[PATCH 02/11] ACPI / APEI: Generalise the estatus queue's add/remove and notify code
From: james.morse@arm.com (James Morse)
Date: 2018-03-19 14:31:58
Also in:
kvmarm, linux-acpi, linux-mm
Possibly related (same subject, not in this thread)
- 2018-03-01 · Re: [PATCH 02/11] ACPI / APEI: Generalise the estatus queue's add/remove and notify code · Borislav Petkov <bp@alien8.de>
- 2018-02-23 · Re: [PATCH 02/11] ACPI / APEI: Generalise the estatus queue's add/remove and notify code · James Morse <james.morse@arm.com>
- 2018-02-20 · Re: [PATCH 02/11] ACPI / APEI: Generalise the estatus queue's add/remove and notify code · Punit Agrawal <hidden>
- 2018-02-15 · [PATCH 02/11] ACPI / APEI: Generalise the estatus queue's add/remove and notify code · James Morse <james.morse@arm.com>
Hi Borislav, On 08/03/18 10:44, Borislav Petkov wrote:
On Wed, Mar 07, 2018 at 06:15:02PM +0000, James Morse wrote:quoted
Today its just x86 and arm64. arm64 doesn't have a hook to do this. I'm happy to add an empty declaration or leave it under an ifdef until someone complains about any behaviour I missed!So I did some more staring at the code and I think oops_begin() is needed mainly, as you point out, to prevent two oops messages from interleaving. And yap, the other stuff with printk() is not true anymore because the commit which added oops_begin(): 81e88fdc432a ("ACPI, APEI, Generic Hardware Error Source POLL/IRQ/NMI notification type support") still saw an NMI-unsafe printk. Which is long taken care of now. So only the interleaving issue remains. Which begs the question: how are you guys preventing the interleaving on arm64? Because arch/arm64/kernel/traps.c:200 grabs the die_lock too, so interleaving can happen on arm64 too, AFAICT.
die() messages are stopped from interleaving with each other by that die_lock. panic()s atomic_cmpxchg() then panic_smp_self_stop() means panic() is first-past-the-post. So our problem is interleaving of the two. The sequence is roughly: 1. oops_begin(); // I'm going to panic() 2. printk(some stuff); 3. panic(); Everything we print at (2) gets batched up by vprintk_nmi(), and is only printed from (3) when we call printk_safe_flush_on_panic(). ... and now I spot there are two calls to printk_safe_flush_on_panic(), one of which happens before any smp_send_stop() calls. This means we can get interleaving with panic() as we flush the printk_safe buffer before smp_send_stop(), and even if we change that a remote CPU may refuse to die. (Both x86 and arm64 have timeouts in their smp_send_stop() code).
And by that logic, you should technically grab that lock here too in _in_nmi_notify_one().
I don't think the die_lock really helps here, do we really want to wait for a remote CPU to finish printing an OOPs about user-space's bad memory accesses, before we bring the machine down due to this system-wide fatal RAS error? The presence of firmware-first means we know this error, and any other oops are unrelated. Grabbing the die_lock doesn't stop remote CPUs printing messages via a mechanism other than die()/_in_nmi_notify_one(). I think oops_begin() is just plastering over a problem. (how come this exclusion isn't done by oops_enter()/oops_exit()?) Isn't oops_begin() trying to guarantee any messages printk()d by this CPU appear 'with' the subsequent panic()? I can't see any way to stop a remote CPU from messing this up by printk()ing in a loop with interrupts masked, preventing us from smp_send_stop()ing it, and making it difficult to take the lock. I'd like to leave this under the x86-ifdef for now. For arm64 it would be an APEI specific arch hook to stop the arch code from printing some messages, meanwhile the rest of the kernel is unaffected. I suspect this sort of thing really needs support from printk(). (maybe some printk() severity that mutes other CPUs, or redirects them to the printk_safe buffer). Thanks, James