Xen project Mailing List

Re: [PATCH] OvmfPkg: End timer interrupt later to avoid stack overflow under load

To: Laszlo Ersek <lersek@xxxxxxxxxx>, <devel@xxxxxxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Igor Druzhinin <igor.druzhinin@xxxxxxxxxx>

Date: Wed, 17 Jun 2020 04:16:32 +0100

Authentication-results: esa6.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: julien@xxxxxxx, jordan.l.justen@xxxxxxxxx, Ray Ni <ray.ni@xxxxxxxxx>, ard.biesheuvel@xxxxxxx, anthony.perard@xxxxxxxxxx, Paolo Bonzini <pbonzini@xxxxxxxxxx>

Delivery-date: Wed, 17 Jun 2020 03:16:46 +0000

Ironport-sdr: uQjg1G0HvWxXWfGi5qH+NbnaYb7nco842zSXOWROgXsraU0tqCAnSMctSOGz8ZWTnN6Sre2lyY ShwG2mKWSKGsRkivYDUisV0EFyZkEQhIXs5C//Y+K2puS2TC3L1Aqeh6tOZr1vZFSsucHcImel OExCxLoTaRumjDNqRxUvX1F8MqUB54+IK6UTH9I5LES+ykWuTjHiW2LHocFN/b9hv6eKel4ELr SPRHCSqwVjEjv2xp7QifZk5E+hNxTYKkV0qrqhlk79gHDWP7E0VEtcarQGt10UJdSCvElT47NY HE4=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 16/06/2020 19:42, Laszlo Ersek wrote > If I understand correctly, TimerInterruptHandler() > [OvmfPkg/8254TimerDxe/Timer.c] currently does the following: > > - RaiseTPL (TPL_HIGH_LEVEL) --> mask interrupts from being delivered > > - mLegacy8259->EndOfInterrupt() --> permit the PIC to generate further > interrupts (= make them pending) > > - RestoreTPL() --> unmask interrupts (allow delivery) > > RestoreTPL() is always expected to invoke handlers (on its own stack) > that have just been unmasked, so that behavior is not unexpected, in my > opinion. Yes, this is where I'd like to have a confirmation - opening a window for uncontrollable number of nested interrupts with a small stack looks dangerous. > What seems unexpected is the queueing of a huge number of timer > interrupts. I would think a timer interrupt is either pending or not > pending (i.e. if it's already pending, then the next generated interrupt > is coalesced, not queued). While there would still be a window between > the EOI and the unmasking, I don't think it would normally allow for a > *huge* number of queued interrupts (and consequently a stack overflow). It's not a window between EOI and unmasking but the very fact vCPU is descheduled for a considerable amount of time that causes backlog of timer interrupts to build up. This is Xen default behavior and is configurable (there are several timer modes including coalescing you mention). That is done for compatibility with some guests basing time accounting on the number of periodic interrupts they receive. > So I basically see the root of the problem in the interrupts being > queued rather than coalesced. I'm pretty unfamiliar with this x86 area > (= the 8259 PIC in general), but the following wiki article seems to > agree with my suspicion: > > https://wiki.osdev.org/8259_PIC#How_does_the_8259_PIC_chip_work.3F > > [...] and whether there's an interrupt already pending. If the > channel is unmasked and there's no interrupt pending, the PIC will > raise the interrupt line [...] > > Can we say that the interrupt queueing (as opposed to coalescing) is a > Xen issue? I can admit that the whole issue might be Xen specific if that form of timer mode is not used in QEMU-KVM. What mode is typical there then? We might consider switching Xen to a different mode if so, as I believe those guests are not in support for many years. > (Hmmm... maybe the hypervisor *has* to queue the timer interrupts, > otherwise some of them would simply be lost, and the guest would lose > track of time.) > > Either way, I'm not sure what the best approach is. This driver was > moved under OvmfPkg from PcAtChipsetPkg in commit 1a3ffdff82e6 > ("OvmfPkg: Copy 8254TimerDxe driver from PcAtChipsetPkg", 2019-04-11). > HpetTimerDxe also lives under PcAtChipsetPkg. > > So I think I'll have to rely on the expertise of Ray here (CC'd). Also note that since the issue might be Xen specific we might want to try to fix it in XenTimer only - I modified 8254Timer due to the fact Xen is still present in general config (but that should soon go away). > Also, I recall a recent-ish QEMU commit that seems vaguely related > (i.e., to timer interrupt coalescing -- see 7a3e29b12f5a, "mc146818rtc: > fix timer interrupt reinjection again", 2019-11-19), so I'm CC'ing Paolo > too. Hmm that looks more like a RTC implementation specific issue. > Some more comments / questions below: > >> >> diff --git a/OvmfPkg/8254TimerDxe/Timer.c b/OvmfPkg/8254TimerDxe/Timer.c >> index 67e22f5..fd1691b 100644 >> --- a/OvmfPkg/8254TimerDxe/Timer.c >> +++ b/OvmfPkg/8254TimerDxe/Timer.c >> @@ -79,8 +79,6 @@ TimerInterruptHandler ( >> >> OriginalTPL = gBS->RaiseTPL (TPL_HIGH_LEVEL); >> >> - mLegacy8259->EndOfInterrupt (mLegacy8259, Efi8259Irq0); >> - >> if (mTimerNotifyFunction != NULL) { >> // >> // @bug : This does not handle missed timer interrupts >> @@ -89,6 +87,9 @@ TimerInterruptHandler ( >> } >> >> gBS->RestoreTPL (OriginalTPL); >> + >> + DisableInterrupts (); >> + mLegacy8259->EndOfInterrupt (mLegacy8259, Efi8259Irq0); >> } > > So this briefly (temporarily) unmasks interrupt delivery (between > RestoreTPL() and DisableInterrupts()) while the PIC is still blocked > from generating more, and then unblocks the PIC. > > It looks plausible for preventing the unbounded recursion per se, but > why is it safe to leave the function with interrupts disabled? Before > the patch, that didn't use to be the case. Quickly looking through the code it appears to me the first thing that caller does after interrupt handler - it clears interrupt flag to make sure those disabled. So I don't see any assumption that interrupts should be enabled on exiting. But I might not know about all of the possible combinations here. Igor

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.