1 | /* |
2 | * Copyright (c) 2000-2020 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | /* |
29 | * @OSF_COPYRIGHT@ |
30 | */ |
31 | /* |
32 | * Mach Operating System |
33 | * Copyright (c) 1991,1990,1989 Carnegie Mellon University |
34 | * All Rights Reserved. |
35 | * |
36 | * Permission to use, copy, modify and distribute this software and its |
37 | * documentation is hereby granted, provided that both the copyright |
38 | * notice and this permission notice appear in all copies of the |
39 | * software, derivative works or modified versions, and any portions |
40 | * thereof, and that both notices appear in supporting documentation. |
41 | * |
42 | * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" |
43 | * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR |
44 | * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. |
45 | * |
46 | * Carnegie Mellon requests users of this software to return to |
47 | * |
48 | * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU |
49 | * School of Computer Science |
50 | * Carnegie Mellon University |
51 | * Pittsburgh PA 15213-3890 |
52 | * |
53 | * any improvements or extensions that they make and grant Carnegie Mellon |
54 | * the rights to redistribute these changes. |
55 | */ |
56 | |
57 | #include <mach_assert.h> |
58 | #include <mach_kdp.h> |
59 | #include <kdp/kdp.h> |
60 | #include <kdp/kdp_core.h> |
61 | #include <kdp/kdp_internal.h> |
62 | #include <kdp/kdp_callout.h> |
63 | #include <kern/cpu_number.h> |
64 | #include <kern/kalloc.h> |
65 | #include <kern/percpu.h> |
66 | #include <kern/spl.h> |
67 | #include <kern/thread.h> |
68 | #include <kern/assert.h> |
69 | #include <kern/sched_prim.h> |
70 | #include <kern/socd_client.h> |
71 | #include <kern/misc_protos.h> |
72 | #include <kern/clock.h> |
73 | #include <kern/telemetry.h> |
74 | #include <kern/ecc.h> |
75 | #include <kern/kern_cdata.h> |
76 | #include <kern/zalloc_internal.h> |
77 | #include <kern/iotrace.h> |
78 | #include <pexpert/device_tree.h> |
79 | #include <vm/vm_kern.h> |
80 | #include <vm/vm_map.h> |
81 | #include <vm/pmap.h> |
82 | #include <vm/vm_compressor.h> |
83 | #include <stdarg.h> |
84 | #include <stdatomic.h> |
85 | #include <sys/pgo.h> |
86 | #include <console/serial_protos.h> |
87 | #include <IOKit/IOBSD.h> |
88 | |
89 | #if !(MACH_KDP && CONFIG_KDP_INTERACTIVE_DEBUGGING) |
90 | #include <kdp/kdp_udp.h> |
91 | #endif |
92 | #include <kern/processor.h> |
93 | |
94 | #if defined(__i386__) || defined(__x86_64__) |
95 | #include <IOKit/IOBSD.h> |
96 | |
97 | #include <i386/cpu_threads.h> |
98 | #include <i386/pmCPU.h> |
99 | #include <i386/lbr.h> |
100 | #endif |
101 | |
102 | #include <IOKit/IOPlatformExpert.h> |
103 | #include <machine/machine_cpu.h> |
104 | #include <machine/pal_routines.h> |
105 | |
106 | #include <sys/kdebug.h> |
107 | #include <libkern/OSKextLibPrivate.h> |
108 | #include <libkern/OSAtomic.h> |
109 | #include <libkern/kernel_mach_header.h> |
110 | #include <libkern/section_keywords.h> |
111 | #include <uuid/uuid.h> |
112 | #include <mach_debug/zone_info.h> |
113 | #include <mach/resource_monitors.h> |
114 | #include <machine/machine_routines.h> |
115 | #include <sys/proc_require.h> |
116 | |
117 | #include <os/log_private.h> |
118 | |
119 | #include <kern/ext_paniclog.h> |
120 | |
121 | #if defined(__arm64__) |
122 | #include <pexpert/pexpert.h> /* For gPanicBase */ |
123 | #include <arm/caches_internal.h> |
124 | #include <arm/misc_protos.h> |
125 | extern volatile struct xnu_hw_shmem_dbg_command_info *hwsd_info; |
126 | #endif |
127 | |
128 | #include <san/kcov.h> |
129 | |
130 | #if CONFIG_XNUPOST |
131 | #include <tests/xnupost.h> |
132 | extern int vsnprintf(char *, size_t, const char *, va_list); |
133 | #endif |
134 | |
135 | #if CONFIG_CSR |
136 | #include <sys/csr.h> |
137 | #endif |
138 | |
139 | #if CONFIG_EXCLAVES |
140 | #include <xnuproxy/panic.h> |
141 | #include "exclaves_panic.h" |
142 | #endif |
143 | |
144 | #if CONFIG_SPTM |
145 | #include <arm64/sptm/sptm.h> |
146 | #include <arm64/sptm/pmap/pmap_data.h> |
147 | #endif /* CONFIG_SPTM */ |
148 | |
149 | extern int IODTGetLoaderInfo( const char *key, void **infoAddr, int *infosize ); |
150 | extern void IODTFreeLoaderInfo( const char *key, void *infoAddr, int infoSize ); |
151 | |
152 | unsigned int halt_in_debugger = 0; |
153 | unsigned int current_debugger = 0; |
154 | unsigned int active_debugger = 0; |
155 | SECURITY_READ_ONLY_LATE(unsigned int) panicDebugging = FALSE; |
156 | unsigned int kernel_debugger_entry_count = 0; |
157 | |
158 | #if DEVELOPMENT || DEBUG |
159 | unsigned int panic_test_failure_mode = PANIC_TEST_FAILURE_MODE_BADPTR; |
160 | unsigned int panic_test_action_count = 1; |
161 | unsigned int panic_test_case = PANIC_TEST_CASE_DISABLED; |
162 | #endif |
163 | |
164 | #if defined(__arm64__) |
165 | struct additional_panic_data_buffer *panic_data_buffers = NULL; |
166 | #endif |
167 | |
168 | #if defined(__arm64__) |
169 | /* |
170 | * Magic number; this should be identical to the armv7 encoding for trap. |
171 | */ |
172 | #define TRAP_DEBUGGER __asm__ volatile(".long 0xe7ffdeff") |
173 | #elif defined (__x86_64__) |
174 | #define TRAP_DEBUGGER __asm__("int3") |
175 | #else |
176 | #error No TRAP_DEBUGGER for this architecture |
177 | #endif |
178 | |
179 | #if defined(__i386__) || defined(__x86_64__) |
180 | #define panic_stop() pmCPUHalt(PM_HALT_PANIC) |
181 | #else |
182 | #define panic_stop() panic_spin_forever() |
183 | #endif |
184 | |
185 | #if defined(__arm64__) && (DEVELOPMENT || DEBUG) |
186 | /* |
187 | * More than enough for any typical format string passed to panic(); |
188 | * anything longer will be truncated but that's better than nothing. |
189 | */ |
190 | #define EARLY_PANIC_BUFLEN 256 |
191 | #endif |
192 | |
193 | struct debugger_state { |
194 | uint64_t db_panic_options; |
195 | debugger_op db_current_op; |
196 | boolean_t db_proceed_on_sync_failure; |
197 | const char *db_message; |
198 | const char *db_panic_str; |
199 | va_list *db_panic_args; |
200 | void *db_panic_data_ptr; |
201 | unsigned long db_panic_caller; |
202 | /* incremented whenever we panic or call Debugger (current CPU panic level) */ |
203 | uint32_t db_entry_count; |
204 | kern_return_t db_op_return; |
205 | }; |
206 | static struct debugger_state PERCPU_DATA(debugger_state); |
207 | |
208 | /* __pure2 is correct if this function is called with preemption disabled */ |
209 | static inline __pure2 struct debugger_state * |
210 | current_debugger_state(void) |
211 | { |
212 | return PERCPU_GET(debugger_state); |
213 | } |
214 | |
215 | #define CPUDEBUGGEROP current_debugger_state()->db_current_op |
216 | #define CPUDEBUGGERMSG current_debugger_state()->db_message |
217 | #define CPUPANICSTR current_debugger_state()->db_panic_str |
218 | #define CPUPANICARGS current_debugger_state()->db_panic_args |
219 | #define CPUPANICOPTS current_debugger_state()->db_panic_options |
220 | #define CPUPANICDATAPTR current_debugger_state()->db_panic_data_ptr |
221 | #define CPUDEBUGGERSYNC current_debugger_state()->db_proceed_on_sync_failure |
222 | #define CPUDEBUGGERCOUNT current_debugger_state()->db_entry_count |
223 | #define CPUDEBUGGERRET current_debugger_state()->db_op_return |
224 | #define CPUPANICCALLER current_debugger_state()->db_panic_caller |
225 | |
226 | |
227 | /* |
228 | * Usage: |
229 | * panic_test_action_count is in the context of other flags, e.g. for IO errors it is "succeed this many times then fail" and for nesting it is "panic this many times then succeed" |
230 | * panic_test_failure_mode is a bit map of things to do |
231 | * panic_test_case is what sort of test we are injecting |
232 | * |
233 | * For more details see definitions in debugger.h |
234 | * |
235 | * Note that not all combinations are sensible, but some actions can be combined, e.g. |
236 | * - BADPTR+SPIN with action count = 3 will cause panic->panic->spin |
237 | * - BADPTR with action count = 2 will cause 2 nested panics (in addition to the initial panic) |
238 | * - IO_ERR with action 15 will cause 14 successful IOs, then fail on the next one |
239 | */ |
240 | #if DEVELOPMENT || DEBUG |
241 | #define INJECT_NESTED_PANIC_IF_REQUESTED(requested) \ |
242 | MACRO_BEGIN \ |
243 | if ((panic_test_case & requested) && panic_test_action_count) { \ |
244 | panic_test_action_count--; \ |
245 | volatile int *panic_test_badpointer = (int *)4; \ |
246 | if ((panic_test_failure_mode & PANIC_TEST_FAILURE_MODE_SPIN) && (!panic_test_action_count)) { printf("inject spin...\n"); while(panic_test_badpointer); } \ |
247 | if ((panic_test_failure_mode & PANIC_TEST_FAILURE_MODE_BADPTR) && (panic_test_action_count+1)) { printf("inject badptr...\n"); *panic_test_badpointer = 0; } \ |
248 | if ((panic_test_failure_mode & PANIC_TEST_FAILURE_MODE_PANIC) && (panic_test_action_count+1)) { printf("inject panic...\n"); panic("nested panic level %d", panic_test_action_count); } \ |
249 | } \ |
250 | MACRO_END |
251 | |
252 | #endif /* DEVELOPMENT || DEBUG */ |
253 | |
254 | debugger_op debugger_current_op = DBOP_NONE; |
255 | const char *debugger_panic_str = NULL; |
256 | va_list *debugger_panic_args = NULL; |
257 | void *debugger_panic_data = NULL; |
258 | uint64_t debugger_panic_options = 0; |
259 | const char *debugger_message = NULL; |
260 | unsigned long debugger_panic_caller = 0; |
261 | |
262 | void panic_trap_to_debugger(const char *panic_format_str, va_list *panic_args, |
263 | unsigned int reason, void *ctx, uint64_t panic_options_mask, void *panic_data, |
264 | unsigned long panic_caller) __dead2 __printflike(1, 0); |
265 | static void kdp_machine_reboot_type(unsigned int type, uint64_t debugger_flags); |
266 | void panic_spin_forever(void) __dead2; |
267 | extern kern_return_t do_panic_stackshot(void); |
268 | extern kern_return_t do_stackshot(void); |
269 | extern void PE_panic_hook(const char*); |
270 | extern int sync(proc_t p, void *, void *); |
271 | |
272 | #define NESTEDDEBUGGERENTRYMAX 5 |
273 | static TUNABLE(unsigned int, max_debugger_entry_count, "nested_panic_max" , |
274 | NESTEDDEBUGGERENTRYMAX); |
275 | |
276 | SECURITY_READ_ONLY_LATE(bool) awl_scratch_reg_supported = false; |
277 | static bool PERCPU_DATA(hv_entry_detected); // = false |
278 | static void awl_set_scratch_reg_hv_bit(void); |
279 | void awl_mark_hv_entry(void); |
280 | static bool awl_pm_state_change_cbk(void *param, enum cpu_event event, unsigned int cpu_or_cluster); |
281 | |
282 | #if defined(__arm64__) |
283 | #define DEBUG_BUF_SIZE (4096) |
284 | |
285 | /* debug_buf is directly linked with iBoot panic region for arm targets */ |
286 | char *debug_buf_base = NULL; |
287 | char *debug_buf_ptr = NULL; |
288 | unsigned int debug_buf_size = 0; |
289 | |
290 | SECURITY_READ_ONLY_LATE(boolean_t) kdp_explicitly_requested = FALSE; |
291 | #else /* defined(__arm64__) */ |
292 | #define DEBUG_BUF_SIZE ((3 * PAGE_SIZE) + offsetof(struct macos_panic_header, mph_data)) |
293 | /* EXTENDED_DEBUG_BUF_SIZE definition is now in debug.h */ |
294 | static_assert(((EXTENDED_DEBUG_BUF_SIZE % PANIC_FLUSH_BOUNDARY) == 0), "Extended debug buf size must match SMC alignment requirements" ); |
295 | |
296 | char debug_buf[DEBUG_BUF_SIZE]; |
297 | struct macos_panic_header *panic_info = (struct macos_panic_header *)debug_buf; |
298 | char *debug_buf_base = (debug_buf + offsetof(struct macos_panic_header, mph_data)); |
299 | char *debug_buf_ptr = (debug_buf + offsetof(struct macos_panic_header, mph_data)); |
300 | |
301 | /* |
302 | * We don't include the size of the panic header in the length of the data we actually write. |
303 | * On co-processor platforms, we lose sizeof(struct macos_panic_header) bytes from the end of |
304 | * the end of the log because we only support writing (3*PAGESIZE) bytes. |
305 | */ |
306 | unsigned int debug_buf_size = (DEBUG_BUF_SIZE - offsetof(struct macos_panic_header, mph_data)); |
307 | |
308 | boolean_t extended_debug_log_enabled = FALSE; |
309 | #endif /* defined(__arm64__) */ |
310 | |
311 | #if defined(XNU_TARGET_OS_OSX) |
312 | #define KDBG_TRACE_PANIC_FILENAME "/var/tmp/panic.trace" |
313 | #else |
314 | #define KDBG_TRACE_PANIC_FILENAME "/var/log/panic.trace" |
315 | #endif |
316 | |
317 | /* Debugger state */ |
318 | atomic_int debugger_cpu = DEBUGGER_NO_CPU; |
319 | boolean_t debugger_allcpus_halted = FALSE; |
320 | boolean_t debugger_safe_to_return = TRUE; |
321 | unsigned int debugger_context = 0; |
322 | |
323 | static char model_name[64]; |
324 | unsigned char *kernel_uuid; |
325 | |
326 | boolean_t kernelcache_uuid_valid = FALSE; |
327 | uuid_t kernelcache_uuid; |
328 | uuid_string_t kernelcache_uuid_string; |
329 | |
330 | boolean_t pageablekc_uuid_valid = FALSE; |
331 | uuid_t pageablekc_uuid; |
332 | uuid_string_t pageablekc_uuid_string; |
333 | |
334 | boolean_t auxkc_uuid_valid = FALSE; |
335 | uuid_t auxkc_uuid; |
336 | uuid_string_t auxkc_uuid_string; |
337 | |
338 | |
339 | /* |
340 | * By default we treat Debugger() the same as calls to panic(), unless |
341 | * we have debug boot-args present and the DB_KERN_DUMP_ON_NMI *NOT* set. |
342 | * If DB_KERN_DUMP_ON_NMI is *NOT* set, return from Debugger() is supported. |
343 | * |
344 | * Return from Debugger() is currently only implemented on x86 |
345 | */ |
346 | static boolean_t debugger_is_panic = TRUE; |
347 | |
348 | TUNABLE(unsigned int, debug_boot_arg, "debug" , 0); |
349 | |
350 | TUNABLE(int, verbose_panic_flow_logging, "verbose_panic_flow_logging" , 0); |
351 | |
352 | char kernel_uuid_string[37]; /* uuid_string_t */ |
353 | char kernelcache_uuid_string[37]; /* uuid_string_t */ |
354 | char panic_disk_error_description[512]; |
355 | size_t panic_disk_error_description_size = sizeof(panic_disk_error_description); |
356 | |
357 | extern unsigned int write_trace_on_panic; |
358 | int kext_assertions_enable = |
359 | #if DEBUG || DEVELOPMENT |
360 | TRUE; |
361 | #else |
362 | FALSE; |
363 | #endif |
364 | |
365 | #if (DEVELOPMENT || DEBUG) |
366 | uint64_t xnu_platform_stall_value = PLATFORM_STALL_XNU_DISABLE; |
367 | #endif |
368 | |
369 | /* |
370 | * Maintain the physically-contiguous carveouts for the carveout bootargs. |
371 | */ |
372 | TUNABLE_WRITEABLE(boolean_t, phys_carveout_core, "phys_carveout_core" , 1); |
373 | |
374 | TUNABLE(uint32_t, phys_carveout_mb, "phys_carveout_mb" , 0); |
375 | SECURITY_READ_ONLY_LATE(vm_offset_t) phys_carveout = 0; |
376 | SECURITY_READ_ONLY_LATE(uintptr_t) phys_carveout_pa = 0; |
377 | SECURITY_READ_ONLY_LATE(size_t) phys_carveout_size = 0; |
378 | |
379 | |
380 | /* |
381 | * Returns whether kernel debugging is expected to be restricted |
382 | * on the device currently based on CSR or other platform restrictions. |
383 | */ |
384 | boolean_t |
385 | kernel_debugging_restricted(void) |
386 | { |
387 | #if XNU_TARGET_OS_OSX |
388 | #if CONFIG_CSR |
389 | if (csr_check(CSR_ALLOW_KERNEL_DEBUGGER) != 0) { |
390 | return TRUE; |
391 | } |
392 | #endif /* CONFIG_CSR */ |
393 | return FALSE; |
394 | #else /* XNU_TARGET_OS_OSX */ |
395 | return FALSE; |
396 | #endif /* XNU_TARGET_OS_OSX */ |
397 | } |
398 | |
399 | __startup_func |
400 | static void |
401 | panic_init(void) |
402 | { |
403 | unsigned long uuidlen = 0; |
404 | void *uuid; |
405 | |
406 | uuid = getuuidfromheader(&_mh_execute_header, &uuidlen); |
407 | if ((uuid != NULL) && (uuidlen == sizeof(uuid_t))) { |
408 | kernel_uuid = uuid; |
409 | uuid_unparse_upper(uu: *(uuid_t *)uuid, out: kernel_uuid_string); |
410 | } |
411 | |
412 | /* |
413 | * Take the value of the debug boot-arg into account |
414 | */ |
415 | #if MACH_KDP |
416 | if (!kernel_debugging_restricted() && debug_boot_arg) { |
417 | if (debug_boot_arg & DB_HALT) { |
418 | halt_in_debugger = 1; |
419 | } |
420 | |
421 | #if defined(__arm64__) |
422 | if (debug_boot_arg & DB_NMI) { |
423 | panicDebugging = TRUE; |
424 | } |
425 | #else |
426 | panicDebugging = TRUE; |
427 | #endif /* defined(__arm64__) */ |
428 | } |
429 | |
430 | #if defined(__arm64__) |
431 | char kdpname[80]; |
432 | |
433 | kdp_explicitly_requested = PE_parse_boot_argn(arg_string: "kdp_match_name" , arg_ptr: kdpname, max_arg: sizeof(kdpname)); |
434 | #endif /* defined(__arm64__) */ |
435 | |
436 | #endif /* MACH_KDP */ |
437 | |
438 | #if defined (__x86_64__) |
439 | /* |
440 | * By default we treat Debugger() the same as calls to panic(), unless |
441 | * we have debug boot-args present and the DB_KERN_DUMP_ON_NMI *NOT* set. |
442 | * If DB_KERN_DUMP_ON_NMI is *NOT* set, return from Debugger() is supported. |
443 | * This is because writing an on-device corefile is a destructive operation. |
444 | * |
445 | * Return from Debugger() is currently only implemented on x86 |
446 | */ |
447 | if (PE_i_can_has_debugger(NULL) && !(debug_boot_arg & DB_KERN_DUMP_ON_NMI)) { |
448 | debugger_is_panic = FALSE; |
449 | } |
450 | #endif |
451 | } |
452 | STARTUP(TUNABLES, STARTUP_RANK_MIDDLE, panic_init); |
453 | |
454 | #if defined (__x86_64__) |
455 | void |
456 | extended_debug_log_init(void) |
457 | { |
458 | assert(coprocessor_paniclog_flush); |
459 | /* |
460 | * Allocate an extended panic log buffer that has space for the panic |
461 | * stackshot at the end. Update the debug buf pointers appropriately |
462 | * to point at this new buffer. |
463 | * |
464 | * iBoot pre-initializes the panic region with the NULL character. We set this here |
465 | * so we can accurately calculate the CRC for the region without needing to flush the |
466 | * full region over SMC. |
467 | */ |
468 | char *new_debug_buf = kalloc_data(EXTENDED_DEBUG_BUF_SIZE, Z_WAITOK | Z_ZERO); |
469 | |
470 | panic_info = (struct macos_panic_header *)new_debug_buf; |
471 | debug_buf_ptr = debug_buf_base = (new_debug_buf + offsetof(struct macos_panic_header, mph_data)); |
472 | debug_buf_size = (EXTENDED_DEBUG_BUF_SIZE - offsetof(struct macos_panic_header, mph_data)); |
473 | |
474 | extended_debug_log_enabled = TRUE; |
475 | |
476 | /* |
477 | * Insert a compiler barrier so we don't free the other panic stackshot buffer |
478 | * until after we've marked the new one as available |
479 | */ |
480 | __compiler_barrier(); |
481 | kmem_free(kernel_map, panic_stackshot_buf, panic_stackshot_buf_len); |
482 | panic_stackshot_buf = 0; |
483 | panic_stackshot_buf_len = 0; |
484 | } |
485 | #endif /* defined (__x86_64__) */ |
486 | |
487 | void |
488 | debug_log_init(void) |
489 | { |
490 | #if defined(__arm64__) |
491 | if (!gPanicBase) { |
492 | printf(format: "debug_log_init: Error!! gPanicBase is still not initialized\n" ); |
493 | return; |
494 | } |
495 | /* Shift debug buf start location and size by the length of the panic header */ |
496 | debug_buf_base = (char *)gPanicBase + sizeof(struct embedded_panic_header); |
497 | debug_buf_ptr = debug_buf_base; |
498 | debug_buf_size = gPanicSize - sizeof(struct embedded_panic_header); |
499 | |
500 | #if CONFIG_EXT_PANICLOG |
501 | ext_paniclog_init(); |
502 | #endif |
503 | #else |
504 | kern_return_t kr = KERN_SUCCESS; |
505 | bzero(panic_info, DEBUG_BUF_SIZE); |
506 | |
507 | assert(debug_buf_base != NULL); |
508 | assert(debug_buf_ptr != NULL); |
509 | assert(debug_buf_size != 0); |
510 | |
511 | /* |
512 | * We allocate a buffer to store a panic time stackshot. If we later discover that this is a |
513 | * system that supports flushing a stackshot via an extended debug log (see above), we'll free this memory |
514 | * as it's not necessary on this platform. This information won't be available until the IOPlatform has come |
515 | * up. |
516 | */ |
517 | kr = kmem_alloc(kernel_map, &panic_stackshot_buf, PANIC_STACKSHOT_BUFSIZE, |
518 | KMA_DATA | KMA_ZERO, VM_KERN_MEMORY_DIAG); |
519 | assert(kr == KERN_SUCCESS); |
520 | if (kr == KERN_SUCCESS) { |
521 | panic_stackshot_buf_len = PANIC_STACKSHOT_BUFSIZE; |
522 | } |
523 | #endif |
524 | } |
525 | |
526 | void |
527 | phys_carveout_init(void) |
528 | { |
529 | if (!PE_i_can_has_debugger(NULL)) { |
530 | return; |
531 | } |
532 | |
533 | #if __arm__ || __arm64__ |
534 | #if DEVELOPMENT || DEBUG |
535 | #endif /* DEVELOPMENT || DEBUG */ |
536 | #endif /* __arm__ || __arm64__ */ |
537 | |
538 | struct carveout { |
539 | const char *name; |
540 | vm_offset_t *va; |
541 | uint32_t requested_size; |
542 | uintptr_t *pa; |
543 | size_t *allocated_size; |
544 | uint64_t present; |
545 | } carveouts[] = { |
546 | { |
547 | "phys_carveout" , |
548 | &phys_carveout, |
549 | phys_carveout_mb, |
550 | &phys_carveout_pa, |
551 | &phys_carveout_size, |
552 | phys_carveout_mb != 0, |
553 | } |
554 | }; |
555 | |
556 | for (int i = 0; i < (sizeof(carveouts) / sizeof(struct carveout)); i++) { |
557 | if (carveouts[i].present) { |
558 | size_t temp_carveout_size = 0; |
559 | if (os_mul_overflow(carveouts[i].requested_size, 1024 * 1024, &temp_carveout_size)) { |
560 | panic("%s_mb size overflowed (%uMB)" , |
561 | carveouts[i].name, carveouts[i].requested_size); |
562 | return; |
563 | } |
564 | |
565 | kmem_alloc_contig(map: kernel_map, addrp: carveouts[i].va, |
566 | size: temp_carveout_size, PAGE_MASK, max_pnum: 0, pnum_mask: 0, |
567 | flags: KMA_NOFAIL | KMA_PERMANENT | KMA_NOPAGEWAIT | KMA_DATA, |
568 | VM_KERN_MEMORY_DIAG); |
569 | |
570 | *carveouts[i].pa = kvtophys(va: *carveouts[i].va); |
571 | *carveouts[i].allocated_size = temp_carveout_size; |
572 | } |
573 | } |
574 | |
575 | #if __arm64__ && (DEVELOPMENT || DEBUG) |
576 | /* likely panic_trace boot-arg is also set so check and enable tracing if necessary into new carveout */ |
577 | PE_arm_debug_enable_trace(true); |
578 | #endif /* __arm64__ && (DEVELOPMENT || DEBUG) */ |
579 | } |
580 | |
581 | boolean_t |
582 | debug_is_in_phys_carveout(vm_map_offset_t va) |
583 | { |
584 | return phys_carveout_size && va >= phys_carveout && |
585 | va < (phys_carveout + phys_carveout_size); |
586 | } |
587 | |
588 | boolean_t |
589 | debug_can_coredump_phys_carveout(void) |
590 | { |
591 | return phys_carveout_core; |
592 | } |
593 | |
594 | static void |
595 | DebuggerLock(void) |
596 | { |
597 | int my_cpu = cpu_number(); |
598 | int debugger_exp_cpu = DEBUGGER_NO_CPU; |
599 | assert(ml_get_interrupts_enabled() == FALSE); |
600 | |
601 | if (atomic_load(&debugger_cpu) == my_cpu) { |
602 | return; |
603 | } |
604 | |
605 | while (!atomic_compare_exchange_strong(&debugger_cpu, &debugger_exp_cpu, my_cpu)) { |
606 | debugger_exp_cpu = DEBUGGER_NO_CPU; |
607 | } |
608 | |
609 | return; |
610 | } |
611 | |
612 | static void |
613 | DebuggerUnlock(void) |
614 | { |
615 | assert(atomic_load_explicit(&debugger_cpu, memory_order_relaxed) == cpu_number()); |
616 | |
617 | /* |
618 | * We don't do an atomic exchange here in case |
619 | * there's another CPU spinning to acquire the debugger_lock |
620 | * and we never get a chance to update it. We already have the |
621 | * lock so we can simply store DEBUGGER_NO_CPU and follow with |
622 | * a barrier. |
623 | */ |
624 | atomic_store(&debugger_cpu, DEBUGGER_NO_CPU); |
625 | OSMemoryBarrier(); |
626 | |
627 | return; |
628 | } |
629 | |
630 | static kern_return_t |
631 | DebuggerHaltOtherCores(boolean_t proceed_on_failure, bool is_stackshot) |
632 | { |
633 | #if defined(__arm64__) |
634 | return DebuggerXCallEnter(proceed_on_failure, is_stackshot); |
635 | #else /* defined(__arm64__) */ |
636 | #pragma unused(proceed_on_failure) |
637 | #pragma unused(is_stackshot) |
638 | mp_kdp_enter(proceed_on_failure); |
639 | return KERN_SUCCESS; |
640 | #endif |
641 | } |
642 | |
643 | static void |
644 | DebuggerResumeOtherCores(void) |
645 | { |
646 | #if defined(__arm64__) |
647 | DebuggerXCallReturn(); |
648 | #else /* defined(__arm64__) */ |
649 | mp_kdp_exit(); |
650 | #endif |
651 | } |
652 | |
653 | __printflike(3, 0) |
654 | static void |
655 | DebuggerSaveState(debugger_op db_op, const char *db_message, const char *db_panic_str, |
656 | va_list *db_panic_args, uint64_t db_panic_options, void *db_panic_data_ptr, |
657 | boolean_t db_proceed_on_sync_failure, unsigned long db_panic_caller) |
658 | { |
659 | CPUDEBUGGEROP = db_op; |
660 | |
661 | /* |
662 | * Note: |
663 | * if CPUDEBUGGERCOUNT == 1 then we are in the normal case - record the panic data |
664 | * if CPUDEBUGGERCOUNT > 1 and CPUPANICSTR == NULL then we are in a nested panic that happened before DebuggerSaveState was called, so store the nested panic data |
665 | * if CPUDEBUGGERCOUNT > 1 and CPUPANICSTR != NULL then we are in a nested panic that happened after DebuggerSaveState was called, so leave the original panic data |
666 | * |
667 | * TODO: is it safe to flatten this to if (CPUPANICSTR == NULL)? |
668 | */ |
669 | if (CPUDEBUGGERCOUNT == 1 || CPUPANICSTR == NULL) { |
670 | CPUDEBUGGERMSG = db_message; |
671 | CPUPANICSTR = db_panic_str; |
672 | CPUPANICARGS = db_panic_args; |
673 | CPUPANICDATAPTR = db_panic_data_ptr; |
674 | CPUPANICCALLER = db_panic_caller; |
675 | |
676 | #if CONFIG_EXCLAVES |
677 | char *panic_str; |
678 | if (exclaves_panic_get_string(&panic_str) == KERN_SUCCESS) { |
679 | CPUPANICSTR = panic_str; |
680 | } |
681 | #endif |
682 | } |
683 | |
684 | CPUDEBUGGERSYNC = db_proceed_on_sync_failure; |
685 | CPUDEBUGGERRET = KERN_SUCCESS; |
686 | |
687 | /* Reset these on any nested panics */ |
688 | // follow up in rdar://88497308 (nested panics should not clobber panic flags) |
689 | CPUPANICOPTS = db_panic_options; |
690 | |
691 | return; |
692 | } |
693 | |
694 | /* |
695 | * Save the requested debugger state/action into the current processor's |
696 | * percu state and trap to the debugger. |
697 | */ |
698 | kern_return_t |
699 | DebuggerTrapWithState(debugger_op db_op, const char *db_message, const char *db_panic_str, |
700 | va_list *db_panic_args, uint64_t db_panic_options, void *db_panic_data_ptr, |
701 | boolean_t db_proceed_on_sync_failure, unsigned long db_panic_caller) |
702 | { |
703 | kern_return_t ret; |
704 | |
705 | #if defined(__arm64__) && (DEVELOPMENT || DEBUG) |
706 | if (!PE_arm_debug_and_trace_initialized()) { |
707 | /* |
708 | * In practice this can only happen if we panicked very early, |
709 | * when only the boot CPU is online and before it has finished |
710 | * initializing the debug and trace infrastructure. We're going |
711 | * to hang soon, so let's at least make sure the message passed |
712 | * to panic() is actually logged. |
713 | */ |
714 | char buf[EARLY_PANIC_BUFLEN]; |
715 | vsnprintf(buf, EARLY_PANIC_BUFLEN, db_panic_str, *db_panic_args); |
716 | paniclog_append_noflush("%s\n" , buf); |
717 | } |
718 | #endif |
719 | |
720 | assert(ml_get_interrupts_enabled() == FALSE); |
721 | DebuggerSaveState(db_op, db_message, db_panic_str, db_panic_args, |
722 | db_panic_options, db_panic_data_ptr, |
723 | db_proceed_on_sync_failure, db_panic_caller); |
724 | |
725 | /* |
726 | * On ARM this generates an uncategorized exception -> sleh code -> |
727 | * DebuggerCall -> kdp_trap -> handle_debugger_trap |
728 | * So that is how XNU ensures that only one core can panic. |
729 | * The rest of the cores are halted by IPI if possible; if that |
730 | * fails it will fall back to dbgwrap. |
731 | */ |
732 | TRAP_DEBUGGER; |
733 | |
734 | ret = CPUDEBUGGERRET; |
735 | |
736 | DebuggerSaveState(db_op: DBOP_NONE, NULL, NULL, NULL, db_panic_options: 0, NULL, FALSE, db_panic_caller: 0); |
737 | |
738 | return ret; |
739 | } |
740 | |
741 | void __attribute__((noinline)) |
742 | Assert( |
743 | const char *file, |
744 | int line, |
745 | const char *expression |
746 | ) |
747 | { |
748 | #if CONFIG_NONFATAL_ASSERTS |
749 | static TUNABLE(bool, mach_assert, "assertions" , true); |
750 | |
751 | if (!mach_assert) { |
752 | kprintf("%s:%d non-fatal Assertion: %s" , file, line, expression); |
753 | return; |
754 | } |
755 | #endif |
756 | |
757 | panic_plain("%s:%d Assertion failed: %s" , file, line, expression); |
758 | } |
759 | |
760 | boolean_t |
761 | debug_is_current_cpu_in_panic_state(void) |
762 | { |
763 | return current_debugger_state()->db_entry_count > 0; |
764 | } |
765 | |
766 | /* |
767 | * check if we are in a nested panic, report findings, take evasive action where necessary |
768 | * |
769 | * see also PE_update_panicheader_nestedpanic |
770 | */ |
771 | static void |
772 | check_and_handle_nested_panic(uint64_t panic_options_mask, unsigned long panic_caller, const char *db_panic_str, va_list *db_panic_args) |
773 | { |
774 | if ((CPUDEBUGGERCOUNT > 1) && (CPUDEBUGGERCOUNT < max_debugger_entry_count)) { |
775 | // Note: this is the first indication in the panic log or serial that we are off the rails... |
776 | // |
777 | // if we panic *before* the paniclog is finalized then this will end up in the ips report with a panic_caller addr that gives us a clue |
778 | // if we panic *after* the log is finalized then we will only see it in the serial log |
779 | // |
780 | paniclog_append_noflush(format: "Nested panic detected - entry count: %d panic_caller: 0x%016lx\n" , CPUDEBUGGERCOUNT, panic_caller); |
781 | paniclog_flush(); |
782 | |
783 | // print the *new* panic string to the console, we might not get it by other means... |
784 | // TODO: I tried to write this stuff to the paniclog, but the serial output gets corrupted and the panicstring in the ips file is <mysterious> |
785 | // rdar://87846117 (NestedPanic: output panic string to paniclog) |
786 | if (db_panic_str) { |
787 | printf(format: "Nested panic string:\n" ); |
788 | #pragma clang diagnostic push |
789 | #pragma clang diagnostic ignored "-Wformat-nonliteral" |
790 | _doprnt(fmt: db_panic_str, argp: db_panic_args, putc: PE_kputc, radix: 0); |
791 | #pragma clang diagnostic pop |
792 | printf(format: "\n<end nested panic string>\n" ); |
793 | } |
794 | } |
795 | |
796 | // Stage 1 bailout |
797 | // |
798 | // Try to complete the normal panic flow, i.e. try to make sure the callouts happen and we flush the paniclog. If this fails with another nested |
799 | // panic then we will land in Stage 2 below... |
800 | // |
801 | if (CPUDEBUGGERCOUNT == max_debugger_entry_count) { |
802 | uint32_t panic_details = 0; |
803 | |
804 | // if this is a force-reset panic then capture a log and reboot immediately. |
805 | if (panic_options_mask & DEBUGGER_OPTION_PANICLOGANDREBOOT) { |
806 | panic_details |= kPanicDetailsForcePowerOff; |
807 | } |
808 | |
809 | // normally the kPEPanicBegin is sent from debugger_collect_diagnostics(), but we might nested-panic before we get |
810 | // there. To be safe send another notification, the function called below will only send kPEPanicBegin if it has not yet been sent. |
811 | // |
812 | PEHaltRestartInternal(type: kPEPanicBegin, details: panic_details); |
813 | |
814 | paniclog_append_noflush(format: "Nested panic count exceeds limit %d, machine will reset or spin\n" , max_debugger_entry_count); |
815 | PE_update_panicheader_nestedpanic(); |
816 | paniclog_flush(); |
817 | |
818 | if (!panicDebugging) { |
819 | // note that this will also send kPEPanicEnd |
820 | kdp_machine_reboot_type(type: kPEPanicRestartCPU, debugger_flags: panic_options_mask); |
821 | } |
822 | |
823 | // prints to console |
824 | paniclog_append_noflush(format: "\nNested panic stall. Stage 1 bailout. Please go to https://panic.apple.com to report this panic\n" ); |
825 | panic_spin_forever(); |
826 | } |
827 | |
828 | // Stage 2 bailout |
829 | // |
830 | // Things are severely hosed, we have nested to the point of bailout and then nested again during the bailout path. Try to issue |
831 | // a chipreset as quickly as possible, hopefully something in the panic log is salvageable, since we flushed it during Stage 1. |
832 | // |
833 | if (CPUDEBUGGERCOUNT == max_debugger_entry_count + 1) { |
834 | if (!panicDebugging) { |
835 | // note that: |
836 | // - this code path should be audited for prints, as that is a common cause of nested panics |
837 | // - this code path should take the fastest route to the actual reset, and not call any un-necessary code |
838 | kdp_machine_reboot_type(type: kPEPanicRestartCPU, debugger_flags: panic_options_mask & DEBUGGER_OPTION_SKIP_PANICEND_CALLOUTS); |
839 | } |
840 | |
841 | // prints to console, but another nested panic will land in Stage 3 where we simply spin, so that is sort of ok... |
842 | paniclog_append_noflush(format: "\nIn Nested panic stall. Stage 2 bailout. Please go to https://panic.apple.com to report this panic\n" ); |
843 | panic_spin_forever(); |
844 | } |
845 | |
846 | // Stage 3 bailout |
847 | // |
848 | // We are done here, we were unable to reset the platform without another nested panic. Spin until the watchdog kicks in. |
849 | // |
850 | if (CPUDEBUGGERCOUNT > max_debugger_entry_count + 1) { |
851 | kdp_machine_reboot_type(type: kPEHangCPU, debugger_flags: 0); |
852 | } |
853 | } |
854 | |
855 | void |
856 | Debugger(const char *message) |
857 | { |
858 | DebuggerWithContext(reason: 0, NULL, message, DEBUGGER_OPTION_NONE, debugger_caller: (unsigned long)(char *)__builtin_return_address(0)); |
859 | } |
860 | |
861 | /* |
862 | * Enter the Debugger |
863 | * |
864 | * This is similar to, but not the same as a panic |
865 | * |
866 | * Key differences: |
867 | * - we get here from a debugger entry action (e.g. NMI) |
868 | * - the system is resumable on x86 (in theory, however it is not clear if this is tested) |
869 | * - rdar://57738811 (xnu: support resume from debugger via KDP on arm devices) |
870 | * |
871 | */ |
872 | void |
873 | DebuggerWithContext(unsigned int reason, void *ctx, const char *message, |
874 | uint64_t debugger_options_mask, unsigned long debugger_caller) |
875 | { |
876 | spl_t previous_interrupts_state; |
877 | boolean_t old_doprnt_hide_pointers = doprnt_hide_pointers; |
878 | |
879 | #if defined(__x86_64__) && (DEVELOPMENT || DEBUG) |
880 | read_lbr(); |
881 | #endif |
882 | previous_interrupts_state = ml_set_interrupts_enabled(FALSE); |
883 | disable_preemption(); |
884 | |
885 | /* track depth of debugger/panic entry */ |
886 | CPUDEBUGGERCOUNT++; |
887 | |
888 | /* emit a tracepoint as early as possible in case of hang */ |
889 | SOCD_TRACE_XNU(PANIC, PACK_2X32(VALUE(cpu_number()), VALUE(CPUDEBUGGERCOUNT)), VALUE(debugger_options_mask), ADDR(message), ADDR(debugger_caller)); |
890 | |
891 | /* do max nested panic/debugger check, this will report nesting to the console and spin forever if we exceed a limit */ |
892 | check_and_handle_nested_panic(panic_options_mask: debugger_options_mask, panic_caller: debugger_caller, db_panic_str: message, NULL); |
893 | |
894 | /* Handle any necessary platform specific actions before we proceed */ |
895 | PEInitiatePanic(); |
896 | |
897 | #if DEVELOPMENT || DEBUG |
898 | INJECT_NESTED_PANIC_IF_REQUESTED(PANIC_TEST_CASE_RECURPANIC_ENTRY); |
899 | #endif |
900 | |
901 | PE_panic_hook(message); |
902 | |
903 | doprnt_hide_pointers = FALSE; |
904 | |
905 | if (ctx != NULL) { |
906 | DebuggerSaveState(db_op: DBOP_DEBUGGER, db_message: message, |
907 | NULL, NULL, db_panic_options: debugger_options_mask, NULL, TRUE, db_panic_caller: 0); |
908 | handle_debugger_trap(exception: reason, code: 0, subcode: 0, state: ctx); |
909 | DebuggerSaveState(db_op: DBOP_NONE, NULL, NULL, |
910 | NULL, db_panic_options: 0, NULL, FALSE, db_panic_caller: 0); |
911 | } else { |
912 | DebuggerTrapWithState(db_op: DBOP_DEBUGGER, db_message: message, |
913 | NULL, NULL, db_panic_options: debugger_options_mask, NULL, TRUE, db_panic_caller: 0); |
914 | } |
915 | |
916 | /* resume from the debugger */ |
917 | |
918 | CPUDEBUGGERCOUNT--; |
919 | doprnt_hide_pointers = old_doprnt_hide_pointers; |
920 | enable_preemption(); |
921 | ml_set_interrupts_enabled(enable: previous_interrupts_state); |
922 | } |
923 | |
924 | static struct kdp_callout { |
925 | struct kdp_callout * callout_next; |
926 | kdp_callout_fn_t callout_fn; |
927 | boolean_t callout_in_progress; |
928 | void * callout_arg; |
929 | } * kdp_callout_list = NULL; |
930 | |
931 | /* |
932 | * Called from kernel context to register a kdp event callout. |
933 | */ |
934 | void |
935 | kdp_register_callout(kdp_callout_fn_t fn, void * arg) |
936 | { |
937 | struct kdp_callout * kcp; |
938 | struct kdp_callout * list_head; |
939 | |
940 | kcp = zalloc_permanent_type(struct kdp_callout); |
941 | |
942 | kcp->callout_fn = fn; |
943 | kcp->callout_arg = arg; |
944 | kcp->callout_in_progress = FALSE; |
945 | |
946 | /* Lock-less list insertion using compare and exchange. */ |
947 | do { |
948 | list_head = kdp_callout_list; |
949 | kcp->callout_next = list_head; |
950 | } while (!OSCompareAndSwapPtr(list_head, kcp, &kdp_callout_list)); |
951 | } |
952 | |
953 | static void |
954 | kdp_callouts(kdp_event_t event) |
955 | { |
956 | struct kdp_callout *kcp = kdp_callout_list; |
957 | |
958 | while (kcp) { |
959 | if (!kcp->callout_in_progress) { |
960 | kcp->callout_in_progress = TRUE; |
961 | kcp->callout_fn(kcp->callout_arg, event); |
962 | kcp->callout_in_progress = FALSE; |
963 | } |
964 | kcp = kcp->callout_next; |
965 | } |
966 | } |
967 | |
968 | #if defined(__arm64__) |
969 | /* |
970 | * Register an additional buffer with data to include in the panic log |
971 | * |
972 | * <rdar://problem/50137705> tracks supporting more than one buffer |
973 | * |
974 | * Note that producer_name and buf should never be de-allocated as we reference these during panic. |
975 | */ |
976 | void |
977 | register_additional_panic_data_buffer(const char *producer_name, void *buf, int len) |
978 | { |
979 | if (panic_data_buffers != NULL) { |
980 | panic("register_additional_panic_data_buffer called with buffer already registered" ); |
981 | } |
982 | |
983 | if (producer_name == NULL || (strlen(s: producer_name) == 0)) { |
984 | panic("register_additional_panic_data_buffer called with invalid producer_name" ); |
985 | } |
986 | |
987 | if (buf == NULL) { |
988 | panic("register_additional_panic_data_buffer called with invalid buffer pointer" ); |
989 | } |
990 | |
991 | if ((len <= 0) || (len > ADDITIONAL_PANIC_DATA_BUFFER_MAX_LEN)) { |
992 | panic("register_additional_panic_data_buffer called with invalid length" ); |
993 | } |
994 | |
995 | struct additional_panic_data_buffer *new_panic_data_buffer = zalloc_permanent_type(struct additional_panic_data_buffer); |
996 | new_panic_data_buffer->producer_name = producer_name; |
997 | new_panic_data_buffer->buf = buf; |
998 | new_panic_data_buffer->len = len; |
999 | |
1000 | if (!OSCompareAndSwapPtr(NULL, new_panic_data_buffer, &panic_data_buffers)) { |
1001 | panic("register_additional_panic_data_buffer called with buffer already registered" ); |
1002 | } |
1003 | |
1004 | return; |
1005 | } |
1006 | #endif /* defined(__arm64__) */ |
1007 | |
1008 | /* |
1009 | * An overview of the xnu panic path: |
1010 | * |
1011 | * Several panic wrappers (panic(), panic_with_options(), etc.) all funnel into panic_trap_to_debugger(). |
1012 | * panic_trap_to_debugger() sets the panic state in the current processor's debugger_state prior |
1013 | * to trapping into the debugger. Once we trap to the debugger, we end up in handle_debugger_trap() |
1014 | * which tries to acquire the panic lock by atomically swapping the current CPU number into debugger_cpu. |
1015 | * debugger_cpu acts as a synchronization point, from which the winning CPU can halt the other cores and |
1016 | * continue to debugger_collect_diagnostics() where we write the paniclog, corefile (if appropriate) and proceed |
1017 | * according to the device's boot-args. |
1018 | */ |
1019 | #undef panic |
1020 | void |
1021 | panic(const char *str, ...) |
1022 | { |
1023 | va_list panic_str_args; |
1024 | |
1025 | va_start(panic_str_args, str); |
1026 | panic_trap_to_debugger(panic_format_str: str, panic_args: &panic_str_args, reason: 0, NULL, panic_options_mask: 0, NULL, panic_caller: (unsigned long)(char *)__builtin_return_address(0)); |
1027 | va_end(panic_str_args); |
1028 | } |
1029 | |
1030 | void |
1031 | panic_with_data(uuid_t uuid, void *addr, uint32_t len, const char *str, ...) |
1032 | { |
1033 | va_list panic_str_args; |
1034 | |
1035 | ext_paniclog_panic_with_data(uuid, addr, len); |
1036 | |
1037 | va_start(panic_str_args, str); |
1038 | panic_trap_to_debugger(panic_format_str: str, panic_args: &panic_str_args, reason: 0, NULL, panic_options_mask: 0, NULL, panic_caller: (unsigned long)(char *)__builtin_return_address(0)); |
1039 | va_end(panic_str_args); |
1040 | } |
1041 | |
1042 | void |
1043 | panic_with_options(unsigned int reason, void *ctx, uint64_t debugger_options_mask, const char *str, ...) |
1044 | { |
1045 | va_list panic_str_args; |
1046 | |
1047 | va_start(panic_str_args, str); |
1048 | panic_trap_to_debugger(panic_format_str: str, panic_args: &panic_str_args, reason, ctx, panic_options_mask: (debugger_options_mask & ~DEBUGGER_INTERNAL_OPTIONS_MASK), |
1049 | NULL, panic_caller: (unsigned long)(char *)__builtin_return_address(0)); |
1050 | va_end(panic_str_args); |
1051 | } |
1052 | |
1053 | boolean_t |
1054 | panic_validate_ptr(void *ptr, vm_size_t size, const char *what) |
1055 | { |
1056 | if (ptr == NULL) { |
1057 | paniclog_append_noflush(format: "NULL %s pointer\n" , what); |
1058 | return false; |
1059 | } |
1060 | |
1061 | if (!ml_validate_nofault(virtsrc: (vm_offset_t)ptr, size)) { |
1062 | paniclog_append_noflush(format: "Invalid %s pointer: %p (size %d)\n" , |
1063 | what, ptr, (uint32_t)size); |
1064 | return false; |
1065 | } |
1066 | |
1067 | return true; |
1068 | } |
1069 | |
1070 | boolean_t |
1071 | panic_get_thread_proc_task(struct thread *thread, struct task **task, struct proc **proc) |
1072 | { |
1073 | if (!PANIC_VALIDATE_PTR(thread)) { |
1074 | return false; |
1075 | } |
1076 | |
1077 | if (!PANIC_VALIDATE_PTR(thread->t_tro)) { |
1078 | return false; |
1079 | } |
1080 | |
1081 | if (!PANIC_VALIDATE_PTR(thread->t_tro->tro_task)) { |
1082 | return false; |
1083 | } |
1084 | |
1085 | if (task) { |
1086 | *task = thread->t_tro->tro_task; |
1087 | } |
1088 | |
1089 | if (!panic_validate_ptr(ptr: thread->t_tro->tro_proc, |
1090 | size: sizeof(struct proc *), what: "bsd_info" )) { |
1091 | *proc = NULL; |
1092 | } else { |
1093 | *proc = thread->t_tro->tro_proc; |
1094 | } |
1095 | |
1096 | return true; |
1097 | } |
1098 | |
1099 | #if defined (__x86_64__) |
1100 | /* |
1101 | * panic_with_thread_context() is used on x86 platforms to specify a different thread that should be backtraced in the paniclog. |
1102 | * We don't generally need this functionality on embedded platforms because embedded platforms include a panic time stackshot |
1103 | * from customer devices. We plumb the thread pointer via the debugger trap mechanism and backtrace the kernel stack from the |
1104 | * thread when writing the panic log. |
1105 | * |
1106 | * NOTE: panic_with_thread_context() should be called with an explicit thread reference held on the passed thread. |
1107 | */ |
1108 | void |
1109 | panic_with_thread_context(unsigned int reason, void *ctx, uint64_t debugger_options_mask, thread_t thread, const char *str, ...) |
1110 | { |
1111 | va_list panic_str_args; |
1112 | __assert_only os_ref_count_t th_ref_count; |
1113 | |
1114 | assert_thread_magic(thread); |
1115 | th_ref_count = os_ref_get_count_raw(&thread->ref_count); |
1116 | assertf(th_ref_count > 0, "panic_with_thread_context called with invalid thread %p with refcount %u" , thread, th_ref_count); |
1117 | |
1118 | /* Take a reference on the thread so it doesn't disappear by the time we try to backtrace it */ |
1119 | thread_reference(thread); |
1120 | |
1121 | va_start(panic_str_args, str); |
1122 | panic_trap_to_debugger(str, &panic_str_args, reason, ctx, ((debugger_options_mask & ~DEBUGGER_INTERNAL_OPTIONS_MASK) | DEBUGGER_INTERNAL_OPTION_THREAD_BACKTRACE), |
1123 | thread, (unsigned long)(char *)__builtin_return_address(0)); |
1124 | |
1125 | va_end(panic_str_args); |
1126 | } |
1127 | #endif /* defined (__x86_64__) */ |
1128 | |
1129 | #pragma clang diagnostic push |
1130 | #pragma clang diagnostic ignored "-Wmissing-noreturn" |
1131 | void |
1132 | panic_trap_to_debugger(const char *panic_format_str, va_list *panic_args, unsigned int reason, void *ctx, |
1133 | uint64_t panic_options_mask, void *panic_data_ptr, unsigned long panic_caller) |
1134 | { |
1135 | #pragma clang diagnostic pop |
1136 | |
1137 | #if defined(__x86_64__) && (DEVELOPMENT || DEBUG) |
1138 | read_lbr(); |
1139 | #endif |
1140 | |
1141 | #if CONFIG_SPTM |
1142 | /* |
1143 | * If SPTM has not itself already panicked, trigger a panic lockdown. This |
1144 | * check is necessary since attempting to re-enter the SPTM after it calls |
1145 | * panic will lead to a hang, which harms kernel field debugability. |
1146 | * |
1147 | * Whether or not this check can be subverted is murky. This doesn't really |
1148 | * matter, however, because any security critical panics events will have |
1149 | * already initiated lockdown before calling panic. Thus, lockdown from |
1150 | * panic itself is merely a "best effort". |
1151 | */ |
1152 | libsptm_error_t sptm_error = LIBSPTM_SUCCESS; |
1153 | bool sptm_has_panicked = false; |
1154 | if (((sptm_error = sptm_triggered_panic(&sptm_has_panicked)) == LIBSPTM_SUCCESS) && |
1155 | !sptm_has_panicked) { |
1156 | sptm_xnu_panic_begin(); |
1157 | } |
1158 | #endif /* CONFIG_SPTM */ |
1159 | |
1160 | /* optionally call sync, to reduce lost logs on restart, avoid on recursive panic. Unsafe due to unbounded sync() duration */ |
1161 | if ((panic_options_mask & DEBUGGER_OPTION_SYNC_ON_PANIC_UNSAFE) && (CPUDEBUGGERCOUNT == 0)) { |
1162 | sync(NULL, NULL, NULL); |
1163 | } |
1164 | |
1165 | /* Turn off I/O tracing once we've panicked */ |
1166 | iotrace_disable(); |
1167 | |
1168 | /* call machine-layer panic handler */ |
1169 | ml_panic_trap_to_debugger(panic_format_str, panic_args, reason, ctx, panic_options_mask, panic_caller); |
1170 | |
1171 | /* track depth of debugger/panic entry */ |
1172 | CPUDEBUGGERCOUNT++; |
1173 | |
1174 | /* emit a tracepoint as early as possible in case of hang */ |
1175 | SOCD_TRACE_XNU(PANIC, PACK_2X32(VALUE(cpu_number()), VALUE(CPUDEBUGGERCOUNT)), VALUE(panic_options_mask), ADDR(panic_format_str), ADDR(panic_caller)); |
1176 | |
1177 | /* do max nested panic/debugger check, this will report nesting to the console and spin forever if we exceed a limit */ |
1178 | check_and_handle_nested_panic(panic_options_mask, panic_caller, db_panic_str: panic_format_str, db_panic_args: panic_args); |
1179 | |
1180 | /* Handle any necessary platform specific actions before we proceed */ |
1181 | PEInitiatePanic(); |
1182 | |
1183 | #if DEVELOPMENT || DEBUG |
1184 | INJECT_NESTED_PANIC_IF_REQUESTED(PANIC_TEST_CASE_RECURPANIC_ENTRY); |
1185 | #endif |
1186 | |
1187 | PE_panic_hook(panic_format_str); |
1188 | |
1189 | #if defined (__x86_64__) |
1190 | plctrace_disable(); |
1191 | #endif |
1192 | |
1193 | if (write_trace_on_panic && kdebug_enable) { |
1194 | if (get_preemption_level() == 0 && !ml_at_interrupt_context()) { |
1195 | ml_set_interrupts_enabled(TRUE); |
1196 | KDBG_RELEASE(TRACE_PANIC); |
1197 | kdbg_dump_trace_to_file(KDBG_TRACE_PANIC_FILENAME, false); |
1198 | } |
1199 | } |
1200 | |
1201 | ml_set_interrupts_enabled(FALSE); |
1202 | disable_preemption(); |
1203 | |
1204 | #if defined (__x86_64__) |
1205 | pmSafeMode(x86_lcpu(), PM_SAFE_FL_SAFE); |
1206 | #endif /* defined (__x86_64__) */ |
1207 | |
1208 | /* Never hide pointers from panic logs. */ |
1209 | doprnt_hide_pointers = FALSE; |
1210 | |
1211 | if (ctx != NULL) { |
1212 | /* |
1213 | * We called into panic from a trap, no need to trap again. Set the |
1214 | * state on the current CPU and then jump to handle_debugger_trap. |
1215 | */ |
1216 | DebuggerSaveState(db_op: DBOP_PANIC, db_message: "panic" , |
1217 | db_panic_str: panic_format_str, db_panic_args: panic_args, |
1218 | db_panic_options: panic_options_mask, db_panic_data_ptr: panic_data_ptr, TRUE, db_panic_caller: panic_caller); |
1219 | handle_debugger_trap(exception: reason, code: 0, subcode: 0, state: ctx); |
1220 | } |
1221 | |
1222 | #if defined(__arm64__) && !APPLEVIRTUALPLATFORM |
1223 | /* |
1224 | * Signal to fastsim that it should open debug ports (nop on hardware) |
1225 | */ |
1226 | __asm__ volatile ("hint #0x45" ); |
1227 | #endif /* defined(__arm64__) && !APPLEVIRTUALPLATFORM */ |
1228 | |
1229 | DebuggerTrapWithState(db_op: DBOP_PANIC, db_message: "panic" , db_panic_str: panic_format_str, |
1230 | db_panic_args: panic_args, db_panic_options: panic_options_mask, db_panic_data_ptr: panic_data_ptr, TRUE, db_panic_caller: panic_caller); |
1231 | |
1232 | /* |
1233 | * Not reached. |
1234 | */ |
1235 | panic_stop(); |
1236 | __builtin_unreachable(); |
1237 | } |
1238 | |
1239 | void |
1240 | panic_spin_forever(void) |
1241 | { |
1242 | for (;;) { |
1243 | #if defined(__arm__) || defined(__arm64__) |
1244 | /* On arm32, which doesn't have a WFE timeout, this may not return. But that should be OK on this path. */ |
1245 | __builtin_arm_wfe(); |
1246 | #else |
1247 | cpu_pause(); |
1248 | #endif |
1249 | } |
1250 | } |
1251 | |
1252 | static void |
1253 | kdp_machine_reboot_type(unsigned int type, uint64_t debugger_flags) |
1254 | { |
1255 | if ((type == kPEPanicRestartCPU) && (debugger_flags & DEBUGGER_OPTION_SKIP_PANICEND_CALLOUTS)) { |
1256 | PEHaltRestart(type: kPEPanicRestartCPUNoCallouts); |
1257 | } else { |
1258 | PEHaltRestart(type); |
1259 | } |
1260 | halt_all_cpus(TRUE); |
1261 | } |
1262 | |
1263 | void |
1264 | kdp_machine_reboot(void) |
1265 | { |
1266 | kdp_machine_reboot_type(type: kPEPanicRestartCPU, debugger_flags: 0); |
1267 | } |
1268 | |
1269 | static __attribute__((unused)) void |
1270 | panic_debugger_log(const char *string, ...) |
1271 | { |
1272 | va_list panic_debugger_log_args; |
1273 | |
1274 | va_start(panic_debugger_log_args, string); |
1275 | #pragma clang diagnostic push |
1276 | #pragma clang diagnostic ignored "-Wformat-nonliteral" |
1277 | _doprnt(fmt: string, argp: &panic_debugger_log_args, putc: consdebug_putc, radix: 16); |
1278 | #pragma clang diagnostic pop |
1279 | va_end(panic_debugger_log_args); |
1280 | |
1281 | #if defined(__arm64__) |
1282 | paniclog_flush(); |
1283 | #endif |
1284 | } |
1285 | |
1286 | /* |
1287 | * Gather and save diagnostic information about a panic (or Debugger call). |
1288 | * |
1289 | * On embedded, Debugger and Panic are treated very similarly -- WDT uses Debugger so we can |
1290 | * theoretically return from it. On desktop, Debugger is treated as a conventional debugger -- i.e no |
1291 | * paniclog is written and no core is written unless we request a core on NMI. |
1292 | * |
1293 | * This routine handles kicking off local coredumps, paniclogs, calling into the Debugger/KDP (if it's configured), |
1294 | * and calling out to any other functions we have for collecting diagnostic info. |
1295 | */ |
1296 | static void |
1297 | debugger_collect_diagnostics(unsigned int exception, unsigned int code, unsigned int subcode, void *state) |
1298 | { |
1299 | #if DEVELOPMENT || DEBUG |
1300 | INJECT_NESTED_PANIC_IF_REQUESTED(PANIC_TEST_CASE_RECURPANIC_PRELOG); |
1301 | #endif |
1302 | |
1303 | #if defined(__x86_64__) |
1304 | kprintf("Debugger called: <%s>\n" , debugger_message ? debugger_message : "" ); |
1305 | #endif |
1306 | /* |
1307 | * DB_HALT (halt_in_debugger) can be requested on startup, we shouldn't generate |
1308 | * a coredump/paniclog for this type of debugger entry. If KDP isn't configured, |
1309 | * we'll just spin in kdp_raise_exception. |
1310 | */ |
1311 | if (debugger_current_op == DBOP_DEBUGGER && halt_in_debugger) { |
1312 | kdp_raise_exception(exception, code, subcode, saved_state: state); |
1313 | if (debugger_safe_to_return && !debugger_is_panic) { |
1314 | return; |
1315 | } |
1316 | } |
1317 | |
1318 | #ifdef CONFIG_KCOV |
1319 | /* Try not to break core dump path by sanitizer. */ |
1320 | kcov_panic_disable(); |
1321 | #endif |
1322 | |
1323 | if ((debugger_current_op == DBOP_PANIC) || |
1324 | ((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic)) { |
1325 | /* |
1326 | * Attempt to notify listeners once and only once that we've started |
1327 | * panicking. Only do this for Debugger() calls if we're treating |
1328 | * Debugger() calls like panic(). |
1329 | */ |
1330 | uint32_t panic_details = 0; |
1331 | /* if this is a force-reset panic then capture a log and reboot immediately. */ |
1332 | if (debugger_panic_options & DEBUGGER_OPTION_PANICLOGANDREBOOT) { |
1333 | panic_details |= kPanicDetailsForcePowerOff; |
1334 | } |
1335 | PEHaltRestartInternal(type: kPEPanicBegin, details: panic_details); |
1336 | |
1337 | /* |
1338 | * Set the begin pointer in the panic log structure. We key off of this |
1339 | * static variable rather than contents from the panic header itself in case someone |
1340 | * has stomped over the panic_info structure. Also initializes the header magic. |
1341 | */ |
1342 | static boolean_t began_writing_paniclog = FALSE; |
1343 | if (!began_writing_paniclog) { |
1344 | PE_init_panicheader(); |
1345 | began_writing_paniclog = TRUE; |
1346 | } |
1347 | |
1348 | if (CPUDEBUGGERCOUNT > 1) { |
1349 | /* |
1350 | * we are in a nested panic. Record the nested bit in panic flags and do some housekeeping |
1351 | */ |
1352 | PE_update_panicheader_nestedpanic(); |
1353 | paniclog_flush(); |
1354 | } |
1355 | } |
1356 | |
1357 | /* |
1358 | * Write panic string if this was a panic. |
1359 | * |
1360 | * TODO: Consider moving to SavePanicInfo as this is part of the panic log. |
1361 | */ |
1362 | if (debugger_current_op == DBOP_PANIC) { |
1363 | paniclog_append_noflush(format: "panic(cpu %u caller 0x%lx): " , (unsigned) cpu_number(), debugger_panic_caller); |
1364 | if (debugger_panic_str) { |
1365 | #pragma clang diagnostic push |
1366 | #pragma clang diagnostic ignored "-Wformat-nonliteral" |
1367 | _doprnt(fmt: debugger_panic_str, argp: debugger_panic_args, putc: consdebug_putc, radix: 0); |
1368 | #pragma clang diagnostic pop |
1369 | } |
1370 | paniclog_append_noflush(format: "\n" ); |
1371 | } |
1372 | #if defined(__x86_64__) |
1373 | else if (((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic)) { |
1374 | paniclog_append_noflush("Debugger called: <%s>\n" , debugger_message ? debugger_message : "" ); |
1375 | } |
1376 | |
1377 | /* |
1378 | * Debugger() is treated like panic() on embedded -- for example we use it for WDT |
1379 | * panics (so we need to write a paniclog). On desktop Debugger() is used in the |
1380 | * conventional sense. |
1381 | */ |
1382 | if (debugger_current_op == DBOP_PANIC || ((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic)) |
1383 | #endif /* __x86_64__ */ |
1384 | { |
1385 | kdp_callouts(event: KDP_EVENT_PANICLOG); |
1386 | |
1387 | /* |
1388 | * Write paniclog and panic stackshot (if supported) |
1389 | * TODO: Need to clear panic log when return from debugger |
1390 | * hooked up for embedded |
1391 | */ |
1392 | SavePanicInfo(message: debugger_message, panic_data: debugger_panic_data, panic_options: debugger_panic_options); |
1393 | |
1394 | #if DEVELOPMENT || DEBUG |
1395 | INJECT_NESTED_PANIC_IF_REQUESTED(PANIC_TEST_CASE_RECURPANIC_POSTLOG); |
1396 | #endif |
1397 | |
1398 | /* DEBUGGER_OPTION_PANICLOGANDREBOOT is used for two finger resets on embedded so we get a paniclog */ |
1399 | if (debugger_panic_options & DEBUGGER_OPTION_PANICLOGANDREBOOT) { |
1400 | PEHaltRestart(type: kPEPanicDiagnosticsDone); |
1401 | PEHaltRestart(type: kPEPanicRestartCPUNoCallouts); |
1402 | } |
1403 | } |
1404 | |
1405 | #if CONFIG_KDP_INTERACTIVE_DEBUGGING |
1406 | /* |
1407 | * If reboot on panic is enabled and the caller of panic indicated that we should skip |
1408 | * local coredumps, don't try to write these and instead go straight to reboot. This |
1409 | * allows us to persist any data that's stored in the panic log. |
1410 | */ |
1411 | if ((debugger_panic_options & DEBUGGER_OPTION_SKIP_LOCAL_COREDUMP) && |
1412 | (debug_boot_arg & DB_REBOOT_POST_CORE)) { |
1413 | PEHaltRestart(type: kPEPanicDiagnosticsDone); |
1414 | kdp_machine_reboot_type(type: kPEPanicRestartCPU, debugger_flags: debugger_panic_options); |
1415 | } |
1416 | |
1417 | /* |
1418 | * Consider generating a local corefile if the infrastructure is configured |
1419 | * and we haven't disabled on-device coredumps. |
1420 | */ |
1421 | if (on_device_corefile_enabled()) { |
1422 | #if CONFIG_SPTM |
1423 | /* We want to skip taking a local core dump if this is a panic from SPTM/TXM/cL4. */ |
1424 | extern uint8_t sptm_supports_local_coredump; |
1425 | bool sptm_interrupted = false; |
1426 | pmap_sptm_percpu_data_t *sptm_pcpu = PERCPU_GET(pmap_sptm_percpu); |
1427 | sptm_get_cpu_state(sptm_pcpu->sptm_cpu_id, CPUSTATE_SPTM_INTERRUPTED, &sptm_interrupted); |
1428 | #endif |
1429 | if (!kdp_has_polled_corefile()) { |
1430 | if (debug_boot_arg & (DB_KERN_DUMP_ON_PANIC | DB_KERN_DUMP_ON_NMI)) { |
1431 | paniclog_append_noflush(format: "skipping local kernel core because core file could not be opened prior to panic (mode : 0x%x, error : 0x%x)\n" , |
1432 | kdp_polled_corefile_mode(), kdp_polled_corefile_error()); |
1433 | #if defined(__arm64__) |
1434 | if (kdp_polled_corefile_mode() == kIOPolledCoreFileModeUnlinked) { |
1435 | panic_info->eph_panic_flags |= EMBEDDED_PANIC_HEADER_FLAG_COREFILE_UNLINKED; |
1436 | } |
1437 | panic_info->eph_panic_flags |= EMBEDDED_PANIC_HEADER_FLAG_COREDUMP_FAILED; |
1438 | paniclog_flush(); |
1439 | #else /* defined(__arm64__) */ |
1440 | if (panic_info->mph_panic_log_offset != 0) { |
1441 | if (kdp_polled_corefile_mode() == kIOPolledCoreFileModeUnlinked) { |
1442 | panic_info->mph_panic_flags |= MACOS_PANIC_HEADER_FLAG_COREFILE_UNLINKED; |
1443 | } |
1444 | panic_info->mph_panic_flags |= MACOS_PANIC_HEADER_FLAG_COREDUMP_FAILED; |
1445 | paniclog_flush(); |
1446 | } |
1447 | #endif /* defined(__arm64__) */ |
1448 | } |
1449 | } |
1450 | #if XNU_MONITOR |
1451 | else if (pmap_get_cpu_data()->ppl_state != PPL_STATE_KERNEL) { |
1452 | paniclog_append_noflush("skipping local kernel core because the PPL is not in KERNEL state\n" ); |
1453 | panic_info->eph_panic_flags |= EMBEDDED_PANIC_HEADER_FLAG_COREDUMP_FAILED; |
1454 | paniclog_flush(); |
1455 | } |
1456 | #elif CONFIG_SPTM |
1457 | else if (!sptm_supports_local_coredump) { |
1458 | paniclog_append_noflush("skipping local kernel core because the SPTM is in PANIC state and can't support core dump generation\n" ); |
1459 | panic_info->eph_panic_flags |= EMBEDDED_PANIC_HEADER_FLAG_COREDUMP_FAILED; |
1460 | paniclog_flush(); |
1461 | } else if (sptm_interrupted) { |
1462 | paniclog_append_noflush("skipping local kernel core because the SPTM is in INTERRUPTED state and can't support core dump generation\n" ); |
1463 | panic_info->eph_panic_flags |= EMBEDDED_PANIC_HEADER_FLAG_COREDUMP_FAILED; |
1464 | paniclog_flush(); |
1465 | } |
1466 | #endif /* XNU_MONITOR */ |
1467 | else { |
1468 | int ret = -1; |
1469 | |
1470 | #if defined (__x86_64__) |
1471 | /* On x86 we don't do a coredump on Debugger unless the DB_KERN_DUMP_ON_NMI boot-arg is specified. */ |
1472 | if (debugger_current_op != DBOP_DEBUGGER || (debug_boot_arg & DB_KERN_DUMP_ON_NMI)) |
1473 | #endif |
1474 | { |
1475 | /* |
1476 | * Doing an on-device coredump leaves the disk driver in a state |
1477 | * that can not be resumed. |
1478 | */ |
1479 | debugger_safe_to_return = FALSE; |
1480 | begin_panic_transfer(); |
1481 | ret = kern_dump(kd_variant: KERN_DUMP_DISK); |
1482 | abort_panic_transfer(); |
1483 | |
1484 | #if DEVELOPMENT || DEBUG |
1485 | INJECT_NESTED_PANIC_IF_REQUESTED(PANIC_TEST_CASE_RECURPANIC_POSTCORE); |
1486 | #endif |
1487 | } |
1488 | |
1489 | /* |
1490 | * If DB_REBOOT_POST_CORE is set, then reboot if coredump is sucessfully saved |
1491 | * or if option to ignore failures is set. |
1492 | */ |
1493 | if ((debug_boot_arg & DB_REBOOT_POST_CORE) && |
1494 | ((ret == 0) || (debugger_panic_options & DEBUGGER_OPTION_ATTEMPTCOREDUMPANDREBOOT))) { |
1495 | PEHaltRestart(type: kPEPanicDiagnosticsDone); |
1496 | kdp_machine_reboot_type(type: kPEPanicRestartCPU, debugger_flags: debugger_panic_options); |
1497 | } |
1498 | } |
1499 | } |
1500 | |
1501 | if (debugger_current_op == DBOP_PANIC || |
1502 | ((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic)) { |
1503 | PEHaltRestart(type: kPEPanicDiagnosticsDone); |
1504 | } |
1505 | |
1506 | if (debug_boot_arg & DB_REBOOT_ALWAYS) { |
1507 | kdp_machine_reboot_type(type: kPEPanicRestartCPU, debugger_flags: debugger_panic_options); |
1508 | } |
1509 | |
1510 | /* If KDP is configured, try to trap to the debugger */ |
1511 | #if defined(__arm64__) |
1512 | if (kdp_explicitly_requested && (current_debugger != NO_CUR_DB)) { |
1513 | #else |
1514 | if (current_debugger != NO_CUR_DB) { |
1515 | #endif |
1516 | kdp_raise_exception(exception, code, subcode, saved_state: state); |
1517 | /* |
1518 | * Only return if we entered via Debugger and it's safe to return |
1519 | * (we halted the other cores successfully, this isn't a nested panic, etc) |
1520 | */ |
1521 | if (debugger_current_op == DBOP_DEBUGGER && |
1522 | debugger_safe_to_return && |
1523 | kernel_debugger_entry_count == 1 && |
1524 | !debugger_is_panic) { |
1525 | return; |
1526 | } |
1527 | } |
1528 | |
1529 | #if defined(__arm64__) |
1530 | if (PE_i_can_has_debugger(NULL) && panicDebugging) { |
1531 | /* |
1532 | * Print panic string at the end of serial output |
1533 | * to make panic more obvious when someone connects a debugger |
1534 | */ |
1535 | if (debugger_panic_str) { |
1536 | panic_debugger_log(string: "Original panic string:\n" ); |
1537 | panic_debugger_log(string: "panic(cpu %u caller 0x%lx): " , (unsigned) cpu_number(), debugger_panic_caller); |
1538 | #pragma clang diagnostic push |
1539 | #pragma clang diagnostic ignored "-Wformat-nonliteral" |
1540 | _doprnt(fmt: debugger_panic_str, argp: debugger_panic_args, putc: consdebug_putc, radix: 0); |
1541 | #pragma clang diagnostic pop |
1542 | panic_debugger_log(string: "\n" ); |
1543 | } |
1544 | |
1545 | /* If panic debugging is configured and we're on a dev fused device, spin for astris to connect */ |
1546 | panic_spin_shmcon(); |
1547 | } |
1548 | #endif /* defined(__arm64__) */ |
1549 | |
1550 | #else /* CONFIG_KDP_INTERACTIVE_DEBUGGING */ |
1551 | |
1552 | PEHaltRestart(kPEPanicDiagnosticsDone); |
1553 | |
1554 | #endif /* CONFIG_KDP_INTERACTIVE_DEBUGGING */ |
1555 | |
1556 | if (!panicDebugging) { |
1557 | kdp_machine_reboot_type(type: kPEPanicRestartCPU, debugger_flags: debugger_panic_options); |
1558 | } |
1559 | |
1560 | paniclog_append_noflush(format: "\nPlease go to https://panic.apple.com to report this panic\n" ); |
1561 | panic_spin_forever(); |
1562 | } |
1563 | |
1564 | #if SCHED_HYGIENE_DEBUG |
1565 | uint64_t debugger_trap_timestamps[9]; |
1566 | # define DEBUGGER_TRAP_TIMESTAMP(i) debugger_trap_timestamps[i] = mach_absolute_time(); |
1567 | #else |
1568 | # define DEBUGGER_TRAP_TIMESTAMP(i) |
1569 | #endif /* SCHED_HYGIENE_DEBUG */ |
1570 | |
1571 | void |
1572 | handle_debugger_trap(unsigned int exception, unsigned int code, unsigned int subcode, void *state) |
1573 | { |
1574 | unsigned int initial_not_in_kdp = not_in_kdp; |
1575 | kern_return_t ret; |
1576 | debugger_op db_prev_op = debugger_current_op; |
1577 | |
1578 | DEBUGGER_TRAP_TIMESTAMP(0); |
1579 | |
1580 | DebuggerLock(); |
1581 | ret = DebuggerHaltOtherCores(CPUDEBUGGERSYNC, is_stackshot: (CPUDEBUGGEROP == DBOP_STACKSHOT)); |
1582 | |
1583 | DEBUGGER_TRAP_TIMESTAMP(1); |
1584 | |
1585 | #if SCHED_HYGIENE_DEBUG |
1586 | if (serialmode & SERIALMODE_OUTPUT) { |
1587 | ml_spin_debug_reset(current_thread()); |
1588 | } |
1589 | #endif /* SCHED_HYGIENE_DEBUG */ |
1590 | if (ret != KERN_SUCCESS) { |
1591 | CPUDEBUGGERRET = ret; |
1592 | DebuggerUnlock(); |
1593 | return; |
1594 | } |
1595 | |
1596 | /* Update the global panic/debugger nested entry level */ |
1597 | kernel_debugger_entry_count = CPUDEBUGGERCOUNT; |
1598 | if (kernel_debugger_entry_count > 0) { |
1599 | console_suspend(); |
1600 | } |
1601 | |
1602 | /* |
1603 | * TODO: Should we do anything special for nested panics here? i.e. if we've trapped more than twice |
1604 | * should we call into the debugger if it's configured and then reboot if the panic log has been written? |
1605 | */ |
1606 | |
1607 | if (CPUDEBUGGEROP == DBOP_NONE) { |
1608 | /* If there was no debugger context setup, we trapped due to a software breakpoint */ |
1609 | debugger_current_op = DBOP_BREAKPOINT; |
1610 | } else { |
1611 | /* Not safe to return from a nested panic/debugger call */ |
1612 | if (debugger_current_op == DBOP_PANIC || |
1613 | debugger_current_op == DBOP_DEBUGGER) { |
1614 | debugger_safe_to_return = FALSE; |
1615 | } |
1616 | |
1617 | debugger_current_op = CPUDEBUGGEROP; |
1618 | |
1619 | /* Only overwrite the panic message if there is none already - save the data from the first call */ |
1620 | if (debugger_panic_str == NULL) { |
1621 | debugger_panic_str = CPUPANICSTR; |
1622 | debugger_panic_args = CPUPANICARGS; |
1623 | debugger_panic_data = CPUPANICDATAPTR; |
1624 | debugger_message = CPUDEBUGGERMSG; |
1625 | debugger_panic_caller = CPUPANICCALLER; |
1626 | } |
1627 | |
1628 | debugger_panic_options = CPUPANICOPTS; |
1629 | } |
1630 | |
1631 | /* |
1632 | * Clear the op from the processor debugger context so we can handle |
1633 | * breakpoints in the debugger |
1634 | */ |
1635 | CPUDEBUGGEROP = DBOP_NONE; |
1636 | |
1637 | DEBUGGER_TRAP_TIMESTAMP(2); |
1638 | |
1639 | kdp_callouts(event: KDP_EVENT_ENTER); |
1640 | not_in_kdp = 0; |
1641 | |
1642 | DEBUGGER_TRAP_TIMESTAMP(3); |
1643 | |
1644 | #if defined(__arm64__) && CONFIG_KDP_INTERACTIVE_DEBUGGING |
1645 | shmem_mark_as_busy(); |
1646 | #endif |
1647 | |
1648 | if (debugger_current_op == DBOP_BREAKPOINT) { |
1649 | kdp_raise_exception(exception, code, subcode, saved_state: state); |
1650 | } else if (debugger_current_op == DBOP_STACKSHOT) { |
1651 | CPUDEBUGGERRET = do_stackshot(); |
1652 | #if PGO |
1653 | } else if (debugger_current_op == DBOP_RESET_PGO_COUNTERS) { |
1654 | CPUDEBUGGERRET = do_pgo_reset_counters(); |
1655 | #endif |
1656 | } else { |
1657 | /* note: this is the panic path... */ |
1658 | #if CONFIG_SPTM |
1659 | /* |
1660 | * Debug trap panics do not go through the standard panic flows so we |
1661 | * have to notify the SPTM that we're going down now. This is not so |
1662 | * much for security (critical cases are handled elsewhere) but rather |
1663 | * to just keep the SPTM bit in sync with the actual XNU state. |
1664 | */ |
1665 | bool sptm_has_panicked = false; |
1666 | if (sptm_triggered_panic(&sptm_has_panicked) == LIBSPTM_SUCCESS && |
1667 | !sptm_has_panicked) { |
1668 | sptm_xnu_panic_begin(); |
1669 | } |
1670 | #endif /* CONFIG_SPTM */ |
1671 | #if defined(__arm64__) && (DEBUG || DEVELOPMENT) |
1672 | if (!PE_arm_debug_and_trace_initialized()) { |
1673 | paniclog_append_noflush("kernel panicked before debug and trace infrastructure initialized!\n" |
1674 | "spinning forever...\n" ); |
1675 | panic_spin_forever(); |
1676 | } |
1677 | #endif |
1678 | debugger_collect_diagnostics(exception, code, subcode, state); |
1679 | } |
1680 | |
1681 | #if defined(__arm64__) && CONFIG_KDP_INTERACTIVE_DEBUGGING |
1682 | shmem_unmark_as_busy(); |
1683 | #endif |
1684 | |
1685 | DEBUGGER_TRAP_TIMESTAMP(4); |
1686 | |
1687 | not_in_kdp = initial_not_in_kdp; |
1688 | kdp_callouts(event: KDP_EVENT_EXIT); |
1689 | |
1690 | DEBUGGER_TRAP_TIMESTAMP(5); |
1691 | |
1692 | if (debugger_current_op != DBOP_BREAKPOINT) { |
1693 | debugger_panic_str = NULL; |
1694 | debugger_panic_args = NULL; |
1695 | debugger_panic_data = NULL; |
1696 | debugger_panic_options = 0; |
1697 | debugger_message = NULL; |
1698 | } |
1699 | |
1700 | /* Restore the previous debugger state */ |
1701 | debugger_current_op = db_prev_op; |
1702 | |
1703 | DEBUGGER_TRAP_TIMESTAMP(6); |
1704 | |
1705 | DebuggerResumeOtherCores(); |
1706 | |
1707 | DEBUGGER_TRAP_TIMESTAMP(7); |
1708 | |
1709 | DebuggerUnlock(); |
1710 | |
1711 | DEBUGGER_TRAP_TIMESTAMP(8); |
1712 | |
1713 | return; |
1714 | } |
1715 | |
1716 | __attribute__((noinline, not_tail_called)) |
1717 | void |
1718 | log(__unused int level, char *fmt, ...) |
1719 | { |
1720 | void *caller = __builtin_return_address(0); |
1721 | va_list listp; |
1722 | va_list listp2; |
1723 | |
1724 | |
1725 | #ifdef lint |
1726 | level++; |
1727 | #endif /* lint */ |
1728 | #ifdef MACH_BSD |
1729 | va_start(listp, fmt); |
1730 | va_copy(listp2, listp); |
1731 | |
1732 | disable_preemption(); |
1733 | _doprnt(fmt, argp: &listp, putc: cons_putc_locked, radix: 0); |
1734 | enable_preemption(); |
1735 | |
1736 | va_end(listp); |
1737 | |
1738 | #pragma clang diagnostic push |
1739 | #pragma clang diagnostic ignored "-Wformat-nonliteral" |
1740 | os_log_with_args(OS_LOG_DEFAULT, type: OS_LOG_TYPE_DEFAULT, format: fmt, args: listp2, ret_addr: caller); |
1741 | #pragma clang diagnostic pop |
1742 | va_end(listp2); |
1743 | #endif |
1744 | } |
1745 | |
1746 | /* |
1747 | * Per <rdar://problem/24974766>, skip appending log messages to |
1748 | * the new logging infrastructure in contexts where safety is |
1749 | * uncertain. These contexts include: |
1750 | * - When we're in the debugger |
1751 | * - We're in a panic |
1752 | * - Interrupts are disabled |
1753 | * - Or Pre-emption is disabled |
1754 | * In all the above cases, it is potentially unsafe to log messages. |
1755 | */ |
1756 | |
1757 | boolean_t |
1758 | oslog_is_safe(void) |
1759 | { |
1760 | return kernel_debugger_entry_count == 0 && |
1761 | not_in_kdp == 1 && |
1762 | get_preemption_level() == 0 && |
1763 | ml_get_interrupts_enabled() == TRUE; |
1764 | } |
1765 | |
1766 | boolean_t |
1767 | debug_mode_active(void) |
1768 | { |
1769 | return (0 != kernel_debugger_entry_count != 0) || (0 == not_in_kdp); |
1770 | } |
1771 | |
1772 | void |
1773 | debug_putc(char c) |
1774 | { |
1775 | if ((debug_buf_size != 0) && |
1776 | ((debug_buf_ptr - debug_buf_base) < (int)debug_buf_size) && |
1777 | (!is_debug_ptr_in_ext_paniclog())) { |
1778 | *debug_buf_ptr = c; |
1779 | debug_buf_ptr++; |
1780 | } |
1781 | } |
1782 | |
1783 | #if defined (__x86_64__) |
1784 | struct pasc { |
1785 | unsigned a: 7; |
1786 | unsigned b: 7; |
1787 | unsigned c: 7; |
1788 | unsigned d: 7; |
1789 | unsigned e: 7; |
1790 | unsigned f: 7; |
1791 | unsigned g: 7; |
1792 | unsigned h: 7; |
1793 | } __attribute__((packed)); |
1794 | |
1795 | typedef struct pasc pasc_t; |
1796 | |
1797 | /* |
1798 | * In-place packing routines -- inefficient, but they're called at most once. |
1799 | * Assumes "buflen" is a multiple of 8. Used for compressing paniclogs on x86. |
1800 | */ |
1801 | int |
1802 | packA(char *inbuf, uint32_t length, uint32_t buflen) |
1803 | { |
1804 | unsigned int i, j = 0; |
1805 | pasc_t pack; |
1806 | |
1807 | length = MIN(((length + 7) & ~7), buflen); |
1808 | |
1809 | for (i = 0; i < length; i += 8) { |
1810 | pack.a = inbuf[i]; |
1811 | pack.b = inbuf[i + 1]; |
1812 | pack.c = inbuf[i + 2]; |
1813 | pack.d = inbuf[i + 3]; |
1814 | pack.e = inbuf[i + 4]; |
1815 | pack.f = inbuf[i + 5]; |
1816 | pack.g = inbuf[i + 6]; |
1817 | pack.h = inbuf[i + 7]; |
1818 | bcopy((char *) &pack, inbuf + j, 7); |
1819 | j += 7; |
1820 | } |
1821 | return j; |
1822 | } |
1823 | |
1824 | void |
1825 | unpackA(char *inbuf, uint32_t length) |
1826 | { |
1827 | pasc_t packs; |
1828 | unsigned i = 0; |
1829 | length = (length * 8) / 7; |
1830 | |
1831 | while (i < length) { |
1832 | packs = *(pasc_t *)&inbuf[i]; |
1833 | bcopy(&inbuf[i + 7], &inbuf[i + 8], MAX(0, (int) (length - i - 8))); |
1834 | inbuf[i++] = packs.a; |
1835 | inbuf[i++] = packs.b; |
1836 | inbuf[i++] = packs.c; |
1837 | inbuf[i++] = packs.d; |
1838 | inbuf[i++] = packs.e; |
1839 | inbuf[i++] = packs.f; |
1840 | inbuf[i++] = packs.g; |
1841 | inbuf[i++] = packs.h; |
1842 | } |
1843 | } |
1844 | #endif /* defined (__x86_64__) */ |
1845 | |
1846 | extern char *proc_name_address(void *); |
1847 | extern char *proc_longname_address(void *); |
1848 | |
1849 | __private_extern__ void |
1850 | panic_display_process_name(void) |
1851 | { |
1852 | proc_name_t proc_name = {}; |
1853 | struct proc *cbsd_info = NULL; |
1854 | task_t ctask = NULL; |
1855 | vm_size_t size; |
1856 | |
1857 | if (!panic_get_thread_proc_task(thread: current_thread(), task: &ctask, proc: &cbsd_info)) { |
1858 | goto out; |
1859 | } |
1860 | |
1861 | if (cbsd_info == NULL) { |
1862 | goto out; |
1863 | } |
1864 | |
1865 | size = ml_nofault_copy(virtsrc: (vm_offset_t)proc_longname_address(cbsd_info), |
1866 | virtdst: (vm_offset_t)&proc_name, size: sizeof(proc_name)); |
1867 | |
1868 | if (size == 0 || proc_name[0] == '\0') { |
1869 | size = ml_nofault_copy(virtsrc: (vm_offset_t)proc_name_address(cbsd_info), |
1870 | virtdst: (vm_offset_t)&proc_name, |
1871 | MIN(sizeof(command_t), sizeof(proc_name))); |
1872 | if (size > 0) { |
1873 | proc_name[size - 1] = '\0'; |
1874 | } |
1875 | } |
1876 | |
1877 | out: |
1878 | proc_name[sizeof(proc_name) - 1] = '\0'; |
1879 | paniclog_append_noflush(format: "\nProcess name corresponding to current thread (%p): %s\n" , |
1880 | current_thread(), proc_name[0] != '\0' ? proc_name : "Unknown" ); |
1881 | } |
1882 | |
1883 | unsigned |
1884 | panic_active(void) |
1885 | { |
1886 | return debugger_current_op == DBOP_PANIC || |
1887 | (debugger_current_op == DBOP_DEBUGGER && debugger_is_panic); |
1888 | } |
1889 | |
1890 | void |
1891 | populate_model_name(char *model_string) |
1892 | { |
1893 | strlcpy(dst: model_name, src: model_string, n: sizeof(model_name)); |
1894 | } |
1895 | |
1896 | void |
1897 | panic_display_model_name(void) |
1898 | { |
1899 | char tmp_model_name[sizeof(model_name)]; |
1900 | |
1901 | if (ml_nofault_copy(virtsrc: (vm_offset_t) &model_name, virtdst: (vm_offset_t) &tmp_model_name, size: sizeof(model_name)) != sizeof(model_name)) { |
1902 | return; |
1903 | } |
1904 | |
1905 | tmp_model_name[sizeof(tmp_model_name) - 1] = '\0'; |
1906 | |
1907 | if (tmp_model_name[0] != 0) { |
1908 | paniclog_append_noflush(format: "System model name: %s\n" , tmp_model_name); |
1909 | } |
1910 | } |
1911 | |
1912 | void |
1913 | panic_display_kernel_uuid(void) |
1914 | { |
1915 | char tmp_kernel_uuid[sizeof(kernel_uuid_string)]; |
1916 | |
1917 | if (ml_nofault_copy(virtsrc: (vm_offset_t) &kernel_uuid_string, virtdst: (vm_offset_t) &tmp_kernel_uuid, size: sizeof(kernel_uuid_string)) != sizeof(kernel_uuid_string)) { |
1918 | return; |
1919 | } |
1920 | |
1921 | if (tmp_kernel_uuid[0] != '\0') { |
1922 | paniclog_append_noflush(format: "Kernel UUID: %s\n" , tmp_kernel_uuid); |
1923 | } |
1924 | } |
1925 | |
1926 | #if CONFIG_SPTM |
1927 | static void |
1928 | panic_display_component_uuid(char const *component_name, void *component_address) |
1929 | { |
1930 | uuid_t *component_uuid; |
1931 | unsigned long component_uuid_len = 0; |
1932 | uuid_string_t component_uuid_string; |
1933 | |
1934 | component_uuid = getuuidfromheader((kernel_mach_header_t *)component_address, &component_uuid_len); |
1935 | |
1936 | if (component_uuid != NULL && component_uuid_len == sizeof(uuid_t)) { |
1937 | uuid_unparse_upper(*component_uuid, component_uuid_string); |
1938 | paniclog_append_noflush("%s UUID: %s\n" , component_name, component_uuid_string); |
1939 | } |
1940 | } |
1941 | #endif /* CONFIG_SPTM */ |
1942 | |
1943 | void |
1944 | panic_display_kernel_aslr(void) |
1945 | { |
1946 | #if CONFIG_SPTM |
1947 | { |
1948 | struct debug_header const *dh = SPTMArgs->debug_header; |
1949 | |
1950 | paniclog_append_noflush("Debug Header address: %p\n" , dh); |
1951 | |
1952 | if (dh != NULL) { |
1953 | void *component_address; |
1954 | |
1955 | paniclog_append_noflush("Debug Header entry count: %d\n" , dh->count); |
1956 | |
1957 | switch (dh->count) { |
1958 | default: // 3 or more |
1959 | component_address = dh->image[DEBUG_HEADER_ENTRY_TXM]; |
1960 | paniclog_append_noflush("TXM load address: %p\n" , component_address); |
1961 | |
1962 | panic_display_component_uuid("TXM" , component_address); |
1963 | OS_FALLTHROUGH; |
1964 | case 2: |
1965 | component_address = dh->image[DEBUG_HEADER_ENTRY_XNU]; |
1966 | paniclog_append_noflush("Debug Header kernelcache load address: %p\n" , component_address); |
1967 | |
1968 | panic_display_component_uuid("Debug Header kernelcache" , component_address); |
1969 | OS_FALLTHROUGH; |
1970 | case 1: |
1971 | component_address = dh->image[DEBUG_HEADER_ENTRY_SPTM]; |
1972 | paniclog_append_noflush("SPTM load address: %p\n" , component_address); |
1973 | |
1974 | panic_display_component_uuid("SPTM" , component_address); |
1975 | OS_FALLTHROUGH; |
1976 | case 0: |
1977 | ; // nothing to print |
1978 | } |
1979 | } |
1980 | } |
1981 | #endif /* CONFIG_SPTM */ |
1982 | |
1983 | kc_format_t kc_format; |
1984 | |
1985 | PE_get_primary_kc_format(type: &kc_format); |
1986 | |
1987 | if (kc_format == KCFormatFileset) { |
1988 | void *kch = PE_get_kc_header(type: KCKindPrimary); |
1989 | paniclog_append_noflush(format: "KernelCache slide: 0x%016lx\n" , (unsigned long) vm_kernel_slide); |
1990 | paniclog_append_noflush(format: "KernelCache base: %p\n" , (void*) kch); |
1991 | paniclog_append_noflush(format: "Kernel slide: 0x%016lx\n" , vm_kernel_stext - (unsigned long)kch + vm_kernel_slide); |
1992 | paniclog_append_noflush(format: "Kernel text base: %p\n" , (void *) vm_kernel_stext); |
1993 | #if defined(__arm64__) |
1994 | extern vm_offset_t segTEXTEXECB; |
1995 | paniclog_append_noflush(format: "Kernel text exec slide: 0x%016lx\n" , (unsigned long)segTEXTEXECB - (unsigned long)kch + vm_kernel_slide); |
1996 | paniclog_append_noflush(format: "Kernel text exec base: 0x%016lx\n" , (unsigned long)segTEXTEXECB); |
1997 | #endif /* defined(__arm64__) */ |
1998 | } else if (vm_kernel_slide) { |
1999 | paniclog_append_noflush(format: "Kernel slide: 0x%016lx\n" , (unsigned long) vm_kernel_slide); |
2000 | paniclog_append_noflush(format: "Kernel text base: %p\n" , (void *)vm_kernel_stext); |
2001 | } else { |
2002 | paniclog_append_noflush(format: "Kernel text base: %p\n" , (void *)vm_kernel_stext); |
2003 | } |
2004 | } |
2005 | |
2006 | void |
2007 | panic_display_hibb(void) |
2008 | { |
2009 | #if defined(__i386__) || defined (__x86_64__) |
2010 | paniclog_append_noflush("__HIB text base: %p\n" , (void *) vm_hib_base); |
2011 | #endif |
2012 | } |
2013 | |
2014 | #if CONFIG_ECC_LOGGING |
2015 | __private_extern__ void |
2016 | panic_display_ecc_errors(void) |
2017 | { |
2018 | uint32_t count = ecc_log_get_correction_count(); |
2019 | |
2020 | if (count > 0) { |
2021 | paniclog_append_noflush(format: "ECC Corrections:%u\n" , count); |
2022 | } |
2023 | } |
2024 | #endif /* CONFIG_ECC_LOGGING */ |
2025 | |
2026 | #if CONFIG_FREEZE |
2027 | extern bool freezer_incore_cseg_acct; |
2028 | extern int32_t c_segment_pages_compressed_incore; |
2029 | #endif |
2030 | |
2031 | extern uint32_t c_segment_pages_compressed; |
2032 | extern uint32_t c_segment_count; |
2033 | extern uint32_t c_segments_limit; |
2034 | extern uint32_t c_segment_pages_compressed_limit; |
2035 | extern uint32_t c_segment_pages_compressed_nearing_limit; |
2036 | extern uint32_t c_segments_nearing_limit; |
2037 | extern int vm_num_swap_files; |
2038 | |
2039 | void |
2040 | panic_display_compressor_stats(void) |
2041 | { |
2042 | int isswaplow = vm_swap_low_on_space(); |
2043 | #if CONFIG_FREEZE |
2044 | uint32_t incore_seg_count; |
2045 | uint32_t incore_compressed_pages; |
2046 | if (freezer_incore_cseg_acct) { |
2047 | incore_seg_count = c_segment_count - c_swappedout_count - c_swappedout_sparse_count; |
2048 | incore_compressed_pages = c_segment_pages_compressed_incore; |
2049 | } else { |
2050 | incore_seg_count = c_segment_count; |
2051 | incore_compressed_pages = c_segment_pages_compressed; |
2052 | } |
2053 | |
2054 | paniclog_append_noflush("Compressor Info: %u%% of compressed pages limit (%s) and %u%% of segments limit (%s) with %d swapfiles and %s swap space\n" , |
2055 | (incore_compressed_pages * 100) / c_segment_pages_compressed_limit, |
2056 | (incore_compressed_pages > c_segment_pages_compressed_nearing_limit) ? "BAD" :"OK" , |
2057 | (incore_seg_count * 100) / c_segments_limit, |
2058 | (incore_seg_count > c_segments_nearing_limit) ? "BAD" :"OK" , |
2059 | vm_num_swap_files, |
2060 | isswaplow ? "LOW" :"OK" ); |
2061 | #else /* CONFIG_FREEZE */ |
2062 | paniclog_append_noflush(format: "Compressor Info: %u%% of compressed pages limit (%s) and %u%% of segments limit (%s) with %d swapfiles and %s swap space\n" , |
2063 | (c_segment_pages_compressed * 100) / c_segment_pages_compressed_limit, |
2064 | (c_segment_pages_compressed > c_segment_pages_compressed_nearing_limit) ? "BAD" :"OK" , |
2065 | (c_segment_count * 100) / c_segments_limit, |
2066 | (c_segment_count > c_segments_nearing_limit) ? "BAD" :"OK" , |
2067 | vm_num_swap_files, |
2068 | isswaplow ? "LOW" :"OK" ); |
2069 | #endif /* CONFIG_FREEZE */ |
2070 | } |
2071 | |
2072 | #if !CONFIG_TELEMETRY |
2073 | int |
2074 | telemetry_gather(user_addr_t buffer __unused, uint32_t *length __unused, bool mark __unused) |
2075 | { |
2076 | return KERN_NOT_SUPPORTED; |
2077 | } |
2078 | #endif |
2079 | |
2080 | #include <machine/machine_cpu.h> |
2081 | |
2082 | TUNABLE(uint32_t, kern_feature_overrides, "validation_disables" , 0); |
2083 | |
2084 | boolean_t |
2085 | kern_feature_override(uint32_t fmask) |
2086 | { |
2087 | return (kern_feature_overrides & fmask) == fmask; |
2088 | } |
2089 | |
2090 | boolean_t |
2091 | on_device_corefile_enabled(void) |
2092 | { |
2093 | assert(startup_phase >= STARTUP_SUB_TUNABLES); |
2094 | #if CONFIG_KDP_INTERACTIVE_DEBUGGING |
2095 | if (debug_boot_arg == 0) { |
2096 | return FALSE; |
2097 | } |
2098 | if (debug_boot_arg & DB_DISABLE_LOCAL_CORE) { |
2099 | return FALSE; |
2100 | } |
2101 | #if !XNU_TARGET_OS_OSX |
2102 | /* |
2103 | * outside of macOS, if there's a debug boot-arg set and local |
2104 | * cores aren't explicitly disabled, we always write a corefile. |
2105 | */ |
2106 | return TRUE; |
2107 | #else /* !XNU_TARGET_OS_OSX */ |
2108 | /* |
2109 | * on macOS, if corefiles on panic are requested and local cores |
2110 | * aren't disabled we write a local core. |
2111 | */ |
2112 | if (debug_boot_arg & (DB_KERN_DUMP_ON_NMI | DB_KERN_DUMP_ON_PANIC)) { |
2113 | return TRUE; |
2114 | } |
2115 | #endif /* !XNU_TARGET_OS_OSX */ |
2116 | #endif /* CONFIG_KDP_INTERACTIVE_DEBUGGING */ |
2117 | return FALSE; |
2118 | } |
2119 | |
2120 | boolean_t |
2121 | panic_stackshot_to_disk_enabled(void) |
2122 | { |
2123 | assert(startup_phase >= STARTUP_SUB_TUNABLES); |
2124 | #if defined(__x86_64__) |
2125 | if (PEGetCoprocessorVersion() < kCoprocessorVersion2) { |
2126 | /* Only enabled on pre-Gibraltar machines where it hasn't been disabled explicitly */ |
2127 | if ((debug_boot_arg != 0) && (debug_boot_arg & DB_DISABLE_STACKSHOT_TO_DISK)) { |
2128 | return FALSE; |
2129 | } |
2130 | |
2131 | return TRUE; |
2132 | } |
2133 | #endif |
2134 | return FALSE; |
2135 | } |
2136 | |
2137 | const char * |
2138 | sysctl_debug_get_preoslog(size_t *size) |
2139 | { |
2140 | int result = 0; |
2141 | void *preoslog_pa = NULL; |
2142 | int preoslog_size = 0; |
2143 | |
2144 | result = IODTGetLoaderInfo(key: "preoslog" , infoAddr: &preoslog_pa, infosize: &preoslog_size); |
2145 | if (result || preoslog_pa == NULL || preoslog_size == 0) { |
2146 | kprintf(fmt: "Couldn't obtain preoslog region: result = %d, preoslog_pa = %p, preoslog_size = %d\n" , result, preoslog_pa, preoslog_size); |
2147 | *size = 0; |
2148 | return NULL; |
2149 | } |
2150 | |
2151 | /* |
2152 | * Beware: |
2153 | * On release builds, we would need to call IODTFreeLoaderInfo("preoslog", preoslog_pa, preoslog_size) to free the preoslog buffer. |
2154 | * On Development & Debug builds, we retain the buffer so it can be extracted from coredumps. |
2155 | */ |
2156 | *size = preoslog_size; |
2157 | return (char *)(ml_static_ptovirt((vm_offset_t)(preoslog_pa))); |
2158 | } |
2159 | |
2160 | void |
2161 | sysctl_debug_free_preoslog(void) |
2162 | { |
2163 | #if RELEASE |
2164 | int result = 0; |
2165 | void *preoslog_pa = NULL; |
2166 | int preoslog_size = 0; |
2167 | |
2168 | result = IODTGetLoaderInfo("preoslog" , &preoslog_pa, &preoslog_size); |
2169 | if (result || preoslog_pa == NULL || preoslog_size == 0) { |
2170 | kprintf("Couldn't obtain preoslog region: result = %d, preoslog_pa = %p, preoslog_size = %d\n" , result, preoslog_pa, preoslog_size); |
2171 | return; |
2172 | } |
2173 | |
2174 | IODTFreeLoaderInfo("preoslog" , preoslog_pa, preoslog_size); |
2175 | #else |
2176 | /* On Development & Debug builds, we retain the buffer so it can be extracted from coredumps. */ |
2177 | #endif // RELEASE |
2178 | } |
2179 | |
2180 | |
2181 | #if (DEVELOPMENT || DEBUG) |
2182 | |
2183 | void |
2184 | platform_stall_panic_or_spin(uint32_t req) |
2185 | { |
2186 | if (xnu_platform_stall_value & req) { |
2187 | if (xnu_platform_stall_value & PLATFORM_STALL_XNU_ACTION_PANIC) { |
2188 | panic("Platform stall: User requested panic" ); |
2189 | } else { |
2190 | paniclog_append_noflush("\nUser requested platform stall. Stall Code: 0x%x" , req); |
2191 | panic_spin_forever(); |
2192 | } |
2193 | } |
2194 | } |
2195 | #endif |
2196 | |
2197 | |
2198 | #define AWL_HV_ENTRY_FLAG (0x1) |
2199 | |
2200 | static inline void |
2201 | awl_set_scratch_reg_hv_bit(void) |
2202 | { |
2203 | #if defined(__arm64__) |
2204 | #define WATCHDOG_DIAG0 "S3_5_c15_c2_6" |
2205 | uint64_t awl_diag0 = __builtin_arm_rsr64(WATCHDOG_DIAG0); |
2206 | awl_diag0 |= AWL_HV_ENTRY_FLAG; |
2207 | __builtin_arm_wsr64(WATCHDOG_DIAG0, awl_diag0); |
2208 | #endif // defined(__arm64__) |
2209 | } |
2210 | |
2211 | void |
2212 | awl_mark_hv_entry(void) |
2213 | { |
2214 | if (__probable(*PERCPU_GET(hv_entry_detected) || !awl_scratch_reg_supported)) { |
2215 | return; |
2216 | } |
2217 | *PERCPU_GET(hv_entry_detected) = true; |
2218 | |
2219 | awl_set_scratch_reg_hv_bit(); |
2220 | } |
2221 | |
2222 | /* |
2223 | * Awl WatchdogDiag0 is not restored by hardware when coming out of reset, |
2224 | * so restore it manually. |
2225 | */ |
2226 | static bool |
2227 | awl_pm_state_change_cbk(void *param __unused, enum cpu_event event, unsigned int cpu_or_cluster __unused) |
2228 | { |
2229 | if (event == CPU_BOOTED) { |
2230 | if (*PERCPU_GET(hv_entry_detected)) { |
2231 | awl_set_scratch_reg_hv_bit(); |
2232 | } |
2233 | } |
2234 | |
2235 | return true; |
2236 | } |
2237 | |
2238 | /* |
2239 | * Identifies and sets a flag if AWL Scratch0/1 exists in the system, subscribes |
2240 | * for a callback to restore register after hibernation |
2241 | */ |
2242 | __startup_func |
2243 | static void |
2244 | set_awl_scratch_exists_flag_and_subscribe_for_pm(void) |
2245 | { |
2246 | DTEntry base = NULL; |
2247 | |
2248 | if (SecureDTLookupEntry(NULL, pathName: "/arm-io/wdt" , foundEntry: &base) != kSuccess) { |
2249 | return; |
2250 | } |
2251 | const uint8_t *data = NULL; |
2252 | unsigned int data_size = sizeof(uint8_t); |
2253 | |
2254 | if (base != NULL && SecureDTGetProperty(entry: base, propertyName: "awl-scratch-supported" , propertyValue: (const void **)&data, propertySize: &data_size) == kSuccess) { |
2255 | for (unsigned int i = 0; i < data_size; i++) { |
2256 | if (data[i] != 0) { |
2257 | awl_scratch_reg_supported = true; |
2258 | cpu_event_register_callback(fn: awl_pm_state_change_cbk, NULL); |
2259 | break; |
2260 | } |
2261 | } |
2262 | } |
2263 | } |
2264 | STARTUP(EARLY_BOOT, STARTUP_RANK_MIDDLE, set_awl_scratch_exists_flag_and_subscribe_for_pm); |
2265 | |