_irqsave(l, f) \ + ({ \ + BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ + (f) = _rspin_lock_irqsave(l); \ + block_lock_speculation(); \ + }) +unsigned long _rspin_lock_irqsave(rspinlock_t *lock); void _rspin_unlock(rspinlock_t *lock); +void _rspin_unlock_irqrestore(rspinlock_t *lock, unsigned long flags); static always_inline void rspin_lock(rspinlock_t *lock) { @@ -282,5 +290,6 @@ static always_inline void rspin_lock(rspinlock_t *lock) #define rspin_trylock(l) lock_evaluate_nospec(_rspin_trylock(l)) #define rspin_unlock(l) _rspin_unlock(l) +#define rspin_unlock_irqrestore(l, f) _rspin_unlock_irqrestore(l, f) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:33:46 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:33:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695291.1084939 (Exim 4.92) (envelope-from ) id 1rmWmw-0004Yh-4v; Tue, 19 Mar 2024 10:33:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695291.1084939; Tue, 19 Mar 2024 10:33:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmw-0004YZ-2I; Tue, 19 Mar 2024 10:33:46 +0000 Received: by outflank-mailman (input) for mailman id 695291; Tue, 19 Mar 2024 10:33:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmu-0004YO-QO for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWmu-00017F-Nh for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWmu-0002nM-LB for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=d+AEraolVRTKnkgQnqFdtHric5NQUt0QUBlQpKw+P7Q=; b=DBwpqlR4+tdgm4C16EeMDGJX8a 5Mopz4LpPoweLUPqmQzboSdQJD/VMPk0MJMSVDNe4eXwqCF0OV5Syjuw7jlUxsKgQFOY47o654zMJ QQ2QsahIB4ufPSknx6QoauIgY6Ys7IlGrO/175BZyqX7fwJkPNAwf3gkGUNjC47eLiZQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/spinlock: make struct lock_profile rspinlock_t aware Message-Id: Date: Tue, 19 Mar 2024 10:33:44 +0000 commit b053075d1a7b99dc65c42753016d5a3f852b825d Author: Juergen Gross AuthorDate: Tue Mar 19 11:26:34 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:26:34 2024 +0100 xen/spinlock: make struct lock_profile rspinlock_t aware Struct lock_profile contains a pointer to the spinlock it is associated with. Prepare support of differing spinlock_t and rspinlock_t types by adding a type indicator of the pointer. Use the highest bit of the block_cnt member for this indicator in order to not grow the struct while hurting only the slow path with slightly less performant code. Note that this requires a cast when printing the value in order to be format compliant. Signed-off-by: Juergen Gross Acked-by: Alejandro Vallejo Acked-by: Julien Grall --- xen/common/spinlock.c | 28 ++++++++++++++++++++-------- xen/include/xen/spinlock.h | 14 ++++++++++---- 2 files changed, 30 insertions(+), 12 deletions(-) diff --git a/xen/common/spinlock.c b/xen/common/spinlock.c index 0e628b3513..874ed762b4 100644 --- a/xen/common/spinlock.c +++ b/xen/common/spinlock.c @@ -538,19 +538,31 @@ static void spinlock_profile_iterate(lock_profile_subfunc *sub, void *par) static void cf_check spinlock_profile_print_elem(struct lock_profile *data, int32_t type, int32_t idx, void *par) { - struct spinlock *lock = data->lock; + unsigned int cpu; + unsigned int lockval; + + if ( data->is_rlock ) + { + cpu = data->ptr.rlock->debug.cpu; + lockval = data->ptr.rlock->tickets.head_tail; + } + else + { + cpu = data->ptr.lock->debug.cpu; + lockval = data->ptr.lock->tickets.head_tail; + } printk("%s ", lock_profile_ancs[type].name); if ( type != LOCKPROF_TYPE_GLOBAL ) printk("%d ", idx); - printk("%s: addr=%p, lockval=%08x, ", data->name, lock, - lock->tickets.head_tail); - if ( lock->debug.cpu == SPINLOCK_NO_CPU ) + printk("%s: addr=%p, lockval=%08x, ", data->name, data->ptr.lock, lockval); + if ( cpu == SPINLOCK_NO_CPU ) printk("not locked\n"); else - printk("cpu=%d\n", lock->debug.cpu); - printk(" lock:%" PRId64 "(%" PRI_stime "), block:%" PRId64 "(%" PRI_stime ")\n", - data->lock_cnt, data->time_hold, data->block_cnt, data->time_block); + printk("cpu=%u\n", cpu); + printk(" lock:%" PRIu64 "(%" PRI_stime "), block:%" PRIu64 "(%" PRI_stime ")\n", + data->lock_cnt, data->time_hold, (uint64_t)data->block_cnt, + data->time_block); } void cf_check spinlock_profile_printall(unsigned char key) @@ -680,7 +692,7 @@ static int __init cf_check lock_prof_init(void) { (*q)->next = lock_profile_glb_q.elem_q; lock_profile_glb_q.elem_q = *q; - (*q)->lock->profile = *q; + (*q)->ptr.lock->profile = *q; } _lock_profile_register_struct(LOCKPROF_TYPE_GLOBAL, diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 89af52b822..593cba640e 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -77,13 +77,19 @@ union lock_debug { }; */ struct spinlock; +/* Temporary hack until a dedicated struct rspinlock is existing. */ +#define rspinlock spinlock struct lock_profile { struct lock_profile *next; /* forward link */ const char *name; /* lock name */ - struct spinlock *lock; /* the lock itself */ + union { + struct spinlock *lock; /* the lock itself */ + struct rspinlock *rlock; /* the recursive lock itself */ + } ptr; uint64_t lock_cnt; /* # of complete locking ops */ - uint64_t block_cnt; /* # of complete wait for lock */ + uint64_t block_cnt:63; /* # of complete wait for lock */ + bool is_rlock:1; /* use rlock pointer */ s_time_t time_hold; /* cumulated lock time */ s_time_t time_block; /* cumulated wait time */ s_time_t time_locked; /* system time of last locking */ @@ -95,7 +101,7 @@ struct lock_profile_qhead { int32_t idx; /* index for printout */ }; -#define LOCK_PROFILE_(lockname) { .name = #lockname, .lock = &(lockname), } +#define LOCK_PROFILE_(lockname) { .name = #lockname, .ptr.lock = &(lockname), } #define LOCK_PROFILE_PTR_(name) \ static struct lock_profile * const lock_profile__##name \ __used_section(".lockprofile.data") = \ @@ -128,7 +134,7 @@ struct lock_profile_qhead { break; \ } \ prof->name = #l; \ - prof->lock = &(s)->l; \ + prof->ptr.lock = &(s)->l; \ prof->next = (s)->profile_head.elem_q; \ (s)->profile_head.elem_q = prof; \ } while( 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:33:56 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:33:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695292.1084943 (Exim 4.92) (envelope-from ) id 1rmWn6-0004bg-6n; Tue, 19 Mar 2024 10:33:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695292.1084943; Tue, 19 Mar 2024 10:33:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWn6-0004bY-3q; Tue, 19 Mar 2024 10:33:56 +0000 Received: by outflank-mailman (input) for mailman id 695292; Tue, 19 Mar 2024 10:33:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWn4-0004bN-RS for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWn4-00017M-Qb for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWn4-0002nl-Pn for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:33:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=38Ozy7p+h0Z14GlKXpdlRtaTvV7YVx2SmLW5n5w6TTM=; b=PgGKVg3/gITOV+/evhaACYdEWd +VCoXpzQ+O6ed4Ib7Qfh5U4qMze08grWbmq81fnJUV0c0B7sw6y5sqY22eMakbw9rKWfZfb0duMRL Jb+jmSUXwfzYzqw0zQVe3t1KjeWEz2C/4NjKigis8vqIpaI41KB/2C9ggMGFsI2gFGUM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] amd/iommu: clean up unused guest iommu related functions Message-Id: Date: Tue, 19 Mar 2024 10:33:54 +0000 commit a02174c6c8851913a81a5a0916357b6b2fa4258d Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:27:07 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:27:07 2024 +0100 amd/iommu: clean up unused guest iommu related functions Delete unused functions from 'iommu_guest.c'. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini Acked-by: Jan Beulich --- xen/drivers/passthrough/amd/iommu.h | 7 +- xen/drivers/passthrough/amd/iommu_cmd.c | 7 - xen/drivers/passthrough/amd/iommu_guest.c | 762 +----------------------------- 3 files changed, 2 insertions(+), 774 deletions(-) diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h index 1b62c083ba..65de88217c 100644 --- a/xen/drivers/passthrough/amd/iommu.h +++ b/xen/drivers/passthrough/amd/iommu.h @@ -346,12 +346,7 @@ void cf_check amd_iommu_crash_shutdown(void); /* guest iommu support */ #ifdef CONFIG_HVM -void amd_iommu_send_guest_cmd(struct amd_iommu *iommu, u32 cmd[]); -void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]); -void guest_iommu_add_event_log(struct domain *d, u32 entry[]); -int guest_iommu_init(struct domain* d); -void guest_iommu_destroy(struct domain *d); -int guest_iommu_set_base(struct domain *d, uint64_t base); +void guest_iommu_add_ppr_log(struct domain *d, uint32_t entry[]); #else static inline void guest_iommu_add_ppr_log(struct domain *d, uint32_t entry[]) {} #endif diff --git a/xen/drivers/passthrough/amd/iommu_cmd.c b/xen/drivers/passthrough/amd/iommu_cmd.c index 49b9fcac94..83c525b84f 100644 --- a/xen/drivers/passthrough/amd/iommu_cmd.c +++ b/xen/drivers/passthrough/amd/iommu_cmd.c @@ -389,10 +389,3 @@ void amd_iommu_flush_all_caches(struct amd_iommu *iommu) invalidate_iommu_all(iommu); flush_command_buffer(iommu, 0); } - -void amd_iommu_send_guest_cmd(struct amd_iommu *iommu, u32 cmd[]) -{ - send_iommu_command(iommu, cmd); - /* TBD: Timeout selection may require peeking into cmd[]. */ - flush_command_buffer(iommu, 0); -} diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c index 4c4252eea1..19bd2e5d8e 100644 --- a/xen/drivers/passthrough/amd/iommu_guest.c +++ b/xen/drivers/passthrough/amd/iommu_guest.c @@ -20,28 +20,7 @@ #include "iommu.h" -#define IOMMU_MMIO_SIZE 0x8000 -#define IOMMU_MMIO_PAGE_NR 0x8 -#define RING_BF_LENGTH_MASK 0x0F000000 -#define RING_BF_LENGTH_SHIFT 24 - -#define PASMAX_9_bit 0x8 -#define GUEST_CR3_1_LEVEL 0x0 -#define GUEST_ADDRESS_SIZE_6_LEVEL 0x2 -#define HOST_ADDRESS_SIZE_6_LEVEL 0x2 - #define reg_to_u64(reg) (((uint64_t)reg.hi << 32) | reg.lo ) -#define u64_to_reg(reg, val) \ - do \ - { \ - (reg)->lo = (u32)(val); \ - (reg)->hi = (val) >> 32; \ - } while (0) - -static unsigned int get_machine_bdf(struct domain *d, uint16_t guest_bdf) -{ - return guest_bdf; -} static uint16_t get_guest_bdf(struct domain *d, uint16_t machine_bdf) { @@ -53,62 +32,6 @@ static inline struct guest_iommu *domain_iommu(struct domain *d) return dom_iommu(d)->arch.amd.g_iommu; } -static inline struct guest_iommu *vcpu_iommu(struct vcpu *v) -{ - return dom_iommu(v->domain)->arch.amd.g_iommu; -} - -static void guest_iommu_enable(struct guest_iommu *iommu) -{ - iommu->enabled = 1; -} - -static void guest_iommu_disable(struct guest_iommu *iommu) -{ - iommu->enabled = 0; -} - -/* - * The Guest CR3 Table is a table written by the guest kernel, pointing at - * gCR3 values for PASID transactions to use. The Device Table Entry points - * at a system physical address. - * - * However, these helpers deliberately use untyped parameters without - * reference to gfn/mfn because they are used both for programming the real - * IOMMU, and interpreting a guests programming of its vIOMMU. - */ -static uint64_t dte_get_gcr3_table(const struct amd_iommu_dte *dte) -{ - return (((uint64_t)dte->gcr3_trp_51_31 << 31) | - (dte->gcr3_trp_30_15 << 15) | - (dte->gcr3_trp_14_12 << 12)); -} - -static void dte_set_gcr3_table(struct amd_iommu_dte *dte, uint16_t dom_id, - uint64_t addr, bool gv, uint8_t glx) -{ -#define GCR3_MASK(hi, lo) (((1UL << ((hi) + 1)) - 1) & ~((1UL << (lo)) - 1)) - - /* I bit must be set when gcr3 is enabled */ - dte->i = true; - - dte->gcr3_trp_14_12 = MASK_EXTR(addr, GCR3_MASK(14, 12)); - dte->gcr3_trp_30_15 = MASK_EXTR(addr, GCR3_MASK(30, 15)); - dte->gcr3_trp_51_31 = MASK_EXTR(addr, GCR3_MASK(51, 31)); - - dte->domain_id = dom_id; - dte->glx = glx; - dte->gv = gv; - -#undef GCR3_MASK -} - -static unsigned int host_domid(struct domain *d, uint64_t g_domid) -{ - /* Only support one PPR device in guest for now */ - return d->domain_id; -} - static unsigned long get_gfn_from_base_reg(uint64_t base_raw) { base_raw &= PADDR_MASK; @@ -146,24 +69,6 @@ static unsigned long guest_iommu_get_table_mfn(struct domain *d, return mfn; } -static void guest_iommu_enable_dev_table(struct guest_iommu *iommu) -{ - uint32_t length_raw = get_field_from_reg_u32(iommu->dev_table.reg_base.lo, - IOMMU_DEV_TABLE_SIZE_MASK, - IOMMU_DEV_TABLE_SIZE_SHIFT); - iommu->dev_table.size = (length_raw + 1) * PAGE_SIZE; -} - -static void guest_iommu_enable_ring_buffer(struct guest_iommu *iommu, - struct guest_buffer *buffer, - uint32_t entry_size) -{ - uint32_t length_raw = get_field_from_reg_u32(buffer->reg_base.hi, - RING_BF_LENGTH_MASK, - RING_BF_LENGTH_SHIFT); - buffer->size = entry_size << length_raw; -} - void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]) { uint16_t gdev_id; @@ -184,7 +89,7 @@ void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]) if ( tail >= iommu->ppr_log.size || head >= iommu->ppr_log.size ) { AMD_IOMMU_DEBUG("Error: guest iommu ppr log overflows\n"); - guest_iommu_disable(iommu); + iommu->enabled = 0; return; } @@ -213,668 +118,3 @@ void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]) guest_iommu_deliver_msi(d); } - -void guest_iommu_add_event_log(struct domain *d, u32 entry[]) -{ - uint16_t dev_id; - unsigned long mfn, tail, head; - event_entry_t *log; - struct guest_iommu *iommu; - - if ( !is_hvm_domain(d) ) - return; - - iommu = domain_iommu(d); - if ( !iommu ) - return; - - tail = iommu->event_log.reg_tail.lo; - head = iommu->event_log.reg_head.lo; - - if ( tail >= iommu->event_log.size || head >= iommu->event_log.size ) - { - AMD_IOMMU_DEBUG("Error: guest iommu event overflows\n"); - guest_iommu_disable(iommu); - return; - } - - mfn = guest_iommu_get_table_mfn(d, reg_to_u64(iommu->event_log.reg_base), - tail); - ASSERT(mfn_valid(_mfn(mfn))); - - log = map_domain_page(_mfn(mfn)) + (tail & ~PAGE_MASK); - - /* re-write physical device id into virtual device id */ - dev_id = get_guest_bdf(d, iommu_get_devid_from_cmd(entry[0])); - iommu_set_devid_to_cmd(&entry[0], dev_id); - memcpy(log, entry, sizeof(event_entry_t)); - - /* Now shift event log tail pointer */ - tail += sizeof(event_entry_t); - if ( tail >= iommu->event_log.size ) - { - tail = 0; - iommu->reg_status.lo |= IOMMU_STATUS_EVENT_LOG_OVERFLOW; - } - - iommu->event_log.reg_tail.lo = tail; - unmap_domain_page(log); - - guest_iommu_deliver_msi(d); -} - -static int do_complete_ppr_request(struct domain *d, cmd_entry_t *cmd) -{ - uint16_t dev_id; - struct amd_iommu *iommu; - - dev_id = get_machine_bdf(d, iommu_get_devid_from_cmd(cmd->data[0])); - iommu = find_iommu_for_device(0, dev_id); - - if ( !iommu ) - { - AMD_IOMMU_DEBUG("%s: Fail to find iommu for bdf %x\n", - __func__, dev_id); - return -ENODEV; - } - - /* replace virtual device id into physical */ - iommu_set_devid_to_cmd(&cmd->data[0], dev_id); - amd_iommu_send_guest_cmd(iommu, cmd->data); - - return 0; -} - -static int do_invalidate_pages(struct domain *d, cmd_entry_t *cmd) -{ - uint16_t gdom_id, hdom_id; - struct amd_iommu *iommu = NULL; - - gdom_id = get_field_from_reg_u32(cmd->data[1], - IOMMU_INV_IOMMU_PAGES_DOMAIN_ID_MASK, - IOMMU_INV_IOMMU_PAGES_DOMAIN_ID_SHIFT); - - hdom_id = host_domid(d, gdom_id); - set_field_in_reg_u32(hdom_id, cmd->data[1], - IOMMU_INV_IOMMU_PAGES_DOMAIN_ID_MASK, - IOMMU_INV_IOMMU_PAGES_DOMAIN_ID_SHIFT, &cmd->data[1]); - - for_each_amd_iommu ( iommu ) - amd_iommu_send_guest_cmd(iommu, cmd->data); - - return 0; -} - -static int do_invalidate_all(struct domain *d, cmd_entry_t *cmd) -{ - struct amd_iommu *iommu = NULL; - - for_each_amd_iommu ( iommu ) - amd_iommu_flush_all_pages(d); - - return 0; -} - -static int do_invalidate_iotlb_pages(struct domain *d, cmd_entry_t *cmd) -{ - struct amd_iommu *iommu; - uint16_t dev_id; - - dev_id = get_machine_bdf(d, iommu_get_devid_from_cmd(cmd->data[0])); - - iommu = find_iommu_for_device(0, dev_id); - if ( !iommu ) - { - AMD_IOMMU_DEBUG("%s: Fail to find iommu for bdf %x\n", - __func__, dev_id); - return -ENODEV; - } - - iommu_set_devid_to_cmd(&cmd->data[0], dev_id); - amd_iommu_send_guest_cmd(iommu, cmd->data); - - return 0; -} - -static int do_completion_wait(struct domain *d, cmd_entry_t *cmd) -{ - bool com_wait_int, i, s; - struct guest_iommu *iommu; - unsigned long gfn; - p2m_type_t p2mt; - - iommu = domain_iommu(d); - - i = cmd->data[0] & IOMMU_COMP_WAIT_I_FLAG_MASK; - s = cmd->data[0] & IOMMU_COMP_WAIT_S_FLAG_MASK; - - if ( i ) - iommu->reg_status.lo |= IOMMU_STATUS_COMP_WAIT_INT; - - if ( s ) - { - uint64_t gaddr_lo, gaddr_hi, gaddr_64, data; - void *vaddr; - - data = (uint64_t)cmd->data[3] << 32 | cmd->data[2]; - gaddr_lo = get_field_from_reg_u32(cmd->data[0], - IOMMU_COMP_WAIT_ADDR_LOW_MASK, - IOMMU_COMP_WAIT_ADDR_LOW_SHIFT); - gaddr_hi = get_field_from_reg_u32(cmd->data[1], - IOMMU_COMP_WAIT_ADDR_HIGH_MASK, - IOMMU_COMP_WAIT_ADDR_HIGH_SHIFT); - - gaddr_64 = (gaddr_hi << 32) | (gaddr_lo << 3); - - gfn = gaddr_64 >> PAGE_SHIFT; - vaddr = map_domain_page(get_gfn(d, gfn ,&p2mt)); - put_gfn(d, gfn); - - write_u64_atomic((uint64_t *)(vaddr + (gaddr_64 & (PAGE_SIZE-1))), - data); - unmap_domain_page(vaddr); - } - - com_wait_int = iommu->reg_status.lo & IOMMU_STATUS_COMP_WAIT_INT; - - if ( iommu->reg_ctrl.com_wait_int_en && com_wait_int ) - guest_iommu_deliver_msi(d); - - return 0; -} - -static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd) -{ - uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id, prev_domid; - struct amd_iommu_dte *gdte, *mdte, *dte_base; - struct amd_iommu *iommu = NULL; - struct guest_iommu *g_iommu; - uint64_t gcr3_gfn, gcr3_mfn; - uint8_t glx, gv; - unsigned long dte_mfn, flags; - p2m_type_t p2mt; - - g_iommu = domain_iommu(d); - gbdf = iommu_get_devid_from_cmd(cmd->data[0]); - mbdf = get_machine_bdf(d, gbdf); - - /* Guest can only update DTEs for its passthru devices */ - if ( mbdf == 0 || gbdf == 0 ) - return 0; - - /* Sometimes guest invalidates devices from non-exists dtes */ - if ( (gbdf * sizeof(struct amd_iommu_dte)) > g_iommu->dev_table.size ) - return 0; - - dte_mfn = guest_iommu_get_table_mfn(d, - reg_to_u64(g_iommu->dev_table.reg_base), - sizeof(struct amd_iommu_dte) * gbdf); - ASSERT(mfn_valid(_mfn(dte_mfn))); - - /* Read guest dte information */ - dte_base = map_domain_page(_mfn(dte_mfn)); - - gdte = &dte_base[gbdf % (PAGE_SIZE / sizeof(struct amd_iommu_dte))]; - - gdom_id = gdte->domain_id; - gcr3_gfn = dte_get_gcr3_table(gdte) >> PAGE_SHIFT; - glx = gdte->glx; - gv = gdte->gv; - - unmap_domain_page(dte_base); - - /* Do not update host dte before gcr3 has been set */ - if ( gcr3_gfn == 0 ) - return 0; - - gcr3_mfn = mfn_x(get_gfn(d, gcr3_gfn, &p2mt)); - put_gfn(d, gcr3_gfn); - - ASSERT(mfn_valid(_mfn(gcr3_mfn))); - - iommu = find_iommu_for_device(0, mbdf); - if ( !iommu ) - { - AMD_IOMMU_DEBUG("%s: Fail to find iommu for bdf %x!\n", - __func__, mbdf); - return -ENODEV; - } - - /* Setup host device entry */ - hdom_id = host_domid(d, gdom_id); - req_id = get_dma_requestor_id(iommu->seg, mbdf); - dte_base = iommu->dev_table.buffer; - mdte = &dte_base[req_id]; - prev_domid = mdte->domain_id; - - spin_lock_irqsave(&iommu->lock, flags); - dte_set_gcr3_table(mdte, hdom_id, gcr3_mfn << PAGE_SHIFT, gv, glx); - - spin_unlock_irqrestore(&iommu->lock, flags); - - amd_iommu_flush_device(iommu, req_id, prev_domid); - - return 0; -} - -static void cf_check guest_iommu_process_command(void *data) -{ - unsigned long opcode, tail, head, cmd_mfn; - cmd_entry_t *cmd; - struct domain *d = data; - struct guest_iommu *iommu; - - iommu = domain_iommu(d); - - if ( !iommu->enabled ) - return; - - head = iommu->cmd_buffer.reg_head.lo; - tail = iommu->cmd_buffer.reg_tail.lo; - - /* Tail pointer is rolled over by guest driver, value outside - * cmd_buffer_entries cause iommu disabled - */ - - if ( tail >= iommu->cmd_buffer.size || head >= iommu->cmd_buffer.size ) - { - AMD_IOMMU_DEBUG("Error: guest iommu cmd buffer overflows\n"); - guest_iommu_disable(iommu); - return; - } - - while ( head != tail ) - { - int ret = 0; - - cmd_mfn = guest_iommu_get_table_mfn(d, - reg_to_u64(iommu->cmd_buffer.reg_base), - head); - ASSERT(mfn_valid(_mfn(cmd_mfn))); - - cmd = map_domain_page(_mfn(cmd_mfn)) + (head & ~PAGE_MASK); - - opcode = get_field_from_reg_u32(cmd->data[1], - IOMMU_CMD_OPCODE_MASK, - IOMMU_CMD_OPCODE_SHIFT); - switch ( opcode ) - { - case IOMMU_CMD_COMPLETION_WAIT: - ret = do_completion_wait(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_DEVTAB_ENTRY: - ret = do_invalidate_dte(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_IOMMU_PAGES: - ret = do_invalidate_pages(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_IOTLB_PAGES: - ret = do_invalidate_iotlb_pages(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_INT_TABLE: - break; - case IOMMU_CMD_COMPLETE_PPR_REQUEST: - ret = do_complete_ppr_request(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_IOMMU_ALL: - ret = do_invalidate_all(d, cmd); - break; - default: - AMD_IOMMU_DEBUG("CMD: Unknown command cmd_type = %lx " - "head = %ld\n", opcode, head); - break; - } - - unmap_domain_page(cmd); - head += sizeof(cmd_entry_t); - if ( head >= iommu->cmd_buffer.size ) - head = 0; - if ( ret ) - guest_iommu_disable(iommu); - } - - /* Now shift cmd buffer head pointer */ - iommu->cmd_buffer.reg_head.lo = head; - return; -} - -static int guest_iommu_write_ctrl(struct guest_iommu *iommu, uint64_t val) -{ - union amd_iommu_control newctrl = { .raw = val }; - - if ( newctrl.iommu_en ) - { - guest_iommu_enable(iommu); - guest_iommu_enable_dev_table(iommu); - } - - if ( newctrl.iommu_en && newctrl.cmd_buf_en ) - { - guest_iommu_enable_ring_buffer(iommu, &iommu->cmd_buffer, - sizeof(cmd_entry_t)); - /* Enable iommu command processing */ - tasklet_schedule(&iommu->cmd_buffer_tasklet); - } - - if ( newctrl.iommu_en && newctrl.event_log_en ) - { - guest_iommu_enable_ring_buffer(iommu, &iommu->event_log, - sizeof(event_entry_t)); - iommu->reg_status.lo |= IOMMU_STATUS_EVENT_LOG_RUN; - iommu->reg_status.lo &= ~IOMMU_STATUS_EVENT_LOG_OVERFLOW; - } - - if ( newctrl.iommu_en && newctrl.ppr_en && newctrl.ppr_log_en ) - { - guest_iommu_enable_ring_buffer(iommu, &iommu->ppr_log, - sizeof(ppr_entry_t)); - iommu->reg_status.lo |= IOMMU_STATUS_PPR_LOG_RUN; - iommu->reg_status.lo &= ~IOMMU_STATUS_PPR_LOG_OVERFLOW; - } - - if ( newctrl.iommu_en && iommu->reg_ctrl.cmd_buf_en && - !newctrl.cmd_buf_en ) - { - /* Disable iommu command processing */ - tasklet_kill(&iommu->cmd_buffer_tasklet); - } - - if ( iommu->reg_ctrl.event_log_en && !newctrl.event_log_en ) - iommu->reg_status.lo &= ~IOMMU_STATUS_EVENT_LOG_RUN; - - if ( iommu->reg_ctrl.iommu_en && !newctrl.iommu_en ) - guest_iommu_disable(iommu); - - iommu->reg_ctrl = newctrl; - - return 0; -} - -static uint64_t iommu_mmio_read64(struct guest_iommu *iommu, - unsigned long offset) -{ - uint64_t val; - - switch ( offset ) - { - case IOMMU_DEV_TABLE_BASE_LOW_OFFSET: - val = reg_to_u64(iommu->dev_table.reg_base); - break; - case IOMMU_CMD_BUFFER_BASE_LOW_OFFSET: - val = reg_to_u64(iommu->cmd_buffer.reg_base); - break; - case IOMMU_EVENT_LOG_BASE_LOW_OFFSET: - val = reg_to_u64(iommu->event_log.reg_base); - break; - case IOMMU_PPR_LOG_BASE_LOW_OFFSET: - val = reg_to_u64(iommu->ppr_log.reg_base); - break; - case IOMMU_CMD_BUFFER_HEAD_OFFSET: - val = reg_to_u64(iommu->cmd_buffer.reg_head); - break; - case IOMMU_CMD_BUFFER_TAIL_OFFSET: - val = reg_to_u64(iommu->cmd_buffer.reg_tail); - break; - case IOMMU_EVENT_LOG_HEAD_OFFSET: - val = reg_to_u64(iommu->event_log.reg_head); - break; - case IOMMU_EVENT_LOG_TAIL_OFFSET: - val = reg_to_u64(iommu->event_log.reg_tail); - break; - case IOMMU_PPR_LOG_HEAD_OFFSET: - val = reg_to_u64(iommu->ppr_log.reg_head); - break; - case IOMMU_PPR_LOG_TAIL_OFFSET: - val = reg_to_u64(iommu->ppr_log.reg_tail); - break; - case IOMMU_CONTROL_MMIO_OFFSET: - val = iommu->reg_ctrl.raw; - break; - case IOMMU_STATUS_MMIO_OFFSET: - val = reg_to_u64(iommu->reg_status); - break; - case IOMMU_EXT_FEATURE_MMIO_OFFSET: - val = iommu->reg_ext_feature.raw; - break; - - default: - AMD_IOMMU_DEBUG("Guest reads unknown mmio offset = %lx\n", offset); - val = 0; - break; - } - - return val; -} - -static int cf_check guest_iommu_mmio_read( - struct vcpu *v, unsigned long addr, unsigned int len, unsigned long *pval) -{ - struct guest_iommu *iommu = vcpu_iommu(v); - unsigned long offset; - uint64_t val; - uint32_t mmio, shift; - uint64_t mask = 0; - - offset = addr - iommu->mmio_base; - - if ( unlikely((offset & (len - 1 )) || (len > 8)) ) - { - AMD_IOMMU_DEBUG("iommu mmio read access is not aligned:" - " offset = %lx, len = %x\n", offset, len); - return X86EMUL_UNHANDLEABLE; - } - - mask = (len == 8) ? ~0ULL : (1ULL << (len * 8)) - 1; - shift = (offset & 7u) * 8; - - /* mmio access is always aligned on 8-byte boundary */ - mmio = offset & (~7u); - - spin_lock(&iommu->lock); - val = iommu_mmio_read64(iommu, mmio); - spin_unlock(&iommu->lock); - - *pval = (val >> shift ) & mask; - - return X86EMUL_OKAY; -} - -static void guest_iommu_mmio_write64(struct guest_iommu *iommu, - unsigned long offset, uint64_t val) -{ - switch ( offset ) - { - case IOMMU_DEV_TABLE_BASE_LOW_OFFSET: - u64_to_reg(&iommu->dev_table.reg_base, val); - break; - case IOMMU_CMD_BUFFER_BASE_LOW_OFFSET: - u64_to_reg(&iommu->cmd_buffer.reg_base, val); - break; - case IOMMU_EVENT_LOG_BASE_LOW_OFFSET: - u64_to_reg(&iommu->event_log.reg_base, val); - break; - case IOMMU_PPR_LOG_BASE_LOW_OFFSET: - u64_to_reg(&iommu->ppr_log.reg_base, val); - break; - case IOMMU_CONTROL_MMIO_OFFSET: - guest_iommu_write_ctrl(iommu, val); - break; - case IOMMU_CMD_BUFFER_HEAD_OFFSET: - iommu->cmd_buffer.reg_head.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_CMD_BUFFER_TAIL_OFFSET: - iommu->cmd_buffer.reg_tail.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - tasklet_schedule(&iommu->cmd_buffer_tasklet); - break; - case IOMMU_EVENT_LOG_HEAD_OFFSET: - iommu->event_log.reg_head.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_EVENT_LOG_TAIL_OFFSET: - iommu->event_log.reg_tail.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_PPR_LOG_HEAD_OFFSET: - iommu->ppr_log.reg_head.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_PPR_LOG_TAIL_OFFSET: - iommu->ppr_log.reg_tail.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_STATUS_MMIO_OFFSET: - val &= IOMMU_STATUS_EVENT_LOG_OVERFLOW | - IOMMU_STATUS_EVENT_LOG_INT | - IOMMU_STATUS_COMP_WAIT_INT | - IOMMU_STATUS_PPR_LOG_OVERFLOW | - IOMMU_STATUS_PPR_LOG_INT | - IOMMU_STATUS_GAPIC_LOG_OVERFLOW | - IOMMU_STATUS_GAPIC_LOG_INT; - u64_to_reg(&iommu->reg_status, reg_to_u64(iommu->reg_status) & ~val); - break; - - default: - AMD_IOMMU_DEBUG("guest writes unknown mmio offset = %lx," - " val = %" PRIx64 "\n", offset, val); - break; - } -} - -static int cf_check guest_iommu_mmio_write( - struct vcpu *v, unsigned long addr, unsigned int len, unsigned long val) -{ - struct guest_iommu *iommu = vcpu_iommu(v); - unsigned long offset; - uint64_t reg_old, mmio; - uint32_t shift; - uint64_t mask = 0; - - offset = addr - iommu->mmio_base; - - if ( unlikely((offset & (len - 1)) || (len > 8)) ) - { - AMD_IOMMU_DEBUG("iommu mmio write access is not aligned:" - " offset = %lx, len = %x\n", offset, len); - return X86EMUL_UNHANDLEABLE; - } - - mask = (len == 8) ? ~0ULL : (1ULL << (len * 8)) - 1; - shift = (offset & 7) * 8; - - /* mmio access is always aligned on 8-byte boundary */ - mmio = offset & ~7; - - spin_lock(&iommu->lock); - - reg_old = iommu_mmio_read64(iommu, mmio); - reg_old &= ~(mask << shift); - val = reg_old | ((val & mask) << shift); - guest_iommu_mmio_write64(iommu, mmio, val); - - spin_unlock(&iommu->lock); - - return X86EMUL_OKAY; -} - -int guest_iommu_set_base(struct domain *d, uint64_t base) -{ - p2m_type_t t; - struct guest_iommu *iommu = domain_iommu(d); - - if ( !iommu ) - return -EACCES; - - iommu->mmio_base = base; - base >>= PAGE_SHIFT; - - for ( int i = 0; i < IOMMU_MMIO_PAGE_NR; i++ ) - { - unsigned long gfn = base + i; - - get_gfn_query(d, gfn, &t); - p2m_change_type_one(d, gfn, t, p2m_mmio_dm); - put_gfn(d, gfn); - } - - return 0; -} - -/* Initialize mmio read only bits */ -static void guest_iommu_reg_init(struct guest_iommu *iommu) -{ - union amd_iommu_ext_features ef = { - /* Support prefetch */ - .flds.pref_sup = 1, - /* Support PPR log */ - .flds.ppr_sup = 1, - /* Support guest translation */ - .flds.gt_sup = 1, - /* Support invalidate all command */ - .flds.ia_sup = 1, - /* Host translation size has 6 levels */ - .flds.hats = HOST_ADDRESS_SIZE_6_LEVEL, - /* Guest translation size has 6 levels */ - .flds.gats = GUEST_ADDRESS_SIZE_6_LEVEL, - /* Single level gCR3 */ - .flds.glx_sup = GUEST_CR3_1_LEVEL, - /* 9 bit PASID */ - .flds.pas_max = PASMAX_9_bit, - }; - - iommu->reg_ext_feature = ef; -} - -static int cf_check guest_iommu_mmio_range(struct vcpu *v, unsigned long addr) -{ - struct guest_iommu *iommu = vcpu_iommu(v); - - return iommu && addr >= iommu->mmio_base && - addr < iommu->mmio_base + IOMMU_MMIO_SIZE; -} - -static const struct hvm_mmio_ops iommu_mmio_ops = { - .check = guest_iommu_mmio_range, - .read = guest_iommu_mmio_read, - .write = guest_iommu_mmio_write -}; - -/* Domain specific initialization */ -int guest_iommu_init(struct domain* d) -{ - struct guest_iommu *iommu; - struct domain_iommu *hd = dom_iommu(d); - - if ( !is_hvm_domain(d) || !is_iommu_enabled(d) || !iommuv2_enabled || - !has_viommu(d) ) - return 0; - - iommu = xzalloc(struct guest_iommu); - if ( !iommu ) - { - AMD_IOMMU_DEBUG("Error allocating guest iommu structure.\n"); - return 1; - } - - guest_iommu_reg_init(iommu); - iommu->mmio_base = ~0ULL; - iommu->domain = d; - hd->arch.amd.g_iommu = iommu; - - tasklet_init(&iommu->cmd_buffer_tasklet, guest_iommu_process_command, d); - - spin_lock_init(&iommu->lock); - - register_mmio_handler(d, &iommu_mmio_ops); - - return 0; -} - -void guest_iommu_destroy(struct domain *d) -{ - struct guest_iommu *iommu; - - iommu = domain_iommu(d); - if ( !iommu ) - return; - - tasklet_kill(&iommu->cmd_buffer_tasklet); - xfree(iommu); - - dom_iommu(d)->arch.amd.g_iommu = NULL; -} -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:34:06 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:34:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695293.1084946 (Exim 4.92) (envelope-from ) id 1rmWnG-0004ek-9G; Tue, 19 Mar 2024 10:34:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695293.1084946; Tue, 19 Mar 2024 10:34:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnG-0004ed-6q; Tue, 19 Mar 2024 10:34:06 +0000 Received: by outflank-mailman (input) for mailman id 695293; Tue, 19 Mar 2024 10:34:05 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnE-0004eQ-W1 for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnE-00017z-VH for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWnE-0002oo-Sg for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=h84lnF785Eh2EtrNfN82OcwiiuNDcnc0JYKe+e/A4bc=; b=YWC8QWzzUH/8KjkLHnBYqNtwQe rE6ImHHNlXLFCXYZxVbGa0m0NJPX8qkdhRxr6/f8oG12H4Cn8K6p/PblvmyCGMl3phfzJpL3zVVGg ahYvAGuKPwYq9JoEfTdWFvpUqD2Ki8RTeYymatwTw8oaHnX9E9W5xt6lxAt7SAdmbxzI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/cpufeature: add parentheses to comply with Rule 20.7 Message-Id: Date: Tue, 19 Mar 2024 10:34:04 +0000 commit 9979cc594acecd8b22384c06f520447a955b4857 Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:27:29 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:27:29 2024 +0100 x86/cpufeature: add parentheses to comply with Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/arch/x86/include/asm/cpufeatureset.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/include/asm/cpufeatureset.h b/xen/arch/x86/include/asm/cpufeatureset.h index f179229f19..a9c51bc514 100644 --- a/xen/arch/x86/include/asm/cpufeatureset.h +++ b/xen/arch/x86/include/asm/cpufeatureset.h @@ -5,7 +5,7 @@ #include -#define XEN_CPUFEATURE(name, value) X86_FEATURE_##name = value, +#define XEN_CPUFEATURE(name, value) X86_FEATURE_##name = (value), enum { #include #include -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:34:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:34:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695294.1084950 (Exim 4.92) (envelope-from ) id 1rmWnQ-0004hf-Al; Tue, 19 Mar 2024 10:34:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695294.1084950; Tue, 19 Mar 2024 10:34:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnQ-0004hY-8D; Tue, 19 Mar 2024 10:34:16 +0000 Received: by outflank-mailman (input) for mailman id 695294; Tue, 19 Mar 2024 10:34:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnP-0004hJ-4Y for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnP-00018A-3p for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:15 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWnP-0002ph-18 for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:15 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=yaFuuWGNKgKWQz8K2m47MO75XZP+dPL85SCueoWvHNo=; b=J2qHUU1ejxpLtK5ykhXalRbTNY RVuxyzVc15kd5nZ8ahpz5S7RUQq2IhBBHtbgLbxtTM/t7Gpfhx2SSD9tRF/s6RgmuhWcKd6b7xmDd qQ0Q5+KYOwB1gAIhzwj+gBX82cRbjiKOyNLse/hKp2VUV8kMAK3Rdrz79+7/TyFvlfeM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/device_tree: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 19 Mar 2024 10:34:15 +0000 commit b51d7f39dc73618c015439dab1f81a86074c591d Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:27:58 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:27:58 2024 +0100 xen/device_tree: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/device_tree.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/device_tree.h b/xen/include/xen/device_tree.h index 6fe2fa8b21..e6287305a7 100644 --- a/xen/include/xen/device_tree.h +++ b/xen/include/xen/device_tree.h @@ -250,7 +250,7 @@ dt_find_interrupt_controller(const struct dt_device_match *matches); for ( pp = (dn)->properties; (pp) != NULL; pp = (pp)->next ) #define dt_for_each_device_node(dt, dn) \ - for ( dn = dt; (dn) != NULL; dn = (dn)->allnext ) + for ( dn = (dt); (dn) != NULL; dn = (dn)->allnext ) #define dt_for_each_child_node(dt, dn) \ for ( dn = (dt)->child; (dn) != NULL; dn = (dn)->sibling ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:34:26 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:34:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695295.1084954 (Exim 4.92) (envelope-from ) id 1rmWna-0004kT-CL; Tue, 19 Mar 2024 10:34:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695295.1084954; Tue, 19 Mar 2024 10:34:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWna-0004kL-9g; Tue, 19 Mar 2024 10:34:26 +0000 Received: by outflank-mailman (input) for mailman id 695295; Tue, 19 Mar 2024 10:34:25 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnZ-0004kA-74 for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:25 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnZ-00018K-6P for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:25 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWnZ-0002qp-5q for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:25 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6yuQ+BCiPVYlMlX4oZ4jpAAEoY8Kzr9UsnC6e7X2Fss=; b=iXkL3dDgOPI2gmQO4x1oCPkj1q LpxcgdnpaTuNO3Bk2gkVosYk/2MaFXWSHF6Cpl6Bep7CFQIUHKMobyKUG/lDOrrYffo2QgxDOsDW9 UZ/2z7gtwrFVny3FeUtR6Nts5e4sOfEnlltZWnvZDv/mtCvWCyz2siOMGUNjy6IcrciA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] EFI: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 19 Mar 2024 10:34:25 +0000 commit 8e7207d512aa96cd55177b29656610150ed577a5 Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:28:28 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:28:28 2024 +0100 EFI: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/efi/efierr.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/efi/efierr.h b/xen/include/efi/efierr.h index dfd3d3cf48..cdca210414 100644 --- a/xen/include/efi/efierr.h +++ b/xen/include/efi/efierr.h @@ -22,7 +22,7 @@ Revision History #define EFIWARN(a) (a) -#define EFI_ERROR(a) (((INTN) a) < 0) +#define EFI_ERROR(a) ((INTN)(a) < 0) #define EFI_SUCCESS 0 -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:34:36 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:34:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695296.1084959 (Exim 4.92) (envelope-from ) id 1rmWnk-0004nd-Dr; Tue, 19 Mar 2024 10:34:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695296.1084959; Tue, 19 Mar 2024 10:34:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnk-0004nV-B7; Tue, 19 Mar 2024 10:34:36 +0000 Received: by outflank-mailman (input) for mailman id 695296; Tue, 19 Mar 2024 10:34:35 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnj-0004nL-A0 for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:35 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnj-00018V-9G for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:35 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWnj-0002rc-8Y for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:35 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=MNquDyL5R5a4KyxRjmo1bx6BF1nUrTQXau7RI8QjLTE=; b=mPMOcSCoxsiMFi0RQ4XEgayZNm 39Igbd4O4LFlu0ftKoT8kE6ah8Z/JICqBtZPDcPsbqwMfhuNz9aLT3OS/cgfRb1VWqhIJVBQlcpeL Jw/HT3RlI25FFNMjIHpUwz6ivo8nnuQXouRnYSAV6bS9yAR5BzvnWn1IJjKDtbPOuBPQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/arm: smmu: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 19 Mar 2024 10:34:35 +0000 commit 88822d5fbd30782bb79bfee85f58bf9e2e8f18b7 Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:28:44 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:28:44 2024 +0100 xen/arm: smmu: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/drivers/passthrough/arm/smmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/drivers/passthrough/arm/smmu.c b/xen/drivers/passthrough/arm/smmu.c index 83196057a9..f2cee82f55 100644 --- a/xen/drivers/passthrough/arm/smmu.c +++ b/xen/drivers/passthrough/arm/smmu.c @@ -326,7 +326,7 @@ static struct iommu_group *iommu_group_get(struct device *dev) */ #define ARM_SMMU_GR0_NS(smmu) \ ((smmu)->base + \ - ((smmu->options & ARM_SMMU_OPT_SECURE_CFG_ACCESS) \ + (((smmu)->options & ARM_SMMU_OPT_SECURE_CFG_ACCESS) \ ? 0x400 : 0)) /* Page table bits */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:34:46 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:34:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695297.1084963 (Exim 4.92) (envelope-from ) id 1rmWnu-0004qM-FJ; Tue, 19 Mar 2024 10:34:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695297.1084963; Tue, 19 Mar 2024 10:34:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnu-0004qE-Cf; Tue, 19 Mar 2024 10:34:46 +0000 Received: by outflank-mailman (input) for mailman id 695297; Tue, 19 Mar 2024 10:34:45 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnt-0004q1-Cb for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:45 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWnt-00018c-Bv for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:45 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWnt-0002sc-BE for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:45 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9H51IvtkZ9FLNkhT+fDvjQOIyby5Ns4CaH1/i677n50=; b=FO7KUi+t3AqTL7GtmTckUgpZ9r b3IZLYXLFAefwOnqNjfBuHhLSVxjBzl5QJCtwOK00KCuqH2IirNLoUOnBvZKgxnsGUg/GCuS6U9qE YLwAjEWgEeC5us/1bOPI5d3p0SX+sico81A9XvvPYBiqWe27KUaFQZDSbzo+cv/QGZ+8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/notifier: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 19 Mar 2024 10:34:45 +0000 commit 239b72d874705525a1ee6c13cf2e487cbd1d186a Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:29:12 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:29:12 2024 +0100 xen/notifier: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/xen/notifier.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/notifier.h b/xen/include/xen/notifier.h index 2a952484df..05359e8a85 100644 --- a/xen/include/xen/notifier.h +++ b/xen/include/xen/notifier.h @@ -34,7 +34,7 @@ struct notifier_head { }; #define NOTIFIER_HEAD(name) \ - struct notifier_head name = { .head = LIST_HEAD_INIT(name.head) } + struct notifier_head name = { .head = LIST_HEAD_INIT((name).head) } void notifier_chain_register( -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:34:56 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:34:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695298.1084967 (Exim 4.92) (envelope-from ) id 1rmWo4-0004sh-Gf; Tue, 19 Mar 2024 10:34:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695298.1084967; Tue, 19 Mar 2024 10:34:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWo4-0004sZ-E5; Tue, 19 Mar 2024 10:34:56 +0000 Received: by outflank-mailman (input) for mailman id 695298; Tue, 19 Mar 2024 10:34:55 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWo3-0004sP-FK for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:55 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWo3-000195-Ea for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:55 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWo3-0002tP-Dv for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:34:55 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=0s/isD036LCGm6VW0SArM/9k+kDCsxiUjXDeNy66shM=; b=ZMO4rtePVEvyPweWtuBqydEE/v NlQU+qVLqPE08whhd+wq/9MViDVdvxYrukmcQ2qg9V2AJulEAnyO8goeTSD8dUWDhr9asHFbic0TK QkFj3/tQElE7vHed/Xnz7bdARTJmCgxlHJs3J0JHUXAKfSUuFeCUV3u71i3Oflbb0oyk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/wait: address violations of MISRA C Rule 20.7 Message-Id: Date: Tue, 19 Mar 2024 10:34:55 +0000 commit d9e709e8c05c66b6802f1801b0eacc0a2bc06e6d Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:30:01 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:30:01 2024 +0100 xen/wait: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/xen/wait.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/include/xen/wait.h b/xen/include/xen/wait.h index 6eb7667d9c..1c68bc564b 100644 --- a/xen/include/xen/wait.h +++ b/xen/include/xen/wait.h @@ -40,12 +40,12 @@ do { \ if ( condition ) \ break; \ for ( ; ; ) { \ - prepare_to_wait(&wq); \ + prepare_to_wait(&(wq)); \ if ( condition ) \ break; \ wait(); \ } \ - finish_wait(&wq); \ + finish_wait(&(wq)); \ } while (0) /* Private functions. */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 10:35:06 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 10:35:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695299.1084971 (Exim 4.92) (envelope-from ) id 1rmWoE-0004vO-II; Tue, 19 Mar 2024 10:35:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695299.1084971; Tue, 19 Mar 2024 10:35:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWoE-0004vG-FW; Tue, 19 Mar 2024 10:35:06 +0000 Received: by outflank-mailman (input) for mailman id 695299; Tue, 19 Mar 2024 10:35:05 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWoD-0004v7-Hn for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:35:05 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmWoD-00019P-HC for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:35:05 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmWoD-0002ug-GY for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 10:35:05 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=IZOZiHxLdXNXS7U7nKphEv1unTzNdC2YELeKF8M8iXU=; b=5paG1PhR3sHwtb1O/JtdXCUT6V wfHCJzv8jl7F0Sde4URF9Dz4n8Fq2LQsM9EaKO/JC+RqcbN8o/jlJLnn+PGy5+dDnX7diYg0jW05N uciJogzlUroPhcuYn/mFmf+3lF/Dlr6omtwQ0/ZzvQjMI1TBeWir/pktZT9MZTaWnqh4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/nospec: Include Message-Id: Date: Tue, 19 Mar 2024 10:35:05 +0000 commit d2276b86e5eb8dd2617d917f7b49cdd1f29ac299 Author: Michal Orzel AuthorDate: Tue Mar 19 11:30:30 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:30:30 2024 +0100 xen/nospec: Include After introduction of lock_evaluate_nospec() using bool type, building Xen on Arm with UBSAN enabled fails: In file included from ./include/xen/spinlock.h:4, from common/ubsan/ubsan.c:13: ./include/xen/nospec.h:79:22: error: unknown type name ‘bool’ 79 | static always_inline bool lock_evaluate_nospec(bool condition) There is no issue on x86, as xen/stdbool.h is included somewhere along the asm/nospec.h path, which is not the case for other architectures. Fixes: 7ef0084418e1 ("x86/spinlock: introduce support for blocking speculation into critical regions") Signed-off-by: Michal Orzel Acked-by: Jan Beulich --- xen/include/xen/nospec.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index e8d73f9538..9fb15aa26a 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -7,6 +7,8 @@ #ifndef XEN_NOSPEC_H #define XEN_NOSPEC_H +#include + #include /** -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 18:44:22 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 18:44:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695587.1085417 (Exim 4.92) (envelope-from ) id 1rmeRa-0004G1-I6; Tue, 19 Mar 2024 18:44:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695587.1085417; Tue, 19 Mar 2024 18:44:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmeRa-0004Fu-Ff; Tue, 19 Mar 2024 18:44:14 +0000 Received: by outflank-mailman (input) for mailman id 695587; Tue, 19 Mar 2024 18:44:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmeRZ-0004Fo-IW for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 18:44:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmeRZ-0002FG-Hq for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 18:44:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmeRZ-0007qp-FR for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 18:44:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qj4a7aJIvmD+uWHqAMK6VCVcObyJZBwFpi75SKBGfkM=; b=jigfW5vKvdeyT9BrxHDvJaXjes litLIMRFvq8IRLmxfQ1qtdKsoJ/+nw98QbCeCfFU7BUiVoNGgBckx8hMYMo8kVmaelmvsHH7dytEg nor77cuQvk5SlJW7AFYHEsYbCcQlbhco0+4SMHg6dbPSEvwe/2M+ynHpUZpI3KCb3/64=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Message-Id: Date: Tue, 19 Mar 2024 18:44:13 +0000 commit f658321374687c7339235e1ac643e0427acff717 Author: Andrew Cooper AuthorDate: Tue Mar 19 13:29:30 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 19 18:29:37 2024 +0000 x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Right now, if the user requests the watchdog on the command line, setup_apic_nmi_watchdog() will blindly assume that setting up the watchdog worked. Reuse nmi_perfctr_msr to identify when the watchdog has been configured. Rearrange setup_p6_watchdog() to not set nmi_perfctr_msr until the sanity checks are complete. Turn setup_p4_watchdog() into a void function, matching the others. If the watchdog isn't set up, inform the user and override to NMI_NONE, which will prevent check_nmi_watchdog() from claiming that all CPUs are stuck. e.g.: (XEN) alt table ffff82d040697c38 -> ffff82d0406a97f0 (XEN) Failed to configure NMI watchdog (XEN) Brought up 512 CPUs (XEN) Scheduling granularity: cpu, 1 CPU per sched-resource Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/nmi.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index 8994c50cb5..33f77a9204 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -319,8 +319,6 @@ static void setup_p6_watchdog(unsigned counter) { unsigned int evntsel; - nmi_perfctr_msr = MSR_P6_PERFCTR(0); - if ( !nmi_p6_event_width && current_cpu_data.cpuid_level >= 0xa ) nmi_p6_event_width = MASK_EXTR(cpuid_eax(0xa), P6_EVENT_WIDTH_MASK); if ( !nmi_p6_event_width ) @@ -330,6 +328,8 @@ static void setup_p6_watchdog(unsigned counter) nmi_p6_event_width > BITS_PER_LONG ) return; + nmi_perfctr_msr = MSR_P6_PERFCTR(0); + clear_msr_range(MSR_P6_EVNTSEL(0), 2); clear_msr_range(MSR_P6_PERFCTR(0), 2); @@ -345,13 +345,13 @@ static void setup_p6_watchdog(unsigned counter) wrmsr(MSR_P6_EVNTSEL(0), evntsel, 0); } -static int setup_p4_watchdog(void) +static void setup_p4_watchdog(void) { uint64_t misc_enable; rdmsrl(MSR_IA32_MISC_ENABLE, misc_enable); if (!(misc_enable & MSR_IA32_MISC_ENABLE_PERF_AVAIL)) - return 0; + return; nmi_perfctr_msr = MSR_P4_IQ_PERFCTR0; nmi_p4_cccr_val = P4_NMI_IQ_CCCR0; @@ -374,13 +374,12 @@ static int setup_p4_watchdog(void) clear_msr_range(0x3E0, 2); clear_msr_range(MSR_P4_BPU_CCCR0, 18); clear_msr_range(MSR_P4_BPU_PERFCTR0, 18); - + wrmsrl(MSR_P4_CRU_ESCR0, P4_NMI_CRU_ESCR0); wrmsrl(MSR_P4_IQ_CCCR0, P4_NMI_IQ_CCCR0 & ~P4_CCCR_ENABLE); write_watchdog_counter("P4_IQ_COUNTER0"); apic_write(APIC_LVTPC, APIC_DM_NMI); wrmsrl(MSR_P4_IQ_CCCR0, nmi_p4_cccr_val); - return 1; } void setup_apic_nmi_watchdog(void) @@ -395,8 +394,6 @@ void setup_apic_nmi_watchdog(void) case 0xf ... 0x19: setup_k7_watchdog(); break; - default: - return; } break; case X86_VENDOR_INTEL: @@ -407,14 +404,16 @@ void setup_apic_nmi_watchdog(void) : CORE_EVENT_CPU_CLOCKS_NOT_HALTED); break; case 15: - if (!setup_p4_watchdog()) - return; + setup_p4_watchdog(); break; - default: - return; } break; - default: + } + + if ( nmi_perfctr_msr == 0 ) + { + printk(XENLOG_WARNING "Failed to configure NMI watchdog\n"); + nmi_watchdog = NMI_NONE; return; } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 18:44:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 18:44:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695588.1085421 (Exim 4.92) (envelope-from ) id 1rmeRl-0004Hq-K1; Tue, 19 Mar 2024 18:44:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695588.1085421; Tue, 19 Mar 2024 18:44:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmeRl-0004Hi-H9; Tue, 19 Mar 2024 18:44:25 +0000 Received: by outflank-mailman (input) for mailman id 695588; Tue, 19 Mar 2024 18:44:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmeRj-0004HW-Lj for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 18:44:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmeRj-0002FN-Kx for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 18:44:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmeRj-0007rI-Ju for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 18:44:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LovKZ0PbpDt7wEt8MRAlyXF+WpQo0vZQ3SiYKmIb0G0=; b=hLKKsg89wmNRkgZTFtYkF1nleg JB6PmTx8QILCxBTdRYk9vaNCgtygR25Jb08v8zjZ3GYKfXv8afd8cHRgDvzD1lJdH9daorTjqucz6 eil0mOnfDxNFpgMm0tJRfaOfcHB7f2CKnxr0F+G2jLG4k0t+i4SnJsOyLSA8ahvec6IE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/boot: Support the watchdog on newer AMD systems Message-Id: Date: Tue, 19 Mar 2024 18:44:23 +0000 commit 131892e0dcc1265b621c2b7d844cb9e7c3a4404f Author: Andrew Cooper AuthorDate: Tue Mar 19 14:11:12 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 19 18:29:37 2024 +0000 x86/boot: Support the watchdog on newer AMD systems The MSRs used by setup_k7_watchdog() are architectural in 64bit. The Unit Select (0x76, cycles not in halt state) isn't, but it hasn't changed in 25 years, making this a trend likely to continue. Drop the family check. If the Unit Select does happen to change meaning in the future, check_nmi_watchdog() will still notice the watchdog not operating as expected. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/nmi.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index 33f77a9204..f6329cb027 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -387,15 +387,12 @@ void setup_apic_nmi_watchdog(void) if ( nmi_watchdog == NMI_NONE ) return; - switch (boot_cpu_data.x86_vendor) { + switch ( boot_cpu_data.x86_vendor ) + { case X86_VENDOR_AMD: - switch (boot_cpu_data.x86) { - case 6: - case 0xf ... 0x19: - setup_k7_watchdog(); - break; - } + setup_k7_watchdog(); break; + case X86_VENDOR_INTEL: switch (boot_cpu_data.x86) { case 6: -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Tue Mar 19 18:44:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Tue, 19 Mar 2024 18:44:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695589.1085426 (Exim 4.92) (envelope-from ) id 1rmeRv-0004KY-LI; Tue, 19 Mar 2024 18:44:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695589.1085426; Tue, 19 Mar 2024 18:44:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmeRv-0004KQ-Id; Tue, 19 Mar 2024 18:44:35 +0000 Received: by outflank-mailman (input) for mailman id 695589; Tue, 19 Mar 2024 18:44:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmeRt-0004K8-PF for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 18:44:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmeRt-0002FZ-Nq for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 18:44:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmeRt-0007sG-Mx for xen-changelog@lists.xenproject.org; Tue, 19 Mar 2024 18:44:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=SvIejmVgdDcixrSfq5FtvZz9XLg25dDvhy24vtdAzjc=; b=5ICtt4iNwFmxO7F44E5BCCWf2N 6eDbCDIelEXkkfJJ6FkE5Pda2LVZtt/wlfXOsx0iimYp6D7hsNPrr4nkGrjiQdGgQ58/Hh4x5XBjD lo/NlRxbQa9iNzd7DIJERRG+VF4Oc96L1YX6kxpwMh+VlUdOSIExC5ghRj6kaImFRF1o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/vpci: Improve code generation in mask_write() Message-Id: Date: Tue, 19 Mar 2024 18:44:33 +0000 commit 188fa82305e72b725473db9146e20cc9abf7bff3 Author: Andrew Cooper AuthorDate: Fri Mar 15 11:31:33 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 19 18:29:37 2024 +0000 xen/vpci: Improve code generation in mask_write() The use of __clear_bit() forces dmask to be spilled to the stack, and interferes with the compiler heuristcs for some upcoming improvements to the ffs() code generation. First, shrink dmask to just the active vectors by making out the upper bits. This replaces the "i < msi->vectors" part of the loop condition. Next, use a simple while() loop with "clear bottom bit" expressed in plane C, which affords the optimiser a far better understanding of what the loop is doing. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/drivers/vpci/msi.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/drivers/vpci/msi.c b/xen/drivers/vpci/msi.c index d3aa5df089..30adcf7df0 100644 --- a/xen/drivers/vpci/msi.c +++ b/xen/drivers/vpci/msi.c @@ -169,13 +169,15 @@ static void cf_check mask_write( if ( msi->enabled ) { - unsigned int i; + /* Skip changes to vectors which aren't enabled. */ + dmask &= (~0U >> (32 - msi->vectors)); - for ( i = ffs(dmask) - 1; dmask && i < msi->vectors; - i = ffs(dmask) - 1 ) + while ( dmask ) { + unsigned int i = ffs(dmask) - 1; + vpci_msi_arch_mask(msi, pdev, i, (val >> i) & 1); - __clear_bit(i, &dmask); + dmask &= (dmask - 1); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:00:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:00:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695703.1085623 (Exim 4.92) (envelope-from ) id 1rmpvf-0003Cc-Dc; Wed, 20 Mar 2024 07:00:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695703.1085623; Wed, 20 Mar 2024 07:00:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpvf-0003CH-AK; Wed, 20 Mar 2024 07:00:03 +0000 Received: by outflank-mailman (input) for mailman id 695703; Wed, 20 Mar 2024 07:00:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpvd-0002wl-PO for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpvd-0007ZV-Ld for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpvd-0001cs-Jc for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=bNFg5kvfjkKMCJuFlZpf1TWULBmPUy1G9egrbP252is=; b=P0BZDnqtQGBrpC8XwHzeBQdT4b qgBsdv7dMCbRVz4AZYw1merktet+SiEcfhYPeI+fY1C44X0YsRpJIv+To9dFztyqOWKsWy5t7m1iD u/HtnH19PPZY+dbBnsyCWQ0LIFWP9WTLCLZysucZ9T2+hL1r1zik8G+MWCCm1oX3DA5I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/svm: Drop the suffix _guest from vmcb bit Message-Id: Date: Wed, 20 Mar 2024 07:00:01 +0000 commit 2f09f797ba43f1182cf5ce24e9ef63cd148d385e Author: Vaishali Thakkar AuthorDate: Mon Mar 18 13:49:46 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:49:46 2024 +0100 x86/svm: Drop the suffix _guest from vmcb bit The suffix _guest is redundant for asid bit. Drop it to avoid adding extra code volume. While we're here, replace 0/1 with false/true and use VMCB accessors instead of open coding. Suggested-by: Andrew Cooper Signed-off-by: Vaishali Thakkar Reviewed-by: Jan Beulich --- xen/arch/x86/hvm/svm/asid.c | 6 +++--- xen/arch/x86/hvm/svm/nestedsvm.c | 8 ++++---- xen/arch/x86/hvm/svm/svmdebug.c | 4 ++-- xen/arch/x86/include/asm/hvm/svm/nestedsvm.h | 2 +- xen/arch/x86/include/asm/hvm/svm/vmcb.h | 6 +++--- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/hvm/svm/asid.c b/xen/arch/x86/hvm/svm/asid.c index 28e0dbc176..7977a8e86b 100644 --- a/xen/arch/x86/hvm/svm/asid.c +++ b/xen/arch/x86/hvm/svm/asid.c @@ -37,14 +37,14 @@ void svm_asid_handle_vmrun(void) /* ASID 0 indicates that ASIDs are disabled. */ if ( p_asid->asid == 0 ) { - vmcb_set_guest_asid(vmcb, 1); + vmcb_set_asid(vmcb, true); vmcb->tlb_control = cpu_has_svm_flushbyasid ? TLB_CTRL_FLUSH_ASID : TLB_CTRL_FLUSH_ALL; return; } - if ( vmcb_get_guest_asid(vmcb) != p_asid->asid ) - vmcb_set_guest_asid(vmcb, p_asid->asid); + if ( vmcb_get_asid(vmcb) != p_asid->asid ) + vmcb_set_asid(vmcb, p_asid->asid); vmcb->tlb_control = !need_flush ? TLB_CTRL_NO_FLUSH : diff --git a/xen/arch/x86/hvm/svm/nestedsvm.c b/xen/arch/x86/hvm/svm/nestedsvm.c index 07630d74d3..a8d5f4ee95 100644 --- a/xen/arch/x86/hvm/svm/nestedsvm.c +++ b/xen/arch/x86/hvm/svm/nestedsvm.c @@ -157,7 +157,7 @@ int cf_check nsvm_vcpu_reset(struct vcpu *v) svm->ns_hap_enabled = 0; svm->ns_vmcb_guestcr3 = 0; svm->ns_vmcb_hostcr3 = 0; - svm->ns_guest_asid = 0; + svm->ns_asid = 0; svm->ns_hostflags.bytes = 0; svm->ns_vmexit.exitinfo1 = 0; svm->ns_vmexit.exitinfo2 = 0; @@ -698,11 +698,11 @@ nsvm_vcpu_vmentry(struct vcpu *v, struct cpu_user_regs *regs, /* Convert explicitely to boolean. Deals with l1 guests * that use flush-by-asid w/o checking the cpuid bits */ nv->nv_flushp2m = !!ns_vmcb->tlb_control; - if ( svm->ns_guest_asid != ns_vmcb->_guest_asid ) + if ( svm->ns_asid != vmcb_get_asid(ns_vmcb)) { nv->nv_flushp2m = 1; hvm_asid_flush_vcpu_asid(&vcpu_nestedhvm(v).nv_n2asid); - svm->ns_guest_asid = ns_vmcb->_guest_asid; + svm->ns_asid = vmcb_get_asid(ns_vmcb); } /* nested paging for the guest */ @@ -1046,7 +1046,7 @@ nsvm_vmcb_prepare4vmexit(struct vcpu *v, struct cpu_user_regs *regs) /* Keep it. It's maintainted by the l1 guest. */ /* ASID */ - /* ns_vmcb->_guest_asid = n2vmcb->_guest_asid; */ + /* vmcb_set_asid(ns_vmcb, vmcb_get_asid(n2vmcb)); */ /* TLB control */ ns_vmcb->tlb_control = 0; diff --git a/xen/arch/x86/hvm/svm/svmdebug.c b/xen/arch/x86/hvm/svm/svmdebug.c index 24358c6eea..0d714c728c 100644 --- a/xen/arch/x86/hvm/svm/svmdebug.c +++ b/xen/arch/x86/hvm/svm/svmdebug.c @@ -51,8 +51,8 @@ void svm_vmcb_dump(const char *from, const struct vmcb_struct *vmcb) vmcb->exitcode, vmcb->exit_int_info.raw); printk("exitinfo1 = %#"PRIx64" exitinfo2 = %#"PRIx64"\n", vmcb->exitinfo1, vmcb->exitinfo2); - printk("np_ctrl = %#"PRIx64" guest_asid = %#x\n", - vmcb_get_np_ctrl(vmcb), vmcb_get_guest_asid(vmcb)); + printk("np_ctrl = %#"PRIx64" asid = %#x\n", + vmcb_get_np_ctrl(vmcb), vmcb_get_asid(vmcb)); printk("virtual vmload/vmsave = %d, virt_ext = %#"PRIx64"\n", vmcb->virt_ext.fields.vloadsave_enable, vmcb->virt_ext.bytes); printk("cpl = %d efer = %#"PRIx64" star = %#"PRIx64" lstar = %#"PRIx64"\n", diff --git a/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h b/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h index 406fc082b1..7767cd6080 100644 --- a/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h +++ b/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h @@ -51,7 +51,7 @@ struct nestedsvm { * the l1 guest nested page table */ uint64_t ns_vmcb_guestcr3, ns_vmcb_hostcr3; - uint32_t ns_guest_asid; + uint32_t ns_asid; bool ns_hap_enabled; diff --git a/xen/arch/x86/include/asm/hvm/svm/vmcb.h b/xen/arch/x86/include/asm/hvm/svm/vmcb.h index bf2b8d9a94..0396d10b90 100644 --- a/xen/arch/x86/include/asm/hvm/svm/vmcb.h +++ b/xen/arch/x86/include/asm/hvm/svm/vmcb.h @@ -383,7 +383,7 @@ typedef union bool intercepts:1; /* 0: cr/dr/exception/general intercepts, * pause_filter_count, tsc_offset */ bool iopm:1; /* 1: iopm_base_pa, msrpm_base_pa */ - bool asid:1; /* 2: guest_asid */ + bool asid:1; /* 2: asid */ bool tpr:1; /* 3: vintr */ bool np:1; /* 4: np, h_cr3, g_pat */ bool cr:1; /* 5: cr0, cr3, cr4, efer */ @@ -413,7 +413,7 @@ struct vmcb_struct { u64 _iopm_base_pa; /* offset 0x40 - cleanbit 1 */ u64 _msrpm_base_pa; /* offset 0x48 - cleanbit 1 */ u64 _tsc_offset; /* offset 0x50 - cleanbit 0 */ - u32 _guest_asid; /* offset 0x58 - cleanbit 2 */ + u32 _asid; /* offset 0x58 - cleanbit 2 */ u8 tlb_control; /* offset 0x5C - TLB_CTRL_* */ u8 res07[3]; vintr_t _vintr; /* offset 0x60 - cleanbit 3 */ @@ -642,7 +642,7 @@ VMCB_ACCESSORS(pause_filter_thresh, intercepts) VMCB_ACCESSORS(tsc_offset, intercepts) VMCB_ACCESSORS(iopm_base_pa, iopm) VMCB_ACCESSORS(msrpm_base_pa, iopm) -VMCB_ACCESSORS(guest_asid, asid) +VMCB_ACCESSORS(asid, asid) VMCB_ACCESSORS(vintr, tpr) VMCB_ACCESSORS(np_ctrl, np) VMCB_ACCESSORS_(np, bool, np) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:00:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:00:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695704.1085626 (Exim 4.92) (envelope-from ) id 1rmpvp-0003lh-EK; Wed, 20 Mar 2024 07:00:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695704.1085626; Wed, 20 Mar 2024 07:00:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpvp-0003lW-BZ; Wed, 20 Mar 2024 07:00:13 +0000 Received: by outflank-mailman (input) for mailman id 695704; Wed, 20 Mar 2024 07:00:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpvn-0003lM-Sd for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpvn-0007cE-Ph for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpvn-0002ou-OF for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8ClKjTXngIU3rJ7MLNmdM/csyQ4883mJCoACAsw+Hz0=; b=uqVgDVAhJS4lnLYsyX2rwNrjw2 vyqi3xKtctcYaRY29V64t59A5sCprQGXOSC8T9Zewhgrh08XNmihDxQVzaY0Cfqwo/lm3zrj0LDfC WqXQtpGH+l8T0aYRlWOuNhzYh4KcNGJp2+eHDeL7TkgdeC6mFzqdk7TUhIWJR1qkSaM4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/svmdebug: Print np, sev and sev_es vmcb bits Message-Id: Date: Wed, 20 Mar 2024 07:00:11 +0000 commit 53b5208de8f3151be0729e6ac49c9b616c07c5ff Author: Vaishali Thakkar AuthorDate: Mon Mar 18 13:50:33 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:50:33 2024 +0100 x86/svmdebug: Print np, sev and sev_es vmcb bits Currently only raw _np_ctrl is being printed. It can be informational to know about which particular bits are enabled. So, this commit adds the bit-by-bit decode for np, sev and sev_es bits. Note that while, only np is enabled in certain scenarios at the moment, work for enabling sev and sev_es is in progress. And it'll be useful to have this information as part of svmdebug. Signed-off-by: Vaishali Thakkar Acked-by: Jan Beulich --- xen/arch/x86/hvm/svm/svmdebug.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/xen/arch/x86/hvm/svm/svmdebug.c b/xen/arch/x86/hvm/svm/svmdebug.c index 0d714c728c..9d3badcf5d 100644 --- a/xen/arch/x86/hvm/svm/svmdebug.c +++ b/xen/arch/x86/hvm/svm/svmdebug.c @@ -51,8 +51,11 @@ void svm_vmcb_dump(const char *from, const struct vmcb_struct *vmcb) vmcb->exitcode, vmcb->exit_int_info.raw); printk("exitinfo1 = %#"PRIx64" exitinfo2 = %#"PRIx64"\n", vmcb->exitinfo1, vmcb->exitinfo2); - printk("np_ctrl = %#"PRIx64" asid = %#x\n", - vmcb_get_np_ctrl(vmcb), vmcb_get_asid(vmcb)); + printk("asid = %#x np_ctrl = %#"PRIx64":%s%s%s\n", + vmcb_get_asid(vmcb), vmcb_get_np_ctrl(vmcb), + vmcb_get_np(vmcb) ? " NP" : "", + vmcb_get_sev(vmcb) ? " SEV" : "", + vmcb_get_sev_es(vmcb) ? " SEV_ES" : ""); printk("virtual vmload/vmsave = %d, virt_ext = %#"PRIx64"\n", vmcb->virt_ext.fields.vloadsave_enable, vmcb->virt_ext.bytes); printk("cpl = %d efer = %#"PRIx64" star = %#"PRIx64" lstar = %#"PRIx64"\n", -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:00:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:00:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695705.1085630 (Exim 4.92) (envelope-from ) id 1rmpvz-0003nw-FM; Wed, 20 Mar 2024 07:00:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695705.1085630; Wed, 20 Mar 2024 07:00:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpvz-0003no-Ct; Wed, 20 Mar 2024 07:00:23 +0000 Received: by outflank-mailman (input) for mailman id 695705; Wed, 20 Mar 2024 07:00:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpvx-0003ng-TR for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpvx-0007cU-Sf for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpvx-0003Cx-Rs for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NsoiwWUYMl/6lxPJyEvBjF18XNJ1TNlzXF2dY3TmRwg=; b=g8oIM94iwN/SNxt3U7nFtx8uxx +rVgkuBB0BXHUfIqD5J5YD21yNJHK/mwyZYlh7WMKopWDpgDprO/FDhVOyECbLBuZgMu3QGRnxBh9 6/N09J7hE2uaCLvHPdbMP9fqfi0oYgax/kldILYfpZRI3gPgv/P88GsLV5w1eqHFC3i0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] perfc: add pseudo-keyword fallthrough Message-Id: Date: Wed, 20 Mar 2024 07:00:21 +0000 commit 8a8d5c22afc515020669d9479b97e4ddda26d2b5 Author: Federico Serafini AuthorDate: Mon Mar 18 13:51:17 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:51:17 2024 +0100 perfc: add pseudo-keyword fallthrough Add pseudo-keyword fallthrough to make explicit the intention of the code and meet requirements to deviate MISRA C:2012 Rule 16.3 ("An unconditional `break' statement shall terminate every switch-clause"). No functional change. Signed-off-by: Federico Serafini Acked-by: Jan Beulich --- xen/common/perfc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/common/perfc.c b/xen/common/perfc.c index 7400667bf0..80480aa776 100644 --- a/xen/common/perfc.c +++ b/xen/common/perfc.c @@ -134,6 +134,7 @@ void cf_check perfc_reset(unsigned char key) case TYPE_SINGLE: for_each_online_cpu ( cpu ) per_cpu(perfcounters, cpu)[j] = 0; + fallthrough; case TYPE_S_SINGLE: ++j; break; @@ -141,6 +142,7 @@ void cf_check perfc_reset(unsigned char key) for_each_online_cpu ( cpu ) memset(per_cpu(perfcounters, cpu) + j, 0, perfc_info[i].nr_elements * sizeof(perfc_t)); + fallthrough; case TYPE_S_ARRAY: j += perfc_info[i].nr_elements; break; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:00:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:00:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695706.1085634 (Exim 4.92) (envelope-from ) id 1rmpw9-0003qi-Gm; Wed, 20 Mar 2024 07:00:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695706.1085634; Wed, 20 Mar 2024 07:00:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpw9-0003qb-EI; Wed, 20 Mar 2024 07:00:33 +0000 Received: by outflank-mailman (input) for mailman id 695706; Wed, 20 Mar 2024 07:00:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpw8-0003qG-2X for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpw8-0007cr-00 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpw7-0003Dc-Un for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Wyo6/ueelS3U4/Q/ioPtRvY5U4UIrmxfH83OProvYbc=; b=PgLKiICQuh9Qkrda3hja8MwxnB Vnb6Zx2zFz2eF7dDQ0KpDvWPU7Si7b5a/h+FmTcyiQyyTGB+ZuscyyEEm0vAIyuGziJMD2PAJ6MnD MarVUWFAklaadGWT3Hvo08v3RoPD7IRLjIttxQO7BFKSw5C14IcRqwXyTdakhJ6q57Ks=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] MAINTAINERS: drop AMD IOMMU and Intel VT-d sections Message-Id: Date: Wed, 20 Mar 2024 07:00:31 +0000 commit ad52857efcd6e662f4ef75bc9d27368c8b99f1a5 Author: Jan Beulich AuthorDate: Mon Mar 18 13:52:09 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:52:09 2024 +0100 MAINTAINERS: drop AMD IOMMU and Intel VT-d sections We'd like to thank Kevin, so far the VT-d maintainer, for his past contributions, while at the same time we'd like to reflect reality as it has been for quite some time. Have VT-d maintainership (and for symmetry also AMD IOMMU's) fall back to the maintainers of general x86. This also brings things in sync with how they are for Arm. While touching the X86 section also append two so far missing slashes. Signed-off-by: Jan Beulich Acked-by: Andrew Cooper Acked-by: Kevin Tian --- MAINTAINERS | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index b2cc3cc392..f294a80e65 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -220,12 +220,6 @@ F: xen/drivers/acpi/ F: xen/include/acpi/ F: tools/libacpi/ -AMD IOMMU -M: Jan Beulich -M: Andrew Cooper -S: Maintained -F: xen/drivers/passthrough/amd/ - ARGO M: Christopher Clark S: Maintained @@ -351,11 +345,6 @@ S: Odd Fixes F: xen/arch/x86/include/asm/tboot.h F: xen/arch/x86/tboot.c -INTEL(R) VT FOR DIRECTED I/O (VT-D) -M: Kevin Tian -S: Supported -F: xen/drivers/passthrough/vtd/ - IOMMU VENDOR INDEPENDENT CODE M: Jan Beulich R: Roger Pau Monné @@ -587,9 +576,11 @@ R: Wei Liu S: Supported L: xen-devel@lists.xenproject.org F: xen/arch/x86/ +F: xen/drivers/passthrough/amd/ +F: xen/drivers/passthrough/vtd/ F: xen/include/public/arch-x86/ -F: xen/include/xen/lib/x86 -F: xen/lib/x86 +F: xen/include/xen/lib/x86/ +F: xen/lib/x86/ F: xen/tools/gen-cpuid.py F: tools/firmware/hvmloader/ F: tools/firmware/rombios/ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:00:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:00:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695707.1085638 (Exim 4.92) (envelope-from ) id 1rmpwJ-0003tw-Jl; Wed, 20 Mar 2024 07:00:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695707.1085638; Wed, 20 Mar 2024 07:00:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwJ-0003to-H9; Wed, 20 Mar 2024 07:00:43 +0000 Received: by outflank-mailman (input) for mailman id 695707; Wed, 20 Mar 2024 07:00:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwI-0003tb-3Z for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwI-0007dA-2s for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpwI-0003ED-28 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RZPwxUCv1l5vs1C50CTxjZMRsw3FvuTyoEjsDoP0gcI=; b=EvsjnkGRV/ctoow7u+ayr2Gndv lNMIVwmZqyrVXVjoFEdUNSxwxLLyCPkAr9bT9F+DifP712YOe4p4altHbEs0OEMhCIwDSMJ/pFuCz qjcP4KRCpqX37IhKawazyTMngK2NhIhmjUss4QrYicnGe8iij/8Pf3wBeFJh1s2ol5GA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] MAINTAINERS: remove myself from various positions Message-Id: Date: Wed, 20 Mar 2024 07:00:42 +0000 commit a5b90a90eee4709a3fe434e7da83b8421528e8fe Author: Wei Liu AuthorDate: Mon Mar 18 13:52:35 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:52:35 2024 +0100 MAINTAINERS: remove myself from various positions I have not been active in the Xen community for some time. Update the MAINTAINERS file to reflect reality. Signed-off-by: Wei Liu Acked-by: Stefano Stabellini --- MAINTAINERS | 8 -------- 1 file changed, 8 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index f294a80e65..1bd22fd75f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -376,7 +376,6 @@ F: xen/arch/x86/machine_kexec.c F: xen/arch/x86/x86_64/kexec_reloc.S LIBS -M: Wei Liu M: Anthony PERARD R: Juergen Gross S: Supported @@ -411,7 +410,6 @@ F: xen/test/livepatch/* MINI-OS M: Samuel Thibault M: Juergen Gross -R: Wei Liu S: Supported L: minios-devel@lists.xenproject.org T: git https://xenbits.xenproject.org/git-http/mini-os.git @@ -425,7 +423,6 @@ F: tools/ocaml/ OVMF UPSTREAM M: Anthony PERARD -M: Wei Liu S: Supported T: git https://xenbits.xenproject.org/git-http/ovmf.git @@ -510,7 +507,6 @@ F: xen/arch/arm/include/asm/tee F: xen/arch/arm/tee/ TOOLSTACK -M: Wei Liu M: Anthony PERARD S: Supported F: autogen.sh @@ -572,7 +568,6 @@ X86 ARCHITECTURE M: Jan Beulich M: Andrew Cooper M: Roger Pau Monné -R: Wei Liu S: Supported L: xen-devel@lists.xenproject.org F: xen/arch/x86/ @@ -617,7 +612,6 @@ F: xen/arch/x86/mm/shadow/ X86 VIRIDIAN ENLIGHTENMENTS M: Paul Durrant -M: Wei Liu S: Supported F: xen/arch/x86/guest/hyperv/ F: xen/arch/x86/hvm/viridian/ @@ -627,7 +621,6 @@ F: xen/arch/x86/include/asm/guest/hyperv-tlfs.h F: xen/arch/x86/include/asm/hvm/viridian.h XENSTORE -M: Wei Liu M: Juergen Gross R: Julien Grall S: Supported @@ -673,7 +666,6 @@ M: George Dunlap M: Jan Beulich M: Julien Grall M: Stefano Stabellini -M: Wei Liu L: xen-devel@lists.xenproject.org S: Supported F: * -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:00:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:00:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695708.1085642 (Exim 4.92) (envelope-from ) id 1rmpwT-0003ww-LP; Wed, 20 Mar 2024 07:00:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695708.1085642; Wed, 20 Mar 2024 07:00:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwT-0003wn-IW; Wed, 20 Mar 2024 07:00:53 +0000 Received: by outflank-mailman (input) for mailman id 695708; Wed, 20 Mar 2024 07:00:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwS-0003wa-6j for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwS-0007dM-5x for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpwS-0003El-54 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:00:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=V/jfZ9HFZmv3v17bJoWMfqLg29Ptd2H6ti/8XFU4WjA=; b=fgO+eEaz5KQ8p92fCQDfeCPQt1 gjCt/oxgu2XybyYwjAbxkCE/Dp5FV5/N9aoXy7gFVQVlfO/d6BhBqe55kFF3LyZrpwCgGjinCs3kB Zg+R+zNtQsdiU2YPdIKKeVXJu6sL/dY/uWNJLzLmsr2uGHyqPkWB506AStFmOx3cMvg0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] automation/eclair: allow parameter name "unused" Message-Id: Date: Wed, 20 Mar 2024 07:00:52 +0000 commit f93d8dd5198c1ac0a4be5c7fb1b5a997d5c42a97 Author: Federico Serafini AuthorDate: Mon Mar 18 13:52:53 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:52:53 2024 +0100 automation/eclair: allow parameter name "unused" Update ECLAIR configuration of MISRA C:2012 Rule 8.3 to deviate violations involving parameter name "unused" (with an optional numeric suffix): it makes explicit the intention of not using such parameter within the function. Signed-off-by: Federico Serafini Reviewed-by: Stefano Stabellini --- automation/eclair_analysis/ECLAIR/deviations.ecl | 4 ++++ docs/misra/deviations.rst | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/automation/eclair_analysis/ECLAIR/deviations.ecl b/automation/eclair_analysis/ECLAIR/deviations.ecl index 53f7623454..de9ba723fb 100644 --- a/automation/eclair_analysis/ECLAIR/deviations.ecl +++ b/automation/eclair_analysis/ECLAIR/deviations.ecl @@ -167,6 +167,10 @@ const-qualified." -config=MC3R1.R8.3,reports+={deliberate,"any_area(any_loc(file(adopted_decompress_r8_3)))&&any_area(any_loc(file(^xen/include/xen/decompress\\.h$)))"} -doc_end +-doc_begin="Parameter name \"unused\" (with an optional numeric suffix) is deliberate and makes explicit the intention of not using such parameter within the function." +-config=MC3R1.R8.3,reports+={deliberate, "any_area(^.*parameter `unused[0-9]*'.*$)"} +-doc_end + -doc_begin="The following file is imported from Linux: ignore for now." -file_tag+={adopted_time_r8_3,"^xen/arch/x86/time\\.c$"} -config=MC3R1.R8.3,reports+={deliberate,"any_area(any_loc(file(adopted_time_r8_3)))&&(any_area(any_loc(file(^xen/include/xen/time\\.h$)))||any_area(any_loc(file(^xen/arch/x86/include/asm/setup\\.h$))))"} diff --git a/docs/misra/deviations.rst b/docs/misra/deviations.rst index 41fa5b31b0..eb5ef2bd9d 100644 --- a/docs/misra/deviations.rst +++ b/docs/misra/deviations.rst @@ -157,6 +157,12 @@ Deviations related to MISRA C:2012 Rules: - xen/common/unxz.c - xen/common/unzstd.c + * - R8.3 + - Parameter name "unused" (with an optional numeric suffix) is deliberate + and makes explicit the intention of not using such parameter within the + function. + - Tagged as `deliberate` for ECLAIR. + * - R8.4 - The definitions present in the files 'asm-offsets.c' for any architecture are used to generate definitions for asm modules, and are not called by -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:01:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:01:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695709.1085646 (Exim 4.92) (envelope-from ) id 1rmpwd-00041E-MT; Wed, 20 Mar 2024 07:01:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695709.1085646; Wed, 20 Mar 2024 07:01:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwd-000416-Jt; Wed, 20 Mar 2024 07:01:03 +0000 Received: by outflank-mailman (input) for mailman id 695709; Wed, 20 Mar 2024 07:01:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwc-00040q-9c for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwc-0007dn-8u for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpwc-0003FV-8D for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=6ytUf0KDIX8eMAdalEaA3Ozdk+SjI4fejv+I/0I21yE=; b=O0RmY3aIGbcC/D+/B2sRjPTt2t 90QhetOqxyeJR7h5SA8PDqwcaNalekNvjTwPGEHpQc5k4DX87DfdWmgKn8QvtYpCtAxLPa3v52loZ 9o4aUiAGgCZ+7X9xh2RyURXBALaQ1fTbECmz945zSSMixg8Vx0dtdcdTEK0IdpklSdH4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/sched: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 20 Mar 2024 07:01:02 +0000 commit d92a67b60c038ebb0f0b83a7f1ce5ad359e052d6 Author: Nicola Vetrini AuthorDate: Mon Mar 18 13:53:07 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:53:07 2024 +0100 xen/sched: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: George Dunlap --- xen/common/sched/private.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/sched/private.h b/xen/common/sched/private.h index 459d1dfb11..c0e7c96d24 100644 --- a/xen/common/sched/private.h +++ b/xen/common/sched/private.h @@ -540,7 +540,7 @@ static inline void sched_unit_unpause(const struct sched_unit *unit) } #define REGISTER_SCHEDULER(x) static const struct scheduler *x##_entry \ - __used_section(".data.schedulers") = &x + __used_section(".data.schedulers") = &(x) struct cpupool { -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:01:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:01:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695710.1085650 (Exim 4.92) (envelope-from ) id 1rmpwn-00044L-Nv; Wed, 20 Mar 2024 07:01:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695710.1085650; Wed, 20 Mar 2024 07:01:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwn-00044D-LR; Wed, 20 Mar 2024 07:01:13 +0000 Received: by outflank-mailman (input) for mailman id 695710; Wed, 20 Mar 2024 07:01:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwm-00043u-CT for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwm-0007eC-Bj for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpwm-0003Fu-B4 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=IBEzUqN5zYyHu+Ud1LGkki9uJzEVZpGIJxjZtZxG3T0=; b=v29u6F/utjJintYl7+7vwLWgrI 8o2y1rmeuDoe8EBw+Oy+fvpvay4d8PwTNGQv2YNkeTzxfaxKC+OfMyurBn78o2yMZ6cg7RmZ+GBuG Jt219Gy1ydweunP9lIxLpROiGF8pJPfHFS5ehgG6fLaHHoj5jN9bcmpdTezQDBXAqDb8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/mm: use block_lock_speculation() in _mm_write_lock() Message-Id: Date: Wed, 20 Mar 2024 07:01:12 +0000 commit 62018f08708a5ff6ef8fc8ff2aaaac46e5a60430 Author: Jan Beulich AuthorDate: Mon Mar 18 13:53:37 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 18 13:53:37 2024 +0100 x86/mm: use block_lock_speculation() in _mm_write_lock() I can only guess that using block_speculation() there was a leftover from, earlier on, SPECULATIVE_HARDEN_LOCK depending on SPECULATIVE_HARDEN_BRANCH. Fixes: 197ecd838a2a ("locking: attempt to ensure lock wrappers are always inline") Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper --- xen/arch/x86/mm/mm-locks.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 2eae73ac68..b098bbfae8 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -138,7 +138,7 @@ static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, _set_lock_level(_lock_level(d, level)); } else - block_speculation(); + block_lock_speculation(); l->recurse_count++; } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:01:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:01:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695712.1085654 (Exim 4.92) (envelope-from ) id 1rmpwx-00047D-Q0; Wed, 20 Mar 2024 07:01:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695712.1085654; Wed, 20 Mar 2024 07:01:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpwx-000476-Mx; Wed, 20 Mar 2024 07:01:23 +0000 Received: by outflank-mailman (input) for mailman id 695712; Wed, 20 Mar 2024 07:01:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpww-00046l-Fg for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpww-0007eR-F0 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpww-0003Gr-E8 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qfeiozONKMwKVffl92DzE1vCLhF+STufDm2OVBN9qo4=; b=W3fpkPmyJ7ulBcWas1dUgp2YmR YHUCB4ho5afRYI+ua0/aFN1Cjc26AmKT8kB0GOrnXlc1sk6op8WMbsmRt04sUxODIUTPmhZFPqgkm 2LEmKvp5wMxCxmvwOwzU7JaMarfi7cPeMOjH4ZsR94+R824XLtfdPIY1Lu8wKSKoOPtI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] IOMMU: store name for extra reserved device memory Message-Id: Date: Wed, 20 Mar 2024 07:01:22 +0000 commit a97de92e76a62e786cb8a3b5cd75f9df5c96e8e6 Author: Marek Marczykowski-Górecki AuthorDate: Tue Mar 19 11:23:06 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:23:06 2024 +0100 IOMMU: store name for extra reserved device memory It will be useful for error reporting in a subsequent patch. Signed-off-by: Marek Marczykowski-Górecki Acked-by: Jan Beulich --- xen/drivers/char/xhci-dbc.c | 3 ++- xen/drivers/passthrough/iommu.c | 5 ++++- xen/include/xen/iommu.h | 3 ++- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/xen/drivers/char/xhci-dbc.c b/xen/drivers/char/xhci-dbc.c index 3bf389be7d..8e2037f1a5 100644 --- a/xen/drivers/char/xhci-dbc.c +++ b/xen/drivers/char/xhci-dbc.c @@ -1421,7 +1421,8 @@ void __init xhci_dbc_uart_init(void) iommu_add_extra_reserved_device_memory( PFN_DOWN(virt_to_maddr(&dbc_dma_bufs)), PFN_UP(sizeof(dbc_dma_bufs)), - uart->dbc.sbdf); + uart->dbc.sbdf, + "XHCI console"); serial_register_uart(SERHND_XHCI, &dbc_uart_driver, &dbc_uart); } } diff --git a/xen/drivers/passthrough/iommu.c b/xen/drivers/passthrough/iommu.c index 996c31be12..03587c0cd6 100644 --- a/xen/drivers/passthrough/iommu.c +++ b/xen/drivers/passthrough/iommu.c @@ -682,6 +682,7 @@ struct extra_reserved_range { unsigned long start; unsigned long nr; pci_sbdf_t sbdf; + const char *name; }; static unsigned int __initdata nr_extra_reserved_ranges; static struct extra_reserved_range __initdata @@ -689,7 +690,8 @@ static struct extra_reserved_range __initdata int __init iommu_add_extra_reserved_device_memory(unsigned long start, unsigned long nr, - pci_sbdf_t sbdf) + pci_sbdf_t sbdf, + const char *name) { unsigned int idx; @@ -700,6 +702,7 @@ int __init iommu_add_extra_reserved_device_memory(unsigned long start, extra_reserved_ranges[idx].start = start; extra_reserved_ranges[idx].nr = nr; extra_reserved_ranges[idx].sbdf = sbdf; + extra_reserved_ranges[idx].name = name; return 0; } diff --git a/xen/include/xen/iommu.h b/xen/include/xen/iommu.h index ef57f31417..a9c9457c07 100644 --- a/xen/include/xen/iommu.h +++ b/xen/include/xen/iommu.h @@ -326,7 +326,8 @@ struct iommu_ops { */ extern int iommu_add_extra_reserved_device_memory(unsigned long start, unsigned long nr, - pci_sbdf_t sbdf); + pci_sbdf_t sbdf, + const char *name); /* * To be called by specific IOMMU driver during initialization, * to fetch ranges registered with iommu_add_extra_reserved_device_memory(). -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:01:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:01:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695713.1085659 (Exim 4.92) (envelope-from ) id 1rmpx7-0004AG-SU; Wed, 20 Mar 2024 07:01:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695713.1085659; Wed, 20 Mar 2024 07:01:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpx7-0004A7-Oi; Wed, 20 Mar 2024 07:01:33 +0000 Received: by outflank-mailman (input) for mailman id 695713; Wed, 20 Mar 2024 07:01:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpx6-00049w-J7 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpx6-0007ec-IP for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpx6-0003Hg-Hh for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=D+FKYOkFvsbB6ZyF+AGn91xiWXxZ21rGv6vo96QsZuY=; b=19qHfemn17fDBdheDEEmFHKt6c MdunLhBuWZDjkaX1+uIMTPDNRboJP5X0r0EC33FDrWqdWAp9DQdQKZSObSMVizEdZNXRgLIjCNtwM nZAIML3WpBVvz+ZGVqSv0c5ZdT58ZpzofHfH5J0Q3pa421OV2u99ct9f+EWO2OqqcKKI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/spinlock: introduce new type for recursive spinlocks Message-Id: Date: Wed, 20 Mar 2024 07:01:32 +0000 commit 475080b6b2010d1c7671896c9caad4d360c4df9b Author: Juergen Gross AuthorDate: Tue Mar 19 11:23:53 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:23:53 2024 +0100 xen/spinlock: introduce new type for recursive spinlocks Introduce a new type "rspinlock_t" to be used for recursive spinlocks. For now it is only an alias of spinlock_t, so both types can still be used for recursive spinlocks. This will be changed later, though. Switch all recursive spinlocks to the new type. Define the initializer helpers and use them where appropriate. Signed-off-by: Juergen Gross Acked-by: Julien Grall Acked-by: Jan Beulich --- xen/arch/x86/include/asm/mm.h | 2 +- xen/arch/x86/mm/mm-locks.h | 2 +- xen/common/domain.c | 4 ++-- xen/common/ioreq.c | 2 +- xen/drivers/char/console.c | 4 ++-- xen/drivers/passthrough/pci.c | 2 +- xen/include/xen/sched.h | 6 +++--- xen/include/xen/spinlock.h | 19 +++++++++++++++---- 8 files changed, 26 insertions(+), 15 deletions(-) diff --git a/xen/arch/x86/include/asm/mm.h b/xen/arch/x86/include/asm/mm.h index 65d209d5ff..98b66edaca 100644 --- a/xen/arch/x86/include/asm/mm.h +++ b/xen/arch/x86/include/asm/mm.h @@ -597,7 +597,7 @@ unsigned long domain_get_maximum_gpfn(struct domain *d); /* Definition of an mm lock: spinlock with extra fields for debugging */ typedef struct mm_lock { - spinlock_t lock; + rspinlock_t lock; int unlock_level; int locker; /* processor which holds the lock */ const char *locker_function; /* func that took it */ diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index b098bbfae8..62ec897295 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -20,7 +20,7 @@ DECLARE_PERCPU_RWLOCK_GLOBAL(p2m_percpu_rwlock); static inline void mm_lock_init(mm_lock_t *l) { - spin_lock_init(&l->lock); + rspin_lock_init(&l->lock); l->locker = -1; l->locker_function = "nobody"; l->unlock_level = 0; diff --git a/xen/common/domain.c b/xen/common/domain.c index 1f0d23a1e0..9b42eee44a 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -631,8 +631,8 @@ struct domain *domain_create(domid_t domid, atomic_set(&d->refcnt, 1); RCU_READ_LOCK_INIT(&d->rcu_lock); - spin_lock_init_prof(d, domain_lock); - spin_lock_init_prof(d, page_alloc_lock); + rspin_lock_init_prof(d, domain_lock); + rspin_lock_init_prof(d, page_alloc_lock); spin_lock_init(&d->hypercall_deadlock_mutex); INIT_PAGE_LIST_HEAD(&d->page_list); INIT_PAGE_LIST_HEAD(&d->extra_page_list); diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c index 62b907f4c4..652c18a9b5 100644 --- a/xen/common/ioreq.c +++ b/xen/common/ioreq.c @@ -1331,7 +1331,7 @@ unsigned int ioreq_broadcast(ioreq_t *p, bool buffered) void ioreq_domain_init(struct domain *d) { - spin_lock_init(&d->ioreq_server.lock); + rspin_lock_init(&d->ioreq_server.lock); arch_ioreq_domain_init(d); } diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c index d2cb0530b2..6a88a0b32c 100644 --- a/xen/drivers/char/console.c +++ b/xen/drivers/char/console.c @@ -119,7 +119,7 @@ static int __read_mostly sercon_handle = -1; int8_t __read_mostly opt_console_xen; /* console=xen */ #endif -static DEFINE_SPINLOCK(console_lock); +static DEFINE_RSPINLOCK(console_lock); /* * To control the amount of printing, thresholds are added. @@ -1177,7 +1177,7 @@ void console_force_unlock(void) { watchdog_disable(); spin_debug_disable(); - spin_lock_init(&console_lock); + rspin_lock_init(&console_lock); serial_force_unlock(sercon_handle); console_locks_busted = 1; console_start_sync(); diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index 6a1eda675d..b6b2196ab0 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -50,7 +50,7 @@ struct pci_seg { } bus2bridge[MAX_BUSES]; }; -static spinlock_t _pcidevs_lock = SPIN_LOCK_UNLOCKED; +static DEFINE_RSPINLOCK(_pcidevs_lock); /* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ void pcidevs_lock_unsafe(void) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 7c6be0931a..36c6925640 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -376,9 +376,9 @@ struct domain rcu_read_lock_t rcu_lock; - spinlock_t domain_lock; + rspinlock_t domain_lock; - spinlock_t page_alloc_lock; /* protects all the following fields */ + rspinlock_t page_alloc_lock; /* protects all the following fields */ struct page_list_head page_list; /* linked list */ struct page_list_head extra_page_list; /* linked list (size extra_pages) */ struct page_list_head xenpage_list; /* linked list (size xenheap_pages) */ @@ -622,7 +622,7 @@ struct domain #ifdef CONFIG_IOREQ_SERVER /* Lock protects all other values in the sub-struct */ struct { - spinlock_t lock; + rspinlock_t lock; struct ioreq_server *server[MAX_NR_IOREQ_SERVERS]; } ioreq_server; #endif diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 8a443efc19..bbf12b93c4 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -46,7 +46,7 @@ union lock_debug { }; lock profiling on: Global locks which should be subject to profiling must be declared via - DEFINE_SPINLOCK. + DEFINE_[R]SPINLOCK. For locks in structures further measures are necessary: - the structure definition must include a profile_head with exactly this @@ -57,7 +57,7 @@ union lock_debug { }; - the single locks which are subject to profiling have to be initialized via - spin_lock_init_prof(ptr, lock); + [r]spin_lock_init_prof(ptr, lock); with ptr being the main structure pointer and lock the spinlock field @@ -110,12 +110,16 @@ struct lock_profile_qhead { spinlock_t l = SPIN_LOCK_UNLOCKED_(NULL); \ static struct lock_profile lock_profile_data__##l = LOCK_PROFILE_(l); \ LOCK_PROFILE_PTR_(l) +#define DEFINE_RSPINLOCK(l) \ + rspinlock_t l = SPIN_LOCK_UNLOCKED_(NULL); \ + static struct lock_profile lock_profile_data__##l = LOCK_PROFILE_(l); \ + LOCK_PROFILE_PTR_(l) -#define spin_lock_init_prof(s, l) \ +#define spin_lock_init_prof__(s, l, locktype) \ do { \ struct lock_profile *prof; \ prof = xzalloc(struct lock_profile); \ - (s)->l = (spinlock_t)SPIN_LOCK_UNLOCKED_(prof); \ + (s)->l = (locktype)SPIN_LOCK_UNLOCKED_(prof); \ if ( !prof ) \ { \ printk(XENLOG_WARNING \ @@ -129,6 +133,9 @@ struct lock_profile_qhead { (s)->profile_head.elem_q = prof; \ } while( 0 ) +#define spin_lock_init_prof(s, l) spin_lock_init_prof__(s, l, spinlock_t) +#define rspin_lock_init_prof(s, l) spin_lock_init_prof__(s, l, rspinlock_t) + void _lock_profile_register_struct( int32_t type, struct lock_profile_qhead *qhead, int32_t idx); void _lock_profile_deregister_struct(int32_t type, @@ -152,8 +159,10 @@ struct lock_profile_qhead { }; .debug = LOCK_DEBUG_, \ } #define DEFINE_SPINLOCK(l) spinlock_t l = SPIN_LOCK_UNLOCKED +#define DEFINE_RSPINLOCK(l) rspinlock_t l = SPIN_LOCK_UNLOCKED #define spin_lock_init_prof(s, l) spin_lock_init(&((s)->l)) +#define rspin_lock_init_prof(s, l) rspin_lock_init(&((s)->l)) #define lock_profile_register_struct(type, ptr, idx) #define lock_profile_deregister_struct(type, ptr) #define spinlock_profile_printall(key) @@ -183,8 +192,10 @@ typedef struct spinlock { #endif } spinlock_t; +typedef spinlock_t rspinlock_t; #define spin_lock_init(l) (*(l) = (spinlock_t)SPIN_LOCK_UNLOCKED) +#define rspin_lock_init(l) (*(l) = (rspinlock_t)SPIN_LOCK_UNLOCKED) void _spin_lock(spinlock_t *lock); void _spin_lock_cb(spinlock_t *lock, void (*cb)(void *data), void *data); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:01:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:01:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695714.1085662 (Exim 4.92) (envelope-from ) id 1rmpxH-0004Dt-US; Wed, 20 Mar 2024 07:01:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695714.1085662; Wed, 20 Mar 2024 07:01:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxH-0004Dm-Rq; Wed, 20 Mar 2024 07:01:43 +0000 Received: by outflank-mailman (input) for mailman id 695714; Wed, 20 Mar 2024 07:01:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxG-0004DV-Mn for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxG-0007gR-M7 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpxG-0003IT-LN for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jn+rOOnhiqr53Gh4Z4xG4JnEamh+NjVMDRsh78m/Qu0=; b=C5YkFzpK2apLkLlsV1uV5mgsJR A4tRoReE/0lRwDgUcDU2pYrA5zvYkaJzv0zlFsSBPuemPCFjRiTszQZGVZ4nek0W04tJnnNCxd8jL hSYpTg/UL+oTHV40ZErFlmUoW3HS2PxpDPZbQ7DVAxbVMpsH/EQgqTqzZfe1XisoNkZs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/spinlock: rename recursive lock functions Message-Id: Date: Wed, 20 Mar 2024 07:01:42 +0000 commit c9aca2a1f6aef647d1bb71b9a465120336596085 Author: Juergen Gross AuthorDate: Tue Mar 19 11:25:07 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:25:07 2024 +0100 xen/spinlock: rename recursive lock functions Rename the recursive spin_lock() functions by replacing the trailing "_recursive" with a leading "r". Switch the parameter to be a pointer to rspinlock_t. Suggested-by: Jan Beulich Signed-off-by: Juergen Gross Acked-by: Julien Grall Acked-by: Jan Beulich --- xen/arch/arm/domain.c | 4 ++-- xen/arch/x86/domain.c | 8 +++---- xen/arch/x86/mm/mem_sharing.c | 8 +++---- xen/arch/x86/mm/mm-locks.h | 4 ++-- xen/common/ioreq.c | 52 +++++++++++++++++++++---------------------- xen/common/page_alloc.c | 12 +++++----- xen/common/spinlock.c | 12 +++++----- xen/drivers/char/console.c | 12 +++++----- xen/drivers/passthrough/pci.c | 4 ++-- xen/include/xen/sched.h | 4 ++-- xen/include/xen/spinlock.h | 18 +++++++-------- 11 files changed, 68 insertions(+), 70 deletions(-) diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c index 5e7a7f3e7e..f38cb5e04c 100644 --- a/xen/arch/arm/domain.c +++ b/xen/arch/arm/domain.c @@ -987,7 +987,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) int ret = 0; /* Use a recursive lock, as we may enter 'free_domheap_page'. */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); page_list_for_each_safe( page, tmp, list ) { @@ -1014,7 +1014,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list) } out: - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); return ret; } diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c index bda853e3c9..a11c55f921 100644 --- a/xen/arch/x86/domain.c +++ b/xen/arch/x86/domain.c @@ -1323,7 +1323,7 @@ int arch_set_info_guest( { bool done = false; - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); for ( i = 0; ; ) { @@ -1344,7 +1344,7 @@ int arch_set_info_guest( break; } - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); if ( !done ) return -ERESTART; @@ -2183,7 +2183,7 @@ static int relinquish_memory( int ret = 0; /* Use a recursive lock, as we may enter 'free_domheap_page'. */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); while ( (page = page_list_remove_head(list)) ) { @@ -2324,7 +2324,7 @@ static int relinquish_memory( page_list_move(list, &d->arch.relmem_list); out: - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); return ret; } diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c index fe299a2bf9..f58576c702 100644 --- a/xen/arch/x86/mm/mem_sharing.c +++ b/xen/arch/x86/mm/mem_sharing.c @@ -682,7 +682,7 @@ static int page_make_sharable(struct domain *d, int rc = 0; bool drop_dom_ref = false; - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); if ( d->is_dying ) { @@ -725,7 +725,7 @@ static int page_make_sharable(struct domain *d, } out: - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); if ( drop_dom_ref ) put_domain(d); @@ -1936,7 +1936,7 @@ int mem_sharing_fork_reset(struct domain *d, bool reset_state, goto state; /* need recursive lock because we will free pages */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); page_list_for_each_safe(page, tmp, &d->page_list) { shr_handle_t sh; @@ -1965,7 +1965,7 @@ int mem_sharing_fork_reset(struct domain *d, bool reset_state, put_page_alloc_ref(page); put_page_and_type(page); } - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); state: if ( reset_state ) diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 62ec897295..a695a28324 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -79,7 +79,7 @@ static always_inline void _mm_lock(const struct domain *d, mm_lock_t *l, { if ( !((mm_locked_by_me(l)) && rec) ) _check_lock_level(d, level); - spin_lock_recursive(&l->lock); + rspin_lock(&l->lock); if ( l->lock.recurse_cnt == 1 ) { l->locker_function = func; @@ -202,7 +202,7 @@ static inline void mm_unlock(mm_lock_t *l) l->locker_function = "nobody"; _set_lock_level(l->unlock_level); } - spin_unlock_recursive(&l->lock); + rspin_unlock(&l->lock); } static inline void mm_enforce_order_unlock(int unlock_level, diff --git a/xen/common/ioreq.c b/xen/common/ioreq.c index 652c18a9b5..1257a3d972 100644 --- a/xen/common/ioreq.c +++ b/xen/common/ioreq.c @@ -329,7 +329,7 @@ bool is_ioreq_server_page(struct domain *d, const struct page_info *page) unsigned int id; bool found = false; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); FOR_EACH_IOREQ_SERVER(d, id, s) { @@ -340,7 +340,7 @@ bool is_ioreq_server_page(struct domain *d, const struct page_info *page) } } - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return found; } @@ -658,7 +658,7 @@ static int ioreq_server_create(struct domain *d, int bufioreq_handling, return -ENOMEM; domain_pause(d); - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); for ( i = 0; i < MAX_NR_IOREQ_SERVERS; i++ ) { @@ -686,13 +686,13 @@ static int ioreq_server_create(struct domain *d, int bufioreq_handling, if ( id ) *id = i; - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); domain_unpause(d); return 0; fail: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); domain_unpause(d); xfree(s); @@ -704,7 +704,7 @@ static int ioreq_server_destroy(struct domain *d, ioservid_t id) struct ioreq_server *s; int rc; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -736,7 +736,7 @@ static int ioreq_server_destroy(struct domain *d, ioservid_t id) rc = 0; out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -749,7 +749,7 @@ static int ioreq_server_get_info(struct domain *d, ioservid_t id, struct ioreq_server *s; int rc; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -783,7 +783,7 @@ static int ioreq_server_get_info(struct domain *d, ioservid_t id, rc = 0; out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -796,7 +796,7 @@ int ioreq_server_get_frame(struct domain *d, ioservid_t id, ASSERT(is_hvm_domain(d)); - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -834,7 +834,7 @@ int ioreq_server_get_frame(struct domain *d, ioservid_t id, } out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -850,7 +850,7 @@ static int ioreq_server_map_io_range(struct domain *d, ioservid_t id, if ( start > end ) return -EINVAL; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -886,7 +886,7 @@ static int ioreq_server_map_io_range(struct domain *d, ioservid_t id, rc = rangeset_add_range(r, start, end); out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -902,7 +902,7 @@ static int ioreq_server_unmap_io_range(struct domain *d, ioservid_t id, if ( start > end ) return -EINVAL; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -938,7 +938,7 @@ static int ioreq_server_unmap_io_range(struct domain *d, ioservid_t id, rc = rangeset_remove_range(r, start, end); out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -963,7 +963,7 @@ int ioreq_server_map_mem_type(struct domain *d, ioservid_t id, if ( flags & ~XEN_DMOP_IOREQ_MEM_ACCESS_WRITE ) return -EINVAL; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -978,7 +978,7 @@ int ioreq_server_map_mem_type(struct domain *d, ioservid_t id, rc = arch_ioreq_server_map_mem_type(d, s, flags); out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); if ( rc == 0 ) arch_ioreq_server_map_mem_type_completed(d, s, flags); @@ -992,7 +992,7 @@ static int ioreq_server_set_state(struct domain *d, ioservid_t id, struct ioreq_server *s; int rc; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); s = get_ioreq_server(d, id); @@ -1016,7 +1016,7 @@ static int ioreq_server_set_state(struct domain *d, ioservid_t id, rc = 0; out: - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -1026,7 +1026,7 @@ int ioreq_server_add_vcpu_all(struct domain *d, struct vcpu *v) unsigned int id; int rc; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); FOR_EACH_IOREQ_SERVER(d, id, s) { @@ -1035,7 +1035,7 @@ int ioreq_server_add_vcpu_all(struct domain *d, struct vcpu *v) goto fail; } - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return 0; @@ -1050,7 +1050,7 @@ int ioreq_server_add_vcpu_all(struct domain *d, struct vcpu *v) ioreq_server_remove_vcpu(s, v); } - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); return rc; } @@ -1060,12 +1060,12 @@ void ioreq_server_remove_vcpu_all(struct domain *d, struct vcpu *v) struct ioreq_server *s; unsigned int id; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); FOR_EACH_IOREQ_SERVER(d, id, s) ioreq_server_remove_vcpu(s, v); - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); } void ioreq_server_destroy_all(struct domain *d) @@ -1076,7 +1076,7 @@ void ioreq_server_destroy_all(struct domain *d) if ( !arch_ioreq_server_destroy_all(d) ) return; - spin_lock_recursive(&d->ioreq_server.lock); + rspin_lock(&d->ioreq_server.lock); /* No need to domain_pause() as the domain is being torn down */ @@ -1094,7 +1094,7 @@ void ioreq_server_destroy_all(struct domain *d) xfree(s); } - spin_unlock_recursive(&d->ioreq_server.lock); + rspin_unlock(&d->ioreq_server.lock); } struct ioreq_server *ioreq_server_select(struct domain *d, diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 2ec17df9b4..b4e0ef3a4c 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -2500,7 +2500,7 @@ void free_domheap_pages(struct page_info *pg, unsigned int order) if ( unlikely(is_xen_heap_page(pg)) ) { /* NB. May recursively lock from relinquish_memory(). */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); for ( i = 0; i < (1 << order); i++ ) arch_free_heap_page(d, &pg[i]); @@ -2508,7 +2508,7 @@ void free_domheap_pages(struct page_info *pg, unsigned int order) d->xenheap_pages -= 1 << order; drop_dom_ref = (d->xenheap_pages == 0); - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); } else { @@ -2517,7 +2517,7 @@ void free_domheap_pages(struct page_info *pg, unsigned int order) if ( likely(d) && likely(d != dom_cow) ) { /* NB. May recursively lock from relinquish_memory(). */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); for ( i = 0; i < (1 << order); i++ ) { @@ -2540,7 +2540,7 @@ void free_domheap_pages(struct page_info *pg, unsigned int order) drop_dom_ref = !domain_adjust_tot_pages(d, -(1 << order)); - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); /* * Normally we expect a domain to clear pages before freeing them, @@ -2756,7 +2756,7 @@ void free_domstatic_page(struct page_info *page) ASSERT_ALLOC_CONTEXT(); /* NB. May recursively lock from relinquish_memory(). */ - spin_lock_recursive(&d->page_alloc_lock); + rspin_lock(&d->page_alloc_lock); arch_free_heap_page(d, page); @@ -2767,7 +2767,7 @@ void free_domstatic_page(struct page_info *page) /* Add page on the resv_page_list *after* it has been freed. */ page_list_add_tail(page, &d->resv_page_list); - spin_unlock_recursive(&d->page_alloc_lock); + rspin_unlock(&d->page_alloc_lock); if ( drop_dom_ref ) put_domain(d); diff --git a/xen/common/spinlock.c b/xen/common/spinlock.c index 09028af864..11e13e1259 100644 --- a/xen/common/spinlock.c +++ b/xen/common/spinlock.c @@ -436,7 +436,7 @@ void _spin_barrier(spinlock_t *lock) smp_mb(); } -int _spin_trylock_recursive(spinlock_t *lock) +bool _rspin_trylock(rspinlock_t *lock) { unsigned int cpu = smp_processor_id(); @@ -448,8 +448,8 @@ int _spin_trylock_recursive(spinlock_t *lock) if ( likely(lock->recurse_cpu != cpu) ) { - if ( !spin_trylock(lock) ) - return 0; + if ( !_spin_trylock(lock) ) + return false; lock->recurse_cpu = cpu; } @@ -457,10 +457,10 @@ int _spin_trylock_recursive(spinlock_t *lock) ASSERT(lock->recurse_cnt < SPINLOCK_MAX_RECURSE); lock->recurse_cnt++; - return 1; + return true; } -void _spin_lock_recursive(spinlock_t *lock) +void _rspin_lock(rspinlock_t *lock) { unsigned int cpu = smp_processor_id(); @@ -475,7 +475,7 @@ void _spin_lock_recursive(spinlock_t *lock) lock->recurse_cnt++; } -void _spin_unlock_recursive(spinlock_t *lock) +void _rspin_unlock(rspinlock_t *lock) { if ( likely(--lock->recurse_cnt == 0) ) { diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c index 6a88a0b32c..eca17b55b4 100644 --- a/xen/drivers/char/console.c +++ b/xen/drivers/char/console.c @@ -919,7 +919,7 @@ static void vprintk_common(const char *prefix, const char *fmt, va_list args) /* console_lock can be acquired recursively from __printk_ratelimit(). */ local_irq_save(flags); - spin_lock_recursive(&console_lock); + rspin_lock(&console_lock); state = &this_cpu(state); (void)vsnprintf(buf, sizeof(buf), fmt, args); @@ -955,7 +955,7 @@ static void vprintk_common(const char *prefix, const char *fmt, va_list args) state->continued = 1; } - spin_unlock_recursive(&console_lock); + rspin_unlock(&console_lock); local_irq_restore(flags); } @@ -1162,14 +1162,14 @@ unsigned long console_lock_recursive_irqsave(void) unsigned long flags; local_irq_save(flags); - spin_lock_recursive(&console_lock); + rspin_lock(&console_lock); return flags; } void console_unlock_recursive_irqrestore(unsigned long flags) { - spin_unlock_recursive(&console_lock); + rspin_unlock(&console_lock); local_irq_restore(flags); } @@ -1230,12 +1230,12 @@ int __printk_ratelimit(int ratelimit_ms, int ratelimit_burst) char lost_str[8]; snprintf(lost_str, sizeof(lost_str), "%d", lost); /* console_lock may already be acquired by printk(). */ - spin_lock_recursive(&console_lock); + rspin_lock(&console_lock); printk_start_of_line("(XEN) "); __putstr("printk: "); __putstr(lost_str); __putstr(" messages suppressed.\n"); - spin_unlock_recursive(&console_lock); + rspin_unlock(&console_lock); } local_irq_restore(flags); return 1; diff --git a/xen/drivers/passthrough/pci.c b/xen/drivers/passthrough/pci.c index b6b2196ab0..4fcc7e2cde 100644 --- a/xen/drivers/passthrough/pci.c +++ b/xen/drivers/passthrough/pci.c @@ -55,12 +55,12 @@ static DEFINE_RSPINLOCK(_pcidevs_lock); /* Do not use, as it has no speculation barrier, use pcidevs_lock() instead. */ void pcidevs_lock_unsafe(void) { - _spin_lock_recursive(&_pcidevs_lock); + _rspin_lock(&_pcidevs_lock); } void pcidevs_unlock(void) { - spin_unlock_recursive(&_pcidevs_lock); + rspin_unlock(&_pcidevs_lock); } bool pcidevs_locked(void) diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h index 36c6925640..132b841995 100644 --- a/xen/include/xen/sched.h +++ b/xen/include/xen/sched.h @@ -358,8 +358,8 @@ struct sched_unit { (v) = (v)->next_in_list ) /* Per-domain lock can be recursively acquired in fault handlers. */ -#define domain_lock(d) spin_lock_recursive(&(d)->domain_lock) -#define domain_unlock(d) spin_unlock_recursive(&(d)->domain_lock) +#define domain_lock(d) rspin_lock(&(d)->domain_lock) +#define domain_unlock(d) rspin_unlock(&(d)->domain_lock) struct evtchn_port_ops; diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index bbf12b93c4..50f6580f52 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -210,10 +210,6 @@ int _spin_is_locked(const spinlock_t *lock); int _spin_trylock(spinlock_t *lock); void _spin_barrier(spinlock_t *lock); -int _spin_trylock_recursive(spinlock_t *lock); -void _spin_lock_recursive(spinlock_t *lock); -void _spin_unlock_recursive(spinlock_t *lock); - static always_inline void spin_lock(spinlock_t *l) { _spin_lock(l); @@ -268,21 +264,23 @@ static always_inline void spin_lock_if(bool condition, spinlock_t *l) #define spin_barrier(l) _spin_barrier(l) /* - * spin_[un]lock_recursive(): Use these forms when the lock can (safely!) be + * rspin_[un]lock(): Use these forms when the lock can (safely!) be * reentered recursively on the same CPU. All critical regions that may form * part of a recursively-nested set must be protected by these forms. If there * are any critical regions that cannot form part of such a set, they can use * standard spin_[un]lock(). */ -#define spin_trylock_recursive(l) \ - lock_evaluate_nospec(_spin_trylock_recursive(l)) +bool _rspin_trylock(rspinlock_t *lock); +void _rspin_lock(rspinlock_t *lock); +void _rspin_unlock(rspinlock_t *lock); -static always_inline void spin_lock_recursive(spinlock_t *l) +static always_inline void rspin_lock(rspinlock_t *lock) { - _spin_lock_recursive(l); + _rspin_lock(lock); block_lock_speculation(); } -#define spin_unlock_recursive(l) _spin_unlock_recursive(l) +#define rspin_trylock(l) lock_evaluate_nospec(_rspin_trylock(l)) +#define rspin_unlock(l) _rspin_unlock(l) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:01:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:01:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695715.1085666 (Exim 4.92) (envelope-from ) id 1rmpxS-0004Gh-0C; Wed, 20 Mar 2024 07:01:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695715.1085666; Wed, 20 Mar 2024 07:01:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxR-0004GZ-Th; Wed, 20 Mar 2024 07:01:53 +0000 Received: by outflank-mailman (input) for mailman id 695715; Wed, 20 Mar 2024 07:01:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxQ-0004GT-Q2 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxQ-0007gm-PI for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpxQ-0003JM-OX for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:01:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=jmYvLdaq2KU4Yw2pn3q8fP7WuzUO/T3yxosSjtqltG0=; b=iDu2aeK+kE9xMNXD7QJTIlev6I jL/aa+gSLEX5Lrbd67HvLpcTPOGnrA80C3q3C0Jw3UHGCzJ8FKKvujkSAg0IVfZwh3Z+/h9CdrURI oFBedr/Am3unn0ci/h99FmqxQhpql14gDK42HPg0vyzd0ke5JitTUYGrk2Mt0RB27y4M=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/spinlock: add rspin_[un]lock_irq[save|restore]() Message-Id: Date: Wed, 20 Mar 2024 07:01:52 +0000 commit cc3e8df542ed1edc275a8cedd1e9de43d971eb09 Author: Juergen Gross AuthorDate: Tue Mar 19 11:25:59 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:25:59 2024 +0100 xen/spinlock: add rspin_[un]lock_irq[save|restore]() Instead of special casing rspin_lock_irqsave() and rspin_unlock_irqrestore() for the console lock, add those functions to spinlock handling and use them where needed. Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich --- xen/common/spinlock.c | 16 ++++++++++++++++ xen/drivers/char/console.c | 6 ++---- xen/include/xen/spinlock.h | 9 +++++++++ 3 files changed, 27 insertions(+), 4 deletions(-) diff --git a/xen/common/spinlock.c b/xen/common/spinlock.c index 11e13e1259..0e628b3513 100644 --- a/xen/common/spinlock.c +++ b/xen/common/spinlock.c @@ -475,6 +475,16 @@ void _rspin_lock(rspinlock_t *lock) lock->recurse_cnt++; } +unsigned long _rspin_lock_irqsave(rspinlock_t *lock) +{ + unsigned long flags; + + local_irq_save(flags); + _rspin_lock(lock); + + return flags; +} + void _rspin_unlock(rspinlock_t *lock) { if ( likely(--lock->recurse_cnt == 0) ) @@ -484,6 +494,12 @@ void _rspin_unlock(rspinlock_t *lock) } } +void _rspin_unlock_irqrestore(rspinlock_t *lock, unsigned long flags) +{ + _rspin_unlock(lock); + local_irq_restore(flags); +} + #ifdef CONFIG_DEBUG_LOCK_PROFILE struct lock_profile_anc { diff --git a/xen/drivers/char/console.c b/xen/drivers/char/console.c index eca17b55b4..ccd5f8cc14 100644 --- a/xen/drivers/char/console.c +++ b/xen/drivers/char/console.c @@ -1161,16 +1161,14 @@ unsigned long console_lock_recursive_irqsave(void) { unsigned long flags; - local_irq_save(flags); - rspin_lock(&console_lock); + rspin_lock_irqsave(&console_lock, flags); return flags; } void console_unlock_recursive_irqrestore(unsigned long flags) { - rspin_unlock(&console_lock); - local_irq_restore(flags); + rspin_unlock_irqrestore(&console_lock, flags); } void console_force_unlock(void) diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 50f6580f52..89af52b822 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -272,7 +272,15 @@ static always_inline void spin_lock_if(bool condition, spinlock_t *l) */ bool _rspin_trylock(rspinlock_t *lock); void _rspin_lock(rspinlock_t *lock); +#define rspin_lock_irqsave(l, f) \ + ({ \ + BUILD_BUG_ON(sizeof(f) != sizeof(unsigned long)); \ + (f) = _rspin_lock_irqsave(l); \ + block_lock_speculation(); \ + }) +unsigned long _rspin_lock_irqsave(rspinlock_t *lock); void _rspin_unlock(rspinlock_t *lock); +void _rspin_unlock_irqrestore(rspinlock_t *lock, unsigned long flags); static always_inline void rspin_lock(rspinlock_t *lock) { @@ -282,5 +290,6 @@ static always_inline void rspin_lock(rspinlock_t *lock) #define rspin_trylock(l) lock_evaluate_nospec(_rspin_trylock(l)) #define rspin_unlock(l) _rspin_unlock(l) +#define rspin_unlock_irqrestore(l, f) _rspin_unlock_irqrestore(l, f) #endif /* __SPINLOCK_H__ */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:02:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:02:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695716.1085670 (Exim 4.92) (envelope-from ) id 1rmpxc-0004Je-2h; Wed, 20 Mar 2024 07:02:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695716.1085670; Wed, 20 Mar 2024 07:02:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxb-0004JW-V8; Wed, 20 Mar 2024 07:02:03 +0000 Received: by outflank-mailman (input) for mailman id 695716; Wed, 20 Mar 2024 07:02:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxa-0004JD-Ss for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxa-0007hC-SC for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpxa-0003Kq-RS for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=m6mTk6lyq6i2wHxUxiF6l80Px8lIl8aHW3QFzxsQmXI=; b=wqBI+B/iSms3aBPVeyuOzOH/jM iGgeQ4LDlKSTvjhIhAFCLbfLl/7LhzktA2mnjmTeeYt3M2M6EHwFOsitDhM0moWmB5H1ucyLGnOp8 q8YTF+1j28XhvWjPV3qzTu/uVinx6FmXfYxgCu1lMne867qXjKHUSPOpQiv/Ww0lNXzY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/spinlock: make struct lock_profile rspinlock_t aware Message-Id: Date: Wed, 20 Mar 2024 07:02:02 +0000 commit b053075d1a7b99dc65c42753016d5a3f852b825d Author: Juergen Gross AuthorDate: Tue Mar 19 11:26:34 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:26:34 2024 +0100 xen/spinlock: make struct lock_profile rspinlock_t aware Struct lock_profile contains a pointer to the spinlock it is associated with. Prepare support of differing spinlock_t and rspinlock_t types by adding a type indicator of the pointer. Use the highest bit of the block_cnt member for this indicator in order to not grow the struct while hurting only the slow path with slightly less performant code. Note that this requires a cast when printing the value in order to be format compliant. Signed-off-by: Juergen Gross Acked-by: Alejandro Vallejo Acked-by: Julien Grall --- xen/common/spinlock.c | 28 ++++++++++++++++++++-------- xen/include/xen/spinlock.h | 14 ++++++++++---- 2 files changed, 30 insertions(+), 12 deletions(-) diff --git a/xen/common/spinlock.c b/xen/common/spinlock.c index 0e628b3513..874ed762b4 100644 --- a/xen/common/spinlock.c +++ b/xen/common/spinlock.c @@ -538,19 +538,31 @@ static void spinlock_profile_iterate(lock_profile_subfunc *sub, void *par) static void cf_check spinlock_profile_print_elem(struct lock_profile *data, int32_t type, int32_t idx, void *par) { - struct spinlock *lock = data->lock; + unsigned int cpu; + unsigned int lockval; + + if ( data->is_rlock ) + { + cpu = data->ptr.rlock->debug.cpu; + lockval = data->ptr.rlock->tickets.head_tail; + } + else + { + cpu = data->ptr.lock->debug.cpu; + lockval = data->ptr.lock->tickets.head_tail; + } printk("%s ", lock_profile_ancs[type].name); if ( type != LOCKPROF_TYPE_GLOBAL ) printk("%d ", idx); - printk("%s: addr=%p, lockval=%08x, ", data->name, lock, - lock->tickets.head_tail); - if ( lock->debug.cpu == SPINLOCK_NO_CPU ) + printk("%s: addr=%p, lockval=%08x, ", data->name, data->ptr.lock, lockval); + if ( cpu == SPINLOCK_NO_CPU ) printk("not locked\n"); else - printk("cpu=%d\n", lock->debug.cpu); - printk(" lock:%" PRId64 "(%" PRI_stime "), block:%" PRId64 "(%" PRI_stime ")\n", - data->lock_cnt, data->time_hold, data->block_cnt, data->time_block); + printk("cpu=%u\n", cpu); + printk(" lock:%" PRIu64 "(%" PRI_stime "), block:%" PRIu64 "(%" PRI_stime ")\n", + data->lock_cnt, data->time_hold, (uint64_t)data->block_cnt, + data->time_block); } void cf_check spinlock_profile_printall(unsigned char key) @@ -680,7 +692,7 @@ static int __init cf_check lock_prof_init(void) { (*q)->next = lock_profile_glb_q.elem_q; lock_profile_glb_q.elem_q = *q; - (*q)->lock->profile = *q; + (*q)->ptr.lock->profile = *q; } _lock_profile_register_struct(LOCKPROF_TYPE_GLOBAL, diff --git a/xen/include/xen/spinlock.h b/xen/include/xen/spinlock.h index 89af52b822..593cba640e 100644 --- a/xen/include/xen/spinlock.h +++ b/xen/include/xen/spinlock.h @@ -77,13 +77,19 @@ union lock_debug { }; */ struct spinlock; +/* Temporary hack until a dedicated struct rspinlock is existing. */ +#define rspinlock spinlock struct lock_profile { struct lock_profile *next; /* forward link */ const char *name; /* lock name */ - struct spinlock *lock; /* the lock itself */ + union { + struct spinlock *lock; /* the lock itself */ + struct rspinlock *rlock; /* the recursive lock itself */ + } ptr; uint64_t lock_cnt; /* # of complete locking ops */ - uint64_t block_cnt; /* # of complete wait for lock */ + uint64_t block_cnt:63; /* # of complete wait for lock */ + bool is_rlock:1; /* use rlock pointer */ s_time_t time_hold; /* cumulated lock time */ s_time_t time_block; /* cumulated wait time */ s_time_t time_locked; /* system time of last locking */ @@ -95,7 +101,7 @@ struct lock_profile_qhead { int32_t idx; /* index for printout */ }; -#define LOCK_PROFILE_(lockname) { .name = #lockname, .lock = &(lockname), } +#define LOCK_PROFILE_(lockname) { .name = #lockname, .ptr.lock = &(lockname), } #define LOCK_PROFILE_PTR_(name) \ static struct lock_profile * const lock_profile__##name \ __used_section(".lockprofile.data") = \ @@ -128,7 +134,7 @@ struct lock_profile_qhead { break; \ } \ prof->name = #l; \ - prof->lock = &(s)->l; \ + prof->ptr.lock = &(s)->l; \ prof->next = (s)->profile_head.elem_q; \ (s)->profile_head.elem_q = prof; \ } while( 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:02:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:02:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695717.1085673 (Exim 4.92) (envelope-from ) id 1rmpxm-0004Mw-5T; Wed, 20 Mar 2024 07:02:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695717.1085673; Wed, 20 Mar 2024 07:02:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxm-0004Mp-2v; Wed, 20 Mar 2024 07:02:14 +0000 Received: by outflank-mailman (input) for mailman id 695717; Wed, 20 Mar 2024 07:02:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxk-0004MY-Vy for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxk-0007hf-V6 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpxk-0003MP-UP for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=gFKf6fvWR2UZfC7wldSDbcSnuBjBZQYY5z+rFbTwXeU=; b=cqt3bnKNUGmRVQmxCuiVkccRZN Ze0aUsAYtoYXzfJS8NGRzqe/kwWxr3bBUIl+csQplMzMIfpHzQbWwQmTU7D1IGpc/LgwstPMNdVFB DX8jWVYellFwgcWpg0ka+/SovDweUOIEY3w1K52YsbaT58rWNYVLMKZcIPabr0vSIvsw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] amd/iommu: clean up unused guest iommu related functions Message-Id: Date: Wed, 20 Mar 2024 07:02:12 +0000 commit a02174c6c8851913a81a5a0916357b6b2fa4258d Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:27:07 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:27:07 2024 +0100 amd/iommu: clean up unused guest iommu related functions Delete unused functions from 'iommu_guest.c'. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini Acked-by: Jan Beulich --- xen/drivers/passthrough/amd/iommu.h | 7 +- xen/drivers/passthrough/amd/iommu_cmd.c | 7 - xen/drivers/passthrough/amd/iommu_guest.c | 762 +----------------------------- 3 files changed, 2 insertions(+), 774 deletions(-) diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h index 1b62c083ba..65de88217c 100644 --- a/xen/drivers/passthrough/amd/iommu.h +++ b/xen/drivers/passthrough/amd/iommu.h @@ -346,12 +346,7 @@ void cf_check amd_iommu_crash_shutdown(void); /* guest iommu support */ #ifdef CONFIG_HVM -void amd_iommu_send_guest_cmd(struct amd_iommu *iommu, u32 cmd[]); -void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]); -void guest_iommu_add_event_log(struct domain *d, u32 entry[]); -int guest_iommu_init(struct domain* d); -void guest_iommu_destroy(struct domain *d); -int guest_iommu_set_base(struct domain *d, uint64_t base); +void guest_iommu_add_ppr_log(struct domain *d, uint32_t entry[]); #else static inline void guest_iommu_add_ppr_log(struct domain *d, uint32_t entry[]) {} #endif diff --git a/xen/drivers/passthrough/amd/iommu_cmd.c b/xen/drivers/passthrough/amd/iommu_cmd.c index 49b9fcac94..83c525b84f 100644 --- a/xen/drivers/passthrough/amd/iommu_cmd.c +++ b/xen/drivers/passthrough/amd/iommu_cmd.c @@ -389,10 +389,3 @@ void amd_iommu_flush_all_caches(struct amd_iommu *iommu) invalidate_iommu_all(iommu); flush_command_buffer(iommu, 0); } - -void amd_iommu_send_guest_cmd(struct amd_iommu *iommu, u32 cmd[]) -{ - send_iommu_command(iommu, cmd); - /* TBD: Timeout selection may require peeking into cmd[]. */ - flush_command_buffer(iommu, 0); -} diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c index 4c4252eea1..19bd2e5d8e 100644 --- a/xen/drivers/passthrough/amd/iommu_guest.c +++ b/xen/drivers/passthrough/amd/iommu_guest.c @@ -20,28 +20,7 @@ #include "iommu.h" -#define IOMMU_MMIO_SIZE 0x8000 -#define IOMMU_MMIO_PAGE_NR 0x8 -#define RING_BF_LENGTH_MASK 0x0F000000 -#define RING_BF_LENGTH_SHIFT 24 - -#define PASMAX_9_bit 0x8 -#define GUEST_CR3_1_LEVEL 0x0 -#define GUEST_ADDRESS_SIZE_6_LEVEL 0x2 -#define HOST_ADDRESS_SIZE_6_LEVEL 0x2 - #define reg_to_u64(reg) (((uint64_t)reg.hi << 32) | reg.lo ) -#define u64_to_reg(reg, val) \ - do \ - { \ - (reg)->lo = (u32)(val); \ - (reg)->hi = (val) >> 32; \ - } while (0) - -static unsigned int get_machine_bdf(struct domain *d, uint16_t guest_bdf) -{ - return guest_bdf; -} static uint16_t get_guest_bdf(struct domain *d, uint16_t machine_bdf) { @@ -53,62 +32,6 @@ static inline struct guest_iommu *domain_iommu(struct domain *d) return dom_iommu(d)->arch.amd.g_iommu; } -static inline struct guest_iommu *vcpu_iommu(struct vcpu *v) -{ - return dom_iommu(v->domain)->arch.amd.g_iommu; -} - -static void guest_iommu_enable(struct guest_iommu *iommu) -{ - iommu->enabled = 1; -} - -static void guest_iommu_disable(struct guest_iommu *iommu) -{ - iommu->enabled = 0; -} - -/* - * The Guest CR3 Table is a table written by the guest kernel, pointing at - * gCR3 values for PASID transactions to use. The Device Table Entry points - * at a system physical address. - * - * However, these helpers deliberately use untyped parameters without - * reference to gfn/mfn because they are used both for programming the real - * IOMMU, and interpreting a guests programming of its vIOMMU. - */ -static uint64_t dte_get_gcr3_table(const struct amd_iommu_dte *dte) -{ - return (((uint64_t)dte->gcr3_trp_51_31 << 31) | - (dte->gcr3_trp_30_15 << 15) | - (dte->gcr3_trp_14_12 << 12)); -} - -static void dte_set_gcr3_table(struct amd_iommu_dte *dte, uint16_t dom_id, - uint64_t addr, bool gv, uint8_t glx) -{ -#define GCR3_MASK(hi, lo) (((1UL << ((hi) + 1)) - 1) & ~((1UL << (lo)) - 1)) - - /* I bit must be set when gcr3 is enabled */ - dte->i = true; - - dte->gcr3_trp_14_12 = MASK_EXTR(addr, GCR3_MASK(14, 12)); - dte->gcr3_trp_30_15 = MASK_EXTR(addr, GCR3_MASK(30, 15)); - dte->gcr3_trp_51_31 = MASK_EXTR(addr, GCR3_MASK(51, 31)); - - dte->domain_id = dom_id; - dte->glx = glx; - dte->gv = gv; - -#undef GCR3_MASK -} - -static unsigned int host_domid(struct domain *d, uint64_t g_domid) -{ - /* Only support one PPR device in guest for now */ - return d->domain_id; -} - static unsigned long get_gfn_from_base_reg(uint64_t base_raw) { base_raw &= PADDR_MASK; @@ -146,24 +69,6 @@ static unsigned long guest_iommu_get_table_mfn(struct domain *d, return mfn; } -static void guest_iommu_enable_dev_table(struct guest_iommu *iommu) -{ - uint32_t length_raw = get_field_from_reg_u32(iommu->dev_table.reg_base.lo, - IOMMU_DEV_TABLE_SIZE_MASK, - IOMMU_DEV_TABLE_SIZE_SHIFT); - iommu->dev_table.size = (length_raw + 1) * PAGE_SIZE; -} - -static void guest_iommu_enable_ring_buffer(struct guest_iommu *iommu, - struct guest_buffer *buffer, - uint32_t entry_size) -{ - uint32_t length_raw = get_field_from_reg_u32(buffer->reg_base.hi, - RING_BF_LENGTH_MASK, - RING_BF_LENGTH_SHIFT); - buffer->size = entry_size << length_raw; -} - void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]) { uint16_t gdev_id; @@ -184,7 +89,7 @@ void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]) if ( tail >= iommu->ppr_log.size || head >= iommu->ppr_log.size ) { AMD_IOMMU_DEBUG("Error: guest iommu ppr log overflows\n"); - guest_iommu_disable(iommu); + iommu->enabled = 0; return; } @@ -213,668 +118,3 @@ void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]) guest_iommu_deliver_msi(d); } - -void guest_iommu_add_event_log(struct domain *d, u32 entry[]) -{ - uint16_t dev_id; - unsigned long mfn, tail, head; - event_entry_t *log; - struct guest_iommu *iommu; - - if ( !is_hvm_domain(d) ) - return; - - iommu = domain_iommu(d); - if ( !iommu ) - return; - - tail = iommu->event_log.reg_tail.lo; - head = iommu->event_log.reg_head.lo; - - if ( tail >= iommu->event_log.size || head >= iommu->event_log.size ) - { - AMD_IOMMU_DEBUG("Error: guest iommu event overflows\n"); - guest_iommu_disable(iommu); - return; - } - - mfn = guest_iommu_get_table_mfn(d, reg_to_u64(iommu->event_log.reg_base), - tail); - ASSERT(mfn_valid(_mfn(mfn))); - - log = map_domain_page(_mfn(mfn)) + (tail & ~PAGE_MASK); - - /* re-write physical device id into virtual device id */ - dev_id = get_guest_bdf(d, iommu_get_devid_from_cmd(entry[0])); - iommu_set_devid_to_cmd(&entry[0], dev_id); - memcpy(log, entry, sizeof(event_entry_t)); - - /* Now shift event log tail pointer */ - tail += sizeof(event_entry_t); - if ( tail >= iommu->event_log.size ) - { - tail = 0; - iommu->reg_status.lo |= IOMMU_STATUS_EVENT_LOG_OVERFLOW; - } - - iommu->event_log.reg_tail.lo = tail; - unmap_domain_page(log); - - guest_iommu_deliver_msi(d); -} - -static int do_complete_ppr_request(struct domain *d, cmd_entry_t *cmd) -{ - uint16_t dev_id; - struct amd_iommu *iommu; - - dev_id = get_machine_bdf(d, iommu_get_devid_from_cmd(cmd->data[0])); - iommu = find_iommu_for_device(0, dev_id); - - if ( !iommu ) - { - AMD_IOMMU_DEBUG("%s: Fail to find iommu for bdf %x\n", - __func__, dev_id); - return -ENODEV; - } - - /* replace virtual device id into physical */ - iommu_set_devid_to_cmd(&cmd->data[0], dev_id); - amd_iommu_send_guest_cmd(iommu, cmd->data); - - return 0; -} - -static int do_invalidate_pages(struct domain *d, cmd_entry_t *cmd) -{ - uint16_t gdom_id, hdom_id; - struct amd_iommu *iommu = NULL; - - gdom_id = get_field_from_reg_u32(cmd->data[1], - IOMMU_INV_IOMMU_PAGES_DOMAIN_ID_MASK, - IOMMU_INV_IOMMU_PAGES_DOMAIN_ID_SHIFT); - - hdom_id = host_domid(d, gdom_id); - set_field_in_reg_u32(hdom_id, cmd->data[1], - IOMMU_INV_IOMMU_PAGES_DOMAIN_ID_MASK, - IOMMU_INV_IOMMU_PAGES_DOMAIN_ID_SHIFT, &cmd->data[1]); - - for_each_amd_iommu ( iommu ) - amd_iommu_send_guest_cmd(iommu, cmd->data); - - return 0; -} - -static int do_invalidate_all(struct domain *d, cmd_entry_t *cmd) -{ - struct amd_iommu *iommu = NULL; - - for_each_amd_iommu ( iommu ) - amd_iommu_flush_all_pages(d); - - return 0; -} - -static int do_invalidate_iotlb_pages(struct domain *d, cmd_entry_t *cmd) -{ - struct amd_iommu *iommu; - uint16_t dev_id; - - dev_id = get_machine_bdf(d, iommu_get_devid_from_cmd(cmd->data[0])); - - iommu = find_iommu_for_device(0, dev_id); - if ( !iommu ) - { - AMD_IOMMU_DEBUG("%s: Fail to find iommu for bdf %x\n", - __func__, dev_id); - return -ENODEV; - } - - iommu_set_devid_to_cmd(&cmd->data[0], dev_id); - amd_iommu_send_guest_cmd(iommu, cmd->data); - - return 0; -} - -static int do_completion_wait(struct domain *d, cmd_entry_t *cmd) -{ - bool com_wait_int, i, s; - struct guest_iommu *iommu; - unsigned long gfn; - p2m_type_t p2mt; - - iommu = domain_iommu(d); - - i = cmd->data[0] & IOMMU_COMP_WAIT_I_FLAG_MASK; - s = cmd->data[0] & IOMMU_COMP_WAIT_S_FLAG_MASK; - - if ( i ) - iommu->reg_status.lo |= IOMMU_STATUS_COMP_WAIT_INT; - - if ( s ) - { - uint64_t gaddr_lo, gaddr_hi, gaddr_64, data; - void *vaddr; - - data = (uint64_t)cmd->data[3] << 32 | cmd->data[2]; - gaddr_lo = get_field_from_reg_u32(cmd->data[0], - IOMMU_COMP_WAIT_ADDR_LOW_MASK, - IOMMU_COMP_WAIT_ADDR_LOW_SHIFT); - gaddr_hi = get_field_from_reg_u32(cmd->data[1], - IOMMU_COMP_WAIT_ADDR_HIGH_MASK, - IOMMU_COMP_WAIT_ADDR_HIGH_SHIFT); - - gaddr_64 = (gaddr_hi << 32) | (gaddr_lo << 3); - - gfn = gaddr_64 >> PAGE_SHIFT; - vaddr = map_domain_page(get_gfn(d, gfn ,&p2mt)); - put_gfn(d, gfn); - - write_u64_atomic((uint64_t *)(vaddr + (gaddr_64 & (PAGE_SIZE-1))), - data); - unmap_domain_page(vaddr); - } - - com_wait_int = iommu->reg_status.lo & IOMMU_STATUS_COMP_WAIT_INT; - - if ( iommu->reg_ctrl.com_wait_int_en && com_wait_int ) - guest_iommu_deliver_msi(d); - - return 0; -} - -static int do_invalidate_dte(struct domain *d, cmd_entry_t *cmd) -{ - uint16_t gbdf, mbdf, req_id, gdom_id, hdom_id, prev_domid; - struct amd_iommu_dte *gdte, *mdte, *dte_base; - struct amd_iommu *iommu = NULL; - struct guest_iommu *g_iommu; - uint64_t gcr3_gfn, gcr3_mfn; - uint8_t glx, gv; - unsigned long dte_mfn, flags; - p2m_type_t p2mt; - - g_iommu = domain_iommu(d); - gbdf = iommu_get_devid_from_cmd(cmd->data[0]); - mbdf = get_machine_bdf(d, gbdf); - - /* Guest can only update DTEs for its passthru devices */ - if ( mbdf == 0 || gbdf == 0 ) - return 0; - - /* Sometimes guest invalidates devices from non-exists dtes */ - if ( (gbdf * sizeof(struct amd_iommu_dte)) > g_iommu->dev_table.size ) - return 0; - - dte_mfn = guest_iommu_get_table_mfn(d, - reg_to_u64(g_iommu->dev_table.reg_base), - sizeof(struct amd_iommu_dte) * gbdf); - ASSERT(mfn_valid(_mfn(dte_mfn))); - - /* Read guest dte information */ - dte_base = map_domain_page(_mfn(dte_mfn)); - - gdte = &dte_base[gbdf % (PAGE_SIZE / sizeof(struct amd_iommu_dte))]; - - gdom_id = gdte->domain_id; - gcr3_gfn = dte_get_gcr3_table(gdte) >> PAGE_SHIFT; - glx = gdte->glx; - gv = gdte->gv; - - unmap_domain_page(dte_base); - - /* Do not update host dte before gcr3 has been set */ - if ( gcr3_gfn == 0 ) - return 0; - - gcr3_mfn = mfn_x(get_gfn(d, gcr3_gfn, &p2mt)); - put_gfn(d, gcr3_gfn); - - ASSERT(mfn_valid(_mfn(gcr3_mfn))); - - iommu = find_iommu_for_device(0, mbdf); - if ( !iommu ) - { - AMD_IOMMU_DEBUG("%s: Fail to find iommu for bdf %x!\n", - __func__, mbdf); - return -ENODEV; - } - - /* Setup host device entry */ - hdom_id = host_domid(d, gdom_id); - req_id = get_dma_requestor_id(iommu->seg, mbdf); - dte_base = iommu->dev_table.buffer; - mdte = &dte_base[req_id]; - prev_domid = mdte->domain_id; - - spin_lock_irqsave(&iommu->lock, flags); - dte_set_gcr3_table(mdte, hdom_id, gcr3_mfn << PAGE_SHIFT, gv, glx); - - spin_unlock_irqrestore(&iommu->lock, flags); - - amd_iommu_flush_device(iommu, req_id, prev_domid); - - return 0; -} - -static void cf_check guest_iommu_process_command(void *data) -{ - unsigned long opcode, tail, head, cmd_mfn; - cmd_entry_t *cmd; - struct domain *d = data; - struct guest_iommu *iommu; - - iommu = domain_iommu(d); - - if ( !iommu->enabled ) - return; - - head = iommu->cmd_buffer.reg_head.lo; - tail = iommu->cmd_buffer.reg_tail.lo; - - /* Tail pointer is rolled over by guest driver, value outside - * cmd_buffer_entries cause iommu disabled - */ - - if ( tail >= iommu->cmd_buffer.size || head >= iommu->cmd_buffer.size ) - { - AMD_IOMMU_DEBUG("Error: guest iommu cmd buffer overflows\n"); - guest_iommu_disable(iommu); - return; - } - - while ( head != tail ) - { - int ret = 0; - - cmd_mfn = guest_iommu_get_table_mfn(d, - reg_to_u64(iommu->cmd_buffer.reg_base), - head); - ASSERT(mfn_valid(_mfn(cmd_mfn))); - - cmd = map_domain_page(_mfn(cmd_mfn)) + (head & ~PAGE_MASK); - - opcode = get_field_from_reg_u32(cmd->data[1], - IOMMU_CMD_OPCODE_MASK, - IOMMU_CMD_OPCODE_SHIFT); - switch ( opcode ) - { - case IOMMU_CMD_COMPLETION_WAIT: - ret = do_completion_wait(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_DEVTAB_ENTRY: - ret = do_invalidate_dte(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_IOMMU_PAGES: - ret = do_invalidate_pages(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_IOTLB_PAGES: - ret = do_invalidate_iotlb_pages(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_INT_TABLE: - break; - case IOMMU_CMD_COMPLETE_PPR_REQUEST: - ret = do_complete_ppr_request(d, cmd); - break; - case IOMMU_CMD_INVALIDATE_IOMMU_ALL: - ret = do_invalidate_all(d, cmd); - break; - default: - AMD_IOMMU_DEBUG("CMD: Unknown command cmd_type = %lx " - "head = %ld\n", opcode, head); - break; - } - - unmap_domain_page(cmd); - head += sizeof(cmd_entry_t); - if ( head >= iommu->cmd_buffer.size ) - head = 0; - if ( ret ) - guest_iommu_disable(iommu); - } - - /* Now shift cmd buffer head pointer */ - iommu->cmd_buffer.reg_head.lo = head; - return; -} - -static int guest_iommu_write_ctrl(struct guest_iommu *iommu, uint64_t val) -{ - union amd_iommu_control newctrl = { .raw = val }; - - if ( newctrl.iommu_en ) - { - guest_iommu_enable(iommu); - guest_iommu_enable_dev_table(iommu); - } - - if ( newctrl.iommu_en && newctrl.cmd_buf_en ) - { - guest_iommu_enable_ring_buffer(iommu, &iommu->cmd_buffer, - sizeof(cmd_entry_t)); - /* Enable iommu command processing */ - tasklet_schedule(&iommu->cmd_buffer_tasklet); - } - - if ( newctrl.iommu_en && newctrl.event_log_en ) - { - guest_iommu_enable_ring_buffer(iommu, &iommu->event_log, - sizeof(event_entry_t)); - iommu->reg_status.lo |= IOMMU_STATUS_EVENT_LOG_RUN; - iommu->reg_status.lo &= ~IOMMU_STATUS_EVENT_LOG_OVERFLOW; - } - - if ( newctrl.iommu_en && newctrl.ppr_en && newctrl.ppr_log_en ) - { - guest_iommu_enable_ring_buffer(iommu, &iommu->ppr_log, - sizeof(ppr_entry_t)); - iommu->reg_status.lo |= IOMMU_STATUS_PPR_LOG_RUN; - iommu->reg_status.lo &= ~IOMMU_STATUS_PPR_LOG_OVERFLOW; - } - - if ( newctrl.iommu_en && iommu->reg_ctrl.cmd_buf_en && - !newctrl.cmd_buf_en ) - { - /* Disable iommu command processing */ - tasklet_kill(&iommu->cmd_buffer_tasklet); - } - - if ( iommu->reg_ctrl.event_log_en && !newctrl.event_log_en ) - iommu->reg_status.lo &= ~IOMMU_STATUS_EVENT_LOG_RUN; - - if ( iommu->reg_ctrl.iommu_en && !newctrl.iommu_en ) - guest_iommu_disable(iommu); - - iommu->reg_ctrl = newctrl; - - return 0; -} - -static uint64_t iommu_mmio_read64(struct guest_iommu *iommu, - unsigned long offset) -{ - uint64_t val; - - switch ( offset ) - { - case IOMMU_DEV_TABLE_BASE_LOW_OFFSET: - val = reg_to_u64(iommu->dev_table.reg_base); - break; - case IOMMU_CMD_BUFFER_BASE_LOW_OFFSET: - val = reg_to_u64(iommu->cmd_buffer.reg_base); - break; - case IOMMU_EVENT_LOG_BASE_LOW_OFFSET: - val = reg_to_u64(iommu->event_log.reg_base); - break; - case IOMMU_PPR_LOG_BASE_LOW_OFFSET: - val = reg_to_u64(iommu->ppr_log.reg_base); - break; - case IOMMU_CMD_BUFFER_HEAD_OFFSET: - val = reg_to_u64(iommu->cmd_buffer.reg_head); - break; - case IOMMU_CMD_BUFFER_TAIL_OFFSET: - val = reg_to_u64(iommu->cmd_buffer.reg_tail); - break; - case IOMMU_EVENT_LOG_HEAD_OFFSET: - val = reg_to_u64(iommu->event_log.reg_head); - break; - case IOMMU_EVENT_LOG_TAIL_OFFSET: - val = reg_to_u64(iommu->event_log.reg_tail); - break; - case IOMMU_PPR_LOG_HEAD_OFFSET: - val = reg_to_u64(iommu->ppr_log.reg_head); - break; - case IOMMU_PPR_LOG_TAIL_OFFSET: - val = reg_to_u64(iommu->ppr_log.reg_tail); - break; - case IOMMU_CONTROL_MMIO_OFFSET: - val = iommu->reg_ctrl.raw; - break; - case IOMMU_STATUS_MMIO_OFFSET: - val = reg_to_u64(iommu->reg_status); - break; - case IOMMU_EXT_FEATURE_MMIO_OFFSET: - val = iommu->reg_ext_feature.raw; - break; - - default: - AMD_IOMMU_DEBUG("Guest reads unknown mmio offset = %lx\n", offset); - val = 0; - break; - } - - return val; -} - -static int cf_check guest_iommu_mmio_read( - struct vcpu *v, unsigned long addr, unsigned int len, unsigned long *pval) -{ - struct guest_iommu *iommu = vcpu_iommu(v); - unsigned long offset; - uint64_t val; - uint32_t mmio, shift; - uint64_t mask = 0; - - offset = addr - iommu->mmio_base; - - if ( unlikely((offset & (len - 1 )) || (len > 8)) ) - { - AMD_IOMMU_DEBUG("iommu mmio read access is not aligned:" - " offset = %lx, len = %x\n", offset, len); - return X86EMUL_UNHANDLEABLE; - } - - mask = (len == 8) ? ~0ULL : (1ULL << (len * 8)) - 1; - shift = (offset & 7u) * 8; - - /* mmio access is always aligned on 8-byte boundary */ - mmio = offset & (~7u); - - spin_lock(&iommu->lock); - val = iommu_mmio_read64(iommu, mmio); - spin_unlock(&iommu->lock); - - *pval = (val >> shift ) & mask; - - return X86EMUL_OKAY; -} - -static void guest_iommu_mmio_write64(struct guest_iommu *iommu, - unsigned long offset, uint64_t val) -{ - switch ( offset ) - { - case IOMMU_DEV_TABLE_BASE_LOW_OFFSET: - u64_to_reg(&iommu->dev_table.reg_base, val); - break; - case IOMMU_CMD_BUFFER_BASE_LOW_OFFSET: - u64_to_reg(&iommu->cmd_buffer.reg_base, val); - break; - case IOMMU_EVENT_LOG_BASE_LOW_OFFSET: - u64_to_reg(&iommu->event_log.reg_base, val); - break; - case IOMMU_PPR_LOG_BASE_LOW_OFFSET: - u64_to_reg(&iommu->ppr_log.reg_base, val); - break; - case IOMMU_CONTROL_MMIO_OFFSET: - guest_iommu_write_ctrl(iommu, val); - break; - case IOMMU_CMD_BUFFER_HEAD_OFFSET: - iommu->cmd_buffer.reg_head.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_CMD_BUFFER_TAIL_OFFSET: - iommu->cmd_buffer.reg_tail.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - tasklet_schedule(&iommu->cmd_buffer_tasklet); - break; - case IOMMU_EVENT_LOG_HEAD_OFFSET: - iommu->event_log.reg_head.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_EVENT_LOG_TAIL_OFFSET: - iommu->event_log.reg_tail.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_PPR_LOG_HEAD_OFFSET: - iommu->ppr_log.reg_head.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_PPR_LOG_TAIL_OFFSET: - iommu->ppr_log.reg_tail.lo = val & IOMMU_RING_BUFFER_PTR_MASK; - break; - case IOMMU_STATUS_MMIO_OFFSET: - val &= IOMMU_STATUS_EVENT_LOG_OVERFLOW | - IOMMU_STATUS_EVENT_LOG_INT | - IOMMU_STATUS_COMP_WAIT_INT | - IOMMU_STATUS_PPR_LOG_OVERFLOW | - IOMMU_STATUS_PPR_LOG_INT | - IOMMU_STATUS_GAPIC_LOG_OVERFLOW | - IOMMU_STATUS_GAPIC_LOG_INT; - u64_to_reg(&iommu->reg_status, reg_to_u64(iommu->reg_status) & ~val); - break; - - default: - AMD_IOMMU_DEBUG("guest writes unknown mmio offset = %lx," - " val = %" PRIx64 "\n", offset, val); - break; - } -} - -static int cf_check guest_iommu_mmio_write( - struct vcpu *v, unsigned long addr, unsigned int len, unsigned long val) -{ - struct guest_iommu *iommu = vcpu_iommu(v); - unsigned long offset; - uint64_t reg_old, mmio; - uint32_t shift; - uint64_t mask = 0; - - offset = addr - iommu->mmio_base; - - if ( unlikely((offset & (len - 1)) || (len > 8)) ) - { - AMD_IOMMU_DEBUG("iommu mmio write access is not aligned:" - " offset = %lx, len = %x\n", offset, len); - return X86EMUL_UNHANDLEABLE; - } - - mask = (len == 8) ? ~0ULL : (1ULL << (len * 8)) - 1; - shift = (offset & 7) * 8; - - /* mmio access is always aligned on 8-byte boundary */ - mmio = offset & ~7; - - spin_lock(&iommu->lock); - - reg_old = iommu_mmio_read64(iommu, mmio); - reg_old &= ~(mask << shift); - val = reg_old | ((val & mask) << shift); - guest_iommu_mmio_write64(iommu, mmio, val); - - spin_unlock(&iommu->lock); - - return X86EMUL_OKAY; -} - -int guest_iommu_set_base(struct domain *d, uint64_t base) -{ - p2m_type_t t; - struct guest_iommu *iommu = domain_iommu(d); - - if ( !iommu ) - return -EACCES; - - iommu->mmio_base = base; - base >>= PAGE_SHIFT; - - for ( int i = 0; i < IOMMU_MMIO_PAGE_NR; i++ ) - { - unsigned long gfn = base + i; - - get_gfn_query(d, gfn, &t); - p2m_change_type_one(d, gfn, t, p2m_mmio_dm); - put_gfn(d, gfn); - } - - return 0; -} - -/* Initialize mmio read only bits */ -static void guest_iommu_reg_init(struct guest_iommu *iommu) -{ - union amd_iommu_ext_features ef = { - /* Support prefetch */ - .flds.pref_sup = 1, - /* Support PPR log */ - .flds.ppr_sup = 1, - /* Support guest translation */ - .flds.gt_sup = 1, - /* Support invalidate all command */ - .flds.ia_sup = 1, - /* Host translation size has 6 levels */ - .flds.hats = HOST_ADDRESS_SIZE_6_LEVEL, - /* Guest translation size has 6 levels */ - .flds.gats = GUEST_ADDRESS_SIZE_6_LEVEL, - /* Single level gCR3 */ - .flds.glx_sup = GUEST_CR3_1_LEVEL, - /* 9 bit PASID */ - .flds.pas_max = PASMAX_9_bit, - }; - - iommu->reg_ext_feature = ef; -} - -static int cf_check guest_iommu_mmio_range(struct vcpu *v, unsigned long addr) -{ - struct guest_iommu *iommu = vcpu_iommu(v); - - return iommu && addr >= iommu->mmio_base && - addr < iommu->mmio_base + IOMMU_MMIO_SIZE; -} - -static const struct hvm_mmio_ops iommu_mmio_ops = { - .check = guest_iommu_mmio_range, - .read = guest_iommu_mmio_read, - .write = guest_iommu_mmio_write -}; - -/* Domain specific initialization */ -int guest_iommu_init(struct domain* d) -{ - struct guest_iommu *iommu; - struct domain_iommu *hd = dom_iommu(d); - - if ( !is_hvm_domain(d) || !is_iommu_enabled(d) || !iommuv2_enabled || - !has_viommu(d) ) - return 0; - - iommu = xzalloc(struct guest_iommu); - if ( !iommu ) - { - AMD_IOMMU_DEBUG("Error allocating guest iommu structure.\n"); - return 1; - } - - guest_iommu_reg_init(iommu); - iommu->mmio_base = ~0ULL; - iommu->domain = d; - hd->arch.amd.g_iommu = iommu; - - tasklet_init(&iommu->cmd_buffer_tasklet, guest_iommu_process_command, d); - - spin_lock_init(&iommu->lock); - - register_mmio_handler(d, &iommu_mmio_ops); - - return 0; -} - -void guest_iommu_destroy(struct domain *d) -{ - struct guest_iommu *iommu; - - iommu = domain_iommu(d); - if ( !iommu ) - return; - - tasklet_kill(&iommu->cmd_buffer_tasklet); - xfree(iommu); - - dom_iommu(d)->arch.amd.g_iommu = NULL; -} -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:02:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:02:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695718.1085678 (Exim 4.92) (envelope-from ) id 1rmpxx-0004PT-7J; Wed, 20 Mar 2024 07:02:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695718.1085678; Wed, 20 Mar 2024 07:02:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxx-0004PL-4U; Wed, 20 Mar 2024 07:02:25 +0000 Received: by outflank-mailman (input) for mailman id 695718; Wed, 20 Mar 2024 07:02:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxv-0004P7-2L for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpxv-0007hp-1j for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpxv-0003O0-10 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GCYDd/km3w18zKwUcy6cMY9FwL7VX2fNLtMI1nn4aVE=; b=Vq7lhuZVf1OzJEB7Midf724PAg MxX5jIEDVNqH+fKXPy1nzMfEY5YjRj7/5oIhIXjsrDmJ2PyhzvbCI1K8CKywlQ4gEcjLpLtEljqTL JwWbaLKQdqCmZnVSmxZT3ucdHn2yMHsu5PE8BgSxiF9Usn/w8cN46PoxgmL3/mcjFl18=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/cpufeature: add parentheses to comply with Rule 20.7 Message-Id: Date: Wed, 20 Mar 2024 07:02:23 +0000 commit 9979cc594acecd8b22384c06f520447a955b4857 Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:27:29 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:27:29 2024 +0100 x86/cpufeature: add parentheses to comply with Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/arch/x86/include/asm/cpufeatureset.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/include/asm/cpufeatureset.h b/xen/arch/x86/include/asm/cpufeatureset.h index f179229f19..a9c51bc514 100644 --- a/xen/arch/x86/include/asm/cpufeatureset.h +++ b/xen/arch/x86/include/asm/cpufeatureset.h @@ -5,7 +5,7 @@ #include -#define XEN_CPUFEATURE(name, value) X86_FEATURE_##name = value, +#define XEN_CPUFEATURE(name, value) X86_FEATURE_##name = (value), enum { #include #include -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:02:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:02:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695719.1085681 (Exim 4.92) (envelope-from ) id 1rmpy7-0004SZ-9v; Wed, 20 Mar 2024 07:02:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695719.1085681; Wed, 20 Mar 2024 07:02:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpy7-0004SR-7E; Wed, 20 Mar 2024 07:02:35 +0000 Received: by outflank-mailman (input) for mailman id 695719; Wed, 20 Mar 2024 07:02:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpy5-0004SF-5M for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpy5-0007i1-4b for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpy5-0003Oq-3y for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fYmB0lNXGaXusVGslj1kOIh8eJ79d8Iz4/AIxIvZNOU=; b=oXbks5M2mLIWHOEPVMiCESzIEO HUAcCAyG2eUZItPESfdvZ+xiholEY7tIs3nH14DjPQD8tYVro3tMcRoEyrfZoaKMYO21e2JoMq+nP fGkE+V7zy2MII9BnG6eCDkh5CoaG4OAWZhhLEWGrub2q/ff7nAEWI5ZHxwUNUciKP2yA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/device_tree: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 20 Mar 2024 07:02:33 +0000 commit b51d7f39dc73618c015439dab1f81a86074c591d Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:27:58 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:27:58 2024 +0100 xen/device_tree: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/include/xen/device_tree.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/device_tree.h b/xen/include/xen/device_tree.h index 6fe2fa8b21..e6287305a7 100644 --- a/xen/include/xen/device_tree.h +++ b/xen/include/xen/device_tree.h @@ -250,7 +250,7 @@ dt_find_interrupt_controller(const struct dt_device_match *matches); for ( pp = (dn)->properties; (pp) != NULL; pp = (pp)->next ) #define dt_for_each_device_node(dt, dn) \ - for ( dn = dt; (dn) != NULL; dn = (dn)->allnext ) + for ( dn = (dt); (dn) != NULL; dn = (dn)->allnext ) #define dt_for_each_child_node(dt, dn) \ for ( dn = (dt)->child; (dn) != NULL; dn = (dn)->sibling ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:02:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:02:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695720.1085685 (Exim 4.92) (envelope-from ) id 1rmpyH-0004Um-B9; Wed, 20 Mar 2024 07:02:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695720.1085685; Wed, 20 Mar 2024 07:02:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyH-0004Uf-8h; Wed, 20 Mar 2024 07:02:45 +0000 Received: by outflank-mailman (input) for mailman id 695720; Wed, 20 Mar 2024 07:02:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyF-0004UQ-82 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyF-0007iI-7P for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpyF-0003Pg-6i for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Tr0CQx7LHe+Yyq/xbspiWHP4Llt47tP5X6W06DTu3x8=; b=yL/LBh8N8EcVWMt9P3AyYvfG3g en4MuEv2C0LzsJR+QVZipWU/e342eBA0aoHJ2cvOcXFAAvrt/+mlU6eI0chbePZ9YLrHXcc92VAkG G+yB7+xcxt+Y8mhCwfXXZeI83nRdcvz90pjqgFqeaC8QoZqwSvYpW3JfKkq9g+aLAn34=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] EFI: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 20 Mar 2024 07:02:43 +0000 commit 8e7207d512aa96cd55177b29656610150ed577a5 Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:28:28 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:28:28 2024 +0100 EFI: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/efi/efierr.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/efi/efierr.h b/xen/include/efi/efierr.h index dfd3d3cf48..cdca210414 100644 --- a/xen/include/efi/efierr.h +++ b/xen/include/efi/efierr.h @@ -22,7 +22,7 @@ Revision History #define EFIWARN(a) (a) -#define EFI_ERROR(a) (((INTN) a) < 0) +#define EFI_ERROR(a) ((INTN)(a) < 0) #define EFI_SUCCESS 0 -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:02:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:02:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695721.1085690 (Exim 4.92) (envelope-from ) id 1rmpyQ-0004Yl-Cx; Wed, 20 Mar 2024 07:02:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695721.1085690; Wed, 20 Mar 2024 07:02:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyQ-0004Yd-A9; Wed, 20 Mar 2024 07:02:54 +0000 Received: by outflank-mailman (input) for mailman id 695721; Wed, 20 Mar 2024 07:02:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyP-0004YT-Bh for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyP-0007iX-B1 for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpyP-0003QV-9d for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:02:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NgbNcU7jnmjgVCi6O4d1XCZDWUw9H3Okt4r090AGmCw=; b=ESzRxWlKU42hUmnoW9cLNY7h2h fTEe/RkQ2olw23L7VG8TrnL2fVTt5tuD+8p+jshktZX50HIMThFwFtICzhwFHV8vnpL5WUxskwRZc 3vD+bJ45T24BoI37vaecEibK3bTNtxNI/j2piHBWwzKKA3s9k0G6ofElxoCpz0PSXxlI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/arm: smmu: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 20 Mar 2024 07:02:53 +0000 commit 88822d5fbd30782bb79bfee85f58bf9e2e8f18b7 Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:28:44 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:28:44 2024 +0100 xen/arm: smmu: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini --- xen/drivers/passthrough/arm/smmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/drivers/passthrough/arm/smmu.c b/xen/drivers/passthrough/arm/smmu.c index 83196057a9..f2cee82f55 100644 --- a/xen/drivers/passthrough/arm/smmu.c +++ b/xen/drivers/passthrough/arm/smmu.c @@ -326,7 +326,7 @@ static struct iommu_group *iommu_group_get(struct device *dev) */ #define ARM_SMMU_GR0_NS(smmu) \ ((smmu)->base + \ - ((smmu->options & ARM_SMMU_OPT_SECURE_CFG_ACCESS) \ + (((smmu)->options & ARM_SMMU_OPT_SECURE_CFG_ACCESS) \ ? 0x400 : 0)) /* Page table bits */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:03:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:03:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695722.1085693 (Exim 4.92) (envelope-from ) id 1rmpya-0004bT-E5; Wed, 20 Mar 2024 07:03:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695722.1085693; Wed, 20 Mar 2024 07:03:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpya-0004bM-Bc; Wed, 20 Mar 2024 07:03:04 +0000 Received: by outflank-mailman (input) for mailman id 695722; Wed, 20 Mar 2024 07:03:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyZ-0004bD-EZ for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:03:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyZ-0007j0-Dq for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:03:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpyZ-0003RJ-DA for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:03:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=dljo3y7jm8cNvsnD58Q0T0bFs4/OJyWLfHaCYZExIuo=; b=pkO5E5h4aRveXvCx+VkGzjePl6 WV4jHGzaGPjVHibHtlKFeourWBHXgV8uwrxsB0iqakXw7YqeN+w6FKH6159aBof/YRyvHhFuGkAv0 gcp+uYypEOoq+gFKxQ0wISUlWSjjQOtp4KejD1VzLO9PLUfmHGnEtUfEnIKqXNuvfe9U=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/notifier: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 20 Mar 2024 07:03:03 +0000 commit 239b72d874705525a1ee6c13cf2e487cbd1d186a Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:29:12 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:29:12 2024 +0100 xen/notifier: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/xen/notifier.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/xen/notifier.h b/xen/include/xen/notifier.h index 2a952484df..05359e8a85 100644 --- a/xen/include/xen/notifier.h +++ b/xen/include/xen/notifier.h @@ -34,7 +34,7 @@ struct notifier_head { }; #define NOTIFIER_HEAD(name) \ - struct notifier_head name = { .head = LIST_HEAD_INIT(name.head) } + struct notifier_head name = { .head = LIST_HEAD_INIT((name).head) } void notifier_chain_register( -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:03:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:03:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695723.1085697 (Exim 4.92) (envelope-from ) id 1rmpyk-0004fY-Fc; Wed, 20 Mar 2024 07:03:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695723.1085697; Wed, 20 Mar 2024 07:03:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyk-0004fQ-D6; Wed, 20 Mar 2024 07:03:14 +0000 Received: by outflank-mailman (input) for mailman id 695723; Wed, 20 Mar 2024 07:03:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyj-0004fG-HO for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:03:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyj-0007jT-Ga for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:03:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpyj-0003Rk-Fx for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:03:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Iq+97hYYZzf4aJw6H1AbNsqELAuPnlNbeUMmkvLbGkw=; b=I4Eg5i1DNH6Vpm0oXxdOIaTbS0 NhnFh++rbjydfTqXxplYYST7DYRmw+/eciopT8yxwqTfQFxb56doZf1DOlJTrqKVLr0JOWoshpkwk Km7hzk+FiV2AJ+2AlHxL/OQ8LuG3/gV+4w72N0e6OqDXLR/RNObOIdP67EbMRKvI5rqo=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/wait: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 20 Mar 2024 07:03:13 +0000 commit d9e709e8c05c66b6802f1801b0eacc0a2bc06e6d Author: Nicola Vetrini AuthorDate: Tue Mar 19 11:30:01 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:30:01 2024 +0100 xen/wait: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/xen/wait.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/include/xen/wait.h b/xen/include/xen/wait.h index 6eb7667d9c..1c68bc564b 100644 --- a/xen/include/xen/wait.h +++ b/xen/include/xen/wait.h @@ -40,12 +40,12 @@ do { \ if ( condition ) \ break; \ for ( ; ; ) { \ - prepare_to_wait(&wq); \ + prepare_to_wait(&(wq)); \ if ( condition ) \ break; \ wait(); \ } \ - finish_wait(&wq); \ + finish_wait(&(wq)); \ } while (0) /* Private functions. */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 07:03:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 07:03:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695727.1085711 (Exim 4.92) (envelope-from ) id 1rmpyu-0004yY-P1; Wed, 20 Mar 2024 07:03:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695727.1085711; Wed, 20 Mar 2024 07:03:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyu-0004yP-MZ; Wed, 20 Mar 2024 07:03:24 +0000 Received: by outflank-mailman (input) for mailman id 695727; Wed, 20 Mar 2024 07:03:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyt-0004xv-Jy for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:03:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmpyt-0007jo-JI for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:03:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmpyt-0003SL-Ih for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 07:03:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=PWKltTYkwLfQq09a/dYABpghl0ZBWoBd606jMjyBmMc=; b=YSHOAWJp2Yvs8YoYHqKrq2+Io8 2595ORhnsvSvU+9WUL7Fp8U1KFOhHOkTOAmNKIzTE4PCJBRNmVzRYtxBefRuAl7qMbKJ6rjZyM3EZ p3RJhIavfurWEfLy10ziWKOOD6UVzVOaTf0yKYirc2XAAmzmDhi+9YwKQZ4TjTAdA/jk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/nospec: Include Message-Id: Date: Wed, 20 Mar 2024 07:03:23 +0000 commit d2276b86e5eb8dd2617d917f7b49cdd1f29ac299 Author: Michal Orzel AuthorDate: Tue Mar 19 11:30:30 2024 +0100 Commit: Jan Beulich CommitDate: Tue Mar 19 11:30:30 2024 +0100 xen/nospec: Include After introduction of lock_evaluate_nospec() using bool type, building Xen on Arm with UBSAN enabled fails: In file included from ./include/xen/spinlock.h:4, from common/ubsan/ubsan.c:13: ./include/xen/nospec.h:79:22: error: unknown type name ‘bool’ 79 | static always_inline bool lock_evaluate_nospec(bool condition) There is no issue on x86, as xen/stdbool.h is included somewhere along the asm/nospec.h path, which is not the case for other architectures. Fixes: 7ef0084418e1 ("x86/spinlock: introduce support for blocking speculation into critical regions") Signed-off-by: Michal Orzel Acked-by: Jan Beulich --- xen/include/xen/nospec.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/include/xen/nospec.h b/xen/include/xen/nospec.h index e8d73f9538..9fb15aa26a 100644 --- a/xen/include/xen/nospec.h +++ b/xen/include/xen/nospec.h @@ -7,6 +7,8 @@ #ifndef XEN_NOSPEC_H #define XEN_NOSPEC_H +#include + #include /** -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 09:00:12 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 09:00:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.695817.1085969 (Exim 4.92) (envelope-from ) id 1rmrno-0007hH-6v; Wed, 20 Mar 2024 09:00:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 695817.1085969; Wed, 20 Mar 2024 09:00:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmrno-0007gt-44; Wed, 20 Mar 2024 09:00:04 +0000 Received: by outflank-mailman (input) for mailman id 695817; Wed, 20 Mar 2024 09:00:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmrnn-0007V8-6F for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 09:00:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rmrnn-00026Y-5O for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 09:00:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rmrnn-0001WT-4Y for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 09:00:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=YWd/UEg195YaGO4WHjrGBb/rbfB1HAzMRwix1PLGr7E=; b=WhFuvK7FVmlvoGL1zB8ljX8PxJ mvm02uis3C6B/gjNbKCvZcx1v9WrvPBzvM1yVVYSMksrdz1updLlWdxbPEqRd2Io/tpX4vdhAPUbJ ShHF48PUcB6JlDrErotla9hj4oKE2SJVFaef7vNHt/Q6bL+Zhj3/jaKBq0QOKuYVbxnc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] docs/parse-support-md: Handle BulletList Message-Id: Date: Wed, 20 Mar 2024 09:00:03 +0000 commit eaafbd11344a8ec32309fe58a6e529fe1c34d62e Author: Anthony PERARD AuthorDate: Tue Mar 19 15:15:09 2024 +0000 Commit: Julien Grall CommitDate: Wed Mar 20 08:58:59 2024 +0000 docs/parse-support-md: Handle BulletList Commit d638e304f13a introduced a bullet list, but parse-support-md choke on it as it doesn't know what to do about it. Introduce ri_BulletList() so that r_content() will find this new function and call it instead of calling process_unknown(). Reported-by: Julien Grall Fixes: d638e304f13a ("SUPPORT.MD: Fix matrix generation after 43c416d0d819 and 77c39a53cf5b") Signed-off-by: Anthony PERARD Tested-by: Julien Grall Acked-by: Julien Grall --- docs/parse-support-md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/parse-support-md b/docs/parse-support-md index a397637639..b04f62da37 100755 --- a/docs/parse-support-md +++ b/docs/parse-support-md @@ -218,6 +218,13 @@ sub ri_DefinitionList { } } +sub ri_BulletList { + # Assume a paragraph introduce this bullet list, which would mean that + # ri_Para() has already been called, and there's nothing else to do about + # the caveat. + return; +} + sub process_unknown { my ($c, $e) = @_; $had_unknown = Dumper($e); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 22:33:22 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 22:33:22 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696149.1086794 (Exim 4.92) (envelope-from ) id 1rn4Uj-00087q-Qh; Wed, 20 Mar 2024 22:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696149.1086794; Wed, 20 Mar 2024 22:33:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rn4Uj-00087j-OD; Wed, 20 Mar 2024 22:33:13 +0000 Received: by outflank-mailman (input) for mailman id 696149; Wed, 20 Mar 2024 22:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rn4Ui-00087P-Ag for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 22:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rn4Ui-0000yg-9P for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 22:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rn4Ui-0007M0-8O for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 22:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8znP/s9RnfU2mKrlOujo6TaGEnnCbaSg5lyAj5fGKgI=; b=OPfDqLK9ZHF/Etp50UWkT4W+dR iuMpcMoXiXqZwO/EJ0QqIolxXPZ1D+PGfHcNv9RnfsNkc3XxYJWRWDhqDsjrAxNmsz+FQCbFgFqBB tAVghCJy1pR90MJrSXEc7JqB+ORNjGLcCVsxFVnN7b9FgZRoxiFe4HZR6ZvY7Ngd01ns=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Message-Id: Date: Wed, 20 Mar 2024 22:33:12 +0000 commit f658321374687c7339235e1ac643e0427acff717 Author: Andrew Cooper AuthorDate: Tue Mar 19 13:29:30 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 19 18:29:37 2024 +0000 x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Right now, if the user requests the watchdog on the command line, setup_apic_nmi_watchdog() will blindly assume that setting up the watchdog worked. Reuse nmi_perfctr_msr to identify when the watchdog has been configured. Rearrange setup_p6_watchdog() to not set nmi_perfctr_msr until the sanity checks are complete. Turn setup_p4_watchdog() into a void function, matching the others. If the watchdog isn't set up, inform the user and override to NMI_NONE, which will prevent check_nmi_watchdog() from claiming that all CPUs are stuck. e.g.: (XEN) alt table ffff82d040697c38 -> ffff82d0406a97f0 (XEN) Failed to configure NMI watchdog (XEN) Brought up 512 CPUs (XEN) Scheduling granularity: cpu, 1 CPU per sched-resource Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/nmi.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index 8994c50cb5..33f77a9204 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -319,8 +319,6 @@ static void setup_p6_watchdog(unsigned counter) { unsigned int evntsel; - nmi_perfctr_msr = MSR_P6_PERFCTR(0); - if ( !nmi_p6_event_width && current_cpu_data.cpuid_level >= 0xa ) nmi_p6_event_width = MASK_EXTR(cpuid_eax(0xa), P6_EVENT_WIDTH_MASK); if ( !nmi_p6_event_width ) @@ -330,6 +328,8 @@ static void setup_p6_watchdog(unsigned counter) nmi_p6_event_width > BITS_PER_LONG ) return; + nmi_perfctr_msr = MSR_P6_PERFCTR(0); + clear_msr_range(MSR_P6_EVNTSEL(0), 2); clear_msr_range(MSR_P6_PERFCTR(0), 2); @@ -345,13 +345,13 @@ static void setup_p6_watchdog(unsigned counter) wrmsr(MSR_P6_EVNTSEL(0), evntsel, 0); } -static int setup_p4_watchdog(void) +static void setup_p4_watchdog(void) { uint64_t misc_enable; rdmsrl(MSR_IA32_MISC_ENABLE, misc_enable); if (!(misc_enable & MSR_IA32_MISC_ENABLE_PERF_AVAIL)) - return 0; + return; nmi_perfctr_msr = MSR_P4_IQ_PERFCTR0; nmi_p4_cccr_val = P4_NMI_IQ_CCCR0; @@ -374,13 +374,12 @@ static int setup_p4_watchdog(void) clear_msr_range(0x3E0, 2); clear_msr_range(MSR_P4_BPU_CCCR0, 18); clear_msr_range(MSR_P4_BPU_PERFCTR0, 18); - + wrmsrl(MSR_P4_CRU_ESCR0, P4_NMI_CRU_ESCR0); wrmsrl(MSR_P4_IQ_CCCR0, P4_NMI_IQ_CCCR0 & ~P4_CCCR_ENABLE); write_watchdog_counter("P4_IQ_COUNTER0"); apic_write(APIC_LVTPC, APIC_DM_NMI); wrmsrl(MSR_P4_IQ_CCCR0, nmi_p4_cccr_val); - return 1; } void setup_apic_nmi_watchdog(void) @@ -395,8 +394,6 @@ void setup_apic_nmi_watchdog(void) case 0xf ... 0x19: setup_k7_watchdog(); break; - default: - return; } break; case X86_VENDOR_INTEL: @@ -407,14 +404,16 @@ void setup_apic_nmi_watchdog(void) : CORE_EVENT_CPU_CLOCKS_NOT_HALTED); break; case 15: - if (!setup_p4_watchdog()) - return; + setup_p4_watchdog(); break; - default: - return; } break; - default: + } + + if ( nmi_perfctr_msr == 0 ) + { + printk(XENLOG_WARNING "Failed to configure NMI watchdog\n"); + nmi_watchdog = NMI_NONE; return; } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 22:33:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 22:33:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696150.1086799 (Exim 4.92) (envelope-from ) id 1rn4Ut-00089L-SF; Wed, 20 Mar 2024 22:33:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696150.1086799; Wed, 20 Mar 2024 22:33:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rn4Ut-00089D-Pa; Wed, 20 Mar 2024 22:33:23 +0000 Received: by outflank-mailman (input) for mailman id 696150; Wed, 20 Mar 2024 22:33:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rn4Us-000891-Da for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 22:33:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rn4Us-0000z7-Ch for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 22:33:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rn4Us-0007Mi-BV for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 22:33:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FfnGEflb7+T+IDePApAajp5ZvjDq14aL230gXhjErLo=; b=NegF63WFKrNeSKKZol3cEl/uRl asTA4LbWSF+j5YM0lGNlcdlRfxzMkSOAQA4Xy2EWFfXV4fDOVbl2HG6vj8S5B+qr7rcQFqxMEW4Dp MJgOEkcFX5W/Kw7lCHAnx3qpqVlkUAIIBjQh0Nnc66hRms1jh1ak3+nc6atuocTgKymc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/boot: Support the watchdog on newer AMD systems Message-Id: Date: Wed, 20 Mar 2024 22:33:22 +0000 commit 131892e0dcc1265b621c2b7d844cb9e7c3a4404f Author: Andrew Cooper AuthorDate: Tue Mar 19 14:11:12 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 19 18:29:37 2024 +0000 x86/boot: Support the watchdog on newer AMD systems The MSRs used by setup_k7_watchdog() are architectural in 64bit. The Unit Select (0x76, cycles not in halt state) isn't, but it hasn't changed in 25 years, making this a trend likely to continue. Drop the family check. If the Unit Select does happen to change meaning in the future, check_nmi_watchdog() will still notice the watchdog not operating as expected. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/nmi.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index 33f77a9204..f6329cb027 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -387,15 +387,12 @@ void setup_apic_nmi_watchdog(void) if ( nmi_watchdog == NMI_NONE ) return; - switch (boot_cpu_data.x86_vendor) { + switch ( boot_cpu_data.x86_vendor ) + { case X86_VENDOR_AMD: - switch (boot_cpu_data.x86) { - case 6: - case 0xf ... 0x19: - setup_k7_watchdog(); - break; - } + setup_k7_watchdog(); break; + case X86_VENDOR_INTEL: switch (boot_cpu_data.x86) { case 6: -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 20 22:33:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 20 Mar 2024 22:33:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696151.1086803 (Exim 4.92) (envelope-from ) id 1rn4V3-0008Bn-To; Wed, 20 Mar 2024 22:33:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696151.1086803; Wed, 20 Mar 2024 22:33:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rn4V3-0008Bf-R2; Wed, 20 Mar 2024 22:33:33 +0000 Received: by outflank-mailman (input) for mailman id 696151; Wed, 20 Mar 2024 22:33:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rn4V2-0008BV-Gp for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 22:33:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rn4V2-0000zR-Fy for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 22:33:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rn4V2-0007NA-Eh for xen-changelog@lists.xenproject.org; Wed, 20 Mar 2024 22:33:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=T7mjG4m2vvo00Rzf6o10nhV1TnOGNNR5m9QDXcJc3RM=; b=5gop9CGD6Vkbw/JrCleg03f7ca bxDSDPcoTDuCvzEhUZQsvgPQc8iDH563Yhh09gXOLt4wK1QJVtfuy+BS0srTmOIc83YTmZV8J0SZY y5Uz3UhFLN8pDQbSgnaoAWL9RNpCq78smy0EybyEqgdP3UvhpLmRhqVc9W+WSiYn+zqs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/vpci: Improve code generation in mask_write() Message-Id: Date: Wed, 20 Mar 2024 22:33:32 +0000 commit 188fa82305e72b725473db9146e20cc9abf7bff3 Author: Andrew Cooper AuthorDate: Fri Mar 15 11:31:33 2024 +0000 Commit: Andrew Cooper CommitDate: Tue Mar 19 18:29:37 2024 +0000 xen/vpci: Improve code generation in mask_write() The use of __clear_bit() forces dmask to be spilled to the stack, and interferes with the compiler heuristcs for some upcoming improvements to the ffs() code generation. First, shrink dmask to just the active vectors by making out the upper bits. This replaces the "i < msi->vectors" part of the loop condition. Next, use a simple while() loop with "clear bottom bit" expressed in plane C, which affords the optimiser a far better understanding of what the loop is doing. Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/drivers/vpci/msi.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/drivers/vpci/msi.c b/xen/drivers/vpci/msi.c index d3aa5df089..30adcf7df0 100644 --- a/xen/drivers/vpci/msi.c +++ b/xen/drivers/vpci/msi.c @@ -169,13 +169,15 @@ static void cf_check mask_write( if ( msi->enabled ) { - unsigned int i; + /* Skip changes to vectors which aren't enabled. */ + dmask &= (~0U >> (32 - msi->vectors)); - for ( i = ffs(dmask) - 1; dmask && i < msi->vectors; - i = ffs(dmask) - 1 ) + while ( dmask ) { + unsigned int i = ffs(dmask) - 1; + vpci_msi_arch_mask(msi, pdev, i, (val >> i) & 1); - __clear_bit(i, &dmask); + dmask &= (dmask - 1); } } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 08:55:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 08:55:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696251.1086990 (Exim 4.92) (envelope-from ) id 1rnECW-0002cm-Ob; Thu, 21 Mar 2024 08:55:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696251.1086990; Thu, 21 Mar 2024 08:55:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnECW-0002ce-Lq; Thu, 21 Mar 2024 08:55:04 +0000 Received: by outflank-mailman (input) for mailman id 696251; Thu, 21 Mar 2024 08:55:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnECW-0002cY-Br for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnECW-0004yz-7Q for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnECW-0002mp-6N for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vWV6sPcIsxugX1y9s+LY5BLzqsMdEQWGJ1nOTRkJ+zY=; b=vHgWppp9fOpTc6pHiLAPoHBAOs TTLBKTw7NkeHJND+UIPWkdifKFBeDwfzcQ32i/wjP/aBl32FMxbmFsrOT8aOxT4Xp8W8BITufnAqe dvSMUH9TsjdyTMOU/g6JYPDE9xTJ4zCTIxQNwoEqqAFHOS+impaKZHTDjjNPMN0+KShg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/xl_parse: remove message for tsc mode string Message-Id: Date: Thu, 21 Mar 2024 08:55:04 +0000 commit 6eb13b6b1d984af87460f60f2c0cbc5c059b8402 Author: Elliott Mitchell AuthorDate: Thu Mar 21 09:46:13 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:46:13 2024 +0100 tools/xl_parse: remove message for tsc mode string Normal behavior is to be silent. Generating a message for the preferred input can be mistaken for an error. As such remove this message to match other conditions. Signed-off-by: Elliott Mitchell Acked-by: Anthony PERARD --- tools/xl/xl_parse.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c index 80ffe85f5e..ab09d0288b 100644 --- a/tools/xl/xl_parse.c +++ b/tools/xl/xl_parse.c @@ -1660,7 +1660,6 @@ void parse_config_data(const char *config_source, } b_info->tsc_mode = l; } else if (!xlu_cfg_get_string(config, "tsc_mode", &buf, 0)) { - fprintf(stderr, "got a tsc mode string: \"%s\"\n", buf); if (libxl_tsc_mode_from_string(buf, &b_info->tsc_mode)) { fprintf(stderr, "ERROR: invalid value \"%s\" for \"tsc_mode\"\n", buf); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 08:55:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 08:55:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696252.1086993 (Exim 4.92) (envelope-from ) id 1rnECg-0002ep-Q2; Thu, 21 Mar 2024 08:55:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696252.1086993; Thu, 21 Mar 2024 08:55:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnECg-0002eh-NK; Thu, 21 Mar 2024 08:55:14 +0000 Received: by outflank-mailman (input) for mailman id 696252; Thu, 21 Mar 2024 08:55:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnECg-0002eb-Co for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnECg-0004z7-By for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnECg-0002nU-9d for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BLHpZVtWognpSW/gIV3Tcb89tasQfnphKfYtAPvuaDg=; b=aK9cn9AsftciB9uWSEhBf3CCFY 7aEyPztuQy/C2gnu3DrpReaBWQFOYxEQtmCeTsK86S8WtI9w7t/ThES2ufhk7EgS0+2TRgmoP3jTA aZqgyRYtC2pbS4XIFSozqQXwXnli0fiJ+fATmqU5NApZAKiwQYmbtCLEy5f5PoKyasw4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/page_alloc: introduce preserved page flags macro Message-Id: Date: Thu, 21 Mar 2024 08:55:14 +0000 commit 75214d5e53f60a7b19e90ebdb090c20044a052ca Author: Carlo Nonato AuthorDate: Thu Mar 21 09:46:42 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:46:42 2024 +0100 xen/page_alloc: introduce preserved page flags macro PGC_static and PGC_extra needs to be preserved when assigning a page. Define a new macro that groups those flags and use it instead of or'ing every time. To make preserved flags even more meaningful, they are kept also when switching state in mark_page_free(). Signed-off-by: Carlo Nonato Reviewed-by: Jan Beulich --- xen/common/page_alloc.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index b4e0ef3a4c..97788a52a7 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -157,6 +157,8 @@ #define PGC_static 0 #endif +#define PGC_preserved (PGC_extra | PGC_static) + #ifndef PGT_TYPE_INFO_INITIALIZER #define PGT_TYPE_INFO_INITIALIZER 0 #endif @@ -1423,11 +1425,11 @@ static bool mark_page_free(struct page_info *pg, mfn_t mfn) { case PGC_state_inuse: BUG_ON(pg->count_info & PGC_broken); - pg->count_info = PGC_state_free; + pg->count_info = PGC_state_free | (pg->count_info & PGC_preserved); break; case PGC_state_offlining: - pg->count_info = (pg->count_info & PGC_broken) | + pg->count_info = (pg->count_info & (PGC_broken | PGC_preserved)) | PGC_state_offlined; pg_offlined = true; break; @@ -2362,7 +2364,7 @@ int assign_pages( for ( i = 0; i < nr; i++ ) { - ASSERT(!(pg[i].count_info & ~(PGC_extra | PGC_static))); + ASSERT(!(pg[i].count_info & ~PGC_preserved)); if ( pg[i].count_info & PGC_extra ) extra_pages++; } @@ -2422,7 +2424,7 @@ int assign_pages( page_set_owner(&pg[i], d); smp_wmb(); /* Domain pointer must be visible before updating refcnt. */ pg[i].count_info = - (pg[i].count_info & (PGC_extra | PGC_static)) | PGC_allocated | 1; + (pg[i].count_info & PGC_preserved) | PGC_allocated | 1; page_list_add_tail(&pg[i], page_to_list(d, &pg[i])); } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 08:55:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 08:55:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696253.1086998 (Exim 4.92) (envelope-from ) id 1rnECr-0002hU-RV; Thu, 21 Mar 2024 08:55:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696253.1086998; Thu, 21 Mar 2024 08:55:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnECr-0002hM-Ov; Thu, 21 Mar 2024 08:55:25 +0000 Received: by outflank-mailman (input) for mailman id 696253; Thu, 21 Mar 2024 08:55:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnECq-0002hA-Hd for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnECq-0004zF-H0 for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnECq-0002nz-EB for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=22oaS3WH5cOjskphxhdEBIVXk9mZH6S4+zZE+xG9fQQ=; b=TPOsUjEcT0SPxyVDWkxDpI7+At mhmXjfo4ekuargDzUeYjs4SB8fkqCrJIHRfy+CqKvChofWJlGjdEbPCmUuWL0lgzhI9LxzFO3rk7K Q4bcW/xvEIjnrBYXAOJU88J4r3ZCMjpoRtVA293WHRabgeF1n7MS5B1+jdiOyeAzE1ok=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/page_alloc: introduce page flag to stop buddy merging Message-Id: Date: Thu, 21 Mar 2024 08:55:24 +0000 commit f5c2b6da26d9becd5a1a03fcd3e5c950301030a2 Author: Carlo Nonato AuthorDate: Thu Mar 21 09:47:21 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:47:21 2024 +0100 xen/page_alloc: introduce page flag to stop buddy merging Add a new PGC_no_buddy_merge flag that prevents the buddy algorithm in free_heap_pages() from merging pages that have it set. As of now, only PGC_static has this feature, but future work can extend it easier than before. Suggested-by: Jan Beulich Signed-off-by: Carlo Nonato Reviewed-by: Jan Beulich --- xen/common/page_alloc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 97788a52a7..a1c57fe1d9 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -158,6 +158,7 @@ #endif #define PGC_preserved (PGC_extra | PGC_static) +#define PGC_no_buddy_merge PGC_static #ifndef PGT_TYPE_INFO_INITIALIZER #define PGT_TYPE_INFO_INITIALIZER 0 @@ -1503,7 +1504,7 @@ static void free_heap_pages( /* Merge with predecessor block? */ if ( !mfn_valid(page_to_mfn(predecessor)) || !page_state_is(predecessor, free) || - (predecessor->count_info & PGC_static) || + (predecessor->count_info & PGC_no_buddy_merge) || (PFN_ORDER(predecessor) != order) || (page_to_nid(predecessor) != node) ) break; @@ -1527,7 +1528,7 @@ static void free_heap_pages( /* Merge with successor block? */ if ( !mfn_valid(page_to_mfn(successor)) || !page_state_is(successor, free) || - (successor->count_info & PGC_static) || + (successor->count_info & PGC_no_buddy_merge) || (PFN_ORDER(successor) != order) || (page_to_nid(successor) != node) ) break; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 08:55:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 08:55:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696254.1087001 (Exim 4.92) (envelope-from ) id 1rnED1-0002kC-Sz; Thu, 21 Mar 2024 08:55:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696254.1087001; Thu, 21 Mar 2024 08:55:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnED1-0002k4-QO; Thu, 21 Mar 2024 08:55:35 +0000 Received: by outflank-mailman (input) for mailman id 696254; Thu, 21 Mar 2024 08:55:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnED0-0002js-Li for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnED0-0004zk-K9 for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnED0-0002oR-JH for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Biq1t9E1M79PVQZ9dre5IXdjudMYj6hpNodMD8WHd8M=; b=uhk6O/bwYVHVOvBnppqJsxuTu9 nxA47QbPWovGeSRbBm7rE3WUI1LxGZuI/z9RG4mj5pQVGIHdeHkG/CknL54ZD2fPZGWy3us7fyWGl 6V2o0bv9FMavhC7Iuc64C/syYOeFLt10FSk7Yi+MpOEqsLFqtjZkDGDHUfVyiCZgghI8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/PoD: tie together P2M update and increment of entry count Message-Id: Date: Thu, 21 Mar 2024 08:55:34 +0000 commit cc950c49ae6a6690f7fc3041a1f43122c250d250 Author: Jan Beulich AuthorDate: Thu Mar 21 09:48:10 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:48:10 2024 +0100 x86/PoD: tie together P2M update and increment of entry count When not holding the PoD lock across the entire region covering P2M update and stats update, the entry count - if to be incorrect at all - should indicate too large a value in preference to a too small one, to avoid functions bailing early when they find the count is zero. However, instead of moving the increment ahead (and adjust back upon failure), extend the PoD-locked region. Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer") Signed-off-by: Jan Beulich Reviewed-by: George Dunlap --- xen/arch/x86/mm/p2m-pod.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index 65d31e5523..674f321cf6 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -1348,19 +1348,28 @@ mark_populate_on_demand(struct domain *d, unsigned long gfn_l, } } + /* + * P2M update and stats increment need to collectively be under PoD lock, + * to prevent code elsewhere observing PoD entry count being zero despite + * there actually still being PoD entries (created by the p2m_set_entry() + * invocation below). + */ + pod_lock(p2m); + /* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_populate_on_demand, p2m->default_access); if ( rc == 0 ) { - pod_lock(p2m); p2m->pod.entry_count += 1UL << order; p2m->pod.entry_count -= pod_count; BUG_ON(p2m->pod.entry_count < 0); - pod_unlock(p2m); + } + + pod_unlock(p2m); + if ( rc == 0 ) ioreq_request_mapcache_invalidate(d); - } else if ( order ) { /* -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 08:55:46 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 08:55:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696255.1087006 (Exim 4.92) (envelope-from ) id 1rnEDB-0002md-UW; Thu, 21 Mar 2024 08:55:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696255.1087006; Thu, 21 Mar 2024 08:55:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnEDB-0002mV-Rs; Thu, 21 Mar 2024 08:55:45 +0000 Received: by outflank-mailman (input) for mailman id 696255; Thu, 21 Mar 2024 08:55:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnEDA-0002mM-Pe for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnEDA-000504-Op for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnEDA-0002oq-ML for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=s/+aKxxTEozHusn3L8QXOiEgD5sRxFD6TtjKYCieThQ=; b=D7boWCTtZrS1R98dw/8sc1VK6J tkkyC+1Cecpj+PEM/ASJmP1GiNr9TIYo9XwkfSRE4WZRXpTxD3qQ7hadhKFtpV9M4i415IIK2INzj Ut6yDdyZlDW1chqGH1pDGfk9qU86lCH0AYIbrGsV7w+S6//a9JFLxfsbrVAdx8RSEs6Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] AMD/IOMMU: drop remaining guest-IOMMU bits too Message-Id: Date: Thu, 21 Mar 2024 08:55:44 +0000 commit 10e8d824b76f55dde7c1793f48d76d4ff9df5e0a Author: Jan Beulich AuthorDate: Thu Mar 21 09:48:49 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:48:49 2024 +0100 AMD/IOMMU: drop remaining guest-IOMMU bits too With a02174c6c885 ("amd/iommu: clean up unused guest iommu related functions") having removed the sole place where d->g_iommu would be set to non-NULL, guest_iommu_add_ppr_log() will unconditionally bail the latest from its 2nd if(). With it dropped, all other stuff in the file is unused, too. Delete iommu_guest.c altogether. Further delete struct guest{_buffer,_dev_table,_iommu{,_msi}} as well as struct mmio_reg for being unused with the unused g_iommu also dropped from struct arch_iommu. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné --- xen/arch/x86/include/asm/iommu.h | 1 - xen/drivers/passthrough/amd/Makefile | 1 - xen/drivers/passthrough/amd/iommu.h | 58 --------------- xen/drivers/passthrough/amd/iommu_guest.c | 120 ------------------------------ xen/drivers/passthrough/amd/iommu_init.c | 2 +- 5 files changed, 1 insertion(+), 181 deletions(-) diff --git a/xen/arch/x86/include/asm/iommu.h b/xen/arch/x86/include/asm/iommu.h index 2b97cb442e..8dc464fbd3 100644 --- a/xen/arch/x86/include/asm/iommu.h +++ b/xen/arch/x86/include/asm/iommu.h @@ -52,7 +52,6 @@ struct arch_iommu struct { unsigned int paging_mode; struct page_info *root_table; - struct guest_iommu *g_iommu; } amd; }; }; diff --git a/xen/drivers/passthrough/amd/Makefile b/xen/drivers/passthrough/amd/Makefile index a3aecd26ef..415146fcdb 100644 --- a/xen/drivers/passthrough/amd/Makefile +++ b/xen/drivers/passthrough/amd/Makefile @@ -5,4 +5,3 @@ obj-y += pci_amd_iommu.o obj-bin-y += iommu_acpi.init.o obj-y += iommu_intr.o obj-y += iommu_cmd.o -obj-$(CONFIG_HVM) += iommu_guest.o diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h index 65de88217c..a86ed55333 100644 --- a/xen/drivers/passthrough/amd/iommu.h +++ b/xen/drivers/passthrough/amd/iommu.h @@ -145,57 +145,6 @@ int iterate_ivrs_entries(int (*handler)(const struct amd_iommu *iommu, struct ivrs_mappings *map, uint16_t bdf)); -/* iommu tables in guest space */ -struct mmio_reg { - uint32_t lo; - uint32_t hi; -}; - -struct guest_dev_table { - struct mmio_reg reg_base; - uint32_t size; -}; - -struct guest_buffer { - struct mmio_reg reg_base; - struct mmio_reg reg_tail; - struct mmio_reg reg_head; - uint32_t size; -}; - -struct guest_iommu_msi { - uint8_t vector; - uint8_t dest; - uint8_t dest_mode; - uint8_t delivery_mode; - uint8_t trig_mode; -}; - -/* virtual IOMMU structure */ -struct guest_iommu { - - struct domain *domain; - spinlock_t lock; - bool enabled; - - struct guest_dev_table dev_table; - struct guest_buffer cmd_buffer; - struct guest_buffer event_log; - struct guest_buffer ppr_log; - - struct tasklet cmd_buffer_tasklet; - - uint64_t mmio_base; /* MMIO base address */ - - /* MMIO regs */ - union amd_iommu_control reg_ctrl; /* MMIO offset 0018h */ - struct mmio_reg reg_status; /* MMIO offset 2020h */ - union amd_iommu_ext_features reg_ext_feature; /* MMIO offset 0030h */ - - /* guest interrupt settings */ - struct guest_iommu_msi msi; -}; - extern bool iommuv2_enabled; struct acpi_ivrs_hardware; @@ -344,13 +293,6 @@ void cf_check amd_iommu_resume(void); int __must_check cf_check amd_iommu_suspend(void); void cf_check amd_iommu_crash_shutdown(void); -/* guest iommu support */ -#ifdef CONFIG_HVM -void guest_iommu_add_ppr_log(struct domain *d, uint32_t entry[]); -#else -static inline void guest_iommu_add_ppr_log(struct domain *d, uint32_t entry[]) {} -#endif - static inline u32 get_field_from_reg_u32(u32 reg_value, u32 mask, u32 shift) { u32 field; diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c deleted file mode 100644 index 19bd2e5d8e..0000000000 --- a/xen/drivers/passthrough/amd/iommu_guest.c +++ /dev/null @@ -1,120 +0,0 @@ -/* - * Copyright (C) 2011 Advanced Micro Devices, Inc. - * Author: Wei Wang - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; If not, see . - */ - -#include - -#include "iommu.h" - -#define reg_to_u64(reg) (((uint64_t)reg.hi << 32) | reg.lo ) - -static uint16_t get_guest_bdf(struct domain *d, uint16_t machine_bdf) -{ - return machine_bdf; -} - -static inline struct guest_iommu *domain_iommu(struct domain *d) -{ - return dom_iommu(d)->arch.amd.g_iommu; -} - -static unsigned long get_gfn_from_base_reg(uint64_t base_raw) -{ - base_raw &= PADDR_MASK; - ASSERT ( base_raw != 0 ); - return base_raw >> PAGE_SHIFT; -} - -static void guest_iommu_deliver_msi(struct domain *d) -{ - uint8_t vector, dest, dest_mode, delivery_mode, trig_mode; - struct guest_iommu *iommu = domain_iommu(d); - - vector = iommu->msi.vector; - dest = iommu->msi.dest; - dest_mode = iommu->msi.dest_mode; - delivery_mode = iommu->msi.delivery_mode; - trig_mode = iommu->msi.trig_mode; - - vmsi_deliver(d, vector, dest, dest_mode, delivery_mode, trig_mode); -} - -static unsigned long guest_iommu_get_table_mfn(struct domain *d, - uint64_t base_raw, - unsigned int pos) -{ - unsigned long idx, gfn, mfn; - p2m_type_t p2mt; - - gfn = get_gfn_from_base_reg(base_raw); - idx = pos >> PAGE_SHIFT; - - mfn = mfn_x(get_gfn(d, gfn + idx, &p2mt)); - put_gfn(d, gfn); - - return mfn; -} - -void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]) -{ - uint16_t gdev_id; - unsigned long mfn, tail, head; - ppr_entry_t *log; - struct guest_iommu *iommu; - - if ( !is_hvm_domain(d) ) - return; - - iommu = domain_iommu(d); - if ( !iommu ) - return; - - tail = iommu->ppr_log.reg_tail.lo; - head = iommu->ppr_log.reg_head.lo; - - if ( tail >= iommu->ppr_log.size || head >= iommu->ppr_log.size ) - { - AMD_IOMMU_DEBUG("Error: guest iommu ppr log overflows\n"); - iommu->enabled = 0; - return; - } - - mfn = guest_iommu_get_table_mfn(d, reg_to_u64(iommu->ppr_log.reg_base), - tail); - ASSERT(mfn_valid(_mfn(mfn))); - - log = map_domain_page(_mfn(mfn)) + (tail & ~PAGE_MASK); - - /* Convert physical device id back into virtual device id */ - gdev_id = get_guest_bdf(d, iommu_get_devid_from_cmd(entry[0])); - iommu_set_devid_to_cmd(&entry[0], gdev_id); - - memcpy(log, entry, sizeof(ppr_entry_t)); - - /* Now shift ppr log tail pointer */ - tail += sizeof(ppr_entry_t); - if ( tail >= iommu->ppr_log.size ) - { - tail = 0; - iommu->reg_status.lo |= IOMMU_STATUS_PPR_LOG_OVERFLOW; - } - - iommu->ppr_log.reg_tail.lo = tail; - unmap_domain_page(log); - - guest_iommu_deliver_msi(d); -} diff --git a/xen/drivers/passthrough/amd/iommu_init.c b/xen/drivers/passthrough/amd/iommu_init.c index b32da1a28d..358c8cbad9 100644 --- a/xen/drivers/passthrough/amd/iommu_init.c +++ b/xen/drivers/passthrough/amd/iommu_init.c @@ -646,7 +646,7 @@ static void cf_check parse_ppr_log_entry(struct amd_iommu *iommu, u32 entry[]) pcidevs_unlock(); if ( pdev ) - guest_iommu_add_ppr_log(pdev->domain, entry); + /* guest_iommu_add_ppr_log(pdev->domain, entry) */; } static void iommu_check_ppr_log(struct amd_iommu *iommu) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 08:55:56 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 08:55:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696256.1087010 (Exim 4.92) (envelope-from ) id 1rnEDM-0002q6-1B; Thu, 21 Mar 2024 08:55:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696256.1087010; Thu, 21 Mar 2024 08:55:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnEDL-0002py-Ul; Thu, 21 Mar 2024 08:55:55 +0000 Received: by outflank-mailman (input) for mailman id 696256; Thu, 21 Mar 2024 08:55:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnEDK-0002pj-ST for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnEDK-00050I-Rn for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnEDK-0002pK-Qx for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 08:55:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FOLLda/iHIPA4Sgx9mVfHcKr63AcNngH2wEnFQAMydA=; b=nPX3/M83oONR5cJqSTZLpHk6V1 Q3Z3EdBkm5jei2toHhZ2DAtG/V9pKzxRcwzV7MybuRq/4yoPjOuqxwVFSuzfv4LcKcWHbMoJltgJd 4TJDAXpa83BS2OvRKWSYWlRB36d2bUOJOK5agg9TcIPyWa5gZUSz2quzu39ZSQBCTfOE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/ppc: Ensure ELF sections' physical load addresses start at 0x0 Message-Id: Date: Thu, 21 Mar 2024 08:55:54 +0000 commit 97b90f9bf2e5c93e0f61c927fa2bc8a56a213faa Author: Shawn Anastasio AuthorDate: Thu Mar 21 09:49:20 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:49:20 2024 +0100 xen/ppc: Ensure ELF sections' physical load addresses start at 0x0 Some boot mechanisms, including the new linux file_load kexec systemcall used by system firmware v2.10 on RaptorCS systems will try to honor the physical address field of the ELF LOAD section header, which will fail when the address is based off of XEN_VIRT_START (0xc000000000000000). To ensure that the physical address of the LOAD section header starts at 0x0, move x86's DECL_SECTION macro to xen.lds.h and use it to declare all sections. Signed-off-by: Shawn Anastasio Acked-by: Andrew Cooper --- xen/arch/ppc/xen.lds.S | 27 +++++++++++++++------------ xen/arch/x86/xen.lds.S | 6 +----- xen/include/xen/xen.lds.h | 10 ++++++++++ 3 files changed, 26 insertions(+), 17 deletions(-) diff --git a/xen/arch/ppc/xen.lds.S b/xen/arch/ppc/xen.lds.S index 05b6db2728..8840a00446 100644 --- a/xen/arch/ppc/xen.lds.S +++ b/xen/arch/ppc/xen.lds.S @@ -4,6 +4,9 @@ OUTPUT_ARCH(powerpc:common64) ENTRY(start) +/* Used by the DECL_SECTION() macro to calculate physical load addresses */ +#define __XEN_VIRT_START XEN_VIRT_START + PHDRS { text PT_LOAD ; @@ -17,7 +20,7 @@ SECTIONS . = XEN_VIRT_START; _start = .; - .text : { + DECL_SECTION(.text) { _stext = .; /* Text section */ *(.text.header) @@ -40,7 +43,7 @@ SECTIONS } :text . = ALIGN(PAGE_SIZE); - .rodata : { + DECL_SECTION(.rodata) { _srodata = .; /* Read-only data */ /* Bug frames table */ __start_bug_frames = .; @@ -64,7 +67,7 @@ SECTIONS #if defined(BUILD_ID) . = ALIGN(4); - .note.gnu.build-id : { + DECL_SECTION(.note.gnu.build-id) { __note_gnu_build_id_start = .; *(.note.gnu.build-id) __note_gnu_build_id_end = .; @@ -73,19 +76,19 @@ SECTIONS _erodata = .; /* End of read-only data */ . = ALIGN(PAGE_SIZE); - .data.ro_after_init : { + DECL_SECTION(.data.ro_after_init) { __ro_after_init_start = .; *(.data.ro_after_init) . = ALIGN(PAGE_SIZE); __ro_after_init_end = .; } :text - .data.read_mostly : { + DECL_SECTION(.data.read_mostly) { *(.data.read_mostly) } :text . = ALIGN(PAGE_SIZE); - .data : { /* Data */ + DECL_SECTION(.data) { /* Data */ *(.data.page_aligned) . = ALIGN(8); __start_schedulers_array = .; @@ -100,7 +103,7 @@ SECTIONS . = ALIGN(PAGE_SIZE); /* Init code and data */ __init_begin = .; - .init.text : { + DECL_SECTION(.init.text) { _sinittext = .; *(.init.text) _einittext = .; @@ -108,7 +111,7 @@ SECTIONS } :text . = ALIGN(PAGE_SIZE); - .init.data : { + DECL_SECTION(init.data) { *(.init.rodata) *(.init.rodata.*) @@ -137,18 +140,18 @@ SECTIONS __ctors_end = .; } :text - .got : { + DECL_SECTION(.got) { *(.got .toc) } :text - .got.plt : { + DECL_SECTION(.got.plt) { *(.got.plt) } :text . = ALIGN(POINTER_ALIGN); __init_end = .; - .bss : { /* BSS */ + DECL_SECTION(.bss) { /* BSS */ __bss_start = .; *(.bss.stack_aligned) *(.bss.page_aligned) @@ -168,7 +171,7 @@ SECTIONS _end = . ; /* Section for the device tree blob (if any). */ - .dtb : { *(.dtb) } :text + DECL_SECTION(.dtb) { *(.dtb) } :text DWARF2_DEBUG_SECTIONS diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S index 8930e14fc4..1ef6645128 100644 --- a/xen/arch/x86/xen.lds.S +++ b/xen/arch/x86/xen.lds.S @@ -12,6 +12,7 @@ #define FORMAT "pei-x86-64" #undef __XEN_VIRT_START +#undef DECL_SECTION #define __XEN_VIRT_START __image_base__ #define DECL_SECTION(x) x : @@ -20,11 +21,6 @@ ENTRY(efi_start) #else /* !EFI */ #define FORMAT "elf64-x86-64" -#ifdef CONFIG_LD_IS_GNU -# define DECL_SECTION(x) x : AT(ADDR(#x) - __XEN_VIRT_START) -#else -# define DECL_SECTION(x) x : AT(ADDR(x) - __XEN_VIRT_START) -#endif ENTRY(start_pa) diff --git a/xen/include/xen/xen.lds.h b/xen/include/xen/xen.lds.h index 06b7110837..be90f5ca0f 100644 --- a/xen/include/xen/xen.lds.h +++ b/xen/include/xen/xen.lds.h @@ -5,6 +5,16 @@ * Common macros to be used in architecture specific linker scripts. */ +/* + * Declare a section whose load address is based at PA 0 rather than + * Xen's virtual base address. + */ +#ifdef CONFIG_LD_IS_GNU +# define DECL_SECTION(x) x : AT(ADDR(#x) - __XEN_VIRT_START) +#else +# define DECL_SECTION(x) x : AT(ADDR(x) - __XEN_VIRT_START) +#endif + /* * To avoid any confusion, please note that the EFI macro does not correspond * to EFI support and is used when linking a native EFI (i.e. PE/COFF) binary, -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 11:55:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 11:55:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696359.1087229 (Exim 4.92) (envelope-from ) id 1rnH0j-0003Jq-1q; Thu, 21 Mar 2024 11:55:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696359.1087229; Thu, 21 Mar 2024 11:55:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnH0i-0003Ji-VM; Thu, 21 Mar 2024 11:55:04 +0000 Received: by outflank-mailman (input) for mailman id 696359; Thu, 21 Mar 2024 11:55:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnH0h-0003Jc-T1 for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 11:55:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnH0h-0008Ng-MM for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 11:55:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnH0h-0001Or-LM for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 11:55:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=keDwL+3aEpXidprjenuamwhIioWmM3scrF/E0IzE6Fs=; b=VnzuilHlVpdJAzu/lcOAckI/dx W4aZ+ZJi+9ubf8SlVazfJg6qbgzZSJoN0COpwaOxC1Das9sutitqsc30Etqmyk4PRDf69kXO7nHLq FkzY9Ss1p1LgvlUapfltvQemqh4hN5/jUjMhM+NfB8b+MK1oADxUwJLWawsGHdaa94UU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/p2m: Coding style cleanup Message-Id: Date: Thu, 21 Mar 2024 11:55:03 +0000 commit 5205bda5f11cc03ca62ad2bb6c34bf738bbb3247 Author: Andrew Cooper AuthorDate: Mon Oct 22 14:53:26 2018 +0100 Commit: Andrew Cooper CommitDate: Thu Mar 21 11:38:02 2024 +0000 x86/p2m: Coding style cleanup No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/include/asm/p2m.h | 78 ++++++++++++++++++++++++------------------ xen/arch/x86/mm/p2m.c | 38 +++++++++++--------- 2 files changed, 67 insertions(+), 49 deletions(-) diff --git a/xen/arch/x86/include/asm/p2m.h b/xen/arch/x86/include/asm/p2m.h index 6ada585eaa..111badf89a 100644 --- a/xen/arch/x86/include/asm/p2m.h +++ b/xen/arch/x86/include/asm/p2m.h @@ -30,9 +30,9 @@ extern bool opt_hap_1gb, opt_hap_2mb; /* - * The upper levels of the p2m pagetable always contain full rights; all + * The upper levels of the p2m pagetable always contain full rights; all * variation in the access control bits is made in the level-1 PTEs. - * + * * In addition to the phys-to-machine translation, each p2m PTE contains * *type* information about the gfn it translates, helping Xen to decide * on the correct course of action when handling a page-fault to that @@ -43,8 +43,8 @@ extern bool opt_hap_1gb, opt_hap_2mb; */ /* - * AMD IOMMU: When we share p2m table with iommu, bit 52 -bit 58 in pte - * cannot be non-zero, otherwise, hardware generates io page faults when + * AMD IOMMU: When we share p2m table with iommu, bit 52 -bit 58 in pte + * cannot be non-zero, otherwise, hardware generates io page faults when * device access those pages. Therefore, p2m_ram_rw has to be defined as 0. */ typedef enum { @@ -286,8 +286,10 @@ struct p2m_domain { unsigned int defer_flush; bool need_flush; - /* If true, and an access fault comes in and there is no vm_event listener, - * pause domain. Otherwise, remove access restrictions. */ + /* + * If true, and an access fault comes in and there is no vm_event + * listener, pause domain. Otherwise, remove access restrictions. + */ bool access_required; /* Highest guest frame that's ever been mapped in the p2m */ @@ -300,13 +302,15 @@ struct p2m_domain { unsigned long min_remapped_gfn; unsigned long max_remapped_gfn; - /* Populate-on-demand variables + /* + * Populate-on-demand variables * All variables are protected with the pod lock. We cannot rely on * the p2m lock if it's turned into a fine-grained lock. - * We only use the domain page_alloc lock for additions and + * We only use the domain page_alloc lock for additions and * deletions to the domain's page list. Because we use it nested * within the PoD lock, we enforce it's ordering (by remembering - * the unlock level in the arch_domain sub struct). */ + * the unlock level in the arch_domain sub struct). + */ struct { struct page_list_head super, /* List of superpages */ single; /* Non-super lists */ @@ -476,13 +480,15 @@ static inline mfn_t __nonnull(3, 4) _get_gfn_type_access( return p2m_get_gfn_type_access(p2m, gfn, t, a, q, page_order, locked); } -/* Read a particular P2M table, mapping pages as we go. Most callers +/* + * Read a particular P2M table, mapping pages as we go. Most callers * should _not_ call this directly; use the other get_gfn* functions * below unless you know you want to walk a p2m that isn't a domain's * main one. - * If the lookup succeeds, the return value is != INVALID_MFN and + * If the lookup succeeds, the return value is != INVALID_MFN and * *page_order is filled in with the order of the superpage (if any) that - * the entry was found in. */ + * the entry was found in. + */ static inline mfn_t __nonnull(3, 4) get_gfn_type_access( struct p2m_domain *p2m, unsigned long gfn, p2m_type_t *t, p2m_access_t *a, p2m_query_t q, unsigned int *page_order) @@ -516,10 +522,11 @@ static inline void put_gfn(struct domain *d, unsigned long gfn) p2m_put_gfn(p2m_get_hostp2m(d), _gfn(gfn)); } -/* The intent of the "unlocked" accessor is to have the caller not worry about - * put_gfn. They apply to very specific situations: debug printk's, dumps - * during a domain crash, or to peek at a p2m entry/type. Caller is not - * holding the p2m entry exclusively during or after calling this. +/* + * The intent of the "unlocked" accessor is to have the caller not worry about + * put_gfn. They apply to very specific situations: debug printk's, dumps + * during a domain crash, or to peek at a p2m entry/type. Caller is not + * holding the p2m entry exclusively during or after calling this. * * This is also used in the shadow code whenever the paging lock is * held -- in those cases, the caller is protected against concurrent @@ -530,8 +537,8 @@ static inline void put_gfn(struct domain *d, unsigned long gfn) * Any other type of query can cause a change in the p2m and may need to * perform locking. */ -static inline mfn_t get_gfn_query_unlocked(struct domain *d, - unsigned long gfn, +static inline mfn_t get_gfn_query_unlocked(struct domain *d, + unsigned long gfn, p2m_type_t *t) { p2m_access_t a; @@ -539,11 +546,13 @@ static inline mfn_t get_gfn_query_unlocked(struct domain *d, NULL, 0); } -/* Atomically look up a GFN and take a reference count on the backing page. +/* + * Atomically look up a GFN and take a reference count on the backing page. * This makes sure the page doesn't get freed (or shared) underfoot, * and should be used by any path that intends to write to the backing page. * Returns NULL if the page is not backed by RAM. - * The caller is responsible for calling put_page() afterwards. */ + * The caller is responsible for calling put_page() afterwards. + */ struct page_info *p2m_get_page_from_gfn(struct p2m_domain *p2m, gfn_t gfn, p2m_type_t *t, p2m_access_t *a, p2m_query_t q); @@ -589,9 +598,7 @@ int altp2m_get_effective_entry(struct p2m_domain *ap2m, gfn_t gfn, mfn_t *mfn, /* Init the datastructures for later use by the p2m code */ int p2m_init(struct domain *d); -/* Allocate a new p2m table for a domain. - * - * Returns 0 for success or -errno. */ +/* Allocate a new p2m table for a domain. Returns 0 for success or -errno. */ int p2m_alloc_table(struct p2m_domain *p2m); /* Return all the p2m resources to Xen. */ @@ -630,11 +637,11 @@ static inline void p2m_flush_hardware_cached_dirty(struct domain *d) {} #endif /* Change types across all p2m entries in a domain */ -void p2m_change_entry_type_global(struct domain *d, +void p2m_change_entry_type_global(struct domain *d, p2m_type_t ot, p2m_type_t nt); /* Change types across a range of p2m entries (start ... end-1) */ -void p2m_change_type_range(struct domain *d, +void p2m_change_type_range(struct domain *d, unsigned long start, unsigned long end, p2m_type_t ot, p2m_type_t nt); @@ -672,7 +679,7 @@ int p2m_add_identity_entry(struct domain *d, unsigned long gfn_l, p2m_access_t p2ma, unsigned int flag); int p2m_remove_identity_entry(struct domain *d, unsigned long gfn_l); -/* +/* * Populate-on-demand */ @@ -756,7 +763,7 @@ void p2m_mem_paging_populate(struct domain *d, gfn_t gfn); struct vm_event_st; void p2m_mem_paging_resume(struct domain *d, struct vm_event_st *rsp); -/* +/* * Internal functions, only called by other p2m code */ @@ -807,12 +814,17 @@ extern void audit_p2m(struct domain *d, /* Extract the type from the PTE flags that store it */ static inline p2m_type_t p2m_flags_to_type(unsigned int flags) { - /* For AMD IOMMUs we need to use type 0 for plain RAM, but we need - * to make sure that an entirely empty PTE doesn't have RAM type */ - if ( flags == 0 ) + /* + * For AMD IOMMUs we need to use type 0 for plain RAM, but we need + * to make sure that an entirely empty PTE doesn't have RAM type. + */ + if ( flags == 0 ) return p2m_invalid; - /* AMD IOMMUs use bits 9-11 to encode next io page level and bits - * 59-62 for iommu flags so we can't use them to store p2m type info. */ + + /* + * AMD IOMMUs use bits 9-11 to encode next io page level and bits + * 59-62 for iommu flags so we can't use them to store p2m type info. + */ return (flags >> 12) & 0x7f; } @@ -841,7 +853,7 @@ static inline p2m_type_t p2m_recalc_type(bool recalc, p2m_type_t t, int p2m_pt_handle_deferred_changes(uint64_t gpa); /* - * Nested p2m: shadow p2m tables used for nested HVM virtualization + * Nested p2m: shadow p2m tables used for nested HVM virtualization */ /* Flushes specified p2m table */ diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index ca24cd4a67..4c5a79eb53 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -252,7 +252,8 @@ void p2m_flush_hardware_cached_dirty(struct domain *d) */ void p2m_tlb_flush_sync(struct p2m_domain *p2m) { - if ( p2m->need_flush ) { + if ( p2m->need_flush ) + { p2m->need_flush = 0; p2m->tlb_flush(p2m); } @@ -263,7 +264,8 @@ void p2m_tlb_flush_sync(struct p2m_domain *p2m) */ void p2m_unlock_and_tlb_flush(struct p2m_domain *p2m) { - if ( p2m->need_flush ) { + if ( p2m->need_flush ) + { p2m->need_flush = 0; mm_write_unlock(&p2m->lock); p2m->tlb_flush(p2m); @@ -304,7 +306,7 @@ mfn_t p2m_get_gfn_type_access(struct p2m_domain *p2m, gfn_t gfn, mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); } - if (unlikely((p2m_is_broken(*t)))) + if ( unlikely(p2m_is_broken(*t)) ) { /* Return invalid_mfn to avoid caller's access */ mfn = INVALID_MFN; @@ -655,6 +657,7 @@ p2m_add_page(struct domain *d, gfn_t gfn, mfn_t mfn, mfn_x(omfn), ot, a, mfn_x(mfn) + i, t, p2m->default_access); domain_crash(d); + return -EPERM; } else if ( p2m_is_ram(ot) && !p2m_is_paged(ot) ) @@ -774,7 +777,7 @@ out: * Resets the access permissions. */ int p2m_change_type_one(struct domain *d, unsigned long gfn_l, - p2m_type_t ot, p2m_type_t nt) + p2m_type_t ot, p2m_type_t nt) { p2m_access_t a; p2m_type_t pt; @@ -907,6 +910,7 @@ void p2m_change_type_range(struct domain *d, unsigned int i; for ( i = 0; i < MAX_ALTP2M; i++ ) + { if ( d->arch.altp2m_eptp[i] != mfn_x(INVALID_MFN) ) { struct p2m_domain *altp2m = d->arch.altp2m_p2m[i]; @@ -915,6 +919,7 @@ void p2m_change_type_range(struct domain *d, change_type_range(altp2m, start, end, ot, nt); p2m_unlock(altp2m); } + } } hostp2m->defer_nested_flush = false; if ( nestedhvm_enabled(d) ) @@ -978,6 +983,7 @@ int p2m_finish_type_change(struct domain *d, unsigned int i; for ( i = 0; i < MAX_ALTP2M; i++ ) + { if ( d->arch.altp2m_eptp[i] != mfn_x(INVALID_MFN) ) { struct p2m_domain *altp2m = d->arch.altp2m_p2m[i]; @@ -989,6 +995,7 @@ int p2m_finish_type_change(struct domain *d, if ( rc < 0 ) goto out; } + } } out: @@ -1311,7 +1318,7 @@ static struct p2m_domain * p2m_getlru_nestedp2m(struct domain *d, struct p2m_domain *p2m) { struct list_head *lru_list = &p2m_get_hostp2m(d)->np2m_list; - + ASSERT(!list_empty(lru_list)); if ( p2m == NULL ) @@ -1458,13 +1465,12 @@ p2m_get_nestedp2m_locked(struct vcpu *v) /* Mask out low bits; this avoids collisions with P2M_BASE_EADDR */ np2m_base &= ~(0xfffULL); - if (nv->nv_flushp2m && nv->nv_p2m) { + if ( nv->nv_flushp2m && nv->nv_p2m ) nv->nv_p2m = NULL; - } nestedp2m_lock(d); p2m = nv->nv_p2m; - if ( p2m ) + if ( p2m ) { p2m_lock(p2m); if ( p2m->np2m_base == np2m_base ) @@ -1522,7 +1528,7 @@ struct p2m_domain *p2m_get_nestedp2m(struct vcpu *v) struct p2m_domain * p2m_get_p2m(struct vcpu *v) { - if (!nestedhvm_is_n2(v)) + if ( !nestedhvm_is_n2(v) ) return p2m_get_hostp2m(v->domain); return p2m_get_nestedp2m(v); @@ -2203,8 +2209,8 @@ int p2m_altp2m_propagate_change(struct domain *d, gfn_t gfn, #if P2M_AUDIT void audit_p2m(struct domain *d, uint64_t *orphans, - uint64_t *m2p_bad, - uint64_t *p2m_bad) + uint64_t *m2p_bad, + uint64_t *p2m_bad) { struct page_info *page; struct domain *od; @@ -2223,7 +2229,7 @@ void audit_p2m(struct domain *d, p2m_lock(p2m); pod_lock(p2m); - if (p2m->audit_p2m) + if ( p2m->audit_p2m ) pmbad = p2m->audit_p2m(p2m); /* Audit part two: walk the domain's page allocation list, checking @@ -2249,14 +2255,14 @@ void audit_p2m(struct domain *d, { orphans_count++; P2M_PRINTK("orphaned guest page: mfn=%#lx has invalid gfn\n", - mfn); + mfn); continue; } if ( SHARED_M2P(gfn) ) { P2M_PRINTK("shared mfn (%lx) on domain page list!\n", - mfn); + mfn); continue; } @@ -2278,13 +2284,13 @@ void audit_p2m(struct domain *d, p2m_put_gfn(p2m, _gfn(gfn)); P2M_PRINTK("OK: mfn=%#lx, gfn=%#lx, p2mfn=%#lx\n", - mfn, gfn, mfn_x(p2mfn)); + mfn, gfn, mfn_x(p2mfn)); } spin_unlock(&d->page_alloc_lock); pod_unlock(p2m); p2m_unlock(p2m); - + P2M_PRINTK("p2m audit complete\n"); if ( orphans_count | mpbad | pmbad ) P2M_PRINTK("p2m audit found %lu orphans\n", orphans_count); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 11:55:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 11:55:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696360.1087234 (Exim 4.92) (envelope-from ) id 1rnH0t-0003Lp-3N; Thu, 21 Mar 2024 11:55:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696360.1087234; Thu, 21 Mar 2024 11:55:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnH0t-0003Lh-0d; Thu, 21 Mar 2024 11:55:15 +0000 Received: by outflank-mailman (input) for mailman id 696360; Thu, 21 Mar 2024 11:55:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnH0r-0003LU-R2 for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 11:55:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnH0r-0008Nl-QL for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 11:55:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnH0r-0001PO-Oe for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 11:55:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kN5Vl+qaccVjpV09hpnWuZS7ZJ7mc0JYVaxaFLy0sq8=; b=L51qfuZT8M0ZgbWYuDyvC0rkwa Lg6ASZ17wMNlSRheFz6X5mIzfoQ2PotsDj1W/CqTG0W0XlYN9LGilEnWWaw9gLUWR9rFTatzEkhbE 3EKtbfZKBS3fSBmgG4tyovZEhX0tS6Ceny3QLdfwuekh3v4cKs5RM/omKhml3HtKNYeM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/cpuid: More AMD features Message-Id: Date: Thu, 21 Mar 2024 11:55:13 +0000 commit ee973396f008ff0de2836b7ca100ce822740fa41 Author: Andrew Cooper AuthorDate: Mon Mar 18 18:07:05 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 21 11:38:03 2024 +0000 x86/cpuid: More AMD features All of these are informational and require no further logic changes in Xen to support. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- tools/misc/xen-cpuid.c | 5 +++++ xen/include/public/arch-x86/cpufeatureset.h | 8 ++++++++ xen/tools/gen-cpuid.py | 4 ++++ 3 files changed, 17 insertions(+) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index 51efbff579..8893547beb 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -91,6 +91,7 @@ static const char *const str_e1c[32] = [24] = "perfctr-nb", /* [25] */ [26] = "dbx", [27] = "perftsc", [28] = "pcx-l2i", [29] = "monitorx", + [30] = "addr-msk-ext", }; static const char *const str_7b0[32] = @@ -199,11 +200,15 @@ static const char *const str_7a1[32] = static const char *const str_e21a[32] = { + [ 0] = "no-nest-bp", [ 1] = "fs-gs-ns", [ 2] = "lfence+", [ 6] = "nscb", [ 8] = "auto-ibrs", + [10] = "amd-fsrs", [11] = "amd-fsrc", /* 16 */ [17] = "cpuid-user-dis", + [18] = "epsf", [19] = "fsrsc", + [20] = "amd-prefetchi", /* 26 */ [27] = "sbpb", [28] = "ibpb-brtype", [29] = "srso-no", diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index eb9f552948..3de7c0383f 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -168,6 +168,7 @@ XEN_CPUFEATURE(TBM, 3*32+21) /*A trailing bit manipulations */ XEN_CPUFEATURE(TOPOEXT, 3*32+22) /* topology extensions CPUID leafs */ XEN_CPUFEATURE(DBEXT, 3*32+26) /*A data breakpoint extension */ XEN_CPUFEATURE(MONITORX, 3*32+29) /* MONITOR extension (MONITORX/MWAITX) */ +XEN_CPUFEATURE(ADDR_MSK_EXT, 3*32+30) /*A Address Mask Extentions */ /* Intel-defined CPU features, CPUID level 0x0000000D:1.eax, word 4 */ XEN_CPUFEATURE(XSAVEOPT, 4*32+ 0) /*A XSAVEOPT instruction */ @@ -290,10 +291,17 @@ XEN_CPUFEATURE(WRMSRNS, 10*32+19) /*S WRMSR Non-Serialising */ XEN_CPUFEATURE(AVX_IFMA, 10*32+23) /*A AVX-IFMA Instructions */ /* AMD-defined CPU features, CPUID level 0x80000021.eax, word 11 */ +XEN_CPUFEATURE(NO_NEST_BP, 11*32+ 0) /*A No Nested Data Breakpoints */ +XEN_CPUFEATURE(FS_GS_NS, 11*32+ 1) /*S FS/GS base MSRs non-serialising */ XEN_CPUFEATURE(LFENCE_DISPATCH, 11*32+ 2) /*A LFENCE always serializing */ XEN_CPUFEATURE(NSCB, 11*32+ 6) /*A Null Selector Clears Base (and limit too) */ XEN_CPUFEATURE(AUTO_IBRS, 11*32+ 8) /*S Automatic IBRS */ +XEN_CPUFEATURE(AMD_FSRS, 11*32+10) /*A Fast Short REP STOSB */ +XEN_CPUFEATURE(AMD_FSRC, 11*32+11) /*A Fast Short REP CMPSB */ XEN_CPUFEATURE(CPUID_USER_DIS, 11*32+17) /* CPUID disable for CPL > 0 software */ +XEN_CPUFEATURE(EPSF, 11*32+18) /*A Enhanced Predictive Store Forwarding */ +XEN_CPUFEATURE(FSRSC, 11*32+19) /*A Fast Short REP SCASB */ +XEN_CPUFEATURE(AMD_PREFETCHI, 11*32+20) /*A PREFETCHIT{0,1} Instructions */ XEN_CPUFEATURE(SBPB, 11*32+27) /*A Selective Branch Predictor Barrier */ XEN_CPUFEATURE(IBPB_BRTYPE, 11*32+28) /*A IBPB flushes Branch Type predictions too */ XEN_CPUFEATURE(SRSO_NO, 11*32+29) /*A Hardware not vulenrable to Speculative Return Stack Overflow */ diff --git a/xen/tools/gen-cpuid.py b/xen/tools/gen-cpuid.py index 25d329ce48..bf3f9ec01e 100755 --- a/xen/tools/gen-cpuid.py +++ b/xen/tools/gen-cpuid.py @@ -329,6 +329,10 @@ def crunch_numbers(state): # In principle the TSXLDTRK insns could also be considered independent. RTM: [TSXLDTRK], + # Enhanced Predictive Store-Forwarding is a informational note on top + # of PSF. + PSFD: [EPSF], + # The ARCH_CAPS CPUID bit enumerates the availability of the whole register. ARCH_CAPS: list(range(RDCL_NO, RDCL_NO + 64)), -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 12:44:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 12:44:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696388.1087281 (Exim 4.92) (envelope-from ) id 1rnHm7-0004zB-LS; Thu, 21 Mar 2024 12:44:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696388.1087281; Thu, 21 Mar 2024 12:44:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnHm7-0004z3-Ip; Thu, 21 Mar 2024 12:44:03 +0000 Received: by outflank-mailman (input) for mailman id 696388; Thu, 21 Mar 2024 12:44:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnHm5-0004yx-TL for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 12:44:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnHm5-0000n1-IS for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 12:44:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnHm5-000457-HU for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 12:44:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ULM+6BPssAvPQ5qkkE91rcik3J6U+ndTGTld44v7jFA=; b=Jsb8wC7uElJBt7kQaVBD4V1yj1 QYgz0TgYJaTBdIq0soi0WPB9C1C6lZ1btwc/nMLyhpeWjwch78uke4duEJ/YyvBKBeyjrkK7E4HLK jY/SiIDtM98n3xS1qOQbFnr6hVW2P8VzyedZQW85YUJE2ivd3Z7kjj+xaaogpVMbB9jU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] docs/parse-support-md: Handle BulletList Message-Id: Date: Thu, 21 Mar 2024 12:44:01 +0000 commit eaafbd11344a8ec32309fe58a6e529fe1c34d62e Author: Anthony PERARD AuthorDate: Tue Mar 19 15:15:09 2024 +0000 Commit: Julien Grall CommitDate: Wed Mar 20 08:58:59 2024 +0000 docs/parse-support-md: Handle BulletList Commit d638e304f13a introduced a bullet list, but parse-support-md choke on it as it doesn't know what to do about it. Introduce ri_BulletList() so that r_content() will find this new function and call it instead of calling process_unknown(). Reported-by: Julien Grall Fixes: d638e304f13a ("SUPPORT.MD: Fix matrix generation after 43c416d0d819 and 77c39a53cf5b") Signed-off-by: Anthony PERARD Tested-by: Julien Grall Acked-by: Julien Grall --- docs/parse-support-md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/parse-support-md b/docs/parse-support-md index a397637639..b04f62da37 100755 --- a/docs/parse-support-md +++ b/docs/parse-support-md @@ -218,6 +218,13 @@ sub ri_DefinitionList { } } +sub ri_BulletList { + # Assume a paragraph introduce this bullet list, which would mean that + # ri_Para() has already been called, and there's nothing else to do about + # the caveat. + return; +} + sub process_unknown { my ($c, $e) = @_; $had_unknown = Dumper($e); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Thu Mar 21 16:11:12 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 21 Mar 2024 16:11:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696486.1087483 (Exim 4.92) (envelope-from ) id 1rnL0T-0004xw-IV; Thu, 21 Mar 2024 16:11:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696486.1087483; Thu, 21 Mar 2024 16:11:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnL0T-0004xo-FR; Thu, 21 Mar 2024 16:11:05 +0000 Received: by outflank-mailman (input) for mailman id 696486; Thu, 21 Mar 2024 16:11:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnL0R-0004xd-Ky for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 16:11:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnL0R-0005GO-IP for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 16:11:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnL0R-0007HU-Hh for xen-changelog@lists.xenproject.org; Thu, 21 Mar 2024 16:11:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=E6+tpDteNhgmmBhH1SnwZ/fKE/7pplGSVE2W36Eqfvc=; b=oE7q9PfO/ozzfKDcBblEn8G81C XqfM2i6Da9mQClpyjktXhgwl/i508Ah7YiljJdRAnhPBuBZjgHhpMBY4l5tIl5WMllZIi1sbbYD1z b3u4Qigf0bhYAEaYMAYsimxS616e/5+lcQjmy/GG/LT7ZIn2qzJohFT7T8FyQ9+ZXcfk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Revert "xen/page_alloc: introduce preserved page flags macro" Message-Id: Date: Thu, 21 Mar 2024 16:11:03 +0000 commit cbe393b709e0c6c3e2b10c3ac69fbea0abd530fe Author: Julien Grall AuthorDate: Thu Mar 21 16:02:25 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 21 16:02:25 2024 +0000 Revert "xen/page_alloc: introduce preserved page flags macro" Osstest is reporting a crash: Mar 21 12:00:29.533676 (XEN) pg[0] MFN 2211c5 c=0x2c00000000000000 o=0 v=0xe40000010007ffff t=0x24 Mar 21 12:00:42.829785 (XEN) Xen BUG at common/page_alloc.c:1033 Mar 21 12:00:42.829829 (XEN) ----[ Xen-4.19-unstable x86_64 debug=y Not tainted ]---- Mar 21 12:00:42.829857 (XEN) CPU: 12 Mar 21 12:00:42.841571 (XEN) RIP: e008:[] common/page_alloc.c#alloc_heap_pages+0x37f/0x6e2 Mar 21 12:00:42.841609 (XEN) RFLAGS: 0000000000010282 CONTEXT: hypervisor (d0v8) Mar 21 12:00:42.853654 (XEN) rax: ffff83023e3ed06c rbx: 000000000007ffff rcx: 0000000000000028 Mar 21 12:00:42.853689 (XEN) rdx: ffff83047bec7fff rsi: ffff83023e3ea3e8 rdi: ffff83023e3ea3e0 Mar 21 12:00:42.865657 (XEN) rbp: ffff83047bec7c10 rsp: ffff83047bec7b98 r8: 0000000000000000 Mar 21 12:00:42.877647 (XEN) r9: 0000000000000001 r10: 000000000000000c r11: 0000000000000010 Mar 21 12:00:42.877682 (XEN) r12: 0000000000000001 r13: 0000000000000000 r14: ffff82e0044238a0 Mar 21 12:00:42.889652 (XEN) r15: 0000000000000000 cr0: 0000000080050033 cr4: 0000000000372660 Mar 21 12:00:42.901651 (XEN) cr3: 000000046fe34000 cr2: 00007fb72757610b Mar 21 12:00:42.901685 (XEN) fsb: 00007fb726def380 gsb: ffff88801f200000 gss: 0000000000000000 Mar 21 12:00:42.913646 (XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e010 cs: e008 Mar 21 12:00:42.913680 (XEN) Xen code around (common/page_alloc.c#alloc_heap_pages+0x37f/0x6e2): Mar 21 12:00:42.925645 (XEN) d1 1c 00 e8 ad dd 02 00 <0f> 0b 48 85 c9 79 36 0f 0b 41 89 cd 48 c7 47 f0 Mar 21 12:00:42.937649 (XEN) Xen stack trace from rsp=ffff83047bec7b98: Mar 21 12:00:42.937683 (XEN) 0000000000000024 000000007bec7c20 0000000000000001 ffff83046ccda000 Mar 21 12:00:42.949653 (XEN) ffff82e000000021 0000000000000016 0000000000000000 0000000000000000 Mar 21 12:00:42.949687 (XEN) 0000000000000000 0000000000000000 0000000000000028 0000000000000021 Mar 21 12:00:42.961652 (XEN) ffff83046ccda000 0000000000000000 00007d2000000000 ffff83047bec7c48 Mar 21 12:00:42.961687 (XEN) ffff82d0402302ff ffff83046ccda000 0000000000000100 0000000000000000 Mar 21 12:00:42.973655 (XEN) ffff82d0405f0080 00007d2000000000 ffff83047bec7c80 ffff82d0402f626c Mar 21 12:00:42.985656 (XEN) ffff83046ccda000 ffff83046ccda640 0000000000000000 0000000000000000 Mar 21 12:00:42.985690 (XEN) ffff83046ccda220 ffff83047bec7cb0 ffff82d0402f65a0 ffff83046ccda000 Mar 21 12:00:42.997662 (XEN) 0000000000000000 0000000000000000 0000000000000000 ffff83047bec7cc0 Mar 21 12:00:43.009660 (XEN) ffff82d040311f8a ffff83047bec7ce0 ffff82d0402bd543 ffff83046ccda000 Mar 21 12:00:43.009695 (XEN) ffff83047bec7dc8 ffff83047bec7d08 ffff82d04032c524 ffff83046ccda000 Mar 21 12:00:43.021653 (XEN) ffff83047bec7dc8 0000000000000002 ffff83047bec7d58 ffff82d040206750 Mar 21 12:00:43.033642 (XEN) 0000000000000000 ffff82d040233fe5 ffff83047bec7d48 0000000000000000 Mar 21 12:00:43.033678 (XEN) 0000000000000002 00007fb72767f010 ffff82d0405e9120 0000000000000001 Mar 21 12:00:43.045654 (XEN) ffff83047bec7e70 ffff82d040240728 0000000000000007 ffff83023e3b3000 Mar 21 12:00:43.045690 (XEN) 0000000000000246 ffff83023e2efa90 ffff83023e38e000 ffff83023e2efb40 Mar 21 12:00:43.057609 (XEN) 0000000000000007 ffff83023e3afb80 0000000000000206 ffff83047bec7dc0 Mar 21 12:00:43.069662 (XEN) 0000001600000001 000000000000ffff e75aaa8d0000000c ac0d6d864e487f62 Mar 21 12:00:43.069697 (XEN) 000000037fa48d76 0000000200000000 ffffffff000003ff 00000002ffffffff Mar 21 12:00:43.081647 (XEN) 0000000000000000 00000000000001ff 0000000000000000 0000000000000000 Mar 21 12:00:43.093646 (XEN) Xen call trace: Mar 21 12:00:43.093677 (XEN) [] R common/page_alloc.c#alloc_heap_pages+0x37f/0x6e2 Mar 21 12:00:43.093705 (XEN) [] F alloc_domheap_pages+0x17d/0x1e4 Mar 21 12:00:43.105652 (XEN) [] F hap_set_allocation+0x73/0x23c Mar 21 12:00:43.105685 (XEN) [] F hap_enable+0x138/0x33c Mar 21 12:00:43.117646 (XEN) [] F paging_enable+0x2d/0x45 Mar 21 12:00:43.117679 (XEN) [] F hvm_domain_initialise+0x185/0x428 Mar 21 12:00:43.129652 (XEN) [] F arch_domain_create+0x3e7/0x4c1 Mar 21 12:00:43.129687 (XEN) [] F domain_create+0x4cc/0x7e2 Mar 21 12:00:43.141665 (XEN) [] F do_domctl+0x1850/0x192d Mar 21 12:00:43.141699 (XEN) [] F pv_hypercall+0x617/0x6b5 Mar 21 12:00:43.153656 (XEN) [] F lstar_enter+0x13a/0x140 Mar 21 12:00:43.153689 (XEN) Mar 21 12:00:43.153711 (XEN) Mar 21 12:00:43.153731 (XEN) **************************************** Mar 21 12:00:43.165647 (XEN) Panic on CPU 12: Mar 21 12:00:43.165678 (XEN) Xen BUG at common/page_alloc.c:1033 Mar 21 12:00:43.165703 (XEN) **************************************** Mar 21 12:00:43.177633 (XEN) Mar 21 12:00:43.177662 (XEN) Manual reset required ('noreboot' specified) This reverts commit 75214d5e53f60a7b19e90ebdb090c20044a052ca. Signed-off-by: Julien Grall --- xen/common/page_alloc.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index a1c57fe1d9..28c510d666 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -157,7 +157,6 @@ #define PGC_static 0 #endif -#define PGC_preserved (PGC_extra | PGC_static) #define PGC_no_buddy_merge PGC_static #ifndef PGT_TYPE_INFO_INITIALIZER @@ -1426,11 +1425,11 @@ static bool mark_page_free(struct page_info *pg, mfn_t mfn) { case PGC_state_inuse: BUG_ON(pg->count_info & PGC_broken); - pg->count_info = PGC_state_free | (pg->count_info & PGC_preserved); + pg->count_info = PGC_state_free; break; case PGC_state_offlining: - pg->count_info = (pg->count_info & (PGC_broken | PGC_preserved)) | + pg->count_info = (pg->count_info & PGC_broken) | PGC_state_offlined; pg_offlined = true; break; @@ -2365,7 +2364,7 @@ int assign_pages( for ( i = 0; i < nr; i++ ) { - ASSERT(!(pg[i].count_info & ~PGC_preserved)); + ASSERT(!(pg[i].count_info & ~(PGC_extra | PGC_static))); if ( pg[i].count_info & PGC_extra ) extra_pages++; } @@ -2425,7 +2424,7 @@ int assign_pages( page_set_owner(&pg[i], d); smp_wmb(); /* Domain pointer must be visible before updating refcnt. */ pg[i].count_info = - (pg[i].count_info & PGC_preserved) | PGC_allocated | 1; + (pg[i].count_info & (PGC_extra | PGC_static)) | PGC_allocated | 1; page_list_add_tail(&pg[i], page_to_list(d, &pg[i])); } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Fri Mar 22 09:55:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 22 Mar 2024 09:55:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696743.1087897 (Exim 4.92) (envelope-from ) id 1rnbc6-0003xu-Hl; Fri, 22 Mar 2024 09:55:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696743.1087897; Fri, 22 Mar 2024 09:55:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbc6-0003xm-El; Fri, 22 Mar 2024 09:55:02 +0000 Received: by outflank-mailman (input) for mailman id 696743; Fri, 22 Mar 2024 09:55:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbc5-0003xg-MP for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbc5-0007wT-La for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnbc5-00030h-Iq for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8DjuIODsrU/13rwrHCJfzhUsY1YgM/3Dv/7HEyVLIs8=; b=AsycUNm9jAYuJXWEuoc/A5rVYN 9GdWiKspG3eITEEZ11wDIyuAzveS/6/FoMCuoMjHBdY1fUg9WUWRM4QkOI2RBCUJXt1GGuAf+XkGP fmUkTQNSYS94pEMcTXQAm1lslTmHg+hqzCM+T8qHOhuTbCP9FSrnn3UFTlzRePRIoNQA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/xl_parse: remove message for tsc mode string Message-Id: Date: Fri, 22 Mar 2024 09:55:01 +0000 commit 6eb13b6b1d984af87460f60f2c0cbc5c059b8402 Author: Elliott Mitchell AuthorDate: Thu Mar 21 09:46:13 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:46:13 2024 +0100 tools/xl_parse: remove message for tsc mode string Normal behavior is to be silent. Generating a message for the preferred input can be mistaken for an error. As such remove this message to match other conditions. Signed-off-by: Elliott Mitchell Acked-by: Anthony PERARD --- tools/xl/xl_parse.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/xl/xl_parse.c b/tools/xl/xl_parse.c index 80ffe85f5e..ab09d0288b 100644 --- a/tools/xl/xl_parse.c +++ b/tools/xl/xl_parse.c @@ -1660,7 +1660,6 @@ void parse_config_data(const char *config_source, } b_info->tsc_mode = l; } else if (!xlu_cfg_get_string(config, "tsc_mode", &buf, 0)) { - fprintf(stderr, "got a tsc mode string: \"%s\"\n", buf); if (libxl_tsc_mode_from_string(buf, &b_info->tsc_mode)) { fprintf(stderr, "ERROR: invalid value \"%s\" for \"tsc_mode\"\n", buf); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 22 09:55:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 22 Mar 2024 09:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696744.1087901 (Exim 4.92) (envelope-from ) id 1rnbcH-0003zs-Iy; Fri, 22 Mar 2024 09:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696744.1087901; Fri, 22 Mar 2024 09:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcH-0003zk-GA; Fri, 22 Mar 2024 09:55:13 +0000 Received: by outflank-mailman (input) for mailman id 696744; Fri, 22 Mar 2024 09:55:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcF-0003zc-T1 for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcF-0007wb-QS for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnbcF-00031L-Nq for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fzsNtJD+GBkdWY9maI+O/x4GUoA/xHBve5d247HqdhE=; b=d39m0dmSVXINnuqTPTfsUyd1Me Ku/NNLAKq66TsmzEPPhsM+Iia9oGq+OKNimzqcUr1dHu4HFFa2SeJ/3ojrwoQDLFPFhYJjd2HbQ2X CHvU6pXo0G1eQPWst70e+sWcDbC6vcXcuclGqoYnLtV7NUBd0EJsrkHZK4ykpUhBWnV4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/page_alloc: introduce preserved page flags macro Message-Id: Date: Fri, 22 Mar 2024 09:55:11 +0000 commit 75214d5e53f60a7b19e90ebdb090c20044a052ca Author: Carlo Nonato AuthorDate: Thu Mar 21 09:46:42 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:46:42 2024 +0100 xen/page_alloc: introduce preserved page flags macro PGC_static and PGC_extra needs to be preserved when assigning a page. Define a new macro that groups those flags and use it instead of or'ing every time. To make preserved flags even more meaningful, they are kept also when switching state in mark_page_free(). Signed-off-by: Carlo Nonato Reviewed-by: Jan Beulich --- xen/common/page_alloc.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index b4e0ef3a4c..97788a52a7 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -157,6 +157,8 @@ #define PGC_static 0 #endif +#define PGC_preserved (PGC_extra | PGC_static) + #ifndef PGT_TYPE_INFO_INITIALIZER #define PGT_TYPE_INFO_INITIALIZER 0 #endif @@ -1423,11 +1425,11 @@ static bool mark_page_free(struct page_info *pg, mfn_t mfn) { case PGC_state_inuse: BUG_ON(pg->count_info & PGC_broken); - pg->count_info = PGC_state_free; + pg->count_info = PGC_state_free | (pg->count_info & PGC_preserved); break; case PGC_state_offlining: - pg->count_info = (pg->count_info & PGC_broken) | + pg->count_info = (pg->count_info & (PGC_broken | PGC_preserved)) | PGC_state_offlined; pg_offlined = true; break; @@ -2362,7 +2364,7 @@ int assign_pages( for ( i = 0; i < nr; i++ ) { - ASSERT(!(pg[i].count_info & ~(PGC_extra | PGC_static))); + ASSERT(!(pg[i].count_info & ~PGC_preserved)); if ( pg[i].count_info & PGC_extra ) extra_pages++; } @@ -2422,7 +2424,7 @@ int assign_pages( page_set_owner(&pg[i], d); smp_wmb(); /* Domain pointer must be visible before updating refcnt. */ pg[i].count_info = - (pg[i].count_info & (PGC_extra | PGC_static)) | PGC_allocated | 1; + (pg[i].count_info & PGC_preserved) | PGC_allocated | 1; page_list_add_tail(&pg[i], page_to_list(d, &pg[i])); } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 22 09:55:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 22 Mar 2024 09:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696745.1087905 (Exim 4.92) (envelope-from ) id 1rnbcR-00043A-LX; Fri, 22 Mar 2024 09:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696745.1087905; Fri, 22 Mar 2024 09:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcR-000430-IH; Fri, 22 Mar 2024 09:55:23 +0000 Received: by outflank-mailman (input) for mailman id 696745; Fri, 22 Mar 2024 09:55:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcP-00042N-UP for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcP-0007wl-Tf for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnbcP-00031y-Sf for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=bxA0mlg4Cn2qN7xBLewSbcj0xwPufiCWmq9yNF+fmFY=; b=KPXfJkYIf5+RzQkmqKrhOf1SXn 1XGetX1fx0dswQ8TDTP3bnz27AJNydjEsgOYUhl9DinMfDevcW60rI//sEpZrCaePITSxzPXrQnlx 1BFhYMJ1Ge22olPcLa3UXcuSs4yzScxwkDiJZH+Z4Z+kaloKDucFovHCc5ITWHItgtck=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/page_alloc: introduce page flag to stop buddy merging Message-Id: Date: Fri, 22 Mar 2024 09:55:21 +0000 commit f5c2b6da26d9becd5a1a03fcd3e5c950301030a2 Author: Carlo Nonato AuthorDate: Thu Mar 21 09:47:21 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:47:21 2024 +0100 xen/page_alloc: introduce page flag to stop buddy merging Add a new PGC_no_buddy_merge flag that prevents the buddy algorithm in free_heap_pages() from merging pages that have it set. As of now, only PGC_static has this feature, but future work can extend it easier than before. Suggested-by: Jan Beulich Signed-off-by: Carlo Nonato Reviewed-by: Jan Beulich --- xen/common/page_alloc.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 97788a52a7..a1c57fe1d9 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -158,6 +158,7 @@ #endif #define PGC_preserved (PGC_extra | PGC_static) +#define PGC_no_buddy_merge PGC_static #ifndef PGT_TYPE_INFO_INITIALIZER #define PGT_TYPE_INFO_INITIALIZER 0 @@ -1503,7 +1504,7 @@ static void free_heap_pages( /* Merge with predecessor block? */ if ( !mfn_valid(page_to_mfn(predecessor)) || !page_state_is(predecessor, free) || - (predecessor->count_info & PGC_static) || + (predecessor->count_info & PGC_no_buddy_merge) || (PFN_ORDER(predecessor) != order) || (page_to_nid(predecessor) != node) ) break; @@ -1527,7 +1528,7 @@ static void free_heap_pages( /* Merge with successor block? */ if ( !mfn_valid(page_to_mfn(successor)) || !page_state_is(successor, free) || - (successor->count_info & PGC_static) || + (successor->count_info & PGC_no_buddy_merge) || (PFN_ORDER(successor) != order) || (page_to_nid(successor) != node) ) break; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 22 09:55:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 22 Mar 2024 09:55:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696746.1087909 (Exim 4.92) (envelope-from ) id 1rnbcb-00046F-Mi; Fri, 22 Mar 2024 09:55:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696746.1087909; Fri, 22 Mar 2024 09:55:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcb-000467-Jx; Fri, 22 Mar 2024 09:55:33 +0000 Received: by outflank-mailman (input) for mailman id 696746; Fri, 22 Mar 2024 09:55:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbca-00045w-2v for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbca-0007wt-2C for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnbcZ-00032P-Vo for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=InyqP2z4BZ8ooT/Ed67R5RiT4xDA3rjdyPbs7WlxI3s=; b=TWwsAaTNYdQ2EKX5uwRAiY1whh XcDhQ+kSc0V3214bIug0Q59Bp9pFDnrU8vp4LxjxwXfzfWJtiePKoMDsdIb5Voacr2Fd9dKJB/SXy rG+47U2Mra1ZtebNdljh67lvKybdOnOsYu5INu+BYL+4Gy8PGZZeXDOGO9u3MWy92AIk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/PoD: tie together P2M update and increment of entry count Message-Id: Date: Fri, 22 Mar 2024 09:55:31 +0000 commit cc950c49ae6a6690f7fc3041a1f43122c250d250 Author: Jan Beulich AuthorDate: Thu Mar 21 09:48:10 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:48:10 2024 +0100 x86/PoD: tie together P2M update and increment of entry count When not holding the PoD lock across the entire region covering P2M update and stats update, the entry count - if to be incorrect at all - should indicate too large a value in preference to a too small one, to avoid functions bailing early when they find the count is zero. However, instead of moving the increment ahead (and adjust back upon failure), extend the PoD-locked region. Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer") Signed-off-by: Jan Beulich Reviewed-by: George Dunlap --- xen/arch/x86/mm/p2m-pod.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index 65d31e5523..674f321cf6 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -1348,19 +1348,28 @@ mark_populate_on_demand(struct domain *d, unsigned long gfn_l, } } + /* + * P2M update and stats increment need to collectively be under PoD lock, + * to prevent code elsewhere observing PoD entry count being zero despite + * there actually still being PoD entries (created by the p2m_set_entry() + * invocation below). + */ + pod_lock(p2m); + /* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_populate_on_demand, p2m->default_access); if ( rc == 0 ) { - pod_lock(p2m); p2m->pod.entry_count += 1UL << order; p2m->pod.entry_count -= pod_count; BUG_ON(p2m->pod.entry_count < 0); - pod_unlock(p2m); + } + + pod_unlock(p2m); + if ( rc == 0 ) ioreq_request_mapcache_invalidate(d); - } else if ( order ) { /* -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 22 09:55:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 22 Mar 2024 09:55:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696747.1087912 (Exim 4.92) (envelope-from ) id 1rnbcl-00048t-OH; Fri, 22 Mar 2024 09:55:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696747.1087912; Fri, 22 Mar 2024 09:55:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcl-00048m-LS; Fri, 22 Mar 2024 09:55:43 +0000 Received: by outflank-mailman (input) for mailman id 696747; Fri, 22 Mar 2024 09:55:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbck-00048c-62 for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbck-0007xC-5H for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnbck-00032x-4O for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=orD1wHaATWuBueE/zYwtLa/LgGk1auwGsoIl3dqAYqk=; b=NRgqbz+L0xf1UPscuvfhbgJlEa 2ojY2Je1a6aHQRKOWRhvbWiwEFI5IqvsNqwSopyq6awsPZt5skf7ZiciiuFmykunqmErYufCOT/pS IdM2l5V4jcepIcJRuN5vAfL5HXQL+BklcpzdbC7IwSrbAlLahmt39wY43U8ik/4uzW/Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] AMD/IOMMU: drop remaining guest-IOMMU bits too Message-Id: Date: Fri, 22 Mar 2024 09:55:42 +0000 commit 10e8d824b76f55dde7c1793f48d76d4ff9df5e0a Author: Jan Beulich AuthorDate: Thu Mar 21 09:48:49 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:48:49 2024 +0100 AMD/IOMMU: drop remaining guest-IOMMU bits too With a02174c6c885 ("amd/iommu: clean up unused guest iommu related functions") having removed the sole place where d->g_iommu would be set to non-NULL, guest_iommu_add_ppr_log() will unconditionally bail the latest from its 2nd if(). With it dropped, all other stuff in the file is unused, too. Delete iommu_guest.c altogether. Further delete struct guest{_buffer,_dev_table,_iommu{,_msi}} as well as struct mmio_reg for being unused with the unused g_iommu also dropped from struct arch_iommu. Signed-off-by: Jan Beulich Acked-by: Roger Pau Monné --- xen/arch/x86/include/asm/iommu.h | 1 - xen/drivers/passthrough/amd/Makefile | 1 - xen/drivers/passthrough/amd/iommu.h | 58 --------------- xen/drivers/passthrough/amd/iommu_guest.c | 120 ------------------------------ xen/drivers/passthrough/amd/iommu_init.c | 2 +- 5 files changed, 1 insertion(+), 181 deletions(-) diff --git a/xen/arch/x86/include/asm/iommu.h b/xen/arch/x86/include/asm/iommu.h index 2b97cb442e..8dc464fbd3 100644 --- a/xen/arch/x86/include/asm/iommu.h +++ b/xen/arch/x86/include/asm/iommu.h @@ -52,7 +52,6 @@ struct arch_iommu struct { unsigned int paging_mode; struct page_info *root_table; - struct guest_iommu *g_iommu; } amd; }; }; diff --git a/xen/drivers/passthrough/amd/Makefile b/xen/drivers/passthrough/amd/Makefile index a3aecd26ef..415146fcdb 100644 --- a/xen/drivers/passthrough/amd/Makefile +++ b/xen/drivers/passthrough/amd/Makefile @@ -5,4 +5,3 @@ obj-y += pci_amd_iommu.o obj-bin-y += iommu_acpi.init.o obj-y += iommu_intr.o obj-y += iommu_cmd.o -obj-$(CONFIG_HVM) += iommu_guest.o diff --git a/xen/drivers/passthrough/amd/iommu.h b/xen/drivers/passthrough/amd/iommu.h index 65de88217c..a86ed55333 100644 --- a/xen/drivers/passthrough/amd/iommu.h +++ b/xen/drivers/passthrough/amd/iommu.h @@ -145,57 +145,6 @@ int iterate_ivrs_entries(int (*handler)(const struct amd_iommu *iommu, struct ivrs_mappings *map, uint16_t bdf)); -/* iommu tables in guest space */ -struct mmio_reg { - uint32_t lo; - uint32_t hi; -}; - -struct guest_dev_table { - struct mmio_reg reg_base; - uint32_t size; -}; - -struct guest_buffer { - struct mmio_reg reg_base; - struct mmio_reg reg_tail; - struct mmio_reg reg_head; - uint32_t size; -}; - -struct guest_iommu_msi { - uint8_t vector; - uint8_t dest; - uint8_t dest_mode; - uint8_t delivery_mode; - uint8_t trig_mode; -}; - -/* virtual IOMMU structure */ -struct guest_iommu { - - struct domain *domain; - spinlock_t lock; - bool enabled; - - struct guest_dev_table dev_table; - struct guest_buffer cmd_buffer; - struct guest_buffer event_log; - struct guest_buffer ppr_log; - - struct tasklet cmd_buffer_tasklet; - - uint64_t mmio_base; /* MMIO base address */ - - /* MMIO regs */ - union amd_iommu_control reg_ctrl; /* MMIO offset 0018h */ - struct mmio_reg reg_status; /* MMIO offset 2020h */ - union amd_iommu_ext_features reg_ext_feature; /* MMIO offset 0030h */ - - /* guest interrupt settings */ - struct guest_iommu_msi msi; -}; - extern bool iommuv2_enabled; struct acpi_ivrs_hardware; @@ -344,13 +293,6 @@ void cf_check amd_iommu_resume(void); int __must_check cf_check amd_iommu_suspend(void); void cf_check amd_iommu_crash_shutdown(void); -/* guest iommu support */ -#ifdef CONFIG_HVM -void guest_iommu_add_ppr_log(struct domain *d, uint32_t entry[]); -#else -static inline void guest_iommu_add_ppr_log(struct domain *d, uint32_t entry[]) {} -#endif - static inline u32 get_field_from_reg_u32(u32 reg_value, u32 mask, u32 shift) { u32 field; diff --git a/xen/drivers/passthrough/amd/iommu_guest.c b/xen/drivers/passthrough/amd/iommu_guest.c deleted file mode 100644 index 19bd2e5d8e..0000000000 --- a/xen/drivers/passthrough/amd/iommu_guest.c +++ /dev/null @@ -1,120 +0,0 @@ -/* - * Copyright (C) 2011 Advanced Micro Devices, Inc. - * Author: Wei Wang - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; If not, see . - */ - -#include - -#include "iommu.h" - -#define reg_to_u64(reg) (((uint64_t)reg.hi << 32) | reg.lo ) - -static uint16_t get_guest_bdf(struct domain *d, uint16_t machine_bdf) -{ - return machine_bdf; -} - -static inline struct guest_iommu *domain_iommu(struct domain *d) -{ - return dom_iommu(d)->arch.amd.g_iommu; -} - -static unsigned long get_gfn_from_base_reg(uint64_t base_raw) -{ - base_raw &= PADDR_MASK; - ASSERT ( base_raw != 0 ); - return base_raw >> PAGE_SHIFT; -} - -static void guest_iommu_deliver_msi(struct domain *d) -{ - uint8_t vector, dest, dest_mode, delivery_mode, trig_mode; - struct guest_iommu *iommu = domain_iommu(d); - - vector = iommu->msi.vector; - dest = iommu->msi.dest; - dest_mode = iommu->msi.dest_mode; - delivery_mode = iommu->msi.delivery_mode; - trig_mode = iommu->msi.trig_mode; - - vmsi_deliver(d, vector, dest, dest_mode, delivery_mode, trig_mode); -} - -static unsigned long guest_iommu_get_table_mfn(struct domain *d, - uint64_t base_raw, - unsigned int pos) -{ - unsigned long idx, gfn, mfn; - p2m_type_t p2mt; - - gfn = get_gfn_from_base_reg(base_raw); - idx = pos >> PAGE_SHIFT; - - mfn = mfn_x(get_gfn(d, gfn + idx, &p2mt)); - put_gfn(d, gfn); - - return mfn; -} - -void guest_iommu_add_ppr_log(struct domain *d, u32 entry[]) -{ - uint16_t gdev_id; - unsigned long mfn, tail, head; - ppr_entry_t *log; - struct guest_iommu *iommu; - - if ( !is_hvm_domain(d) ) - return; - - iommu = domain_iommu(d); - if ( !iommu ) - return; - - tail = iommu->ppr_log.reg_tail.lo; - head = iommu->ppr_log.reg_head.lo; - - if ( tail >= iommu->ppr_log.size || head >= iommu->ppr_log.size ) - { - AMD_IOMMU_DEBUG("Error: guest iommu ppr log overflows\n"); - iommu->enabled = 0; - return; - } - - mfn = guest_iommu_get_table_mfn(d, reg_to_u64(iommu->ppr_log.reg_base), - tail); - ASSERT(mfn_valid(_mfn(mfn))); - - log = map_domain_page(_mfn(mfn)) + (tail & ~PAGE_MASK); - - /* Convert physical device id back into virtual device id */ - gdev_id = get_guest_bdf(d, iommu_get_devid_from_cmd(entry[0])); - iommu_set_devid_to_cmd(&entry[0], gdev_id); - - memcpy(log, entry, sizeof(ppr_entry_t)); - - /* Now shift ppr log tail pointer */ - tail += sizeof(ppr_entry_t); - if ( tail >= iommu->ppr_log.size ) - { - tail = 0; - iommu->reg_status.lo |= IOMMU_STATUS_PPR_LOG_OVERFLOW; - } - - iommu->ppr_log.reg_tail.lo = tail; - unmap_domain_page(log); - - guest_iommu_deliver_msi(d); -} diff --git a/xen/drivers/passthrough/amd/iommu_init.c b/xen/drivers/passthrough/amd/iommu_init.c index b32da1a28d..358c8cbad9 100644 --- a/xen/drivers/passthrough/amd/iommu_init.c +++ b/xen/drivers/passthrough/amd/iommu_init.c @@ -646,7 +646,7 @@ static void cf_check parse_ppr_log_entry(struct amd_iommu *iommu, u32 entry[]) pcidevs_unlock(); if ( pdev ) - guest_iommu_add_ppr_log(pdev->domain, entry); + /* guest_iommu_add_ppr_log(pdev->domain, entry) */; } static void iommu_check_ppr_log(struct amd_iommu *iommu) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 22 09:55:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 22 Mar 2024 09:55:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696748.1087916 (Exim 4.92) (envelope-from ) id 1rnbcv-0004CN-Qn; Fri, 22 Mar 2024 09:55:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696748.1087916; Fri, 22 Mar 2024 09:55:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcv-0004CG-OL; Fri, 22 Mar 2024 09:55:53 +0000 Received: by outflank-mailman (input) for mailman id 696748; Fri, 22 Mar 2024 09:55:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcu-0004C7-98 for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbcu-0007xZ-8K for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnbcu-00033q-7i for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:55:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VXwwsRW3Q5iK2ivF+S4gyHrkf58zzvuR2KJawBPNDCs=; b=kMU/tcUpV9egcy9DsLGzGcTQ5I yNNgFEdtiDm+1zPPmQuyK6FVIeMxrjvCV1yGFddtDXtka7e368MHF2hlKiHbpM997oRg1FDHaJEJg oLbCZL1ZZ2X5P+639yiG0jXSqhTZevs9oe1y9IJIbF1aLa9voLEUM3qX0ZxPl82WAN88=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/ppc: Ensure ELF sections' physical load addresses start at 0x0 Message-Id: Date: Fri, 22 Mar 2024 09:55:52 +0000 commit 97b90f9bf2e5c93e0f61c927fa2bc8a56a213faa Author: Shawn Anastasio AuthorDate: Thu Mar 21 09:49:20 2024 +0100 Commit: Jan Beulich CommitDate: Thu Mar 21 09:49:20 2024 +0100 xen/ppc: Ensure ELF sections' physical load addresses start at 0x0 Some boot mechanisms, including the new linux file_load kexec systemcall used by system firmware v2.10 on RaptorCS systems will try to honor the physical address field of the ELF LOAD section header, which will fail when the address is based off of XEN_VIRT_START (0xc000000000000000). To ensure that the physical address of the LOAD section header starts at 0x0, move x86's DECL_SECTION macro to xen.lds.h and use it to declare all sections. Signed-off-by: Shawn Anastasio Acked-by: Andrew Cooper --- xen/arch/ppc/xen.lds.S | 27 +++++++++++++++------------ xen/arch/x86/xen.lds.S | 6 +----- xen/include/xen/xen.lds.h | 10 ++++++++++ 3 files changed, 26 insertions(+), 17 deletions(-) diff --git a/xen/arch/ppc/xen.lds.S b/xen/arch/ppc/xen.lds.S index 05b6db2728..8840a00446 100644 --- a/xen/arch/ppc/xen.lds.S +++ b/xen/arch/ppc/xen.lds.S @@ -4,6 +4,9 @@ OUTPUT_ARCH(powerpc:common64) ENTRY(start) +/* Used by the DECL_SECTION() macro to calculate physical load addresses */ +#define __XEN_VIRT_START XEN_VIRT_START + PHDRS { text PT_LOAD ; @@ -17,7 +20,7 @@ SECTIONS . = XEN_VIRT_START; _start = .; - .text : { + DECL_SECTION(.text) { _stext = .; /* Text section */ *(.text.header) @@ -40,7 +43,7 @@ SECTIONS } :text . = ALIGN(PAGE_SIZE); - .rodata : { + DECL_SECTION(.rodata) { _srodata = .; /* Read-only data */ /* Bug frames table */ __start_bug_frames = .; @@ -64,7 +67,7 @@ SECTIONS #if defined(BUILD_ID) . = ALIGN(4); - .note.gnu.build-id : { + DECL_SECTION(.note.gnu.build-id) { __note_gnu_build_id_start = .; *(.note.gnu.build-id) __note_gnu_build_id_end = .; @@ -73,19 +76,19 @@ SECTIONS _erodata = .; /* End of read-only data */ . = ALIGN(PAGE_SIZE); - .data.ro_after_init : { + DECL_SECTION(.data.ro_after_init) { __ro_after_init_start = .; *(.data.ro_after_init) . = ALIGN(PAGE_SIZE); __ro_after_init_end = .; } :text - .data.read_mostly : { + DECL_SECTION(.data.read_mostly) { *(.data.read_mostly) } :text . = ALIGN(PAGE_SIZE); - .data : { /* Data */ + DECL_SECTION(.data) { /* Data */ *(.data.page_aligned) . = ALIGN(8); __start_schedulers_array = .; @@ -100,7 +103,7 @@ SECTIONS . = ALIGN(PAGE_SIZE); /* Init code and data */ __init_begin = .; - .init.text : { + DECL_SECTION(.init.text) { _sinittext = .; *(.init.text) _einittext = .; @@ -108,7 +111,7 @@ SECTIONS } :text . = ALIGN(PAGE_SIZE); - .init.data : { + DECL_SECTION(init.data) { *(.init.rodata) *(.init.rodata.*) @@ -137,18 +140,18 @@ SECTIONS __ctors_end = .; } :text - .got : { + DECL_SECTION(.got) { *(.got .toc) } :text - .got.plt : { + DECL_SECTION(.got.plt) { *(.got.plt) } :text . = ALIGN(POINTER_ALIGN); __init_end = .; - .bss : { /* BSS */ + DECL_SECTION(.bss) { /* BSS */ __bss_start = .; *(.bss.stack_aligned) *(.bss.page_aligned) @@ -168,7 +171,7 @@ SECTIONS _end = . ; /* Section for the device tree blob (if any). */ - .dtb : { *(.dtb) } :text + DECL_SECTION(.dtb) { *(.dtb) } :text DWARF2_DEBUG_SECTIONS diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S index 8930e14fc4..1ef6645128 100644 --- a/xen/arch/x86/xen.lds.S +++ b/xen/arch/x86/xen.lds.S @@ -12,6 +12,7 @@ #define FORMAT "pei-x86-64" #undef __XEN_VIRT_START +#undef DECL_SECTION #define __XEN_VIRT_START __image_base__ #define DECL_SECTION(x) x : @@ -20,11 +21,6 @@ ENTRY(efi_start) #else /* !EFI */ #define FORMAT "elf64-x86-64" -#ifdef CONFIG_LD_IS_GNU -# define DECL_SECTION(x) x : AT(ADDR(#x) - __XEN_VIRT_START) -#else -# define DECL_SECTION(x) x : AT(ADDR(x) - __XEN_VIRT_START) -#endif ENTRY(start_pa) diff --git a/xen/include/xen/xen.lds.h b/xen/include/xen/xen.lds.h index 06b7110837..be90f5ca0f 100644 --- a/xen/include/xen/xen.lds.h +++ b/xen/include/xen/xen.lds.h @@ -5,6 +5,16 @@ * Common macros to be used in architecture specific linker scripts. */ +/* + * Declare a section whose load address is based at PA 0 rather than + * Xen's virtual base address. + */ +#ifdef CONFIG_LD_IS_GNU +# define DECL_SECTION(x) x : AT(ADDR(#x) - __XEN_VIRT_START) +#else +# define DECL_SECTION(x) x : AT(ADDR(x) - __XEN_VIRT_START) +#endif + /* * To avoid any confusion, please note that the EFI macro does not correspond * to EFI support and is used when linking a native EFI (i.e. PE/COFF) binary, -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 22 09:56:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 22 Mar 2024 09:56:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696749.1087920 (Exim 4.92) (envelope-from ) id 1rnbd5-0004FA-SU; Fri, 22 Mar 2024 09:56:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696749.1087920; Fri, 22 Mar 2024 09:56:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbd5-0004F3-Pv; Fri, 22 Mar 2024 09:56:03 +0000 Received: by outflank-mailman (input) for mailman id 696749; Fri, 22 Mar 2024 09:56:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbd4-0004Er-CX for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:56:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbd4-0007xu-Bl for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:56:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnbd4-00034x-Ab for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:56:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=QhM2KGp+HDZI8Adt9xqY4JIO8B8G/HhyFTBO9kR6epM=; b=XUQhkYcGJjScqWPRfg3uqFkxse dXIqL2H6dVurPViVEvNMQXL+ZEdJVSmLrzieR30xsle9A8BPD/wvoMt3m3d1FJxInZSqq3794vxRu P0hmK7Lrn/0faGBwtU6R/SfRqUOmT6y26bGTxx8keTtq273esiU3RJ9DlbmJ3UMERm6E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/p2m: Coding style cleanup Message-Id: Date: Fri, 22 Mar 2024 09:56:02 +0000 commit 5205bda5f11cc03ca62ad2bb6c34bf738bbb3247 Author: Andrew Cooper AuthorDate: Mon Oct 22 14:53:26 2018 +0100 Commit: Andrew Cooper CommitDate: Thu Mar 21 11:38:02 2024 +0000 x86/p2m: Coding style cleanup No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/include/asm/p2m.h | 78 ++++++++++++++++++++++++------------------ xen/arch/x86/mm/p2m.c | 38 +++++++++++--------- 2 files changed, 67 insertions(+), 49 deletions(-) diff --git a/xen/arch/x86/include/asm/p2m.h b/xen/arch/x86/include/asm/p2m.h index 6ada585eaa..111badf89a 100644 --- a/xen/arch/x86/include/asm/p2m.h +++ b/xen/arch/x86/include/asm/p2m.h @@ -30,9 +30,9 @@ extern bool opt_hap_1gb, opt_hap_2mb; /* - * The upper levels of the p2m pagetable always contain full rights; all + * The upper levels of the p2m pagetable always contain full rights; all * variation in the access control bits is made in the level-1 PTEs. - * + * * In addition to the phys-to-machine translation, each p2m PTE contains * *type* information about the gfn it translates, helping Xen to decide * on the correct course of action when handling a page-fault to that @@ -43,8 +43,8 @@ extern bool opt_hap_1gb, opt_hap_2mb; */ /* - * AMD IOMMU: When we share p2m table with iommu, bit 52 -bit 58 in pte - * cannot be non-zero, otherwise, hardware generates io page faults when + * AMD IOMMU: When we share p2m table with iommu, bit 52 -bit 58 in pte + * cannot be non-zero, otherwise, hardware generates io page faults when * device access those pages. Therefore, p2m_ram_rw has to be defined as 0. */ typedef enum { @@ -286,8 +286,10 @@ struct p2m_domain { unsigned int defer_flush; bool need_flush; - /* If true, and an access fault comes in and there is no vm_event listener, - * pause domain. Otherwise, remove access restrictions. */ + /* + * If true, and an access fault comes in and there is no vm_event + * listener, pause domain. Otherwise, remove access restrictions. + */ bool access_required; /* Highest guest frame that's ever been mapped in the p2m */ @@ -300,13 +302,15 @@ struct p2m_domain { unsigned long min_remapped_gfn; unsigned long max_remapped_gfn; - /* Populate-on-demand variables + /* + * Populate-on-demand variables * All variables are protected with the pod lock. We cannot rely on * the p2m lock if it's turned into a fine-grained lock. - * We only use the domain page_alloc lock for additions and + * We only use the domain page_alloc lock for additions and * deletions to the domain's page list. Because we use it nested * within the PoD lock, we enforce it's ordering (by remembering - * the unlock level in the arch_domain sub struct). */ + * the unlock level in the arch_domain sub struct). + */ struct { struct page_list_head super, /* List of superpages */ single; /* Non-super lists */ @@ -476,13 +480,15 @@ static inline mfn_t __nonnull(3, 4) _get_gfn_type_access( return p2m_get_gfn_type_access(p2m, gfn, t, a, q, page_order, locked); } -/* Read a particular P2M table, mapping pages as we go. Most callers +/* + * Read a particular P2M table, mapping pages as we go. Most callers * should _not_ call this directly; use the other get_gfn* functions * below unless you know you want to walk a p2m that isn't a domain's * main one. - * If the lookup succeeds, the return value is != INVALID_MFN and + * If the lookup succeeds, the return value is != INVALID_MFN and * *page_order is filled in with the order of the superpage (if any) that - * the entry was found in. */ + * the entry was found in. + */ static inline mfn_t __nonnull(3, 4) get_gfn_type_access( struct p2m_domain *p2m, unsigned long gfn, p2m_type_t *t, p2m_access_t *a, p2m_query_t q, unsigned int *page_order) @@ -516,10 +522,11 @@ static inline void put_gfn(struct domain *d, unsigned long gfn) p2m_put_gfn(p2m_get_hostp2m(d), _gfn(gfn)); } -/* The intent of the "unlocked" accessor is to have the caller not worry about - * put_gfn. They apply to very specific situations: debug printk's, dumps - * during a domain crash, or to peek at a p2m entry/type. Caller is not - * holding the p2m entry exclusively during or after calling this. +/* + * The intent of the "unlocked" accessor is to have the caller not worry about + * put_gfn. They apply to very specific situations: debug printk's, dumps + * during a domain crash, or to peek at a p2m entry/type. Caller is not + * holding the p2m entry exclusively during or after calling this. * * This is also used in the shadow code whenever the paging lock is * held -- in those cases, the caller is protected against concurrent @@ -530,8 +537,8 @@ static inline void put_gfn(struct domain *d, unsigned long gfn) * Any other type of query can cause a change in the p2m and may need to * perform locking. */ -static inline mfn_t get_gfn_query_unlocked(struct domain *d, - unsigned long gfn, +static inline mfn_t get_gfn_query_unlocked(struct domain *d, + unsigned long gfn, p2m_type_t *t) { p2m_access_t a; @@ -539,11 +546,13 @@ static inline mfn_t get_gfn_query_unlocked(struct domain *d, NULL, 0); } -/* Atomically look up a GFN and take a reference count on the backing page. +/* + * Atomically look up a GFN and take a reference count on the backing page. * This makes sure the page doesn't get freed (or shared) underfoot, * and should be used by any path that intends to write to the backing page. * Returns NULL if the page is not backed by RAM. - * The caller is responsible for calling put_page() afterwards. */ + * The caller is responsible for calling put_page() afterwards. + */ struct page_info *p2m_get_page_from_gfn(struct p2m_domain *p2m, gfn_t gfn, p2m_type_t *t, p2m_access_t *a, p2m_query_t q); @@ -589,9 +598,7 @@ int altp2m_get_effective_entry(struct p2m_domain *ap2m, gfn_t gfn, mfn_t *mfn, /* Init the datastructures for later use by the p2m code */ int p2m_init(struct domain *d); -/* Allocate a new p2m table for a domain. - * - * Returns 0 for success or -errno. */ +/* Allocate a new p2m table for a domain. Returns 0 for success or -errno. */ int p2m_alloc_table(struct p2m_domain *p2m); /* Return all the p2m resources to Xen. */ @@ -630,11 +637,11 @@ static inline void p2m_flush_hardware_cached_dirty(struct domain *d) {} #endif /* Change types across all p2m entries in a domain */ -void p2m_change_entry_type_global(struct domain *d, +void p2m_change_entry_type_global(struct domain *d, p2m_type_t ot, p2m_type_t nt); /* Change types across a range of p2m entries (start ... end-1) */ -void p2m_change_type_range(struct domain *d, +void p2m_change_type_range(struct domain *d, unsigned long start, unsigned long end, p2m_type_t ot, p2m_type_t nt); @@ -672,7 +679,7 @@ int p2m_add_identity_entry(struct domain *d, unsigned long gfn_l, p2m_access_t p2ma, unsigned int flag); int p2m_remove_identity_entry(struct domain *d, unsigned long gfn_l); -/* +/* * Populate-on-demand */ @@ -756,7 +763,7 @@ void p2m_mem_paging_populate(struct domain *d, gfn_t gfn); struct vm_event_st; void p2m_mem_paging_resume(struct domain *d, struct vm_event_st *rsp); -/* +/* * Internal functions, only called by other p2m code */ @@ -807,12 +814,17 @@ extern void audit_p2m(struct domain *d, /* Extract the type from the PTE flags that store it */ static inline p2m_type_t p2m_flags_to_type(unsigned int flags) { - /* For AMD IOMMUs we need to use type 0 for plain RAM, but we need - * to make sure that an entirely empty PTE doesn't have RAM type */ - if ( flags == 0 ) + /* + * For AMD IOMMUs we need to use type 0 for plain RAM, but we need + * to make sure that an entirely empty PTE doesn't have RAM type. + */ + if ( flags == 0 ) return p2m_invalid; - /* AMD IOMMUs use bits 9-11 to encode next io page level and bits - * 59-62 for iommu flags so we can't use them to store p2m type info. */ + + /* + * AMD IOMMUs use bits 9-11 to encode next io page level and bits + * 59-62 for iommu flags so we can't use them to store p2m type info. + */ return (flags >> 12) & 0x7f; } @@ -841,7 +853,7 @@ static inline p2m_type_t p2m_recalc_type(bool recalc, p2m_type_t t, int p2m_pt_handle_deferred_changes(uint64_t gpa); /* - * Nested p2m: shadow p2m tables used for nested HVM virtualization + * Nested p2m: shadow p2m tables used for nested HVM virtualization */ /* Flushes specified p2m table */ diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c index ca24cd4a67..4c5a79eb53 100644 --- a/xen/arch/x86/mm/p2m.c +++ b/xen/arch/x86/mm/p2m.c @@ -252,7 +252,8 @@ void p2m_flush_hardware_cached_dirty(struct domain *d) */ void p2m_tlb_flush_sync(struct p2m_domain *p2m) { - if ( p2m->need_flush ) { + if ( p2m->need_flush ) + { p2m->need_flush = 0; p2m->tlb_flush(p2m); } @@ -263,7 +264,8 @@ void p2m_tlb_flush_sync(struct p2m_domain *p2m) */ void p2m_unlock_and_tlb_flush(struct p2m_domain *p2m) { - if ( p2m->need_flush ) { + if ( p2m->need_flush ) + { p2m->need_flush = 0; mm_write_unlock(&p2m->lock); p2m->tlb_flush(p2m); @@ -304,7 +306,7 @@ mfn_t p2m_get_gfn_type_access(struct p2m_domain *p2m, gfn_t gfn, mfn = p2m->get_entry(p2m, gfn, t, a, q, page_order, NULL); } - if (unlikely((p2m_is_broken(*t)))) + if ( unlikely(p2m_is_broken(*t)) ) { /* Return invalid_mfn to avoid caller's access */ mfn = INVALID_MFN; @@ -655,6 +657,7 @@ p2m_add_page(struct domain *d, gfn_t gfn, mfn_t mfn, mfn_x(omfn), ot, a, mfn_x(mfn) + i, t, p2m->default_access); domain_crash(d); + return -EPERM; } else if ( p2m_is_ram(ot) && !p2m_is_paged(ot) ) @@ -774,7 +777,7 @@ out: * Resets the access permissions. */ int p2m_change_type_one(struct domain *d, unsigned long gfn_l, - p2m_type_t ot, p2m_type_t nt) + p2m_type_t ot, p2m_type_t nt) { p2m_access_t a; p2m_type_t pt; @@ -907,6 +910,7 @@ void p2m_change_type_range(struct domain *d, unsigned int i; for ( i = 0; i < MAX_ALTP2M; i++ ) + { if ( d->arch.altp2m_eptp[i] != mfn_x(INVALID_MFN) ) { struct p2m_domain *altp2m = d->arch.altp2m_p2m[i]; @@ -915,6 +919,7 @@ void p2m_change_type_range(struct domain *d, change_type_range(altp2m, start, end, ot, nt); p2m_unlock(altp2m); } + } } hostp2m->defer_nested_flush = false; if ( nestedhvm_enabled(d) ) @@ -978,6 +983,7 @@ int p2m_finish_type_change(struct domain *d, unsigned int i; for ( i = 0; i < MAX_ALTP2M; i++ ) + { if ( d->arch.altp2m_eptp[i] != mfn_x(INVALID_MFN) ) { struct p2m_domain *altp2m = d->arch.altp2m_p2m[i]; @@ -989,6 +995,7 @@ int p2m_finish_type_change(struct domain *d, if ( rc < 0 ) goto out; } + } } out: @@ -1311,7 +1318,7 @@ static struct p2m_domain * p2m_getlru_nestedp2m(struct domain *d, struct p2m_domain *p2m) { struct list_head *lru_list = &p2m_get_hostp2m(d)->np2m_list; - + ASSERT(!list_empty(lru_list)); if ( p2m == NULL ) @@ -1458,13 +1465,12 @@ p2m_get_nestedp2m_locked(struct vcpu *v) /* Mask out low bits; this avoids collisions with P2M_BASE_EADDR */ np2m_base &= ~(0xfffULL); - if (nv->nv_flushp2m && nv->nv_p2m) { + if ( nv->nv_flushp2m && nv->nv_p2m ) nv->nv_p2m = NULL; - } nestedp2m_lock(d); p2m = nv->nv_p2m; - if ( p2m ) + if ( p2m ) { p2m_lock(p2m); if ( p2m->np2m_base == np2m_base ) @@ -1522,7 +1528,7 @@ struct p2m_domain *p2m_get_nestedp2m(struct vcpu *v) struct p2m_domain * p2m_get_p2m(struct vcpu *v) { - if (!nestedhvm_is_n2(v)) + if ( !nestedhvm_is_n2(v) ) return p2m_get_hostp2m(v->domain); return p2m_get_nestedp2m(v); @@ -2203,8 +2209,8 @@ int p2m_altp2m_propagate_change(struct domain *d, gfn_t gfn, #if P2M_AUDIT void audit_p2m(struct domain *d, uint64_t *orphans, - uint64_t *m2p_bad, - uint64_t *p2m_bad) + uint64_t *m2p_bad, + uint64_t *p2m_bad) { struct page_info *page; struct domain *od; @@ -2223,7 +2229,7 @@ void audit_p2m(struct domain *d, p2m_lock(p2m); pod_lock(p2m); - if (p2m->audit_p2m) + if ( p2m->audit_p2m ) pmbad = p2m->audit_p2m(p2m); /* Audit part two: walk the domain's page allocation list, checking @@ -2249,14 +2255,14 @@ void audit_p2m(struct domain *d, { orphans_count++; P2M_PRINTK("orphaned guest page: mfn=%#lx has invalid gfn\n", - mfn); + mfn); continue; } if ( SHARED_M2P(gfn) ) { P2M_PRINTK("shared mfn (%lx) on domain page list!\n", - mfn); + mfn); continue; } @@ -2278,13 +2284,13 @@ void audit_p2m(struct domain *d, p2m_put_gfn(p2m, _gfn(gfn)); P2M_PRINTK("OK: mfn=%#lx, gfn=%#lx, p2mfn=%#lx\n", - mfn, gfn, mfn_x(p2mfn)); + mfn, gfn, mfn_x(p2mfn)); } spin_unlock(&d->page_alloc_lock); pod_unlock(p2m); p2m_unlock(p2m); - + P2M_PRINTK("p2m audit complete\n"); if ( orphans_count | mpbad | pmbad ) P2M_PRINTK("p2m audit found %lu orphans\n", orphans_count); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 22 09:56:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 22 Mar 2024 09:56:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696750.1087925 (Exim 4.92) (envelope-from ) id 1rnbdF-0004Ho-UG; Fri, 22 Mar 2024 09:56:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696750.1087925; Fri, 22 Mar 2024 09:56:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbdF-0004Hg-RU; Fri, 22 Mar 2024 09:56:13 +0000 Received: by outflank-mailman (input) for mailman id 696750; Fri, 22 Mar 2024 09:56:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbdE-0004HS-Fa for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:56:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbdE-0007y7-Eo for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:56:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnbdE-00035T-Dy for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:56:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5+gwJvSPnkAzapM20/U1kq6uhPQSVW5r7mtsTxtZpJs=; b=lTJbFrzlw9D6bqp/zOcNEV0xKG Fft78RcusldVY0um6eEdKkEII5cbBaamMckplpOvVUM5r0if4XrFxQ1x3hSI0VV29W8HswCGDRWkA jchRec3Wroum10UfWcV2bB4cLeYcaSihB5rDzFxmKPMuc8cnYChTWQtX3JfoxHEqIaQY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/cpuid: More AMD features Message-Id: Date: Fri, 22 Mar 2024 09:56:12 +0000 commit ee973396f008ff0de2836b7ca100ce822740fa41 Author: Andrew Cooper AuthorDate: Mon Mar 18 18:07:05 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 21 11:38:03 2024 +0000 x86/cpuid: More AMD features All of these are informational and require no further logic changes in Xen to support. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- tools/misc/xen-cpuid.c | 5 +++++ xen/include/public/arch-x86/cpufeatureset.h | 8 ++++++++ xen/tools/gen-cpuid.py | 4 ++++ 3 files changed, 17 insertions(+) diff --git a/tools/misc/xen-cpuid.c b/tools/misc/xen-cpuid.c index 51efbff579..8893547beb 100644 --- a/tools/misc/xen-cpuid.c +++ b/tools/misc/xen-cpuid.c @@ -91,6 +91,7 @@ static const char *const str_e1c[32] = [24] = "perfctr-nb", /* [25] */ [26] = "dbx", [27] = "perftsc", [28] = "pcx-l2i", [29] = "monitorx", + [30] = "addr-msk-ext", }; static const char *const str_7b0[32] = @@ -199,11 +200,15 @@ static const char *const str_7a1[32] = static const char *const str_e21a[32] = { + [ 0] = "no-nest-bp", [ 1] = "fs-gs-ns", [ 2] = "lfence+", [ 6] = "nscb", [ 8] = "auto-ibrs", + [10] = "amd-fsrs", [11] = "amd-fsrc", /* 16 */ [17] = "cpuid-user-dis", + [18] = "epsf", [19] = "fsrsc", + [20] = "amd-prefetchi", /* 26 */ [27] = "sbpb", [28] = "ibpb-brtype", [29] = "srso-no", diff --git a/xen/include/public/arch-x86/cpufeatureset.h b/xen/include/public/arch-x86/cpufeatureset.h index eb9f552948..3de7c0383f 100644 --- a/xen/include/public/arch-x86/cpufeatureset.h +++ b/xen/include/public/arch-x86/cpufeatureset.h @@ -168,6 +168,7 @@ XEN_CPUFEATURE(TBM, 3*32+21) /*A trailing bit manipulations */ XEN_CPUFEATURE(TOPOEXT, 3*32+22) /* topology extensions CPUID leafs */ XEN_CPUFEATURE(DBEXT, 3*32+26) /*A data breakpoint extension */ XEN_CPUFEATURE(MONITORX, 3*32+29) /* MONITOR extension (MONITORX/MWAITX) */ +XEN_CPUFEATURE(ADDR_MSK_EXT, 3*32+30) /*A Address Mask Extentions */ /* Intel-defined CPU features, CPUID level 0x0000000D:1.eax, word 4 */ XEN_CPUFEATURE(XSAVEOPT, 4*32+ 0) /*A XSAVEOPT instruction */ @@ -290,10 +291,17 @@ XEN_CPUFEATURE(WRMSRNS, 10*32+19) /*S WRMSR Non-Serialising */ XEN_CPUFEATURE(AVX_IFMA, 10*32+23) /*A AVX-IFMA Instructions */ /* AMD-defined CPU features, CPUID level 0x80000021.eax, word 11 */ +XEN_CPUFEATURE(NO_NEST_BP, 11*32+ 0) /*A No Nested Data Breakpoints */ +XEN_CPUFEATURE(FS_GS_NS, 11*32+ 1) /*S FS/GS base MSRs non-serialising */ XEN_CPUFEATURE(LFENCE_DISPATCH, 11*32+ 2) /*A LFENCE always serializing */ XEN_CPUFEATURE(NSCB, 11*32+ 6) /*A Null Selector Clears Base (and limit too) */ XEN_CPUFEATURE(AUTO_IBRS, 11*32+ 8) /*S Automatic IBRS */ +XEN_CPUFEATURE(AMD_FSRS, 11*32+10) /*A Fast Short REP STOSB */ +XEN_CPUFEATURE(AMD_FSRC, 11*32+11) /*A Fast Short REP CMPSB */ XEN_CPUFEATURE(CPUID_USER_DIS, 11*32+17) /* CPUID disable for CPL > 0 software */ +XEN_CPUFEATURE(EPSF, 11*32+18) /*A Enhanced Predictive Store Forwarding */ +XEN_CPUFEATURE(FSRSC, 11*32+19) /*A Fast Short REP SCASB */ +XEN_CPUFEATURE(AMD_PREFETCHI, 11*32+20) /*A PREFETCHIT{0,1} Instructions */ XEN_CPUFEATURE(SBPB, 11*32+27) /*A Selective Branch Predictor Barrier */ XEN_CPUFEATURE(IBPB_BRTYPE, 11*32+28) /*A IBPB flushes Branch Type predictions too */ XEN_CPUFEATURE(SRSO_NO, 11*32+29) /*A Hardware not vulenrable to Speculative Return Stack Overflow */ diff --git a/xen/tools/gen-cpuid.py b/xen/tools/gen-cpuid.py index 25d329ce48..bf3f9ec01e 100755 --- a/xen/tools/gen-cpuid.py +++ b/xen/tools/gen-cpuid.py @@ -329,6 +329,10 @@ def crunch_numbers(state): # In principle the TSXLDTRK insns could also be considered independent. RTM: [TSXLDTRK], + # Enhanced Predictive Store-Forwarding is a informational note on top + # of PSF. + PSFD: [EPSF], + # The ARCH_CAPS CPUID bit enumerates the availability of the whole register. ARCH_CAPS: list(range(RDCL_NO, RDCL_NO + 64)), -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 22 09:56:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 22 Mar 2024 09:56:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.696752.1087928 (Exim 4.92) (envelope-from ) id 1rnbdP-0004L0-Vz; Fri, 22 Mar 2024 09:56:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 696752.1087928; Fri, 22 Mar 2024 09:56:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbdP-0004Kp-T1; Fri, 22 Mar 2024 09:56:23 +0000 Received: by outflank-mailman (input) for mailman id 696752; Fri, 22 Mar 2024 09:56:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbdO-0004Kd-IP for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:56:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rnbdO-0007yI-Hg for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:56:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rnbdO-000361-Gs for xen-changelog@lists.xenproject.org; Fri, 22 Mar 2024 09:56:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=AAL/JgSpbkDcVsvjrN6GSgJmb4PlNcCYGXrUT+1hKD4=; b=HwCo/4ZW2KGe9z0Df5/fOI3X39 R05SpQkjEpmE9K2A+SjooEQwfzxuzhOuIF5vEz+MF4sBHXxw5+qDwofOUtWg4DKE0oZMY8tlF8QNs 5vZ2lb+qvOU21XbMfeiQoNDmjOs2eCgXBLQlaNOyq+Mqy2/t6ooMIrWsQB0iK6g3SX5Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Revert "xen/page_alloc: introduce preserved page flags macro" Message-Id: Date: Fri, 22 Mar 2024 09:56:22 +0000 commit cbe393b709e0c6c3e2b10c3ac69fbea0abd530fe Author: Julien Grall AuthorDate: Thu Mar 21 16:02:25 2024 +0000 Commit: Julien Grall CommitDate: Thu Mar 21 16:02:25 2024 +0000 Revert "xen/page_alloc: introduce preserved page flags macro" Osstest is reporting a crash: Mar 21 12:00:29.533676 (XEN) pg[0] MFN 2211c5 c=0x2c00000000000000 o=0 v=0xe40000010007ffff t=0x24 Mar 21 12:00:42.829785 (XEN) Xen BUG at common/page_alloc.c:1033 Mar 21 12:00:42.829829 (XEN) ----[ Xen-4.19-unstable x86_64 debug=y Not tainted ]---- Mar 21 12:00:42.829857 (XEN) CPU: 12 Mar 21 12:00:42.841571 (XEN) RIP: e008:[] common/page_alloc.c#alloc_heap_pages+0x37f/0x6e2 Mar 21 12:00:42.841609 (XEN) RFLAGS: 0000000000010282 CONTEXT: hypervisor (d0v8) Mar 21 12:00:42.853654 (XEN) rax: ffff83023e3ed06c rbx: 000000000007ffff rcx: 0000000000000028 Mar 21 12:00:42.853689 (XEN) rdx: ffff83047bec7fff rsi: ffff83023e3ea3e8 rdi: ffff83023e3ea3e0 Mar 21 12:00:42.865657 (XEN) rbp: ffff83047bec7c10 rsp: ffff83047bec7b98 r8: 0000000000000000 Mar 21 12:00:42.877647 (XEN) r9: 0000000000000001 r10: 000000000000000c r11: 0000000000000010 Mar 21 12:00:42.877682 (XEN) r12: 0000000000000001 r13: 0000000000000000 r14: ffff82e0044238a0 Mar 21 12:00:42.889652 (XEN) r15: 0000000000000000 cr0: 0000000080050033 cr4: 0000000000372660 Mar 21 12:00:42.901651 (XEN) cr3: 000000046fe34000 cr2: 00007fb72757610b Mar 21 12:00:42.901685 (XEN) fsb: 00007fb726def380 gsb: ffff88801f200000 gss: 0000000000000000 Mar 21 12:00:42.913646 (XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e010 cs: e008 Mar 21 12:00:42.913680 (XEN) Xen code around (common/page_alloc.c#alloc_heap_pages+0x37f/0x6e2): Mar 21 12:00:42.925645 (XEN) d1 1c 00 e8 ad dd 02 00 <0f> 0b 48 85 c9 79 36 0f 0b 41 89 cd 48 c7 47 f0 Mar 21 12:00:42.937649 (XEN) Xen stack trace from rsp=ffff83047bec7b98: Mar 21 12:00:42.937683 (XEN) 0000000000000024 000000007bec7c20 0000000000000001 ffff83046ccda000 Mar 21 12:00:42.949653 (XEN) ffff82e000000021 0000000000000016 0000000000000000 0000000000000000 Mar 21 12:00:42.949687 (XEN) 0000000000000000 0000000000000000 0000000000000028 0000000000000021 Mar 21 12:00:42.961652 (XEN) ffff83046ccda000 0000000000000000 00007d2000000000 ffff83047bec7c48 Mar 21 12:00:42.961687 (XEN) ffff82d0402302ff ffff83046ccda000 0000000000000100 0000000000000000 Mar 21 12:00:42.973655 (XEN) ffff82d0405f0080 00007d2000000000 ffff83047bec7c80 ffff82d0402f626c Mar 21 12:00:42.985656 (XEN) ffff83046ccda000 ffff83046ccda640 0000000000000000 0000000000000000 Mar 21 12:00:42.985690 (XEN) ffff83046ccda220 ffff83047bec7cb0 ffff82d0402f65a0 ffff83046ccda000 Mar 21 12:00:42.997662 (XEN) 0000000000000000 0000000000000000 0000000000000000 ffff83047bec7cc0 Mar 21 12:00:43.009660 (XEN) ffff82d040311f8a ffff83047bec7ce0 ffff82d0402bd543 ffff83046ccda000 Mar 21 12:00:43.009695 (XEN) ffff83047bec7dc8 ffff83047bec7d08 ffff82d04032c524 ffff83046ccda000 Mar 21 12:00:43.021653 (XEN) ffff83047bec7dc8 0000000000000002 ffff83047bec7d58 ffff82d040206750 Mar 21 12:00:43.033642 (XEN) 0000000000000000 ffff82d040233fe5 ffff83047bec7d48 0000000000000000 Mar 21 12:00:43.033678 (XEN) 0000000000000002 00007fb72767f010 ffff82d0405e9120 0000000000000001 Mar 21 12:00:43.045654 (XEN) ffff83047bec7e70 ffff82d040240728 0000000000000007 ffff83023e3b3000 Mar 21 12:00:43.045690 (XEN) 0000000000000246 ffff83023e2efa90 ffff83023e38e000 ffff83023e2efb40 Mar 21 12:00:43.057609 (XEN) 0000000000000007 ffff83023e3afb80 0000000000000206 ffff83047bec7dc0 Mar 21 12:00:43.069662 (XEN) 0000001600000001 000000000000ffff e75aaa8d0000000c ac0d6d864e487f62 Mar 21 12:00:43.069697 (XEN) 000000037fa48d76 0000000200000000 ffffffff000003ff 00000002ffffffff Mar 21 12:00:43.081647 (XEN) 0000000000000000 00000000000001ff 0000000000000000 0000000000000000 Mar 21 12:00:43.093646 (XEN) Xen call trace: Mar 21 12:00:43.093677 (XEN) [] R common/page_alloc.c#alloc_heap_pages+0x37f/0x6e2 Mar 21 12:00:43.093705 (XEN) [] F alloc_domheap_pages+0x17d/0x1e4 Mar 21 12:00:43.105652 (XEN) [] F hap_set_allocation+0x73/0x23c Mar 21 12:00:43.105685 (XEN) [] F hap_enable+0x138/0x33c Mar 21 12:00:43.117646 (XEN) [] F paging_enable+0x2d/0x45 Mar 21 12:00:43.117679 (XEN) [] F hvm_domain_initialise+0x185/0x428 Mar 21 12:00:43.129652 (XEN) [] F arch_domain_create+0x3e7/0x4c1 Mar 21 12:00:43.129687 (XEN) [] F domain_create+0x4cc/0x7e2 Mar 21 12:00:43.141665 (XEN) [] F do_domctl+0x1850/0x192d Mar 21 12:00:43.141699 (XEN) [] F pv_hypercall+0x617/0x6b5 Mar 21 12:00:43.153656 (XEN) [] F lstar_enter+0x13a/0x140 Mar 21 12:00:43.153689 (XEN) Mar 21 12:00:43.153711 (XEN) Mar 21 12:00:43.153731 (XEN) **************************************** Mar 21 12:00:43.165647 (XEN) Panic on CPU 12: Mar 21 12:00:43.165678 (XEN) Xen BUG at common/page_alloc.c:1033 Mar 21 12:00:43.165703 (XEN) **************************************** Mar 21 12:00:43.177633 (XEN) Mar 21 12:00:43.177662 (XEN) Manual reset required ('noreboot' specified) This reverts commit 75214d5e53f60a7b19e90ebdb090c20044a052ca. Signed-off-by: Julien Grall --- xen/common/page_alloc.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index a1c57fe1d9..28c510d666 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -157,7 +157,6 @@ #define PGC_static 0 #endif -#define PGC_preserved (PGC_extra | PGC_static) #define PGC_no_buddy_merge PGC_static #ifndef PGT_TYPE_INFO_INITIALIZER @@ -1426,11 +1425,11 @@ static bool mark_page_free(struct page_info *pg, mfn_t mfn) { case PGC_state_inuse: BUG_ON(pg->count_info & PGC_broken); - pg->count_info = PGC_state_free | (pg->count_info & PGC_preserved); + pg->count_info = PGC_state_free; break; case PGC_state_offlining: - pg->count_info = (pg->count_info & (PGC_broken | PGC_preserved)) | + pg->count_info = (pg->count_info & PGC_broken) | PGC_state_offlined; pg_offlined = true; break; @@ -2365,7 +2364,7 @@ int assign_pages( for ( i = 0; i < nr; i++ ) { - ASSERT(!(pg[i].count_info & ~PGC_preserved)); + ASSERT(!(pg[i].count_info & ~(PGC_extra | PGC_static))); if ( pg[i].count_info & PGC_extra ) extra_pages++; } @@ -2425,7 +2424,7 @@ int assign_pages( page_set_owner(&pg[i], d); smp_wmb(); /* Domain pointer must be visible before updating refcnt. */ pg[i].count_info = - (pg[i].count_info & PGC_preserved) | PGC_allocated | 1; + (pg[i].count_info & (PGC_extra | PGC_static)) | PGC_allocated | 1; page_list_add_tail(&pg[i], page_to_list(d, &pg[i])); } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 09:55:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 09:55:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697670.1088669 (Exim 4.92) (envelope-from ) id 1roh2m-0000HN-Ud; Mon, 25 Mar 2024 09:55:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697670.1088669; Mon, 25 Mar 2024 09:55:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh2m-0000HG-SD; Mon, 25 Mar 2024 09:55:04 +0000 Received: by outflank-mailman (input) for mailman id 697670; Mon, 25 Mar 2024 09:55:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh2l-0000HA-Tq for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh2l-00079z-MF for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roh2l-0002lt-JK for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=piEOmm/DxzwJULbs/bbD+n8HbOgkAGJBECwDc3quRww=; b=jsGgOIKyJGeZ3JOT9ltq+btusN GitBDA6NvwawapiRWo+GwVXtsfxFkc1+gz5yNNlExYOFhoTepsNm0cvuqdZiW/5j8mV9H+6NguTj+ 8y6wpnKfBHxJzKxVpIdyND7wbhXHK+M0gP+VAO4KJMGqO2aMTvlhBCK+ycqhVuJzNL+w=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] EFI: Introduce inline stub for efi_enabled on !X86 && !ARM Message-Id: Date: Mon, 25 Mar 2024 09:55:03 +0000 commit 5095b610df73a668d72a13eb0d0d4230862fa9b3 Author: Shawn Anastasio AuthorDate: Mon Mar 25 10:47:15 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:47:15 2024 +0100 EFI: Introduce inline stub for efi_enabled on !X86 && !ARM On architectures with no EFI support, define an inline stub implementation of efi_enabled in efi.h that always returns false. Suggested-by: Jan Beulich Signed-off-by: Shawn Anastasio Acked-by: Julien Grall --- xen/include/xen/efi.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 942d2e9491..160804e294 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -31,7 +31,15 @@ union compat_pf_efi_info; struct xenpf_efi_runtime_call; struct compat_pf_efi_runtime_call; +#if defined(CONFIG_X86) || defined(CONFIG_ARM) bool efi_enabled(unsigned int feature); +#else +static inline bool efi_enabled(unsigned int feature) +{ + return false; +} +#endif + void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); bool efi_rs_using_pgtables(void); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 09:55:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 09:55:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697671.1088673 (Exim 4.92) (envelope-from ) id 1roh2w-0000Je-W7; Mon, 25 Mar 2024 09:55:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697671.1088673; Mon, 25 Mar 2024 09:55:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh2w-0000JX-Tf; Mon, 25 Mar 2024 09:55:14 +0000 Received: by outflank-mailman (input) for mailman id 697671; Mon, 25 Mar 2024 09:55:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh2v-0000JO-U5 for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh2v-0007A7-RW for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roh2v-0002mM-OK for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=hEK8QewpTEkPOYHNCN2GmQa51IayOnJNvJnVsbTO6fI=; b=GiUejgoQE4Vh17A7u5SdcsErqT sAQGL3U2oaG80T57uraxKi8uiW+KNTrBGn1Iwb2eCC3pK2DNxWYMKHll2xY18fib+Me0mBGn0YlcJ j3cKXIn6rUAikMpJbmlKZe6pGXoXJyVqpmdtbm0kkSy/bYuYN4JBvua5yucg9Bk5Gitc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/riscv: add minimal stuff to processor.h to build full Xen Message-Id: Date: Mon, 25 Mar 2024 09:55:13 +0000 commit d654612e985297fe745f3260295ffd34f5b01b2d Author: Oleksii Kurochko AuthorDate: Mon Mar 25 10:47:49 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:47:49 2024 +0100 xen/riscv: add minimal stuff to processor.h to build full Xen The cpu_relax() function, introduced in this commit, is anticipated to support _zihintpause by the CPU. Signed-off-by: Oleksii Kurochko Acked-by: Jan Beulich --- xen/arch/riscv/include/asm/processor.h | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/xen/arch/riscv/include/asm/processor.h b/xen/arch/riscv/include/asm/processor.h index 6db681d805..6846151717 100644 --- a/xen/arch/riscv/include/asm/processor.h +++ b/xen/arch/riscv/include/asm/processor.h @@ -12,6 +12,9 @@ #ifndef __ASSEMBLY__ +/* TODO: need to be implemeted */ +#define smp_processor_id() 0 + /* On stack VCPU state */ struct cpu_user_regs { @@ -53,6 +56,23 @@ struct cpu_user_regs unsigned long pregs; }; +/* TODO: need to implement */ +#define cpu_to_core(cpu) 0 +#define cpu_to_socket(cpu) 0 + +static inline void cpu_relax(void) +{ +#ifdef __riscv_zihintpause + /* Reduce instruction retirement. */ + __asm__ __volatile__ ( "pause" ); +#else + /* Encoding of the pause instruction */ + __asm__ __volatile__ ( ".insn 0x0100000F" ); +#endif + + barrier(); +} + static inline void wfi(void) { __asm__ __volatile__ ("wfi"); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 09:55:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 09:55:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697672.1088679 (Exim 4.92) (envelope-from ) id 1roh37-0000MY-1z; Mon, 25 Mar 2024 09:55:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697672.1088679; Mon, 25 Mar 2024 09:55:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh36-0000MQ-V8; Mon, 25 Mar 2024 09:55:24 +0000 Received: by outflank-mailman (input) for mailman id 697672; Mon, 25 Mar 2024 09:55:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh35-0000ME-VS for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh35-0007AG-Uh for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roh35-0002mt-Ti for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=G9COYD5/yI58+QwQbkOc17a+XHiReSCkMk47Yfm/hkQ=; b=Fa9wGV2eub9dy4o0y7L60C40xW Eky8wh1K/6r1tzLp/VRZPd9/KNfwWrH5o3UEqLQo9NCVDQs1fACpgMxAqEtUvTBQR6XaguUufWm29 BQyrAWiHWPqTjAnMsCsgq9ltSY+giOJnSXKPqn7IBUbQEYOWWr4Vseiev7/j/WH3XUH0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/vcpu: relax VCPUOP_initialise restriction for non-PV vCPUs Message-Id: Date: Mon, 25 Mar 2024 09:55:23 +0000 commit 03e484a4f6fbf833f5b6fba3b8cebf43ca433f3a Author: Roger Pau Monné AuthorDate: Mon Mar 25 10:48:23 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:48:23 2024 +0100 x86/vcpu: relax VCPUOP_initialise restriction for non-PV vCPUs There's no reason to force HVM guests to have a valid vcpu_info area when initializing a vCPU, as the vCPU can also be brought online using the local APIC, and on that path there's no requirement for vcpu_info to be setup ahead of the bring up. Note an HVM vCPU can operate normally without making use of vcpu_info, and in fact does so when brought up via the local APIC. Restrict the check against dummy_vcpu_info to only apply to PV guests. Fixes: 192df6f9122d ('x86: allow HVM guests to use hypercalls to bring up vCPUs') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper --- xen/common/compat/domain.c | 2 +- xen/common/domain.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/common/compat/domain.c b/xen/common/compat/domain.c index 7ff238cc26..6b4afc8232 100644 --- a/xen/common/compat/domain.c +++ b/xen/common/compat/domain.c @@ -49,7 +49,7 @@ int compat_common_vcpu_op(int cmd, struct vcpu *v, { case VCPUOP_initialise: { - if ( v->vcpu_info_area.map == &dummy_vcpu_info ) + if ( is_pv_domain(d) && v->vcpu_info_area.map == &dummy_vcpu_info ) return -EINVAL; #ifdef CONFIG_HVM diff --git a/xen/common/domain.c b/xen/common/domain.c index 9b42eee44a..ceb44c8266 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -1827,7 +1827,7 @@ long common_vcpu_op(int cmd, struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg) switch ( cmd ) { case VCPUOP_initialise: - if ( v->vcpu_info_area.map == &dummy_vcpu_info ) + if ( is_pv_domain(d) && v->vcpu_info_area.map == &dummy_vcpu_info ) return -EINVAL; rc = arch_initialise_vcpu(v, arg); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 09:55:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 09:55:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697673.1088682 (Exim 4.92) (envelope-from ) id 1roh3H-0000Pa-3G; Mon, 25 Mar 2024 09:55:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697673.1088682; Mon, 25 Mar 2024 09:55:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh3H-0000PR-0L; Mon, 25 Mar 2024 09:55:35 +0000 Received: by outflank-mailman (input) for mailman id 697673; Mon, 25 Mar 2024 09:55:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh3G-0000PG-2E for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh3G-0007AT-1R for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roh3G-0002nL-0S for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=dtAEd2sFQLytheRoSqI0/TcQWyMJo+GOAKuuIjmb8LE=; b=BFRuBxihhXoTsLtOYeYDbi2b3u 8/o4910sTx2Yr5Ywxeo981ZpV/FkvFLFn4WH/BylFTROCsRlrpvIi8HIEA/OaVcW2ZcsagbKgYTii lLsNQ0hgLOyjE6RlXwHHGCu7CAo4wxE5KrpqsuluWZtkd6gedelYhh7DObDT8ZLpLXHw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/console: add comment about external console lock helper Message-Id: Date: Mon, 25 Mar 2024 09:55:34 +0000 commit 4b60085b6e3f8c3afea88685198bb310c332e90e Author: Roger Pau Monné AuthorDate: Mon Mar 25 10:49:07 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:49:07 2024 +0100 xen/console: add comment about external console lock helper The current console_lock_recursive_irqsave() implementation is not speculation safe, however it's only used to prevent interleaved output. Note this in the function declaration in order for callers to be aware of the limitation. No functional change. Signed-off-by: Roger Pau Monné Acked-by: Jan Beulich --- xen/include/xen/console.h | 1 + 1 file changed, 1 insertion(+) diff --git a/xen/include/xen/console.h b/xen/include/xen/console.h index 68759862e8..6dfbade3ec 100644 --- a/xen/include/xen/console.h +++ b/xen/include/xen/console.h @@ -20,6 +20,7 @@ void console_init_postirq(void); void console_endboot(void); int console_has(const char *device); +/* Not speculation safe - only used to prevent interleaving of output. */ unsigned long console_lock_recursive_irqsave(void); void console_unlock_recursive_irqrestore(unsigned long flags); void console_force_unlock(void); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 09:55:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 09:55:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697674.1088686 (Exim 4.92) (envelope-from ) id 1roh3R-0000SK-4N; Mon, 25 Mar 2024 09:55:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697674.1088686; Mon, 25 Mar 2024 09:55:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh3R-0000SC-1j; Mon, 25 Mar 2024 09:55:45 +0000 Received: by outflank-mailman (input) for mailman id 697674; Mon, 25 Mar 2024 09:55:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh3Q-0000S0-59 for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roh3Q-0007Av-4R for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roh3Q-0002nk-3c for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 09:55:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=9gxpbqRqPctiFpEsV7R4v2VnL90PleNAveQWZTCUC30=; b=hhedTXP4hnutFfg2AVPFiNPMkx vJxypXvqrQA2DgMFnM92Qid2W0dcW0OOUBm5wYhCfZEACIxT4pJxii6UnFBM62WjlCL+B9h9ufrH0 E6OZ+FcunOPVAfvV/7rCO9GPln4bBpyiM/uGr6oh58VwUY+uivQO9OMb/C2Z8X7e5JO8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/xsm: add parentheses to comply with MISRA C Rule 20.7 Message-Id: Date: Mon, 25 Mar 2024 09:55:44 +0000 commit 6f6de10ade5ade907f9e3f3c72b7b18f7852d9ff Author: Nicola Vetrini AuthorDate: Mon Mar 25 10:49:19 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:49:19 2024 +0100 xen/xsm: add parentheses to comply with MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini Acked-by: Daniel P. Smith --- xen/include/xsm/dummy.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8671af1ba4..88039fdd22 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -58,7 +58,7 @@ void __xsm_action_mismatch_detected(void); #define XSM_DEFAULT_ARG /* */ #define XSM_DEFAULT_VOID void -#define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action +#define XSM_ASSERT_ACTION(def) xsm_default_t action = (def); (void)action #else /* CONFIG_XSM */ @@ -71,7 +71,7 @@ void __xsm_action_mismatch_detected(void); #define XSM_INLINE always_inline #define XSM_DEFAULT_ARG xsm_default_t action, #define XSM_DEFAULT_VOID xsm_default_t action -#define XSM_ASSERT_ACTION(def) LINKER_BUG_ON(def != action) +#define XSM_ASSERT_ACTION(def) LINKER_BUG_ON((def) != action) #endif /* CONFIG_XSM */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 19:33:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 19:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697863.1089058 (Exim 4.92) (envelope-from ) id 1roq4H-0006yA-1Z; Mon, 25 Mar 2024 19:33:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697863.1089058; Mon, 25 Mar 2024 19:33:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4G-0006y2-Uy; Mon, 25 Mar 2024 19:33:12 +0000 Received: by outflank-mailman (input) for mailman id 697863; Mon, 25 Mar 2024 19:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4G-0006xg-BK for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4G-0001C7-AX for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roq4G-0004ye-9j for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=Ovl+IyPi3iQG8N9KMhIY7ObMXxGQZdLAZQ5q12sBJIY=; b=PmKydQv6u+pGTJLndW/ddoAnmQ rol2GYBpg+bNuH07XdDjBB+ixSabUjszlXtA+utzV5hfkdPH662F5GiGbNQsjkJ7BFaVnr15s52Ps 1znduiqW4C9StTNzPm+Xm1yLW4r8FtUuvugIivcTmwYtWB5F5wr97RFvUdXyWYCRwe7Y=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/riscv: add minimal stuff to processor.h to build full Xen Message-Id: Date: Mon, 25 Mar 2024 19:33:12 +0000 commit d654612e985297fe745f3260295ffd34f5b01b2d Author: Oleksii Kurochko AuthorDate: Mon Mar 25 10:47:49 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:47:49 2024 +0100 xen/riscv: add minimal stuff to processor.h to build full Xen The cpu_relax() function, introduced in this commit, is anticipated to support _zihintpause by the CPU. Signed-off-by: Oleksii Kurochko Acked-by: Jan Beulich --- xen/arch/riscv/include/asm/processor.h | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/xen/arch/riscv/include/asm/processor.h b/xen/arch/riscv/include/asm/processor.h index 6db681d805..6846151717 100644 --- a/xen/arch/riscv/include/asm/processor.h +++ b/xen/arch/riscv/include/asm/processor.h @@ -12,6 +12,9 @@ #ifndef __ASSEMBLY__ +/* TODO: need to be implemeted */ +#define smp_processor_id() 0 + /* On stack VCPU state */ struct cpu_user_regs { @@ -53,6 +56,23 @@ struct cpu_user_regs unsigned long pregs; }; +/* TODO: need to implement */ +#define cpu_to_core(cpu) 0 +#define cpu_to_socket(cpu) 0 + +static inline void cpu_relax(void) +{ +#ifdef __riscv_zihintpause + /* Reduce instruction retirement. */ + __asm__ __volatile__ ( "pause" ); +#else + /* Encoding of the pause instruction */ + __asm__ __volatile__ ( ".insn 0x0100000F" ); +#endif + + barrier(); +} + static inline void wfi(void) { __asm__ __volatile__ ("wfi"); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 19:33:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 19:33:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697862.1089054 (Exim 4.92) (envelope-from ) id 1roq46-0006v3-W5; Mon, 25 Mar 2024 19:33:02 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697862.1089054; Mon, 25 Mar 2024 19:33:02 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq46-0006uw-TO; Mon, 25 Mar 2024 19:33:02 +0000 Received: by outflank-mailman (input) for mailman id 697862; Mon, 25 Mar 2024 19:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq46-0006uq-K8 for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq46-0001C3-7e for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roq46-0004xn-6K for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=pUyoimeiT9/oXdZDA06F0AzvkrEslJHrJrEleMle2rQ=; b=lPxbzAKbA+B+MnGeoP4Fkn3CXa QdZp3Ioj123NGND3YCF2ZPI+iQgfq0aynwp3zCSSnlIdqJheoFFHAiDv/wABuXQLY4tvy5Oq3lrTR E2H6JOMuU2XmAsprGuNsvW2GKS1cXXs0Q2ks6WIwHteKa70Y6zEqB0LzT33r+QyuS6Bk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] EFI: Introduce inline stub for efi_enabled on !X86 && !ARM Message-Id: Date: Mon, 25 Mar 2024 19:33:02 +0000 commit 5095b610df73a668d72a13eb0d0d4230862fa9b3 Author: Shawn Anastasio AuthorDate: Mon Mar 25 10:47:15 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:47:15 2024 +0100 EFI: Introduce inline stub for efi_enabled on !X86 && !ARM On architectures with no EFI support, define an inline stub implementation of efi_enabled in efi.h that always returns false. Suggested-by: Jan Beulich Signed-off-by: Shawn Anastasio Acked-by: Julien Grall --- xen/include/xen/efi.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/xen/include/xen/efi.h b/xen/include/xen/efi.h index 942d2e9491..160804e294 100644 --- a/xen/include/xen/efi.h +++ b/xen/include/xen/efi.h @@ -31,7 +31,15 @@ union compat_pf_efi_info; struct xenpf_efi_runtime_call; struct compat_pf_efi_runtime_call; +#if defined(CONFIG_X86) || defined(CONFIG_ARM) bool efi_enabled(unsigned int feature); +#else +static inline bool efi_enabled(unsigned int feature) +{ + return false; +} +#endif + void efi_init_memory(void); bool efi_boot_mem_unused(unsigned long *start, unsigned long *end); bool efi_rs_using_pgtables(void); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 19:33:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 19:33:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697864.1089062 (Exim 4.92) (envelope-from ) id 1roq4R-00070u-3J; Mon, 25 Mar 2024 19:33:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697864.1089062; Mon, 25 Mar 2024 19:33:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4R-00070m-0L; Mon, 25 Mar 2024 19:33:23 +0000 Received: by outflank-mailman (input) for mailman id 697864; Mon, 25 Mar 2024 19:33:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4Q-00070e-Fv for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4Q-0001CM-EN for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roq4Q-0004zX-Cb for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=aCfDI/8MKIu6aRsYB9h0Oceg+l9ym3yxxA1EzlG2K1A=; b=AuBagwmRSXOs9cPS/b/47aO4i5 bq14I2h/FSXWfYCN7d4zRtYRR8dnDNkk+M1gkCDezBrCi4ewGyx5xXaQ1HI4LMASS45nkaZcUKi6n wYbU0RLbwLzjmCPKjRpXR66XVE+ziFbEbaMNHR7MVqOOrhj5iC3z3TSdP/zqKY5JccM4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/vcpu: relax VCPUOP_initialise restriction for non-PV vCPUs Message-Id: Date: Mon, 25 Mar 2024 19:33:22 +0000 commit 03e484a4f6fbf833f5b6fba3b8cebf43ca433f3a Author: Roger Pau Monné AuthorDate: Mon Mar 25 10:48:23 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:48:23 2024 +0100 x86/vcpu: relax VCPUOP_initialise restriction for non-PV vCPUs There's no reason to force HVM guests to have a valid vcpu_info area when initializing a vCPU, as the vCPU can also be brought online using the local APIC, and on that path there's no requirement for vcpu_info to be setup ahead of the bring up. Note an HVM vCPU can operate normally without making use of vcpu_info, and in fact does so when brought up via the local APIC. Restrict the check against dummy_vcpu_info to only apply to PV guests. Fixes: 192df6f9122d ('x86: allow HVM guests to use hypercalls to bring up vCPUs') Signed-off-by: Roger Pau Monné Reviewed-by: Andrew Cooper --- xen/common/compat/domain.c | 2 +- xen/common/domain.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/common/compat/domain.c b/xen/common/compat/domain.c index 7ff238cc26..6b4afc8232 100644 --- a/xen/common/compat/domain.c +++ b/xen/common/compat/domain.c @@ -49,7 +49,7 @@ int compat_common_vcpu_op(int cmd, struct vcpu *v, { case VCPUOP_initialise: { - if ( v->vcpu_info_area.map == &dummy_vcpu_info ) + if ( is_pv_domain(d) && v->vcpu_info_area.map == &dummy_vcpu_info ) return -EINVAL; #ifdef CONFIG_HVM diff --git a/xen/common/domain.c b/xen/common/domain.c index 9b42eee44a..ceb44c8266 100644 --- a/xen/common/domain.c +++ b/xen/common/domain.c @@ -1827,7 +1827,7 @@ long common_vcpu_op(int cmd, struct vcpu *v, XEN_GUEST_HANDLE_PARAM(void) arg) switch ( cmd ) { case VCPUOP_initialise: - if ( v->vcpu_info_area.map == &dummy_vcpu_info ) + if ( is_pv_domain(d) && v->vcpu_info_area.map == &dummy_vcpu_info ) return -EINVAL; rc = arch_initialise_vcpu(v, arg); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 19:33:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 19:33:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697865.1089065 (Exim 4.92) (envelope-from ) id 1roq4b-00073h-4J; Mon, 25 Mar 2024 19:33:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697865.1089065; Mon, 25 Mar 2024 19:33:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4b-00073Z-1m; Mon, 25 Mar 2024 19:33:33 +0000 Received: by outflank-mailman (input) for mailman id 697865; Mon, 25 Mar 2024 19:33:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4a-00073T-KI for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4a-0001CV-Hd for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roq4a-00050M-GO for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=LDrH1AKzA9w7CzRmlarIy90Q7D56WAho6rBLz2dKDn0=; b=dSowrz5u/LtOS4mrPrXBgDTxEz gEl85ysiaS+0fRzc67lK2QOsEgHR1KeVdJgpYFARTqMHJzkMGGyitUWOY2XcNuvsK/FoGePnehmma Vhq72qy7Ciil6v/j5NbV6E0X3o7FNe47+CNgxQtZYQjJcP5XamGSSoYu6IUHpxIptDnQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/console: add comment about external console lock helper Message-Id: Date: Mon, 25 Mar 2024 19:33:32 +0000 commit 4b60085b6e3f8c3afea88685198bb310c332e90e Author: Roger Pau Monné AuthorDate: Mon Mar 25 10:49:07 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:49:07 2024 +0100 xen/console: add comment about external console lock helper The current console_lock_recursive_irqsave() implementation is not speculation safe, however it's only used to prevent interleaved output. Note this in the function declaration in order for callers to be aware of the limitation. No functional change. Signed-off-by: Roger Pau Monné Acked-by: Jan Beulich --- xen/include/xen/console.h | 1 + 1 file changed, 1 insertion(+) diff --git a/xen/include/xen/console.h b/xen/include/xen/console.h index 68759862e8..6dfbade3ec 100644 --- a/xen/include/xen/console.h +++ b/xen/include/xen/console.h @@ -20,6 +20,7 @@ void console_init_postirq(void); void console_endboot(void); int console_has(const char *device); +/* Not speculation safe - only used to prevent interleaving of output. */ unsigned long console_lock_recursive_irqsave(void); void console_unlock_recursive_irqrestore(unsigned long flags); void console_force_unlock(void); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Mon Mar 25 19:33:43 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Mon, 25 Mar 2024 19:33:43 +0000 Received: from list by lists.xenproject.org with outflank-mailman.697866.1089070 (Exim 4.92) (envelope-from ) id 1roq4l-00076O-63; Mon, 25 Mar 2024 19:33:43 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 697866.1089070; Mon, 25 Mar 2024 19:33:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4l-00076G-3J; Mon, 25 Mar 2024 19:33:43 +0000 Received: by outflank-mailman (input) for mailman id 697866; Mon, 25 Mar 2024 19:33:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4k-00076A-LO for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1roq4k-0001Cv-Kd for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1roq4k-00051B-Ji for xen-changelog@lists.xenproject.org; Mon, 25 Mar 2024 19:33:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ZhCFDn3lIHZt0SPXb/Siwik2mfH3jYDFv6HFajrYDII=; b=0M+qSj91llr4gDDC757ivFxbVO LUk8QPzbo3Hjqk2cJTtqw7V4R4ZupttLGuCOrKxLdMqHXLym5MEUAb8soxSz5CRmjTCkfI4JY5qSu ztDvu5DMBZk2kzqIJrsmX6TVZDso7Ir8uqXkJvuPDyd29RDOfZhskYZzwDI5ywyfutSM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/xsm: add parentheses to comply with MISRA C Rule 20.7 Message-Id: Date: Mon, 25 Mar 2024 19:33:42 +0000 commit 6f6de10ade5ade907f9e3f3c72b7b18f7852d9ff Author: Nicola Vetrini AuthorDate: Mon Mar 25 10:49:19 2024 +0100 Commit: Jan Beulich CommitDate: Mon Mar 25 10:49:19 2024 +0100 xen/xsm: add parentheses to comply with MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Stefano Stabellini Acked-by: Daniel P. Smith --- xen/include/xsm/dummy.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/include/xsm/dummy.h b/xen/include/xsm/dummy.h index 8671af1ba4..88039fdd22 100644 --- a/xen/include/xsm/dummy.h +++ b/xen/include/xsm/dummy.h @@ -58,7 +58,7 @@ void __xsm_action_mismatch_detected(void); #define XSM_DEFAULT_ARG /* */ #define XSM_DEFAULT_VOID void -#define XSM_ASSERT_ACTION(def) xsm_default_t action = def; (void)action +#define XSM_ASSERT_ACTION(def) xsm_default_t action = (def); (void)action #else /* CONFIG_XSM */ @@ -71,7 +71,7 @@ void __xsm_action_mismatch_detected(void); #define XSM_INLINE always_inline #define XSM_DEFAULT_ARG xsm_default_t action, #define XSM_DEFAULT_VOID xsm_default_t action -#define XSM_ASSERT_ACTION(def) LINKER_BUG_ON(def != action) +#define XSM_ASSERT_ACTION(def) LINKER_BUG_ON((def) != action) #endif /* CONFIG_XSM */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:22:08 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:22:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698343.1089915 (Exim 4.92) (envelope-from ) id 1rpOXs-00084g-FT; Wed, 27 Mar 2024 08:22:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698343.1089915; Wed, 27 Mar 2024 08:22:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOXs-00084Z-Cw; Wed, 27 Mar 2024 08:22:04 +0000 Received: by outflank-mailman (input) for mailman id 698343; Wed, 27 Mar 2024 08:22:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOXr-00084P-OT for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOXr-0001Gz-Il for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOXr-0004Hx-Gw for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=7lsJMT0qAeDIDwjz/6vezzvjy4fiyYF+fxm0r1NSyLI=; b=cbVsx+QdtQqYVxAoPSM79zfjTa 3c/n/QwY6ws/ACa9R62DylrRh5pwRhQINibesDKasbHfxs+NcdYJhZ0S/J5HxeHDb7t84m7Uo6WL6 YQQAmd+CW9++xdGacvEeM6dpv8ZUPFxoS77veFyUPptJGAksxKoxzcXK4Hfj2uwbyzWc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/list: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 27 Mar 2024 08:22:03 +0000 commit 12a3b90c2ae4998c389e53d1f68cbdba5914adce Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:09:50 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:09:50 2024 +0100 xen/list: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Jan Beulich --- xen/include/xen/list.h | 143 ++++++++++++++++++++++++------------------------- 1 file changed, 71 insertions(+), 72 deletions(-) diff --git a/xen/include/xen/list.h b/xen/include/xen/list.h index b5eab3a1eb..6506ac4089 100644 --- a/xen/include/xen/list.h +++ b/xen/include/xen/list.h @@ -452,7 +452,7 @@ static inline void list_splice_init(struct list_head *list, * @head: the head for your list. */ #define list_for_each(pos, head) \ - for (pos = (head)->next; pos != (head); pos = pos->next) + for ((pos) = (head)->next; (pos) != (head); (pos) = (pos)->next) /** * list_for_each_prev - iterate over a list backwards @@ -460,7 +460,7 @@ static inline void list_splice_init(struct list_head *list, * @head: the head for your list. */ #define list_for_each_prev(pos, head) \ - for (pos = (head)->prev; pos != (head); pos = pos->prev) + for ((pos) = (head)->prev; (pos) != (head); (pos) = (pos)->prev) /** * list_for_each_safe - iterate over a list safe against removal of list entry @@ -468,9 +468,9 @@ static inline void list_splice_init(struct list_head *list, * @n: another &struct list_head to use as temporary storage * @head: the head for your list. */ -#define list_for_each_safe(pos, n, head) \ - for (pos = (head)->next, n = pos->next; pos != (head); \ - pos = n, n = pos->next) +#define list_for_each_safe(pos, n, head) \ + for ((pos) = (head)->next, (n) = (pos)->next; (pos) != (head); \ + (pos) = (n), (n) = (pos)->next) /** * list_for_each_backwards_safe - iterate backwards over a list safe @@ -479,9 +479,9 @@ static inline void list_splice_init(struct list_head *list, * @n: another &struct list_head to use as temporary storage * @head: the head for your list. */ -#define list_for_each_backwards_safe(pos, n, head) \ - for ( pos = (head)->prev, n = pos->prev; pos != (head); \ - pos = n, n = pos->prev ) +#define list_for_each_backwards_safe(pos, n, head) \ + for ( (pos) = (head)->prev, (n) = (pos)->prev; (pos) != (head); \ + (pos) = (n), (n) = (pos)->prev ) /** * list_for_each_entry - iterate over list of given type @@ -490,9 +490,9 @@ static inline void list_splice_init(struct list_head *list, * @member: the name of the list_struct within the struct. */ #define list_for_each_entry(pos, head, member) \ - for (pos = list_entry((head)->next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = list_entry(pos->member.next, typeof(*pos), member)) + for ((pos) = list_entry((head)->next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = list_entry((pos)->member.next, typeof(*(pos)), member)) /** * list_for_each_entry_reverse - iterate backwards over list of given type. @@ -501,9 +501,9 @@ static inline void list_splice_init(struct list_head *list, * @member: the name of the list_struct within the struct. */ #define list_for_each_entry_reverse(pos, head, member) \ - for (pos = list_entry((head)->prev, typeof(*pos), member); \ - &pos->member != (head); \ - pos = list_entry(pos->member.prev, typeof(*pos), member)) + for ((pos) = list_entry((head)->prev, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = list_entry((pos)->member.prev, typeof(*(pos)), member)) /** * list_prepare_entry - prepare a pos entry for use in @@ -516,7 +516,7 @@ static inline void list_splice_init(struct list_head *list, * list_for_each_entry_continue. */ #define list_prepare_entry(pos, head, member) \ - ((pos) ? : list_entry(head, typeof(*pos), member)) + ((pos) ? : list_entry(head, typeof(*(pos)), member)) /** * list_for_each_entry_continue - continue iteration over list of given type @@ -527,10 +527,10 @@ static inline void list_splice_init(struct list_head *list, * Continue to iterate over list of given type, continuing after * the current position. */ -#define list_for_each_entry_continue(pos, head, member) \ - for (pos = list_entry(pos->member.next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = list_entry(pos->member.next, typeof(*pos), member)) +#define list_for_each_entry_continue(pos, head, member) \ + for ((pos) = list_entry((pos)->member.next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = list_entry((pos)->member.next, typeof(*(pos)), member)) /** * list_for_each_entry_from - iterate over list of given type from the @@ -542,8 +542,8 @@ static inline void list_splice_init(struct list_head *list, * Iterate over list of given type, continuing from current position. */ #define list_for_each_entry_from(pos, head, member) \ - for (; &pos->member != (head); \ - pos = list_entry(pos->member.next, typeof(*pos), member)) + for (; &(pos)->member != (head); \ + (pos) = list_entry((pos)->member.next, typeof(*(pos)), member)) /** * list_for_each_entry_safe - iterate over list of given type safe @@ -554,10 +554,10 @@ static inline void list_splice_init(struct list_head *list, * @member: the name of the list_struct within the struct. */ #define list_for_each_entry_safe(pos, n, head, member) \ - for (pos = list_entry((head)->next, typeof(*pos), member), \ - n = list_entry(pos->member.next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = n, n = list_entry(n->member.next, typeof(*n), member)) + for ((pos) = list_entry((head)->next, typeof(*(pos)), member), \ + (n) = list_entry((pos)->member.next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = (n), (n) = list_entry((n)->member.next, typeof(*(n)), member)) /** * list_for_each_entry_safe_continue @@ -569,11 +569,11 @@ static inline void list_splice_init(struct list_head *list, * Iterate over list of given type, continuing after current point, * safe against removal of list entry. */ -#define list_for_each_entry_safe_continue(pos, n, head, member) \ - for (pos = list_entry(pos->member.next, typeof(*pos), member), \ - n = list_entry(pos->member.next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = n, n = list_entry(n->member.next, typeof(*n), member)) +#define list_for_each_entry_safe_continue(pos, n, head, member) \ + for ((pos) = list_entry((pos)->member.next, typeof(*(pos)), member), \ + (n) = list_entry((pos)->member.next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = (n), (n) = list_entry((n)->member.next, typeof(*(n)), member)) /** * list_for_each_entry_safe_from @@ -586,9 +586,9 @@ static inline void list_splice_init(struct list_head *list, * removal of list entry. */ #define list_for_each_entry_safe_from(pos, n, head, member) \ - for (n = list_entry(pos->member.next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = n, n = list_entry(n->member.next, typeof(*n), member)) + for ((n) = list_entry((pos)->member.next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = (n), (n) = list_entry((n)->member.next, typeof(*(n)), member)) /** * list_for_each_entry_safe_reverse @@ -601,10 +601,10 @@ static inline void list_splice_init(struct list_head *list, * of list entry. */ #define list_for_each_entry_safe_reverse(pos, n, head, member) \ - for (pos = list_entry((head)->prev, typeof(*pos), member), \ - n = list_entry(pos->member.prev, typeof(*pos), member); \ - &pos->member != (head); \ - pos = n, n = list_entry(n->member.prev, typeof(*n), member)) + for ((pos) = list_entry((head)->prev, typeof(*(pos)), member), \ + (n) = list_entry((pos)->member.prev, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = (n), (n) = list_entry((n)->member.prev, typeof(*(n)), member)) /** * list_for_each_rcu - iterate over an rcu-protected list @@ -616,14 +616,14 @@ static inline void list_splice_init(struct list_head *list, * as long as the traversal is guarded by rcu_read_lock(). */ #define list_for_each_rcu(pos, head) \ - for (pos = (head)->next; \ + for ((pos) = (head)->next; \ rcu_dereference(pos) != (head); \ - pos = pos->next) + (pos) = (pos)->next) #define __list_for_each_rcu(pos, head) \ - for (pos = (head)->next; \ + for ((pos) = (head)->next; \ rcu_dereference(pos) != (head); \ - pos = pos->next) + (pos) = (pos)->next) /** * list_for_each_safe_rcu @@ -638,9 +638,9 @@ static inline void list_splice_init(struct list_head *list, * as long as the traversal is guarded by rcu_read_lock(). */ #define list_for_each_safe_rcu(pos, n, head) \ - for (pos = (head)->next; \ - n = rcu_dereference(pos)->next, pos != (head); \ - pos = n) + for ((pos) = (head)->next; \ + (n) = rcu_dereference(pos)->next, (pos) != (head); \ + (pos) = (n)) /** * list_for_each_entry_rcu - iterate over rcu list of given type @@ -653,9 +653,9 @@ static inline void list_splice_init(struct list_head *list, * as long as the traversal is guarded by rcu_read_lock(). */ #define list_for_each_entry_rcu(pos, head, member) \ - for (pos = list_entry((head)->next, typeof(*pos), member); \ + for ((pos) = list_entry((head)->next, typeof(*(pos)), member); \ &rcu_dereference(pos)->member != (head); \ - pos = list_entry(pos->member.next, typeof(*pos), member)) + (pos) = list_entry((pos)->member.next, typeof(*(pos)), member)) /** * list_for_each_continue_rcu @@ -899,11 +899,11 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, #define hlist_entry(ptr, type, member) container_of(ptr,type,member) #define hlist_for_each(pos, head) \ - for (pos = (head)->first; pos; pos = pos->next) + for ((pos) = (head)->first; (pos); (pos) = (pos)->next) -#define hlist_for_each_safe(pos, n, head) \ - for (pos = (head)->first; pos && ({ n = pos->next; 1; }); \ - pos = n) +#define hlist_for_each_safe(pos, n, head) \ + for ((pos) = (head)->first; (pos) && ({ (n) = (pos)->next; 1; }); \ + (pos) = (n)) /** * hlist_for_each_entry - iterate over list of given type @@ -913,10 +913,10 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * @member: the name of the hlist_node within the struct. */ #define hlist_for_each_entry(tpos, pos, head, member) \ - for (pos = (head)->first; \ - pos && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = pos->next) + for ((pos) = (head)->first; \ + (pos) && \ + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (pos)->next) /** * hlist_for_each_entry_continue - iterate over a hlist continuing @@ -925,11 +925,11 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * @pos: the &struct hlist_node to use as a loop cursor. * @member: the name of the hlist_node within the struct. */ -#define hlist_for_each_entry_continue(tpos, pos, member) \ - for (pos = (pos)->next; \ - pos && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = pos->next) +#define hlist_for_each_entry_continue(tpos, pos, member) \ + for ((pos) = (pos)->next; \ + (pos) && \ + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (pos)->next) /** * hlist_for_each_entry_from - iterate over a hlist continuing from @@ -938,10 +938,10 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * @pos: the &struct hlist_node to use as a loop cursor. * @member: the name of the hlist_node within the struct. */ -#define hlist_for_each_entry_from(tpos, pos, member) \ - for (; pos && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = pos->next) +#define hlist_for_each_entry_from(tpos, pos, member) \ + for (; (pos) && \ + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (pos)->next) /** * hlist_for_each_entry_safe - iterate over list of given type safe @@ -952,11 +952,11 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * @head: the head for your list. * @member: the name of the hlist_node within the struct. */ -#define hlist_for_each_entry_safe(tpos, pos, n, head, member) \ - for (pos = (head)->first; \ - pos && ({ n = pos->next; 1; }) && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = n) +#define hlist_for_each_entry_safe(tpos, pos, n, head, member) \ + for ((pos) = (head)->first; \ + (pos) && ({ n = (pos)->next; 1; }) && \ + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (n)) /** @@ -971,10 +971,9 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * as long as the traversal is guarded by rcu_read_lock(). */ #define hlist_for_each_entry_rcu(tpos, pos, head, member) \ - for (pos = (head)->first; \ + for ((pos) = (head)->first; \ rcu_dereference(pos) && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = pos->next) + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (pos)->next) #endif /* __XEN_LIST_H__ */ - -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:22:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:22:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698344.1089919 (Exim 4.92) (envelope-from ) id 1rpOY2-00086o-H2; Wed, 27 Mar 2024 08:22:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698344.1089919; Wed, 27 Mar 2024 08:22:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOY2-00086h-EY; Wed, 27 Mar 2024 08:22:14 +0000 Received: by outflank-mailman (input) for mailman id 698344; Wed, 27 Mar 2024 08:22:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOY1-00086X-Ml for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOY1-0001HR-Lu for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOY1-0004Jp-Kx for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lbnUgC3YJgLkMNg/9qWVYQhbxPYtKncM/q8zxO/en5M=; b=RjagaF1+yxM8ovS/cIVYCOG7Qj SdgygTWtx/UZcY2LAd2pQX9Rn4oR7wTsCxIZRRirJZga1YStPxAgsHUVuFYWbLjmqovx/2Ghcq426 dH9TasYcvS+n4qKflYVjgw+WB94c5+Japy+8DLTe6hWe0d8pt7kyUVZbfpKXnquZCidQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xentrace: address violation of MISRA C Rule 20.7 Message-Id: Date: Wed, 27 Mar 2024 08:22:13 +0000 commit 7757981d94b78714a579b0983fa906b83d3bcd27 Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:10:23 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:10:23 2024 +0100 xentrace: address violation of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/public/trace.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/public/trace.h b/xen/include/public/trace.h index 62a179971d..3c9f9c3c18 100644 --- a/xen/include/public/trace.h +++ b/xen/include/public/trace.h @@ -67,7 +67,7 @@ #define TRC_SCHED_CLASS_EVT(_c, _e) \ ( ( TRC_SCHED_CLASS | \ ((TRC_SCHED_##_c << TRC_SCHED_ID_SHIFT) & TRC_SCHED_ID_MASK) ) + \ - (_e & TRC_SCHED_EVT_MASK) ) + ((_e) & TRC_SCHED_EVT_MASK) ) /* Trace classes for DOM0 operations */ #define TRC_DOM0_DOMOPS 0x00041000 /* Domains manipulations */ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:22:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:22:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698345.1089924 (Exim 4.92) (envelope-from ) id 1rpOYC-00089X-Iv; Wed, 27 Mar 2024 08:22:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698345.1089924; Wed, 27 Mar 2024 08:22:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYC-00089Q-Fy; Wed, 27 Mar 2024 08:22:24 +0000 Received: by outflank-mailman (input) for mailman id 698345; Wed, 27 Mar 2024 08:22:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYB-00089B-Q1 for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYB-0001HY-PG for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOYB-0004KM-Nz for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=uIZ0nUNP+E0DuSVweGsar6h76cnaHbZC2L4Z3LvPyVU=; b=YDEkPl0/qadZNBxoRSmWOTDQft YZ0zNG1mM9BKf74srW80Bn/2LBjYRfWvIzpIsdslCqrm0ruTL/wSKTVDWCqgIdvK9fWkNEoJcZOff s5RaceWJ6CYK4lBZ35nNH9My6/s8YpzU+wzBr5ddyusdkiSOHNLcqwyN8yrscP1sZNRM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen: address MISRA C Rule 20.7 violation in generated hypercall Message-Id: Date: Wed, 27 Mar 2024 08:22:23 +0000 commit cab6de6a95bbded2435a9474a2ec1b730f209262 Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:11:03 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:11:03 2024 +0100 xen: address MISRA C Rule 20.7 violation in generated hypercall MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Jan Beulich --- xen/scripts/gen_hypercall.awk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/scripts/gen_hypercall.awk b/xen/scripts/gen_hypercall.awk index 9f7cfa298a..1a7e051fde 100644 --- a/xen/scripts/gen_hypercall.awk +++ b/xen/scripts/gen_hypercall.awk @@ -277,7 +277,7 @@ END { if (call[i] == ca && call_prio[i] == p_list[pl]) { fnd++; if (fnd == 1) - printf(" if ( num == __HYPERVISOR_%s ) \\\n", fn[call_fn[i]]); + printf(" if ( (num) == __HYPERVISOR_%s ) \\\n", fn[call_fn[i]]); else printf(" else \\\n"); do_call(call_fn[i], call_p[i]); @@ -290,7 +290,7 @@ END { } else { for (i = 1; i <= nc; i++) if (call[i] == ca && call_prio[i] == p_list[pl]) { - printf("if ( likely(num == __HYPERVISOR_%s) ) \\\n", fn[call_fn[i]]); + printf("if ( likely((num) == __HYPERVISOR_%s) ) \\\n", fn[call_fn[i]]); do_call(call_fn[i], call_p[i]); } } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:22:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:22:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698346.1089927 (Exim 4.92) (envelope-from ) id 1rpOYN-0008Cq-K1; Wed, 27 Mar 2024 08:22:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698346.1089927; Wed, 27 Mar 2024 08:22:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYN-0008Ci-HU; Wed, 27 Mar 2024 08:22:35 +0000 Received: by outflank-mailman (input) for mailman id 698346; Wed, 27 Mar 2024 08:22:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYL-0008CS-TA for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYL-0001Hf-SQ for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOYL-0004L2-RQ for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=96pGBgVK/Yur+QKCmQy7pQBUQUALRGzPn5nhHrw0OSU=; b=OKM30+yPPS5ozUbarzAiHeFHHW QwajtlsnSME4OwGzrqn5cjGRbSrNjmk0MbdIo848Fe8fzOXLWQfLNBxCO9kvT+PPF5U0WPOf/T7eu DlhrHpNS692Bx/nhd67G3opVXDlIRyy0emU/b0aZQcaEI4BX+bfdzTAQmOW+qeFg32WU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/page_alloc: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 27 Mar 2024 08:22:33 +0000 commit e2eeb1b753bb90865c05948f7836f119e12ceb0e Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:12:06 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:12:06 2024 +0100 xen/page_alloc: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should either gain additional parentheses or have their expressions simplified to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/common/page_alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 28c510d666..c94834d71b 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -150,7 +150,7 @@ #include #else #define p2m_pod_offline_or_broken_hit(pg) 0 -#define p2m_pod_offline_or_broken_replace(pg) BUG_ON(pg != NULL) +#define p2m_pod_offline_or_broken_replace(pg) BUG_ON(pg) #endif #ifndef PGC_static -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:22:45 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:22:45 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698347.1089933 (Exim 4.92) (envelope-from ) id 1rpOYX-0008G8-Me; Wed, 27 Mar 2024 08:22:45 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698347.1089933; Wed, 27 Mar 2024 08:22:45 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYX-0008Fz-J0; Wed, 27 Mar 2024 08:22:45 +0000 Received: by outflank-mailman (input) for mailman id 698347; Wed, 27 Mar 2024 08:22:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYW-0008Fl-0K for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYV-0001Hp-Vd for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOYV-0004LW-Uk for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=12V8ak7PrOgBm9vE0qAGiK+9PNLXdIQmy7xtzd12Gec=; b=lYHT2cFvuN2/1Txa2BKS9w+OVi oROf4aI9nJbX1WDO7H41M59BS2MDb7qoTob1CJ8i8BQTTH0BWa6zL46V4eDQswOww3eb3AYdqTSvm txgbf+2u9RvTdtwzx1YOJT2SuucROjzl9AHB61TNExKSnarWfxPA6egJL8sXNTqriAKE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/hvm: address violations of Rule 20.7 Message-Id: Date: Wed, 27 Mar 2024 08:22:43 +0000 commit a65d9988add1a97f4eebfddfbe5e6fb111b8116a Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:12:30 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:12:30 2024 +0100 x86/hvm: address violations of Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should either gain additional parentheses or have their expressions simplified to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/arch/x86/hvm/hvm.c | 6 +++--- xen/arch/x86/include/asm/hvm/save.h | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index c75959588c..0ce45b177c 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1066,9 +1066,9 @@ static int cf_check hvm_load_cpu_ctxt(struct domain *d, hvm_domain_context_t *h) /* Older Xen versions used to save the segment arbytes directly * from the VMCS on Intel hosts. Detect this and rearrange them * into the struct segment_register format. */ -#define UNFOLD_ARBYTES(_r) \ - if ( (_r & 0xf000) && !(_r & 0x0f00) ) \ - _r = ((_r & 0xff) | ((_r >> 4) & 0xf00)) +#define UNFOLD_ARBYTES(_r) \ + if ( ((_r) & 0xf000) && !((_r) & 0x0f00) ) \ + (_r) = (((_r) & 0xff) | (((_r) >> 4) & 0xf00)) UNFOLD_ARBYTES(ctxt.cs_arbytes); UNFOLD_ARBYTES(ctxt.ds_arbytes); UNFOLD_ARBYTES(ctxt.es_arbytes); diff --git a/xen/arch/x86/include/asm/hvm/save.h b/xen/arch/x86/include/asm/hvm/save.h index 04a47ffcc4..8149aa113c 100644 --- a/xen/arch/x86/include/asm/hvm/save.h +++ b/xen/arch/x86/include/asm/hvm/save.h @@ -128,9 +128,9 @@ static int __init cf_check __hvm_register_##_x##_save_and_restore(void) \ { \ hvm_register_savevm(HVM_SAVE_CODE(_x), \ #_x, \ - &_save, \ + _save, \ check, \ - &_load, \ + _load, \ (_num) * (HVM_SAVE_LENGTH(_x) \ + sizeof (struct hvm_save_descriptor)), \ _k); \ -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:22:55 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:22:55 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698348.1089935 (Exim 4.92) (envelope-from ) id 1rpOYh-0008Jl-PD; Wed, 27 Mar 2024 08:22:55 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698348.1089935; Wed, 27 Mar 2024 08:22:55 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYh-0008Jd-Mh; Wed, 27 Mar 2024 08:22:55 +0000 Received: by outflank-mailman (input) for mailman id 698348; Wed, 27 Mar 2024 08:22:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYg-0008JI-2p for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYg-0001Hw-27 for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOYg-0004M6-1T for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:22:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=FsMpzRTviP+HzhVfmgLVsTvPY+Uln89s7pxAHkGXbNs=; b=xtKnTB50BT/za0U+ONn0hRtj+r KFRl05zkt5BCzpW3Qacm+d3MNtICxjFUZoKmgaWWmoYUGlHLKzcN8wdb+v8L31lAjMtwOXYSpcQaJ HouoRKbqaoPzMXOE1tJltZYlyz3PGabg35jWfi5Z3UVzTtgjgRFDyxYkCsAGcdNgtoYY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/public: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 27 Mar 2024 08:22:54 +0000 commit f6a413994882a6fef2d40e52998582fd2d595fdf Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:12:58 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:12:58 2024 +0100 x86/public: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/public/arch-x86/xen.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/public/arch-x86/xen.h b/xen/include/public/arch-x86/xen.h index c0f4551247..a9a87d9b50 100644 --- a/xen/include/public/arch-x86/xen.h +++ b/xen/include/public/arch-x86/xen.h @@ -36,7 +36,7 @@ #define __XEN_GUEST_HANDLE(name) __guest_handle_ ## name #define XEN_GUEST_HANDLE(name) __XEN_GUEST_HANDLE(name) #define XEN_GUEST_HANDLE_PARAM(name) XEN_GUEST_HANDLE(name) -#define set_xen_guest_handle_raw(hnd, val) do { (hnd).p = val; } while (0) +#define set_xen_guest_handle_raw(hnd, val) do { (hnd).p = (val); } while (0) #define set_xen_guest_handle(hnd, val) set_xen_guest_handle_raw(hnd, val) #if defined(__i386__) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:23:05 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:23:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698349.1089940 (Exim 4.92) (envelope-from ) id 1rpOYr-0008Mj-Qo; Wed, 27 Mar 2024 08:23:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698349.1089940; Wed, 27 Mar 2024 08:23:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYr-0008Mb-O8; Wed, 27 Mar 2024 08:23:05 +0000 Received: by outflank-mailman (input) for mailman id 698349; Wed, 27 Mar 2024 08:23:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYq-0008MT-5n for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOYq-0001IJ-58 for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOYq-0004Mg-4K for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=u2Uji5B3xisQCm/3QRBUGKXJXmGkiFLrA/U8g8Ax5Vw=; b=C4dad+5V/8D/T/uqQTxB+V5afR MEFl1klMkzT61GQnpoFmKQ4EjxDNJHXuwuhEVql3PHc5k7URomdtlq2tGGMorLe8YFgYri6Z4aywL Is3dltj/DLttjl9je0BUntlY1j9X28iyhXG/elGh610BRuG0XCGE0J8Hju3BB/Sn6D0M=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] Revert "xen/x86: bzImage parse kernel_alignment" Message-Id: Date: Wed, 27 Mar 2024 08:23:04 +0000 commit 8802230bfa39af8eb0ea7aa7e622e2b86002771a Author: Jason Andryuk AuthorDate: Wed Mar 27 09:13:34 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:13:34 2024 +0100 Revert "xen/x86: bzImage parse kernel_alignment" A new ELF note will specify the alignment for a relocatable PVH kernel. ELF notes are suitable for vmlinux and other ELF files, so this Linux-specific bzImage parsing in unnecessary. This reverts commit c44cac229067faeec8f49247d1cf281723ac2d40. Signed-off-by: Jason Andryuk Acked-by: Jan Beulich --- xen/arch/x86/bzimage.c | 4 +--- xen/arch/x86/hvm/dom0_build.c | 4 +--- xen/arch/x86/include/asm/bzimage.h | 2 +- xen/arch/x86/pv/dom0_build.c | 2 +- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/xen/arch/x86/bzimage.c b/xen/arch/x86/bzimage.c index 0f4cfc49f7..ac4fd428be 100644 --- a/xen/arch/x86/bzimage.c +++ b/xen/arch/x86/bzimage.c @@ -105,7 +105,7 @@ unsigned long __init bzimage_headroom(void *image_start, } int __init bzimage_parse(void *image_base, void **image_start, - unsigned long *image_len, unsigned int *align) + unsigned long *image_len) { struct setup_header *hdr = (struct setup_header *)(*image_start); int err = bzimage_check(hdr, *image_len); @@ -118,8 +118,6 @@ int __init bzimage_parse(void *image_base, void **image_start, { *image_start += (hdr->setup_sects + 1) * 512 + hdr->payload_offset; *image_len = hdr->payload_length; - if ( align ) - *align = hdr->kernel_alignment; } if ( elf_is_elfbinary(*image_start, *image_len) ) diff --git a/xen/arch/x86/hvm/dom0_build.c b/xen/arch/x86/hvm/dom0_build.c index bbae8a5645..0ceda4140b 100644 --- a/xen/arch/x86/hvm/dom0_build.c +++ b/xen/arch/x86/hvm/dom0_build.c @@ -548,14 +548,12 @@ static int __init pvh_load_kernel(struct domain *d, const module_t *image, struct elf_binary elf; struct elf_dom_parms parms; paddr_t last_addr; - unsigned int align = 0; struct hvm_start_info start_info = { 0 }; struct hvm_modlist_entry mod = { 0 }; struct vcpu *v = d->vcpu[0]; int rc; - rc = bzimage_parse(image_base, &image_start, &image_len, &align); - if ( rc != 0 ) + if ( (rc = bzimage_parse(image_base, &image_start, &image_len)) != 0 ) { printk("Error trying to detect bz compressed kernel\n"); return rc; diff --git a/xen/arch/x86/include/asm/bzimage.h b/xen/arch/x86/include/asm/bzimage.h index 2e04f5cc7b..7ed69d3910 100644 --- a/xen/arch/x86/include/asm/bzimage.h +++ b/xen/arch/x86/include/asm/bzimage.h @@ -6,6 +6,6 @@ unsigned long bzimage_headroom(void *image_start, unsigned long image_length); int bzimage_parse(void *image_base, void **image_start, - unsigned long *image_len, unsigned int *align); + unsigned long *image_len); #endif /* __X86_BZIMAGE_H__ */ diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index e9fa8a9a82..d8043fa58a 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -416,7 +416,7 @@ int __init dom0_construct_pv(struct domain *d, d->max_pages = ~0U; - if ( (rc = bzimage_parse(image_base, &image_start, &image_len, NULL)) != 0 ) + if ( (rc = bzimage_parse(image_base, &image_start, &image_len)) != 0 ) return rc; if ( (rc = elf_init(&elf, image_start, image_len)) != 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:23:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:23:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698350.1089944 (Exim 4.92) (envelope-from ) id 1rpOZ1-0008R6-SB; Wed, 27 Mar 2024 08:23:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698350.1089944; Wed, 27 Mar 2024 08:23:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOZ1-0008Qy-Pb; Wed, 27 Mar 2024 08:23:15 +0000 Received: by outflank-mailman (input) for mailman id 698350; Wed, 27 Mar 2024 08:23:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOZ0-0008Qi-8c for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOZ0-0001Ig-7u for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOZ0-0004NM-7F for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KWS16gxTPF/1XHEfCeALB5eDUEaflP2talSseSWCJBg=; b=YEbzNGt0hRNXaf5GQQkbPvYmX6 PS2chfPiFTFn97g2k3YPuF1P5YXQodBuyiNGZlUgbwuy/XyGulX3SbnKOopafw648StGv4/xhc66w ANUdvqrkXwxkuCQrM2DFus+DOVEFh3wGt6JDw1L+lVfOQvz74KoqRC7h6k0pwAKCFUuc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] libelf: Expand ELF note printing Message-Id: Date: Wed, 27 Mar 2024 08:23:14 +0000 commit 7d8c9b4e8d0f3382c647289256f1573d6afa7e46 Author: Jason Andryuk AuthorDate: Wed Mar 27 09:13:55 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:13:55 2024 +0100 libelf: Expand ELF note printing The XEN_ELFNOTE_L1_MFN_VALID is an array of pairs of values, but it is printed as: (XEN) ELF: note: L1_MFN_VALID = 0 This is a limitation of only printing either string or numeric values. Switch from the boolean to an enum which allows more flexibility in printing the values. Introduce ELFNOTE_NAME to only print the name without a value like: (XEN) ELF: note: L1_MFN_VALID Details can optionally be printed for specific notes. Signed-off-by: Jason Andryuk Reviewed-by: Jan Beulich --- xen/common/libelf/libelf-dominfo.c | 61 ++++++++++++++++++++++++-------------- 1 file changed, 38 insertions(+), 23 deletions(-) diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c index a13a5e4db6..0cdb419b8a 100644 --- a/xen/common/libelf/libelf-dominfo.c +++ b/xen/common/libelf/libelf-dominfo.c @@ -101,26 +101,30 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf, /* *INDENT-OFF* */ static const struct { const char *name; - bool str; + enum { + ELFNOTE_INT, + ELFNOTE_STRING, + ELFNOTE_NAME, + } type; } note_desc[] = { - [XEN_ELFNOTE_ENTRY] = { "ENTRY", 0}, - [XEN_ELFNOTE_HYPERCALL_PAGE] = { "HYPERCALL_PAGE", 0}, - [XEN_ELFNOTE_VIRT_BASE] = { "VIRT_BASE", 0}, - [XEN_ELFNOTE_INIT_P2M] = { "INIT_P2M", 0}, - [XEN_ELFNOTE_PADDR_OFFSET] = { "PADDR_OFFSET", 0}, - [XEN_ELFNOTE_HV_START_LOW] = { "HV_START_LOW", 0}, - [XEN_ELFNOTE_XEN_VERSION] = { "XEN_VERSION", 1}, - [XEN_ELFNOTE_GUEST_OS] = { "GUEST_OS", 1}, - [XEN_ELFNOTE_GUEST_VERSION] = { "GUEST_VERSION", 1}, - [XEN_ELFNOTE_LOADER] = { "LOADER", 1}, - [XEN_ELFNOTE_PAE_MODE] = { "PAE_MODE", 1}, - [XEN_ELFNOTE_FEATURES] = { "FEATURES", 1}, - [XEN_ELFNOTE_SUPPORTED_FEATURES] = { "SUPPORTED_FEATURES", 0}, - [XEN_ELFNOTE_BSD_SYMTAB] = { "BSD_SYMTAB", 1}, - [XEN_ELFNOTE_L1_MFN_VALID] = { "L1_MFN_VALID", false }, - [XEN_ELFNOTE_SUSPEND_CANCEL] = { "SUSPEND_CANCEL", 0 }, - [XEN_ELFNOTE_MOD_START_PFN] = { "MOD_START_PFN", 0 }, - [XEN_ELFNOTE_PHYS32_ENTRY] = { "PHYS32_ENTRY", 0 }, + [XEN_ELFNOTE_ENTRY] = { "ENTRY", ELFNOTE_INT }, + [XEN_ELFNOTE_HYPERCALL_PAGE] = { "HYPERCALL_PAGE", ELFNOTE_INT }, + [XEN_ELFNOTE_VIRT_BASE] = { "VIRT_BASE", ELFNOTE_INT }, + [XEN_ELFNOTE_INIT_P2M] = { "INIT_P2M", ELFNOTE_INT }, + [XEN_ELFNOTE_PADDR_OFFSET] = { "PADDR_OFFSET", ELFNOTE_INT }, + [XEN_ELFNOTE_HV_START_LOW] = { "HV_START_LOW", ELFNOTE_INT }, + [XEN_ELFNOTE_XEN_VERSION] = { "XEN_VERSION", ELFNOTE_STRING }, + [XEN_ELFNOTE_GUEST_OS] = { "GUEST_OS", ELFNOTE_STRING }, + [XEN_ELFNOTE_GUEST_VERSION] = { "GUEST_VERSION", ELFNOTE_STRING }, + [XEN_ELFNOTE_LOADER] = { "LOADER", ELFNOTE_STRING }, + [XEN_ELFNOTE_PAE_MODE] = { "PAE_MODE", ELFNOTE_STRING }, + [XEN_ELFNOTE_FEATURES] = { "FEATURES", ELFNOTE_STRING }, + [XEN_ELFNOTE_SUPPORTED_FEATURES] = { "SUPPORTED_FEATURES", ELFNOTE_INT }, + [XEN_ELFNOTE_BSD_SYMTAB] = { "BSD_SYMTAB", ELFNOTE_STRING }, + [XEN_ELFNOTE_L1_MFN_VALID] = { "L1_MFN_VALID", ELFNOTE_NAME }, + [XEN_ELFNOTE_SUSPEND_CANCEL] = { "SUSPEND_CANCEL", ELFNOTE_INT }, + [XEN_ELFNOTE_MOD_START_PFN] = { "MOD_START_PFN", ELFNOTE_INT }, + [XEN_ELFNOTE_PHYS32_ENTRY] = { "PHYS32_ENTRY", ELFNOTE_INT }, }; /* *INDENT-ON* */ @@ -136,8 +140,9 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf, return 0; } - if ( note_desc[type].str ) + switch ( note_desc[type].type ) { + case ELFNOTE_STRING : str = elf_strval(elf, elf_note_desc(elf, note)); if (str == NULL) /* elf_strval will mark elf broken if it fails so no need to log */ @@ -145,13 +150,19 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf, elf_msg(elf, "ELF: note: %s = \"%s\"\n", note_desc[type].name, str); parms->elf_notes[type].type = XEN_ENT_STR; parms->elf_notes[type].data.str = str; - } - else - { + break; + + case ELFNOTE_INT: val = elf_note_numeric(elf, note); elf_msg(elf, "ELF: note: %s = %#" PRIx64 "\n", note_desc[type].name, val); parms->elf_notes[type].type = XEN_ENT_LONG; parms->elf_notes[type].data.num = val; + break; + + case ELFNOTE_NAME: + /* NB: Newline emitted further down. */ + elf_msg(elf, "ELF: note: %s", note_desc[type].name); + break; } parms->elf_notes[type].name = note_desc[type].name; @@ -218,6 +229,10 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf, parms->phys_entry = val; break; } + + if ( note_desc[type].type == ELFNOTE_NAME) + elf_msg(elf, "\n"); + return 0; } -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:23:25 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:23:25 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698351.1089947 (Exim 4.92) (envelope-from ) id 1rpOZB-0008TX-TW; Wed, 27 Mar 2024 08:23:25 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698351.1089947; Wed, 27 Mar 2024 08:23:25 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOZB-0008TQ-R3; Wed, 27 Mar 2024 08:23:25 +0000 Received: by outflank-mailman (input) for mailman id 698351; Wed, 27 Mar 2024 08:23:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOZA-0008TG-Bn for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOZA-0001Iq-Ac for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOZA-0004Np-9v for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=bG5DnAImHiqzjCNNRTNteY3dvdcIMnZ7rxnAHC/ivOU=; b=zMn+CGOAm3pPs+/JqDuEMz+jmJ Jre9N1ICDoqnc0wm4Usk6fQ2zGjc6zH0EmQHQxeG9EpVc14/953Lb2QqoIdR/Rm2+1AXUZPyxx2dh yjVtNmF1Tc7o8rbaA8wyamSCijAEH+KN3SQ0ay7Tvx0amyCCbvoc6puWfT3oPzMA2F8E=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/elfnote: Specify ELF Notes are x86-specific Message-Id: Date: Wed, 27 Mar 2024 08:23:24 +0000 commit 853c71dfbf520a84158d23803de8e29d08c957bb Author: Jason Andryuk AuthorDate: Wed Mar 27 09:14:17 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:14:17 2024 +0100 xen/elfnote: Specify ELF Notes are x86-specific The Xen ELF Notes are only used with x86. libelf's elf_xen_note_check() exits early for ARM binaries with "ELF: Not bothering with notes on ARM". Add a comment to the top of elfnote.h specifying that Notes are only used with x86 binaries. This is to avoid adding disclaimers for individual notes. Signed-off-by: Jason Andryuk Acked-by: Jan Beulich --- xen/include/public/elfnote.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/include/public/elfnote.h b/xen/include/public/elfnote.h index 8bf54d035b..1d84b05f44 100644 --- a/xen/include/public/elfnote.h +++ b/xen/include/public/elfnote.h @@ -24,6 +24,8 @@ * * String values (for non-legacy) are NULL terminated ASCII, also known * as ASCIZ type. + * + * Xen only uses ELF Notes contained in x86 binaries. */ /* -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 08:23:35 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 08:23:35 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698352.1089952 (Exim 4.92) (envelope-from ) id 1rpOZL-0008WJ-V7; Wed, 27 Mar 2024 08:23:35 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698352.1089952; Wed, 27 Mar 2024 08:23:35 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOZL-0008WC-Sa; Wed, 27 Mar 2024 08:23:35 +0000 Received: by outflank-mailman (input) for mailman id 698352; Wed, 27 Mar 2024 08:23:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOZK-0008W0-EV for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpOZK-0001Iz-DP for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpOZK-0004Oj-Ci for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 08:23:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=h/d6Ng9ez+lEfX8d7djI4ZNu4DtERGYKF7k7BMXJx/0=; b=3ung9uOAUmZzOSCSPatAKV6ujz U5VHMtl0WQZ73ITQpUL5xa16Sht5nE3/wHKxw5XZUl6DGEAoPsJiSh1QusDrmqKFMwJ7L8SBS6txk dzP8rMoS5kDQGoXDhc4noT9qmo24+j8ziJBZq9/Bcxfh8ALxFBV8w8VOlvqw4aMn5fVI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] xen/efi: efibind: address violations of MISRA C Rule 20.7 Message-Id: Date: Wed, 27 Mar 2024 08:23:34 +0000 commit e3883336bb5abba2ec2231618f5b64f61b099b1e Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:20:29 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:20:29 2024 +0100 xen/efi: efibind: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/arch/arm/include/asm/arm64/efibind.h | 4 ++-- xen/arch/x86/include/asm/x86_64/efibind.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/xen/arch/arm/include/asm/arm64/efibind.h b/xen/arch/arm/include/asm/arm64/efibind.h index f13eadd4f0..a1323d452e 100644 --- a/xen/arch/arm/include/asm/arm64/efibind.h +++ b/xen/arch/arm/include/asm/arm64/efibind.h @@ -22,9 +22,9 @@ Revision History #pragma pack() #endif -#define EFIERR(a) (0x8000000000000000ULL | a) +#define EFIERR(a) (0x8000000000000000ULL | (a)) #define EFI_ERROR_MASK 0x8000000000000000ULL -#define EFIERR_OEM(a) (0xc000000000000000ULL | a) +#define EFIERR_OEM(a) (0xc000000000000000ULL | (a)) #define BAD_POINTER 0xFBFBFBFBFBFBFBFBULL #define MAX_ADDRESS 0xFFFFFFFFFFFFFFFFULL diff --git a/xen/arch/x86/include/asm/x86_64/efibind.h b/xen/arch/x86/include/asm/x86_64/efibind.h index e23cd16cb6..28bc18c24b 100644 --- a/xen/arch/x86/include/asm/x86_64/efibind.h +++ b/xen/arch/x86/include/asm/x86_64/efibind.h @@ -117,9 +117,9 @@ typedef uint64_t UINTN; #endif #endif -#define EFIERR(a) (0x8000000000000000 | a) +#define EFIERR(a) (0x8000000000000000 | (a)) #define EFI_ERROR_MASK 0x8000000000000000 -#define EFIERR_OEM(a) (0xc000000000000000 | a) +#define EFIERR_OEM(a) (0xc000000000000000 | (a)) #define BAD_POINTER 0xFBFBFBFBFBFBFBFB -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:33:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:33:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698446.1090088 (Exim 4.92) (envelope-from ) id 1rpRWj-0001Zp-Ug; Wed, 27 Mar 2024 11:33:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698446.1090088; Wed, 27 Mar 2024 11:33:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRWj-0001Zi-S9; Wed, 27 Mar 2024 11:33:05 +0000 Received: by outflank-mailman (input) for mailman id 698446; Wed, 27 Mar 2024 11:33:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRWi-0001Za-BR for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRWh-0004jp-Vx for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRWh-0006Wb-Uy for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=u1ZsqpG67A8SFx5ves6lJ6QwN+U+ZWTp6b12x3q4rvM=; b=hMK4bmMi0dSqjU7fK+tca+s1dm wiRxJWFgp7em67bfegJJ3MxTMYYHVaiiM21cy4zSZBTCz/8yqpfjj4IsAck6v5xGO+P7SVwQNWs/H gNKf4L35jvZIXUQCP0n4ICsQSN79YzmO2jkLWXl+bYLXrw9dbDFN6BXE90uCw9mdv7Vs=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] update Xen version to 4.18.2-pre Message-Id: Date: Wed, 27 Mar 2024 11:33:03 +0000 commit 3d67ba0371f9c6f6f7c5346994da6571f3ed8b57 Author: Jan Beulich AuthorDate: Wed Mar 27 12:19:29 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:19:29 2024 +0100 update Xen version to 4.18.2-pre --- xen/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/Makefile b/xen/Makefile index 0ec1e6555f..affeef69da 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST)) # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 18 -export XEN_EXTRAVERSION ?= .1$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .2-pre$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:33:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:33:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698447.1090092 (Exim 4.92) (envelope-from ) id 1rpRWu-0001dR-0H; Wed, 27 Mar 2024 11:33:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698447.1090092; Wed, 27 Mar 2024 11:33:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRWt-0001dJ-Ta; Wed, 27 Mar 2024 11:33:15 +0000 Received: by outflank-mailman (input) for mailman id 698447; Wed, 27 Mar 2024 11:33:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRWs-0001cz-6t for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRWs-0004k9-4Q for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRWs-0006XN-1l for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CQ/4WdNmIFioAWQlSLJAD7uOPNjyAPXJlD/L3uop2kk=; b=w1jHYG0o6vj2bY6drTDEJ6rdad oh2OgBwTvuQZbdINCDnEF9E/bZDPeqLcz1j6jILzfAqpnET/Dc6jYt088UvKh+2+bBUQp3ioAEMtd Mxi+G6fpWxb74NXTkBOA2iR25EzK7ysNMjc8m7vT4Fy70dk5lcRDyUUH61zxmfdYAeuA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/mm: use block_lock_speculation() in _mm_write_lock() Message-Id: Date: Wed, 27 Mar 2024 11:33:14 +0000 commit 62d9ca19f9f50451c94d69050a5eaffd98ac1c20 Author: Jan Beulich AuthorDate: Wed Mar 27 12:20:05 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:20:05 2024 +0100 x86/mm: use block_lock_speculation() in _mm_write_lock() I can only guess that using block_speculation() there was a leftover from, earlier on, SPECULATIVE_HARDEN_LOCK depending on SPECULATIVE_HARDEN_BRANCH. Fixes: 197ecd838a2a ("locking: attempt to ensure lock wrappers are always inline") Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper master commit: 62018f08708a5ff6ef8fc8ff2aaaac46e5a60430 master date: 2024-03-18 13:53:37 +0100 --- xen/arch/x86/mm/mm-locks.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index b4960fb90e..30eb5dfd60 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -138,7 +138,7 @@ static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, _set_lock_level(_lock_level(d, level)); } else - block_speculation(); + block_lock_speculation(); l->recurse_count++; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:33:26 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:33:26 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698448.1090096 (Exim 4.92) (envelope-from ) id 1rpRX4-0001gf-3G; Wed, 27 Mar 2024 11:33:26 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698448.1090096; Wed, 27 Mar 2024 11:33:26 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRX4-0001gY-0F; Wed, 27 Mar 2024 11:33:26 +0000 Received: by outflank-mailman (input) for mailman id 698448; Wed, 27 Mar 2024 11:33:24 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRX2-0001gG-8D for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:24 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRX2-0004kO-7R for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:24 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRX2-0006Xq-6X for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:24 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=iSoIlD7IGS5w8KiRtAB7CFbaGxDfe7q3lfLzCiE2PMI=; b=FocK/UpKbC4moXs+AceRqS/nNO uuEAhS7YNxDML76kY6rGecHBoIAB67dh96FmPkD9vLNvtGWoX30p922auYXx1CkTY6MYzIFwUEgwD 0ClAB9ZeVJUDQnT1YnTXiUvZ1zmvbpNpbxIfdHsbocx0nWJLiwtZUIukh77JwLU0lsJU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Message-Id: Date: Wed, 27 Mar 2024 11:33:24 +0000 commit cb7b84d3d50d13d9762ce96cd03a06becc0ecf9b Author: Andrew Cooper AuthorDate: Wed Mar 27 12:20:58 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:20:58 2024 +0100 x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Right now, if the user requests the watchdog on the command line, setup_apic_nmi_watchdog() will blindly assume that setting up the watchdog worked. Reuse nmi_perfctr_msr to identify when the watchdog has been configured. Rearrange setup_p6_watchdog() to not set nmi_perfctr_msr until the sanity checks are complete. Turn setup_p4_watchdog() into a void function, matching the others. If the watchdog isn't set up, inform the user and override to NMI_NONE, which will prevent check_nmi_watchdog() from claiming that all CPUs are stuck. e.g.: (XEN) alt table ffff82d040697c38 -> ffff82d0406a97f0 (XEN) Failed to configure NMI watchdog (XEN) Brought up 512 CPUs (XEN) Scheduling granularity: cpu, 1 CPU per sched-resource Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: f658321374687c7339235e1ac643e0427acff717 master date: 2024-03-19 18:29:37 +0000 --- xen/arch/x86/nmi.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index dc79c25e3f..ac4e7c9bdf 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -324,8 +324,6 @@ static void setup_p6_watchdog(unsigned counter) { unsigned int evntsel; - nmi_perfctr_msr = MSR_P6_PERFCTR(0); - if ( !nmi_p6_event_width && current_cpu_data.cpuid_level >= 0xa ) nmi_p6_event_width = MASK_EXTR(cpuid_eax(0xa), P6_EVENT_WIDTH_MASK); if ( !nmi_p6_event_width ) @@ -335,6 +333,8 @@ static void setup_p6_watchdog(unsigned counter) nmi_p6_event_width > BITS_PER_LONG ) return; + nmi_perfctr_msr = MSR_P6_PERFCTR(0); + clear_msr_range(MSR_P6_EVNTSEL(0), 2); clear_msr_range(MSR_P6_PERFCTR(0), 2); @@ -350,13 +350,13 @@ static void setup_p6_watchdog(unsigned counter) wrmsr(MSR_P6_EVNTSEL(0), evntsel, 0); } -static int setup_p4_watchdog(void) +static void setup_p4_watchdog(void) { uint64_t misc_enable; rdmsrl(MSR_IA32_MISC_ENABLE, misc_enable); if (!(misc_enable & MSR_IA32_MISC_ENABLE_PERF_AVAIL)) - return 0; + return; nmi_perfctr_msr = MSR_P4_IQ_PERFCTR0; nmi_p4_cccr_val = P4_NMI_IQ_CCCR0; @@ -379,13 +379,12 @@ static int setup_p4_watchdog(void) clear_msr_range(0x3E0, 2); clear_msr_range(MSR_P4_BPU_CCCR0, 18); clear_msr_range(MSR_P4_BPU_PERFCTR0, 18); - + wrmsrl(MSR_P4_CRU_ESCR0, P4_NMI_CRU_ESCR0); wrmsrl(MSR_P4_IQ_CCCR0, P4_NMI_IQ_CCCR0 & ~P4_CCCR_ENABLE); write_watchdog_counter("P4_IQ_COUNTER0"); apic_write(APIC_LVTPC, APIC_DM_NMI); wrmsrl(MSR_P4_IQ_CCCR0, nmi_p4_cccr_val); - return 1; } void setup_apic_nmi_watchdog(void) @@ -400,8 +399,6 @@ void setup_apic_nmi_watchdog(void) case 0xf ... 0x19: setup_k7_watchdog(); break; - default: - return; } break; case X86_VENDOR_INTEL: @@ -412,14 +409,16 @@ void setup_apic_nmi_watchdog(void) : CORE_EVENT_CPU_CLOCKS_NOT_HALTED); break; case 15: - if (!setup_p4_watchdog()) - return; + setup_p4_watchdog(); break; - default: - return; } break; - default: + } + + if ( nmi_perfctr_msr == 0 ) + { + printk(XENLOG_WARNING "Failed to configure NMI watchdog\n"); + nmi_watchdog = NMI_NONE; return; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:33:36 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:33:36 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698449.1090099 (Exim 4.92) (envelope-from ) id 1rpRXE-0001jF-4V; Wed, 27 Mar 2024 11:33:36 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698449.1090099; Wed, 27 Mar 2024 11:33:36 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXE-0001j8-1r; Wed, 27 Mar 2024 11:33:36 +0000 Received: by outflank-mailman (input) for mailman id 698449; Wed, 27 Mar 2024 11:33:34 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXC-0001io-Bt for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:34 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXC-0004kX-B9 for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:34 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRXC-0006Ya-9b for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:34 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=JDA48nrVMAEZbPoy+pHeXnKCA7sXWQY5ahriC8/REJI=; b=aJUCAqy1GMjjCumNvgVo5jj6d0 +VUuSGiucQXdT6elSwDRDhbe03qpxBGjCW/WHZFW++3O+wpCgvsIfwlexqo8VZsdTdxoP38lb/DAp br19Fui3CAc8GJNpeyZOijVTssZAZ23L7f1qwmhfWhsjjVaisHuzHj3J0S/war6mA0FA=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] x86/PoD: tie together P2M update and increment of entry count Message-Id: Date: Wed, 27 Mar 2024 11:33:34 +0000 commit c9ea3b49a5d546a7c786dd0a0caec00c9c7f2633 Author: Jan Beulich AuthorDate: Wed Mar 27 12:21:24 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:21:24 2024 +0100 x86/PoD: tie together P2M update and increment of entry count When not holding the PoD lock across the entire region covering P2M update and stats update, the entry count - if to be incorrect at all - should indicate too large a value in preference to a too small one, to avoid functions bailing early when they find the count is zero. However, instead of moving the increment ahead (and adjust back upon failure), extend the PoD-locked region. Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer") Signed-off-by: Jan Beulich Reviewed-by: George Dunlap master commit: cc950c49ae6a6690f7fc3041a1f43122c250d250 master date: 2024-03-21 09:48:10 +0100 --- xen/arch/x86/mm/p2m-pod.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index 9be67b63ce..40a4be8315 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -1359,19 +1359,28 @@ mark_populate_on_demand(struct domain *d, unsigned long gfn_l, } } + /* + * P2M update and stats increment need to collectively be under PoD lock, + * to prevent code elsewhere observing PoD entry count being zero despite + * there actually still being PoD entries (created by the p2m_set_entry() + * invocation below). + */ + pod_lock(p2m); + /* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_populate_on_demand, p2m->default_access); if ( rc == 0 ) { - pod_lock(p2m); p2m->pod.entry_count += 1UL << order; p2m->pod.entry_count -= pod_count; BUG_ON(p2m->pod.entry_count < 0); - pod_unlock(p2m); + } + + pod_unlock(p2m); + if ( rc == 0 ) ioreq_request_mapcache_invalidate(d); - } else if ( order ) { /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:33:46 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:33:46 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698450.1090103 (Exim 4.92) (envelope-from ) id 1rpRXO-0001mf-67; Wed, 27 Mar 2024 11:33:46 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698450.1090103; Wed, 27 Mar 2024 11:33:46 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXO-0001mW-3R; Wed, 27 Mar 2024 11:33:46 +0000 Received: by outflank-mailman (input) for mailman id 698450; Wed, 27 Mar 2024 11:33:44 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXM-0001mN-OQ for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:44 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXM-0004ke-Nk for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:44 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRXM-0006Zq-Mx for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:44 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=DGTO3zxaTTpUNi4z3Qa953NtwW7XEiBMEZxppWytB5A=; b=HAqbIN9ksyQfiFnaNPoWcMj0Jg dIk/O6iGg1n+gPCLxtuuRcquBN97g4nItBzH4AdPaPA+3ZXfF3j9GpYxmCp93vDPkriR2HczYEoqp 1lTf+1t0bpz7wnIIoT8Bgtkz9aoA1iCojHVYzXlBwoPhlySLYwkuxx0HuRbisTB9EK2A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] tools: ipxe: update for fixing build with GCC12 Message-Id: Date: Wed, 27 Mar 2024 11:33:44 +0000 commit a01c0b0f9691a8350e74938329892f949669119e Author: Olaf Hering AuthorDate: Wed Mar 27 12:27:03 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:27:03 2024 +0100 tools: ipxe: update for fixing build with GCC12 Use a snapshot which includes commit b0ded89e917b48b73097d3b8b88dfa3afb264ed0 ("[build] Disable dangling pointer checking for GCC"), which fixes build with gcc12. Signed-off-by: Olaf Hering Acked-by: Andrew Cooper master commit: 18a36b4a9b088875486cfe33a2d4a8ae7eb4ab47 master date: 2023-04-25 23:47:45 +0100 --- tools/firmware/etherboot/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile index 4bc3633ba3..7a56fe8014 100644 --- a/tools/firmware/etherboot/Makefile +++ b/tools/firmware/etherboot/Makefile @@ -11,7 +11,7 @@ IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git endif # put an updated tar.gz on xenbits after changes to this variable -IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb +IPXE_GIT_TAG := 1d1cf74a5e58811822bee4b3da3cff7282fcdfca IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:33:56 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:33:56 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698451.1090107 (Exim 4.92) (envelope-from ) id 1rpRXY-0001p1-7H; Wed, 27 Mar 2024 11:33:56 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698451.1090107; Wed, 27 Mar 2024 11:33:56 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXY-0001ou-4p; Wed, 27 Mar 2024 11:33:56 +0000 Received: by outflank-mailman (input) for mailman id 698451; Wed, 27 Mar 2024 11:33:54 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXW-0001oj-TF for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:54 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXW-0004kl-Qi for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:54 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRXW-0006aL-Pv for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:33:54 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=GblemMYDAc79ZrmFvWIZk5tH2g9HYSAYoZMkPSivEM8=; b=5C/JPuZtkRDfNol8YGlL9AI0wI I8ckOz98od57wAf2lM5LZL7rxAbwfq0VO3Kb9QER3Gd/iwX/nh25RCVFZmqj0zYPjMHjx6QKdZA/C FuAFfBEXlc0v+sS8YAIGlFV2L8jgCOsGyQqcw580vndkCxyDn1O4CCW74EZDsBrqUhWI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/mm: use block_lock_speculation() in _mm_write_lock() Message-Id: Date: Wed, 27 Mar 2024 11:33:54 +0000 commit a153b8b42e9027ba3057bc7c8bf55e4d71e86ec3 Author: Jan Beulich AuthorDate: Wed Mar 27 12:28:24 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:28:24 2024 +0100 x86/mm: use block_lock_speculation() in _mm_write_lock() I can only guess that using block_speculation() there was a leftover from, earlier on, SPECULATIVE_HARDEN_LOCK depending on SPECULATIVE_HARDEN_BRANCH. Fixes: 197ecd838a2a ("locking: attempt to ensure lock wrappers are always inline") Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper master commit: 62018f08708a5ff6ef8fc8ff2aaaac46e5a60430 master date: 2024-03-18 13:53:37 +0100 --- xen/arch/x86/mm/mm-locks.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 3ea2d8eb03..7d6e4d2a7c 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -150,7 +150,7 @@ static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, _set_lock_level(_lock_level(d, level)); } else - block_speculation(); + block_lock_speculation(); l->recurse_count++; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:34:06 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:34:06 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698452.1090111 (Exim 4.92) (envelope-from ) id 1rpRXi-0001rh-8w; Wed, 27 Mar 2024 11:34:06 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698452.1090111; Wed, 27 Mar 2024 11:34:06 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXi-0001rb-6I; Wed, 27 Mar 2024 11:34:06 +0000 Received: by outflank-mailman (input) for mailman id 698452; Wed, 27 Mar 2024 11:34:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXg-0001rP-U3 for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:34:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXg-0004l5-TN for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:34:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRXg-0006bX-Sh for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:34:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=8bmKlstVPqgopDqqvHu3hLEras0C4wJxOEeRJ3beP8w=; b=a15rzjzAl4qDwOnxYSlJGE3Zp8 xtFzMm3GRxJQCWZXdIAEaMioEwjSI8Wz80tuRUboj9RQpllyOrb7j5WgW0IZgWifmge3FmSm+GDL7 3WGki+RYZUumf0WPmV13imItbsJ9L4Jd7cfEJ8YSKkhg+d+Ijec0RUG9JMhYkOSbWfS4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Message-Id: Date: Wed, 27 Mar 2024 11:34:04 +0000 commit 471b53c6a092940f3629990d9ca946aa22bd8535 Author: Andrew Cooper AuthorDate: Wed Mar 27 12:29:11 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:29:11 2024 +0100 x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Right now, if the user requests the watchdog on the command line, setup_apic_nmi_watchdog() will blindly assume that setting up the watchdog worked. Reuse nmi_perfctr_msr to identify when the watchdog has been configured. Rearrange setup_p6_watchdog() to not set nmi_perfctr_msr until the sanity checks are complete. Turn setup_p4_watchdog() into a void function, matching the others. If the watchdog isn't set up, inform the user and override to NMI_NONE, which will prevent check_nmi_watchdog() from claiming that all CPUs are stuck. e.g.: (XEN) alt table ffff82d040697c38 -> ffff82d0406a97f0 (XEN) Failed to configure NMI watchdog (XEN) Brought up 512 CPUs (XEN) Scheduling granularity: cpu, 1 CPU per sched-resource Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: f658321374687c7339235e1ac643e0427acff717 master date: 2024-03-19 18:29:37 +0000 --- xen/arch/x86/nmi.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index 7656023748..7c9591b65e 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -323,8 +323,6 @@ static void setup_p6_watchdog(unsigned counter) { unsigned int evntsel; - nmi_perfctr_msr = MSR_P6_PERFCTR(0); - if ( !nmi_p6_event_width && current_cpu_data.cpuid_level >= 0xa ) nmi_p6_event_width = MASK_EXTR(cpuid_eax(0xa), P6_EVENT_WIDTH_MASK); if ( !nmi_p6_event_width ) @@ -334,6 +332,8 @@ static void setup_p6_watchdog(unsigned counter) nmi_p6_event_width > BITS_PER_LONG ) return; + nmi_perfctr_msr = MSR_P6_PERFCTR(0); + clear_msr_range(MSR_P6_EVNTSEL(0), 2); clear_msr_range(MSR_P6_PERFCTR(0), 2); @@ -349,13 +349,13 @@ static void setup_p6_watchdog(unsigned counter) wrmsr(MSR_P6_EVNTSEL(0), evntsel, 0); } -static int setup_p4_watchdog(void) +static void setup_p4_watchdog(void) { uint64_t misc_enable; rdmsrl(MSR_IA32_MISC_ENABLE, misc_enable); if (!(misc_enable & MSR_IA32_MISC_ENABLE_PERF_AVAIL)) - return 0; + return; nmi_perfctr_msr = MSR_P4_IQ_PERFCTR0; nmi_p4_cccr_val = P4_NMI_IQ_CCCR0; @@ -378,13 +378,12 @@ static int setup_p4_watchdog(void) clear_msr_range(0x3E0, 2); clear_msr_range(MSR_P4_BPU_CCCR0, 18); clear_msr_range(MSR_P4_BPU_PERFCTR0, 18); - + wrmsrl(MSR_P4_CRU_ESCR0, P4_NMI_CRU_ESCR0); wrmsrl(MSR_P4_IQ_CCCR0, P4_NMI_IQ_CCCR0 & ~P4_CCCR_ENABLE); write_watchdog_counter("P4_IQ_COUNTER0"); apic_write(APIC_LVTPC, APIC_DM_NMI); wrmsrl(MSR_P4_IQ_CCCR0, nmi_p4_cccr_val); - return 1; } void setup_apic_nmi_watchdog(void) @@ -399,8 +398,6 @@ void setup_apic_nmi_watchdog(void) case 0xf ... 0x19: setup_k7_watchdog(); break; - default: - return; } break; case X86_VENDOR_INTEL: @@ -411,14 +408,16 @@ void setup_apic_nmi_watchdog(void) : CORE_EVENT_CPU_CLOCKS_NOT_HALTED); break; case 15: - if (!setup_p4_watchdog()) - return; + setup_p4_watchdog(); break; - default: - return; } break; - default: + } + + if ( nmi_perfctr_msr == 0 ) + { + printk(XENLOG_WARNING "Failed to configure NMI watchdog\n"); + nmi_watchdog = NMI_NONE; return; } -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:34:16 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:34:16 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698453.1090115 (Exim 4.92) (envelope-from ) id 1rpRXs-0001u9-AH; Wed, 27 Mar 2024 11:34:16 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698453.1090115; Wed, 27 Mar 2024 11:34:16 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXs-0001u1-7j; Wed, 27 Mar 2024 11:34:16 +0000 Received: by outflank-mailman (input) for mailman id 698453; Wed, 27 Mar 2024 11:34:15 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXr-0001tm-0j for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:34:15 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRXr-0004lY-00 for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:34:15 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRXq-0006ca-VR for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:34:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=VWYW/7pomOKzsFyp0zOLUn35eWa7SNnXPlFehiuycfM=; b=MoSLxjBMhr83Q/Ar/02wvALtp3 uzdQhWoxaLQ2yD6rJaVyaqfHhQMd/HXzSqNquLd1d3TX2wCIt/xAd4OhBc4vz/OP0NFYHLCDePHIU eXUgZu2Z/bAogiSStxfc9B4JpX2NQeyQVUqM6gptPVjndaWOc8yVPqvhr1rkroD+OjSM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] x86/PoD: tie together P2M update and increment of entry count Message-Id: Date: Wed, 27 Mar 2024 11:34:14 +0000 commit bfb69205376d94ff91b09a337c47fb665ee12da3 Author: Jan Beulich AuthorDate: Wed Mar 27 12:29:33 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:29:33 2024 +0100 x86/PoD: tie together P2M update and increment of entry count When not holding the PoD lock across the entire region covering P2M update and stats update, the entry count - if to be incorrect at all - should indicate too large a value in preference to a too small one, to avoid functions bailing early when they find the count is zero. However, instead of moving the increment ahead (and adjust back upon failure), extend the PoD-locked region. Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer") Signed-off-by: Jan Beulich Reviewed-by: George Dunlap master commit: cc950c49ae6a6690f7fc3041a1f43122c250d250 master date: 2024-03-21 09:48:10 +0100 --- xen/arch/x86/mm/p2m-pod.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index 99dbcb3101..e903db9d93 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -1370,19 +1370,28 @@ mark_populate_on_demand(struct domain *d, unsigned long gfn_l, } } + /* + * P2M update and stats increment need to collectively be under PoD lock, + * to prevent code elsewhere observing PoD entry count being zero despite + * there actually still being PoD entries (created by the p2m_set_entry() + * invocation below). + */ + pod_lock(p2m); + /* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_populate_on_demand, p2m->default_access); if ( rc == 0 ) { - pod_lock(p2m); p2m->pod.entry_count += 1UL << order; p2m->pod.entry_count -= pod_count; BUG_ON(p2m->pod.entry_count < 0); - pod_unlock(p2m); + } + + pod_unlock(p2m); + if ( rc == 0 ) ioreq_request_mapcache_invalidate(d); - } else if ( order ) { /* -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:55:08 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:55:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698476.1090181 (Exim 4.92) (envelope-from ) id 1rpRs1-0000Ns-9m; Wed, 27 Mar 2024 11:55:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698476.1090181; Wed, 27 Mar 2024 11:55:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRs1-0000Nd-69; Wed, 27 Mar 2024 11:55:05 +0000 Received: by outflank-mailman (input) for mailman id 698476; Wed, 27 Mar 2024 11:55:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRrz-0000NV-VI for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:55:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRrz-00057W-OF for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:55:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRrz-0007rf-Jn for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:55:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WW0sBq17XSpX/TK2ovaazylgrQefGYT/Pj5Vr18WWu8=; b=HhBdbir8SKYGwUN72UgLzDcbum TKCasUCtD6T9y/QTuH1D5jBUiab7JgLyE9dRJrZvbb3+X14Pkv2aqYDC/bBlczVQT+PD3IlD8pJpQ CvIG/FEuKlx3swoA96dMuGLeXdXc+JpGmshbU7jR6mJHztFRhrYTyiKiH/AoDHlTSNEg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86: Move SVM features exposed to guest into hvm_max_cpu_policy Message-Id: Date: Wed, 27 Mar 2024 11:55:03 +0000 commit 4f8b0e94d7ca941876760abe29b31e17e3f593ce Author: George Dunlap AuthorDate: Mon Feb 26 16:10:07 2024 +0000 Commit: George Dunlap CommitDate: Wed Mar 27 11:44:52 2024 +0000 x86: Move SVM features exposed to guest into hvm_max_cpu_policy Currently (nested) SVM features we're willing to expose to the guest are defined in calculate_host_policy, and stored in host_cpu_policy. This is the wrong place for this; move it into calculate_hvm_max_policy(), and store it in hvm_max_cpu_policy. Signed-off-by: George Dunlap Reviewed-by: Jan Beulich --- xen/arch/x86/cpu-policy.c | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 2acc27632f..bd047456eb 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -398,19 +398,6 @@ static void __init calculate_host_policy(void) if ( vpmu_mode == XENPMU_MODE_OFF ) p->basic.raw[0xa] = EMPTY_LEAF; - if ( p->extd.svm ) - { - /* Clamp to implemented features which require hardware support. */ - p->extd.raw[0xa].d &= ((1u << SVM_FEATURE_NPT) | - (1u << SVM_FEATURE_LBRV) | - (1u << SVM_FEATURE_NRIPS) | - (1u << SVM_FEATURE_PAUSEFILTER) | - (1u << SVM_FEATURE_DECODEASSISTS)); - /* Enable features which are always emulated. */ - p->extd.raw[0xa].d |= ((1u << SVM_FEATURE_VMCBCLEAN) | - (1u << SVM_FEATURE_TSCRATEMSR)); - } - /* 0x000000ce MSR_INTEL_PLATFORM_INFO */ /* probe_cpuid_faulting() sanity checks presence of MISC_FEATURES_ENABLES */ p->platform_info.cpuid_faulting = cpu_has_cpuid_faulting; @@ -741,6 +728,23 @@ static void __init calculate_hvm_max_policy(void) if ( !cpu_has_vmx ) __clear_bit(X86_FEATURE_PKS, fs); + /* + * Make adjustments to possible (nested) virtualization features exposed + * to the guest + */ + if ( p->extd.svm ) + { + /* Clamp to implemented features which require hardware support. */ + p->extd.raw[0xa].d &= ((1u << SVM_FEATURE_NPT) | + (1u << SVM_FEATURE_LBRV) | + (1u << SVM_FEATURE_NRIPS) | + (1u << SVM_FEATURE_PAUSEFILTER) | + (1u << SVM_FEATURE_DECODEASSISTS)); + /* Enable features which are always emulated. */ + p->extd.raw[0xa].d |= ((1u << SVM_FEATURE_VMCBCLEAN) | + (1u << SVM_FEATURE_TSCRATEMSR)); + } + guest_common_max_feature_adjustments(fs); guest_common_feature_adjustments(fs); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 11:55:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 11:55:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698477.1090184 (Exim 4.92) (envelope-from ) id 1rpRsB-0000RF-CV; Wed, 27 Mar 2024 11:55:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698477.1090184; Wed, 27 Mar 2024 11:55:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRsB-0000R5-9d; Wed, 27 Mar 2024 11:55:15 +0000 Received: by outflank-mailman (input) for mailman id 698477; Wed, 27 Mar 2024 11:55:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRs9-0000Qj-SD for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:55:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpRs9-00057u-RQ for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:55:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpRs9-0007sM-QX for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 11:55:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=zZh1g5EpJCF90JCj9mWkNNF7+5u3JfCnrWax8HBNO0E=; b=gvEmiU3gRLGZmzn8gGmYe5rjW2 1b63X5yod2fCfaMJTCujLGeqk7hJXue99SjDXk9pxz+SAGsmoKqN52Por2465ARAE4og4yiy+c0f1 j+xOf5Y8UFT5nNjKBI1a+C8nUwzNug9NwZlePHVk4BVqqrxGan8DJc1t3EoZ7mbMd3TY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] nestedsvm: Disable TscRateMSR Message-Id: Date: Wed, 27 Mar 2024 11:55:13 +0000 commit 0cd50753eb40ca5f00ea1ced9f80ce5f478e560c Author: George Dunlap AuthorDate: Fri Jan 19 09:27:54 2024 +0000 Commit: George Dunlap CommitDate: Wed Mar 27 11:44:52 2024 +0000 nestedsvm: Disable TscRateMSR The primary purpose of TSC scaling, from our perspective, is to maintain the fiction of an "invariant TSC" across migrates between platforms with different clock speeds. On AMD, the TscRateMSR CPUID bit is unconditionally enabled in the "host cpuid", even if the hardware doesn't actually support it. According to c/s fd14a1943c4 ("nestedsvm: Support TSC Rate MSR"), testing showed that emulating TSC scaling in an L1 was more expensive than emulating TSC scaling on an L0 (due to extra sets of vmexit / vmenter). However, the current implementation seems to be broken. First of all, the final L2 scaling ratio should be a composition of the L0 scaling ratio and the L1 scaling ratio; there's no indication this is being done anywhere. Secondly, it's not clear that the L1 tsc scaling ratio actually affects the L0 tsc scaling ratio. The stored value (ns_tscratio) is used to affect the tsc *offset*, but doesn't seem to actually be factored into d->hvm.tsc_scaling_ratio. (Which shouldn't be per-domain anyway, but per-vcpu.) Having the *offset* scaled according to the nested scaling without the actual RDTSC itself also being scaled has got to produce inconsistent results. For now, just disable the functionality entirely until we can implement it properly: - Don't set TSCRATEMSR in the HVM max CPUID policy - Remove MSR_AMD64_TSC_RATIO emulation handling, so that the guest guests a #GP if it tries to access them (as it should when TSCRATEMSR is clear) - Remove ns_tscratio from struct nestedhvm, and all code that touches it Unfortunately this means ripping out the scaling calculation stuff as well, since it's only used in the nested case; it's there in the git tree if we need it for reference when we re-introduce it. Signed-off-by: George Dunlap Acked-by: Jan Beulich --- xen/arch/x86/cpu-policy.c | 3 +- xen/arch/x86/hvm/svm/nestedsvm.c | 2 - xen/arch/x86/hvm/svm/svm.c | 57 ---------------------------- xen/arch/x86/include/asm/hvm/svm/nestedsvm.h | 5 --- 4 files changed, 1 insertion(+), 66 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index bd047456eb..5952ff20e6 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -741,8 +741,7 @@ static void __init calculate_hvm_max_policy(void) (1u << SVM_FEATURE_PAUSEFILTER) | (1u << SVM_FEATURE_DECODEASSISTS)); /* Enable features which are always emulated. */ - p->extd.raw[0xa].d |= ((1u << SVM_FEATURE_VMCBCLEAN) | - (1u << SVM_FEATURE_TSCRATEMSR)); + p->extd.raw[0xa].d |= (1u << SVM_FEATURE_VMCBCLEAN); } guest_common_max_feature_adjustments(fs); diff --git a/xen/arch/x86/hvm/svm/nestedsvm.c b/xen/arch/x86/hvm/svm/nestedsvm.c index a8d5f4ee95..b50bfe6a28 100644 --- a/xen/arch/x86/hvm/svm/nestedsvm.c +++ b/xen/arch/x86/hvm/svm/nestedsvm.c @@ -146,8 +146,6 @@ int cf_check nsvm_vcpu_reset(struct vcpu *v) svm->ns_msr_hsavepa = INVALID_PADDR; svm->ns_ovvmcb_pa = INVALID_PADDR; - svm->ns_tscratio = DEFAULT_TSC_RATIO; - svm->ns_cr_intercepts = 0; svm->ns_dr_intercepts = 0; svm->ns_exception_intercepts = 0; diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index b1ab0b568b..6a47c5915c 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -777,43 +777,6 @@ static int cf_check svm_get_guest_pat(struct vcpu *v, u64 *gpat) return 1; } -static uint64_t scale_tsc(uint64_t host_tsc, uint64_t ratio) -{ - uint64_t mult, frac, scaled_host_tsc; - - if ( ratio == DEFAULT_TSC_RATIO ) - return host_tsc; - - /* - * Suppose the most significant 32 bits of host_tsc and ratio are - * tsc_h and mult, and the least 32 bits of them are tsc_l and frac, - * then - * host_tsc * ratio * 2^-32 - * = host_tsc * (mult * 2^32 + frac) * 2^-32 - * = host_tsc * mult + (tsc_h * 2^32 + tsc_l) * frac * 2^-32 - * = host_tsc * mult + tsc_h * frac + ((tsc_l * frac) >> 32) - * - * Multiplications in the last two terms are between 32-bit integers, - * so both of them can fit in 64-bit integers. - * - * Because mult is usually less than 10 in practice, it's very rare - * that host_tsc * mult can overflow a 64-bit integer. - */ - mult = ratio >> 32; - frac = ratio & ((1ULL << 32) - 1); - scaled_host_tsc = host_tsc * mult; - scaled_host_tsc += (host_tsc >> 32) * frac; - scaled_host_tsc += ((host_tsc & ((1ULL << 32) - 1)) * frac) >> 32; - - return scaled_host_tsc; -} - -static uint64_t svm_get_tsc_offset(uint64_t host_tsc, uint64_t guest_tsc, - uint64_t ratio) -{ - return guest_tsc - scale_tsc(host_tsc, ratio); -} - static void cf_check svm_set_tsc_offset(struct vcpu *v, u64 offset, u64 at_tsc) { struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb; @@ -832,18 +795,8 @@ static void cf_check svm_set_tsc_offset(struct vcpu *v, u64 offset, u64 at_tsc) if ( nestedhvm_vcpu_in_guestmode(v) ) { - struct nestedsvm *svm = &vcpu_nestedsvm(v); - n2_tsc_offset = vmcb_get_tsc_offset(n2vmcb) - vmcb_get_tsc_offset(n1vmcb); - if ( svm->ns_tscratio != DEFAULT_TSC_RATIO ) - { - uint64_t guest_tsc = hvm_get_guest_tsc_fixed(v, at_tsc); - - n2_tsc_offset = svm_get_tsc_offset(guest_tsc, - guest_tsc + n2_tsc_offset, - svm->ns_tscratio); - } vmcb_set_tsc_offset(n1vmcb, offset); } @@ -1921,10 +1874,6 @@ static int cf_check svm_msr_read_intercept( *msr_content = nsvm->ns_msr_hsavepa; break; - case MSR_AMD64_TSC_RATIO: - *msr_content = nsvm->ns_tscratio; - break; - case MSR_AMD_OSVW_ID_LENGTH: case MSR_AMD_OSVW_STATUS: if ( !d->arch.cpuid->extd.osvw ) @@ -2103,12 +2052,6 @@ static int cf_check svm_msr_write_intercept( goto gpf; break; - case MSR_AMD64_TSC_RATIO: - if ( msr_content & TSC_RATIO_RSVD_BITS ) - goto gpf; - nsvm->ns_tscratio = msr_content; - break; - case MSR_IA32_MCx_MISC(4): /* Threshold register */ case MSR_F10_MC4_MISC1 ... MSR_F10_MC4_MISC3: /* diff --git a/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h b/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h index 7767cd6080..205989e800 100644 --- a/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h +++ b/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h @@ -18,11 +18,6 @@ struct nestedsvm { */ uint64_t ns_ovvmcb_pa; - /* virtual tscratio holding the value l1 guest writes to the - * MSR_AMD64_TSC_RATIO MSR. - */ - uint64_t ns_tscratio; - /* Cached real intercepts of the l2 guest */ uint32_t ns_cr_intercepts; uint32_t ns_dr_intercepts; -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 16:11:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 16:11:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698641.1090588 (Exim 4.92) (envelope-from ) id 1rpVrl-000753-D1; Wed, 27 Mar 2024 16:11:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698641.1090588; Wed, 27 Mar 2024 16:11:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpVrl-00074v-AP; Wed, 27 Mar 2024 16:11:05 +0000 Received: by outflank-mailman (input) for mailman id 698641; Wed, 27 Mar 2024 16:11:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpVrj-00073J-Gw for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:11:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpVrj-0001wG-89 for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:11:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpVrj-00031C-6j for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:11:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=AfapWdCD1dmIFxqatug30EPTNBKKG/+yPFHfgxJfyjA=; b=PYBa3wXhF5ouoH+nKLsWaBiQC9 CO1KxqWRtbIiVY/fO1TkqixwFnPS0bmTl6sBVfjhZc3/+a+0b3+HQwdC49skVXNG89Wka5pot00Ar W2gTlPBYuLdb3eroyCL86u4TGgpBog6ufWgqz6n9Zq+c4Oy39pMF7xedItjfXoQd9Bv0=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] tools/oxenstored: Re-format Message-Id: Date: Wed, 27 Mar 2024 16:11:03 +0000 commit 8f85af65af76727692b9c2dea4f470f503432d2f Author: Andrew Cooper AuthorDate: Mon Feb 26 10:47:29 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:00:47 2024 +0000 tools/oxenstored: Re-format Rerun make format. Fixes: b6cf604207fd ("tools/oxenstored: Use Map instead of Hashtbl for quotas") Signed-off-by: Andrew Cooper Reviewed-by: Edwin Török --- tools/ocaml/xenstored/quota.ml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index 1f652040d8..082cd25f26 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -55,13 +55,13 @@ let _check quota id size = raise Data_too_big ); if id > 0 then - try - let entry = DomidMap.find id quota.cur in - if entry >= quota.maxent then ( - warn "domain %u cannot create entry: quota reached" id; - raise Limit_reached - ) - with Not_found -> () + try + let entry = DomidMap.find id quota.cur in + if entry >= quota.maxent then ( + warn "domain %u cannot create entry: quota reached" id; + raise Limit_reached + ) + with Not_found -> () let check quota id size = if !activate then @@ -88,4 +88,4 @@ let merge orig_quota mod_quota dest_quota = | diff -> update_entry dest id diff (* update with [x=x+diff] *) in {dest_quota with cur = DomidMap.fold fold_merge mod_quota.cur dest_quota.cur} - (* dest_quota = dest_quota + (mod_quota - orig_quota) *) +(* dest_quota = dest_quota + (mod_quota - orig_quota) *) -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 16:22:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 16:22:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698643.1090591 (Exim 4.92) (envelope-from ) id 1rpW2P-0000p9-60; Wed, 27 Mar 2024 16:22:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698643.1090591; Wed, 27 Mar 2024 16:22:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpW2P-0000p2-3X; Wed, 27 Mar 2024 16:22:05 +0000 Received: by outflank-mailman (input) for mailman id 698643; Wed, 27 Mar 2024 16:22:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpW2N-0000ou-Jv for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:22:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpW2N-0002M5-Hk for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:22:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpW2N-0003Yo-F2 for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:22:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=1cPG/bO4c+IYA+CzUR9srAv4Z310F+piXITnH5qIv6c=; b=vC8hihnF23RUWm61X5pdXWyFYJ n4Lnrbd3ta2156UxHunlc44pveTgLCubfO6q6b7Va5iRDQovd+mRIX1vMWqNFEkrxsdIdOHVU4PCx lQ7Hb2pOmy0KMqYHqNRjDspJ1M0Plxovc69Id6JXnnGQrFevl0RrDCFUktM4jl89xYv4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] tools/oxenstored: Use Map instead of Hashtbl for quotas Message-Id: Date: Wed, 27 Mar 2024 16:22:03 +0000 commit 3f3158fc3233acb96507503430330af27c4a979d Author: Edwin Török AuthorDate: Wed Jan 31 10:52:55 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:05:30 2024 +0000 tools/oxenstored: Use Map instead of Hashtbl for quotas On a stress test running 1000 VMs flamegraphs have shown that `oxenstored` spends a large amount of time in `Hashtbl.copy` and the GC. Hashtable complexity: * read/write: O(1) average * copy: O(domains) -- copying the entire table Map complexity: * read/write: O(log n) worst case * copy: O(1) -- a word copy We always perform at least one 'copy' when processing each xenstore packet (regardless whether it is a readonly operation or inside a transaction or not), so the actual complexity per packet is: * Hashtbl: O(domains) * Map: O(log domains) Maps are the clear winner, and a better fit for the immutable xenstore tree. Signed-off-by: Edwin Török Acked-by: Christian Lindig (cherry picked from commit b6cf604207fd0a04451a48f2ce6d05fb66c612ab) tools/oxenstored: Re-format Rerun make format. Fixes: b6cf604207fd ("tools/oxenstored: Use Map instead of Hashtbl for quotas") Signed-off-by: Andrew Cooper Reviewed-by: Edwin Török (cherry picked from commit 8f85af65af76727692b9c2dea4f470f503432d2f) --- tools/ocaml/xenstored/quota.ml | 73 ++++++++++++++++++++++-------------------- 1 file changed, 38 insertions(+), 35 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index 300d78a50b..27810b7567 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -23,66 +23,69 @@ let activate = ref true let maxent = ref (1000) let maxsize = ref (2048) +module Domid = struct + type t = Xenctrl.domid + let compare (a:t) (b:t) = compare a b +end + +module DomidMap = Map.Make(Domid) + type t = { maxent: int; (* max entities per domU *) maxsize: int; (* max size of data store in one node *) - cur: (Xenctrl.domid, int) Hashtbl.t; (* current domains quota *) + mutable cur: int DomidMap.t; (* current domains quota *) } let to_string quota domid = - if Hashtbl.mem quota.cur domid - then Printf.sprintf "dom%i quota: %i/%i" domid (Hashtbl.find quota.cur domid) quota.maxent - else Printf.sprintf "dom%i quota: not set" domid + try + Printf.sprintf "dom%i quota: %i/%i" domid (DomidMap.find domid quota.cur) quota.maxent + with Not_found -> + Printf.sprintf "dom%i quota: not set" domid let create () = - { maxent = !maxent; maxsize = !maxsize; cur = Hashtbl.create 100; } + { maxent = !maxent; maxsize = !maxsize; cur = DomidMap.empty; } -let copy quota = { quota with cur = (Hashtbl.copy quota.cur) } +let copy quota = { quota with cur = quota.cur } -let del quota id = Hashtbl.remove quota.cur id +let del quota id = { quota with cur = DomidMap.remove id quota.cur } let _check quota id size = if size > quota.maxsize then ( warn "domain %u err create entry: data too big %d" id size; raise Data_too_big ); - if id > 0 && Hashtbl.mem quota.cur id then - let entry = Hashtbl.find quota.cur id in - if entry >= quota.maxent then ( - warn "domain %u cannot create entry: quota reached" id; - raise Limit_reached - ) + if id > 0 then + try + let entry = DomidMap.find id quota.cur in + if entry >= quota.maxent then ( + warn "domain %u cannot create entry: quota reached" id; + raise Limit_reached + ) + with Not_found -> () let check quota id size = if !activate then _check quota id size -let get_entry quota id = Hashtbl.find quota.cur id +let find_or_zero quota_cur id = + try DomidMap.find id quota_cur with Not_found -> 0 -let set_entry quota id nb = - if nb = 0 - then Hashtbl.remove quota.cur id - else begin - if Hashtbl.mem quota.cur id then - Hashtbl.replace quota.cur id nb - else - Hashtbl.add quota.cur id nb - end +let update_entry quota_cur id diff = + let nb = diff + find_or_zero quota_cur id in + if nb = 0 then DomidMap.remove id quota_cur + else DomidMap.add id nb quota_cur let del_entry quota id = - try - let nb = get_entry quota id in - set_entry quota id (nb - 1) - with Not_found -> () + quota.cur <- update_entry quota.cur id (-1) let add_entry quota id = - let nb = try get_entry quota id with Not_found -> 0 in - set_entry quota id (nb + 1) - -let add quota diff = - Hashtbl.iter (fun id nb -> set_entry quota id (get_entry quota id + nb)) diff.cur + quota.cur <- update_entry quota.cur id (+1) let merge orig_quota mod_quota dest_quota = - Hashtbl.iter (fun id nb -> let diff = nb - (try get_entry orig_quota id with Not_found -> 0) in - if diff <> 0 then - set_entry dest_quota id ((try get_entry dest_quota id with Not_found -> 0) + diff)) mod_quota.cur + let fold_merge id nb dest = + match nb - find_or_zero orig_quota.cur id with + | 0 -> dest (* not modified *) + | diff -> update_entry dest id diff (* update with [x=x+diff] *) + in + dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur +(* dest_quota = dest_quota + (mod_quota - orig_quota) *) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 16:22:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 16:22:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698644.1090596 (Exim 4.92) (envelope-from ) id 1rpW2Z-0000r1-7e; Wed, 27 Mar 2024 16:22:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698644.1090596; Wed, 27 Mar 2024 16:22:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpW2Z-0000qu-53; Wed, 27 Mar 2024 16:22:15 +0000 Received: by outflank-mailman (input) for mailman id 698644; Wed, 27 Mar 2024 16:22:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpW2X-0000qi-Ok for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:22:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpW2X-0002Mf-LE for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:22:13 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpW2X-0003ai-Jw for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:22:13 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=JUfvWinHrR4CuXIK6T05TqdOPoK9WhY+DTZNkzMlsTw=; b=0xOyCZZvzRfgOPpX8vGQ5cv/3j /BTLdE/5ZO+dzIo+L3CrS5C+KlSyzgB3PFcpRNGziQwUMwFZ6zUhbHvR8KzpmJblCDssk9qob23GQ XtftMltvm1vDAr59xsyylY5PGI7CagMA3tiie870sPY4aqMlsEBYBm5r0u+hXv8v72A4=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.18] tools/oxenstored: Make Quota.t pure Message-Id: Date: Wed, 27 Mar 2024 16:22:13 +0000 commit 0a8b92d0a47797ec4d70c7fd7b05abbc135b51dc Author: Edwin Török AuthorDate: Wed Jan 31 10:52:56 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:06:20 2024 +0000 tools/oxenstored: Make Quota.t pure Now that we no longer have a hashtable inside we can make Quota.t pure, and push the mutable update to its callers. Store.t already had a mutable Quota.t field. No functional change. Signed-off-by: Edwin Török Acked-by: Christian Lindig (cherry picked from commit 098d868e52ac0165b7f36e22b767ea70cef70054) --- tools/ocaml/xenstored/quota.ml | 8 ++++---- tools/ocaml/xenstored/store.ml | 17 ++++++++++------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index 27810b7567..082cd25f26 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -33,7 +33,7 @@ module DomidMap = Map.Make(Domid) type t = { maxent: int; (* max entities per domU *) maxsize: int; (* max size of data store in one node *) - mutable cur: int DomidMap.t; (* current domains quota *) + cur: int DomidMap.t; (* current domains quota *) } let to_string quota domid = @@ -76,10 +76,10 @@ let update_entry quota_cur id diff = else DomidMap.add id nb quota_cur let del_entry quota id = - quota.cur <- update_entry quota.cur id (-1) + {quota with cur = update_entry quota.cur id (-1)} let add_entry quota id = - quota.cur <- update_entry quota.cur id (+1) + {quota with cur = update_entry quota.cur id (+1)} let merge orig_quota mod_quota dest_quota = let fold_merge id nb dest = @@ -87,5 +87,5 @@ let merge orig_quota mod_quota dest_quota = | 0 -> dest (* not modified *) | diff -> update_entry dest id diff (* update with [x=x+diff] *) in - dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur + {dest_quota with cur = DomidMap.fold fold_merge mod_quota.cur dest_quota.cur} (* dest_quota = dest_quota + (mod_quota - orig_quota) *) diff --git a/tools/ocaml/xenstored/store.ml b/tools/ocaml/xenstored/store.ml index 38a4945372..9b8dd2812d 100644 --- a/tools/ocaml/xenstored/store.ml +++ b/tools/ocaml/xenstored/store.ml @@ -85,7 +85,9 @@ module Node = struct raise Define.Permission_denied; end - let rec recurse fct node = fct node; SymbolMap.iter (fun _ -> recurse fct) node.children + let rec recurse fct node acc = + let acc = fct node acc in + SymbolMap.fold (fun _ -> recurse fct) node.children acc (** [recurse_filter_map f tree] applies [f] on each node in the tree recursively, possibly removing some nodes. @@ -408,7 +410,7 @@ let dump_buffer store = dump_store_buf store.root let set_node store path node orig_quota mod_quota = let root = Path.set_node store.root path node in store.root <- root; - Quota.merge orig_quota mod_quota store.quota + store.quota <- Quota.merge orig_quota mod_quota store.quota let write store perm path value = let node, existing = get_deepest_existing_node store path in @@ -422,7 +424,7 @@ let write store perm path value = let root, node_created = path_write store perm path value in store.root <- root; if node_created - then Quota.add_entry store.quota owner + then store.quota <- Quota.add_entry store.quota owner let mkdir store perm path = let node, existing = get_deepest_existing_node store path in @@ -431,7 +433,7 @@ let mkdir store perm path = if not (existing || (Perms.Connection.is_dom0 perm)) then Quota.check store.quota owner 0; store.root <- path_mkdir store perm path; if not existing then - Quota.add_entry store.quota owner + store.quota <- Quota.add_entry store.quota owner let rm store perm path = let rmed_node = Path.get_node store.root path in @@ -439,7 +441,7 @@ let rm store perm path = | None -> raise Define.Doesnt_exist | Some rmed_node -> store.root <- path_rm store perm path; - Node.recurse (fun node -> Quota.del_entry store.quota (Node.get_owner node)) rmed_node + store.quota <- Node.recurse (fun node quota -> Quota.del_entry quota (Node.get_owner node)) rmed_node store.quota let setperms store perm path nperms = match Path.get_node store.root path with @@ -450,8 +452,9 @@ let setperms store perm path nperms = if not ((old_owner = new_owner) || (Perms.Connection.is_dom0 perm)) then raise Define.Permission_denied; store.root <- path_setperms store perm path nperms; - Quota.del_entry store.quota old_owner; - Quota.add_entry store.quota new_owner + store.quota <- + let quota = Quota.del_entry store.quota old_owner in + Quota.add_entry quota new_owner let reset_permissions store domid = Logging.info "store|node" "Cleaning up xenstore ACLs for domid %d" domid; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.18 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 16:44:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 16:44:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698659.1090629 (Exim 4.92) (envelope-from ) id 1rpWNh-0005sp-Dg; Wed, 27 Mar 2024 16:44:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698659.1090629; Wed, 27 Mar 2024 16:44:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpWNh-0005si-BC; Wed, 27 Mar 2024 16:44:05 +0000 Received: by outflank-mailman (input) for mailman id 698659; Wed, 27 Mar 2024 16:44:04 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpWNg-0005sc-Ct for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:44:04 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpWNg-0002pk-4X for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:44:04 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpWNg-0004m8-1m for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:44:04 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=ym+90b4TRCFxdpzI/czj2+4CzA/jQdYP+qcUlIja6Ks=; b=U7hOjwkvOw2xivW3FCooleZavM 30Lc0xPyZoWlDzRYC2AgZyVJHAbcX0A1ir+x81JXpuQHRmep3/1zHBabDxjo2Zsjo0GtQEXXGOZ2N ZgKHHt7TlipT9TWMYh4CWky1A+u3qsoMsbgXvcuG9wv1g2TP/o7ErgaKaqGfnN1mGrws=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] tools/oxenstored: Use Map instead of Hashtbl for quotas Message-Id: Date: Wed, 27 Mar 2024 16:44:04 +0000 commit 7abd305607938b846da1a37dd1bda7bf7d47dba5 Author: Edwin Török AuthorDate: Wed Jan 31 10:52:55 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:23:10 2024 +0000 tools/oxenstored: Use Map instead of Hashtbl for quotas On a stress test running 1000 VMs flamegraphs have shown that `oxenstored` spends a large amount of time in `Hashtbl.copy` and the GC. Hashtable complexity: * read/write: O(1) average * copy: O(domains) -- copying the entire table Map complexity: * read/write: O(log n) worst case * copy: O(1) -- a word copy We always perform at least one 'copy' when processing each xenstore packet (regardless whether it is a readonly operation or inside a transaction or not), so the actual complexity per packet is: * Hashtbl: O(domains) * Map: O(log domains) Maps are the clear winner, and a better fit for the immutable xenstore tree. Signed-off-by: Edwin Török Acked-by: Christian Lindig (cherry picked from commit b6cf604207fd0a04451a48f2ce6d05fb66c612ab) --- tools/ocaml/xenstored/quota.ml | 65 ++++++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 31 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index 6e3d6401ae..ee8dd22581 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -23,66 +23,69 @@ let activate = ref true let maxent = ref (1000) let maxsize = ref (2048) +module Domid = struct + type t = Xenctrl.domid + let compare (a:t) (b:t) = compare a b +end + +module DomidMap = Map.Make(Domid) + type t = { maxent: int; (* max entities per domU *) maxsize: int; (* max size of data store in one node *) - cur: (Xenctrl.domid, int) Hashtbl.t; (* current domains quota *) + mutable cur: int DomidMap.t; (* current domains quota *) } let to_string quota domid = - if Hashtbl.mem quota.cur domid - then Printf.sprintf "dom%i quota: %i/%i" domid (Hashtbl.find quota.cur domid) quota.maxent - else Printf.sprintf "dom%i quota: not set" domid + try + Printf.sprintf "dom%i quota: %i/%i" domid (DomidMap.find domid quota.cur) quota.maxent + with Not_found -> + Printf.sprintf "dom%i quota: not set" domid let create () = - { maxent = !maxent; maxsize = !maxsize; cur = Hashtbl.create 100; } + { maxent = !maxent; maxsize = !maxsize; cur = DomidMap.empty; } -let copy quota = { quota with cur = (Hashtbl.copy quota.cur) } +let copy quota = { quota with cur = quota.cur } -let del quota id = Hashtbl.remove quota.cur id +let del quota id = { quota with cur = DomidMap.remove id quota.cur } let _check quota id size = if size > quota.maxsize then ( warn "domain %u err create entry: data too big %d" id size; raise Data_too_big ); - if id > 0 && Hashtbl.mem quota.cur id then - let entry = Hashtbl.find quota.cur id in + if id > 0 then + try + let entry = DomidMap.find id quota.cur in if entry >= quota.maxent then ( warn "domain %u cannot create entry: quota reached" id; raise Limit_reached ) + with Not_found -> () let check quota id size = if !activate then _check quota id size -let get_entry quota id = Hashtbl.find quota.cur id +let find_or_zero quota_cur id = + try DomidMap.find id quota_cur with Not_found -> 0 -let set_entry quota id nb = - if nb = 0 - then Hashtbl.remove quota.cur id - else begin - if Hashtbl.mem quota.cur id then - Hashtbl.replace quota.cur id nb - else - Hashtbl.add quota.cur id nb - end +let update_entry quota_cur id diff = + let nb = diff + find_or_zero quota_cur id in + if nb = 0 then DomidMap.remove id quota_cur + else DomidMap.add id nb quota_cur let del_entry quota id = - try - let nb = get_entry quota id in - set_entry quota id (nb - 1) - with Not_found -> () + quota.cur <- update_entry quota.cur id (-1) let add_entry quota id = - let nb = try get_entry quota id with Not_found -> 0 in - set_entry quota id (nb + 1) - -let add quota diff = - Hashtbl.iter (fun id nb -> set_entry quota id (get_entry quota id + nb)) diff.cur + quota.cur <- update_entry quota.cur id (+1) let merge orig_quota mod_quota dest_quota = - Hashtbl.iter (fun id nb -> let diff = nb - (try get_entry orig_quota id with Not_found -> 0) in - if diff <> 0 then - set_entry dest_quota id ((try get_entry dest_quota id with Not_found -> 0) + diff)) mod_quota.cur + let fold_merge id nb dest = + match nb - find_or_zero orig_quota.cur id with + | 0 -> dest (* not modified *) + | diff -> update_entry dest id diff (* update with [x=x+diff] *) + in + dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur + (* dest_quota = dest_quota + (mod_quota - orig_quota) *) -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Wed Mar 27 16:44:15 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Wed, 27 Mar 2024 16:44:15 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698660.1090633 (Exim 4.92) (envelope-from ) id 1rpWNr-0005ud-Fj; Wed, 27 Mar 2024 16:44:15 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698660.1090633; Wed, 27 Mar 2024 16:44:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpWNr-0005uW-DG; Wed, 27 Mar 2024 16:44:15 +0000 Received: by outflank-mailman (input) for mailman id 698660; Wed, 27 Mar 2024 16:44:14 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpWNq-0005uK-8K for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:44:14 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpWNq-0002qD-7T for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:44:14 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpWNq-0004n1-6b for xen-changelog@lists.xenproject.org; Wed, 27 Mar 2024 16:44:14 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=I63Hyo2Zu7zJhb/l5a/2JjZYy1wVjTJgdiG0uoOGdqU=; b=krrNYEYwi/dMQFsDsIX/dRHGIi d++6raeItwjsE+ZUSPTTAF1NKFS9MiuI+qLJQ3EM5C5VkZh9m/pLVwRoSGwU/eVpQ0mdVSsnXi/Xu L4IaC1C3XnRBVXOkfaVIaGf4RYT/d8OZvbg2ODGcR0fGlkTSKa6ET0pzTCH4B1iLcaB8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging-4.17] tools/oxenstored: Make Quota.t pure Message-Id: Date: Wed, 27 Mar 2024 16:44:14 +0000 commit f38a815a54000ca51ff5165b2863d60b6bbea49c Author: Edwin Török AuthorDate: Wed Jan 31 10:52:56 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:25:43 2024 +0000 tools/oxenstored: Make Quota.t pure Now that we no longer have a hashtable inside we can make Quota.t pure, and push the mutable update to its callers. Store.t already had a mutable Quota.t field. No functional change. Signed-off-by: Edwin Török Acked-by: Christian Lindig (cherry picked from commit 098d868e52ac0165b7f36e22b767ea70cef70054) --- tools/ocaml/xenstored/quota.ml | 8 ++++---- tools/ocaml/xenstored/store.ml | 17 ++++++++++------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index ee8dd22581..b3ab678c72 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -33,7 +33,7 @@ module DomidMap = Map.Make(Domid) type t = { maxent: int; (* max entities per domU *) maxsize: int; (* max size of data store in one node *) - mutable cur: int DomidMap.t; (* current domains quota *) + cur: int DomidMap.t; (* current domains quota *) } let to_string quota domid = @@ -76,10 +76,10 @@ let update_entry quota_cur id diff = else DomidMap.add id nb quota_cur let del_entry quota id = - quota.cur <- update_entry quota.cur id (-1) + {quota with cur = update_entry quota.cur id (-1)} let add_entry quota id = - quota.cur <- update_entry quota.cur id (+1) + {quota with cur = update_entry quota.cur id (+1)} let merge orig_quota mod_quota dest_quota = let fold_merge id nb dest = @@ -87,5 +87,5 @@ let merge orig_quota mod_quota dest_quota = | 0 -> dest (* not modified *) | diff -> update_entry dest id diff (* update with [x=x+diff] *) in - dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur + {dest_quota with cur = DomidMap.fold fold_merge mod_quota.cur dest_quota.cur} (* dest_quota = dest_quota + (mod_quota - orig_quota) *) diff --git a/tools/ocaml/xenstored/store.ml b/tools/ocaml/xenstored/store.ml index c94dbf3a62..5dd965db15 100644 --- a/tools/ocaml/xenstored/store.ml +++ b/tools/ocaml/xenstored/store.ml @@ -85,7 +85,9 @@ let check_owner node connection = raise Define.Permission_denied; end -let rec recurse fct node = fct node; SymbolMap.iter (fun _ -> recurse fct) node.children +let rec recurse fct node acc = + let acc = fct node acc in + SymbolMap.fold (fun _ -> recurse fct) node.children acc (** [recurse_filter_map f tree] applies [f] on each node in the tree recursively, possibly removing some nodes. @@ -408,7 +410,7 @@ let dump_buffer store = dump_store_buf store.root let set_node store path node orig_quota mod_quota = let root = Path.set_node store.root path node in store.root <- root; - Quota.merge orig_quota mod_quota store.quota + store.quota <- Quota.merge orig_quota mod_quota store.quota let write store perm path value = let node, existing = get_deepest_existing_node store path in @@ -422,7 +424,7 @@ let write store perm path value = let root, node_created = path_write store perm path value in store.root <- root; if node_created - then Quota.add_entry store.quota owner + then store.quota <- Quota.add_entry store.quota owner let mkdir store perm path = let node, existing = get_deepest_existing_node store path in @@ -431,7 +433,7 @@ let mkdir store perm path = if not (existing || (Perms.Connection.is_dom0 perm)) then Quota.check store.quota owner 0; store.root <- path_mkdir store perm path; if not existing then - Quota.add_entry store.quota owner + store.quota <- Quota.add_entry store.quota owner let rm store perm path = let rmed_node = Path.get_node store.root path in @@ -439,7 +441,7 @@ let rm store perm path = | None -> raise Define.Doesnt_exist | Some rmed_node -> store.root <- path_rm store perm path; - Node.recurse (fun node -> Quota.del_entry store.quota (Node.get_owner node)) rmed_node + store.quota <- Node.recurse (fun node quota -> Quota.del_entry quota (Node.get_owner node)) rmed_node store.quota let setperms store perm path nperms = match Path.get_node store.root path with @@ -450,8 +452,9 @@ let setperms store perm path nperms = if not ((old_owner = new_owner) || (Perms.Connection.is_dom0 perm)) then raise Define.Permission_denied; store.root <- path_setperms store perm path nperms; - Quota.del_entry store.quota old_owner; - Quota.add_entry store.quota new_owner + store.quota <- + let quota = Quota.del_entry store.quota old_owner in + Quota.add_entry quota new_owner let reset_permissions store domid = Logging.info "store|node" "Cleaning up xenstore ACLs for domid %d" domid; -- generated by git-patchbot for /home/xen/git/xen.git#staging-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 10:55:08 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 10:55:08 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698892.1091124 (Exim 4.92) (envelope-from ) id 1rpnPT-0005MZ-1b; Thu, 28 Mar 2024 10:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698892.1091124; Thu, 28 Mar 2024 10:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPS-0005MR-VD; Thu, 28 Mar 2024 10:55:02 +0000 Received: by outflank-mailman (input) for mailman id 698892; Thu, 28 Mar 2024 10:55:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPS-0005MJ-5l for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPS-0007Y9-0P for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpnPR-0000rG-Tf for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=fxWCPv8BwKSCt3sB0U/mFJtvuQDnLWVQsmcwctWpeow=; b=pUN2Msuy2Ap8rhyKoqqCs6o/PB NXRfKOtyWustc1KbpzRut3QjgYnFKJ2m70FrnFRL4F46nBy4uc395kh2CWp9V/8E0PZAl/FKzoe6t n5pYf7VTQ6U7rM0/sCkRDEMZvYGdaHRbZ9xr0fn4CnhJuTmHPmgVWQSo9Yo5RCCO2Ouc=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] tools: ipxe: update for fixing build with GCC12 Message-Id: Date: Thu, 28 Mar 2024 10:55:01 +0000 commit a01c0b0f9691a8350e74938329892f949669119e Author: Olaf Hering AuthorDate: Wed Mar 27 12:27:03 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:27:03 2024 +0100 tools: ipxe: update for fixing build with GCC12 Use a snapshot which includes commit b0ded89e917b48b73097d3b8b88dfa3afb264ed0 ("[build] Disable dangling pointer checking for GCC"), which fixes build with gcc12. Signed-off-by: Olaf Hering Acked-by: Andrew Cooper master commit: 18a36b4a9b088875486cfe33a2d4a8ae7eb4ab47 master date: 2023-04-25 23:47:45 +0100 --- tools/firmware/etherboot/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/firmware/etherboot/Makefile b/tools/firmware/etherboot/Makefile index 4bc3633ba3..7a56fe8014 100644 --- a/tools/firmware/etherboot/Makefile +++ b/tools/firmware/etherboot/Makefile @@ -11,7 +11,7 @@ IPXE_GIT_URL ?= git://git.ipxe.org/ipxe.git endif # put an updated tar.gz on xenbits after changes to this variable -IPXE_GIT_TAG := 3c040ad387099483102708bb1839110bc788cefb +IPXE_GIT_TAG := 1d1cf74a5e58811822bee4b3da3cff7282fcdfca IPXE_TARBALL_URL ?= $(XEN_EXTFILES_URL)/ipxe-git-$(IPXE_GIT_TAG).tar.gz -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 10:55:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 10:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698893.1091127 (Exim 4.92) (envelope-from ) id 1rpnPd-0005OO-3E; Thu, 28 Mar 2024 10:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698893.1091127; Thu, 28 Mar 2024 10:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPd-0005OH-0M; Thu, 28 Mar 2024 10:55:13 +0000 Received: by outflank-mailman (input) for mailman id 698893; Thu, 28 Mar 2024 10:55:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPc-0005O9-64 for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPc-0007YJ-3Z for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpnPc-0000rj-2d for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=rb2GG9KiFIfPXy4fOsf0u70F30QOKodpChcfOnC/6Dk=; b=5nky8BFJkUEAxXh+9WvHjM6Zyy Vp88jO9zTH1W/I3PDVbIY5M1sGXVhELVEcp5bWtbhk4f+G6c9YgOp8VPKRPgV+J5eeSWI+92ysmJs wYTiEJYNwOwjOTJBctntRshFKasjIN4Dve98DF21LQ8a4hz95j4gwxImnDscftOaMT1I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/mm: use block_lock_speculation() in _mm_write_lock() Message-Id: Date: Thu, 28 Mar 2024 10:55:12 +0000 commit a153b8b42e9027ba3057bc7c8bf55e4d71e86ec3 Author: Jan Beulich AuthorDate: Wed Mar 27 12:28:24 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:28:24 2024 +0100 x86/mm: use block_lock_speculation() in _mm_write_lock() I can only guess that using block_speculation() there was a leftover from, earlier on, SPECULATIVE_HARDEN_LOCK depending on SPECULATIVE_HARDEN_BRANCH. Fixes: 197ecd838a2a ("locking: attempt to ensure lock wrappers are always inline") Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper master commit: 62018f08708a5ff6ef8fc8ff2aaaac46e5a60430 master date: 2024-03-18 13:53:37 +0100 --- xen/arch/x86/mm/mm-locks.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index 3ea2d8eb03..7d6e4d2a7c 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -150,7 +150,7 @@ static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, _set_lock_level(_lock_level(d, level)); } else - block_speculation(); + block_lock_speculation(); l->recurse_count++; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 10:55:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 10:55:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698894.1091131 (Exim 4.92) (envelope-from ) id 1rpnPn-0005Qn-4N; Thu, 28 Mar 2024 10:55:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698894.1091131; Thu, 28 Mar 2024 10:55:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPn-0005Qf-1t; Thu, 28 Mar 2024 10:55:23 +0000 Received: by outflank-mailman (input) for mailman id 698894; Thu, 28 Mar 2024 10:55:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPm-0005QX-7I for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPm-0007YU-6X for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpnPm-0000sb-5b for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=n+eEpYZ7/P3rHfhuW+EUTg5QWhl7Q3K66bNVpvgBPUY=; b=RoVdU8m74z/JrzEgs2MtPGBDOc bB4V3ET03rX1rgNRVbYMtc7vM5zsVVrjzxe/gPssdXELi/HciMY6v94hZERrSF6W3JBrKcbzPlmUS 8bcNCUj0nIpuyJH4pIJ3JZAdHnqUKjYFAo8bPZ/KOqgn3dwS+V9zACLZcVrZKAEUzm68=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Message-Id: Date: Thu, 28 Mar 2024 10:55:22 +0000 commit 471b53c6a092940f3629990d9ca946aa22bd8535 Author: Andrew Cooper AuthorDate: Wed Mar 27 12:29:11 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:29:11 2024 +0100 x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Right now, if the user requests the watchdog on the command line, setup_apic_nmi_watchdog() will blindly assume that setting up the watchdog worked. Reuse nmi_perfctr_msr to identify when the watchdog has been configured. Rearrange setup_p6_watchdog() to not set nmi_perfctr_msr until the sanity checks are complete. Turn setup_p4_watchdog() into a void function, matching the others. If the watchdog isn't set up, inform the user and override to NMI_NONE, which will prevent check_nmi_watchdog() from claiming that all CPUs are stuck. e.g.: (XEN) alt table ffff82d040697c38 -> ffff82d0406a97f0 (XEN) Failed to configure NMI watchdog (XEN) Brought up 512 CPUs (XEN) Scheduling granularity: cpu, 1 CPU per sched-resource Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: f658321374687c7339235e1ac643e0427acff717 master date: 2024-03-19 18:29:37 +0000 --- xen/arch/x86/nmi.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index 7656023748..7c9591b65e 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -323,8 +323,6 @@ static void setup_p6_watchdog(unsigned counter) { unsigned int evntsel; - nmi_perfctr_msr = MSR_P6_PERFCTR(0); - if ( !nmi_p6_event_width && current_cpu_data.cpuid_level >= 0xa ) nmi_p6_event_width = MASK_EXTR(cpuid_eax(0xa), P6_EVENT_WIDTH_MASK); if ( !nmi_p6_event_width ) @@ -334,6 +332,8 @@ static void setup_p6_watchdog(unsigned counter) nmi_p6_event_width > BITS_PER_LONG ) return; + nmi_perfctr_msr = MSR_P6_PERFCTR(0); + clear_msr_range(MSR_P6_EVNTSEL(0), 2); clear_msr_range(MSR_P6_PERFCTR(0), 2); @@ -349,13 +349,13 @@ static void setup_p6_watchdog(unsigned counter) wrmsr(MSR_P6_EVNTSEL(0), evntsel, 0); } -static int setup_p4_watchdog(void) +static void setup_p4_watchdog(void) { uint64_t misc_enable; rdmsrl(MSR_IA32_MISC_ENABLE, misc_enable); if (!(misc_enable & MSR_IA32_MISC_ENABLE_PERF_AVAIL)) - return 0; + return; nmi_perfctr_msr = MSR_P4_IQ_PERFCTR0; nmi_p4_cccr_val = P4_NMI_IQ_CCCR0; @@ -378,13 +378,12 @@ static int setup_p4_watchdog(void) clear_msr_range(0x3E0, 2); clear_msr_range(MSR_P4_BPU_CCCR0, 18); clear_msr_range(MSR_P4_BPU_PERFCTR0, 18); - + wrmsrl(MSR_P4_CRU_ESCR0, P4_NMI_CRU_ESCR0); wrmsrl(MSR_P4_IQ_CCCR0, P4_NMI_IQ_CCCR0 & ~P4_CCCR_ENABLE); write_watchdog_counter("P4_IQ_COUNTER0"); apic_write(APIC_LVTPC, APIC_DM_NMI); wrmsrl(MSR_P4_IQ_CCCR0, nmi_p4_cccr_val); - return 1; } void setup_apic_nmi_watchdog(void) @@ -399,8 +398,6 @@ void setup_apic_nmi_watchdog(void) case 0xf ... 0x19: setup_k7_watchdog(); break; - default: - return; } break; case X86_VENDOR_INTEL: @@ -411,14 +408,16 @@ void setup_apic_nmi_watchdog(void) : CORE_EVENT_CPU_CLOCKS_NOT_HALTED); break; case 15: - if (!setup_p4_watchdog()) - return; + setup_p4_watchdog(); break; - default: - return; } break; - default: + } + + if ( nmi_perfctr_msr == 0 ) + { + printk(XENLOG_WARNING "Failed to configure NMI watchdog\n"); + nmi_watchdog = NMI_NONE; return; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 10:55:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 10:55:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698895.1091135 (Exim 4.92) (envelope-from ) id 1rpnPy-0005UI-5k; Thu, 28 Mar 2024 10:55:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698895.1091135; Thu, 28 Mar 2024 10:55:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPy-0005UB-3K; Thu, 28 Mar 2024 10:55:34 +0000 Received: by outflank-mailman (input) for mailman id 698895; Thu, 28 Mar 2024 10:55:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPw-0005Tr-AZ for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpnPw-0007Yr-9n for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpnPw-0000t3-8j for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 10:55:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=AxToAD1NKA3HvUu/Fko4Yd2IhSwZv8V9bfPk5g+Kf3k=; b=hdMdG2R6dL34yjUn/lFxGnMCdL tJeJYZDB9NTQ6q8seESzFIO1+fLUGXHx2KFZwk5A/e1tlQvVOOPh4GlMqewOyxV8tnxho2fGOKPCM AXrz5cQYYt82wbBUATdSrAt9Of1W+Fss2dZo1fejRKrGh00aHInBjCJvmZbE1wu0auKI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] x86/PoD: tie together P2M update and increment of entry count Message-Id: Date: Thu, 28 Mar 2024 10:55:32 +0000 commit bfb69205376d94ff91b09a337c47fb665ee12da3 Author: Jan Beulich AuthorDate: Wed Mar 27 12:29:33 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:29:33 2024 +0100 x86/PoD: tie together P2M update and increment of entry count When not holding the PoD lock across the entire region covering P2M update and stats update, the entry count - if to be incorrect at all - should indicate too large a value in preference to a too small one, to avoid functions bailing early when they find the count is zero. However, instead of moving the increment ahead (and adjust back upon failure), extend the PoD-locked region. Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer") Signed-off-by: Jan Beulich Reviewed-by: George Dunlap master commit: cc950c49ae6a6690f7fc3041a1f43122c250d250 master date: 2024-03-21 09:48:10 +0100 --- xen/arch/x86/mm/p2m-pod.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index 99dbcb3101..e903db9d93 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -1370,19 +1370,28 @@ mark_populate_on_demand(struct domain *d, unsigned long gfn_l, } } + /* + * P2M update and stats increment need to collectively be under PoD lock, + * to prevent code elsewhere observing PoD entry count being zero despite + * there actually still being PoD entries (created by the p2m_set_entry() + * invocation below). + */ + pod_lock(p2m); + /* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_populate_on_demand, p2m->default_access); if ( rc == 0 ) { - pod_lock(p2m); p2m->pod.entry_count += 1UL << order; p2m->pod.entry_count -= pod_count; BUG_ON(p2m->pod.entry_count < 0); - pod_unlock(p2m); + } + + pod_unlock(p2m); + if ( rc == 0 ) ioreq_request_mapcache_invalidate(d); - } else if ( order ) { /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 11:44:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 11:44:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.698910.1091159 (Exim 4.92) (envelope-from ) id 1rpoAu-0004t2-TJ; Thu, 28 Mar 2024 11:44:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 698910.1091159; Thu, 28 Mar 2024 11:44:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpoAu-0004su-Qo; Thu, 28 Mar 2024 11:44:04 +0000 Received: by outflank-mailman (input) for mailman id 698910; Thu, 28 Mar 2024 11:44:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpoAt-0004so-MI for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 11:44:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpoAt-0008NS-Dr for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 11:44:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpoAt-0003nR-Cp for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 11:44:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=PYQ5tJW6js1MDFw8EhdT0DQ9qjm5eJ1COJb2ZEC/JZY=; b=vPdTDb0WZyEQvUloSnjlIvCuLR rUxo/oubVTpmJN2R/aVQrTQOgqUBbgIduNUjcmSJVmi7nb6qi9cHPwuGsMViF+4YEMtpLYWvKzmfp N9kV3StetLO+ooPQ3iDGTWWMTa/VWTYLKJBVJ/vJibGes3lHQ+EbJ+T/1YHqu1iQpBhk=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/mm: Refine address alignment checks in modify_xen_mappings_lite() Message-Id: Date: Thu, 28 Mar 2024 11:44:03 +0000 commit 3c9e76cd875e12c88cfc8f0b2770c525da8d6894 Author: Andrew Cooper AuthorDate: Tue Mar 19 19:38:48 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 28 11:25:07 2024 +0000 x86/mm: Refine address alignment checks in modify_xen_mappings_lite() Require 's' to be superpage aligned if given over a superpage mapping. This is expected to be the case in practice, and prevents v getting misaligned over superpages during the processing loop. Remove the requirement for 'e' to be page aligned. All this is doing is forcing work for the caller just to satisfy an assertion. Reported-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/arch/x86/mm.c | 11 +++++++---- xen/common/virtual_region.c | 8 ++++---- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 62f5b811bb..631da8d7d2 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5900,9 +5900,10 @@ int destroy_xen_mappings(unsigned long s, unsigned long e) * * Must be limited to XEN_VIRT_{START,END}, i.e. over l2_xenmap[]. * Must be called with present flags, and over present mappings. - * It is the callers responsibility to not pass s or e in the middle of - * superpages if changing the permission on the whole superpage is going to be - * a problem. + * Must be called with 's' on a page/superpage boundary. + * + * 'e' has no alignment requirements, but the whole page/superpage containing + * the non-inclusive boundary will be updated. */ void init_or_livepatch modify_xen_mappings_lite( unsigned long s, unsigned long e, unsigned int nf) @@ -5917,7 +5918,7 @@ void init_or_livepatch modify_xen_mappings_lite( ASSERT(flags & _PAGE_PRESENT); ASSERT(IS_ALIGNED(s, PAGE_SIZE) && s >= XEN_VIRT_START); - ASSERT(IS_ALIGNED(e, PAGE_SIZE) && e <= XEN_VIRT_END); + ASSERT(e <= XEN_VIRT_END); while ( v < e ) { @@ -5929,6 +5930,8 @@ void init_or_livepatch modify_xen_mappings_lite( if ( l2e_get_flags(l2e) & _PAGE_PSE ) { + ASSERT(IS_ALIGNED(v, 1UL << L2_PAGETABLE_SHIFT)); + l2e_write_atomic(pl2e, l2e_from_intpte((l2e.l2 & ~fm) | flags)); v += 1UL << L2_PAGETABLE_SHIFT; diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index b4325bcda7..142f21e181 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -93,11 +93,11 @@ void relax_virtual_region_perms(void) list_for_each_entry_rcu( region, &virtual_region_list, list ) { modify_xen_mappings_lite((unsigned long)region->text_start, - PAGE_ALIGN((unsigned long)region->text_end), + (unsigned long)region->text_end, PAGE_HYPERVISOR_RWX); if ( region->rodata_start ) modify_xen_mappings_lite((unsigned long)region->rodata_start, - PAGE_ALIGN((unsigned long)region->rodata_end), + (unsigned long)region->rodata_end, PAGE_HYPERVISOR_RW); } rcu_read_unlock(&rcu_virtual_region_lock); @@ -111,11 +111,11 @@ void tighten_virtual_region_perms(void) list_for_each_entry_rcu( region, &virtual_region_list, list ) { modify_xen_mappings_lite((unsigned long)region->text_start, - PAGE_ALIGN((unsigned long)region->text_end), + (unsigned long)region->text_end, PAGE_HYPERVISOR_RX); if ( region->rodata_start ) modify_xen_mappings_lite((unsigned long)region->rodata_start, - PAGE_ALIGN((unsigned long)region->rodata_end), + (unsigned long)region->rodata_end, PAGE_HYPERVISOR_RO); } rcu_read_unlock(&rcu_virtual_region_lock); -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 16:00:12 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 16:00:12 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699032.1091519 (Exim 4.92) (envelope-from ) id 1rpsAd-0007jG-91; Thu, 28 Mar 2024 16:00:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699032.1091519; Thu, 28 Mar 2024 16:00:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsAd-0007in-4f; Thu, 28 Mar 2024 16:00:03 +0000 Received: by outflank-mailman (input) for mailman id 699032; Thu, 28 Mar 2024 16:00:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsAb-00076h-Oc for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsAb-0005jr-J7 for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpsAb-0000iJ-I3 for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=BT1zp4EPD+zSmIQLZgd2YhDOKR9BRUARbVqwELjyZts=; b=ST6NODzgD2pw7aoyqXn8pkgKro wMr9EhAVoVDFrLgaFXMe8qW+jTx/kc2AWg33tSfuJKnPOGHgKxizZmRRV7fzCa4vkWCf3xlPIBPMM r9rhlP91TG2adXvQ0rTf3QSTtC/GvzLK5GM/eNt2UE5WId/+RWWk0SHN2H8nSVWqA65o=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] update Xen version to 4.18.2-pre Message-Id: Date: Thu, 28 Mar 2024 16:00:01 +0000 commit 3d67ba0371f9c6f6f7c5346994da6571f3ed8b57 Author: Jan Beulich AuthorDate: Wed Mar 27 12:19:29 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:19:29 2024 +0100 update Xen version to 4.18.2-pre --- xen/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/Makefile b/xen/Makefile index 0ec1e6555f..affeef69da 100644 --- a/xen/Makefile +++ b/xen/Makefile @@ -6,7 +6,7 @@ this-makefile := $(call lastword,$(MAKEFILE_LIST)) # All other places this is stored (eg. compile.h) should be autogenerated. export XEN_VERSION = 4 export XEN_SUBVERSION = 18 -export XEN_EXTRAVERSION ?= .1$(XEN_VENDORVERSION) +export XEN_EXTRAVERSION ?= .2-pre$(XEN_VENDORVERSION) export XEN_FULLVERSION = $(XEN_VERSION).$(XEN_SUBVERSION)$(XEN_EXTRAVERSION) -include xen-version -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 16:00:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 16:00:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699033.1091521 (Exim 4.92) (envelope-from ) id 1rpsAn-0008Sg-8w; Thu, 28 Mar 2024 16:00:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699033.1091521; Thu, 28 Mar 2024 16:00:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsAn-0008SY-68; Thu, 28 Mar 2024 16:00:13 +0000 Received: by outflank-mailman (input) for mailman id 699033; Thu, 28 Mar 2024 16:00:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsAl-0008S8-Mp for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsAl-00064R-MA for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpsAl-0000js-LO for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NJuAgYEqz8peJxLhc3d/n8AUfYeLl6FMlqMgFSluJXc=; b=Z3IvZg+VqRGseObIVSOfWm57GH 2i+sKXng/B294DqStkpopvkrUleuIrmq9u6eRckNEuJVHgZgx18dQ7ss7O++h2MPkqiycAcizSIH6 MrGO3gyecsXNuseYgfrpH9wp1mMH343jn43DxTx2Ed6N5OHKW87IRNdkNnLC/ljvNjWE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/mm: use block_lock_speculation() in _mm_write_lock() Message-Id: Date: Thu, 28 Mar 2024 16:00:11 +0000 commit 62d9ca19f9f50451c94d69050a5eaffd98ac1c20 Author: Jan Beulich AuthorDate: Wed Mar 27 12:20:05 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:20:05 2024 +0100 x86/mm: use block_lock_speculation() in _mm_write_lock() I can only guess that using block_speculation() there was a leftover from, earlier on, SPECULATIVE_HARDEN_LOCK depending on SPECULATIVE_HARDEN_BRANCH. Fixes: 197ecd838a2a ("locking: attempt to ensure lock wrappers are always inline") Signed-off-by: Jan Beulich Reviewed-by: Andrew Cooper master commit: 62018f08708a5ff6ef8fc8ff2aaaac46e5a60430 master date: 2024-03-18 13:53:37 +0100 --- xen/arch/x86/mm/mm-locks.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/mm/mm-locks.h b/xen/arch/x86/mm/mm-locks.h index b4960fb90e..30eb5dfd60 100644 --- a/xen/arch/x86/mm/mm-locks.h +++ b/xen/arch/x86/mm/mm-locks.h @@ -138,7 +138,7 @@ static always_inline void _mm_write_lock(const struct domain *d, mm_rwlock_t *l, _set_lock_level(_lock_level(d, level)); } else - block_speculation(); + block_lock_speculation(); l->recurse_count++; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 16:00:23 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 16:00:23 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699034.1091527 (Exim 4.92) (envelope-from ) id 1rpsAx-00007N-Bs; Thu, 28 Mar 2024 16:00:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699034.1091527; Thu, 28 Mar 2024 16:00:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsAx-00007C-7W; Thu, 28 Mar 2024 16:00:23 +0000 Received: by outflank-mailman (input) for mailman id 699034; Thu, 28 Mar 2024 16:00:21 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsAv-0008Vl-QP for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:21 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsAv-00064m-Pd for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:21 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpsAv-0000kV-OH for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:21 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5vBChd9RfElvY/m0UR+nYehznK11EugCb3mP+iZMpZQ=; b=jknGgEQMe5wdceUl+5IpejViUw d3ivDDfhyOCvwDd0tFLYdjEFk+BX4qHLlosCZtgd0+46r5YPNOfA599Yd7NQJxtsvrdteBJb1pAgE J7FP9KPGEnZW9OZoRp+e0YJH0tk7vw/Tu8ZYyVpNLJTAMIDYlTpRyIHff/XNL2jqrCFE=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Message-Id: Date: Thu, 28 Mar 2024 16:00:21 +0000 commit cb7b84d3d50d13d9762ce96cd03a06becc0ecf9b Author: Andrew Cooper AuthorDate: Wed Mar 27 12:20:58 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:20:58 2024 +0100 x86/boot: Fix setup_apic_nmi_watchdog() to fail more cleanly Right now, if the user requests the watchdog on the command line, setup_apic_nmi_watchdog() will blindly assume that setting up the watchdog worked. Reuse nmi_perfctr_msr to identify when the watchdog has been configured. Rearrange setup_p6_watchdog() to not set nmi_perfctr_msr until the sanity checks are complete. Turn setup_p4_watchdog() into a void function, matching the others. If the watchdog isn't set up, inform the user and override to NMI_NONE, which will prevent check_nmi_watchdog() from claiming that all CPUs are stuck. e.g.: (XEN) alt table ffff82d040697c38 -> ffff82d0406a97f0 (XEN) Failed to configure NMI watchdog (XEN) Brought up 512 CPUs (XEN) Scheduling granularity: cpu, 1 CPU per sched-resource Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich master commit: f658321374687c7339235e1ac643e0427acff717 master date: 2024-03-19 18:29:37 +0000 --- xen/arch/x86/nmi.c | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/nmi.c b/xen/arch/x86/nmi.c index dc79c25e3f..ac4e7c9bdf 100644 --- a/xen/arch/x86/nmi.c +++ b/xen/arch/x86/nmi.c @@ -324,8 +324,6 @@ static void setup_p6_watchdog(unsigned counter) { unsigned int evntsel; - nmi_perfctr_msr = MSR_P6_PERFCTR(0); - if ( !nmi_p6_event_width && current_cpu_data.cpuid_level >= 0xa ) nmi_p6_event_width = MASK_EXTR(cpuid_eax(0xa), P6_EVENT_WIDTH_MASK); if ( !nmi_p6_event_width ) @@ -335,6 +333,8 @@ static void setup_p6_watchdog(unsigned counter) nmi_p6_event_width > BITS_PER_LONG ) return; + nmi_perfctr_msr = MSR_P6_PERFCTR(0); + clear_msr_range(MSR_P6_EVNTSEL(0), 2); clear_msr_range(MSR_P6_PERFCTR(0), 2); @@ -350,13 +350,13 @@ static void setup_p6_watchdog(unsigned counter) wrmsr(MSR_P6_EVNTSEL(0), evntsel, 0); } -static int setup_p4_watchdog(void) +static void setup_p4_watchdog(void) { uint64_t misc_enable; rdmsrl(MSR_IA32_MISC_ENABLE, misc_enable); if (!(misc_enable & MSR_IA32_MISC_ENABLE_PERF_AVAIL)) - return 0; + return; nmi_perfctr_msr = MSR_P4_IQ_PERFCTR0; nmi_p4_cccr_val = P4_NMI_IQ_CCCR0; @@ -379,13 +379,12 @@ static int setup_p4_watchdog(void) clear_msr_range(0x3E0, 2); clear_msr_range(MSR_P4_BPU_CCCR0, 18); clear_msr_range(MSR_P4_BPU_PERFCTR0, 18); - + wrmsrl(MSR_P4_CRU_ESCR0, P4_NMI_CRU_ESCR0); wrmsrl(MSR_P4_IQ_CCCR0, P4_NMI_IQ_CCCR0 & ~P4_CCCR_ENABLE); write_watchdog_counter("P4_IQ_COUNTER0"); apic_write(APIC_LVTPC, APIC_DM_NMI); wrmsrl(MSR_P4_IQ_CCCR0, nmi_p4_cccr_val); - return 1; } void setup_apic_nmi_watchdog(void) @@ -400,8 +399,6 @@ void setup_apic_nmi_watchdog(void) case 0xf ... 0x19: setup_k7_watchdog(); break; - default: - return; } break; case X86_VENDOR_INTEL: @@ -412,14 +409,16 @@ void setup_apic_nmi_watchdog(void) : CORE_EVENT_CPU_CLOCKS_NOT_HALTED); break; case 15: - if (!setup_p4_watchdog()) - return; + setup_p4_watchdog(); break; - default: - return; } break; - default: + } + + if ( nmi_perfctr_msr == 0 ) + { + printk(XENLOG_WARNING "Failed to configure NMI watchdog\n"); + nmi_watchdog = NMI_NONE; return; } -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 16:00:33 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 16:00:33 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699035.1091529 (Exim 4.92) (envelope-from ) id 1rpsB7-0000Fc-BS; Thu, 28 Mar 2024 16:00:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699035.1091529; Thu, 28 Mar 2024 16:00:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsB7-0000FV-8v; Thu, 28 Mar 2024 16:00:33 +0000 Received: by outflank-mailman (input) for mailman id 699035; Thu, 28 Mar 2024 16:00:31 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsB5-0000FF-TS for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:31 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpsB5-00065C-Sb for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:31 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpsB5-0000ku-Ri for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 16:00:31 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=WOm+iDhVC7UxReNpoIbrNOuz30+YNQ3PsaY5XzoGGsU=; b=0T6YVAmrHi090r0kErM+gNvgFF 360uJhCX+B9IDrBAEplpS5MawbRwo9ftcC+DlhugDMtB4nwi+aa0OaDROb7cm7aqmWKU3lB14hK7Z 8k4HsgryRkgxxDITmJY2ZAyocbYsbK3JXPIVqWAl6548tkKR8FkXECPqjcjyPrvia12Q=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] x86/PoD: tie together P2M update and increment of entry count Message-Id: Date: Thu, 28 Mar 2024 16:00:31 +0000 commit c9ea3b49a5d546a7c786dd0a0caec00c9c7f2633 Author: Jan Beulich AuthorDate: Wed Mar 27 12:21:24 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 12:21:24 2024 +0100 x86/PoD: tie together P2M update and increment of entry count When not holding the PoD lock across the entire region covering P2M update and stats update, the entry count - if to be incorrect at all - should indicate too large a value in preference to a too small one, to avoid functions bailing early when they find the count is zero. However, instead of moving the increment ahead (and adjust back upon failure), extend the PoD-locked region. Fixes: 99af3cd40b6e ("x86/mm: Rework locking in the PoD layer") Signed-off-by: Jan Beulich Reviewed-by: George Dunlap master commit: cc950c49ae6a6690f7fc3041a1f43122c250d250 master date: 2024-03-21 09:48:10 +0100 --- xen/arch/x86/mm/p2m-pod.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c index 9be67b63ce..40a4be8315 100644 --- a/xen/arch/x86/mm/p2m-pod.c +++ b/xen/arch/x86/mm/p2m-pod.c @@ -1359,19 +1359,28 @@ mark_populate_on_demand(struct domain *d, unsigned long gfn_l, } } + /* + * P2M update and stats increment need to collectively be under PoD lock, + * to prevent code elsewhere observing PoD entry count being zero despite + * there actually still being PoD entries (created by the p2m_set_entry() + * invocation below). + */ + pod_lock(p2m); + /* Now, actually do the two-way mapping */ rc = p2m_set_entry(p2m, gfn, INVALID_MFN, order, p2m_populate_on_demand, p2m->default_access); if ( rc == 0 ) { - pod_lock(p2m); p2m->pod.entry_count += 1UL << order; p2m->pod.entry_count -= pod_count; BUG_ON(p2m->pod.entry_count < 0); - pod_unlock(p2m); + } + + pod_unlock(p2m); + if ( rc == 0 ) ioreq_request_mapcache_invalidate(d); - } else if ( order ) { /* -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 20:11:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 20:11:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699178.1091846 (Exim 4.92) (envelope-from ) id 1rpw5Z-0006gP-4I; Thu, 28 Mar 2024 20:11:05 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699178.1091846; Thu, 28 Mar 2024 20:11:05 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpw5Z-0006gH-1U; Thu, 28 Mar 2024 20:11:05 +0000 Received: by outflank-mailman (input) for mailman id 699178; Thu, 28 Mar 2024 20:11:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpw5X-0006eY-M5 for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 20:11:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpw5X-00037q-Ca for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 20:11:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpw5X-0004Fd-Ba for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 20:11:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=NIS+FDt9Y3x9b0SNjapqYNnoF9qx+IcC2BXSKuTQ82M=; b=dxfXNGy5Ie0RpcSES06xQFagUF JZfAJSZvXzCuxC1Gc8XfZVfv0Tay4B1tmswCucyM0Wxp0z0KNY7WTRQci2nSQ430lOSqrymy8KSNl mSJI+pMib3krYp4OERHRkT5ScTFYJfSB1SPmLjZOLfTHFl8sStbxxOZ+S/NhzcolNZ3c=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen staging] x86/spec-ctrl: Move __read_mostly data into __ro_after_init Message-Id: Date: Thu, 28 Mar 2024 20:11:03 +0000 commit 7a09966e7b2823b70f6d56d0cf66c11124f4a3c1 Author: Andrew Cooper AuthorDate: Thu Mar 28 12:38:32 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 28 19:59:34 2024 +0000 x86/spec-ctrl: Move __read_mostly data into __ro_after_init These variables predate the introduction of __ro_after_init, but all qualify. Update them to be consistent with the rest of the file. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/spec_ctrl.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 0b670c3ca7..6a889db70c 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -49,18 +49,18 @@ bool __ro_after_init opt_ssbd; static int8_t __initdata opt_psfd = -1; int8_t __ro_after_init opt_ibpb_ctxt_switch = -1; -int8_t __read_mostly opt_eager_fpu = -1; -int8_t __read_mostly opt_l1d_flush = -1; +int8_t __ro_after_init opt_eager_fpu = -1; +int8_t __ro_after_init opt_l1d_flush = -1; static bool __initdata opt_branch_harden = IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH); static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; -uint8_t __read_mostly default_xen_spec_ctrl; -uint8_t __read_mostly default_spec_ctrl_flags; +uint8_t __ro_after_init default_xen_spec_ctrl; +uint8_t __ro_after_init default_spec_ctrl_flags; -paddr_t __read_mostly l1tf_addr_mask, __read_mostly l1tf_safe_maddr; -bool __read_mostly cpu_has_bug_l1tf; +paddr_t __ro_after_init l1tf_addr_mask, __ro_after_init l1tf_safe_maddr; +bool __ro_after_init cpu_has_bug_l1tf; static unsigned int __initdata l1d_maxphysaddr; static bool __initdata cpu_has_bug_msbds_only; /* => minimal HT impact. */ @@ -316,8 +316,8 @@ static int __init cf_check parse_spec_ctrl(const char *s) } custom_param("spec-ctrl", parse_spec_ctrl); -int8_t __read_mostly opt_xpti_hwdom = -1; -int8_t __read_mostly opt_xpti_domu = -1; +int8_t __ro_after_init opt_xpti_hwdom = -1; +int8_t __ro_after_init opt_xpti_domu = -1; static __init void xpti_init_default(void) { @@ -381,8 +381,8 @@ static int __init cf_check parse_xpti(const char *s) } custom_param("xpti", parse_xpti); -int8_t __read_mostly opt_pv_l1tf_hwdom = -1; -int8_t __read_mostly opt_pv_l1tf_domu = -1; +int8_t __ro_after_init opt_pv_l1tf_hwdom = -1; +int8_t __ro_after_init opt_pv_l1tf_domu = -1; static int __init cf_check parse_pv_l1tf(const char *s) { -- generated by git-patchbot for /home/xen/git/xen.git#staging From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 20:22:05 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 20:22:05 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699183.1091860 (Exim 4.92) (envelope-from ) id 1rpwGB-00014a-5T; Thu, 28 Mar 2024 20:22:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699183.1091860; Thu, 28 Mar 2024 20:22:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpwGB-00014S-2n; Thu, 28 Mar 2024 20:22:03 +0000 Received: by outflank-mailman (input) for mailman id 699183; Thu, 28 Mar 2024 20:22:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpwGA-000146-3d for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 20:22:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpwGA-0003O8-2i for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 20:22:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpwG9-0004fP-V8 for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 20:22:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=lT9MFQoFWf2Y3Q+XAdhyK3chJv3whUQge/rIzVzjkLk=; b=Dy6lxm/Ie/IDeOOSiG9EVqKZib ihtOC2LISv04Hr/AFWTP57kYmECxNRVPXer/mDl3UBpYogYgjT8PASUTm6PUPn+0RsPYxkVtZ730y zH0EzZOt03C8rRw0UvrJOTDZHz8o260AJE/8CRnBHH3YpeTzC4h8fTlP63ruuFBytURU=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] tools/oxenstored: Use Map instead of Hashtbl for quotas Message-Id: Date: Thu, 28 Mar 2024 20:22:01 +0000 commit 7abd305607938b846da1a37dd1bda7bf7d47dba5 Author: Edwin Török AuthorDate: Wed Jan 31 10:52:55 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:23:10 2024 +0000 tools/oxenstored: Use Map instead of Hashtbl for quotas On a stress test running 1000 VMs flamegraphs have shown that `oxenstored` spends a large amount of time in `Hashtbl.copy` and the GC. Hashtable complexity: * read/write: O(1) average * copy: O(domains) -- copying the entire table Map complexity: * read/write: O(log n) worst case * copy: O(1) -- a word copy We always perform at least one 'copy' when processing each xenstore packet (regardless whether it is a readonly operation or inside a transaction or not), so the actual complexity per packet is: * Hashtbl: O(domains) * Map: O(log domains) Maps are the clear winner, and a better fit for the immutable xenstore tree. Signed-off-by: Edwin Török Acked-by: Christian Lindig (cherry picked from commit b6cf604207fd0a04451a48f2ce6d05fb66c612ab) --- tools/ocaml/xenstored/quota.ml | 65 ++++++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 31 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index 6e3d6401ae..ee8dd22581 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -23,66 +23,69 @@ let activate = ref true let maxent = ref (1000) let maxsize = ref (2048) +module Domid = struct + type t = Xenctrl.domid + let compare (a:t) (b:t) = compare a b +end + +module DomidMap = Map.Make(Domid) + type t = { maxent: int; (* max entities per domU *) maxsize: int; (* max size of data store in one node *) - cur: (Xenctrl.domid, int) Hashtbl.t; (* current domains quota *) + mutable cur: int DomidMap.t; (* current domains quota *) } let to_string quota domid = - if Hashtbl.mem quota.cur domid - then Printf.sprintf "dom%i quota: %i/%i" domid (Hashtbl.find quota.cur domid) quota.maxent - else Printf.sprintf "dom%i quota: not set" domid + try + Printf.sprintf "dom%i quota: %i/%i" domid (DomidMap.find domid quota.cur) quota.maxent + with Not_found -> + Printf.sprintf "dom%i quota: not set" domid let create () = - { maxent = !maxent; maxsize = !maxsize; cur = Hashtbl.create 100; } + { maxent = !maxent; maxsize = !maxsize; cur = DomidMap.empty; } -let copy quota = { quota with cur = (Hashtbl.copy quota.cur) } +let copy quota = { quota with cur = quota.cur } -let del quota id = Hashtbl.remove quota.cur id +let del quota id = { quota with cur = DomidMap.remove id quota.cur } let _check quota id size = if size > quota.maxsize then ( warn "domain %u err create entry: data too big %d" id size; raise Data_too_big ); - if id > 0 && Hashtbl.mem quota.cur id then - let entry = Hashtbl.find quota.cur id in + if id > 0 then + try + let entry = DomidMap.find id quota.cur in if entry >= quota.maxent then ( warn "domain %u cannot create entry: quota reached" id; raise Limit_reached ) + with Not_found -> () let check quota id size = if !activate then _check quota id size -let get_entry quota id = Hashtbl.find quota.cur id +let find_or_zero quota_cur id = + try DomidMap.find id quota_cur with Not_found -> 0 -let set_entry quota id nb = - if nb = 0 - then Hashtbl.remove quota.cur id - else begin - if Hashtbl.mem quota.cur id then - Hashtbl.replace quota.cur id nb - else - Hashtbl.add quota.cur id nb - end +let update_entry quota_cur id diff = + let nb = diff + find_or_zero quota_cur id in + if nb = 0 then DomidMap.remove id quota_cur + else DomidMap.add id nb quota_cur let del_entry quota id = - try - let nb = get_entry quota id in - set_entry quota id (nb - 1) - with Not_found -> () + quota.cur <- update_entry quota.cur id (-1) let add_entry quota id = - let nb = try get_entry quota id with Not_found -> 0 in - set_entry quota id (nb + 1) - -let add quota diff = - Hashtbl.iter (fun id nb -> set_entry quota id (get_entry quota id + nb)) diff.cur + quota.cur <- update_entry quota.cur id (+1) let merge orig_quota mod_quota dest_quota = - Hashtbl.iter (fun id nb -> let diff = nb - (try get_entry orig_quota id with Not_found -> 0) in - if diff <> 0 then - set_entry dest_quota id ((try get_entry dest_quota id with Not_found -> 0) + diff)) mod_quota.cur + let fold_merge id nb dest = + match nb - find_or_zero orig_quota.cur id with + | 0 -> dest (* not modified *) + | diff -> update_entry dest id diff (* update with [x=x+diff] *) + in + dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur + (* dest_quota = dest_quota + (mod_quota - orig_quota) *) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Thu Mar 28 20:22:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Thu, 28 Mar 2024 20:22:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699184.1091864 (Exim 4.92) (envelope-from ) id 1rpwGL-00016r-6j; Thu, 28 Mar 2024 20:22:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699184.1091864; Thu, 28 Mar 2024 20:22:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpwGL-00016j-4G; Thu, 28 Mar 2024 20:22:13 +0000 Received: by outflank-mailman (input) for mailman id 699184; Thu, 28 Mar 2024 20:22:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpwGK-00016Y-6r for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 20:22:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rpwGK-0003OH-5e for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 20:22:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rpwGK-0004g9-4l for xen-changelog@lists.xenproject.org; Thu, 28 Mar 2024 20:22:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=vdmi1vx5ExhJ0a949+dDYA+1Lssxin2tpUBIxbdlGSk=; b=M/Y+wmgnp+QuiazYtJOPVWzmyM qpRSA8pWmjkcWnSvUJ++pvIVVaW2J+37r/KHfv2tv/LaysChD++fcymGZTZ/cA981SUiiZsH9YrHW RNbU8iZtrL9O7fJFFbj/CL4XERAo3u1LV3OjedpyoLF3eebWr/z7zDvL6FGZ0Ne40OXQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.17] tools/oxenstored: Make Quota.t pure Message-Id: Date: Thu, 28 Mar 2024 20:22:12 +0000 commit f38a815a54000ca51ff5165b2863d60b6bbea49c Author: Edwin Török AuthorDate: Wed Jan 31 10:52:56 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:25:43 2024 +0000 tools/oxenstored: Make Quota.t pure Now that we no longer have a hashtable inside we can make Quota.t pure, and push the mutable update to its callers. Store.t already had a mutable Quota.t field. No functional change. Signed-off-by: Edwin Török Acked-by: Christian Lindig (cherry picked from commit 098d868e52ac0165b7f36e22b767ea70cef70054) --- tools/ocaml/xenstored/quota.ml | 8 ++++---- tools/ocaml/xenstored/store.ml | 17 ++++++++++------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index ee8dd22581..b3ab678c72 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -33,7 +33,7 @@ module DomidMap = Map.Make(Domid) type t = { maxent: int; (* max entities per domU *) maxsize: int; (* max size of data store in one node *) - mutable cur: int DomidMap.t; (* current domains quota *) + cur: int DomidMap.t; (* current domains quota *) } let to_string quota domid = @@ -76,10 +76,10 @@ let update_entry quota_cur id diff = else DomidMap.add id nb quota_cur let del_entry quota id = - quota.cur <- update_entry quota.cur id (-1) + {quota with cur = update_entry quota.cur id (-1)} let add_entry quota id = - quota.cur <- update_entry quota.cur id (+1) + {quota with cur = update_entry quota.cur id (+1)} let merge orig_quota mod_quota dest_quota = let fold_merge id nb dest = @@ -87,5 +87,5 @@ let merge orig_quota mod_quota dest_quota = | 0 -> dest (* not modified *) | diff -> update_entry dest id diff (* update with [x=x+diff] *) in - dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur + {dest_quota with cur = DomidMap.fold fold_merge mod_quota.cur dest_quota.cur} (* dest_quota = dest_quota + (mod_quota - orig_quota) *) diff --git a/tools/ocaml/xenstored/store.ml b/tools/ocaml/xenstored/store.ml index c94dbf3a62..5dd965db15 100644 --- a/tools/ocaml/xenstored/store.ml +++ b/tools/ocaml/xenstored/store.ml @@ -85,7 +85,9 @@ let check_owner node connection = raise Define.Permission_denied; end -let rec recurse fct node = fct node; SymbolMap.iter (fun _ -> recurse fct) node.children +let rec recurse fct node acc = + let acc = fct node acc in + SymbolMap.fold (fun _ -> recurse fct) node.children acc (** [recurse_filter_map f tree] applies [f] on each node in the tree recursively, possibly removing some nodes. @@ -408,7 +410,7 @@ let dump_buffer store = dump_store_buf store.root let set_node store path node orig_quota mod_quota = let root = Path.set_node store.root path node in store.root <- root; - Quota.merge orig_quota mod_quota store.quota + store.quota <- Quota.merge orig_quota mod_quota store.quota let write store perm path value = let node, existing = get_deepest_existing_node store path in @@ -422,7 +424,7 @@ let write store perm path value = let root, node_created = path_write store perm path value in store.root <- root; if node_created - then Quota.add_entry store.quota owner + then store.quota <- Quota.add_entry store.quota owner let mkdir store perm path = let node, existing = get_deepest_existing_node store path in @@ -431,7 +433,7 @@ let mkdir store perm path = if not (existing || (Perms.Connection.is_dom0 perm)) then Quota.check store.quota owner 0; store.root <- path_mkdir store perm path; if not existing then - Quota.add_entry store.quota owner + store.quota <- Quota.add_entry store.quota owner let rm store perm path = let rmed_node = Path.get_node store.root path in @@ -439,7 +441,7 @@ let rm store perm path = | None -> raise Define.Doesnt_exist | Some rmed_node -> store.root <- path_rm store perm path; - Node.recurse (fun node -> Quota.del_entry store.quota (Node.get_owner node)) rmed_node + store.quota <- Node.recurse (fun node quota -> Quota.del_entry quota (Node.get_owner node)) rmed_node store.quota let setperms store perm path nperms = match Path.get_node store.root path with @@ -450,8 +452,9 @@ let setperms store perm path nperms = if not ((old_owner = new_owner) || (Perms.Connection.is_dom0 perm)) then raise Define.Permission_denied; store.root <- path_setperms store perm path nperms; - Quota.del_entry store.quota old_owner; - Quota.add_entry store.quota new_owner + store.quota <- + let quota = Quota.del_entry store.quota old_owner in + Quota.add_entry quota new_owner let reset_permissions store domid = Logging.info "store|node" "Cleaning up xenstore ACLs for domid %d" domid; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.17 From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:33:10 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:33:10 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699332.1092101 (Exim 4.92) (envelope-from ) id 1rq9Xk-0000eF-Gq; Fri, 29 Mar 2024 10:33:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699332.1092101; Fri, 29 Mar 2024 10:33:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Xk-0000e7-E5; Fri, 29 Mar 2024 10:33:04 +0000 Received: by outflank-mailman (input) for mailman id 699332; Fri, 29 Mar 2024 10:33:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Xi-0000e1-A8 for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Xi-00026C-9D for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9Xi-0007Tk-5z for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=HeOcZNHaw23YnmIq5496icoVNbR99cfaFtXIfocm5gc=; b=YWQaO+RBSS4rOghU0nNxnIwBHL mWT8ZfUJF18DtaluYJJfC5EqsKP32nZ6+oPPQg2NfgoRxDy4+SDMLEKDTsJ3b9U1xLXd/HhbwlMqw SyIFPd2dg3V+RXnLg+KLiKq0dJxD/8F8ug//3XkZ2UI6j6wtxv9NdbpNvJarhQC0OfOI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/list: address violations of MISRA C Rule 20.7 Message-Id: Date: Fri, 29 Mar 2024 10:33:02 +0000 commit 12a3b90c2ae4998c389e53d1f68cbdba5914adce Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:09:50 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:09:50 2024 +0100 xen/list: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Jan Beulich --- xen/include/xen/list.h | 143 ++++++++++++++++++++++++------------------------- 1 file changed, 71 insertions(+), 72 deletions(-) diff --git a/xen/include/xen/list.h b/xen/include/xen/list.h index b5eab3a1eb..6506ac4089 100644 --- a/xen/include/xen/list.h +++ b/xen/include/xen/list.h @@ -452,7 +452,7 @@ static inline void list_splice_init(struct list_head *list, * @head: the head for your list. */ #define list_for_each(pos, head) \ - for (pos = (head)->next; pos != (head); pos = pos->next) + for ((pos) = (head)->next; (pos) != (head); (pos) = (pos)->next) /** * list_for_each_prev - iterate over a list backwards @@ -460,7 +460,7 @@ static inline void list_splice_init(struct list_head *list, * @head: the head for your list. */ #define list_for_each_prev(pos, head) \ - for (pos = (head)->prev; pos != (head); pos = pos->prev) + for ((pos) = (head)->prev; (pos) != (head); (pos) = (pos)->prev) /** * list_for_each_safe - iterate over a list safe against removal of list entry @@ -468,9 +468,9 @@ static inline void list_splice_init(struct list_head *list, * @n: another &struct list_head to use as temporary storage * @head: the head for your list. */ -#define list_for_each_safe(pos, n, head) \ - for (pos = (head)->next, n = pos->next; pos != (head); \ - pos = n, n = pos->next) +#define list_for_each_safe(pos, n, head) \ + for ((pos) = (head)->next, (n) = (pos)->next; (pos) != (head); \ + (pos) = (n), (n) = (pos)->next) /** * list_for_each_backwards_safe - iterate backwards over a list safe @@ -479,9 +479,9 @@ static inline void list_splice_init(struct list_head *list, * @n: another &struct list_head to use as temporary storage * @head: the head for your list. */ -#define list_for_each_backwards_safe(pos, n, head) \ - for ( pos = (head)->prev, n = pos->prev; pos != (head); \ - pos = n, n = pos->prev ) +#define list_for_each_backwards_safe(pos, n, head) \ + for ( (pos) = (head)->prev, (n) = (pos)->prev; (pos) != (head); \ + (pos) = (n), (n) = (pos)->prev ) /** * list_for_each_entry - iterate over list of given type @@ -490,9 +490,9 @@ static inline void list_splice_init(struct list_head *list, * @member: the name of the list_struct within the struct. */ #define list_for_each_entry(pos, head, member) \ - for (pos = list_entry((head)->next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = list_entry(pos->member.next, typeof(*pos), member)) + for ((pos) = list_entry((head)->next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = list_entry((pos)->member.next, typeof(*(pos)), member)) /** * list_for_each_entry_reverse - iterate backwards over list of given type. @@ -501,9 +501,9 @@ static inline void list_splice_init(struct list_head *list, * @member: the name of the list_struct within the struct. */ #define list_for_each_entry_reverse(pos, head, member) \ - for (pos = list_entry((head)->prev, typeof(*pos), member); \ - &pos->member != (head); \ - pos = list_entry(pos->member.prev, typeof(*pos), member)) + for ((pos) = list_entry((head)->prev, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = list_entry((pos)->member.prev, typeof(*(pos)), member)) /** * list_prepare_entry - prepare a pos entry for use in @@ -516,7 +516,7 @@ static inline void list_splice_init(struct list_head *list, * list_for_each_entry_continue. */ #define list_prepare_entry(pos, head, member) \ - ((pos) ? : list_entry(head, typeof(*pos), member)) + ((pos) ? : list_entry(head, typeof(*(pos)), member)) /** * list_for_each_entry_continue - continue iteration over list of given type @@ -527,10 +527,10 @@ static inline void list_splice_init(struct list_head *list, * Continue to iterate over list of given type, continuing after * the current position. */ -#define list_for_each_entry_continue(pos, head, member) \ - for (pos = list_entry(pos->member.next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = list_entry(pos->member.next, typeof(*pos), member)) +#define list_for_each_entry_continue(pos, head, member) \ + for ((pos) = list_entry((pos)->member.next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = list_entry((pos)->member.next, typeof(*(pos)), member)) /** * list_for_each_entry_from - iterate over list of given type from the @@ -542,8 +542,8 @@ static inline void list_splice_init(struct list_head *list, * Iterate over list of given type, continuing from current position. */ #define list_for_each_entry_from(pos, head, member) \ - for (; &pos->member != (head); \ - pos = list_entry(pos->member.next, typeof(*pos), member)) + for (; &(pos)->member != (head); \ + (pos) = list_entry((pos)->member.next, typeof(*(pos)), member)) /** * list_for_each_entry_safe - iterate over list of given type safe @@ -554,10 +554,10 @@ static inline void list_splice_init(struct list_head *list, * @member: the name of the list_struct within the struct. */ #define list_for_each_entry_safe(pos, n, head, member) \ - for (pos = list_entry((head)->next, typeof(*pos), member), \ - n = list_entry(pos->member.next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = n, n = list_entry(n->member.next, typeof(*n), member)) + for ((pos) = list_entry((head)->next, typeof(*(pos)), member), \ + (n) = list_entry((pos)->member.next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = (n), (n) = list_entry((n)->member.next, typeof(*(n)), member)) /** * list_for_each_entry_safe_continue @@ -569,11 +569,11 @@ static inline void list_splice_init(struct list_head *list, * Iterate over list of given type, continuing after current point, * safe against removal of list entry. */ -#define list_for_each_entry_safe_continue(pos, n, head, member) \ - for (pos = list_entry(pos->member.next, typeof(*pos), member), \ - n = list_entry(pos->member.next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = n, n = list_entry(n->member.next, typeof(*n), member)) +#define list_for_each_entry_safe_continue(pos, n, head, member) \ + for ((pos) = list_entry((pos)->member.next, typeof(*(pos)), member), \ + (n) = list_entry((pos)->member.next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = (n), (n) = list_entry((n)->member.next, typeof(*(n)), member)) /** * list_for_each_entry_safe_from @@ -586,9 +586,9 @@ static inline void list_splice_init(struct list_head *list, * removal of list entry. */ #define list_for_each_entry_safe_from(pos, n, head, member) \ - for (n = list_entry(pos->member.next, typeof(*pos), member); \ - &pos->member != (head); \ - pos = n, n = list_entry(n->member.next, typeof(*n), member)) + for ((n) = list_entry((pos)->member.next, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = (n), (n) = list_entry((n)->member.next, typeof(*(n)), member)) /** * list_for_each_entry_safe_reverse @@ -601,10 +601,10 @@ static inline void list_splice_init(struct list_head *list, * of list entry. */ #define list_for_each_entry_safe_reverse(pos, n, head, member) \ - for (pos = list_entry((head)->prev, typeof(*pos), member), \ - n = list_entry(pos->member.prev, typeof(*pos), member); \ - &pos->member != (head); \ - pos = n, n = list_entry(n->member.prev, typeof(*n), member)) + for ((pos) = list_entry((head)->prev, typeof(*(pos)), member), \ + (n) = list_entry((pos)->member.prev, typeof(*(pos)), member); \ + &(pos)->member != (head); \ + (pos) = (n), (n) = list_entry((n)->member.prev, typeof(*(n)), member)) /** * list_for_each_rcu - iterate over an rcu-protected list @@ -616,14 +616,14 @@ static inline void list_splice_init(struct list_head *list, * as long as the traversal is guarded by rcu_read_lock(). */ #define list_for_each_rcu(pos, head) \ - for (pos = (head)->next; \ + for ((pos) = (head)->next; \ rcu_dereference(pos) != (head); \ - pos = pos->next) + (pos) = (pos)->next) #define __list_for_each_rcu(pos, head) \ - for (pos = (head)->next; \ + for ((pos) = (head)->next; \ rcu_dereference(pos) != (head); \ - pos = pos->next) + (pos) = (pos)->next) /** * list_for_each_safe_rcu @@ -638,9 +638,9 @@ static inline void list_splice_init(struct list_head *list, * as long as the traversal is guarded by rcu_read_lock(). */ #define list_for_each_safe_rcu(pos, n, head) \ - for (pos = (head)->next; \ - n = rcu_dereference(pos)->next, pos != (head); \ - pos = n) + for ((pos) = (head)->next; \ + (n) = rcu_dereference(pos)->next, (pos) != (head); \ + (pos) = (n)) /** * list_for_each_entry_rcu - iterate over rcu list of given type @@ -653,9 +653,9 @@ static inline void list_splice_init(struct list_head *list, * as long as the traversal is guarded by rcu_read_lock(). */ #define list_for_each_entry_rcu(pos, head, member) \ - for (pos = list_entry((head)->next, typeof(*pos), member); \ + for ((pos) = list_entry((head)->next, typeof(*(pos)), member); \ &rcu_dereference(pos)->member != (head); \ - pos = list_entry(pos->member.next, typeof(*pos), member)) + (pos) = list_entry((pos)->member.next, typeof(*(pos)), member)) /** * list_for_each_continue_rcu @@ -899,11 +899,11 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, #define hlist_entry(ptr, type, member) container_of(ptr,type,member) #define hlist_for_each(pos, head) \ - for (pos = (head)->first; pos; pos = pos->next) + for ((pos) = (head)->first; (pos); (pos) = (pos)->next) -#define hlist_for_each_safe(pos, n, head) \ - for (pos = (head)->first; pos && ({ n = pos->next; 1; }); \ - pos = n) +#define hlist_for_each_safe(pos, n, head) \ + for ((pos) = (head)->first; (pos) && ({ (n) = (pos)->next; 1; }); \ + (pos) = (n)) /** * hlist_for_each_entry - iterate over list of given type @@ -913,10 +913,10 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * @member: the name of the hlist_node within the struct. */ #define hlist_for_each_entry(tpos, pos, head, member) \ - for (pos = (head)->first; \ - pos && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = pos->next) + for ((pos) = (head)->first; \ + (pos) && \ + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (pos)->next) /** * hlist_for_each_entry_continue - iterate over a hlist continuing @@ -925,11 +925,11 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * @pos: the &struct hlist_node to use as a loop cursor. * @member: the name of the hlist_node within the struct. */ -#define hlist_for_each_entry_continue(tpos, pos, member) \ - for (pos = (pos)->next; \ - pos && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = pos->next) +#define hlist_for_each_entry_continue(tpos, pos, member) \ + for ((pos) = (pos)->next; \ + (pos) && \ + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (pos)->next) /** * hlist_for_each_entry_from - iterate over a hlist continuing from @@ -938,10 +938,10 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * @pos: the &struct hlist_node to use as a loop cursor. * @member: the name of the hlist_node within the struct. */ -#define hlist_for_each_entry_from(tpos, pos, member) \ - for (; pos && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = pos->next) +#define hlist_for_each_entry_from(tpos, pos, member) \ + for (; (pos) && \ + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (pos)->next) /** * hlist_for_each_entry_safe - iterate over list of given type safe @@ -952,11 +952,11 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * @head: the head for your list. * @member: the name of the hlist_node within the struct. */ -#define hlist_for_each_entry_safe(tpos, pos, n, head, member) \ - for (pos = (head)->first; \ - pos && ({ n = pos->next; 1; }) && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = n) +#define hlist_for_each_entry_safe(tpos, pos, n, head, member) \ + for ((pos) = (head)->first; \ + (pos) && ({ n = (pos)->next; 1; }) && \ + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (n)) /** @@ -971,10 +971,9 @@ static inline void hlist_add_after_rcu(struct hlist_node *prev, * as long as the traversal is guarded by rcu_read_lock(). */ #define hlist_for_each_entry_rcu(tpos, pos, head, member) \ - for (pos = (head)->first; \ + for ((pos) = (head)->first; \ rcu_dereference(pos) && \ - ({ tpos = hlist_entry(pos, typeof(*tpos), member); 1;}); \ - pos = pos->next) + ({ tpos = hlist_entry(pos, typeof(*(tpos)), member); 1;}); \ + (pos) = (pos)->next) #endif /* __XEN_LIST_H__ */ - -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:33:14 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:33:14 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699333.1092105 (Exim 4.92) (envelope-from ) id 1rq9Xu-0000i6-IL; Fri, 29 Mar 2024 10:33:14 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699333.1092105; Fri, 29 Mar 2024 10:33:14 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Xu-0000hy-Fh; Fri, 29 Mar 2024 10:33:14 +0000 Received: by outflank-mailman (input) for mailman id 699333; Fri, 29 Mar 2024 10:33:12 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Xs-0000he-Et for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:12 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Xs-00026G-E4 for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9Xs-0007UN-BP for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=RRYjoNjnSLi9CdJ9zTxKJxFRpBsDAv7gnwpiWdZXZgw=; b=SuH6ZuwN3iGUpF60F/7+hNwAiw YD9i3nhb1q7Tr26j+DU6k0L/a12+6J/8TpZQWgGt1AR1IoiG0gZTw8UKyPF7b2RHaqdWVGE1HBKiO aNp8NkjZAUELNDoAEq8DOpBreSx0yTPmFXpRWVE5khfzwPaImih8NNbdmdp0yU5c6PJI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xentrace: address violation of MISRA C Rule 20.7 Message-Id: Date: Fri, 29 Mar 2024 10:33:12 +0000 commit 7757981d94b78714a579b0983fa906b83d3bcd27 Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:10:23 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:10:23 2024 +0100 xentrace: address violation of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/public/trace.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/public/trace.h b/xen/include/public/trace.h index 62a179971d..3c9f9c3c18 100644 --- a/xen/include/public/trace.h +++ b/xen/include/public/trace.h @@ -67,7 +67,7 @@ #define TRC_SCHED_CLASS_EVT(_c, _e) \ ( ( TRC_SCHED_CLASS | \ ((TRC_SCHED_##_c << TRC_SCHED_ID_SHIFT) & TRC_SCHED_ID_MASK) ) + \ - (_e & TRC_SCHED_EVT_MASK) ) + ((_e) & TRC_SCHED_EVT_MASK) ) /* Trace classes for DOM0 operations */ #define TRC_DOM0_DOMOPS 0x00041000 /* Domains manipulations */ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:33:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:33:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699334.1092109 (Exim 4.92) (envelope-from ) id 1rq9Y4-0000kk-Jm; Fri, 29 Mar 2024 10:33:24 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699334.1092109; Fri, 29 Mar 2024 10:33:24 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Y4-0000kc-H5; Fri, 29 Mar 2024 10:33:24 +0000 Received: by outflank-mailman (input) for mailman id 699334; Fri, 29 Mar 2024 10:33:22 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Y2-0000kO-Ja for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:22 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Y2-00026V-Gw for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:22 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9Y2-0007Um-G5 for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:22 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=eBjPTK2BC1FOFNbqA/767ll2lRAhE3h4KsV4D2J5VLg=; b=2ft7/OJsty48Khl5YUDYs9yxD6 JhNWfRGbhCAVcsS1W5RoNerYcOkIeWoFQW0Ix80vNV4eD0MlsTvuYR029RNJLbM5+gquUF+CMC/l7 hF1rmCDpYZgs6CgiEeoYwlbGQNYYqKZmZ98bJQpvWhbl2nqS0SJGIcIg0VZyvPqjvPJw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen: address MISRA C Rule 20.7 violation in generated hypercall Message-Id: Date: Fri, 29 Mar 2024 10:33:22 +0000 commit cab6de6a95bbded2435a9474a2ec1b730f209262 Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:11:03 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:11:03 2024 +0100 xen: address MISRA C Rule 20.7 violation in generated hypercall MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Reviewed-by: Jan Beulich --- xen/scripts/gen_hypercall.awk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/xen/scripts/gen_hypercall.awk b/xen/scripts/gen_hypercall.awk index 9f7cfa298a..1a7e051fde 100644 --- a/xen/scripts/gen_hypercall.awk +++ b/xen/scripts/gen_hypercall.awk @@ -277,7 +277,7 @@ END { if (call[i] == ca && call_prio[i] == p_list[pl]) { fnd++; if (fnd == 1) - printf(" if ( num == __HYPERVISOR_%s ) \\\n", fn[call_fn[i]]); + printf(" if ( (num) == __HYPERVISOR_%s ) \\\n", fn[call_fn[i]]); else printf(" else \\\n"); do_call(call_fn[i], call_p[i]); @@ -290,7 +290,7 @@ END { } else { for (i = 1; i <= nc; i++) if (call[i] == ca && call_prio[i] == p_list[pl]) { - printf("if ( likely(num == __HYPERVISOR_%s) ) \\\n", fn[call_fn[i]]); + printf("if ( likely((num) == __HYPERVISOR_%s) ) \\\n", fn[call_fn[i]]); do_call(call_fn[i], call_p[i]); } } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:33:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:33:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699335.1092113 (Exim 4.92) (envelope-from ) id 1rq9YE-0000nV-L1; Fri, 29 Mar 2024 10:33:34 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699335.1092113; Fri, 29 Mar 2024 10:33:34 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9YE-0000nN-IU; Fri, 29 Mar 2024 10:33:34 +0000 Received: by outflank-mailman (input) for mailman id 699335; Fri, 29 Mar 2024 10:33:32 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9YC-0000n7-Km for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:32 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9YC-00026g-K2 for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:32 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9YC-0007VC-J9 for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:32 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=qvjbJMLVTH+Wt60yI1oPwoXrVsGbKUWe4/3bFg9vWOc=; b=fIGnXs1jTw9FsJheKRTdyKAKqU /CCPyVloGYnWNAHwueLbwKAyUXdJo7bO8f25/SmkkYNrnhuZq2W7K87idYf1KVXfvhm3Qv7n4lr1N xWcMuqrb/opOjbrB3iuJLyySEUdibK1L4P/IiJrwNMgzsBtz9VsBu4q95wd2N8OZkic8=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/page_alloc: address violations of MISRA C Rule 20.7 Message-Id: Date: Fri, 29 Mar 2024 10:33:32 +0000 commit e2eeb1b753bb90865c05948f7836f119e12ceb0e Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:12:06 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:12:06 2024 +0100 xen/page_alloc: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should either gain additional parentheses or have their expressions simplified to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/common/page_alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c index 28c510d666..c94834d71b 100644 --- a/xen/common/page_alloc.c +++ b/xen/common/page_alloc.c @@ -150,7 +150,7 @@ #include #else #define p2m_pod_offline_or_broken_hit(pg) 0 -#define p2m_pod_offline_or_broken_replace(pg) BUG_ON(pg != NULL) +#define p2m_pod_offline_or_broken_replace(pg) BUG_ON(pg) #endif #ifndef PGC_static -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:33:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:33:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699336.1092118 (Exim 4.92) (envelope-from ) id 1rq9YO-0000px-N0; Fri, 29 Mar 2024 10:33:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699336.1092118; Fri, 29 Mar 2024 10:33:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9YO-0000pp-Jw; Fri, 29 Mar 2024 10:33:44 +0000 Received: by outflank-mailman (input) for mailman id 699336; Fri, 29 Mar 2024 10:33:42 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9YM-0000pb-O5 for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:42 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9YM-000273-NE for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:42 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9YM-0007Vl-MM for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:42 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=p528Aej+AFQmgIP+4lTZpPgj+W7IvVW546uimXqhUVs=; b=FDouN/QtKZTm5it1YZhItlwJ8+ xAObqyfie6R+kEi5Sv1RNGYmwp1ct6ctVTPR9MXPrXYsSt9NPm77bkpaehGdxv4C3R2TmbdJMCGSw 5POUHoN63lPzwduhy+YTP3ePiMkrGPIIQ+K0DqrfZUIgLsbun1sAmO+mm2xIX5NvkG58=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/hvm: address violations of Rule 20.7 Message-Id: Date: Fri, 29 Mar 2024 10:33:42 +0000 commit a65d9988add1a97f4eebfddfbe5e6fb111b8116a Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:12:30 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:12:30 2024 +0100 x86/hvm: address violations of Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should either gain additional parentheses or have their expressions simplified to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/arch/x86/hvm/hvm.c | 6 +++--- xen/arch/x86/include/asm/hvm/save.h | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/xen/arch/x86/hvm/hvm.c b/xen/arch/x86/hvm/hvm.c index c75959588c..0ce45b177c 100644 --- a/xen/arch/x86/hvm/hvm.c +++ b/xen/arch/x86/hvm/hvm.c @@ -1066,9 +1066,9 @@ static int cf_check hvm_load_cpu_ctxt(struct domain *d, hvm_domain_context_t *h) /* Older Xen versions used to save the segment arbytes directly * from the VMCS on Intel hosts. Detect this and rearrange them * into the struct segment_register format. */ -#define UNFOLD_ARBYTES(_r) \ - if ( (_r & 0xf000) && !(_r & 0x0f00) ) \ - _r = ((_r & 0xff) | ((_r >> 4) & 0xf00)) +#define UNFOLD_ARBYTES(_r) \ + if ( ((_r) & 0xf000) && !((_r) & 0x0f00) ) \ + (_r) = (((_r) & 0xff) | (((_r) >> 4) & 0xf00)) UNFOLD_ARBYTES(ctxt.cs_arbytes); UNFOLD_ARBYTES(ctxt.ds_arbytes); UNFOLD_ARBYTES(ctxt.es_arbytes); diff --git a/xen/arch/x86/include/asm/hvm/save.h b/xen/arch/x86/include/asm/hvm/save.h index 04a47ffcc4..8149aa113c 100644 --- a/xen/arch/x86/include/asm/hvm/save.h +++ b/xen/arch/x86/include/asm/hvm/save.h @@ -128,9 +128,9 @@ static int __init cf_check __hvm_register_##_x##_save_and_restore(void) \ { \ hvm_register_savevm(HVM_SAVE_CODE(_x), \ #_x, \ - &_save, \ + _save, \ check, \ - &_load, \ + _load, \ (_num) * (HVM_SAVE_LENGTH(_x) \ + sizeof (struct hvm_save_descriptor)), \ _k); \ -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:33:53 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:33:53 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699337.1092120 (Exim 4.92) (envelope-from ) id 1rq9YX-0000tZ-Pu; Fri, 29 Mar 2024 10:33:53 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699337.1092120; Fri, 29 Mar 2024 10:33:53 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9YX-0000tS-NU; Fri, 29 Mar 2024 10:33:53 +0000 Received: by outflank-mailman (input) for mailman id 699337; Fri, 29 Mar 2024 10:33:52 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9YW-0000tG-St for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:52 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9YW-00027A-QF for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:52 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9YW-0007WS-PJ for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:33:52 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=HfiuyKiUGv7u4q7m8PNMcIHTyqtWfPRN5QgqEgDUrOU=; b=0Iuitb2amWqBIQb8XqjhKbpLBY 7CizLbNBufx8ZdqkxaHep+z13+lL/gRykjgsG8Af1X3enuypHLkxBSqciQnD58ax6YHXOUs4ESDeE UXK1FpDrN4K1LecCkEDnBbZd2Vljr0V6DATInVcemVWopjpCbtVGwptpUlg1L0OfCDmw=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/public: address violations of MISRA C Rule 20.7 Message-Id: Date: Fri, 29 Mar 2024 10:33:52 +0000 commit f6a413994882a6fef2d40e52998582fd2d595fdf Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:12:58 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:12:58 2024 +0100 x86/public: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/include/public/arch-x86/xen.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/include/public/arch-x86/xen.h b/xen/include/public/arch-x86/xen.h index c0f4551247..a9a87d9b50 100644 --- a/xen/include/public/arch-x86/xen.h +++ b/xen/include/public/arch-x86/xen.h @@ -36,7 +36,7 @@ #define __XEN_GUEST_HANDLE(name) __guest_handle_ ## name #define XEN_GUEST_HANDLE(name) __XEN_GUEST_HANDLE(name) #define XEN_GUEST_HANDLE_PARAM(name) XEN_GUEST_HANDLE(name) -#define set_xen_guest_handle_raw(hnd, val) do { (hnd).p = val; } while (0) +#define set_xen_guest_handle_raw(hnd, val) do { (hnd).p = (val); } while (0) #define set_xen_guest_handle(hnd, val) set_xen_guest_handle_raw(hnd, val) #if defined(__i386__) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:34:03 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:34:03 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699338.1092125 (Exim 4.92) (envelope-from ) id 1rq9Yh-0000vs-Rl; Fri, 29 Mar 2024 10:34:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699338.1092125; Fri, 29 Mar 2024 10:34:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Yh-0000vk-P2; Fri, 29 Mar 2024 10:34:03 +0000 Received: by outflank-mailman (input) for mailman id 699338; Fri, 29 Mar 2024 10:34:02 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Yg-0000vc-UH for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:02 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Yg-00027U-TJ for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:02 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9Yg-0007XQ-ST for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:02 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=3lpVc4kPeXjPYlidAemVGIQapy0leluKO6jhWQSl2Ho=; b=K0bJR34rZAHIugPBZDmFgOy7za 1HHOZFW7JO0WzBShd4wh4jndBMIsUOVrS0ie1PpGwBjN01yN6Z1IIA43J26Vdzy9uLW5TBL76+U2C eX0mGEf/h7ApVGtCD6vNEExLn+cIs+/KTcYvow+42JQk1FwSk+ySB39bc0WDDdylH/0A=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] Revert "xen/x86: bzImage parse kernel_alignment" Message-Id: Date: Fri, 29 Mar 2024 10:34:02 +0000 commit 8802230bfa39af8eb0ea7aa7e622e2b86002771a Author: Jason Andryuk AuthorDate: Wed Mar 27 09:13:34 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:13:34 2024 +0100 Revert "xen/x86: bzImage parse kernel_alignment" A new ELF note will specify the alignment for a relocatable PVH kernel. ELF notes are suitable for vmlinux and other ELF files, so this Linux-specific bzImage parsing in unnecessary. This reverts commit c44cac229067faeec8f49247d1cf281723ac2d40. Signed-off-by: Jason Andryuk Acked-by: Jan Beulich --- xen/arch/x86/bzimage.c | 4 +--- xen/arch/x86/hvm/dom0_build.c | 4 +--- xen/arch/x86/include/asm/bzimage.h | 2 +- xen/arch/x86/pv/dom0_build.c | 2 +- 4 files changed, 4 insertions(+), 8 deletions(-) diff --git a/xen/arch/x86/bzimage.c b/xen/arch/x86/bzimage.c index 0f4cfc49f7..ac4fd428be 100644 --- a/xen/arch/x86/bzimage.c +++ b/xen/arch/x86/bzimage.c @@ -105,7 +105,7 @@ unsigned long __init bzimage_headroom(void *image_start, } int __init bzimage_parse(void *image_base, void **image_start, - unsigned long *image_len, unsigned int *align) + unsigned long *image_len) { struct setup_header *hdr = (struct setup_header *)(*image_start); int err = bzimage_check(hdr, *image_len); @@ -118,8 +118,6 @@ int __init bzimage_parse(void *image_base, void **image_start, { *image_start += (hdr->setup_sects + 1) * 512 + hdr->payload_offset; *image_len = hdr->payload_length; - if ( align ) - *align = hdr->kernel_alignment; } if ( elf_is_elfbinary(*image_start, *image_len) ) diff --git a/xen/arch/x86/hvm/dom0_build.c b/xen/arch/x86/hvm/dom0_build.c index bbae8a5645..0ceda4140b 100644 --- a/xen/arch/x86/hvm/dom0_build.c +++ b/xen/arch/x86/hvm/dom0_build.c @@ -548,14 +548,12 @@ static int __init pvh_load_kernel(struct domain *d, const module_t *image, struct elf_binary elf; struct elf_dom_parms parms; paddr_t last_addr; - unsigned int align = 0; struct hvm_start_info start_info = { 0 }; struct hvm_modlist_entry mod = { 0 }; struct vcpu *v = d->vcpu[0]; int rc; - rc = bzimage_parse(image_base, &image_start, &image_len, &align); - if ( rc != 0 ) + if ( (rc = bzimage_parse(image_base, &image_start, &image_len)) != 0 ) { printk("Error trying to detect bz compressed kernel\n"); return rc; diff --git a/xen/arch/x86/include/asm/bzimage.h b/xen/arch/x86/include/asm/bzimage.h index 2e04f5cc7b..7ed69d3910 100644 --- a/xen/arch/x86/include/asm/bzimage.h +++ b/xen/arch/x86/include/asm/bzimage.h @@ -6,6 +6,6 @@ unsigned long bzimage_headroom(void *image_start, unsigned long image_length); int bzimage_parse(void *image_base, void **image_start, - unsigned long *image_len, unsigned int *align); + unsigned long *image_len); #endif /* __X86_BZIMAGE_H__ */ diff --git a/xen/arch/x86/pv/dom0_build.c b/xen/arch/x86/pv/dom0_build.c index e9fa8a9a82..d8043fa58a 100644 --- a/xen/arch/x86/pv/dom0_build.c +++ b/xen/arch/x86/pv/dom0_build.c @@ -416,7 +416,7 @@ int __init dom0_construct_pv(struct domain *d, d->max_pages = ~0U; - if ( (rc = bzimage_parse(image_base, &image_start, &image_len, NULL)) != 0 ) + if ( (rc = bzimage_parse(image_base, &image_start, &image_len)) != 0 ) return rc; if ( (rc = elf_init(&elf, image_start, image_len)) != 0 ) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:34:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:34:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699339.1092128 (Exim 4.92) (envelope-from ) id 1rq9Yr-0000z2-T7; Fri, 29 Mar 2024 10:34:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699339.1092128; Fri, 29 Mar 2024 10:34:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Yr-0000yu-QT; Fri, 29 Mar 2024 10:34:13 +0000 Received: by outflank-mailman (input) for mailman id 699339; Fri, 29 Mar 2024 10:34:13 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Yr-0000yj-0f for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:13 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Yq-00027b-WB for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:12 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9Yq-0007Xz-VQ for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:12 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=OrlPxNdv6A8Q7ZUeWljJNmaXflb30sAHX2AViBVQETU=; b=c1GP7PJ6nGz89MSRQo3htjQhJ5 5/PWUUZqWDn+QeXJ6NNBAHmrTGsjzhpbT8W7TGJ6ycPdF7cv1BLrzGf5r42qHNU1kN/HyIedvnlgD upDVrfe12+U+mCNMeYC5T7Csky9T+bsBe0pxW/mbwCqpKjoGju4A87JBrsKns7DTfJHQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] libelf: Expand ELF note printing Message-Id: Date: Fri, 29 Mar 2024 10:34:12 +0000 commit 7d8c9b4e8d0f3382c647289256f1573d6afa7e46 Author: Jason Andryuk AuthorDate: Wed Mar 27 09:13:55 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:13:55 2024 +0100 libelf: Expand ELF note printing The XEN_ELFNOTE_L1_MFN_VALID is an array of pairs of values, but it is printed as: (XEN) ELF: note: L1_MFN_VALID = 0 This is a limitation of only printing either string or numeric values. Switch from the boolean to an enum which allows more flexibility in printing the values. Introduce ELFNOTE_NAME to only print the name without a value like: (XEN) ELF: note: L1_MFN_VALID Details can optionally be printed for specific notes. Signed-off-by: Jason Andryuk Reviewed-by: Jan Beulich --- xen/common/libelf/libelf-dominfo.c | 61 ++++++++++++++++++++++++-------------- 1 file changed, 38 insertions(+), 23 deletions(-) diff --git a/xen/common/libelf/libelf-dominfo.c b/xen/common/libelf/libelf-dominfo.c index a13a5e4db6..0cdb419b8a 100644 --- a/xen/common/libelf/libelf-dominfo.c +++ b/xen/common/libelf/libelf-dominfo.c @@ -101,26 +101,30 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf, /* *INDENT-OFF* */ static const struct { const char *name; - bool str; + enum { + ELFNOTE_INT, + ELFNOTE_STRING, + ELFNOTE_NAME, + } type; } note_desc[] = { - [XEN_ELFNOTE_ENTRY] = { "ENTRY", 0}, - [XEN_ELFNOTE_HYPERCALL_PAGE] = { "HYPERCALL_PAGE", 0}, - [XEN_ELFNOTE_VIRT_BASE] = { "VIRT_BASE", 0}, - [XEN_ELFNOTE_INIT_P2M] = { "INIT_P2M", 0}, - [XEN_ELFNOTE_PADDR_OFFSET] = { "PADDR_OFFSET", 0}, - [XEN_ELFNOTE_HV_START_LOW] = { "HV_START_LOW", 0}, - [XEN_ELFNOTE_XEN_VERSION] = { "XEN_VERSION", 1}, - [XEN_ELFNOTE_GUEST_OS] = { "GUEST_OS", 1}, - [XEN_ELFNOTE_GUEST_VERSION] = { "GUEST_VERSION", 1}, - [XEN_ELFNOTE_LOADER] = { "LOADER", 1}, - [XEN_ELFNOTE_PAE_MODE] = { "PAE_MODE", 1}, - [XEN_ELFNOTE_FEATURES] = { "FEATURES", 1}, - [XEN_ELFNOTE_SUPPORTED_FEATURES] = { "SUPPORTED_FEATURES", 0}, - [XEN_ELFNOTE_BSD_SYMTAB] = { "BSD_SYMTAB", 1}, - [XEN_ELFNOTE_L1_MFN_VALID] = { "L1_MFN_VALID", false }, - [XEN_ELFNOTE_SUSPEND_CANCEL] = { "SUSPEND_CANCEL", 0 }, - [XEN_ELFNOTE_MOD_START_PFN] = { "MOD_START_PFN", 0 }, - [XEN_ELFNOTE_PHYS32_ENTRY] = { "PHYS32_ENTRY", 0 }, + [XEN_ELFNOTE_ENTRY] = { "ENTRY", ELFNOTE_INT }, + [XEN_ELFNOTE_HYPERCALL_PAGE] = { "HYPERCALL_PAGE", ELFNOTE_INT }, + [XEN_ELFNOTE_VIRT_BASE] = { "VIRT_BASE", ELFNOTE_INT }, + [XEN_ELFNOTE_INIT_P2M] = { "INIT_P2M", ELFNOTE_INT }, + [XEN_ELFNOTE_PADDR_OFFSET] = { "PADDR_OFFSET", ELFNOTE_INT }, + [XEN_ELFNOTE_HV_START_LOW] = { "HV_START_LOW", ELFNOTE_INT }, + [XEN_ELFNOTE_XEN_VERSION] = { "XEN_VERSION", ELFNOTE_STRING }, + [XEN_ELFNOTE_GUEST_OS] = { "GUEST_OS", ELFNOTE_STRING }, + [XEN_ELFNOTE_GUEST_VERSION] = { "GUEST_VERSION", ELFNOTE_STRING }, + [XEN_ELFNOTE_LOADER] = { "LOADER", ELFNOTE_STRING }, + [XEN_ELFNOTE_PAE_MODE] = { "PAE_MODE", ELFNOTE_STRING }, + [XEN_ELFNOTE_FEATURES] = { "FEATURES", ELFNOTE_STRING }, + [XEN_ELFNOTE_SUPPORTED_FEATURES] = { "SUPPORTED_FEATURES", ELFNOTE_INT }, + [XEN_ELFNOTE_BSD_SYMTAB] = { "BSD_SYMTAB", ELFNOTE_STRING }, + [XEN_ELFNOTE_L1_MFN_VALID] = { "L1_MFN_VALID", ELFNOTE_NAME }, + [XEN_ELFNOTE_SUSPEND_CANCEL] = { "SUSPEND_CANCEL", ELFNOTE_INT }, + [XEN_ELFNOTE_MOD_START_PFN] = { "MOD_START_PFN", ELFNOTE_INT }, + [XEN_ELFNOTE_PHYS32_ENTRY] = { "PHYS32_ENTRY", ELFNOTE_INT }, }; /* *INDENT-ON* */ @@ -136,8 +140,9 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf, return 0; } - if ( note_desc[type].str ) + switch ( note_desc[type].type ) { + case ELFNOTE_STRING : str = elf_strval(elf, elf_note_desc(elf, note)); if (str == NULL) /* elf_strval will mark elf broken if it fails so no need to log */ @@ -145,13 +150,19 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf, elf_msg(elf, "ELF: note: %s = \"%s\"\n", note_desc[type].name, str); parms->elf_notes[type].type = XEN_ENT_STR; parms->elf_notes[type].data.str = str; - } - else - { + break; + + case ELFNOTE_INT: val = elf_note_numeric(elf, note); elf_msg(elf, "ELF: note: %s = %#" PRIx64 "\n", note_desc[type].name, val); parms->elf_notes[type].type = XEN_ENT_LONG; parms->elf_notes[type].data.num = val; + break; + + case ELFNOTE_NAME: + /* NB: Newline emitted further down. */ + elf_msg(elf, "ELF: note: %s", note_desc[type].name); + break; } parms->elf_notes[type].name = note_desc[type].name; @@ -218,6 +229,10 @@ elf_errorstatus elf_xen_parse_note(struct elf_binary *elf, parms->phys_entry = val; break; } + + if ( note_desc[type].type == ELFNOTE_NAME) + elf_msg(elf, "\n"); + return 0; } -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:34:24 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:34:24 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699340.1092133 (Exim 4.92) (envelope-from ) id 1rq9Z1-00011g-Us; Fri, 29 Mar 2024 10:34:23 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699340.1092133; Fri, 29 Mar 2024 10:34:23 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Z1-00011Y-Rx; Fri, 29 Mar 2024 10:34:23 +0000 Received: by outflank-mailman (input) for mailman id 699340; Fri, 29 Mar 2024 10:34:23 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Z1-00011O-3R for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:23 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Z1-00027l-2j for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:23 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9Z1-0007YW-21 for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:23 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=y+sK+ZyQRWq4kBm1TO5ImWl8/yAPpmOLBAtvEjGT5XU=; b=bStvCSMQuHlWw6jrLSnYKhCWzl EdnEdaXvwZp8+UNDAjaHs5A0rEKkOVO7U7gMDxQzd9QAndFGzfwQm7SsRiAjNMoK8Ta4kSYm2f56b pfetWXWj/lym4mt2JNFPdUSDD/XnC8KDTbQTvRt4QgB6ooYKgTKHjlEv0gXBGtvHi3wY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/elfnote: Specify ELF Notes are x86-specific Message-Id: Date: Fri, 29 Mar 2024 10:34:23 +0000 commit 853c71dfbf520a84158d23803de8e29d08c957bb Author: Jason Andryuk AuthorDate: Wed Mar 27 09:14:17 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:14:17 2024 +0100 xen/elfnote: Specify ELF Notes are x86-specific The Xen ELF Notes are only used with x86. libelf's elf_xen_note_check() exits early for ARM binaries with "ELF: Not bothering with notes on ARM". Add a comment to the top of elfnote.h specifying that Notes are only used with x86 binaries. This is to avoid adding disclaimers for individual notes. Signed-off-by: Jason Andryuk Acked-by: Jan Beulich --- xen/include/public/elfnote.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/xen/include/public/elfnote.h b/xen/include/public/elfnote.h index 8bf54d035b..1d84b05f44 100644 --- a/xen/include/public/elfnote.h +++ b/xen/include/public/elfnote.h @@ -24,6 +24,8 @@ * * String values (for non-legacy) are NULL terminated ASCII, also known * as ASCIZ type. + * + * Xen only uses ELF Notes contained in x86 binaries. */ /* -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:34:34 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:34:34 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699341.1092137 (Exim 4.92) (envelope-from ) id 1rq9ZB-00014Y-WB; Fri, 29 Mar 2024 10:34:33 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699341.1092137; Fri, 29 Mar 2024 10:34:33 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9ZB-00014Q-TT; Fri, 29 Mar 2024 10:34:33 +0000 Received: by outflank-mailman (input) for mailman id 699341; Fri, 29 Mar 2024 10:34:33 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9ZB-00014H-8J for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:33 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9ZB-00027u-7W for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:33 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9ZB-0007ZK-4o for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:33 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=eJqqcN/6mu//C7AtBPJ2h5nToTydlsqxAqjX0xUOguE=; b=xgnDnTyJLVeEKGC3W9JdLzhwtN 29SzzAj7CA2RBOdeIz16LYfxF6glIqpfob8WWWR/3/VCfKSIVS/C5J70lXObMb3rizZnYHkwECY6O KHIp8dYASxvOKSc9z/DCp6OnjW/0FBRhIgqyCkuKPA9TaTJKTv0uy12xT5kRzQrKF8AQ=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] xen/efi: efibind: address violations of MISRA C Rule 20.7 Message-Id: Date: Fri, 29 Mar 2024 10:34:33 +0000 commit e3883336bb5abba2ec2231618f5b64f61b099b1e Author: Nicola Vetrini AuthorDate: Wed Mar 27 09:20:29 2024 +0100 Commit: Jan Beulich CommitDate: Wed Mar 27 09:20:29 2024 +0100 xen/efi: efibind: address violations of MISRA C Rule 20.7 MISRA C Rule 20.7 states: "Expressions resulting from the expansion of macro parameters shall be enclosed in parentheses". Therefore, some macro definitions should gain additional parentheses to ensure that all current and future users will be safe with respect to expansions that can possibly alter the semantics of the passed-in macro parameter. No functional change. Signed-off-by: Nicola Vetrini Acked-by: Jan Beulich --- xen/arch/arm/include/asm/arm64/efibind.h | 4 ++-- xen/arch/x86/include/asm/x86_64/efibind.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/xen/arch/arm/include/asm/arm64/efibind.h b/xen/arch/arm/include/asm/arm64/efibind.h index f13eadd4f0..a1323d452e 100644 --- a/xen/arch/arm/include/asm/arm64/efibind.h +++ b/xen/arch/arm/include/asm/arm64/efibind.h @@ -22,9 +22,9 @@ Revision History #pragma pack() #endif -#define EFIERR(a) (0x8000000000000000ULL | a) +#define EFIERR(a) (0x8000000000000000ULL | (a)) #define EFI_ERROR_MASK 0x8000000000000000ULL -#define EFIERR_OEM(a) (0xc000000000000000ULL | a) +#define EFIERR_OEM(a) (0xc000000000000000ULL | (a)) #define BAD_POINTER 0xFBFBFBFBFBFBFBFBULL #define MAX_ADDRESS 0xFFFFFFFFFFFFFFFFULL diff --git a/xen/arch/x86/include/asm/x86_64/efibind.h b/xen/arch/x86/include/asm/x86_64/efibind.h index e23cd16cb6..28bc18c24b 100644 --- a/xen/arch/x86/include/asm/x86_64/efibind.h +++ b/xen/arch/x86/include/asm/x86_64/efibind.h @@ -117,9 +117,9 @@ typedef uint64_t UINTN; #endif #endif -#define EFIERR(a) (0x8000000000000000 | a) +#define EFIERR(a) (0x8000000000000000 | (a)) #define EFI_ERROR_MASK 0x8000000000000000 -#define EFIERR_OEM(a) (0xc000000000000000 | a) +#define EFIERR_OEM(a) (0xc000000000000000 | (a)) #define BAD_POINTER 0xFBFBFBFBFBFBFBFB -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:34:44 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:34:44 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699342.1092141 (Exim 4.92) (envelope-from ) id 1rq9ZM-00017S-1D; Fri, 29 Mar 2024 10:34:44 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699342.1092141; Fri, 29 Mar 2024 10:34:44 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9ZL-00017K-Us; Fri, 29 Mar 2024 10:34:43 +0000 Received: by outflank-mailman (input) for mailman id 699342; Fri, 29 Mar 2024 10:34:43 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9ZL-00017A-BM for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:43 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9ZL-00028Q-AU for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:43 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9ZL-0007Zt-9k for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:43 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=KLdVf4/8Oj+QjYONZ4C/qeL3NL5cEMAZugTkgYMqBo4=; b=siXXzstsXOV2nWAgjUa8gdTtMP XVN6eSjknbaUpT/enjo2er58mqtnwM2ToTTg5tc4FIC6IYIE4jc+f0/+icz92EXFhxATRz44Lifit 5oq4cdo0AnjIVS2L3vS21E9m9pE0i8pBUDMo94vX5xGckpmE1Irz7tRF4MGJMMth/u2I=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86: Move SVM features exposed to guest into hvm_max_cpu_policy Message-Id: Date: Fri, 29 Mar 2024 10:34:43 +0000 commit 4f8b0e94d7ca941876760abe29b31e17e3f593ce Author: George Dunlap AuthorDate: Mon Feb 26 16:10:07 2024 +0000 Commit: George Dunlap CommitDate: Wed Mar 27 11:44:52 2024 +0000 x86: Move SVM features exposed to guest into hvm_max_cpu_policy Currently (nested) SVM features we're willing to expose to the guest are defined in calculate_host_policy, and stored in host_cpu_policy. This is the wrong place for this; move it into calculate_hvm_max_policy(), and store it in hvm_max_cpu_policy. Signed-off-by: George Dunlap Reviewed-by: Jan Beulich --- xen/arch/x86/cpu-policy.c | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index 2acc27632f..bd047456eb 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -398,19 +398,6 @@ static void __init calculate_host_policy(void) if ( vpmu_mode == XENPMU_MODE_OFF ) p->basic.raw[0xa] = EMPTY_LEAF; - if ( p->extd.svm ) - { - /* Clamp to implemented features which require hardware support. */ - p->extd.raw[0xa].d &= ((1u << SVM_FEATURE_NPT) | - (1u << SVM_FEATURE_LBRV) | - (1u << SVM_FEATURE_NRIPS) | - (1u << SVM_FEATURE_PAUSEFILTER) | - (1u << SVM_FEATURE_DECODEASSISTS)); - /* Enable features which are always emulated. */ - p->extd.raw[0xa].d |= ((1u << SVM_FEATURE_VMCBCLEAN) | - (1u << SVM_FEATURE_TSCRATEMSR)); - } - /* 0x000000ce MSR_INTEL_PLATFORM_INFO */ /* probe_cpuid_faulting() sanity checks presence of MISC_FEATURES_ENABLES */ p->platform_info.cpuid_faulting = cpu_has_cpuid_faulting; @@ -741,6 +728,23 @@ static void __init calculate_hvm_max_policy(void) if ( !cpu_has_vmx ) __clear_bit(X86_FEATURE_PKS, fs); + /* + * Make adjustments to possible (nested) virtualization features exposed + * to the guest + */ + if ( p->extd.svm ) + { + /* Clamp to implemented features which require hardware support. */ + p->extd.raw[0xa].d &= ((1u << SVM_FEATURE_NPT) | + (1u << SVM_FEATURE_LBRV) | + (1u << SVM_FEATURE_NRIPS) | + (1u << SVM_FEATURE_PAUSEFILTER) | + (1u << SVM_FEATURE_DECODEASSISTS)); + /* Enable features which are always emulated. */ + p->extd.raw[0xa].d |= ((1u << SVM_FEATURE_VMCBCLEAN) | + (1u << SVM_FEATURE_TSCRATEMSR)); + } + guest_common_max_feature_adjustments(fs); guest_common_feature_adjustments(fs); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:34:54 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:34:54 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699343.1092144 (Exim 4.92) (envelope-from ) id 1rq9ZW-0001AB-2e; Fri, 29 Mar 2024 10:34:54 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699343.1092144; Fri, 29 Mar 2024 10:34:54 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9ZW-0001A4-04; Fri, 29 Mar 2024 10:34:54 +0000 Received: by outflank-mailman (input) for mailman id 699343; Fri, 29 Mar 2024 10:34:53 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9ZV-00019v-EQ for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:53 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9ZV-00028d-Dd for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:53 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9ZV-0007ae-Cv for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:34:53 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=CBZM/Sz+4li2pRqlHhUtCgC/Ybh32Xk1CHc9DVpnc8U=; b=Zu9o/iMm7uuBUKADqXloADlXLb ZQDwwGfIvhr2Fqoejs2tbqTt9OfLZ3IeOGwuhkuIyyMIytsk+xbCIZnRcrfZJJlA/F6iJ4Slduo1r z4Doi+KxMimgYOMwzssw8NZr7fn1VVSDrAFp/pm6CCOanpuAh1W9ZINt1U7ErAOrKeMI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] nestedsvm: Disable TscRateMSR Message-Id: Date: Fri, 29 Mar 2024 10:34:53 +0000 commit 0cd50753eb40ca5f00ea1ced9f80ce5f478e560c Author: George Dunlap AuthorDate: Fri Jan 19 09:27:54 2024 +0000 Commit: George Dunlap CommitDate: Wed Mar 27 11:44:52 2024 +0000 nestedsvm: Disable TscRateMSR The primary purpose of TSC scaling, from our perspective, is to maintain the fiction of an "invariant TSC" across migrates between platforms with different clock speeds. On AMD, the TscRateMSR CPUID bit is unconditionally enabled in the "host cpuid", even if the hardware doesn't actually support it. According to c/s fd14a1943c4 ("nestedsvm: Support TSC Rate MSR"), testing showed that emulating TSC scaling in an L1 was more expensive than emulating TSC scaling on an L0 (due to extra sets of vmexit / vmenter). However, the current implementation seems to be broken. First of all, the final L2 scaling ratio should be a composition of the L0 scaling ratio and the L1 scaling ratio; there's no indication this is being done anywhere. Secondly, it's not clear that the L1 tsc scaling ratio actually affects the L0 tsc scaling ratio. The stored value (ns_tscratio) is used to affect the tsc *offset*, but doesn't seem to actually be factored into d->hvm.tsc_scaling_ratio. (Which shouldn't be per-domain anyway, but per-vcpu.) Having the *offset* scaled according to the nested scaling without the actual RDTSC itself also being scaled has got to produce inconsistent results. For now, just disable the functionality entirely until we can implement it properly: - Don't set TSCRATEMSR in the HVM max CPUID policy - Remove MSR_AMD64_TSC_RATIO emulation handling, so that the guest guests a #GP if it tries to access them (as it should when TSCRATEMSR is clear) - Remove ns_tscratio from struct nestedhvm, and all code that touches it Unfortunately this means ripping out the scaling calculation stuff as well, since it's only used in the nested case; it's there in the git tree if we need it for reference when we re-introduce it. Signed-off-by: George Dunlap Acked-by: Jan Beulich --- xen/arch/x86/cpu-policy.c | 3 +- xen/arch/x86/hvm/svm/nestedsvm.c | 2 - xen/arch/x86/hvm/svm/svm.c | 57 ---------------------------- xen/arch/x86/include/asm/hvm/svm/nestedsvm.h | 5 --- 4 files changed, 1 insertion(+), 66 deletions(-) diff --git a/xen/arch/x86/cpu-policy.c b/xen/arch/x86/cpu-policy.c index bd047456eb..5952ff20e6 100644 --- a/xen/arch/x86/cpu-policy.c +++ b/xen/arch/x86/cpu-policy.c @@ -741,8 +741,7 @@ static void __init calculate_hvm_max_policy(void) (1u << SVM_FEATURE_PAUSEFILTER) | (1u << SVM_FEATURE_DECODEASSISTS)); /* Enable features which are always emulated. */ - p->extd.raw[0xa].d |= ((1u << SVM_FEATURE_VMCBCLEAN) | - (1u << SVM_FEATURE_TSCRATEMSR)); + p->extd.raw[0xa].d |= (1u << SVM_FEATURE_VMCBCLEAN); } guest_common_max_feature_adjustments(fs); diff --git a/xen/arch/x86/hvm/svm/nestedsvm.c b/xen/arch/x86/hvm/svm/nestedsvm.c index a8d5f4ee95..b50bfe6a28 100644 --- a/xen/arch/x86/hvm/svm/nestedsvm.c +++ b/xen/arch/x86/hvm/svm/nestedsvm.c @@ -146,8 +146,6 @@ int cf_check nsvm_vcpu_reset(struct vcpu *v) svm->ns_msr_hsavepa = INVALID_PADDR; svm->ns_ovvmcb_pa = INVALID_PADDR; - svm->ns_tscratio = DEFAULT_TSC_RATIO; - svm->ns_cr_intercepts = 0; svm->ns_dr_intercepts = 0; svm->ns_exception_intercepts = 0; diff --git a/xen/arch/x86/hvm/svm/svm.c b/xen/arch/x86/hvm/svm/svm.c index b1ab0b568b..6a47c5915c 100644 --- a/xen/arch/x86/hvm/svm/svm.c +++ b/xen/arch/x86/hvm/svm/svm.c @@ -777,43 +777,6 @@ static int cf_check svm_get_guest_pat(struct vcpu *v, u64 *gpat) return 1; } -static uint64_t scale_tsc(uint64_t host_tsc, uint64_t ratio) -{ - uint64_t mult, frac, scaled_host_tsc; - - if ( ratio == DEFAULT_TSC_RATIO ) - return host_tsc; - - /* - * Suppose the most significant 32 bits of host_tsc and ratio are - * tsc_h and mult, and the least 32 bits of them are tsc_l and frac, - * then - * host_tsc * ratio * 2^-32 - * = host_tsc * (mult * 2^32 + frac) * 2^-32 - * = host_tsc * mult + (tsc_h * 2^32 + tsc_l) * frac * 2^-32 - * = host_tsc * mult + tsc_h * frac + ((tsc_l * frac) >> 32) - * - * Multiplications in the last two terms are between 32-bit integers, - * so both of them can fit in 64-bit integers. - * - * Because mult is usually less than 10 in practice, it's very rare - * that host_tsc * mult can overflow a 64-bit integer. - */ - mult = ratio >> 32; - frac = ratio & ((1ULL << 32) - 1); - scaled_host_tsc = host_tsc * mult; - scaled_host_tsc += (host_tsc >> 32) * frac; - scaled_host_tsc += ((host_tsc & ((1ULL << 32) - 1)) * frac) >> 32; - - return scaled_host_tsc; -} - -static uint64_t svm_get_tsc_offset(uint64_t host_tsc, uint64_t guest_tsc, - uint64_t ratio) -{ - return guest_tsc - scale_tsc(host_tsc, ratio); -} - static void cf_check svm_set_tsc_offset(struct vcpu *v, u64 offset, u64 at_tsc) { struct vmcb_struct *vmcb = v->arch.hvm.svm.vmcb; @@ -832,18 +795,8 @@ static void cf_check svm_set_tsc_offset(struct vcpu *v, u64 offset, u64 at_tsc) if ( nestedhvm_vcpu_in_guestmode(v) ) { - struct nestedsvm *svm = &vcpu_nestedsvm(v); - n2_tsc_offset = vmcb_get_tsc_offset(n2vmcb) - vmcb_get_tsc_offset(n1vmcb); - if ( svm->ns_tscratio != DEFAULT_TSC_RATIO ) - { - uint64_t guest_tsc = hvm_get_guest_tsc_fixed(v, at_tsc); - - n2_tsc_offset = svm_get_tsc_offset(guest_tsc, - guest_tsc + n2_tsc_offset, - svm->ns_tscratio); - } vmcb_set_tsc_offset(n1vmcb, offset); } @@ -1921,10 +1874,6 @@ static int cf_check svm_msr_read_intercept( *msr_content = nsvm->ns_msr_hsavepa; break; - case MSR_AMD64_TSC_RATIO: - *msr_content = nsvm->ns_tscratio; - break; - case MSR_AMD_OSVW_ID_LENGTH: case MSR_AMD_OSVW_STATUS: if ( !d->arch.cpuid->extd.osvw ) @@ -2103,12 +2052,6 @@ static int cf_check svm_msr_write_intercept( goto gpf; break; - case MSR_AMD64_TSC_RATIO: - if ( msr_content & TSC_RATIO_RSVD_BITS ) - goto gpf; - nsvm->ns_tscratio = msr_content; - break; - case MSR_IA32_MCx_MISC(4): /* Threshold register */ case MSR_F10_MC4_MISC1 ... MSR_F10_MC4_MISC3: /* diff --git a/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h b/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h index 7767cd6080..205989e800 100644 --- a/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h +++ b/xen/arch/x86/include/asm/hvm/svm/nestedsvm.h @@ -18,11 +18,6 @@ struct nestedsvm { */ uint64_t ns_ovvmcb_pa; - /* virtual tscratio holding the value l1 guest writes to the - * MSR_AMD64_TSC_RATIO MSR. - */ - uint64_t ns_tscratio; - /* Cached real intercepts of the l2 guest */ uint32_t ns_cr_intercepts; uint32_t ns_dr_intercepts; -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 10:35:04 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 10:35:04 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699344.1092149 (Exim 4.92) (envelope-from ) id 1rq9Zg-0001DY-5d; Fri, 29 Mar 2024 10:35:04 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699344.1092149; Fri, 29 Mar 2024 10:35:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Zg-0001DP-2q; Fri, 29 Mar 2024 10:35:04 +0000 Received: by outflank-mailman (input) for mailman id 699344; Fri, 29 Mar 2024 10:35:03 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Zf-0001DH-HM for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:35:03 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rq9Zf-00028x-Gb for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:35:03 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rq9Zf-0007bd-Fl for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 10:35:03 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=kK/4KaDCHwlnBA8r6ClfJ6Bud4MhVMBP9/eWv48UwkQ=; b=2yIMCqzu8gWt8utDQzq+2JTfNn rpoEjBGLOm2MMySVguixbm5NtAO3H2WdIeeRaKXNUcmDcHzS7ZaV0wprKsPiw4/X0dZnPb4EH9ww7 z7wU4zUrhu6xPPKRtYEif4f7kZUozEEI3C4VcoTtyE5AuXy1J0MKfuRTN+QpLXXG2w/k=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] tools/oxenstored: Re-format Message-Id: Date: Fri, 29 Mar 2024 10:35:03 +0000 commit 8f85af65af76727692b9c2dea4f470f503432d2f Author: Andrew Cooper AuthorDate: Mon Feb 26 10:47:29 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:00:47 2024 +0000 tools/oxenstored: Re-format Rerun make format. Fixes: b6cf604207fd ("tools/oxenstored: Use Map instead of Hashtbl for quotas") Signed-off-by: Andrew Cooper Reviewed-by: Edwin Török --- tools/ocaml/xenstored/quota.ml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index 1f652040d8..082cd25f26 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -55,13 +55,13 @@ let _check quota id size = raise Data_too_big ); if id > 0 then - try - let entry = DomidMap.find id quota.cur in - if entry >= quota.maxent then ( - warn "domain %u cannot create entry: quota reached" id; - raise Limit_reached - ) - with Not_found -> () + try + let entry = DomidMap.find id quota.cur in + if entry >= quota.maxent then ( + warn "domain %u cannot create entry: quota reached" id; + raise Limit_reached + ) + with Not_found -> () let check quota id size = if !activate then @@ -88,4 +88,4 @@ let merge orig_quota mod_quota dest_quota = | diff -> update_entry dest id diff (* update with [x=x+diff] *) in {dest_quota with cur = DomidMap.fold fold_merge mod_quota.cur dest_quota.cur} - (* dest_quota = dest_quota + (mod_quota - orig_quota) *) +(* dest_quota = dest_quota + (mod_quota - orig_quota) *) -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 18:55:11 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 18:55:11 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699468.1092253 (Exim 4.92) (envelope-from ) id 1rqHNX-0008Ad-5I; Fri, 29 Mar 2024 18:55:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699468.1092253; Fri, 29 Mar 2024 18:55:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqHNX-0008AV-2c; Fri, 29 Mar 2024 18:55:03 +0000 Received: by outflank-mailman (input) for mailman id 699468; Fri, 29 Mar 2024 18:55:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqHNV-0008AP-Ow for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 18:55:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqHNV-000461-E4 for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 18:55:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rqHNV-00040z-Cz for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 18:55:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=V9Wo7r06tgNYIYAUzyiviIM8KW56rtqKYB+yYkAOoBs=; b=Oc1rzqOgfdc5qmncU3MIpWRkzx aduK9eUWNabnztff6OoNiMk6u7DHj4GtD9rXMYO/SbrXFJas3+s9OdYmV8n09IwoU4FitAAzPh2+n eTrVI8e/EMDo3PMBqPdxaVkJtQv095tTMrxGJx6UAUTaIyXLcRuohygpE8WRXAizrXhM=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] tools/oxenstored: Use Map instead of Hashtbl for quotas Message-Id: Date: Fri, 29 Mar 2024 18:55:01 +0000 commit 3f3158fc3233acb96507503430330af27c4a979d Author: Edwin Török AuthorDate: Wed Jan 31 10:52:55 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:05:30 2024 +0000 tools/oxenstored: Use Map instead of Hashtbl for quotas On a stress test running 1000 VMs flamegraphs have shown that `oxenstored` spends a large amount of time in `Hashtbl.copy` and the GC. Hashtable complexity: * read/write: O(1) average * copy: O(domains) -- copying the entire table Map complexity: * read/write: O(log n) worst case * copy: O(1) -- a word copy We always perform at least one 'copy' when processing each xenstore packet (regardless whether it is a readonly operation or inside a transaction or not), so the actual complexity per packet is: * Hashtbl: O(domains) * Map: O(log domains) Maps are the clear winner, and a better fit for the immutable xenstore tree. Signed-off-by: Edwin Török Acked-by: Christian Lindig (cherry picked from commit b6cf604207fd0a04451a48f2ce6d05fb66c612ab) tools/oxenstored: Re-format Rerun make format. Fixes: b6cf604207fd ("tools/oxenstored: Use Map instead of Hashtbl for quotas") Signed-off-by: Andrew Cooper Reviewed-by: Edwin Török (cherry picked from commit 8f85af65af76727692b9c2dea4f470f503432d2f) --- tools/ocaml/xenstored/quota.ml | 73 ++++++++++++++++++++++-------------------- 1 file changed, 38 insertions(+), 35 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index 300d78a50b..27810b7567 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -23,66 +23,69 @@ let activate = ref true let maxent = ref (1000) let maxsize = ref (2048) +module Domid = struct + type t = Xenctrl.domid + let compare (a:t) (b:t) = compare a b +end + +module DomidMap = Map.Make(Domid) + type t = { maxent: int; (* max entities per domU *) maxsize: int; (* max size of data store in one node *) - cur: (Xenctrl.domid, int) Hashtbl.t; (* current domains quota *) + mutable cur: int DomidMap.t; (* current domains quota *) } let to_string quota domid = - if Hashtbl.mem quota.cur domid - then Printf.sprintf "dom%i quota: %i/%i" domid (Hashtbl.find quota.cur domid) quota.maxent - else Printf.sprintf "dom%i quota: not set" domid + try + Printf.sprintf "dom%i quota: %i/%i" domid (DomidMap.find domid quota.cur) quota.maxent + with Not_found -> + Printf.sprintf "dom%i quota: not set" domid let create () = - { maxent = !maxent; maxsize = !maxsize; cur = Hashtbl.create 100; } + { maxent = !maxent; maxsize = !maxsize; cur = DomidMap.empty; } -let copy quota = { quota with cur = (Hashtbl.copy quota.cur) } +let copy quota = { quota with cur = quota.cur } -let del quota id = Hashtbl.remove quota.cur id +let del quota id = { quota with cur = DomidMap.remove id quota.cur } let _check quota id size = if size > quota.maxsize then ( warn "domain %u err create entry: data too big %d" id size; raise Data_too_big ); - if id > 0 && Hashtbl.mem quota.cur id then - let entry = Hashtbl.find quota.cur id in - if entry >= quota.maxent then ( - warn "domain %u cannot create entry: quota reached" id; - raise Limit_reached - ) + if id > 0 then + try + let entry = DomidMap.find id quota.cur in + if entry >= quota.maxent then ( + warn "domain %u cannot create entry: quota reached" id; + raise Limit_reached + ) + with Not_found -> () let check quota id size = if !activate then _check quota id size -let get_entry quota id = Hashtbl.find quota.cur id +let find_or_zero quota_cur id = + try DomidMap.find id quota_cur with Not_found -> 0 -let set_entry quota id nb = - if nb = 0 - then Hashtbl.remove quota.cur id - else begin - if Hashtbl.mem quota.cur id then - Hashtbl.replace quota.cur id nb - else - Hashtbl.add quota.cur id nb - end +let update_entry quota_cur id diff = + let nb = diff + find_or_zero quota_cur id in + if nb = 0 then DomidMap.remove id quota_cur + else DomidMap.add id nb quota_cur let del_entry quota id = - try - let nb = get_entry quota id in - set_entry quota id (nb - 1) - with Not_found -> () + quota.cur <- update_entry quota.cur id (-1) let add_entry quota id = - let nb = try get_entry quota id with Not_found -> 0 in - set_entry quota id (nb + 1) - -let add quota diff = - Hashtbl.iter (fun id nb -> set_entry quota id (get_entry quota id + nb)) diff.cur + quota.cur <- update_entry quota.cur id (+1) let merge orig_quota mod_quota dest_quota = - Hashtbl.iter (fun id nb -> let diff = nb - (try get_entry orig_quota id with Not_found -> 0) in - if diff <> 0 then - set_entry dest_quota id ((try get_entry dest_quota id with Not_found -> 0) + diff)) mod_quota.cur + let fold_merge id nb dest = + match nb - find_or_zero orig_quota.cur id with + | 0 -> dest (* not modified *) + | diff -> update_entry dest id diff (* update with [x=x+diff] *) + in + dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur +(* dest_quota = dest_quota + (mod_quota - orig_quota) *) -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Fri Mar 29 18:55:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Fri, 29 Mar 2024 18:55:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699470.1092258 (Exim 4.92) (envelope-from ) id 1rqHNh-0008CF-7M; Fri, 29 Mar 2024 18:55:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699470.1092258; Fri, 29 Mar 2024 18:55:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqHNh-0008C7-45; Fri, 29 Mar 2024 18:55:13 +0000 Received: by outflank-mailman (input) for mailman id 699470; Fri, 29 Mar 2024 18:55:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqHNf-0008C1-IF for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 18:55:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqHNf-00046I-HU for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 18:55:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rqHNf-00041a-G8 for xen-changelog@lists.xenproject.org; Fri, 29 Mar 2024 18:55:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=EZg8k+aApnL9qZH6RN9ffo6WNwlaQBA12MtY/CTnK2A=; b=I9LRyDebzbicsBKH8Yo6q4tK7l m4l9+rpm4orQi11szwml3v1MvKSF8ERrm6N9k5bQ6XdHWD4LmzOMrcglVf1HIKkpG0Dfe5P5bFKB7 BCq2Ojjqvg7/k+xQ/fMQjX8xRz2Eb09My6WShsL137YsqztcB0biOn7pEvOUxPM5xjhI=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen stable-4.18] tools/oxenstored: Make Quota.t pure Message-Id: Date: Fri, 29 Mar 2024 18:55:11 +0000 commit 0a8b92d0a47797ec4d70c7fd7b05abbc135b51dc Author: Edwin Török AuthorDate: Wed Jan 31 10:52:56 2024 +0000 Commit: Andrew Cooper CommitDate: Wed Mar 27 16:06:20 2024 +0000 tools/oxenstored: Make Quota.t pure Now that we no longer have a hashtable inside we can make Quota.t pure, and push the mutable update to its callers. Store.t already had a mutable Quota.t field. No functional change. Signed-off-by: Edwin Török Acked-by: Christian Lindig (cherry picked from commit 098d868e52ac0165b7f36e22b767ea70cef70054) --- tools/ocaml/xenstored/quota.ml | 8 ++++---- tools/ocaml/xenstored/store.ml | 17 ++++++++++------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/tools/ocaml/xenstored/quota.ml b/tools/ocaml/xenstored/quota.ml index 27810b7567..082cd25f26 100644 --- a/tools/ocaml/xenstored/quota.ml +++ b/tools/ocaml/xenstored/quota.ml @@ -33,7 +33,7 @@ module DomidMap = Map.Make(Domid) type t = { maxent: int; (* max entities per domU *) maxsize: int; (* max size of data store in one node *) - mutable cur: int DomidMap.t; (* current domains quota *) + cur: int DomidMap.t; (* current domains quota *) } let to_string quota domid = @@ -76,10 +76,10 @@ let update_entry quota_cur id diff = else DomidMap.add id nb quota_cur let del_entry quota id = - quota.cur <- update_entry quota.cur id (-1) + {quota with cur = update_entry quota.cur id (-1)} let add_entry quota id = - quota.cur <- update_entry quota.cur id (+1) + {quota with cur = update_entry quota.cur id (+1)} let merge orig_quota mod_quota dest_quota = let fold_merge id nb dest = @@ -87,5 +87,5 @@ let merge orig_quota mod_quota dest_quota = | 0 -> dest (* not modified *) | diff -> update_entry dest id diff (* update with [x=x+diff] *) in - dest_quota.cur <- DomidMap.fold fold_merge mod_quota.cur dest_quota.cur + {dest_quota with cur = DomidMap.fold fold_merge mod_quota.cur dest_quota.cur} (* dest_quota = dest_quota + (mod_quota - orig_quota) *) diff --git a/tools/ocaml/xenstored/store.ml b/tools/ocaml/xenstored/store.ml index 38a4945372..9b8dd2812d 100644 --- a/tools/ocaml/xenstored/store.ml +++ b/tools/ocaml/xenstored/store.ml @@ -85,7 +85,9 @@ module Node = struct raise Define.Permission_denied; end - let rec recurse fct node = fct node; SymbolMap.iter (fun _ -> recurse fct) node.children + let rec recurse fct node acc = + let acc = fct node acc in + SymbolMap.fold (fun _ -> recurse fct) node.children acc (** [recurse_filter_map f tree] applies [f] on each node in the tree recursively, possibly removing some nodes. @@ -408,7 +410,7 @@ let dump_buffer store = dump_store_buf store.root let set_node store path node orig_quota mod_quota = let root = Path.set_node store.root path node in store.root <- root; - Quota.merge orig_quota mod_quota store.quota + store.quota <- Quota.merge orig_quota mod_quota store.quota let write store perm path value = let node, existing = get_deepest_existing_node store path in @@ -422,7 +424,7 @@ let write store perm path value = let root, node_created = path_write store perm path value in store.root <- root; if node_created - then Quota.add_entry store.quota owner + then store.quota <- Quota.add_entry store.quota owner let mkdir store perm path = let node, existing = get_deepest_existing_node store path in @@ -431,7 +433,7 @@ let mkdir store perm path = if not (existing || (Perms.Connection.is_dom0 perm)) then Quota.check store.quota owner 0; store.root <- path_mkdir store perm path; if not existing then - Quota.add_entry store.quota owner + store.quota <- Quota.add_entry store.quota owner let rm store perm path = let rmed_node = Path.get_node store.root path in @@ -439,7 +441,7 @@ let rm store perm path = | None -> raise Define.Doesnt_exist | Some rmed_node -> store.root <- path_rm store perm path; - Node.recurse (fun node -> Quota.del_entry store.quota (Node.get_owner node)) rmed_node + store.quota <- Node.recurse (fun node quota -> Quota.del_entry quota (Node.get_owner node)) rmed_node store.quota let setperms store perm path nperms = match Path.get_node store.root path with @@ -450,8 +452,9 @@ let setperms store perm path nperms = if not ((old_owner = new_owner) || (Perms.Connection.is_dom0 perm)) then raise Define.Permission_denied; store.root <- path_setperms store perm path nperms; - Quota.del_entry store.quota old_owner; - Quota.add_entry store.quota new_owner + store.quota <- + let quota = Quota.del_entry store.quota old_owner in + Quota.add_entry quota new_owner let reset_permissions store domid = Logging.info "store|node" "Cleaning up xenstore ACLs for domid %d" domid; -- generated by git-patchbot for /home/xen/git/xen.git#stable-4.18 From xen-changelog-bounces@lists.xenproject.org Sat Mar 30 19:00:09 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 30 Mar 2024 19:00:09 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699632.1092317 (Exim 4.92) (envelope-from ) id 1rqdvv-0003Ik-4f; Sat, 30 Mar 2024 19:00:03 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699632.1092317; Sat, 30 Mar 2024 19:00:03 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqdvv-0003Ia-1e; Sat, 30 Mar 2024 19:00:03 +0000 Received: by outflank-mailman (input) for mailman id 699632; Sat, 30 Mar 2024 19:00:01 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqdvt-00033V-N2 for xen-changelog@lists.xenproject.org; Sat, 30 Mar 2024 19:00:01 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqdvt-0001Pg-Ly for xen-changelog@lists.xenproject.org; Sat, 30 Mar 2024 19:00:01 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rqdvt-0002As-L3 for xen-changelog@lists.xenproject.org; Sat, 30 Mar 2024 19:00:01 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=5v8cSYfsX1RrTf3Eb5jwMvksVVKDjANRc2B9EqwsnK8=; b=ahGqUAYNiQ0wz16dix9aMMCUE7 oVPtsscjmQ4ZQsLnIrDtX0DPg9m1EVoGRJU1Lvo3Kefda9teN3n1OK3NHophxg939Bu7Gk94VEcUD hLNZKoizalcTiRdWvSoeqmcTMv0jvF0dAW8cMnD2UxQmyKyEjf28gu4LvWbIDEm1Kfrg=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/mm: Refine address alignment checks in modify_xen_mappings_lite() Message-Id: Date: Sat, 30 Mar 2024 19:00:01 +0000 commit 3c9e76cd875e12c88cfc8f0b2770c525da8d6894 Author: Andrew Cooper AuthorDate: Tue Mar 19 19:38:48 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 28 11:25:07 2024 +0000 x86/mm: Refine address alignment checks in modify_xen_mappings_lite() Require 's' to be superpage aligned if given over a superpage mapping. This is expected to be the case in practice, and prevents v getting misaligned over superpages during the processing loop. Remove the requirement for 'e' to be page aligned. All this is doing is forcing work for the caller just to satisfy an assertion. Reported-by: Jan Beulich Signed-off-by: Andrew Cooper Reviewed-by: Roger Pau Monné --- xen/arch/x86/mm.c | 11 +++++++---- xen/common/virtual_region.c | 8 ++++---- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c index 62f5b811bb..631da8d7d2 100644 --- a/xen/arch/x86/mm.c +++ b/xen/arch/x86/mm.c @@ -5900,9 +5900,10 @@ int destroy_xen_mappings(unsigned long s, unsigned long e) * * Must be limited to XEN_VIRT_{START,END}, i.e. over l2_xenmap[]. * Must be called with present flags, and over present mappings. - * It is the callers responsibility to not pass s or e in the middle of - * superpages if changing the permission on the whole superpage is going to be - * a problem. + * Must be called with 's' on a page/superpage boundary. + * + * 'e' has no alignment requirements, but the whole page/superpage containing + * the non-inclusive boundary will be updated. */ void init_or_livepatch modify_xen_mappings_lite( unsigned long s, unsigned long e, unsigned int nf) @@ -5917,7 +5918,7 @@ void init_or_livepatch modify_xen_mappings_lite( ASSERT(flags & _PAGE_PRESENT); ASSERT(IS_ALIGNED(s, PAGE_SIZE) && s >= XEN_VIRT_START); - ASSERT(IS_ALIGNED(e, PAGE_SIZE) && e <= XEN_VIRT_END); + ASSERT(e <= XEN_VIRT_END); while ( v < e ) { @@ -5929,6 +5930,8 @@ void init_or_livepatch modify_xen_mappings_lite( if ( l2e_get_flags(l2e) & _PAGE_PSE ) { + ASSERT(IS_ALIGNED(v, 1UL << L2_PAGETABLE_SHIFT)); + l2e_write_atomic(pl2e, l2e_from_intpte((l2e.l2 & ~fm) | flags)); v += 1UL << L2_PAGETABLE_SHIFT; diff --git a/xen/common/virtual_region.c b/xen/common/virtual_region.c index b4325bcda7..142f21e181 100644 --- a/xen/common/virtual_region.c +++ b/xen/common/virtual_region.c @@ -93,11 +93,11 @@ void relax_virtual_region_perms(void) list_for_each_entry_rcu( region, &virtual_region_list, list ) { modify_xen_mappings_lite((unsigned long)region->text_start, - PAGE_ALIGN((unsigned long)region->text_end), + (unsigned long)region->text_end, PAGE_HYPERVISOR_RWX); if ( region->rodata_start ) modify_xen_mappings_lite((unsigned long)region->rodata_start, - PAGE_ALIGN((unsigned long)region->rodata_end), + (unsigned long)region->rodata_end, PAGE_HYPERVISOR_RW); } rcu_read_unlock(&rcu_virtual_region_lock); @@ -111,11 +111,11 @@ void tighten_virtual_region_perms(void) list_for_each_entry_rcu( region, &virtual_region_list, list ) { modify_xen_mappings_lite((unsigned long)region->text_start, - PAGE_ALIGN((unsigned long)region->text_end), + (unsigned long)region->text_end, PAGE_HYPERVISOR_RX); if ( region->rodata_start ) modify_xen_mappings_lite((unsigned long)region->rodata_start, - PAGE_ALIGN((unsigned long)region->rodata_end), + (unsigned long)region->rodata_end, PAGE_HYPERVISOR_RO); } rcu_read_unlock(&rcu_virtual_region_lock); -- generated by git-patchbot for /home/xen/git/xen.git#master From xen-changelog-bounces@lists.xenproject.org Sat Mar 30 19:00:13 2024 Return-path: Envelope-to: archives@lists.xen.org Delivery-date: Sat, 30 Mar 2024 19:00:13 +0000 Received: from list by lists.xenproject.org with outflank-mailman.699633.1092321 (Exim 4.92) (envelope-from ) id 1rqdw5-00040U-5j; Sat, 30 Mar 2024 19:00:13 +0000 X-Outflank-Mailman: Message body and most headers restored to incoming version Received: by outflank-mailman (output) from mailman id 699633.1092321; Sat, 30 Mar 2024 19:00:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqdw5-00040N-34; Sat, 30 Mar 2024 19:00:13 +0000 Received: by outflank-mailman (input) for mailman id 699633; Sat, 30 Mar 2024 19:00:11 +0000 Received: from mail.xenproject.org ([104.130.215.37]) by lists.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqdw3-0003xV-Qj for xen-changelog@lists.xenproject.org; Sat, 30 Mar 2024 19:00:11 +0000 Received: from xenbits.xenproject.org ([104.239.192.120]) by mail.xenproject.org with esmtp (Exim 4.92) (envelope-from ) id 1rqdw3-0001SH-Pp for xen-changelog@lists.xenproject.org; Sat, 30 Mar 2024 19:00:11 +0000 Received: from xen by xenbits.xenproject.org with local (Exim 4.92) (envelope-from ) id 1rqdw3-0002CN-OE for xen-changelog@lists.xenproject.org; Sat, 30 Mar 2024 19:00:11 +0000 X-BeenThere: xen-changelog@lists.xenproject.org List-Id: "Change log for Mercurial \(receive only\)" List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-changelog-bounces@lists.xenproject.org Precedence: list Sender: "Xen-changelog" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=xen.org; s=20200302mail; h=Date:Message-Id:Subject:Reply-To:To:From; bh=HnKYFvm/j3kBUyx914UAcgnnIxxg64U+lEfYk1oHhAQ=; b=FCKu/D71lT1lA4kQMrfA7ln09f rwYb3mXg0vPRnf6onmwIqLA+ChIS0aoOYvfZXWI+xls2YWQ51/rfYfRbnTGbfqH9AhLzjNnW/y1pZ 94qvUMf8Zq8v1rNnxewAy1TjUQvmUrBl1OXDBepEvE+OxHLzlVeDt0oqDHo19a5yfpTY=; From: patchbot@xen.org To: xen-changelog@lists.xenproject.org Reply-To: xen-devel@lists.xenproject.org Subject: [xen master] x86/spec-ctrl: Move __read_mostly data into __ro_after_init Message-Id: Date: Sat, 30 Mar 2024 19:00:11 +0000 commit 7a09966e7b2823b70f6d56d0cf66c11124f4a3c1 Author: Andrew Cooper AuthorDate: Thu Mar 28 12:38:32 2024 +0000 Commit: Andrew Cooper CommitDate: Thu Mar 28 19:59:34 2024 +0000 x86/spec-ctrl: Move __read_mostly data into __ro_after_init These variables predate the introduction of __ro_after_init, but all qualify. Update them to be consistent with the rest of the file. No functional change. Signed-off-by: Andrew Cooper Reviewed-by: Jan Beulich --- xen/arch/x86/spec_ctrl.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/xen/arch/x86/spec_ctrl.c b/xen/arch/x86/spec_ctrl.c index 0b670c3ca7..6a889db70c 100644 --- a/xen/arch/x86/spec_ctrl.c +++ b/xen/arch/x86/spec_ctrl.c @@ -49,18 +49,18 @@ bool __ro_after_init opt_ssbd; static int8_t __initdata opt_psfd = -1; int8_t __ro_after_init opt_ibpb_ctxt_switch = -1; -int8_t __read_mostly opt_eager_fpu = -1; -int8_t __read_mostly opt_l1d_flush = -1; +int8_t __ro_after_init opt_eager_fpu = -1; +int8_t __ro_after_init opt_l1d_flush = -1; static bool __initdata opt_branch_harden = IS_ENABLED(CONFIG_SPECULATIVE_HARDEN_BRANCH); static bool __initdata opt_lock_harden; bool __initdata bsp_delay_spec_ctrl; -uint8_t __read_mostly default_xen_spec_ctrl; -uint8_t __read_mostly default_spec_ctrl_flags; +uint8_t __ro_after_init default_xen_spec_ctrl; +uint8_t __ro_after_init default_spec_ctrl_flags; -paddr_t __read_mostly l1tf_addr_mask, __read_mostly l1tf_safe_maddr; -bool __read_mostly cpu_has_bug_l1tf; +paddr_t __ro_after_init l1tf_addr_mask, __ro_after_init l1tf_safe_maddr; +bool __ro_after_init cpu_has_bug_l1tf; static unsigned int __initdata l1d_maxphysaddr; static bool __initdata cpu_has_bug_msbds_only; /* => minimal HT impact. */ @@ -316,8 +316,8 @@ static int __init cf_check parse_spec_ctrl(const char *s) } custom_param("spec-ctrl", parse_spec_ctrl); -int8_t __read_mostly opt_xpti_hwdom = -1; -int8_t __read_mostly opt_xpti_domu = -1; +int8_t __ro_after_init opt_xpti_hwdom = -1; +int8_t __ro_after_init opt_xpti_domu = -1; static __init void xpti_init_default(void) { @@ -381,8 +381,8 @@ static int __init cf_check parse_xpti(const char *s) } custom_param("xpti", parse_xpti); -int8_t __read_mostly opt_pv_l1tf_hwdom = -1; -int8_t __read_mostly opt_pv_l1tf_domu = -1; +int8_t __ro_after_init opt_pv_l1tf_hwdom = -1; +int8_t __ro_after_init opt_pv_l1tf_domu = -1; static int __init cf_check parse_pv_l1tf(const char *s) { -- generated by git-patchbot for /home/xen/git/xen.git#master