Public bug reported: BugLink: https://bugs.launchpad.net/bugs/2054218
[Impact] Running perf against a QEMU/kvm process results in the guest suffering a page fault in trying to store Precise Event Based Sampling (PEBS) records for the host. This affects both using perf against a single process, in which it crashes the targeted guest, or using perf system wide, in which it crashes all running guests on the system. The issue was introduced in 6.0 by: commit c59a1f106f5cd4843c097069ff1bb2ad72103a67 Author: Like Xu <like...@linux.intel.com> Date: Mon Apr 11 18:19:36 2022 +0800 Subject: KVM: x86/pmu: Add IA32_PEBS_ENABLE MSR emulation for extended PEBS Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c59a1f106f5cd4843c097069ff1bb2ad72103a67 This affects all 6.2 and 6.5 kernels. There is no known workaround, apart from not using perf on affected systems. [Fix] The issue was fixed in 6.7 by: commit 971079464001c6856186ca137778e534d983174a Author: Paolo Bonzini <pbonz...@redhat.com> Date: Thu Jan 4 16:15:17 2024 +0100 Subject: KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=971079464001c6856186ca137778e534d983174a This reinstates the logic for setting MSR_CORE_PERF_GLOBAL_CTRL to what it was before "KVM: x86/pmu: Add IA32_PEBS_ENABLE MSR emulation for extended PEBS". - .guest = intel_ctrl & (~cpuc->intel_ctrl_host_mask | ~pebs_mask), + .guest = intel_ctrl & ~cpuc->intel_ctrl_host_mask & ~pebs_mask, The faulty logic includes any bit that isn't both marked as exclude_guest and using PEBS, while it should really be excluding PEBS from the host. [Testcase] Start a bare metal server. Enable KVM, start a few VMs. The VMs can be idle, they don't require any workload. $ sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils uvtool $ sudo reboot $ ssh-keygen $ uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily release=jammy arch=amd64 $ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-a release=jammy arch=amd64 $ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-b release=jammy arch=amd64 $ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-c release=jammy arch=amd64 $ virsh list Id Name State ------------------------- 2 jammy-a running 3 jammy-b running 4 jammy-c running $ uvt-kvm ssh jammy-a Check it works. $ ps aux | grep qemu Find the pid of jammy-a $ perf top -p $PID $ virsh console jammy-a Escape character is ^] (Ctrl + ]) [ 357.793039] BUG: unable to handle page fault for address: fffffe49178c6028 $ uvt-kvm ssh jammy-a (no response) Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf379502-test If you install it, then running perf against the PID of qemu processes will no longer crash the guest, and they will be accessible by SSH afterward. [Where problems could occur] We are rearranging the logic of setting the PEBS MSRs, which affects processor sampling of events. This will affect any profiling tools running against KVM based virtual machines, namely perf against QEMU. If a regression were to occur, running perf against a VM could cause it to page fault and subsequently crash, resulting in downtime. The only workaround will be to disable all profiling tools until a fix is available. ** Affects: linux (Ubuntu) Importance: Undecided Status: Fix Released ** Affects: linux (Ubuntu Mantic) Importance: Medium Assignee: Matthew Ruffell (mruffell) Status: In Progress ** Tags: mantic sts ** Also affects: linux (Ubuntu Mantic) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Mantic) Status: New => In Progress ** Changed in: linux (Ubuntu) Status: New => Fix Released ** Changed in: linux (Ubuntu Mantic) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Mantic) Assignee: (unassigned) => Matthew Ruffell (mruffell) ** Description changed: - BugLink: https://bugs.launchpad.net/bugs/ + BugLink: https://bugs.launchpad.net/bugs/2054218 [Impact] Running perf against a QEMU/kvm process results in the guest suffering a page fault in trying to store Precise Event Based Sampling (PEBS) records for the host. This affects both using perf against a single process, in which it crashes the targeted guest, or using perf system wide, in which it crashes all running guests on the system. The issue was introduced in 6.0 by: commit c59a1f106f5cd4843c097069ff1bb2ad72103a67 Author: Like Xu <like...@linux.intel.com> Date: Mon Apr 11 18:19:36 2022 +0800 Subject: KVM: x86/pmu: Add IA32_PEBS_ENABLE MSR emulation for extended PEBS Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c59a1f106f5cd4843c097069ff1bb2ad72103a67 This affects all 6.2 and 6.5 kernels. There is no known workaround, apart from not using perf on affected systems. [Fix] The issue was fixed in 6.7 by: commit 971079464001c6856186ca137778e534d983174a Author: Paolo Bonzini <pbonz...@redhat.com> Date: Thu Jan 4 16:15:17 2024 +0100 Subject: KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=971079464001c6856186ca137778e534d983174a This reinstates the logic for setting MSR_CORE_PERF_GLOBAL_CTRL to what it was before "KVM: x86/pmu: Add IA32_PEBS_ENABLE MSR emulation for extended PEBS". - .guest = intel_ctrl & (~cpuc->intel_ctrl_host_mask | ~pebs_mask), + .guest = intel_ctrl & ~cpuc->intel_ctrl_host_mask & ~pebs_mask, The faulty logic includes any bit that isn't both marked as exclude_guest and using PEBS, while it should really be excluding PEBS from the host. [Testcase] Start a bare metal server. Enable KVM, start a few VMs. The VMs can be idle, they don't require any workload. $ sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils uvtool $ sudo reboot $ ssh-keygen $ uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily release=jammy arch=amd64 $ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-a release=jammy arch=amd64 $ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-b release=jammy arch=amd64 $ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-c release=jammy arch=amd64 $ virsh list - Id Name State + Id Name State ------------------------- - 2 jammy-a running - 3 jammy-b running - 4 jammy-c running + 2 jammy-a running + 3 jammy-b running + 4 jammy-c running $ uvt-kvm ssh jammy-a Check it works. $ ps aux | grep qemu Find the pid of jammy-a $ perf top -p $PID $ virsh console jammy-a Escape character is ^] (Ctrl + ]) [ 357.793039] BUG: unable to handle page fault for address: fffffe49178c6028 $ uvt-kvm ssh jammy-a (no response) Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf379502-test If you install it, then running perf against the PID of qemu processes will no longer crash the guest, and they will be accessible by SSH afterward. [Where problems could occur] We are rearranging the logic of setting the PEBS MSRs, which affects processor sampling of events. This will affect any profiling tools running against KVM based virtual machines, namely perf against QEMU. If a regression were to occur, running perf against a VM could cause it to page fault and subsequently crash, resulting in downtime. The only workaround will be to disable all profiling tools until a fix is available. ** Tags added: mantic sts -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/2054218 Title: kvm: Running perf against qemu processes results in page fault inside guest Status in linux package in Ubuntu: Fix Released Status in linux source package in Mantic: In Progress Bug description: BugLink: https://bugs.launchpad.net/bugs/2054218 [Impact] Running perf against a QEMU/kvm process results in the guest suffering a page fault in trying to store Precise Event Based Sampling (PEBS) records for the host. This affects both using perf against a single process, in which it crashes the targeted guest, or using perf system wide, in which it crashes all running guests on the system. The issue was introduced in 6.0 by: commit c59a1f106f5cd4843c097069ff1bb2ad72103a67 Author: Like Xu <like...@linux.intel.com> Date: Mon Apr 11 18:19:36 2022 +0800 Subject: KVM: x86/pmu: Add IA32_PEBS_ENABLE MSR emulation for extended PEBS Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c59a1f106f5cd4843c097069ff1bb2ad72103a67 This affects all 6.2 and 6.5 kernels. There is no known workaround, apart from not using perf on affected systems. [Fix] The issue was fixed in 6.7 by: commit 971079464001c6856186ca137778e534d983174a Author: Paolo Bonzini <pbonz...@redhat.com> Date: Thu Jan 4 16:15:17 2024 +0100 Subject: KVM: x86/pmu: fix masking logic for MSR_CORE_PERF_GLOBAL_CTRL Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=971079464001c6856186ca137778e534d983174a This reinstates the logic for setting MSR_CORE_PERF_GLOBAL_CTRL to what it was before "KVM: x86/pmu: Add IA32_PEBS_ENABLE MSR emulation for extended PEBS". - .guest = intel_ctrl & (~cpuc->intel_ctrl_host_mask | ~pebs_mask), + .guest = intel_ctrl & ~cpuc->intel_ctrl_host_mask & ~pebs_mask, The faulty logic includes any bit that isn't both marked as exclude_guest and using PEBS, while it should really be excluding PEBS from the host. [Testcase] Start a bare metal server. Enable KVM, start a few VMs. The VMs can be idle, they don't require any workload. $ sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils uvtool $ sudo reboot $ ssh-keygen $ uvt-simplestreams-libvirt sync --source http://cloud-images.ubuntu.com/daily release=jammy arch=amd64 $ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-a release=jammy arch=amd64 $ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-b release=jammy arch=amd64 $ uvt-kvm create --cpu 4 --memory 4096 --disk 10 jammy-c release=jammy arch=amd64 $ virsh list Id Name State ------------------------- 2 jammy-a running 3 jammy-b running 4 jammy-c running $ uvt-kvm ssh jammy-a Check it works. $ ps aux | grep qemu Find the pid of jammy-a $ perf top -p $PID $ virsh console jammy-a Escape character is ^] (Ctrl + ]) [ 357.793039] BUG: unable to handle page fault for address: fffffe49178c6028 $ uvt-kvm ssh jammy-a (no response) Test packages are available in the following ppa: https://launchpad.net/~mruffell/+archive/ubuntu/sf379502-test If you install it, then running perf against the PID of qemu processes will no longer crash the guest, and they will be accessible by SSH afterward. [Where problems could occur] We are rearranging the logic of setting the PEBS MSRs, which affects processor sampling of events. This will affect any profiling tools running against KVM based virtual machines, namely perf against QEMU. If a regression were to occur, running perf against a VM could cause it to page fault and subsequently crash, resulting in downtime. The only workaround will be to disable all profiling tools until a fix is available. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2054218/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
