| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 28 Jun 2022 15:51:33 +0800
From: Muchun Song <songmuchun@...edance.com>
To: HORIGUCHI NAOYA(堀口 直也)
<naoya.horiguchi@....com>
Cc: Naoya Horiguchi <nao.horiguchi@...il.com>,
"linux-mm@...ck.org" <linux-mm@...ck.org>,
Andrew Morton <akpm@...ux-foundation.org>,
David Hildenbrand <david@...hat.com>,
Mike Kravetz <mike.kravetz@...cle.com>,
Miaohe Lin <linmiaohe@...wei.com>,
Liu Shixin <liushixin2@...wei.com>,
Yang Shi <shy828301@...il.com>,
Oscar Salvador <osalvador@...e.de>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2 4/9] mm, hwpoison, hugetlb: support saving mechanism
of raw error pages
On Tue, Jun 28, 2022 at 02:26:47PM +0800, Muchun Song wrote:
> On Tue, Jun 28, 2022 at 02:41:22AM +0000, HORIGUCHI NAOYA(堀口 直也) wrote:
> > On Mon, Jun 27, 2022 at 05:26:01PM +0800, Muchun Song wrote:
> > > On Fri, Jun 24, 2022 at 08:51:48AM +0900, Naoya Horiguchi wrote:
> > > > From: Naoya Horiguchi <naoya.horiguchi@....com>
> > > >
> > > > When handling memory error on a hugetlb page, the error handler tries to
> > > > dissolve and turn it into 4kB pages. If it's successfully dissolved,
> > > > PageHWPoison flag is moved to the raw error page, so that's all right.
> > > > However, dissolve sometimes fails, then the error page is left as
> > > > hwpoisoned hugepage. It's useful if we can retry to dissolve it to save
> > > > healthy pages, but that's not possible now because the information about
> > > > where the raw error pages is lost.
> > > >
> > > > Use the private field of a few tail pages to keep that information. The
> > > > code path of shrinking hugepage pool uses this info to try delayed dissolve.
> > > > In order to remember multiple errors in a hugepage, a singly-linked list
> > > > originated from SUBPAGE_INDEX_HWPOISON-th tail page is constructed. Only
> > > > simple operations (adding an entry or clearing all) are required and the
> > > > list is assumed not to be very long, so this simple data structure should
> > > > be enough.
> > > >
> > > > If we failed to save raw error info, the hwpoison hugepage has errors on
> > > > unknown subpage, then this new saving mechanism does not work any more,
> > > > so disable saving new raw error info and freeing hwpoison hugepages.
> > > >
> > > > Signed-off-by: Naoya Horiguchi <naoya.horiguchi@....com>
> > >
> > > Thanks for your work on this. I have several quesions below.
> > >
> > ...
> >
> > > > @@ -1499,6 +1499,97 @@ static int try_to_split_thp_page(struct page *page, const char *msg)
> > > > }
> > > >
> > > > #ifdef CONFIG_HUGETLB_PAGE
> > > > +/*
> > > > + * Struct raw_hwp_page represents information about "raw error page",
> > > > + * constructing singly linked list originated from ->private field of
> > > > + * SUBPAGE_INDEX_HWPOISON-th tail page.
> > > > + */
> > > > +struct raw_hwp_page {
> > > > + struct llist_node node;
> > > > + struct page *page;
> > > > +};
> > > > +
> > > > +static inline struct llist_head *raw_hwp_list_head(struct page *hpage)
> > > > +{
> > > > + return (struct llist_head *)&page_private(hpage + SUBPAGE_INDEX_HWPOISON);
> > > > +}
> > > > +
> > > > +static inline int raw_hwp_unreliable(struct page *hpage)
> > > > +{
> > > > + return page_private(hpage + SUBPAGE_INDEX_HWPOISON_UNRELIABLE);
> > > > +}
> > > > +
> > > > +static inline void set_raw_hwp_unreliable(struct page *hpage)
> > > > +{
> > > > + set_page_private(hpage + SUBPAGE_INDEX_HWPOISON_UNRELIABLE, 1);
> > > > +}
> > >
> > > Why not use HPAGEFLAG(HwpoisonUnreliable, hwpoison_unreliable) directly?
> > >
> >
> > OK, that sounds better, I'll do it.
> >
> > > > +
> > > > +/*
> > > > + * about race consideration
> > > > + */
> > > > +static inline int hugetlb_set_page_hwpoison(struct page *hpage,
> > > > + struct page *page)
> > > > +{
> > > > + struct llist_head *head;
> > > > + struct raw_hwp_page *raw_hwp;
> > > > + struct llist_node *t, *tnode;
> > > > + int ret;
> > > > +
> > > > + /*
> > > > + * Once the hwpoison hugepage has lost reliable raw error info,
> > > > + * there is little mean to keep additional error info precisely,
> > > > + * so skip to add additional raw error info.
> > > > + */
> > > > + if (raw_hwp_unreliable(hpage))
> > > > + return -EHWPOISON;
> > > > + head = raw_hwp_list_head(hpage);
> > > > + llist_for_each_safe(tnode, t, head->first) {
> > > > + struct raw_hwp_page *p = container_of(tnode, struct raw_hwp_page, node);
> > > > +
> > > > + if (p->page == page)
> > > > + return -EHWPOISON;
> > > > + }
> > > > +
> > > > + ret = TestSetPageHWPoison(hpage) ? -EHWPOISON : 0;
> > > > + /* the first error event will be counted in action_result(). */
> > > > + if (ret)
> > > > + num_poisoned_pages_inc();
> > > > +
> > > > + raw_hwp = kmalloc(sizeof(struct raw_hwp_page), GFP_KERNEL);
> > >
> > > This function can be called in atomic context, GFP_ATOMIC should be used
> > > here.
> >
> > OK, I'll use GFP_ATOMIC.
> >
> > >
> > > > + if (raw_hwp) {
> > > > + raw_hwp->page = page;
> > > > + llist_add(&raw_hwp->node, head);
> > >
> > > The maximum amount of items in the list is one, right?
> >
> > The maximum is the number of subpages in the hugepage (512 for 2MB hugepage,
> > 262144 for 1GB hugepage).
> >
>
> You are right. I have missed something yesterday.
>
> > >
> > > > + } else {
> > > > + /*
> > > > + * Failed to save raw error info. We no longer trace all
> > > > + * hwpoisoned subpages, and we need refuse to free/dissolve
> > > > + * this hwpoisoned hugepage.
> > > > + */
> > > > + set_raw_hwp_unreliable(hpage);
> > > > + return ret;
> > > > + }
> > > > + return ret;
> > > > +}
> > > > +
> > > > +inline int hugetlb_clear_page_hwpoison(struct page *hpage)
> > > > +{
> > > > + struct llist_head *head;
> > > > + struct llist_node *t, *tnode;
> > > > +
> > > > + if (raw_hwp_unreliable(hpage))
> > > > + return -EBUSY;
> > >
> > > IIUC, we use head page's PageHWPoison to synchronize hugetlb_clear_page_hwpoison()
> > > and hugetlb_set_page_hwpoison(), right? If so, who can set hwp_unreliable here?
> >
> > Sorry if I might miss your point, but raw_hwp_unreliable is set when
> > allocating raw_hwp_page failed. hugetlb_set_page_hwpoison() can be called
>
> Sorry. I have missed this. Thanks for your clarification.
>
> > multiple times on a hugepage and if one of the calls fails, the hwpoisoned
> > hugepage becomes unreliable.
> >
> > BTW, as you pointed out above, if we switch to passing GFP_ATOMIC to kmalloc(),
> > the kmalloc() never fails, so we no longer have to implement this unreliable
>
> No. kmalloc() with GFP_ATOMIC can fail unless I miss something important.
>
> > flag, so things get simpler.
> >
> > >
> > > > + ClearPageHWPoison(hpage);
> > > > + head = raw_hwp_list_head(hpage);
> > > > + llist_for_each_safe(tnode, t, head->first) {
> > >
> > > Is it possible that a new item is added hugetlb_set_page_hwpoison() and we do not
> > > traverse it (we have cleared page's PageHWPoison)? Then we ignored a real hwpoison
> > > page, right?
> >
> > Maybe you are mentioning the race like below. Yes, that's possible.
> >
>
> Sorry, ignore my previous comments, I'm thinking something wrong.
>
> > CPU 0 CPU 1
> >
> > free_huge_page
> > lock hugetlb_lock
> > ClearHPageMigratable
> remove_hugetlb_page()
> // the page is non-HugeTLB now
> > unlock hugetlb_lock
> > get_huge_page_for_hwpoison
> > lock hugetlb_lock
> > __get_huge_page_for_hwpoison
>
> // cannot reach here since it is not a HugeTLB page now.
> // So this race is impossible. Then we fallback to normal
> // page handling. Seems there is a new issue here.
> //
> // memory_failure()
> // try_memory_failure_hugetlb()
> // if (hugetlb)
> // goto unlock_mutex;
> // if (TestSetPageHWPoison(p)) {
> // // This non-HugeTLB page's vmemmap is still optimized.
>
> Setting COMPOUND_PAGE_DTOR after hugetlb_vmemmap_restore() might fix this
^^^
I mean hugetlb_vmemmap_alloc().
> issue, but we will encounter this race as you mentioned below.
>
> Thanks.
>
> > hugetlb_set_page_hwpoison
> > allocate raw_hwp_page
> > TestSetPageHWPoison
> > update_and_free_page
> > __update_and_free_page
> > if (PageHWPoison)
> > hugetlb_clear_page_hwpoison
> > TestClearPageHWPoison
> > // remove all list items
> > llist_add
> > unlock hugetlb_lock
> >
> >
> > The end result seems not critical (leaking raced raw_hwp_page?), but
> > we need fix.
> >
> > >
> > > > + struct raw_hwp_page *p = container_of(tnode, struct raw_hwp_page, node);
> > > > +
> > > > + SetPageHWPoison(p->page);
> > > > + kfree(p);
> > > > + }
> > > > + llist_del_all(head);
> > >
> > > If the above issue exists, moving ClearPageHWPoison(hpage) to here could
> > > fix it. We should clear PageHWPoison carefully since the head page is
> > > also can be poisoned.
> >
> > The reason why I put ClearPageHWPoison(hpage) before llist_for_each_safe()
> > was that raw error page can be the head page. But this can be solved
> > with some additional code to remember whether raw_hwp_page list has an item
> > associated with the head page.
> >
> > Or another approach in my mind now is to call hugetlb_clear_page_hwpoison()
> > with taking mf_mutex.
> >
> > >
> > > Thanks.
> >
> > Thank you for valuable feedbacks.
> >
> > - Naoya Horiguchi
> >
> > >
> > > > + return 0;
> > > > +}
> > > > +
> > > > /*
> > > > * Called from hugetlb code with hugetlb_lock held.
> > > > *
> > > > @@ -1533,7 +1624,7 @@ int __get_huge_page_for_hwpoison(unsigned long pfn, int flags)
> > > > goto out;
> > > > }
> > > >
> > > > - if (TestSetPageHWPoison(head)) {
> > > > + if (hugetlb_set_page_hwpoison(head, page)) {
> > > > ret = -EHWPOISON;
> > > > goto out;
> > > > }
> > > > @@ -1585,7 +1676,7 @@ static int try_memory_failure_hugetlb(unsigned long pfn, int flags, int *hugetlb
> > > > lock_page(head);
> > > >
> > > > if (hwpoison_filter(p)) {
> > > > - ClearPageHWPoison(head);
> > > > + hugetlb_clear_page_hwpoison(head);
> > > > res = -EOPNOTSUPP;
> > > > goto out;
> > > > }
> > > > --
> > > > 2.25.1
> > > >
> > > >
>
Powered by blists - more mailing lists