
Re: Virtio in Xen on Arm (based on IOREQ concept)


  • To: Julien Grall <julien@xxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Wed, 22 Jul 2020 13:10:12 +0200
  • Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Andrushchenko <andr2000@xxxxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Oleksandr <olekstysh@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Artem Mygaiev <joculator@xxxxxxxxx>
  • Delivery-date: Wed, 22 Jul 2020 11:10:30 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, Jul 22, 2020 at 11:47:18AM +0100, Julien Grall wrote:
> Hi Roger,
> 
> On 22/07/2020 09:21, Roger Pau Monné wrote:
> > On Tue, Jul 21, 2020 at 10:12:40PM +0100, Julien Grall wrote:
> > > Hi Oleksandr,
> > > 
> > > On 21/07/2020 19:16, Oleksandr wrote:
> > > > 
> > > > On 21.07.20 17:27, Julien Grall wrote:
> > > > > > On a similar topic, I am a bit surprised you didn't encounter memory
> > > > > > exhaustion when trying to use virtio. Because of how Linux currently
> > > > > > works (see XSA-300), the backend domain has to have at least as much
> > > > > > RAM as the domain it serves. For instance, if you serve two
> > > > > > domains with 1GB of RAM each, then your backend would need at least
> > > > > > 2GB + some for its own purpose.
> > > > > > 
> > > > > > This probably wants to be resolved by allowing foreign mapping to be
> > > > > > "paged" out as you would for memory assigned to a userspace.
> > > > 
> > > > Didn't notice the last sentence initially. Could you please explain your
> > > > idea in detail if possible. Does it mean if implemented it would be
> > > > feasible to map all guest memory regardless of how much memory the guest
> > > > has?
> > > > 
> > > > Avoiding map/unmap memory each guest request would allow us to have
> > > > better performance (of course with taking care of the fact that guest
> > > > memory layout could be changed)...
> > > 
> > > I will explain that below. Before let me comment on KVM first.
> > > 
> > > > Actually what I understand looking at kvmtool is the fact it does not
> > > > map/unmap memory dynamically, just calculate virt addresses according to
> > > > the gfn provided.
> > > 
> > > > The memory management between KVM and Xen is quite different. In the case of
> > > > KVM, the guest RAM is effectively memory from the userspace (allocated via
> > > > mmap) and then shared with the guest.
> > > > 
> > > > From the userspace PoV, the guest memory will always be accessible from the
> > > > same virtual region. However, behind the scene, the pages may not always
> > > > reside in memory. They are basically managed the same way as "normal"
> > > > userspace memory.
> > > 
> > > > In the case of Xen, we are basically stealing a guest physical page
> > > > allocated via kmalloc() and provide no facilities for Linux to reclaim the
> > > > page if it needs to do it before the userspace decides to unmap the foreign
> > > > mapping.
> > > > 
> > > > I think it would be good to handle the foreign mapping the same way as
> > > > userspace memory. By that I mean that Linux could reclaim the physical page
> > > > used by the foreign mapping if it needs to.
> > > > 
> > > > The process for reclaiming the page would look like:
> > > >      1) Unmap the foreign page
> > > >      2) Balloon in the backend domain physical address used by the foreign
> > > > mapping (allocate the page in the physmap)
> > > > 
> > > > The next time the userspace is trying to access the foreign page, Linux will
> > > > receive a data abort that would result to:
> > > >      1) Allocate a backend domain physical page
> > > >      2) Balloon out the physical address (remove the page from the physmap)
> > > >      3) Map the foreign mapping at the new guest physical address
> > > >      4) Map the guest physical page in the userspace address space
> > 
> > This is going to shatter all the super pages in the stage-2
> > translation.
> 
> Yes, but this is nothing really new as ballooning would result to (AFAICT)
> the same behavior on Linux.
> 
> > 
> > > > With this approach, we should be able to have backend domain that can handle
> > > > frontend domain without requiring a lot of memory.
> > 
> > Linux on x86 has the option to use empty hotplug memory ranges to map
> > foreign memory: the balloon driver hotplugs an unpopulated physical
> > memory range that's not made available to the OS free memory allocator
> > and it's just used as scratch space to map foreign memory. Not sure
> > whether Arm has something similar, or if it could be implemented.
> 
> We already discussed that last year :). This was attempted in the past (I
> was still at Citrix) and indefinitely paused for Arm.
> 
> > /proc/iomem can be incomplete on Linux if we didn't load a driver for all
> > the devices. This means that Linux doesn't have the full view of what
> > physical range is freed.
> 
> Additionally, in the case of Dom0, all the regions corresponding to the host
> RAM are unusable when using the SMMU. This is because we would do 1:1
> mapping for the foreign mapping as well.

Right, that's a PITA because on x86 PVH dom0 I was planning to use
those RAM regions as scratch space for foreign mapping lacking a
better alternative ATM.

> It might be possible to take advantage of the direct mapping property if
> Linux does some bookkeeping. Although, this wouldn't work for 32-bit Dom0 using
> short page tables (e.g some version of Debian does) as it may not be able to
> access all the host RAM. Whether we still care about is a different
> situation :).
> 
> For all the other domains, I think we would want the toolstack to provide a
> region that can be safely used for foreign mapping (similar to what we
> already do for the grant-table).

Yes, that would be the plan on x86 also - have some way for the
hypervisor to report safe ranges where a domU can create foreign
mappings.

> > 
> > You can still use the map-on-fault behaviour as above, but I would
> > recommend that you try to limit the number of hypercalls issued.
> > Having to issue a single hypercall for each page fault is going to
> > be slow, so I would instead use mmap batch to map the whole range in
> > unpopulated physical memory and then the OS fault handler just needs to
> > fill the page tables with the corresponding address.
> IIUC your proposal, you are assuming that you will have enough free space in
> the physical address space to map the foreign mapping.
> 
> However that amount of free space is not unlimited and may be quite small
> (see above). It would be fairly easy to exhaust it given that a userspace
> application can map many times the same guest physical address.
> 
> So I still think we need to be able to allow Linux to swap a foreign page
> with another page.

Right, but you will have to be careful to make sure physical addresses
are not swapped while being used for IO with devices, as in that case
you won't get a recoverable fault. This is safe now because physical
mappings created by privcmd are never swapped out, but if you go the
route you propose you will have to figure a way to correctly populate
physical ranges used for IO with devices, even when the CPU hasn't
accessed them.

Relying solely on CPU page faults to populate them will not be enough,
as the CPU won't necessarily access all the pages that would be sent
to devices for IO.

Roger.



 

