x86/smp: Put CPUs into INIT on shutdown if possible

Parking CPUs in a HLT loop is not completely safe vs. kexec() as HLT can
resume execution due to NMI, SMI and MCE, which has the same issue as the
MWAIT loop.

Kicking the secondary CPUs into INIT makes this safe against NMI and SMI.

A broadcast MCE will take the machine down, but a broadcast MCE which makes
HLT resume and execute overwritten text, pagetables or data will end up in
a disaster too.

So chose the lesser of two evils and kick the secondary CPUs into INIT
unless the system has installed special wakeup mechanisms which are not
using INIT.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Ashok Raj <ashok.raj@intel.com>
Reviewed-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/r/20230615193330.608657211@linutronix.de

diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
index d4ce5cb5c9534172e7d03eddc241037e64f41ddb..5906aa914220526be7f79d3bfac99abceff97fa2 100644 (file)
--- a/arch/x86/include/asm/smp.h
+++ b/arch/x86/include/asm/smp.h
@@ -139,6 +139,8 @@ void native_send_call_func_ipi(const struct cpumask *mask);
 void native_send_call_func_single_ipi(int cpu);
 void x86_idle_thread_init(unsigned int cpu, struct task_struct *idle);
 
+bool smp_park_other_cpus_in_init(void);
+
 void smp_store_boot_cpu_info(void);
 void smp_store_cpu_info(int id);
 

diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
index 174d6232b87fd9119cb265513605e41cb1c401f5..0076932cfd40109feedb6bdc0656cbfc913b6b84 100644 (file)
--- a/arch/x86/kernel/smp.c
+++ b/arch/x86/kernel/smp.c
@@ -131,7 +131,7 @@ static int smp_stop_nmi_callback(unsigned int val, struct pt_regs *regs)
 }
 
 /*
- * this function calls the 'stop' function on all other CPUs in the system.
+ * Disable virtualization, APIC etc. and park the CPU in a HLT loop
  */
 DEFINE_IDTENTRY_SYSVEC(sysvec_reboot)
 {
@@ -172,13 +172,17 @@ static void native_stop_other_cpus(int wait)
         * 2) Wait for all other CPUs to report that they reached the
         *    HLT loop in stop_this_cpu()
         *
-        * 3) If #2 timed out send an NMI to the CPUs which did not
-        *    yet report
+        * 3) If the system uses INIT/STARTUP for CPU bringup, then
+        *    send all present CPUs an INIT vector, which brings them
+        *    completely out of the way.
         *
-        * 4) Wait for all other CPUs to report that they reached the
+        * 4) If #3 is not possible and #2 timed out send an NMI to the
+        *    CPUs which did not yet report
+        *
+        * 5) Wait for all other CPUs to report that they reached the
         *    HLT loop in stop_this_cpu()
         *
-        * #3 can obviously race against a CPU reaching the HLT loop late.
+        * #4 can obviously race against a CPU reaching the HLT loop late.
         * That CPU will have reported already and the "have all CPUs
         * reached HLT" condition will be true despite the fact that the
         * other CPU is still handling the NMI. Again, there is no
@@ -194,7 +198,7 @@ static void native_stop_other_cpus(int wait)
                /*
                 * Don't wait longer than a second for IPI completion. The
                 * wait request is not checked here because that would
-                * prevent an NMI shutdown attempt in case that not all
+                * prevent an NMI/INIT shutdown in case that not all
                 * CPUs reach shutdown state.
                 */
                timeout = USEC_PER_SEC;
@@ -202,7 +206,27 @@ static void native_stop_other_cpus(int wait)
                        udelay(1);
        }
 
-       /* if the REBOOT_VECTOR didn't work, try with the NMI */
+       /*
+        * Park all other CPUs in INIT including "offline" CPUs, if
+        * possible. That's a safe place where they can't resume execution
+        * of HLT and then execute the HLT loop from overwritten text or
+        * page tables.
+        *
+        * The only downside is a broadcast MCE, but up to the point where
+        * the kexec() kernel brought all APs online again an MCE will just
+        * make HLT resume and handle the MCE. The machine crashes and burns
+        * due to overwritten text, page tables and data. So there is a
+        * choice between fire and frying pan. The result is pretty much
+        * the same. Chose frying pan until x86 provides a sane mechanism
+        * to park a CPU.
+        */
+       if (smp_park_other_cpus_in_init())
+               goto done;
+
+       /*
+        * If park with INIT was not possible and the REBOOT_VECTOR didn't
+        * take all secondary CPUs offline, try with the NMI.
+        */
        if (!cpumask_empty(&cpus_stop_mask)) {
                /*
                 * If NMI IPI is enabled, try to register the stop handler
@@ -225,6 +249,7 @@ static void native_stop_other_cpus(int wait)
                        udelay(1);
        }
 
+done:
        local_irq_save(flags);
        disable_local_APIC();
        mcheck_cpu_clear(this_cpu_ptr(&cpu_info));

diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
index b403ead7eebd33a521b771f514c694fd8856abd6..4ee43396b9102481d6de4957b08d8d3f2f06e8ec 100644 (file)
--- a/arch/x86/kernel/smpboot.c
+++ b/arch/x86/kernel/smpboot.c
@@ -1465,6 +1465,25 @@ void arch_thaw_secondary_cpus_end(void)
        cache_aps_init();
 }
 
+bool smp_park_other_cpus_in_init(void)
+{
+       unsigned int cpu, this_cpu = smp_processor_id();
+       unsigned int apicid;
+
+       if (apic->wakeup_secondary_cpu_64 || apic->wakeup_secondary_cpu)
+               return false;
+
+       for_each_present_cpu(cpu) {
+               if (cpu == this_cpu)
+                       continue;
+               apicid = apic->cpu_present_to_apicid(cpu);
+               if (apicid == BAD_APICID)
+                       continue;
+               send_init_sequence(apicid);
+       }
+       return true;
+}
+
 /*
  * Early setup to make printk work.
  */