Merge branch 'main' into fix/kvmclock_ctrl_test

Author: roypat

CHANGELOG.md

@@ -45,6 +45,10 @@ and this project adheres to
 - [#5007](https://github.com/firecracker-microvm/firecracker/pull/5007): Fixed
   watchdog softlockup warning on x86_64 guests when a vCPU is paused during GDB
   debugging.
+- [#5021](https://github.com/firecracker-microvm/firecracker/pull/5021) If a
+  balloon device is inflated post UFFD-backed snapshot restore, Firecracker now
+  causes `remove` UFFD messages to be sent to the UFFD handler. Previously, no
+  such message would be sent.
 
 ## [1.10.1]
 
@@ -118,7 +122,8 @@ and this project adheres to
   VMGenID support for microVMs running on ARM hosts with 6.1 guest kernels.
   Support for VMGenID via DeviceTree bindings exists only on mainline 6.10 Linux
   onwards. Users of Firecracker will need to backport the relevant patches on
-  top of their 6.1 kernels to make use of the feature.
+  top of their 6.1 kernels to make use of the feature. As a result, Firecracker
+  snapshot version is now 3.0.0
 - [#4732](https://github.com/firecracker-microvm/firecracker/pull/4732),
   [#4733](https://github.com/firecracker-microvm/firecracker/pull/4733),
   [#4741](https://github.com/firecracker-microvm/firecracker/pull/4741),

Cargo.lock

@@ -25,6 +25,8 @@
   - [Secure and insecure usage examples](#usage-examples)
   - [Reusing snapshotted states securely](#reusing-snapshotted-states-securely)
 - [Vsock device limitation](#vsock-device-limitation)
+- [VMGenID device limitation](#vmgenid-device-limitation)
+- [Where can I resume my snapshots?](#where-can-i-resume-my-snapshots)
 
 ## About microVM snapshotting
 
@@ -638,28 +640,19 @@ might not be able to handle the injected notification and crash. We suggest to
 users that they take snapshots only after the guest kernel has completed
 booting, to avoid this issue.
 
-## Snapshot compatibility across kernel versions
+## Where can I resume my snapshots?
 
-We have a mechanism in place to experiment with snapshot compatibility across
-supported host kernel versions by generating snapshot artifacts through
-[this test](../../tests/integration_tests/functional/test_snapshot_phase1.py)
-and checking devices' functionality using
-[this test](../../tests/integration_tests/functional/test_snapshot_restore_cross_kernel.py).
-The test restores the snapshot and ensures that all the devices set-up (network
-devices, disk, vsock, balloon and MMDS) are operational post-load.
+Snapshots must be resumed on an software and hardware configuration which is
+identical to what they were generated on. However, in limited cases, snapshots
+can be resumed on identical hardware instances where they were taken on, but
+using newer host kernel versions. While we do not provide any guarantees on this
+setup (and do not recommend doing this in production), we are currently aware of
+the compatibility table reported below:
 
-In those tests the instance is fixed, except some combinations where we also
-test across the same CPU family (Intel x86, Gravitons). In general cross-CPU
-snapshots [are not supported](./versioning.md#cpu-model)
+| .metal instance type | taken on host kernel | restored on host kernel |
+| -------------------- | -------------------- | ----------------------- |
+| {c5n,m5n,m6i,m6a}    | 5.10                 | 6.1                     |
 
-The tables below reflect the snapshot compatibility observed on the AWS
-instances we support.
-
-**all** means all currently supported Intel/AMD/ARM metal instances (m6g, m7g,
-m5n, c5n, m6i, m6a). It does not mean cross-instance, i.e. a snapshot taken on
-m6i won't work on an m6g instance.
-
-| *CPU family* | *taken on host kernel* | *restored on host kernel* | *working?* |
-| ------------ | ---------------------- | ------------------------- | ---------- |
-| **x86_64**   | 5.10                   | 6.1                       | Y          |
-| **x86_64**   | 6.1                    | 5.10                      | N          |
+For example, a snapshot taken on a m6i.metal host running a 5.10 host kernel can
+be restored on a different m6i.metal host running a 6.1 host kernel (but not
+vice versa), but could not be restored on a c5n.metal host.

docs/snapshotting/snapshot-support.md

@@ -14,7 +14,7 @@ clap = { version = "4.5.27", features = ["derive"] }
 itertools = "0.14.0"
 proc-macro2 = { version = "1.0.93", features = ["span-locations"] }
 quote = "1.0.38"
-syn = { version = "2.0.96", features = ["full", "extra-traits", "visit", "visit-mut", "printing"] } 
+syn = { version = "2.0.98", features = ["full", "extra-traits", "visit", "visit-mut", "printing"] } 
 walkdir = "2.5.0"
 
 [dev-dependencies]

src/clippy-tracing/Cargo.toml

@@ -15,7 +15,7 @@ displaydoc = "0.2.5"
 libc = "0.2.169"
 log-instrument = { path = "../log-instrument", optional = true }
 serde = { version = "1.0.217", features = ["derive"] }
-serde_json = "1.0.137"
+serde_json = "1.0.138"
 thiserror = "2.0.11"
 
 vmm = { path = "../vmm" }

src/cpu-template-helper/Cargo.toml

@@ -24,7 +24,7 @@ micro_http = { git = "https://github.com/firecracker-microvm/micro-http" }
 
 serde = { version = "1.0.217", features = ["derive"] }
 serde_derive = "1.0.136"
-serde_json = "1.0.137"
+serde_json = "1.0.138"
 thiserror = "2.0.11"
 timerfd = "1.6.0"
 utils = { path = "../utils" }
@@ -43,7 +43,7 @@ userfaultfd = "0.8.1"
 [build-dependencies]
 seccompiler = { path = "../seccompiler" }
 serde = { version = "1.0.217" }
-serde_json = "1.0.137"
+serde_json = "1.0.138"
 
 [features]
 tracing = ["log-instrument", "utils/tracing", "vmm/tracing"]

src/firecracker/Cargo.toml

@@ -36,7 +36,7 @@ fn main() {
             userfaultfd::Event::Pagefault { .. } => {
                 for region in uffd_handler.mem_regions.clone() {
                     uffd_handler
-                        .serve_pf(region.mapping.base_host_virt_addr as _, region.mapping.size)
+                        .serve_pf(region.mapping.base_host_virt_addr as _, region.mapping.size);
                 }
             }
             _ => panic!("Unexpected event on userfaultfd"),

src/firecracker/examples/uffd/fault_all_handler.rs

@@ -116,7 +116,7 @@ impl UffdHandler {
         }
     }
 
-    pub fn serve_pf(&mut self, addr: *mut u8, len: usize) {
+    pub fn serve_pf(&mut self, addr: *mut u8, len: usize) -> bool {
         // Find the start of the page that the current faulting address belongs to.
         let dst = (addr as usize & !(self.page_size - 1)) as *mut libc::c_void;
         let fault_page_addr = dst as u64;
@@ -133,14 +133,18 @@ impl UffdHandler {
                 //    event was received. This can be a consequence of guest reclaiming back its
                 //    memory from the host (through balloon device)
                 Some(MemPageState::Uninitialized) | Some(MemPageState::FromFile) => {
-                    let (start, end) = self.populate_from_file(region, fault_page_addr, len);
-                    self.update_mem_state_mappings(start, end, MemPageState::FromFile);
-                    return;
+                    match self.populate_from_file(region, fault_page_addr, len) {
+                        Some((start, end)) => {
+                            self.update_mem_state_mappings(start, end, MemPageState::FromFile)
+                        }
+                        None => return false,
+                    }
+                    return true;
                 }
                 Some(MemPageState::Removed) | Some(MemPageState::Anonymous) => {
                     let (start, end) = self.zero_out(fault_page_addr);
                     self.update_mem_state_mappings(start, end, MemPageState::Anonymous);
-                    return;
+                    return true;
                 }
                 None => {}
             }
@@ -152,20 +156,39 @@ impl UffdHandler {
         );
     }
 
-    fn populate_from_file(&self, region: &MemRegion, dst: u64, len: usize) -> (u64, u64) {
+    fn populate_from_file(&self, region: &MemRegion, dst: u64, len: usize) -> Option<(u64, u64)> {
         let offset = dst - region.mapping.base_host_virt_addr;
         let src = self.backing_buffer as u64 + region.mapping.offset + offset;
 
         let ret = unsafe {
-            self.uffd
-                .copy(src as *const _, dst as *mut _, len, true)
-                .expect("Uffd copy failed")
+            match self.uffd.copy(src as *const _, dst as *mut _, len, true) {
+                Ok(value) => value,
+                // Catch EAGAIN errors, which occur when a `remove` event lands in the UFFD
+                // queue while we're processing `pagefault` events.
+                // The weird cast is because the `bytes_copied` field is based on the
+                // `uffdio_copy->copy` field, which is a signed 64 bit integer, and if something
+                // goes wrong, it gets set to a -errno code. However, uffd-rs always casts this
+                // value to an unsigned `usize`, which scrambled the errno.
+                Err(Error::PartiallyCopied(bytes_copied))
+                    if bytes_copied == 0 || bytes_copied == (-libc::EAGAIN) as usize =>
+                {
+                    return None
+                }
+                Err(Error::CopyFailed(errno))
+                    if std::io::Error::from(errno).raw_os_error().unwrap() == libc::EEXIST =>
+                {
+                    len
+                }
+                Err(e) => {
+                    panic!("Uffd copy failed: {e:?}");
+                }
+            }
         };
 
         // Make sure the UFFD copied some bytes.
         assert!(ret > 0);
 
-        (dst, dst + len as u64)
+        Some((dst, dst + len as u64))
     }
 
     fn zero_out(&mut self, addr: u64) -> (u64, u64) {

src/firecracker/examples/uffd/uffd_utils.rs

@@ -26,24 +26,79 @@ fn main() {
     let mut runtime = Runtime::new(stream, file);
     runtime.install_panic_hook();
     runtime.run(|uffd_handler: &mut UffdHandler| {
-        // Read an event from the userfaultfd.
-        let event = uffd_handler
-            .read_event()
-            .expect("Failed to read uffd_msg")
-            .expect("uffd_msg not ready");
-
-        // We expect to receive either a Page Fault or Removed
-        // event (if the balloon device is enabled).
-        match event {
-            userfaultfd::Event::Pagefault { addr, .. } => {
-                uffd_handler.serve_pf(addr.cast(), uffd_handler.page_size)
+        // !DISCLAIMER!
+        // When using UFFD together with the balloon device, this handler needs to deal with
+        // `remove` and `pagefault` events. There are multiple things to keep in mind in
+        // such setups:
+        //
+        // As long as any `remove` event is pending in the UFFD queue, all ioctls return EAGAIN
+        // -----------------------------------------------------------------------------------
+        //
+        // This means we cannot process UFFD events simply one-by-one anymore - if a `remove` event
+        // arrives, we need to pre-fetch all other events up to the `remove` event, to unblock the
+        // UFFD, and then go back to the process the pre-fetched events.
+        //
+        // UFFD might receive events in not in their causal order
+        // -----------------------------------------------------
+        //
+        // For example, the guest
+        // kernel might first respond to a balloon inflation by freeing some memory, and
+        // telling Firecracker about this. Firecracker will then madvise(MADV_DONTNEED) the
+        // free memory range, which causes a `remove` event to be sent to UFFD. Then, the
+        // guest kernel might immediately fault the page in again (for example because
+        // default_on_oom was set). which causes a `pagefault` event to be sent to UFFD.
+        //
+        // However, the pagefault will be triggered from inside KVM on the vCPU thread, while the
+        // balloon device is handled by Firecracker on its VMM thread. This means that potentially
+        // this handler can receive the `pagefault` _before_ the `remove` event.
+        //
+        // This means that the simple "greedy" strategy of simply prefetching _all_ UFFD events
+        // to make sure no `remove` event is blocking us can result in the handler acting on
+        // the `pagefault` event before the `remove` message (despite the `remove` event being
+        // in the causal past of the `pagefault` event), which means that we will fault in a page
+        // from the snapshot file, while really we should be faulting in a zero page.
+        //
+        // In this example handler, we ignore this problem, to avoid
+        // complexity (under the assumption that the guest kernel will zero a newly faulted in
+        // page anyway). A production handler will most likely want to ensure that `remove`
+        // events for a specific range are always handled before `pagefault` events.
+        //
+        // Lastly, we still need to deal with the race condition where a `remove` event arrives
+        // in the UFFD queue after we got done reading all events, in which case we need to go
+        // back to reading more events before we can continue processing `pagefault`s.
+        let mut deferred_events = Vec::new();
+
+        loop {
+            // First, try events that we couldn't handle last round
+            let mut events_to_handle = Vec::from_iter(deferred_events.drain(..));
+
+            // Read all events from the userfaultfd.
+            while let Some(event) = uffd_handler.read_event().expect("Failed to read uffd_msg") {
+                events_to_handle.push(event);
+            }
+
+            for event in events_to_handle.drain(..) {
+                // We expect to receive either a Page Fault or `remove`
+                // event (if the balloon device is enabled).
+                match event {
+                    userfaultfd::Event::Pagefault { addr, .. } => {
+                        if !uffd_handler.serve_pf(addr.cast(), uffd_handler.page_size) {
+                            deferred_events.push(event);
+                        }
+                    }
+                    userfaultfd::Event::Remove { start, end } => uffd_handler
+                        .update_mem_state_mappings(start as u64, end as u64, MemPageState::Removed),
+                    _ => panic!("Unexpected event on userfaultfd"),
+                }
+            }
+
+            // We assume that really only the above removed/pagefault interaction can result in
+            // deferred events. In that scenario, the loop will always terminate (unless
+            // newly arriving `remove` events end up indefinitely blocking it, but there's nothing
+            // we can do about that, and it's a largely theoretical problem).
+            if deferred_events.is_empty() {
+                break;
             }
-            userfaultfd::Event::Remove { start, end } => uffd_handler.update_mem_state_mappings(
-                start as u64,
-                end as u64,
-                MemPageState::Removed,
-            ),
-            _ => panic!("Unexpected event on userfaultfd"),
         }
     });
 }

src/firecracker/examples/uffd/valid_handler.rs

@@ -13,7 +13,7 @@ bench = false
 [dependencies]
 proc-macro2 = "1.0.93"
 quote = "1.0.38"
-syn = { version = "2.0.96", features = ["full", "extra-traits"] }
+syn = { version = "2.0.98", features = ["full", "extra-traits"] }
 
 [lints]
 workspace = true