On 26.02.2025 15:28, Roger Pau Monné wrote:
> On Wed, Feb 26, 2025 at 03:08:33PM +0100, Jan Beulich wrote:
>> On 26.02.2025 14:56, Roger Pau Monné wrote:
>>> On Mon, Feb 24, 2025 at 01:27:24PM +0000, Alejandro Vallejo wrote:
>>>> --- a/xen/common/page_alloc.c
>>>> +++ b/xen/common/page_alloc.c
>>>> @@ -490,13 +490,11 @@ static long outstanding_claims; /* total outstanding
>>>> claims by all domains */
>>>>
>>>> unsigned long domain_adjust_tot_pages(struct domain *d, long pages)
>>>> {
>>>> - long dom_before, dom_after, dom_claimed, sys_before, sys_after;
>>>> -
>>>> ASSERT(rspin_is_locked(&d->page_alloc_lock));
>>>> d->tot_pages += pages;
>>>>
>>>> /*
>>>> - * can test d->claimed_pages race-free because it can only change
>>>> + * can test d->outstanding_pages race-free because it can only change
>>>> * if d->page_alloc_lock and heap_lock are both held, see also
>>>> * domain_set_outstanding_pages below
>>>> */
>>>> @@ -504,17 +502,16 @@ unsigned long domain_adjust_tot_pages(struct domain
>>>> *d, long pages)
>>>> goto out;
>>>
>>> I think you can probably short-circuit the logic below if pages == 0?
>>> (and avoid taking the heap_lock)
>>
>> Are there callers passing in 0?
>
> Not sure, but if there are no callers expected we might add an ASSERT
> to that effect then.
>
>>>> spin_lock(&heap_lock);
>>>> - /* adjust domain outstanding pages; may not go negative */
>>>> - dom_before = d->outstanding_pages;
>>>> - dom_after = dom_before - pages;
>>>> - BUG_ON(dom_before < 0);
>>>> - dom_claimed = dom_after < 0 ? 0 : dom_after;
>>>> - d->outstanding_pages = dom_claimed;
>>>> - /* flag accounting bug if system outstanding_claims would go negative
>>>> */
>>>> - sys_before = outstanding_claims;
>>>> - sys_after = sys_before - (dom_before - dom_claimed);
>>>> - BUG_ON(sys_after < 0);
>>>> - outstanding_claims = sys_after;
>>>> + BUG_ON(outstanding_claims < d->outstanding_pages);
>>>> + if ( pages > 0 && d->outstanding_pages < pages )
>>>> + {
>>>> + /* `pages` exceeds the domain's outstanding count. Zero it out. */
>>>> + outstanding_claims -= d->outstanding_pages;
>>>> + d->outstanding_pages = 0;
>>>> + } else {
>>>> + outstanding_claims -= pages;
>>>> + d->outstanding_pages -= pages;
>>>
>>> I wonder if it's intentional for a pages < 0 value to modify
>>> outstanding_claims and d->outstanding_pages, I think those values
>>> should only be set from domain_set_outstanding_pages().
>>> domain_adjust_tot_pages() should only decrease the value, but never
>>> increase either outstanding_claims or d->outstanding_pages.
>>>
>>> At best the behavior is inconsistent, because once
>>> d->outstanding_pages reaches 0 there will be no further modification
>>> from domain_adjust_tot_pages().
>>
>> Right, at that point the claim has run out. While freeing pages with an
>> active claim means that the claim gets bigger (which naturally needs
>> reflecting in the global).
>
> domain_adjust_tot_pages() is not exclusively called when freeing
> pages, see steal_page() for example.
Or also when pages were allocated. steal_page() ...
> When called from steal_page() it's wrong to increase the claim, as
> it assumes that the page removed from d->tot_pages is freed, but
> that's not the case. The domain might end up in a situation where
> the claim is bigger than the available amount of memory.
... is a case that likely wasn't considered when the feature was added.
I never really liked this; I'd be quite happy to see it ripped out, as
long as we'd be reasonably certain it isn't in active use by people.
Jan
