| Message ID | cover.1598042152.git.anchalag@amazon.com |
|---|---|
| Headers | show |
| Series | Fix PM hibernation in Xen guests | expand |
On 8/21/20 6:25 PM, Anchal Agarwal wrote: > From: Munehisa Kamata <kamatam@amazon.com> > > Guest hibernation is different from xen suspend/resume/live migration. > Xen save/restore does not use pm_ops as is needed by guest hibernation. > Hibernation in guest follows ACPI path and is guest inititated , the > hibernation image is saved within guest as compared to later modes > which are xen toolstack assisted and image creation/storage is in > control of hypervisor/host machine. > To differentiate between Xen suspend and PM hibernation, keep track > of the on-going suspend mode by mainly using a new API to keep track of > SHUTDOWN_SUSPEND state. > Introduce a simple function that keeps track of on-going suspend mode > so that PM hibernation code can behave differently according to the > current suspend mode. > Since Xen suspend doesn't have corresponding PM event, its main logic > is modfied to acquire pm_mutex. lock_system_sleep() is not taking this mutex. > > Though, accquirng pm_mutex is still right thing to do, we may > see deadlock if PM hibernation is interrupted by Xen suspend. > PM hibernation depends on xenwatch thread to process xenbus state > transactions, but the thread will sleep to wait pm_mutex which is > already held by PM hibernation context in the scenario. Xen shutdown > code may need some changes to avoid the issue. Is it Xen's shutdown or suspend code that needs to address this? (Or I may not understand what the problem is that you are describing) > > + > +static int xen_pm_notifier(struct notifier_block *notifier, > + unsigned long pm_event, void *unused) > +{ > + int ret; > + > + switch (pm_event) { > + case PM_SUSPEND_PREPARE: > + case PM_HIBERNATION_PREPARE: > + /* Guest hibernation is not supported for aarch64 currently*/ > + if (IS_ENABLED(CONFIG_ARM64)) { > + ret = NOTIFY_BAD; > + break; > + } Indentation. > + case PM_RESTORE_PREPARE: > + case PM_POST_SUSPEND: > + case PM_POST_HIBERNATION: > + case PM_POST_RESTORE: > + default: > + ret = NOTIFY_OK; > + } > + return ret; > +}; This whole routine now is if (IS_ENABLED(CONFIG_ARM64)) return NOTIFY_BAD; return NOTIFY_OK; isn't it? > + > +static struct notifier_block xen_pm_notifier_block = { > + .notifier_call = xen_pm_notifier > +}; > + > +static int xen_setup_pm_notifier(void) > +{ > + if (!xen_hvm_domain() || xen_initial_domain()) > + return -ENODEV; I don't think this works anymore. In the past your notifier would set suspend_mode (or something) but now it really doesn't do anything except reports an error in some (ARM) cases. So I think you should move this check into the notifier. (And BTW I still think PM_SUSPEND_PREPARE should return an error too. The fact that we are using "suspend" in xen routine names is irrelevant) -boris > + return register_pm_notifier(&xen_pm_notifier_block); > +} > +
On 8/21/20 6:27 PM, Anchal Agarwal wrote: > From: Munehisa Kamata <kamatam@amazon.com> > > Add Xen PVHVM specific system core callbacks for PM > hibernation support. The callbacks suspend and resume > Xen primitives like shared_info, pvclock and grant table. > These syscore_ops are specifically for domU hibernation. > xen_suspend() calls syscore_suspend() during Xen suspend > operation however, during xen suspend lock_system_sleep() > lock is taken and thus system cannot trigger hibernation. > These system core callbacks will be called only from the > hibernation context. Well, they can be called from Xen suspend too, which is why you have the checks in the beginning. -boris
On Sun, Sep 13, 2020 at 11:43:30AM -0400, boris.ostrovsky@oracle.com wrote: > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > On 8/21/20 6:25 PM, Anchal Agarwal wrote: > > From: Munehisa Kamata <kamatam@amazon.com> > > > > Guest hibernation is different from xen suspend/resume/live migration. > > Xen save/restore does not use pm_ops as is needed by guest hibernation. > > Hibernation in guest follows ACPI path and is guest inititated , the > > hibernation image is saved within guest as compared to later modes > > which are xen toolstack assisted and image creation/storage is in > > control of hypervisor/host machine. > > To differentiate between Xen suspend and PM hibernation, keep track > > of the on-going suspend mode by mainly using a new API to keep track of > > SHUTDOWN_SUSPEND state. > > Introduce a simple function that keeps track of on-going suspend mode > > so that PM hibernation code can behave differently according to the > > current suspend mode. > > Since Xen suspend doesn't have corresponding PM event, its main logic > > is modfied to acquire pm_mutex. > > > lock_system_sleep() is not taking this mutex. > Yes, I just realized that the commit 55f2503c ("PM / reboot: Eliminate race between reboot and suspend") changed its name to system_transition_mutex. I think I missed that change somehow and assumed its still pm_mutex. Will fix the description. > > > > > Though, accquirng pm_mutex is still right thing to do, we may > > see deadlock if PM hibernation is interrupted by Xen suspend. > > PM hibernation depends on xenwatch thread to process xenbus state > > transactions, but the thread will sleep to wait pm_mutex which is > > already held by PM hibernation context in the scenario. Xen shutdown > > code may need some changes to avoid the issue. > > > > Is it Xen's shutdown or suspend code that needs to address this? (Or I > may not understand what the problem is that you are describing) > Its Xen suspend code I think. If we do not take the system_transition_mutex in do_suspend then if hibernation is triggered in parallel to xen suspend there could be issues. Now this is still theoretical in my case and I havent been able to reproduce such a race. So the approach the original author took was to take this lock which to me seems right. And its Xen suspend and not Xen Shutdown. So basically if this scenario happens I am of the view one of other will fail to occur then how do we recover or avoid this at all. Does that answer your question? > > > > > + > > +static int xen_pm_notifier(struct notifier_block *notifier, > > + unsigned long pm_event, void *unused) > > +{ > > + int ret; > > + > > + switch (pm_event) { > > + case PM_SUSPEND_PREPARE: > > + case PM_HIBERNATION_PREPARE: > > + /* Guest hibernation is not supported for aarch64 currently*/ > > + if (IS_ENABLED(CONFIG_ARM64)) { > > + ret = NOTIFY_BAD; > > + break; > > + } > > Indentation. > > > + case PM_RESTORE_PREPARE: > > + case PM_POST_SUSPEND: > > + case PM_POST_HIBERNATION: > > + case PM_POST_RESTORE: > > + default: > > + ret = NOTIFY_OK; > > + } > > + return ret; > > +}; > > > This whole routine now is > > if (IS_ENABLED(CONFIG_ARM64)) > return NOTIFY_BAD; > > return NOTIFY_OK; > > isn't it? > Yes. > > > + > > +static struct notifier_block xen_pm_notifier_block = { > > + .notifier_call = xen_pm_notifier > > +}; > > + > > +static int xen_setup_pm_notifier(void) > > +{ > > + if (!xen_hvm_domain() || xen_initial_domain()) > > + return -ENODEV; > > > I don't think this works anymore. What do you mean? The first check is for xen domain types and other is for architecture support. The reason I put this check here is because I wanted to segregate the two. I do not want to register this notifier at all for !hmv guest and also if its an initial control domain. The arm check only lands in notifier because once hibernate() api is called -> calls pm_notifier_call_chain for PM_HIBERNATION_PREPARE this will fail for aarch64. Once we have support for aarch64 this notifier can go away altogether. Is there any other reason I may be missing why we should move this check to notifier? > > In the past your notifier would set suspend_mode (or something) but now > it really doesn't do anything except reports an error in some (ARM) cases. > > So I think you should move this check into the notifier. > > (And BTW I still think PM_SUSPEND_PREPARE should return an error too. > The fact that we are using "suspend" in xen routine names is irrelevant) > I may have send "not-updated" version of the notifier's function change. + switch (pm_event) { + case PM_HIBERNATION_PREPARE: + /* Guest hibernation is not supported for aarch64 currently*/ + if (IS_ENABLED(CONFIG_ARM64)) { + ret = NOTIFY_BAD; + break; + } + case PM_RESTORE_PREPARE: + case PM_POST_RESTORE: + case PM_POST_HIBERNATION: + default: + ret = NOTIFY_OK; + } With the above path PM_SUSPEND_PREPARE will go all together. Does that resolves this issue? I wanted to get rid of all SUSPEND_* as they are not needed here clearly. The only reason I kept it there is if someone tries to trigger hibernation on ARM instances they should get an error. As I am not sure about the current behavior. There may be a better way to not invoke hibernation on ARM DomU's and get rid of this block all together. Again, sorry for sending in the half baked fix. My workspace switch may have caused the error. > > > > -boris > Anchal > > > > + return register_pm_notifier(&xen_pm_notifier_block); > > +} > > +
On 9/14/20 5:47 PM, Anchal Agarwal wrote: > On Sun, Sep 13, 2020 at 11:43:30AM -0400, boris.ostrovsky@oracle.com wrote: >> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. >> >> >> >> On 8/21/20 6:25 PM, Anchal Agarwal wrote: >>> Though, accquirng pm_mutex is still right thing to do, we may >>> see deadlock if PM hibernation is interrupted by Xen suspend. >>> PM hibernation depends on xenwatch thread to process xenbus state >>> transactions, but the thread will sleep to wait pm_mutex which is >>> already held by PM hibernation context in the scenario. Xen shutdown >>> code may need some changes to avoid the issue. >> >> >> Is it Xen's shutdown or suspend code that needs to address this? (Or I >> may not understand what the problem is that you are describing) >> > Its Xen suspend code I think. If we do not take the system_transition_mutex > in do_suspend then if hibernation is triggered in parallel to xen suspend there > could be issues. But you *are* taking this mutex to avoid this exact race, aren't you? > Now this is still theoretical in my case and I havent been able > to reproduce such a race. So the approach the original author took was to take > this lock which to me seems right. > And its Xen suspend and not Xen Shutdown. So basically if this scenario > happens I am of the view one of other will fail to occur then how do we recover > or avoid this at all. > > Does that answer your question? > >>> + >>> +static int xen_setup_pm_notifier(void) >>> +{ >>> + if (!xen_hvm_domain() || xen_initial_domain()) >>> + return -ENODEV; >> >> I don't think this works anymore. > What do you mean? > The first check is for xen domain types and other is for architecture support. > The reason I put this check here is because I wanted to segregate the two. > I do not want to register this notifier at all for !hmv guest and also if its > an initial control domain. > The arm check only lands in notifier because once hibernate() api is called -> > calls pm_notifier_call_chain for PM_HIBERNATION_PREPARE this will fail for > aarch64. > Once we have support for aarch64 this notifier can go away altogether. > > Is there any other reason I may be missing why we should move this check to > notifier? Not registering this notifier is equivalent to having it return NOTIFY_OK. In your earlier versions just returning NOTIFY_OK was not sufficient for hibernation to proceed since the notifier would also need to set suspend_mode appropriately. But now your notifier essentially filters out unsupported configurations. And so if it is not called your configuration (e.g. PV domain) will be considered supported. >> In the past your notifier would set suspend_mode (or something) but now >> it really doesn't do anything except reports an error in some (ARM) cases. >> >> So I think you should move this check into the notifier. >> (And BTW I still think PM_SUSPEND_PREPARE should return an error too. >> The fact that we are using "suspend" in xen routine names is irrelevant) >> > I may have send "not-updated" version of the notifier's function change. > > + switch (pm_event) { > + case PM_HIBERNATION_PREPARE: > + /* Guest hibernation is not supported for aarch64 currently*/ > + if (IS_ENABLED(CONFIG_ARM64)) { > + ret = NOTIFY_BAD; > + break; > + } > + case PM_RESTORE_PREPARE: > + case PM_POST_RESTORE: > + case PM_POST_HIBERNATION: > + default: > + ret = NOTIFY_OK; > + } There is no difference on x86 between this code and what you sent earlier. In both instances PM_SUSPEND_PREPARE will return NOTIFY_OK. On ARM this code will allow suspend to proceed (which is not what we want). -boris > > With the above path PM_SUSPEND_PREPARE will go all together. Does that > resolves this issue? I wanted to get rid of all SUSPEND_* as they are not needed > here clearly. > The only reason I kept it there is if someone tries to trigger hibernation on > ARM instances they should get an error. As I am not sure about the current > behavior. There may be a better way to not invoke hibernation on ARM DomU's and > get rid of this block all together. > > Again, sorry for sending in the half baked fix. My workspace switch may have > caused the error. >> >> >> -boris >> > Anchal >> >>> + return register_pm_notifier(&xen_pm_notifier_block); >>> +} >>> +
On Mon, Sep 14, 2020 at 08:24:22PM -0400, boris.ostrovsky@oracle.com wrote: > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > On 9/14/20 5:47 PM, Anchal Agarwal wrote: > > On Sun, Sep 13, 2020 at 11:43:30AM -0400, boris.ostrovsky@oracle.com wrote: > >> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > >> > >> > >> > >> On 8/21/20 6:25 PM, Anchal Agarwal wrote: > >>> Though, accquirng pm_mutex is still right thing to do, we may > >>> see deadlock if PM hibernation is interrupted by Xen suspend. > >>> PM hibernation depends on xenwatch thread to process xenbus state > >>> transactions, but the thread will sleep to wait pm_mutex which is > >>> already held by PM hibernation context in the scenario. Xen shutdown > >>> code may need some changes to avoid the issue. > >> > >> > >> Is it Xen's shutdown or suspend code that needs to address this? (Or I > >> may not understand what the problem is that you are describing) > >> > > Its Xen suspend code I think. If we do not take the system_transition_mutex > > in do_suspend then if hibernation is triggered in parallel to xen suspend there > > could be issues. > > > But you *are* taking this mutex to avoid this exact race, aren't you? yes, in that case this race should not occur and either one of it should fail gracefully. > > > > Now this is still theoretical in my case and I havent been able > > to reproduce such a race. So the approach the original author took was to take > > this lock which to me seems right. > > And its Xen suspend and not Xen Shutdown. So basically if this scenario > > happens I am of the view one of other will fail to occur then how do we recover > > or avoid this at all. > > > > Does that answer your question? > > > > > >>> + > >>> +static int xen_setup_pm_notifier(void) > >>> +{ > >>> + if (!xen_hvm_domain() || xen_initial_domain()) > >>> + return -ENODEV; > >> > >> I don't think this works anymore. > > What do you mean? > > The first check is for xen domain types and other is for architecture support. > > The reason I put this check here is because I wanted to segregate the two. > > I do not want to register this notifier at all for !hmv guest and also if its > > an initial control domain. > > The arm check only lands in notifier because once hibernate() api is called -> > > calls pm_notifier_call_chain for PM_HIBERNATION_PREPARE this will fail for > > aarch64. > > Once we have support for aarch64 this notifier can go away altogether. > > > > Is there any other reason I may be missing why we should move this check to > > notifier? > > > Not registering this notifier is equivalent to having it return NOTIFY_OK. > How is that different from current behavior? > > In your earlier versions just returning NOTIFY_OK was not sufficient for > hibernation to proceed since the notifier would also need to set > suspend_mode appropriately. But now your notifier essentially filters > out unsupported configurations. And so if it is not called your > configuration (e.g. PV domain) will be considered supported. > I am sorry if I am having a bit of hard time understanding this. How will it be considered supported when its not even registered? My understanding is if its not registered, it will not land in notifier call chain which is invoked in pm_notifier_call_chain(). As Roger, mentioned in last series none of this should be a part of PVH dom0 hibernation as its not tested but this series should also not break anything. If I register this notifier for PVH dom0 and return error later that will alter the current behavior right? If a pm_notifier for pvh dom0 is not registered then it will not land in the notifier call chain and system will work as before this series. If I look for unsupported configurations, then !hvm domain is also one but we filter that out at the beginning and don't even bother about it. Unless you mean guest running VMs itself? [Trying to read between the lines may not be the case though] > > >> In the past your notifier would set suspend_mode (or something) but now > >> it really doesn't do anything except reports an error in some (ARM) cases. > >> > >> So I think you should move this check into the notifier. > >> (And BTW I still think PM_SUSPEND_PREPARE should return an error too. > >> The fact that we are using "suspend" in xen routine names is irrelevant) > >> > > I may have send "not-updated" version of the notifier's function change. > > > > + switch (pm_event) { > > + case PM_HIBERNATION_PREPARE: > > + /* Guest hibernation is not supported for aarch64 currently*/ > > + if (IS_ENABLED(CONFIG_ARM64)) { > > + ret = NOTIFY_BAD; > > + break; > > + } > > + case PM_RESTORE_PREPARE: > > + case PM_POST_RESTORE: > > + case PM_POST_HIBERNATION: > > + default: > > + ret = NOTIFY_OK; > > + } > > > There is no difference on x86 between this code and what you sent > earlier. In both instances PM_SUSPEND_PREPARE will return NOTIFY_OK. > > > On ARM this code will allow suspend to proceed (which is not what we want). > Ok, I think I may have overlooked arm code. I will fix that. > > -boris > Thanks, Anchal > > > > > With the above path PM_SUSPEND_PREPARE will go all together. Does that > > resolves this issue? I wanted to get rid of all SUSPEND_* as they are not needed > > here clearly. > > The only reason I kept it there is if someone tries to trigger hibernation on > > ARM instances they should get an error. As I am not sure about the current > > behavior. There may be a better way to not invoke hibernation on ARM DomU's and > > get rid of this block all together. > > > > Again, sorry for sending in the half baked fix. My workspace switch may have > > caused the error. > >> > >> > >> -boris > >> > > Anchal > >> > >>> + return register_pm_notifier(&xen_pm_notifier_block); > >>> +} > >>> +
>> >> >>>>> + >>>>> +static int xen_setup_pm_notifier(void) >>>>> +{ >>>>> + if (!xen_hvm_domain() || xen_initial_domain()) >>>>> + return -ENODEV; >>>> >>>> I don't think this works anymore. >>> What do you mean? >>> The first check is for xen domain types and other is for architecture support. >>> The reason I put this check here is because I wanted to segregate the two. >>> I do not want to register this notifier at all for !hmv guest and also if its >>> an initial control domain. >>> The arm check only lands in notifier because once hibernate() api is called -> >>> calls pm_notifier_call_chain for PM_HIBERNATION_PREPARE this will fail for >>> aarch64. >>> Once we have support for aarch64 this notifier can go away altogether. >>> >>> Is there any other reason I may be missing why we should move this check to >>> notifier? >> >> >> Not registering this notifier is equivalent to having it return NOTIFY_OK. >> > How is that different from current behavior? >> >> In your earlier versions just returning NOTIFY_OK was not sufficient for >> hibernation to proceed since the notifier would also need to set >> suspend_mode appropriately. But now your notifier essentially filters >> out unsupported configurations. And so if it is not called your >> configuration (e.g. PV domain) will be considered supported. >> > I am sorry if I am having a bit of hard time understanding this. > How will it be considered supported when its not even registered? My > understanding is if its not registered, it will not land in notifier call chain > which is invoked in pm_notifier_call_chain(). Returning an error from xen_setup_pm_notifier() doesn't have any effect on whether hibernation will start. It's the notifier that can stop it. > > As Roger, mentioned in last series none of this should be a part of PVH dom0 > hibernation as its not tested but this series should also not break anything. > If I register this notifier for PVH dom0 and return error later that will alter > the current behavior right? > > If a pm_notifier for pvh dom0 is not registered then it will not land in the > notifier call chain and system will work as before this series. > If I look for unsupported configurations, then !hvm domain is also one but we > filter that out at the beginning and don't even bother about it. > > Unless you mean guest running VMs itself? [Trying to read between the lines may > not be the case though] In hibernate(): error = __pm_notifier_call_chain(PM_HIBERNATION_PREPARE, -1, &nr_calls); if (error) { nr_calls--; goto Exit; } Is you don't have notifier registered (as will be the case with PV domains and dom0) you won't get an error and proceed with hibernation. (And now I actually suspect it didn't work even with your previous patches) But something like this I think will do what you want: static int xen_pm_notifier(struct notifier_block *notifier, unsigned long pm_event, void *unused) { if (IS_ENABLED(CONFIG_ARM64) || !xen_hvm_domain() || xen_initial_domain() || (pm_event == PM_SUSPEND_PREPARE)) { if ((pm_event == PM_SUSPEND_PREPARE) || (pm_event == PM_HIBERNATION_PREPARE)) pr_warn("%s is not supported for this guest", (pm_event == PM_SUSPEND_PREPARE) ? "Suspend" : "Hibernation"); return NOTIFY_BAD; return NOTIFY_OK; } static int xen_setup_pm_notifier(void) { return register_pm_notifier(&xen_pm_notifier_block); } I tried to see if there is a way to prevent hibernation without using notifiers (like having a global flag or something) but didn't find anything obvious. Perhaps others can point to a simpler way of doing this. -boris
On 9/21/20 5:54 PM, Anchal Agarwal wrote: > Thanks for the above suggestion. You are right I didn't find a way to declare > a global state either. I just broke the above check in 2 so that once we have > support for ARM we should be able to remove aarch64 condition easily. Let me > know if I am missing nay corner cases with this one. > > static int xen_pm_notifier(struct notifier_block *notifier, > unsigned long pm_event, void *unused) > { > int ret = NOTIFY_OK; > if (!xen_hvm_domain() || xen_initial_domain()) > ret = NOTIFY_BAD; > if(IS_ENABLED(CONFIG_ARM64) && (pm_event == PM_SUSPEND_PREPARE || pm_event == HIBERNATION_PREPARE)) > ret = NOTIFY_BAD; > > return ret; > } This will allow PM suspend to proceed on x86. -boris
On Tue, Sep 22, 2020 at 12:18:05PM -0400, boris.ostrovsky@oracle.com wrote: > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > On 9/21/20 5:54 PM, Anchal Agarwal wrote: > > Thanks for the above suggestion. You are right I didn't find a way to declare > > a global state either. I just broke the above check in 2 so that once we have > > support for ARM we should be able to remove aarch64 condition easily. Let me > > know if I am missing nay corner cases with this one. > > > > static int xen_pm_notifier(struct notifier_block *notifier, > > unsigned long pm_event, void *unused) > > { > > int ret = NOTIFY_OK; > > if (!xen_hvm_domain() || xen_initial_domain()) > > ret = NOTIFY_BAD; > > if(IS_ENABLED(CONFIG_ARM64) && (pm_event == PM_SUSPEND_PREPARE || pm_event == HIBERNATION_PREPARE)) > > ret = NOTIFY_BAD; > > > > return ret; > > } > > > > This will allow PM suspend to proceed on x86. Right!! Missed it. Also, wrt KASLR stuff, that issue is still seen sometimes but I haven't had bandwidth to dive deep into the issue and fix it. I seem to have lost your email in my inbox hence covering the question here. > > > -boris >
On 9/25/20 3:04 PM, Anchal Agarwal wrote: > On Tue, Sep 22, 2020 at 11:17:36PM +0000, Anchal Agarwal wrote: >> On Tue, Sep 22, 2020 at 12:18:05PM -0400, boris.ostrovsky@oracle.com wrote: >>> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. >>> >>> >>> >>> On 9/21/20 5:54 PM, Anchal Agarwal wrote: >>>> Thanks for the above suggestion. You are right I didn't find a way to declare >>>> a global state either. I just broke the above check in 2 so that once we have >>>> support for ARM we should be able to remove aarch64 condition easily. Let me >>>> know if I am missing nay corner cases with this one. >>>> >>>> static int xen_pm_notifier(struct notifier_block *notifier, >>>> unsigned long pm_event, void *unused) >>>> { >>>> int ret = NOTIFY_OK; >>>> if (!xen_hvm_domain() || xen_initial_domain()) >>>> ret = NOTIFY_BAD; >>>> if(IS_ENABLED(CONFIG_ARM64) && (pm_event == PM_SUSPEND_PREPARE || pm_event == HIBERNATION_PREPARE)) >>>> ret = NOTIFY_BAD; >>>> >>>> return ret; >>>> } >>> >>> >>> This will allow PM suspend to proceed on x86. >> Right!! Missed it. >> Also, wrt KASLR stuff, that issue is still seen sometimes but I haven't had >> bandwidth to dive deep into the issue and fix it. So what's the plan there? You first mentioned this issue early this year and judged by your response it is not clear whether you will ever spend time looking at it. >> I seem to have lost your email >> in my inbox hence covering the question here. >>> > Can I add your Reviewed-by or Signed-off-by to it? Are you asking me to add my R-b to the broken code above? -boris
>>>>>>> Also, wrt KASLR stuff, that issue is still seen sometimes but I haven't had >>>>>>> bandwidth to dive deep into the issue and fix it. >>>> So what's the plan there? You first mentioned this issue early this year and judged by your response it is not clear whether you will ever spend time looking at it. >>>> >>> I do want to fix it and did do some debugging earlier this year just haven't >>> gotten back to it. Also, wanted to understand if the issue is a blocker to this >>> series? >> >> Integrating code with known bugs is less than ideal. >> > So for this series to be accepted, KASLR needs to be fixed along with other > comments of course? Yes, please. >>> I had some theories when debugging around this like if the random base address picked by kaslr for the >>> resuming kernel mismatches the suspended kernel and just jogging my memory, I didn't find that as the case. >>> Another hunch was if physical address of registered vcpu info at boot is different from what suspended kernel >>> has and that can cause CPU's to get stuck when coming online. >> >> I'd think if this were the case you'd have 100% failure rate. And we are also re-registering vcpu info on xen restore and I am not aware of any failures due to KASLR. >> > What I meant there wrt VCPU info was that VCPU info is not unregistered during hibernation, > so Xen still remembers the old physical addresses for the VCPU information, created by the > booting kernel. But since the hibernation kernel may have different physical > addresses for VCPU info and if mismatch happens, it may cause issues with resume. > During hibernation, the VCPU info register hypercall is not invoked again. I still don't think that's the cause but it's certainly worth having a look. -boris
On Thu, Oct 01, 2020 at 08:43:58AM -0400, boris.ostrovsky@oracle.com wrote: > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > >>>>>>> Also, wrt KASLR stuff, that issue is still seen sometimes but I haven't had > >>>>>>> bandwidth to dive deep into the issue and fix it. > >>>> So what's the plan there? You first mentioned this issue early this year and judged by your response it is not clear whether you will ever spend time looking at it. > >>>> > >>> I do want to fix it and did do some debugging earlier this year just haven't > >>> gotten back to it. Also, wanted to understand if the issue is a blocker to this > >>> series? > >> > >> Integrating code with known bugs is less than ideal. > >> > > So for this series to be accepted, KASLR needs to be fixed along with other > > comments of course? > > > Yes, please. > > > > >>> I had some theories when debugging around this like if the random base address picked by kaslr for the > >>> resuming kernel mismatches the suspended kernel and just jogging my memory, I didn't find that as the case. > >>> Another hunch was if physical address of registered vcpu info at boot is different from what suspended kernel > >>> has and that can cause CPU's to get stuck when coming online. > >> > >> I'd think if this were the case you'd have 100% failure rate. And we are also re-registering vcpu info on xen restore and I am not aware of any failures due to KASLR. > >> > > What I meant there wrt VCPU info was that VCPU info is not unregistered during hibernation, > > so Xen still remembers the old physical addresses for the VCPU information, created by the > > booting kernel. But since the hibernation kernel may have different physical > > addresses for VCPU info and if mismatch happens, it may cause issues with resume. > > During hibernation, the VCPU info register hypercall is not invoked again. > > > I still don't think that's the cause but it's certainly worth having a look. > Hi Boris, Apologies for picking this up after last year. I did some dive deep on the above statement and that is indeed the case that's happening. I did some debugging around KASLR and hibernation using reboot mode. I observed in my debug prints that whenever vcpu_info* address for secondary vcpu assigned in xen_vcpu_setup at boot is different than what is in the image, resume gets stuck for that vcpu in bringup_cpu(). That means we have different addresses for &per_cpu(xen_vcpu_info, cpu) at boot and after control jumps into the image. I failed to get any prints after it got stuck in bringup_cpu() and I do not have an option to send a sysrq signal to the guest or rather get a kdump. This change is not observed in every hibernate-resume cycle. I am not sure if this is a bug or an expected behavior. Also, I am contemplating the idea that it may be a bug in xen code getting triggered only when KASLR is enabled but I do not have substantial data to prove that. Is this a coincidence that this always happens for 1st vcpu? Moreover, since hypervisor is not aware that guest is hibernated and it looks like a regular shutdown to dom0 during reboot mode, will re-registering vcpu_info for secondary vcpu's even plausible? I could definitely use some advice to debug this further. Some printk's from my debugging: At Boot: xen_vcpu_setup: xen_have_vcpu_info_placement=1 cpu=1, vcpup=0xffff9e548fa560e0, info.mfn=3996246 info.offset=224, Image Loads: It ends up in the condition: xen_vcpu_setup() { ... if (xen_hvm_domain()) { if (per_cpu(xen_vcpu, cpu) == &per_cpu(xen_vcpu_info, cpu)) return 0; } ... } xen_vcpu_setup: checking mfn on resume cpu=1, info.mfn=3934806 info.offset=224, &per_cpu(xen_vcpu_info, cpu)=0xffff9d7240a560e0 This is tested on c4.2xlarge [8vcpu 15GB mem] instance with 5.10 kernel running in the guest. Thanks, Anchal. > > -boris > >
On 5/21/21 1:26 AM, Anchal Agarwal wrote: >>> What I meant there wrt VCPU info was that VCPU info is not unregistered during hibernation, >>> so Xen still remembers the old physical addresses for the VCPU information, created by the >>> booting kernel. But since the hibernation kernel may have different physical >>> addresses for VCPU info and if mismatch happens, it may cause issues with resume. >>> During hibernation, the VCPU info register hypercall is not invoked again. >> >> I still don't think that's the cause but it's certainly worth having a look. >> > Hi Boris, > Apologies for picking this up after last year. > I did some dive deep on the above statement and that is indeed the case that's happening. > I did some debugging around KASLR and hibernation using reboot mode. > I observed in my debug prints that whenever vcpu_info* address for secondary vcpu assigned > in xen_vcpu_setup at boot is different than what is in the image, resume gets stuck for that vcpu > in bringup_cpu(). That means we have different addresses for &per_cpu(xen_vcpu_info, cpu) at boot and after > control jumps into the image. > > I failed to get any prints after it got stuck in bringup_cpu() and > I do not have an option to send a sysrq signal to the guest or rather get a kdump. xenctx and xen-hvmctx might be helpful. > This change is not observed in every hibernate-resume cycle. I am not sure if this is a bug or an > expected behavior. > Also, I am contemplating the idea that it may be a bug in xen code getting triggered only when > KASLR is enabled but I do not have substantial data to prove that. > Is this a coincidence that this always happens for 1st vcpu? > Moreover, since hypervisor is not aware that guest is hibernated and it looks like a regular shutdown to dom0 during reboot mode, > will re-registering vcpu_info for secondary vcpu's even plausible? I think I am missing how this is supposed to work (maybe we've talked about this but it's been many months since then). You hibernate the guest and it writes the state to swap. The guest is then shut down? And what's next? How do you wake it up? -boris > I could definitely use some advice to debug this further. > > > Some printk's from my debugging: > > At Boot: > > xen_vcpu_setup: xen_have_vcpu_info_placement=1 cpu=1, vcpup=0xffff9e548fa560e0, info.mfn=3996246 info.offset=224, > > Image Loads: > It ends up in the condition: > xen_vcpu_setup() > { > ... > if (xen_hvm_domain()) { > if (per_cpu(xen_vcpu, cpu) == &per_cpu(xen_vcpu_info, cpu)) > return 0; > } > ... > } > > xen_vcpu_setup: checking mfn on resume cpu=1, info.mfn=3934806 info.offset=224, &per_cpu(xen_vcpu_info, cpu)=0xffff9d7240a560e0 > > This is tested on c4.2xlarge [8vcpu 15GB mem] instance with 5.10 kernel running > in the guest. > > Thanks, > Anchal. >> -boris >> >>
On Tue, May 25, 2021 at 06:23:35PM -0400, Boris Ostrovsky wrote: > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > On 5/21/21 1:26 AM, Anchal Agarwal wrote: > >>> What I meant there wrt VCPU info was that VCPU info is not unregistered during hibernation, > >>> so Xen still remembers the old physical addresses for the VCPU information, created by the > >>> booting kernel. But since the hibernation kernel may have different physical > >>> addresses for VCPU info and if mismatch happens, it may cause issues with resume. > >>> During hibernation, the VCPU info register hypercall is not invoked again. > >> > >> I still don't think that's the cause but it's certainly worth having a look. > >> > > Hi Boris, > > Apologies for picking this up after last year. > > I did some dive deep on the above statement and that is indeed the case that's happening. > > I did some debugging around KASLR and hibernation using reboot mode. > > I observed in my debug prints that whenever vcpu_info* address for secondary vcpu assigned > > in xen_vcpu_setup at boot is different than what is in the image, resume gets stuck for that vcpu > > in bringup_cpu(). That means we have different addresses for &per_cpu(xen_vcpu_info, cpu) at boot and after > > control jumps into the image. > > > > I failed to get any prints after it got stuck in bringup_cpu() and > > I do not have an option to send a sysrq signal to the guest or rather get a kdump. > > > xenctx and xen-hvmctx might be helpful. > > > > This change is not observed in every hibernate-resume cycle. I am not sure if this is a bug or an > > expected behavior. > > Also, I am contemplating the idea that it may be a bug in xen code getting triggered only when > > KASLR is enabled but I do not have substantial data to prove that. > > Is this a coincidence that this always happens for 1st vcpu? > > Moreover, since hypervisor is not aware that guest is hibernated and it looks like a regular shutdown to dom0 during reboot mode, > > will re-registering vcpu_info for secondary vcpu's even plausible? > > > I think I am missing how this is supposed to work (maybe we've talked about this but it's been many months since then). You hibernate the guest and it writes the state to swap. The guest is then shut down? And what's next? How do you wake it up? > > > -boris > To resume a guest, guest boots up as the fresh guest and then software_resume() is called which if finds a stored hibernation image, quiesces the devices and loads the memory contents from the image. The control then transfers to the targeted kernel. This further disables non boot cpus,sycore_suspend/resume callbacks are invoked which sets up the shared_info, pvclock, grant tables etc. Since the vcpu_info pointer for each non-boot cpu is already registered, the hypercall does not happen again when bringing up the non boot cpus. This leads to inconsistencies as pointed out earlier when KASLR is enabled. Thanks, Anchal > > > > I could definitely use some advice to debug this further. > > > > > > Some printk's from my debugging: > > > > At Boot: > > > > xen_vcpu_setup: xen_have_vcpu_info_placement=1 cpu=1, vcpup=0xffff9e548fa560e0, info.mfn=3996246 info.offset=224, > > > > Image Loads: > > It ends up in the condition: > > xen_vcpu_setup() > > { > > ... > > if (xen_hvm_domain()) { > > if (per_cpu(xen_vcpu, cpu) == &per_cpu(xen_vcpu_info, cpu)) > > return 0; > > } > > ... > > } > > > > xen_vcpu_setup: checking mfn on resume cpu=1, info.mfn=3934806 info.offset=224, &per_cpu(xen_vcpu_info, cpu)=0xffff9d7240a560e0 > > > > This is tested on c4.2xlarge [8vcpu 15GB mem] instance with 5.10 kernel running > > in the guest. > > > > Thanks, > > Anchal. > >> -boris > >> > >>
On 5/28/21 5:50 PM, Anchal Agarwal wrote: > That only fails during boot but not after the control jumps into the image. The > non boot cpus are brought offline(freeze_secondary_cpus) and then online via cpu hotplug path. In that case xen_vcpu_setup doesn't invokes the hypercall again. OK, that makes sense --- by that time VCPUs have already been registered. What I don't understand though is why resume doesn't fail every time --- xen_vcpu and xen_vcpu_info should be different practically always, shouldn't they? Do you observe successful resumes when the hypercall fails? > > Another line of thought is something what kexec does to come around this problem > is to abuse soft_reset and issue it during syscore_resume or may be before the image get loaded. > I haven't experimented with that yet as I am assuming there has to be a way to re-register vcpus during resume. Right, that sounds like it should work. -boris
On Tue, Jun 01, 2021 at 10:18:36AM -0400, Boris Ostrovsky wrote: > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > On 5/28/21 5:50 PM, Anchal Agarwal wrote: > > > That only fails during boot but not after the control jumps into the image. The > > non boot cpus are brought offline(freeze_secondary_cpus) and then online via cpu hotplug path. In that case xen_vcpu_setup doesn't invokes the hypercall again. > > > OK, that makes sense --- by that time VCPUs have already been registered. What I don't understand though is why resume doesn't fail every time --- xen_vcpu and xen_vcpu_info should be different practically always, shouldn't they? Do you observe successful resumes when the hypercall fails? > > The resume won't fail because in the image the xen_vcpu and xen_vcpu_info are same. These are the same values that got in there during saving of the hibernation image. So whatever xen_vcpu got as a value during boot time registration on resume is essentially lost once the jump into the saved kernel image happens. Interesting part is if KASLR is not enabled boot time vcpup mfn is same as in the image. Once you enable KASLR this value changes sometimes and whenever that happens resume gets stuck. Does that make sense? No it does not resume successfully if hypercall fails because I was trying to explicitly reset vcpu and invoke hypercall. I am just wondering why does restore logic fails to work here or probably I am missing a critical piece here. > > > > Another line of thought is something what kexec does to come around this problem > > is to abuse soft_reset and issue it during syscore_resume or may be before the image get loaded. > > I haven't experimented with that yet as I am assuming there has to be a way to re-register vcpus during resume. > > > Right, that sounds like it should work. > You mean soft reset or re-register vcpu? -Anchal > > -boris > >
On 6/2/21 3:37 PM, Anchal Agarwal wrote: > On Tue, Jun 01, 2021 at 10:18:36AM -0400, Boris Ostrovsky wrote: >> > The resume won't fail because in the image the xen_vcpu and xen_vcpu_info are > same. These are the same values that got in there during saving of the > hibernation image. So whatever xen_vcpu got as a value during boot time registration on resume is > essentially lost once the jump into the saved kernel image happens. Interesting > part is if KASLR is not enabled boot time vcpup mfn is same as in the image. Do you start the your guest right after you've hibernated it? What happens if you create (and keep running) a few other guests in-between? mfn would likely be different then I'd think. > Once you enable KASLR this value changes sometimes and whenever that happens > resume gets stuck. Does that make sense? > > No it does not resume successfully if hypercall fails because I was trying to > explicitly reset vcpu and invoke hypercall. > I am just wondering why does restore logic fails to work here or probably I am > missing a critical piece here. If you are not using KASLR then xen_vcpu_info is at the same address every time you boot. So whatever you registered before hibernating stays the same when you boot second time and register again, and so successful comparison in xen_vcpu_setup() works. (Mostly by chance.) But if KASLR is on then this comparison not failing should cause xen_vcpu pointer in the loaded image to become bogus because xen_vcpu is now registered for a different xen_vcpu_info address during boot. >>> Another line of thought is something what kexec does to come around this problem >>> is to abuse soft_reset and issue it during syscore_resume or may be before the image get loaded. >>> I haven't experimented with that yet as I am assuming there has to be a way to re-register vcpus during resume. >> >> Right, that sounds like it should work. >> > You mean soft reset or re-register vcpu? Doing something along the lines of a soft reset. It should allow you to re-register. Not sure how you can use it without Xen changes though. -boris
On Thu, Jun 03, 2021 at 04:11:46PM -0400, Boris Ostrovsky wrote: > CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe. > > > > On 6/2/21 3:37 PM, Anchal Agarwal wrote: > > On Tue, Jun 01, 2021 at 10:18:36AM -0400, Boris Ostrovsky wrote: > >> > > The resume won't fail because in the image the xen_vcpu and xen_vcpu_info are > > same. These are the same values that got in there during saving of the > > hibernation image. So whatever xen_vcpu got as a value during boot time registration on resume is > > essentially lost once the jump into the saved kernel image happens. Interesting > > part is if KASLR is not enabled boot time vcpup mfn is same as in the image. > > > Do you start the your guest right after you've hibernated it? What happens if you create (and keep running) a few other guests in-between? mfn would likely be different then I'd think. > > Yes, I just run it in loops on a single guest and I am able to see the issue in 20-40 iterations sometime may be sooner. Yeah, you could be right and this could definitely happen more often depending what's happening on dom0 side. > > Once you enable KASLR this value changes sometimes and whenever that happens > > resume gets stuck. Does that make sense? > > > > No it does not resume successfully if hypercall fails because I was trying to > > explicitly reset vcpu and invoke hypercall. > > I am just wondering why does restore logic fails to work here or probably I am > > missing a critical piece here. > > > If you are not using KASLR then xen_vcpu_info is at the same address every time you boot. So whatever you registered before hibernating stays the same when you boot second time and register again, and so successful comparison in xen_vcpu_setup() works. (Mostly by chance.) > That's what I thought so too. > > But if KASLR is on then this comparison not failing should cause xen_vcpu pointer in the loaded image to become bogus because xen_vcpu is now registered for a different xen_vcpu_info address during boot. > The reason for that I think is once you jump into the image that information is getting lost. But there is some residue somewhere that's causing the resume to fail. I haven't been able to pinpoint the exact field value that may be causing that issue. Correct me if I am wrong here, but even if hypothetically I put a hack to tell the kernel somehow re-register vcpu it won't pass because there is no hypercall to unregister it in first place? Can the resumed kernel use the new values in that case [Now this is me just throwing wild guesses!!] > > >>> Another line of thought is something what kexec does to come around this problem > >>> is to abuse soft_reset and issue it during syscore_resume or may be before the image get loaded. > >>> I haven't experimented with that yet as I am assuming there has to be a way to re-register vcpus during resume. > >> > >> Right, that sounds like it should work. > >> > > You mean soft reset or re-register vcpu? > > > Doing something along the lines of a soft reset. It should allow you to re-register. Not sure how you can use it without Xen changes though. > No not without xen changes. It won't work. I will have xen changes in place to test that on our infrastructure. -- Anchal > > > -boris >
On 6/3/21 7:27 PM, Anchal Agarwal wrote: > On Thu, Jun 03, 2021 at 04:11:46PM -0400, Boris Ostrovsky wrote: > >> But if KASLR is on then this comparison not failing should cause xen_vcpu pointer in the loaded image to become bogus because xen_vcpu is now registered for a different xen_vcpu_info address during boot. >> > The reason for that I think is once you jump into the image that information is > getting lost. But there is some residue somewhere that's causing the resume to > fail. I haven't been able to pinpoint the exact field value that may be causing > that issue. xen_vcpu now points to address which is not where the hypervisor thinks vcpu_info should be. > Correct me if I am wrong here, but even if hypothetically I put a hack to tell the kernel > somehow re-register vcpu it won't pass because there is no hypercall to > unregister it in first place? Right. You will be shown the door in map_vcpu_info(): if ( !mfn_eq(v->vcpu_info_mfn, INVALID_MFN) ) return -EINVAL; > Can the resumed kernel use the new values in that > case [Now this is me just throwing wild guesses!!] I don't think so --- hypervisor is now pointing to a random location in your image. -boris
Hello, This series fixes PM hibernation for hvm guests running on xen hypervisor. The running guest could now be hibernated and resumed successfully at a later time. The fixes for PM hibernation are added to block and network device drivers i.e xen-blkfront and xen-netfront. Any other driver that needs to add S4 support if not already, can follow same method of introducing freeze/thaw/restore callbacks. The patches had been tested against upstream kernel and xen4.11. Large scale testing is also done on Xen based Amazon EC2 instances. All this testing involved running memory exhausting workload in the background. Doing guest hibernation does not involve any support from hypervisor and this way guest has complete control over its state. Infrastructure restrictions for saving up guest state can be overcome by guest initiated hibernation. These patches were send out as RFC before and all the feedback had been incorporated in the patches. The last v1 & v2 could be found here: [v1]: https://lkml.org/lkml/2020/5/19/1312 [v2]: https://lkml.org/lkml/2020/7/2/995 All comments and feedback from v2 had been incorporated in v3 series. Known issues: 1.KASLR causes intermittent hibernation failures. VM fails to resumes and has to be restarted. I will investigate this issue separately and shouldn't be a blocker for this patch series. 2. During hibernation, I observed sometimes that freezing of tasks fails due to busy XFS workqueuei[xfs-cil/xfs-sync]. This is also intermittent may be 1 out of 200 runs and hibernation is aborted in this case. Re-trying hibernation may work. Also, this is a known issue with hibernation and some filesystems like XFS has been discussed by the community for years with not an effectve resolution at this point. Testing How to: --------------- 1. Setup xen hypervisor on a physical machine[ I used Ubuntu 16.04 +upstream xen-4.11] 2. Bring up a HVM guest w/t kernel compiled with hibernation patches [I used ubuntu18.04 netboot bionic images and also Amazon Linux on-prem images]. 3. Create a swap file size=RAM size 4. Update grub parameters and reboot 5. Trigger pm-hibernation from within the VM Example: Set up a file-backed swap space. Swap file size>=Total memory on the system sudo dd if=/dev/zero of=/swap bs=$(( 1024 * 1024 )) count=4096 # 4096MiB sudo chmod 600 /swap sudo mkswap /swap sudo swapon /swap Update resume device/resume offset in grub if using swap file: resume=/dev/xvda1 resume_offset=200704 no_console_suspend=1 Execute: -------- sudo pm-hibernate OR echo disk > /sys/power/state && echo reboot > /sys/power/disk Compute resume offset code: " #!/usr/bin/env python import sys import array import fcntl #swap file f = open(sys.argv[1], 'r') buf = array.array('L', [0]) #FIBMAP ret = fcntl.ioctl(f.fileno(), 0x01, buf) print buf[0] " Aleksei Besogonov (1): PM / hibernate: update the resume offset on SNAPSHOT_SET_SWAP_AREA Anchal Agarwal (4): x86/xen: Introduce new function to map HYPERVISOR_shared_info on Resume x86/xen: save and restore steal clock during PM hibernation xen: Introduce wrapper for save/restore sched clock offset xen: Update sched clock offset to avoid system instability in hibernation Munehisa Kamata (5): xen/manage: keep track of the on-going suspend mode xenbus: add freeze/thaw/restore callbacks support x86/xen: add system core suspend and resume callbacks xen-blkfront: add callbacks for PM suspend and hibernation xen-netfront: add callbacks for PM suspend and hibernation Thomas Gleixner (1): genirq: Shutdown irq chips in suspend/resume during hibernation arch/x86/xen/enlighten_hvm.c | 7 +++ arch/x86/xen/suspend.c | 63 ++++++++++++++++++++ arch/x86/xen/time.c | 15 ++++- arch/x86/xen/xen-ops.h | 3 + drivers/block/xen-blkfront.c | 122 ++++++++++++++++++++++++++++++++++++-- drivers/net/xen-netfront.c | 96 +++++++++++++++++++++++++++++- drivers/xen/events/events_base.c | 1 + drivers/xen/manage.c | 46 ++++++++++++++ drivers/xen/xenbus/xenbus_probe.c | 96 +++++++++++++++++++++++++----- include/linux/irq.h | 2 + include/xen/xen-ops.h | 3 + include/xen/xenbus.h | 3 + kernel/irq/chip.c | 2 +- kernel/irq/internals.h | 1 + kernel/irq/pm.c | 31 +++++++--- kernel/power/user.c | 7 ++- 16 files changed, 464 insertions(+), 34 deletions(-)