xref: /openbmc/qemu/migration/ram.c (revision 8e6c718a)
1 /*
2  * QEMU System Emulator
3  *
4  * Copyright (c) 2003-2008 Fabrice Bellard
5  * Copyright (c) 2011-2015 Red Hat Inc
6  *
7  * Authors:
8  *  Juan Quintela <quintela@redhat.com>
9  *
10  * Permission is hereby granted, free of charge, to any person obtaining a copy
11  * of this software and associated documentation files (the "Software"), to deal
12  * in the Software without restriction, including without limitation the rights
13  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
14  * copies of the Software, and to permit persons to whom the Software is
15  * furnished to do so, subject to the following conditions:
16  *
17  * The above copyright notice and this permission notice shall be included in
18  * all copies or substantial portions of the Software.
19  *
20  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
21  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
22  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
23  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
24  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
25  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
26  * THE SOFTWARE.
27  */
28 
29 #include "qemu/osdep.h"
30 #include "qemu/cutils.h"
31 #include "qemu/bitops.h"
32 #include "qemu/bitmap.h"
33 #include "qemu/madvise.h"
34 #include "qemu/main-loop.h"
35 #include "xbzrle.h"
36 #include "ram-compress.h"
37 #include "ram.h"
38 #include "migration.h"
39 #include "migration-stats.h"
40 #include "migration/register.h"
41 #include "migration/misc.h"
42 #include "qemu-file.h"
43 #include "postcopy-ram.h"
44 #include "page_cache.h"
45 #include "qemu/error-report.h"
46 #include "qapi/error.h"
47 #include "qapi/qapi-types-migration.h"
48 #include "qapi/qapi-events-migration.h"
49 #include "qapi/qmp/qerror.h"
50 #include "trace.h"
51 #include "exec/ram_addr.h"
52 #include "exec/target_page.h"
53 #include "qemu/rcu_queue.h"
54 #include "migration/colo.h"
55 #include "block.h"
56 #include "sysemu/cpu-throttle.h"
57 #include "savevm.h"
58 #include "qemu/iov.h"
59 #include "multifd.h"
60 #include "sysemu/runstate.h"
61 #include "options.h"
62 
63 #include "hw/boards.h" /* for machine_dump_guest_core() */
64 
65 #if defined(__linux__)
66 #include "qemu/userfaultfd.h"
67 #endif /* defined(__linux__) */
68 
69 /***********************************************************/
70 /* ram save/restore */
71 
72 /*
73  * RAM_SAVE_FLAG_ZERO used to be named RAM_SAVE_FLAG_COMPRESS, it
74  * worked for pages that were filled with the same char.  We switched
75  * it to only search for the zero value.  And to avoid confusion with
76  * RAM_SAVE_FLAG_COMPRESS_PAGE just rename it.
77  */
78 /*
79  * RAM_SAVE_FLAG_FULL was obsoleted in 2009, it can be reused now
80  */
81 #define RAM_SAVE_FLAG_FULL     0x01
82 #define RAM_SAVE_FLAG_ZERO     0x02
83 #define RAM_SAVE_FLAG_MEM_SIZE 0x04
84 #define RAM_SAVE_FLAG_PAGE     0x08
85 #define RAM_SAVE_FLAG_EOS      0x10
86 #define RAM_SAVE_FLAG_CONTINUE 0x20
87 #define RAM_SAVE_FLAG_XBZRLE   0x40
88 /* 0x80 is reserved in qemu-file.h for RAM_SAVE_FLAG_HOOK */
89 #define RAM_SAVE_FLAG_COMPRESS_PAGE    0x100
90 #define RAM_SAVE_FLAG_MULTIFD_FLUSH    0x200
91 /* We can't use any flag that is bigger than 0x200 */
92 
93 int (*xbzrle_encode_buffer_func)(uint8_t *, uint8_t *, int,
94      uint8_t *, int) = xbzrle_encode_buffer;
95 #if defined(CONFIG_AVX512BW_OPT)
96 #include "qemu/cpuid.h"
97 static void __attribute__((constructor)) init_cpu_flag(void)
98 {
99     unsigned max = __get_cpuid_max(0, NULL);
100     int a, b, c, d;
101     if (max >= 1) {
102         __cpuid(1, a, b, c, d);
103          /* We must check that AVX is not just available, but usable.  */
104         if ((c & bit_OSXSAVE) && (c & bit_AVX) && max >= 7) {
105             int bv;
106             __asm("xgetbv" : "=a"(bv), "=d"(d) : "c"(0));
107             __cpuid_count(7, 0, a, b, c, d);
108            /* 0xe6:
109             *  XCR0[7:5] = 111b (OPMASK state, upper 256-bit of ZMM0-ZMM15
110             *                    and ZMM16-ZMM31 state are enabled by OS)
111             *  XCR0[2:1] = 11b (XMM state and YMM state are enabled by OS)
112             */
113             if ((bv & 0xe6) == 0xe6 && (b & bit_AVX512BW)) {
114                 xbzrle_encode_buffer_func = xbzrle_encode_buffer_avx512;
115             }
116         }
117     }
118 }
119 #endif
120 
121 XBZRLECacheStats xbzrle_counters;
122 
123 /* used by the search for pages to send */
124 struct PageSearchStatus {
125     /* The migration channel used for a specific host page */
126     QEMUFile    *pss_channel;
127     /* Last block from where we have sent data */
128     RAMBlock *last_sent_block;
129     /* Current block being searched */
130     RAMBlock    *block;
131     /* Current page to search from */
132     unsigned long page;
133     /* Set once we wrap around */
134     bool         complete_round;
135     /* Whether we're sending a host page */
136     bool          host_page_sending;
137     /* The start/end of current host page.  Invalid if host_page_sending==false */
138     unsigned long host_page_start;
139     unsigned long host_page_end;
140 };
141 typedef struct PageSearchStatus PageSearchStatus;
142 
143 /* struct contains XBZRLE cache and a static page
144    used by the compression */
145 static struct {
146     /* buffer used for XBZRLE encoding */
147     uint8_t *encoded_buf;
148     /* buffer for storing page content */
149     uint8_t *current_buf;
150     /* Cache for XBZRLE, Protected by lock. */
151     PageCache *cache;
152     QemuMutex lock;
153     /* it will store a page full of zeros */
154     uint8_t *zero_target_page;
155     /* buffer used for XBZRLE decoding */
156     uint8_t *decoded_buf;
157 } XBZRLE;
158 
159 static void XBZRLE_cache_lock(void)
160 {
161     if (migrate_xbzrle()) {
162         qemu_mutex_lock(&XBZRLE.lock);
163     }
164 }
165 
166 static void XBZRLE_cache_unlock(void)
167 {
168     if (migrate_xbzrle()) {
169         qemu_mutex_unlock(&XBZRLE.lock);
170     }
171 }
172 
173 /**
174  * xbzrle_cache_resize: resize the xbzrle cache
175  *
176  * This function is called from migrate_params_apply in main
177  * thread, possibly while a migration is in progress.  A running
178  * migration may be using the cache and might finish during this call,
179  * hence changes to the cache are protected by XBZRLE.lock().
180  *
181  * Returns 0 for success or -1 for error
182  *
183  * @new_size: new cache size
184  * @errp: set *errp if the check failed, with reason
185  */
186 int xbzrle_cache_resize(uint64_t new_size, Error **errp)
187 {
188     PageCache *new_cache;
189     int64_t ret = 0;
190 
191     /* Check for truncation */
192     if (new_size != (size_t)new_size) {
193         error_setg(errp, QERR_INVALID_PARAMETER_VALUE, "cache size",
194                    "exceeding address space");
195         return -1;
196     }
197 
198     if (new_size == migrate_xbzrle_cache_size()) {
199         /* nothing to do */
200         return 0;
201     }
202 
203     XBZRLE_cache_lock();
204 
205     if (XBZRLE.cache != NULL) {
206         new_cache = cache_init(new_size, TARGET_PAGE_SIZE, errp);
207         if (!new_cache) {
208             ret = -1;
209             goto out;
210         }
211 
212         cache_fini(XBZRLE.cache);
213         XBZRLE.cache = new_cache;
214     }
215 out:
216     XBZRLE_cache_unlock();
217     return ret;
218 }
219 
220 static bool postcopy_preempt_active(void)
221 {
222     return migrate_postcopy_preempt() && migration_in_postcopy();
223 }
224 
225 bool ramblock_is_ignored(RAMBlock *block)
226 {
227     return !qemu_ram_is_migratable(block) ||
228            (migrate_ignore_shared() && qemu_ram_is_shared(block));
229 }
230 
231 #undef RAMBLOCK_FOREACH
232 
233 int foreach_not_ignored_block(RAMBlockIterFunc func, void *opaque)
234 {
235     RAMBlock *block;
236     int ret = 0;
237 
238     RCU_READ_LOCK_GUARD();
239 
240     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
241         ret = func(block, opaque);
242         if (ret) {
243             break;
244         }
245     }
246     return ret;
247 }
248 
249 static void ramblock_recv_map_init(void)
250 {
251     RAMBlock *rb;
252 
253     RAMBLOCK_FOREACH_NOT_IGNORED(rb) {
254         assert(!rb->receivedmap);
255         rb->receivedmap = bitmap_new(rb->max_length >> qemu_target_page_bits());
256     }
257 }
258 
259 int ramblock_recv_bitmap_test(RAMBlock *rb, void *host_addr)
260 {
261     return test_bit(ramblock_recv_bitmap_offset(host_addr, rb),
262                     rb->receivedmap);
263 }
264 
265 bool ramblock_recv_bitmap_test_byte_offset(RAMBlock *rb, uint64_t byte_offset)
266 {
267     return test_bit(byte_offset >> TARGET_PAGE_BITS, rb->receivedmap);
268 }
269 
270 void ramblock_recv_bitmap_set(RAMBlock *rb, void *host_addr)
271 {
272     set_bit_atomic(ramblock_recv_bitmap_offset(host_addr, rb), rb->receivedmap);
273 }
274 
275 void ramblock_recv_bitmap_set_range(RAMBlock *rb, void *host_addr,
276                                     size_t nr)
277 {
278     bitmap_set_atomic(rb->receivedmap,
279                       ramblock_recv_bitmap_offset(host_addr, rb),
280                       nr);
281 }
282 
283 #define  RAMBLOCK_RECV_BITMAP_ENDING  (0x0123456789abcdefULL)
284 
285 /*
286  * Format: bitmap_size (8 bytes) + whole_bitmap (N bytes).
287  *
288  * Returns >0 if success with sent bytes, or <0 if error.
289  */
290 int64_t ramblock_recv_bitmap_send(QEMUFile *file,
291                                   const char *block_name)
292 {
293     RAMBlock *block = qemu_ram_block_by_name(block_name);
294     unsigned long *le_bitmap, nbits;
295     uint64_t size;
296 
297     if (!block) {
298         error_report("%s: invalid block name: %s", __func__, block_name);
299         return -1;
300     }
301 
302     nbits = block->postcopy_length >> TARGET_PAGE_BITS;
303 
304     /*
305      * Make sure the tmp bitmap buffer is big enough, e.g., on 32bit
306      * machines we may need 4 more bytes for padding (see below
307      * comment). So extend it a bit before hand.
308      */
309     le_bitmap = bitmap_new(nbits + BITS_PER_LONG);
310 
311     /*
312      * Always use little endian when sending the bitmap. This is
313      * required that when source and destination VMs are not using the
314      * same endianness. (Note: big endian won't work.)
315      */
316     bitmap_to_le(le_bitmap, block->receivedmap, nbits);
317 
318     /* Size of the bitmap, in bytes */
319     size = DIV_ROUND_UP(nbits, 8);
320 
321     /*
322      * size is always aligned to 8 bytes for 64bit machines, but it
323      * may not be true for 32bit machines. We need this padding to
324      * make sure the migration can survive even between 32bit and
325      * 64bit machines.
326      */
327     size = ROUND_UP(size, 8);
328 
329     qemu_put_be64(file, size);
330     qemu_put_buffer(file, (const uint8_t *)le_bitmap, size);
331     /*
332      * Mark as an end, in case the middle part is screwed up due to
333      * some "mysterious" reason.
334      */
335     qemu_put_be64(file, RAMBLOCK_RECV_BITMAP_ENDING);
336     qemu_fflush(file);
337 
338     g_free(le_bitmap);
339 
340     if (qemu_file_get_error(file)) {
341         return qemu_file_get_error(file);
342     }
343 
344     return size + sizeof(size);
345 }
346 
347 /*
348  * An outstanding page request, on the source, having been received
349  * and queued
350  */
351 struct RAMSrcPageRequest {
352     RAMBlock *rb;
353     hwaddr    offset;
354     hwaddr    len;
355 
356     QSIMPLEQ_ENTRY(RAMSrcPageRequest) next_req;
357 };
358 
359 /* State of RAM for migration */
360 struct RAMState {
361     /*
362      * PageSearchStatus structures for the channels when send pages.
363      * Protected by the bitmap_mutex.
364      */
365     PageSearchStatus pss[RAM_CHANNEL_MAX];
366     /* UFFD file descriptor, used in 'write-tracking' migration */
367     int uffdio_fd;
368     /* total ram size in bytes */
369     uint64_t ram_bytes_total;
370     /* Last block that we have visited searching for dirty pages */
371     RAMBlock *last_seen_block;
372     /* Last dirty target page we have sent */
373     ram_addr_t last_page;
374     /* last ram version we have seen */
375     uint32_t last_version;
376     /* How many times we have dirty too many pages */
377     int dirty_rate_high_cnt;
378     /* these variables are used for bitmap sync */
379     /* last time we did a full bitmap_sync */
380     int64_t time_last_bitmap_sync;
381     /* bytes transferred at start_time */
382     uint64_t bytes_xfer_prev;
383     /* number of dirty pages since start_time */
384     uint64_t num_dirty_pages_period;
385     /* xbzrle misses since the beginning of the period */
386     uint64_t xbzrle_cache_miss_prev;
387     /* Amount of xbzrle pages since the beginning of the period */
388     uint64_t xbzrle_pages_prev;
389     /* Amount of xbzrle encoded bytes since the beginning of the period */
390     uint64_t xbzrle_bytes_prev;
391     /* Are we really using XBZRLE (e.g., after the first round). */
392     bool xbzrle_started;
393     /* Are we on the last stage of migration */
394     bool last_stage;
395     /* compression statistics since the beginning of the period */
396     /* amount of count that no free thread to compress data */
397     uint64_t compress_thread_busy_prev;
398     /* amount bytes after compression */
399     uint64_t compressed_size_prev;
400     /* amount of compressed pages */
401     uint64_t compress_pages_prev;
402 
403     /* total handled target pages at the beginning of period */
404     uint64_t target_page_count_prev;
405     /* total handled target pages since start */
406     uint64_t target_page_count;
407     /* number of dirty bits in the bitmap */
408     uint64_t migration_dirty_pages;
409     /*
410      * Protects:
411      * - dirty/clear bitmap
412      * - migration_dirty_pages
413      * - pss structures
414      */
415     QemuMutex bitmap_mutex;
416     /* The RAMBlock used in the last src_page_requests */
417     RAMBlock *last_req_rb;
418     /* Queue of outstanding page requests from the destination */
419     QemuMutex src_page_req_mutex;
420     QSIMPLEQ_HEAD(, RAMSrcPageRequest) src_page_requests;
421 };
422 typedef struct RAMState RAMState;
423 
424 static RAMState *ram_state;
425 
426 static NotifierWithReturnList precopy_notifier_list;
427 
428 /* Whether postcopy has queued requests? */
429 static bool postcopy_has_request(RAMState *rs)
430 {
431     return !QSIMPLEQ_EMPTY_ATOMIC(&rs->src_page_requests);
432 }
433 
434 void precopy_infrastructure_init(void)
435 {
436     notifier_with_return_list_init(&precopy_notifier_list);
437 }
438 
439 void precopy_add_notifier(NotifierWithReturn *n)
440 {
441     notifier_with_return_list_add(&precopy_notifier_list, n);
442 }
443 
444 void precopy_remove_notifier(NotifierWithReturn *n)
445 {
446     notifier_with_return_remove(n);
447 }
448 
449 int precopy_notify(PrecopyNotifyReason reason, Error **errp)
450 {
451     PrecopyNotifyData pnd;
452     pnd.reason = reason;
453     pnd.errp = errp;
454 
455     return notifier_with_return_list_notify(&precopy_notifier_list, &pnd);
456 }
457 
458 uint64_t ram_bytes_remaining(void)
459 {
460     return ram_state ? (ram_state->migration_dirty_pages * TARGET_PAGE_SIZE) :
461                        0;
462 }
463 
464 void ram_transferred_add(uint64_t bytes)
465 {
466     if (runstate_is_running()) {
467         stat64_add(&mig_stats.precopy_bytes, bytes);
468     } else if (migration_in_postcopy()) {
469         stat64_add(&mig_stats.postcopy_bytes, bytes);
470     } else {
471         stat64_add(&mig_stats.downtime_bytes, bytes);
472     }
473     stat64_add(&mig_stats.transferred, bytes);
474 }
475 
476 struct MigrationOps {
477     int (*ram_save_target_page)(RAMState *rs, PageSearchStatus *pss);
478 };
479 typedef struct MigrationOps MigrationOps;
480 
481 MigrationOps *migration_ops;
482 
483 static int ram_save_host_page_urgent(PageSearchStatus *pss);
484 
485 /* NOTE: page is the PFN not real ram_addr_t. */
486 static void pss_init(PageSearchStatus *pss, RAMBlock *rb, ram_addr_t page)
487 {
488     pss->block = rb;
489     pss->page = page;
490     pss->complete_round = false;
491 }
492 
493 /*
494  * Check whether two PSSs are actively sending the same page.  Return true
495  * if it is, false otherwise.
496  */
497 static bool pss_overlap(PageSearchStatus *pss1, PageSearchStatus *pss2)
498 {
499     return pss1->host_page_sending && pss2->host_page_sending &&
500         (pss1->host_page_start == pss2->host_page_start);
501 }
502 
503 /**
504  * save_page_header: write page header to wire
505  *
506  * If this is the 1st block, it also writes the block identification
507  *
508  * Returns the number of bytes written
509  *
510  * @pss: current PSS channel status
511  * @block: block that contains the page we want to send
512  * @offset: offset inside the block for the page
513  *          in the lower bits, it contains flags
514  */
515 static size_t save_page_header(PageSearchStatus *pss, QEMUFile *f,
516                                RAMBlock *block, ram_addr_t offset)
517 {
518     size_t size, len;
519     bool same_block = (block == pss->last_sent_block);
520 
521     if (same_block) {
522         offset |= RAM_SAVE_FLAG_CONTINUE;
523     }
524     qemu_put_be64(f, offset);
525     size = 8;
526 
527     if (!same_block) {
528         len = strlen(block->idstr);
529         qemu_put_byte(f, len);
530         qemu_put_buffer(f, (uint8_t *)block->idstr, len);
531         size += 1 + len;
532         pss->last_sent_block = block;
533     }
534     return size;
535 }
536 
537 /**
538  * mig_throttle_guest_down: throttle down the guest
539  *
540  * Reduce amount of guest cpu execution to hopefully slow down memory
541  * writes. If guest dirty memory rate is reduced below the rate at
542  * which we can transfer pages to the destination then we should be
543  * able to complete migration. Some workloads dirty memory way too
544  * fast and will not effectively converge, even with auto-converge.
545  */
546 static void mig_throttle_guest_down(uint64_t bytes_dirty_period,
547                                     uint64_t bytes_dirty_threshold)
548 {
549     uint64_t pct_initial = migrate_cpu_throttle_initial();
550     uint64_t pct_increment = migrate_cpu_throttle_increment();
551     bool pct_tailslow = migrate_cpu_throttle_tailslow();
552     int pct_max = migrate_max_cpu_throttle();
553 
554     uint64_t throttle_now = cpu_throttle_get_percentage();
555     uint64_t cpu_now, cpu_ideal, throttle_inc;
556 
557     /* We have not started throttling yet. Let's start it. */
558     if (!cpu_throttle_active()) {
559         cpu_throttle_set(pct_initial);
560     } else {
561         /* Throttling already on, just increase the rate */
562         if (!pct_tailslow) {
563             throttle_inc = pct_increment;
564         } else {
565             /* Compute the ideal CPU percentage used by Guest, which may
566              * make the dirty rate match the dirty rate threshold. */
567             cpu_now = 100 - throttle_now;
568             cpu_ideal = cpu_now * (bytes_dirty_threshold * 1.0 /
569                         bytes_dirty_period);
570             throttle_inc = MIN(cpu_now - cpu_ideal, pct_increment);
571         }
572         cpu_throttle_set(MIN(throttle_now + throttle_inc, pct_max));
573     }
574 }
575 
576 void mig_throttle_counter_reset(void)
577 {
578     RAMState *rs = ram_state;
579 
580     rs->time_last_bitmap_sync = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
581     rs->num_dirty_pages_period = 0;
582     rs->bytes_xfer_prev = stat64_get(&mig_stats.transferred);
583 }
584 
585 /**
586  * xbzrle_cache_zero_page: insert a zero page in the XBZRLE cache
587  *
588  * @rs: current RAM state
589  * @current_addr: address for the zero page
590  *
591  * Update the xbzrle cache to reflect a page that's been sent as all 0.
592  * The important thing is that a stale (not-yet-0'd) page be replaced
593  * by the new data.
594  * As a bonus, if the page wasn't in the cache it gets added so that
595  * when a small write is made into the 0'd page it gets XBZRLE sent.
596  */
597 static void xbzrle_cache_zero_page(RAMState *rs, ram_addr_t current_addr)
598 {
599     /* We don't care if this fails to allocate a new cache page
600      * as long as it updated an old one */
601     cache_insert(XBZRLE.cache, current_addr, XBZRLE.zero_target_page,
602                  stat64_get(&mig_stats.dirty_sync_count));
603 }
604 
605 #define ENCODING_FLAG_XBZRLE 0x1
606 
607 /**
608  * save_xbzrle_page: compress and send current page
609  *
610  * Returns: 1 means that we wrote the page
611  *          0 means that page is identical to the one already sent
612  *          -1 means that xbzrle would be longer than normal
613  *
614  * @rs: current RAM state
615  * @pss: current PSS channel
616  * @current_data: pointer to the address of the page contents
617  * @current_addr: addr of the page
618  * @block: block that contains the page we want to send
619  * @offset: offset inside the block for the page
620  */
621 static int save_xbzrle_page(RAMState *rs, PageSearchStatus *pss,
622                             uint8_t **current_data, ram_addr_t current_addr,
623                             RAMBlock *block, ram_addr_t offset)
624 {
625     int encoded_len = 0, bytes_xbzrle;
626     uint8_t *prev_cached_page;
627     QEMUFile *file = pss->pss_channel;
628     uint64_t generation = stat64_get(&mig_stats.dirty_sync_count);
629 
630     if (!cache_is_cached(XBZRLE.cache, current_addr, generation)) {
631         xbzrle_counters.cache_miss++;
632         if (!rs->last_stage) {
633             if (cache_insert(XBZRLE.cache, current_addr, *current_data,
634                              generation) == -1) {
635                 return -1;
636             } else {
637                 /* update *current_data when the page has been
638                    inserted into cache */
639                 *current_data = get_cached_data(XBZRLE.cache, current_addr);
640             }
641         }
642         return -1;
643     }
644 
645     /*
646      * Reaching here means the page has hit the xbzrle cache, no matter what
647      * encoding result it is (normal encoding, overflow or skipping the page),
648      * count the page as encoded. This is used to calculate the encoding rate.
649      *
650      * Example: 2 pages (8KB) being encoded, first page encoding generates 2KB,
651      * 2nd page turns out to be skipped (i.e. no new bytes written to the
652      * page), the overall encoding rate will be 8KB / 2KB = 4, which has the
653      * skipped page included. In this way, the encoding rate can tell if the
654      * guest page is good for xbzrle encoding.
655      */
656     xbzrle_counters.pages++;
657     prev_cached_page = get_cached_data(XBZRLE.cache, current_addr);
658 
659     /* save current buffer into memory */
660     memcpy(XBZRLE.current_buf, *current_data, TARGET_PAGE_SIZE);
661 
662     /* XBZRLE encoding (if there is no overflow) */
663     encoded_len = xbzrle_encode_buffer_func(prev_cached_page, XBZRLE.current_buf,
664                                             TARGET_PAGE_SIZE, XBZRLE.encoded_buf,
665                                             TARGET_PAGE_SIZE);
666 
667     /*
668      * Update the cache contents, so that it corresponds to the data
669      * sent, in all cases except where we skip the page.
670      */
671     if (!rs->last_stage && encoded_len != 0) {
672         memcpy(prev_cached_page, XBZRLE.current_buf, TARGET_PAGE_SIZE);
673         /*
674          * In the case where we couldn't compress, ensure that the caller
675          * sends the data from the cache, since the guest might have
676          * changed the RAM since we copied it.
677          */
678         *current_data = prev_cached_page;
679     }
680 
681     if (encoded_len == 0) {
682         trace_save_xbzrle_page_skipping();
683         return 0;
684     } else if (encoded_len == -1) {
685         trace_save_xbzrle_page_overflow();
686         xbzrle_counters.overflow++;
687         xbzrle_counters.bytes += TARGET_PAGE_SIZE;
688         return -1;
689     }
690 
691     /* Send XBZRLE based compressed page */
692     bytes_xbzrle = save_page_header(pss, pss->pss_channel, block,
693                                     offset | RAM_SAVE_FLAG_XBZRLE);
694     qemu_put_byte(file, ENCODING_FLAG_XBZRLE);
695     qemu_put_be16(file, encoded_len);
696     qemu_put_buffer(file, XBZRLE.encoded_buf, encoded_len);
697     bytes_xbzrle += encoded_len + 1 + 2;
698     /*
699      * Like compressed_size (please see update_compress_thread_counts),
700      * the xbzrle encoded bytes don't count the 8 byte header with
701      * RAM_SAVE_FLAG_CONTINUE.
702      */
703     xbzrle_counters.bytes += bytes_xbzrle - 8;
704     ram_transferred_add(bytes_xbzrle);
705 
706     return 1;
707 }
708 
709 /**
710  * pss_find_next_dirty: find the next dirty page of current ramblock
711  *
712  * This function updates pss->page to point to the next dirty page index
713  * within the ramblock to migrate, or the end of ramblock when nothing
714  * found.  Note that when pss->host_page_sending==true it means we're
715  * during sending a host page, so we won't look for dirty page that is
716  * outside the host page boundary.
717  *
718  * @pss: the current page search status
719  */
720 static void pss_find_next_dirty(PageSearchStatus *pss)
721 {
722     RAMBlock *rb = pss->block;
723     unsigned long size = rb->used_length >> TARGET_PAGE_BITS;
724     unsigned long *bitmap = rb->bmap;
725 
726     if (ramblock_is_ignored(rb)) {
727         /* Points directly to the end, so we know no dirty page */
728         pss->page = size;
729         return;
730     }
731 
732     /*
733      * If during sending a host page, only look for dirty pages within the
734      * current host page being send.
735      */
736     if (pss->host_page_sending) {
737         assert(pss->host_page_end);
738         size = MIN(size, pss->host_page_end);
739     }
740 
741     pss->page = find_next_bit(bitmap, size, pss->page);
742 }
743 
744 static void migration_clear_memory_region_dirty_bitmap(RAMBlock *rb,
745                                                        unsigned long page)
746 {
747     uint8_t shift;
748     hwaddr size, start;
749 
750     if (!rb->clear_bmap || !clear_bmap_test_and_clear(rb, page)) {
751         return;
752     }
753 
754     shift = rb->clear_bmap_shift;
755     /*
756      * CLEAR_BITMAP_SHIFT_MIN should always guarantee this... this
757      * can make things easier sometimes since then start address
758      * of the small chunk will always be 64 pages aligned so the
759      * bitmap will always be aligned to unsigned long. We should
760      * even be able to remove this restriction but I'm simply
761      * keeping it.
762      */
763     assert(shift >= 6);
764 
765     size = 1ULL << (TARGET_PAGE_BITS + shift);
766     start = QEMU_ALIGN_DOWN((ram_addr_t)page << TARGET_PAGE_BITS, size);
767     trace_migration_bitmap_clear_dirty(rb->idstr, start, size, page);
768     memory_region_clear_dirty_bitmap(rb->mr, start, size);
769 }
770 
771 static void
772 migration_clear_memory_region_dirty_bitmap_range(RAMBlock *rb,
773                                                  unsigned long start,
774                                                  unsigned long npages)
775 {
776     unsigned long i, chunk_pages = 1UL << rb->clear_bmap_shift;
777     unsigned long chunk_start = QEMU_ALIGN_DOWN(start, chunk_pages);
778     unsigned long chunk_end = QEMU_ALIGN_UP(start + npages, chunk_pages);
779 
780     /*
781      * Clear pages from start to start + npages - 1, so the end boundary is
782      * exclusive.
783      */
784     for (i = chunk_start; i < chunk_end; i += chunk_pages) {
785         migration_clear_memory_region_dirty_bitmap(rb, i);
786     }
787 }
788 
789 /*
790  * colo_bitmap_find_diry:find contiguous dirty pages from start
791  *
792  * Returns the page offset within memory region of the start of the contiguout
793  * dirty page
794  *
795  * @rs: current RAM state
796  * @rb: RAMBlock where to search for dirty pages
797  * @start: page where we start the search
798  * @num: the number of contiguous dirty pages
799  */
800 static inline
801 unsigned long colo_bitmap_find_dirty(RAMState *rs, RAMBlock *rb,
802                                      unsigned long start, unsigned long *num)
803 {
804     unsigned long size = rb->used_length >> TARGET_PAGE_BITS;
805     unsigned long *bitmap = rb->bmap;
806     unsigned long first, next;
807 
808     *num = 0;
809 
810     if (ramblock_is_ignored(rb)) {
811         return size;
812     }
813 
814     first = find_next_bit(bitmap, size, start);
815     if (first >= size) {
816         return first;
817     }
818     next = find_next_zero_bit(bitmap, size, first + 1);
819     assert(next >= first);
820     *num = next - first;
821     return first;
822 }
823 
824 static inline bool migration_bitmap_clear_dirty(RAMState *rs,
825                                                 RAMBlock *rb,
826                                                 unsigned long page)
827 {
828     bool ret;
829 
830     /*
831      * Clear dirty bitmap if needed.  This _must_ be called before we
832      * send any of the page in the chunk because we need to make sure
833      * we can capture further page content changes when we sync dirty
834      * log the next time.  So as long as we are going to send any of
835      * the page in the chunk we clear the remote dirty bitmap for all.
836      * Clearing it earlier won't be a problem, but too late will.
837      */
838     migration_clear_memory_region_dirty_bitmap(rb, page);
839 
840     ret = test_and_clear_bit(page, rb->bmap);
841     if (ret) {
842         rs->migration_dirty_pages--;
843     }
844 
845     return ret;
846 }
847 
848 static void dirty_bitmap_clear_section(MemoryRegionSection *section,
849                                        void *opaque)
850 {
851     const hwaddr offset = section->offset_within_region;
852     const hwaddr size = int128_get64(section->size);
853     const unsigned long start = offset >> TARGET_PAGE_BITS;
854     const unsigned long npages = size >> TARGET_PAGE_BITS;
855     RAMBlock *rb = section->mr->ram_block;
856     uint64_t *cleared_bits = opaque;
857 
858     /*
859      * We don't grab ram_state->bitmap_mutex because we expect to run
860      * only when starting migration or during postcopy recovery where
861      * we don't have concurrent access.
862      */
863     if (!migration_in_postcopy() && !migrate_background_snapshot()) {
864         migration_clear_memory_region_dirty_bitmap_range(rb, start, npages);
865     }
866     *cleared_bits += bitmap_count_one_with_offset(rb->bmap, start, npages);
867     bitmap_clear(rb->bmap, start, npages);
868 }
869 
870 /*
871  * Exclude all dirty pages from migration that fall into a discarded range as
872  * managed by a RamDiscardManager responsible for the mapped memory region of
873  * the RAMBlock. Clear the corresponding bits in the dirty bitmaps.
874  *
875  * Discarded pages ("logically unplugged") have undefined content and must
876  * not get migrated, because even reading these pages for migration might
877  * result in undesired behavior.
878  *
879  * Returns the number of cleared bits in the RAMBlock dirty bitmap.
880  *
881  * Note: The result is only stable while migrating (precopy/postcopy).
882  */
883 static uint64_t ramblock_dirty_bitmap_clear_discarded_pages(RAMBlock *rb)
884 {
885     uint64_t cleared_bits = 0;
886 
887     if (rb->mr && rb->bmap && memory_region_has_ram_discard_manager(rb->mr)) {
888         RamDiscardManager *rdm = memory_region_get_ram_discard_manager(rb->mr);
889         MemoryRegionSection section = {
890             .mr = rb->mr,
891             .offset_within_region = 0,
892             .size = int128_make64(qemu_ram_get_used_length(rb)),
893         };
894 
895         ram_discard_manager_replay_discarded(rdm, &section,
896                                              dirty_bitmap_clear_section,
897                                              &cleared_bits);
898     }
899     return cleared_bits;
900 }
901 
902 /*
903  * Check if a host-page aligned page falls into a discarded range as managed by
904  * a RamDiscardManager responsible for the mapped memory region of the RAMBlock.
905  *
906  * Note: The result is only stable while migrating (precopy/postcopy).
907  */
908 bool ramblock_page_is_discarded(RAMBlock *rb, ram_addr_t start)
909 {
910     if (rb->mr && memory_region_has_ram_discard_manager(rb->mr)) {
911         RamDiscardManager *rdm = memory_region_get_ram_discard_manager(rb->mr);
912         MemoryRegionSection section = {
913             .mr = rb->mr,
914             .offset_within_region = start,
915             .size = int128_make64(qemu_ram_pagesize(rb)),
916         };
917 
918         return !ram_discard_manager_is_populated(rdm, &section);
919     }
920     return false;
921 }
922 
923 /* Called with RCU critical section */
924 static void ramblock_sync_dirty_bitmap(RAMState *rs, RAMBlock *rb)
925 {
926     uint64_t new_dirty_pages =
927         cpu_physical_memory_sync_dirty_bitmap(rb, 0, rb->used_length);
928 
929     rs->migration_dirty_pages += new_dirty_pages;
930     rs->num_dirty_pages_period += new_dirty_pages;
931 }
932 
933 /**
934  * ram_pagesize_summary: calculate all the pagesizes of a VM
935  *
936  * Returns a summary bitmap of the page sizes of all RAMBlocks
937  *
938  * For VMs with just normal pages this is equivalent to the host page
939  * size. If it's got some huge pages then it's the OR of all the
940  * different page sizes.
941  */
942 uint64_t ram_pagesize_summary(void)
943 {
944     RAMBlock *block;
945     uint64_t summary = 0;
946 
947     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
948         summary |= block->page_size;
949     }
950 
951     return summary;
952 }
953 
954 uint64_t ram_get_total_transferred_pages(void)
955 {
956     return stat64_get(&mig_stats.normal_pages) +
957         stat64_get(&mig_stats.zero_pages) +
958         compression_counters.pages + xbzrle_counters.pages;
959 }
960 
961 static void migration_update_rates(RAMState *rs, int64_t end_time)
962 {
963     uint64_t page_count = rs->target_page_count - rs->target_page_count_prev;
964     double compressed_size;
965 
966     /* calculate period counters */
967     stat64_set(&mig_stats.dirty_pages_rate,
968                rs->num_dirty_pages_period * 1000 /
969                (end_time - rs->time_last_bitmap_sync));
970 
971     if (!page_count) {
972         return;
973     }
974 
975     if (migrate_xbzrle()) {
976         double encoded_size, unencoded_size;
977 
978         xbzrle_counters.cache_miss_rate = (double)(xbzrle_counters.cache_miss -
979             rs->xbzrle_cache_miss_prev) / page_count;
980         rs->xbzrle_cache_miss_prev = xbzrle_counters.cache_miss;
981         unencoded_size = (xbzrle_counters.pages - rs->xbzrle_pages_prev) *
982                          TARGET_PAGE_SIZE;
983         encoded_size = xbzrle_counters.bytes - rs->xbzrle_bytes_prev;
984         if (xbzrle_counters.pages == rs->xbzrle_pages_prev || !encoded_size) {
985             xbzrle_counters.encoding_rate = 0;
986         } else {
987             xbzrle_counters.encoding_rate = unencoded_size / encoded_size;
988         }
989         rs->xbzrle_pages_prev = xbzrle_counters.pages;
990         rs->xbzrle_bytes_prev = xbzrle_counters.bytes;
991     }
992 
993     if (migrate_compress()) {
994         compression_counters.busy_rate = (double)(compression_counters.busy -
995             rs->compress_thread_busy_prev) / page_count;
996         rs->compress_thread_busy_prev = compression_counters.busy;
997 
998         compressed_size = compression_counters.compressed_size -
999                           rs->compressed_size_prev;
1000         if (compressed_size) {
1001             double uncompressed_size = (compression_counters.pages -
1002                                     rs->compress_pages_prev) * TARGET_PAGE_SIZE;
1003 
1004             /* Compression-Ratio = Uncompressed-size / Compressed-size */
1005             compression_counters.compression_rate =
1006                                         uncompressed_size / compressed_size;
1007 
1008             rs->compress_pages_prev = compression_counters.pages;
1009             rs->compressed_size_prev = compression_counters.compressed_size;
1010         }
1011     }
1012 }
1013 
1014 static void migration_trigger_throttle(RAMState *rs)
1015 {
1016     uint64_t threshold = migrate_throttle_trigger_threshold();
1017     uint64_t bytes_xfer_period =
1018         stat64_get(&mig_stats.transferred) - rs->bytes_xfer_prev;
1019     uint64_t bytes_dirty_period = rs->num_dirty_pages_period * TARGET_PAGE_SIZE;
1020     uint64_t bytes_dirty_threshold = bytes_xfer_period * threshold / 100;
1021 
1022     /* During block migration the auto-converge logic incorrectly detects
1023      * that ram migration makes no progress. Avoid this by disabling the
1024      * throttling logic during the bulk phase of block migration. */
1025     if (migrate_auto_converge() && !blk_mig_bulk_active()) {
1026         /* The following detection logic can be refined later. For now:
1027            Check to see if the ratio between dirtied bytes and the approx.
1028            amount of bytes that just got transferred since the last time
1029            we were in this routine reaches the threshold. If that happens
1030            twice, start or increase throttling. */
1031 
1032         if ((bytes_dirty_period > bytes_dirty_threshold) &&
1033             (++rs->dirty_rate_high_cnt >= 2)) {
1034             trace_migration_throttle();
1035             rs->dirty_rate_high_cnt = 0;
1036             mig_throttle_guest_down(bytes_dirty_period,
1037                                     bytes_dirty_threshold);
1038         }
1039     }
1040 }
1041 
1042 static void migration_bitmap_sync(RAMState *rs, bool last_stage)
1043 {
1044     RAMBlock *block;
1045     int64_t end_time;
1046 
1047     stat64_add(&mig_stats.dirty_sync_count, 1);
1048 
1049     if (!rs->time_last_bitmap_sync) {
1050         rs->time_last_bitmap_sync = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
1051     }
1052 
1053     trace_migration_bitmap_sync_start();
1054     memory_global_dirty_log_sync(last_stage);
1055 
1056     qemu_mutex_lock(&rs->bitmap_mutex);
1057     WITH_RCU_READ_LOCK_GUARD() {
1058         RAMBLOCK_FOREACH_NOT_IGNORED(block) {
1059             ramblock_sync_dirty_bitmap(rs, block);
1060         }
1061         stat64_set(&mig_stats.dirty_bytes_last_sync, ram_bytes_remaining());
1062     }
1063     qemu_mutex_unlock(&rs->bitmap_mutex);
1064 
1065     memory_global_after_dirty_log_sync();
1066     trace_migration_bitmap_sync_end(rs->num_dirty_pages_period);
1067 
1068     end_time = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
1069 
1070     /* more than 1 second = 1000 millisecons */
1071     if (end_time > rs->time_last_bitmap_sync + 1000) {
1072         migration_trigger_throttle(rs);
1073 
1074         migration_update_rates(rs, end_time);
1075 
1076         rs->target_page_count_prev = rs->target_page_count;
1077 
1078         /* reset period counters */
1079         rs->time_last_bitmap_sync = end_time;
1080         rs->num_dirty_pages_period = 0;
1081         rs->bytes_xfer_prev = stat64_get(&mig_stats.transferred);
1082     }
1083     if (migrate_events()) {
1084         uint64_t generation = stat64_get(&mig_stats.dirty_sync_count);
1085         qapi_event_send_migration_pass(generation);
1086     }
1087 }
1088 
1089 static void migration_bitmap_sync_precopy(RAMState *rs, bool last_stage)
1090 {
1091     Error *local_err = NULL;
1092 
1093     /*
1094      * The current notifier usage is just an optimization to migration, so we
1095      * don't stop the normal migration process in the error case.
1096      */
1097     if (precopy_notify(PRECOPY_NOTIFY_BEFORE_BITMAP_SYNC, &local_err)) {
1098         error_report_err(local_err);
1099         local_err = NULL;
1100     }
1101 
1102     migration_bitmap_sync(rs, last_stage);
1103 
1104     if (precopy_notify(PRECOPY_NOTIFY_AFTER_BITMAP_SYNC, &local_err)) {
1105         error_report_err(local_err);
1106     }
1107 }
1108 
1109 void ram_release_page(const char *rbname, uint64_t offset)
1110 {
1111     if (!migrate_release_ram() || !migration_in_postcopy()) {
1112         return;
1113     }
1114 
1115     ram_discard_range(rbname, offset, TARGET_PAGE_SIZE);
1116 }
1117 
1118 /**
1119  * save_zero_page_to_file: send the zero page to the file
1120  *
1121  * Returns the size of data written to the file, 0 means the page is not
1122  * a zero page
1123  *
1124  * @pss: current PSS channel
1125  * @block: block that contains the page we want to send
1126  * @offset: offset inside the block for the page
1127  */
1128 static int save_zero_page_to_file(PageSearchStatus *pss, QEMUFile *file,
1129                                   RAMBlock *block, ram_addr_t offset)
1130 {
1131     uint8_t *p = block->host + offset;
1132     int len = 0;
1133 
1134     if (buffer_is_zero(p, TARGET_PAGE_SIZE)) {
1135         len += save_page_header(pss, file, block, offset | RAM_SAVE_FLAG_ZERO);
1136         qemu_put_byte(file, 0);
1137         len += 1;
1138         ram_release_page(block->idstr, offset);
1139     }
1140     return len;
1141 }
1142 
1143 /**
1144  * save_zero_page: send the zero page to the stream
1145  *
1146  * Returns the number of pages written.
1147  *
1148  * @pss: current PSS channel
1149  * @block: block that contains the page we want to send
1150  * @offset: offset inside the block for the page
1151  */
1152 static int save_zero_page(PageSearchStatus *pss, QEMUFile *f, RAMBlock *block,
1153                           ram_addr_t offset)
1154 {
1155     int len = save_zero_page_to_file(pss, f, block, offset);
1156 
1157     if (len) {
1158         stat64_add(&mig_stats.zero_pages, 1);
1159         ram_transferred_add(len);
1160         return 1;
1161     }
1162     return -1;
1163 }
1164 
1165 /*
1166  * @pages: the number of pages written by the control path,
1167  *        < 0 - error
1168  *        > 0 - number of pages written
1169  *
1170  * Return true if the pages has been saved, otherwise false is returned.
1171  */
1172 static bool control_save_page(PageSearchStatus *pss, RAMBlock *block,
1173                               ram_addr_t offset, int *pages)
1174 {
1175     uint64_t bytes_xmit = 0;
1176     int ret;
1177 
1178     *pages = -1;
1179     ret = ram_control_save_page(pss->pss_channel, block->offset, offset,
1180                                 TARGET_PAGE_SIZE, &bytes_xmit);
1181     if (ret == RAM_SAVE_CONTROL_NOT_SUPP) {
1182         return false;
1183     }
1184 
1185     if (bytes_xmit) {
1186         ram_transferred_add(bytes_xmit);
1187         *pages = 1;
1188     }
1189 
1190     if (ret == RAM_SAVE_CONTROL_DELAYED) {
1191         return true;
1192     }
1193 
1194     if (bytes_xmit > 0) {
1195         stat64_add(&mig_stats.normal_pages, 1);
1196     } else if (bytes_xmit == 0) {
1197         stat64_add(&mig_stats.zero_pages, 1);
1198     }
1199 
1200     return true;
1201 }
1202 
1203 /*
1204  * directly send the page to the stream
1205  *
1206  * Returns the number of pages written.
1207  *
1208  * @pss: current PSS channel
1209  * @block: block that contains the page we want to send
1210  * @offset: offset inside the block for the page
1211  * @buf: the page to be sent
1212  * @async: send to page asyncly
1213  */
1214 static int save_normal_page(PageSearchStatus *pss, RAMBlock *block,
1215                             ram_addr_t offset, uint8_t *buf, bool async)
1216 {
1217     QEMUFile *file = pss->pss_channel;
1218 
1219     ram_transferred_add(save_page_header(pss, pss->pss_channel, block,
1220                                          offset | RAM_SAVE_FLAG_PAGE));
1221     if (async) {
1222         qemu_put_buffer_async(file, buf, TARGET_PAGE_SIZE,
1223                               migrate_release_ram() &&
1224                               migration_in_postcopy());
1225     } else {
1226         qemu_put_buffer(file, buf, TARGET_PAGE_SIZE);
1227     }
1228     ram_transferred_add(TARGET_PAGE_SIZE);
1229     stat64_add(&mig_stats.normal_pages, 1);
1230     return 1;
1231 }
1232 
1233 /**
1234  * ram_save_page: send the given page to the stream
1235  *
1236  * Returns the number of pages written.
1237  *          < 0 - error
1238  *          >=0 - Number of pages written - this might legally be 0
1239  *                if xbzrle noticed the page was the same.
1240  *
1241  * @rs: current RAM state
1242  * @block: block that contains the page we want to send
1243  * @offset: offset inside the block for the page
1244  */
1245 static int ram_save_page(RAMState *rs, PageSearchStatus *pss)
1246 {
1247     int pages = -1;
1248     uint8_t *p;
1249     bool send_async = true;
1250     RAMBlock *block = pss->block;
1251     ram_addr_t offset = ((ram_addr_t)pss->page) << TARGET_PAGE_BITS;
1252     ram_addr_t current_addr = block->offset + offset;
1253 
1254     p = block->host + offset;
1255     trace_ram_save_page(block->idstr, (uint64_t)offset, p);
1256 
1257     XBZRLE_cache_lock();
1258     if (rs->xbzrle_started && !migration_in_postcopy()) {
1259         pages = save_xbzrle_page(rs, pss, &p, current_addr,
1260                                  block, offset);
1261         if (!rs->last_stage) {
1262             /* Can't send this cached data async, since the cache page
1263              * might get updated before it gets to the wire
1264              */
1265             send_async = false;
1266         }
1267     }
1268 
1269     /* XBZRLE overflow or normal page */
1270     if (pages == -1) {
1271         pages = save_normal_page(pss, block, offset, p, send_async);
1272     }
1273 
1274     XBZRLE_cache_unlock();
1275 
1276     return pages;
1277 }
1278 
1279 static int ram_save_multifd_page(QEMUFile *file, RAMBlock *block,
1280                                  ram_addr_t offset)
1281 {
1282     if (multifd_queue_page(file, block, offset) < 0) {
1283         return -1;
1284     }
1285     stat64_add(&mig_stats.normal_pages, 1);
1286 
1287     return 1;
1288 }
1289 
1290 static void
1291 update_compress_thread_counts(const CompressParam *param, int bytes_xmit)
1292 {
1293     ram_transferred_add(bytes_xmit);
1294 
1295     if (param->result == RES_ZEROPAGE) {
1296         stat64_add(&mig_stats.zero_pages, 1);
1297         return;
1298     }
1299 
1300     /* 8 means a header with RAM_SAVE_FLAG_CONTINUE. */
1301     compression_counters.compressed_size += bytes_xmit - 8;
1302     compression_counters.pages++;
1303 }
1304 
1305 static bool save_page_use_compression(RAMState *rs);
1306 
1307 static int send_queued_data(CompressParam *param)
1308 {
1309     PageSearchStatus *pss = &ram_state->pss[RAM_CHANNEL_PRECOPY];
1310     MigrationState *ms = migrate_get_current();
1311     QEMUFile *file = ms->to_dst_file;
1312     int len = 0;
1313 
1314     RAMBlock *block = param->block;
1315     ram_addr_t offset = param->offset;
1316 
1317     if (param->result == RES_NONE) {
1318         return 0;
1319     }
1320 
1321     assert(block == pss->last_sent_block);
1322 
1323     if (param->result == RES_ZEROPAGE) {
1324         assert(qemu_file_buffer_empty(param->file));
1325         len += save_page_header(pss, file, block, offset | RAM_SAVE_FLAG_ZERO);
1326         qemu_put_byte(file, 0);
1327         len += 1;
1328         ram_release_page(block->idstr, offset);
1329     } else if (param->result == RES_COMPRESS) {
1330         assert(!qemu_file_buffer_empty(param->file));
1331         len += save_page_header(pss, file, block,
1332                                 offset | RAM_SAVE_FLAG_COMPRESS_PAGE);
1333         len += qemu_put_qemu_file(file, param->file);
1334     } else {
1335         abort();
1336     }
1337 
1338     update_compress_thread_counts(param, len);
1339 
1340     return len;
1341 }
1342 
1343 static void ram_flush_compressed_data(RAMState *rs)
1344 {
1345     if (!save_page_use_compression(rs)) {
1346         return;
1347     }
1348 
1349     flush_compressed_data(send_queued_data);
1350 }
1351 
1352 #define PAGE_ALL_CLEAN 0
1353 #define PAGE_TRY_AGAIN 1
1354 #define PAGE_DIRTY_FOUND 2
1355 /**
1356  * find_dirty_block: find the next dirty page and update any state
1357  * associated with the search process.
1358  *
1359  * Returns:
1360  *         <0: An error happened
1361  *         PAGE_ALL_CLEAN: no dirty page found, give up
1362  *         PAGE_TRY_AGAIN: no dirty page found, retry for next block
1363  *         PAGE_DIRTY_FOUND: dirty page found
1364  *
1365  * @rs: current RAM state
1366  * @pss: data about the state of the current dirty page scan
1367  * @again: set to false if the search has scanned the whole of RAM
1368  */
1369 static int find_dirty_block(RAMState *rs, PageSearchStatus *pss)
1370 {
1371     /* Update pss->page for the next dirty bit in ramblock */
1372     pss_find_next_dirty(pss);
1373 
1374     if (pss->complete_round && pss->block == rs->last_seen_block &&
1375         pss->page >= rs->last_page) {
1376         /*
1377          * We've been once around the RAM and haven't found anything.
1378          * Give up.
1379          */
1380         return PAGE_ALL_CLEAN;
1381     }
1382     if (!offset_in_ramblock(pss->block,
1383                             ((ram_addr_t)pss->page) << TARGET_PAGE_BITS)) {
1384         /* Didn't find anything in this RAM Block */
1385         pss->page = 0;
1386         pss->block = QLIST_NEXT_RCU(pss->block, next);
1387         if (!pss->block) {
1388             if (!migrate_multifd_flush_after_each_section()) {
1389                 QEMUFile *f = rs->pss[RAM_CHANNEL_PRECOPY].pss_channel;
1390                 int ret = multifd_send_sync_main(f);
1391                 if (ret < 0) {
1392                     return ret;
1393                 }
1394                 qemu_put_be64(f, RAM_SAVE_FLAG_MULTIFD_FLUSH);
1395                 qemu_fflush(f);
1396             }
1397             /*
1398              * If memory migration starts over, we will meet a dirtied page
1399              * which may still exists in compression threads's ring, so we
1400              * should flush the compressed data to make sure the new page
1401              * is not overwritten by the old one in the destination.
1402              *
1403              * Also If xbzrle is on, stop using the data compression at this
1404              * point. In theory, xbzrle can do better than compression.
1405              */
1406             ram_flush_compressed_data(rs);
1407 
1408             /* Hit the end of the list */
1409             pss->block = QLIST_FIRST_RCU(&ram_list.blocks);
1410             /* Flag that we've looped */
1411             pss->complete_round = true;
1412             /* After the first round, enable XBZRLE. */
1413             if (migrate_xbzrle()) {
1414                 rs->xbzrle_started = true;
1415             }
1416         }
1417         /* Didn't find anything this time, but try again on the new block */
1418         return PAGE_TRY_AGAIN;
1419     } else {
1420         /* We've found something */
1421         return PAGE_DIRTY_FOUND;
1422     }
1423 }
1424 
1425 /**
1426  * unqueue_page: gets a page of the queue
1427  *
1428  * Helper for 'get_queued_page' - gets a page off the queue
1429  *
1430  * Returns the block of the page (or NULL if none available)
1431  *
1432  * @rs: current RAM state
1433  * @offset: used to return the offset within the RAMBlock
1434  */
1435 static RAMBlock *unqueue_page(RAMState *rs, ram_addr_t *offset)
1436 {
1437     struct RAMSrcPageRequest *entry;
1438     RAMBlock *block = NULL;
1439 
1440     if (!postcopy_has_request(rs)) {
1441         return NULL;
1442     }
1443 
1444     QEMU_LOCK_GUARD(&rs->src_page_req_mutex);
1445 
1446     /*
1447      * This should _never_ change even after we take the lock, because no one
1448      * should be taking anything off the request list other than us.
1449      */
1450     assert(postcopy_has_request(rs));
1451 
1452     entry = QSIMPLEQ_FIRST(&rs->src_page_requests);
1453     block = entry->rb;
1454     *offset = entry->offset;
1455 
1456     if (entry->len > TARGET_PAGE_SIZE) {
1457         entry->len -= TARGET_PAGE_SIZE;
1458         entry->offset += TARGET_PAGE_SIZE;
1459     } else {
1460         memory_region_unref(block->mr);
1461         QSIMPLEQ_REMOVE_HEAD(&rs->src_page_requests, next_req);
1462         g_free(entry);
1463         migration_consume_urgent_request();
1464     }
1465 
1466     return block;
1467 }
1468 
1469 #if defined(__linux__)
1470 /**
1471  * poll_fault_page: try to get next UFFD write fault page and, if pending fault
1472  *   is found, return RAM block pointer and page offset
1473  *
1474  * Returns pointer to the RAMBlock containing faulting page,
1475  *   NULL if no write faults are pending
1476  *
1477  * @rs: current RAM state
1478  * @offset: page offset from the beginning of the block
1479  */
1480 static RAMBlock *poll_fault_page(RAMState *rs, ram_addr_t *offset)
1481 {
1482     struct uffd_msg uffd_msg;
1483     void *page_address;
1484     RAMBlock *block;
1485     int res;
1486 
1487     if (!migrate_background_snapshot()) {
1488         return NULL;
1489     }
1490 
1491     res = uffd_read_events(rs->uffdio_fd, &uffd_msg, 1);
1492     if (res <= 0) {
1493         return NULL;
1494     }
1495 
1496     page_address = (void *)(uintptr_t) uffd_msg.arg.pagefault.address;
1497     block = qemu_ram_block_from_host(page_address, false, offset);
1498     assert(block && (block->flags & RAM_UF_WRITEPROTECT) != 0);
1499     return block;
1500 }
1501 
1502 /**
1503  * ram_save_release_protection: release UFFD write protection after
1504  *   a range of pages has been saved
1505  *
1506  * @rs: current RAM state
1507  * @pss: page-search-status structure
1508  * @start_page: index of the first page in the range relative to pss->block
1509  *
1510  * Returns 0 on success, negative value in case of an error
1511 */
1512 static int ram_save_release_protection(RAMState *rs, PageSearchStatus *pss,
1513         unsigned long start_page)
1514 {
1515     int res = 0;
1516 
1517     /* Check if page is from UFFD-managed region. */
1518     if (pss->block->flags & RAM_UF_WRITEPROTECT) {
1519         void *page_address = pss->block->host + (start_page << TARGET_PAGE_BITS);
1520         uint64_t run_length = (pss->page - start_page) << TARGET_PAGE_BITS;
1521 
1522         /* Flush async buffers before un-protect. */
1523         qemu_fflush(pss->pss_channel);
1524         /* Un-protect memory range. */
1525         res = uffd_change_protection(rs->uffdio_fd, page_address, run_length,
1526                 false, false);
1527     }
1528 
1529     return res;
1530 }
1531 
1532 /* ram_write_tracking_available: check if kernel supports required UFFD features
1533  *
1534  * Returns true if supports, false otherwise
1535  */
1536 bool ram_write_tracking_available(void)
1537 {
1538     uint64_t uffd_features;
1539     int res;
1540 
1541     res = uffd_query_features(&uffd_features);
1542     return (res == 0 &&
1543             (uffd_features & UFFD_FEATURE_PAGEFAULT_FLAG_WP) != 0);
1544 }
1545 
1546 /* ram_write_tracking_compatible: check if guest configuration is
1547  *   compatible with 'write-tracking'
1548  *
1549  * Returns true if compatible, false otherwise
1550  */
1551 bool ram_write_tracking_compatible(void)
1552 {
1553     const uint64_t uffd_ioctls_mask = BIT(_UFFDIO_WRITEPROTECT);
1554     int uffd_fd;
1555     RAMBlock *block;
1556     bool ret = false;
1557 
1558     /* Open UFFD file descriptor */
1559     uffd_fd = uffd_create_fd(UFFD_FEATURE_PAGEFAULT_FLAG_WP, false);
1560     if (uffd_fd < 0) {
1561         return false;
1562     }
1563 
1564     RCU_READ_LOCK_GUARD();
1565 
1566     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
1567         uint64_t uffd_ioctls;
1568 
1569         /* Nothing to do with read-only and MMIO-writable regions */
1570         if (block->mr->readonly || block->mr->rom_device) {
1571             continue;
1572         }
1573         /* Try to register block memory via UFFD-IO to track writes */
1574         if (uffd_register_memory(uffd_fd, block->host, block->max_length,
1575                 UFFDIO_REGISTER_MODE_WP, &uffd_ioctls)) {
1576             goto out;
1577         }
1578         if ((uffd_ioctls & uffd_ioctls_mask) != uffd_ioctls_mask) {
1579             goto out;
1580         }
1581     }
1582     ret = true;
1583 
1584 out:
1585     uffd_close_fd(uffd_fd);
1586     return ret;
1587 }
1588 
1589 static inline void populate_read_range(RAMBlock *block, ram_addr_t offset,
1590                                        ram_addr_t size)
1591 {
1592     const ram_addr_t end = offset + size;
1593 
1594     /*
1595      * We read one byte of each page; this will preallocate page tables if
1596      * required and populate the shared zeropage on MAP_PRIVATE anonymous memory
1597      * where no page was populated yet. This might require adaption when
1598      * supporting other mappings, like shmem.
1599      */
1600     for (; offset < end; offset += block->page_size) {
1601         char tmp = *((char *)block->host + offset);
1602 
1603         /* Don't optimize the read out */
1604         asm volatile("" : "+r" (tmp));
1605     }
1606 }
1607 
1608 static inline int populate_read_section(MemoryRegionSection *section,
1609                                         void *opaque)
1610 {
1611     const hwaddr size = int128_get64(section->size);
1612     hwaddr offset = section->offset_within_region;
1613     RAMBlock *block = section->mr->ram_block;
1614 
1615     populate_read_range(block, offset, size);
1616     return 0;
1617 }
1618 
1619 /*
1620  * ram_block_populate_read: preallocate page tables and populate pages in the
1621  *   RAM block by reading a byte of each page.
1622  *
1623  * Since it's solely used for userfault_fd WP feature, here we just
1624  *   hardcode page size to qemu_real_host_page_size.
1625  *
1626  * @block: RAM block to populate
1627  */
1628 static void ram_block_populate_read(RAMBlock *rb)
1629 {
1630     /*
1631      * Skip populating all pages that fall into a discarded range as managed by
1632      * a RamDiscardManager responsible for the mapped memory region of the
1633      * RAMBlock. Such discarded ("logically unplugged") parts of a RAMBlock
1634      * must not get populated automatically. We don't have to track
1635      * modifications via userfaultfd WP reliably, because these pages will
1636      * not be part of the migration stream either way -- see
1637      * ramblock_dirty_bitmap_exclude_discarded_pages().
1638      *
1639      * Note: The result is only stable while migrating (precopy/postcopy).
1640      */
1641     if (rb->mr && memory_region_has_ram_discard_manager(rb->mr)) {
1642         RamDiscardManager *rdm = memory_region_get_ram_discard_manager(rb->mr);
1643         MemoryRegionSection section = {
1644             .mr = rb->mr,
1645             .offset_within_region = 0,
1646             .size = rb->mr->size,
1647         };
1648 
1649         ram_discard_manager_replay_populated(rdm, &section,
1650                                              populate_read_section, NULL);
1651     } else {
1652         populate_read_range(rb, 0, rb->used_length);
1653     }
1654 }
1655 
1656 /*
1657  * ram_write_tracking_prepare: prepare for UFFD-WP memory tracking
1658  */
1659 void ram_write_tracking_prepare(void)
1660 {
1661     RAMBlock *block;
1662 
1663     RCU_READ_LOCK_GUARD();
1664 
1665     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
1666         /* Nothing to do with read-only and MMIO-writable regions */
1667         if (block->mr->readonly || block->mr->rom_device) {
1668             continue;
1669         }
1670 
1671         /*
1672          * Populate pages of the RAM block before enabling userfault_fd
1673          * write protection.
1674          *
1675          * This stage is required since ioctl(UFFDIO_WRITEPROTECT) with
1676          * UFFDIO_WRITEPROTECT_MODE_WP mode setting would silently skip
1677          * pages with pte_none() entries in page table.
1678          */
1679         ram_block_populate_read(block);
1680     }
1681 }
1682 
1683 static inline int uffd_protect_section(MemoryRegionSection *section,
1684                                        void *opaque)
1685 {
1686     const hwaddr size = int128_get64(section->size);
1687     const hwaddr offset = section->offset_within_region;
1688     RAMBlock *rb = section->mr->ram_block;
1689     int uffd_fd = (uintptr_t)opaque;
1690 
1691     return uffd_change_protection(uffd_fd, rb->host + offset, size, true,
1692                                   false);
1693 }
1694 
1695 static int ram_block_uffd_protect(RAMBlock *rb, int uffd_fd)
1696 {
1697     assert(rb->flags & RAM_UF_WRITEPROTECT);
1698 
1699     /* See ram_block_populate_read() */
1700     if (rb->mr && memory_region_has_ram_discard_manager(rb->mr)) {
1701         RamDiscardManager *rdm = memory_region_get_ram_discard_manager(rb->mr);
1702         MemoryRegionSection section = {
1703             .mr = rb->mr,
1704             .offset_within_region = 0,
1705             .size = rb->mr->size,
1706         };
1707 
1708         return ram_discard_manager_replay_populated(rdm, &section,
1709                                                     uffd_protect_section,
1710                                                     (void *)(uintptr_t)uffd_fd);
1711     }
1712     return uffd_change_protection(uffd_fd, rb->host,
1713                                   rb->used_length, true, false);
1714 }
1715 
1716 /*
1717  * ram_write_tracking_start: start UFFD-WP memory tracking
1718  *
1719  * Returns 0 for success or negative value in case of error
1720  */
1721 int ram_write_tracking_start(void)
1722 {
1723     int uffd_fd;
1724     RAMState *rs = ram_state;
1725     RAMBlock *block;
1726 
1727     /* Open UFFD file descriptor */
1728     uffd_fd = uffd_create_fd(UFFD_FEATURE_PAGEFAULT_FLAG_WP, true);
1729     if (uffd_fd < 0) {
1730         return uffd_fd;
1731     }
1732     rs->uffdio_fd = uffd_fd;
1733 
1734     RCU_READ_LOCK_GUARD();
1735 
1736     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
1737         /* Nothing to do with read-only and MMIO-writable regions */
1738         if (block->mr->readonly || block->mr->rom_device) {
1739             continue;
1740         }
1741 
1742         /* Register block memory with UFFD to track writes */
1743         if (uffd_register_memory(rs->uffdio_fd, block->host,
1744                 block->max_length, UFFDIO_REGISTER_MODE_WP, NULL)) {
1745             goto fail;
1746         }
1747         block->flags |= RAM_UF_WRITEPROTECT;
1748         memory_region_ref(block->mr);
1749 
1750         /* Apply UFFD write protection to the block memory range */
1751         if (ram_block_uffd_protect(block, uffd_fd)) {
1752             goto fail;
1753         }
1754 
1755         trace_ram_write_tracking_ramblock_start(block->idstr, block->page_size,
1756                 block->host, block->max_length);
1757     }
1758 
1759     return 0;
1760 
1761 fail:
1762     error_report("ram_write_tracking_start() failed: restoring initial memory state");
1763 
1764     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
1765         if ((block->flags & RAM_UF_WRITEPROTECT) == 0) {
1766             continue;
1767         }
1768         uffd_unregister_memory(rs->uffdio_fd, block->host, block->max_length);
1769         /* Cleanup flags and remove reference */
1770         block->flags &= ~RAM_UF_WRITEPROTECT;
1771         memory_region_unref(block->mr);
1772     }
1773 
1774     uffd_close_fd(uffd_fd);
1775     rs->uffdio_fd = -1;
1776     return -1;
1777 }
1778 
1779 /**
1780  * ram_write_tracking_stop: stop UFFD-WP memory tracking and remove protection
1781  */
1782 void ram_write_tracking_stop(void)
1783 {
1784     RAMState *rs = ram_state;
1785     RAMBlock *block;
1786 
1787     RCU_READ_LOCK_GUARD();
1788 
1789     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
1790         if ((block->flags & RAM_UF_WRITEPROTECT) == 0) {
1791             continue;
1792         }
1793         uffd_unregister_memory(rs->uffdio_fd, block->host, block->max_length);
1794 
1795         trace_ram_write_tracking_ramblock_stop(block->idstr, block->page_size,
1796                 block->host, block->max_length);
1797 
1798         /* Cleanup flags and remove reference */
1799         block->flags &= ~RAM_UF_WRITEPROTECT;
1800         memory_region_unref(block->mr);
1801     }
1802 
1803     /* Finally close UFFD file descriptor */
1804     uffd_close_fd(rs->uffdio_fd);
1805     rs->uffdio_fd = -1;
1806 }
1807 
1808 #else
1809 /* No target OS support, stubs just fail or ignore */
1810 
1811 static RAMBlock *poll_fault_page(RAMState *rs, ram_addr_t *offset)
1812 {
1813     (void) rs;
1814     (void) offset;
1815 
1816     return NULL;
1817 }
1818 
1819 static int ram_save_release_protection(RAMState *rs, PageSearchStatus *pss,
1820         unsigned long start_page)
1821 {
1822     (void) rs;
1823     (void) pss;
1824     (void) start_page;
1825 
1826     return 0;
1827 }
1828 
1829 bool ram_write_tracking_available(void)
1830 {
1831     return false;
1832 }
1833 
1834 bool ram_write_tracking_compatible(void)
1835 {
1836     assert(0);
1837     return false;
1838 }
1839 
1840 int ram_write_tracking_start(void)
1841 {
1842     assert(0);
1843     return -1;
1844 }
1845 
1846 void ram_write_tracking_stop(void)
1847 {
1848     assert(0);
1849 }
1850 #endif /* defined(__linux__) */
1851 
1852 /**
1853  * get_queued_page: unqueue a page from the postcopy requests
1854  *
1855  * Skips pages that are already sent (!dirty)
1856  *
1857  * Returns true if a queued page is found
1858  *
1859  * @rs: current RAM state
1860  * @pss: data about the state of the current dirty page scan
1861  */
1862 static bool get_queued_page(RAMState *rs, PageSearchStatus *pss)
1863 {
1864     RAMBlock  *block;
1865     ram_addr_t offset;
1866     bool dirty;
1867 
1868     do {
1869         block = unqueue_page(rs, &offset);
1870         /*
1871          * We're sending this page, and since it's postcopy nothing else
1872          * will dirty it, and we must make sure it doesn't get sent again
1873          * even if this queue request was received after the background
1874          * search already sent it.
1875          */
1876         if (block) {
1877             unsigned long page;
1878 
1879             page = offset >> TARGET_PAGE_BITS;
1880             dirty = test_bit(page, block->bmap);
1881             if (!dirty) {
1882                 trace_get_queued_page_not_dirty(block->idstr, (uint64_t)offset,
1883                                                 page);
1884             } else {
1885                 trace_get_queued_page(block->idstr, (uint64_t)offset, page);
1886             }
1887         }
1888 
1889     } while (block && !dirty);
1890 
1891     if (!block) {
1892         /*
1893          * Poll write faults too if background snapshot is enabled; that's
1894          * when we have vcpus got blocked by the write protected pages.
1895          */
1896         block = poll_fault_page(rs, &offset);
1897     }
1898 
1899     if (block) {
1900         /*
1901          * We want the background search to continue from the queued page
1902          * since the guest is likely to want other pages near to the page
1903          * it just requested.
1904          */
1905         pss->block = block;
1906         pss->page = offset >> TARGET_PAGE_BITS;
1907 
1908         /*
1909          * This unqueued page would break the "one round" check, even is
1910          * really rare.
1911          */
1912         pss->complete_round = false;
1913     }
1914 
1915     return !!block;
1916 }
1917 
1918 /**
1919  * migration_page_queue_free: drop any remaining pages in the ram
1920  * request queue
1921  *
1922  * It should be empty at the end anyway, but in error cases there may
1923  * be some left.  in case that there is any page left, we drop it.
1924  *
1925  */
1926 static void migration_page_queue_free(RAMState *rs)
1927 {
1928     struct RAMSrcPageRequest *mspr, *next_mspr;
1929     /* This queue generally should be empty - but in the case of a failed
1930      * migration might have some droppings in.
1931      */
1932     RCU_READ_LOCK_GUARD();
1933     QSIMPLEQ_FOREACH_SAFE(mspr, &rs->src_page_requests, next_req, next_mspr) {
1934         memory_region_unref(mspr->rb->mr);
1935         QSIMPLEQ_REMOVE_HEAD(&rs->src_page_requests, next_req);
1936         g_free(mspr);
1937     }
1938 }
1939 
1940 /**
1941  * ram_save_queue_pages: queue the page for transmission
1942  *
1943  * A request from postcopy destination for example.
1944  *
1945  * Returns zero on success or negative on error
1946  *
1947  * @rbname: Name of the RAMBLock of the request. NULL means the
1948  *          same that last one.
1949  * @start: starting address from the start of the RAMBlock
1950  * @len: length (in bytes) to send
1951  */
1952 int ram_save_queue_pages(const char *rbname, ram_addr_t start, ram_addr_t len)
1953 {
1954     RAMBlock *ramblock;
1955     RAMState *rs = ram_state;
1956 
1957     stat64_add(&mig_stats.postcopy_requests, 1);
1958     RCU_READ_LOCK_GUARD();
1959 
1960     if (!rbname) {
1961         /* Reuse last RAMBlock */
1962         ramblock = rs->last_req_rb;
1963 
1964         if (!ramblock) {
1965             /*
1966              * Shouldn't happen, we can't reuse the last RAMBlock if
1967              * it's the 1st request.
1968              */
1969             error_report("ram_save_queue_pages no previous block");
1970             return -1;
1971         }
1972     } else {
1973         ramblock = qemu_ram_block_by_name(rbname);
1974 
1975         if (!ramblock) {
1976             /* We shouldn't be asked for a non-existent RAMBlock */
1977             error_report("ram_save_queue_pages no block '%s'", rbname);
1978             return -1;
1979         }
1980         rs->last_req_rb = ramblock;
1981     }
1982     trace_ram_save_queue_pages(ramblock->idstr, start, len);
1983     if (!offset_in_ramblock(ramblock, start + len - 1)) {
1984         error_report("%s request overrun start=" RAM_ADDR_FMT " len="
1985                      RAM_ADDR_FMT " blocklen=" RAM_ADDR_FMT,
1986                      __func__, start, len, ramblock->used_length);
1987         return -1;
1988     }
1989 
1990     /*
1991      * When with postcopy preempt, we send back the page directly in the
1992      * rp-return thread.
1993      */
1994     if (postcopy_preempt_active()) {
1995         ram_addr_t page_start = start >> TARGET_PAGE_BITS;
1996         size_t page_size = qemu_ram_pagesize(ramblock);
1997         PageSearchStatus *pss = &ram_state->pss[RAM_CHANNEL_POSTCOPY];
1998         int ret = 0;
1999 
2000         qemu_mutex_lock(&rs->bitmap_mutex);
2001 
2002         pss_init(pss, ramblock, page_start);
2003         /*
2004          * Always use the preempt channel, and make sure it's there.  It's
2005          * safe to access without lock, because when rp-thread is running
2006          * we should be the only one who operates on the qemufile
2007          */
2008         pss->pss_channel = migrate_get_current()->postcopy_qemufile_src;
2009         assert(pss->pss_channel);
2010 
2011         /*
2012          * It must be either one or multiple of host page size.  Just
2013          * assert; if something wrong we're mostly split brain anyway.
2014          */
2015         assert(len % page_size == 0);
2016         while (len) {
2017             if (ram_save_host_page_urgent(pss)) {
2018                 error_report("%s: ram_save_host_page_urgent() failed: "
2019                              "ramblock=%s, start_addr=0x"RAM_ADDR_FMT,
2020                              __func__, ramblock->idstr, start);
2021                 ret = -1;
2022                 break;
2023             }
2024             /*
2025              * NOTE: after ram_save_host_page_urgent() succeeded, pss->page
2026              * will automatically be moved and point to the next host page
2027              * we're going to send, so no need to update here.
2028              *
2029              * Normally QEMU never sends >1 host page in requests, so
2030              * logically we don't even need that as the loop should only
2031              * run once, but just to be consistent.
2032              */
2033             len -= page_size;
2034         };
2035         qemu_mutex_unlock(&rs->bitmap_mutex);
2036 
2037         return ret;
2038     }
2039 
2040     struct RAMSrcPageRequest *new_entry =
2041         g_new0(struct RAMSrcPageRequest, 1);
2042     new_entry->rb = ramblock;
2043     new_entry->offset = start;
2044     new_entry->len = len;
2045 
2046     memory_region_ref(ramblock->mr);
2047     qemu_mutex_lock(&rs->src_page_req_mutex);
2048     QSIMPLEQ_INSERT_TAIL(&rs->src_page_requests, new_entry, next_req);
2049     migration_make_urgent_request();
2050     qemu_mutex_unlock(&rs->src_page_req_mutex);
2051 
2052     return 0;
2053 }
2054 
2055 static bool save_page_use_compression(RAMState *rs)
2056 {
2057     if (!migrate_compress()) {
2058         return false;
2059     }
2060 
2061     /*
2062      * If xbzrle is enabled (e.g., after first round of migration), stop
2063      * using the data compression. In theory, xbzrle can do better than
2064      * compression.
2065      */
2066     if (rs->xbzrle_started) {
2067         return false;
2068     }
2069 
2070     return true;
2071 }
2072 
2073 /*
2074  * try to compress the page before posting it out, return true if the page
2075  * has been properly handled by compression, otherwise needs other
2076  * paths to handle it
2077  */
2078 static bool save_compress_page(RAMState *rs, PageSearchStatus *pss,
2079                                RAMBlock *block, ram_addr_t offset)
2080 {
2081     if (!save_page_use_compression(rs)) {
2082         return false;
2083     }
2084 
2085     /*
2086      * When starting the process of a new block, the first page of
2087      * the block should be sent out before other pages in the same
2088      * block, and all the pages in last block should have been sent
2089      * out, keeping this order is important, because the 'cont' flag
2090      * is used to avoid resending the block name.
2091      *
2092      * We post the fist page as normal page as compression will take
2093      * much CPU resource.
2094      */
2095     if (block != pss->last_sent_block) {
2096         ram_flush_compressed_data(rs);
2097         return false;
2098     }
2099 
2100     if (compress_page_with_multi_thread(block, offset, send_queued_data) > 0) {
2101         return true;
2102     }
2103 
2104     compression_counters.busy++;
2105     return false;
2106 }
2107 
2108 /**
2109  * ram_save_target_page_legacy: save one target page
2110  *
2111  * Returns the number of pages written
2112  *
2113  * @rs: current RAM state
2114  * @pss: data about the page we want to send
2115  */
2116 static int ram_save_target_page_legacy(RAMState *rs, PageSearchStatus *pss)
2117 {
2118     RAMBlock *block = pss->block;
2119     ram_addr_t offset = ((ram_addr_t)pss->page) << TARGET_PAGE_BITS;
2120     int res;
2121 
2122     if (control_save_page(pss, block, offset, &res)) {
2123         return res;
2124     }
2125 
2126     if (save_compress_page(rs, pss, block, offset)) {
2127         return 1;
2128     }
2129 
2130     res = save_zero_page(pss, pss->pss_channel, block, offset);
2131     if (res > 0) {
2132         /* Must let xbzrle know, otherwise a previous (now 0'd) cached
2133          * page would be stale
2134          */
2135         if (rs->xbzrle_started) {
2136             XBZRLE_cache_lock();
2137             xbzrle_cache_zero_page(rs, block->offset + offset);
2138             XBZRLE_cache_unlock();
2139         }
2140         return res;
2141     }
2142 
2143     /*
2144      * Do not use multifd in postcopy as one whole host page should be
2145      * placed.  Meanwhile postcopy requires atomic update of pages, so even
2146      * if host page size == guest page size the dest guest during run may
2147      * still see partially copied pages which is data corruption.
2148      */
2149     if (migrate_multifd() && !migration_in_postcopy()) {
2150         return ram_save_multifd_page(pss->pss_channel, block, offset);
2151     }
2152 
2153     return ram_save_page(rs, pss);
2154 }
2155 
2156 /* Should be called before sending a host page */
2157 static void pss_host_page_prepare(PageSearchStatus *pss)
2158 {
2159     /* How many guest pages are there in one host page? */
2160     size_t guest_pfns = qemu_ram_pagesize(pss->block) >> TARGET_PAGE_BITS;
2161 
2162     pss->host_page_sending = true;
2163     if (guest_pfns <= 1) {
2164         /*
2165          * This covers both when guest psize == host psize, or when guest
2166          * has larger psize than the host (guest_pfns==0).
2167          *
2168          * For the latter, we always send one whole guest page per
2169          * iteration of the host page (example: an Alpha VM on x86 host
2170          * will have guest psize 8K while host psize 4K).
2171          */
2172         pss->host_page_start = pss->page;
2173         pss->host_page_end = pss->page + 1;
2174     } else {
2175         /*
2176          * The host page spans over multiple guest pages, we send them
2177          * within the same host page iteration.
2178          */
2179         pss->host_page_start = ROUND_DOWN(pss->page, guest_pfns);
2180         pss->host_page_end = ROUND_UP(pss->page + 1, guest_pfns);
2181     }
2182 }
2183 
2184 /*
2185  * Whether the page pointed by PSS is within the host page being sent.
2186  * Must be called after a previous pss_host_page_prepare().
2187  */
2188 static bool pss_within_range(PageSearchStatus *pss)
2189 {
2190     ram_addr_t ram_addr;
2191 
2192     assert(pss->host_page_sending);
2193 
2194     /* Over host-page boundary? */
2195     if (pss->page >= pss->host_page_end) {
2196         return false;
2197     }
2198 
2199     ram_addr = ((ram_addr_t)pss->page) << TARGET_PAGE_BITS;
2200 
2201     return offset_in_ramblock(pss->block, ram_addr);
2202 }
2203 
2204 static void pss_host_page_finish(PageSearchStatus *pss)
2205 {
2206     pss->host_page_sending = false;
2207     /* This is not needed, but just to reset it */
2208     pss->host_page_start = pss->host_page_end = 0;
2209 }
2210 
2211 /*
2212  * Send an urgent host page specified by `pss'.  Need to be called with
2213  * bitmap_mutex held.
2214  *
2215  * Returns 0 if save host page succeeded, false otherwise.
2216  */
2217 static int ram_save_host_page_urgent(PageSearchStatus *pss)
2218 {
2219     bool page_dirty, sent = false;
2220     RAMState *rs = ram_state;
2221     int ret = 0;
2222 
2223     trace_postcopy_preempt_send_host_page(pss->block->idstr, pss->page);
2224     pss_host_page_prepare(pss);
2225 
2226     /*
2227      * If precopy is sending the same page, let it be done in precopy, or
2228      * we could send the same page in two channels and none of them will
2229      * receive the whole page.
2230      */
2231     if (pss_overlap(pss, &ram_state->pss[RAM_CHANNEL_PRECOPY])) {
2232         trace_postcopy_preempt_hit(pss->block->idstr,
2233                                    pss->page << TARGET_PAGE_BITS);
2234         return 0;
2235     }
2236 
2237     do {
2238         page_dirty = migration_bitmap_clear_dirty(rs, pss->block, pss->page);
2239 
2240         if (page_dirty) {
2241             /* Be strict to return code; it must be 1, or what else? */
2242             if (migration_ops->ram_save_target_page(rs, pss) != 1) {
2243                 error_report_once("%s: ram_save_target_page failed", __func__);
2244                 ret = -1;
2245                 goto out;
2246             }
2247             sent = true;
2248         }
2249         pss_find_next_dirty(pss);
2250     } while (pss_within_range(pss));
2251 out:
2252     pss_host_page_finish(pss);
2253     /* For urgent requests, flush immediately if sent */
2254     if (sent) {
2255         qemu_fflush(pss->pss_channel);
2256     }
2257     return ret;
2258 }
2259 
2260 /**
2261  * ram_save_host_page: save a whole host page
2262  *
2263  * Starting at *offset send pages up to the end of the current host
2264  * page. It's valid for the initial offset to point into the middle of
2265  * a host page in which case the remainder of the hostpage is sent.
2266  * Only dirty target pages are sent. Note that the host page size may
2267  * be a huge page for this block.
2268  *
2269  * The saving stops at the boundary of the used_length of the block
2270  * if the RAMBlock isn't a multiple of the host page size.
2271  *
2272  * The caller must be with ram_state.bitmap_mutex held to call this
2273  * function.  Note that this function can temporarily release the lock, but
2274  * when the function is returned it'll make sure the lock is still held.
2275  *
2276  * Returns the number of pages written or negative on error
2277  *
2278  * @rs: current RAM state
2279  * @pss: data about the page we want to send
2280  */
2281 static int ram_save_host_page(RAMState *rs, PageSearchStatus *pss)
2282 {
2283     bool page_dirty, preempt_active = postcopy_preempt_active();
2284     int tmppages, pages = 0;
2285     size_t pagesize_bits =
2286         qemu_ram_pagesize(pss->block) >> TARGET_PAGE_BITS;
2287     unsigned long start_page = pss->page;
2288     int res;
2289 
2290     if (ramblock_is_ignored(pss->block)) {
2291         error_report("block %s should not be migrated !", pss->block->idstr);
2292         return 0;
2293     }
2294 
2295     /* Update host page boundary information */
2296     pss_host_page_prepare(pss);
2297 
2298     do {
2299         page_dirty = migration_bitmap_clear_dirty(rs, pss->block, pss->page);
2300 
2301         /* Check the pages is dirty and if it is send it */
2302         if (page_dirty) {
2303             /*
2304              * Properly yield the lock only in postcopy preempt mode
2305              * because both migration thread and rp-return thread can
2306              * operate on the bitmaps.
2307              */
2308             if (preempt_active) {
2309                 qemu_mutex_unlock(&rs->bitmap_mutex);
2310             }
2311             tmppages = migration_ops->ram_save_target_page(rs, pss);
2312             if (tmppages >= 0) {
2313                 pages += tmppages;
2314                 /*
2315                  * Allow rate limiting to happen in the middle of huge pages if
2316                  * something is sent in the current iteration.
2317                  */
2318                 if (pagesize_bits > 1 && tmppages > 0) {
2319                     migration_rate_limit();
2320                 }
2321             }
2322             if (preempt_active) {
2323                 qemu_mutex_lock(&rs->bitmap_mutex);
2324             }
2325         } else {
2326             tmppages = 0;
2327         }
2328 
2329         if (tmppages < 0) {
2330             pss_host_page_finish(pss);
2331             return tmppages;
2332         }
2333 
2334         pss_find_next_dirty(pss);
2335     } while (pss_within_range(pss));
2336 
2337     pss_host_page_finish(pss);
2338 
2339     res = ram_save_release_protection(rs, pss, start_page);
2340     return (res < 0 ? res : pages);
2341 }
2342 
2343 /**
2344  * ram_find_and_save_block: finds a dirty page and sends it to f
2345  *
2346  * Called within an RCU critical section.
2347  *
2348  * Returns the number of pages written where zero means no dirty pages,
2349  * or negative on error
2350  *
2351  * @rs: current RAM state
2352  *
2353  * On systems where host-page-size > target-page-size it will send all the
2354  * pages in a host page that are dirty.
2355  */
2356 static int ram_find_and_save_block(RAMState *rs)
2357 {
2358     PageSearchStatus *pss = &rs->pss[RAM_CHANNEL_PRECOPY];
2359     int pages = 0;
2360 
2361     /* No dirty page as there is zero RAM */
2362     if (!rs->ram_bytes_total) {
2363         return pages;
2364     }
2365 
2366     /*
2367      * Always keep last_seen_block/last_page valid during this procedure,
2368      * because find_dirty_block() relies on these values (e.g., we compare
2369      * last_seen_block with pss.block to see whether we searched all the
2370      * ramblocks) to detect the completion of migration.  Having NULL value
2371      * of last_seen_block can conditionally cause below loop to run forever.
2372      */
2373     if (!rs->last_seen_block) {
2374         rs->last_seen_block = QLIST_FIRST_RCU(&ram_list.blocks);
2375         rs->last_page = 0;
2376     }
2377 
2378     pss_init(pss, rs->last_seen_block, rs->last_page);
2379 
2380     while (true){
2381         if (!get_queued_page(rs, pss)) {
2382             /* priority queue empty, so just search for something dirty */
2383             int res = find_dirty_block(rs, pss);
2384             if (res != PAGE_DIRTY_FOUND) {
2385                 if (res == PAGE_ALL_CLEAN) {
2386                     break;
2387                 } else if (res == PAGE_TRY_AGAIN) {
2388                     continue;
2389                 } else if (res < 0) {
2390                     pages = res;
2391                     break;
2392                 }
2393             }
2394         }
2395         pages = ram_save_host_page(rs, pss);
2396         if (pages) {
2397             break;
2398         }
2399     }
2400 
2401     rs->last_seen_block = pss->block;
2402     rs->last_page = pss->page;
2403 
2404     return pages;
2405 }
2406 
2407 static uint64_t ram_bytes_total_with_ignored(void)
2408 {
2409     RAMBlock *block;
2410     uint64_t total = 0;
2411 
2412     RCU_READ_LOCK_GUARD();
2413 
2414     RAMBLOCK_FOREACH_MIGRATABLE(block) {
2415         total += block->used_length;
2416     }
2417     return total;
2418 }
2419 
2420 uint64_t ram_bytes_total(void)
2421 {
2422     RAMBlock *block;
2423     uint64_t total = 0;
2424 
2425     RCU_READ_LOCK_GUARD();
2426 
2427     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
2428         total += block->used_length;
2429     }
2430     return total;
2431 }
2432 
2433 static void xbzrle_load_setup(void)
2434 {
2435     XBZRLE.decoded_buf = g_malloc(TARGET_PAGE_SIZE);
2436 }
2437 
2438 static void xbzrle_load_cleanup(void)
2439 {
2440     g_free(XBZRLE.decoded_buf);
2441     XBZRLE.decoded_buf = NULL;
2442 }
2443 
2444 static void ram_state_cleanup(RAMState **rsp)
2445 {
2446     if (*rsp) {
2447         migration_page_queue_free(*rsp);
2448         qemu_mutex_destroy(&(*rsp)->bitmap_mutex);
2449         qemu_mutex_destroy(&(*rsp)->src_page_req_mutex);
2450         g_free(*rsp);
2451         *rsp = NULL;
2452     }
2453 }
2454 
2455 static void xbzrle_cleanup(void)
2456 {
2457     XBZRLE_cache_lock();
2458     if (XBZRLE.cache) {
2459         cache_fini(XBZRLE.cache);
2460         g_free(XBZRLE.encoded_buf);
2461         g_free(XBZRLE.current_buf);
2462         g_free(XBZRLE.zero_target_page);
2463         XBZRLE.cache = NULL;
2464         XBZRLE.encoded_buf = NULL;
2465         XBZRLE.current_buf = NULL;
2466         XBZRLE.zero_target_page = NULL;
2467     }
2468     XBZRLE_cache_unlock();
2469 }
2470 
2471 static void ram_save_cleanup(void *opaque)
2472 {
2473     RAMState **rsp = opaque;
2474     RAMBlock *block;
2475 
2476     /* We don't use dirty log with background snapshots */
2477     if (!migrate_background_snapshot()) {
2478         /* caller have hold iothread lock or is in a bh, so there is
2479          * no writing race against the migration bitmap
2480          */
2481         if (global_dirty_tracking & GLOBAL_DIRTY_MIGRATION) {
2482             /*
2483              * do not stop dirty log without starting it, since
2484              * memory_global_dirty_log_stop will assert that
2485              * memory_global_dirty_log_start/stop used in pairs
2486              */
2487             memory_global_dirty_log_stop(GLOBAL_DIRTY_MIGRATION);
2488         }
2489     }
2490 
2491     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
2492         g_free(block->clear_bmap);
2493         block->clear_bmap = NULL;
2494         g_free(block->bmap);
2495         block->bmap = NULL;
2496     }
2497 
2498     xbzrle_cleanup();
2499     compress_threads_save_cleanup();
2500     ram_state_cleanup(rsp);
2501     g_free(migration_ops);
2502     migration_ops = NULL;
2503 }
2504 
2505 static void ram_state_reset(RAMState *rs)
2506 {
2507     int i;
2508 
2509     for (i = 0; i < RAM_CHANNEL_MAX; i++) {
2510         rs->pss[i].last_sent_block = NULL;
2511     }
2512 
2513     rs->last_seen_block = NULL;
2514     rs->last_page = 0;
2515     rs->last_version = ram_list.version;
2516     rs->xbzrle_started = false;
2517 }
2518 
2519 #define MAX_WAIT 50 /* ms, half buffered_file limit */
2520 
2521 /* **** functions for postcopy ***** */
2522 
2523 void ram_postcopy_migrated_memory_release(MigrationState *ms)
2524 {
2525     struct RAMBlock *block;
2526 
2527     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
2528         unsigned long *bitmap = block->bmap;
2529         unsigned long range = block->used_length >> TARGET_PAGE_BITS;
2530         unsigned long run_start = find_next_zero_bit(bitmap, range, 0);
2531 
2532         while (run_start < range) {
2533             unsigned long run_end = find_next_bit(bitmap, range, run_start + 1);
2534             ram_discard_range(block->idstr,
2535                               ((ram_addr_t)run_start) << TARGET_PAGE_BITS,
2536                               ((ram_addr_t)(run_end - run_start))
2537                                 << TARGET_PAGE_BITS);
2538             run_start = find_next_zero_bit(bitmap, range, run_end + 1);
2539         }
2540     }
2541 }
2542 
2543 /**
2544  * postcopy_send_discard_bm_ram: discard a RAMBlock
2545  *
2546  * Callback from postcopy_each_ram_send_discard for each RAMBlock
2547  *
2548  * @ms: current migration state
2549  * @block: RAMBlock to discard
2550  */
2551 static void postcopy_send_discard_bm_ram(MigrationState *ms, RAMBlock *block)
2552 {
2553     unsigned long end = block->used_length >> TARGET_PAGE_BITS;
2554     unsigned long current;
2555     unsigned long *bitmap = block->bmap;
2556 
2557     for (current = 0; current < end; ) {
2558         unsigned long one = find_next_bit(bitmap, end, current);
2559         unsigned long zero, discard_length;
2560 
2561         if (one >= end) {
2562             break;
2563         }
2564 
2565         zero = find_next_zero_bit(bitmap, end, one + 1);
2566 
2567         if (zero >= end) {
2568             discard_length = end - one;
2569         } else {
2570             discard_length = zero - one;
2571         }
2572         postcopy_discard_send_range(ms, one, discard_length);
2573         current = one + discard_length;
2574     }
2575 }
2576 
2577 static void postcopy_chunk_hostpages_pass(MigrationState *ms, RAMBlock *block);
2578 
2579 /**
2580  * postcopy_each_ram_send_discard: discard all RAMBlocks
2581  *
2582  * Utility for the outgoing postcopy code.
2583  *   Calls postcopy_send_discard_bm_ram for each RAMBlock
2584  *   passing it bitmap indexes and name.
2585  * (qemu_ram_foreach_block ends up passing unscaled lengths
2586  *  which would mean postcopy code would have to deal with target page)
2587  *
2588  * @ms: current migration state
2589  */
2590 static void postcopy_each_ram_send_discard(MigrationState *ms)
2591 {
2592     struct RAMBlock *block;
2593 
2594     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
2595         postcopy_discard_send_init(ms, block->idstr);
2596 
2597         /*
2598          * Deal with TPS != HPS and huge pages.  It discard any partially sent
2599          * host-page size chunks, mark any partially dirty host-page size
2600          * chunks as all dirty.  In this case the host-page is the host-page
2601          * for the particular RAMBlock, i.e. it might be a huge page.
2602          */
2603         postcopy_chunk_hostpages_pass(ms, block);
2604 
2605         /*
2606          * Postcopy sends chunks of bitmap over the wire, but it
2607          * just needs indexes at this point, avoids it having
2608          * target page specific code.
2609          */
2610         postcopy_send_discard_bm_ram(ms, block);
2611         postcopy_discard_send_finish(ms);
2612     }
2613 }
2614 
2615 /**
2616  * postcopy_chunk_hostpages_pass: canonicalize bitmap in hostpages
2617  *
2618  * Helper for postcopy_chunk_hostpages; it's called twice to
2619  * canonicalize the two bitmaps, that are similar, but one is
2620  * inverted.
2621  *
2622  * Postcopy requires that all target pages in a hostpage are dirty or
2623  * clean, not a mix.  This function canonicalizes the bitmaps.
2624  *
2625  * @ms: current migration state
2626  * @block: block that contains the page we want to canonicalize
2627  */
2628 static void postcopy_chunk_hostpages_pass(MigrationState *ms, RAMBlock *block)
2629 {
2630     RAMState *rs = ram_state;
2631     unsigned long *bitmap = block->bmap;
2632     unsigned int host_ratio = block->page_size / TARGET_PAGE_SIZE;
2633     unsigned long pages = block->used_length >> TARGET_PAGE_BITS;
2634     unsigned long run_start;
2635 
2636     if (block->page_size == TARGET_PAGE_SIZE) {
2637         /* Easy case - TPS==HPS for a non-huge page RAMBlock */
2638         return;
2639     }
2640 
2641     /* Find a dirty page */
2642     run_start = find_next_bit(bitmap, pages, 0);
2643 
2644     while (run_start < pages) {
2645 
2646         /*
2647          * If the start of this run of pages is in the middle of a host
2648          * page, then we need to fixup this host page.
2649          */
2650         if (QEMU_IS_ALIGNED(run_start, host_ratio)) {
2651             /* Find the end of this run */
2652             run_start = find_next_zero_bit(bitmap, pages, run_start + 1);
2653             /*
2654              * If the end isn't at the start of a host page, then the
2655              * run doesn't finish at the end of a host page
2656              * and we need to discard.
2657              */
2658         }
2659 
2660         if (!QEMU_IS_ALIGNED(run_start, host_ratio)) {
2661             unsigned long page;
2662             unsigned long fixup_start_addr = QEMU_ALIGN_DOWN(run_start,
2663                                                              host_ratio);
2664             run_start = QEMU_ALIGN_UP(run_start, host_ratio);
2665 
2666             /* Clean up the bitmap */
2667             for (page = fixup_start_addr;
2668                  page < fixup_start_addr + host_ratio; page++) {
2669                 /*
2670                  * Remark them as dirty, updating the count for any pages
2671                  * that weren't previously dirty.
2672                  */
2673                 rs->migration_dirty_pages += !test_and_set_bit(page, bitmap);
2674             }
2675         }
2676 
2677         /* Find the next dirty page for the next iteration */
2678         run_start = find_next_bit(bitmap, pages, run_start);
2679     }
2680 }
2681 
2682 /**
2683  * ram_postcopy_send_discard_bitmap: transmit the discard bitmap
2684  *
2685  * Transmit the set of pages to be discarded after precopy to the target
2686  * these are pages that:
2687  *     a) Have been previously transmitted but are now dirty again
2688  *     b) Pages that have never been transmitted, this ensures that
2689  *        any pages on the destination that have been mapped by background
2690  *        tasks get discarded (transparent huge pages is the specific concern)
2691  * Hopefully this is pretty sparse
2692  *
2693  * @ms: current migration state
2694  */
2695 void ram_postcopy_send_discard_bitmap(MigrationState *ms)
2696 {
2697     RAMState *rs = ram_state;
2698 
2699     RCU_READ_LOCK_GUARD();
2700 
2701     /* This should be our last sync, the src is now paused */
2702     migration_bitmap_sync(rs, false);
2703 
2704     /* Easiest way to make sure we don't resume in the middle of a host-page */
2705     rs->pss[RAM_CHANNEL_PRECOPY].last_sent_block = NULL;
2706     rs->last_seen_block = NULL;
2707     rs->last_page = 0;
2708 
2709     postcopy_each_ram_send_discard(ms);
2710 
2711     trace_ram_postcopy_send_discard_bitmap();
2712 }
2713 
2714 /**
2715  * ram_discard_range: discard dirtied pages at the beginning of postcopy
2716  *
2717  * Returns zero on success
2718  *
2719  * @rbname: name of the RAMBlock of the request. NULL means the
2720  *          same that last one.
2721  * @start: RAMBlock starting page
2722  * @length: RAMBlock size
2723  */
2724 int ram_discard_range(const char *rbname, uint64_t start, size_t length)
2725 {
2726     trace_ram_discard_range(rbname, start, length);
2727 
2728     RCU_READ_LOCK_GUARD();
2729     RAMBlock *rb = qemu_ram_block_by_name(rbname);
2730 
2731     if (!rb) {
2732         error_report("ram_discard_range: Failed to find block '%s'", rbname);
2733         return -1;
2734     }
2735 
2736     /*
2737      * On source VM, we don't need to update the received bitmap since
2738      * we don't even have one.
2739      */
2740     if (rb->receivedmap) {
2741         bitmap_clear(rb->receivedmap, start >> qemu_target_page_bits(),
2742                      length >> qemu_target_page_bits());
2743     }
2744 
2745     return ram_block_discard_range(rb, start, length);
2746 }
2747 
2748 /*
2749  * For every allocation, we will try not to crash the VM if the
2750  * allocation failed.
2751  */
2752 static int xbzrle_init(void)
2753 {
2754     Error *local_err = NULL;
2755 
2756     if (!migrate_xbzrle()) {
2757         return 0;
2758     }
2759 
2760     XBZRLE_cache_lock();
2761 
2762     XBZRLE.zero_target_page = g_try_malloc0(TARGET_PAGE_SIZE);
2763     if (!XBZRLE.zero_target_page) {
2764         error_report("%s: Error allocating zero page", __func__);
2765         goto err_out;
2766     }
2767 
2768     XBZRLE.cache = cache_init(migrate_xbzrle_cache_size(),
2769                               TARGET_PAGE_SIZE, &local_err);
2770     if (!XBZRLE.cache) {
2771         error_report_err(local_err);
2772         goto free_zero_page;
2773     }
2774 
2775     XBZRLE.encoded_buf = g_try_malloc0(TARGET_PAGE_SIZE);
2776     if (!XBZRLE.encoded_buf) {
2777         error_report("%s: Error allocating encoded_buf", __func__);
2778         goto free_cache;
2779     }
2780 
2781     XBZRLE.current_buf = g_try_malloc(TARGET_PAGE_SIZE);
2782     if (!XBZRLE.current_buf) {
2783         error_report("%s: Error allocating current_buf", __func__);
2784         goto free_encoded_buf;
2785     }
2786 
2787     /* We are all good */
2788     XBZRLE_cache_unlock();
2789     return 0;
2790 
2791 free_encoded_buf:
2792     g_free(XBZRLE.encoded_buf);
2793     XBZRLE.encoded_buf = NULL;
2794 free_cache:
2795     cache_fini(XBZRLE.cache);
2796     XBZRLE.cache = NULL;
2797 free_zero_page:
2798     g_free(XBZRLE.zero_target_page);
2799     XBZRLE.zero_target_page = NULL;
2800 err_out:
2801     XBZRLE_cache_unlock();
2802     return -ENOMEM;
2803 }
2804 
2805 static int ram_state_init(RAMState **rsp)
2806 {
2807     *rsp = g_try_new0(RAMState, 1);
2808 
2809     if (!*rsp) {
2810         error_report("%s: Init ramstate fail", __func__);
2811         return -1;
2812     }
2813 
2814     qemu_mutex_init(&(*rsp)->bitmap_mutex);
2815     qemu_mutex_init(&(*rsp)->src_page_req_mutex);
2816     QSIMPLEQ_INIT(&(*rsp)->src_page_requests);
2817     (*rsp)->ram_bytes_total = ram_bytes_total();
2818 
2819     /*
2820      * Count the total number of pages used by ram blocks not including any
2821      * gaps due to alignment or unplugs.
2822      * This must match with the initial values of dirty bitmap.
2823      */
2824     (*rsp)->migration_dirty_pages = (*rsp)->ram_bytes_total >> TARGET_PAGE_BITS;
2825     ram_state_reset(*rsp);
2826 
2827     return 0;
2828 }
2829 
2830 static void ram_list_init_bitmaps(void)
2831 {
2832     MigrationState *ms = migrate_get_current();
2833     RAMBlock *block;
2834     unsigned long pages;
2835     uint8_t shift;
2836 
2837     /* Skip setting bitmap if there is no RAM */
2838     if (ram_bytes_total()) {
2839         shift = ms->clear_bitmap_shift;
2840         if (shift > CLEAR_BITMAP_SHIFT_MAX) {
2841             error_report("clear_bitmap_shift (%u) too big, using "
2842                          "max value (%u)", shift, CLEAR_BITMAP_SHIFT_MAX);
2843             shift = CLEAR_BITMAP_SHIFT_MAX;
2844         } else if (shift < CLEAR_BITMAP_SHIFT_MIN) {
2845             error_report("clear_bitmap_shift (%u) too small, using "
2846                          "min value (%u)", shift, CLEAR_BITMAP_SHIFT_MIN);
2847             shift = CLEAR_BITMAP_SHIFT_MIN;
2848         }
2849 
2850         RAMBLOCK_FOREACH_NOT_IGNORED(block) {
2851             pages = block->max_length >> TARGET_PAGE_BITS;
2852             /*
2853              * The initial dirty bitmap for migration must be set with all
2854              * ones to make sure we'll migrate every guest RAM page to
2855              * destination.
2856              * Here we set RAMBlock.bmap all to 1 because when rebegin a
2857              * new migration after a failed migration, ram_list.
2858              * dirty_memory[DIRTY_MEMORY_MIGRATION] don't include the whole
2859              * guest memory.
2860              */
2861             block->bmap = bitmap_new(pages);
2862             bitmap_set(block->bmap, 0, pages);
2863             block->clear_bmap_shift = shift;
2864             block->clear_bmap = bitmap_new(clear_bmap_size(pages, shift));
2865         }
2866     }
2867 }
2868 
2869 static void migration_bitmap_clear_discarded_pages(RAMState *rs)
2870 {
2871     unsigned long pages;
2872     RAMBlock *rb;
2873 
2874     RCU_READ_LOCK_GUARD();
2875 
2876     RAMBLOCK_FOREACH_NOT_IGNORED(rb) {
2877             pages = ramblock_dirty_bitmap_clear_discarded_pages(rb);
2878             rs->migration_dirty_pages -= pages;
2879     }
2880 }
2881 
2882 static void ram_init_bitmaps(RAMState *rs)
2883 {
2884     /* For memory_global_dirty_log_start below.  */
2885     qemu_mutex_lock_iothread();
2886     qemu_mutex_lock_ramlist();
2887 
2888     WITH_RCU_READ_LOCK_GUARD() {
2889         ram_list_init_bitmaps();
2890         /* We don't use dirty log with background snapshots */
2891         if (!migrate_background_snapshot()) {
2892             memory_global_dirty_log_start(GLOBAL_DIRTY_MIGRATION);
2893             migration_bitmap_sync_precopy(rs, false);
2894         }
2895     }
2896     qemu_mutex_unlock_ramlist();
2897     qemu_mutex_unlock_iothread();
2898 
2899     /*
2900      * After an eventual first bitmap sync, fixup the initial bitmap
2901      * containing all 1s to exclude any discarded pages from migration.
2902      */
2903     migration_bitmap_clear_discarded_pages(rs);
2904 }
2905 
2906 static int ram_init_all(RAMState **rsp)
2907 {
2908     if (ram_state_init(rsp)) {
2909         return -1;
2910     }
2911 
2912     if (xbzrle_init()) {
2913         ram_state_cleanup(rsp);
2914         return -1;
2915     }
2916 
2917     ram_init_bitmaps(*rsp);
2918 
2919     return 0;
2920 }
2921 
2922 static void ram_state_resume_prepare(RAMState *rs, QEMUFile *out)
2923 {
2924     RAMBlock *block;
2925     uint64_t pages = 0;
2926 
2927     /*
2928      * Postcopy is not using xbzrle/compression, so no need for that.
2929      * Also, since source are already halted, we don't need to care
2930      * about dirty page logging as well.
2931      */
2932 
2933     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
2934         pages += bitmap_count_one(block->bmap,
2935                                   block->used_length >> TARGET_PAGE_BITS);
2936     }
2937 
2938     /* This may not be aligned with current bitmaps. Recalculate. */
2939     rs->migration_dirty_pages = pages;
2940 
2941     ram_state_reset(rs);
2942 
2943     /* Update RAMState cache of output QEMUFile */
2944     rs->pss[RAM_CHANNEL_PRECOPY].pss_channel = out;
2945 
2946     trace_ram_state_resume_prepare(pages);
2947 }
2948 
2949 /*
2950  * This function clears bits of the free pages reported by the caller from the
2951  * migration dirty bitmap. @addr is the host address corresponding to the
2952  * start of the continuous guest free pages, and @len is the total bytes of
2953  * those pages.
2954  */
2955 void qemu_guest_free_page_hint(void *addr, size_t len)
2956 {
2957     RAMBlock *block;
2958     ram_addr_t offset;
2959     size_t used_len, start, npages;
2960     MigrationState *s = migrate_get_current();
2961 
2962     /* This function is currently expected to be used during live migration */
2963     if (!migration_is_setup_or_active(s->state)) {
2964         return;
2965     }
2966 
2967     for (; len > 0; len -= used_len, addr += used_len) {
2968         block = qemu_ram_block_from_host(addr, false, &offset);
2969         if (unlikely(!block || offset >= block->used_length)) {
2970             /*
2971              * The implementation might not support RAMBlock resize during
2972              * live migration, but it could happen in theory with future
2973              * updates. So we add a check here to capture that case.
2974              */
2975             error_report_once("%s unexpected error", __func__);
2976             return;
2977         }
2978 
2979         if (len <= block->used_length - offset) {
2980             used_len = len;
2981         } else {
2982             used_len = block->used_length - offset;
2983         }
2984 
2985         start = offset >> TARGET_PAGE_BITS;
2986         npages = used_len >> TARGET_PAGE_BITS;
2987 
2988         qemu_mutex_lock(&ram_state->bitmap_mutex);
2989         /*
2990          * The skipped free pages are equavalent to be sent from clear_bmap's
2991          * perspective, so clear the bits from the memory region bitmap which
2992          * are initially set. Otherwise those skipped pages will be sent in
2993          * the next round after syncing from the memory region bitmap.
2994          */
2995         migration_clear_memory_region_dirty_bitmap_range(block, start, npages);
2996         ram_state->migration_dirty_pages -=
2997                       bitmap_count_one_with_offset(block->bmap, start, npages);
2998         bitmap_clear(block->bmap, start, npages);
2999         qemu_mutex_unlock(&ram_state->bitmap_mutex);
3000     }
3001 }
3002 
3003 /*
3004  * Each of ram_save_setup, ram_save_iterate and ram_save_complete has
3005  * long-running RCU critical section.  When rcu-reclaims in the code
3006  * start to become numerous it will be necessary to reduce the
3007  * granularity of these critical sections.
3008  */
3009 
3010 /**
3011  * ram_save_setup: Setup RAM for migration
3012  *
3013  * Returns zero to indicate success and negative for error
3014  *
3015  * @f: QEMUFile where to send the data
3016  * @opaque: RAMState pointer
3017  */
3018 static int ram_save_setup(QEMUFile *f, void *opaque)
3019 {
3020     RAMState **rsp = opaque;
3021     RAMBlock *block;
3022     int ret;
3023 
3024     if (compress_threads_save_setup()) {
3025         return -1;
3026     }
3027 
3028     /* migration has already setup the bitmap, reuse it. */
3029     if (!migration_in_colo_state()) {
3030         if (ram_init_all(rsp) != 0) {
3031             compress_threads_save_cleanup();
3032             return -1;
3033         }
3034     }
3035     (*rsp)->pss[RAM_CHANNEL_PRECOPY].pss_channel = f;
3036 
3037     WITH_RCU_READ_LOCK_GUARD() {
3038         qemu_put_be64(f, ram_bytes_total_with_ignored()
3039                          | RAM_SAVE_FLAG_MEM_SIZE);
3040 
3041         RAMBLOCK_FOREACH_MIGRATABLE(block) {
3042             qemu_put_byte(f, strlen(block->idstr));
3043             qemu_put_buffer(f, (uint8_t *)block->idstr, strlen(block->idstr));
3044             qemu_put_be64(f, block->used_length);
3045             if (migrate_postcopy_ram() && block->page_size !=
3046                                           qemu_host_page_size) {
3047                 qemu_put_be64(f, block->page_size);
3048             }
3049             if (migrate_ignore_shared()) {
3050                 qemu_put_be64(f, block->mr->addr);
3051             }
3052         }
3053     }
3054 
3055     ram_control_before_iterate(f, RAM_CONTROL_SETUP);
3056     ram_control_after_iterate(f, RAM_CONTROL_SETUP);
3057 
3058     migration_ops = g_malloc0(sizeof(MigrationOps));
3059     migration_ops->ram_save_target_page = ram_save_target_page_legacy;
3060     ret = multifd_send_sync_main(f);
3061     if (ret < 0) {
3062         return ret;
3063     }
3064 
3065     if (!migrate_multifd_flush_after_each_section()) {
3066         qemu_put_be64(f, RAM_SAVE_FLAG_MULTIFD_FLUSH);
3067     }
3068 
3069     qemu_put_be64(f, RAM_SAVE_FLAG_EOS);
3070     qemu_fflush(f);
3071 
3072     return 0;
3073 }
3074 
3075 /**
3076  * ram_save_iterate: iterative stage for migration
3077  *
3078  * Returns zero to indicate success and negative for error
3079  *
3080  * @f: QEMUFile where to send the data
3081  * @opaque: RAMState pointer
3082  */
3083 static int ram_save_iterate(QEMUFile *f, void *opaque)
3084 {
3085     RAMState **temp = opaque;
3086     RAMState *rs = *temp;
3087     int ret = 0;
3088     int i;
3089     int64_t t0;
3090     int done = 0;
3091 
3092     if (blk_mig_bulk_active()) {
3093         /* Avoid transferring ram during bulk phase of block migration as
3094          * the bulk phase will usually take a long time and transferring
3095          * ram updates during that time is pointless. */
3096         goto out;
3097     }
3098 
3099     /*
3100      * We'll take this lock a little bit long, but it's okay for two reasons.
3101      * Firstly, the only possible other thread to take it is who calls
3102      * qemu_guest_free_page_hint(), which should be rare; secondly, see
3103      * MAX_WAIT (if curious, further see commit 4508bd9ed8053ce) below, which
3104      * guarantees that we'll at least released it in a regular basis.
3105      */
3106     qemu_mutex_lock(&rs->bitmap_mutex);
3107     WITH_RCU_READ_LOCK_GUARD() {
3108         if (ram_list.version != rs->last_version) {
3109             ram_state_reset(rs);
3110         }
3111 
3112         /* Read version before ram_list.blocks */
3113         smp_rmb();
3114 
3115         ram_control_before_iterate(f, RAM_CONTROL_ROUND);
3116 
3117         t0 = qemu_clock_get_ns(QEMU_CLOCK_REALTIME);
3118         i = 0;
3119         while ((ret = migration_rate_exceeded(f)) == 0 ||
3120                postcopy_has_request(rs)) {
3121             int pages;
3122 
3123             if (qemu_file_get_error(f)) {
3124                 break;
3125             }
3126 
3127             pages = ram_find_and_save_block(rs);
3128             /* no more pages to sent */
3129             if (pages == 0) {
3130                 done = 1;
3131                 break;
3132             }
3133 
3134             if (pages < 0) {
3135                 qemu_file_set_error(f, pages);
3136                 break;
3137             }
3138 
3139             rs->target_page_count += pages;
3140 
3141             /*
3142              * During postcopy, it is necessary to make sure one whole host
3143              * page is sent in one chunk.
3144              */
3145             if (migrate_postcopy_ram()) {
3146                 ram_flush_compressed_data(rs);
3147             }
3148 
3149             /*
3150              * we want to check in the 1st loop, just in case it was the 1st
3151              * time and we had to sync the dirty bitmap.
3152              * qemu_clock_get_ns() is a bit expensive, so we only check each
3153              * some iterations
3154              */
3155             if ((i & 63) == 0) {
3156                 uint64_t t1 = (qemu_clock_get_ns(QEMU_CLOCK_REALTIME) - t0) /
3157                               1000000;
3158                 if (t1 > MAX_WAIT) {
3159                     trace_ram_save_iterate_big_wait(t1, i);
3160                     break;
3161                 }
3162             }
3163             i++;
3164         }
3165     }
3166     qemu_mutex_unlock(&rs->bitmap_mutex);
3167 
3168     /*
3169      * Must occur before EOS (or any QEMUFile operation)
3170      * because of RDMA protocol.
3171      */
3172     ram_control_after_iterate(f, RAM_CONTROL_ROUND);
3173 
3174 out:
3175     if (ret >= 0
3176         && migration_is_setup_or_active(migrate_get_current()->state)) {
3177         if (migrate_multifd_flush_after_each_section()) {
3178             ret = multifd_send_sync_main(rs->pss[RAM_CHANNEL_PRECOPY].pss_channel);
3179             if (ret < 0) {
3180                 return ret;
3181             }
3182         }
3183 
3184         qemu_put_be64(f, RAM_SAVE_FLAG_EOS);
3185         qemu_fflush(f);
3186         ram_transferred_add(8);
3187 
3188         ret = qemu_file_get_error(f);
3189     }
3190     if (ret < 0) {
3191         return ret;
3192     }
3193 
3194     return done;
3195 }
3196 
3197 /**
3198  * ram_save_complete: function called to send the remaining amount of ram
3199  *
3200  * Returns zero to indicate success or negative on error
3201  *
3202  * Called with iothread lock
3203  *
3204  * @f: QEMUFile where to send the data
3205  * @opaque: RAMState pointer
3206  */
3207 static int ram_save_complete(QEMUFile *f, void *opaque)
3208 {
3209     RAMState **temp = opaque;
3210     RAMState *rs = *temp;
3211     int ret = 0;
3212 
3213     rs->last_stage = !migration_in_colo_state();
3214 
3215     WITH_RCU_READ_LOCK_GUARD() {
3216         if (!migration_in_postcopy()) {
3217             migration_bitmap_sync_precopy(rs, true);
3218         }
3219 
3220         ram_control_before_iterate(f, RAM_CONTROL_FINISH);
3221 
3222         /* try transferring iterative blocks of memory */
3223 
3224         /* flush all remaining blocks regardless of rate limiting */
3225         qemu_mutex_lock(&rs->bitmap_mutex);
3226         while (true) {
3227             int pages;
3228 
3229             pages = ram_find_and_save_block(rs);
3230             /* no more blocks to sent */
3231             if (pages == 0) {
3232                 break;
3233             }
3234             if (pages < 0) {
3235                 ret = pages;
3236                 break;
3237             }
3238         }
3239         qemu_mutex_unlock(&rs->bitmap_mutex);
3240 
3241         ram_flush_compressed_data(rs);
3242         ram_control_after_iterate(f, RAM_CONTROL_FINISH);
3243     }
3244 
3245     if (ret < 0) {
3246         return ret;
3247     }
3248 
3249     ret = multifd_send_sync_main(rs->pss[RAM_CHANNEL_PRECOPY].pss_channel);
3250     if (ret < 0) {
3251         return ret;
3252     }
3253 
3254     if (!migrate_multifd_flush_after_each_section()) {
3255         qemu_put_be64(f, RAM_SAVE_FLAG_MULTIFD_FLUSH);
3256     }
3257     qemu_put_be64(f, RAM_SAVE_FLAG_EOS);
3258     qemu_fflush(f);
3259 
3260     return 0;
3261 }
3262 
3263 static void ram_state_pending_estimate(void *opaque, uint64_t *must_precopy,
3264                                        uint64_t *can_postcopy)
3265 {
3266     RAMState **temp = opaque;
3267     RAMState *rs = *temp;
3268 
3269     uint64_t remaining_size = rs->migration_dirty_pages * TARGET_PAGE_SIZE;
3270 
3271     if (migrate_postcopy_ram()) {
3272         /* We can do postcopy, and all the data is postcopiable */
3273         *can_postcopy += remaining_size;
3274     } else {
3275         *must_precopy += remaining_size;
3276     }
3277 }
3278 
3279 static void ram_state_pending_exact(void *opaque, uint64_t *must_precopy,
3280                                     uint64_t *can_postcopy)
3281 {
3282     MigrationState *s = migrate_get_current();
3283     RAMState **temp = opaque;
3284     RAMState *rs = *temp;
3285 
3286     uint64_t remaining_size = rs->migration_dirty_pages * TARGET_PAGE_SIZE;
3287 
3288     if (!migration_in_postcopy() && remaining_size < s->threshold_size) {
3289         qemu_mutex_lock_iothread();
3290         WITH_RCU_READ_LOCK_GUARD() {
3291             migration_bitmap_sync_precopy(rs, false);
3292         }
3293         qemu_mutex_unlock_iothread();
3294         remaining_size = rs->migration_dirty_pages * TARGET_PAGE_SIZE;
3295     }
3296 
3297     if (migrate_postcopy_ram()) {
3298         /* We can do postcopy, and all the data is postcopiable */
3299         *can_postcopy += remaining_size;
3300     } else {
3301         *must_precopy += remaining_size;
3302     }
3303 }
3304 
3305 static int load_xbzrle(QEMUFile *f, ram_addr_t addr, void *host)
3306 {
3307     unsigned int xh_len;
3308     int xh_flags;
3309     uint8_t *loaded_data;
3310 
3311     /* extract RLE header */
3312     xh_flags = qemu_get_byte(f);
3313     xh_len = qemu_get_be16(f);
3314 
3315     if (xh_flags != ENCODING_FLAG_XBZRLE) {
3316         error_report("Failed to load XBZRLE page - wrong compression!");
3317         return -1;
3318     }
3319 
3320     if (xh_len > TARGET_PAGE_SIZE) {
3321         error_report("Failed to load XBZRLE page - len overflow!");
3322         return -1;
3323     }
3324     loaded_data = XBZRLE.decoded_buf;
3325     /* load data and decode */
3326     /* it can change loaded_data to point to an internal buffer */
3327     qemu_get_buffer_in_place(f, &loaded_data, xh_len);
3328 
3329     /* decode RLE */
3330     if (xbzrle_decode_buffer(loaded_data, xh_len, host,
3331                              TARGET_PAGE_SIZE) == -1) {
3332         error_report("Failed to load XBZRLE page - decode error!");
3333         return -1;
3334     }
3335 
3336     return 0;
3337 }
3338 
3339 /**
3340  * ram_block_from_stream: read a RAMBlock id from the migration stream
3341  *
3342  * Must be called from within a rcu critical section.
3343  *
3344  * Returns a pointer from within the RCU-protected ram_list.
3345  *
3346  * @mis: the migration incoming state pointer
3347  * @f: QEMUFile where to read the data from
3348  * @flags: Page flags (mostly to see if it's a continuation of previous block)
3349  * @channel: the channel we're using
3350  */
3351 static inline RAMBlock *ram_block_from_stream(MigrationIncomingState *mis,
3352                                               QEMUFile *f, int flags,
3353                                               int channel)
3354 {
3355     RAMBlock *block = mis->last_recv_block[channel];
3356     char id[256];
3357     uint8_t len;
3358 
3359     if (flags & RAM_SAVE_FLAG_CONTINUE) {
3360         if (!block) {
3361             error_report("Ack, bad migration stream!");
3362             return NULL;
3363         }
3364         return block;
3365     }
3366 
3367     len = qemu_get_byte(f);
3368     qemu_get_buffer(f, (uint8_t *)id, len);
3369     id[len] = 0;
3370 
3371     block = qemu_ram_block_by_name(id);
3372     if (!block) {
3373         error_report("Can't find block %s", id);
3374         return NULL;
3375     }
3376 
3377     if (ramblock_is_ignored(block)) {
3378         error_report("block %s should not be migrated !", id);
3379         return NULL;
3380     }
3381 
3382     mis->last_recv_block[channel] = block;
3383 
3384     return block;
3385 }
3386 
3387 static inline void *host_from_ram_block_offset(RAMBlock *block,
3388                                                ram_addr_t offset)
3389 {
3390     if (!offset_in_ramblock(block, offset)) {
3391         return NULL;
3392     }
3393 
3394     return block->host + offset;
3395 }
3396 
3397 static void *host_page_from_ram_block_offset(RAMBlock *block,
3398                                              ram_addr_t offset)
3399 {
3400     /* Note: Explicitly no check against offset_in_ramblock(). */
3401     return (void *)QEMU_ALIGN_DOWN((uintptr_t)(block->host + offset),
3402                                    block->page_size);
3403 }
3404 
3405 static ram_addr_t host_page_offset_from_ram_block_offset(RAMBlock *block,
3406                                                          ram_addr_t offset)
3407 {
3408     return ((uintptr_t)block->host + offset) & (block->page_size - 1);
3409 }
3410 
3411 void colo_record_bitmap(RAMBlock *block, ram_addr_t *normal, uint32_t pages)
3412 {
3413     qemu_mutex_lock(&ram_state->bitmap_mutex);
3414     for (int i = 0; i < pages; i++) {
3415         ram_addr_t offset = normal[i];
3416         ram_state->migration_dirty_pages += !test_and_set_bit(
3417                                                 offset >> TARGET_PAGE_BITS,
3418                                                 block->bmap);
3419     }
3420     qemu_mutex_unlock(&ram_state->bitmap_mutex);
3421 }
3422 
3423 static inline void *colo_cache_from_block_offset(RAMBlock *block,
3424                              ram_addr_t offset, bool record_bitmap)
3425 {
3426     if (!offset_in_ramblock(block, offset)) {
3427         return NULL;
3428     }
3429     if (!block->colo_cache) {
3430         error_report("%s: colo_cache is NULL in block :%s",
3431                      __func__, block->idstr);
3432         return NULL;
3433     }
3434 
3435     /*
3436     * During colo checkpoint, we need bitmap of these migrated pages.
3437     * It help us to decide which pages in ram cache should be flushed
3438     * into VM's RAM later.
3439     */
3440     if (record_bitmap) {
3441         colo_record_bitmap(block, &offset, 1);
3442     }
3443     return block->colo_cache + offset;
3444 }
3445 
3446 /**
3447  * ram_handle_compressed: handle the zero page case
3448  *
3449  * If a page (or a whole RDMA chunk) has been
3450  * determined to be zero, then zap it.
3451  *
3452  * @host: host address for the zero page
3453  * @ch: what the page is filled from.  We only support zero
3454  * @size: size of the zero page
3455  */
3456 void ram_handle_compressed(void *host, uint8_t ch, uint64_t size)
3457 {
3458     if (ch != 0 || !buffer_is_zero(host, size)) {
3459         memset(host, ch, size);
3460     }
3461 }
3462 
3463 static void colo_init_ram_state(void)
3464 {
3465     ram_state_init(&ram_state);
3466 }
3467 
3468 /*
3469  * colo cache: this is for secondary VM, we cache the whole
3470  * memory of the secondary VM, it is need to hold the global lock
3471  * to call this helper.
3472  */
3473 int colo_init_ram_cache(void)
3474 {
3475     RAMBlock *block;
3476 
3477     WITH_RCU_READ_LOCK_GUARD() {
3478         RAMBLOCK_FOREACH_NOT_IGNORED(block) {
3479             block->colo_cache = qemu_anon_ram_alloc(block->used_length,
3480                                                     NULL, false, false);
3481             if (!block->colo_cache) {
3482                 error_report("%s: Can't alloc memory for COLO cache of block %s,"
3483                              "size 0x" RAM_ADDR_FMT, __func__, block->idstr,
3484                              block->used_length);
3485                 RAMBLOCK_FOREACH_NOT_IGNORED(block) {
3486                     if (block->colo_cache) {
3487                         qemu_anon_ram_free(block->colo_cache, block->used_length);
3488                         block->colo_cache = NULL;
3489                     }
3490                 }
3491                 return -errno;
3492             }
3493             if (!machine_dump_guest_core(current_machine)) {
3494                 qemu_madvise(block->colo_cache, block->used_length,
3495                              QEMU_MADV_DONTDUMP);
3496             }
3497         }
3498     }
3499 
3500     /*
3501     * Record the dirty pages that sent by PVM, we use this dirty bitmap together
3502     * with to decide which page in cache should be flushed into SVM's RAM. Here
3503     * we use the same name 'ram_bitmap' as for migration.
3504     */
3505     if (ram_bytes_total()) {
3506         RAMBlock *block;
3507 
3508         RAMBLOCK_FOREACH_NOT_IGNORED(block) {
3509             unsigned long pages = block->max_length >> TARGET_PAGE_BITS;
3510             block->bmap = bitmap_new(pages);
3511         }
3512     }
3513 
3514     colo_init_ram_state();
3515     return 0;
3516 }
3517 
3518 /* TODO: duplicated with ram_init_bitmaps */
3519 void colo_incoming_start_dirty_log(void)
3520 {
3521     RAMBlock *block = NULL;
3522     /* For memory_global_dirty_log_start below. */
3523     qemu_mutex_lock_iothread();
3524     qemu_mutex_lock_ramlist();
3525 
3526     memory_global_dirty_log_sync(false);
3527     WITH_RCU_READ_LOCK_GUARD() {
3528         RAMBLOCK_FOREACH_NOT_IGNORED(block) {
3529             ramblock_sync_dirty_bitmap(ram_state, block);
3530             /* Discard this dirty bitmap record */
3531             bitmap_zero(block->bmap, block->max_length >> TARGET_PAGE_BITS);
3532         }
3533         memory_global_dirty_log_start(GLOBAL_DIRTY_MIGRATION);
3534     }
3535     ram_state->migration_dirty_pages = 0;
3536     qemu_mutex_unlock_ramlist();
3537     qemu_mutex_unlock_iothread();
3538 }
3539 
3540 /* It is need to hold the global lock to call this helper */
3541 void colo_release_ram_cache(void)
3542 {
3543     RAMBlock *block;
3544 
3545     memory_global_dirty_log_stop(GLOBAL_DIRTY_MIGRATION);
3546     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
3547         g_free(block->bmap);
3548         block->bmap = NULL;
3549     }
3550 
3551     WITH_RCU_READ_LOCK_GUARD() {
3552         RAMBLOCK_FOREACH_NOT_IGNORED(block) {
3553             if (block->colo_cache) {
3554                 qemu_anon_ram_free(block->colo_cache, block->used_length);
3555                 block->colo_cache = NULL;
3556             }
3557         }
3558     }
3559     ram_state_cleanup(&ram_state);
3560 }
3561 
3562 /**
3563  * ram_load_setup: Setup RAM for migration incoming side
3564  *
3565  * Returns zero to indicate success and negative for error
3566  *
3567  * @f: QEMUFile where to receive the data
3568  * @opaque: RAMState pointer
3569  */
3570 static int ram_load_setup(QEMUFile *f, void *opaque)
3571 {
3572     xbzrle_load_setup();
3573     ramblock_recv_map_init();
3574 
3575     return 0;
3576 }
3577 
3578 static int ram_load_cleanup(void *opaque)
3579 {
3580     RAMBlock *rb;
3581 
3582     RAMBLOCK_FOREACH_NOT_IGNORED(rb) {
3583         qemu_ram_block_writeback(rb);
3584     }
3585 
3586     xbzrle_load_cleanup();
3587 
3588     RAMBLOCK_FOREACH_NOT_IGNORED(rb) {
3589         g_free(rb->receivedmap);
3590         rb->receivedmap = NULL;
3591     }
3592 
3593     return 0;
3594 }
3595 
3596 /**
3597  * ram_postcopy_incoming_init: allocate postcopy data structures
3598  *
3599  * Returns 0 for success and negative if there was one error
3600  *
3601  * @mis: current migration incoming state
3602  *
3603  * Allocate data structures etc needed by incoming migration with
3604  * postcopy-ram. postcopy-ram's similarly names
3605  * postcopy_ram_incoming_init does the work.
3606  */
3607 int ram_postcopy_incoming_init(MigrationIncomingState *mis)
3608 {
3609     return postcopy_ram_incoming_init(mis);
3610 }
3611 
3612 /**
3613  * ram_load_postcopy: load a page in postcopy case
3614  *
3615  * Returns 0 for success or -errno in case of error
3616  *
3617  * Called in postcopy mode by ram_load().
3618  * rcu_read_lock is taken prior to this being called.
3619  *
3620  * @f: QEMUFile where to send the data
3621  * @channel: the channel to use for loading
3622  */
3623 int ram_load_postcopy(QEMUFile *f, int channel)
3624 {
3625     int flags = 0, ret = 0;
3626     bool place_needed = false;
3627     bool matches_target_page_size = false;
3628     MigrationIncomingState *mis = migration_incoming_get_current();
3629     PostcopyTmpPage *tmp_page = &mis->postcopy_tmp_pages[channel];
3630 
3631     while (!ret && !(flags & RAM_SAVE_FLAG_EOS)) {
3632         ram_addr_t addr;
3633         void *page_buffer = NULL;
3634         void *place_source = NULL;
3635         RAMBlock *block = NULL;
3636         uint8_t ch;
3637         int len;
3638 
3639         addr = qemu_get_be64(f);
3640 
3641         /*
3642          * If qemu file error, we should stop here, and then "addr"
3643          * may be invalid
3644          */
3645         ret = qemu_file_get_error(f);
3646         if (ret) {
3647             break;
3648         }
3649 
3650         flags = addr & ~TARGET_PAGE_MASK;
3651         addr &= TARGET_PAGE_MASK;
3652 
3653         trace_ram_load_postcopy_loop(channel, (uint64_t)addr, flags);
3654         if (flags & (RAM_SAVE_FLAG_ZERO | RAM_SAVE_FLAG_PAGE |
3655                      RAM_SAVE_FLAG_COMPRESS_PAGE)) {
3656             block = ram_block_from_stream(mis, f, flags, channel);
3657             if (!block) {
3658                 ret = -EINVAL;
3659                 break;
3660             }
3661 
3662             /*
3663              * Relying on used_length is racy and can result in false positives.
3664              * We might place pages beyond used_length in case RAM was shrunk
3665              * while in postcopy, which is fine - trying to place via
3666              * UFFDIO_COPY/UFFDIO_ZEROPAGE will never segfault.
3667              */
3668             if (!block->host || addr >= block->postcopy_length) {
3669                 error_report("Illegal RAM offset " RAM_ADDR_FMT, addr);
3670                 ret = -EINVAL;
3671                 break;
3672             }
3673             tmp_page->target_pages++;
3674             matches_target_page_size = block->page_size == TARGET_PAGE_SIZE;
3675             /*
3676              * Postcopy requires that we place whole host pages atomically;
3677              * these may be huge pages for RAMBlocks that are backed by
3678              * hugetlbfs.
3679              * To make it atomic, the data is read into a temporary page
3680              * that's moved into place later.
3681              * The migration protocol uses,  possibly smaller, target-pages
3682              * however the source ensures it always sends all the components
3683              * of a host page in one chunk.
3684              */
3685             page_buffer = tmp_page->tmp_huge_page +
3686                           host_page_offset_from_ram_block_offset(block, addr);
3687             /* If all TP are zero then we can optimise the place */
3688             if (tmp_page->target_pages == 1) {
3689                 tmp_page->host_addr =
3690                     host_page_from_ram_block_offset(block, addr);
3691             } else if (tmp_page->host_addr !=
3692                        host_page_from_ram_block_offset(block, addr)) {
3693                 /* not the 1st TP within the HP */
3694                 error_report("Non-same host page detected on channel %d: "
3695                              "Target host page %p, received host page %p "
3696                              "(rb %s offset 0x"RAM_ADDR_FMT" target_pages %d)",
3697                              channel, tmp_page->host_addr,
3698                              host_page_from_ram_block_offset(block, addr),
3699                              block->idstr, addr, tmp_page->target_pages);
3700                 ret = -EINVAL;
3701                 break;
3702             }
3703 
3704             /*
3705              * If it's the last part of a host page then we place the host
3706              * page
3707              */
3708             if (tmp_page->target_pages ==
3709                 (block->page_size / TARGET_PAGE_SIZE)) {
3710                 place_needed = true;
3711             }
3712             place_source = tmp_page->tmp_huge_page;
3713         }
3714 
3715         switch (flags & ~RAM_SAVE_FLAG_CONTINUE) {
3716         case RAM_SAVE_FLAG_ZERO:
3717             ch = qemu_get_byte(f);
3718             /*
3719              * Can skip to set page_buffer when
3720              * this is a zero page and (block->page_size == TARGET_PAGE_SIZE).
3721              */
3722             if (ch || !matches_target_page_size) {
3723                 memset(page_buffer, ch, TARGET_PAGE_SIZE);
3724             }
3725             if (ch) {
3726                 tmp_page->all_zero = false;
3727             }
3728             break;
3729 
3730         case RAM_SAVE_FLAG_PAGE:
3731             tmp_page->all_zero = false;
3732             if (!matches_target_page_size) {
3733                 /* For huge pages, we always use temporary buffer */
3734                 qemu_get_buffer(f, page_buffer, TARGET_PAGE_SIZE);
3735             } else {
3736                 /*
3737                  * For small pages that matches target page size, we
3738                  * avoid the qemu_file copy.  Instead we directly use
3739                  * the buffer of QEMUFile to place the page.  Note: we
3740                  * cannot do any QEMUFile operation before using that
3741                  * buffer to make sure the buffer is valid when
3742                  * placing the page.
3743                  */
3744                 qemu_get_buffer_in_place(f, (uint8_t **)&place_source,
3745                                          TARGET_PAGE_SIZE);
3746             }
3747             break;
3748         case RAM_SAVE_FLAG_COMPRESS_PAGE:
3749             tmp_page->all_zero = false;
3750             len = qemu_get_be32(f);
3751             if (len < 0 || len > compressBound(TARGET_PAGE_SIZE)) {
3752                 error_report("Invalid compressed data length: %d", len);
3753                 ret = -EINVAL;
3754                 break;
3755             }
3756             decompress_data_with_multi_threads(f, page_buffer, len);
3757             break;
3758         case RAM_SAVE_FLAG_MULTIFD_FLUSH:
3759             multifd_recv_sync_main();
3760             break;
3761         case RAM_SAVE_FLAG_EOS:
3762             /* normal exit */
3763             if (migrate_multifd_flush_after_each_section()) {
3764                 multifd_recv_sync_main();
3765             }
3766             break;
3767         default:
3768             error_report("Unknown combination of migration flags: 0x%x"
3769                          " (postcopy mode)", flags);
3770             ret = -EINVAL;
3771             break;
3772         }
3773 
3774         /* Got the whole host page, wait for decompress before placing. */
3775         if (place_needed) {
3776             ret |= wait_for_decompress_done();
3777         }
3778 
3779         /* Detect for any possible file errors */
3780         if (!ret && qemu_file_get_error(f)) {
3781             ret = qemu_file_get_error(f);
3782         }
3783 
3784         if (!ret && place_needed) {
3785             if (tmp_page->all_zero) {
3786                 ret = postcopy_place_page_zero(mis, tmp_page->host_addr, block);
3787             } else {
3788                 ret = postcopy_place_page(mis, tmp_page->host_addr,
3789                                           place_source, block);
3790             }
3791             place_needed = false;
3792             postcopy_temp_page_reset(tmp_page);
3793         }
3794     }
3795 
3796     return ret;
3797 }
3798 
3799 static bool postcopy_is_running(void)
3800 {
3801     PostcopyState ps = postcopy_state_get();
3802     return ps >= POSTCOPY_INCOMING_LISTENING && ps < POSTCOPY_INCOMING_END;
3803 }
3804 
3805 /*
3806  * Flush content of RAM cache into SVM's memory.
3807  * Only flush the pages that be dirtied by PVM or SVM or both.
3808  */
3809 void colo_flush_ram_cache(void)
3810 {
3811     RAMBlock *block = NULL;
3812     void *dst_host;
3813     void *src_host;
3814     unsigned long offset = 0;
3815 
3816     memory_global_dirty_log_sync(false);
3817     qemu_mutex_lock(&ram_state->bitmap_mutex);
3818     WITH_RCU_READ_LOCK_GUARD() {
3819         RAMBLOCK_FOREACH_NOT_IGNORED(block) {
3820             ramblock_sync_dirty_bitmap(ram_state, block);
3821         }
3822     }
3823 
3824     trace_colo_flush_ram_cache_begin(ram_state->migration_dirty_pages);
3825     WITH_RCU_READ_LOCK_GUARD() {
3826         block = QLIST_FIRST_RCU(&ram_list.blocks);
3827 
3828         while (block) {
3829             unsigned long num = 0;
3830 
3831             offset = colo_bitmap_find_dirty(ram_state, block, offset, &num);
3832             if (!offset_in_ramblock(block,
3833                                     ((ram_addr_t)offset) << TARGET_PAGE_BITS)) {
3834                 offset = 0;
3835                 num = 0;
3836                 block = QLIST_NEXT_RCU(block, next);
3837             } else {
3838                 unsigned long i = 0;
3839 
3840                 for (i = 0; i < num; i++) {
3841                     migration_bitmap_clear_dirty(ram_state, block, offset + i);
3842                 }
3843                 dst_host = block->host
3844                          + (((ram_addr_t)offset) << TARGET_PAGE_BITS);
3845                 src_host = block->colo_cache
3846                          + (((ram_addr_t)offset) << TARGET_PAGE_BITS);
3847                 memcpy(dst_host, src_host, TARGET_PAGE_SIZE * num);
3848                 offset += num;
3849             }
3850         }
3851     }
3852     qemu_mutex_unlock(&ram_state->bitmap_mutex);
3853     trace_colo_flush_ram_cache_end();
3854 }
3855 
3856 /**
3857  * ram_load_precopy: load pages in precopy case
3858  *
3859  * Returns 0 for success or -errno in case of error
3860  *
3861  * Called in precopy mode by ram_load().
3862  * rcu_read_lock is taken prior to this being called.
3863  *
3864  * @f: QEMUFile where to send the data
3865  */
3866 static int ram_load_precopy(QEMUFile *f)
3867 {
3868     MigrationIncomingState *mis = migration_incoming_get_current();
3869     int flags = 0, ret = 0, invalid_flags = 0, len = 0, i = 0;
3870     /* ADVISE is earlier, it shows the source has the postcopy capability on */
3871     bool postcopy_advised = migration_incoming_postcopy_advised();
3872     if (!migrate_compress()) {
3873         invalid_flags |= RAM_SAVE_FLAG_COMPRESS_PAGE;
3874     }
3875 
3876     while (!ret && !(flags & RAM_SAVE_FLAG_EOS)) {
3877         ram_addr_t addr, total_ram_bytes;
3878         void *host = NULL, *host_bak = NULL;
3879         uint8_t ch;
3880 
3881         /*
3882          * Yield periodically to let main loop run, but an iteration of
3883          * the main loop is expensive, so do it each some iterations
3884          */
3885         if ((i & 32767) == 0 && qemu_in_coroutine()) {
3886             aio_co_schedule(qemu_get_current_aio_context(),
3887                             qemu_coroutine_self());
3888             qemu_coroutine_yield();
3889         }
3890         i++;
3891 
3892         addr = qemu_get_be64(f);
3893         flags = addr & ~TARGET_PAGE_MASK;
3894         addr &= TARGET_PAGE_MASK;
3895 
3896         if (flags & invalid_flags) {
3897             if (flags & invalid_flags & RAM_SAVE_FLAG_COMPRESS_PAGE) {
3898                 error_report("Received an unexpected compressed page");
3899             }
3900 
3901             ret = -EINVAL;
3902             break;
3903         }
3904 
3905         if (flags & (RAM_SAVE_FLAG_ZERO | RAM_SAVE_FLAG_PAGE |
3906                      RAM_SAVE_FLAG_COMPRESS_PAGE | RAM_SAVE_FLAG_XBZRLE)) {
3907             RAMBlock *block = ram_block_from_stream(mis, f, flags,
3908                                                     RAM_CHANNEL_PRECOPY);
3909 
3910             host = host_from_ram_block_offset(block, addr);
3911             /*
3912              * After going into COLO stage, we should not load the page
3913              * into SVM's memory directly, we put them into colo_cache firstly.
3914              * NOTE: We need to keep a copy of SVM's ram in colo_cache.
3915              * Previously, we copied all these memory in preparing stage of COLO
3916              * while we need to stop VM, which is a time-consuming process.
3917              * Here we optimize it by a trick, back-up every page while in
3918              * migration process while COLO is enabled, though it affects the
3919              * speed of the migration, but it obviously reduce the downtime of
3920              * back-up all SVM'S memory in COLO preparing stage.
3921              */
3922             if (migration_incoming_colo_enabled()) {
3923                 if (migration_incoming_in_colo_state()) {
3924                     /* In COLO stage, put all pages into cache temporarily */
3925                     host = colo_cache_from_block_offset(block, addr, true);
3926                 } else {
3927                    /*
3928                     * In migration stage but before COLO stage,
3929                     * Put all pages into both cache and SVM's memory.
3930                     */
3931                     host_bak = colo_cache_from_block_offset(block, addr, false);
3932                 }
3933             }
3934             if (!host) {
3935                 error_report("Illegal RAM offset " RAM_ADDR_FMT, addr);
3936                 ret = -EINVAL;
3937                 break;
3938             }
3939             if (!migration_incoming_in_colo_state()) {
3940                 ramblock_recv_bitmap_set(block, host);
3941             }
3942 
3943             trace_ram_load_loop(block->idstr, (uint64_t)addr, flags, host);
3944         }
3945 
3946         switch (flags & ~RAM_SAVE_FLAG_CONTINUE) {
3947         case RAM_SAVE_FLAG_MEM_SIZE:
3948             /* Synchronize RAM block list */
3949             total_ram_bytes = addr;
3950             while (!ret && total_ram_bytes) {
3951                 RAMBlock *block;
3952                 char id[256];
3953                 ram_addr_t length;
3954 
3955                 len = qemu_get_byte(f);
3956                 qemu_get_buffer(f, (uint8_t *)id, len);
3957                 id[len] = 0;
3958                 length = qemu_get_be64(f);
3959 
3960                 block = qemu_ram_block_by_name(id);
3961                 if (block && !qemu_ram_is_migratable(block)) {
3962                     error_report("block %s should not be migrated !", id);
3963                     ret = -EINVAL;
3964                 } else if (block) {
3965                     if (length != block->used_length) {
3966                         Error *local_err = NULL;
3967 
3968                         ret = qemu_ram_resize(block, length,
3969                                               &local_err);
3970                         if (local_err) {
3971                             error_report_err(local_err);
3972                         }
3973                     }
3974                     /* For postcopy we need to check hugepage sizes match */
3975                     if (postcopy_advised && migrate_postcopy_ram() &&
3976                         block->page_size != qemu_host_page_size) {
3977                         uint64_t remote_page_size = qemu_get_be64(f);
3978                         if (remote_page_size != block->page_size) {
3979                             error_report("Mismatched RAM page size %s "
3980                                          "(local) %zd != %" PRId64,
3981                                          id, block->page_size,
3982                                          remote_page_size);
3983                             ret = -EINVAL;
3984                         }
3985                     }
3986                     if (migrate_ignore_shared()) {
3987                         hwaddr addr = qemu_get_be64(f);
3988                         if (ramblock_is_ignored(block) &&
3989                             block->mr->addr != addr) {
3990                             error_report("Mismatched GPAs for block %s "
3991                                          "%" PRId64 "!= %" PRId64,
3992                                          id, (uint64_t)addr,
3993                                          (uint64_t)block->mr->addr);
3994                             ret = -EINVAL;
3995                         }
3996                     }
3997                     ram_control_load_hook(f, RAM_CONTROL_BLOCK_REG,
3998                                           block->idstr);
3999                 } else {
4000                     error_report("Unknown ramblock \"%s\", cannot "
4001                                  "accept migration", id);
4002                     ret = -EINVAL;
4003                 }
4004 
4005                 total_ram_bytes -= length;
4006             }
4007             break;
4008 
4009         case RAM_SAVE_FLAG_ZERO:
4010             ch = qemu_get_byte(f);
4011             ram_handle_compressed(host, ch, TARGET_PAGE_SIZE);
4012             break;
4013 
4014         case RAM_SAVE_FLAG_PAGE:
4015             qemu_get_buffer(f, host, TARGET_PAGE_SIZE);
4016             break;
4017 
4018         case RAM_SAVE_FLAG_COMPRESS_PAGE:
4019             len = qemu_get_be32(f);
4020             if (len < 0 || len > compressBound(TARGET_PAGE_SIZE)) {
4021                 error_report("Invalid compressed data length: %d", len);
4022                 ret = -EINVAL;
4023                 break;
4024             }
4025             decompress_data_with_multi_threads(f, host, len);
4026             break;
4027 
4028         case RAM_SAVE_FLAG_XBZRLE:
4029             if (load_xbzrle(f, addr, host) < 0) {
4030                 error_report("Failed to decompress XBZRLE page at "
4031                              RAM_ADDR_FMT, addr);
4032                 ret = -EINVAL;
4033                 break;
4034             }
4035             break;
4036         case RAM_SAVE_FLAG_MULTIFD_FLUSH:
4037             multifd_recv_sync_main();
4038             break;
4039         case RAM_SAVE_FLAG_EOS:
4040             /* normal exit */
4041             if (migrate_multifd_flush_after_each_section()) {
4042                 multifd_recv_sync_main();
4043             }
4044             break;
4045         case RAM_SAVE_FLAG_HOOK:
4046             ram_control_load_hook(f, RAM_CONTROL_HOOK, NULL);
4047             break;
4048         default:
4049             error_report("Unknown combination of migration flags: 0x%x", flags);
4050             ret = -EINVAL;
4051         }
4052         if (!ret) {
4053             ret = qemu_file_get_error(f);
4054         }
4055         if (!ret && host_bak) {
4056             memcpy(host_bak, host, TARGET_PAGE_SIZE);
4057         }
4058     }
4059 
4060     ret |= wait_for_decompress_done();
4061     return ret;
4062 }
4063 
4064 static int ram_load(QEMUFile *f, void *opaque, int version_id)
4065 {
4066     int ret = 0;
4067     static uint64_t seq_iter;
4068     /*
4069      * If system is running in postcopy mode, page inserts to host memory must
4070      * be atomic
4071      */
4072     bool postcopy_running = postcopy_is_running();
4073 
4074     seq_iter++;
4075 
4076     if (version_id != 4) {
4077         return -EINVAL;
4078     }
4079 
4080     /*
4081      * This RCU critical section can be very long running.
4082      * When RCU reclaims in the code start to become numerous,
4083      * it will be necessary to reduce the granularity of this
4084      * critical section.
4085      */
4086     WITH_RCU_READ_LOCK_GUARD() {
4087         if (postcopy_running) {
4088             /*
4089              * Note!  Here RAM_CHANNEL_PRECOPY is the precopy channel of
4090              * postcopy migration, we have another RAM_CHANNEL_POSTCOPY to
4091              * service fast page faults.
4092              */
4093             ret = ram_load_postcopy(f, RAM_CHANNEL_PRECOPY);
4094         } else {
4095             ret = ram_load_precopy(f);
4096         }
4097     }
4098     trace_ram_load_complete(ret, seq_iter);
4099 
4100     return ret;
4101 }
4102 
4103 static bool ram_has_postcopy(void *opaque)
4104 {
4105     RAMBlock *rb;
4106     RAMBLOCK_FOREACH_NOT_IGNORED(rb) {
4107         if (ramblock_is_pmem(rb)) {
4108             info_report("Block: %s, host: %p is a nvdimm memory, postcopy"
4109                          "is not supported now!", rb->idstr, rb->host);
4110             return false;
4111         }
4112     }
4113 
4114     return migrate_postcopy_ram();
4115 }
4116 
4117 /* Sync all the dirty bitmap with destination VM.  */
4118 static int ram_dirty_bitmap_sync_all(MigrationState *s, RAMState *rs)
4119 {
4120     RAMBlock *block;
4121     QEMUFile *file = s->to_dst_file;
4122     int ramblock_count = 0;
4123 
4124     trace_ram_dirty_bitmap_sync_start();
4125 
4126     RAMBLOCK_FOREACH_NOT_IGNORED(block) {
4127         qemu_savevm_send_recv_bitmap(file, block->idstr);
4128         trace_ram_dirty_bitmap_request(block->idstr);
4129         ramblock_count++;
4130     }
4131 
4132     trace_ram_dirty_bitmap_sync_wait();
4133 
4134     /* Wait until all the ramblocks' dirty bitmap synced */
4135     while (ramblock_count--) {
4136         qemu_sem_wait(&s->rp_state.rp_sem);
4137     }
4138 
4139     trace_ram_dirty_bitmap_sync_complete();
4140 
4141     return 0;
4142 }
4143 
4144 static void ram_dirty_bitmap_reload_notify(MigrationState *s)
4145 {
4146     qemu_sem_post(&s->rp_state.rp_sem);
4147 }
4148 
4149 /*
4150  * Read the received bitmap, revert it as the initial dirty bitmap.
4151  * This is only used when the postcopy migration is paused but wants
4152  * to resume from a middle point.
4153  */
4154 int ram_dirty_bitmap_reload(MigrationState *s, RAMBlock *block)
4155 {
4156     int ret = -EINVAL;
4157     /* from_dst_file is always valid because we're within rp_thread */
4158     QEMUFile *file = s->rp_state.from_dst_file;
4159     unsigned long *le_bitmap, nbits = block->used_length >> TARGET_PAGE_BITS;
4160     uint64_t local_size = DIV_ROUND_UP(nbits, 8);
4161     uint64_t size, end_mark;
4162 
4163     trace_ram_dirty_bitmap_reload_begin(block->idstr);
4164 
4165     if (s->state != MIGRATION_STATUS_POSTCOPY_RECOVER) {
4166         error_report("%s: incorrect state %s", __func__,
4167                      MigrationStatus_str(s->state));
4168         return -EINVAL;
4169     }
4170 
4171     /*
4172      * Note: see comments in ramblock_recv_bitmap_send() on why we
4173      * need the endianness conversion, and the paddings.
4174      */
4175     local_size = ROUND_UP(local_size, 8);
4176 
4177     /* Add paddings */
4178     le_bitmap = bitmap_new(nbits + BITS_PER_LONG);
4179 
4180     size = qemu_get_be64(file);
4181 
4182     /* The size of the bitmap should match with our ramblock */
4183     if (size != local_size) {
4184         error_report("%s: ramblock '%s' bitmap size mismatch "
4185                      "(0x%"PRIx64" != 0x%"PRIx64")", __func__,
4186                      block->idstr, size, local_size);
4187         ret = -EINVAL;
4188         goto out;
4189     }
4190 
4191     size = qemu_get_buffer(file, (uint8_t *)le_bitmap, local_size);
4192     end_mark = qemu_get_be64(file);
4193 
4194     ret = qemu_file_get_error(file);
4195     if (ret || size != local_size) {
4196         error_report("%s: read bitmap failed for ramblock '%s': %d"
4197                      " (size 0x%"PRIx64", got: 0x%"PRIx64")",
4198                      __func__, block->idstr, ret, local_size, size);
4199         ret = -EIO;
4200         goto out;
4201     }
4202 
4203     if (end_mark != RAMBLOCK_RECV_BITMAP_ENDING) {
4204         error_report("%s: ramblock '%s' end mark incorrect: 0x%"PRIx64,
4205                      __func__, block->idstr, end_mark);
4206         ret = -EINVAL;
4207         goto out;
4208     }
4209 
4210     /*
4211      * Endianness conversion. We are during postcopy (though paused).
4212      * The dirty bitmap won't change. We can directly modify it.
4213      */
4214     bitmap_from_le(block->bmap, le_bitmap, nbits);
4215 
4216     /*
4217      * What we received is "received bitmap". Revert it as the initial
4218      * dirty bitmap for this ramblock.
4219      */
4220     bitmap_complement(block->bmap, block->bmap, nbits);
4221 
4222     /* Clear dirty bits of discarded ranges that we don't want to migrate. */
4223     ramblock_dirty_bitmap_clear_discarded_pages(block);
4224 
4225     /* We'll recalculate migration_dirty_pages in ram_state_resume_prepare(). */
4226     trace_ram_dirty_bitmap_reload_complete(block->idstr);
4227 
4228     /*
4229      * We succeeded to sync bitmap for current ramblock. If this is
4230      * the last one to sync, we need to notify the main send thread.
4231      */
4232     ram_dirty_bitmap_reload_notify(s);
4233 
4234     ret = 0;
4235 out:
4236     g_free(le_bitmap);
4237     return ret;
4238 }
4239 
4240 static int ram_resume_prepare(MigrationState *s, void *opaque)
4241 {
4242     RAMState *rs = *(RAMState **)opaque;
4243     int ret;
4244 
4245     ret = ram_dirty_bitmap_sync_all(s, rs);
4246     if (ret) {
4247         return ret;
4248     }
4249 
4250     ram_state_resume_prepare(rs, s->to_dst_file);
4251 
4252     return 0;
4253 }
4254 
4255 void postcopy_preempt_shutdown_file(MigrationState *s)
4256 {
4257     qemu_put_be64(s->postcopy_qemufile_src, RAM_SAVE_FLAG_EOS);
4258     qemu_fflush(s->postcopy_qemufile_src);
4259 }
4260 
4261 static SaveVMHandlers savevm_ram_handlers = {
4262     .save_setup = ram_save_setup,
4263     .save_live_iterate = ram_save_iterate,
4264     .save_live_complete_postcopy = ram_save_complete,
4265     .save_live_complete_precopy = ram_save_complete,
4266     .has_postcopy = ram_has_postcopy,
4267     .state_pending_exact = ram_state_pending_exact,
4268     .state_pending_estimate = ram_state_pending_estimate,
4269     .load_state = ram_load,
4270     .save_cleanup = ram_save_cleanup,
4271     .load_setup = ram_load_setup,
4272     .load_cleanup = ram_load_cleanup,
4273     .resume_prepare = ram_resume_prepare,
4274 };
4275 
4276 static void ram_mig_ram_block_resized(RAMBlockNotifier *n, void *host,
4277                                       size_t old_size, size_t new_size)
4278 {
4279     PostcopyState ps = postcopy_state_get();
4280     ram_addr_t offset;
4281     RAMBlock *rb = qemu_ram_block_from_host(host, false, &offset);
4282     Error *err = NULL;
4283 
4284     if (ramblock_is_ignored(rb)) {
4285         return;
4286     }
4287 
4288     if (!migration_is_idle()) {
4289         /*
4290          * Precopy code on the source cannot deal with the size of RAM blocks
4291          * changing at random points in time - especially after sending the
4292          * RAM block sizes in the migration stream, they must no longer change.
4293          * Abort and indicate a proper reason.
4294          */
4295         error_setg(&err, "RAM block '%s' resized during precopy.", rb->idstr);
4296         migration_cancel(err);
4297         error_free(err);
4298     }
4299 
4300     switch (ps) {
4301     case POSTCOPY_INCOMING_ADVISE:
4302         /*
4303          * Update what ram_postcopy_incoming_init()->init_range() does at the
4304          * time postcopy was advised. Syncing RAM blocks with the source will
4305          * result in RAM resizes.
4306          */
4307         if (old_size < new_size) {
4308             if (ram_discard_range(rb->idstr, old_size, new_size - old_size)) {
4309                 error_report("RAM block '%s' discard of resized RAM failed",
4310                              rb->idstr);
4311             }
4312         }
4313         rb->postcopy_length = new_size;
4314         break;
4315     case POSTCOPY_INCOMING_NONE:
4316     case POSTCOPY_INCOMING_RUNNING:
4317     case POSTCOPY_INCOMING_END:
4318         /*
4319          * Once our guest is running, postcopy does no longer care about
4320          * resizes. When growing, the new memory was not available on the
4321          * source, no handler needed.
4322          */
4323         break;
4324     default:
4325         error_report("RAM block '%s' resized during postcopy state: %d",
4326                      rb->idstr, ps);
4327         exit(-1);
4328     }
4329 }
4330 
4331 static RAMBlockNotifier ram_mig_ram_notifier = {
4332     .ram_block_resized = ram_mig_ram_block_resized,
4333 };
4334 
4335 void ram_mig_init(void)
4336 {
4337     qemu_mutex_init(&XBZRLE.lock);
4338     register_savevm_live("ram", 0, 4, &savevm_ram_handlers, &ram_state);
4339     ram_block_notifier_add(&ram_mig_ram_notifier);
4340 }
4341