On Tue, Feb 20, 2024 at 12:03:15PM +0000, Parav Pandit wrote: > > > From: Michael S. Tsirkin <mst@xxxxxxxxxx> > > Sent: Monday, February 19, 2024 4:17 PM > > > > On Mon, Feb 19, 2024 at 10:39:36AM +0000, Parav Pandit wrote: > > > > From: Michael S. Tsirkin <mst@xxxxxxxxxx> > > > > Sent: Monday, February 19, 2024 1:45 PM > > > > > > > > On Mon, Feb 19, 2024 at 03:14:54AM +0000, Parav Pandit wrote: > > > > > Hi Ming, > > > > > > > > > > > From: Ming Lei <ming.lei@xxxxxxxxxx> > > > > > > Sent: Sunday, February 18, 2024 6:57 PM > > > > > > > > > > > > On Sat, Feb 17, 2024 at 08:08:48PM +0200, Parav Pandit wrote: > > > > > > > When the PCI device is surprise removed, requests won't > > > > > > > complete from the device. These IOs are never completed and > > > > > > > disk deletion hangs indefinitely. > > > > > > > > > > > > > > Fix it by aborting the IOs which the device will never > > > > > > > complete when the VQ is broken. > > > > > > > > > > > > > > With this fix now fio completes swiftly. > > > > > > > An alternative of IO timeout has been considered, however when > > > > > > > the driver knows about unresponsive block device, swiftly > > > > > > > clearing them enables users and upper layers to react quickly. > > > > > > > > > > > > > > Verified with multiple device unplug cycles with pending IOs > > > > > > > in virtio used ring and some pending with device. > > > > > > > > > > > > > > In future instead of VQ broken, a more elegant method can be used. > > > > > > > At the moment the patch is kept to its minimal changes given > > > > > > > its urgency to fix broken kernels. > > > > > > > > > > > > > > Fixes: 43bb40c5b926 ("virtio_pci: Support surprise removal of > > > > > > > virtio pci device") > > > > > > > Cc: stable@xxxxxxxxxxxxxxx > > > > > > > Reported-by: lirongqing@xxxxxxxxx > > > > > > > Closes: > > > > > > > https://lore.kernel.org/virtualization/c45dd68698cd47238c55fb7 > > > > > > > 3ca9 > > > > > > > b474 > > > > > > > 1@xxxxxxxxx/ > > > > > > > Co-developed-by: Chaitanya Kulkarni <kch@xxxxxxxxxx> > > > > > > > Signed-off-by: Chaitanya Kulkarni <kch@xxxxxxxxxx> > > > > > > > Signed-off-by: Parav Pandit <parav@xxxxxxxxxx> > > > > > > > --- > > > > > > > drivers/block/virtio_blk.c | 54 > > > > > > > ++++++++++++++++++++++++++++++++++++++ > > > > > > > 1 file changed, 54 insertions(+) > > > > > > > > > > > > > > diff --git a/drivers/block/virtio_blk.c > > > > > > > b/drivers/block/virtio_blk.c index 2bf14a0e2815..59b49899b229 > > > > > > > 100644 > > > > > > > --- a/drivers/block/virtio_blk.c > > > > > > > +++ b/drivers/block/virtio_blk.c > > > > > > > @@ -1562,10 +1562,64 @@ static int virtblk_probe(struct > > > > > > > virtio_device > > > > > > *vdev) > > > > > > > return err; > > > > > > > } > > > > > > > > > > > > > > +static bool virtblk_cancel_request(struct request *rq, void *data) { > > > > > > > + struct virtblk_req *vbr = blk_mq_rq_to_pdu(rq); > > > > > > > + > > > > > > > + vbr->in_hdr.status = VIRTIO_BLK_S_IOERR; > > > > > > > + if (blk_mq_request_started(rq) && > > !blk_mq_request_completed(rq)) > > > > > > > + blk_mq_complete_request(rq); > > > > > > > + > > > > > > > + return true; > > > > > > > +} > > > > > > > + > > > > > > > +static void virtblk_cleanup_reqs(struct virtio_blk *vblk) { > > > > > > > + struct virtio_blk_vq *blk_vq; > > > > > > > + struct request_queue *q; > > > > > > > + struct virtqueue *vq; > > > > > > > + unsigned long flags; > > > > > > > + int i; > > > > > > > + > > > > > > > + vq = vblk->vqs[0].vq; > > > > > > > + if (!virtqueue_is_broken(vq)) > > > > > > > + return; > > > > > > > + > > > > > > > > > > > > What if the surprise happens after the above check? > > > > > > > > > > > > > > > > > In that small timing window, the race still exists. > > > > > > > > > > I think, blk_mq_quiesce_queue(q); should move up before > > > > > cleanup_reqs() > > > > regardless of surprise case along with other below changes. > > > > > > > > > > Additionally, for non-surprise case, better to have a graceful > > > > > timeout to > > > > complete already queued requests. > > > > > In absence of timeout scheme for this regression, shall we only > > > > > complete the > > > > requests which the device has already completed (instead of waiting > > > > for the grace time)? > > > > > There was past work from Chaitanaya, for the graceful timeout. > > > > > > > > > > The sequence for the fix I have in mind is: > > > > > 1. quiesce the queue > > > > > 2. complete all requests which has completed, with its status 3. > > > > > stop the transport (queues) 4. complete remaining pending requests > > > > > with error status > > > > > > > > > > This should work regardless of surprise case. > > > > > An additional/optional graceful timeout on non-surprise case can > > > > > be helpful > > > > for #2. > > > > > > > > > > WDYT? > > > > > > > > All this is unnecessarily hard for drivers... I am thinking maybe > > > > after we set broken we should go ahead and invoke all callbacks. > > > > > > Yes, #2 is about invoking the callbacks. > > > > > > The issue is not with setting the flag broken. As Ming pointed, the issue is : > > we may miss setting the broken. > > > > > > So if we did get callbacks, we'd be able to test broken flag in the callback. > > > Yes, getting callbacks is fine. > But when the device is surprise removed, we wont get the callbacks and completions are missed. exactly and then we should trigger them ourselves. > > > Without graceful time out it is straight forward code, just rearrangement of > > APIs in this patch with existing code. > > > > > > The question is : it is really if we really care for that grace period when the > > device or driver is already on its exit path and VQ is not broken. > > > If we don't wait for the request in progress, is it ok? > > > > > > > If we are talking about physical hardware, it seems quite possible that removal > > triggers then user gets impatient and yanks the card out. > > > Yes, regardless of surprise or not, completing the remaining IOs is just good enough. > Device is anyway on its exit path, so completing 10 commands vs 12, does not make a lot of difference with extra complexity of timeout. > > So better to not complicate the driver, at least not when adding Fixes tag patch. > > > > > > > interrupt handling core is not making it easy for us - we must > > > > disable real interrupts if we do, and in the past we failed to do it. > > > > See e.g. > > > > > > > > > > > > commit eb4cecb453a19b34d5454b49532e09e9cb0c1529 > > > > Author: Jason Wang <jasowang@xxxxxxxxxx> > > > > Date: Wed Mar 23 11:15:24 2022 +0800 > > > > > > > > Revert "virtio_pci: harden MSI-X interrupts" > > > > > > > > This reverts commit 9e35276a5344f74d4a3600fc4100b3dd251d5c56. > > > > Issue > > > > were reported for the drivers that are using affinity managed IRQ > > > > where manually toggling IRQ status is not expected. And we forget to > > > > enable the interrupts in the restore path as well. > > > > > > > > In the future, we will rework on the interrupt hardening. > > > > > > > > Fixes: 9e35276a5344 ("virtio_pci: harden MSI-X interrupts") > > > > > > > > > > > > > > > > If someone can figure out a way to make toggling interrupt state > > > > play nice with affinity managed interrupts, that would solve a host of > > issues I feel. > > > > > > > > > > > > > > > > > > Thanks, > > > > > > Ming