All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andy Lutomirski <luto@amacapital.net>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>,
	Frederic Weisbecker <frederic@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
	Steven Rostedt <rostedt@goodmis.org>,
	Brian Gerst <brgerst@gmail.com>, Juergen Gross <JGross@suse.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Arnd Bergmann <arnd@arndb.de>
Subject: Re: [patch 02/10] x86/mce: Disable tracing and kprobes on do_machine_check()
Date: Wed, 26 Feb 2020 09:28:51 -0800	[thread overview]
Message-ID: <C06C32B4-BD69-4287-BC67-C3E225061A46@amacapital.net> (raw)
In-Reply-To: <20200226160818.GY18400@hirez.programming.kicks-ass.net>



> On Feb 26, 2020, at 8:08 AM, Peter Zijlstra <peterz@infradead.org> wrote:
> 
> On Wed, Feb 26, 2020 at 07:10:01AM -0800, Andy Lutomirski wrote:
>>> On Wed, Feb 26, 2020 at 5:28 AM Peter Zijlstra <peterz@infradead.org> wrote:
>>>> On Tue, Feb 25, 2020 at 09:29:00PM -0800, Andy Lutomirski wrote:
>>> 
>>>>>> +void notrace do_machine_check(struct pt_regs *regs, long error_code)
>>>>>> {
>>>>>>   DECLARE_BITMAP(valid_banks, MAX_NR_BANKS);
>>>>>>   DECLARE_BITMAP(toclear, MAX_NR_BANKS);
>>>>>> @@ -1360,6 +1366,7 @@ void do_machine_check(struct pt_regs *re
>>>>>>   ist_exit(regs);
>>>>>> }
>>>>>> EXPORT_SYMBOL_GPL(do_machine_check);
>>>>>> +NOKPROBE_SYMBOL(do_machine_check);
>>>>> 
>>>>> That won't protect all the function called by do_machine_check(), right?
>>>>> There are lots of them.
>>>>> 
>>>> 
>>>> It at least means we can survive to run actual C code in
>>>> do_machine_check(), which lets us try to mitigate this issue further.
>>>> PeterZ has patches for that, and maybe this series fixes it later on.
>>>> (I'm reading in order!)
>>> 
>>> Yeah, I don't cover that either. Making the kernel completely kprobe
>>> safe is _lots_ more work I think.
>>> 
>>> We really need some form of automation for this :/ The current situation
>>> is completely nonsatisfactory.
>> 
>> I've looked at too many patches lately and lost track a bit of which
>> is which.  Shouldn't a simple tracing_disable() or similar in
>> do_machine_check() be sufficient?
> 
> It entirely depends on what the goal is :-/ On the one hand I see why
> people might want function tracing / kprobes enabled, OTOH it's all
> mighty frigging scary. Any tracing/probing/whatever on an MCE has the
> potential to make a bad situation worse -- not unlike the same on #DF.
> 
> The same with that compiler instrumentation crap; allowing kprobes on
> *SAN code has the potential to inject probes in arbitrary random code.
> At the same time, if you're running a kernel with that on and injecting
> kprobes in it, you're welcome to own the remaining pieces.
> 

Agreed.

> How far do we want to go? At some point I think we'll have to give
> people rope, show then the knot and leave them be.

If someone puts a kprobe on some TLB flush thing and an MCE does memory failure handling, it would be polite to avoid crashing.  OTOH the x86 memory failure story is *so* bad that I’m not sure how well we can ever really expect this to work.

I think we should aim to get the entry part correct, and if the meat of the function explodes, so be it.

> 
>> We'd maybe want automation to check
>> everything before it.  We still need to survive hitting a kprobe int3,
>> but that shouldn't have recursion issues.
> 
> Right, so I think avoiding the obvious recursion issues is a more
> tractable problem and yes some 'safe' spot annotation should be enough
> to get automation working for that -- mostly.

  reply	other threads:[~2020-02-26 17:28 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-25 21:36 [patch 00/10] x86/entry: Consolidation - Part I Thomas Gleixner
2020-02-25 21:36 ` [patch 01/10] x86/entry/32: Add missing ASM_CLAC to general_protection entry Thomas Gleixner
2020-02-26  1:00   ` Frederic Weisbecker
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 02/10] x86/mce: Disable tracing and kprobes on do_machine_check() Thomas Gleixner
2020-02-26  1:13   ` Frederic Weisbecker
2020-02-26  5:29     ` Andy Lutomirski
2020-02-26 13:28       ` Peter Zijlstra
2020-02-26 15:10         ` Andy Lutomirski
2020-02-26 16:08           ` Peter Zijlstra
2020-02-26 17:28             ` Andy Lutomirski [this message]
2020-02-26 18:42               ` Borislav Petkov
2020-02-26 18:59                 ` Peter Zijlstra
2020-02-26 19:09                   ` Andy Lutomirski
2020-02-26 20:59                     ` Steven Rostedt
2020-02-26 11:18   ` Borislav Petkov
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Andy Lutomirski
2020-02-25 21:36 ` [patch 03/10] x86/entry/32: Force MCE through do_mce() Thomas Gleixner
2020-02-26  1:11   ` Frederic Weisbecker
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 04/10] x86/traps: Remove pointless irq enable from do_spurious_interrupt_bug() Thomas Gleixner
2020-02-26  1:19   ` Frederic Weisbecker
2020-02-25 21:36 ` [patch 05/10] x86/traps: Document do_spurious_interrupt_bug() Thomas Gleixner
2020-02-26 17:08   ` Frederic Weisbecker
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 06/10] x86/traps: Remove redundant declaration of do_double_fault() Thomas Gleixner
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 07/10] x86/irq: Remove useless return value from do_IRQ() Thomas Gleixner
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 08/10] x86/entry/32: Remove the 0/-1 distinction from exception entries Thomas Gleixner
2020-02-26  5:34   ` Andy Lutomirski
2020-02-26 18:42     ` Thomas Gleixner
2020-02-26 18:57       ` Andy Lutomirski
2020-02-26 19:15         ` Thomas Gleixner
2020-02-27 14:24           ` [patch V2 " Thomas Gleixner
2020-02-29 11:49             ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 09/10] x86/entry/entry_32: Route int3 through common_exception Thomas Gleixner
2020-02-26 17:35   ` Frederic Weisbecker
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 10/10] x86/traps: Stop using ist_enter/exit() in do_int3() Thomas Gleixner
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-27 14:33   ` tip-bot2 for Andy Lutomirski
2020-02-26  5:26 ` [patch 00/10] x86/entry: Consolidation - Part I Andy Lutomirski
2020-02-26  5:35 ` Andy Lutomirski
2020-02-27 11:01 ` Alexandre Chartre

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=C06C32B4-BD69-4287-BC67-C3E225061A46@amacapital.net \
    --to=luto@amacapital.net \
    --cc=JGross@suse.com \
    --cc=arnd@arndb.de \
    --cc=brgerst@gmail.com \
    --cc=frederic@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=peterz@infradead.org \
    --cc=rostedt@goodmis.org \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    --subject='Re: [patch 02/10] x86/mce: Disable tracing and kprobes on do_machine_check()' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.