1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * BTS PMU driver for perf
4  * Copyright (c) 2013-2014, Intel Corporation.
5  */
6 
7 #undef DEBUG
8 
9 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10 
11 #include <linux/bitops.h>
12 #include <linux/types.h>
13 #include <linux/slab.h>
14 #include <linux/debugfs.h>
15 #include <linux/device.h>
16 #include <linux/coredump.h>
17 
18 #include <linux/sizes.h>
19 #include <asm/perf_event.h>
20 
21 #include "../perf_event.h"
22 
23 struct bts_ctx {
24 	struct perf_output_handle	handle;
25 	struct debug_store		ds_back;
26 	int				state;
27 };
28 
29 /* BTS context states: */
30 enum {
31 	/* no ongoing AUX transactions */
32 	BTS_STATE_STOPPED = 0,
33 	/* AUX transaction is on, BTS tracing is disabled */
34 	BTS_STATE_INACTIVE,
35 	/* AUX transaction is on, BTS tracing is running */
36 	BTS_STATE_ACTIVE,
37 };
38 
39 static DEFINE_PER_CPU(struct bts_ctx, bts_ctx);
40 
41 #define BTS_RECORD_SIZE		24
42 #define BTS_SAFETY_MARGIN	4080
43 
44 struct bts_phys {
45 	struct page	*page;
46 	unsigned long	size;
47 	unsigned long	offset;
48 	unsigned long	displacement;
49 };
50 
51 struct bts_buffer {
52 	size_t		real_size;	/* multiple of BTS_RECORD_SIZE */
53 	unsigned int	nr_pages;
54 	unsigned int	nr_bufs;
55 	unsigned int	cur_buf;
56 	bool		snapshot;
57 	local_t		data_size;
58 	local_t		head;
59 	unsigned long	end;
60 	void		**data_pages;
61 	struct bts_phys	buf[0];
62 };
63 
64 static struct pmu bts_pmu;
65 
buf_size(struct page * page)66 static size_t buf_size(struct page *page)
67 {
68 	return 1 << (PAGE_SHIFT + page_private(page));
69 }
70 
71 static void *
bts_buffer_setup_aux(struct perf_event * event,void ** pages,int nr_pages,bool overwrite)72 bts_buffer_setup_aux(struct perf_event *event, void **pages,
73 		     int nr_pages, bool overwrite)
74 {
75 	struct bts_buffer *buf;
76 	struct page *page;
77 	int cpu = event->cpu;
78 	int node = (cpu == -1) ? cpu : cpu_to_node(cpu);
79 	unsigned long offset;
80 	size_t size = nr_pages << PAGE_SHIFT;
81 	int pg, nbuf, pad;
82 
83 	/* count all the high order buffers */
84 	for (pg = 0, nbuf = 0; pg < nr_pages;) {
85 		page = virt_to_page(pages[pg]);
86 		if (WARN_ON_ONCE(!PagePrivate(page) && nr_pages > 1))
87 			return NULL;
88 		pg += 1 << page_private(page);
89 		nbuf++;
90 	}
91 
92 	/*
93 	 * to avoid interrupts in overwrite mode, only allow one physical
94 	 */
95 	if (overwrite && nbuf > 1)
96 		return NULL;
97 
98 	buf = kzalloc_node(offsetof(struct bts_buffer, buf[nbuf]), GFP_KERNEL, node);
99 	if (!buf)
100 		return NULL;
101 
102 	buf->nr_pages = nr_pages;
103 	buf->nr_bufs = nbuf;
104 	buf->snapshot = overwrite;
105 	buf->data_pages = pages;
106 	buf->real_size = size - size % BTS_RECORD_SIZE;
107 
108 	for (pg = 0, nbuf = 0, offset = 0, pad = 0; nbuf < buf->nr_bufs; nbuf++) {
109 		unsigned int __nr_pages;
110 
111 		page = virt_to_page(pages[pg]);
112 		__nr_pages = PagePrivate(page) ? 1 << page_private(page) : 1;
113 		buf->buf[nbuf].page = page;
114 		buf->buf[nbuf].offset = offset;
115 		buf->buf[nbuf].displacement = (pad ? BTS_RECORD_SIZE - pad : 0);
116 		buf->buf[nbuf].size = buf_size(page) - buf->buf[nbuf].displacement;
117 		pad = buf->buf[nbuf].size % BTS_RECORD_SIZE;
118 		buf->buf[nbuf].size -= pad;
119 
120 		pg += __nr_pages;
121 		offset += __nr_pages << PAGE_SHIFT;
122 	}
123 
124 	return buf;
125 }
126 
bts_buffer_free_aux(void * data)127 static void bts_buffer_free_aux(void *data)
128 {
129 	kfree(data);
130 }
131 
bts_buffer_offset(struct bts_buffer * buf,unsigned int idx)132 static unsigned long bts_buffer_offset(struct bts_buffer *buf, unsigned int idx)
133 {
134 	return buf->buf[idx].offset + buf->buf[idx].displacement;
135 }
136 
137 static void
bts_config_buffer(struct bts_buffer * buf)138 bts_config_buffer(struct bts_buffer *buf)
139 {
140 	int cpu = raw_smp_processor_id();
141 	struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
142 	struct bts_phys *phys = &buf->buf[buf->cur_buf];
143 	unsigned long index, thresh = 0, end = phys->size;
144 	struct page *page = phys->page;
145 
146 	index = local_read(&buf->head);
147 
148 	if (!buf->snapshot) {
149 		if (buf->end < phys->offset + buf_size(page))
150 			end = buf->end - phys->offset - phys->displacement;
151 
152 		index -= phys->offset + phys->displacement;
153 
154 		if (end - index > BTS_SAFETY_MARGIN)
155 			thresh = end - BTS_SAFETY_MARGIN;
156 		else if (end - index > BTS_RECORD_SIZE)
157 			thresh = end - BTS_RECORD_SIZE;
158 		else
159 			thresh = end;
160 	}
161 
162 	ds->bts_buffer_base = (u64)(long)page_address(page) + phys->displacement;
163 	ds->bts_index = ds->bts_buffer_base + index;
164 	ds->bts_absolute_maximum = ds->bts_buffer_base + end;
165 	ds->bts_interrupt_threshold = !buf->snapshot
166 		? ds->bts_buffer_base + thresh
167 		: ds->bts_absolute_maximum + BTS_RECORD_SIZE;
168 }
169 
bts_buffer_pad_out(struct bts_phys * phys,unsigned long head)170 static void bts_buffer_pad_out(struct bts_phys *phys, unsigned long head)
171 {
172 	unsigned long index = head - phys->offset;
173 
174 	memset(page_address(phys->page) + index, 0, phys->size - index);
175 }
176 
bts_update(struct bts_ctx * bts)177 static void bts_update(struct bts_ctx *bts)
178 {
179 	int cpu = raw_smp_processor_id();
180 	struct debug_store *ds = per_cpu(cpu_hw_events, cpu).ds;
181 	struct bts_buffer *buf = perf_get_aux(&bts->handle);
182 	unsigned long index = ds->bts_index - ds->bts_buffer_base, old, head;
183 
184 	if (!buf)
185 		return;
186 
187 	head = index + bts_buffer_offset(buf, buf->cur_buf);
188 	old = local_xchg(&buf->head, head);
189 
190 	if (!buf->snapshot) {
191 		if (old == head)
192 			return;
193 
194 		if (ds->bts_index >= ds->bts_absolute_maximum)
195 			perf_aux_output_flag(&bts->handle,
196 			                     PERF_AUX_FLAG_TRUNCATED);
197 
198 		/*
199 		 * old and head are always in the same physical buffer, so we
200 		 * can subtract them to get the data size.
201 		 */
202 		local_add(head - old, &buf->data_size);
203 	} else {
204 		local_set(&buf->data_size, head);
205 	}
206 }
207 
208 static int
209 bts_buffer_reset(struct bts_buffer *buf, struct perf_output_handle *handle);
210 
211 /*
212  * Ordering PMU callbacks wrt themselves and the PMI is done by means
213  * of bts::state, which:
214  *  - is set when bts::handle::event is valid, that is, between
215  *    perf_aux_output_begin() and perf_aux_output_end();
216  *  - is zero otherwise;
217  *  - is ordered against bts::handle::event with a compiler barrier.
218  */
219 
__bts_event_start(struct perf_event * event)220 static void __bts_event_start(struct perf_event *event)
221 {
222 	struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
223 	struct bts_buffer *buf = perf_get_aux(&bts->handle);
224 	u64 config = 0;
225 
226 	if (!buf->snapshot)
227 		config |= ARCH_PERFMON_EVENTSEL_INT;
228 	if (!event->attr.exclude_kernel)
229 		config |= ARCH_PERFMON_EVENTSEL_OS;
230 	if (!event->attr.exclude_user)
231 		config |= ARCH_PERFMON_EVENTSEL_USR;
232 
233 	bts_config_buffer(buf);
234 
235 	/*
236 	 * local barrier to make sure that ds configuration made it
237 	 * before we enable BTS and bts::state goes ACTIVE
238 	 */
239 	wmb();
240 
241 	/* INACTIVE/STOPPED -> ACTIVE */
242 	WRITE_ONCE(bts->state, BTS_STATE_ACTIVE);
243 
244 	intel_pmu_enable_bts(config);
245 
246 }
247 
bts_event_start(struct perf_event * event,int flags)248 static void bts_event_start(struct perf_event *event, int flags)
249 {
250 	struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
251 	struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
252 	struct bts_buffer *buf;
253 
254 	buf = perf_aux_output_begin(&bts->handle, event);
255 	if (!buf)
256 		goto fail_stop;
257 
258 	if (bts_buffer_reset(buf, &bts->handle))
259 		goto fail_end_stop;
260 
261 	bts->ds_back.bts_buffer_base = cpuc->ds->bts_buffer_base;
262 	bts->ds_back.bts_absolute_maximum = cpuc->ds->bts_absolute_maximum;
263 	bts->ds_back.bts_interrupt_threshold = cpuc->ds->bts_interrupt_threshold;
264 
265 	perf_event_itrace_started(event);
266 	event->hw.state = 0;
267 
268 	__bts_event_start(event);
269 
270 	return;
271 
272 fail_end_stop:
273 	perf_aux_output_end(&bts->handle, 0);
274 
275 fail_stop:
276 	event->hw.state = PERF_HES_STOPPED;
277 }
278 
__bts_event_stop(struct perf_event * event,int state)279 static void __bts_event_stop(struct perf_event *event, int state)
280 {
281 	struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
282 
283 	/* ACTIVE -> INACTIVE(PMI)/STOPPED(->stop()) */
284 	WRITE_ONCE(bts->state, state);
285 
286 	/*
287 	 * No extra synchronization is mandated by the documentation to have
288 	 * BTS data stores globally visible.
289 	 */
290 	intel_pmu_disable_bts();
291 }
292 
bts_event_stop(struct perf_event * event,int flags)293 static void bts_event_stop(struct perf_event *event, int flags)
294 {
295 	struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
296 	struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
297 	struct bts_buffer *buf = NULL;
298 	int state = READ_ONCE(bts->state);
299 
300 	if (state == BTS_STATE_ACTIVE)
301 		__bts_event_stop(event, BTS_STATE_STOPPED);
302 
303 	if (state != BTS_STATE_STOPPED)
304 		buf = perf_get_aux(&bts->handle);
305 
306 	event->hw.state |= PERF_HES_STOPPED;
307 
308 	if (flags & PERF_EF_UPDATE) {
309 		bts_update(bts);
310 
311 		if (buf) {
312 			if (buf->snapshot)
313 				bts->handle.head =
314 					local_xchg(&buf->data_size,
315 						   buf->nr_pages << PAGE_SHIFT);
316 			perf_aux_output_end(&bts->handle,
317 			                    local_xchg(&buf->data_size, 0));
318 		}
319 
320 		cpuc->ds->bts_index = bts->ds_back.bts_buffer_base;
321 		cpuc->ds->bts_buffer_base = bts->ds_back.bts_buffer_base;
322 		cpuc->ds->bts_absolute_maximum = bts->ds_back.bts_absolute_maximum;
323 		cpuc->ds->bts_interrupt_threshold = bts->ds_back.bts_interrupt_threshold;
324 	}
325 }
326 
intel_bts_enable_local(void)327 void intel_bts_enable_local(void)
328 {
329 	struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
330 	int state = READ_ONCE(bts->state);
331 
332 	/*
333 	 * Here we transition from INACTIVE to ACTIVE;
334 	 * if we instead are STOPPED from the interrupt handler,
335 	 * stay that way. Can't be ACTIVE here though.
336 	 */
337 	if (WARN_ON_ONCE(state == BTS_STATE_ACTIVE))
338 		return;
339 
340 	if (state == BTS_STATE_STOPPED)
341 		return;
342 
343 	if (bts->handle.event)
344 		__bts_event_start(bts->handle.event);
345 }
346 
intel_bts_disable_local(void)347 void intel_bts_disable_local(void)
348 {
349 	struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
350 
351 	/*
352 	 * Here we transition from ACTIVE to INACTIVE;
353 	 * do nothing for STOPPED or INACTIVE.
354 	 */
355 	if (READ_ONCE(bts->state) != BTS_STATE_ACTIVE)
356 		return;
357 
358 	if (bts->handle.event)
359 		__bts_event_stop(bts->handle.event, BTS_STATE_INACTIVE);
360 }
361 
362 static int
bts_buffer_reset(struct bts_buffer * buf,struct perf_output_handle * handle)363 bts_buffer_reset(struct bts_buffer *buf, struct perf_output_handle *handle)
364 {
365 	unsigned long head, space, next_space, pad, gap, skip, wakeup;
366 	unsigned int next_buf;
367 	struct bts_phys *phys, *next_phys;
368 	int ret;
369 
370 	if (buf->snapshot)
371 		return 0;
372 
373 	head = handle->head & ((buf->nr_pages << PAGE_SHIFT) - 1);
374 
375 	phys = &buf->buf[buf->cur_buf];
376 	space = phys->offset + phys->displacement + phys->size - head;
377 	pad = space;
378 	if (space > handle->size) {
379 		space = handle->size;
380 		space -= space % BTS_RECORD_SIZE;
381 	}
382 	if (space <= BTS_SAFETY_MARGIN) {
383 		/* See if next phys buffer has more space */
384 		next_buf = buf->cur_buf + 1;
385 		if (next_buf >= buf->nr_bufs)
386 			next_buf = 0;
387 		next_phys = &buf->buf[next_buf];
388 		gap = buf_size(phys->page) - phys->displacement - phys->size +
389 		      next_phys->displacement;
390 		skip = pad + gap;
391 		if (handle->size >= skip) {
392 			next_space = next_phys->size;
393 			if (next_space + skip > handle->size) {
394 				next_space = handle->size - skip;
395 				next_space -= next_space % BTS_RECORD_SIZE;
396 			}
397 			if (next_space > space || !space) {
398 				if (pad)
399 					bts_buffer_pad_out(phys, head);
400 				ret = perf_aux_output_skip(handle, skip);
401 				if (ret)
402 					return ret;
403 				/* Advance to next phys buffer */
404 				phys = next_phys;
405 				space = next_space;
406 				head = phys->offset + phys->displacement;
407 				/*
408 				 * After this, cur_buf and head won't match ds
409 				 * anymore, so we must not be racing with
410 				 * bts_update().
411 				 */
412 				buf->cur_buf = next_buf;
413 				local_set(&buf->head, head);
414 			}
415 		}
416 	}
417 
418 	/* Don't go far beyond wakeup watermark */
419 	wakeup = BTS_SAFETY_MARGIN + BTS_RECORD_SIZE + handle->wakeup -
420 		 handle->head;
421 	if (space > wakeup) {
422 		space = wakeup;
423 		space -= space % BTS_RECORD_SIZE;
424 	}
425 
426 	buf->end = head + space;
427 
428 	/*
429 	 * If we have no space, the lost notification would have been sent when
430 	 * we hit absolute_maximum - see bts_update()
431 	 */
432 	if (!space)
433 		return -ENOSPC;
434 
435 	return 0;
436 }
437 
intel_bts_interrupt(void)438 int intel_bts_interrupt(void)
439 {
440 	struct debug_store *ds = this_cpu_ptr(&cpu_hw_events)->ds;
441 	struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
442 	struct perf_event *event = bts->handle.event;
443 	struct bts_buffer *buf;
444 	s64 old_head;
445 	int err = -ENOSPC, handled = 0;
446 
447 	/*
448 	 * The only surefire way of knowing if this NMI is ours is by checking
449 	 * the write ptr against the PMI threshold.
450 	 */
451 	if (ds && (ds->bts_index >= ds->bts_interrupt_threshold))
452 		handled = 1;
453 
454 	/*
455 	 * this is wrapped in intel_bts_enable_local/intel_bts_disable_local,
456 	 * so we can only be INACTIVE or STOPPED
457 	 */
458 	if (READ_ONCE(bts->state) == BTS_STATE_STOPPED)
459 		return handled;
460 
461 	buf = perf_get_aux(&bts->handle);
462 	if (!buf)
463 		return handled;
464 
465 	/*
466 	 * Skip snapshot counters: they don't use the interrupt, but
467 	 * there's no other way of telling, because the pointer will
468 	 * keep moving
469 	 */
470 	if (buf->snapshot)
471 		return 0;
472 
473 	old_head = local_read(&buf->head);
474 	bts_update(bts);
475 
476 	/* no new data */
477 	if (old_head == local_read(&buf->head))
478 		return handled;
479 
480 	perf_aux_output_end(&bts->handle, local_xchg(&buf->data_size, 0));
481 
482 	buf = perf_aux_output_begin(&bts->handle, event);
483 	if (buf)
484 		err = bts_buffer_reset(buf, &bts->handle);
485 
486 	if (err) {
487 		WRITE_ONCE(bts->state, BTS_STATE_STOPPED);
488 
489 		if (buf) {
490 			/*
491 			 * BTS_STATE_STOPPED should be visible before
492 			 * cleared handle::event
493 			 */
494 			barrier();
495 			perf_aux_output_end(&bts->handle, 0);
496 		}
497 	}
498 
499 	return 1;
500 }
501 
bts_event_del(struct perf_event * event,int mode)502 static void bts_event_del(struct perf_event *event, int mode)
503 {
504 	bts_event_stop(event, PERF_EF_UPDATE);
505 }
506 
bts_event_add(struct perf_event * event,int mode)507 static int bts_event_add(struct perf_event *event, int mode)
508 {
509 	struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
510 	struct cpu_hw_events *cpuc = this_cpu_ptr(&cpu_hw_events);
511 	struct hw_perf_event *hwc = &event->hw;
512 
513 	event->hw.state = PERF_HES_STOPPED;
514 
515 	if (test_bit(INTEL_PMC_IDX_FIXED_BTS, cpuc->active_mask))
516 		return -EBUSY;
517 
518 	if (bts->handle.event)
519 		return -EBUSY;
520 
521 	if (mode & PERF_EF_START) {
522 		bts_event_start(event, 0);
523 		if (hwc->state & PERF_HES_STOPPED)
524 			return -EINVAL;
525 	}
526 
527 	return 0;
528 }
529 
bts_event_destroy(struct perf_event * event)530 static void bts_event_destroy(struct perf_event *event)
531 {
532 	x86_release_hardware();
533 	x86_del_exclusive(x86_lbr_exclusive_bts);
534 }
535 
bts_event_init(struct perf_event * event)536 static int bts_event_init(struct perf_event *event)
537 {
538 	int ret;
539 
540 	if (event->attr.type != bts_pmu.type)
541 		return -ENOENT;
542 
543 	/*
544 	 * BTS leaks kernel addresses even when CPL0 tracing is
545 	 * disabled, so disallow intel_bts driver for unprivileged
546 	 * users on paranoid systems since it provides trace data
547 	 * to the user in a zero-copy fashion.
548 	 *
549 	 * Note that the default paranoia setting permits unprivileged
550 	 * users to profile the kernel.
551 	 */
552 	if (event->attr.exclude_kernel && perf_paranoid_kernel() &&
553 	    !capable(CAP_SYS_ADMIN))
554 		return -EACCES;
555 
556 	if (x86_add_exclusive(x86_lbr_exclusive_bts))
557 		return -EBUSY;
558 
559 	ret = x86_reserve_hardware();
560 	if (ret) {
561 		x86_del_exclusive(x86_lbr_exclusive_bts);
562 		return ret;
563 	}
564 
565 	event->destroy = bts_event_destroy;
566 
567 	return 0;
568 }
569 
bts_event_read(struct perf_event * event)570 static void bts_event_read(struct perf_event *event)
571 {
572 }
573 
bts_init(void)574 static __init int bts_init(void)
575 {
576 	if (!boot_cpu_has(X86_FEATURE_DTES64) || !x86_pmu.bts)
577 		return -ENODEV;
578 
579 	if (boot_cpu_has(X86_FEATURE_PTI)) {
580 		/*
581 		 * BTS hardware writes through a virtual memory map we must
582 		 * either use the kernel physical map, or the user mapping of
583 		 * the AUX buffer.
584 		 *
585 		 * However, since this driver supports per-CPU and per-task inherit
586 		 * we cannot use the user mapping since it will not be available
587 		 * if we're not running the owning process.
588 		 *
589 		 * With PTI we can't use the kernal map either, because its not
590 		 * there when we run userspace.
591 		 *
592 		 * For now, disable this driver when using PTI.
593 		 */
594 		return -ENODEV;
595 	}
596 
597 	bts_pmu.capabilities	= PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_ITRACE |
598 				  PERF_PMU_CAP_EXCLUSIVE;
599 	bts_pmu.task_ctx_nr	= perf_sw_context;
600 	bts_pmu.event_init	= bts_event_init;
601 	bts_pmu.add		= bts_event_add;
602 	bts_pmu.del		= bts_event_del;
603 	bts_pmu.start		= bts_event_start;
604 	bts_pmu.stop		= bts_event_stop;
605 	bts_pmu.read		= bts_event_read;
606 	bts_pmu.setup_aux	= bts_buffer_setup_aux;
607 	bts_pmu.free_aux	= bts_buffer_free_aux;
608 
609 	return perf_pmu_register(&bts_pmu, "intel_bts", -1);
610 }
611 arch_initcall(bts_init);
612