summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/platform/kvm
diff options
context:
space:
mode:
authorgVisor bot <gvisor-bot@google.com>2021-03-03 18:43:27 +0000
committergVisor bot <gvisor-bot@google.com>2021-03-03 18:43:27 +0000
commitaae5455fe381c4cbc956f61c971284ee05c52dfc (patch)
tree2b1cb0233968680dcd0374f20ee826cf311bda95 /pkg/sentry/platform/kvm
parente2599d556573b05eb3714c1e791fa29431dc3d3f (diff)
parenta9441aea2780da8c93da1c73da860219f98438de (diff)
Merge release-20210301.0-5-ga9441aea2 (automated)
Diffstat (limited to 'pkg/sentry/platform/kvm')
-rw-r--r--pkg/sentry/platform/kvm/bluepill.go6
-rw-r--r--pkg/sentry/platform/kvm/bluepill_amd64.go5
-rw-r--r--pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go10
-rw-r--r--pkg/sentry/platform/kvm/bluepill_arm64.go5
-rw-r--r--pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go16
-rw-r--r--pkg/sentry/platform/kvm/bluepill_fault.go12
-rw-r--r--pkg/sentry/platform/kvm/bluepill_unsafe.go18
-rw-r--r--pkg/sentry/platform/kvm/filters_amd64.go14
-rw-r--r--pkg/sentry/platform/kvm/filters_arm64.go12
-rw-r--r--pkg/sentry/platform/kvm/kvm.go10
-rw-r--r--pkg/sentry/platform/kvm/kvm_amd64_unsafe.go15
-rw-r--r--pkg/sentry/platform/kvm/kvm_arm64_unsafe.go5
-rw-r--r--pkg/sentry/platform/kvm/machine.go18
-rw-r--r--pkg/sentry/platform/kvm/machine_amd64.go32
-rw-r--r--pkg/sentry/platform/kvm/machine_amd64_unsafe.go48
-rw-r--r--pkg/sentry/platform/kvm/machine_arm64_unsafe.go32
-rw-r--r--pkg/sentry/platform/kvm/machine_unsafe.go34
-rw-r--r--pkg/sentry/platform/kvm/physical_map.go10
18 files changed, 149 insertions, 153 deletions
diff --git a/pkg/sentry/platform/kvm/bluepill.go b/pkg/sentry/platform/kvm/bluepill.go
index 2c970162e..fd1131638 100644
--- a/pkg/sentry/platform/kvm/bluepill.go
+++ b/pkg/sentry/platform/kvm/bluepill.go
@@ -17,8 +17,8 @@ package kvm
import (
"fmt"
"reflect"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/ring0"
"gvisor.dev/gvisor/pkg/safecopy"
"gvisor.dev/gvisor/pkg/sentry/arch"
@@ -41,7 +41,7 @@ var (
//
// We use SIGCHLD because it is not masked by the runtime, and
// it will be ignored properly by other parts of the kernel.
- bounceSignal = syscall.SIGCHLD
+ bounceSignal = unix.SIGCHLD
// bounceSignalMask has only bounceSignal set.
bounceSignalMask = uint64(1 << (uint64(bounceSignal) - 1))
@@ -62,7 +62,7 @@ var (
//
//go:nosplit
func redpill() {
- syscall.RawSyscall(^uintptr(0), 0, 0, 0)
+ unix.RawSyscall(^uintptr(0), 0, 0, 0)
}
// dieHandler is called by dieTrampoline.
diff --git a/pkg/sentry/platform/kvm/bluepill_amd64.go b/pkg/sentry/platform/kvm/bluepill_amd64.go
index 83a4766fb..f4b9a5321 100644
--- a/pkg/sentry/platform/kvm/bluepill_amd64.go
+++ b/pkg/sentry/platform/kvm/bluepill_amd64.go
@@ -17,15 +17,14 @@
package kvm
import (
- "syscall"
-
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/ring0"
"gvisor.dev/gvisor/pkg/sentry/arch"
)
var (
// The action for bluepillSignal is changed by sigaction().
- bluepillSignal = syscall.SIGSEGV
+ bluepillSignal = unix.SIGSEGV
)
// bluepillArchEnter is called during bluepillEnter.
diff --git a/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go b/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go
index 0063e947b..198bafdea 100644
--- a/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go
+++ b/pkg/sentry/platform/kvm/bluepill_amd64_unsafe.go
@@ -17,9 +17,9 @@
package kvm
import (
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/ring0"
"gvisor.dev/gvisor/pkg/sentry/arch"
)
@@ -68,8 +68,8 @@ func getHypercallID(addr uintptr) int {
func bluepillStopGuest(c *vCPU) {
// Interrupt: we must have requested an interrupt
// window; set the interrupt line.
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_INTERRUPT,
uintptr(unsafe.Pointer(&bounce))); errno != 0 {
@@ -83,8 +83,8 @@ func bluepillStopGuest(c *vCPU) {
//
//go:nosplit
func bluepillSigBus(c *vCPU) {
- if _, _, errno := syscall.RawSyscall( // escapes: no.
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall( // escapes: no.
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_NMI, 0); errno != 0 {
throw("NMI injection failed")
diff --git a/pkg/sentry/platform/kvm/bluepill_arm64.go b/pkg/sentry/platform/kvm/bluepill_arm64.go
index 6846abee9..e26b7da8d 100644
--- a/pkg/sentry/platform/kvm/bluepill_arm64.go
+++ b/pkg/sentry/platform/kvm/bluepill_arm64.go
@@ -17,15 +17,14 @@
package kvm
import (
- "syscall"
-
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/ring0"
"gvisor.dev/gvisor/pkg/sentry/arch"
)
var (
// The action for bluepillSignal is changed by sigaction().
- bluepillSignal = syscall.SIGILL
+ bluepillSignal = unix.SIGILL
// vcpuSErrBounce is the event of system error for bouncing KVM.
vcpuSErrBounce = kvmVcpuEvents{
diff --git a/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go b/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go
index dbbf2a897..07fc4f216 100644
--- a/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go
+++ b/pkg/sentry/platform/kvm/bluepill_arm64_unsafe.go
@@ -17,9 +17,9 @@
package kvm
import (
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/ring0"
"gvisor.dev/gvisor/pkg/sentry/arch"
)
@@ -80,8 +80,8 @@ func getHypercallID(addr uintptr) int {
//
//go:nosplit
func bluepillStopGuest(c *vCPU) {
- if _, _, errno := syscall.RawSyscall( // escapes: no.
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall( // escapes: no.
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_VCPU_EVENTS,
uintptr(unsafe.Pointer(&vcpuSErrBounce))); errno != 0 {
@@ -94,12 +94,12 @@ func bluepillStopGuest(c *vCPU) {
//go:nosplit
func bluepillSigBus(c *vCPU) {
// Host must support ARM64_HAS_RAS_EXTN.
- if _, _, errno := syscall.RawSyscall( // escapes: no.
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall( // escapes: no.
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_VCPU_EVENTS,
uintptr(unsafe.Pointer(&vcpuSErrNMI))); errno != 0 {
- if errno == syscall.EINVAL {
+ if errno == unix.EINVAL {
throw("No ARM64_HAS_RAS_EXTN feature in host.")
}
throw("nmi sErr injection failed")
@@ -110,8 +110,8 @@ func bluepillSigBus(c *vCPU) {
//
//go:nosplit
func bluepillExtDabt(c *vCPU) {
- if _, _, errno := syscall.RawSyscall( // escapes: no.
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall( // escapes: no.
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_VCPU_EVENTS,
uintptr(unsafe.Pointer(&vcpuExtDabt))); errno != 0 {
diff --git a/pkg/sentry/platform/kvm/bluepill_fault.go b/pkg/sentry/platform/kvm/bluepill_fault.go
index a182e4f22..37c53fa02 100644
--- a/pkg/sentry/platform/kvm/bluepill_fault.go
+++ b/pkg/sentry/platform/kvm/bluepill_fault.go
@@ -16,8 +16,8 @@ package kvm
import (
"sync/atomic"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/usermem"
)
@@ -40,7 +40,7 @@ const (
//
//go:nosplit
func yield() {
- syscall.RawSyscall(syscall.SYS_SCHED_YIELD, 0, 0, 0)
+ unix.RawSyscall(unix.SYS_SCHED_YIELD, 0, 0, 0)
}
// calculateBluepillFault calculates the fault address range.
@@ -112,16 +112,16 @@ func handleBluepillFault(m *machine, physical uintptr, phyRegions []physicalRegi
atomic.StoreUint32(&m.nextSlot, slot)
switch errno {
- case syscall.EEXIST:
+ case unix.EEXIST:
// The region already exists. It's possible that we raced with
// another vCPU here. We just revert nextSlot and return true,
// because this must have been satisfied by some other vCPU.
return virtualStart + (physical - physicalStart), true
- case syscall.EINVAL:
+ case unix.EINVAL:
throw("set memory region failed; out of slots")
- case syscall.ENOMEM:
+ case unix.ENOMEM:
throw("set memory region failed: out of memory")
- case syscall.EFAULT:
+ case unix.EFAULT:
throw("set memory region failed: invalid physical range")
default:
throw("set memory region failed: unknown reason")
diff --git a/pkg/sentry/platform/kvm/bluepill_unsafe.go b/pkg/sentry/platform/kvm/bluepill_unsafe.go
index 55da6dd95..6f87236ad 100644
--- a/pkg/sentry/platform/kvm/bluepill_unsafe.go
+++ b/pkg/sentry/platform/kvm/bluepill_unsafe.go
@@ -21,9 +21,9 @@ package kvm
import (
"sync/atomic"
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/sentry/arch"
)
@@ -102,23 +102,23 @@ func bluepillHandler(context unsafe.Pointer) {
}
for {
- _, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(c.fd), _KVM_RUN, 0) // escapes: no.
+ _, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(c.fd), _KVM_RUN, 0) // escapes: no.
switch errno {
case 0: // Expected case.
- case syscall.EINTR:
+ case unix.EINTR:
// First, we process whatever pending signal
// interrupted KVM. Since we're in a signal handler
// currently, all signals are masked and the signal
// must have been delivered directly to this thread.
- timeout := syscall.Timespec{}
- sig, _, errno := syscall.RawSyscall6( // escapes: no.
- syscall.SYS_RT_SIGTIMEDWAIT,
+ timeout := unix.Timespec{}
+ sig, _, errno := unix.RawSyscall6( // escapes: no.
+ unix.SYS_RT_SIGTIMEDWAIT,
uintptr(unsafe.Pointer(&bounceSignalMask)),
0, // siginfo.
uintptr(unsafe.Pointer(&timeout)), // timeout.
8, // sigset size.
0, 0)
- if errno == syscall.EAGAIN {
+ if errno == unix.EAGAIN {
continue
}
if errno != 0 {
@@ -140,7 +140,7 @@ func bluepillHandler(context unsafe.Pointer) {
c.runData.requestInterruptWindow = 1
continue // Rerun vCPU.
}
- case syscall.EFAULT:
+ case unix.EFAULT:
// If a fault is not serviceable due to the host
// backing pages having page permissions, instead of an
// MMIO exit we receive EFAULT from the run ioctl. We
@@ -148,7 +148,7 @@ func bluepillHandler(context unsafe.Pointer) {
// mode and have interrupts disabled.
bluepillSigBus(c)
continue // Rerun vCPU.
- case syscall.ENOSYS:
+ case unix.ENOSYS:
bluepillHandleEnosys(c)
continue
default:
diff --git a/pkg/sentry/platform/kvm/filters_amd64.go b/pkg/sentry/platform/kvm/filters_amd64.go
index d3d216aa5..a78be3403 100644
--- a/pkg/sentry/platform/kvm/filters_amd64.go
+++ b/pkg/sentry/platform/kvm/filters_amd64.go
@@ -15,8 +15,6 @@
package kvm
import (
- "syscall"
-
"golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
@@ -26,17 +24,17 @@ import (
// SyscallFilters returns syscalls made exclusively by the KVM platform.
func (*KVM) SyscallFilters() seccomp.SyscallRules {
return seccomp.SyscallRules{
- syscall.SYS_ARCH_PRCTL: {},
- syscall.SYS_IOCTL: {},
+ unix.SYS_ARCH_PRCTL: {},
+ unix.SYS_IOCTL: {},
unix.SYS_MEMBARRIER: []seccomp.Rule{
{
seccomp.EqualTo(linux.MEMBARRIER_CMD_PRIVATE_EXPEDITED),
seccomp.EqualTo(0),
},
},
- syscall.SYS_MMAP: {},
- syscall.SYS_RT_SIGSUSPEND: {},
- syscall.SYS_RT_SIGTIMEDWAIT: {},
- 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host.
+ unix.SYS_MMAP: {},
+ unix.SYS_RT_SIGSUSPEND: {},
+ unix.SYS_RT_SIGTIMEDWAIT: {},
+ 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host.
}
}
diff --git a/pkg/sentry/platform/kvm/filters_arm64.go b/pkg/sentry/platform/kvm/filters_arm64.go
index 21abc2a3d..4e5b91048 100644
--- a/pkg/sentry/platform/kvm/filters_arm64.go
+++ b/pkg/sentry/platform/kvm/filters_arm64.go
@@ -15,8 +15,6 @@
package kvm
import (
- "syscall"
-
"golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
@@ -26,16 +24,16 @@ import (
// SyscallFilters returns syscalls made exclusively by the KVM platform.
func (*KVM) SyscallFilters() seccomp.SyscallRules {
return seccomp.SyscallRules{
- syscall.SYS_IOCTL: {},
+ unix.SYS_IOCTL: {},
unix.SYS_MEMBARRIER: []seccomp.Rule{
{
seccomp.EqualTo(linux.MEMBARRIER_CMD_PRIVATE_EXPEDITED),
seccomp.EqualTo(0),
},
},
- syscall.SYS_MMAP: {},
- syscall.SYS_RT_SIGSUSPEND: {},
- syscall.SYS_RT_SIGTIMEDWAIT: {},
- 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host.
+ unix.SYS_MMAP: {},
+ unix.SYS_RT_SIGSUSPEND: {},
+ unix.SYS_RT_SIGTIMEDWAIT: {},
+ 0xffffffffffffffff: {}, // KVM uses syscall -1 to transition to host.
}
}
diff --git a/pkg/sentry/platform/kvm/kvm.go b/pkg/sentry/platform/kvm/kvm.go
index 7bdf57436..92c05a9ad 100644
--- a/pkg/sentry/platform/kvm/kvm.go
+++ b/pkg/sentry/platform/kvm/kvm.go
@@ -18,8 +18,8 @@ package kvm
import (
"fmt"
"os"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/ring0"
"gvisor.dev/gvisor/pkg/ring0/pagetables"
"gvisor.dev/gvisor/pkg/sentry/platform"
@@ -77,7 +77,7 @@ var (
// OpenDevice opens the KVM device at /dev/kvm and returns the File.
func OpenDevice() (*os.File, error) {
- f, err := os.OpenFile("/dev/kvm", syscall.O_RDWR, 0)
+ f, err := os.OpenFile("/dev/kvm", unix.O_RDWR, 0)
if err != nil {
return nil, fmt.Errorf("error opening /dev/kvm: %v", err)
}
@@ -99,11 +99,11 @@ func New(deviceFile *os.File) (*KVM, error) {
// Create a new VM fd.
var (
vm uintptr
- errno syscall.Errno
+ errno unix.Errno
)
for {
- vm, _, errno = syscall.Syscall(syscall.SYS_IOCTL, fd, _KVM_CREATE_VM, 0)
- if errno == syscall.EINTR {
+ vm, _, errno = unix.Syscall(unix.SYS_IOCTL, fd, _KVM_CREATE_VM, 0)
+ if errno == unix.EINTR {
continue
}
if errno != 0 {
diff --git a/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go b/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go
index 46c4b9113..0c43d72f4 100644
--- a/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go
+++ b/pkg/sentry/platform/kvm/kvm_amd64_unsafe.go
@@ -18,8 +18,9 @@ package kvm
import (
"fmt"
- "syscall"
"unsafe"
+
+ "golang.org/x/sys/unix"
)
var (
@@ -30,7 +31,7 @@ var (
func updateSystemValues(fd int) error {
// Extract the mmap size.
- sz, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0)
+ sz, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0)
if errno != 0 {
return fmt.Errorf("getting VCPU mmap size: %v", errno)
}
@@ -39,19 +40,19 @@ func updateSystemValues(fd int) error {
runDataSize = int(sz)
// Must do the dance to figure out the number of entries.
- _, _, errno = syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ _, _, errno = unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(fd),
_KVM_GET_SUPPORTED_CPUID,
uintptr(unsafe.Pointer(&cpuidSupported)))
- if errno != 0 && errno != syscall.ENOMEM {
+ if errno != 0 && errno != unix.ENOMEM {
// Some other error occurred.
return fmt.Errorf("getting supported CPUID: %v", errno)
}
// The number should now be correct.
- _, _, errno = syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ _, _, errno = unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(fd),
_KVM_GET_SUPPORTED_CPUID,
uintptr(unsafe.Pointer(&cpuidSupported)))
diff --git a/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go b/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go
index 48ccf8474..f07a9f34d 100644
--- a/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go
+++ b/pkg/sentry/platform/kvm/kvm_arm64_unsafe.go
@@ -18,7 +18,8 @@ package kvm
import (
"fmt"
- "syscall"
+
+ "golang.org/x/sys/unix"
)
var (
@@ -28,7 +29,7 @@ var (
func updateSystemValues(fd int) error {
// Extract the mmap size.
- sz, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0)
+ sz, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(fd), _KVM_GET_VCPU_MMAP_SIZE, 0)
if errno != 0 {
return fmt.Errorf("getting VCPU mmap size: %v", errno)
}
diff --git a/pkg/sentry/platform/kvm/machine.go b/pkg/sentry/platform/kvm/machine.go
index 1ece1b8d8..0e4cf01e1 100644
--- a/pkg/sentry/platform/kvm/machine.go
+++ b/pkg/sentry/platform/kvm/machine.go
@@ -18,8 +18,8 @@ import (
"fmt"
"runtime"
"sync/atomic"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/atomicbitops"
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/pkg/procid"
@@ -153,7 +153,7 @@ type dieState struct {
func (m *machine) newVCPU() *vCPU {
// Create the vCPU.
id := int(atomic.AddUint32(&m.nextID, 1) - 1)
- fd, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(m.fd), _KVM_CREATE_VCPU, uintptr(id))
+ fd, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), _KVM_CREATE_VCPU, uintptr(id))
if errno != 0 {
panic(fmt.Sprintf("error creating new vCPU: %v", errno))
}
@@ -193,7 +193,7 @@ func newMachine(vm int) (*machine, error) {
m.available.L = &m.mu
// Pull the maximum vCPUs.
- maxVCPUs, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_VCPUS)
+ maxVCPUs, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_VCPUS)
if errno != 0 {
m.maxVCPUs = _KVM_NR_VCPUS
} else {
@@ -205,7 +205,7 @@ func newMachine(vm int) (*machine, error) {
m.kernel.Init(m.maxVCPUs)
// Pull the maximum slots.
- maxSlots, _, errno := syscall.RawSyscall(syscall.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_MEMSLOTS)
+ maxSlots, _, errno := unix.RawSyscall(unix.SYS_IOCTL, uintptr(m.fd), _KVM_CHECK_EXTENSION, _KVM_CAP_MAX_MEMSLOTS)
if errno != 0 {
m.maxSlots = _KVM_NR_MEMSLOTS
} else {
@@ -357,13 +357,13 @@ func (m *machine) Destroy() {
panic(fmt.Sprintf("error unmapping rundata: %v", err))
}
}
- if err := syscall.Close(int(c.fd)); err != nil {
+ if err := unix.Close(int(c.fd)); err != nil {
panic(fmt.Sprintf("error closing vCPU fd: %v", err))
}
}
// vCPUs are gone: teardown machine state.
- if err := syscall.Close(m.fd); err != nil {
+ if err := unix.Close(m.fd); err != nil {
panic(fmt.Sprintf("error closing VM fd: %v", err))
}
}
@@ -546,7 +546,7 @@ func (c *vCPU) NotifyInterrupt() {
}
// pid is used below in bounce.
-var pid = syscall.Getpid()
+var pid = unix.Getpid()
// bounce forces a return to the kernel or to host mode.
//
@@ -588,9 +588,9 @@ func (c *vCPU) bounce(forceGuestExit bool) {
// under memory pressure. Since we already
// marked ourselves as a waiter, we need to
// ensure that a signal is actually delivered.
- if err := syscall.Tgkill(pid, int(atomic.LoadUint64(&c.tid)), bounceSignal); err == nil {
+ if err := unix.Tgkill(pid, int(atomic.LoadUint64(&c.tid)), bounceSignal); err == nil {
break
- } else if err.(syscall.Errno) == syscall.EAGAIN {
+ } else if err.(unix.Errno) == unix.EAGAIN {
continue
} else {
// Nothing else should be returned by tgkill.
diff --git a/pkg/sentry/platform/kvm/machine_amd64.go b/pkg/sentry/platform/kvm/machine_amd64.go
index 59c752d73..6e583baa3 100644
--- a/pkg/sentry/platform/kvm/machine_amd64.go
+++ b/pkg/sentry/platform/kvm/machine_amd64.go
@@ -21,8 +21,8 @@ import (
"math/big"
"reflect"
"runtime/debug"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/cpuid"
"gvisor.dev/gvisor/pkg/ring0"
"gvisor.dev/gvisor/pkg/ring0/pagetables"
@@ -36,8 +36,8 @@ import (
func (m *machine) initArchState() error {
// Set the legacy TSS address. This address is covered by the reserved
// range (up to 4GB). In fact, this is a main reason it exists.
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(m.fd),
_KVM_SET_TSS_ADDR,
uintptr(reservedMemory-(3*usermem.PageSize))); errno != 0 {
@@ -297,13 +297,13 @@ func (c *vCPU) fault(signal int32, info *arch.SignalInfo) (usermem.AccessType, e
func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) (usermem.AccessType, error) {
// Check for canonical addresses.
if regs := switchOpts.Registers; !ring0.IsCanonical(regs.Rip) {
- return nonCanonical(regs.Rip, int32(syscall.SIGSEGV), info)
+ return nonCanonical(regs.Rip, int32(unix.SIGSEGV), info)
} else if !ring0.IsCanonical(regs.Rsp) {
- return nonCanonical(regs.Rsp, int32(syscall.SIGBUS), info)
+ return nonCanonical(regs.Rsp, int32(unix.SIGBUS), info)
} else if !ring0.IsCanonical(regs.Fs_base) {
- return nonCanonical(regs.Fs_base, int32(syscall.SIGBUS), info)
+ return nonCanonical(regs.Fs_base, int32(unix.SIGBUS), info)
} else if !ring0.IsCanonical(regs.Gs_base) {
- return nonCanonical(regs.Gs_base, int32(syscall.SIGBUS), info)
+ return nonCanonical(regs.Gs_base, int32(unix.SIGBUS), info)
}
// Assign PCIDs.
@@ -332,11 +332,11 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo)
return usermem.NoAccess, nil
case ring0.PageFault:
- return c.fault(int32(syscall.SIGSEGV), info)
+ return c.fault(int32(unix.SIGSEGV), info)
case ring0.Debug, ring0.Breakpoint:
*info = arch.SignalInfo{
- Signo: int32(syscall.SIGTRAP),
+ Signo: int32(unix.SIGTRAP),
Code: 1, // TRAP_BRKPT (breakpoint).
}
info.SetAddr(switchOpts.Registers.Rip) // Include address.
@@ -348,7 +348,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo)
ring0.InvalidTSS,
ring0.StackSegmentFault:
*info = arch.SignalInfo{
- Signo: int32(syscall.SIGSEGV),
+ Signo: int32(unix.SIGSEGV),
Code: arch.SignalInfoKernel,
}
info.SetAddr(switchOpts.Registers.Rip) // Include address.
@@ -362,7 +362,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo)
case ring0.InvalidOpcode:
*info = arch.SignalInfo{
- Signo: int32(syscall.SIGILL),
+ Signo: int32(unix.SIGILL),
Code: 1, // ILL_ILLOPC (illegal opcode).
}
info.SetAddr(switchOpts.Registers.Rip) // Include address.
@@ -370,7 +370,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo)
case ring0.DivideByZero:
*info = arch.SignalInfo{
- Signo: int32(syscall.SIGFPE),
+ Signo: int32(unix.SIGFPE),
Code: 1, // FPE_INTDIV (divide by zero).
}
info.SetAddr(switchOpts.Registers.Rip) // Include address.
@@ -378,7 +378,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo)
case ring0.Overflow:
*info = arch.SignalInfo{
- Signo: int32(syscall.SIGFPE),
+ Signo: int32(unix.SIGFPE),
Code: 2, // FPE_INTOVF (integer overflow).
}
info.SetAddr(switchOpts.Registers.Rip) // Include address.
@@ -387,7 +387,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo)
case ring0.X87FloatingPointException,
ring0.SIMDFloatingPointException:
*info = arch.SignalInfo{
- Signo: int32(syscall.SIGFPE),
+ Signo: int32(unix.SIGFPE),
Code: 7, // FPE_FLTINV (invalid operation).
}
info.SetAddr(switchOpts.Registers.Rip) // Include address.
@@ -398,7 +398,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo)
case ring0.AlignmentCheck:
*info = arch.SignalInfo{
- Signo: int32(syscall.SIGBUS),
+ Signo: int32(unix.SIGBUS),
Code: 2, // BUS_ADRERR (physical address does not exist).
}
return usermem.NoAccess, platform.ErrContextSignal
@@ -409,7 +409,7 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo)
// really not. This could happen, e.g. if some file is
// truncated (and would generate a SIGBUS) and we map it
// directly into the instance.
- return c.fault(int32(syscall.SIGBUS), info)
+ return c.fault(int32(unix.SIGBUS), info)
case ring0.DeviceNotAvailable,
ring0.DoubleFault,
diff --git a/pkg/sentry/platform/kvm/machine_amd64_unsafe.go b/pkg/sentry/platform/kvm/machine_amd64_unsafe.go
index b430f92c6..83bcc7406 100644
--- a/pkg/sentry/platform/kvm/machine_amd64_unsafe.go
+++ b/pkg/sentry/platform/kvm/machine_amd64_unsafe.go
@@ -19,9 +19,9 @@ package kvm
import (
"fmt"
"sync/atomic"
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
)
@@ -31,15 +31,15 @@ import (
//
//go:nosplit
func (c *vCPU) loadSegments(tid uint64) {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_ARCH_PRCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_ARCH_PRCTL,
linux.ARCH_GET_FS,
uintptr(unsafe.Pointer(&c.CPU.Registers().Fs_base)),
0); errno != 0 {
throw("getting FS segment")
}
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_ARCH_PRCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_ARCH_PRCTL,
linux.ARCH_GET_GS,
uintptr(unsafe.Pointer(&c.CPU.Registers().Gs_base)),
0); errno != 0 {
@@ -50,8 +50,8 @@ func (c *vCPU) loadSegments(tid uint64) {
// setCPUID sets the CPUID to be used by the guest.
func (c *vCPU) setCPUID() error {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_CPUID2,
uintptr(unsafe.Pointer(&cpuidSupported))); errno != 0 {
@@ -64,8 +64,8 @@ func (c *vCPU) setCPUID() error {
//
// If mustSucceed is true, then this function panics on error.
func (c *vCPU) getTSCFreq() (uintptr, error) {
- rawFreq, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ rawFreq, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_GET_TSC_KHZ,
0 /* ignored */)
@@ -77,8 +77,8 @@ func (c *vCPU) getTSCFreq() (uintptr, error) {
// setTSCFreq sets the TSC frequency.
func (c *vCPU) setTSCFreq(freq uintptr) error {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_TSC_KHZ,
freq /* khz */); errno != 0 {
@@ -95,8 +95,8 @@ func (c *vCPU) setTSC(value uint64) error {
}
registers.entries[0].index = _MSR_IA32_TSC
registers.entries[0].data = value
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_MSRS,
uintptr(unsafe.Pointer(&registers))); errno != 0 {
@@ -108,9 +108,9 @@ func (c *vCPU) setTSC(value uint64) error {
// setUserRegisters sets user registers in the vCPU.
//
//go:nosplit
-func (c *vCPU) setUserRegisters(uregs *userRegs) syscall.Errno {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+func (c *vCPU) setUserRegisters(uregs *userRegs) unix.Errno {
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_REGS,
uintptr(unsafe.Pointer(uregs))); errno != 0 {
@@ -124,9 +124,9 @@ func (c *vCPU) setUserRegisters(uregs *userRegs) syscall.Errno {
// This is safe to call from a nosplit context.
//
//go:nosplit
-func (c *vCPU) getUserRegisters(uregs *userRegs) syscall.Errno {
- if _, _, errno := syscall.RawSyscall( // escapes: no.
- syscall.SYS_IOCTL,
+func (c *vCPU) getUserRegisters(uregs *userRegs) unix.Errno {
+ if _, _, errno := unix.RawSyscall( // escapes: no.
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_GET_REGS,
uintptr(unsafe.Pointer(uregs))); errno != 0 {
@@ -137,8 +137,8 @@ func (c *vCPU) getUserRegisters(uregs *userRegs) syscall.Errno {
// setSystemRegisters sets system registers.
func (c *vCPU) setSystemRegisters(sregs *systemRegs) error {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_SREGS,
uintptr(unsafe.Pointer(sregs))); errno != 0 {
@@ -150,9 +150,9 @@ func (c *vCPU) setSystemRegisters(sregs *systemRegs) error {
// getSystemRegisters sets system registers.
//
//go:nosplit
-func (c *vCPU) getSystemRegisters(sregs *systemRegs) syscall.Errno {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+func (c *vCPU) getSystemRegisters(sregs *systemRegs) unix.Errno {
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_GET_SREGS,
uintptr(unsafe.Pointer(sregs))); errno != 0 {
diff --git a/pkg/sentry/platform/kvm/machine_arm64_unsafe.go b/pkg/sentry/platform/kvm/machine_arm64_unsafe.go
index 78cbd9701..059aa43d0 100644
--- a/pkg/sentry/platform/kvm/machine_arm64_unsafe.go
+++ b/pkg/sentry/platform/kvm/machine_arm64_unsafe.go
@@ -20,9 +20,9 @@ import (
"fmt"
"reflect"
"sync/atomic"
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/ring0"
"gvisor.dev/gvisor/pkg/ring0/pagetables"
"gvisor.dev/gvisor/pkg/sentry/arch"
@@ -39,8 +39,8 @@ var vcpuInit kvmVcpuInit
// initArchState initializes architecture-specific state.
func (m *machine) initArchState() error {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(m.fd),
_KVM_ARM_PREFERRED_TARGET,
uintptr(unsafe.Pointer(&vcpuInit))); errno != 0 {
@@ -62,8 +62,8 @@ func (c *vCPU) initArchState() error {
regGet.addr = uint64(reflect.ValueOf(&dataGet).Pointer())
vcpuInit.features[0] |= (1 << _KVM_ARM_VCPU_PSCI_0_2)
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_ARM_VCPU_INIT,
uintptr(unsafe.Pointer(&vcpuInit))); errno != 0 {
@@ -186,8 +186,8 @@ func (c *vCPU) loadSegments(tid uint64) {
}
func (c *vCPU) setOneRegister(reg *kvmOneReg) error {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_ONE_REG,
uintptr(unsafe.Pointer(reg))); errno != 0 {
@@ -197,8 +197,8 @@ func (c *vCPU) setOneRegister(reg *kvmOneReg) error {
}
func (c *vCPU) getOneRegister(reg *kvmOneReg) error {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_GET_ONE_REG,
uintptr(unsafe.Pointer(reg))); errno != 0 {
@@ -211,9 +211,9 @@ func (c *vCPU) getOneRegister(reg *kvmOneReg) error {
func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo) (usermem.AccessType, error) {
// Check for canonical addresses.
if regs := switchOpts.Registers; !ring0.IsCanonical(regs.Pc) {
- return nonCanonical(regs.Pc, int32(syscall.SIGSEGV), info)
+ return nonCanonical(regs.Pc, int32(unix.SIGSEGV), info)
} else if !ring0.IsCanonical(regs.Sp) {
- return nonCanonical(regs.Sp, int32(syscall.SIGSEGV), info)
+ return nonCanonical(regs.Sp, int32(unix.SIGSEGV), info)
}
// Assign PCIDs.
@@ -247,23 +247,23 @@ func (c *vCPU) SwitchToUser(switchOpts ring0.SwitchOpts, info *arch.SignalInfo)
// Fast path: system call executed.
return usermem.NoAccess, nil
case ring0.PageFault:
- return c.fault(int32(syscall.SIGSEGV), info)
+ return c.fault(int32(unix.SIGSEGV), info)
case ring0.El0ErrNMI:
- return c.fault(int32(syscall.SIGBUS), info)
+ return c.fault(int32(unix.SIGBUS), info)
case ring0.Vector(bounce): // ring0.VirtualizationException.
return usermem.NoAccess, platform.ErrContextInterrupt
case ring0.El0SyncUndef:
- return c.fault(int32(syscall.SIGILL), info)
+ return c.fault(int32(unix.SIGILL), info)
case ring0.El0SyncDbg:
*info = arch.SignalInfo{
- Signo: int32(syscall.SIGTRAP),
+ Signo: int32(unix.SIGTRAP),
Code: 1, // TRAP_BRKPT (breakpoint).
}
info.SetAddr(switchOpts.Registers.Pc) // Include address.
return usermem.AccessType{}, platform.ErrContextSignal
case ring0.El0SyncSpPc:
*info = arch.SignalInfo{
- Signo: int32(syscall.SIGBUS),
+ Signo: int32(unix.SIGBUS),
Code: 2, // BUS_ADRERR (physical address does not exist).
}
return usermem.NoAccess, platform.ErrContextSignal
diff --git a/pkg/sentry/platform/kvm/machine_unsafe.go b/pkg/sentry/platform/kvm/machine_unsafe.go
index c322551d2..49e1c7136 100644
--- a/pkg/sentry/platform/kvm/machine_unsafe.go
+++ b/pkg/sentry/platform/kvm/machine_unsafe.go
@@ -23,9 +23,9 @@ import (
"fmt"
"math"
"sync/atomic"
- "syscall"
"unsafe"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/abi/linux"
)
@@ -41,7 +41,7 @@ func exitsyscall()
// directly (instead of wrapping in an error) to avoid allocations.
//
//go:nosplit
-func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, flags uint32) syscall.Errno {
+func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, flags uint32) unix.Errno {
userRegion := userMemoryRegion{
slot: uint32(slot),
flags: uint32(flags),
@@ -51,8 +51,8 @@ func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, f
}
// Set the region.
- _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(m.fd),
_KVM_SET_USER_MEMORY_REGION,
uintptr(unsafe.Pointer(&userRegion)))
@@ -61,12 +61,12 @@ func (m *machine) setMemoryRegion(slot int, physical, length, virtual uintptr, f
// mapRunData maps the vCPU run data.
func mapRunData(fd int) (*runData, error) {
- r, _, errno := syscall.RawSyscall6(
- syscall.SYS_MMAP,
+ r, _, errno := unix.RawSyscall6(
+ unix.SYS_MMAP,
0,
uintptr(runDataSize),
- syscall.PROT_READ|syscall.PROT_WRITE,
- syscall.MAP_SHARED,
+ unix.PROT_READ|unix.PROT_WRITE,
+ unix.MAP_SHARED,
uintptr(fd),
0)
if errno != 0 {
@@ -77,8 +77,8 @@ func mapRunData(fd int) (*runData, error) {
// unmapRunData unmaps the vCPU run data.
func unmapRunData(r *runData) error {
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_MUNMAP,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_MUNMAP,
uintptr(unsafe.Pointer(r)),
uintptr(runDataSize),
0); errno != 0 {
@@ -115,8 +115,8 @@ func (a *atomicAddressSpace) get() *addressSpace {
//
//go:nosplit
func (c *vCPU) notify() {
- _, _, errno := syscall.RawSyscall6( // escapes: no.
- syscall.SYS_FUTEX,
+ _, _, errno := unix.RawSyscall6( // escapes: no.
+ unix.SYS_FUTEX,
uintptr(unsafe.Pointer(&c.state)),
linux.FUTEX_WAKE|linux.FUTEX_PRIVATE_FLAG,
math.MaxInt32, // Number of waiters.
@@ -133,13 +133,13 @@ func (c *vCPU) notify() {
//
// This panics on error.
func (c *vCPU) waitUntilNot(state uint32) {
- _, _, errno := syscall.Syscall6(
- syscall.SYS_FUTEX,
+ _, _, errno := unix.Syscall6(
+ unix.SYS_FUTEX,
uintptr(unsafe.Pointer(&c.state)),
linux.FUTEX_WAIT|linux.FUTEX_PRIVATE_FLAG,
uintptr(state),
0, 0, 0)
- if errno != 0 && errno != syscall.EINTR && errno != syscall.EAGAIN {
+ if errno != 0 && errno != unix.EINTR && errno != unix.EAGAIN {
panic("futex wait error")
}
}
@@ -159,8 +159,8 @@ func (c *vCPU) setSignalMask() error {
data.length = 8 // Fixed sigset size.
data.mask1 = ^uint32(bounceSignalMask & 0xffffffff)
data.mask2 = ^uint32(bounceSignalMask >> 32)
- if _, _, errno := syscall.RawSyscall(
- syscall.SYS_IOCTL,
+ if _, _, errno := unix.RawSyscall(
+ unix.SYS_IOCTL,
uintptr(c.fd),
_KVM_SET_SIGNAL_MASK,
uintptr(unsafe.Pointer(&data))); errno != 0 {
diff --git a/pkg/sentry/platform/kvm/physical_map.go b/pkg/sentry/platform/kvm/physical_map.go
index 8bdec93ae..7376d8b8d 100644
--- a/pkg/sentry/platform/kvm/physical_map.go
+++ b/pkg/sentry/platform/kvm/physical_map.go
@@ -17,8 +17,8 @@ package kvm
import (
"fmt"
"sort"
- "syscall"
+ "golang.org/x/sys/unix"
"gvisor.dev/gvisor/pkg/log"
"gvisor.dev/gvisor/pkg/ring0"
"gvisor.dev/gvisor/pkg/usermem"
@@ -90,12 +90,12 @@ func fillAddressSpace() (excludedRegions []region) {
required := uintptr(requiredAddr)
current := required // Attempted mmap size.
for filled := uintptr(0); filled < required && current > 0; {
- addr, _, errno := syscall.RawSyscall6(
- syscall.SYS_MMAP,
+ addr, _, errno := unix.RawSyscall6(
+ unix.SYS_MMAP,
0, // Suggested address.
current,
- syscall.PROT_NONE,
- syscall.MAP_ANONYMOUS|syscall.MAP_PRIVATE|syscall.MAP_NORESERVE,
+ unix.PROT_NONE,
+ unix.MAP_ANONYMOUS|unix.MAP_PRIVATE|unix.MAP_NORESERVE,
0, 0)
if errno != 0 {
// Attempt half the size; overflow not possible.