1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Watchdog support on powerpc systems.
4 *
5 * Copyright 2017, IBM Corporation.
6 *
7 * This uses code from arch/sparc/kernel/nmi.c and kernel/watchdog.c
8 */
9
10 #define pr_fmt(fmt) "watchdog: " fmt
11
12 #include <linux/kernel.h>
13 #include <linux/param.h>
14 #include <linux/init.h>
15 #include <linux/percpu.h>
16 #include <linux/cpu.h>
17 #include <linux/nmi.h>
18 #include <linux/module.h>
19 #include <linux/export.h>
20 #include <linux/kprobes.h>
21 #include <linux/hardirq.h>
22 #include <linux/reboot.h>
23 #include <linux/slab.h>
24 #include <linux/kdebug.h>
25 #include <linux/sched/debug.h>
26 #include <linux/delay.h>
27 #include <linux/smp.h>
28
29 #include <asm/paca.h>
30
31 /*
32 * The powerpc watchdog ensures that each CPU is able to service timers.
33 * The watchdog sets up a simple timer on each CPU to run once per timer
34 * period, and updates a per-cpu timestamp and a "pending" cpumask. This is
35 * the heartbeat.
36 *
37 * Then there are two systems to check that the heartbeat is still running.
38 * The local soft-NMI, and the SMP checker.
39 *
40 * The soft-NMI checker can detect lockups on the local CPU. When interrupts
41 * are disabled with local_irq_disable(), platforms that use soft-masking
42 * can leave hardware interrupts enabled and handle them with a masked
43 * interrupt handler. The masked handler can send the timer interrupt to the
44 * watchdog's soft_nmi_interrupt(), which appears to Linux as an NMI
45 * interrupt, and can be used to detect CPUs stuck with IRQs disabled.
46 *
47 * The soft-NMI checker will compare the heartbeat timestamp for this CPU
48 * with the current time, and take action if the difference exceeds the
49 * watchdog threshold.
50 *
51 * The limitation of the soft-NMI watchdog is that it does not work when
52 * interrupts are hard disabled or otherwise not being serviced. This is
53 * solved by also having a SMP watchdog where all CPUs check all other
54 * CPUs heartbeat.
55 *
56 * The SMP checker can detect lockups on other CPUs. A gobal "pending"
57 * cpumask is kept, containing all CPUs which enable the watchdog. Each
58 * CPU clears their pending bit in their heartbeat timer. When the bitmask
59 * becomes empty, the last CPU to clear its pending bit updates a global
60 * timestamp and refills the pending bitmask.
61 *
62 * In the heartbeat timer, if any CPU notices that the global timestamp has
63 * not been updated for a period exceeding the watchdog threshold, then it
64 * means the CPU(s) with their bit still set in the pending mask have had
65 * their heartbeat stop, and action is taken.
66 *
67 * Some platforms implement true NMI IPIs, which can be used by the SMP
68 * watchdog to detect an unresponsive CPU and pull it out of its stuck
69 * state with the NMI IPI, to get crash/debug data from it. This way the
70 * SMP watchdog can detect hardware interrupts off lockups.
71 */
72
73 static cpumask_t wd_cpus_enabled __read_mostly;
74
75 static u64 wd_panic_timeout_tb __read_mostly; /* timebase ticks until panic */
76 static u64 wd_smp_panic_timeout_tb __read_mostly; /* panic other CPUs */
77
78 static u64 wd_timer_period_ms __read_mostly; /* interval between heartbeat */
79
80 static DEFINE_PER_CPU(struct hrtimer, wd_hrtimer);
81 static DEFINE_PER_CPU(u64, wd_timer_tb);
82
83 /* SMP checker bits */
84 static unsigned long __wd_smp_lock;
85 static cpumask_t wd_smp_cpus_pending;
86 static cpumask_t wd_smp_cpus_stuck;
87 static u64 wd_smp_last_reset_tb;
88
wd_smp_lock(unsigned long * flags)89 static inline void wd_smp_lock(unsigned long *flags)
90 {
91 /*
92 * Avoid locking layers if possible.
93 * This may be called from low level interrupt handlers at some
94 * point in future.
95 */
96 raw_local_irq_save(*flags);
97 hard_irq_disable(); /* Make it soft-NMI safe */
98 while (unlikely(test_and_set_bit_lock(0, &__wd_smp_lock))) {
99 raw_local_irq_restore(*flags);
100 spin_until_cond(!test_bit(0, &__wd_smp_lock));
101 raw_local_irq_save(*flags);
102 hard_irq_disable();
103 }
104 }
105
wd_smp_unlock(unsigned long * flags)106 static inline void wd_smp_unlock(unsigned long *flags)
107 {
108 clear_bit_unlock(0, &__wd_smp_lock);
109 raw_local_irq_restore(*flags);
110 }
111
wd_lockup_ipi(struct pt_regs * regs)112 static void wd_lockup_ipi(struct pt_regs *regs)
113 {
114 int cpu = raw_smp_processor_id();
115 u64 tb = get_tb();
116
117 pr_emerg("CPU %d Hard LOCKUP\n", cpu);
118 pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n",
119 cpu, tb, per_cpu(wd_timer_tb, cpu),
120 tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000);
121 print_modules();
122 print_irqtrace_events(current);
123 if (regs)
124 show_regs(regs);
125 else
126 dump_stack();
127
128 /* Do not panic from here because that can recurse into NMI IPI layer */
129 }
130
set_cpumask_stuck(const struct cpumask * cpumask,u64 tb)131 static void set_cpumask_stuck(const struct cpumask *cpumask, u64 tb)
132 {
133 cpumask_or(&wd_smp_cpus_stuck, &wd_smp_cpus_stuck, cpumask);
134 cpumask_andnot(&wd_smp_cpus_pending, &wd_smp_cpus_pending, cpumask);
135 /*
136 * See wd_smp_clear_cpu_pending()
137 */
138 smp_mb();
139 if (cpumask_empty(&wd_smp_cpus_pending)) {
140 wd_smp_last_reset_tb = tb;
141 cpumask_andnot(&wd_smp_cpus_pending,
142 &wd_cpus_enabled,
143 &wd_smp_cpus_stuck);
144 }
145 }
set_cpu_stuck(int cpu,u64 tb)146 static void set_cpu_stuck(int cpu, u64 tb)
147 {
148 set_cpumask_stuck(cpumask_of(cpu), tb);
149 }
150
watchdog_smp_panic(int cpu,u64 tb)151 static void watchdog_smp_panic(int cpu, u64 tb)
152 {
153 unsigned long flags;
154 int c;
155
156 wd_smp_lock(&flags);
157 /* Double check some things under lock */
158 if ((s64)(tb - wd_smp_last_reset_tb) < (s64)wd_smp_panic_timeout_tb)
159 goto out;
160 if (cpumask_test_cpu(cpu, &wd_smp_cpus_pending))
161 goto out;
162 if (cpumask_weight(&wd_smp_cpus_pending) == 0)
163 goto out;
164
165 pr_emerg("CPU %d detected hard LOCKUP on other CPUs %*pbl\n",
166 cpu, cpumask_pr_args(&wd_smp_cpus_pending));
167 pr_emerg("CPU %d TB:%lld, last SMP heartbeat TB:%lld (%lldms ago)\n",
168 cpu, tb, wd_smp_last_reset_tb,
169 tb_to_ns(tb - wd_smp_last_reset_tb) / 1000000);
170
171 if (!sysctl_hardlockup_all_cpu_backtrace) {
172 /*
173 * Try to trigger the stuck CPUs, unless we are going to
174 * get a backtrace on all of them anyway.
175 */
176 for_each_cpu(c, &wd_smp_cpus_pending) {
177 if (c == cpu)
178 continue;
179 smp_send_nmi_ipi(c, wd_lockup_ipi, 1000000);
180 }
181 }
182
183 /* Take the stuck CPUs out of the watch group */
184 set_cpumask_stuck(&wd_smp_cpus_pending, tb);
185
186 wd_smp_unlock(&flags);
187
188 printk_safe_flush();
189 /*
190 * printk_safe_flush() seems to require another print
191 * before anything actually goes out to console.
192 */
193 if (sysctl_hardlockup_all_cpu_backtrace)
194 trigger_allbutself_cpu_backtrace();
195
196 if (hardlockup_panic)
197 nmi_panic(NULL, "Hard LOCKUP");
198
199 return;
200
201 out:
202 wd_smp_unlock(&flags);
203 }
204
wd_smp_clear_cpu_pending(int cpu,u64 tb)205 static void wd_smp_clear_cpu_pending(int cpu, u64 tb)
206 {
207 if (!cpumask_test_cpu(cpu, &wd_smp_cpus_pending)) {
208 if (unlikely(cpumask_test_cpu(cpu, &wd_smp_cpus_stuck))) {
209 struct pt_regs *regs = get_irq_regs();
210 unsigned long flags;
211
212 wd_smp_lock(&flags);
213
214 pr_emerg("CPU %d became unstuck TB:%lld\n",
215 cpu, tb);
216 print_irqtrace_events(current);
217 if (regs)
218 show_regs(regs);
219 else
220 dump_stack();
221
222 cpumask_clear_cpu(cpu, &wd_smp_cpus_stuck);
223 wd_smp_unlock(&flags);
224 } else {
225 /*
226 * The last CPU to clear pending should have reset the
227 * watchdog so we generally should not find it empty
228 * here if our CPU was clear. However it could happen
229 * due to a rare race with another CPU taking the
230 * last CPU out of the mask concurrently.
231 *
232 * We can't add a warning for it. But just in case
233 * there is a problem with the watchdog that is causing
234 * the mask to not be reset, try to kick it along here.
235 */
236 if (unlikely(cpumask_empty(&wd_smp_cpus_pending)))
237 goto none_pending;
238 }
239 return;
240 }
241
242 cpumask_clear_cpu(cpu, &wd_smp_cpus_pending);
243
244 /*
245 * Order the store to clear pending with the load(s) to check all
246 * words in the pending mask to check they are all empty. This orders
247 * with the same barrier on another CPU. This prevents two CPUs
248 * clearing the last 2 pending bits, but neither seeing the other's
249 * store when checking if the mask is empty, and missing an empty
250 * mask, which ends with a false positive.
251 */
252 smp_mb();
253 if (cpumask_empty(&wd_smp_cpus_pending)) {
254 unsigned long flags;
255
256 none_pending:
257 /*
258 * Double check under lock because more than one CPU could see
259 * a clear mask with the lockless check after clearing their
260 * pending bits.
261 */
262 wd_smp_lock(&flags);
263 if (cpumask_empty(&wd_smp_cpus_pending)) {
264 wd_smp_last_reset_tb = tb;
265 cpumask_andnot(&wd_smp_cpus_pending,
266 &wd_cpus_enabled,
267 &wd_smp_cpus_stuck);
268 }
269 wd_smp_unlock(&flags);
270 }
271 }
272
watchdog_timer_interrupt(int cpu)273 static void watchdog_timer_interrupt(int cpu)
274 {
275 u64 tb = get_tb();
276
277 per_cpu(wd_timer_tb, cpu) = tb;
278
279 wd_smp_clear_cpu_pending(cpu, tb);
280
281 if ((s64)(tb - wd_smp_last_reset_tb) >= (s64)wd_smp_panic_timeout_tb)
282 watchdog_smp_panic(cpu, tb);
283 }
284
soft_nmi_interrupt(struct pt_regs * regs)285 void soft_nmi_interrupt(struct pt_regs *regs)
286 {
287 unsigned long flags;
288 int cpu = raw_smp_processor_id();
289 u64 tb;
290
291 if (!cpumask_test_cpu(cpu, &wd_cpus_enabled))
292 return;
293
294 nmi_enter();
295
296 __this_cpu_inc(irq_stat.soft_nmi_irqs);
297
298 tb = get_tb();
299 if (tb - per_cpu(wd_timer_tb, cpu) >= wd_panic_timeout_tb) {
300 wd_smp_lock(&flags);
301 if (cpumask_test_cpu(cpu, &wd_smp_cpus_stuck)) {
302 wd_smp_unlock(&flags);
303 goto out;
304 }
305 set_cpu_stuck(cpu, tb);
306
307 pr_emerg("CPU %d self-detected hard LOCKUP @ %pS\n",
308 cpu, (void *)regs->nip);
309 pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n",
310 cpu, tb, per_cpu(wd_timer_tb, cpu),
311 tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000);
312 print_modules();
313 print_irqtrace_events(current);
314 show_regs(regs);
315
316 wd_smp_unlock(&flags);
317
318 if (sysctl_hardlockup_all_cpu_backtrace)
319 trigger_allbutself_cpu_backtrace();
320
321 if (hardlockup_panic)
322 nmi_panic(regs, "Hard LOCKUP");
323 }
324 if (wd_panic_timeout_tb < 0x7fffffff)
325 mtspr(SPRN_DEC, wd_panic_timeout_tb);
326
327 out:
328 nmi_exit();
329 }
330
watchdog_timer_fn(struct hrtimer * hrtimer)331 static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer)
332 {
333 int cpu = smp_processor_id();
334
335 if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED))
336 return HRTIMER_NORESTART;
337
338 if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
339 return HRTIMER_NORESTART;
340
341 watchdog_timer_interrupt(cpu);
342
343 hrtimer_forward_now(hrtimer, ms_to_ktime(wd_timer_period_ms));
344
345 return HRTIMER_RESTART;
346 }
347
arch_touch_nmi_watchdog(void)348 void arch_touch_nmi_watchdog(void)
349 {
350 unsigned long ticks = tb_ticks_per_usec * wd_timer_period_ms * 1000;
351 int cpu = smp_processor_id();
352 u64 tb;
353
354 if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
355 return;
356
357 tb = get_tb();
358 if (tb - per_cpu(wd_timer_tb, cpu) >= ticks) {
359 per_cpu(wd_timer_tb, cpu) = tb;
360 wd_smp_clear_cpu_pending(cpu, tb);
361 }
362 }
363 EXPORT_SYMBOL(arch_touch_nmi_watchdog);
364
start_watchdog(void * arg)365 static void start_watchdog(void *arg)
366 {
367 struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
368 int cpu = smp_processor_id();
369 unsigned long flags;
370
371 if (cpumask_test_cpu(cpu, &wd_cpus_enabled)) {
372 WARN_ON(1);
373 return;
374 }
375
376 if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED))
377 return;
378
379 if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
380 return;
381
382 wd_smp_lock(&flags);
383 cpumask_set_cpu(cpu, &wd_cpus_enabled);
384 if (cpumask_weight(&wd_cpus_enabled) == 1) {
385 cpumask_set_cpu(cpu, &wd_smp_cpus_pending);
386 wd_smp_last_reset_tb = get_tb();
387 }
388 wd_smp_unlock(&flags);
389
390 *this_cpu_ptr(&wd_timer_tb) = get_tb();
391
392 hrtimer_init(hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
393 hrtimer->function = watchdog_timer_fn;
394 hrtimer_start(hrtimer, ms_to_ktime(wd_timer_period_ms),
395 HRTIMER_MODE_REL_PINNED);
396 }
397
start_watchdog_on_cpu(unsigned int cpu)398 static int start_watchdog_on_cpu(unsigned int cpu)
399 {
400 return smp_call_function_single(cpu, start_watchdog, NULL, true);
401 }
402
stop_watchdog(void * arg)403 static void stop_watchdog(void *arg)
404 {
405 struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
406 int cpu = smp_processor_id();
407 unsigned long flags;
408
409 if (!cpumask_test_cpu(cpu, &wd_cpus_enabled))
410 return; /* Can happen in CPU unplug case */
411
412 hrtimer_cancel(hrtimer);
413
414 wd_smp_lock(&flags);
415 cpumask_clear_cpu(cpu, &wd_cpus_enabled);
416 wd_smp_unlock(&flags);
417
418 wd_smp_clear_cpu_pending(cpu, get_tb());
419 }
420
stop_watchdog_on_cpu(unsigned int cpu)421 static int stop_watchdog_on_cpu(unsigned int cpu)
422 {
423 return smp_call_function_single(cpu, stop_watchdog, NULL, true);
424 }
425
watchdog_calc_timeouts(void)426 static void watchdog_calc_timeouts(void)
427 {
428 wd_panic_timeout_tb = watchdog_thresh * ppc_tb_freq;
429
430 /* Have the SMP detector trigger a bit later */
431 wd_smp_panic_timeout_tb = wd_panic_timeout_tb * 3 / 2;
432
433 /* 2/5 is the factor that the perf based detector uses */
434 wd_timer_period_ms = watchdog_thresh * 1000 * 2 / 5;
435 }
436
watchdog_nmi_stop(void)437 void watchdog_nmi_stop(void)
438 {
439 int cpu;
440
441 for_each_cpu(cpu, &wd_cpus_enabled)
442 stop_watchdog_on_cpu(cpu);
443 }
444
watchdog_nmi_start(void)445 void watchdog_nmi_start(void)
446 {
447 int cpu;
448
449 watchdog_calc_timeouts();
450 for_each_cpu_and(cpu, cpu_online_mask, &watchdog_cpumask)
451 start_watchdog_on_cpu(cpu);
452 }
453
454 /*
455 * Invoked from core watchdog init.
456 */
watchdog_nmi_probe(void)457 int __init watchdog_nmi_probe(void)
458 {
459 int err;
460
461 err = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
462 "powerpc/watchdog:online",
463 start_watchdog_on_cpu,
464 stop_watchdog_on_cpu);
465 if (err < 0) {
466 pr_warn("could not be initialized");
467 return err;
468 }
469 return 0;
470 }
471