common/multicall: Increase debugability for bad hypercalls

While investigating an issue (in a new codepath I'd introduced, as it turns
out), leaving interrupts disabled manifested as a subsequent op in the
multicall failing a check_lock() test.

The codepath would have hit the ASSERT_NOT_IN_ATOMIC on the return-to-guest
path, had it not hit the check_lock() first.

Call ASSERT_NOT_IN_ATOMIC() after each operation in the multicall, to make
failures more obvious.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Release-acked-by: Julien Grall <julien.grall@linaro.org>

diff --git a/xen/common/multicall.c b/xen/common/multicall.c
index c7af4e01566c8430800c1e09332710ccc1b5f3bf..5a199ebf8f85715a9776abf14501f780f93b9c8e 100644 (file)
--- a/xen/common/multicall.c
+++ b/xen/common/multicall.c
@@ -66,6 +66,13 @@ do_multicall(
 
         disp = arch_do_multicall_call(mcs);
 
+        /*
+         * In the unlikely event that a hypercall has left interrupts,
+         * spinlocks, or other things in a bad way, continuing the multicall
+         * will typically lead to far more subtle issues to debug.
+         */
+        ASSERT_NOT_IN_ATOMIC();
+
 #ifndef NDEBUG
         {
             /*