// SPDX-License-Identifier: GPL-2.0

#define pr_fmt(fmt) "x86/split lock detection: " fmt

#include <linux/semaphore.h>
#include <linux/workqueue.h>
#include <linux/delay.h>
#include <linux/cpuhotplug.h>
#include <linux/kvm_types.h>
#include <asm/cpu_device_id.h>
#include <asm/cmdline.h>
#include <asm/traps.h>
#include <asm/cpu.h>
#include <asm/msr.h>

enum split_lock_detect_state {
	sld_off = 0,
	sld_warn,
	sld_fatal,
	sld_ratelimit,
};

/*
 * Default to sld_off because most systems do not support split lock
 * detection. sld_state_setup() will switch this to sld_warn on systems
 * that support split lock/bus lock detect, unless there is a command
 * line override.
 */
static enum split_lock_detect_state sld_state __ro_after_init = sld_off;
static u64 msr_test_ctrl_cache __ro_after_init;

/*
 * With a name like MSR_TEST_CTRL it should go without saying, but don't
 * touch MSR_TEST_CTRL unless the CPU is one of the whitelisted models.
 * Writing it on CPUs that do not support SLD can cause fireworks, even
 * when writing '0'.
 */
static bool cpu_model_supports_sld __ro_after_init;

static const struct {
	const char			*option;
	enum split_lock_detect_state	state;
} sld_options[] __initconst = {
	{ "off",	sld_off   },
	{ "warn",	sld_warn  },
	{ "fatal",	sld_fatal },
	{ "ratelimit:",	sld_ratelimit },
};

static struct ratelimit_state bld_ratelimit;

static unsigned int sysctl_sld_mitigate = 1;
static DEFINE_SEMAPHORE(buslock_sem, 1);

#ifdef CONFIG_PROC_SYSCTL
static const struct ctl_table sld_sysctls[] = {
	{
		.procname	= "split_lock_mitigate",
		.data		= &sysctl_sld_mitigate,
		.maxlen		= sizeof(unsigned int),
		.mode		= 0644,
		.proc_handler	= proc_douintvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_ONE,
	},
};

static int __init sld_mitigate_sysctl_init(void)
{
	register_sysctl_init("kernel", sld_sysctls);
	return 0;
}

late_initcall(sld_mitigate_sysctl_init);
#endif
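/*
 * Usage notes (illustrative editorial addition, not part of the original
 * file), assembled from sld_options[], match_option() and the sysctl
 * registration above:
 *
 *	split_lock_detect=off		- detection disabled
 *	split_lock_detect=warn		- warn on offending user tasks
 *					  (default on capable hardware)
 *	split_lock_detect=fatal		- SIGBUS offending user tasks
 *	split_lock_detect=ratelimit:N	- allow at most N bus locks/sec,
 *					  with 1 <= N <= 1000
 *
 * The "split_lock_mitigate" sysctl registered above is writable at
 * runtime, e.g.:
 *
 *	echo 0 > /proc/sys/kernel/split_lock_mitigate
 */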
static inline bool match_option(const char *arg, int arglen, const char *opt)
{
	int len = strlen(opt), ratelimit;

	if (strncmp(arg, opt, len))
		return false;

	/*
	 * Min ratelimit is 1 bus lock/sec.
	 * Max ratelimit is 1000 bus locks/sec.
	 */
	if (sscanf(arg, "ratelimit:%d", &ratelimit) == 1 &&
	    ratelimit > 0 && ratelimit <= 1000) {
		ratelimit_state_init(&bld_ratelimit, HZ, ratelimit);
		ratelimit_set_flags(&bld_ratelimit, RATELIMIT_MSG_ON_RELEASE);
		return true;
	}

	return len == arglen;
}

static bool split_lock_verify_msr(bool on)
{
	u64 ctrl, tmp;

	if (rdmsrq_safe(MSR_TEST_CTRL, &ctrl))
		return false;
	if (on)
		ctrl |= MSR_TEST_CTRL_SPLIT_LOCK_DETECT;
	else
		ctrl &= ~MSR_TEST_CTRL_SPLIT_LOCK_DETECT;
	if (wrmsrq_safe(MSR_TEST_CTRL, ctrl))
		return false;
	rdmsrq(MSR_TEST_CTRL, tmp);
	return ctrl == tmp;
}

static void __init sld_state_setup(void)
{
	enum split_lock_detect_state state = sld_warn;
	char arg[20];
	int i, ret;

	if (!boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) &&
	    !boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
		return;

	ret = cmdline_find_option(boot_command_line, "split_lock_detect",
				  arg, sizeof(arg));
	if (ret >= 0) {
		for (i = 0; i < ARRAY_SIZE(sld_options); i++) {
			if (match_option(arg, ret, sld_options[i].option)) {
				state = sld_options[i].state;
				break;
			}
		}
	}
	sld_state = state;
}

static void __init __split_lock_setup(void)
{
	if (!split_lock_verify_msr(false)) {
		pr_info("MSR access failed: Disabled\n");
		return;
	}

	rdmsrq(MSR_TEST_CTRL, msr_test_ctrl_cache);

	if (!split_lock_verify_msr(true)) {
		pr_info("MSR access failed: Disabled\n");
		return;
	}

	/* Restore the MSR to its cached value. */
	wrmsrq(MSR_TEST_CTRL, msr_test_ctrl_cache);

	setup_force_cpu_cap(X86_FEATURE_SPLIT_LOCK_DETECT);
}

/*
 * MSR_TEST_CTRL is per core, but we treat it like a per CPU MSR. Locking
 * is not implemented as one thread could undo the setting of the other
 * thread immediately after dropping the lock anyway.
 */
static void sld_update_msr(bool on)
{
	u64 test_ctrl_val = msr_test_ctrl_cache;

	if (on)
		test_ctrl_val |= MSR_TEST_CTRL_SPLIT_LOCK_DETECT;

	wrmsrq(MSR_TEST_CTRL, test_ctrl_val);
}

void split_lock_init(void)
{
	/*
	 * In ratelimit mode, #DB for bus lock handles the rate limiting
	 * and #AC for split lock is disabled.
	 */
	if (sld_state == sld_ratelimit) {
		split_lock_verify_msr(false);
		return;
	}

	if (cpu_model_supports_sld)
		split_lock_verify_msr(sld_state != sld_off);
}

static void __split_lock_reenable_unlock(struct work_struct *work)
{
	sld_update_msr(true);
	up(&buslock_sem);
}

static DECLARE_DELAYED_WORK(sl_reenable_unlock, __split_lock_reenable_unlock);

static void __split_lock_reenable(struct work_struct *work)
{
	sld_update_msr(true);
}

/*
 * In order for each CPU to schedule its delayed work independently of the
 * others, the delayed work struct must be per-CPU. This is not required
 * when sysctl_sld_mitigate is enabled because the semaphore limits the
 * number of simultaneously scheduled delayed works to 1.
 */
static DEFINE_PER_CPU(struct delayed_work, sl_reenable);
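/*
 * Note (editorial addition, not in the original): split_lock_warn() below
 * disables split lock detection on the current CPU and schedules one of
 * the works above with a 2 jiffy delay. This gives the faulting task a
 * short window in which the offending instruction can complete without
 * trapping before detection is re-enabled.
 */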
/*
 * Per-CPU delayed_work can't be statically initialized properly because
 * the struct address is unknown. Thus per-CPU delayed_work structures
 * have to be initialized during kernel initialization, after calling
 * setup_per_cpu_areas().
 */
static int __init setup_split_lock_delayed_work(void)
{
	unsigned int cpu;

	for_each_possible_cpu(cpu) {
		struct delayed_work *work = per_cpu_ptr(&sl_reenable, cpu);

		INIT_DELAYED_WORK(work, __split_lock_reenable);
	}

	return 0;
}
pure_initcall(setup_split_lock_delayed_work);

/*
 * If a CPU goes offline with pending delayed work to re-enable split lock
 * detection then the delayed work will be executed on some other CPU. That
 * handles releasing the buslock_sem, but because it executes on a
 * different CPU it probably won't re-enable split lock detection. This is
 * a problem on HT systems since the sibling CPU on the same core may then
 * be left running with split lock detection disabled.
 *
 * Unconditionally re-enable detection here.
 */
static int splitlock_cpu_offline(unsigned int cpu)
{
	sld_update_msr(true);

	return 0;
}

static void split_lock_warn(unsigned long ip)
{
	struct delayed_work *work;
	int cpu;
	unsigned int saved_sld_mitigate = READ_ONCE(sysctl_sld_mitigate);

	if (!current->reported_split_lock)
		pr_warn_ratelimited("#AC: %s/%d took a split_lock trap at address: 0x%lx\n",
				    current->comm, current->pid, ip);
	current->reported_split_lock = 1;

	if (saved_sld_mitigate) {
		/*
		 * Misery factor #1:
		 * sleep 10ms before letting the task retry the split lock.
		 */
		if (msleep_interruptible(10) > 0)
			return;
		/*
		 * Misery factor #2:
		 * only allow one buslocked disabled core at a time.
		 */
		if (down_interruptible(&buslock_sem) == -EINTR)
			return;
	}

	cpu = get_cpu();
	work = saved_sld_mitigate ? &sl_reenable_unlock : per_cpu_ptr(&sl_reenable, cpu);
	schedule_delayed_work_on(cpu, work, 2);

	/* Disable split lock detection on this CPU to make progress. */
	sld_update_msr(false);
	put_cpu();
}
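/*
 * Note (editorial addition, inferred from the export below): the handler
 * that follows is exported for KVM so a guest-triggered #AC for split
 * lock can be funnelled through the same policy. It returns true when
 * the event was consumed (warn mode); otherwise the vCPU task is sent
 * SIGBUS and false tells the caller the event was not handled here.
 */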
bool handle_guest_split_lock(unsigned long ip)
{
	if (sld_state == sld_warn) {
		split_lock_warn(ip);
		return true;
	}

	pr_warn_once("#AC: %s/%d %s split_lock trap at address: 0x%lx\n",
		     current->comm, current->pid,
		     sld_state == sld_fatal ? "fatal" : "bogus", ip);

	current->thread.error_code = 0;
	current->thread.trap_nr = X86_TRAP_AC;
	force_sig_fault(SIGBUS, BUS_ADRALN, NULL);
	return false;
}
EXPORT_SYMBOL_FOR_KVM(handle_guest_split_lock);

void bus_lock_init(void)
{
	u64 val;

	if (!boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
		return;

	rdmsrq(MSR_IA32_DEBUGCTLMSR, val);

	if ((boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) &&
	    (sld_state == sld_warn || sld_state == sld_fatal)) ||
	    sld_state == sld_off) {
		/*
		 * Warn and fatal are handled by #AC for split lock if #AC
		 * for split lock is supported.
		 */
		val &= ~DEBUGCTLMSR_BUS_LOCK_DETECT;
	} else {
		val |= DEBUGCTLMSR_BUS_LOCK_DETECT;
	}

	wrmsrq(MSR_IA32_DEBUGCTLMSR, val);
}

bool handle_user_split_lock(struct pt_regs *regs, long error_code)
{
	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
		return false;
	split_lock_warn(regs->ip);
	return true;
}

void handle_bus_lock(struct pt_regs *regs)
{
	switch (sld_state) {
	case sld_off:
		break;
	case sld_ratelimit:
		/* Enforce no more than bld_ratelimit bus locks/sec. */
		while (!__ratelimit(&bld_ratelimit))
			msleep(20);
		/* Warn on the bus lock. */
		fallthrough;
	case sld_warn:
		pr_warn_ratelimited("#DB: %s/%d took a bus_lock trap at address: 0x%lx\n",
				    current->comm, current->pid, regs->ip);
		break;
	case sld_fatal:
		force_sig_fault(SIGBUS, BUS_ADRALN, NULL);
		break;
	}
}

/*
 * CPU models that are known to have the per-core split-lock detection
 * feature even though they do not enumerate IA32_CORE_CAPABILITIES.
 */
static const struct x86_cpu_id split_lock_cpu_ids[] __initconst = {
	X86_MATCH_VFM(INTEL_ICELAKE_X,	0),
	X86_MATCH_VFM(INTEL_ICELAKE_L,	0),
	X86_MATCH_VFM(INTEL_ICELAKE_D,	0),
	{}
};

static void __init split_lock_setup(struct cpuinfo_x86 *c)
{
	const struct x86_cpu_id *m;
	u64 ia32_core_caps;

	if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
		return;

	/* Check for CPUs that have support but do not enumerate it: */
	m = x86_match_cpu(split_lock_cpu_ids);
	if (m)
		goto supported;

	if (!cpu_has(c, X86_FEATURE_CORE_CAPABILITIES))
		return;

	/*
	 * Not all bits in MSR_IA32_CORE_CAPS are architectural, but
	 * MSR_IA32_CORE_CAPS_SPLIT_LOCK_DETECT is. All CPUs that set
	 * it have split lock detection.
	 */
	rdmsrq(MSR_IA32_CORE_CAPS, ia32_core_caps);
	if (ia32_core_caps & MSR_IA32_CORE_CAPS_SPLIT_LOCK_DETECT)
		goto supported;

	/* CPU is not in the model list and does not have the MSR bit: */
	return;

supported:
	cpu_model_supports_sld = true;
	__split_lock_setup();
}

static void sld_state_show(void)
{
	if (!boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT) &&
	    !boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT))
		return;

	switch (sld_state) {
	case sld_off:
		pr_info("disabled\n");
		break;
	case sld_warn:
		if (boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT)) {
			pr_info("#AC: crashing the kernel on kernel split_locks and warning on user-space split_locks\n");
			if (cpuhp_setup_state(CPUHP_AP_ONLINE_DYN,
					      "x86/splitlock", NULL,
					      splitlock_cpu_offline) < 0)
				pr_warn("No splitlock CPU offline handler\n");
		} else if (boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT)) {
			pr_info("#DB: warning on user-space bus_locks\n");
		}
		break;
	case sld_fatal:
		if (boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT)) {
			pr_info("#AC: crashing the kernel on kernel split_locks and sending SIGBUS on user-space split_locks\n");
		} else if (boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT)) {
			pr_info("#DB: sending SIGBUS on user-space bus_locks%s\n",
				boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) ?
				" from non-WB" : "");
		}
		break;
	case sld_ratelimit:
		if (boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
			pr_info("#DB: setting system wide bus lock rate limit to %u/sec\n",
				bld_ratelimit.burst);
		break;
	}
}

void __init sld_setup(struct cpuinfo_x86 *c)
{
	split_lock_setup(c);
	sld_state_setup();
	sld_state_show();
}
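/*
 * Illustrative user-space reproducer (editorial addition, not part of
 * this file): an atomic read-modify-write whose operand straddles a
 * cache line boundary raises #AC (split lock) or #DB (bus lock),
 * depending on which feature the CPU supports:
 *
 *	_Alignas(64) char buf[128];
 *	int *p = (int *)(buf + 62);	// 4-byte operand crosses the
 *					// 64-byte line at buf + 64
 *	__atomic_fetch_add(p, 1, __ATOMIC_SEQ_CST);
 *
 * Under sld_warn this logs the "took a split_lock trap" message above
 * and briefly disables detection on the faulting CPU via
 * split_lock_warn().
 */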