[PATCH printk v2 2/5] printk: Add NMI safety to console_flush_on_panic() and console_unblank()

From: John Ogness
Date: Mon Jul 10 2023 - 09:45:42 EST

Next message: John Ogness: "[PATCH printk v2 4/5] printk: Add per-console suspended state"
Previous message: John Ogness: "[PATCH printk v2 3/5] printk: Consolidate console deferred printing"
In reply to: Petr Mladek: "Re: [PATCH printk v2 3/5] printk: Consolidate console deferred printing"
Next in thread: Petr Mladek: "Re: [PATCH printk v2 2/5] printk: Add NMI safety to console_flush_on_panic() and console_unblank()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The printk path is NMI safe because it only adds content to the
buffer and then triggers the delayed output via irq_work. If the
console is flushed or unblanked on panic (from NMI context) then it
can deadlock in down_trylock_console_sem() because the semaphore is
not NMI safe.

Avoid taking the console lock when flushing in panic. To prevent
other CPUs from taking the console lock while flushing, have
console_lock() block and console_trylock() fail for non-panic CPUs
during panic.

Skip unblanking in panic if the current context is NMI.

Signed-off-by: John Ogness <john.ogness@xxxxxxxxxxxxx>
---
kernel/printk/printk.c | 77 +++++++++++++++++++++++++++---------------
1 file changed, 49 insertions(+), 28 deletions(-)

diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 9644f6e5bf15..8a6c917dc081 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -2583,6 +2583,25 @@ static int console_cpu_notify(unsigned int cpu)
return 0;
}

+/*
+ * Return true when this CPU should unlock console_sem without pushing all
+ * messages to the console. This reduces the chance that the console is
+ * locked when the panic CPU tries to use it.
+ */
+static bool abandon_console_lock_in_panic(void)
+{
+ if (!panic_in_progress())
+ return false;
+
+ /*
+ * We can use raw_smp_processor_id() here because it is impossible for
+ * the task to be migrated to the panic_cpu, or away from it. If
+ * panic_cpu has already been set, and we're not currently executing on
+ * that CPU, then we never will be.
+ */
+ return atomic_read(&panic_cpu) != raw_smp_processor_id();
+}
+
/**
* console_lock - block the console subsystem from printing
*
@@ -2595,6 +2614,10 @@ void console_lock(void)
{
might_sleep();

+ /* On panic, the console_lock must be left to the panic cpu. */
+ while (abandon_console_lock_in_panic())
+ msleep(1000);
+
down_console_sem();
if (console_suspended)
return;
@@ -2613,6 +2636,9 @@ EXPORT_SYMBOL(console_lock);
*/
int console_trylock(void)
{
+ /* On panic, the console_lock must be left to the panic cpu. */
+ if (abandon_console_lock_in_panic())
+ return 0;
if (down_trylock_console_sem())
return 0;
if (console_suspended) {
@@ -2631,25 +2657,6 @@ int is_console_locked(void)
}
EXPORT_SYMBOL(is_console_locked);

-/*
- * Return true when this CPU should unlock console_sem without pushing all
- * messages to the console. This reduces the chance that the console is
- * locked when the panic CPU tries to use it.
- */
-static bool abandon_console_lock_in_panic(void)
-{
- if (!panic_in_progress())
- return false;
-
- /*
- * We can use raw_smp_processor_id() here because it is impossible for
- * the task to be migrated to the panic_cpu, or away from it. If
- * panic_cpu has already been set, and we're not currently executing on
- * that CPU, then we never will be.
- */
- return atomic_read(&panic_cpu) != raw_smp_processor_id();
-}
-
/*
* Check if the given console is currently capable and allowed to print
* records.
@@ -3054,6 +3061,10 @@ void console_unblank(void)
* In that case, attempt a trylock as best-effort.
*/
if (oops_in_progress) {
+ /* Semaphores are not NMI-safe. */
+ if (in_nmi())
+ return;
+
if (down_trylock_console_sem() != 0)
return;
} else
@@ -3083,14 +3094,24 @@ void console_unblank(void)
*/
void console_flush_on_panic(enum con_flush_mode mode)
{
+ bool handover;
+ u64 next_seq;
+
/*
- * If someone else is holding the console lock, trylock will fail
- * and may_schedule may be set. Ignore and proceed to unlock so
- * that messages are flushed out. As this can be called from any
- * context and we don't want to get preempted while flushing,
- * ensure may_schedule is cleared.
+ * Ignore the console lock and flush out the messages. Attempting a
+ * trylock would not be useful because:
+ *
+ * - if it is contended, it must be ignored anyway
+ * - console_lock() and console_trylock() block and fail
+ * respectively in panic for non-panic CPUs
+ * - semaphores are not NMI-safe
+ */
+
+ /*
+ * If another context is holding the console lock,
+ * @console_may_schedule might be set. Clear it so that
+ * this context does not call cond_resched() while flushing.
*/
- console_trylock();
console_may_schedule = 0;

if (mode == CONSOLE_REPLAY_ALL) {
@@ -3103,15 +3124,15 @@ void console_flush_on_panic(enum con_flush_mode mode)
cookie = console_srcu_read_lock();
for_each_console_srcu(c) {
/*
- * If the above console_trylock() failed, this is an
- * unsynchronized assignment. But in that case, the
+ * This is an unsynchronized assignment, but the
* kernel is in "hope and pray" mode anyway.
*/
c->seq = seq;
}
console_srcu_read_unlock(cookie);
}
- console_unlock();
+
+ console_flush_all(false, &next_seq, &handover);
}

/*
--
2.30.2

Next message: John Ogness: "[PATCH printk v2 4/5] printk: Add per-console suspended state"
Previous message: John Ogness: "[PATCH printk v2 3/5] printk: Consolidate console deferred printing"
In reply to: Petr Mladek: "Re: [PATCH printk v2 3/5] printk: Consolidate console deferred printing"
Next in thread: Petr Mladek: "Re: [PATCH printk v2 2/5] printk: Add NMI safety to console_flush_on_panic() and console_unblank()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]