| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 Jan 2016 14:32:43 -0800 From: Andy Lutomirski <luto@...capital.net> To: Tony Luck <tony.luck@...il.com> Cc: Dan Williams <dan.j.williams@...el.com>, Borislav Petkov <bp@...en8.de>, X86 ML <x86@...nel.org>, "linux-mm@...ck.org" <linux-mm@...ck.org>, Robert <elliott@....com>, Andrew Morton <akpm@...ux-foundation.org>, Ingo Molnar <mingo@...nel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, linux-nvdimm <linux-nvdimm@...1.01.org> Subject: Re: [PATCH v8 1/3] x86: Expand exception table to allow new handling options On Jan 9, 2016 11:51 AM, "Tony Luck" <tony.luck@...il.com> wrote: > > > Oh, I see. Is it the case that the MC code can't cleanly handle the > > case where the error was nominally recoverable but the kernel doesn't > > know how to recover from it due to the lack of a handler that's okay > > with it, because the handler's refusal to handle the fault wouldn't be > > known until too late? > > The code is just too clunky right now. We have a table driven > severity calculator that we invoke on each machine check bank > that has some valid data to report. Part of that calculation is > "what context am I in?". Which happens earlier in the sequence > than "Is MCi_STATUS.MCACOD some known recoverable type". > If I invoke the fixup code I'll change regs->ip right away ... even > if I'm executing on some innocent bystander processor that wasn't > the source of the machine check (the bystanders on the same > socket can usually see something logged in one of the memory > controller banks). Makes sense, sort of. But even if there is an MC fixup registered, don't you still have to make sure to execute it on the actual victim CPU? After all, you don't want to fail an mcsafe copy just because a different CPU coincidentally machine checked while the mcsafe copy has the recoverable RIP value. > > There are definitely some cleanups that should be done > in this code (e.g. figuring our context just once, not once > per bank). But I'm pretty sure I'll always want to know > "am I executing an instruction with a #MC recoverable > handler?" in a way that doesn't actually invoke the recovery. What's wrong with: Step 1: determine that the HW context is, in principle, recoverable. Step 2: ask the handler to try to recover. Step 3: if the handler doesn't recover, panic I'm not saying that restructuring the code like this should be a prerequisite for merging this, but I'm wondering whether it would make sense at some point in the future. --Andy
Powered by blists - more mailing lists