| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 10 May 2024 15:29:48 -0400
From: Peter Xu <peterx@...hat.com>
To: Axel Rasmussen <axelrasmussen@...gle.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>,
"Aneesh Kumar K.V" <aneesh.kumar@...nel.org>,
Borislav Petkov <bp@...en8.de>,
Christophe Leroy <christophe.leroy@...roup.eu>,
Dave Hansen <dave.hansen@...ux.intel.com>,
David Hildenbrand <david@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, Helge Deller <deller@....de>,
Ingo Molnar <mingo@...hat.com>,
"James E.J. Bottomley" <James.Bottomley@...senpartnership.com>,
John Hubbard <jhubbard@...dia.com>,
Liu Shixin <liushixin2@...wei.com>,
"Matthew Wilcox (Oracle)" <willy@...radead.org>,
Michael Ellerman <mpe@...erman.id.au>,
Muchun Song <muchun.song@...ux.dev>,
"Naveen N. Rao" <naveen.n.rao@...ux.ibm.com>,
Nicholas Piggin <npiggin@...il.com>,
Oscar Salvador <osalvador@...e.de>,
Peter Zijlstra <peterz@...radead.org>,
Suren Baghdasaryan <surenb@...gle.com>,
Thomas Gleixner <tglx@...utronix.de>, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, linux-parisc@...r.kernel.org,
linuxppc-dev@...ts.ozlabs.org, x86@...nel.org
Subject: Re: [PATCH v2 1/1] arch/fault: don't print logs for pte marker
poison errors
On Fri, May 10, 2024 at 11:29:26AM -0700, Axel Rasmussen wrote:
> For real MCEs, various architectures print log messages when poisoned
> memory is accessed (which results in a SIGBUS). These messages can be
> important for users to understand the issue.
>
> On the other hand, we have two other cases: swapin errors and simulated
> poisons via UFFDIO_POISON. These cases also result in SIGBUS, but they
> aren't "real" hardware memory poisoning events, so we want to avoid
> logging MCE error messages to dmesg for these events. This avoids
> spamming the kernel log, and possibly drowning out real events with
> these other cases.
>
> To identify this situation, add a new VM_FAULT_HWPOISON_SILENT flag.
> This is expected to be set *in addition to* one of the existing
> VM_FAULT_HWPOISON or VM_FAULT_HWPOISON_LARGE flags (which are mutually
> exclusive).
>
> Reviewed-by: John Hubbard <jhubbard@...dia.com>
> Signed-off-by: Axel Rasmussen <axelrasmussen@...gle.com>
Acked-by: Peter Xu <peterx@...hat.com>
One nicpick below.
> ---
> arch/parisc/mm/fault.c | 7 +++++--
> arch/powerpc/mm/fault.c | 6 ++++--
> arch/x86/mm/fault.c | 6 ++++--
> include/linux/mm_types.h | 34 ++++++++++++++++++++--------------
> mm/hugetlb.c | 3 ++-
> mm/memory.c | 2 +-
> 6 files changed, 36 insertions(+), 22 deletions(-)
>
> diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
> index c39de84e98b0..6c5e8d6498bf 100644
> --- a/arch/parisc/mm/fault.c
> +++ b/arch/parisc/mm/fault.c
> @@ -400,9 +400,12 @@ void do_page_fault(struct pt_regs *regs, unsigned long code,
> #ifdef CONFIG_MEMORY_FAILURE
> if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
> unsigned int lsb = 0;
> - printk(KERN_ERR
> +
> + if (!(fault & VM_FAULT_HWPOISON_SILENT)) {
> + pr_err(
> "MCE: Killing %s:%d due to hardware memory corruption fault at %08lx\n",
> - tsk->comm, tsk->pid, address);
> + tsk->comm, tsk->pid, address);
> + }
> /*
> * Either small page or large page may be poisoned.
> * In other words, VM_FAULT_HWPOISON_LARGE and
> diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
> index 215690452495..c43bb6193a80 100644
> --- a/arch/powerpc/mm/fault.c
> +++ b/arch/powerpc/mm/fault.c
> @@ -147,8 +147,10 @@ static int do_sigbus(struct pt_regs *regs, unsigned long address,
> if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
> unsigned int lsb = 0; /* shutup gcc */
>
> - pr_err("MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
> - current->comm, current->pid, address);
> + if (!(fault & VM_FAULT_HWPOISON_SILENT)) {
> + pr_err("MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
> + current->comm, current->pid, address);
> + }
>
> if (fault & VM_FAULT_HWPOISON_LARGE)
> lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault));
> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> index 67b18adc75dd..9ae5cc6bd933 100644
> --- a/arch/x86/mm/fault.c
> +++ b/arch/x86/mm/fault.c
> @@ -964,9 +964,11 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
> struct task_struct *tsk = current;
> unsigned lsb = 0;
>
> - pr_err(
> + if (!(fault & VM_FAULT_HWPOISON_SILENT)) {
> + pr_err(
> "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
> - tsk->comm, tsk->pid, address);
> + tsk->comm, tsk->pid, address);
> + }
> if (fault & VM_FAULT_HWPOISON_LARGE)
> lsb = hstate_index_to_shift(VM_FAULT_GET_HINDEX(fault));
> if (fault & VM_FAULT_HWPOISON)
> diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
> index 24323c7d0bd4..7663a2725341 100644
> --- a/include/linux/mm_types.h
> +++ b/include/linux/mm_types.h
> @@ -1224,6 +1224,10 @@ typedef __bitwise unsigned int vm_fault_t;
> * @VM_FAULT_HWPOISON_LARGE: Hit poisoned large page. Index encoded
> * in upper bits
> * @VM_FAULT_SIGSEGV: segmentation fault
> + * @VM_FAULT_HWPOISON_SILENT Hit a poisoned pte marker, which should not be
> + * logged to dmesg since it's something besides a
> + * real hardware memory error (swapin error,
> + * simulated poison via UFFDIO_POISON, etc.).
IMHO we shouldn't mention that detail, but only state the effect which is
to not report the event to syslog.
There's no hard rule that a pte marker can't reflect a real page poison in
the future even MCE. Actually I still remember most places don't care
about the pfn in the hwpoison swap entry so maybe we can even do it? But
that's another story regardless..
And also not report swapin error is, IMHO, only because arch errors said
"MCE" in the error logs which may not apply here. Logically speaking
swapin error should also be reported so admin knows better on why a proc is
killed. Now it can still confuse the admin if it really happens, iiuc.
> * @VM_FAULT_NOPAGE: ->fault installed the pte, not return page
> * @VM_FAULT_LOCKED: ->fault locked the returned page
> * @VM_FAULT_RETRY: ->fault blocked, must retry
> @@ -1237,20 +1241,21 @@ typedef __bitwise unsigned int vm_fault_t;
> *
> */
> enum vm_fault_reason {
> - VM_FAULT_OOM = (__force vm_fault_t)0x000001,
> - VM_FAULT_SIGBUS = (__force vm_fault_t)0x000002,
> - VM_FAULT_MAJOR = (__force vm_fault_t)0x000004,
> - VM_FAULT_HWPOISON = (__force vm_fault_t)0x000010,
> - VM_FAULT_HWPOISON_LARGE = (__force vm_fault_t)0x000020,
> - VM_FAULT_SIGSEGV = (__force vm_fault_t)0x000040,
> - VM_FAULT_NOPAGE = (__force vm_fault_t)0x000100,
> - VM_FAULT_LOCKED = (__force vm_fault_t)0x000200,
> - VM_FAULT_RETRY = (__force vm_fault_t)0x000400,
> - VM_FAULT_FALLBACK = (__force vm_fault_t)0x000800,
> - VM_FAULT_DONE_COW = (__force vm_fault_t)0x001000,
> - VM_FAULT_NEEDDSYNC = (__force vm_fault_t)0x002000,
> - VM_FAULT_COMPLETED = (__force vm_fault_t)0x004000,
> - VM_FAULT_HINDEX_MASK = (__force vm_fault_t)0x0f0000,
> + VM_FAULT_OOM = (__force vm_fault_t)0x000001,
> + VM_FAULT_SIGBUS = (__force vm_fault_t)0x000002,
> + VM_FAULT_MAJOR = (__force vm_fault_t)0x000004,
> + VM_FAULT_HWPOISON = (__force vm_fault_t)0x000010,
> + VM_FAULT_HWPOISON_LARGE = (__force vm_fault_t)0x000020,
> + VM_FAULT_SIGSEGV = (__force vm_fault_t)0x000040,
> + VM_FAULT_HWPOISON_SILENT = (__force vm_fault_t)0x000080,
> + VM_FAULT_NOPAGE = (__force vm_fault_t)0x000100,
> + VM_FAULT_LOCKED = (__force vm_fault_t)0x000200,
> + VM_FAULT_RETRY = (__force vm_fault_t)0x000400,
> + VM_FAULT_FALLBACK = (__force vm_fault_t)0x000800,
> + VM_FAULT_DONE_COW = (__force vm_fault_t)0x001000,
> + VM_FAULT_NEEDDSYNC = (__force vm_fault_t)0x002000,
> + VM_FAULT_COMPLETED = (__force vm_fault_t)0x004000,
> + VM_FAULT_HINDEX_MASK = (__force vm_fault_t)0x0f0000,
> };
>
> /* Encode hstate index for a hwpoisoned large page */
> @@ -1268,6 +1273,7 @@ enum vm_fault_reason {
> { VM_FAULT_HWPOISON, "HWPOISON" }, \
> { VM_FAULT_HWPOISON_LARGE, "HWPOISON_LARGE" }, \
> { VM_FAULT_SIGSEGV, "SIGSEGV" }, \
> + { VM_FAULT_HWPOISON_SILENT, "HWPOISON_SILENT" }, \
> { VM_FAULT_NOPAGE, "NOPAGE" }, \
> { VM_FAULT_LOCKED, "LOCKED" }, \
> { VM_FAULT_RETRY, "RETRY" }, \
> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index 6be78e7d4f6e..91517cd7f44c 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -6485,7 +6485,8 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
> pte_marker_get(pte_to_swp_entry(vmf.orig_pte));
>
> if (marker & PTE_MARKER_POISONED) {
> - ret = VM_FAULT_HWPOISON_LARGE |
> + ret = VM_FAULT_HWPOISON_SILENT |
> + VM_FAULT_HWPOISON_LARGE |
> VM_FAULT_SET_HINDEX(hstate_index(h));
> goto out_mutex;
> }
> diff --git a/mm/memory.c b/mm/memory.c
> index eea6e4984eae..721c0731cef2 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -3938,7 +3938,7 @@ static vm_fault_t handle_pte_marker(struct vm_fault *vmf)
>
> /* Higher priority than uffd-wp when data corrupted */
> if (marker & PTE_MARKER_POISONED)
> - return VM_FAULT_HWPOISON;
> + return VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_SILENT;
>
> if (pte_marker_entry_uffd_wp(entry))
> return pte_marker_handle_uffd_wp(vmf);
> --
> 2.45.0.118.g7fe29c98d7-goog
>
>
--
Peter Xu
Powered by blists - more mailing lists