Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp955127iob; Fri, 13 May 2022 17:36:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxSvnQJPj3D0Un7e5yxrk/ru0BiAtZj7+riB68+GC/dIgviC4uxAgSw1mwmmCpJ+fLs+PjO X-Received: by 2002:adf:ed01:0:b0:20c:c137:aaeb with SMTP id a1-20020adfed01000000b0020cc137aaebmr5898243wro.638.1652488610330; Fri, 13 May 2022 17:36:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652488610; cv=none; d=google.com; s=arc-20160816; b=KBU+HDTvAW+BjhZfoAPTlZuXcyDu+8iQvgXuWI56elTobWhUK5iiXSjgLgqRv8zuIy ldnoOpEmFMicvIg7bgnAdrIC2lHnMcqrClvUaoMI4Qbx2ZFVgi5OR54G3TAZici934Vd awJjINXCvuvL2XZ5yII9n/TyHfJSHwE5h1xErqJ+mbOHE0NkCgBmtCG3WIbo8v566d74 How0UkHrQ1ZB4+Y++eKkJ9IPRNIbX0oztk9Tw+EaNQObA5r0ucvBFFkbKWbQdkIdoYhY R+UKzsSuXm2/C6ZbJqsZTGJqq99pzWzQMpbfWUQp+x6Aszouj2NMOkns8EH54VuTQQ3D Zxrw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=rlYrdWlQV+W7F/v+3smgZcvJcsP4OxIjbYasN29Dtw8=; b=L39H/tdJqlq+rsl8blwA5E39yotntFsLi8iVbD5P4Tg/uB+iY5p7NQTkr3Zz45Htuy CxvXRsqRQhd5LxI4xr2DMBtbU3rpdZGyA6Rcb0skcEEle04qZ1MjJhEgCnwDLGVZiHoG i/481QcDULUW9kc4WYyasZbreiivTmfU9iJ2q4eF2W3yF6lqXoB5T3narIE7e1oTLyK2 nxTl0R86IoBBIrQ/lZgNee1mhC7uq3L1hs7GzDw/8ZJFUTf9v4/Bq2Q58Edhj96WS8UV 42S9kLtPuWMpfegROATM34gM5PAT9atUnbySWXIDUrKxpuyyKHeo91AkdP9Tr6isX9U5 jDkw== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id m9-20020a056000180900b0020ae6e847casi3569468wrh.150.2022.05.13.17.36.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 May 2022 17:36:50 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 47D7933B276; Fri, 13 May 2022 16:27:23 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1381216AbiEMP02 (ORCPT + 99 others); Fri, 13 May 2022 11:26:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53142 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233504AbiEMP0X (ORCPT ); Fri, 13 May 2022 11:26:23 -0400 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 6807215803 for ; Fri, 13 May 2022 08:26:22 -0700 (PDT) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 0AB9A113E; Fri, 13 May 2022 08:26:22 -0700 (PDT) Received: from lakrids (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 3D19A3F73D; Fri, 13 May 2022 08:26:19 -0700 (PDT) Date: Fri, 13 May 2022 16:26:16 +0100 From: Mark Rutland To: Tong Tiangen Cc: James Morse , Andrew Morton , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Robin Murphy , Dave Hansen , Catalin Marinas , Will Deacon , Alexander Viro , Michael Ellerman , Benjamin Herrenschmidt , Paul Mackerras , x86@kernel.org, "H . Peter Anvin" , linuxppc-dev@lists.ozlabs.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Kefeng Wang , Xie XiuQi , Guohanjun Subject: Re: [PATCH -next v4 3/7] arm64: add support for machine check error safe Message-ID: References: <20220420030418.3189040-1-tongtiangen@huawei.com> <20220420030418.3189040-4-tongtiangen@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220420030418.3189040-4-tongtiangen@huawei.com> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 20, 2022 at 03:04:14AM +0000, Tong Tiangen wrote: > During the processing of arm64 kernel hardware memory errors(do_sea()), if > the errors is consumed in the kernel, the current processing is panic. > However, it is not optimal. > > Take uaccess for example, if the uaccess operation fails due to memory > error, only the user process will be affected, kill the user process > and isolate the user page with hardware memory errors is a better choice. Conceptually, I'm fine with the idea of constraining what we do for a true uaccess, but I don't like the implementation of this at all, and I think we first need to clean up the arm64 extable usage to clearly distinguish a uaccess from another access. > This patch only enable machine error check framework, it add exception > fixup before kernel panic in do_sea() and only limit the consumption of > hardware memory errors in kernel mode triggered by user mode processes. > If fixup successful, panic can be avoided. > > Consistent with PPC/x86, it is implemented by CONFIG_ARCH_HAS_COPY_MC. > > Also add copy_mc_to_user() in include/linux/uaccess.h, this helper is > called when CONFIG_ARCH_HAS_COPOY_MC is open. > > Signed-off-by: Tong Tiangen > --- > arch/arm64/Kconfig | 1 + > arch/arm64/include/asm/extable.h | 1 + > arch/arm64/mm/extable.c | 17 +++++++++++++++++ > arch/arm64/mm/fault.c | 27 ++++++++++++++++++++++++++- > include/linux/uaccess.h | 9 +++++++++ > 5 files changed, 54 insertions(+), 1 deletion(-) > > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index d9325dd95eba..012e38309955 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -19,6 +19,7 @@ config ARM64 > select ARCH_ENABLE_SPLIT_PMD_PTLOCK if PGTABLE_LEVELS > 2 > select ARCH_ENABLE_THP_MIGRATION if TRANSPARENT_HUGEPAGE > select ARCH_HAS_CACHE_LINE_SIZE > + select ARCH_HAS_COPY_MC if ACPI_APEI_GHES > select ARCH_HAS_CURRENT_STACK_POINTER > select ARCH_HAS_DEBUG_VIRTUAL > select ARCH_HAS_DEBUG_VM_PGTABLE > diff --git a/arch/arm64/include/asm/extable.h b/arch/arm64/include/asm/extable.h > index 72b0e71cc3de..f80ebd0addfd 100644 > --- a/arch/arm64/include/asm/extable.h > +++ b/arch/arm64/include/asm/extable.h > @@ -46,4 +46,5 @@ bool ex_handler_bpf(const struct exception_table_entry *ex, > #endif /* !CONFIG_BPF_JIT */ > > bool fixup_exception(struct pt_regs *regs); > +bool fixup_exception_mc(struct pt_regs *regs); > #endif > diff --git a/arch/arm64/mm/extable.c b/arch/arm64/mm/extable.c > index 489455309695..4f0083a550d4 100644 > --- a/arch/arm64/mm/extable.c > +++ b/arch/arm64/mm/extable.c > @@ -9,6 +9,7 @@ > > #include > #include > +#include > > static inline unsigned long > get_ex_fixup(const struct exception_table_entry *ex) > @@ -84,3 +85,19 @@ bool fixup_exception(struct pt_regs *regs) > > BUG(); > } > + > +bool fixup_exception_mc(struct pt_regs *regs) > +{ > + const struct exception_table_entry *ex; > + > + ex = search_exception_tables(instruction_pointer(regs)); > + if (!ex) > + return false; > + > + /* > + * This is not complete, More Machine check safe extable type can > + * be processed here. > + */ > + > + return false; > +} This is at best misnamed; It doesn't actually apply the fixup, it just searches for one. > diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c > index 77341b160aca..a9e6fb1999d1 100644 > --- a/arch/arm64/mm/fault.c > +++ b/arch/arm64/mm/fault.c > @@ -695,6 +695,29 @@ static int do_bad(unsigned long far, unsigned int esr, struct pt_regs *regs) > return 1; /* "fault" */ > } > > +static bool arm64_do_kernel_sea(unsigned long addr, unsigned int esr, > + struct pt_regs *regs, int sig, int code) > +{ > + if (!IS_ENABLED(CONFIG_ARCH_HAS_COPY_MC)) > + return false; > + > + if (user_mode(regs) || !current->mm) > + return false; > + > + if (apei_claim_sea(regs) < 0) > + return false; > + > + if (!fixup_exception_mc(regs)) > + return false; > + > + set_thread_esr(0, esr); > + > + arm64_force_sig_fault(sig, code, addr, > + "Uncorrected hardware memory error in kernel-access\n"); > + > + return true; > +} > + > static int do_sea(unsigned long far, unsigned int esr, struct pt_regs *regs) > { > const struct fault_info *inf; > @@ -720,7 +743,9 @@ static int do_sea(unsigned long far, unsigned int esr, struct pt_regs *regs) > */ > siaddr = untagged_addr(far); > } > - arm64_notify_die(inf->name, regs, inf->sig, inf->code, siaddr, esr); > + > + if (!arm64_do_kernel_sea(siaddr, esr, regs, inf->sig, inf->code)) > + arm64_notify_die(inf->name, regs, inf->sig, inf->code, siaddr, esr); > > return 0; > } > diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h > index 546179418ffa..884661b29c17 100644 > --- a/include/linux/uaccess.h > +++ b/include/linux/uaccess.h > @@ -174,6 +174,15 @@ copy_mc_to_kernel(void *dst, const void *src, size_t cnt) > } > #endif > > +#ifndef copy_mc_to_user > +static inline unsigned long __must_check > +copy_mc_to_user(void *dst, const void *src, size_t cnt) > +{ > + check_object_size(src, cnt, true); > + return raw_copy_to_user(dst, src, cnt); > +} > +#endif Why do we need a special copy_mc_to_user() ? Why are we not making *every* true uaccess recoverable? That way the regular copy_to_user() would just work. Thanks, Mark.