// SPDX-License-Identifier: GPL-2.0

#define pr_fmt(fmt) "x86/split lock detection: " fmt

#include <linux/semaphore.h>
#include <linux/workqueue.h>
#include <linux/delay.h>
#include <linux/cpuhotplug.h>
#include <asm/cpu_device_id.h>
#include <asm/cmdline.h>
#include <asm/traps.h>
#include <asm/cpu.h>

enum split_lock_detect_state {
	sld_off = 0,
	sld_warn,
	sld_fatal,
	sld_ratelimit,
};

/*
 * Default to sld_off because most systems do not support split lock detection.
 * sld_state_setup() will switch this to sld_warn on systems that support
 * split lock/bus lock detect, unless there is a command line override.
 */
static enum split_lock_detect_state sld_state __ro_after_init = sld_off;
static u64 msr_test_ctrl_cache __ro_after_init;

/*
 * With a name like MSR_TEST_CTL it should go without saying, but don't touch
 * MSR_TEST_CTL unless the CPU is one of the whitelisted models. Writing it
 * on CPUs that do not support SLD can cause fireworks, even when writing '0'.
 */
static bool cpu_model_supports_sld __ro_after_init;

static const struct {
	const char			*option;
	enum split_lock_detect_state	state;
} sld_options[] __initconst = {
	{ "off",	sld_off   },
	{ "warn",	sld_warn  },
	{ "fatal",	sld_fatal },
	{ "ratelimit:",	sld_ratelimit },
};

static struct ratelimit_state bld_ratelimit;

static unsigned int sysctl_sld_mitigate = 1;
static DEFINE_SEMAPHORE(buslock_sem, 1);

#ifdef CONFIG_PROC_SYSCTL
static const struct ctl_table sld_sysctls[] = {
	{
		.procname	= "split_lock_mitigate",
		.data		= &sysctl_sld_mitigate,
		.maxlen		= sizeof(unsigned int),
		.mode		= 0644,
		.proc_handler	= proc_douintvec_minmax,
		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_ONE,
	},
};

static int __init sld_mitigate_sysctl_init(void)
{
	register_sysctl_init("kernel", sld_sysctls);
	return 0;
}

late_initcall(sld_mitigate_sysctl_init);
#endif

static inline bool match_option(const char *arg, int arglen, const char *opt)
{
	int len = strlen(opt), ratelimit;

	if (strncmp(arg, opt, len))
		return false;

	/*
	 * Min ratelimit is 1 bus lock/sec.
	 * Max ratelimit is 1000 bus locks/sec.
	 */
	if (sscanf(arg, "ratelimit:%d", &ratelimit) == 1 &&
	    ratelimit > 0 && ratelimit <= 1000) {
		ratelimit_state_init(&bld_ratelimit, HZ, ratelimit);
		ratelimit_set_flags(&bld_ratelimit, RATELIMIT_MSG_ON_RELEASE);
		return true;
	}

	return len == arglen;
}

static bool split_lock_verify_msr(bool on)
{
	u64 ctrl, tmp;

	if (rdmsrl_safe(MSR_TEST_CTRL, &ctrl))
		return false;
	if (on)
		ctrl |= MSR_TEST_CTRL_SPLIT_LOCK_DETECT;
	else
		ctrl &= ~MSR_TEST_CTRL_SPLIT_LOCK_DETECT;
	if (wrmsrl_safe(MSR_TEST_CTRL, ctrl))
		return false;
	rdmsrl(MSR_TEST_CTRL, tmp);
	return ctrl == tmp;
}

static void __init sld_state_setup(void)
{
	enum split_lock_detect_state state = sld_warn;
	char arg[20];
	int i, ret;

	if (!boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) &&
	    !boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
		return;

	ret = cmdline_find_option(boot_command_line, "split_lock_detect",
				  arg, sizeof(arg));
	if (ret >= 0) {
		for (i = 0; i < ARRAY_SIZE(sld_options); i++) {
			if (match_option(arg, ret, sld_options[i].option)) {
				state = sld_options[i].state;
				break;
			}
		}
	}
	sld_state = state;
}

static void __init __split_lock_setup(void)
{
	if (!split_lock_verify_msr(false)) {
		pr_info("MSR access failed: Disabled\n");
		return;
	}

	rdmsrl(MSR_TEST_CTRL, msr_test_ctrl_cache);

	if (!split_lock_verify_msr(true)) {
		pr_info("MSR access failed: Disabled\n");
		return;
	}

	/* Restore the MSR to its cached value. */
	wrmsrl(MSR_TEST_CTRL, msr_test_ctrl_cache);

	setup_force_cpu_cap(X86_FEATURE_SPLIT_LOCK_DETECT);
}

/*
 * MSR_TEST_CTRL is per core, but we treat it like a per CPU MSR. Locking
 * is not implemented as one thread could undo the setting of the other
 * thread immediately after dropping the lock anyway.
 */
static void sld_update_msr(bool on)
{
	u64 test_ctrl_val = msr_test_ctrl_cache;

	if (on)
		test_ctrl_val |= MSR_TEST_CTRL_SPLIT_LOCK_DETECT;

	wrmsrl(MSR_TEST_CTRL, test_ctrl_val);
}

void split_lock_init(void)
{
	/*
	 * #DB for bus lock handles ratelimit and #AC for split lock is
	 * disabled.
	 */
	if (sld_state == sld_ratelimit) {
		split_lock_verify_msr(false);
		return;
	}

	if (cpu_model_supports_sld)
		split_lock_verify_msr(sld_state != sld_off);
}

static void __split_lock_reenable_unlock(struct work_struct *work)
{
	sld_update_msr(true);
	up(&buslock_sem);
}

static DECLARE_DELAYED_WORK(sl_reenable_unlock, __split_lock_reenable_unlock);

static void __split_lock_reenable(struct work_struct *work)
{
	sld_update_msr(true);
}
/*
 * In order for each CPU to schedule its delayed work independently of the
 * others, delayed work struct must be per-CPU. This is not required when
 * sysctl_sld_mitigate is enabled because of the semaphore that limits
 * the number of simultaneously scheduled delayed works to 1.
 */
static DEFINE_PER_CPU(struct delayed_work, sl_reenable);

/*
 * Per-CPU delayed_work can't be statically initialized properly because
 * the struct address is unknown. Thus per-CPU delayed_work structures
 * have to be initialized during kernel initialization and after calling
 * setup_per_cpu_areas().
 */
static int __init setup_split_lock_delayed_work(void)
{
	unsigned int cpu;

	for_each_possible_cpu(cpu) {
		struct delayed_work *work = per_cpu_ptr(&sl_reenable, cpu);

		INIT_DELAYED_WORK(work, __split_lock_reenable);
	}

	return 0;
}
pure_initcall(setup_split_lock_delayed_work);

/*
 * If a CPU goes offline with pending delayed work to re-enable split lock
 * detection then the delayed work will be executed on some other CPU. That
 * handles releasing the buslock_sem, but because it executes on a
 * different CPU probably won't re-enable split lock detection. This is a
 * problem on HT systems since the sibling CPU on the same core may then be
 * left running with split lock detection disabled.
 *
 * Unconditionally re-enable detection here.
 */
static int splitlock_cpu_offline(unsigned int cpu)
{
	sld_update_msr(true);

	return 0;
}

static void split_lock_warn(unsigned long ip)
{
	struct delayed_work *work;
	int cpu;
	unsigned int saved_sld_mitigate = READ_ONCE(sysctl_sld_mitigate);

	if (!current->reported_split_lock)
		pr_warn_ratelimited("#AC: %s/%d took a split_lock trap at address: 0x%lx\n",
				    current->comm, current->pid, ip);
	current->reported_split_lock = 1;

	if (saved_sld_mitigate) {
		/*
		 * Misery factor #1:
		 * sleep 10ms before trying to execute split lock.
		 */
		if (msleep_interruptible(10) > 0)
			return;
		/*
		 * Misery factor #2:
		 * only allow one buslocked disabled core at a time.
		 */
		if (down_interruptible(&buslock_sem) == -EINTR)
			return;
	}

	cpu = get_cpu();
	work = saved_sld_mitigate ? &sl_reenable_unlock : per_cpu_ptr(&sl_reenable, cpu);
	schedule_delayed_work_on(cpu, work, 2);

	/* Disable split lock detection on this CPU to make progress */
	sld_update_msr(false);
	put_cpu();
}

bool handle_guest_split_lock(unsigned long ip)
{
	if (sld_state == sld_warn) {
		split_lock_warn(ip);
		return true;
	}

	pr_warn_once("#AC: %s/%d %s split_lock trap at address: 0x%lx\n",
		     current->comm, current->pid,
		     sld_state == sld_fatal ? "fatal" : "bogus", ip);

	current->thread.error_code = 0;
	current->thread.trap_nr = X86_TRAP_AC;
	force_sig_fault(SIGBUS, BUS_ADRALN, NULL);
	return false;
}
EXPORT_SYMBOL_GPL(handle_guest_split_lock);

void bus_lock_init(void)
{
	u64 val;

	if (!boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
		return;

	rdmsrl(MSR_IA32_DEBUGCTLMSR, val);

	if ((boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) &&
	    (sld_state == sld_warn || sld_state == sld_fatal)) ||
	    sld_state == sld_off) {
		/*
		 * Warn and fatal are handled by #AC for split lock if #AC for
		 * split lock is supported.
		 */
		val &= ~DEBUGCTLMSR_BUS_LOCK_DETECT;
	} else {
		val |= DEBUGCTLMSR_BUS_LOCK_DETECT;
	}

	wrmsrl(MSR_IA32_DEBUGCTLMSR, val);
}

bool handle_user_split_lock(struct pt_regs *regs, long error_code)
{
	if ((regs->flags & X86_EFLAGS_AC) || sld_state == sld_fatal)
		return false;
	split_lock_warn(regs->ip);
	return true;
}

void handle_bus_lock(struct pt_regs *regs)
{
	switch (sld_state) {
	case sld_off:
		break;
	case sld_ratelimit:
		/* Enforce no more than bld_ratelimit bus locks/sec. */
		while (!__ratelimit(&bld_ratelimit))
			msleep(20);
		/* Warn on the bus lock.
		 */
		fallthrough;
	case sld_warn:
		pr_warn_ratelimited("#DB: %s/%d took a bus_lock trap at address: 0x%lx\n",
				    current->comm, current->pid, regs->ip);
		break;
	case sld_fatal:
		force_sig_fault(SIGBUS, BUS_ADRALN, NULL);
		break;
	}
}

/*
 * CPU models that are known to have the per-core split-lock detection
 * feature even though they do not enumerate IA32_CORE_CAPABILITIES.
 */
static const struct x86_cpu_id split_lock_cpu_ids[] __initconst = {
	X86_MATCH_VFM(INTEL_ICELAKE_X,	0),
	X86_MATCH_VFM(INTEL_ICELAKE_L,	0),
	X86_MATCH_VFM(INTEL_ICELAKE_D,	0),
	{}
};

static void __init split_lock_setup(struct cpuinfo_x86 *c)
{
	const struct x86_cpu_id *m;
	u64 ia32_core_caps;

	if (boot_cpu_has(X86_FEATURE_HYPERVISOR))
		return;

	/* Check for CPUs that have support but do not enumerate it: */
	m = x86_match_cpu(split_lock_cpu_ids);
	if (m)
		goto supported;

	if (!cpu_has(c, X86_FEATURE_CORE_CAPABILITIES))
		return;

	/*
	 * Not all bits in MSR_IA32_CORE_CAPS are architectural, but
	 * MSR_IA32_CORE_CAPS_SPLIT_LOCK_DETECT is. All CPUs that set
	 * it have split lock detection.
	 */
	rdmsrl(MSR_IA32_CORE_CAPS, ia32_core_caps);
	if (ia32_core_caps & MSR_IA32_CORE_CAPS_SPLIT_LOCK_DETECT)
		goto supported;

	/* CPU is not in the model list and does not have the MSR bit: */
	return;

supported:
	cpu_model_supports_sld = true;
	__split_lock_setup();
}

static void sld_state_show(void)
{
	if (!boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT) &&
	    !boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT))
		return;

	switch (sld_state) {
	case sld_off:
		pr_info("disabled\n");
		break;
	case sld_warn:
		if (boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT)) {
			pr_info("#AC: crashing the kernel on kernel split_locks and warning on user-space split_locks\n");
			if (cpuhp_setup_state(CPUHP_AP_ONLINE_DYN,
					      "x86/splitlock", NULL,
					      splitlock_cpu_offline) < 0)
				pr_warn("No splitlock CPU offline handler\n");
		} else if (boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT)) {
			pr_info("#DB: warning on user-space bus_locks\n");
		}
		break;
	case sld_fatal:
		if (boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT)) {
			pr_info("#AC: crashing the kernel on kernel split_locks and sending SIGBUS on user-space split_locks\n");
		} else if (boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT)) {
			pr_info("#DB: sending SIGBUS on user-space bus_locks%s\n",
				boot_cpu_has(X86_FEATURE_SPLIT_LOCK_DETECT) ?
				" from non-WB" : "");
		}
		break;
	case sld_ratelimit:
		if (boot_cpu_has(X86_FEATURE_BUS_LOCK_DETECT))
			pr_info("#DB: setting system wide bus lock rate limit to %u/sec\n", bld_ratelimit.burst);
		break;
	}
}

void __init sld_setup(struct cpuinfo_x86 *c)
{
	split_lock_setup(c);
	sld_state_setup();
	sld_state_show();
}
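/*
 * Illustrative userspace sketch (not part of this kernel file): one way to
 * exercise the #AC split-lock path above on hardware with split lock
 * detection and the kernel booted with split_lock_detect=warn. It assumes
 * an x86-64 CPU with 64-byte cache lines and GCC/Clang __atomic builtins;
 * the deliberately misaligned atomic is what turns the LOCK-prefixed add
 * into a split lock.
 *
 *	#include <stdio.h>
 *	#include <stdlib.h>
 *
 *	int main(void)
 *	{
 *		// 128 bytes aligned to a cache line; offset 62 makes the
 *		// 4-byte operand straddle the 64-byte line boundary.
 *		char *buf = aligned_alloc(64, 128);
 *		int *split;
 *
 *		if (!buf)
 *			return 1;
 *
 *		split = (int *)(buf + 62);
 *		*split = 0;
 *
 *		// Compiles to a LOCK XADD on a line-crossing address, so the
 *		// CPU raises #AC and the kernel logs the split_lock warning.
 *		__atomic_fetch_add(split, 1, __ATOMIC_SEQ_CST);
 *
 *		printf("value after locked add: %d\n", *split);
 *		free(buf);
 *		return 0;
 *	}
 *
 * With sld_warn the offending task is also slowed down (the "misery" path
 * in split_lock_warn()) and split lock detection on that CPU is briefly
 * disabled so the instruction can complete; split_lock_detect=fatal would
 * instead deliver SIGBUS.
 */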