diff mbox series

xen/mm.h: add helper function to test-and-clear _PGC_allocated

Message ID 20190710161733.39119-1-paul.durrant@citrix.com (mailing list archive)
State Superseded
Headers show
Series xen/mm.h: add helper function to test-and-clear _PGC_allocated | expand

Commit Message

Paul Durrant July 10, 2019, 4:17 p.m. UTC
The _PGC_allocated flag is set on a page when it is assigned to a domain
along with an initial reference count of 1. To clear this initial
reference count it is necessary to test-and-clear _PGC_allocated and then
only drop the reference if the test-and-clear succeeds. This is open-
coded in many places. It is also unsafe to test-and-clear _PGC_allocated
unless the caller holds an additional reference.

This patch adds a helper function, clear_assignment_reference(), to
replace all the open-coded test-and-clear/put_page occurrences and
incorporates in that an ASSERTion that an additional page reference is
held.

Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
---
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Julien Grall <julien.grall@arm.com>
Cc: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>
Cc: Ian Jackson <ian.jackson@eu.citrix.com>
Cc: Jan Beulich <jbeulich@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Tim Deegan <tim@xen.org>
Cc: Wei Liu <wl@xen.org>
Cc: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: Tamas K Lengyel <tamas@tklengyel.com>
Cc: George Dunlap <george.dunlap@eu.citrix.com>
---
 xen/arch/arm/domain.c         |  4 +---
 xen/arch/x86/domain.c         |  3 +--
 xen/arch/x86/hvm/ioreq.c      | 11 ++---------
 xen/arch/x86/mm.c             |  3 +--
 xen/arch/x86/mm/mem_sharing.c |  9 +++------
 xen/arch/x86/mm/p2m-pod.c     |  4 +---
 xen/arch/x86/mm/p2m.c         |  3 +--
 xen/common/grant_table.c      |  3 +--
 xen/common/memory.c           |  5 ++---
 xen/common/xenoprof.c         |  3 +--
 xen/include/xen/mm.h          | 11 +++++++++++
 11 files changed, 25 insertions(+), 34 deletions(-)

Comments

Jan Beulich July 10, 2019, 10:53 p.m. UTC | #1
On 10.07.2019 18:17, Paul Durrant wrote:
> @@ -418,13 +417,7 @@ static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
>       unmap_domain_page_global(iorp->va);
>       iorp->va = NULL;
>   
> -    /*
> -     * Check whether we need to clear the allocation reference before
> -     * dropping the explicit references taken by get_page_and_type().
> -     */
> -    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
> -        put_page(page);
> -
> +    clear_assignment_reference(page);
>       put_page_and_type(page);
>   }

Is there a specific reason you drop the comment? It doesn't become
less relevant than when it was added, does it?

> --- a/xen/include/xen/mm.h
> +++ b/xen/include/xen/mm.h
> @@ -658,4 +658,15 @@ static inline void share_xen_page_with_privileged_guests(
>       share_xen_page_with_guest(page, dom_xen, flags);
>   }
>   
> +static inline void clear_assignment_reference(struct page_info *page)

I think the function should have 'page' in it's name. Perhaps
page_deassign() / page_dealloc() are also misleading, but how
about page_put_alloc() or page_put_alloc_ref()?

> +{
> +    /*
> +     * It is unsafe to clear _PGC_allocated without holding an additional
> +     * reference.
> +     */
> +    ASSERT((page->count_info & PGC_count_mask) > 1);

While this isn't really in line with our goal of wanting to limit
damage also in release builds, I agree that there's no really good
alternative here. Crashing the owner of the page wouldn't help
much, and bailing from the function wouldn't necessarily be better
either. Hence I think this would better be BUG_ON().

> +    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
> +        put_page(page);
> +}

On the whole I have to admit I'm not entirely convinced the "open-
coding" as you call it (to me it's not really open-coding as long as
there is no helper) is such a bad thing here: Without the helper it
is slightly more obvious at the use sites what's actually going on.
But maybe that's indeed just me.

Jan
Paul Durrant July 15, 2019, 8:45 a.m. UTC | #2
> -----Original Message-----
> From: Jan Beulich <JBeulich@suse.com>
> Sent: 10 July 2019 23:53
> To: Paul Durrant <Paul.Durrant@citrix.com>
> Cc: xen-devel@lists.xenproject.org; Julien Grall <julien.grall@arm.com>; Andrew Cooper
> <Andrew.Cooper3@citrix.com>; Roger Pau Monne <roger.pau@citrix.com>; Volodymyr Babchuk
> <Volodymyr_Babchuk@epam.com>; George Dunlap <George.Dunlap@citrix.com>; Ian Jackson
> <Ian.Jackson@citrix.com>; Stefano Stabellini <sstabellini@kernel.org>; Konrad Rzeszutek Wilk
> <konrad.wilk@oracle.com>; Tamas K Lengyel <tamas@tklengyel.com>; Tim (Xen.org) <tim@xen.org>; Wei Liu
> <wl@xen.org>
> Subject: Re: [Xen-devel] [PATCH] xen/mm.h: add helper function to test-and-clear _PGC_allocated
> 
> On 10.07.2019 18:17, Paul Durrant wrote:
> > @@ -418,13 +417,7 @@ static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
> >       unmap_domain_page_global(iorp->va);
> >       iorp->va = NULL;
> >
> > -    /*
> > -     * Check whether we need to clear the allocation reference before
> > -     * dropping the explicit references taken by get_page_and_type().
> > -     */
> > -    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
> > -        put_page(page);
> > -
> > +    clear_assignment_reference(page);
> >       put_page_and_type(page);
> >   }
> 
> Is there a specific reason you drop the comment? It doesn't become
> less relevant than when it was added, does it?

Not sure, since what's actually going on is now internal to the function. If I change the function name to clear_allocation_reference() then I think the comment probably becomes extraneous.

> 
> > --- a/xen/include/xen/mm.h
> > +++ b/xen/include/xen/mm.h
> > @@ -658,4 +658,15 @@ static inline void share_xen_page_with_privileged_guests(
> >       share_xen_page_with_guest(page, dom_xen, flags);
> >   }
> >
> > +static inline void clear_assignment_reference(struct page_info *page)
> 
> I think the function should have 'page' in it's name. Perhaps
> page_deassign() / page_dealloc() are also misleading, but how
> about page_put_alloc() or page_put_alloc_ref()?
> 

Ok, I think page_put_alloc_ref() is most descriptive (particularly w.r.t. the above discussion).

> > +{
> > +    /*
> > +     * It is unsafe to clear _PGC_allocated without holding an additional
> > +     * reference.
> > +     */
> > +    ASSERT((page->count_info & PGC_count_mask) > 1);
> 
> While this isn't really in line with our goal of wanting to limit
> damage also in release builds, I agree that there's no really good
> alternative here. Crashing the owner of the page wouldn't help
> much, and bailing from the function wouldn't necessarily be better
> either. Hence I think this would better be BUG_ON().

Ok.

> 
> > +    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
> > +        put_page(page);
> > +}
> 
> On the whole I have to admit I'm not entirely convinced the "open-
> coding" as you call it (to me it's not really open-coding as long as
> there is no helper) is such a bad thing here: Without the helper it
> is slightly more obvious at the use sites what's actually going on.
> But maybe that's indeed just me.

I still think a helper is better, but I'll add a comment to describe what it is doing.

  Paul

> 
> Jan
Jan Beulich July 15, 2019, 9:18 a.m. UTC | #3
On 15.07.2019 10:45, Paul Durrant wrote:
>> From: Jan Beulich <JBeulich@suse.com>
>> Sent: 10 July 2019 23:53
>>
>> On 10.07.2019 18:17, Paul Durrant wrote:
>>> @@ -418,13 +417,7 @@ static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
>>>        unmap_domain_page_global(iorp->va);
>>>        iorp->va = NULL;
>>>
>>> -    /*
>>> -     * Check whether we need to clear the allocation reference before
>>> -     * dropping the explicit references taken by get_page_and_type().
>>> -     */
>>> -    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
>>> -        put_page(page);
>>> -
>>> +    clear_assignment_reference(page);
>>>        put_page_and_type(page);
>>>    }
>>
>> Is there a specific reason you drop the comment? It doesn't become
>> less relevant than when it was added, does it?
> 
> Not sure, since what's actually going on is now internal to the function.
> If I change the function name to clear_allocation_reference() then I
> think the comment probably becomes extraneous.

Well, the perspective I'm taking is that the ordering constraint
wrt put_page_and_type() doesn't go away and is a relevant part of
what the comment talks about.

Jan
Paul Durrant July 15, 2019, 9:39 a.m. UTC | #4
> -----Original Message-----
> From: Jan Beulich <JBeulich@suse.com>
> Sent: 15 July 2019 10:18
> To: Paul Durrant <Paul.Durrant@citrix.com>
> Cc: JulienGrall <julien.grall@arm.com>; Andrew Cooper <Andrew.Cooper3@citrix.com>; George Dunlap
> <George.Dunlap@citrix.com>; Ian Jackson <Ian.Jackson@citrix.com>; Roger Pau Monne
> <roger.pau@citrix.com>; Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>; Stefano Stabellini
> <sstabellini@kernel.org>; xen-devel@lists.xenproject.org; Konrad Rzeszutek Wilk
> <konrad.wilk@oracle.com>; Tamas K Lengyel <tamas@tklengyel.com>; Tim (Xen.org) <tim@xen.org>; Wei Liu
> <wl@xen.org>
> Subject: Re: [Xen-devel] [PATCH] xen/mm.h: add helper function to test-and-clear _PGC_allocated
> 
> On 15.07.2019 10:45, Paul Durrant wrote:
> >> From: Jan Beulich <JBeulich@suse.com>
> >> Sent: 10 July 2019 23:53
> >>
> >> On 10.07.2019 18:17, Paul Durrant wrote:
> >>> @@ -418,13 +417,7 @@ static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
> >>>        unmap_domain_page_global(iorp->va);
> >>>        iorp->va = NULL;
> >>>
> >>> -    /*
> >>> -     * Check whether we need to clear the allocation reference before
> >>> -     * dropping the explicit references taken by get_page_and_type().
> >>> -     */
> >>> -    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
> >>> -        put_page(page);
> >>> -
> >>> +    clear_assignment_reference(page);
> >>>        put_page_and_type(page);
> >>>    }
> >>
> >> Is there a specific reason you drop the comment? It doesn't become
> >> less relevant than when it was added, does it?
> >
> > Not sure, since what's actually going on is now internal to the function.
> > If I change the function name to clear_allocation_reference() then I
> > think the comment probably becomes extraneous.
> 
> Well, the perspective I'm taking is that the ordering constraint
> wrt put_page_and_type() doesn't go away and is a relevant part of
> what the comment talks about.

Ok. Would you be happy fixing the comment to your taste on commit then, as I'm not sure exactly what you want to say?

  Paul

> 
> Jan
diff mbox series

Patch

diff --git a/xen/arch/arm/domain.c b/xen/arch/arm/domain.c
index 4f44d5c742..78700d6f08 100644
--- a/xen/arch/arm/domain.c
+++ b/xen/arch/arm/domain.c
@@ -926,9 +926,7 @@  static int relinquish_memory(struct domain *d, struct page_list_head *list)
              */
             continue;
 
-        if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-            put_page(page);
-
+        clear_assignment_reference(page);
         put_page(page);
 
         if ( hypercall_preempt_check() )
diff --git a/xen/arch/x86/domain.c b/xen/arch/x86/domain.c
index 147f96a09e..c8c51d5f76 100644
--- a/xen/arch/x86/domain.c
+++ b/xen/arch/x86/domain.c
@@ -1939,8 +1939,7 @@  static int relinquish_memory(
             BUG();
         }
 
-        if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-            put_page(page);
+        clear_assignment_reference(page);
 
         /*
          * Forcibly invalidate top-most, still valid page tables at this point
diff --git a/xen/arch/x86/hvm/ioreq.c b/xen/arch/x86/hvm/ioreq.c
index 7a80cfb28b..129f9fddbc 100644
--- a/xen/arch/x86/hvm/ioreq.c
+++ b/xen/arch/x86/hvm/ioreq.c
@@ -398,8 +398,7 @@  static int hvm_alloc_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
     return 0;
 
  fail:
-    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-        put_page(page);
+    clear_assignment_reference(page);
     put_page_and_type(page);
 
     return -ENOMEM;
@@ -418,13 +417,7 @@  static void hvm_free_ioreq_mfn(struct hvm_ioreq_server *s, bool buf)
     unmap_domain_page_global(iorp->va);
     iorp->va = NULL;
 
-    /*
-     * Check whether we need to clear the allocation reference before
-     * dropping the explicit references taken by get_page_and_type().
-     */
-    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-        put_page(page);
-
+    clear_assignment_reference(page);
     put_page_and_type(page);
 }
 
diff --git a/xen/arch/x86/mm.c b/xen/arch/x86/mm.c
index df2c0130f1..9fe66a6d26 100644
--- a/xen/arch/x86/mm.c
+++ b/xen/arch/x86/mm.c
@@ -498,8 +498,7 @@  void share_xen_page_with_guest(struct page_info *page, struct domain *d,
 
 void free_shared_domheap_page(struct page_info *page)
 {
-    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-        put_page(page);
+    clear_assignment_reference(page);
     if ( !test_and_clear_bit(_PGC_xen_heap, &page->count_info) )
         ASSERT_UNREACHABLE();
     page->u.inuse.type_info = 0;
diff --git a/xen/arch/x86/mm/mem_sharing.c b/xen/arch/x86/mm/mem_sharing.c
index f16a3f5324..7a643aed53 100644
--- a/xen/arch/x86/mm/mem_sharing.c
+++ b/xen/arch/x86/mm/mem_sharing.c
@@ -1000,8 +1000,7 @@  static int share_pages(struct domain *sd, gfn_t sgfn, shr_handle_t sh,
     mem_sharing_page_unlock(firstpg);
 
     /* Free the client page */
-    if(test_and_clear_bit(_PGC_allocated, &cpage->count_info))
-        put_page(cpage);
+    clear_assignment_reference(cpage);
     put_page(cpage);
 
     /* We managed to free a domain page. */
@@ -1082,8 +1081,7 @@  int mem_sharing_add_to_physmap(struct domain *sd, unsigned long sgfn, shr_handle
                     ret = -EOVERFLOW;
                     goto err_unlock;
                 }
-                if ( test_and_clear_bit(_PGC_allocated, &cpage->count_info) )
-                    put_page(cpage);
+                clear_assignment_reference(cpage);
                 put_page(cpage);
             }
         }
@@ -1177,8 +1175,7 @@  int __mem_sharing_unshare_page(struct domain *d,
                 domain_crash(d);
                 return -EOVERFLOW;
             }
-            if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-                put_page(page);
+            clear_assignment_reference(page);
             put_page(page);
         }
         put_gfn(d, gfn);
diff --git a/xen/arch/x86/mm/p2m-pod.c b/xen/arch/x86/mm/p2m-pod.c
index 4313863066..2e22764950 100644
--- a/xen/arch/x86/mm/p2m-pod.c
+++ b/xen/arch/x86/mm/p2m-pod.c
@@ -274,9 +274,7 @@  p2m_pod_set_cache_target(struct p2m_domain *p2m, unsigned long pod_target, int p
             if ( test_and_clear_bit(_PGT_pinned, &(page+i)->u.inuse.type_info) )
                 put_page_and_type(page + i);
 
-            if ( test_and_clear_bit(_PGC_allocated, &(page+i)->count_info) )
-                put_page(page + i);
-
+            clear_assignment_reference(page + i);
             put_page(page + i);
 
             if ( preemptible && pod_target != p2m->pod.count &&
diff --git a/xen/arch/x86/mm/p2m.c b/xen/arch/x86/mm/p2m.c
index 4c9954867c..ce6859d51b 100644
--- a/xen/arch/x86/mm/p2m.c
+++ b/xen/arch/x86/mm/p2m.c
@@ -1609,8 +1609,7 @@  int p2m_mem_paging_evict(struct domain *d, unsigned long gfn_l)
         goto out_put;
 
     /* Decrement guest domain's ref count of the page */
-    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-        put_page(page);
+    clear_assignment_reference(page);
 
     /* Remove mapping from p2m table */
     ret = p2m_set_entry(p2m, gfn, INVALID_MFN, PAGE_ORDER_4K,
diff --git a/xen/common/grant_table.c b/xen/common/grant_table.c
index e6a0f30a4b..5ae85e3dad 100644
--- a/xen/common/grant_table.c
+++ b/xen/common/grant_table.c
@@ -1707,8 +1707,7 @@  gnttab_unpopulate_status_frames(struct domain *d, struct grant_table *gt)
         }
 
         BUG_ON(page_get_owner(pg) != d);
-        if ( test_and_clear_bit(_PGC_allocated, &pg->count_info) )
-            put_page(pg);
+        clear_assignment_reference(pg);
 
         if ( pg->count_info & ~PGC_xen_heap )
         {
diff --git a/xen/common/memory.c b/xen/common/memory.c
index 03db7bfa9e..ab19a4ca86 100644
--- a/xen/common/memory.c
+++ b/xen/common/memory.c
@@ -388,9 +388,8 @@  int guest_remove_page(struct domain *d, unsigned long gmfn)
      * For this purpose (and to match populate_physmap() behavior), the page
      * is kept allocated.
      */
-    if ( !rc && !is_domain_direct_mapped(d) &&
-         test_and_clear_bit(_PGC_allocated, &page->count_info) )
-        put_page(page);
+    if ( !rc && !is_domain_direct_mapped(d) )
+        clear_assignment_reference(page);
 
     put_page(page);
 
diff --git a/xen/common/xenoprof.c b/xen/common/xenoprof.c
index 8a72e382e6..262d537074 100644
--- a/xen/common/xenoprof.c
+++ b/xen/common/xenoprof.c
@@ -173,8 +173,7 @@  unshare_xenoprof_page_with_guest(struct xenoprof *x)
         struct page_info *page = mfn_to_page(mfn_add(mfn, i));
 
         BUG_ON(page_get_owner(page) != current->domain);
-        if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
-            put_page(page);
+        clear_assignment_reference(page);
     }
 }
 
diff --git a/xen/include/xen/mm.h b/xen/include/xen/mm.h
index a57974ae51..1c36c74b8c 100644
--- a/xen/include/xen/mm.h
+++ b/xen/include/xen/mm.h
@@ -658,4 +658,15 @@  static inline void share_xen_page_with_privileged_guests(
     share_xen_page_with_guest(page, dom_xen, flags);
 }
 
+static inline void clear_assignment_reference(struct page_info *page)
+{
+    /*
+     * It is unsafe to clear _PGC_allocated without holding an additional
+     * reference.
+     */
+    ASSERT((page->count_info & PGC_count_mask) > 1);
+    if ( test_and_clear_bit(_PGC_allocated, &page->count_info) )
+        put_page(page);
+}
+
 #endif /* __XEN_MM_H__ */