Xen project Mailing List

Re: [PATCH] xen/page_alloc: Simplify domain_adjust_tot_pages

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Wed, 26 Feb 2025 15:28:53 +0100

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Alejandro Vallejo <alejandro.vallejo@xxxxxxxxx>

Delivery-date: Wed, 26 Feb 2025 14:29:18 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Feb 26, 2025 at 03:08:33PM +0100, Jan Beulich wrote: > On 26.02.2025 14:56, Roger Pau Monné wrote: > > On Mon, Feb 24, 2025 at 01:27:24PM +0000, Alejandro Vallejo wrote: > >> --- a/xen/common/page_alloc.c > >> +++ b/xen/common/page_alloc.c > >> @@ -490,13 +490,11 @@ static long outstanding_claims; /* total outstanding > >> claims by all domains */ > >> > >> unsigned long domain_adjust_tot_pages(struct domain *d, long pages) > >> { > >> - long dom_before, dom_after, dom_claimed, sys_before, sys_after; > >> - > >> ASSERT(rspin_is_locked(&d->page_alloc_lock)); > >> d->tot_pages += pages; > >> > >> /* > >> - * can test d->claimed_pages race-free because it can only change > >> + * can test d->outstanding_pages race-free because it can only change > >> * if d->page_alloc_lock and heap_lock are both held, see also > >> * domain_set_outstanding_pages below > >> */ > >> @@ -504,17 +502,16 @@ unsigned long domain_adjust_tot_pages(struct domain > >> *d, long pages) > >> goto out; > > > > I think you can probably short-circuit the logic below if pages == 0? > > (and avoid taking the heap_lock) > > Are there callers passing in 0? Not sure, but if there are no callers expected we might add an ASSERT to that effect then. > >> spin_lock(&heap_lock); > >> - /* adjust domain outstanding pages; may not go negative */ > >> - dom_before = d->outstanding_pages; > >> - dom_after = dom_before - pages; > >> - BUG_ON(dom_before < 0); > >> - dom_claimed = dom_after < 0 ? 0 : dom_after; > >> - d->outstanding_pages = dom_claimed; > >> - /* flag accounting bug if system outstanding_claims would go negative > >> */ > >> - sys_before = outstanding_claims; > >> - sys_after = sys_before - (dom_before - dom_claimed); > >> - BUG_ON(sys_after < 0); > >> - outstanding_claims = sys_after; > >> + BUG_ON(outstanding_claims < d->outstanding_pages); > >> + if ( pages > 0 && d->outstanding_pages < pages ) > >> + { > >> + /* `pages` exceeds the domain's outstanding count. Zero it out. */ > >> + outstanding_claims -= d->outstanding_pages; > >> + d->outstanding_pages = 0; > >> + } else { > >> + outstanding_claims -= pages; > >> + d->outstanding_pages -= pages; > > > > I wonder if it's intentional for a pages < 0 value to modify > > outstanding_claims and d->outstanding_pages, I think those values > > should only be set from domain_set_outstanding_pages(). > > domain_adjust_tot_pages() should only decrease the value, but never > > increase either outstanding_claims or d->outstanding_pages. > > > > At best the behavior is inconsistent, because once > > d->outstanding_pages reaches 0 there will be no further modification > > from domain_adjust_tot_pages(). > > Right, at that point the claim has run out. While freeing pages with an > active claim means that the claim gets bigger (which naturally needs > reflecting in the global). domain_adjust_tot_pages() is not exclusively called when freeing pages, see steal_page() for example. When called from steal_page() it's wrong to increase the claim, as it assumes that the page removed from d->tot_pages is freed, but that's not the case. The domain might end up in a situation where the claim is bigger than the available amount of memory. Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.