diff options
author | gVisor bot <gvisor-bot@google.com> | 2021-03-03 18:43:27 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-03-03 18:43:27 +0000 |
commit | aae5455fe381c4cbc956f61c971284ee05c52dfc (patch) | |
tree | 2b1cb0233968680dcd0374f20ee826cf311bda95 /pkg/sentry/platform/kvm | |
parent | e2599d556573b05eb3714c1e791fa29431dc3d3f (diff) | |
parent | a9441aea2780da8c93da1c73da860219f98438de (diff) |
Merge release-20210301.0-5-ga9441aea2 (automated)
Diffstat (limited to 'pkg/sentry/platform/kvm')
-rw-r--r-- | pkg/sentry/platform/kvm/bluepill.go | 6 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/bluepill_amd64.go | 5 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go | 10 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/bluepill_arm64.go | 5 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go | 16 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/bluepill_fault.go | 12 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/bluepill_unsafe.go | 18 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/filters_amd64.go | 14 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/filters_arm64.go | 12 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/kvm.go | 10 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/kvm_amd64_unsafe.go | 15 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/kvm_arm64_unsafe.go | 5 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/machine.go | 18 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/machine_amd64.go | 32 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/machine_amd64_unsafe.go | 48 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/machine_arm64_unsafe.go | 32 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/machine_unsafe.go | 34 | ||||
-rw-r--r-- | pkg/sentry/platform/kvm/physical_map.go | 10 |
18 files changed, 149 insertions, 153 deletions
diff --git a/pkg/sentry/platform/kvm/bluepill.go b/pkg/sentry/platform/kvm/bluepill.go index 2c970162e..fd1131638 100644 --- a/pkg/sentry/platform/kvm/bluepill.go +++ b/pkg/sentry/platform/kvm/bluepill.go @@ -17,8 +17,8 @@ package kvm import ( "fmt" "reflect" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/safecopy" "gvisor.dev/gvisor/pkg/sentry/arch" @@ -41,7 +41,7 @@ var ( // // We use SIGCHLD because it is not masked by the runtime, and // it will be ignored properly by other parts of the kernel. - bounceSignal = syscall.SIGCHLD + bounceSignal = unix.SIGCHLD // bounceSignalMask has only bounceSignal set. bounceSignalMask = uint64(1 << (uint64(bounceSignal) - 1)) @@ -62,7 +62,7 @@ var ( // //go:nosplit func redpill() { - syscall.RawSyscall(^uintptr(0), 0, 0, 0) + unix.RawSyscall(^uintptr(0), 0, 0, 0) } // dieHandler is called by dieTrampoline. diff --git a/pkg/sentry/platform/kvm/bluepill_amd64.go b/pkg/sentry/platform/kvm/bluepill_amd64.go index 83a4766fb..f4b9a5321 100644 --- a/pkg/sentry/platform/kvm/bluepill_amd64.go +++ b/pkg/sentry/platform/kvm/bluepill_amd64.go @@ -17,15 +17,14 @@ package kvm import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/sentry/arch" ) var ( // The action for bluepillSignal is changed by sigaction(). - bluepillSignal = syscall.SIGSEGV + bluepillSignal = unix.SIGSEGV ) // bluepillArchEnter is called during bluepillEnter. diff --git a/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go b/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go index 0063e947b..198bafdea 100644 --- a/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go +++ b/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go @@ -17,9 +17,9 @@ package kvm import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/sentry/arch" ) @@ -68,8 +68,8 @@ func getHypercallID(addr uintptr) int { func bluepillStopGuest(c *vCPU) { // Interrupt: we must have requested an interrupt // window; set the interrupt line. - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_INTERRUPT, uintptr(unsafe.Pointer(&bounce))); errno != 0 { @@ -83,8 +83,8 @@ func bluepillStopGuest(c *vCPU) { // //go:nosplit func bluepillSigBus(c *vCPU) { - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_NMI, 0); errno != 0 { throw("NMI injection failed") diff --git a/pkg/sentry/platform/kvm/bluepill_arm64.go b/pkg/sentry/platform/kvm/bluepill_arm64.go index 6846abee9..e26b7da8d 100644 --- a/pkg/sentry/platform/kvm/bluepill_arm64.go +++ b/pkg/sentry/platform/kvm/bluepill_arm64.go @@ -17,15 +17,14 @@ package kvm import ( - "syscall" - + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/sentry/arch" ) var ( // The action for bluepillSignal is changed by sigaction(). - bluepillSignal = syscall.SIGILL + bluepillSignal = unix.SIGILL // vcpuSErrBounce is the event of system error for bouncing KVM. vcpuSErrBounce = kvmVcpuEvents{ diff --git a/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go b/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go index dbbf2a897..07fc4f216 100644 --- a/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go +++ b/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go @@ -17,9 +17,9 @@ package kvm import ( - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/sentry/arch" ) @@ -80,8 +80,8 @@ func getHypercallID(addr uintptr) int { // //go:nosplit func bluepillStopGuest(c *vCPU) { - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_VCPU_EVENTS, uintptr(unsafe.Pointer(&vcpuSErrBounce))); errno != 0 { @@ -94,12 +94,12 @@ func bluepillStopGuest(c *vCPU) { //go:nosplit func bluepillSigBus(c *vCPU) { // Host must support ARM64_HAS_RAS_EXTN. - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_VCPU_EVENTS, uintptr(unsafe.Pointer(&vcpuSErrNMI))); errno != 0 { - if errno == syscall.EINVAL { + if errno == unix.EINVAL { throw("No ARM64_HAS_RAS_EXTN feature in host.") } throw("nmi sErr injection failed") @@ -110,8 +110,8 @@ func bluepillSigBus(c *vCPU) { // //go:nosplit func bluepillExtDabt(c *vCPU) { - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_VCPU_EVENTS, uintptr(unsafe.Pointer(&vcpuExtDabt))); errno != 0 { diff --git a/pkg/sentry/platform/kvm/bluepill_fault.go b/pkg/sentry/platform/kvm/bluepill_fault.go index a182e4f22..37c53fa02 100644 --- a/pkg/sentry/platform/kvm/bluepill_fault.go +++ b/pkg/sentry/platform/kvm/bluepill_fault.go @@ -16,8 +16,8 @@ package kvm import ( "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/usermem" ) @@ -40,7 +40,7 @@ const ( // //go:nosplit func yield() { - syscall.RawSyscall(syscall.SYS_SCHED_YIELD, 0, 0, 0) + unix.RawSyscall(unix.SYS_SCHED_YIELD, 0, 0, 0) } // calculateBluepillFault calculates the fault address range. @@ -112,16 +112,16 @@ func handleBluepillFault(m *machine, physical uintptr, phyRegions []physicalRegi atomic.StoreUint32(&m.nextSlot, slot) switch errno { - case syscall.EEXIST: + case unix.EEXIST: // The region already exists. It's possible that we raced with // another vCPU here. We just revert nextSlot and return true, // because this must have been satisfied by some other vCPU. return virtualStart + (physical - physicalStart), true - case syscall.EINVAL: + case unix.EINVAL: throw("set memory region failed; out of slots") - case syscall.ENOMEM: + case unix.ENOMEM: throw("set memory region failed: out of memory") - case syscall.EFAULT: + case unix.EFAULT: throw("set memory region failed: invalid physical range") default: throw("set memory region failed: unknown reason") diff --git a/pkg/sentry/platform/kvm/bluepill_unsafe.go b/pkg/sentry/platform/kvm/bluepill_unsafe.go index 55da6dd95..6f87236ad 100644 --- a/pkg/sentry/platform/kvm/bluepill_unsafe.go +++ b/pkg/sentry/platform/kvm/bluepill_unsafe.go @@ -21,9 +21,9 @@ package kvm import ( "sync/atomic" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/sentry/arch" ) @@ -102,23 +102,23 @@ func bluepillHandler(context unsafe.Pointer) { } for { - _, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(c.fd), _KVM_RUN, 0) // escapes: no. + _, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(c.fd), _KVM_RUN, 0) // escapes: no. switch errno { case 0: // Expected case. - case syscall.EINTR: + case unix.EINTR: // First, we process whatever pending signal // interrupted KVM. Since we're in a signal handler // currently, all signals are masked and the signal // must have been delivered directly to this thread. - timeout := syscall.Timespec{} - sig, _, errno := syscall.RawSyscall6( // escapes: no. - syscall.SYS_RT_SIGTIMEDWAIT, + timeout := unix.Timespec{} + sig, _, errno := unix.RawSyscall6( // escapes: no. + unix.SYS_RT_SIGTIMEDWAIT, uintptr(unsafe.Pointer(&bounceSignalMask)), 0, // siginfo. uintptr(unsafe.Pointer(&timeout)), // timeout. 8, // sigset size. 0, 0) - if errno == syscall.EAGAIN { + if errno == unix.EAGAIN { continue } if errno != 0 { @@ -140,7 +140,7 @@ func bluepillHandler(context unsafe.Pointer) { c.runData.requestInterruptWindow = 1 continue // Rerun vCPU. } - case syscall.EFAULT: + case unix.EFAULT: // If a fault is not serviceable due to the host // backing pages having page permissions, instead of an // MMIO exit we receive EFAULT from the run ioctl. We @@ -148,7 +148,7 @@ func bluepillHandler(context unsafe.Pointer) { // mode and have interrupts disabled. bluepillSigBus(c) continue // Rerun vCPU. - case syscall.ENOSYS: + case unix.ENOSYS: bluepillHandleEnosys(c) continue default: diff --git a/pkg/sentry/platform/kvm/filters_amd64.go b/pkg/sentry/platform/kvm/filters_amd64.go index d3d216aa5..a78be3403 100644 --- a/pkg/sentry/platform/kvm/filters_amd64.go +++ b/pkg/sentry/platform/kvm/filters_amd64.go @@ -15,8 +15,6 @@ package kvm import ( - "syscall" - "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -26,17 +24,17 @@ import ( // SyscallFilters returns syscalls made exclusively by the KVM platform. func (*KVM) SyscallFilters() seccomp.SyscallRules { return seccomp.SyscallRules{ - syscall.SYS_ARCH_PRCTL: {}, - syscall.SYS_IOCTL: {}, + unix.SYS_ARCH_PRCTL: {}, + unix.SYS_IOCTL: {}, unix.SYS_MEMBARRIER: []seccomp.Rule{ { seccomp.EqualTo(linux.MEMBARRIER_CMD_PRIVATE_EXPEDITED), seccomp.EqualTo(0), }, }, - syscall.SYS_MMAP: {}, - syscall.SYS_RT_SIGSUSPEND: {}, - syscall.SYS_RT_SIGTIMEDWAIT: {}, - 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host. + unix.SYS_MMAP: {}, + unix.SYS_RT_SIGSUSPEND: {}, + unix.SYS_RT_SIGTIMEDWAIT: {}, + 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host. } } diff --git a/pkg/sentry/platform/kvm/filters_arm64.go b/pkg/sentry/platform/kvm/filters_arm64.go index 21abc2a3d..4e5b91048 100644 --- a/pkg/sentry/platform/kvm/filters_arm64.go +++ b/pkg/sentry/platform/kvm/filters_arm64.go @@ -15,8 +15,6 @@ package kvm import ( - "syscall" - "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" @@ -26,16 +24,16 @@ import ( // SyscallFilters returns syscalls made exclusively by the KVM platform. func (*KVM) SyscallFilters() seccomp.SyscallRules { return seccomp.SyscallRules{ - syscall.SYS_IOCTL: {}, + unix.SYS_IOCTL: {}, unix.SYS_MEMBARRIER: []seccomp.Rule{ { seccomp.EqualTo(linux.MEMBARRIER_CMD_PRIVATE_EXPEDITED), seccomp.EqualTo(0), }, }, - syscall.SYS_MMAP: {}, - syscall.SYS_RT_SIGSUSPEND: {}, - syscall.SYS_RT_SIGTIMEDWAIT: {}, - 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host. + unix.SYS_MMAP: {}, + unix.SYS_RT_SIGSUSPEND: {}, + unix.SYS_RT_SIGTIMEDWAIT: {}, + 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host. } } diff --git a/pkg/sentry/platform/kvm/kvm.go b/pkg/sentry/platform/kvm/kvm.go index 7bdf57436..92c05a9ad 100644 --- a/pkg/sentry/platform/kvm/kvm.go +++ b/pkg/sentry/platform/kvm/kvm.go @@ -18,8 +18,8 @@ package kvm import ( "fmt" "os" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/ring0/pagetables" "gvisor.dev/gvisor/pkg/sentry/platform" @@ -77,7 +77,7 @@ var ( // OpenDevice opens the KVM device at /dev/kvm and returns the File. func OpenDevice() (*os.File, error) { - f, err := os.OpenFile("/dev/kvm", syscall.O_RDWR, 0) + f, err := os.OpenFile("/dev/kvm", unix.O_RDWR, 0) if err != nil { return nil, fmt.Errorf("error opening /dev/kvm: %v", err) } @@ -99,11 +99,11 @@ func New(deviceFile *os.File) (*KVM, error) { // Create a new VM fd. var ( vm uintptr - errno syscall.Errno + errno unix.Errno ) for { - vm, _, errno = syscall.Syscall(syscall.SYS_IOCTL, fd, _KVM_CREATE_VM, 0) - if errno == syscall.EINTR { + vm, _, errno = unix.Syscall(unix.SYS_IOCTL, fd, _KVM_CREATE_VM, 0) + if errno == unix.EINTR { continue } if errno != 0 { diff --git a/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go b/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go index 46c4b9113..0c43d72f4 100644 --- a/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go +++ b/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go @@ -18,8 +18,9 @@ package kvm import ( "fmt" - "syscall" "unsafe" + + "golang.org/x/sys/unix" ) var ( @@ -30,7 +31,7 @@ var ( func updateSystemValues(fd int) error { // Extract the mmap size. - sz, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0) + sz, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0) if errno != 0 { return fmt.Errorf("getting VCPU mmap size: %v", errno) } @@ -39,19 +40,19 @@ func updateSystemValues(fd int) error { runDataSize = int(sz) // Must do the dance to figure out the number of entries. - _, _, errno = syscall.RawSyscall( - syscall.SYS_IOCTL, + _, _, errno = unix.RawSyscall( + unix.SYS_IOCTL, uintptr(fd), _KVM_GET_SUPPORTED_CPUID, uintptr(unsafe.Pointer(&cpuidSupported))) - if errno != 0 && errno != syscall.ENOMEM { + if errno != 0 && errno != unix.ENOMEM { // Some other error occurred. return fmt.Errorf("getting supported CPUID: %v", errno) } // The number should now be correct. - _, _, errno = syscall.RawSyscall( - syscall.SYS_IOCTL, + _, _, errno = unix.RawSyscall( + unix.SYS_IOCTL, uintptr(fd), _KVM_GET_SUPPORTED_CPUID, uintptr(unsafe.Pointer(&cpuidSupported))) diff --git a/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go b/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go index 48ccf8474..f07a9f34d 100644 --- a/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go +++ b/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go @@ -18,7 +18,8 @@ package kvm import ( "fmt" - "syscall" + + "golang.org/x/sys/unix" ) var ( @@ -28,7 +29,7 @@ var ( func updateSystemValues(fd int) error { // Extract the mmap size. - sz, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0) + sz, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0) if errno != 0 { return fmt.Errorf("getting VCPU mmap size: %v", errno) } diff --git a/pkg/sentry/platform/kvm/machine.go b/pkg/sentry/platform/kvm/machine.go index 1ece1b8d8..0e4cf01e1 100644 --- a/pkg/sentry/platform/kvm/machine.go +++ b/pkg/sentry/platform/kvm/machine.go @@ -18,8 +18,8 @@ import ( "fmt" "runtime" "sync/atomic" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/atomicbitops" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/procid" @@ -153,7 +153,7 @@ type dieState struct { func (m *machine) newVCPU() *vCPU { // Create the vCPU. id := int(atomic.AddUint32(&m.nextID, 1) - 1) - fd, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(m.fd), _KVM_CREATE_VCPU, uintptr(id)) + fd, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), _KVM_CREATE_VCPU, uintptr(id)) if errno != 0 { panic(fmt.Sprintf("error creating new vCPU: %v", errno)) } @@ -193,7 +193,7 @@ func newMachine(vm int) (*machine, error) { m.available.L = &m.mu // Pull the maximum vCPUs. - maxVCPUs, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_VCPUS) + maxVCPUs, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_VCPUS) if errno != 0 { m.maxVCPUs = _KVM_NR_VCPUS } else { @@ -205,7 +205,7 @@ func newMachine(vm int) (*machine, error) { m.kernel.Init(m.maxVCPUs) // Pull the maximum slots. - maxSlots, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_MEMSLOTS) + maxSlots, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_MEMSLOTS) if errno != 0 { m.maxSlots = _KVM_NR_MEMSLOTS } else { @@ -357,13 +357,13 @@ func (m *machine) Destroy() { panic(fmt.Sprintf("error unmapping rundata: %v", err)) } } - if err := syscall.Close(int(c.fd)); err != nil { + if err := unix.Close(int(c.fd)); err != nil { panic(fmt.Sprintf("error closing vCPU fd: %v", err)) } } // vCPUs are gone: teardown machine state. - if err := syscall.Close(m.fd); err != nil { + if err := unix.Close(m.fd); err != nil { panic(fmt.Sprintf("error closing VM fd: %v", err)) } } @@ -546,7 +546,7 @@ func (c *vCPU) NotifyInterrupt() { } // pid is used below in bounce. -var pid = syscall.Getpid() +var pid = unix.Getpid() // bounce forces a return to the kernel or to host mode. // @@ -588,9 +588,9 @@ func (c *vCPU) bounce(forceGuestExit bool) { // under memory pressure. Since we already // marked ourselves as a waiter, we need to // ensure that a signal is actually delivered. - if err := syscall.Tgkill(pid, int(atomic.LoadUint64(&c.tid)), bounceSignal); err == nil { + if err := unix.Tgkill(pid, int(atomic.LoadUint64(&c.tid)), bounceSignal); err == nil { break - } else if err.(syscall.Errno) == syscall.EAGAIN { + } else if err.(unix.Errno) == unix.EAGAIN { continue } else { // Nothing else should be returned by tgkill. diff --git a/pkg/sentry/platform/kvm/machine_amd64.go b/pkg/sentry/platform/kvm/machine_amd64.go index 59c752d73..6e583baa3 100644 --- a/pkg/sentry/platform/kvm/machine_amd64.go +++ b/pkg/sentry/platform/kvm/machine_amd64.go @@ -21,8 +21,8 @@ import ( "math/big" "reflect" "runtime/debug" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/cpuid" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/ring0/pagetables" @@ -36,8 +36,8 @@ import ( func (m *machine) initArchState() error { // Set the legacy TSS address. This address is covered by the reserved // range (up to 4GB). In fact, this is a main reason it exists. - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(m.fd), _KVM_SET_TSS_ADDR, uintptr(reservedMemory-(3*usermem.PageSize))); errno != 0 { @@ -297,13 +297,13 @@ func (c *vCPU) fault(signal int32, info *arch.SignalInfo) (usermem.AccessType, e func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) (usermem.AccessType, error) { // Check for canonical addresses. if regs := switchOpts.Registers; !ring0.IsCanonical(regs.Rip) { - return nonCanonical(regs.Rip, int32(syscall.SIGSEGV), info) + return nonCanonical(regs.Rip, int32(unix.SIGSEGV), info) } else if !ring0.IsCanonical(regs.Rsp) { - return nonCanonical(regs.Rsp, int32(syscall.SIGBUS), info) + return nonCanonical(regs.Rsp, int32(unix.SIGBUS), info) } else if !ring0.IsCanonical(regs.Fs_base) { - return nonCanonical(regs.Fs_base, int32(syscall.SIGBUS), info) + return nonCanonical(regs.Fs_base, int32(unix.SIGBUS), info) } else if !ring0.IsCanonical(regs.Gs_base) { - return nonCanonical(regs.Gs_base, int32(syscall.SIGBUS), info) + return nonCanonical(regs.Gs_base, int32(unix.SIGBUS), info) } // Assign PCIDs. @@ -332,11 +332,11 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) return usermem.NoAccess, nil case ring0.PageFault: - return c.fault(int32(syscall.SIGSEGV), info) + return c.fault(int32(unix.SIGSEGV), info) case ring0.Debug, ring0.Breakpoint: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGTRAP), + Signo: int32(unix.SIGTRAP), Code: 1, // TRAP_BRKPT (breakpoint). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -348,7 +348,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) ring0.InvalidTSS, ring0.StackSegmentFault: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGSEGV), + Signo: int32(unix.SIGSEGV), Code: arch.SignalInfoKernel, } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -362,7 +362,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.InvalidOpcode: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGILL), + Signo: int32(unix.SIGILL), Code: 1, // ILL_ILLOPC (illegal opcode). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -370,7 +370,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.DivideByZero: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGFPE), + Signo: int32(unix.SIGFPE), Code: 1, // FPE_INTDIV (divide by zero). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -378,7 +378,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.Overflow: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGFPE), + Signo: int32(unix.SIGFPE), Code: 2, // FPE_INTOVF (integer overflow). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -387,7 +387,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.X87FloatingPointException, ring0.SIMDFloatingPointException: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGFPE), + Signo: int32(unix.SIGFPE), Code: 7, // FPE_FLTINV (invalid operation). } info.SetAddr(switchOpts.Registers.Rip) // Include address. @@ -398,7 +398,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) case ring0.AlignmentCheck: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGBUS), + Signo: int32(unix.SIGBUS), Code: 2, // BUS_ADRERR (physical address does not exist). } return usermem.NoAccess, platform.ErrContextSignal @@ -409,7 +409,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) // really not. This could happen, e.g. if some file is // truncated (and would generate a SIGBUS) and we map it // directly into the instance. - return c.fault(int32(syscall.SIGBUS), info) + return c.fault(int32(unix.SIGBUS), info) case ring0.DeviceNotAvailable, ring0.DoubleFault, diff --git a/pkg/sentry/platform/kvm/machine_amd64_unsafe.go b/pkg/sentry/platform/kvm/machine_amd64_unsafe.go index b430f92c6..83bcc7406 100644 --- a/pkg/sentry/platform/kvm/machine_amd64_unsafe.go +++ b/pkg/sentry/platform/kvm/machine_amd64_unsafe.go @@ -19,9 +19,9 @@ package kvm import ( "fmt" "sync/atomic" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) @@ -31,15 +31,15 @@ import ( // //go:nosplit func (c *vCPU) loadSegments(tid uint64) { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_ARCH_PRCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_ARCH_PRCTL, linux.ARCH_GET_FS, uintptr(unsafe.Pointer(&c.CPU.Registers().Fs_base)), 0); errno != 0 { throw("getting FS segment") } - if _, _, errno := syscall.RawSyscall( - syscall.SYS_ARCH_PRCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_ARCH_PRCTL, linux.ARCH_GET_GS, uintptr(unsafe.Pointer(&c.CPU.Registers().Gs_base)), 0); errno != 0 { @@ -50,8 +50,8 @@ func (c *vCPU) loadSegments(tid uint64) { // setCPUID sets the CPUID to be used by the guest. func (c *vCPU) setCPUID() error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_CPUID2, uintptr(unsafe.Pointer(&cpuidSupported))); errno != 0 { @@ -64,8 +64,8 @@ func (c *vCPU) setCPUID() error { // // If mustSucceed is true, then this function panics on error. func (c *vCPU) getTSCFreq() (uintptr, error) { - rawFreq, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + rawFreq, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_GET_TSC_KHZ, 0 /* ignored */) @@ -77,8 +77,8 @@ func (c *vCPU) getTSCFreq() (uintptr, error) { // setTSCFreq sets the TSC frequency. func (c *vCPU) setTSCFreq(freq uintptr) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_TSC_KHZ, freq /* khz */); errno != 0 { @@ -95,8 +95,8 @@ func (c *vCPU) setTSC(value uint64) error { } registers.entries[0].index = _MSR_IA32_TSC registers.entries[0].data = value - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_MSRS, uintptr(unsafe.Pointer(®isters))); errno != 0 { @@ -108,9 +108,9 @@ func (c *vCPU) setTSC(value uint64) error { // setUserRegisters sets user registers in the vCPU. // //go:nosplit -func (c *vCPU) setUserRegisters(uregs *userRegs) syscall.Errno { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, +func (c *vCPU) setUserRegisters(uregs *userRegs) unix.Errno { + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_REGS, uintptr(unsafe.Pointer(uregs))); errno != 0 { @@ -124,9 +124,9 @@ func (c *vCPU) setUserRegisters(uregs *userRegs) syscall.Errno { // This is safe to call from a nosplit context. // //go:nosplit -func (c *vCPU) getUserRegisters(uregs *userRegs) syscall.Errno { - if _, _, errno := syscall.RawSyscall( // escapes: no. - syscall.SYS_IOCTL, +func (c *vCPU) getUserRegisters(uregs *userRegs) unix.Errno { + if _, _, errno := unix.RawSyscall( // escapes: no. + unix.SYS_IOCTL, uintptr(c.fd), _KVM_GET_REGS, uintptr(unsafe.Pointer(uregs))); errno != 0 { @@ -137,8 +137,8 @@ func (c *vCPU) getUserRegisters(uregs *userRegs) syscall.Errno { // setSystemRegisters sets system registers. func (c *vCPU) setSystemRegisters(sregs *systemRegs) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_SREGS, uintptr(unsafe.Pointer(sregs))); errno != 0 { @@ -150,9 +150,9 @@ func (c *vCPU) setSystemRegisters(sregs *systemRegs) error { // getSystemRegisters sets system registers. // //go:nosplit -func (c *vCPU) getSystemRegisters(sregs *systemRegs) syscall.Errno { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, +func (c *vCPU) getSystemRegisters(sregs *systemRegs) unix.Errno { + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_GET_SREGS, uintptr(unsafe.Pointer(sregs))); errno != 0 { diff --git a/pkg/sentry/platform/kvm/machine_arm64_unsafe.go b/pkg/sentry/platform/kvm/machine_arm64_unsafe.go index 78cbd9701..059aa43d0 100644 --- a/pkg/sentry/platform/kvm/machine_arm64_unsafe.go +++ b/pkg/sentry/platform/kvm/machine_arm64_unsafe.go @@ -20,9 +20,9 @@ import ( "fmt" "reflect" "sync/atomic" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/ring0/pagetables" "gvisor.dev/gvisor/pkg/sentry/arch" @@ -39,8 +39,8 @@ var vcpuInit kvmVcpuInit // initArchState initializes architecture-specific state. func (m *machine) initArchState() error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(m.fd), _KVM_ARM_PREFERRED_TARGET, uintptr(unsafe.Pointer(&vcpuInit))); errno != 0 { @@ -62,8 +62,8 @@ func (c *vCPU) initArchState() error { regGet.addr = uint64(reflect.ValueOf(&dataGet).Pointer()) vcpuInit.features[0] |= (1 << _KVM_ARM_VCPU_PSCI_0_2) - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_ARM_VCPU_INIT, uintptr(unsafe.Pointer(&vcpuInit))); errno != 0 { @@ -186,8 +186,8 @@ func (c *vCPU) loadSegments(tid uint64) { } func (c *vCPU) setOneRegister(reg *kvmOneReg) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_ONE_REG, uintptr(unsafe.Pointer(reg))); errno != 0 { @@ -197,8 +197,8 @@ func (c *vCPU) setOneRegister(reg *kvmOneReg) error { } func (c *vCPU) getOneRegister(reg *kvmOneReg) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_GET_ONE_REG, uintptr(unsafe.Pointer(reg))); errno != 0 { @@ -211,9 +211,9 @@ func (c *vCPU) getOneRegister(reg *kvmOneReg) error { func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) (usermem.AccessType, error) { // Check for canonical addresses. if regs := switchOpts.Registers; !ring0.IsCanonical(regs.Pc) { - return nonCanonical(regs.Pc, int32(syscall.SIGSEGV), info) + return nonCanonical(regs.Pc, int32(unix.SIGSEGV), info) } else if !ring0.IsCanonical(regs.Sp) { - return nonCanonical(regs.Sp, int32(syscall.SIGSEGV), info) + return nonCanonical(regs.Sp, int32(unix.SIGSEGV), info) } // Assign PCIDs. @@ -247,23 +247,23 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) // Fast path: system call executed. return usermem.NoAccess, nil case ring0.PageFault: - return c.fault(int32(syscall.SIGSEGV), info) + return c.fault(int32(unix.SIGSEGV), info) case ring0.El0ErrNMI: - return c.fault(int32(syscall.SIGBUS), info) + return c.fault(int32(unix.SIGBUS), info) case ring0.Vector(bounce): // ring0.VirtualizationException. return usermem.NoAccess, platform.ErrContextInterrupt case ring0.El0SyncUndef: - return c.fault(int32(syscall.SIGILL), info) + return c.fault(int32(unix.SIGILL), info) case ring0.El0SyncDbg: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGTRAP), + Signo: int32(unix.SIGTRAP), Code: 1, // TRAP_BRKPT (breakpoint). } info.SetAddr(switchOpts.Registers.Pc) // Include address. return usermem.AccessType{}, platform.ErrContextSignal case ring0.El0SyncSpPc: *info = arch.SignalInfo{ - Signo: int32(syscall.SIGBUS), + Signo: int32(unix.SIGBUS), Code: 2, // BUS_ADRERR (physical address does not exist). } return usermem.NoAccess, platform.ErrContextSignal diff --git a/pkg/sentry/platform/kvm/machine_unsafe.go b/pkg/sentry/platform/kvm/machine_unsafe.go index c322551d2..49e1c7136 100644 --- a/pkg/sentry/platform/kvm/machine_unsafe.go +++ b/pkg/sentry/platform/kvm/machine_unsafe.go @@ -23,9 +23,9 @@ import ( "fmt" "math" "sync/atomic" - "syscall" "unsafe" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/abi/linux" ) @@ -41,7 +41,7 @@ func exitsyscall() // directly (instead of wrapping in an error) to avoid allocations. // //go:nosplit -func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, flags uint32) syscall.Errno { +func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, flags uint32) unix.Errno { userRegion := userMemoryRegion{ slot: uint32(slot), flags: uint32(flags), @@ -51,8 +51,8 @@ func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, f } // Set the region. - _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(m.fd), _KVM_SET_USER_MEMORY_REGION, uintptr(unsafe.Pointer(&userRegion))) @@ -61,12 +61,12 @@ func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, f // mapRunData maps the vCPU run data. func mapRunData(fd int) (*runData, error) { - r, _, errno := syscall.RawSyscall6( - syscall.SYS_MMAP, + r, _, errno := unix.RawSyscall6( + unix.SYS_MMAP, 0, uintptr(runDataSize), - syscall.PROT_READ|syscall.PROT_WRITE, - syscall.MAP_SHARED, + unix.PROT_READ|unix.PROT_WRITE, + unix.MAP_SHARED, uintptr(fd), 0) if errno != 0 { @@ -77,8 +77,8 @@ func mapRunData(fd int) (*runData, error) { // unmapRunData unmaps the vCPU run data. func unmapRunData(r *runData) error { - if _, _, errno := syscall.RawSyscall( - syscall.SYS_MUNMAP, + if _, _, errno := unix.RawSyscall( + unix.SYS_MUNMAP, uintptr(unsafe.Pointer(r)), uintptr(runDataSize), 0); errno != 0 { @@ -115,8 +115,8 @@ func (a *atomicAddressSpace) get() *addressSpace { // //go:nosplit func (c *vCPU) notify() { - _, _, errno := syscall.RawSyscall6( // escapes: no. - syscall.SYS_FUTEX, + _, _, errno := unix.RawSyscall6( // escapes: no. + unix.SYS_FUTEX, uintptr(unsafe.Pointer(&c.state)), linux.FUTEX_WAKE|linux.FUTEX_PRIVATE_FLAG, math.MaxInt32, // Number of waiters. @@ -133,13 +133,13 @@ func (c *vCPU) notify() { // // This panics on error. func (c *vCPU) waitUntilNot(state uint32) { - _, _, errno := syscall.Syscall6( - syscall.SYS_FUTEX, + _, _, errno := unix.Syscall6( + unix.SYS_FUTEX, uintptr(unsafe.Pointer(&c.state)), linux.FUTEX_WAIT|linux.FUTEX_PRIVATE_FLAG, uintptr(state), 0, 0, 0) - if errno != 0 && errno != syscall.EINTR && errno != syscall.EAGAIN { + if errno != 0 && errno != unix.EINTR && errno != unix.EAGAIN { panic("futex wait error") } } @@ -159,8 +159,8 @@ func (c *vCPU) setSignalMask() error { data.length = 8 // Fixed sigset size. data.mask1 = ^uint32(bounceSignalMask & 0xffffffff) data.mask2 = ^uint32(bounceSignalMask >> 32) - if _, _, errno := syscall.RawSyscall( - syscall.SYS_IOCTL, + if _, _, errno := unix.RawSyscall( + unix.SYS_IOCTL, uintptr(c.fd), _KVM_SET_SIGNAL_MASK, uintptr(unsafe.Pointer(&data))); errno != 0 { diff --git a/pkg/sentry/platform/kvm/physical_map.go b/pkg/sentry/platform/kvm/physical_map.go index 8bdec93ae..7376d8b8d 100644 --- a/pkg/sentry/platform/kvm/physical_map.go +++ b/pkg/sentry/platform/kvm/physical_map.go @@ -17,8 +17,8 @@ package kvm import ( "fmt" "sort" - "syscall" + "golang.org/x/sys/unix" "gvisor.dev/gvisor/pkg/log" "gvisor.dev/gvisor/pkg/ring0" "gvisor.dev/gvisor/pkg/usermem" @@ -90,12 +90,12 @@ func fillAddressSpace() (excludedRegions []region) { required := uintptr(requiredAddr) current := required // Attempted mmap size. for filled := uintptr(0); filled < required && current > 0; { - addr, _, errno := syscall.RawSyscall6( - syscall.SYS_MMAP, + addr, _, errno := unix.RawSyscall6( + unix.SYS_MMAP, 0, // Suggested address. current, - syscall.PROT_NONE, - syscall.MAP_ANONYMOUS|syscall.MAP_PRIVATE|syscall.MAP_NORESERVE, + unix.PROT_NONE, + unix.MAP_ANONYMOUS|unix.MAP_PRIVATE|unix.MAP_NORESERVE, 0, 0) if errno != 0 { // Attempt half the size; overflow not possible. |