CVE# CVE-2021-23905
Add null pointer check in init vq ring and add vq ring descriptor
check in case it causes a null pointer exception.
Tracked-On: #5355
Signed-off-by: Liu Long <long.liu@intel.com>
Reviewed-by: Wang, Yu1 <yu1.wang@intel.com>
Only free rb_entry when we remove this entry from the rb tree, otherwise, a
page fault would trigger when the next rb iteration accesses the freed rb_entry.
Tracked-On: #6056
Signed-off-by: Li Fei1 <fei1.li@intel.com>
Unifies the logs to pr_* interfaces instead of printf for better log management.
Tracked-On: #5267
Signed-off-by: Sun Peng <peng.p.sun@intel.com>
Reviewed-by: Chi Mingqiang <mingqiang.chi@intel.com>
Acked-by: Wang, Yu1 <yu1.wang@intel.com>
- re-arrange the code to make static code analysis tool happy.
- If no valid conversion could be performed, a zero value is returned
(0L) from strtol(), so add a sanity check "isdigit(cp[0])" to ensure
that it won't unexpectedly parse CPU 0 if the string starts or ends
with the valid delimiters ',' or '-', for example:
-- cpu_affinity 1,
-- cpu_affinity ,1
Tracked-On: #4616
Signed-off-by: Zide Chen <zide.chen@intel.com>
To remove the limit of 4MB ramdisk size simply adjust layout
dynamically according to ramdisk size rounded up to a 4K boundary.
This enables ramdisk based virtual machines which tend to have
large ramdisk memory requirements (128MB and above).
Tracked-On: #4840
Signed-off-by: Helmut Buchsbaum <helmut.buchsbaum@opensource.tttech-industrial.com>
add logs for vm state transition to help
analyze some problems.
Tracked-On: #4098
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
The 'pause/continue' acrnctl cmds are never used and their actions are not
defined for ACRN VMs. Devicemodel monitor doesn't need to handle these 2
msgs, so they should be removed.
Tracked-On: #4790
Signed-off-by: Tao Yuhong <yuhong.tao@intel.com>
Reviewed-by: Jason Chen CJ <jason.cj.chen@intel.com>
Reviewed-by: Yan, Like <like.yan@intel.com>
Remove the 'p' argument from the list as it is now obsolete and there is no
implementation for it in the code.
Tracked-On: #4732
Signed-off-by: Geoffroy Van Cutsem <geoffroy.vancutsem@intel.com>
User has a chance to specify VCPU affinity through acrn-dm command line
argument. Examples of the command line:
3 PCPUs: 1/2/3
--cpu_affinity 1-3
5 PCPUs: 2/3/6/7/8
--cpu_affinity 2,3,6-8
8 PCPUs: 2/3/6/7/9/10/11/12
--cpu_affinity 2,3,6-7,9,10-12
The specified pCPUs must be included in the guest VM's statically
defined vm_config[].cpu_affinity_bitmap.
Tracked-On: #4616
Signed-off-by: Zide Chen <zide.chen@intel.com>
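
An added example, not ACRN's own code: a parser for the --cpu_affinity list format from the commit message above, with the isdigit() guard from the earlier cpu_affinity commit so an empty field ("1," or ",1") is rejected instead of being read as CPU 0. The names parse_id and parse_cpu_affinity, the 64-CPU limit and the 'allowed' argument (standing in for vm_config[].cpu_affinity_bitmap) are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_PCPUS 64 /* assumed limit for this example */

/* Parse one decimal CPU id at *pp and advance past it. */
static int parse_id(const char **pp, long *out)
{
    char *end;

    /* strtol() returns 0 when no conversion is performed, which would
     * silently select CPU 0, so require a digit before calling it. */
    if (!isdigit((unsigned char)**pp))
        return -1;
    errno = 0;
    *out = strtol(*pp, &end, 10);
    if (errno != 0 || *out < 0 || *out >= MAX_PCPUS)
        return -1;
    *pp = end;
    return 0;
}

/* Parse a list such as "2,3,6-8" into a bitmap and check it against the
 * statically allowed bitmap. Returns 0 on success, -1 on any error. */
int parse_cpu_affinity(const char *s, uint64_t allowed, uint64_t *bitmap)
{
    uint64_t map = 0;
    long lo, hi;

    if (s == NULL || bitmap == NULL)
        return -1;
    for (;;) {
        if (parse_id(&s, &lo) != 0)
            return -1;
        hi = lo;
        if (*s == '-') {
            s++;
            if (parse_id(&s, &hi) != 0 || hi < lo)
                return -1;
        }
        for (long c = lo; c <= hi; c++)
            map |= UINT64_C(1) << c;
        if (*s == '\0')
            break;
        if (*s++ != ',')
            return -1;
    }
    if ((map & ~allowed) != 0) /* pCPU outside the VM's configured set */
        return -1;
    *bitmap = map;
    return 0;
}
```
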
now VM state transition only allows VM_PAUSED to
VM_POWERED_OFF, this patch calls vm_pause before vm_destroy
in some vm failure cases.
Tracked-On: #4320
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Jason Chen CJ <jason.cj.chen@intel.com>
1) remove state machine
2) remove retry mechanism
3) pm thread is only used to transmit data, not to parse detailed messages.
v1-->v2:
remove delay in pm_monitor_loop
Tracked-On: #4446
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Reviewed-by: Minggui Cao <minggui.cao@intel.com>
Reviewed-by: Yuhong Tao <yuhong.tao@intel.com>
Acked-by: Wang, Yu1 <yu1.wang@intel.com>
it will send shutdown command to life_mngr on SOS
after the UOS has powered off itself
Tracked-On: #4446
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Minggui Cao <minggui.cao@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Wang, Yu1 <yu1.wang@intel.com>
when acrn-dm received shutdown command, it will call this api
to send shutdown command to life_mngr running on SOS via socket.
Tracked-On: #4446
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Minggui Cao <minggui.cao@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Wang, Yu1 <yu1.wang@intel.com>
it will send "acked" message to UOS if it receives
"shutdown" command from UOS, then wait for UOS to power off itself,
it will send shutdown to life_mngr running on SOS to
shutdown system.
Tracked-On: #4446
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Reviewed-by: Minggui Cao <minggui.cao@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Wang, Yu1 <yu1.wang@intel.com>
Change shutdown_uos_thread to pm_monitor thread,
the shutdown_uos_thread can do:
--send shutdown request to UOS
--receive acked message from UOS
the pm_monitor can do:
--send shutdown request to UOS
--receive acked message from UOS
--receive shutdown request from UOS
Tracked-On: #4446
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Minggui Cao <minggui.cao@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Wang, Yu1 <yu1.wang@intel.com>
set the attributes during pm-vuart initialization
to avoid the pm-vuart in an indefinite state.
Currently we have implemented S5 triggered by SOS,
this patch series supports S5 triggered by both SOS and RTVM.
The full steps for S5 triggered by SOS:
1) S5-Trigger: it initiates the platform shutdown actions;
it calls “acrnctl stop vmX” to do that,
and check the VM's status, power-off SOS itself.
2) acrnctl will send “stop” to “acrn-dm”
3) acrn-dm will send “shutdown” command to VMx by v-UART.
4) when life-cycle manager in VMx receives the “shutdown” command,
it will give an “acked” to acrn-dm, and then poweroff itself.
The full steps for S5 triggered by RTVM:
1) S5-Trigger in RTVM: it initiates the platform shutdown actions;
it’ll send shutdown command for platform shutdown to
life-cycle manager
2) when life-cycle manager in RTVM receives the message,
it will send “shutdown” command to acrn-dm in SOS by v-UART.
3) when acrn-dm receives the “shutdown” command from RTVM,
it will give an “acked” to RTVM, RTVM’s life-cycle manager can
power off itself
4) acrn-dm will send “shutdown” command to its own life-cycle manager
by socket.
5) when life-cycle manager in SOS receives the “shutdown” command,
it can call “s5_trigger” script to shutdown platform.
Tracked-On: #4446
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
Reviewed-by: Minggui Cao <minggui.cao@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Acked-by: Wang, Yu1 <yu1.wang@intel.com>
Let the ACRN HV do this in the shutdown sequence. In this case, the RTVM could
still be alive if something wrong happened that caused the DM to die.
Tracked-On: #4428
Signed-off-by: Li Fei1 <fei1.li@intel.com>
If the guest is RTVM, dm process exit doesn't mean RTVM is
shutdown. Only shutdown_vm in hypervisor guarantees RTVM is
shutdown. So we should avoid touching guest memory content
from DM if the guest is RTVM.
Tracked-On: #4428
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Wang, Yu1 <yu1.wang@intel.com>
Now we split passthrough PCI device from DM to HV, we could remove all the passthrough
PCI device unused code.
Tracked-On: #4371
Signed-off-by: Li Fei1 <fei1.li@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Add assign/deassign PCI device ioctl APIs to assign a PCI device from SOS to
post-launched VM or deassign a PCI device from post-launched VM to SOS. This patch
is prepared for splitting passthrough PCI device from DM to HV.
The old assign/deassign ptdev APIs will be discarded.
Tracked-On: #4371
Signed-off-by: Li Fei1 <fei1.li@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
gop driver and uos IGD driver will use
graphics stolen memory (gsm) when GVT-d is enabled.
This patch pass-thru gsm to uos gpu.
After set physical GPU gsm size 64MB in host BIOS:
Here are the steps:
(1) set gsm gpa (guest physical address) 0xDB000000;
(2) get gsm hpa (host physical address);
(3) build EPT mapping for gsm.
v1 -> v2:
* initialize the EPT mapping for passthrough GPU gsm region
in passthru_init instead of reading the BDSM config space
v2 -> v3:
* add EPT unmap when deinit
* change some micro name
Tracked-On: #4360
Signed-off-by: Junming Liu <junming.liu@intel.com>
Reviewed-by: Zhao Yakui <yakui.zhao@intel.com>
Reviewed-by: Liu XinYun <xinyun.liu@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Reviewed-by: Wu Binbin <binbin.wu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
use acrn-dm logger function instead of perror,
this helps the stability testing log capture.
Tracked-On: #4098
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Do reset for passthrough PCI device by default when assigning it to post-launched
VM:
1. modify opt "reset" to "no_reset" -- could enable no_reset for debug only
2. remove "ptdev_no_reset" opt. It could be replaced by setting "no_reset" for
each passthrough device.
Tracked-On: #3465
Signed-off-by: Li Fei1 <fei1.li@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
This patch refactors the CMD_OPT_LAPIC_PT case branch
to explicitly add the dependency of option RTVM at the
same branch, it is decoupled from the next case branch
to comply with strict code standard and improve the
code readability.
Tracked-On: #4283
Signed-off-by: Gary <gordon.king@intel.com>
The current design has the following problem:
gvt uses some pci bar regions,
but ACRN-DM isn't aware of these regions.
So ACRN-DM may allocate these regions for other pci devices,
which will result in other pci devices bar regions
overlap with gvt bar regions.
The new design is the following:
(1) ACRN-DM reads gvt bar regions
which are provided by physical gpu;
(2) ACRN-DM reserves gvt bar regions
v6 -> v7:
* use array to store reserved bar regions
* rename some struct and func
v5 -> v6:
* rename enable_gvt to gvt_enabled
* add an interface to reserve bar regions
* reserve gvt bar regions
Tracked-On: projectacrn#4005
Signed-off-by: Junming Liu <junming.liu@intel.com>
Reviewed-by: Zhao Yakui <yakui.zhao@intel.com>
Reviewed-by: Liu XinYun <xinyun.liu@intel.com>
Reviewed-by: Shuo A Liu <shuo.a.liu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
use acrn-dm logger function instead of fprintf,
this helps the stability testing log capture.
Tracked-On: #4098
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Cao Minggui <minggui.cao@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
Use acrn-dm logger function instead of printf,
this helps the stability testing log capture.
Tracked-On: #4098
Signed-off-by: Mingqiang Chi <mingqiang.chi@intel.com>
Reviewed-by: Cao Minggui <minggui.cao@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
Lock should be held till all the mmap operations are done. This is to
avoid the mmap failure when multiple guests are created concurrently.
For example consider the following case in which vm1 and vm2 are
created by acrnd concurrently:
- vm1 is created with 4G+2M memory.
- 4G+2M memory is reserved in hugetlb now and vm1 continues to
allocate memory for the lowmem without lock held.
- 2G memory is allocated by vm1 for its lowmem, and 2G+2M memory
is available in hugetlb.
- At this time vm2 is created with 1G+2M memory. It finds that enough
memory is reserved (2G+2M), so it does not try to reserve more
memory.
- vm2 allocates some memory for its lowmem/highmem/ovmf.
- vm1 tries to allocate memory for its highmem/ovmf, the allocation
will fail. vm1 creation failed in this case.
Tracked-On: #3947
Signed-off-by: Jian Jun Chen <jian.jun.chen@intel.com>
Reviewed-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
In acrn_load_elf(), file pointer 'fp' is kept in
open state before exiting if 'load_elf32()' is executed,
this patch is to fix this bug.
Tracked-On: #3817
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
After Windows 10, version 1607, the cross-signed drivers are forbidden
to load when secure boot is enabled.
For details please refer to
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-
That means the kvm-guest-drivers-windows can't work when secure boot is enabled.
So we found another windows virtio FE drivers from Oracle to resolve this issue
but have to change another subsystem vendor ID for the virtio BE services.
This patch introduces a new DM CMD line "--windows" to launch WaaG with Oracle virtio devices including
virtio-blk, virtio-net, virtio-input instead of Redhat. It can make virtio-blk, virtio-net and virtio-input
devices work when WaaG enables secure boot.
Tracked-On: #3583
Signed-off-by: Yuan Liu <yuan1.liu@intel.com>
Reviewed-by: Eddie Dong <eddie.dong@intel.com>
Acked-by: Yin Fengwei <fengwei.yin@intel.com>
Currently, DM only accesses /sys/kernel/mm/hugepages/hugepages-2048kB/
entries according to its own huge page requirement. So it could have
the following race issue:
    DM1                      DM2
    read nr pages
                             read nr pages
                             write DM2 nr pages
    write DM1 nr pages
Suppose we should write DM1 + DM2 nr page to kernel sysfs interface
to reserve enough huge page (DM1 + DM2). But actually only reserve
huge page requested by DM1. Which could trigger one VM can't boot.
We can easily hit this issue if we enable multiple UOS auto boot
because more than one VM is started at almost the same time.
We add file lock to make sure huge page reserving in DM is atomic.
Tracked-On: #3729
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Wang Yu <yu1.wang@intel.com>
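
An added example, not the ACRN patch itself: the read/write race from the commit message above, closed by holding an exclusive flock() across the whole read-modify-write. A scratch file stands in for the sysfs nr_hugepages entry, and the function names and both paths are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/wait.h>
#include <unistd.h>

/* Add `need` pages to the count in `path`; lock covers read, add and write. */
int reserve_pages(const char *path, const char *lockpath, long need)
{
    char buf[32] = {0};
    int rc = -1, fd, lfd = open(lockpath, O_CREAT | O_RDWR, 0600);

    if (lfd < 0)
        return -1;
    if (flock(lfd, LOCK_EX) == 0 && (fd = open(path, O_RDWR)) >= 0) {
        if (pread(fd, buf, sizeof(buf) - 1, 0) > 0) {
            long cur = strtol(buf, NULL, 10);
            int n = snprintf(buf, sizeof(buf), "%ld\n", cur + need);
            if (ftruncate(fd, 0) == 0 && pwrite(fd, buf, (size_t)n, 0) == n)
                rc = 0;
        }
        close(fd);
    }
    close(lfd); /* closing the descriptor releases the lock */
    return rc;
}

/* Constructed demo: `procs` processes reserve concurrently; returns final count. */
long run_concurrent(const char *path, const char *lockpath, int procs, int iters, long each)
{
    long total = -1;
    int st, bad = 0;
    FILE *f = fopen(path, "w");

    if (f == NULL)
        return -1;
    fputs("0\n", f);
    fclose(f);
    for (int i = 0; i < procs; i++) {
        if (fork() == 0) { /* child: acts as one DM instance */
            for (int j = 0; j < iters; j++)
                bad |= reserve_pages(path, lockpath, each) != 0;
            _exit(bad);
        }
    }
    while (wait(&st) > 0)
        bad |= !WIFEXITED(st) || WEXITSTATUS(st) != 0;
    f = fopen(path, "r");
    if (f == NULL || fscanf(f, "%ld", &total) != 1)
        bad = 1;
    if (f != NULL)
        fclose(f);
    return bad ? -1 : total;
}
```

With the lock held, the final count equals the sum of all requests; without the flock() call the same run can lose updates exactly as in the DM1/DM2 interleaving.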
Remove the guest cpu number option '-c', as the guest cpu number is
defined in hypervisor vm configuration file, and the number can be
returned by vm_create().
Tracked-On: #3663
Signed-off-by: Conghui Chen <conghui.chen@intel.com>
Acked-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
Now, we pre-define VM configuration statically in HV. So HV can create
vcpus instead of DM when VM create.
This patch gets the created vcpu_num from HV. vm_create_vcpu can be
removed later if kernel can get vcpu_num correctly without
IC_CREATE_VCPU ioctl.
v4: Keep vm_create_vcpu in DM for compatibility. We might remove it when
kernel is ready.
Tracked-On: #3663
Signed-off-by: Shuo A Liu <shuo.a.liu@intel.com>
if RTVM, now we assume it can't be shutdown forcibly by SOS, so
add check condition to avoid that.
Tracked-On: #3564
Signed-off-by: Minggui Cao <minggui.cao@intel.com>
Acked-by: Yin Fengwei <fengwei.yin@intel.com>
vuart can be used as communication channel between VMs;
here vuart used to control vm's power off flow; control command
is from SOS to UOS
Tracked-On: #3564
Signed-off-by: Minggui Cao <minggui.cao@intel.com>
Acked-by: Yin Fengwei <fengwei.yin@intel.com>
Now, we have two ways to notify guest about power management
event:
- ioc on MRB platforms
- ACPI power button on other platforms
And we hardcode which one is used now.
In coming change, we will add UART based guest notify method.
We add dm command option to select which method will be used
when launch UOS.
Tracked-On: #3564
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
Reviewed-by: Yuan Liu <yuan1.liu@intel.com>
Acked-by: Wang Yu <yu1.wang@intel.com>
Remove the '-p' ("pincpu" option) from the help displayed when calling 'acrn-dm
-h'.
Tracked-On: #3600
Signed-off-by: Geoffroy Van Cutsem <geoffroy.vancutsem@intel.com>
Change hardcode of vcpu number to the real value when process VM's IO
request in DM, so we can handle all requests from different vcpus.
Tracked-On: #3425
Signed-off-by: Shuo A Liu <shuo.a.liu@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
According to $(LINUX_SRC)/Documentation/x86/boot.txt, the header
of bzimage has setup sector number in offset 0x1f1. We don't
need to scan the SETUP_SIG and detect the setup sector number
actually which is not documented in x86 boot protocol.
Tracked-On: #3619
Signed-off-by: Yin Fengwei <fengwei.yin@intel.com>
Acked-by: Yu Wang <yu1.wang@intel.com>
ACRN-DM does not support "pincpu" option to pin 'vcpu' to 'hostcpu', ACRN support vcpu to pcpu static mapping
via vm_config.
This commit removes the "pincpu" option.
Tracked-On: #3600
Signed-off-by: Yan, Like <like.yan@intel.com>
Acked-by: Yin Fengwei <fengwei.yin@intel.com>
When someone sends DM message DM_STOP, with a non-zero data.acrnd_stop.force
value, DM sets suspend mode to VM_SUSPEND_POWEROFF directly, that will
cause DM to quit main loop. That can force stop VM.
Signed-off-by: Tao Yuhong <yuhong.tao@intel.com>
Reviewed-by: Yan, Like <like.yan@intel.com>
To support modification of OVMF NV storage, add an option "w" for
--ovmf to write the changed OVMF NV data section back to the OVMF image
from guest memory before deinit operations. This will enable persistent
EFI variables. Only option "w" is supported, dm will exit if passing
invalid option. It expects OVMF NV storage writeback with option "w"
when power off or reboot the UOS, poweroff, cold and warm reboot in EFI
shell and when dm receives SIGINT and SIGHUP.
Tracked-On: #3413
Signed-off-by: Yang, Yu-chu <yu-chu.yang@intel.com>
Reviewed-by: Eddie Dong <eddie.dong@intel.com>
Acked-by: Yin Fengwei <fengwei.yin@intel.com>
In order to support OVMF NV storage writeback, the High BIOS region in
the guest will behave as RAM and can be modified by OVMF itself. Give
the guest write permission to this page.
Tracked-On: #3413
Signed-off-by: Peter Fang <peter.fang@intel.com>
Acked-by: Yin Fengwei <fengwei.yin@intel.com>
Current hugetlbfs code has a limitation on file path length.
The path string comprises of mount path + vm name.
Something like /run/hugepage/acrn/huge_lv1/vm1.
To this UUID (32 bytes) is added and the total path length
should be less than 128.
This works fine but in cases where the VM name is large as
in case kata, this check fails. Kata passes a sandbox-id
as VM name and so path + 32 for UUID easily exceed 128 bytes.
“/run/hugepage/acrn/huge_lv1/
sandbox-6d455fa48788eae82dee42410fc3d38849c2a5196f930b3d6944805aed8d24c7”
To address this, increase the size of MAX_PATH_LEN from
128 to 256 bytes.
Tracked-On: #3379
Signed-off-by: Vijay Dhanraj <vijay.dhanraj@intel.com>
Acked-by: Anthony Xu <anthony.xu@intel.com>
- check input by condition check, instead of assert.
- remove redundant header file including for some files.
Tracked-On: #3252
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Shuo Liu <shuo.a.liu@intel.com>