Re: [Qemu-devel] [PATCH] hostmem-file: add a property 'notrunc' to avoid data corruption

[Haozhong Zhang <haozhong.zhang@intel.com>]

On 10/21/16 13:07 +0200, Igor Mammedov wrote:
>On Fri, 21 Oct 2016 15:22:10 +0800
>Haozhong Zhang <haozhong.zhang@intel.com> wrote:
>
>> On 10/20/16 17:35 +0200, Igor Mammedov wrote:
>> >On Thu, 20 Oct 2016 12:47:34 -0200
>> >Eduardo Habkost <ehabkost@redhat.com> wrote:
>> >
>> >> On Thu, Oct 20, 2016 at 04:15:21PM +0200, Igor Mammedov wrote:
>> >> > On Thu, 20 Oct 2016 11:56:10 -0200
>> >> > Eduardo Habkost <ehabkost@redhat.com> wrote:
>> >> >
>> >> > > On Thu, Oct 20, 2016 at 03:42:15PM +0200, Igor Mammedov wrote:
>> >> > > > On Thu, 20 Oct 2016 21:11:38 +0800
>> >> > > > Haozhong Zhang <haozhong.zhang@intel.com> wrote:
>> >> > > >
>> >> > > > > On 10/20/16 14:34 +0200, Igor Mammedov wrote:
>> >> > > > > >On Thu, 20 Oct 2016 14:13:01 +0800
>> >> > > > > >Haozhong Zhang <haozhong.zhang@intel.com> wrote:
>> >> > > > > >
>> >> > > > > >> If a file is used as the backend of memory-backend-file and its size is
>> >> > > > > >> not identical to the property 'size', the file will be truncated. For a
>> >> > > > > >> file used as the backend of vNVDIMM, its data is expected to be
>> >> > > > > >> persistent and the truncation may corrupt the existing data.
>> >> > > > > >I wonder if it's possible just skip 'size' property in your case instead
>> >> > > > > >'notrunc' property. That way if size is not present one'd get actual size
>> >> > > > > >using get_file_size() and set 'size' to it?
>> >> > > > > >And if 'size' is provided and 'size' != file_size then error out.
>> >> > > > > >
>> >> > > > >
>> >> > > > > I don't know how this can be implemented in QEMU. Specially, how does
>> >> > > > > the memory-backend-file know it's used for vNVDIMM, so that it can
>> >> > > > > skip the 'size' property?
>> >> > > > Does memory-backend-file needs to know that it's used by NVDIMM?
>> >> > > > Looking at nvdimm_realize it doesn't as it's assumes
>> >> > > >   hostemem_size == pmem_size + label_size
>> >> > > >
>> >> > > > I'd make hostmem_file.size optional and take size from file
>> >> > > > and if 'size' is specified explictly require it to mach file size.
>> >> > > > It's generic and has nothing to do with nvdimm.
>> >> > >
>> >> > > We can take size from file, or take size from the
>> >> > > host_memory_backend_get_memory() callers.
>> >> > >
>> >> > > Enumerating all sizes that QEMU can use as input:
>> >> > >
>> >> > > A) Backend file size
>> >> > > B) memory backend "size" option
>> >> > > C) frontend-provided size (-numa size, -m, or pc-dimm "size"
>> >> > >     property)
>> >> > -numa size affect only anon memory not backend backed one, for
>> >> > backend baked memory we use memdev where size comes from backend
>> >> >
>> >> > pc-dimm.size is readonly and isn't supposed to influence backend.size
>> >> >
>> >> > I'd drop C option
>> >>
>> >> If C is not present, it should be, as it affects the guest ABI
>> >> (and the ABI must never depend on the host you are running or
>> >> backend configuration, only on the frontend configuration).
>> >I've meant that C should not affect behavior of backend.
>> >
>> >> If we are dropping -numa size in favor of the
>> >> memory-backend-provided size, that's a bug.
>> >-numa size is not applicable here as it's not using backends,
>> >when backends are used it's -numa memdev instead in which case
>> >   numa_info[nodenr].node_mem = object_property_get_int(o, "size", NULL);
>> >
>> >>
>> >> >
>> >> > >
>> >> > > My suggestion is:
>> >> > > * B should be optional.
>> >> > > * If B is omitted, we should never truncate the file to a smaller
>> >> > >   size.
>> >> > i.e. derive backend.size from filesize if possible (i.e. not hugepages)
>> >> >
>> >> > > * If B is omitted, we can use C as the size when mapping the
>> >> > >   file.
>> >> > frontend size is the size that's mapped into guest address space.
>> >> > it should not influence backend's size in backward direction.
>> >> > You may notice pc-dimm.size is not user settable (readonly) property.
>> >>
>> >> Frontend size will not influence backend size, it will just
>> >> affect the size of the memory region the frontend code will ask
>> >> the backend to provide.
>> >>
>> >> In other words: I believe host_memory_backend_get_memory() needs
>> >> a 'size' argument, and that memory allocation could be optionally
>> >> delayed to the host_memory_backend_get_memory() call. This way,
>> >> we don't need a backend size at all, unless we want the backend
>> >> to truncate files or preallocate memory for us.
>> >To not complicate things I'd keep current behavior of
>> >  host_memory_backend_get_memory()
>> >i.e return MR for all the baked memory and then frontend
>> >can split and map it into guest address space as it sees fit
>> >using aliases for non trivial cases taking in account frontend's
>> >own size/label_size/whatnot properties.
>> >That's what NVDIMM does now, it gets MR for whole file and
>> >the splits it on data and label areas and maps into GA only
>> >data part using memory_region_init_alias().
>> >
>>
>> As NVDIMM label is mentioned here, I realize a case that extending
>> file size would fail:
>>
>> NVDIMM labels record the namespace information of the data area and
>> should be persistently stored. The current vNVDIMM implementation in
>> QEMU always stores and finds those labels at the end of the given
>> backend storage. If a larger size B is given and the backend file is
>> extended, QEMU will not be able to find the labels stored on the
>> original file, and hence cannot present the same namespaces to guest.
>>
>> This problem can fixed by deferring the allocation to
>> host_memory_backend_get_memory(), and adding a parameter 'notrunc' to
>> it to specify the truncation behavior. If no truncation is specified
>> and B > A, QEMU will report error and stop.
>Lets not go there (I mean extending/deferring) and keep thing simple,
>backend object should be completely initialized upon completion of
>host_memory_backend_memory_complete() (including creation/mapping of
>whatever memory it's backed by) or fail if it can't do so.
>
>
>How about following behavior:
>
> 1) memory-backend-file,mem-path=/some_dir,size=2G
>    - uses truncate to extend temporary file created in "mem-path" to 'size'
>    for this case to work 'size' is mandatory
>
> 2) memory-backend-file,mem-path=/existing_file,size=2G
>    - uses truncate to extend/shrink file "mem-path" to 'size'
>    for this case 'size' could be made optional,
>    if we take in account that backend could be used as persistent
>    storage then shrinking or extending "mem-path" would be corruption
>    as backend has no idea about internal layout if mapped file.
>    We can do something like this here:
>
>    if (is_size_opt_provided and size_of(mem-path) != 0) {
>       error_out with "mem-path=foo size XXX doesn't match 'size=xxx' option"
>    } else if (is_size_opt_provided and size_of(mem-path) == 0) {
>       // may be we don't need this case and
>       // just fold this in above error case
>       truncate(mem-path) // extend/shrink
>    } else {
>      set_size_opt(size_of(mem-path))
>    }

Agree. Let's wait for Eduardo's comments. If he has no objection, I'll
prepare a patch in this way.

Thanks,
Haozhong