Re: [Xen-devel] [PATCH v4 3/3] x86/ioreq server: Add HVMOP to map guest ram with p2m_ioreq_server to an ioreq server.

[Yu Zhang <yu.c.zhang@xxxxxxxxxxxxxxx>]

On 6/22/2016 5:47 PM, George Dunlap wrote:
> On 22/06/16 10:29, Jan Beulich wrote:
> > > > > On 22.06.16 at 11:16, <george.dunlap@xxxxxxxxxx> wrote:
> > > On 22/06/16 07:39, Jan Beulich wrote:
> > > > > > > On 21.06.16 at 16:38, <george.dunlap@xxxxxxxxxx> wrote:
> > > > > On 21/06/16 10:47, Jan Beulich wrote:
> > > > > > > > > > And then - didn't we mean to disable that part of XenGT during
> > > > > > > > > > migration, i.e. temporarily accept the higher performance
> > > > > > > > > > overhead without the p2m_ioreq_server entries? In which case
> > > > > > > > > > flipping everything back to p2m_ram_rw after (completed or
> > > > > > > > > > canceled) migration would be exactly what we want. The (new
> > > > > > > > > > or previous) ioreq server should attach only afterwards, and
> > > > > > > > > > can then freely re-establish any p2m_ioreq_server entries it
> > > > > > > > > > deems necessary.
> > > > > > > > > Well, I agree this part of XenGT should be disabled during migration.
> > > > > > > > > But in such
> > > > > > > > > case I think it's device model's job to trigger the p2m type
> > > > > > > > > flipping(i.e. by calling
> > > > > > > > > HVMOP_set_mem_type).
> > > > > > > > I agree - this would seem to be the simpler model here, despite (as
> > > > > > > > George validly says) the more consistent model would be for the
> > > > > > > > hypervisor to do the cleanup. Such cleanup would imo be reasonable
> > > > > > > > only if there was an easy way for the hypervisor to enumerate all
> > > > > > > > p2m_ioreq_server pages.
> > > > > > > Well, for me, the "easy way" means we should avoid traversing the whole ept
> > > > > > > paging structure all at once, right?
> > > > > > Yes.
> > > > > Does calling p2m_change_entry_type_global() not satisfy this requirement?
> > > > Not really - that addresses the "low overhead" aspect, but not the
> > > > "enumerate all such entries" one.
> > > I'm sorry, I think I'm missing something here.  What do we need the
> > > enumeration for?
> > We'd need that if we were to do the cleanup in the hypervisor (as
> > we can't rely on all p2m entry re-calculation to have happened by
> > the time a new ioreq server registers for the type).
> So you're afraid of this sequence of events?
> 1) Server A de-registered, triggering a ioreq_server -> ram_rw type change
> 2) gfn N is marked as misconfigured
> 3) Server B registers and marks gfn N as ioreq_server
> 4) When N is accessed, the misconfiguration is resolved incorrectly to
> ram_rw
>
> But that can't happen, because misconfigured entries are resolved before
> setting a p2m entry; so at step 3, gfn N will be first set to
> (non-misconfigured) ram_rw, then changed to (non-misconfigured)
> ioreq_server.
>
> Or is there another sequence of events that I'm missing?
Thanks for your reply, George. :)
If no log dirty is triggered during this process, your sequence is correct.
However, if log dirty is triggered, we'll met problems. I have described 
this
in previous mails :

http://lists.xenproject.org/archives/html/xen-devel/2016-06/msg02426.html
on Jun 20

and

http://lists.xenproject.org/archives/html/xen-devel/2016-06/msg02575.html
on Jun 21

> > > > > Well I had in principle already agreed to letting this be the interface
> > > > > on the previous round of patches; we're having this discussion because
> > > > > you (Jan) asked about what happens if an ioreq server is de-registered
> > > > > while there are still outstanding p2m types. :-)
> > > > Indeed. Yet so far I understood you didn't like de-registration to
> > > > both not do the cleanup itself and fail if there are outstanding
> > > > entries.
> > > No, I think regarding deregistering while there were outstanding
> > > entries, I said the opposite -- that there's no point in failing the
> > > de-registration, because a poorly-behaved ioreq server may just ignore
> > > the error code and exit anyway.  Although, thinking on it again, I
> > > suppose that an error code would allow a buggy ioreq server to know that
> > > it had screwed up somewhere.
> > Not exactly, I think: The failed de-registration ought to lead to failure
> > of an attempt to register another ioreq server (or the same one again),
> > which should make the issue quickly noticable.
> Hmm... yes, the more I think about it the more it seems like allowing
> p2m entries from a previous ioreq server to be already set when there's
> a new ioreq server registration is digging a hole for future people to
> fall into.  Paul and Yu Zhang are the most likely people to fall into
> that hole, so I haven't been arguing strenuously so far against it, but
> given that I'm not yet convinced that fixing it is that difficult, at
Taking the live migration into consideration, I admit I still have not 
found any light-
weighted solution to fix this. :)

Thanks
Yu

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel