subject:"Re\: \[Qemu\-devel\] \[PULL 22\/25\] target\/i386\: kvm\: Add nested migration blocker only when kernel lacks required capabilities"

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-07-10 Thread Jan Kiszka

On 10.07.19 18:34, Paolo Bonzini wrote:
> On 10/07/19 18:08, Jan Kiszka wrote:
>> On 10.07.19 16:40, Paolo Bonzini wrote:
>>> On 08/07/19 20:31, Jan Kiszka wrote:
> -if (cpu_has_nested_virt(env) && !env->nested_state) {
> +if (kvm_enabled() && cpu_has_vmx(env) && !env->nested_state) {
>  error_report("Guest enabled nested virtualization but kernel "
>  "does not support saving of nested state");
>  return -EINVAL;
>
 Starting with this commit latest (bisection issue...), running Jailhouse 
 in a
 guest first stalls L1 (looks like we lose interrupts), and if I try to 
 reset
 that VM, I lose my host as well:
>>>
>>> If 5.2 is still broken, can you gather a dump of KVM_SET_NESTED_STATE's
>>> payload?
>>
>> savevm or is there a dump function in QEMU or the kernel?
> 
> There is qemu_hexdump.
> 

Here are two states taken during the vmport loop:

2: nested_state: :  01 00 00 00  80 10 00 00  00 00 24 3a  00 00 00 00 
..$:
2: nested_state: 0010:  00 10 24 3a  00 00 00 00  00 00 00 00  00 00 00 00 
..$:
2: nested_state: 0020:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0030:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0040:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0050:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0060:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0070:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0080:  d0 7e e5 11  00 00 00 00  01 00 00 00  00 00 00 00 
.~..
2: nested_state: 0090:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 00a0:  00 00 00 00  00 00 00 00  00 70 25 3a  00 00 00 00 
.p%:
2: nested_state: 00b0:  00 80 25 3a  00 00 00 00  00 f0 00 3a  00 00 00 00 
..%:...:
2: nested_state: 00c0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 00d0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 00e0:  00 00 00 00  00 00 00 00  00 50 01 3a  00 00 00 00 
.P.:
2: nested_state: 00f0:  00 00 00 00  00 00 00 00  1e e0 22 3a  00 00 00 00 
..":
2: nested_state: 0100:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0110:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0120:  00 00 00 00  00 00 00 00  10 00 00 00  01 00 00 00 

2: nested_state: 0130:  ff ff ff ff  ff ff ff ff  00 00 00 00  00 00 00 00 

2: nested_state: 0140:  06 01 07 00  06 01 07 00  01 0d 00 00  00 00 00 00 

2: nested_state: 0150:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0160:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0170:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0180:  06 01 07 00  00 00 00 00  00 05 00 00  00 00 00 00 

2: nested_state: 0190:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 01a0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 01b0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 01c0:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 01d0:  00 00 00 00  00 00 00 00  30 00 00 60  ff ff ff ff 
0..`
2: nested_state: 01e0:  00 00 00 00  00 00 00 00  33 00 05 80  00 00 00 00 
3...
2: nested_state: 01f0:  a0 26 04 00  00 00 00 00  00 00 00 00  00 00 00 00 
.&..
2: nested_state: 0200:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0210:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0220:  00 00 00 00  00 00 00 00  33 00 05 80  00 00 00 00 
3...
2: nested_state: 0230:  00 20 6f 32  00 00 00 00  a0 26 04 00  00 00 00 00 . 
o2.&..
2: nested_state: 0240:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0250:  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0260:  00 97 c4 ec  b4 7f 00 00  00 00 00 00  00 00 00 00 

2: nested_state: 0270:  00 00 00 00  00 00 00 00  00 90 06 00  00 fe ff ff 

2: nested_state: 0280:  00 70 06 00  00 fe ff ff  00 00 00 00  00 fe ff ff 
.p..
2: nested_state: 0290:  00 04 00 00  00 00 00 00  88 33 16 8a  fd 7f 00 00 
.3..
2: nested_state: 02a0:  e4 d4 70 e6  b4 7f 00 00  17 32 00 00  00 00 00 00 
..p..2..
2: nested_state: 02b0:  00 00 00 00  00 00 00 00  00 82 06

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-07-10 Thread Paolo Bonzini

On 10/07/19 18:08, Jan Kiszka wrote:
> On 10.07.19 16:40, Paolo Bonzini wrote:
>> On 08/07/19 20:31, Jan Kiszka wrote:
 -if (cpu_has_nested_virt(env) && !env->nested_state) {
 +if (kvm_enabled() && cpu_has_vmx(env) && !env->nested_state) {
  error_report("Guest enabled nested virtualization but kernel "
  "does not support saving of nested state");
  return -EINVAL;

>>> Starting with this commit latest (bisection issue...), running Jailhouse in 
>>> a
>>> guest first stalls L1 (looks like we lose interrupts), and if I try to reset
>>> that VM, I lose my host as well:
>>
>> If 5.2 is still broken, can you gather a dump of KVM_SET_NESTED_STATE's
>> payload?
> 
> savevm or is there a dump function in QEMU or the kernel?

There is qemu_hexdump.

Paolo

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-07-10 Thread Jan Kiszka

On 10.07.19 16:40, Paolo Bonzini wrote:
> On 08/07/19 20:31, Jan Kiszka wrote:
>>> -if (cpu_has_nested_virt(env) && !env->nested_state) {
>>> +if (kvm_enabled() && cpu_has_vmx(env) && !env->nested_state) {
>>>  error_report("Guest enabled nested virtualization but kernel "
>>>  "does not support saving of nested state");
>>>  return -EINVAL;
>>>
>> Starting with this commit latest (bisection issue...), running Jailhouse in a
>> guest first stalls L1 (looks like we lose interrupts), and if I try to reset
>> that VM, I lose my host as well:
> 
> If 5.2 is still broken, can you gather a dump of KVM_SET_NESTED_STATE's
> payload?

savevm or is there a dump function in QEMU or the kernel?

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-07-10 Thread Paolo Bonzini

On 08/07/19 20:31, Jan Kiszka wrote:
>> -if (cpu_has_nested_virt(env) && !env->nested_state) {
>> +if (kvm_enabled() && cpu_has_vmx(env) && !env->nested_state) {
>>  error_report("Guest enabled nested virtualization but kernel "
>>  "does not support saving of nested state");
>>  return -EINVAL;
>>
> Starting with this commit latest (bisection issue...), running Jailhouse in a
> guest first stalls L1 (looks like we lose interrupts), and if I try to reset
> that VM, I lose my host as well:

If 5.2 is still broken, can you gather a dump of KVM_SET_NESTED_STATE's
payload?

Paolo

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-07-08 Thread Jan Kiszka

On 08.07.19 20:31, Jan Kiszka wrote:
> 
> On 21.06.19 13:30, Paolo Bonzini wrote:
>> From: Liran Alon 
>>
>> Previous commits have added support for migration of nested virtualization
>> workloads. This was done by utilising two new KVM capabilities:
>> KVM_CAP_NESTED_STATE and KVM_CAP_EXCEPTION_PAYLOAD. Both which are
>> required in order to correctly migrate such workloads.
>>
>> Therefore, change code to add a migration blocker for vCPUs exposed with
>> Intel VMX or AMD SVM in case one of these kernel capabilities is
>> missing.
>>
>> Signed-off-by: Liran Alon 
>> Reviewed-by: Maran Wilson 
>> Message-Id: <20190619162140.133674-11-liran.a...@oracle.com>
>> Signed-off-by: Paolo Bonzini 
>> ---
>>  target/i386/kvm.c | 9 +++--
>>  target/i386/machine.c | 2 +-
>>  2 files changed, 8 insertions(+), 3 deletions(-)
>>
>> diff --git a/target/i386/kvm.c b/target/i386/kvm.c
>> index c931e9d..e4b4f57 100644
>> --- a/target/i386/kvm.c
>> +++ b/target/i386/kvm.c
>> @@ -1640,9 +1640,14 @@ int kvm_arch_init_vcpu(CPUState *cs)
>>!!(c->ecx & CPUID_EXT_SMX);
>>  }
>>  
>> -if (cpu_has_nested_virt(env) && !nested_virt_mig_blocker) {
>> +if (cpu_has_vmx(env) && !nested_virt_mig_blocker &&
>> +((kvm_max_nested_state_length() <= 0) || !has_exception_payload)) {
>>  error_setg(_virt_mig_blocker,
>> -   "Nested virtualization does not support live migration 
>> yet");
>> +   "Kernel do not provide required capabilities for "
>> +   "nested virtualization migration. "
>> +   "(CAP_NESTED_STATE=%d, CAP_EXCEPTION_PAYLOAD=%d)",
>> +   kvm_max_nested_state_length() > 0,
>> +   has_exception_payload);
>>  r = migrate_add_blocker(nested_virt_mig_blocker, _err);
>>  if (local_err) {
>>  error_report_err(local_err);
>> diff --git a/target/i386/machine.c b/target/i386/machine.c
>> index fc49e5a..851b249 100644
>> --- a/target/i386/machine.c
>> +++ b/target/i386/machine.c
>> @@ -233,7 +233,7 @@ static int cpu_pre_save(void *opaque)
>>  
>>  #ifdef CONFIG_KVM
>>  /* Verify we have nested virtualization state from kernel if required */
>> -if (cpu_has_nested_virt(env) && !env->nested_state) {
>> +if (kvm_enabled() && cpu_has_vmx(env) && !env->nested_state) {
>>  error_report("Guest enabled nested virtualization but kernel "
>>  "does not support saving of nested state");
>>  return -EINVAL;
>>
> 
> Starting with this commit latest (bisection issue...), running Jailhouse in a
> guest first stalls L1 (looks like we lose interrupts), and if I try to reset
> that VM, I lose my host as well:
> 
> kvm: vmptrld   (null)/6eb9 failed
> kvm: vmclear fail:   (null)/6eb9
> 
> and then things start to lock up because we seem to lose the CPUs the guest 
> was
> running on. Once I had this in the logs:
> 
> rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 7-... } 15040
> jiffies s: 4673 root: 0x80/.
> rcu: blocking rcu_node structures:
> Task dump for CPU 7:
> qemu-system-x86 R  running task0 17413  17345 0x0008
> Call Trace:
>  ? x86_virt_spec_ctrl+0x7/0xe0
>  ? vmx_vcpu_run.part.0+0x2a4/0xfa0 [kvm_intel]
>  ? vcpu_enter_guest+0x349/0xe80 [kvm]
>  ? kvm_arch_vcpu_ioctl_run+0xff/0x550 [kvm]
>  ? kvm_vcpu_ioctl+0x20d/0x590 [kvm]
>  ? get_futex_key+0x35d/0x3b0
>  ? do_vfs_ioctl+0x447/0x640
>  ? do_futex+0x157/0x1d0
>  ? ksys_ioctl+0x5e/0x90
>  ? __x64_sys_ioctl+0x16/0x20
>  ? do_syscall_64+0x60/0x120
>  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> This was on a 5.1.16 distro kernel. Currently rebuilding 5.2 vanilla.
> 
> Looks like we have up to two critical bugs here...
> 
> Jan
> 

It turns out it's actually patch 20 that introduces the problem. Maybe it is
only the kernel, but I rather suspect a combination of userspace not providing
the right state (specifically on reset) and the kernel accepting that.

Continuing the search on 5.2 now.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-07-08 Thread Jan Kiszka



On 21.06.19 13:30, Paolo Bonzini wrote:
> From: Liran Alon 
> 
> Previous commits have added support for migration of nested virtualization
> workloads. This was done by utilising two new KVM capabilities:
> KVM_CAP_NESTED_STATE and KVM_CAP_EXCEPTION_PAYLOAD. Both which are
> required in order to correctly migrate such workloads.
> 
> Therefore, change code to add a migration blocker for vCPUs exposed with
> Intel VMX or AMD SVM in case one of these kernel capabilities is
> missing.
> 
> Signed-off-by: Liran Alon 
> Reviewed-by: Maran Wilson 
> Message-Id: <20190619162140.133674-11-liran.a...@oracle.com>
> Signed-off-by: Paolo Bonzini 
> ---
>  target/i386/kvm.c | 9 +++--
>  target/i386/machine.c | 2 +-
>  2 files changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/target/i386/kvm.c b/target/i386/kvm.c
> index c931e9d..e4b4f57 100644
> --- a/target/i386/kvm.c
> +++ b/target/i386/kvm.c
> @@ -1640,9 +1640,14 @@ int kvm_arch_init_vcpu(CPUState *cs)
>!!(c->ecx & CPUID_EXT_SMX);
>  }
>  
> -if (cpu_has_nested_virt(env) && !nested_virt_mig_blocker) {
> +if (cpu_has_vmx(env) && !nested_virt_mig_blocker &&
> +((kvm_max_nested_state_length() <= 0) || !has_exception_payload)) {
>  error_setg(_virt_mig_blocker,
> -   "Nested virtualization does not support live migration 
> yet");
> +   "Kernel do not provide required capabilities for "
> +   "nested virtualization migration. "
> +   "(CAP_NESTED_STATE=%d, CAP_EXCEPTION_PAYLOAD=%d)",
> +   kvm_max_nested_state_length() > 0,
> +   has_exception_payload);
>  r = migrate_add_blocker(nested_virt_mig_blocker, _err);
>  if (local_err) {
>  error_report_err(local_err);
> diff --git a/target/i386/machine.c b/target/i386/machine.c
> index fc49e5a..851b249 100644
> --- a/target/i386/machine.c
> +++ b/target/i386/machine.c
> @@ -233,7 +233,7 @@ static int cpu_pre_save(void *opaque)
>  
>  #ifdef CONFIG_KVM
>  /* Verify we have nested virtualization state from kernel if required */
> -if (cpu_has_nested_virt(env) && !env->nested_state) {
> +if (kvm_enabled() && cpu_has_vmx(env) && !env->nested_state) {
>  error_report("Guest enabled nested virtualization but kernel "
>  "does not support saving of nested state");
>  return -EINVAL;
> 

Starting with this commit latest (bisection issue...), running Jailhouse in a
guest first stalls L1 (looks like we lose interrupts), and if I try to reset
that VM, I lose my host as well:

kvm: vmptrld   (null)/6eb9 failed
kvm: vmclear fail:   (null)/6eb9

and then things start to lock up because we seem to lose the CPUs the guest was
running on. Once I had this in the logs:

rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 7-... } 15040
jiffies s: 4673 root: 0x80/.
rcu: blocking rcu_node structures:
Task dump for CPU 7:
qemu-system-x86 R  running task0 17413  17345 0x0008
Call Trace:
 ? x86_virt_spec_ctrl+0x7/0xe0
 ? vmx_vcpu_run.part.0+0x2a4/0xfa0 [kvm_intel]
 ? vcpu_enter_guest+0x349/0xe80 [kvm]
 ? kvm_arch_vcpu_ioctl_run+0xff/0x550 [kvm]
 ? kvm_vcpu_ioctl+0x20d/0x590 [kvm]
 ? get_futex_key+0x35d/0x3b0
 ? do_vfs_ioctl+0x447/0x640
 ? do_futex+0x157/0x1d0
 ? ksys_ioctl+0x5e/0x90
 ? __x64_sys_ioctl+0x16/0x20
 ? do_syscall_64+0x60/0x120
 ? entry_SYSCALL_64_after_hwframe+0x49/0xbe

This was on a 5.1.16 distro kernel. Currently rebuilding 5.2 vanilla.

Looks like we have up to two critical bugs here...

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-06-21 Thread Liran Alon

> On 21 Jun 2019, at 20:27, Paolo Bonzini  wrote:
> 
> On 21/06/19 17:07, Liran Alon wrote:
>>> So, overall I prefer not to block migration.
>> I’m not sure I agree.
>> It is quite likely that vCPU is currently in guest-mode while you are 
>> migrating…
>> A good hypervisor tries to maximise CPU time to be in guest-mode rather than 
>> host-mode. :)
> 
> True, but it is even more likely that they are not using KVM at all and
> just happen to have the CPUID flag set. :)
> 
> Paolo

Since QEMU commit 75d373ef9729 ("target-i386: Disable SVM by default in KVM 
mode"),
An AMD vCPU that is virtualized by KVM don’t expose SVM by default. Even if you 
use "-cpu host".
Therefore, it is unlikely that vCPU expose SVM CPUID flag when user is not 
running any nSVM
workload inside guest. Unless I’m missing something obvious.
Otherwise, I would have agreed with you.

-Liran

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-06-21 Thread Paolo Bonzini

On 21/06/19 17:07, Liran Alon wrote:
>> So, overall I prefer not to block migration.
> I’m not sure I agree.
> It is quite likely that vCPU is currently in guest-mode while you are 
> migrating…
> A good hypervisor tries to maximise CPU time to be in guest-mode rather than 
> host-mode. :)

True, but it is even more likely that they are not using KVM at all and
just happen to have the CPUID flag set. :)

Paolo

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-06-21 Thread Liran Alon




> On 21 Jun 2019, at 18:02, Paolo Bonzini  wrote:
> 
> On 21/06/19 14:39, Liran Alon wrote:
>>> On 21 Jun 2019, at 14:30, Paolo Bonzini  wrote:
>>> 
>>> From: Liran Alon 
>>> 
>>> Previous commits have added support for migration of nested virtualization
>>> workloads. This was done by utilising two new KVM capabilities:
>>> KVM_CAP_NESTED_STATE and KVM_CAP_EXCEPTION_PAYLOAD. Both which are
>>> required in order to correctly migrate such workloads.
>>> 
>>> Therefore, change code to add a migration blocker for vCPUs exposed with
>>> Intel VMX or AMD SVM in case one of these kernel capabilities is
>>> missing.
>>> 
>>> Signed-off-by: Liran Alon 
>>> Reviewed-by: Maran Wilson 
>>> Message-Id: <20190619162140.133674-11-liran.a...@oracle.com>
>>> Signed-off-by: Paolo Bonzini 
>>> ---
>>> target/i386/kvm.c | 9 +++--
>>> target/i386/machine.c | 2 +-
>>> 2 files changed, 8 insertions(+), 3 deletions(-)
>>> 
>>> diff --git a/target/i386/kvm.c b/target/i386/kvm.c
>>> index c931e9d..e4b4f57 100644
>>> --- a/target/i386/kvm.c
>>> +++ b/target/i386/kvm.c
>>> @@ -1640,9 +1640,14 @@ int kvm_arch_init_vcpu(CPUState *cs)
>>>  !!(c->ecx & CPUID_EXT_SMX);
>>>}
>>> 
>>> -if (cpu_has_nested_virt(env) && !nested_virt_mig_blocker) {
>>> +if (cpu_has_vmx(env) && !nested_virt_mig_blocker &&
>> 
>> The change here from cpu_has_nested_virt(env) to cpu_has_vmx(env) is not 
>> clear.
>> We should explicitly explain that it’s because we still wish to preserve 
>> backwards-compatability
>> to migrating AMD vCPU exposed with SVM.
>> 
>> In addition, commit ("target/i386: kvm: Block migration for vCPUs exposed 
>> with nested virtualization")
>> doesn’t make sense in case we still want to allow migrating AMD vCPU exposed 
>> with SVM.
>> 
>> Since QEMU commit 75d373ef9729 ("target-i386: Disable SVM by default in KVM 
>> mode"),
>> machine-types since v2.2 don’t expose AMD SVM by default.
>> Therefore, my personal opinion on this is that it’s fine to block migration 
>> in this case.
> 
> I totally missed that commit.  My bad.
> 
> Actually, now that I think about it SVM *will* have some state while
> running in guest mode, namely:
> 
> - the NPT page table root
> 
> - the L1 CR4.PAE, EFER.LMA and EFER.NXE bits, which determine the format
> of the NPT12 page tables
> 
> These are covered by the existing vmstate_svm_npt subsection.
> 
> On the other hand, the lack of something like VMXON/VMCS12 state means
> that AMD already sorta works unless you're migrating while in guest
> mode.  For Intel, just execute VMXON before migration, and starting any
> VM after migration is doomed.

True.

> 
> So, overall I prefer not to block migration.

I’m not sure I agree.
It is quite likely that vCPU is currently in guest-mode while you are migrating…
A good hypervisor tries to maximise CPU time to be in guest-mode rather than 
host-mode. :)

I prefer to block migration and once we formally complete the implementation of 
SVM nested state,
we can modify QEMU code such that migration of vCPU exposed with SVM will work 
in case
nested-state states that guest is in host-mode.

> 
>>> +((kvm_max_nested_state_length() <= 0) || !has_exception_payload)) {
>>>error_setg(_virt_mig_blocker,
>>> -   "Nested virtualization does not support live migration 
>>> yet");
>>> +   "Kernel do not provide required capabilities for “
>> 
>> As Maran have noted, we should change this “do not” to “does not”.
>> Sorry for my bad English grammer. :)
>> 
>>> +   "nested virtualization migration. "
>>> +   "(CAP_NESTED_STATE=%d, CAP_EXCEPTION_PAYLOAD=%d)",
>>> +   kvm_max_nested_state_length() > 0,
>>> +   has_exception_payload);
>>>r = migrate_add_blocker(nested_virt_mig_blocker, _err);
>>>if (local_err) {
>>>error_report_err(local_err);
>>> diff --git a/target/i386/machine.c b/target/i386/machine.c
>>> index fc49e5a..851b249 100644
>>> --- a/target/i386/machine.c
>>> +++ b/target/i386/machine.c
>>> @@ -233,7 +233,7 @@ static int cpu_pre_save(void *opaque)
>>> 
>>> #ifdef CONFIG_KVM
>>>/* Verify we have nested virtualization state from kernel if required */
>>> -if (cpu_has_nested_virt(env) && !env->nested_state) {
>>> +if (kvm_enabled() && cpu_has_vmx(env) && !env->nested_state) {
>> 
>> Good catch regarding adding kvm_enabled() here.
> 
> Caught by "make check", not by me!

Ah nice to know :) Thanks for the tip.

> 
>> But I think this should have been added to commit ("target/i386: kvm: Add 
>> support for save and restore nested state”).
> 
> This commit is where bisection broke. :)
> 
> Paolo

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-06-21 Thread Paolo Bonzini

On 21/06/19 14:39, Liran Alon wrote:
>> On 21 Jun 2019, at 14:30, Paolo Bonzini  wrote:
>>
>> From: Liran Alon 
>>
>> Previous commits have added support for migration of nested virtualization
>> workloads. This was done by utilising two new KVM capabilities:
>> KVM_CAP_NESTED_STATE and KVM_CAP_EXCEPTION_PAYLOAD. Both which are
>> required in order to correctly migrate such workloads.
>>
>> Therefore, change code to add a migration blocker for vCPUs exposed with
>> Intel VMX or AMD SVM in case one of these kernel capabilities is
>> missing.
>>
>> Signed-off-by: Liran Alon 
>> Reviewed-by: Maran Wilson 
>> Message-Id: <20190619162140.133674-11-liran.a...@oracle.com>
>> Signed-off-by: Paolo Bonzini 
>> ---
>> target/i386/kvm.c | 9 +++--
>> target/i386/machine.c | 2 +-
>> 2 files changed, 8 insertions(+), 3 deletions(-)
>>
>> diff --git a/target/i386/kvm.c b/target/i386/kvm.c
>> index c931e9d..e4b4f57 100644
>> --- a/target/i386/kvm.c
>> +++ b/target/i386/kvm.c
>> @@ -1640,9 +1640,14 @@ int kvm_arch_init_vcpu(CPUState *cs)
>>   !!(c->ecx & CPUID_EXT_SMX);
>> }
>>
>> -if (cpu_has_nested_virt(env) && !nested_virt_mig_blocker) {
>> +if (cpu_has_vmx(env) && !nested_virt_mig_blocker &&
> 
> The change here from cpu_has_nested_virt(env) to cpu_has_vmx(env) is not 
> clear.
> We should explicitly explain that it’s because we still wish to preserve 
> backwards-compatability
> to migrating AMD vCPU exposed with SVM.
> 
> In addition, commit ("target/i386: kvm: Block migration for vCPUs exposed 
> with nested virtualization")
> doesn’t make sense in case we still want to allow migrating AMD vCPU exposed 
> with SVM.
> 
> Since QEMU commit 75d373ef9729 ("target-i386: Disable SVM by default in KVM 
> mode"),
> machine-types since v2.2 don’t expose AMD SVM by default.
> Therefore, my personal opinion on this is that it’s fine to block migration 
> in this case.

I totally missed that commit.  My bad.

Actually, now that I think about it SVM *will* have some state while
running in guest mode, namely:

- the NPT page table root

- the L1 CR4.PAE, EFER.LMA and EFER.NXE bits, which determine the format
of the NPT12 page tables

These are covered by the existing vmstate_svm_npt subsection.

On the other hand, the lack of something like VMXON/VMCS12 state means
that AMD already sorta works unless you're migrating while in guest
mode.  For Intel, just execute VMXON before migration, and starting any
VM after migration is doomed.

So, overall I prefer not to block migration.

>> +((kvm_max_nested_state_length() <= 0) || !has_exception_payload)) {
>> error_setg(_virt_mig_blocker,
>> -   "Nested virtualization does not support live migration 
>> yet");
>> +   "Kernel do not provide required capabilities for “
> 
> As Maran have noted, we should change this “do not” to “does not”.
> Sorry for my bad English grammer. :)
> 
>> +   "nested virtualization migration. "
>> +   "(CAP_NESTED_STATE=%d, CAP_EXCEPTION_PAYLOAD=%d)",
>> +   kvm_max_nested_state_length() > 0,
>> +   has_exception_payload);
>> r = migrate_add_blocker(nested_virt_mig_blocker, _err);
>> if (local_err) {
>> error_report_err(local_err);
>> diff --git a/target/i386/machine.c b/target/i386/machine.c
>> index fc49e5a..851b249 100644
>> --- a/target/i386/machine.c
>> +++ b/target/i386/machine.c
>> @@ -233,7 +233,7 @@ static int cpu_pre_save(void *opaque)
>>
>> #ifdef CONFIG_KVM
>> /* Verify we have nested virtualization state from kernel if required */
>> -if (cpu_has_nested_virt(env) && !env->nested_state) {
>> +if (kvm_enabled() && cpu_has_vmx(env) && !env->nested_state) {
> 
> Good catch regarding adding kvm_enabled() here.

Caught by "make check", not by me!

> But I think this should have been added to commit ("target/i386: kvm: Add 
> support for save and restore nested state”).

This commit is where bisection broke. :)

Paolo

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

2019-06-21 Thread Liran Alon




> On 21 Jun 2019, at 14:30, Paolo Bonzini  wrote:
> 
> From: Liran Alon 
> 
> Previous commits have added support for migration of nested virtualization
> workloads. This was done by utilising two new KVM capabilities:
> KVM_CAP_NESTED_STATE and KVM_CAP_EXCEPTION_PAYLOAD. Both which are
> required in order to correctly migrate such workloads.
> 
> Therefore, change code to add a migration blocker for vCPUs exposed with
> Intel VMX or AMD SVM in case one of these kernel capabilities is
> missing.
> 
> Signed-off-by: Liran Alon 
> Reviewed-by: Maran Wilson 
> Message-Id: <20190619162140.133674-11-liran.a...@oracle.com>
> Signed-off-by: Paolo Bonzini 
> ---
> target/i386/kvm.c | 9 +++--
> target/i386/machine.c | 2 +-
> 2 files changed, 8 insertions(+), 3 deletions(-)
> 
> diff --git a/target/i386/kvm.c b/target/i386/kvm.c
> index c931e9d..e4b4f57 100644
> --- a/target/i386/kvm.c
> +++ b/target/i386/kvm.c
> @@ -1640,9 +1640,14 @@ int kvm_arch_init_vcpu(CPUState *cs)
>   !!(c->ecx & CPUID_EXT_SMX);
> }
> 
> -if (cpu_has_nested_virt(env) && !nested_virt_mig_blocker) {
> +if (cpu_has_vmx(env) && !nested_virt_mig_blocker &&

The change here from cpu_has_nested_virt(env) to cpu_has_vmx(env) is not clear.
We should explicitly explain that it’s because we still wish to preserve 
backwards-compatability
to migrating AMD vCPU exposed with SVM.

In addition, commit ("target/i386: kvm: Block migration for vCPUs exposed with 
nested virtualization")
doesn’t make sense in case we still want to allow migrating AMD vCPU exposed 
with SVM.

Since QEMU commit 75d373ef9729 ("target-i386: Disable SVM by default in KVM 
mode"),
machine-types since v2.2 don’t expose AMD SVM by default.
Therefore, my personal opinion on this is that it’s fine to block migration in 
this case.

> +((kvm_max_nested_state_length() <= 0) || !has_exception_payload)) {
> error_setg(_virt_mig_blocker,
> -   "Nested virtualization does not support live migration 
> yet");
> +   "Kernel do not provide required capabilities for “

As Maran have noted, we should change this “do not” to “does not”.
Sorry for my bad English grammer. :)

> +   "nested virtualization migration. "
> +   "(CAP_NESTED_STATE=%d, CAP_EXCEPTION_PAYLOAD=%d)",
> +   kvm_max_nested_state_length() > 0,
> +   has_exception_payload);
> r = migrate_add_blocker(nested_virt_mig_blocker, _err);
> if (local_err) {
> error_report_err(local_err);
> diff --git a/target/i386/machine.c b/target/i386/machine.c
> index fc49e5a..851b249 100644
> --- a/target/i386/machine.c
> +++ b/target/i386/machine.c
> @@ -233,7 +233,7 @@ static int cpu_pre_save(void *opaque)
> 
> #ifdef CONFIG_KVM
> /* Verify we have nested virtualization state from kernel if required */
> -if (cpu_has_nested_virt(env) && !env->nested_state) {
> +if (kvm_enabled() && cpu_has_vmx(env) && !env->nested_state) {

Good catch regarding adding kvm_enabled() here.
But I think this should have been added to commit ("target/i386: kvm: Add 
support for save and restore nested state”).

-Liran

> error_report("Guest enabled nested virtualization but kernel "
> "does not support saving of nested state");
> return -EINVAL;
> -- 
> 1.8.3.1
> 
>

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

Re: [Qemu-devel] [PULL 22/25] target/i386: kvm: Add nested migration blocker only when kernel lacks required capabilities

11 matches

Site Navigation

Mail list logo

Footer information