[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v1 2/2] domctl: Handle some of XEN_DOMCTL_shadow_op without the domctl lock
- To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
- Date: Wed, 10 Jun 2026 10:50:38 +0100
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/+qm1leoAjrT8y99LtftJEiKLFqQvkzOA5UvxrdnIvE=; b=Zz3kBNKzTrfNrRRnEQrPVG4MqJZFgBcfbkv5G0odFPCBFlAUiTjyi9jgJNefN3qzyjhuat+6yaV8OZO/7cdKt2vxFScNJ1++4WJLNgUS1oh5BuFQMS/ulkFWhyvjwtV/U1fNPWgYu/t4LzCCneU/XLzCrUhG2ux9qmGNFTq/hJvI13tHsYslEstB7CY+ouLGhsp+L9bHtfhoE5MFxDWpTWjOo6GQT6bsB5ESyvmLDNY7Wx2RV8xl6jJooXr/diwda9aWfl9mjxi+eDQyHCytNruUo91uUDbUvyt13tQM4VdrL/SoRMbaRMKKoDaSgZCSipPqiFYAArsOuX0gLjsuLw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=F1MZCMxYatQqdaLGRA/llyOFTPhdDB7sXjp0Gp8mgR1UovuRHKNrimPAgC/71bpC53qcPt1OK6GYZygiJY8sUpgBuZNIORhC9hL5v1Ln5Xsm2s/cEMPm6Q5SBsxR2OFqtJTojsnzZr/pMdQE/MQ0Mv3HR4teyOq9rvP+9PWnEU6kKieGlFvBs0BeIdvhsfo8fYZNsDDSLk5EKxBihlDc6Nfy3Q5WGyLCP3cAlgyr0Pv6dzVmlSDgQPrJOkAeB17NDf5x5P1aee9ba5tt30KB6wPok85rlpKbON7/xwmw+TRKvpTrb3h/9FSTFxbwboJFlGj+m++0fvtN1cINo5f0+g==
- Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=citrix.com header.i="@citrix.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Wed, 10 Jun 2026 09:50:56 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 6/10/26 9:35 AM, Roger Pau Monné wrote:
On Tue, Jun 09, 2026 at 04:15:28PM +0100, Ross Lagerwall wrote:
Handle XEN_DOMCTL_SHADOW_OP_{CLEAN,PEEK} without taking the domctl lock.
This is safe because for these subops, the paging lock is mostly held
which prevents it from operating concurrently on the same domain. There
are some parts that are called without the paging lock held:
* hvm_mapped_guest_frames_mark_dirty() - The function itself takes a
spinlock so is protected from concurrent calls. In any case, it will
mark all the pages dirty as required.
* domain_pause() - The toolstack cannot unpause the domain while in
paging_log_dirty_op() because the toolstack's pause/unpause ops have
a separate ref count.
* p2m_flush_hardware_cached_dirty() - This is called elsewhere without
the domctl lock held so holding it wouldn't achieve anything. It
should be fine as long as it is called at least once.
* log_dirty.ops->clean() - If the callback is hap_clean_dirty_bitmap(),
then it will hold the p2m lock while modifying the table. If the
callback is sh_clean_dirty_bitmap(), it will hold the paging lock
while modifying the table. In both cases, this is OK.
* domain_unpause() - Same as the earlier domain_pause().
You could join both into a single domain_{,un}pause() bullet point.
Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx>
---
xen/arch/x86/mm/paging.c | 8 ++++++--
xen/common/domctl.c | 12 ++++++++++++
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/xen/arch/x86/mm/paging.c b/xen/arch/x86/mm/paging.c
index 1a5822808620..bfb5b423a0dd 100644
--- a/xen/arch/x86/mm/paging.c
+++ b/xen/arch/x86/mm/paging.c
@@ -746,11 +746,15 @@ long do_paging_domctl_cont(
ret = xsm_domctl(XSM_OTHER, d, &op);
if ( !ret )
{
- if ( domctl_lock_acquire() )
+ bool lock = !(op.u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN ||
+ op.u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK);
+
+ if ( !lock || domctl_lock_acquire() )
{
ret = paging_domctl(d, &op.u.shadow_op, u_domctl, 1);
- domctl_lock_release();
+ if ( lock )
+ domctl_lock_release();
}
else
ret = -ERESTART;
diff --git a/xen/common/domctl.c b/xen/common/domctl.c
index 35144d95b808..a3888c4e87d4 100644
--- a/xen/common/domctl.c
+++ b/xen/common/domctl.c
@@ -559,6 +559,18 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t)
u_domctl)
ret = arch_do_domctl(op, d, u_domctl);
goto domctl_out_unlock_domonly;
+ case XEN_DOMCTL_shadow_op:
+ if ( op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_CLEAN ||
+ op->u.shadow_op.op == XEN_DOMCTL_SHADOW_OP_PEEK )
+ {
+ ret = xsm_domctl(XSM_OTHER, d, op);
+ if ( ret )
+ goto domctl_out_unlock_domonly;
+
+ ret = arch_do_domctl(op, d, u_domctl);
+ goto domctl_out_unlock_domonly;
+ }
+ fallthrough;
Newline, and I would use break rather than fallthrough, if further
cases are added below you don't what to fallthrough, and there's
nothing to do in the default case anyway.
Yes, not sure what I was thinking here. break makes far more sense.
Can this adjustment be done when committing?
See for example how this is similar to XEN_DOMCTL_vm_event_op which
also handles some sub-ops without a lock and uses a break instead of a
fallthrough.
FWIW, I would also put the XEN_DOMCTL_shadow_op case after
XEN_DOMCTL_get_device_group and ahead of the
XEN_DOMCTL_ioport_permission block, but that's just my taste.
I don't have a preference here, either is fine.
Thanks,
Ross
|
