Re: Should arm64 have a custom crash shutdown handler?

[Mark Rutland]

On Thu, May 05, 2022 at 03:52:24PM +0200, Vitaly Kuznetsov wrote:
> "Guilherme G. Piccoli" <gpiccoli@xxxxxxxxxx> writes:
> 
> > On 05/05/2022 09:53, Mark Rutland wrote:
> >> [...]
> >> Looking at those, the cleanup work is all arch-specific. What exactly would we
> >> need to do on arm64, and why does it need to happen at that point specifically?
> >> On arm64 we don't expect as much paravirtualization as on x86, so it's not
> >> clear to me whether we need anything at all.
> >> 
> >>> Anyway, the idea here was to gather a feedback on how "receptive" arm64
> >>> community would be to allow such customization, appreciated your feedback =)
> >> 
> >> ... and are you trying to do this for Hyper-V or just using that as an example?
> >> 
> >> I think we're not going to be very receptive without a more concrete example of
> >> what you want.
> >> 
> >> What exactly do *you* need, and *why*? Is that for Hyper-V or another hypervisor?
> >> 
> >> Thanks
> >> Mark.
> >
> > Hi Mark, my plan would be doing that for Hyper-V - kind of the same
> > code, almost. For example, in hv_crash_handler() there is a stimer
> > clean-up and the vmbus unload - my understanding is that this same code
> > would need to run in arm64. Michael Kelley is CCed, he was discussing
> > with me in the panic notifiers thread and may elaborate more on the needs.
> >
> > But also (not related with my specific plan), I've seen KVM quiesce code
> > on x86 as well [see kvm_crash_shutdown() on arch/x86] , I'm not sure if
> > this is necessary for arm64 or if this already executing in some
> > abstracted form, I didn't dig deep - probably Vitaly is aware of that,
> > hence I've CCed him here.
> 
> Speaking about the difference between reboot notifiers call chain and
> machine_ops.crash_shutdown for KVM/x86, the main difference is that
> reboot notifier is called on some CPU while the VM is fully functional,
> this way we may e.g. still use IPIs (see kvm_pv_reboot_notify() doing
> on_each_cpu()). When we're in a crash situation,
> machine_ops.crash_shutdown is called on the CPU which crashed. We can't
> count on IPIs still being functional so we do the very basic minimum so
> *this* CPU can boot kdump kernel. There's no guarantee other CPUs can
> still boot but normally we do kdump with 'nprocs=1'.

Sure; IIUC the IPI problem doesn't apply to arm64, though, since that doesn't
use a PV mechanism (and practically speaking will either be GICv2 or GICv3).

> For Hyper-V, the situation is similar: hv_crash_handler() intitiates
> VMbus unload on the crashing CPU only, there's no mechanism to do
> 'global' unload so other CPUs will likely not be able to connect Vmbus
> devices in kdump kernel but this should not be necessary.

Given kdump is best-effort (and we can't rely on secondary CPUs even making it
into the kdump kernel), I also don't think that should be necessary.

> There's a crash_kexec_post_notifiers mechanism which can be used instead
> but it's disabled by default so using machine_ops.crash_shutdown is
> better.

Another option is to defer this to the kdump kernel. On arm64 at least, we know
if we're in a kdump kernel early on, and can reset some state based upon that.

Looking at x86's hyperv_cleanup(), everything relevant to arm64 can be deferred
to just before the kdump kernel detects and initializes anything relating to
hyperv. So AFAICT we could have hyperv_init() check is_kdump_kernel() prior to
the first hypercall, and do the cleanup/reset there.

Maybe we need more data for the vmbus bits? ... if so it seems that could blow
up anyway when the first kernel was tearing down.

Thanks,
Mark.