All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andy Lutomirski <luto@amacapital.net>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>,
	Frederic Weisbecker <frederic@kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
	Steven Rostedt <rostedt@goodmis.org>,
	Brian Gerst <brgerst@gmail.com>, Juergen Gross <JGross@suse.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Arnd Bergmann <arnd@arndb.de>
Subject: Re: [patch 02/10] x86/mce: Disable tracing and kprobes on do_machine_check()
Date: Wed, 26 Feb 2020 09:28:51 -0800	[thread overview]
Message-ID: <C06C32B4-BD69-4287-BC67-C3E225061A46@amacapital.net> (raw)
In-Reply-To: <20200226160818.GY18400@hirez.programming.kicks-ass.net>



> On Feb 26, 2020, at 8:08 AM, Peter Zijlstra <peterz@infradead.org> wrote:
> 
> On Wed, Feb 26, 2020 at 07:10:01AM -0800, Andy Lutomirski wrote:
>>> On Wed, Feb 26, 2020 at 5:28 AM Peter Zijlstra <peterz@infradead.org> wrote:
>>>> On Tue, Feb 25, 2020 at 09:29:00PM -0800, Andy Lutomirski wrote:
>>> 
>>>>>> +void notrace do_machine_check(struct pt_regs *regs, long error_code)
>>>>>> {
>>>>>>   DECLARE_BITMAP(valid_banks, MAX_NR_BANKS);
>>>>>>   DECLARE_BITMAP(toclear, MAX_NR_BANKS);
>>>>>> @@ -1360,6 +1366,7 @@ void do_machine_check(struct pt_regs *re
>>>>>>   ist_exit(regs);
>>>>>> }
>>>>>> EXPORT_SYMBOL_GPL(do_machine_check);
>>>>>> +NOKPROBE_SYMBOL(do_machine_check);
>>>>> 
>>>>> That won't protect all the function called by do_machine_check(), right?
>>>>> There are lots of them.
>>>>> 
>>>> 
>>>> It at least means we can survive to run actual C code in
>>>> do_machine_check(), which lets us try to mitigate this issue further.
>>>> PeterZ has patches for that, and maybe this series fixes it later on.
>>>> (I'm reading in order!)
>>> 
>>> Yeah, I don't cover that either. Making the kernel completely kprobe
>>> safe is _lots_ more work I think.
>>> 
>>> We really need some form of automation for this :/ The current situation
>>> is completely nonsatisfactory.
>> 
>> I've looked at too many patches lately and lost track a bit of which
>> is which.  Shouldn't a simple tracing_disable() or similar in
>> do_machine_check() be sufficient?
> 
> It entirely depends on what the goal is :-/ On the one hand I see why
> people might want function tracing / kprobes enabled, OTOH it's all
> mighty frigging scary. Any tracing/probing/whatever on an MCE has the
> potential to make a bad situation worse -- not unlike the same on #DF.
> 
> The same with that compiler instrumentation crap; allowing kprobes on
> *SAN code has the potential to inject probes in arbitrary random code.
> At the same time, if you're running a kernel with that on and injecting
> kprobes in it, you're welcome to own the remaining pieces.
> 

Agreed.

> How far do we want to go? At some point I think we'll have to give
> people rope, show then the knot and leave them be.

If someone puts a kprobe on some TLB flush thing and an MCE does memory failure handling, it would be polite to avoid crashing.  OTOH the x86 memory failure story is *so* bad that I’m not sure how well we can ever really expect this to work.

I think we should aim to get the entry part correct, and if the meat of the function explodes, so be it.

> 
>> We'd maybe want automation to check
>> everything before it.  We still need to survive hitting a kprobe int3,
>> but that shouldn't have recursion issues.
> 
> Right, so I think avoiding the obvious recursion issues is a more
> tractable problem and yes some 'safe' spot annotation should be enough
> to get automation working for that -- mostly.

  reply	other threads:[~2020-02-26 17:28 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-25 21:36 [patch 00/10] x86/entry: Consolidation - Part I Thomas Gleixner
2020-02-25 21:36 ` [patch 01/10] x86/entry/32: Add missing ASM_CLAC to general_protection entry Thomas Gleixner
2020-02-26  1:00   ` Frederic Weisbecker
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 02/10] x86/mce: Disable tracing and kprobes on do_machine_check() Thomas Gleixner
2020-02-26  1:13   ` Frederic Weisbecker
2020-02-26  5:29     ` Andy Lutomirski
2020-02-26 13:28       ` Peter Zijlstra
2020-02-26 15:10         ` Andy Lutomirski
2020-02-26 16:08           ` Peter Zijlstra
2020-02-26 17:28             ` Andy Lutomirski [this message]
2020-02-26 18:42               ` Borislav Petkov
2020-02-26 18:59                 ` Peter Zijlstra
2020-02-26 19:09                   ` Andy Lutomirski
2020-02-26 20:59                     ` Steven Rostedt
2020-02-26 11:18   ` Borislav Petkov
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Andy Lutomirski
2020-02-25 21:36 ` [patch 03/10] x86/entry/32: Force MCE through do_mce() Thomas Gleixner
2020-02-26  1:11   ` Frederic Weisbecker
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 04/10] x86/traps: Remove pointless irq enable from do_spurious_interrupt_bug() Thomas Gleixner
2020-02-26  1:19   ` Frederic Weisbecker
2020-02-25 21:36 ` [patch 05/10] x86/traps: Document do_spurious_interrupt_bug() Thomas Gleixner
2020-02-26 17:08   ` Frederic Weisbecker
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 06/10] x86/traps: Remove redundant declaration of do_double_fault() Thomas Gleixner
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 07/10] x86/irq: Remove useless return value from do_IRQ() Thomas Gleixner
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 08/10] x86/entry/32: Remove the 0/-1 distinction from exception entries Thomas Gleixner
2020-02-26  5:34   ` Andy Lutomirski
2020-02-26 18:42     ` Thomas Gleixner
2020-02-26 18:57       ` Andy Lutomirski
2020-02-26 19:15         ` Thomas Gleixner
2020-02-27 14:24           ` [patch V2 " Thomas Gleixner
2020-02-29 11:49             ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 09/10] x86/entry/entry_32: Route int3 through common_exception Thomas Gleixner
2020-02-26 17:35   ` Frederic Weisbecker
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-25 21:36 ` [patch 10/10] x86/traps: Stop using ist_enter/exit() in do_int3() Thomas Gleixner
2020-02-27 14:15   ` [tip: x86/entry] " tip-bot2 for Thomas Gleixner
2020-02-27 14:33   ` tip-bot2 for Andy Lutomirski
2020-02-26  5:26 ` [patch 00/10] x86/entry: Consolidation - Part I Andy Lutomirski
2020-02-26  5:35 ` Andy Lutomirski
2020-02-27 11:01 ` Alexandre Chartre

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=C06C32B4-BD69-4287-BC67-C3E225061A46@amacapital.net \
    --to=luto@amacapital.net \
    --cc=JGross@suse.com \
    --cc=arnd@arndb.de \
    --cc=brgerst@gmail.com \
    --cc=frederic@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=peterz@infradead.org \
    --cc=rostedt@goodmis.org \
    --cc=tglx@linutronix.de \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.