Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp6058082rdb; Mon, 18 Sep 2023 02:51:37 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHTEFMvVvJv5KFviU7Wo+khBLiWguvPv3x035iuN02VKxqhT6DnnhfW8ssnlzXVYKwudHUa X-Received: by 2002:a05:6358:528e:b0:123:5664:e493 with SMTP id g14-20020a056358528e00b001235664e493mr12130759rwa.27.1695030697581; Mon, 18 Sep 2023 02:51:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695030697; cv=none; d=google.com; s=arc-20160816; b=MATjPdCcktjjSk3u9qnmZBwX4x3shP8dnDEZz5rVamxLhvcC+3Y+Gyr47cisgbjKjJ UWAv9/CyCfQX3yugJ9luQYnyOT/9Z3jkO5fNnLgWzzc+DKh+LpFUfvQBRNCWWUgaxp3W lx1Aheq26n19sAGPnMUBRTByid6TuC0NaqYxpWm5haG/eXa9GogWZVT2Cqh80mn16bnT eUxtjNfHKLDsj0PDFKOISX2HqSq/kxa1IRvIvXoJLDagU5ki/nhBAoRQDUlMO+WPDuct JcYzG1ZJw1atVTgoipd0Fd5Tp/NzQaCEO/uehE5aOjt9fz36FLzagbKvNggaqB3Bgkfe wrZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject:from :content-language:user-agent:mime-version:date:message-id; bh=UCJXDeqjGMbfnnRRqUZ4DRXfea8uNL1r5U3LNrwGuAg=; fh=X3w7G6zNPaDuZcNzPwXQfL+JxBcM4lXmBrOgebxbFb4=; b=I1/fTuX4RBaKYnOrLmw1qjDde5wkyYMqTpnYgTgmRoPGQOk4J0d/CIvGrUwb+2ImYC wStuYeCemmVw8pw43q++nUAqNkAIIUeZw+kEQ/7lH7QwWi+2LbBce954qxEhDhIA8+cU B7dHcZc5Vtx+9yj34vNWtBYVL90vdXhPiJhdTJFK393M07QwEo8I2hf1JtWlwFiTuysK jIXCuSfeH0RHxBYDWnJvIHJRzn3j2diI/1eKU7jtU9/7AAldSui0pPsQ2uQrAtIXFugG aUNzJICubz+9KtxJAbXCKNsZPbPCqWPT0x/kALrmQ/eTsSt5zfhfvAdfrN0DgiNmAZkS C2ZQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Return-Path: Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id f20-20020a631014000000b0054fdb18c877si7724408pgl.607.2023.09.18.02.51.37 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Sep 2023 02:51:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=alibaba.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 5E230806B05C; Mon, 18 Sep 2023 02:42:53 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241087AbjIRJmF (ORCPT + 99 others); Mon, 18 Sep 2023 05:42:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56890 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233492AbjIRJlh (ORCPT ); Mon, 18 Sep 2023 05:41:37 -0400 Received: from out30-100.freemail.mail.aliyun.com (out30-100.freemail.mail.aliyun.com [115.124.30.100]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0ABB7CCD; Mon, 18 Sep 2023 02:40:03 -0700 (PDT) X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R131e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046060;MF=xueshuai@linux.alibaba.com;NM=1;PH=DS;RN=14;SR=0;TI=SMTPD_---0VsKThJJ_1695029998; Received: from 30.240.112.49(mailfrom:xueshuai@linux.alibaba.com fp:SMTPD_---0VsKThJJ_1695029998) by smtp.aliyun-inc.com; Mon, 18 Sep 2023 17:40:00 +0800 Message-ID: Date: Mon, 18 Sep 2023 17:39:58 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.14.0 Content-Language: en-US From: Shuai Xue Subject: Questions: Should kernel panic when PCIe fatal error occurs? To: "lenb@kernel.org" , "james.morse@arm.com" , "Rafael J. Wysocki" , "bp@alien8.de" , mahesh@linux.ibm.com, bhelgaas@google.com, Jonathan Cameron , gregkh@linuxfoundation.org Cc: "linux-acpi@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "linuxppc-dev@lists.ozlabs.org" , Linux PCI , Shuai Xue , Baolin Wang Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,UNPARSEABLE_RELAY autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Mon, 18 Sep 2023 02:42:53 -0700 (PDT) Hi, all folks, Error reporting and recovery are one of the important features of PCIe, and the kernel has been supporting them since version 2.6, 17 years ago. I am very curious about the expected behavior of the software. I first recap the error classification and then list my questions bellow it. ## Recap: Error classification - Fatal Errors Fatal errors are uncorrectable error conditions which render the particular Link and related hardware unreliable. For Fatal errors, a reset of the components on the Link may be required to return to reliable operation. Platform handling of Fatal errors, and any efforts to limit the effects of these errors, is platform implementation specific. (PCIe 6.0.1, sec 6.2.2.2.1 Fatal Errors). - Non-Fatal Errors Non-fatal errors are uncorrectable errors which cause a particular transaction to be unreliable but the Link is otherwise fully functional. Isolating Non-fatal from Fatal errors provides Requester/Receiver logic in a device or system management software the opportunity to recover from the error without resetting the components on the Link and disturbing other transactions in progress. Devices not associated with the transaction in error are not impacted by the error. (PCIe 6.0.1, sec 6.2.2.2.1 Non-Fatal Errors). ## What the kernel do? The Linux kernel supports both the OS native and firmware first modes in AER and DPC drivers. The error recovery API is defined in `struct pci_error_handlers`, and the recovery process is performed in several stages in pcie_do_recovery(). One main difference in handling PCIe errors is that the kernel only resets the link when a fatal error is detected. ## Questions 1. Should kernel panic when fatal errors occur without AER recovery? IMHO, the answer is NO. The AER driver handles both fatal and non-fatal errors, and I have not found any panic changes in the recovery path in OS native mode. As far as I know, on many X86 platforms, struct `acpi_hest_generic_status::error_severity` is set as CPER_SEV_FATAL in firmware first mode. As a result, kernel will panic immediately in ghes_proc() when fatal AER errors occur, and there is no chance to handle the error and perform recovery in AER driver. For fatal and non-fatal errors, struct `acpi_hest_generic_status::error_severity` should as CPER_SEV_RECOVERABLE, and struct `acpi_hest_generic_data::error_severity` should reflect its real severity. Then, the kernel is equivalent to handling PCIe errors in Firmware first mode as it does in OS native mode. Please correct me if I am wrong. However, I have changed my mind on this issue as I encounter a case where a error propagation is detected due to fatal DLLP (Data Link Protocol Error) error. A DLLP error occurred in the Compute node, causing the node to panic because `struct acpi_hest_generic_status::error_severity` was set as CPER_SEV_FATAL. However, data corruption was still detected in the storage node by CRC. 2. Should kernel panic when AER recovery failed? This question is actually a TODO that was added when the AER driver was first upstreamed 17 years ago, and it is still relevant today. The kernel does not proactively panic regardless of the error types occurring in OS native mode. The DLLP error propagation case indicates that the kernel might should panic when recovery failed? 3. Should DPC be enabled by default to contain fatal and non-fatal error? According to the PCIe specification, DPC halts PCIe traffic below a Downstream Port after an unmasked uncorrectable error is detected at or below the Port, avoiding the potential spread of any data corruption. The kernel configures DPC to be triggered only on ERR_FATAL. Literally speaking, only fatal error have the potential spread of any data corruption? In addition, the AER Severity is programable by the Uncorrectable Error Severity Register (Offset 0Ch in PCIe AER cap). If a default fatal error, e.g. DLLP, set as non-fatal, DPC will not be triggered. Looking forward to any comments and reply :) Thank you. Best Regards, Shuai [1] https://github.com/torvalds/linux/commit/6c2b374d74857e892080ee726184ec1d15e7d4e4#diff-fea64904d30501b59d2e948189bbedc476fc270ed4c15e4ae29d7f0efd06771aR438