On 28/07/2020 17:59, Roger Pau Monné wrote: > On Tue, Jul 28, 2020 at 05:48:23PM +0100, Julien Grall wrote: >> Hi, >> >> On 27/07/2020 10:13, Roger Pau Monne wrote: >>> To be used in order to create foreign mappings. This is based on the >>> ZONE_DEVICE facility which is used by persistent memory devices in >>> order to create struct pages and kernel virtual mappings for the IOMEM >>> areas of such devices. Note that on kernels without support for >>> ZONE_DEVICE Xen will fallback to use ballooned pages in order to >>> create foreign mappings. >>> >>> The newly added helpers use the same parameters as the existing >>> {alloc/free}_xenballooned_pages functions, which allows for in-place >>> replacement of the callers. Once a memory region has been added to be >>> used as scratch mapping space it will no longer be released, and pages >>> returned are kept in a linked list. This allows to have a buffer of >>> pages and prevents resorting to frequent additions and removals of >>> regions. >>> >>> If enabled (because ZONE_DEVICE is supported) the usage of the new >>> functionality untangles Xen balloon and RAM hotplug from the usage of >>> unpopulated physical memory ranges to map foreign pages, which is the >>> correct thing to do in order to avoid mappings of foreign pages depend >>> on memory hotplug. >> I think this is going to break Dom0 on Arm if the kernel has been built with >> hotplug. This is because you may end up to re-use region that will be used >> for the 1:1 mapping of a foreign map. >> >> Note that I don't know whether hotplug has been tested on Xen on Arm yet. So >> it might be possible to be already broken. >> >> Meanwhile, my suggestion would be to make the use of hotplug in the balloon >> code conditional (maybe using CONFIG_ARM64 and CONFIG_ARM)? > Right, this feature (allocation of unpopulated memory separated from > the balloon driver) is currently gated on CONFIG_ZONE_DEVICE, which I > think could be used on Arm. > > IMO the right solution seems to be to subtract the physical memory > regions that can be used for the identity mappings of foreign pages > (all RAM on the system AFAICT) from iomem_resource, as that would make > this and the memory hotplug done in the balloon driver safe? The right solution is a mechanism for translated guests to query Xen to find regions of guest physical address space which are unused, and can be safely be used for foreign/grant/other mappings. Please don't waste any more time applying more duct tape to a broken system, and instead spend the time organising some proper foundations. ~Andrew