* [PATCH 0/4] x86/xen Several unassociated fixes
@ 2015-06-02 14:04 Andrew Cooper
From: Andrew Cooper @ 2015-06-02 14:04 UTC (permalink / raw)
  To: Xen-devel; +Cc: Andrew Cooper
While investigating a separate issue on Broadwell hardware, we encountered a
cascade crash, with 3 independent issues.  For anyone interested, the full
backtrace was:
(XEN) Xen SMAP violation
(XEN) ----[ Xen-4.5.0-xs101665-d  x86_64  debug=y  Not tainted ]----
(XEN) CPU:    15
(XEN) RIP:    e008:[<ffff82d08018c12f>] memcpy+0x17/0x1b
(XEN) RFLAGS: 0000000000010202   CONTEXT: hypervisor (d0v0)
(XEN) rax: 00007ffe632f6eb8   rbx: ffff830286d1a000   rcx: 0000000000000004
(XEN) rdx: 0000000000000004   rsi: ffff820040054dd8   rdi: 00007ffe632f6eb8
(XEN) rbp: ffff83043cbc7c48   rsp: ffff83043cbc7c48   r8:  fffff060011802af
(XEN) r9:  000000000000002c   r10: ffff82d08024e0e0   r11: 0000000000000282
(XEN) r12: 0000000000000004   r13: 00000000002508f6   r14: ffffffffffffffff
(XEN) r15: ffff820040054dd8   cr0: 000000008005003b   cr4: 00000000003126f0
(XEN) cr3: 000000043c02b000   cr2: 00007ffe632f6eb8
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen stack trace from rsp=ffff83043cbc7c48:
(XEN) Xen call trace:
(XEN)    [<ffff82d08018c12f>] memcpy+0x17/0x1b
(XEN)    [<ffff82d0801619e6>] dbg_rw_mem+0x2f6/0x360
(XEN)    [<ffff82d080163494>] arch_do_domctl+0x19c0/0x25f4
(XEN)    [<ffff82d080106760>] do_domctl+0x1b4b/0x1edb
(XEN)    [<ffff82d080233fcb>] syscall_enter+0xeb/0x145
(XEN) 
(XEN) Faulting linear address: 00007ffe632f6eb8
(XEN) Pagetable walk from 00007ffe632f6eb8:
(XEN)  L4[0x0ff] = 000000084ed00067 00000000000312ff
(XEN)  L3[0x1f9] = 000000040b104067 0000000000104513
(XEN)  L2[0x119] = 000000050f511067 000000000010457c 
(XEN)  L1[0x0f6] = 800000087d665167 0000000000101dcc
(XEN) 
(XEN) ****************************************
(XEN) Panic on CPU 15:
(XEN) FATAL TRAP: vector = 14 (page fault)
(XEN) [error_code=0003] 
(XEN) ****************************************
(XEN) 
(XEN) Reboot in five seconds...
(XEN) Executing kexec image on cpu15
(XEN) Assertion 'local_irq_is_enabled()' failed at smp.c:223
(XEN) ----[ Xen-4.5.0-xs101665-d  x86_64  debug=y  Not tainted ]----
(XEN) CPU:    15
(XEN) RIP:    e008:[<ffff82d08018a0d3>] flush_area_mask+0x7/0x134
(XEN) RFLAGS: 0000000000050046   CONTEXT: hypervisor (d0v0)
(XEN) rax: 0000000000040046   rbx: ffff82e008b2faa0   rcx: 0000000000000000
(XEN) rdx: 0000000000000100   rsi: 0000000000000000   rdi: ffff83043cbc78c0
(XEN) rbp: ffff83043cbc7918   rsp: ffff83043cbc78a0   r8:  0000000000000000
(XEN) r9:  0000000000000038   r10: 0000000000000040   r11: ffff82d080310ba0
(XEN) r12: ffff82d0803492c0   r13: 00000000225692e4   r14: ffff83043cbc78c0
(XEN) r15: 00000000000000c0   cr0: 000000008005003b   cr4: 00000000003126f0
(XEN) cr3: 000000043c02b000   cr2: 00007ffe632f6eb8
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: e010   cs: e008
(XEN) Xen stack trace from rsp=ffff83043cbc78a0:
(XEN) Xen call trace:
(XEN)    [<ffff82d08018a0d3>] flush_area_mask+0x7/0x134
(XEN)    [<ffff82d08011f7c6>] alloc_domheap_pages+0xa9/0x12a
(XEN)    [<ffff82d08011f8ab>] alloc_xenheap_pages+0x64/0xdb
(XEN)    [<ffff82d080178e08>] alloc_xen_pagetable+0x1c/0xa0
(XEN)    [<ffff82d08017926b>] virt_to_xen_l1e+0x38/0x1be
(XEN)    [<ffff82d080179bff>] map_pages_to_xen+0x80e/0xfd9
(XEN)    [<ffff82d080185a23>] __set_fixmap+0x2c/0x2e
(XEN)    [<ffff82d0801a6fd4>] machine_crash_shutdown+0x186/0x2b2
(XEN)    [<ffff82d0801172bb>] kexec_crash+0x3f/0x5b
(XEN)    [<ffff82d0801479b7>] panic+0x100/0x118
(XEN)    [<ffff82d08019002b>] set_guest_machinecheck_trapbounce+0/0x6d
(XEN)    [<ffff82d080195c15>] do_page_fault+0x40b/0x541
(XEN)    [<ffff82d0802345e0>] handle_exception_saved+0x2e/0x6c
(XEN)    [<ffff82d08018c12f>] memcpy+0x17/0x1b
(XEN)    [<ffff82d0801619e6>] dbg_rw_mem+0x2f6/0x360
(XEN)    [<ffff82d080163494>] arch_do_domctl+0x19c0/0x25f4
(XEN)    [<ffff82d080106760>] do_domctl+0x1b4b/0x1edb
(XEN)    [<ffff82d080233fcb>] syscall_enter+0xeb/0x145
(XEN) 
(XEN) 
(XEN) ****************************************
(XEN) Panic on CPU 15:
(XEN) Assertion 'local_irq_is_enabled()' failed at smp.c:223
(XEN) ****************************************
(XEN) 
(XEN) Reboot in five seconds...
(XEN) Reentered the crash path.  Something is very broken
(XEN) ----[ Xen-4.5.0-xs101665-d  x86_64  debug=y  Not tainted ]----
(XEN) CPU:    0
(XEN) RIP:    e008:[<ffff82d0801606f6>] disconnect_bsp_APIC+0x48/0x11d
(XEN) RFLAGS: 0000000000010002   CONTEXT: hypervisor
(XEN) rax: 0000000000010000   rbx: 000000000000000a   rcx: 000000000000080f
(XEN) rdx: ffff82cfffdf8010   rsi: 00000000ffffffff   rdi: 0000000000000000
(XEN) rbp: ffff82d0802f7c88   rsp: ffff82d0802f7c70   r8:  ffff82cffffff000
(XEN) r9:  ffff82cffffff000   r10: 0000000000000000   r11: 0000ffff0000ffff
(XEN) r12: ffff82d0802876e0   r13: 00000000000000fb   r14: 0000000000000008
(XEN) r15: 0000000000000020   cr0: 0000000080050033   cr4: 00000000003126f0
(XEN) cr3: 0000000078696000   cr2: 00000000080a15a5
(XEN) ds: 007b   es: 007b   fs: 00d8   gs: 00e0   ss: 0000   cs: e008
(XEN) Xen stack trace from rsp=ffff82d0802f7c70:
(XEN) Xen call trace:
(XEN)    [<ffff82d0801606f6>] disconnect_bsp_APIC+0x48/0x11d
(XEN)    [<ffff82d08018a385>] smp_send_stop+0x5b/0x67
(XEN)    [<ffff82d080189c08>] machine_restart+0x8d/0x236
(XEN)    [<ffff82d080189dbc>] __machine_restart+0xb/0xf
(XEN)    [<ffff82d08012f8db>] smp_call_function_interrupt+0x95/0xca
(XEN)    [<ffff82d08018a42a>] call_function_interrupt+0x35/0x3b
(XEN)    [<ffff82d080173cbf>] do_IRQ+0x95/0x635
(XEN)    [<ffff82d080234502>] common_interrupt+0x62/0x70
(XEN)    [<ffff82d0801afd2e>] mwait_idle+0x294/0x2e8
(XEN)    [<ffff82d080164cf6>] idle_loop+0x51/0x70
(XEN) 
(XEN) 
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) GENERAL PROTECTION FAULT
(XEN) [error_code=0000]
(XEN) ****************************************
(XEN) 
(XEN) Reboot in five seconds...
Andrew Cooper (4):
  x86/apic: Disable the LAPIC later in smp_send_stop()
  xen/crash: Don't use set_fixmap() in the crash path
  x86/debugger: Use copy_to/from_guest() in dbg_rw_guest_mem()
  x86/memcpy: Reduce code size
 xen/arch/x86/crash.c           |    9 +++-----
 xen/arch/x86/debug.c           |   45 +++++++++++++++++++++++-----------------
 xen/arch/x86/domctl.c          |   14 ++++++-------
 xen/arch/x86/smp.c             |    2 +-
 xen/arch/x86/string.c          |    2 +-
 xen/include/asm-x86/debugger.h |    7 +++----
 6 files changed, 41 insertions(+), 38 deletions(-)
-- 
1.7.10.4
* [PATCH 1/4] x86/apic: Disable the LAPIC later in smp_send_stop()
From: Andrew Cooper @ 2015-06-02 14:04 UTC (permalink / raw)
  To: Xen-devel; +Cc: Andrew Cooper, Jan Beulich
__stop_this_cpu() may reset the LAPIC mode back from x2apic to xapic, but will
leave x2apic_enabled alone.  This may cause disconnect_bsp_APIC() in
disable_IO_APIC() to suffer a #GP fault.
Disabling the LAPIC can safely be deferred to being the last action.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <JBeulich@suse.com>
---
I still think that x2apic_enabled is not an appropriate predicate for
apic_read/write() to use.  Currently LAPIC mode is inherently a per-pcpu
property rather than a global property, and can result in all kinds of fun
depending on the exact nature of the crash.
In this example, had the original crash attempt got further before
reentering, x2apic_enabled would have already changed, and
smp_call_function() higher would have failed to IPI the other cpus (by
trying to drive the LAPIC in xapic mode when it was actually in x2apic mode).
--- xen/arch/x86/smp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/smp.c b/xen/arch/x86/smp.c index 06a833e..8caa0bc 100644 --- a/xen/arch/x86/smp.c +++ b/xen/arch/x86/smp.c @@ -311,9 +311,9 @@ void smp_send_stop(void) mdelay(1); local_irq_disable(); - __stop_this_cpu(); disable_IO_APIC(); hpet_disable(); + __stop_this_cpu(); local_irq_enable(); } -- 1.7.10.4
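Review bot: The new position of __stop_this_cpu() in smp_send_stop(), after hpet_disable(), encodes an ordering requirement that nothing in the code records. The commit message explains that __stop_this_cpu() may switch the LAPIC from x2apic back to xapic while leaving x2apic_enabled alone, which is why disable_IO_APIC() has to run first; a one-line comment above the moved call saying so would keep a later cleanup from moving it back up.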
* [PATCH 2/4] xen/crash: Don't use set_fixmap() in the crash path
From: Andrew Cooper @ 2015-06-02 14:04 UTC (permalink / raw)
  To: Xen-devel; +Cc: Andrew Cooper, Jan Beulich
Experimentally, this can result in memory allocation, and in particular a
failed assertion that interrupts are enabled when performing a TLB flush.
(XEN) Assertion 'local_irq_is_enabled()' failed at smp.c:223
<snip>
(XEN)    [<ffff82d08018a0d3>] flush_area_mask+0x7/0x134
(XEN)    [<ffff82d08011f7c6>] alloc_domheap_pages+0xa9/0x12a
(XEN)    [<ffff82d08011f8ab>] alloc_xenheap_pages+0x64/0xdb
(XEN)    [<ffff82d080178e08>] alloc_xen_pagetable+0x1c/0xa0
(XEN)    [<ffff82d08017926b>] virt_to_xen_l1e+0x38/0x1be
(XEN)    [<ffff82d080179bff>] map_pages_to_xen+0x80e/0xfd9
(XEN)    [<ffff82d080185a23>] __set_fixmap+0x2c/0x2e
(XEN)    [<ffff82d0801a6fd4>] machine_crash_shutdown+0x186/0x2b2
(XEN)    [<ffff82d0801172bb>] kexec_crash+0x3f/0x5b
(XEN)    [<ffff82d0801479b7>] panic+0x100/0x118
(XEN)    [<ffff82d08019002b>] set_guest_machinecheck_trapbounce+0/0x6d
(XEN)    [<ffff82d080195c15>] do_page_fault+0x40b/0x541
(XEN)    [<ffff82d0802345e0>] handle_exception_saved+0x2e/0x6c
Instead, use the directmap mappings, which are writable and involve far less
complexity than set_fixmap().
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <JBeulich@suse.com>
--- xen/arch/x86/crash.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/xen/arch/x86/crash.c b/xen/arch/x86/crash.c index eb7be9c..501e18e 100644 --- a/xen/arch/x86/crash.c +++ b/xen/arch/x86/crash.c
@@ -140,13 +140,10 @@ static void nmi_shootdown_cpus(void) * Ideally would be: * exception_table[TRAP_nmi] = &do_nmi_crash; * - * but the exception_table is read only. Borrow an unused fixmap entry - * to construct a writable mapping. + * but the exception_table is read only. Access it via its directmap + * mappings. */ - set_fixmap(FIX_TBOOT_MAP_ADDRESS, __pa(&exception_table[TRAP_nmi])); - write_atomic((unsigned long *) - (fix_to_virt(FIX_TBOOT_MAP_ADDRESS) + - ((unsigned long)&exception_table[TRAP_nmi] & ~PAGE_MASK)), + write_atomic((unsigned long*)__va(__pa(&exception_table[TRAP_nmi])), (unsigned long)&do_nmi_crash); /* Ensure the new callback function is set before sending out the NMI. */ -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
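Review bot: The replacement write_atomic() line in nmi_shootdown_cpus() casts with (unsigned long*) where the removed line used (unsigned long *); keep the space so the cast matches the surrounding style. The updated comment could also say why the directmap alias is preferred here, namely that it is writable and avoids the map_pages_to_xen() call that reached the allocator in the quoted trace, since that is the property the crash path depends on.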
* [PATCH 3/4] x86/debugger: Use copy_to/from_guest() in dbg_rw_guest_mem()
From: Andrew Cooper @ 2015-06-02 14:04 UTC (permalink / raw)
  To: Xen-devel; +Cc: Andrew Cooper, Jan Beulich
Using gdbsx on Broadwell systems suffers a SMAP violation because
dbg_rw_guest_mem() uses memcpy() with a userspace pointer.
The functions dbg_rw_mem() and dbg_rw_guest_mem() have been updated to pass
'void * __user' pointers which indicates their nature clearly.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <JBeulich@suse.com>
---
After these changes, 'gdbsx -c' works as well as it did before (i.e. not at
all, for the stack trace), but doesn't take Xen down with it.
There are other issues in this area, and XEN_DOMCTL_gdbsx_guestmemio is
certainly not fit yet for removal from the XSA-77 exclusion list.
--- xen/arch/x86/debug.c | 45 +++++++++++++++++++++++----------------- xen/arch/x86/domctl.c | 14 ++++++------- xen/include/asm-x86/debugger.h | 7 +++---- 3 files changed, 36 insertions(+), 30 deletions(-) diff --git a/xen/arch/x86/debug.c b/xen/arch/x86/debug.c index 435bd40..801dcf2 100644 --- a/xen/arch/x86/debug.c +++ b/xen/arch/x86/debug.c @@ -41,6 +41,9 @@ #define DBGP2(...) ((void)0) #endif +typedef unsigned long dbgva_t; +typedef unsigned char dbgbyte_t; + /* Returns: mfn for the given (hvm guest) vaddr */ static unsigned long dbg_hvm_va2mfn(dbgva_t vaddr, struct domain *dp, int toaddr,
@@ -154,13 +157,14 @@ } /* Returns: number of bytes remaining to be copied */ -static int -dbg_rw_guest_mem(dbgva_t addr, dbgbyte_t *buf, int len, struct domain *dp, - int toaddr, uint64_t pgd3) +unsigned int dbg_rw_guest_mem(struct domain *dp, void * __user gaddr, + void * __user buf, unsigned int len, + bool_t toaddr, uint64_t pgd3) { while ( len > 0 ) { char *va; + unsigned long addr = (unsigned long)gaddr; unsigned long mfn, gfn = INVALID_GFN, pagecnt; pagecnt = min_t(long, PAGE_SIZE - (addr & ~PAGE_MASK), len); @@ -176,12 +180,12 @@ if ( toaddr ) { - memcpy(va, buf, pagecnt); /* va = buf */ + copy_from_user(va, buf, pagecnt); /* va = buf */ paging_mark_dirty(dp, mfn); } else { - memcpy(buf, va, pagecnt); /* buf = va */ + copy_to_user(buf, va, pagecnt); /* buf = va */ } unmap_domain_page(va); 
@@ -203,27 +207,30 @@ * pgd3: value of init_mm.pgd[3] in guest. see above. * Returns: number of bytes remaining to be copied. */ -int -dbg_rw_mem(dbgva_t addr, dbgbyte_t *buf, int len, domid_t domid, int toaddr, - uint64_t pgd3) +unsigned int dbg_rw_mem(void * __user addr, void * __user buf, + unsigned int len, domid_t domid, bool_t toaddr, + uint64_t pgd3) { - struct domain *dp = get_domain_by_id(domid); - int hyp = (domid == DOMID_IDLE); + DBGP2("gmem:addr:%lx buf:%p len:$%u domid:%d toaddr:%x\n", + addr, buf, len, domid, toaddr); - DBGP2("gmem:addr:%lx buf:%p len:$%d domid:%x toaddr:%x dp:%p\n", - addr, buf, len, domid, toaddr, dp); - if ( hyp ) + if ( domid == DOMID_IDLE ) { if ( toaddr ) - len = __copy_to_user((void *)addr, buf, len); + len = __copy_to_user(addr, buf, len); else - len = __copy_from_user(buf, (void *)addr, len); + len = __copy_from_user(buf, addr, len); } - else if ( dp ) + else { - if ( !dp->is_dying ) /* make sure guest is still there */ - len= dbg_rw_guest_mem(addr, buf, len, dp, toaddr, pgd3); - put_domain(dp); + struct domain *d = get_domain_by_id(domid); + + if ( d ) + { + if ( !d->is_dying ) + len = dbg_rw_guest_mem(d, addr, buf, len, toaddr, pgd3); + put_domain(d); + } } DBGP2("gmem:exit:len:$%d\n", len); diff --git a/xen/arch/x86/domctl.c b/xen/arch/x86/domctl.c index e9f76d0..1d3854f 100644 --- a/xen/arch/x86/domctl.c +++ b/xen/arch/x86/domctl.c 
@@ -37,14 +37,14 @@ #include <asm/debugger.h> #include <asm/psr.h> -static int gdbsx_guest_mem_io( - domid_t domid, struct xen_domctl_gdbsx_memio *iop) +static int gdbsx_guest_mem_io(domid_t domid, struct xen_domctl_gdbsx_memio *iop) { - ulong l_uva = (ulong)iop->uva; - iop->remain = dbg_rw_mem( - (dbgva_t)iop->gva, (dbgbyte_t *)l_uva, iop->len, domid, - iop->gwr, iop->pgd3val); - return (iop->remain ? -EFAULT : 0); + void * __user gva = (void *)iop->gva, * __user uva = (void *)iop->uva; + + iop->remain = dbg_rw_mem(gva, uva, iop->len, domid, + !!iop->gwr, iop->pgd3val); + + return iop->remain ? -EFAULT : 0; } #define MAX_IOPORTS 0x10000 diff --git a/xen/include/asm-x86/debugger.h b/xen/include/asm-x86/debugger.h index 0408bec..33f4700 100644 --- a/xen/include/asm-x86/debugger.h +++ b/xen/include/asm-x86/debugger.h @@ -82,9 +82,8 @@ static inline int debugger_trap_entry( return 0; } -typedef unsigned long dbgva_t; -typedef unsigned char dbgbyte_t; -extern int dbg_rw_mem(dbgva_t addr, dbgbyte_t *buf, int len, - domid_t domid, int toaddr, uint64_t pgd3); +unsigned int dbg_rw_mem(void * __user addr, void * __user buf, + unsigned int len, domid_t domid, bool_t toaddr, + uint64_t pgd3); #endif /* __X86_DEBUGGER_H__ */ -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 5+ messages in thread
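Review bot: In the dbg_rw_guest_mem() hunk at @@ -154,13 of debug.c, addr is declared and initialised from gaddr inside the while ( len > 0 ) body, so it is reset to the original guest address on every pass. Unless the part of the loop outside this hunk advances gaddr rather than addr, a transfer that crosses a page boundary would map the first page again; initialising addr once before the loop avoids that. The same hunk drops static from dbg_rw_guest_mem() while the debugger.h hunk declares only dbg_rw_mem(), so either keep it static or add a prototype.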
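Review bot: In the @@ -176,12 hunk of debug.c the return values of copy_from_user() and copy_to_user() are discarded. Both can stop short on a fault, and the function is documented as returning the number of bytes remaining to be copied, so a short copy should end the loop and be reflected in the returned count rather than be treated as success, and paging_mark_dirty() should not be reached when nothing was written. The subject line also names copy_to/from_guest() while the code uses the _user variants; one of the two should be brought into line.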
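Review bot: In the dbg_rw_mem() hunk at @@ -203,27 of debug.c, the new DBGP2() call prints addr with %lx although addr is now void * __user; use %p or cast the argument. The unchanged DBGP2("gmem:exit:len:$%d\n", len) at the end of the hunk has the same kind of mismatch now that len is unsigned int, and should use %u.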
* [PATCH 4/4] x86/memcpy: Reduce code size
From: Andrew Cooper @ 2015-06-02 14:04 UTC (permalink / raw)
  To: Xen-devel; +Cc: Andrew Cooper, Jan Beulich
'n % BYTES_PER_LONG' is at most 7, and doesn't need a 64bit register mov.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Jan Beulich <JBeulich@suse.com>
---
Admittedly very trivial, but no need to be wasteful
--- xen/arch/x86/string.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/xen/arch/x86/string.c b/xen/arch/x86/string.c index 3af0ea8..043ae66 100644 --- a/xen/arch/x86/string.c +++ b/xen/arch/x86/string.c @@ -15,7 +15,7 @@ void *memcpy(void *dest, const void *src, size_t n) asm volatile ( " rep ; movs"__OS" ; " - " mov %4,%3 ; " + " mov %k4,%k3 ; " " rep ; movsb " : "=&c" (d0), "=&D" (d1), "=&S" (d2) : "0" (n/BYTES_PER_LONG), "r" (n%BYTES_PER_LONG), "1" (dest), "2" (src) -- 1.7.10.4
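Review bot: The %k4,%k3 form in the memcpy() asm relies on a 32-bit mov zero-extending into the full count register before the final rep ; movsb, and that reasoning appears only in the commit message. A short comment beside the mov noting that n % BYTES_PER_LONG is at most 7 and that the 32-bit write clears the upper half of the register would make the operand modifiers self-explanatory to the next reader.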