Root/Documentation/vm/hwpoison.txt

1What is hwpoison?
2
3Upcoming Intel CPUs have support for recovering from some memory errors
4(``MCA recovery''). This requires the OS to declare a page "poisoned",
5kill the processes associated with it and avoid using it in the future.
6
7This patchkit implements the necessary infrastructure in the VM.
8
9To quote the overview comment:
10
11 * High level machine check handler. Handles pages reported by the
12 * hardware as being corrupted usually due to a 2bit ECC memory or cache
13 * failure.
14 *
15 * This focusses on pages detected as corrupted in the background.
16 * When the current CPU tries to consume corruption the currently
17 * running process can just be killed directly instead. This implies
18 * that if the error cannot be handled for some reason it's safe to
19 * just ignore it because no corruption has been consumed yet. Instead
20 * when that happens another machine check will happen.
21 *
22 * Handles page cache pages in various states. The tricky part
23 * here is that we can access any page asynchronous to other VM
24 * users, because memory failures could happen anytime and anywhere,
25 * possibly violating some of their assumptions. This is why this code
26 * has to be extremely careful. Generally it tries to use normal locking
27 * rules, as in get the standard locks, even if that means the
28 * error handling takes potentially a long time.
29 *
30 * Some of the operations here are somewhat inefficient and have non
31 * linear algorithmic complexity, because the data structures have not
32 * been optimized for this case. This is in particular the case
33 * for the mapping from a vma to a process. Since this case is expected
34 * to be rare we hope we can get away with this.
35
36The code consists of a the high level handler in mm/memory-failure.c,
37a new page poison bit and various checks in the VM to handle poisoned
38pages.
39
40The main target right now is KVM guests, but it works for all kinds
41of applications. KVM support requires a recent qemu-kvm release.
42
43For the KVM use there was need for a new signal type so that
44KVM can inject the machine check into the guest with the proper
45address. This in theory allows other applications to handle
46memory failures too. The expection is that near all applications
47won't do that, but some very specialized ones might.
48
49---
50
51There are two (actually three) modi memory failure recovery can be in:
52
53vm.memory_failure_recovery sysctl set to zero:
54    All memory failures cause a panic. Do not attempt recovery.
55    (on x86 this can be also affected by the tolerant level of the
56    MCE subsystem)
57
58early kill
59    (can be controlled globally and per process)
60    Send SIGBUS to the application as soon as the error is detected
61    This allows applications who can process memory errors in a gentle
62    way (e.g. drop affected object)
63    This is the mode used by KVM qemu.
64
65late kill
66    Send SIGBUS when the application runs into the corrupted page.
67    This is best for memory error unaware applications and default
68    Note some pages are always handled as late kill.
69
70---
71
72User control:
73
74vm.memory_failure_recovery
75    See sysctl.txt
76
77vm.memory_failure_early_kill
78    Enable early kill mode globally
79
80PR_MCE_KILL
81    Set early/late kill mode/revert to system default
82    arg1: PR_MCE_KILL_CLEAR: Revert to system default
83    arg1: PR_MCE_KILL_SET: arg2 defines thread specific mode
84        PR_MCE_KILL_EARLY: Early kill
85        PR_MCE_KILL_LATE: Late kill
86        PR_MCE_KILL_DEFAULT: Use system global default
87PR_MCE_KILL_GET
88    return current mode
89
90
91---
92
93Testing:
94
95madvise(MADV_HWPOISON, ....)
96    (as root)
97    Poison a page in the process for testing
98
99
100hwpoison-inject module through debugfs
101
102/sys/debug/hwpoison/
103
104corrupt-pfn
105
106Inject hwpoison fault at PFN echoed into this file. This does
107some early filtering to avoid corrupted unintended pages in test suites.
108
109unpoison-pfn
110
111Software-unpoison page at PFN echoed into this file. This
112way a page can be reused again.
113This only works for Linux injected failures, not for real
114memory failures.
115
116Note these injection interfaces are not stable and might change between
117kernel versions
118
119corrupt-filter-dev-major
120corrupt-filter-dev-minor
121
122Only handle memory failures to pages associated with the file system defined
123by block device major/minor. -1U is the wildcard value.
124This should be only used for testing with artificial injection.
125
126corrupt-filter-memcg
127
128Limit injection to pages owned by memgroup. Specified by inode number
129of the memcg.
130
131Example:
132        mkdir /sys/fs/cgroup/mem/hwpoison
133
134        usemem -m 100 -s 1000 &
135        echo `jobs -p` > /sys/fs/cgroup/mem/hwpoison/tasks
136
137        memcg_ino=$(ls -id /sys/fs/cgroup/mem/hwpoison | cut -f1 -d' ')
138        echo $memcg_ino > /debug/hwpoison/corrupt-filter-memcg
139
140        page-types -p `pidof init` --hwpoison # shall do nothing
141        page-types -p `pidof usemem` --hwpoison # poison its pages
142
143corrupt-filter-flags-mask
144corrupt-filter-flags-value
145
146When specified, only poison pages if ((page_flags & mask) == value).
147This allows stress testing of many kinds of pages. The page_flags
148are the same as in /proc/kpageflags. The flag bits are defined in
149include/linux/kernel-page-flags.h and documented in
150Documentation/vm/pagemap.txt
151
152Architecture specific MCE injector
153
154x86 has mce-inject, mce-test
155
156Some portable hwpoison test programs in mce-test, see blow.
157
158---
159
160References:
161
162http://halobates.de/mce-lc09-2.pdf
163    Overview presentation from LinuxCon 09
164
165git://git.kernel.org/pub/scm/utils/cpu/mce/mce-test.git
166    Test suite (hwpoison specific portable tests in tsrc)
167
168git://git.kernel.org/pub/scm/utils/cpu/mce/mce-inject.git
169    x86 specific injector
170
171
172---
173
174Limitations:
175
176- Not all page types are supported and never will. Most kernel internal
177objects cannot be recovered, only LRU pages for now.
178- Right now hugepage support is missing.
179
180---
181Andi Kleen, Oct 2009
182
183

Archive Download this file



interactive