Andrew Cooper
2013-Feb-14 13:00 UTC
[PATCH v3] hvm: Allow triple fault to imply crash rather than reboot
While the triple fault action on native hardware will result in a system reset, any modern operating system can and will make use of less violent reboot methods. As a result, the most likely cause of a triple fault is a fatal software bug. This patch allows the toolstack to indicate that a triple fault should mean a crash rather than a reboot. The default of reboot still remains the same. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> -- Changes since v2: * Allow any SHUTDOWN_* values to be set Changes since v1: * "reboot" -> "reset" * v->domain -> d
diff -r 63594ce1708f -r dc98663be34e xen/arch/x86/hvm/hvm.c
--- a/xen/arch/x86/hvm/hvm.c
+++ b/xen/arch/x86/hvm/hvm.c
@@ -540,6 +540,7 @@ int hvm_domain_initialise(struct domain
 hvm_init_guest_time(d);
 d->arch.hvm_domain.params[HVM_PARAM_HPET_ENABLED] = 1;
+ d->arch.hvm_domain.params[HVM_PARAM_TRIPLE_FAULT_REASON] = SHUTDOWN_reboot;
 hvm_init_cacheattr_region_list(d);
@@ -1244,9 +1245,13 @@ void hvm_hlt(unsigned long rflags)
 void hvm_triple_fault(void)
 {
 struct vcpu *v = current;
+ struct domain *d = v->domain;
+ u8 reason = d->arch.hvm_domain.params[HVM_PARAM_TRIPLE_FAULT_REASON];
+
 gdprintk(XENLOG_INFO, "Triple fault on VCPU%d - "
- "invoking HVM system reset.\n", v->vcpu_id);
- domain_shutdown(v->domain, SHUTDOWN_reboot);
+ "invoking HVM shutdown action %"PRIu8".\n",
+ v->vcpu_id, reason);
+ domain_shutdown(d, reason);
 }
 void hvm_inject_trap(struct hvm_trap *trap)
@@ -3929,6 +3934,10 @@ long do_hvm_op(unsigned long op, XEN_GUE
 case HVM_PARAM_BUFIOREQ_EVTCHN:
 rc = -EINVAL;
 break;
+ case HVM_PARAM_TRIPLE_FAULT_REASON:
+ if ( a.value > SHUTDOWN_MAX )
+ rc = -EINVAL;
+ break;
 }
 if ( rc == 0 )
diff -r 63594ce1708f -r dc98663be34e xen/include/public/hvm/params.h
--- a/xen/include/public/hvm/params.h
+++ b/xen/include/public/hvm/params.h
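Review bot: In hvm_triple_fault the stored parameter is narrowed to `u8 reason` and handed to domain_shutdown() without being checked again, so its validity rests entirely on the range check added in do_hvm_op. If the params[] slot is wider than eight bits and is ever written by a path other than that check (none is visible in this patch), an out-of-range value would be truncated silently rather than rejected. A guard at the point of use keeps the code reported to the toolstack inside the defined set: `if ( reason > SHUTDOWN_MAX ) reason = SHUTDOWN_reboot;`. A short comment that the number logged is a SHUTDOWN_* code from public/sched.h would also help whoever reads the log.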
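Review bot: The new `HVM_PARAM_TRIPLE_FAULT_REASON` case in do_hvm_op checks only the range of `a.value`; nothing in the hunk restricts which caller may set it. The commit message presents this as a toolstack policy, so if the set-param path can be reached by a guest for its own domain (the rest of do_hvm_op is outside the hunk, so this needs confirming), the guest could switch crash back to reboot and sidestep whatever on-crash handling the administrator configured. Consider refusing self-targeted writes in this case, for example `if ( d == current->domain ) rc = -EPERM;` where `d` stands for whichever local holds the target domain, and record the intent with `/* Toolstack policy: not settable by the guest itself. */`.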
@@ -142,6 +142,9 @@
 #define HVM_PARAM_ACCESS_RING_PFN 28
 #define HVM_PARAM_SHARING_RING_PFN 29
-#define HVM_NR_PARAMS 31
+/* SHUTDOWN_* action in case of a triple fault */
+#define HVM_PARAM_TRIPLE_FAULT_REASON 31
+
+#define HVM_NR_PARAMS 32
 #endif /* __XEN_PUBLIC_HVM_PARAMS_H__ */
diff -r 63594ce1708f -r dc98663be34e xen/include/public/sched.h
--- a/xen/include/public/sched.h
+++ b/xen/include/public/sched.h
@@ -158,6 +158,7 @@ DEFINE_XEN_GUEST_HANDLE(sched_watchdog_t
 #define SHUTDOWN_suspend 2 /* Clean up, save suspend info, kill. */
 #define SHUTDOWN_crash 3 /* Tell controller we''ve crashed. */
 #define SHUTDOWN_watchdog 4 /* Restart because watchdog time expired. */
+#define SHUTDOWN_MAX 4 /* Maximum valid shutdown reason. */
 /* ` } */
 #endif /* __XEN_PUBLIC_SCHED_H__ */
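Review bot: The comment on `HVM_PARAM_TRIPLE_FAULT_REASON` in params.h gives neither the default nor the accepted range, and consumers of this public header need both. Something like `/* SHUTDOWN_* reason reported on a triple fault. Default SHUTDOWN_reboot; values above SHUTDOWN_MAX are rejected. */` would cover it. It may also be worth saying whether the toolstack has to carry the value across save/restore, since a domain set up through hvm_domain_initialise would presumably come back with the reboot default.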
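Review bot: `SHUTDOWN_MAX` in sched.h repeats the literal 4 instead of referring to the last reason code, so a SHUTDOWN_* value added later without bumping it would be rejected by the range check in do_hvm_op with no build-time hint. Writing `#define SHUTDOWN_MAX SHUTDOWN_watchdog`, or adding `/* Keep equal to the highest SHUTDOWN_* value above. */`, makes the coupling explicit.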
Keir Fraser
2013-Feb-14 13:42 UTC
Re: [PATCH v3] hvm: Allow triple fault to imply crash rather than reboot
On 14/02/2013 13:00, "Andrew Cooper" <andrew.cooper3@citrix.com> wrote:> While the triple fault action on native hardware will result in a system > reset, any modern operating system can and will make use of less violent > reboot methods. As a result, the most likely cause of a triple fault is a > fatal software bug. > > This patch allows the toolstack to indicate that a triple fault should mean a > crash rather than a reboot. The default of reboot still remains the same. > > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>Acked-by: Keir Fraser <keir@xen.org>> -- > Changes since v2: > * Allow any SHUTDOWN_* values to be set > Changes since v1: > * "reboot" -> "reset" > * v->domain -> d > > diff -r 63594ce1708f -r dc98663be34e xen/arch/x86/hvm/hvm.c > --- a/xen/arch/x86/hvm/hvm.c > +++ b/xen/arch/x86/hvm/hvm.c > @@ -540,6 +540,7 @@ int hvm_domain_initialise(struct domain > hvm_init_guest_time(d); > > d->arch.hvm_domain.params[HVM_PARAM_HPET_ENABLED] = 1; > + d->arch.hvm_domain.params[HVM_PARAM_TRIPLE_FAULT_REASON] > SHUTDOWN_reboot; > > hvm_init_cacheattr_region_list(d); > > @@ -1244,9 +1245,13 @@ void hvm_hlt(unsigned long rflags) > void hvm_triple_fault(void) > { > struct vcpu *v = current; > + struct domain *d = v->domain; > + u8 reason = d->arch.hvm_domain.params[HVM_PARAM_TRIPLE_FAULT_REASON]; > + > gdprintk(XENLOG_INFO, "Triple fault on VCPU%d - " > - "invoking HVM system reset.\n", v->vcpu_id); > - domain_shutdown(v->domain, SHUTDOWN_reboot); > + "invoking HVM shutdown action %"PRIu8".\n", > + v->vcpu_id, reason); > + domain_shutdown(d, reason); > } > > void hvm_inject_trap(struct hvm_trap *trap) > @@ -3929,6 +3934,10 @@ long do_hvm_op(unsigned long op, XEN_GUE > case HVM_PARAM_BUFIOREQ_EVTCHN: > rc = -EINVAL; > break; > + case HVM_PARAM_TRIPLE_FAULT_REASON: > + if ( a.value > SHUTDOWN_MAX ) > + rc = -EINVAL; > + break; > } > > if ( rc == 0 ) > diff -r 63594ce1708f -r dc98663be34e xen/include/public/hvm/params.h > --- a/xen/include/public/hvm/params.h 
> +++ b/xen/include/public/hvm/params.h > @@ -142,6 +142,9 @@ > #define HVM_PARAM_ACCESS_RING_PFN 28 > #define HVM_PARAM_SHARING_RING_PFN 29 > > -#define HVM_NR_PARAMS 31 > +/* SHUTDOWN_* action in case of a triple fault */ > +#define HVM_PARAM_TRIPLE_FAULT_REASON 31 > + > +#define HVM_NR_PARAMS 32 > > #endif /* __XEN_PUBLIC_HVM_PARAMS_H__ */ > diff -r 63594ce1708f -r dc98663be34e xen/include/public/sched.h > --- a/xen/include/public/sched.h > +++ b/xen/include/public/sched.h > @@ -158,6 +158,7 @@ DEFINE_XEN_GUEST_HANDLE(sched_watchdog_t > #define SHUTDOWN_suspend 2 /* Clean up, save suspend info, kill. > */ > #define SHUTDOWN_crash 3 /* Tell controller we''ve crashed. > */ > #define SHUTDOWN_watchdog 4 /* Restart because watchdog time expired. > */ > +#define SHUTDOWN_MAX 4 /* Maximum valid shutdown reason. > */ > /* ` } */ > > #endif /* __XEN_PUBLIC_SCHED_H__ */