From: Alejandro Vallejo <alejandro.garciavallejo@amd.com>
To: <dmkhn@proton.me>, <xen-devel@lists.xenproject.org>
Cc: <andrew.cooper3@citrix.com>, <anthony.perard@vates.tech>,
<jbeulich@suse.com>, <julien@xen.org>, <michal.orzel@amd.com>,
<roger.pau@citrix.com>, <sstabellini@kernel.org>,
<dmukhin@ford.com>
Subject: Re: [PATCH v11 1/3] xen/domain: unify domain ID allocation
Date: Tue, 29 Jul 2025 12:34:25 +0200 [thread overview]
Message-ID: <DBOGZOES2A5Q.20Y3MK677M83D@amd.com> (raw)
In-Reply-To: <20250728183427.1013975-2-dmukhin@ford.com>
On Mon Jul 28, 2025 at 8:34 PM CEST, dmkhn wrote:
> From: Denis Mukhin <dmukhin@ford.com>
>
> Currently, there are two different domain ID allocation implementations:
>
> 1) Sequential IDs allocation in dom0less Arm code based on max_init_domid;
>
> 2) Sequential IDs allocation in XEN_DOMCTL_createdomain; does not use
> max_init_domid (both Arm and x86).
>
> The domain ID allocation covers dom0 or late hwdom, predefined domains,
> post-boot domains, excluding Xen system domains (domid >=
> DOMID_FIRST_RESERVED).
>
> It makes sense to have a common helper code for such task across architectures
> (Arm and x86) and between dom0less / toolstack domU allocation.
>
> Note, fixing dependency on max_init_domid is out of scope of this patch.
I can see why. The console switch code is a bit annoying. It's unfortunate it
relies on that global for the early wraparound.
>
> Wrap the domain ID allocation as an arch-independent function domid_alloc() in
> new common/domid.c based on the bitmap.
>
> Allocation algorithm:
> - If an explicit domain ID is provided, verify its availability and use it if
> ID is not used;
> - If DOMID_INVALID is provided, search the range [1..DOMID_FIRST_RESERVED-1],
> starting from the last used ID. IDs are not wrapped around in dom0less case.
> Implementation guarantees that two consecutive calls will never return the
> same ID. ID#0 is reserved for the first boot domain (currently, dom0) and
> excluded from the allocation range.
>
> Remove is_free_domid() helper as it is not needed now.
>
> No functional change intended.
>
> Signed-off-by: Denis Mukhin <dmukhin@ford.com>
> ---
> Changes since v10:
> - fixup #ifdefs in domid_alloc()
> - corrected use of domid_free() in domain_destroy()
> - rebased
> - moved domid_{alloc,free}() to common/domid.c so the functional test could be
> added later
> ---
> xen/arch/arm/domain_build.c | 7 +-
> xen/arch/x86/setup.c | 7 +-
> xen/common/Makefile | 1 +
> xen/common/device-tree/dom0less-build.c | 15 ++--
> xen/common/domain.c | 2 +
> xen/common/domctl.c | 42 ++---------
> xen/common/domid.c | 93 +++++++++++++++++++++++++
> xen/include/xen/domain.h | 3 +
> 8 files changed, 122 insertions(+), 48 deletions(-)
> create mode 100644 xen/common/domid.c
>
> diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
> index 463ae4474d30..789f2b9d3ce7 100644
> --- a/xen/arch/arm/domain_build.c
> +++ b/xen/arch/arm/domain_build.c
> @@ -2050,6 +2050,7 @@ void __init create_dom0(void)
> .grant_opts = XEN_DOMCTL_GRANT_version(opt_gnttab_max_version),
> };
> unsigned int flags = CDF_privileged | CDF_hardware;
> + domid_t domid;
> int rc;
>
> /* The vGIC for DOM0 is exactly emulating the hardware GIC */
> @@ -2074,7 +2075,11 @@ void __init create_dom0(void)
> if ( !llc_coloring_enabled )
> flags |= CDF_directmap;
>
> - dom0 = domain_create(0, &dom0_cfg, flags);
> + domid = domid_alloc(0);
> + if ( domid == DOMID_INVALID )
> + panic("Error allocating domain ID 0\n");
> +
> + dom0 = domain_create(domid, &dom0_cfg, flags);
> if ( IS_ERR(dom0) )
> panic("Error creating domain 0 (rc = %ld)\n", PTR_ERR(dom0));
>
> diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> index 1543dd251cc6..2ff7c28c277b 100644
> --- a/xen/arch/x86/setup.c
> +++ b/xen/arch/x86/setup.c
> @@ -1047,8 +1047,11 @@ static struct domain *__init create_dom0(struct boot_info *bi)
> if ( iommu_enabled )
> dom0_cfg.flags |= XEN_DOMCTL_CDF_iommu;
>
> - /* Create initial domain. Not d0 for pvshim. */
> - bd->domid = get_initial_domain_id();
> + /* Allocate initial domain ID. Not d0 for pvshim. */
> + bd->domid = domid_alloc(get_initial_domain_id());
> + if ( bd->domid == DOMID_INVALID )
> + panic("Error allocating domain ID %d\n", get_initial_domain_id());
> +
> d = domain_create(bd->domid, &dom0_cfg,
> pv_shim ? 0 : CDF_privileged | CDF_hardware);
> if ( IS_ERR(d) )
> diff --git a/xen/common/Makefile b/xen/common/Makefile
> index c316957fcb36..0c7d0f5d46e1 100644
> --- a/xen/common/Makefile
> +++ b/xen/common/Makefile
> @@ -11,6 +11,7 @@ obj-$(filter-out $(CONFIG_X86),$(CONFIG_ACPI)) += device.o
> obj-$(CONFIG_DEVICE_TREE_PARSE) += device-tree/
> obj-$(CONFIG_IOREQ_SERVER) += dm.o
> obj-y += domain.o
> +obj-y += domid.o
> obj-y += event_2l.o
> obj-y += event_channel.o
> obj-$(CONFIG_EVTCHN_FIFO) += event_fifo.o
> diff --git a/xen/common/device-tree/dom0less-build.c b/xen/common/device-tree/dom0less-build.c
> index 6bb038111de9..1f9461d0e738 100644
> --- a/xen/common/device-tree/dom0less-build.c
> +++ b/xen/common/device-tree/dom0less-build.c
> @@ -833,21 +833,20 @@ void __init create_domUs(void)
> {
> struct kernel_info ki = KERNEL_INFO_INIT;
> int rc = parse_dom0less_node(node, &ki.bd);
> + domid_t domid;
>
> if ( rc == -ENOENT )
> continue;
> if ( rc )
> panic("Malformed DTB: Invalid domain %s\n", dt_node_name(node));
>
> - if ( (max_init_domid + 1) >= DOMID_FIRST_RESERVED )
> - panic("No more domain IDs available\n");
> + domid = domid_alloc(DOMID_INVALID);
> + if ( domid == DOMID_INVALID )
> + panic("Error allocating ID for domain %s\n", dt_node_name(node));
> + if ( max_init_domid < domid )
> + max_init_domid = domid;
nit: This is open-coding max_init_domid = max(max_init_domid, domid);
>
> - /*
> - * The variable max_init_domid is initialized with zero, so here it's
> - * very important to use the pre-increment operator to call
> - * domain_create() with a domid > 0. (domid == 0 is reserved for Dom0)
> - */
> - ki.bd.d = domain_create(++max_init_domid,
> + ki.bd.d = domain_create(domid,
> &ki.bd.create_cfg, ki.bd.create_flags);
nit: With this change, the wrapped line can be unfolded into a single one.
> if ( IS_ERR(ki.bd.d) )
> panic("Error creating domain %s (rc = %ld)\n",
> diff --git a/xen/common/domain.c b/xen/common/domain.c
> index 3c65cca5b0ff..23dbc1f46c78 100644
> --- a/xen/common/domain.c
> +++ b/xen/common/domain.c
> @@ -1466,6 +1466,8 @@ void domain_destroy(struct domain *d)
> /* Remove from the domlist/hash. */
> domlist_remove(d);
>
> + domid_free(d->domain_id);
> +
> /* Schedule RCU asynchronous completion of domain destroy. */
> call_rcu(&d->rcu, complete_domain_destroy);
> }
> diff --git a/xen/common/domctl.c b/xen/common/domctl.c
> index f2a7caaf853c..5509998aa139 100644
> --- a/xen/common/domctl.c
> +++ b/xen/common/domctl.c
> @@ -51,20 +51,6 @@ static int xenctl_bitmap_to_nodemask(nodemask_t *nodemask,
> MAX_NUMNODES);
> }
q
> -static inline int is_free_domid(domid_t dom)
> -{
> - struct domain *d;
> -
> - if ( dom >= DOMID_FIRST_RESERVED )
> - return 0;
> -
> - if ( (d = rcu_lock_domain_by_id(dom)) == NULL )
> - return 1;
> -
> - rcu_unlock_domain(d);
> - return 0;
> -}
> -
> void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info)
> {
> struct vcpu *v;
> @@ -423,36 +409,18 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
>
> case XEN_DOMCTL_createdomain:
> {
> - domid_t dom;
> - static domid_t rover = 0;
> + domid_t domid = domid_alloc(op->domain);
>
> - dom = op->domain;
> - if ( (dom > 0) && (dom < DOMID_FIRST_RESERVED) )
> + if ( domid == DOMID_INVALID )
> {
> ret = -EEXIST;
> - if ( !is_free_domid(dom) )
> - break;
> - }
> - else
> - {
> - for ( dom = rover + 1; dom != rover; dom++ )
> - {
> - if ( dom == DOMID_FIRST_RESERVED )
> - dom = 1;
> - if ( is_free_domid(dom) )
> - break;
> - }
> -
> - ret = -ENOMEM;
> - if ( dom == rover )
> - break;
> -
> - rover = dom;
> + break;
> }
>
> - d = domain_create(dom, &op->u.createdomain, false);
> + d = domain_create(domid, &op->u.createdomain, false);
> if ( IS_ERR(d) )
> {
> + domid_free(domid);
> ret = PTR_ERR(d);
> d = NULL;
> break;
> diff --git a/xen/common/domid.c b/xen/common/domid.c
> new file mode 100644
> index 000000000000..e553ab6e5468
> --- /dev/null
> +++ b/xen/common/domid.c
> @@ -0,0 +1,93 @@
> +/* SPDX-License-Identifier: GPL-2.0-only */
> +/*
> + * Domain ID allocator.
> + * Covers dom0 or late hwdom, predefined domains, post-boot domains; excludes
> + * Xen system domains (ID >= DOMID_FIRST_RESERVED).
> + *
> + * Copyright 2025 Ford Motor Company
> + */
> +
> +#include <xen/domain.h>
> +
> +static DEFINE_SPINLOCK(domid_lock);
> +static DECLARE_BITMAP(domid_bitmap, DOMID_FIRST_RESERVED);
> +
> +/*
q + * Allocate domain ID.
> + *
> + * @param[in] domid Exact domain ID within [0..DOMID_FIRST_RESERVED-1] range or
nit: [in] is inconsequential, not being a pointer.
> + * DOMID_INVALID for exhaustive search within
> + * [1..DOMID_FIRST_RESERVED-1].
> + * @return Valid domain ID in case of successful allocation,
> + * DOMID_INVALID - otherwise.
> + */
> +domid_t cf_check domid_alloc(domid_t domid)
Why cf_check? That's only needed when using indirection (i.e) function pointers
so the call works with IBT. I don't think that's needed here?
> +{
> + static domid_t domid_last;
> +
> + spin_lock(&domid_lock);
> +
> + /* Exact match. */
> + if ( domid < DOMID_FIRST_RESERVED )
> + {
> + if ( __test_and_set_bit(domid, domid_bitmap) )
> + domid = DOMID_INVALID;
> + }
> + /*
> + * Exhaustive search.
> + *
> + * Domain ID#0 is reserved for the first boot domain (e.g. control domain)
> + * and excluded from allocation.
> + *
> + * In dom0less build, domains are not dynamically destroyed, so there's no
> + * need to do a wraparound of the IDs.
> + */
> +#ifdef CONFIG_DOM0LESS_BOOT
> + else if ( domid_last + 1 >= DOMID_FIRST_RESERVED )
> + domid = DOMID_INVALID;
> +#endif
This hunk with the guards breaks dom0less-capable Xen booting a non-dom0less
system (which effectively means any defconfig arm build). dom0 boots must wrap
around, irrespective of whether that same build could boot from a DTB.
The point of not wrapping around is merely a conservative check to ensure
dom0less-build can find a free domid by bump-allocating. This is already the
case with your code, so there's no need to special-case dom0less.
Just remove it.
> + else
> + {
> + domid = find_next_zero_bit(domid_bitmap,
> + DOMID_FIRST_RESERVED,
> + domid_last + 1);
> +#ifndef CONFIG_DOM0LESS_BOOT
> + ASSERT(domid <= DOMID_FIRST_RESERVED);
> + if ( domid == DOMID_FIRST_RESERVED )
> + domid = find_next_zero_bit(domid_bitmap,
> + DOMID_FIRST_RESERVED,
> + 1);
> +#endif
Like before, this must be without the ifdef guards. Otherwise it breaks
non-dom0less runs on dom0less-enabled builds.
> +
> + if ( domid < DOMID_FIRST_RESERVED )
> + {
> + __set_bit(domid, domid_bitmap);
> + domid_last = domid;
> + }
> + else
> + domid = DOMID_INVALID;
> + }
> +
> + spin_unlock(&domid_lock);
> +
> + return domid;
> +}
> +
> +void cf_check domid_free(domid_t domid)
> +{
> + ASSERT(domid <= DOMID_FIRST_RESERVED);
> +
> + spin_lock(&domid_lock);
Might be worth asserting the bit is set. That way we'll catch XSAs in CI if
we try to incorrectly move the current calls to domid_free().
> + __clear_bit(domid, domid_bitmap);
> + spin_unlock(&domid_lock);
> +}
> +
> +/*
> + * Local variables:
> + * mode: C
> + * c-file-style: "BSD"
> + * c-basic-offset: 4
> + * tab-width: 4
> + * indent-tabs-mode: nil
> + * End:
> + */
> diff --git a/xen/include/xen/domain.h b/xen/include/xen/domain.h
> index e10baf2615fd..31946bb1b653 100644
> --- a/xen/include/xen/domain.h
> +++ b/xen/include/xen/domain.h
> @@ -38,6 +38,9 @@ void arch_get_domain_info(const struct domain *d,
>
> domid_t get_initial_domain_id(void);
>
> +domid_t cf_check domid_alloc(domid_t domid);
> +void cf_check domid_free(domid_t domid);
Neither of them should need the cf_check. Also, could you perhaps move the
explanation of how the allocation scheme works from the commit message into
the domid_alloc() prototype? That way callers can reason about the API without
git-blaming to find out.
> +
> /* CDF_* constant. Internal flags for domain creation. */
> /* Is this a privileged domain? */
> #define CDF_privileged (1U << 0)
next prev parent reply other threads:[~2025-07-29 10:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-28 18:34 [PATCH v11 0/3] xen/domain: domain ID allocation dmkhn
2025-07-28 18:34 ` [PATCH v11 1/3] xen/domain: unify " dmkhn
2025-07-29 10:34 ` Alejandro Vallejo [this message]
2025-07-29 23:53 ` dmkhn
2025-07-28 18:34 ` [PATCH v11 2/3] tools/tests: introduce unit tests for domain ID allocator dmkhn
2025-07-28 18:34 ` [PATCH v11 3/3] xen/domain: update create_dom0() messages dmkhn
2025-07-29 8:11 ` Jan Beulich
2025-07-29 23:54 ` dmkhn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DBOGZOES2A5Q.20Y3MK677M83D@amd.com \
--to=alejandro.garciavallejo@amd.com \
--cc=andrew.cooper3@citrix.com \
--cc=anthony.perard@vates.tech \
--cc=dmkhn@proton.me \
--cc=dmukhin@ford.com \
--cc=jbeulich@suse.com \
--cc=julien@xen.org \
--cc=michal.orzel@amd.com \
--cc=roger.pau@citrix.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.