Hi,
There is an issue with i915 on Xen PV (dom0). The end result is a lot of
glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
(this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
with "modesetting" driver.
After some iterations of debugging, we narrowed it down to i915 handling
caching. The main difference is that PAT is setup differently on Xen PV
than on native Linux. Normally, Linux does have appropriate abstraction
for that, but apparently something related to i915 doesn't play well
with it. The specific difference is:
native linux:
x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
xen pv:
x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
~~ ~~ ~~ ~~
The specific impact depends on kernel version and the hardware. The most
severe issues I see on >=ADL, but some older hardware is affected too -
sometimes only if composition is disabled in the window manager.
Some more information is collected at
https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
duplicates...).
Kind-of related commit is here:
https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
there too.
Any ideas?
The issue can be easily reproduced without Xen too, by adjusting PAT in
Linux:
-----8<-----
diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
index 66a209f7eb86..319ab60c8d8c 100644
--- a/arch/x86/mm/pat/memtype.c
+++ b/arch/x86/mm/pat/memtype.c
@@ -400,8 +400,8 @@ void pat_init(void)
* The reserved slots are unused, but mapped to their
* corresponding types in the presence of PAT errata.
*/
- pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
- PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
+ pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
+ PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
}
if (!pat_bp_initialized) {
-----8<-----
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
On 08/12/2022 1:55 pm, Marek Marczykowski-Górecki wrote:
> Hi,
>
> There is an issue with i915 on Xen PV (dom0). The end result is a lot of
> glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
> (this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
> with "modesetting" driver.
>
> After some iterations of debugging, we narrowed it down to i915 handling
> caching. The main difference is that PAT is setup differently on Xen PV
> than on native Linux. Normally, Linux does have appropriate abstraction
> for that, but apparently something related to i915 doesn't play well
> with it. The specific difference is:
> native linux:
> x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
> xen pv:
> x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
> ~~ ~~ ~~ ~~
>
> The specific impact depends on kernel version and the hardware. The most
> severe issues I see on >=ADL, but some older hardware is affected too -
> sometimes only if composition is disabled in the window manager.
> Some more information is collected at
> https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
> duplicates...).
>
> Kind-of related commit is here:
> https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
> replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
> i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
> there too.
>
> Any ideas?
>
> The issue can be easily reproduced without Xen too, by adjusting PAT in
> Linux:
> -----8<-----
> diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
> index 66a209f7eb86..319ab60c8d8c 100644
> --- a/arch/x86/mm/pat/memtype.c
> +++ b/arch/x86/mm/pat/memtype.c
> @@ -400,8 +400,8 @@ void pat_init(void)
> * The reserved slots are unused, but mapped to their
> * corresponding types in the presence of PAT errata.
> */
> - pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
> - PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
> + pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
> + PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
> }
>
> if (!pat_bp_initialized) {
> -----8<-----
>
Hello, can anyone help please?
Intel's CI has taken this reproducer of the bug, and confirmed the
regression.
https://lore.kernel.org/intel-gfx/Y5Hst0bCxQDTN7lK@mail-itl/T/#m4480c15a0d117dce6210562eb542875e757647fb
We're reasonably confident that it is an i915 bug (given the repro with
no Xen in the mix), but we're out of any further ideas.
Thanks,
~Andrew
On Fri, Dec 16, 2022 at 03:30:13PM +0000, Andrew Cooper wrote:
> On 08/12/2022 1:55 pm, Marek Marczykowski-Górecki wrote:
> > Hi,
> >
> > There is an issue with i915 on Xen PV (dom0). The end result is a lot of
> > glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
> > (this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
> > with "modesetting" driver.
> >
> > After some iterations of debugging, we narrowed it down to i915 handling
> > caching. The main difference is that PAT is setup differently on Xen PV
> > than on native Linux. Normally, Linux does have appropriate abstraction
> > for that, but apparently something related to i915 doesn't play well
> > with it. The specific difference is:
> > native linux:
> > x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
> > xen pv:
> > x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
> > ~~ ~~ ~~ ~~
> >
> > The specific impact depends on kernel version and the hardware. The most
> > severe issues I see on >=ADL, but some older hardware is affected too -
> > sometimes only if composition is disabled in the window manager.
> > Some more information is collected at
> > https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
> > duplicates...).
> >
> > Kind-of related commit is here:
> > https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
> > replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
> > i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
> > there too.
> >
> > Any ideas?
> >
> > The issue can be easily reproduced without Xen too, by adjusting PAT in
> > Linux:
> > -----8<-----
> > diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
> > index 66a209f7eb86..319ab60c8d8c 100644
> > --- a/arch/x86/mm/pat/memtype.c
> > +++ b/arch/x86/mm/pat/memtype.c
> > @@ -400,8 +400,8 @@ void pat_init(void)
> > * The reserved slots are unused, but mapped to their
> > * corresponding types in the presence of PAT errata.
> > */
> > - pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > - PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
> > + pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > + PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
> > }
> >
> > if (!pat_bp_initialized) {
> > -----8<-----
> >
>
> Hello, can anyone help please?
>
> Intel's CI has taken this reproducer of the bug, and confirmed the
> regression.
> https://lore.kernel.org/intel-gfx/Y5Hst0bCxQDTN7lK@mail-itl/T/#m4480c15a0d117dce6210562eb542875e757647fb
>
> We're reasonably confident that it is an i915 bug (given the repro with
> no Xen in the mix), but we're out of any further ideas.
I don't think we have any code that assumes anything about the PAT,
apart from WC being available (which seems like it should still be
the case with your modified PAT). I suppose you'll just have to
start digging from pgprot_writecombine()/noncached() and make sure
everything ends up using the correct PAT entry.
--
Ville Syrjälä
Intel
On Thu, Dec 22, 2022 at 10:29:57AM +0200, Ville Syrjälä wrote:
> On Fri, Dec 16, 2022 at 03:30:13PM +0000, Andrew Cooper wrote:
> > On 08/12/2022 1:55 pm, Marek Marczykowski-Górecki wrote:
> > > Hi,
> > >
> > > There is an issue with i915 on Xen PV (dom0). The end result is a lot of
> > > glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
> > > (this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
> > > with "modesetting" driver.
> > >
> > > After some iterations of debugging, we narrowed it down to i915 handling
> > > caching. The main difference is that PAT is setup differently on Xen PV
> > > than on native Linux. Normally, Linux does have appropriate abstraction
> > > for that, but apparently something related to i915 doesn't play well
> > > with it. The specific difference is:
> > > native linux:
> > > x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
> > > xen pv:
> > > x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
> > > ~~ ~~ ~~ ~~
> > >
> > > The specific impact depends on kernel version and the hardware. The most
> > > severe issues I see on >=ADL, but some older hardware is affected too -
> > > sometimes only if composition is disabled in the window manager.
> > > Some more information is collected at
> > > https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
> > > duplicates...).
> > >
> > > Kind-of related commit is here:
> > > https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
> > > replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
> > > i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
> > > there too.
> > >
> > > Any ideas?
> > >
> > > The issue can be easily reproduced without Xen too, by adjusting PAT in
> > > Linux:
> > > -----8<-----
> > > diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
> > > index 66a209f7eb86..319ab60c8d8c 100644
> > > --- a/arch/x86/mm/pat/memtype.c
> > > +++ b/arch/x86/mm/pat/memtype.c
> > > @@ -400,8 +400,8 @@ void pat_init(void)
> > > * The reserved slots are unused, but mapped to their
> > > * corresponding types in the presence of PAT errata.
> > > */
> > > - pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > - PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
> > > + pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > + PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
> > > }
> > >
> > > if (!pat_bp_initialized) {
> > > -----8<-----
> > >
> >
> > Hello, can anyone help please?
> >
> > Intel's CI has taken this reproducer of the bug, and confirmed the
> > regression.
> > https://lore.kernel.org/intel-gfx/Y5Hst0bCxQDTN7lK@mail-itl/T/#m4480c15a0d117dce6210562eb542875e757647fb
> >
> > We're reasonably confident that it is an i915 bug (given the repro with
> > no Xen in the mix), but we're out of any further ideas.
>
> I don't think we have any code that assumes anything about the PAT,
> apart from WC being available (which seems like it should still be
> the case with your modified PAT). I suppose you'll just have to
> start digging from pgprot_writecombine()/noncached() and make sure
> everything ends up using the correct PAT entry.
I tried several approach to this, without success. Here is an update on
debugging (reported also on #intel-gfx live):
I did several tests with different PAT configuration (by modifying Xen
that sets the MSR). Full table is at https://pad.itl.space/sheet/#/2/sheet/view/HD1qT2Zf44Ha36TJ3wj2YL+PchsTidyNTFepW5++ZKM/
Some highlights:
- 1=WC, 4=WT - good
- 1=WT, 4=WC - bad
- 1=WT, 3=WC (4=WC too) - good
- 1=WT, 5=WC - good
So, for me it seems WC at index 4 is problematic for some reason.
Next, I tried to trap all the places in arch/x86/xen/mmu_pv.c that
write PTEs and verify requested cache attributes. There, it seems all
the requested WC are properly translated (using either index 1, 3, 4, or
5 according to PAT settings). And then after reading PTE back, it indeed
seems to be correctly set. I didn't added reading back after
HYPERVISOR_update_va_mapping, but verified it isn't used for setting WC.
Using the same method, I also checked that indexes that aren't supposed
to be used (for example index 4 when both 3 and 4 are WC) indeed are not
used. So, the hypothesis that specific indexes are hardcoded somewhere
is unlikely.
This all looks very weird to me. Any ideas?
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
On Mon, Jan 02, 2023 at 12:24:54AM +0100, Marek Marczykowski-Górecki wrote:
> On Thu, Dec 22, 2022 at 10:29:57AM +0200, Ville Syrjälä wrote:
> > On Fri, Dec 16, 2022 at 03:30:13PM +0000, Andrew Cooper wrote:
> > > On 08/12/2022 1:55 pm, Marek Marczykowski-Górecki wrote:
> > > > Hi,
> > > >
> > > > There is an issue with i915 on Xen PV (dom0). The end result is a lot of
> > > > glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
> > > > (this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
> > > > with "modesetting" driver.
> > > >
> > > > After some iterations of debugging, we narrowed it down to i915 handling
> > > > caching. The main difference is that PAT is setup differently on Xen PV
> > > > than on native Linux. Normally, Linux does have appropriate abstraction
> > > > for that, but apparently something related to i915 doesn't play well
> > > > with it. The specific difference is:
> > > > native linux:
> > > > x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
> > > > xen pv:
> > > > x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
> > > > ~~ ~~ ~~ ~~
> > > >
> > > > The specific impact depends on kernel version and the hardware. The most
> > > > severe issues I see on >=ADL, but some older hardware is affected too -
> > > > sometimes only if composition is disabled in the window manager.
> > > > Some more information is collected at
> > > > https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
> > > > duplicates...).
> > > >
> > > > Kind-of related commit is here:
> > > > https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
> > > > replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
> > > > i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
> > > > there too.
> > > >
> > > > Any ideas?
> > > >
> > > > The issue can be easily reproduced without Xen too, by adjusting PAT in
> > > > Linux:
> > > > -----8<-----
> > > > diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
> > > > index 66a209f7eb86..319ab60c8d8c 100644
> > > > --- a/arch/x86/mm/pat/memtype.c
> > > > +++ b/arch/x86/mm/pat/memtype.c
> > > > @@ -400,8 +400,8 @@ void pat_init(void)
> > > > * The reserved slots are unused, but mapped to their
> > > > * corresponding types in the presence of PAT errata.
> > > > */
> > > > - pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > - PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
> > > > + pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > + PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
> > > > }
> > > >
> > > > if (!pat_bp_initialized) {
> > > > -----8<-----
> > > >
> > >
> > > Hello, can anyone help please?
> > >
> > > Intel's CI has taken this reproducer of the bug, and confirmed the
> > > regression.
> > > https://lore.kernel.org/intel-gfx/Y5Hst0bCxQDTN7lK@mail-itl/T/#m4480c15a0d117dce6210562eb542875e757647fb
> > >
> > > We're reasonably confident that it is an i915 bug (given the repro with
> > > no Xen in the mix), but we're out of any further ideas.
> >
> > I don't think we have any code that assumes anything about the PAT,
> > apart from WC being available (which seems like it should still be
> > the case with your modified PAT). I suppose you'll just have to
> > start digging from pgprot_writecombine()/noncached() and make sure
> > everything ends up using the correct PAT entry.
>
> I tried several approach to this, without success. Here is an update on
> debugging (reported also on #intel-gfx live):
>
> I did several tests with different PAT configuration (by modifying Xen
> that sets the MSR). Full table is at https://pad.itl.space/sheet/#/2/sheet/view/HD1qT2Zf44Ha36TJ3wj2YL+PchsTidyNTFepW5++ZKM/
> Some highlights:
> - 1=WC, 4=WT - good
> - 1=WT, 4=WC - bad
> - 1=WT, 3=WC (4=WC too) - good
> - 1=WT, 5=WC - good
>
> So, for me it seems WC at index 4 is problematic for some reason.
>
> Next, I tried to trap all the places in arch/x86/xen/mmu_pv.c that
> write PTEs and verify requested cache attributes. There, it seems all
> the requested WC are properly translated (using either index 1, 3, 4, or
> 5 according to PAT settings). And then after reading PTE back, it indeed
> seems to be correctly set. I didn't added reading back after
> HYPERVISOR_update_va_mapping, but verified it isn't used for setting WC.
>
> Using the same method, I also checked that indexes that aren't supposed
> to be used (for example index 4 when both 3 and 4 are WC) indeed are not
> used. So, the hypothesis that specific indexes are hardcoded somewhere
> is unlikely.
>
> This all looks very weird to me. Any ideas?
Old CPUs have had hardware errata that caused the top bit of the PAT
entry to be ignored in certain cases. Could modern CPUs be ignoring
this bit when accessing iGPU memory or registers? With WC at position
4, this would cause WC to be treated as WB, which is consistent with the
observed behavior. WC at position 3 would not be impacted, and WC at
position 5 would be treated as WT which I expect to be safe. One way to
test this is to test 1=WB, 5=WC. If my hypothesis is correct, this
should trigger the bug, even if entry 1 in the PAT is unused because
entry 0 is also WB.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
On Sun, Jan 01, 2023 at 07:03:18PM -0500, Demi Marie Obenour wrote:
> On Mon, Jan 02, 2023 at 12:24:54AM +0100, Marek Marczykowski-Górecki wrote:
> > On Thu, Dec 22, 2022 at 10:29:57AM +0200, Ville Syrjälä wrote:
> > > On Fri, Dec 16, 2022 at 03:30:13PM +0000, Andrew Cooper wrote:
> > > > On 08/12/2022 1:55 pm, Marek Marczykowski-Górecki wrote:
> > > > > Hi,
> > > > >
> > > > > There is an issue with i915 on Xen PV (dom0). The end result is a lot of
> > > > > glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
> > > > > (this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
> > > > > with "modesetting" driver.
> > > > >
> > > > > After some iterations of debugging, we narrowed it down to i915 handling
> > > > > caching. The main difference is that PAT is setup differently on Xen PV
> > > > > than on native Linux. Normally, Linux does have appropriate abstraction
> > > > > for that, but apparently something related to i915 doesn't play well
> > > > > with it. The specific difference is:
> > > > > native linux:
> > > > > x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
> > > > > xen pv:
> > > > > x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
> > > > > ~~ ~~ ~~ ~~
> > > > >
> > > > > The specific impact depends on kernel version and the hardware. The most
> > > > > severe issues I see on >=ADL, but some older hardware is affected too -
> > > > > sometimes only if composition is disabled in the window manager.
> > > > > Some more information is collected at
> > > > > https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
> > > > > duplicates...).
> > > > >
> > > > > Kind-of related commit is here:
> > > > > https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
> > > > > replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
> > > > > i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
> > > > > there too.
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > The issue can be easily reproduced without Xen too, by adjusting PAT in
> > > > > Linux:
> > > > > -----8<-----
> > > > > diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
> > > > > index 66a209f7eb86..319ab60c8d8c 100644
> > > > > --- a/arch/x86/mm/pat/memtype.c
> > > > > +++ b/arch/x86/mm/pat/memtype.c
> > > > > @@ -400,8 +400,8 @@ void pat_init(void)
> > > > > * The reserved slots are unused, but mapped to their
> > > > > * corresponding types in the presence of PAT errata.
> > > > > */
> > > > > - pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > > - PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
> > > > > + pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > > + PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
> > > > > }
> > > > >
> > > > > if (!pat_bp_initialized) {
> > > > > -----8<-----
> > > > >
> > > >
> > > > Hello, can anyone help please?
> > > >
> > > > Intel's CI has taken this reproducer of the bug, and confirmed the
> > > > regression.
> > > > https://lore.kernel.org/intel-gfx/Y5Hst0bCxQDTN7lK@mail-itl/T/#m4480c15a0d117dce6210562eb542875e757647fb
> > > >
> > > > We're reasonably confident that it is an i915 bug (given the repro with
> > > > no Xen in the mix), but we're out of any further ideas.
> > >
> > > I don't think we have any code that assumes anything about the PAT,
> > > apart from WC being available (which seems like it should still be
> > > the case with your modified PAT). I suppose you'll just have to
> > > start digging from pgprot_writecombine()/noncached() and make sure
> > > everything ends up using the correct PAT entry.
> >
> > I tried several approach to this, without success. Here is an update on
> > debugging (reported also on #intel-gfx live):
> >
> > I did several tests with different PAT configuration (by modifying Xen
> > that sets the MSR). Full table is at https://pad.itl.space/sheet/#/2/sheet/view/HD1qT2Zf44Ha36TJ3wj2YL+PchsTidyNTFepW5++ZKM/
> > Some highlights:
> > - 1=WC, 4=WT - good
> > - 1=WT, 4=WC - bad
> > - 1=WT, 3=WC (4=WC too) - good
> > - 1=WT, 5=WC - good
> >
> > So, for me it seems WC at index 4 is problematic for some reason.
> >
> > Next, I tried to trap all the places in arch/x86/xen/mmu_pv.c that
> > write PTEs and verify requested cache attributes. There, it seems all
> > the requested WC are properly translated (using either index 1, 3, 4, or
> > 5 according to PAT settings). And then after reading PTE back, it indeed
> > seems to be correctly set. I didn't added reading back after
> > HYPERVISOR_update_va_mapping, but verified it isn't used for setting WC.
> >
> > Using the same method, I also checked that indexes that aren't supposed
> > to be used (for example index 4 when both 3 and 4 are WC) indeed are not
> > used. So, the hypothesis that specific indexes are hardcoded somewhere
> > is unlikely.
> >
> > This all looks very weird to me. Any ideas?
>
> Old CPUs have had hardware errata that caused the top bit of the PAT
> entry to be ignored in certain cases. Could modern CPUs be ignoring
> this bit when accessing iGPU memory or registers? With WC at position
> 4, this would cause WC to be treated as WB, which is consistent with the
> observed behavior. WC at position 3 would not be impacted, and WC at
> position 5 would be treated as WT which I expect to be safe. One way to
> test this is to test 1=WB, 5=WC. If my hypothesis is correct, this
> should trigger the bug, even if entry 1 in the PAT is unused because
> entry 0 is also WB.
This looks like a very probable situation, indeed 1=WB, 5=WC does
trigger the bug! Specifically this layout:
WB WB UC- UC WP WC WT UC
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
On Mon, Jan 02, 2023 at 02:00:51AM +0100, Marek Marczykowski-Górecki wrote:
> On Sun, Jan 01, 2023 at 07:03:18PM -0500, Demi Marie Obenour wrote:
> > On Mon, Jan 02, 2023 at 12:24:54AM +0100, Marek Marczykowski-Górecki wrote:
> > > On Thu, Dec 22, 2022 at 10:29:57AM +0200, Ville Syrjälä wrote:
> > > > On Fri, Dec 16, 2022 at 03:30:13PM +0000, Andrew Cooper wrote:
> > > > > On 08/12/2022 1:55 pm, Marek Marczykowski-Górecki wrote:
> > > > > > Hi,
> > > > > >
> > > > > > There is an issue with i915 on Xen PV (dom0). The end result is a lot of
> > > > > > glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
> > > > > > (this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
> > > > > > with "modesetting" driver.
> > > > > >
> > > > > > After some iterations of debugging, we narrowed it down to i915 handling
> > > > > > caching. The main difference is that PAT is setup differently on Xen PV
> > > > > > than on native Linux. Normally, Linux does have appropriate abstraction
> > > > > > for that, but apparently something related to i915 doesn't play well
> > > > > > with it. The specific difference is:
> > > > > > native linux:
> > > > > > x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
> > > > > > xen pv:
> > > > > > x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
> > > > > > ~~ ~~ ~~ ~~
> > > > > >
> > > > > > The specific impact depends on kernel version and the hardware. The most
> > > > > > severe issues I see on >=ADL, but some older hardware is affected too -
> > > > > > sometimes only if composition is disabled in the window manager.
> > > > > > Some more information is collected at
> > > > > > https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
> > > > > > duplicates...).
> > > > > >
> > > > > > Kind-of related commit is here:
> > > > > > https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
> > > > > > replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
> > > > > > i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
> > > > > > there too.
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > The issue can be easily reproduced without Xen too, by adjusting PAT in
> > > > > > Linux:
> > > > > > -----8<-----
> > > > > > diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
> > > > > > index 66a209f7eb86..319ab60c8d8c 100644
> > > > > > --- a/arch/x86/mm/pat/memtype.c
> > > > > > +++ b/arch/x86/mm/pat/memtype.c
> > > > > > @@ -400,8 +400,8 @@ void pat_init(void)
> > > > > > * The reserved slots are unused, but mapped to their
> > > > > > * corresponding types in the presence of PAT errata.
> > > > > > */
> > > > > > - pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > > > - PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
> > > > > > + pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > > > + PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
> > > > > > }
> > > > > >
> > > > > > if (!pat_bp_initialized) {
> > > > > > -----8<-----
> > > > > >
> > > > >
> > > > > Hello, can anyone help please?
> > > > >
> > > > > Intel's CI has taken this reproducer of the bug, and confirmed the
> > > > > regression.
> > > > > https://lore.kernel.org/intel-gfx/Y5Hst0bCxQDTN7lK@mail-itl/T/#m4480c15a0d117dce6210562eb542875e757647fb
> > > > >
> > > > > We're reasonably confident that it is an i915 bug (given the repro with
> > > > > no Xen in the mix), but we're out of any further ideas.
> > > >
> > > > I don't think we have any code that assumes anything about the PAT,
> > > > apart from WC being available (which seems like it should still be
> > > > the case with your modified PAT). I suppose you'll just have to
> > > > start digging from pgprot_writecombine()/noncached() and make sure
> > > > everything ends up using the correct PAT entry.
> > >
> > > I tried several approach to this, without success. Here is an update on
> > > debugging (reported also on #intel-gfx live):
> > >
> > > I did several tests with different PAT configuration (by modifying Xen
> > > that sets the MSR). Full table is at https://pad.itl.space/sheet/#/2/sheet/view/HD1qT2Zf44Ha36TJ3wj2YL+PchsTidyNTFepW5++ZKM/
> > > Some highlights:
> > > - 1=WC, 4=WT - good
> > > - 1=WT, 4=WC - bad
> > > - 1=WT, 3=WC (4=WC too) - good
> > > - 1=WT, 5=WC - good
> > >
> > > So, for me it seems WC at index 4 is problematic for some reason.
> > >
> > > Next, I tried to trap all the places in arch/x86/xen/mmu_pv.c that
> > > write PTEs and verify requested cache attributes. There, it seems all
> > > the requested WC are properly translated (using either index 1, 3, 4, or
> > > 5 according to PAT settings). And then after reading PTE back, it indeed
> > > seems to be correctly set. I didn't added reading back after
> > > HYPERVISOR_update_va_mapping, but verified it isn't used for setting WC.
> > >
> > > Using the same method, I also checked that indexes that aren't supposed
> > > to be used (for example index 4 when both 3 and 4 are WC) indeed are not
> > > used. So, the hypothesis that specific indexes are hardcoded somewhere
> > > is unlikely.
> > >
> > > This all looks very weird to me. Any ideas?
> >
> > Old CPUs have had hardware errata that caused the top bit of the PAT
> > entry to be ignored in certain cases. Could modern CPUs be ignoring
> > this bit when accessing iGPU memory or registers? With WC at position
> > 4, this would cause WC to be treated as WB, which is consistent with the
> > observed behavior. WC at position 3 would not be impacted, and WC at
> > position 5 would be treated as WT which I expect to be safe. One way to
> > test this is to test 1=WB, 5=WC. If my hypothesis is correct, this
> > should trigger the bug, even if entry 1 in the PAT is unused because
> > entry 0 is also WB.
>
> This looks like a very probable situation, indeed 1=WB, 5=WC does
> trigger the bug! Specifically this layout:
>
> WB WB UC- UC WP WC WT UC
What about WB WT WB UC WB WP WC UC- and WB WT WT UC WB WP WC UC-? Those
only differ in entry 2, which will not be used as it duplicates entry 0
or 1. Therefore, architecturally, these should behave identically. If
I am correct, the second will work fine, but the first will trigger the
bug.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
On Sun, Jan 01, 2023 at 08:17:52PM -0500, Demi Marie Obenour wrote:
> On Mon, Jan 02, 2023 at 02:00:51AM +0100, Marek Marczykowski-Górecki wrote:
> > On Sun, Jan 01, 2023 at 07:03:18PM -0500, Demi Marie Obenour wrote:
> > > On Mon, Jan 02, 2023 at 12:24:54AM +0100, Marek Marczykowski-Górecki wrote:
> > > > On Thu, Dec 22, 2022 at 10:29:57AM +0200, Ville Syrjälä wrote:
> > > > > On Fri, Dec 16, 2022 at 03:30:13PM +0000, Andrew Cooper wrote:
> > > > > > On 08/12/2022 1:55 pm, Marek Marczykowski-Górecki wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > There is an issue with i915 on Xen PV (dom0). The end result is a lot of
> > > > > > > glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
> > > > > > > (this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
> > > > > > > with "modesetting" driver.
> > > > > > >
> > > > > > > After some iterations of debugging, we narrowed it down to i915 handling
> > > > > > > caching. The main difference is that PAT is setup differently on Xen PV
> > > > > > > than on native Linux. Normally, Linux does have appropriate abstraction
> > > > > > > for that, but apparently something related to i915 doesn't play well
> > > > > > > with it. The specific difference is:
> > > > > > > native linux:
> > > > > > > x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
> > > > > > > xen pv:
> > > > > > > x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
> > > > > > > ~~ ~~ ~~ ~~
> > > > > > >
> > > > > > > The specific impact depends on kernel version and the hardware. The most
> > > > > > > severe issues I see on >=ADL, but some older hardware is affected too -
> > > > > > > sometimes only if composition is disabled in the window manager.
> > > > > > > Some more information is collected at
> > > > > > > https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
> > > > > > > duplicates...).
> > > > > > >
> > > > > > > Kind-of related commit is here:
> > > > > > > https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
> > > > > > > replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
> > > > > > > i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
> > > > > > > there too.
> > > > > > >
> > > > > > > Any ideas?
> > > > > > >
> > > > > > > The issue can be easily reproduced without Xen too, by adjusting PAT in
> > > > > > > Linux:
> > > > > > > -----8<-----
> > > > > > > diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
> > > > > > > index 66a209f7eb86..319ab60c8d8c 100644
> > > > > > > --- a/arch/x86/mm/pat/memtype.c
> > > > > > > +++ b/arch/x86/mm/pat/memtype.c
> > > > > > > @@ -400,8 +400,8 @@ void pat_init(void)
> > > > > > > * The reserved slots are unused, but mapped to their
> > > > > > > * corresponding types in the presence of PAT errata.
> > > > > > > */
> > > > > > > - pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > > > > - PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
> > > > > > > + pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > > > > + PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
> > > > > > > }
> > > > > > >
> > > > > > > if (!pat_bp_initialized) {
> > > > > > > -----8<-----
> > > > > > >
> > > > > >
> > > > > > Hello, can anyone help please?
> > > > > >
> > > > > > Intel's CI has taken this reproducer of the bug, and confirmed the
> > > > > > regression.
> > > > > > https://lore.kernel.org/intel-gfx/Y5Hst0bCxQDTN7lK@mail-itl/T/#m4480c15a0d117dce6210562eb542875e757647fb
> > > > > >
> > > > > > We're reasonably confident that it is an i915 bug (given the repro with
> > > > > > no Xen in the mix), but we're out of any further ideas.
> > > > >
> > > > > I don't think we have any code that assumes anything about the PAT,
> > > > > apart from WC being available (which seems like it should still be
> > > > > the case with your modified PAT). I suppose you'll just have to
> > > > > start digging from pgprot_writecombine()/noncached() and make sure
> > > > > everything ends up using the correct PAT entry.
> > > >
> > > > I tried several approach to this, without success. Here is an update on
> > > > debugging (reported also on #intel-gfx live):
> > > >
> > > > I did several tests with different PAT configuration (by modifying Xen
> > > > that sets the MSR). Full table is at https://pad.itl.space/sheet/#/2/sheet/view/HD1qT2Zf44Ha36TJ3wj2YL+PchsTidyNTFepW5++ZKM/
> > > > Some highlights:
> > > > - 1=WC, 4=WT - good
> > > > - 1=WT, 4=WC - bad
> > > > - 1=WT, 3=WC (4=WC too) - good
> > > > - 1=WT, 5=WC - good
> > > >
> > > > So, for me it seems WC at index 4 is problematic for some reason.
> > > >
> > > > Next, I tried to trap all the places in arch/x86/xen/mmu_pv.c that
> > > > write PTEs and verify requested cache attributes. There, it seems all
> > > > the requested WC are properly translated (using either index 1, 3, 4, or
> > > > 5 according to PAT settings). And then after reading PTE back, it indeed
> > > > seems to be correctly set. I didn't added reading back after
> > > > HYPERVISOR_update_va_mapping, but verified it isn't used for setting WC.
> > > >
> > > > Using the same method, I also checked that indexes that aren't supposed
> > > > to be used (for example index 4 when both 3 and 4 are WC) indeed are not
> > > > used. So, the hypothesis that specific indexes are hardcoded somewhere
> > > > is unlikely.
> > > >
> > > > This all looks very weird to me. Any ideas?
> > >
> > > Old CPUs have had hardware errata that caused the top bit of the PAT
> > > entry to be ignored in certain cases. Could modern CPUs be ignoring
> > > this bit when accessing iGPU memory or registers? With WC at position
> > > 4, this would cause WC to be treated as WB, which is consistent with the
> > > observed behavior. WC at position 3 would not be impacted, and WC at
> > > position 5 would be treated as WT which I expect to be safe. One way to
> > > test this is to test 1=WB, 5=WC. If my hypothesis is correct, this
> > > should trigger the bug, even if entry 1 in the PAT is unused because
> > > entry 0 is also WB.
> >
> > This looks like a very probable situation, indeed 1=WB, 5=WC does
> > trigger the bug! Specifically this layout:
> >
> > WB WB UC- UC WP WC WT UC
>
> What about WB WT WB UC WB WP WC UC- and WB WT WT UC WB WP WC UC-? Those
> only differ in entry 2, which will not be used as it duplicates entry 0
> or 1. Therefore, architecturally, these should behave identically. If
> I am correct, the second will work fine, but the first will trigger the
> bug.
Also worth testing:
WB UC- UC WB WB WP WT WC
WB UC- UC UC WB WP WT WC
These differ only in (unused) entry 3.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
On Sun, Jan 01, 2023 at 08:48:13PM -0500, Demi Marie Obenour wrote:
> On Sun, Jan 01, 2023 at 08:17:52PM -0500, Demi Marie Obenour wrote:
> > On Mon, Jan 02, 2023 at 02:00:51AM +0100, Marek Marczykowski-Górecki wrote:
> > > On Sun, Jan 01, 2023 at 07:03:18PM -0500, Demi Marie Obenour wrote:
> > > > On Mon, Jan 02, 2023 at 12:24:54AM +0100, Marek Marczykowski-Górecki wrote:
> > > > > On Thu, Dec 22, 2022 at 10:29:57AM +0200, Ville Syrjälä wrote:
> > > > > > On Fri, Dec 16, 2022 at 03:30:13PM +0000, Andrew Cooper wrote:
> > > > > > > On 08/12/2022 1:55 pm, Marek Marczykowski-Górecki wrote:
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > There is an issue with i915 on Xen PV (dom0). The end result is a lot of
> > > > > > > > glitches, like here: https://openqa.qubes-os.org/tests/54748#step/startup/8
> > > > > > > > (this one is on ADL, Linux 6.1-rc7 as a Xen PV dom0). It's using Xorg
> > > > > > > > with "modesetting" driver.
> > > > > > > >
> > > > > > > > After some iterations of debugging, we narrowed it down to i915 handling
> > > > > > > > caching. The main difference is that PAT is setup differently on Xen PV
> > > > > > > > than on native Linux. Normally, Linux does have appropriate abstraction
> > > > > > > > for that, but apparently something related to i915 doesn't play well
> > > > > > > > with it. The specific difference is:
> > > > > > > > native linux:
> > > > > > > > x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
> > > > > > > > xen pv:
> > > > > > > > x86/PAT: Configuration [0-7]: WB WT UC- UC WC WP UC UC
> > > > > > > > ~~ ~~ ~~ ~~
> > > > > > > >
> > > > > > > > The specific impact depends on kernel version and the hardware. The most
> > > > > > > > severe issues I see on >=ADL, but some older hardware is affected too -
> > > > > > > > sometimes only if composition is disabled in the window manager.
> > > > > > > > Some more information is collected at
> > > > > > > > https://github.com/QubesOS/qubes-issues/issues/4782 (and few linked
> > > > > > > > duplicates...).
> > > > > > > >
> > > > > > > > Kind-of related commit is here:
> > > > > > > > https://github.com/torvalds/linux/commit/bdd8b6c98239cad ("drm/i915:
> > > > > > > > replace X86_FEATURE_PAT with pat_enabled()") - it is the place where
> > > > > > > > i915 explicitly checks for PAT support, so I'm cc-ing people mentioned
> > > > > > > > there too.
> > > > > > > >
> > > > > > > > Any ideas?
> > > > > > > >
> > > > > > > > The issue can be easily reproduced without Xen too, by adjusting PAT in
> > > > > > > > Linux:
> > > > > > > > -----8<-----
> > > > > > > > diff --git a/arch/x86/mm/pat/memtype.c b/arch/x86/mm/pat/memtype.c
> > > > > > > > index 66a209f7eb86..319ab60c8d8c 100644
> > > > > > > > --- a/arch/x86/mm/pat/memtype.c
> > > > > > > > +++ b/arch/x86/mm/pat/memtype.c
> > > > > > > > @@ -400,8 +400,8 @@ void pat_init(void)
> > > > > > > > * The reserved slots are unused, but mapped to their
> > > > > > > > * corresponding types in the presence of PAT errata.
> > > > > > > > */
> > > > > > > > - pat = PAT(0, WB) | PAT(1, WC) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > > > > > - PAT(4, WB) | PAT(5, WP) | PAT(6, UC_MINUS) | PAT(7, WT);
> > > > > > > > + pat = PAT(0, WB) | PAT(1, WT) | PAT(2, UC_MINUS) | PAT(3, UC) |
> > > > > > > > + PAT(4, WC) | PAT(5, WP) | PAT(6, UC) | PAT(7, UC);
> > > > > > > > }
> > > > > > > >
> > > > > > > > if (!pat_bp_initialized) {
> > > > > > > > -----8<-----
> > > > > > > >
> > > > > > >
> > > > > > > Hello, can anyone help please?
> > > > > > >
> > > > > > > Intel's CI has taken this reproducer of the bug, and confirmed the
> > > > > > > regression.
> > > > > > > https://lore.kernel.org/intel-gfx/Y5Hst0bCxQDTN7lK@mail-itl/T/#m4480c15a0d117dce6210562eb542875e757647fb
> > > > > > >
> > > > > > > We're reasonably confident that it is an i915 bug (given the repro with
> > > > > > > no Xen in the mix), but we're out of any further ideas.
> > > > > >
> > > > > > I don't think we have any code that assumes anything about the PAT,
> > > > > > apart from WC being available (which seems like it should still be
> > > > > > the case with your modified PAT). I suppose you'll just have to
> > > > > > start digging from pgprot_writecombine()/noncached() and make sure
> > > > > > everything ends up using the correct PAT entry.
> > > > >
> > > > > I tried several approach to this, without success. Here is an update on
> > > > > debugging (reported also on #intel-gfx live):
> > > > >
> > > > > I did several tests with different PAT configuration (by modifying Xen
> > > > > that sets the MSR). Full table is at https://pad.itl.space/sheet/#/2/sheet/view/HD1qT2Zf44Ha36TJ3wj2YL+PchsTidyNTFepW5++ZKM/
> > > > > Some highlights:
> > > > > - 1=WC, 4=WT - good
> > > > > - 1=WT, 4=WC - bad
> > > > > - 1=WT, 3=WC (4=WC too) - good
> > > > > - 1=WT, 5=WC - good
> > > > >
> > > > > So, for me it seems WC at index 4 is problematic for some reason.
> > > > >
> > > > > Next, I tried to trap all the places in arch/x86/xen/mmu_pv.c that
> > > > > write PTEs and verify requested cache attributes. There, it seems all
> > > > > the requested WC are properly translated (using either index 1, 3, 4, or
> > > > > 5 according to PAT settings). And then after reading PTE back, it indeed
> > > > > seems to be correctly set. I didn't added reading back after
> > > > > HYPERVISOR_update_va_mapping, but verified it isn't used for setting WC.
> > > > >
> > > > > Using the same method, I also checked that indexes that aren't supposed
> > > > > to be used (for example index 4 when both 3 and 4 are WC) indeed are not
> > > > > used. So, the hypothesis that specific indexes are hardcoded somewhere
> > > > > is unlikely.
> > > > >
> > > > > This all looks very weird to me. Any ideas?
> > > >
> > > > Old CPUs have had hardware errata that caused the top bit of the PAT
> > > > entry to be ignored in certain cases. Could modern CPUs be ignoring
> > > > this bit when accessing iGPU memory or registers? With WC at position
> > > > 4, this would cause WC to be treated as WB, which is consistent with the
> > > > observed behavior. WC at position 3 would not be impacted, and WC at
> > > > position 5 would be treated as WT which I expect to be safe. One way to
> > > > test this is to test 1=WB, 5=WC. If my hypothesis is correct, this
> > > > should trigger the bug, even if entry 1 in the PAT is unused because
> > > > entry 0 is also WB.
> > >
> > > This looks like a very probable situation, indeed 1=WB, 5=WC does
> > > trigger the bug! Specifically this layout:
> > >
> > > WB WB UC- UC WP WC WT UC
> >
> > What about WB WT WB UC WB WP WC UC- and WB WT WT UC WB WP WC UC-? Those
> > only differ in entry 2, which will not be used as it duplicates entry 0
> > or 1. Therefore, architecturally, these should behave identically. If
> > I am correct, the second will work fine, but the first will trigger the
> > bug.
Bingo! This also behaves as predicted.
So, it indeed looks like the _PAGE_PAT bit is ignored by the hardware,
even though set in relevant PTEs.
> Also worth testing:
>
> WB UC- UC WB WB WP WT WC
> WB UC- UC UC WB WP WT WC
>
> These differ only in (unused) entry 3.
I'll skip this, as I think it's pretty clear what will be the result.
But if somebody else think it's worth testing anyway, let me know.
--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
© 2016 - 2024 Red Hat, Inc.