|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH v11 1/3] xen/domain: unify domain ID allocation
On Mon Jul 28, 2025 at 8:34 PM CEST, dmkhn wrote:
> From: Denis Mukhin <dmukhin@xxxxxxxx>
>
> Currently, there are two different domain ID allocation implementations:
>
> 1) Sequential IDs allocation in dom0less Arm code based on max_init_domid;
>
> 2) Sequential IDs allocation in XEN_DOMCTL_createdomain; does not use
> max_init_domid (both Arm and x86).
>
> The domain ID allocation covers dom0 or late hwdom, predefined domains,
> post-boot domains, excluding Xen system domains (domid >=
> DOMID_FIRST_RESERVED).
>
> It makes sense to have a common helper code for such task across architectures
> (Arm and x86) and between dom0less / toolstack domU allocation.
>
> Note, fixing dependency on max_init_domid is out of scope of this patch.
I can see why. The console switch code is a bit annoying. It's unfortunate it
relies on that global for the early wraparound.
>
> Wrap the domain ID allocation as an arch-independent function domid_alloc() in
> new common/domid.c based on the bitmap.
>
> Allocation algorithm:
> - If an explicit domain ID is provided, verify its availability and use it if
> ID is not used;
> - If DOMID_INVALID is provided, search the range [1..DOMID_FIRST_RESERVED-1],
> starting from the last used ID. IDs are not wrapped around in dom0less case.
> Implementation guarantees that two consecutive calls will never return the
> same ID. ID#0 is reserved for the first boot domain (currently, dom0) and
> excluded from the allocation range.
>
> Remove is_free_domid() helper as it is not needed now.
>
> No functional change intended.
>
> Signed-off-by: Denis Mukhin <dmukhin@xxxxxxxx>
> ---
> Changes since v10:
> - fixup #ifdefs in domid_alloc()
> - corrected use of domid_free() in domain_destroy()
> - rebased
> - moved domid_{alloc,free}() to common/domid.c so the functional test could be
> added later
> ---
> xen/arch/arm/domain_build.c | 7 +-
> xen/arch/x86/setup.c | 7 +-
> xen/common/Makefile | 1 +
> xen/common/device-tree/dom0less-build.c | 15 ++--
> xen/common/domain.c | 2 +
> xen/common/domctl.c | 42 ++---------
> xen/common/domid.c | 93 +++++++++++++++++++++++++
> xen/include/xen/domain.h | 3 +
> 8 files changed, 122 insertions(+), 48 deletions(-)
> create mode 100644 xen/common/domid.c
>
> diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
> index 463ae4474d30..789f2b9d3ce7 100644
> --- a/xen/arch/arm/domain_build.c
> +++ b/xen/arch/arm/domain_build.c
> @@ -2050,6 +2050,7 @@ void __init create_dom0(void)
> .grant_opts = XEN_DOMCTL_GRANT_version(opt_gnttab_max_version),
> };
> unsigned int flags = CDF_privileged | CDF_hardware;
> + domid_t domid;
> int rc;
>
> /* The vGIC for DOM0 is exactly emulating the hardware GIC */
> @@ -2074,7 +2075,11 @@ void __init create_dom0(void)
> if ( !llc_coloring_enabled )
> flags |= CDF_directmap;
>
> - dom0 = domain_create(0, &dom0_cfg, flags);
> + domid = domid_alloc(0);
> + if ( domid == DOMID_INVALID )
> + panic("Error allocating domain ID 0\n");
> +
> + dom0 = domain_create(domid, &dom0_cfg, flags);
> if ( IS_ERR(dom0) )
> panic("Error creating domain 0 (rc = %ld)\n", PTR_ERR(dom0));
>
> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index 1543dd251cc6..2ff7c28c277b 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -1047,8 +1047,11 @@ static struct domain *__init create_dom0(struct
> boot_info *bi)
> if ( iommu_enabled )
> dom0_cfg.flags |= XEN_DOMCTL_CDF_iommu;
>
> - /* Create initial domain. Not d0 for pvshim. */
> - bd->domid = get_initial_domain_id();
> + /* Allocate initial domain ID. Not d0 for pvshim. */
> + bd->domid = domid_alloc(get_initial_domain_id());
> + if ( bd->domid == DOMID_INVALID )
> + panic("Error allocating domain ID %d\n", get_initial_domain_id());
> +
> d = domain_create(bd->domid, &dom0_cfg,
> pv_shim ? 0 : CDF_privileged | CDF_hardware);
> if ( IS_ERR(d) )
> diff --git a/xen/common/Makefile b/xen/common/Makefile
> index c316957fcb36..0c7d0f5d46e1 100644
> --- a/xen/common/Makefile
> +++ b/xen/common/Makefile
> @@ -11,6 +11,7 @@ obj-$(filter-out $(CONFIG_X86),$(CONFIG_ACPI)) += device.o
> obj-$(CONFIG_DEVICE_TREE_PARSE) += device-tree/
> obj-$(CONFIG_IOREQ_SERVER) += dm.o
> obj-y += domain.o
> +obj-y += domid.o
> obj-y += event_2l.o
> obj-y += event_channel.o
> obj-$(CONFIG_EVTCHN_FIFO) += event_fifo.o
> diff --git a/xen/common/device-tree/dom0less-build.c
> b/xen/common/device-tree/dom0less-build.c
> index 6bb038111de9..1f9461d0e738 100644
> --- a/xen/common/device-tree/dom0less-build.c
> +++ b/xen/common/device-tree/dom0less-build.c
> @@ -833,21 +833,20 @@ void __init create_domUs(void)
> {
> struct kernel_info ki = KERNEL_INFO_INIT;
> int rc = parse_dom0less_node(node, &ki.bd);
> + domid_t domid;
>
> if ( rc == -ENOENT )
> continue;
> if ( rc )
> panic("Malformed DTB: Invalid domain %s\n", dt_node_name(node));
>
> - if ( (max_init_domid + 1) >= DOMID_FIRST_RESERVED )
> - panic("No more domain IDs available\n");
> + domid = domid_alloc(DOMID_INVALID);
> + if ( domid == DOMID_INVALID )
> + panic("Error allocating ID for domain %s\n", dt_node_name(node));
> + if ( max_init_domid < domid )
> + max_init_domid = domid;
nit: This is open-coding max_init_domid = max(max_init_domid, domid);
>
> - /*
> - * The variable max_init_domid is initialized with zero, so here it's
> - * very important to use the pre-increment operator to call
> - * domain_create() with a domid > 0. (domid == 0 is reserved for
> Dom0)
> - */
> - ki.bd.d = domain_create(++max_init_domid,
> + ki.bd.d = domain_create(domid,
> &ki.bd.create_cfg, ki.bd.create_flags);
nit: With this change, the wrapped line can be unfolded into a single one.
> if ( IS_ERR(ki.bd.d) )
> panic("Error creating domain %s (rc = %ld)\n",
> diff --git a/xen/common/domain.c b/xen/common/domain.c
> index 3c65cca5b0ff..23dbc1f46c78 100644
> --- a/xen/common/domain.c
> +++ b/xen/common/domain.c
> @@ -1466,6 +1466,8 @@ void domain_destroy(struct domain *d)
> /* Remove from the domlist/hash. */
> domlist_remove(d);
>
> + domid_free(d->domain_id);
> +
> /* Schedule RCU asynchronous completion of domain destroy. */
> call_rcu(&d->rcu, complete_domain_destroy);
> }
> diff --git a/xen/common/domctl.c b/xen/common/domctl.c
> index f2a7caaf853c..5509998aa139 100644
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -51,20 +51,6 @@ static int xenctl_bitmap_to_nodemask(nodemask_t *nodemask,
> MAX_NUMNODES);
> }
q
> -static inline int is_free_domid(domid_t dom)
> -{
> - struct domain *d;
> -
> - if ( dom >= DOMID_FIRST_RESERVED )
> - return 0;
> -
> - if ( (d = rcu_lock_domain_by_id(dom)) == NULL )
> - return 1;
> -
> - rcu_unlock_domain(d);
> - return 0;
> -}
> -
> void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info)
> {
> struct vcpu *v;
> @@ -423,36 +409,18 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t)
> u_domctl)
>
> case XEN_DOMCTL_createdomain:
> {
> - domid_t dom;
> - static domid_t rover = 0;
> + domid_t domid = domid_alloc(op->domain);
>
> - dom = op->domain;
> - if ( (dom > 0) && (dom < DOMID_FIRST_RESERVED) )
> + if ( domid == DOMID_INVALID )
> {
> ret = -EEXIST;
> - if ( !is_free_domid(dom) )
> - break;
> - }
> - else
> - {
> - for ( dom = rover + 1; dom != rover; dom++ )
> - {
> - if ( dom == DOMID_FIRST_RESERVED )
> - dom = 1;
> - if ( is_free_domid(dom) )
> - break;
> - }
> -
> - ret = -ENOMEM;
> - if ( dom == rover )
> - break;
> -
> - rover = dom;
> + break;
> }
>
> - d = domain_create(dom, &op->u.createdomain, false);
> + d = domain_create(domid, &op->u.createdomain, false);
> if ( IS_ERR(d) )
> {
> + domid_free(domid);
> ret = PTR_ERR(d);
> d = NULL;
> break;
> diff --git a/xen/common/domid.c b/xen/common/domid.c
> new file mode 100644
> index 000000000000..e553ab6e5468
> --- /dev/null
> +++ b/xen/common/domid.c
> @@ -0,0 +1,93 @@
> +/* SPDX-License-Identifier: GPL-2.0-only */
> +/*
> + * Domain ID allocator.
> + * Covers dom0 or late hwdom, predefined domains, post-boot domains; excludes
> + * Xen system domains (ID >= DOMID_FIRST_RESERVED).
> + *
> + * Copyright 2025 Ford Motor Company
> + */
> +
> +#include <xen/domain.h>
> +
> +static DEFINE_SPINLOCK(domid_lock);
> +static DECLARE_BITMAP(domid_bitmap, DOMID_FIRST_RESERVED);
> +
> +/*
q + * Allocate domain ID.
> + *
> + * @param[in] domid Exact domain ID within [0..DOMID_FIRST_RESERVED-1] range
> or
nit: [in] is inconsequential, not being a pointer.
> + * DOMID_INVALID for exhaustive search within
> + * [1..DOMID_FIRST_RESERVED-1].
> + * @return Valid domain ID in case of successful allocation,
> + * DOMID_INVALID - otherwise.
> + */
> +domid_t cf_check domid_alloc(domid_t domid)
Why cf_check? That's only needed when using indirection (i.e) function pointers
so the call works with IBT. I don't think that's needed here?
> +{
> + static domid_t domid_last;
> +
> + spin_lock(&domid_lock);
> +
> + /* Exact match. */
> + if ( domid < DOMID_FIRST_RESERVED )
> + {
> + if ( __test_and_set_bit(domid, domid_bitmap) )
> + domid = DOMID_INVALID;
> + }
> + /*
> + * Exhaustive search.
> + *
> + * Domain ID#0 is reserved for the first boot domain (e.g. control
> domain)
> + * and excluded from allocation.
> + *
> + * In dom0less build, domains are not dynamically destroyed, so there's
> no
> + * need to do a wraparound of the IDs.
> + */
> +#ifdef CONFIG_DOM0LESS_BOOT
> + else if ( domid_last + 1 >= DOMID_FIRST_RESERVED )
> + domid = DOMID_INVALID;
> +#endif
This hunk with the guards breaks dom0less-capable Xen booting a non-dom0less
system (which effectively means any defconfig arm build). dom0 boots must wrap
around, irrespective of whether that same build could boot from a DTB.
The point of not wrapping around is merely a conservative check to ensure
dom0less-build can find a free domid by bump-allocating. This is already the
case with your code, so there's no need to special-case dom0less.
Just remove it.
> + else
> + {
> + domid = find_next_zero_bit(domid_bitmap,
> + DOMID_FIRST_RESERVED,
> + domid_last + 1);
> +#ifndef CONFIG_DOM0LESS_BOOT
> + ASSERT(domid <= DOMID_FIRST_RESERVED);
> + if ( domid == DOMID_FIRST_RESERVED )
> + domid = find_next_zero_bit(domid_bitmap,
> + DOMID_FIRST_RESERVED,
> + 1);
> +#endif
Like before, this must be without the ifdef guards. Otherwise it breaks
non-dom0less runs on dom0less-enabled builds.
> +
> + if ( domid < DOMID_FIRST_RESERVED )
> + {
> + __set_bit(domid, domid_bitmap);
> + domid_last = domid;
> + }
> + else
> + domid = DOMID_INVALID;
> + }
> +
> + spin_unlock(&domid_lock);
> +
> + return domid;
> +}
> +
> +void cf_check domid_free(domid_t domid)
> +{
> + ASSERT(domid <= DOMID_FIRST_RESERVED);
> +
> + spin_lock(&domid_lock);
Might be worth asserting the bit is set. That way we'll catch XSAs in CI if
we try to incorrectly move the current calls to domid_free().
> + __clear_bit(domid, domid_bitmap);
> + spin_unlock(&domid_lock);
> +}
> +
> +/*
> + * Local variables:
> + * mode: C
> + * c-file-style: "BSD"
> + * c-basic-offset: 4
> + * tab-width: 4
> + * indent-tabs-mode: nil
> + * End:
> + */
> diff --git a/xen/include/xen/domain.h b/xen/include/xen/domain.h
> index e10baf2615fd..31946bb1b653 100644
> --- a/xen/include/xen/domain.h
> +++ b/xen/include/xen/domain.h
> @@ -38,6 +38,9 @@ void arch_get_domain_info(const struct domain *d,
>
> domid_t get_initial_domain_id(void);
>
> +domid_t cf_check domid_alloc(domid_t domid);
> +void cf_check domid_free(domid_t domid);
Neither of them should need the cf_check. Also, could you perhaps move the
explanation of how the allocation scheme works from the commit message into
the domid_alloc() prototype? That way callers can reason about the API without
git-blaming to find out.
> +
> /* CDF_* constant. Internal flags for domain creation. */
> /* Is this a privileged domain? */
> #define CDF_privileged (1U << 0)
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |