Re: [PATCH v3 02/22] x86,mce: Delete ist_begin_non_atomic()

From: Andy Lutomirski
Date: Wed Feb 19 2020 - 17:12:29 EST

On Wed, Feb 19, 2020 at 9:34 AM Peter Zijlstra <peterz@xxxxxxxxxxxxx> wrote:
> On Wed, Feb 19, 2020 at 09:21:48AM -0800, Andy Lutomirski wrote:
> > On Wed, Feb 19, 2020 at 9:13 AM Borislav Petkov <bp@xxxxxxxxx> wrote:
> > >
> > > On Wed, Feb 19, 2020 at 03:47:26PM +0100, Peter Zijlstra wrote:
> > > > Subject: Re: [PATCH v3 02/22] x86,mce: Delete ist_begin_non_atomic()
> > >
> > > x86/mce: ...
> > >
> > > > It is an abomination; and in prepration of removing the whole
> > > > ist_enter() thing, it needs to go.
> > > >
> > > > Convert #MC over to using task_work_add() instead; it will run the
> > > > same code slightly later, on the return to user path of the same
> > > > exception.
> > >
> > > That's fine because the error happened in userspace.
> >
> > Unless there is a signal pending and the signal setup code is about to
> > hit the same failed memory. I suppose we can just treat cases like
> > this as "oh well, time to kill the whole system".
> >
> > But we should genuinely agree that we're okay with deferring this handling.
> It doesn't delay much. The moment it does that local_irq_enable() it's
> subject to preemption, just like it is on the return to user path.
> Do you really want to create code that unwinds enough of nmi_enter() to
> get you to a preemptible context? *shudder*

Well, there's another way to approach this:

void notrace nonothing do_machine_check(struct pt_regs *regs)
if (user_mode(regs))

void do_sane_machine_check(regs)
nothing special here. just a regular exception, more or less.

void do_awful_macine_check(regs)
basically an NMI. No funny business, no recovery possible.
task_work_add() not allowed.

Or, even better, depending on how tglx's series shakes out, we could
build on this patch:

and actually have two separate do_machine_check entry points. So we'd
do, roughly:

idtentry_ist ... normal_stack_entry=do_sane_machine_check

and now there's no chance for confusion.

All of the above has some issues when Tony decides that he wants to
recover from specially annotated recoverable kernel memory accesses.
Then task_word_add() is a nonstarter, but the current
stack-switch-from-usermode *also* doesn't work. I floated the idea of
also doing the stack switch if we come from an IF=1 context, but
that's starting to get nasty.

One big question here: are memory failure #MC exceptions synchronous
or can they be delayed? If we get a memory failure, is it possible
that the #MC hits some random context and not the actual context where
the error occurred?

I suppose the general consideration I'm trying to get at is: is
task_work_add() actually useful at all here? For the case when a
kernel thread does memcpy_mcsafe() or similar, task work registered
using task_work_add() will never run.