From: "Cédric Le Goater" <clg@redhat.com>
To: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>,
	Peter Xu <peterx@redhat.com>, Fabiano Rosas <farosas@suse.de>
Cc: "Alex Williamson" <alex.williamson@redhat.com>,
	"Eric Blake" <eblake@redhat.com>,
	"Markus Armbruster" <armbru@redhat.com>,
	"Daniel P . Berrangé" <berrange@redhat.com>,
	"Avihai Horon" <avihaih@nvidia.com>,
	"Joao Martins" <joao.m.martins@oracle.com>,
	qemu-devel@nongnu.org
Subject: Re: [PATCH v5 34/36] vfio/migration: Max in-flight VFIO device state buffer count limit
Date: Thu, 27 Feb 2025 07:48:39 +0100
Message-ID: <11ecf7fb-55f6-4606-b635-e53dbcc71dbc@redhat.com>
In-Reply-To: <719b309bb7bc13542d14e6ce0026cb9bb67e9f31.1739994627.git.maciej.szmigiero@oracle.com>

On 2/19/25 21:34, Maciej S. Szmigiero wrote:
> From: "Maciej S. Szmigiero" <maciej.szmigiero@oracle.com>
> 
> Allow capping the maximum count of in-flight VFIO device state buffers
> queued at the destination, otherwise a malicious QEMU source could
> theoretically cause the target QEMU to allocate unlimited amounts of memory
> for buffers-in-flight.
> 
> Since this is not expected to be a realistic threat in most of VFIO live
> migration use cases and the right value depends on the particular setup
> disable the limit by default by setting it to UINT64_MAX.
> 
> Signed-off-by: Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
> ---
>   hw/vfio/migration-multifd.c   | 14 ++++++++++++++
>   hw/vfio/pci.c                 |  2 ++
>   include/hw/vfio/vfio-common.h |  1 +
>   3 files changed, 17 insertions(+)
> 
> diff --git a/hw/vfio/migration-multifd.c b/hw/vfio/migration-multifd.c
> index 18a5ff964a37..04aa3f4a6596 100644
> --- a/hw/vfio/migration-multifd.c
> +++ b/hw/vfio/migration-multifd.c
> @@ -53,6 +53,7 @@ typedef struct VFIOMultifd {
>       QemuMutex load_bufs_mutex; /* Lock order: this lock -> BQL */
>       uint32_t load_buf_idx;
>       uint32_t load_buf_idx_last;
> +    uint32_t load_buf_queued_pending_buffers;
>   } VFIOMultifd;
>   
>   static void vfio_state_buffer_clear(gpointer data)
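
Review bot: load_buf_queued_pending_buffers is declared uint32_t here, but the limit it is compared against, migration_max_queued_buffers, is uint64_t with a UINT64_MAX default, so any configured value above UINT32_MAX can never be reached by the counter. Using the same width for both (a uint32_t property or a uint64_t counter) would make the comparison meaningful over the whole range. Since the field sits directly under load_bufs_mutex, a short comment saying whether that mutex protects it would also help.
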
> @@ -121,6 +122,15 @@ static bool vfio_load_state_buffer_insert(VFIODevice *vbasedev,
>   
>       assert(packet->idx >= multifd->load_buf_idx);
>   
> +    multifd->load_buf_queued_pending_buffers++;
> +    if (multifd->load_buf_queued_pending_buffers >
> +        vbasedev->migration_max_queued_buffers) {
> +        error_setg(errp,
> +                   "queuing state buffer %" PRIu32 " would exceed the max of %" PRIu64,
> +                   packet->idx, vbasedev->migration_max_queued_buffers);
> +        return false;
> +    }
> +
>       lb->data = g_memdup2(&packet->data, packet_total_size - sizeof(*packet));
>       lb->len = packet_total_size - sizeof(*packet);
>       lb->is_present = true;
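
Review bot: the counter is incremented before the limit check and is not decremented on the `return false` path, so after a rejected packet load_buf_queued_pending_buffers is one higher than the number of buffers actually queued. Comparing with >= first and incrementing only once the buffer is accepted keeps the accounting exact and matches the "would exceed" wording of the error message.
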
> @@ -374,6 +384,9 @@ static bool vfio_load_bufs_thread(void *opaque, bool *should_quit, Error **errp)
>               goto ret_signal;
>           }
>   
> +        assert(multifd->load_buf_queued_pending_buffers > 0);
> +        multifd->load_buf_queued_pending_buffers--;
> +
>           if (multifd->load_buf_idx == multifd->load_buf_idx_last - 1) {
>               trace_vfio_load_state_device_buffer_end(vbasedev->name);
>           }
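
Review bot: this decrement in vfio_load_bufs_thread() and the increment in vfio_load_state_buffer_insert() update the same plain uint32_t, and the hunk does not show whether load_bufs_mutex is held at this point. If it is, a comment on the field saying so would make that checkable; if the lock is dropped around here, the counter should be updated only after it has been re-taken.
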
> @@ -408,6 +421,7 @@ VFIOMultifd *vfio_multifd_new(void)
>   
>       multifd->load_buf_idx = 0;
>       multifd->load_buf_idx_last = UINT32_MAX;
> +    multifd->load_buf_queued_pending_buffers = 0;
>       qemu_cond_init(&multifd->load_bufs_buffer_ready_cond);
>   
>       multifd->load_bufs_thread_running = false;
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index 9111805ae06c..247418f0fce2 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -3383,6 +3383,8 @@ static const Property vfio_pci_dev_properties[] = {
>                   vbasedev.migration_multifd_transfer,
>                   qdev_prop_on_off_auto_mutable, OnOffAuto,
>                   .set_default = true, .defval.i = ON_OFF_AUTO_AUTO),
> +    DEFINE_PROP_UINT64("x-migration-max-queued-buffers", VFIOPCIDevice,
> +                       vbasedev.migration_max_queued_buffers, UINT64_MAX),

UINT64_MAX doesn't make sense to me. What would be a reasonable value?

Have you monitored the max? Should we collect some statistics on this
value and raise a warning if a high water mark is reached? I think
this would be more useful.

>       DEFINE_PROP_BOOL("migration-events", VFIOPCIDevice,
>                        vbasedev.migration_events, false),
>       DEFINE_PROP_BOOL("x-no-mmap", VFIOPCIDevice, vbasedev.no_mmap, false),
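
Review bot: with the check in vfio_load_state_buffer_insert() written as an increment followed by `>`, setting x-migration-max-queued-buffers to 0 rejects the very first buffer, so every load that queues a buffer fails. The property description should state the valid range and that the UINT64_MAX default means no limit, or 0 should be refused when the property is set.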


Please add property documentation in vfio_pci_dev_class_init()


Thanks,

C.


> diff --git a/include/hw/vfio/vfio-common.h b/include/hw/vfio/vfio-common.h
> index 3006931accf6..30a5bb9af61b 100644
> --- a/include/hw/vfio/vfio-common.h
> +++ b/include/hw/vfio/vfio-common.h
> @@ -155,6 +155,7 @@ typedef struct VFIODevice {
>       bool ram_block_discard_allowed;
>       OnOffAuto enable_migration;
>       OnOffAuto migration_multifd_transfer;
> +    uint64_t migration_max_queued_buffers;
>       bool migration_events;
>       VFIODeviceOps *ops;
>       unsigned int num_irqs;
> 
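
Review bot: migration_max_queued_buffers caps a number of buffers, while the concern in the commit message is the amount of memory the destination can be made to allocate. The insert path copies packet_total_size - sizeof(*packet) bytes per buffer, so the count bounds memory only if the per-packet size is bounded elsewhere, which this patch does not show. A comment on the field naming the unit, or a byte-based limit, would make the guarantee explicit.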


