1 // SPDX-License-Identifier: GPL-2.0
3 * Watchdog support on powerpc systems.
5 * Copyright 2017, IBM Corporation.
7 * This uses code from arch/sparc/kernel/nmi.c and kernel/watchdog.c
10 #define pr_fmt(fmt) "watchdog: " fmt
12 #include <linux/kernel.h>
13 #include <linux/param.h>
14 #include <linux/init.h>
15 #include <linux/percpu.h>
16 #include <linux/cpu.h>
17 #include <linux/nmi.h>
18 #include <linux/module.h>
19 #include <linux/export.h>
20 #include <linux/kprobes.h>
21 #include <linux/hardirq.h>
22 #include <linux/reboot.h>
23 #include <linux/slab.h>
24 #include <linux/kdebug.h>
25 #include <linux/sched/debug.h>
26 #include <linux/delay.h>
27 #include <linux/processor.h>
28 #include <linux/smp.h>
30 #include <asm/interrupt.h>
35 * The powerpc watchdog ensures that each CPU is able to service timers.
36 * The watchdog sets up a simple timer on each CPU to run once per timer
37 * period, and updates a per-cpu timestamp and a "pending" cpumask. This is
40 * Then there are two systems to check that the heartbeat is still running.
41 * The local soft-NMI, and the SMP checker.
43 * The soft-NMI checker can detect lockups on the local CPU. When interrupts
44 * are disabled with local_irq_disable(), platforms that use soft-masking
45 * can leave hardware interrupts enabled and handle them with a masked
46 * interrupt handler. The masked handler can send the timer interrupt to the
47 * watchdog's soft_nmi_interrupt(), which appears to Linux as an NMI
48 * interrupt, and can be used to detect CPUs stuck with IRQs disabled.
50 * The soft-NMI checker will compare the heartbeat timestamp for this CPU
51 * with the current time, and take action if the difference exceeds the
54 * The limitation of the soft-NMI watchdog is that it does not work when
55 * interrupts are hard disabled or otherwise not being serviced. This is
56 * solved by also having a SMP watchdog where all CPUs check all other
59 * The SMP checker can detect lockups on other CPUs. A global "pending"
60 * cpumask is kept, containing all CPUs which enable the watchdog. Each
61 * CPU clears their pending bit in their heartbeat timer. When the bitmask
62 * becomes empty, the last CPU to clear its pending bit updates a global
63 * timestamp and refills the pending bitmask.
65 * In the heartbeat timer, if any CPU notices that the global timestamp has
66 * not been updated for a period exceeding the watchdog threshold, then it
67 * means the CPU(s) with their bit still set in the pending mask have had
68 * their heartbeat stop, and action is taken.
70 * Some platforms implement true NMI IPIs, which can be used by the SMP
71 * watchdog to detect an unresponsive CPU and pull it out of its stuck
72 * state with the NMI IPI, to get crash/debug data from it. This way the
73 * SMP watchdog can detect hardware interrupts off lockups.
76 static cpumask_t wd_cpus_enabled __read_mostly;
78 static u64 wd_panic_timeout_tb __read_mostly; /* timebase ticks until panic */
79 static u64 wd_smp_panic_timeout_tb __read_mostly; /* panic other CPUs */
81 static u64 wd_timer_period_ms __read_mostly; /* interval between heartbeat */
83 static DEFINE_PER_CPU(struct hrtimer, wd_hrtimer);
84 static DEFINE_PER_CPU(u64, wd_timer_tb);
86 /* SMP checker bits */
87 static unsigned long __wd_smp_lock;
88 static unsigned long __wd_reporting;
89 static unsigned long __wd_nmi_output;
90 static cpumask_t wd_smp_cpus_pending;
91 static cpumask_t wd_smp_cpus_stuck;
92 static u64 wd_smp_last_reset_tb;
94 #ifdef CONFIG_PPC_PSERIES
95 static u64 wd_timeout_pct;
99 * Try to take the exclusive watchdog action / NMI IPI / printing lock.
100 * wd_smp_lock must be held. If this fails, we should return and wait
101 * for the watchdog to kick in again (or another CPU to trigger it).
103 * Importantly, if hardlockup_panic is set, wd_try_report failure should
104 * not delay the panic, because whichever other CPU is reporting will
107 static bool wd_try_report(void)
115 /* End printing after successful wd_try_report. wd_smp_lock not required. */
116 static void wd_end_reporting(void)
118 smp_mb(); /* End printing "critical section" */
119 WARN_ON_ONCE(__wd_reporting == 0);
120 WRITE_ONCE(__wd_reporting, 0);
123 static inline void wd_smp_lock(unsigned long *flags)
126 * Avoid locking layers if possible.
127 * This may be called from low level interrupt handlers at some
130 raw_local_irq_save(*flags);
131 hard_irq_disable(); /* Make it soft-NMI safe */
132 while (unlikely(test_and_set_bit_lock(0, &__wd_smp_lock))) {
133 raw_local_irq_restore(*flags);
134 spin_until_cond(!test_bit(0, &__wd_smp_lock));
135 raw_local_irq_save(*flags);
140 static inline void wd_smp_unlock(unsigned long *flags)
142 clear_bit_unlock(0, &__wd_smp_lock);
143 raw_local_irq_restore(*flags);
146 static void wd_lockup_ipi(struct pt_regs *regs)
148 int cpu = raw_smp_processor_id();
151 pr_emerg("CPU %d Hard LOCKUP\n", cpu);
152 pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n",
153 cpu, tb, per_cpu(wd_timer_tb, cpu),
154 tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000);
156 print_irqtrace_events(current);
163 * __wd_nmi_output must be set after we printk from NMI context.
165 * printk from NMI context defers printing to the console to irq_work.
166 * If that NMI was taken in some code that is hard-locked, then irqs
167 * are disabled so irq_work will never fire. That can result in the
168 * hard lockup messages being delayed (indefinitely, until something
169 * else kicks the console drivers).
171 * Setting __wd_nmi_output will cause another CPU to notice and kick
172 * the console drivers for us.
174 * xchg is not needed here (it could be a smp_mb and store), but xchg
175 * gives the memory ordering and atomicity required.
177 xchg(&__wd_nmi_output, 1);
179 /* Do not panic from here because that can recurse into NMI IPI layer */
182 static bool set_cpu_stuck(int cpu)
184 cpumask_set_cpu(cpu, &wd_smp_cpus_stuck);
185 cpumask_clear_cpu(cpu, &wd_smp_cpus_pending);
187 * See wd_smp_clear_cpu_pending()
190 if (cpumask_empty(&wd_smp_cpus_pending)) {
191 wd_smp_last_reset_tb = get_tb();
192 cpumask_andnot(&wd_smp_cpus_pending,
200 static void watchdog_smp_panic(int cpu)
202 static cpumask_t wd_smp_cpus_ipi; // protected by reporting
208 /* Double check some things under lock */
210 last_reset = wd_smp_last_reset_tb;
211 if ((s64)(tb - last_reset) < (s64)wd_smp_panic_timeout_tb)
213 if (cpumask_test_cpu(cpu, &wd_smp_cpus_pending))
215 if (!wd_try_report())
217 for_each_online_cpu(c) {
218 if (!cpumask_test_cpu(c, &wd_smp_cpus_pending))
221 continue; // should not happen
223 __cpumask_set_cpu(c, &wd_smp_cpus_ipi);
224 if (set_cpu_stuck(c))
227 if (cpumask_empty(&wd_smp_cpus_ipi)) {
231 wd_smp_unlock(&flags);
233 pr_emerg("CPU %d detected hard LOCKUP on other CPUs %*pbl\n",
234 cpu, cpumask_pr_args(&wd_smp_cpus_ipi));
235 pr_emerg("CPU %d TB:%lld, last SMP heartbeat TB:%lld (%lldms ago)\n",
236 cpu, tb, last_reset, tb_to_ns(tb - last_reset) / 1000000);
238 if (!sysctl_hardlockup_all_cpu_backtrace) {
240 * Try to trigger the stuck CPUs, unless we are going to
241 * get a backtrace on all of them anyway.
243 for_each_cpu(c, &wd_smp_cpus_ipi) {
244 smp_send_nmi_ipi(c, wd_lockup_ipi, 1000000);
245 __cpumask_clear_cpu(c, &wd_smp_cpus_ipi);
248 trigger_allbutcpu_cpu_backtrace(cpu);
249 cpumask_clear(&wd_smp_cpus_ipi);
252 if (hardlockup_panic)
253 nmi_panic(NULL, "Hard LOCKUP");
260 wd_smp_unlock(&flags);
263 static void wd_smp_clear_cpu_pending(int cpu)
265 if (!cpumask_test_cpu(cpu, &wd_smp_cpus_pending)) {
266 if (unlikely(cpumask_test_cpu(cpu, &wd_smp_cpus_stuck))) {
267 struct pt_regs *regs = get_irq_regs();
270 pr_emerg("CPU %d became unstuck TB:%lld\n",
272 print_irqtrace_events(current);
279 cpumask_clear_cpu(cpu, &wd_smp_cpus_stuck);
280 wd_smp_unlock(&flags);
283 * The last CPU to clear pending should have reset the
284 * watchdog so we generally should not find it empty
285 * here if our CPU was clear. However it could happen
286 * due to a rare race with another CPU taking the
287 * last CPU out of the mask concurrently.
289 * We can't add a warning for it. But just in case
290 * there is a problem with the watchdog that is causing
291 * the mask to not be reset, try to kick it along here.
293 if (unlikely(cpumask_empty(&wd_smp_cpus_pending)))
300 * All other updates to wd_smp_cpus_pending are performed under
301 * wd_smp_lock. All of them are atomic except the case where the
302 * mask becomes empty and is reset. This will not happen here because
303 * cpu was tested to be in the bitmap (above), and a CPU only clears
304 * its own bit. _Except_ in the case where another CPU has detected a
305 * hard lockup on our CPU and takes us out of the pending mask. So in
306 * normal operation there will be no race here, no problem.
308 * In the lockup case, this atomic clear-bit vs a store that refills
309 * other bits in the accessed word wll not be a problem. The bit clear
310 * is atomic so it will not cause the store to get lost, and the store
311 * will never set this bit so it will not overwrite the bit clear. The
312 * only way for a stuck CPU to return to the pending bitmap is to
313 * become unstuck itself.
315 cpumask_clear_cpu(cpu, &wd_smp_cpus_pending);
318 * Order the store to clear pending with the load(s) to check all
319 * words in the pending mask to check they are all empty. This orders
320 * with the same barrier on another CPU. This prevents two CPUs
321 * clearing the last 2 pending bits, but neither seeing the other's
322 * store when checking if the mask is empty, and missing an empty
323 * mask, which ends with a false positive.
326 if (cpumask_empty(&wd_smp_cpus_pending)) {
331 * Double check under lock because more than one CPU could see
332 * a clear mask with the lockless check after clearing their
336 if (cpumask_empty(&wd_smp_cpus_pending)) {
337 wd_smp_last_reset_tb = get_tb();
338 cpumask_andnot(&wd_smp_cpus_pending,
342 wd_smp_unlock(&flags);
346 static void watchdog_timer_interrupt(int cpu)
350 per_cpu(wd_timer_tb, cpu) = tb;
352 wd_smp_clear_cpu_pending(cpu);
354 if ((s64)(tb - wd_smp_last_reset_tb) >= (s64)wd_smp_panic_timeout_tb)
355 watchdog_smp_panic(cpu);
357 if (__wd_nmi_output && xchg(&__wd_nmi_output, 0)) {
359 * Something has called printk from NMI context. It might be
360 * stuck, so this triggers a flush that will get that
361 * printk output to the console.
365 printk_trigger_flush();
369 DEFINE_INTERRUPT_HANDLER_NMI(soft_nmi_interrupt)
372 int cpu = raw_smp_processor_id();
375 /* should only arrive from kernel, with irqs disabled */
376 WARN_ON_ONCE(!arch_irq_disabled_regs(regs));
378 if (!cpumask_test_cpu(cpu, &wd_cpus_enabled))
381 __this_cpu_inc(irq_stat.soft_nmi_irqs);
384 if (tb - per_cpu(wd_timer_tb, cpu) >= wd_panic_timeout_tb) {
386 * Taking wd_smp_lock here means it is a soft-NMI lock, which
387 * means we can't take any regular or irqsafe spin locks while
388 * holding this lock. This is why timers can't printk while
392 if (cpumask_test_cpu(cpu, &wd_smp_cpus_stuck)) {
393 wd_smp_unlock(&flags);
396 if (!wd_try_report()) {
397 wd_smp_unlock(&flags);
398 /* Couldn't report, try again in 100ms */
399 mtspr(SPRN_DEC, 100 * tb_ticks_per_usec * 1000);
405 wd_smp_unlock(&flags);
407 pr_emerg("CPU %d self-detected hard LOCKUP @ %pS\n",
408 cpu, (void *)regs->nip);
409 pr_emerg("CPU %d TB:%lld, last heartbeat TB:%lld (%lldms ago)\n",
410 cpu, tb, per_cpu(wd_timer_tb, cpu),
411 tb_to_ns(tb - per_cpu(wd_timer_tb, cpu)) / 1000000);
413 print_irqtrace_events(current);
416 xchg(&__wd_nmi_output, 1); // see wd_lockup_ipi
418 if (sysctl_hardlockup_all_cpu_backtrace)
419 trigger_allbutcpu_cpu_backtrace(cpu);
421 if (hardlockup_panic)
422 nmi_panic(regs, "Hard LOCKUP");
427 * We are okay to change DEC in soft_nmi_interrupt because the masked
428 * handler has marked a DEC as pending, so the timer interrupt will be
429 * replayed as soon as local irqs are enabled again.
431 if (wd_panic_timeout_tb < 0x7fffffff)
432 mtspr(SPRN_DEC, wd_panic_timeout_tb);
437 static enum hrtimer_restart watchdog_timer_fn(struct hrtimer *hrtimer)
439 int cpu = smp_processor_id();
441 if (!(watchdog_enabled & WATCHDOG_HARDLOCKUP_ENABLED))
442 return HRTIMER_NORESTART;
444 if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
445 return HRTIMER_NORESTART;
447 watchdog_timer_interrupt(cpu);
449 hrtimer_forward_now(hrtimer, ms_to_ktime(wd_timer_period_ms));
451 return HRTIMER_RESTART;
454 void arch_touch_nmi_watchdog(void)
456 unsigned long ticks = tb_ticks_per_usec * wd_timer_period_ms * 1000;
457 int cpu = smp_processor_id();
460 if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
464 if (tb - per_cpu(wd_timer_tb, cpu) >= ticks) {
465 per_cpu(wd_timer_tb, cpu) = tb;
466 wd_smp_clear_cpu_pending(cpu);
469 EXPORT_SYMBOL(arch_touch_nmi_watchdog);
471 static void start_watchdog(void *arg)
473 struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
474 int cpu = smp_processor_id();
477 if (cpumask_test_cpu(cpu, &wd_cpus_enabled)) {
482 if (!(watchdog_enabled & WATCHDOG_HARDLOCKUP_ENABLED))
485 if (!cpumask_test_cpu(cpu, &watchdog_cpumask))
489 cpumask_set_cpu(cpu, &wd_cpus_enabled);
490 if (cpumask_weight(&wd_cpus_enabled) == 1) {
491 cpumask_set_cpu(cpu, &wd_smp_cpus_pending);
492 wd_smp_last_reset_tb = get_tb();
494 wd_smp_unlock(&flags);
496 *this_cpu_ptr(&wd_timer_tb) = get_tb();
498 hrtimer_init(hrtimer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
499 hrtimer->function = watchdog_timer_fn;
500 hrtimer_start(hrtimer, ms_to_ktime(wd_timer_period_ms),
501 HRTIMER_MODE_REL_PINNED);
504 static int start_watchdog_on_cpu(unsigned int cpu)
506 return smp_call_function_single(cpu, start_watchdog, NULL, true);
509 static void stop_watchdog(void *arg)
511 struct hrtimer *hrtimer = this_cpu_ptr(&wd_hrtimer);
512 int cpu = smp_processor_id();
515 if (!cpumask_test_cpu(cpu, &wd_cpus_enabled))
516 return; /* Can happen in CPU unplug case */
518 hrtimer_cancel(hrtimer);
521 cpumask_clear_cpu(cpu, &wd_cpus_enabled);
522 wd_smp_unlock(&flags);
524 wd_smp_clear_cpu_pending(cpu);
527 static int stop_watchdog_on_cpu(unsigned int cpu)
529 return smp_call_function_single(cpu, stop_watchdog, NULL, true);
532 static void watchdog_calc_timeouts(void)
534 u64 threshold = watchdog_thresh;
536 #ifdef CONFIG_PPC_PSERIES
537 threshold += (READ_ONCE(wd_timeout_pct) * threshold) / 100;
540 wd_panic_timeout_tb = threshold * ppc_tb_freq;
542 /* Have the SMP detector trigger a bit later */
543 wd_smp_panic_timeout_tb = wd_panic_timeout_tb * 3 / 2;
545 /* 2/5 is the factor that the perf based detector uses */
546 wd_timer_period_ms = watchdog_thresh * 1000 * 2 / 5;
549 void watchdog_hardlockup_stop(void)
553 for_each_cpu(cpu, &wd_cpus_enabled)
554 stop_watchdog_on_cpu(cpu);
557 void watchdog_hardlockup_start(void)
561 watchdog_calc_timeouts();
562 for_each_cpu_and(cpu, cpu_online_mask, &watchdog_cpumask)
563 start_watchdog_on_cpu(cpu);
567 * Invoked from core watchdog init.
569 int __init watchdog_hardlockup_probe(void)
573 err = cpuhp_setup_state_nocalls(CPUHP_AP_ONLINE_DYN,
574 "powerpc/watchdog:online",
575 start_watchdog_on_cpu,
576 stop_watchdog_on_cpu);
578 pr_warn("could not be initialized");
584 #ifdef CONFIG_PPC_PSERIES
585 void watchdog_hardlockup_set_timeout_pct(u64 pct)
587 pr_info("Set the NMI watchdog timeout factor to %llu%%\n", pct);
588 WRITE_ONCE(wd_timeout_pct, pct);
589 lockup_detector_reconfigure();