2021-11-24 20:53:58

by Oleksandr Tyshchenko

Subject: [PATCH V3 0/6] xen: Add support of extended regions (safe ranges) on Arm

From: Oleksandr Tyshchenko <[email protected]>

Hello all.

You can find the RFC-V2 patch series at [1],[2].

The corresponding Xen support (for both Dom0 and DomU) is already committed and
is available in mainline Xen since the following commit:
57f87857dc2de452a796d6bad4f476510efd2aba libxl/arm: Add handling of extended regions for DomU

The extended region (safe range) is a region of guest physical address space
which is unused and could be safely used to create grant/foreign mappings instead
of ballooning out real RAM pages to obtain a physical address space for creating
these mappings (which simply wastes domain memory and shatters superpages in
the P2M table).
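
For illustration only (not part of this series): a minimal consumer-side sketch,
assuming the usual grant-table helpers and a hypothetical remote domid/grant
reference, showing that a backend only needs guest physical address space (not
RAM) to host such a mapping:

#include <xen/grant_table.h>
#include <xen/xen.h>

/* Illustrative sketch: map one grant from a remote domain into an
 * unpopulated page instead of a ballooned-out RAM page.
 */
static int example_map_one_grant(domid_t otherend, grant_ref_t ref)
{
        struct gnttab_map_grant_ref map_op;
        struct page *page;
        int ret;

        /* Backed by an extended region on Arm, so no RAM is ballooned out */
        ret = xen_alloc_unpopulated_pages(1, &page);
        if (ret)
                return ret;

        gnttab_set_map_op(&map_op,
                          (unsigned long)pfn_to_kaddr(page_to_pfn(page)),
                          GNTMAP_host_map, ref, otherend);

        ret = gnttab_map_refs(&map_op, NULL, &page, 1);
        if (ret || map_op.status != GNTST_okay) {
                xen_free_unpopulated_pages(1, &page);
                return ret ?: -EFAULT;
        }

        return 0;
}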

The problem is that on Arm, Linux cannot figure out on its own which memory ranges
are unused: there might be identity mappings in the P2M table (stage 2) the guest is not
aware of, and not all device I/O regions might be known (registered) by the time the guest
starts creating grant/foreign mappings. This is why we need hints from the hypervisor,
which knows all the details in advance and so can choose extended regions (which won't
clash with other resources).

The extended regions are chosen at domain creation time and advertised to the domain via
the "reg" property under the hypervisor node in the guest device-tree [3]. As region 0 is
reserved for grant table space (always present), the indexes for extended regions are 1...N.
No device-tree bindings update is needed; the guest infers the presence of extended regions
from the number of regions in the "reg" property.
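
A minimal sketch of what that inference looks like from the guest side (this mirrors
the approach taken in patch 5 of this series; the function name is illustrative only):

#include <linux/of.h>
#include <linux/of_address.h>

/* Count the extended regions in the hypervisor node's "reg" property.
 * Index 0 is reserved for the grant table space, so counting starts at 1.
 */
static unsigned int example_count_ext_regions(void)
{
        struct device_node *np;
        unsigned int nr = 0;

        np = of_find_compatible_node(NULL, NULL, "xen,xen");
        if (!np)
                return 0;

        while (of_get_address(np, nr + 1, NULL, NULL))
                nr++;

        of_node_put(np);

        return nr;
}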

Please note the following:
- The ACPI case is not covered for now
- The patch series was written so as to retain the existing behavior on x86

The patch series is based on v5.16-rc2 and is also available at [4]; it was fully
tested on Arm64.

[1] https://lore.kernel.org/all/[email protected]/
https://lore.kernel.org/all/[email protected]/

[2] https://lore.kernel.org/all/[email protected]/

[3] https://xenbits.xen.org/gitweb/?p=xen.git;a=blob_plain;f=docs/misc/arm/device-tree/guest.txt;hb=refs/heads/master

[4] https://github.com/otyshchenko1/linux/commits/map_opt_ml6

Oleksandr Tyshchenko (6):
xen/unpopulated-alloc: Drop check for virt_addr_valid() in fill_list()
arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for DT
xen/balloon: Bring alloc(free)_xenballooned_pages helpers back
xen/unpopulated-alloc: Add mechanism to use Xen resource
arm/xen: Read extended regions from DT and init Xen resource
dt-bindings: xen: Clarify "reg" purpose

Documentation/devicetree/bindings/arm/xen.txt | 12 ++-
arch/arm/xen/enlighten.c | 132 ++++++++++++++++++++++++--
drivers/xen/Kconfig | 2 +-
drivers/xen/balloon.c | 20 ++--
drivers/xen/unpopulated-alloc.c | 84 ++++++++++++++--
include/xen/balloon.h | 3 +
include/xen/xen.h | 16 ++++
7 files changed, 239 insertions(+), 30 deletions(-)

--
2.7.4



2021-11-24 20:54:02

by Oleksandr Tyshchenko

Subject: [PATCH V3 1/6] xen/unpopulated-alloc: Drop check for virt_addr_valid() in fill_list()

From: Oleksandr Tyshchenko <[email protected]>

If memremap_pages() succeeds, the range is guaranteed to have proper page
tables, so there is no need for an additional virt_addr_valid() check.

Signed-off-by: Oleksandr Tyshchenko <[email protected]>
Reviewed-by: Boris Ostrovsky <[email protected]>
---
Changes RFC -> V2:
- new patch, instead of
"[RFC PATCH 1/2] arm64: mm: Make virt_addr_valid to check for pfn_valid again"

Changes V2 -> V3:
- add Boris' R-b
---
drivers/xen/unpopulated-alloc.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/drivers/xen/unpopulated-alloc.c b/drivers/xen/unpopulated-alloc.c
index 87e6b7d..a03dc5b 100644
--- a/drivers/xen/unpopulated-alloc.c
+++ b/drivers/xen/unpopulated-alloc.c
@@ -85,7 +85,6 @@ static int fill_list(unsigned int nr_pages)
for (i = 0; i < alloc_pages; i++) {
struct page *pg = virt_to_page(vaddr + PAGE_SIZE * i);

- BUG_ON(!virt_addr_valid(vaddr + PAGE_SIZE * i));
pg->zone_device_data = page_list;
page_list = pg;
list_count++;
--
2.7.4


2021-11-24 20:54:04

by Oleksandr Tyshchenko

Subject: [PATCH V3 2/6] arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for DT

From: Oleksandr Tyshchenko <[email protected]>

Read the start address of the grant table space from DT
(region 0).

This patch mostly restores the behaviour from before commit 3cf4095d7446
("arm/xen: Use xen_xlate_map_ballooned_pages to setup grant table")
while trying not to break the ACPI support added after that commit.
So the patch touches the DT part only and leaves the ACPI part with
xen_xlate_map_ballooned_pages(). Also, in order to make the code more
resilient, fall back to xen_xlate_map_ballooned_pages() if the grant
table region wasn't found.

This is a preparation for using Xen extended region feature
where unused regions of guest physical address space (provided
by the hypervisor) will be used to create grant/foreign/whatever
mappings instead of wasting real RAM pages from the domain memory
for establishing these mappings.

The immediate benefit of this change:
- Avoid superpage shattering in Xen P2M when establishing
stage-2 mapping (GFN <-> MFN) for the grant table space
- Avoid wasting real RAM pages (reducing the amount of memory
usable) for mapping grant table space
- The grant table space is always mapped at the exact
same place (region 0 is reserved for the grant table)

Signed-off-by: Oleksandr Tyshchenko <[email protected]>
---
Changes RFC -> V2:
- new patch

Changes V2 -> V3:
- add __read_mostly specifier to xen_grant_frames
- retain a fallback to xen_xlate_map_ballooned_pages() if
xen_grant_frames is invalid
- process xen_events_irq before xen_grant_frames in
xen_dt_guest_init()
- update patch description
---
arch/arm/xen/enlighten.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c
index 7619fbf..3fb3384 100644
--- a/arch/arm/xen/enlighten.c
+++ b/arch/arm/xen/enlighten.c
@@ -59,6 +59,9 @@ unsigned long xen_released_pages;
struct xen_memory_region xen_extra_mem[XEN_EXTRA_MEM_MAX_REGIONS] __initdata;

static __read_mostly unsigned int xen_events_irq;
+static __read_mostly phys_addr_t xen_grant_frames;
+
+#define GRANT_TABLE_INDEX 0

uint32_t xen_start_flags;
EXPORT_SYMBOL(xen_start_flags);
@@ -303,6 +306,7 @@ static void __init xen_acpi_guest_init(void)
static void __init xen_dt_guest_init(void)
{
struct device_node *xen_node;
+ struct resource res;

xen_node = of_find_compatible_node(NULL, NULL, "xen,xen");
if (!xen_node) {
@@ -311,13 +315,19 @@ static void __init xen_dt_guest_init(void)
}

xen_events_irq = irq_of_parse_and_map(xen_node, 0);
+
+ if (of_address_to_resource(xen_node, GRANT_TABLE_INDEX, &res)) {
+ pr_err("Xen grant table region is not found\n");
+ return;
+ }
+ xen_grant_frames = res.start;
}

static int __init xen_guest_init(void)
{
struct xen_add_to_physmap xatp;
struct shared_info *shared_info_page = NULL;
- int cpu;
+ int rc, cpu;

if (!xen_domain())
return 0;
@@ -370,12 +380,16 @@ static int __init xen_guest_init(void)
for_each_possible_cpu(cpu)
per_cpu(xen_vcpu_id, cpu) = cpu;

- xen_auto_xlat_grant_frames.count = gnttab_max_grant_frames();
- if (xen_xlate_map_ballooned_pages(&xen_auto_xlat_grant_frames.pfn,
- &xen_auto_xlat_grant_frames.vaddr,
- xen_auto_xlat_grant_frames.count)) {
+ if (!acpi_disabled || !xen_grant_frames) {
+ xen_auto_xlat_grant_frames.count = gnttab_max_grant_frames();
+ rc = xen_xlate_map_ballooned_pages(&xen_auto_xlat_grant_frames.pfn,
+ &xen_auto_xlat_grant_frames.vaddr,
+ xen_auto_xlat_grant_frames.count);
+ } else
+ rc = gnttab_setup_auto_xlat_frames(xen_grant_frames);
+ if (rc) {
free_percpu(xen_vcpu_info);
- return -ENOMEM;
+ return rc;
}
gnttab_init();

--
2.7.4


2021-11-24 20:54:06

by Oleksandr Tyshchenko

Subject: [PATCH V3 3/6] xen/balloon: Bring alloc(free)_xenballooned_pages helpers back

From: Oleksandr Tyshchenko <[email protected]>

This patch rolls back some of the changes introduced by commit
121f2faca2c0a ("xen/balloon: rename alloc/free_xenballooned_pages")
in order to make it possible to still allocate xenballooned pages
if CONFIG_XEN_UNPOPULATED_ALLOC is enabled.

On Arm the unpopulated pages will be allocated on top of extended
regions provided by Xen via device-tree (the subsequent patches
will add required bits to support unpopulated-alloc feature on Arm).
The problem is that the extended regions feature has only been introduced
into Xen quite recently (during the 4.16 release cycle). So this
effectively means that Linux must only use unpopulated-alloc on Arm
if it is running on "new Xen" which advertises these regions.
But this will only be known after parsing the "hypervisor" node
at boot time, so before doing that we cannot assume anything.

In order to keep working if CONFIG_XEN_UNPOPULATED_ALLOC is enabled
and the extended regions are not advertised (Linux is running on
"old Xen", etc) we need the fallback to alloc_xenballooned_pages().

This way, with "new Xen" we no longer reduce the amount of usable memory
(waste RAM pages) for any of the external mappings (and we eliminate
XSA-300), while with "old Xen" we remain functional by ballooning
out RAM pages.

Also rename alloc(free)_xenballooned_pages to xen_alloc(free)_ballooned_pages
and make xen_alloc(free)_unpopulated_pages static inline in xen.h
if CONFIG_XEN_UNPOPULATED_ALLOC is disabled.

Signed-off-by: Oleksandr Tyshchenko <[email protected]>
Reviewed-by: Stefano Stabellini <[email protected]>
---
@Stefano, I decided to retain your R-b after making a minor
change (make xen_alloc(free)_unpopulated_pages static inline
in xen.h if CONFIG_XEN_UNPOPULATED_ALLOC is disabled).
Please let me know if you think otherwise.

Changes V2 -> V3:
- new patch
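
To illustrate the fallback from a caller's point of view: users of the API are
unaffected by this rework; whether the pages come from an extended region, from
iomem_resource or from ballooned-out RAM is decided behind
xen_alloc_unpopulated_pages(). A hypothetical caller (sketch only):

#include <xen/xen.h>

static int example_get_scratch_pages(struct page **pages, unsigned int nr)
{
        int ret;

        /* With CONFIG_XEN_UNPOPULATED_ALLOC disabled this resolves to
         * xen_alloc_ballooned_pages(); a later patch in this series adds
         * a runtime fallback as well.
         */
        ret = xen_alloc_unpopulated_pages(nr, pages);
        if (ret)
                return ret;

        /* ... use the pages for grant/foreign mappings ... */

        xen_free_unpopulated_pages(nr, pages);

        return 0;
}
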
---
drivers/xen/balloon.c | 20 +++++++++-----------
include/xen/balloon.h | 3 +++
include/xen/xen.h | 14 ++++++++++++++
3 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
index ba2ea11..a2c4fc49 100644
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -581,7 +581,6 @@ void balloon_set_new_target(unsigned long target)
}
EXPORT_SYMBOL_GPL(balloon_set_new_target);

-#ifndef CONFIG_XEN_UNPOPULATED_ALLOC
static int add_ballooned_pages(unsigned int nr_pages)
{
enum bp_state st;
@@ -610,12 +609,12 @@ static int add_ballooned_pages(unsigned int nr_pages)
}

/**
- * xen_alloc_unpopulated_pages - get pages that have been ballooned out
+ * xen_alloc_ballooned_pages - get pages that have been ballooned out
* @nr_pages: Number of pages to get
* @pages: pages returned
* @return 0 on success, error otherwise
*/
-int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages)
+int xen_alloc_ballooned_pages(unsigned int nr_pages, struct page **pages)
{
unsigned int pgno = 0;
struct page *page;
@@ -652,23 +651,23 @@ int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages)
return 0;
out_undo:
mutex_unlock(&balloon_mutex);
- xen_free_unpopulated_pages(pgno, pages);
+ xen_free_ballooned_pages(pgno, pages);
/*
- * NB: free_xenballooned_pages will only subtract pgno pages, but since
+ * NB: xen_free_ballooned_pages will only subtract pgno pages, but since
* target_unpopulated is incremented with nr_pages at the start we need
* to remove the remaining ones also, or accounting will be screwed.
*/
balloon_stats.target_unpopulated -= nr_pages - pgno;
return ret;
}
-EXPORT_SYMBOL(xen_alloc_unpopulated_pages);
+EXPORT_SYMBOL(xen_alloc_ballooned_pages);

/**
- * xen_free_unpopulated_pages - return pages retrieved with get_ballooned_pages
+ * xen_free_ballooned_pages - return pages retrieved with get_ballooned_pages
* @nr_pages: Number of pages
* @pages: pages to return
*/
-void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)
+void xen_free_ballooned_pages(unsigned int nr_pages, struct page **pages)
{
unsigned int i;

@@ -687,9 +686,9 @@ void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)

mutex_unlock(&balloon_mutex);
}
-EXPORT_SYMBOL(xen_free_unpopulated_pages);
+EXPORT_SYMBOL(xen_free_ballooned_pages);

-#if defined(CONFIG_XEN_PV)
+#if defined(CONFIG_XEN_PV) && !defined(CONFIG_XEN_UNPOPULATED_ALLOC)
static void __init balloon_add_region(unsigned long start_pfn,
unsigned long pages)
{
@@ -712,7 +711,6 @@ static void __init balloon_add_region(unsigned long start_pfn,
balloon_stats.total_pages += extra_pfn_end - start_pfn;
}
#endif
-#endif

static int __init balloon_init(void)
{
diff --git a/include/xen/balloon.h b/include/xen/balloon.h
index e93d4f0..f78a6cc 100644
--- a/include/xen/balloon.h
+++ b/include/xen/balloon.h
@@ -26,6 +26,9 @@ extern struct balloon_stats balloon_stats;

void balloon_set_new_target(unsigned long target);

+int xen_alloc_ballooned_pages(unsigned int nr_pages, struct page **pages);
+void xen_free_ballooned_pages(unsigned int nr_pages, struct page **pages);
+
#ifdef CONFIG_XEN_BALLOON
void xen_balloon_init(void);
#else
diff --git a/include/xen/xen.h b/include/xen/xen.h
index 9f031b5..86c5b37 100644
--- a/include/xen/xen.h
+++ b/include/xen/xen.h
@@ -52,7 +52,21 @@ bool xen_biovec_phys_mergeable(const struct bio_vec *vec1,
extern u64 xen_saved_max_mem_size;
#endif

+#ifdef CONFIG_XEN_UNPOPULATED_ALLOC
int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages);
void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages);
+#else
+#include <xen/balloon.h>
+static inline int xen_alloc_unpopulated_pages(unsigned int nr_pages,
+ struct page **pages)
+{
+ return xen_alloc_ballooned_pages(nr_pages, pages);
+}
+static inline void xen_free_unpopulated_pages(unsigned int nr_pages,
+ struct page **pages)
+{
+ xen_free_ballooned_pages(nr_pages, pages);
+}
+#endif

#endif /* _XEN_XEN_H */
--
2.7.4


2021-11-24 20:54:10

by Oleksandr Tyshchenko

Subject: [PATCH V3 4/6] xen/unpopulated-alloc: Add mechanism to use Xen resource

From: Oleksandr Tyshchenko <[email protected]>

The main reason for this change is that the unpopulated-alloc
code cannot be used in its current form on Arm, but there
is a desire to reuse it to avoid wasting real RAM pages
for the grant/foreign mappings.

The problem is that the system-wide "iomem_resource" is used for
the address space allocation, but the really unallocated
space can't be figured out precisely by the domain on Arm
without hypervisor involvement. For example, not all device
I/O regions are known by the time the domain starts creating
grant/foreign mappings, and following the advice from
"iomem_resource" we might end up reusing these regions by
mistake. So the hypervisor, which maintains the P2M for
the domain, is in the best position to provide unused regions
of guest physical address space which could be safely used
to create grant/foreign mappings.

Introduce a new helper, arch_xen_unpopulated_init(), whose purpose
is to create a specific Xen resource based on the memory regions
provided by the hypervisor to be used as unused space for Xen
scratch pages. If the arch doesn't define arch_xen_unpopulated_init(),
the default "iomem_resource" will be used.

Update the argument list of allocate_resource() in fill_list()
to always allocate a region from the hotpluggable range
(the maximum possible addressable physical memory range for which
the linear mapping could be created). If the arch doesn't define
arch_get_mappable_range(), the default range (0, -1) will be used.

The behaviour on x86 won't be changed by the current patch, as neither
arch_xen_unpopulated_init() nor arch_get_mappable_range()
is implemented for it.

Also fall back to allocating xenballooned pages (ballooning out RAM
pages) if we do not have any suitable resource to work with
(target_resource is invalid), in which case we won't be able
to provide unpopulated pages on request.

Signed-off-by: Oleksandr Tyshchenko <[email protected]>
---
Please note the following:
for V3 arch_xen_unpopulated_init() was moved to init() as was agreed
and gained __init specifier. So the target_resource is initialized there.

With current patch series applied if CONFIG_XEN_UNPOPULATED_ALLOC
is enabled:

1. On Arm, under normal circumstances, the xen_alloc_unpopulated_pages()
won't be called “before” arch_xen_unpopulated_init(). It will only be
called "before" when either ACPI is in use or something wrong happened
with DT (and we failed to read xen_grant_frames), so we fallback to
xen_xlate_map_ballooned_pages() in arm/xen/enlighten.c:xen_guest_init(),
please see "arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for DT"
for details. But in that case, I think, it doesn't matter much whether
xen_alloc_unpopulated_pages() is called "before" or "after" target_resource
initialization: as we don't have extended regions in place, the target_resource
will remain invalid even after initialization, so xen_alloc_ballooned_pages()
will be used in both scenarios.

2. On x86, I am not quite sure which modes use unpopulated-alloc (PVH?),
but it looks like xen_alloc_unpopulated_pages() can (and will) be called
“before” arch_xen_unpopulated_init().
At least, I see that xen_xlate_map_ballooned_pages() is called in
x86/xen/grant-table.c:xen_pvh_gnttab_setup(). According to the initcall
levels for both xen_pvh_gnttab_setup() and init() I expect the former
to be called earlier.
If it is true, the sentence in the commit description which mentions
that “behaviour on x86 is not changed” is not precise. I don’t think
it would be correct to fallback to xen_alloc_ballooned_pages() just
because we haven’t initialized target_resource yet (on x86 it is just
assigning it iomem_resource), at least this doesn't look like an expected
behaviour and unlikely would be welcome.

I am wondering whether it would be better to move arch_xen_unpopulated_init()
to a dedicated init() marked with an appropriate initcall level (early_initcall?)
to make sure it will always be called *before* xen_xlate_map_ballooned_pages().
What do you think?
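
For the sake of discussion, a rough sketch of that alternative (purely
hypothetical, reusing the names introduced by this patch) could look like:

/* Hypothetical: initialize the target resource from an early initcall so
 * it runs before later-initcall users such as the PVH grant-table setup
 * mentioned above.
 */
static int __init unpopulated_init(void)
{
        int ret;

        if (!xen_domain())
                return -ENODEV;

        ret = arch_xen_unpopulated_init(&target_resource);
        if (ret) {
                pr_err("xen:unpopulated: Cannot initialize target resource\n");
                target_resource = NULL;
        }

        return ret;
}
early_initcall(unpopulated_init);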

Changes RFC -> V2:
- new patch, instead of
"[RFC PATCH 2/2] xen/unpopulated-alloc: Query hypervisor to provide unallocated space"

Changes V2 -> V3:
- update patch description and comments in code
- modify arch_xen_unpopulated_init() to pass target_resource as an argument
and update default helper to assign iomem_resource to it, also drop
xen_resource as it will be located in arch code in the future
- allocate region from hotpluggable range instead of hardcoded range (0,-1)
in fill_list()
- use %pR specifier in error message
- do not call unpopulated_init() at runtime from xen_alloc_unpopulated_pages(),
drop an extra helper and call arch_xen_unpopulated_init() directly from __init()
- include linux/ioport.h instead of forward declaration of struct resource
- replace insert_resource() with request_resource() in fill_list()
- add __init specifier to arch_xen_unpopulated_init()
---
drivers/xen/unpopulated-alloc.c | 83 +++++++++++++++++++++++++++++++++++++----
include/xen/xen.h | 2 +
2 files changed, 78 insertions(+), 7 deletions(-)

diff --git a/drivers/xen/unpopulated-alloc.c b/drivers/xen/unpopulated-alloc.c
index a03dc5b..07d3578 100644
--- a/drivers/xen/unpopulated-alloc.c
+++ b/drivers/xen/unpopulated-alloc.c
@@ -8,6 +8,7 @@

#include <asm/page.h>

+#include <xen/balloon.h>
#include <xen/page.h>
#include <xen/xen.h>

@@ -15,13 +16,29 @@ static DEFINE_MUTEX(list_lock);
static struct page *page_list;
static unsigned int list_count;

+static struct resource *target_resource;
+
+/*
+ * If arch is not happy with system "iomem_resource" being used for
+ * the region allocation it can provide it's own view by creating specific
+ * Xen resource with unused regions of guest physical address space provided
+ * by the hypervisor.
+ */
+int __weak __init arch_xen_unpopulated_init(struct resource **res)
+{
+ *res = &iomem_resource;
+
+ return 0;
+}
+
static int fill_list(unsigned int nr_pages)
{
struct dev_pagemap *pgmap;
- struct resource *res;
+ struct resource *res, *tmp_res = NULL;
void *vaddr;
unsigned int i, alloc_pages = round_up(nr_pages, PAGES_PER_SECTION);
- int ret = -ENOMEM;
+ struct range mhp_range;
+ int ret;

res = kzalloc(sizeof(*res), GFP_KERNEL);
if (!res)
@@ -30,14 +47,40 @@ static int fill_list(unsigned int nr_pages)
res->name = "Xen scratch";
res->flags = IORESOURCE_MEM | IORESOURCE_BUSY;

- ret = allocate_resource(&iomem_resource, res,
- alloc_pages * PAGE_SIZE, 0, -1,
+ mhp_range = mhp_get_pluggable_range(true);
+
+ ret = allocate_resource(target_resource, res,
+ alloc_pages * PAGE_SIZE, mhp_range.start, mhp_range.end,
PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL);
if (ret < 0) {
pr_err("Cannot allocate new IOMEM resource\n");
goto err_resource;
}

+ /*
+ * Reserve the region previously allocated from Xen resource to avoid
+ * re-using it by someone else.
+ */
+ if (target_resource != &iomem_resource) {
+ tmp_res = kzalloc(sizeof(*tmp_res), GFP_KERNEL);
+ if (!tmp_res) {
+ ret = -ENOMEM;
+ goto err_insert;
+ }
+
+ tmp_res->name = res->name;
+ tmp_res->start = res->start;
+ tmp_res->end = res->end;
+ tmp_res->flags = res->flags;
+
+ ret = request_resource(&iomem_resource, tmp_res);
+ if (ret < 0) {
+ pr_err("Cannot request resource %pR (%d)\n", tmp_res, ret);
+ kfree(tmp_res);
+ goto err_insert;
+ }
+ }
+
pgmap = kzalloc(sizeof(*pgmap), GFP_KERNEL);
if (!pgmap) {
ret = -ENOMEM;
@@ -95,6 +138,11 @@ static int fill_list(unsigned int nr_pages)
err_memremap:
kfree(pgmap);
err_pgmap:
+ if (tmp_res) {
+ release_resource(tmp_res);
+ kfree(tmp_res);
+ }
+err_insert:
release_resource(res);
err_resource:
kfree(res);
@@ -112,6 +160,14 @@ int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages)
unsigned int i;
int ret = 0;

+ /*
+ * Fallback to default behavior if we do not have any suitable resource
+ * to allocate required region from and as the result we won't be able to
+ * construct pages.
+ */
+ if (!target_resource)
+ return xen_alloc_ballooned_pages(nr_pages, pages);
+
mutex_lock(&list_lock);
if (list_count < nr_pages) {
ret = fill_list(nr_pages - list_count);
@@ -159,6 +215,11 @@ void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)
{
unsigned int i;

+ if (!target_resource) {
+ xen_free_ballooned_pages(nr_pages, pages);
+ return;
+ }
+
mutex_lock(&list_lock);
for (i = 0; i < nr_pages; i++) {
pages[i]->zone_device_data = page_list;
@@ -169,9 +230,11 @@ void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)
}
EXPORT_SYMBOL(xen_free_unpopulated_pages);

-#ifdef CONFIG_XEN_PV
static int __init init(void)
{
+ int ret;
+
+#ifdef CONFIG_XEN_PV
unsigned int i;

if (!xen_domain())
@@ -196,8 +259,14 @@ static int __init init(void)
list_count++;
}
}
+#endif

- return 0;
+ ret = arch_xen_unpopulated_init(&target_resource);
+ if (ret) {
+ pr_err("xen:unpopulated: Cannot initialize target resource\n");
+ target_resource = NULL;
+ }
+
+ return ret;
}
subsys_initcall(init);
-#endif
diff --git a/include/xen/xen.h b/include/xen/xen.h
index 86c5b37..a99bab8 100644
--- a/include/xen/xen.h
+++ b/include/xen/xen.h
@@ -55,6 +55,8 @@ extern u64 xen_saved_max_mem_size;
#ifdef CONFIG_XEN_UNPOPULATED_ALLOC
int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages);
void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages);
+#include <linux/ioport.h>
+int arch_xen_unpopulated_init(struct resource **res);
#else
#include <xen/balloon.h>
static inline int xen_alloc_unpopulated_pages(unsigned int nr_pages,
--
2.7.4


2021-11-24 20:54:13

by Oleksandr Tyshchenko

Subject: [PATCH V3 5/6] arm/xen: Read extended regions from DT and init Xen resource

From: Oleksandr Tyshchenko <[email protected]>

This patch implements arch_xen_unpopulated_init() on Arm, where
the extended regions (if any) are gathered from DT and inserted
into a specific Xen resource to be used as unused address space
for Xen scratch pages by the unpopulated-alloc code.

The extended region (safe range) is a region of guest physical
address space which is unused and could be safely used to create
grant/foreign mappings instead of wasting real RAM pages from
the domain memory for establishing these mappings.

The extended regions are chosen by the hypervisor at the domain
creation time and advertised to it via "reg" property under
hypervisor node in the guest device-tree. As region 0 is reserved
for grant table space (always present), the indexes for extended
regions are 1...N.
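
A worked example with made-up addresses (purely illustrative): given the two
hypothetical extended regions below, arch_xen_unpopulated_init() ends up with a
parent resource spanning both of them, with the gap in between marked as
unavailable, so fill_list() can only allocate inside the ranges actually
provided by Xen:

#include <linux/ioport.h>

/* Hypothetical regions 1 and 2 taken from the "reg" property */
static struct resource example_ext_regions[] = {
        DEFINE_RES_MEM(0x0800000000ULL, 0x40000000), /* ends at 0x083fffffff */
        DEFINE_RES_MEM(0x0880000000ULL, 0x40000000), /* ends at 0x08bfffffff */
};

/*
 * Resulting layout (conceptually):
 *
 *   Xen unused space    : 0x0800000000 - 0x08bfffffff
 *     Unavailable space : 0x0840000000 - 0x087fffffff  (hole between regions)
 */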

If arch_xen_unpopulated_init() fails for some reason the default
behaviour will be restored (allocate xenballooned pages).

This patch also removes XEN_UNPOPULATED_ALLOC dependency on x86.

Signed-off-by: Oleksandr Tyshchenko <[email protected]>
---
Changes RFC -> V2:
- new patch, instead of
"[RFC PATCH 2/2] xen/unpopulated-alloc: Query hypervisor to provide unallocated space"

Changes V2 -> V3:
- update comments in code
- drop the checks that a region is within the hotpluggable range,
now the common code takes care of
- update arch_xen_unpopulated_init() according to interface change,
move xen_resource here, etc
- use %pR specifier in error message
- bail out in arch_xen_unpopulated_init() if !acpi_disabled
- update checks in second loop in arch_xen_unpopulated_init()
for the sake of clarity
---
arch/arm/xen/enlighten.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++
drivers/xen/Kconfig | 2 +-
2 files changed, 107 insertions(+), 1 deletion(-)

diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c
index 3fb3384..019caa6 100644
--- a/arch/arm/xen/enlighten.c
+++ b/arch/arm/xen/enlighten.c
@@ -62,6 +62,7 @@ static __read_mostly unsigned int xen_events_irq;
static __read_mostly phys_addr_t xen_grant_frames;

#define GRANT_TABLE_INDEX 0
+#define EXT_REGION_INDEX 1

uint32_t xen_start_flags;
EXPORT_SYMBOL(xen_start_flags);
@@ -303,6 +304,111 @@ static void __init xen_acpi_guest_init(void)
#endif
}

+#ifdef CONFIG_XEN_UNPOPULATED_ALLOC
+/*
+ * A type-less specific Xen resource which contains extended regions
+ * (unused regions of guest physical address space provided by the hypervisor).
+ */
+static struct resource xen_resource = {
+ .name = "Xen unused space",
+};
+
+int __init arch_xen_unpopulated_init(struct resource **res)
+{
+ struct device_node *np;
+ struct resource *regs, *tmp_res;
+ uint64_t min_gpaddr = -1, max_gpaddr = 0;
+ unsigned int i, nr_reg = 0;
+ int rc;
+
+ if (!xen_domain())
+ return -ENODEV;
+
+ if (!acpi_disabled)
+ return -ENODEV;
+
+ np = of_find_compatible_node(NULL, NULL, "xen,xen");
+ if (WARN_ON(!np))
+ return -ENODEV;
+
+ /* Skip region 0 which is reserved for grant table space */
+ while (of_get_address(np, nr_reg + EXT_REGION_INDEX, NULL, NULL))
+ nr_reg++;
+
+ if (!nr_reg) {
+ pr_err("No extended regions are found\n");
+ return -EINVAL;
+ }
+
+ regs = kcalloc(nr_reg, sizeof(*regs), GFP_KERNEL);
+ if (!regs)
+ return -ENOMEM;
+
+ /*
+ * Create resource from extended regions provided by the hypervisor to be
+ * used as unused address space for Xen scratch pages.
+ */
+ for (i = 0; i < nr_reg; i++) {
+ rc = of_address_to_resource(np, i + EXT_REGION_INDEX, &regs[i]);
+ if (rc)
+ goto err;
+
+ if (max_gpaddr < regs[i].end)
+ max_gpaddr = regs[i].end;
+ if (min_gpaddr > regs[i].start)
+ min_gpaddr = regs[i].start;
+ }
+
+ xen_resource.start = min_gpaddr;
+ xen_resource.end = max_gpaddr;
+
+ /*
+ * Mark holes between extended regions as unavailable. The rest of that
+ * address space will be available for the allocation.
+ */
+ for (i = 1; i < nr_reg; i++) {
+ resource_size_t start, end;
+
+ /* There is an overlap between regions */
+ if (regs[i - 1].end + 1 > regs[i].start) {
+ rc = -EINVAL;
+ goto err;
+ }
+
+ /* There is no hole between regions */
+ if (regs[i - 1].end + 1 == regs[i].start)
+ continue;
+
+ start = regs[i - 1].end + 1;
+ end = regs[i].start - 1;
+
+ tmp_res = kzalloc(sizeof(*tmp_res), GFP_KERNEL);
+ if (!tmp_res) {
+ rc = -ENOMEM;
+ goto err;
+ }
+
+ tmp_res->name = "Unavailable space";
+ tmp_res->start = start;
+ tmp_res->end = end;
+
+ rc = insert_resource(&xen_resource, tmp_res);
+ if (rc) {
+ pr_err("Cannot insert resource %pR (%d)\n", tmp_res, rc);
+ kfree(tmp_res);
+ goto err;
+ }
+ }
+
+ *res = &xen_resource;
+
+err:
+ kfree(regs);
+
+ return rc;
+}
+#endif
+
static void __init xen_dt_guest_init(void)
{
struct device_node *xen_node;
diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig
index a1b11c62..553b614 100644
--- a/drivers/xen/Kconfig
+++ b/drivers/xen/Kconfig
@@ -321,7 +321,7 @@ config XEN_FRONT_PGDIR_SHBUF

config XEN_UNPOPULATED_ALLOC
bool "Use unpopulated memory ranges for guest mappings"
- depends on X86 && ZONE_DEVICE
+ depends on ZONE_DEVICE
default XEN_BACKEND || XEN_GNTDEV || XEN_DOM0
help
Use unpopulated memory ranges in order to create mappings for guest
--
2.7.4


2021-11-24 20:54:16

by Oleksandr Tyshchenko

Subject: [PATCH V3 6/6] dt-bindings: xen: Clarify "reg" purpose

From: Oleksandr Tyshchenko <[email protected]>

Xen on Arm has recently gained support for calculating and reporting
extended regions (unused address space) safe to use for external
mappings. These regions are reported via the "reg" property under the
"hypervisor" node in the guest device-tree. As region 0 is reserved
for grant table space (always present), the indexes for extended
regions are 1...N.

No device-tree bindings update is needed (except clarifying the text)
as the guest infers the presence of extended regions from the number
of regions in the "reg" property.

Signed-off-by: Oleksandr Tyshchenko <[email protected]>
---
According to the recent update to Xen's guest.txt:
https://xenbits.xen.org/gitweb/?p=xen.git;a=blob_plain;f=docs/misc/arm/device-tree/guest.txt;hb=refs/heads/master

Changes V2 -> V3:
- new patch
---
Documentation/devicetree/bindings/arm/xen.txt | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/Documentation/devicetree/bindings/arm/xen.txt b/Documentation/devicetree/bindings/arm/xen.txt
index db5c56d..156fe10b 100644
--- a/Documentation/devicetree/bindings/arm/xen.txt
+++ b/Documentation/devicetree/bindings/arm/xen.txt
@@ -7,10 +7,14 @@ the following properties:
compatible = "xen,xen-<version>", "xen,xen";
where <version> is the version of the Xen ABI of the platform.

-- reg: specifies the base physical address and size of a region in
- memory where the grant table should be mapped to, using an
- HYPERVISOR_memory_op hypercall. The memory region is large enough to map
- the whole grant table (it is larger or equal to gnttab_max_grant_frames()).
+- reg: specifies the base physical address and size of the regions in memory
+ where the special resources should be mapped to, using an HYPERVISOR_memory_op
+ hypercall.
+ Region 0 is reserved for mapping grant table, it must be always present.
+ The memory region is large enough to map the whole grant table (it is larger
+ or equal to gnttab_max_grant_frames()).
+ Regions 1...N are extended regions (unused address space) for mapping foreign
+ GFNs and grants, they might be absent if there is nothing to expose.
This property is unnecessary when booting Dom0 using ACPI.

- interrupts: the interrupt used by Xen to inject event notifications.
--
2.7.4


2021-11-24 23:35:54

by Stefano Stabellini

Subject: Re: [PATCH V3 2/6] arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for DT

On Wed, 24 Nov 2021, Oleksandr Tyshchenko wrote:
> From: Oleksandr Tyshchenko <[email protected]>
>
> Read the start address of the grant table space from DT
> (region 0).
>
> This patch mostly restores behaviour before commit 3cf4095d7446
> ("arm/xen: Use xen_xlate_map_ballooned_pages to setup grant table")
> but trying not to break the ACPI support added after that commit.
> So the patch touches DT part only and leaves the ACPI part with
> xen_xlate_map_ballooned_pages(). Also in order to make a code more
> resilient use a fallback to xen_xlate_map_ballooned_pages() if grant
> table region wasn't found.
>
> This is a preparation for using Xen extended region feature
> where unused regions of guest physical address space (provided
> by the hypervisor) will be used to create grant/foreign/whatever
> mappings instead of wasting real RAM pages from the domain memory
> for establishing these mappings.
>
> The immediate benefit of this change:
> - Avoid superpage shattering in Xen P2M when establishing
> stage-2 mapping (GFN <-> MFN) for the grant table space
> - Avoid wasting real RAM pages (reducing the amount of memory
> usable) for mapping grant table space
> - The grant table space is always mapped at the exact
> same place (region 0 is reserved for the grant table)
>
> Signed-off-by: Oleksandr Tyshchenko <[email protected]>
> ---
> Changes RFC -> V2:
> - new patch
>
> Changes V2 -> V3:
> - add __read_mostly specifier to xen_grant_frames
> - retain a fallback to xen_xlate_map_ballooned_pages() if
> xen_grant_frames is invalid
> - process xen_events_irq before xen_grant_frames in
> xen_dt_guest_init()
> - update patch description
> ---
> arch/arm/xen/enlighten.c | 26 ++++++++++++++++++++------
> 1 file changed, 20 insertions(+), 6 deletions(-)
>
> diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c
> index 7619fbf..3fb3384 100644
> --- a/arch/arm/xen/enlighten.c
> +++ b/arch/arm/xen/enlighten.c
> @@ -59,6 +59,9 @@ unsigned long xen_released_pages;
> struct xen_memory_region xen_extra_mem[XEN_EXTRA_MEM_MAX_REGIONS] __initdata;
>
> static __read_mostly unsigned int xen_events_irq;
> +static __read_mostly phys_addr_t xen_grant_frames;
> +
> +#define GRANT_TABLE_INDEX 0
>
> uint32_t xen_start_flags;
> EXPORT_SYMBOL(xen_start_flags);
> @@ -303,6 +306,7 @@ static void __init xen_acpi_guest_init(void)
> static void __init xen_dt_guest_init(void)
> {
> struct device_node *xen_node;
> + struct resource res;
>
> xen_node = of_find_compatible_node(NULL, NULL, "xen,xen");
> if (!xen_node) {
> @@ -311,13 +315,19 @@ static void __init xen_dt_guest_init(void)
> }
>
> xen_events_irq = irq_of_parse_and_map(xen_node, 0);
> +
> + if (of_address_to_resource(xen_node, GRANT_TABLE_INDEX, &res)) {
> + pr_err("Xen grant table region is not found\n");
> + return;
> + }
> + xen_grant_frames = res.start;
> }
>
> static int __init xen_guest_init(void)
> {
> struct xen_add_to_physmap xatp;
> struct shared_info *shared_info_page = NULL;
> - int cpu;
> + int rc, cpu;
>
> if (!xen_domain())
> return 0;
> @@ -370,12 +380,16 @@ static int __init xen_guest_init(void)
> for_each_possible_cpu(cpu)
> per_cpu(xen_vcpu_id, cpu) = cpu;
>
> - xen_auto_xlat_grant_frames.count = gnttab_max_grant_frames();
> - if (xen_xlate_map_ballooned_pages(&xen_auto_xlat_grant_frames.pfn,
> - &xen_auto_xlat_grant_frames.vaddr,
> - xen_auto_xlat_grant_frames.count)) {
> + if (!acpi_disabled || !xen_grant_frames) {

I realize now that we only need:

if (!xen_grant_frames) {

with that:

Reviewed-by: Stefano Stabellini <[email protected]>
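
For clarity, a sketch of how the hunk would then read with that simplification
(assuming xen_grant_frames can only be non-zero on the DT path, where it is set
in xen_dt_guest_init()):

        if (!xen_grant_frames) {
                xen_auto_xlat_grant_frames.count = gnttab_max_grant_frames();
                rc = xen_xlate_map_ballooned_pages(&xen_auto_xlat_grant_frames.pfn,
                                                   &xen_auto_xlat_grant_frames.vaddr,
                                                   xen_auto_xlat_grant_frames.count);
        } else
                rc = gnttab_setup_auto_xlat_frames(xen_grant_frames);
        if (rc) {
                free_percpu(xen_vcpu_info);
                return rc;
        }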



> + xen_auto_xlat_grant_frames.count = gnttab_max_grant_frames();
> + rc = xen_xlate_map_ballooned_pages(&xen_auto_xlat_grant_frames.pfn,
> + &xen_auto_xlat_grant_frames.vaddr,
> + xen_auto_xlat_grant_frames.count);
> + } else
> + rc = gnttab_setup_auto_xlat_frames(xen_grant_frames);
> + if (rc) {
> free_percpu(xen_vcpu_info);
> - return -ENOMEM;
> + return rc;
> }
> gnttab_init();

2021-11-24 23:36:41

by Stefano Stabellini

Subject: Re: [PATCH V3 3/6] xen/balloon: Bring alloc(free)_xenballooned_pages helpers back

On Wed, 24 Nov 2021, Oleksandr Tyshchenko wrote:
> From: Oleksandr Tyshchenko <[email protected]>
>
> This patch rolls back some of the changes introduced by commit
> 121f2faca2c0a "xen/balloon: rename alloc/free_xenballooned_pages"
> in order to make possible to still allocate xenballooned pages
> if CONFIG_XEN_UNPOPULATED_ALLOC is enabled.
>
> On Arm the unpopulated pages will be allocated on top of extended
> regions provided by Xen via device-tree (the subsequent patches
> will add required bits to support unpopulated-alloc feature on Arm).
> The problem is that extended regions feature has been introduced
> into Xen quite recently (during 4.16 release cycle). So this
> effectively means that Linux must only use unpopulated-alloc on Arm
> if it is running on "new Xen" which advertises these regions.
> But, it will only be known after parsing the "hypervisor" node
> at boot time, so before doing that we cannot assume anything.
>
> In order to keep working if CONFIG_XEN_UNPOPULATED_ALLOC is enabled
> and the extended regions are not advertised (Linux is running on
> "old Xen", etc) we need the fallback to alloc_xenballooned_pages().
>
> This way we wouldn't reduce the amount of memory usable (wasting
> RAM pages) for any of the external mappings anymore (and eliminate
> XSA-300) with "new Xen", but would be still functional ballooning
> out RAM pages with "old Xen".
>
> Also rename alloc(free)_xenballooned_pages to xen_alloc(free)_ballooned_pages
> and make xen_alloc(free)_unpopulated_pages static inline in xen.h
> if CONFIG_XEN_UNPOPULATED_ALLOC is disabled.
>
> Signed-off-by: Oleksandr Tyshchenko <[email protected]>
> Reviewed-by: Stefano Stabellini <[email protected]>
> ---
> @Stefano, I decided to retain your R-b after making a minor
> change (make xen_alloc(free)_unpopulated_pages static inline
> in xen.h if CONFIG_XEN_UNPOPULATED_ALLOC is disabled).
> Please let me know if you think otherwise.

That's fine


> Changes V2 -> V3:
> - new patch
> ---
> drivers/xen/balloon.c | 20 +++++++++-----------
> include/xen/balloon.h | 3 +++
> include/xen/xen.h | 14 ++++++++++++++
> 3 files changed, 26 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
> index ba2ea11..a2c4fc49 100644
> --- a/drivers/xen/balloon.c
> +++ b/drivers/xen/balloon.c
> @@ -581,7 +581,6 @@ void balloon_set_new_target(unsigned long target)
> }
> EXPORT_SYMBOL_GPL(balloon_set_new_target);
>
> -#ifndef CONFIG_XEN_UNPOPULATED_ALLOC
> static int add_ballooned_pages(unsigned int nr_pages)
> {
> enum bp_state st;
> @@ -610,12 +609,12 @@ static int add_ballooned_pages(unsigned int nr_pages)
> }
>
> /**
> - * xen_alloc_unpopulated_pages - get pages that have been ballooned out
> + * xen_alloc_ballooned_pages - get pages that have been ballooned out
> * @nr_pages: Number of pages to get
> * @pages: pages returned
> * @return 0 on success, error otherwise
> */
> -int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages)
> +int xen_alloc_ballooned_pages(unsigned int nr_pages, struct page **pages)
> {
> unsigned int pgno = 0;
> struct page *page;
> @@ -652,23 +651,23 @@ int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages)
> return 0;
> out_undo:
> mutex_unlock(&balloon_mutex);
> - xen_free_unpopulated_pages(pgno, pages);
> + xen_free_ballooned_pages(pgno, pages);
> /*
> - * NB: free_xenballooned_pages will only subtract pgno pages, but since
> + * NB: xen_free_ballooned_pages will only subtract pgno pages, but since
> * target_unpopulated is incremented with nr_pages at the start we need
> * to remove the remaining ones also, or accounting will be screwed.
> */
> balloon_stats.target_unpopulated -= nr_pages - pgno;
> return ret;
> }
> -EXPORT_SYMBOL(xen_alloc_unpopulated_pages);
> +EXPORT_SYMBOL(xen_alloc_ballooned_pages);
>
> /**
> - * xen_free_unpopulated_pages - return pages retrieved with get_ballooned_pages
> + * xen_free_ballooned_pages - return pages retrieved with get_ballooned_pages
> * @nr_pages: Number of pages
> * @pages: pages to return
> */
> -void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)
> +void xen_free_ballooned_pages(unsigned int nr_pages, struct page **pages)
> {
> unsigned int i;
>
> @@ -687,9 +686,9 @@ void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)
>
> mutex_unlock(&balloon_mutex);
> }
> -EXPORT_SYMBOL(xen_free_unpopulated_pages);
> +EXPORT_SYMBOL(xen_free_ballooned_pages);
>
> -#if defined(CONFIG_XEN_PV)
> +#if defined(CONFIG_XEN_PV) && !defined(CONFIG_XEN_UNPOPULATED_ALLOC)
> static void __init balloon_add_region(unsigned long start_pfn,
> unsigned long pages)
> {
> @@ -712,7 +711,6 @@ static void __init balloon_add_region(unsigned long start_pfn,
> balloon_stats.total_pages += extra_pfn_end - start_pfn;
> }
> #endif
> -#endif
>
> static int __init balloon_init(void)
> {
> diff --git a/include/xen/balloon.h b/include/xen/balloon.h
> index e93d4f0..f78a6cc 100644
> --- a/include/xen/balloon.h
> +++ b/include/xen/balloon.h
> @@ -26,6 +26,9 @@ extern struct balloon_stats balloon_stats;
>
> void balloon_set_new_target(unsigned long target);
>
> +int xen_alloc_ballooned_pages(unsigned int nr_pages, struct page **pages);
> +void xen_free_ballooned_pages(unsigned int nr_pages, struct page **pages);
> +
> #ifdef CONFIG_XEN_BALLOON
> void xen_balloon_init(void);
> #else
> diff --git a/include/xen/xen.h b/include/xen/xen.h
> index 9f031b5..86c5b37 100644
> --- a/include/xen/xen.h
> +++ b/include/xen/xen.h
> @@ -52,7 +52,21 @@ bool xen_biovec_phys_mergeable(const struct bio_vec *vec1,
> extern u64 xen_saved_max_mem_size;
> #endif
>
> +#ifdef CONFIG_XEN_UNPOPULATED_ALLOC
> int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages);
> void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages);
> +#else
> +#include <xen/balloon.h>
> +static inline int xen_alloc_unpopulated_pages(unsigned int nr_pages,
> + struct page **pages)
> +{
> + return xen_alloc_ballooned_pages(nr_pages, pages);
> +}
> +static inline void xen_free_unpopulated_pages(unsigned int nr_pages,
> + struct page **pages)
> +{
> + xen_free_ballooned_pages(nr_pages, pages);
> +}
> +#endif
>
> #endif /* _XEN_XEN_H */
> --
> 2.7.4
>

2021-11-25 01:05:49

by Stefano Stabellini

Subject: Re: [PATCH V3 4/6] xen/unpopulated-alloc: Add mechanism to use Xen resource

On Wed, 24 Nov 2021, Oleksandr Tyshchenko wrote:
> From: Oleksandr Tyshchenko <[email protected]>
>
> The main reason of this change is that unpopulated-alloc
> code cannot be used in its current form on Arm, but there
> is a desire to reuse it to avoid wasting real RAM pages
> for the grant/foreign mappings.
>
> The problem is that system "iomem_resource" is used for
> the address space allocation, but the really unallocated
> space can't be figured out precisely by the domain on Arm
> without hypervisor involvement. For example, not all device
> I/O regions are known by the time domain starts creating
> grant/foreign mappings. And following the advice from
> "iomem_resource" we might end up reusing these regions by
> a mistake. So, the hypervisor which maintains the P2M for
> the domain is in the best position to provide unused regions
> of guest physical address space which could be safely used
> to create grant/foreign mappings.
>
> Introduce new helper arch_xen_unpopulated_init() which purpose
> is to create specific Xen resource based on the memory regions
> provided by the hypervisor to be used as unused space for Xen
> scratch pages. If arch doesn't define arch_xen_unpopulated_init()
> the default "iomem_resource" will be used.
>
> Update the arguments list of allocate_resource() in fill_list()
> to always allocate a region from the hotpluggable range
> (maximum possible addressable physical memory range for which
> the linear mapping could be created). If arch doesn't define
> arch_get_mappable_range() the default range (0,-1) will be used.
>
> The behaviour on x86 won't be changed by current patch as both
> arch_xen_unpopulated_init() and arch_get_mappable_range()
> are not implemented for it.
>
> Also fallback to allocate xenballooned pages (balloon out RAM
> pages) if we do not have any suitable resource to work with
> (target_resource is invalid) and as the result we won't be able
> to provide unpopulated pages on a request.
>
> Signed-off-by: Oleksandr Tyshchenko <[email protected]>


Reviewed-by: Stefano Stabellini <[email protected]>


> ---
> Please note the following:
> for V3 arch_xen_unpopulated_init() was moved to init() as was agreed
> and gained __init specifier. So the target_resource is initialized there.
>
> With current patch series applied if CONFIG_XEN_UNPOPULATED_ALLOC
> is enabled:
>
> 1. On Arm, under normal circumstances, the xen_alloc_unpopulated_pages()
> won't be called “before” arch_xen_unpopulated_init(). It will only be
> called "before" when either ACPI is in use or something wrong happened
> with DT (and we failed to read xen_grant_frames), so we fallback to
> xen_xlate_map_ballooned_pages() in arm/xen/enlighten.c:xen_guest_init(),
> please see "arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for DT"
> for details. But in that case, I think, it doesn't matter much whether
> xen_alloc_unpopulated_pages() is called "before" or "after" target_resource
> initialization, as we don't have extended regions in place the target_resource
> will remain invalid even after initialization, so xen_alloc_ballooned_pages()
> will be used in both scenarios.
>
> 2. On x86, I am not quite sure which modes use unpopulated-alloc (PVH?),
> but it looks like xen_alloc_unpopulated_pages() can (and will) be called
> “before” arch_xen_unpopulated_init().
> At least, I see that xen_xlate_map_ballooned_pages() is called in
> x86/xen/grant-table.c:xen_pvh_gnttab_setup(). According to the initcall
> levels for both xen_pvh_gnttab_setup() and init() I expect the former
> to be called earlier.
> If it is true, the sentence in the commit description which mentions
> that “behaviour on x86 is not changed” is not precise. I don’t think
> it would be correct to fallback to xen_alloc_ballooned_pages() just
> because we haven’t initialized target_resource yet (on x86 it is just
> assigning it iomem_resource), at least this doesn't look like an expected
> behaviour and unlikely would be welcome.
>
> I am wondering whether it would be better to move arch_xen_unpopulated_init()
> to a dedicated init() marked with an appropriate initcall level (early_initcall?)
> to make sure it will always be called *before* xen_xlate_map_ballooned_pages().
> What do you think?
>
> Changes RFC -> V2:
> - new patch, instead of
> "[RFC PATCH 2/2] xen/unpopulated-alloc: Query hypervisor to provide unallocated space"
>
> Changes V2 -> V3:
> - update patch description and comments in code
> - modify arch_xen_unpopulated_init() to pass target_resource as an argument
> and update default helper to assign iomem_resource to it, also drop
> xen_resource as it will be located in arch code in the future
> - allocate region from hotpluggable range instead of hardcoded range (0,-1)
> in fill_list()
> - use %pR specifier in error message
> - do not call unpopulated_init() at runtime from xen_alloc_unpopulated_pages(),
> drop an extra helper and call arch_xen_unpopulated_init() directly from __init()
> - include linux/ioport.h instead of forward declaration of struct resource
> - replace insert_resource() with request_resource() in fill_list()
> - add __init specifier to arch_xen_unpopulated_init()
> ---
> drivers/xen/unpopulated-alloc.c | 83 +++++++++++++++++++++++++++++++++++++----
> include/xen/xen.h | 2 +
> 2 files changed, 78 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/xen/unpopulated-alloc.c b/drivers/xen/unpopulated-alloc.c
> index a03dc5b..07d3578 100644
> --- a/drivers/xen/unpopulated-alloc.c
> +++ b/drivers/xen/unpopulated-alloc.c
> @@ -8,6 +8,7 @@
>
> #include <asm/page.h>
>
> +#include <xen/balloon.h>
> #include <xen/page.h>
> #include <xen/xen.h>
>
> @@ -15,13 +16,29 @@ static DEFINE_MUTEX(list_lock);
> static struct page *page_list;
> static unsigned int list_count;
>
> +static struct resource *target_resource;
> +
> +/*
> + * If arch is not happy with system "iomem_resource" being used for
> + * the region allocation it can provide it's own view by creating specific
> + * Xen resource with unused regions of guest physical address space provided
> + * by the hypervisor.
> + */
> +int __weak __init arch_xen_unpopulated_init(struct resource **res)
> +{
> + *res = &iomem_resource;
> +
> + return 0;
> +}
> +
> static int fill_list(unsigned int nr_pages)
> {
> struct dev_pagemap *pgmap;
> - struct resource *res;
> + struct resource *res, *tmp_res = NULL;
> void *vaddr;
> unsigned int i, alloc_pages = round_up(nr_pages, PAGES_PER_SECTION);
> - int ret = -ENOMEM;
> + struct range mhp_range;
> + int ret;
>
> res = kzalloc(sizeof(*res), GFP_KERNEL);
> if (!res)
> @@ -30,14 +47,40 @@ static int fill_list(unsigned int nr_pages)
> res->name = "Xen scratch";
> res->flags = IORESOURCE_MEM | IORESOURCE_BUSY;
>
> - ret = allocate_resource(&iomem_resource, res,
> - alloc_pages * PAGE_SIZE, 0, -1,
> + mhp_range = mhp_get_pluggable_range(true);
> +
> + ret = allocate_resource(target_resource, res,
> + alloc_pages * PAGE_SIZE, mhp_range.start, mhp_range.end,
> PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL);
> if (ret < 0) {
> pr_err("Cannot allocate new IOMEM resource\n");
> goto err_resource;
> }
>
> + /*
> + * Reserve the region previously allocated from Xen resource to avoid
> + * re-using it by someone else.
> + */
> + if (target_resource != &iomem_resource) {
> + tmp_res = kzalloc(sizeof(*tmp_res), GFP_KERNEL);
> + if (!tmp_res) {
> + ret = -ENOMEM;
> + goto err_insert;
> + }
> +
> + tmp_res->name = res->name;
> + tmp_res->start = res->start;
> + tmp_res->end = res->end;
> + tmp_res->flags = res->flags;
> +
> + ret = request_resource(&iomem_resource, tmp_res);
> + if (ret < 0) {
> + pr_err("Cannot request resource %pR (%d)\n", tmp_res, ret);
> + kfree(tmp_res);
> + goto err_insert;
> + }
> + }
> +
> pgmap = kzalloc(sizeof(*pgmap), GFP_KERNEL);
> if (!pgmap) {
> ret = -ENOMEM;
> @@ -95,6 +138,11 @@ static int fill_list(unsigned int nr_pages)
> err_memremap:
> kfree(pgmap);
> err_pgmap:
> + if (tmp_res) {
> + release_resource(tmp_res);
> + kfree(tmp_res);
> + }
> +err_insert:
> release_resource(res);
> err_resource:
> kfree(res);
> @@ -112,6 +160,14 @@ int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages)
> unsigned int i;
> int ret = 0;
>
> + /*
> + * Fallback to default behavior if we do not have any suitable resource
> + * to allocate required region from and as the result we won't be able to
> + * construct pages.
> + */
> + if (!target_resource)
> + return xen_alloc_ballooned_pages(nr_pages, pages);
> +
> mutex_lock(&list_lock);
> if (list_count < nr_pages) {
> ret = fill_list(nr_pages - list_count);
> @@ -159,6 +215,11 @@ void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)
> {
> unsigned int i;
>
> + if (!target_resource) {
> + xen_free_ballooned_pages(nr_pages, pages);
> + return;
> + }
> +
> mutex_lock(&list_lock);
> for (i = 0; i < nr_pages; i++) {
> pages[i]->zone_device_data = page_list;
> @@ -169,9 +230,11 @@ void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)
> }
> EXPORT_SYMBOL(xen_free_unpopulated_pages);
>
> -#ifdef CONFIG_XEN_PV
> static int __init init(void)
> {
> + int ret;
> +
> +#ifdef CONFIG_XEN_PV
> unsigned int i;
>
> if (!xen_domain())
> @@ -196,8 +259,14 @@ static int __init init(void)
> list_count++;
> }
> }
> +#endif
>
> - return 0;
> + ret = arch_xen_unpopulated_init(&target_resource);
> + if (ret) {
> + pr_err("xen:unpopulated: Cannot initialize target resource\n");
> + target_resource = NULL;
> + }
> +
> + return ret;
> }
> subsys_initcall(init);
> -#endif
> diff --git a/include/xen/xen.h b/include/xen/xen.h
> index 86c5b37..a99bab8 100644
> --- a/include/xen/xen.h
> +++ b/include/xen/xen.h
> @@ -55,6 +55,8 @@ extern u64 xen_saved_max_mem_size;
> #ifdef CONFIG_XEN_UNPOPULATED_ALLOC
> int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages);
> void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages);
> +#include <linux/ioport.h>
> +int arch_xen_unpopulated_init(struct resource **res);
> #else
> #include <xen/balloon.h>
> static inline int xen_alloc_unpopulated_pages(unsigned int nr_pages,
> --
> 2.7.4
>

2021-11-25 01:09:13

by Stefano Stabellini

Subject: Re: [PATCH V3 5/6] arm/xen: Read extended regions from DT and init Xen resource

On Wed, 24 Nov 2021, Oleksandr Tyshchenko wrote:
> From: Oleksandr Tyshchenko <[email protected]>
>
> This patch implements arch_xen_unpopulated_init() on Arm where
> the extended regions (if any) are gathered from DT and inserted
> into specific Xen resource to be used as unused address space
> for Xen scratch pages by unpopulated-alloc code.
>
> The extended region (safe range) is a region of guest physical
> address space which is unused and could be safely used to create
> grant/foreign mappings instead of wasting real RAM pages from
> the domain memory for establishing these mappings.
>
> The extended regions are chosen by the hypervisor at the domain
> creation time and advertised to it via "reg" property under
> hypervisor node in the guest device-tree. As region 0 is reserved
> for grant table space (always present), the indexes for extended
> regions are 1...N.
>
> If arch_xen_unpopulated_init() fails for some reason the default
> behaviour will be restored (allocate xenballooned pages).
>
> This patch also removes XEN_UNPOPULATED_ALLOC dependency on x86.
>
> Signed-off-by: Oleksandr Tyshchenko <[email protected]>

Reviewed-by: Stefano Stabellini <[email protected]>


> ---
> Changes RFC -> V2:
> - new patch, instead of
> "[RFC PATCH 2/2] xen/unpopulated-alloc: Query hypervisor to provide unallocated space"
>
> Changes V2 -> V3:
> - update comments in code
> - drop the checks that a region is within the hotpluggable range,
> now the common code takes care of
> - update arch_xen_unpopulated_init() according to interface change,
> move xen_resource here, etc
> - use %pR specifier in error message
> - bail out in arch_xen_unpopulated_init() if !acpi_disabled
> - update checks in second loop in arch_xen_unpopulated_init()
> for the sake of clarity
> ---
> arch/arm/xen/enlighten.c | 106 +++++++++++++++++++++++++++++++++++++++++++++++
> drivers/xen/Kconfig | 2 +-
> 2 files changed, 107 insertions(+), 1 deletion(-)
>
> diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c
> index 3fb3384..019caa6 100644
> --- a/arch/arm/xen/enlighten.c
> +++ b/arch/arm/xen/enlighten.c
> @@ -62,6 +62,7 @@ static __read_mostly unsigned int xen_events_irq;
> static __read_mostly phys_addr_t xen_grant_frames;
>
> #define GRANT_TABLE_INDEX 0
> +#define EXT_REGION_INDEX 1
>
> uint32_t xen_start_flags;
> EXPORT_SYMBOL(xen_start_flags);
> @@ -303,6 +304,111 @@ static void __init xen_acpi_guest_init(void)
> #endif
> }
>
> +#ifdef CONFIG_XEN_UNPOPULATED_ALLOC
> +/*
> + * A type-less specific Xen resource which contains extended regions
> + * (unused regions of guest physical address space provided by the hypervisor).
> + */
> +static struct resource xen_resource = {
> + .name = "Xen unused space",
> +};
> +
> +int __init arch_xen_unpopulated_init(struct resource **res)
> +{
> + struct device_node *np;
> + struct resource *regs, *tmp_res;
> + uint64_t min_gpaddr = -1, max_gpaddr = 0;
> + unsigned int i, nr_reg = 0;
> + int rc;
> +
> + if (!xen_domain())
> + return -ENODEV;
> +
> + if (!acpi_disabled)
> + return -ENODEV;
> +
> + np = of_find_compatible_node(NULL, NULL, "xen,xen");
> + if (WARN_ON(!np))
> + return -ENODEV;
> +
> + /* Skip region 0 which is reserved for grant table space */
> + while (of_get_address(np, nr_reg + EXT_REGION_INDEX, NULL, NULL))
> + nr_reg++;
> +
> + if (!nr_reg) {
> + pr_err("No extended regions are found\n");
> + return -EINVAL;
> + }
> +
> + regs = kcalloc(nr_reg, sizeof(*regs), GFP_KERNEL);
> + if (!regs)
> + return -ENOMEM;
> +
> + /*
> + * Create resource from extended regions provided by the hypervisor to be
> + * used as unused address space for Xen scratch pages.
> + */
> + for (i = 0; i < nr_reg; i++) {
> + rc = of_address_to_resource(np, i + EXT_REGION_INDEX, &regs[i]);
> + if (rc)
> + goto err;
> +
> + if (max_gpaddr < regs[i].end)
> + max_gpaddr = regs[i].end;
> + if (min_gpaddr > regs[i].start)
> + min_gpaddr = regs[i].start;
> + }
> +
> + xen_resource.start = min_gpaddr;
> + xen_resource.end = max_gpaddr;
> +
> + /*
> + * Mark holes between extended regions as unavailable. The rest of that
> + * address space will be available for the allocation.
> + */
> + for (i = 1; i < nr_reg; i++) {
> + resource_size_t start, end;
> +
> + /* There is an overlap between regions */
> + if (regs[i - 1].end + 1 > regs[i].start) {
> + rc = -EINVAL;
> + goto err;
> + }
> +
> + /* There is no hole between regions */
> + if (regs[i - 1].end + 1 == regs[i].start)
> + continue;
> +
> + start = regs[i - 1].end + 1;
> + end = regs[i].start - 1;
> +
> + tmp_res = kzalloc(sizeof(*tmp_res), GFP_KERNEL);
> + if (!tmp_res) {
> + rc = -ENOMEM;
> + goto err;
> + }
> +
> + tmp_res->name = "Unavailable space";
> + tmp_res->start = start;
> + tmp_res->end = end;
> +
> + rc = insert_resource(&xen_resource, tmp_res);
> + if (rc) {
> + pr_err("Cannot insert resource %pR (%d)\n", tmp_res, rc);
> + kfree(tmp_res);
> + goto err;
> + }
> + }
> +
> + *res = &xen_resource;
> +
> +err:
> + kfree(regs);
> +
> + return rc;
> +}
> +#endif
> +
> static void __init xen_dt_guest_init(void)
> {
> struct device_node *xen_node;
> diff --git a/drivers/xen/Kconfig b/drivers/xen/Kconfig
> index a1b11c62..553b614 100644
> --- a/drivers/xen/Kconfig
> +++ b/drivers/xen/Kconfig
> @@ -321,7 +321,7 @@ config XEN_FRONT_PGDIR_SHBUF
>
> config XEN_UNPOPULATED_ALLOC
> bool "Use unpopulated memory ranges for guest mappings"
> - depends on X86 && ZONE_DEVICE
> + depends on ZONE_DEVICE
> default XEN_BACKEND || XEN_GNTDEV || XEN_DOM0
> help
> Use unpopulated memory ranges in order to create mappings for guest
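
For readers following along, here is a hedged illustration of what the hole-marking
loop in arch_xen_unpopulated_init() above produces; the addresses and the helper
below are made up purely for the example and are not part of the series.

#include <linux/init.h>
#include <linux/ioport.h>

/*
 * Hypothetical example: Xen advertises two extended regions,
 *   region 1: 0x10000000 - 0x1fffffff
 *   region 2: 0x40000000 - 0x7fffffff
 * The parent resource then spans 0x10000000 - 0x7fffffff, and the gap
 * between the two regions is inserted as an "Unavailable space" child so
 * that allocate_resource() in fill_list() can never hand it out.
 */
static struct resource example_hole = {
	.name  = "Unavailable space",
	.start = 0x20000000,
	.end   = 0x3fffffff,
};

static int __init example_mark_hole(struct resource *xen_res)
{
	xen_res->start = 0x10000000;
	xen_res->end   = 0x7fffffff;

	return insert_resource(xen_res, &example_hole);
}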

2021-11-25 01:11:55

by Stefano Stabellini

[permalink] [raw]
Subject: Re: [PATCH V3 6/6] dt-bindings: xen: Clarify "reg" purpose

On Wed, 24 Nov 2021, Oleksandr Tyshchenko wrote:
> From: Oleksandr Tyshchenko <[email protected]>
>
> Xen on Arm has gained new support recently to calculate and report
> extended regions (unused address space) safe to use for external
> mappings. These regions are reported via "reg" property under
> "hypervisor" node in the guest device-tree. As region 0 is reserved
> for grant table space (always present), the indexes for extended
> regions are 1...N.
>
> No device-tree bindings update is needed (except clarifying the text)
> as guest infers the presence of extended regions from the number
> of regions in "reg" property.
>
> Signed-off-by: Oleksandr Tyshchenko <[email protected]>
> ---
> According to the recent update to Xen's guest.txt:
> https://xenbits.xen.org/gitweb/?p=xen.git;a=blob_plain;f=docs/misc/arm/device-tree/guest.txt;hb=refs/heads/master
>
> Changes V2 -> V3:
> - new patch
> ---
> Documentation/devicetree/bindings/arm/xen.txt | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/Documentation/devicetree/bindings/arm/xen.txt b/Documentation/devicetree/bindings/arm/xen.txt
> index db5c56d..156fe10b 100644
> --- a/Documentation/devicetree/bindings/arm/xen.txt
> +++ b/Documentation/devicetree/bindings/arm/xen.txt
> @@ -7,10 +7,14 @@ the following properties:
> compatible = "xen,xen-<version>", "xen,xen";
> where <version> is the version of the Xen ABI of the platform.
>
> -- reg: specifies the base physical address and size of a region in
> - memory where the grant table should be mapped to, using an
> - HYPERVISOR_memory_op hypercall. The memory region is large enough to map
> - the whole grant table (it is larger or equal to gnttab_max_grant_frames()).
> +- reg: specifies the base physical address and size of the regions in memory
> + where the special resources should be mapped to, using an HYPERVISOR_memory_op
> + hypercall.
> + Region 0 is reserved for mapping the grant table; it must always be present.
> + The memory region is large enough to map the whole grant table (it is larger
> + than or equal to gnttab_max_grant_frames()).
> + Regions 1...N are extended regions (unused address space) for mapping foreign
> + GFNs and grants; they might be absent if there is nothing to expose.
> This property is unnecessary when booting Dom0 using ACPI.

I would remove the last sentence about ACPI as the initialization is not
done via the xen,xen device tree node in that case anyway.

With that change:

Reviewed-by: Stefano Stabellini <[email protected]>

2021-11-25 11:45:52

by Oleksandr Tyshchenko

[permalink] [raw]
Subject: Re: [PATCH V3 2/6] arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for DT


On 25.11.21 01:35, Stefano Stabellini wrote:

Hi Stefano


> On Wed, 24 Nov 2021, Oleksandr Tyshchenko wrote:
>> From: Oleksandr Tyshchenko <[email protected]>
>>
>> Read the start address of the grant table space from DT
>> (region 0).
>>
>> This patch mostly restores behaviour before commit 3cf4095d7446
>> ("arm/xen: Use xen_xlate_map_ballooned_pages to setup grant table")
>> but trying not to break the ACPI support added after that commit.
>> So the patch touches DT part only and leaves the ACPI part with
>> xen_xlate_map_ballooned_pages(). Also, in order to make the code more
>> resilient, use a fallback to xen_xlate_map_ballooned_pages() if the
>> grant table region wasn't found.
>>
>> This is a preparation for using Xen extended region feature
>> where unused regions of guest physical address space (provided
>> by the hypervisor) will be used to create grant/foreign/whatever
>> mappings instead of wasting real RAM pages from the domain memory
>> for establishing these mappings.
>>
>> The immediate benefit of this change:
>> - Avoid superpage shattering in Xen P2M when establishing
>> stage-2 mapping (GFN <-> MFN) for the grant table space
>> - Avoid wasting real RAM pages (reducing the amount of memory
>> usable) for mapping grant table space
>> - The grant table space is always mapped at the exact
>> same place (region 0 is reserved for the grant table)
>>
>> Signed-off-by: Oleksandr Tyshchenko <[email protected]>
>> ---
>> Changes RFC -> V2:
>> - new patch
>>
>> Changes V2 -> V3:
>> - add __read_mostly specifier to xen_grant_frames
>> - retain a fallback to xen_xlate_map_ballooned_pages() if
>> xen_grant_frames is invalid
>> - process xen_events_irq before xen_grant_frames in
>> xen_dt_guest_init()
>> - update patch description
>> ---
>> arch/arm/xen/enlighten.c | 26 ++++++++++++++++++++------
>> 1 file changed, 20 insertions(+), 6 deletions(-)
>>
>> diff --git a/arch/arm/xen/enlighten.c b/arch/arm/xen/enlighten.c
>> index 7619fbf..3fb3384 100644
>> --- a/arch/arm/xen/enlighten.c
>> +++ b/arch/arm/xen/enlighten.c
>> @@ -59,6 +59,9 @@ unsigned long xen_released_pages;
>> struct xen_memory_region xen_extra_mem[XEN_EXTRA_MEM_MAX_REGIONS] __initdata;
>>
>> static __read_mostly unsigned int xen_events_irq;
>> +static __read_mostly phys_addr_t xen_grant_frames;
>> +
>> +#define GRANT_TABLE_INDEX 0
>>
>> uint32_t xen_start_flags;
>> EXPORT_SYMBOL(xen_start_flags);
>> @@ -303,6 +306,7 @@ static void __init xen_acpi_guest_init(void)
>> static void __init xen_dt_guest_init(void)
>> {
>> struct device_node *xen_node;
>> + struct resource res;
>>
>> xen_node = of_find_compatible_node(NULL, NULL, "xen,xen");
>> if (!xen_node) {
>> @@ -311,13 +315,19 @@ static void __init xen_dt_guest_init(void)
>> }
>>
>> xen_events_irq = irq_of_parse_and_map(xen_node, 0);
>> +
>> + if (of_address_to_resource(xen_node, GRANT_TABLE_INDEX, &res)) {
>> + pr_err("Xen grant table region is not found\n");
>> + return;
>> + }
>> + xen_grant_frames = res.start;
>> }
>>
>> static int __init xen_guest_init(void)
>> {
>> struct xen_add_to_physmap xatp;
>> struct shared_info *shared_info_page = NULL;
>> - int cpu;
>> + int rc, cpu;
>>
>> if (!xen_domain())
>> return 0;
>> @@ -370,12 +380,16 @@ static int __init xen_guest_init(void)
>> for_each_possible_cpu(cpu)
>> per_cpu(xen_vcpu_id, cpu) = cpu;
>>
>> - xen_auto_xlat_grant_frames.count = gnttab_max_grant_frames();
>> - if (xen_xlate_map_ballooned_pages(&xen_auto_xlat_grant_frames.pfn,
>> - &xen_auto_xlat_grant_frames.vaddr,
>> - xen_auto_xlat_grant_frames.count)) {
>> + if (!acpi_disabled || !xen_grant_frames) {
> I realize now that we only need:
>
> if (!xen_grant_frames) {

Indeed, the first part of the check looks superfluous, will do.


>
> with that:
>
> Reviewed-by: Stefano Stabellini <[email protected]>

Thanks!


>
>
>
>> + xen_auto_xlat_grant_frames.count = gnttab_max_grant_frames();
>> + rc = xen_xlate_map_ballooned_pages(&xen_auto_xlat_grant_frames.pfn,
>> + &xen_auto_xlat_grant_frames.vaddr,
>> + xen_auto_xlat_grant_frames.count);
>> + } else
>> + rc = gnttab_setup_auto_xlat_frames(xen_grant_frames);
>> + if (rc) {
>> free_percpu(xen_vcpu_info);
>> - return -ENOMEM;
>> + return rc;
>> }
>> gnttab_init();

--
Regards,

Oleksandr Tyshchenko


2021-11-25 12:23:42

by Oleksandr Tyshchenko

[permalink] [raw]
Subject: Re: [PATCH V3 6/6] dt-bindings: xen: Clarify "reg" purpose


On 25.11.21 03:09, Stefano Stabellini wrote:

Hi Stefano

> On Wed, 24 Nov 2021, Oleksandr Tyshchenko wrote:
>> From: Oleksandr Tyshchenko <[email protected]>
>>
>> Xen on Arm has gained new support recently to calculate and report
>> extended regions (unused address space) safe to use for external
>> mappings. These regions are reported via "reg" property under
>> "hypervisor" node in the guest device-tree. As region 0 is reserved
>> for grant table space (always present), the indexes for extended
>> regions are 1...N.
>>
>> No device-tree bindings update is needed (except clarifying the text)
>> as guest infers the presence of extended regions from the number
>> of regions in "reg" property.
>>
>> Signed-off-by: Oleksandr Tyshchenko <[email protected]>
>> ---
>> According to the recent update to Xen's guest.txt:
>> https://xenbits.xen.org/gitweb/?p=xen.git;a=blob_plain;f=docs/misc/arm/device-tree/guest.txt;hb=refs/heads/master
>>
>> Changes V2 -> V3:
>> - new patch
>> ---
>> Documentation/devicetree/bindings/arm/xen.txt | 12 ++++++++----
>> 1 file changed, 8 insertions(+), 4 deletions(-)
>>
>> diff --git a/Documentation/devicetree/bindings/arm/xen.txt b/Documentation/devicetree/bindings/arm/xen.txt
>> index db5c56d..156fe10b 100644
>> --- a/Documentation/devicetree/bindings/arm/xen.txt
>> +++ b/Documentation/devicetree/bindings/arm/xen.txt
>> @@ -7,10 +7,14 @@ the following properties:
>> compatible = "xen,xen-<version>", "xen,xen";
>> where <version> is the version of the Xen ABI of the platform.
>>
>> -- reg: specifies the base physical address and size of a region in
>> - memory where the grant table should be mapped to, using an
>> - HYPERVISOR_memory_op hypercall. The memory region is large enough to map
>> - the whole grant table (it is larger or equal to gnttab_max_grant_frames()).
>> +- reg: specifies the base physical address and size of the regions in memory
>> + where the special resources should be mapped to, using an HYPERVISOR_memory_op
>> + hypercall.
>> + Region 0 is reserved for mapping the grant table; it must always be present.
>> + The memory region is large enough to map the whole grant table (it is larger
>> + than or equal to gnttab_max_grant_frames()).
>> + Regions 1...N are extended regions (unused address space) for mapping foreign
>> + GFNs and grants; they might be absent if there is nothing to expose.
>> This property is unnecessary when booting Dom0 using ACPI.
> I would remove the last sentence about ACPI as the initialization is not
> done via the xen,xen device tree node in that case anyway.

Agree, will do. I assume, the similar sentence for the "interrupts"
property down the text wants removing as well.


>
> With that change:
>
> Reviewed-by: Stefano Stabellini <[email protected]>

Thanks!


--
Regards,

Oleksandr Tyshchenko


2021-11-25 14:04:47

by Oleksandr Tyshchenko

[permalink] [raw]
Subject: Re: [PATCH V3 4/6] xen/unpopulated-alloc: Add mechanism to use Xen resource


On 25.11.21 03:03, Stefano Stabellini wrote:

Hi Stefano, all

> On Wed, 24 Nov 2021, Oleksandr Tyshchenko wrote:
>> From: Oleksandr Tyshchenko <[email protected]>
>>
>> The main reason for this change is that the unpopulated-alloc
>> code cannot be used in its current form on Arm, but there
>> is a desire to reuse it to avoid wasting real RAM pages
>> for the grant/foreign mappings.
>>
>> The problem is that system "iomem_resource" is used for
>> the address space allocation, but the really unallocated
>> space can't be figured out precisely by the domain on Arm
>> without hypervisor involvement. For example, not all device
>> I/O regions are known by the time domain starts creating
>> grant/foreign mappings. And following the advise from
>> "iomem_resource" we might end up reusing these regions by
>> a mistake. So, the hypervisor which maintains the P2M for
>> the domain is in the best position to provide unused regions
>> of guest physical address space which could be safely used
>> to create grant/foreign mappings.
>>
>> Introduce a new helper, arch_xen_unpopulated_init(), whose purpose
>> is to create a specific Xen resource based on the memory regions
>> provided by the hypervisor to be used as unused space for Xen
>> scratch pages. If the arch doesn't define arch_xen_unpopulated_init(),
>> the default "iomem_resource" will be used.
>>
>> Update the argument list of allocate_resource() in fill_list()
>> to always allocate a region from the hotpluggable range
>> (the maximum possible addressable physical memory range for which
>> the linear mapping could be created). If the arch doesn't define
>> arch_get_mappable_range(), the default range (0,-1) will be used.
>>
>> The behaviour on x86 won't be changed by the current patch, as neither
>> arch_xen_unpopulated_init() nor arch_get_mappable_range()
>> is implemented for it.
>>
>> Also fall back to allocating xenballooned pages (ballooning out RAM
>> pages) if we do not have any suitable resource to work with
>> (target_resource is invalid) and as a result we won't be able
>> to provide unpopulated pages on request.
>>
>> Signed-off-by: Oleksandr Tyshchenko <[email protected]>
>
> Reviewed-by: Stefano Stabellini <[email protected]>

Thanks!


What still worries me is a concern with x86's xen_pvh_gnttab_setup() that I
described in the post-commit remark ...


>
>
>> ---
>> Please note the following:
>> for V3 arch_xen_unpopulated_init() was moved to init() as was agreed
>> and gained __init specifier. So the target_resource is initialized there.
>>
>> With current patch series applied if CONFIG_XEN_UNPOPULATED_ALLOC
>> is enabled:
>>
>> 1. On Arm, under normal circumstances, the xen_alloc_unpopulated_pages()
>> won't be called “before” arch_xen_unpopulated_init(). It will only be
>> called "before" when either ACPI is in use or something wrong happened
>> with DT (and we failed to read xen_grant_frames), so we fallback to
>> xen_xlate_map_ballooned_pages() in arm/xen/enlighten.c:xen_guest_init(),
>> please see "arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for DT"
>> for details. But in that case, I think, it doesn't matter much whether
>> xen_alloc_unpopulated_pages() is called "before" of "after" target_resource
>> initialization, as we don't have extended regions in place the target_resource
>> will remain invalid even after initialization, so xen_alloc_ballooned_pages()
>> will be used in both scenarios.
>>
>> 2. On x86, I am not quite sure which modes use unpopulated-alloc (PVH?),
>> but it looks like xen_alloc_unpopulated_pages() can (and will) be called
>> “before” arch_xen_unpopulated_init().
>> At least, I see that xen_xlate_map_ballooned_pages() is called in
>> x86/xen/grant-table.c:xen_pvh_gnttab_setup(). According to the initcall
>> levels for both xen_pvh_gnttab_setup() and init() I expect the former
>> to be called earlier.
>> If it is true, the sentence in the commit description which mentions
>> that “behaviour on x86 is not changed” is not precise. I don’t think
>> it would be correct to fallback to xen_alloc_ballooned_pages() just
>> because we haven’t initialized target_resource yet (on x86 it is just
>> assigning it iomem_resource), at least this doesn't look like an expected
>> behaviour and unlikely would be welcome.
>>
>> I am wondering whether it would be better to move arch_xen_unpopulated_init()
>> to a dedicated init() marked with an appropriate initcall level (early_initcall?)
>> to make sure it will always be called *before* xen_xlate_map_ballooned_pages().
>> What do you think?

   ... here (#2). Or I really missed something and there wouldn't be an
issue?


>>
>> Changes RFC -> V2:
>> - new patch, instead of
>> "[RFC PATCH 2/2] xen/unpopulated-alloc: Query hypervisor to provide unallocated space"
>>
>> Changes V2 -> V3:
>> - update patch description and comments in code
>> - modify arch_xen_unpopulated_init() to pass target_resource as an argument
>> and update default helper to assign iomem_resource to it, also drop
>> xen_resource as it will be located in arch code in the future
>> - allocate region from hotpluggable range instead of hardcoded range (0,-1)
>> in fill_list()
>> - use %pR specifier in error message
>> - do not call unpopulated_init() at runtime from xen_alloc_unpopulated_pages(),
>> drop an extra helper and call arch_xen_unpopulated_init() directly from __init()
>> - include linux/ioport.h instead of forward declaration of struct resource
>> - replace insert_resource() with request_resource() in fill_list()
>> - add __init specifier to arch_xen_unpopulated_init()
>> ---
>> drivers/xen/unpopulated-alloc.c | 83 +++++++++++++++++++++++++++++++++++++----
>> include/xen/xen.h | 2 +
>> 2 files changed, 78 insertions(+), 7 deletions(-)
>>
>> diff --git a/drivers/xen/unpopulated-alloc.c b/drivers/xen/unpopulated-alloc.c
>> index a03dc5b..07d3578 100644
>> --- a/drivers/xen/unpopulated-alloc.c
>> +++ b/drivers/xen/unpopulated-alloc.c
>> @@ -8,6 +8,7 @@
>>
>> #include <asm/page.h>
>>
>> +#include <xen/balloon.h>
>> #include <xen/page.h>
>> #include <xen/xen.h>
>>
>> @@ -15,13 +16,29 @@ static DEFINE_MUTEX(list_lock);
>> static struct page *page_list;
>> static unsigned int list_count;
>>
>> +static struct resource *target_resource;
>> +
>> +/*
>> + * If arch is not happy with system "iomem_resource" being used for
>> + * the region allocation it can provide its own view by creating a specific
>> + * Xen resource with unused regions of guest physical address space provided
>> + * by the hypervisor.
>> + */
>> +int __weak __init arch_xen_unpopulated_init(struct resource **res)
>> +{
>> + *res = &iomem_resource;
>> +
>> + return 0;
>> +}
>> +
>> static int fill_list(unsigned int nr_pages)
>> {
>> struct dev_pagemap *pgmap;
>> - struct resource *res;
>> + struct resource *res, *tmp_res = NULL;
>> void *vaddr;
>> unsigned int i, alloc_pages = round_up(nr_pages, PAGES_PER_SECTION);
>> - int ret = -ENOMEM;
>> + struct range mhp_range;
>> + int ret;
>>
>> res = kzalloc(sizeof(*res), GFP_KERNEL);
>> if (!res)
>> @@ -30,14 +47,40 @@ static int fill_list(unsigned int nr_pages)
>> res->name = "Xen scratch";
>> res->flags = IORESOURCE_MEM | IORESOURCE_BUSY;
>>
>> - ret = allocate_resource(&iomem_resource, res,
>> - alloc_pages * PAGE_SIZE, 0, -1,
>> + mhp_range = mhp_get_pluggable_range(true);
>> +
>> + ret = allocate_resource(target_resource, res,
>> + alloc_pages * PAGE_SIZE, mhp_range.start, mhp_range.end,
>> PAGES_PER_SECTION * PAGE_SIZE, NULL, NULL);
>> if (ret < 0) {
>> pr_err("Cannot allocate new IOMEM resource\n");
>> goto err_resource;
>> }
>>
>> + /*
>> + * Reserve the region previously allocated from Xen resource to avoid
>> + * re-using it by someone else.
>> + */
>> + if (target_resource != &iomem_resource) {
>> + tmp_res = kzalloc(sizeof(*tmp_res), GFP_KERNEL);
>> + if (!res) {
>> + ret = -ENOMEM;
>> + goto err_insert;
>> + }
>> +
>> + tmp_res->name = res->name;
>> + tmp_res->start = res->start;
>> + tmp_res->end = res->end;
>> + tmp_res->flags = res->flags;
>> +
>> + ret = request_resource(&iomem_resource, tmp_res);
>> + if (ret < 0) {
>> + pr_err("Cannot request resource %pR (%d)\n", tmp_res, ret);
>> + kfree(tmp_res);
>> + goto err_insert;
>> + }
>> + }
>> +
>> pgmap = kzalloc(sizeof(*pgmap), GFP_KERNEL);
>> if (!pgmap) {
>> ret = -ENOMEM;
>> @@ -95,6 +138,11 @@ static int fill_list(unsigned int nr_pages)
>> err_memremap:
>> kfree(pgmap);
>> err_pgmap:
>> + if (tmp_res) {
>> + release_resource(tmp_res);
>> + kfree(tmp_res);
>> + }
>> +err_insert:
>> release_resource(res);
>> err_resource:
>> kfree(res);
>> @@ -112,6 +160,14 @@ int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages)
>> unsigned int i;
>> int ret = 0;
>>
>> + /*
>> + * Fallback to default behavior if we do not have any suitable resource
>> + * to allocate required region from and as the result we won't be able to
>> + * construct pages.
>> + */
>> + if (!target_resource)
>> + return xen_alloc_ballooned_pages(nr_pages, pages);
>> +
>> mutex_lock(&list_lock);
>> if (list_count < nr_pages) {
>> ret = fill_list(nr_pages - list_count);
>> @@ -159,6 +215,11 @@ void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)
>> {
>> unsigned int i;
>>
>> + if (!target_resource) {
>> + xen_free_ballooned_pages(nr_pages, pages);
>> + return;
>> + }
>> +
>> mutex_lock(&list_lock);
>> for (i = 0; i < nr_pages; i++) {
>> pages[i]->zone_device_data = page_list;
>> @@ -169,9 +230,11 @@ void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages)
>> }
>> EXPORT_SYMBOL(xen_free_unpopulated_pages);
>>
>> -#ifdef CONFIG_XEN_PV
>> static int __init init(void)
>> {
>> + int ret;
>> +
>> +#ifdef CONFIG_XEN_PV
>> unsigned int i;
>>
>> if (!xen_domain())
>> @@ -196,8 +259,14 @@ static int __init init(void)
>> list_count++;
>> }
>> }
>> +#endif
>>
>> - return 0;
>> + ret = arch_xen_unpopulated_init(&target_resource);
>> + if (ret) {
>> + pr_err("xen:unpopulated: Cannot initialize target resource\n");
>> + target_resource = NULL;
>> + }
>> +
>> + return ret;
>> }
>> subsys_initcall(init);
>> -#endif
>> diff --git a/include/xen/xen.h b/include/xen/xen.h
>> index 86c5b37..a99bab8 100644
>> --- a/include/xen/xen.h
>> +++ b/include/xen/xen.h
>> @@ -55,6 +55,8 @@ extern u64 xen_saved_max_mem_size;
>> #ifdef CONFIG_XEN_UNPOPULATED_ALLOC
>> int xen_alloc_unpopulated_pages(unsigned int nr_pages, struct page **pages);
>> void xen_free_unpopulated_pages(unsigned int nr_pages, struct page **pages);
>> +#include <linux/ioport.h>
>> +int arch_xen_unpopulated_init(struct resource **res);
>> #else
>> #include <xen/balloon.h>
>> static inline int xen_alloc_unpopulated_pages(unsigned int nr_pages,
>> --
>> 2.7.4

--
Regards,

Oleksandr Tyshchenko
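
As an editorial aside, the following is a minimal, hypothetical sketch of how a
caller consumes this interface; the prototypes match the quoted include/xen/xen.h
hunk, while the function name, the page-count handling and the error paths are
invented for illustration only.

#include <linux/mm.h>
#include <linux/slab.h>
#include <xen/xen.h>

/*
 * Illustrative only: obtain a handful of unpopulated pages to back
 * grant/foreign mappings, then release them again.
 */
static int example_use_unpopulated(unsigned int nr_pages)
{
	struct page **pages;
	int ret;

	pages = kcalloc(nr_pages, sizeof(*pages), GFP_KERNEL);
	if (!pages)
		return -ENOMEM;

	/*
	 * With this series, on Arm these pages come from the extended
	 * regions advertised by Xen; if no valid target_resource was set
	 * up, the call falls back to ballooning out real RAM pages.
	 */
	ret = xen_alloc_unpopulated_pages(nr_pages, pages);
	if (ret) {
		kfree(pages);
		return ret;
	}

	/* ... create grant/foreign mappings on top of pages[] here ... */

	xen_free_unpopulated_pages(nr_pages, pages);
	kfree(pages);

	return 0;
}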


2021-11-26 15:20:05

by Boris Ostrovsky

[permalink] [raw]
Subject: Re: [PATCH V3 4/6] xen/unpopulated-alloc: Add mechanism to use Xen resource


On 11/24/21 3:53 PM, Oleksandr Tyshchenko wrote:
> + if (target_resource != &iomem_resource) {
> + tmp_res = kzalloc(sizeof(*tmp_res), GFP_KERNEL);
> + if (!res) {


If (!tmp_res)


> + ret = -ENOMEM;
> + goto err_insert;
> + }

2021-11-26 15:30:28

by Oleksandr Tyshchenko

[permalink] [raw]
Subject: Re: [PATCH V3 4/6] xen/unpopulated-alloc: Add mechanism to use Xen resource


On 26.11.21 17:17, Boris Ostrovsky wrote:

Hi Boris


>
> On 11/24/21 3:53 PM, Oleksandr Tyshchenko wrote:
>> +    if (target_resource != &iomem_resource) {
>> +        tmp_res = kzalloc(sizeof(*tmp_res), GFP_KERNEL);
>> +        if (!res) {
>
>
> If (!tmp_res)


Good catch, thank you!


>
>
>> +            ret = -ENOMEM;
>> +            goto err_insert;
>> +        }

--
Regards,

Oleksandr Tyshchenko


2021-11-29 01:03:24

by Rob Herring (Arm)

[permalink] [raw]
Subject: Re: [PATCH V3 6/6] dt-bindings: xen: Clarify "reg" purpose

On Wed, 24 Nov 2021 22:53:43 +0200, Oleksandr Tyshchenko wrote:
> From: Oleksandr Tyshchenko <[email protected]>
>
> Xen on Arm has gained new support recently to calculate and report
> extended regions (unused address space) safe to use for external
> mappings. These regions are reported via "reg" property under
> "hypervisor" node in the guest device-tree. As region 0 is reserved
> for grant table space (always present), the indexes for extended
> regions are 1...N.
>
> No device-tree bindings update is needed (except clarifying the text)
> as guest infers the presence of extended regions from the number
> of regions in "reg" property.
>
> Signed-off-by: Oleksandr Tyshchenko <[email protected]>
> ---
> According to the recent update to Xen's guest.txt:
> https://xenbits.xen.org/gitweb/?p=xen.git;a=blob_plain;f=docs/misc/arm/device-tree/guest.txt;hb=refs/heads/master
>
> Changes V2 -> V3:
> - new patch
> ---
> Documentation/devicetree/bindings/arm/xen.txt | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>

Acked-by: Rob Herring <[email protected]>

2021-12-07 23:37:01

by Stefano Stabellini

[permalink] [raw]
Subject: Re: [PATCH V3 4/6] xen/unpopulated-alloc: Add mechanism to use Xen resource

On Thu, 25 Nov 2021, Oleksandr wrote:
> > > Please note the following:
> > > for V3 arch_xen_unpopulated_init() was moved to init() as was agreed
> > > and gained __init specifier. So the target_resource is initialized there.
> > >
> > > With current patch series applied if CONFIG_XEN_UNPOPULATED_ALLOC
> > > is enabled:
> > >
> > > 1. On Arm, under normal circumstances, the xen_alloc_unpopulated_pages()
> > > won't be called “before” arch_xen_unpopulated_init(). It will only be
> > > called "before" when either ACPI is in use or something wrong happened
> > > with DT (and we failed to read xen_grant_frames), so we fallback to
> > > xen_xlate_map_ballooned_pages() in arm/xen/enlighten.c:xen_guest_init(),
> > > please see "arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for DT"
> > > for details. But in that case, I think, it doesn't matter much whether
> > > xen_alloc_unpopulated_pages() is called "before" of "after"
> > > target_resource
> > > initialization, as we don't have extended regions in place the
> > > target_resource
> > > will remain invalid even after initialization, so
> > > xen_alloc_ballooned_pages()
> > > will be used in both scenarios.
> > >
> > > 2. On x86, I am not quite sure which modes use unpopulated-alloc (PVH?),
> > > but it looks like xen_alloc_unpopulated_pages() can (and will) be called
> > > “before” arch_xen_unpopulated_init().
> > > At least, I see that xen_xlate_map_ballooned_pages() is called in
> > > x86/xen/grant-table.c:xen_pvh_gnttab_setup(). According to the initcall
> > > levels for both xen_pvh_gnttab_setup() and init() I expect the former
> > > to be called earlier.
> > > If it is true, the sentence in the commit description which mentions
> > > that “behaviour on x86 is not changed” is not precise. I don’t think
> > > it would be correct to fallback to xen_alloc_ballooned_pages() just
> > > because we haven’t initialized target_resource yet (on x86 it is just
> > > assigning it iomem_resource), at least this doesn't look like an expected
> > > behaviour and unlikely would be welcome.
> > >
> > > I am wondering whether it would be better to move
> > > arch_xen_unpopulated_init()
> > > to a dedicated init() marked with an appropriate initcall level
> > > (early_initcall?)
> > > to make sure it will always be called *before*
> > > xen_xlate_map_ballooned_pages().
> > > What do you think?
>
>    ... here (#2). Or I really missed something and there wouldn't be an issue?

Yes, I see your point. Yeah, it makes sense to make sure that
drivers/xen/unpopulated-alloc.c:init is executed before
xen_pvh_gnttab_setup.

If we move it to early_initcall, then we end up running it before
xen_guest_init on ARM. But that might be fine: it looks like it should
work OK and would also allow us to execute xen_xlate_map_ballooned_pages
with target_resource already set.

So I'd say go for it :)

2021-12-09 00:04:17

by Oleksandr Tyshchenko

[permalink] [raw]
Subject: Re: [PATCH V3 4/6] xen/unpopulated-alloc: Add mechanism to use Xen resource


On 08.12.21 01:36, Stefano Stabellini wrote:


Hi Stefano

> On Thu, 25 Nov 2021, Oleksandr wrote:
>>>> Please note the following:
>>>> for V3 arch_xen_unpopulated_init() was moved to init() as was agreed
>>>> and gained __init specifier. So the target_resource is initialized there.
>>>>
>>>> With current patch series applied if CONFIG_XEN_UNPOPULATED_ALLOC
>>>> is enabled:
>>>>
>>>> 1. On Arm, under normal circumstances, the xen_alloc_unpopulated_pages()
>>>> won't be called “before” arch_xen_unpopulated_init(). It will only be
>>>> called "before" when either ACPI is in use or something wrong happened
>>>> with DT (and we failed to read xen_grant_frames), so we fallback to
>>>> xen_xlate_map_ballooned_pages() in arm/xen/enlighten.c:xen_guest_init(),
>>>> please see "arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for DT"
>>>> for details. But in that case, I think, it doesn't matter much whether
>>>> xen_alloc_unpopulated_pages() is called "before" of "after"
>>>> target_resource
>>>> initialization, as we don't have extended regions in place the
>>>> target_resource
>>>> will remain invalid even after initialization, so
>>>> xen_alloc_ballooned_pages()
>>>> will be used in both scenarios.
>>>>
>>>> 2. On x86, I am not quite sure which modes use unpopulated-alloc (PVH?),
>>>> but it looks like xen_alloc_unpopulated_pages() can (and will) be called
>>>> “before” arch_xen_unpopulated_init().
>>>> At least, I see that xen_xlate_map_ballooned_pages() is called in
>>>> x86/xen/grant-table.c:xen_pvh_gnttab_setup(). According to the initcall
>>>> levels for both xen_pvh_gnttab_setup() and init() I expect the former
>>>> to be called earlier.
>>>> If it is true, the sentence in the commit description which mentions
>>>> that “behaviour on x86 is not changed” is not precise. I don’t think
>>>> it would be correct to fallback to xen_alloc_ballooned_pages() just
>>>> because we haven’t initialized target_resource yet (on x86 it is just
>>>> assigning it iomem_resource), at least this doesn't look like an expected
>>>> behaviour and unlikely would be welcome.
>>>>
>>>> I am wondering whether it would be better to move
>>>> arch_xen_unpopulated_init()
>>>> to a dedicated init() marked with an appropriate initcall level
>>>> (early_initcall?)
>>>> to make sure it will always be called *before*
>>>> xen_xlate_map_ballooned_pages().
>>>> What do you think?
>>    ... here (#2). Or I really missed something and there wouldn't be an issue?
> Yes, I see your point. Yeah, it makes sense to make sure that
> drivers/xen/unpopulated-alloc.c:init is executed before
> xen_pvh_gnttab_setup.
>
> If we move it to early_initcall, then we end up running it before
> xen_guest_init on ARM. But that might be fine: it looks like it should
> work OK and would also allow us to execute xen_xlate_map_ballooned_pages
> with target_resource already set.
>
> So I'd say go for it :)


Thank you for the confirmation! In order to be on the safe side, I would
probably leave drivers/xen/unpopulated-alloc.c:init as is, I mean with
current subsys initcall level (it expects the extra memory regions to be
already filled)
and create a separate unpopulated_init() to put
arch_xen_unpopulated_init() into. Something like the following:

static int __init unpopulated_init(void)
{
    int ret;

    if (!xen_domain())
        return -ENODEV;

    ret = arch_xen_unpopulated_init(&target_resource);
    if (ret) {
        pr_err("xen:unpopulated: Cannot initialize target resource\n");
        target_resource = NULL;
    }

    return ret;
}
early_initcall(unpopulated_init);




--
Regards,

Oleksandr Tyshchenko


2021-12-09 00:59:37

by Stefano Stabellini

[permalink] [raw]
Subject: Re: [PATCH V3 4/6] xen/unpopulated-alloc: Add mechanism to use Xen resource

On Thu, 9 Dec 2021, Oleksandr wrote:
> On 08.12.21 01:36, Stefano Stabellini wrote:
> Hi Stefano
>
> > On Thu, 25 Nov 2021, Oleksandr wrote:
> > > > > Please note the following:
> > > > > for V3 arch_xen_unpopulated_init() was moved to init() as was agreed
> > > > > and gained __init specifier. So the target_resource is initialized
> > > > > there.
> > > > >
> > > > > With current patch series applied if CONFIG_XEN_UNPOPULATED_ALLOC
> > > > > is enabled:
> > > > >
> > > > > 1. On Arm, under normal circumstances, the
> > > > > xen_alloc_unpopulated_pages()
> > > > > won't be called “before” arch_xen_unpopulated_init(). It will only be
> > > > > called "before" when either ACPI is in use or something wrong happened
> > > > > with DT (and we failed to read xen_grant_frames), so we fallback to
> > > > > xen_xlate_map_ballooned_pages() in
> > > > > arm/xen/enlighten.c:xen_guest_init(),
> > > > > please see "arm/xen: Switch to use gnttab_setup_auto_xlat_frames() for
> > > > > DT"
> > > > > for details. But in that case, I think, it doesn't matter much whether
> > > > > xen_alloc_unpopulated_pages() is called "before" of "after"
> > > > > target_resource
> > > > > initialization, as we don't have extended regions in place the
> > > > > target_resource
> > > > > will remain invalid even after initialization, so
> > > > > xen_alloc_ballooned_pages()
> > > > > will be used in both scenarios.
> > > > >
> > > > > 2. On x86, I am not quite sure which modes use unpopulated-alloc
> > > > > (PVH?),
> > > > > but it looks like xen_alloc_unpopulated_pages() can (and will) be
> > > > > called
> > > > > “before” arch_xen_unpopulated_init().
> > > > > At least, I see that xen_xlate_map_ballooned_pages() is called in
> > > > > x86/xen/grant-table.c:xen_pvh_gnttab_setup(). According to the
> > > > > initcall
> > > > > levels for both xen_pvh_gnttab_setup() and init() I expect the former
> > > > > to be called earlier.
> > > > > If it is true, the sentence in the commit description which mentions
> > > > > that “behaviour on x86 is not changed” is not precise. I don’t think
> > > > > it would be correct to fallback to xen_alloc_ballooned_pages() just
> > > > > because we haven’t initialized target_resource yet (on x86 it is just
> > > > > assigning it iomem_resource), at least this doesn't look like an
> > > > > expected
> > > > > behaviour and unlikely would be welcome.
> > > > >
> > > > > I am wondering whether it would be better to move
> > > > > arch_xen_unpopulated_init()
> > > > > to a dedicated init() marked with an appropriate initcall level
> > > > > (early_initcall?)
> > > > > to make sure it will always be called *before*
> > > > > xen_xlate_map_ballooned_pages().
> > > > > What do you think?
> > >    ... here (#2). Or I really missed something and there wouldn't be an
> > > issue?
> > Yes, I see your point. Yeah, it makes sense to make sure that
> > drivers/xen/unpopulated-alloc.c:init is executed before
> > xen_pvh_gnttab_setup.
> >
> > If we move it to early_initcall, then we end up running it before
> > xen_guest_init on ARM. But that might be fine: it looks like it should
> > work OK and would also allow us to execute xen_xlate_map_ballooned_pages
> > with target_resource already set.
> >
> > So I'd say go for it :)
>
>
> Thank you for the confirmation! In order to be on the safe side, I would
> probably leave drivers/xen/unpopulated-alloc.c:init as is, I mean with current
> subsys initcall level (it expects the extra memory regions to be already
> filled)
> and create a separate unpopulated_init() to put arch_xen_unpopulated_init()
> into. Something like the following:
>
> static int __init unpopulated_init(void)
> {
>     int ret;
>
>     if (!xen_domain())
>         return -ENODEV;
>
>     ret = arch_xen_unpopulated_init(&target_resource);
>     if (ret) {
>         pr_err("xen:unpopulated: Cannot initialize target resource\n");
>         target_resource = NULL;
>     }
>
>     return ret;
> }
> early_initcall(unpopulated_init);

Sounds good