Re: [PATCH v2 3/5] KVM: irqfd: Postpone resamplefd notify for oneshot interrupts

[Marc Zyngier <maz@kernel.org>]

On Tue, 09 Aug 2022 21:45:25 +0100,
Eric Auger <eric.auger@redhat.com> wrote:
> 
> Hi Dmytro,
> 
> On 8/5/22 21:39, Dmytro Maluka wrote:
> > The existing KVM mechanism for forwarding of level-triggered interrupts
> > using resample eventfd doesn't work quite correctly in the case of
> > interrupts that are handled in a Linux guest as oneshot interrupts
> > (IRQF_ONESHOT). Such an interrupt is acked to the device in its
> > threaded irq handler, i.e. later than it is acked to the interrupt
> > controller (EOI at the end of hardirq), not earlier.
> >
> > Linux keeps such interrupt masked until its threaded handler finishes,
> > to prevent the EOI from re-asserting an unacknowledged interrupt.
> > However, with KVM + vfio (or whatever is listening on the resamplefd)
> > we don't check that the interrupt is still masked in the guest at the
> > moment of EOI. Resamplefd is notified regardless, so vfio prematurely
> > unmasks the host physical IRQ, thus a new (unwanted) physical interrupt
> > is generated in the host and queued for injection to the guest.
> >
> > The fact that the virtual IRQ is still masked doesn't prevent this new
> > physical IRQ from being propagated to the guest, because:
> >
> > 1. It is not guaranteed that the vIRQ will remain masked by the time
> >    when vfio signals the trigger eventfd.
> > 2. KVM marks this IRQ as pending (e.g. setting its bit in the virtual
> >    IRR register of IOAPIC on x86), so after the vIRQ is unmasked, this
> >    new pending interrupt is injected by KVM to the guest anyway.
> >
> > There are observed at least 2 user-visible issues caused by those
> > extra erroneous pending interrupts for oneshot irq in the guest:
> >
> > 1. System suspend aborted due to a pending wakeup interrupt from
> >    ChromeOS EC (drivers/platform/chrome/cros_ec.c).
> > 2. Annoying "invalid report id data" errors from ELAN0000 touchpad
> >    (drivers/input/mouse/elan_i2c_core.c), flooding the guest dmesg
> >    every time the touchpad is touched.
> >
> > This patch fixes the issue on x86 by checking if the interrupt is
> > unmasked when we receive irq ack (EOI) and, in case if it's masked,
> > postponing resamplefd notify until the guest unmasks it.
> >
> > It doesn't fix the issue for other archs yet, since it relies on KVM
> > irq mask notifiers functionality which currently works only on x86.
> > On other archs we can register mask notifiers but they are never called.
> > So on other archs resampler->masked is always false, so the behavior is
> > the same as before this patch.

The core issue seems that you would like to be able to retire a
interrupt from what has been queued into the guest by a previous
resampling (because the line has effectively dropped in the meantime).

On arm64, it would be easy enough to sample the pending state of the
physical line and adjust the state of the virtual interrupt
accordingly. This would at least have the advantage of preserving the
illusion of an interrupt being directly routed to the guest and its
pending state being preserved between EOI and unmask.

It isn't perfect either though as, assuming the guest can ack the
interrupt on the device without exiting, the line would still appear
as pending until the next exit, possibly the unmask.

	M.

-- 
Without deviation from the norm, progress is not possible.