path: root/hw/xen
Age  Commit message  (Author, Files, Lines)
2015-11-06  xen: fix invalid assertion  (Paolo Bonzini, 1 file, -2/+2)
Asserting "true" is not that useful. Reported by Coverity. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-10-26  Qemu/Xen: Fix early freeing MSIX MMIO memory region  (Lan Tianyu, 4 files, -2/+22)
msix->mmio is added to XenPCIPassthroughState's object as property. object_finalize_child_property is called for XenPCIPassthroughState's object, which calls object_property_del_all, which is going to try to delete msix->mmio. object_finalize_child_property() will access msix->mmio's obj. But the whole msix struct has already been freed by xen_pt_msix_delete. This will cause segment fault when msix->mmio has been overwritten. This patch is to fix the issue. Signed-off-by: Lan Tianyu <tianyu.lan@intel.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-11  typofixes - v4  (Veres Lajos, 1 file, -1/+1)
Signed-off-by: Veres Lajos <vlajos@gmail.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-11  maint: avoid useless "if (foo) free(foo)" pattern  (Daniel P. Berrange, 1 file, -3/+1)
The free() and g_free() functions both happily accept NULL on any platform QEMU builds on. As such putting a conditional 'if (foo)' check before calls to 'free(foo)' merely serves to bloat the lines of code. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-09-10  xen/pt: Don't slurp wholesale the PCI configuration registers  (Konrad Rzeszutek Wilk, 1 file, -6/+1)
Instead we have the emulation registers ->init functions which consult the host values to see what the initial value should be and they are responsible for populating the dev.config. Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Check for return values for xen_host_pci_[get|set] in init  (Konrad Rzeszutek Wilk, 1 file, -8/+16)
and if we have failures we call xen_pt_destroy introduced in 'xen/pt: Move bulk of xen_pt_unregister_device in its own routine.' and free all of the allocated structures. Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Move bulk of xen_pt_unregister_device in its own routine.  (Konrad Rzeszutek Wilk, 1 file, -58/+63)
This way we can call it if we fail during init. This code movement introduces no changes. Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Make xen_pt_unregister_device idempotent  (Konrad Rzeszutek Wilk, 4 files, -6/+22)
To deal with xen_host_pci_[set|get]_ functions returning error values and clearing ourselves in the init function we should make the .exit (xen_pt_unregister_device) function be idempotent in case the generic code starts calling .exit (or for fun does it before calling .init!). Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Log xen_host_pci_get/set errors in MSI code.  (Konrad Rzeszutek Wilk, 1 file, -4/+14)
We seem to only use these functions when de-activating the MSI - so just log errors. Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Log xen_host_pci_get in two init functions  (Konrad Rzeszutek Wilk, 1 file, -0/+9)
To help with troubleshooting in the field. Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Remove XenPTReg->data field.  (Konrad Rzeszutek Wilk, 2 files, -30/+49)
We do not want to have two entries to cache the guest configuration registers: XenPTReg->data and dev.config. Instead we want to use only the dev.config. To do without much complications we rip out the ->data field and replace it with a pointer to the dev.config. This way we have the type-checking (uint8_t, uint16_t, etc) as well as a pre-computed location. Alternatively we could compute the offset in dev.config by using the XenPTRRegInfo and XenPTRegGroup every time but this way we have the pre-computed values. This change also exposes some mis-use:
- In 'xen_pt_status_reg_init' we used u32 for the Capabilities Pointer register, but said register is a u16.
- In 'xen_pt_msgdata_reg_write' we used u32 but should have only used u16.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Check if reg->init function sets the 'data' past the reg->size  (Konrad Rzeszutek Wilk, 1 file, -2/+8)
It should never happen, but in case it does (a developer adds a new register and the 'init_val' expands past the register size) we want to report. The code will only write up to reg->size so there is no runtime danger of the register spilling across other ones - however to catch this sort of thing we still return an error. Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Sync up the dev.config and data values.  (Konrad Rzeszutek Wilk, 1 file, -1/+58)
For a passthrough device we maintain a state of emulated registers value contained within d->config. We also consult the host registers (and apply ro and write masks) whenever the guest accesses the registers. This is done in xen_pt_pci_write_config and xen_pt_pci_read_config.

Also in this picture we call pci_default_write_config which updates the d->config and if the d->config[PCI_COMMAND] register has PCI_COMMAND_MEMORY (or PCI_COMMAND_IO) acts on those changes.

On startup the d->config[PCI_COMMAND] are the host values, not what the guest initial values should be, which is exactly what we do _not_ want to do for 64-bit BARs when the guest just wants to read the size of the BAR. Huh you say?

To get the size of 64-bit memory space BARs, the guest has to calculate ((BAR[x] & 0xFFFFFFF0) + ((BAR[x+1] & 0xFFFFFFFF) << 32)) which means it has to do two writes of ~0 to BARx and BARx+1.

Prior to this patch and with XSA120-addendum patch (Linux kernel) the PCI_COMMAND register is copied from the host it can have PCI_COMMAND_MEMORY bit set which means that QEMU will try to update the hypervisor's P2M with BARx+1 value to ~0 (0xffffffff) (to sync the guest state to host) instead of just having xen_pt_pci_write_config and xen_pt_bar_reg_write apply the proper masks and return the size to the guest.

To thwart this, this patch syncs up the host values with the guest values taking into account the emu_mask (bit set means we emulate, PCI_COMMAND_MEMORY and PCI_COMMAND_IO are set). That is we copy the host values - masking out any bits which we will emulate. Then merge it with the initial emulation register values. Lastly this value is then copied both in dev.config _and_ XenPTReg->data field.

There is also reg->size accounting taken into consideration that ends up being used in patch.
    xen/pt: Check if reg->init function sets the 'data' past the reg->size

This fixes errors such as these:

    (XEN) memory_map:add: dom2 gfn=fffe0 mfn=fbce0 nr=20
    (DEBUG) 189 pci dev 04:0 BAR16 wrote ~0.
    (DEBUG) 200 pci dev 04:0 BAR16 read 0x0fffe0004.
    (XEN) memory_map:remove: dom2 gfn=fffe0 mfn=fbce0 nr=20
    (DEBUG) 204 pci dev 04:0 BAR16 wrote 0x0fffe0004.
    (DEBUG) 217 pci dev 04:0 BAR16 read upper 0x000000000.
    (XEN) memory_map:add: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20
    (XEN) p2m.c:883:d0v0 p2m_set_entry failed! mfn=ffffffffffffffff rc:-22
    (XEN) memory_map:fail: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20 ret:-22
    (XEN) memory_map:remove: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20
    (XEN) p2m.c:920:d0v0 gfn_to_mfn failed! gfn=ffffffff00000 type:4
    (XEN) p2m.c:920:d0v0 gfn_to_mfn failed! gfn=ffffffff00001 type:4
    ..
    (XEN) memory_map: error -22 removing dom2 access to [fbce0,fbcff]
    (DEBUG) 222 pci dev 04:0 BAR16 read upper 0x0ffffffff.
    (XEN) memory_map:remove: dom2 gfn=ffffffff00000 mfn=fbce0 nr=20
    (XEN) memory_map: error -22 removing dom2 access to [fbce0,fbcff]

[The DEBUG is to illustrate what the hvmloader was doing]

Also we swap from xen_host_pci_long to using xen_host_pci_get_[byte,word,long]. Otherwise we get:

    xen_pt_config_reg_init: Offset 0x0004 mismatch! Emulated=0x0000, host=0x2300017, syncing to 0x2300014.
    xen_pt_config_reg_init: Error: Offset 0x0004:0x2300014 expands past register size(2)!

which is not surprising. We read the value as a 32-bit (from host), then operate it as a 16-bit - and the remainder is left unchanged. We end up writing the value as 16-bit (so 0014) to dev.config (as we use proper xen_set_host_[byte,word,long] so we don't spill to other registers) but in XenPTReg->data it is as 32-bit (0x2300014)!

It is harmless as the read/write functions end up using a size mask and never modify the bits past 16-bit (reg->size is 2).

This patch fixes the warnings by reading the value using the proper size.

Note that the check for size is still left in case the developer sets bits past the reg->size in the ->init routines. The author tried to fiddle with QEMU_BUILD_BUG to make this work but failed.
Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reported-by: Sander Eikelenboom <linux@eikelenboom.it> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Use xen_host_pci_get_[byte|word] instead of dev.config  (Konrad Rzeszutek Wilk, 2 files, -28/+73)
During init time we treat the dev.config area as a cache of the host view. However during execution time we treat it as guest view (by the generic PCI API). We need to sync Xen's code to the generic PCI API view. This is the first step by replacing all of the code that uses dev.config or pci_get_[byte|word] to get host value to actually use the xen_host_pci_get_[byte|word] functions. Interestingly in 'xen_pt_ptr_reg_init' we also needed to swap reg_field from uint32_t to uint8_t - since the access is only for one byte not four bytes. We can split this as a separate patch however we would have to use a cast to thwart compiler warnings in the meantime. We also truncated 'flags' to 'flag' to make the code fit within the 80 characters. Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Use XEN_PT_LOG properly to guard against compiler warnings.  (Konrad Rzeszutek Wilk, 1 file, -1/+1)
If XEN_PT_LOGGING_ENABLED is enabled the XEN_PT_LOG macros start using the first argument. Which means if within the function there is only one user of the argument ('d') and XEN_PT_LOGGING_ENABLED is not set, we get compiler warnings. This is not the case now but with the "xen/pt: Use xen_host_pci_get_[byte|word] instead of dev.config" we will hit - so this syncs up the function to the rest of them. Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt/msi: Add the register value when printing logging and error messages  (Konrad Rzeszutek Wilk, 1 file, -3/+3)
We would like to know what the MSI register value is to help in troubleshooting in the field. As such modify the logging logic to include such details in xen_pt_msgctrl_reg_write. Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: xen_host_pci_config_read returns -errno, not -1 on failure  (Konrad Rzeszutek Wilk, 1 file, -1/+1)
However the init routines assume that on errors the return code is -1 (as the libxc API is) - while those xen_host_* routines follow another paradigm - negative errno on return, 0 on success. Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Make xen_pt_msi_set_enable static  (Konrad Rzeszutek Wilk, 2 files, -2/+1)
As we do not use it outside our code. Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen/pt: Update comments with proper function name.  (Konrad Rzeszutek Wilk, 1 file, -2/+2)
It has changed but the comments still refer to the old names. Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen, gfx passthrough: add opregion mapping  (Tiejun Chen, 3 files, -3/+136)
The OpRegion shouldn't be mapped 1:1 because the address in the host can't be used in the guest directly. This patch traps read and write access to the opregion of the Intel GPU config space (offset 0xfc). The original patch is from Jean Guyader <jean.guyader@eu.citrix.com> Signed-off-by: Tiejun Chen <tiejun.chen@intel.com> Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen, gfx passthrough: register a isa bridge  (Tiejun Chen, 1 file, -0/+22)
Currently we just register this isa bridge when we use IGD passthrough in Xen side. Signed-off-by: Tiejun Chen <tiejun.chen@intel.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen, gfx passthrough: retrieve VGA BIOS to work  (Tiejun Chen, 3 files, -0/+94)
Now we retrieve VGA bios like kvm stuff in qemu but we need to fix Device Identification in case if it's not matched with the real IGD device since Seabios is always trying to compare this ID to work out VGA BIOS. Signed-off-by: Tiejun Chen <tiejun.chen@intel.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-09-10  xen, gfx passthrough: basic graphics passthrough support  (Tiejun Chen, 6 files, -1/+131)
basic gfx passthrough support:
- add a vga type for gfx passthrough
- register/unregister legacy VGA I/O ports and MMIOs for passthrough GFX
Signed-off-by: Tiejun Chen <tiejun.chen@intel.com> Signed-off-by: Yang Zhang <yang.z.zhang@Intel.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-06-23  Merge remote-tracking branch 'remotes/mjt/tags/pull-trivial-patches-2015-06-23' into staging  (Peter Maydell, 2 files, -5/+9)
trivial patches for 2015-06-23
# gpg: Signature made Tue Jun 23 18:23:45 2015 BST using RSA key ID A4C3D7DB
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg: aka "Michael Tokarev <mjt@corpit.ru>"
# gpg: aka "Michael Tokarev <mjt@debian.org>"
* remotes/mjt/tags/pull-trivial-patches-2015-06-23: (21 commits)
  util/qemu-sockets: improve ai_flag hints for ipv6 hosts
  hw/display/tcx.c: Fix memory leak
  hw/display/cg3.c: Fix memory leak
  Makefile: Add "make ctags"
  Makefile: Fix "make cscope TAGS"
  qemu-options: Use @itemx where appropriate
  qemu-options: Improve -global documentation
  throttle: Fix typo in the documentation of block_set_io_throttle
  hw/display/qxl-logger.c: Constify some variable
  configure: rearrange --help and consolidate enable/disable together
  libcacard: pkgconfig: tidy dependent libs
  vt82c686: QOMify
  xen_pt: QOMify
  wdt_i6300esb: QOMify
  piix4: QOMify
  piix: piix3 QOMify
  pci-assign: QOMify
  Print error when failing to load PCI config data
  Grammar: 'as to'->'as for'
  remove libdecnumber/dpd/decimal128Local.h
  ...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-06-23  xen_pt: QOMify  (Gonglei, 2 files, -5/+9)
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Tested-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-06-23  Merge remote-tracking branch 'remotes/sstabellini/tags/xen-220615-3' into staging  (Peter Maydell, 4 files, -44/+46)
xen-220615, more SOB lines
# gpg: Signature made Tue Jun 23 17:19:08 2015 BST using RSA key ID 70E1AE90
# gpg: Good signature from "Stefano Stabellini <stefano.stabellini@eu.citrix.com>"
* remotes/sstabellini/tags/xen-220615-3:
  Revert "xen-hvm: increase maxmem before calling xc_domain_populate_physmap"
  xen/pass-through: constify some static data
  xen/pass-through: log errno values rather than function return ones
  xen/pass-through: ROM BAR handling adjustments
  xen/pass-through: fold host PCI command register writes
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-06-23  xen/pass-through: constify some static data  (Jan Beulich, 2 files, -6/+5)
This is done indirectly by adjusting two typedefs and helps emphasizing that the respective tables aren't supposed to be modified at runtime (as they may be shared between devices). Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-06-23  xen/pass-through: log errno values rather than function return ones  (Jan Beulich, 2 files, -25/+25)
Functions setting errno commonly return just -1, which is of no particular use in the log file. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-06-23  xen/pass-through: ROM BAR handling adjustments  (Jan Beulich, 2 files, -6/+14)
Expecting the ROM BAR to be written with an all ones value when sizing the region is wrong - the low bit has another meaning (enable/disable) and bits 1..10 are reserved. The PCI spec also mandates writing all ones to just the address portion of the register. Use suitable constants also for initializing the ROM BAR register field description. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com>
2015-06-23  xen/pass-through: fold host PCI command register writes  (Jan Beulich, 1 file, -7/+2)
The code introduced to address XSA-126 allows simplification of other code in xen_pt_initfn(): All we need to do is update "cmd" suitably, as it'll be written back to the host register near the end of the function anyway. Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com>
2015-06-12  xen_backend: Remove unused error handling of qemu_set_fd_handler  (Fam Zheng, 1 file, -3/+1)
The function cannot fail, so the check is superfluous. Signed-off-by: Fam Zheng <famz@redhat.com> Message-id: 1433400324-7358-12-git-send-email-famz@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2015-06-02  xen/pt: unknown PCI config space fields should be read-only  (Jan Beulich, 3 files, -3/+35)
... by default. Add a per-device "permissive" mode similar to pciback's to allow restoring previous behavior (and hence break security again, i.e. should be used only for trusted guests). This is part of XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>)
2015-06-02  xen/pt: add a few PCI config space field descriptions  (Jan Beulich, 1 file, -0/+28)
Since the next patch will turn all not explicitly described fields read-only by default, those fields that have guest writable bits need to be given explicit descriptors. This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com>
2015-06-02  xen/pt: mark reserved bits in PCI config space fields  (Jan Beulich, 2 files, -5/+11)
The adjustments are solely to make the subsequent patches work right (and hence make the patch set consistent), namely if permissive mode (introduced by the last patch) gets used (as both reserved registers and reserved fields must be similarly protected from guest access in default mode, but the guest should be allowed access to them in permissive mode). This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com>
2015-06-02  xen/pt: mark all PCIe capability bits read-only  (Jan Beulich, 1 file, -1/+1)
xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-only to avoid unintended write-back (just a precaution, the field ought to be read-only in hardware). This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-06-02  xen/pt: split out calculation of throughable mask in PCI config space handling  (Jan Beulich, 1 file, -31/+20)
This is just to avoid having to adjust that calculation later in multiple places. Note that including ->ro_mask in get_throughable_mask()'s calculation is only an apparent (i.e. benign) behavioral change: For r/o fields it doesn't matter whether they get passed through - either the same flag is also set in emu_mask (then there's no change at all) or the field is r/o in hardware (and hence a write won't change it anyway). This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Anthony PERARD <anthony.perard@citrix.com>
2015-06-02  xen/pt: correctly handle PM status bit  (Jan Beulich, 1 file, -1/+2)
xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS). This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-06-02  xen/pt: consolidate PM capability emu_mask  (Jan Beulich, 1 file, -21/+4)
There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local emu_mask variable - we can have the same effect by setting the field descriptor's emu_mask member suitably right away. Note that xen_pt_pmcsr_reg_write() is being retained in order to allow later patches to be less intrusive. This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com>
2015-06-02  xen/MSI: don't open-code pass-through of enable bit modifications  (Jan Beulich, 1 file, -8/+2)
Without this the actual XSA-131 fix would cause the enable bit to not get set anymore (due to the write back getting suppressed there based on the OR of emu_mask, ro_mask, and res_mask). Note that the fiddling with the enable bit shouldn't really be done by qemu, but making this work right (via libxc and the hypervisor) will require more extensive changes, which can be postponed until after the security issue got addressed. This is a preparatory patch for XSA-131. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-06-02  xen/MSI-X: limit error messages  (Jan Beulich, 2 files, -5/+8)
Limit error messages resulting from bad guest behavior to avoid allowing the guest to cause the control domain's disk to fill. The first message in pci_msix_write() can simply be deleted, as this is indeed bad guest behavior, but such out of bounds writes don't really need to be logged. The second one is more problematic, as there guest behavior may only appear to be wrong: For one, the old logic didn't take the mask-all bit into account. And then this shouldn't depend on host device state (i.e. the host may have masked the entry without the guest having done so). Plus these writes shouldn't be dropped even when an entry is unmasked. Instead, if they can't be made take effect right away, they should take effect on the next unmasking or enabling operation - the specification explicitly describes such caching behavior. Until we can validly drop the message (implementing such caching/latching behavior), issue the message just once per MSI-X table entry. Note that the log message in pci_msix_read() similar to the one being removed here is not an issue: "addr" being of unsigned type, and the maximum size of the MSI-X table being 32k, entry_nr simply can't be negative and hence the conditional guarding issuing of the message will never be true. This is XSA-130. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-06-02  xen: don't allow guest to control MSI mask register  (Jan Beulich, 1 file, -10/+88)
It's being used by the hypervisor. For now simply mimic a device not capable of masking, and fully emulate any accesses a guest may issue nevertheless as simple reads/writes without side effects. This is XSA-129. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-06-02  xen: properly gate host writes of modified PCI CFG contents  (Jan Beulich, 3 files, -10/+21)
The old logic didn't work as intended when an access spanned multiple fields (for example a 32-bit access to the location of the MSI Message Data field with the high 16 bits not being covered by any known field). Remove it and derive which fields not to write to from the accessed fields' emulation masks: When they're all ones, there's no point in doing any host write. This fixes a secondary issue at once: We obviously shouldn't make any host write attempt when already the host read failed. This is XSA-128. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
2015-04-09  xen: limit guest control of PCI command register  (Jan Beulich, 2 files, -27/+13)
Otherwise the guest can abuse that control to cause e.g. PCIe Unsupported Request responses (by disabling memory and/or I/O decoding and subsequently causing [CPU side] accesses to the respective address ranges), which (depending on system configuration) may be fatal to the host. This is CVE-2015-2756 / XSA-126. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> Message-id: alpine.DEB.2.02.1503311510300.7690@kaball.uk.xensource.com Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2015-03-10  xen-pt: fix Out-of-bounds read  (Gonglei, 1 file, -1/+1)
The array length of s->real_device.io_regions[] is "PCI_NUM_REGIONS - 1". Signed-off-by: Gonglei <arei.gonglei@huawei.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-03-10  xen-pt: fix Negative array index read  (Gonglei, 1 file, -4/+2)
Coverity spot: Function xen_pt_bar_offset_to_index() may return a negative value (-1) which is used as an index to d->io_regions[] down the line. Let's pass index directly as an argument to xen_pt_bar_reg_parse(). Signed-off-by: Gonglei <arei.gonglei@huawei.com> Acked-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2015-01-13  xen-pt: Fix PCI devices re-attach failed  (Liang Li, 1 file, -1/+1)
Use the 'xl pci-attach $DomU $BDF' command to attach more than one PCI devices to the guest, then detach the devices with 'xl pci-detach $DomU $BDF', after that, re-attach these PCI devices again, an error message will be reported like following: libxl: error: libxl_qmp.c:287:qmp_handle_error_response: receive an error message from QMP server: Duplicate ID 'pci-pt-03_10.1' for device. If using the 'address_space_memory' as the parameter of 'memory_listener_register', 'xen_pt_region_del' will not be called if the memory region's name is not 'xen-pci-pt-*' when the devices is detached. This will cause the device's related QemuOpts object not be released properly. Using the device's address space can avoid such issue, because the calling count of 'xen_pt_region_add' when attaching and the calling count of 'xen_pt_region_del' when detaching is the same, so all the memory region ref and unref by the 'xen_pt_region_add' and 'xen_pt_region_del' can be released properly. Signed-off-by: Liang Li <liang.z.li@intel.com> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Reported-by: Longtao Pang <longtaox.pang@intel.com>
2014-10-20  hw: Convert from BlockDriverState to BlockBackend, mostly  (Markus Armbruster, 1 file, -0/+1)
Device models should access their block backends only through the block-backend.h API. Convert them, and drop direct includes of inappropriate headers. Just four uses of BlockDriverState are left:
* The Xen paravirtual block device backend (xen_disk.c) opens images itself when set up via xenbus, bypassing blockdev.c. I figure it should go through qmp_blockdev_add() instead.
* Device model "usb-storage" prompts for keys. No other device model does, and this one probably shouldn't do it, either.
* ide_issue_trim_cb() uses bdrv_aio_discard() instead of blk_aio_discard() because it fishes its backend out of a BlockAIOCB, which has only the BlockDriverState.
* PC87312State has an unused BlockDriverState[] member.
The next two commits take care of the latter two. Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Kevin Wolf <kwolf@redhat.com>
2014-08-18  memory: remove memory_region_destroy  (Paolo Bonzini, 2 files, -22/+0)
The function is empty after the previous patch, so remove it. Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-07-07  xen_backend: introduce xenstore_read_uint64 and xenstore_read_fe_uint64  (Stefano Stabellini, 1 file, -0/+18)
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
2014-05-07  Merge remote-tracking branch 'remotes/mjt/tags/trivial-patches-2014-05-07' into staging  (Peter Maydell, 1 file, -1/+0)
trivial patches for 2014-05-07
# gpg: Signature made Wed 07 May 2014 18:01:15 BST using RSA key ID A4C3D7DB
# gpg: Good signature from "Michael Tokarev <mjt@tls.msk.ru>"
# gpg: aka "Michael Tokarev <mjt@corpit.ru>"
# gpg: aka "Michael Tokarev <mjt@debian.org>"
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
# Subkey fingerprint: 6F67 E18E 7C91 C5B1 5514 66A7 BEE5 9D74 A4C3 D7DB
* remotes/mjt/tags/trivial-patches-2014-05-07: (21 commits)
  libcacard: remove unnecessary EOL from debug prints
  docs/memory.txt: Fix document on MMIO operations
  readline: Sort completions before printing them.
  readline: use g_strndup instead of open-coding it
  qmp: report path ambiguity error
  libcacard: replace pstrcpy() with memcpy()
  glib: move g_poll() replacement into glib-compat.h
  do not call g_thread_init() for glib >= 2.31
  hw/9pfs: Add include file for exported symbol
  xen: remove unused global, xen_xcg
  hw: Add missing 'static' attributes
  qemu-timer: Add missing 'static' attribute
  ui: Add missing 'static' attribute
  monitor: Add missing 'static' attribute
  hw/s390x: Add missing 'static' attribute
  hw/mips: Add missing 'static' and 'const' attributes
  hw/9pfs: Add missing 'static' attributes
  arch_init: Be sure of only one exit entry with DPRINTF() for ram_load()
  tests/tcg: Fix compilation of test_path
  qga: Fix typo (plural) in comment
  ...
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>