[PATCH] xen: Remove domain_crash_synchronous() completely

[PATCH] xen: Remove domain_crash_synchronous() completely

[Andrew Cooper]

domain_crash_synchronous() is unsafe to use in general as it may leave
spinlocks held, temporary memory allocated, etc.

With domain_crash_synchronous() removed from the ARM code in 4.11, take the
opportunity to remove the infrastructure completely by opencoding the softirq
loop in the remaining callsites, all of which are destined for deletion.

None of these sites are at risk of having a pending ioreq to qemu, which means
that the vcpu_end_shutdown_deferral() isn't necessary.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
---
CC: Jan Beulich <JBeulich@suse.com>
CC: Stefano Stabellini <sstabellini@kernel.org>
CC: Julien Grall <julien.grall@arm.com>
CC: Wei Liu <wei.liu2@citrix.com>
CC: Roger Pau Monné <roger.pau@citrix.com>

asm_domain_crash_synchronous() will be removed by my "lift exception frame
logic up into C" series, while the waitqueue callers will be removed when the
vm_event ring mapping infrastructure is complete.
---
 xen/arch/x86/traps.c    |  5 ++++-
 xen/common/domain.c     | 11 -----------
 xen/common/wait.c       | 13 ++++++++++---
 xen/include/xen/sched.h | 10 ----------
 4 files changed, 14 insertions(+), 25 deletions(-)

diff --git a/xen/arch/x86/traps.c b/xen/arch/x86/traps.c
index 789d7ff..ddff346 100644
--- a/xen/arch/x86/traps.c
+++ b/xen/arch/x86/traps.c
@@ -2215,7 +2215,10 @@ void asm_domain_crash_synchronous(unsigned long addr)
     printk("domain_crash_sync called from entry.S: fault at %p %pS\n",
            _p(addr), _p(addr));
 
-    __domain_crash_synchronous();
+    __domain_crash(current->domain);
+
+    for ( ; ; )
+        do_softirq();
 }
 
 /*
diff --git a/xen/common/domain.c b/xen/common/domain.c
index 08ca4b1..749722b 100644
--- a/xen/common/domain.c
+++ b/xen/common/domain.c
@@ -700,17 +700,6 @@ void __domain_crash(struct domain *d)
 }
 
 
-void __domain_crash_synchronous(void)
-{
-    __domain_crash(current->domain);
-
-    vcpu_end_shutdown_deferral(current);
-
-    for ( ; ; )
-        do_softirq();
-}
-
-
 int domain_shutdown(struct domain *d, u8 reason)
 {
     struct vcpu *v;
diff --git a/xen/common/wait.c b/xen/common/wait.c
index a57bc10..4f830a1 100644
--- a/xen/common/wait.c
+++ b/xen/common/wait.c
@@ -20,6 +20,7 @@
  */
 
 #include <xen/sched.h>
+#include <xen/softirq.h>
 #include <xen/wait.h>
 #include <xen/errno.h>
 
@@ -135,7 +136,10 @@ static void __prepare_to_wait(struct waitqueue_vcpu *wqv)
     if ( vcpu_set_hard_affinity(curr, cpumask_of(wqv->wakeup_cpu)) )
     {
         gdprintk(XENLOG_ERR, "Unable to set vcpu affinity\n");
-        domain_crash_synchronous();
+        domain_crash(current->domain);
+
+        for ( ; ; )
+            do_softirq();
     }
 
     /* Hand-rolled setjmp(). */
@@ -166,7 +170,10 @@ static void __prepare_to_wait(struct waitqueue_vcpu *wqv)
     if ( unlikely(wqv->esp == 0) )
     {
         gdprintk(XENLOG_ERR, "Stack too large in %s\n", __func__);
-        domain_crash_synchronous();
+        domain_crash(current->domain);
+
+        for ( ; ; )
+            do_softirq();
     }
 
     cpu_info->guest_cpu_user_regs.entry_vector = entry_vector;
@@ -196,7 +203,7 @@ void check_wakeup_from_wait(void)
         if ( vcpu_set_hard_affinity(curr, cpumask_of(wqv->wakeup_cpu)) )
         {
             gdprintk(XENLOG_ERR, "Unable to set vcpu affinity\n");
-            domain_crash_synchronous();
+            domain_crash(current->domain);
         }
         wait(); /* takes us back into the scheduler */
     }
diff --git a/xen/include/xen/sched.h b/xen/include/xen/sched.h
index 851f11e..3c35473 100644
--- a/xen/include/xen/sched.h
+++ b/xen/include/xen/sched.h
@@ -617,16 +617,6 @@ void __domain_crash(struct domain *d);
 } while (0)
 
 /*
- * Mark current domain as crashed and synchronously deschedule from the local
- * processor. This function never returns.
- */
-void noreturn __domain_crash_synchronous(void);
-#define domain_crash_synchronous() do {                                   \
-    printk("domain_crash_sync called from %s:%d\n", __FILE__, __LINE__);  \
-    __domain_crash_synchronous();                                         \
-} while (0)
-
-/*
  * Called from assembly code, with an optional address to help indicate why
  * the crash occured.  If addr is 0, look up address from last extable
  * redirection.
-- 
2.1.4


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] xen: Remove domain_crash_synchronous() completely

[Jan Beulich]

>>> On 01.08.18 at 15:29, <andrew.cooper3@citrix.com> wrote:
> domain_crash_synchronous() is unsafe to use in general as it may leave
> spinlocks held, temporary memory allocated, etc.
> 
> With domain_crash_synchronous() removed from the ARM code in 4.11, take the
> opportunity to remove the infrastructure completely by opencoding the softirq
> loop in the remaining callsites, all of which are destined for deletion.
> 
> None of these sites are at risk of having a pending ioreq to qemu, which means
> that the vcpu_end_shutdown_deferral() isn't necessary.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Jan Beulich <jbeulich@suse.com>



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] xen: Remove domain_crash_synchronous() completely

[Roger Pau Monné]

On Wed, Aug 01, 2018 at 02:29:35PM +0100, Andrew Cooper wrote:
> domain_crash_synchronous() is unsafe to use in general as it may leave
> spinlocks held, temporary memory allocated, etc.
> 
> With domain_crash_synchronous() removed from the ARM code in 4.11, take the
> opportunity to remove the infrastructure completely by opencoding the softirq
> loop in the remaining callsites, all of which are destined for deletion.
> 
> None of these sites are at risk of having a pending ioreq to qemu, which means
> that the vcpu_end_shutdown_deferral() isn't necessary.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>

Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

This however removes the printk with the file an line number from
where the domain_crash was called. I don't think it's a big issue
because each call site already has a message.

Roger.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] xen: Remove domain_crash_synchronous() completely

[Andrew Cooper]

On 01/08/18 14:50, Roger Pau Monné wrote:
> On Wed, Aug 01, 2018 at 02:29:35PM +0100, Andrew Cooper wrote:
>> domain_crash_synchronous() is unsafe to use in general as it may leave
>> spinlocks held, temporary memory allocated, etc.
>>
>> With domain_crash_synchronous() removed from the ARM code in 4.11, take the
>> opportunity to remove the infrastructure completely by opencoding the softirq
>> loop in the remaining callsites, all of which are destined for deletion.
>>
>> None of these sites are at risk of having a pending ioreq to qemu, which means
>> that the vcpu_end_shutdown_deferral() isn't necessary.
>>
>> Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
>
> This however removes the printk with the file an line number from
> where the domain_crash was called. I don't think it's a big issue
> because each call site already has a message.

Removing the line number was the basis of this work originally.  It is a
problem for livepatching, as it causes excessively large binary deltas.

A followup which I've yet to refresh from its previous posting changes
domain_crash() to take a string to force all users to provide an
intelligent error, and swaps __LINE__ for __file__

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

Re: [PATCH] xen: Remove domain_crash_synchronous() completely

[Paul Durrant]

> -----Original Message-----
> From: Xen-devel [mailto:xen-devel-bounces@lists.xenproject.org] On Behalf
> Of Roger Pau Monné
> Sent: 01 August 2018 14:50
> To: Andrew Cooper <Andrew.Cooper3@citrix.com>
> Cc: Julien Grall <julien.grall@arm.com>; Stefano Stabellini
> <sstabellini@kernel.org>; Wei Liu <wei.liu2@citrix.com>; Jan Beulich
> <JBeulich@suse.com>; Xen-devel <xen-devel@lists.xen.org>
> Subject: Re: [Xen-devel] [PATCH] xen: Remove
> domain_crash_synchronous() completely
> 
> On Wed, Aug 01, 2018 at 02:29:35PM +0100, Andrew Cooper wrote:
> > domain_crash_synchronous() is unsafe to use in general as it may leave
> > spinlocks held, temporary memory allocated, etc.
> >
> > With domain_crash_synchronous() removed from the ARM code in 4.11,
> take the
> > opportunity to remove the infrastructure completely by opencoding the
> softirq
> > loop in the remaining callsites, all of which are destined for deletion.
> >
> > None of these sites are at risk of having a pending ioreq to qemu, which
> means
> > that the vcpu_end_shutdown_deferral() isn't necessary.
> >
> > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
> 
> Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
> 
> This however removes the printk with the file an line number from
> where the domain_crash was called. I don't think it's a big issue
> because each call site already has a message.

There are many places which call domain_crash() without any other logging so such crashes will certainly get harder to diagnose.

  Paul

> 
> Roger.
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xenproject.org
> https://lists.xenproject.org/mailman/listinfo/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel