lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 9 Jan 2016 10:00:18 -0800
From:	Andy Lutomirski <luto@...capital.net>
To:	Tony Luck <tony.luck@...il.com>
Cc:	Ingo Molnar <mingo@...nel.org>, Borislav Petkov <bp@...en8.de>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Andy Lutomirski <luto@...nel.org>,
	Dan Williams <dan.j.williams@...el.com>,
	Robert <elliott@....com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"linux-mm@...ck.org" <linux-mm@...ck.org>,
	linux-nvdimm <linux-nvdimm@...1.01.org>, X86 ML <x86@...nel.org>
Subject: Re: [PATCH v8 1/3] x86: Expand exception table to allow new handling options

On Sat, Jan 9, 2016 at 9:45 AM, Tony Luck <tony.luck@...il.com> wrote:
> On Fri, Jan 8, 2016 at 5:52 PM, Andy Lutomirski <luto@...capital.net> wrote:
>> Also, I think it would be nicer if the machine check code would invoke
>> the handler regardless of which handler (or class) is selected.  Then
>> the handlers that don't want to handle #MC can just reject them.
>
> The machine check code is currently a two pass process.
>
> First we scan all the machine check banks (on all processors
> at the moment because machine checks are broadcast). We
> assess the severity of all errors found.
>
> Then we take action. Panic if the most severe error was fatal,
> recover if not.
>
> This patch series tweaks the severity calculation. In-kernel
> errors at IPs with a EXTABLE_CLASS_FAULT handler are
> now ranked as recoverable. All other kernel errors remain
> fatal.
>
> I don't think it is right to unconditionally execute the fix code in the
> severity assessment phase.

I would argue that unconditionally calling the handler would be
cleaner.  The handler would return 0 or false to indicate that it
refuses to fix the exception.

This is similar to the logic that, for regular user memory access, we
shouldn't fix up faults other than #PF.  Given that we're adding
flexible handler callbacks, lets push all the "is this an acceptable
fault to fix up" down into the callback.  Does that make sense?

>
> Perhaps later we can revisit the two pass process?

Oh, I see.  Is it the case that the MC code can't cleanly handle the
case where the error was nominally recoverable but the kernel doesn't
know how to recover from it due to the lack of a handler that's okay
with it, because the handler's refusal to handle the fault wouldn't be
known until too late?

--Andy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ