Merge pull request #1 from xen-project/staging #5

blackskygg · 2017-08-05T04:03:52Z

sync with upstream

…hysmap This is for the proposal "Allow setting up shared memory areas between VMs from xl config file". See: https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Then plan is to use XENMEM_add_to_physmap_batch to map the shared pages from one domU to another and use XENMEM_remove_from_physmap to cancel the sharing. A wrapper to XENMEM_add_to_physmap_batch was added in the following commit: commit 20e725e Now add the wrapper to XENMEM_remove_from_physmap. Signed-off-by: Zhongze Liu <[email protected]> Reviewed-by: Stefano Stabellini <[email protected]> Acked-by: Wei Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Wei Liu <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected] V4: * change domid_t to uint32_t

The existing XENMAPSPACE_gmfn_foreign subop of XENMEM_add_to_physmap forbids a Dom0 to map memory pages from one DomU to another, which restricts some useful yet not dangerous use cases -- such as sharing pages among DomU's so that they can do shm-based communication. This patch introduces XENMAPSPACE_gmfn_share to address this inconvenience, which is mostly the same as XENMAPSPACE_gmfn_foreign but has its own xsm check. Specifically, the patch: * Introduces a new av permission MMU__SHARE_MEM to denote if two domains can share memory by using the new subop; * Introduces xsm_map_gmfn_share() to check if (current) has proper permission over (t) AND MMU__SHARE_MEM is allowed between (d) and (t); * Modify the default xen.te to allow MMU__SHARE_MEM for normal domains that allow grant mapping/event channels. The new subop is marked unsupported for x86 because calling p2m_add_foregin on two DomU's is currently not supported on x86. This is for the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Daniel De Graaf <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Wei Liu <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected] V3: * Change several if statements to the GCC '... = a ?: b' extention. * lookup the current domain in the hooks instead of passing it as an arg V4: * eliminate the duplicated (c) over (d) check * Added a new subop instead of modifying the old subop

…gions Add a new structure to the IDL familiy to represent static shared memory regions as proposed in the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). And deleted some trailing white spaces. [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Reviewed-by: Stefano Stabellini <[email protected]> Acked-by: Wei Liu <[email protected]> Cc: Wei Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected]

Add libxl__sshm_add to map shared pages from one DomU to another, The mapping process involves the follwing steps: * Set defaults and check for further errors in the static_shm configs: overlapping areas, invalid ranges, duplicated master domain, no master domain etc. * Write infomation of static shared memory areas into the appropriate xenstore paths. * Use xc_domain_add_to_physmap_batch to do the page sharing. * Set the refcount of the shared region accordingly Temporarily mark this as unsupported on x86 because calling p2m_add_foreign on two domU's is currently not allowd on x86 (see the comments in x86/mm/p2m.c:p2m_add_foreign for more details). This is for the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Wei Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected] V3: * unmap the successfully mapped pages whenever rc != 0 V4: * use XENMAPSPACE_gmfn_share instead of *_gmfn_foreign

…truction Add libxl__sshm_del to unmap static shared memory areas mapped by libxl__sshm_add during domain creation. The unmapping process is: * For a master: decrease the refcount of the sshm region, if the refcount reaches 0, cleanup the whole sshm path. * For a slave: unmap the shared pages, and cleanup related xs entries. decrease the refcount of the sshm region, if the refcount reaches 0, cleanup the whole sshm path. This is for the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Wei Liu <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected]

…g files Add the parsing utils for the newly introduced libxl_static_sshm struct to the libxl/libxlu_* family. And add realated parsing code in xl to parse the struct from xl config files. This is for the proposal "Allow setting up shared memory areas between VMs from xl config file" (see [1]). [1] https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Wei Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected]

Add docs to document the motivation, usage, use cases and other relevant information about the static shared memory feature. This is for the proposal "Allow setting up shared memory areas between VMs from xl config file". See: https://lists.xen.org/archives/html/xen-devel/2017-08/msg03242.html Signed-off-by: Zhongze Liu <[email protected]> Cc: Ian Jackson <[email protected]> Cc: Wei Liu <[email protected]> Cc: Stefano Stabellini <[email protected]> Cc: Julien Grall <[email protected]> Cc: [email protected]

Initialises basic data structures and performs teardown of argo state for domain shutdown. Inclusion of the Argo implementation is dependent on CONFIG_ARGO. Introduces a new Xen command line parameter 'argo': bool to enable/disable the argo hypercall. Defaults to disabled. New headers: public/argo.h: with definions of addresses and ring structure, including indexes for atomic update for communication between domain and hypervisor. xen/argo.h: to expose the hooks for integration into domain lifecycle: argo_init: per-domain init of argo data structures for domain_create. argo_destroy: teardown for domain_destroy and the error exit path of domain_create. argo_soft_reset: reset of domain state for domain_soft_reset. Adds two new fields to struct domain: rwlock_t argo_lock; struct argo_domain *argo; In accordance with recent work on _domain_destroy, argo_destroy is idempotent. It will tear down: all rings registered by this domain, all rings where this domain is the single sender (ie. specified partner, non-wildcard rings), and all pending notifications where this domain is awaiting signal about available space in the rings of other domains. A count will be maintained of the number of rings that a domain has registered in order to limit it below the fixed maximum limit defined here. Macros are defined to verify the internal locking state within the argo implementation. The macros are ASSERTed on entry to functions to validate and document the required lock state prior to calling. The software license on the public header is the BSD license, standard procedure for the public Xen headers. The public header was originally posted under a GPL license at: [1]: https://lists.xenproject.org/archives/html/xen-devel/2013-05/msg02710.html The following ACK by Lars Kurth is to confirm that only people being employees of Citrix contributed to the header files in the series posted at [1] and that thus the copyright of the files in question is fully owned by Citrix. The ACK also confirms that Citrix is happy for the header files to be published under a BSD license in this series (which is based on [1]). Signed-off-by: Christopher Clark <[email protected]> Acked-by: Lars Kurth <[email protected]> Reviewed-by: Ross Philipson <[email protected]> This version contains FIXMEs for 4.12: * Replace the hash function to get better distribution across buckets. - Don't use casts in the replacement function. - Drop the use of array_index_nospec. * since argo_destroy is in _domain_destroy, remove it from domain_kill v3 xen-project#4 Andrew: use xzalloc for struct argo_domain in argo_init v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#4 Andrew: don't truncate args do_argo_op printk v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for hypercall arg types v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 xen-project#4 Jan: reorder call to argo_init_domain in argo_init v3 xen-project#4 Jan: ring_remove_mfns: zero count before freeing arrays v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v3 xen-project#4 Roger: remove unused and confusing d->argo_lock v3 xen-project#4 Roger: add simple inlines in xen/argo.h, drop ifdef CONFIG_ARGO v3 xen-project#4 Roger: simpler return -EOPNOTSUPP in do_argo_op v3 xen-project#4 Roger: add const to domain arg to ring_remove_info v3 xen-project#4 Roger: use XFREE v3 xen-project#4 Roger: newline fix in wildcard_pending_list_remove v3 xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 xen-project#4 Roger: drop npages struct member in argo_ring_info; use len v3 xen-project#4 Roger/Jan: drop many fixed width types in internal structs v3 xen-project#4 Jason/Jan: drop pad and fixed width type in pending_ent struct v3 xen-project#4 Eric: moved ring_find_info from register op into this commit v3 moved hash_index function, nospec include from register op to this commit v3 moved XEN_ARGO_DOMID_ANY defn from register op into this commit v3 added #include <xen/sched.h> to <xen/argo.h> for domain struct defn v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 Added Ross's Reviewed-by. v2 rewrite locking explanation comment v2 header copyright line now includes 2019 v2 self: use ring_info backpointer in pending_ent to maintain npending v2 self: rename all_rings_remove_info to domain_rings_remove_all v2 feedback Jan: drop cookie, implement teardown v2 self: add npending to track number of pending entries per ring v2 self: amend comment on locking; drop section comments v2 cookie_eq: test low bits first and use likely on high bits v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 self: drop pending_remove_ent, inline at single call site v1 feedback Roger, Jan: drop argo prefix on static functions v2 xen-project#4 Lars: add Acked-by and details to commit message. v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v2 bugfix: xsm use in soft-reset prior to introduction v2 feedback #9 Jan: drop 'message' from do_argo_message_op v1 xen-project#5 feedback Paul: init/destroy unsigned, brackets and whitespace fixes v1 xen-project#5 feedback Paul: Use mfn_eq for comparing mfns. v1 xen-project#5 feedback Paul: init/destroy : use currd v1 xen-project#6 (xen-project#5) feedback Jan: init/destroy: s/ENOSYS/EOPNOTSUPP/ v1 xen-project#6 feedback Paul: Folded patch 6 into patch 5. v1 xen-project#6 feedback Jan: drop opt_argo_enabled initializer v1 $6 feedback Jan: s/ENOSYS/EOPNOTSUPP/g and drop useless dprintk v1. xen-project#5 feedback Paul: change the license on public header to BSD - ack from Lars at Citrix. v1. self, Jan: drop unnecessary xen include from sched.h v1. self, Jan: drop inclusion of public argo.h in private one v1. self, Jan: add include of public argo.h to argo.c v1. self, Jan: drop fwd decl of argo_domain in priv header v1. Paul/self/Jan: add data structures to xlat.lst and compat/argo.h to Makefile v1. self: removed allocation of event channel since switching to VIRQ v1. self: drop types.h include from private argo.h v1: reorder public argo include position v1: #13 feedback Jan: public namespace: prefix with xen v1: self: rename pending ent "id" to "domain_id" v1: self: add domain_cookie to ent struct v1. #15 feedback Jan: make cmd unsigned v1. #15 feedback Jan: make i loop variable unsigned v1: self: adjust dprintks in init, destroy v1: #18 feedback Jan: meld max ring count limit v1: self: use type not struct in public defn, affects compat gen header v1: feedback #15 Jan: handle upper-halves of hypercall args v1: add comment explaining the 'magic' field v1: self + Jan feedback: implement soft reset v1: feedback #13 Roger: use ASSERT_UNREACHABLE

The register op is used by a domain to register a region of memory for receiving messages from either a specified other domain, or, if specifying a wildcard, any domain. This operation creates a mapping within Xen's private address space that will remain resident for the lifetime of the ring. In subsequent commits, the hypervisor will use this mapping to copy data from a sending domain into this registered ring, making it accessible to the domain that registered the ring to receive data. Wildcard any-sender rings are default disabled and registration will be refused with EPERM unless they have been specifically enabled with the argo-mac boot option introduced here. The reason why the default for wildcard rings is 'deny' is that there is currently no means to protect the ring from DoS by a noisy domain spamming the ring, affecting other domains ability to send to it. This will be addressed with XSM policy controls in subsequent work. Since denying access to any-sender rings is a significant functional constraint, a new bootparam is provided to enable overriding this: "argo-mac" variable has allowed values: 'permissive' and 'enforcing'. Even though this is a boolean variable, use these descriptive strings in order to make it obvious to an administrator that this has potential security impact. The p2m type of the memory supplied by the guest for the ring must be p2m_ram_rw and the memory will be pinned as PGT_writable_page while the ring is registered. xen_argo_gfn_t type is defined and is 64-bit on all architectures which assists with avoiding the need for compat code to translate hypercall args. This hypercall op and its interface currently only supports 4K-sized pages. array_index_nospec is used to guard the result of the ring id hash function. This is out of an abundance of caution, since this is a very basic hash function and it operates upon values supplied by the guest just before being used as an array index. Signed-off-by: Christopher Clark <[email protected]> -This version contains FIXMEs for 4.12: * find_ring_mfn: investigate using check_get_page_from_gfn() and rewrite this function using it or with adopted logic * shrink critical sections: move acquire/release of the global lock. * simplify the out label path when lock release has been moved. * - drop use of unsigned long type as hypercall args: not compat-friendly * - drop UL suffix on XEN_ARGO_REGISTER_FLAG_MASK * - guard XEN_ARGO_REGISTER_FLAG_MASK (perhaps framed by "#ifdef __XEN__") * - define XEN_ARGO_REGISTER_FLAG_MASK in terms of other flags defined * register_ring: pull write_unlock up above the cleanup actions above and add another label to aborb the two separate put_domain() calls on the error paths. -end FIXME v3 xen-project#7 Jan: comment: minimum ring size is based on minimum-sized message v3 xen-project#4 Andrew: reference CONFIG_ARGO in the command line documentation v3 xen-project#7 Jan: register_ring: fold else, if into else-if to drop indent v3 xen-project#7 Jan: remove no longer used guest_handle_is_aligned macros v3 xen-project#7 Jan: remove dead code from find_ring_mfns v3 xen-project#7 Jan: fix format string indention in printks v3 xen-project#7 Jan: remove redundant bounds check on npage in find_ring_mfns v3 xen-project#8 self/Roger: improve dprintk output in find_ring_info like find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#7 Jan: use array_index_nospec in ring_map_page v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 xen-project#7 Jan: drop unneeded parentheses from ROUNDUP_MESSAGE defn v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#3 meld compat check for hypercall arg register struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback xen-project#7 Eric: fix header max ring size comment units v3 feedback xen-project#4 Roger: mfn_mapping: void* instead of uint8_t* v3 use %u for printing unsigned ints in find_ring_mfns v3 feedback xen-project#4 Jan: uint32_t -> unsigned int for npage in register_ring v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 : register_ring: uint32_t -> unsigned int for private_tx_ptr v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: use opt_argo_mac_permissive : a boolean opt v3 feedback xen-project#4 Roger: reorder #includes to alphabetical order v3 feedback xen-project#7 Roger: drop comment re: Intel EPT/AMD NPT for write-only mapping v3 feedback xen-project#7 Roger: drop ptr arithmetic in update_tx_ptr, use ring struct cast v3 feedback xen-project#7 Roger: drop newline in ring_map_page v3 feedback xen-project#7 Roger: drop unneeded null check before xfree v3 feedback xen-project#7 Roger: use return and drop out label in register_ring v3 Stefano: add 4K page constraint to header file comment & commit msg v3 Julien/Stefano: 4K granularity ok: use 64-bit gfns in register interface v2 self: disallow ring resize via reregister v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: move hash_index function below locking comment v2 self: OVERHAUL v2 self/Jan: remove use of magic verification field and tidy up v2 self: merge max and min ring size check clauses v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v2 feedback #9, Jan: use the argo-mac bootparam at point of introduction v2 feedback #9, Jan: rename boot opt variable to comply with convention v2 feedback #9, Jan: rename the argo_mac bootparam to argo-mac v2 feedback #9 Jan: document argo boot opt in xen-command-line.markdown v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback Roger: s/pfn/gfn/ and retire always-64-bit type v2. feedback Jan: document the argo-mac boot opt v2. feedback Jan: simplify re-register, drop mappings v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 #13 feedback, Jan: register op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#13) feedback Paul: register op: use currd in do_message_op v1 #13 feedback, Paul: register op: use mfn_eq comparator v1 xen-project#5 (#13) feedback Paul: register op: use currd in argo_register_ring v1 #13 feedback Paul: register op: whitespace, unsigned, bounds check v1 #13 feedback Paul: use of hex in limit constant definition v1 #13 feedback Paul, register op: set nmfns on loop termination v1 #13 feedback Paul: register op: do/while -> gotos, reindent v1 argo_ring_map_page: drop uint32_t for unsigned int v1. #13 feedback Julien: use page descriptors instead of gpfns. - adds ABI support for pages with different granularity. v1 feedback #13, Paul: adjust log level of message v1 feedback #13, Paul: use gprintk for guest-triggered warning v1 feedback #13, Paul: gprintk and XENLOG_DEBUG for ring registration v1 feedback #13, Paul: use gprintk for errs in argo_ring_map_page v1 feedback #13, Paul: use ENOMEM if global mapping fails v1 feedback Paul: overflow check before shift v1: add define for copy_field_to_guest_errno v1: fix gprintk use for ARM as its defn dislikes split format strings v1: use copy_field_to_guest_errno v1 feedback #13, Jan: argo_hash_fn: no inline, rename, change type v1 feedback #13, Paul, Jan: EFAULT -> ENOMEM in argo_ring_map_page v1 feedback #13, Jan: rename page var in argo_ring_map_page v1 feedback #13, Jan: switch uint8_t* to void* and drop cast v1 feedback #13, Jan: switch memory barrier to smp_wmb v1 feedback #13, Jan: make 'ring' comment comply with single-line style v1 feedback #13, Jan: use xzalloc_array, drop loop NULL init v1 feedback #13, Jan: init bool with false rather than 0 v1 feedback #13 Jan: use __copy; define and use __copy_field_to_guest_errno v1 feedback #13, Jan: use xzalloc, drop individual init zeroes v1 feedback #13, Jan: prefix public namespace with xen v1 feedback #13, Jan: blank line after op case in do_argo_message_op v1 self: reflow comment in argo_ring_map_page to within 80 char len v1 feedback #13, Roger: use true not 1 in assign to update_tx_ptr bool v1 feedback #21, Jan: fold in the array_index_nospec hash function guards v1 feedback #18, Jan: fold the max ring count limit into the series v1 self: use unsigned long type for XEN_ARGO_REGISTER_FLAG_MASK v1: feedback #15 Jan: handle upper-halves of hypercall args v1. feedback #13 Jan: add comment re: page alignment v1. self: confirm ring magic presence in supplied page array v1. feedback #13 Jan: add comment re: minimum ring size v1. feedback #13 Roger: use ASSERT_UNREACHABLE v1. feedback Roger: add comment to hash function

Takes a single argument: a handle to the ring unregistration struct, which specifies the port and partner domain id or wildcard. The ring's entry is removed from the hashtable of registered rings; any entries for pending notifications are removed; and the ring is unmapped from Xen's address space. If the ring had been registered to communicate with a single specified domain (ie. a non-wildcard ring) then the partner domain state is removed from the partner domain's argo send_info hash table. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#8 Jan: pull xfree out of exclusive critical sections in unregister_ring v3 xen-project#8 Jan: rename send_find_info to find_send_info v3 xen-project#7 Jan: rename ring_find_info to find_ring_info v3 xen-project#8 Roger: use return and remove the out label in unregister_ring v3 xen-project#8 Roger: better debug output in send_find_info v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat check for unregister_ring struct v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v3 feedback xen-project#7 Roger: const the argo_ring_id structs in send_find_info v2 feedback Jan: drop cookie, implement teardown v2 feedback Jan: drop message from argo_message_op v2 self: OVERHAUL v2 self: reorder logic to shorten critical section v1 #13 feedback Jan: revise use of guest_handle_okay vs __copy ops v1 feedback Roger, Jan: drop argo prefix on static functions v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 xen-project#5 (#14) feedback Paul: use currd in do_argo_message_op v1 xen-project#5 (#14) feedback Paul: full use currd in argo_unregister_ring v1 #13 (#14) feedback Paul: replace do/while with goto; reindent v1 self: add blank lines in unregister case in do_argo_message_op v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after op case in do_argo_message_op v1: #14 feedback Jan: replace domain id override with validation v1: #18 feedback Jan: meld the ring count limit into the series v1: feedback #15 Jan: verify zero in unused hypercall args

sendv operation is invoked to perform a synchronous send of buffers contained in iovs to a remote domain's registered ring. It takes: * A destination address (domid, port) for the ring to send to. It performs a most-specific match lookup, to allow for wildcard. * A source address, used to inform the destination of where to reply. * The address of an array of iovs containing the data to send * .. and the length of that array of iovs * and a 32-bit message type, available to communicate message context data (eg. kernel-to-kernel, separate from the application data). If insufficient space exists in the destination ring, it will return -EAGAIN and Xen will notify the caller when sufficient space becomes available. Accesses to the ring indices are appropriately atomic. The rings are mapped into Xen's private address space to write as needed and the mappings are retained for later use. Fixed-size types are used in some areas within this code where caution around avoiding integer overflow is important. Notifications are sent to guests via VIRQ and send_guest_global_virq is exposed in the change to enable argo to call it. VIRQ_ARGO_MESSAGE is claimed from the VIRQ previously reserved for this purpose (#11). The VIRQ notification method is used rather than sending events using evtchn functions directly because: * no current event channel type is an exact fit for the intended behaviour. ECS_IPI is closest, but it disallows migration to other VCPUs which is not necessarily a requirement for Argo. * at the point of argo_init, allocation of an event channel is complicated by none of the guest VCPUs being initialized yet and the event channel logic expects that a valid event channel has a present VCPU. * at the point of signalling a notification, the VIRQ logic is already defensive: if d->vcpu[0] is NULL, the notification is just silently dropped, whereas the evtchn_send logic is not so defensive: vcpu[0] must not be NULL, otherwise a null pointer dereference occurs. Using a VIRQ removes the need for the guest to query to determine which event channel notifications will be delivered on. This is also likely to simplify establishing future L0/L1 nested hypervisor argo communication. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#7 Jan: rename ring_find_info* to find_ring_info* v3 xen-project#7 Jan: fix numeric entries in printk format strings v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld compat struct checking for hypercall args v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 feedback #09 Eric: fix len & offset sanity check in memcpy_to_guest_ring v3 feedback xen-project#4 Roger: newline fix in wildcard_pending_list_insert v3 feedback xen-project#4 Roger: drop npages struct member, calculate from len v3 #09 Roger: simplify EFAULT return in memcpy_to_guest_ring v3 #09 Roger: add newline before return in get_sanitized_ring v3 #09 Roger: replace while with for loop in iov_count v3 #09 Roger: drop 0 in struct init in ringbuf_insert v3 #09 Roger: comment for XEN_ARGO_MAXIOV: warn of stack overflow risk v3 #09 Roger: simplify while loop: for instead in ringbuf_insert v3 #09 Roger: drop out label for returns in ringbuf_insert v3 #09 Roger: drop newline in pending_queue v3 #09 Roger: replace second goto label with error path unlock in sendv v3 #09 Jason: check iov_len vs MAX_ARGO_MESSAGE_SIZE in iov_count v3 #09 Jason: check padding is zeroed in sendv op v3 #09 Jason: memcpy_to_guest_ring: simpler code with better loop v2 self: use ring_info backpointer in pending_ent to maintain npending v2 feedback Jan: drop cookie, implement teardown v2 self: pending_queue: reap stale ents when in need of space v2 self: pending_requeue: reclaim ents for stale domains v2.feedback Jan: only override sender domid if DOMID_ANY v2 feedback Jan: drop message from argo_message_op v2 self: check npending vs maximum limit v2 self: get_sanitized_ring instead of get_rx_ptr v2 feedback v1#13 Jan: remove double read from ringbuf insert, lower MAX_IOV v2 self: make iov_count const v2 self: iov_count : return EMSGSIZE for message too big v2 self: OVERHAUL v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v1 feedback #13 Jan: drop guest_handle_okay when using copy_from_guest - reorder do_argo_op logic v2 self: add _hnd suffix to iovs variable name to indicate guest handle type v2 self: replace use of XEN_GUEST_HANDLE_NULL with two existing macros v1 #15 feedback, Jan: sendv op : s/ECONNREFUSED/ESRCH/ v1 xen-project#5 (#15) feedback Paul: sendv: use currd in do_argo_message_op v1 #13 (#15) feedback Paul: sendv op: do/while reindent only v1 #13 (#15) feedback Paul: sendv op: do/while: argo_ringbuf_insert to goto style v1 #13 (#15) feedback Paul: sendv op: do/while: reindent only again v1 #13 (#15) feedback Paul: sendv op: do/while : goto v1 #15 feedback Paul: sendv op: make page var: unsigned v1 #15 feedback Paul: sendv op: new local var for PAGE_SIZE - offset v1 xen-project#8 feedback Jan: XEN_GUEST_HANDLE : C89 compliance v1 rebase after switching register op from pfns to page descriptors v1 self: move iov DEFINE_XEN_GUEST_HANDLE out of public header into argo.c v1 #13 (#15) feedback Paul: fix loglevel for guest-triggered messages v1 : add compat xlat.lst entries v1 self: switched notification to send_guest_global_virq instead of event v1: fix gprintk use for ARM as its defn dislikes split format strings v1: init len variable to satisfy ARM compiler initialized checking v1 #13 feedback Jan: rename page var v1:#14 feedback Jan: uint8_t* -> void* v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: blank line after case op in do_argo_message_op v1: #15 feedback Jan: add comments explaining why the writes don't overrun v1: self: add ASSERT to support comment that overrun cannot happen v1: self: fail on short writes where guest manipulated the iov_lens v1: self: rename ent id to domain_id v1: self: add moan for iov rewrite v1. feedback #15 Jan: require the pad bits are zero v1. feedback #15 Jan: drop NULL check in argo_signal_domain as now using VIRQ v1. self: store domain_cookie in pending ent v1. feedback #15 Jan: use unsigned where possible v1. feedback Jan: use handle type for iov_base in public iov interface v1. self: log whenever visible error occurs v1 feedback #15, Jan: drop unnecessary mb v1 self: only update internal tx_ptr if able to return success and update the visible tx_ptr v1 self: log on failure to map ring to update visible tx_ptr v1 feedback #15 Jan: add comment re: notification size policy v1 self/Roger? remove errant space after sizeof v1. feedback #15 Jan: require iov pad be zero v1. self: rename iov_base to iov_hnd for handle in public iov interface v1: feedback #15 Jan: handle upper-halves of hypercall args; changes some types in function signatures to match. v1: self: add dprintk to sendv v1: self: add debug output to argo_iov_count v1. feedback #14 Jan: blank line before return in argo_iov_count v1 feedback #15 Jan: verify src id, not override

Queries for data about space availability in registered rings and causes notification to be sent when space has become available. The hypercall op populates a supplied data structure with information about ring state, and if insufficient space is currently available in a given ring, the hypervisor will record the domain's expressed interest and notify it when it observes that space has become available. Checks for free space occur when this notify op is invoked, so it may be intentionally invoked with no data structure to populate (ie. a NULL argument) to trigger such a check and consequent notifications. Limit the maximum number of notify requests in a single operation to a simple fixed limit of 256. Signed-off-by: Christopher Clark <[email protected]> v3 xen-project#7 Jan: fix format string indention in printks v3 (general) Jan: drop fixed width types for ringbuf_payload_space v3 xen-project#7 Jan: rename ring_find_info_by_match to find_ring_info_by_match v3 xen-project#7 Jan: fix numeric entries in printk format strings v3: ringbuf_payload_space: simpler return 0 if get_sanitized_ring fails v3 #10 Roger: simplify ringbuf_payload_space for empty rings v3 #10 Roger: ringbuf_payload_space: add comment to explain how ret < INT32_MAX v3 #10 Roger: drop out label, use return -EFAULT in fill_ring_data v3 #10 Roger: add newline in signal_domid v3 #10 Roger: move find functions to top of file and drop prototypes v3 xen-project#4 Jan: meld the compat hypercall arg checking v3 xen-project#4 Roger/Jan: make lock names clearer and assert their state v3 xen-project#4 Jan: port -> aport with type; distinguish argo port from evtchn v3 self: drop braces in foreach of notify_check_pending v3 feedback Roger/Jan: ASSERT currd is current->domain or use 'd' variable name v2 feedback Jan: drop cookie, implement teardown v2 notify: add flag to indicate ring is shared v2 argument name for fill_ring_data arg is now currd v2 self: check ring size vs request and flag error rather than queue signal v2 feedback Jan: drop 'message' from 'argo_message_op' v2 self: simplify signal_domid, drop unnecessary label + goto v2 self: skip the cookie check in pending_cancel v2 self: implement npending limit on number of pending entries v1 feedback #16 Jan: sanitize_ring in ringbuf_payload_space v2 self: inline fill_ring_data_array v2 self: avoid retesting dst_d for put_domain v2 self/Jan: remove use of magic verification field and tidy up v1 feedback #16 Jan: remove testing of magic in guest-supplied structure v2 self: s/argo_pending_ent/pending_ent/g v2 feedback v1#13 Roger: use OS-supplied roundup; drop from public header v1,2 feedback Jan/Roger/Paul: drop errno returning guest access functions v1 feedback Roger, Jan: drop argo prefix on static functions v2 self: reduce indentation via goto out if arg NULL v1 feedback #13 Jan: resolve checking of array handle and use of __copy v1 xen-project#5 (#16) feedback Paul: notify op: use currd in do_argo_message_op v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_notify_check_pending v1 xen-project#5 (#16) feedback Paul: notify op: use currd in argo_fill_ring_data_array v1 #13 (#16) feedback Paul: notify op: do/while: reindent only v1 #13 (#16) feedback Paul: notify op: do/while: goto v1 : add compat xlat.lst entries v1: add definition for copy_field_from_guest_errno v1 #13 feedback Jan: make 'ring data' comment comply with single-line style v1 feedback #13 Jan: use __copy; so define and use __copy_field_to_guest_errno v1: #13 feedback Jan: public namespace: prefix with xen v1: #13 feedback Jan: add blank line after case in do_argo_message_op v1: self: rename ent id to domain_id v1: self: ent id-> domain_id v1: self: drop signal if domain_cookie mismatches v1. feedback #15 Jan: make loop i unsigned v1. self: drop unnecessary mb() in argo_notify_check_pending v1. self: add blank line v1 #16 feedback Jan: const domain arg to +argo_fill_ring_data v1. feedback #15 Jan: check unusued hypercall args are zero v1 feedback #16 Jan: add comment on space available signal policy v1. feedback #16 Jan: move declr, drop braces, lower indent v1. feedback #18 Jan: meld the resource limits into the main commit v1. feedback #16 Jan: clarify use of magic field v1. self: use single copy to read notify ring data struct v1: argo_fill_ring_data: fix dprintk types for port field v1: self: use %x for printing port as per other print sites v1. feedback Jan: add comments explaining ring full vs empty v1. following Jan: fix argo_ringbuf_payload_space calculation for empty ring

Will inhibit initialization of the domain's argo data structure to prevent receiving any messages or notifications and access to any of the argo hypercall operations. Signed-off-by: Christopher Clark <[email protected]> Acked-by: Daniel De Graaf <[email protected]> v3 Daniel/Jan: add to the default xsm policy for enable v3 Add Daniel's Acked-by v3 xen-project#4 Jason/Roger: soft_reset: can assume reinit is ok if d->argo set v2 self: fix xsm use in soft-reset prior to introduction v1 xen-project#5 (#17) feedback Paul: XSM control for any access: use currd v1 #16 feedback Jan: apply const to function signatures