On Wed, Jul 21 2021 at 22:32, Christoph Hellwig wrote: > On Wed, Jul 21, 2021 at 10:14:25PM +0200, Thomas Gleixner wrote: >> https://lore.kernel.org/r/87o8bxcuxv.ffs@xxxxxxxxxxxxxxxxxxxxxxx >> >> TLDR: virtio allocates ONE irq on msix_enable() and then when the >> guest OOps, sorry that should have been VFIO not virtio. >> actually unmasks another entry (e.g. request_irq()), it tears down the >> allocated one and set's up two. On the third one this repeats .... >> >> There are only two options: >> >> 1) allocate everything upfront, which is undesired >> 2) append entries, which might need locking, but I'm still trying to >> avoid that >> >> There is another problem vs. vector exhaustion which can't be fixed that >> way, but that's a different story. > > FTI, NVMe is similar. We need one IRQ to setup the admin queue, > which is used to query/set how many I/O queues are supported. Just > two steps though and not unbound. That's fine because that's controlled by the driver consistently and it (hopefully) makes sure that the admin queue is quiesced before everything is torn down after the initial query. But that's not the case for VFIO. It tears down all in use interrupts and the guest driver is completely oblivious of that. Assume the following situation: 1) VM boots with 8 present CPUs and 16 possible CPUs 2) The passed through card (PF or VF) supports multiqueue and the driver uses managed interrupts which e.g. allocates one queue and one interrupt per possible CPU. Initial setup requests all the interrupts, but only the first 8 queue interrupts are unmasked and therefore reallocated by the host which works by some definition of works because the device is quiet at that point. 3) Host admin plugs the other 8 CPUs into the guest Onlining these CPUs in the guest will unmask the dormant managed queue interrupts and cause the host to allocate the remaining 8 per queue interrupts one by one thereby tearing down _all_ previously allocated ones and then allocating one more than before. Assume that while this goes on the guest has I/O running on the already online CPUs and their associated queues. Depending on the device this either will lose interrupts or reroute them to the legacy INTx which is not handled. This might in the best case result in a few "timedout" requests, but I managed it at least once to make the device go into lala land state, i.e. it did not recover. The above can be fixed by adding an 'append' mode to the MSI code. But that does not fix the overcommit issue where the host runs out of vector space. The result is simply that the guest does not know and just continues to work on device/queues which will never ever recieve an interrupt (again). I got educated that all of this is considered unlikely and my argument that the concept of unlikely simply does not exist at cloud scale got ignored. Sure, I know it's VIRT and therefore not subject to common sense. Thanks, tglx
