Re: [PATCH net-next 0/5] Expose grace period delay for devlink health reporter

From: Tariq Toukan
Date: Thu Jul 24 2025 - 06:46:43 EST

Next message: Hardevsinh Palaniya: "[PATCH v5 0/2] media: i2c: Add ov2735 camera sensor driver"
Previous message: Maciej Wieczor-Retman: "[RESEND PATCH v3] x86: Clear feature bits disabled at compile-time"
Next in thread: Jakub Kicinski: "Re: [PATCH net-next 0/5] Expose grace period delay for devlink health reporter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 19/07/2025 3:47, Jakub Kicinski wrote:

On Thu, 17 Jul 2025 19:07:17 +0300 Tariq Toukan wrote:

Currently, the devlink health reporter initiates the grace period
immediately after recovering an error, which blocks further recovery
attempts until the grace period concludes. Since additional errors
are not generally expected during this short interval, any new error
reported during the grace period is not only rejected but also causes
the reporter to enter an error state that requires manual intervention.

This approach poses a problem in scenarios where a single root cause
triggers multiple related errors in quick succession - for example,
a PCI issue affecting multiple hardware queues. Because these errors
are closely related and occur rapidly, it is more effective to handle
them together rather than handling only the first one reported and
blocking any subsequent recovery attempts. Furthermore, setting the
reporter to an error state in this context can be misleading, as these
multiple errors are manifestations of a single underlying issue, making
it unlike the general case where additional errors are not expected
during the grace period.

To resolve this, introduce a configurable grace period delay attribute
to the devlink health reporter. This delay starts when the first error
is recovered and lasts for a user-defined duration. Once this grace
period delay expires, the actual grace period begins. After the grace
period ends, a new reported error will start the same flow again.

Timeline summary:

----|--------|------------------------------/----------------------/--
error is error is grace period delay grace period
reported recovered (recoveries allowed) (recoveries blocked)

With grace period delay, create a time window during which recovery
attempts are permitted, allowing all reported errors to be handled
sequentially before the grace period starts. Once the grace period
begins, it prevents any further error recoveries until it ends.

We are rate limiting recoveries, the "networking solution" to the
problem you're describing would be to introduce a burst size.
Some kind of poor man's token bucket filter.

Could you say more about what designs were considered and why this
one was chosen?

Please see below.
If no more comments, I'll add the below to the cover letter and re-spin.

Regards,
Tariq

Design alternatives considered:

1. Recover all queues upon any error:
A brute-force approach that recovers all queues on any error.
While simple, it is overly aggressive and disrupts unaffected queues
unnecessarily. Also, because this is handled entirely within the
driver, it leads to a driver-specific implementation rather than a
generic one.

2. Per-queue reporter:
This design would isolate recovery handling per SQ or RQ, effectively
removing interdependencies between queues. While conceptually clean,
it introduces significant scalability challenges as the number of
queues grows, as well as synchronization challenges across multiple
reporters.

3. Error aggregation with delayed handling:
Errors arriving during the grace period are saved and processed after
it ends. While addressing the issue of related errors whose recovery
is aborted as grace period started, this adds complexity due to
synchronization needs and contradicts the assumption that no errors
should occur during a healthy system’s grace period. Also, this
breaks the important role of grace period in preventing an infinite
loop of immediate error detection following recovery. In such cases
we want to stop.

4. Allowing a fixed burst of errors before starting grace period:
Allows a set number of recoveries before the grace period begins.
However, it also requires limiting the error reporting window.
To keep the design simple, the burst threshold becomes redundant.

The grace period delay design was chosen for its simplicity and
precision in addressing the problem at hand. It effectively captures
the temporal correlation of related errors and aligns with the original
intent of the grace period as a stabilization window where further
errors are unexpected, and if they do occur, they indicate an abnormal
system state.

Next message: Hardevsinh Palaniya: "[PATCH v5 0/2] media: i2c: Add ov2735 camera sensor driver"
Previous message: Maciej Wieczor-Retman: "[RESEND PATCH v3] x86: Clear feature bits disabled at compile-time"
Next in thread: Jakub Kicinski: "Re: [PATCH net-next 0/5] Expose grace period delay for devlink health reporter"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]