// SPDX-License-Identifier: GPL-2.0-only
// Copyright (C) 2022 Linutronix GmbH, John Ogness
// Copyright (C) 2022 Intel, Thomas Gleixner

#include <linux/atomic.h>
#include <linux/bug.h>
#include <linux/console.h>
#include <linux/delay.h>
#include <linux/errno.h>
#include <linux/export.h>
#include <linux/init.h>
#include <linux/irqflags.h>
#include <linux/kthread.h>
#include <linux/minmax.h>
#include <linux/percpu.h>
#include <linux/preempt.h>
#include <linux/slab.h>
#include <linux/smp.h>
#include <linux/stddef.h>
#include <linux/string.h>
#include <linux/types.h>
#include "internal.h"
#include "printk_ringbuffer.h"

/*
 * Printk console printing implementation for consoles that do not depend
 * on the legacy style console_lock mechanism.
 *
 * The state of the console is maintained in the "nbcon_state" atomic
 * variable.
 *
 * The console is locked when:
 *
 *   - The 'prio' field contains the priority of the context that owns the
 *     console. Only higher priority contexts are allowed to take over the
 *     lock. A value of 0 (NBCON_PRIO_NONE) means the console is not locked.
 *
 *   - The 'cpu' field denotes on which CPU the console is locked. It is used
 *     to prevent busy waiting on the same CPU. Also it informs the lock owner
 *     that it has lost the lock in a more complex scenario when the lock was
 *     taken over by a higher priority context, released, and taken on another
 *     CPU with the same priority as the interrupted owner.
 *
 * The acquire mechanism uses a few more fields:
 *
 *   - The 'req_prio' field is used by the handover approach to make the
 *     current owner aware that there is a context with a higher priority
 *     waiting for the friendly handover.
 *
 *   - The 'unsafe' field allows the console to be taken over safely in the
 *     middle of emitting a message. The field is set only when accessing some
 *     shared resources or when the console device is manipulated. It can be
 *     cleared, for example, after emitting one character when the console
 *     device is in a consistent state.
 *
 *   - The 'unsafe_takeover' field is set when a hostile takeover took the
 *     console in an unsafe state. The console will stay in the unsafe state
 *     until re-initialized.
 *
 * The acquire mechanism uses three approaches:
 *
 *   1) Direct acquire when the console is not owned or is owned by a lower
 *      priority context and is in a safe state.
 *
 *   2) Friendly handover mechanism uses a request/grant handshake. It is used
 *      when the current owner has lower priority and the console is in an
 *      unsafe state.
 *
 *      The requesting context:
 *
 *	a) Sets its priority into the 'req_prio' field.
 *
 *	b) Waits (with a timeout) for the owning context to unlock the
 *	   console.
 *
 *	c) Takes the lock and clears the 'req_prio' field.
 *
 *      The owning context:
 *
 *	a) Observes the 'req_prio' field set on exit from the unsafe
 *	   console state.
 *
 *	b) Gives up console ownership by clearing the 'prio' field.
 *
 *   3) Unsafe hostile takeover allows the lock to be taken over even when
 *      the console is in an unsafe state. It is used only in panic() by the
 *      final attempt to flush consoles in a try-and-hope mode.
 *
 *      Note that separate record buffers are used in panic(). As a result,
 *      the messages can be read and formatted without any risk even after
 *      using the hostile takeover in an unsafe state.
 *
 * The release function simply clears the 'prio' field.
 *
 * All operations on @console::nbcon_state are atomic cmpxchg based to
 * handle concurrency.
 *
 * The acquire/release functions implement only minimal policies:
 *
 *   - Preference for higher priority contexts.
 *   - Protection of the panic CPU.
 *
 * All other policy decisions must be made at the call sites:
 *
 *   - What is marked as an unsafe section.
 *   - Whether to spin-wait if there is already an owner and the console is
 *     in an unsafe state.
 *   - Whether to attempt an unsafe hostile takeover.
 *
 * The design allows implementing the well-known sequence:
 *
 *	acquire()
 *	output_one_printk_record()
 *	release()
 *
 * The output of one printk record might be interrupted by a higher priority
 * context. The new owner is supposed to reprint the entire interrupted record
 * from scratch.
 */
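
/*
 * A minimal illustrative sketch (not compiled) of the sequence above, using
 * the internal helpers defined later in this file; it mirrors what
 * nbcon_emit_one() does. @con and @use_atomic are assumed to be provided
 * by the caller:
 *
 *	struct nbcon_write_context wctxt = { };
 *	struct nbcon_context *ctxt = &ACCESS_PRIVATE(&wctxt, ctxt);
 *
 *	ctxt->console = con;
 *	ctxt->prio = NBCON_PRIO_NORMAL;
 *
 *	if (nbcon_context_try_acquire(ctxt, false)) {
 *		if (nbcon_emit_next_record(&wctxt, use_atomic))
 *			nbcon_context_release(ctxt);
 *	}
 *
 * When nbcon_emit_next_record() returns false, ownership was handed over
 * or taken over and the context must not be released by this caller.
 */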

/**
 * nbcon_state_set - Helper function to set the console state
 * @con:	Console to update
 * @new:	The new state to write
 *
 * Only to be used when the console is not yet or no longer visible in the
 * system. Otherwise use nbcon_state_try_cmpxchg().
 */
static inline void nbcon_state_set(struct console *con, struct nbcon_state *new)
{
	atomic_set(&ACCESS_PRIVATE(con, nbcon_state), new->atom);
}

/**
 * nbcon_state_read - Helper function to read the console state
 * @con:	Console to read
 * @state:	The state to store the result
 */
static inline void nbcon_state_read(struct console *con, struct nbcon_state *state)
{
	state->atom = atomic_read(&ACCESS_PRIVATE(con, nbcon_state));
}

/**
 * nbcon_state_try_cmpxchg() - Helper function for atomic_try_cmpxchg() on console state
 * @con:	Console to update
 * @cur:	Old/expected state
 * @new:	New state
 *
 * Return: True on success. False on failure, in which case @cur is updated
 *	to the latest state.
 */
static inline bool nbcon_state_try_cmpxchg(struct console *con, struct nbcon_state *cur,
					   struct nbcon_state *new)
{
	return atomic_try_cmpxchg(&ACCESS_PRIVATE(con, nbcon_state), &cur->atom, new->atom);
}

/**
 * nbcon_seq_read - Read the current console sequence
 * @con:	Console to read the sequence of
 *
 * Return:	Sequence number of the next record to print on @con.
 */
u64 nbcon_seq_read(struct console *con)
{
	unsigned long nbcon_seq = atomic_long_read(&ACCESS_PRIVATE(con, nbcon_seq));

	return __ulseq_to_u64seq(prb, nbcon_seq);
}

/**
 * nbcon_seq_force - Force console sequence to a specific value
 * @con:	Console to work on
 * @seq:	Sequence number value to set
 *
 * Only to be used during init (before registration) or in extreme situations
 * (such as panic with CONSOLE_REPLAY_ALL).
 */
void nbcon_seq_force(struct console *con, u64 seq)
{
	/*
	 * If the specified record no longer exists, the oldest available record
	 * is chosen. This is especially important on 32bit systems because only
	 * the lower 32 bits of the sequence number are stored. The upper 32 bits
	 * are derived from the sequence numbers available in the ringbuffer.
	 */
	u64 valid_seq = max_t(u64, seq, prb_first_valid_seq(prb));

	atomic_long_set(&ACCESS_PRIVATE(con, nbcon_seq), __u64seq_to_ulseq(valid_seq));
}

/**
 * nbcon_seq_try_update - Try to update the console sequence number
 * @ctxt:	Pointer to an acquire context that contains
 *		all information about the acquire mode
 * @new_seq:	The new sequence number to set
 *
 * @ctxt->seq is updated to the new value of @con::nbcon_seq (expanded to
 * the 64bit value). This could be a different value than @new_seq if
 * nbcon_seq_force() was used or the current context no longer owns the
 * console. In the latter case, it will stop printing anyway.
 */
static void nbcon_seq_try_update(struct nbcon_context *ctxt, u64 new_seq)
{
	unsigned long nbcon_seq = __u64seq_to_ulseq(ctxt->seq);
	struct console *con = ctxt->console;

	if (atomic_long_try_cmpxchg(&ACCESS_PRIVATE(con, nbcon_seq), &nbcon_seq,
				    __u64seq_to_ulseq(new_seq))) {
		ctxt->seq = new_seq;
	} else {
		ctxt->seq = nbcon_seq_read(con);
	}
}

/**
 * nbcon_context_try_acquire_direct - Try to acquire directly
 * @ctxt:		The context of the caller
 * @cur:		The current console state
 * @is_reacquire:	This acquire is a reacquire
 *
 * Acquire the console when it is released. Also acquire the console when
 * the current owner has a lower priority and the console is in a safe state.
 *
 * Return: 0 on success. Otherwise, an error code on failure. Also @cur
 *	is updated to the latest state when this function fails to modify it.
 *
 * Errors:
 *
 *	-EPERM:		A panic is in progress and this is neither the panic
 *			CPU nor is this a reacquire. Or the current owner or
 *			waiter has the same or higher priority. No acquire
 *			method can be successful in these cases.
 *
 *	-EBUSY:		The current owner has a lower priority but the console
 *			is in an unsafe state. The caller should try using
 *			the handover acquire method.
 */
static int nbcon_context_try_acquire_direct(struct nbcon_context *ctxt,
					    struct nbcon_state *cur, bool is_reacquire)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state new;

	do {
		/*
		 * Panic does not imply that the console is owned. However,
		 * since all non-panic CPUs are stopped during panic(), it
		 * is safer to have them avoid gaining console ownership.
		 *
		 * If this acquire is a reacquire (and an unsafe takeover
		 * has not previously occurred) then it is allowed to attempt
		 * a direct acquire in panic. This gives console drivers an
		 * opportunity to perform any necessary cleanup if they were
		 * interrupted by the panic CPU while printing.
		 */
		if (other_cpu_in_panic() &&
		    (!is_reacquire || cur->unsafe_takeover)) {
			return -EPERM;
		}

		if (ctxt->prio <= cur->prio || ctxt->prio <= cur->req_prio)
			return -EPERM;

		if (cur->unsafe)
			return -EBUSY;

		/*
		 * The console should never be safe for a direct acquire
		 * if an unsafe hostile takeover has ever happened.
		 */
		WARN_ON_ONCE(cur->unsafe_takeover);

		new.atom = cur->atom;
		new.prio = ctxt->prio;
		new.req_prio = NBCON_PRIO_NONE;
		new.unsafe = cur->unsafe_takeover;
		new.cpu = cpu;

	} while (!nbcon_state_try_cmpxchg(con, cur, &new));

	return 0;
}

static bool nbcon_waiter_matches(struct nbcon_state *cur, int expected_prio)
{
	/*
	 * The request context is well defined by the @req_prio because:
	 *
	 * - Only a context with a priority higher than the owner can become
	 *   a waiter.
	 * - Only a context with a priority higher than the waiter can
	 *   directly take over the request.
	 * - There are only three priorities.
	 * - Only one CPU is allowed to request PANIC priority.
	 * - Lower priorities are ignored during panic() until reboot.
	 *
	 * As a result, the following scenario is *not* possible:
	 *
	 * 1. This context is currently a waiter.
	 * 2. Another context with a higher priority than this context
	 *    directly takes ownership.
	 * 3. The higher priority context releases the ownership.
	 * 4. Another lower priority context takes the ownership.
	 * 5. Another context with the same priority as this context
	 *    creates a request and starts waiting.
	 *
	 * Event #1 implies this context is EMERGENCY.
	 * Event #2 implies the new context is PANIC.
	 * Event #3 occurs when panic() has flushed the console.
	 * Event #4 occurs when a non-panic CPU reacquires.
	 * Event #5 is not possible due to the other_cpu_in_panic() check
	 *          in nbcon_context_try_acquire_handover().
	 */

	return (cur->req_prio == expected_prio);
}

/**
 * nbcon_context_try_acquire_requested - Try to acquire after having
 *					 requested a handover
 * @ctxt:	The context of the caller
 * @cur:	The current console state
 *
 * This is a helper function for nbcon_context_try_acquire_handover().
 * It is called when the console is in an unsafe state. The current
 * owner will release the console on exit from the unsafe region.
 *
 * Return: 0 on success and @cur is updated to the new console state.
 *	Otherwise an error code on failure.
 *
 * Errors:
 *
 *	-EPERM:		A panic is in progress and this is not the panic CPU
 *			or this context is no longer the waiter.
 *
 *	-EBUSY:		The console is still locked. The caller should
 *			continue waiting.
 *
 * Note: The caller must still remove the request when an error has occurred
 *	 except when this context is no longer the waiter.
 */
static int nbcon_context_try_acquire_requested(struct nbcon_context *ctxt,
					       struct nbcon_state *cur)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state new;

	/* Note that the caller must still remove the request! */
	if (other_cpu_in_panic())
		return -EPERM;

	/*
	 * Note that the waiter will also change if there was an unsafe
	 * hostile takeover.
	 */
	if (!nbcon_waiter_matches(cur, ctxt->prio))
		return -EPERM;

	/* If still locked, caller should continue waiting. */
	if (cur->prio != NBCON_PRIO_NONE)
		return -EBUSY;

	/*
	 * The previous owner should have never released ownership
	 * in an unsafe region.
	 */
	WARN_ON_ONCE(cur->unsafe);

	new.atom = cur->atom;
	new.prio = ctxt->prio;
	new.req_prio = NBCON_PRIO_NONE;
	new.unsafe = cur->unsafe_takeover;
	new.cpu = cpu;

	if (!nbcon_state_try_cmpxchg(con, cur, &new)) {
		/*
		 * The acquire could fail only when it has been taken
		 * over by a higher priority context.
		 */
		WARN_ON_ONCE(nbcon_waiter_matches(cur, ctxt->prio));
		return -EPERM;
	}

	/* Handover success. This context now owns the console. */
	return 0;
}

/**
 * nbcon_context_try_acquire_handover - Try to acquire via handover
 * @ctxt:	The context of the caller
 * @cur:	The current console state
 *
 * The function must be called only when the context has higher priority
 * than the current owner and the console is in an unsafe state. It is the
 * case when nbcon_context_try_acquire_direct() returns -EBUSY.
 *
 * The function sets the "req_prio" field to make the current owner aware of
 * the request. Then it waits until the current owner releases the console,
 * or an even higher priority context takes over the request, or the timeout
 * expires.
 *
 * The current owner checks the "req_prio" field on exit from the unsafe
 * region and releases the console. It does not touch the "req_prio" field
 * so that the console stays reserved for the waiter.
 *
 * Return: 0 on success. Otherwise, an error code on failure. Also @cur
 *	is updated to the latest state when this function fails to modify it.
 *
 * Errors:
 *
 *	-EPERM:		A panic is in progress and this is not the panic CPU.
 *			Or a higher priority context has taken over the
 *			console or the handover request.
 *
 *	-EBUSY:		The current owner is on the same CPU so the handshake
 *			cannot work. Or the current owner is not willing to
 *			wait (zero timeout). Or the console does not enter
 *			the safe state before the timeout passed. The caller
 *			might still use the unsafe hostile takeover when
 *			allowed.
 *
 *	-EAGAIN:	@cur has changed when creating the handover request.
 *			The caller should retry with direct acquire.
 */
static int nbcon_context_try_acquire_handover(struct nbcon_context *ctxt,
					      struct nbcon_state *cur)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state new;
	int timeout;
	int request_err = -EBUSY;

	/*
	 * Check that the handover is called when the direct acquire failed
	 * with -EBUSY.
	 */
	WARN_ON_ONCE(ctxt->prio <= cur->prio || ctxt->prio <= cur->req_prio);
	WARN_ON_ONCE(!cur->unsafe);

	/*
	 * Panic does not imply that the console is owned. However, it
	 * is critical that non-panic CPUs during panic are unable to
	 * wait for a handover in order to satisfy the assumptions of
	 * nbcon_waiter_matches(). In particular, the assumption that
	 * lower priorities are ignored during panic.
	 */
	if (other_cpu_in_panic())
		return -EPERM;

	/* Handover is not possible on the same CPU. */
	if (cur->cpu == cpu)
		return -EBUSY;

	/*
	 * Console stays unsafe after an unsafe takeover until re-initialized.
	 * Waiting is not going to help in this case.
	 */
	if (cur->unsafe_takeover)
		return -EBUSY;

	/* Is the caller willing to wait? */
	if (ctxt->spinwait_max_us == 0)
		return -EBUSY;

	/*
	 * Setup a request for the handover. The caller should try to acquire
	 * the console directly when the current state has been modified.
	 */
	new.atom = cur->atom;
	new.req_prio = ctxt->prio;
	if (!nbcon_state_try_cmpxchg(con, cur, &new))
		return -EAGAIN;

	cur->atom = new.atom;

	/* Wait until there is no owner and then acquire the console. */
	for (timeout = ctxt->spinwait_max_us; timeout >= 0; timeout--) {
		/* On successful acquire, this request is cleared. */
		request_err = nbcon_context_try_acquire_requested(ctxt, cur);
		if (!request_err)
			return 0;

		/*
		 * If the acquire should be aborted, it must be ensured
		 * that the request is removed before returning to caller.
		 */
		if (request_err == -EPERM)
			break;

		udelay(1);

		/* Re-read the state because some time has passed. */
		nbcon_state_read(con, cur);
	}

	/* Timed out or aborted. Carefully remove handover request. */
	do {
		/*
		 * No need to remove request if there is a new waiter. This
		 * can only happen if a higher priority context has taken over
		 * the console or the handover request.
		 */
		if (!nbcon_waiter_matches(cur, ctxt->prio))
			return -EPERM;

		/* Unset request for handover. */
		new.atom = cur->atom;
		new.req_prio = NBCON_PRIO_NONE;
		if (nbcon_state_try_cmpxchg(con, cur, &new)) {
			/*
			 * Request successfully unset. Report failure of
			 * acquiring via handover.
			 */
			cur->atom = new.atom;
			return request_err;
		}

		/*
		 * Unable to remove request. Try to acquire in case
		 * the owner has released the lock.
		 */
	} while (nbcon_context_try_acquire_requested(ctxt, cur));

	/* Lucky timing. The acquire succeeded while removing the request. */
	return 0;
}

/**
 * nbcon_context_try_acquire_hostile - Acquire via unsafe hostile takeover
 * @ctxt:	The context of the caller
 * @cur:	The current console state
 *
 * Acquire the console even in the unsafe state.
 *
 * It is permitted only when the 'allow_unsafe_takeover' field is set, which
 * happens only in the final attempt to flush messages in panic().
 *
 * Return: 0 on success. -EPERM when not allowed by the context.
 */
static int nbcon_context_try_acquire_hostile(struct nbcon_context *ctxt,
					     struct nbcon_state *cur)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state new;

	if (!ctxt->allow_unsafe_takeover)
		return -EPERM;

	/* Ensure caller is allowed to perform unsafe hostile takeovers. */
	if (WARN_ON_ONCE(ctxt->prio != NBCON_PRIO_PANIC))
		return -EPERM;

	/*
	 * Check that try_acquire_direct() and try_acquire_handover() returned
	 * -EBUSY in the right situation.
	 */
	WARN_ON_ONCE(ctxt->prio <= cur->prio || ctxt->prio <= cur->req_prio);
	WARN_ON_ONCE(cur->unsafe != true);

	do {
		new.atom = cur->atom;
		new.cpu = cpu;
		new.prio = ctxt->prio;
		new.unsafe |= cur->unsafe_takeover;
		new.unsafe_takeover |= cur->unsafe;

	} while (!nbcon_state_try_cmpxchg(con, cur, &new));

	return 0;
}

static struct printk_buffers panic_nbcon_pbufs;

/**
 * nbcon_context_try_acquire - Try to acquire nbcon console
 * @ctxt:		The context of the caller
 * @is_reacquire:	This acquire is a reacquire
 *
 * Context:	Under @ctxt->con->device_lock() or local_irq_save().
 * Return:	True if the console was acquired. False otherwise.
 *
 * If the caller allowed an unsafe hostile takeover, on success the
 * caller should check the current console state to see if it is
 * in an unsafe state. Otherwise, on success the caller may assume
 * the console is not in an unsafe state.
 */
static bool nbcon_context_try_acquire(struct nbcon_context *ctxt, bool is_reacquire)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state cur;
	int err;

	nbcon_state_read(con, &cur);
try_again:
	err = nbcon_context_try_acquire_direct(ctxt, &cur, is_reacquire);
	if (err != -EBUSY)
		goto out;

	err = nbcon_context_try_acquire_handover(ctxt, &cur);
	if (err == -EAGAIN)
		goto try_again;
	if (err != -EBUSY)
		goto out;

	err = nbcon_context_try_acquire_hostile(ctxt, &cur);
out:
	if (err)
		return false;

	/* Acquire succeeded. */

	/* Assign the appropriate buffer for this context. */
	if (atomic_read(&panic_cpu) == cpu)
		ctxt->pbufs = &panic_nbcon_pbufs;
	else
		ctxt->pbufs = con->pbufs;

	/* Set the record sequence for this context to print. */
	ctxt->seq = nbcon_seq_read(ctxt->console);

	return true;
}

static bool nbcon_owner_matches(struct nbcon_state *cur, int expected_cpu,
				int expected_prio)
{
	/*
	 * A similar function, nbcon_waiter_matches(), only deals with
	 * EMERGENCY and PANIC priorities. However, this function must also
	 * deal with the NORMAL priority, which requires additional checks
	 * and constraints.
	 *
	 * For the case where preemption and interrupts are disabled, it is
	 * enough to also verify that the owning CPU has not changed.
	 *
	 * For the case where preemption or interrupts are enabled, an
	 * external synchronization method *must* be used. In particular,
	 * the driver-specific locking mechanism used in device_lock()
	 * (including disabling migration) should be used. It prevents
	 * scenarios such as:
	 *
	 * 1. [Task A] owns a context with NBCON_PRIO_NORMAL on [CPU X] and
	 *    is scheduled out.
	 * 2. Another context takes over the lock with NBCON_PRIO_EMERGENCY
	 *    and releases it.
	 * 3. [Task B] acquires a context with NBCON_PRIO_NORMAL on [CPU X]
	 *    and is scheduled out.
	 * 4. [Task A] gets running on [CPU X] and sees that the console is
	 *    still owned by a task on [CPU X] with NBCON_PRIO_NORMAL. Thus
	 *    [Task A] thinks it is the owner when it is not.
	 */

	if (cur->prio != expected_prio)
		return false;

	if (cur->cpu != expected_cpu)
		return false;

	return true;
}

/**
 * nbcon_context_release - Release the console
 * @ctxt:	The nbcon context from nbcon_context_try_acquire()
 */
static void nbcon_context_release(struct nbcon_context *ctxt)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state cur;
	struct nbcon_state new;

	nbcon_state_read(con, &cur);

	do {
		if (!nbcon_owner_matches(&cur, cpu, ctxt->prio))
			break;

		new.atom = cur.atom;
		new.prio = NBCON_PRIO_NONE;

		/*
		 * If @unsafe_takeover is set, it is kept set so that
		 * the state remains permanently unsafe.
		 */
		new.unsafe |= cur.unsafe_takeover;

	} while (!nbcon_state_try_cmpxchg(con, &cur, &new));

	ctxt->pbufs = NULL;
}

/**
 * nbcon_context_can_proceed - Check whether ownership can proceed
 * @ctxt:	The nbcon context from nbcon_context_try_acquire()
 * @cur:	The current console state
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * Must be invoked when entering the unsafe state to make sure that it still
 * owns the lock. Also must be invoked when exiting the unsafe region
 * to eventually free the lock for a higher priority context which asked
 * for the friendly handover.
 *
 * It can be called inside an unsafe section when the console is just
 * temporarily in a safe state, instead of exiting and re-entering the
 * unsafe state.
 *
 * Also it can be called in a safe context before doing an expensive
 * safe operation. It does not make sense to do the operation when
 * a higher priority context took the lock.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 */
static bool nbcon_context_can_proceed(struct nbcon_context *ctxt, struct nbcon_state *cur)
{
	unsigned int cpu = smp_processor_id();

	/* Make sure this context still owns the console. */
	if (!nbcon_owner_matches(cur, cpu, ctxt->prio))
		return false;

	/* The console owner can proceed if there is no waiter. */
	if (cur->req_prio == NBCON_PRIO_NONE)
		return true;

	/*
	 * A console owner within an unsafe region is always allowed to
	 * proceed, even if there are waiters. It can perform a handover
	 * when exiting the unsafe region. Otherwise the waiter will
	 * need to perform an unsafe hostile takeover.
	 */
	if (cur->unsafe)
		return true;

	/* Waiters always have higher priorities than owners. */
	WARN_ON_ONCE(cur->req_prio <= cur->prio);

	/*
	 * Having a safe point for take over and eventually a few
	 * duplicated characters or a full line is way better than a
	 * hostile takeover. Post processing can take care of the garbage.
	 * Release and hand over.
	 */
	nbcon_context_release(ctxt);

	/*
	 * It is not clear whether the waiter really took over ownership. The
	 * outermost callsite must make the final decision whether console
	 * ownership is needed for it to proceed. If yes, it must reacquire
	 * ownership (possibly hostile) before carefully proceeding.
	 *
	 * The calling context no longer owns the console so go back all the
	 * way instead of trying to implement reacquire heuristics in tons of
	 * places.
	 */
	return false;
}

/**
 * nbcon_can_proceed - Check whether ownership can proceed
 * @wctxt:	The write context that was handed to the write function
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * It is used in nbcon_enter_unsafe() to make sure that it still owns the
 * lock. Also it is used in nbcon_exit_unsafe() to eventually free the lock
 * for a higher priority context which asked for the friendly handover.
 *
 * It can be called inside an unsafe section when the console is just
 * temporarily in a safe state, instead of exiting and re-entering the
 * unsafe state.
 *
 * Also it can be called in a safe context before doing an expensive safe
 * operation. It does not make sense to do the operation when a higher
 * priority context took the lock.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 */
bool nbcon_can_proceed(struct nbcon_write_context *wctxt)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	struct console *con = ctxt->console;
	struct nbcon_state cur;

	nbcon_state_read(con, &cur);

	return nbcon_context_can_proceed(ctxt, &cur);
}
EXPORT_SYMBOL_GPL(nbcon_can_proceed);

#define nbcon_context_enter_unsafe(c)	__nbcon_context_update_unsafe(c, true)
#define nbcon_context_exit_unsafe(c)	__nbcon_context_update_unsafe(c, false)

/**
 * __nbcon_context_update_unsafe - Update the unsafe bit in @con->nbcon_state
 * @ctxt:	The nbcon context from nbcon_context_try_acquire()
 * @unsafe:	The new value for the unsafe bit
 *
 * Return:	True if the unsafe state was updated and this context still
 *		owns the console. Otherwise false if ownership was handed
 *		over or taken.
 *
 * This function allows console owners to modify the unsafe status of the
 * console.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 *
 * Internal helper to avoid duplicated code.
 */
static bool __nbcon_context_update_unsafe(struct nbcon_context *ctxt, bool unsafe)
{
	struct console *con = ctxt->console;
	struct nbcon_state cur;
	struct nbcon_state new;

	nbcon_state_read(con, &cur);

	do {
		/*
		 * The unsafe bit must not be cleared if an
		 * unsafe hostile takeover has occurred.
		 */
		if (!unsafe && cur.unsafe_takeover)
			goto out;

		if (!nbcon_context_can_proceed(ctxt, &cur))
			return false;

		new.atom = cur.atom;
		new.unsafe = unsafe;
	} while (!nbcon_state_try_cmpxchg(con, &cur, &new));

	cur.atom = new.atom;
out:
	return nbcon_context_can_proceed(ctxt, &cur);
}

static void nbcon_write_context_set_buf(struct nbcon_write_context *wctxt,
					char *buf, unsigned int len)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	struct console *con = ctxt->console;
	struct nbcon_state cur;

	wctxt->outbuf = buf;
	wctxt->len = len;
	nbcon_state_read(con, &cur);
	wctxt->unsafe_takeover = cur.unsafe_takeover;
}

/**
 * nbcon_enter_unsafe - Enter an unsafe region in the driver
 * @wctxt:	The write context that was handed to the write function
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 */
bool nbcon_enter_unsafe(struct nbcon_write_context *wctxt)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	bool is_owner;

	is_owner = nbcon_context_enter_unsafe(ctxt);
	if (!is_owner)
		nbcon_write_context_set_buf(wctxt, NULL, 0);
	return is_owner;
}
EXPORT_SYMBOL_GPL(nbcon_enter_unsafe);

/**
 * nbcon_exit_unsafe - Exit an unsafe region in the driver
 * @wctxt:	The write context that was handed to the write function
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 */
bool nbcon_exit_unsafe(struct nbcon_write_context *wctxt)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	bool ret;

	ret = nbcon_context_exit_unsafe(ctxt);
	if (!ret)
		nbcon_write_context_set_buf(wctxt, NULL, 0);
	return ret;
}
EXPORT_SYMBOL_GPL(nbcon_exit_unsafe);
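
/*
 * A hedged sketch of how a driver's write callback is expected to bracket
 * hardware access with the unsafe-region API above. The callback name
 * foo_write_atomic() and the helper foo_write_port() are hypothetical
 * placeholders, not part of this API:
 *
 *	static void foo_write_atomic(struct console *con,
 *				     struct nbcon_write_context *wctxt)
 *	{
 *		if (!nbcon_enter_unsafe(wctxt))
 *			return;
 *
 *		foo_write_port(con, wctxt->outbuf, wctxt->len);
 *
 *		nbcon_exit_unsafe(wctxt);
 *	}
 *
 * On a false return from either function, @wctxt->outbuf has been set to
 * NULL and the driver must back out without touching the hardware or the
 * buffer again.
 */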

/**
 * nbcon_reacquire_nobuf - Reacquire a console after losing ownership
 *			   while printing
 * @wctxt:	The write context that was handed to the write callback
 *
 * Since ownership can be lost at any time due to handover or takeover, a
 * printing context _must_ be prepared to back out immediately and
 * carefully. However, there are scenarios where the printing context must
 * reacquire ownership in order to finalize or revert hardware changes.
 *
 * This function allows a printing context to reacquire ownership using the
 * same priority as its previous ownership.
 *
 * Note that after a successful reacquire the printing context will have no
 * output buffer because that has been lost. This function cannot be used to
 * resume printing.
 */
void nbcon_reacquire_nobuf(struct nbcon_write_context *wctxt)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);

	while (!nbcon_context_try_acquire(ctxt, true))
		cpu_relax();

	nbcon_write_context_set_buf(wctxt, NULL, 0);
}
EXPORT_SYMBOL_GPL(nbcon_reacquire_nobuf);
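
/*
 * An illustrative sketch of the intended reacquire pattern inside a driver
 * callback; foo_restore_port_state() is a hypothetical cleanup helper:
 *
 *	if (!nbcon_enter_unsafe(wctxt)) {
 *		nbcon_reacquire_nobuf(wctxt);
 *		foo_restore_port_state(con);
 *		return;
 *	}
 *
 * After the reacquire, @wctxt->outbuf is NULL, so the caller of the write
 * callback (nbcon_emit_next_record()) detects the lost buffer and releases
 * ownership without emitting further output.
 */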

/**
 * nbcon_emit_next_record - Emit a record in the acquired context
 * @wctxt:	The write context that will be handed to the write function
 * @use_atomic:	True if the write_atomic() callback is to be used
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context. If the caller
 * wants to do more it must reacquire the console first.
 *
 * When true is returned, @wctxt->ctxt.backlog indicates whether there are
 * still records pending in the ringbuffer.
 */
static bool nbcon_emit_next_record(struct nbcon_write_context *wctxt, bool use_atomic)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	struct console *con = ctxt->console;
	bool is_extended = console_srcu_read_flags(con) & CON_EXTENDED;
	struct printk_message pmsg = {
		.pbufs = ctxt->pbufs,
	};
	unsigned long con_dropped;
	struct nbcon_state cur;
	unsigned long dropped;
	unsigned long ulseq;

	/*
	 * This function should never be called for consoles that have not
	 * implemented the necessary callback for writing: i.e. legacy
	 * consoles and, when atomic, nbcon consoles with no write_atomic().
	 * Handle it as if ownership was lost and try to continue.
	 *
	 * Note that for nbcon consoles the write_thread() callback is
	 * mandatory and was already checked in nbcon_alloc().
	 */
	if (WARN_ON_ONCE((use_atomic && !con->write_atomic) ||
			 !(console_srcu_read_flags(con) & CON_NBCON))) {
		nbcon_context_release(ctxt);
		return false;
	}

	/*
	 * The printk buffers are filled within an unsafe section. This
	 * prevents NBCON_PRIO_NORMAL and NBCON_PRIO_EMERGENCY from
	 * clobbering each other.
	 */

	if (!nbcon_context_enter_unsafe(ctxt))
		return false;

	ctxt->backlog = printk_get_next_message(&pmsg, ctxt->seq, is_extended, true);
	if (!ctxt->backlog)
		return nbcon_context_exit_unsafe(ctxt);

	/*
	 * @con->dropped is not protected in case of an unsafe hostile
	 * takeover. In that situation the update can be racy so
	 * annotate it accordingly.
	 */
	con_dropped = data_race(READ_ONCE(con->dropped));

	dropped = con_dropped + pmsg.dropped;
	if (dropped && !is_extended)
		console_prepend_dropped(&pmsg, dropped);

	/*
	 * If the previous owner was assigned the same record, this context
	 * has taken over ownership and is replaying the record. Prepend a
	 * message to let the user know the record is replayed.
	 */
	ulseq = atomic_long_read(&ACCESS_PRIVATE(con, nbcon_prev_seq));
	if (__ulseq_to_u64seq(prb, ulseq) == pmsg.seq) {
		console_prepend_replay(&pmsg);
	} else {
		/*
		 * Ensure this context is still the owner before trying to
		 * update @nbcon_prev_seq. Otherwise the value in @ulseq may
		 * not be from the previous owner and instead be some later
		 * value from the context that took over ownership.
		 */
		nbcon_state_read(con, &cur);
		if (!nbcon_context_can_proceed(ctxt, &cur))
			return false;

		atomic_long_try_cmpxchg(&ACCESS_PRIVATE(con, nbcon_prev_seq), &ulseq,
					__u64seq_to_ulseq(pmsg.seq));
	}

	if (!nbcon_context_exit_unsafe(ctxt))
		return false;

	/* For skipped records just update seq/dropped in @con. */
	if (pmsg.outbuf_len == 0)
		goto update_con;

	/* Initialize the write context for driver callbacks. */
	nbcon_write_context_set_buf(wctxt, &pmsg.pbufs->outbuf[0], pmsg.outbuf_len);

	if (use_atomic)
		con->write_atomic(con, wctxt);
	else
		con->write_thread(con, wctxt);

	if (!wctxt->outbuf) {
		/*
		 * Ownership was lost and reacquired by the driver. Handle it
		 * as if ownership was lost.
		 */
		nbcon_context_release(ctxt);
		return false;
	}

	/*
	 * Ownership may have been lost but _not_ reacquired by the driver.
	 * This case is detected and handled when entering unsafe to update
	 * dropped/seq values.
	 */

	/*
	 * Since any dropped message was successfully output, reset the
	 * dropped count for the console.
	 */
	dropped = 0;
update_con:
	/*
	 * The dropped count and the sequence number are updated within an
	 * unsafe section. This limits update races to the panic context and
	 * allows the panic context to win.
	 */

	if (!nbcon_context_enter_unsafe(ctxt))
		return false;

	if (dropped != con_dropped) {
		/* Counterpart to the READ_ONCE() above. */
		WRITE_ONCE(con->dropped, dropped);
	}

	nbcon_seq_try_update(ctxt, pmsg.seq + 1);

	return nbcon_context_exit_unsafe(ctxt);
}

/*
 * nbcon_emit_one - Print one record for an nbcon console using the
 *		    specified callback
 * @wctxt:	An initialized write context struct to use for this context
 * @use_atomic:	True if the write_atomic() callback is to be used
 *
 * Return:	True, when a record has been printed and there are still
 *		pending records. The caller might want to continue flushing.
 *
 *		False, when there is no pending record, or when the console
 *		context cannot be acquired, or the ownership has been lost.
 *		The caller should give up. Either the job is done, cannot be
 *		done, or will be handled by the owning context.
 *
 * This is an internal helper to handle the locking of the console before
 * calling nbcon_emit_next_record().
 */
static bool nbcon_emit_one(struct nbcon_write_context *wctxt, bool use_atomic)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	struct console *con = ctxt->console;
	unsigned long flags;
	bool ret = false;

	if (!use_atomic) {
		con->device_lock(con, &flags);

		/*
		 * Ensure this stays on the CPU to make handover and
		 * takeover possible.
		 */
		cant_migrate();
	}

	if (!nbcon_context_try_acquire(ctxt, false))
		goto out;

	/*
	 * nbcon_emit_next_record() returns false when the console was
	 * handed over or taken over. In both cases the context is no
	 * longer valid.
	 *
	 * The higher priority printing context takes over responsibility
	 * to print the pending records.
	 */
	if (!nbcon_emit_next_record(wctxt, use_atomic))
		goto out;

	nbcon_context_release(ctxt);

	ret = ctxt->backlog;
out:
	if (!use_atomic)
		con->device_unlock(con, flags);
	return ret;
}

/**
 * nbcon_kthread_should_wakeup - Check whether a printer thread should wakeup
 * @con:	Console to operate on
 * @ctxt:	The nbcon context from nbcon_context_try_acquire()
 *
 * Return:	True if the thread should shutdown or if the console is
 *		allowed to print and a record is available. False otherwise.
 *
 * After the thread wakes up, it must first check if it should shutdown before
 * attempting any printing.
 */
static bool nbcon_kthread_should_wakeup(struct console *con, struct nbcon_context *ctxt)
{
	bool ret = false;
	short flags;
	int cookie;

	if (kthread_should_stop())
		return true;

	cookie = console_srcu_read_lock();

	flags = console_srcu_read_flags(con);
	if (console_is_usable(con, flags, false)) {
		/* Bring the sequence in @ctxt up to date */
		ctxt->seq = nbcon_seq_read(con);

		ret = prb_read_valid(prb, ctxt->seq, NULL);
	}

	console_srcu_read_unlock(cookie);
	return ret;
}

/**
 * nbcon_kthread_func - The printer thread function
 * @__console:	Console to operate on
 *
 * Return:	0
 */
static int nbcon_kthread_func(void *__console)
{
	struct console *con = __console;
	struct nbcon_write_context wctxt = {
		.ctxt.console	= con,
		.ctxt.prio	= NBCON_PRIO_NORMAL,
	};
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(&wctxt, ctxt);
	short con_flags;
	bool backlog;
	int cookie;

wait_for_event:
	/*
	 * Guarantee this task is visible on the rcuwait before
	 * checking the wake condition.
	 *
	 * The full memory barrier within set_current_state() of
	 * ___rcuwait_wait_event() pairs with the full memory
	 * barrier within rcuwait_has_sleeper().
	 *
	 * This pairs with rcuwait_has_sleeper:A and nbcon_kthread_wake:A.
	 */
	rcuwait_wait_event(&con->rcuwait,
			   nbcon_kthread_should_wakeup(con, ctxt),
			   TASK_INTERRUPTIBLE); /* LMM(nbcon_kthread_func:A) */

	do {
		if (kthread_should_stop())
			return 0;

		backlog = false;

		/*
		 * Keep the srcu read lock around the entire operation so that
		 * synchronize_srcu() can guarantee that the kthread stopped
		 * or suspended printing.
		 */
		cookie = console_srcu_read_lock();

		con_flags = console_srcu_read_flags(con);

		if (console_is_usable(con, con_flags, false))
			backlog = nbcon_emit_one(&wctxt, false);

		console_srcu_read_unlock(cookie);

		cond_resched();

	} while (backlog);

	goto wait_for_event;
}

/**
 * nbcon_irq_work - irq work to wake console printer thread
 * @irq_work:	The irq work to operate on
 */
static void nbcon_irq_work(struct irq_work *irq_work)
{
	struct console *con = container_of(irq_work, struct console, irq_work);

	nbcon_kthread_wake(con);
}

static inline bool rcuwait_has_sleeper(struct rcuwait *w)
{
	/*
	 * Guarantee any new records can be seen by tasks preparing to wait
	 * before this context checks if the rcuwait is empty.
	 *
	 * This full memory barrier pairs with the full memory barrier within
	 * set_current_state() of ___rcuwait_wait_event(), which is called
	 * after prepare_to_rcuwait() adds the waiter but before it has
	 * checked the wait condition.
	 *
	 * This pairs with nbcon_kthread_func:A.
	 */
	smp_mb(); /* LMM(rcuwait_has_sleeper:A) */
	return rcuwait_active(w);
}

/**
 * nbcon_kthreads_wake - Wake up printing threads using irq_work
 */
void nbcon_kthreads_wake(void)
{
	struct console *con;
	int cookie;

	if (!printk_kthreads_running)
		return;

	cookie = console_srcu_read_lock();
	for_each_console_srcu(con) {
		if (!(console_srcu_read_flags(con) & CON_NBCON))
			continue;

		/*
		 * Only schedule irq_work if the printing thread is
		 * actively waiting. If not waiting, the thread will
		 * notice by itself that it has work to do.
		 */
		if (rcuwait_has_sleeper(&con->rcuwait))
			irq_work_queue(&con->irq_work);
	}
	console_srcu_read_unlock(cookie);
}

/*
 * nbcon_kthread_stop - Stop a console printer thread
 * @con:	Console to operate on
 */
void nbcon_kthread_stop(struct console *con)
{
	lockdep_assert_console_list_lock_held();

	if (!con->kthread)
		return;

	kthread_stop(con->kthread);
	con->kthread = NULL;
}

/**
 * nbcon_kthread_create - Create a console printer thread
 * @con:	Console to operate on
 *
 * Return:	True if the kthread was started or already exists.
 *		Otherwise false and @con must not be registered.
 *
 * This function is called when it will be expected that nbcon consoles are
 * flushed using the kthread. The messages printed with NBCON_PRIO_NORMAL
 * will no longer be flushed by the legacy loop. This is why failure must
 * be fatal for console registration.
 *
 * If @con was already registered and this function fails, @con must be
 * unregistered before the global state variable @printk_kthreads_running
 * can be set.
 */
bool nbcon_kthread_create(struct console *con)
{
	struct task_struct *kt;

	lockdep_assert_console_list_lock_held();

	if (con->kthread)
		return true;

	kt = kthread_run(nbcon_kthread_func, con, "pr/%s%d", con->name, con->index);
	if (WARN_ON(IS_ERR(kt))) {
		con_printk(KERN_ERR, con, "failed to start printing thread\n");
		return false;
	}

	con->kthread = kt;

	/*
	 * It is important that console printing threads are scheduled
	 * shortly after a printk call and with generous runtime budgets.
	 */
	sched_set_normal(con->kthread, -20);

	return true;
}

/* Track the nbcon emergency nesting per CPU. */
static DEFINE_PER_CPU(unsigned int, nbcon_pcpu_emergency_nesting);
static unsigned int early_nbcon_pcpu_emergency_nesting __initdata;

/**
 * nbcon_get_cpu_emergency_nesting - Get the per CPU emergency nesting pointer
 *
 * Context:	For reading, any context. For writing, any context which cannot
 *		be migrated to another CPU.
 * Return:	Either a pointer to the per CPU emergency nesting counter of
 *		the current CPU or to the init data during early boot.
 *
 * The function is safe for reading per-CPU variables in any context because
 * preemption is disabled if the current CPU is in the emergency state. See
 * also nbcon_cpu_emergency_enter().
 */
static __ref unsigned int *nbcon_get_cpu_emergency_nesting(void)
{
	/*
	 * The value of __printk_percpu_data_ready gets set in normal
	 * context and before SMP initialization. As a result it could
	 * never change while inside an nbcon emergency section.
	 */
	if (!printk_percpu_data_ready())
		return &early_nbcon_pcpu_emergency_nesting;

	return raw_cpu_ptr(&nbcon_pcpu_emergency_nesting);
}

/**
 * nbcon_get_default_prio - The appropriate nbcon priority to use for nbcon
 *			    printing on the current CPU
 *
 * Context:	Any context.
 * Return:	The nbcon_prio to use for acquiring an nbcon console in this
 *		context for printing.
 *
 * The function is safe for reading per-CPU data in any context because
 * preemption is disabled if the current CPU is in the emergency or panic
 * state.
 */
enum nbcon_prio nbcon_get_default_prio(void)
{
	unsigned int *cpu_emergency_nesting;

	if (this_cpu_in_panic())
		return NBCON_PRIO_PANIC;

	cpu_emergency_nesting = nbcon_get_cpu_emergency_nesting();
	if (*cpu_emergency_nesting)
		return NBCON_PRIO_EMERGENCY;

	return NBCON_PRIO_NORMAL;
}

/**
 * nbcon_legacy_emit_next_record - Print one record for an nbcon console
 *				   in legacy contexts
 * @con:	The console to print on
 * @handover:	Will be set to true if a printk waiter has taken over the
 *		console_lock, in which case the caller is no longer holding
 *		both the console_lock and the SRCU read lock. Otherwise it
 *		is set to false.
 * @cookie:	The cookie from the SRCU read lock.
 * @use_atomic:	Set true when called in an atomic or unknown context.
 *		It affects which nbcon callback will be used: write_atomic()
 *		or write_thread().
 *
 *		When false, the write_thread() callback is used and would be
 *		called in a preemptible context unless disabled by the
 *		device_lock. The legacy handover is not allowed in this mode.
 *
 * Context:	Any context except NMI.
 * Return:	True, when a record has been printed and there are still
 *		pending records. The caller might want to continue flushing.
 *
 *		False, when there is no pending record, or when the console
 *		context cannot be acquired, or the ownership has been lost.
 *		The caller should give up. Either the job is done, cannot be
 *		done, or will be handled by the owning context.
 *
 * This function is meant to be called by console_flush_all() to print records
 * on nbcon consoles from legacy context (printing via console unlocking).
 * Essentially it is the nbcon version of console_emit_next_record().
 */
bool nbcon_legacy_emit_next_record(struct console *con, bool *handover,
				   int cookie, bool use_atomic)
{
	struct nbcon_write_context wctxt = { };
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(&wctxt, ctxt);
	unsigned long flags;
	bool progress;

	ctxt->console = con;
	ctxt->prio = nbcon_get_default_prio();

	if (use_atomic) {
		/*
		 * In an atomic or unknown context, use the same procedure as
		 * in console_emit_next_record(). It allows a handover.
		 */
		printk_safe_enter_irqsave(flags);
		console_lock_spinning_enable();
		stop_critical_timings();
	}

	progress = nbcon_emit_one(&wctxt, use_atomic);

	if (use_atomic) {
		start_critical_timings();
		*handover = console_lock_spinning_disable_and_check(cookie);
		printk_safe_exit_irqrestore(flags);
	} else {
		/* Non-atomic does not perform legacy spinning handovers. */
		*handover = false;
	}

	return progress;
}

/**
 * __nbcon_atomic_flush_pending_con - Flush specified nbcon console using its
 *				      write_atomic() callback
 * @con:			The nbcon console to flush
 * @stop_seq:			Flush up until this record
 * @allow_unsafe_takeover:	True, to allow unsafe hostile takeovers
 *
 * Return:	0 if @con was flushed up to @stop_seq. Otherwise, error code
 *		on failure.
 *
 * Errors:
 *
 *	-EPERM:		Unable to acquire console ownership.
 *
 *	-EAGAIN:	Another context took over ownership while printing.
 *
 *	-ENOENT:	A record before @stop_seq is not available.
 *
 * If flushing up to @stop_seq was not successful, it only makes sense for the
 * caller to try again when -EAGAIN was returned. When -EPERM is returned,
 * this context is not allowed to acquire the console. When -ENOENT is
 * returned, it cannot be expected that the unfinalized record will become
 * available.
 */
static int __nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq,
					    bool allow_unsafe_takeover)
{
	struct nbcon_write_context wctxt = { };
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(&wctxt, ctxt);
	int err = 0;

	ctxt->console = con;
	ctxt->spinwait_max_us = 2000;
	ctxt->prio = nbcon_get_default_prio();
	ctxt->allow_unsafe_takeover = allow_unsafe_takeover;

	if (!nbcon_context_try_acquire(ctxt, false))
		return -EPERM;

	while (nbcon_seq_read(con) < stop_seq) {
		/*
		 * nbcon_emit_next_record() returns false when the console was
		 * handed over or taken over. In both cases the context is no
		 * longer valid.
		 */
		if (!nbcon_emit_next_record(&wctxt, true))
			return -EAGAIN;

		if (!ctxt->backlog) {
			/* Are there reserved but not yet finalized records? */
			if (nbcon_seq_read(con) < stop_seq)
				err = -ENOENT;
			break;
		}
	}

	nbcon_context_release(ctxt);
	return err;
}

/**
 * nbcon_atomic_flush_pending_con - Flush specified nbcon console using its
 *				    write_atomic() callback
 * @con:			The nbcon console to flush
 * @stop_seq:			Flush up until this record
 * @allow_unsafe_takeover:	True, to allow unsafe hostile takeovers
 *
 * This will stop flushing before @stop_seq if another context has ownership.
 * That context is then responsible for the flushing. Likewise, if new records
 * are added while this context was flushing and there is no other context
 * to handle the printing, this context must also flush those records.
 */
static void nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq,
					   bool allow_unsafe_takeover)
{
	struct console_flush_type ft;
	unsigned long flags;
	int err;

again:
	/*
	 * Atomic flushing does not use console driver synchronization (i.e.
	 * it does not hold the port lock for uart consoles). Therefore IRQs
	 * must be disabled to avoid being interrupted and then calling into
	 * a driver that will deadlock trying to acquire console ownership.
	 */
	local_irq_save(flags);

	err = __nbcon_atomic_flush_pending_con(con, stop_seq, allow_unsafe_takeover);

	local_irq_restore(flags);

	/*
	 * If there was a new owner (-EPERM, -EAGAIN), that context is
	 * responsible for completing.
	 *
	 * Do not wait for records not yet finalized (-ENOENT) to avoid a
	 * possible deadlock. They will either get flushed by the writer or
	 * eventually skipped on panic CPU.
	 */
	if (err)
		return;

	/*
	 * If flushing was successful but more records are available, this
	 * context must flush those remaining records if the printer thread
	 * is not available to do it.
	 */
	printk_get_console_flush_type(&ft);
	if (!ft.nbcon_offload &&
	    prb_read_valid(prb, nbcon_seq_read(con), NULL)) {
		stop_seq = prb_next_reserve_seq(prb);
		goto again;
	}
}

/**
 * __nbcon_atomic_flush_pending - Flush all nbcon consoles using their
 *				  write_atomic() callback
 * @stop_seq:			Flush up until this record
 * @allow_unsafe_takeover:	True, to allow unsafe hostile takeovers
 */
static void __nbcon_atomic_flush_pending(u64 stop_seq, bool allow_unsafe_takeover)
{
	struct console *con;
	int cookie;

	cookie = console_srcu_read_lock();
	for_each_console_srcu(con) {
		short flags = console_srcu_read_flags(con);

		if (!(flags & CON_NBCON))
			continue;

		if (!console_is_usable(con, flags, true))
			continue;

		if (nbcon_seq_read(con) >= stop_seq)
			continue;

		nbcon_atomic_flush_pending_con(con, stop_seq, allow_unsafe_takeover);
	}
	console_srcu_read_unlock(cookie);
}

/**
 * nbcon_atomic_flush_pending - Flush all nbcon consoles using their
 *				write_atomic() callback
 *
 * Flush the backlog up through the currently newest record. Any new
 * records added while flushing will not be flushed if there is another
 * context available to handle the flushing. This is to avoid one CPU
 * printing unbounded because other CPUs continue to add records.
 */
void nbcon_atomic_flush_pending(void)
{
	__nbcon_atomic_flush_pending(prb_next_reserve_seq(prb), false);
}
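
/*
 * Usage sketch (illustrative, not a caller in this file): a context that
 * wants the current backlog written out before continuing, for example
 * shortly before halting the machine, could do:
 *
 *	pr_emerg("system is going down\n");
 *	nbcon_atomic_flush_pending();
 *
 * Records reserved after prb_next_reserve_seq() was sampled are left to
 * their respective printing contexts.
 */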

/**
 * nbcon_atomic_flush_unsafe - Flush all nbcon consoles using their
 *				write_atomic() callback and allowing unsafe
 *				hostile takeovers
 *
 * Flush the backlog up through the currently newest record. Unsafe hostile
 * takeovers will be performed, if necessary.
 */
void nbcon_atomic_flush_unsafe(void)
{
	__nbcon_atomic_flush_pending(prb_next_reserve_seq(prb), true);
}
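
/*
 * Illustrative sketch: a last-resort flush late in panic(), after safe
 * attempts have already been tried (the condition is hypothetical):
 *
 *	if (hypothetical_last_flush_attempt)
 *		nbcon_atomic_flush_unsafe();
 */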

/**
 * nbcon_cpu_emergency_enter - Enter an emergency section where printk()
 *				messages for that CPU are flushed directly
 *
 * Context:	Any context. Disables preemption.
 *
 * When within an emergency section, printk() calls will attempt to flush any
 * pending messages in the ringbuffer.
 */
void nbcon_cpu_emergency_enter(void)
{
	unsigned int *cpu_emergency_nesting;

	preempt_disable();

	cpu_emergency_nesting = nbcon_get_cpu_emergency_nesting();
	(*cpu_emergency_nesting)++;
}

/**
 * nbcon_cpu_emergency_exit - Exit an emergency section
 *
 * Context:	Within an emergency section. Enables preemption.
 */
void nbcon_cpu_emergency_exit(void)
{
	unsigned int *cpu_emergency_nesting;

	cpu_emergency_nesting = nbcon_get_cpu_emergency_nesting();

	if (!WARN_ON_ONCE(*cpu_emergency_nesting == 0))
		(*cpu_emergency_nesting)--;

	preempt_enable();
}
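
/*
 * Usage sketch (illustrative): a context reporting a serious condition can
 * wrap its messages in an emergency section so that printk() flushes them
 * directly rather than deferring to the printer kthreads:
 *
 *	nbcon_cpu_emergency_enter();
 *	pr_emerg("hypothetical fatal condition detected\n");
 *	dump_stack();
 *	nbcon_cpu_emergency_exit();
 *
 * Sections may nest; the per-CPU counter keeps the emergency state active
 * until the outermost exit.
 */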

/**
 * nbcon_alloc - Allocate and init the nbcon console specific data
 * @con:	Console to initialize
 *
 * Return:	True if the console was fully allocated and initialized.
 *		Otherwise @con must not be registered.
 *
 * When allocation and init were successful, the console must be properly
 * freed using nbcon_free() once it is no longer needed.
 */
bool nbcon_alloc(struct console *con)
{
	struct nbcon_state state = { };

	/* Synchronize the kthread start. */
	lockdep_assert_console_list_lock_held();

	/* The write_thread() callback is mandatory. */
	if (WARN_ON(!con->write_thread))
		return false;

	rcuwait_init(&con->rcuwait);
	init_irq_work(&con->irq_work, nbcon_irq_work);
	atomic_long_set(&ACCESS_PRIVATE(con, nbcon_prev_seq), -1UL);
	nbcon_state_set(con, &state);

	/*
	 * Initialize @nbcon_seq to the highest possible sequence number so
	 * that practically speaking it will have nothing to print until a
	 * desired initial sequence number has been set via nbcon_seq_force().
	 */
	atomic_long_set(&ACCESS_PRIVATE(con, nbcon_seq), ULSEQ_MAX(prb));

	if (con->flags & CON_BOOT) {
		/*
		 * Boot console printing is synchronized with legacy console
		 * printing, so boot consoles can share the same global printk
		 * buffers.
		 */
		con->pbufs = &printk_shared_pbufs;
	} else {
		con->pbufs = kmalloc(sizeof(*con->pbufs), GFP_KERNEL);
		if (!con->pbufs) {
			con_printk(KERN_ERR, con, "failed to allocate printing buffer\n");
			return false;
		}

		if (printk_kthreads_ready && !have_boot_console) {
			if (!nbcon_kthread_create(con)) {
				kfree(con->pbufs);
				con->pbufs = NULL;
				return false;
			}

			/* Might be the first kthread. */
			printk_kthreads_running = true;
		}
	}

	return true;
}

/**
 * nbcon_free - Free and cleanup the nbcon console specific data
 * @con:	Console to free/cleanup nbcon data
 *
 * Important: @have_nbcon_console must be updated before calling
 * this function. In particular, it can be set only when there
 * is still another nbcon console registered.
 */
void nbcon_free(struct console *con)
{
	struct nbcon_state state = { };

	/* Synchronize the kthread stop. */
	lockdep_assert_console_list_lock_held();

	if (printk_kthreads_running) {
		nbcon_kthread_stop(con);

		/*
		 * Might be the last nbcon console.
		 *
		 * Do not rely on printk_kthreads_check_locked(). It is not
		 * called in some code paths, see nbcon_free() callers.
		 */
		if (!have_nbcon_console)
			printk_kthreads_running = false;
	}

	nbcon_state_set(con, &state);

	/* Boot consoles share global printk buffers. */
	if (!(con->flags & CON_BOOT))
		kfree(con->pbufs);

	con->pbufs = NULL;
}
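
/*
 * Pairing sketch (illustrative, with a hypothetical registration step):
 * nbcon_alloc() and nbcon_free() are called under the console list lock,
 * and a failure after allocation must be unwound with nbcon_free():
 *
 *	console_list_lock();
 *	if (nbcon_alloc(con)) {
 *		if (hypothetical_register_step(con) != 0)
 *			nbcon_free(con);
 *	}
 *	console_list_unlock();
 */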

/**
 * nbcon_device_try_acquire - Try to acquire nbcon console and enter unsafe
 *				section
 * @con:	The nbcon console to acquire
 *
 * Context:	Under the locking mechanism implemented in
 *		@con->device_lock() including disabling migration.
 * Return:	True if the console was acquired. False otherwise.
 *
 * Console drivers will usually use their own internal synchronization
 * mechanism to synchronize between console printing and non-printing
 * activities (such as setting baud rates). However, nbcon console drivers
 * supporting atomic consoles may also want to mark unsafe sections when
 * performing non-printing activities in order to synchronize against their
 * write_atomic() callback.
 *
 * This function acquires the nbcon console using priority NBCON_PRIO_NORMAL
 * and marks it unsafe for handover/takeover.
 */
bool nbcon_device_try_acquire(struct console *con)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(con, nbcon_device_ctxt);

	cant_migrate();

	memset(ctxt, 0, sizeof(*ctxt));
	ctxt->console = con;
	ctxt->prio = NBCON_PRIO_NORMAL;

	if (!nbcon_context_try_acquire(ctxt, false))
		return false;

	if (!nbcon_context_enter_unsafe(ctxt))
		return false;

	return true;
}
EXPORT_SYMBOL_GPL(nbcon_device_try_acquire);

/**
 * nbcon_device_release - Exit unsafe section and release the nbcon console
 * @con:	The nbcon console acquired in nbcon_device_try_acquire()
 */
void nbcon_device_release(struct console *con)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(con, nbcon_device_ctxt);
	struct console_flush_type ft;
	int cookie;

	if (!nbcon_context_exit_unsafe(ctxt))
		return;

	nbcon_context_release(ctxt);

	/*
	 * This context must flush any new records added while the console
	 * was locked if the printer thread is not available to do it. The
	 * console_srcu_read_lock must be taken to ensure the console is
	 * usable throughout flushing.
	 */
	cookie = console_srcu_read_lock();
	printk_get_console_flush_type(&ft);
	if (console_is_usable(con, console_srcu_read_flags(con), true) &&
	    !ft.nbcon_offload &&
	    prb_read_valid(prb, nbcon_seq_read(con), NULL)) {
		/*
		 * If nbcon_atomic flushing is not available, fall back to
		 * using the legacy loop.
		 */
		if (ft.nbcon_atomic) {
			__nbcon_atomic_flush_pending_con(con, prb_next_reserve_seq(prb), false);
		} else if (ft.legacy_direct) {
			if (console_trylock())
				console_unlock();
		} else if (ft.legacy_offload) {
			printk_trigger_flush();
		}
	}
	console_srcu_read_unlock(cookie);
}
EXPORT_SYMBOL_GPL(nbcon_device_release);
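
/*
 * Usage sketch (illustrative): a uart-style driver synchronizing a
 * non-printing hardware access against its write_atomic() callback, where
 * hypothetical_program_baud_rate() stands in for the driver-specific work:
 *
 *	con->device_lock(con, &flags);
 *	if (nbcon_device_try_acquire(con)) {
 *		hypothetical_program_baud_rate(port, baud);
 *		nbcon_device_release(con);
 *	}
 *	con->device_unlock(con, flags);
 *
 * The device_lock() callback disables migration, satisfying the context
 * requirement of nbcon_device_try_acquire().
 */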