xref: /linux/kernel/printk/printk_ringbuffer.c (revision 79790b6818e96c58fe2bffee1b418c16e64e7b80)
1 // SPDX-License-Identifier: GPL-2.0
2 
3 #include <linux/kernel.h>
4 #include <linux/irqflags.h>
5 #include <linux/string.h>
6 #include <linux/errno.h>
7 #include <linux/bug.h>
8 #include "printk_ringbuffer.h"
9 #include "internal.h"
10 
11 /**
12  * DOC: printk_ringbuffer overview
13  *
14  * Data Structure
15  * --------------
16  * The printk_ringbuffer is made up of 3 internal ringbuffers:
17  *
18  *   desc_ring
19  *     A ring of descriptors and their meta data (such as sequence number,
20  *     timestamp, loglevel, etc.) as well as internal state information about
21  *     the record and logical positions specifying where in the other
22  *     ringbuffer the text strings are located.
23  *
24  *   text_data_ring
25  *     A ring of data blocks. A data block consists of an unsigned long
26  *     integer (ID) that maps to a desc_ring index followed by the text
27  *     string of the record.
28  *
29  * The internal state information of a descriptor is the key element to allow
30  * readers and writers to locklessly synchronize access to the data.
31  *
32  * Implementation
33  * --------------
34  *
35  * Descriptor Ring
36  * ~~~~~~~~~~~~~~~
37  * The descriptor ring is an array of descriptors. A descriptor contains
38  * essential meta data to track the data of a printk record using
39  * blk_lpos structs pointing to associated text data blocks (see
40  * "Data Rings" below). Each descriptor is assigned an ID that maps
41  * directly to index values of the descriptor array and has a state. The ID
42  * and the state are bitwise combined into a single descriptor field named
43  * @state_var, allowing ID and state to be synchronously and atomically
44  * updated.
45  *
46  * Descriptors have four states:
47  *
48  *   reserved
49  *     A writer is modifying the record.
50  *
51  *   committed
52  *     The record and all its data are written. A writer can reopen the
53  *     descriptor (transitioning it back to reserved), but in the committed
54  *     state the data is consistent.
55  *
56  *   finalized
57  *     The record and all its data are complete and available for reading. A
58  *     writer cannot reopen the descriptor.
59  *
60  *   reusable
61  *     The record exists, but its text and/or meta data may no longer be
62  *     available.
63  *
64  * Querying the @state_var of a record requires providing the ID of the
65  * descriptor to query. This can yield a possible fifth (pseudo) state:
66  *
67  *   miss
68  *     The descriptor being queried has an unexpected ID.
69  *
70  * The descriptor ring has a @tail_id that contains the ID of the oldest
71  * descriptor and @head_id that contains the ID of the newest descriptor.
72  *
73  * When a new descriptor should be created (and the ring is full), the tail
74  * descriptor is invalidated by first transitioning to the reusable state and
75  * then invalidating all tail data blocks up to and including the data blocks
76  * associated with the tail descriptor (for the text ring). Then
77  * @tail_id is advanced, followed by advancing @head_id. And finally the
78  * @state_var of the new descriptor is initialized to the new ID and reserved
79  * state.
80  *
81  * The @tail_id can only be advanced if the new @tail_id would be in the
82  * committed or reusable queried state. This makes it possible that a valid
83  * sequence number of the tail is always available.
84  *
85  * Descriptor Finalization
86  * ~~~~~~~~~~~~~~~~~~~~~~~
87  * When a writer calls the commit function prb_commit(), record data is
88  * fully stored and is consistent within the ringbuffer. However, a writer can
89  * reopen that record, claiming exclusive access (as with prb_reserve()), and
90  * modify that record. When finished, the writer must again commit the record.
91  *
92  * In order for a record to be made available to readers (and also become
93  * recyclable for writers), it must be finalized. A finalized record cannot be
94  * reopened and can never become "unfinalized". Record finalization can occur
95  * in three different scenarios:
96  *
97  *   1) A writer can simultaneously commit and finalize its record by calling
98  *      prb_final_commit() instead of prb_commit().
99  *
100  *   2) When a new record is reserved and the previous record has been
101  *      committed via prb_commit(), that previous record is automatically
102  *      finalized.
103  *
104  *   3) When a record is committed via prb_commit() and a newer record
105  *      already exists, the record being committed is automatically finalized.
106  *
107  * Data Ring
108  * ~~~~~~~~~
109  * The text data ring is a byte array composed of data blocks. Data blocks are
110  * referenced by blk_lpos structs that point to the logical position of the
111  * beginning of a data block and the beginning of the next adjacent data
112  * block. Logical positions are mapped directly to index values of the byte
113  * array ringbuffer.
114  *
115  * Each data block consists of an ID followed by the writer data. The ID is
116  * the identifier of a descriptor that is associated with the data block. A
117  * given data block is considered valid if all of the following conditions
118  * are met:
119  *
120  *   1) The descriptor associated with the data block is in the committed
121  *      or finalized queried state.
122  *
123  *   2) The blk_lpos struct within the descriptor associated with the data
124  *      block references back to the same data block.
125  *
126  *   3) The data block is within the head/tail logical position range.
127  *
128  * If the writer data of a data block would extend beyond the end of the
129  * byte array, only the ID of the data block is stored at the logical
130  * position and the full data block (ID and writer data) is stored at the
131  * beginning of the byte array. The referencing blk_lpos will point to the
132  * ID before the wrap and the next data block will be at the logical
133  * position adjacent the full data block after the wrap.
134  *
135  * Data rings have a @tail_lpos that points to the beginning of the oldest
136  * data block and a @head_lpos that points to the logical position of the
137  * next (not yet existing) data block.
138  *
139  * When a new data block should be created (and the ring is full), tail data
140  * blocks will first be invalidated by putting their associated descriptors
141  * into the reusable state and then pushing the @tail_lpos forward beyond
142  * them. Then the @head_lpos is pushed forward and is associated with a new
143  * descriptor. If a data block is not valid, the @tail_lpos cannot be
144  * advanced beyond it.
145  *
146  * Info Array
147  * ~~~~~~~~~~
148  * The general meta data of printk records are stored in printk_info structs,
149  * stored in an array with the same number of elements as the descriptor ring.
150  * Each info corresponds to the descriptor of the same index in the
151  * descriptor ring. Info validity is confirmed by evaluating the corresponding
152  * descriptor before and after loading the info.
153  *
154  * Usage
155  * -----
156  * Here are some simple examples demonstrating writers and readers. For the
157  * examples a global ringbuffer (test_rb) is available (which is not the
158  * actual ringbuffer used by printk)::
159  *
160  *	DEFINE_PRINTKRB(test_rb, 15, 5);
161  *
162  * This ringbuffer allows up to 32768 records (2 ^ 15) and has a size of
163  * 1 MiB (2 ^ (15 + 5)) for text data.
164  *
165  * Sample writer code::
166  *
167  *	const char *textstr = "message text";
168  *	struct prb_reserved_entry e;
169  *	struct printk_record r;
170  *
171  *	// specify how much to allocate
172  *	prb_rec_init_wr(&r, strlen(textstr) + 1);
173  *
174  *	if (prb_reserve(&e, &test_rb, &r)) {
175  *		snprintf(r.text_buf, r.text_buf_size, "%s", textstr);
176  *
177  *		r.info->text_len = strlen(textstr);
178  *		r.info->ts_nsec = local_clock();
179  *		r.info->caller_id = printk_caller_id();
180  *
181  *		// commit and finalize the record
182  *		prb_final_commit(&e);
183  *	}
184  *
185  * Note that additional writer functions are available to extend a record
186  * after it has been committed but not yet finalized. This can be done as
187  * long as no new records have been reserved and the caller is the same.
188  *
189  * Sample writer code (record extending)::
190  *
191  *		// alternate rest of previous example
192  *
193  *		r.info->text_len = strlen(textstr);
194  *		r.info->ts_nsec = local_clock();
195  *		r.info->caller_id = printk_caller_id();
196  *
197  *		// commit the record (but do not finalize yet)
198  *		prb_commit(&e);
199  *	}
200  *
201  *	...
202  *
203  *	// specify additional 5 bytes text space to extend
204  *	prb_rec_init_wr(&r, 5);
205  *
206  *	// try to extend, but only if it does not exceed 32 bytes
207  *	if (prb_reserve_in_last(&e, &test_rb, &r, printk_caller_id(), 32)) {
208  *		snprintf(&r.text_buf[r.info->text_len],
209  *			 r.text_buf_size - r.info->text_len, "hello");
210  *
211  *		r.info->text_len += 5;
212  *
213  *		// commit and finalize the record
214  *		prb_final_commit(&e);
215  *	}
216  *
217  * Sample reader code::
218  *
219  *	struct printk_info info;
220  *	struct printk_record r;
221  *	char text_buf[32];
222  *	u64 seq;
223  *
224  *	prb_rec_init_rd(&r, &info, &text_buf[0], sizeof(text_buf));
225  *
226  *	prb_for_each_record(0, &test_rb, &seq, &r) {
227  *		if (info.seq != seq)
228  *			pr_warn("lost %llu records\n", info.seq - seq);
229  *
230  *		if (info.text_len > r.text_buf_size) {
231  *			pr_warn("record %llu text truncated\n", info.seq);
232  *			text_buf[r.text_buf_size - 1] = 0;
233  *		}
234  *
235  *		pr_info("%llu: %llu: %s\n", info.seq, info.ts_nsec,
236  *			&text_buf[0]);
237  *	}
238  *
239  * Note that additional less convenient reader functions are available to
240  * allow complex record access.
241  *
242  * ABA Issues
243  * ~~~~~~~~~~
244  * To help avoid ABA issues, descriptors are referenced by IDs (array index
245  * values combined with tagged bits counting array wraps) and data blocks are
246  * referenced by logical positions (array index values combined with tagged
247  * bits counting array wraps). However, on 32-bit systems the number of
248  * tagged bits is relatively small such that an ABA incident is (at least
249  * theoretically) possible. For example, if 4 million maximally sized (1KiB)
250  * printk messages were to occur in NMI context on a 32-bit system, the
251  * interrupted context would not be able to recognize that the 32-bit integer
252  * completely wrapped and thus represents a different data block than the one
253  * the interrupted context expects.
254  *
255  * To help combat this possibility, additional state checking is performed
256  * (such as using cmpxchg() even though set() would suffice). These extra
257  * checks are commented as such and will hopefully catch any ABA issue that
258  * a 32-bit system might experience.
259  *
260  * Memory Barriers
261  * ~~~~~~~~~~~~~~~
262  * Multiple memory barriers are used. To simplify proving correctness and
263  * generating litmus tests, lines of code related to memory barriers
264  * (loads, stores, and the associated memory barriers) are labeled::
265  *
266  *	LMM(function:letter)
267  *
268  * Comments reference the labels using only the "function:letter" part.
269  *
270  * The memory barrier pairs and their ordering are:
271  *
272  *   desc_reserve:D / desc_reserve:B
273  *     push descriptor tail (id), then push descriptor head (id)
274  *
275  *   desc_reserve:D / data_push_tail:B
276  *     push data tail (lpos), then set new descriptor reserved (state)
277  *
278  *   desc_reserve:D / desc_push_tail:C
279  *     push descriptor tail (id), then set new descriptor reserved (state)
280  *
281  *   desc_reserve:D / prb_first_seq:C
282  *     push descriptor tail (id), then set new descriptor reserved (state)
283  *
284  *   desc_reserve:F / desc_read:D
285  *     set new descriptor id and reserved (state), then allow writer changes
286  *
287  *   data_alloc:A (or data_realloc:A) / desc_read:D
288  *     set old descriptor reusable (state), then modify new data block area
289  *
290  *   data_alloc:A (or data_realloc:A) / data_push_tail:B
291  *     push data tail (lpos), then modify new data block area
292  *
293  *   _prb_commit:B / desc_read:B
294  *     store writer changes, then set new descriptor committed (state)
295  *
296  *   desc_reopen_last:A / _prb_commit:B
297  *     set descriptor reserved (state), then read descriptor data
298  *
299  *   _prb_commit:B / desc_reserve:D
300  *     set new descriptor committed (state), then check descriptor head (id)
301  *
302  *   data_push_tail:D / data_push_tail:A
303  *     set descriptor reusable (state), then push data tail (lpos)
304  *
305  *   desc_push_tail:B / desc_reserve:D
306  *     set descriptor reusable (state), then push descriptor tail (id)
307  *
308  *   desc_update_last_finalized:A / desc_last_finalized_seq:A
309  *     store finalized record, then set new highest finalized sequence number
310  */
311 
312 #define DATA_SIZE(data_ring)		_DATA_SIZE((data_ring)->size_bits)
313 #define DATA_SIZE_MASK(data_ring)	(DATA_SIZE(data_ring) - 1)
314 
315 #define DESCS_COUNT(desc_ring)		_DESCS_COUNT((desc_ring)->count_bits)
316 #define DESCS_COUNT_MASK(desc_ring)	(DESCS_COUNT(desc_ring) - 1)
317 
318 /* Determine the data array index from a logical position. */
319 #define DATA_INDEX(data_ring, lpos)	((lpos) & DATA_SIZE_MASK(data_ring))
320 
321 /* Determine the desc array index from an ID or sequence number. */
322 #define DESC_INDEX(desc_ring, n)	((n) & DESCS_COUNT_MASK(desc_ring))
323 
324 /* Determine how many times the data array has wrapped. */
325 #define DATA_WRAPS(data_ring, lpos)	((lpos) >> (data_ring)->size_bits)
326 
327 /* Determine if a logical position refers to a data-less block. */
328 #define LPOS_DATALESS(lpos)		((lpos) & 1UL)
329 #define BLK_DATALESS(blk)		(LPOS_DATALESS((blk)->begin) && \
330 					 LPOS_DATALESS((blk)->next))
331 
332 /* Get the logical position at index 0 of the current wrap. */
333 #define DATA_THIS_WRAP_START_LPOS(data_ring, lpos) \
334 ((lpos) & ~DATA_SIZE_MASK(data_ring))
335 
336 /* Get the ID for the same index of the previous wrap as the given ID. */
337 #define DESC_ID_PREV_WRAP(desc_ring, id) \
338 DESC_ID((id) - DESCS_COUNT(desc_ring))
339 
340 /*
341  * A data block: mapped directly to the beginning of the data block area
342  * specified as a logical position within the data ring.
343  *
344  * @id:   the ID of the associated descriptor
345  * @data: the writer data
346  *
347  * Note that the size of a data block is only known by its associated
348  * descriptor.
349  */
350 struct prb_data_block {
351 	unsigned long	id;
352 	char		data[];
353 };
354 
355 /*
356  * Return the descriptor associated with @n. @n can be either a
357  * descriptor ID or a sequence number.
358  */
to_desc(struct prb_desc_ring * desc_ring,u64 n)359 static struct prb_desc *to_desc(struct prb_desc_ring *desc_ring, u64 n)
360 {
361 	return &desc_ring->descs[DESC_INDEX(desc_ring, n)];
362 }
363 
364 /*
365  * Return the printk_info associated with @n. @n can be either a
366  * descriptor ID or a sequence number.
367  */
to_info(struct prb_desc_ring * desc_ring,u64 n)368 static struct printk_info *to_info(struct prb_desc_ring *desc_ring, u64 n)
369 {
370 	return &desc_ring->infos[DESC_INDEX(desc_ring, n)];
371 }
372 
to_block(struct prb_data_ring * data_ring,unsigned long begin_lpos)373 static struct prb_data_block *to_block(struct prb_data_ring *data_ring,
374 				       unsigned long begin_lpos)
375 {
376 	return (void *)&data_ring->data[DATA_INDEX(data_ring, begin_lpos)];
377 }
378 
379 /*
380  * Increase the data size to account for data block meta data plus any
381  * padding so that the adjacent data block is aligned on the ID size.
382  */
to_blk_size(unsigned int size)383 static unsigned int to_blk_size(unsigned int size)
384 {
385 	struct prb_data_block *db = NULL;
386 
387 	size += sizeof(*db);
388 	size = ALIGN(size, sizeof(db->id));
389 	return size;
390 }
391 
392 /*
393  * Sanity checker for reserve size. The ringbuffer code assumes that a data
394  * block does not exceed the maximum possible size that could fit within the
395  * ringbuffer. This function provides that basic size check so that the
396  * assumption is safe.
397  */
data_check_size(struct prb_data_ring * data_ring,unsigned int size)398 static bool data_check_size(struct prb_data_ring *data_ring, unsigned int size)
399 {
400 	struct prb_data_block *db = NULL;
401 
402 	if (size == 0)
403 		return true;
404 
405 	/*
406 	 * Ensure the alignment padded size could possibly fit in the data
407 	 * array. The largest possible data block must still leave room for
408 	 * at least the ID of the next block.
409 	 */
410 	size = to_blk_size(size);
411 	if (size > DATA_SIZE(data_ring) - sizeof(db->id))
412 		return false;
413 
414 	return true;
415 }
416 
417 /* Query the state of a descriptor. */
get_desc_state(unsigned long id,unsigned long state_val)418 static enum desc_state get_desc_state(unsigned long id,
419 				      unsigned long state_val)
420 {
421 	if (id != DESC_ID(state_val))
422 		return desc_miss;
423 
424 	return DESC_STATE(state_val);
425 }
426 
427 /*
428  * Get a copy of a specified descriptor and return its queried state. If the
429  * descriptor is in an inconsistent state (miss or reserved), the caller can
430  * only expect the descriptor's @state_var field to be valid.
431  *
432  * The sequence number and caller_id can be optionally retrieved. Like all
433  * non-state_var data, they are only valid if the descriptor is in a
434  * consistent state.
435  */
desc_read(struct prb_desc_ring * desc_ring,unsigned long id,struct prb_desc * desc_out,u64 * seq_out,u32 * caller_id_out)436 static enum desc_state desc_read(struct prb_desc_ring *desc_ring,
437 				 unsigned long id, struct prb_desc *desc_out,
438 				 u64 *seq_out, u32 *caller_id_out)
439 {
440 	struct printk_info *info = to_info(desc_ring, id);
441 	struct prb_desc *desc = to_desc(desc_ring, id);
442 	atomic_long_t *state_var = &desc->state_var;
443 	enum desc_state d_state;
444 	unsigned long state_val;
445 
446 	/* Check the descriptor state. */
447 	state_val = atomic_long_read(state_var); /* LMM(desc_read:A) */
448 	d_state = get_desc_state(id, state_val);
449 	if (d_state == desc_miss || d_state == desc_reserved) {
450 		/*
451 		 * The descriptor is in an inconsistent state. Set at least
452 		 * @state_var so that the caller can see the details of
453 		 * the inconsistent state.
454 		 */
455 		goto out;
456 	}
457 
458 	/*
459 	 * Guarantee the state is loaded before copying the descriptor
460 	 * content. This avoids copying obsolete descriptor content that might
461 	 * not apply to the descriptor state. This pairs with _prb_commit:B.
462 	 *
463 	 * Memory barrier involvement:
464 	 *
465 	 * If desc_read:A reads from _prb_commit:B, then desc_read:C reads
466 	 * from _prb_commit:A.
467 	 *
468 	 * Relies on:
469 	 *
470 	 * WMB from _prb_commit:A to _prb_commit:B
471 	 *    matching
472 	 * RMB from desc_read:A to desc_read:C
473 	 */
474 	smp_rmb(); /* LMM(desc_read:B) */
475 
476 	/*
477 	 * Copy the descriptor data. The data is not valid until the
478 	 * state has been re-checked. A memcpy() for all of @desc
479 	 * cannot be used because of the atomic_t @state_var field.
480 	 */
481 	if (desc_out) {
482 		memcpy(&desc_out->text_blk_lpos, &desc->text_blk_lpos,
483 		       sizeof(desc_out->text_blk_lpos)); /* LMM(desc_read:C) */
484 	}
485 	if (seq_out)
486 		*seq_out = info->seq; /* also part of desc_read:C */
487 	if (caller_id_out)
488 		*caller_id_out = info->caller_id; /* also part of desc_read:C */
489 
490 	/*
491 	 * 1. Guarantee the descriptor content is loaded before re-checking
492 	 *    the state. This avoids reading an obsolete descriptor state
493 	 *    that may not apply to the copied content. This pairs with
494 	 *    desc_reserve:F.
495 	 *
496 	 *    Memory barrier involvement:
497 	 *
498 	 *    If desc_read:C reads from desc_reserve:G, then desc_read:E
499 	 *    reads from desc_reserve:F.
500 	 *
501 	 *    Relies on:
502 	 *
503 	 *    WMB from desc_reserve:F to desc_reserve:G
504 	 *       matching
505 	 *    RMB from desc_read:C to desc_read:E
506 	 *
507 	 * 2. Guarantee the record data is loaded before re-checking the
508 	 *    state. This avoids reading an obsolete descriptor state that may
509 	 *    not apply to the copied data. This pairs with data_alloc:A and
510 	 *    data_realloc:A.
511 	 *
512 	 *    Memory barrier involvement:
513 	 *
514 	 *    If copy_data:A reads from data_alloc:B, then desc_read:E
515 	 *    reads from desc_make_reusable:A.
516 	 *
517 	 *    Relies on:
518 	 *
519 	 *    MB from desc_make_reusable:A to data_alloc:B
520 	 *       matching
521 	 *    RMB from desc_read:C to desc_read:E
522 	 *
523 	 *    Note: desc_make_reusable:A and data_alloc:B can be different
524 	 *          CPUs. However, the data_alloc:B CPU (which performs the
525 	 *          full memory barrier) must have previously seen
526 	 *          desc_make_reusable:A.
527 	 */
528 	smp_rmb(); /* LMM(desc_read:D) */
529 
530 	/*
531 	 * The data has been copied. Return the current descriptor state,
532 	 * which may have changed since the load above.
533 	 */
534 	state_val = atomic_long_read(state_var); /* LMM(desc_read:E) */
535 	d_state = get_desc_state(id, state_val);
536 out:
537 	if (desc_out)
538 		atomic_long_set(&desc_out->state_var, state_val);
539 	return d_state;
540 }
541 
542 /*
543  * Take a specified descriptor out of the finalized state by attempting
544  * the transition from finalized to reusable. Either this context or some
545  * other context will have been successful.
546  */
desc_make_reusable(struct prb_desc_ring * desc_ring,unsigned long id)547 static void desc_make_reusable(struct prb_desc_ring *desc_ring,
548 			       unsigned long id)
549 {
550 	unsigned long val_finalized = DESC_SV(id, desc_finalized);
551 	unsigned long val_reusable = DESC_SV(id, desc_reusable);
552 	struct prb_desc *desc = to_desc(desc_ring, id);
553 	atomic_long_t *state_var = &desc->state_var;
554 
555 	atomic_long_cmpxchg_relaxed(state_var, val_finalized,
556 				    val_reusable); /* LMM(desc_make_reusable:A) */
557 }
558 
559 /*
560  * Given the text data ring, put the associated descriptor of each
561  * data block from @lpos_begin until @lpos_end into the reusable state.
562  *
563  * If there is any problem making the associated descriptor reusable, either
564  * the descriptor has not yet been finalized or another writer context has
565  * already pushed the tail lpos past the problematic data block. Regardless,
566  * on error the caller can re-load the tail lpos to determine the situation.
567  */
data_make_reusable(struct printk_ringbuffer * rb,unsigned long lpos_begin,unsigned long lpos_end,unsigned long * lpos_out)568 static bool data_make_reusable(struct printk_ringbuffer *rb,
569 			       unsigned long lpos_begin,
570 			       unsigned long lpos_end,
571 			       unsigned long *lpos_out)
572 {
573 
574 	struct prb_data_ring *data_ring = &rb->text_data_ring;
575 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
576 	struct prb_data_block *blk;
577 	enum desc_state d_state;
578 	struct prb_desc desc;
579 	struct prb_data_blk_lpos *blk_lpos = &desc.text_blk_lpos;
580 	unsigned long id;
581 
582 	/* Loop until @lpos_begin has advanced to or beyond @lpos_end. */
583 	while ((lpos_end - lpos_begin) - 1 < DATA_SIZE(data_ring)) {
584 		blk = to_block(data_ring, lpos_begin);
585 
586 		/*
587 		 * Load the block ID from the data block. This is a data race
588 		 * against a writer that may have newly reserved this data
589 		 * area. If the loaded value matches a valid descriptor ID,
590 		 * the blk_lpos of that descriptor will be checked to make
591 		 * sure it points back to this data block. If the check fails,
592 		 * the data area has been recycled by another writer.
593 		 */
594 		id = blk->id; /* LMM(data_make_reusable:A) */
595 
596 		d_state = desc_read(desc_ring, id, &desc,
597 				    NULL, NULL); /* LMM(data_make_reusable:B) */
598 
599 		switch (d_state) {
600 		case desc_miss:
601 		case desc_reserved:
602 		case desc_committed:
603 			return false;
604 		case desc_finalized:
605 			/*
606 			 * This data block is invalid if the descriptor
607 			 * does not point back to it.
608 			 */
609 			if (blk_lpos->begin != lpos_begin)
610 				return false;
611 			desc_make_reusable(desc_ring, id);
612 			break;
613 		case desc_reusable:
614 			/*
615 			 * This data block is invalid if the descriptor
616 			 * does not point back to it.
617 			 */
618 			if (blk_lpos->begin != lpos_begin)
619 				return false;
620 			break;
621 		}
622 
623 		/* Advance @lpos_begin to the next data block. */
624 		lpos_begin = blk_lpos->next;
625 	}
626 
627 	*lpos_out = lpos_begin;
628 	return true;
629 }
630 
631 /*
632  * Advance the data ring tail to at least @lpos. This function puts
633  * descriptors into the reusable state if the tail is pushed beyond
634  * their associated data block.
635  */
data_push_tail(struct printk_ringbuffer * rb,unsigned long lpos)636 static bool data_push_tail(struct printk_ringbuffer *rb, unsigned long lpos)
637 {
638 	struct prb_data_ring *data_ring = &rb->text_data_ring;
639 	unsigned long tail_lpos_new;
640 	unsigned long tail_lpos;
641 	unsigned long next_lpos;
642 
643 	/* If @lpos is from a data-less block, there is nothing to do. */
644 	if (LPOS_DATALESS(lpos))
645 		return true;
646 
647 	/*
648 	 * Any descriptor states that have transitioned to reusable due to the
649 	 * data tail being pushed to this loaded value will be visible to this
650 	 * CPU. This pairs with data_push_tail:D.
651 	 *
652 	 * Memory barrier involvement:
653 	 *
654 	 * If data_push_tail:A reads from data_push_tail:D, then this CPU can
655 	 * see desc_make_reusable:A.
656 	 *
657 	 * Relies on:
658 	 *
659 	 * MB from desc_make_reusable:A to data_push_tail:D
660 	 *    matches
661 	 * READFROM from data_push_tail:D to data_push_tail:A
662 	 *    thus
663 	 * READFROM from desc_make_reusable:A to this CPU
664 	 */
665 	tail_lpos = atomic_long_read(&data_ring->tail_lpos); /* LMM(data_push_tail:A) */
666 
667 	/*
668 	 * Loop until the tail lpos is at or beyond @lpos. This condition
669 	 * may already be satisfied, resulting in no full memory barrier
670 	 * from data_push_tail:D being performed. However, since this CPU
671 	 * sees the new tail lpos, any descriptor states that transitioned to
672 	 * the reusable state must already be visible.
673 	 */
674 	while ((lpos - tail_lpos) - 1 < DATA_SIZE(data_ring)) {
675 		/*
676 		 * Make all descriptors reusable that are associated with
677 		 * data blocks before @lpos.
678 		 */
679 		if (!data_make_reusable(rb, tail_lpos, lpos, &next_lpos)) {
680 			/*
681 			 * 1. Guarantee the block ID loaded in
682 			 *    data_make_reusable() is performed before
683 			 *    reloading the tail lpos. The failed
684 			 *    data_make_reusable() may be due to a newly
685 			 *    recycled data area causing the tail lpos to
686 			 *    have been previously pushed. This pairs with
687 			 *    data_alloc:A and data_realloc:A.
688 			 *
689 			 *    Memory barrier involvement:
690 			 *
691 			 *    If data_make_reusable:A reads from data_alloc:B,
692 			 *    then data_push_tail:C reads from
693 			 *    data_push_tail:D.
694 			 *
695 			 *    Relies on:
696 			 *
697 			 *    MB from data_push_tail:D to data_alloc:B
698 			 *       matching
699 			 *    RMB from data_make_reusable:A to
700 			 *    data_push_tail:C
701 			 *
702 			 *    Note: data_push_tail:D and data_alloc:B can be
703 			 *          different CPUs. However, the data_alloc:B
704 			 *          CPU (which performs the full memory
705 			 *          barrier) must have previously seen
706 			 *          data_push_tail:D.
707 			 *
708 			 * 2. Guarantee the descriptor state loaded in
709 			 *    data_make_reusable() is performed before
710 			 *    reloading the tail lpos. The failed
711 			 *    data_make_reusable() may be due to a newly
712 			 *    recycled descriptor causing the tail lpos to
713 			 *    have been previously pushed. This pairs with
714 			 *    desc_reserve:D.
715 			 *
716 			 *    Memory barrier involvement:
717 			 *
718 			 *    If data_make_reusable:B reads from
719 			 *    desc_reserve:F, then data_push_tail:C reads
720 			 *    from data_push_tail:D.
721 			 *
722 			 *    Relies on:
723 			 *
724 			 *    MB from data_push_tail:D to desc_reserve:F
725 			 *       matching
726 			 *    RMB from data_make_reusable:B to
727 			 *    data_push_tail:C
728 			 *
729 			 *    Note: data_push_tail:D and desc_reserve:F can
730 			 *          be different CPUs. However, the
731 			 *          desc_reserve:F CPU (which performs the
732 			 *          full memory barrier) must have previously
733 			 *          seen data_push_tail:D.
734 			 */
735 			smp_rmb(); /* LMM(data_push_tail:B) */
736 
737 			tail_lpos_new = atomic_long_read(&data_ring->tail_lpos
738 							); /* LMM(data_push_tail:C) */
739 			if (tail_lpos_new == tail_lpos)
740 				return false;
741 
742 			/* Another CPU pushed the tail. Try again. */
743 			tail_lpos = tail_lpos_new;
744 			continue;
745 		}
746 
747 		/*
748 		 * Guarantee any descriptor states that have transitioned to
749 		 * reusable are stored before pushing the tail lpos. A full
750 		 * memory barrier is needed since other CPUs may have made
751 		 * the descriptor states reusable. This pairs with
752 		 * data_push_tail:A.
753 		 */
754 		if (atomic_long_try_cmpxchg(&data_ring->tail_lpos, &tail_lpos,
755 					    next_lpos)) { /* LMM(data_push_tail:D) */
756 			break;
757 		}
758 	}
759 
760 	return true;
761 }
762 
763 /*
764  * Advance the desc ring tail. This function advances the tail by one
765  * descriptor, thus invalidating the oldest descriptor. Before advancing
766  * the tail, the tail descriptor is made reusable and all data blocks up to
767  * and including the descriptor's data block are invalidated (i.e. the data
768  * ring tail is pushed past the data block of the descriptor being made
769  * reusable).
770  */
desc_push_tail(struct printk_ringbuffer * rb,unsigned long tail_id)771 static bool desc_push_tail(struct printk_ringbuffer *rb,
772 			   unsigned long tail_id)
773 {
774 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
775 	enum desc_state d_state;
776 	struct prb_desc desc;
777 
778 	d_state = desc_read(desc_ring, tail_id, &desc, NULL, NULL);
779 
780 	switch (d_state) {
781 	case desc_miss:
782 		/*
783 		 * If the ID is exactly 1 wrap behind the expected, it is
784 		 * in the process of being reserved by another writer and
785 		 * must be considered reserved.
786 		 */
787 		if (DESC_ID(atomic_long_read(&desc.state_var)) ==
788 		    DESC_ID_PREV_WRAP(desc_ring, tail_id)) {
789 			return false;
790 		}
791 
792 		/*
793 		 * The ID has changed. Another writer must have pushed the
794 		 * tail and recycled the descriptor already. Success is
795 		 * returned because the caller is only interested in the
796 		 * specified tail being pushed, which it was.
797 		 */
798 		return true;
799 	case desc_reserved:
800 	case desc_committed:
801 		return false;
802 	case desc_finalized:
803 		desc_make_reusable(desc_ring, tail_id);
804 		break;
805 	case desc_reusable:
806 		break;
807 	}
808 
809 	/*
810 	 * Data blocks must be invalidated before their associated
811 	 * descriptor can be made available for recycling. Invalidating
812 	 * them later is not possible because there is no way to trust
813 	 * data blocks once their associated descriptor is gone.
814 	 */
815 
816 	if (!data_push_tail(rb, desc.text_blk_lpos.next))
817 		return false;
818 
819 	/*
820 	 * Check the next descriptor after @tail_id before pushing the tail
821 	 * to it because the tail must always be in a finalized or reusable
822 	 * state. The implementation of prb_first_seq() relies on this.
823 	 *
824 	 * A successful read implies that the next descriptor is less than or
825 	 * equal to @head_id so there is no risk of pushing the tail past the
826 	 * head.
827 	 */
828 	d_state = desc_read(desc_ring, DESC_ID(tail_id + 1), &desc,
829 			    NULL, NULL); /* LMM(desc_push_tail:A) */
830 
831 	if (d_state == desc_finalized || d_state == desc_reusable) {
832 		/*
833 		 * Guarantee any descriptor states that have transitioned to
834 		 * reusable are stored before pushing the tail ID. This allows
835 		 * verifying the recycled descriptor state. A full memory
836 		 * barrier is needed since other CPUs may have made the
837 		 * descriptor states reusable. This pairs with desc_reserve:D.
838 		 */
839 		atomic_long_cmpxchg(&desc_ring->tail_id, tail_id,
840 				    DESC_ID(tail_id + 1)); /* LMM(desc_push_tail:B) */
841 	} else {
842 		/*
843 		 * Guarantee the last state load from desc_read() is before
844 		 * reloading @tail_id in order to see a new tail ID in the
845 		 * case that the descriptor has been recycled. This pairs
846 		 * with desc_reserve:D.
847 		 *
848 		 * Memory barrier involvement:
849 		 *
850 		 * If desc_push_tail:A reads from desc_reserve:F, then
851 		 * desc_push_tail:D reads from desc_push_tail:B.
852 		 *
853 		 * Relies on:
854 		 *
855 		 * MB from desc_push_tail:B to desc_reserve:F
856 		 *    matching
857 		 * RMB from desc_push_tail:A to desc_push_tail:D
858 		 *
859 		 * Note: desc_push_tail:B and desc_reserve:F can be different
860 		 *       CPUs. However, the desc_reserve:F CPU (which performs
861 		 *       the full memory barrier) must have previously seen
862 		 *       desc_push_tail:B.
863 		 */
864 		smp_rmb(); /* LMM(desc_push_tail:C) */
865 
866 		/*
867 		 * Re-check the tail ID. The descriptor following @tail_id is
868 		 * not in an allowed tail state. But if the tail has since
869 		 * been moved by another CPU, then it does not matter.
870 		 */
871 		if (atomic_long_read(&desc_ring->tail_id) == tail_id) /* LMM(desc_push_tail:D) */
872 			return false;
873 	}
874 
875 	return true;
876 }
877 
878 /* Reserve a new descriptor, invalidating the oldest if necessary. */
desc_reserve(struct printk_ringbuffer * rb,unsigned long * id_out)879 static bool desc_reserve(struct printk_ringbuffer *rb, unsigned long *id_out)
880 {
881 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
882 	unsigned long prev_state_val;
883 	unsigned long id_prev_wrap;
884 	struct prb_desc *desc;
885 	unsigned long head_id;
886 	unsigned long id;
887 
888 	head_id = atomic_long_read(&desc_ring->head_id); /* LMM(desc_reserve:A) */
889 
890 	do {
891 		id = DESC_ID(head_id + 1);
892 		id_prev_wrap = DESC_ID_PREV_WRAP(desc_ring, id);
893 
894 		/*
895 		 * Guarantee the head ID is read before reading the tail ID.
896 		 * Since the tail ID is updated before the head ID, this
897 		 * guarantees that @id_prev_wrap is never ahead of the tail
898 		 * ID. This pairs with desc_reserve:D.
899 		 *
900 		 * Memory barrier involvement:
901 		 *
902 		 * If desc_reserve:A reads from desc_reserve:D, then
903 		 * desc_reserve:C reads from desc_push_tail:B.
904 		 *
905 		 * Relies on:
906 		 *
907 		 * MB from desc_push_tail:B to desc_reserve:D
908 		 *    matching
909 		 * RMB from desc_reserve:A to desc_reserve:C
910 		 *
911 		 * Note: desc_push_tail:B and desc_reserve:D can be different
912 		 *       CPUs. However, the desc_reserve:D CPU (which performs
913 		 *       the full memory barrier) must have previously seen
914 		 *       desc_push_tail:B.
915 		 */
916 		smp_rmb(); /* LMM(desc_reserve:B) */
917 
918 		if (id_prev_wrap == atomic_long_read(&desc_ring->tail_id
919 						    )) { /* LMM(desc_reserve:C) */
920 			/*
921 			 * Make space for the new descriptor by
922 			 * advancing the tail.
923 			 */
924 			if (!desc_push_tail(rb, id_prev_wrap))
925 				return false;
926 		}
927 
928 		/*
929 		 * 1. Guarantee the tail ID is read before validating the
930 		 *    recycled descriptor state. A read memory barrier is
931 		 *    sufficient for this. This pairs with desc_push_tail:B.
932 		 *
933 		 *    Memory barrier involvement:
934 		 *
935 		 *    If desc_reserve:C reads from desc_push_tail:B, then
936 		 *    desc_reserve:E reads from desc_make_reusable:A.
937 		 *
938 		 *    Relies on:
939 		 *
940 		 *    MB from desc_make_reusable:A to desc_push_tail:B
941 		 *       matching
942 		 *    RMB from desc_reserve:C to desc_reserve:E
943 		 *
944 		 *    Note: desc_make_reusable:A and desc_push_tail:B can be
945 		 *          different CPUs. However, the desc_push_tail:B CPU
946 		 *          (which performs the full memory barrier) must have
947 		 *          previously seen desc_make_reusable:A.
948 		 *
949 		 * 2. Guarantee the tail ID is stored before storing the head
950 		 *    ID. This pairs with desc_reserve:B.
951 		 *
952 		 * 3. Guarantee any data ring tail changes are stored before
953 		 *    recycling the descriptor. Data ring tail changes can
954 		 *    happen via desc_push_tail()->data_push_tail(). A full
955 		 *    memory barrier is needed since another CPU may have
956 		 *    pushed the data ring tails. This pairs with
957 		 *    data_push_tail:B.
958 		 *
959 		 * 4. Guarantee a new tail ID is stored before recycling the
960 		 *    descriptor. A full memory barrier is needed since
961 		 *    another CPU may have pushed the tail ID. This pairs
962 		 *    with desc_push_tail:C and this also pairs with
963 		 *    prb_first_seq:C.
964 		 *
965 		 * 5. Guarantee the head ID is stored before trying to
966 		 *    finalize the previous descriptor. This pairs with
967 		 *    _prb_commit:B.
968 		 */
969 	} while (!atomic_long_try_cmpxchg(&desc_ring->head_id, &head_id,
970 					  id)); /* LMM(desc_reserve:D) */
971 
972 	desc = to_desc(desc_ring, id);
973 
974 	/*
975 	 * If the descriptor has been recycled, verify the old state val.
976 	 * See "ABA Issues" about why this verification is performed.
977 	 */
978 	prev_state_val = atomic_long_read(&desc->state_var); /* LMM(desc_reserve:E) */
979 	if (prev_state_val &&
980 	    get_desc_state(id_prev_wrap, prev_state_val) != desc_reusable) {
981 		WARN_ON_ONCE(1);
982 		return false;
983 	}
984 
985 	/*
986 	 * Assign the descriptor a new ID and set its state to reserved.
987 	 * See "ABA Issues" about why cmpxchg() instead of set() is used.
988 	 *
989 	 * Guarantee the new descriptor ID and state is stored before making
990 	 * any other changes. A write memory barrier is sufficient for this.
991 	 * This pairs with desc_read:D.
992 	 */
993 	if (!atomic_long_try_cmpxchg(&desc->state_var, &prev_state_val,
994 			DESC_SV(id, desc_reserved))) { /* LMM(desc_reserve:F) */
995 		WARN_ON_ONCE(1);
996 		return false;
997 	}
998 
999 	/* Now data in @desc can be modified: LMM(desc_reserve:G) */
1000 
1001 	*id_out = id;
1002 	return true;
1003 }
1004 
1005 /* Determine the end of a data block. */
get_next_lpos(struct prb_data_ring * data_ring,unsigned long lpos,unsigned int size)1006 static unsigned long get_next_lpos(struct prb_data_ring *data_ring,
1007 				   unsigned long lpos, unsigned int size)
1008 {
1009 	unsigned long begin_lpos;
1010 	unsigned long next_lpos;
1011 
1012 	begin_lpos = lpos;
1013 	next_lpos = lpos + size;
1014 
1015 	/* First check if the data block does not wrap. */
1016 	if (DATA_WRAPS(data_ring, begin_lpos) == DATA_WRAPS(data_ring, next_lpos))
1017 		return next_lpos;
1018 
1019 	/* Wrapping data blocks store their data at the beginning. */
1020 	return (DATA_THIS_WRAP_START_LPOS(data_ring, next_lpos) + size);
1021 }
1022 
1023 /*
1024  * Allocate a new data block, invalidating the oldest data block(s)
1025  * if necessary. This function also associates the data block with
1026  * a specified descriptor.
1027  */
data_alloc(struct printk_ringbuffer * rb,unsigned int size,struct prb_data_blk_lpos * blk_lpos,unsigned long id)1028 static char *data_alloc(struct printk_ringbuffer *rb, unsigned int size,
1029 			struct prb_data_blk_lpos *blk_lpos, unsigned long id)
1030 {
1031 	struct prb_data_ring *data_ring = &rb->text_data_ring;
1032 	struct prb_data_block *blk;
1033 	unsigned long begin_lpos;
1034 	unsigned long next_lpos;
1035 
1036 	if (size == 0) {
1037 		/*
1038 		 * Data blocks are not created for empty lines. Instead, the
1039 		 * reader will recognize these special lpos values and handle
1040 		 * it appropriately.
1041 		 */
1042 		blk_lpos->begin = EMPTY_LINE_LPOS;
1043 		blk_lpos->next = EMPTY_LINE_LPOS;
1044 		return NULL;
1045 	}
1046 
1047 	size = to_blk_size(size);
1048 
1049 	begin_lpos = atomic_long_read(&data_ring->head_lpos);
1050 
1051 	do {
1052 		next_lpos = get_next_lpos(data_ring, begin_lpos, size);
1053 
1054 		if (!data_push_tail(rb, next_lpos - DATA_SIZE(data_ring))) {
1055 			/* Failed to allocate, specify a data-less block. */
1056 			blk_lpos->begin = FAILED_LPOS;
1057 			blk_lpos->next = FAILED_LPOS;
1058 			return NULL;
1059 		}
1060 
1061 		/*
1062 		 * 1. Guarantee any descriptor states that have transitioned
1063 		 *    to reusable are stored before modifying the newly
1064 		 *    allocated data area. A full memory barrier is needed
1065 		 *    since other CPUs may have made the descriptor states
1066 		 *    reusable. See data_push_tail:A about why the reusable
1067 		 *    states are visible. This pairs with desc_read:D.
1068 		 *
1069 		 * 2. Guarantee any updated tail lpos is stored before
1070 		 *    modifying the newly allocated data area. Another CPU may
1071 		 *    be in data_make_reusable() and is reading a block ID
1072 		 *    from this area. data_make_reusable() can handle reading
1073 		 *    a garbage block ID value, but then it must be able to
1074 		 *    load a new tail lpos. A full memory barrier is needed
1075 		 *    since other CPUs may have updated the tail lpos. This
1076 		 *    pairs with data_push_tail:B.
1077 		 */
1078 	} while (!atomic_long_try_cmpxchg(&data_ring->head_lpos, &begin_lpos,
1079 					  next_lpos)); /* LMM(data_alloc:A) */
1080 
1081 	blk = to_block(data_ring, begin_lpos);
1082 	blk->id = id; /* LMM(data_alloc:B) */
1083 
1084 	if (DATA_WRAPS(data_ring, begin_lpos) != DATA_WRAPS(data_ring, next_lpos)) {
1085 		/* Wrapping data blocks store their data at the beginning. */
1086 		blk = to_block(data_ring, 0);
1087 
1088 		/*
1089 		 * Store the ID on the wrapped block for consistency.
1090 		 * The printk_ringbuffer does not actually use it.
1091 		 */
1092 		blk->id = id;
1093 	}
1094 
1095 	blk_lpos->begin = begin_lpos;
1096 	blk_lpos->next = next_lpos;
1097 
1098 	return &blk->data[0];
1099 }
1100 
1101 /*
1102  * Try to resize an existing data block associated with the descriptor
1103  * specified by @id. If the resized data block should become wrapped, it
1104  * copies the old data to the new data block. If @size yields a data block
1105  * with the same or less size, the data block is left as is.
1106  *
1107  * Fail if this is not the last allocated data block or if there is not
1108  * enough space or it is not possible make enough space.
1109  *
1110  * Return a pointer to the beginning of the entire data buffer or NULL on
1111  * failure.
1112  */
data_realloc(struct printk_ringbuffer * rb,unsigned int size,struct prb_data_blk_lpos * blk_lpos,unsigned long id)1113 static char *data_realloc(struct printk_ringbuffer *rb, unsigned int size,
1114 			  struct prb_data_blk_lpos *blk_lpos, unsigned long id)
1115 {
1116 	struct prb_data_ring *data_ring = &rb->text_data_ring;
1117 	struct prb_data_block *blk;
1118 	unsigned long head_lpos;
1119 	unsigned long next_lpos;
1120 	bool wrapped;
1121 
1122 	/* Reallocation only works if @blk_lpos is the newest data block. */
1123 	head_lpos = atomic_long_read(&data_ring->head_lpos);
1124 	if (head_lpos != blk_lpos->next)
1125 		return NULL;
1126 
1127 	/* Keep track if @blk_lpos was a wrapping data block. */
1128 	wrapped = (DATA_WRAPS(data_ring, blk_lpos->begin) != DATA_WRAPS(data_ring, blk_lpos->next));
1129 
1130 	size = to_blk_size(size);
1131 
1132 	next_lpos = get_next_lpos(data_ring, blk_lpos->begin, size);
1133 
1134 	/* If the data block does not increase, there is nothing to do. */
1135 	if (head_lpos - next_lpos < DATA_SIZE(data_ring)) {
1136 		if (wrapped)
1137 			blk = to_block(data_ring, 0);
1138 		else
1139 			blk = to_block(data_ring, blk_lpos->begin);
1140 		return &blk->data[0];
1141 	}
1142 
1143 	if (!data_push_tail(rb, next_lpos - DATA_SIZE(data_ring)))
1144 		return NULL;
1145 
1146 	/* The memory barrier involvement is the same as data_alloc:A. */
1147 	if (!atomic_long_try_cmpxchg(&data_ring->head_lpos, &head_lpos,
1148 				     next_lpos)) { /* LMM(data_realloc:A) */
1149 		return NULL;
1150 	}
1151 
1152 	blk = to_block(data_ring, blk_lpos->begin);
1153 
1154 	if (DATA_WRAPS(data_ring, blk_lpos->begin) != DATA_WRAPS(data_ring, next_lpos)) {
1155 		struct prb_data_block *old_blk = blk;
1156 
1157 		/* Wrapping data blocks store their data at the beginning. */
1158 		blk = to_block(data_ring, 0);
1159 
1160 		/*
1161 		 * Store the ID on the wrapped block for consistency.
1162 		 * The printk_ringbuffer does not actually use it.
1163 		 */
1164 		blk->id = id;
1165 
1166 		if (!wrapped) {
1167 			/*
1168 			 * Since the allocated space is now in the newly
1169 			 * created wrapping data block, copy the content
1170 			 * from the old data block.
1171 			 */
1172 			memcpy(&blk->data[0], &old_blk->data[0],
1173 			       (blk_lpos->next - blk_lpos->begin) - sizeof(blk->id));
1174 		}
1175 	}
1176 
1177 	blk_lpos->next = next_lpos;
1178 
1179 	return &blk->data[0];
1180 }
1181 
1182 /* Return the number of bytes used by a data block. */
space_used(struct prb_data_ring * data_ring,struct prb_data_blk_lpos * blk_lpos)1183 static unsigned int space_used(struct prb_data_ring *data_ring,
1184 			       struct prb_data_blk_lpos *blk_lpos)
1185 {
1186 	/* Data-less blocks take no space. */
1187 	if (BLK_DATALESS(blk_lpos))
1188 		return 0;
1189 
1190 	if (DATA_WRAPS(data_ring, blk_lpos->begin) == DATA_WRAPS(data_ring, blk_lpos->next)) {
1191 		/* Data block does not wrap. */
1192 		return (DATA_INDEX(data_ring, blk_lpos->next) -
1193 			DATA_INDEX(data_ring, blk_lpos->begin));
1194 	}
1195 
1196 	/*
1197 	 * For wrapping data blocks, the trailing (wasted) space is
1198 	 * also counted.
1199 	 */
1200 	return (DATA_INDEX(data_ring, blk_lpos->next) +
1201 		DATA_SIZE(data_ring) - DATA_INDEX(data_ring, blk_lpos->begin));
1202 }
1203 
1204 /*
1205  * Given @blk_lpos, return a pointer to the writer data from the data block
1206  * and calculate the size of the data part. A NULL pointer is returned if
1207  * @blk_lpos specifies values that could never be legal.
1208  *
1209  * This function (used by readers) performs strict validation on the lpos
1210  * values to possibly detect bugs in the writer code. A WARN_ON_ONCE() is
1211  * triggered if an internal error is detected.
1212  */
get_data(struct prb_data_ring * data_ring,struct prb_data_blk_lpos * blk_lpos,unsigned int * data_size)1213 static const char *get_data(struct prb_data_ring *data_ring,
1214 			    struct prb_data_blk_lpos *blk_lpos,
1215 			    unsigned int *data_size)
1216 {
1217 	struct prb_data_block *db;
1218 
1219 	/* Data-less data block description. */
1220 	if (BLK_DATALESS(blk_lpos)) {
1221 		/*
1222 		 * Records that are just empty lines are also valid, even
1223 		 * though they do not have a data block. For such records
1224 		 * explicitly return empty string data to signify success.
1225 		 */
1226 		if (blk_lpos->begin == EMPTY_LINE_LPOS &&
1227 		    blk_lpos->next == EMPTY_LINE_LPOS) {
1228 			*data_size = 0;
1229 			return "";
1230 		}
1231 
1232 		/* Data lost, invalid, or otherwise unavailable. */
1233 		return NULL;
1234 	}
1235 
1236 	/* Regular data block: @begin less than @next and in same wrap. */
1237 	if (DATA_WRAPS(data_ring, blk_lpos->begin) == DATA_WRAPS(data_ring, blk_lpos->next) &&
1238 	    blk_lpos->begin < blk_lpos->next) {
1239 		db = to_block(data_ring, blk_lpos->begin);
1240 		*data_size = blk_lpos->next - blk_lpos->begin;
1241 
1242 	/* Wrapping data block: @begin is one wrap behind @next. */
1243 	} else if (DATA_WRAPS(data_ring, blk_lpos->begin + DATA_SIZE(data_ring)) ==
1244 		   DATA_WRAPS(data_ring, blk_lpos->next)) {
1245 		db = to_block(data_ring, 0);
1246 		*data_size = DATA_INDEX(data_ring, blk_lpos->next);
1247 
1248 	/* Illegal block description. */
1249 	} else {
1250 		WARN_ON_ONCE(1);
1251 		return NULL;
1252 	}
1253 
1254 	/* A valid data block will always be aligned to the ID size. */
1255 	if (WARN_ON_ONCE(blk_lpos->begin != ALIGN(blk_lpos->begin, sizeof(db->id))) ||
1256 	    WARN_ON_ONCE(blk_lpos->next != ALIGN(blk_lpos->next, sizeof(db->id)))) {
1257 		return NULL;
1258 	}
1259 
1260 	/* A valid data block will always have at least an ID. */
1261 	if (WARN_ON_ONCE(*data_size < sizeof(db->id)))
1262 		return NULL;
1263 
1264 	/* Subtract block ID space from size to reflect data size. */
1265 	*data_size -= sizeof(db->id);
1266 
1267 	return &db->data[0];
1268 }
1269 
1270 /*
1271  * Attempt to transition the newest descriptor from committed back to reserved
1272  * so that the record can be modified by a writer again. This is only possible
1273  * if the descriptor is not yet finalized and the provided @caller_id matches.
1274  */
desc_reopen_last(struct prb_desc_ring * desc_ring,u32 caller_id,unsigned long * id_out)1275 static struct prb_desc *desc_reopen_last(struct prb_desc_ring *desc_ring,
1276 					 u32 caller_id, unsigned long *id_out)
1277 {
1278 	unsigned long prev_state_val;
1279 	enum desc_state d_state;
1280 	struct prb_desc desc;
1281 	struct prb_desc *d;
1282 	unsigned long id;
1283 	u32 cid;
1284 
1285 	id = atomic_long_read(&desc_ring->head_id);
1286 
1287 	/*
1288 	 * To reduce unnecessarily reopening, first check if the descriptor
1289 	 * state and caller ID are correct.
1290 	 */
1291 	d_state = desc_read(desc_ring, id, &desc, NULL, &cid);
1292 	if (d_state != desc_committed || cid != caller_id)
1293 		return NULL;
1294 
1295 	d = to_desc(desc_ring, id);
1296 
1297 	prev_state_val = DESC_SV(id, desc_committed);
1298 
1299 	/*
1300 	 * Guarantee the reserved state is stored before reading any
1301 	 * record data. A full memory barrier is needed because @state_var
1302 	 * modification is followed by reading. This pairs with _prb_commit:B.
1303 	 *
1304 	 * Memory barrier involvement:
1305 	 *
1306 	 * If desc_reopen_last:A reads from _prb_commit:B, then
1307 	 * prb_reserve_in_last:A reads from _prb_commit:A.
1308 	 *
1309 	 * Relies on:
1310 	 *
1311 	 * WMB from _prb_commit:A to _prb_commit:B
1312 	 *    matching
1313 	 * MB If desc_reopen_last:A to prb_reserve_in_last:A
1314 	 */
1315 	if (!atomic_long_try_cmpxchg(&d->state_var, &prev_state_val,
1316 			DESC_SV(id, desc_reserved))) { /* LMM(desc_reopen_last:A) */
1317 		return NULL;
1318 	}
1319 
1320 	*id_out = id;
1321 	return d;
1322 }
1323 
1324 /**
1325  * prb_reserve_in_last() - Re-reserve and extend the space in the ringbuffer
1326  *                         used by the newest record.
1327  *
1328  * @e:         The entry structure to setup.
1329  * @rb:        The ringbuffer to re-reserve and extend data in.
1330  * @r:         The record structure to allocate buffers for.
1331  * @caller_id: The caller ID of the caller (reserving writer).
1332  * @max_size:  Fail if the extended size would be greater than this.
1333  *
1334  * This is the public function available to writers to re-reserve and extend
1335  * data.
1336  *
1337  * The writer specifies the text size to extend (not the new total size) by
1338  * setting the @text_buf_size field of @r. To ensure proper initialization
1339  * of @r, prb_rec_init_wr() should be used.
1340  *
1341  * This function will fail if @caller_id does not match the caller ID of the
1342  * newest record. In that case the caller must reserve new data using
1343  * prb_reserve().
1344  *
1345  * Context: Any context. Disables local interrupts on success.
1346  * Return: true if text data could be extended, otherwise false.
1347  *
1348  * On success:
1349  *
1350  *   - @r->text_buf points to the beginning of the entire text buffer.
1351  *
1352  *   - @r->text_buf_size is set to the new total size of the buffer.
1353  *
1354  *   - @r->info is not touched so that @r->info->text_len could be used
1355  *     to append the text.
1356  *
1357  *   - prb_record_text_space() can be used on @e to query the new
1358  *     actually used space.
1359  *
1360  * Important: All @r->info fields will already be set with the current values
1361  *            for the record. I.e. @r->info->text_len will be less than
1362  *            @text_buf_size. Writers can use @r->info->text_len to know
1363  *            where concatenation begins and writers should update
1364  *            @r->info->text_len after concatenating.
1365  */
prb_reserve_in_last(struct prb_reserved_entry * e,struct printk_ringbuffer * rb,struct printk_record * r,u32 caller_id,unsigned int max_size)1366 bool prb_reserve_in_last(struct prb_reserved_entry *e, struct printk_ringbuffer *rb,
1367 			 struct printk_record *r, u32 caller_id, unsigned int max_size)
1368 {
1369 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
1370 	struct printk_info *info;
1371 	unsigned int data_size;
1372 	struct prb_desc *d;
1373 	unsigned long id;
1374 
1375 	local_irq_save(e->irqflags);
1376 
1377 	/* Transition the newest descriptor back to the reserved state. */
1378 	d = desc_reopen_last(desc_ring, caller_id, &id);
1379 	if (!d) {
1380 		local_irq_restore(e->irqflags);
1381 		goto fail_reopen;
1382 	}
1383 
1384 	/* Now the writer has exclusive access: LMM(prb_reserve_in_last:A) */
1385 
1386 	info = to_info(desc_ring, id);
1387 
1388 	/*
1389 	 * Set the @e fields here so that prb_commit() can be used if
1390 	 * anything fails from now on.
1391 	 */
1392 	e->rb = rb;
1393 	e->id = id;
1394 
1395 	/*
1396 	 * desc_reopen_last() checked the caller_id, but there was no
1397 	 * exclusive access at that point. The descriptor may have
1398 	 * changed since then.
1399 	 */
1400 	if (caller_id != info->caller_id)
1401 		goto fail;
1402 
1403 	if (BLK_DATALESS(&d->text_blk_lpos)) {
1404 		if (WARN_ON_ONCE(info->text_len != 0)) {
1405 			pr_warn_once("wrong text_len value (%hu, expecting 0)\n",
1406 				     info->text_len);
1407 			info->text_len = 0;
1408 		}
1409 
1410 		if (!data_check_size(&rb->text_data_ring, r->text_buf_size))
1411 			goto fail;
1412 
1413 		if (r->text_buf_size > max_size)
1414 			goto fail;
1415 
1416 		r->text_buf = data_alloc(rb, r->text_buf_size,
1417 					 &d->text_blk_lpos, id);
1418 	} else {
1419 		if (!get_data(&rb->text_data_ring, &d->text_blk_lpos, &data_size))
1420 			goto fail;
1421 
1422 		/*
1423 		 * Increase the buffer size to include the original size. If
1424 		 * the meta data (@text_len) is not sane, use the full data
1425 		 * block size.
1426 		 */
1427 		if (WARN_ON_ONCE(info->text_len > data_size)) {
1428 			pr_warn_once("wrong text_len value (%hu, expecting <=%u)\n",
1429 				     info->text_len, data_size);
1430 			info->text_len = data_size;
1431 		}
1432 		r->text_buf_size += info->text_len;
1433 
1434 		if (!data_check_size(&rb->text_data_ring, r->text_buf_size))
1435 			goto fail;
1436 
1437 		if (r->text_buf_size > max_size)
1438 			goto fail;
1439 
1440 		r->text_buf = data_realloc(rb, r->text_buf_size,
1441 					   &d->text_blk_lpos, id);
1442 	}
1443 	if (r->text_buf_size && !r->text_buf)
1444 		goto fail;
1445 
1446 	r->info = info;
1447 
1448 	e->text_space = space_used(&rb->text_data_ring, &d->text_blk_lpos);
1449 
1450 	return true;
1451 fail:
1452 	prb_commit(e);
1453 	/* prb_commit() re-enabled interrupts. */
1454 fail_reopen:
1455 	/* Make it clear to the caller that the re-reserve failed. */
1456 	memset(r, 0, sizeof(*r));
1457 	return false;
1458 }
1459 
1460 /*
1461  * @last_finalized_seq value guarantees that all records up to and including
1462  * this sequence number are finalized and can be read. The only exception are
1463  * too old records which have already been overwritten.
1464  *
1465  * It is also guaranteed that @last_finalized_seq only increases.
1466  *
1467  * Be aware that finalized records following non-finalized records are not
1468  * reported because they are not yet available to the reader. For example,
1469  * a new record stored via printk() will not be available to a printer if
1470  * it follows a record that has not been finalized yet. However, once that
1471  * non-finalized record becomes finalized, @last_finalized_seq will be
1472  * appropriately updated and the full set of finalized records will be
1473  * available to the printer. And since each printk() caller will either
1474  * directly print or trigger deferred printing of all available unprinted
1475  * records, all printk() messages will get printed.
1476  */
desc_last_finalized_seq(struct printk_ringbuffer * rb)1477 static u64 desc_last_finalized_seq(struct printk_ringbuffer *rb)
1478 {
1479 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
1480 	unsigned long ulseq;
1481 
1482 	/*
1483 	 * Guarantee the sequence number is loaded before loading the
1484 	 * associated record in order to guarantee that the record can be
1485 	 * seen by this CPU. This pairs with desc_update_last_finalized:A.
1486 	 */
1487 	ulseq = atomic_long_read_acquire(&desc_ring->last_finalized_seq
1488 					); /* LMM(desc_last_finalized_seq:A) */
1489 
1490 	return __ulseq_to_u64seq(rb, ulseq);
1491 }
1492 
1493 static bool _prb_read_valid(struct printk_ringbuffer *rb, u64 *seq,
1494 			    struct printk_record *r, unsigned int *line_count);
1495 
1496 /*
1497  * Check if there are records directly following @last_finalized_seq that are
1498  * finalized. If so, update @last_finalized_seq to the latest of these
1499  * records. It is not allowed to skip over records that are not yet finalized.
1500  */
desc_update_last_finalized(struct printk_ringbuffer * rb)1501 static void desc_update_last_finalized(struct printk_ringbuffer *rb)
1502 {
1503 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
1504 	u64 old_seq = desc_last_finalized_seq(rb);
1505 	unsigned long oldval;
1506 	unsigned long newval;
1507 	u64 finalized_seq;
1508 	u64 try_seq;
1509 
1510 try_again:
1511 	finalized_seq = old_seq;
1512 	try_seq = finalized_seq + 1;
1513 
1514 	/* Try to find later finalized records. */
1515 	while (_prb_read_valid(rb, &try_seq, NULL, NULL)) {
1516 		finalized_seq = try_seq;
1517 		try_seq++;
1518 	}
1519 
1520 	/* No update needed if no later finalized record was found. */
1521 	if (finalized_seq == old_seq)
1522 		return;
1523 
1524 	oldval = __u64seq_to_ulseq(old_seq);
1525 	newval = __u64seq_to_ulseq(finalized_seq);
1526 
1527 	/*
1528 	 * Set the sequence number of a later finalized record that has been
1529 	 * seen.
1530 	 *
1531 	 * Guarantee the record data is visible to other CPUs before storing
1532 	 * its sequence number. This pairs with desc_last_finalized_seq:A.
1533 	 *
1534 	 * Memory barrier involvement:
1535 	 *
1536 	 * If desc_last_finalized_seq:A reads from
1537 	 * desc_update_last_finalized:A, then desc_read:A reads from
1538 	 * _prb_commit:B.
1539 	 *
1540 	 * Relies on:
1541 	 *
1542 	 * RELEASE from _prb_commit:B to desc_update_last_finalized:A
1543 	 *    matching
1544 	 * ACQUIRE from desc_last_finalized_seq:A to desc_read:A
1545 	 *
1546 	 * Note: _prb_commit:B and desc_update_last_finalized:A can be
1547 	 *       different CPUs. However, the desc_update_last_finalized:A
1548 	 *       CPU (which performs the release) must have previously seen
1549 	 *       _prb_commit:B.
1550 	 */
1551 	if (!atomic_long_try_cmpxchg_release(&desc_ring->last_finalized_seq,
1552 				&oldval, newval)) { /* LMM(desc_update_last_finalized:A) */
1553 		old_seq = __ulseq_to_u64seq(rb, oldval);
1554 		goto try_again;
1555 	}
1556 }
1557 
1558 /*
1559  * Attempt to finalize a specified descriptor. If this fails, the descriptor
1560  * is either already final or it will finalize itself when the writer commits.
1561  */
desc_make_final(struct printk_ringbuffer * rb,unsigned long id)1562 static void desc_make_final(struct printk_ringbuffer *rb, unsigned long id)
1563 {
1564 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
1565 	unsigned long prev_state_val = DESC_SV(id, desc_committed);
1566 	struct prb_desc *d = to_desc(desc_ring, id);
1567 
1568 	if (atomic_long_try_cmpxchg_relaxed(&d->state_var, &prev_state_val,
1569 			DESC_SV(id, desc_finalized))) { /* LMM(desc_make_final:A) */
1570 		desc_update_last_finalized(rb);
1571 	}
1572 }
1573 
1574 /**
1575  * prb_reserve() - Reserve space in the ringbuffer.
1576  *
1577  * @e:  The entry structure to setup.
1578  * @rb: The ringbuffer to reserve data in.
1579  * @r:  The record structure to allocate buffers for.
1580  *
1581  * This is the public function available to writers to reserve data.
1582  *
1583  * The writer specifies the text size to reserve by setting the
1584  * @text_buf_size field of @r. To ensure proper initialization of @r,
1585  * prb_rec_init_wr() should be used.
1586  *
1587  * Context: Any context. Disables local interrupts on success.
1588  * Return: true if at least text data could be allocated, otherwise false.
1589  *
1590  * On success, the fields @info and @text_buf of @r will be set by this
1591  * function and should be filled in by the writer before committing. Also
1592  * on success, prb_record_text_space() can be used on @e to query the actual
1593  * space used for the text data block.
1594  *
1595  * Important: @info->text_len needs to be set correctly by the writer in
1596  *            order for data to be readable and/or extended. Its value
1597  *            is initialized to 0.
1598  */
prb_reserve(struct prb_reserved_entry * e,struct printk_ringbuffer * rb,struct printk_record * r)1599 bool prb_reserve(struct prb_reserved_entry *e, struct printk_ringbuffer *rb,
1600 		 struct printk_record *r)
1601 {
1602 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
1603 	struct printk_info *info;
1604 	struct prb_desc *d;
1605 	unsigned long id;
1606 	u64 seq;
1607 
1608 	if (!data_check_size(&rb->text_data_ring, r->text_buf_size))
1609 		goto fail;
1610 
1611 	/*
1612 	 * Descriptors in the reserved state act as blockers to all further
1613 	 * reservations once the desc_ring has fully wrapped. Disable
1614 	 * interrupts during the reserve/commit window in order to minimize
1615 	 * the likelihood of this happening.
1616 	 */
1617 	local_irq_save(e->irqflags);
1618 
1619 	if (!desc_reserve(rb, &id)) {
1620 		/* Descriptor reservation failures are tracked. */
1621 		atomic_long_inc(&rb->fail);
1622 		local_irq_restore(e->irqflags);
1623 		goto fail;
1624 	}
1625 
1626 	d = to_desc(desc_ring, id);
1627 	info = to_info(desc_ring, id);
1628 
1629 	/*
1630 	 * All @info fields (except @seq) are cleared and must be filled in
1631 	 * by the writer. Save @seq before clearing because it is used to
1632 	 * determine the new sequence number.
1633 	 */
1634 	seq = info->seq;
1635 	memset(info, 0, sizeof(*info));
1636 
1637 	/*
1638 	 * Set the @e fields here so that prb_commit() can be used if
1639 	 * text data allocation fails.
1640 	 */
1641 	e->rb = rb;
1642 	e->id = id;
1643 
1644 	/*
1645 	 * Initialize the sequence number if it has "never been set".
1646 	 * Otherwise just increment it by a full wrap.
1647 	 *
1648 	 * @seq is considered "never been set" if it has a value of 0,
1649 	 * _except_ for @infos[0], which was specially setup by the ringbuffer
1650 	 * initializer and therefore is always considered as set.
1651 	 *
1652 	 * See the "Bootstrap" comment block in printk_ringbuffer.h for
1653 	 * details about how the initializer bootstraps the descriptors.
1654 	 */
1655 	if (seq == 0 && DESC_INDEX(desc_ring, id) != 0)
1656 		info->seq = DESC_INDEX(desc_ring, id);
1657 	else
1658 		info->seq = seq + DESCS_COUNT(desc_ring);
1659 
1660 	/*
1661 	 * New data is about to be reserved. Once that happens, previous
1662 	 * descriptors are no longer able to be extended. Finalize the
1663 	 * previous descriptor now so that it can be made available to
1664 	 * readers. (For seq==0 there is no previous descriptor.)
1665 	 */
1666 	if (info->seq > 0)
1667 		desc_make_final(rb, DESC_ID(id - 1));
1668 
1669 	r->text_buf = data_alloc(rb, r->text_buf_size, &d->text_blk_lpos, id);
1670 	/* If text data allocation fails, a data-less record is committed. */
1671 	if (r->text_buf_size && !r->text_buf) {
1672 		prb_commit(e);
1673 		/* prb_commit() re-enabled interrupts. */
1674 		goto fail;
1675 	}
1676 
1677 	r->info = info;
1678 
1679 	/* Record full text space used by record. */
1680 	e->text_space = space_used(&rb->text_data_ring, &d->text_blk_lpos);
1681 
1682 	return true;
1683 fail:
1684 	/* Make it clear to the caller that the reserve failed. */
1685 	memset(r, 0, sizeof(*r));
1686 	return false;
1687 }
1688 
1689 /* Commit the data (possibly finalizing it) and restore interrupts. */
_prb_commit(struct prb_reserved_entry * e,unsigned long state_val)1690 static void _prb_commit(struct prb_reserved_entry *e, unsigned long state_val)
1691 {
1692 	struct prb_desc_ring *desc_ring = &e->rb->desc_ring;
1693 	struct prb_desc *d = to_desc(desc_ring, e->id);
1694 	unsigned long prev_state_val = DESC_SV(e->id, desc_reserved);
1695 
1696 	/* Now the writer has finished all writing: LMM(_prb_commit:A) */
1697 
1698 	/*
1699 	 * Set the descriptor as committed. See "ABA Issues" about why
1700 	 * cmpxchg() instead of set() is used.
1701 	 *
1702 	 * 1  Guarantee all record data is stored before the descriptor state
1703 	 *    is stored as committed. A write memory barrier is sufficient
1704 	 *    for this. This pairs with desc_read:B and desc_reopen_last:A.
1705 	 *
1706 	 * 2. Guarantee the descriptor state is stored as committed before
1707 	 *    re-checking the head ID in order to possibly finalize this
1708 	 *    descriptor. This pairs with desc_reserve:D.
1709 	 *
1710 	 *    Memory barrier involvement:
1711 	 *
1712 	 *    If prb_commit:A reads from desc_reserve:D, then
1713 	 *    desc_make_final:A reads from _prb_commit:B.
1714 	 *
1715 	 *    Relies on:
1716 	 *
1717 	 *    MB _prb_commit:B to prb_commit:A
1718 	 *       matching
1719 	 *    MB desc_reserve:D to desc_make_final:A
1720 	 */
1721 	if (!atomic_long_try_cmpxchg(&d->state_var, &prev_state_val,
1722 			DESC_SV(e->id, state_val))) { /* LMM(_prb_commit:B) */
1723 		WARN_ON_ONCE(1);
1724 	}
1725 
1726 	/* Restore interrupts, the reserve/commit window is finished. */
1727 	local_irq_restore(e->irqflags);
1728 }
1729 
1730 /**
1731  * prb_commit() - Commit (previously reserved) data to the ringbuffer.
1732  *
1733  * @e: The entry containing the reserved data information.
1734  *
1735  * This is the public function available to writers to commit data.
1736  *
1737  * Note that the data is not yet available to readers until it is finalized.
1738  * Finalizing happens automatically when space for the next record is
1739  * reserved.
1740  *
1741  * See prb_final_commit() for a version of this function that finalizes
1742  * immediately.
1743  *
1744  * Context: Any context. Enables local interrupts.
1745  */
prb_commit(struct prb_reserved_entry * e)1746 void prb_commit(struct prb_reserved_entry *e)
1747 {
1748 	struct prb_desc_ring *desc_ring = &e->rb->desc_ring;
1749 	unsigned long head_id;
1750 
1751 	_prb_commit(e, desc_committed);
1752 
1753 	/*
1754 	 * If this descriptor is no longer the head (i.e. a new record has
1755 	 * been allocated), extending the data for this record is no longer
1756 	 * allowed and therefore it must be finalized.
1757 	 */
1758 	head_id = atomic_long_read(&desc_ring->head_id); /* LMM(prb_commit:A) */
1759 	if (head_id != e->id)
1760 		desc_make_final(e->rb, e->id);
1761 }
1762 
1763 /**
1764  * prb_final_commit() - Commit and finalize (previously reserved) data to
1765  *                      the ringbuffer.
1766  *
1767  * @e: The entry containing the reserved data information.
1768  *
1769  * This is the public function available to writers to commit+finalize data.
1770  *
1771  * By finalizing, the data is made immediately available to readers.
1772  *
1773  * This function should only be used if there are no intentions of extending
1774  * this data using prb_reserve_in_last().
1775  *
1776  * Context: Any context. Enables local interrupts.
1777  */
prb_final_commit(struct prb_reserved_entry * e)1778 void prb_final_commit(struct prb_reserved_entry *e)
1779 {
1780 	_prb_commit(e, desc_finalized);
1781 
1782 	desc_update_last_finalized(e->rb);
1783 }
1784 
1785 /*
1786  * Count the number of lines in provided text. All text has at least 1 line
1787  * (even if @text_size is 0). Each '\n' processed is counted as an additional
1788  * line.
1789  */
count_lines(const char * text,unsigned int text_size)1790 static unsigned int count_lines(const char *text, unsigned int text_size)
1791 {
1792 	unsigned int next_size = text_size;
1793 	unsigned int line_count = 1;
1794 	const char *next = text;
1795 
1796 	while (next_size) {
1797 		next = memchr(next, '\n', next_size);
1798 		if (!next)
1799 			break;
1800 		line_count++;
1801 		next++;
1802 		next_size = text_size - (next - text);
1803 	}
1804 
1805 	return line_count;
1806 }
1807 
1808 /*
1809  * Given @blk_lpos, copy an expected @len of data into the provided buffer.
1810  * If @line_count is provided, count the number of lines in the data.
1811  *
1812  * This function (used by readers) performs strict validation on the data
1813  * size to possibly detect bugs in the writer code. A WARN_ON_ONCE() is
1814  * triggered if an internal error is detected.
1815  */
copy_data(struct prb_data_ring * data_ring,struct prb_data_blk_lpos * blk_lpos,u16 len,char * buf,unsigned int buf_size,unsigned int * line_count)1816 static bool copy_data(struct prb_data_ring *data_ring,
1817 		      struct prb_data_blk_lpos *blk_lpos, u16 len, char *buf,
1818 		      unsigned int buf_size, unsigned int *line_count)
1819 {
1820 	unsigned int data_size;
1821 	const char *data;
1822 
1823 	/* Caller might not want any data. */
1824 	if ((!buf || !buf_size) && !line_count)
1825 		return true;
1826 
1827 	data = get_data(data_ring, blk_lpos, &data_size);
1828 	if (!data)
1829 		return false;
1830 
1831 	/*
1832 	 * Actual cannot be less than expected. It can be more than expected
1833 	 * because of the trailing alignment padding.
1834 	 *
1835 	 * Note that invalid @len values can occur because the caller loads
1836 	 * the value during an allowed data race.
1837 	 */
1838 	if (data_size < (unsigned int)len)
1839 		return false;
1840 
1841 	/* Caller interested in the line count? */
1842 	if (line_count)
1843 		*line_count = count_lines(data, len);
1844 
1845 	/* Caller interested in the data content? */
1846 	if (!buf || !buf_size)
1847 		return true;
1848 
1849 	data_size = min_t(unsigned int, buf_size, len);
1850 
1851 	memcpy(&buf[0], data, data_size); /* LMM(copy_data:A) */
1852 	return true;
1853 }
1854 
1855 /*
1856  * This is an extended version of desc_read(). It gets a copy of a specified
1857  * descriptor. However, it also verifies that the record is finalized and has
1858  * the sequence number @seq. On success, 0 is returned.
1859  *
1860  * Error return values:
1861  * -EINVAL: A finalized record with sequence number @seq does not exist.
1862  * -ENOENT: A finalized record with sequence number @seq exists, but its data
1863  *          is not available. This is a valid record, so readers should
1864  *          continue with the next record.
1865  */
desc_read_finalized_seq(struct prb_desc_ring * desc_ring,unsigned long id,u64 seq,struct prb_desc * desc_out)1866 static int desc_read_finalized_seq(struct prb_desc_ring *desc_ring,
1867 				   unsigned long id, u64 seq,
1868 				   struct prb_desc *desc_out)
1869 {
1870 	struct prb_data_blk_lpos *blk_lpos = &desc_out->text_blk_lpos;
1871 	enum desc_state d_state;
1872 	u64 s;
1873 
1874 	d_state = desc_read(desc_ring, id, desc_out, &s, NULL);
1875 
1876 	/*
1877 	 * An unexpected @id (desc_miss) or @seq mismatch means the record
1878 	 * does not exist. A descriptor in the reserved or committed state
1879 	 * means the record does not yet exist for the reader.
1880 	 */
1881 	if (d_state == desc_miss ||
1882 	    d_state == desc_reserved ||
1883 	    d_state == desc_committed ||
1884 	    s != seq) {
1885 		return -EINVAL;
1886 	}
1887 
1888 	/*
1889 	 * A descriptor in the reusable state may no longer have its data
1890 	 * available; report it as existing but with lost data. Or the record
1891 	 * may actually be a record with lost data.
1892 	 */
1893 	if (d_state == desc_reusable ||
1894 	    (blk_lpos->begin == FAILED_LPOS && blk_lpos->next == FAILED_LPOS)) {
1895 		return -ENOENT;
1896 	}
1897 
1898 	return 0;
1899 }
1900 
1901 /*
1902  * Copy the ringbuffer data from the record with @seq to the provided
1903  * @r buffer. On success, 0 is returned.
1904  *
1905  * See desc_read_finalized_seq() for error return values.
1906  */
prb_read(struct printk_ringbuffer * rb,u64 seq,struct printk_record * r,unsigned int * line_count)1907 static int prb_read(struct printk_ringbuffer *rb, u64 seq,
1908 		    struct printk_record *r, unsigned int *line_count)
1909 {
1910 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
1911 	struct printk_info *info = to_info(desc_ring, seq);
1912 	struct prb_desc *rdesc = to_desc(desc_ring, seq);
1913 	atomic_long_t *state_var = &rdesc->state_var;
1914 	struct prb_desc desc;
1915 	unsigned long id;
1916 	int err;
1917 
1918 	/* Extract the ID, used to specify the descriptor to read. */
1919 	id = DESC_ID(atomic_long_read(state_var));
1920 
1921 	/* Get a local copy of the correct descriptor (if available). */
1922 	err = desc_read_finalized_seq(desc_ring, id, seq, &desc);
1923 
1924 	/*
1925 	 * If @r is NULL, the caller is only interested in the availability
1926 	 * of the record.
1927 	 */
1928 	if (err || !r)
1929 		return err;
1930 
1931 	/* If requested, copy meta data. */
1932 	if (r->info)
1933 		memcpy(r->info, info, sizeof(*(r->info)));
1934 
1935 	/* Copy text data. If it fails, this is a data-less record. */
1936 	if (!copy_data(&rb->text_data_ring, &desc.text_blk_lpos, info->text_len,
1937 		       r->text_buf, r->text_buf_size, line_count)) {
1938 		return -ENOENT;
1939 	}
1940 
1941 	/* Ensure the record is still finalized and has the same @seq. */
1942 	return desc_read_finalized_seq(desc_ring, id, seq, &desc);
1943 }
1944 
1945 /* Get the sequence number of the tail descriptor. */
prb_first_seq(struct printk_ringbuffer * rb)1946 u64 prb_first_seq(struct printk_ringbuffer *rb)
1947 {
1948 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
1949 	enum desc_state d_state;
1950 	struct prb_desc desc;
1951 	unsigned long id;
1952 	u64 seq;
1953 
1954 	for (;;) {
1955 		id = atomic_long_read(&rb->desc_ring.tail_id); /* LMM(prb_first_seq:A) */
1956 
1957 		d_state = desc_read(desc_ring, id, &desc, &seq, NULL); /* LMM(prb_first_seq:B) */
1958 
1959 		/*
1960 		 * This loop will not be infinite because the tail is
1961 		 * _always_ in the finalized or reusable state.
1962 		 */
1963 		if (d_state == desc_finalized || d_state == desc_reusable)
1964 			break;
1965 
1966 		/*
1967 		 * Guarantee the last state load from desc_read() is before
1968 		 * reloading @tail_id in order to see a new tail in the case
1969 		 * that the descriptor has been recycled. This pairs with
1970 		 * desc_reserve:D.
1971 		 *
1972 		 * Memory barrier involvement:
1973 		 *
1974 		 * If prb_first_seq:B reads from desc_reserve:F, then
1975 		 * prb_first_seq:A reads from desc_push_tail:B.
1976 		 *
1977 		 * Relies on:
1978 		 *
1979 		 * MB from desc_push_tail:B to desc_reserve:F
1980 		 *    matching
1981 		 * RMB prb_first_seq:B to prb_first_seq:A
1982 		 */
1983 		smp_rmb(); /* LMM(prb_first_seq:C) */
1984 	}
1985 
1986 	return seq;
1987 }
1988 
1989 /**
1990  * prb_next_reserve_seq() - Get the sequence number after the most recently
1991  *                  reserved record.
1992  *
1993  * @rb:  The ringbuffer to get the sequence number from.
1994  *
1995  * This is the public function available to readers to see what sequence
1996  * number will be assigned to the next reserved record.
1997  *
1998  * Note that depending on the situation, this value can be equal to or
1999  * higher than the sequence number returned by prb_next_seq().
2000  *
2001  * Context: Any context.
2002  * Return: The sequence number that will be assigned to the next record
2003  *         reserved.
2004  */
prb_next_reserve_seq(struct printk_ringbuffer * rb)2005 u64 prb_next_reserve_seq(struct printk_ringbuffer *rb)
2006 {
2007 	struct prb_desc_ring *desc_ring = &rb->desc_ring;
2008 	unsigned long last_finalized_id;
2009 	atomic_long_t *state_var;
2010 	u64 last_finalized_seq;
2011 	unsigned long head_id;
2012 	struct prb_desc desc;
2013 	unsigned long diff;
2014 	struct prb_desc *d;
2015 	int err;
2016 
2017 	/*
2018 	 * It may not be possible to read a sequence number for @head_id.
2019 	 * So the ID of @last_finailzed_seq is used to calculate what the
2020 	 * sequence number of @head_id will be.
2021 	 */
2022 
2023 try_again:
2024 	last_finalized_seq = desc_last_finalized_seq(rb);
2025 
2026 	/*
2027 	 * @head_id is loaded after @last_finalized_seq to ensure that
2028 	 * it points to the record with @last_finalized_seq or newer.
2029 	 *
2030 	 * Memory barrier involvement:
2031 	 *
2032 	 * If desc_last_finalized_seq:A reads from
2033 	 * desc_update_last_finalized:A, then
2034 	 * prb_next_reserve_seq:A reads from desc_reserve:D.
2035 	 *
2036 	 * Relies on:
2037 	 *
2038 	 * RELEASE from desc_reserve:D to desc_update_last_finalized:A
2039 	 *    matching
2040 	 * ACQUIRE from desc_last_finalized_seq:A to prb_next_reserve_seq:A
2041 	 *
2042 	 * Note: desc_reserve:D and desc_update_last_finalized:A can be
2043 	 *       different CPUs. However, the desc_update_last_finalized:A CPU
2044 	 *       (which performs the release) must have previously seen
2045 	 *       desc_read:C, which implies desc_reserve:D can be seen.
2046 	 */
2047 	head_id = atomic_long_read(&desc_ring->head_id); /* LMM(prb_next_reserve_seq:A) */
2048 
2049 	d = to_desc(desc_ring, last_finalized_seq);
2050 	state_var = &d->state_var;
2051 
2052 	/* Extract the ID, used to specify the descriptor to read. */
2053 	last_finalized_id = DESC_ID(atomic_long_read(state_var));
2054 
2055 	/* Ensure @last_finalized_id is correct. */
2056 	err = desc_read_finalized_seq(desc_ring, last_finalized_id, last_finalized_seq, &desc);
2057 
2058 	if (err == -EINVAL) {
2059 		if (last_finalized_seq == 0) {
2060 			/*
2061 			 * No record has been finalized or even reserved yet.
2062 			 *
2063 			 * The @head_id is initialized such that the first
2064 			 * increment will yield the first record (seq=0).
2065 			 * Handle it separately to avoid a negative @diff
2066 			 * below.
2067 			 */
2068 			if (head_id == DESC0_ID(desc_ring->count_bits))
2069 				return 0;
2070 
2071 			/*
2072 			 * One or more descriptors are already reserved. Use
2073 			 * the descriptor ID of the first one (@seq=0) for
2074 			 * the @diff below.
2075 			 */
2076 			last_finalized_id = DESC0_ID(desc_ring->count_bits) + 1;
2077 		} else {
2078 			/* Record must have been overwritten. Try again. */
2079 			goto try_again;
2080 		}
2081 	}
2082 
2083 	/* Diff of known descriptor IDs to compute related sequence numbers. */
2084 	diff = head_id - last_finalized_id;
2085 
2086 	/*
2087 	 * @head_id points to the most recently reserved record, but this
2088 	 * function returns the sequence number that will be assigned to the
2089 	 * next (not yet reserved) record. Thus +1 is needed.
2090 	 */
2091 	return (last_finalized_seq + diff + 1);
2092 }
2093 
2094 /*
2095  * Non-blocking read of a record.
2096  *
2097  * On success @seq is updated to the record that was read and (if provided)
2098  * @r and @line_count will contain the read/calculated data.
2099  *
2100  * On failure @seq is updated to a record that is not yet available to the
2101  * reader, but it will be the next record available to the reader.
2102  *
2103  * Note: When the current CPU is in panic, this function will skip over any
2104  *       non-existent/non-finalized records in order to allow the panic CPU
2105  *       to print any and all records that have been finalized.
2106  */
_prb_read_valid(struct printk_ringbuffer * rb,u64 * seq,struct printk_record * r,unsigned int * line_count)2107 static bool _prb_read_valid(struct printk_ringbuffer *rb, u64 *seq,
2108 			    struct printk_record *r, unsigned int *line_count)
2109 {
2110 	u64 tail_seq;
2111 	int err;
2112 
2113 	while ((err = prb_read(rb, *seq, r, line_count))) {
2114 		tail_seq = prb_first_seq(rb);
2115 
2116 		if (*seq < tail_seq) {
2117 			/*
2118 			 * Behind the tail. Catch up and try again. This
2119 			 * can happen for -ENOENT and -EINVAL cases.
2120 			 */
2121 			*seq = tail_seq;
2122 
2123 		} else if (err == -ENOENT) {
2124 			/* Record exists, but the data was lost. Skip. */
2125 			(*seq)++;
2126 
2127 		} else {
2128 			/*
2129 			 * Non-existent/non-finalized record. Must stop.
2130 			 *
2131 			 * For panic situations it cannot be expected that
2132 			 * non-finalized records will become finalized. But
2133 			 * there may be other finalized records beyond that
2134 			 * need to be printed for a panic situation. If this
2135 			 * is the panic CPU, skip this
2136 			 * non-existent/non-finalized record unless it is
2137 			 * at or beyond the head, in which case it is not
2138 			 * possible to continue.
2139 			 *
2140 			 * Note that new messages printed on panic CPU are
2141 			 * finalized when we are here. The only exception
2142 			 * might be the last message without trailing newline.
2143 			 * But it would have the sequence number returned
2144 			 * by "prb_next_reserve_seq() - 1".
2145 			 */
2146 			if (this_cpu_in_panic() && ((*seq + 1) < prb_next_reserve_seq(rb)))
2147 				(*seq)++;
2148 			else
2149 				return false;
2150 		}
2151 	}
2152 
2153 	return true;
2154 }
2155 
2156 /**
2157  * prb_read_valid() - Non-blocking read of a requested record or (if gone)
2158  *                    the next available record.
2159  *
2160  * @rb:  The ringbuffer to read from.
2161  * @seq: The sequence number of the record to read.
2162  * @r:   A record data buffer to store the read record to.
2163  *
2164  * This is the public function available to readers to read a record.
2165  *
2166  * The reader provides the @info and @text_buf buffers of @r to be
2167  * filled in. Any of the buffer pointers can be set to NULL if the reader
2168  * is not interested in that data. To ensure proper initialization of @r,
2169  * prb_rec_init_rd() should be used.
2170  *
2171  * Context: Any context.
2172  * Return: true if a record was read, otherwise false.
2173  *
2174  * On success, the reader must check r->info.seq to see which record was
2175  * actually read. This allows the reader to detect dropped records.
2176  *
2177  * Failure means @seq refers to a record not yet available to the reader.
2178  */
prb_read_valid(struct printk_ringbuffer * rb,u64 seq,struct printk_record * r)2179 bool prb_read_valid(struct printk_ringbuffer *rb, u64 seq,
2180 		    struct printk_record *r)
2181 {
2182 	return _prb_read_valid(rb, &seq, r, NULL);
2183 }
2184 
2185 /**
2186  * prb_read_valid_info() - Non-blocking read of meta data for a requested
2187  *                         record or (if gone) the next available record.
2188  *
2189  * @rb:         The ringbuffer to read from.
2190  * @seq:        The sequence number of the record to read.
2191  * @info:       A buffer to store the read record meta data to.
2192  * @line_count: A buffer to store the number of lines in the record text.
2193  *
2194  * This is the public function available to readers to read only the
2195  * meta data of a record.
2196  *
2197  * The reader provides the @info, @line_count buffers to be filled in.
2198  * Either of the buffer pointers can be set to NULL if the reader is not
2199  * interested in that data.
2200  *
2201  * Context: Any context.
2202  * Return: true if a record's meta data was read, otherwise false.
2203  *
2204  * On success, the reader must check info->seq to see which record meta data
2205  * was actually read. This allows the reader to detect dropped records.
2206  *
2207  * Failure means @seq refers to a record not yet available to the reader.
2208  */
prb_read_valid_info(struct printk_ringbuffer * rb,u64 seq,struct printk_info * info,unsigned int * line_count)2209 bool prb_read_valid_info(struct printk_ringbuffer *rb, u64 seq,
2210 			 struct printk_info *info, unsigned int *line_count)
2211 {
2212 	struct printk_record r;
2213 
2214 	prb_rec_init_rd(&r, info, NULL, 0);
2215 
2216 	return _prb_read_valid(rb, &seq, &r, line_count);
2217 }
2218 
2219 /**
2220  * prb_first_valid_seq() - Get the sequence number of the oldest available
2221  *                         record.
2222  *
2223  * @rb: The ringbuffer to get the sequence number from.
2224  *
2225  * This is the public function available to readers to see what the
2226  * first/oldest valid sequence number is.
2227  *
2228  * This provides readers a starting point to begin iterating the ringbuffer.
2229  *
2230  * Context: Any context.
2231  * Return: The sequence number of the first/oldest record or, if the
2232  *         ringbuffer is empty, 0 is returned.
2233  */
prb_first_valid_seq(struct printk_ringbuffer * rb)2234 u64 prb_first_valid_seq(struct printk_ringbuffer *rb)
2235 {
2236 	u64 seq = 0;
2237 
2238 	if (!_prb_read_valid(rb, &seq, NULL, NULL))
2239 		return 0;
2240 
2241 	return seq;
2242 }
2243 
2244 /**
2245  * prb_next_seq() - Get the sequence number after the last available record.
2246  *
2247  * @rb:  The ringbuffer to get the sequence number from.
2248  *
2249  * This is the public function available to readers to see what the next
2250  * newest sequence number available to readers will be.
2251  *
2252  * This provides readers a sequence number to jump to if all currently
2253  * available records should be skipped. It is guaranteed that all records
2254  * previous to the returned value have been finalized and are (or were)
2255  * available to the reader.
2256  *
2257  * Context: Any context.
2258  * Return: The sequence number of the next newest (not yet available) record
2259  *         for readers.
2260  */
prb_next_seq(struct printk_ringbuffer * rb)2261 u64 prb_next_seq(struct printk_ringbuffer *rb)
2262 {
2263 	u64 seq;
2264 
2265 	seq = desc_last_finalized_seq(rb);
2266 
2267 	/*
2268 	 * Begin searching after the last finalized record.
2269 	 *
2270 	 * On 0, the search must begin at 0 because of hack#2
2271 	 * of the bootstrapping phase it is not known if a
2272 	 * record at index 0 exists.
2273 	 */
2274 	if (seq != 0)
2275 		seq++;
2276 
2277 	/*
2278 	 * The information about the last finalized @seq might be inaccurate.
2279 	 * Search forward to find the current one.
2280 	 */
2281 	while (_prb_read_valid(rb, &seq, NULL, NULL))
2282 		seq++;
2283 
2284 	return seq;
2285 }
2286 
2287 /**
2288  * prb_init() - Initialize a ringbuffer to use provided external buffers.
2289  *
2290  * @rb:       The ringbuffer to initialize.
2291  * @text_buf: The data buffer for text data.
2292  * @textbits: The size of @text_buf as a power-of-2 value.
2293  * @descs:    The descriptor buffer for ringbuffer records.
2294  * @descbits: The count of @descs items as a power-of-2 value.
2295  * @infos:    The printk_info buffer for ringbuffer records.
2296  *
2297  * This is the public function available to writers to setup a ringbuffer
2298  * during runtime using provided buffers.
2299  *
2300  * This must match the initialization of DEFINE_PRINTKRB().
2301  *
2302  * Context: Any context.
2303  */
prb_init(struct printk_ringbuffer * rb,char * text_buf,unsigned int textbits,struct prb_desc * descs,unsigned int descbits,struct printk_info * infos)2304 void prb_init(struct printk_ringbuffer *rb,
2305 	      char *text_buf, unsigned int textbits,
2306 	      struct prb_desc *descs, unsigned int descbits,
2307 	      struct printk_info *infos)
2308 {
2309 	memset(descs, 0, _DESCS_COUNT(descbits) * sizeof(descs[0]));
2310 	memset(infos, 0, _DESCS_COUNT(descbits) * sizeof(infos[0]));
2311 
2312 	rb->desc_ring.count_bits = descbits;
2313 	rb->desc_ring.descs = descs;
2314 	rb->desc_ring.infos = infos;
2315 	atomic_long_set(&rb->desc_ring.head_id, DESC0_ID(descbits));
2316 	atomic_long_set(&rb->desc_ring.tail_id, DESC0_ID(descbits));
2317 	atomic_long_set(&rb->desc_ring.last_finalized_seq, 0);
2318 
2319 	rb->text_data_ring.size_bits = textbits;
2320 	rb->text_data_ring.data = text_buf;
2321 	atomic_long_set(&rb->text_data_ring.head_lpos, BLK0_LPOS(textbits));
2322 	atomic_long_set(&rb->text_data_ring.tail_lpos, BLK0_LPOS(textbits));
2323 
2324 	atomic_long_set(&rb->fail, 0);
2325 
2326 	atomic_long_set(&(descs[_DESCS_COUNT(descbits) - 1].state_var), DESC0_SV(descbits));
2327 	descs[_DESCS_COUNT(descbits) - 1].text_blk_lpos.begin = FAILED_LPOS;
2328 	descs[_DESCS_COUNT(descbits) - 1].text_blk_lpos.next = FAILED_LPOS;
2329 
2330 	infos[0].seq = -(u64)_DESCS_COUNT(descbits);
2331 	infos[_DESCS_COUNT(descbits) - 1].seq = 0;
2332 }
2333 
2334 /**
2335  * prb_record_text_space() - Query the full actual used ringbuffer space for
2336  *                           the text data of a reserved entry.
2337  *
2338  * @e: The successfully reserved entry to query.
2339  *
2340  * This is the public function available to writers to see how much actual
2341  * space is used in the ringbuffer to store the text data of the specified
2342  * entry.
2343  *
2344  * This function is only valid if @e has been successfully reserved using
2345  * prb_reserve().
2346  *
2347  * Context: Any context.
2348  * Return: The size in bytes used by the text data of the associated record.
2349  */
prb_record_text_space(struct prb_reserved_entry * e)2350 unsigned int prb_record_text_space(struct prb_reserved_entry *e)
2351 {
2352 	return e->text_space;
2353 }
2354