// SPDX-License-Identifier: GPL-2.0-only
// Copyright (C) 2022 Linutronix GmbH, John Ogness
// Copyright (C) 2022 Intel, Thomas Gleixner

#include <linux/atomic.h>
#include <linux/bug.h>
#include <linux/console.h>
#include <linux/delay.h>
#include <linux/errno.h>
#include <linux/export.h>
#include <linux/init.h>
#include <linux/irqflags.h>
#include <linux/kthread.h>
#include <linux/minmax.h>
#include <linux/percpu.h>
#include <linux/preempt.h>
#include <linux/slab.h>
#include <linux/smp.h>
#include <linux/stddef.h>
#include <linux/string.h>
#include <linux/types.h>
#include "internal.h"
#include "printk_ringbuffer.h"
/*
 * Printk console printing implementation for consoles which do not depend
 * on the legacy style console_lock mechanism.
 *
 * The state of the console is maintained in the "nbcon_state" atomic
 * variable.
 *
 * The console is locked when:
 *
 *   - The 'prio' field contains the priority of the context that owns the
 *     console. Only higher priority contexts are allowed to take over the
 *     lock. A value of 0 (NBCON_PRIO_NONE) means the console is not locked.
 *
 *   - The 'cpu' field denotes on which CPU the console is locked. It is used
 *     to prevent busy waiting on the same CPU. Also it informs the lock owner
 *     that it has lost the lock in a more complex scenario when the lock was
 *     taken over by a higher priority context, released, and taken on another
 *     CPU with the same priority as the interrupted owner.
 *
 * The acquire mechanism uses a few more fields:
 *
 *   - The 'req_prio' field is used by the handover approach to make the
 *     current owner aware that there is a context with a higher priority
 *     waiting for the friendly handover.
 *
 *   - The 'unsafe' field allows the console to be taken over safely in the
 *     middle of emitting a message. The field is set only when accessing some
 *     shared resources or when the console device is manipulated. It can be
 *     cleared, for example, after emitting one character when the console
 *     device is in a consistent state.
 *
 *   - The 'unsafe_takeover' field is set when a hostile takeover took the
 *     console in an unsafe state. The console will stay in the unsafe state
 *     until re-initialized.
 *
 * The acquire mechanism uses three approaches:
 *
 *   1) Direct acquire when the console is not owned or is owned by a lower
 *      priority context and is in a safe state.
 *
 *   2) Friendly handover mechanism uses a request/grant handshake. It is
 *      used when the current owner has lower priority and the console is in
 *      an unsafe state.
 *
 *      The requesting context:
 *
 *	a) Sets its priority into the 'req_prio' field.
 *
 *	b) Waits (with a timeout) for the owning context to unlock the
 *	   console.
 *
 *	c) Takes the lock and clears the 'req_prio' field.
 *
 *      The owning context:
 *
 *	a) Observes the 'req_prio' field set on exit from the unsafe
 *	   console state.
 *
 *	b) Gives up console ownership by clearing the 'prio' field.
 *
 *   3) Unsafe hostile takeover allows the lock to be taken over even when
 *      the console is in an unsafe state. It is used only in panic() by the
 *      final attempt to flush consoles in a try and hope mode.
 *
 *      Note that separate record buffers are used in panic(). As a result,
 *      the messages can be read and formatted without any risk even after
 *      using the hostile takeover in unsafe state.
 *
 * The release function simply clears the 'prio' field.
 *
 * All operations on @console::nbcon_state are atomic cmpxchg based to
 * handle concurrency.
 *
 * The acquire/release functions implement only minimal policies:
 *
 *   - Preference for higher priority contexts.
 *   - Protection of the panic CPU.
 *
 * All other policy decisions must be made at the call sites:
 *
 *   - What is marked as an unsafe section.
 *   - Whether to spin-wait if there is already an owner and the console is
 *     in an unsafe state.
 *   - Whether to attempt an unsafe hostile takeover.
 *
 * The design allows implementing the well known pattern:
 *
 *	acquire()
 *	output_one_printk_record()
 *	release()
 *
 * The output of one printk record might be interrupted with a higher priority
 * context. The new owner is supposed to reprint the entire interrupted record
 * from scratch.
 */
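/*
 * Illustrative sketch (not code used by this file; it mirrors what
 * nbcon_emit_one() below does): an acquire context is embedded in a write
 * context, ownership is acquired, one record is emitted and ownership is
 * released again. If nbcon_emit_next_record() returns false, ownership was
 * already lost or handed over and must not be released here:
 *
 *	struct nbcon_write_context wctxt = { };
 *	struct nbcon_context *ctxt = &ACCESS_PRIVATE(&wctxt, ctxt);
 *
 *	ctxt->console = con;
 *	ctxt->prio = NBCON_PRIO_NORMAL;
 *
 *	if (nbcon_context_try_acquire(ctxt, false)) {
 *		if (nbcon_emit_next_record(&wctxt, use_atomic))
 *			nbcon_context_release(ctxt);
 *	}
 */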

/**
 * nbcon_state_set - Helper function to set the console state
 * @con:	Console to update
 * @new:	The new state to write
 *
 * Only to be used when the console is not yet or no longer visible in the
 * system. Otherwise use nbcon_state_try_cmpxchg().
 */
static inline void nbcon_state_set(struct console *con, struct nbcon_state *new)
{
	atomic_set(&ACCESS_PRIVATE(con, nbcon_state), new->atom);
}

/**
 * nbcon_state_read - Helper function to read the console state
 * @con:	Console to read
 * @state:	The state to store the result
 */
static inline void nbcon_state_read(struct console *con, struct nbcon_state *state)
{
	state->atom = atomic_read(&ACCESS_PRIVATE(con, nbcon_state));
}

/**
 * nbcon_state_try_cmpxchg() - Helper function for atomic_try_cmpxchg() on console state
 * @con:	Console to update
 * @cur:	Old/expected state
 * @new:	New state
 *
 * Return: True on success. False on failure, and @cur is updated.
 */
static inline bool nbcon_state_try_cmpxchg(struct console *con, struct nbcon_state *cur,
					   struct nbcon_state *new)
{
	return atomic_try_cmpxchg(&ACCESS_PRIVATE(con, nbcon_state), &cur->atom, new->atom);
}

/**
 * nbcon_seq_read - Read the current console sequence
 * @con:	Console to read the sequence of
 *
 * Return:	Sequence number of the next record to print on @con.
 */
u64 nbcon_seq_read(struct console *con)
{
	unsigned long nbcon_seq = atomic_long_read(&ACCESS_PRIVATE(con, nbcon_seq));

	return __ulseq_to_u64seq(prb, nbcon_seq);
}

/**
 * nbcon_seq_force - Force console sequence to a specific value
 * @con:	Console to work on
 * @seq:	Sequence number value to set
 *
 * Only to be used during init (before registration) or in extreme situations
 * (such as panic with CONSOLE_REPLAY_ALL).
 */
void nbcon_seq_force(struct console *con, u64 seq)
{
	/*
	 * If the specified record no longer exists, the oldest available record
	 * is chosen. This is especially important on 32bit systems because only
	 * the lower 32 bits of the sequence number are stored. The upper 32 bits
	 * are derived from the sequence numbers available in the ringbuffer.
	 */
	u64 valid_seq = max_t(u64, seq, prb_first_valid_seq(prb));

	atomic_long_set(&ACCESS_PRIVATE(con, nbcon_seq), __u64seq_to_ulseq(valid_seq));
}
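/*
 * Illustrative usage sketch (assumed call sites, not taken from this file):
 * forcing the position before registration or for a log replay. prb_next_seq()
 * is the ringbuffer API for the next-to-be-assigned sequence number:
 *
 *	nbcon_seq_force(con, 0);			// oldest available record
 *	nbcon_seq_force(con, prb_next_seq(prb));	// only new records
 */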

/**
 * nbcon_seq_try_update - Try to update the console sequence number
 * @ctxt:	Pointer to an acquire context that contains
 *		all information about the acquire mode
 * @new_seq:	The new sequence number to set
 *
 * @ctxt->seq is updated to the new value of @con::nbcon_seq (expanded to
 * the 64bit value). This could be a different value than @new_seq if
 * nbcon_seq_force() was used or the current context no longer owns the
 * console. In the latter case, it will stop printing anyway.
 */
static void nbcon_seq_try_update(struct nbcon_context *ctxt, u64 new_seq)
{
	unsigned long nbcon_seq = __u64seq_to_ulseq(ctxt->seq);
	struct console *con = ctxt->console;

	if (atomic_long_try_cmpxchg(&ACCESS_PRIVATE(con, nbcon_seq), &nbcon_seq,
				    __u64seq_to_ulseq(new_seq))) {
		ctxt->seq = new_seq;
	} else {
		ctxt->seq = nbcon_seq_read(con);
	}
}

/**
 * nbcon_context_try_acquire_direct - Try to acquire directly
 * @ctxt:		The context of the caller
 * @cur:		The current console state
 * @is_reacquire:	This acquire is a reacquire
 *
 * Acquire the console when it is released. Also acquire the console when
 * the current owner has a lower priority and the console is in a safe state.
 *
 * Return: 0 on success. Otherwise, an error code on failure. @cur is also
 * updated to the latest state when it could not be modified.
 *
 * Errors:
 *
 *	-EPERM:	A panic is in progress and this is neither the panic
 *		CPU nor is this a reacquire. Or the current owner or
 *		waiter has the same or higher priority. No acquire
 *		method can be successful in these cases.
 *
 *	-EBUSY:	The current owner has a lower priority but the console
 *		is in an unsafe state. The caller should try using
 *		the handover acquire method.
 */
static int nbcon_context_try_acquire_direct(struct nbcon_context *ctxt,
					    struct nbcon_state *cur, bool is_reacquire)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state new;

	do {
		/*
		 * Panic does not imply that the console is owned. However,
		 * since all non-panic CPUs are stopped during panic(), it
		 * is safer to have them avoid gaining console ownership.
		 *
		 * If this acquire is a reacquire (and an unsafe takeover
		 * has not previously occurred) then it is allowed to attempt
		 * a direct acquire in panic. This gives console drivers an
		 * opportunity to perform any necessary cleanup if they were
		 * interrupted by the panic CPU while printing.
		 */
		if (other_cpu_in_panic() &&
		    (!is_reacquire || cur->unsafe_takeover)) {
			return -EPERM;
		}

		if (ctxt->prio <= cur->prio || ctxt->prio <= cur->req_prio)
			return -EPERM;

		if (cur->unsafe)
			return -EBUSY;

		/*
		 * The console should never be safe for a direct acquire
		 * if an unsafe hostile takeover has ever happened.
		 */
		WARN_ON_ONCE(cur->unsafe_takeover);

		new.atom = cur->atom;
		new.prio = ctxt->prio;
		new.req_prio = NBCON_PRIO_NONE;
		new.unsafe = cur->unsafe_takeover;
		new.cpu = cpu;

	} while (!nbcon_state_try_cmpxchg(con, cur, &new));

	return 0;
}

static bool nbcon_waiter_matches(struct nbcon_state *cur, int expected_prio)
{
	/*
	 * The request context is well defined by the @req_prio because:
	 *
	 * - Only a context with a priority higher than the owner can become
	 *   a waiter.
	 * - Only a context with a priority higher than the waiter can
	 *   directly take over the request.
	 * - There are only three priorities.
	 * - Only one CPU is allowed to request PANIC priority.
	 * - Lower priorities are ignored during panic() until reboot.
	 *
	 * As a result, the following scenario is *not* possible:
	 *
	 * 1. This context is currently a waiter.
	 * 2. Another context with a higher priority than this context
	 *    directly takes ownership.
	 * 3. The higher priority context releases the ownership.
	 * 4. Another lower priority context takes the ownership.
	 * 5. Another context with the same priority as this context
	 *    creates a request and starts waiting.
	 *
	 * Event #1 implies this context is EMERGENCY.
	 * Event #2 implies the new context is PANIC.
	 * Event #3 occurs when panic() has flushed the console.
	 * Event #4 occurs when a non-panic CPU reacquires.
	 * Event #5 is not possible due to the other_cpu_in_panic() check
	 *          in nbcon_context_try_acquire_handover().
	 */

	return (cur->req_prio == expected_prio);
}

/**
 * nbcon_context_try_acquire_requested - Try to acquire after having
 *					 requested a handover
 * @ctxt:	The context of the caller
 * @cur:	The current console state
 *
 * This is a helper function for nbcon_context_try_acquire_handover().
 * It is called when the console is in an unsafe state. The current
 * owner will release the console on exit from the unsafe region.
 *
 * Return: 0 on success and @cur is updated to the new console state.
 *	   Otherwise an error code on failure.
 *
 * Errors:
 *
 *	-EPERM:	A panic is in progress and this is not the panic CPU
 *		or this context is no longer the waiter.
 *
 *	-EBUSY:	The console is still locked. The caller should
 *		continue waiting.
 *
 * Note: The caller must still remove the request when an error has occurred
 *       except when this context is no longer the waiter.
 */
static int nbcon_context_try_acquire_requested(struct nbcon_context *ctxt,
					       struct nbcon_state *cur)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state new;

	/* Note that the caller must still remove the request! */
	if (other_cpu_in_panic())
		return -EPERM;

	/*
	 * Note that the waiter will also change if there was an unsafe
	 * hostile takeover.
	 */
	if (!nbcon_waiter_matches(cur, ctxt->prio))
		return -EPERM;

	/* If still locked, caller should continue waiting. */
	if (cur->prio != NBCON_PRIO_NONE)
		return -EBUSY;

	/*
	 * The previous owner should have never released ownership
	 * in an unsafe region.
	 */
	WARN_ON_ONCE(cur->unsafe);

	new.atom = cur->atom;
	new.prio = ctxt->prio;
	new.req_prio = NBCON_PRIO_NONE;
	new.unsafe = cur->unsafe_takeover;
	new.cpu = cpu;

	if (!nbcon_state_try_cmpxchg(con, cur, &new)) {
		/*
		 * The acquire could fail only when it has been taken
		 * over by a higher priority context.
		 */
		WARN_ON_ONCE(nbcon_waiter_matches(cur, ctxt->prio));
		return -EPERM;
	}

	/* Handover success. This context now owns the console. */
	return 0;
}

/**
 * nbcon_context_try_acquire_handover - Try to acquire via handover
 * @ctxt:	The context of the caller
 * @cur:	The current console state
 *
 * The function must be called only when the context has higher priority
 * than the current owner and the console is in an unsafe state. It is the
 * case when nbcon_context_try_acquire_direct() returns -EBUSY.
 *
 * The function sets the "req_prio" field to make the current owner aware of
 * the request. Then it waits until the current owner releases the console,
 * an even higher priority context takes over the request, or the timeout
 * expires.
 *
 * The current owner checks the "req_prio" field on exit from the unsafe
 * region and releases the console. It does not touch the "req_prio" field
 * so that the console stays reserved for the waiter.
 *
 * Return: 0 on success. Otherwise, an error code on failure. Also @cur
 * is updated to the latest state when it could not be modified.
 *
 * Errors:
 *
 *	-EPERM:	A panic is in progress and this is not the panic CPU.
 *		Or a higher priority context has taken over the
 *		console or the handover request.
 *
 *	-EBUSY:	The current owner is on the same CPU so the handshake
 *		cannot work. Or the current owner is not willing to
 *		wait (zero timeout). Or the console did not enter the
 *		safe state before the timeout expired. The caller
 *		might still use the unsafe hostile takeover when
 *		allowed.
 *
 *	-EAGAIN: @cur has changed when creating the handover request.
 *		 The caller should retry with direct acquire.
 */
static int nbcon_context_try_acquire_handover(struct nbcon_context *ctxt,
					      struct nbcon_state *cur)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state new;
	int timeout;
	int request_err = -EBUSY;

	/*
	 * Check that the handover is called when the direct acquire failed
	 * with -EBUSY.
	 */
	WARN_ON_ONCE(ctxt->prio <= cur->prio || ctxt->prio <= cur->req_prio);
	WARN_ON_ONCE(!cur->unsafe);

	/*
	 * Panic does not imply that the console is owned. However, it
	 * is critical that non-panic CPUs during panic are unable to
	 * wait for a handover in order to satisfy the assumptions of
	 * nbcon_waiter_matches(). In particular, the assumption that
	 * lower priorities are ignored during panic.
	 */
	if (other_cpu_in_panic())
		return -EPERM;

	/* Handover is not possible on the same CPU. */
	if (cur->cpu == cpu)
		return -EBUSY;

	/*
	 * Console stays unsafe after an unsafe takeover until re-initialized.
	 * Waiting is not going to help in this case.
	 */
	if (cur->unsafe_takeover)
		return -EBUSY;

	/* Is the caller willing to wait? */
	if (ctxt->spinwait_max_us == 0)
		return -EBUSY;

	/*
	 * Setup a request for the handover. The caller should try to acquire
	 * the console directly when the current state has been modified.
	 */
	new.atom = cur->atom;
	new.req_prio = ctxt->prio;
	if (!nbcon_state_try_cmpxchg(con, cur, &new))
		return -EAGAIN;

	cur->atom = new.atom;

	/* Wait until there is no owner and then acquire the console. */
	for (timeout = ctxt->spinwait_max_us; timeout >= 0; timeout--) {
		/* On successful acquire, this request is cleared. */
		request_err = nbcon_context_try_acquire_requested(ctxt, cur);
		if (!request_err)
			return 0;

		/*
		 * If the acquire should be aborted, it must be ensured
		 * that the request is removed before returning to caller.
		 */
		if (request_err == -EPERM)
			break;

		udelay(1);

		/* Re-read the state because some time has passed. */
		nbcon_state_read(con, cur);
	}

	/* Timed out or aborted. Carefully remove handover request. */
	do {
		/*
		 * No need to remove request if there is a new waiter. This
		 * can only happen if a higher priority context has taken over
		 * the console or the handover request.
		 */
		if (!nbcon_waiter_matches(cur, ctxt->prio))
			return -EPERM;

		/* Unset request for handover. */
		new.atom = cur->atom;
		new.req_prio = NBCON_PRIO_NONE;
		if (nbcon_state_try_cmpxchg(con, cur, &new)) {
			/*
			 * Request successfully unset. Report failure of
			 * acquiring via handover.
			 */
			cur->atom = new.atom;
			return request_err;
		}

		/*
		 * Unable to remove request. Try to acquire in case
		 * the owner has released the lock.
		 */
	} while (nbcon_context_try_acquire_requested(ctxt, cur));

	/* Lucky timing. The acquire succeeded while removing the request. */
	return 0;
}

/**
 * nbcon_context_try_acquire_hostile - Acquire via unsafe hostile takeover
 * @ctxt:	The context of the caller
 * @cur:	The current console state
 *
 * Acquire the console even in the unsafe state.
 *
 * It is permitted only when the 'allow_unsafe_takeover' field is set, which
 * happens only for the final attempt to flush messages in panic().
 *
 * Return: 0 on success. -EPERM when not allowed by the context.
 */
static int nbcon_context_try_acquire_hostile(struct nbcon_context *ctxt,
					     struct nbcon_state *cur)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state new;

	if (!ctxt->allow_unsafe_takeover)
		return -EPERM;

	/* Ensure caller is allowed to perform unsafe hostile takeovers. */
	if (WARN_ON_ONCE(ctxt->prio != NBCON_PRIO_PANIC))
		return -EPERM;

	/*
	 * Check that try_acquire_direct() and try_acquire_handover() returned
	 * -EBUSY in the right situation.
	 */
	WARN_ON_ONCE(ctxt->prio <= cur->prio || ctxt->prio <= cur->req_prio);
	WARN_ON_ONCE(cur->unsafe != true);

	do {
		new.atom = cur->atom;
		new.cpu = cpu;
		new.prio = ctxt->prio;
		new.unsafe |= cur->unsafe_takeover;
		new.unsafe_takeover |= cur->unsafe;

	} while (!nbcon_state_try_cmpxchg(con, cur, &new));

	return 0;
}

static struct printk_buffers panic_nbcon_pbufs;

/**
 * nbcon_context_try_acquire - Try to acquire nbcon console
 * @ctxt:		The context of the caller
 * @is_reacquire:	This acquire is a reacquire
 *
 * Context:	Under @ctxt->con->device_lock() or local_irq_save().
 * Return:	True if the console was acquired. False otherwise.
 *
 * If the caller allowed an unsafe hostile takeover, on success the
 * caller should check the current console state to see if it is
 * in an unsafe state. Otherwise, on success the caller may assume
 * the console is not in an unsafe state.
 */
static bool nbcon_context_try_acquire(struct nbcon_context *ctxt, bool is_reacquire)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state cur;
	int err;

	nbcon_state_read(con, &cur);
try_again:
	err = nbcon_context_try_acquire_direct(ctxt, &cur, is_reacquire);
	if (err != -EBUSY)
		goto out;

	err = nbcon_context_try_acquire_handover(ctxt, &cur);
	if (err == -EAGAIN)
		goto try_again;
	if (err != -EBUSY)
		goto out;

	err = nbcon_context_try_acquire_hostile(ctxt, &cur);
out:
	if (err)
		return false;

	/* Acquire succeeded. */

	/* Assign the appropriate buffer for this context. */
	if (atomic_read(&panic_cpu) == cpu)
		ctxt->pbufs = &panic_nbcon_pbufs;
	else
		ctxt->pbufs = con->pbufs;

	/* Set the record sequence for this context to print. */
	ctxt->seq = nbcon_seq_read(ctxt->console);

	return true;
}
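/*
 * Illustrative sketch (it mirrors __nbcon_atomic_flush_pending_con() further
 * down, no additional functionality): a flush context that is willing to
 * spin-wait for a friendly handover and, on the final panic flush, to take
 * over unsafely:
 *
 *	ctxt->console			= con;
 *	ctxt->spinwait_max_us		= 2000;
 *	ctxt->prio			= nbcon_get_default_prio();
 *	ctxt->allow_unsafe_takeover	= allow_unsafe_takeover;
 *
 *	if (!nbcon_context_try_acquire(ctxt, false))
 *		return -EPERM;
 */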

static bool nbcon_owner_matches(struct nbcon_state *cur, int expected_cpu,
				int expected_prio)
{
	/*
	 * A similar function, nbcon_waiter_matches(), only deals with
	 * EMERGENCY and PANIC priorities. However, this function must also
	 * deal with the NORMAL priority, which requires additional checks
	 * and constraints.
	 *
	 * For the case where preemption and interrupts are disabled, it is
	 * enough to also verify that the owning CPU has not changed.
	 *
	 * For the case where preemption or interrupts are enabled, an
	 * external synchronization method *must* be used. In particular,
	 * the driver-specific locking mechanism used in device_lock()
	 * (including disabling migration) should be used. It prevents
	 * scenarios such as:
	 *
	 * 1. [Task A] owns a context with NBCON_PRIO_NORMAL on [CPU X] and
	 *    is scheduled out.
	 * 2. Another context takes over the lock with NBCON_PRIO_EMERGENCY
	 *    and releases it.
	 * 3. [Task B] acquires a context with NBCON_PRIO_NORMAL on [CPU X]
	 *    and is scheduled out.
	 * 4. [Task A] gets running on [CPU X] and sees that the console is
	 *    still owned by a task on [CPU X] with NBCON_PRIO_NORMAL. Thus
	 *    [Task A] thinks it is the owner when it is not.
	 */

	if (cur->prio != expected_prio)
		return false;

	if (cur->cpu != expected_cpu)
		return false;

	return true;
}

/**
 * nbcon_context_release - Release the console
 * @ctxt:	The nbcon context from nbcon_context_try_acquire()
 */
static void nbcon_context_release(struct nbcon_context *ctxt)
{
	unsigned int cpu = smp_processor_id();
	struct console *con = ctxt->console;
	struct nbcon_state cur;
	struct nbcon_state new;

	nbcon_state_read(con, &cur);

	do {
		if (!nbcon_owner_matches(&cur, cpu, ctxt->prio))
			break;

		new.atom = cur.atom;
		new.prio = NBCON_PRIO_NONE;

		/*
		 * If @unsafe_takeover is set, it is kept set so that
		 * the state remains permanently unsafe.
		 */
		new.unsafe |= cur.unsafe_takeover;

	} while (!nbcon_state_try_cmpxchg(con, &cur, &new));

	ctxt->pbufs = NULL;
}

/**
 * nbcon_context_can_proceed - Check whether ownership can proceed
 * @ctxt:	The nbcon context from nbcon_context_try_acquire()
 * @cur:	The current console state
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * Must be invoked when entering the unsafe state to make sure that it still
 * owns the lock. Also must be invoked when exiting the unsafe context
 * to eventually free the lock for a higher priority context which asked
 * for the friendly handover.
 *
 * It can be called inside an unsafe section when the console is just
 * temporarily in a safe state instead of exiting and entering the unsafe
 * state.
 *
 * Also it can be called in the safe context before doing an expensive
 * safe operation. It does not make sense to do the operation when
 * a higher priority context took the lock.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 */
static bool nbcon_context_can_proceed(struct nbcon_context *ctxt, struct nbcon_state *cur)
{
	unsigned int cpu = smp_processor_id();

	/* Make sure this context still owns the console. */
	if (!nbcon_owner_matches(cur, cpu, ctxt->prio))
		return false;

	/* The console owner can proceed if there is no waiter. */
	if (cur->req_prio == NBCON_PRIO_NONE)
		return true;

	/*
	 * A console owner within an unsafe region is always allowed to
	 * proceed, even if there are waiters. It can perform a handover
	 * when exiting the unsafe region. Otherwise the waiter will
	 * need to perform an unsafe hostile takeover.
	 */
	if (cur->unsafe)
		return true;

	/* Waiters always have higher priorities than owners. */
	WARN_ON_ONCE(cur->req_prio <= cur->prio);

	/*
	 * Having a safe point for takeover and eventually a few
	 * duplicated characters or a full line is way better than a
	 * hostile takeover. Post processing can take care of the garbage.
	 * Release and hand over.
	 */
	nbcon_context_release(ctxt);

	/*
	 * It is not clear whether the waiter really took over ownership. The
	 * outermost callsite must make the final decision whether console
	 * ownership is needed for it to proceed. If yes, it must reacquire
	 * ownership (possibly hostile) before carefully proceeding.
	 *
	 * The calling context no longer owns the console so go back all the
	 * way instead of trying to implement reacquire heuristics in tons of
	 * places.
	 */
	return false;
}

/**
 * nbcon_can_proceed - Check whether ownership can proceed
 * @wctxt:	The write context that was handed to the write function
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * It is used in nbcon_enter_unsafe() to make sure that it still owns the
 * lock. Also it is used in nbcon_exit_unsafe() to eventually free the lock
 * for a higher priority context which asked for the friendly handover.
 *
 * It can be called inside an unsafe section when the console is just
 * temporarily in a safe state instead of exiting and entering the unsafe
 * state.
 *
 * Also it can be called in the safe context before doing an expensive safe
 * operation. It does not make sense to do the operation when a higher
 * priority context took the lock.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 */
bool nbcon_can_proceed(struct nbcon_write_context *wctxt)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	struct console *con = ctxt->console;
	struct nbcon_state cur;

	nbcon_state_read(con, &cur);

	return nbcon_context_can_proceed(ctxt, &cur);
}
EXPORT_SYMBOL_GPL(nbcon_can_proceed);

#define nbcon_context_enter_unsafe(c)	__nbcon_context_update_unsafe(c, true)
#define nbcon_context_exit_unsafe(c)	__nbcon_context_update_unsafe(c, false)

/**
 * __nbcon_context_update_unsafe - Update the unsafe bit in @con->nbcon_state
 * @ctxt:	The nbcon context from nbcon_context_try_acquire()
 * @unsafe:	The new value for the unsafe bit
 *
 * Return:	True if the unsafe state was updated and this context still
 *		owns the console. Otherwise false if ownership was handed
 *		over or taken.
 *
 * This function allows console owners to modify the unsafe status of the
 * console.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 *
 * Internal helper to avoid duplicated code.
 */
static bool __nbcon_context_update_unsafe(struct nbcon_context *ctxt, bool unsafe)
{
	struct console *con = ctxt->console;
	struct nbcon_state cur;
	struct nbcon_state new;

	nbcon_state_read(con, &cur);

	do {
		/*
		 * The unsafe bit must not be cleared if an
		 * unsafe hostile takeover has occurred.
		 */
		if (!unsafe && cur.unsafe_takeover)
			goto out;

		if (!nbcon_context_can_proceed(ctxt, &cur))
			return false;

		new.atom = cur.atom;
		new.unsafe = unsafe;
	} while (!nbcon_state_try_cmpxchg(con, &cur, &new));

	cur.atom = new.atom;
out:
	return nbcon_context_can_proceed(ctxt, &cur);
}

static void nbcon_write_context_set_buf(struct nbcon_write_context *wctxt,
					char *buf, unsigned int len)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	struct console *con = ctxt->console;
	struct nbcon_state cur;

	wctxt->outbuf = buf;
	wctxt->len = len;
	nbcon_state_read(con, &cur);
	wctxt->unsafe_takeover = cur.unsafe_takeover;
}

/**
 * nbcon_enter_unsafe - Enter an unsafe region in the driver
 * @wctxt:	The write context that was handed to the write function
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 */
bool nbcon_enter_unsafe(struct nbcon_write_context *wctxt)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	bool is_owner;

	is_owner = nbcon_context_enter_unsafe(ctxt);
	if (!is_owner)
		nbcon_write_context_set_buf(wctxt, NULL, 0);
	return is_owner;
}
EXPORT_SYMBOL_GPL(nbcon_enter_unsafe);

/**
 * nbcon_exit_unsafe - Exit an unsafe region in the driver
 * @wctxt:	The write context that was handed to the write function
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context.
 */
bool nbcon_exit_unsafe(struct nbcon_write_context *wctxt)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	bool ret;

	ret = nbcon_context_exit_unsafe(ctxt);
	if (!ret)
		nbcon_write_context_set_buf(wctxt, NULL, 0);
	return ret;
}
EXPORT_SYMBOL_GPL(nbcon_exit_unsafe);

/**
 * nbcon_reacquire_nobuf - Reacquire a console after losing ownership
 *			   while printing
 * @wctxt:	The write context that was handed to the write callback
 *
 * Since ownership can be lost at any time due to handover or takeover, a
 * printing context _must_ be prepared to back out immediately and
 * carefully. However, there are scenarios where the printing context must
 * reacquire ownership in order to finalize or revert hardware changes.
 *
 * This function allows a printing context to reacquire ownership using the
 * same priority as its previous ownership.
 *
 * Note that after a successful reacquire the printing context will have no
 * output buffer because that has been lost. This function cannot be used to
 * resume printing.
 */
void nbcon_reacquire_nobuf(struct nbcon_write_context *wctxt)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);

	while (!nbcon_context_try_acquire(ctxt, true))
		cpu_relax();

	nbcon_write_context_set_buf(wctxt, NULL, 0);
}
EXPORT_SYMBOL_GPL(nbcon_reacquire_nobuf);
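/*
 * Illustrative sketch of a hypothetical driver write callback using the
 * unsafe-region API above (the foo_* names are assumptions, not a real
 * driver). If ownership is lost, the driver reacquires it only to restore
 * hardware state; the NULL output buffer then tells the caller that the
 * record was not fully emitted:
 *
 *	static void foo_write_atomic(struct console *con,
 *				     struct nbcon_write_context *wctxt)
 *	{
 *		if (!nbcon_enter_unsafe(wctxt))
 *			return;
 *
 *		foo_emit_chars(con, wctxt->outbuf, wctxt->len);
 *
 *		if (!nbcon_exit_unsafe(wctxt)) {
 *			nbcon_reacquire_nobuf(wctxt);
 *			foo_restore_hw_state(con);
 *		}
 *	}
 */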

/**
 * nbcon_emit_next_record - Emit a record in the acquired context
 * @wctxt:	The write context that will be handed to the write function
 * @use_atomic:	True if the write_atomic() callback is to be used
 *
 * Return:	True if this context still owns the console. False if
 *		ownership was handed over or taken.
 *
 * When this function returns false then the calling context no longer owns
 * the console and is no longer allowed to go forward. In this case it must
 * back out immediately and carefully. The buffer content is also no longer
 * trusted since it no longer belongs to the calling context. If the caller
 * wants to do more it must reacquire the console first.
 *
 * When true is returned, @wctxt->ctxt.backlog indicates whether there are
 * still records pending in the ringbuffer.
 */
static bool nbcon_emit_next_record(struct nbcon_write_context *wctxt, bool use_atomic)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	struct console *con = ctxt->console;
	bool is_extended = console_srcu_read_flags(con) & CON_EXTENDED;
	struct printk_message pmsg = {
		.pbufs = ctxt->pbufs,
	};
	unsigned long con_dropped;
	struct nbcon_state cur;
	unsigned long dropped;
	unsigned long ulseq;

	/*
	 * This function should never be called for consoles that have not
	 * implemented the necessary callback for writing: i.e. legacy
	 * consoles and, when atomic, nbcon consoles with no write_atomic().
	 * Handle it as if ownership was lost and try to continue.
	 *
	 * Note that for nbcon consoles the write_thread() callback is
	 * mandatory and was already checked in nbcon_alloc().
	 */
	if (WARN_ON_ONCE((use_atomic && !con->write_atomic) ||
			 !(console_srcu_read_flags(con) & CON_NBCON))) {
		nbcon_context_release(ctxt);
		return false;
	}

	/*
	 * The printk buffers are filled within an unsafe section. This
	 * prevents NBCON_PRIO_NORMAL and NBCON_PRIO_EMERGENCY from
	 * clobbering each other.
	 */

	if (!nbcon_context_enter_unsafe(ctxt))
		return false;

	ctxt->backlog = printk_get_next_message(&pmsg, ctxt->seq, is_extended, true);
	if (!ctxt->backlog)
		return nbcon_context_exit_unsafe(ctxt);

	/*
	 * @con->dropped is not protected in case of an unsafe hostile
	 * takeover. In that situation the update can be racy so
	 * annotate it accordingly.
	 */
	con_dropped = data_race(READ_ONCE(con->dropped));

	dropped = con_dropped + pmsg.dropped;
	if (dropped && !is_extended)
		console_prepend_dropped(&pmsg, dropped);

	/*
	 * If the previous owner was assigned the same record, this context
	 * has taken over ownership and is replaying the record. Prepend a
	 * message to let the user know the record is replayed.
	 */
	ulseq = atomic_long_read(&ACCESS_PRIVATE(con, nbcon_prev_seq));
	if (__ulseq_to_u64seq(prb, ulseq) == pmsg.seq) {
		console_prepend_replay(&pmsg);
	} else {
		/*
		 * Ensure this context is still the owner before trying to
		 * update @nbcon_prev_seq. Otherwise the value in @ulseq may
		 * not be from the previous owner and instead be some later
		 * value from the context that took over ownership.
		 */
		nbcon_state_read(con, &cur);
		if (!nbcon_context_can_proceed(ctxt, &cur))
			return false;

		atomic_long_try_cmpxchg(&ACCESS_PRIVATE(con, nbcon_prev_seq), &ulseq,
					__u64seq_to_ulseq(pmsg.seq));
	}

	if (!nbcon_context_exit_unsafe(ctxt))
		return false;

	/* For skipped records just update seq/dropped in @con. */
	if (pmsg.outbuf_len == 0)
		goto update_con;

	/* Initialize the write context for driver callbacks. */
	nbcon_write_context_set_buf(wctxt, &pmsg.pbufs->outbuf[0], pmsg.outbuf_len);

	if (use_atomic)
		con->write_atomic(con, wctxt);
	else
		con->write_thread(con, wctxt);

	if (!wctxt->outbuf) {
		/*
		 * Ownership was lost and reacquired by the driver. Handle it
		 * as if ownership was lost.
		 */
		nbcon_context_release(ctxt);
		return false;
	}

	/*
	 * Ownership may have been lost but _not_ reacquired by the driver.
	 * This case is detected and handled when entering unsafe to update
	 * dropped/seq values.
	 */

	/*
	 * Since any dropped message was successfully output, reset the
	 * dropped count for the console.
	 */
	dropped = 0;
update_con:
	/*
	 * The dropped count and the sequence number are updated within an
	 * unsafe section. This limits update races to the panic context and
	 * allows the panic context to win.
	 */

	if (!nbcon_context_enter_unsafe(ctxt))
		return false;

	if (dropped != con_dropped) {
		/* Counterpart to the READ_ONCE() above. */
		WRITE_ONCE(con->dropped, dropped);
	}

	nbcon_seq_try_update(ctxt, pmsg.seq + 1);

	return nbcon_context_exit_unsafe(ctxt);
}

/*
 * nbcon_emit_one - Print one record for an nbcon console using the
 *		    specified callback
 * @wctxt:	An initialized write context struct to use for this context
 * @use_atomic:	True if the write_atomic() callback is to be used
 *
 * Return:	True, when a record has been printed and there are still
 *		pending records. The caller might want to continue flushing.
 *
 *		False, when there is no pending record, or when the console
 *		context cannot be acquired, or the ownership has been lost.
 *		The caller should give up. Either the job is done, cannot be
 *		done, or will be handled by the owning context.
 *
 * This is an internal helper to handle the locking of the console before
 * calling nbcon_emit_next_record().
 */
static bool nbcon_emit_one(struct nbcon_write_context *wctxt, bool use_atomic)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(wctxt, ctxt);
	struct console *con = ctxt->console;
	unsigned long flags;
	bool ret = false;

	if (!use_atomic) {
		con->device_lock(con, &flags);

		/*
		 * Ensure this stays on the CPU to make handover and
		 * takeover possible.
		 */
		cant_migrate();
	}

	if (!nbcon_context_try_acquire(ctxt, false))
		goto out;

	/*
	 * nbcon_emit_next_record() returns false when the console was
	 * handed over or taken over. In both cases the context is no
	 * longer valid.
	 *
	 * The higher priority printing context takes over responsibility
	 * to print the pending records.
	 */
	if (!nbcon_emit_next_record(wctxt, use_atomic))
		goto out;

	nbcon_context_release(ctxt);

	ret = ctxt->backlog;
out:
	if (!use_atomic)
		con->device_unlock(con, flags);
	return ret;
}

/**
 * nbcon_kthread_should_wakeup - Check whether a printer thread should wakeup
 * @con:	Console to operate on
 * @ctxt:	The nbcon context from nbcon_context_try_acquire()
 *
 * Return:	True if the thread should shut down or if the console is
 *		allowed to print and a record is available. False otherwise.
 *
 * After the thread wakes up, it must first check if it should shut down
 * before attempting any printing.
 */
static bool nbcon_kthread_should_wakeup(struct console *con, struct nbcon_context *ctxt)
{
	bool ret = false;
	short flags;
	int cookie;

	if (kthread_should_stop())
		return true;

	cookie = console_srcu_read_lock();

	flags = console_srcu_read_flags(con);
	if (console_is_usable(con, flags, false)) {
		/* Bring the sequence in @ctxt up to date */
		ctxt->seq = nbcon_seq_read(con);

		ret = prb_read_valid(prb, ctxt->seq, NULL);
	}

	console_srcu_read_unlock(cookie);
	return ret;
}

/**
 * nbcon_kthread_func - The printer thread function
 * @__console:	Console to operate on
 *
 * Return:	0
 */
static int nbcon_kthread_func(void *__console)
{
	struct console *con = __console;
	struct nbcon_write_context wctxt = {
		.ctxt.console	= con,
		.ctxt.prio	= NBCON_PRIO_NORMAL,
	};
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(&wctxt, ctxt);
	short con_flags;
	bool backlog;
	int cookie;

wait_for_event:
	/*
	 * Guarantee this task is visible on the rcuwait before
	 * checking the wake condition.
	 *
	 * The full memory barrier within set_current_state() of
	 * ___rcuwait_wait_event() pairs with the full memory
	 * barrier within rcuwait_has_sleeper().
	 *
	 * This pairs with rcuwait_has_sleeper:A and nbcon_kthread_wake:A.
	 */
	rcuwait_wait_event(&con->rcuwait,
			   nbcon_kthread_should_wakeup(con, ctxt),
			   TASK_INTERRUPTIBLE); /* LMM(nbcon_kthread_func:A) */

	do {
		if (kthread_should_stop())
			return 0;

		backlog = false;

		/*
		 * Keep the srcu read lock around the entire operation so that
		 * synchronize_srcu() can guarantee that the kthread stopped
		 * or suspended printing.
		 */
		cookie = console_srcu_read_lock();

		con_flags = console_srcu_read_flags(con);

		if (console_is_usable(con, con_flags, false))
			backlog = nbcon_emit_one(&wctxt, false);

		console_srcu_read_unlock(cookie);

		cond_resched();

	} while (backlog);

	goto wait_for_event;
}

/**
 * nbcon_irq_work - irq work to wake console printer thread
 * @irq_work:	The irq work to operate on
 */
static void nbcon_irq_work(struct irq_work *irq_work)
{
	struct console *con = container_of(irq_work, struct console, irq_work);

	nbcon_kthread_wake(con);
}

static inline bool rcuwait_has_sleeper(struct rcuwait *w)
{
	/*
	 * Guarantee any new records can be seen by tasks preparing to wait
	 * before this context checks if the rcuwait is empty.
	 *
	 * This full memory barrier pairs with the full memory barrier within
	 * set_current_state() of ___rcuwait_wait_event(), which is called
	 * after prepare_to_rcuwait() adds the waiter but before it has
	 * checked the wait condition.
	 *
	 * This pairs with nbcon_kthread_func:A.
	 */
	smp_mb(); /* LMM(rcuwait_has_sleeper:A) */
	return rcuwait_active(w);
}

/**
 * nbcon_kthreads_wake - Wake up printing threads using irq_work
 */
void nbcon_kthreads_wake(void)
{
	struct console *con;
	int cookie;

	if (!printk_kthreads_running)
		return;

	cookie = console_srcu_read_lock();
	for_each_console_srcu(con) {
		if (!(console_srcu_read_flags(con) & CON_NBCON))
			continue;

		/*
		 * Only schedule irq_work if the printing thread is
		 * actively waiting. If not waiting, the thread will
		 * notice by itself that it has work to do.
		 */
		if (rcuwait_has_sleeper(&con->rcuwait))
			irq_work_queue(&con->irq_work);
	}
	console_srcu_read_unlock(cookie);
}

/*
 * nbcon_kthread_stop - Stop a console printer thread
 * @con:	Console to operate on
 */
void nbcon_kthread_stop(struct console *con)
{
	lockdep_assert_console_list_lock_held();

	if (!con->kthread)
		return;

	kthread_stop(con->kthread);
	con->kthread = NULL;
}

/**
 * nbcon_kthread_create - Create a console printer thread
 * @con:	Console to operate on
 *
 * Return:	True if the kthread was started or already exists.
 *		Otherwise false and @con must not be registered.
 *
 * This function is called when it will be expected that nbcon consoles are
 * flushed using the kthread. The messages printed with NBCON_PRIO_NORMAL
 * will no longer be flushed by the legacy loop. This is why failure must
 * be fatal for console registration.
 *
 * If @con was already registered and this function fails, @con must be
 * unregistered before the global state variable @printk_kthreads_running
 * can be set.
 */
bool nbcon_kthread_create(struct console *con)
{
	struct task_struct *kt;

	lockdep_assert_console_list_lock_held();

	if (con->kthread)
		return true;

	kt = kthread_run(nbcon_kthread_func, con, "pr/%s%d", con->name, con->index);
	if (WARN_ON(IS_ERR(kt))) {
		con_printk(KERN_ERR, con, "failed to start printing thread\n");
		return false;
	}

	con->kthread = kt;

	/*
	 * It is important that console printing threads are scheduled
	 * shortly after a printk call and with generous runtime budgets.
	 */
	sched_set_normal(con->kthread, -20);

	return true;
}

/* Track the nbcon emergency nesting per CPU. */
static DEFINE_PER_CPU(unsigned int, nbcon_pcpu_emergency_nesting);
static unsigned int early_nbcon_pcpu_emergency_nesting __initdata;

/**
 * nbcon_get_cpu_emergency_nesting - Get the per CPU emergency nesting pointer
 *
 * Context:	For reading, any context. For writing, any context that
 *		cannot be migrated to another CPU.
 * Return:	Either a pointer to the per CPU emergency nesting counter of
 *		the current CPU or to the init data during early boot.
 *
 * The function is safe for reading per-CPU variables in any context because
 * preemption is disabled if the current CPU is in the emergency state. See
 * also nbcon_cpu_emergency_enter().
 */
static __ref unsigned int *nbcon_get_cpu_emergency_nesting(void)
{
	/*
	 * The value of __printk_percpu_data_ready gets set in normal
	 * context and before SMP initialization. As a result it could
	 * never change while inside an nbcon emergency section.
	 */
	if (!printk_percpu_data_ready())
		return &early_nbcon_pcpu_emergency_nesting;

	return raw_cpu_ptr(&nbcon_pcpu_emergency_nesting);
}

/**
 * nbcon_get_default_prio - The appropriate nbcon priority to use for nbcon
 *			    printing on the current CPU
 *
 * Context:	Any context.
 * Return:	The nbcon_prio to use for acquiring an nbcon console in this
 *		context for printing.
 *
 * The function is safe for reading per-CPU data in any context because
 * preemption is disabled if the current CPU is in the emergency or panic
 * state.
 */
enum nbcon_prio nbcon_get_default_prio(void)
{
	unsigned int *cpu_emergency_nesting;

	if (this_cpu_in_panic())
		return NBCON_PRIO_PANIC;

	cpu_emergency_nesting = nbcon_get_cpu_emergency_nesting();
	if (*cpu_emergency_nesting)
		return NBCON_PRIO_EMERGENCY;

	return NBCON_PRIO_NORMAL;
}

/**
 * nbcon_legacy_emit_next_record - Print one record for an nbcon console
 *				   in legacy contexts
 * @con:	The console to print on
 * @handover:	Will be set to true if a printk waiter has taken over the
 *		console_lock, in which case the caller is no longer holding
 *		both the console_lock and the SRCU read lock. Otherwise it
 *		is set to false.
 * @cookie:	The cookie from the SRCU read lock.
 * @use_atomic:	Set true when called in an atomic or unknown context.
 *		It affects which nbcon callback will be used: write_atomic()
 *		or write_thread().
 *
 *		When false, the write_thread() callback is used and would be
 *		called in a preemptible context unless disabled by the
 *		device_lock. The legacy handover is not allowed in this mode.
 *
 * Context:	Any context except NMI.
 * Return:	True, when a record has been printed and there are still
 *		pending records. The caller might want to continue flushing.
 *
 *		False, when there is no pending record, or when the console
 *		context cannot be acquired, or the ownership has been lost.
 *		The caller should give up. Either the job is done, cannot be
 *		done, or will be handled by the owning context.
 *
 * This function is meant to be called by console_flush_all() to print records
 * on nbcon consoles from legacy context (printing via console unlocking).
 * Essentially it is the nbcon version of console_emit_next_record().
 */
bool nbcon_legacy_emit_next_record(struct console *con, bool *handover,
				   int cookie, bool use_atomic)
{
	struct nbcon_write_context wctxt = { };
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(&wctxt, ctxt);
	unsigned long flags;
	bool progress;

	ctxt->console	= con;
	ctxt->prio	= nbcon_get_default_prio();

	if (use_atomic) {
		/*
		 * In an atomic or unknown context, use the same procedure as
		 * in console_emit_next_record(). It allows a handover.
		 */
		printk_safe_enter_irqsave(flags);
		console_lock_spinning_enable();
		stop_critical_timings();
	}

	progress = nbcon_emit_one(&wctxt, use_atomic);

	if (use_atomic) {
		start_critical_timings();
		*handover = console_lock_spinning_disable_and_check(cookie);
		printk_safe_exit_irqrestore(flags);
	} else {
		/* Non-atomic does not perform legacy spinning handovers. */
		*handover = false;
	}

	return progress;
}

/**
 * __nbcon_atomic_flush_pending_con - Flush specified nbcon console using its
 *				      write_atomic() callback
 * @con:			The nbcon console to flush
 * @stop_seq:			Flush up until this record
 * @allow_unsafe_takeover:	True, to allow unsafe hostile takeovers
 *
 * Return:	0 if @con was flushed up to @stop_seq. Otherwise, error code
 *		on failure.
 *
 * Errors:
 *
 *	-EPERM:		Unable to acquire console ownership.
 *
 *	-EAGAIN:	Another context took over ownership while printing.
 *
 *	-ENOENT:	A record before @stop_seq is not available.
 *
 * If flushing up to @stop_seq was not successful, it only makes sense for the
 * caller to try again when -EAGAIN was returned. When -EPERM is returned,
 * this context is not allowed to acquire the console. When -ENOENT is
 * returned, it cannot be expected that the unfinalized record will become
 * available.
 */
static int __nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq,
					    bool allow_unsafe_takeover)
{
	struct nbcon_write_context wctxt = { };
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(&wctxt, ctxt);
	int err = 0;

	ctxt->console			= con;
	ctxt->spinwait_max_us		= 2000;
	ctxt->prio			= nbcon_get_default_prio();
	ctxt->allow_unsafe_takeover	= allow_unsafe_takeover;

	if (!nbcon_context_try_acquire(ctxt, false))
		return -EPERM;

	while (nbcon_seq_read(con) < stop_seq) {
		/*
		 * nbcon_emit_next_record() returns false when the console was
		 * handed over or taken over. In both cases the context is no
		 * longer valid.
		 */
		if (!nbcon_emit_next_record(&wctxt, true))
			return -EAGAIN;

		if (!ctxt->backlog) {
			/* Are there reserved but not yet finalized records? */
			if (nbcon_seq_read(con) < stop_seq)
				err = -ENOENT;
			break;
		}
	}

	nbcon_context_release(ctxt);
	return err;
}

/**
 * nbcon_atomic_flush_pending_con - Flush specified nbcon console using its
 *				    write_atomic() callback
 * @con:			The nbcon console to flush
 * @stop_seq:			Flush up until this record
 * @allow_unsafe_takeover:	True, to allow unsafe hostile takeovers
 *
 * This will stop flushing before @stop_seq if another context has ownership.
 * That context is then responsible for the flushing. Likewise, if new records
 * are added while this context was flushing and there is no other context
 * to handle the printing, this context must also flush those records.
 */
static void nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq,
					   bool allow_unsafe_takeover)
{
	struct console_flush_type ft;
	unsigned long flags;
	int err;

again:
	/*
	 * Atomic flushing does not use console driver synchronization (i.e.
	 * it does not hold the port lock for uart consoles). Therefore IRQs
	 * must be disabled to avoid being interrupted and then calling into
	 * a driver that will deadlock trying to acquire console ownership.
	 */
	local_irq_save(flags);

	err = __nbcon_atomic_flush_pending_con(con, stop_seq, allow_unsafe_takeover);

	local_irq_restore(flags);

	/*
	 * If there was a new owner (-EPERM, -EAGAIN), that context is
	 * responsible for completing.
	 *
	 * Do not wait for records not yet finalized (-ENOENT) to avoid a
	 * possible deadlock. They will either get flushed by the writer or
	 * eventually skipped on panic CPU.
	 */
	if (err)
		return;

	/*
	 * If flushing was successful but more records are available, this
	 * context must flush those remaining records if the printer thread
	 * is not available to do it.
	 */
	printk_get_console_flush_type(&ft);
	if (!ft.nbcon_offload &&
	    prb_read_valid(prb, nbcon_seq_read(con), NULL)) {
		stop_seq = prb_next_reserve_seq(prb);
		goto again;
	}
}

/**
 * __nbcon_atomic_flush_pending - Flush all nbcon consoles using their
 *				  write_atomic() callback
 * @stop_seq:			Flush up until this record
 * @allow_unsafe_takeover:	True, to allow unsafe hostile takeovers
 */
static void __nbcon_atomic_flush_pending(u64 stop_seq, bool allow_unsafe_takeover)
{
	struct console *con;
	int cookie;

	cookie = console_srcu_read_lock();
	for_each_console_srcu(con) {
		short flags = console_srcu_read_flags(con);

		if (!(flags & CON_NBCON))
			continue;

		if (!console_is_usable(con, flags, true))
			continue;

		if (nbcon_seq_read(con) >= stop_seq)
			continue;

		nbcon_atomic_flush_pending_con(con, stop_seq, allow_unsafe_takeover);
	}
	console_srcu_read_unlock(cookie);
}

/**
 * nbcon_atomic_flush_pending - Flush all nbcon consoles using their
 *				write_atomic() callback
 *
 * Flush the backlog up through the currently newest record. Any new
 * records added while flushing will not be flushed if there is another
 * context available to handle the flushing. This is to avoid one CPU
 * printing unbounded because other CPUs continue to add records.
 */
void nbcon_atomic_flush_pending(void)
{
	__nbcon_atomic_flush_pending(prb_next_reserve_seq(prb), false);
}

/**
 * nbcon_atomic_flush_unsafe - Flush all nbcon consoles using their
 *			       write_atomic() callback and allowing unsafe
 *			       hostile takeovers
 *
 * Flush the backlog up through the currently newest record. Unsafe hostile
 * takeovers will be performed, if necessary.
 */
void nbcon_atomic_flush_unsafe(void)
{
	__nbcon_atomic_flush_pending(prb_next_reserve_seq(prb), true);
}

/**
 * nbcon_cpu_emergency_enter - Enter an emergency section where printk()
 *			       messages for that CPU are flushed directly
 *
 * Context:	Any context. Disables preemption.
 *
 * When within an emergency section, printk() calls will attempt to flush any
 * pending messages in the ringbuffer.
 */
void nbcon_cpu_emergency_enter(void)
{
	unsigned int *cpu_emergency_nesting;

	preempt_disable();

	cpu_emergency_nesting = nbcon_get_cpu_emergency_nesting();
	(*cpu_emergency_nesting)++;
}

/**
 * nbcon_cpu_emergency_exit - Exit an emergency section
 *
 * Context:	Within an emergency section. Enables preemption.
 */
void nbcon_cpu_emergency_exit(void)
{
	unsigned int *cpu_emergency_nesting;

	cpu_emergency_nesting = nbcon_get_cpu_emergency_nesting();

	if (!WARN_ON_ONCE(*cpu_emergency_nesting == 0))
		(*cpu_emergency_nesting)--;

	preempt_enable();
}
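/*
 * Illustrative usage sketch (assumed call site, e.g. a warning or oops
 * path): messages emitted between enter and exit are printed with
 * NBCON_PRIO_EMERGENCY and flushed directly on this CPU:
 *
 *	nbcon_cpu_emergency_enter();
 *	printk("...");
 *	nbcon_cpu_emergency_exit();
 */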

/**
 * nbcon_alloc - Allocate and init the nbcon console specific data
 * @con:	Console to initialize
 *
 * Return:	True if the console was fully allocated and initialized.
 *		Otherwise @con must not be registered.
 *
 * When allocation and init were successful, the console must be properly
 * freed using nbcon_free() once it is no longer needed.
 */
bool nbcon_alloc(struct console *con)
{
	struct nbcon_state state = { };

	/* Synchronize the kthread start. */
	lockdep_assert_console_list_lock_held();

	/* The write_thread() callback is mandatory. */
	if (WARN_ON(!con->write_thread))
		return false;

	rcuwait_init(&con->rcuwait);
	init_irq_work(&con->irq_work, nbcon_irq_work);
	atomic_long_set(&ACCESS_PRIVATE(con, nbcon_prev_seq), -1UL);
	nbcon_state_set(con, &state);

	/*
	 * Initialize @nbcon_seq to the highest possible sequence number so
	 * that practically speaking it will have nothing to print until a
	 * desired initial sequence number has been set via nbcon_seq_force().
	 */
	atomic_long_set(&ACCESS_PRIVATE(con, nbcon_seq), ULSEQ_MAX(prb));

	if (con->flags & CON_BOOT) {
		/*
		 * Boot console printing is synchronized with legacy console
		 * printing, so boot consoles can share the same global printk
		 * buffers.
		 */
		con->pbufs = &printk_shared_pbufs;
	} else {
		con->pbufs = kmalloc(sizeof(*con->pbufs), GFP_KERNEL);
		if (!con->pbufs) {
			con_printk(KERN_ERR, con, "failed to allocate printing buffer\n");
			return false;
		}

		if (printk_kthreads_ready && !have_boot_console) {
			if (!nbcon_kthread_create(con)) {
				kfree(con->pbufs);
				con->pbufs = NULL;
				return false;
			}

			/* Might be the first kthread. */
			printk_kthreads_running = true;
		}
	}

	return true;
}

/**
 * nbcon_free - Free and cleanup the nbcon console specific data
 * @con:	Console to free/cleanup nbcon data
 *
 * Important: @have_nbcon_console must be updated before calling
 * this function. In particular, it can be set only when there
 * is still another nbcon console registered.
 */
void nbcon_free(struct console *con)
{
	struct nbcon_state state = { };

	/* Synchronize the kthread stop. */
	lockdep_assert_console_list_lock_held();

	if (printk_kthreads_running) {
		nbcon_kthread_stop(con);

		/*
		 * Might be the last nbcon console.
		 *
		 * Do not rely on printk_kthreads_check_locked(). It is not
		 * called in some code paths, see nbcon_free() callers.
		 */
		if (!have_nbcon_console)
			printk_kthreads_running = false;
	}

	nbcon_state_set(con, &state);

	/* Boot consoles share global printk buffers. */
	if (!(con->flags & CON_BOOT))
		kfree(con->pbufs);

	con->pbufs = NULL;
}

/**
 * nbcon_device_try_acquire - Try to acquire nbcon console and enter unsafe
 *			      section
 * @con:	The nbcon console to acquire
 *
 * Context:	Under the locking mechanism implemented in
 *		@con->device_lock() including disabling migration.
 * Return:	True if the console was acquired. False otherwise.
 *
 * Console drivers will usually use their own internal synchronization
 * mechanism to synchronize between console printing and non-printing
 * activities (such as setting baud rates). However, nbcon console drivers
 * supporting atomic consoles may also want to mark unsafe sections when
 * performing non-printing activities in order to synchronize against their
 * write_atomic() callback.
 *
 * This function acquires the nbcon console using priority NBCON_PRIO_NORMAL
 * and marks it unsafe for handover/takeover.
 */
bool nbcon_device_try_acquire(struct console *con)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(con, nbcon_device_ctxt);

	cant_migrate();

	memset(ctxt, 0, sizeof(*ctxt));
	ctxt->console	= con;
	ctxt->prio	= NBCON_PRIO_NORMAL;

	if (!nbcon_context_try_acquire(ctxt, false))
		return false;

	if (!nbcon_context_enter_unsafe(ctxt))
		return false;

	return true;
}
EXPORT_SYMBOL_GPL(nbcon_device_try_acquire);

/**
 * nbcon_device_release - Exit unsafe section and release the nbcon console
 * @con:	The nbcon console acquired in nbcon_device_try_acquire()
 */
void nbcon_device_release(struct console *con)
{
	struct nbcon_context *ctxt = &ACCESS_PRIVATE(con, nbcon_device_ctxt);
	struct console_flush_type ft;
	int cookie;

	if (!nbcon_context_exit_unsafe(ctxt))
		return;

	nbcon_context_release(ctxt);

	/*
	 * This context must flush any new records added while the console
	 * was locked if the printer thread is not available to do it. The
	 * console_srcu_read_lock must be taken to ensure the console is
	 * usable throughout flushing.
	 */
	cookie = console_srcu_read_lock();
	printk_get_console_flush_type(&ft);
	if (console_is_usable(con, console_srcu_read_flags(con), true) &&
	    !ft.nbcon_offload &&
	    prb_read_valid(prb, nbcon_seq_read(con), NULL)) {
		/*
		 * If nbcon_atomic flushing is not available, fallback to
		 * using the legacy loop.
		 */
		if (ft.nbcon_atomic) {
			__nbcon_atomic_flush_pending_con(con, prb_next_reserve_seq(prb), false);
		} else if (ft.legacy_direct) {
			if (console_trylock())
				console_unlock();
		} else if (ft.legacy_offload) {
			printk_trigger_flush();
		}
	}
	console_srcu_read_unlock(cookie);
}
EXPORT_SYMBOL_GPL(nbcon_device_release);
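/*
 * Illustrative sketch of driver-side usage (the foo_* names are assumptions,
 * not a real driver): a non-printing activity, such as changing the baud
 * rate, synchronized against the write callbacks via the device context:
 *
 *	con->device_lock(con, &flags);
 *	if (nbcon_device_try_acquire(con)) {
 *		foo_set_baud(con, baud);
 *		nbcon_device_release(con);
 *	}
 *	con->device_unlock(con, flags);
 */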