From patchwork Thu Apr 17 12:57:24 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ian Campbell X-Patchwork-Id: 28582 Return-Path: X-Original-To: linaro@patches.linaro.org Delivered-To: linaro@patches.linaro.org Received: from mail-ob0-f198.google.com (mail-ob0-f198.google.com [209.85.214.198]) by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 204F8206A6 for ; Thu, 17 Apr 2014 12:59:39 +0000 (UTC) Received: by mail-ob0-f198.google.com with SMTP id va2sf1942067obc.9 for ; Thu, 17 Apr 2014 05:59:39 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:delivered-to:from:to:date:message-id :mime-version:cc:subject:precedence:list-id:list-unsubscribe :list-post:list-help:list-subscribe:sender:errors-to :x-original-sender:x-original-authentication-results:mailing-list :list-archive:content-type:content-transfer-encoding; bh=FB8vpW/jhtky8cj5qNFBVW5PTu7iO0mypfTzwhAkS74=; b=MM2Yb5w33ooM193X9pnfqP5YUij63r4G3QcSBYrJLRnK3OBz0fdYV42yOn5ugIp0j3 R/0tpKSdbWkc0U2YPToexPCYHntSD3F/HOYkLuzIpYobtDdV/iBs5j5LyuMmjz02gpwn bAPepQa6CoML9SG7mqYe8muDQgxdAzKtSax407VC5Rb7l/XzNiibKdR414R/mCAirA8Y HM5CPS3jWNU+nNetREuZrnhmOdq58+qKJp42IOhn/24jYO+576/6CHLXMjOWWfnZe4Z3 oBbGi6xaL3ZFOYMsUfkBSVh+tzA1L5cJciR7HCu7W6wVg0/9PVt7QP1qKDGJ1l8jS59c rSzA== X-Gm-Message-State: ALoCoQlVMDxCr7MWuTzsdwlMbECODWyEwEFx2JTCvYHaRBmTUf6otWbuOP5jkc+eXoSyv5eWxt+n X-Received: by 10.50.50.2 with SMTP id y2mr7723311ign.1.1397739579544; Thu, 17 Apr 2014 05:59:39 -0700 (PDT) X-BeenThere: patchwork-forward@linaro.org Received: by 10.140.37.164 with SMTP id r33ls501745qgr.2.gmail; Thu, 17 Apr 2014 05:59:39 -0700 (PDT) X-Received: by 10.58.49.10 with SMTP id q10mr11512620ven.5.1397739579397; Thu, 17 Apr 2014 05:59:39 -0700 (PDT) Received: from mail-ve0-f170.google.com (mail-ve0-f170.google.com [209.85.128.170]) by mx.google.com with ESMTPS id y7si3772602veb.198.2014.04.17.05.59.39 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 17 Apr 2014 05:59:39 -0700 (PDT) Received-SPF: neutral (google.com: 209.85.128.170 is neither permitted nor denied by best guess record for domain of patch+caf_=patchwork-forward=linaro.org@linaro.org) client-ip=209.85.128.170; Received: by mail-ve0-f170.google.com with SMTP id pa12so440907veb.15 for ; Thu, 17 Apr 2014 05:59:39 -0700 (PDT) X-Received: by 10.220.161.8 with SMTP id p8mr8512389vcx.4.1397739579289; Thu, 17 Apr 2014 05:59:39 -0700 (PDT) X-Forwarded-To: patchwork-forward@linaro.org X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org Delivered-To: patch@linaro.org Received: by 10.220.221.72 with SMTP id ib8csp33280vcb; Thu, 17 Apr 2014 05:59:38 -0700 (PDT) X-Received: by 10.52.34.4 with SMTP id v4mr182756vdi.42.1397739578790; Thu, 17 Apr 2014 05:59:38 -0700 (PDT) Received: from lists.xen.org (lists.xen.org. [50.57.142.19]) by mx.google.com with ESMTPS id dy7si4434799vec.126.2014.04.17.05.59.38 for (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 17 Apr 2014 05:59:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of xen-devel-bounces@lists.xen.org designates 50.57.142.19 as permitted sender) client-ip=50.57.142.19; Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Walsh-00081d-Bu; Thu, 17 Apr 2014 12:57:31 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1Walsf-00081V-J9 for xen-devel@lists.xen.org; Thu, 17 Apr 2014 12:57:29 +0000 Received: from [85.158.137.68:40175] by server-10.bemta-3.messagelabs.com id 75/83-16608-8BFCF435; Thu, 17 Apr 2014 12:57:28 +0000 X-Env-Sender: Ian.Campbell@citrix.com X-Msg-Ref: server-13.tower-31.messagelabs.com!1397739446!7604041!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n X-StarScan-Received: X-StarScan-Version: 6.11.1; banners=-,-,- X-VirusChecked: Checked Received: (qmail 26769 invoked from network); 17 Apr 2014 12:57:27 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-13.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 17 Apr 2014 12:57:27 -0000 X-IronPort-AV: E=Sophos;i="4.97,879,1389744000"; d="scan'208";a="120861728" Received: from accessns.citrite.net (HELO FTLPEX01CL02.citrite.net) ([10.9.154.239]) by FTLPIPO02.CITRIX.COM with ESMTP; 17 Apr 2014 12:57:25 +0000 Received: from norwich.cam.xci-test.com (10.80.248.129) by smtprelay.citrix.com (10.13.107.79) with Microsoft SMTP Server id 14.3.123.3; Thu, 17 Apr 2014 08:57:25 -0400 Received: from drall.uk.xensource.com ([10.80.16.71] helo=drall.uk.xensource.com.) by norwich.cam.xci-test.com with esmtp (Exim 4.72) (envelope-from ) id 1Walsb-0004oi-1S; Thu, 17 Apr 2014 12:57:25 +0000 From: Ian Campbell To: Date: Thu, 17 Apr 2014 13:57:24 +0100 Message-ID: <1397739444-31407-1-git-send-email-ian.campbell@citrix.com> X-Mailer: git-send-email 1.7.10.4 MIME-Version: 1.0 X-DLP: MIA2 Cc: keir@xen.org, julien.grall@linaro.org, tim@xen.org, Ian Campbell , stefano.stabellini@eu.citrix.com Subject: [Xen-devel] [PATCH xen v3] xen: arm: fully implement multicall interface. X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: List-Unsubscribe: , List-Post: , List-Help: , List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org X-Removed-Original-Auth: Dkim didn't pass. X-Original-Sender: ian.campbell@citrix.com X-Original-Authentication-Results: mx.google.com; spf=neutral (google.com: 209.85.128.170 is neither permitted nor denied by best guess record for domain of patch+caf_=patchwork-forward=linaro.org@linaro.org) smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org Mailing-list: list patchwork-forward@linaro.org; contact patchwork-forward+owners@linaro.org X-Google-Group-Id: 836684582541 List-Archive: I'm not sure what I was smoking at the time of 5d74ad1a082e "xen: arm: implement do_multicall_call for both 32 and 64-bit" but it is obviously insufficient since it doesn't actually wire up the hypercall. Before doing so we need to make the usual adjustments for ARM and turn the unsigned longs into xen_ulong_t. There is no difference in the resulting structure for x86. There are knock on changes to the trace interface, but again they are nops on x86. For 32-bit ARM guests we require that the arguments which they pass to a hypercall via a multicall do not use the upper bits of xen_ulong_t and kill them if they violate this. This should ensure that no ABI surprises can be silently lurking when running on a 32-bit hypervisor waiting to pounce when the same kernel is run on a 64-bit hypervisor. Killing the guest is harsh but it will be far easier to relax the restriction if it turns out to cause problems than to tighten it up if we were lax to begin with. In the interests of clarity and always using explicitly sized types change the unsigned int in the hypercall arguments to a uint32_t. There is no actual change here on any platform. We should consider backporting this to 4.4.1 in case a guest decides they want to use a multicall in common code e.g. I suggested such a thing while reviewing a netback change recently. Signed-off-by: Ian Campbell Cc: keir@xen.org Reviewed-by: Jan Beulich Acked-by: George Dunlap Acked-by: Julien Grall --- v3: - use domain_crash not domain_crash_synchronous - likely/unlikely dependency already in staging. v2: - update compat version of __trace_multicall_call too - update xen.h on requirements when sizeof(xen_ulong_t) > sizeof(a register) - kill 32-bit guests which do not follow those requirements. After the conversation on v1 I decided that starting out harsh and relaxing if it becomes a problem was easier than discovering a mistake later. --- xen/arch/arm/traps.c | 28 ++++++++++++++++++++++++++-- xen/common/compat/multicall.c | 2 +- xen/common/multicall.c | 4 ++-- xen/common/trace.c | 2 +- xen/include/public/xen.h | 10 ++++++---- xen/include/xen/trace.h | 2 +- 6 files changed, 37 insertions(+), 11 deletions(-) diff --git a/xen/arch/arm/traps.c b/xen/arch/arm/traps.c index a7edc4e..8ed2509 100644 --- a/xen/arch/arm/traps.c +++ b/xen/arch/arm/traps.c @@ -17,6 +17,7 @@ */ #include +#include #include #include #include @@ -1012,6 +1013,7 @@ static arm_hypercall_t arm_hypercall_table[] = { HYPERCALL(sysctl, 2), HYPERCALL(hvm_op, 2), HYPERCALL(grant_table_op, 3), + HYPERCALL(multicall, 2), HYPERCALL_ARM(vcpu_op, 3), }; @@ -1159,6 +1161,24 @@ static void do_trap_hypercall(struct cpu_user_regs *regs, register_t *nr, #endif } +static bool_t check_multicall_32bit_clean(struct multicall_entry *multi) +{ + int i; + + for ( i = 0; i < arm_hypercall_table[multi->op].nr_args; i++ ) + { + if ( unlikely(multi->args[i] & 0xffffffff00000000ULL) ) + { + printk("%pv: multicall argument %d is not 32-bit clean %"PRIx64"\n", + current, i, multi->args[i]); + domain_crash(current->domain); + return false; + } + } + + return true; +} + void do_multicall_call(struct multicall_entry *multi) { arm_hypercall_fn_t call = NULL; @@ -1176,9 +1196,13 @@ void do_multicall_call(struct multicall_entry *multi) return; } + if ( is_32bit_domain(current->domain) && + !check_multicall_32bit_clean(multi) ) + return; + multi->result = call(multi->args[0], multi->args[1], - multi->args[2], multi->args[3], - multi->args[4]); + multi->args[2], multi->args[3], + multi->args[4]); } /* diff --git a/xen/common/compat/multicall.c b/xen/common/compat/multicall.c index 95c047a..2af8aef 100644 --- a/xen/common/compat/multicall.c +++ b/xen/common/compat/multicall.c @@ -29,7 +29,7 @@ DEFINE_XEN_GUEST_HANDLE(multicall_entry_compat_t); static void __trace_multicall_call(multicall_entry_t *call) { - unsigned long args[6]; + xen_ulong_t args[6]; int i; for ( i = 0; i < ARRAY_SIZE(args); i++ ) diff --git a/xen/common/multicall.c b/xen/common/multicall.c index e66c798..fa9d910 100644 --- a/xen/common/multicall.c +++ b/xen/common/multicall.c @@ -35,10 +35,10 @@ static void trace_multicall_call(multicall_entry_t *call) ret_t do_multicall( - XEN_GUEST_HANDLE_PARAM(multicall_entry_t) call_list, unsigned int nr_calls) + XEN_GUEST_HANDLE_PARAM(multicall_entry_t) call_list, uint32_t nr_calls) { struct mc_state *mcs = ¤t->mc_state; - unsigned int i; + uint32_t i; int rc = 0; if ( unlikely(__test_and_set_bit(_MCSF_in_multicall, &mcs->flags)) ) diff --git a/xen/common/trace.c b/xen/common/trace.c index 1814165..f651cf3 100644 --- a/xen/common/trace.c +++ b/xen/common/trace.c @@ -817,7 +817,7 @@ unlock: } void __trace_hypercall(uint32_t event, unsigned long op, - const unsigned long *args) + const xen_ulong_t *args) { struct __packed { uint32_t op; diff --git a/xen/include/public/xen.h b/xen/include/public/xen.h index 8c5697e..a6a2092 100644 --- a/xen/include/public/xen.h +++ b/xen/include/public/xen.h @@ -541,13 +541,15 @@ DEFINE_XEN_GUEST_HANDLE(mmu_update_t); /* * ` enum neg_errnoval * ` HYPERVISOR_multicall(multicall_entry_t call_list[], - * ` unsigned int nr_calls); + * ` uint32_t nr_calls); * - * NB. The fields are natural register size for this architecture. + * NB. The fields are logically the natural register size for this + * architecture. In cases where xen_ulong_t is larger than this then + * any unused bits in the upper portion must be zero. */ struct multicall_entry { - unsigned long op, result; - unsigned long args[6]; + xen_ulong_t op, result; + xen_ulong_t args[6]; }; typedef struct multicall_entry multicall_entry_t; DEFINE_XEN_GUEST_HANDLE(multicall_entry_t); diff --git a/xen/include/xen/trace.h b/xen/include/xen/trace.h index 3b8a7b3..12966ea 100644 --- a/xen/include/xen/trace.h +++ b/xen/include/xen/trace.h @@ -45,7 +45,7 @@ static inline void trace_var(u32 event, int cycles, int extra, } void __trace_hypercall(uint32_t event, unsigned long op, - const unsigned long *args); + const xen_ulong_t *args); /* Convenience macros for calling the trace function. */ #define TRACE_0D(_e) \