From nobody Tue Dec 16 11:12:19 2025 Received: from out30-99.freemail.mail.aliyun.com (out30-99.freemail.mail.aliyun.com [115.124.30.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 88C39155333; Wed, 12 Mar 2025 11:28:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=115.124.30.99 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741778942; cv=none; b=SqueT6fOUF7oJ2HvGec0in1XLxDNjQvVKa9bZ5qhYe3mgOVk4wdWcSJ8B1R+oEqsOWkYosThUNoxqRB45SbZU9ihyR6vEiB5+n/HDJANMHltThdhgk9xahTKshj4Hiw4RRP04Z6KLFoEa11pamBAlEzrdzk23dJWCxXpS6BseHw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741778942; c=relaxed/simple; bh=bT/nJAXFmHd6EnGcFSBetthh2ryHhFLbX5hC7UrIWz4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=EcsR8kpaASEdUUbs3jXnYbC67fJ0Ne2So3dzCXYYlsMnNYoGX9uJV5O/ERc7AUyCptaybiKo9QE6hEvXqi+YRXiI9xPB4OlhxF5Kp5V0gNo7qV5skeUjmeKtvF1Ve5BH02J7tHDM4fXvBGsXSKGr6Fujwf1kNiwbKU4vwrXzE9A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com; spf=pass smtp.mailfrom=linux.alibaba.com; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b=XiiHiyJS; arc=none smtp.client-ip=115.124.30.99 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b="XiiHiyJS" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.alibaba.com; s=default; t=1741778936; h=From:To:Subject:Date:Message-ID:MIME-Version; bh=vDfxkI5giWrkXyBcohVPuoNEY+c5llJuxem0Ij3I5bc=; b=XiiHiyJSasEU+6GzgSOkMpeqxWs8aKhkUP8/a8RZW/3/EgoAXmRQnEuNEjj4zWl2BU3Po6pZLFvc1yc7SsKvCKX+h6k7EM0nA663hA1OJetrB4DapwAbB2sQTtZHYCHlsBT9DUQViNu3/Jkl8fIuK4NNajH2O3WtstZodvhrlzo= Received: from localhost.localdomain(mailfrom:xueshuai@linux.alibaba.com fp:SMTPD_---0WRCdv11_1741778934 cluster:ay36) by smtp.aliyun-inc.com; Wed, 12 Mar 2025 19:28:54 +0800 From: Shuai Xue To: akpm@linux-foundation.org, linmiaohe@huawei.com, nao.horiguchi@gmail.com Cc: tony.luck@intel.com, bp@alien8.de, peterz@infradead.org, catalin.marinas@arm.com, yazen.ghannam@amd.com, tglx@linutronix.de, mingo@redhat.com, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, jpoimboe@kernel.org, linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, baolin.wang@linux.alibaba.com, tianruidong@linux.alibaba.com, xueshuai@linux.alibaba.com Subject: [PATCH v4 1/3] x86/mce: Use is_copy_from_user() to determine copy-from-user context Date: Wed, 12 Mar 2025 19:28:50 +0800 Message-ID: <20250312112852.82415-2-xueshuai@linux.alibaba.com> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20250312112852.82415-1-xueshuai@linux.alibaba.com> References: <20250312112852.82415-1-xueshuai@linux.alibaba.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Commit 4c132d1d844a ("x86/futex: Remove .fixup usage") introduced a new extable fixup type, EX_TYPE_EFAULT_REG, and commit 4c132d1d844a ("x86/futex: Remove .fixup usage") updated the extable fixup type for copy-from-user operations, changing it from EX_TYPE_UACCESS to EX_TYPE_EFAULT_REG. The error context for copy-from-user operations no longer functions as an in-kernel recovery context. Consequently, the error context for copy-from-user operations no longer functions as an in-kernel recovery context, resulting in kernel panics with the message: "Machine check: Data load in unrecoverable area of kernel." To address this, it is crucial to identify if an error context involves a read operation from user memory. The function is_copy_from_user() can be utilized to determine: - the current operation is copy - when reading user memory When these conditions are met, is_copy_from_user() will return true, confirming that it is indeed a direct copy from user memory. This check is essential for correctly handling the context of errors in these operations without relying on the extable fixup types that previously allowed for in-kernel recovery. So, use is_copy_from_user() to determine if a context is copy user directly. Fixes: 4c132d1d844a ("x86/futex: Remove .fixup usage") Suggested-by: Peter Zijlstra Signed-off-by: Shuai Xue Acked-by: Borislav Petkov (AMD) Tested-by: Tony Luck Cc: stable@vger.kernel.org --- arch/x86/kernel/cpu/mce/severity.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/s= everity.c index dac4d64dfb2a..2235a7477436 100644 --- a/arch/x86/kernel/cpu/mce/severity.c +++ b/arch/x86/kernel/cpu/mce/severity.c @@ -300,13 +300,12 @@ static noinstr int error_context(struct mce *m, struc= t pt_regs *regs) copy_user =3D is_copy_from_user(regs); instrumentation_end(); =20 - switch (fixup_type) { - case EX_TYPE_UACCESS: - if (!copy_user) - return IN_KERNEL; - m->kflags |=3D MCE_IN_KERNEL_COPYIN; - fallthrough; + if (copy_user) { + m->kflags |=3D MCE_IN_KERNEL_COPYIN | MCE_IN_KERNEL_RECOV; + return IN_KERNEL_RECOV; + } =20 + switch (fixup_type) { case EX_TYPE_FAULT_MCE_SAFE: case EX_TYPE_DEFAULT_MCE_SAFE: m->kflags |=3D MCE_IN_KERNEL_RECOV; --=20 2.39.3 From nobody Tue Dec 16 11:12:19 2025 Received: from out30-110.freemail.mail.aliyun.com (out30-110.freemail.mail.aliyun.com [115.124.30.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 49CE1241109; Wed, 12 Mar 2025 11:29:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=115.124.30.110 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741778948; cv=none; b=GZ5ZX4J1WtA7iyM5jJWh2wPzOqaCClEtVM4lQpPui3O/gQr7kMtXJ5OvIuvwZUILM7gr3eQHdTyjVwATrdz0Gvx1McceQNCNNkmN2cRDvoJMYe+ilwng1krF38ppMB/Vt/eXBrpl/rsBS/vvdLNsc+FJ699AW9LCveuEkG6itxk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741778948; c=relaxed/simple; bh=Y/+cR4hSH3W8GnEHVfKTpi6KgYPJIsatZB1YI6j8hCY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=b5uMtMrjA0ZtBSUo8ht4PqGOo8ymdqGF8PnRWTjZhm5iY8n1/AXR8kJZKQBgZR8PoyzNJSUttNopm1dpnJm2Ku1AoFkRL0JvFiJIX7hMwpPqdfwRJbXVVWuCzX6sVXEkk3VbLOkQB9l5306wBBon0GpDj8AAbv+t1bTkqKqvAVA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com; spf=pass smtp.mailfrom=linux.alibaba.com; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b=P1upmFou; arc=none smtp.client-ip=115.124.30.110 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b="P1upmFou" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.alibaba.com; s=default; t=1741778937; h=From:To:Subject:Date:Message-ID:MIME-Version; bh=bbkn64ghX0689OXQU9V6jOFRXnCMdCl48Q1ObBbcJ48=; b=P1upmFouRfxdLGsORVIZuJdLlx0UD09zTqyu3WGwJxTHeWFUWMN6/sOP4FQc2azr57PFriXc7C0M1q0frJJHHSK/CXAwvkcH4cPUK9DcqPKxG7SmLGc//CAeJ9APVdmcZ8NBUktjZwEQYDyVZnd6P8x6m8ytVqpcqnWkHoCmDoY= Received: from localhost.localdomain(mailfrom:xueshuai@linux.alibaba.com fp:SMTPD_---0WRCdv1J_1741778935 cluster:ay36) by smtp.aliyun-inc.com; Wed, 12 Mar 2025 19:28:55 +0800 From: Shuai Xue To: akpm@linux-foundation.org, linmiaohe@huawei.com, nao.horiguchi@gmail.com Cc: tony.luck@intel.com, bp@alien8.de, peterz@infradead.org, catalin.marinas@arm.com, yazen.ghannam@amd.com, tglx@linutronix.de, mingo@redhat.com, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, jpoimboe@kernel.org, linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, baolin.wang@linux.alibaba.com, tianruidong@linux.alibaba.com, xueshuai@linux.alibaba.com Subject: [PATCH v4 2/3] mm/hwpoison: Do not send SIGBUS to processes with recovered clean pages Date: Wed, 12 Mar 2025 19:28:51 +0800 Message-ID: <20250312112852.82415-3-xueshuai@linux.alibaba.com> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20250312112852.82415-1-xueshuai@linux.alibaba.com> References: <20250312112852.82415-1-xueshuai@linux.alibaba.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When an uncorrected memory error is consumed there is a race between the CMCI from the memory controller reporting an uncorrected error with a UCNA signature, and the core reporting and SRAR signature machine check when the data is about to be consumed. - Background: why *UN*corrected errors tied to *C*MCI in Intel platform [1] Prior to Icelake memory controllers reported patrol scrub events that detected a previously unseen uncorrected error in memory by signaling a broadcast machine check with an SRAO (Software Recoverable Action Optional) signature in the machine check bank. This was overkill because it's not an urgent problem that no core is on the verge of consuming that bad data. It's also found that multi SRAO UCE may cause nested MCE interrupts and finally become an IERR. Hence, Intel downgrades the machine check bank signature of patrol scrub from SRAO to UCNA (Uncorrected, No Action required), and signal changed to #CMCI. Just to add to the confusion, Linux does take an action (in uc_decode_notifier()) to try to offline the page despite the UC*NA* signature name. - Background: why #CMCI and #MCE race when poison is consuming in Intel pla= tform [1] Having decided that CMCI/UCNA is the best action for patrol scrub errors, the memory controller uses it for reads too. But the memory controller is executing asynchronously from the core, and can't tell the difference between a "real" read and a speculative read. So it will do CMCI/UCNA if an error is found in any read. Thus: 1) Core is clever and thinks address A is needed soon, issues a speculative= read. 2) Core finds it is going to use address A soon after sending the read requ= est 3) The CMCI from the memory controller is in a race with MCE from the core that will soon try to retire the load from address A. Quite often (because speculation has got better) the CMCI from the memory controller is delivered before the core is committed to the instruction reading address A, so the interrupt is taken, and Linux offlines the page (marking it as poison). - Why user process is killed for instr case Commit 046545a661af ("mm/hwpoison: fix error page recovered but reported "not recovered"") tries to fix noise message "Memory error not recovered" and skips duplicate SIGBUSs due to the race. But it also introduced a bug that kill_accessing_process() return -EHWPOISON for instr case, as result, kill_me_maybe() send a SIGBUS to user process. If the CMCI wins that race, the page is marked poisoned when uc_decode_notifier() calls memory_failure(). For dirty pages, memory_failure() invokes try_to_unmap() with the TTU_HWPOISON flag, converting the PTE to a hwpoison entry. As a result, kill_accessing_process(): - call walk_page_range() and return 1 regardless of whether try_to_unmap() succeeds or fails, - call kill_proc() to make sure a SIGBUS is sent - return -EHWPOISON to indicate that SIGBUS is already sent to the process and kill_me_maybe() doesn't have to send it again. However, for clean pages, the TTU_HWPOISON flag is cleared, leaving the PTE unchanged and not converted to a hwpoison entry. Conversely, for clean pages where PTE entries are not marked as hwpoison, kill_accessing_process() returns -EFAULT, causing kill_me_maybe() to send a SIGBUS. Console log looks like this: Memory failure: 0x827ca68: corrupted page was clean: dropped without si= de effects Memory failure: 0x827ca68: recovery action for clean LRU page: Recovered Memory failure: 0x827ca68: already hardware poisoned mce: Memory error not recovered To fix it, return 0 for "corrupted page was clean", preventing an unnecessary SIGBUS to user process. [1] https://lore.kernel.org/lkml/20250217063335.22257-1-xueshuai@linux.alib= aba.com/T/#mba94f1305b3009dd340ce4114d3221fe810d1871 Fixes: 046545a661af ("mm/hwpoison: fix error page recovered but reported "n= ot recovered"") Signed-off-by: Shuai Xue Tested-by: Tony Luck Acked-by: Miaohe Lin Cc: stable@vger.kernel.org --- mm/memory-failure.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index 995a15eb67e2..b037952565be 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -881,12 +881,17 @@ static int kill_accessing_process(struct task_struct = *p, unsigned long pfn, mmap_read_lock(p->mm); ret =3D walk_page_range(p->mm, 0, TASK_SIZE, &hwpoison_walk_ops, (void *)&priv); + /* + * ret =3D 1 when CMCI wins, regardless of whether try_to_unmap() + * succeeds or fails, then kill the process with SIGBUS. + * ret =3D 0 when poison page is a clean page and it's dropped, no + * SIGBUS is needed. + */ if (ret =3D=3D 1 && priv.tk.addr) kill_proc(&priv.tk, pfn, flags); - else - ret =3D 0; mmap_read_unlock(p->mm); - return ret > 0 ? -EHWPOISON : -EFAULT; + + return ret > 0 ? -EHWPOISON : 0; } =20 /* --=20 2.39.3 From nobody Tue Dec 16 11:12:19 2025 Received: from out30-133.freemail.mail.aliyun.com (out30-133.freemail.mail.aliyun.com [115.124.30.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0917E240611; Wed, 12 Mar 2025 11:29:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=115.124.30.133 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741778947; cv=none; b=i2qWBfrCPyEPt3YU/MKRzzrWciOWUGqylLu7bzAUoKejacr/p1/fWeFGX763n+RrQ+OLe64+/U6RGPsnQv6+xlnC81sqsRlo/4Z6mh45FB4xnNELlndImuW3tN5Y4TZe0NHNgISkH2xVWwKpoSEJnlhp9yr4/mgPQUKybVue7oo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741778947; c=relaxed/simple; bh=1B0zyuHbHYrUKZmiLC1az+QZbD/z8RspdhdW/A2QVtE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=cWMU63j0HNMJb9+1/7GYU0GYZahDc2NHvqz/U2io3qHOEsp9Yu7NH4oj2OnPYZ3qhVP9a03MJAfbcdgCUGsgMpmS6KCkRRCrQknR5xsF3thsuh0AgEuPe+KRh9H/MDUQoFJMyZylA1jd+X6j6KaSRSwnNUBuV0BPGlPkJnHwixs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com; spf=pass smtp.mailfrom=linux.alibaba.com; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b=l+osHe5E; arc=none smtp.client-ip=115.124.30.133 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b="l+osHe5E" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.alibaba.com; s=default; t=1741778937; h=From:To:Subject:Date:Message-ID:MIME-Version; bh=R4Y2pmrTYmO5bH57hWQGBotlkwzT7/jOJNJhq77FZVM=; b=l+osHe5E+0x5kCoyi8YGZ0mXf1/uREkuaJcqA2kJcZ5Ho4EG/+9mToEviln35roYuyOtXNX14tzoodWdO0KLWOIacPW1zbAj9E0clrUZO08pV6DRXtMKOLPQpO7QV0xsYjV4VnA2Kjpf0DEPs3qVJytouyUCre3xXii1wz9tsr4= Received: from localhost.localdomain(mailfrom:xueshuai@linux.alibaba.com fp:SMTPD_---0WRCdv1i_1741778935 cluster:ay36) by smtp.aliyun-inc.com; Wed, 12 Mar 2025 19:28:56 +0800 From: Shuai Xue To: akpm@linux-foundation.org, linmiaohe@huawei.com, nao.horiguchi@gmail.com Cc: tony.luck@intel.com, bp@alien8.de, peterz@infradead.org, catalin.marinas@arm.com, yazen.ghannam@amd.com, tglx@linutronix.de, mingo@redhat.com, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, jpoimboe@kernel.org, linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, baolin.wang@linux.alibaba.com, tianruidong@linux.alibaba.com, xueshuai@linux.alibaba.com Subject: [PATCH v4 3/3] mm: memory-failure: Enhance comments for return value of memory_failure() Date: Wed, 12 Mar 2025 19:28:52 +0800 Message-ID: <20250312112852.82415-4-xueshuai@linux.alibaba.com> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20250312112852.82415-1-xueshuai@linux.alibaba.com> References: <20250312112852.82415-1-xueshuai@linux.alibaba.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The comments for the return value of memory_failure are not complete, supplement the comments. Signed-off-by: Shuai Xue Reviewed-by: Jarkko Sakkinen Reviewed-by: Jonathan Cameron Reviewed-by: Yazen Ghannam Reviewed-by: Jane Chu Acked-by: Miaohe Lin Tested-by: Tony Luck --- mm/memory-failure.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/mm/memory-failure.c b/mm/memory-failure.c index b037952565be..8649849bcdb4 100644 --- a/mm/memory-failure.c +++ b/mm/memory-failure.c @@ -2216,9 +2216,13 @@ static void kill_procs_now(struct page *p, unsigned = long pfn, int flags, * Must run in process context (e.g. a work queue) with interrupts * enabled and no spinlocks held. * - * Return: 0 for successfully handled the memory error, - * -EOPNOTSUPP for hwpoison_filter() filtered the error event, - * < 0(except -EOPNOTSUPP) on failure. + * Return: + * 0 - success, + * -ENXIO - memory not managed by the kernel + * -EOPNOTSUPP - hwpoison_filter() filtered the error event, + * -EHWPOISON - the page was already poisoned, potentially + * kill process, + * other negative values - failure. */ int memory_failure(unsigned long pfn, int flags) { --=20 2.39.3