1 /*
2 * Copyright (c) 2000-2020 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*
29 * @OSF_COPYRIGHT@
30 */
31 /*
32 * Mach Operating System
33 * Copyright (c) 1991,1990,1989 Carnegie Mellon University
34 * All Rights Reserved.
35 *
36 * Permission to use, copy, modify and distribute this software and its
37 * documentation is hereby granted, provided that both the copyright
38 * notice and this permission notice appear in all copies of the
39 * software, derivative works or modified versions, and any portions
40 * thereof, and that both notices appear in supporting documentation.
41 *
42 * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
43 * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
44 * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
45 *
46 * Carnegie Mellon requests users of this software to return to
47 *
48 * Software Distribution Coordinator or [email protected]
49 * School of Computer Science
50 * Carnegie Mellon University
51 * Pittsburgh PA 15213-3890
52 *
53 * any improvements or extensions that they make and grant Carnegie Mellon
54 * the rights to redistribute these changes.
55 */
56
57 #include <mach_assert.h>
58 #include <mach_kdp.h>
59 #include <kdp/kdp.h>
60 #include <kdp/kdp_core.h>
61 #include <kdp/kdp_internal.h>
62 #include <kdp/kdp_callout.h>
63 #include <kern/cpu_number.h>
64 #include <kern/kalloc.h>
65 #include <kern/percpu.h>
66 #include <kern/spl.h>
67 #include <kern/thread.h>
68 #include <kern/assert.h>
69 #include <kern/sched_prim.h>
70 #include <kern/socd_client.h>
71 #include <kern/misc_protos.h>
72 #include <kern/clock.h>
73 #include <kern/telemetry.h>
74 #include <kern/ecc.h>
75 #include <kern/kern_cdata.h>
76 #include <kern/zalloc_internal.h>
77 #include <vm/vm_kern.h>
78 #include <vm/vm_map.h>
79 #include <vm/pmap.h>
80 #include <vm/vm_compressor.h>
81 #include <stdarg.h>
82 #include <stdatomic.h>
83 #include <sys/pgo.h>
84 #include <console/serial_protos.h>
85
86 #if !(MACH_KDP && CONFIG_KDP_INTERACTIVE_DEBUGGING)
87 #include <kdp/kdp_udp.h>
88 #endif
89 #include <kern/processor.h>
90
91 #if defined(__i386__) || defined(__x86_64__)
92 #include <IOKit/IOBSD.h>
93
94 #include <i386/cpu_threads.h>
95 #include <i386/pmCPU.h>
96 #include <i386/lbr.h>
97 #endif
98
99 #include <IOKit/IOPlatformExpert.h>
100 #include <machine/pal_routines.h>
101
102 #include <sys/kdebug.h>
103 #include <libkern/OSKextLibPrivate.h>
104 #include <libkern/OSAtomic.h>
105 #include <libkern/kernel_mach_header.h>
106 #include <libkern/section_keywords.h>
107 #include <uuid/uuid.h>
108 #include <mach_debug/zone_info.h>
109 #include <mach/resource_monitors.h>
110
111 #include <os/log_private.h>
112
113 #if defined(__arm__) || defined(__arm64__)
114 #include <pexpert/pexpert.h> /* For gPanicBase */
115 #include <arm/caches_internal.h>
116 #include <arm/misc_protos.h>
117 extern volatile struct xnu_hw_shmem_dbg_command_info *hwsd_info;
118 #endif
119
120 #include <san/kcov.h>
121
122 #if CONFIG_XNUPOST
123 #include <tests/xnupost.h>
124 extern int vsnprintf(char *, size_t, const char *, va_list);
125 #endif
126
127 #if CONFIG_CSR
128 #include <sys/csr.h>
129 #endif
130
131 extern int IODTGetLoaderInfo( const char *key, void **infoAddr, int *infosize );
132 extern void IODTFreeLoaderInfo( const char *key, void *infoAddr, int infoSize );
133
134 unsigned int halt_in_debugger = 0;
135 unsigned int current_debugger = 0;
136 unsigned int active_debugger = 0;
137 unsigned int panicDebugging = FALSE;
138 unsigned int kernel_debugger_entry_count = 0;
139
140 #if defined(__arm__) || defined(__arm64__)
141 struct additional_panic_data_buffer *panic_data_buffers = NULL;
142 #endif
143
144 #if defined(__arm__)
145 #define TRAP_DEBUGGER __asm__ volatile("trap")
146 #elif defined(__arm64__)
147 /*
148 * Magic number; this should be identical to the __arm__ encoding for trap.
149 */
150 #define TRAP_DEBUGGER __asm__ volatile(".long 0xe7ffdeff")
151 #elif defined (__x86_64__)
152 #define TRAP_DEBUGGER __asm__("int3")
153 #else
154 #error No TRAP_DEBUGGER for this architecture
155 #endif
156
157 #if defined(__i386__) || defined(__x86_64__)
158 #define panic_stop() pmCPUHalt(PM_HALT_PANIC)
159 #else
160 #define panic_stop() panic_spin_forever()
161 #endif
162
163 struct debugger_state {
164 uint64_t db_panic_options;
165 debugger_op db_current_op;
166 boolean_t db_proceed_on_sync_failure;
167 const char *db_message;
168 const char *db_panic_str;
169 va_list *db_panic_args;
170 void *db_panic_data_ptr;
171 unsigned long db_panic_caller;
172 /* incremented whenever we panic or call Debugger (current CPU panic level) */
173 uint32_t db_entry_count;
174 kern_return_t db_op_return;
175 };
176 static struct debugger_state PERCPU_DATA(debugger_state);
177
178 /* __pure2 is correct if this function is called with preemption disabled */
179 static inline __pure2 struct debugger_state *
current_debugger_state(void)180 current_debugger_state(void)
181 {
182 return PERCPU_GET(debugger_state);
183 }
184
185 #define CPUDEBUGGEROP current_debugger_state()->db_current_op
186 #define CPUDEBUGGERMSG current_debugger_state()->db_message
187 #define CPUPANICSTR current_debugger_state()->db_panic_str
188 #define CPUPANICARGS current_debugger_state()->db_panic_args
189 #define CPUPANICOPTS current_debugger_state()->db_panic_options
190 #define CPUPANICDATAPTR current_debugger_state()->db_panic_data_ptr
191 #define CPUDEBUGGERSYNC current_debugger_state()->db_proceed_on_sync_failure
192 #define CPUDEBUGGERCOUNT current_debugger_state()->db_entry_count
193 #define CPUDEBUGGERRET current_debugger_state()->db_op_return
194 #define CPUPANICCALLER current_debugger_state()->db_panic_caller
195
196 #if DEVELOPMENT || DEBUG
197 #define DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED(requested) \
198 MACRO_BEGIN \
199 if (requested) { \
200 volatile int *badpointer = (int *)4; \
201 *badpointer = 0; \
202 } \
203 MACRO_END
204 #endif /* DEVELOPMENT || DEBUG */
205
206 debugger_op debugger_current_op = DBOP_NONE;
207 const char *debugger_panic_str = NULL;
208 va_list *debugger_panic_args = NULL;
209 void *debugger_panic_data = NULL;
210 uint64_t debugger_panic_options = 0;
211 const char *debugger_message = NULL;
212 unsigned long debugger_panic_caller = 0;
213
214 void panic_trap_to_debugger(const char *panic_format_str, va_list *panic_args,
215 unsigned int reason, void *ctx, uint64_t panic_options_mask, void *panic_data,
216 unsigned long panic_caller) __dead2 __printflike(1, 0);
217 static void kdp_machine_reboot_type(unsigned int type, uint64_t debugger_flags);
218 void panic_spin_forever(void) __dead2;
219 extern kern_return_t do_stackshot(void);
220 extern void PE_panic_hook(const char*);
221
222 #define NESTEDDEBUGGERENTRYMAX 5
223 static unsigned int max_debugger_entry_count = NESTEDDEBUGGERENTRYMAX;
224
225 #if defined(__arm__) || defined(__arm64__)
226 #define DEBUG_BUF_SIZE (4096)
227
228 /* debug_buf is directly linked with iBoot panic region for arm targets */
229 char *debug_buf_base = NULL;
230 char *debug_buf_ptr = NULL;
231 unsigned int debug_buf_size = 0;
232
233 SECURITY_READ_ONLY_LATE(boolean_t) kdp_explicitly_requested = FALSE;
234 #else /* defined(__arm__) || defined(__arm64__) */
235 #define DEBUG_BUF_SIZE ((3 * PAGE_SIZE) + offsetof(struct macos_panic_header, mph_data))
236 /* EXTENDED_DEBUG_BUF_SIZE definition is now in debug.h */
237 static_assert(((EXTENDED_DEBUG_BUF_SIZE % PANIC_FLUSH_BOUNDARY) == 0), "Extended debug buf size must match SMC alignment requirements");
238
239 char debug_buf[DEBUG_BUF_SIZE];
240 struct macos_panic_header *panic_info = (struct macos_panic_header *)debug_buf;
241 char *debug_buf_base = (debug_buf + offsetof(struct macos_panic_header, mph_data));
242 char *debug_buf_ptr = (debug_buf + offsetof(struct macos_panic_header, mph_data));
243
244 /*
245 * We don't include the size of the panic header in the length of the data we actually write.
246 * On co-processor platforms, we lose sizeof(struct macos_panic_header) bytes from the end of
247 * the end of the log because we only support writing (3*PAGESIZE) bytes.
248 */
249 unsigned int debug_buf_size = (DEBUG_BUF_SIZE - offsetof(struct macos_panic_header, mph_data));
250
251 boolean_t extended_debug_log_enabled = FALSE;
252 #endif /* defined(__arm__) || defined(__arm64__) */
253
254 #if defined(XNU_TARGET_OS_OSX)
255 #define KDBG_TRACE_PANIC_FILENAME "/var/tmp/panic.trace"
256 #else
257 #define KDBG_TRACE_PANIC_FILENAME "/var/log/panic.trace"
258 #endif
259
260 /* Debugger state */
261 atomic_int debugger_cpu = ATOMIC_VAR_INIT(DEBUGGER_NO_CPU);
262 boolean_t debugger_allcpus_halted = FALSE;
263 boolean_t debugger_safe_to_return = TRUE;
264 unsigned int debugger_context = 0;
265
266 static char model_name[64];
267 unsigned char *kernel_uuid;
268
269 boolean_t kernelcache_uuid_valid = FALSE;
270 uuid_t kernelcache_uuid;
271 uuid_string_t kernelcache_uuid_string;
272
273 boolean_t pageablekc_uuid_valid = FALSE;
274 uuid_t pageablekc_uuid;
275 uuid_string_t pageablekc_uuid_string;
276
277 boolean_t auxkc_uuid_valid = FALSE;
278 uuid_t auxkc_uuid;
279 uuid_string_t auxkc_uuid_string;
280
281
282 /*
283 * By default we treat Debugger() the same as calls to panic(), unless
284 * we have debug boot-args present and the DB_KERN_DUMP_ON_NMI *NOT* set.
285 * If DB_KERN_DUMP_ON_NMI is *NOT* set, return from Debugger() is supported.
286 *
287 * Return from Debugger() is currently only implemented on x86
288 */
289 static boolean_t debugger_is_panic = TRUE;
290
291 TUNABLE(unsigned int, debug_boot_arg, "debug", 0);
292
293 TUNABLE(int, verbose_panic_flow_logging, "verbose_panic_flow_logging", 0);
294
295 char kernel_uuid_string[37]; /* uuid_string_t */
296 char kernelcache_uuid_string[37]; /* uuid_string_t */
297 char panic_disk_error_description[512];
298 size_t panic_disk_error_description_size = sizeof(panic_disk_error_description);
299
300 extern unsigned int write_trace_on_panic;
301 int kext_assertions_enable =
302 #if DEBUG || DEVELOPMENT
303 TRUE;
304 #else
305 FALSE;
306 #endif
307
308 /*
309 * Maintain the physically-contiguous carveout for the `phys_carveout_mb`
310 * boot-arg.
311 */
312
313 TUNABLE(size_t, phys_carveout_mb, "phys_carveout_mb", 0);
314 TUNABLE_WRITEABLE(boolean_t, phys_carveout_core, "phys_carveout_core", 0);
315 SECURITY_READ_ONLY_LATE(vm_offset_t) phys_carveout = 0;
316 SECURITY_READ_ONLY_LATE(uintptr_t) phys_carveout_pa = 0;
317 SECURITY_READ_ONLY_LATE(size_t) phys_carveout_size = 0;
318 SECURITY_READ_ONLY_LATE(vm_offset_t) phys_carveout_metadata = 0;
319 SECURITY_READ_ONLY_LATE(uintptr_t) phys_carveout_metadata_pa = 0;
320 SECURITY_READ_ONLY_LATE(size_t) phys_carveout_metadata_size = 0;
321
322 /*
323 * Returns whether kernel debugging is expected to be restricted
324 * on the device currently based on CSR or other platform restrictions.
325 */
326 boolean_t
kernel_debugging_restricted(void)327 kernel_debugging_restricted(void)
328 {
329 #if XNU_TARGET_OS_OSX
330 #if CONFIG_CSR
331 if (csr_check(CSR_ALLOW_KERNEL_DEBUGGER) != 0) {
332 return TRUE;
333 }
334 #endif /* CONFIG_CSR */
335 return FALSE;
336 #else /* XNU_TARGET_OS_OSX */
337 return FALSE;
338 #endif /* XNU_TARGET_OS_OSX */
339 }
340
341 __startup_func
342 static void
panic_init(void)343 panic_init(void)
344 {
345 unsigned long uuidlen = 0;
346 void *uuid;
347
348 uuid = getuuidfromheader(&_mh_execute_header, &uuidlen);
349 if ((uuid != NULL) && (uuidlen == sizeof(uuid_t))) {
350 kernel_uuid = uuid;
351 uuid_unparse_upper(*(uuid_t *)uuid, kernel_uuid_string);
352 }
353
354 /*
355 * Take the value of the debug boot-arg into account
356 */
357 #if MACH_KDP
358 if (!kernel_debugging_restricted() && debug_boot_arg) {
359 if (debug_boot_arg & DB_HALT) {
360 halt_in_debugger = 1;
361 }
362
363 #if defined(__arm__) || defined(__arm64__)
364 if (debug_boot_arg & DB_NMI) {
365 panicDebugging = TRUE;
366 }
367 #else
368 panicDebugging = TRUE;
369 #endif /* defined(__arm__) || defined(__arm64__) */
370 }
371
372 if (!PE_parse_boot_argn("nested_panic_max", &max_debugger_entry_count, sizeof(max_debugger_entry_count))) {
373 max_debugger_entry_count = NESTEDDEBUGGERENTRYMAX;
374 }
375
376 #if defined(__arm__) || defined(__arm64__)
377 char kdpname[80];
378
379 kdp_explicitly_requested = PE_parse_boot_argn("kdp_match_name", kdpname, sizeof(kdpname));
380 #endif /* defined(__arm__) || defined(__arm64__) */
381
382 #endif /* MACH_KDP */
383
384 #if defined (__x86_64__)
385 /*
386 * By default we treat Debugger() the same as calls to panic(), unless
387 * we have debug boot-args present and the DB_KERN_DUMP_ON_NMI *NOT* set.
388 * If DB_KERN_DUMP_ON_NMI is *NOT* set, return from Debugger() is supported.
389 * This is because writing an on-device corefile is a destructive operation.
390 *
391 * Return from Debugger() is currently only implemented on x86
392 */
393 if (PE_i_can_has_debugger(NULL) && !(debug_boot_arg & DB_KERN_DUMP_ON_NMI)) {
394 debugger_is_panic = FALSE;
395 }
396 #endif
397 }
398 STARTUP(TUNABLES, STARTUP_RANK_MIDDLE, panic_init);
399
400 #if defined (__x86_64__)
401 void
extended_debug_log_init(void)402 extended_debug_log_init(void)
403 {
404 assert(coprocessor_paniclog_flush);
405 /*
406 * Allocate an extended panic log buffer that has space for the panic
407 * stackshot at the end. Update the debug buf pointers appropriately
408 * to point at this new buffer.
409 *
410 * iBoot pre-initializes the panic region with the NULL character. We set this here
411 * so we can accurately calculate the CRC for the region without needing to flush the
412 * full region over SMC.
413 */
414 char *new_debug_buf = kalloc_data(EXTENDED_DEBUG_BUF_SIZE, Z_WAITOK | Z_ZERO);
415
416 panic_info = (struct macos_panic_header *)new_debug_buf;
417 debug_buf_ptr = debug_buf_base = (new_debug_buf + offsetof(struct macos_panic_header, mph_data));
418 debug_buf_size = (EXTENDED_DEBUG_BUF_SIZE - offsetof(struct macos_panic_header, mph_data));
419
420 extended_debug_log_enabled = TRUE;
421
422 /*
423 * Insert a compiler barrier so we don't free the other panic stackshot buffer
424 * until after we've marked the new one as available
425 */
426 __compiler_barrier();
427 kmem_free(kernel_map, panic_stackshot_buf, panic_stackshot_buf_len);
428 panic_stackshot_buf = 0;
429 panic_stackshot_buf_len = 0;
430 }
431 #endif /* defined (__x86_64__) */
432
433 void
debug_log_init(void)434 debug_log_init(void)
435 {
436 #if defined(__arm__) || defined(__arm64__)
437 if (!gPanicBase) {
438 printf("debug_log_init: Error!! gPanicBase is still not initialized\n");
439 return;
440 }
441 /* Shift debug buf start location and size by the length of the panic header */
442 debug_buf_base = (char *)gPanicBase + sizeof(struct embedded_panic_header);
443 debug_buf_ptr = debug_buf_base;
444 debug_buf_size = gPanicSize - sizeof(struct embedded_panic_header);
445 #else
446 kern_return_t kr = KERN_SUCCESS;
447 bzero(panic_info, DEBUG_BUF_SIZE);
448
449 assert(debug_buf_base != NULL);
450 assert(debug_buf_ptr != NULL);
451 assert(debug_buf_size != 0);
452
453 /*
454 * We allocate a buffer to store a panic time stackshot. If we later discover that this is a
455 * system that supports flushing a stackshot via an extended debug log (see above), we'll free this memory
456 * as it's not necessary on this platform. This information won't be available until the IOPlatform has come
457 * up.
458 */
459 kr = kmem_alloc(kernel_map, &panic_stackshot_buf, PANIC_STACKSHOT_BUFSIZE, VM_KERN_MEMORY_DIAG);
460 assert(kr == KERN_SUCCESS);
461 if (kr == KERN_SUCCESS) {
462 panic_stackshot_buf_len = PANIC_STACKSHOT_BUFSIZE;
463 }
464 #endif
465 }
466
467 void
phys_carveout_init(void)468 phys_carveout_init(void)
469 {
470 if (!PE_i_can_has_debugger(NULL)) {
471 return;
472 }
473
474 if (phys_carveout_mb == 0) {
475 return;
476 }
477
478 size_t temp_phys_carveout_size = 0;
479 if (os_mul_overflow(phys_carveout_mb, 1024 * 1024, &temp_phys_carveout_size)) {
480 panic("phys_carveout_mb size overflowed (%luMB)",
481 phys_carveout_mb);
482 return;
483 }
484
485 kern_return_t kr = kmem_alloc_contig(kernel_map, &phys_carveout, temp_phys_carveout_size,
486 VM_MAP_PAGE_MASK(kernel_map), 0, 0, KMA_NOPAGEWAIT,
487 VM_KERN_MEMORY_DIAG);
488 if (kr != KERN_SUCCESS) {
489 panic("failed to allocate %luMB for phys_carveout_mb: %u",
490 phys_carveout_mb, (unsigned int)kr);
491 return;
492 }
493
494 phys_carveout_pa = kvtophys(phys_carveout);
495 phys_carveout_size = temp_phys_carveout_size;
496
497 /*
498 * Record and dump carveout metadata region into corefile. Smallest unit (a
499 * page) is allocated as storage for panic_trace_header_t content, which is
500 * unfortunately wasteful but simplifies usage logic rather than stealing
501 * bytes from prior phys_carveout.
502 */
503 if (debug_can_coredump_phys_carveout()) {
504 size_t temp_phys_carveout_metadata_size = PAGE_SIZE;
505 kr = kmem_alloc_contig(kernel_map, &phys_carveout_metadata, temp_phys_carveout_metadata_size,
506 VM_MAP_PAGE_MASK(kernel_map), 0, 0,
507 KMA_NOPAGEWAIT, VM_KERN_MEMORY_DIAG);
508 if (kr != KERN_SUCCESS) {
509 panic("failed to allocate %u for phys_carveout_metadata: %u",
510 (unsigned int)temp_phys_carveout_metadata_size, (unsigned int)kr);
511 return;
512 }
513 phys_carveout_metadata_size = temp_phys_carveout_metadata_size;
514 phys_carveout_metadata_pa = kvtophys(phys_carveout_metadata);
515 }
516
517 #if (__arm__ || __arm64__) && (DEVELOPMENT || DEBUG)
518 /* likely panic_trace boot-arg is also set so check and enable tracing if necessary into new carveout */
519 PE_arm_debug_enable_trace();
520 #endif /* (__arm__ || __arm64__) && (DEVELOPMENT || DEBUG) */
521 }
522
523 boolean_t
debug_is_in_phys_carveout(vm_map_offset_t va)524 debug_is_in_phys_carveout(vm_map_offset_t va)
525 {
526 return phys_carveout_size && va >= phys_carveout &&
527 va < (phys_carveout + phys_carveout_size);
528 }
529
530 boolean_t
debug_is_in_phys_carveout_metadata(vm_map_offset_t va)531 debug_is_in_phys_carveout_metadata(vm_map_offset_t va)
532 {
533 return phys_carveout_metadata_size && va >= phys_carveout_metadata && va < (phys_carveout_metadata + phys_carveout_metadata_size);
534 }
535
536 boolean_t
debug_can_coredump_phys_carveout(void)537 debug_can_coredump_phys_carveout(void)
538 {
539 return phys_carveout_core;
540 }
541
542 static void
DebuggerLock(void)543 DebuggerLock(void)
544 {
545 int my_cpu = cpu_number();
546 int debugger_exp_cpu = DEBUGGER_NO_CPU;
547 assert(ml_get_interrupts_enabled() == FALSE);
548
549 if (atomic_load(&debugger_cpu) == my_cpu) {
550 return;
551 }
552
553 while (!atomic_compare_exchange_strong(&debugger_cpu, &debugger_exp_cpu, my_cpu)) {
554 debugger_exp_cpu = DEBUGGER_NO_CPU;
555 }
556
557 return;
558 }
559
560 static void
DebuggerUnlock(void)561 DebuggerUnlock(void)
562 {
563 assert(atomic_load_explicit(&debugger_cpu, memory_order_relaxed) == cpu_number());
564
565 /*
566 * We don't do an atomic exchange here in case
567 * there's another CPU spinning to acquire the debugger_lock
568 * and we never get a chance to update it. We already have the
569 * lock so we can simply store DEBUGGER_NO_CPU and follow with
570 * a barrier.
571 */
572 atomic_store(&debugger_cpu, DEBUGGER_NO_CPU);
573 OSMemoryBarrier();
574
575 return;
576 }
577
578 static kern_return_t
DebuggerHaltOtherCores(boolean_t proceed_on_failure,bool is_stackshot)579 DebuggerHaltOtherCores(boolean_t proceed_on_failure, bool is_stackshot)
580 {
581 #if defined(__arm__) || defined(__arm64__)
582 return DebuggerXCallEnter(proceed_on_failure, is_stackshot);
583 #else /* defined(__arm__) || defined(__arm64__) */
584 #pragma unused(proceed_on_failure)
585 #pragma unused(is_stackshot)
586 mp_kdp_enter(proceed_on_failure);
587 return KERN_SUCCESS;
588 #endif
589 }
590
591 static void
DebuggerResumeOtherCores(void)592 DebuggerResumeOtherCores(void)
593 {
594 #if defined(__arm__) || defined(__arm64__)
595 DebuggerXCallReturn();
596 #else /* defined(__arm__) || defined(__arm64__) */
597 mp_kdp_exit();
598 #endif
599 }
600
601 __printflike(3, 0)
602 static void
DebuggerSaveState(debugger_op db_op,const char * db_message,const char * db_panic_str,va_list * db_panic_args,uint64_t db_panic_options,void * db_panic_data_ptr,boolean_t db_proceed_on_sync_failure,unsigned long db_panic_caller)603 DebuggerSaveState(debugger_op db_op, const char *db_message, const char *db_panic_str,
604 va_list *db_panic_args, uint64_t db_panic_options, void *db_panic_data_ptr,
605 boolean_t db_proceed_on_sync_failure, unsigned long db_panic_caller)
606 {
607 CPUDEBUGGEROP = db_op;
608
609 /* Preserve the original panic message */
610 if (CPUDEBUGGERCOUNT == 1 || CPUPANICSTR == NULL) {
611 CPUDEBUGGERMSG = db_message;
612 CPUPANICSTR = db_panic_str;
613 CPUPANICARGS = db_panic_args;
614 CPUPANICDATAPTR = db_panic_data_ptr;
615 CPUPANICCALLER = db_panic_caller;
616 } else if (CPUDEBUGGERCOUNT > 1 && db_panic_str != NULL) {
617 kprintf("Nested panic detected:");
618 if (db_panic_str != NULL) {
619 _doprnt(db_panic_str, db_panic_args, PE_kputc, 0);
620 }
621 }
622
623 CPUDEBUGGERSYNC = db_proceed_on_sync_failure;
624 CPUDEBUGGERRET = KERN_SUCCESS;
625
626 /* Reset these on any nested panics */
627 CPUPANICOPTS = db_panic_options;
628
629 return;
630 }
631
632 /*
633 * Save the requested debugger state/action into the current processor's
634 * percu state and trap to the debugger.
635 */
636 kern_return_t
DebuggerTrapWithState(debugger_op db_op,const char * db_message,const char * db_panic_str,va_list * db_panic_args,uint64_t db_panic_options,void * db_panic_data_ptr,boolean_t db_proceed_on_sync_failure,unsigned long db_panic_caller)637 DebuggerTrapWithState(debugger_op db_op, const char *db_message, const char *db_panic_str,
638 va_list *db_panic_args, uint64_t db_panic_options, void *db_panic_data_ptr,
639 boolean_t db_proceed_on_sync_failure, unsigned long db_panic_caller)
640 {
641 kern_return_t ret;
642
643 assert(ml_get_interrupts_enabled() == FALSE);
644 DebuggerSaveState(db_op, db_message, db_panic_str, db_panic_args,
645 db_panic_options, db_panic_data_ptr,
646 db_proceed_on_sync_failure, db_panic_caller);
647
648 /*
649 * On ARM this generates an uncategorized exception -> sleh code ->
650 * DebuggerCall -> kdp_trap -> handle_debugger_trap
651 * So that is how XNU ensures that only one core can panic.
652 * The rest of the cores are halted by IPI if possible; if that
653 * fails it will fall back to dbgwrap.
654 */
655 TRAP_DEBUGGER;
656
657 ret = CPUDEBUGGERRET;
658
659 DebuggerSaveState(DBOP_NONE, NULL, NULL, NULL, 0, NULL, FALSE, 0);
660
661 return ret;
662 }
663
664 void __attribute__((noinline))
Assert(const char * file,int line,const char * expression)665 Assert(
666 const char *file,
667 int line,
668 const char *expression
669 )
670 {
671 #if CONFIG_NONFATAL_ASSERTS
672 static TUNABLE(bool, mach_assert, "assertions", true);
673
674 if (!mach_assert) {
675 kprintf("%s:%d non-fatal Assertion: %s", file, line, expression);
676 return;
677 }
678 #endif
679
680 panic_plain("%s:%d Assertion failed: %s", file, line, expression);
681 }
682
683 boolean_t
debug_is_current_cpu_in_panic_state(void)684 debug_is_current_cpu_in_panic_state(void)
685 {
686 return current_debugger_state()->db_entry_count > 0;
687 }
688
689 void
Debugger(const char * message)690 Debugger(const char *message)
691 {
692 DebuggerWithContext(0, NULL, message, DEBUGGER_OPTION_NONE, (unsigned long)(char *)__builtin_return_address(0));
693 }
694
695 void
DebuggerWithContext(unsigned int reason,void * ctx,const char * message,uint64_t debugger_options_mask,unsigned long debugger_caller)696 DebuggerWithContext(unsigned int reason, void *ctx, const char *message,
697 uint64_t debugger_options_mask, unsigned long debugger_caller)
698 {
699 spl_t previous_interrupts_state;
700 boolean_t old_doprnt_hide_pointers = doprnt_hide_pointers;
701
702 #if defined(__x86_64__) && (DEVELOPMENT || DEBUG)
703 read_lbr();
704 #endif
705 previous_interrupts_state = ml_set_interrupts_enabled(FALSE);
706 disable_preemption();
707
708 CPUDEBUGGERCOUNT++;
709
710 if (CPUDEBUGGERCOUNT > max_debugger_entry_count) {
711 static boolean_t in_panic_kprintf = FALSE;
712
713 /* Notify any listeners that we've started a panic */
714 uint32_t panic_details = 0;
715 if (debugger_options_mask & DEBUGGER_OPTION_PANICLOGANDREBOOT) {
716 panic_details |= kPanicDetailsForcePowerOff;
717 }
718 PEHaltRestartInternal(kPEPanicBegin, panic_details);
719
720 if (!in_panic_kprintf) {
721 in_panic_kprintf = TRUE;
722 kprintf("Detected nested debugger entry count exceeding %d\n",
723 max_debugger_entry_count);
724 in_panic_kprintf = FALSE;
725 }
726
727 if (!panicDebugging) {
728 kdp_machine_reboot_type(kPEPanicRestartCPU, debugger_options_mask);
729 }
730
731 panic_spin_forever();
732 }
733
734 #pragma unused(debugger_caller) // lies!
735 SOCD_TRACE_XNU(PANIC, PACK_2X32(VALUE(cpu_number()), VALUE(CPUDEBUGGERCOUNT)), VALUE(debugger_options_mask), ADDR(message), ADDR(debugger_caller));
736
737 /* Handle any necessary platform specific actions before we proceed */
738 PEInitiatePanic();
739
740 #if DEVELOPMENT || DEBUG
741 DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED((debugger_options_mask & DEBUGGER_OPTION_RECURPANIC_ENTRY));
742 #endif
743
744 PE_panic_hook(message);
745
746 doprnt_hide_pointers = FALSE;
747
748 if (ctx != NULL) {
749 DebuggerSaveState(DBOP_DEBUGGER, message,
750 NULL, NULL, debugger_options_mask, NULL, TRUE, 0);
751 handle_debugger_trap(reason, 0, 0, ctx);
752 DebuggerSaveState(DBOP_NONE, NULL, NULL,
753 NULL, 0, NULL, FALSE, 0);
754 } else {
755 DebuggerTrapWithState(DBOP_DEBUGGER, message,
756 NULL, NULL, debugger_options_mask, NULL, TRUE, 0);
757 }
758
759 CPUDEBUGGERCOUNT--;
760 doprnt_hide_pointers = old_doprnt_hide_pointers;
761 enable_preemption();
762 ml_set_interrupts_enabled(previous_interrupts_state);
763 }
764
765 static struct kdp_callout {
766 struct kdp_callout * callout_next;
767 kdp_callout_fn_t callout_fn;
768 boolean_t callout_in_progress;
769 void * callout_arg;
770 } * kdp_callout_list = NULL;
771
772 /*
773 * Called from kernel context to register a kdp event callout.
774 */
775 void
kdp_register_callout(kdp_callout_fn_t fn,void * arg)776 kdp_register_callout(kdp_callout_fn_t fn, void * arg)
777 {
778 struct kdp_callout * kcp;
779 struct kdp_callout * list_head;
780
781 kcp = zalloc_permanent_type(struct kdp_callout);
782
783 kcp->callout_fn = fn;
784 kcp->callout_arg = arg;
785 kcp->callout_in_progress = FALSE;
786
787 /* Lock-less list insertion using compare and exchange. */
788 do {
789 list_head = kdp_callout_list;
790 kcp->callout_next = list_head;
791 } while (!OSCompareAndSwapPtr(list_head, kcp, &kdp_callout_list));
792 }
793
794 static void
kdp_callouts(kdp_event_t event)795 kdp_callouts(kdp_event_t event)
796 {
797 struct kdp_callout *kcp = kdp_callout_list;
798
799 while (kcp) {
800 if (!kcp->callout_in_progress) {
801 kcp->callout_in_progress = TRUE;
802 kcp->callout_fn(kcp->callout_arg, event);
803 kcp->callout_in_progress = FALSE;
804 }
805 kcp = kcp->callout_next;
806 }
807 }
808
809 #if defined(__arm__) || defined(__arm64__)
810 /*
811 * Register an additional buffer with data to include in the panic log
812 *
813 * <rdar://problem/50137705> tracks supporting more than one buffer
814 *
815 * Note that producer_name and buf should never be de-allocated as we reference these during panic.
816 */
817 void
register_additional_panic_data_buffer(const char * producer_name,void * buf,int len)818 register_additional_panic_data_buffer(const char *producer_name, void *buf, int len)
819 {
820 if (panic_data_buffers != NULL) {
821 panic("register_additional_panic_data_buffer called with buffer already registered");
822 }
823
824 if (producer_name == NULL || (strlen(producer_name) == 0)) {
825 panic("register_additional_panic_data_buffer called with invalid producer_name");
826 }
827
828 if (buf == NULL) {
829 panic("register_additional_panic_data_buffer called with invalid buffer pointer");
830 }
831
832 if ((len <= 0) || (len > ADDITIONAL_PANIC_DATA_BUFFER_MAX_LEN)) {
833 panic("register_additional_panic_data_buffer called with invalid length");
834 }
835
836 struct additional_panic_data_buffer *new_panic_data_buffer = zalloc_permanent_type(struct additional_panic_data_buffer);
837 new_panic_data_buffer->producer_name = producer_name;
838 new_panic_data_buffer->buf = buf;
839 new_panic_data_buffer->len = len;
840
841 if (!OSCompareAndSwapPtr(NULL, new_panic_data_buffer, &panic_data_buffers)) {
842 panic("register_additional_panic_data_buffer called with buffer already registered");
843 }
844
845 return;
846 }
847 #endif /* defined(__arm__) || defined(__arm64__) */
848
849 /*
850 * An overview of the xnu panic path:
851 *
852 * Several panic wrappers (panic(), panic_with_options(), etc.) all funnel into panic_trap_to_debugger().
853 * panic_trap_to_debugger() sets the panic state in the current processor's debugger_state prior
854 * to trapping into the debugger. Once we trap to the debugger, we end up in handle_debugger_trap()
855 * which tries to acquire the panic lock by atomically swapping the current CPU number into debugger_cpu.
856 * debugger_cpu acts as a synchronization point, from which the winning CPU can halt the other cores and
857 * continue to debugger_collect_diagnostics() where we write the paniclog, corefile (if appropriate) and proceed
858 * according to the device's boot-args.
859 */
860 #undef panic
861 void
panic(const char * str,...)862 panic(const char *str, ...)
863 {
864 va_list panic_str_args;
865
866 va_start(panic_str_args, str);
867 panic_trap_to_debugger(str, &panic_str_args, 0, NULL, 0, NULL, (unsigned long)(char *)__builtin_return_address(0));
868 va_end(panic_str_args);
869 }
870
871 void
panic_with_options(unsigned int reason,void * ctx,uint64_t debugger_options_mask,const char * str,...)872 panic_with_options(unsigned int reason, void *ctx, uint64_t debugger_options_mask, const char *str, ...)
873 {
874 va_list panic_str_args;
875
876 va_start(panic_str_args, str);
877 panic_trap_to_debugger(str, &panic_str_args, reason, ctx, (debugger_options_mask & ~DEBUGGER_INTERNAL_OPTIONS_MASK),
878 NULL, (unsigned long)(char *)__builtin_return_address(0));
879 va_end(panic_str_args);
880 }
881
882 boolean_t
panic_validate_ptr(void * ptr,vm_size_t size,const char * what)883 panic_validate_ptr(void *ptr, vm_size_t size, const char *what)
884 {
885 if (ptr == NULL) {
886 paniclog_append_noflush("NULL %s pointer\n", what);
887 return false;
888 }
889
890 if (!ml_validate_nofault((vm_offset_t)ptr, size)) {
891 paniclog_append_noflush("Invalid %s pointer: %p (size %d)\n",
892 what, ptr, (uint32_t)size);
893 return false;
894 }
895
896 return true;
897 }
898
899 boolean_t
panic_get_thread_proc_task(struct thread * thread,struct task ** task,struct proc ** proc)900 panic_get_thread_proc_task(struct thread *thread, struct task **task, struct proc **proc)
901 {
902 if (!PANIC_VALIDATE_PTR(thread)) {
903 return false;
904 }
905
906 if (!PANIC_VALIDATE_PTR(thread->t_tro)) {
907 return false;
908 }
909
910 if (!PANIC_VALIDATE_PTR(thread->t_tro->tro_task)) {
911 return false;
912 }
913
914 if (task) {
915 *task = thread->t_tro->tro_task;
916 }
917
918 if (!panic_validate_ptr(thread->t_tro->tro_proc,
919 sizeof(struct proc *), "bsd_info")) {
920 *proc = NULL;
921 } else {
922 *proc = thread->t_tro->tro_proc;
923 }
924
925 return true;
926 }
927
928 #if defined (__x86_64__)
929 /*
930 * panic_with_thread_context() is used on x86 platforms to specify a different thread that should be backtraced in the paniclog.
931 * We don't generally need this functionality on embedded platforms because embedded platforms include a panic time stackshot
932 * from customer devices. We plumb the thread pointer via the debugger trap mechanism and backtrace the kernel stack from the
933 * thread when writing the panic log.
934 *
935 * NOTE: panic_with_thread_context() should be called with an explicit thread reference held on the passed thread.
936 */
937 void
panic_with_thread_context(unsigned int reason,void * ctx,uint64_t debugger_options_mask,thread_t thread,const char * str,...)938 panic_with_thread_context(unsigned int reason, void *ctx, uint64_t debugger_options_mask, thread_t thread, const char *str, ...)
939 {
940 va_list panic_str_args;
941 __assert_only os_ref_count_t th_ref_count;
942
943 assert_thread_magic(thread);
944 th_ref_count = os_ref_get_count_raw(&thread->ref_count);
945 assertf(th_ref_count > 0, "panic_with_thread_context called with invalid thread %p with refcount %u", thread, th_ref_count);
946
947 /* Take a reference on the thread so it doesn't disappear by the time we try to backtrace it */
948 thread_reference(thread);
949
950 va_start(panic_str_args, str);
951 panic_trap_to_debugger(str, &panic_str_args, reason, ctx, ((debugger_options_mask & ~DEBUGGER_INTERNAL_OPTIONS_MASK) | DEBUGGER_INTERNAL_OPTION_THREAD_BACKTRACE),
952 thread, (unsigned long)(char *)__builtin_return_address(0));
953
954 va_end(panic_str_args);
955 }
956 #endif /* defined (__x86_64__) */
957
958 #pragma clang diagnostic push
959 #pragma clang diagnostic ignored "-Wmissing-noreturn"
960 void
panic_trap_to_debugger(const char * panic_format_str,va_list * panic_args,unsigned int reason,void * ctx,uint64_t panic_options_mask,void * panic_data_ptr,unsigned long panic_caller)961 panic_trap_to_debugger(const char *panic_format_str, va_list *panic_args, unsigned int reason, void *ctx,
962 uint64_t panic_options_mask, void *panic_data_ptr, unsigned long panic_caller)
963 {
964 #pragma clang diagnostic pop
965
966 #if defined(__x86_64__) && (DEVELOPMENT || DEBUG)
967 read_lbr();
968 /* Turn off I/O tracing once we've panicked */
969 mmiotrace_enabled = 0;
970 #endif
971
972 ml_panic_trap_to_debugger(panic_format_str, panic_args, reason, ctx, panic_options_mask, panic_caller);
973
974 CPUDEBUGGERCOUNT++;
975
976 if (CPUDEBUGGERCOUNT > max_debugger_entry_count) {
977 static boolean_t in_panic_kprintf = FALSE;
978
979 /* Notify any listeners that we've started a panic */
980 uint32_t panic_details = 0;
981 if (panic_options_mask & DEBUGGER_OPTION_PANICLOGANDREBOOT) {
982 panic_details |= kPanicDetailsForcePowerOff;
983 }
984 PEHaltRestartInternal(kPEPanicBegin, panic_details);
985
986 if (!in_panic_kprintf) {
987 in_panic_kprintf = TRUE;
988 kprintf("Detected nested debugger entry count exceeding %d\n",
989 max_debugger_entry_count);
990 in_panic_kprintf = FALSE;
991 }
992
993 if (!panicDebugging) {
994 kdp_machine_reboot_type(kPEPanicRestartCPU, panic_options_mask);
995 }
996
997 panic_spin_forever();
998 }
999
1000 SOCD_TRACE_XNU(PANIC, PACK_2X32(VALUE(cpu_number()), VALUE(CPUDEBUGGERCOUNT)), VALUE(panic_options_mask), ADDR(panic_format_str), ADDR(panic_caller));
1001 /* Handle any necessary platform specific actions before we proceed */
1002 PEInitiatePanic();
1003
1004 #if DEVELOPMENT || DEBUG
1005 DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED((panic_options_mask & DEBUGGER_OPTION_RECURPANIC_ENTRY));
1006 #endif
1007
1008 PE_panic_hook(panic_format_str);
1009
1010 #if defined (__x86_64__)
1011 plctrace_disable();
1012 #endif
1013
1014 if (write_trace_on_panic && kdebug_enable) {
1015 if (get_preemption_level() == 0 && !ml_at_interrupt_context()) {
1016 ml_set_interrupts_enabled(TRUE);
1017 KDBG_RELEASE(TRACE_PANIC);
1018 kdbg_dump_trace_to_file(KDBG_TRACE_PANIC_FILENAME, false);
1019 }
1020 }
1021
1022 ml_set_interrupts_enabled(FALSE);
1023 disable_preemption();
1024
1025 #if defined (__x86_64__)
1026 pmSafeMode(x86_lcpu(), PM_SAFE_FL_SAFE);
1027 #endif /* defined (__x86_64__) */
1028
1029 /* Never hide pointers from panic logs. */
1030 doprnt_hide_pointers = FALSE;
1031
1032 if (ctx != NULL) {
1033 /*
1034 * We called into panic from a trap, no need to trap again. Set the
1035 * state on the current CPU and then jump to handle_debugger_trap.
1036 */
1037 DebuggerSaveState(DBOP_PANIC, "panic",
1038 panic_format_str, panic_args,
1039 panic_options_mask, panic_data_ptr, TRUE, panic_caller);
1040 handle_debugger_trap(reason, 0, 0, ctx);
1041 }
1042
1043 #if defined(__arm64__)
1044 /*
1045 * Signal to fastsim that it should open debug ports (nop on hardware)
1046 */
1047 __asm__ volatile ("HINT 0x45");
1048 #endif /* defined(__arm64__) */
1049
1050 DebuggerTrapWithState(DBOP_PANIC, "panic", panic_format_str,
1051 panic_args, panic_options_mask, panic_data_ptr, TRUE, panic_caller);
1052
1053 /*
1054 * Not reached.
1055 */
1056 panic_stop();
1057 __builtin_unreachable();
1058 }
1059
1060 void
panic_spin_forever(void)1061 panic_spin_forever(void)
1062 {
1063 paniclog_append_noflush("\nPlease go to https://panic.apple.com to report this panic\n");
1064
1065 for (;;) {
1066 }
1067 }
1068
1069 static void
kdp_machine_reboot_type(unsigned int type,uint64_t debugger_flags)1070 kdp_machine_reboot_type(unsigned int type, uint64_t debugger_flags)
1071 {
1072 printf("Attempting system restart...\n");
1073 if ((type == kPEPanicRestartCPU) && (debugger_flags & DEBUGGER_OPTION_SKIP_PANICEND_CALLOUTS)) {
1074 PEHaltRestart(kPEPanicRestartCPUNoCallouts);
1075 } else {
1076 PEHaltRestart(type);
1077 }
1078 halt_all_cpus(TRUE);
1079 }
1080
1081 void
kdp_machine_reboot(void)1082 kdp_machine_reboot(void)
1083 {
1084 kdp_machine_reboot_type(kPEPanicRestartCPU, 0);
1085 }
1086
1087 /*
1088 * Gather and save diagnostic information about a panic (or Debugger call).
1089 *
1090 * On embedded, Debugger and Panic are treated very similarly -- WDT uses Debugger so we can
1091 * theoretically return from it. On desktop, Debugger is treated as a conventional debugger -- i.e no
1092 * paniclog is written and no core is written unless we request a core on NMI.
1093 *
1094 * This routine handles kicking off local coredumps, paniclogs, calling into the Debugger/KDP (if it's configured),
1095 * and calling out to any other functions we have for collecting diagnostic info.
1096 */
1097 static void
debugger_collect_diagnostics(unsigned int exception,unsigned int code,unsigned int subcode,void * state)1098 debugger_collect_diagnostics(unsigned int exception, unsigned int code, unsigned int subcode, void *state)
1099 {
1100 #if DEVELOPMENT || DEBUG
1101 DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED((debugger_panic_options & DEBUGGER_OPTION_RECURPANIC_PRELOG));
1102 #endif
1103
1104 #if defined(__x86_64__)
1105 kprintf("Debugger called: <%s>\n", debugger_message ? debugger_message : "");
1106 #endif
1107 /*
1108 * DB_HALT (halt_in_debugger) can be requested on startup, we shouldn't generate
1109 * a coredump/paniclog for this type of debugger entry. If KDP isn't configured,
1110 * we'll just spin in kdp_raise_exception.
1111 */
1112 if (debugger_current_op == DBOP_DEBUGGER && halt_in_debugger) {
1113 kdp_raise_exception(exception, code, subcode, state);
1114 if (debugger_safe_to_return && !debugger_is_panic) {
1115 return;
1116 }
1117 }
1118
1119 #ifdef CONFIG_KCOV
1120 /* Try not to break core dump path by sanitizer. */
1121 kcov_panic_disable();
1122 #endif
1123
1124 if ((debugger_current_op == DBOP_PANIC) ||
1125 ((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic)) {
1126 /*
1127 * Attempt to notify listeners once and only once that we've started
1128 * panicking. Only do this for Debugger() calls if we're treating
1129 * Debugger() calls like panic().
1130 */
1131 uint32_t panic_details = 0;
1132 if (debugger_panic_options & DEBUGGER_OPTION_PANICLOGANDREBOOT) {
1133 panic_details |= kPanicDetailsForcePowerOff;
1134 }
1135 PEHaltRestartInternal(kPEPanicBegin, panic_details);
1136
1137 /*
1138 * Set the begin pointer in the panic log structure. We key off of this
1139 * static variable rather than contents from the panic header itself in case someone
1140 * has stomped over the panic_info structure. Also initializes the header magic.
1141 */
1142 static boolean_t began_writing_paniclog = FALSE;
1143 if (!began_writing_paniclog) {
1144 PE_init_panicheader();
1145 began_writing_paniclog = TRUE;
1146 } else {
1147 /*
1148 * If we reached here, update the panic header to keep it as consistent
1149 * as possible during a nested panic
1150 */
1151 PE_update_panicheader_nestedpanic();
1152 }
1153 }
1154
1155 /*
1156 * Write panic string if this was a panic.
1157 *
1158 * TODO: Consider moving to SavePanicInfo as this is part of the panic log.
1159 */
1160 if (debugger_current_op == DBOP_PANIC) {
1161 paniclog_append_noflush("panic(cpu %d caller 0x%lx): ", (unsigned) cpu_number(), debugger_panic_caller);
1162 if (debugger_panic_str) {
1163 #pragma clang diagnostic push
1164 #pragma clang diagnostic ignored "-Wformat-nonliteral"
1165 _doprnt(debugger_panic_str, debugger_panic_args, consdebug_putc, 0);
1166 #pragma clang diagnostic pop
1167 }
1168 paniclog_append_noflush("\n");
1169 }
1170 #if defined(__x86_64__)
1171 else if (((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic)) {
1172 paniclog_append_noflush("Debugger called: <%s>\n", debugger_message ? debugger_message : "");
1173 }
1174
1175 /*
1176 * Debugger() is treated like panic() on embedded -- for example we use it for WDT
1177 * panics (so we need to write a paniclog). On desktop Debugger() is used in the
1178 * conventional sense.
1179 */
1180 if (debugger_current_op == DBOP_PANIC || ((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic))
1181 #endif /* __x86_64__ */
1182 {
1183 kdp_callouts(KDP_EVENT_PANICLOG);
1184
1185 /*
1186 * Write paniclog and panic stackshot (if supported)
1187 * TODO: Need to clear panic log when return from debugger
1188 * hooked up for embedded
1189 */
1190 SavePanicInfo(debugger_message, debugger_panic_data, debugger_panic_options);
1191
1192 #if DEVELOPMENT || DEBUG
1193 DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED((debugger_panic_options & DEBUGGER_OPTION_RECURPANIC_POSTLOG));
1194 #endif
1195
1196 /* DEBUGGER_OPTION_PANICLOGANDREBOOT is used for two finger resets on embedded so we get a paniclog */
1197 if (debugger_panic_options & DEBUGGER_OPTION_PANICLOGANDREBOOT) {
1198 PEHaltRestart(kPEPanicDiagnosticsDone);
1199 PEHaltRestart(kPEPanicRestartCPUNoCallouts);
1200 }
1201 }
1202
1203 #if CONFIG_KDP_INTERACTIVE_DEBUGGING
1204 /*
1205 * If reboot on panic is enabled and the caller of panic indicated that we should skip
1206 * local coredumps, don't try to write these and instead go straight to reboot. This
1207 * allows us to persist any data that's stored in the panic log.
1208 */
1209 if ((debugger_panic_options & DEBUGGER_OPTION_SKIP_LOCAL_COREDUMP) &&
1210 (debug_boot_arg & DB_REBOOT_POST_CORE)) {
1211 PEHaltRestart(kPEPanicDiagnosticsDone);
1212 kdp_machine_reboot_type(kPEPanicRestartCPU, debugger_panic_options);
1213 }
1214
1215 /*
1216 * Consider generating a local corefile if the infrastructure is configured
1217 * and we haven't disabled on-device coredumps.
1218 */
1219 if (on_device_corefile_enabled()) {
1220 if (!kdp_has_polled_corefile()) {
1221 if (debug_boot_arg & (DB_KERN_DUMP_ON_PANIC | DB_KERN_DUMP_ON_NMI)) {
1222 paniclog_append_noflush("skipping local kernel core because core file could not be opened prior to panic (error : 0x%x)\n",
1223 kdp_polled_corefile_error());
1224 #if defined(__arm__) || defined(__arm64__)
1225 panic_info->eph_panic_flags |= EMBEDDED_PANIC_HEADER_FLAG_COREDUMP_FAILED;
1226 paniclog_flush();
1227 #else /* defined(__arm__) || defined(__arm64__) */
1228 if (panic_info->mph_panic_log_offset != 0) {
1229 panic_info->mph_panic_flags |= MACOS_PANIC_HEADER_FLAG_COREDUMP_FAILED;
1230 paniclog_flush();
1231 }
1232 #endif /* defined(__arm__) || defined(__arm64__) */
1233 }
1234 }
1235 #if XNU_MONITOR
1236 else if ((pmap_get_cpu_data()->ppl_state == PPL_STATE_PANIC) && (debug_boot_arg & (DB_KERN_DUMP_ON_PANIC | DB_KERN_DUMP_ON_NMI))) {
1237 paniclog_append_noflush("skipping local kernel core because the PPL is in PANIC state\n");
1238 panic_info->eph_panic_flags |= EMBEDDED_PANIC_HEADER_FLAG_COREDUMP_FAILED;
1239 paniclog_flush();
1240 }
1241 #endif /* XNU_MONITOR */
1242 else {
1243 int ret = -1;
1244
1245 #if defined (__x86_64__)
1246 /* On x86 we don't do a coredump on Debugger unless the DB_KERN_DUMP_ON_NMI boot-arg is specified. */
1247 if (debugger_current_op != DBOP_DEBUGGER || (debug_boot_arg & DB_KERN_DUMP_ON_NMI))
1248 #endif
1249 {
1250 /*
1251 * Doing an on-device coredump leaves the disk driver in a state
1252 * that can not be resumed.
1253 */
1254 debugger_safe_to_return = FALSE;
1255 begin_panic_transfer();
1256 ret = kern_dump(KERN_DUMP_DISK);
1257 abort_panic_transfer();
1258
1259 #if DEVELOPMENT || DEBUG
1260 DEBUGGER_DEBUGGING_NESTED_PANIC_IF_REQUESTED((debugger_panic_options & DEBUGGER_OPTION_RECURPANIC_POSTCORE));
1261 #endif
1262 }
1263
1264 /*
1265 * If DB_REBOOT_POST_CORE is set, then reboot if coredump is sucessfully saved
1266 * or if option to ignore failures is set.
1267 */
1268 if ((debug_boot_arg & DB_REBOOT_POST_CORE) &&
1269 ((ret == 0) || (debugger_panic_options & DEBUGGER_OPTION_ATTEMPTCOREDUMPANDREBOOT))) {
1270 PEHaltRestart(kPEPanicDiagnosticsDone);
1271 kdp_machine_reboot_type(kPEPanicRestartCPU, debugger_panic_options);
1272 }
1273 }
1274 }
1275
1276 if (debugger_current_op == DBOP_PANIC ||
1277 ((debugger_current_op == DBOP_DEBUGGER) && debugger_is_panic)) {
1278 PEHaltRestart(kPEPanicDiagnosticsDone);
1279 }
1280
1281 if (debug_boot_arg & DB_REBOOT_ALWAYS) {
1282 kdp_machine_reboot_type(kPEPanicRestartCPU, debugger_panic_options);
1283 }
1284
1285 /* If KDP is configured, try to trap to the debugger */
1286 #if defined(__arm__) || defined(__arm64__)
1287 if (kdp_explicitly_requested && (current_debugger != NO_CUR_DB)) {
1288 #else
1289 if (current_debugger != NO_CUR_DB) {
1290 #endif
1291 kdp_raise_exception(exception, code, subcode, state);
1292 /*
1293 * Only return if we entered via Debugger and it's safe to return
1294 * (we halted the other cores successfully, this isn't a nested panic, etc)
1295 */
1296 if (debugger_current_op == DBOP_DEBUGGER &&
1297 debugger_safe_to_return &&
1298 kernel_debugger_entry_count == 1 &&
1299 !debugger_is_panic) {
1300 return;
1301 }
1302 }
1303
1304 #if defined(__arm__) || defined(__arm64__)
1305 if (PE_i_can_has_debugger(NULL) && panicDebugging) {
1306 /* If panic debugging is configured and we're on a dev fused device, spin for astris to connect */
1307 panic_spin_shmcon();
1308 }
1309 #endif /* defined(__arm__) || defined(__arm64__) */
1310
1311 #else /* CONFIG_KDP_INTERACTIVE_DEBUGGING */
1312
1313 PEHaltRestart(kPEPanicDiagnosticsDone);
1314
1315 #endif /* CONFIG_KDP_INTERACTIVE_DEBUGGING */
1316
1317 if (!panicDebugging) {
1318 kdp_machine_reboot_type(kPEPanicRestartCPU, debugger_panic_options);
1319 }
1320
1321 panic_spin_forever();
1322 }
1323
1324 #if INTERRUPT_MASKED_DEBUG
1325 uint64_t debugger_trap_timestamps[9];
1326 # define DEBUGGER_TRAP_TIMESTAMP(i) debugger_trap_timestamps[i] = mach_absolute_time();
1327 #else
1328 # define DEBUGGER_TRAP_TIMESTAMP(i)
1329 #endif
1330
1331 void
1332 handle_debugger_trap(unsigned int exception, unsigned int code, unsigned int subcode, void *state)
1333 {
1334 unsigned int initial_not_in_kdp = not_in_kdp;
1335 kern_return_t ret;
1336 debugger_op db_prev_op = debugger_current_op;
1337
1338 DEBUGGER_TRAP_TIMESTAMP(0);
1339
1340 DebuggerLock();
1341 ret = DebuggerHaltOtherCores(CPUDEBUGGERSYNC, (CPUDEBUGGEROP == DBOP_STACKSHOT));
1342
1343 DEBUGGER_TRAP_TIMESTAMP(1);
1344
1345 #if INTERRUPT_MASKED_DEBUG
1346 if (serialmode & SERIALMODE_OUTPUT) {
1347 ml_spin_debug_reset(current_thread());
1348 }
1349 #endif
1350 if (ret != KERN_SUCCESS) {
1351 CPUDEBUGGERRET = ret;
1352 DebuggerUnlock();
1353 return;
1354 }
1355
1356 /* Update the global panic/debugger nested entry level */
1357 kernel_debugger_entry_count = CPUDEBUGGERCOUNT;
1358 if (kernel_debugger_entry_count > 0) {
1359 console_suspend();
1360 }
1361
1362 /*
1363 * TODO: Should we do anything special for nested panics here? i.e. if we've trapped more than twice
1364 * should we call into the debugger if it's configured and then reboot if the panic log has been written?
1365 */
1366
1367 if (CPUDEBUGGEROP == DBOP_NONE) {
1368 /* If there was no debugger context setup, we trapped due to a software breakpoint */
1369 debugger_current_op = DBOP_BREAKPOINT;
1370 } else {
1371 /* Not safe to return from a nested panic/debugger call */
1372 if (debugger_current_op == DBOP_PANIC ||
1373 debugger_current_op == DBOP_DEBUGGER) {
1374 debugger_safe_to_return = FALSE;
1375 }
1376
1377 debugger_current_op = CPUDEBUGGEROP;
1378
1379 /* Only overwrite the panic message if there is none already - save the data from the first call */
1380 if (debugger_panic_str == NULL) {
1381 debugger_panic_str = CPUPANICSTR;
1382 debugger_panic_args = CPUPANICARGS;
1383 debugger_panic_data = CPUPANICDATAPTR;
1384 debugger_message = CPUDEBUGGERMSG;
1385 debugger_panic_caller = CPUPANICCALLER;
1386 }
1387
1388 debugger_panic_options = CPUPANICOPTS;
1389 }
1390
1391 /*
1392 * Clear the op from the processor debugger context so we can handle
1393 * breakpoints in the debugger
1394 */
1395 CPUDEBUGGEROP = DBOP_NONE;
1396
1397 DEBUGGER_TRAP_TIMESTAMP(2);
1398
1399 kdp_callouts(KDP_EVENT_ENTER);
1400 not_in_kdp = 0;
1401
1402 DEBUGGER_TRAP_TIMESTAMP(3);
1403
1404 if (debugger_current_op == DBOP_BREAKPOINT) {
1405 kdp_raise_exception(exception, code, subcode, state);
1406 } else if (debugger_current_op == DBOP_STACKSHOT) {
1407 CPUDEBUGGERRET = do_stackshot();
1408 #if PGO
1409 } else if (debugger_current_op == DBOP_RESET_PGO_COUNTERS) {
1410 CPUDEBUGGERRET = do_pgo_reset_counters();
1411 #endif
1412 } else {
1413 debugger_collect_diagnostics(exception, code, subcode, state);
1414 }
1415
1416 DEBUGGER_TRAP_TIMESTAMP(4);
1417
1418 not_in_kdp = initial_not_in_kdp;
1419 kdp_callouts(KDP_EVENT_EXIT);
1420
1421 DEBUGGER_TRAP_TIMESTAMP(5);
1422
1423 if (debugger_current_op != DBOP_BREAKPOINT) {
1424 debugger_panic_str = NULL;
1425 debugger_panic_args = NULL;
1426 debugger_panic_data = NULL;
1427 debugger_panic_options = 0;
1428 debugger_message = NULL;
1429 }
1430
1431 /* Restore the previous debugger state */
1432 debugger_current_op = db_prev_op;
1433
1434 DEBUGGER_TRAP_TIMESTAMP(6);
1435
1436 DebuggerResumeOtherCores();
1437
1438 DEBUGGER_TRAP_TIMESTAMP(7);
1439
1440 DebuggerUnlock();
1441
1442 DEBUGGER_TRAP_TIMESTAMP(8);
1443
1444 return;
1445 }
1446
1447 __attribute__((noinline, not_tail_called))
1448 void
1449 log(__unused int level, char *fmt, ...)
1450 {
1451 void *caller = __builtin_return_address(0);
1452 va_list listp;
1453 va_list listp2;
1454
1455
1456 #ifdef lint
1457 level++;
1458 #endif /* lint */
1459 #ifdef MACH_BSD
1460 va_start(listp, fmt);
1461 va_copy(listp2, listp);
1462
1463 disable_preemption();
1464 _doprnt(fmt, &listp, cons_putc_locked, 0);
1465 enable_preemption();
1466
1467 va_end(listp);
1468
1469 #pragma clang diagnostic push
1470 #pragma clang diagnostic ignored "-Wformat-nonliteral"
1471 os_log_with_args(OS_LOG_DEFAULT, OS_LOG_TYPE_DEFAULT, fmt, listp2, caller);
1472 #pragma clang diagnostic pop
1473 va_end(listp2);
1474 #endif
1475 }
1476
1477 /*
1478 * Per <rdar://problem/24974766>, skip appending log messages to
1479 * the new logging infrastructure in contexts where safety is
1480 * uncertain. These contexts include:
1481 * - When we're in the debugger
1482 * - We're in a panic
1483 * - Interrupts are disabled
1484 * - Or Pre-emption is disabled
1485 * In all the above cases, it is potentially unsafe to log messages.
1486 */
1487
1488 boolean_t
1489 oslog_is_safe(void)
1490 {
1491 return kernel_debugger_entry_count == 0 &&
1492 not_in_kdp == 1 &&
1493 get_preemption_level() == 0 &&
1494 ml_get_interrupts_enabled() == TRUE;
1495 }
1496
1497 boolean_t
1498 debug_mode_active(void)
1499 {
1500 return (0 != kernel_debugger_entry_count != 0) || (0 == not_in_kdp);
1501 }
1502
1503 void
1504 debug_putc(char c)
1505 {
1506 if ((debug_buf_size != 0) &&
1507 ((debug_buf_ptr - debug_buf_base) < (int)debug_buf_size)) {
1508 *debug_buf_ptr = c;
1509 debug_buf_ptr++;
1510 }
1511 }
1512
1513 #if defined (__x86_64__)
1514 struct pasc {
1515 unsigned a: 7;
1516 unsigned b: 7;
1517 unsigned c: 7;
1518 unsigned d: 7;
1519 unsigned e: 7;
1520 unsigned f: 7;
1521 unsigned g: 7;
1522 unsigned h: 7;
1523 } __attribute__((packed));
1524
1525 typedef struct pasc pasc_t;
1526
1527 /*
1528 * In-place packing routines -- inefficient, but they're called at most once.
1529 * Assumes "buflen" is a multiple of 8. Used for compressing paniclogs on x86.
1530 */
1531 int
1532 packA(char *inbuf, uint32_t length, uint32_t buflen)
1533 {
1534 unsigned int i, j = 0;
1535 pasc_t pack;
1536
1537 length = MIN(((length + 7) & ~7), buflen);
1538
1539 for (i = 0; i < length; i += 8) {
1540 pack.a = inbuf[i];
1541 pack.b = inbuf[i + 1];
1542 pack.c = inbuf[i + 2];
1543 pack.d = inbuf[i + 3];
1544 pack.e = inbuf[i + 4];
1545 pack.f = inbuf[i + 5];
1546 pack.g = inbuf[i + 6];
1547 pack.h = inbuf[i + 7];
1548 bcopy((char *) &pack, inbuf + j, 7);
1549 j += 7;
1550 }
1551 return j;
1552 }
1553
1554 void
1555 unpackA(char *inbuf, uint32_t length)
1556 {
1557 pasc_t packs;
1558 unsigned i = 0;
1559 length = (length * 8) / 7;
1560
1561 while (i < length) {
1562 packs = *(pasc_t *)&inbuf[i];
1563 bcopy(&inbuf[i + 7], &inbuf[i + 8], MAX(0, (int) (length - i - 8)));
1564 inbuf[i++] = packs.a;
1565 inbuf[i++] = packs.b;
1566 inbuf[i++] = packs.c;
1567 inbuf[i++] = packs.d;
1568 inbuf[i++] = packs.e;
1569 inbuf[i++] = packs.f;
1570 inbuf[i++] = packs.g;
1571 inbuf[i++] = packs.h;
1572 }
1573 }
1574 #endif /* defined (__x86_64__) */
1575
1576 extern char *proc_name_address(void *);
1577 extern char *proc_longname_address(void *);
1578
1579 __private_extern__ void
1580 panic_display_process_name(void)
1581 {
1582 proc_name_t proc_name = {};
1583 struct proc *cbsd_info = NULL;
1584 task_t ctask = NULL;
1585 vm_size_t size;
1586
1587 if (!panic_get_thread_proc_task(current_thread(), &ctask, &cbsd_info)) {
1588 goto out;
1589 }
1590
1591 if (cbsd_info == NULL) {
1592 goto out;
1593 }
1594
1595 size = ml_nofault_copy((vm_offset_t)proc_longname_address(cbsd_info),
1596 (vm_offset_t)&proc_name, sizeof(proc_name));
1597
1598 if (size == 0 || proc_name[0] == '\0') {
1599 size = ml_nofault_copy((vm_offset_t)proc_name_address(cbsd_info),
1600 (vm_offset_t)&proc_name,
1601 MIN(sizeof(command_t), sizeof(proc_name)));
1602 if (size > 0) {
1603 proc_name[size - 1] = '\0';
1604 }
1605 }
1606
1607 out:
1608 proc_name[sizeof(proc_name) - 1] = '\0';
1609 paniclog_append_noflush("\nProcess name corresponding to current thread (%p): %s\n",
1610 current_thread(), proc_name[0] != '\0' ? proc_name : "Unknown");
1611 }
1612
1613 unsigned
1614 panic_active(void)
1615 {
1616 return debugger_current_op == DBOP_PANIC ||
1617 (debugger_current_op == DBOP_DEBUGGER && debugger_is_panic);
1618 }
1619
1620 void
1621 populate_model_name(char *model_string)
1622 {
1623 strlcpy(model_name, model_string, sizeof(model_name));
1624 }
1625
1626 void
1627 panic_display_model_name(void)
1628 {
1629 char tmp_model_name[sizeof(model_name)];
1630
1631 if (ml_nofault_copy((vm_offset_t) &model_name, (vm_offset_t) &tmp_model_name, sizeof(model_name)) != sizeof(model_name)) {
1632 return;
1633 }
1634
1635 tmp_model_name[sizeof(tmp_model_name) - 1] = '\0';
1636
1637 if (tmp_model_name[0] != 0) {
1638 paniclog_append_noflush("System model name: %s\n", tmp_model_name);
1639 }
1640 }
1641
1642 void
1643 panic_display_kernel_uuid(void)
1644 {
1645 char tmp_kernel_uuid[sizeof(kernel_uuid_string)];
1646
1647 if (ml_nofault_copy((vm_offset_t) &kernel_uuid_string, (vm_offset_t) &tmp_kernel_uuid, sizeof(kernel_uuid_string)) != sizeof(kernel_uuid_string)) {
1648 return;
1649 }
1650
1651 if (tmp_kernel_uuid[0] != '\0') {
1652 paniclog_append_noflush("Kernel UUID: %s\n", tmp_kernel_uuid);
1653 }
1654 }
1655
1656 void
1657 panic_display_kernel_aslr(void)
1658 {
1659 kc_format_t kc_format;
1660
1661 PE_get_primary_kc_format(&kc_format);
1662
1663 if (kc_format == KCFormatFileset) {
1664 void *kch = PE_get_kc_header(KCKindPrimary);
1665 paniclog_append_noflush("KernelCache slide: 0x%016lx\n", (unsigned long) vm_kernel_slide);
1666 paniclog_append_noflush("KernelCache base: %p\n", (void*) kch);
1667 paniclog_append_noflush("Kernel slide: 0x%016lx\n", vm_kernel_stext - (unsigned long)kch + vm_kernel_slide);
1668 paniclog_append_noflush("Kernel text base: %p\n", (void *) vm_kernel_stext);
1669 #if defined(__arm64__)
1670 extern vm_offset_t segTEXTEXECB;
1671 paniclog_append_noflush("Kernel text exec slide: 0x%016lx\n", (unsigned long)segTEXTEXECB - (unsigned long)kch + vm_kernel_slide);
1672 paniclog_append_noflush("Kernel text exec base: 0x%016lx\n", (unsigned long)segTEXTEXECB);
1673 #endif /* defined(__arm64__) */
1674 } else if (vm_kernel_slide) {
1675 paniclog_append_noflush("Kernel slide: 0x%016lx\n", (unsigned long) vm_kernel_slide);
1676 paniclog_append_noflush("Kernel text base: %p\n", (void *)vm_kernel_stext);
1677 } else {
1678 paniclog_append_noflush("Kernel text base: %p\n", (void *)vm_kernel_stext);
1679 }
1680 }
1681
1682 void
1683 panic_display_hibb(void)
1684 {
1685 #if defined(__i386__) || defined (__x86_64__)
1686 paniclog_append_noflush("__HIB text base: %p\n", (void *) vm_hib_base);
1687 #endif
1688 }
1689
1690 #if CONFIG_ECC_LOGGING
1691 __private_extern__ void
1692 panic_display_ecc_errors(void)
1693 {
1694 uint32_t count = ecc_log_get_correction_count();
1695
1696 if (count > 0) {
1697 paniclog_append_noflush("ECC Corrections:%u\n", count);
1698 }
1699 }
1700 #endif /* CONFIG_ECC_LOGGING */
1701
1702 #if CONFIG_FREEZE
1703 extern bool freezer_incore_cseg_acct;
1704 extern uint32_t c_segment_pages_compressed_incore;
1705 #endif
1706
1707 extern uint32_t c_segment_pages_compressed;
1708 extern uint32_t c_segment_count;
1709 extern uint32_t c_segments_limit;
1710 extern uint32_t c_segment_pages_compressed_limit;
1711 extern uint32_t c_segment_pages_compressed_nearing_limit;
1712 extern uint32_t c_segments_nearing_limit;
1713 extern int vm_num_swap_files;
1714
1715 void
1716 panic_display_compressor_stats(void)
1717 {
1718 int isswaplow = vm_swap_low_on_space();
1719 #if CONFIG_FREEZE
1720 uint32_t incore_seg_count;
1721 uint32_t incore_compressed_pages;
1722 if (freezer_incore_cseg_acct) {
1723 incore_seg_count = c_segment_count - c_swappedout_count - c_swappedout_sparse_count;
1724 incore_compressed_pages = c_segment_pages_compressed_incore;
1725 } else {
1726 incore_seg_count = c_segment_count;
1727 incore_compressed_pages = c_segment_pages_compressed;
1728 }
1729
1730 paniclog_append_noflush("Compressor Info: %u%% of compressed pages limit (%s) and %u%% of segments limit (%s) with %d swapfiles and %s swap space\n",
1731 (incore_compressed_pages * 100) / c_segment_pages_compressed_limit,
1732 (incore_compressed_pages > c_segment_pages_compressed_nearing_limit) ? "BAD":"OK",
1733 (incore_seg_count * 100) / c_segments_limit,
1734 (incore_seg_count > c_segments_nearing_limit) ? "BAD":"OK",
1735 vm_num_swap_files,
1736 isswaplow ? "LOW":"OK");
1737 #else /* CONFIG_FREEZE */
1738 paniclog_append_noflush("Compressor Info: %u%% of compressed pages limit (%s) and %u%% of segments limit (%s) with %d swapfiles and %s swap space\n",
1739 (c_segment_pages_compressed * 100) / c_segment_pages_compressed_limit,
1740 (c_segment_pages_compressed > c_segment_pages_compressed_nearing_limit) ? "BAD":"OK",
1741 (c_segment_count * 100) / c_segments_limit,
1742 (c_segment_count > c_segments_nearing_limit) ? "BAD":"OK",
1743 vm_num_swap_files,
1744 isswaplow ? "LOW":"OK");
1745 #endif /* CONFIG_FREEZE */
1746 }
1747
1748 #if !CONFIG_TELEMETRY
1749 int
1750 telemetry_gather(user_addr_t buffer __unused, uint32_t *length __unused, bool mark __unused)
1751 {
1752 return KERN_NOT_SUPPORTED;
1753 }
1754 #endif
1755
1756 #include <machine/machine_cpu.h>
1757
1758 SECURITY_READ_ONLY_LATE(uint32_t) kern_feature_overrides = 0;
1759
1760 boolean_t
1761 kern_feature_override(uint32_t fmask)
1762 {
1763 if (kern_feature_overrides == 0) {
1764 uint32_t fdisables = 0;
1765 /*
1766 * Expected to be first invoked early, in a single-threaded
1767 * environment
1768 */
1769 if (PE_parse_boot_argn("validation_disables", &fdisables, sizeof(fdisables))) {
1770 fdisables |= KF_INITIALIZED;
1771 kern_feature_overrides = fdisables;
1772 } else {
1773 kern_feature_overrides |= KF_INITIALIZED;
1774 }
1775 }
1776 return (kern_feature_overrides & fmask) == fmask;
1777 }
1778
1779 boolean_t
1780 on_device_corefile_enabled(void)
1781 {
1782 assert(startup_phase >= STARTUP_SUB_TUNABLES);
1783 #if CONFIG_KDP_INTERACTIVE_DEBUGGING
1784 if (debug_boot_arg == 0) {
1785 return FALSE;
1786 }
1787 if (debug_boot_arg & DB_DISABLE_LOCAL_CORE) {
1788 return FALSE;
1789 }
1790 #if !XNU_TARGET_OS_OSX
1791 /*
1792 * outside of macOS, if there's a debug boot-arg set and local
1793 * cores aren't explicitly disabled, we always write a corefile.
1794 */
1795 return TRUE;
1796 #else /* !XNU_TARGET_OS_OSX */
1797 /*
1798 * on macOS, if corefiles on panic are requested and local cores
1799 * aren't disabled we write a local core.
1800 */
1801 if (debug_boot_arg & (DB_KERN_DUMP_ON_NMI | DB_KERN_DUMP_ON_PANIC)) {
1802 return TRUE;
1803 }
1804 #endif /* !XNU_TARGET_OS_OSX */
1805 #endif /* CONFIG_KDP_INTERACTIVE_DEBUGGING */
1806 return FALSE;
1807 }
1808
1809 boolean_t
1810 panic_stackshot_to_disk_enabled(void)
1811 {
1812 assert(startup_phase >= STARTUP_SUB_TUNABLES);
1813 #if defined(__x86_64__)
1814 if (PEGetCoprocessorVersion() < kCoprocessorVersion2) {
1815 /* Only enabled on pre-Gibraltar machines where it hasn't been disabled explicitly */
1816 if ((debug_boot_arg != 0) && (debug_boot_arg & DB_DISABLE_STACKSHOT_TO_DISK)) {
1817 return FALSE;
1818 }
1819
1820 return TRUE;
1821 }
1822 #endif
1823 return FALSE;
1824 }
1825
1826 const char *
1827 sysctl_debug_get_preoslog(size_t *size)
1828 {
1829 int result = 0;
1830 void *preoslog_pa = NULL;
1831 int preoslog_size = 0;
1832
1833 result = IODTGetLoaderInfo("preoslog", &preoslog_pa, &preoslog_size);
1834 if (result || preoslog_pa == NULL || preoslog_size == 0) {
1835 kprintf("Couldn't obtain preoslog region: result = %d, preoslog_pa = %p, preoslog_size = %d\n", result, preoslog_pa, preoslog_size);
1836 *size = 0;
1837 return NULL;
1838 }
1839
1840 /*
1841 * Beware:
1842 * On release builds, we would need to call IODTFreeLoaderInfo("preoslog", preoslog_pa, preoslog_size) to free the preoslog buffer.
1843 * On Development & Debug builds, we retain the buffer so it can be extracted from coredumps.
1844 */
1845 *size = preoslog_size;
1846 return (char *)(ml_static_ptovirt((vm_offset_t)(preoslog_pa)));
1847 }
1848
1849 void
1850 sysctl_debug_free_preoslog(void)
1851 {
1852 #if RELEASE
1853 int result = 0;
1854 void *preoslog_pa = NULL;
1855 int preoslog_size = 0;
1856
1857 result = IODTGetLoaderInfo("preoslog", &preoslog_pa, &preoslog_size);
1858 if (result || preoslog_pa == NULL || preoslog_size == 0) {
1859 kprintf("Couldn't obtain preoslog region: result = %d, preoslog_pa = %p, preoslog_size = %d\n", result, preoslog_pa, preoslog_size);
1860 return;
1861 }
1862
1863 IODTFreeLoaderInfo("preoslog", preoslog_pa, preoslog_size);
1864 #else
1865 /* On Development & Debug builds, we retain the buffer so it can be extracted from coredumps. */
1866 #endif // RELEASE
1867 }
1868