On 18.09.2017 09:43, Christian Borntraeger wrote:
>
>
> On 09/15/2017 04:36 PM, Thomas Huth wrote:
>> On 29.03.2017 16:25, Christian Borntraeger wrote:
>>> On 03/29/2017 04:21 PM, Thomas Huth wrote:
>>>> On 24.03.2017 10:39, Christian Borntraeger wrote:
>>>>> On 03/24/2017 10:26 AM, Thomas Huth wrote:
>>>>>> When running QEMU with KVM under z/VM, the memory for the guest
>>>>>> is allocated via legacy_s390_alloc() since the KVM_CAP_S390_COW
>>>>>> extension is not supported on z/VM. legacy_s390_alloc() then uses
>>>>>> mmap(... PROT_EXEC ...) for the guest memory - but this does not
>>>>>> work when running with SELinux enabled, mmap() fails and QEMU aborts
>>>>>> with the following error message:
>>>>>>
>>>>>> cannot set up guest memory 's390.ram': Permission denied
>>>>>>
>>>>>> Looking at the other allocator function qemu_anon_ram_alloc(), it
>>>>>> seems like PROT_EXEC is normally not needed for allocating the
>>>>>> guest RAM, and indeed, the guest also starts successfully under
>>>>>> z/VM when we remove the PROT_EXEC from the legacy_s390_alloc()
>>>>>> function. So let's get rid of that flag here to be able to run
>>>>>> with SELinux under z/VM, too.
>>>>>
>>>>> Older z/VM versions do not provide the enhanced suppression on protection
>>>>> facility, which would result in guest failures as soon as the kernel
>>>>> starts dirty pages tracking by write protecting the pages via the page
>>>>> table. Some kernel releases back (last time I checked) the PROT_EXEC was
>>>>> necessary to prevent the dirty pages tracking from taking place. So this
>>>>> patch would break KVM in that case.
>>>>>
>>>>> Newer z/VMs (e.g. 6.3) do provide ESOP. So the question is,
>>>>> why is KVM_CAP_S390_COW not set?
>>>>
>>>> I now had another look at this, and seems like the ESOP bit is indeed
>>>> not set in S390_lowcore.machine_flags here. According to /proc/sysinfo,
>>>> z/VM is version 6.1.0 here, so I guess that's just too old for ESOP?
>>>
>>> Yes, this was introduced with z/VM 6.3
>>
>> FWIW, the last version without ESOP, z/VM 6.2, is now end of life,
>> according to: http://www.vm.ibm.com/techinfo/lpmigr/vmleos.html
>> ... so I guess we could remove the legacy_s390_alloc() function now?
>
>
> I recently learned that you can buy some extended z/VM support, not sure how
> long this will be available. In addition, ESOP was added with z10, so
> if we still care about z9 and older then this would break things on
> very very old boxes.

I wonder if that is really relevant anymore. Existing users on such
machines (I doubt there are many) can simply stick to QEMU <= 2.10.
Or do we actually expect people with such old environments to use
latest and greatest QEMU versions? We could add an error message and
error out.

>
> The pain/risk-to-break ratio seems to suggest to keep this "hack"
> for a while.

-- 
Thanks,

David