1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * linux/kernel/panic.c 4 * 5 * Copyright (C) 1991, 1992 Linus Torvalds 6 */ 7 8 /* 9 * This function is used through-out the kernel (including mm and fs) 10 * to indicate a major problem. 11 */ 12 #include <linux/debug_locks.h> 13 #include <linux/sched/debug.h> 14 #include <linux/interrupt.h> 15 #include <linux/kgdb.h> 16 #include <linux/kmsg_dump.h> 17 #include <linux/kallsyms.h> 18 #include <linux/notifier.h> 19 #include <linux/vt_kern.h> 20 #include <linux/module.h> 21 #include <linux/random.h> 22 #include <linux/ftrace.h> 23 #include <linux/reboot.h> 24 #include <linux/delay.h> 25 #include <linux/kexec.h> 26 #include <linux/panic_notifier.h> 27 #include <linux/sched.h> 28 #include <linux/string_helpers.h> 29 #include <linux/sysrq.h> 30 #include <linux/init.h> 31 #include <linux/nmi.h> 32 #include <linux/console.h> 33 #include <linux/bug.h> 34 #include <linux/ratelimit.h> 35 #include <linux/debugfs.h> 36 #include <linux/sysfs.h> 37 #include <linux/context_tracking.h> 38 #include <linux/seq_buf.h> 39 #include <linux/sys_info.h> 40 #include <trace/events/error_report.h> 41 #include <asm/sections.h> 42 #include <kunit/test-bug.h> 43 44 #define PANIC_TIMER_STEP 100 45 #define PANIC_BLINK_SPD 18 46 #define PANIC_MSG_BUFSZ 1024 47 48 #ifdef CONFIG_SMP 49 /* 50 * Should we dump all CPUs backtraces in an oops event? 51 * Defaults to 0, can be changed via sysctl. 52 */ 53 static unsigned int __read_mostly sysctl_oops_all_cpu_backtrace; 54 #else 55 #define sysctl_oops_all_cpu_backtrace 0 56 #endif /* CONFIG_SMP */ 57 58 int panic_on_oops = IS_ENABLED(CONFIG_PANIC_ON_OOPS); 59 static unsigned long tainted_mask = 60 IS_ENABLED(CONFIG_RANDSTRUCT) ? (1 << TAINT_RANDSTRUCT) : 0; 61 static int pause_on_oops; 62 static int pause_on_oops_flag; 63 static DEFINE_SPINLOCK(pause_on_oops_lock); 64 bool crash_kexec_post_notifiers; 65 int panic_on_warn __read_mostly; 66 unsigned long panic_on_taint; 67 bool panic_on_taint_nousertaint = false; 68 static unsigned int warn_limit __read_mostly; 69 static bool panic_console_replay; 70 71 bool panic_triggering_all_cpu_backtrace; 72 static bool panic_this_cpu_backtrace_printed; 73 74 int panic_timeout = CONFIG_PANIC_TIMEOUT; 75 EXPORT_SYMBOL_GPL(panic_timeout); 76 77 unsigned long panic_print; 78 79 static int panic_force_cpu = -1; 80 81 ATOMIC_NOTIFIER_HEAD(panic_notifier_list); 82 83 EXPORT_SYMBOL(panic_notifier_list); 84 85 static void panic_print_deprecated(void) 86 { 87 pr_info_once("Kernel: The 'panic_print' parameter is now deprecated. Please use 'panic_sys_info' and 'panic_console_replay' instead.\n"); 88 } 89 90 #ifdef CONFIG_SYSCTL 91 92 /* 93 * Taint values can only be increased 94 * This means we can safely use a temporary. 95 */ 96 static int proc_taint(const struct ctl_table *table, int write, 97 void *buffer, size_t *lenp, loff_t *ppos) 98 { 99 struct ctl_table t; 100 unsigned long tmptaint = get_taint(); 101 int err; 102 103 if (write && !capable(CAP_SYS_ADMIN)) 104 return -EPERM; 105 106 t = *table; 107 t.data = &tmptaint; 108 err = proc_doulongvec_minmax(&t, write, buffer, lenp, ppos); 109 if (err < 0) 110 return err; 111 112 if (write) { 113 int i; 114 115 /* 116 * If we are relying on panic_on_taint not producing 117 * false positives due to userspace input, bail out 118 * before setting the requested taint flags. 119 */ 120 if (panic_on_taint_nousertaint && (tmptaint & panic_on_taint)) 121 return -EINVAL; 122 123 /* 124 * Poor man's atomic or. Not worth adding a primitive 125 * to everyone's atomic.h for this 126 */ 127 for (i = 0; i < TAINT_FLAGS_COUNT; i++) 128 if ((1UL << i) & tmptaint) 129 add_taint(i, LOCKDEP_STILL_OK); 130 } 131 132 return err; 133 } 134 135 static int sysctl_panic_print_handler(const struct ctl_table *table, int write, 136 void *buffer, size_t *lenp, loff_t *ppos) 137 { 138 if (write) 139 panic_print_deprecated(); 140 return proc_doulongvec_minmax(table, write, buffer, lenp, ppos); 141 } 142 143 static const struct ctl_table kern_panic_table[] = { 144 #ifdef CONFIG_SMP 145 { 146 .procname = "oops_all_cpu_backtrace", 147 .data = &sysctl_oops_all_cpu_backtrace, 148 .maxlen = sizeof(int), 149 .mode = 0644, 150 .proc_handler = proc_dointvec_minmax, 151 .extra1 = SYSCTL_ZERO, 152 .extra2 = SYSCTL_ONE, 153 }, 154 #endif 155 { 156 .procname = "tainted", 157 .maxlen = sizeof(long), 158 .mode = 0644, 159 .proc_handler = proc_taint, 160 }, 161 { 162 .procname = "panic", 163 .data = &panic_timeout, 164 .maxlen = sizeof(int), 165 .mode = 0644, 166 .proc_handler = proc_dointvec, 167 }, 168 { 169 .procname = "panic_on_oops", 170 .data = &panic_on_oops, 171 .maxlen = sizeof(int), 172 .mode = 0644, 173 .proc_handler = proc_dointvec, 174 }, 175 { 176 .procname = "panic_print", 177 .data = &panic_print, 178 .maxlen = sizeof(unsigned long), 179 .mode = 0644, 180 .proc_handler = sysctl_panic_print_handler, 181 }, 182 { 183 .procname = "panic_on_warn", 184 .data = &panic_on_warn, 185 .maxlen = sizeof(int), 186 .mode = 0644, 187 .proc_handler = proc_dointvec_minmax, 188 .extra1 = SYSCTL_ZERO, 189 .extra2 = SYSCTL_ONE, 190 }, 191 { 192 .procname = "warn_limit", 193 .data = &warn_limit, 194 .maxlen = sizeof(warn_limit), 195 .mode = 0644, 196 .proc_handler = proc_douintvec, 197 }, 198 #if (defined(CONFIG_X86_32) || defined(CONFIG_PARISC)) && \ 199 defined(CONFIG_DEBUG_STACKOVERFLOW) 200 { 201 .procname = "panic_on_stackoverflow", 202 .data = &sysctl_panic_on_stackoverflow, 203 .maxlen = sizeof(int), 204 .mode = 0644, 205 .proc_handler = proc_dointvec, 206 }, 207 #endif 208 { 209 .procname = "panic_sys_info", 210 .data = &panic_print, 211 .maxlen = sizeof(panic_print), 212 .mode = 0644, 213 .proc_handler = sysctl_sys_info_handler, 214 }, 215 }; 216 217 static __init int kernel_panic_sysctls_init(void) 218 { 219 register_sysctl_init("kernel", kern_panic_table); 220 return 0; 221 } 222 late_initcall(kernel_panic_sysctls_init); 223 #endif 224 225 /* The format is "panic_sys_info=tasks,mem,locks,ftrace,..." */ 226 static int __init setup_panic_sys_info(char *buf) 227 { 228 /* There is no risk of race in kernel boot phase */ 229 panic_print = sys_info_parse_param(buf); 230 return 1; 231 } 232 __setup("panic_sys_info=", setup_panic_sys_info); 233 234 static atomic_t warn_count = ATOMIC_INIT(0); 235 236 #ifdef CONFIG_SYSFS 237 static ssize_t warn_count_show(struct kobject *kobj, struct kobj_attribute *attr, 238 char *page) 239 { 240 return sysfs_emit(page, "%d\n", atomic_read(&warn_count)); 241 } 242 243 static struct kobj_attribute warn_count_attr = __ATTR_RO(warn_count); 244 245 static __init int kernel_panic_sysfs_init(void) 246 { 247 sysfs_add_file_to_group(kernel_kobj, &warn_count_attr.attr, NULL); 248 return 0; 249 } 250 late_initcall(kernel_panic_sysfs_init); 251 #endif 252 253 static long no_blink(int state) 254 { 255 return 0; 256 } 257 258 /* Returns how long it waited in ms */ 259 long (*panic_blink)(int state); 260 EXPORT_SYMBOL(panic_blink); 261 262 /* 263 * Stop ourself in panic -- architecture code may override this 264 */ 265 void __weak __noreturn panic_smp_self_stop(void) 266 { 267 while (1) 268 cpu_relax(); 269 } 270 271 /* 272 * Stop ourselves in NMI context if another CPU has already panicked. Arch code 273 * may override this to prepare for crash dumping, e.g. save regs info. 274 */ 275 void __weak __noreturn nmi_panic_self_stop(struct pt_regs *regs) 276 { 277 panic_smp_self_stop(); 278 } 279 280 /* 281 * Stop other CPUs in panic. Architecture dependent code may override this 282 * with more suitable version. For example, if the architecture supports 283 * crash dump, it should save registers of each stopped CPU and disable 284 * per-CPU features such as virtualization extensions. 285 */ 286 void __weak crash_smp_send_stop(void) 287 { 288 static int cpus_stopped; 289 290 /* 291 * This function can be called twice in panic path, but obviously 292 * we execute this only once. 293 */ 294 if (cpus_stopped) 295 return; 296 297 /* 298 * Note smp_send_stop is the usual smp shutdown function, which 299 * unfortunately means it may not be hardened to work in a panic 300 * situation. 301 */ 302 smp_send_stop(); 303 cpus_stopped = 1; 304 } 305 306 atomic_t panic_cpu = ATOMIC_INIT(PANIC_CPU_INVALID); 307 atomic_t panic_redirect_cpu = ATOMIC_INIT(PANIC_CPU_INVALID); 308 309 #if defined(CONFIG_SMP) && defined(CONFIG_CRASH_DUMP) 310 static char *panic_force_buf; 311 312 static int __init panic_force_cpu_setup(char *str) 313 { 314 int cpu; 315 316 if (!str) 317 return -EINVAL; 318 319 if (kstrtoint(str, 0, &cpu) || cpu < 0 || cpu >= nr_cpu_ids) { 320 pr_warn("panic_force_cpu: invalid value '%s'\n", str); 321 return -EINVAL; 322 } 323 324 panic_force_cpu = cpu; 325 return 0; 326 } 327 early_param("panic_force_cpu", panic_force_cpu_setup); 328 329 static int __init panic_force_cpu_late_init(void) 330 { 331 if (panic_force_cpu < 0) 332 return 0; 333 334 panic_force_buf = kmalloc(PANIC_MSG_BUFSZ, GFP_KERNEL); 335 336 return 0; 337 } 338 late_initcall(panic_force_cpu_late_init); 339 340 static void do_panic_on_target_cpu(void *info) 341 { 342 panic("%s", (char *)info); 343 } 344 345 /** 346 * panic_smp_redirect_cpu - Redirect panic to target CPU 347 * @target_cpu: CPU that should handle the panic 348 * @msg: formatted panic message 349 * 350 * Default implementation uses IPI. Architectures with NMI support 351 * can override this for more reliable delivery. 352 * 353 * Return: 0 on success, negative errno on failure 354 */ 355 int __weak panic_smp_redirect_cpu(int target_cpu, void *msg) 356 { 357 static call_single_data_t panic_csd; 358 359 panic_csd.func = do_panic_on_target_cpu; 360 panic_csd.info = msg; 361 362 return smp_call_function_single_async(target_cpu, &panic_csd); 363 } 364 365 /** 366 * panic_try_force_cpu - Redirect panic to a specific CPU for crash kernel 367 * @fmt: panic message format string 368 * @args: arguments for format string 369 * 370 * Some platforms require panic handling to occur on a specific CPU 371 * for the crash kernel to function correctly. This function redirects 372 * panic handling to the CPU specified via the panic_force_cpu= boot parameter. 373 * 374 * Returns false if panic should proceed on current CPU. 375 * Returns true if panic was redirected. 376 */ 377 __printf(1, 0) 378 static bool panic_try_force_cpu(const char *fmt, va_list args) 379 { 380 int this_cpu = raw_smp_processor_id(); 381 int old_cpu = PANIC_CPU_INVALID; 382 const char *msg; 383 384 /* Feature not enabled via boot parameter */ 385 if (panic_force_cpu < 0) 386 return false; 387 388 /* Already on target CPU - proceed normally */ 389 if (this_cpu == panic_force_cpu) 390 return false; 391 392 /* Target CPU is offline, can't redirect */ 393 if (!cpu_online(panic_force_cpu)) { 394 pr_warn("panic: target CPU %d is offline, continuing on CPU %d\n", 395 panic_force_cpu, this_cpu); 396 return false; 397 } 398 399 /* Another panic already in progress */ 400 if (panic_in_progress()) 401 return false; 402 403 /* 404 * Only one CPU can do the redirect. Use atomic cmpxchg to ensure 405 * we don't race with another CPU also trying to redirect. 406 */ 407 if (!atomic_try_cmpxchg(&panic_redirect_cpu, &old_cpu, this_cpu)) 408 return false; 409 410 /* 411 * Use dynamically allocated buffer if available, otherwise 412 * fall back to static message for early boot panics or allocation failure. 413 */ 414 if (panic_force_buf) { 415 vsnprintf(panic_force_buf, PANIC_MSG_BUFSZ, fmt, args); 416 msg = panic_force_buf; 417 } else { 418 msg = "Redirected panic (buffer unavailable)"; 419 } 420 421 console_verbose(); 422 bust_spinlocks(1); 423 424 pr_emerg("panic: Redirecting from CPU %d to CPU %d for crash kernel.\n", 425 this_cpu, panic_force_cpu); 426 427 /* Dump original CPU before redirecting */ 428 if (!test_taint(TAINT_DIE) && 429 oops_in_progress <= 1 && 430 IS_ENABLED(CONFIG_DEBUG_BUGVERBOSE)) { 431 dump_stack(); 432 } 433 434 if (panic_smp_redirect_cpu(panic_force_cpu, (void *)msg) != 0) { 435 atomic_set(&panic_redirect_cpu, PANIC_CPU_INVALID); 436 pr_warn("panic: failed to redirect to CPU %d, continuing on CPU %d\n", 437 panic_force_cpu, this_cpu); 438 return false; 439 } 440 441 /* IPI/NMI sent, this CPU should stop */ 442 return true; 443 } 444 #else 445 __printf(1, 0) 446 static inline bool panic_try_force_cpu(const char *fmt, va_list args) 447 { 448 return false; 449 } 450 #endif /* CONFIG_SMP && CONFIG_CRASH_DUMP */ 451 452 bool panic_try_start(void) 453 { 454 int old_cpu, this_cpu; 455 456 /* 457 * Only one CPU is allowed to execute the crash_kexec() code as with 458 * panic(). Otherwise parallel calls of panic() and crash_kexec() 459 * may stop each other. To exclude them, we use panic_cpu here too. 460 */ 461 old_cpu = PANIC_CPU_INVALID; 462 this_cpu = raw_smp_processor_id(); 463 464 return atomic_try_cmpxchg(&panic_cpu, &old_cpu, this_cpu); 465 } 466 EXPORT_SYMBOL(panic_try_start); 467 468 void panic_reset(void) 469 { 470 atomic_set(&panic_cpu, PANIC_CPU_INVALID); 471 } 472 EXPORT_SYMBOL(panic_reset); 473 474 bool panic_in_progress(void) 475 { 476 return unlikely(atomic_read(&panic_cpu) != PANIC_CPU_INVALID); 477 } 478 EXPORT_SYMBOL(panic_in_progress); 479 480 /* Return true if a panic is in progress on the current CPU. */ 481 bool panic_on_this_cpu(void) 482 { 483 /* 484 * We can use raw_smp_processor_id() here because it is impossible for 485 * the task to be migrated to the panic_cpu, or away from it. If 486 * panic_cpu has already been set, and we're not currently executing on 487 * that CPU, then we never will be. 488 */ 489 return unlikely(atomic_read(&panic_cpu) == raw_smp_processor_id()); 490 } 491 EXPORT_SYMBOL(panic_on_this_cpu); 492 493 /* 494 * Return true if a panic is in progress on a remote CPU. 495 * 496 * On true, the local CPU should immediately release any printing resources 497 * that may be needed by the panic CPU. 498 */ 499 bool panic_on_other_cpu(void) 500 { 501 return (panic_in_progress() && !panic_on_this_cpu()); 502 } 503 EXPORT_SYMBOL(panic_on_other_cpu); 504 505 /* 506 * A variant of panic() called from NMI context. We return if we've already 507 * panicked on this CPU. If another CPU already panicked, loop in 508 * nmi_panic_self_stop() which can provide architecture dependent code such 509 * as saving register state for crash dump. 510 */ 511 void nmi_panic(struct pt_regs *regs, const char *msg) 512 { 513 if (panic_try_start()) 514 panic("%s", msg); 515 else if (panic_on_other_cpu()) 516 nmi_panic_self_stop(regs); 517 } 518 EXPORT_SYMBOL(nmi_panic); 519 520 void check_panic_on_warn(const char *origin) 521 { 522 unsigned int limit; 523 524 if (panic_on_warn) 525 panic("%s: panic_on_warn set ...\n", origin); 526 527 limit = READ_ONCE(warn_limit); 528 if (atomic_inc_return(&warn_count) >= limit && limit) 529 panic("%s: system warned too often (kernel.warn_limit is %d)", 530 origin, limit); 531 } 532 533 static void panic_trigger_all_cpu_backtrace(void) 534 { 535 /* Temporary allow non-panic CPUs to write their backtraces. */ 536 panic_triggering_all_cpu_backtrace = true; 537 538 if (panic_this_cpu_backtrace_printed) 539 trigger_allbutcpu_cpu_backtrace(raw_smp_processor_id()); 540 else 541 trigger_all_cpu_backtrace(); 542 543 panic_triggering_all_cpu_backtrace = false; 544 } 545 546 /* 547 * Helper that triggers the NMI backtrace (if set in panic_print) 548 * and then performs the secondary CPUs shutdown - we cannot have 549 * the NMI backtrace after the CPUs are off! 550 */ 551 static void panic_other_cpus_shutdown(bool crash_kexec) 552 { 553 if (panic_print & SYS_INFO_ALL_BT) 554 panic_trigger_all_cpu_backtrace(); 555 556 /* 557 * Note that smp_send_stop() is the usual SMP shutdown function, 558 * which unfortunately may not be hardened to work in a panic 559 * situation. If we want to do crash dump after notifier calls 560 * and kmsg_dump, we will need architecture dependent extra 561 * bits in addition to stopping other CPUs, hence we rely on 562 * crash_smp_send_stop() for that. 563 */ 564 if (!crash_kexec) 565 smp_send_stop(); 566 else 567 crash_smp_send_stop(); 568 } 569 570 /** 571 * vpanic - halt the system 572 * @fmt: The text string to print 573 * @args: Arguments for the format string 574 * 575 * Display a message, then perform cleanups. This function never returns. 576 */ 577 void vpanic(const char *fmt, va_list args) 578 { 579 static char buf[PANIC_MSG_BUFSZ]; 580 long i, i_next = 0, len; 581 int state = 0; 582 bool _crash_kexec_post_notifiers = crash_kexec_post_notifiers; 583 584 if (panic_on_warn) { 585 /* 586 * This thread may hit another WARN() in the panic path. 587 * Resetting this prevents additional WARN() from panicking the 588 * system on this thread. Other threads are blocked by the 589 * panic_mutex in panic(). 590 */ 591 panic_on_warn = 0; 592 } 593 594 /* 595 * Disable local interrupts. This will prevent panic_smp_self_stop 596 * from deadlocking the first cpu that invokes the panic, since 597 * there is nothing to prevent an interrupt handler (that runs 598 * after setting panic_cpu) from invoking panic() again. 599 */ 600 local_irq_disable(); 601 preempt_disable_notrace(); 602 603 /* Redirect panic to target CPU if configured via panic_force_cpu=. */ 604 if (panic_try_force_cpu(fmt, args)) { 605 /* 606 * Mark ourselves offline so panic_other_cpus_shutdown() won't wait 607 * for us on architectures that check num_online_cpus(). 608 */ 609 set_cpu_online(smp_processor_id(), false); 610 panic_smp_self_stop(); 611 } 612 /* 613 * It's possible to come here directly from a panic-assertion and 614 * not have preempt disabled. Some functions called from here want 615 * preempt to be disabled. No point enabling it later though... 616 * 617 * Only one CPU is allowed to execute the panic code from here. For 618 * multiple parallel invocations of panic, all other CPUs either 619 * stop themself or will wait until they are stopped by the 1st CPU 620 * with smp_send_stop(). 621 * 622 * cmpxchg success means this is the 1st CPU which comes here, 623 * so go ahead. 624 * `old_cpu == this_cpu' means we came from nmi_panic() which sets 625 * panic_cpu to this CPU. In this case, this is also the 1st CPU. 626 */ 627 /* atomic_try_cmpxchg updates old_cpu on failure */ 628 if (panic_try_start()) { 629 /* go ahead */ 630 } else if (panic_on_other_cpu()) 631 panic_smp_self_stop(); 632 633 console_verbose(); 634 bust_spinlocks(1); 635 len = vscnprintf(buf, sizeof(buf), fmt, args); 636 637 if (len && buf[len - 1] == '\n') 638 buf[len - 1] = '\0'; 639 640 pr_emerg("Kernel panic - not syncing: %s\n", buf); 641 /* 642 * Avoid nested stack-dumping if a panic occurs during oops processing 643 */ 644 if (atomic_read(&panic_redirect_cpu) != PANIC_CPU_INVALID && 645 panic_force_cpu == raw_smp_processor_id()) { 646 pr_emerg("panic: Redirected from CPU %d, skipping stack dump.\n", 647 atomic_read(&panic_redirect_cpu)); 648 } else if (test_taint(TAINT_DIE) || oops_in_progress > 1) { 649 panic_this_cpu_backtrace_printed = true; 650 } else if (IS_ENABLED(CONFIG_DEBUG_BUGVERBOSE)) { 651 dump_stack(); 652 panic_this_cpu_backtrace_printed = true; 653 } 654 655 /* 656 * If kgdb is enabled, give it a chance to run before we stop all 657 * the other CPUs or else we won't be able to debug processes left 658 * running on them. 659 */ 660 kgdb_panic(buf); 661 662 /* 663 * If we have crashed and we have a crash kernel loaded let it handle 664 * everything else. 665 * If we want to run this after calling panic_notifiers, pass 666 * the "crash_kexec_post_notifiers" option to the kernel. 667 * 668 * Bypass the panic_cpu check and call __crash_kexec directly. 669 */ 670 if (!_crash_kexec_post_notifiers) 671 __crash_kexec(NULL); 672 673 panic_other_cpus_shutdown(_crash_kexec_post_notifiers); 674 675 printk_legacy_allow_panic_sync(); 676 677 /* 678 * Run any panic handlers, including those that might need to 679 * add information to the kmsg dump output. 680 */ 681 atomic_notifier_call_chain(&panic_notifier_list, 0, buf); 682 683 sys_info(panic_print); 684 685 kmsg_dump_desc(KMSG_DUMP_PANIC, buf); 686 687 /* 688 * If you doubt kdump always works fine in any situation, 689 * "crash_kexec_post_notifiers" offers you a chance to run 690 * panic_notifiers and dumping kmsg before kdump. 691 * Note: since some panic_notifiers can make crashed kernel 692 * more unstable, it can increase risks of the kdump failure too. 693 * 694 * Bypass the panic_cpu check and call __crash_kexec directly. 695 */ 696 if (_crash_kexec_post_notifiers) 697 __crash_kexec(NULL); 698 699 console_unblank(); 700 701 /* 702 * We may have ended up stopping the CPU holding the lock (in 703 * smp_send_stop()) while still having some valuable data in the console 704 * buffer. Try to acquire the lock then release it regardless of the 705 * result. The release will also print the buffers out. Locks debug 706 * should be disabled to avoid reporting bad unlock balance when 707 * panic() is not being callled from OOPS. 708 */ 709 debug_locks_off(); 710 console_flush_on_panic(CONSOLE_FLUSH_PENDING); 711 712 if ((panic_print & SYS_INFO_PANIC_CONSOLE_REPLAY) || 713 panic_console_replay) 714 console_flush_on_panic(CONSOLE_REPLAY_ALL); 715 716 if (!panic_blink) 717 panic_blink = no_blink; 718 719 if (panic_timeout > 0) { 720 /* 721 * Delay timeout seconds before rebooting the machine. 722 * We can't use the "normal" timers since we just panicked. 723 */ 724 pr_emerg("Rebooting in %d seconds..\n", panic_timeout); 725 726 for (i = 0; i < panic_timeout * 1000; i += PANIC_TIMER_STEP) { 727 touch_nmi_watchdog(); 728 if (i >= i_next) { 729 i += panic_blink(state ^= 1); 730 i_next = i + 3600 / PANIC_BLINK_SPD; 731 } 732 mdelay(PANIC_TIMER_STEP); 733 } 734 } 735 if (panic_timeout != 0) { 736 /* 737 * This will not be a clean reboot, with everything 738 * shutting down. But if there is a chance of 739 * rebooting the system it will be rebooted. 740 */ 741 if (panic_reboot_mode != REBOOT_UNDEFINED) 742 reboot_mode = panic_reboot_mode; 743 emergency_restart(); 744 } 745 #ifdef __sparc__ 746 { 747 extern int stop_a_enabled; 748 /* Make sure the user can actually press Stop-A (L1-A) */ 749 stop_a_enabled = 1; 750 pr_emerg("Press Stop-A (L1-A) from sun keyboard or send break\n" 751 "twice on console to return to the boot prom\n"); 752 } 753 #endif 754 #if defined(CONFIG_S390) 755 disabled_wait(); 756 #endif 757 pr_emerg("---[ end Kernel panic - not syncing: %s ]---\n", buf); 758 759 /* Do not scroll important messages printed above */ 760 suppress_printk = 1; 761 762 /* 763 * The final messages may not have been printed if in a context that 764 * defers printing (such as NMI) and irq_work is not available. 765 * Explicitly flush the kernel log buffer one last time. 766 */ 767 console_flush_on_panic(CONSOLE_FLUSH_PENDING); 768 nbcon_atomic_flush_unsafe(); 769 770 local_irq_enable(); 771 for (i = 0; ; i += PANIC_TIMER_STEP) { 772 touch_softlockup_watchdog(); 773 if (i >= i_next) { 774 i += panic_blink(state ^= 1); 775 i_next = i + 3600 / PANIC_BLINK_SPD; 776 } 777 mdelay(PANIC_TIMER_STEP); 778 } 779 } 780 EXPORT_SYMBOL(vpanic); 781 782 /* Identical to vpanic(), except it takes variadic arguments instead of va_list */ 783 void panic(const char *fmt, ...) 784 { 785 va_list args; 786 787 va_start(args, fmt); 788 vpanic(fmt, args); 789 va_end(args); 790 } 791 EXPORT_SYMBOL(panic); 792 793 #define TAINT_FLAG(taint, _c_true, _c_false) \ 794 [ TAINT_##taint ] = { \ 795 .c_true = _c_true, .c_false = _c_false, \ 796 .desc = #taint, \ 797 } 798 799 /* 800 * NOTE: if you modify the taint_flags or TAINT_FLAGS_COUNT, 801 * please also modify tools/debugging/kernel-chktaint and 802 * Documentation/admin-guide/tainted-kernels.rst, including its 803 * small shell script that prints the TAINT_FLAGS_COUNT bits of 804 * /proc/sys/kernel/tainted. 805 * 806 * Also, update INIT_TAINT_BUF_MAX below. 807 */ 808 const struct taint_flag taint_flags[TAINT_FLAGS_COUNT] = { 809 TAINT_FLAG(PROPRIETARY_MODULE, 'P', 'G'), 810 TAINT_FLAG(FORCED_MODULE, 'F', ' '), 811 TAINT_FLAG(CPU_OUT_OF_SPEC, 'S', ' '), 812 TAINT_FLAG(FORCED_RMMOD, 'R', ' '), 813 TAINT_FLAG(MACHINE_CHECK, 'M', ' '), 814 TAINT_FLAG(BAD_PAGE, 'B', ' '), 815 TAINT_FLAG(USER, 'U', ' '), 816 TAINT_FLAG(DIE, 'D', ' '), 817 TAINT_FLAG(OVERRIDDEN_ACPI_TABLE, 'A', ' '), 818 TAINT_FLAG(WARN, 'W', ' '), 819 TAINT_FLAG(CRAP, 'C', ' '), 820 TAINT_FLAG(FIRMWARE_WORKAROUND, 'I', ' '), 821 TAINT_FLAG(OOT_MODULE, 'O', ' '), 822 TAINT_FLAG(UNSIGNED_MODULE, 'E', ' '), 823 TAINT_FLAG(SOFTLOCKUP, 'L', ' '), 824 TAINT_FLAG(LIVEPATCH, 'K', ' '), 825 TAINT_FLAG(AUX, 'X', ' '), 826 TAINT_FLAG(RANDSTRUCT, 'T', ' '), 827 TAINT_FLAG(TEST, 'N', ' '), 828 TAINT_FLAG(FWCTL, 'J', ' '), 829 }; 830 831 #undef TAINT_FLAG 832 833 static void print_tainted_seq(struct seq_buf *s, bool verbose) 834 { 835 const char *sep = ""; 836 int i; 837 838 if (!tainted_mask) { 839 seq_buf_puts(s, "Not tainted"); 840 return; 841 } 842 843 seq_buf_printf(s, "Tainted: "); 844 for (i = 0; i < TAINT_FLAGS_COUNT; i++) { 845 const struct taint_flag *t = &taint_flags[i]; 846 bool is_set = test_bit(i, &tainted_mask); 847 char c = is_set ? t->c_true : t->c_false; 848 849 if (verbose) { 850 if (is_set) { 851 seq_buf_printf(s, "%s[%c]=%s", sep, c, t->desc); 852 sep = ", "; 853 } 854 } else { 855 seq_buf_putc(s, c); 856 } 857 } 858 } 859 860 /* The initial buffer can accommodate all taint flags in verbose 861 * mode, with some headroom. Once the allocator is available, the 862 * exact size is allocated dynamically; the initial buffer remains 863 * as a fallback if allocation fails. 864 * 865 * The verbose taint string currently requires up to 327 characters. 866 */ 867 #define INIT_TAINT_BUF_MAX 350 868 869 static char init_taint_buf[INIT_TAINT_BUF_MAX] __initdata; 870 static char *taint_buf __refdata = init_taint_buf; 871 static size_t taint_buf_size = INIT_TAINT_BUF_MAX; 872 873 static __init int alloc_taint_buf(void) 874 { 875 int i; 876 char *buf; 877 size_t size = 0; 878 879 size += sizeof("Tainted: ") - 1; 880 for (i = 0; i < TAINT_FLAGS_COUNT; i++) { 881 size += 2; /* For ", " */ 882 size += 4; /* For "[%c]=" */ 883 size += strlen(taint_flags[i].desc); 884 } 885 886 size += 1; /* For NULL terminator */ 887 888 buf = kmalloc(size, GFP_KERNEL); 889 890 if (!buf) { 891 panic("Failed to allocate taint string buffer"); 892 } 893 894 taint_buf = buf; 895 taint_buf_size = size; 896 897 return 0; 898 } 899 postcore_initcall(alloc_taint_buf); 900 901 static const char *_print_tainted(bool verbose) 902 { 903 struct seq_buf s; 904 905 BUILD_BUG_ON(ARRAY_SIZE(taint_flags) != TAINT_FLAGS_COUNT); 906 907 seq_buf_init(&s, taint_buf, taint_buf_size); 908 909 print_tainted_seq(&s, verbose); 910 911 return seq_buf_str(&s); 912 } 913 914 /** 915 * print_tainted - return a string to represent the kernel taint state. 916 * 917 * For individual taint flag meanings, see Documentation/admin-guide/sysctl/kernel.rst 918 * 919 * The string is overwritten by the next call to print_tainted(), 920 * but is always NULL terminated. 921 */ 922 const char *print_tainted(void) 923 { 924 return _print_tainted(false); 925 } 926 927 /** 928 * print_tainted_verbose - A more verbose version of print_tainted() 929 */ 930 const char *print_tainted_verbose(void) 931 { 932 return _print_tainted(true); 933 } 934 935 int test_taint(unsigned flag) 936 { 937 return test_bit(flag, &tainted_mask); 938 } 939 EXPORT_SYMBOL(test_taint); 940 941 unsigned long get_taint(void) 942 { 943 return tainted_mask; 944 } 945 946 /** 947 * add_taint: add a taint flag if not already set. 948 * @flag: one of the TAINT_* constants. 949 * @lockdep_ok: whether lock debugging is still OK. 950 * 951 * If something bad has gone wrong, you'll want @lockdebug_ok = false, but for 952 * some notewortht-but-not-corrupting cases, it can be set to true. 953 */ 954 void add_taint(unsigned flag, enum lockdep_ok lockdep_ok) 955 { 956 if (lockdep_ok == LOCKDEP_NOW_UNRELIABLE && __debug_locks_off()) 957 pr_warn("Disabling lock debugging due to kernel taint\n"); 958 959 set_bit(flag, &tainted_mask); 960 961 if (tainted_mask & panic_on_taint) { 962 panic_on_taint = 0; 963 panic("panic_on_taint set ..."); 964 } 965 } 966 EXPORT_SYMBOL(add_taint); 967 968 static void spin_msec(int msecs) 969 { 970 int i; 971 972 for (i = 0; i < msecs; i++) { 973 touch_nmi_watchdog(); 974 mdelay(1); 975 } 976 } 977 978 /* 979 * It just happens that oops_enter() and oops_exit() are identically 980 * implemented... 981 */ 982 static void do_oops_enter_exit(void) 983 { 984 unsigned long flags; 985 static int spin_counter; 986 987 if (!pause_on_oops) 988 return; 989 990 spin_lock_irqsave(&pause_on_oops_lock, flags); 991 if (pause_on_oops_flag == 0) { 992 /* This CPU may now print the oops message */ 993 pause_on_oops_flag = 1; 994 } else { 995 /* We need to stall this CPU */ 996 if (!spin_counter) { 997 /* This CPU gets to do the counting */ 998 spin_counter = pause_on_oops; 999 do { 1000 spin_unlock(&pause_on_oops_lock); 1001 spin_msec(MSEC_PER_SEC); 1002 spin_lock(&pause_on_oops_lock); 1003 } while (--spin_counter); 1004 pause_on_oops_flag = 0; 1005 } else { 1006 /* This CPU waits for a different one */ 1007 while (spin_counter) { 1008 spin_unlock(&pause_on_oops_lock); 1009 spin_msec(1); 1010 spin_lock(&pause_on_oops_lock); 1011 } 1012 } 1013 } 1014 spin_unlock_irqrestore(&pause_on_oops_lock, flags); 1015 } 1016 1017 /* 1018 * Return true if the calling CPU is allowed to print oops-related info. 1019 * This is a bit racy.. 1020 */ 1021 bool oops_may_print(void) 1022 { 1023 return pause_on_oops_flag == 0; 1024 } 1025 1026 /* 1027 * Called when the architecture enters its oops handler, before it prints 1028 * anything. If this is the first CPU to oops, and it's oopsing the first 1029 * time then let it proceed. 1030 * 1031 * This is all enabled by the pause_on_oops kernel boot option. We do all 1032 * this to ensure that oopses don't scroll off the screen. It has the 1033 * side-effect of preventing later-oopsing CPUs from mucking up the display, 1034 * too. 1035 * 1036 * It turns out that the CPU which is allowed to print ends up pausing for 1037 * the right duration, whereas all the other CPUs pause for twice as long: 1038 * once in oops_enter(), once in oops_exit(). 1039 */ 1040 void oops_enter(void) 1041 { 1042 nbcon_cpu_emergency_enter(); 1043 tracing_off(); 1044 /* can't trust the integrity of the kernel anymore: */ 1045 debug_locks_off(); 1046 do_oops_enter_exit(); 1047 1048 if (sysctl_oops_all_cpu_backtrace) 1049 trigger_all_cpu_backtrace(); 1050 } 1051 1052 static void print_oops_end_marker(void) 1053 { 1054 pr_warn("---[ end trace %016llx ]---\n", 0ULL); 1055 } 1056 1057 /* 1058 * Called when the architecture exits its oops handler, after printing 1059 * everything. 1060 */ 1061 void oops_exit(void) 1062 { 1063 do_oops_enter_exit(); 1064 print_oops_end_marker(); 1065 nbcon_cpu_emergency_exit(); 1066 kmsg_dump(KMSG_DUMP_OOPS); 1067 } 1068 1069 struct warn_args { 1070 const char *fmt; 1071 va_list args; 1072 }; 1073 1074 void __warn(const char *file, int line, void *caller, unsigned taint, 1075 struct pt_regs *regs, struct warn_args *args) 1076 { 1077 nbcon_cpu_emergency_enter(); 1078 1079 disable_trace_on_warning(); 1080 1081 if (file) { 1082 pr_warn("WARNING: %s:%d at %pS, CPU#%d: %s/%d\n", 1083 file, line, caller, 1084 raw_smp_processor_id(), current->comm, current->pid); 1085 } else { 1086 pr_warn("WARNING: at %pS, CPU#%d: %s/%d\n", 1087 caller, 1088 raw_smp_processor_id(), current->comm, current->pid); 1089 } 1090 1091 #pragma GCC diagnostic push 1092 #ifndef __clang__ 1093 #pragma GCC diagnostic ignored "-Wsuggest-attribute=format" 1094 #endif 1095 if (args) 1096 vprintk(args->fmt, args->args); 1097 #pragma GCC diagnostic pop 1098 1099 print_modules(); 1100 1101 if (regs) 1102 show_regs(regs); 1103 1104 check_panic_on_warn("kernel"); 1105 1106 if (!regs) 1107 dump_stack(); 1108 1109 print_irqtrace_events(current); 1110 1111 print_oops_end_marker(); 1112 trace_error_report_end(ERROR_DETECTOR_WARN, (unsigned long)caller); 1113 1114 /* Just a warning, don't kill lockdep. */ 1115 add_taint(taint, LOCKDEP_STILL_OK); 1116 1117 nbcon_cpu_emergency_exit(); 1118 } 1119 1120 #ifdef CONFIG_BUG 1121 #ifndef __WARN_FLAGS 1122 void warn_slowpath_fmt(const char *file, int line, unsigned taint, 1123 const char *fmt, ...) 1124 { 1125 bool rcu = warn_rcu_enter(); 1126 struct warn_args args; 1127 1128 if (kunit_is_suppressed_warning(true)) { 1129 warn_rcu_exit(rcu); 1130 return; 1131 } 1132 1133 pr_warn(CUT_HERE); 1134 1135 if (!fmt) { 1136 __warn(file, line, __builtin_return_address(0), taint, 1137 NULL, NULL); 1138 warn_rcu_exit(rcu); 1139 return; 1140 } 1141 1142 args.fmt = fmt; 1143 va_start(args.args, fmt); 1144 __warn(file, line, __builtin_return_address(0), taint, NULL, &args); 1145 va_end(args.args); 1146 warn_rcu_exit(rcu); 1147 } 1148 EXPORT_SYMBOL(warn_slowpath_fmt); 1149 #else 1150 void __warn_printk(const char *fmt, ...) 1151 { 1152 bool rcu = warn_rcu_enter(); 1153 va_list args; 1154 1155 if (kunit_is_suppressed_warning(false)) { 1156 warn_rcu_exit(rcu); 1157 return; 1158 } 1159 1160 pr_warn(CUT_HERE); 1161 1162 va_start(args, fmt); 1163 vprintk(fmt, args); 1164 va_end(args); 1165 warn_rcu_exit(rcu); 1166 } 1167 EXPORT_SYMBOL(__warn_printk); 1168 #endif 1169 1170 /* Support resetting WARN*_ONCE state */ 1171 1172 static int clear_warn_once_set(void *data, u64 val) 1173 { 1174 generic_bug_clear_once(); 1175 memset(__start_once, 0, __end_once - __start_once); 1176 return 0; 1177 } 1178 1179 DEFINE_DEBUGFS_ATTRIBUTE(clear_warn_once_fops, NULL, clear_warn_once_set, 1180 "%lld\n"); 1181 1182 static __init int register_warn_debugfs(void) 1183 { 1184 /* Don't care about failure */ 1185 debugfs_create_file_unsafe("clear_warn_once", 0200, NULL, NULL, 1186 &clear_warn_once_fops); 1187 return 0; 1188 } 1189 1190 device_initcall(register_warn_debugfs); 1191 #endif 1192 1193 #ifdef CONFIG_STACKPROTECTOR 1194 1195 /* 1196 * Called when gcc's -fstack-protector feature is used, and 1197 * gcc detects corruption of the on-stack canary value 1198 */ 1199 __visible noinstr void __stack_chk_fail(void) 1200 { 1201 unsigned long flags; 1202 1203 instrumentation_begin(); 1204 flags = user_access_save(); 1205 1206 panic("stack-protector: Kernel stack is corrupted in: %pB", 1207 __builtin_return_address(0)); 1208 1209 user_access_restore(flags); 1210 instrumentation_end(); 1211 } 1212 EXPORT_SYMBOL(__stack_chk_fail); 1213 1214 #endif 1215 1216 core_param(panic, panic_timeout, int, 0644); 1217 core_param(pause_on_oops, pause_on_oops, int, 0644); 1218 core_param(panic_on_warn, panic_on_warn, int, 0644); 1219 core_param(crash_kexec_post_notifiers, crash_kexec_post_notifiers, bool, 0644); 1220 core_param(panic_console_replay, panic_console_replay, bool, 0644); 1221 1222 static int panic_print_set(const char *val, const struct kernel_param *kp) 1223 { 1224 panic_print_deprecated(); 1225 return param_set_ulong(val, kp); 1226 } 1227 1228 static int panic_print_get(char *val, const struct kernel_param *kp) 1229 { 1230 return param_get_ulong(val, kp); 1231 } 1232 1233 static const struct kernel_param_ops panic_print_ops = { 1234 .set = panic_print_set, 1235 .get = panic_print_get, 1236 }; 1237 __core_param_cb(panic_print, &panic_print_ops, &panic_print, 0644); 1238 1239 static int __init oops_setup(char *s) 1240 { 1241 if (!s) 1242 return -EINVAL; 1243 if (!strcmp(s, "panic")) 1244 panic_on_oops = 1; 1245 return 0; 1246 } 1247 early_param("oops", oops_setup); 1248 1249 static int __init panic_on_taint_setup(char *s) 1250 { 1251 char *taint_str; 1252 1253 if (!s) 1254 return -EINVAL; 1255 1256 taint_str = strsep(&s, ","); 1257 if (kstrtoul(taint_str, 16, &panic_on_taint)) 1258 return -EINVAL; 1259 1260 /* make sure panic_on_taint doesn't hold out-of-range TAINT flags */ 1261 panic_on_taint &= TAINT_FLAGS_MAX; 1262 1263 if (!panic_on_taint) 1264 return -EINVAL; 1265 1266 if (s && !strcmp(s, "nousertaint")) 1267 panic_on_taint_nousertaint = true; 1268 1269 pr_info("panic_on_taint: bitmask=0x%lx nousertaint_mode=%s\n", 1270 panic_on_taint, str_enabled_disabled(panic_on_taint_nousertaint)); 1271 1272 return 0; 1273 } 1274 early_param("panic_on_taint", panic_on_taint_setup); 1275