Received: by 2002:a05:6a10:144:0:0:0:0 with SMTP id 4csp199329pxw; Fri, 8 Apr 2022 05:23:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz9dYFsvG7cn1aF2MT9KijxlzcOWybdVmR6Zv5uEC53YlPT57S9v1XGhkfb0SQ7XmCv44m/ X-Received: by 2002:a05:6a00:2312:b0:505:6560:b5d3 with SMTP id h18-20020a056a00231200b005056560b5d3mr8935681pfh.11.1649420592826; Fri, 08 Apr 2022 05:23:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649420592; cv=none; d=google.com; s=arc-20160816; b=tsjK3/Bm0nyonw4ookNBh49UqeeSKGSsDqiS/Va85+PPbot1SHKizwatx/ejQ4EYyz zLjcRgDlLM0nsQlNYQc4OLlm1KpE9aMst4uvhBz5c7WRL3+CVyMtanVClpETv+FIC8dC p2HoWQAPKd4bIobWXdkqa4Xm59ybZP+QCMxAtqFZQAiSQ9PH1GxT4Jb2vVcaFMO2uo55 xwkht/XWI5VbbrROnG6KTX+3xYse93XV6nuS99KEGzN9Bu0v5qLkwfFPPz51q0uSpzth v6uyzldU9YHeSIbhCD1MQ/9jXlLsaqQ3ji+kun+d2Z6VFS7sOoxCmOM6ztmGd+JYucc8 VmJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=Hcs1NPgUCxGkhJEK730mzwILDuKIzwq0jvPqFXeiRhQ=; b=tSoL6TKfTE95ogfPoZEM9zIiwqYhDf5tFKmaDZjEA8pWB96xxH5U60SdWJfk1wyo13 X+yCVz6Jbc8jn8GHZFlCYM4JuRrfsaZZeWRoij+sacjy0q3ZzautmnCpvpFiDkLYcsVK +/V1/hmTX0CUoBKYYTzC/IF4nZq0WeBi9GwIIb/Yg41bzijD8MPYVGixEJ3peO+I8OwK m8lYOLTH0r6gJ6ltI0jf+zTE+OjrQWVb/4HwBigaEL9yFG9nkgZYeLz9WtL0A+LQS2h0 YdWlydGQAqynOwmxtSXTau7Uy0NHOtSG5qjyPqaHdXL9CzoQDlcB6B7EflCpNicl+wG1 xgJA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h1-20020a056a001a4100b004fa3a8e0062si953732pfv.281.2022.04.08.05.22.59; Fri, 08 Apr 2022 05:23:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231462AbiDHLNU (ORCPT + 99 others); Fri, 8 Apr 2022 07:13:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36046 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229688AbiDHLNT (ORCPT ); Fri, 8 Apr 2022 07:13:19 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 3CA66AAB56 for ; Fri, 8 Apr 2022 04:11:15 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B9AED11FB; Fri, 8 Apr 2022 04:11:14 -0700 (PDT) Received: from [10.57.41.19] (unknown [10.57.41.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 00B843F73B; Fri, 8 Apr 2022 04:11:11 -0700 (PDT) Message-ID: Date: Fri, 8 Apr 2022 12:11:06 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [RFC PATCH -next V2 7/7] arm64: add pagecache reading to machine check safe Content-Language: en-GB To: Tong Tiangen , Mark Rutland , james.morse@arm.com Cc: Andrew Morton , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , Catalin Marinas , Will Deacon , Alexander Viro , x86@kernel.org, "H. Peter Anvin" , linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Kefeng Wang References: <20220406091311.3354723-1-tongtiangen@huawei.com> <20220406091311.3354723-8-tongtiangen@huawei.com> From: Robin Murphy In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-9.7 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-04-08 03:43, Tong Tiangen wrote: > > > 在 2022/4/7 23:53, Robin Murphy 写道: >> On 2022-04-07 15:56, Tong Tiangen wrote: >>> >>> >>> 在 2022/4/6 19:27, Mark Rutland 写道: >>>> On Wed, Apr 06, 2022 at 09:13:11AM +0000, Tong Tiangen wrote: >>>>> When user process reading file, the data is cached in pagecache and >>>>> the data belongs to the user process, When machine check error is >>>>> encountered during pagecache reading, killing the user process and >>>>> isolate the user page with hardware memory errors is a more reasonable >>>>> choice than kernel panic. >>>>> >>>>> The __arch_copy_mc_to_user() in copy_to_user_mc.S is largely borrows >>>>> from __arch_copy_to_user() in copy_to_user.S and the main difference >>>>> is __arch_copy_mc_to_user() add the extable entry to support machine >>>>> check safe. >>>> >>>> As with prior patches, *why* is the distinction necessary? >>>> >>>> This patch adds a bunch of conditional logic, but *structurally* it >>>> doesn't >>>> alter the handling to be substantially different for the MC and >>>> non-MC cases. >>>> >>>> This seems like pointless duplication that just makes it harder to >>>> maintain >>>> this code. >>>> >>>> Thanks, >>>> Mark. >>> >>> Agreed, The implementation here looks a little ugly and harder to >>> maintain. >>> >>> The purpose of my doing this is not all copy_to_user can be recovered. >>> >>> A memory error is consumed when reading pagecache using copy_to_user. >>> I think in this scenario, only the process is affected because it >>> can't read >>> pagecache data correctly. Just kill the process and don't need the whole >>> kernel panic. >>> >>> So I need two different copy_to_user implementation, one is existing >>> __arch_copy_to_user, >>> this function will panic when consuming memory errors. The other one >>> is this new helper >>> __arch_copy_mc_to_user, this interface is used when reading >>> pagecache. It can recover from >>> consume memory error. >> >> OK, but do we really need two almost-identical implementations of >> every function where the only difference is how the exception table >> entries are annotated? Could the exception handler itself just figure >> out who owns the page where the fault occurred and decide what action >> to take as appropriate? >> >> Robin. >> > > Thank you, Robin. > > I added this call path in this patchset: do_sea() -> fixup_exception(), > the purpose is to provide a chance for sea fault to fixup (refer patch > 3/7). > > If fixup successful, panic can be avoided. Otherwise, panic can be > eliminated according to the original logic. > > fixup_exception() will set regs->pc and jump to regs->pc when the > context recovery of an exception occurs. > > If mc-safe-fixup added to  __arch_copy_to_user(),  in *non pagecache > reading* scenario encount memory error when call __arch_copy_to_user() , > do_sea() -> fixup_exception() will not return fail and will miss the > panic logic in do_sea(). > > So I add new helper __arch_copy_mc_to_user()  and add mc-safe-fixup to > this helper, which can be used in the required scenarios. At present, > there is only one pagecache reading scenario, other scenarios need to be > developed. > > This is my current confusion. Of course, I will think about the solution > to  solve the duplicate code problem. Right, but if the point is that faults in pagecahe pages are special, surely __do_kernel_fault() could ultimately figure out from the address whether that's the case or not? In general, if the principle is that whether a fault is recoverable or not depends on what was being accessed, then to me it seems fundamentally more robust to base that decision on details of the fault that actually occurred, rather than what the caller thought it was supposed to be doing at the time. Thanks, Robin.