Commit 5da8e4a6 authored by Dan Williams's avatar Dan Williams Committed by Borislav Petkov
Browse files

x86/copy_mc: Introduce copy_mc_enhanced_fast_string() 



The motivations to go rework memcpy_mcsafe() are that the benefit of
doing slow and careful copies is obviated on newer CPUs, and that the
current opt-in list of CPUs to instrument recovery is broken relative to
those CPUs.  There is no need to keep an opt-in list up to date on an
ongoing basis if pmem/dax operations are instrumented for recovery by
default. With recovery enabled by default the old "mcsafe_key" opt-in to
careful copying can be made a "fragile" opt-out. Where the "fragile"
list takes steps to not consume poison across cachelines.

The discussion with Linus made clear that the current "_mcsafe" suffix
was imprecise to a fault. The operations that are needed by pmem/dax are
to copy from a source address that might throw #MC to a destination that
may write-fault, if it is a user page.

So copy_to_user_mcsafe() becomes copy_mc_to_user() to indicate
the separate precautions taken on source and destination.
copy_mc_to_kernel() is introduced as a non-SMAP version that does not
expect write-faults on the destination, but is still prepared to abort
with an error code upon taking #MC.

The original copy_mc_fragile() implementation had negative performance
implications since it did not use the fast-string instruction sequence
to perform copies. For this reason copy_mc_to_kernel() fell back to
plain memcpy() to preserve performance on platforms that did not indicate
the capability to recover from machine check exceptions. However, that
capability detection was not architectural and now that some platforms
can recover from fast-string consumption of memory errors the memcpy()
fallback now causes these more capable platforms to fail.

Introduce copy_mc_enhanced_fast_string() as the fast default
implementation of copy_mc_to_kernel() and finalize the transition of
copy_mc_fragile() to be a platform quirk to indicate 'copy-carefully'.
With this in place, copy_mc_to_kernel() is fast and recovery-ready by
default regardless of hardware capability.

Thanks to Vivek for identifying that copy_user_generic() is not suitable
as the copy_mc_to_user() backend since the #MC handler explicitly checks
ex_has_fault_handler(). Thanks to the 0day robot for catching a
performance bug in the x86/copy_mc_to_user implementation.

 [ bp: Add the "why" for this change from the 0/2th message, massage. ]

Fixes: 92b0729c ("x86/mm, x86/mce: Add memcpy_mcsafe()")
Reported-by: default avatarErwin Tsaur <erwin.tsaur@intel.com>
Reported-by: default avatar0day robot <lkp@intel.com>
Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
Reviewed-by: default avatarTony Luck <tony.luck@intel.com>
Tested-by: default avatarErwin Tsaur <erwin.tsaur@intel.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/160195562556.2163339.18063423034951948973.stgit@dwillia2-desk3.amr.corp.intel.com
parent ec6347bb

arch/x86/lib/copy_mc.c

+23 −9
Original line number Diff line number Diff line
@@ -45,6 +45,8 @@ void enable_copy_mc_fragile(void) 
#define copy_mc_fragile_enabled (0)

#endif



unsigned long copy_mc_enhanced_fast_string(void *dst, const void *src, unsigned len);



/**

 * copy_mc_to_kernel - memory copy that handles source exceptions

 *
@@ -52,9 +54,11 @@ void enable_copy_mc_fragile(void) 
 * @src:	source address

 * @len:	number of bytes to copy

 *

 * Call into the 'fragile' version on systems that have trouble

 * actually do machine check recovery. Everyone else can just

 * use memcpy().

 * Call into the 'fragile' version on systems that benefit from avoiding

 * corner case poison consumption scenarios, For example, accessing

 * poison across 2 cachelines with a single instruction. Almost all

 * other uses case can use copy_mc_enhanced_fast_string() for a fast

 * recoverable copy, or fallback to plain memcpy.

 *

 * Return 0 for success, or number of bytes not copied if there was an

 * exception.
@@ -63,6 +67,8 @@ unsigned long __must_check copy_mc_to_kernel(void *dst, const void *src, unsigne 
{

	if (copy_mc_fragile_enabled)

		return copy_mc_fragile(dst, src, len);

	if (static_cpu_has(X86_FEATURE_ERMS))

		return copy_mc_enhanced_fast_string(dst, src, len);

	memcpy(dst, src, len);

	return 0;

}
@@ -72,11 +78,19 @@ unsigned long __must_check copy_mc_to_user(void *dst, const void *src, unsigned 
{

	unsigned long ret;



	if (!copy_mc_fragile_enabled)

		return copy_user_generic(dst, src, len);



	if (copy_mc_fragile_enabled) {

		__uaccess_begin();

		ret = copy_mc_fragile(dst, src, len);

		__uaccess_end();

		return ret;

	}



	if (static_cpu_has(X86_FEATURE_ERMS)) {

		__uaccess_begin();

		ret = copy_mc_enhanced_fast_string(dst, src, len);

		__uaccess_end();

		return ret;

	}



	return copy_user_generic(dst, src, len);

}

arch/x86/lib/copy_mc_64.S

+36 −0
Original line number Diff line number Diff line
@@ -124,4 +124,40 @@ EXPORT_SYMBOL_GPL(copy_mc_fragile) 
	_ASM_EXTABLE(.L_write_words, .E_write_words)

	_ASM_EXTABLE(.L_write_trailing_bytes, .E_trailing_bytes)

#endif /* CONFIG_X86_MCE */



/*

 * copy_mc_enhanced_fast_string - memory copy with exception handling

 *

 * Fast string copy + fault / exception handling. If the CPU does

 * support machine check exception recovery, but does not support

 * recovering from fast-string exceptions then this CPU needs to be

 * added to the copy_mc_fragile_key set of quirks. Otherwise, absent any

 * machine check recovery support this version should be no slower than

 * standard memcpy.

 */

SYM_FUNC_START(copy_mc_enhanced_fast_string)

	movq %rdi, %rax

	movq %rdx, %rcx

.L_copy:

	rep movsb

	/* Copy successful. Return zero */

	xorl %eax, %eax

	ret

SYM_FUNC_END(copy_mc_enhanced_fast_string)



	.section .fixup, "ax"

.E_copy:

	/*

	 * On fault %rcx is updated such that the copy instruction could

	 * optionally be restarted at the fault position, i.e. it

	 * contains 'bytes remaining'. A non-zero return indicates error

	 * to copy_mc_generic() users, or indicate short transfers to

	 * user-copy routines.

	 */

	movq %rcx, %rax

	ret



	.previous



	_ASM_EXTABLE_FAULT(.L_copy, .E_copy)

#endif /* !CONFIG_UML */

tools/objtool/check.c

+1 −0
Original line number Diff line number Diff line
@@ -550,6 +550,7 @@ static const char *uaccess_safe_builtin[] = { 
	"csum_partial_copy_generic",

	"copy_mc_fragile",

	"copy_mc_fragile_handle_tail",

	"copy_mc_enhanced_fast_string",

	"ftrace_likely_update", /* CONFIG_TRACE_BRANCH_PROFILING */

	NULL

};

CRA Git | Maintained and supported by SUSTech CRA and CCSE