[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/arm: skip holes in physical address space when setting up frametable

  • To: "Orzel, Michal" <Michal.Orzel@xxxxxxx>
  • From: Luca Fancellu <Luca.Fancellu@xxxxxxx>
  • Date: Tue, 21 Apr 2026 10:41:49 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 4.158.2.129) smtp.rcpttodomain=amd.com smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=arm.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
  • Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=p72l46oHHumCb46GB/T/xSFovc1gGQdn9po47lRcqsE=; b=N3amsmHNhe4SXZvJ3ltNpWTw8MOTgQui5T+tg46cVLPZaDNTa1pgTjcVewfFCozBoO090FQbjUzhhYEdOeYdTsnczS60v9ZpPgX+2x/PEA5lNgP2C7193d1af1Bv0fMERAzW9D91dZsYJXo4303qQ105fAdVdiVu86fMAoZnJXoMk441P9SnpupYih+pWhgtKTTyRExcOZoeNjmspvn8tuFR4rJJw8kN2naGt2ecikl0FMmRl5/zpuLCP2AyF6WjwHBA8hZhz4nohVyPxzoQcviUxwik+63d+hG5O4hXK7FGPF/0rrUmXYQ4Kd2NGN7g+Hn7raVGQd9YMrOlaue/EQ==
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=p72l46oHHumCb46GB/T/xSFovc1gGQdn9po47lRcqsE=; b=HfryHPze25mQ7VIXq2fYYdsQcH+W2iXiATAclLIt8Sh8LpoWfq78l5oDVNDbPYdkB2umwZnmLcyI8xLUWgNWe5kKbb8ZJS04YL0C27Y/fn4NNeHQYZPCVm7GcdbO5CUtGgWR4mFb8ryF80q74sZq5q4FFIT8RVW8RONrtq9WWvb6beMQe2V5NXjC608KTsgHI6dz7qLAJ4se9eyRE/CyVY6MxgjMLxoK+9ZTWHHJyub+Y9L7XMiAvWR3anZhAkCO4/5hIxJOTBCIPYoZtF8zqUkpNaB0b+F+uX2PRMnAf/0SMF4WbEgk2EZnCLgoWYaWvfqTuwLgMmznZ/v2wlgMDw==
  • Arc-seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=LefkrvrH5DIPzLUBzd+zoOLoSAF9F+lCSOAX6Zd+//MUAFU96wkvQ8kELgOCpQqsvyejEn1QT5SeY71oed8DJeqdbedPir9X0fYXLN88InqyxA4ywDWPXEAL3GFy+50RpPgJIvvVwwc6fG1Igd9vpm3W8bDgBp+RdlY1srdoWvaeBPkShKt+gwj8PBOty+EnTMIIqXgUeQSvimSIpAXVhZnonBVgFf7necV7I9l/WZ/NWMHW7rzw/AV3BoK3xL6sxA1pJtT4Xjl8mmlJzV47k2QANH5Euso8upYbUgb0vgs8WZAlTgQ3wq2shIrB2+Kn2eViJPoxkVrWc47nH7uYrA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=oRyqNKviY8WHKTP7MTmnxEfVj67uWxXH8G3o6pGbhOmQgujzOhNzJGF8031ZUYl8i1vmTbXsSWdQOGLNOwZM5KHIRPFBWzZUhCLhwYJGe2KoGG1hdovdf1hsUohn22lFC0D5EtQya1rb1NjoTPbCw2CKSLwlcs0qmlx1Ce+Kh0q/ukIVr4V9jy4Ds4QxK9q1eFC/WJaPB0Yx5BsPuAM3eReEND6e2rR/StFHsD5GCCCGkxedVOhaW/oBXAHIedzSXzeSWseQbVPuT1zxXsyxTDVrzmyd1HM1ksW7KYnQTVz6rZNXtDGHzKIIPikQDL0IhYeZOaEo5nZmmp2QRwLIrg==
  • Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=arm.com header.i="@arm.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"; dkim=pass header.s=selector1 header.d=arm.com header.i="@arm.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"
  • Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Bertrand Marquis <Bertrand.Marquis@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>
  • Delivery-date: Tue, 21 Apr 2026 10:43:12 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Nodisclaimer: true
  • Thread-index: AQHczko4909b0LdR6E6hEGKgM2/tzrXjJWsAgAASSYCABMl7gIABVuYAgAACHIA=
  • Thread-topic: [PATCH] xen/arm: skip holes in physical address space when setting up frametable
Hi Michal,

> On 21 Apr 2026, at 11:33, Orzel, Michal <Michal.Orzel@xxxxxxx> wrote:
> 
> 
> 
> On 20/04/2026 16:06, Luca Fancellu wrote:
>> HI Michal,
>> 
>>>>> +void __init init_frametable(paddr_t ram_start)
>>>>> +{
>>>>> +    unsigned int sidx, nidx, max_idx;
>>>>> 
>>>>>   /*
>>>>>    * The size of paddr_t should be sufficient for the complete range of
>>>>> @@ -26,24 +47,34 @@ void __init setup_frametable_mappings(paddr_t ps, 
>>>>> paddr_t pe)
>>>>>   BUILD_BUG_ON((sizeof(paddr_t) * BITS_PER_BYTE) < PADDR_BITS);
>>>>>   BUILD_BUG_ON(sizeof(struct page_info) != PAGE_INFO_SIZE);
>>>>> 
>>>>> -    if ( frametable_size > FRAMETABLE_SIZE )
>>>>> -        panic("The frametable cannot cover the physical region 
>>>>> %#"PRIpaddr" - %#"PRIpaddr"\n",
>>>>> -              ps, pe);
>>>>> +    max_idx = DIV_ROUND_UP(max_pdx, PDX_GROUP_COUNT);
>>>>> +    frametable_base_pdx = mfn_to_pdx(maddr_to_mfn(ram_start));
>>>>> 
>>>>> -    frametable_base_pdx = mfn_to_pdx(maddr_to_mfn(ps));
>>>>> -    /* Round up to 2M or 32M boundary, as appropriate. */
>>>>> -    frametable_size = ROUNDUP(frametable_size, mapping_size);
>>>>> -    base_mfn = alloc_boot_pages(frametable_size >> PAGE_SHIFT, 
>>>>> 32<<(20-12));
>>>>> +    /*
>>>>> +     * pdx_to_page(pdx_s) in init_frametable_chunk must be page-aligned
>>>>> +     * for map_pages_to_xen(). Aligning to PDX_GROUP_COUNT guarantees 
>>>>> this
>>>>> +     * because PDX_GROUP_COUNT * sizeof(page_info) is always a multiple 
>>>>> of
>>>>> +     * PAGE_SIZE by construction.
>>>>> +     */
>>>>> +    frametable_base_pdx = ROUNDDOWN(frametable_base_pdx, 
>>>>> PDX_GROUP_COUNT);
>>>> 
>>>> We are now rounding down frametable_base_pdx which before this patch it 
>>>> was the start of the ram,
>>>> but in xen/xen/arch/arm/include/asm/mm.h, mfn_valid(mfn) is using 
>>>> frametable_base_pdx to check for
>>>> mfn validity, this means that we could pass an mfn before the start of the 
>>>> ram and if __mfn_valid is happy,
>>>> we are getting a regression.
>>>> 
>>>> Can this happen or am I missing something?
>>> mfn_valid() can indeed return true for an MFN below ram_start that falls
>>> in the same PDX group, but this is safe. init_frametable_chunk() maps
>>> and zeroes the frametable for that range, so mfn_to_page() won't fault.
>>> The zeroed page_info has count_info == 0 and no owner, so any get_page()
>>> call on it will fail — the page is effectively inert.
>> 
>> Yes, I’ve checked and many path relying on mfn_valid() go also through 
>> mfn_to_page()
>> and/or get_page(), there is only one in process_shm() that potentially could 
>> add a shared memory page
>> given that we are relaxing mfn_valid now.
> We are not relaxing mfn_valid now. It has never meant to mean RAM. It means 
> the
> MFN has a corresponding frame table entry with struct page_info. This is what
> it's comment says.

Thanks for the clarification, I was under the impression that on Arm it 
signified mfn points to a real host ram
portion, the comment above Arm implementation doesn’t help either :)

> 
> Static shmem is safe for ghost MFN. In prepare_staticmem_pages() we have a 
> check
> for count_info that for ghost MFN is 0.
> 
>> 
>> I’m trying also to follow is_iomem_page(), to check if subsequent 
>> mfn_to_page() fail safely, but I think that depending
>> on that (mfn_valid) the page will be only treated differently, not sure if 
>> it’s a latent bug to leave mfn_valid() as it is.\
> On Arm, is_iomem_page() is just !mfn_valid(), so yes, ghost MFNs
> would be classified as not IOMEM. But this is harmless because is_iomem_page()
> on ARM is only called from grant table paths that operate on pages obrtained 
> by
> get_page(), so no Arm code can reach is_iomem_page with a ghost MFN.
> 
>> 
>> Would it be valid to have something like mfn_to_page() != 0 to be part of 
>> mfn_valid() to ensure it’s a real host ram page?
>> I’m truly asking here because I didn’t check if it’s doable.
> As already said, mfn_valid was never supposed to mean RAM page. It is just 
> that
> on ARM the two happened to coincide until this patch.
> 
>> 
>> Otherwise we could split the round down and the frametable_base_pdx in this 
>> way maybe?
> I don't think we need this extra complexity for something that is safe and has
> always been in use. We've never had mfn_valid == RAM guarantee.

Thanks for checking my points, I think it’s all clear to me now.

Reviewed-by: Luca Fancellu <luca.fancellu@xxxxxxx>

Cheers,
Luca

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.