kdump fail due to an IRQ storm
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux (Ubuntu) | Fix Released | High | Guilherme G. Piccoli | |
Trusty | Won't Fix | High | Guilherme G. Piccoli | |
Xenial | Fix Released | High | Guilherme G. Piccoli | |
Bionic | Fix Released | High | Guilherme G. Piccoli | |
Cosmic | Fix Released | High | Guilherme G. Piccoli | |
Disco | Fix Released | High | Guilherme G. Piccoli | |
Bug Description
[Impact]
* A kexec/crash kernel might get stuck and fail to boot
(for crash kernel, kdump fails to collect a crashdump)
if a PCI device is buggy/stuck/looping and triggers a
continuous flood of MSI(X) interrupts (that the kernel
does not yet know about).
* This fix made it possible to obtain crashdumps when debugging
a heavy-load scenario, in which a (heavily loaded) network
adapter wouldn't stop triggering MSI-X interrupts ever
after panic()->kdump kicked in.
* This fix disables MSI(X) in all PCI devices on early
boot (this is OK as it's (re-)enabled normally later)
with a kernel cmdline parameter (disabled by default).
[Test Case]
* A synthetic test-case is not yet available, however,
this particular system/workload triggered the problem
consistently, and it was used for development/
* We'll update this bug once a synthetic test-case is
available; we're working on patching QEMU for this.
* $ cat /proc/cmdline
<...> pci=clearmsi
$ dmesg | grep 'Clearing MSI'
[ 0.000000] Clearing MSI/MSI-X enable bits early in boot (quirk)
* The comparison of 'dmesg -t | sort' has been reviewed
between option disabled/enabled on boot & kexec modes,
and only expected differences found (MHz, PIDs, MIPS).
[Regression Potential]
* The potential area for regressions is early boot,
particularly effects of applying quirks during PCI
bus scan, which is changed/broader w/ these patches.
* However, all quirks are applied based on PCI ID
matching, so would only apply if actually targeting
a new device.
* Moreover, the new quirk is only applied based on
a kernel cmdline parameter that is disabled by
default, which constrains even more when this
is actually in effect.
[Other Info]
* The patch series is still under review/discussion
upstream, but it's relatively important for Ubuntu
users at this point, and after internal discussions
we decided to submit it for SRU.
* These are links to the linux-pci archive with the
patches [1, 2, 3]
[1] [PATCH 1/3] x86/quirks: Scan all busses for early PCI quirks
https://<email address hidden>/
[2] [PATCH 2/3] x86/PCI: Export find_cap() to be used in early PCI code
https://<email address hidden>/
[3] [PATCH 3/3] x86/quirks: Add parameter to clear MSIs early on boot
https://<email address hidden>/
[Original Description]
We have reports of a kdump failure in Ubuntu (on an x86 machine) that was narrowed down to an MSI IRQ storm coming from a PCI network device.
The bug manifests as a lack of progress in the boot process of the kdump kernel, and a storm of kernel messages like:
[...]
[ 342.265294] do_IRQ: 0.155 No irq handler for vector
[ 342.266916] do_IRQ: 0.155 No irq handler for vector
[ 347.258422] do_IRQ: 14053260 callbacks suppressed
[...]
The root cause of the issue is that the kdump kernel kexec process does not ensure PCI devices are reset and/or MSI capabilities are disabled, so a PCI device could produce a huge number of PCI IRQs which would take all the processing time for the CPU (especially since we restrict the kdump kernel to use one single CPU only).
This was tested using upstream kernel version 4.18, and the problem reproduces.
In the specific test scenario, the PCI NIC was an "Intel 82599ES 10-Gigabit [8086:10fb]" that was used in SR-IOV PCI passthrough mode (vfio_pci), under high load on the guest.
Changed in linux (Ubuntu Bionic): | |
assignee: | nobody → Guilherme G. Piccoli (gpiccoli) |
Changed in linux (Ubuntu Xenial): | |
assignee: | nobody → Guilherme G. Piccoli (gpiccoli) |
Changed in linux (Ubuntu Trusty): | |
assignee: | nobody → Guilherme G. Piccoli (gpiccoli) |
Changed in linux (Ubuntu Bionic): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Xenial): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Bionic): | |
status: | New → Confirmed |
Changed in linux (Ubuntu Xenial): | |
status: | New → Confirmed |
Changed in linux (Ubuntu Trusty): | |
status: | New → Confirmed |
description: | updated |
tags: | added: patch |
Changed in linux (Ubuntu Xenial): | |
status: | Confirmed → Fix Committed |
Changed in linux (Ubuntu Bionic): | |
status: | Confirmed → Fix Committed |
Changed in linux (Ubuntu Cosmic): | |
status: | Confirmed → Fix Committed |
Changed in linux (Ubuntu Disco): | |
status: | Confirmed → Fix Released |
tags: | added: cscc |
During the investigation, we've noticed that PCI specification mentions the need of MSI/MSI-X capability to be disabled during a system boot/reset; from PCI Local Bus specification 3.0, sections 6.8.1.3 and 6.8.2.3: "[...] MSI Enable: This bit’s state after reset is 0 (MSI is disabled)."
The PCI layer in the Linux kernel ensures this bit is 0 during its initialization [0], but for our case it is too late, given we had an IRQ storm during early stages in the kdump kernel boot process.
The idea to resolve the issue was then to disable MSI/MSI-X early in boot, using the early-quirks infrastructure in arch/x86, which proved to be a successful approach.
Patches will be attached here soon.
[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/pci/probe.c?h=v4.18#n1511
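
The early clearing described in this comment, sketched as an added user-space example (not the patch series posted to linux-pci and not kernel code): it walks a device's capability list in a 256-byte copy of PCI configuration space and clears the MSI Enable and MSI-X Enable bits. The function names and the sample configuration space are constructed for illustration; the register offsets and bit values are the standard PCI ones, named as in Linux's pci_regs.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCI_STATUS            0x06
#define PCI_STATUS_CAP_LIST   0x10
#define PCI_CAPABILITY_LIST   0x34
#define PCI_CAP_ID_MSI        0x05
#define PCI_CAP_ID_MSIX       0x11
#define PCI_MSI_FLAGS         2       /* Message Control: same offset in MSI and MSI-X */
#define PCI_MSI_FLAGS_ENABLE  0x0001
#define PCI_MSIX_FLAGS_ENABLE 0x8000

static uint16_t rd16(const uint8_t *c, unsigned off) { return (uint16_t)(c[off] | (c[off + 1] << 8)); }
static void wr16(uint8_t *c, unsigned off, uint16_t v) { c[off] = v & 0xff; c[off + 1] = v >> 8; }

/* Walk the capability list and clear MSI/MSI-X Enable; returns the number of bits cleared. */
int clear_msi_enable(uint8_t cfg[256])
{
    int cleared = 0, ttl = 48;  /* bound the walk: a wedged device may expose a looping list */

    if (!(rd16(cfg, PCI_STATUS) & PCI_STATUS_CAP_LIST)) return 0;
    for (unsigned pos = cfg[PCI_CAPABILITY_LIST] & ~3u; pos >= 0x40 && ttl-- > 0; pos = cfg[pos + 1] & ~3u) {
        uint8_t id = cfg[pos];
        uint16_t ctrl = rd16(cfg, pos + PCI_MSI_FLAGS);
        uint16_t mask = id == PCI_CAP_ID_MSI ? PCI_MSI_FLAGS_ENABLE : id == PCI_CAP_ID_MSIX ? PCI_MSIX_FLAGS_ENABLE : 0;
        if (id == 0xff) break;               /* all-ones read: device is not responding */
        if (!(ctrl & mask)) continue;        /* other capability, or already disabled */
        wr16(cfg, pos + PCI_MSI_FLAGS, (uint16_t)(ctrl & ~mask));
        cleared++;
    }
    return cleared;
}

/* Constructed sample config space: PM -> MSI -> MSI-X, both left enabled. */
void make_sample(uint8_t cfg[256])
{
    memset(cfg, 0, 256);
    wr16(cfg, PCI_STATUS, PCI_STATUS_CAP_LIST); cfg[PCI_CAPABILITY_LIST] = 0x40;
    cfg[0x40] = 0x01;            cfg[0x41] = 0x50;                       /* power management */
    cfg[0x50] = PCI_CAP_ID_MSI;  cfg[0x51] = 0x70; wr16(cfg, 0x52, 0x0181);
    cfg[0x70] = PCI_CAP_ID_MSIX; cfg[0x71] = 0x00; wr16(cfg, 0x72, 0x803f);
}

int main(void)
{
    uint8_t cfg[256];
    make_sample(cfg);
    printf("cleared %d enable bit(s)\n", clear_msi_enable(cfg));
    return 0;
}
```

Only the enable bits change; the rest of each Message Control register is preserved, so a driver that probes the device later can re-enable MSI/MSI-X normally.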