Re: [PATCH mlx5-next 2/7] vfio: Add an API to check migration state transition validity

From: Max Gurtovoy
Date: Wed Sep 29 2021 - 06:57:29 EST



On 9/28/2021 10:19 PM, Alex Williamson wrote:
On Mon, 27 Sep 2021 20:12:39 -0300
Jason Gunthorpe <jgg@xxxxxxxx> wrote:

On Mon, Sep 27, 2021 at 04:46:48PM -0600, Alex Williamson wrote:
+ enum { MAX_STATE = VFIO_DEVICE_STATE_RESUMING };
+ static const u8 vfio_from_state_table[MAX_STATE + 1][MAX_STATE + 1] = {
+ [VFIO_DEVICE_STATE_STOP] = {
+ [VFIO_DEVICE_STATE_RUNNING] = 1,
+ [VFIO_DEVICE_STATE_RESUMING] = 1,
+ },
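Review bot: the table is indexed directly by old_state and new_state, so every caller must reject values above MAX_STATE before the lookup; the transition requests originate from the user application, and an unchecked index into a (MAX_STATE + 1) x (MAX_STATE + 1) array would read past it. A guard such as `if (new_state > MAX_STATE || old_state > MAX_STATE) return false;` should sit in front of the table access. The visible row also lists only _RUNNING and _RESUMING as reachable from _STOP; whichever transitions end up in this table should match the FSM documented in the uAPI header so that driver and header do not disagree.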
Our state transition diagram is pretty weak on reachable transitions
out of the _STOP state, why do we select only these two as valid?
I have no particular opinion on specific states here, however adding
more states means more stuff for drivers to implement and more risk
driver writers will mess up this uAPI.
It looks like state transitions were largely discussed in v9 and v10 of
the migration proposals:

https://lore.kernel.org/all/1573578220-7530-2-git-send-email-kwankhede@xxxxxxxxxx/
https://lore.kernel.org/all/1576527700-21805-2-git-send-email-kwankhede@xxxxxxxxxx/

I'm not seeing that we really excluded many transitions there.

So only on those grounds I'd suggest to keep this to the minimum
needed instead of the maximum logically possible..

Also, probably the FSM comment from the uapi header file should be
moved into a function comment above this function?
It's not clear this function shouldn't be anything more than:

	if (new_state > MAX_STATE || old_state > MAX_STATE)
		return false; /* exited via device reset, */
			      /* entered via transition fault */

	return true;

That's still only 5 fully interconnected states to work between, and
potentially a 6th if we decide _RESUMING|_RUNNING is valid for a device
supporting post-copy.

In defining the device state, we tried to steer away from defining it
in terms of the QEMU migration API, but rather as a set of controls
that could be used to support that API to leave us some degree of
independence that QEMU implementation might evolve.

The state machine is not related to QEMU specifically.

The state machine defines an agreement between user application (let's say QEMU) and VFIO.

If a user application would like to move, for example, from RESUMING to SAVING state, then the kernel should fail. I don't think that there is a device that can support it.

If you prefer we check this inside our mlx5 vfio driver, we can do it. But we think that this is a common logic according to the defined FSM.

Do you prefer code duplication in vendor vfio-pci drivers?

To that extent, it actually seems easier for a device implementation to
focus on bit definition rather than the state machine node.

I'd also vote that any clarification of state validity and transitions
belongs in the uAPI header and a transition test function should
reference that header as the source of truth, rather than the other way
around. Thanks,

Yes, I guess this is possible.


Alex
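The two positions in the thread, a bare bounds check versus a from/to table, side by side as an added example. This is not code from the mlx5 patch or from the kernel: the state bit values are the ones defined in include/uapi/linux/vfio.h for the v1 migration protocol, the _STOP row of the table is the one visible in the quoted hunk, and every other row is an assumption taken from the FSM diagram documented in that header (running to stop, running to stop-and-copy, running to pre-copy, pre-copy to stop-and-copy, stop-and-copy to stop, running to resuming, resuming to running). The function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Device-state bits as defined in include/uapi/linux/vfio.h (v1 protocol). */
#define VFIO_DEVICE_STATE_STOP     (0)
#define VFIO_DEVICE_STATE_RUNNING  (1 << 0)
#define VFIO_DEVICE_STATE_SAVING   (1 << 1)
#define VFIO_DEVICE_STATE_RESUMING (1 << 2)
#define VFIO_DEVICE_STATE_ERROR    (VFIO_DEVICE_STATE_SAVING | \
                                    VFIO_DEVICE_STATE_RESUMING)

/* Same upper bound as the quoted hunk: _RESUMING (4) is the highest state. */
#define MAX_STATE VFIO_DEVICE_STATE_RESUMING

/*
 * Variant A: the minimal check proposed in the thread. Any pair of
 * in-range states is accepted. Note that values above MAX_STATE include
 * both _ERROR (6) and _RUNNING|_RESUMING (5), so a post-copy state could
 * not be expressed with this bound.
 */
bool transition_valid_minimal(uint32_t old_state, uint32_t new_state)
{
	if (old_state > MAX_STATE || new_state > MAX_STATE)
		return false;
	return true;
}

/*
 * Variant B: a [from][to] table in the style of the patch. Only the _STOP
 * row is taken from the hunk; the remaining rows are an ASSUMPTION derived
 * from the FSM diagram in the uAPI header, not the patch's content.
 */
static const uint8_t vfio_from_state_table[MAX_STATE + 1][MAX_STATE + 1] = {
	[VFIO_DEVICE_STATE_STOP] = {
		[VFIO_DEVICE_STATE_RUNNING]  = 1,
		[VFIO_DEVICE_STATE_RESUMING] = 1,
	},
	[VFIO_DEVICE_STATE_RUNNING] = {                    /* assumed */
		[VFIO_DEVICE_STATE_STOP]     = 1,
		[VFIO_DEVICE_STATE_SAVING]   = 1,          /* stop-and-copy */
		[VFIO_DEVICE_STATE_RUNNING | VFIO_DEVICE_STATE_SAVING] = 1, /* pre-copy */
		[VFIO_DEVICE_STATE_RESUMING] = 1,
	},
	[VFIO_DEVICE_STATE_RUNNING | VFIO_DEVICE_STATE_SAVING] = { /* assumed */
		[VFIO_DEVICE_STATE_SAVING]   = 1,
	},
	[VFIO_DEVICE_STATE_SAVING] = {                     /* assumed */
		[VFIO_DEVICE_STATE_STOP]     = 1,
	},
	[VFIO_DEVICE_STATE_RESUMING] = {                   /* assumed */
		[VFIO_DEVICE_STATE_RUNNING]  = 1,
	},
};

bool transition_valid_table(uint32_t old_state, uint32_t new_state)
{
	/*
	 * Bounds check before indexing: both values come from the
	 * device_state field that the user application writes, so an
	 * unchecked index would read past the table.
	 */
	if (old_state > MAX_STATE || new_state > MAX_STATE)
		return false;
	return vfio_from_state_table[old_state][new_state] != 0;
}

int main(void)
{
	/* Constructed sample transitions, including the RESUMING -> SAVING
	 * case the thread says a device cannot support. */
	const uint32_t cases[][2] = {
		{ VFIO_DEVICE_STATE_STOP,     VFIO_DEVICE_STATE_RUNNING  },
		{ VFIO_DEVICE_STATE_RESUMING, VFIO_DEVICE_STATE_SAVING   },
		{ VFIO_DEVICE_STATE_ERROR,    VFIO_DEVICE_STATE_STOP     },
		{ VFIO_DEVICE_STATE_RUNNING,  8                          },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%u -> %u: minimal=%d table=%d\n",
		       cases[i][0], cases[i][1],
		       transition_valid_minimal(cases[i][0], cases[i][1]),
		       transition_valid_table(cases[i][0], cases[i][1]));
	return 0;
}
```

The difference between the two variants is exactly the disagreement in the thread: both reject out-of-range values such as _ERROR, but only the table rejects RESUMING to SAVING; the minimal check leaves that decision to each vendor driver.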