From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id EDF462033D1B7 for ; Wed, 2 May 2018 09:19:32 -0700 (PDT) Received: from mail-wm0-f51.google.com (mail-wm0-f51.google.com [74.125.82.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6EAD423687 for ; Wed, 2 May 2018 16:19:32 +0000 (UTC) Received: by mail-wm0-f51.google.com with SMTP id w194so1787679wmf.2 for ; Wed, 02 May 2018 09:19:32 -0700 (PDT) MIME-Version: 1.0 References: <152520750404.36522.15462513519590065300.stgit@dwillia2-desk3.amr.corp.intel.com> In-Reply-To: From: Andy Lutomirski Date: Wed, 02 May 2018 16:19:20 +0000 Message-ID: Subject: Re: [PATCH 0/6] use memcpy_mcsafe() for copy_to_iter() List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: linux-nvdimm-bounces@lists.01.org Sender: "Linux-nvdimm" To: Linus Torvalds Cc: Tony Luck , Andrew Morton , linux-nvdimm , Peter Zijlstra , X86 ML , LKML , Ingo Molnar , Borislav Petkov , Al Viro , Thomas Gleixner List-ID: On Tue, May 1, 2018 at 8:34 PM Linus Torvalds wrote: > On Tue, May 1, 2018 at 8:22 PM Dan Williams > wrote: > > All that to say that having a typical RAM page covering poisoned pmem > > would complicate the 'clear badblocks' implementation. > Ugh, ok. > I guess the good news is that your patches aren't so big, and don't really > affect anything else. I pondered this a bit. Doing better might be a big pain in the arse. The interesting case is where ordinary kernel code (memcpy, plain old memory operands, etc) access faulty pmem. This means that there's no extable entry around. If we actually try to recover, we have a few problems: - We can't sanely skip the instruction without causing random errors. - If the access was through the kernel direct map, then we could plausibly remap a different page in place of the faulty page. The problem is that, if the page is *writable* and we share it between more than one faulty page, then we're enabling a giant information leak. But we still need to figure out how we're supposed to invalidate the old mapping from a random, potentially atomic context. - If the access is through kmap or similar, then we're talking about modifying a PTE out from under kernel code that really isn't expecting us to modify it. - How are we supposed to signal the process or fail a syscall? The fault could have come from interrupt context, softirq context, kernel thread context, etc, and figuring out who's to blame seems quite awkward and fragile. All that being said, I suspect that we still have issues even with accesses to user VAs that are protected by extable entries. The whole #MC mechanism is a supremely shitty interface for recoverable errors (especially on Intel), and I'm a bit scared of what happens if the offending access is, say, inside a perf NMI. Dan, is there any chance you could put some pressure on the architecture folks to invent an entirely new, less shitty way to tell the OS about recoverable memory errors? And to make it testable by normal people? Needing big metal EINJ hardware to test the house of cards that is #MC is just awful and means that there are few enough kernel developers that are actually able to test that I can probably count them on one hand. And I'm not one of them... _______________________________________________ Linux-nvdimm mailing list Linux-nvdimm@lists.01.org https://lists.01.org/mailman/listinfo/linux-nvdimm From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751932AbeEBQTm (ORCPT ); Wed, 2 May 2018 12:19:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:50440 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751279AbeEBQTd (ORCPT ); Wed, 2 May 2018 12:19:33 -0400 X-Google-Smtp-Source: AB8JxZrfIY/JsJU7ATfTWllx7ST6gQi06DWhP4uiOGUCSSu5cOtu1QLqBcd6eGqkRLM2QbCXHf1SysyK7mxNRSxeZX0= MIME-Version: 1.0 References: <152520750404.36522.15462513519590065300.stgit@dwillia2-desk3.amr.corp.intel.com> In-Reply-To: From: Andy Lutomirski Date: Wed, 02 May 2018 16:19:20 +0000 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 0/6] use memcpy_mcsafe() for copy_to_iter() To: Linus Torvalds Cc: Dan Williams , linux-nvdimm , Tony Luck , Peter Zijlstra , Borislav Petkov , X86 ML , Thomas Gleixner , Ingo Molnar , Al Viro , Andrew Morton , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 1, 2018 at 8:34 PM Linus Torvalds wrote: > On Tue, May 1, 2018 at 8:22 PM Dan Williams > wrote: > > All that to say that having a typical RAM page covering poisoned pmem > > would complicate the 'clear badblocks' implementation. > Ugh, ok. > I guess the good news is that your patches aren't so big, and don't really > affect anything else. I pondered this a bit. Doing better might be a big pain in the arse. The interesting case is where ordinary kernel code (memcpy, plain old memory operands, etc) access faulty pmem. This means that there's no extable entry around. If we actually try to recover, we have a few problems: - We can't sanely skip the instruction without causing random errors. - If the access was through the kernel direct map, then we could plausibly remap a different page in place of the faulty page. The problem is that, if the page is *writable* and we share it between more than one faulty page, then we're enabling a giant information leak. But we still need to figure out how we're supposed to invalidate the old mapping from a random, potentially atomic context. - If the access is through kmap or similar, then we're talking about modifying a PTE out from under kernel code that really isn't expecting us to modify it. - How are we supposed to signal the process or fail a syscall? The fault could have come from interrupt context, softirq context, kernel thread context, etc, and figuring out who's to blame seems quite awkward and fragile. All that being said, I suspect that we still have issues even with accesses to user VAs that are protected by extable entries. The whole #MC mechanism is a supremely shitty interface for recoverable errors (especially on Intel), and I'm a bit scared of what happens if the offending access is, say, inside a perf NMI. Dan, is there any chance you could put some pressure on the architecture folks to invent an entirely new, less shitty way to tell the OS about recoverable memory errors? And to make it testable by normal people? Needing big metal EINJ hardware to test the house of cards that is #MC is just awful and means that there are few enough kernel developers that are actually able to test that I can probably count them on one hand. And I'm not one of them...