From: dmkhn@proton.me
To: "Roger Pau Monné" <roger.pau@citrix.com>
Cc: xen-devel@lists.xenproject.org, alejandro.garciavallejo@amd.com,
	andrew.cooper3@citrix.com, anthony.perard@vates.tech,
	jbeulich@suse.com, julien@xen.org, michal.orzel@amd.com,
	sstabellini@kernel.org, dmukhin@ford.com
Subject: Re: [PATCH v13 1/3] xen/domain: unify domain ID allocation
Date: Thu, 07 Aug 2025 01:16:45 +0000
Message-ID: <aJP+d6FxbFsk63ws@kraken>
In-Reply-To: <aJIJXX4yO0zC8898@macbook.local>

On Tue, Aug 05, 2025 at 03:38:37PM +0200, Roger Pau Monné wrote:
> On Wed, Jul 30, 2025 at 05:40:54PM +0000, dmkhn@proton.me wrote:
> > From: Denis Mukhin <dmukhin@ford.com>
> >
> > Currently, there are two different domain ID allocation implementations:
> >
> >   1) Sequential ID allocation in dom0less Arm code based on max_init_domid;
> >
> >   2) Sequential ID allocation in XEN_DOMCTL_createdomain; does not use
> >      max_init_domid (both Arm and x86).
> >
> > The domain ID allocation covers dom0 or late hwdom, predefined domains,
> > post-boot domains, excluding Xen system domains (domid >=
> > DOMID_FIRST_RESERVED).
> >
> > It makes sense to have common helper code for such a task across architectures
> > (Arm and x86) and between dom0less / toolstack domU allocation.
> >
> > Note, fixing dependency on max_init_domid is out of scope of this patch.
> >
> > Wrap the domain ID allocation as an arch-independent function domid_alloc() in
> > new common/domid.c based on the bitmap.
> >
> > Allocation algorithm:
> > - If an explicit domain ID is provided, verify its availability and use it if
> >   ID is not used;
> > - If DOMID_INVALID is provided, search the range [1..DOMID_FIRST_RESERVED-1],
> >   starting from the last used ID.
> >   Implementation guarantees that two consecutive calls will never return the
> >   same ID. ID#0 is reserved for the first boot domain (currently, dom0) and
> >   excluded from the allocation range.
> >
> > Remove is_free_domid() helper as it is not needed now.
> >
> > No functional change intended.
> >
> > Signed-off-by: Denis Mukhin <dmukhin@ford.com>
> > Reviewed-by: Alejandro Vallejo <alejandro.garciavallejo@amd.com>
> > ---
> > Changes since v12:
> > - updated comment for domid_alloc() and commit message
> > - added Alejandro's R-b
> > ---
> >  xen/arch/arm/domain_build.c             |  7 +-
> >  xen/arch/x86/setup.c                    |  7 +-
> >  xen/common/Makefile                     |  1 +
> >  xen/common/device-tree/dom0less-build.c | 15 ++--
> >  xen/common/domain.c                     |  2 +
> >  xen/common/domctl.c                     | 42 ++---------
> >  xen/common/domid.c                      | 94 +++++++++++++++++++++++++
> >  xen/include/xen/domain.h                |  3 +
> >  8 files changed, 124 insertions(+), 47 deletions(-)
> >  create mode 100644 xen/common/domid.c
> >
> > diff --git a/xen/arch/arm/domain_build.c b/xen/arch/arm/domain_build.c
> > index 463ae4474d30..789f2b9d3ce7 100644
> > --- a/xen/arch/arm/domain_build.c
> > +++ b/xen/arch/arm/domain_build.c
> > @@ -2050,6 +2050,7 @@ void __init create_dom0(void)
> >          .grant_opts = XEN_DOMCTL_GRANT_version(opt_gnttab_max_version),
> >      };
> >      unsigned int flags = CDF_privileged | CDF_hardware;
> > +    domid_t domid;
> >      int rc;
> >
> >      /* The vGIC for DOM0 is exactly emulating the hardware GIC */
> > @@ -2074,7 +2075,11 @@ void __init create_dom0(void)
> >      if ( !llc_coloring_enabled )
> >          flags |= CDF_directmap;
> >
> > -    dom0 = domain_create(0, &dom0_cfg, flags);
> > +    domid = domid_alloc(0);
> > +    if ( domid == DOMID_INVALID )
> > +        panic("Error allocating domain ID 0\n");
> > +
> > +    dom0 = domain_create(domid, &dom0_cfg, flags);
> >      if ( IS_ERR(dom0) )
> >          panic("Error creating domain 0 (rc = %ld)\n", PTR_ERR(dom0));
> >
> > diff --git a/xen/arch/x86/setup.c b/xen/arch/x86/setup.c
> > index 1543dd251cc6..2ff7c28c277b 100644
> > --- a/xen/arch/x86/setup.c
> > +++ b/xen/arch/x86/setup.c
> > @@ -1047,8 +1047,11 @@ static struct domain *__init create_dom0(struct boot_info *bi)
> >      if ( iommu_enabled )
> >          dom0_cfg.flags |= XEN_DOMCTL_CDF_iommu;
> >
> > -    /* Create initial domain.  Not d0 for pvshim. */
> > -    bd->domid = get_initial_domain_id();
> > +    /* Allocate initial domain ID.  Not d0 for pvshim. */
> > +    bd->domid = domid_alloc(get_initial_domain_id());
> > +    if ( bd->domid == DOMID_INVALID )
> > +        panic("Error allocating domain ID %d\n", get_initial_domain_id());
> 
> Nit: in other error messages in the same function we handle the domid
> as an unsigned integer, so %u probably wants using here.  Unless you
> have an explicit intention to print IDs >= DOMID_FIRST_RESERVED as
> negative integers?

No negative integers, that should be %u
Thanks!

> 
> > +
> >      d = domain_create(bd->domid, &dom0_cfg,
> >                        pv_shim ? 0 : CDF_privileged | CDF_hardware);
> >      if ( IS_ERR(d) )
> > diff --git a/xen/common/Makefile b/xen/common/Makefile
> > index c316957fcb36..0c7d0f5d46e1 100644
> > --- a/xen/common/Makefile
> > +++ b/xen/common/Makefile
> > @@ -11,6 +11,7 @@ obj-$(filter-out $(CONFIG_X86),$(CONFIG_ACPI)) += device.o
> >  obj-$(CONFIG_DEVICE_TREE_PARSE) += device-tree/
> >  obj-$(CONFIG_IOREQ_SERVER) += dm.o
> >  obj-y += domain.o
> > +obj-y += domid.o
> >  obj-y += event_2l.o
> >  obj-y += event_channel.o
> >  obj-$(CONFIG_EVTCHN_FIFO) += event_fifo.o
> > diff --git a/xen/common/device-tree/dom0less-build.c b/xen/common/device-tree/dom0less-build.c
> > index 6bb038111de9..f4b6b515d2d2 100644
> > --- a/xen/common/device-tree/dom0less-build.c
> > +++ b/xen/common/device-tree/dom0less-build.c
> > @@ -833,6 +833,7 @@ void __init create_domUs(void)
> >      {
> >          struct kernel_info ki = KERNEL_INFO_INIT;
> >          int rc = parse_dom0less_node(node, &ki.bd);
> > +        domid_t domid;
> >
> >          if ( rc == -ENOENT )
> >              continue;
> > @@ -842,13 +843,13 @@ void __init create_domUs(void)
> >          if ( (max_init_domid + 1) >= DOMID_FIRST_RESERVED )
> >              panic("No more domain IDs available\n");
> >
> > -        /*
> > -         * The variable max_init_domid is initialized with zero, so here it's
> > -         * very important to use the pre-increment operator to call
> > -         * domain_create() with a domid > 0. (domid == 0 is reserved for Dom0)
> > -         */
> > -        ki.bd.d = domain_create(++max_init_domid,
> > -                                &ki.bd.create_cfg, ki.bd.create_flags);
> > +        domid = domid_alloc(DOMID_INVALID);
> > +        if ( domid == DOMID_INVALID )
> > +            panic("Error allocating ID for domain %s\n", dt_node_name(node));
> > +
> > +        max_init_domid = max(max_init_domid, domid);
> > +
> > +        ki.bd.d = domain_create(domid, &ki.bd.create_cfg, ki.bd.create_flags);
> >          if ( IS_ERR(ki.bd.d) )
> >              panic("Error creating domain %s (rc = %ld)\n",
> >                    dt_node_name(node), PTR_ERR(ki.bd.d));
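
Review bot: the pre-check `if ( (max_init_domid + 1) >= DOMID_FIRST_RESERVED )` / `panic("No more domain IDs available\n");` kept at the top of this hunk now duplicates the exhaustion handling domid_alloc() already provides by returning DOMID_INVALID, and because max_init_domid is only raised to the allocated ID afterwards (`max_init_domid = max(max_init_domid, domid);`) the two can disagree about which IDs remain. Since the commit message defers the max_init_domid clean-up, a short comment stating that this check survives only for that dependency would stop the next reader from treating it as the real bound.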
> > diff --git a/xen/common/domain.c b/xen/common/domain.c
> > index 5241a1629eeb..12fbab01cd8e 100644
> > --- a/xen/common/domain.c
> > +++ b/xen/common/domain.c
> > @@ -1473,6 +1473,8 @@ void domain_destroy(struct domain *d)
> >      /* Remove from the domlist/hash. */
> >      domlist_remove(d);
> >
> > +    domid_free(d->domain_id);
> 
> The domlist removal above still allows current users to continue
> "operating" on the domain until the next RCU.  Should for safety the
> freeing of the domid be deferred to _domain_destroy(), which is
> executed in RCU context, and thus ensures there are no current users
> of the removed domain?
> 
> I cannot think of a specific scenario where this could be dangerous
> right now, but deferring to RCU context together with the final
> cleanup seems safer overall.

I agree, _domain_destroy() is the place for domid_free().

> 
> > +
> >      /* Schedule RCU asynchronous completion of domain destroy. */
> >      call_rcu(&d->rcu, complete_domain_destroy);
> >  }
> > diff --git a/xen/common/domctl.c b/xen/common/domctl.c
> > index f2a7caaf853c..5509998aa139 100644
> > --- a/xen/common/domctl.c
> > +++ b/xen/common/domctl.c
> > @@ -51,20 +51,6 @@ static int xenctl_bitmap_to_nodemask(nodemask_t *nodemask,
> >                                     MAX_NUMNODES);
> >  }
> >
> > -static inline int is_free_domid(domid_t dom)
> > -{
> > -    struct domain *d;
> > -
> > -    if ( dom >= DOMID_FIRST_RESERVED )
> > -        return 0;
> > -
> > -    if ( (d = rcu_lock_domain_by_id(dom)) == NULL )
> > -        return 1;
> > -
> > -    rcu_unlock_domain(d);
> > -    return 0;
> > -}
> > -
> >  void getdomaininfo(struct domain *d, struct xen_domctl_getdomaininfo *info)
> >  {
> >      struct vcpu *v;
> > @@ -423,36 +409,18 @@ long do_domctl(XEN_GUEST_HANDLE_PARAM(xen_domctl_t) u_domctl)
> >
> >      case XEN_DOMCTL_createdomain:
> >      {
> > -        domid_t        dom;
> > -        static domid_t rover = 0;
> > +        domid_t domid = domid_alloc(op->domain);
> >
> > -        dom = op->domain;
> > -        if ( (dom > 0) && (dom < DOMID_FIRST_RESERVED) )
> > +        if ( domid == DOMID_INVALID )
> 
> This is a change in behavior AFAICT, as you now allow
> XEN_DOMCTL_createdomain to possibly create a domain with domid 0 (if
> it's available).  Currently op->domain == 0 is handled as op->domain
> == DOMID_FIRST_RESERVED. You either need to adjust the code here, so
> that you do:
> 
> domid_t domid = domid_alloc(op->domain ?: DOMID_FIRST_RESERVED);
> 
> Or domid_alloc() needs to be adjusted to handle an input domid == 0 as
> it handles DOMID_FIRST_RESERVED.

Thanks!
I will adjust code in do_domctl().

> 
> >          {
> >              ret = -EEXIST;
> > -            if ( !is_free_domid(dom) )
> > -                break;
> > -        }
> > -        else
> > -        {
> > -            for ( dom = rover + 1; dom != rover; dom++ )
> > -            {
> > -                if ( dom == DOMID_FIRST_RESERVED )
> > -                    dom = 1;
> > -                if ( is_free_domid(dom) )
> > -                    break;
> > -            }
> > -
> > -            ret = -ENOMEM;
> > -            if ( dom == rover )
> > -                break;
> > -
> > -            rover = dom;
> > +            break;
> >          }
> >
> > -        d = domain_create(dom, &op->u.createdomain, false);
> > +        d = domain_create(domid, &op->u.createdomain, false);
> >          if ( IS_ERR(d) )
> >          {
> > +            domid_free(domid);
> >              ret = PTR_ERR(d);
> >              d = NULL;
> >              break;
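
Review bot: the exhaustion case changes error code in this hunk. The removed rover loop returned `ret = -ENOMEM;` when no free ID was found, whereas the new code returns `ret = -EEXIST;` for every DOMID_INVALID result, including "no free IDs", which contradicts "No functional change intended" and reports exhaustion to the toolstack as "domain already exists". Consider keeping the distinction (for example -EEXIST only when op->domain < DOMID_FIRST_RESERVED, -ENOMEM otherwise) or calling the change out in the commit message.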
> > diff --git a/xen/common/domid.c b/xen/common/domid.c
> > new file mode 100644
> > index 000000000000..e727dcaf0793
> > --- /dev/null
> > +++ b/xen/common/domid.c
> > @@ -0,0 +1,94 @@
> > +/* SPDX-License-Identifier: GPL-2.0-only */
> > +/*
> > + * Domain ID allocator.
> > + *
> > + * Covers dom0 or late hwdom, predefined domains, post-boot domains.
> > + * Excludes Xen system domains (ID >= DOMID_FIRST_RESERVED).
> > + *
> > + * Copyright 2025 Ford Motor Company
> > + */
> > +
> > +#include <xen/domain.h>
> > +
> > +static DEFINE_SPINLOCK(domid_lock);
> > +static DECLARE_BITMAP(domid_bitmap, DOMID_FIRST_RESERVED);
> > +
> > +/*
> > + * Allocate domain ID.
> > + *
> > + * @param domid Domain ID hint:
> > + * - If an explicit domain ID is provided, verify its availability and use it
> > + *   if ID is not used;
> > + * - If DOMID_INVALID is provided, search [1..DOMID_FIRST_RESERVED-1] range,
> > + *   starting from the last used ID. Implementation guarantees that two
> > + *   consecutive calls will never return the same ID. ID#0 is reserved for
> > + *   the first boot domain (currently, dom0) and excluded from the allocation
> > + *   range.
> > + * @return Valid domain ID in case of successful allocation,
> > + *         DOMID_INVALID - otherwise.
> > + */
> > +domid_t domid_alloc(domid_t domid)
> > +{
> > +    static domid_t domid_last;
> > +
> > +    spin_lock(&domid_lock);
> > +
> > +    /* Exact match. */
> > +    if ( domid < DOMID_FIRST_RESERVED )
> > +    {
> > +        if ( __test_and_set_bit(domid, domid_bitmap) )
> > +            domid = DOMID_INVALID;
> > +    }
> > +    /*
> > +     * Exhaustive search.
> > +     *
> > +     * Domain ID#0 is reserved for the first boot domain (e.g. control domain)
> > +     * and excluded from allocation.
> > +     */
> > +    else
> > +    {
> > +        domid = find_next_zero_bit(domid_bitmap,
> > +                                   DOMID_FIRST_RESERVED,
> > +                                   domid_last + 1);
> > +        if ( domid == DOMID_FIRST_RESERVED )
> 
> Nit: you could further gate this second search to domid_last != 0, as
> otherwise the first search has already scanned the whole bitmap.

Ack.

> 
> > +            domid = find_next_zero_bit(domid_bitmap,
> > +                                       DOMID_FIRST_RESERVED,
> > +                                       1);
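
Review bot: the header comment above domid_alloc() says the search path is taken when DOMID_INVALID is provided, but the test `if ( domid < DOMID_FIRST_RESERVED )` routes every value >= DOMID_FIRST_RESERVED into the search, so the comment and the code disagree; either reject other reserved values explicitly or document the looser contract, which the earlier suggestion in this thread to pass `op->domain ?: DOMID_FIRST_RESERVED` from do_domctl() depends on. The comment could also note that the explicit-ID branch (`__test_and_set_bit(domid, domid_bitmap)`) does not advance domid_last, so "starting from the last used ID" applies only to IDs handed out by the search.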
> 
> Nit: you could possibly limit this second search to (domid_last + 1)
> size, as you have already searched from [domid_last + 1,
> DOMID_FIRST_RESERVED], and the bitmap couldn't have changed as the
> lock is being held.

Ack.

> 
> Thanks, Roger.
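
A user-space model of the allocator discussed in this thread, written here as an added example (not Xen's domid.c): it keeps the exact-match and search-from-last semantics from the commit message, folds in the `domid_last != 0` gate suggested above, and shrinks DOMID_FIRST_RESERVED to a constructed value of 8 so exhaustion and wrap-around can be exercised; DOMID_INVALID keeps its Xen value.

```c
/* Model of the bitmap domain ID allocator (added example, not Xen code).
 * DOMID_FIRST_RESERVED is a constructed value of 8 (Xen uses 0x7FF0) so the
 * exhaustion and wrap-around cases are reachable with a handful of calls. */
#include <stdint.h>
#include <stdbool.h>

typedef uint16_t domid_t;
#define DOMID_FIRST_RESERVED 8       /* constructed; real Xen: 0x7FF0 */
#define DOMID_INVALID        0x7FF4  /* as in Xen's public headers */

static bool domid_bitmap[DOMID_FIRST_RESERVED];  /* stands in for the bitmap */
static domid_t domid_last;                       /* last ID found by search */

/* Lowest clear bit in [start, DOMID_FIRST_RESERVED); returns the size if none. */
static domid_t find_next_zero(domid_t start)
{
    for ( domid_t i = start; i < DOMID_FIRST_RESERVED; i++ )
        if ( !domid_bitmap[i] )
            return i;
    return DOMID_FIRST_RESERVED;
}

domid_t domid_alloc(domid_t domid)
{
    if ( domid < DOMID_FIRST_RESERVED )
    {
        /* Explicit ID: take it if free, otherwise report it as busy. */
        if ( domid_bitmap[domid] )
            return DOMID_INVALID;
        domid_bitmap[domid] = true;
        return domid;
    }
    /* Search past the last handed-out ID, then wrap to 1: ID 0 stays reserved
     * and two consecutive calls never return the same ID. */
    domid = find_next_zero(domid_last + 1);
    if ( domid == DOMID_FIRST_RESERVED && domid_last != 0 )
        domid = find_next_zero(1);
    if ( domid == DOMID_FIRST_RESERVED )
        return DOMID_INVALID;        /* every ID in [1, RESERVED) is in use */
    domid_bitmap[domid] = true;
    domid_last = domid;
    return domid;
}

void domid_free(domid_t domid)
{
    if ( domid < DOMID_FIRST_RESERVED )
        domid_bitmap[domid] = false;
}
```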
