Received: by 2002:a05:7412:cfc7:b0:fc:a2b0:25d7 with SMTP id by7csp1848585rdb; Tue, 20 Feb 2024 08:41:52 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVKg6nrU8ETGVrL52WYbrkml4sKkVvCidhnuMm6xJZQjf+DgFlQdvKOMbIqLospvmHdQoWZpcWztyrKlF9G51KsCXv9aKLn1Tgsy2apYA== X-Google-Smtp-Source: AGHT+IEfc6dvnjvHPTK8xSJRKS9KvY9WEpHLRDoUyXc1vH14HxGAh17Y/2Id/XbJ/oFGNOPpCspH X-Received: by 2002:a05:6358:8aa:b0:176:5c72:8e6b with SMTP id m42-20020a05635808aa00b001765c728e6bmr19954865rwj.0.1708447311685; Tue, 20 Feb 2024 08:41:51 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1708447311; cv=pass; d=google.com; s=arc-20160816; b=Zbp3Okwda1cEkcYBXPzB6KfWk4iWLSqjDHp9dYIe1DkbIsxpUMi2Aj4gPmiga3SwsP 1cJKuyLqkB5wXsTKJiYMjPAVkYT0ObM2Fa7t9uaP8IZkEo6ek1WoO9ezrwFlrl8/heTq jw4ACN0PZYdyv9iHL1+GTjaJUB3br8DYqOtboWFTSf77rLfhbyxUan3hyDK17OjMQqPk /1OSV60rGOFAbLcpr08BPbkhRxZM0Yes8WT3QbIsRsmMliLiYB/15FtsEP/erqI0I6Nl 4C5ioiWIVg0lhf9xpsyVyh/dTo7LF7+OnTFI0PuwOYsN3jznwAR4d2qhtvVinpLb6WOW TEjQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :message-id:date:references:in-reply-to:subject:cc:to:dkim-signature :dkim-signature:from; bh=QFtBnVpmjj9QkVhwE8uoha4NhmQA+CgIGJamwL8qgPE=; fh=pKnPKUsir0uEGSsor+4Zc2vgbu+g+ayvUgsdzkuXaoA=; b=Hgk4S1xnMbOTqd//uYCosvkuCKh/keKk49O8UCZZFSK6IBogyz5kCWhfBj4jnYbFi6 avebjOc3p2zpmEy9eUnPSYJMG75io6Bto8GsMhSUHIyexj680sDqV80fUQJiTY2i0vim z2naCkkNOl5wsW+tqtZFwubMcIGDeQQQyuf9mWICgKHWZJ+dA2dyZiJIvncYDixk4eFX I/lVKfl7+Jp3Z8R/9sYfgIIZrP4D4DPYDiQkZx/4XdmLr9WlnVxRThky6iWtF/9QQ4gU 5kXH5Y7GMAOH1hJaXUtzbKCWaxYO1wfXMXqK8RpNv/ss6t+hqkfhLSHoMQHMNRu1k45b 1maA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=VIcAevZM; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e header.b=GVouwBFZ; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-73357-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-73357-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1]) by mx.google.com with ESMTPS id v63-20020a632f42000000b005dc927ee328si6433784pgv.662.2024.02.20.08.41.51 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Feb 2024 08:41:51 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-73357-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@linutronix.de header.s=2020 header.b=VIcAevZM; dkim=neutral (no key) header.i=@linutronix.de header.s=2020e header.b=GVouwBFZ; arc=pass (i=1 spf=pass spfdomain=linutronix.de dkim=pass dkdomain=linutronix.de dmarc=pass fromdomain=linutronix.de); spf=pass (google.com: domain of linux-kernel+bounces-73357-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-73357-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=linutronix.de Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 29A8FB21630 for ; Tue, 20 Feb 2024 16:29:41 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 19A8A763EF; Tue, 20 Feb 2024 16:29:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="VIcAevZM"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="GVouwBFZ" Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D98B67C4D for ; Tue, 20 Feb 2024 16:29:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708446574; cv=none; b=bfkoxQCfEHxqOCsKICQqWW4vd8wiWJQRGw973A0EPFxVpL/nfZUZvw847Cha9o+Bgru+UAYRqZ2BMAXjft8UAW43Jiqxp5hd1pAwS/VQcCm91XIR5N0HuJttnBzE+ax1ls7jjfWSklwltkxX5/E2yDFxHClxnJO289EEWGdguKg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1708446574; c=relaxed/simple; bh=G//O48lj/o6qEVj46+ng5J07Z8+VCB5i+gnKDaQ25Ik=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=V1Afohv3byA5vKSuVGLYR4EvWT7HJcLLtfxn6R9tbqdZacKFaCUyJR0CTW3B5S4vytfGCVyFeLxjSNKaNIHHEOISlpe02rihAPZjHN6BtiRsehiVzsISQM2k+XvvM1kqjqOQc0jyfiXMZFc/stMAFghifkLi0Q8YCJIXsgIv4MA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=VIcAevZM; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=GVouwBFZ; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de From: John Ogness DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1708446570; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=QFtBnVpmjj9QkVhwE8uoha4NhmQA+CgIGJamwL8qgPE=; b=VIcAevZM5aOKUM0T8NdB25zrY4LPvy6M6cEgR/BSAivw6gX5b5H684ZoKocl3bvWCDphiM wk4ubvUiBIG0+QZE5K8YUgwTVVCVlpOldoPR6OXDyadJD2+afVOMGPZmosfiwBKBhRBY2h HGrzDiliJ2G4RaBo7d4m9HXOWIp81ICSYr9TPAvV76pzFFEOeRmkuI689k9v6nRVvjxdg1 rqOfYfBKPuzq+EAnng2f0ak1uYT04bZ5NUYVo3S7KcptcYK9oT/NqDgGMvYK0ENjpuZdc1 /xNWX/G46Jk1VFTopEggDGTamDqPY8TDVEG0/EiXLHlB0QIqkIy2BV/u1kA0XQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1708446570; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=QFtBnVpmjj9QkVhwE8uoha4NhmQA+CgIGJamwL8qgPE=; b=GVouwBFZSqs+wk1Po3fIqWjzdPRkESw2E3TW8nvUoVbR1H+lO4jqT/9xPbhMq7ilDKDh2K RpM+svaX7YiLIyDA== To: Petr Mladek Cc: Sergey Senozhatsky , Steven Rostedt , Thomas Gleixner , linux-kernel@vger.kernel.org Subject: Re: [PATCH printk v2 06/26] printk: nbcon: Ensure ownership release on failed emit In-Reply-To: References: <20240218185726.1994771-1-john.ogness@linutronix.de> <20240218185726.1994771-7-john.ogness@linutronix.de> Date: Tue, 20 Feb 2024 17:35:08 +0106 Message-ID: <87o7cbgkvf.fsf@jogness.linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain On 2024-02-20, Petr Mladek wrote: >> Until now it was assumed that ownership has been lost when the >> write_atomic() callback fails. And nbcon_emit_next_record() >> directly returned false. However, if nbcon_emit_next_record() >> returns false, the context must no longer have ownership. >> >> The semantics for the callbacks could be specified such that >> if they return false, they must have released ownership. But >> in practice those semantics seem odd since the ownership was >> acquired outside of the callback. >> >> Ensure ownership has been released before reporting failure by >> explicitly attempting a release. If the current context is not >> the owner, the release has no effect. > > Hmm, the new semantic is not ideal either. And I think that it is > even worse. The function still releases the owership even though > it has been acquired by the caller. In addition, it causes > a double unlock in a valid case. I know that the 2nd > nbcon_context_release() is a NOP but... > > I would personally solve this by adding a comment into the code > and moving the check, see below. > >> --- a/kernel/printk/nbcon.c >> +++ b/kernel/printk/nbcon.c >> @@ -891,17 +891,18 @@ static bool nbcon_emit_next_record(struct nbcon_write_context *wctxt) >> nbcon_state_read(con, &cur); >> wctxt->unsafe_takeover = cur.unsafe_takeover; >> >> - if (con->write_atomic) { >> + if (con->write_atomic) >> done = con->write_atomic(con, wctxt); >> - } else { > > This code path does not create a bad semantic. The semantic is > as it is because the context might lose the ownership in "any" > nested function. > > Well, it might deserve a comment, something like: > > /* > * nbcon_emit_next_record() should never be called for legacy > * consoles. Handle it as if write_atomic() have lost > * the ownership and try to continue. > */ >> - nbcon_context_release(ctxt); >> - WARN_ON_ONCE(1); >> - done = false; >> - } >> >> - /* If not done, the emit was aborted. */ >> - if (!done) >> + if (!done) { >> + /* >> + * The emit was aborted, probably due to a loss of ownership. >> + * Ensure ownership was lost or released before reporting the >> + * loss. >> + */ > > Is there a valid reason when con->write_atomic() would return false > and still own the context? This is driver code, so you must use your imagination. But I thought maybe there might be some reason why the driver cannot print the message (due to other driver-internal reasons). In this case, it would return false even though it never lost ownership. > If not, then this would hide bugs and cause double unlock in > the valid case. Even if true is returned, that does not mean that there is still ownership (because it can be lost at any time). And even if we hit the WARN because there is no callback, ownership may have been lost. My point is that there is _always_ a chance that nbcon_context_release() will be called when ownership was already lost. nbcon_context_release() was purposely implemented with the idea that it may be called by a context that has lost ownership. So why not leverage this here? It is _critical_ that if _this_ function returns false, the context no longer has ownership. We could add a nbcon_can_proceed() in front of the release, but nbcon_context_release() already does that internally. >> + nbcon_context_release(ctxt); >> return false; > > Even better solution might be to do the check at the beginning of > the function. It might look like: > > if (WARN_ON_ONCE(!con->write_atomic)) { > /* > * This function should never be called for legacy consoles. > * Handle it as if write_atomic() have lost the ownership > * and try to continue. > */ > nbcon_context_release(ctxt); > return false; > } In the future, con->write_thread() is added. So the missing callback check will end up in a final else branch anyway. John