Re: [PATCH 1/5] HWPOISON: define VM_FAULT_HWPOISON to 0 when feature is disabled
From: Nick Piggin
Date: Wed Jun 17 2009 - 03:51:42 EST
On Tue, Jun 16, 2009 at 03:27:26PM -0500, Russ Anderson wrote:
> On Mon, Jun 15, 2009 at 08:52:32AM +0200, Nick Piggin wrote:
> > On Fri, Jun 12, 2009 at 05:35:01PM +0200, Ingo Molnar wrote:
> > > * Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > > On Fri, 12 Jun 2009, Ingo Molnar wrote:
> > > > >
> > > > > This seems like trying to handle a failure mode that cannot be
> > > > > and shouldnt be 'handled' really. If there's an 'already
> > > > > corrupted' page then the box should go down hard and fast, and
> > > > > we should not risk _even more user data corruption_ by trying to
> > > > > 'continue' in the hope of having hit some 'harmless' user
> > > > > process that can be killed ...
> > > >
> > > > No, the box should _not_ go down hard-and-fast. That's the last
> > > > thing we should *ever* do.
> > > >
> > > > We need to log it. Often at a user level (ie we want to make sure
> > > > it actually hits syslog, possibly goes out the network, maybe pops
> > > > up a window, whatever).
> > > >
> > > > Shutting down the machine is the last thing we ever want to do.
> > > >
> > > > The whole "let's panic" mentality is a disease.
> > >
> > > No doubt about that - and i'm removing BUG_ON()s and panic()s
> > > wherever i can and havent added a single new one myself in the past
> > > 5 years or so, its a disease.
> > In HA failover systems you often do want to panic ASAP (after logging
> > to serial cosole I guess) if anything like this happens so the system
> > can be rebooted with minimal chance of data corruption spreading.
> The whole point of hardware data poisoning is to avoid having to
> panic the system due to the potential of undetected data corruption,
> because the corrupt data is always marked bad. This has worked
> well on ia64 where applications that encounter bad data are killed
> and the memory poisoned and not reallocated, avoiding a system panic.
> This has been used at customer sites for a few years. The type
> customers that really check their data. It is nice to see
> the hardware poison feature moving to the x86 "mainstream".
So long as you can get an MCE and panic if the corrupt data
actually gets consumed anywhere, then yes a "corrupt data
detected but not consumed" exception would not require a
I don't know enough about the arch details to know what kinds
of exceptions happen when.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/