From: Stefan Hajnoczi <stefanha@redhat.com>
To: Alexander Mikhalitsyn <alexander@mihalicyn.com>
Cc: qemu-devel@nongnu.org, "Kevin Wolf" <kwolf@redhat.com>,
qemu-block@nongnu.org, "Fam Zheng" <fam@euphon.net>,
"Stéphane Graber" <stgraber@stgraber.org>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Laurent Vivier" <lvivier@redhat.com>,
"Jesper Devantier" <foss@defmacro.it>,
"Klaus Jensen" <its@irrelevant.dk>,
"Fabiano Rosas" <farosas@suse.de>,
"Zhao Liu" <zhao1.liu@intel.com>,
"Keith Busch" <kbusch@kernel.org>, "Peter Xu" <peterx@redhat.com>,
"Hanna Reitz" <hreitz@redhat.com>,
"Alexander Mikhalitsyn" <aleksandr.mikhalitsyn@futurfusion.io>
Subject: Re: [PATCH v6 6/8] hw/nvme: add basic live migration support
Date: Mon, 27 Apr 2026 17:03:43 -0400 [thread overview]
Message-ID: <20260427210343.GG218226@fedora> (raw)
In-Reply-To: <20260419130139.15554-7-alexander@mihalicyn.com>
[-- Attachment #1: Type: text/plain, Size: 2474 bytes --]
On Sun, Apr 19, 2026 at 03:01:37PM +0200, Alexander Mikhalitsyn wrote:
> @@ -4903,6 +4916,25 @@ static void nvme_init_sq(NvmeSQueue *sq, NvmeCtrl *n, uint64_t dma_addr,
> __nvme_init_sq(sq);
> }
>
> +static void nvme_restore_sq(NvmeSQueue *sq_from)
> +{
> + NvmeCtrl *n = sq_from->ctrl;
> + NvmeSQueue *sq = sq_from;
> +
> + if (sq_from->sqid == 0) {
> + sq = &n->admin_sq;
docs/devel/migration/main.rst says:
- The destination should treat an incoming migration stream as hostile
(which we do to varying degrees in the existing code). Check that offsets
into buffers and the like can't cause overruns. Fail the incoming migration
in the case of a corrupted stream like this.
Can a corrupt/malicious device state reach this point multiple times
(i.e. several sqid 0 queues are stored in the device state)? If yes,
then input validation would be good here to avoid undefined behavior
later in the sq code.
The same issue may apply to duplicate sqids in general. It seems safest
to reject them during restore.
> + sq->ctrl = n;
> + sq->dma_addr = sq_from->dma_addr;
> + sq->sqid = sq_from->sqid;
> + sq->size = sq_from->size;
> + sq->cqid = sq_from->cqid;
> + sq->head = sq_from->head;
> + sq->tail = sq_from->tail;
> + }
> +
> + __nvme_init_sq(sq);
> +}
> +
> static uint16_t nvme_create_sq(NvmeCtrl *n, NvmeRequest *req)
> {
> NvmeSQueue *sq;
> @@ -5605,6 +5637,39 @@ static void nvme_init_cq(NvmeCQueue *cq, NvmeCtrl *n, uint64_t dma_addr,
> __nvme_init_cq(cq);
> }
>
> +static void copy_cq_req_list(NvmeCQueue *cq_to, NvmeCQueue *cq_from)
This moves the NvmeRequests rather than copying them. Rename to
move_cq_req_list()?
> +{
> + NvmeRequest *req, *next;
> +
> + QTAILQ_FOREACH_SAFE(req, &cq_from->req_list, entry, next) {
> + QTAILQ_REMOVE(&cq_from->req_list, req, entry);
> + QTAILQ_INSERT_TAIL(&cq_to->req_list, req, entry);
> + }
> +}
> +
> +static void nvme_restore_cq(NvmeCQueue *cq_from)
> +{
> + NvmeCtrl *n = cq_from->ctrl;
> + NvmeCQueue *cq = cq_from;
> +
> + if (cq_from->cqid == 0) {
> + cq = &n->admin_cq;
Same question about duplicate CQs in corrupt/malicious device states.
I reviewed the new draining (busy wait removal). I'll leave the rest for
Klaus because I'm not that familiar with the NVMe emulation code.
Stefan
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2026-04-27 21:06 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-19 13:01 [PATCH v6 0/8] hw/nvme: add basic live migration support Alexander Mikhalitsyn
2026-04-19 13:01 ` [PATCH v6 1/8] tests/functional/migration: add VM launch/configure hooks Alexander Mikhalitsyn
2026-04-19 13:01 ` [PATCH v6 2/8] hw/nvme: add migration blockers for non-supported cases Alexander Mikhalitsyn
2026-04-19 13:01 ` [PATCH v6 3/8] hw/nvme: split nvme_init_sq/nvme_init_cq into helpers Alexander Mikhalitsyn
2026-04-29 6:20 ` Klaus Jensen
2026-04-19 13:01 ` [PATCH v6 4/8] hw/nvme: set CQE.sq_id earlier in nvme_process_sq Alexander Mikhalitsyn
2026-04-29 6:18 ` Klaus Jensen
2026-04-19 13:01 ` [PATCH v6 5/8] hw/nvme: unmap req->sg earlier in nvme_enqueue_req_completion Alexander Mikhalitsyn
2026-04-29 6:19 ` Klaus Jensen
2026-04-19 13:01 ` [PATCH v6 6/8] hw/nvme: add basic live migration support Alexander Mikhalitsyn
2026-04-27 21:03 ` Stefan Hajnoczi [this message]
2026-04-28 15:38 ` Alexander Mikhalitsyn
2026-04-19 13:01 ` [PATCH v6 7/8] tests/functional/x86_64: add migration test for NVMe device Alexander Mikhalitsyn
2026-04-19 13:01 ` [PATCH v6 8/8] tests/qtest/nvme-test: add migration test with full CQ Alexander Mikhalitsyn
2026-04-27 20:00 ` Stefan Hajnoczi
2026-04-28 15:55 ` Alexander Mikhalitsyn
2026-04-28 16:13 ` Stefan Hajnoczi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260427210343.GG218226@fedora \
--to=stefanha@redhat.com \
--cc=aleksandr.mikhalitsyn@futurfusion.io \
--cc=alexander@mihalicyn.com \
--cc=fam@euphon.net \
--cc=farosas@suse.de \
--cc=foss@defmacro.it \
--cc=hreitz@redhat.com \
--cc=its@irrelevant.dk \
--cc=kbusch@kernel.org \
--cc=kwolf@redhat.com \
--cc=lvivier@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peterx@redhat.com \
--cc=philmd@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=stgraber@stgraber.org \
--cc=zhao1.liu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.