Re: [PATCH 1/5] HWPOISON: define VM_FAULT_HWPOISON to 0 whenfeature is disabled
From: Ingo Molnar
Date: Fri Jun 12 2009 - 09:18:40 EST
* Wu Fengguang <fengguang.wu@xxxxxxxxx> wrote:
> Hi Ingo,
>
> On Fri, Jun 12, 2009 at 07:22:58PM +0800, Ingo Molnar wrote:
> >
> > * Wu Fengguang <fengguang.wu@xxxxxxxxx> wrote:
> >
> > > So as to eliminate one #ifdef in the c source.
> > >
> > > Proposed by Nick Piggin.
> > >
> > > CC: Nick Piggin <npiggin@xxxxxxx>
> > > Signed-off-by: Wu Fengguang <fengguang.wu@xxxxxxxxx>
> > > ---
> > > arch/x86/mm/fault.c | 3 +--
> > > include/linux/mm.h | 7 ++++++-
> > > 2 files changed, 7 insertions(+), 3 deletions(-)
> > >
> > > --- sound-2.6.orig/arch/x86/mm/fault.c
> > > +++ sound-2.6/arch/x86/mm/fault.c
> > > @@ -819,14 +819,13 @@ do_sigbus(struct pt_regs *regs, unsigned
> > > tsk->thread.error_code = error_code;
> > > tsk->thread.trap_no = 14;
> > >
> > > -#ifdef CONFIG_MEMORY_FAILURE
> > > if (fault & VM_FAULT_HWPOISON) {
> > > printk(KERN_ERR
> > > "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
> > > tsk->comm, tsk->pid, address);
> > > code = BUS_MCEERR_AR;
> > > }
> > > -#endif
> >
> > Btw., anything like this should happen in close cooperation with
> > the x86 tree, not as some pure MM feature. I dont see Cc:s and
> > nothing that indicates that realization. What's going on here?
>
> Ah sorry for the ignorance! Andi has a nice overview of the big
> picture here: http://lkml.org/lkml/2009/6/3/371
>
> In the above chunk, the process is trying to access the already
> corrupted page and thus shall be killed, otherwise it will either
> silently consume corrupted data, or will trigger another (deadly)
> MCE event and bring down the whole machine.
This seems like trying to handle a failure mode that cannot be and
shouldnt be 'handled' really. If there's an 'already corrupted' page
then the box should go down hard and fast, and we should not risk
_even more user data corruption_ by trying to 'continue' in the hope
of having hit some 'harmless' user process that can be killed ...
So i find the whole feature rather dubious - what's the point? We
should panic at this point - we just corrupted user data so that
piece of hardware cannot be trusted. Nor can any subsequent kernel
bug messages be trusted.
Do we really want this in the core Linux VM and in the architecture
pagefault handling code and elsewhere? Am i the only one who finds
this concept of 'handling' user data corruption rather dubious?
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/