On Tue, Feb 03, 2026 at 04:00:09PM +0100, Jan Beulich wrote:
> On 30.01.2026 15:57, Roger Pau Monne wrote:
> > @@ -1117,6 +1130,14 @@ static struct page_info *alloc_heap_pages(
> > scrub_one_page(&pg[i], cold);
> >
> > dirty_cnt++;
> > +
> > + /*
> > + * Use SYS_STATE_smp_boot explicitly; ahead of that state
> > + * interrupts are disabled.
> > + */
> > + if ( system_state == SYS_STATE_smp_boot &&
> > + !(dirty_cnt & 0xff) )
> > + process_pending_softirqs();
> > }
> > else
> > check_one_page(&pg[i]);
>
> Coming back to this, I see two possible issues. One is that on x86 enabling
> of IRQs happens a bit earlier than setting of SYS_STATE_smp_boot. Maybe this
> isn't really a problem right now, but it could become one if the "wrong"
> thing is inserted into that window in __start_xen().
Even if IRQs are enabled a bit earlier, the watchdog is only setup
after SYS_STATE_smp_boot state is set.
> The other is that only x86 actually ever sets that state.
TBH we have never seen the watchdog triggering during initial domain
creation, so the workaround added here was out of caution. There's a
certain amount of contention required for the watchdog to trigger, and
that scenario doesn't happen during boot, as domain creation is
serialized.
I could maybe gate the softirq processing as:
if ( system_state < SYS_STATE_active && local_irq_enabled() &&
!(dirty_cnt & 0xff) )
process_pending_softirqs();
Or completely avoid softirq processing in alloc_heap_pages().
Thanks, Roger.
