When an HA cluster software or administrator detects non-response
of a host, they issue an NMI to the host to completely stop current
works and take a crash dump. If the kernel has already panicked
or is capturing a crash dump at that time, further NMI can cause
a crash dump failure.
To solve this issue, this patch set does two things:
- Don't panic on NMI if the kernel has already panicked
- Introduce "noextnmi" boot option which masks external NMI at the
boot time (supported only for x86)
V2:
- Use atomic_cmpxchg() instead of current spin_trylock() to exclude
concurrent accesses to panic() and crash_kexec()
- Don't introduce no-lock version of panic() and crash_kexec()
---
Hidehiro Kawai (3):
x86/panic: Fix re-entrance problem due to panic on NMI
kexec: Fix race between panic() and crash_kexec() called directly
x86/apic: Introduce noextnmi boot option
Documentation/kernel-parameters.txt | 4 ++++
arch/x86/kernel/apic/apic.c | 17 ++++++++++++++++-
arch/x86/kernel/nmi.c | 15 +++++++++++----
include/linux/kernel.h | 1 +
kernel/kexec.c | 20 ++++++++++++++++++++
kernel/panic.c | 13 ++++++++++---
6 files changed, 62 insertions(+), 8 deletions(-)
--
Hidehiro Kawai
Hitachi, Ltd. Research & Development Group
This patch introduces new boot option "noextnmi" which disables
external NMI. This option is useful for the dump capture kernel
so that an HA application or administrator wouldn't mistakenly
shoot down the kernel by NMI.
Currently, only x86 supports this option.
Signed-off-by: Hidehiro Kawai <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: "H. Peter Anvin" <[email protected]>
Cc: Jonathan Corbet <[email protected]>
---
Documentation/kernel-parameters.txt | 4 ++++
arch/x86/kernel/apic/apic.c | 17 ++++++++++++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 1d6f045..2cbd40b 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -2364,6 +2364,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
noexec=on: enable non-executable mappings (default)
noexec=off: disable non-executable mappings
+ noextnmi [X86]
+ Mask external NMI. This option is useful for a
+ dump capture kernel to be shot down by NMI.
+
nosmap [X86]
Disable SMAP (Supervisor Mode Access Prevention)
even if it is supported by processor.
diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
index dcb5285..a140410 100644
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -82,6 +82,12 @@
static unsigned int disabled_cpu_apicid __read_mostly = BAD_APICID;
/*
+ * Don't enable external NMI via LINT1 on BSP. This is useful for
+ * the dump capture kernel.
+ */
+static bool apic_noextnmi;
+
+/*
* Map cpu index to physical APIC ID
*/
DEFINE_EARLY_PER_CPU_READ_MOSTLY(u16, x86_cpu_to_apicid, BAD_APICID);
@@ -1150,6 +1156,8 @@ void __init init_bsp_APIC(void)
value = APIC_DM_NMI;
if (!lapic_is_integrated()) /* 82489DX */
value |= APIC_LVT_LEVEL_TRIGGER;
+ if (apic_noextnmi)
+ value |= APIC_LVT_MASKED;
apic_write(APIC_LVT1, value);
}
@@ -1369,7 +1377,7 @@ void setup_local_APIC(void)
/*
* only the BP should see the LINT1 NMI signal, obviously.
*/
- if (!cpu)
+ if (!cpu && !apic_noextnmi)
value = APIC_DM_NMI;
else
value = APIC_DM_NMI | APIC_LVT_MASKED;
@@ -2537,3 +2545,10 @@ static int __init apic_set_disabled_cpu_apicid(char *arg)
return 0;
}
early_param("disable_cpu_apicid", apic_set_disabled_cpu_apicid);
+
+static int __init apic_set_noextnmi(char *arg)
+{
+ apic_noextnmi = true;
+ return 0;
+}
+early_param("noextnmi", apic_set_noextnmi);
If panic on NMI happens just after panic() on the same CPU, panic()
is recursively called. As the result, it stalls after failing to
acquire panic_lock.
To avoid this problem, don't call panic() in NMI context if
we've already entered panic().
V2:
- Use atomic_cmpxchg() instead of current spin_trylock() to
exclude concurrent accesses to the panic routines
- Don't introduce no-lock version of panic()
Signed-off-by: Hidehiro Kawai <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: "H. Peter Anvin" <[email protected]>
Cc: Peter Zijlstra <[email protected]>
---
arch/x86/kernel/nmi.c | 15 +++++++++++----
include/linux/kernel.h | 1 +
kernel/panic.c | 13 ++++++++++---
3 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
index d05bd2e..5b32d81 100644
--- a/arch/x86/kernel/nmi.c
+++ b/arch/x86/kernel/nmi.c
@@ -230,7 +230,8 @@ void unregister_nmi_handler(unsigned int type, const char *name)
}
#endif
- if (panic_on_unrecovered_nmi)
+ if (panic_on_unrecovered_nmi &&
+ atomic_cmpxchg(&panicking_cpu, -1, raw_smp_processor_id()) == -1)
panic("NMI: Not continuing");
pr_emerg("Dazed and confused, but trying to continue\n");
@@ -255,8 +256,13 @@ void unregister_nmi_handler(unsigned int type, const char *name)
reason, smp_processor_id());
show_regs(regs);
- if (panic_on_io_nmi)
- panic("NMI IOCK error: Not continuing");
+ if (panic_on_io_nmi) {
+ if (atomic_cmpxchg(&panicking_cpu, -1, raw_smp_processor_id())
+ == -1)
+ panic("NMI IOCK error: Not continuing");
+ else
+ return; /* We don't want to wait and re-enable NMI */
+ }
/* Re-enable the IOCK line, wait for a few seconds */
reason = (reason & NMI_REASON_CLEAR_MASK) | NMI_REASON_CLEAR_IOCHK;
@@ -296,7 +302,8 @@ void unregister_nmi_handler(unsigned int type, const char *name)
reason, smp_processor_id());
pr_emerg("Do you have a strange power saving mode enabled?\n");
- if (unknown_nmi_panic || panic_on_unrecovered_nmi)
+ if ((unknown_nmi_panic || panic_on_unrecovered_nmi) &&
+ atomic_cmpxchg(&panicking_cpu, -1, raw_smp_processor_id()) == -1)
panic("NMI: Not continuing");
pr_emerg("Dazed and confused, but trying to continue\n");
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 5582410..8ca199b 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -442,6 +442,7 @@ extern __scanf(2, 0)
extern int sysctl_panic_on_stackoverflow;
extern bool crash_kexec_post_notifiers;
+extern atomic_t panicking_cpu;
/*
* Only to be used by arch init code. If the user over-wrote the default
diff --git a/kernel/panic.c b/kernel/panic.c
index 04e91ff..7e6b568 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -60,6 +60,8 @@ void __weak panic_smp_self_stop(void)
cpu_relax();
}
+atomic_t panicking_cpu = ATOMIC_INIT(-1);
+
/**
* panic - halt the system
* @fmt: The text string to print
@@ -70,17 +72,17 @@ void __weak panic_smp_self_stop(void)
*/
void panic(const char *fmt, ...)
{
- static DEFINE_SPINLOCK(panic_lock);
static char buf[1024];
va_list args;
long i, i_next = 0;
int state = 0;
+ int old_cpu, this_cpu;
/*
* Disable local interrupts. This will prevent panic_smp_self_stop
* from deadlocking the first cpu that invokes the panic, since
* there is nothing to prevent an interrupt handler (that runs
- * after the panic_lock is acquired) from invoking panic again.
+ * after setting panicking_cpu) from invoking panic again.
*/
local_irq_disable();
@@ -93,8 +95,13 @@ void panic(const char *fmt, ...)
* multiple parallel invocations of panic, all other CPUs either
* stop themself or will wait until they are stopped by the 1st CPU
* with smp_send_stop().
+ *
+ * `old_cpu == -1' means we are the first comer.
+ * `old_cpu == this_cpu' means we came here due to panic on NMI.
*/
- if (!spin_trylock(&panic_lock))
+ this_cpu = raw_smp_processor_id();
+ old_cpu = atomic_cmpxchg(&panicking_cpu, -1, this_cpu);
+ if (old_cpu != -1 && old_cpu != this_cpu)
panic_smp_self_stop();
console_verbose();
Currently, panic() and crash_kexec() can be called at the same time.
For example (x86 case):
CPU 0:
oops_end()
crash_kexec()
mutex_trylock() // acquired
nmi_shootdown_cpus() // stop other cpus
CPU 1:
panic()
crash_kexec()
mutex_trylock() // failed to acquire
smp_send_stop() // stop other cpus
infinite loop
If CPU 1 calls smp_send_stop() before nmi_shootdown_cpus(), kdump
fails.
In another case:
CPU 0:
oops_end()
crash_kexec()
mutex_trylock() // acquired
<NMI>
io_check_error()
panic()
crash_kexec()
mutex_trylock() // failed to acquire
infinite loop
Clearly, this is an undesirable result.
To fix this problem, this patch changes crash_kexec() to exclude
others by using atomic_t panicking_cpu.
V2:
- Use atomic_cmpxchg() instead of spin_trylock() on panic_lock
to exclude concurrent accesses
- Don't introduce no-lock version of crash_kexec()
Signed-off-by: Hidehiro Kawai <[email protected]>
Cc: Eric Biederman <[email protected]>
Cc: Vivek Goyal <[email protected]>
Cc: Andrew Morton <[email protected]>
---
kernel/kexec.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/kernel/kexec.c b/kernel/kexec.c
index a785c10..ca40a19 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -1472,6 +1472,18 @@ void __weak crash_unmap_reserved_pages(void)
void crash_kexec(struct pt_regs *regs)
{
+ int old_cpu, this_cpu;
+
+ /*
+ * `old_cpu == -1' means we are the first comer and crash_kexec()
+ * was called without entering panic().
+ * `old_cpu == this_cpu' means crash_kexec() was called from panic().
+ */
+ this_cpu = raw_smp_processor_id();
+ old_cpu = atomic_cmpxchg(&panicking_cpu, -1, this_cpu);
+ if (old_cpu != -1 && old_cpu != this_cpu)
+ return;
+
/* Take the kexec_mutex here to prevent sys_kexec_load
* running on one cpu from replacing the crash kernel
* we are using after a panic on a different cpu.
@@ -1491,6 +1503,14 @@ void crash_kexec(struct pt_regs *regs)
}
mutex_unlock(&kexec_mutex);
}
+
+ /*
+ * If we came here from panic(), we have to keep panicking_cpu
+ * to prevent other cpus from entering panic(). Otherwise,
+ * resetting it so that other cpus can enter panic()/crash_kexec().
+ */
+ if (old_cpu == this_cpu)
+ atomic_set(&panicking_cpu, -1);
}
size_t crash_get_memory_size(void)
On Mon 27-07-15 10:58:50, Hidehiro Kawai wrote:
[...]
> diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
> index d05bd2e..5b32d81 100644
> --- a/arch/x86/kernel/nmi.c
> +++ b/arch/x86/kernel/nmi.c
> @@ -230,7 +230,8 @@ void unregister_nmi_handler(unsigned int type, const char *name)
> }
> #endif
>
> - if (panic_on_unrecovered_nmi)
> + if (panic_on_unrecovered_nmi &&
> + atomic_cmpxchg(&panicking_cpu, -1, raw_smp_processor_id()) == -1)
> panic("NMI: Not continuing");
Spreading the check to all NMI callers is quite ugly. Wouldn't it be
better to introduce nmi_panic() which wouldn't be __noreturn unlike the
regular panic. The check could be also relaxed a bit and nmi_panic would
return only if the ongoing panic is the current cpu when we really have
to return and allow the preempted panic to finish.
Something like
---
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 5582410727cb..409091c48e6c 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -253,6 +253,7 @@ static inline void might_fault(void) { }
extern struct atomic_notifier_head panic_notifier_list;
extern long (*panic_blink)(int state);
__printf(1, 2)
+void nmi_panic(const char *fmt, ...) __cold;
void panic(const char *fmt, ...)
__noreturn __cold;
extern void oops_enter(void);
diff --git a/kernel/panic.c b/kernel/panic.c
index 04e91ff7560b..4c1ff7e19cdc 100644
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -60,6 +60,8 @@ void __weak panic_smp_self_stop(void)
cpu_relax();
}
+static atomic_t panic_cpu = ATOMIC_INIT(-1);
+
/**
* panic - halt the system
* @fmt: The text string to print
@@ -70,11 +72,11 @@ void __weak panic_smp_self_stop(void)
*/
void panic(const char *fmt, ...)
{
- static DEFINE_SPINLOCK(panic_lock);
static char buf[1024];
va_list args;
long i, i_next = 0;
int state = 0;
+ int this_cpu, old_cpu;
/*
* Disable local interrupts. This will prevent panic_smp_self_stop
@@ -94,7 +96,9 @@ void panic(const char *fmt, ...)
* stop themself or will wait until they are stopped by the 1st CPU
* with smp_send_stop().
*/
- if (!spin_trylock(&panic_lock))
+ this_cpu = raw_smp_processor_id();
+ old_cpu = atomic_cmpxchg(&panic_cpu, -1, this_cpu);
+ if (old_cpu != -1 && old_cpu != this_cpu)
panic_smp_self_stop();
console_verbose();
@@ -201,9 +205,20 @@ void panic(const char *fmt, ...)
mdelay(PANIC_TIMER_STEP);
}
}
-
EXPORT_SYMBOL(panic);
+void nmi_panic(const char *fmt, ...)
+{
+ /*
+ * We have to back off if the NMI has preempted an ongoing panic and
+ * allow it to finish
+ */
+ if (atomic_read(&panic_cpu) == raw_smp_processor_id())
+ return;
+
+ panic();
+}
+EXPORT_SYMBOL(nmi_panic);
struct tnt {
u8 bit;
--
Michal Hocko
SUSE Labs
On Mon 27-07-15 10:58:50, Hidehiro Kawai wrote:
[...]
> @@ -1472,6 +1472,18 @@ void __weak crash_unmap_reserved_pages(void)
>
> void crash_kexec(struct pt_regs *regs)
> {
> + int old_cpu, this_cpu;
> +
> + /*
> + * `old_cpu == -1' means we are the first comer and crash_kexec()
> + * was called without entering panic().
> + * `old_cpu == this_cpu' means crash_kexec() was called from panic().
> + */
> + this_cpu = raw_smp_processor_id();
> + old_cpu = atomic_cmpxchg(&panicking_cpu, -1, this_cpu);
> + if (old_cpu != -1 && old_cpu != this_cpu)
> + return;
> +
> /* Take the kexec_mutex here to prevent sys_kexec_load
> * running on one cpu from replacing the crash kernel
> * we are using after a panic on a different cpu.
> @@ -1491,6 +1503,14 @@ void crash_kexec(struct pt_regs *regs)
> }
> mutex_unlock(&kexec_mutex);
> }
> +
> + /*
> + * If we came here from panic(), we have to keep panicking_cpu
> + * to prevent other cpus from entering panic(). Otherwise,
> + * resetting it so that other cpus can enter panic()/crash_kexec().
> + */
> + if (old_cpu == this_cpu)
> + atomic_set(&panicking_cpu, -1);
This do the opposite what the comment says, wouldn't it? You should
check old_cpu == -1. Also atomic_set doesn't imply memory barriers which
might be a problem.
--
Michal Hocko
SUSE Labs
Hi,
Thanks for the review.
(2015/07/27 23:34), Michal Hocko wrote:
> On Mon 27-07-15 10:58:50, Hidehiro Kawai wrote:
> [...]
>> diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
>> index d05bd2e..5b32d81 100644
>> --- a/arch/x86/kernel/nmi.c
>> +++ b/arch/x86/kernel/nmi.c
>> @@ -230,7 +230,8 @@ void unregister_nmi_handler(unsigned int type, const char *name)
>> }
>> #endif
>>
>> - if (panic_on_unrecovered_nmi)
>> + if (panic_on_unrecovered_nmi &&
>> + atomic_cmpxchg(&panicking_cpu, -1, raw_smp_processor_id()) == -1)
>> panic("NMI: Not continuing");
>
> Spreading the check to all NMI callers is quite ugly. Wouldn't it be
> better to introduce nmi_panic() which wouldn't be __noreturn unlike the
> regular panic.
Sure. I'll fix it.
> The check could be also relaxed a bit and nmi_panic would
> return only if the ongoing panic is the current cpu when we really have
> to return and allow the preempted panic to finish.
It's reasonable. I'll do that in the next version.
> Something like
[...]
> +void nmi_panic(const char *fmt, ...)
Since we can't directly pass variable arguments to a subroutine,
we have to use a macro or do like this:
void nmi_panic(const char *msg)
{
...
panic("%s", msg);
}
If there is no objection, I'm going to use a macro.
> +{
> + /*
> + * We have to back off if the NMI has preempted an ongoing panic and
> + * allow it to finish
> + */
> + if (atomic_read(&panic_cpu) == raw_smp_processor_id())
> + return;
> +
> + panic();
> +}
> +EXPORT_SYMBOL(nmi_panic);
>
> struct tnt {
> u8 bit;
>
--
Hidehiro Kawai
Hitachi, Ltd. Research & Development Group
Hi,
(2015/07/27 23:55), Michal Hocko wrote:
> On Mon 27-07-15 10:58:50, Hidehiro Kawai wrote:
> [...]
>> @@ -1472,6 +1472,18 @@ void __weak crash_unmap_reserved_pages(void)
>>
>> void crash_kexec(struct pt_regs *regs)
>> {
>> + int old_cpu, this_cpu;
>> +
>> + /*
>> + * `old_cpu == -1' means we are the first comer and crash_kexec()
>> + * was called without entering panic().
>> + * `old_cpu == this_cpu' means crash_kexec() was called from panic().
>> + */
>> + this_cpu = raw_smp_processor_id();
>> + old_cpu = atomic_cmpxchg(&panicking_cpu, -1, this_cpu);
>> + if (old_cpu != -1 && old_cpu != this_cpu)
>> + return;
>> +
>> /* Take the kexec_mutex here to prevent sys_kexec_load
>> * running on one cpu from replacing the crash kernel
>> * we are using after a panic on a different cpu.
>> @@ -1491,6 +1503,14 @@ void crash_kexec(struct pt_regs *regs)
>> }
>> mutex_unlock(&kexec_mutex);
>> }
>> +
>> + /*
>> + * If we came here from panic(), we have to keep panicking_cpu
>> + * to prevent other cpus from entering panic(). Otherwise,
>> + * resetting it so that other cpus can enter panic()/crash_kexec().
>> + */
>> + if (old_cpu == this_cpu)
>> + atomic_set(&panicking_cpu, -1);
>
> This do the opposite what the comment says, wouldn't it? You should
> check old_cpu == -1.
Sorry, you are right. I performed same tests as for the
previous patch set, but I missed the test case for this
new logic.
> Also atomic_set doesn't imply memory barriers which
> might be a problem.
OK, I'll use atomic_xchg().
Regards,
--
Hidehiro Kawai
Hitachi, Ltd. Research & Development Group
On Tue 28-07-15 11:02:11, Hidehiro Kawai wrote:
[...]
> > Something like
> [...]
> > +void nmi_panic(const char *fmt, ...)
>
> Since we can't directly pass variable arguments to a subroutine,
Sure, I was just too lazy to finish this as it was just an illustration
of the idea.
> we have to use a macro or do like this:
>
> void nmi_panic(const char *msg)
> {
> ...
> panic("%s", msg);
> }
>
> If there is no objection, I'm going to use a macro.
Your other patch needs panic_cpu externally visible so the macro should
be OK.
--
Michal Hocko
SUSE Labs
Hi,
> From: [email protected] [mailto:[email protected]] On Behalf Of Hidehiro Kawai
> (2015/07/27 23:34), Michal Hocko wrote:
> > On Mon 27-07-15 10:58:50, Hidehiro Kawai wrote:
[...]
> > The check could be also relaxed a bit and nmi_panic would
> > return only if the ongoing panic is the current cpu when we really have
> > to return and allow the preempted panic to finish.
>
> It's reasonable. I'll do that in the next version.
I noticed atomic_read() is insufficient. Please consider the following
scenario.
CPU 1: call panic() in the normal context
CPU 0: call nmi_panic(), check the value of panic_cpu, then call panic()
CPU 1: set 1 to panic_cpu
CPU 0: fail to set 0 to panic_cpu, then do an infinite loop
CPU 1: call crash_kexec(), then call kdump_nmi_shootdown_cpus()
At this point, since CPU 0 loops in NMI context, it never executes
the NMI handler registered by kdump_nmi_shootdown_cpus(). This means
that no register states are saved and no cleanups for VMX/SVM are
performed. So, we should still use atomic_cmpxchg() in nmi_panic() to
prevent other cpus from running panic routines.
> > +void nmi_panic(const char *fmt, ...)
> > +{
> > + /*
> > + * We have to back off if the NMI has preempted an ongoing panic and
> > + * allow it to finish
> > + */
> > + if (atomic_read(&panic_cpu) == raw_smp_processor_id())
> > + return;
> > +
> > + panic();
> > +}
> > +EXPORT_SYMBOL(nmi_panic);
On Wed 29-07-15 05:48:47, 河合英宏 / KAWAI,HIDEHIRO wrote:
> Hi,
>
> > From: [email protected] [mailto:[email protected]] On Behalf Of Hidehiro Kawai
> > (2015/07/27 23:34), Michal Hocko wrote:
> > > On Mon 27-07-15 10:58:50, Hidehiro Kawai wrote:
> [...]
> > > The check could be also relaxed a bit and nmi_panic would
> > > return only if the ongoing panic is the current cpu when we really have
> > > to return and allow the preempted panic to finish.
> >
> > It's reasonable. I'll do that in the next version.
>
> I noticed atomic_read() is insufficient. Please consider the following
> scenario.
>
> CPU 1: call panic() in the normal context
> CPU 0: call nmi_panic(), check the value of panic_cpu, then call panic()
> CPU 1: set 1 to panic_cpu
> CPU 0: fail to set 0 to panic_cpu, then do an infinite loop
> CPU 1: call crash_kexec(), then call kdump_nmi_shootdown_cpus()
>
> At this point, since CPU 0 loops in NMI context, it never executes
> the NMI handler registered by kdump_nmi_shootdown_cpus(). This means
> that no register states are saved and no cleanups for VMX/SVM are
> performed.
Yes this is true but it is no different from the current state, isn't
it? So if you want to handle that then it deserves a separate patch.
It is certainly not harmful wrt. panic behavior.
> So, we should still use atomic_cmpxchg() in nmi_panic() to
> prevent other cpus from running panic routines.
Not sure what you mean by that.
--
Michal Hocko
SUSE Labs