On Wed, Apr 02, 2025 at 10:36:21PM +0200, David Hildenbrand wrote:
> If we find a vq without a name in our input array in
> virtio_ccw_find_vqs(), we treat it as "non-existing" and set the vq pointer
> to NULL; we will not call virtio_ccw_setup_vq() to allocate/setup a vq.
> 
> Consequently, we create a queue only if it actually exists (name != NULL)
> and assign an incremental queue index to each such existing queue.
> 
> However, in virtio_ccw_register_adapter_ind()->get_airq_indicator() we
> will not ignore these "non-existing queues", but instead assign an airq
> indicator to them.
> 
> Besides never releasing them in virtio_ccw_drop_indicators() (because
> there is no virtqueue), the bigger issue seems to be that there will be a
> disagreement between the device and the Linux guest about the airq
> indicator to be used for notifying a queue, because the indicator bit
> for adapter I/O interrupt is derived from the queue index.
> 
> The virtio spec states under "Setting Up Two-Stage Queue Indicators":
> 
>       ... indicator contains the guest address of an area wherein the
>       indicators for the devices are contained, starting at bit_nr, one
>       bit per virtqueue of the device.
> 
> And further in "Notification via Adapter I/O Interrupts":
> 
>       For notifying the driver of virtqueue buffers, the device sets the
>       bit in the guest-provided indicator area at the corresponding
>       offset.
> 
> For example, QEMU uses in virtio_ccw_notify() the queue index (passed as
> "vector") to select the relevant indicator bit. If a queue does not exist,
> it does not have a corresponding indicator bit assigned, because it
> effectively doesn't have a queue index.
> 
> Using a virtio-balloon-ccw device under QEMU with free-page-hinting
> disabled ("free-page-hint=off") but free-page-reporting enabled
> ("free-page-reporting=on") will result in free page reporting
> not working as expected: in the virtio_balloon driver, we'll be stuck
> forever in virtballoon_free_page_report()->wait_event(), because the
> waitqueue will not be woken up as the notification from the device is
> lost: it would use the wrong indicator bit.
> 
> Free page reporting stops working and we get splats (when configured to
> detect hung wqs) like:
> 
>  INFO: task kworker/1:3:463 blocked for more than 61 seconds.
>        Not tainted 6.14.0 #4
>  "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>  task:kworker/1:3 [...]
>  Workqueue: events page_reporting_process
>  Call Trace:
>   [<000002f404e6dfb2>] __schedule+0x402/0x1640
>   [<000002f404e6f22e>] schedule+0x3e/0xe0
>   [<000002f3846a88fa>] virtballoon_free_page_report+0xaa/0x110 [virtio_balloon]
>   [<000002f40435c8a4>] page_reporting_process+0x2e4/0x740
>   [<000002f403fd3ee2>] process_one_work+0x1c2/0x400
>   [<000002f403fd4b96>] worker_thread+0x296/0x420
>   [<000002f403fe10b4>] kthread+0x124/0x290
>   [<000002f403f4e0dc>] __ret_from_fork+0x3c/0x60
>   [<000002f404e77272>] ret_from_fork+0xa/0x38
> 
> There was recently a discussion [1] whether the "holes" should be
> treated differently again, effectively assigning also non-existing
> queues a queue index: that should also fix the issue, but requires other
> workarounds to not break existing setups.
> 
> Let's fix it without affecting existing setups for now by properly ignoring
> the non-existing queues, so the indicator bits will match the queue
> indexes.
> 
> [1] https://lore.kernel.org/all/[email protected]/
> 
> Fixes: a229989d975e ("virtio: don't allocate vqs when names[i] = NULL")
> Reported-by: Chandra Merla <[email protected]>
> Cc: <[email protected]>
> Cc: Cornelia Huck <[email protected]>
> Cc: Thomas Huth <[email protected]>
> Cc: Halil Pasic <[email protected]>
> Cc: Eric Farman <[email protected]>
> Cc: Heiko Carstens <[email protected]>
> Cc: Vasily Gorbik <[email protected]>
> Cc: Alexander Gordeev <[email protected]>
> Cc: Christian Borntraeger <[email protected]>
> Cc: Sven Schnelle <[email protected]>
> Cc: "Michael S. Tsirkin" <[email protected]>
> Cc: Wei Wang <[email protected]>
> Signed-off-by: David Hildenbrand <[email protected]>

Acked-by: Michael S. Tsirkin <[email protected]>


Feel free to merge.

> ---
>  drivers/s390/virtio/virtio_ccw.c | 16 ++++++++++++----
>  1 file changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/s390/virtio/virtio_ccw.c 
> b/drivers/s390/virtio/virtio_ccw.c
> index 21fa7ac849e5c..4904b831c0a75 100644
> --- a/drivers/s390/virtio/virtio_ccw.c
> +++ b/drivers/s390/virtio/virtio_ccw.c
> @@ -302,11 +302,17 @@ static struct airq_info *new_airq_info(int index)
>  static unsigned long *get_airq_indicator(struct virtqueue *vqs[], int nvqs,
>                                        u64 *first, void **airq_info)
>  {
> -     int i, j;
> +     int i, j, queue_idx, highest_queue_idx = -1;
>       struct airq_info *info;
>       unsigned long *indicator_addr = NULL;
>       unsigned long bit, flags;
>  
> +     /* Array entries without an actual queue pointer must be ignored. */
> +     for (i = 0; i < nvqs; i++) {
> +             if (vqs[i])
> +                     highest_queue_idx++;
> +     }
> +
>       for (i = 0; i < MAX_AIRQ_AREAS && !indicator_addr; i++) {
>               mutex_lock(&airq_areas_lock);
>               if (!airq_areas[i])
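Review bot: if every entry of vqs[] is NULL, the counting loop leaves highest_queue_idx at -1 and the allocation later in this function asks airq_iv_alloc() for highest_queue_idx + 1 == 0 bits; an early return (or a WARN_ON) when no queue exists at all would make that case explicit rather than relying on what a zero-sized allocation happens to do. Counting existing queues directly into a nr_vqs variable would also avoid carrying the -1 start value here and the "+ 1" at the call site.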
> @@ -316,7 +322,7 @@ static unsigned long *get_airq_indicator(struct virtqueue 
> *vqs[], int nvqs,
>               if (!info)
>                       return NULL;
>               write_lock_irqsave(&info->lock, flags);
> -             bit = airq_iv_alloc(info->aiv, nvqs);
> +             bit = airq_iv_alloc(info->aiv, highest_queue_idx + 1);
>               if (bit == -1UL) {
>                       /* Not enough vacancies. */
>                       write_unlock_irqrestore(&info->lock, flags);
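Review bot: replacing nvqs with highest_queue_idx + 1 in the airq_iv_alloc() call is the core of the fix, but the reason nvqs is wrong here (it counts NULL holes that never received a queue index in virtio_ccw_find_vqs()) lives only in the commit message; a one-line comment at the call, e.g. `/* nvqs includes NULL holes; allocate bits for real queues only */`, would keep that rationale next to the code.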
> @@ -325,8 +331,10 @@ static unsigned long *get_airq_indicator(struct 
> virtqueue *vqs[], int nvqs,
>               *first = bit;
>               *airq_info = info;
>               indicator_addr = info->aiv->vector;
> -             for (j = 0; j < nvqs; j++) {
> -                     airq_iv_set_ptr(info->aiv, bit + j,
> +             for (j = 0, queue_idx = 0; j < nvqs; j++) {
> +                     if (!vqs[j])
> +                             continue;
> +                     airq_iv_set_ptr(info->aiv, bit + queue_idx++,
>                                       (unsigned long)vqs[j]);
>               }
>               write_unlock_irqrestore(&info->lock, flags);
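Review bot: the `queue_idx++` loop now gives each existing queue the bit `bit + <compacted index>`, which has to match the index order virtio_ccw_find_vqs() assigns because the device derives the indicator bit from that queue index; a comment stating that invariant would help the next reader. It is also worth confirming that virtio_ccw_drop_indicators(), which the commit message says walks the virtqueues, frees exactly the highest_queue_idx + 1 bits allocated here so the allocate and release counts cannot drift apart.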
> -- 
> 2.48.1
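As an added illustration (not code from the patch or from the kernel), the following C model computes the indicator bit that the device and the guest each use for one entry of the vqs[] array, before and after the fix described above. The balloon queue order and the value of `first` are assumptions made for the example.

```c
#include <stddef.h>

/* Constructed model of the vqs[] array seen by get_airq_indicator(): non-NULL
 * is a queue from virtio_ccw_find_vqs(), NULL a hole with no queue index. */
struct vq { const char *name; };

/* Device side, per the commit message's account of QEMU's virtio_ccw_notify():
 * bit = first + queue index, and only existing queues have an index. */
int device_bit(struct vq *vqs[], int nvqs, int entry, unsigned long first)
{
    int idx = 0;
    if (entry >= nvqs || !vqs[entry])
        return -1;               /* a hole has no bit at all */
    for (int i = 0; i < entry; i++)
        idx += vqs[i] != NULL;
    return (int)(first + idx);
}

/* Guest before the patch: bit = first + array position, holes included. */
int guest_bit_old(struct vq *vqs[], int nvqs, int entry, unsigned long first)
{
    return (entry >= nvqs || !vqs[entry]) ? -1 : (int)(first + entry);
}

/* Guest after the patch: holes are skipped and a compacted queue_idx is
 * used, mirroring the queue_idx++ loop of the third hunk. */
int guest_bit_new(struct vq *vqs[], int nvqs, int entry, unsigned long first)
{
    int queue_idx = 0;
    if (entry >= nvqs || !vqs[entry])
        return -1;
    for (int j = 0; j < entry; j++)
        if (vqs[j])
            queue_idx++;
    return (int)(first + queue_idx);
}

/* Constructed balloon layout (assumed order: inflate, deflate, stats,
 * free_page_hint, reporting); free-page-hint=off leaves entry 3 NULL. */
static struct vq inflate = {"inflate"}, deflate = {"deflate"},
                 stats = {"stats"}, reporting = {"reporting"};
struct vq *balloon_vqs[5] = { &inflate, &deflate, &stats, NULL, &reporting };
```

With `first` = 8, the reporting queue (entry 4) gets bit 12 from the old guest code but the device signals bit 11, which is the lost wake-up the commit message describes; the patched guest code also arrives at 11.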