During the safety analysis that was done in the context of the
ELISA project by the safety architecture working group some
incorrectnesses were spotted.
This patchset proposes some fixes.
Signed-off-by: Gabriele Paoloni <[email protected]>
Reviewed-by: Tony Luck <[email protected]>
Gabriele Paoloni (4):
x86/mce: do not overwrite no_way_out if mce_end() fails
x86/mce: move the mce_panic() call and kill_it assignments at the
right places
x86/mce: for LMCE panic only if mca_cfg.tolerant < 3
x86/mce: remove redundant call to irq_work_queue()
arch/x86/kernel/cpu/mce/core.c | 28 +++++++++++-----------------
1 file changed, 11 insertions(+), 17 deletions(-)
--
2.20.1
---------------------------------------------------------------------
INTEL CORPORATION ITALIA S.p.A. con unico socio
Sede: Milanofiori Palazzo E 4
CAP 20094 Assago (MI)
Capitale Sociale Euro 104.000,00 interamente versato
Partita I.V.A. e Codice Fiscale 04236760155
Repertorio Economico Amministrativo n. 997124
Registro delle Imprese di Milano nr. 183983/5281/33
Soggetta ad attivita' di direzione e coordinamento di
INTEL CORPORATION, USA
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
Right now in do_machine_check() we have:
__mc_scan_banks()->mce_log()->irq_work_queue(&mce_irq_work)
hence the call of irq_work_queue() below after __mc_scan_banks()
seems redundant. Just remove it.
Signed-off-by: Gabriele Paoloni <[email protected]>
Reviewed-by: Tony Luck <[email protected]>
---
arch/x86/kernel/cpu/mce/core.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
index d16cbb05b09c..f2f7bfc60c67 100644
--- a/arch/x86/kernel/cpu/mce/core.c
+++ b/arch/x86/kernel/cpu/mce/core.c
@@ -1407,9 +1407,6 @@ noinstr void do_machine_check(struct pt_regs *regs)
}
}
- if (worst > 0)
- irq_work_queue(&mce_irq_work);
-
if (worst != MCE_AR_SEVERITY && !kill_it)
goto out;
--
2.20.1
---------------------------------------------------------------------
INTEL CORPORATION ITALIA S.p.A. con unico socio
Sede: Milanofiori Palazzo E 4
CAP 20094 Assago (MI)
Capitale Sociale Euro 104.000,00 interamente versato
Partita I.V.A. e Codice Fiscale 04236760155
Repertorio Economico Amministrativo n. 997124
Registro delle Imprese di Milano nr. 183983/5281/33
Soggetta ad attivita' di direzione e coordinamento di
INTEL CORPORATION, USA
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
Right now for local MCEs we panic(),if needed, right after lmce is
set. For global MCEs mce_reign() takes care of calling mce_panic().
Hence this patch:
- improves readibility by moving the conditional evaluation of
tolerant up to when kill_it is set first
- moves the mce_panic() call up into the statement where mce_end()
fails
Signed-off-by: Gabriele Paoloni <[email protected]>
Reviewed-by: Tony Luck <[email protected]>
---
arch/x86/kernel/cpu/mce/core.c | 21 +++++++++------------
1 file changed, 9 insertions(+), 12 deletions(-)
diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
index b990892c6766..e025ff04438f 100644
--- a/arch/x86/kernel/cpu/mce/core.c
+++ b/arch/x86/kernel/cpu/mce/core.c
@@ -1350,8 +1350,7 @@ noinstr void do_machine_check(struct pt_regs *regs)
* severity is MCE_AR_SEVERITY we have other options.
*/
if (!(m.mcgstatus & MCG_STATUS_RIPV))
- kill_it = 1;
-
+ kill_it = (cfg->tolerant == 3) ? 0 : 1;
/*
* Check if this MCE is signaled to only this logical processor,
* on Intel, Zhaoxin only.
@@ -1384,8 +1383,15 @@ noinstr void do_machine_check(struct pt_regs *regs)
* When there's any problem use only local no_way_out state.
*/
if (!lmce) {
- if (mce_end(order) < 0)
+ if (mce_end(order) < 0) {
no_way_out = no_way_out ? no_way_out : worst >= MCE_PANIC_SEVERITY;
+ /*
+ * mce_reign() has probably failed hence evaluate if we need
+ * to panic
+ */
+ if (no_way_out && mca_cfg.tolerant < 3)
+ mce_panic("Fatal machine check on current CPU", &m, msg);
+ }
} else {
/*
* If there was a fatal machine check we should have
@@ -1401,15 +1407,6 @@ noinstr void do_machine_check(struct pt_regs *regs)
}
}
- /*
- * If tolerant is at an insane level we drop requests to kill
- * processes and continue even when there is no way out.
- */
- if (cfg->tolerant == 3)
- kill_it = 0;
- else if (no_way_out)
- mce_panic("Fatal machine check on current CPU", &m, msg);
-
if (worst > 0)
irq_work_queue(&mce_irq_work);
--
2.20.1
---------------------------------------------------------------------
INTEL CORPORATION ITALIA S.p.A. con unico socio
Sede: Milanofiori Palazzo E 4
CAP 20094 Assago (MI)
Capitale Sociale Euro 104.000,00 interamente versato
Partita I.V.A. e Codice Fiscale 04236760155
Repertorio Economico Amministrativo n. 997124
Registro delle Imprese di Milano nr. 183983/5281/33
Soggetta ad attivita' di direzione e coordinamento di
INTEL CORPORATION, USA
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
On Wed, Nov 18, 2020 at 03:15:50PM +0000, Gabriele Paoloni wrote:
> Right now for local MCEs we panic(),if needed, right after lmce is
> set. For global MCEs mce_reign() takes care of calling mce_panic().
> Hence this patch:
> - improves readibility by moving the conditional evaluation of
> tolerant up to when kill_it is set first
> - moves the mce_panic() call up into the statement where mce_end()
> fails
Pls avoid using "this patch does this and that" in the commit message
but say directly what it does:
- Improve readability ...
- Move mce_panic()...
and so on.
> Signed-off-by: Gabriele Paoloni <[email protected]>
> Reviewed-by: Tony Luck <[email protected]>
> ---
> arch/x86/kernel/cpu/mce/core.c | 21 +++++++++------------
> 1 file changed, 9 insertions(+), 12 deletions(-)
>
> diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c
> index b990892c6766..e025ff04438f 100644
> --- a/arch/x86/kernel/cpu/mce/core.c
> +++ b/arch/x86/kernel/cpu/mce/core.c
> @@ -1350,8 +1350,7 @@ noinstr void do_machine_check(struct pt_regs *regs)
> * severity is MCE_AR_SEVERITY we have other options.
> */
> if (!(m.mcgstatus & MCG_STATUS_RIPV))
> - kill_it = 1;
> -
> + kill_it = (cfg->tolerant == 3) ? 0 : 1;
So you just set kill_it using cfg->tolerant...
> /*
> * Check if this MCE is signaled to only this logical processor,
> * on Intel, Zhaoxin only.
> @@ -1384,8 +1383,15 @@ noinstr void do_machine_check(struct pt_regs *regs)
> * When there's any problem use only local no_way_out state.
> */
> if (!lmce) {
> - if (mce_end(order) < 0)
> + if (mce_end(order) < 0) {
> no_way_out = no_way_out ? no_way_out : worst >= MCE_PANIC_SEVERITY;
> + /*
> + * mce_reign() has probably failed hence evaluate if we need
> + * to panic
> + */
> + if (no_way_out && mca_cfg.tolerant < 3)
... but here you're testing cfg->tolerant again.
why not
if (no_way_out && kill_it)
?
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
Hi Boris
> -----Original Message-----
> From: Borislav Petkov <[email protected]>
> Sent: Monday, November 23, 2020 3:28 PM
> To: Paoloni, Gabriele <[email protected]>
> Cc: Luck, Tony <[email protected]>; [email protected];
> [email protected]; [email protected]; [email protected]; linux-
> [email protected]; [email protected]; linux-
> [email protected]
> Subject: Re: [PATCH 2/4] x86/mce: move the mce_panic() call and kill_it
> assignments at the right places
>
> On Wed, Nov 18, 2020 at 03:15:50PM +0000, Gabriele Paoloni wrote:
> > Right now for local MCEs we panic(),if needed, right after lmce is
> > set. For global MCEs mce_reign() takes care of calling mce_panic().
> > Hence this patch:
> > - improves readibility by moving the conditional evaluation of
> > tolerant up to when kill_it is set first
> > - moves the mce_panic() call up into the statement where mce_end()
> > fails
>
> Pls avoid using "this patch does this and that" in the commit message
> but say directly what it does:
>
> - Improve readability ...
>
> - Move mce_panic()...
>
> and so on.
Thanks, I'll fix it in v2
>
> > Signed-off-by: Gabriele Paoloni <[email protected]>
> > Reviewed-by: Tony Luck <[email protected]>
> > ---
> > arch/x86/kernel/cpu/mce/core.c | 21 +++++++++------------
> > 1 file changed, 9 insertions(+), 12 deletions(-)
> >
> > diff --git a/arch/x86/kernel/cpu/mce/core.c
> b/arch/x86/kernel/cpu/mce/core.c
> > index b990892c6766..e025ff04438f 100644
> > --- a/arch/x86/kernel/cpu/mce/core.c
> > +++ b/arch/x86/kernel/cpu/mce/core.c
> > @@ -1350,8 +1350,7 @@ noinstr void do_machine_check(struct pt_regs
> *regs)
> > * severity is MCE_AR_SEVERITY we have other options.
> > */
> > if (!(m.mcgstatus & MCG_STATUS_RIPV))
> > - kill_it = 1;
> > -
> > + kill_it = (cfg->tolerant == 3) ? 0 : 1;
>
> So you just set kill_it using cfg->tolerant...
Well I fist see if RIPV is not set; the I check the tolerance level to see if we need to
kill the user space app...
>
> > /*
> > * Check if this MCE is signaled to only this logical processor,
> > * on Intel, Zhaoxin only.
> > @@ -1384,8 +1383,15 @@ noinstr void do_machine_check(struct pt_regs
> *regs)
> > * When there's any problem use only local no_way_out state.
> > */
> > if (!lmce) {
> > - if (mce_end(order) < 0)
> > + if (mce_end(order) < 0) {
> > no_way_out = no_way_out ? no_way_out : worst >=
> MCE_PANIC_SEVERITY;
> > + /*
> > + * mce_reign() has probably failed hence evaluate if
> we need
> > + * to panic
> > + */
> > + if (no_way_out && mca_cfg.tolerant < 3)
>
> ... but here you're testing cfg->tolerant again.
Yes because the tolerant flag tells me if I need to take action...
>
> why not
>
> if (no_way_out && kill_it)
>
> ?
From my understanding no_way_out and kill_it are different in principles:
no_way_out is telling that an error occurred 'somewhere' in some CPU bank
that requires the system to panic (e.g. PCC=1); kill_it is saying that the execution
cannot be restarted where it left for the local CPU and hence we need to find
an alternative solution as part of the recovery action. In practice it seems to
me that kill_it is used to replace kill_me_maybe with kill_me_now in case
the exception happened in user mode.
So If I where using the statement "if (no_way_out && kill_it)" I would miss
to panic, for example, in cases where no_way_out captured a fatal error
somewhere in other CPUs but RIPV is set for the local CPU...
Thanks
Gab
>
> Thx.
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
---------------------------------------------------------------------
INTEL CORPORATION ITALIA S.p.A. con unico socio
Sede: Milanofiori Palazzo E 4
CAP 20094 Assago (MI)
Capitale Sociale Euro 104.000,00 interamente versato
Partita I.V.A. e Codice Fiscale 04236760155
Repertorio Economico Amministrativo n. 997124
Registro delle Imprese di Milano nr. 183983/5281/33
Soggetta ad attivita' di direzione e coordinamento di
INTEL CORPORATION, USA
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
On Mon, Nov 23, 2020 at 05:06:31PM +0000, Paoloni, Gabriele wrote:
> From my understanding no_way_out and kill_it are different in principles:
> no_way_out is telling that an error occurred 'somewhere' in some CPU bank
> that requires the system to panic (e.g. PCC=1); kill_it is saying that the execution
> cannot be restarted where it left for the local CPU and hence we need to find
> an alternative solution as part of the recovery action. In practice it seems to
> me that kill_it is used to replace kill_me_maybe with kill_me_now in case
> the exception happened in user mode.
Bah, I got confused, sorry about that - you're right.
Btw, that kill_it should probably be called "kill_current_task" or so to
make it more clear.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette
> -----Original Message-----
> From: Borislav Petkov <[email protected]>
> Sent: Monday, November 23, 2020 6:19 PM
> To: Paoloni, Gabriele <[email protected]>
> Cc: Luck, Tony <[email protected]>; [email protected];
> [email protected]; [email protected]; [email protected]; linux-
> [email protected]; [email protected]; linux-
> [email protected]
> Subject: Re: [PATCH 2/4] x86/mce: move the mce_panic() call and kill_it
> assignments at the right places
>
> On Mon, Nov 23, 2020 at 05:06:31PM +0000, Paoloni, Gabriele wrote:
> > From my understanding no_way_out and kill_it are different in principles:
> > no_way_out is telling that an error occurred 'somewhere' in some CPU
> bank
> > that requires the system to panic (e.g. PCC=1); kill_it is saying that the
> execution
> > cannot be restarted where it left for the local CPU and hence we need to
> find
> > an alternative solution as part of the recovery action. In practice it seems to
> > me that kill_it is used to replace kill_me_maybe with kill_me_now in case
> > the exception happened in user mode.
>
> Bah, I got confused, sorry about that - you're right.
Well it is not the easiest code to decode ????
>
> Btw, that kill_it should probably be called "kill_current_task" or so to
> make it more clear.
Sure I can add another patch to the set to rename it.
Gab
>
> Thx.
>
> --
> Regards/Gruss,
> Boris.
>
> https://people.kernel.org/tglx/notes-about-netiquette
---------------------------------------------------------------------
INTEL CORPORATION ITALIA S.p.A. con unico socio
Sede: Milanofiori Palazzo E 4
CAP 20094 Assago (MI)
Capitale Sociale Euro 104.000,00 interamente versato
Partita I.V.A. e Codice Fiscale 04236760155
Repertorio Economico Amministrativo n. 997124
Registro delle Imprese di Milano nr. 183983/5281/33
Soggetta ad attivita' di direzione e coordinamento di
INTEL CORPORATION, USA
This e-mail and any attachments may contain confidential material for
the sole use of the intended recipient(s). Any review or distribution
by others is strictly prohibited. If you are not the intended
recipient, please contact the sender and delete all copies.
On Mon, Nov 23, 2020 at 05:40:21PM +0000, Paoloni, Gabriele wrote:
> Well it is not the easiest code to decode ????
Tell me about it - that's decades worth of crap being piled ontop. :-)
> Sure I can add another patch to the set to rename it.
Yeah, only if you really want to - that was more a note-to-self to take
care of it eventually.
Thx.
--
Regards/Gruss,
Boris.
https://people.kernel.org/tglx/notes-about-netiquette