blob: bfc27496fe7e25dbf0ca4b92ebe7c46eab0a6ccd [file] [log] [blame]
// SPDX-License-Identifier: GPL-2.0
/*
* Watchdog support on powerpc systems.
*
* Copyright 2017, IBM Corporation.
*
* This uses code from arch/sparc/kernel/nmi.c and kernel/watchdog.c
*/
#define pr_fmt(fmt) "watchdog: " fmt
#include <linux/kernel.h>
#include <linux/param.h>
#include <linux/init.h>
#include <linux/percpu.h>
#include <linux/cpu.h>
#include <linux/nmi.h>
#include <linux/module.h>
#include <linux/export.h>
#include <linux/kprobes.h>
#include <linux/hardirq.h>
#include <linux/reboot.h>
#include <linux/slab.h>
#include <linux/kdebug.h>
#include <linux/sched/debug.h>
#include <linux/delay.h>
#include <linux/processor.h>
#include <linux/smp.h>
#include <asm/interrupt.h>
#include <asm/paca.h>
#include <asm/nmi.h>
/*
* The powerpc watchdog ensures that each CPU is able to service timers.
* The watchdog sets up a simple timer on each CPU to run once per timer
* period, and updates a per-cpu timestamp and a "pending" cpumask. This is
* the heartbeat.
*
* Then there are two systems to check that the heartbeat is still running.
* The local soft-NMI, and the SMP checker.
*
* The soft-NMI checker can detect lockups on the local CPU. When interrupts
* are disabled with local_irq_disable(), platforms that use soft-masking
* can leave hardware interrupts enabled and handle them with a masked
* interrupt handler. The masked handler can send the timer interrupt to the
* watchdog's soft_nmi_interrupt(), which appears to Linux as an NMI
* interrupt, and can be used to detect CPUs stuck with IRQs disabled.
*
* The soft-NMI checker will compare the heartbeat timestamp for this CPU
* with the current time, and take action if the difference exceeds the
* watchdog threshold.
*
* The limitation of the soft-NMI watchdog is that it does not work when
* interrupts are hard disabled or otherwise not being serviced. This is
* solved by also having a SMP watchdog where all CPUs check all other
* CPUs heartbeat.
*
* The SMP checker can detect lockups on other CPUs. A gobal "pending"
* cpumask is kept, containing all CPUs which enable the watchdog. Each
* CPU clears their pending bit in their heartbeat timer. When the bitmask
* becomes empty, the last CPU to clear its pending bit updates a global
* timestamp and refills the pending bitmask.
*
* In the heartbeat timer, if any CPU notices that the global timestamp has
* not been updated for a period exceeding the watchdog threshold, then it
* means the CPU(s) with their bit still set in the pending mask have had
* their heartbeat stop, and action is taken.
*
* Some platforms implement true NMI IPIs, which can be used by the SMP
* watchdog to detect an unresponsive CPU and pull it out of its stuck
* state with the NMI IPI, to get crash/debug data from it. This way the
* SMP watchdog can detect hardware interrupts off lockups.
*/
static cpumask_t wd_cpus_enabled __read_mostly;
static u64 wd_panic_timeout_tb __read_mostly; /* timebase ticks until panic */
static u64 wd_smp_panic_timeout_tb __read_mostly; /* panic other CPUs */
static u64 wd_timer_period_ms __read_mostly; /* interval between heartbeat */
static DEFINE_PER_CPU(struct hrtimer, wd_hrtimer);
static DEFINE_PER_CPU(u64, wd_timer_tb);
/* SMP checker bits */
static unsigned long __wd_smp_lock;
static unsigned long __wd_reporting;
static unsigned long __wd_nmi_output;
static cpumask_t wd_smp_cpus_pending;
static cpumask_t wd_smp_cpus_stuck;
static u64 wd_smp_last_reset_tb;
/*
* Try to take the exclusive watchdog action / NMI IPI / printing lock.
* wd_smp_lock must be held. If this fails, we should return and wait
* for the watchdog to kick in again (or another CPU to trigger it).
*
* Importantly, if hardlockup_panic is set, wd_try_report failure should
* not delay the panic, because whichever other CPU is reporting will
* call panic.
*/
static bool wd_try_report(void)
{
if (__wd_reporting)
return false;
__wd_reporting = 1;
return true;
}
/* End printing after successful wd_try_report. wd_smp_lock not required. */
static void wd_end_reporting(void)
{
smp_mb(); /* End printing "critical section" */
WARN_ON_ONCE(__wd_reporting == 0);
WRITE_ONCE(__wd_reporting, 0);
}
static inline void wd_smp_lock(unsigned long *flags)
{
/*
* Avoid locking layers if possible.
* This may be called from low level interrupt handlers at some
* point in future.
*/
raw_local_irq_save(*flags);
hard_irq_disable(); /* Make it soft-NMI safe */
while (unlikely(test_and_set_bit_lock(0, &__wd_smp_lock))) {
raw_local_irq_restore(*flags);
spin_until_cond(!test_bit(0, &__wd_smp_lock));
raw_local_irq_save(*flags);
hard_irq_disable();
}
}
static inline void wd_smp_unlock(unsigned long *flags)
{
clear_bit_unlock(0, &__wd_smp_lock);
raw_local_irq_restore(*flags);
}
static void wd_lockup_ipi(struct pt_regs *regs)
{
int cpu = raw_smp_processor_id();
u64 tb = get_tb();
pr_emerg("CPU %d Hard LOCKUP\n", cpu);
pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n",
cpu, tb, per_cpu(wd_timer_tb, cpu),
tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000);
print_modules();
print_irqtrace_events(current);
if (regs)
show_regs(regs);
else
dump_stack();
/*
* __wd_nmi_output must be set after we printk from NMI context.
*
* printk from NMI context defers printing to the console to irq_work.
* If that NMI was taken in some code that is hard-locked, then irqs
* are disabled so irq_work will never fire. That can result in the
* hard lockup messages being delayed (indefinitely, until something
* else kicks the console drivers).
*
* Setting __wd_nmi_output will cause another CPU to notice and kick
* the console drivers for us.
*
* xchg is not needed here (it could be a smp_mb and store), but xchg
* gives the memory ordering and atomicity required.
*/
xchg(&__wd_nmi_output, 1);
/* Do not panic from here because that can recurse into NMI IPI layer */
}
static bool set_cpu_stuck(int cpu)
{
cpumask_set_cpu(cpu, &wd_smp_cpus_stuck);
cpumask_clear_cpu(cpu, &wd_smp_cpus_pending);
/*
* See wd_smp_clear_cpu_pending()
*/
smp_mb();
if (cpumask_empty(&wd_smp_cpus_pending)) {
wd_smp_last_reset_tb = get_tb();
cpumask_andnot(&wd_smp_cpus_pending,
&wd_cpus_enabled,
&wd_smp_cpus_stuck);
return true;
}
return false;
}
static void watchdog_smp_panic(int cpu)
{
static cpumask_t wd_smp_cpus_ipi; // protected by reporting
unsigned long flags;
u64 tb, last_reset;
int c;
wd_smp_lock(&flags);
/* Double check some things under lock */
tb = get_tb();
last_reset = wd_smp_last_reset_tb;
if ((s64)(tb - last_reset) < (s64)wd_smp_panic_timeout_tb)
goto out;
if (cpumask_test_cpu(cpu, &wd_smp_cpus_pending))
goto out;
if (!wd_try_report())
goto out;
for_each_online_cpu(c) {
if (!cpumask_test_cpu(c, &wd_smp_cpus_pending))
continue;
if (c == cpu)
continue; // should not happen
__cpumask_set_cpu(c, &wd_smp_cpus_ipi);
if (set_cpu_stuck(c))
break;
}
if (cpumask_empty(&wd_smp_cpus_ipi)) {
wd_end_reporting();
goto out;
}
wd_smp_unlock(&flags);
pr_emerg("CPU %d detected hard LOCKUP on other CPUs %*pbl\n",
cpu, cpumask_pr_args(&wd_smp_cpus_ipi));
pr_emerg("CPU %d TB:%lld, last SMP heartbeat TB:%lld (%lldms ago)\n",
cpu, tb, last_reset, tb_to_ns(tb - last_reset) / 1000000);
if (!sysctl_hardlockup_all_cpu_backtrace) {
/*
* Try to trigger the stuck CPUs, unless we are going to
* get a backtrace on all of them anyway.
*/
for_each_cpu(c, &wd_smp_cpus_ipi) {
smp_send_nmi_ipi(c, wd_lockup_ipi, 1000000);
__cpumask_clear_cpu(c, &wd_smp_cpus_ipi);
}
} else {
trigger_allbutself_cpu_backtrace();
cpumask_clear(&wd_smp_cpus_ipi);
}
if (hardlockup_panic)
nmi_panic(NULL, "Hard LOCKUP");
wd_end_reporting();
return;
out:
wd_smp_unlock(&flags);
}
static void wd_smp_clear_cpu_pending(int cpu)
{
if (!cpumask_test_cpu(cpu, &wd_smp_cpus_pending)) {
if (unlikely(cpumask_test_cpu(cpu, &wd_smp_cpus_stuck))) {
struct pt_regs *regs = get_irq_regs();
unsigned long flags;
pr_emerg("CPU %d became unstuck TB:%lld\n",
cpu, get_tb());
print_irqtrace_events(current);
if (regs)
show_regs(regs);
else
dump_stack();
wd_smp_lock(&flags);
cpumask_clear_cpu(cpu, &wd_smp_cpus_stuck);
wd_smp_unlock(&flags);
} else {
/*
* The last CPU to clear pending should have reset the
* watchdog so we generally should not find it empty
* here if our CPU was clear. However it could happen
* due to a rare race with another CPU taking the
* last CPU out of the mask concurrently.
*
* We can't add a warning for it. But just in case
* there is a problem with the watchdog that is causing
* the mask to not be reset, try to kick it along here.
*/
if (unlikely(cpumask_empty(&wd_smp_cpus_pending)))
goto none_pending;
}
return;
}
/*
* All other updates to wd_smp_cpus_pending are performed under
* wd_smp_lock. All of them are atomic except the case where the
* mask becomes empty and is reset. This will not happen here because
* cpu was tested to be in the bitmap (above), and a CPU only clears
* its own bit. _Except_ in the case where another CPU has detected a
* hard lockup on our CPU and takes us out of the pending mask. So in
* normal operation there will be no race here, no problem.
*
* In the lockup case, this atomic clear-bit vs a store that refills
* other bits in the accessed word wll not be a problem. The bit clear
* is atomic so it will not cause the store to get lost, and the store
* will never set this bit so it will not overwrite the bit clear. The
* only way for a stuck CPU to return to the pending bitmap is to
* become unstuck itself.
*/
cpumask_clear_cpu(cpu, &wd_smp_cpus_pending);
/*
* Order the store to clear pending with the load(s) to check all
* words in the pending mask to check they are all empty. This orders
* with the same barrier on another CPU. This prevents two CPUs
* clearing the last 2 pending bits, but neither seeing the other's
* store when checking if the mask is empty, and missing an empty
* mask, which ends with a false positive.
*/
smp_mb();
if (cpumask_empty(&wd_smp_cpus_pending)) {
unsigned long flags;
none_pending:
/*
* Double check under lock because more than one CPU could see
* a clear mask with the lockless check after clearing their
* pending bits.
*/
wd_smp_lock(&flags);
if (cpumask_empty(&wd_smp_cpus_pending)) {
wd_smp_last_reset_tb = get_tb();
cpumask_andnot(&wd_smp_cpus_pending,
&wd_cpus_enabled,
&wd_smp_cpus_stuck);
}
wd_smp_unlock(&flags);
}
}
static void watchdog_timer_interrupt(int cpu)
{
u64 tb = get_tb();
per_cpu(wd_timer_tb, cpu) = tb;
wd_smp_clear_cpu_pending(cpu);
if ((s64)(tb - wd_smp_last_reset_tb) >= (s64)wd_smp_panic_timeout_tb)
watchdog_smp_panic(cpu);
if (__wd_nmi_output && xchg(&__wd_nmi_output, 0)) {
/*
* Something has called printk from NMI context. It might be
* stuck, so this this triggers a flush that will get that
* printk output to the console.
*
* See wd_lockup_ipi.
*/
printk_trigger_flush();
}
}
DEFINE_INTERRUPT_HANDLER_NMI(soft_nmi_interrupt)
{
unsigned long flags;
int cpu = raw_smp_processor_id();
u64 tb;
/* should only arrive from kernel, with irqs disabled */
WARN_ON_ONCE(!arch_irq_disabled_regs(regs));
if (!cpumask_test_cpu(cpu, &wd_cpus_enabled))
return 0;
__this_cpu_inc(irq_stat.soft_nmi_irqs);
tb = get_tb();
if (tb - per_cpu(wd_timer_tb, cpu) >= wd_panic_timeout_tb) {
/*
* Taking wd_smp_lock here means it is a soft-NMI lock, which
* means we can't take any regular or irqsafe spin locks while
* holding this lock. This is why timers can't printk while
* holding the lock.
*/
wd_smp_lock(&flags);
if (cpumask_test_cpu(cpu, &wd_smp_cpus_stuck)) {
wd_smp_unlock(&flags);
return 0;
}
if (!wd_try_report()) {
wd_smp_unlock(&flags);
/* Couldn't report, try again in 100ms */
mtspr(SPRN_DEC, 100 * tb_ticks_per_usec * 1000);
return 0;
}
set_cpu_stuck(cpu);
wd_smp_unlock(&flags);
pr_emerg("CPU %d self-detected hard LOCKUP @ %pS\n",
cpu, (void *)regs->nip);
pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n",
cpu, tb, per_cpu(wd_timer_tb, cpu),
tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000);
print_modules();
print_irqtrace_events(current);
show_regs(regs);
xchg(&__wd_nmi_output, 1); // see wd_lockup_ipi
if (sysctl_hardlockup_all_cpu_backtrace)
trigger_allbutself_cpu_backtrace();
if (hardlockup_panic)
nmi_panic(regs, "Hard LOCKUP");
wd_end_reporting();
}
/*
* We are okay to change DEC in soft_nmi_interrupt because the masked
* handler has marked a DEC as pending, so the timer interrupt will be
* replayed as soon as local irqs are enabled again.
*/
if (wd_panic_timeout_tb < 0x7fffffff)
mtspr(SPRN_DEC, wd_panic_timeout_tb);
return 0;
}
static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer)
{
int cpu = smp_processor_id();
if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED))
return HRTIMER_NORESTART;
if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
return HRTIMER_NORESTART;
watchdog_timer_interrupt(cpu);
hrtimer_forward_now(hrtimer, ms_to_ktime(wd_timer_period_ms));
return HRTIMER_RESTART;
}
void arch_touch_nmi_watchdog(void)
{
unsigned long ticks = tb_ticks_per_usec * wd_timer_period_ms * 1000;
int cpu = smp_processor_id();
u64 tb;
if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
return;
tb = get_tb();
if (tb - per_cpu(wd_timer_tb, cpu) >= ticks) {
per_cpu(wd_timer_tb, cpu) = tb;
wd_smp_clear_cpu_pending(cpu);
}
}
EXPORT_SYMBOL(arch_touch_nmi_watchdog);
static void start_watchdog(void *arg)
{
struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
int cpu = smp_processor_id();
unsigned long flags;
if (cpumask_test_cpu(cpu, &wd_cpus_enabled)) {
WARN_ON(1);
return;
}
if (!(watchdog_enabled & NMI_WATCHDOG_ENABLED))
return;
if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
return;
wd_smp_lock(&flags);
cpumask_set_cpu(cpu, &wd_cpus_enabled);
if (cpumask_weight(&wd_cpus_enabled) == 1) {
cpumask_set_cpu(cpu, &wd_smp_cpus_pending);
wd_smp_last_reset_tb = get_tb();
}
wd_smp_unlock(&flags);
*this_cpu_ptr(&wd_timer_tb) = get_tb();
hrtimer_init(hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
hrtimer->function = watchdog_timer_fn;
hrtimer_start(hrtimer, ms_to_ktime(wd_timer_period_ms),
HRTIMER_MODE_REL_PINNED);
}
static int start_watchdog_on_cpu(unsigned int cpu)
{
return smp_call_function_single(cpu, start_watchdog, NULL, true);
}
static void stop_watchdog(void *arg)
{
struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
int cpu = smp_processor_id();
unsigned long flags;
if (!cpumask_test_cpu(cpu, &wd_cpus_enabled))
return; /* Can happen in CPU unplug case */
hrtimer_cancel(hrtimer);
wd_smp_lock(&flags);
cpumask_clear_cpu(cpu, &wd_cpus_enabled);
wd_smp_unlock(&flags);
wd_smp_clear_cpu_pending(cpu);
}
static int stop_watchdog_on_cpu(unsigned int cpu)
{
return smp_call_function_single(cpu, stop_watchdog, NULL, true);
}
static void watchdog_calc_timeouts(void)
{
wd_panic_timeout_tb = watchdog_thresh * ppc_tb_freq;
/* Have the SMP detector trigger a bit later */
wd_smp_panic_timeout_tb = wd_panic_timeout_tb * 3 / 2;
/* 2/5 is the factor that the perf based detector uses */
wd_timer_period_ms = watchdog_thresh * 1000 * 2 / 5;
}
void watchdog_nmi_stop(void)
{
int cpu;
for_each_cpu(cpu, &wd_cpus_enabled)
stop_watchdog_on_cpu(cpu);
}
void watchdog_nmi_start(void)
{
int cpu;
watchdog_calc_timeouts();
for_each_cpu_and(cpu, cpu_online_mask, &watchdog_cpumask)
start_watchdog_on_cpu(cpu);
}
/*
* Invoked from core watchdog init.
*/
int __init watchdog_nmi_probe(void)
{
int err;
err = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
"powerpc/watchdog:online",
start_watchdog_on_cpu,
stop_watchdog_on_cpu);
if (err < 0) {
pr_warn("could not be initialized");
return err;
}
return 0;
}