// SPDX-License-Identifier: GPL-2.0

#define pr_fmt(fmt) "x86/split lock detection: " fmt

#include <linux/semaphore.h>
#include <linux/workqueue.h>
#include <linux/delay.h>
#include <linux/cpuhotplug.h>
#include <asm/cpu_device_id.h>
#include <asm/cmdline.h>
#include <asm/traps.h>
#include <asm/cpu.h>
#include <asm/msr.h>

enum split_lock_detect_state {
	sld_off = 0,
	sld_warn,
	sld_fatal,
	sld_ratelimit,
};

/*
 * Default to sld_off because most systems do not support split lock detection.
 * sld_state_setup() will switch this to sld_warn on systems that support
 * split lock/bus lock detect, unless there is a command line override.
 */
static enum split_lock_detect_state sld_state __ro_after_init = sld_off;
static u64 msr_test_ctrl_cache __ro_after_init;

/*
 * With a name like MSR_TEST_CTL it should go without saying, but don't touch
 * MSR_TEST_CTRL unless the CPU is one of the whitelisted models. Writing it
 * on CPUs that do not support SLD can cause fireworks, even when writing '0'.
 */
static bool cpu_model_supports_sld __ro_after_init;

static const struct {
	const char			*option;
	enum split_lock_detect_state	state;
} sld_options[] __initconst = {
	{ "off",	sld_off   },
	{ "warn",	sld_warn  },
	{ "fatal",	sld_fatal },
	{ "ratelimit:",	sld_ratelimit },
};

static struct ratelimit_state bld_ratelimit;

static unsigned int sysctl_sld_mitigate = 1;
static DEFINE_SEMAPHORE(buslock_sem, 1);

#ifdef CONFIG_PROC_SYSCTL
static const struct ctl_table sld_sysctls[] = {
	{
		.procname	= "split_lock_mitigate",
		.data		= &sysctl_sld_mitigate,
		.maxlen		= sizeof(unsigned int),
		.mode		= 0644,
		.proc_handler	= proc_douintvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_ONE,
	},
};

static int __init sld_mitigate_sysctl_init(void)
{
	register_sysctl_init("kernel", sld_sysctls);
	return 0;
}

late_initcall(sld_mitigate_sysctl_init);
#endif

static inline bool match_option(const char *arg, int arglen, const char *opt)
{
	int len = strlen(opt), ratelimit;

	if (strncmp(arg, opt, len))
		return false;

	/*
	 * Min ratelimit is 1 bus lock/sec.
	 * Max ratelimit is 1000 bus locks/sec.
	 */
	if (sscanf(arg, "ratelimit:%d", &ratelimit) == 1 &&
	    ratelimit > 0 && ratelimit <= 1000) {
		ratelimit_state_init(&bld_ratelimit, HZ, ratelimit);
		ratelimit_set_flags(&bld_ratelimit, RATELIMIT_MSG_ON_RELEASE);
		return true;
	}

	return len == arglen;
}
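/*
 * Example boot parameter usage accepted by the table and parser above
 * (a summary sketch, not the canonical documentation):
 *
 *	split_lock_detect=off
 *	split_lock_detect=warn
 *	split_lock_detect=fatal
 *	split_lock_detect=ratelimit:N	(1 <= N <= 1000 bus locks/sec)
 */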
static bool split_lock_verify_msr(bool on)
{
	u64 ctrl, tmp;

	if (rdmsrq_safe(MSR_TEST_CTRL, &ctrl))
		return false;
	if (on)
		ctrl |= MSR_TEST_CTRL_SPLIT_LOCK_DETECT;
	else
		ctrl &= ~MSR_TEST_CTRL_SPLIT_LOCK_DETECT;
	if (wrmsrq_safe(MSR_TEST_CTRL, ctrl))
		return false;
	rdmsrq(MSR_TEST_CTRL, tmp);
	return ctrl == tmp;
}

static void __init sld_state_setup(void)
{
	enum split_lock_detect_state state = sld_warn;
	char arg[20];
	int i, ret;

	if (!boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) &&
	    !boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
		return;

	ret = cmdline_find_option(boot_command_line, "split_lock_detect",
				  arg, sizeof(arg));
	if (ret >= 0) {
		for (i = 0; i < ARRAY_SIZE(sld_options); i++) {
			if (match_option(arg, ret, sld_options[i].option)) {
				state = sld_options[i].state;
				break;
			}
		}
	}
	sld_state = state;
}

static void __init __split_lock_setup(void)
{
	if (!split_lock_verify_msr(false)) {
		pr_info("MSR access failed: Disabled\n");
		return;
	}

	rdmsrq(MSR_TEST_CTRL, msr_test_ctrl_cache);

	if (!split_lock_verify_msr(true)) {
		pr_info("MSR access failed: Disabled\n");
		return;
	}

	/* Restore the MSR to its cached value. */
	wrmsrq(MSR_TEST_CTRL, msr_test_ctrl_cache);

	setup_force_cpu_cap(X86_FEATURE_SPLIT_LOCK_DETECT);
}

/*
 * MSR_TEST_CTRL is per core, but we treat it like a per CPU MSR. Locking
 * is not implemented as one thread could undo the setting of the other
 * thread immediately after dropping the lock anyway.
 */
static void sld_update_msr(bool on)
{
	u64 test_ctrl_val = msr_test_ctrl_cache;

	if (on)
		test_ctrl_val |= MSR_TEST_CTRL_SPLIT_LOCK_DETECT;

	wrmsrq(MSR_TEST_CTRL, test_ctrl_val);
}

void split_lock_init(void)
{
	/*
	 * Ratelimit is handled by #DB for bus lock, so #AC for split
	 * lock is left disabled.
	 */
	if (sld_state == sld_ratelimit) {
		split_lock_verify_msr(false);
		return;
	}

	if (cpu_model_supports_sld)
		split_lock_verify_msr(sld_state != sld_off);
}

static void __split_lock_reenable_unlock(struct work_struct *work)
{
	sld_update_msr(true);
	up(&buslock_sem);
}

static DECLARE_DELAYED_WORK(sl_reenable_unlock, __split_lock_reenable_unlock);

static void __split_lock_reenable(struct work_struct *work)
{
	sld_update_msr(true);
}

/*
 * In order for each CPU to schedule its delayed work independently of the
 * others, the delayed work struct must be per-CPU. This is not required
 * when sysctl_sld_mitigate is enabled because of the semaphore that limits
 * the number of simultaneously scheduled delayed works to 1.
 */
static DEFINE_PER_CPU(struct delayed_work, sl_reenable);

/*
 * Per-CPU delayed_work can't be statically initialized properly because
 * the struct address is unknown. Thus per-CPU delayed_work structures
 * have to be initialized during kernel initialization and after calling
 * setup_per_cpu_areas().
 */
static int __init setup_split_lock_delayed_work(void)
{
	unsigned int cpu;

	for_each_possible_cpu(cpu) {
		struct delayed_work *work = per_cpu_ptr(&sl_reenable, cpu);

		INIT_DELAYED_WORK(work, __split_lock_reenable);
	}

	return 0;
}
pure_initcall(setup_split_lock_delayed_work);

/*
 * If a CPU goes offline with pending delayed work to re-enable split lock
 * detection then the delayed work will be executed on some other CPU. That
 * handles releasing the buslock_sem, but because it executes on a
 * different CPU probably won't re-enable split lock detection. This is a
 * problem on HT systems since the sibling CPU on the same core may then be
 * left running with split lock detection disabled.
 *
 * Unconditionally re-enable detection here.
 */
static int splitlock_cpu_offline(unsigned int cpu)
{
	sld_update_msr(true);

	return 0;
}
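/*
 * Warn-mode handling of a user-space split lock. When the
 * kernel.split_lock_mitigate sysctl is set, the offender is throttled:
 * sleep 10ms, then take buslock_sem so only one core at a time runs
 * with detection disabled. Detection is then switched off on this CPU
 * for ~2 jiffies so the faulting instruction can complete, and delayed
 * work re-enables it (and releases the semaphore).
 *
 * For illustration only (a user-space sketch, not part of this file):
 * a split lock is a LOCK-prefixed operation whose operand straddles
 * two cache lines, e.g.
 *
 *	struct __attribute__((packed, aligned(64))) {
 *		char pad[62];
 *		long val;	// offset 62: crosses the 64-byte line
 *	} s;
 *
 *	__atomic_fetch_add(&s.val, 1, __ATOMIC_SEQ_CST); // raises #AC
 */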
static void split_lock_warn(unsigned long ip)
{
	struct delayed_work *work;
	int cpu;
	unsigned int saved_sld_mitigate = READ_ONCE(sysctl_sld_mitigate);

	if (!current->reported_split_lock)
		pr_warn_ratelimited("#AC: %s/%d took a split_lock trap at address: 0x%lx\n",
				    current->comm, current->pid, ip);
	current->reported_split_lock = 1;

	if (saved_sld_mitigate) {
		/*
		 * Misery factor #1:
		 * sleep 10ms before trying to execute split lock.
		 */
		if (msleep_interruptible(10) > 0)
			return;
		/*
		 * Misery factor #2:
		 * only allow one buslocked disabled core at a time.
		 */
		if (down_interruptible(&buslock_sem) == -EINTR)
			return;
	}

	cpu = get_cpu();
	work = saved_sld_mitigate ? &sl_reenable_unlock : per_cpu_ptr(&sl_reenable, cpu);
	schedule_delayed_work_on(cpu, work, 2);

	/* Disable split lock detection on this CPU to make progress. */
	sld_update_msr(false);
	put_cpu();
}

bool handle_guest_split_lock(unsigned long ip)
{
	if (sld_state == sld_warn) {
		split_lock_warn(ip);
		return true;
	}

	pr_warn_once("#AC: %s/%d %s split_lock trap at address: 0x%lx\n",
		     current->comm, current->pid,
		     sld_state == sld_fatal ? "fatal" : "bogus", ip);

	current->thread.error_code = 0;
	current->thread.trap_nr = X86_TRAP_AC;
	force_sig_fault(SIGBUS, BUS_ADRALN, NULL);
	return false;
}
EXPORT_SYMBOL_GPL(handle_guest_split_lock);
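/*
 * Configure #DB-based bus lock detection via MSR_IA32_DEBUGCTLMSR.
 * Warn and fatal are handled by #AC for split lock when that feature
 * is present, so #DB is enabled only for the remaining cases:
 * ratelimit, or warn/fatal on CPUs that have bus lock detect but not
 * split lock detect.
 */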
void bus_lock_init(void)
{
	u64 val;

	if (!boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
		return;

	rdmsrq(MSR_IA32_DEBUGCTLMSR, val);

	if ((boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) &&
	    (sld_state == sld_warn || sld_state == sld_fatal)) ||
	    sld_state == sld_off) {
		/*
		 * Warn and fatal are handled by #AC for split lock if #AC for
		 * split lock is supported.
		 */
		val &= ~DEBUGCTLMSR_BUS_LOCK_DETECT;
	} else {
		val |= DEBUGCTLMSR_BUS_LOCK_DETECT;
	}

	wrmsrq(MSR_IA32_DEBUGCTLMSR, val);
}

bool handle_user_split_lock(struct pt_regs *regs, long error_code)
{
	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
		return false;
	split_lock_warn(regs->ip);
	return true;
}

void handle_bus_lock(struct pt_regs *regs)
{
	switch (sld_state) {
	case sld_off:
		break;
	case sld_ratelimit:
		/* Enforce no more than bld_ratelimit bus locks/sec. */
		while (!__ratelimit(&bld_ratelimit))
			msleep(20);
		/* Warn on the bus lock. */
		fallthrough;
	case sld_warn:
		pr_warn_ratelimited("#DB: %s/%d took a bus_lock trap at address: 0x%lx\n",
				    current->comm, current->pid, regs->ip);
		break;
	case sld_fatal:
		force_sig_fault(SIGBUS, BUS_ADRALN, NULL);
		break;
	}
}

/*
 * CPU models that are known to have the per-core split-lock detection
 * feature even though they do not enumerate IA32_CORE_CAPABILITIES.
 */
static const struct x86_cpu_id split_lock_cpu_ids[] __initconst = {
	X86_MATCH_VFM(INTEL_ICELAKE_X,	0),
	X86_MATCH_VFM(INTEL_ICELAKE_L,	0),
	X86_MATCH_VFM(INTEL_ICELAKE_D,	0),
	{}
};

static void __init split_lock_setup(struct cpuinfo_x86 *c)
{
	const struct x86_cpu_id *m;
	u64 ia32_core_caps;

	if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
		return;

	/* Check for CPUs that have support but do not enumerate it: */
	m = x86_match_cpu(split_lock_cpu_ids);
	if (m)
		goto supported;

	if (!cpu_has(c, X86_FEATURE_CORE_CAPABILITIES))
		return;

	/*
	 * Not all bits in MSR_IA32_CORE_CAPS are architectural, but
	 * MSR_IA32_CORE_CAPS_SPLIT_LOCK_DETECT is. All CPUs that set
	 * it have split lock detection.
	 */
	rdmsrq(MSR_IA32_CORE_CAPS, ia32_core_caps);
	if (ia32_core_caps & MSR_IA32_CORE_CAPS_SPLIT_LOCK_DETECT)
		goto supported;

	/* CPU is not in the model list and does not have the MSR bit: */
	return;

supported:
	cpu_model_supports_sld = true;
	__split_lock_setup();
}

static void sld_state_show(void)
{
	if (!boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT) &&
	    !boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT))
		return;

	switch (sld_state) {
	case sld_off:
		pr_info("disabled\n");
		break;
	case sld_warn:
		if (boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT)) {
			pr_info("#AC: crashing the kernel on kernel split_locks and warning on user-space split_locks\n");
			if (cpuhp_setup_state(CPUHP_AP_ONLINE_DYN,
					      "x86/splitlock", NULL, splitlock_cpu_offline) < 0)
				pr_warn("No splitlock CPU offline handler\n");
		} else if (boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT)) {
			pr_info("#DB: warning on user-space bus_locks\n");
		}
		break;
	case sld_fatal:
		if (boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT)) {
			pr_info("#AC: crashing the kernel on kernel split_locks and sending SIGBUS on user-space split_locks\n");
		} else if (boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT)) {
			pr_info("#DB: sending SIGBUS on user-space bus_locks%s\n",
				boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) ?
				" from non-WB" : "");
		}
		break;
	case sld_ratelimit:
		if (boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
			pr_info("#DB: setting system wide bus lock rate limit to %u/sec\n", bld_ratelimit.burst);
		break;
	}
}

void __init sld_setup(struct cpuinfo_x86 *c)
{
	split_lock_setup(c);
	sld_state_setup();
	sld_state_show();
}