1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Watchdog support on powerpc systems. 4 * 5 * Copyright 2017, IBM Corporation. 6 * 7 * This uses code from arch/sparc/kernel/nmi.c and kernel/watchdog.c 8 */ 9 10 #define pr_fmt(fmt) "watchdog: " fmt 11 12 #include <linux/kernel.h> 13 #include <linux/param.h> 14 #include <linux/init.h> 15 #include <linux/percpu.h> 16 #include <linux/cpu.h> 17 #include <linux/nmi.h> 18 #include <linux/module.h> 19 #include <linux/export.h> 20 #include <linux/kprobes.h> 21 #include <linux/hardirq.h> 22 #include <linux/reboot.h> 23 #include <linux/slab.h> 24 #include <linux/kdebug.h> 25 #include <linux/sched/debug.h> 26 #include <linux/delay.h> 27 #include <linux/processor.h> 28 #include <linux/smp.h> 29 30 #include <asm/interrupt.h> 31 #include <asm/paca.h> 32 #include <asm/nmi.h> 33 34 /* 35 * The powerpc watchdog ensures that each CPU is able to service timers. 36 * The watchdog sets up a simple timer on each CPU to run once per timer 37 * period, and updates a per-cpu timestamp and a "pending" cpumask. This is 38 * the heartbeat. 39 * 40 * Then there are two systems to check that the heartbeat is still running. 41 * The local soft-NMI, and the SMP checker. 42 * 43 * The soft-NMI checker can detect lockups on the local CPU. When interrupts 44 * are disabled with local_irq_disable(), platforms that use soft-masking 45 * can leave hardware interrupts enabled and handle them with a masked 46 * interrupt handler. The masked handler can send the timer interrupt to the 47 * watchdog's soft_nmi_interrupt(), which appears to Linux as an NMI 48 * interrupt, and can be used to detect CPUs stuck with IRQs disabled. 49 * 50 * The soft-NMI checker will compare the heartbeat timestamp for this CPU 51 * with the current time, and take action if the difference exceeds the 52 * watchdog threshold. 53 * 54 * The limitation of the soft-NMI watchdog is that it does not work when 55 * interrupts are hard disabled or otherwise not being serviced. This is 56 * solved by also having a SMP watchdog where all CPUs check all other 57 * CPUs heartbeat. 58 * 59 * The SMP checker can detect lockups on other CPUs. A global "pending" 60 * cpumask is kept, containing all CPUs which enable the watchdog. Each 61 * CPU clears their pending bit in their heartbeat timer. When the bitmask 62 * becomes empty, the last CPU to clear its pending bit updates a global 63 * timestamp and refills the pending bitmask. 64 * 65 * In the heartbeat timer, if any CPU notices that the global timestamp has 66 * not been updated for a period exceeding the watchdog threshold, then it 67 * means the CPU(s) with their bit still set in the pending mask have had 68 * their heartbeat stop, and action is taken. 69 * 70 * Some platforms implement true NMI IPIs, which can be used by the SMP 71 * watchdog to detect an unresponsive CPU and pull it out of its stuck 72 * state with the NMI IPI, to get crash/debug data from it. This way the 73 * SMP watchdog can detect hardware interrupts off lockups. 74 */ 75 76 static cpumask_t wd_cpus_enabled __read_mostly; 77 78 static u64 wd_panic_timeout_tb __read_mostly; /* timebase ticks until panic */ 79 static u64 wd_smp_panic_timeout_tb __read_mostly; /* panic other CPUs */ 80 81 static u64 wd_timer_period_ms __read_mostly; /* interval between heartbeat */ 82 83 static DEFINE_PER_CPU(struct hrtimer, wd_hrtimer); 84 static DEFINE_PER_CPU(u64, wd_timer_tb); 85 86 /* SMP checker bits */ 87 static unsigned long __wd_smp_lock; 88 static unsigned long __wd_reporting; 89 static unsigned long __wd_nmi_output; 90 static cpumask_t wd_smp_cpus_pending; 91 static cpumask_t wd_smp_cpus_stuck; 92 static u64 wd_smp_last_reset_tb; 93 94 #ifdef CONFIG_PPC_PSERIES 95 static u64 wd_timeout_pct; 96 #endif 97 98 /* 99 * Try to take the exclusive watchdog action / NMI IPI / printing lock. 100 * wd_smp_lock must be held. If this fails, we should return and wait 101 * for the watchdog to kick in again (or another CPU to trigger it). 102 * 103 * Importantly, if hardlockup_panic is set, wd_try_report failure should 104 * not delay the panic, because whichever other CPU is reporting will 105 * call panic. 106 */ 107 static bool wd_try_report(void) 108 { 109 if (__wd_reporting) 110 return false; 111 __wd_reporting = 1; 112 return true; 113 } 114 115 /* End printing after successful wd_try_report. wd_smp_lock not required. */ 116 static void wd_end_reporting(void) 117 { 118 smp_mb(); /* End printing "critical section" */ 119 WARN_ON_ONCE(__wd_reporting == 0); 120 WRITE_ONCE(__wd_reporting, 0); 121 } 122 123 static inline void wd_smp_lock(unsigned long *flags) 124 { 125 /* 126 * Avoid locking layers if possible. 127 * This may be called from low level interrupt handlers at some 128 * point in future. 129 */ 130 raw_local_irq_save(*flags); 131 hard_irq_disable(); /* Make it soft-NMI safe */ 132 while (unlikely(test_and_set_bit_lock(0, &__wd_smp_lock))) { 133 raw_local_irq_restore(*flags); 134 spin_until_cond(!test_bit(0, &__wd_smp_lock)); 135 raw_local_irq_save(*flags); 136 hard_irq_disable(); 137 } 138 } 139 140 static inline void wd_smp_unlock(unsigned long *flags) 141 { 142 clear_bit_unlock(0, &__wd_smp_lock); 143 raw_local_irq_restore(*flags); 144 } 145 146 static void wd_lockup_ipi(struct pt_regs *regs) 147 { 148 int cpu = raw_smp_processor_id(); 149 u64 tb = get_tb(); 150 151 pr_emerg("CPU %d Hard LOCKUP\n", cpu); 152 pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n", 153 cpu, tb, per_cpu(wd_timer_tb, cpu), 154 tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000); 155 print_modules(); 156 print_irqtrace_events(current); 157 if (regs) 158 show_regs(regs); 159 else 160 dump_stack(); 161 162 /* 163 * __wd_nmi_output must be set after we printk from NMI context. 164 * 165 * printk from NMI context defers printing to the console to irq_work. 166 * If that NMI was taken in some code that is hard-locked, then irqs 167 * are disabled so irq_work will never fire. That can result in the 168 * hard lockup messages being delayed (indefinitely, until something 169 * else kicks the console drivers). 170 * 171 * Setting __wd_nmi_output will cause another CPU to notice and kick 172 * the console drivers for us. 173 * 174 * xchg is not needed here (it could be a smp_mb and store), but xchg 175 * gives the memory ordering and atomicity required. 176 */ 177 xchg(&__wd_nmi_output, 1); 178 179 /* Do not panic from here because that can recurse into NMI IPI layer */ 180 } 181 182 static bool set_cpu_stuck(int cpu) 183 { 184 cpumask_set_cpu(cpu, &wd_smp_cpus_stuck); 185 cpumask_clear_cpu(cpu, &wd_smp_cpus_pending); 186 /* 187 * See wd_smp_clear_cpu_pending() 188 */ 189 smp_mb(); 190 if (cpumask_empty(&wd_smp_cpus_pending)) { 191 wd_smp_last_reset_tb = get_tb(); 192 cpumask_andnot(&wd_smp_cpus_pending, 193 &wd_cpus_enabled, 194 &wd_smp_cpus_stuck); 195 return true; 196 } 197 return false; 198 } 199 200 static void watchdog_smp_panic(int cpu) 201 { 202 static cpumask_t wd_smp_cpus_ipi; // protected by reporting 203 unsigned long flags; 204 u64 tb, last_reset; 205 int c; 206 207 wd_smp_lock(&flags); 208 /* Double check some things under lock */ 209 tb = get_tb(); 210 last_reset = wd_smp_last_reset_tb; 211 if ((s64)(tb - last_reset) < (s64)wd_smp_panic_timeout_tb) 212 goto out; 213 if (cpumask_test_cpu(cpu, &wd_smp_cpus_pending)) 214 goto out; 215 if (!wd_try_report()) 216 goto out; 217 for_each_online_cpu(c) { 218 if (!cpumask_test_cpu(c, &wd_smp_cpus_pending)) 219 continue; 220 if (c == cpu) 221 continue; // should not happen 222 223 __cpumask_set_cpu(c, &wd_smp_cpus_ipi); 224 if (set_cpu_stuck(c)) 225 break; 226 } 227 if (cpumask_empty(&wd_smp_cpus_ipi)) { 228 wd_end_reporting(); 229 goto out; 230 } 231 wd_smp_unlock(&flags); 232 233 pr_emerg("CPU %d detected hard LOCKUP on other CPUs %*pbl\n", 234 cpu, cpumask_pr_args(&wd_smp_cpus_ipi)); 235 pr_emerg("CPU %d TB:%lld, last SMP heartbeat TB:%lld (%lldms ago)\n", 236 cpu, tb, last_reset, tb_to_ns(tb - last_reset) / 1000000); 237 238 if (!sysctl_hardlockup_all_cpu_backtrace) { 239 /* 240 * Try to trigger the stuck CPUs, unless we are going to 241 * get a backtrace on all of them anyway. 242 */ 243 for_each_cpu(c, &wd_smp_cpus_ipi) { 244 smp_send_nmi_ipi(c, wd_lockup_ipi, 1000000); 245 __cpumask_clear_cpu(c, &wd_smp_cpus_ipi); 246 } 247 } else { 248 trigger_allbutself_cpu_backtrace(); 249 cpumask_clear(&wd_smp_cpus_ipi); 250 } 251 252 if (hardlockup_panic) 253 nmi_panic(NULL, "Hard LOCKUP"); 254 255 wd_end_reporting(); 256 257 return; 258 259 out: 260 wd_smp_unlock(&flags); 261 } 262 263 static void wd_smp_clear_cpu_pending(int cpu) 264 { 265 if (!cpumask_test_cpu(cpu, &wd_smp_cpus_pending)) { 266 if (unlikely(cpumask_test_cpu(cpu, &wd_smp_cpus_stuck))) { 267 struct pt_regs *regs = get_irq_regs(); 268 unsigned long flags; 269 270 pr_emerg("CPU %d became unstuck TB:%lld\n", 271 cpu, get_tb()); 272 print_irqtrace_events(current); 273 if (regs) 274 show_regs(regs); 275 else 276 dump_stack(); 277 278 wd_smp_lock(&flags); 279 cpumask_clear_cpu(cpu, &wd_smp_cpus_stuck); 280 wd_smp_unlock(&flags); 281 } else { 282 /* 283 * The last CPU to clear pending should have reset the 284 * watchdog so we generally should not find it empty 285 * here if our CPU was clear. However it could happen 286 * due to a rare race with another CPU taking the 287 * last CPU out of the mask concurrently. 288 * 289 * We can't add a warning for it. But just in case 290 * there is a problem with the watchdog that is causing 291 * the mask to not be reset, try to kick it along here. 292 */ 293 if (unlikely(cpumask_empty(&wd_smp_cpus_pending))) 294 goto none_pending; 295 } 296 return; 297 } 298 299 /* 300 * All other updates to wd_smp_cpus_pending are performed under 301 * wd_smp_lock. All of them are atomic except the case where the 302 * mask becomes empty and is reset. This will not happen here because 303 * cpu was tested to be in the bitmap (above), and a CPU only clears 304 * its own bit. _Except_ in the case where another CPU has detected a 305 * hard lockup on our CPU and takes us out of the pending mask. So in 306 * normal operation there will be no race here, no problem. 307 * 308 * In the lockup case, this atomic clear-bit vs a store that refills 309 * other bits in the accessed word wll not be a problem. The bit clear 310 * is atomic so it will not cause the store to get lost, and the store 311 * will never set this bit so it will not overwrite the bit clear. The 312 * only way for a stuck CPU to return to the pending bitmap is to 313 * become unstuck itself. 314 */ 315 cpumask_clear_cpu(cpu, &wd_smp_cpus_pending); 316 317 /* 318 * Order the store to clear pending with the load(s) to check all 319 * words in the pending mask to check they are all empty. This orders 320 * with the same barrier on another CPU. This prevents two CPUs 321 * clearing the last 2 pending bits, but neither seeing the other's 322 * store when checking if the mask is empty, and missing an empty 323 * mask, which ends with a false positive. 324 */ 325 smp_mb(); 326 if (cpumask_empty(&wd_smp_cpus_pending)) { 327 unsigned long flags; 328 329 none_pending: 330 /* 331 * Double check under lock because more than one CPU could see 332 * a clear mask with the lockless check after clearing their 333 * pending bits. 334 */ 335 wd_smp_lock(&flags); 336 if (cpumask_empty(&wd_smp_cpus_pending)) { 337 wd_smp_last_reset_tb = get_tb(); 338 cpumask_andnot(&wd_smp_cpus_pending, 339 &wd_cpus_enabled, 340 &wd_smp_cpus_stuck); 341 } 342 wd_smp_unlock(&flags); 343 } 344 } 345 346 static void watchdog_timer_interrupt(int cpu) 347 { 348 u64 tb = get_tb(); 349 350 per_cpu(wd_timer_tb, cpu) = tb; 351 352 wd_smp_clear_cpu_pending(cpu); 353 354 if ((s64)(tb - wd_smp_last_reset_tb) >= (s64)wd_smp_panic_timeout_tb) 355 watchdog_smp_panic(cpu); 356 357 if (__wd_nmi_output && xchg(&__wd_nmi_output, 0)) { 358 /* 359 * Something has called printk from NMI context. It might be 360 * stuck, so this triggers a flush that will get that 361 * printk output to the console. 362 * 363 * See wd_lockup_ipi. 364 */ 365 printk_trigger_flush(); 366 } 367 } 368 369 DEFINE_INTERRUPT_HANDLER_NMI(soft_nmi_interrupt) 370 { 371 unsigned long flags; 372 int cpu = raw_smp_processor_id(); 373 u64 tb; 374 375 /* should only arrive from kernel, with irqs disabled */ 376 WARN_ON_ONCE(!arch_irq_disabled_regs(regs)); 377 378 if (!cpumask_test_cpu(cpu, &wd_cpus_enabled)) 379 return 0; 380 381 __this_cpu_inc(irq_stat.soft_nmi_irqs); 382 383 tb = get_tb(); 384 if (tb - per_cpu(wd_timer_tb, cpu) >= wd_panic_timeout_tb) { 385 /* 386 * Taking wd_smp_lock here means it is a soft-NMI lock, which 387 * means we can't take any regular or irqsafe spin locks while 388 * holding this lock. This is why timers can't printk while 389 * holding the lock. 390 */ 391 wd_smp_lock(&flags); 392 if (cpumask_test_cpu(cpu, &wd_smp_cpus_stuck)) { 393 wd_smp_unlock(&flags); 394 return 0; 395 } 396 if (!wd_try_report()) { 397 wd_smp_unlock(&flags); 398 /* Couldn't report, try again in 100ms */ 399 mtspr(SPRN_DEC, 100 * tb_ticks_per_usec * 1000); 400 return 0; 401 } 402 403 set_cpu_stuck(cpu); 404 405 wd_smp_unlock(&flags); 406 407 pr_emerg("CPU %d self-detected hard LOCKUP @ %pS\n", 408 cpu, (void *)regs->nip); 409 pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n", 410 cpu, tb, per_cpu(wd_timer_tb, cpu), 411 tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000); 412 print_modules(); 413 print_irqtrace_events(current); 414 show_regs(regs); 415 416 xchg(&__wd_nmi_output, 1); // see wd_lockup_ipi 417 418 if (sysctl_hardlockup_all_cpu_backtrace) 419 trigger_allbutself_cpu_backtrace(); 420 421 if (hardlockup_panic) 422 nmi_panic(regs, "Hard LOCKUP"); 423 424 wd_end_reporting(); 425 } 426 /* 427 * We are okay to change DEC in soft_nmi_interrupt because the masked 428 * handler has marked a DEC as pending, so the timer interrupt will be 429 * replayed as soon as local irqs are enabled again. 430 */ 431 if (wd_panic_timeout_tb < 0x7fffffff) 432 mtspr(SPRN_DEC, wd_panic_timeout_tb); 433 434 return 0; 435 } 436 437 static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer) 438 { 439 int cpu = smp_processor_id(); 440 441 if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED)) 442 return HRTIMER_NORESTART; 443 444 if (!cpumask_test_cpu(cpu, &watchdog_cpumask)) 445 return HRTIMER_NORESTART; 446 447 watchdog_timer_interrupt(cpu); 448 449 hrtimer_forward_now(hrtimer, ms_to_ktime(wd_timer_period_ms)); 450 451 return HRTIMER_RESTART; 452 } 453 454 void arch_touch_nmi_watchdog(void) 455 { 456 unsigned long ticks = tb_ticks_per_usec * wd_timer_period_ms * 1000; 457 int cpu = smp_processor_id(); 458 u64 tb; 459 460 if (!cpumask_test_cpu(cpu, &watchdog_cpumask)) 461 return; 462 463 tb = get_tb(); 464 if (tb - per_cpu(wd_timer_tb, cpu) >= ticks) { 465 per_cpu(wd_timer_tb, cpu) = tb; 466 wd_smp_clear_cpu_pending(cpu); 467 } 468 } 469 EXPORT_SYMBOL(arch_touch_nmi_watchdog); 470 471 static void start_watchdog(void *arg) 472 { 473 struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer); 474 int cpu = smp_processor_id(); 475 unsigned long flags; 476 477 if (cpumask_test_cpu(cpu, &wd_cpus_enabled)) { 478 WARN_ON(1); 479 return; 480 } 481 482 if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED)) 483 return; 484 485 if (!cpumask_test_cpu(cpu, &watchdog_cpumask)) 486 return; 487 488 wd_smp_lock(&flags); 489 cpumask_set_cpu(cpu, &wd_cpus_enabled); 490 if (cpumask_weight(&wd_cpus_enabled) == 1) { 491 cpumask_set_cpu(cpu, &wd_smp_cpus_pending); 492 wd_smp_last_reset_tb = get_tb(); 493 } 494 wd_smp_unlock(&flags); 495 496 *this_cpu_ptr(&wd_timer_tb) = get_tb(); 497 498 hrtimer_init(hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL); 499 hrtimer->function = watchdog_timer_fn; 500 hrtimer_start(hrtimer, ms_to_ktime(wd_timer_period_ms), 501 HRTIMER_MODE_REL_PINNED); 502 } 503 504 static int start_watchdog_on_cpu(unsigned int cpu) 505 { 506 return smp_call_function_single(cpu, start_watchdog, NULL, true); 507 } 508 509 static void stop_watchdog(void *arg) 510 { 511 struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer); 512 int cpu = smp_processor_id(); 513 unsigned long flags; 514 515 if (!cpumask_test_cpu(cpu, &wd_cpus_enabled)) 516 return; /* Can happen in CPU unplug case */ 517 518 hrtimer_cancel(hrtimer); 519 520 wd_smp_lock(&flags); 521 cpumask_clear_cpu(cpu, &wd_cpus_enabled); 522 wd_smp_unlock(&flags); 523 524 wd_smp_clear_cpu_pending(cpu); 525 } 526 527 static int stop_watchdog_on_cpu(unsigned int cpu) 528 { 529 return smp_call_function_single(cpu, stop_watchdog, NULL, true); 530 } 531 532 static void watchdog_calc_timeouts(void) 533 { 534 u64 threshold = watchdog_thresh; 535 536 #ifdef CONFIG_PPC_PSERIES 537 threshold += (READ_ONCE(wd_timeout_pct) * threshold) / 100; 538 #endif 539 540 wd_panic_timeout_tb = threshold * ppc_tb_freq; 541 542 /* Have the SMP detector trigger a bit later */ 543 wd_smp_panic_timeout_tb = wd_panic_timeout_tb * 3 / 2; 544 545 /* 2/5 is the factor that the perf based detector uses */ 546 wd_timer_period_ms = watchdog_thresh * 1000 * 2 / 5; 547 } 548 549 void watchdog_nmi_stop(void) 550 { 551 int cpu; 552 553 for_each_cpu(cpu, &wd_cpus_enabled) 554 stop_watchdog_on_cpu(cpu); 555 } 556 557 void watchdog_nmi_start(void) 558 { 559 int cpu; 560 561 watchdog_calc_timeouts(); 562 for_each_cpu_and(cpu, cpu_online_mask, &watchdog_cpumask) 563 start_watchdog_on_cpu(cpu); 564 } 565 566 /* 567 * Invoked from core watchdog init. 568 */ 569 int __init watchdog_nmi_probe(void) 570 { 571 int err; 572 573 err = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN, 574 "powerpc/watchdog:online", 575 start_watchdog_on_cpu, 576 stop_watchdog_on_cpu); 577 if (err < 0) { 578 pr_warn("could not be initialized"); 579 return err; 580 } 581 return 0; 582 } 583 584 #ifdef CONFIG_PPC_PSERIES 585 void watchdog_nmi_set_timeout_pct(u64 pct) 586 { 587 pr_info("Set the NMI watchdog timeout factor to %llu%%\n", pct); 588 WRITE_ONCE(wd_timeout_pct, pct); 589 lockup_detector_reconfigure(); 590 } 591 #endif 592