Commit Graph

558 Commits

Author SHA1 Message Date
dv 94c519221d Fix typo in comment about pledges (send -> sendfd).
No functional change.
2022-11-06 11:54:08 +00:00
dv 0fef3eb39e vmd(8): remove unfinished user accounting.
User accounting and enforcement was never finished. tedu the thing
until someone wants to pick it up and finish it.

Originally found by Matthew Martin.

ok mlarkin@, kn@. input from tb@.
2022-10-31 14:02:11 +00:00
jmc 438512a5e8 some macro fixes, mostly Cm -> Ic;
from josiah frentsos
2022-10-14 06:43:26 +00:00
jmc 755afa6321 macro tweaks; from josiah frentsos
ok deraadt
2022-09-24 15:22:59 +00:00
martijn f94ca20ec5 Add (partial) support for agentx in vmd.
Metrics can be found under mib-2.236 and VM-MIB (RFC7666).

Stress tested by and happy noises from Mischa Peters
OK dv@
2022-09-13 10:28:19 +00:00
cheloha f53d796ad2 vmd(8): compute i8254 read-back command latch from singular timestamp
The intent of the i8254 read-back command is (most likely) to permit
simultaneously latching two or three counters at once along with their
statuses.

To simulate this, we should compute olatch from one timestamp per
read-back command, not one timestamp per counter.

Improved with a tweak by dv@.

Link: https://marc.info/?l=openbsd-tech&m=166213670605453&w=2

ok dv@ mlarkin@
2022-09-02 21:33:51 +00:00
dv 33de4f9469 vmm(4): send all port io emulation to userland
Simplify things by sending any io exits from IN/OUT instructions
to userland instead of trying to emulate anything in the kernel.
vmm was sending most pertinent exits to vmd anyways, so this
functionally changes little.

An added benefit is this solves an issue reported by tb@ where i386
OpenBSD guests would probe for a pc keyboard repeatedly and cause
excessive vm exits. (The emulation in vmm was not properly handling
these port reads.)

While here, make the assignment of the VEI_DIR_{IN,OUT} enum values
not assume the underlying integer the compiler may assign.

ok mlarkin@
2022-09-01 22:01:40 +00:00
dv 18126f0e25 Initial support for mmio assist for vmm(4)
Provide the basic information required for a userland assist in
emulating instructions touching mmio regions, sending as much
information as is provided by the host hardware.

No decode or assist provided at the moment by vmd(8).

ok mlarkin@
2022-08-30 17:09:21 +00:00
stsp 3aa949fec5 SWITCH section in ifconfig(8) no longer exists; point people at VEB instead
2022-08-04 11:50:51 +00:00
dv d4e7144e28 vmd(8): fix off by one in vm memory range check
When inspecting if a gpa falls into a known memory range, vmd was
considering it valid 1 byte past the end resulting in selecting the
wrong starting range for the search.

ok mlarkin@
2022-06-29 17:39:54 +00:00
dv b1ba853453 vmd: create a copy of bios at 4g boundary
Newer Linux kernels call into the bios to perform a reboot and our
version of SeaBIOS assumes there's a "copy" of the bios ending at
4g. When SeaBIOS reads from this area, since vmd doesn't perform
mmio yet, guests terminate with an unhandled fault.

Carve out some space ending at 4g and copy the bios there. Technically
we could load garbage there, but give SeaBIOS what it wants for
now.

ok mlarkin@
2022-06-26 06:49:09 +00:00
dv 4a1c7b02a3 use correct logging or error calls
ftruncate sets errno, so use fatal() and not fatalx().

Checking for under-reads of read(2) isn't going to set errno so
use errx().

ok abieber@
2022-05-20 22:06:47 +00:00
dv 2eec084373 fix typos in comments
No functional change. Pointed out by Martin Vahlensieck.
2022-05-13 16:46:34 +00:00
dv 7933afb4f7 vmd: fix rebooting a received vm
Rebooting a received vm resulted in vmd(8) exiting as a result of
flawed state tracking in the parent process.

When stopping a vm, clear the VM_RECEIVE_STATE flag. When starting
a vm, make sure the parent process collapses any existing memory
ranges after the vm is sent to the vmm process (responsible for
launching the vm).

ok mlarkin@
2022-05-08 14:44:54 +00:00
dv ead1b14692 vmctl(8)/vmd(8): convert disk sizes from MB to bytes
Continue converting other parts to storing data in bytes instead
of MB. In this case, the logic for disk sizes was being scaled.

This fixes issues reported by Martin Vahlensieck where vmctl could
no longer create disks larger than 7 MiB after previous commits to
change storing memory sizes as bytes.

While this keeps the vm memory limit check in vmctl's size parser,
it skips the limit check for disks. The error messages adjust
accordingly and this removes the double error message logging.

Update comments and function types accordingly.

ok mlarkin@
2022-05-04 23:17:25 +00:00
dv e545c54c39 vmm/vmd/vmctl: standardize memory units to bytes
At different points in the vm lifecycle vmm(4), vmctl(8), and vmd(8)
refer to a vm's memory range sizes in either bytes or megabytes.
This is needlessly complex.

Switch to using bytes everywhere and adjust types and constants
accordingly. While this makes it possible to specify vm's with
memory in fractions of megabytes, the logic requiring whole
megabyte values remains.

Feedback from deraadt@, mlarkin@, and Matthew Martin.

ok mlarkin@
2022-05-03 21:39:18 +00:00
dv ed010ab236 Free vm_info_result in error paths.
vmd(8)'s get_info_vm() mallocs vm_info_result structs when using
the VMM_IOC_INFO ioctl. The error paths failed to free the resulting
objects.

Diff adapted from suggestions by jca@. ok mlarkin@.
2022-04-10 19:36:58 +00:00
dv 30dd31d210 Resolve clang unused-but-set warnings in vmd's vioscsi.c.
A few of the vioscsi functions have debug logging in DPRINTF's and
are the only use of some declared variables. This tucks any debug-only
variables into the DPRINTF or behind an #if DEBUG.

ok from deraadt@ caveated I don't add code before any declarations.
2022-03-07 14:17:47 +00:00
dv fbbcf6cd7f vmd(8): gracefully handle hitting data limits when starting a vm
With recent changes to login.conf(5) to restrict daemon datasize
to a finite value, users can now hit resource limits when attempting
to start a vm.

This change fixes the error path when hitting the limit. vmd(8)
will no longer abort and memory error messages are relayed to the
user.

While here, address potential under-reads/writes using atomicio
when relaying data between the child vm process and vmd's vmm
process.

Original diff from tedu@. OK mlarkin@.
2022-03-01 21:46:19 +00:00
guenther 6668a73640 When it's the possessive of 'it', it's spelled "its", without the
apostrophe.
2022-01-28 06:33:26 +00:00
mlarkin 418ce7a985 vmd: Remove a warning about non-32KHz timebases
Remove a warning that has outlived its usefulness.

From Brian Conway, thanks.
2022-01-15 23:39:11 +00:00
jmc 565a3eb61f adjust Xr for fw_update to section 8;
ok afresh sthen deraadt
2022-01-05 17:39:24 +00:00
claudio ec4b63a0df Try to handle possible vm_register() failures and return an error back
to the caller instead of most probably crashing because of a NULL pointer
access. This fixes also another -Wunused-but-set-variable warning.
OK benno@ dv@
2022-01-04 15:25:05 +00:00
claudio 79ac00b5ed Remove unused imsg type IMSG_VMDOP_RECEIVE_VM_RESPONSE.
OK benno@ dv@
2022-01-04 15:22:53 +00:00
claudio 0c8271c801 Another -Wunused-but-set-variable fix.
Based on input from dv@
2022-01-04 15:21:40 +00:00
claudio 98142e86aa Fix some simple -Wunused-but-set-variable warnings.
OK benno@ dv@
2022-01-04 15:18:44 +00:00
claudio 3227aa04a0 Add back support for -B net -b bsd.rd which emulates a PXE install and
results in an autoinstall. This can be used to quickly create new OpenBSD
installs.
OK dv@
2021-12-30 08:12:23 +00:00
deraadt e16a722a8a including sys/cdefs.h manually started as a result of netbsd trying to
macro-build a replacement for sccsid, and was done without any concern
for namespace damage.  Unfortunately this practice started infecting
other code as others were unaware they didn't need the file.
ok millert guenther
2021-12-13 18:28:39 +00:00
deraadt 24fb43d058 mostly avoid sys/param.h with a local nitems()
ok mlarkin
2021-11-29 05:17:35 +00:00
claudio 6126134de5 switch(4) is being retired, sthen@ already removed the bits in the code
adjust the man page as well.
OK sthen@ kn@ patrick@
2021-11-11 09:33:36 +00:00
sthen 40d1acf556 Remove switch(4) pieces, feedback/missing piece millert@ ok claudio@ mlarkin@
2021-11-10 20:49:04 +00:00
jan 2bbc068ab0 Fix bootorder string for disk
ok mlarkin@
2021-11-05 10:18:50 +00:00
jan 49d91399e2 Fix broken "boot device cdrom" feature after a fix in seabios.
seabios fixes wrong LUN handling upstream.  Thus, we have to adapt the LUN
of our cdrom bootorder string, too.

ok brynet@, dv@
2021-11-04 17:50:05 +00:00
naddy 08f6ba1906 Don't declare variables as "unsigned char *" that are passed to
functions that take "char *" arguments.  Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.

For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.

With help from millert@
ok benno@ deraadt@
2021-10-15 15:01:27 +00:00
dv 1b25072036 remove unused functions and cleanup vmd.h
Discussed with mlarkin@. These functions were implemented but never
used. While in vmd.h, fix the order to match current vmd(8) reality.
2021-09-01 11:08:21 +00:00
dv 321f3ee39b Mask viornd descriptor value to prevent out of bound reads.
viornd did not mask the descriptor value in the available ring
allowing guest values to read past the end of the descriptor table.

While here, change fatal to fatalx because errno is not set.

Reported by Ilja van Sprundel

ok mlarkin@
2021-08-29 18:01:32 +00:00
dv 1668094347 mask next descriptor value and fix chunk_size calculation
Guest can cause out of bounds read with a malformed descriptor. In same
loop, also fix a chunk size calculation.

Reported by Ilja van Sprundel.

ok mlarkin@
2021-08-29 12:17:38 +00:00
dv 802c227e3a check for null vioblk info
If {c,m}alloc fail, info could be NULL and result in NULL deref.

Reported by Ilja van Sprundel.

ok mlarkin@
2021-08-29 11:41:27 +00:00
dv 1daeb7baba correct device status write size
Reported by Ilja van Sprundel.

ok mlarkin@
2021-08-29 11:14:27 +00:00
dv 6571ecea4f remove old descriptor dump function
Used originally to aid dev. Unneeded.

ok mlarkin@
2021-08-29 11:09:05 +00:00
dv 2d54575624 vmd(8): remove invalid errno values from config_setvm
Refactor config_setvm to directly return error code on failure
instead of returning -1 and setting errno. It was setting unsupported
values not defined in <errno.h>.

OK mlarkin@
2021-07-18 11:55:45 +00:00
dv 39d683862c vmd(8): simplify vcpu logic, removing uart & vionet reads
Remove legacy state handling on the ns8250 and virtio network devices
originally put in place before using libevent for async device
events. The vcpu thread doesn't need to process device data as it is
handled by the libevent thread.

This has the benefit of simplifying some of the message passing
between threads introduced to the ns8250 uart since both the vcpu
and libevent threads were processing read events.

No functional change intended. Tested by many, including abieber@,
weerd@, Mischa Peters, and Matthias Schmidt. (Thanks.)

OK mlarkin@
2021-07-16 16:21:22 +00:00
dv 6c31e103a2 vmd(8): support variable length vionet rx descriptor chains
The original implementation of the virtio network device assumed a
driver would only provide a 2-descriptor chain for receiving packets.
The virtio spec allows for variable length chains and drivers, in
practice, construct them when they use a sufficiently large MTU.

This change lets the device use variable length chains provided by
the driver, thus allowing for drivers to set an MTU up to the
underlying host-side tap(4)'s limit of TUNMRU (16384).

Size limitations are now enforced on both tx and rx-side dropping
anything violating the underlying tap(4) min and max limits.

More work is needed to increase the read(2) buffer in use by vmd
to prevent packet truncation.

OK mlarkin@
2021-06-21 02:38:18 +00:00
dv a47d50ec87 vmd(8): handle VIRTIO_BLK_T_GET_ID, check descriptor r/w flags
Linux guests like to issue VIRTIO_BLK_T_GET_ID commands in attempts
to read the device serial number. It's not part of the virtio spec,
but has been part of QEMU and Bhyve for multiple years. It will be
landing in the next version of virtio (1.2), so this stubs out
handling for the request type. The added benefit is it helps squelch
log noise from Linux guests.

For now, no serial number is set and the request status is set to
VIRTIO_BLK_S_UNSUPP to tell the driver we don't support it.

While here, swap the response to VIRTIO_BLK_T_FLUSH{,_OUT} to be
also returning VIRTIO_BLK_S_UNSUPP. It's not negotiated nor
implemented. Lastly, add checks for validating the vioblk device
is only reading/writing descriptors with appropriate read/write-only
flags per the virtio spec.

With input from claudio@, OK mlarkin@
2021-06-17 22:03:33 +00:00
dv 6eb4c859e9 cleanup vmd(8) includes and header files
Lots of organic growth over the years led to unnecessary includes
(proc.h everywhere) and odd dependencies between header files. This
cleans things up a bit to help with upcoming cleanup around dhcp
code.

No functional change.

"go for it" mlarkin@
2021-06-16 16:55:02 +00:00
claudio 86bbdb7473 Filter out packets that are not IPv4. This code came from dhcp programs
where this filtering was done in bpf but here vmd needs to make sure to
not look at non IPv4 packets.
OK florian@ and dv@
2021-06-15 10:38:53 +00:00
dv 53f59f88a9 vmd(8): deduplicate vioblk command logic
No need for each case in the switch block to have the same logic
for updating the used ring and writing the state back to the guest.
Move it outside the switch. No functional change.

ok mlarkin@
2021-06-11 21:46:00 +00:00
dv 540e29f5c7 vmctl(8)/vmd(8): communicate TERMINATE_VM_EVENT imsgs on vm stop.
Instead of translating imsg types, update vmctl(8) to handle receiving
IMSG_VMDOP_TERMINATE_VM_EVENT messages on vm termination.

This finishes the work previously committed for supporting multiple
waiters or the cancellation of a client waiting on a vm shutdown.
vmd no longer needs to translate an IMSG_VMDOP_TERMINATE_VM_RESPONSE
into an *_EVENT.

ok mlarkin@
2021-06-10 19:50:05 +00:00
dv 067df31655 vmd(8): malicious dhcp packets on local ifs can cause stack overflows
A sufficiently large dhcp packet can cause a stack overflow in vmd's
internal dhcp server used for providing ip addresses to local guest
interfaces. (This does not affect non-local interfaces.)

The primary changes drop larger packets and change the memory copying
logic to use a compile-time constant. The dhcp option processing
also has additional prevention for out of bound reads.

While here, improve construction of the dhcp response's hostname
handling to guard against overflowing the response dhcp options.

Vulnerability reported by Maxime Villard.

ok claudio@
2021-06-08 14:37:48 +00:00
dv 6153f04ab7 vmd(8): allow locking a randomly assigned lladdr
Provide a default value of a zero'd mac address so a user can still
specify the interface should be "locked" (only transmitting ethernet
packets with a matching source address). vmd will assign a random
address at vm launch.

As an example, this is now valid:

  vm "name" {
    interface {
      locked lladdr
    }
    ...
  }

From Martin Vahlensieck
ok claudio@
2021-06-02 14:40:46 +00:00