mirror of
https://github.com/torvalds/linux.git
synced 2025-12-07 20:06:24 +00:00
printk: nbcon: Allow unsafe write_atomic() for panic
There may be console drivers that have not yet figured out a way to implement safe atomic printing (->write_atomic() callback). These drivers could choose to only implement threaded printing (->write_thread() callback), but then it is guaranteed that _no_ output will be printed during panic. Not even attempted. As a result, developers may be tempted to implement unsafe ->write_atomic() callbacks and/or implement some sort of custom deferred printing trickery to try to make it work. This goes against the principle intention of the nbcon API as well as endangers other nbcon drivers that are doing things correctly (safely). As a compromise, allow nbcon drivers to implement unsafe ->write_atomic() callbacks by providing a new console flag CON_NBCON_ATOMIC_UNSAFE. When specified, the ->write_atomic() callback for that console will _only_ be called during the final "hope and pray" flush attempt at the end of a panic: nbcon_atomic_flush_unsafe(). Signed-off-by: John Ogness <john.ogness@linutronix.de> Link: https://lore.kernel.org/lkml/b2qps3uywhmjaym4mht2wpxul4yqtuuayeoq4iv4k3zf5wdgh3@tocu6c7mj4lt Reviewed-by: Petr Mladek <pmladek@suse.com> Link: https://lore.kernel.org/all/swdpckuwwlv3uiessmtnf2jwlx3jusw6u7fpk5iggqo4t2vdws@7rpjso4gr7qp/ [1] Link: https://lore.kernel.org/all/20251103-fix_netpoll_aa-v4-1-4cfecdf6da7c@debian.org/ [2] Link: https://patch.msgid.link/20251027161212.334219-2-john.ogness@linutronix.de [pmladek@suse.com: Fix build with rework/nbcon-in-kdb branch.] Signed-off-by: Petr Mladek <pmladek@suse.com>
This commit is contained in:
John Ogness
@@ -186,6 +186,8 @@ static inline void con_debug_leave(void) { }
|
||||
* printing callbacks must not be called.
|
||||
* @CON_NBCON: Console can operate outside of the legacy style console_lock
|
||||
* constraints.
|
||||
* @CON_NBCON_ATOMIC_UNSAFE: The write_atomic() callback is not safe and is
|
||||
* therefore only used by nbcon_atomic_flush_unsafe().
|
||||
*/
|
||||
enum cons_flags {
|
||||
CON_PRINTBUFFER = BIT(0),
|
||||
@@ -197,6 +199,7 @@ enum cons_flags {
|
||||
CON_EXTENDED = BIT(6),
|
||||
CON_SUSPENDED = BIT(7),
|
||||
CON_NBCON = BIT(8),
|
||||
CON_NBCON_ATOMIC_UNSAFE = BIT(9),
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -608,6 +611,7 @@ extern void nbcon_write_context_set_buf(struct nbcon_write_context *wctxt,
|
||||
extern bool nbcon_enter_unsafe(struct nbcon_write_context *wctxt);
|
||||
extern bool nbcon_exit_unsafe(struct nbcon_write_context *wctxt);
|
||||
extern void nbcon_reacquire_nobuf(struct nbcon_write_context *wctxt);
|
||||
extern bool nbcon_allow_unsafe_takeover(void);
|
||||
extern bool nbcon_kdb_try_acquire(struct console *con,
|
||||
struct nbcon_write_context *wctxt);
|
||||
extern void nbcon_kdb_release(struct nbcon_write_context *wctxt);
|
||||
@@ -627,9 +631,18 @@ static inline bool console_is_usable(struct console *con, short flags, bool use_
|
||||
return false;
|
||||
|
||||
if (flags & CON_NBCON) {
|
||||
/* The write_atomic() callback is optional. */
|
||||
if (use_atomic && !con->write_atomic)
|
||||
return false;
|
||||
if (use_atomic) {
|
||||
/* The write_atomic() callback is optional. */
|
||||
if (!con->write_atomic)
|
||||
return false;
|
||||
|
||||
/*
|
||||
* An unsafe write_atomic() callback is only usable
|
||||
* when unsafe takeovers are allowed.
|
||||
*/
|
||||
if ((flags & CON_NBCON_ATOMIC_UNSAFE) && !nbcon_allow_unsafe_takeover())
|
||||
return false;
|
||||
}
|
||||
|
||||
/*
|
||||
* For the !use_atomic case, @printk_kthreads_running is not
|
||||
|
||||
@@ -1408,6 +1408,26 @@ enum nbcon_prio nbcon_get_default_prio(void)
|
||||
return NBCON_PRIO_NORMAL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Track if it is allowed to perform unsafe hostile takeovers of console
|
||||
* ownership. When true, console drivers might perform unsafe actions while
|
||||
* printing. It is externally available via nbcon_allow_unsafe_takeover().
|
||||
*/
|
||||
static bool panic_nbcon_allow_unsafe_takeover;
|
||||
|
||||
/**
|
||||
* nbcon_allow_unsafe_takeover - Check if unsafe console takeovers are allowed
|
||||
*
|
||||
* Return: True, when it is permitted to perform unsafe console printing
|
||||
*
|
||||
* This is also used by console_is_usable() to determine if it is allowed to
|
||||
* call write_atomic() callbacks flagged as unsafe (CON_NBCON_ATOMIC_UNSAFE).
|
||||
*/
|
||||
bool nbcon_allow_unsafe_takeover(void)
|
||||
{
|
||||
return panic_on_this_cpu() && panic_nbcon_allow_unsafe_takeover;
|
||||
}
|
||||
|
||||
/**
|
||||
* nbcon_legacy_emit_next_record - Print one record for an nbcon console
|
||||
* in legacy contexts
|
||||
@@ -1478,7 +1498,6 @@ bool nbcon_legacy_emit_next_record(struct console *con, bool *handover,
|
||||
* write_atomic() callback
|
||||
* @con: The nbcon console to flush
|
||||
* @stop_seq: Flush up until this record
|
||||
* @allow_unsafe_takeover: True, to allow unsafe hostile takeovers
|
||||
*
|
||||
* Return: 0 if @con was flushed up to @stop_seq Otherwise, error code on
|
||||
* failure.
|
||||
@@ -1497,8 +1516,7 @@ bool nbcon_legacy_emit_next_record(struct console *con, bool *handover,
|
||||
* returned, it cannot be expected that the unfinalized record will become
|
||||
* available.
|
||||
*/
|
||||
static int __nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq,
|
||||
bool allow_unsafe_takeover)
|
||||
static int __nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq)
|
||||
{
|
||||
struct nbcon_write_context wctxt = { };
|
||||
struct nbcon_context *ctxt = &ACCESS_PRIVATE(&wctxt, ctxt);
|
||||
@@ -1507,7 +1525,7 @@ static int __nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq,
|
||||
ctxt->console = con;
|
||||
ctxt->spinwait_max_us = 2000;
|
||||
ctxt->prio = nbcon_get_default_prio();
|
||||
ctxt->allow_unsafe_takeover = allow_unsafe_takeover;
|
||||
ctxt->allow_unsafe_takeover = nbcon_allow_unsafe_takeover();
|
||||
|
||||
if (!nbcon_context_try_acquire(ctxt, false))
|
||||
return -EPERM;
|
||||
@@ -1538,15 +1556,13 @@ static int __nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq,
|
||||
* write_atomic() callback
|
||||
* @con: The nbcon console to flush
|
||||
* @stop_seq: Flush up until this record
|
||||
* @allow_unsafe_takeover: True, to allow unsafe hostile takeovers
|
||||
*
|
||||
* This will stop flushing before @stop_seq if another context has ownership.
|
||||
* That context is then responsible for the flushing. Likewise, if new records
|
||||
* are added while this context was flushing and there is no other context
|
||||
* to handle the printing, this context must also flush those records.
|
||||
*/
|
||||
static void nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq,
|
||||
bool allow_unsafe_takeover)
|
||||
static void nbcon_atomic_flush_pending_con(struct console *con, u64 stop_seq)
|
||||
{
|
||||
struct console_flush_type ft;
|
||||
unsigned long flags;
|
||||
@@ -1561,7 +1577,7 @@ again:
|
||||
*/
|
||||
local_irq_save(flags);
|
||||
|
||||
err = __nbcon_atomic_flush_pending_con(con, stop_seq, allow_unsafe_takeover);
|
||||
err = __nbcon_atomic_flush_pending_con(con, stop_seq);
|
||||
|
||||
local_irq_restore(flags);
|
||||
|
||||
@@ -1593,9 +1609,8 @@ again:
|
||||
* __nbcon_atomic_flush_pending - Flush all nbcon consoles using their
|
||||
* write_atomic() callback
|
||||
* @stop_seq: Flush up until this record
|
||||
* @allow_unsafe_takeover: True, to allow unsafe hostile takeovers
|
||||
*/
|
||||
static void __nbcon_atomic_flush_pending(u64 stop_seq, bool allow_unsafe_takeover)
|
||||
static void __nbcon_atomic_flush_pending(u64 stop_seq)
|
||||
{
|
||||
struct console *con;
|
||||
int cookie;
|
||||
@@ -1613,7 +1628,7 @@ static void __nbcon_atomic_flush_pending(u64 stop_seq, bool allow_unsafe_takeove
|
||||
if (nbcon_seq_read(con) >= stop_seq)
|
||||
continue;
|
||||
|
||||
nbcon_atomic_flush_pending_con(con, stop_seq, allow_unsafe_takeover);
|
||||
nbcon_atomic_flush_pending_con(con, stop_seq);
|
||||
}
|
||||
console_srcu_read_unlock(cookie);
|
||||
}
|
||||
@@ -1629,7 +1644,7 @@ static void __nbcon_atomic_flush_pending(u64 stop_seq, bool allow_unsafe_takeove
|
||||
*/
|
||||
void nbcon_atomic_flush_pending(void)
|
||||
{
|
||||
__nbcon_atomic_flush_pending(prb_next_reserve_seq(prb), false);
|
||||
__nbcon_atomic_flush_pending(prb_next_reserve_seq(prb));
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1641,7 +1656,9 @@ void nbcon_atomic_flush_pending(void)
|
||||
*/
|
||||
void nbcon_atomic_flush_unsafe(void)
|
||||
{
|
||||
__nbcon_atomic_flush_pending(prb_next_reserve_seq(prb), true);
|
||||
panic_nbcon_allow_unsafe_takeover = true;
|
||||
__nbcon_atomic_flush_pending(prb_next_reserve_seq(prb));
|
||||
panic_nbcon_allow_unsafe_takeover = false;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1848,7 +1865,7 @@ void nbcon_device_release(struct console *con)
|
||||
* using the legacy loop.
|
||||
*/
|
||||
if (ft.nbcon_atomic) {
|
||||
__nbcon_atomic_flush_pending_con(con, prb_next_reserve_seq(prb), false);
|
||||
__nbcon_atomic_flush_pending_con(con, prb_next_reserve_seq(prb));
|
||||
} else if (ft.legacy_direct) {
|
||||
if (console_trylock())
|
||||
console_unlock();
|
||||
@@ -1918,5 +1935,5 @@ void nbcon_kdb_release(struct nbcon_write_context *wctxt)
|
||||
* The console was locked only when the write_atomic() callback
|
||||
* was usable.
|
||||
*/
|
||||
__nbcon_atomic_flush_pending_con(ctxt->console, prb_next_reserve_seq(prb), false);
|
||||
__nbcon_atomic_flush_pending_con(ctxt->console, prb_next_reserve_seq(prb));
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user