From: James Morse <james.morse@arm.com>
To: Anshuman Khandual <anshuman.khandual@arm.com>
Cc: kexec@lists.infradead.org, linux-mm@kvack.org,
linux-arm-kernel@lists.infradead.org,
Eric Biederman <ebiederm@xmission.com>,
Andrew Morton <akpm@linux-foundation.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Bhupesh Sharma <bhsharma@redhat.com>
Subject: Re: [PATCH 1/3] kexec: Prevent removal of memory in use by a loaded kexec image
Date: Fri, 27 Mar 2020 15:46:56 +0000 [thread overview]
Message-ID: <edbaab77-8d89-46ed-a93e-5b76f457c1af@arm.com> (raw)
In-Reply-To: <c4764e40-96d5-e2e4-6479-dc8d167e25e0@arm.com>
Hi Anshuman,
On 3/27/20 12:43 AM, Anshuman Khandual wrote:
> On 03/26/2020 11:37 PM, James Morse wrote:
>> An image loaded for kexec is not stored in place, instead its segments
>> are scattered through memory, and are re-assembled when needed. In the
>> meantime, the target memory may have been removed.
>>
>> Because mm is not aware that this memory is still in use, it allows it
>> to be removed.
> Why the isolation process does not fail when these pages are currently
> being used by kexec ?
Kexec isn't using them right now, but it will once kexec is triggered.
Those physical addresses are held in some internal kexec data structures until
kexec is triggered.
>> Add a memory notifier to prevent the removal of memory regions that
>> overlap with a loaded kexec image segment. e.g., when triggered from the
>> Qemu console:
>> | kexec_core: memory region in use
>> | memory memory32: Offline failed.
>
> Yes this is definitely an added protection for these kexec loaded kernels
> memory areas from being offlined but I would have expected the preceding
> offlining to have failed as well.
kexec hasn't allocate the memory, part of the regions user-space may specify for
the next kernel may be in use. There is nothing to stop the memory being used in
the meantime.
Any other way of doing this would prevent us saying why it failed.
Like this, the user can spot the 'kexec: Memory region in use message', and
unload kexec.
>> diff --git a/kernel/kexec_core.c b/kernel/kexec_core.c
>> index c19c0dad1ebe..ba1d91e868ca 100644
>> --- a/kernel/kexec_core.c
>> +++ b/kernel/kexec_core.c
>> @@ -1219,3 +1222,56 @@ void __weak arch_kexec_protect_crashkres(void)
>>
>> void __weak arch_kexec_unprotect_crashkres(void)
>> {}
>> +
>> +/*
>> + * If user-space wants to offline memory that is in use by a loaded kexec
>> + * image, it should unload the image first.
>> + */
> Probably this would need kexec user manual and related system call man pages
> update as well.
I can't see anything relevant under Documentation. (kdump yes, kexec no...)
>> +static int mem_remove_cb(struct notifier_block *nb, unsigned long action,
>> + void *data)
>> +{
>> + int rv = NOTIFY_OK, i;
>> + struct memory_notify *arg = data;
>> + unsigned long pfn = arg->start_pfn;
>> + unsigned long nr_segments, sstart, send;
>> + unsigned long end_pfn = arg->start_pfn + arg->nr_pages;
>> +
>> + might_sleep();
>
> Required ?
Habit, and I think best practice. We take a mutex, so might_sleep(), but we also
conditionally return before lockdep would see the mutex. Having this annotation
means a dangerous change to the way this is called triggers a warning without
having to test memory hotplug explicitly.
>> +
>> + if (action != MEM_GOING_OFFLINE)
>> + return NOTIFY_DONE;
>> +
>> + mutex_lock(&kexec_mutex);
>> + if (kexec_image) {
>> + nr_segments = kexec_image->nr_segments;
>> +
>> + for (i = 0; i < nr_segments; i++) {
>> + sstart = PFN_DOWN(kexec_image->segment[i].mem);
>> + send = PFN_UP(kexec_image->segment[i].mem +
>> + kexec_image->segment[i].memsz);
>> +
>> + if ((pfn <= sstart && sstart < end_pfn) ||
>> + (pfn <= send && send < end_pfn)) {
>> + pr_warn("Memory region in use\n");
>> + rv = NOTIFY_BAD;
>> + break;
>> + }
>> + }
>> + }
>> + mutex_unlock(&kexec_mutex);
>> +
>> + return rv;
>
> Variable 'rv' is redundant, should use NOTIFY_[BAD|OK] directly instead.
You'd prefer a mutex_unlock() in the middle of the loop? ... or goto?
(I'm not convinced)
>> +}
>> +
>> +static struct notifier_block mem_remove_nb = {
>> + .notifier_call = mem_remove_cb,
>> +};
>> +
>> +static int __init register_mem_remove_cb(void)
>> +{
>> + if (IS_ENABLED(CONFIG_MEMORY_HOTPLUG))
>
> Should not all these new code here be wrapped with CONFIG_MEMORY_HOTREMOVE
> to reduce the scope as well as final code size when the config is disabled.
The compiler is really good at this. "if (false)" means this is all dead code,
and static means its not exported, so the compiler is free to remove it.
Not #ifdef-ing it makes it much more readable, and means the compiler checks its
valid C before it removes it. This avoids weird header include problems that
only show up on some rand-config builds.
Thanks,
James
>> + return register_memory_notifier(&mem_remove_nb);
>> +
>> + return 0;
>> +}
>> +device_initcall(register_mem_remove_cb);
>>
>
next prev parent reply other threads:[~2020-03-27 15:47 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-26 18:07 [PATCH 0/3] kexec/memory_hotplug: Prevent removal and accidental use James Morse
2020-03-26 18:07 ` [PATCH 1/3] kexec: Prevent removal of memory in use by a loaded kexec image James Morse
2020-03-27 0:43 ` Anshuman Khandual
2020-03-27 2:54 ` Baoquan He
2020-03-27 15:46 ` James Morse [this message]
2020-03-27 2:34 ` Baoquan He
2020-03-27 9:30 ` David Hildenbrand
2020-03-27 16:56 ` James Morse
2020-03-27 17:06 ` David Hildenbrand
2020-03-27 18:07 ` James Morse
2020-03-27 18:52 ` David Hildenbrand
2020-03-30 13:00 ` James Morse
2020-03-30 13:13 ` David Hildenbrand
2020-03-30 17:17 ` James Morse
2020-03-30 18:14 ` David Hildenbrand
2020-04-10 19:10 ` Andrew Morton
2020-04-11 3:44 ` Baoquan He
2020-04-11 9:30 ` Russell King - ARM Linux admin
2020-04-11 9:58 ` David Hildenbrand
2020-04-12 5:35 ` Baoquan He
2020-04-12 8:08 ` Russell King - ARM Linux admin
2020-04-12 19:52 ` Eric W. Biederman
2020-04-12 20:37 ` Bhupesh SHARMA
2020-04-13 2:37 ` Baoquan He
2020-04-13 13:15 ` Eric W. Biederman
2020-04-13 23:01 ` Andrew Morton
2020-04-14 6:13 ` Eric W. Biederman
2020-04-14 6:40 ` Baoquan He
2020-04-14 6:51 ` Baoquan He
2020-04-14 8:00 ` David Hildenbrand
2020-04-14 9:22 ` Baoquan He
2020-04-14 9:37 ` David Hildenbrand
2020-04-14 14:39 ` Baoquan He
2020-04-14 14:49 ` David Hildenbrand
2020-04-15 2:35 ` Baoquan He
2020-04-16 13:31 ` David Hildenbrand
2020-04-16 14:02 ` Baoquan He
2020-04-16 14:09 ` David Hildenbrand
2020-04-16 14:36 ` Baoquan He
2020-04-16 14:47 ` David Hildenbrand
2020-04-21 13:29 ` David Hildenbrand
2020-04-21 13:57 ` David Hildenbrand
2020-04-21 13:59 ` Eric W. Biederman
2020-04-21 14:30 ` David Hildenbrand
2020-04-22 9:17 ` Baoquan He
2020-04-22 9:24 ` David Hildenbrand
2020-04-22 9:57 ` Baoquan He
2020-04-22 10:05 ` David Hildenbrand
2020-04-22 10:36 ` Baoquan He
2020-04-14 9:16 ` Dave Young
2020-04-14 9:38 ` Dave Young
2020-04-14 7:05 ` David Hildenbrand
2020-04-14 16:55 ` James Morse
2020-04-14 17:41 ` David Hildenbrand
2020-04-15 20:33 ` Eric W. Biederman
2020-04-22 12:28 ` James Morse
2020-04-22 15:25 ` Eric W. Biederman
2020-04-22 16:40 ` David Hildenbrand
2020-04-23 16:29 ` Eric W. Biederman
2020-04-24 7:39 ` David Hildenbrand
2020-04-24 7:41 ` David Hildenbrand
2020-05-01 16:55 ` James Morse
2020-03-26 18:07 ` [PATCH 2/3] mm/memory_hotplug: Allow arch override of non boot memory resource names James Morse
2020-03-27 9:59 ` David Hildenbrand
2020-03-27 15:39 ` James Morse
2020-03-30 13:23 ` David Hildenbrand
2020-03-30 17:17 ` James Morse
2020-04-02 5:49 ` Dave Young
2020-04-02 6:12 ` piliu
2020-04-14 17:21 ` James Morse
2020-04-15 20:36 ` Eric W. Biederman
2020-04-22 12:14 ` James Morse
2020-05-09 0:45 ` Andrew Morton
2020-05-11 8:35 ` David Hildenbrand
2020-03-26 18:07 ` [PATCH 3/3] arm64: memory: Give hotplug memory a different resource name James Morse
2020-03-30 19:01 ` David Hildenbrand
2020-04-15 20:37 ` Eric W. Biederman
2020-04-22 12:14 ` James Morse
2020-03-27 2:11 ` [PATCH 0/3] kexec/memory_hotplug: Prevent removal and accidental use Baoquan He
2020-03-27 15:40 ` James Morse
2020-03-27 9:27 ` David Hildenbrand
2020-03-27 15:42 ` James Morse
2020-03-30 13:18 ` David Hildenbrand
2020-03-30 13:55 ` Baoquan He
2020-03-30 17:17 ` James Morse
2020-03-31 3:46 ` Dave Young
2020-04-14 17:31 ` James Morse
2020-03-31 3:38 ` Dave Young
2020-04-15 20:29 ` Eric W. Biederman
2020-04-22 12:14 ` James Morse
2020-04-22 13:04 ` Eric W. Biederman
2020-04-22 15:40 ` James Morse
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=edbaab77-8d89-46ed-a93e-5b76f457c1af@arm.com \
--to=james.morse@arm.com \
--cc=akpm@linux-foundation.org \
--cc=anshuman.khandual@arm.com \
--cc=bhsharma@redhat.com \
--cc=catalin.marinas@arm.com \
--cc=ebiederm@xmission.com \
--cc=kexec@lists.infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-mm@kvack.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox