Details

Reviewers

jhb
mav
kib

Commits

rG94df301ac27e: Wait longer for a previous IPI to be sent
rG2f32a971b7f9: Wait longer for a previous IPI to be sent

Summary

When sending an IPI, if a previous IPI is still pending delivery,
native_lapic_ipi_vectored() waits for the previous IPI to be sent.
We've seen a few inexplicable panics with the current timeout of 50 ms.
Increase the timeout to 1 second and make it tunable.

No hardware specification mentions a timeout in this case; I checked
the Intel SDM, Intel MP spec, and Intel x2APIC spec. Linux and illumos
wait forever. In Linux, see __default_send_IPI_shortcut() in
arch/x86/kernel/apic/ipi.c. In illumos, see apic_send_ipi() in
usr/src/uts/i86pc/io/pcplusmp/apic_common.c. However, misbehaving hardware
could hang the system if we wait forever.

MFC after: 1 week
Sponsored by: Dell EMC Isilon

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

vangyzen created this revision.Apr 22 2021, 10:46 PM

Herald added subscribers: dab, badger, imp. · View Herald TranscriptApr 22 2021, 10:46 PM

vangyzen requested review of this revision.Apr 22 2021, 10:46 PM

Harbormaster completed remote builds in B38822: Diff 88020.Apr 22 2021, 10:46 PM

I don't have specific objections. I can't recall I ever saw this panic and not sure how the interrupt delivery can take more that 50ms. But it reminds me that we do have spinlock timeout, which is also not required. Do you see any benefits from this comparing to just increasing the timeout back to 1s as it was before f418f79ce299 to keep ability to debug misbehaving hardware?

On one hand I agree that hardware might need some time to recover from previous send. On the other hand, you already mentioned that the patch effectively changes the mode of reporting of faulty hardware from some visible panic to silent hang. Perhaps it would triple some 'spinlock held too long' panic later. Why do you think it would be useful for your situation?

That said, why don't you use x2APIC mode?

IMO you should change the hardcoded constant into the sysctl/tunable controlled variable.

In D29942#671819, @mav wrote:

I don't have specific objections. I can't recall I ever saw this panic and not sure how the interrupt delivery can take more that 50ms. But it reminds me that we do have spinlock timeout, which is also not required. Do you see any benefits from this comparing to just increasing the timeout back to 1s as it was before f418f79ce299 to keep ability to debug misbehaving hardware?

In D29942#671908, @kib wrote:

On one hand I agree that hardware might need some time to recover from previous send. On the other hand, you already mentioned that the patch effectively changes the mode of reporting of faulty hardware from some visible panic to silent hang. Perhaps it would triple some 'spinlock held too long' panic later. Why do you think it would be useful for your situation?

That said, why don't you use x2APIC mode?

IMO you should change the hardcoded constant into the sysctl/tunable controlled variable.

I'll add the sysctl/tunable and increase the default to 1s.

Since the most popular bare-metal Unix doesn't have a timeout, misbehaving hardware must not be very common. However, a long, tunable timeout is a perfectly reasonable hedge.

We do use x2APIC on recent platforms, but we still hit this rare panic on older generations.

add sysctl/tunable and wait 1s by default

Harbormaster completed remote builds in B38868: Diff 88176.Apr 26 2021, 3:09 PM

vangyzen retitled this revision from Wait forever for a previous IPI to be sent to Wait longer for a previous IPI to be sent.Apr 26 2021, 3:12 PM

vangyzen edited the summary of this revision. (Show Details)

kib added inline comments.Apr 26 2021, 3:18 PM

sys/x86/x86/local_apic.c
217	It is not an IPI timeout. There is some frivolous naming of the internal variable, but for user it is definitely confusing. I think the name should be something like APIC ready timeout, and perhaps the description should mention that it is only for xAPIC.