From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id B5447EB64D7 for ; Wed, 28 Jun 2023 12:38:28 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 28D2B8D0002; Wed, 28 Jun 2023 08:38:28 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 23E2C8D0001; Wed, 28 Jun 2023 08:38:28 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 0DEAF8D0002; Wed, 28 Jun 2023 08:38:28 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id EF99C8D0001 for ; Wed, 28 Jun 2023 08:38:27 -0400 (EDT) Received: from smtpin20.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay04.hostedemail.com (Postfix) with ESMTP id B84D71A0122 for ; Wed, 28 Jun 2023 12:38:27 +0000 (UTC) X-FDA: 80952109854.20.E89708E Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by imf13.hostedemail.com (Postfix) with ESMTP id 75F3520015 for ; Wed, 28 Jun 2023 12:38:25 +0000 (UTC) Authentication-Results: imf13.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=S4xhR6kB; dmarc=pass (policy=none) header.from=intel.com; spf=none (imf13.hostedemail.com: domain of kirill.shutemov@linux.intel.com has no SPF policy when checking 192.55.52.88) smtp.mailfrom=kirill.shutemov@linux.intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1687955905; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=7BbNTbXLhsj+bBEVrn009KygE8TEkVa/MJFKPULDIDA=; b=rDrnMhtn/WVQ8QNKBgB9xH9uhocsEB4BN3EHhyOgfkVOroNIQJfMb3cTtKzN+BjImkCZZA 1ZTUj0ML2uXKx7e+ITsTl2Mo7NvIptKT/aFC/ZAXbmWxHfaD07GLJ/ezxkNiOdgxxdpyeP MqD94YYUjyckyp6+pWVVBOVLC4lw3S8= ARC-Authentication-Results: i=1; imf13.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=S4xhR6kB; dmarc=pass (policy=none) header.from=intel.com; spf=none (imf13.hostedemail.com: domain of kirill.shutemov@linux.intel.com has no SPF policy when checking 192.55.52.88) smtp.mailfrom=kirill.shutemov@linux.intel.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1687955905; a=rsa-sha256; cv=none; b=LYG4CP02YXC+aHa8Yef+nYr+s15lz5X+f6PDyNsxltR5JdzcY7A0659mCaARRszzO+hfn4 pptiY5X0siZ+94mNUFSHL8J7Ne2MXG3t4JUmbRABgxj2hZcWiU77j3/ilcIvLFRDUdbRdS eWbuHL5vVZbn2QOYWfjPhWxxf62wVCM= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1687955905; x=1719491905; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=vmEK/YbRpjOHK6AGLBfzc3yNkSj1WJuJ8VXyPYLSm8g=; b=S4xhR6kBAo1M/6rnamu4VsZgdGxH4nU0I7ENUk3h5GBeYBJ4XaaQe3xM 6vnKgjmAPGQDO30yjIQU5Bd0ymFbekOR8FmdzDCqtat5bIevLGCgBhoiT 2ELLpMotW5XGyBLKdlCa053yLKAUciM9zYmH9KvVE29kYwLoIZKxGD43z cu0gyYDhMpfRpUmd3uy99mvrAgVMgAiMjt/VAMG69sEDjN8E+fMRAnHQT 35G6gQO+OP2uTzGiQH4VW9q7E5UfFKeMItRgmrKjwXRoFF/AJE5gXd0Xi isnaNLtS1vRHMPJVdEbOXPb6EsWMdrLAm1xy+0+rA/wzQ1wFYrtobJXpl g==; X-IronPort-AV: E=McAfee;i="6600,9927,10754"; a="392555615" X-IronPort-AV: E=Sophos;i="6.01,165,1684825200"; d="scan'208";a="392555615" Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Jun 2023 05:38:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10754"; a="711035986" X-IronPort-AV: E=Sophos;i="6.01,165,1684825200"; d="scan'208";a="711035986" Received: from rajritu-mobl2.ger.corp.intel.com (HELO box.shutemov.name) ([10.249.47.187]) by orsmga007-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Jun 2023 05:38:13 -0700 Received: by box.shutemov.name (Postfix, from userid 1000) id 56CF41095C8; Wed, 28 Jun 2023 15:38:09 +0300 (+03) Date: Wed, 28 Jun 2023 15:38:09 +0300 From: kirill.shutemov@linux.intel.com To: Kai Huang Cc: linux-kernel@vger.kernel.org, kvm@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org, dave.hansen@intel.com, tony.luck@intel.com, peterz@infradead.org, tglx@linutronix.de, bp@alien8.de, mingo@redhat.com, hpa@zytor.com, seanjc@google.com, pbonzini@redhat.com, david@redhat.com, dan.j.williams@intel.com, rafael.j.wysocki@intel.com, ashok.raj@intel.com, reinette.chatre@intel.com, len.brown@intel.com, ak@linux.intel.com, isaku.yamahata@intel.com, ying.huang@intel.com, chao.gao@intel.com, sathyanarayanan.kuppuswamy@linux.intel.com, nik.borisov@suse.com, bagasdotme@gmail.com, sagis@google.com, imammedo@redhat.com Subject: Re: [PATCH v12 21/22] x86/mce: Improve error log of kernel space TDX #MC due to erratum Message-ID: <20230628123809.ax7q7moxpavbibed@box.shutemov.name> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspam-User: X-Stat-Signature: kmcnfz5p1segtprfusjxeuxuk9b6gcxh X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: 75F3520015 X-HE-Tag: 1687955905-839736 X-HE-Meta: U2FsdGVkX1/g6whTGtxYnkm2LAI+FRhRnPLA+qO8XypPfCkb13um7ftP9bo0BRFW6yxgJ7/blsqfOAsAg+aNRLForOzr3c6g3CaAAyw1ePIt4BVVOeM8S702X+gV4VLhRku+7I50WNv2c/ljAZO3w9Tm81fGvHEBA7Fn40eImD426Pcgf+HNIMlIjrkv8Ma+OxBw56qJAvPMEX6t0KfSA0eD1UrVXBN1++xld+GMQ0gjdcn3BdnzlQk+uDCB0TKRFhUIJ4A+oGrzix9VMIPeTZ3hoCvl9qAu4NpU3c+7W05Irlgdx/7EM9kgkFpLa9WOtSEpLAj5ymMD+rLxEWvNI9hvVDQReWAJM194NQyhHB/kdFLru+D8wLXt/MQOkKfxseG8xu/KLXzjSKhXGDCHRC8Affg34+UAWIZitW71G4yrUcOJC7oZZSbWMKTZuGpJJJ44sn+UinWbNyfvkOyqSJ9gUqBAWJKbT65EJWFhwk/siOd72H+7CEMhmsErWzpwWiQ/dbvyWEzRTPJ1XuLy4EoeG+zCtge9t8D//iUA1GeVAnX8kKEXE7Em1ioEFSkELqoifzJp8gpGFXLfw+LFKtmrL8UG65DYBLn4ipHjfz/UFdbpjqX0s5lbNTOmZkbH7PVL38VHY/HJDm6T0CdzYSZH0UKcq7fZPrULANB3UrTuyTUNeSwvtoH5ZVv6Vjfo3ZqlVO3OBGyZ/jGV/8b1QHoeE6igRLPAZOYoWsy2NiSx9Sj1SNqJB/XRv8ciEUz8gSrEKNnYO59RtDJg4WkVEYTKmLyhnpTEuihrJT5BovBPq0j2qF8ExCLgebvLugLIdjqzabiQqmcRUGr0v1RWoQkxoBgx7LK10vDW43BiFEcfyBNRQnkXqWNni9XbmGJ6k116ZOegKhJD5bSdVRRnwRTJEXvw465/VisELu0hoRp6A/Us32O3s5RemueDmKdHWNGbLigqQMO6pYHjk+9 M3DxUrSk zg1lzXV8gg6v5VXRc5IgbHFlwGTAe+gT5a8nnmlWjXsER3q80SybBEX8bk6fHAIz0BdB2LxQc3Q0N7RzwOGEWDV61IAJjkI+1GsAYmWKcPXls9wle/HusrxP5ql4SPfWrIoTi4wkXbEhnmFI= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Jun 27, 2023 at 02:12:51AM +1200, Kai Huang wrote: > The first few generations of TDX hardware have an erratum. Triggering > it in Linux requires some kind of kernel bug involving relatively exotic > memory writes to TDX private memory and will manifest via > spurious-looking machine checks when reading the affected memory. > > == Background == > > Virtually all kernel memory accesses operations happen in full > cachelines. In practice, writing a "byte" of memory usually reads a 64 > byte cacheline of memory, modifies it, then writes the whole line back. > Those operations do not trigger this problem. > > This problem is triggered by "partial" writes where a write transaction > of less than cacheline lands at the memory controller. The CPU does > these via non-temporal write instructions (like MOVNTI), or through > UC/WC memory mappings. The issue can also be triggered away from the > CPU by devices doing partial writes via DMA. > > == Problem == > > A partial write to a TDX private memory cacheline will silently "poison" > the line. Subsequent reads will consume the poison and generate a > machine check. According to the TDX hardware spec, neither of these > things should have happened. > > To add insult to injury, the Linux machine code will present these as a > literal "Hardware error" when they were, in fact, a software-triggered > issue. > > == Solution == > > In the end, this issue is hard to trigger. Rather than do something > rash (and incomplete) like unmap TDX private memory from the direct map, > improve the machine check handler. > > Currently, the #MC handler doesn't distinguish whether the memory is > TDX private memory or not but just dump, for instance, below message: > > [...] mce: [Hardware Error]: CPU 147: Machine Check Exception: f Bank 1: bd80000000100134 > [...] mce: [Hardware Error]: RIP 10: {__tlb_remove_page_size+0x10/0xa0} > ... > [...] mce: [Hardware Error]: Run the above through 'mcelog --ascii' > [...] mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel > [...] Kernel panic - not syncing: Fatal local machine check > > Which says "Hardware Error" and "Data load in unrecoverable area of > kernel". > > Ideally, it's better for the log to say "software bug around TDX private > memory" instead of "Hardware Error". But in reality the real hardware > memory error can happen, and sadly such software-triggered #MC cannot be > distinguished from the real hardware error. Also, the error message is > used by userspace tool 'mcelog' to parse, so changing the output may > break userspace. > > So keep the "Hardware Error". The "Data load in unrecoverable area of > kernel" is also helpful, so keep it too. > > Instead of modifying above error log, improve the error log by printing > additional TDX related message to make the log like: > > ... > [...] mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel > [...] mce: [Hardware Error]: Machine Check: TDX private memory error. Possible kernel bug. > > Adding this additional message requires determination of whether the > memory page is TDX private memory. There is no existing infrastructure > to do that. Add an interface to query the TDX module to fill this gap. > > == Impact == > > This issue requires some kind of kernel bug to trigger. > > TDX private memory should never be mapped UC/WC. A partial write > originating from these mappings would require *two* bugs, first mapping > the wrong page, then writing the wrong memory. It would also be > detectable using traditional memory corruption techniques like > DEBUG_PAGEALLOC. > > MOVNTI (and friends) could cause this issue with something like a simple > buffer overrun or use-after-free on the direct map. It should also be > detectable with normal debug techniques. > > The one place where this might get nasty would be if the CPU read data > then wrote back the same data. That would trigger this problem but > would not, for instance, set off mechanisms like slab redzoning because > it doesn't actually corrupt data. > > With an IOMMU at least, the DMA exposure is similar to the UC/WC issue. > TDX private memory would first need to be incorrectly mapped into the > I/O space and then a later DMA to that mapping would actually cause the > poisoning event. > > Signed-off-by: Kai Huang Reviewed-by: Kirill A. Shutemov -- Kiryl Shutsemau / Kirill A. Shutemov