5d6483edaa
Commit 852f0048f3 ("RAMBlock: make guest_memfd require uncoordinated
discard") highlighted that subsystems like VFIO may disable RAM block
discard. However, guest_memfd relies on discard operations for page
conversion between private and shared memory, potentially leading to
the stale IOMMU mapping issue when assigning hardware devices to
confidential VMs via shared memory. To address this and allow shared
device assignement, it is crucial to ensure the VFIO system refreshes
its IOMMU mappings.
RamDiscardManager is an existing interface (used by virtio-mem) to
adjust VFIO mappings in relation to VM page assignment. Effectively page
conversion is similar to hot-removing a page in one mode and adding it
back in the other. Therefore, similar actions are required for page
conversion events. Introduce the RamDiscardManager to guest_memfd to
facilitate this process.
Since guest_memfd is not an object, it cannot directly implement the
RamDiscardManager interface. Implementing it in HostMemoryBackend is
not appropriate because guest_memfd is per RAMBlock, and some RAMBlocks
have a memory backend while others do not. Notably, virtual BIOS
RAMBlocks using memory_region_init_ram_guest_memfd() do not have a
backend.
To manage RAMBlocks with guest_memfd, define a new object named
RamBlockAttributes to implement the RamDiscardManager interface. This
object can store the guest_memfd information such as the bitmap for
shared memory and the registered listeners for event notifications. A
new state_change() helper function is provided to notify listeners, such
as VFIO, allowing VFIO to do dynamically DMA map and unmap for the shared
memory according to conversion events. Note that in the current context
of RamDiscardManager for guest_memfd, the shared state is analogous to
being populated, while the private state can be considered discarded for
simplicity. In the future, it would be more complicated if considering
more states like private/shared/discarded at the same time.
In current implementation, memory state tracking is performed at the
host page size granularity, as the minimum conversion size can be one
page per request. Additionally, VFIO expected the DMA mapping for a
specific IOVA to be mapped and unmapped with the same granularity.
Confidential VMs may perform partial conversions, such as conversions on
small regions within a larger one. To prevent such invalid cases and
until support for DMA mapping cut operations is available, all
operations are performed with 4K granularity.
In addition, memory conversion failures cause QEMU to quit rather than
resuming the guest or retrying the operation at present. It would be
future work to add more error handling or rollback mechanisms once
conversion failures are allowed. For example, in-place conversion of
guest_memfd could retry the unmap operation during the conversion from
shared to private. For now, keep the complex error handling out of the
picture as it is not required.
Tested-by: Alexey Kardashevskiy <aik@amd.com>
Reviewed-by: Alexey Kardashevskiy <aik@amd.com>
Reviewed-by: Pankaj Gupta <pankaj.gupta@amd.com>
Signed-off-by: Chenyi Qiang <chenyi.qiang@intel.com>
Link: https://lore.kernel.org/r/20250612082747.51539-5-chenyi.qiang@intel.com
[peterx: squash fixup from Chenyi to fix builds]
Signed-off-by: Peter Xu <peterx@redhat.com>
115 lines
3.7 KiB
C
115 lines
3.7 KiB
C
/*
|
|
* Declarations for cpu physical memory functions
|
|
*
|
|
* Copyright 2011 Red Hat, Inc. and/or its affiliates
|
|
*
|
|
* Authors:
|
|
* Avi Kivity <avi@redhat.com>
|
|
*
|
|
* This work is licensed under the terms of the GNU GPL, version 2 or
|
|
* later. See the COPYING file in the top-level directory.
|
|
*
|
|
*/
|
|
|
|
/*
|
|
* This header is for use by exec.c and memory.c ONLY. Do not include it.
|
|
* The functions declared here will be removed soon.
|
|
*/
|
|
|
|
#ifndef SYSTEM_RAMBLOCK_H
|
|
#define SYSTEM_RAMBLOCK_H
|
|
|
|
#include "exec/cpu-common.h"
|
|
#include "qemu/rcu.h"
|
|
#include "exec/ramlist.h"
|
|
#include "system/hostmem.h"
|
|
|
|
#define TYPE_RAM_BLOCK_ATTRIBUTES "ram-block-attributes"
|
|
OBJECT_DECLARE_SIMPLE_TYPE(RamBlockAttributes, RAM_BLOCK_ATTRIBUTES)
|
|
|
|
struct RAMBlock {
|
|
struct rcu_head rcu;
|
|
struct MemoryRegion *mr;
|
|
uint8_t *host;
|
|
uint8_t *colo_cache; /* For colo, VM's ram cache */
|
|
ram_addr_t offset;
|
|
ram_addr_t used_length;
|
|
ram_addr_t max_length;
|
|
void (*resized)(const char*, uint64_t length, void *host);
|
|
uint32_t flags;
|
|
/* Protected by the BQL. */
|
|
char idstr[256];
|
|
/* RCU-enabled, writes protected by the ramlist lock */
|
|
QLIST_ENTRY(RAMBlock) next;
|
|
QLIST_HEAD(, RAMBlockNotifier) ramblock_notifiers;
|
|
Error *cpr_blocker;
|
|
int fd;
|
|
uint64_t fd_offset;
|
|
int guest_memfd;
|
|
size_t page_size;
|
|
/* dirty bitmap used during migration */
|
|
unsigned long *bmap;
|
|
|
|
/*
|
|
* Below fields are only used by mapped-ram migration
|
|
*/
|
|
/* bitmap of pages present in the migration file */
|
|
unsigned long *file_bmap;
|
|
/*
|
|
* offset in the file pages belonging to this ramblock are saved,
|
|
* used only during migration to a file.
|
|
*/
|
|
off_t bitmap_offset;
|
|
uint64_t pages_offset;
|
|
|
|
/* Bitmap of already received pages. Only used on destination side. */
|
|
unsigned long *receivedmap;
|
|
|
|
/*
|
|
* bitmap to track already cleared dirty bitmap. When the bit is
|
|
* set, it means the corresponding memory chunk needs a log-clear.
|
|
* Set this up to non-NULL to enable the capability to postpone
|
|
* and split clearing of dirty bitmap on the remote node (e.g.,
|
|
* KVM). The bitmap will be set only when doing global sync.
|
|
*
|
|
* It is only used during src side of ram migration, and it is
|
|
* protected by the global ram_state.bitmap_mutex.
|
|
*
|
|
* NOTE: this bitmap is different comparing to the other bitmaps
|
|
* in that one bit can represent multiple guest pages (which is
|
|
* decided by the `clear_bmap_shift' variable below). On
|
|
* destination side, this should always be NULL, and the variable
|
|
* `clear_bmap_shift' is meaningless.
|
|
*/
|
|
unsigned long *clear_bmap;
|
|
uint8_t clear_bmap_shift;
|
|
|
|
/*
|
|
* RAM block length that corresponds to the used_length on the migration
|
|
* source (after RAM block sizes were synchronized). Especially, after
|
|
* starting to run the guest, used_length and postcopy_length can differ.
|
|
* Used to register/unregister uffd handlers and as the size of the received
|
|
* bitmap. Receiving any page beyond this length will bail out, as it
|
|
* could not have been valid on the source.
|
|
*/
|
|
ram_addr_t postcopy_length;
|
|
};
|
|
|
|
struct RamBlockAttributes {
|
|
Object parent;
|
|
|
|
RAMBlock *ram_block;
|
|
|
|
/* 1-setting of the bitmap represents ram is populated (shared) */
|
|
unsigned bitmap_size;
|
|
unsigned long *bitmap;
|
|
|
|
QLIST_HEAD(, RamDiscardListener) rdl_list;
|
|
};
|
|
|
|
RamBlockAttributes *ram_block_attributes_create(RAMBlock *ram_block);
|
|
void ram_block_attributes_destroy(RamBlockAttributes *attr);
|
|
int ram_block_attributes_state_change(RamBlockAttributes *attr, uint64_t offset,
|
|
uint64_t size, bool to_discard);
|
|
|
|
#endif
|