[PATCH v10 clocksource 0/7] Do not mark clocks unstable due to delays for v5.13

From: Paul E. McKenney
Date: Sun Apr 25 2021 - 18:45:47 EST


Hello!

If there is a sufficient delay between reading the watchdog clock and the
clock under test, the clock under test will be marked unstable through no
fault of its own. This series checks for this, doing limited retries
to get a good set of clock reads. If the clock is marked unstable
and is marked as being per-CPU, cross-CPU synchronization is checked.
This series also provides delay injection, which may be enabled via
kernel boot parameters to test the checking for delays.

Note that "sufficient delay" can be provided by SMIs, NMIs, and of course
vCPU preemption.

1. Provide module parameters to inject delays in watchdog.

2. Retry clock read if long delays detected.

3. Check per-CPU clock synchronization when marked unstable.

4. Provide a module parameter to fuzz per-CPU clock checking.

5. Limit number of CPUs checked for clock synchronization.

6. Forgive tsc_early pre-calibration drift.

7. Reduce the clock-skew limit to 200us and the maximum permissible
clock read delay to 50us.

Changes since v9:

o Forgive tsc_early drift, based on feedback from Feng Tang; Xing,
Zhengjun; and Thomas Gleixner.

o Improve CPU selection for clock-synchronization checking.

Link: https://lore.kernel.org/lkml/20210419045155.GA596058@paulmck-ThinkPad-P17-Gen-1/

Changes since v8, based on Thomas Gleixner feedback:

o Reduced clock-skew threshold to 200us and delay limit to 50us.

o Split out a cs_watchdog_read() function.

o Removed the pointless CLOCK_SOURCE_VERIFY_PERCPU from kvm_clock.

o Initialized cs_nsec_max and cs_nsec_min to avoid firsttime checks.

Link: https://lore.kernel.org/lkml/20210414043435.GA2812539@paulmck-ThinkPad-P17-Gen-1/

Changes since v7, based on Thomas Gleixner feedback:

o Fix embarrassing git-format-patch operator error.

o Merge pairwise clock-desynchronization checking into the checking
of per-CPU clock synchronization when marked unstable.

o Do selective per-CPU checking rather than blindly checking all
CPUs. Provide a clocksource.verify_n_cpus kernel boot parameter
to control this behavior, with the value -1 choosing the old
check-all-CPUs behavior. The default is to randomly check 8 CPUs.

o Fix the clock-desynchronization checking to avoid a potential
use-after-free error for dynamically allocated clocksource
structures.

o Remove redundance "wdagain_nsec < 0" from clocksource_watchdog()
clocksource skew checking.

o Update commit logs and do code-style updates.

Link: https://lore.kernel.org/lkml/20210106004013.GA11179@paulmck-ThinkPad-P72/

Changes since v5:

o Rebased to v5.12-rc5.

Changes since v4:

o Rebased to v5.12-rc1.

Changes since v3:

o Rebased to v5.11.

o Apply Randy Dunlap feedback.

Changes since v2:

o Rebased to v5.11-rc6.

o Updated Cc: list.

Changes since v1:

o Applied feedback from Rik van Riel.

o Rebased to v5.11-rc3.

o Stripped "RFC" from the subject lines.

Thanx, Paul

------------------------------------------------------------------------

Documentation/admin-guide/kernel-parameters.txt | 32 +++
b/Documentation/admin-guide/kernel-parameters.txt | 16 +
b/arch/x86/kernel/tsc.c | 3
b/include/linux/clocksource.h | 2
b/kernel/time/clocksource.c | 23 ++
kernel/time/clocksource.c | 201 ++++++++++++++++++++--
6 files changed, 263 insertions(+), 14 deletions(-)