[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [RFC PATCH] xen/memory: Introduce a hypercall to provide unallocated space
On 28/07/2021 17:18, Oleksandr Tyshchenko wrote: > From: Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx> > > Add XENMEM_get_unallocated_space hypercall which purpose is to > query hypervisor to find regions of guest physical address space > which are unused and can be used to create grant/foreign mappings > instead of wasting real pages from the domain memory for > establishing these mappings. The problem with the current Linux > on Xen on Arm behaviour is if we want to map some guest memory > regions in advance or to perform cache mappings in the backend > we might run out of memory in the host (see XSA-300). > This of course, depends on the both host and guest memory sizes. > > The "unallocated space" can't be figured out precisely by > the domain on Arm without hypervisor involvement: > - not all device I/O regions are known by the time domain starts > creating grant/foreign mappings > - the Dom0 is not aware of memory regions used for the identity > mappings needed for the PV drivers to work > In both cases we might end up re-using these regions by > a mistake. So, the hypervisor which maintains the P2M for the domain > is in the best position to provide "unallocated space". I'm afraid this does not improve the situation. If a guest follows the advice from XENMEM_get_unallocated_space, and subsequently a new IO or identity region appears, everything will explode, because the "safe area" wasn't actually safe. The safe range *must* be chosen by the toolstack, because nothing else can do it safely or correctly. Once a safe range (or ranges) has been chosen, any subsequent action which overlaps with the ranges must be rejected, as it will violate the guarantees provided. Furthermore, the ranges should be made available to the guest via normal memory map means. On x86, this is via the E820 table, and on ARM I presume the DTB. There is no need for a new hypercall. > > The arch code is in charge of finding these regions and filling > in corresponding array in new helper arch_get_unallocated_space(). > > This patch implements common and Arm parts, the x86 specific bits > are left uniplemented for now. Leaving x86 for now is fine by me. > diff --git a/xen/arch/arm/mm.c b/xen/arch/arm/mm.c > index 0e07335..8a70fe0 100644 > --- a/xen/arch/arm/mm.c > +++ b/xen/arch/arm/mm.c > @@ -1635,6 +1635,24 @@ unsigned long get_upper_mfn_bound(void) > return max_page - 1; > } > > +#define GPFN_ALIGN_TO_GB(x) (((x) + (1UL << 18) - 1) & (~((1UL << 18) - 1))) > + > +int arch_get_unallocated_space(struct domain *d, > + struct xen_unallocated_region *regions, > + unsigned int *nr_regions) > +{ > + /* > + * Everything not mapped into P2M could be treated as unused. Taking into > + * the account that we have a lot of unallocated space above > max_mapped_gfn > + * and in order to simplify things, just provide a single 8GB memory > + * region aligned to 1GB boundary for now. > + */ > + regions->start_gpfn = GPFN_ALIGN_TO_GB(domain_get_maximum_gpfn(d) + 1); To drive home my earlier point, this is racy and cannot be fixed in Xen. You don't (and cannot) hold the p2m lock until the guest has acted upon the information provided, so it is guaranteed stale by the time the guest can inspect the results. In the concurrent meantime, a wide range of operations can change max_gpfn. The only way to get a value the guest can use is to choose it before hand, and have Xen enforce that the nominated range(s) remain safe. ~Andrew
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |