xen/arch/arm/domain.c | 4 +--- xen/arch/x86/domain.c | 3 +-- xen/arch/x86/hvm/ioreq.c | 11 ++--------- xen/arch/x86/mm.c | 3 +-- xen/arch/x86/mm/mem_sharing.c | 9 +++------ xen/arch/x86/mm/p2m-pod.c | 4 +--- xen/arch/x86/mm/p2m.c | 3 +-- xen/common/grant_table.c | 3 +-- xen/common/memory.c | 5 ++--- xen/common/xenoprof.c | 3 +-- xen/include/xen/mm.h | 11 +++++++++++ 11 files changed, 25 insertions(+), 34 deletions(-)
The _PGC_allocated flag is set on a page when it is assigned to a domain
along with an initial reference count of 1. To clear this initial
reference count it is necessary to test-and-clear _PGC_allocated and then
only drop the reference if the test-and-clear succeeds. This is open-
coded in many places. It is also unsafe to test-and-clear _PGC_allocated
unless the caller holds an additional reference.
This patch adds a helper function, clear_assignment_reference(), to
replace all the open-coded test-and-clear/put_page occurrences and
incorporates in that an ASSERTion that an additional page reference is
held.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
---
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Julien Grall <julien.grall@arm.com>
Cc: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Tim Deegan <tim@xen.org>
Cc: Wei Liu <wl@xen.org>
Cc: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: Tamas K Lengyel <tamas@tklengyel.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
---
xen/arch/arm/domain.c | 4 +---
xen/arch/x86/domain.c | 3 +--
xen/arch/x86/hvm/ioreq.c | 11 ++---------
xen/arch/x86/mm.c | 3 +--
xen/arch/x86/mm/mem_sharing.c | 9 +++------
xen/arch/x86/mm/p2m-pod.c | 4 +---
xen/arch/x86/mm/p2m.c | 3 +--
xen/common/grant_table.c | 3 +--
xen/common/memory.c | 5 ++---
xen/common/xenoprof.c | 3 +--
xen/include/xen/mm.h | 11 +++++++++++
11 files changed, 25 insertions(+), 34 deletions(-)
diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index 4f44d5c742..78700d6f08 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -926,9 +926,7 @@ static int relinquish_memory(struct domain *d, struct page_list_head *list)
*/
continue;
- if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
-
+ clear_assignment_reference(page);
put_page(page);
if ( hypercall_preempt_check() )
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 147f96a09e..c8c51d5f76 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -1939,8 +1939,7 @@ static int relinquish_memory(
BUG();
}
- if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
+ clear_assignment_reference(page);
/*
* Forcibly invalidate top-most, still valid page tables at this point
diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index 7a80cfb28b..129f9fddbc 100644
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -398,8 +398,7 @@ static int hvm_alloc_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
return 0;
fail:
- if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
+ clear_assignment_reference(page);
put_page_and_type(page);
return -ENOMEM;
@@ -418,13 +417,7 @@ static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
unmap_domain_page_global(iorp->va);
iorp->va = NULL;
- /*
- * Check whether we need to clear the allocation reference before
- * dropping the explicit references taken by get_page_and_type().
- */
- if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
-
+ clear_assignment_reference(page);
put_page_and_type(page);
}
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index df2c0130f1..9fe66a6d26 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -498,8 +498,7 @@ void share_xen_page_with_guest(struct page_info *page, struct domain *d,
void free_shared_domheap_page(struct page_info *page)
{
- if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
+ clear_assignment_reference(page);
if ( !test_and_clear_bit(_PGC_xen_heap, &page->count_info) )
ASSERT_UNREACHABLE();
page->u.inuse.type_info = 0;
diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
index f16a3f5324..7a643aed53 100644
--- a/xen/arch/x86/mm/mem_sharing.c
+++ b/xen/arch/x86/mm/mem_sharing.c
@@ -1000,8 +1000,7 @@ static int share_pages(struct domain *sd, gfn_t sgfn, shr_handle_t sh,
mem_sharing_page_unlock(firstpg);
/* Free the client page */
- if(test_and_clear_bit(_PGC_allocated, &cpage->count_info))
- put_page(cpage);
+ clear_assignment_reference(cpage);
put_page(cpage);
/* We managed to free a domain page. */
@@ -1082,8 +1081,7 @@ int mem_sharing_add_to_physmap(struct domain *sd, unsigned long sgfn, shr_handle
ret = -EOVERFLOW;
goto err_unlock;
}
- if ( test_and_clear_bit(_PGC_allocated, &cpage->count_info) )
- put_page(cpage);
+ clear_assignment_reference(cpage);
put_page(cpage);
}
}
@@ -1177,8 +1175,7 @@ int __mem_sharing_unshare_page(struct domain *d,
domain_crash(d);
return -EOVERFLOW;
}
- if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
+ clear_assignment_reference(page);
put_page(page);
}
put_gfn(d, gfn);
diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
index 4313863066..2e22764950 100644
--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -274,9 +274,7 @@ p2m_pod_set_cache_target(struct p2m_domain *p2m, unsigned long pod_target, int p
if ( test_and_clear_bit(_PGT_pinned, &(page+i)->u.inuse.type_info) )
put_page_and_type(page + i);
- if ( test_and_clear_bit(_PGC_allocated, &(page+i)->count_info) )
- put_page(page + i);
-
+ clear_assignment_reference(page + i);
put_page(page + i);
if ( preemptible && pod_target != p2m->pod.count &&
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 4c9954867c..ce6859d51b 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -1609,8 +1609,7 @@ int p2m_mem_paging_evict(struct domain *d, unsigned long gfn_l)
goto out_put;
/* Decrement guest domain's ref count of the page */
- if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
+ clear_assignment_reference(page);
/* Remove mapping from p2m table */
ret = p2m_set_entry(p2m, gfn, INVALID_MFN, PAGE_ORDER_4K,
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index e6a0f30a4b..5ae85e3dad 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -1707,8 +1707,7 @@ gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt)
}
BUG_ON(page_get_owner(pg) != d);
- if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
- put_page(pg);
+ clear_assignment_reference(pg);
if ( pg->count_info & ~PGC_xen_heap )
{
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 03db7bfa9e..ab19a4ca86 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -388,9 +388,8 @@ int guest_remove_page(struct domain *d, unsigned long gmfn)
* For this purpose (and to match populate_physmap() behavior), the page
* is kept allocated.
*/
- if ( !rc && !is_domain_direct_mapped(d) &&
- test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
+ if ( !rc && !is_domain_direct_mapped(d) )
+ clear_assignment_reference(page);
put_page(page);
diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
index 8a72e382e6..262d537074 100644
--- a/xen/common/xenoprof.c
+++ b/xen/common/xenoprof.c
@@ -173,8 +173,7 @@ unshare_xenoprof_page_with_guest(struct xenoprof *x)
struct page_info *page = mfn_to_page(mfn_add(mfn, i));
BUG_ON(page_get_owner(page) != current->domain);
- if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
- put_page(page);
+ clear_assignment_reference(page);
}
}
diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h
index a57974ae51..1c36c74b8c 100644
--- a/xen/include/xen/mm.h
+++ b/xen/include/xen/mm.h
@@ -658,4 +658,15 @@ static inline void share_xen_page_with_privileged_guests(
share_xen_page_with_guest(page, dom_xen, flags);
}
+static inline void clear_assignment_reference(struct page_info *page)
+{
+ /*
+ * It is unsafe to clear _PGC_allocated without holding an additional
+ * reference.
+ */
+ ASSERT((page->count_info & PGC_count_mask) > 1);
+ if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
+ put_page(page);
+}
+
#endif /* __XEN_MM_H__ */
--
2.20.1.2.gb21ebb671
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-develOn 10.07.2019 18:17, Paul Durrant wrote:
> @@ -418,13 +417,7 @@ static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
> unmap_domain_page_global(iorp->va);
> iorp->va = NULL;
>
> - /*
> - * Check whether we need to clear the allocation reference before
> - * dropping the explicit references taken by get_page_and_type().
> - */
> - if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
> - put_page(page);
> -
> + clear_assignment_reference(page);
> put_page_and_type(page);
> }
Is there a specific reason you drop the comment? It doesn't become
less relevant than when it was added, does it?
> --- a/xen/include/xen/mm.h
> +++ b/xen/include/xen/mm.h
> @@ -658,4 +658,15 @@ static inline void share_xen_page_with_privileged_guests(
> share_xen_page_with_guest(page, dom_xen, flags);
> }
>
> +static inline void clear_assignment_reference(struct page_info *page)
I think the function should have 'page' in it's name. Perhaps
page_deassign() / page_dealloc() are also misleading, but how
about page_put_alloc() or page_put_alloc_ref()?
> +{
> + /*
> + * It is unsafe to clear _PGC_allocated without holding an additional
> + * reference.
> + */
> + ASSERT((page->count_info & PGC_count_mask) > 1);
While this isn't really in line with our goal of wanting to limit
damage also in release builds, I agree that there's no really good
alternative here. Crashing the owner of the page wouldn't help
much, and bailing from the function wouldn't necessarily be better
either. Hence I think this would better be BUG_ON().
> + if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
> + put_page(page);
> +}
On the whole I have to admit I'm not entirely convinced the "open-
coding" as you call it (to me it's not really open-coding as long as
there is no helper) is such a bad thing here: Without the helper it
is slightly more obvious at the use sites what's actually going on.
But maybe that's indeed just me.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
> -----Original Message-----
> From: Jan Beulich <JBeulich@suse.com>
> Sent: 10 July 2019 23:53
> To: Paul Durrant <Paul.Durrant@citrix.com>
> Cc: xen-devel@lists.xenproject.org; Julien Grall <julien.grall@arm.com>; Andrew Cooper
> <Andrew.Cooper3@citrix.com>; Roger Pau Monne <roger.pau@citrix.com>; Volodymyr Babchuk
> <Volodymyr_Babchuk@epam.com>; George Dunlap <George.Dunlap@citrix.com>; Ian Jackson
> <Ian.Jackson@citrix.com>; Stefano Stabellini <sstabellini@kernel.org>; Konrad Rzeszutek Wilk
> <konrad.wilk@oracle.com>; Tamas K Lengyel <tamas@tklengyel.com>; Tim (Xen.org) <tim@xen.org>; Wei Liu
> <wl@xen.org>
> Subject: Re: [Xen-devel] [PATCH] xen/mm.h: add helper function to test-and-clear _PGC_allocated
>
> On 10.07.2019 18:17, Paul Durrant wrote:
> > @@ -418,13 +417,7 @@ static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
> > unmap_domain_page_global(iorp->va);
> > iorp->va = NULL;
> >
> > - /*
> > - * Check whether we need to clear the allocation reference before
> > - * dropping the explicit references taken by get_page_and_type().
> > - */
> > - if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
> > - put_page(page);
> > -
> > + clear_assignment_reference(page);
> > put_page_and_type(page);
> > }
>
> Is there a specific reason you drop the comment? It doesn't become
> less relevant than when it was added, does it?
Not sure, since what's actually going on is now internal to the function. If I change the function name to clear_allocation_reference() then I think the comment probably becomes extraneous.
>
> > --- a/xen/include/xen/mm.h
> > +++ b/xen/include/xen/mm.h
> > @@ -658,4 +658,15 @@ static inline void share_xen_page_with_privileged_guests(
> > share_xen_page_with_guest(page, dom_xen, flags);
> > }
> >
> > +static inline void clear_assignment_reference(struct page_info *page)
>
> I think the function should have 'page' in it's name. Perhaps
> page_deassign() / page_dealloc() are also misleading, but how
> about page_put_alloc() or page_put_alloc_ref()?
>
Ok, I think page_put_alloc_ref() is most descriptive (particularly w.r.t. the above discussion).
> > +{
> > + /*
> > + * It is unsafe to clear _PGC_allocated without holding an additional
> > + * reference.
> > + */
> > + ASSERT((page->count_info & PGC_count_mask) > 1);
>
> While this isn't really in line with our goal of wanting to limit
> damage also in release builds, I agree that there's no really good
> alternative here. Crashing the owner of the page wouldn't help
> much, and bailing from the function wouldn't necessarily be better
> either. Hence I think this would better be BUG_ON().
Ok.
>
> > + if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
> > + put_page(page);
> > +}
>
> On the whole I have to admit I'm not entirely convinced the "open-
> coding" as you call it (to me it's not really open-coding as long as
> there is no helper) is such a bad thing here: Without the helper it
> is slightly more obvious at the use sites what's actually going on.
> But maybe that's indeed just me.
I still think a helper is better, but I'll add a comment to describe what it is doing.
Paul
>
> Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
On 15.07.2019 10:45, Paul Durrant wrote: >> From: Jan Beulich <JBeulich@suse.com> >> Sent: 10 July 2019 23:53 >> >> On 10.07.2019 18:17, Paul Durrant wrote: >>> @@ -418,13 +417,7 @@ static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf) >>> unmap_domain_page_global(iorp->va); >>> iorp->va = NULL; >>> >>> - /* >>> - * Check whether we need to clear the allocation reference before >>> - * dropping the explicit references taken by get_page_and_type(). >>> - */ >>> - if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) >>> - put_page(page); >>> - >>> + clear_assignment_reference(page); >>> put_page_and_type(page); >>> } >> >> Is there a specific reason you drop the comment? It doesn't become >> less relevant than when it was added, does it? > > Not sure, since what's actually going on is now internal to the function. > If I change the function name to clear_allocation_reference() then I > think the comment probably becomes extraneous. Well, the perspective I'm taking is that the ordering constraint wrt put_page_and_type() doesn't go away and is a relevant part of what the comment talks about. Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
> -----Original Message----- > From: Jan Beulich <JBeulich@suse.com> > Sent: 15 July 2019 10:18 > To: Paul Durrant <Paul.Durrant@citrix.com> > Cc: JulienGrall <julien.grall@arm.com>; Andrew Cooper <Andrew.Cooper3@citrix.com>; George Dunlap > <George.Dunlap@citrix.com>; Ian Jackson <Ian.Jackson@citrix.com>; Roger Pau Monne > <roger.pau@citrix.com>; Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>; Stefano Stabellini > <sstabellini@kernel.org>; xen-devel@lists.xenproject.org; Konrad Rzeszutek Wilk > <konrad.wilk@oracle.com>; Tamas K Lengyel <tamas@tklengyel.com>; Tim (Xen.org) <tim@xen.org>; Wei Liu > <wl@xen.org> > Subject: Re: [Xen-devel] [PATCH] xen/mm.h: add helper function to test-and-clear _PGC_allocated > > On 15.07.2019 10:45, Paul Durrant wrote: > >> From: Jan Beulich <JBeulich@suse.com> > >> Sent: 10 July 2019 23:53 > >> > >> On 10.07.2019 18:17, Paul Durrant wrote: > >>> @@ -418,13 +417,7 @@ static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf) > >>> unmap_domain_page_global(iorp->va); > >>> iorp->va = NULL; > >>> > >>> - /* > >>> - * Check whether we need to clear the allocation reference before > >>> - * dropping the explicit references taken by get_page_and_type(). > >>> - */ > >>> - if ( test_and_clear_bit(_PGC_allocated, &page->count_info) ) > >>> - put_page(page); > >>> - > >>> + clear_assignment_reference(page); > >>> put_page_and_type(page); > >>> } > >> > >> Is there a specific reason you drop the comment? It doesn't become > >> less relevant than when it was added, does it? > > > > Not sure, since what's actually going on is now internal to the function. > > If I change the function name to clear_allocation_reference() then I > > think the comment probably becomes extraneous. > > Well, the perspective I'm taking is that the ordering constraint > wrt put_page_and_type() doesn't go away and is a relevant part of > what the comment talks about. Ok. Would you be happy fixing the comment to your taste on commit then, as I'm not sure exactly what you want to say? Paul > > Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
© 2016 - 2026 Red Hat, Inc.