2022-09-10 23:12:34

by Thomas Gleixner

Subject: [patch RFC 06/29] printk: Protect [un]register_console() with a mutex

Unprotected list walks are a brilliant idea. Especially in the context of
hotpluggable consoles.

Signed-off-by: Thomas Gleixner <[email protected]>
---
include/linux/console.h | 30 ++++++++++++++++--
kernel/printk/printk.c | 79 ++++++++++++++++++++++++++++++++++++++++--------
2 files changed, 93 insertions(+), 16 deletions(-)

--- a/include/linux/console.h
+++ b/include/linux/console.h
@@ -157,10 +157,34 @@ struct console {
struct console *next;
};

-/*
- * for_each_console() allows you to iterate on each console
+#ifdef CONFIG_LOCKDEP
+extern void lockdep_assert_console_list_lock_held(void);
+#else
+static inline void lockdep_assert_console_list_lock_held(void) { }
+#endif
+
+extern void console_list_lock(void) __acquires(console_mutex);
+extern void console_list_unlock(void) __releases(console_mutex);
+
+/**
+ * for_each_registered_console() - Iterator over registered consoles
+ * @con: struct console pointer used as loop cursor
+ *
+ * Requires console_list_lock to be held. Can only be invoked from
+ * preemptible context.
+ */
+#define for_each_registered_console(con) \
+ lockdep_assert_console_list_lock_held(); \
+ for (con = console_drivers; con != NULL; con = con->next)
+
+/**
+ * for_each_console() - Iterator over registered consoles
+ * @con: struct console pointer used as loop cursor
+ *
+ * Requires console_lock to be held which guarantees that the
+ * list is immutable.
*/
-#define for_each_console(con) \
+#define for_each_console(con) \
for (con = console_drivers; con != NULL; con = con->next)

extern int console_set_on_cmdline;
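Review bot: `for_each_registered_console()` expands to two statements, so if it is ever used as the unbraced body of an `if` or `else`, only the lockdep assertion is guarded and the list walk runs unconditionally. Folding the assertion into the loop's init clause keeps the macro a single statement: `for (lockdep_assert_console_list_lock_held(), con = console_drivers; con != NULL; con = con->next)`. The callers visible in this patch all use it at statement level, so none of them hit the problem, but the macro lives in a public header where other users may not.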
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -79,10 +79,14 @@ int oops_in_progress;
EXPORT_SYMBOL(oops_in_progress);

/*
- * console_sem protects the console_drivers list, and also
- * provides serialisation for access to the entire console
- * driver system.
+ * console_sem protects the console_drivers list, and also provides
+ * serialization for access to the entire console driver system.
+ *
+ * console_mutex serializes register/unregister. console_sem has to be
+ * taken for any list manipulation inside the console_mutex locked
+ * section to keep the console BKL machinery happy.
*/
+static DEFINE_MUTEX(console_mutex);
static DEFINE_SEMAPHORE(console_sem);
struct console *console_drivers;
EXPORT_SYMBOL_GPL(console_drivers);
@@ -103,6 +107,12 @@ static int __read_mostly suppress_panic_
static struct lockdep_map console_lock_dep_map = {
.name = "console_lock"
};
+
+void lockdep_assert_console_list_lock_held(void)
+{
+ lockdep_assert_held(&console_mutex);
+}
+
#endif

enum devkmsg_log_bits {
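Review bot: `lockdep_assert_console_list_lock_held()` is defined here without an `EXPORT_SYMBOL`, yet `for_each_registered_console()` in include/linux/console.h calls it, so a modular user of the iterator would presumably fail to link when CONFIG_LOCKDEP is enabled. The same applies to `console_list_lock()` and `console_list_unlock()` in the following hunk, which are declared in the public header and documented as being for procfs/sysfs-style walkers. If modules are meant to walk the list, add `EXPORT_SYMBOL(lockdep_assert_console_list_lock_held);`, `EXPORT_SYMBOL(console_list_lock);` and `EXPORT_SYMBOL(console_list_unlock);`; if not, a comment saying the API is built-in only would help. The enclosing `#ifdef` starts outside the hunk, so I am assuming it is the CONFIG_LOCKDEP block.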
@@ -220,6 +230,26 @@ int devkmsg_sysctl_set_loglvl(struct ctl
}
#endif /* CONFIG_PRINTK && CONFIG_SYSCTL */

+/**
+ * console_list_lock - Lock the console list
+ *
+ * For non-console related list walks, e.g. procfs, sysfs...
+ */
+void console_list_lock(void)
+{
+ mutex_lock(&console_mutex);
+}
+
+/**
+ * console_list_unlock - Unlock the console list
+ *
+ * Counterpart to console_list_lock()
+ */
+void console_list_unlock(void)
+{
+ mutex_unlock(&console_mutex);
+}
+
/*
* Helper macros to handle lockdep when locking/unlocking console_sem. We use
* macros instead of functions so that _RET_IP_ contains useful information.
@@ -2978,17 +3008,21 @@ struct tty_driver *console_device(int *i
void console_stop(struct console *console)
{
__pr_flush(console, 1000, true);
+ console_list_lock();
console_lock();
console->flags &= ~CON_ENABLED;
console_unlock();
+ console_list_unlock();
}
EXPORT_SYMBOL(console_stop);

void console_start(struct console *console)
{
+ console_list_lock();
console_lock();
console->flags |= CON_ENABLED;
console_unlock();
+ console_list_unlock();
__pr_flush(console, 1000, true);
}
EXPORT_SYMBOL(console_start);
@@ -3081,6 +3115,8 @@ static void try_enable_default_console(s
(con->flags & CON_BOOT) ? "boot" : "", \
con->name, con->index, ##__VA_ARGS__)

+static int console_unregister_locked(struct console *console);
+
/*
* The console driver calls this routine during kernel initialization
* to register the console printing procedure with printk() and to
@@ -3107,13 +3143,14 @@ void register_console(struct console *ne
bool realcon_enabled = false;
int err;

- for_each_console(con) {
+ console_list_lock();
+ for_each_registered_console(con) {
if (WARN(con == newcon, "console '%s%d' already registered\n",
con->name, con->index))
- return;
+ goto unlock;
}

- for_each_console(con) {
+ for_each_registered_console(con) {
if (con->flags & CON_BOOT)
bootcon_enabled = true;
else
@@ -3124,7 +3161,7 @@ void register_console(struct console *ne
if (newcon->flags & CON_BOOT && realcon_enabled) {
pr_info("Too late to register bootconsole %s%d\n",
newcon->name, newcon->index);
- return;
+ goto unlock;
}

/*
@@ -3155,7 +3192,7 @@ void register_console(struct console *ne

/* printk() messages are not printed to the Braille console. */
if (err || newcon->flags & CON_BRL)
- return;
+ goto unlock;

/*
* If we have a bootconsole, and are switching to a real console,
@@ -3209,14 +3246,17 @@ void register_console(struct console *ne
if (bootcon_enabled &&
((newcon->flags & (CON_CONSDEV | CON_BOOT)) == CON_CONSDEV) &&
!keep_bootcon) {
- for_each_console(con)
+ for_each_console(con) {
if (con->flags & CON_BOOT)
- unregister_console(con);
+ console_unregister_locked(con);
+ }
}
+unlock:
+ console_list_unlock();
}
EXPORT_SYMBOL(register_console);

-int unregister_console(struct console *console)
+static int console_unregister_locked(struct console *console)
{
struct console *con;
int res;
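Review bot: The bootconsole removal loop in register_console() still uses `for_each_console(con)`, whose new kernel-doc in this patch says it requires console_lock, while the other walks visible in this patch were switched to `for_each_registered_console(con)`; from the visible lines only console_list_lock is held at this point. Using `for_each_registered_console(con) {` here would match the locking that is actually in place and pick up the lockdep check. The loop also calls `console_unregister_locked(con)` on the cursor and then advances through `con->next`, which relies on an unregistered console keeping a valid `next` pointer; the same pattern appears in the printk_late_init() hunks. A comment stating that reliance, or reading `con->next` into a local before the call, would keep the walk safe against later changes to the unlink code. The body of register_console() starts outside this hunk.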
@@ -3269,6 +3309,16 @@ int unregister_console(struct console *c

return res;
}
+
+int unregister_console(struct console *console)
+{
+ int res;
+
+ console_list_lock();
+ res = console_unregister_locked(console);
+ console_list_unlock();
+ return res;
+}
EXPORT_SYMBOL(unregister_console);

/*
@@ -3320,7 +3370,8 @@ static int __init printk_late_init(void)
struct console *con;
int ret;

- for_each_console(con) {
+ console_list_lock();
+ for_each_registered_console(con) {
if (!(con->flags & CON_BOOT))
continue;

@@ -3337,9 +3388,11 @@ static int __init printk_late_init(void)
*/
pr_warn("bootconsole [%s%d] uses init memory and must be disabled even before the real one is ready\n",
con->name, con->index);
- unregister_console(con);
+ console_unregister_locked(con);
}
}
+ console_list_unlock();
+
ret = cpuhp_setup_state_nocalls(CPUHP_PRINTK_DEAD, "printk:dead", NULL,
console_cpu_notify);
WARN_ON(ret < 0);


2022-09-14 12:38:12

by Sergey Senozhatsky

Subject: Re: [patch RFC 06/29] printk: Protect [un]register_console() with a mutex

On (22/09/11 00:27), Thomas Gleixner wrote:
[..]
> + * console_sem protects the console_drivers list, and also provides
> + * serialization for access to the entire console driver system.
> + *
> + * console_mutex serializes register/unregister. console_sem has to be
> + * taken for any list manipulation inside the console_mutex locked
> + * section to keep the console BKL machinery happy.
> */
> +static DEFINE_MUTEX(console_mutex);
> static DEFINE_SEMAPHORE(console_sem);
[..]
> /*
> * Helper macros to handle lockdep when locking/unlocking console_sem. We use
> * macros instead of functions so that _RET_IP_ contains useful information.
> @@ -2978,17 +3008,21 @@ struct tty_driver *console_device(int *i
> void console_stop(struct console *console)
> {
> __pr_flush(console, 1000, true);
> + console_list_lock();
> console_lock();
> console->flags &= ~CON_ENABLED;
> console_unlock();
> + console_list_unlock();
> }
> EXPORT_SYMBOL(console_stop);
>
> void console_start(struct console *console)
> {
> + console_list_lock();
> console_lock();
> console->flags |= CON_ENABLED;
> console_unlock();
> + console_list_unlock();
> __pr_flush(console, 1000, true);
> }
> EXPORT_SYMBOL(console_start);

So the comment says that list lock (console_mutex) is to serialize
register/unregister, but then we take it in stop/start as well. What
does list lock protect us against in start/stop? console->flags reader
(console_is_usable()) does not take list lock, it's called under console
lock and console->flags writers (console_unregister() and console_stop())
modify console->flags under console_lock.

2022-09-14 12:40:06

by Sergey Senozhatsky

Subject: Re: [patch RFC 06/29] printk: Protect [un]register_console() with a mutex

On (22/09/11 00:27), Thomas Gleixner wrote:
>
> Unprotected list walks are a brilliant idea. Especially in the context of
> hotpluggable consoles.

If it crashes on you then "you're holding the computer the wrong way" ;)

2022-09-19 13:32:29

by John Ogness

Subject: Re: [patch RFC 06/29] printk: Protect [un]register_console() with a mutex

On 2022-09-14, Sergey Senozhatsky <[email protected]> wrote:
> On (22/09/11 00:27), Thomas Gleixner wrote:
> [..]
>> + * console_sem protects the console_drivers list, and also provides
>> + * serialization for access to the entire console driver system.
>> + *
>> + * console_mutex serializes register/unregister. console_sem has to be
>> + * taken for any list manipulation inside the console_mutex locked
>> + * section to keep the console BKL machinery happy.
>> */
>> +static DEFINE_MUTEX(console_mutex);
>> static DEFINE_SEMAPHORE(console_sem);
> [..]
>> /*
>> * Helper macros to handle lockdep when locking/unlocking console_sem. We use
>> * macros instead of functions so that _RET_IP_ contains useful information.
>> @@ -2978,17 +3008,21 @@ struct tty_driver *console_device(int *i
>> void console_stop(struct console *console)
>> {
>> __pr_flush(console, 1000, true);
>> + console_list_lock();
>> console_lock();
>> console->flags &= ~CON_ENABLED;
>> console_unlock();
>> + console_list_unlock();
>> }
>> EXPORT_SYMBOL(console_stop);
>>
>> void console_start(struct console *console)
>> {
>> + console_list_lock();
>> console_lock();
>> console->flags |= CON_ENABLED;
>> console_unlock();
>> + console_list_unlock();
>> __pr_flush(console, 1000, true);
>> }
>> EXPORT_SYMBOL(console_start);
>
> So the comment says that list lock (console_mutex) is to serialize
> register/unregister, but then we take it in stop/start as well. What
> does list lock protect us against in start/stop? console->flags reader
> (console_is_usable()) does not take list lock, it's called under console
> lock and console->flags writers (console_unregister() and console_stop())
> modify console->flags under console_lock.

Currently all writers to console->flags are holding the
console_lock. However, there are console->flags readers that do _not_
hold the console_lock (register_console, unregister_console,
printk_late_init).

Aside from adding list synchronization, the list lock also provides the
missing console->flags synchronization. Now all console->flags writers
hold the list lock _and_ console_lock. A console->flags reader can hold
either the list lock or the console_lock.

Since console_start and console_stop are console->flags writers, they
also need to take the list lock. I agree that this should be mentioned
in the commit message and code comments.

The follow-up patch in the series only deals with list/flags
readers. Therefore I think the change to console_stop/console_start
belongs in this patch, which focusses on fixing synchronization.

John

2022-09-27 10:46:31

by Petr Mladek

Subject: Re: [patch RFC 06/29] printk: Protect [un]register_console() with a mutex

On Sun 2022-09-11 00:27:41, Thomas Gleixner wrote:
> Unprotected list walks are a brilliant idea. Especially in the context of
> hotpluggable consoles.

Yeah, it is crazy. And it is there probably since the beginning.

> --- a/kernel/printk/printk.c
> +++ b/kernel/printk/printk.c
> @@ -79,10 +79,14 @@ int oops_in_progress;
> EXPORT_SYMBOL(oops_in_progress);
>
> /*
> - * console_sem protects the console_drivers list, and also
> - * provides serialisation for access to the entire console
> - * driver system.
> + * console_sem protects the console_drivers list, and also provides
> + * serialization for access to the entire console driver system.
> + *
> + * console_mutex serializes register/unregister. console_sem has to be
> + * taken for any list manipulation inside the console_mutex locked
> + * section to keep the console BKL machinery happy.
> */
> +static DEFINE_MUTEX(console_mutex);
> static DEFINE_SEMAPHORE(console_sem);
> struct console *console_drivers;
> EXPORT_SYMBOL_GPL(console_drivers);
> @@ -220,6 +230,26 @@ int devkmsg_sysctl_set_loglvl(struct ctl
> }
> #endif /* CONFIG_PRINTK && CONFIG_SYSCTL */
>
> +/**
> + * console_list_lock - Lock the console list
> + *
> + * For non-console related list walks, e.g. procfs, sysfs...
> + */
> +void console_list_lock(void)
> +{
> + mutex_lock(&console_mutex);
> +}
> +
> +/**
> + * console_list_unlock - Unlock the console list
> + *
> + * Counterpart to console_list_lock()
> + */
> +void console_list_unlock(void)
> +{
> + mutex_unlock(&console_mutex);
> +}
> +
> /*
> * Helper macros to handle lockdep when locking/unlocking console_sem. We use
> * macros instead of functions so that _RET_IP_ contains useful information.
> @@ -3107,13 +3143,14 @@ void register_console(struct console *ne
> bool realcon_enabled = false;
> int err;
>
> - for_each_console(con) {
> + console_list_lock();

Hmm, the new mutex is really nasty. It has very strange semantic.
It makes the locking even more complicated.

The ideal solution would be take console_lock() here. We (me and
Sergey) never did it because con->match() and con->setup()
callbacks were called in try_enable_*console(). We were afraid
that some might want to take console_lock() and it could create
a deadlock. There were too many drivers and we did not find time
to check them all. And it had low priority because nobody reported
problems.

A good enough solution might be call this under the later
added srcu_read_lock(&console_srcu) and use for_each_console_srcu().

The srcu walk would prevent seeing broken list. Obviously,
the code might see outdated list and do bad decisions:

+ try to enable the same console twice

+ enable more consoles by default in try_enable_default_console()

+ associate more consoles with /dev/console, see CON_CONSDEV in
try_enable_preferred_console() and try_enable_default_console()

If we race then we could end up with more consoles enabled by default
and with more consoles with CON_CONSDEV flag.

IMHO, the rcu walk is an acceptable and conservative solution.
Registering the same driver twice is hard to imagine at all.
And I have never seen reports about too many default consoles
or CON_CONSDEV flags.

Anyway, I would like to avoid adding console_mutex. From my POV,
it is a hack that complicates the code. Taking console_lock()
should be enough. Using rcu walk would be good enough.

Do I miss something, please?

> + for_each_registered_console(con) {
> if (WARN(con == newcon, "console '%s%d' already registered\n",
> con->name, con->index))
> - return;
> + goto unlock;
> }
>
> - for_each_console(con) {
> + for_each_registered_console(con) {
> if (con->flags & CON_BOOT)
> bootcon_enabled = true;
> else

Best Regards,
Petr

2022-09-27 15:46:40

by Petr Mladek

Subject: Re: [patch RFC 06/29] printk: Protect [un]register_console() with a mutex

On Tue 2022-09-27 11:56:30, Petr Mladek wrote:
> On Sun 2022-09-11 00:27:41, Thomas Gleixner wrote:
> > Unprotected list walks are a brilliant idea. Especially in the context of
> > hotpluggable consoles.
>
> Yeah, it is crazy. And it is there probably since the beginning.
>
> > @@ -3107,13 +3143,14 @@ void register_console(struct console *ne
> > bool realcon_enabled = false;
> > int err;
> >
> > - for_each_console(con) {
> > + console_list_lock();
>
> Hmm, the new mutex is really nasty. It has very strange semantic.
> It makes the locking even more complicated.

Please, continue the discussion in the reply to the v1 patchset,
see https://lore.kernel.org/r/YzMT27FVllY3u05k@alley

I sent it to this RFC by mistake.

I am sorry for the mess.

Best Regards,
Petr