1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1986, 1988, 1991, 1993
5 * The Regents of the University of California. All rights reserved.
6 * (c) UNIX System Laboratories, Inc.
7 * All or some portions of this file are derived from material licensed
8 * to the University of California by American Telephone and Telegraph
9 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
10 * the permission of UNIX System Laboratories, Inc.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. Neither the name of the University nor the names of its contributors
21 * may be used to endorse or promote products derived from this software
22 * without specific prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 * SUCH DAMAGE.
35 *
36 * @(#)kern_shutdown.c 8.3 (Berkeley) 1/21/94
37 */
38
39 #include <sys/cdefs.h>
40 __FBSDID("$FreeBSD$");
41
42 #include "opt_ddb.h"
43 #include "opt_ekcd.h"
44 #include "opt_kdb.h"
45 #include "opt_panic.h"
46 #include "opt_sched.h"
47 #include "opt_watchdog.h"
48
49 #include <sys/param.h>
50 #include <sys/systm.h>
51 #include <sys/bio.h>
52 #include <sys/buf.h>
53 #include <sys/conf.h>
54 #include <sys/compressor.h>
55 #include <sys/cons.h>
56 #include <sys/eventhandler.h>
57 #include <sys/filedesc.h>
58 #include <sys/jail.h>
59 #include <sys/kdb.h>
60 #include <sys/kernel.h>
61 #include <sys/kerneldump.h>
62 #include <sys/kthread.h>
63 #include <sys/ktr.h>
64 #include <sys/malloc.h>
65 #include <sys/mbuf.h>
66 #include <sys/mount.h>
67 #include <sys/priv.h>
68 #include <sys/proc.h>
69 #include <sys/reboot.h>
70 #include <sys/resourcevar.h>
71 #include <sys/rwlock.h>
72 #include <sys/sched.h>
73 #include <sys/smp.h>
74 #include <sys/sysctl.h>
75 #include <sys/sysproto.h>
76 #include <sys/taskqueue.h>
77 #include <sys/vnode.h>
78 #include <sys/watchdog.h>
79
80 #include <crypto/rijndael/rijndael-api-fst.h>
81 #include <crypto/sha2/sha256.h>
82
83 #include <ddb/ddb.h>
84
85 #include <machine/cpu.h>
86 #include <machine/dump.h>
87 #include <machine/pcb.h>
88 #include <machine/smp.h>
89
90 #include <security/mac/mac_framework.h>
91
92 #include <vm/vm.h>
93 #include <vm/vm_object.h>
94 #include <vm/vm_page.h>
95 #include <vm/vm_pager.h>
96 #include <vm/swap_pager.h>
97
98 #include <sys/signalvar.h>
99
100 static MALLOC_DEFINE(M_DUMPER, "dumper", "dumper block buffer");
101
102 #ifndef PANIC_REBOOT_WAIT_TIME
103 #define PANIC_REBOOT_WAIT_TIME 15 /* default to 15 seconds */
104 #endif
105 static int panic_reboot_wait_time = PANIC_REBOOT_WAIT_TIME;
106 SYSCTL_INT(_kern, OID_AUTO, panic_reboot_wait_time, CTLFLAG_RWTUN,
107 &panic_reboot_wait_time, 0,
108 "Seconds to wait before rebooting after a panic");
109
110 /*
111 * Note that stdarg.h and the ANSI style va_start macro is used for both
112 * ANSI and traditional C compilers.
113 */
114 #include <machine/stdarg.h>
115
116 #ifdef KDB
117 #ifdef KDB_UNATTENDED
118 int debugger_on_panic = 0;
119 #else
120 int debugger_on_panic = 1;
121 #endif
122 SYSCTL_INT(_debug, OID_AUTO, debugger_on_panic,
123 CTLFLAG_RWTUN | CTLFLAG_SECURE,
124 &debugger_on_panic, 0, "Run debugger on kernel panic");
125
126 int debugger_on_trap = 0;
127 SYSCTL_INT(_debug, OID_AUTO, debugger_on_trap,
128 CTLFLAG_RWTUN | CTLFLAG_SECURE,
129 &debugger_on_trap, 0, "Run debugger on kernel trap before panic");
130
131 #ifdef KDB_TRACE
132 static int trace_on_panic = 1;
133 static bool trace_all_panics = true;
134 #else
135 static int trace_on_panic = 0;
136 static bool trace_all_panics = false;
137 #endif
138 SYSCTL_INT(_debug, OID_AUTO, trace_on_panic,
139 CTLFLAG_RWTUN | CTLFLAG_SECURE,
140 &trace_on_panic, 0, "Print stack trace on kernel panic");
141 SYSCTL_BOOL(_debug, OID_AUTO, trace_all_panics, CTLFLAG_RWTUN,
142 &trace_all_panics, 0, "Print stack traces on secondary kernel panics");
143 #endif /* KDB */
144
145 static int sync_on_panic = 0;
146 SYSCTL_INT(_kern, OID_AUTO, sync_on_panic, CTLFLAG_RWTUN,
147 &sync_on_panic, 0, "Do a sync before rebooting from a panic");
148
149 static bool poweroff_on_panic = 0;
150 SYSCTL_BOOL(_kern, OID_AUTO, poweroff_on_panic, CTLFLAG_RWTUN,
151 &poweroff_on_panic, 0, "Do a power off instead of a reboot on a panic");
152
153 static bool powercycle_on_panic = 0;
154 SYSCTL_BOOL(_kern, OID_AUTO, powercycle_on_panic, CTLFLAG_RWTUN,
155 &powercycle_on_panic, 0, "Do a power cycle instead of a reboot on a panic");
156
157 static SYSCTL_NODE(_kern, OID_AUTO, shutdown, CTLFLAG_RW, 0,
158 "Shutdown environment");
159
160 #ifndef DIAGNOSTIC
161 static int show_busybufs;
162 #else
163 static int show_busybufs = 1;
164 #endif
165 SYSCTL_INT(_kern_shutdown, OID_AUTO, show_busybufs, CTLFLAG_RW,
166 &show_busybufs, 0, "");
167
168 int suspend_blocked = 0;
169 SYSCTL_INT(_kern, OID_AUTO, suspend_blocked, CTLFLAG_RW,
170 &suspend_blocked, 0, "Block suspend due to a pending shutdown");
171
172 #ifdef EKCD
173 FEATURE(ekcd, "Encrypted kernel crash dumps support");
174
175 MALLOC_DEFINE(M_EKCD, "ekcd", "Encrypted kernel crash dumps data");
176
177 struct kerneldumpcrypto {
178 uint8_t kdc_encryption;
179 uint8_t kdc_iv[KERNELDUMP_IV_MAX_SIZE];
180 keyInstance kdc_ki;
181 cipherInstance kdc_ci;
182 uint32_t kdc_dumpkeysize;
183 struct kerneldumpkey kdc_dumpkey[];
184 };
185 #endif
186
187 struct kerneldumpcomp {
188 uint8_t kdc_format;
189 struct compressor *kdc_stream;
190 uint8_t *kdc_buf;
191 size_t kdc_resid;
192 };
193
194 static struct kerneldumpcomp *kerneldumpcomp_create(struct dumperinfo *di,
195 uint8_t compression);
196 static void kerneldumpcomp_destroy(struct dumperinfo *di);
197 static int kerneldumpcomp_write_cb(void *base, size_t len, off_t off, void *arg);
198
199 static int kerneldump_gzlevel = 6;
200 SYSCTL_INT(_kern, OID_AUTO, kerneldump_gzlevel, CTLFLAG_RWTUN,
201 &kerneldump_gzlevel, 0,
202 "Kernel crash dump compression level");
203
204 /*
205 * Variable panicstr contains argument to first call to panic; used as flag
206 * to indicate that the kernel has already called panic.
207 */
208 const char __read_mostly *panicstr;
209
210 int __read_mostly dumping; /* system is dumping */
211 int rebooting; /* system is rebooting */
212 static struct dumperinfo dumper; /* our selected dumper */
213
214 /* Context information for dump-debuggers. */
215 static struct pcb dumppcb; /* Registers. */
216 lwpid_t dumptid; /* Thread ID. */
217
218 static struct cdevsw reroot_cdevsw = {
219 .d_version = D_VERSION,
220 .d_name = "reroot",
221 };
222
223 static void poweroff_wait(void *, int);
224 static void shutdown_halt(void *junk, int howto);
225 static void shutdown_panic(void *junk, int howto);
226 static void shutdown_reset(void *junk, int howto);
227 static int kern_reroot(void);
228
229 /* register various local shutdown events */
230 static void
231 shutdown_conf(void *unused)
232 {
233
234 EVENTHANDLER_REGISTER(shutdown_final, poweroff_wait, NULL,
235 SHUTDOWN_PRI_FIRST);
236 EVENTHANDLER_REGISTER(shutdown_final, shutdown_halt, NULL,
237 SHUTDOWN_PRI_LAST + 100);
238 EVENTHANDLER_REGISTER(shutdown_final, shutdown_panic, NULL,
239 SHUTDOWN_PRI_LAST + 100);
240 EVENTHANDLER_REGISTER(shutdown_final, shutdown_reset, NULL,
241 SHUTDOWN_PRI_LAST + 200);
242 }
243
244 SYSINIT(shutdown_conf, SI_SUB_INTRINSIC, SI_ORDER_ANY, shutdown_conf, NULL);
245
246 /*
247 * The only reason this exists is to create the /dev/reroot/ directory,
248 * used by reroot code in init(8) as a mountpoint for tmpfs.
249 */
250 static void
251 reroot_conf(void *unused)
252 {
253 int error;
254 struct cdev *cdev;
255
256 error = make_dev_p(MAKEDEV_CHECKNAME | MAKEDEV_WAITOK, &cdev,
257 &reroot_cdevsw, NULL, UID_ROOT, GID_WHEEL, 0600, "reroot/reroot");
258 if (error != 0) {
259 printf("%s: failed to create device node, error %d",
260 __func__, error);
261 }
262 }
263
264 SYSINIT(reroot_conf, SI_SUB_DEVFS, SI_ORDER_ANY, reroot_conf, NULL);
265
266 /*
267 * The system call that results in a reboot.
268 */
269 /* ARGSUSED */
270 int
271 sys_reboot(struct thread *td, struct reboot_args *uap)
272 {
273 int error;
274
275 error = 0;
276 #ifdef MAC
277 error = mac_system_check_reboot(td->td_ucred, uap->opt);
278 #endif
279 if (error == 0)
280 error = priv_check(td, PRIV_REBOOT);
281 if (error == 0) {
282 if (uap->opt & RB_REROOT)
283 error = kern_reroot();
284 else
285 kern_reboot(uap->opt);
286 }
287 return (error);
288 }
289
290 static void
291 shutdown_nice_task_fn(void *arg, int pending __unused)
292 {
293 int howto;
294
295 howto = (uintptr_t)arg;
296 /* Send a signal to init(8) and have it shutdown the world. */
297 PROC_LOCK(initproc);
298 if (howto & RB_POWEROFF)
299 kern_psignal(initproc, SIGUSR2);
300 else if (howto & RB_POWERCYCLE)
301 kern_psignal(initproc, SIGWINCH);
302 else if (howto & RB_HALT)
303 kern_psignal(initproc, SIGUSR1);
304 else
305 kern_psignal(initproc, SIGINT);
306 PROC_UNLOCK(initproc);
307 }
308
309 static struct task shutdown_nice_task = TASK_INITIALIZER(0,
310 &shutdown_nice_task_fn, NULL);
311
312 /*
313 * Called by events that want to shut down.. e.g <CTL><ALT><DEL> on a PC
314 */
315 void
316 shutdown_nice(int howto)
317 {
318
319 if (initproc != NULL && !SCHEDULER_STOPPED()) {
320 shutdown_nice_task.ta_context = (void *)(uintptr_t)howto;
321 taskqueue_enqueue(taskqueue_fast, &shutdown_nice_task);
322 } else {
323 /*
324 * No init(8) running, or scheduler would not allow it
325 * to run, so simply reboot.
326 */
327 kern_reboot(howto | RB_NOSYNC);
328 }
329 }
330
331 static void
332 print_uptime(void)
333 {
334 int f;
335 struct timespec ts;
336
337 getnanouptime(&ts);
338 printf("Uptime: ");
339 f = 0;
340 if (ts.tv_sec >= 86400) {
341 printf("%ldd", (long)ts.tv_sec / 86400);
342 ts.tv_sec %= 86400;
343 f = 1;
344 }
345 if (f || ts.tv_sec >= 3600) {
346 printf("%ldh", (long)ts.tv_sec / 3600);
347 ts.tv_sec %= 3600;
348 f = 1;
349 }
350 if (f || ts.tv_sec >= 60) {
351 printf("%ldm", (long)ts.tv_sec / 60);
352 ts.tv_sec %= 60;
353 f = 1;
354 }
355 printf("%lds\n", (long)ts.tv_sec);
356 }
357
358 int
359 doadump(boolean_t textdump)
360 {
361 boolean_t coredump;
362 int error;
363
364 error = 0;
365 if (dumping)
366 return (EBUSY);
367 if (dumper.dumper == NULL)
368 return (ENXIO);
369
370 savectx(&dumppcb);
371 dumptid = curthread->td_tid;
372 dumping++;
373
374 coredump = TRUE;
375 #ifdef DDB
376 if (textdump && textdump_pending) {
377 coredump = FALSE;
378 textdump_dumpsys(&dumper);
379 }
380 #endif
381 if (coredump)
382 error = dumpsys(&dumper);
383
384 dumping--;
385 return (error);
386 }
387
388 /*
389 * kern_reboot(9): Shut down the system cleanly to prepare for reboot, halt, or
390 * power off.
391 */
392 void
393 kern_reboot(int howto)
394 {
395 static int once = 0;
396
397 /*
398 * Normal paths here don't hold Giant, but we can wind up here
399 * unexpectedly with it held. Drop it now so we don't have to
400 * drop and pick it up elsewhere. The paths it is locking will
401 * never be returned to, and it is preferable to preclude
402 * deadlock than to lock against code that won't ever
403 * continue.
404 */
405 while (mtx_owned(&Giant))
406 mtx_unlock(&Giant);
407
408 #if defined(SMP)
409 /*
410 * Bind us to the first CPU so that all shutdown code runs there. Some
411 * systems don't shutdown properly (i.e., ACPI power off) if we
412 * run on another processor.
413 */
414 if (!SCHEDULER_STOPPED()) {
415 thread_lock(curthread);
416 sched_bind(curthread, CPU_FIRST());
417 thread_unlock(curthread);
418 KASSERT(PCPU_GET(cpuid) == CPU_FIRST(),
419 ("%s: not running on cpu 0", __func__));
420 }
421 #endif
422 /* We're in the process of rebooting. */
423 rebooting = 1;
424
425 /* We are out of the debugger now. */
426 kdb_active = 0;
427
428 /*
429 * Do any callouts that should be done BEFORE syncing the filesystems.
430 */
431 EVENTHANDLER_INVOKE(shutdown_pre_sync, howto);
432
433 /*
434 * Now sync filesystems
435 */
436 if (!cold && (howto & RB_NOSYNC) == 0 && once == 0) {
437 once = 1;
438 bufshutdown(show_busybufs);
439 }
440
441 print_uptime();
442
443 cngrab();
444
445 /*
446 * Ok, now do things that assume all filesystem activity has
447 * been completed.
448 */
449 EVENTHANDLER_INVOKE(shutdown_post_sync, howto);
450
451 if ((howto & (RB_HALT|RB_DUMP)) == RB_DUMP && !cold && !dumping)
452 doadump(TRUE);
453
454 /* Now that we're going to really halt the system... */
455 EVENTHANDLER_INVOKE(shutdown_final, howto);
456
457 for(;;) ; /* safety against shutdown_reset not working */
458 /* NOTREACHED */
459 }
460
461 /*
462 * The system call that results in changing the rootfs.
463 */
464 static int
465 kern_reroot(void)
466 {
467 struct vnode *oldrootvnode, *vp;
468 struct mount *mp, *devmp;
469 int error;
470
471 if (curproc != initproc)
472 return (EPERM);
473
474 /*
475 * Mark the filesystem containing currently-running executable
476 * (the temporary copy of init(8)) busy.
477 */
478 vp = curproc->p_textvp;
479 error = vn_lock(vp, LK_SHARED);
480 if (error != 0)
481 return (error);
482 mp = vp->v_mount;
483 error = vfs_busy(mp, MBF_NOWAIT);
484 if (error != 0) {
485 vfs_ref(mp);
486 VOP_UNLOCK(vp, 0);
487 error = vfs_busy(mp, 0);
488 vn_lock(vp, LK_SHARED | LK_RETRY);
489 vfs_rel(mp);
490 if (error != 0) {
491 VOP_UNLOCK(vp, 0);
492 return (ENOENT);
493 }
494 if (vp->v_iflag & VI_DOOMED) {
495 VOP_UNLOCK(vp, 0);
496 vfs_unbusy(mp);
497 return (ENOENT);
498 }
499 }
500 VOP_UNLOCK(vp, 0);
501
502 /*
503 * Remove the filesystem containing currently-running executable
504 * from the mount list, to prevent it from being unmounted
505 * by vfs_unmountall(), and to avoid confusing vfs_mountroot().
506 *
507 * Also preserve /dev - forcibly unmounting it could cause driver
508 * reinitialization.
509 */
510
511 vfs_ref(rootdevmp);
512 devmp = rootdevmp;
513 rootdevmp = NULL;
514
515 mtx_lock(&mountlist_mtx);
516 TAILQ_REMOVE(&mountlist, mp, mnt_list);
517 TAILQ_REMOVE(&mountlist, devmp, mnt_list);
518 mtx_unlock(&mountlist_mtx);
519
520 oldrootvnode = rootvnode;
521
522 /*
523 * Unmount everything except for the two filesystems preserved above.
524 */
525 vfs_unmountall();
526
527 /*
528 * Add /dev back; vfs_mountroot() will move it into its new place.
529 */
530 mtx_lock(&mountlist_mtx);
531 TAILQ_INSERT_HEAD(&mountlist, devmp, mnt_list);
532 mtx_unlock(&mountlist_mtx);
533 rootdevmp = devmp;
534 vfs_rel(rootdevmp);
535
536 /*
537 * Mount the new rootfs.
538 */
539 vfs_mountroot();
540
541 /*
542 * Update all references to the old rootvnode.
543 */
544 mountcheckdirs(oldrootvnode, rootvnode);
545
546 /*
547 * Add the temporary filesystem back and unbusy it.
548 */
549 mtx_lock(&mountlist_mtx);
550 TAILQ_INSERT_TAIL(&mountlist, mp, mnt_list);
551 mtx_unlock(&mountlist_mtx);
552 vfs_unbusy(mp);
553
554 return (0);
555 }
556
557 /*
558 * If the shutdown was a clean halt, behave accordingly.
559 */
560 static void
561 shutdown_halt(void *junk, int howto)
562 {
563
564 if (howto & RB_HALT) {
565 printf("\n");
566 printf("The operating system has halted.\n");
567 printf("Please press any key to reboot.\n\n");
568
569 wdog_kern_pat(WD_TO_NEVER);
570
571 switch (cngetc()) {
572 case -1: /* No console, just die */
573 cpu_halt();
574 /* NOTREACHED */
575 default:
576 break;
577 }
578 }
579 }
580
581 /*
582 * Check to see if the system panicked, pause and then reboot
583 * according to the specified delay.
584 */
585 static void
586 shutdown_panic(void *junk, int howto)
587 {
588 int loop;
589
590 if (howto & RB_DUMP) {
591 if (panic_reboot_wait_time != 0) {
592 if (panic_reboot_wait_time != -1) {
593 printf("Automatic reboot in %d seconds - "
594 "press a key on the console to abort\n",
595 panic_reboot_wait_time);
596 for (loop = panic_reboot_wait_time * 10;
597 loop > 0; --loop) {
598 DELAY(1000 * 100); /* 1/10th second */
599 /* Did user type a key? */
600 if (cncheckc() != -1)
601 break;
602 }
603 if (!loop)
604 return;
605 }
606 } else { /* zero time specified - reboot NOW */
607 return;
608 }
609 printf("--> Press a key on the console to reboot,\n");
610 printf("--> or switch off the system now.\n");
611 cngetc();
612 }
613 }
614
615 /*
616 * Everything done, now reset
617 */
618 static void
619 shutdown_reset(void *junk, int howto)
620 {
621
622 printf("Rebooting...\n");
623 DELAY(1000000); /* wait 1 sec for printf's to complete and be read */
624
625 /*
626 * Acquiring smp_ipi_mtx here has a double effect:
627 * - it disables interrupts avoiding CPU0 preemption
628 * by fast handlers (thus deadlocking against other CPUs)
629 * - it avoids deadlocks against smp_rendezvous() or, more
630 * generally, threads busy-waiting, with this spinlock held,
631 * and waiting for responses by threads on other CPUs
632 * (ie. smp_tlb_shootdown()).
633 *
634 * For the !SMP case it just needs to handle the former problem.
635 */
636 #ifdef SMP
637 mtx_lock_spin(&smp_ipi_mtx);
638 #else
639 spinlock_enter();
640 #endif
641
642 /* cpu_boot(howto); */ /* doesn't do anything at the moment */
643 cpu_reset();
644 /* NOTREACHED */ /* assuming reset worked */
645 }
646
647 #if defined(WITNESS) || defined(INVARIANT_SUPPORT)
648 static int kassert_warn_only = 0;
649 #ifdef KDB
650 static int kassert_do_kdb = 0;
651 #endif
652 #ifdef KTR
653 static int kassert_do_ktr = 0;
654 #endif
655 static int kassert_do_log = 1;
656 static int kassert_log_pps_limit = 4;
657 static int kassert_log_mute_at = 0;
658 static int kassert_log_panic_at = 0;
659 static int kassert_suppress_in_panic = 0;
660 static int kassert_warnings = 0;
661
662 SYSCTL_NODE(_debug, OID_AUTO, kassert, CTLFLAG_RW, NULL, "kassert options");
663
664 #ifdef KASSERT_PANIC_OPTIONAL
665 #define KASSERT_RWTUN CTLFLAG_RWTUN
666 #else
667 #define KASSERT_RWTUN CTLFLAG_RDTUN
668 #endif
669
670 SYSCTL_INT(_debug_kassert, OID_AUTO, warn_only, KASSERT_RWTUN,
671 &kassert_warn_only, 0,
672 "KASSERT triggers a panic (0) or just a warning (1)");
673
674 #ifdef KDB
675 SYSCTL_INT(_debug_kassert, OID_AUTO, do_kdb, KASSERT_RWTUN,
676 &kassert_do_kdb, 0, "KASSERT will enter the debugger");
677 #endif
678
679 #ifdef KTR
680 SYSCTL_UINT(_debug_kassert, OID_AUTO, do_ktr, KASSERT_RWTUN,
681 &kassert_do_ktr, 0,
682 "KASSERT does a KTR, set this to the KTRMASK you want");
683 #endif
684
685 SYSCTL_INT(_debug_kassert, OID_AUTO, do_log, KASSERT_RWTUN,
686 &kassert_do_log, 0,
687 "If warn_only is enabled, log (1) or do not log (0) assertion violations");
688
689 SYSCTL_INT(_debug_kassert, OID_AUTO, warnings, CTLFLAG_RD | CTLFLAG_STATS,
690 &kassert_warnings, 0, "number of KASSERTs that have been triggered");
691
692 SYSCTL_INT(_debug_kassert, OID_AUTO, log_panic_at, KASSERT_RWTUN,
693 &kassert_log_panic_at, 0, "max number of KASSERTS before we will panic");
694
695 SYSCTL_INT(_debug_kassert, OID_AUTO, log_pps_limit, KASSERT_RWTUN,
696 &kassert_log_pps_limit, 0, "limit number of log messages per second");
697
698 SYSCTL_INT(_debug_kassert, OID_AUTO, log_mute_at, KASSERT_RWTUN,
699 &kassert_log_mute_at, 0, "max number of KASSERTS to log");
700
701 SYSCTL_INT(_debug_kassert, OID_AUTO, suppress_in_panic, KASSERT_RWTUN,
702 &kassert_suppress_in_panic, 0,
703 "KASSERTs will be suppressed while handling a panic");
704 #undef KASSERT_RWTUN
705
706 static int kassert_sysctl_kassert(SYSCTL_HANDLER_ARGS);
707
708 SYSCTL_PROC(_debug_kassert, OID_AUTO, kassert,
709 CTLTYPE_INT | CTLFLAG_RW | CTLFLAG_SECURE, NULL, 0,
710 kassert_sysctl_kassert, "I", "set to trigger a test kassert");
711
712 static int
713 kassert_sysctl_kassert(SYSCTL_HANDLER_ARGS)
714 {
715 int error, i;
716
717 error = sysctl_wire_old_buffer(req, sizeof(int));
718 if (error == 0) {
719 i = 0;
720 error = sysctl_handle_int(oidp, &i, 0, req);
721 }
722 if (error != 0 || req->newptr == NULL)
723 return (error);
724 KASSERT(0, ("kassert_sysctl_kassert triggered kassert %d", i));
725 return (0);
726 }
727
728 #ifdef KASSERT_PANIC_OPTIONAL
729 /*
730 * Called by KASSERT, this decides if we will panic
731 * or if we will log via printf and/or ktr.
732 */
733 void
734 kassert_panic(const char *fmt, ...)
735 {
736 static char buf[256];
737 va_list ap;
738
739 va_start(ap, fmt);
740 (void)vsnprintf(buf, sizeof(buf), fmt, ap);
741 va_end(ap);
742
743 /*
744 * If we are suppressing secondary panics, log the warning but do not
745 * re-enter panic/kdb.
746 */
747 if (panicstr != NULL && kassert_suppress_in_panic) {
748 if (kassert_do_log) {
749 printf("KASSERT failed: %s\n", buf);
750 #ifdef KDB
751 if (trace_all_panics && trace_on_panic)
752 kdb_backtrace();
753 #endif
754 }
755 return;
756 }
757
758 /*
759 * panic if we're not just warning, or if we've exceeded
760 * kassert_log_panic_at warnings.
761 */
762 if (!kassert_warn_only ||
763 (kassert_log_panic_at > 0 &&
764 kassert_warnings >= kassert_log_panic_at)) {
765 va_start(ap, fmt);
766 vpanic(fmt, ap);
767 /* NORETURN */
768 }
769 #ifdef KTR
770 if (kassert_do_ktr)
771 CTR0(ktr_mask, buf);
772 #endif /* KTR */
773 /*
774 * log if we've not yet met the mute limit.
775 */
776 if (kassert_do_log &&
777 (kassert_log_mute_at == 0 ||
778 kassert_warnings < kassert_log_mute_at)) {
779 static struct timeval lasterr;
780 static int curerr;
781
782 if (ppsratecheck(&lasterr, &curerr, kassert_log_pps_limit)) {
783 printf("KASSERT failed: %s\n", buf);
784 kdb_backtrace();
785 }
786 }
787 #ifdef KDB
788 if (kassert_do_kdb) {
789 kdb_enter(KDB_WHY_KASSERT, buf);
790 }
791 #endif
792 atomic_add_int(&kassert_warnings, 1);
793 }
794 #endif /* KASSERT_PANIC_OPTIONAL */
795 #endif
796
797 /*
798 * Panic is called on unresolvable fatal errors. It prints "panic: mesg",
799 * and then reboots. If we are called twice, then we avoid trying to sync
800 * the disks as this often leads to recursive panics.
801 */
802 void
803 panic(const char *fmt, ...)
804 {
805 va_list ap;
806
807 va_start(ap, fmt);
808 vpanic(fmt, ap);
809 }
810
811 void
812 vpanic(const char *fmt, va_list ap)
813 {
814 #ifdef SMP
815 cpuset_t other_cpus;
816 #endif
817 struct thread *td = curthread;
818 int bootopt, newpanic;
819 static char buf[256];
820
821 spinlock_enter();
822
823 #ifdef SMP
824 /*
825 * stop_cpus_hard(other_cpus) should prevent multiple CPUs from
826 * concurrently entering panic. Only the winner will proceed
827 * further.
828 */
829 if (panicstr == NULL && !kdb_active) {
830 other_cpus = all_cpus;
831 CPU_CLR(PCPU_GET(cpuid), &other_cpus);
832 stop_cpus_hard(other_cpus);
833 }
834 #endif
835
836 /*
837 * Ensure that the scheduler is stopped while panicking, even if panic
838 * has been entered from kdb.
839 */
840 td->td_stopsched = 1;
841
842 bootopt = RB_AUTOBOOT;
843 newpanic = 0;
844 if (panicstr)
845 bootopt |= RB_NOSYNC;
846 else {
847 bootopt |= RB_DUMP;
848 panicstr = fmt;
849 newpanic = 1;
850 }
851
852 if (newpanic) {
853 (void)vsnprintf(buf, sizeof(buf), fmt, ap);
854 panicstr = buf;
855 cngrab();
856 printf("panic: %s\n", buf);
857 } else {
858 printf("panic: ");
859 vprintf(fmt, ap);
860 printf("\n");
861 }
862 #ifdef SMP
863 printf("cpuid = %d\n", PCPU_GET(cpuid));
864 #endif
865 printf("time = %jd\n", (intmax_t )time_second);
866 #ifdef KDB
867 if ((newpanic || trace_all_panics) && trace_on_panic)
868 kdb_backtrace();
869 if (debugger_on_panic)
870 kdb_enter(KDB_WHY_PANIC, "panic");
871 #endif
872 /*thread_lock(td); */
873 td->td_flags |= TDF_INPANIC;
874 /* thread_unlock(td); */
875 if (!sync_on_panic)
876 bootopt |= RB_NOSYNC;
877 if (poweroff_on_panic)
878 bootopt |= RB_POWEROFF;
879 if (powercycle_on_panic)
880 bootopt |= RB_POWERCYCLE;
881 kern_reboot(bootopt);
882 }
883
884 /*
885 * Support for poweroff delay.
886 *
887 * Please note that setting this delay too short might power off your machine
888 * before the write cache on your hard disk has been flushed, leading to
889 * soft-updates inconsistencies.
890 */
891 #ifndef POWEROFF_DELAY
892 # define POWEROFF_DELAY 5000
893 #endif
894 static int poweroff_delay = POWEROFF_DELAY;
895
896 SYSCTL_INT(_kern_shutdown, OID_AUTO, poweroff_delay, CTLFLAG_RW,
897 &poweroff_delay, 0, "Delay before poweroff to write disk caches (msec)");
898
899 static void
900 poweroff_wait(void *junk, int howto)
901 {
902
903 if ((howto & (RB_POWEROFF | RB_POWERCYCLE)) == 0 || poweroff_delay <= 0)
904 return;
905 DELAY(poweroff_delay * 1000);
906 }
907
908 /*
909 * Some system processes (e.g. syncer) need to be stopped at appropriate
910 * points in their main loops prior to a system shutdown, so that they
911 * won't interfere with the shutdown process (e.g. by holding a disk buf
912 * to cause sync to fail). For each of these system processes, register
913 * shutdown_kproc() as a handler for one of shutdown events.
914 */
915 static int kproc_shutdown_wait = 60;
916 SYSCTL_INT(_kern_shutdown, OID_AUTO, kproc_shutdown_wait, CTLFLAG_RW,
917 &kproc_shutdown_wait, 0, "Max wait time (sec) to stop for each process");
918
919 void
920 kproc_shutdown(void *arg, int howto)
921 {
922 struct proc *p;
923 int error;
924
925 if (panicstr)
926 return;
927
928 p = (struct proc *)arg;
929 printf("Waiting (max %d seconds) for system process `%s' to stop... ",
930 kproc_shutdown_wait, p->p_comm);
931 error = kproc_suspend(p, kproc_shutdown_wait * hz);
932
933 if (error == EWOULDBLOCK)
934 printf("timed out\n");
935 else
936 printf("done\n");
937 }
938
939 void
940 kthread_shutdown(void *arg, int howto)
941 {
942 struct thread *td;
943 int error;
944
945 if (panicstr)
946 return;
947
948 td = (struct thread *)arg;
949 printf("Waiting (max %d seconds) for system thread `%s' to stop... ",
950 kproc_shutdown_wait, td->td_name);
951 error = kthread_suspend(td, kproc_shutdown_wait * hz);
952
953 if (error == EWOULDBLOCK)
954 printf("timed out\n");
955 else
956 printf("done\n");
957 }
958
959 static char dumpdevname[sizeof(((struct cdev*)NULL)->si_name)];
960 SYSCTL_STRING(_kern_shutdown, OID_AUTO, dumpdevname, CTLFLAG_RD,
961 dumpdevname, 0, "Device for kernel dumps");
962
963 static int _dump_append(struct dumperinfo *di, void *virtual,
964 vm_offset_t physical, size_t length);
965
966 #ifdef EKCD
967 static struct kerneldumpcrypto *
968 kerneldumpcrypto_create(size_t blocksize, uint8_t encryption,
969 const uint8_t *key, uint32_t encryptedkeysize, const uint8_t *encryptedkey)
970 {
971 struct kerneldumpcrypto *kdc;
972 struct kerneldumpkey *kdk;
973 uint32_t dumpkeysize;
974
975 dumpkeysize = roundup2(sizeof(*kdk) + encryptedkeysize, blocksize);
976 kdc = malloc(sizeof(*kdc) + dumpkeysize, M_EKCD, M_WAITOK | M_ZERO);
977
978 arc4rand(kdc->kdc_iv, sizeof(kdc->kdc_iv), 0);
979
980 kdc->kdc_encryption = encryption;
981 switch (kdc->kdc_encryption) {
982 case KERNELDUMP_ENC_AES_256_CBC:
983 if (rijndael_makeKey(&kdc->kdc_ki, DIR_ENCRYPT, 256, key) <= 0)
984 goto failed;
985 break;
986 default:
987 goto failed;
988 }
989
990 kdc->kdc_dumpkeysize = dumpkeysize;
991 kdk = kdc->kdc_dumpkey;
992 kdk->kdk_encryption = kdc->kdc_encryption;
993 memcpy(kdk->kdk_iv, kdc->kdc_iv, sizeof(kdk->kdk_iv));
994 kdk->kdk_encryptedkeysize = htod32(encryptedkeysize);
995 memcpy(kdk->kdk_encryptedkey, encryptedkey, encryptedkeysize);
996
997 return (kdc);
998 failed:
999 explicit_bzero(kdc, sizeof(*kdc) + dumpkeysize);
1000 free(kdc, M_EKCD);
1001 return (NULL);
1002 }
1003
1004 static int
1005 kerneldumpcrypto_init(struct kerneldumpcrypto *kdc)
1006 {
1007 uint8_t hash[SHA256_DIGEST_LENGTH];
1008 SHA256_CTX ctx;
1009 struct kerneldumpkey *kdk;
1010 int error;
1011
1012 error = 0;
1013
1014 if (kdc == NULL)
1015 return (0);
1016
1017 /*
1018 * When a user enters ddb it can write a crash dump multiple times.
1019 * Each time it should be encrypted using a different IV.
1020 */
1021 SHA256_Init(&ctx);
1022 SHA256_Update(&ctx, kdc->kdc_iv, sizeof(kdc->kdc_iv));
1023 SHA256_Final(hash, &ctx);
1024 bcopy(hash, kdc->kdc_iv, sizeof(kdc->kdc_iv));
1025
1026 switch (kdc->kdc_encryption) {
1027 case KERNELDUMP_ENC_AES_256_CBC:
1028 if (rijndael_cipherInit(&kdc->kdc_ci, MODE_CBC,
1029 kdc->kdc_iv) <= 0) {
1030 error = EINVAL;
1031 goto out;
1032 }
1033 break;
1034 default:
1035 error = EINVAL;
1036 goto out;
1037 }
1038
1039 kdk = kdc->kdc_dumpkey;
1040 memcpy(kdk->kdk_iv, kdc->kdc_iv, sizeof(kdk->kdk_iv));
1041 out:
1042 explicit_bzero(hash, sizeof(hash));
1043 return (error);
1044 }
1045
1046 static uint32_t
1047 kerneldumpcrypto_dumpkeysize(const struct kerneldumpcrypto *kdc)
1048 {
1049
1050 if (kdc == NULL)
1051 return (0);
1052 return (kdc->kdc_dumpkeysize);
1053 }
1054 #endif /* EKCD */
1055
1056 static struct kerneldumpcomp *
1057 kerneldumpcomp_create(struct dumperinfo *di, uint8_t compression)
1058 {
1059 struct kerneldumpcomp *kdcomp;
1060 int format;
1061
1062 switch (compression) {
1063 case KERNELDUMP_COMP_GZIP:
1064 format = COMPRESS_GZIP;
1065 break;
1066 case KERNELDUMP_COMP_ZSTD:
1067 format = COMPRESS_ZSTD;
1068 break;
1069 default:
1070 return (NULL);
1071 }
1072
1073 kdcomp = malloc(sizeof(*kdcomp), M_DUMPER, M_WAITOK | M_ZERO);
1074 kdcomp->kdc_format = compression;
1075 kdcomp->kdc_stream = compressor_init(kerneldumpcomp_write_cb,
1076 format, di->maxiosize, kerneldump_gzlevel, di);
1077 if (kdcomp->kdc_stream == NULL) {
1078 free(kdcomp, M_DUMPER);
1079 return (NULL);
1080 }
1081 kdcomp->kdc_buf = malloc(di->maxiosize, M_DUMPER, M_WAITOK | M_NODUMP);
1082 return (kdcomp);
1083 }
1084
1085 static void
1086 kerneldumpcomp_destroy(struct dumperinfo *di)
1087 {
1088 struct kerneldumpcomp *kdcomp;
1089
1090 kdcomp = di->kdcomp;
1091 if (kdcomp == NULL)
1092 return;
1093 compressor_fini(kdcomp->kdc_stream);
1094 explicit_bzero(kdcomp->kdc_buf, di->maxiosize);
1095 free(kdcomp->kdc_buf, M_DUMPER);
1096 free(kdcomp, M_DUMPER);
1097 }
1098
1099 /* Registration of dumpers */
1100 int
1101 set_dumper(struct dumperinfo *di, const char *devname, struct thread *td,
1102 uint8_t compression, uint8_t encryption, const uint8_t *key,
1103 uint32_t encryptedkeysize, const uint8_t *encryptedkey)
1104 {
1105 size_t wantcopy;
1106 int error;
1107
1108 error = priv_check(td, PRIV_SETDUMPER);
1109 if (error != 0)
1110 return (error);
1111
1112 if (dumper.dumper != NULL)
1113 return (EBUSY);
1114 dumper = *di;
1115 dumper.blockbuf = NULL;
1116 dumper.kdcrypto = NULL;
1117 dumper.kdcomp = NULL;
1118
1119 if (encryption != KERNELDUMP_ENC_NONE) {
1120 #ifdef EKCD
1121 dumper.kdcrypto = kerneldumpcrypto_create(di->blocksize,
1122 encryption, key, encryptedkeysize, encryptedkey);
1123 if (dumper.kdcrypto == NULL) {
1124 error = EINVAL;
1125 goto cleanup;
1126 }
1127 #else
1128 error = EOPNOTSUPP;
1129 goto cleanup;
1130 #endif
1131 }
1132
1133 wantcopy = strlcpy(dumpdevname, devname, sizeof(dumpdevname));
1134 if (wantcopy >= sizeof(dumpdevname)) {
1135 printf("set_dumper: device name truncated from '%s' -> '%s'\n",
1136 devname, dumpdevname);
1137 }
1138
1139 if (compression != KERNELDUMP_COMP_NONE) {
1140 /*
1141 * We currently can't support simultaneous encryption and
1142 * compression.
1143 */
1144 if (encryption != KERNELDUMP_ENC_NONE) {
1145 error = EOPNOTSUPP;
1146 goto cleanup;
1147 }
1148 dumper.kdcomp = kerneldumpcomp_create(&dumper, compression);
1149 if (dumper.kdcomp == NULL) {
1150 error = EINVAL;
1151 goto cleanup;
1152 }
1153 }
1154
1155 dumper.blockbuf = malloc(di->blocksize, M_DUMPER, M_WAITOK | M_ZERO);
1156 return (0);
1157
1158 cleanup:
1159 (void)clear_dumper(td);
1160 return (error);
1161 }
1162
1163 int
1164 clear_dumper(struct thread *td)
1165 {
1166 int error;
1167
1168 error = priv_check(td, PRIV_SETDUMPER);
1169 if (error != 0)
1170 return (error);
1171
1172 #ifdef NETDUMP
1173 netdump_mbuf_drain();
1174 #endif
1175
1176 #ifdef EKCD
1177 if (dumper.kdcrypto != NULL) {
1178 explicit_bzero(dumper.kdcrypto, sizeof(*dumper.kdcrypto) +
1179 dumper.kdcrypto->kdc_dumpkeysize);
1180 free(dumper.kdcrypto, M_EKCD);
1181 }
1182 #endif
1183
1184 kerneldumpcomp_destroy(&dumper);
1185
1186 if (dumper.blockbuf != NULL) {
1187 explicit_bzero(dumper.blockbuf, dumper.blocksize);
1188 free(dumper.blockbuf, M_DUMPER);
1189 }
1190 explicit_bzero(&dumper, sizeof(dumper));
1191 dumpdevname[0] = '\0';
1192 return (0);
1193 }
1194
1195 static int
1196 dump_check_bounds(struct dumperinfo *di, off_t offset, size_t length)
1197 {
1198
1199 if (di->mediasize > 0 && length != 0 && (offset < di->mediaoffset ||
1200 offset - di->mediaoffset + length > di->mediasize)) {
1201 if (di->kdcomp != NULL && offset >= di->mediaoffset) {
1202 printf(
1203 "Compressed dump failed to fit in device boundaries.\n");
1204 return (E2BIG);
1205 }
1206
1207 printf("Attempt to write outside dump device boundaries.\n"
1208 "offset(%jd), mediaoffset(%jd), length(%ju), mediasize(%jd).\n",
1209 (intmax_t)offset, (intmax_t)di->mediaoffset,
1210 (uintmax_t)length, (intmax_t)di->mediasize);
1211 return (ENOSPC);
1212 }
1213 if (length % di->blocksize != 0) {
1214 printf("Attempt to write partial block of length %ju.\n",
1215 (uintmax_t)length);
1216 return (EINVAL);
1217 }
1218 if (offset % di->blocksize != 0) {
1219 printf("Attempt to write at unaligned offset %jd.\n",
1220 (intmax_t)offset);
1221 return (EINVAL);
1222 }
1223
1224 return (0);
1225 }
1226
1227 #ifdef EKCD
1228 static int
1229 dump_encrypt(struct kerneldumpcrypto *kdc, uint8_t *buf, size_t size)
1230 {
1231
1232 switch (kdc->kdc_encryption) {
1233 case KERNELDUMP_ENC_AES_256_CBC:
1234 if (rijndael_blockEncrypt(&kdc->kdc_ci, &kdc->kdc_ki, buf,
1235 8 * size, buf) <= 0) {
1236 return (EIO);
1237 }
1238 if (rijndael_cipherInit(&kdc->kdc_ci, MODE_CBC,
1239 buf + size - 16 /* IV size for AES-256-CBC */) <= 0) {
1240 return (EIO);
1241 }
1242 break;
1243 default:
1244 return (EINVAL);
1245 }
1246
1247 return (0);
1248 }
1249
1250 /* Encrypt data and call dumper. */
1251 static int
1252 dump_encrypted_write(struct dumperinfo *di, void *virtual,
1253 vm_offset_t physical, off_t offset, size_t length)
1254 {
1255 static uint8_t buf[KERNELDUMP_BUFFER_SIZE];
1256 struct kerneldumpcrypto *kdc;
1257 int error;
1258 size_t nbytes;
1259
1260 kdc = di->kdcrypto;
1261
1262 while (length > 0) {
1263 nbytes = MIN(length, sizeof(buf));
1264 bcopy(virtual, buf, nbytes);
1265
1266 if (dump_encrypt(kdc, buf, nbytes) != 0)
1267 return (EIO);
1268
1269 error = dump_write(di, buf, physical, offset, nbytes);
1270 if (error != 0)
1271 return (error);
1272
1273 offset += nbytes;
1274 virtual = (void *)((uint8_t *)virtual + nbytes);
1275 length -= nbytes;
1276 }
1277
1278 return (0);
1279 }
1280 #endif /* EKCD */
1281
1282 static int
1283 kerneldumpcomp_write_cb(void *base, size_t length, off_t offset, void *arg)
1284 {
1285 struct dumperinfo *di;
1286 size_t resid, rlength;
1287 int error;
1288
1289 di = arg;
1290
1291 if (length % di->blocksize != 0) {
1292 /*
1293 * This must be the final write after flushing the compression
1294 * stream. Write as many full blocks as possible and stash the
1295 * residual data in the dumper's block buffer. It will be
1296 * padded and written in dump_finish().
1297 */
1298 rlength = rounddown(length, di->blocksize);
1299 if (rlength != 0) {
1300 error = _dump_append(di, base, 0, rlength);
1301 if (error != 0)
1302 return (error);
1303 }
1304 resid = length - rlength;
1305 memmove(di->blockbuf, (uint8_t *)base + rlength, resid);
1306 bzero((uint8_t *)di->blockbuf + resid, di->blocksize - resid);
1307 di->kdcomp->kdc_resid = resid;
1308 return (EAGAIN);
1309 }
1310 return (_dump_append(di, base, 0, length));
1311 }
1312
1313 /*
1314 * Write kernel dump headers at the beginning and end of the dump extent.
1315 * Write the kernel dump encryption key after the leading header if we were
1316 * configured to do so.
1317 */
1318 static int
1319 dump_write_headers(struct dumperinfo *di, struct kerneldumpheader *kdh)
1320 {
1321 #ifdef EKCD
1322 struct kerneldumpcrypto *kdc;
1323 #endif
1324 void *buf, *key;
1325 size_t hdrsz;
1326 uint64_t extent;
1327 uint32_t keysize;
1328 int error;
1329
1330 hdrsz = sizeof(*kdh);
1331 if (hdrsz > di->blocksize)
1332 return (ENOMEM);
1333
1334 #ifdef EKCD
1335 kdc = di->kdcrypto;
1336 key = kdc->kdc_dumpkey;
1337 keysize = kerneldumpcrypto_dumpkeysize(kdc);
1338 #else
1339 key = NULL;
1340 keysize = 0;
1341 #endif
1342
1343 /*
1344 * If the dump device has special handling for headers, let it take care
1345 * of writing them out.
1346 */
1347 if (di->dumper_hdr != NULL)
1348 return (di->dumper_hdr(di, kdh, key, keysize));
1349
1350 if (hdrsz == di->blocksize)
1351 buf = kdh;
1352 else {
1353 buf = di->blockbuf;
1354 memset(buf, 0, di->blocksize);
1355 memcpy(buf, kdh, hdrsz);
1356 }
1357
1358 extent = dtoh64(kdh->dumpextent);
1359 #ifdef EKCD
1360 if (kdc != NULL) {
1361 error = dump_write(di, kdc->kdc_dumpkey, 0,
1362 di->mediaoffset + di->mediasize - di->blocksize - extent -
1363 keysize, keysize);
1364 if (error != 0)
1365 return (error);
1366 }
1367 #endif
1368
1369 error = dump_write(di, buf, 0,
1370 di->mediaoffset + di->mediasize - 2 * di->blocksize - extent -
1371 keysize, di->blocksize);
1372 if (error == 0)
1373 error = dump_write(di, buf, 0, di->mediaoffset + di->mediasize -
1374 di->blocksize, di->blocksize);
1375 return (error);
1376 }
1377
1378 /*
1379 * Don't touch the first SIZEOF_METADATA bytes on the dump device. This is to
1380 * protect us from metadata and metadata from us.
1381 */
1382 #define SIZEOF_METADATA (64 * 1024)
1383
1384 /*
1385 * Do some preliminary setup for a kernel dump: initialize state for encryption,
1386 * if requested, and make sure that we have enough space on the dump device.
1387 *
1388 * We set things up so that the dump ends before the last sector of the dump
1389 * device, at which the trailing header is written.
1390 *
1391 * +-----------+------+-----+----------------------------+------+
1392 * | | lhdr | key | ... kernel dump ... | thdr |
1393 * +-----------+------+-----+----------------------------+------+
1394 * 1 blk opt <------- dump extent --------> 1 blk
1395 *
1396 * Dumps written using dump_append() start at the beginning of the extent.
1397 * Uncompressed dumps will use the entire extent, but compressed dumps typically
1398 * will not. The true length of the dump is recorded in the leading and trailing
1399 * headers once the dump has been completed.
1400 *
1401 * The dump device may provide a callback, in which case it will initialize
1402 * dumpoff and take care of laying out the headers.
1403 */
1404 int
1405 dump_start(struct dumperinfo *di, struct kerneldumpheader *kdh)
1406 {
1407 uint64_t dumpextent, span;
1408 uint32_t keysize;
1409 int error;
1410
1411 #ifdef EKCD
1412 error = kerneldumpcrypto_init(di->kdcrypto);
1413 if (error != 0)
1414 return (error);
1415 keysize = kerneldumpcrypto_dumpkeysize(di->kdcrypto);
1416 #else
1417 error = 0;
1418 keysize = 0;
1419 #endif
1420
1421 if (di->dumper_start != NULL) {
1422 error = di->dumper_start(di);
1423 } else {
1424 dumpextent = dtoh64(kdh->dumpextent);
1425 span = SIZEOF_METADATA + dumpextent + 2 * di->blocksize +
1426 keysize;
1427 if (di->mediasize < span) {
1428 if (di->kdcomp == NULL)
1429 return (E2BIG);
1430
1431 /*
1432 * We don't yet know how much space the compressed dump
1433 * will occupy, so try to use the whole swap partition
1434 * (minus the first 64KB) in the hope that the
1435 * compressed dump will fit. If that doesn't turn out to
1436 * be enough, the bounds checking in dump_write()
1437 * will catch us and cause the dump to fail.
1438 */
1439 dumpextent = di->mediasize - span + dumpextent;
1440 kdh->dumpextent = htod64(dumpextent);
1441 }
1442
1443 /*
1444 * The offset at which to begin writing the dump.
1445 */
1446 di->dumpoff = di->mediaoffset + di->mediasize - di->blocksize -
1447 dumpextent;
1448 }
1449 di->origdumpoff = di->dumpoff;
1450 return (error);
1451 }
1452
1453 static int
1454 _dump_append(struct dumperinfo *di, void *virtual, vm_offset_t physical,
1455 size_t length)
1456 {
1457 int error;
1458
1459 #ifdef EKCD
1460 if (di->kdcrypto != NULL)
1461 error = dump_encrypted_write(di, virtual, physical, di->dumpoff,
1462 length);
1463 else
1464 #endif
1465 error = dump_write(di, virtual, physical, di->dumpoff, length);
1466 if (error == 0)
1467 di->dumpoff += length;
1468 return (error);
1469 }
1470
1471 /*
1472 * Write to the dump device starting at dumpoff. When compression is enabled,
1473 * writes to the device will be performed using a callback that gets invoked
1474 * when the compression stream's output buffer is full.
1475 */
1476 int
1477 dump_append(struct dumperinfo *di, void *virtual, vm_offset_t physical,
1478 size_t length)
1479 {
1480 void *buf;
1481
1482 if (di->kdcomp != NULL) {
1483 /* Bounce through a buffer to avoid CRC errors. */
1484 if (length > di->maxiosize)
1485 return (EINVAL);
1486 buf = di->kdcomp->kdc_buf;
1487 memmove(buf, virtual, length);
1488 return (compressor_write(di->kdcomp->kdc_stream, buf, length));
1489 }
1490 return (_dump_append(di, virtual, physical, length));
1491 }
1492
1493 /*
1494 * Write to the dump device at the specified offset.
1495 */
1496 int
1497 dump_write(struct dumperinfo *di, void *virtual, vm_offset_t physical,
1498 off_t offset, size_t length)
1499 {
1500 int error;
1501
1502 error = dump_check_bounds(di, offset, length);
1503 if (error != 0)
1504 return (error);
1505 return (di->dumper(di->priv, virtual, physical, offset, length));
1506 }
1507
1508 /*
1509 * Perform kernel dump finalization: flush the compression stream, if necessary,
1510 * write the leading and trailing kernel dump headers now that we know the true
1511 * length of the dump, and optionally write the encryption key following the
1512 * leading header.
1513 */
1514 int
1515 dump_finish(struct dumperinfo *di, struct kerneldumpheader *kdh)
1516 {
1517 int error;
1518
1519 if (di->kdcomp != NULL) {
1520 error = compressor_flush(di->kdcomp->kdc_stream);
1521 if (error == EAGAIN) {
1522 /* We have residual data in di->blockbuf. */
1523 error = _dump_append(di, di->blockbuf, 0, di->blocksize);
1524 if (error == 0)
1525 /* Compensate for _dump_append()'s adjustment. */
1526 di->dumpoff -= di->blocksize - di->kdcomp->kdc_resid;
1527 di->kdcomp->kdc_resid = 0;
1528 }
1529 if (error != 0)
1530 return (error);
1531
1532 /*
1533 * We now know the size of the compressed dump, so update the
1534 * header accordingly and recompute parity.
1535 */
1536 kdh->dumplength = htod64(di->dumpoff - di->origdumpoff);
1537 kdh->parity = 0;
1538 kdh->parity = kerneldump_parity(kdh);
1539
1540 compressor_reset(di->kdcomp->kdc_stream);
1541 }
1542
1543 error = dump_write_headers(di, kdh);
1544 if (error != 0)
1545 return (error);
1546
1547 (void)dump_write(di, NULL, 0, 0, 0);
1548 return (0);
1549 }
1550
1551 void
1552 dump_init_header(const struct dumperinfo *di, struct kerneldumpheader *kdh,
1553 char *magic, uint32_t archver, uint64_t dumplen)
1554 {
1555 size_t dstsize;
1556
1557 bzero(kdh, sizeof(*kdh));
1558 strlcpy(kdh->magic, magic, sizeof(kdh->magic));
1559 strlcpy(kdh->architecture, MACHINE_ARCH, sizeof(kdh->architecture));
1560 kdh->version = htod32(KERNELDUMPVERSION);
1561 kdh->architectureversion = htod32(archver);
1562 kdh->dumplength = htod64(dumplen);
1563 kdh->dumpextent = kdh->dumplength;
1564 kdh->dumptime = htod64(time_second);
1565 #ifdef EKCD
1566 kdh->dumpkeysize = htod32(kerneldumpcrypto_dumpkeysize(di->kdcrypto));
1567 #else
1568 kdh->dumpkeysize = 0;
1569 #endif
1570 kdh->blocksize = htod32(di->blocksize);
1571 strlcpy(kdh->hostname, prison0.pr_hostname, sizeof(kdh->hostname));
1572 dstsize = sizeof(kdh->versionstring);
1573 if (strlcpy(kdh->versionstring, version, dstsize) >= dstsize)
1574 kdh->versionstring[dstsize - 2] = '\n';
1575 if (panicstr != NULL)
1576 strlcpy(kdh->panicstring, panicstr, sizeof(kdh->panicstring));
1577 if (di->kdcomp != NULL)
1578 kdh->compression = di->kdcomp->kdc_format;
1579 kdh->parity = kerneldump_parity(kdh);
1580 }
1581
1582 #ifdef DDB
1583 DB_SHOW_COMMAND(panic, db_show_panic)
1584 {
1585
1586 if (panicstr == NULL)
1587 db_printf("panicstr not set\n");
1588 else
1589 db_printf("panic: %s\n", panicstr);
1590 }
1591 #endif
Cache object: c26897611bb84ff779f7ab7b2686ea7b
|