Series comparison

-[PATCH RFC 00/11] migration/block: disk activation rewrite
+[PATCH v2 0/6] migration/block: disk activation rewrite
+CI: https://gitlab.com/peterx/qemu/-/pipelines/1577280033
+ (note: it's a pipeline of two patchsets, to save CI credits and time)
+v1: https://lore.kernel.org/r/20241204005138.702289-1-peterx@redhat.com
+This is v2 of the series, removing RFC tag, because my goal is to have them
+(or some newer version) merged.
+The major change is I merged last three patches, and did quite some changes
+here and there, to make sure the global disk activation status is always
+consistent.  The whole idea is still the same.  I say changelog won't help.
+I also temporarily dropped Fabiano's ping-pong test cases to avoid
+different versions floating on the list (as I know a new version is coming
+at some point. Fabiano: you're taking over the 10.0 pulls, so I assume
+you're aware so there's no concern on order of merges).  I'll review the
+test cases separately when they're ready, but this series is still tested
+with that pingpong test and it keeps working.
 I started looking at this problem as a whole when reviewing Fabiano's
 series, especially the patch (for a QEMU crash [1]):
 https://lore.kernel.org/r/20241125144612.16194-5-farosas@suse.de
 The proposed patch could work, but it's unwanted to add such side effect to
 migration.  So I start to think about whether we can provide a cleaner
-approach, at least remove that "we must active the disk for migration"
+approach, because migration doesn't need the disks to be active to work at
-dependency, because migration really don't need the disks to be active..
+all.  Hence we should try to avoid adding a migration ABI (which doesn't
 matter now, but may matter some day) into prepare phase on disk activation
 status.  Migration should happen with disks inactivated.
 It's also a pure wish that, if bdrv_inactivate_all() could be benign to be
-called even if all disks are already inactive.  Then problem also gone.
+called even if all disks are already inactive.  Then the bug is also gone.
 After all, similar call on bdrv_activate_all() upon all-active disks is all
-fine.  I hope that wish could still be fair.
+fine.  I hope that wish could still be fair.  But I don't know well on
 block layer to say anything meaningful.
 And when I was looking at that, I found more things spread all over the
 place on disk activation.  I decided to clean all of them up, while
 hopefully fixing the QEMU crash [1] too.
-So this is what I came up with as of today.  Marking RFC as of now, just to
+For this v2, I did some more tests, I want to make sure all the past paths
-collect some feedbacks first.  At least I'd like to go with one more patch
+keep working at least on failure or cancel races, also in postcopy failure
-to deprecate late-block-active - not deprecating its function, but make it
+cases.  So I did below and they all run pass (when I said "emulated" below,
-always happen (which is the default as of now for Libvirt), which should
+I meant I hacked something to trigger those race / rare failures, because
-hopefully be migration-ABI-safe.
+they aren't easy to trigger with vanilla binary):
-With the help of Fabiano's test cases, I at least am sure this series works
+- Tested generic migrate_cancel during precopy, disk activation won't be
-for the ping pong migrations, and all existing qtests.
+  affected.  Disk status reports correct values in tracepoints.
-Let me know, thanks.
+- Test Fabiano's ping-pong migration tests on PAUSED state VM.
 - Emulated precopy failure before sending non-iterable, disk inactivation
   won't happen, and also activation won't trigger after migration cleanups
   (even if activation on top of activate disk is benign, I checked traces
   to make sure it'll provide consistent disk status, skipping activation).
 - Emulated precopy failure right after sending non-iterable. Disks will be
   inactivated, but then can be reactivated properly before VM starts.
 - Emulated postcopy failure when sending the packed data (which is after
   disk invalidated), and making sure src VM will get back to live properly,
   re-activate the disks before starting.
 - Emulated concurrent migrate_cancel at the end of migration_completion()
   of precopy, after disk inactivated.  Disks can be reactivated properly.
   NOTE: here if dest QEMU didn't quit before migrate_cancel,
   bdrv_activate_all() can crash src QEMU.  This behavior should be the same
   before/after this patch.
 Comments welcomed, thanks.
 [1] https://gitlab.com/qemu-project/qemu/-/issues/2395
-Fabiano Rosas (4):
+Peter Xu (6):
   tests/qtest/migration: Move more code under only_target
   tests/qtest/migration: Don't use hardcoded strings for -serial
   tests/qtest/migration: Support cleaning up only one side of migration
   tests/qtest/migration: Test successive migrations
 Peter Xu (7):
   migration: Add helper to get target runstate
+  qmp/cont: Only activate disks if migration completed
   migration/block: Make late-block-active the default
   migration/block: Apply late-block-active behavior to postcopy
   migration/block: Fix possible race with block_inactive
-  migration/block: Merge block reactivations for fail/cancel
+  migration/block: Rewrite disk activation
   migration/block: Extend the migration_block_* API to dest side
   migration/block: Apply the migration_block_* API to postcopy
- migration/migration.h           |  33 ++++-
+ include/migration/misc.h |   4 ++
- tests/qtest/migration-helpers.h |   2 +
+ migration/migration.h    |   6 +-
- migration/migration.c           | 177 +++++++++++-----------
+ migration/block-active.c |  94 +++++++++++++++++++++++++++
- migration/savevm.c              |  32 ++--
+ migration/colo.c         |   2 +-
- tests/qtest/migration-helpers.c |   8 +
+ migration/migration.c    | 136 +++++++++++++++------------------------
- tests/qtest/migration-test.c    | 252 +++++++++++++++++++++++++-------
+ migration/savevm.c       |  46 ++++++-------
-files changed, 344 insertions(+), 160 deletions(-)
+ monitor/qmp-cmds.c       |  22 +++----
  migration/meson.build    |   1 +
  migration/trace-events   |   3 +
 files changed, 188 insertions(+), 126 deletions(-)
  create mode 100644 migration/block-active.c
 --
 .47.0

-[PATCH RFC 01/11] migration: Add helper to get target runstate
+[PATCH v2 1/6] migration: Add helper to get target runstate
 In 99% cases, after QEMU migrates to dest host, it tries to detect the
 target VM runstate using global_state_get_runstate().
 There's one outlier so far which is Xen that won't send global state.
 That's the major reason why global_state_received() check was always there
 together with global_state_get_runstate().
 However it's utterly confusing why global_state_received() has anything to
 do with "let's start VM or not".
 Provide a helper to explain it, then we have an unified entry for getting
 the target dest QEMU runstate after migration.
 Suggested-by: Fabiano Rosas <farosas@suse.de>
 Signed-off-by: Peter Xu <peterx@redhat.com>
 ---
  migration/migration.c | 21 +++++++++++++++++----
 file changed, 17 insertions(+), 4 deletions(-)
 diff --git a/migration/migration.c b/migration/migration.c
 index XXXXXXX..XXXXXXX 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -XXX,XX +XXX,XX @@ static bool migration_needs_multiple_sockets(void)
      return migrate_multifd() || migrate_postcopy_preempt();
  }
 +static RunState migration_get_target_runstate(void)
 +{
 +    /*
 +     * When the global state is not migrated, it means we don't know the
 +     * runstate of the src QEMU.  We don't have much choice but assuming
 +     * the VM is running.  NOTE: this is pretty rare case, so far only Xen
 +     * uses it.
 +     */
 +    if (!global_state_received()) {
 +        return RUN_STATE_RUNNING;
 +    }
 +
 +    return global_state_get_runstate();
 +}
 +
  static bool transport_supports_multi_channels(MigrationAddress *addr)
  {
      if (addr->transport == MIGRATION_ADDRESS_TYPE_SOCKET) {
 @@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
       * unless we really are starting the VM.
       */
      if (!migrate_late_block_activate() ||
 -         (autostart && (!global_state_received() ||
 -            runstate_is_live(global_state_get_runstate())))) {
 +        (autostart && runstate_is_live(migration_get_target_runstate()))) {
          /* Make sure all file formats throw away their mutable metadata.
           * If we get an error here, just don't restart the VM yet. */
          bdrv_activate_all(&local_err);
 @@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
      dirty_bitmap_mig_before_vm_start();
 -    if (!global_state_received() ||
 -        runstate_is_live(global_state_get_runstate())) {
 +    if (runstate_is_live(migration_get_target_runstate())) {
          if (autostart) {
              vm_start();
          } else {
 --
 .47.0

-[PATCH RFC 08/11] tests/qtest/migration: Move more code under only_target
+[PATCH v2 2/6] qmp/cont: Only activate disks if migration completed
-From: Fabiano Rosas <farosas@suse.de>
+As the comment says, the activation of disks is for the case where
 migration has completed, rather than when QEMU is still during
 migration (RUN_STATE_INMIGRATE).
-The only_target option's purpose is to make sure only the destination
+Move the code over to reflect what the comment is describing.
 QTestState machine is initialized. This allows the test code to retain
 an already initialized source machine (e.g. for doing ping pong
 migration).
-We have drifted from that a bit when adding new code, so move some
+Cc: Kevin Wolf <kwolf@redhat.com>
-lines under only_target to restore the functionality.
+Cc: Markus Armbruster <armbru@redhat.com>
 Signed-off-by: Fabiano Rosas <farosas@suse.de>
 Link: https://lore.kernel.org/r/20241125144612.16194-2-farosas@suse.de
 Signed-off-by: Peter Xu <peterx@redhat.com>
 ---
- tests/qtest/migration-test.c | 44 ++++++++++++++++++++----------------
+ monitor/qmp-cmds.c | 26 ++++++++++++++------------
-file changed, 25 insertions(+), 19 deletions(-)
+file changed, 14 insertions(+), 12 deletions(-)
-diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
+diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/migration-test.c
+--- a/monitor/qmp-cmds.c
-+++ b/tests/qtest/migration-test.c
++++ b/monitor/qmp-cmds.c
-@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
+@@ -XXX,XX +XXX,XX @@ void qmp_cont(Error **errp)
      g_autofree gchar *arch_target = NULL;
      /* options for source and target */
      g_autofree gchar *arch_opts = NULL;
 -    g_autofree gchar *cmd_source = NULL;
      g_autofree gchar *cmd_target = NULL;
      const gchar *ignore_stderr;
      g_autofree char *shmem_opts = NULL;
@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
          }
      }
--    dst_state = (QTestMigrationState) { };
+-    /* Continuing after completed migration. Images have been inactivated to
--    src_state = (QTestMigrationState) { };
+-     * allow the destination to take control. Need to get control back now.
-     bootfile_create(tmpfs, args->suspend_me);
+-     *
--    src_state.suspend_me = args->suspend_me;
+-     * If there are no inactive block nodes (e.g. because the VM was just
+-     * paused rather than completing a migration), bdrv_inactivate_all() simply
-     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
+-     * doesn't do anything. */
-         memory_size = "150M";
+-    bdrv_activate_all(&local_err);
-@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
+-    if (local_err) {
+-        error_propagate(errp, local_err);
-     g_test_message("Using machine type: %s", machine);
+-        return;
+-    }
--    cmd_source = g_strdup_printf("-accel kvm%s -accel tcg "
+-
--                                 "-machine %s,%s "
+     if (runstate_check(RUN_STATE_INMIGRATE)) {
--                                 "-name source,debug-threads=on "
+         autostart = 1;
--                                 "-m %s "
+     } else {
--                                 "-serial file:%s/src_serial "
++        /*
--                                 "%s %s %s %s %s",
++         * Continuing after completed migration. Images have been
--                                 kvm_opts ? kvm_opts : "",
++         * inactivated to allow the destination to take control. Need to
--                                 machine, machine_opts,
++         * get control back now.
--                                 memory_size, tmpfs,
++         *
--                                 arch_opts ? arch_opts : "",
++         * If there are no inactive block nodes (e.g. because the VM was
--                                 arch_source ? arch_source : "",
++         * just paused rather than completing a migration),
--                                 shmem_opts ? shmem_opts : "",
++         * bdrv_inactivate_all() simply doesn't do anything.
--                                 args->opts_source ? args->opts_source : "",
++         */
--                                 ignore_stderr);
++        bdrv_activate_all(&local_err);
-     if (!args->only_target) {
++        if (local_err) {
-+        g_autofree gchar *cmd_source = NULL;
++            error_propagate(errp, local_err);
-+
++            return;
-+        src_state = (QTestMigrationState) { };
++        }
-+        src_state.suspend_me = args->suspend_me;
+         vm_start();
 +
 +        cmd_source = g_strdup_printf("-accel kvm%s -accel tcg "
 +                                     "-machine %s,%s "
 +                                     "-name source,debug-threads=on "
 +                                     "-m %s "
 +                                     "-serial file:%s/src_serial "
 +                                     "%s %s %s %s %s",
 +                                     kvm_opts ? kvm_opts : "",
 +                                     machine, machine_opts,
 +                                     memory_size, tmpfs,
 +                                     arch_opts ? arch_opts : "",
 +                                     arch_source ? arch_source : "",
 +                                     shmem_opts ? shmem_opts : "",
 +                                     args->opts_source ? args->opts_source : "",
 +                                     ignore_stderr);
 +
          *from = qtest_init_with_env(QEMU_ENV_SRC, cmd_source);
          qtest_qmp_set_event_callback(*from,
                                       migrate_watch_for_events,
                                       &src_state);
      }
+ }
 +    dst_state = (QTestMigrationState) { };
 +
      cmd_target = g_strdup_printf("-accel kvm%s -accel tcg "
                                   "-machine %s,%s "
                                   "-name target,debug-threads=on "
@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
       * Always enable migration events.  Libvirt always uses it, let's try
       * to mimic as closer as that.
       */
 -    migrate_set_capability(*from, "events", true);
 +    if (!args->only_target) {
 +        migrate_set_capability(*from, "events", true);
 +    }
      migrate_set_capability(*to, "events", true);
      return 0;
 --
 .47.0

-[PATCH RFC 02/11] migration/block: Make late-block-active the default
+[PATCH v2 3/6] migration/block: Make late-block-active the default
 Migration capability 'late-block-active' controls when the block drives
 will be activated.  If enabled, block drives will only be activated until
 VM starts, either src runstate was "live" (RUNNING, or SUSPENDED), or it'll
 be postponed until qmp_cont().
 Let's do this unconditionally.  There's no harm to delay activation of
 block drives.  Meanwhile there's no ABI breakage if dest does it, because
 src QEMU has nothing to do with it, so it's no concern on ABI breakage.
 IIUC we could avoid introducing this cap when introducing it before, but
 now it's still not too late to just always do it.  Cap now prone to
 removal, but it'll be for later patches.
 Signed-off-by: Peter Xu <peterx@redhat.com>
 ---
  migration/migration.c | 38 +++++++++++++++++++-------------------
 file changed, 19 insertions(+), 19 deletions(-)
 diff --git a/migration/migration.c b/migration/migration.c
 index XXXXXXX..XXXXXXX 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
      trace_vmstate_downtime_checkpoint("dst-precopy-bh-enter");
 -    /* If capability late_block_activate is set:
 -     * Only fire up the block code now if we're going to restart the
 -     * VM, else 'cont' will do it.
 -     * This causes file locking to happen; so we don't want it to happen
 -     * unless we really are starting the VM.
 -     */
 -    if (!migrate_late_block_activate() ||
 -        (autostart && runstate_is_live(migration_get_target_runstate()))) {
 -        /* Make sure all file formats throw away their mutable metadata.
 -         * If we get an error here, just don't restart the VM yet. */
 -        bdrv_activate_all(&local_err);
 -        if (local_err) {
 -            error_report_err(local_err);
 -            local_err = NULL;
 -            autostart = false;
 -        }
 -    }
 -
      /*
       * This must happen after all error conditions are dealt with and
       * we're sure the VM is going to be running on this host.
 @@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
      if (runstate_is_live(migration_get_target_runstate())) {
          if (autostart) {
 -            vm_start();
 +            /*
 +             * Block activation is always delayed until VM starts, either
 +             * here (which means we need to start the dest VM right now..),
 +             * or until qmp_cont() later.
 +             *
 +             * We used to have cap 'late-block-activate' but now we do this
 +             * unconditionally, as it has no harm but only benefit.  E.g.,
 +             * it's not part of migration ABI on the time of disk activation.
 +             *
 +             * Make sure all file formats throw away their mutable
 +             * metadata.  If error, don't restart the VM yet.
 +             */
 +            bdrv_activate_all(&local_err);
 +            if (local_err) {
 +                error_report_err(local_err);
 +                local_err = NULL;
 +            } else {
 +                vm_start();
 +            }
          } else {
              runstate_set(RUN_STATE_PAUSED);
          }
 --
 .47.0

-[PATCH RFC 03/11] migration/block: Apply late-block-active behavior to postcopy
+[PATCH v2 4/6] migration/block: Apply late-block-active behavior to postcopy
 ...
 for postcopy unconditionally, just like precopy.  After this patch, we
 should have unified the behavior across all.
 Signed-off-by: Peter Xu <peterx@redhat.com>
 ---
- migration/savevm.c | 23 ++++++++++-------------
+ migration/savevm.c | 25 ++++++++++++-------------
-file changed, 10 insertions(+), 13 deletions(-)
+file changed, 12 insertions(+), 13 deletions(-)
 diff --git a/migration/savevm.c b/migration/savevm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/migration/savevm.c
 +++ b/migration/savevm.c
 ...
      dirty_bitmap_mig_before_vm_start();
      if (autostart) {
 -        /* Hold onto your hats, starting the CPU */
 -        vm_start();
-+        /* Make sure all file formats throw away their mutable metadata.
++        /*
-+         * If we get an error here, just don't restart the VM yet. */
++         * Make sure all file formats throw away their mutable metadata.
 +         * If we get an error here, just don't restart the VM yet.
 +         */
 +        bdrv_activate_all(&local_err);
 +        trace_vmstate_downtime_checkpoint("dst-postcopy-bh-cache-invalidated");
 +        if (local_err) {
 +            error_report_err(local_err);
 +            local_err = NULL;
 ...

-[PATCH RFC 04/11] migration/block: Fix possible race with block_inactive
+[PATCH v2 5/6] migration/block: Fix possible race with block_inactive
 Src QEMU sets block_inactive=true very early before the invalidation takes
 place.  It means if something wrong happened during setting the flag but
 before reaching qemu_savevm_state_complete_precopy_non_iterable() where it
 did the invalidation work, it'll make block_inactive flag inconsistent.
 For example, think about when qemu_savevm_state_complete_precopy_iterable()
 can fail: it will have block_inactive set to true even if all block drives
 are active.
 Fix that by only update the flag after the invalidation is done.
 No Fixes for any commit, because it's not an issue if bdrv_activate_all()
 is re-entrant upon all-active disks - false positive block_inactive can
 bring nothing more than "trying to active the blocks but they're already
 active".  However let's still do it right to avoid the inconsistent flag
 v.s. reality.
 Signed-off-by: Peter Xu <peterx@redhat.com>
 ---
  migration/migration.c | 9 +++------
  migration/savevm.c    | 2 ++
 files changed, 5 insertions(+), 6 deletions(-)
 diff --git a/migration/migration.c b/migration/migration.c
 index XXXXXXX..XXXXXXX 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
 @@ -XXX,XX +XXX,XX @@ static int migration_completion_precopy(MigrationState *s,
          goto out_unlock;
      }
 -    /*
 -     * Inactivate disks except in COLO, and track that we have done so in order
 -     * to remember to reactivate them if migration fails or is cancelled.
 -     */
 -    s->block_inactive = !migrate_colo();
      migration_rate_set(RATE_LIMIT_DISABLED);
 +
 +    /* Inactivate disks except in COLO */
      ret = qemu_savevm_state_complete_precopy(s->to_dst_file, false,
 -                                             s->block_inactive);
 +                                             !migrate_colo());
  out_unlock:
      bql_unlock();
      return ret;
 diff --git a/migration/savevm.c b/migration/savevm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/migration/savevm.c
 +++ b/migration/savevm.c
 @@ -XXX,XX +XXX,XX @@ int qemu_savevm_state_complete_precopy_non_iterable(QEMUFile *f,
              qemu_file_set_error(f, ret);
              return ret;
          }
 +        /* Remember that we did this */
 +        s->block_inactive = true;
      }
      if (!in_postcopy) {
          /* Postcopy stream will still be going */
 --
 .47.0

-[PATCH RFC 05/11] migration/block: Merge block reactivations for fail/cancel
+[PATCH v2 6/6] migration/block: Rewrite disk activation
+This patch proposes a flag to maintain disk activation status globally.  It
+mostly rewrites disk activation mgmt for QEMU, including COLO and QMP
+command xen_save_devices_state.
+Backgrounds
+===========
+We have two problems on disk activations, one resolved, one not.
+Problem 1: disk activation recover (for switchover interruptions)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 When migration is either cancelled or failed during switchover, especially
 when after the disks are inactivated, QEMU needs to remember re-activate
 the disks again before vm starts.
 It used to be done separately in two paths: one in qmp_migrate_cancel(),
 the other one in the failure path of migration_completion().
 It used to be fixed in different commits, all over the places in QEMU.  So
-these are the ones I see at least:
+these are the relevant changes I saw, I'm not sure if it's complete list:
  - In 2016, commit fe904ea824 ("migration: regain control of images when
    migration fails to complete")
  - In 2017, commit 1d2acc3162 ("migration: re-active images while migration
    been canceled after inactive them")
  - In 2023, commit 6dab4c93ec ("migration: Attempt disk reactivation in
    more failure scenarios")
-We could have done better on trying to solve this once and for all.  Now it
+Now since we have a slightly better picture maybe we can unify the
-might be a good chance because we have a better whole picture now.
+reactivation in a single path.
-Put both of the error cases together now into migration_iteration_finish(),
+One side benefit of doing so is, we can move the disk operation outside QMP
-which will be invoked for either of the scenario.
+command "migrate_cancel".  It's possible that in the future we may want to
+make "migrate_cancel" be OOB-compatible, while that requires the command
-At the meantime, cleanup block_inactive in a few ways:
+doesn't need BQL in the first place.  This will already do that and make
+migrate_cancel command lightweight.
-  - Rename it to block_active, which is easier to follow..
+Problem 2: disk invalidation on top of invalidated disks
-  - Maintain the flag for the whole lifecycle of QEMU.  Otherwise it's not
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    clear on when the flag is valid or not.
+This is an unresolved bug for current QEMU.  Link in "Resolves:" at the
-  - Put it together with the operations, rather than updating the flag
+end.  It turns out besides the src switchover phase (problem 1 above), QEMU
-    separately.
+also needs to remember block activation on destination.
-Now we set the flag to TRUE from the start, showing block ownership of a
+Consider two continuous migration in a row, where the VM was always paused.
-fresh started QEMU (but so far only used in migration module).  Then it can
+In that scenario, the disks are not activated even until migration
-be modified by migration switchover code if invalidation happened.  With
+completed in the 1st round.  When the 2nd round starts, if QEMU doesn't
-that, the flag always reflects the correct block ownership.
+know the status of the disks, it needs to try inactivate the disk again.
-NOTE: it can always be racy if there's concurrent operation to change the
+Here the issue is the block layer API bdrv_inactivate_all() will crash a
-block activation status (e.g., qmp_cont() right after migration failure but
+QEMU if invoked on already inactive disks for the 2nd migration.  For
-right before block re-activate happens), but that's not avoidable even
+detail, see the bug link at the end.
-before this patch, so it's not part of the goal that this patch would like
-to achieve, so put aside as of now.
+Implementation
+==============
 This patch proposes to maintain disk activation with a global flag, so we
 know:
   - If we used to inactivate disks for migration, but migration got
   cancelled, or failed, QEMU will know it should reactivate the disks.
   - On incoming side, if the disks are never activated but then another
   migration is triggered, QEMU should be able to tell that inactivate is
   not needed for the 2nd migration.
 We used to have disk_inactive, but it only solves the 1st issue, not the
 nd.  Also, it's done in completely separate paths so it's extremely hard
 to follow either how the flag changes, or the duration that the flag is
 valid, and when we will reactivate the disks.
 Convert the existing disk_inactive flag into that global flag (also invert
 its naming), and maintain the disk activation status for the whole
 lifecycle of qemu.  That includes the incoming QEMU.
 Put both of the error cases of source migration (failure, cancelled)
 together into migration_iteration_finish(), which will be invoked for
 either of the scenario.  So from that part QEMU should behave the same as
 before.  However with such global maintenance on disk activation status, we
 not only cleanup quite a few temporary paths that we try to maintain the
 disk activation status (e.g. in postcopy code), meanwhile it fixes the
 crash for problem 2 in one shot.
 For freshly started QEMU, the flag is initialized to TRUE showing that the
 QEMU owns the disks by default.
 For incoming migrated QEMU, the flag will be initialized to FALSE once and
 for all showing that the dest QEMU doesn't own the disks until switchover.
 That is guaranteed by the "once" variable.
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2395
 Signed-off-by: Peter Xu <peterx@redhat.com>
 ---
- migration/migration.h | 20 +++++++++-
+ include/migration/misc.h |  4 ++
- migration/migration.c | 86 +++++++++++++++++++++++++------------------
+ migration/migration.h    |  6 +--
- migration/savevm.c    | 11 ++----
+ migration/block-active.c | 94 ++++++++++++++++++++++++++++++++++++++++
-files changed, 72 insertions(+), 45 deletions(-)
+ migration/colo.c         |  2 +-
+ migration/migration.c    | 80 ++++++++--------------------------
  migration/savevm.c       | 33 ++++++--------
  monitor/qmp-cmds.c       |  8 +---
  migration/meson.build    |  1 +
  migration/trace-events   |  3 ++
 files changed, 140 insertions(+), 91 deletions(-)
  create mode 100644 migration/block-active.c
 diff --git a/include/migration/misc.h b/include/migration/misc.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/migration/misc.h
 +++ b/include/migration/misc.h
@@ -XXX,XX +XXX,XX @@ bool migration_incoming_postcopy_advised(void);
  /* True if background snapshot is active */
  bool migration_in_bg_snapshot(void);
 +/* Wrapper for block active/inactive operations */
 +bool migration_block_activate(Error **errp);
 +bool migration_block_inactivate(void);
 +
  #endif
 diff --git a/migration/migration.h b/migration/migration.h
 index XXXXXXX..XXXXXXX 100644
 --- a/migration/migration.h
 +++ b/migration/migration.h
 @@ -XXX,XX +XXX,XX @@ struct MigrationState {
      /* Flag set once the migration thread is running (and needs joining) */
      bool migration_thread_running;
 -    /* Flag set once the migration thread called bdrv_inactivate_all */
 -    bool block_inactive;
-+    /*
+-
 +     * Migration-only cache to remember the block layer activation status.
 +     * Protected by BQL.
 +     *
 +     * We need this because..
 +     *
 +     * - Migration can fail after block devices are invalidated (during
 +     *   switchover phase).  When that happens, we need to be able to
 +     *   recover the block drive status by re-activating them.
 +     *
 +     * For freshly started QEMU, block_active is initialized to TRUE
 +     * reflecting the scenario where QEMU owns block device ownerships.
 +     */
 +    bool block_active;
      /* Migration is waiting for guest to unplug device */
      QemuSemaphore wait_unplug_sem;
 @@ -XXX,XX +XXX,XX @@ void migration_bitmap_sync_precopy(bool last_stage);
  /* migration/block-dirty-bitmap.c */
  void dirty_bitmap_mig_init(void);
-+/* Wrapper for block active/inactive operations */
++/* migration/block-active.c */
-+bool migration_block_activate(MigrationState *s);
++void migration_block_active_setup(bool active);
 +bool migration_block_inactivate(MigrationState *s);
 +
  #endif
-diff --git a/migration/migration.c b/migration/migration.c
+diff --git a/migration/block-active.c b/migration/block-active.c
-index XXXXXXX..XXXXXXX 100644
+new file mode 100644
---- a/migration/migration.c
+index XXXXXXX..XXXXXXX
-+++ b/migration/migration.c
+--- /dev/null
-@@ -XXX,XX +XXX,XX @@ static void migration_downtime_end(MigrationState *s)
++++ b/migration/block-active.c
-     trace_vmstate_downtime_checkpoint("src-downtime-end");
+@@ -XXX,XX +XXX,XX @@
- }
++/*
++ * Block activation tracking for migration purpose
-+bool migration_block_activate(MigrationState *s)
++ *
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + *
 + * Copyright (C) 2024 Red Hat, Inc.
 + */
 +#include "qemu/osdep.h"
 +#include "block/block.h"
 +#include "qapi/error.h"
 +#include "migration/migration.h"
 +#include "qemu/error-report.h"
 +#include "trace.h"
 +
 +/*
 + * Migration-only cache to remember the block layer activation status.
 + * Protected by BQL.
 + *
 + * We need this because..
 + *
 + * - Migration can fail after block devices are invalidated (during
 + *   switchover phase).  When that happens, we need to be able to recover
 + *   the block drive status by re-activating them.
 + *
 + * - Currently bdrv_inactivate_all() is not safe to be invoked on top of
 + *   invalidated drives (even if bdrv_activate_all() is actually safe to be
 + *   called any time!).  It means remembering this could help migration to
 + *   make sure it won't invalidate twice in a row, crashing QEMU.  It can
 + *   happen when we migrate a PAUSED VM from host1 to host2, then migrate
 + *   again to host3 without starting it.  TODO: a cleaner solution is to
 + *   allow safe invoke of bdrv_inactivate_all() at anytime, like
 + *   bdrv_activate_all().
 + *
 + * For freshly started QEMU, the flag is initialized to TRUE reflecting the
 + * scenario where QEMU owns block device ownerships.
 + *
 + * For incoming QEMU taking a migration stream, the flag is initialized to
 + * FALSE reflecting that the incoming side doesn't own the block devices,
 + * not until switchover happens.
 + */
 +static bool migration_block_active;
 +
 +/* Setup the disk activation status */
 +void migration_block_active_setup(bool active)
 +{
-+    Error *local_err = NULL;
++    migration_block_active = active;
 +}
 +
 +bool migration_block_activate(Error **errp)
 +{
 +    ERRP_GUARD();
 +
 +    assert(bql_locked());
 +
-+    if (s->block_active) {
++    if (migration_block_active) {
 +        trace_migration_block_activation("active-skipped");
 +        return true;
 +    }
 +
-+    bdrv_activate_all(&local_err);
++    trace_migration_block_activation("active");
-+    if (local_err) {
++
-+        error_report_err(local_err);
++    bdrv_activate_all(errp);
 +    if (*errp) {
 +        error_report_err(error_copy(*errp));
 +        return false;
 +    }
 +
-+    s->block_active = true;
++    migration_block_active = true;
 +    return true;
 +}
 +
-+bool migration_block_inactivate(MigrationState *s)
++bool migration_block_inactivate(void)
 +{
 +    int ret;
 +
 +    assert(bql_locked());
 +
-+    if (!s->block_active) {
++    if (!migration_block_active) {
 +        trace_migration_block_activation("inactive-skipped");
 +        return true;
 +    }
 +
++    trace_migration_block_activation("inactive");
++
 +    ret = bdrv_inactivate_all();
 +    if (ret) {
-+        error_report("%s: bdrv_inactivate_all() failed: %d\n",
++        error_report("%s: bdrv_inactivate_all() failed: %d",
 +                     __func__, ret);
 +        return false;
 +    }
 +
-+    s->block_active = false;
++    migration_block_active = false;
 +    return true;
 +}
-+
+diff --git a/migration/colo.c b/migration/colo.c
- static bool migration_needs_multiple_sockets(void)
+index XXXXXXX..XXXXXXX 100644
 --- a/migration/colo.c
 +++ b/migration/colo.c
@@ -XXX,XX +XXX,XX @@ static void *colo_process_incoming_thread(void *opaque)
      /* Make sure all file formats throw away their mutable metadata */
      bql_lock();
 -    bdrv_activate_all(&local_err);
 +    migration_block_activate(&local_err);
      bql_unlock();
      if (local_err) {
          error_report_err(local_err);
 diff --git a/migration/migration.c b/migration/migration.c
 index XXXXXXX..XXXXXXX 100644
 --- a/migration/migration.c
 +++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static void qemu_start_incoming_migration(const char *uri, bool has_channels,
  static void process_incoming_migration_bh(void *opaque)
  {
-     return migrate_multifd() || migrate_postcopy_preempt();
+-    Error *local_err = NULL;
      MigrationIncomingState *mis = opaque;
      trace_vmstate_downtime_checkpoint("dst-precopy-bh-enter");
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
               * Make sure all file formats throw away their mutable
               * metadata.  If error, don't restart the VM yet.
               */
 -            bdrv_activate_all(&local_err);
 -            if (local_err) {
 -                error_report_err(local_err);
 -                local_err = NULL;
 -            } else {
 +            if (migration_block_activate(NULL)) {
                  vm_start();
              }
          } else {
 @@ -XXX,XX +XXX,XX @@ static void migrate_fd_cancel(MigrationState *s)
              }
          }
      }
 -    if (s->state == MIGRATION_STATUS_CANCELLING && s->block_inactive) {
 ...
 -        }
 -    }
  }
  void migration_add_notifier_mode(NotifierWithReturn *notify,
+@@ -XXX,XX +XXX,XX @@ void qmp_migrate_incoming(const char *uri, bool has_channels,
+         return;
+     }
++    /*
++     * Newly setup incoming QEMU.  Mark the block active state to reflect
++     * that the src currently owns the disks.
++     */
++    migration_block_active_setup(false);
++
+     once = false;
+ }
+@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
+     QIOChannelBuffer *bioc;
+     QEMUFile *fb;
+     uint64_t bandwidth = migrate_max_postcopy_bandwidth();
+-    bool restart_block = false;
+     int cur_state = MIGRATION_STATUS_ACTIVE;
+     if (migrate_postcopy_preempt()) {
+@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
+         goto fail;
+     }
+-    ret = bdrv_inactivate_all();
+-    if (ret < 0) {
+-        error_setg_errno(errp, -ret, "%s: Failed in bdrv_inactivate_all()",
+-                         __func__);
++    if (!migration_block_inactivate()) {
++        error_setg(errp, "%s: Failed in bdrv_inactivate_all()", __func__);
+         goto fail;
+     }
+-    restart_block = true;
+     /*
+      * Cause any non-postcopiable, but iterative devices to
+@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
+         goto fail_closefb;
+     }
+-    restart_block = false;
+-
+     /* Now send that blob */
+     if (qemu_savevm_send_packaged(ms->to_dst_file, bioc->data, bioc->usage)) {
+         error_setg(errp, "%s: Failed to send packaged data", __func__);
+@@ -XXX,XX +XXX,XX @@ fail_closefb:
+ fail:
+     migrate_set_state(&ms->state, MIGRATION_STATUS_POSTCOPY_ACTIVE,
+                           MIGRATION_STATUS_FAILED);
+-    if (restart_block) {
+-        /* A failure happened early enough that we know the destination hasn't
+-         * accessed block devices, so we're safe to recover.
+-         */
+-        Error *local_err = NULL;
+-
+-        bdrv_activate_all(&local_err);
+-        if (local_err) {
+-            error_report_err(local_err);
+-        }
+-    }
++    migration_block_activate(NULL);
+     migration_call_notifiers(ms, MIG_EVENT_PRECOPY_FAILED, NULL);
+     bql_unlock();
+     return -1;
 @@ -XXX,XX +XXX,XX @@ static void migration_completion_postcopy(MigrationState *s)
      trace_migration_completion_postcopy_end_after_complete();
  }
 -static void migration_completion_failed(MigrationState *s,
 ...
      case MIGRATION_STATUS_CANCELLING:
 +        /*
 +         * Re-activate the block drives if they're inactivated.  Note, COLO
 +         * shouldn't use block_active at all, so it should be no-op there.
 +         */
-+        migration_block_activate(s);
++        migration_block_activate(NULL);
          if (runstate_is_live(s->vm_old_state)) {
              if (!runstate_check(RUN_STATE_SHUTDOWN)) {
                  vm_start();
 @@ -XXX,XX +XXX,XX @@ static void migration_instance_init(Object *obj)
      ms->state = MIGRATION_STATUS_NONE;
      ms->mbps = -1;
      ms->pages_per_second = -1;
 +    /* Freshly started QEMU owns all the block devices */
-+    ms->block_active = true;
++    migration_block_active_setup(true);
      qemu_sem_init(&ms->pause_sem, 0);
      qemu_mutex_init(&ms->error_mutex);
 diff --git a/migration/savevm.c b/migration/savevm.c
 index XXXXXXX..XXXXXXX 100644
 --- a/migration/savevm.c
 +++ b/migration/savevm.c
 @@ -XXX,XX +XXX,XX @@ int qemu_savevm_state_complete_precopy_non_iterable(QEMUFile *f,
+     }
      if (inactivate_disks) {
-         /* Inactivate before sending QEMU_VM_EOF so that the
+-        /* Inactivate before sending QEMU_VM_EOF so that the
-          * bdrv_activate_all() on the other end won't fail. */
+-         * bdrv_activate_all() on the other end won't fail. */
 -        ret = bdrv_inactivate_all();
 -        if (ret) {
 -            error_setg(&local_err, "%s: bdrv_inactivate_all() failed (%d)",
 -                       __func__, ret);
-+        if (!migration_block_inactivate(ms)) {
++        /*
 +         * Inactivate before sending QEMU_VM_EOF so that the
 +         * bdrv_activate_all() on the other end won't fail.
 +         */
 +        if (!migration_block_inactivate()) {
 +            error_setg(&local_err, "%s: bdrv_inactivate_all() failed",
 +                       __func__);
              migrate_set_error(ms, local_err);
              error_report_err(local_err);
 -            qemu_file_set_error(f, ret);
 ...
 -        /* Remember that we did this */
 -        s->block_inactive = true;
      }
      if (!in_postcopy) {
          /* Postcopy stream will still be going */
+@@ -XXX,XX +XXX,XX @@ static int loadvm_postcopy_handle_listen(MigrationIncomingState *mis)
+ static void loadvm_postcopy_handle_run_bh(void *opaque)
+ {
+-    Error *local_err = NULL;
+     MigrationIncomingState *mis = opaque;
+     trace_vmstate_downtime_checkpoint("dst-postcopy-bh-enter");
+@@ -XXX,XX +XXX,XX @@ static void loadvm_postcopy_handle_run_bh(void *opaque)
+          * Make sure all file formats throw away their mutable metadata.
+          * If we get an error here, just don't restart the VM yet.
+          */
+-        bdrv_activate_all(&local_err);
++        bool success = migration_block_activate(NULL);
++
+         trace_vmstate_downtime_checkpoint("dst-postcopy-bh-cache-invalidated");
+-        if (local_err) {
+-            error_report_err(local_err);
+-            local_err = NULL;
+-        } else {
++
++        if (success) {
+             vm_start();
+         }
+     } else {
+@@ -XXX,XX +XXX,XX @@ void qmp_xen_save_devices_state(const char *filename, bool has_live, bool live,
+          * side of the migration take control of the images.
+          */
+         if (live && !saved_vm_running) {
+-            ret = bdrv_inactivate_all();
+-            if (ret) {
+-                error_setg(errp, "%s: bdrv_inactivate_all() failed (%d)",
+-                           __func__, ret);
+-            }
++            migration_block_inactivate();
+         }
+     }
+diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
+index XXXXXXX..XXXXXXX 100644
+--- a/monitor/qmp-cmds.c
++++ b/monitor/qmp-cmds.c
+@@ -XXX,XX +XXX,XX @@
+ #include "qapi/type-helpers.h"
+ #include "hw/mem/memory-device.h"
+ #include "hw/intc/intc.h"
++#include "migration/misc.h"
+ NameInfo *qmp_query_name(Error **errp)
+ {
+@@ -XXX,XX +XXX,XX @@ void qmp_cont(Error **errp)
+          * Continuing after completed migration. Images have been
+          * inactivated to allow the destination to take control. Need to
+          * get control back now.
+-         *
+-         * If there are no inactive block nodes (e.g. because the VM was
+-         * just paused rather than completing a migration),
+-         * bdrv_inactivate_all() simply doesn't do anything.
+          */
+-        bdrv_activate_all(&local_err);
+-        if (local_err) {
++        if (!migration_block_activate(&local_err)) {
+             error_propagate(errp, local_err);
+             return;
+         }
+diff --git a/migration/meson.build b/migration/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/migration/meson.build
++++ b/migration/meson.build
+@@ -XXX,XX +XXX,XX @@ migration_files = files(
+ system_ss.add(files(
+   'block-dirty-bitmap.c',
++  'block-active.c',
+   'channel.c',
+   'channel-block.c',
+   'cpu-throttle.c',
+diff --git a/migration/trace-events b/migration/trace-events
+index XXXXXXX..XXXXXXX 100644
+--- a/migration/trace-events
++++ b/migration/trace-events
+@@ -XXX,XX +XXX,XX @@ migration_pagecache_insert(void) "Error allocating page"
+ # cpu-throttle.c
+ cpu_throttle_set(int new_throttle_pct)  "set guest CPU throttled by %d%%"
+ cpu_throttle_dirty_sync(void) ""
++
++# block-active.c
++migration_block_activation(const char *name) "%s"
 --
 .47.0

-[PATCH RFC 06/11] migration/block: Extend the migration_block_* API to dest side
+Deleted patch
-Extend the usage of such API to the receiver side, because such status
-maintenance is also necessary there.
-It's needed to avoid bdrv_inactivate_all() not being invoked when the
-drives are already inactive.  When invoked, it can crash QEMU.  See the
-issue link for more information.
-So it means we need to start remember the block activation status not only
-on src, but also on dest.
-One thing tricky here is, when we need to consider incoming QEMU, we need
-to also consider its initial status as incoming side.  Due to the fact that
-before switchover the incoming QEMU doesn't own the disks, we need to set
-initial state to FALSE for a incoming QEMU.  In this case, postcopy recover
-doesn't count.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2395
-Signed-off-by: Peter Xu <peterx@redhat.com>
----
- migration/migration.h | 13 +++++++++++++
- migration/migration.c | 13 +++++++------
-files changed, 20 insertions(+), 6 deletions(-)
-diff --git a/migration/migration.h b/migration/migration.h
-index XXXXXXX..XXXXXXX 100644
---- a/migration/migration.h
-+++ b/migration/migration.h
-@@ -XXX,XX +XXX,XX @@ struct MigrationState {
-      *   switchover phase).  When that happens, we need to be able to
-      *   recover the block drive status by re-activating them.
-      *
-+     * - Currently bdrv_inactivate_all() is not safe to be invoked on top
-+     *   of invalidated drives (even if bdrv_activate_all() is actually
-+     *   safe to be called any time!).  It means remembering this could
-+     *   help migration to make sure it won't invalidate twice in a row,
-+     *   crashing QEMU.  It can happen when we migrate a PAUSED VM from
-+     *   host1 to host2, then migrate again to host3 without starting it.
-+     *   TODO: a cleaner solution is to allow safe invoke of
-+     *   bdrv_inactivate_all() at anytime, like bdrv_activate_all().
-+     *
-      * For freshly started QEMU, block_active is initialized to TRUE
-      * reflecting the scenario where QEMU owns block device ownerships.
-+     *
-+     * For incoming QEMU taking a migration stream, block_active is set to
-+     * FALSE reflecting that the incoming side doesn't own the block
-+     * devices, not until switchover happens.
-      */
-     bool block_active;
-diff --git a/migration/migration.c b/migration/migration.c
-index XXXXXXX..XXXXXXX 100644
---- a/migration/migration.c
-+++ b/migration/migration.c
-@@ -XXX,XX +XXX,XX @@ migration_incoming_state_setup(MigrationIncomingState *mis, Error **errp)
-         return false;
-     }
-+    /*
-+     * Newly setup QEMU, prepared for incoming migration.  Mark the block
-+     * active state to reflect that the src currently owns the disks.
-+     */
-+    migrate_get_current()->block_active = false;
-+
-     migrate_set_state(&mis->state, current, MIGRATION_STATUS_SETUP);
-     return true;
- }
-@@ -XXX,XX +XXX,XX @@ static void qemu_start_incoming_migration(const char *uri, bool has_channels,
- static void process_incoming_migration_bh(void *opaque)
- {
--    Error *local_err = NULL;
-     MigrationIncomingState *mis = opaque;
-     trace_vmstate_downtime_checkpoint("dst-precopy-bh-enter");
-@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
-              * Make sure all file formats throw away their mutable
-              * metadata.  If error, don't restart the VM yet.
-              */
--            bdrv_activate_all(&local_err);
--            if (local_err) {
--                error_report_err(local_err);
--                local_err = NULL;
--            } else {
-+            if (migration_block_activate(migrate_get_current())) {
-                 vm_start();
-             }
-         } else {
---
-.47.0

-[PATCH RFC 07/11] migration/block: Apply the migration_block_* API to postcopy
+Deleted patch
-Postcopy also has similar error handling for re-activation of block
-devices.  Use the same API as precopy to do the re-activation, for both src
-& dst sides.
-Signed-off-by: Peter Xu <peterx@redhat.com>
----
- migration/migration.c | 22 +++-------------------
- migration/savevm.c    | 10 ++++------
-files changed, 7 insertions(+), 25 deletions(-)
-diff --git a/migration/migration.c b/migration/migration.c
-index XXXXXXX..XXXXXXX 100644
---- a/migration/migration.c
-+++ b/migration/migration.c
-@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
-     QIOChannelBuffer *bioc;
-     QEMUFile *fb;
-     uint64_t bandwidth = migrate_max_postcopy_bandwidth();
--    bool restart_block = false;
-     int cur_state = MIGRATION_STATUS_ACTIVE;
-     if (migrate_postcopy_preempt()) {
-@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
-         goto fail;
-     }
--    ret = bdrv_inactivate_all();
--    if (ret < 0) {
--        error_setg_errno(errp, -ret, "%s: Failed in bdrv_inactivate_all()",
--                         __func__);
-+    if (!migration_block_inactivate(ms)) {
-+        error_setg(errp, "%s: Failed in bdrv_inactivate_all()", __func__);
-         goto fail;
-     }
--    restart_block = true;
-     /*
-      * Cause any non-postcopiable, but iterative devices to
-@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
-         goto fail_closefb;
-     }
--    restart_block = false;
--
-     /* Now send that blob */
-     if (qemu_savevm_send_packaged(ms->to_dst_file, bioc->data, bioc->usage)) {
-         error_setg(errp, "%s: Failed to send packaged data", __func__);
-@@ -XXX,XX +XXX,XX @@ fail_closefb:
- fail:
-     migrate_set_state(&ms->state, MIGRATION_STATUS_POSTCOPY_ACTIVE,
-                           MIGRATION_STATUS_FAILED);
--    if (restart_block) {
--        /* A failure happened early enough that we know the destination hasn't
--         * accessed block devices, so we're safe to recover.
--         */
--        Error *local_err = NULL;
--
--        bdrv_activate_all(&local_err);
--        if (local_err) {
--            error_report_err(local_err);
--        }
--    }
-+    migration_block_activate(ms);
-     migration_call_notifiers(ms, MIG_EVENT_PRECOPY_FAILED, NULL);
-     bql_unlock();
-     return -1;
-diff --git a/migration/savevm.c b/migration/savevm.c
-index XXXXXXX..XXXXXXX 100644
---- a/migration/savevm.c
-+++ b/migration/savevm.c
-@@ -XXX,XX +XXX,XX @@ static int loadvm_postcopy_handle_listen(MigrationIncomingState *mis)
- static void loadvm_postcopy_handle_run_bh(void *opaque)
- {
--    Error *local_err = NULL;
-     MigrationIncomingState *mis = opaque;
-     trace_vmstate_downtime_checkpoint("dst-postcopy-bh-enter");
-@@ -XXX,XX +XXX,XX @@ static void loadvm_postcopy_handle_run_bh(void *opaque)
-     if (autostart) {
-         /* Make sure all file formats throw away their mutable metadata.
-          * If we get an error here, just don't restart the VM yet. */
--        bdrv_activate_all(&local_err);
-+        bool success = migration_block_activate(migrate_get_current());
-+
-         trace_vmstate_downtime_checkpoint("dst-postcopy-bh-cache-invalidated");
--        if (local_err) {
--            error_report_err(local_err);
--            local_err = NULL;
--        } else {
-+
-+        if (success) {
-             vm_start();
-         }
-     } else {
---
-.47.0

-[PATCH RFC 09/11] tests/qtest/migration: Don't use hardcoded strings for -serial
+Deleted patch
-From: Fabiano Rosas <farosas@suse.de>
-Stop using hardcoded strings for -serial so we can in the next patches
-perform more than one migration in a row. Having the serial path
-hardcoded means we cannot reuse the code when dst becomes the new src.
-Signed-off-by: Fabiano Rosas <farosas@suse.de>
-Link: https://lore.kernel.org/r/20241125144612.16194-3-farosas@suse.de
-Signed-off-by: Peter Xu <peterx@redhat.com>
----
- tests/qtest/migration-helpers.h |  2 +
- tests/qtest/migration-helpers.c |  8 ++++
- tests/qtest/migration-test.c    | 68 ++++++++++++++++++---------------
-files changed, 48 insertions(+), 30 deletions(-)
-diff --git a/tests/qtest/migration-helpers.h b/tests/qtest/migration-helpers.h
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/migration-helpers.h
-+++ b/tests/qtest/migration-helpers.h
-@@ -XXX,XX +XXX,XX @@ typedef struct QTestMigrationState {
-     bool resume_seen;
-     bool suspend_seen;
-     bool suspend_me;
-+    char *serial;
- } QTestMigrationState;
- bool migrate_watch_for_events(QTestState *who, const char *name,
-@@ -XXX,XX +XXX,XX @@ static inline bool probe_o_direct_support(const char *tmpfs)
- #endif
- void migration_test_add(const char *path, void (*fn)(void));
- void migration_event_wait(QTestState *s, const char *target);
-+char *migrate_get_unique_serial(const char *tmpfs);
- #endif /* MIGRATION_HELPERS_H */
-diff --git a/tests/qtest/migration-helpers.c b/tests/qtest/migration-helpers.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/migration-helpers.c
-+++ b/tests/qtest/migration-helpers.c
-@@ -XXX,XX +XXX,XX @@ void migration_event_wait(QTestState *s, const char *target)
-         qobject_unref(response);
-     } while (!found);
- }
-+
-+char *migrate_get_unique_serial(const char *tmpfs)
-+{
-+    static int i;
-+
-+    assert(i < INT_MAX);
-+    return g_strdup_printf("%s/serial_%d", tmpfs, i++);
-+}
-diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/migration-test.c
-+++ b/tests/qtest/migration-test.c
-@@ -XXX,XX +XXX,XX @@ static void bootfile_create(char *dir, bool suspend_me)
-  * we get an 'A' followed by an endless string of 'B's
-  * but on the destination we won't have the A (unless we enabled suspend/resume)
-  */
--static void wait_for_serial(const char *side)
-+static void wait_for_serial(const char *serialpath)
- {
--    g_autofree char *serialpath = g_strdup_printf("%s/%s", tmpfs, side);
-     FILE *serialfile = fopen(serialpath, "r");
-     do {
-@@ -XXX,XX +XXX,XX @@ static void wait_for_serial(const char *side)
-             break;
-         default:
--            fprintf(stderr, "Unexpected %d on %s serial\n", readvalue, side);
-+            fprintf(stderr, "Unexpected %d on %s\n", readvalue, serialpath);
-             g_assert_not_reached();
-         }
-     } while (true);
-@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
-         src_state = (QTestMigrationState) { };
-         src_state.suspend_me = args->suspend_me;
-+        src_state.serial = migrate_get_unique_serial(tmpfs);
-         cmd_source = g_strdup_printf("-accel kvm%s -accel tcg "
-                                      "-machine %s,%s "
-                                      "-name source,debug-threads=on "
-                                      "-m %s "
--                                     "-serial file:%s/src_serial "
-+                                     "-serial file:%s "
-                                      "%s %s %s %s %s",
-                                      kvm_opts ? kvm_opts : "",
-                                      machine, machine_opts,
--                                     memory_size, tmpfs,
-+                                     memory_size, src_state.serial,
-                                      arch_opts ? arch_opts : "",
-                                      arch_source ? arch_source : "",
-                                      shmem_opts ? shmem_opts : "",
-@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
-     }
-     dst_state = (QTestMigrationState) { };
-+    dst_state.serial = migrate_get_unique_serial(tmpfs);
-     cmd_target = g_strdup_printf("-accel kvm%s -accel tcg "
-                                  "-machine %s,%s "
-                                  "-name target,debug-threads=on "
-                                  "-m %s "
--                                 "-serial file:%s/dest_serial "
-+                                 "-serial file:%s "
-                                  "-incoming %s "
-                                  "%s %s %s %s %s",
-                                  kvm_opts ? kvm_opts : "",
-                                  machine, machine_opts,
--                                 memory_size, tmpfs, uri,
-+                                 memory_size, dst_state.serial, uri,
-                                  arch_opts ? arch_opts : "",
-                                  arch_target ? arch_target : "",
-                                  shmem_opts ? shmem_opts : "",
-@@ -XXX,XX +XXX,XX @@ static void test_migrate_end(QTestState *from, QTestState *to, bool test_dest)
-     qtest_quit(to);
-     cleanup("migsocket");
--    cleanup("src_serial");
--    cleanup("dest_serial");
-+    unlink(src_state.serial);
-+    g_free(src_state.serial);
-+    unlink(dst_state.serial);
-+    g_free(dst_state.serial);
-     cleanup(FILE_TEST_FILENAME);
- }
-@@ -XXX,XX +XXX,XX @@ static int migrate_postcopy_prepare(QTestState **from_ptr,
-                              "                'port': '0' } } ] } }");
-     /* Wait for the first serial output from the source */
--    wait_for_serial("src_serial");
-+    wait_for_serial(src_state.serial);
-     wait_for_suspend(from, &src_state);
-     migrate_qmp(from, to, NULL, NULL, "{}");
-@@ -XXX,XX +XXX,XX @@ static void migrate_postcopy_complete(QTestState *from, QTestState *to,
-     }
-     /* Make sure we get at least one "B" on destination */
--    wait_for_serial("dest_serial");
-+    wait_for_serial(dst_state.serial);
-     if (uffd_feature_thread_id) {
-         read_blocktime(to);
-@@ -XXX,XX +XXX,XX @@ static void test_precopy_common(MigrateCommon *args)
-     /* Wait for the first serial output from the source */
-     if (args->result == MIG_TEST_SUCCEED) {
--        wait_for_serial("src_serial");
-+        wait_for_serial(src_state.serial);
-         wait_for_suspend(from, &src_state);
-     }
-@@ -XXX,XX +XXX,XX @@ static void test_precopy_common(MigrateCommon *args)
-             qtest_qmp_assert_success(to, "{'execute': 'system_wakeup'}");
-         }
--        wait_for_serial("dest_serial");
-+        wait_for_serial(dst_state.serial);
-     }
- finish:
-@@ -XXX,XX +XXX,XX @@ static void test_file_common(MigrateCommon *args, bool stop_src)
-     }
-     migrate_ensure_converge(from);
--    wait_for_serial("src_serial");
-+    wait_for_serial(src_state.serial);
-     if (stop_src) {
-         qtest_qmp_assert_success(from, "{ 'execute' : 'stop'}");
-@@ -XXX,XX +XXX,XX @@ static void test_file_common(MigrateCommon *args, bool stop_src)
-     }
-     wait_for_resume(to, &dst_state);
--    wait_for_serial("dest_serial");
-+    wait_for_serial(dst_state.serial);
-     if (check_offset) {
-         file_check_offset_region();
-@@ -XXX,XX +XXX,XX @@ static void test_ignore_shared(void)
-     migrate_set_capability(to, "x-ignore-shared", true);
-     /* Wait for the first serial output from the source */
--    wait_for_serial("src_serial");
-+    wait_for_serial(src_state.serial);
-     migrate_qmp(from, to, uri, NULL, "{}");
-@@ -XXX,XX +XXX,XX @@ static void test_ignore_shared(void)
-     qtest_qmp_eventwait(to, "RESUME");
--    wait_for_serial("dest_serial");
-+    wait_for_serial(dst_state.serial);
-     wait_for_migration_complete(from);
-     /* Check whether shared RAM has been really skipped */
-@@ -XXX,XX +XXX,XX @@ static void do_test_validate_uuid(MigrateStart *args, bool should_fail)
-     migrate_set_capability(from, "validate-uuid", true);
-     /* Wait for the first serial output from the source */
--    wait_for_serial("src_serial");
-+    wait_for_serial(src_state.serial);
-     migrate_qmp(from, to, uri, NULL, "{}");
-@@ -XXX,XX +XXX,XX @@ static void do_test_validate_uri_channel(MigrateCommon *args)
-     }
-     /* Wait for the first serial output from the source */
--    wait_for_serial("src_serial");
-+    wait_for_serial(src_state.serial);
-     /*
-      * 'uri' and 'channels' validation is checked even before the migration
-@@ -XXX,XX +XXX,XX @@ static void test_migrate_auto_converge(void)
-     migrate_set_capability(from, "pause-before-switchover", true);
-     /* Wait for the first serial output from the source */
--    wait_for_serial("src_serial");
-+    wait_for_serial(src_state.serial);
-     migrate_qmp(from, to, uri, NULL, "{}");
-@@ -XXX,XX +XXX,XX @@ static void test_migrate_auto_converge(void)
-     qtest_qmp_eventwait(to, "RESUME");
--    wait_for_serial("dest_serial");
-+    wait_for_serial(dst_state.serial);
-     wait_for_migration_complete(from);
-     test_migrate_end(from, to, true);
-@@ -XXX,XX +XXX,XX @@ static void test_multifd_tcp_cancel(void)
-     migrate_incoming_qmp(to, "tcp:127.0.0.1:0", "{}");
-     /* Wait for the first serial output from the source */
--    wait_for_serial("src_serial");
-+    wait_for_serial(src_state.serial);
-     migrate_qmp(from, to, NULL, NULL, "{}");
-@@ -XXX,XX +XXX,XX @@ static void test_multifd_tcp_cancel(void)
-     /* Make sure QEMU process "to" exited */
-     qtest_set_expected_status(to, EXIT_FAILURE);
-     qtest_wait_qemu(to);
--    qtest_quit(to);
-+    unlink(dst_state.serial);
-+    g_free(dst_state.serial);
-     /*
-      * Ensure the source QEMU finishes its cancellation process before we
-@@ -XXX,XX +XXX,XX @@ static void test_multifd_tcp_cancel(void)
-     wait_for_stop(from, &src_state);
-     qtest_qmp_eventwait(to2, "RESUME");
--    wait_for_serial("dest_serial");
-+    wait_for_serial(dst_state.serial);
-     wait_for_migration_complete(from);
-     test_migrate_end(from, to2, true);
- }
-@@ -XXX,XX +XXX,XX @@ static QTestState *dirtylimit_start_vm(void)
-     QTestState *vm = NULL;
-     g_autofree gchar *cmd = NULL;
-+    src_state = (QTestMigrationState) { };
-+    src_state.serial = migrate_get_unique_serial(tmpfs);
-+
-     bootfile_create(tmpfs, false);
-     cmd = g_strdup_printf("-accel kvm,dirty-ring-size=4096 "
-                           "-name dirtylimit-test,debug-threads=on "
-                           "-m 150M -smp 1 "
--                          "-serial file:%s/vm_serial "
-+                          "-serial file:%s "
-                           "-drive file=%s,format=raw ",
--                          tmpfs, bootpath);
-+                          src_state.serial, bootpath);
-     vm = qtest_init(cmd);
-     return vm;
-@@ -XXX,XX +XXX,XX @@ static QTestState *dirtylimit_start_vm(void)
- static void dirtylimit_stop_vm(QTestState *vm)
- {
-     qtest_quit(vm);
--    cleanup("vm_serial");
-+    unlink(src_state.serial);
-+    g_free(src_state.serial);
- }
- static void test_vcpu_dirty_limit(void)
-@@ -XXX,XX +XXX,XX @@ static void test_vcpu_dirty_limit(void)
-     vm = dirtylimit_start_vm();
-     /* Wait for the first serial output from the vm*/
--    wait_for_serial("vm_serial");
-+    wait_for_serial(src_state.serial);
-     /* Do dirtyrate measurement with calc time equals 1s */
-     calc_dirty_rate(vm, 1);
-@@ -XXX,XX +XXX,XX @@ static void migrate_dirty_limit_wait_showup(QTestState *from,
-     migrate_set_capability(from, "pause-before-switchover", true);
-     /* Wait for the serial output from the source */
--    wait_for_serial("src_serial");
-+    wait_for_serial(src_state.serial);
- }
- /*
-@@ -XXX,XX +XXX,XX @@ static void test_migrate_dirty_limit(void)
-     qtest_qmp_eventwait(to, "RESUME");
--    wait_for_serial("dest_serial");
-+    wait_for_serial(dst_state.serial);
-     wait_for_migration_complete(from);
-     test_migrate_end(from, to, true);
---
-.47.0

-[PATCH RFC 10/11] tests/qtest/migration: Support cleaning up only one side of migration
+Deleted patch
-From: Fabiano Rosas <farosas@suse.de>
-We don't always want to cleanup both VMs at the same time. One example
-is the multifd cancel test, where there's a second migration reusing
-the source VM. The next patches will add another instance, keeping the
-destination VM instead.
-Extract the cleanup routine from test_migrate_end() into another
-function so it can be reused.
-Signed-off-by: Fabiano Rosas <farosas@suse.de>
-Link: https://lore.kernel.org/r/20241125144612.16194-4-farosas@suse.de
-Signed-off-by: Peter Xu <peterx@redhat.com>
----
- tests/qtest/migration-test.c | 35 +++++++++++++++++++++--------------
-file changed, 21 insertions(+), 14 deletions(-)
-diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/migration-test.c
-+++ b/tests/qtest/migration-test.c
-@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
-     return 0;
- }
-+static void migrate_cleanup(QTestState *from, QTestState *to)
-+{
-+    if (from) {
-+        qtest_quit(from);
-+        unlink(src_state.serial);
-+        g_free(src_state.serial);
-+    }
-+
-+    if (to) {
-+        qtest_quit(to);
-+        unlink(dst_state.serial);
-+        g_free(dst_state.serial);
-+    }
-+
-+    cleanup("migsocket");
-+    cleanup(FILE_TEST_FILENAME);
-+}
-+
- static void test_migrate_end(QTestState *from, QTestState *to, bool test_dest)
- {
-     unsigned char dest_byte_a, dest_byte_b, dest_byte_c, dest_byte_d;
--    qtest_quit(from);
--
--    if (test_dest) {
-+    if (to && test_dest) {
-         qtest_memread(to, start_address, &dest_byte_a, 1);
-         /* Destination still running, wait for a byte to change */
-@@ -XXX,XX +XXX,XX @@ static void test_migrate_end(QTestState *from, QTestState *to, bool test_dest)
-         check_guests_ram(to);
-     }
--    qtest_quit(to);
--
--    cleanup("migsocket");
--    unlink(src_state.serial);
--    g_free(src_state.serial);
--    unlink(dst_state.serial);
--    g_free(dst_state.serial);
--    cleanup(FILE_TEST_FILENAME);
-+    migrate_cleanup(from, to);
- }
- #ifdef CONFIG_GNUTLS
-@@ -XXX,XX +XXX,XX @@ static void test_multifd_tcp_cancel(void)
-     /* Make sure QEMU process "to" exited */
-     qtest_set_expected_status(to, EXIT_FAILURE);
--    qtest_wait_qemu(to);
--    unlink(dst_state.serial);
--    g_free(dst_state.serial);
-+    migrate_cleanup(NULL, to);
-     /*
-      * Ensure the source QEMU finishes its cancellation process before we
---
-.47.0

-[PATCH RFC 11/11] tests/qtest/migration: Test successive migrations
+Deleted patch
-From: Fabiano Rosas <farosas@suse.de>
-Add a framework for running migrations back and forth between two
-guests (aka ping-pong migration). We have seen a couple of bugs that
-only reproduce when a guest is migrated and the destination machine is
-used as the source of a new migration.
-Add a simple test that does 2 migrations and another test that uses
-the late-block-activate capability, which is one area where a bug has
-been found.
-Note that this does not reuse any of the existing tests
-(e.g. test_precopy_common), because there is too much ambiguity
-regarding how to handle the hooks, args->result, stop/continue, etc.
-Signed-off-by: Fabiano Rosas <farosas@suse.de>
-Link: https://lore.kernel.org/r/20241125144612.16194-6-farosas@suse.de
-Signed-off-by: Peter Xu <peterx@redhat.com>
----
- tests/qtest/migration-test.c | 121 +++++++++++++++++++++++++++++++++++
-file changed, 121 insertions(+)
-diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/migration-test.c
-+++ b/tests/qtest/migration-test.c
-@@ -XXX,XX +XXX,XX @@ finish:
-     test_migrate_end(from, to, args->result == MIG_TEST_SUCCEED);
- }
-+static void migrate_dst_becomes_src(QTestState **from, QTestState **to,
-+                                    QTestMigrationState *src_state,
-+                                    QTestMigrationState *dst_state)
-+{
-+    *from = *to;
-+
-+    *src_state = (QTestMigrationState) { };
-+    src_state->serial = dst_state->serial;
-+    qtest_qmp_set_event_callback(*from, migrate_watch_for_events, src_state);
-+
-+    src_state->stop_seen = dst_state->stop_seen;
-+}
-+
-+static void test_precopy_ping_pong_common(MigrateCommon *args, int n,
-+                                          bool late_block_activate)
-+{
-+    QTestState *from, *to;
-+    bool keep_paused = false;
-+
-+    g_assert(!args->live);
-+
-+    g_test_message("Migrating back and forth %d times", n);
-+
-+    for (int i = 0; i < n; i++) {
-+        g_test_message("%s (%d/%d)", i % 2 ? "pong" : "ping", i + 1, n);
-+
-+        if (test_migrate_start(&from, &to, args->listen_uri, &args->start)) {
-+            return;
-+        }
-+
-+        if (late_block_activate) {
-+            migrate_set_capability(from, "late-block-activate", true);
-+            migrate_set_capability(to, "late-block-activate", true);
-+
-+            /*
-+             * The late-block-activate capability expects that the
-+             * management layer will issue a qmp_continue command on
-+             * the destination once the migration finishes. In order
-+             * to test the capability properly, make sure the test is
-+             * not issuing spurious continue commands.
-+             */
-+            keep_paused = true;
-+        }
-+
-+        if (!src_state.stop_seen) {
-+            wait_for_serial(src_state.serial);
-+        }
-+
-+        /* because of !args->live */
-+        qtest_qmp_assert_success(from, "{ 'execute' : 'stop'}");
-+        wait_for_stop(from, &src_state);
-+
-+        migrate_ensure_converge(from);
-+        migrate_qmp(from, to, args->connect_uri, args->connect_channels, "{}");
-+
-+        wait_for_migration_complete(from);
-+        wait_for_migration_complete(to);
-+
-+        /* note check_guests_ram() requires a stopped guest */
-+        check_guests_ram(to);
-+
-+        if (keep_paused) {
-+            /*
-+             * Nothing issued continue on the destination, reflect
-+             * that the guest is paused in the dst_state.
-+             */
-+            dst_state.stop_seen = true;
-+        } else {
-+            qtest_qmp_assert_success(to, "{ 'execute' : 'cont'}");
-+            wait_for_serial(dst_state.serial);
-+            dst_state.stop_seen = false;
-+        }
-+
-+        /*
-+         * Last iteration, let the guest run to make sure there's no
-+         * memory corruption. The test_migrate_end() below will check
-+         * the memory one last time.
-+         */
-+        if (i == n - 1) {
-+            qtest_qmp_assert_success(to, "{ 'execute' : 'cont'}");
-+            wait_for_serial(dst_state.serial);
-+            dst_state.stop_seen = false;
-+            break;
-+        }
-+
-+        /*
-+         * Prepare for migrating back: clear the original source and
-+         * switch source & destination.
-+         */
-+        migrate_cleanup(from, NULL);
-+        migrate_dst_becomes_src(&from, &to, &src_state, &dst_state);
-+
-+        args->start.only_target = true;
-+    }
-+
-+    test_migrate_end(from, to, true);
-+}
-+
- static void file_dirty_offset_region(void)
- {
-     g_autofree char *path = g_strdup_printf("%s/%s", tmpfs, FILE_TEST_FILENAME);
-@@ -XXX,XX +XXX,XX @@ static void test_migrate_dirty_limit(void)
-     test_migrate_end(from, to, true);
- }
-+static void test_precopy_ping_pong(void)
-+{
-+    MigrateCommon args = {
-+        .listen_uri = "tcp:127.0.0.1:0",
-+    };
-+
-+    test_precopy_ping_pong_common(&args, 2, false);
-+}
-+
-+static void test_precopy_ping_pong_late_block(void)
-+{
-+    MigrateCommon args = {
-+        .listen_uri = "tcp:127.0.0.1:0",
-+    };
-+
-+    test_precopy_ping_pong_common(&args, 2, true);
-+}
-+
- static bool kvm_dirty_ring_supported(void)
- {
- #if defined(__linux__) && defined(HOST_X86_64)
-@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
-         }
-     }
-+    migration_test_add("/migration/precopy/ping-pong/plain",
-+                       test_precopy_ping_pong);
-+    migration_test_add("/migration/precopy/ping-pong/late-block-activate",
-+                       test_precopy_ping_pong_late_block);
-+
-     ret = g_test_run();
-     g_assert_cmpint(ret, ==, 0);
---
-.47.0

I started looking at this problem as a whole when reviewing Fabiano's
series, especially the patch (for a QEMU crash [1]):

https://lore.kernel.org/r/20241125144612.16194-5-farosas@suse.de

The proposed patch could work, but it's unwanted to add such side effect to
migration.  So I start to think about whether we can provide a cleaner
approach, at least remove that "we must active the disk for migration"
dependency, because migration really don't need the disks to be active..

It's also a pure wish that, if bdrv_inactivate_all() could be benign to be
called even if all disks are already inactive.  Then problem also gone.
After all, similar call on bdrv_activate_all() upon all-active disks is all
fine.  I hope that wish could still be fair.

And when I was looking at that, I found more things spread all over the
place on disk activation.  I decided to clean all of them up, while
hopefully fixing the QEMU crash [1] too.

So this is what I came up with as of today.  Marking RFC as of now, just to
collect some feedbacks first.  At least I'd like to go with one more patch
to deprecate late-block-active - not deprecating its function, but make it
always happen (which is the default as of now for Libvirt), which should
hopefully be migration-ABI-safe.

With the help of Fabiano's test cases, I at least am sure this series works
for the ping pong migrations, and all existing qtests.

Let me know, thanks.

[1] https://gitlab.com/qemu-project/qemu/-/issues/2395

Fabiano Rosas (4):
  tests/qtest/migration: Move more code under only_target
  tests/qtest/migration: Don't use hardcoded strings for -serial
  tests/qtest/migration: Support cleaning up only one side of migration
  tests/qtest/migration: Test successive migrations

Peter Xu (7):
  migration: Add helper to get target runstate
  migration/block: Make late-block-active the default
  migration/block: Apply late-block-active behavior to postcopy
  migration/block: Fix possible race with block_inactive
  migration/block: Merge block reactivations for fail/cancel
  migration/block: Extend the migration_block_* API to dest side
  migration/block: Apply the migration_block_* API to postcopy

migration/migration.h           |  33 ++++-
 tests/qtest/migration-helpers.h |   2 +
 migration/migration.c           | 177 +++++++++++-----------
 migration/savevm.c              |  32 ++--
 tests/qtest/migration-helpers.c |   8 +
 tests/qtest/migration-test.c    | 252 +++++++++++++++++++++++++-------
 6 files changed, 344 insertions(+), 160 deletions(-)

-- 
2.47.0

In 99% cases, after QEMU migrates to dest host, it tries to detect the
target VM runstate using global_state_get_runstate().

There's one outlier so far which is Xen that won't send global state.
That's the major reason why global_state_received() check was always there
together with global_state_get_runstate().

However it's utterly confusing why global_state_received() has anything to
do with "let's start VM or not".

Provide a helper to explain it, then we have an unified entry for getting
the target dest QEMU runstate after migration.

Suggested-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static bool migration_needs_multiple_sockets(void)
     return migrate_multifd() || migrate_postcopy_preempt();
 }
 
+static RunState migration_get_target_runstate(void)
+{
+    /*
+     * When the global state is not migrated, it means we don't know the
+     * runstate of the src QEMU.  We don't have much choice but assuming
+     * the VM is running.  NOTE: this is pretty rare case, so far only Xen
+     * uses it.
+     */
+    if (!global_state_received()) {
+        return RUN_STATE_RUNNING;
+    }
+
+    return global_state_get_runstate();
+}
+
 static bool transport_supports_multi_channels(MigrationAddress *addr)
 {
     if (addr->transport == MIGRATION_ADDRESS_TYPE_SOCKET) {
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
      * unless we really are starting the VM.
      */
     if (!migrate_late_block_activate() ||
-         (autostart && (!global_state_received() ||
-            runstate_is_live(global_state_get_runstate())))) {
+        (autostart && runstate_is_live(migration_get_target_runstate()))) {
         /* Make sure all file formats throw away their mutable metadata.
          * If we get an error here, just don't restart the VM yet. */
         bdrv_activate_all(&local_err);
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
 
     dirty_bitmap_mig_before_vm_start();
 
-    if (!global_state_received() ||
-        runstate_is_live(global_state_get_runstate())) {
+    if (runstate_is_live(migration_get_target_runstate())) {
         if (autostart) {
             vm_start();
         } else {
-- 
2.47.0

Migration capability 'late-block-active' controls when the block drives
will be activated.  If enabled, block drives will only be activated until
VM starts, either src runstate was "live" (RUNNING, or SUSPENDED), or it'll
be postponed until qmp_cont().

Let's do this unconditionally.  There's no harm to delay activation of
block drives.  Meanwhile there's no ABI breakage if dest does it, because
src QEMU has nothing to do with it, so it's no concern on ABI breakage.

IIUC we could avoid introducing this cap when introducing it before, but
now it's still not too late to just always do it.  Cap now prone to
removal, but it'll be for later patches.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.c | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
 
     trace_vmstate_downtime_checkpoint("dst-precopy-bh-enter");
 
-    /* If capability late_block_activate is set:
-     * Only fire up the block code now if we're going to restart the
-     * VM, else 'cont' will do it.
-     * This causes file locking to happen; so we don't want it to happen
-     * unless we really are starting the VM.
-     */
-    if (!migrate_late_block_activate() ||
-        (autostart && runstate_is_live(migration_get_target_runstate()))) {
-        /* Make sure all file formats throw away their mutable metadata.
-         * If we get an error here, just don't restart the VM yet. */
-        bdrv_activate_all(&local_err);
-        if (local_err) {
-            error_report_err(local_err);
-            local_err = NULL;
-            autostart = false;
-        }
-    }
-
     /*
      * This must happen after all error conditions are dealt with and
      * we're sure the VM is going to be running on this host.
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
 
     if (runstate_is_live(migration_get_target_runstate())) {
         if (autostart) {
-            vm_start();
+            /*
+             * Block activation is always delayed until VM starts, either
+             * here (which means we need to start the dest VM right now..),
+             * or until qmp_cont() later.
+             *
+             * We used to have cap 'late-block-activate' but now we do this
+             * unconditionally, as it has no harm but only benefit.  E.g.,
+             * it's not part of migration ABI on the time of disk activation.
+             *
+             * Make sure all file formats throw away their mutable
+             * metadata.  If error, don't restart the VM yet.
+             */
+            bdrv_activate_all(&local_err);
+            if (local_err) {
+                error_report_err(local_err);
+                local_err = NULL;
+            } else {
+                vm_start();
+            }
         } else {
             runstate_set(RUN_STATE_PAUSED);
         }
-- 
2.47.0

Postcopy never cared about late-block-active.  However there's no mention
in the capability that it doesn't apply to postcopy.

Considering that we _assumed_ late activation is always good, do that too
for postcopy unconditionally, just like precopy.  After this patch, we
should have unified the behavior across all.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/savevm.c | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/migration/savevm.c b/migration/savevm.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -XXX,XX +XXX,XX @@ static void loadvm_postcopy_handle_run_bh(void *opaque)
 
     trace_vmstate_downtime_checkpoint("dst-postcopy-bh-announced");
 
-    /* Make sure all file formats throw away their mutable metadata.
-     * If we get an error here, just don't restart the VM yet. */
-    bdrv_activate_all(&local_err);
-    if (local_err) {
-        error_report_err(local_err);
-        local_err = NULL;
-        autostart = false;
-    }
-
-    trace_vmstate_downtime_checkpoint("dst-postcopy-bh-cache-invalidated");
-
     dirty_bitmap_mig_before_vm_start();
 
     if (autostart) {
-        /* Hold onto your hats, starting the CPU */
-        vm_start();
+        /* Make sure all file formats throw away their mutable metadata.
+         * If we get an error here, just don't restart the VM yet. */
+        bdrv_activate_all(&local_err);
+        trace_vmstate_downtime_checkpoint("dst-postcopy-bh-cache-invalidated");
+        if (local_err) {
+            error_report_err(local_err);
+            local_err = NULL;
+        } else {
+            vm_start();
+        }
     } else {
         /* leave it paused and let management decide when to start the CPU */
         runstate_set(RUN_STATE_PAUSED);
-- 
2.47.0

Src QEMU sets block_inactive=true very early before the invalidation takes
place.  It means if something wrong happened during setting the flag but
before reaching qemu_savevm_state_complete_precopy_non_iterable() where it
did the invalidation work, it'll make block_inactive flag inconsistent.

For example, think about when qemu_savevm_state_complete_precopy_iterable()
can fail: it will have block_inactive set to true even if all block drives
are active.

Fix that by only update the flag after the invalidation is done.

No Fixes for any commit, because it's not an issue if bdrv_activate_all()
is re-entrant upon all-active disks - false positive block_inactive can
bring nothing more than "trying to active the blocks but they're already
active".  However let's still do it right to avoid the inconsistent flag
v.s. reality.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.c | 9 +++------
 migration/savevm.c    | 2 ++
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static int migration_completion_precopy(MigrationState *s,
         goto out_unlock;
     }
 
-    /*
-     * Inactivate disks except in COLO, and track that we have done so in order
-     * to remember to reactivate them if migration fails or is cancelled.
-     */
-    s->block_inactive = !migrate_colo();
     migration_rate_set(RATE_LIMIT_DISABLED);
+
+    /* Inactivate disks except in COLO */
     ret = qemu_savevm_state_complete_precopy(s->to_dst_file, false,
-                                             s->block_inactive);
+                                             !migrate_colo());
 out_unlock:
     bql_unlock();
     return ret;
diff --git a/migration/savevm.c b/migration/savevm.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -XXX,XX +XXX,XX @@ int qemu_savevm_state_complete_precopy_non_iterable(QEMUFile *f,
             qemu_file_set_error(f, ret);
             return ret;
         }
+        /* Remember that we did this */
+        s->block_inactive = true;
     }
     if (!in_postcopy) {
         /* Postcopy stream will still be going */
-- 
2.47.0

When migration is either cancelled or failed during switchover, especially
when after the disks are inactivated, QEMU needs to remember re-activate
the disks again before vm starts.

It used to be done separately in two paths: one in qmp_migrate_cancel(),
the other one in the failure path of migration_completion().

It used to be fixed in different commits, all over the places in QEMU.  So
these are the ones I see at least:

- In 2016, commit fe904ea824 ("migration: regain control of images when
   migration fails to complete")

- In 2017, commit 1d2acc3162 ("migration: re-active images while migration
   been canceled after inactive them")

- In 2023, commit 6dab4c93ec ("migration: Attempt disk reactivation in
   more failure scenarios")

We could have done better on trying to solve this once and for all.  Now it
might be a good chance because we have a better whole picture now.

Put both of the error cases together now into migration_iteration_finish(),
which will be invoked for either of the scenario.

At the meantime, cleanup block_inactive in a few ways:

- Rename it to block_active, which is easier to follow..

- Maintain the flag for the whole lifecycle of QEMU.  Otherwise it's not
    clear on when the flag is valid or not.

- Put it together with the operations, rather than updating the flag
    separately.

Now we set the flag to TRUE from the start, showing block ownership of a
fresh started QEMU (but so far only used in migration module).  Then it can
be modified by migration switchover code if invalidation happened.  With
that, the flag always reflects the correct block ownership.

NOTE: it can always be racy if there's concurrent operation to change the
block activation status (e.g., qmp_cont() right after migration failure but
right before block re-activate happens), but that's not avoidable even
before this patch, so it's not part of the goal that this patch would like
to achieve, so put aside as of now.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.h | 20 +++++++++-
 migration/migration.c | 86 +++++++++++++++++++++++++------------------
 migration/savevm.c    | 11 ++----
 3 files changed, 72 insertions(+), 45 deletions(-)

diff --git a/migration/migration.h b/migration/migration.h
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.h
+++ b/migration/migration.h
@@ -XXX,XX +XXX,XX @@ struct MigrationState {
     /* Flag set once the migration thread is running (and needs joining) */
     bool migration_thread_running;
 
-    /* Flag set once the migration thread called bdrv_inactivate_all */
-    bool block_inactive;
+    /*
+     * Migration-only cache to remember the block layer activation status.
+     * Protected by BQL.
+     *
+     * We need this because..
+     *
+     * - Migration can fail after block devices are invalidated (during
+     *   switchover phase).  When that happens, we need to be able to
+     *   recover the block drive status by re-activating them.
+     *
+     * For freshly started QEMU, block_active is initialized to TRUE
+     * reflecting the scenario where QEMU owns block device ownerships.
+     */
+    bool block_active;
 
     /* Migration is waiting for guest to unplug device */
     QemuSemaphore wait_unplug_sem;
@@ -XXX,XX +XXX,XX @@ void migration_bitmap_sync_precopy(bool last_stage);
 /* migration/block-dirty-bitmap.c */
 void dirty_bitmap_mig_init(void);
 
+/* Wrapper for block active/inactive operations */
+bool migration_block_activate(MigrationState *s);
+bool migration_block_inactivate(MigrationState *s);
+
 #endif
diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static void migration_downtime_end(MigrationState *s)
     trace_vmstate_downtime_checkpoint("src-downtime-end");
 }
 
+bool migration_block_activate(MigrationState *s)
+{
+    Error *local_err = NULL;
+
+    assert(bql_locked());
+
+    if (s->block_active) {
+        return true;
+    }
+
+    bdrv_activate_all(&local_err);
+    if (local_err) {
+        error_report_err(local_err);
+        return false;
+    }
+
+    s->block_active = true;
+    return true;
+}
+
+bool migration_block_inactivate(MigrationState *s)
+{
+    int ret;
+
+    assert(bql_locked());
+
+    if (!s->block_active) {
+        return true;
+    }
+
+    ret = bdrv_inactivate_all();
+    if (ret) {
+        error_report("%s: bdrv_inactivate_all() failed: %d\n",
+                     __func__, ret);
+        return false;
+    }
+
+    s->block_active = false;
+    return true;
+}
+
 static bool migration_needs_multiple_sockets(void)
 {
     return migrate_multifd() || migrate_postcopy_preempt();
@@ -XXX,XX +XXX,XX @@ static void migrate_fd_cancel(MigrationState *s)
             }
         }
     }
-    if (s->state == MIGRATION_STATUS_CANCELLING && s->block_inactive) {
-        Error *local_err = NULL;
-
-        bdrv_activate_all(&local_err);
-        if (local_err) {
-            error_report_err(local_err);
-        } else {
-            s->block_inactive = false;
-        }
-    }
 }
 
 void migration_add_notifier_mode(NotifierWithReturn *notify,
@@ -XXX,XX +XXX,XX @@ static void migration_completion_postcopy(MigrationState *s)
     trace_migration_completion_postcopy_end_after_complete();
 }
 
-static void migration_completion_failed(MigrationState *s,
-                                        int current_active_state)
-{
-    if (s->block_inactive && (s->state == MIGRATION_STATUS_ACTIVE ||
-                              s->state == MIGRATION_STATUS_DEVICE)) {
-        /*
-         * If not doing postcopy, vm_start() will be called: let's
-         * regain control on images.
-         */
-        Error *local_err = NULL;
-
-        bql_lock();
-        bdrv_activate_all(&local_err);
-        if (local_err) {
-            error_report_err(local_err);
-        } else {
-            s->block_inactive = false;
-        }
-        bql_unlock();
-    }
-
-    migrate_set_state(&s->state, current_active_state,
-                      MIGRATION_STATUS_FAILED);
-}
-
 /**
  * migration_completion: Used by migration_thread when there's not much left.
  *   The caller 'breaks' the loop when this returns.
@@ -XXX,XX +XXX,XX @@ fail:
         error_free(local_err);
     }
 
-    migration_completion_failed(s, current_active_state);
+    migrate_set_state(&s->state, current_active_state,
+                      MIGRATION_STATUS_FAILED);
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static void migration_iteration_finish(MigrationState *s)
     case MIGRATION_STATUS_FAILED:
     case MIGRATION_STATUS_CANCELLED:
     case MIGRATION_STATUS_CANCELLING:
+        /*
+         * Re-activate the block drives if they're inactivated.  Note, COLO
+         * shouldn't use block_active at all, so it should be no-op there.
+         */
+        migration_block_activate(s);
         if (runstate_is_live(s->vm_old_state)) {
             if (!runstate_check(RUN_STATE_SHUTDOWN)) {
                 vm_start();
@@ -XXX,XX +XXX,XX @@ static void migration_instance_init(Object *obj)
     ms->state = MIGRATION_STATUS_NONE;
     ms->mbps = -1;
     ms->pages_per_second = -1;
+    /* Freshly started QEMU owns all the block devices */
+    ms->block_active = true;
     qemu_sem_init(&ms->pause_sem, 0);
     qemu_mutex_init(&ms->error_mutex);
 
diff --git a/migration/savevm.c b/migration/savevm.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -XXX,XX +XXX,XX @@ int qemu_savevm_state_complete_precopy_non_iterable(QEMUFile *f,
     if (inactivate_disks) {
         /* Inactivate before sending QEMU_VM_EOF so that the
          * bdrv_activate_all() on the other end won't fail. */
-        ret = bdrv_inactivate_all();
-        if (ret) {
-            error_setg(&local_err, "%s: bdrv_inactivate_all() failed (%d)",
-                       __func__, ret);
+        if (!migration_block_inactivate(ms)) {
+            error_setg(&local_err, "%s: bdrv_inactivate_all() failed",
+                       __func__);
             migrate_set_error(ms, local_err);
             error_report_err(local_err);
-            qemu_file_set_error(f, ret);
+            qemu_file_set_error(f, -EFAULT);
             return ret;
         }
-        /* Remember that we did this */
-        s->block_inactive = true;
     }
     if (!in_postcopy) {
         /* Postcopy stream will still be going */
-- 
2.47.0

Extend the usage of such API to the receiver side, because such status
maintenance is also necessary there.

It's needed to avoid bdrv_inactivate_all() not being invoked when the
drives are already inactive.  When invoked, it can crash QEMU.  See the
issue link for more information.

So it means we need to start remember the block activation status not only
on src, but also on dest.

One thing tricky here is, when we need to consider incoming QEMU, we need
to also consider its initial status as incoming side.  Due to the fact that
before switchover the incoming QEMU doesn't own the disks, we need to set
initial state to FALSE for a incoming QEMU.  In this case, postcopy recover
doesn't count.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2395
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.h | 13 +++++++++++++
 migration/migration.c | 13 +++++++------
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/migration/migration.h b/migration/migration.h
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.h
+++ b/migration/migration.h
@@ -XXX,XX +XXX,XX @@ struct MigrationState {
      *   switchover phase).  When that happens, we need to be able to
      *   recover the block drive status by re-activating them.
      *
+     * - Currently bdrv_inactivate_all() is not safe to be invoked on top
+     *   of invalidated drives (even if bdrv_activate_all() is actually
+     *   safe to be called any time!).  It means remembering this could
+     *   help migration to make sure it won't invalidate twice in a row,
+     *   crashing QEMU.  It can happen when we migrate a PAUSED VM from
+     *   host1 to host2, then migrate again to host3 without starting it.
+     *   TODO: a cleaner solution is to allow safe invoke of
+     *   bdrv_inactivate_all() at anytime, like bdrv_activate_all().
+     *
      * For freshly started QEMU, block_active is initialized to TRUE
      * reflecting the scenario where QEMU owns block device ownerships.
+     *
+     * For incoming QEMU taking a migration stream, block_active is set to
+     * FALSE reflecting that the incoming side doesn't own the block
+     * devices, not until switchover happens.
      */
     bool block_active;
 
diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ migration_incoming_state_setup(MigrationIncomingState *mis, Error **errp)
         return false;
     }
 
+    /*
+     * Newly setup QEMU, prepared for incoming migration.  Mark the block
+     * active state to reflect that the src currently owns the disks.
+     */
+    migrate_get_current()->block_active = false;
+
     migrate_set_state(&mis->state, current, MIGRATION_STATUS_SETUP);
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static void qemu_start_incoming_migration(const char *uri, bool has_channels,
 
 static void process_incoming_migration_bh(void *opaque)
 {
-    Error *local_err = NULL;
     MigrationIncomingState *mis = opaque;
 
     trace_vmstate_downtime_checkpoint("dst-precopy-bh-enter");
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
              * Make sure all file formats throw away their mutable
              * metadata.  If error, don't restart the VM yet.
              */
-            bdrv_activate_all(&local_err);
-            if (local_err) {
-                error_report_err(local_err);
-                local_err = NULL;
-            } else {
+            if (migration_block_activate(migrate_get_current())) {
                 vm_start();
             }
         } else {
-- 
2.47.0

Postcopy also has similar error handling for re-activation of block
devices.  Use the same API as precopy to do the re-activation, for both src
& dst sides.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.c | 22 +++-------------------
 migration/savevm.c    | 10 ++++------
 2 files changed, 7 insertions(+), 25 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
     QIOChannelBuffer *bioc;
     QEMUFile *fb;
     uint64_t bandwidth = migrate_max_postcopy_bandwidth();
-    bool restart_block = false;
     int cur_state = MIGRATION_STATUS_ACTIVE;
 
     if (migrate_postcopy_preempt()) {
@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
         goto fail;
     }
 
-    ret = bdrv_inactivate_all();
-    if (ret < 0) {
-        error_setg_errno(errp, -ret, "%s: Failed in bdrv_inactivate_all()",
-                         __func__);
+    if (!migration_block_inactivate(ms)) {
+        error_setg(errp, "%s: Failed in bdrv_inactivate_all()", __func__);
         goto fail;
     }
-    restart_block = true;
 
     /*
      * Cause any non-postcopiable, but iterative devices to
@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
         goto fail_closefb;
     }
 
-    restart_block = false;
-
     /* Now send that blob */
     if (qemu_savevm_send_packaged(ms->to_dst_file, bioc->data, bioc->usage)) {
         error_setg(errp, "%s: Failed to send packaged data", __func__);
@@ -XXX,XX +XXX,XX @@ fail_closefb:
 fail:
     migrate_set_state(&ms->state, MIGRATION_STATUS_POSTCOPY_ACTIVE,
                           MIGRATION_STATUS_FAILED);
-    if (restart_block) {
-        /* A failure happened early enough that we know the destination hasn't
-         * accessed block devices, so we're safe to recover.
-         */
-        Error *local_err = NULL;
-
-        bdrv_activate_all(&local_err);
-        if (local_err) {
-            error_report_err(local_err);
-        }
-    }
+    migration_block_activate(ms);
     migration_call_notifiers(ms, MIG_EVENT_PRECOPY_FAILED, NULL);
     bql_unlock();
     return -1;
diff --git a/migration/savevm.c b/migration/savevm.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -XXX,XX +XXX,XX @@ static int loadvm_postcopy_handle_listen(MigrationIncomingState *mis)
 
 static void loadvm_postcopy_handle_run_bh(void *opaque)
 {
-    Error *local_err = NULL;
     MigrationIncomingState *mis = opaque;
 
     trace_vmstate_downtime_checkpoint("dst-postcopy-bh-enter");
@@ -XXX,XX +XXX,XX @@ static void loadvm_postcopy_handle_run_bh(void *opaque)
     if (autostart) {
         /* Make sure all file formats throw away their mutable metadata.
          * If we get an error here, just don't restart the VM yet. */
-        bdrv_activate_all(&local_err);
+        bool success = migration_block_activate(migrate_get_current());
+
         trace_vmstate_downtime_checkpoint("dst-postcopy-bh-cache-invalidated");
-        if (local_err) {
-            error_report_err(local_err);
-            local_err = NULL;
-        } else {
+
+        if (success) {
             vm_start();
         }
     } else {
-- 
2.47.0

From: Fabiano Rosas <farosas@suse.de>

The only_target option's purpose is to make sure only the destination
QTestState machine is initialized. This allows the test code to retain
an already initialized source machine (e.g. for doing ping pong
migration).

We have drifted from that a bit when adding new code, so move some
lines under only_target to restore the functionality.

Signed-off-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20241125144612.16194-2-farosas@suse.de
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 tests/qtest/migration-test.c | 44 ++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 19 deletions(-)

diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/migration-test.c
+++ b/tests/qtest/migration-test.c
@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
     g_autofree gchar *arch_target = NULL;
     /* options for source and target */
     g_autofree gchar *arch_opts = NULL;
-    g_autofree gchar *cmd_source = NULL;
     g_autofree gchar *cmd_target = NULL;
     const gchar *ignore_stderr;
     g_autofree char *shmem_opts = NULL;
@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
         }
     }
 
-    dst_state = (QTestMigrationState) { };
-    src_state = (QTestMigrationState) { };
     bootfile_create(tmpfs, args->suspend_me);
-    src_state.suspend_me = args->suspend_me;
 
     if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
         memory_size = "150M";
@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
 
     g_test_message("Using machine type: %s", machine);
 
-    cmd_source = g_strdup_printf("-accel kvm%s -accel tcg "
-                                 "-machine %s,%s "
-                                 "-name source,debug-threads=on "
-                                 "-m %s "
-                                 "-serial file:%s/src_serial "
-                                 "%s %s %s %s %s",
-                                 kvm_opts ? kvm_opts : "",
-                                 machine, machine_opts,
-                                 memory_size, tmpfs,
-                                 arch_opts ? arch_opts : "",
-                                 arch_source ? arch_source : "",
-                                 shmem_opts ? shmem_opts : "",
-                                 args->opts_source ? args->opts_source : "",
-                                 ignore_stderr);
     if (!args->only_target) {
+        g_autofree gchar *cmd_source = NULL;
+
+        src_state = (QTestMigrationState) { };
+        src_state.suspend_me = args->suspend_me;
+
+        cmd_source = g_strdup_printf("-accel kvm%s -accel tcg "
+                                     "-machine %s,%s "
+                                     "-name source,debug-threads=on "
+                                     "-m %s "
+                                     "-serial file:%s/src_serial "
+                                     "%s %s %s %s %s",
+                                     kvm_opts ? kvm_opts : "",
+                                     machine, machine_opts,
+                                     memory_size, tmpfs,
+                                     arch_opts ? arch_opts : "",
+                                     arch_source ? arch_source : "",
+                                     shmem_opts ? shmem_opts : "",
+                                     args->opts_source ? args->opts_source : "",
+                                     ignore_stderr);
+
         *from = qtest_init_with_env(QEMU_ENV_SRC, cmd_source);
         qtest_qmp_set_event_callback(*from,
                                      migrate_watch_for_events,
                                      &src_state);
     }
 
+    dst_state = (QTestMigrationState) { };
+
     cmd_target = g_strdup_printf("-accel kvm%s -accel tcg "
                                  "-machine %s,%s "
                                  "-name target,debug-threads=on "
@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
      * Always enable migration events.  Libvirt always uses it, let's try
      * to mimic as closer as that.
      */
-    migrate_set_capability(*from, "events", true);
+    if (!args->only_target) {
+        migrate_set_capability(*from, "events", true);
+    }
     migrate_set_capability(*to, "events", true);
 
     return 0;
-- 
2.47.0

From: Fabiano Rosas <farosas@suse.de>

Stop using hardcoded strings for -serial so we can in the next patches
perform more than one migration in a row. Having the serial path
hardcoded means we cannot reuse the code when dst becomes the new src.

Signed-off-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20241125144612.16194-3-farosas@suse.de
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 tests/qtest/migration-helpers.h |  2 +
 tests/qtest/migration-helpers.c |  8 ++++
 tests/qtest/migration-test.c    | 68 ++++++++++++++++++---------------
 3 files changed, 48 insertions(+), 30 deletions(-)

diff --git a/tests/qtest/migration-helpers.h b/tests/qtest/migration-helpers.h
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/migration-helpers.h
+++ b/tests/qtest/migration-helpers.h
@@ -XXX,XX +XXX,XX @@ typedef struct QTestMigrationState {
     bool resume_seen;
     bool suspend_seen;
     bool suspend_me;
+    char *serial;
 } QTestMigrationState;
 
 bool migrate_watch_for_events(QTestState *who, const char *name,
@@ -XXX,XX +XXX,XX @@ static inline bool probe_o_direct_support(const char *tmpfs)
 #endif
 void migration_test_add(const char *path, void (*fn)(void));
 void migration_event_wait(QTestState *s, const char *target);
+char *migrate_get_unique_serial(const char *tmpfs);
 
 #endif /* MIGRATION_HELPERS_H */
diff --git a/tests/qtest/migration-helpers.c b/tests/qtest/migration-helpers.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/migration-helpers.c
+++ b/tests/qtest/migration-helpers.c
@@ -XXX,XX +XXX,XX @@ void migration_event_wait(QTestState *s, const char *target)
         qobject_unref(response);
     } while (!found);
 }
+
+char *migrate_get_unique_serial(const char *tmpfs)
+{
+    static int i;
+
+    assert(i < INT_MAX);
+    return g_strdup_printf("%s/serial_%d", tmpfs, i++);
+}
diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/migration-test.c
+++ b/tests/qtest/migration-test.c
@@ -XXX,XX +XXX,XX @@ static void bootfile_create(char *dir, bool suspend_me)
  * we get an 'A' followed by an endless string of 'B's
  * but on the destination we won't have the A (unless we enabled suspend/resume)
  */
-static void wait_for_serial(const char *side)
+static void wait_for_serial(const char *serialpath)
 {
-    g_autofree char *serialpath = g_strdup_printf("%s/%s", tmpfs, side);
     FILE *serialfile = fopen(serialpath, "r");
 
     do {
@@ -XXX,XX +XXX,XX @@ static void wait_for_serial(const char *side)
             break;
 
         default:
-            fprintf(stderr, "Unexpected %d on %s serial\n", readvalue, side);
+            fprintf(stderr, "Unexpected %d on %s\n", readvalue, serialpath);
             g_assert_not_reached();
         }
     } while (true);
@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
 
         src_state = (QTestMigrationState) { };
         src_state.suspend_me = args->suspend_me;
+        src_state.serial = migrate_get_unique_serial(tmpfs);
 
         cmd_source = g_strdup_printf("-accel kvm%s -accel tcg "
                                      "-machine %s,%s "
                                      "-name source,debug-threads=on "
                                      "-m %s "
-                                     "-serial file:%s/src_serial "
+                                     "-serial file:%s "
                                      "%s %s %s %s %s",
                                      kvm_opts ? kvm_opts : "",
                                      machine, machine_opts,
-                                     memory_size, tmpfs,
+                                     memory_size, src_state.serial,
                                      arch_opts ? arch_opts : "",
                                      arch_source ? arch_source : "",
                                      shmem_opts ? shmem_opts : "",
@@ -XXX,XX +XXX,XX @@ static int test_migrate_start(QTestState **from, QTestState **to,
     }
 
     dst_state = (QTestMigrationState) { };
+    dst_state.serial = migrate_get_unique_serial(tmpfs);
 
     cmd_target = g_strdup_printf("-accel kvm%s -accel tcg "
                                  "-machine %s,%s "
                                  "-name target,debug-threads=on "
                                  "-m %s "
-                                 "-serial file:%s/dest_serial "
+                                 "-serial file:%s "
                                  "-incoming %s "
                                  "%s %s %s %s %s",
                                  kvm_opts ? kvm_opts : "",
                                  machine, machine_opts,
-                                 memory_size, tmpfs, uri,
+                                 memory_size, dst_state.serial, uri,
                                  arch_opts ? arch_opts : "",
                                  arch_target ? arch_target : "",
                                  shmem_opts ? shmem_opts : "",
@@ -XXX,XX +XXX,XX @@ static void test_migrate_end(QTestState *from, QTestState *to, bool test_dest)
     qtest_quit(to);
 
     cleanup("migsocket");
-    cleanup("src_serial");
-    cleanup("dest_serial");
+    unlink(src_state.serial);
+    g_free(src_state.serial);
+    unlink(dst_state.serial);
+    g_free(dst_state.serial);
     cleanup(FILE_TEST_FILENAME);
 }
 
@@ -XXX,XX +XXX,XX @@ static int migrate_postcopy_prepare(QTestState **from_ptr,
                              "                'port': '0' } } ] } }");
 
     /* Wait for the first serial output from the source */
-    wait_for_serial("src_serial");
+    wait_for_serial(src_state.serial);
     wait_for_suspend(from, &src_state);
 
     migrate_qmp(from, to, NULL, NULL, "{}");
@@ -XXX,XX +XXX,XX @@ static void migrate_postcopy_complete(QTestState *from, QTestState *to,
     }
 
     /* Make sure we get at least one "B" on destination */
-    wait_for_serial("dest_serial");
+    wait_for_serial(dst_state.serial);
 
     if (uffd_feature_thread_id) {
         read_blocktime(to);
@@ -XXX,XX +XXX,XX @@ static void test_precopy_common(MigrateCommon *args)
 
     /* Wait for the first serial output from the source */
     if (args->result == MIG_TEST_SUCCEED) {
-        wait_for_serial("src_serial");
+        wait_for_serial(src_state.serial);
         wait_for_suspend(from, &src_state);
     }
 
@@ -XXX,XX +XXX,XX @@ static void test_precopy_common(MigrateCommon *args)
             qtest_qmp_assert_success(to, "{'execute': 'system_wakeup'}");
         }
 
-        wait_for_serial("dest_serial");
+        wait_for_serial(dst_state.serial);
     }
 
 finish:
@@ -XXX,XX +XXX,XX @@ static void test_file_common(MigrateCommon *args, bool stop_src)
     }
 
     migrate_ensure_converge(from);
-    wait_for_serial("src_serial");
+    wait_for_serial(src_state.serial);
 
     if (stop_src) {
         qtest_qmp_assert_success(from, "{ 'execute' : 'stop'}");
@@ -XXX,XX +XXX,XX @@ static void test_file_common(MigrateCommon *args, bool stop_src)
     }
     wait_for_resume(to, &dst_state);
 
-    wait_for_serial("dest_serial");
+    wait_for_serial(dst_state.serial);
 
     if (check_offset) {
         file_check_offset_region();
@@ -XXX,XX +XXX,XX @@ static void test_ignore_shared(void)
     migrate_set_capability(to, "x-ignore-shared", true);
 
     /* Wait for the first serial output from the source */
-    wait_for_serial("src_serial");
+    wait_for_serial(src_state.serial);
 
     migrate_qmp(from, to, uri, NULL, "{}");
 
@@ -XXX,XX +XXX,XX @@ static void test_ignore_shared(void)
 
     qtest_qmp_eventwait(to, "RESUME");
 
-    wait_for_serial("dest_serial");
+    wait_for_serial(dst_state.serial);
     wait_for_migration_complete(from);
 
     /* Check whether shared RAM has been really skipped */
@@ -XXX,XX +XXX,XX @@ static void do_test_validate_uuid(MigrateStart *args, bool should_fail)
     migrate_set_capability(from, "validate-uuid", true);
 
     /* Wait for the first serial output from the source */
-    wait_for_serial("src_serial");
+    wait_for_serial(src_state.serial);
 
     migrate_qmp(from, to, uri, NULL, "{}");
 
@@ -XXX,XX +XXX,XX @@ static void do_test_validate_uri_channel(MigrateCommon *args)
     }
 
     /* Wait for the first serial output from the source */
-    wait_for_serial("src_serial");
+    wait_for_serial(src_state.serial);
 
     /*
      * 'uri' and 'channels' validation is checked even before the migration
@@ -XXX,XX +XXX,XX @@ static void test_migrate_auto_converge(void)
     migrate_set_capability(from, "pause-before-switchover", true);
 
     /* Wait for the first serial output from the source */
-    wait_for_serial("src_serial");
+    wait_for_serial(src_state.serial);
 
     migrate_qmp(from, to, uri, NULL, "{}");
 
@@ -XXX,XX +XXX,XX @@ static void test_migrate_auto_converge(void)
 
     qtest_qmp_eventwait(to, "RESUME");
 
-    wait_for_serial("dest_serial");
+    wait_for_serial(dst_state.serial);
     wait_for_migration_complete(from);
 
     test_migrate_end(from, to, true);
@@ -XXX,XX +XXX,XX @@ static void test_multifd_tcp_cancel(void)
     migrate_incoming_qmp(to, "tcp:127.0.0.1:0", "{}");
 
     /* Wait for the first serial output from the source */
-    wait_for_serial("src_serial");
+    wait_for_serial(src_state.serial);
 
     migrate_qmp(from, to, NULL, NULL, "{}");
 
@@ -XXX,XX +XXX,XX @@ static void test_multifd_tcp_cancel(void)
     /* Make sure QEMU process "to" exited */
     qtest_set_expected_status(to, EXIT_FAILURE);
     qtest_wait_qemu(to);
-    qtest_quit(to);
+    unlink(dst_state.serial);
+    g_free(dst_state.serial);
 
     /*
      * Ensure the source QEMU finishes its cancellation process before we
@@ -XXX,XX +XXX,XX @@ static void test_multifd_tcp_cancel(void)
     wait_for_stop(from, &src_state);
     qtest_qmp_eventwait(to2, "RESUME");
 
-    wait_for_serial("dest_serial");
+    wait_for_serial(dst_state.serial);
     wait_for_migration_complete(from);
     test_migrate_end(from, to2, true);
 }
@@ -XXX,XX +XXX,XX @@ static QTestState *dirtylimit_start_vm(void)
     QTestState *vm = NULL;
     g_autofree gchar *cmd = NULL;
 
+    src_state = (QTestMigrationState) { };
+    src_state.serial = migrate_get_unique_serial(tmpfs);
+
     bootfile_create(tmpfs, false);
     cmd = g_strdup_printf("-accel kvm,dirty-ring-size=4096 "
                           "-name dirtylimit-test,debug-threads=on "
                           "-m 150M -smp 1 "
-                          "-serial file:%s/vm_serial "
+                          "-serial file:%s "
                           "-drive file=%s,format=raw ",
-                          tmpfs, bootpath);
+                          src_state.serial, bootpath);
 
     vm = qtest_init(cmd);
     return vm;
@@ -XXX,XX +XXX,XX @@ static QTestState *dirtylimit_start_vm(void)
 static void dirtylimit_stop_vm(QTestState *vm)
 {
     qtest_quit(vm);
-    cleanup("vm_serial");
+    unlink(src_state.serial);
+    g_free(src_state.serial);
 }
 
 static void test_vcpu_dirty_limit(void)
@@ -XXX,XX +XXX,XX @@ static void test_vcpu_dirty_limit(void)
     vm = dirtylimit_start_vm();
 
     /* Wait for the first serial output from the vm*/
-    wait_for_serial("vm_serial");
+    wait_for_serial(src_state.serial);
 
     /* Do dirtyrate measurement with calc time equals 1s */
     calc_dirty_rate(vm, 1);
@@ -XXX,XX +XXX,XX @@ static void migrate_dirty_limit_wait_showup(QTestState *from,
     migrate_set_capability(from, "pause-before-switchover", true);
 
     /* Wait for the serial output from the source */
-    wait_for_serial("src_serial");
+    wait_for_serial(src_state.serial);
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static void test_migrate_dirty_limit(void)
 
     qtest_qmp_eventwait(to, "RESUME");
 
-    wait_for_serial("dest_serial");
+    wait_for_serial(dst_state.serial);
     wait_for_migration_complete(from);
 
     test_migrate_end(from, to, true);
-- 
2.47.0

From: Fabiano Rosas <farosas@suse.de>

We don't always want to cleanup both VMs at the same time. One example
is the multifd cancel test, where there's a second migration reusing
the source VM. The next patches will add another instance, keeping the
destination VM instead.

Extract the cleanup routine from test_migrate_end() into another
function so it can be reused.

Signed-off-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20241125144612.16194-4-farosas@suse.de
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 tests/qtest/migration-test.c | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

From: Fabiano Rosas <farosas@suse.de>

Add a framework for running migrations back and forth between two
guests (aka ping-pong migration). We have seen a couple of bugs that
only reproduce when a guest is migrated and the destination machine is
used as the source of a new migration.

Add a simple test that does 2 migrations and another test that uses
the late-block-activate capability, which is one area where a bug has
been found.

Note that this does not reuse any of the existing tests
(e.g. test_precopy_common), because there is too much ambiguity
regarding how to handle the hooks, args->result, stop/continue, etc.

Signed-off-by: Fabiano Rosas <farosas@suse.de>
Link: https://lore.kernel.org/r/20241125144612.16194-6-farosas@suse.de
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 tests/qtest/migration-test.c | 121 +++++++++++++++++++++++++++++++++++
 1 file changed, 121 insertions(+)

diff --git a/tests/qtest/migration-test.c b/tests/qtest/migration-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/migration-test.c
+++ b/tests/qtest/migration-test.c
@@ -XXX,XX +XXX,XX @@ finish:
     test_migrate_end(from, to, args->result == MIG_TEST_SUCCEED);
 }
 
+static void migrate_dst_becomes_src(QTestState **from, QTestState **to,
+                                    QTestMigrationState *src_state,
+                                    QTestMigrationState *dst_state)
+{
+    *from = *to;
+
+    *src_state = (QTestMigrationState) { };
+    src_state->serial = dst_state->serial;
+    qtest_qmp_set_event_callback(*from, migrate_watch_for_events, src_state);
+
+    src_state->stop_seen = dst_state->stop_seen;
+}
+
+static void test_precopy_ping_pong_common(MigrateCommon *args, int n,
+                                          bool late_block_activate)
+{
+    QTestState *from, *to;
+    bool keep_paused = false;
+
+    g_assert(!args->live);
+
+    g_test_message("Migrating back and forth %d times", n);
+
+    for (int i = 0; i < n; i++) {
+        g_test_message("%s (%d/%d)", i % 2 ? "pong" : "ping", i + 1, n);
+
+        if (test_migrate_start(&from, &to, args->listen_uri, &args->start)) {
+            return;
+        }
+
+        if (late_block_activate) {
+            migrate_set_capability(from, "late-block-activate", true);
+            migrate_set_capability(to, "late-block-activate", true);
+
+            /*
+             * The late-block-activate capability expects that the
+             * management layer will issue a qmp_continue command on
+             * the destination once the migration finishes. In order
+             * to test the capability properly, make sure the test is
+             * not issuing spurious continue commands.
+             */
+            keep_paused = true;
+        }
+
+        if (!src_state.stop_seen) {
+            wait_for_serial(src_state.serial);
+        }
+
+        /* because of !args->live */
+        qtest_qmp_assert_success(from, "{ 'execute' : 'stop'}");
+        wait_for_stop(from, &src_state);
+
+        migrate_ensure_converge(from);
+        migrate_qmp(from, to, args->connect_uri, args->connect_channels, "{}");
+
+        wait_for_migration_complete(from);
+        wait_for_migration_complete(to);
+
+        /* note check_guests_ram() requires a stopped guest */
+        check_guests_ram(to);
+
+        if (keep_paused) {
+            /*
+             * Nothing issued continue on the destination, reflect
+             * that the guest is paused in the dst_state.
+             */
+            dst_state.stop_seen = true;
+        } else {
+            qtest_qmp_assert_success(to, "{ 'execute' : 'cont'}");
+            wait_for_serial(dst_state.serial);
+            dst_state.stop_seen = false;
+        }
+
+        /*
+         * Last iteration, let the guest run to make sure there's no
+         * memory corruption. The test_migrate_end() below will check
+         * the memory one last time.
+         */
+        if (i == n - 1) {
+            qtest_qmp_assert_success(to, "{ 'execute' : 'cont'}");
+            wait_for_serial(dst_state.serial);
+            dst_state.stop_seen = false;
+            break;
+        }
+
+        /*
+         * Prepare for migrating back: clear the original source and
+         * switch source & destination.
+         */
+        migrate_cleanup(from, NULL);
+        migrate_dst_becomes_src(&from, &to, &src_state, &dst_state);
+
+        args->start.only_target = true;
+    }
+
+    test_migrate_end(from, to, true);
+}
+
 static void file_dirty_offset_region(void)
 {
     g_autofree char *path = g_strdup_printf("%s/%s", tmpfs, FILE_TEST_FILENAME);
@@ -XXX,XX +XXX,XX @@ static void test_migrate_dirty_limit(void)
     test_migrate_end(from, to, true);
 }
 
+static void test_precopy_ping_pong(void)
+{
+    MigrateCommon args = {
+        .listen_uri = "tcp:127.0.0.1:0",
+    };
+
+    test_precopy_ping_pong_common(&args, 2, false);
+}
+
+static void test_precopy_ping_pong_late_block(void)
+{
+    MigrateCommon args = {
+        .listen_uri = "tcp:127.0.0.1:0",
+    };
+
+    test_precopy_ping_pong_common(&args, 2, true);
+}
+
 static bool kvm_dirty_ring_supported(void)
 {
 #if defined(__linux__) && defined(HOST_X86_64)
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
         }
     }
 
+    migration_test_add("/migration/precopy/ping-pong/plain",
+                       test_precopy_ping_pong);
+    migration_test_add("/migration/precopy/ping-pong/late-block-activate",
+                       test_precopy_ping_pong_late_block);
+
     ret = g_test_run();
 
     g_assert_cmpint(ret, ==, 0);
-- 
2.47.0

CI: https://gitlab.com/peterx/qemu/-/pipelines/1577280033
 (note: it's a pipeline of two patchsets, to save CI credits and time)

v1: https://lore.kernel.org/r/20241204005138.702289-1-peterx@redhat.com

This is v2 of the series, removing RFC tag, because my goal is to have them
(or some newer version) merged.

The major change is I merged last three patches, and did quite some changes
here and there, to make sure the global disk activation status is always
consistent.  The whole idea is still the same.  I say changelog won't help.

I also temporarily dropped Fabiano's ping-pong test cases to avoid
different versions floating on the list (as I know a new version is coming
at some point. Fabiano: you're taking over the 10.0 pulls, so I assume
you're aware so there's no concern on order of merges).  I'll review the
test cases separately when they're ready, but this series is still tested
with that pingpong test and it keeps working.

I started looking at this problem as a whole when reviewing Fabiano's
series, especially the patch (for a QEMU crash [1]):

https://lore.kernel.org/r/20241125144612.16194-5-farosas@suse.de

The proposed patch could work, but it's unwanted to add such side effect to
migration.  So I start to think about whether we can provide a cleaner
approach, because migration doesn't need the disks to be active to work at
all.  Hence we should try to avoid adding a migration ABI (which doesn't
matter now, but may matter some day) into prepare phase on disk activation
status.  Migration should happen with disks inactivated.

It's also a pure wish that, if bdrv_inactivate_all() could be benign to be
called even if all disks are already inactive.  Then the bug is also gone.
After all, similar call on bdrv_activate_all() upon all-active disks is all
fine.  I hope that wish could still be fair.  But I don't know well on
block layer to say anything meaningful.

And when I was looking at that, I found more things spread all over the
place on disk activation.  I decided to clean all of them up, while
hopefully fixing the QEMU crash [1] too.

For this v2, I did some more tests, I want to make sure all the past paths
keep working at least on failure or cancel races, also in postcopy failure
cases.  So I did below and they all run pass (when I said "emulated" below,
I meant I hacked something to trigger those race / rare failures, because
they aren't easy to trigger with vanilla binary):

- Tested generic migrate_cancel during precopy, disk activation won't be
  affected.  Disk status reports correct values in tracepoints.

- Test Fabiano's ping-pong migration tests on PAUSED state VM.

- Emulated precopy failure before sending non-iterable, disk inactivation
  won't happen, and also activation won't trigger after migration cleanups
  (even if activation on top of activate disk is benign, I checked traces
  to make sure it'll provide consistent disk status, skipping activation).

- Emulated precopy failure right after sending non-iterable. Disks will be
  inactivated, but then can be reactivated properly before VM starts.

- Emulated postcopy failure when sending the packed data (which is after
  disk invalidated), and making sure src VM will get back to live properly,
  re-activate the disks before starting.

- Emulated concurrent migrate_cancel at the end of migration_completion()
  of precopy, after disk inactivated.  Disks can be reactivated properly.

NOTE: here if dest QEMU didn't quit before migrate_cancel,
  bdrv_activate_all() can crash src QEMU.  This behavior should be the same
  before/after this patch.

Comments welcomed, thanks.

[1] https://gitlab.com/qemu-project/qemu/-/issues/2395

Peter Xu (6):
  migration: Add helper to get target runstate
  qmp/cont: Only activate disks if migration completed
  migration/block: Make late-block-active the default
  migration/block: Apply late-block-active behavior to postcopy
  migration/block: Fix possible race with block_inactive
  migration/block: Rewrite disk activation

include/migration/misc.h |   4 ++
 migration/migration.h    |   6 +-
 migration/block-active.c |  94 +++++++++++++++++++++++++++
 migration/colo.c         |   2 +-
 migration/migration.c    | 136 +++++++++++++++------------------------
 migration/savevm.c       |  46 ++++++-------
 monitor/qmp-cmds.c       |  22 +++----
 migration/meson.build    |   1 +
 migration/trace-events   |   3 +
 9 files changed, 188 insertions(+), 126 deletions(-)
 create mode 100644 migration/block-active.c

-- 
2.47.0

In 99% cases, after QEMU migrates to dest host, it tries to detect the
target VM runstate using global_state_get_runstate().

There's one outlier so far which is Xen that won't send global state.
That's the major reason why global_state_received() check was always there
together with global_state_get_runstate().

However it's utterly confusing why global_state_received() has anything to
do with "let's start VM or not".

Provide a helper to explain it, then we have an unified entry for getting
the target dest QEMU runstate after migration.

Suggested-by: Fabiano Rosas <farosas@suse.de>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static bool migration_needs_multiple_sockets(void)
     return migrate_multifd() || migrate_postcopy_preempt();
 }
 
+static RunState migration_get_target_runstate(void)
+{
+    /*
+     * When the global state is not migrated, it means we don't know the
+     * runstate of the src QEMU.  We don't have much choice but assuming
+     * the VM is running.  NOTE: this is pretty rare case, so far only Xen
+     * uses it.
+     */
+    if (!global_state_received()) {
+        return RUN_STATE_RUNNING;
+    }
+
+    return global_state_get_runstate();
+}
+
 static bool transport_supports_multi_channels(MigrationAddress *addr)
 {
     if (addr->transport == MIGRATION_ADDRESS_TYPE_SOCKET) {
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
      * unless we really are starting the VM.
      */
     if (!migrate_late_block_activate() ||
-         (autostart && (!global_state_received() ||
-            runstate_is_live(global_state_get_runstate())))) {
+        (autostart && runstate_is_live(migration_get_target_runstate()))) {
         /* Make sure all file formats throw away their mutable metadata.
          * If we get an error here, just don't restart the VM yet. */
         bdrv_activate_all(&local_err);
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
 
     dirty_bitmap_mig_before_vm_start();
 
-    if (!global_state_received() ||
-        runstate_is_live(global_state_get_runstate())) {
+    if (runstate_is_live(migration_get_target_runstate())) {
         if (autostart) {
             vm_start();
         } else {
-- 
2.47.0

As the comment says, the activation of disks is for the case where
migration has completed, rather than when QEMU is still during
migration (RUN_STATE_INMIGRATE).

Move the code over to reflect what the comment is describing.

Cc: Kevin Wolf <kwolf@redhat.com>
Cc: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 monitor/qmp-cmds.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
index XXXXXXX..XXXXXXX 100644
--- a/monitor/qmp-cmds.c
+++ b/monitor/qmp-cmds.c
@@ -XXX,XX +XXX,XX @@ void qmp_cont(Error **errp)
         }
     }
 
-    /* Continuing after completed migration. Images have been inactivated to
-     * allow the destination to take control. Need to get control back now.
-     *
-     * If there are no inactive block nodes (e.g. because the VM was just
-     * paused rather than completing a migration), bdrv_inactivate_all() simply
-     * doesn't do anything. */
-    bdrv_activate_all(&local_err);
-    if (local_err) {
-        error_propagate(errp, local_err);
-        return;
-    }
-
     if (runstate_check(RUN_STATE_INMIGRATE)) {
         autostart = 1;
     } else {
+        /*
+         * Continuing after completed migration. Images have been
+         * inactivated to allow the destination to take control. Need to
+         * get control back now.
+         *
+         * If there are no inactive block nodes (e.g. because the VM was
+         * just paused rather than completing a migration),
+         * bdrv_inactivate_all() simply doesn't do anything.
+         */
+        bdrv_activate_all(&local_err);
+        if (local_err) {
+            error_propagate(errp, local_err);
+            return;
+        }
         vm_start();
     }
 }
-- 
2.47.0

IIUC we could avoid introducing this cap when introducing it before, but
now it's still not too late to just always do it.  Cap now prone to
removal, but it'll be for later patches.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.c | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
 
     trace_vmstate_downtime_checkpoint("dst-precopy-bh-enter");
 
-    /* If capability late_block_activate is set:
-     * Only fire up the block code now if we're going to restart the
-     * VM, else 'cont' will do it.
-     * This causes file locking to happen; so we don't want it to happen
-     * unless we really are starting the VM.
-     */
-    if (!migrate_late_block_activate() ||
-        (autostart && runstate_is_live(migration_get_target_runstate()))) {
-        /* Make sure all file formats throw away their mutable metadata.
-         * If we get an error here, just don't restart the VM yet. */
-        bdrv_activate_all(&local_err);
-        if (local_err) {
-            error_report_err(local_err);
-            local_err = NULL;
-            autostart = false;
-        }
-    }
-
     /*
      * This must happen after all error conditions are dealt with and
      * we're sure the VM is going to be running on this host.
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
 
     if (runstate_is_live(migration_get_target_runstate())) {
         if (autostart) {
-            vm_start();
+            /*
+             * Block activation is always delayed until VM starts, either
+             * here (which means we need to start the dest VM right now..),
+             * or until qmp_cont() later.
+             *
+             * We used to have cap 'late-block-activate' but now we do this
+             * unconditionally, as it has no harm but only benefit.  E.g.,
+             * it's not part of migration ABI on the time of disk activation.
+             *
+             * Make sure all file formats throw away their mutable
+             * metadata.  If error, don't restart the VM yet.
+             */
+            bdrv_activate_all(&local_err);
+            if (local_err) {
+                error_report_err(local_err);
+                local_err = NULL;
+            } else {
+                vm_start();
+            }
         } else {
             runstate_set(RUN_STATE_PAUSED);
         }
-- 
2.47.0

Postcopy never cared about late-block-active.  However there's no mention
in the capability that it doesn't apply to postcopy.

Considering that we _assumed_ late activation is always good, do that too
for postcopy unconditionally, just like precopy.  After this patch, we
should have unified the behavior across all.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/savevm.c | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

diff --git a/migration/savevm.c b/migration/savevm.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -XXX,XX +XXX,XX @@ static void loadvm_postcopy_handle_run_bh(void *opaque)
 
     trace_vmstate_downtime_checkpoint("dst-postcopy-bh-announced");
 
-    /* Make sure all file formats throw away their mutable metadata.
-     * If we get an error here, just don't restart the VM yet. */
-    bdrv_activate_all(&local_err);
-    if (local_err) {
-        error_report_err(local_err);
-        local_err = NULL;
-        autostart = false;
-    }
-
-    trace_vmstate_downtime_checkpoint("dst-postcopy-bh-cache-invalidated");
-
     dirty_bitmap_mig_before_vm_start();
 
     if (autostart) {
-        /* Hold onto your hats, starting the CPU */
-        vm_start();
+        /*
+         * Make sure all file formats throw away their mutable metadata.
+         * If we get an error here, just don't restart the VM yet.
+         */
+        bdrv_activate_all(&local_err);
+        trace_vmstate_downtime_checkpoint("dst-postcopy-bh-cache-invalidated");
+        if (local_err) {
+            error_report_err(local_err);
+            local_err = NULL;
+        } else {
+            vm_start();
+        }
     } else {
         /* leave it paused and let management decide when to start the CPU */
         runstate_set(RUN_STATE_PAUSED);
-- 
2.47.0

For example, think about when qemu_savevm_state_complete_precopy_iterable()
can fail: it will have block_inactive set to true even if all block drives
are active.

Fix that by only update the flag after the invalidation is done.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 migration/migration.c | 9 +++------
 migration/savevm.c    | 2 ++
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static int migration_completion_precopy(MigrationState *s,
         goto out_unlock;
     }
 
-    /*
-     * Inactivate disks except in COLO, and track that we have done so in order
-     * to remember to reactivate them if migration fails or is cancelled.
-     */
-    s->block_inactive = !migrate_colo();
     migration_rate_set(RATE_LIMIT_DISABLED);
+
+    /* Inactivate disks except in COLO */
     ret = qemu_savevm_state_complete_precopy(s->to_dst_file, false,
-                                             s->block_inactive);
+                                             !migrate_colo());
 out_unlock:
     bql_unlock();
     return ret;
diff --git a/migration/savevm.c b/migration/savevm.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -XXX,XX +XXX,XX @@ int qemu_savevm_state_complete_precopy_non_iterable(QEMUFile *f,
             qemu_file_set_error(f, ret);
             return ret;
         }
+        /* Remember that we did this */
+        s->block_inactive = true;
     }
     if (!in_postcopy) {
         /* Postcopy stream will still be going */
-- 
2.47.0

This patch proposes a flag to maintain disk activation status globally.  It
mostly rewrites disk activation mgmt for QEMU, including COLO and QMP
command xen_save_devices_state.

Backgrounds
===========

We have two problems on disk activations, one resolved, one not.

Problem 1: disk activation recover (for switchover interruptions)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When migration is either cancelled or failed during switchover, especially
when after the disks are inactivated, QEMU needs to remember re-activate
the disks again before vm starts.

It used to be done separately in two paths: one in qmp_migrate_cancel(),
the other one in the failure path of migration_completion().

It used to be fixed in different commits, all over the places in QEMU.  So
these are the relevant changes I saw, I'm not sure if it's complete list:

- In 2016, commit fe904ea824 ("migration: regain control of images when
   migration fails to complete")

- In 2017, commit 1d2acc3162 ("migration: re-active images while migration
   been canceled after inactive them")

- In 2023, commit 6dab4c93ec ("migration: Attempt disk reactivation in
   more failure scenarios")

Now since we have a slightly better picture maybe we can unify the
reactivation in a single path.

One side benefit of doing so is, we can move the disk operation outside QMP
command "migrate_cancel".  It's possible that in the future we may want to
make "migrate_cancel" be OOB-compatible, while that requires the command
doesn't need BQL in the first place.  This will already do that and make
migrate_cancel command lightweight.

Problem 2: disk invalidation on top of invalidated disks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is an unresolved bug for current QEMU.  Link in "Resolves:" at the
end.  It turns out besides the src switchover phase (problem 1 above), QEMU
also needs to remember block activation on destination.

Consider two continuous migration in a row, where the VM was always paused.
In that scenario, the disks are not activated even until migration
completed in the 1st round.  When the 2nd round starts, if QEMU doesn't
know the status of the disks, it needs to try inactivate the disk again.

Here the issue is the block layer API bdrv_inactivate_all() will crash a
QEMU if invoked on already inactive disks for the 2nd migration.  For
detail, see the bug link at the end.

Implementation
==============

This patch proposes to maintain disk activation with a global flag, so we
know:

- If we used to inactivate disks for migration, but migration got
  cancelled, or failed, QEMU will know it should reactivate the disks.

- On incoming side, if the disks are never activated but then another
  migration is triggered, QEMU should be able to tell that inactivate is
  not needed for the 2nd migration.

We used to have disk_inactive, but it only solves the 1st issue, not the
2nd.  Also, it's done in completely separate paths so it's extremely hard
to follow either how the flag changes, or the duration that the flag is
valid, and when we will reactivate the disks.

Convert the existing disk_inactive flag into that global flag (also invert
its naming), and maintain the disk activation status for the whole
lifecycle of qemu.  That includes the incoming QEMU.

Put both of the error cases of source migration (failure, cancelled)
together into migration_iteration_finish(), which will be invoked for
either of the scenario.  So from that part QEMU should behave the same as
before.  However with such global maintenance on disk activation status, we
not only cleanup quite a few temporary paths that we try to maintain the
disk activation status (e.g. in postcopy code), meanwhile it fixes the
crash for problem 2 in one shot.

For freshly started QEMU, the flag is initialized to TRUE showing that the
QEMU owns the disks by default.

For incoming migrated QEMU, the flag will be initialized to FALSE once and
for all showing that the dest QEMU doesn't own the disks until switchover.
That is guaranteed by the "once" variable.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2395
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 include/migration/misc.h |  4 ++
 migration/migration.h    |  6 +--
 migration/block-active.c | 94 ++++++++++++++++++++++++++++++++++++++++
 migration/colo.c         |  2 +-
 migration/migration.c    | 80 ++++++++--------------------------
 migration/savevm.c       | 33 ++++++--------
 monitor/qmp-cmds.c       |  8 +---
 migration/meson.build    |  1 +
 migration/trace-events   |  3 ++
 9 files changed, 140 insertions(+), 91 deletions(-)
 create mode 100644 migration/block-active.c

diff --git a/include/migration/misc.h b/include/migration/misc.h
index XXXXXXX..XXXXXXX 100644
--- a/include/migration/misc.h
+++ b/include/migration/misc.h
@@ -XXX,XX +XXX,XX @@ bool migration_incoming_postcopy_advised(void);
 /* True if background snapshot is active */
 bool migration_in_bg_snapshot(void);
 
+/* Wrapper for block active/inactive operations */
+bool migration_block_activate(Error **errp);
+bool migration_block_inactivate(void);
+
 #endif
diff --git a/migration/migration.h b/migration/migration.h
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.h
+++ b/migration/migration.h
@@ -XXX,XX +XXX,XX @@ struct MigrationState {
     /* Flag set once the migration thread is running (and needs joining) */
     bool migration_thread_running;
 
-    /* Flag set once the migration thread called bdrv_inactivate_all */
-    bool block_inactive;
-
     /* Migration is waiting for guest to unplug device */
     QemuSemaphore wait_unplug_sem;
 
@@ -XXX,XX +XXX,XX @@ void migration_bitmap_sync_precopy(bool last_stage);
 /* migration/block-dirty-bitmap.c */
 void dirty_bitmap_mig_init(void);
 
+/* migration/block-active.c */
+void migration_block_active_setup(bool active);
+
 #endif
diff --git a/migration/block-active.c b/migration/block-active.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/migration/block-active.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Block activation tracking for migration purpose
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * Copyright (C) 2024 Red Hat, Inc.
+ */
+#include "qemu/osdep.h"
+#include "block/block.h"
+#include "qapi/error.h"
+#include "migration/migration.h"
+#include "qemu/error-report.h"
+#include "trace.h"
+
+/*
+ * Migration-only cache to remember the block layer activation status.
+ * Protected by BQL.
+ *
+ * We need this because..
+ *
+ * - Migration can fail after block devices are invalidated (during
+ *   switchover phase).  When that happens, we need to be able to recover
+ *   the block drive status by re-activating them.
+ *
+ * - Currently bdrv_inactivate_all() is not safe to be invoked on top of
+ *   invalidated drives (even if bdrv_activate_all() is actually safe to be
+ *   called any time!).  It means remembering this could help migration to
+ *   make sure it won't invalidate twice in a row, crashing QEMU.  It can
+ *   happen when we migrate a PAUSED VM from host1 to host2, then migrate
+ *   again to host3 without starting it.  TODO: a cleaner solution is to
+ *   allow safe invoke of bdrv_inactivate_all() at anytime, like
+ *   bdrv_activate_all().
+ *
+ * For freshly started QEMU, the flag is initialized to TRUE reflecting the
+ * scenario where QEMU owns block device ownerships.
+ *
+ * For incoming QEMU taking a migration stream, the flag is initialized to
+ * FALSE reflecting that the incoming side doesn't own the block devices,
+ * not until switchover happens.
+ */
+static bool migration_block_active;
+
+/* Setup the disk activation status */
+void migration_block_active_setup(bool active)
+{
+    migration_block_active = active;
+}
+
+bool migration_block_activate(Error **errp)
+{
+    ERRP_GUARD();
+
+    assert(bql_locked());
+
+    if (migration_block_active) {
+        trace_migration_block_activation("active-skipped");
+        return true;
+    }
+
+    trace_migration_block_activation("active");
+
+    bdrv_activate_all(errp);
+    if (*errp) {
+        error_report_err(error_copy(*errp));
+        return false;
+    }
+
+    migration_block_active = true;
+    return true;
+}
+
+bool migration_block_inactivate(void)
+{
+    int ret;
+
+    assert(bql_locked());
+
+    if (!migration_block_active) {
+        trace_migration_block_activation("inactive-skipped");
+        return true;
+    }
+
+    trace_migration_block_activation("inactive");
+
+    ret = bdrv_inactivate_all();
+    if (ret) {
+        error_report("%s: bdrv_inactivate_all() failed: %d",
+                     __func__, ret);
+        return false;
+    }
+
+    migration_block_active = false;
+    return true;
+}
diff --git a/migration/colo.c b/migration/colo.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/colo.c
+++ b/migration/colo.c
@@ -XXX,XX +XXX,XX @@ static void *colo_process_incoming_thread(void *opaque)
 
     /* Make sure all file formats throw away their mutable metadata */
     bql_lock();
-    bdrv_activate_all(&local_err);
+    migration_block_activate(&local_err);
     bql_unlock();
     if (local_err) {
         error_report_err(local_err);
diff --git a/migration/migration.c b/migration/migration.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/migration.c
+++ b/migration/migration.c
@@ -XXX,XX +XXX,XX @@ static void qemu_start_incoming_migration(const char *uri, bool has_channels,
 
 static void process_incoming_migration_bh(void *opaque)
 {
-    Error *local_err = NULL;
     MigrationIncomingState *mis = opaque;
 
     trace_vmstate_downtime_checkpoint("dst-precopy-bh-enter");
@@ -XXX,XX +XXX,XX @@ static void process_incoming_migration_bh(void *opaque)
              * Make sure all file formats throw away their mutable
              * metadata.  If error, don't restart the VM yet.
              */
-            bdrv_activate_all(&local_err);
-            if (local_err) {
-                error_report_err(local_err);
-                local_err = NULL;
-            } else {
+            if (migration_block_activate(NULL)) {
                 vm_start();
             }
         } else {
@@ -XXX,XX +XXX,XX @@ static void migrate_fd_cancel(MigrationState *s)
             }
         }
     }
-    if (s->state == MIGRATION_STATUS_CANCELLING && s->block_inactive) {
-        Error *local_err = NULL;
-
-        bdrv_activate_all(&local_err);
-        if (local_err) {
-            error_report_err(local_err);
-        } else {
-            s->block_inactive = false;
-        }
-    }
 }
 
 void migration_add_notifier_mode(NotifierWithReturn *notify,
@@ -XXX,XX +XXX,XX @@ void qmp_migrate_incoming(const char *uri, bool has_channels,
         return;
     }
 
+    /*
+     * Newly setup incoming QEMU.  Mark the block active state to reflect
+     * that the src currently owns the disks.
+     */
+    migration_block_active_setup(false);
+
     once = false;
 }
 
@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
     QIOChannelBuffer *bioc;
     QEMUFile *fb;
     uint64_t bandwidth = migrate_max_postcopy_bandwidth();
-    bool restart_block = false;
     int cur_state = MIGRATION_STATUS_ACTIVE;
 
     if (migrate_postcopy_preempt()) {
@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
         goto fail;
     }
 
-    ret = bdrv_inactivate_all();
-    if (ret < 0) {
-        error_setg_errno(errp, -ret, "%s: Failed in bdrv_inactivate_all()",
-                         __func__);
+    if (!migration_block_inactivate()) {
+        error_setg(errp, "%s: Failed in bdrv_inactivate_all()", __func__);
         goto fail;
     }
-    restart_block = true;
 
     /*
      * Cause any non-postcopiable, but iterative devices to
@@ -XXX,XX +XXX,XX @@ static int postcopy_start(MigrationState *ms, Error **errp)
         goto fail_closefb;
     }
 
-    restart_block = false;
-
     /* Now send that blob */
     if (qemu_savevm_send_packaged(ms->to_dst_file, bioc->data, bioc->usage)) {
         error_setg(errp, "%s: Failed to send packaged data", __func__);
@@ -XXX,XX +XXX,XX @@ fail_closefb:
 fail:
     migrate_set_state(&ms->state, MIGRATION_STATUS_POSTCOPY_ACTIVE,
                           MIGRATION_STATUS_FAILED);
-    if (restart_block) {
-        /* A failure happened early enough that we know the destination hasn't
-         * accessed block devices, so we're safe to recover.
-         */
-        Error *local_err = NULL;
-
-        bdrv_activate_all(&local_err);
-        if (local_err) {
-            error_report_err(local_err);
-        }
-    }
+    migration_block_activate(NULL);
     migration_call_notifiers(ms, MIG_EVENT_PRECOPY_FAILED, NULL);
     bql_unlock();
     return -1;
@@ -XXX,XX +XXX,XX @@ static void migration_completion_postcopy(MigrationState *s)
     trace_migration_completion_postcopy_end_after_complete();
 }
 
-static void migration_completion_failed(MigrationState *s,
-                                        int current_active_state)
-{
-    if (s->block_inactive && (s->state == MIGRATION_STATUS_ACTIVE ||
-                              s->state == MIGRATION_STATUS_DEVICE)) {
-        /*
-         * If not doing postcopy, vm_start() will be called: let's
-         * regain control on images.
-         */
-        Error *local_err = NULL;
-
-        bql_lock();
-        bdrv_activate_all(&local_err);
-        if (local_err) {
-            error_report_err(local_err);
-        } else {
-            s->block_inactive = false;
-        }
-        bql_unlock();
-    }
-
-    migrate_set_state(&s->state, current_active_state,
-                      MIGRATION_STATUS_FAILED);
-}
-
 /**
  * migration_completion: Used by migration_thread when there's not much left.
  *   The caller 'breaks' the loop when this returns.
@@ -XXX,XX +XXX,XX @@ fail:
         error_free(local_err);
     }
 
-    migration_completion_failed(s, current_active_state);
+    migrate_set_state(&s->state, current_active_state,
+                      MIGRATION_STATUS_FAILED);
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static void migration_iteration_finish(MigrationState *s)
     case MIGRATION_STATUS_FAILED:
     case MIGRATION_STATUS_CANCELLED:
     case MIGRATION_STATUS_CANCELLING:
+        /*
+         * Re-activate the block drives if they're inactivated.  Note, COLO
+         * shouldn't use block_active at all, so it should be no-op there.
+         */
+        migration_block_activate(NULL);
         if (runstate_is_live(s->vm_old_state)) {
             if (!runstate_check(RUN_STATE_SHUTDOWN)) {
                 vm_start();
@@ -XXX,XX +XXX,XX @@ static void migration_instance_init(Object *obj)
     ms->state = MIGRATION_STATUS_NONE;
     ms->mbps = -1;
     ms->pages_per_second = -1;
+    /* Freshly started QEMU owns all the block devices */
+    migration_block_active_setup(true);
     qemu_sem_init(&ms->pause_sem, 0);
     qemu_mutex_init(&ms->error_mutex);
 
diff --git a/migration/savevm.c b/migration/savevm.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/savevm.c
+++ b/migration/savevm.c
@@ -XXX,XX +XXX,XX @@ int qemu_savevm_state_complete_precopy_non_iterable(QEMUFile *f,
     }
 
     if (inactivate_disks) {
-        /* Inactivate before sending QEMU_VM_EOF so that the
-         * bdrv_activate_all() on the other end won't fail. */
-        ret = bdrv_inactivate_all();
-        if (ret) {
-            error_setg(&local_err, "%s: bdrv_inactivate_all() failed (%d)",
-                       __func__, ret);
+        /*
+         * Inactivate before sending QEMU_VM_EOF so that the
+         * bdrv_activate_all() on the other end won't fail.
+         */
+        if (!migration_block_inactivate()) {
+            error_setg(&local_err, "%s: bdrv_inactivate_all() failed",
+                       __func__);
             migrate_set_error(ms, local_err);
             error_report_err(local_err);
-            qemu_file_set_error(f, ret);
+            qemu_file_set_error(f, -EFAULT);
             return ret;
         }
-        /* Remember that we did this */
-        s->block_inactive = true;
     }
     if (!in_postcopy) {
         /* Postcopy stream will still be going */
@@ -XXX,XX +XXX,XX @@ static int loadvm_postcopy_handle_listen(MigrationIncomingState *mis)
 
 static void loadvm_postcopy_handle_run_bh(void *opaque)
 {
-    Error *local_err = NULL;
     MigrationIncomingState *mis = opaque;
 
     trace_vmstate_downtime_checkpoint("dst-postcopy-bh-enter");
@@ -XXX,XX +XXX,XX @@ static void loadvm_postcopy_handle_run_bh(void *opaque)
          * Make sure all file formats throw away their mutable metadata.
          * If we get an error here, just don't restart the VM yet.
          */
-        bdrv_activate_all(&local_err);
+        bool success = migration_block_activate(NULL);
+
         trace_vmstate_downtime_checkpoint("dst-postcopy-bh-cache-invalidated");
-        if (local_err) {
-            error_report_err(local_err);
-            local_err = NULL;
-        } else {
+
+        if (success) {
             vm_start();
         }
     } else {
@@ -XXX,XX +XXX,XX @@ void qmp_xen_save_devices_state(const char *filename, bool has_live, bool live,
          * side of the migration take control of the images.
          */
         if (live && !saved_vm_running) {
-            ret = bdrv_inactivate_all();
-            if (ret) {
-                error_setg(errp, "%s: bdrv_inactivate_all() failed (%d)",
-                           __func__, ret);
-            }
+            migration_block_inactivate();
         }
     }
 
diff --git a/monitor/qmp-cmds.c b/monitor/qmp-cmds.c
index XXXXXXX..XXXXXXX 100644
--- a/monitor/qmp-cmds.c
+++ b/monitor/qmp-cmds.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/type-helpers.h"
 #include "hw/mem/memory-device.h"
 #include "hw/intc/intc.h"
+#include "migration/misc.h"
 
 NameInfo *qmp_query_name(Error **errp)
 {
@@ -XXX,XX +XXX,XX @@ void qmp_cont(Error **errp)
          * Continuing after completed migration. Images have been
          * inactivated to allow the destination to take control. Need to
          * get control back now.
-         *
-         * If there are no inactive block nodes (e.g. because the VM was
-         * just paused rather than completing a migration),
-         * bdrv_inactivate_all() simply doesn't do anything.
          */
-        bdrv_activate_all(&local_err);
-        if (local_err) {
+        if (!migration_block_activate(&local_err)) {
             error_propagate(errp, local_err);
             return;
         }
diff --git a/migration/meson.build b/migration/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/migration/meson.build
+++ b/migration/meson.build
@@ -XXX,XX +XXX,XX @@ migration_files = files(
 
 system_ss.add(files(
   'block-dirty-bitmap.c',
+  'block-active.c',
   'channel.c',
   'channel-block.c',
   'cpu-throttle.c',
diff --git a/migration/trace-events b/migration/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/migration/trace-events
+++ b/migration/trace-events
@@ -XXX,XX +XXX,XX @@ migration_pagecache_insert(void) "Error allocating page"
 # cpu-throttle.c
 cpu_throttle_set(int new_throttle_pct)  "set guest CPU throttled by %d%%"
 cpu_throttle_dirty_sync(void) ""
+
+# block-active.c
+migration_block_activation(const char *name) "%s"
-- 
2.47.0