Re: [PATCH v2 02/17] mm: introduce xvmalloc() et al and use for grant table allocations

[Jan Beulich <jbeulich@xxxxxxxx>]

On 25.11.2020 20:48, Stefano Stabellini wrote:
> On Wed, 25 Nov 2020, Jan Beulich wrote:
>> On 25.11.2020 13:15, Julien Grall wrote:
>>> On 23/11/2020 14:23, Jan Beulich wrote:
>>>> All of the array allocations in grant_table_init() can exceed a page's
>>>> worth of memory, which xmalloc()-based interfaces aren't really suitable
>>>> for after boot. We also don't need any of these allocations to be
>>>> physically contiguous.. Introduce interfaces dynamically switching
>>>> between xmalloc() et al and vmalloc() et al, based on requested size,
>>>> and use them instead.
>>>>
>>>> All the wrappers in the new header get cloned mostly verbatim from
>>>> xmalloc.h, with the sole adjustment to switch unsigned long to size_t
>>>> for sizes and to unsigned int for alignments.
>>>>
>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>> ---
>>>> v2: Actually edit a copy-and-pasted comment in xvmalloc.h which was
>>>>      meant to be edited from the beginning.
>>>> ---
>>>> I'm unconvinced of the mentioning of "physically contiguous" in the
>>>> comment at the top of the new header: I don't think xmalloc() provides
>>>> such a guarantee. Any use assuming so would look (latently) broken to
>>>> me.
>>>
>>> I haven't had the chance to reply to the first version about this. So I 
>>> will reply here to avoid confusion.
>>>
>>> I can at least spot one user in Arm that would use xmalloc() that way 
>>> (see the allocation of itt_addr in arch/arm/gic-v3-its.c).
>>
>> And I surely wouldn't have spotted this, even if I had tried
>> to find "offenders", i.e. as said before not wanting to alter
>> the behavior of existing code (beyond the explicit changes
>> done here) was ...
>>
>>> AFAIK, the memory is for the sole purpose of the ITS and should not be 
>>> accessed by Xen. So I think we can replace by a new version of 
>>> alloc_domheap_pages().
>>>
>>> However, I still question the usefulness of introducing yet another way 
>>> to allocate memory (we already have alloc_xenheap_pages(), xmalloc(), 
>>> alloc_domheap_pages(), vmap()) if you think users cannot rely on 
>>> xmalloc() to allocate memory physically contiguous.
>>
>> ... the reason to introduce a separate new interface. Plus of
>> course this parallels what Linux has.
>>
>>> It definitely makes more difficult to figure out when to use xmalloc() 
>>> vs xvalloc().
>>
>> I don't see the difficulty:
>> - if you need physically contiguous memory, use alloc_xen*_pages(),
>> - if you know the allocation size is always no more than a page,
>>   use xmalloc(),
> 
> What if you need memory physically contiguous but not necessarily an
> order of pages, such as for instance 5200 bytes?

This case is, I think, rare enough (in particular in Xen) that the
waste of space can be tolerated imo.

> If xmalloc can't do physically contiguous allocations, we need something
> else that does physically contiguous allocations not only at page
> granularity, right?

Well, we first need to settle on what guarantees xmalloc() is meant
to provide. It may be just me assuming it doesn't provide the same
ones which Linux'es kmalloc() makes. I'm first and foremost
judging by the comment near the top of xmalloc.h, which compares
with malloc() / free(), not kmalloc() / kfree().

> The other issue is semantics. If xmalloc is unable to allocate more than
> a page of contiguous memory, then it is identical to vmalloc from the
> caller's point of view: both xmalloc and vmalloc return a virtual
> address for an allocation that might not be physically contiguous.

Almost. vmalloc() puts guard pages around the allocation and
guarantees page alignment.

> Maybe we should get rid of xmalloc entirely and improve the
> implementation of vmalloc so that it falls back to xmalloc for
> sub-page allocations. Which in fact is almost the same thing that you
> did.

This would break callers assuming page alignment (and - shouldn't
be an issue in practice - granularity). If anything, as Julien
did suggest, we could modify xmalloc() accordingly, but then of
course making sure we also honor alignment requests beyond page
size.

Neither of these is the goal here, hence this "intermediate"
implementation, which is only almost "redundant".

>> - if you know the allocation size is always more than a page, use
>>   vmalloc(),
>> - otherwise use xvmalloc(). Exceptions may of course apply, i.e.
>> this is just a rule of thumb.
>>
>>> I would like to hear an opinion from the other maintainers.
>>
>> Let's hope at least one will voice theirs.
> 
> If we take a step back, I think we only really need two memory
> allocators:
> 
> 1) one that allocates physically contiguous memory
> 2) one that allocates non-physically contiguous memory
> 
> That's it, right?
> 
> In addition to that, I understand it could be convient to have a little
> wrapper that automatically chooses between 1) and 2) depending on
> circumstances.
> 
> But if the circumstance is just size < PAGE_SIZE then I don't think we
> need any convenience wrappers: we should just be able to call 2), which
> is vmalloc, once we improve the vmalloc implementation.
> 
> Or do you see any reasons to keep the current vmalloc implementation as
> is for sub-page allocations?

See my "Almost. ..." above.

As an aside, I also find it quite puzzling that in one of the rare
cases where I propose to clone an interface from Linux without much
deviation from their model, I get objections. It typically was the
other way around in the past ...

Jan