Hi Boris, On 22/01/2019 10:51, Borislav Petkov wrote: > On Mon, Dec 10, 2018 at 07:15:13PM +0000, James Morse wrote: >> What happens if we miss MF_ACTION_REQUIRED? > > AFAICU, the logic is to force-send a signal to the user process, i.e., > force_sig_info() which cannot be ignored. IOW, an "enlightened" process > would know how to do recovery action from a memory error. > > VS the action optional thing which you can handle at your leisure. > So the question boils down to what kind of severity do the errors > reported through SEA have? I mean, if the hw would go the trouble to do > the synchronous reporting, then something important must've happened and > it wants us to know about it and handle it. Before v8.2 we assumed these were fatal for the thread, it couldn't make progress. Since v8.2 we get a value from the CPU, the severity values are, (the flippant summary is obviously mine!): * Recoverable: "You're about to step in it, fix it or die" * Uncontainable: "It was here, but it escaped, we dont know where it went, panic!" * Restartable/Corrected: "its fine, pretend this didn't happen" Firmware should duplicate these values into the CPER severity fields. >> Surely the page still gets unmapped as its PG_Poisoned, an AO signal >> may be pending, but if user-space touches the page it will get an AR >> signal. Is this just about removing an extra AO signal to user-space? If we miss MF_ACTION_REQUIRED, the page still gets unmapped from user-space, and user-space gets an AO signal. With this patch it takes that signal before it continues. If it ignores it, the access gets a translation-fault->EHWPOISON->AR signal from the arch code. ... so missing the flag gives us an extra signal. I'm not convinced this results in any observable difference. >> If we do need this, I'd like to pick it up from the CPER records, as x86's >> NOTIFY_NMI looks like it covers both AO/AR cases. (as does NOTIFY_SDEI). The >> Master/Target abort or Invalid-address types in the memory-error-section CPER >> records look like the best bet. > > Right, and we do all kinds of severity mapping there aka ghes_severity() > so that'll be a good start, methinks. The options are those 'aborts' in the memory error. These must have been a result of some request. If we get a CPU error structure as part of the same block, it may have a cache/bus error structure, which has a precise bit that tells us whether this is a co-incidence. (but linux doesn't support any of those structures today) Thanks, James
