2005-04-17 05:20:36 +07:00
|
|
|
/*
|
|
|
|
* Machine check handler.
|
2009-04-08 17:31:17 +07:00
|
|
|
*
|
2005-04-17 05:20:36 +07:00
|
|
|
* K8 parts Copyright 2002,2003 Andi Kleen, SuSE Labs.
|
2007-10-24 03:37:23 +07:00
|
|
|
* Rest from unknown author(s).
|
|
|
|
* 2004 Andi Kleen. Rewrote most of it.
|
2009-02-12 19:43:23 +07:00
|
|
|
* Copyright 2008 Intel Corporation
|
|
|
|
* Author: Andi Kleen
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
2012-05-22 09:50:07 +07:00
|
|
|
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
|
2009-04-08 17:31:17 +07:00
|
|
|
#include <linux/thread_info.h>
|
|
|
|
#include <linux/capability.h>
|
|
|
|
#include <linux/miscdevice.h>
|
|
|
|
#include <linux/ratelimit.h>
|
|
|
|
#include <linux/kallsyms.h>
|
|
|
|
#include <linux/rcupdate.h>
|
|
|
|
#include <linux/kobject.h>
|
2009-04-30 14:04:51 +07:00
|
|
|
#include <linux/uaccess.h>
|
2009-04-08 17:31:17 +07:00
|
|
|
#include <linux/kdebug.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/percpu.h>
|
2005-04-17 05:20:36 +07:00
|
|
|
#include <linux/string.h>
|
2011-12-22 05:29:42 +07:00
|
|
|
#include <linux/device.h>
|
2011-03-24 04:15:54 +07:00
|
|
|
#include <linux/syscore_ops.h>
|
2009-05-28 02:56:55 +07:00
|
|
|
#include <linux/delay.h>
|
2005-09-12 23:49:24 +07:00
|
|
|
#include <linux/ctype.h>
|
2009-04-08 17:31:17 +07:00
|
|
|
#include <linux/sched.h>
|
2009-02-18 05:07:13 +07:00
|
|
|
#include <linux/sysfs.h>
|
2009-04-08 17:31:17 +07:00
|
|
|
#include <linux/types.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 15:04:11 +07:00
|
|
|
#include <linux/slab.h>
|
2009-04-08 17:31:17 +07:00
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/kmod.h>
|
|
|
|
#include <linux/poll.h>
|
2009-05-28 02:56:55 +07:00
|
|
|
#include <linux/nmi.h>
|
2009-04-08 17:31:17 +07:00
|
|
|
#include <linux/cpu.h>
|
2009-04-30 14:04:51 +07:00
|
|
|
#include <linux/smp.h>
|
2009-04-08 17:31:17 +07:00
|
|
|
#include <linux/fs.h>
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
#include <linux/mm.h>
|
2009-07-31 08:41:42 +07:00
|
|
|
#include <linux/debugfs.h>
|
2011-06-08 08:56:02 +07:00
|
|
|
#include <linux/irq_work.h>
|
2011-05-26 23:22:53 +07:00
|
|
|
#include <linux/export.h>
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2007-10-24 03:37:23 +07:00
|
|
|
#include <asm/processor.h>
|
2014-11-20 08:41:09 +07:00
|
|
|
#include <asm/traps.h>
|
2014-10-25 05:58:07 +07:00
|
|
|
#include <asm/tlbflush.h>
|
2009-04-08 17:31:17 +07:00
|
|
|
#include <asm/mce.h>
|
|
|
|
#include <asm/msr.h>
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
#include "mce-internal.h"
|
2009-04-08 17:31:26 +07:00
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
static DEFINE_MUTEX(mce_chrdev_read_mutex);
|
2010-03-14 14:57:03 +07:00
|
|
|
|
2015-08-12 23:29:43 +07:00
|
|
|
#define mce_log_get_idx_check(p) \
|
2015-04-20 08:16:02 +07:00
|
|
|
({ \
|
2015-06-19 05:50:02 +07:00
|
|
|
RCU_LOCKDEP_WARN(!rcu_read_lock_sched_held() && \
|
|
|
|
!lockdep_is_held(&mce_chrdev_read_mutex), \
|
2015-09-01 10:20:30 +07:00
|
|
|
"suspicious mce_log_get_idx_check() usage"); \
|
2015-04-20 08:16:02 +07:00
|
|
|
smp_load_acquire(&(p)); \
|
|
|
|
})
|
2010-03-06 06:03:27 +07:00
|
|
|
|
perf_event, x86, mce: Use TRACE_EVENT() for MCE logging
This approach is the first baby step towards solving many of the
structural problems the x86 MCE logging code is having today:
- It has a private ring-buffer implementation that has a number
of limitations and has been historically fragile and buggy.
- It is using a quirky /dev/mcelog ioctl driven ABI that is MCE
specific. /dev/mcelog is not part of any larger logging
framework and hence has remained on the fringes for many years.
- The MCE logging code is still very unclean partly due to its ABI
limitations. Fields are being reused for multiple purposes, and
the whole message structure is limited and x86 specific to begin
with.
All in one, the x86 tree would like to move away from this private
implementation of an event logging facility to a broader framework.
By using perf events we gain the following advantages:
- Multiple user-space agents can access MCE events. We can have an
mcelog daemon running but also a system-wide tracer capturing
important events in flight-recorder mode.
- Sampling support: the kernel and the user-space call-chain of MCE
events can be stored and analyzed as well. This way actual patterns
of bad behavior can be matched to precisely what kind of activity
happened in the kernel (and/or in the app) around that moment in
time.
- Coupling with other hardware and software events: the PMU can track a
number of other anomalies - monitoring software might chose to
monitor those plus the MCE events as well - in one coherent stream of
events.
- Discovery of MCE sources - tracepoints are enumerated and tools can
act upon the existence (or non-existence) of various channels of MCE
information.
- Filtering support: we just subscribe to and act upon the events we
are interested in. Then even on a per event source basis there's
in-kernel filter expressions available that can restrict the amount
of data that hits the event channel.
- Arbitrary deep per cpu buffering of events - we can buffer 32
entries or we can buffer as much as we want, as long as we have
the RAM.
- An NMI-safe ring-buffer implementation - mappable to user-space.
- Built-in support for timestamping of events, PID markers, CPU
markers, etc.
- A rich ABI accessible over system call interface. Per cpu, per task
and per workload monitoring of MCE events can be done this way. The
ABI itself has a nice, meaningful structure.
- Extensible ABI: new fields can be added without breaking tooling.
New tracepoints can be added as the hardware side evolves. There's
various parsers that can be used.
- Lots of scheduling/buffering/batching modes of operandi for MCE
events. poll() support. mmap() support. read() support. You name it.
- Rich tooling support: even without any MCE specific extensions added
the 'perf' tool today offers various views of MCE data: perf report,
perf stat, perf trace can all be used to view logged MCE events and
perhaps correlate them to certain user-space usage patterns. But it
can be used directly as well, for user-space agents and policy action
in mcelog, etc.
With this we hope to achieve significant code cleanup and feature
improvements in the MCE code, and we hope to be able to drop the
/dev/mcelog facility in the end.
This patch is just a plain dumb dump of mce_log() records to
the tracepoints / perf events framework - a first proof of
concept step.
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Cc: Huang Ying <ying.huang@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
LKML-Reference: <4AD42A0D.7050104@jp.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-10-13 14:19:41 +07:00
|
|
|
#define CREATE_TRACE_POINTS
|
|
|
|
#include <trace/events/mce.h>
|
|
|
|
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
#define SPINUNIT 100 /* 100ns */
|
2009-05-28 02:56:55 +07:00
|
|
|
|
2009-05-28 02:56:52 +07:00
|
|
|
DEFINE_PER_CPU(unsigned, mce_exception_count);
|
|
|
|
|
2012-10-17 17:05:33 +07:00
|
|
|
struct mce_bank *mce_banks __read_mostly;
|
2015-03-23 22:42:52 +07:00
|
|
|
struct mce_vendor_flags mce_flags __read_mostly;
|
2009-07-09 05:31:43 +07:00
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
struct mca_config mca_cfg __read_mostly = {
|
2012-10-16 00:59:18 +07:00
|
|
|
.bootlog = -1,
|
2012-10-15 23:03:57 +07:00
|
|
|
/*
|
|
|
|
* Tolerant levels:
|
|
|
|
* 0: always panic on uncorrected errors, log corrected errors
|
|
|
|
* 1: panic or SIGBUS on uncorrected errors, log corrected errors
|
|
|
|
* 2: SIGBUS or log uncorrected errors (if possible), log corr. errors
|
|
|
|
* 3: never panic or SIGBUS, log all errors (for testing only)
|
|
|
|
*/
|
2012-10-16 00:59:18 +07:00
|
|
|
.tolerant = 1,
|
|
|
|
.monarch_timeout = -1
|
2012-10-15 23:03:57 +07:00
|
|
|
};
|
|
|
|
|
2009-06-15 15:20:57 +07:00
|
|
|
/* User mode helper program triggered by machine check event */
|
|
|
|
static unsigned long mce_need_notify;
|
|
|
|
static char mce_helper[128];
|
|
|
|
static char *mce_helper_argv[2] = { mce_helper, NULL };
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
static DECLARE_WAIT_QUEUE_HEAD(mce_chrdev_wait);
|
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
static DEFINE_PER_CPU(struct mce, mces_seen);
|
|
|
|
static int cpu_missing;
|
|
|
|
|
2013-06-26 01:28:59 +07:00
|
|
|
/*
|
|
|
|
* MCA banks polled by the period polling timer for corrected events.
|
|
|
|
* With Intel CMCI, this only has MCA banks which do not support CMCI (if any).
|
|
|
|
*/
|
2009-02-12 19:49:34 +07:00
|
|
|
DEFINE_PER_CPU(mce_banks_t, mce_poll_banks) = {
|
|
|
|
[0 ... BITS_TO_LONGS(MAX_NR_BANKS)-1] = ~0UL
|
|
|
|
};
|
|
|
|
|
2013-07-01 22:38:47 +07:00
|
|
|
/*
|
|
|
|
* MCA banks controlled through firmware first for corrected errors.
|
|
|
|
* This is a global list of banks for which we won't enable CMCI and we
|
|
|
|
* won't poll. Firmware controls these banks and is responsible for
|
|
|
|
* reporting corrected errors through GHES. Uncorrected/recoverable
|
|
|
|
* errors are still notified through a machine check.
|
|
|
|
*/
|
|
|
|
mce_banks_t mce_banks_ce_disabled;
|
|
|
|
|
2015-08-12 23:29:35 +07:00
|
|
|
static struct work_struct mce_work;
|
|
|
|
static struct irq_work mce_irq_work;
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
|
2012-07-20 01:28:46 +07:00
|
|
|
static void (*quirk_no_way_out)(int bank, struct mce *m, struct pt_regs *regs);
|
2015-08-12 23:29:36 +07:00
|
|
|
static int mce_usable_address(struct mce *m);
|
2012-07-20 01:28:46 +07:00
|
|
|
|
2011-12-04 21:12:09 +07:00
|
|
|
/*
|
|
|
|
* CPU/chipset specific EDAC code can register a notifier call here to print
|
|
|
|
* MCE errors in a human-readable form.
|
|
|
|
*/
|
2015-08-12 23:29:34 +07:00
|
|
|
ATOMIC_NOTIFIER_HEAD(x86_mce_decoder_chain);
|
2011-12-04 21:12:09 +07:00
|
|
|
|
2009-02-12 19:43:22 +07:00
|
|
|
/* Do initial initialization of a struct mce */
|
|
|
|
void mce_setup(struct mce *m)
|
|
|
|
{
|
|
|
|
memset(m, 0, sizeof(struct mce));
|
2009-05-28 02:56:56 +07:00
|
|
|
m->cpu = m->extcpu = smp_processor_id();
|
2015-06-25 23:44:07 +07:00
|
|
|
m->tsc = rdtsc();
|
2009-05-28 02:56:56 +07:00
|
|
|
/* We hope get_seconds stays lockless */
|
|
|
|
m->time = get_seconds();
|
|
|
|
m->cpuvendor = boot_cpu_data.x86_vendor;
|
|
|
|
m->cpuid = cpuid_eax(1);
|
|
|
|
m->socketid = cpu_data(m->extcpu).phys_proc_id;
|
|
|
|
m->apicid = cpu_data(m->extcpu).initial_apicid;
|
|
|
|
rdmsrl(MSR_IA32_MCG_CAP, m->mcgcap);
|
2009-02-12 19:43:22 +07:00
|
|
|
}
|
|
|
|
|
2009-04-30 00:31:00 +07:00
|
|
|
DEFINE_PER_CPU(struct mce, injectm);
|
|
|
|
EXPORT_PER_CPU_SYMBOL_GPL(injectm);
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/*
|
|
|
|
* Lockless MCE logging infrastructure.
|
|
|
|
* This avoids deadlocks on printk locks without having to break locks. Also
|
|
|
|
* separate MCEs from kernel messages to avoid bogus bug reports.
|
|
|
|
*/
|
|
|
|
|
2008-01-30 19:30:30 +07:00
|
|
|
static struct mce_log mcelog = {
|
2009-05-28 02:56:55 +07:00
|
|
|
.signature = MCE_LOG_SIGNATURE,
|
|
|
|
.len = MCE_LOG_LEN,
|
|
|
|
.recordlen = sizeof(struct mce),
|
2007-10-24 03:37:23 +07:00
|
|
|
};
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
void mce_log(struct mce *mce)
|
|
|
|
{
|
|
|
|
unsigned next, entry;
|
2009-04-08 17:31:17 +07:00
|
|
|
|
perf_event, x86, mce: Use TRACE_EVENT() for MCE logging
This approach is the first baby step towards solving many of the
structural problems the x86 MCE logging code is having today:
- It has a private ring-buffer implementation that has a number
of limitations and has been historically fragile and buggy.
- It is using a quirky /dev/mcelog ioctl driven ABI that is MCE
specific. /dev/mcelog is not part of any larger logging
framework and hence has remained on the fringes for many years.
- The MCE logging code is still very unclean partly due to its ABI
limitations. Fields are being reused for multiple purposes, and
the whole message structure is limited and x86 specific to begin
with.
All in one, the x86 tree would like to move away from this private
implementation of an event logging facility to a broader framework.
By using perf events we gain the following advantages:
- Multiple user-space agents can access MCE events. We can have an
mcelog daemon running but also a system-wide tracer capturing
important events in flight-recorder mode.
- Sampling support: the kernel and the user-space call-chain of MCE
events can be stored and analyzed as well. This way actual patterns
of bad behavior can be matched to precisely what kind of activity
happened in the kernel (and/or in the app) around that moment in
time.
- Coupling with other hardware and software events: the PMU can track a
number of other anomalies - monitoring software might chose to
monitor those plus the MCE events as well - in one coherent stream of
events.
- Discovery of MCE sources - tracepoints are enumerated and tools can
act upon the existence (or non-existence) of various channels of MCE
information.
- Filtering support: we just subscribe to and act upon the events we
are interested in. Then even on a per event source basis there's
in-kernel filter expressions available that can restrict the amount
of data that hits the event channel.
- Arbitrary deep per cpu buffering of events - we can buffer 32
entries or we can buffer as much as we want, as long as we have
the RAM.
- An NMI-safe ring-buffer implementation - mappable to user-space.
- Built-in support for timestamping of events, PID markers, CPU
markers, etc.
- A rich ABI accessible over system call interface. Per cpu, per task
and per workload monitoring of MCE events can be done this way. The
ABI itself has a nice, meaningful structure.
- Extensible ABI: new fields can be added without breaking tooling.
New tracepoints can be added as the hardware side evolves. There's
various parsers that can be used.
- Lots of scheduling/buffering/batching modes of operandi for MCE
events. poll() support. mmap() support. read() support. You name it.
- Rich tooling support: even without any MCE specific extensions added
the 'perf' tool today offers various views of MCE data: perf report,
perf stat, perf trace can all be used to view logged MCE events and
perhaps correlate them to certain user-space usage patterns. But it
can be used directly as well, for user-space agents and policy action
in mcelog, etc.
With this we hope to achieve significant code cleanup and feature
improvements in the MCE code, and we hope to be able to drop the
/dev/mcelog facility in the end.
This patch is just a plain dumb dump of mce_log() records to
the tracepoints / perf events framework - a first proof of
concept step.
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Cc: Huang Ying <ying.huang@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
LKML-Reference: <4AD42A0D.7050104@jp.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-10-13 14:19:41 +07:00
|
|
|
/* Emit the trace record: */
|
|
|
|
trace_mce_record(mce);
|
|
|
|
|
2015-08-12 23:29:37 +07:00
|
|
|
if (!mce_gen_pool_add(mce))
|
|
|
|
irq_work_queue(&mce_irq_work);
|
2011-07-18 21:24:45 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
mce->finished = 0;
|
2005-09-30 05:01:27 +07:00
|
|
|
wmb();
|
2005-04-17 05:20:36 +07:00
|
|
|
for (;;) {
|
2015-08-12 23:29:43 +07:00
|
|
|
entry = mce_log_get_idx_check(mcelog.next);
|
2005-09-12 23:49:24 +07:00
|
|
|
for (;;) {
|
2009-07-23 16:57:45 +07:00
|
|
|
|
2009-04-08 17:31:17 +07:00
|
|
|
/*
|
|
|
|
* When the buffer fills up discard new entries.
|
|
|
|
* Assume that the earlier errors are the more
|
|
|
|
* interesting ones:
|
|
|
|
*/
|
2005-09-12 23:49:24 +07:00
|
|
|
if (entry >= MCE_LOG_LEN) {
|
2009-04-30 14:04:51 +07:00
|
|
|
set_bit(MCE_OVERFLOW,
|
|
|
|
(unsigned long *)&mcelog.flags);
|
2005-09-12 23:49:24 +07:00
|
|
|
return;
|
|
|
|
}
|
2009-04-08 17:31:17 +07:00
|
|
|
/* Old left over entry. Skip: */
|
2005-09-12 23:49:24 +07:00
|
|
|
if (mcelog.entry[entry].finished) {
|
|
|
|
entry++;
|
|
|
|
continue;
|
|
|
|
}
|
2005-09-30 05:01:27 +07:00
|
|
|
break;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
smp_rmb();
|
|
|
|
next = entry + 1;
|
|
|
|
if (cmpxchg(&mcelog.next, entry, next) == entry)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
memcpy(mcelog.entry + entry, mce, sizeof(struct mce));
|
2005-09-30 05:01:27 +07:00
|
|
|
wmb();
|
2005-04-17 05:20:36 +07:00
|
|
|
mcelog.entry[entry].finished = 1;
|
2005-09-30 05:01:27 +07:00
|
|
|
wmb();
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2009-05-28 02:56:54 +07:00
|
|
|
mce->finished = 1;
|
2009-06-15 15:20:57 +07:00
|
|
|
set_bit(0, &mce_need_notify);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2015-08-12 23:29:44 +07:00
|
|
|
void mce_inject_log(struct mce *m)
|
2011-12-08 18:28:33 +07:00
|
|
|
{
|
2015-08-12 23:29:44 +07:00
|
|
|
mutex_lock(&mce_chrdev_read_mutex);
|
|
|
|
mce_log(m);
|
|
|
|
mutex_unlock(&mce_chrdev_read_mutex);
|
2011-12-08 18:28:33 +07:00
|
|
|
}
|
2015-08-12 23:29:44 +07:00
|
|
|
EXPORT_SYMBOL_GPL(mce_inject_log);
|
2011-12-08 18:28:33 +07:00
|
|
|
|
2015-08-12 23:29:36 +07:00
|
|
|
static struct notifier_block mce_srao_nb;
|
2011-12-08 18:28:33 +07:00
|
|
|
|
2011-12-04 21:12:09 +07:00
|
|
|
void mce_register_decode_chain(struct notifier_block *nb)
|
|
|
|
{
|
2015-08-12 23:29:36 +07:00
|
|
|
/* Ensure SRAO notifier has the highest priority in the decode chain. */
|
|
|
|
if (nb != &mce_srao_nb && nb->priority == INT_MAX)
|
|
|
|
nb->priority -= 1;
|
|
|
|
|
2011-12-04 21:12:09 +07:00
|
|
|
atomic_notifier_chain_register(&x86_mce_decoder_chain, nb);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(mce_register_decode_chain);
|
|
|
|
|
|
|
|
void mce_unregister_decode_chain(struct notifier_block *nb)
|
|
|
|
{
|
|
|
|
atomic_notifier_chain_unregister(&x86_mce_decoder_chain, nb);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(mce_unregister_decode_chain);
|
|
|
|
|
2009-06-11 14:04:35 +07:00
|
|
|
static void print_mce(struct mce *m)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2011-04-20 17:23:49 +07:00
|
|
|
int ret = 0;
|
|
|
|
|
2010-06-08 13:35:39 +07:00
|
|
|
pr_emerg(HW_ERR "CPU %d: Machine Check Exception: %Lx Bank %d: %016Lx\n",
|
2009-05-28 02:56:56 +07:00
|
|
|
m->extcpu, m->mcgstatus, m->bank, m->status);
|
2009-10-01 21:14:32 +07:00
|
|
|
|
2008-01-30 19:30:56 +07:00
|
|
|
if (m->ip) {
|
2010-06-08 13:35:39 +07:00
|
|
|
pr_emerg(HW_ERR "RIP%s %02x:<%016Lx> ",
|
2009-10-01 21:14:32 +07:00
|
|
|
!(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
|
|
|
|
m->cs, m->ip);
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
if (m->cs == __KERNEL_CS)
|
2008-01-30 19:30:56 +07:00
|
|
|
print_symbol("{%s}", m->ip);
|
2009-10-01 21:14:32 +07:00
|
|
|
pr_cont("\n");
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
2009-10-01 21:14:32 +07:00
|
|
|
|
2010-06-08 13:35:39 +07:00
|
|
|
pr_emerg(HW_ERR "TSC %llx ", m->tsc);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (m->addr)
|
2009-10-01 21:14:32 +07:00
|
|
|
pr_cont("ADDR %llx ", m->addr);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (m->misc)
|
2009-10-01 21:14:32 +07:00
|
|
|
pr_cont("MISC %llx ", m->misc);
|
2009-07-24 18:51:42 +07:00
|
|
|
|
2009-10-01 21:14:32 +07:00
|
|
|
pr_cont("\n");
|
2011-10-13 07:46:33 +07:00
|
|
|
/*
|
|
|
|
* Note this output is parsed by external tools and old fields
|
|
|
|
* should not be changed.
|
|
|
|
*/
|
2011-10-17 21:45:10 +07:00
|
|
|
pr_emerg(HW_ERR "PROCESSOR %u:%x TIME %llu SOCKET %u APIC %x microcode %x\n",
|
2011-10-13 07:46:33 +07:00
|
|
|
m->cpuvendor, m->cpuid, m->time, m->socketid, m->apicid,
|
|
|
|
cpu_data(m->extcpu).microcode);
|
2009-10-01 21:14:32 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Print out human-readable details about the MCE error,
|
2009-10-07 18:20:38 +07:00
|
|
|
* (if the CPU has an implementation for that)
|
2009-10-01 21:14:32 +07:00
|
|
|
*/
|
2011-04-20 17:23:49 +07:00
|
|
|
ret = atomic_notifier_call_chain(&x86_mce_decoder_chain, 0, m);
|
|
|
|
if (ret == NOTIFY_STOP)
|
|
|
|
return;
|
|
|
|
|
|
|
|
pr_emerg_ratelimited(HW_ERR "Run the above through 'mcelog --ascii'\n");
|
2009-05-28 02:56:58 +07:00
|
|
|
}
|
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
#define PANIC_TIMEOUT 5 /* 5 seconds */
|
|
|
|
|
2014-12-04 04:36:45 +07:00
|
|
|
static atomic_t mce_panicked;
|
2009-05-28 02:56:55 +07:00
|
|
|
|
2009-07-31 08:41:43 +07:00
|
|
|
static int fake_panic;
|
2014-12-04 04:36:45 +07:00
|
|
|
static atomic_t mce_fake_panicked;
|
2009-07-31 08:41:43 +07:00
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
/* Panic in progress. Enable interrupts and wait for final IPI */
|
|
|
|
static void wait_for_panic(void)
|
|
|
|
{
|
|
|
|
long timeout = PANIC_TIMEOUT*USEC_PER_SEC;
|
2009-10-01 21:14:32 +07:00
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
preempt_disable();
|
|
|
|
local_irq_enable();
|
|
|
|
while (timeout-- > 0)
|
|
|
|
udelay(1);
|
2009-05-28 02:56:56 +07:00
|
|
|
if (panic_timeout == 0)
|
2012-10-16 01:25:17 +07:00
|
|
|
panic_timeout = mca_cfg.panic_timeout;
|
2009-05-28 02:56:55 +07:00
|
|
|
panic("Panicing machine check CPU died");
|
|
|
|
}
|
|
|
|
|
2014-12-21 23:18:25 +07:00
|
|
|
static void mce_panic(const char *msg, struct mce *final, char *exp)
|
2007-10-24 03:37:23 +07:00
|
|
|
{
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
int i, apei_err = 0;
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
|
2009-07-31 08:41:43 +07:00
|
|
|
if (!fake_panic) {
|
|
|
|
/*
|
|
|
|
* Make sure only one CPU runs in machine check panic
|
|
|
|
*/
|
2014-12-04 04:36:45 +07:00
|
|
|
if (atomic_inc_return(&mce_panicked) > 1)
|
2009-07-31 08:41:43 +07:00
|
|
|
wait_for_panic();
|
|
|
|
barrier();
|
2009-05-28 02:56:55 +07:00
|
|
|
|
2009-07-31 08:41:43 +07:00
|
|
|
bust_spinlocks(1);
|
|
|
|
console_verbose();
|
|
|
|
} else {
|
|
|
|
/* Don't log too much for fake panic */
|
2014-12-04 04:36:45 +07:00
|
|
|
if (atomic_inc_return(&mce_fake_panicked) > 1)
|
2009-07-31 08:41:43 +07:00
|
|
|
return;
|
|
|
|
}
|
2009-05-28 02:56:54 +07:00
|
|
|
/* First print corrected ones that are still unlogged */
|
2005-04-17 05:20:36 +07:00
|
|
|
for (i = 0; i < MCE_LOG_LEN; i++) {
|
2009-05-28 02:56:54 +07:00
|
|
|
struct mce *m = &mcelog.entry[i];
|
2009-06-11 14:04:35 +07:00
|
|
|
if (!(m->status & MCI_STATUS_VAL))
|
|
|
|
continue;
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
if (!(m->status & MCI_STATUS_UC)) {
|
2009-06-11 14:04:35 +07:00
|
|
|
print_mce(m);
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
if (!apei_err)
|
|
|
|
apei_err = apei_write_mce(m);
|
|
|
|
}
|
2009-05-28 02:56:54 +07:00
|
|
|
}
|
|
|
|
/* Now print uncorrected but with the final one last */
|
|
|
|
for (i = 0; i < MCE_LOG_LEN; i++) {
|
|
|
|
struct mce *m = &mcelog.entry[i];
|
|
|
|
if (!(m->status & MCI_STATUS_VAL))
|
2005-04-17 05:20:36 +07:00
|
|
|
continue;
|
2009-06-11 14:04:35 +07:00
|
|
|
if (!(m->status & MCI_STATUS_UC))
|
|
|
|
continue;
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
if (!final || memcmp(m, final, sizeof(struct mce))) {
|
2009-06-11 14:04:35 +07:00
|
|
|
print_mce(m);
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
if (!apei_err)
|
|
|
|
apei_err = apei_write_mce(m);
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
if (final) {
|
2009-06-11 14:04:35 +07:00
|
|
|
print_mce(final);
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
if (!apei_err)
|
|
|
|
apei_err = apei_write_mce(final);
|
|
|
|
}
|
2009-05-28 02:56:55 +07:00
|
|
|
if (cpu_missing)
|
2010-06-08 13:35:39 +07:00
|
|
|
pr_emerg(HW_ERR "Some CPUs didn't answer in synchronization\n");
|
2009-05-28 02:56:55 +07:00
|
|
|
if (exp)
|
2010-06-08 13:35:39 +07:00
|
|
|
pr_emerg(HW_ERR "Machine check: %s\n", exp);
|
2009-07-31 08:41:43 +07:00
|
|
|
if (!fake_panic) {
|
|
|
|
if (panic_timeout == 0)
|
2012-10-16 01:25:17 +07:00
|
|
|
panic_timeout = mca_cfg.panic_timeout;
|
2009-07-31 08:41:43 +07:00
|
|
|
panic(msg);
|
|
|
|
} else
|
2010-06-08 13:35:39 +07:00
|
|
|
pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg);
|
2007-10-24 03:37:23 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2009-04-30 00:31:00 +07:00
|
|
|
/* Support code for software error injection */
|
|
|
|
|
|
|
|
static int msr_to_offset(u32 msr)
|
|
|
|
{
|
2010-12-18 22:28:55 +07:00
|
|
|
unsigned bank = __this_cpu_read(injectm.bank);
|
2009-10-01 21:14:32 +07:00
|
|
|
|
2012-10-16 00:59:18 +07:00
|
|
|
if (msr == mca_cfg.rip_msr)
|
2009-04-30 00:31:00 +07:00
|
|
|
return offsetof(struct mce, ip);
|
2009-07-09 05:31:44 +07:00
|
|
|
if (msr == MSR_IA32_MCx_STATUS(bank))
|
2009-04-30 00:31:00 +07:00
|
|
|
return offsetof(struct mce, status);
|
2009-07-09 05:31:44 +07:00
|
|
|
if (msr == MSR_IA32_MCx_ADDR(bank))
|
2009-04-30 00:31:00 +07:00
|
|
|
return offsetof(struct mce, addr);
|
2009-07-09 05:31:44 +07:00
|
|
|
if (msr == MSR_IA32_MCx_MISC(bank))
|
2009-04-30 00:31:00 +07:00
|
|
|
return offsetof(struct mce, misc);
|
|
|
|
if (msr == MSR_IA32_MCG_STATUS)
|
|
|
|
return offsetof(struct mce, mcgstatus);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2009-04-30 00:29:12 +07:00
|
|
|
/* MSR access wrappers used for error injection */
|
|
|
|
static u64 mce_rdmsrl(u32 msr)
|
|
|
|
{
|
|
|
|
u64 v;
|
2009-09-23 22:49:55 +07:00
|
|
|
|
2010-12-18 22:28:55 +07:00
|
|
|
if (__this_cpu_read(injectm.finished)) {
|
2009-04-30 00:31:00 +07:00
|
|
|
int offset = msr_to_offset(msr);
|
2009-09-23 22:49:55 +07:00
|
|
|
|
2009-04-30 00:31:00 +07:00
|
|
|
if (offset < 0)
|
|
|
|
return 0;
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
return *(u64 *)((char *)this_cpu_ptr(&injectm) + offset);
|
2009-04-30 00:31:00 +07:00
|
|
|
}
|
2009-09-23 22:49:55 +07:00
|
|
|
|
|
|
|
if (rdmsrl_safe(msr, &v)) {
|
|
|
|
WARN_ONCE(1, "mce: Unable to read msr %d!\n", msr);
|
|
|
|
/*
|
|
|
|
* Return zero in case the access faulted. This should
|
|
|
|
* not happen normally but can happen if the CPU does
|
|
|
|
* something weird, or if the code is buggy.
|
|
|
|
*/
|
|
|
|
v = 0;
|
|
|
|
}
|
|
|
|
|
2009-04-30 00:29:12 +07:00
|
|
|
return v;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void mce_wrmsrl(u32 msr, u64 v)
|
|
|
|
{
|
2010-12-18 22:28:55 +07:00
|
|
|
if (__this_cpu_read(injectm.finished)) {
|
2009-04-30 00:31:00 +07:00
|
|
|
int offset = msr_to_offset(msr);
|
2009-09-23 22:49:55 +07:00
|
|
|
|
2009-04-30 00:31:00 +07:00
|
|
|
if (offset >= 0)
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
*(u64 *)((char *)this_cpu_ptr(&injectm) + offset) = v;
|
2009-04-30 00:31:00 +07:00
|
|
|
return;
|
|
|
|
}
|
2009-04-30 00:29:12 +07:00
|
|
|
wrmsrl(msr, v);
|
|
|
|
}
|
|
|
|
|
2011-06-08 08:57:46 +07:00
|
|
|
/*
|
|
|
|
* Collect all global (w.r.t. this processor) status about this machine
|
|
|
|
* check into our "mce" struct so that we can use it later to assess
|
|
|
|
* the severity of the problem as we read per-bank specific details.
|
|
|
|
*/
|
|
|
|
static inline void mce_gather_info(struct mce *m, struct pt_regs *regs)
|
|
|
|
{
|
|
|
|
mce_setup(m);
|
|
|
|
|
|
|
|
m->mcgstatus = mce_rdmsrl(MSR_IA32_MCG_STATUS);
|
|
|
|
if (regs) {
|
|
|
|
/*
|
|
|
|
* Get the address of the instruction at the time of
|
|
|
|
* the machine check error.
|
|
|
|
*/
|
|
|
|
if (m->mcgstatus & (MCG_STATUS_RIPV|MCG_STATUS_EIPV)) {
|
|
|
|
m->ip = regs->ip;
|
|
|
|
m->cs = regs->cs;
|
2010-11-19 19:16:22 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* When in VM86 mode make the cs look like ring 3
|
|
|
|
* always. This is a lie, but it's better than passing
|
|
|
|
* the additional vm86 bit around everywhere.
|
|
|
|
*/
|
|
|
|
if (v8086_mode(regs))
|
|
|
|
m->cs |= 3;
|
2011-06-08 08:57:46 +07:00
|
|
|
}
|
|
|
|
/* Use accurate RIP reporting if available. */
|
2012-10-16 00:59:18 +07:00
|
|
|
if (mca_cfg.rip_msr)
|
|
|
|
m->ip = mce_rdmsrl(mca_cfg.rip_msr);
|
2011-06-08 08:57:46 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-02-12 19:49:36 +07:00
|
|
|
int mce_available(struct cpuinfo_x86 *c)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2012-10-17 17:05:33 +07:00
|
|
|
if (mca_cfg.disabled)
|
2009-02-12 19:39:30 +07:00
|
|
|
return 0;
|
2006-03-24 18:15:11 +07:00
|
|
|
return cpu_has(c, X86_FEATURE_MCE) && cpu_has(c, X86_FEATURE_MCA);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
static void mce_schedule_work(void)
|
|
|
|
{
|
2015-08-12 23:29:36 +07:00
|
|
|
if (!mce_gen_pool_empty() && keventd_up())
|
2015-08-12 23:29:35 +07:00
|
|
|
schedule_work(&mce_work);
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
}
|
|
|
|
|
2011-06-08 08:56:02 +07:00
|
|
|
static void mce_irq_work_cb(struct irq_work *entry)
|
2009-05-28 02:56:54 +07:00
|
|
|
{
|
2009-05-28 02:56:58 +07:00
|
|
|
mce_notify_irq();
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
mce_schedule_work();
|
2009-05-28 02:56:54 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
static void mce_report_event(struct pt_regs *regs)
|
|
|
|
{
|
|
|
|
if (regs->flags & (X86_VM_MASK|X86_EFLAGS_IF)) {
|
2009-05-28 02:56:58 +07:00
|
|
|
mce_notify_irq();
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
/*
|
|
|
|
* Triggering the work queue here is just an insurance
|
|
|
|
* policy in case the syscall exit notify handler
|
|
|
|
* doesn't run soon enough or ends up running on the
|
|
|
|
* wrong CPU (can happen when audit sleeps)
|
|
|
|
*/
|
|
|
|
mce_schedule_work();
|
2009-05-28 02:56:54 +07:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2015-08-12 23:29:35 +07:00
|
|
|
irq_work_queue(&mce_irq_work);
|
2009-05-28 02:56:54 +07:00
|
|
|
}
|
|
|
|
|
2015-08-12 23:29:36 +07:00
|
|
|
static int srao_decode_notifier(struct notifier_block *nb, unsigned long val,
|
|
|
|
void *data)
|
|
|
|
{
|
|
|
|
struct mce *mce = (struct mce *)data;
|
|
|
|
unsigned long pfn;
|
|
|
|
|
|
|
|
if (!mce)
|
|
|
|
return NOTIFY_DONE;
|
|
|
|
|
|
|
|
if (mce->usable_addr && (mce->severity == MCE_AO_SEVERITY)) {
|
|
|
|
pfn = mce->addr >> PAGE_SHIFT;
|
|
|
|
memory_failure(pfn, MCE_VECTOR, 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
return NOTIFY_OK;
|
2009-05-28 02:56:54 +07:00
|
|
|
}
|
2015-08-12 23:29:36 +07:00
|
|
|
static struct notifier_block mce_srao_nb = {
|
|
|
|
.notifier_call = srao_decode_notifier,
|
|
|
|
.priority = INT_MAX,
|
|
|
|
};
|
2009-05-28 02:56:54 +07:00
|
|
|
|
2011-12-14 00:48:13 +07:00
|
|
|
/*
|
|
|
|
* Read ADDR and MISC registers.
|
|
|
|
*/
|
|
|
|
static void mce_read_aux(struct mce *m, int i)
|
|
|
|
{
|
|
|
|
if (m->status & MCI_STATUS_MISCV)
|
|
|
|
m->misc = mce_rdmsrl(MSR_IA32_MCx_MISC(i));
|
|
|
|
if (m->status & MCI_STATUS_ADDRV) {
|
|
|
|
m->addr = mce_rdmsrl(MSR_IA32_MCx_ADDR(i));
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Mask the reported address by the reported granularity.
|
|
|
|
*/
|
2012-10-17 17:05:33 +07:00
|
|
|
if (mca_cfg.ser && (m->status & MCI_STATUS_MISCV)) {
|
2011-12-14 00:48:13 +07:00
|
|
|
u8 shift = MCI_MISC_ADDR_LSB(m->misc);
|
|
|
|
m->addr >>= shift;
|
|
|
|
m->addr <<= shift;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
x86, mce: Support memory error recovery for both UCNA and Deferred error in machine_check_poll
Uncorrected no action required (UCNA) - is a uncorrected recoverable
machine check error that is not signaled via a machine check exception
and, instead, is reported to system software as a corrected machine
check error. UCNA errors indicate that some data in the system is
corrupted, but the data has not been consumed and the processor state
is valid and you may continue execution on this processor. UCNA errors
require no action from system software to continue execution. Note that
UCNA errors are supported by the processor only when IA32_MCG_CAP[24]
(MCG_SER_P) is set.
-- Intel SDM Volume 3B
Deferred errors are errors that cannot be corrected by hardware, but
do not cause an immediate interruption in program flow, loss of data
integrity, or corruption of processor state. These errors indicate
that data has been corrupted but not consumed. Hardware writes information
to the status and address registers in the corresponding bank that
identifies the source of the error if deferred errors are enabled for
logging. Deferred errors are not reported via machine check exceptions;
they can be seen by polling the MCi_STATUS registers.
-- AMD64 APM Volume 2
Above two items, both UCNA and Deferred errors belong to detected
errors, but they can't be corrected by hardware, and this is very
similar to Software Recoverable Action Optional (SRAO) errors.
Therefore, we can take some actions that have been used for handling
SRAO errors to handle UCNA and Deferred errors.
Acked-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Chen Yucong <slaoub@gmail.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2014-11-18 09:09:20 +07:00
|
|
|
static bool memory_error(struct mce *m)
|
|
|
|
{
|
|
|
|
struct cpuinfo_x86 *c = &boot_cpu_data;
|
|
|
|
|
|
|
|
if (c->x86_vendor == X86_VENDOR_AMD) {
|
|
|
|
/*
|
|
|
|
* coming soon
|
|
|
|
*/
|
|
|
|
return false;
|
|
|
|
} else if (c->x86_vendor == X86_VENDOR_INTEL) {
|
|
|
|
/*
|
|
|
|
* Intel SDM Volume 3B - 15.9.2 Compound Error Codes
|
|
|
|
*
|
|
|
|
* Bit 7 of the MCACOD field of IA32_MCi_STATUS is used for
|
|
|
|
* indicating a memory error. Bit 8 is used for indicating a
|
|
|
|
* cache hierarchy error. The combination of bit 2 and bit 3
|
|
|
|
* is used for indicating a `generic' cache hierarchy error
|
|
|
|
* But we can't just blindly check the above bits, because if
|
|
|
|
* bit 11 is set, then it is a bus/interconnect error - and
|
|
|
|
* either way the above bits just gives more detail on what
|
|
|
|
* bus/interconnect error happened. Note that bit 12 can be
|
|
|
|
* ignored, as it's the "filter" bit.
|
|
|
|
*/
|
|
|
|
return (m->status & 0xef80) == BIT(7) ||
|
|
|
|
(m->status & 0xef00) == BIT(8) ||
|
|
|
|
(m->status & 0xeffc) == 0xc;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2009-05-28 02:56:57 +07:00
|
|
|
DEFINE_PER_CPU(unsigned, mce_poll_count);
|
|
|
|
|
2007-10-24 03:37:23 +07:00
|
|
|
/*
|
2009-02-12 19:43:23 +07:00
|
|
|
* Poll for corrected events or events that happened before reset.
|
|
|
|
* Those are just logged through /dev/mcelog.
|
|
|
|
*
|
|
|
|
* This is executed in standard interrupt context.
|
2009-05-28 02:56:57 +07:00
|
|
|
*
|
|
|
|
* Note: spec recommends to panic for fatal unsignalled
|
|
|
|
* errors here. However this would be quite problematic --
|
|
|
|
* we would need to reimplement the Monarch handling and
|
|
|
|
* it would mess up the exclusion between exception handler
|
|
|
|
* and poll hander -- * so we skip this for now.
|
|
|
|
* These cases should not happen anyways, or only when the CPU
|
|
|
|
* is already totally * confused. In this case it's likely it will
|
|
|
|
* not fully execute the machine check handler either.
|
2009-02-12 19:43:23 +07:00
|
|
|
*/
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
bool machine_check_poll(enum mcp_flags flags, mce_banks_t *b)
|
2009-02-12 19:43:23 +07:00
|
|
|
{
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
bool error_logged = false;
|
2009-02-12 19:43:23 +07:00
|
|
|
struct mce m;
|
x86, mce: Support memory error recovery for both UCNA and Deferred error in machine_check_poll
Uncorrected no action required (UCNA) - is a uncorrected recoverable
machine check error that is not signaled via a machine check exception
and, instead, is reported to system software as a corrected machine
check error. UCNA errors indicate that some data in the system is
corrupted, but the data has not been consumed and the processor state
is valid and you may continue execution on this processor. UCNA errors
require no action from system software to continue execution. Note that
UCNA errors are supported by the processor only when IA32_MCG_CAP[24]
(MCG_SER_P) is set.
-- Intel SDM Volume 3B
Deferred errors are errors that cannot be corrected by hardware, but
do not cause an immediate interruption in program flow, loss of data
integrity, or corruption of processor state. These errors indicate
that data has been corrupted but not consumed. Hardware writes information
to the status and address registers in the corresponding bank that
identifies the source of the error if deferred errors are enabled for
logging. Deferred errors are not reported via machine check exceptions;
they can be seen by polling the MCi_STATUS registers.
-- AMD64 APM Volume 2
Above two items, both UCNA and Deferred errors belong to detected
errors, but they can't be corrected by hardware, and this is very
similar to Software Recoverable Action Optional (SRAO) errors.
Therefore, we can take some actions that have been used for handling
SRAO errors to handle UCNA and Deferred errors.
Acked-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Chen Yucong <slaoub@gmail.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2014-11-18 09:09:20 +07:00
|
|
|
int severity;
|
2009-02-12 19:43:23 +07:00
|
|
|
int i;
|
|
|
|
|
2012-05-11 14:35:27 +07:00
|
|
|
this_cpu_inc(mce_poll_count);
|
2009-05-28 02:56:57 +07:00
|
|
|
|
2011-06-08 08:57:46 +07:00
|
|
|
mce_gather_info(&m, NULL);
|
2009-02-12 19:43:23 +07:00
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
for (i = 0; i < mca_cfg.banks; i++) {
|
2009-07-09 05:31:43 +07:00
|
|
|
if (!mce_banks[i].ctl || !test_bit(i, *b))
|
2009-02-12 19:43:23 +07:00
|
|
|
continue;
|
|
|
|
|
|
|
|
m.misc = 0;
|
|
|
|
m.addr = 0;
|
|
|
|
m.bank = i;
|
|
|
|
m.tsc = 0;
|
|
|
|
|
|
|
|
barrier();
|
2009-07-09 05:31:44 +07:00
|
|
|
m.status = mce_rdmsrl(MSR_IA32_MCx_STATUS(i));
|
2009-02-12 19:43:23 +07:00
|
|
|
if (!(m.status & MCI_STATUS_VAL))
|
|
|
|
continue;
|
|
|
|
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
|
2009-02-12 19:43:23 +07:00
|
|
|
/*
|
2009-05-28 02:56:57 +07:00
|
|
|
* Uncorrected or signalled events are handled by the exception
|
|
|
|
* handler when it is enabled, so don't process those here.
|
2009-02-12 19:43:23 +07:00
|
|
|
*
|
|
|
|
* TBD do the same check for MCI_STATUS_EN here?
|
|
|
|
*/
|
2009-05-28 02:56:57 +07:00
|
|
|
if (!(flags & MCP_UC) &&
|
2012-10-17 17:05:33 +07:00
|
|
|
(m.status & (mca_cfg.ser ? MCI_STATUS_S : MCI_STATUS_UC)))
|
2009-02-12 19:43:23 +07:00
|
|
|
continue;
|
|
|
|
|
2011-12-14 00:48:13 +07:00
|
|
|
mce_read_aux(&m, i);
|
2009-02-12 19:43:23 +07:00
|
|
|
|
|
|
|
if (!(flags & MCP_TIMESTAMP))
|
|
|
|
m.tsc = 0;
|
x86, mce: Support memory error recovery for both UCNA and Deferred error in machine_check_poll
Uncorrected no action required (UCNA) - is a uncorrected recoverable
machine check error that is not signaled via a machine check exception
and, instead, is reported to system software as a corrected machine
check error. UCNA errors indicate that some data in the system is
corrupted, but the data has not been consumed and the processor state
is valid and you may continue execution on this processor. UCNA errors
require no action from system software to continue execution. Note that
UCNA errors are supported by the processor only when IA32_MCG_CAP[24]
(MCG_SER_P) is set.
-- Intel SDM Volume 3B
Deferred errors are errors that cannot be corrected by hardware, but
do not cause an immediate interruption in program flow, loss of data
integrity, or corruption of processor state. These errors indicate
that data has been corrupted but not consumed. Hardware writes information
to the status and address registers in the corresponding bank that
identifies the source of the error if deferred errors are enabled for
logging. Deferred errors are not reported via machine check exceptions;
they can be seen by polling the MCi_STATUS registers.
-- AMD64 APM Volume 2
Above two items, both UCNA and Deferred errors belong to detected
errors, but they can't be corrected by hardware, and this is very
similar to Software Recoverable Action Optional (SRAO) errors.
Therefore, we can take some actions that have been used for handling
SRAO errors to handle UCNA and Deferred errors.
Acked-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Chen Yucong <slaoub@gmail.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2014-11-18 09:09:20 +07:00
|
|
|
|
|
|
|
severity = mce_severity(&m, mca_cfg.tolerant, NULL, false);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* In the cases where we don't have a valid address after all,
|
|
|
|
* do not add it into the ring buffer.
|
|
|
|
*/
|
|
|
|
if (severity == MCE_DEFERRED_SEVERITY && memory_error(&m)) {
|
|
|
|
if (m.status & MCI_STATUS_ADDRV) {
|
2015-08-12 23:29:36 +07:00
|
|
|
m.severity = severity;
|
|
|
|
m.usable_addr = mce_usable_address(&m);
|
|
|
|
|
|
|
|
if (!mce_gen_pool_add(&m))
|
|
|
|
mce_schedule_work();
|
x86, mce: Support memory error recovery for both UCNA and Deferred error in machine_check_poll
Uncorrected no action required (UCNA) - is a uncorrected recoverable
machine check error that is not signaled via a machine check exception
and, instead, is reported to system software as a corrected machine
check error. UCNA errors indicate that some data in the system is
corrupted, but the data has not been consumed and the processor state
is valid and you may continue execution on this processor. UCNA errors
require no action from system software to continue execution. Note that
UCNA errors are supported by the processor only when IA32_MCG_CAP[24]
(MCG_SER_P) is set.
-- Intel SDM Volume 3B
Deferred errors are errors that cannot be corrected by hardware, but
do not cause an immediate interruption in program flow, loss of data
integrity, or corruption of processor state. These errors indicate
that data has been corrupted but not consumed. Hardware writes information
to the status and address registers in the corresponding bank that
identifies the source of the error if deferred errors are enabled for
logging. Deferred errors are not reported via machine check exceptions;
they can be seen by polling the MCi_STATUS registers.
-- AMD64 APM Volume 2
Above two items, both UCNA and Deferred errors belong to detected
errors, but they can't be corrected by hardware, and this is very
similar to Software Recoverable Action Optional (SRAO) errors.
Therefore, we can take some actions that have been used for handling
SRAO errors to handle UCNA and Deferred errors.
Acked-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Chen Yucong <slaoub@gmail.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
2014-11-18 09:09:20 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-02-12 19:43:23 +07:00
|
|
|
/*
|
|
|
|
* Don't get the IP here because it's unlikely to
|
|
|
|
* have anything to do with the actual error location.
|
|
|
|
*/
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
if (!(flags & MCP_DONTLOG) && !mca_cfg.dont_log_ce) {
|
|
|
|
error_logged = true;
|
2009-04-07 22:06:55 +07:00
|
|
|
mce_log(&m);
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
}
|
2009-02-12 19:43:23 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Clear state for this bank.
|
|
|
|
*/
|
2009-07-09 05:31:44 +07:00
|
|
|
mce_wrmsrl(MSR_IA32_MCx_STATUS(i), 0);
|
2009-02-12 19:43:23 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Don't clear MCG_STATUS here because it's only defined for
|
|
|
|
* exceptions.
|
|
|
|
*/
|
2009-05-28 02:56:51 +07:00
|
|
|
|
|
|
|
sync_core();
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
|
|
|
|
return error_logged;
|
2009-02-12 19:43:23 +07:00
|
|
|
}
|
2009-04-30 00:31:00 +07:00
|
|
|
EXPORT_SYMBOL_GPL(machine_check_poll);
|
2009-02-12 19:43:23 +07:00
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
/*
|
|
|
|
* Do a quick check if any of the events requires a panic.
|
|
|
|
* This decides if we keep the events around or clear them.
|
|
|
|
*/
|
2012-07-20 01:28:46 +07:00
|
|
|
static int mce_no_way_out(struct mce *m, char **msg, unsigned long *validp,
|
|
|
|
struct pt_regs *regs)
|
2009-05-28 02:56:55 +07:00
|
|
|
{
|
2012-04-19 05:19:40 +07:00
|
|
|
int i, ret = 0;
|
2015-05-18 15:07:17 +07:00
|
|
|
char *tmp;
|
2009-05-28 02:56:55 +07:00
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
for (i = 0; i < mca_cfg.banks; i++) {
|
2009-07-09 05:31:44 +07:00
|
|
|
m->status = mce_rdmsrl(MSR_IA32_MCx_STATUS(i));
|
2012-07-20 01:28:46 +07:00
|
|
|
if (m->status & MCI_STATUS_VAL) {
|
2012-04-19 05:19:40 +07:00
|
|
|
__set_bit(i, validp);
|
2012-07-20 01:28:46 +07:00
|
|
|
if (quirk_no_way_out)
|
|
|
|
quirk_no_way_out(i, m, regs);
|
|
|
|
}
|
2015-05-18 15:07:17 +07:00
|
|
|
|
|
|
|
if (mce_severity(m, mca_cfg.tolerant, &tmp, true) >= MCE_PANIC_SEVERITY) {
|
|
|
|
*msg = tmp;
|
2012-04-19 05:19:40 +07:00
|
|
|
ret = 1;
|
2015-05-18 15:07:17 +07:00
|
|
|
}
|
2009-05-28 02:56:55 +07:00
|
|
|
}
|
2012-04-19 05:19:40 +07:00
|
|
|
return ret;
|
2009-05-28 02:56:55 +07:00
|
|
|
}
|
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
/*
|
|
|
|
* Variable to establish order between CPUs while scanning.
|
|
|
|
* Each CPU spins initially until executing is equal its number.
|
|
|
|
*/
|
|
|
|
static atomic_t mce_executing;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Defines order of CPUs on entry. First CPU becomes Monarch.
|
|
|
|
*/
|
|
|
|
static atomic_t mce_callin;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check if a timeout waiting for other CPUs happened.
|
|
|
|
*/
|
2014-12-21 23:18:25 +07:00
|
|
|
static int mce_timed_out(u64 *t, const char *msg)
|
2009-05-28 02:56:55 +07:00
|
|
|
{
|
|
|
|
/*
|
|
|
|
* The others already did panic for some reason.
|
|
|
|
* Bail out like in a timeout.
|
|
|
|
* rmb() to tell the compiler that system_state
|
|
|
|
* might have been modified by someone else.
|
|
|
|
*/
|
|
|
|
rmb();
|
2014-12-04 04:36:45 +07:00
|
|
|
if (atomic_read(&mce_panicked))
|
2009-05-28 02:56:55 +07:00
|
|
|
wait_for_panic();
|
2012-10-16 00:59:18 +07:00
|
|
|
if (!mca_cfg.monarch_timeout)
|
2009-05-28 02:56:55 +07:00
|
|
|
goto out;
|
|
|
|
if ((s64)*t < SPINUNIT) {
|
2014-05-23 16:06:35 +07:00
|
|
|
if (mca_cfg.tolerant <= 1)
|
2014-12-21 23:18:25 +07:00
|
|
|
mce_panic(msg, NULL, NULL);
|
2009-05-28 02:56:55 +07:00
|
|
|
cpu_missing = 1;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
*t -= SPINUNIT;
|
|
|
|
out:
|
|
|
|
touch_nmi_watchdog();
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The Monarch's reign. The Monarch is the CPU who entered
|
|
|
|
* the machine check handler first. It waits for the others to
|
|
|
|
* raise the exception too and then grades them. When any
|
|
|
|
* error is fatal panic. Only then let the others continue.
|
|
|
|
*
|
|
|
|
* The other CPUs entering the MCE handler will be controlled by the
|
|
|
|
* Monarch. They are called Subjects.
|
|
|
|
*
|
|
|
|
* This way we prevent any potential data corruption in a unrecoverable case
|
|
|
|
* and also makes sure always all CPU's errors are examined.
|
|
|
|
*
|
2009-08-26 14:20:36 +07:00
|
|
|
* Also this detects the case of a machine check event coming from outer
|
2009-05-28 02:56:55 +07:00
|
|
|
* space (not detected by any CPUs) In this case some external agent wants
|
|
|
|
* us to shut down, so panic too.
|
|
|
|
*
|
|
|
|
* The other CPUs might still decide to panic if the handler happens
|
|
|
|
* in a unrecoverable place, but in this case the system is in a semi-stable
|
|
|
|
* state and won't corrupt anything by itself. It's ok to let the others
|
|
|
|
* continue for a bit first.
|
|
|
|
*
|
|
|
|
* All the spin loops have timeouts; when a timeout happens a CPU
|
|
|
|
* typically elects itself to be Monarch.
|
|
|
|
*/
|
|
|
|
static void mce_reign(void)
|
|
|
|
{
|
|
|
|
int cpu;
|
|
|
|
struct mce *m = NULL;
|
|
|
|
int global_worst = 0;
|
|
|
|
char *msg = NULL;
|
|
|
|
char *nmsg = NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This CPU is the Monarch and the other CPUs have run
|
|
|
|
* through their handlers.
|
|
|
|
* Grade the severity of the errors of all the CPUs.
|
|
|
|
*/
|
|
|
|
for_each_possible_cpu(cpu) {
|
2012-10-15 23:03:57 +07:00
|
|
|
int severity = mce_severity(&per_cpu(mces_seen, cpu),
|
|
|
|
mca_cfg.tolerant,
|
2014-11-18 09:09:19 +07:00
|
|
|
&nmsg, true);
|
2009-05-28 02:56:55 +07:00
|
|
|
if (severity > global_worst) {
|
|
|
|
msg = nmsg;
|
|
|
|
global_worst = severity;
|
|
|
|
m = &per_cpu(mces_seen, cpu);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Cannot recover? Panic here then.
|
|
|
|
* This dumps all the mces in the log buffer and stops the
|
|
|
|
* other CPUs.
|
|
|
|
*/
|
2012-10-15 23:03:57 +07:00
|
|
|
if (m && global_worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3)
|
2015-02-03 01:30:21 +07:00
|
|
|
mce_panic("Fatal machine check", m, msg);
|
2009-05-28 02:56:55 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* For UC somewhere we let the CPU who detects it handle it.
|
|
|
|
* Also must let continue the others, otherwise the handling
|
|
|
|
* CPU could deadlock on a lock.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* No machine check event found. Must be some external
|
|
|
|
* source or one CPU is hung. Panic.
|
|
|
|
*/
|
2012-10-15 23:03:57 +07:00
|
|
|
if (global_worst <= MCE_KEEP_SEVERITY && mca_cfg.tolerant < 3)
|
2015-02-03 01:30:21 +07:00
|
|
|
mce_panic("Fatal machine check from unknown source", NULL, NULL);
|
2009-05-28 02:56:55 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Now clear all the mces_seen so that they don't reappear on
|
|
|
|
* the next mce.
|
|
|
|
*/
|
|
|
|
for_each_possible_cpu(cpu)
|
|
|
|
memset(&per_cpu(mces_seen, cpu), 0, sizeof(struct mce));
|
|
|
|
}
|
|
|
|
|
|
|
|
static atomic_t global_nwo;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Start of Monarch synchronization. This waits until all CPUs have
|
|
|
|
* entered the exception handler and then determines if any of them
|
|
|
|
* saw a fatal event that requires panic. Then it executes them
|
|
|
|
* in the entry order.
|
|
|
|
* TBD double check parallel CPU hotunplug
|
|
|
|
*/
|
2009-06-15 16:18:43 +07:00
|
|
|
static int mce_start(int *no_way_out)
|
2009-05-28 02:56:55 +07:00
|
|
|
{
|
2009-06-15 16:18:43 +07:00
|
|
|
int order;
|
2009-05-28 02:56:55 +07:00
|
|
|
int cpus = num_online_cpus();
|
2012-10-16 00:59:18 +07:00
|
|
|
u64 timeout = (u64)mca_cfg.monarch_timeout * NSEC_PER_USEC;
|
2009-05-28 02:56:55 +07:00
|
|
|
|
2009-06-15 16:18:43 +07:00
|
|
|
if (!timeout)
|
|
|
|
return -1;
|
2009-05-28 02:56:55 +07:00
|
|
|
|
2009-06-15 16:18:43 +07:00
|
|
|
atomic_add(*no_way_out, &global_nwo);
|
2009-06-15 14:37:07 +07:00
|
|
|
/*
|
|
|
|
* global_nwo should be updated before mce_callin
|
|
|
|
*/
|
|
|
|
smp_wmb();
|
2009-06-21 13:28:22 +07:00
|
|
|
order = atomic_inc_return(&mce_callin);
|
2009-05-28 02:56:55 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Wait for everyone.
|
|
|
|
*/
|
|
|
|
while (atomic_read(&mce_callin) != cpus) {
|
2014-12-21 23:18:25 +07:00
|
|
|
if (mce_timed_out(&timeout,
|
|
|
|
"Timeout: Not all CPUs entered broadcast exception handler")) {
|
2009-05-28 02:56:55 +07:00
|
|
|
atomic_set(&global_nwo, 0);
|
2009-06-15 16:18:43 +07:00
|
|
|
return -1;
|
2009-05-28 02:56:55 +07:00
|
|
|
}
|
|
|
|
ndelay(SPINUNIT);
|
|
|
|
}
|
|
|
|
|
2009-06-15 14:37:07 +07:00
|
|
|
/*
|
|
|
|
* mce_callin should be read before global_nwo
|
|
|
|
*/
|
|
|
|
smp_rmb();
|
2009-05-28 02:56:55 +07:00
|
|
|
|
2009-06-15 16:18:43 +07:00
|
|
|
if (order == 1) {
|
|
|
|
/*
|
|
|
|
* Monarch: Starts executing now, the others wait.
|
|
|
|
*/
|
2009-05-28 02:56:55 +07:00
|
|
|
atomic_set(&mce_executing, 1);
|
2009-06-15 16:18:43 +07:00
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Subject: Now start the scanning loop one by one in
|
|
|
|
* the original callin order.
|
|
|
|
* This way when there are any shared banks it will be
|
|
|
|
* only seen by one CPU before cleared, avoiding duplicates.
|
|
|
|
*/
|
|
|
|
while (atomic_read(&mce_executing) < order) {
|
2014-12-21 23:18:25 +07:00
|
|
|
if (mce_timed_out(&timeout,
|
|
|
|
"Timeout: Subject CPUs unable to finish machine check processing")) {
|
2009-06-15 16:18:43 +07:00
|
|
|
atomic_set(&global_nwo, 0);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
ndelay(SPINUNIT);
|
|
|
|
}
|
2009-05-28 02:56:55 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2009-06-15 16:18:43 +07:00
|
|
|
* Cache the global no_way_out state.
|
2009-05-28 02:56:55 +07:00
|
|
|
*/
|
2009-06-15 16:18:43 +07:00
|
|
|
*no_way_out = atomic_read(&global_nwo);
|
|
|
|
|
|
|
|
return order;
|
2009-05-28 02:56:55 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Synchronize between CPUs after main scanning loop.
|
|
|
|
* This invokes the bulk of the Monarch processing.
|
|
|
|
*/
|
|
|
|
static int mce_end(int order)
|
|
|
|
{
|
|
|
|
int ret = -1;
|
2012-10-16 00:59:18 +07:00
|
|
|
u64 timeout = (u64)mca_cfg.monarch_timeout * NSEC_PER_USEC;
|
2009-05-28 02:56:55 +07:00
|
|
|
|
|
|
|
if (!timeout)
|
|
|
|
goto reset;
|
|
|
|
if (order < 0)
|
|
|
|
goto reset;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Allow others to run.
|
|
|
|
*/
|
|
|
|
atomic_inc(&mce_executing);
|
|
|
|
|
|
|
|
if (order == 1) {
|
|
|
|
/* CHECKME: Can this race with a parallel hotplug? */
|
|
|
|
int cpus = num_online_cpus();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Monarch: Wait for everyone to go through their scanning
|
|
|
|
* loops.
|
|
|
|
*/
|
|
|
|
while (atomic_read(&mce_executing) <= cpus) {
|
2014-12-21 23:18:25 +07:00
|
|
|
if (mce_timed_out(&timeout,
|
|
|
|
"Timeout: Monarch CPU unable to finish machine check processing"))
|
2009-05-28 02:56:55 +07:00
|
|
|
goto reset;
|
|
|
|
ndelay(SPINUNIT);
|
|
|
|
}
|
|
|
|
|
|
|
|
mce_reign();
|
|
|
|
barrier();
|
|
|
|
ret = 0;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Subject: Wait for Monarch to finish.
|
|
|
|
*/
|
|
|
|
while (atomic_read(&mce_executing) != 0) {
|
2014-12-21 23:18:25 +07:00
|
|
|
if (mce_timed_out(&timeout,
|
|
|
|
"Timeout: Monarch CPU did not finish machine check processing"))
|
2009-05-28 02:56:55 +07:00
|
|
|
goto reset;
|
|
|
|
ndelay(SPINUNIT);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Don't reset anything. That's done by the Monarch.
|
|
|
|
*/
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Reset all global state.
|
|
|
|
*/
|
|
|
|
reset:
|
|
|
|
atomic_set(&global_nwo, 0);
|
|
|
|
atomic_set(&mce_callin, 0);
|
|
|
|
barrier();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Let others run again.
|
|
|
|
*/
|
|
|
|
atomic_set(&mce_executing, 0);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
/*
|
|
|
|
* Check if the address reported by the CPU is in a format we can parse.
|
|
|
|
* It would be possible to add code for most other cases, but all would
|
|
|
|
* be somewhat complicated (e.g. segment offset would require an instruction
|
2011-03-18 02:24:16 +07:00
|
|
|
* parser). So only support physical addresses up to page granuality for now.
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
*/
|
|
|
|
static int mce_usable_address(struct mce *m)
|
|
|
|
{
|
|
|
|
if (!(m->status & MCI_STATUS_MISCV) || !(m->status & MCI_STATUS_ADDRV))
|
|
|
|
return 0;
|
2011-06-08 08:56:56 +07:00
|
|
|
if (MCI_MISC_ADDR_LSB(m->misc) > PAGE_SHIFT)
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
return 0;
|
2011-06-08 08:56:56 +07:00
|
|
|
if (MCI_MISC_ADDR_MODE(m->misc) != MCI_MISC_ADDR_PHYS)
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
return 0;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
static void mce_clear_state(unsigned long *toclear)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
for (i = 0; i < mca_cfg.banks; i++) {
|
2009-05-28 02:56:55 +07:00
|
|
|
if (test_bit(i, toclear))
|
2009-07-09 05:31:44 +07:00
|
|
|
mce_wrmsrl(MSR_IA32_MCx_STATUS(i), 0);
|
2009-05-28 02:56:55 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-02-12 19:43:23 +07:00
|
|
|
/*
|
|
|
|
* The actual machine check handler. This only handles real
|
|
|
|
* exceptions when something got corrupted coming in through int 18.
|
|
|
|
*
|
|
|
|
* This is executed in NMI context not subject to normal locking rules. This
|
|
|
|
* implies that most kernel services cannot be safely used. Don't even
|
|
|
|
* think about putting a printk in there!
|
2009-05-28 02:56:55 +07:00
|
|
|
*
|
|
|
|
* On Intel systems this is entered on all CPUs in parallel through
|
|
|
|
* MCE broadcast. However some CPUs might be broken beyond repair,
|
|
|
|
* so be always careful when synchronizing with others.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
2009-04-08 17:31:17 +07:00
|
|
|
void do_machine_check(struct pt_regs *regs, long error_code)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2012-10-17 17:05:33 +07:00
|
|
|
struct mca_config *cfg = &mca_cfg;
|
2009-05-28 02:56:55 +07:00
|
|
|
struct mce m, *final;
|
2005-04-17 05:20:36 +07:00
|
|
|
int i;
|
2009-05-28 02:56:55 +07:00
|
|
|
int worst = 0;
|
|
|
|
int severity;
|
|
|
|
/*
|
|
|
|
* Establish sequential order between the CPUs entering the machine
|
|
|
|
* check handler.
|
|
|
|
*/
|
2009-06-15 16:18:43 +07:00
|
|
|
int order;
|
x86_64: mcelog tolerant level cleanup
Background:
The MCE handler has several paths that it can take, depending on various
conditions of the MCE status and the value of the 'tolerant' knob. The
exact semantics are not well defined and the code is a bit twisty.
Description:
This patch makes the MCE handler's behavior more clear by documenting the
behavior for various 'tolerant' levels. It also fixes or enhances
several small things in the handler. Specifically:
* If RIPV is set it is not safe to restart, so set the 'no way out'
flag rather than the 'kill it' flag.
* Don't panic() on correctable MCEs.
* If the _OVER bit is set *and* the _UC bit is set (meaning possibly
dropped uncorrected errors), set the 'no way out' flag.
* Use EIPV for testing whether an app can be killed (SIGBUS) rather
than RIPV. According to docs, EIPV indicates that the error is
related to the IP, while RIPV simply means the IP is valid to
restart from.
* Don't clear the MCi_STATUS registers until after the panic() path.
This leaves the status bits set after the panic() so clever BIOSes
can find them (and dumb BIOSes can do nothing).
This patch also calls nonseekable_open() in mce_open (as suggested by akpm).
Result:
Tolerant levels behave almost identically to how they always have, but
not it's well defined. There's a slightly higher chance of panic()ing
when multiple errors happen (a good thing, IMHO). If you take an MBE and
panic(), the error status bits are not cleared.
Alternatives:
None.
Testing:
I used software to inject correctable and uncorrectable errors. With
tolerant = 3, the system usually survives. With tolerant = 2, the system
usually panic()s (PCC) but not always. With tolerant = 1, the system
always panic()s. When the system panic()s, the BIOS is able to detect
that the cause of death was an MC4. I was not able to reproduce the
case of a non-PCC error in userspace, with EIPV, with (tolerant < 3).
That will be rare at best.
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:37 +07:00
|
|
|
/*
|
|
|
|
* If no_way_out gets set, there is no safe way to recover from this
|
2012-10-15 23:03:57 +07:00
|
|
|
* MCE. If mca_cfg.tolerant is cranked up, we'll try anyway.
|
x86_64: mcelog tolerant level cleanup
Background:
The MCE handler has several paths that it can take, depending on various
conditions of the MCE status and the value of the 'tolerant' knob. The
exact semantics are not well defined and the code is a bit twisty.
Description:
This patch makes the MCE handler's behavior more clear by documenting the
behavior for various 'tolerant' levels. It also fixes or enhances
several small things in the handler. Specifically:
* If RIPV is set it is not safe to restart, so set the 'no way out'
flag rather than the 'kill it' flag.
* Don't panic() on correctable MCEs.
* If the _OVER bit is set *and* the _UC bit is set (meaning possibly
dropped uncorrected errors), set the 'no way out' flag.
* Use EIPV for testing whether an app can be killed (SIGBUS) rather
than RIPV. According to docs, EIPV indicates that the error is
related to the IP, while RIPV simply means the IP is valid to
restart from.
* Don't clear the MCi_STATUS registers until after the panic() path.
This leaves the status bits set after the panic() so clever BIOSes
can find them (and dumb BIOSes can do nothing).
This patch also calls nonseekable_open() in mce_open (as suggested by akpm).
Result:
Tolerant levels behave almost identically to how they always have, but
not it's well defined. There's a slightly higher chance of panic()ing
when multiple errors happen (a good thing, IMHO). If you take an MBE and
panic(), the error status bits are not cleared.
Alternatives:
None.
Testing:
I used software to inject correctable and uncorrectable errors. With
tolerant = 3, the system usually survives. With tolerant = 2, the system
usually panic()s (PCC) but not always. With tolerant = 1, the system
always panic()s. When the system panic()s, the BIOS is able to detect
that the cause of death was an MC4. I was not able to reproduce the
case of a non-PCC error in userspace, with EIPV, with (tolerant < 3).
That will be rare at best.
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:37 +07:00
|
|
|
*/
|
|
|
|
int no_way_out = 0;
|
|
|
|
/*
|
|
|
|
* If kill_it gets set, there might be a way to recover from this
|
|
|
|
* error.
|
|
|
|
*/
|
|
|
|
int kill_it = 0;
|
2009-02-12 19:43:23 +07:00
|
|
|
DECLARE_BITMAP(toclear, MAX_NR_BANKS);
|
2012-04-19 05:19:40 +07:00
|
|
|
DECLARE_BITMAP(valid_banks, MAX_NR_BANKS);
|
2009-05-28 02:56:55 +07:00
|
|
|
char *msg = "Unknown";
|
2015-01-06 07:44:42 +07:00
|
|
|
u64 recover_paddr = ~0ull;
|
|
|
|
int flags = MF_ACTION_REQUIRED;
|
2015-06-04 23:55:24 +07:00
|
|
|
int lmce = 0;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2015-07-04 02:44:32 +07:00
|
|
|
ist_enter(regs);
|
2014-11-20 08:41:09 +07:00
|
|
|
|
2012-05-11 14:35:27 +07:00
|
|
|
this_cpu_inc(mce_exception_count);
|
2009-05-28 02:56:52 +07:00
|
|
|
|
2012-10-17 17:05:33 +07:00
|
|
|
if (!cfg->banks)
|
2009-05-28 02:56:53 +07:00
|
|
|
goto out;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2011-06-08 08:57:46 +07:00
|
|
|
mce_gather_info(&m, regs);
|
2009-02-12 19:43:22 +07:00
|
|
|
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
final = this_cpu_ptr(&mces_seen);
|
2009-05-28 02:56:55 +07:00
|
|
|
*final = m;
|
|
|
|
|
2012-04-19 05:19:40 +07:00
|
|
|
memset(valid_banks, 0, sizeof(valid_banks));
|
2012-07-20 01:28:46 +07:00
|
|
|
no_way_out = mce_no_way_out(&m, &msg, valid_banks, regs);
|
2009-08-26 14:20:36 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
barrier();
|
|
|
|
|
2009-05-28 02:56:57 +07:00
|
|
|
/*
|
2012-01-04 02:45:45 +07:00
|
|
|
* When no restart IP might need to kill or panic.
|
|
|
|
* Assume the worst for now, but if we find the
|
|
|
|
* severity is MCE_AR_SEVERITY we have other options.
|
2009-05-28 02:56:57 +07:00
|
|
|
*/
|
|
|
|
if (!(m.mcgstatus & MCG_STATUS_RIPV))
|
|
|
|
kill_it = 1;
|
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
/*
|
2015-06-04 23:55:24 +07:00
|
|
|
* Check if this MCE is signaled to only this logical processor
|
2009-05-28 02:56:55 +07:00
|
|
|
*/
|
2015-06-04 23:55:24 +07:00
|
|
|
if (m.mcgstatus & MCG_STATUS_LMCES)
|
|
|
|
lmce = 1;
|
|
|
|
else {
|
|
|
|
/*
|
|
|
|
* Go through all the banks in exclusion of the other CPUs.
|
|
|
|
* This way we don't report duplicated events on shared banks
|
|
|
|
* because the first one to see it will clear it.
|
|
|
|
* If this is a Local MCE, then no need to perform rendezvous.
|
|
|
|
*/
|
|
|
|
order = mce_start(&no_way_out);
|
|
|
|
}
|
|
|
|
|
2012-10-17 17:05:33 +07:00
|
|
|
for (i = 0; i < cfg->banks; i++) {
|
2009-02-12 19:43:23 +07:00
|
|
|
__clear_bit(i, toclear);
|
2012-04-19 05:19:40 +07:00
|
|
|
if (!test_bit(i, valid_banks))
|
|
|
|
continue;
|
2009-07-09 05:31:43 +07:00
|
|
|
if (!mce_banks[i].ctl)
|
2005-04-17 05:20:36 +07:00
|
|
|
continue;
|
2007-10-24 03:37:23 +07:00
|
|
|
|
|
|
|
m.misc = 0;
|
2005-04-17 05:20:36 +07:00
|
|
|
m.addr = 0;
|
|
|
|
m.bank = i;
|
|
|
|
|
2009-07-09 05:31:44 +07:00
|
|
|
m.status = mce_rdmsrl(MSR_IA32_MCx_STATUS(i));
|
2005-04-17 05:20:36 +07:00
|
|
|
if ((m.status & MCI_STATUS_VAL) == 0)
|
|
|
|
continue;
|
|
|
|
|
2009-02-12 19:43:23 +07:00
|
|
|
/*
|
2009-05-28 02:56:57 +07:00
|
|
|
* Non uncorrected or non signaled errors are handled by
|
|
|
|
* machine_check_poll. Leave them alone, unless this panics.
|
2009-02-12 19:43:23 +07:00
|
|
|
*/
|
2012-10-17 17:05:33 +07:00
|
|
|
if (!(m.status & (cfg->ser ? MCI_STATUS_S : MCI_STATUS_UC)) &&
|
2009-05-28 02:56:57 +07:00
|
|
|
!no_way_out)
|
2009-02-12 19:43:23 +07:00
|
|
|
continue;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Set taint even when machine check was not enabled.
|
|
|
|
*/
|
2013-01-21 13:47:39 +07:00
|
|
|
add_taint(TAINT_MACHINE_CHECK, LOCKDEP_NOW_UNRELIABLE);
|
2009-02-12 19:43:23 +07:00
|
|
|
|
2014-11-18 09:09:19 +07:00
|
|
|
severity = mce_severity(&m, cfg->tolerant, NULL, true);
|
2009-02-12 19:43:23 +07:00
|
|
|
|
2009-05-28 02:56:57 +07:00
|
|
|
/*
|
2014-11-18 09:09:19 +07:00
|
|
|
* When machine check was for corrected/deferred handler don't
|
|
|
|
* touch, unless we're panicing.
|
2009-05-28 02:56:57 +07:00
|
|
|
*/
|
2014-11-18 09:09:19 +07:00
|
|
|
if ((severity == MCE_KEEP_SEVERITY ||
|
|
|
|
severity == MCE_UCNA_SEVERITY) && !no_way_out)
|
2009-05-28 02:56:57 +07:00
|
|
|
continue;
|
|
|
|
__set_bit(i, toclear);
|
|
|
|
if (severity == MCE_NO_SEVERITY) {
|
2009-02-12 19:43:23 +07:00
|
|
|
/*
|
|
|
|
* Machine check event was not enabled. Clear, but
|
|
|
|
* ignore.
|
|
|
|
*/
|
|
|
|
continue;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2011-12-14 00:48:13 +07:00
|
|
|
mce_read_aux(&m, i);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2015-08-12 23:29:36 +07:00
|
|
|
/* assuming valid severity level != 0 */
|
|
|
|
m.severity = severity;
|
|
|
|
m.usable_addr = mce_usable_address(&m);
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
|
2009-02-12 19:43:23 +07:00
|
|
|
mce_log(&m);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
if (severity > worst) {
|
|
|
|
*final = m;
|
|
|
|
worst = severity;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-01-04 02:45:45 +07:00
|
|
|
/* mce_clear_state will clear *final, save locally for use later */
|
|
|
|
m = *final;
|
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
if (!no_way_out)
|
|
|
|
mce_clear_state(toclear);
|
|
|
|
|
2009-04-08 17:31:17 +07:00
|
|
|
/*
|
2009-05-28 02:56:55 +07:00
|
|
|
* Do most of the synchronization with other CPUs.
|
|
|
|
* When there's any problem use only local no_way_out state.
|
2009-04-08 17:31:17 +07:00
|
|
|
*/
|
2015-06-04 23:55:24 +07:00
|
|
|
if (!lmce) {
|
|
|
|
if (mce_end(order) < 0)
|
|
|
|
no_way_out = worst >= MCE_PANIC_SEVERITY;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Local MCE skipped calling mce_reign()
|
|
|
|
* If we found a fatal error, we need to panic here.
|
|
|
|
*/
|
|
|
|
if (worst >= MCE_PANIC_SEVERITY && mca_cfg.tolerant < 3)
|
|
|
|
mce_panic("Machine check from unknown source",
|
|
|
|
NULL, NULL);
|
|
|
|
}
|
x86_64: mcelog tolerant level cleanup
Background:
The MCE handler has several paths that it can take, depending on various
conditions of the MCE status and the value of the 'tolerant' knob. The
exact semantics are not well defined and the code is a bit twisty.
Description:
This patch makes the MCE handler's behavior more clear by documenting the
behavior for various 'tolerant' levels. It also fixes or enhances
several small things in the handler. Specifically:
* If RIPV is set it is not safe to restart, so set the 'no way out'
flag rather than the 'kill it' flag.
* Don't panic() on correctable MCEs.
* If the _OVER bit is set *and* the _UC bit is set (meaning possibly
dropped uncorrected errors), set the 'no way out' flag.
* Use EIPV for testing whether an app can be killed (SIGBUS) rather
than RIPV. According to docs, EIPV indicates that the error is
related to the IP, while RIPV simply means the IP is valid to
restart from.
* Don't clear the MCi_STATUS registers until after the panic() path.
This leaves the status bits set after the panic() so clever BIOSes
can find them (and dumb BIOSes can do nothing).
This patch also calls nonseekable_open() in mce_open (as suggested by akpm).
Result:
Tolerant levels behave almost identically to how they always have, but
not it's well defined. There's a slightly higher chance of panic()ing
when multiple errors happen (a good thing, IMHO). If you take an MBE and
panic(), the error status bits are not cleared.
Alternatives:
None.
Testing:
I used software to inject correctable and uncorrectable errors. With
tolerant = 3, the system usually survives. With tolerant = 2, the system
usually panic()s (PCC) but not always. With tolerant = 1, the system
always panic()s. When the system panic()s, the BIOS is able to detect
that the cause of death was an MC4. I was not able to reproduce the
case of a non-PCC error in userspace, with EIPV, with (tolerant < 3).
That will be rare at best.
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:37 +07:00
|
|
|
|
|
|
|
/*
|
2012-01-04 02:45:45 +07:00
|
|
|
* At insane "tolerant" levels we take no action. Otherwise
|
|
|
|
* we only die if we have no other choice. For less serious
|
|
|
|
* issues we try to recover, or limit damage to the current
|
|
|
|
* process.
|
x86_64: mcelog tolerant level cleanup
Background:
The MCE handler has several paths that it can take, depending on various
conditions of the MCE status and the value of the 'tolerant' knob. The
exact semantics are not well defined and the code is a bit twisty.
Description:
This patch makes the MCE handler's behavior more clear by documenting the
behavior for various 'tolerant' levels. It also fixes or enhances
several small things in the handler. Specifically:
* If RIPV is set it is not safe to restart, so set the 'no way out'
flag rather than the 'kill it' flag.
* Don't panic() on correctable MCEs.
* If the _OVER bit is set *and* the _UC bit is set (meaning possibly
dropped uncorrected errors), set the 'no way out' flag.
* Use EIPV for testing whether an app can be killed (SIGBUS) rather
than RIPV. According to docs, EIPV indicates that the error is
related to the IP, while RIPV simply means the IP is valid to
restart from.
* Don't clear the MCi_STATUS registers until after the panic() path.
This leaves the status bits set after the panic() so clever BIOSes
can find them (and dumb BIOSes can do nothing).
This patch also calls nonseekable_open() in mce_open (as suggested by akpm).
Result:
Tolerant levels behave almost identically to how they always have, but
not it's well defined. There's a slightly higher chance of panic()ing
when multiple errors happen (a good thing, IMHO). If you take an MBE and
panic(), the error status bits are not cleared.
Alternatives:
None.
Testing:
I used software to inject correctable and uncorrectable errors. With
tolerant = 3, the system usually survives. With tolerant = 2, the system
usually panic()s (PCC) but not always. With tolerant = 1, the system
always panic()s. When the system panic()s, the BIOS is able to detect
that the cause of death was an MC4. I was not able to reproduce the
case of a non-PCC error in userspace, with EIPV, with (tolerant < 3).
That will be rare at best.
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:37 +07:00
|
|
|
*/
|
2012-10-17 17:05:33 +07:00
|
|
|
if (cfg->tolerant < 3) {
|
2012-01-04 02:45:45 +07:00
|
|
|
if (no_way_out)
|
|
|
|
mce_panic("Fatal machine check on current CPU", &m, msg);
|
|
|
|
if (worst == MCE_AR_SEVERITY) {
|
2015-01-06 07:44:42 +07:00
|
|
|
recover_paddr = m.addr;
|
|
|
|
if (!(m.mcgstatus & MCG_STATUS_RIPV))
|
|
|
|
flags |= MF_MUST_KILL;
|
2012-01-04 02:45:45 +07:00
|
|
|
} else if (kill_it) {
|
|
|
|
force_sig(SIGBUS, current);
|
|
|
|
}
|
|
|
|
}
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
|
2009-05-28 02:56:55 +07:00
|
|
|
if (worst > 0)
|
|
|
|
mce_report_event(regs);
|
2009-04-30 00:29:12 +07:00
|
|
|
mce_wrmsrl(MSR_IA32_MCG_STATUS, 0);
|
2009-05-28 02:56:53 +07:00
|
|
|
out:
|
2009-05-28 02:56:51 +07:00
|
|
|
sync_core();
|
2015-01-06 07:44:42 +07:00
|
|
|
|
|
|
|
if (recover_paddr == ~0ull)
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
pr_err("Uncorrected hardware memory error in user-access at %llx",
|
|
|
|
recover_paddr);
|
|
|
|
/*
|
|
|
|
* We must call memory_failure() here even if the current process is
|
|
|
|
* doomed. We still need to mark the page as poisoned and alert any
|
|
|
|
* other users of the page.
|
|
|
|
*/
|
|
|
|
ist_begin_non_atomic(regs);
|
|
|
|
local_irq_enable();
|
|
|
|
if (memory_failure(recover_paddr >> PAGE_SHIFT, MCE_VECTOR, flags) < 0) {
|
|
|
|
pr_err("Memory error not recovered");
|
|
|
|
force_sig(SIGBUS, current);
|
|
|
|
}
|
|
|
|
local_irq_disable();
|
|
|
|
ist_end_non_atomic();
|
|
|
|
done:
|
2015-07-04 02:44:32 +07:00
|
|
|
ist_exit(regs);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
2009-04-30 00:31:00 +07:00
|
|
|
EXPORT_SYMBOL_GPL(do_machine_check);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2011-12-16 01:48:12 +07:00
|
|
|
#ifndef CONFIG_MEMORY_FAILURE
|
|
|
|
int memory_failure(unsigned long pfn, int vector, int flags)
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
{
|
2012-01-04 02:45:45 +07:00
|
|
|
/* mce_severity() should not hand us an ACTION_REQUIRED error */
|
|
|
|
BUG_ON(flags & MF_ACTION_REQUIRED);
|
2012-05-22 09:50:07 +07:00
|
|
|
pr_err("Uncorrected memory error in page 0x%lx ignored\n"
|
|
|
|
"Rebuild kernel with CONFIG_MEMORY_FAILURE=y for smarter handling\n",
|
|
|
|
pfn);
|
2011-12-16 01:48:12 +07:00
|
|
|
|
|
|
|
return 0;
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
}
|
2011-12-16 01:48:12 +07:00
|
|
|
#endif
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
|
2012-01-04 02:45:45 +07:00
|
|
|
/*
|
|
|
|
* Action optional processing happens here (picking up
|
|
|
|
* from the list of faulting pages that do_machine_check()
|
2015-08-12 23:29:36 +07:00
|
|
|
* placed into the genpool).
|
2012-01-04 02:45:45 +07:00
|
|
|
*/
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
static void mce_process_work(struct work_struct *dummy)
|
|
|
|
{
|
2015-08-12 23:29:36 +07:00
|
|
|
mce_gen_pool_process();
|
x86, mce: support action-optional machine checks
Newer Intel CPUs support a new class of machine checks called recoverable
action optional.
Action Optional means that the CPU detected some form of corruption in
the background and tells the OS about using a machine check
exception. The OS can then take appropiate action, like killing the
process with the corrupted data or logging the event properly to disk.
This is done by the new generic high level memory failure handler added
in a earlier patch. The high level handler takes the address with the
failed memory and does the appropiate action, like killing the process.
In this version of the patch the high level handler is stubbed out
with a weak function to not create a direct dependency on the hwpoison
branch.
The high level handler cannot be directly called from the machine check
exception though, because it has to run in a defined process context to
be able to sleep when taking VM locks (it is not expected to sleep for a
long time, just do so in some exceptional cases like lock contention)
Thus the MCE handler has to queue a work item for process context,
trigger process context and then call the high level handler from there.
This patch adds two path to process context: through a per thread kernel
exit notify_user() callback or through a high priority work item.
The first runs when the process exits back to user space, the other when
it goes to sleep and there is no higher priority process.
The machine check handler will schedule both, and whoever runs first
will grab the event. This is done because quick reaction to this
event is critical to avoid a potential more fatal machine check
when the corruption is consumed.
There is a simple lock less ring buffer to queue the corrupted
addresses between the exception handler and the process context handler.
Then in process context it just calls the high level VM code with
the corrupted PFNs.
The code adds the required code to extract the failed address from
the CPU's machine check registers. It doesn't try to handle all
possible cases -- the specification has 6 different ways to specify
memory address -- but only the linear address.
Most of the required checking has been already done earlier in the
mce_severity rule checking engine. Following the Intel
recommendations Action Optional errors are only enabled for known
situations (encoded in MCACODs). The errors are ignored otherwise,
because they are action optional.
v2: Improve comment, disable preemption while processing ring buffer
(reported by Ying Huang)
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-05-28 02:56:59 +07:00
|
|
|
}
|
|
|
|
|
2006-09-26 15:52:42 +07:00
|
|
|
#ifdef CONFIG_X86_MCE_INTEL
|
|
|
|
/***
|
|
|
|
* mce_log_therm_throt_event - Logs the thermal throttling event to mcelog
|
2007-10-20 06:25:36 +07:00
|
|
|
* @cpu: The CPU on which the event occurred.
|
2006-09-26 15:52:42 +07:00
|
|
|
* @status: Event status information
|
|
|
|
*
|
|
|
|
* This function should be called by the thermal interrupt after the
|
|
|
|
* event has been processed and the decision was made to log the event
|
|
|
|
* further.
|
|
|
|
*
|
|
|
|
* The status parameter will be saved to the 'status' field of 'struct mce'
|
|
|
|
* and historically has been the register value of the
|
|
|
|
* MSR_IA32_THERMAL_STATUS (Intel) msr.
|
|
|
|
*/
|
2009-02-12 19:43:22 +07:00
|
|
|
void mce_log_therm_throt_event(__u64 status)
|
2006-09-26 15:52:42 +07:00
|
|
|
{
|
|
|
|
struct mce m;
|
|
|
|
|
2009-02-12 19:43:22 +07:00
|
|
|
mce_setup(&m);
|
2006-09-26 15:52:42 +07:00
|
|
|
m.bank = MCE_THERMAL_BANK;
|
|
|
|
m.status = status;
|
|
|
|
mce_log(&m);
|
|
|
|
}
|
|
|
|
#endif /* CONFIG_X86_MCE_INTEL */
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/*
|
2007-05-03 00:27:19 +07:00
|
|
|
* Periodic polling timer for "silent" machine check errors. If the
|
|
|
|
* poller finds an MCE, poll 2x faster. When the poller finds no more
|
|
|
|
* errors, poll 2x slower (up to check_interval seconds).
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
static unsigned long check_interval = INITIAL_CHECK_INTERVAL;
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2012-05-25 00:54:51 +07:00
|
|
|
static DEFINE_PER_CPU(unsigned long, mce_next_interval); /* in jiffies */
|
2009-02-12 19:39:29 +07:00
|
|
|
static DEFINE_PER_CPU(struct timer_list, mce_timer);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2012-08-10 01:44:51 +07:00
|
|
|
static unsigned long mce_adjust_timer_default(unsigned long interval)
|
|
|
|
{
|
|
|
|
return interval;
|
|
|
|
}
|
|
|
|
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
static unsigned long (*mce_adjust_timer)(unsigned long interval) = mce_adjust_timer_default;
|
2012-08-10 01:44:51 +07:00
|
|
|
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
static void __restart_timer(struct timer_list *t, unsigned long interval)
|
2014-03-28 08:24:36 +07:00
|
|
|
{
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
unsigned long when = jiffies + interval;
|
|
|
|
unsigned long flags;
|
2014-03-28 08:24:36 +07:00
|
|
|
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
local_irq_save(flags);
|
2014-03-28 08:24:36 +07:00
|
|
|
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
if (timer_pending(t)) {
|
|
|
|
if (time_before(when, t->expires))
|
|
|
|
mod_timer_pinned(t, when);
|
|
|
|
} else {
|
|
|
|
t->expires = round_jiffies(when);
|
|
|
|
add_timer_on(t, smp_processor_id());
|
|
|
|
}
|
|
|
|
|
|
|
|
local_irq_restore(flags);
|
2014-03-28 08:24:36 +07:00
|
|
|
}
|
|
|
|
|
2012-05-25 00:54:51 +07:00
|
|
|
static void mce_timer_fn(unsigned long data)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
struct timer_list *t = this_cpu_ptr(&mce_timer);
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
int cpu = smp_processor_id();
|
2012-05-25 00:54:51 +07:00
|
|
|
unsigned long iv;
|
2009-02-12 19:39:29 +07:00
|
|
|
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
WARN_ON(cpu != data);
|
|
|
|
|
|
|
|
iv = __this_cpu_read(mce_next_interval);
|
2009-02-12 19:39:29 +07:00
|
|
|
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
if (mce_available(this_cpu_ptr(&cpu_info))) {
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
machine_check_poll(MCP_TIMESTAMP, this_cpu_ptr(&mce_poll_banks));
|
|
|
|
|
|
|
|
if (mce_intel_cmci_poll()) {
|
|
|
|
iv = mce_adjust_timer(iv);
|
|
|
|
goto done;
|
|
|
|
}
|
2009-04-08 17:31:17 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/*
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
* Alert userspace if needed. If we logged an MCE, reduce the polling
|
|
|
|
* interval, otherwise increase the polling interval.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
if (mce_notify_irq())
|
2012-06-05 09:35:02 +07:00
|
|
|
iv = max(iv / 2, (unsigned long) HZ/100);
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
else
|
2012-05-25 00:54:51 +07:00
|
|
|
iv = min(iv * 2, round_jiffies_relative(check_interval * HZ));
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
|
|
|
|
done:
|
2012-05-25 00:54:51 +07:00
|
|
|
__this_cpu_write(mce_next_interval, iv);
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
__restart_timer(t, iv);
|
2012-08-10 01:44:51 +07:00
|
|
|
}
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
|
2012-08-10 01:44:51 +07:00
|
|
|
/*
|
|
|
|
* Ensure that the timer is firing in @interval from now.
|
|
|
|
*/
|
|
|
|
void mce_timer_kick(unsigned long interval)
|
|
|
|
{
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
struct timer_list *t = this_cpu_ptr(&mce_timer);
|
2012-08-10 01:44:51 +07:00
|
|
|
unsigned long iv = __this_cpu_read(mce_next_interval);
|
|
|
|
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
__restart_timer(t, interval);
|
|
|
|
|
2012-08-10 01:44:51 +07:00
|
|
|
if (interval < iv)
|
|
|
|
__this_cpu_write(mce_next_interval, interval);
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
}
|
|
|
|
|
2011-06-17 15:40:36 +07:00
|
|
|
/* Must not be called in IRQ context where del_timer_sync() can deadlock */
|
|
|
|
static void mce_timer_delete_all(void)
|
|
|
|
{
|
|
|
|
int cpu;
|
|
|
|
|
|
|
|
for_each_online_cpu(cpu)
|
|
|
|
del_timer_sync(&per_cpu(mce_timer, cpu));
|
|
|
|
}
|
|
|
|
|
2009-02-12 19:39:28 +07:00
|
|
|
static void mce_do_trigger(struct work_struct *work)
|
|
|
|
{
|
2009-06-15 15:20:57 +07:00
|
|
|
call_usermodehelper(mce_helper, mce_helper_argv, NULL, UMH_NO_WAIT);
|
2009-02-12 19:39:28 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
static DECLARE_WORK(mce_trigger_work, mce_do_trigger);
|
|
|
|
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
/*
|
2009-02-12 19:39:28 +07:00
|
|
|
* Notify the user(s) about new machine check events.
|
|
|
|
* Can be called from interrupt context, but not from machine check/NMI
|
|
|
|
* context.
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
*/
|
2009-05-28 02:56:58 +07:00
|
|
|
int mce_notify_irq(void)
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
{
|
2009-02-12 19:49:33 +07:00
|
|
|
/* Not more than two messages every minute */
|
|
|
|
static DEFINE_RATELIMIT_STATE(ratelimit, 60*HZ, 2);
|
|
|
|
|
2009-06-15 15:20:57 +07:00
|
|
|
if (test_and_clear_bit(0, &mce_need_notify)) {
|
2011-06-08 09:00:45 +07:00
|
|
|
/* wake processes polling /dev/mcelog */
|
|
|
|
wake_up_interruptible(&mce_chrdev_wait);
|
2009-02-12 19:39:28 +07:00
|
|
|
|
2012-12-22 08:57:05 +07:00
|
|
|
if (mce_helper[0])
|
2009-02-12 19:39:28 +07:00
|
|
|
schedule_work(&mce_trigger_work);
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
|
2009-02-12 19:49:33 +07:00
|
|
|
if (__ratelimit(&ratelimit))
|
2010-06-08 13:35:39 +07:00
|
|
|
pr_info(HW_ERR "Machine check events logged\n");
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
|
|
|
|
return 1;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
return 0;
|
|
|
|
}
|
2009-05-28 02:56:58 +07:00
|
|
|
EXPORT_SYMBOL_GPL(mce_notify_irq);
|
2007-05-03 00:27:19 +07:00
|
|
|
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static int __mcheck_cpu_mce_banks_init(void)
|
2009-07-09 05:31:43 +07:00
|
|
|
{
|
|
|
|
int i;
|
2012-10-15 23:03:57 +07:00
|
|
|
u8 num_banks = mca_cfg.banks;
|
2009-07-09 05:31:43 +07:00
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
mce_banks = kzalloc(num_banks * sizeof(struct mce_bank), GFP_KERNEL);
|
2009-07-09 05:31:43 +07:00
|
|
|
if (!mce_banks)
|
|
|
|
return -ENOMEM;
|
2012-10-15 23:03:57 +07:00
|
|
|
|
|
|
|
for (i = 0; i < num_banks; i++) {
|
2009-07-09 05:31:43 +07:00
|
|
|
struct mce_bank *b = &mce_banks[i];
|
2009-09-23 22:49:55 +07:00
|
|
|
|
2009-07-09 05:31:43 +07:00
|
|
|
b->ctl = -1ULL;
|
|
|
|
b->init = 1;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-10-24 03:37:23 +07:00
|
|
|
/*
|
2005-04-17 05:20:36 +07:00
|
|
|
* Initialize Machine Checks for a CPU.
|
|
|
|
*/
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static int __mcheck_cpu_cap_init(void)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2009-02-18 05:07:13 +07:00
|
|
|
unsigned b;
|
2009-04-08 17:31:17 +07:00
|
|
|
u64 cap;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
rdmsrl(MSR_IA32_MCG_CAP, cap);
|
2009-04-08 17:31:24 +07:00
|
|
|
|
|
|
|
b = cap & MCG_BANKCNT_MASK;
|
2012-10-15 23:03:57 +07:00
|
|
|
if (!mca_cfg.banks)
|
2012-05-22 09:50:07 +07:00
|
|
|
pr_info("CPU supports %d MCE banks\n", b);
|
2009-04-08 17:31:27 +07:00
|
|
|
|
2009-02-18 05:07:13 +07:00
|
|
|
if (b > MAX_NR_BANKS) {
|
2012-05-22 09:50:07 +07:00
|
|
|
pr_warn("Using only %u machine check banks out of %u\n",
|
2009-02-18 05:07:13 +07:00
|
|
|
MAX_NR_BANKS, b);
|
|
|
|
b = MAX_NR_BANKS;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Don't support asymmetric configurations today */
|
2012-10-15 23:03:57 +07:00
|
|
|
WARN_ON(mca_cfg.banks != 0 && b != mca_cfg.banks);
|
|
|
|
mca_cfg.banks = b;
|
|
|
|
|
2009-07-09 05:31:43 +07:00
|
|
|
if (!mce_banks) {
|
2009-11-12 13:52:40 +07:00
|
|
|
int err = __mcheck_cpu_mce_banks_init();
|
2009-09-23 22:49:55 +07:00
|
|
|
|
2009-07-09 05:31:43 +07:00
|
|
|
if (err)
|
|
|
|
return err;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
2009-02-18 05:07:13 +07:00
|
|
|
|
2005-04-17 05:25:09 +07:00
|
|
|
/* Use accurate RIP reporting if available. */
|
2009-04-08 17:31:24 +07:00
|
|
|
if ((cap & MCG_EXT_P) && MCG_EXT_CNT(cap) >= 9)
|
2012-10-16 00:59:18 +07:00
|
|
|
mca_cfg.rip_msr = MSR_IA32_MCG_EIP;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2009-05-28 02:56:57 +07:00
|
|
|
if (cap & MCG_SER_P)
|
2012-10-17 17:05:33 +07:00
|
|
|
mca_cfg.ser = true;
|
2009-05-28 02:56:57 +07:00
|
|
|
|
2009-02-18 05:07:13 +07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2009-10-16 17:31:32 +07:00
|
|
|
static void __mcheck_cpu_init_generic(void)
|
2009-02-18 05:07:13 +07:00
|
|
|
{
|
2012-10-16 00:59:18 +07:00
|
|
|
enum mcp_flags m_fl = 0;
|
2009-04-08 17:31:17 +07:00
|
|
|
mce_banks_t all_banks;
|
2009-02-18 05:07:13 +07:00
|
|
|
u64 cap;
|
|
|
|
int i;
|
|
|
|
|
2012-10-16 00:59:18 +07:00
|
|
|
if (!mca_cfg.bootlog)
|
|
|
|
m_fl = MCP_DONTLOG;
|
|
|
|
|
2009-02-12 19:43:23 +07:00
|
|
|
/*
|
|
|
|
* Log the machine checks left over from the previous reset.
|
|
|
|
*/
|
2009-02-12 19:49:34 +07:00
|
|
|
bitmap_fill(all_banks, MAX_NR_BANKS);
|
2012-10-16 00:59:18 +07:00
|
|
|
machine_check_poll(MCP_UC | m_fl, &all_banks);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2014-10-25 05:58:07 +07:00
|
|
|
cr4_set_bits(X86_CR4_MCE);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2009-02-18 05:07:13 +07:00
|
|
|
rdmsrl(MSR_IA32_MCG_CAP, cap);
|
2005-04-17 05:20:36 +07:00
|
|
|
if (cap & MCG_CTL_P)
|
|
|
|
wrmsr(MSR_IA32_MCG_CTL, 0xffffffff, 0xffffffff);
|
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
for (i = 0; i < mca_cfg.banks; i++) {
|
2009-07-09 05:31:43 +07:00
|
|
|
struct mce_bank *b = &mce_banks[i];
|
2009-09-23 22:49:55 +07:00
|
|
|
|
2009-07-09 05:31:43 +07:00
|
|
|
if (!b->init)
|
2009-04-27 23:37:43 +07:00
|
|
|
continue;
|
2009-07-09 05:31:44 +07:00
|
|
|
wrmsrl(MSR_IA32_MCx_CTL(i), b->ctl);
|
|
|
|
wrmsrl(MSR_IA32_MCx_STATUS(i), 0);
|
2007-10-24 03:37:23 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2012-07-20 01:28:46 +07:00
|
|
|
/*
|
|
|
|
* During IFU recovery Sandy Bridge -EP4S processors set the RIPV and
|
|
|
|
* EIPV bits in MCG_STATUS to zero on the affected logical processor (SDM
|
|
|
|
* Vol 3B Table 15-20). But this confuses both the code that determines
|
|
|
|
* whether the machine check occurred in kernel or user mode, and also
|
|
|
|
* the severity assessment code. Pretend that EIPV was set, and take the
|
|
|
|
* ip/cs values from the pt_regs that mce_gather_info() ignored earlier.
|
|
|
|
*/
|
|
|
|
static void quirk_sandybridge_ifu(int bank, struct mce *m, struct pt_regs *regs)
|
|
|
|
{
|
|
|
|
if (bank != 0)
|
|
|
|
return;
|
|
|
|
if ((m->mcgstatus & (MCG_STATUS_EIPV|MCG_STATUS_RIPV)) != 0)
|
|
|
|
return;
|
|
|
|
if ((m->status & (MCI_STATUS_OVER|MCI_STATUS_UC|
|
|
|
|
MCI_STATUS_EN|MCI_STATUS_MISCV|MCI_STATUS_ADDRV|
|
|
|
|
MCI_STATUS_PCC|MCI_STATUS_S|MCI_STATUS_AR|
|
|
|
|
MCACOD)) !=
|
|
|
|
(MCI_STATUS_UC|MCI_STATUS_EN|
|
|
|
|
MCI_STATUS_MISCV|MCI_STATUS_ADDRV|MCI_STATUS_S|
|
|
|
|
MCI_STATUS_AR|MCACOD_INSTR))
|
|
|
|
return;
|
|
|
|
|
|
|
|
m->mcgstatus |= MCG_STATUS_EIPV;
|
|
|
|
m->ip = regs->ip;
|
|
|
|
m->cs = regs->cs;
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Add per CPU specific workarounds here */
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static int __mcheck_cpu_apply_quirks(struct cpuinfo_x86 *c)
|
2007-10-24 03:37:23 +07:00
|
|
|
{
|
2012-10-15 23:03:57 +07:00
|
|
|
struct mca_config *cfg = &mca_cfg;
|
|
|
|
|
2009-08-17 15:19:00 +07:00
|
|
|
if (c->x86_vendor == X86_VENDOR_UNKNOWN) {
|
2012-05-22 09:50:07 +07:00
|
|
|
pr_info("unknown CPU type - not enabling MCE support\n");
|
2009-08-17 15:19:00 +07:00
|
|
|
return -EOPNOTSUPP;
|
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* This should be disabled by the BIOS, but isn't always */
|
2008-04-22 22:22:21 +07:00
|
|
|
if (c->x86_vendor == X86_VENDOR_AMD) {
|
2012-10-15 23:03:57 +07:00
|
|
|
if (c->x86 == 15 && cfg->banks > 4) {
|
2009-04-08 17:31:17 +07:00
|
|
|
/*
|
|
|
|
* disable GART TBL walk error reporting, which
|
|
|
|
* trips off incorrectly with the IOMMU & 3ware
|
|
|
|
* & Cerberus:
|
|
|
|
*/
|
2009-07-09 05:31:43 +07:00
|
|
|
clear_bit(10, (unsigned long *)&mce_banks[4].ctl);
|
2009-04-08 17:31:17 +07:00
|
|
|
}
|
2012-10-16 00:59:18 +07:00
|
|
|
if (c->x86 <= 17 && cfg->bootlog < 0) {
|
2009-04-08 17:31:17 +07:00
|
|
|
/*
|
|
|
|
* Lots of broken BIOS around that don't clear them
|
|
|
|
* by default and leave crap in there. Don't log:
|
|
|
|
*/
|
2012-10-16 00:59:18 +07:00
|
|
|
cfg->bootlog = 0;
|
2009-04-08 17:31:17 +07:00
|
|
|
}
|
2009-04-27 23:42:48 +07:00
|
|
|
/*
|
|
|
|
* Various K7s with broken bank 0 around. Always disable
|
|
|
|
* by default.
|
|
|
|
*/
|
2015-03-14 05:30:47 +07:00
|
|
|
if (c->x86 == 6 && cfg->banks > 0)
|
2009-07-09 05:31:43 +07:00
|
|
|
mce_banks[0].ctl = 0;
|
2012-04-20 23:01:34 +07:00
|
|
|
|
2015-03-23 22:42:52 +07:00
|
|
|
/*
|
|
|
|
* overflow_recov is supported for F15h Models 00h-0fh
|
|
|
|
* even though we don't have a CPUID bit for it.
|
|
|
|
*/
|
|
|
|
if (c->x86 == 0x15 && c->x86_model <= 0xf)
|
|
|
|
mce_flags.overflow_recov = 1;
|
|
|
|
|
2015-03-14 05:30:47 +07:00
|
|
|
/*
|
|
|
|
* Turn off MC4_MISC thresholding banks on those models since
|
|
|
|
* they're not supported there.
|
|
|
|
*/
|
|
|
|
if (c->x86 == 0x15 &&
|
|
|
|
(c->x86_model >= 0x10 && c->x86_model <= 0x1f)) {
|
|
|
|
int i;
|
|
|
|
u64 hwcr;
|
|
|
|
bool need_toggle;
|
|
|
|
u32 msrs[] = {
|
2012-04-20 23:01:34 +07:00
|
|
|
0x00000413, /* MC4_MISC0 */
|
|
|
|
0xc0000408, /* MC4_MISC1 */
|
2015-03-14 05:30:47 +07:00
|
|
|
};
|
2012-04-20 23:01:34 +07:00
|
|
|
|
2015-03-14 05:30:47 +07:00
|
|
|
rdmsrl(MSR_K7_HWCR, hwcr);
|
2012-04-20 23:01:34 +07:00
|
|
|
|
2015-03-14 05:30:47 +07:00
|
|
|
/* McStatusWrEn has to be set */
|
|
|
|
need_toggle = !(hwcr & BIT(18));
|
2012-04-20 23:01:34 +07:00
|
|
|
|
2015-03-14 05:30:47 +07:00
|
|
|
if (need_toggle)
|
|
|
|
wrmsrl(MSR_K7_HWCR, hwcr | BIT(18));
|
2012-04-20 23:01:34 +07:00
|
|
|
|
2015-03-14 05:30:47 +07:00
|
|
|
/* Clear CntP bit safely */
|
|
|
|
for (i = 0; i < ARRAY_SIZE(msrs); i++)
|
|
|
|
msr_clear_bit(msrs[i], 62);
|
2012-04-20 23:01:34 +07:00
|
|
|
|
2015-03-14 05:30:47 +07:00
|
|
|
/* restore old settings */
|
|
|
|
if (need_toggle)
|
|
|
|
wrmsrl(MSR_K7_HWCR, hwcr);
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
2005-11-05 23:25:54 +07:00
|
|
|
|
2009-04-27 23:37:43 +07:00
|
|
|
if (c->x86_vendor == X86_VENDOR_INTEL) {
|
|
|
|
/*
|
|
|
|
* SDM documents that on family 6 bank 0 should not be written
|
|
|
|
* because it aliases to another special BIOS controlled
|
|
|
|
* register.
|
|
|
|
* But it's not aliased anymore on model 0x1a+
|
|
|
|
* Don't ignore bank 0 completely because there could be a
|
|
|
|
* valid event later, merely don't write CTL0.
|
|
|
|
*/
|
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
if (c->x86 == 6 && c->x86_model < 0x1A && cfg->banks > 0)
|
2009-07-09 05:31:43 +07:00
|
|
|
mce_banks[0].init = 0;
|
2009-05-28 02:56:55 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* All newer Intel systems support MCE broadcasting. Enable
|
|
|
|
* synchronization with a one second timeout.
|
|
|
|
*/
|
|
|
|
if ((c->x86 > 6 || (c->x86 == 6 && c->x86_model >= 0xe)) &&
|
2012-10-16 00:59:18 +07:00
|
|
|
cfg->monarch_timeout < 0)
|
|
|
|
cfg->monarch_timeout = USEC_PER_SEC;
|
2009-07-29 04:52:54 +07:00
|
|
|
|
2009-08-17 15:19:00 +07:00
|
|
|
/*
|
|
|
|
* There are also broken BIOSes on some Pentium M and
|
|
|
|
* earlier systems:
|
|
|
|
*/
|
2012-10-16 00:59:18 +07:00
|
|
|
if (c->x86 == 6 && c->x86_model <= 13 && cfg->bootlog < 0)
|
|
|
|
cfg->bootlog = 0;
|
2012-07-20 01:28:46 +07:00
|
|
|
|
|
|
|
if (c->x86 == 6 && c->x86_model == 45)
|
|
|
|
quirk_no_way_out = quirk_sandybridge_ifu;
|
2009-04-27 23:37:43 +07:00
|
|
|
}
|
2012-10-16 00:59:18 +07:00
|
|
|
if (cfg->monarch_timeout < 0)
|
|
|
|
cfg->monarch_timeout = 0;
|
|
|
|
if (cfg->bootlog != 0)
|
2012-10-16 01:25:17 +07:00
|
|
|
cfg->panic_timeout = 30;
|
2009-08-17 15:19:00 +07:00
|
|
|
|
|
|
|
return 0;
|
2007-10-24 03:37:23 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static int __mcheck_cpu_ancient_init(struct cpuinfo_x86 *c)
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
{
|
|
|
|
if (c->x86 != 5)
|
2011-06-08 08:58:35 +07:00
|
|
|
return 0;
|
|
|
|
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
switch (c->x86_vendor) {
|
|
|
|
case X86_VENDOR_INTEL:
|
2009-06-15 15:22:49 +07:00
|
|
|
intel_p5_mcheck_init(c);
|
2011-06-08 08:58:35 +07:00
|
|
|
return 1;
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
break;
|
|
|
|
case X86_VENDOR_CENTAUR:
|
|
|
|
winchip_mcheck_init(c);
|
2011-06-08 08:58:35 +07:00
|
|
|
return 1;
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
break;
|
2015-10-30 19:11:38 +07:00
|
|
|
default:
|
|
|
|
return 0;
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
}
|
2011-06-08 08:58:35 +07:00
|
|
|
|
|
|
|
return 0;
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
}
|
|
|
|
|
2009-10-16 17:31:32 +07:00
|
|
|
static void __mcheck_cpu_init_vendor(struct cpuinfo_x86 *c)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
switch (c->x86_vendor) {
|
|
|
|
case X86_VENDOR_INTEL:
|
|
|
|
mce_intel_feature_init(c);
|
x86/MCE/intel: Cleanup CMCI storm logic
Initially, this started with the yet another report about a race
condition in the CMCI storm adaptive period length thing. Yes, we have
to admit, it is fragile and error prone. So let's simplify it.
The simpler logic is: now, after we enter storm mode, we go straight to
polling with CMCI_STORM_INTERVAL, i.e. once a second. We remain in storm
mode as long as we see errors being logged while polling.
Theoretically, if we see an uninterrupted error stream, we will remain
in storm mode indefinitely and keep polling the MSRs.
However, when the storm is actually a burst of errors, once we have
logged them all, we back out of it after ~5 mins of polling and no more
errors logged.
If we encounter an error during those 5 minutes, we reset the polling
interval to 5 mins.
Making machine_check_poll() return a bool and denoting whether it has
seen an error or not lets us simplify a bunch of code and move the storm
handling private to mce_intel.c.
Some minor cleanups while at it.
Reported-by: Calvin Owens <calvinowens@fb.com>
Tested-by: Tony Luck <tony.luck@intel.com>
Link: http://lkml.kernel.org/r/1417746575-23299-1-git-send-email-calvinowens@fb.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2015-01-13 21:08:51 +07:00
|
|
|
mce_adjust_timer = cmci_intel_adjust_timer;
|
2005-04-17 05:20:36 +07:00
|
|
|
break;
|
2015-05-06 18:58:55 +07:00
|
|
|
|
|
|
|
case X86_VENDOR_AMD: {
|
|
|
|
u32 ebx = cpuid_ebx(0x80000007);
|
|
|
|
|
2005-11-05 23:25:53 +07:00
|
|
|
mce_amd_feature_init(c);
|
2015-05-06 18:58:55 +07:00
|
|
|
mce_flags.overflow_recov = !!(ebx & BIT(0));
|
|
|
|
mce_flags.succor = !!(ebx & BIT(1));
|
2015-10-30 19:11:37 +07:00
|
|
|
mce_flags.smca = !!(ebx & BIT(3));
|
|
|
|
|
2005-11-05 23:25:53 +07:00
|
|
|
break;
|
2015-05-06 18:58:55 +07:00
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-08-12 23:29:40 +07:00
|
|
|
static void __mcheck_cpu_clear_vendor(struct cpuinfo_x86 *c)
|
|
|
|
{
|
|
|
|
switch (c->x86_vendor) {
|
|
|
|
case X86_VENDOR_INTEL:
|
|
|
|
mce_intel_feature_clear(c);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-07-20 00:59:39 +07:00
|
|
|
static void mce_start_timer(unsigned int cpu, struct timer_list *t)
|
2009-02-12 19:39:29 +07:00
|
|
|
{
|
2013-12-24 00:05:02 +07:00
|
|
|
unsigned long iv = check_interval * HZ;
|
2009-12-08 09:21:37 +07:00
|
|
|
|
2012-10-16 01:25:17 +07:00
|
|
|
if (mca_cfg.ignore_ce || !iv)
|
2009-06-11 14:06:07 +07:00
|
|
|
return;
|
|
|
|
|
2013-12-24 00:05:02 +07:00
|
|
|
per_cpu(mce_next_interval, cpu) = iv;
|
|
|
|
|
2012-05-25 00:54:51 +07:00
|
|
|
t->expires = round_jiffies(jiffies + iv);
|
2013-12-24 00:05:02 +07:00
|
|
|
add_timer_on(t, cpu);
|
2009-02-12 19:39:29 +07:00
|
|
|
}
|
|
|
|
|
2012-07-20 00:59:39 +07:00
|
|
|
static void __mcheck_cpu_init_timer(void)
|
|
|
|
{
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
struct timer_list *t = this_cpu_ptr(&mce_timer);
|
2012-07-20 00:59:39 +07:00
|
|
|
unsigned int cpu = smp_processor_id();
|
|
|
|
|
|
|
|
setup_timer(t, mce_timer_fn, cpu);
|
|
|
|
mce_start_timer(cpu, t);
|
|
|
|
}
|
|
|
|
|
2009-07-09 05:31:42 +07:00
|
|
|
/* Handle unconfigured int18 (should never happen) */
|
|
|
|
static void unexpected_machine_check(struct pt_regs *regs, long error_code)
|
|
|
|
{
|
2012-05-22 09:50:07 +07:00
|
|
|
pr_err("CPU#%d: Unexpected int18 (Machine Check)\n",
|
2009-07-09 05:31:42 +07:00
|
|
|
smp_processor_id());
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Call the installed machine check handler for this CPU setup. */
|
|
|
|
void (*machine_check_vector)(struct pt_regs *, long error_code) =
|
|
|
|
unexpected_machine_check;
|
|
|
|
|
2007-10-24 03:37:23 +07:00
|
|
|
/*
|
2005-04-17 05:20:36 +07:00
|
|
|
* Called for each booted CPU to set up machine checks.
|
2009-04-08 17:31:17 +07:00
|
|
|
* Must be called with preempt off:
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
void mcheck_cpu_init(struct cpuinfo_x86 *c)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2012-10-17 17:05:33 +07:00
|
|
|
if (mca_cfg.disabled)
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
return;
|
|
|
|
|
2011-06-08 08:58:35 +07:00
|
|
|
if (__mcheck_cpu_ancient_init(c))
|
|
|
|
return;
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
|
2009-02-12 19:39:30 +07:00
|
|
|
if (!mce_available(c))
|
2005-04-17 05:20:36 +07:00
|
|
|
return;
|
|
|
|
|
2009-10-16 17:31:32 +07:00
|
|
|
if (__mcheck_cpu_cap_init() < 0 || __mcheck_cpu_apply_quirks(c) < 0) {
|
2012-10-17 17:05:33 +07:00
|
|
|
mca_cfg.disabled = true;
|
2009-02-18 05:07:13 +07:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2015-08-12 23:29:34 +07:00
|
|
|
if (mce_gen_pool_init()) {
|
|
|
|
mca_cfg.disabled = true;
|
|
|
|
pr_emerg("Couldn't allocate MCE records pool!\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2009-04-28 00:25:48 +07:00
|
|
|
machine_check_vector = do_machine_check;
|
|
|
|
|
2009-10-16 17:31:32 +07:00
|
|
|
__mcheck_cpu_init_generic();
|
|
|
|
__mcheck_cpu_init_vendor(c);
|
|
|
|
__mcheck_cpu_init_timer();
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2015-08-12 23:29:40 +07:00
|
|
|
/*
|
|
|
|
* Called for each booted CPU to clear some machine checks opt-ins
|
|
|
|
*/
|
|
|
|
void mcheck_cpu_clear(struct cpuinfo_x86 *c)
|
|
|
|
{
|
|
|
|
if (mca_cfg.disabled)
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (!mce_available(c))
|
|
|
|
return;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Possibly to clear general settings generic to x86
|
|
|
|
* __mcheck_cpu_clear_generic(c);
|
|
|
|
*/
|
|
|
|
__mcheck_cpu_clear_vendor(c);
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2011-06-08 09:00:45 +07:00
|
|
|
* mce_chrdev: Character device /dev/mcelog to read and clear the MCE log.
|
2005-04-17 05:20:36 +07:00
|
|
|
*/
|
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
static DEFINE_SPINLOCK(mce_chrdev_state_lock);
|
|
|
|
static int mce_chrdev_open_count; /* #times opened */
|
|
|
|
static int mce_chrdev_open_exclu; /* already open exclusive? */
|
2007-07-21 22:10:35 +07:00
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
static int mce_chrdev_open(struct inode *inode, struct file *file)
|
2007-07-21 22:10:35 +07:00
|
|
|
{
|
2011-06-08 09:00:45 +07:00
|
|
|
spin_lock(&mce_chrdev_state_lock);
|
2007-07-21 22:10:35 +07:00
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
if (mce_chrdev_open_exclu ||
|
|
|
|
(mce_chrdev_open_count && (file->f_flags & O_EXCL))) {
|
|
|
|
spin_unlock(&mce_chrdev_state_lock);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2007-07-21 22:10:35 +07:00
|
|
|
return -EBUSY;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (file->f_flags & O_EXCL)
|
2011-06-08 09:00:45 +07:00
|
|
|
mce_chrdev_open_exclu = 1;
|
|
|
|
mce_chrdev_open_count++;
|
2007-07-21 22:10:35 +07:00
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
spin_unlock(&mce_chrdev_state_lock);
|
2007-07-21 22:10:35 +07:00
|
|
|
|
x86_64: mcelog tolerant level cleanup
Background:
The MCE handler has several paths that it can take, depending on various
conditions of the MCE status and the value of the 'tolerant' knob. The
exact semantics are not well defined and the code is a bit twisty.
Description:
This patch makes the MCE handler's behavior more clear by documenting the
behavior for various 'tolerant' levels. It also fixes or enhances
several small things in the handler. Specifically:
* If RIPV is set it is not safe to restart, so set the 'no way out'
flag rather than the 'kill it' flag.
* Don't panic() on correctable MCEs.
* If the _OVER bit is set *and* the _UC bit is set (meaning possibly
dropped uncorrected errors), set the 'no way out' flag.
* Use EIPV for testing whether an app can be killed (SIGBUS) rather
than RIPV. According to docs, EIPV indicates that the error is
related to the IP, while RIPV simply means the IP is valid to
restart from.
* Don't clear the MCi_STATUS registers until after the panic() path.
This leaves the status bits set after the panic() so clever BIOSes
can find them (and dumb BIOSes can do nothing).
This patch also calls nonseekable_open() in mce_open (as suggested by akpm).
Result:
Tolerant levels behave almost identically to how they always have, but
not it's well defined. There's a slightly higher chance of panic()ing
when multiple errors happen (a good thing, IMHO). If you take an MBE and
panic(), the error status bits are not cleared.
Alternatives:
None.
Testing:
I used software to inject correctable and uncorrectable errors. With
tolerant = 3, the system usually survives. With tolerant = 2, the system
usually panic()s (PCC) but not always. With tolerant = 1, the system
always panic()s. When the system panic()s, the BIOS is able to detect
that the cause of death was an MC4. I was not able to reproduce the
case of a non-PCC error in userspace, with EIPV, with (tolerant < 3).
That will be rare at best.
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:37 +07:00
|
|
|
return nonseekable_open(inode, file);
|
2007-07-21 22:10:35 +07:00
|
|
|
}
|
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
static int mce_chrdev_release(struct inode *inode, struct file *file)
|
2007-07-21 22:10:35 +07:00
|
|
|
{
|
2011-06-08 09:00:45 +07:00
|
|
|
spin_lock(&mce_chrdev_state_lock);
|
2007-07-21 22:10:35 +07:00
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
mce_chrdev_open_count--;
|
|
|
|
mce_chrdev_open_exclu = 0;
|
2007-07-21 22:10:35 +07:00
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
spin_unlock(&mce_chrdev_state_lock);
|
2007-07-21 22:10:35 +07:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-10-24 03:37:23 +07:00
|
|
|
static void collect_tscs(void *data)
|
|
|
|
{
|
2005-04-17 05:20:36 +07:00
|
|
|
unsigned long *cpu_tsc = (unsigned long *)data;
|
2007-10-24 03:37:23 +07:00
|
|
|
|
2015-06-25 23:44:07 +07:00
|
|
|
cpu_tsc[smp_processor_id()] = rdtsc();
|
2007-10-24 03:37:23 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
static int mce_apei_read_done;
|
|
|
|
|
|
|
|
/* Collect MCE record of previous boot in persistent storage via APEI ERST. */
|
|
|
|
static int __mce_read_apei(char __user **ubuf, size_t usize)
|
|
|
|
{
|
|
|
|
int rc;
|
|
|
|
u64 record_id;
|
|
|
|
struct mce m;
|
|
|
|
|
|
|
|
if (usize < sizeof(struct mce))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rc = apei_read_mce(&m, &record_id);
|
|
|
|
/* Error or no more MCE record */
|
|
|
|
if (rc <= 0) {
|
|
|
|
mce_apei_read_done = 1;
|
2012-01-24 03:54:52 +07:00
|
|
|
/*
|
|
|
|
* When ERST is disabled, mce_chrdev_read() should return
|
|
|
|
* "no record" instead of "no device."
|
|
|
|
*/
|
|
|
|
if (rc == -ENODEV)
|
|
|
|
return 0;
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
rc = -EFAULT;
|
|
|
|
if (copy_to_user(*ubuf, &m, sizeof(struct mce)))
|
|
|
|
return rc;
|
|
|
|
/*
|
|
|
|
* In fact, we should have cleared the record after that has
|
|
|
|
* been flushed to the disk or sent to network in
|
|
|
|
* /sbin/mcelog, but we have no interface to support that now,
|
|
|
|
* so just clear it to avoid duplication.
|
|
|
|
*/
|
|
|
|
rc = apei_clear_mce(record_id);
|
|
|
|
if (rc) {
|
|
|
|
mce_apei_read_done = 1;
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
*ubuf += sizeof(struct mce);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
static ssize_t mce_chrdev_read(struct file *filp, char __user *ubuf,
|
|
|
|
size_t usize, loff_t *off)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2009-04-08 17:31:17 +07:00
|
|
|
char __user *buf = ubuf;
|
2005-04-17 05:25:10 +07:00
|
|
|
unsigned long *cpu_tsc;
|
2009-02-12 19:39:34 +07:00
|
|
|
unsigned prev, next;
|
2005-04-17 05:20:36 +07:00
|
|
|
int i, err;
|
|
|
|
|
2008-07-19 08:11:27 +07:00
|
|
|
cpu_tsc = kmalloc(nr_cpu_ids * sizeof(long), GFP_KERNEL);
|
2005-04-17 05:25:10 +07:00
|
|
|
if (!cpu_tsc)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
mutex_lock(&mce_chrdev_read_mutex);
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
|
|
|
|
if (!mce_apei_read_done) {
|
|
|
|
err = __mce_read_apei(&buf, usize);
|
|
|
|
if (err || buf != ubuf)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2015-08-12 23:29:43 +07:00
|
|
|
next = mce_log_get_idx_check(mcelog.next);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
/* Only supports full reads right now */
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
err = -EINVAL;
|
|
|
|
if (*off != 0 || usize < MCE_LOG_LEN*sizeof(struct mce))
|
|
|
|
goto out;
|
2005-04-17 05:20:36 +07:00
|
|
|
|
|
|
|
err = 0;
|
2009-02-12 19:39:34 +07:00
|
|
|
prev = 0;
|
|
|
|
do {
|
|
|
|
for (i = prev; i < next; i++) {
|
|
|
|
unsigned long start = jiffies;
|
2011-06-08 09:00:08 +07:00
|
|
|
struct mce *m = &mcelog.entry[i];
|
2009-02-12 19:39:34 +07:00
|
|
|
|
2011-06-08 09:00:08 +07:00
|
|
|
while (!m->finished) {
|
2009-02-12 19:39:34 +07:00
|
|
|
if (time_after_eq(jiffies, start + 2)) {
|
2011-06-08 09:00:08 +07:00
|
|
|
memset(m, 0, sizeof(*m));
|
2009-02-12 19:39:34 +07:00
|
|
|
goto timeout;
|
|
|
|
}
|
|
|
|
cpu_relax();
|
2005-09-12 23:49:24 +07:00
|
|
|
}
|
2009-02-12 19:39:34 +07:00
|
|
|
smp_rmb();
|
2011-06-08 09:00:08 +07:00
|
|
|
err |= copy_to_user(buf, m, sizeof(*m));
|
|
|
|
buf += sizeof(*m);
|
2009-02-12 19:39:34 +07:00
|
|
|
timeout:
|
|
|
|
;
|
2005-09-12 23:49:24 +07:00
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2009-02-12 19:39:34 +07:00
|
|
|
memset(mcelog.entry + prev, 0,
|
|
|
|
(next - prev) * sizeof(struct mce));
|
|
|
|
prev = next;
|
|
|
|
next = cmpxchg(&mcelog.next, prev, 0);
|
|
|
|
} while (next != prev);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2005-06-26 04:55:38 +07:00
|
|
|
synchronize_sched();
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2007-10-24 03:37:23 +07:00
|
|
|
/*
|
|
|
|
* Collect entries that were still getting written before the
|
|
|
|
* synchronize.
|
|
|
|
*/
|
2008-05-09 14:39:44 +07:00
|
|
|
on_each_cpu(collect_tscs, cpu_tsc, 1);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2007-10-24 03:37:23 +07:00
|
|
|
for (i = next; i < MCE_LOG_LEN; i++) {
|
2011-06-08 09:00:08 +07:00
|
|
|
struct mce *m = &mcelog.entry[i];
|
|
|
|
|
|
|
|
if (m->finished && m->tsc < cpu_tsc[m->cpu]) {
|
|
|
|
err |= copy_to_user(buf, m, sizeof(*m));
|
2005-04-17 05:20:36 +07:00
|
|
|
smp_rmb();
|
2011-06-08 09:00:08 +07:00
|
|
|
buf += sizeof(*m);
|
|
|
|
memset(m, 0, sizeof(*m));
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
2007-10-24 03:37:23 +07:00
|
|
|
}
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
|
|
|
|
if (err)
|
|
|
|
err = -EFAULT;
|
|
|
|
|
|
|
|
out:
|
2011-06-08 09:00:45 +07:00
|
|
|
mutex_unlock(&mce_chrdev_read_mutex);
|
2005-04-17 05:25:10 +07:00
|
|
|
kfree(cpu_tsc);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
return err ? err : buf - ubuf;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
static unsigned int mce_chrdev_poll(struct file *file, poll_table *wait)
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
{
|
2011-06-08 09:00:45 +07:00
|
|
|
poll_wait(file, &mce_chrdev_wait, wait);
|
2015-04-20 08:16:02 +07:00
|
|
|
if (READ_ONCE(mcelog.next))
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
return POLLIN | POLLRDNORM;
|
ACPI, APEI, Use ERST for persistent storage of MCE
Traditionally, fatal MCE will cause Linux print error log to console
then reboot. Because MCE registers will preserve their content after
warm reboot, the hardware error can be logged to disk or network after
reboot. But system may fail to warm reboot, then you may lose the
hardware error log. ERST can help here. Through saving the hardware
error log into flash via ERST before go panic, the hardware error log
can be gotten from the flash after system boot successful again.
The fatal MCE processing procedure with ERST involved is as follow:
- Hardware detect error, MCE raised
- MCE read MCE registers, check error severity (fatal), prepare error record
- Write MCE error record into flash via ERST
- Go panic, then trigger system reboot
- System reboot, /sbin/mcelog run, it reads /dev/mcelog to check flash
for error record of previous boot via ERST, and output and clear
them if available
- /sbin/mcelog logs error records into disk or network
ERST only accepts CPER record format, but there is no pre-defined CPER
section can accommodate all information in struct mce, so a customized
section type is defined to hold struct mce inside a CPER record as an
error section.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
2010-05-18 13:35:22 +07:00
|
|
|
if (!mce_apei_read_done && apei_check_mce())
|
|
|
|
return POLLIN | POLLRDNORM;
|
x86_64: support poll() on /dev/mcelog
Background:
/dev/mcelog is typically polled manually. This is less than optimal for
situations where accurate accounting of MCEs is important. Calling
poll() on /dev/mcelog does not work.
Description:
This patch adds support for poll() to /dev/mcelog. This results in
immediate wakeup of user apps whenever the poller finds MCEs. Because
the exception handler can not take any locks, it can not call the wakeup
itself. Instead, it uses a thread_info flag (TIF_MCE_NOTIFY) which is
caught at the next return from interrupt or exit from idle, calling the
mce_user_notify() routine. This patch also disables the "fake panic"
path of the mce_panic(), because it results in printk()s in the exception
handler and crashy systems.
This patch also does some small cleanup for essentially unused variables,
and moves the user notification into the body of the poller, so it is
only called once per poll, rather than once per CPU.
Result:
Applications can now poll() on /dev/mcelog. When an error is logged
(whether through the poller or through an exception) the applications are
woken up promptly. This should not affect any previous behaviors. If no
MCEs are being logged, there is no overhead.
Alternatives:
I considered simply supporting poll() through the poller and not using
TIF_MCE_NOTIFY at all. However, the time between an uncorrectable error
happening and the user application being notified is *the*most* critical
window for us. Many uncorrectable errors can be logged to the network if
given a chance.
I also considered doing the MCE poll directly from the idle notifier, but
decided that was overkill.
Testing:
I used an error-injecting DIMM to create lots of correctable DRAM errors
and verified that my user app is woken up in sync with the polling interval.
I also used the northbridge to inject uncorrectable ECC errors, and
verified (printk() to the rescue) that the notify routine is called and the
user app does wake up. I built with PREEMPT on and off, and verified
that my machine survives MCEs.
[wli@holomorphy.com: build fix]
Signed-off-by: Tim Hockin <thockin@google.com>
Signed-off-by: William Irwin <bill.irwin@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-21 22:10:36 +07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
static long mce_chrdev_ioctl(struct file *f, unsigned int cmd,
|
|
|
|
unsigned long arg)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
|
|
|
int __user *p = (int __user *)arg;
|
2007-10-24 03:37:23 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!capable(CAP_SYS_ADMIN))
|
2007-10-24 03:37:23 +07:00
|
|
|
return -EPERM;
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
switch (cmd) {
|
2007-10-24 03:37:23 +07:00
|
|
|
case MCE_GET_RECORD_LEN:
|
2005-04-17 05:20:36 +07:00
|
|
|
return put_user(sizeof(struct mce), p);
|
|
|
|
case MCE_GET_LOG_LEN:
|
2007-10-24 03:37:23 +07:00
|
|
|
return put_user(MCE_LOG_LEN, p);
|
2005-04-17 05:20:36 +07:00
|
|
|
case MCE_GETCLEAR_FLAGS: {
|
|
|
|
unsigned flags;
|
2007-10-24 03:37:23 +07:00
|
|
|
|
|
|
|
do {
|
2005-04-17 05:20:36 +07:00
|
|
|
flags = mcelog.flags;
|
2007-10-24 03:37:23 +07:00
|
|
|
} while (cmpxchg(&mcelog.flags, flags, 0) != flags);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2007-10-24 03:37:23 +07:00
|
|
|
return put_user(flags, p);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
default:
|
2007-10-24 03:37:23 +07:00
|
|
|
return -ENOTTY;
|
|
|
|
}
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2011-11-04 01:46:47 +07:00
|
|
|
static ssize_t (*mce_write)(struct file *filp, const char __user *ubuf,
|
|
|
|
size_t usize, loff_t *off);
|
|
|
|
|
|
|
|
void register_mce_write_callback(ssize_t (*fn)(struct file *filp,
|
|
|
|
const char __user *ubuf,
|
|
|
|
size_t usize, loff_t *off))
|
|
|
|
{
|
|
|
|
mce_write = fn;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(register_mce_write_callback);
|
|
|
|
|
2015-04-22 04:05:25 +07:00
|
|
|
static ssize_t mce_chrdev_write(struct file *filp, const char __user *ubuf,
|
|
|
|
size_t usize, loff_t *off)
|
2011-11-04 01:46:47 +07:00
|
|
|
{
|
|
|
|
if (mce_write)
|
|
|
|
return mce_write(filp, ubuf, usize, off);
|
|
|
|
else
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct file_operations mce_chrdev_ops = {
|
2011-06-08 09:00:45 +07:00
|
|
|
.open = mce_chrdev_open,
|
|
|
|
.release = mce_chrdev_release,
|
|
|
|
.read = mce_chrdev_read,
|
2011-11-04 01:46:47 +07:00
|
|
|
.write = mce_chrdev_write,
|
2011-06-08 09:00:45 +07:00
|
|
|
.poll = mce_chrdev_poll,
|
|
|
|
.unlocked_ioctl = mce_chrdev_ioctl,
|
|
|
|
.llseek = no_llseek,
|
2005-04-17 05:20:36 +07:00
|
|
|
};
|
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
static struct miscdevice mce_chrdev_device = {
|
2005-04-17 05:20:36 +07:00
|
|
|
MISC_MCELOG_MINOR,
|
|
|
|
"mcelog",
|
|
|
|
&mce_chrdev_ops,
|
|
|
|
};
|
|
|
|
|
2013-07-01 22:38:47 +07:00
|
|
|
static void __mce_disable_bank(void *arg)
|
|
|
|
{
|
|
|
|
int bank = *((int *)arg);
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
__clear_bit(bank, this_cpu_ptr(mce_poll_banks));
|
2013-07-01 22:38:47 +07:00
|
|
|
cmci_disable_bank(bank);
|
|
|
|
}
|
|
|
|
|
|
|
|
void mce_disable_bank(int bank)
|
|
|
|
{
|
|
|
|
if (bank >= mca_cfg.banks) {
|
|
|
|
pr_warn(FW_BUG
|
|
|
|
"Ignoring request to disable invalid MCA bank %d.\n",
|
|
|
|
bank);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
set_bit(bank, mce_banks_ce_disabled);
|
|
|
|
on_each_cpu(__mce_disable_bank, &bank, 1);
|
|
|
|
}
|
|
|
|
|
2009-03-26 15:39:20 +07:00
|
|
|
/*
|
2009-06-11 14:06:07 +07:00
|
|
|
* mce=off Disables machine check
|
|
|
|
* mce=no_cmci Disables CMCI
|
2015-06-04 23:55:23 +07:00
|
|
|
* mce=no_lmce Disables LMCE
|
2009-06-11 14:06:07 +07:00
|
|
|
* mce=dont_log_ce Clears corrected events silently, no log created for CEs.
|
|
|
|
* mce=ignore_ce Disables polling and CMCI, corrected events are not cleared.
|
2009-05-28 02:56:55 +07:00
|
|
|
* mce=TOLERANCELEVEL[,monarchtimeout] (number, see above)
|
|
|
|
* monarchtimeout is how long to wait for other CPUs on machine
|
|
|
|
* check, or 0 to not wait
|
2009-03-26 15:39:20 +07:00
|
|
|
* mce=bootlog Log MCEs from before booting. Disabled by default on AMD.
|
|
|
|
* mce=nobootlog Don't log MCEs from before booting.
|
2012-09-28 00:08:00 +07:00
|
|
|
* mce=bios_cmci_threshold Don't program the CMCI threshold
|
2009-03-26 15:39:20 +07:00
|
|
|
*/
|
2005-04-17 05:20:36 +07:00
|
|
|
static int __init mcheck_enable(char *str)
|
|
|
|
{
|
2012-10-15 23:03:57 +07:00
|
|
|
struct mca_config *cfg = &mca_cfg;
|
|
|
|
|
2009-07-29 04:55:09 +07:00
|
|
|
if (*str == 0) {
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
enable_p5_mce();
|
2009-07-29 04:55:09 +07:00
|
|
|
return 1;
|
|
|
|
}
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
if (*str == '=')
|
|
|
|
str++;
|
2005-04-17 05:20:36 +07:00
|
|
|
if (!strcmp(str, "off"))
|
2012-10-17 17:05:33 +07:00
|
|
|
cfg->disabled = true;
|
2009-06-11 14:06:07 +07:00
|
|
|
else if (!strcmp(str, "no_cmci"))
|
2012-10-16 01:25:17 +07:00
|
|
|
cfg->cmci_disabled = true;
|
2015-06-04 23:55:23 +07:00
|
|
|
else if (!strcmp(str, "no_lmce"))
|
|
|
|
cfg->lmce_disabled = true;
|
2009-06-11 14:06:07 +07:00
|
|
|
else if (!strcmp(str, "dont_log_ce"))
|
2012-10-15 23:03:57 +07:00
|
|
|
cfg->dont_log_ce = true;
|
2009-06-11 14:06:07 +07:00
|
|
|
else if (!strcmp(str, "ignore_ce"))
|
2012-10-16 01:25:17 +07:00
|
|
|
cfg->ignore_ce = true;
|
2009-03-26 15:39:20 +07:00
|
|
|
else if (!strcmp(str, "bootlog") || !strcmp(str, "nobootlog"))
|
2012-10-16 00:59:18 +07:00
|
|
|
cfg->bootlog = (str[0] == 'b');
|
2012-09-28 00:08:00 +07:00
|
|
|
else if (!strcmp(str, "bios_cmci_threshold"))
|
2012-10-17 17:05:33 +07:00
|
|
|
cfg->bios_cmci_threshold = true;
|
2009-05-28 02:56:55 +07:00
|
|
|
else if (isdigit(str[0])) {
|
2015-05-26 15:28:21 +07:00
|
|
|
if (get_option(&str, &cfg->tolerant) == 2)
|
2012-10-16 00:59:18 +07:00
|
|
|
get_option(&str, &(cfg->monarch_timeout));
|
2009-05-28 02:56:55 +07:00
|
|
|
} else {
|
2012-05-22 09:50:07 +07:00
|
|
|
pr_info("mce argument %s ignored. Please use /sys\n", str);
|
2009-03-26 15:39:20 +07:00
|
|
|
return 0;
|
|
|
|
}
|
2006-03-31 17:30:33 +07:00
|
|
|
return 1;
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
x86, mce: use 64bit machine check code on 32bit
The 64bit machine check code is in many ways much better than
the 32bit machine check code: it is more specification compliant,
is cleaner, only has a single code base versus one per CPU,
has better infrastructure for recovery, has a cleaner way to communicate
with user space etc. etc.
Use the 64bit code for 32bit too.
This is the second attempt to do this. There was one a couple of years
ago to unify this code for 32bit and 64bit. Back then this ran into some
trouble with K7s and was reverted.
I believe this time the K7 problems (and some others) are addressed.
I went over the old handlers and was very careful to retain
all quirks.
But of course this needs a lot of testing on old systems. On newer
64bit capable systems I don't expect much problems because they have been
already tested with the 64bit kernel.
I made this a CONFIG for now that still allows to select the old
machine check code. This is mostly to make testing easier,
if someone runs into a problem we can ask them to try
with the CONFIG switched.
The new code is default y for more coverage.
Once there is confidence the 64bit code works well on older hardware
too the CONFIG_X86_OLD_MCE and the associated code can be easily
removed.
This causes a behaviour change for 32bit installations. They now
have to install the mcelog package to be able to log
corrected machine checks.
The 64bit machine check code only handles CPUs which support the
standard Intel machine check architecture described in the IA32 SDM.
The 32bit code has special support for some older CPUs which
have non standard machine check architectures, in particular
WinChip C3 and Intel P5. I made those a separate CONFIG option
and kept them for now. The WinChip variant could be probably
removed without too much pain, it doesn't really do anything
interesting. P5 is also disabled by default (like it
was before) because many motherboards have it miswired, but
according to Alan Cox a few embedded setups use that one.
Forward ported/heavily changed version of old patch, original patch
included review/fixes from Thomas Gleixner, Bert Wesarg.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2009-04-29 00:07:31 +07:00
|
|
|
__setup("mce", mcheck_enable);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2009-11-10 08:38:24 +07:00
|
|
|
int __init mcheck_init(void)
|
2009-10-16 17:31:33 +07:00
|
|
|
{
|
2009-11-10 08:38:24 +07:00
|
|
|
mcheck_intel_therm_init();
|
2015-08-12 23:29:38 +07:00
|
|
|
mce_register_decode_chain(&mce_srao_nb);
|
2015-03-23 22:42:53 +07:00
|
|
|
mcheck_vendor_init_severity();
|
2009-11-10 08:38:24 +07:00
|
|
|
|
2015-08-12 23:29:35 +07:00
|
|
|
INIT_WORK(&mce_work, mce_process_work);
|
|
|
|
init_irq_work(&mce_irq_work, mce_irq_work_cb);
|
|
|
|
|
2009-10-16 17:31:33 +07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-10-24 03:37:23 +07:00
|
|
|
/*
|
2011-06-08 09:02:03 +07:00
|
|
|
* mce_syscore: PM support
|
2007-10-24 03:37:23 +07:00
|
|
|
*/
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2009-02-12 19:39:32 +07:00
|
|
|
/*
|
|
|
|
* Disable machine checks on suspend and shutdown. We can't really handle
|
|
|
|
* them later.
|
|
|
|
*/
|
x86/mce: Don't clear shared banks on Intel when offlining CPUs
It is not safe to clear global MCi_CTL banks during CPU offline
or suspend/resume operations. These MSRs are either
thread-scoped (meaning private to a thread), or core-scoped
(private to threads in that core only), or with a socket scope:
visible and controllable from all threads in the socket.
When we offline a single CPU, clearing those MCi_CTL bits will
stop signaling for all the shared, i.e., socket-wide resources,
such as LLC, iMC, etc.
In addition, it might be possible to compromise the integrity of
an Intel Secure Guard eXtentions (SGX) system if the attacker
has control of the host system and is able to inject errors
which would be otherwise ignored when MCi_CTL bits are cleared.
Hence on SGX enabled systems, if MCi_CTL is cleared, SGX gets
disabled.
Tested-by: Serge Ayoun <serge.ayoun@intel.com>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
[ Cleanup text. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/1441391390-16985-1-git-send-email-ashok.raj@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-09-28 14:21:43 +07:00
|
|
|
static void mce_disable_error_reporting(void)
|
2009-02-12 19:39:32 +07:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
for (i = 0; i < mca_cfg.banks; i++) {
|
2009-07-09 05:31:43 +07:00
|
|
|
struct mce_bank *b = &mce_banks[i];
|
2009-09-23 22:49:55 +07:00
|
|
|
|
2009-07-09 05:31:43 +07:00
|
|
|
if (b->init)
|
2009-07-09 05:31:44 +07:00
|
|
|
wrmsrl(MSR_IA32_MCx_CTL(i), 0);
|
2009-04-27 23:37:43 +07:00
|
|
|
}
|
x86/mce: Don't clear shared banks on Intel when offlining CPUs
It is not safe to clear global MCi_CTL banks during CPU offline
or suspend/resume operations. These MSRs are either
thread-scoped (meaning private to a thread), or core-scoped
(private to threads in that core only), or with a socket scope:
visible and controllable from all threads in the socket.
When we offline a single CPU, clearing those MCi_CTL bits will
stop signaling for all the shared, i.e., socket-wide resources,
such as LLC, iMC, etc.
In addition, it might be possible to compromise the integrity of
an Intel Secure Guard eXtentions (SGX) system if the attacker
has control of the host system and is able to inject errors
which would be otherwise ignored when MCi_CTL bits are cleared.
Hence on SGX enabled systems, if MCi_CTL is cleared, SGX gets
disabled.
Tested-by: Serge Ayoun <serge.ayoun@intel.com>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
[ Cleanup text. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/1441391390-16985-1-git-send-email-ashok.raj@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-09-28 14:21:43 +07:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void vendor_disable_error_reporting(void)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Don't clear on Intel CPUs. Some of these MSRs are socket-wide.
|
|
|
|
* Disabling them for just a single offlined CPU is bad, since it will
|
|
|
|
* inhibit reporting for all shared resources on the socket like the
|
|
|
|
* last level cache (LLC), the integrated memory controller (iMC), etc.
|
|
|
|
*/
|
|
|
|
if (boot_cpu_data.x86_vendor == X86_VENDOR_INTEL)
|
|
|
|
return;
|
|
|
|
|
|
|
|
mce_disable_error_reporting();
|
2009-02-12 19:39:32 +07:00
|
|
|
}
|
|
|
|
|
2011-06-08 09:02:03 +07:00
|
|
|
static int mce_syscore_suspend(void)
|
2009-02-12 19:39:32 +07:00
|
|
|
{
|
x86/mce: Don't clear shared banks on Intel when offlining CPUs
It is not safe to clear global MCi_CTL banks during CPU offline
or suspend/resume operations. These MSRs are either
thread-scoped (meaning private to a thread), or core-scoped
(private to threads in that core only), or with a socket scope:
visible and controllable from all threads in the socket.
When we offline a single CPU, clearing those MCi_CTL bits will
stop signaling for all the shared, i.e., socket-wide resources,
such as LLC, iMC, etc.
In addition, it might be possible to compromise the integrity of
an Intel Secure Guard eXtentions (SGX) system if the attacker
has control of the host system and is able to inject errors
which would be otherwise ignored when MCi_CTL bits are cleared.
Hence on SGX enabled systems, if MCi_CTL is cleared, SGX gets
disabled.
Tested-by: Serge Ayoun <serge.ayoun@intel.com>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
[ Cleanup text. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/1441391390-16985-1-git-send-email-ashok.raj@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-09-28 14:21:43 +07:00
|
|
|
vendor_disable_error_reporting();
|
|
|
|
return 0;
|
2009-02-12 19:39:32 +07:00
|
|
|
}
|
|
|
|
|
2011-06-08 09:02:03 +07:00
|
|
|
static void mce_syscore_shutdown(void)
|
2009-02-12 19:39:32 +07:00
|
|
|
{
|
x86/mce: Don't clear shared banks on Intel when offlining CPUs
It is not safe to clear global MCi_CTL banks during CPU offline
or suspend/resume operations. These MSRs are either
thread-scoped (meaning private to a thread), or core-scoped
(private to threads in that core only), or with a socket scope:
visible and controllable from all threads in the socket.
When we offline a single CPU, clearing those MCi_CTL bits will
stop signaling for all the shared, i.e., socket-wide resources,
such as LLC, iMC, etc.
In addition, it might be possible to compromise the integrity of
an Intel Secure Guard eXtentions (SGX) system if the attacker
has control of the host system and is able to inject errors
which would be otherwise ignored when MCi_CTL bits are cleared.
Hence on SGX enabled systems, if MCi_CTL is cleared, SGX gets
disabled.
Tested-by: Serge Ayoun <serge.ayoun@intel.com>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
[ Cleanup text. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/1441391390-16985-1-git-send-email-ashok.raj@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-09-28 14:21:43 +07:00
|
|
|
vendor_disable_error_reporting();
|
2009-02-12 19:39:32 +07:00
|
|
|
}
|
|
|
|
|
2009-04-08 17:31:17 +07:00
|
|
|
/*
|
|
|
|
* On resume clear all MCE state. Don't want to see leftovers from the BIOS.
|
|
|
|
* Only one CPU is active at this time, the others get re-added later using
|
|
|
|
* CPU hotplug:
|
|
|
|
*/
|
2011-06-08 09:02:03 +07:00
|
|
|
static void mce_syscore_resume(void)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2009-10-16 17:31:32 +07:00
|
|
|
__mcheck_cpu_init_generic();
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
__mcheck_cpu_init_vendor(raw_cpu_ptr(&cpu_info));
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2011-03-24 04:15:54 +07:00
|
|
|
static struct syscore_ops mce_syscore_ops = {
|
2011-06-08 09:02:03 +07:00
|
|
|
.suspend = mce_syscore_suspend,
|
|
|
|
.shutdown = mce_syscore_shutdown,
|
|
|
|
.resume = mce_syscore_resume,
|
2011-03-24 04:15:54 +07:00
|
|
|
};
|
|
|
|
|
2011-06-08 09:02:03 +07:00
|
|
|
/*
|
2011-12-22 05:29:42 +07:00
|
|
|
* mce_device: Sysfs support
|
2011-06-08 09:02:03 +07:00
|
|
|
*/
|
|
|
|
|
2009-02-12 19:39:29 +07:00
|
|
|
static void mce_cpu_restart(void *data)
|
|
|
|
{
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
if (!mce_available(raw_cpu_ptr(&cpu_info)))
|
2009-06-15 15:18:45 +07:00
|
|
|
return;
|
2009-10-16 17:31:32 +07:00
|
|
|
__mcheck_cpu_init_generic();
|
|
|
|
__mcheck_cpu_init_timer();
|
2009-02-12 19:39:29 +07:00
|
|
|
}
|
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
/* Reinit MCEs after user configuration changes */
|
2007-10-24 03:37:23 +07:00
|
|
|
static void mce_restart(void)
|
|
|
|
{
|
2011-06-17 15:40:36 +07:00
|
|
|
mce_timer_delete_all();
|
2009-02-12 19:39:29 +07:00
|
|
|
on_each_cpu(mce_cpu_restart, NULL, 1);
|
2005-04-17 05:20:36 +07:00
|
|
|
}
|
|
|
|
|
2009-06-15 15:21:36 +07:00
|
|
|
/* Toggle features for corrected errors */
|
2011-06-17 15:40:36 +07:00
|
|
|
static void mce_disable_cmci(void *data)
|
2009-06-15 15:21:36 +07:00
|
|
|
{
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
if (!mce_available(raw_cpu_ptr(&cpu_info)))
|
2009-06-15 15:21:36 +07:00
|
|
|
return;
|
|
|
|
cmci_clear();
|
|
|
|
}
|
|
|
|
|
|
|
|
static void mce_enable_ce(void *all)
|
|
|
|
{
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
if (!mce_available(raw_cpu_ptr(&cpu_info)))
|
2009-06-15 15:21:36 +07:00
|
|
|
return;
|
|
|
|
cmci_reenable();
|
|
|
|
cmci_recheck();
|
|
|
|
if (all)
|
2009-10-16 17:31:32 +07:00
|
|
|
__mcheck_cpu_init_timer();
|
2009-06-15 15:21:36 +07:00
|
|
|
}
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static struct bus_type mce_subsys = {
|
2009-04-08 17:31:17 +07:00
|
|
|
.name = "machinecheck",
|
2011-12-22 05:29:42 +07:00
|
|
|
.dev_name = "machinecheck",
|
2005-04-17 05:20:36 +07:00
|
|
|
};
|
|
|
|
|
2012-01-27 06:49:14 +07:00
|
|
|
DEFINE_PER_CPU(struct device *, mce_device);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
|
|
|
void (*threshold_cpu_callback)(unsigned long action, unsigned int cpu);
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static inline struct mce_bank *attr_to_bank(struct device_attribute *attr)
|
2009-07-09 05:31:43 +07:00
|
|
|
{
|
|
|
|
return container_of(attr, struct mce_bank, attr);
|
|
|
|
}
|
2009-02-18 05:07:13 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static ssize_t show_bank(struct device *s, struct device_attribute *attr,
|
2009-02-18 05:07:13 +07:00
|
|
|
char *buf)
|
|
|
|
{
|
2009-07-09 05:31:43 +07:00
|
|
|
return sprintf(buf, "%llx\n", attr_to_bank(attr)->ctl);
|
2009-02-18 05:07:13 +07:00
|
|
|
}
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static ssize_t set_bank(struct device *s, struct device_attribute *attr,
|
2009-04-14 15:26:30 +07:00
|
|
|
const char *buf, size_t size)
|
2009-02-18 05:07:13 +07:00
|
|
|
{
|
2009-04-14 15:26:30 +07:00
|
|
|
u64 new;
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2014-08-09 04:24:03 +07:00
|
|
|
if (kstrtou64(buf, 0, &new) < 0)
|
2009-02-18 05:07:13 +07:00
|
|
|
return -EINVAL;
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2009-07-09 05:31:43 +07:00
|
|
|
attr_to_bank(attr)->ctl = new;
|
2009-02-18 05:07:13 +07:00
|
|
|
mce_restart();
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2009-04-14 15:26:30 +07:00
|
|
|
return size;
|
2009-02-18 05:07:13 +07:00
|
|
|
}
|
2007-02-13 19:26:23 +07:00
|
|
|
|
2009-04-08 17:31:17 +07:00
|
|
|
static ssize_t
|
2011-12-22 05:29:42 +07:00
|
|
|
show_trigger(struct device *s, struct device_attribute *attr, char *buf)
|
2007-02-13 19:26:23 +07:00
|
|
|
{
|
2009-06-15 15:20:57 +07:00
|
|
|
strcpy(buf, mce_helper);
|
2007-02-13 19:26:23 +07:00
|
|
|
strcat(buf, "\n");
|
2009-06-15 15:20:57 +07:00
|
|
|
return strlen(mce_helper) + 1;
|
2007-02-13 19:26:23 +07:00
|
|
|
}
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static ssize_t set_trigger(struct device *s, struct device_attribute *attr,
|
2009-04-08 17:31:17 +07:00
|
|
|
const char *buf, size_t siz)
|
2007-02-13 19:26:23 +07:00
|
|
|
{
|
|
|
|
char *p;
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2009-06-15 15:20:57 +07:00
|
|
|
strncpy(mce_helper, buf, sizeof(mce_helper));
|
|
|
|
mce_helper[sizeof(mce_helper)-1] = 0;
|
|
|
|
p = strchr(mce_helper, '\n');
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2009-07-16 15:45:11 +07:00
|
|
|
if (p)
|
2009-04-08 17:31:17 +07:00
|
|
|
*p = 0;
|
|
|
|
|
2009-07-16 15:45:11 +07:00
|
|
|
return strlen(mce_helper) + !!p;
|
2007-02-13 19:26:23 +07:00
|
|
|
}
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static ssize_t set_ignore_ce(struct device *s,
|
|
|
|
struct device_attribute *attr,
|
2009-06-15 15:21:36 +07:00
|
|
|
const char *buf, size_t size)
|
|
|
|
{
|
|
|
|
u64 new;
|
|
|
|
|
2014-08-09 04:24:03 +07:00
|
|
|
if (kstrtou64(buf, 0, &new) < 0)
|
2009-06-15 15:21:36 +07:00
|
|
|
return -EINVAL;
|
|
|
|
|
2012-10-16 01:25:17 +07:00
|
|
|
if (mca_cfg.ignore_ce ^ !!new) {
|
2009-06-15 15:21:36 +07:00
|
|
|
if (new) {
|
|
|
|
/* disable ce features */
|
2011-06-17 15:40:36 +07:00
|
|
|
mce_timer_delete_all();
|
|
|
|
on_each_cpu(mce_disable_cmci, NULL, 1);
|
2012-10-16 01:25:17 +07:00
|
|
|
mca_cfg.ignore_ce = true;
|
2009-06-15 15:21:36 +07:00
|
|
|
} else {
|
|
|
|
/* enable ce features */
|
2012-10-16 01:25:17 +07:00
|
|
|
mca_cfg.ignore_ce = false;
|
2009-06-15 15:21:36 +07:00
|
|
|
on_each_cpu(mce_enable_ce, (void *)1, 1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return size;
|
|
|
|
}
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static ssize_t set_cmci_disabled(struct device *s,
|
|
|
|
struct device_attribute *attr,
|
2009-06-15 15:21:36 +07:00
|
|
|
const char *buf, size_t size)
|
|
|
|
{
|
|
|
|
u64 new;
|
|
|
|
|
2014-08-09 04:24:03 +07:00
|
|
|
if (kstrtou64(buf, 0, &new) < 0)
|
2009-06-15 15:21:36 +07:00
|
|
|
return -EINVAL;
|
|
|
|
|
2012-10-16 01:25:17 +07:00
|
|
|
if (mca_cfg.cmci_disabled ^ !!new) {
|
2009-06-15 15:21:36 +07:00
|
|
|
if (new) {
|
|
|
|
/* disable cmci */
|
2011-06-17 15:40:36 +07:00
|
|
|
on_each_cpu(mce_disable_cmci, NULL, 1);
|
2012-10-16 01:25:17 +07:00
|
|
|
mca_cfg.cmci_disabled = true;
|
2009-06-15 15:21:36 +07:00
|
|
|
} else {
|
|
|
|
/* enable cmci */
|
2012-10-16 01:25:17 +07:00
|
|
|
mca_cfg.cmci_disabled = false;
|
2009-06-15 15:21:36 +07:00
|
|
|
on_each_cpu(mce_enable_ce, NULL, 1);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return size;
|
|
|
|
}
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static ssize_t store_int_with_restart(struct device *s,
|
|
|
|
struct device_attribute *attr,
|
2009-05-28 02:56:52 +07:00
|
|
|
const char *buf, size_t size)
|
|
|
|
{
|
2011-12-22 05:29:42 +07:00
|
|
|
ssize_t ret = device_store_int(s, attr, buf, size);
|
2009-05-28 02:56:52 +07:00
|
|
|
mce_restart();
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static DEVICE_ATTR(trigger, 0644, show_trigger, set_trigger);
|
2012-10-15 23:03:57 +07:00
|
|
|
static DEVICE_INT_ATTR(tolerant, 0644, mca_cfg.tolerant);
|
2012-10-16 00:59:18 +07:00
|
|
|
static DEVICE_INT_ATTR(monarch_timeout, 0644, mca_cfg.monarch_timeout);
|
2012-10-15 23:03:57 +07:00
|
|
|
static DEVICE_BOOL_ATTR(dont_log_ce, 0644, mca_cfg.dont_log_ce);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static struct dev_ext_attribute dev_attr_check_interval = {
|
|
|
|
__ATTR(check_interval, 0644, device_show_int, store_int_with_restart),
|
2009-05-28 02:56:52 +07:00
|
|
|
&check_interval
|
|
|
|
};
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static struct dev_ext_attribute dev_attr_ignore_ce = {
|
2012-10-16 01:25:17 +07:00
|
|
|
__ATTR(ignore_ce, 0644, device_show_bool, set_ignore_ce),
|
|
|
|
&mca_cfg.ignore_ce
|
2009-06-15 15:21:36 +07:00
|
|
|
};
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static struct dev_ext_attribute dev_attr_cmci_disabled = {
|
2012-10-16 01:25:17 +07:00
|
|
|
__ATTR(cmci_disabled, 0644, device_show_bool, set_cmci_disabled),
|
|
|
|
&mca_cfg.cmci_disabled
|
2009-06-15 15:21:36 +07:00
|
|
|
};
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static struct device_attribute *mce_device_attrs[] = {
|
|
|
|
&dev_attr_tolerant.attr,
|
|
|
|
&dev_attr_check_interval.attr,
|
|
|
|
&dev_attr_trigger,
|
|
|
|
&dev_attr_monarch_timeout.attr,
|
|
|
|
&dev_attr_dont_log_ce.attr,
|
|
|
|
&dev_attr_ignore_ce.attr,
|
|
|
|
&dev_attr_cmci_disabled.attr,
|
2007-02-13 19:26:23 +07:00
|
|
|
NULL
|
|
|
|
};
|
2005-04-17 05:20:36 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
static cpumask_var_t mce_device_initialized;
|
2007-11-15 08:00:44 +07:00
|
|
|
|
2012-01-17 05:40:28 +07:00
|
|
|
static void mce_device_release(struct device *dev)
|
|
|
|
{
|
|
|
|
kfree(dev);
|
|
|
|
}
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
/* Per cpu device init. All of the cpus still share the same ctrl bank: */
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static int mce_device_create(unsigned int cpu)
|
2005-04-17 05:20:36 +07:00
|
|
|
{
|
2012-01-17 05:40:28 +07:00
|
|
|
struct device *dev;
|
2005-04-17 05:20:36 +07:00
|
|
|
int err;
|
2009-06-18 12:53:24 +07:00
|
|
|
int i, j;
|
2007-10-20 01:35:04 +07:00
|
|
|
|
2007-11-07 08:12:58 +07:00
|
|
|
if (!mce_available(&boot_cpu_data))
|
2005-07-29 11:15:39 +07:00
|
|
|
return -EIO;
|
|
|
|
|
2012-01-17 05:40:28 +07:00
|
|
|
dev = kzalloc(sizeof *dev, GFP_KERNEL);
|
|
|
|
if (!dev)
|
|
|
|
return -ENOMEM;
|
2011-12-22 05:29:42 +07:00
|
|
|
dev->id = cpu;
|
|
|
|
dev->bus = &mce_subsys;
|
2012-01-17 05:40:28 +07:00
|
|
|
dev->release = &mce_device_release;
|
2005-07-29 11:15:39 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
err = device_register(dev);
|
2013-11-30 03:28:48 +07:00
|
|
|
if (err) {
|
|
|
|
put_device(dev);
|
2007-10-18 17:05:15 +07:00
|
|
|
return err;
|
2013-11-30 03:28:48 +07:00
|
|
|
}
|
2007-10-18 17:05:15 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
for (i = 0; mce_device_attrs[i]; i++) {
|
|
|
|
err = device_create_file(dev, mce_device_attrs[i]);
|
2007-10-18 17:05:15 +07:00
|
|
|
if (err)
|
|
|
|
goto error;
|
|
|
|
}
|
2012-10-15 23:03:57 +07:00
|
|
|
for (j = 0; j < mca_cfg.banks; j++) {
|
2011-12-22 05:29:42 +07:00
|
|
|
err = device_create_file(dev, &mce_banks[j].attr);
|
2009-02-18 05:07:13 +07:00
|
|
|
if (err)
|
|
|
|
goto error2;
|
|
|
|
}
|
2011-12-22 05:29:42 +07:00
|
|
|
cpumask_set_cpu(cpu, mce_device_initialized);
|
2012-01-27 06:49:14 +07:00
|
|
|
per_cpu(mce_device, cpu) = dev;
|
2005-07-29 11:15:39 +07:00
|
|
|
|
2007-10-18 17:05:15 +07:00
|
|
|
return 0;
|
2009-02-18 05:07:13 +07:00
|
|
|
error2:
|
2009-06-18 12:53:24 +07:00
|
|
|
while (--j >= 0)
|
2011-12-22 05:29:42 +07:00
|
|
|
device_remove_file(dev, &mce_banks[j].attr);
|
2007-10-18 17:05:15 +07:00
|
|
|
error:
|
2009-04-08 17:31:17 +07:00
|
|
|
while (--i >= 0)
|
2011-12-22 05:29:42 +07:00
|
|
|
device_remove_file(dev, mce_device_attrs[i]);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
device_unregister(dev);
|
2007-10-18 17:05:15 +07:00
|
|
|
|
2005-07-29 11:15:39 +07:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static void mce_device_remove(unsigned int cpu)
|
2005-07-29 11:15:39 +07:00
|
|
|
{
|
2012-01-27 06:49:14 +07:00
|
|
|
struct device *dev = per_cpu(mce_device, cpu);
|
2006-01-12 04:43:06 +07:00
|
|
|
int i;
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
if (!cpumask_test_cpu(cpu, mce_device_initialized))
|
2007-11-15 08:00:44 +07:00
|
|
|
return;
|
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
for (i = 0; mce_device_attrs[i]; i++)
|
|
|
|
device_remove_file(dev, mce_device_attrs[i]);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
for (i = 0; i < mca_cfg.banks; i++)
|
2011-12-22 05:29:42 +07:00
|
|
|
device_remove_file(dev, &mce_banks[i].attr);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
device_unregister(dev);
|
|
|
|
cpumask_clear_cpu(cpu, mce_device_initialized);
|
2012-01-27 06:49:14 +07:00
|
|
|
per_cpu(mce_device, cpu) = NULL;
|
2005-07-29 11:15:39 +07:00
|
|
|
}
|
|
|
|
|
2009-02-12 19:39:31 +07:00
|
|
|
/* Make sure there are no machine checks on offlined CPUs. */
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static void mce_disable_cpu(void *h)
|
2009-02-12 19:39:31 +07:00
|
|
|
{
|
2009-02-12 19:49:36 +07:00
|
|
|
unsigned long action = *(unsigned long *)h;
|
2009-02-12 19:39:31 +07:00
|
|
|
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
if (!mce_available(raw_cpu_ptr(&cpu_info)))
|
2009-02-12 19:39:31 +07:00
|
|
|
return;
|
2009-11-26 15:29:02 +07:00
|
|
|
|
2009-02-12 19:49:36 +07:00
|
|
|
if (!(action & CPU_TASKS_FROZEN))
|
|
|
|
cmci_clear();
|
2009-09-23 22:49:55 +07:00
|
|
|
|
x86/mce: Don't clear shared banks on Intel when offlining CPUs
It is not safe to clear global MCi_CTL banks during CPU offline
or suspend/resume operations. These MSRs are either
thread-scoped (meaning private to a thread), or core-scoped
(private to threads in that core only), or with a socket scope:
visible and controllable from all threads in the socket.
When we offline a single CPU, clearing those MCi_CTL bits will
stop signaling for all the shared, i.e., socket-wide resources,
such as LLC, iMC, etc.
In addition, it might be possible to compromise the integrity of
an Intel Secure Guard eXtentions (SGX) system if the attacker
has control of the host system and is able to inject errors
which would be otherwise ignored when MCi_CTL bits are cleared.
Hence on SGX enabled systems, if MCi_CTL is cleared, SGX gets
disabled.
Tested-by: Serge Ayoun <serge.ayoun@intel.com>
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
[ Cleanup text. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/1441391390-16985-1-git-send-email-ashok.raj@intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2015-09-28 14:21:43 +07:00
|
|
|
vendor_disable_error_reporting();
|
2009-02-12 19:39:31 +07:00
|
|
|
}
|
|
|
|
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static void mce_reenable_cpu(void *h)
|
2009-02-12 19:39:31 +07:00
|
|
|
{
|
2009-02-12 19:49:36 +07:00
|
|
|
unsigned long action = *(unsigned long *)h;
|
2009-04-08 17:31:17 +07:00
|
|
|
int i;
|
2009-02-12 19:39:31 +07:00
|
|
|
|
x86: Replace __get_cpu_var uses
__get_cpu_var() is used for multiple purposes in the kernel source. One of
them is address calculation via the form &__get_cpu_var(x). This calculates
the address for the instance of the percpu variable of the current processor
based on an offset.
Other use cases are for storing and retrieving data from the current
processors percpu area. __get_cpu_var() can be used as an lvalue when
writing data or on the right side of an assignment.
__get_cpu_var() is defined as :
#define __get_cpu_var(var) (*this_cpu_ptr(&(var)))
__get_cpu_var() always only does an address determination. However, store
and retrieve operations could use a segment prefix (or global register on
other platforms) to avoid the address calculation.
this_cpu_write() and this_cpu_read() can directly take an offset into a
percpu area and use optimized assembly code to read and write per cpu
variables.
This patch converts __get_cpu_var into either an explicit address
calculation using this_cpu_ptr() or into a use of this_cpu operations that
use the offset. Thereby address calculations are avoided and less registers
are used when code is generated.
Transformations done to __get_cpu_var()
1. Determine the address of the percpu instance of the current processor.
DEFINE_PER_CPU(int, y);
int *x = &__get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(&y);
2. Same as #1 but this time an array structure is involved.
DEFINE_PER_CPU(int, y[20]);
int *x = __get_cpu_var(y);
Converts to
int *x = this_cpu_ptr(y);
3. Retrieve the content of the current processors instance of a per cpu
variable.
DEFINE_PER_CPU(int, y);
int x = __get_cpu_var(y)
Converts to
int x = __this_cpu_read(y);
4. Retrieve the content of a percpu struct
DEFINE_PER_CPU(struct mystruct, y);
struct mystruct x = __get_cpu_var(y);
Converts to
memcpy(&x, this_cpu_ptr(&y), sizeof(x));
5. Assignment to a per cpu variable
DEFINE_PER_CPU(int, y)
__get_cpu_var(y) = x;
Converts to
__this_cpu_write(y, x);
6. Increment/Decrement etc of a per cpu variable
DEFINE_PER_CPU(int, y);
__get_cpu_var(y)++
Converts to
__this_cpu_inc(y)
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86@kernel.org
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
2014-08-18 00:30:40 +07:00
|
|
|
if (!mce_available(raw_cpu_ptr(&cpu_info)))
|
2009-02-12 19:39:31 +07:00
|
|
|
return;
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2009-02-12 19:49:36 +07:00
|
|
|
if (!(action & CPU_TASKS_FROZEN))
|
|
|
|
cmci_reenable();
|
2012-10-15 23:03:57 +07:00
|
|
|
for (i = 0; i < mca_cfg.banks; i++) {
|
2009-07-09 05:31:43 +07:00
|
|
|
struct mce_bank *b = &mce_banks[i];
|
2009-09-23 22:49:55 +07:00
|
|
|
|
2009-07-09 05:31:43 +07:00
|
|
|
if (b->init)
|
2009-07-09 05:31:44 +07:00
|
|
|
wrmsrl(MSR_IA32_MCx_CTL(i), b->ctl);
|
2009-04-27 23:37:43 +07:00
|
|
|
}
|
2009-02-12 19:39:31 +07:00
|
|
|
}
|
|
|
|
|
2005-07-29 11:15:39 +07:00
|
|
|
/* Get notified when a cpu comes on/off. Be hotplug friendly. */
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static int
|
2009-04-08 17:31:17 +07:00
|
|
|
mce_cpu_callback(struct notifier_block *nfb, unsigned long action, void *hcpu)
|
2005-07-29 11:15:39 +07:00
|
|
|
{
|
|
|
|
unsigned int cpu = (unsigned long)hcpu;
|
2009-02-12 19:39:29 +07:00
|
|
|
struct timer_list *t = &per_cpu(mce_timer, cpu);
|
2005-07-29 11:15:39 +07:00
|
|
|
|
2012-07-20 00:59:40 +07:00
|
|
|
switch (action & ~CPU_TASKS_FROZEN) {
|
2007-11-15 08:00:44 +07:00
|
|
|
case CPU_ONLINE:
|
2011-12-22 05:29:42 +07:00
|
|
|
mce_device_create(cpu);
|
x86 MCE: Fix CPU hotplug problem with multiple multicore AMD CPUs
During CPU hot-remove the sysfs directory created by
threshold_create_bank(), defined in
arch/x86/kernel/cpu/mcheck/mce_amd_64.c, has to be removed before
its parent directory, created by mce_create_device(), defined in
arch/x86/kernel/cpu/mcheck/mce_64.c . Moreover, when the CPU in
question is hotplugged again, obviously the latter has to be created
before the former. At present, the right ordering is not enforced,
because all of these operations are carried out by CPU hotplug
notifiers which are not appropriately ordered with respect to each
other. This leads to serious problems on systems with two or more
multicore AMD CPUs, among other things during suspend and hibernation.
Fix the problem by placing threshold bank CPU hotplug callbacks in
mce_cpu_callback(), so that they are invoked at the right places,
if defined. Additionally, use kobject_del() to remove the sysfs
directory associated with the kobject created by
kobject_create_and_add() in threshold_create_bank(), to prevent the
kernel from crashing during CPU hotplug operations on systems with
two or more multicore AMD CPUs.
This patch fixes bug #11337.
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Acked-by: Andi Kleen <andi@firstfloor.org>
Tested-by: Mark Langsdorf <mark.langsdorf@amd.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-08-23 03:23:09 +07:00
|
|
|
if (threshold_cpu_callback)
|
|
|
|
threshold_cpu_callback(action, cpu);
|
2005-07-29 11:15:39 +07:00
|
|
|
break;
|
|
|
|
case CPU_DEAD:
|
x86 MCE: Fix CPU hotplug problem with multiple multicore AMD CPUs
During CPU hot-remove the sysfs directory created by
threshold_create_bank(), defined in
arch/x86/kernel/cpu/mcheck/mce_amd_64.c, has to be removed before
its parent directory, created by mce_create_device(), defined in
arch/x86/kernel/cpu/mcheck/mce_64.c . Moreover, when the CPU in
question is hotplugged again, obviously the latter has to be created
before the former. At present, the right ordering is not enforced,
because all of these operations are carried out by CPU hotplug
notifiers which are not appropriately ordered with respect to each
other. This leads to serious problems on systems with two or more
multicore AMD CPUs, among other things during suspend and hibernation.
Fix the problem by placing threshold bank CPU hotplug callbacks in
mce_cpu_callback(), so that they are invoked at the right places,
if defined. Additionally, use kobject_del() to remove the sysfs
directory associated with the kobject created by
kobject_create_and_add() in threshold_create_bank(), to prevent the
kernel from crashing during CPU hotplug operations on systems with
two or more multicore AMD CPUs.
This patch fixes bug #11337.
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Acked-by: Andi Kleen <andi@firstfloor.org>
Tested-by: Mark Langsdorf <mark.langsdorf@amd.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-08-23 03:23:09 +07:00
|
|
|
if (threshold_cpu_callback)
|
|
|
|
threshold_cpu_callback(action, cpu);
|
2011-12-22 05:29:42 +07:00
|
|
|
mce_device_remove(cpu);
|
2012-08-10 01:44:51 +07:00
|
|
|
mce_intel_hcpu_update(cpu);
|
2014-05-22 21:40:54 +07:00
|
|
|
|
|
|
|
/* intentionally ignoring frozen here */
|
|
|
|
if (!(action & CPU_TASKS_FROZEN))
|
|
|
|
cmci_rediscover();
|
2005-07-29 11:15:39 +07:00
|
|
|
break;
|
2009-02-12 19:39:29 +07:00
|
|
|
case CPU_DOWN_PREPARE:
|
2009-02-12 19:49:36 +07:00
|
|
|
smp_call_function_single(cpu, mce_disable_cpu, &action, 1);
|
2012-08-10 01:44:51 +07:00
|
|
|
del_timer_sync(t);
|
2009-02-12 19:39:29 +07:00
|
|
|
break;
|
|
|
|
case CPU_DOWN_FAILED:
|
2009-02-12 19:49:36 +07:00
|
|
|
smp_call_function_single(cpu, mce_reenable_cpu, &action, 1);
|
2012-07-20 00:59:39 +07:00
|
|
|
mce_start_timer(cpu, t);
|
2009-02-12 19:49:36 +07:00
|
|
|
break;
|
2012-07-20 00:59:40 +07:00
|
|
|
}
|
|
|
|
|
2007-11-15 08:00:44 +07:00
|
|
|
return NOTIFY_OK;
|
2005-07-29 11:15:39 +07:00
|
|
|
}
|
|
|
|
|
x86: delete __cpuinit usage from all x86 files
The __cpuinit type of throwaway sections might have made sense
some time ago when RAM was more constrained, but now the savings
do not offset the cost and complications. For example, the fix in
commit 5e427ec2d0 ("x86: Fix bit corruption at CPU resume time")
is a good example of the nasty type of bugs that can be created
with improper use of the various __init prefixes.
After a discussion on LKML[1] it was decided that cpuinit should go
the way of devinit and be phased out. Once all the users are gone,
we can then finally remove the macros themselves from linux/init.h.
Note that some harmless section mismatch warnings may result, since
notify_cpu_starting() and cpu_up() are arch independent (kernel/cpu.c)
are flagged as __cpuinit -- so if we remove the __cpuinit from
arch specific callers, we will also get section mismatch warnings.
As an intermediate step, we intend to turn the linux/init.h cpuinit
content into no-ops as early as possible, since that will get rid
of these warnings. In any case, they are temporary and harmless.
This removes all the arch/x86 uses of the __cpuinit macros from
all C files. x86 only had the one __CPUINIT used in assembly files,
and it wasn't paired off with a .previous or a __FINIT, so we can
delete it directly w/o any corresponding additional change there.
[1] https://lkml.org/lkml/2013/5/20/589
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: x86@kernel.org
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
2013-06-19 05:23:59 +07:00
|
|
|
static struct notifier_block mce_cpu_notifier = {
|
2005-07-29 11:15:39 +07:00
|
|
|
.notifier_call = mce_cpu_callback,
|
|
|
|
};
|
|
|
|
|
2009-07-09 05:31:43 +07:00
|
|
|
static __init void mce_init_banks(void)
|
2009-02-18 05:07:13 +07:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2012-10-15 23:03:57 +07:00
|
|
|
for (i = 0; i < mca_cfg.banks; i++) {
|
2009-07-09 05:31:43 +07:00
|
|
|
struct mce_bank *b = &mce_banks[i];
|
2011-12-22 05:29:42 +07:00
|
|
|
struct device_attribute *a = &b->attr;
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2010-02-12 06:23:05 +07:00
|
|
|
sysfs_attr_init(&a->attr);
|
2009-07-09 05:31:43 +07:00
|
|
|
a->attr.name = b->attrname;
|
|
|
|
snprintf(b->attrname, ATTR_LEN, "bank%d", i);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
|
|
|
a->attr.mode = 0644;
|
|
|
|
a->show = show_bank;
|
|
|
|
a->store = set_bank;
|
2009-02-18 05:07:13 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2009-10-16 17:31:32 +07:00
|
|
|
static __init int mcheck_init_device(void)
|
2005-07-29 11:15:39 +07:00
|
|
|
{
|
|
|
|
int err;
|
|
|
|
int i = 0;
|
|
|
|
|
2014-05-28 14:12:37 +07:00
|
|
|
if (!mce_available(&boot_cpu_data)) {
|
|
|
|
err = -EIO;
|
|
|
|
goto err_out;
|
|
|
|
}
|
2009-02-18 05:07:13 +07:00
|
|
|
|
2014-05-28 14:12:37 +07:00
|
|
|
if (!zalloc_cpumask_var(&mce_device_initialized, GFP_KERNEL)) {
|
|
|
|
err = -ENOMEM;
|
|
|
|
goto err_out;
|
|
|
|
}
|
2009-03-13 11:19:51 +07:00
|
|
|
|
2009-07-09 05:31:43 +07:00
|
|
|
mce_init_banks();
|
2009-02-18 05:07:13 +07:00
|
|
|
|
2011-12-22 05:29:42 +07:00
|
|
|
err = subsys_system_register(&mce_subsys, NULL);
|
2007-10-18 17:05:15 +07:00
|
|
|
if (err)
|
2014-05-28 14:12:37 +07:00
|
|
|
goto err_out_mem;
|
2005-07-29 11:15:39 +07:00
|
|
|
|
2014-03-11 03:37:04 +07:00
|
|
|
cpu_notifier_register_begin();
|
2005-07-29 11:15:39 +07:00
|
|
|
for_each_online_cpu(i) {
|
2011-12-22 05:29:42 +07:00
|
|
|
err = mce_device_create(i);
|
2014-03-11 03:37:04 +07:00
|
|
|
if (err) {
|
2014-06-21 04:16:45 +07:00
|
|
|
/*
|
|
|
|
* Register notifier anyway (and do not unreg it) so
|
|
|
|
* that we don't leave undeleted timers, see notifier
|
|
|
|
* callback above.
|
|
|
|
*/
|
|
|
|
__register_hotcpu_notifier(&mce_cpu_notifier);
|
2014-03-11 03:37:04 +07:00
|
|
|
cpu_notifier_register_done();
|
2014-05-28 14:12:37 +07:00
|
|
|
goto err_device_create;
|
2014-03-11 03:37:04 +07:00
|
|
|
}
|
2005-07-29 11:15:39 +07:00
|
|
|
}
|
|
|
|
|
2014-03-11 03:37:04 +07:00
|
|
|
__register_hotcpu_notifier(&mce_cpu_notifier);
|
|
|
|
cpu_notifier_register_done();
|
2011-06-08 09:00:45 +07:00
|
|
|
|
2014-05-28 14:12:37 +07:00
|
|
|
register_syscore_ops(&mce_syscore_ops);
|
|
|
|
|
2011-06-08 09:00:45 +07:00
|
|
|
/* register character device /dev/mcelog */
|
2014-05-28 14:12:37 +07:00
|
|
|
err = misc_register(&mce_chrdev_device);
|
|
|
|
if (err)
|
|
|
|
goto err_register;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
err_register:
|
|
|
|
unregister_syscore_ops(&mce_syscore_ops);
|
|
|
|
|
|
|
|
err_device_create:
|
|
|
|
/*
|
|
|
|
* We didn't keep track of which devices were created above, but
|
|
|
|
* even if we had, the set of online cpus might have changed.
|
|
|
|
* Play safe and remove for every possible cpu, since
|
|
|
|
* mce_device_remove() will do the right thing.
|
|
|
|
*/
|
|
|
|
for_each_possible_cpu(i)
|
|
|
|
mce_device_remove(i);
|
|
|
|
|
|
|
|
err_out_mem:
|
|
|
|
free_cpumask_var(mce_device_initialized);
|
|
|
|
|
|
|
|
err_out:
|
|
|
|
pr_err("Unable to init device /dev/mcelog (rc: %d)\n", err);
|
2009-04-08 17:31:17 +07:00
|
|
|
|
2005-04-17 05:20:36 +07:00
|
|
|
return err;
|
|
|
|
}
|
2012-06-07 18:56:51 +07:00
|
|
|
device_initcall_sync(mcheck_init_device);
|
2009-04-08 17:31:25 +07:00
|
|
|
|
2009-04-29 04:07:25 +07:00
|
|
|
/*
|
|
|
|
* Old style boot options parsing. Only for compatibility.
|
|
|
|
*/
|
|
|
|
static int __init mcheck_disable(char *str)
|
|
|
|
{
|
2012-10-17 17:05:33 +07:00
|
|
|
mca_cfg.disabled = true;
|
2009-04-29 04:07:25 +07:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
__setup("nomce", mcheck_disable);
|
2009-04-08 17:31:25 +07:00
|
|
|
|
2009-07-31 08:41:42 +07:00
|
|
|
#ifdef CONFIG_DEBUG_FS
|
|
|
|
struct dentry *mce_get_debugfs_dir(void)
|
2009-04-08 17:31:25 +07:00
|
|
|
{
|
2009-07-31 08:41:42 +07:00
|
|
|
static struct dentry *dmce;
|
2009-04-08 17:31:25 +07:00
|
|
|
|
2009-07-31 08:41:42 +07:00
|
|
|
if (!dmce)
|
|
|
|
dmce = debugfs_create_dir("mce", NULL);
|
2009-04-08 17:31:25 +07:00
|
|
|
|
2009-07-31 08:41:42 +07:00
|
|
|
return dmce;
|
|
|
|
}
|
2009-04-08 17:31:25 +07:00
|
|
|
|
2009-07-31 08:41:43 +07:00
|
|
|
static void mce_reset(void)
|
|
|
|
{
|
|
|
|
cpu_missing = 0;
|
2014-12-04 04:36:45 +07:00
|
|
|
atomic_set(&mce_fake_panicked, 0);
|
2009-07-31 08:41:43 +07:00
|
|
|
atomic_set(&mce_executing, 0);
|
|
|
|
atomic_set(&mce_callin, 0);
|
|
|
|
atomic_set(&global_nwo, 0);
|
|
|
|
}
|
2009-04-08 17:31:25 +07:00
|
|
|
|
2009-07-31 08:41:43 +07:00
|
|
|
static int fake_panic_get(void *data, u64 *val)
|
|
|
|
{
|
|
|
|
*val = fake_panic;
|
|
|
|
return 0;
|
2009-04-08 17:31:25 +07:00
|
|
|
}
|
|
|
|
|
2009-07-31 08:41:43 +07:00
|
|
|
static int fake_panic_set(void *data, u64 val)
|
2009-04-08 17:31:25 +07:00
|
|
|
{
|
2009-07-31 08:41:43 +07:00
|
|
|
mce_reset();
|
|
|
|
fake_panic = val;
|
|
|
|
return 0;
|
2009-04-08 17:31:25 +07:00
|
|
|
}
|
|
|
|
|
2009-07-31 08:41:43 +07:00
|
|
|
DEFINE_SIMPLE_ATTRIBUTE(fake_panic_fops, fake_panic_get,
|
|
|
|
fake_panic_set, "%llu\n");
|
2009-04-29 04:07:25 +07:00
|
|
|
|
2009-10-16 17:31:32 +07:00
|
|
|
static int __init mcheck_debugfs_init(void)
|
2009-04-29 04:07:25 +07:00
|
|
|
{
|
2009-07-31 08:41:43 +07:00
|
|
|
struct dentry *dmce, *ffake_panic;
|
|
|
|
|
|
|
|
dmce = mce_get_debugfs_dir();
|
|
|
|
if (!dmce)
|
|
|
|
return -ENOMEM;
|
|
|
|
ffake_panic = debugfs_create_file("fake_panic", 0444, dmce, NULL,
|
|
|
|
&fake_panic_fops);
|
|
|
|
if (!ffake_panic)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
return 0;
|
2009-04-29 04:07:25 +07:00
|
|
|
}
|
2015-08-12 23:29:36 +07:00
|
|
|
#else
|
|
|
|
static int __init mcheck_debugfs_init(void) { return -EINVAL; }
|
2009-07-31 08:41:42 +07:00
|
|
|
#endif
|
2015-08-12 23:29:36 +07:00
|
|
|
|
|
|
|
static int __init mcheck_late_init(void)
|
|
|
|
{
|
|
|
|
mcheck_debugfs_init();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Flush out everything that has been logged during early boot, now that
|
|
|
|
* everything has been initialized (workqueues, decoders, ...).
|
|
|
|
*/
|
|
|
|
mce_schedule_work();
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
late_initcall(mcheck_late_init);
|