On Tue, Jul 28, 2020 at 06:06:25PM +0100, Andrew Cooper wrote: > On 28/07/2020 17:59, Roger Pau Monné wrote: > > On Tue, Jul 28, 2020 at 05:48:23PM +0100, Julien Grall wrote: > >> Hi, > >> > >> On 27/07/2020 10:13, Roger Pau Monne wrote: > >>> To be used in order to create foreign mappings. This is based on the > >>> ZONE_DEVICE facility which is used by persistent memory devices in > >>> order to create struct pages and kernel virtual mappings for the IOMEM > >>> areas of such devices. Note that on kernels without support for > >>> ZONE_DEVICE Xen will fallback to use ballooned pages in order to > >>> create foreign mappings. > >>> > >>> The newly added helpers use the same parameters as the existing > >>> {alloc/free}_xenballooned_pages functions, which allows for in-place > >>> replacement of the callers. Once a memory region has been added to be > >>> used as scratch mapping space it will no longer be released, and pages > >>> returned are kept in a linked list. This allows to have a buffer of > >>> pages and prevents resorting to frequent additions and removals of > >>> regions. > >>> > >>> If enabled (because ZONE_DEVICE is supported) the usage of the new > >>> functionality untangles Xen balloon and RAM hotplug from the usage of > >>> unpopulated physical memory ranges to map foreign pages, which is the > >>> correct thing to do in order to avoid mappings of foreign pages depend > >>> on memory hotplug. > >> I think this is going to break Dom0 on Arm if the kernel has been built with > >> hotplug. This is because you may end up to re-use region that will be used > >> for the 1:1 mapping of a foreign map. > >> > >> Note that I don't know whether hotplug has been tested on Xen on Arm yet. So > >> it might be possible to be already broken. > >> > >> Meanwhile, my suggestion would be to make the use of hotplug in the balloon > >> code conditional (maybe using CONFIG_ARM64 and CONFIG_ARM)? > > Right, this feature (allocation of unpopulated memory separated from > > the balloon driver) is currently gated on CONFIG_ZONE_DEVICE, which I > > think could be used on Arm. > > > > IMO the right solution seems to be to subtract the physical memory > > regions that can be used for the identity mappings of foreign pages > > (all RAM on the system AFAICT) from iomem_resource, as that would make > > this and the memory hotplug done in the balloon driver safe? > > The right solution is a mechanism for translated guests to query Xen to > find regions of guest physical address space which are unused, and can > be safely be used for foreign/grant/other mappings. > > Please don't waste any more time applying more duct tape to a broken > system, and instead spend the time organising some proper foundations. The piece added here (using ZONE_DEVICE) will be relevant when Xen can provide the space to map foreign pages, it's just that right now it relies on iomem_resource instead of a Xen specific resource map that should be provided by the hypervisor. It should indeed be fixed, but right now this patch should allow a PVH dom0 to work slightly better. When Xen provides such areas Linux just needs to populate a custom Xen resource with them and use it instead of iomem_resurce. The Arm stuff I'm certainly not familiar with, and can't provide much insight on that. If it's best to just disable it and continue to rely on ballooned out pages that's fine. Roger.