Re: [PATCH v2 1/6] x86/mce: Take action on UCNA/Deferred errors again

From: Luck, Tony
Date: Fri Jan 10 2020 - 13:45:38 EST


On Fri, Jan 10, 2020 at 10:50:04AM +0100, Borislav Petkov wrote:
> On Fri, Jan 03, 2020 at 04:07:17PM +0100, Jan H. Schönherr wrote:
> > Commit fa92c5869426 ("x86, mce: Support memory error recovery for both
> > UCNA and Deferred error in machine_check_poll") added handling of UCNA
> > and Deferred errors by adding them to the ring for SRAO errors.
> >
> > Later, commit fd4cf79fcc4b ("x86/mce: Remove the MCE ring for Action
> > Optional errors") switched storage from the SRAO ring to the unified
> > pool that is still in use today. In order to only act on the intended
> > errors, a filter for MCE_AO_SEVERITY is used -- effectively removing
> > handling of UCNA/Deferred errors again.
> >
> > Extend the severity filter to include UCNA/Deferred errors again.
> > Also, generalize the naming of the notifier from SRAO to UC to capture
> > the extended scope.
> >
> > Note, that this change may cause a message like the following to appear,
> > as the same address may be reported as SRAO and as UCNA:
> >
> > Memory failure: 0x5fe3284: already hardware poisoned
> >
> > Technically, this is a return to previous behavior.
> >
> > Fixes: fd4cf79fcc4b ("x86/mce: Remove the MCE ring for Action Optional errors")
> > Signed-off-by: Jan H. Schönherr <jschoenh@xxxxxxxxx>
>
> Tony, ACK?

Acked-by: Tony Luck <tony.luck@xxxxxxxxx>

> Also, do you want it in stable@ so that it gets backported?

That's a tricky question. We have changing behavior (UCNA pages offlined,
then a few kernel versions stopped doing this, now we are going to start
doing it again). But is it really a _BUG_ that needs backporting to stable?
I'm leaning towards "no it isn't". But could perhaps be convinced to change
my mind if somebody has a good reason for wanting it there.

Is there something to put in the tags to stop this being autoselected
for backport because it has a Fixes: tag?

> I'm wondering if in the memory_failure error() case, we should hand it
> down to the remaining notifiers.
>
> Which also begs the question in light of this clumsy notifier counting:
>
> How about we have the default notifier *unconditionally* print the MCE?
> I.e., if the error has reached it, it would print it. If not and some
> other notifier consumed it, it will get handled differently.
>
> This way we won't need any special counting of notifiers and special
> reg/unreg of notifiers etc.
>
> IOW, the logic would be:
>
> If something consumes the error, then it doesn't get printed. Notifier
> does NOTIFY_STOP.
>
> If nothing consumes it or something looks at it and decides that it
> should still get printed, then the last catch-all notifier callback does
> that.

I totally agree that counting notifiers is clumsy. Also less than
ideal is the concept that any notifier on the chain can declare:
"I fixed it"
and prevent any other notifiers from even seeing it. Well the concept
is good, but it is overused.

I think we may do better with a field in the "struct mce" that is being
passed to each where notifiers can wiggle some bits (semantics to be
defined later) which can tell subsequent notifiers what sort of actions
have been taken.
E.g. the SRAO/UCNA notifier can say "I took this page offline"
the dev_mcelog one can say "I think I handed to a process that has /dev/mcelog open"
EDAC drivers can say "I decoded the address and printed something"
CEC can say: "I silently counted this corrected error", or "error exceeded
threshold and I took the page offline".

The default notifier can print to console if nobody set a bit to say
that the error had been somehow logged.

-Tony
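
A userspace C model of the flag-field idea in the message above, as an added example that is not code from the thread or from the kernel. The `mce_model` struct, the `ACT_*` bits, the choice of which bits count as "logged", and the sample record are all assumptions, since the message leaves the semantics to be defined later.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical action bits; the thread leaves the real semantics undefined. */
enum {
    ACT_PAGE_OFFLINED = 1u << 0, /* SRAO/UCNA notifier took the page offline */
    ACT_MCELOG        = 1u << 1, /* handed to a /dev/mcelog reader */
    ACT_EDAC_DECODED  = 1u << 2, /* EDAC decoded the address and printed */
    ACT_CEC_COUNTED   = 1u << 3, /* CEC silently counted a corrected error */
    ACT_PRINTED       = 1u << 4, /* default notifier printed to console */
};
/* Assumption: offlining a page is an action, not a log entry. */
#define ACT_LOGGED (ACT_MCELOG | ACT_EDAC_DECODED | ACT_CEC_COUNTED)

enum sev { SEV_CORRECTED, SEV_UCNA, SEV_AO };
struct mce_model {            /* stand-in, not the kernel's struct mce */
    uint64_t addr;
    enum sev severity;
    int      mcelog_open;     /* constructed: is a /dev/mcelog reader present? */
    uint32_t actions;         /* bits set by notifiers that acted */
};

static void uc_notifier(struct mce_model *m) {
    if (m->severity == SEV_UCNA || m->severity == SEV_AO)
        m->actions |= ACT_PAGE_OFFLINED;
}
static void mcelog_notifier(struct mce_model *m) {
    if (m->mcelog_open) m->actions |= ACT_MCELOG;
}
static void cec_notifier(struct mce_model *m) {
    if (m->severity == SEV_CORRECTED) m->actions |= ACT_CEC_COUNTED;
}
static void default_notifier(struct mce_model *m) {
    if (m->actions & ACT_LOGGED) return;   /* somebody already logged it */
    printf("mce: addr 0x%llx sev %d actions 0x%x\n",
           (unsigned long long)m->addr, (int)m->severity, (unsigned)m->actions);
    m->actions |= ACT_PRINTED;
}
/* Every notifier sees every record: no NOTIFY_STOP, no notifier counting. */
uint32_t run_chain(struct mce_model *m) {
    static void (*const chain[])(struct mce_model *) = {
        uc_notifier, mcelog_notifier, cec_notifier, default_notifier };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) chain[i](m);
    return m->actions;
}

int main(void) {
    struct mce_model ucna = { 0x1000, SEV_UCNA, 0, 0 };  /* constructed sample */
    return run_chain(&ucna) == (ACT_PAGE_OFFLINED | ACT_PRINTED) ? 0 : 1;
}
```

With these assumed semantics, a UCNA record whose page was offlined still reaches the console when no other notifier logged it, which a NOTIFY_STOP from the offlining notifier would have suppressed.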