2126623 – [QEMU7.1] Guest kernel panic with Call Trace with intel-iommu irq remapping enabled and more than 8 vCPUs

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2126623 - [QEMU7.1] Guest kernel panic with Call Trace with intel-iommu irq remapping enabled and more than 8 vCPUs

Summary: [QEMU7.1] Guest kernel panic with Call Trace with intel-iommu irq remapping ...

Keywords:
Status:	CLOSED DUPLICATE of bug 2126095
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	9.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Peter Xu
QA Contact:	jinl
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-09-14 07:17 UTC by liunana
Modified:	2022-09-23 10:35 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-09-22 08:54:30 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-133893	0	None	None	None	2022-09-14 07:18:44 UTC

Description liunana 2022-09-14 07:17:07 UTC

Description of problem:
Guest kernel panic while rebooting after hotplug/unplug cpu


Version-Release number of selected component (if applicable):
    Host: 
        dell-per750-22.lab.eng.pek2.redhat.com
        5.14.0-162.el9.x86_64
        qemu-kvm-7.1.0-1.el9.x86_64
   Guest:   5.14.0-162.el9.x86_64


How reproducible: 6/6


Steps to Reproduce:
1. Boot vm with "-smp 1,maxcpus=24,cores=24,threads=1,dies=1,sockets=1 "

2. Hotplug all vCPU devices
{'execute': 'device_add', 'arguments': OrderedDict([('id', 'vcpu1'), ('driver', 'Icelake-Server-x86_64-cpu'), ('socket-id', 0), ('die-id', 0), ('core-id', 1), ('thread-id', 0)]), 'id': '7Bjj2TzR'}

3. Reboot guest


Guest kernel panic with Call Trace:
2022-09-13 10:40:25: [    2.613580] fbcon: bochs-drmdrmfb (fb0) is primary device
2022-09-13 10:40:25: [    2.616248] Console: switching to colour frame buffer device 160x50
2022-09-13 10:40:25: [    2.620359] bochs-drm 0000:00:02.0: [drm] fb0: bochs-drmdrmfb frame buffer device
2022-09-13 10:40:26: [    2.898303] ata1: SATA link down (SStatus 0 SControl 300)
2022-09-13 10:40:26: [    2.899050] ata5: SATA link down (SStatus 0 SControl 300)
2022-09-13 10:40:26: [    2.906331] ata2: SATA link down (SStatus 0 SControl 300)
2022-09-13 10:40:26: [    2.907063] ata6: SATA link down (SStatus 0 SControl 300)
2022-09-13 10:40:26: [    2.907796] ata3: SATA link down (SStatus 0 SControl 300)
2022-09-13 10:40:26: [    2.908510] ata4: SATA link down (SStatus 0 SControl 300)
2022-09-13 10:42:25: [[0;1;31mFAILED[0m] Failed to start [0;1;39mWait for uomplete Device Initialization[0m.
2022-09-13 10:42:25: See 'systemctl status systemd-udev-settle.service' for details.
2022-09-13 10:42:25:          Starting [0;1;39mDevice-Mapper Multipath Device Controller[0m...
2022-09-13 10:42:25: [[0;32m  OK  [0m] Started [0;1;39mDevice-Mapper Multipath Device Controller[0m.
2022-09-13 10:44:30: [  247.028702] INFO: task kworker/u48:2:135 blocked for more than 122 seconds.
2022-09-13 10:44:30: [  247.029484]       Not tainted 5.14.0-162.el9.x86_64 #1
2022-09-13 10:44:30: [  247.030049] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
2022-09-13 10:44:30: [  247.030889] task:kworker/u48:2   state:D stack:    0 pid:  135 ppid:     2 flags:0x00004000
2022-09-13 10:44:30: [  247.031785] Workqueue: events_unbound async_run_entry_fn
2022-09-13 10:44:30: [  247.032359] Call Trace:
2022-09-13 10:44:30: [  247.032627]  __schedule+0x206/0x580
2022-09-13 10:44:30: [  247.033040]  ? try_to_wake_up+0x1e5/0x550
2022-09-13 10:44:30: [  247.033475]  schedule+0x43/0xa0
2022-09-13 10:44:30: [  247.033827]  async_synchronize_cookie_domain+0xe4/0x120
2022-09-13 10:44:30: [  247.034384]  ? dequeue_task_stop+0x70/0x70
2022-09-13 10:44:30: [  247.034837]  async_port_probe+0x48/0x70 [libata]
2022-09-13 10:44:30: [  247.035353]  async_run_entry_fn+0x2d/0x130
2022-09-13 10:44:30: [  247.036291]  process_one_work+0x1e5/0x3c0
2022-09-13 10:44:30: [  247.037205]  worker_thread+0x50/0x3b0
2022-09-13 10:44:30: [  247.038070]  ? rescuer_thread+0x380/0x380
2022-09-13 10:44:30: [  247.038942]  kthread+0x146/0x170
2022-09-13 10:44:30: [  247.039692]  ? set_kthread_struct+0x50/0x50
2022-09-13 10:44:30: [  247.040534]  ret_from_fork+0x1f/0x30
2022-09-13 10:44:30: [  247.041395] INFO: task kworker/u48:3:136 blocked for more than 122 seconds.
2022-09-13 10:44:30: [  247.042611]       Not tainted 5.14.0-162.el9.x86_64 #1

Expected results:
Guest reboot successfully without error.

Additional info:
[1] Can't reproduce this issue with qemu-kvm-7.0.0-12.el9, mark this as regression.
  
[Full guest kernel log]
http://fileshare.englab.nay.redhat.com/pub/logs/7003520/test-results/39-Host_RHEL.m9.u2.ovmf.qcow2.virtio_scsi.up.virtio_net.Guest.RHEL.9.2.0.x86_64.io-github-autotest-qemu.cpu_device_hotplug_maximum.offline_vcpu.max_core.q35/serial-serial0-avocado-vt-vm1.log

Comment 1 liunana 2022-09-15 03:00:59 UTC

Hi Igor,


Would you please help to take a look this bug?
Is this cause related to cpu hotplug?

Thanks a lot!


Best regards
Nana Liu

Comment 2 Igor Mammedov 2022-09-19 13:21:44 UTC

(In reply to liunana from comment #1)
> Hi Igor,
> 
> 
> Would you please help to take a look this bug?
> Is this cause related to cpu hotplug?

it could be or it could be something else.

Anyways BZ doesn't have enough info to reproduce,
you shall always provide used complete QEMU command line (all of it).

So far with seabios/q35 it works for me.


> 
> Thanks a lot!
> 
> 
> Best regards
> Nana Liu

Comment 3 liunana 2022-09-20 16:27:02 UTC

(In reply to Igor Mammedov from comment #2)
> (In reply to liunana from comment #1)
> > Hi Igor,
> > 
> > 
> > Would you please help to take a look this bug?
> > Is this cause related to cpu hotplug?
> 
> it could be or it could be something else.
> 
> Anyways BZ doesn't have enough info to reproduce,
> you shall always provide used complete QEMU command line (all of it).
> 
My apologies.

> So far with seabios/q35 it works for me.
> 
I can reproduce this issue both with a OVMF vm and a q35/seabios vm.

Test Env:
Host:
    5.14.0-163.el9.x86_64
    qemu-kvm-7.1.0-1.el9.x86_64
    edk2-ovmf-20220526git16779ede2d36-3.el9.noarch
    Model name:            Intel(R) Xeon(R) Silver 4310 CPU @ 2.10GHz
    dell-per750-05.lab.eng.pek2.redhat.com
Guest: 
    ovmf +  5.14.0-163.el9.x86_64
    q35/seabios + 5.14.0-162.2.1.el9.x86_64


[1] QEMU command line
/usr/libexec/qemu-kvm \
    -name 'avocado-vt-vm1'  \
    -sandbox on  \
    -blockdev node-name=file_ovmf_code,driver=file,filename=/usr/share/OVMF/OVMF_CODE.secboot.fd,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_ovmf_code,driver=raw,read-only=on,file=file_ovmf_code \
    -blockdev node-name=file_ovmf_vars,driver=file,filename=/home/kar/workspace/root/avocado/data/avocado-vt/avocado-vt-vm1_rhel920-64-virtio-scsi_qcow2_filesystem_VARS.fd,auto-read-only=on,discard=unmap \
    -blockdev node-name=drive_ovmf_vars,driver=raw,read-only=off,file=file_ovmf_vars \
    -machine q35,kernel-irqchip=split,memory-backend=mem-machine_mem,pflash0=drive_ovmf_code,pflash1=drive_ovmf_vars \
    -device pcie-root-port,id=pcie-root-port-0,multifunction=on,bus=pcie.0,addr=0x1,chassis=1 \
    -device pcie-pci-bridge,id=pcie-pci-bridge-0,addr=0x0,bus=pcie-root-port-0  \
    -nodefaults \
    -device intel-iommu,intremap=on,device-iotlb=on \
    -device VGA,bus=pcie.0,addr=0x2 \
    -m 14336 \
    -object memory-backend-ram,size=14336M,id=mem-machine_mem  \
    -smp 1,maxcpus=24,cores=1,threads=1,dies=1,sockets=24 \
    -cpu 'Icelake-Server',hle=off,rtm=off,kvm_pv_unhalt=on \
    -chardev socket,server=on,wait=off,path=/tmp/monitor-qmp,id=qmp_id_qmpmonitor1  \
    -mon chardev=qmp_id_qmpmonitor1,mode=control \
    -device pvpanic,ioport=0x505,id=idKkFI4J \
    -chardev socket,server=on,wait=off,path=/tmp/serial-serial0,id=chardev_serial0 \
    -device isa-serial,id=serial0,chardev=chardev_serial0  \
    -device pcie-root-port,id=pcie-root-port-1,port=0x1,addr=0x1.0x1,bus=pcie.0,chassis=2 \
    -device qemu-xhci,id=usb1,bus=pcie-root-port-1,addr=0x0 \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
    -device pcie-root-port,id=pcie-root-port-2,port=0x2,addr=0x1.0x2,bus=pcie.0,chassis=3 \
    -device virtio-scsi-pci,id=virtio_scsi_pci0,bus=pcie-root-port-2,addr=0x0 \
    -blockdev node-name=file_image1,driver=file,auto-read-only=on,discard=unmap,aio=threads,filename=/home/kvm_autotest_root/images/rhel920-64-virtio-scsi.qcow2,cache.direct=on,cache.no-flush=off \
    -blockdev node-name=drive_image1,driver=qcow2,read-only=off,cache.direct=on,cache.no-flush=off,file=file_image1 \
    -device scsi-hd,id=image1,drive=drive_image1,write-cache=on \
    -device pcie-root-port,id=pcie-root-port-3,port=0x3,addr=0x1.0x3,bus=pcie.0,chassis=4 \
    -device virtio-net-pci,mac=9a:6a:9c:ed:24:f7,id=idAduWDJ,netdev=idW7JxBY,bus=pcie-root-port-3,addr=0x0 \
    -netdev tap,id=idW7JxBY,vhost=on \
    -vnc :0  \
    -rtc base=utc,clock=host,driftfix=slew  \
    -boot menu=off,order=cdn,once=c,strict=off \
    -monitor stdio \


[2]
1. Can't recover vm with qemu command 'system_reset'. VM still is in panic status.

2. Can't reproduce this issue if I remove the IOMMU device '-device intel-iommu,intremap=on,device-iotlb=on'.

3. When booting ovmf vm with ' -smp 1,maxcpus=12,cores=1,threads=1,dies=1,sockets=12' to reproduce this issue, guest will keep loading at booting phase after rebooting and can't boot up successfully, but without Call Trace messages.

4. Full guest panic log please refer to Additional info --> [Full guest kernel log] in Description.


[3] Hotpulg vcpu scripts, execute command "./loop.sh 23"  (./loop.sh $number_vcpus)
# cat loop.sh 
#!/bin/sh
declare -i sockets=$1
echo -e "\nGenerate topolopy for vcpu hotplug $1 sockets! \n"
declare -i a=1

for i in `seq 0 $sockets`;do 
	if [ "$a" -eq "$sockets" ];then
                echo -e '\n{ "execute": "qmp_capabilities" }{ "execute": "device_add","arguments":{"driver":"Icelake-Server-x86_64-cpu","core-id": 0, "thread-id": 0, "socket-id": '$a', "die-id": 0,"id":"cpu'$a'"}}'
                echo '{ "execute": "qmp_capabilities" }{ "execute": "device_add","arguments":{"driver":"Icelake-Server-x86_64-cpu","core-id": 0, "thread-id": 0, "socket-id": '$a', "die-id": 0,"id":"cpu'$a'"}}' | nc -U /tmp/monitor-qmp
		exit 0
	fi

        echo -e "\nhotplug vcpu id : cpu$a"
        echo -e '{ "execute": "device_add","arguments":{"driver":"Icelake-Server-x86_64-cpu","core-id": 0, "thread-id": 0, "socket-id": '$a', "die-id": 0,"id":"cpu'$a'"}}'
        echo '{ "execute": "qmp_capabilities" }{ "execute": "device_add","arguments":{"driver":"Icelake-Server-x86_64-cpu","core-id": 0, "thread-id": 0, "socket-id": '$a', "die-id": 0,"id":"cpu'$a'"}}' | nc -U /tmp/monitor-qmp
	sleep 3
	a=$a+1
done
echo "topolopy generate done"


Could you please help to check this? 
Any unclear information please let me know, thanks for your time.


Best regards
Nana Liu

Comment 4 Igor Mammedov 2022-09-21 13:02:18 UTC

I sort of able to reproduce hang at boot time, simplified CLI
        -enable-kvm \
        -nodefaults \
	-m 4G \
	-M q35,kernel-irqchip=split \
       	-cpu Nehalem,hle=off,rtm=off,kvm_pv_unhalt=on \
       	-smp 9 \
       	-device intel-iommu,intremap=on \
	-serial file:/tmp/serial-serial0 \
	-drive if=virtio,file=rhel9.2.qcow2

i.e. it doesn't depend on CPU hotplug nor CPU model,
it seems that irq remapping is broken when guest is booted
with more than 8 vCPUs.

It's typically stuck at storage initialization or accessing it.

Host kernel:
5.14.0-162.el9.x86_64
guest kernel:
5.14.0-162.el9.x86_64

The same happens with RHEL8 host kernel:
4.18.0-415.el8.x86_64

On QEMU side (upstream) it bisects to:
commit 77250171bdc02aee1 (intel_iommu: Fix irqchip / X2APIC configuration checks)

It's IOMMU stuff and I'm not sure if it's kernel or QEMU to blame (CCing IOMMU folks),
Peter could you take over this BZ?

Comment 5 Peter Xu 2022-09-21 16:14:05 UTC

(In reply to Igor Mammedov from comment #4)
> On QEMU side (upstream) it bisects to:
> commit 77250171bdc02aee1 (intel_iommu: Fix irqchip / X2APIC configuration
> checks)
> 
> It's IOMMU stuff and I'm not sure if it's kernel or QEMU to blame (CCing
> IOMMU folks),
> Peter could you take over this BZ?

Thanks for digging into it, Igor.

I think 77250171bdc02aee1 is probably wrong in that it skipped calling kvm_enable_x2apic() even if intr_eim==ON, so no matter whether n_vcpus>255 we need to enable x2apic in KVM, afaict.  It means we'll declare EIM capability everywhere (e.g. in VT-d ECAP register) but KVM didn't really enable EIM at all.  It doesn't really sound correct.

For example, if we attach eim=off to the intel-iommu cmdline it'll start to work for 9-255 vcpus again for me.

I'll post a patch shortly to partly revert the patch.

Comment 6 Peter Xu 2022-09-21 18:10:16 UTC

https://lore.kernel.org/qemu-devel/20220921161227.57259-1-peterx@redhat.com/T/#u

Comment 7 CongLi 2022-09-22 08:54:30 UTC


*** This bug has been marked as a duplicate of bug 2126095 ***

Note You need to log in before you can comment on or make changes to this bug.