1// SPDX-License-Identifier: GPL-2.0
2/*
3 * Watchdog support on powerpc systems.
4 *
5 * Copyright 2017, IBM Corporation.
6 *
7 * This uses code from arch/sparc/kernel/nmi.c and kernel/watchdog.c
8 */
9
10#define pr_fmt(fmt) "watchdog: " fmt
11
12#include <linux/kernel.h>
13#include <linux/param.h>
14#include <linux/init.h>
15#include <linux/percpu.h>
16#include <linux/cpu.h>
17#include <linux/nmi.h>
18#include <linux/module.h>
19#include <linux/export.h>
20#include <linux/kprobes.h>
21#include <linux/hardirq.h>
22#include <linux/reboot.h>
23#include <linux/slab.h>
24#include <linux/kdebug.h>
25#include <linux/sched/debug.h>
26#include <linux/delay.h>
27#include <linux/processor.h>
28#include <linux/smp.h>
29
30#include <asm/interrupt.h>
31#include <asm/paca.h>
32#include <asm/nmi.h>
33
34/*
35 * The powerpc watchdog ensures that each CPU is able to service timers.
36 * The watchdog sets up a simple timer on each CPU to run once per timer
37 * period, and updates a per-cpu timestamp and a "pending" cpumask. This is
38 * the heartbeat.
39 *
40 * Then there are two systems to check that the heartbeat is still running.
41 * The local soft-NMI, and the SMP checker.
42 *
43 * The soft-NMI checker can detect lockups on the local CPU. When interrupts
44 * are disabled with local_irq_disable(), platforms that use soft-masking
45 * can leave hardware interrupts enabled and handle them with a masked
46 * interrupt handler. The masked handler can send the timer interrupt to the
47 * watchdog's soft_nmi_interrupt(), which appears to Linux as an NMI
48 * interrupt, and can be used to detect CPUs stuck with IRQs disabled.
49 *
50 * The soft-NMI checker will compare the heartbeat timestamp for this CPU
51 * with the current time, and take action if the difference exceeds the
52 * watchdog threshold.
53 *
54 * The limitation of the soft-NMI watchdog is that it does not work when
55 * interrupts are hard disabled or otherwise not being serviced. This is
56 * solved by also having a SMP watchdog where all CPUs check all other
57 * CPUs heartbeat.
58 *
59 * The SMP checker can detect lockups on other CPUs. A global "pending"
60 * cpumask is kept, containing all CPUs which enable the watchdog. Each
61 * CPU clears their pending bit in their heartbeat timer. When the bitmask
62 * becomes empty, the last CPU to clear its pending bit updates a global
63 * timestamp and refills the pending bitmask.
64 *
65 * In the heartbeat timer, if any CPU notices that the global timestamp has
66 * not been updated for a period exceeding the watchdog threshold, then it
67 * means the CPU(s) with their bit still set in the pending mask have had
68 * their heartbeat stop, and action is taken.
69 *
70 * Some platforms implement true NMI IPIs, which can be used by the SMP
71 * watchdog to detect an unresponsive CPU and pull it out of its stuck
72 * state with the NMI IPI, to get crash/debug data from it. This way the
73 * SMP watchdog can detect hardware interrupts off lockups.
74 */
75
76static cpumask_t wd_cpus_enabled __read_mostly;
77
78static u64 wd_panic_timeout_tb __read_mostly; /* timebase ticks until panic */
79static u64 wd_smp_panic_timeout_tb __read_mostly; /* panic other CPUs */
80
81static u64 wd_timer_period_ms __read_mostly;  /* interval between heartbeat */
82
83static DEFINE_PER_CPU(struct hrtimer, wd_hrtimer);
84static DEFINE_PER_CPU(u64, wd_timer_tb);
85
86/* SMP checker bits */
87static unsigned long __wd_smp_lock;
88static unsigned long __wd_reporting;
89static unsigned long __wd_nmi_output;
90static cpumask_t wd_smp_cpus_pending;
91static cpumask_t wd_smp_cpus_stuck;
92static u64 wd_smp_last_reset_tb;
93
94#ifdef CONFIG_PPC_PSERIES
95static u64 wd_timeout_pct;
96#endif
97
98/*
99 * Try to take the exclusive watchdog action / NMI IPI / printing lock.
100 * wd_smp_lock must be held. If this fails, we should return and wait
101 * for the watchdog to kick in again (or another CPU to trigger it).
102 *
103 * Importantly, if hardlockup_panic is set, wd_try_report failure should
104 * not delay the panic, because whichever other CPU is reporting will
105 * call panic.
106 */
107static bool wd_try_report(void)
108{
109	if (__wd_reporting)
110		return false;
111	__wd_reporting = 1;
112	return true;
113}
114
115/* End printing after successful wd_try_report. wd_smp_lock not required. */
116static void wd_end_reporting(void)
117{
118	smp_mb(); /* End printing "critical section" */
119	WARN_ON_ONCE(__wd_reporting == 0);
120	WRITE_ONCE(__wd_reporting, 0);
121}
122
123static inline void wd_smp_lock(unsigned long *flags)
124{
125	/*
126	 * Avoid locking layers if possible.
127	 * This may be called from low level interrupt handlers at some
128	 * point in future.
129	 */
130	raw_local_irq_save(*flags);
131	hard_irq_disable(); /* Make it soft-NMI safe */
132	while (unlikely(test_and_set_bit_lock(0, &__wd_smp_lock))) {
133		raw_local_irq_restore(*flags);
134		spin_until_cond(!test_bit(0, &__wd_smp_lock));
135		raw_local_irq_save(*flags);
136		hard_irq_disable();
137	}
138}
139
140static inline void wd_smp_unlock(unsigned long *flags)
141{
142	clear_bit_unlock(0, &__wd_smp_lock);
143	raw_local_irq_restore(*flags);
144}
145
146static void wd_lockup_ipi(struct pt_regs *regs)
147{
148	int cpu = raw_smp_processor_id();
149	u64 tb = get_tb();
150
151	pr_emerg("CPU %d Hard LOCKUP\n", cpu);
152	pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n",
153		 cpu, tb, per_cpu(wd_timer_tb, cpu),
154		 tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000);
155	print_modules();
156	print_irqtrace_events(current);
157	if (regs)
158		show_regs(regs);
159	else
160		dump_stack();
161
162	/*
163	 * __wd_nmi_output must be set after we printk from NMI context.
164	 *
165	 * printk from NMI context defers printing to the console to irq_work.
166	 * If that NMI was taken in some code that is hard-locked, then irqs
167	 * are disabled so irq_work will never fire. That can result in the
168	 * hard lockup messages being delayed (indefinitely, until something
169	 * else kicks the console drivers).
170	 *
171	 * Setting __wd_nmi_output will cause another CPU to notice and kick
172	 * the console drivers for us.
173	 *
174	 * xchg is not needed here (it could be a smp_mb and store), but xchg
175	 * gives the memory ordering and atomicity required.
176	 */
177	xchg(&__wd_nmi_output, 1);
178
179	/* Do not panic from here because that can recurse into NMI IPI layer */
180}
181
182static bool set_cpu_stuck(int cpu)
183{
184	cpumask_set_cpu(cpu, &wd_smp_cpus_stuck);
185	cpumask_clear_cpu(cpu, &wd_smp_cpus_pending);
186	/*
187	 * See wd_smp_clear_cpu_pending()
188	 */
189	smp_mb();
190	if (cpumask_empty(&wd_smp_cpus_pending)) {
191		wd_smp_last_reset_tb = get_tb();
192		cpumask_andnot(&wd_smp_cpus_pending,
193				&wd_cpus_enabled,
194				&wd_smp_cpus_stuck);
195		return true;
196	}
197	return false;
198}
199
200static void watchdog_smp_panic(int cpu)
201{
202	static cpumask_t wd_smp_cpus_ipi; // protected by reporting
203	unsigned long flags;
204	u64 tb, last_reset;
205	int c;
206
207	wd_smp_lock(&flags);
208	/* Double check some things under lock */
209	tb = get_tb();
210	last_reset = wd_smp_last_reset_tb;
211	if ((s64)(tb - last_reset) < (s64)wd_smp_panic_timeout_tb)
212		goto out;
213	if (cpumask_test_cpu(cpu, &wd_smp_cpus_pending))
214		goto out;
215	if (!wd_try_report())
216		goto out;
217	for_each_online_cpu(c) {
218		if (!cpumask_test_cpu(c, &wd_smp_cpus_pending))
219			continue;
220		if (c == cpu)
221			continue; // should not happen
222
223		__cpumask_set_cpu(c, &wd_smp_cpus_ipi);
224		if (set_cpu_stuck(c))
225			break;
226	}
227	if (cpumask_empty(&wd_smp_cpus_ipi)) {
228		wd_end_reporting();
229		goto out;
230	}
231	wd_smp_unlock(&flags);
232
233	pr_emerg("CPU %d detected hard LOCKUP on other CPUs %*pbl\n",
234		 cpu, cpumask_pr_args(&wd_smp_cpus_ipi));
235	pr_emerg("CPU %d TB:%lld, last SMP heartbeat TB:%lld (%lldms ago)\n",
236		 cpu, tb, last_reset, tb_to_ns(tb - last_reset) / 1000000);
237
238	if (!sysctl_hardlockup_all_cpu_backtrace) {
239		/*
240		 * Try to trigger the stuck CPUs, unless we are going to
241		 * get a backtrace on all of them anyway.
242		 */
243		for_each_cpu(c, &wd_smp_cpus_ipi) {
244			smp_send_nmi_ipi(c, wd_lockup_ipi, 1000000);
245			__cpumask_clear_cpu(c, &wd_smp_cpus_ipi);
246		}
247	} else {
248		trigger_allbutcpu_cpu_backtrace(cpu);
249		cpumask_clear(&wd_smp_cpus_ipi);
250	}
251
252	if (hardlockup_panic)
253		nmi_panic(NULL, "Hard LOCKUP");
254
255	wd_end_reporting();
256
257	return;
258
259out:
260	wd_smp_unlock(&flags);
261}
262
263static void wd_smp_clear_cpu_pending(int cpu)
264{
265	if (!cpumask_test_cpu(cpu, &wd_smp_cpus_pending)) {
266		if (unlikely(cpumask_test_cpu(cpu, &wd_smp_cpus_stuck))) {
267			struct pt_regs *regs = get_irq_regs();
268			unsigned long flags;
269
270			pr_emerg("CPU %d became unstuck TB:%lld\n",
271				 cpu, get_tb());
272			print_irqtrace_events(current);
273			if (regs)
274				show_regs(regs);
275			else
276				dump_stack();
277
278			wd_smp_lock(&flags);
279			cpumask_clear_cpu(cpu, &wd_smp_cpus_stuck);
280			wd_smp_unlock(&flags);
281		} else {
282			/*
283			 * The last CPU to clear pending should have reset the
284			 * watchdog so we generally should not find it empty
285			 * here if our CPU was clear. However it could happen
286			 * due to a rare race with another CPU taking the
287			 * last CPU out of the mask concurrently.
288			 *
289			 * We can't add a warning for it. But just in case
290			 * there is a problem with the watchdog that is causing
291			 * the mask to not be reset, try to kick it along here.
292			 */
293			if (unlikely(cpumask_empty(&wd_smp_cpus_pending)))
294				goto none_pending;
295		}
296		return;
297	}
298
299	/*
300	 * All other updates to wd_smp_cpus_pending are performed under
301	 * wd_smp_lock. All of them are atomic except the case where the
302	 * mask becomes empty and is reset. This will not happen here because
303	 * cpu was tested to be in the bitmap (above), and a CPU only clears
304	 * its own bit. _Except_ in the case where another CPU has detected a
305	 * hard lockup on our CPU and takes us out of the pending mask. So in
306	 * normal operation there will be no race here, no problem.
307	 *
308	 * In the lockup case, this atomic clear-bit vs a store that refills
309	 * other bits in the accessed word wll not be a problem. The bit clear
310	 * is atomic so it will not cause the store to get lost, and the store
311	 * will never set this bit so it will not overwrite the bit clear. The
312	 * only way for a stuck CPU to return to the pending bitmap is to
313	 * become unstuck itself.
314	 */
315	cpumask_clear_cpu(cpu, &wd_smp_cpus_pending);
316
317	/*
318	 * Order the store to clear pending with the load(s) to check all
319	 * words in the pending mask to check they are all empty. This orders
320	 * with the same barrier on another CPU. This prevents two CPUs
321	 * clearing the last 2 pending bits, but neither seeing the other's
322	 * store when checking if the mask is empty, and missing an empty
323	 * mask, which ends with a false positive.
324	 */
325	smp_mb();
326	if (cpumask_empty(&wd_smp_cpus_pending)) {
327		unsigned long flags;
328
329none_pending:
330		/*
331		 * Double check under lock because more than one CPU could see
332		 * a clear mask with the lockless check after clearing their
333		 * pending bits.
334		 */
335		wd_smp_lock(&flags);
336		if (cpumask_empty(&wd_smp_cpus_pending)) {
337			wd_smp_last_reset_tb = get_tb();
338			cpumask_andnot(&wd_smp_cpus_pending,
339					&wd_cpus_enabled,
340					&wd_smp_cpus_stuck);
341		}
342		wd_smp_unlock(&flags);
343	}
344}
345
346static void watchdog_timer_interrupt(int cpu)
347{
348	u64 tb = get_tb();
349
350	per_cpu(wd_timer_tb, cpu) = tb;
351
352	wd_smp_clear_cpu_pending(cpu);
353
354	if ((s64)(tb - wd_smp_last_reset_tb) >= (s64)wd_smp_panic_timeout_tb)
355		watchdog_smp_panic(cpu);
356
357	if (__wd_nmi_output && xchg(&__wd_nmi_output, 0)) {
358		/*
359		 * Something has called printk from NMI context. It might be
360		 * stuck, so this triggers a flush that will get that
361		 * printk output to the console.
362		 *
363		 * See wd_lockup_ipi.
364		 */
365		printk_trigger_flush();
366	}
367}
368
369DEFINE_INTERRUPT_HANDLER_NMI(soft_nmi_interrupt)
370{
371	unsigned long flags;
372	int cpu = raw_smp_processor_id();
373	u64 tb;
374
375	/* should only arrive from kernel, with irqs disabled */
376	WARN_ON_ONCE(!arch_irq_disabled_regs(regs));
377
378	if (!cpumask_test_cpu(cpu, &wd_cpus_enabled))
379		return 0;
380
381	__this_cpu_inc(irq_stat.soft_nmi_irqs);
382
383	tb = get_tb();
384	if (tb - per_cpu(wd_timer_tb, cpu) >= wd_panic_timeout_tb) {
385		/*
386		 * Taking wd_smp_lock here means it is a soft-NMI lock, which
387		 * means we can't take any regular or irqsafe spin locks while
388		 * holding this lock. This is why timers can't printk while
389		 * holding the lock.
390		 */
391		wd_smp_lock(&flags);
392		if (cpumask_test_cpu(cpu, &wd_smp_cpus_stuck)) {
393			wd_smp_unlock(&flags);
394			return 0;
395		}
396		if (!wd_try_report()) {
397			wd_smp_unlock(&flags);
398			/* Couldn't report, try again in 100ms */
399			mtspr(SPRN_DEC, 100 * tb_ticks_per_usec * 1000);
400			return 0;
401		}
402
403		set_cpu_stuck(cpu);
404
405		wd_smp_unlock(&flags);
406
407		pr_emerg("CPU %d self-detected hard LOCKUP @ %pS\n",
408			 cpu, (void *)regs->nip);
409		pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n",
410			 cpu, tb, per_cpu(wd_timer_tb, cpu),
411			 tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000);
412		print_modules();
413		print_irqtrace_events(current);
414		show_regs(regs);
415
416		xchg(&__wd_nmi_output, 1); // see wd_lockup_ipi
417
418		if (sysctl_hardlockup_all_cpu_backtrace)
419			trigger_allbutcpu_cpu_backtrace(cpu);
420
421		if (hardlockup_panic)
422			nmi_panic(regs, "Hard LOCKUP");
423
424		wd_end_reporting();
425	}
426	/*
427	 * We are okay to change DEC in soft_nmi_interrupt because the masked
428	 * handler has marked a DEC as pending, so the timer interrupt will be
429	 * replayed as soon as local irqs are enabled again.
430	 */
431	if (wd_panic_timeout_tb < 0x7fffffff)
432		mtspr(SPRN_DEC, wd_panic_timeout_tb);
433
434	return 0;
435}
436
437static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer)
438{
439	int cpu = smp_processor_id();
440
441	if (!(watchdog_enabled & WATCHDOG_HARDLOCKUP_ENABLED))
442		return HRTIMER_NORESTART;
443
444	if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
445		return HRTIMER_NORESTART;
446
447	watchdog_timer_interrupt(cpu);
448
449	hrtimer_forward_now(hrtimer, ms_to_ktime(wd_timer_period_ms));
450
451	return HRTIMER_RESTART;
452}
453
454void arch_touch_nmi_watchdog(void)
455{
456	unsigned long ticks = tb_ticks_per_usec * wd_timer_period_ms * 1000;
457	int cpu = smp_processor_id();
458	u64 tb;
459
460	if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
461		return;
462
463	tb = get_tb();
464	if (tb - per_cpu(wd_timer_tb, cpu) >= ticks) {
465		per_cpu(wd_timer_tb, cpu) = tb;
466		wd_smp_clear_cpu_pending(cpu);
467	}
468}
469EXPORT_SYMBOL(arch_touch_nmi_watchdog);
470
471static void start_watchdog(void *arg)
472{
473	struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
474	int cpu = smp_processor_id();
475	unsigned long flags;
476
477	if (cpumask_test_cpu(cpu, &wd_cpus_enabled)) {
478		WARN_ON(1);
479		return;
480	}
481
482	if (!(watchdog_enabled & WATCHDOG_HARDLOCKUP_ENABLED))
483		return;
484
485	if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
486		return;
487
488	wd_smp_lock(&flags);
489	cpumask_set_cpu(cpu, &wd_cpus_enabled);
490	if (cpumask_weight(&wd_cpus_enabled) == 1) {
491		cpumask_set_cpu(cpu, &wd_smp_cpus_pending);
492		wd_smp_last_reset_tb = get_tb();
493	}
494	wd_smp_unlock(&flags);
495
496	*this_cpu_ptr(&wd_timer_tb) = get_tb();
497
498	hrtimer_init(hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
499	hrtimer->function = watchdog_timer_fn;
500	hrtimer_start(hrtimer, ms_to_ktime(wd_timer_period_ms),
501		      HRTIMER_MODE_REL_PINNED);
502}
503
504static int start_watchdog_on_cpu(unsigned int cpu)
505{
506	return smp_call_function_single(cpu, start_watchdog, NULL, true);
507}
508
509static void stop_watchdog(void *arg)
510{
511	struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
512	int cpu = smp_processor_id();
513	unsigned long flags;
514
515	if (!cpumask_test_cpu(cpu, &wd_cpus_enabled))
516		return; /* Can happen in CPU unplug case */
517
518	hrtimer_cancel(hrtimer);
519
520	wd_smp_lock(&flags);
521	cpumask_clear_cpu(cpu, &wd_cpus_enabled);
522	wd_smp_unlock(&flags);
523
524	wd_smp_clear_cpu_pending(cpu);
525}
526
527static int stop_watchdog_on_cpu(unsigned int cpu)
528{
529	return smp_call_function_single(cpu, stop_watchdog, NULL, true);
530}
531
532static void watchdog_calc_timeouts(void)
533{
534	u64 threshold = watchdog_thresh;
535
536#ifdef CONFIG_PPC_PSERIES
537	threshold += (READ_ONCE(wd_timeout_pct) * threshold) / 100;
538#endif
539
540	wd_panic_timeout_tb = threshold * ppc_tb_freq;
541
542	/* Have the SMP detector trigger a bit later */
543	wd_smp_panic_timeout_tb = wd_panic_timeout_tb * 3 / 2;
544
545	/* 2/5 is the factor that the perf based detector uses */
546	wd_timer_period_ms = watchdog_thresh * 1000 * 2 / 5;
547}
548
549void watchdog_hardlockup_stop(void)
550{
551	int cpu;
552
553	for_each_cpu(cpu, &wd_cpus_enabled)
554		stop_watchdog_on_cpu(cpu);
555}
556
557void watchdog_hardlockup_start(void)
558{
559	int cpu;
560
561	watchdog_calc_timeouts();
562	for_each_cpu_and(cpu, cpu_online_mask, &watchdog_cpumask)
563		start_watchdog_on_cpu(cpu);
564}
565
566/*
567 * Invoked from core watchdog init.
568 */
569int __init watchdog_hardlockup_probe(void)
570{
571	int err;
572
573	err = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
574					"powerpc/watchdog:online",
575					start_watchdog_on_cpu,
576					stop_watchdog_on_cpu);
577	if (err < 0) {
578		pr_warn("could not be initialized");
579		return err;
580	}
581	return 0;
582}
583
584#ifdef CONFIG_PPC_PSERIES
585void watchdog_hardlockup_set_timeout_pct(u64 pct)
586{
587	pr_info("Set the NMI watchdog timeout factor to %llu%%\n", pct);
588	WRITE_ONCE(wd_timeout_pct, pct);
589	lockup_detector_reconfigure();
590}
591#endif
592