Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp98186ybf; Wed, 26 Feb 2020 09:29:21 -0800 (PST) X-Google-Smtp-Source: APXvYqyX7IlJ40uknu7UAE/KrsOmH0FkO7KVwB8Ydan0uV+U289f4z+IAc/jl0wTTxvoEWjwPO0p X-Received: by 2002:aca:4587:: with SMTP id s129mr66377oia.124.1582738160790; Wed, 26 Feb 2020 09:29:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1582738160; cv=none; d=google.com; s=arc-20160816; b=FLi6gupfrtDZMxxNVZHEukmbMm9aufOJ5DfK342oOxmy7BdhR61Ik9kzGzygLjkhbJ yJcetI/jBWuv8GIrp5ouTxnus1A1n0yKrKNFqjqoiGtDBuyOzCmK5NsiOhwE461d1uwU 4y+twB75VPcV6pHT4iN6HjSpv9yMRysY0BnKjTJutV9MTKc32jGmWSzEK9sp5Jvn0n9w 2PmYS2o5P6KmMiB+QXe87FoxGlnTbWYcA9uJ3kUg746YFwmOBMvjYiTviYomwPwkvqqa 9XVhBunRC5CxVwLYaD3uSoIYaFlY2KozxISfYqQw7yhk+suTJxjf/dahfDShNiuOKfmg v9uA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:in-reply-to:cc:references:message-id :date:subject:mime-version:from:content-transfer-encoding :dkim-signature; bh=TYxMlchDsWTzAQqGtuUFORye8gi+lk3xkZ5bdDiqvoM=; b=wsi8+duHh0ysR5C9SzRzOrywnJceNv8mJohI0uUOs/AdXqqj6HelDuQGvofionylJf wrHlGhRDcAb2IWaav6OukD+DQ9PMl6+Q9S8YeRyOPPj8csTQN2aHGFsJ1nx3wh3VYEBK gmHNJ5lkyu+/1z8Feyk198nmSrGrh78mQEpFl6sc7L9EeckJZOovM+LSuJG0yXa3ncbh uytIa/y5OQrETh154iNp3APoWi6jUTjd9W2U0ePGllv0IP+MrmG1JFL1XABsz5x/qXpM uJ6jtWeAfasV4/JXvBAYpmC6f7fO7suUtEPVY1dtUo9Tkc7yvijoDL1J/mPOcePCSmSj 03MA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=Z4CoA9hn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t1si108940otq.148.2020.02.26.09.29.07; Wed, 26 Feb 2020 09:29:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=Z4CoA9hn; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726876AbgBZR24 (ORCPT + 99 others); Wed, 26 Feb 2020 12:28:56 -0500 Received: from mail-pl1-f196.google.com ([209.85.214.196]:39858 "EHLO mail-pl1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726579AbgBZR24 (ORCPT ); Wed, 26 Feb 2020 12:28:56 -0500 Received: by mail-pl1-f196.google.com with SMTP id g6so1548929plp.6 for ; Wed, 26 Feb 2020 09:28:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amacapital-net.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=TYxMlchDsWTzAQqGtuUFORye8gi+lk3xkZ5bdDiqvoM=; b=Z4CoA9hnh8L+jurDjpxZJ+BydF+KwYOVQwMeI1DYu2jiEeFQKzTv4rvpSxQOPsx3Hr hEgibzcYv/CTe8u3rlY8ggjlctUSPs2FAnPLGOcImY3cSv6QNY3/rY6wj3O7ZYb2ULMd WL9SwrA2LrIVm++UwaLrlDXT1utPVNHpUPgyd+xHu9mhJ4EPT30ufg0NtuY2JIZIw892 BWLpr5FuVa9qYUhTML2MiRvz/Jdgsb6mS49BdPo6ZO7hlAS3d/NG/Z9Cbgmr5VjLgOze jajQnvkZzEhYpUGq5RUTYk0DUdThV7uP3Fr1kNUd1uuGhuaJbcmCFQZ36POgCJRF5F/f gwVw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=TYxMlchDsWTzAQqGtuUFORye8gi+lk3xkZ5bdDiqvoM=; b=mqWPqlfud52eMXYiYSRsqikJ9Nh2u9UuuJyM/ejDJQyvgZHkkRlJOY+99QMBivJZvv kr8WMwE3DWJU9YT1yTAwPHeWTZTBq2Wof050iLj+AqsAc4IrFVtWL7ZgtRnH4NATDE7o 66mpS400PMKuu30qS70bbkMLOyiHvDsNyhqbqpLlymGWNIX+AJJjx8t/NRbnoMDA/HTF 35oD/9UI8o8dxe9t0kpDKmBVJXaMzKm6xQ81iBeA9669X/vZY4NfWsAkBMu9eBbSGVUC 0FcU+SLD/ErmSFx1P0iIYBf6yjKvkjwESZ8cfqxp9NAQ2zC3GCy0KLIQGnqOe9OghFKJ ENfw== X-Gm-Message-State: APjAAAWesSoLYbG0e2GPx1up3KM0HScDeu4lMRojxKcOv26lfZbFFyQE qq/Rhq4ovk5y9LS7RebC6gG8Sw== X-Received: by 2002:a17:90a:da03:: with SMTP id e3mr142130pjv.57.1582738133792; Wed, 26 Feb 2020 09:28:53 -0800 (PST) Received: from ?IPv6:2601:646:c200:1ef2:55da:f727:3bee:8a? ([2601:646:c200:1ef2:55da:f727:3bee:8a]) by smtp.gmail.com with ESMTPSA id g24sm3775110pfk.92.2020.02.26.09.28.52 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 26 Feb 2020 09:28:53 -0800 (PST) Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable From: Andy Lutomirski Mime-Version: 1.0 (1.0) Subject: Re: [patch 02/10] x86/mce: Disable tracing and kprobes on do_machine_check() Date: Wed, 26 Feb 2020 09:28:51 -0800 Message-Id: References: <20200226160818.GY18400@hirez.programming.kicks-ass.net> Cc: Andy Lutomirski , Frederic Weisbecker , Thomas Gleixner , LKML , X86 ML , Steven Rostedt , Brian Gerst , Juergen Gross , Paolo Bonzini , Arnd Bergmann In-Reply-To: <20200226160818.GY18400@hirez.programming.kicks-ass.net> To: Peter Zijlstra X-Mailer: iPhone Mail (17D50) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Feb 26, 2020, at 8:08 AM, Peter Zijlstra wrote: >=20 > =EF=BB=BFOn Wed, Feb 26, 2020 at 07:10:01AM -0800, Andy Lutomirski wrote: >>> On Wed, Feb 26, 2020 at 5:28 AM Peter Zijlstra wr= ote: >>>> On Tue, Feb 25, 2020 at 09:29:00PM -0800, Andy Lutomirski wrote: >>>=20 >>>>>> +void notrace do_machine_check(struct pt_regs *regs, long error_code)= >>>>>> { >>>>>> DECLARE_BITMAP(valid_banks, MAX_NR_BANKS); >>>>>> DECLARE_BITMAP(toclear, MAX_NR_BANKS); >>>>>> @@ -1360,6 +1366,7 @@ void do_machine_check(struct pt_regs *re >>>>>> ist_exit(regs); >>>>>> } >>>>>> EXPORT_SYMBOL_GPL(do_machine_check); >>>>>> +NOKPROBE_SYMBOL(do_machine_check); >>>>>=20 >>>>> That won't protect all the function called by do_machine_check(), righ= t? >>>>> There are lots of them. >>>>>=20 >>>>=20 >>>> It at least means we can survive to run actual C code in >>>> do_machine_check(), which lets us try to mitigate this issue further. >>>> PeterZ has patches for that, and maybe this series fixes it later on. >>>> (I'm reading in order!) >>>=20 >>> Yeah, I don't cover that either. Making the kernel completely kprobe >>> safe is _lots_ more work I think. >>>=20 >>> We really need some form of automation for this :/ The current situation= >>> is completely nonsatisfactory. >>=20 >> I've looked at too many patches lately and lost track a bit of which >> is which. Shouldn't a simple tracing_disable() or similar in >> do_machine_check() be sufficient? >=20 > It entirely depends on what the goal is :-/ On the one hand I see why > people might want function tracing / kprobes enabled, OTOH it's all > mighty frigging scary. Any tracing/probing/whatever on an MCE has the > potential to make a bad situation worse -- not unlike the same on #DF. >=20 > The same with that compiler instrumentation crap; allowing kprobes on > *SAN code has the potential to inject probes in arbitrary random code. > At the same time, if you're running a kernel with that on and injecting > kprobes in it, you're welcome to own the remaining pieces. >=20 Agreed. > How far do we want to go? At some point I think we'll have to give > people rope, show then the knot and leave them be. If someone puts a kprobe on some TLB flush thing and an MCE does memory fail= ure handling, it would be polite to avoid crashing. OTOH the x86 memory fai= lure story is *so* bad that I=E2=80=99m not sure how well we can ever really= expect this to work. I think we should aim to get the entry part correct, and if the meat of the f= unction explodes, so be it. >=20 >> We'd maybe want automation to check >> everything before it. We still need to survive hitting a kprobe int3, >> but that shouldn't have recursion issues. >=20 > Right, so I think avoiding the obvious recursion issues is a more > tractable problem and yes some 'safe' spot annotation should be enough > to get automation working for that -- mostly.