Received: by 2002:a05:6a10:87d6:0:0:0:0 with SMTP id g22csp598595pxr; Mon, 11 Apr 2022 02:08:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzX8E+DQqmdg0rReUGEurfjnUg7FxnaebNZhwFgBTldH0Jq2sCMYBWmDaoiN4fAkZBpljMH X-Received: by 2002:aa7:d54e:0:b0:41d:6172:b12 with SMTP id u14-20020aa7d54e000000b0041d61720b12mr12580080edr.390.1649668084701; Mon, 11 Apr 2022 02:08:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649668084; cv=none; d=google.com; s=arc-20160816; b=xHpVsPU9UVT7OVpdZQjnirehthEokUO8ZzsSb2vIHVxWzXusmMbP+tL4R7HIRH8brH jngzh1EplcWIrZNTGcmQACob5nnGs2WTltzu9f2ttnrBEOy2GfEcYUasJr2yuRbbGJwe xUoxaaW5VRaTfUDNqdzl949iFWnoAK20CTymmnaIAuz48pPCi6k6JpmcVq73v/CKH46I 2dUi0/fovrcSbPjxh5/EhFpQ+bDNFvPeASK/0Onf8T/knMTJkGC03o28E67/Bswut6eA p3O0d4E8ZUmIPFOkhqfwx0qAEX9wU0On0QkXdpAT9aCrBJX6e6PPGW+hrNWnuqjNL4/o CfyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=51flGqzSKRI/baYvYaYcP1WjHYs11xFCLb/uZQO1gio=; b=EoPn+NmTUHYxOaXG3kJM2Yl2xbZNO+gWbbfVKAboYT6+hiUge7nBY4lHApvjXuOmMr evS52Y47oDX4RVxYQo+rsX0k8gLCct0ydtkrv0GAXoJOWOTXS0rwq55Ee4ENLCU15xa6 Ydz9occsFKYCSZCloK9u2lV+Fgy6lrHD0CVrf/S+pCcZvIhdf4ROulrYU8FKM9Q3DRCU eBeMNzkJvCytBRJrTPmF4BpcGOtZ19YaafBEbOJMUoZiKnBOf5J5auknXR+0CXN0MpJb L2Zljb8gUwAeAlhTfTwBtOtQs2VESzi2xgODZwZB8Ih/cVmjaR9DcUSePNQPT37kPai9 kW+w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hs3-20020a1709073e8300b006e7f5e5c677si8461667ejc.969.2022.04.11.02.07.39; Mon, 11 Apr 2022 02:08:04 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236370AbiDIJ0p (ORCPT + 99 others); Sat, 9 Apr 2022 05:26:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43754 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229964AbiDIJ0o (ORCPT ); Sat, 9 Apr 2022 05:26:44 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0AFB6338 for ; Sat, 9 Apr 2022 02:24:28 -0700 (PDT) Received: from kwepemi100006.china.huawei.com (unknown [172.30.72.55]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4Kb8lz6ZmhzgY8S; Sat, 9 Apr 2022 17:22:39 +0800 (CST) Received: from kwepemm600017.china.huawei.com (7.193.23.234) by kwepemi100006.china.huawei.com (7.221.188.165) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Sat, 9 Apr 2022 17:24:26 +0800 Received: from [10.174.179.234] (10.174.179.234) by kwepemm600017.china.huawei.com (7.193.23.234) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.21; Sat, 9 Apr 2022 17:24:25 +0800 Message-ID: Date: Sat, 9 Apr 2022 17:24:24 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.6.1 Subject: Re: [RFC PATCH -next V2 7/7] arm64: add pagecache reading to machine check safe To: Robin Murphy , Mark Rutland , CC: Andrew Morton , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , Catalin Marinas , Will Deacon , Alexander Viro , , "H. Peter Anvin" , , , , Kefeng Wang , References: <20220406091311.3354723-1-tongtiangen@huawei.com> <20220406091311.3354723-8-tongtiangen@huawei.com> From: Tong Tiangen In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.179.234] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To kwepemm600017.china.huawei.com (7.193.23.234) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-7.0 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2022/4/8 19:11, Robin Murphy 写道: > On 2022-04-08 03:43, Tong Tiangen wrote: >> >> >> 在 2022/4/7 23:53, Robin Murphy 写道: >>> On 2022-04-07 15:56, Tong Tiangen wrote: >>>> >>>> >>>> 在 2022/4/6 19:27, Mark Rutland 写道: >>>>> On Wed, Apr 06, 2022 at 09:13:11AM +0000, Tong Tiangen wrote: >>>>>> When user process reading file, the data is cached in pagecache and >>>>>> the data belongs to the user process, When machine check error is >>>>>> encountered during pagecache reading, killing the user process and >>>>>> isolate the user page with hardware memory errors is a more >>>>>> reasonable >>>>>> choice than kernel panic. >>>>>> >>>>>> The __arch_copy_mc_to_user() in copy_to_user_mc.S is largely borrows >>>>>> from __arch_copy_to_user() in copy_to_user.S and the main difference >>>>>> is __arch_copy_mc_to_user() add the extable entry to support machine >>>>>> check safe. >>>>> >>>>> As with prior patches, *why* is the distinction necessary? >>>>> >>>>> This patch adds a bunch of conditional logic, but *structurally* it >>>>> doesn't >>>>> alter the handling to be substantially different for the MC and >>>>> non-MC cases. >>>>> >>>>> This seems like pointless duplication that just makes it harder to >>>>> maintain >>>>> this code. >>>>> >>>>> Thanks, >>>>> Mark. >>>> >>>> Agreed, The implementation here looks a little ugly and harder to >>>> maintain. >>>> >>>> The purpose of my doing this is not all copy_to_user can be recovered. >>>> >>>> A memory error is consumed when reading pagecache using copy_to_user. >>>> I think in this scenario, only the process is affected because it >>>> can't read >>>> pagecache data correctly. Just kill the process and don't need the >>>> whole >>>> kernel panic. >>>> >>>> So I need two different copy_to_user implementation, one is existing >>>> __arch_copy_to_user, >>>> this function will panic when consuming memory errors. The other one >>>> is this new helper >>>> __arch_copy_mc_to_user, this interface is used when reading >>>> pagecache. It can recover from >>>> consume memory error. >>> >>> OK, but do we really need two almost-identical implementations of >>> every function where the only difference is how the exception table >>> entries are annotated? Could the exception handler itself just figure >>> out who owns the page where the fault occurred and decide what action >>> to take as appropriate? >>> >>> Robin. >>> >> >> Thank you, Robin. >> >> I added this call path in this patchset: do_sea() -> >> fixup_exception(), the purpose is to provide a chance for sea fault to >> fixup (refer patch 3/7). >> >> If fixup successful, panic can be avoided. Otherwise, panic can be >> eliminated according to the original logic. >> >> fixup_exception() will set regs->pc and jump to regs->pc when the >> context recovery of an exception occurs. >> >> If mc-safe-fixup added to  __arch_copy_to_user(),  in *non pagecache >> reading* scenario encount memory error when call __arch_copy_to_user() >> , do_sea() -> fixup_exception() will not return fail and will miss the >> panic logic in do_sea(). >> >> So I add new helper __arch_copy_mc_to_user()  and add mc-safe-fixup to >> this helper, which can be used in the required scenarios. At present, >> there is only one pagecache reading scenario, other scenarios need to >> be developed. >> >> This is my current confusion. Of course, I will think about the >> solution to  solve the duplicate code problem. > > Right, but if the point is that faults in pagecahe pages are special, > surely __do_kernel_fault() could ultimately figure out from the address > whether that's the case or not? > > In general, if the principle is that whether a fault is recoverable or > not depends on what was being accessed, then to me it seems > fundamentally more robust to base that decision on details of the fault > that actually occurred, rather than what the caller thought it was > supposed to be doing at the time. > > Thanks, > Robin. > . According to Mark's suggestion, all uaccess can be recovered, including copy_to_user(), so there is no need to add new helper __arch_mc_copy_to_user()。 Thanks, Tong.