| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 8 Nov 2021 21:00:27 +0000
From: Jane Chu <jane.chu@...cle.com>
To: "Darrick J. Wong" <djwong@...nel.org>
CC: "david@...morbit.com" <david@...morbit.com>,
"dan.j.williams@...el.com" <dan.j.williams@...el.com>,
"hch@...radead.org" <hch@...radead.org>,
"vishal.l.verma@...el.com" <vishal.l.verma@...el.com>,
"dave.jiang@...el.com" <dave.jiang@...el.com>,
"agk@...hat.com" <agk@...hat.com>,
"snitzer@...hat.com" <snitzer@...hat.com>,
"dm-devel@...hat.com" <dm-devel@...hat.com>,
"ira.weiny@...el.com" <ira.weiny@...el.com>,
"willy@...radead.org" <willy@...radead.org>,
"vgoyal@...hat.com" <vgoyal@...hat.com>,
"linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org>,
"nvdimm@...ts.linux.dev" <nvdimm@...ts.linux.dev>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-xfs@...r.kernel.org" <linux-xfs@...r.kernel.org>
Subject: Re: [PATCH v2 2/2] dax,pmem: Implement pmem based dax data recovery
On 11/5/2021 7:04 PM, Darrick J. Wong wrote:
<snip>
>> @@ -303,20 +303,85 @@ static long pmem_dax_direct_access(struct dax_device *dax_dev,
>> }
>>
>> /*
>> - * Use the 'no check' versions of copy_from_iter_flushcache() and
>> - * copy_mc_to_iter() to bypass HARDENED_USERCOPY overhead. Bounds
>> - * checking, both file offset and device offset, is handled by
>> - * dax_iomap_actor()
>> + * Even though the 'no check' versions of copy_from_iter_flushcache()
>> + * and copy_mc_to_iter() are used to bypass HARDENED_USERCOPY overhead,
>> + * 'read'/'write' aren't always safe when poison is consumed. They happen
>> + * to be safe because the 'read'/'write' range has been guaranteed
>> + * be free of poison(s) by a prior call to dax_direct_access() on the
>> + * caller stack.
>> + * But on a data recovery code path, the 'read'/'write' range is expected
>> + * to contain poison(s), and so poison(s) is explicit checked, such that
>> + * 'read' can fetch data from clean page(s) up till the first poison is
>> + * encountered, and 'write' requires the range be page aligned in order
>> + * to restore the poisoned page's memory type back to "rw" after clearing
>> + * the poison(s).
>> + * In the event of poison related failure, (size_t) -EIO is returned and
>> + * caller may check the return value after casting it to (ssize_t).
>> + *
>> + * TODO: add support for CPUs that support MOVDIR64B instruction for
>> + * faster poison clearing, and possibly smaller error blast radius.
>
> I get that it's still early days yet for whatever pmem stuff is going on
> for 5.17, but I feel like this ought to be a separate function called by
> pmem_copy_from_iter, with this huge comment attached to that recovery
> function.
Thanks, will refactor both functions.
>
>> */
>> static size_t pmem_copy_from_iter(struct dax_device *dax_dev, pgoff_t pgoff,
>> void *addr, size_t bytes, struct iov_iter *i, int mode)
>> {
>> + phys_addr_t pmem_off;
>> + size_t len, lead_off;
>> + struct pmem_device *pmem = dax_get_private(dax_dev);
>> + struct device *dev = pmem->bb.dev;
>> +
>> + if (unlikely(mode == DAX_OP_RECOVERY)) {
>> + lead_off = (unsigned long)addr & ~PAGE_MASK;
>> + len = PFN_PHYS(PFN_UP(lead_off + bytes));
>> + if (is_bad_pmem(&pmem->bb, PFN_PHYS(pgoff) / 512, len)) {
>> + if (lead_off || !(PAGE_ALIGNED(bytes))) {
>> + dev_warn(dev, "Found poison, but addr(%p) and/or bytes(%#lx) not page aligned\n",
>> + addr, bytes);
>> + return (size_t) -EIO;
>> + }
>> + pmem_off = PFN_PHYS(pgoff) + pmem->data_offset;
>> + if (pmem_clear_poison(pmem, pmem_off, bytes) !=
>> + BLK_STS_OK)
>> + return (size_t) -EIO;
>
> Looks reasonable enough to me, though you might want to restructure this
> to reduce the amount of indent.
Agreed.
>
> FWIW I dislike how is_bad_pmem mixes units (sector_t vs. bytes), that
> was seriously confusing. But I guess that's a weird quirk of the
> badblocks API and .... ugh.
>
> (I dunno, can we at least clean up the nvdimm parts and some day replace
> the badblocks backend with something that can handle more than 16
> records? interval_tree is more than up to that task, I know, I use it
> for xfs online fsck...)
Let me look into this and get back to you.
>
>> + }
>> + }
>> +
>> return _copy_from_iter_flushcache(addr, bytes, i);
>> }
>>
>> static size_t pmem_copy_to_iter(struct dax_device *dax_dev, pgoff_t pgoff,
>> void *addr, size_t bytes, struct iov_iter *i, int mode)
>> {
>> + int num_bad;
>> + size_t len, lead_off;
>> + unsigned long bad_pfn;
>> + bool bad_pmem = false;
>> + size_t adj_len = bytes;
>> + sector_t sector, first_bad;
>> + struct pmem_device *pmem = dax_get_private(dax_dev);
>> + struct device *dev = pmem->bb.dev;
>> +
>> + if (unlikely(mode == DAX_OP_RECOVERY)) {
>> + sector = PFN_PHYS(pgoff) / 512;
>> + lead_off = (unsigned long)addr & ~PAGE_MASK;
>> + len = PFN_PHYS(PFN_UP(lead_off + bytes));
>> + if (pmem->bb.count)
>> + bad_pmem = !!badblocks_check(&pmem->bb, sector,
>> + len / 512, &first_bad, &num_bad);
>> + if (bad_pmem) {
>> + bad_pfn = PHYS_PFN(first_bad * 512);
>> + if (bad_pfn == pgoff) {
>> + dev_warn(dev, "Found poison in page: pgoff(%#lx)\n",
>> + pgoff);
>> + return -EIO;
>> + }
>> + adj_len = PFN_PHYS(bad_pfn - pgoff) - lead_off;
>> + dev_WARN_ONCE(dev, (adj_len > bytes),
>> + "out-of-range first_bad?");
>> + }
>> + if (adj_len == 0)
>> + return (size_t) -EIO;
>
> Uh, are we supposed to adjust bytes here or something?
Because we're trying to read as much data as possible...
What is your concern here?
thanks!
-jane
>
> --D
>
>> + }
>> +
>> return _copy_mc_to_iter(addr, bytes, i);
>> }
>>
Powered by blists - more mailing lists