LXR linux/arch/x86/kernel/cpu/mce/severity.c

   1// SPDX-License-Identifier: GPL-2.0-only
   2/*
   3 * MCE grading rules.
   4 * Copyright 2008, 2009 Intel Corporation.
   5 *
   6 * Author: Andi Kleen
   7 */
   8#include <linux/kernel.h>
   9#include <linux/seq_file.h>
  10#include <linux/init.h>
  11#include <linux/debugfs.h>
  12#include <linux/uaccess.h>
  13
  14#include <asm/mce.h>
  15#include <asm/intel-family.h>
  16#include <asm/traps.h>
  17#include <asm/insn.h>
  18#include <asm/insn-eval.h>
  19
  20#include "internal.h"
  21
  22/*
  23 * Grade an mce by severity. In general the most severe ones are processed
  24 * first. Since there are quite a lot of combinations test the bits in a
  25 * table-driven way. The rules are simply processed in order, first
  26 * match wins.
  27 *
  28 * Note this is only used for machine check exceptions, the corrected
  29 * errors use much simpler rules. The exceptions still check for the corrected
  30 * errors, but only to leave them alone for the CMCI handler (except for
  31 * panic situations)
  32 */
  33
  34enum context { IN_KERNEL = 1, IN_USER = 2, IN_KERNEL_RECOV = 3 };
  35enum ser { SER_REQUIRED = 1, NO_SER = 2 };
  36enum exception { EXCP_CONTEXT = 1, NO_EXCP = 2 };
  37
  38static struct severity {
  39        u64 mask;
  40        u64 result;
  41        unsigned char sev;
  42        unsigned char mcgmask;
  43        unsigned char mcgres;
  44        unsigned char ser;
  45        unsigned char context;
  46        unsigned char excp;
  47        unsigned char covered;
  48        unsigned char cpu_model;
  49        unsigned char cpu_minstepping;
  50        unsigned char bank_lo, bank_hi;
  51        char *msg;
  52} severities[] = {
  53#define MCESEV(s, m, c...) { .sev = MCE_ ## s ## _SEVERITY, .msg = m, ## c }
  54#define BANK_RANGE(l, h) .bank_lo = l, .bank_hi = h
  55#define MODEL_STEPPING(m, s) .cpu_model = m, .cpu_minstepping = s
  56#define  KERNEL         .context = IN_KERNEL
  57#define  USER           .context = IN_USER
  58#define  KERNEL_RECOV   .context = IN_KERNEL_RECOV
  59#define  SER            .ser = SER_REQUIRED
  60#define  NOSER          .ser = NO_SER
  61#define  EXCP           .excp = EXCP_CONTEXT
  62#define  NOEXCP         .excp = NO_EXCP
  63#define  BITCLR(x)      .mask = x, .result = 0
  64#define  BITSET(x)      .mask = x, .result = x
  65#define  MCGMASK(x, y)  .mcgmask = x, .mcgres = y
  66#define  MASK(x, y)     .mask = x, .result = y
  67#define MCI_UC_S (MCI_STATUS_UC|MCI_STATUS_S)
  68#define MCI_UC_AR (MCI_STATUS_UC|MCI_STATUS_AR)
  69#define MCI_UC_SAR (MCI_STATUS_UC|MCI_STATUS_S|MCI_STATUS_AR)
  70#define MCI_ADDR (MCI_STATUS_ADDRV|MCI_STATUS_MISCV)
  71
  72        MCESEV(
  73                NO, "Invalid",
  74                BITCLR(MCI_STATUS_VAL)
  75                ),
  76        MCESEV(
  77                NO, "Not enabled",
  78                EXCP, BITCLR(MCI_STATUS_EN)
  79                ),
  80        MCESEV(
  81                PANIC, "Processor context corrupt",
  82                BITSET(MCI_STATUS_PCC)
  83                ),
  84        /* When MCIP is not set something is very confused */
  85        MCESEV(
  86                PANIC, "MCIP not set in MCA handler",
  87                EXCP, MCGMASK(MCG_STATUS_MCIP, 0)
  88                ),
  89        /* Neither return not error IP -- no chance to recover -> PANIC */
  90        MCESEV(
  91                PANIC, "Neither restart nor error IP",
  92                EXCP, MCGMASK(MCG_STATUS_RIPV|MCG_STATUS_EIPV, 0)
  93                ),
  94        MCESEV(
  95                PANIC, "In kernel and no restart IP",
  96                EXCP, KERNEL, MCGMASK(MCG_STATUS_RIPV, 0)
  97                ),
  98        MCESEV(
  99                PANIC, "In kernel and no restart IP",
 100                EXCP, KERNEL_RECOV, MCGMASK(MCG_STATUS_RIPV, 0)
 101                ),
 102        MCESEV(
 103                KEEP, "Corrected error",
 104                NOSER, BITCLR(MCI_STATUS_UC)
 105                ),
 106        /*
 107         * known AO MCACODs reported via MCE or CMC:
 108         *
 109         * SRAO could be signaled either via a machine check exception or
 110         * CMCI with the corresponding bit S 1 or 0. So we don't need to
 111         * check bit S for SRAO.
 112         */
 113        MCESEV(
 114                AO, "Action optional: memory scrubbing error",
 115                SER, MASK(MCI_UC_AR|MCACOD_SCRUBMSK, MCI_STATUS_UC|MCACOD_SCRUB)
 116                ),
 117        MCESEV(
 118                AO, "Action optional: last level cache writeback error",
 119                SER, MASK(MCI_UC_AR|MCACOD, MCI_STATUS_UC|MCACOD_L3WB)
 120                ),
 121        /*
 122         * Quirk for Skylake/Cascade Lake. Patrol scrubber may be configured
 123         * to report uncorrected errors using CMCI with a special signature.
 124         * UC=0, MSCOD=0x0010, MCACOD=binary(000X 0000 1100 XXXX) reported
 125         * in one of the memory controller banks.
 126         * Set severity to "AO" for same action as normal patrol scrub error.
 127         */
 128        MCESEV(
 129                AO, "Uncorrected Patrol Scrub Error",
 130                SER, MASK(MCI_STATUS_UC|MCI_ADDR|0xffffeff0, MCI_ADDR|0x001000c0),
 131                MODEL_STEPPING(INTEL_FAM6_SKYLAKE_X, 4), BANK_RANGE(13, 18)
 132        ),
 133
 134        /* ignore OVER for UCNA */
 135        MCESEV(
 136                UCNA, "Uncorrected no action required",
 137                SER, MASK(MCI_UC_SAR, MCI_STATUS_UC)
 138                ),
 139        MCESEV(
 140                PANIC, "Illegal combination (UCNA with AR=1)",
 141                SER,
 142                MASK(MCI_STATUS_OVER|MCI_UC_SAR, MCI_STATUS_UC|MCI_STATUS_AR)
 143                ),
 144        MCESEV(
 145                KEEP, "Non signalled machine check",
 146                SER, BITCLR(MCI_STATUS_S)
 147                ),
 148
 149        MCESEV(
 150                PANIC, "Action required with lost events",
 151                SER, BITSET(MCI_STATUS_OVER|MCI_UC_SAR)
 152                ),
 153
 154        /* known AR MCACODs: */
 155#ifdef  CONFIG_MEMORY_FAILURE
 156        MCESEV(
 157                KEEP, "Action required but unaffected thread is continuable",
 158                SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR, MCI_UC_SAR|MCI_ADDR),
 159                MCGMASK(MCG_STATUS_RIPV|MCG_STATUS_EIPV, MCG_STATUS_RIPV)
 160                ),
 161        MCESEV(
 162                AR, "Action required: data load in error recoverable area of kernel",
 163                SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_DATA),
 164                KERNEL_RECOV
 165                ),
 166        MCESEV(
 167                AR, "Action required: data load error in a user process",
 168                SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_DATA),
 169                USER
 170                ),
 171        MCESEV(
 172                AR, "Action required: instruction fetch error in a user process",
 173                SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_INSTR),
 174                USER
 175                ),
 176        MCESEV(
 177                PANIC, "Data load in unrecoverable area of kernel",
 178                SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_DATA),
 179                KERNEL
 180                ),
 181        MCESEV(
 182                PANIC, "Instruction fetch error in kernel",
 183                SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR|MCI_ADDR|MCACOD, MCI_UC_SAR|MCI_ADDR|MCACOD_INSTR),
 184                KERNEL
 185                ),
 186#endif
 187        MCESEV(
 188                PANIC, "Action required: unknown MCACOD",
 189                SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR, MCI_UC_SAR)
 190                ),
 191
 192        MCESEV(
 193                SOME, "Action optional: unknown MCACOD",
 194                SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR, MCI_UC_S)
 195                ),
 196        MCESEV(
 197                SOME, "Action optional with lost events",
 198                SER, MASK(MCI_STATUS_OVER|MCI_UC_SAR, MCI_STATUS_OVER|MCI_UC_S)
 199                ),
 200
 201        MCESEV(
 202                PANIC, "Overflowed uncorrected",
 203                BITSET(MCI_STATUS_OVER|MCI_STATUS_UC)
 204                ),
 205        MCESEV(
 206                UC, "Uncorrected",
 207                BITSET(MCI_STATUS_UC)
 208                ),
 209        MCESEV(
 210                SOME, "No match",
 211                BITSET(0)
 212                )       /* always matches. keep at end */
 213};
 214
 215#define mc_recoverable(mcg) (((mcg) & (MCG_STATUS_RIPV|MCG_STATUS_EIPV)) == \
 216                                (MCG_STATUS_RIPV|MCG_STATUS_EIPV))
 217
 218static bool is_copy_from_user(struct pt_regs *regs)
 219{
 220        u8 insn_buf[MAX_INSN_SIZE];
 221        struct insn insn;
 222        unsigned long addr;
 223
 224        if (copy_from_kernel_nofault(insn_buf, (void *)regs->ip, MAX_INSN_SIZE))
 225                return false;
 226
 227        kernel_insn_init(&insn, insn_buf, MAX_INSN_SIZE);
 228        insn_get_opcode(&insn);
 229        if (!insn.opcode.got)
 230                return false;
 231
 232        switch (insn.opcode.value) {
 233        /* MOV mem,reg */
 234        case 0x8A: case 0x8B:
 235        /* MOVZ mem,reg */
 236        case 0xB60F: case 0xB70F:
 237                insn_get_modrm(&insn);
 238                insn_get_sib(&insn);
 239                if (!insn.modrm.got || !insn.sib.got)
 240                        return false;
 241                addr = (unsigned long)insn_get_addr_ref(&insn, regs);
 242                break;
 243        /* REP MOVS */
 244        case 0xA4: case 0xA5:
 245                addr = regs->si;
 246                break;
 247        default:
 248                return false;
 249        }
 250
 251        if (fault_in_kernel_space(addr))
 252                return false;
 253
 254        current->mce_vaddr = (void __user *)addr;
 255
 256        return true;
 257}
 258
 259/*
 260 * If mcgstatus indicated that ip/cs on the stack were
 261 * no good, then "m->cs" will be zero and we will have
 262 * to assume the worst case (IN_KERNEL) as we actually
 263 * have no idea what we were executing when the machine
 264 * check hit.
 265 * If we do have a good "m->cs" (or a faked one in the
 266 * case we were executing in VM86 mode) we can use it to
 267 * distinguish an exception taken in user from from one
 268 * taken in the kernel.
 269 */
 270static int error_context(struct mce *m, struct pt_regs *regs)
 271{
 272        enum handler_type t;
 273
 274        if ((m->cs & 3) == 3)
 275                return IN_USER;
 276        if (!mc_recoverable(m->mcgstatus))
 277                return IN_KERNEL;
 278
 279        t = ex_get_fault_handler_type(m->ip);
 280        if (t == EX_HANDLER_FAULT) {
 281                m->kflags |= MCE_IN_KERNEL_RECOV;
 282                return IN_KERNEL_RECOV;
 283        }
 284        if (t == EX_HANDLER_UACCESS && regs && is_copy_from_user(regs)) {
 285                m->kflags |= MCE_IN_KERNEL_RECOV;
 286                m->kflags |= MCE_IN_KERNEL_COPYIN;
 287                return IN_KERNEL_RECOV;
 288        }
 289
 290        return IN_KERNEL;
 291}
 292
 293static int mce_severity_amd_smca(struct mce *m, enum context err_ctx)
 294{
 295        u32 addr = MSR_AMD64_SMCA_MCx_CONFIG(m->bank);
 296        u32 low, high;
 297
 298        /*
 299         * We need to look at the following bits:
 300         * - "succor" bit (data poisoning support), and
 301         * - TCC bit (Task Context Corrupt)
 302         * in MCi_STATUS to determine error severity.
 303         */
 304        if (!mce_flags.succor)
 305                return MCE_PANIC_SEVERITY;
 306
 307        if (rdmsr_safe(addr, &low, &high))
 308                return MCE_PANIC_SEVERITY;
 309
 310        /* TCC (Task context corrupt). If set and if IN_KERNEL, panic. */
 311        if ((low & MCI_CONFIG_MCAX) &&
 312            (m->status & MCI_STATUS_TCC) &&
 313            (err_ctx == IN_KERNEL))
 314                return MCE_PANIC_SEVERITY;
 315
 316         /* ...otherwise invoke hwpoison handler. */
 317        return MCE_AR_SEVERITY;
 318}
 319
 320/*
 321 * See AMD Error Scope Hierarchy table in a newer BKDG. For example
 322 * 49125_15h_Models_30h-3Fh_BKDG.pdf, section "RAS Features"
 323 */
 324static int mce_severity_amd(struct mce *m, struct pt_regs *regs, int tolerant,
 325                            char **msg, bool is_excp)
 326{
 327        enum context ctx = error_context(m, regs);
 328
 329        /* Processor Context Corrupt, no need to fumble too much, die! */
 330        if (m->status & MCI_STATUS_PCC)
 331                return MCE_PANIC_SEVERITY;
 332
 333        if (m->status & MCI_STATUS_UC) {
 334
 335                if (ctx == IN_KERNEL)
 336                        return MCE_PANIC_SEVERITY;
 337
 338                /*
 339                 * On older systems where overflow_recov flag is not present, we
 340                 * should simply panic if an error overflow occurs. If
 341                 * overflow_recov flag is present and set, then software can try
 342                 * to at least kill process to prolong system operation.
 343                 */
 344                if (mce_flags.overflow_recov) {
 345                        if (mce_flags.smca)
 346                                return mce_severity_amd_smca(m, ctx);
 347
 348                        /* kill current process */
 349                        return MCE_AR_SEVERITY;
 350                } else {
 351                        /* at least one error was not logged */
 352                        if (m->status & MCI_STATUS_OVER)
 353                                return MCE_PANIC_SEVERITY;
 354                }
 355
 356                /*
 357                 * For any other case, return MCE_UC_SEVERITY so that we log the
 358                 * error and exit #MC handler.
 359                 */
 360                return MCE_UC_SEVERITY;
 361        }
 362
 363        /*
 364         * deferred error: poll handler catches these and adds to mce_ring so
 365         * memory-failure can take recovery actions.
 366         */
 367        if (m->status & MCI_STATUS_DEFERRED)
 368                return MCE_DEFERRED_SEVERITY;
 369
 370        /*
 371         * corrected error: poll handler catches these and passes responsibility
 372         * of decoding the error to EDAC
 373         */
 374        return MCE_KEEP_SEVERITY;
 375}
 376
 377static int mce_severity_intel(struct mce *m, struct pt_regs *regs,
 378                              int tolerant, char **msg, bool is_excp)
 379{
 380        enum exception excp = (is_excp ? EXCP_CONTEXT : NO_EXCP);
 381        enum context ctx = error_context(m, regs);
 382        struct severity *s;
 383
 384        for (s = severities;; s++) {
 385                if ((m->status & s->mask) != s->result)
 386                        continue;
 387                if ((m->mcgstatus & s->mcgmask) != s->mcgres)
 388                        continue;
 389                if (s->ser == SER_REQUIRED && !mca_cfg.ser)
 390                        continue;
 391                if (s->ser == NO_SER && mca_cfg.ser)
 392                        continue;
 393                if (s->context && ctx != s->context)
 394                        continue;
 395                if (s->excp && excp != s->excp)
 396                        continue;
 397                if (s->cpu_model && boot_cpu_data.x86_model != s->cpu_model)
 398                        continue;
 399                if (s->cpu_minstepping && boot_cpu_data.x86_stepping < s->cpu_minstepping)
 400                        continue;
 401                if (s->bank_lo && (m->bank < s->bank_lo || m->bank > s->bank_hi))
 402                        continue;
 403                if (msg)
 404                        *msg = s->msg;
 405                s->covered = 1;
 406                if (s->sev >= MCE_UC_SEVERITY && ctx == IN_KERNEL) {
 407                        if (tolerant < 1)
 408                                return MCE_PANIC_SEVERITY;
 409                }
 410                return s->sev;
 411        }
 412}
 413
 414/* Default to mce_severity_intel */
 415int (*mce_severity)(struct mce *m, struct pt_regs *regs, int tolerant, char **msg, bool is_excp) =
 416                    mce_severity_intel;
 417
 418void __init mcheck_vendor_init_severity(void)
 419{
 420        if (boot_cpu_data.x86_vendor == X86_VENDOR_AMD ||
 421            boot_cpu_data.x86_vendor == X86_VENDOR_HYGON)
 422                mce_severity = mce_severity_amd;
 423}
 424
 425#ifdef CONFIG_DEBUG_FS
 426static void *s_start(struct seq_file *f, loff_t *pos)
 427{
 428        if (*pos >= ARRAY_SIZE(severities))
 429                return NULL;
 430        return &severities[*pos];
 431}
 432
 433static void *s_next(struct seq_file *f, void *data, loff_t *pos)
 434{
 435        if (++(*pos) >= ARRAY_SIZE(severities))
 436                return NULL;
 437        return &severities[*pos];
 438}
 439
 440static void s_stop(struct seq_file *f, void *data)
 441{
 442}
 443
 444static int s_show(struct seq_file *f, void *data)
 445{
 446        struct severity *ser = data;
 447        seq_printf(f, "%d\t%s\n", ser->covered, ser->msg);
 448        return 0;
 449}
 450
 451static const struct seq_operations severities_seq_ops = {
 452        .start  = s_start,
 453        .next   = s_next,
 454        .stop   = s_stop,
 455        .show   = s_show,
 456};
 457
 458static int severities_coverage_open(struct inode *inode, struct file *file)
 459{
 460        return seq_open(file, &severities_seq_ops);
 461}
 462
 463static ssize_t severities_coverage_write(struct file *file,
 464                                         const char __user *ubuf,
 465                                         size_t count, loff_t *ppos)
 466{
 467        int i;
 468        for (i = 0; i < ARRAY_SIZE(severities); i++)
 469                severities[i].covered = 0;
 470        return count;
 471}
 472
 473static const struct file_operations severities_coverage_fops = {
 474        .open           = severities_coverage_open,
 475        .release        = seq_release,
 476        .read           = seq_read,
 477        .write          = severities_coverage_write,
 478        .llseek         = seq_lseek,
 479};
 480
 481static int __init severities_debugfs_init(void)
 482{
 483        struct dentry *dmce;
 484
 485        dmce = mce_get_debugfs_dir();
 486
 487        debugfs_create_file("severities-coverage", 0444, dmce, NULL,
 488                            &severities_coverage_fops);
 489        return 0;
 490}
 491late_initcall(severities_debugfs_init);
 492#endif /* CONFIG_DEBUG_FS */
 493