| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Jun 2009 09:51:31 +0200 From: Nick Piggin <npiggin@...e.de> To: Russ Anderson <rja@....com> Cc: Ingo Molnar <mingo@...e.hu>, Linus Torvalds <torvalds@...ux-foundation.org>, Wu Fengguang <fengguang.wu@...el.com>, Thomas Gleixner <tglx@...utronix.de>, "H. Peter Anvin" <hpa@...or.com>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Andrew Morton <akpm@...ux-foundation.org>, LKML <linux-kernel@...r.kernel.org>, Hugh Dickins <hugh.dickins@...cali.co.uk>, Andi Kleen <andi@...stfloor.org>, "riel@...hat.com" <riel@...hat.com>, "chris.mason@...cle.com" <chris.mason@...cle.com>, "linux-mm@...ck.org" <linux-mm@...ck.org> Subject: Re: [PATCH 1/5] HWPOISON: define VM_FAULT_HWPOISON to 0 when feature is disabled On Tue, Jun 16, 2009 at 03:27:26PM -0500, Russ Anderson wrote: > On Mon, Jun 15, 2009 at 08:52:32AM +0200, Nick Piggin wrote: > > On Fri, Jun 12, 2009 at 05:35:01PM +0200, Ingo Molnar wrote: > > > * Linus Torvalds <torvalds@...ux-foundation.org> wrote: > > > > On Fri, 12 Jun 2009, Ingo Molnar wrote: > > > > > > > > > > This seems like trying to handle a failure mode that cannot be > > > > > and shouldnt be 'handled' really. If there's an 'already > > > > > corrupted' page then the box should go down hard and fast, and > > > > > we should not risk _even more user data corruption_ by trying to > > > > > 'continue' in the hope of having hit some 'harmless' user > > > > > process that can be killed ... > > > > > > > > No, the box should _not_ go down hard-and-fast. That's the last > > > > thing we should *ever* do. > > > > > > > > We need to log it. Often at a user level (ie we want to make sure > > > > it actually hits syslog, possibly goes out the network, maybe pops > > > > up a window, whatever). > > > > > > > > Shutting down the machine is the last thing we ever want to do. > > > > > > > > The whole "let's panic" mentality is a disease. > > > > > > No doubt about that - and i'm removing BUG_ON()s and panic()s > > > wherever i can and havent added a single new one myself in the past > > > 5 years or so, its a disease. > > > > In HA failover systems you often do want to panic ASAP (after logging > > to serial cosole I guess) if anything like this happens so the system > > can be rebooted with minimal chance of data corruption spreading. > > The whole point of hardware data poisoning is to avoid having to > panic the system due to the potential of undetected data corruption, > because the corrupt data is always marked bad. This has worked > well on ia64 where applications that encounter bad data are killed > and the memory poisoned and not reallocated, avoiding a system panic. > > This has been used at customer sites for a few years. The type > customers that really check their data. It is nice to see > the hardware poison feature moving to the x86 "mainstream". So long as you can get an MCE and panic if the corrupt data actually gets consumed anywhere, then yes a "corrupt data detected but not consumed" exception would not require a panic. I don't know enough about the arch details to know what kinds of exceptions happen when. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists