| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Jun 2024 18:33:44 +0100
From: Robin Murphy <robin.murphy@....com>
To: Rob Clark <robdclark@...il.com>
Cc: iommu@...ts.linux.dev, linux-arm-msm@...r.kernel.org,
Stephen Boyd <swboyd@...omium.org>, Rob Clark <robdclark@...omium.org>,
Will Deacon <will@...nel.org>, Joerg Roedel <joro@...tes.org>,
Jason Gunthorpe <jgg@...pe.ca>, Jerry Snitselaar <jsnitsel@...hat.com>,
Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>,
Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
"moderated list:ARM SMMU DRIVERS" <linux-arm-kernel@...ts.infradead.org>,
open list <linux-kernel@...r.kernel.org>,
Pranjal Shrivastava <praan@...gle.com>
Subject: Re: [PATCH] iommu/arm-smmu: Pretty-print context fault related regs
On 2024-06-17 5:18 pm, Rob Clark wrote:
> On Mon, Jun 17, 2024 at 6:07 AM Robin Murphy <robin.murphy@....com> wrote:
>>
>> On 04/06/2024 4:01 pm, Rob Clark wrote:
>>> From: Rob Clark <robdclark@...omium.org>
>>>
>>> Parse out the bitfields for easier-to-read fault messages.
>>>
>>> Signed-off-by: Rob Clark <robdclark@...omium.org>
>>> ---
>>> Stephen was wanting easier to read fault messages.. so I typed this up.
>>>
>>> Resend with the new iommu list address
>>>
>>> drivers/iommu/arm/arm-smmu/arm-smmu.c | 53 +++++++++++++++++++++++++--
>>> drivers/iommu/arm/arm-smmu/arm-smmu.h | 5 +++
>>> 2 files changed, 54 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c
>>> index c572d877b0e1..06712d73519c 100644
>>> --- a/drivers/iommu/arm/arm-smmu/arm-smmu.c
>>> +++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c
>>> @@ -411,6 +411,8 @@ static irqreturn_t arm_smmu_context_fault(int irq, void *dev)
>>> unsigned long iova;
>>> struct arm_smmu_domain *smmu_domain = dev;
>>> struct arm_smmu_device *smmu = smmu_domain->smmu;
>>> + static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL,
>>> + DEFAULT_RATELIMIT_BURST);
>>> int idx = smmu_domain->cfg.cbndx;
>>> int ret;
>>>
>>> @@ -425,10 +427,53 @@ static irqreturn_t arm_smmu_context_fault(int irq, void *dev)
>>> ret = report_iommu_fault(&smmu_domain->domain, NULL, iova,
>>> fsynr & ARM_SMMU_FSYNR0_WNR ? IOMMU_FAULT_WRITE : IOMMU_FAULT_READ);
>>>
>>> - if (ret == -ENOSYS)
>>> - dev_err_ratelimited(smmu->dev,
>>> - "Unhandled context fault: fsr=0x%x, iova=0x%08lx, fsynr=0x%x, cbfrsynra=0x%x, cb=%d\n",
>>> - fsr, iova, fsynr, cbfrsynra, idx);
>>> + if (ret == -ENOSYS && __ratelimit(&rs)) {
>>> + static const struct {
>>> + u32 mask; const char *name;
>>> + } fsr_bits[] = {
>>> + { ARM_SMMU_FSR_MULTI, "MULTI" },
>>> + { ARM_SMMU_FSR_SS, "SS" },
>>> + { ARM_SMMU_FSR_UUT, "UUT" },
>>> + { ARM_SMMU_FSR_ASF, "ASF" },
>>> + { ARM_SMMU_FSR_TLBLKF, "TLBLKF" },
>>> + { ARM_SMMU_FSR_TLBMCF, "TLBMCF" },
>>> + { ARM_SMMU_FSR_EF, "EF" },
>>> + { ARM_SMMU_FSR_PF, "PF" },
>>> + { ARM_SMMU_FSR_AFF, "AFF" },
>>> + { ARM_SMMU_FSR_TF, "TF" },
>>> + }, fsynr0_bits[] = {
>>> + { ARM_SMMU_FSYNR0_WNR, "WNR" },
>>> + { ARM_SMMU_FSYNR0_PNU, "PNU" },
>>> + { ARM_SMMU_FSYNR0_IND, "IND" },
>>> + { ARM_SMMU_FSYNR0_NSATTR, "NSATTR" },
>>> + { ARM_SMMU_FSYNR0_PTWF, "PTWF" },
>>> + { ARM_SMMU_FSYNR0_AFR, "AFR" },
>>> + };
>>> +
>>> + pr_err("%s %s: Unhandled context fault: fsr=0x%x (",
>>> + dev_driver_string(smmu->dev), dev_name(smmu->dev), fsr);
>>> +
>>> + for (int i = 0, n = 0; i < ARRAY_SIZE(fsr_bits); i++) {
>>> + if (fsr & fsr_bits[i].mask) {
>>> + pr_cont("%s%s", (n > 0) ? "|" : "", fsr_bits[i].name);
>>
>> Given that SMMU faults have a high likelihood of correlating with other
>> errors, e.g. the initiating device also reporting that it got an abort
>> back, this much pr_cont is a recipe for an unreadable mess. Furthermore,
>> just imagine how "helpful" this would be when faults in two contexts are
>> reported by two different CPUs at the same time ;)
>
> It looks like arm_smmu_context_fault() is only used with non-threaded
> irq's. And this fallback is only used if driver doesn't register it's
> own fault handler. So I don't think this will be a problem.
You don't think two different IRQs can fire on two different CPUs at the
same time (or close to)? It's already bad enough when multiple CPUs
panic and one has to pick apart line-by-line interleaving of the
registers/stacktraces - imagine how much more utterly unusable that
would be with bits of different dumps randomly pr_cont'ed together onto
the same line(s)...
Even when unrelated stuff gets interleaved because other CPUs just
happen to be calling printk() at the same time for unrelated reasons
it's still annoying, and pr_cont makes a bigger mess than not.
>> I'd prefer to retain the original message as-is, so there is at least
>> still an unambiguous "atomic" view of a fault's entire state, then
>> follow it with a decode more in the style of arm64's ESR logging. TBH I
>> also wouldn't disapprove of hiding the additional decode behind a
>> command-line/runtime parameter, since a fault storm can cripple a system
>> enough as it is, without making the interrupt handler spend even longer
>> printing to a potentially slow console.
>
> It _is_ ratelimited. But we could perhaps use a higher loglevel (pr_debug?)
Yeah, I'd have no complaint with pr_debug/dev_dbg either, if that suits
your use case. True that the ratelimit may typically mitigate the
overall impact, but still in the worst case with a sufficiently slow
console and/or a sufficiently large amount to print per __ratelimit()
call, it can end up being slow enough to stay below the threshold. Don't
ask me how I know that :)
Thanks,
Robin.
Powered by blists - more mailing lists