Re: [Qemu-devel] [PATCH v11] kvm: notify host when the guest is panicked

[Hu Tao]

On Tue, Oct 30, 2012 at 10:30:02PM -0400, Sasha Levin wrote:
> On Tue, Oct 30, 2012 at 9:48 PM, Wen Congyang <address@hidden> wrote:
> > At 10/31/2012 09:12 AM, Marcelo Tosatti Wrote:
> >> It has been asked earlier why a simple virtio device is not usable
> >> for this (with no response IIRC).
> >
> > 1. We can't use virtio device when the kernel is booting.
> 
> So the issue here is the small window between the point the guest
> becomes "self aware" and to the point virtio drivers are loaded,
> right?
> 
> I agree that if something happens during that interval, a
> "virtio-notifier" driver won't catch that, but anything beyond that is
> better done with a virtio driver, so how is the generic infrastructure
> added in this patch useful to anything beyond detecting panics in that
> initial interval?

Another point is dependency. To make panic notification more reliable,
we have to reduce its dependency on other parts of kernel as possible as
we can.

> 
> > 2. The virtio's driver can be built as a module, and if it is not loaded
> >    and the kernel is panicked, there is no way to notify the host.
> 
> Even if the suggested virtio-notifier driver is built as a module, it
> would get auto-loaded when the guest is booting, so I'm not sure about
> this point?
> 
> > 3. I/O port is more reliable than virtio device.
> >    If virtio's driver has some bug, and it cause kernel panicked, we can't
> >    use it. The I/O port is more reliable because it only depends on notifier
> >    chain(If we use virtio device, it also depends on notifier chain).
> 
> This is like suggesting that we let KVM emulate virtio-blk on it's
> own, parallel to the virtio implementation, so that even if there's a
> problem with virtio-blk, KVM can emulate a virtio-blk on it's own.

Not the same. On virtio-blk, if we can make use of virtio, why not? If
there is a problem of virtio-blk but caused by virtio itself, just fix
it in virtio.

But in the case of panic notification, more dependency means more
chances of failure of panic notification. Say, if we use a virtio device
to do panic notification, then we will fail if: virtio itself has
problems, virtio for some reason can't be deployed(neither built-in or
as a module), or guest doesn't support virtio, etc.

We choose IO because compared to virtio device, it is not that heavy and
less problematic.

> 
> Furthermore, why stop at virtio? What if the KVM code has a bug and it
> doesn't pass IO properly? Or the x86 code? we still want panic
> notifications if that happens...

Better ideas are welcome.

-- 
Thanks,
Hu Tao