search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
9075 Improve ZFS pool import/load process and corrupted pool recovery
[unleashed.git] / usr / src / uts / common / contract / device.c
blob35daef995ac4413ec62a57ca4db1526e70070eac
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
23 */
24
25 #include <sys/mutex.h>
26 #include <sys/debug.h>
27 #include <sys/types.h>
28 #include <sys/param.h>
29 #include <sys/kmem.h>
30 #include <sys/thread.h>
31 #include <sys/id_space.h>
32 #include <sys/avl.h>
33 #include <sys/list.h>
34 #include <sys/sysmacros.h>
35 #include <sys/proc.h>
36 #include <sys/contract.h>
37 #include <sys/contract_impl.h>
38 #include <sys/contract/device.h>
39 #include <sys/contract/device_impl.h>
40 #include <sys/cmn_err.h>
41 #include <sys/nvpair.h>
42 #include <sys/policy.h>
43 #include <sys/ddi_impldefs.h>
44 #include <sys/ddi_implfuncs.h>
45 #include <sys/systm.h>
46 #include <sys/stat.h>
47 #include <sys/sunddi.h>
48 #include <sys/esunddi.h>
49 #include <sys/ddi.h>
50 #include <sys/fs/dv_node.h>
51 #include <sys/sunndi.h>
52 #undef ct_lock /* needed because clnt.h defines ct_lock as a macro */
53
54 /*
55 * Device Contracts
56 * -----------------
57 * This file contains the core code for the device contracts framework.
58 * A device contract is an agreement or a contract between a process and
59 * the kernel regarding the state of the device. A device contract may be
60 * created when a relationship is formed between a device and a process
61 * i.e. at open(2) time, or it may be created at some point after the device
62 * has been opened. A device contract once formed may be broken by either party.
63 * A device contract can be broken by the process by an explicit abandon of the
64 * contract or by an implicit abandon when the process exits. A device contract
65 * can be broken by the kernel either asynchronously (without negotiation) or
66 * synchronously (with negotiation). Exactly which happens depends on the device
67 * state transition. The following state diagram shows the transitions between
68 * device states. Only device state transitions currently supported by device
69 * contracts is shown.
70 *
71 * <-- A -->
72 * /-----------------> DEGRADED
73 * | |
74 * | |
75 * | | S
76 * | | |
77 * | | v
78 * v S --> v
79 * ONLINE ------------> OFFLINE
80 *
81 *
82 * In the figure above, the arrows indicate the direction of transition. The
83 * letter S refers to transitions which are inherently synchronous i.e.
84 * require negotiation and the letter A indicates transitions which are
85 * asynchronous i.e. are done without contract negotiations. A good example
86 * of a synchronous transition is the ONLINE -> OFFLINE transition. This
87 * transition cannot happen as long as there are consumers which have the
88 * device open. Thus some form of negotiation needs to happen between the
89 * consumers and the kernel to ensure that consumers either close devices
90 * or disallow the move to OFFLINE. Certain other transitions such as
91 * ONLINE --> DEGRADED for example, are inherently asynchronous i.e.
92 * non-negotiable. A device that suffers a fault that degrades its
93 * capabilities will become degraded irrespective of what consumers it has,
94 * so a negotiation in this case is pointless.
95 *
96 * The following device states are currently defined for device contracts:
97 *
98 * CT_DEV_EV_ONLINE
99 * The device is online and functioning normally
100 * CT_DEV_EV_DEGRADED
101 * The device is online but is functioning in a degraded capacity
102 * CT_DEV_EV_OFFLINE
103 * The device is offline and is no longer configured
104 *
105 * A typical consumer of device contracts starts out with a contract
106 * template and adds terms to that template. These include the
107 * "acceptable set" (A-set) term, which is a bitset of device states which
108 * are guaranteed by the contract. If the device moves out of a state in
109 * the A-set, the contract is broken. The breaking of the contract can
110 * be asynchronous in which case a critical contract event is sent to the
111 * contract holder but no negotiations take place. If the breaking of the
112 * contract is synchronous, negotations are opened between the affected
113 * consumer and the kernel. The kernel does this by sending a critical
114 * event to the consumer with the CTE_NEG flag set indicating that this
115 * is a negotiation event. The consumer can accept this change by sending
116 * a ACK message to the kernel. Alternatively, if it has the necessary
117 * privileges, it can send a NACK message to the kernel which will block
118 * the device state change. To NACK a negotiable event, a process must
119 * have the {PRIV_SYS_DEVICES} privilege asserted in its effective set.
120 *
121 * Other terms include the "minor path" term, specified explicitly if the
122 * contract is not being created at open(2) time or specified implicitly
123 * if the contract is being created at open time via an activated template.
124 *
125 * A contract event is sent on any state change to which the contract
126 * owner has subscribed via the informative or critical event sets. Only
127 * critical events are guaranteed to be delivered. Since all device state
128 * changes are controlled by the kernel and cannot be arbitrarily generated
129 * by a non-privileged user, the {PRIV_CONTRACT_EVENT} privilege does not
130 * need to be asserted in a process's effective set to designate an event as
131 * critical. To ensure privacy, a process must either have the same effective
132 * userid as the contract holder or have the {PRIV_CONTRACT_OBSERVER} privilege
133 * asserted in its effective set in order to observe device contract events
134 * off the device contract type specific endpoint.
135 *
136 * Yet another term available with device contracts is the "non-negotiable"
137 * term. This term is used to pre-specify a NACK to any contract negotiation.
138 * This term is ignored for asynchronous state changes. For example, a
139 * provcess may have the A-set {ONLINE|DEGRADED} and make the contract
140 * non-negotiable. In this case, the device contract framework assumes a
141 * NACK for any transition to OFFLINE and blocks the offline. If the A-set
142 * is {ONLINE} and the non-negotiable term is set, transitions to OFFLINE
143 * are NACKed but transitions to DEGRADE succeed.
144 *
145 * The OFFLINE negotiation (if OFFLINE state is not in the A-set for a contract)
146 * happens just before the I/O framework attempts to offline a device
147 * (i.e. detach a device and set the offline flag so that it cannot be
148 * reattached). A device contract holder is expected to either NACK the offline
149 * (if privileged) or release the device and allow the offline to proceed.
150 *
151 * The DEGRADE contract event (if DEGRADE is not in the A-set for a contract)
152 * is generated just before the I/O framework transitions the device state
153 * to "degraded" (i.e. DEVI_DEVICE_DEGRADED in I/O framework terminology).
154 *
155 * The contract holder is expected to ACK or NACK a negotiation event
156 * within a certain period of time. If the ACK/NACK is not received
157 * within the timeout period, the device contract framework will behave
158 * as if the contract does not exist and will proceed with the event.
159 *
160 * Unlike a process contract a device contract does not need to exist
161 * once it is abandoned, since it does not define a fault boundary. It
162 * merely represents an agreement between a process and the kernel
163 * regarding the state of the device. Once the process has abandoned
164 * the contract (either implicitly via a process exit or explicitly)
165 * the kernel has no reason to retain the contract. As a result
166 * device contracts are neither inheritable nor need to exist in an
167 * orphan state.
168 *
169 * A device unlike a process may exist in multiple contracts and has
170 * a "life" outside a device contract. A device unlike a process
171 * may exist without an associated contract. Unlike a process contract
172 * a device contract may be formed after a binding relationship is
173 * formed between a process and a device.
174 *
175 * IMPLEMENTATION NOTES
176 * ====================
177 * DATA STRUCTURES
178 * ----------------
179 * The heart of the device contracts implementation is the device contract
180 * private cont_device_t (or ctd for short) data structure. It encapsulates
181 * the generic contract_t data structure and has a number of private
182 * fields.
183 * These include:
184 * cond_minor: The minor device that is the subject of the contract
185 * cond_aset: The bitset of states which are guaranteed by the
186 * contract
187 * cond_noneg: If set, indicates that the result of negotiation has
188 * been predefined to be a NACK
189 * In addition, there are other device identifiers such the devinfo node,
190 * dev_t and spec_type of the minor node. There are also a few fields that
191 * are used during negotiation to maintain state. See
192 * uts/common/sys/contract/device_impl.h
193 * for details.
194 * The ctd structure represents the device private part of a contract of
195 * type "device"
196 *
197 * Another data structure used by device contracts is ctmpl_device. It is
198 * the device contracts private part of the contract template structure. It
199 * encapsulates the generic template structure "ct_template_t" and includes
200 * the following device contract specific fields
201 * ctd_aset: The bitset of states that should be guaranteed by a
202 * contract
203 * ctd_noneg: If set, indicates that contract should NACK a
204 * negotiation
205 * ctd_minor: The devfs_path (without the /devices prefix) of the
206 * minor node that is the subject of the contract.
207 *
208 * ALGORITHMS
209 * ---------
210 * There are three sets of routines in this file
211 * Template related routines
212 * -------------------------
213 * These routines provide support for template related operations initated
214 * via the generic template operations. These include routines that dup
215 * a template, free it, and set various terms in the template
216 * (such as the minor node path, the acceptable state set (or A-set)
217 * and the non-negotiable term) as well as a routine to query the
218 * device specific portion of the template for the abovementioned terms.
219 * There is also a routine to create (ctmpl_device_create) that is used to
220 * create a contract from a template. This routine calls (after initial
221 * setup) the common function used to create a device contract
222 * (contract_device_create).
223 *
224 * core device contract implementation
225 * ----------------------------------
226 * These routines support the generic contract framework to provide
227 * functionality that allows contracts to be created, managed and
228 * destroyed. The contract_device_create() routine is a routine used
229 * to create a contract from a template (either via an explicit create
230 * operation on a template or implicitly via an open with an
231 * activated template.). The contract_device_free() routine assists
232 * in freeing the device contract specific parts. There are routines
233 * used to abandon (contract_device_abandon) a device contract as well
234 * as a routine to destroy (which despite its name does not destroy,
235 * it only moves a contract to a dead state) a contract.
236 * There is also a routine to return status information about a
237 * contract - the level of detail depends on what is requested by the
238 * user. A value of CTD_FIXED only returns fixed length fields such
239 * as the A-set, state of device and value of the "noneg" term. If
240 * CTD_ALL is specified, the minor node path is returned as well.
241 *
242 * In addition there are interfaces (contract_device_ack/nack) which
243 * are used to support negotiation between userland processes and
244 * device contracts. These interfaces record the acknowledgement
245 * or lack thereof for negotiation events and help determine if the
246 * negotiated event should occur.
247 *
248 * "backend routines"
249 * -----------------
250 * The backend routines form the interface between the I/O framework
251 * and the device contract subsystem. These routines, allow the I/O
252 * framework to call into the device contract subsystem to notify it of
253 * impending changes to a device state as well as to inform of the
254 * final disposition of such attempted state changes. Routines in this
255 * class include contract_device_offline() that indicates an attempt to
256 * offline a device, contract_device_degrade() that indicates that
257 * a device is moving to the degraded state and contract_device_negend()
258 * that is used by the I/O framework to inform the contracts subsystem of
259 * the final disposition of an attempted operation.
260 *
261 * SUMMARY
262 * -------
263 * A contract starts its life as a template. A process allocates a device
264 * contract template and sets various terms:
265 * The A-set
266 * The device minor node
267 * Critical and informative events
268 * The noneg i.e. no negotition term
269 * Setting of these terms in the template is done via the
270 * ctmpl_device_set() entry point in this file. A process can query a
271 * template to determine the terms already set in the template - this is
272 * facilitated by the ctmpl_device_get() routine.
273 *
274 * Once all the appropriate terms are set, the contract is instantiated via
275 * one of two methods
276 * - via an explicit create operation - this is facilitated by the
277 * ctmpl_device_create() entry point
278 * - synchronously with the open(2) system call - this is achieved via the
279 * contract_device_open() routine.
280 * The core work for both these above functions is done by
281 * contract_device_create()
282 *
283 * A contract once created can be queried for its status. Support for
284 * status info is provided by both the common contracts framework and by
285 * the "device" contract type. If the level of detail requested is
286 * CTD_COMMON, only the common contract framework data is used. Higher
287 * levels of detail result in calls to contract_device_status() to supply
288 * device contract type specific status information.
289 *
290 * A contract once created may be abandoned either explicitly or implictly.
291 * In either case, the contract_device_abandon() function is invoked. This
292 * function merely calls contract_destroy() which moves the contract to
293 * the DEAD state. The device contract portion of destroy processing is
294 * provided by contract_device_destroy() which merely disassociates the
295 * contract from its device devinfo node. A contract in the DEAD state is
296 * not freed. It hanbgs around until all references to the contract are
297 * gone. When that happens, the contract is finally deallocated. The
298 * device contract specific portion of the free is done by
299 * contract_device_free() which finally frees the device contract specific
300 * data structure (cont_device_t).
301 *
302 * When a device undergoes a state change, the I/O framework calls the
303 * corresponding device contract entry point. For example, when a device
304 * is about to go OFFLINE, the routine contract_device_offline() is
305 * invoked. Similarly if a device moves to DEGRADED state, the routine
306 * contract_device_degrade() function is called. These functions call the
307 * core routine contract_device_publish(). This function determines via
308 * the function is_sync_neg() whether an event is a synchronous (i.e.
309 * negotiable) event or not. In the former case contract_device_publish()
310 * publishes a CTE_NEG event and then waits in wait_for_acks() for ACKs
311 * and/or NACKs from contract holders. In the latter case, it simply
312 * publishes the event and does not wait. In the negotiation case, ACKs or
313 * NACKs from userland consumers results in contract_device_ack_nack()
314 * being called where the result of the negotiation is recorded in the
315 * contract data structure. Once all outstanding contract owners have
316 * responded, the device contract code in wait_for_acks() determines the
317 * final result of the negotiation. A single NACK overrides all other ACKs
318 * If there is no NACK, then a single ACK will result in an overall ACK
319 * result. If there are no ACKs or NACKs, then the result CT_NONE is
320 * returned back to the I/O framework. Once the event is permitted or
321 * blocked, the I/O framework proceeds or aborts the state change. The
322 * I/O framework then calls contract_device_negend() with a result code
323 * indicating final disposition of the event. This call releases the
324 * barrier and other state associated with the previous negotiation,
325 * which permits the next event (if any) to come into the device contract
326 * framework.
327 *
328 * Finally, a device that has outstanding contracts may be removed from
329 * the system which results in its devinfo node being freed. The devinfo
330 * free routine in the I/O framework, calls into the device contract
331 * function - contract_device_remove_dip(). This routine, disassociates
332 * the dip from all contracts associated with the contract being freed,
333 * allowing the devinfo node to be freed.
334 *
335 * LOCKING
336 * ---------
337 * There are four sets of data that need to be protected by locks
338 *
339 * i) device contract specific portion of the contract template - This data
340 * is protected by the template lock ctmpl_lock.
341 *
342 * ii) device contract specific portion of the contract - This data is
343 * protected by the contract lock ct_lock
344 *
345 * iii) The linked list of contracts hanging off a devinfo node - This
346 * list is protected by the per-devinfo node lock devi_ct_lock
347 *
348 * iv) Finally there is a barrier, controlled by devi_ct_lock, devi_ct_cv
349 * and devi_ct_count that controls state changes to a dip
350 *
351 * The template lock is independent in that none of the other locks in this
352 * file may be taken while holding the template lock (and vice versa).
353 *
354 * The remaining three locks have the following lock order
355 *
356 * devi_ct_lock -> ct_count barrier -> ct_lock
357 *
358 */
359
360 static cont_device_t *contract_device_create(ctmpl_device_t *dtmpl, dev_t dev,
361 int spec_type, proc_t *owner, int *errorp);
362
363 /* barrier routines */
364 static void ct_barrier_acquire(dev_info_t *dip);
365 static void ct_barrier_release(dev_info_t *dip);
366 static int ct_barrier_held(dev_info_t *dip);
367 static int ct_barrier_empty(dev_info_t *dip);
368 static void ct_barrier_wait_for_release(dev_info_t *dip);
369 static int ct_barrier_wait_for_empty(dev_info_t *dip, int secs);
370 static void ct_barrier_decr(dev_info_t *dip);
371 static void ct_barrier_incr(dev_info_t *dip);
372
373 ct_type_t *device_type;
374
375 /*
376 * Macro predicates for determining when events should be sent and how.
377 */
378 #define EVSENDP(ctd, flag) \
379 ((ctd->cond_contract.ct_ev_info | ctd->cond_contract.ct_ev_crit) & flag)
380
381 #define EVINFOP(ctd, flag) \
382 ((ctd->cond_contract.ct_ev_crit & flag) == 0)
383
384 /*
385 * State transition table showing which transitions are synchronous and which
386 * are not.
387 */
388 struct ct_dev_negtable {
389 uint_t st_old;
390 uint_t st_new;
391 uint_t st_neg;
392 } ct_dev_negtable[] = {
393 {CT_DEV_EV_ONLINE, CT_DEV_EV_OFFLINE, 1},
394 {CT_DEV_EV_ONLINE, CT_DEV_EV_DEGRADED, 0},
395 {CT_DEV_EV_DEGRADED, CT_DEV_EV_ONLINE, 0},
396 {CT_DEV_EV_DEGRADED, CT_DEV_EV_OFFLINE, 1},
397 {0}
398 };
399
400 /*
401 * Device contract template implementation
402 */
403
404 /*
405 * ctmpl_device_dup
406 *
407 * The device contract template dup entry point.
408 * This simply copies all the fields (generic as well as device contract
409 * specific) fields of the original.
410 */
411 static struct ct_template *
412 ctmpl_device_dup(struct ct_template *template)
413 {
414 ctmpl_device_t *new;
415 ctmpl_device_t *old = template->ctmpl_data;
416 char *buf;
417 char *minor;
418
419 new = kmem_zalloc(sizeof (ctmpl_device_t), KM_SLEEP);
420 buf = kmem_alloc(MAXPATHLEN, KM_SLEEP);
421
422 /*
423 * copy generic fields.
424 * ctmpl_copy returns with old template lock held
425 */
426 ctmpl_copy(&new->ctd_ctmpl, template);
427
428 new->ctd_ctmpl.ctmpl_data = new;
429 new->ctd_aset = old->ctd_aset;
430 new->ctd_minor = NULL;
431 new->ctd_noneg = old->ctd_noneg;
432
433 if (old->ctd_minor) {
434 ASSERT(strlen(old->ctd_minor) + 1 <= MAXPATHLEN);
435 bcopy(old->ctd_minor, buf, strlen(old->ctd_minor) + 1);
436 } else {
437 kmem_free(buf, MAXPATHLEN);
438 buf = NULL;
439 }
440
441 mutex_exit(&template->ctmpl_lock);
442 if (buf) {
443 minor = i_ddi_strdup(buf, KM_SLEEP);
444 kmem_free(buf, MAXPATHLEN);
445 buf = NULL;
446 } else {
447 minor = NULL;
448 }
449 mutex_enter(&template->ctmpl_lock);
450
451 if (minor) {
452 new->ctd_minor = minor;
453 }
454
455 ASSERT(buf == NULL);
456 return (&new->ctd_ctmpl);
457 }
458
459 /*
460 * ctmpl_device_free
461 *
462 * The device contract template free entry point. Just
463 * frees the template.
464 */
465 static void
466 ctmpl_device_free(struct ct_template *template)
467 {
468 ctmpl_device_t *dtmpl = template->ctmpl_data;
469
470 if (dtmpl->ctd_minor)
471 kmem_free(dtmpl->ctd_minor, strlen(dtmpl->ctd_minor) + 1);
472
473 kmem_free(dtmpl, sizeof (ctmpl_device_t));
474 }
475
476 /*
477 * SAFE_EV is the set of events which a non-privileged process is
478 * allowed to make critical. An unprivileged device contract owner has
479 * no control over when a device changes state, so all device events
480 * can be in the critical set.
481 *
482 * EXCESS tells us if "value", a critical event set, requires
483 * additional privilege. For device contracts EXCESS currently
484 * evaluates to 0.
485 */
486 #define SAFE_EV (CT_DEV_ALLEVENT)
487 #define EXCESS(value) ((value) & ~SAFE_EV)
488
489
490 /*
491 * ctmpl_device_set
492 *
493 * The device contract template set entry point. Sets various terms in the
494 * template. The non-negotiable term can only be set if the process has
495 * the {PRIV_SYS_DEVICES} privilege asserted in its effective set.
496 */
497 static int
498 ctmpl_device_set(struct ct_template *tmpl, ct_kparam_t *kparam,
499 const cred_t *cr)
500 {
501 ctmpl_device_t *dtmpl = tmpl->ctmpl_data;
502 ct_param_t *param = &kparam->param;
503 int error;
504 dev_info_t *dip;
505 int spec_type;
506 uint64_t param_value;
507 char *str_value;
508
509 ASSERT(MUTEX_HELD(&tmpl->ctmpl_lock));
510
511 if (param->ctpm_id == CTDP_MINOR) {
512 str_value = (char *)kparam->ctpm_kbuf;
513 str_value[param->ctpm_size - 1] = '\0';
514 } else {
515 if (param->ctpm_size < sizeof (uint64_t))
516 return (EINVAL);
517 param_value = *(uint64_t *)kparam->ctpm_kbuf;
518 }
519
520 switch (param->ctpm_id) {
521 case CTDP_ACCEPT:
522 if (param_value & ~CT_DEV_ALLEVENT)
523 return (EINVAL);
524 if (param_value == 0)
525 return (EINVAL);
526 if (param_value == CT_DEV_ALLEVENT)
527 return (EINVAL);
528
529 dtmpl->ctd_aset = param_value;
530 break;
531 case CTDP_NONEG:
532 if (param_value != CTDP_NONEG_SET &&
533 param_value != CTDP_NONEG_CLEAR)
534 return (EINVAL);
535
536 /*
537 * only privileged processes can designate a contract
538 * non-negotiatble.
539 */
540 if (param_value == CTDP_NONEG_SET &&
541 (error = secpolicy_sys_devices(cr)) != 0) {
542 return (error);
543 }
544
545 dtmpl->ctd_noneg = param_value;
546 break;
547
548 case CTDP_MINOR:
549 if (*str_value != '/' ||
550 strncmp(str_value, "/devices/",
551 strlen("/devices/")) == 0 ||
552 strstr(str_value, "../devices/") != NULL ||
553 strchr(str_value, ':') == NULL) {
554 return (EINVAL);
555 }
556
557 spec_type = 0;
558 dip = NULL;
559 if (resolve_pathname(str_value, &dip, NULL, &spec_type) != 0) {
560 return (ERANGE);
561 }
562 ddi_release_devi(dip);
563
564 if (spec_type != S_IFCHR && spec_type != S_IFBLK) {
565 return (EINVAL);
566 }
567
568 if (dtmpl->ctd_minor != NULL) {
569 kmem_free(dtmpl->ctd_minor,
570 strlen(dtmpl->ctd_minor) + 1);
571 }
572 dtmpl->ctd_minor = i_ddi_strdup(str_value, KM_SLEEP);
573 break;
574 case CTP_EV_CRITICAL:
575 /*
576 * Currently for device contracts, any event
577 * may be added to the critical set. We retain the
578 * following code however for future enhancements.
579 */
580 if (EXCESS(param_value) &&
581 (error = secpolicy_contract_event(cr)) != 0)
582 return (error);
583 tmpl->ctmpl_ev_crit = param_value;
584 break;
585 default:
586 return (EINVAL);
587 }
588
589 return (0);
590 }
591
592 /*
593 * ctmpl_device_get
594 *
595 * The device contract template get entry point. Simply fetches and
596 * returns the value of the requested term.
597 */
598 static int
599 ctmpl_device_get(struct ct_template *template, ct_kparam_t *kparam)
600 {
601 ctmpl_device_t *dtmpl = template->ctmpl_data;
602 ct_param_t *param = &kparam->param;
603 uint64_t *param_value = kparam->ctpm_kbuf;
604
605 ASSERT(MUTEX_HELD(&template->ctmpl_lock));
606
607 if (param->ctpm_id == CTDP_ACCEPT ||
608 param->ctpm_id == CTDP_NONEG) {
609 if (param->ctpm_size < sizeof (uint64_t))
610 return (EINVAL);
611 kparam->ret_size = sizeof (uint64_t);
612 }
613
614 switch (param->ctpm_id) {
615 case CTDP_ACCEPT:
616 *param_value = dtmpl->ctd_aset;
617 break;
618 case CTDP_NONEG:
619 *param_value = dtmpl->ctd_noneg;
620 break;
621 case CTDP_MINOR:
622 if (dtmpl->ctd_minor) {
623 kparam->ret_size = strlcpy((char *)kparam->ctpm_kbuf,
624 dtmpl->ctd_minor, param->ctpm_size);
625 kparam->ret_size++;
626 } else {
627 return (ENOENT);
628 }
629 break;
630 default:
631 return (EINVAL);
632 }
633
634 return (0);
635 }
636
637 /*
638 * Device contract type specific portion of creating a contract using
639 * a specified template
640 */
641 /*ARGSUSED*/
642 int
643 ctmpl_device_create(ct_template_t *template, ctid_t *ctidp)
644 {
645 ctmpl_device_t *dtmpl;
646 char *buf;
647 dev_t dev;
648 int spec_type;
649 int error;
650 cont_device_t *ctd;
651
652 if (ctidp == NULL)
653 return (EINVAL);
654
655 buf = kmem_alloc(MAXPATHLEN, KM_SLEEP);
656
657 dtmpl = template->ctmpl_data;
658
659 mutex_enter(&template->ctmpl_lock);
660 if (dtmpl->ctd_minor == NULL) {
661 /* incomplete template */
662 mutex_exit(&template->ctmpl_lock);
663 kmem_free(buf, MAXPATHLEN);
664 return (EINVAL);
665 } else {
666 ASSERT(strlen(dtmpl->ctd_minor) < MAXPATHLEN);
667 bcopy(dtmpl->ctd_minor, buf, strlen(dtmpl->ctd_minor) + 1);
668 }
669 mutex_exit(&template->ctmpl_lock);
670
671 spec_type = 0;
672 dev = NODEV;
673 if (resolve_pathname(buf, NULL, &dev, &spec_type) != 0 ||
674 dev == NODEV || dev == DDI_DEV_T_ANY || dev == DDI_DEV_T_NONE ||
675 (spec_type != S_IFCHR && spec_type != S_IFBLK)) {
676 CT_DEBUG((CE_WARN,
677 "tmpl_create: failed to find device: %s", buf));
678 kmem_free(buf, MAXPATHLEN);
679 return (ERANGE);
680 }
681 kmem_free(buf, MAXPATHLEN);
682
683 ctd = contract_device_create(template->ctmpl_data,
684 dev, spec_type, curproc, &error);
685
686 if (ctd == NULL) {
687 CT_DEBUG((CE_WARN, "Failed to create device contract for "
688 "process (%d) with device (devt = %lu, spec_type = %s)",
689 curproc->p_pid, dev,
690 spec_type == S_IFCHR ? "S_IFCHR" : "S_IFBLK"));
691 return (error);
692 }
693
694 mutex_enter(&ctd->cond_contract.ct_lock);
695 *ctidp = ctd->cond_contract.ct_id;
696 mutex_exit(&ctd->cond_contract.ct_lock);
697
698 return (0);
699 }
700
701 /*
702 * Device contract specific template entry points
703 */
704 static ctmplops_t ctmpl_device_ops = {
705 ctmpl_device_dup, /* ctop_dup */
706 ctmpl_device_free, /* ctop_free */
707 ctmpl_device_set, /* ctop_set */
708 ctmpl_device_get, /* ctop_get */
709 ctmpl_device_create, /* ctop_create */
710 CT_DEV_ALLEVENT /* all device events bitmask */
711 };
712
713
714 /*
715 * Device contract implementation
716 */
717
718 /*
719 * contract_device_default
720 *
721 * The device contract default template entry point. Creates a
722 * device contract template with a default A-set and no "noneg" ,
723 * with informative degrade events and critical offline events.
724 * There is no default minor path.
725 */
726 static ct_template_t *
727 contract_device_default(void)
728 {
729 ctmpl_device_t *new;
730
731 new = kmem_zalloc(sizeof (ctmpl_device_t), KM_SLEEP);
732 ctmpl_init(&new->ctd_ctmpl, &ctmpl_device_ops, device_type, new);
733
734 new->ctd_aset = CT_DEV_EV_ONLINE | CT_DEV_EV_DEGRADED;
735 new->ctd_noneg = 0;
736 new->ctd_ctmpl.ctmpl_ev_info = CT_DEV_EV_DEGRADED;
737 new->ctd_ctmpl.ctmpl_ev_crit = CT_DEV_EV_OFFLINE;
738
739 return (&new->ctd_ctmpl);
740 }
741
742 /*
743 * contract_device_free
744 *
745 * Destroys the device contract specific portion of a contract and
746 * frees the contract.
747 */
748 static void
749 contract_device_free(contract_t *ct)
750 {
751 cont_device_t *ctd = ct->ct_data;
752
753 ASSERT(ctd->cond_minor);
754 ASSERT(strlen(ctd->cond_minor) < MAXPATHLEN);
755 kmem_free(ctd->cond_minor, strlen(ctd->cond_minor) + 1);
756
757 ASSERT(ctd->cond_devt != DDI_DEV_T_ANY &&
758 ctd->cond_devt != DDI_DEV_T_NONE && ctd->cond_devt != NODEV);
759
760 ASSERT(ctd->cond_spec == S_IFBLK || ctd->cond_spec == S_IFCHR);
761
762 ASSERT(!(ctd->cond_aset & ~CT_DEV_ALLEVENT));
763 ASSERT(ctd->cond_noneg == 0 || ctd->cond_noneg == 1);
764
765 ASSERT(!(ctd->cond_currev_type & ~CT_DEV_ALLEVENT));
766 ASSERT(!(ctd->cond_currev_ack & ~(CT_ACK | CT_NACK)));
767
768 ASSERT((ctd->cond_currev_id > 0) ^ (ctd->cond_currev_type == 0));
769 ASSERT((ctd->cond_currev_id > 0) || (ctd->cond_currev_ack == 0));
770
771 ASSERT(!list_link_active(&ctd->cond_next));
772
773 kmem_free(ctd, sizeof (cont_device_t));
774 }
775
776 /*
777 * contract_device_abandon
778 *
779 * The device contract abandon entry point.
780 */
781 static void
782 contract_device_abandon(contract_t *ct)
783 {
784 ASSERT(MUTEX_HELD(&ct->ct_lock));
785
786 /*
787 * device contracts cannot be inherited or orphaned.
788 * Move the contract to the DEAD_STATE. It will be freed
789 * once all references to it are gone.
790 */
791 contract_destroy(ct);
792 }
793
794 /*
795 * contract_device_destroy
796 *
797 * The device contract destroy entry point.
798 * Called from contract_destroy() to do any type specific destroy. Note
799 * that destroy is a misnomer - this does not free the contract, it only
800 * moves it to the dead state. A contract is actually freed via
801 * contract_rele() -> contract_dtor(), contop_free()
802 */
803 static void
804 contract_device_destroy(contract_t *ct)
805 {
806 cont_device_t *ctd;
807 dev_info_t *dip;
808
809 ASSERT(MUTEX_HELD(&ct->ct_lock));
810
811 for (;;) {
812 ctd = ct->ct_data;
813 dip = ctd->cond_dip;
814 if (dip == NULL) {
815 /*
816 * The dip has been removed, this is a dangling contract
817 * Check that dip linkages are NULL
818 */
819 ASSERT(!list_link_active(&ctd->cond_next));
820 CT_DEBUG((CE_NOTE, "contract_device_destroy:"
821 " contract has no devinfo node. contract ctid : %d",
822 ct->ct_id));
823 return;
824 }
825
826 /*
827 * The intended lock order is : devi_ct_lock -> ct_count
828 * barrier -> ct_lock.
829 * However we can't do this here as dropping the ct_lock allows
830 * a race condition with i_ddi_free_node()/
831 * contract_device_remove_dip() which may free off dip before
832 * we can take devi_ct_lock. So use mutex_tryenter to avoid
833 * dropping ct_lock until we have acquired devi_ct_lock.
834 */
835 if (mutex_tryenter(&(DEVI(dip)->devi_ct_lock)) != 0)
836 break;
837 mutex_exit(&ct->ct_lock);
838 delay(drv_usectohz(1000));
839 mutex_enter(&ct->ct_lock);
840 }
841 mutex_exit(&ct->ct_lock);
842
843 /*
844 * Waiting for the barrier to be released is strictly speaking not
845 * necessary. But it simplifies the implementation of
846 * contract_device_publish() by establishing the invariant that
847 * device contracts cannot go away during negotiation.
848 */
849 ct_barrier_wait_for_release(dip);
850 mutex_enter(&ct->ct_lock);
851
852 list_remove(&(DEVI(dip)->devi_ct), ctd);
853 ctd->cond_dip = NULL; /* no longer linked to dip */
854 contract_rele(ct); /* remove hold for dip linkage */
855
856 mutex_exit(&ct->ct_lock);
857 mutex_exit(&(DEVI(dip)->devi_ct_lock));
858 mutex_enter(&ct->ct_lock);
859 }
860
861 /*
862 * contract_device_status
863 *
864 * The device contract status entry point. Called when level of "detail"
865 * is either CTD_FIXED or CTD_ALL
866 *
867 */
868 static void
869 contract_device_status(contract_t *ct, zone_t *zone, int detail, nvlist_t *nvl,
870 void *status, model_t model)
871 {
872 cont_device_t *ctd = ct->ct_data;
873
874 ASSERT(detail == CTD_FIXED || detail == CTD_ALL);
875
876 mutex_enter(&ct->ct_lock);
877 contract_status_common(ct, zone, status, model);
878
879 /*
880 * There's no need to hold the contract lock while accessing static
881 * data like aset or noneg. But since we need the lock to access other
882 * data like state, we hold it anyway.
883 */
884 VERIFY(nvlist_add_uint32(nvl, CTDS_STATE, ctd->cond_state) == 0);
885 VERIFY(nvlist_add_uint32(nvl, CTDS_ASET, ctd->cond_aset) == 0);
886 VERIFY(nvlist_add_uint32(nvl, CTDS_NONEG, ctd->cond_noneg) == 0);
887
888 if (detail == CTD_FIXED) {
889 mutex_exit(&ct->ct_lock);
890 return;
891 }
892
893 ASSERT(ctd->cond_minor);
894 VERIFY(nvlist_add_string(nvl, CTDS_MINOR, ctd->cond_minor) == 0);
895
896 mutex_exit(&ct->ct_lock);
897 }
898
899 /*
900 * Converts a result integer into the corresponding string. Used for printing
901 * messages
902 */
903 static char *
904 result_str(uint_t result)
905 {
906 switch (result) {
907 case CT_ACK:
908 return ("CT_ACK");
909 case CT_NACK:
910 return ("CT_NACK");
911 case CT_NONE:
912 return ("CT_NONE");
913 default:
914 return ("UNKNOWN");
915 }
916 }
917
918 /*
919 * Converts a device state integer constant into the corresponding string.
920 * Used to print messages.
921 */
922 static char *
923 state_str(uint_t state)
924 {
925 switch (state) {
926 case CT_DEV_EV_ONLINE:
927 return ("ONLINE");
928 case CT_DEV_EV_DEGRADED:
929 return ("DEGRADED");
930 case CT_DEV_EV_OFFLINE:
931 return ("OFFLINE");
932 default:
933 return ("UNKNOWN");
934 }
935 }
936
937 /*
938 * Routine that determines if a particular CT_DEV_EV_? event corresponds to a
939 * synchronous state change or not.
940 */
941 static int
942 is_sync_neg(uint_t old, uint_t new)
943 {
944 int i;
945
946 ASSERT(old & CT_DEV_ALLEVENT);
947 ASSERT(new & CT_DEV_ALLEVENT);
948
949 if (old == new) {
950 CT_DEBUG((CE_WARN, "is_sync_neg: transition to same state: %s",
951 state_str(new)));
952 return (-2);
953 }
954
955 for (i = 0; ct_dev_negtable[i].st_new != 0; i++) {
956 if (old == ct_dev_negtable[i].st_old &&
957 new == ct_dev_negtable[i].st_new) {
958 return (ct_dev_negtable[i].st_neg);
959 }
960 }
961
962 CT_DEBUG((CE_WARN, "is_sync_neg: Unsupported state transition: "
963 "old = %s -> new = %s", state_str(old), state_str(new)));
964
965 return (-1);
966 }
967
968 /*
969 * Used to cleanup cached dv_nodes so that when a device is released by
970 * a contract holder, its devinfo node can be successfully detached.
971 */
972 static int
973 contract_device_dvclean(dev_info_t *dip)
974 {
975 char *devnm;
976 dev_info_t *pdip;
977
978 ASSERT(dip);
979
980 /* pdip can be NULL if we have contracts against the root dip */
981 pdip = ddi_get_parent(dip);
982
983 if (pdip && DEVI_BUSY_OWNED(pdip) || !pdip && DEVI_BUSY_OWNED(dip)) {
984 char *path;
985
986 path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
987 (void) ddi_pathname(dip, path);
988 CT_DEBUG((CE_WARN, "ct_dv_clean: Parent node is busy owned, "
989 "device=%s", path));
990 kmem_free(path, MAXPATHLEN);
991 return (EDEADLOCK);
992 }
993
994 if (pdip) {
995 devnm = kmem_alloc(MAXNAMELEN + 1, KM_SLEEP);
996 (void) ddi_deviname(dip, devnm);
997 (void) devfs_clean(pdip, devnm + 1, DV_CLEAN_FORCE);
998 kmem_free(devnm, MAXNAMELEN + 1);
999 } else {
1000 (void) devfs_clean(dip, NULL, DV_CLEAN_FORCE);
1001 }
1002
1003 return (0);
1004 }
1005
1006 /*
1007 * Endpoint of a ct_ctl_ack() or ct_ctl_nack() call from userland.
1008 * Results in the ACK or NACK being recorded on the dip for one particular
1009 * contract. The device contracts framework evaluates the ACK/NACKs for all
1010 * contracts against a device to determine if a particular device state change
1011 * should be allowed.
1012 */
1013 static int
1014 contract_device_ack_nack(contract_t *ct, uint_t evtype, uint64_t evid,
1015 uint_t cmd)
1016 {
1017 cont_device_t *ctd = ct->ct_data;
1018 dev_info_t *dip;
1019 ctid_t ctid;
1020 int error;
1021
1022 ctid = ct->ct_id;
1023
1024 CT_DEBUG((CE_NOTE, "ack_nack: entered: ctid %d", ctid));
1025
1026 mutex_enter(&ct->ct_lock);
1027 CT_DEBUG((CE_NOTE, "ack_nack: contract lock acquired: %d", ctid));
1028
1029 dip = ctd->cond_dip;
1030
1031 ASSERT(ctd->cond_minor);
1032 ASSERT(strlen(ctd->cond_minor) < MAXPATHLEN);
1033
1034 /*
1035 * Negotiation only if new state is not in A-set
1036 */
1037 ASSERT(!(ctd->cond_aset & evtype));
1038
1039 /*
1040 * Negotiation only if transition is synchronous
1041 */
1042 ASSERT(is_sync_neg(ctd->cond_state, evtype));
1043
1044 /*
1045 * We shouldn't be negotiating if the "noneg" flag is set
1046 */
1047 ASSERT(!ctd->cond_noneg);
1048
1049 if (dip)
1050 ndi_hold_devi(dip);
1051
1052 mutex_exit(&ct->ct_lock);
1053
1054 /*
1055 * dv_clean only if !NACK and offline state change
1056 */
1057 if (cmd != CT_NACK && evtype == CT_DEV_EV_OFFLINE && dip) {
1058 CT_DEBUG((CE_NOTE, "ack_nack: dv_clean: %d", ctid));
1059 error = contract_device_dvclean(dip);
1060 if (error != 0) {
1061 CT_DEBUG((CE_NOTE, "ack_nack: dv_clean: failed: %d",
1062 ctid));
1063 ddi_release_devi(dip);
1064 }
1065 }
1066
1067 mutex_enter(&ct->ct_lock);
1068
1069 if (dip)
1070 ddi_release_devi(dip);
1071
1072 if (dip == NULL) {
1073 if (ctd->cond_currev_id != evid) {
1074 CT_DEBUG((CE_WARN, "%sACK for non-current event "
1075 "(type=%s, id=%llu) on removed device",
1076 cmd == CT_NACK ? "N" : "",
1077 state_str(evtype), (unsigned long long)evid));
1078 CT_DEBUG((CE_NOTE, "ack_nack: error: ESRCH, ctid: %d",
1079 ctid));
1080 } else {
1081 ASSERT(ctd->cond_currev_type == evtype);
1082 CT_DEBUG((CE_WARN, "contract_ack: no such device: "
1083 "ctid: %d", ctid));
1084 }
1085 error = (ct->ct_state == CTS_DEAD) ? ESRCH :
1086 ((cmd == CT_NACK) ? ETIMEDOUT : 0);
1087 mutex_exit(&ct->ct_lock);
1088 return (error);
1089 }
1090
1091 /*
1092 * Must follow lock order: devi_ct_lock -> ct_count barrier - >ct_lock
1093 */
1094 mutex_exit(&ct->ct_lock);
1095
1096 mutex_enter(&DEVI(dip)->devi_ct_lock);
1097 mutex_enter(&ct->ct_lock);
1098 if (ctd->cond_currev_id != evid) {
1099 char *buf;
1100 mutex_exit(&ct->ct_lock);
1101 mutex_exit(&DEVI(dip)->devi_ct_lock);
1102 ndi_hold_devi(dip);
1103 buf = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1104 (void) ddi_pathname(dip, buf);
1105 ddi_release_devi(dip);
1106 CT_DEBUG((CE_WARN, "%sACK for non-current event"
1107 "(type=%s, id=%llu) on device %s",
1108 cmd == CT_NACK ? "N" : "",
1109 state_str(evtype), (unsigned long long)evid, buf));
1110 kmem_free(buf, MAXPATHLEN);
1111 CT_DEBUG((CE_NOTE, "ack_nack: error: %d, ctid: %d",
1112 cmd == CT_NACK ? ETIMEDOUT : 0, ctid));
1113 return (cmd == CT_ACK ? 0 : ETIMEDOUT);
1114 }
1115
1116 ASSERT(ctd->cond_currev_type == evtype);
1117 ASSERT(cmd == CT_ACK || cmd == CT_NACK);
1118
1119 CT_DEBUG((CE_NOTE, "ack_nack: setting %sACK for ctid: %d",
1120 cmd == CT_NACK ? "N" : "", ctid));
1121
1122 ctd->cond_currev_ack = cmd;
1123 mutex_exit(&ct->ct_lock);
1124
1125 ct_barrier_decr(dip);
1126 mutex_exit(&DEVI(dip)->devi_ct_lock);
1127
1128 CT_DEBUG((CE_NOTE, "ack_nack: normal exit: ctid: %d", ctid));
1129
1130 return (0);
1131 }
1132
1133 /*
1134 * Invoked when a userland contract holder approves (i.e. ACKs) a state change
1135 */
1136 static int
1137 contract_device_ack(contract_t *ct, uint_t evtype, uint64_t evid)
1138 {
1139 return (contract_device_ack_nack(ct, evtype, evid, CT_ACK));
1140 }
1141
1142 /*
1143 * Invoked when a userland contract holder blocks (i.e. NACKs) a state change
1144 */
1145 static int
1146 contract_device_nack(contract_t *ct, uint_t evtype, uint64_t evid)
1147 {
1148 return (contract_device_ack_nack(ct, evtype, evid, CT_NACK));
1149 }
1150
1151 /*
1152 * Creates a new contract synchronously with the breaking of an existing
1153 * contract. Currently not supported.
1154 */
1155 /*ARGSUSED*/
1156 static int
1157 contract_device_newct(contract_t *ct)
1158 {
1159 return (ENOTSUP);
1160 }
1161
1162 /*
1163 * Core device contract implementation entry points
1164 */
1165 static contops_t contract_device_ops = {
1166 contract_device_free, /* contop_free */
1167 contract_device_abandon, /* contop_abandon */
1168 contract_device_destroy, /* contop_destroy */
1169 contract_device_status, /* contop_status */
1170 contract_device_ack, /* contop_ack */
1171 contract_device_nack, /* contop_nack */
1172 contract_qack_notsup, /* contop_qack */
1173 contract_device_newct /* contop_newct */
1174 };
1175
1176 /*
1177 * contract_device_init
1178 *
1179 * Initializes the device contract type.
1180 */
1181 void
1182 contract_device_init(void)
1183 {
1184 device_type = contract_type_init(CTT_DEVICE, "device",
1185 &contract_device_ops, contract_device_default);
1186 }
1187
1188 /*
1189 * contract_device_create
1190 *
1191 * create a device contract given template "tmpl" and the "owner" process.
1192 * May fail and return NULL if project.max-contracts would have been exceeded.
1193 *
1194 * Common device contract creation routine called for both open-time and
1195 * non-open time device contract creation
1196 */
1197 static cont_device_t *
1198 contract_device_create(ctmpl_device_t *dtmpl, dev_t dev, int spec_type,
1199 proc_t *owner, int *errorp)
1200 {
1201 cont_device_t *ctd;
1202 char *minor;
1203 char *path;
1204 dev_info_t *dip;
1205
1206 ASSERT(dtmpl != NULL);
1207 ASSERT(dev != NODEV && dev != DDI_DEV_T_ANY && dev != DDI_DEV_T_NONE);
1208 ASSERT(spec_type == S_IFCHR || spec_type == S_IFBLK);
1209 ASSERT(errorp);
1210
1211 *errorp = 0;
1212
1213 path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1214
1215 mutex_enter(&dtmpl->ctd_ctmpl.ctmpl_lock);
1216 ASSERT(strlen(dtmpl->ctd_minor) < MAXPATHLEN);
1217 bcopy(dtmpl->ctd_minor, path, strlen(dtmpl->ctd_minor) + 1);
1218 mutex_exit(&dtmpl->ctd_ctmpl.ctmpl_lock);
1219
1220 dip = e_ddi_hold_devi_by_path(path, 0);
1221 if (dip == NULL) {
1222 cmn_err(CE_WARN, "contract_create: Cannot find devinfo node "
1223 "for device path (%s)", path);
1224 kmem_free(path, MAXPATHLEN);
1225 *errorp = ERANGE;
1226 return (NULL);
1227 }
1228
1229 /*
1230 * Lock out any parallel contract negotiations
1231 */
1232 mutex_enter(&(DEVI(dip)->devi_ct_lock));
1233 ct_barrier_acquire(dip);
1234 mutex_exit(&(DEVI(dip)->devi_ct_lock));
1235
1236 minor = i_ddi_strdup(path, KM_SLEEP);
1237 kmem_free(path, MAXPATHLEN);
1238
1239 (void) contract_type_pbundle(device_type, owner);
1240
1241 ctd = kmem_zalloc(sizeof (cont_device_t), KM_SLEEP);
1242
1243 /*
1244 * Only we hold a refernce to this contract. Safe to access
1245 * the fields without a ct_lock
1246 */
1247 ctd->cond_minor = minor;
1248 /*
1249 * It is safe to set the dip pointer in the contract
1250 * as the contract will always be destroyed before the dip
1251 * is released
1252 */
1253 ctd->cond_dip = dip;
1254 ctd->cond_devt = dev;
1255 ctd->cond_spec = spec_type;
1256
1257 /*
1258 * Since we are able to lookup the device, it is either
1259 * online or degraded
1260 */
1261 ctd->cond_state = DEVI_IS_DEVICE_DEGRADED(dip) ?
1262 CT_DEV_EV_DEGRADED : CT_DEV_EV_ONLINE;
1263
1264 mutex_enter(&dtmpl->ctd_ctmpl.ctmpl_lock);
1265 ctd->cond_aset = dtmpl->ctd_aset;
1266 ctd->cond_noneg = dtmpl->ctd_noneg;
1267
1268 /*
1269 * contract_ctor() initailizes the common portion of a contract
1270 * contract_dtor() destroys the common portion of a contract
1271 */
1272 if (contract_ctor(&ctd->cond_contract, device_type, &dtmpl->ctd_ctmpl,
1273 ctd, 0, owner, B_TRUE)) {
1274 mutex_exit(&dtmpl->ctd_ctmpl.ctmpl_lock);
1275 /*
1276 * contract_device_free() destroys the type specific
1277 * portion of a contract and frees the contract.
1278 * The "minor" path and "cred" is a part of the type specific
1279 * portion of the contract and will be freed by
1280 * contract_device_free()
1281 */
1282 contract_device_free(&ctd->cond_contract);
1283
1284 /* release barrier */
1285 mutex_enter(&(DEVI(dip)->devi_ct_lock));
1286 ct_barrier_release(dip);
1287 mutex_exit(&(DEVI(dip)->devi_ct_lock));
1288
1289 ddi_release_devi(dip);
1290 *errorp = EAGAIN;
1291 return (NULL);
1292 }
1293 mutex_exit(&dtmpl->ctd_ctmpl.ctmpl_lock);
1294
1295 mutex_enter(&ctd->cond_contract.ct_lock);
1296 ctd->cond_contract.ct_ntime.ctm_total = CT_DEV_ACKTIME;
1297 ctd->cond_contract.ct_qtime.ctm_total = CT_DEV_ACKTIME;
1298 ctd->cond_contract.ct_ntime.ctm_start = -1;
1299 ctd->cond_contract.ct_qtime.ctm_start = -1;
1300 mutex_exit(&ctd->cond_contract.ct_lock);
1301
1302 /*
1303 * Insert device contract into list hanging off the dip
1304 * Bump up the ref-count on the contract to reflect this
1305 */
1306 contract_hold(&ctd->cond_contract);
1307 mutex_enter(&(DEVI(dip)->devi_ct_lock));
1308 list_insert_tail(&(DEVI(dip)->devi_ct), ctd);
1309
1310 /* release barrier */
1311 ct_barrier_release(dip);
1312 mutex_exit(&(DEVI(dip)->devi_ct_lock));
1313
1314 ddi_release_devi(dip);
1315
1316 return (ctd);
1317 }
1318
1319 /*
1320 * Called when a device is successfully opened to create an open-time contract
1321 * i.e. synchronously with a device open.
1322 */
1323 int
1324 contract_device_open(dev_t dev, int spec_type, contract_t **ctpp)
1325 {
1326 ctmpl_device_t *dtmpl;
1327 ct_template_t *tmpl;
1328 cont_device_t *ctd;
1329 char *path;
1330 klwp_t *lwp;
1331 int error;
1332
1333 if (ctpp)
1334 *ctpp = NULL;
1335
1336 /*
1337 * Check if we are in user-context i.e. if we have an lwp
1338 */
1339 lwp = ttolwp(curthread);
1340 if (lwp == NULL) {
1341 CT_DEBUG((CE_NOTE, "contract_open: Not user-context"));
1342 return (0);
1343 }
1344
1345 tmpl = ctmpl_dup(lwp->lwp_ct_active[device_type->ct_type_index]);
1346 if (tmpl == NULL) {
1347 return (0);
1348 }
1349 dtmpl = tmpl->ctmpl_data;
1350
1351 /*
1352 * If the user set a minor path in the template before an open,
1353 * ignore it. We use the minor path of the actual minor opened.
1354 */
1355 mutex_enter(&tmpl->ctmpl_lock);
1356 if (dtmpl->ctd_minor != NULL) {
1357 CT_DEBUG((CE_NOTE, "contract_device_open(): Process %d: "
1358 "ignoring device minor path in active template: %s",
1359 curproc->p_pid, dtmpl->ctd_minor));
1360 /*
1361 * This is a copy of the actual activated template.
1362 * Safe to make changes such as freeing the minor
1363 * path in the template.
1364 */
1365 kmem_free(dtmpl->ctd_minor, strlen(dtmpl->ctd_minor) + 1);
1366 dtmpl->ctd_minor = NULL;
1367 }
1368 mutex_exit(&tmpl->ctmpl_lock);
1369
1370 path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1371
1372 if (ddi_dev_pathname(dev, spec_type, path) != DDI_SUCCESS) {
1373 CT_DEBUG((CE_NOTE, "contract_device_open(): Failed to derive "
1374 "minor path from dev_t,spec {%lu, %d} for process (%d)",
1375 dev, spec_type, curproc->p_pid));
1376 ctmpl_free(tmpl);
1377 kmem_free(path, MAXPATHLEN);
1378 return (1);
1379 }
1380
1381 mutex_enter(&tmpl->ctmpl_lock);
1382 ASSERT(dtmpl->ctd_minor == NULL);
1383 dtmpl->ctd_minor = path;
1384 mutex_exit(&tmpl->ctmpl_lock);
1385
1386 ctd = contract_device_create(dtmpl, dev, spec_type, curproc, &error);
1387
1388 mutex_enter(&tmpl->ctmpl_lock);
1389 ASSERT(dtmpl->ctd_minor);
1390 dtmpl->ctd_minor = NULL;
1391 mutex_exit(&tmpl->ctmpl_lock);
1392 ctmpl_free(tmpl);
1393 kmem_free(path, MAXPATHLEN);
1394
1395 if (ctd == NULL) {
1396 cmn_err(CE_NOTE, "contract_device_open(): Failed to "
1397 "create device contract for process (%d) holding "
1398 "device (devt = %lu, spec_type = %d)",
1399 curproc->p_pid, dev, spec_type);
1400 return (1);
1401 }
1402
1403 if (ctpp) {
1404 mutex_enter(&ctd->cond_contract.ct_lock);
1405 *ctpp = &ctd->cond_contract;
1406 mutex_exit(&ctd->cond_contract.ct_lock);
1407 }
1408 return (0);
1409 }
1410
1411 /*
1412 * Called during contract negotiation by the device contract framework to wait
1413 * for ACKs or NACKs from contract holders. If all responses are not received
1414 * before a specified timeout, this routine times out.
1415 */
1416 static uint_t
1417 wait_for_acks(dev_info_t *dip, dev_t dev, int spec_type, uint_t evtype)
1418 {
1419 cont_device_t *ctd;
1420 int timed_out = 0;
1421 int result = CT_NONE;
1422 int ack;
1423 char *f = "wait_for_acks";
1424
1425 ASSERT(MUTEX_HELD(&(DEVI(dip)->devi_ct_lock)));
1426 ASSERT(dip);
1427 ASSERT(evtype & CT_DEV_ALLEVENT);
1428 ASSERT(dev != NODEV && dev != DDI_DEV_T_NONE);
1429 ASSERT((dev == DDI_DEV_T_ANY && spec_type == 0) ||
1430 (spec_type == S_IFBLK || spec_type == S_IFCHR));
1431
1432 CT_DEBUG((CE_NOTE, "%s: entered: dip: %p", f, (void *)dip));
1433
1434 if (ct_barrier_wait_for_empty(dip, CT_DEV_ACKTIME) == -1) {
1435 /*
1436 * some contract owner(s) didn't respond in time
1437 */
1438 CT_DEBUG((CE_NOTE, "%s: timed out: %p", f, (void *)dip));
1439 timed_out = 1;
1440 }
1441
1442 ack = 0;
1443 for (ctd = list_head(&(DEVI(dip)->devi_ct)); ctd != NULL;
1444 ctd = list_next(&(DEVI(dip)->devi_ct), ctd)) {
1445
1446 mutex_enter(&ctd->cond_contract.ct_lock);
1447
1448 ASSERT(ctd->cond_dip == dip);
1449
1450 if (dev != DDI_DEV_T_ANY && dev != ctd->cond_devt) {
1451 mutex_exit(&ctd->cond_contract.ct_lock);
1452 continue;
1453 }
1454 if (dev != DDI_DEV_T_ANY && spec_type != ctd->cond_spec) {
1455 mutex_exit(&ctd->cond_contract.ct_lock);
1456 continue;
1457 }
1458
1459 /* skip if non-negotiable contract */
1460 if (ctd->cond_noneg) {
1461 mutex_exit(&ctd->cond_contract.ct_lock);
1462 continue;
1463 }
1464
1465 ASSERT(ctd->cond_currev_type == evtype);
1466 if (ctd->cond_currev_ack == CT_NACK) {
1467 CT_DEBUG((CE_NOTE, "%s: found a NACK,result = NACK: %p",
1468 f, (void *)dip));
1469 mutex_exit(&ctd->cond_contract.ct_lock);
1470 return (CT_NACK);
1471 } else if (ctd->cond_currev_ack == CT_ACK) {
1472 ack = 1;
1473 CT_DEBUG((CE_NOTE, "%s: found a ACK: %p",
1474 f, (void *)dip));
1475 }
1476 mutex_exit(&ctd->cond_contract.ct_lock);
1477 }
1478
1479 if (ack) {
1480 result = CT_ACK;
1481 CT_DEBUG((CE_NOTE, "%s: result = ACK, dip=%p", f, (void *)dip));
1482 } else if (timed_out) {
1483 result = CT_NONE;
1484 CT_DEBUG((CE_NOTE, "%s: result = NONE (timed-out), dip=%p",
1485 f, (void *)dip));
1486 } else {
1487 CT_DEBUG((CE_NOTE, "%s: result = NONE, dip=%p",
1488 f, (void *)dip));
1489 }
1490
1491
1492 return (result);
1493 }
1494
1495 /*
1496 * Determines the current state of a device (i.e a devinfo node
1497 */
1498 static int
1499 get_state(dev_info_t *dip)
1500 {
1501 if (DEVI_IS_DEVICE_OFFLINE(dip) || DEVI_IS_DEVICE_DOWN(dip))
1502 return (CT_DEV_EV_OFFLINE);
1503 else if (DEVI_IS_DEVICE_DEGRADED(dip))
1504 return (CT_DEV_EV_DEGRADED);
1505 else
1506 return (CT_DEV_EV_ONLINE);
1507 }
1508
1509 /*
1510 * Sets the current state of a device in a device contract
1511 */
1512 static void
1513 set_cond_state(dev_info_t *dip)
1514 {
1515 uint_t state = get_state(dip);
1516 cont_device_t *ctd;
1517
1518 /* verify that barrier is held */
1519 ASSERT(ct_barrier_held(dip));
1520
1521 for (ctd = list_head(&(DEVI(dip)->devi_ct)); ctd != NULL;
1522 ctd = list_next(&(DEVI(dip)->devi_ct), ctd)) {
1523 mutex_enter(&ctd->cond_contract.ct_lock);
1524 ASSERT(ctd->cond_dip == dip);
1525 ctd->cond_state = state;
1526 mutex_exit(&ctd->cond_contract.ct_lock);
1527 }
1528 }
1529
1530 /*
1531 * Core routine called by event-specific routines when an event occurs.
1532 * Determines if an event should be be published, and if it is to be
1533 * published, whether a negotiation should take place. Also implements
1534 * NEGEND events which publish the final disposition of an event after
1535 * negotiations are complete.
1536 *
1537 * When an event occurs on a minor node, this routine walks the list of
1538 * contracts hanging off a devinfo node and for each contract on the affected
1539 * dip, evaluates the following cases
1540 *
1541 * a. an event that is synchronous, breaks the contract and NONEG not set
1542 * - bumps up the outstanding negotiation counts on the dip
1543 * - marks the dip as undergoing negotiation (devi_ct_neg)
1544 * - event of type CTE_NEG is published
1545 * b. an event that is synchronous, breaks the contract and NONEG is set
1546 * - sets the final result to CT_NACK, event is blocked
1547 * - does not publish an event
1548 * c. event is asynchronous and breaks the contract
1549 * - publishes a critical event irrespect of whether the NONEG
1550 * flag is set, since the contract will be broken and contract
1551 * owner needs to be informed.
1552 * d. No contract breakage but the owner has subscribed to the event
1553 * - publishes the event irrespective of the NONEG event as the
1554 * owner has explicitly subscribed to the event.
1555 * e. NEGEND event
1556 * - publishes a critical event. Should only be doing this if
1557 * if NONEG is not set.
1558 * f. all other events
1559 * - Since a contract is not broken and this event has not been
1560 * subscribed to, this event does not need to be published for
1561 * for this contract.
1562 *
1563 * Once an event is published, what happens next depends on the type of
1564 * event:
1565 *
1566 * a. NEGEND event
1567 * - cleanup all state associated with the preceding negotiation
1568 * and return CT_ACK to the caller of contract_device_publish()
1569 * b. NACKed event
1570 * - One or more contracts had the NONEG term, so the event was
1571 * blocked. Return CT_NACK to the caller.
1572 * c. Negotiated event
1573 * - Call wait_for_acks() to wait for responses from contract
1574 * holders. The end result is either CT_ACK (event is permitted),
1575 * CT_NACK (event is blocked) or CT_NONE (no contract owner)
1576 * responded. This result is returned back to the caller.
1577 * d. All other events
1578 * - If the event was asynchronous (i.e. not negotiated) or
1579 * a contract was not broken return CT_ACK to the caller.
1580 */
1581 static uint_t
1582 contract_device_publish(dev_info_t *dip, dev_t dev, int spec_type,
1583 uint_t evtype, nvlist_t *tnvl)
1584 {
1585 cont_device_t *ctd;
1586 uint_t result = CT_NONE;
1587 uint64_t evid = 0;
1588 uint64_t nevid = 0;
1589 char *path = NULL;
1590 int negend;
1591 int match;
1592 int sync = 0;
1593 contract_t *ct;
1594 ct_kevent_t *event;
1595 nvlist_t *nvl;
1596 int broken = 0;
1597
1598 ASSERT(dip);
1599 ASSERT(dev != NODEV && dev != DDI_DEV_T_NONE);
1600 ASSERT((dev == DDI_DEV_T_ANY && spec_type == 0) ||
1601 (spec_type == S_IFBLK || spec_type == S_IFCHR));
1602 ASSERT(evtype == 0 || (evtype & CT_DEV_ALLEVENT));
1603
1604 /* Is this a synchronous state change ? */
1605 if (evtype != CT_EV_NEGEND) {
1606 sync = is_sync_neg(get_state(dip), evtype);
1607 /* NOP if unsupported transition */
1608 if (sync == -2 || sync == -1) {
1609 DEVI(dip)->devi_flags |= DEVI_CT_NOP;
1610 result = (sync == -2) ? CT_ACK : CT_NONE;
1611 goto out;
1612 }
1613 CT_DEBUG((CE_NOTE, "publish: is%s sync state change",
1614 sync ? "" : " not"));
1615 } else if (DEVI(dip)->devi_flags & DEVI_CT_NOP) {
1616 DEVI(dip)->devi_flags &= ~DEVI_CT_NOP;
1617 result = CT_ACK;
1618 goto out;
1619 }
1620
1621 path = kmem_alloc(MAXPATHLEN, KM_SLEEP);
1622 (void) ddi_pathname(dip, path);
1623
1624 mutex_enter(&(DEVI(dip)->devi_ct_lock));
1625
1626 /*
1627 * Negotiation end - set the state of the device in the contract
1628 */
1629 if (evtype == CT_EV_NEGEND) {
1630 CT_DEBUG((CE_NOTE, "publish: negend: setting cond state"));
1631 set_cond_state(dip);
1632 }
1633
1634 /*
1635 * If this device didn't go through negotiation, don't publish
1636 * a NEGEND event - simply release the barrier to allow other
1637 * device events in.
1638 */
1639 negend = 0;
1640 if (evtype == CT_EV_NEGEND && !DEVI(dip)->devi_ct_neg) {
1641 CT_DEBUG((CE_NOTE, "publish: no negend reqd. release barrier"));
1642 ct_barrier_release(dip);
1643 mutex_exit(&(DEVI(dip)->devi_ct_lock));
1644 result = CT_ACK;
1645 goto out;
1646 } else if (evtype == CT_EV_NEGEND) {
1647 /*
1648 * There are negotiated contract breakages that
1649 * need a NEGEND event
1650 */
1651 ASSERT(ct_barrier_held(dip));
1652 negend = 1;
1653 CT_DEBUG((CE_NOTE, "publish: setting negend flag"));
1654 } else {
1655 /*
1656 * This is a new event, not a NEGEND event. Wait for previous
1657 * contract events to complete.
1658 */
1659 ct_barrier_acquire(dip);
1660 }
1661
1662
1663 match = 0;
1664 for (ctd = list_head(&(DEVI(dip)->devi_ct)); ctd != NULL;
1665 ctd = list_next(&(DEVI(dip)->devi_ct), ctd)) {
1666
1667 ctid_t ctid;
1668 size_t len = strlen(path);
1669
1670 mutex_enter(&ctd->cond_contract.ct_lock);
1671
1672 ASSERT(ctd->cond_dip == dip);
1673 ASSERT(ctd->cond_minor);
1674 ASSERT(strncmp(ctd->cond_minor, path, len) == 0 &&
1675 ctd->cond_minor[len] == ':');
1676
1677 if (dev != DDI_DEV_T_ANY && dev != ctd->cond_devt) {
1678 mutex_exit(&ctd->cond_contract.ct_lock);
1679 continue;
1680 }
1681 if (dev != DDI_DEV_T_ANY && spec_type != ctd->cond_spec) {
1682 mutex_exit(&ctd->cond_contract.ct_lock);
1683 continue;
1684 }
1685
1686 /* We have a matching contract */
1687 match = 1;
1688 ctid = ctd->cond_contract.ct_id;
1689 CT_DEBUG((CE_NOTE, "publish: found matching contract: %d",
1690 ctid));
1691
1692 /*
1693 * There are 4 possible cases
1694 * 1. A contract is broken (dev not in acceptable state) and
1695 * the state change is synchronous - start negotiation
1696 * by sending a CTE_NEG critical event.
1697 * 2. A contract is broken and the state change is
1698 * asynchronous - just send a critical event and
1699 * break the contract.
1700 * 3. Contract is not broken, but consumer has subscribed
1701 * to the event as a critical or informative event
1702 * - just send the appropriate event
1703 * 4. contract waiting for negend event - just send the critical
1704 * NEGEND event.
1705 */
1706 broken = 0;
1707 if (!negend && !(evtype & ctd->cond_aset)) {
1708 broken = 1;
1709 CT_DEBUG((CE_NOTE, "publish: Contract broken: %d",
1710 ctid));
1711 }
1712
1713 /*
1714 * Don't send event if
1715 * - contract is not broken AND
1716 * - contract holder has not subscribed to this event AND
1717 * - contract not waiting for a NEGEND event
1718 */
1719 if (!broken && !EVSENDP(ctd, evtype) &&
1720 !ctd->cond_neg) {
1721 CT_DEBUG((CE_NOTE, "contract_device_publish(): "
1722 "contract (%d): no publish reqd: event %d",
1723 ctd->cond_contract.ct_id, evtype));
1724 mutex_exit(&ctd->cond_contract.ct_lock);
1725 continue;
1726 }
1727
1728 /*
1729 * Note: need to kmem_zalloc() the event so mutexes are
1730 * initialized automatically
1731 */
1732 ct = &ctd->cond_contract;
1733 event = kmem_zalloc(sizeof (ct_kevent_t), KM_SLEEP);
1734 event->cte_type = evtype;
1735
1736 if (broken && sync) {
1737 CT_DEBUG((CE_NOTE, "publish: broken + sync: "
1738 "ctid: %d", ctid));
1739 ASSERT(!negend);
1740 ASSERT(ctd->cond_currev_id == 0);
1741 ASSERT(ctd->cond_currev_type == 0);
1742 ASSERT(ctd->cond_currev_ack == 0);
1743 ASSERT(ctd->cond_neg == 0);
1744 if (ctd->cond_noneg) {
1745 /* Nothing to publish. Event has been blocked */
1746 CT_DEBUG((CE_NOTE, "publish: sync and noneg:"
1747 "not publishing blocked ev: ctid: %d",
1748 ctid));
1749 result = CT_NACK;
1750 kmem_free(event, sizeof (ct_kevent_t));
1751 mutex_exit(&ctd->cond_contract.ct_lock);
1752 continue;
1753 }
1754 event->cte_flags = CTE_NEG; /* critical neg. event */
1755 ctd->cond_currev_type = event->cte_type;
1756 ct_barrier_incr(dip);
1757 DEVI(dip)->devi_ct_neg = 1; /* waiting for negend */
1758 ctd->cond_neg = 1;
1759 } else if (broken && !sync) {
1760 CT_DEBUG((CE_NOTE, "publish: broken + async: ctid: %d",
1761 ctid));
1762 ASSERT(!negend);
1763 ASSERT(ctd->cond_currev_id == 0);
1764 ASSERT(ctd->cond_currev_type == 0);
1765 ASSERT(ctd->cond_currev_ack == 0);
1766 ASSERT(ctd->cond_neg == 0);
1767 event->cte_flags = 0; /* critical event */
1768 } else if (EVSENDP(ctd, event->cte_type)) {
1769 CT_DEBUG((CE_NOTE, "publish: event suscrib: ctid: %d",
1770 ctid));
1771 ASSERT(!negend);
1772 ASSERT(ctd->cond_currev_id == 0);
1773 ASSERT(ctd->cond_currev_type == 0);
1774 ASSERT(ctd->cond_currev_ack == 0);
1775 ASSERT(ctd->cond_neg == 0);
1776 event->cte_flags = EVINFOP(ctd, event->cte_type) ?
1777 CTE_INFO : 0;
1778 } else if (ctd->cond_neg) {
1779 CT_DEBUG((CE_NOTE, "publish: NEGEND: ctid: %d", ctid));
1780 ASSERT(negend);
1781 ASSERT(ctd->cond_noneg == 0);
1782 nevid = ctd->cond_contract.ct_nevent ?
1783 ctd->cond_contract.ct_nevent->cte_id : 0;
1784 ASSERT(ctd->cond_currev_id == nevid);
1785 event->cte_flags = 0; /* NEGEND is always critical */
1786 ctd->cond_currev_id = 0;
1787 ctd->cond_currev_type = 0;
1788 ctd->cond_currev_ack = 0;
1789 ctd->cond_neg = 0;
1790 } else {
1791 CT_DEBUG((CE_NOTE, "publish: not publishing event for "
1792 "ctid: %d, evtype: %d",
1793 ctd->cond_contract.ct_id, event->cte_type));
1794 ASSERT(!negend);
1795 ASSERT(ctd->cond_currev_id == 0);
1796 ASSERT(ctd->cond_currev_type == 0);
1797 ASSERT(ctd->cond_currev_ack == 0);
1798 ASSERT(ctd->cond_neg == 0);
1799 kmem_free(event, sizeof (ct_kevent_t));
1800 mutex_exit(&ctd->cond_contract.ct_lock);
1801 continue;
1802 }
1803
1804 nvl = NULL;
1805 if (tnvl) {
1806 VERIFY(nvlist_dup(tnvl, &nvl, 0) == 0);
1807 if (negend) {
1808 int32_t newct = 0;
1809 ASSERT(ctd->cond_noneg == 0);
1810 VERIFY(nvlist_add_uint64(nvl, CTS_NEVID, nevid)
1811 == 0);
1812 VERIFY(nvlist_lookup_int32(nvl, CTS_NEWCT,
1813 &newct) == 0);
1814 VERIFY(nvlist_add_int32(nvl, CTS_NEWCT,
1815 newct == 1 ? 0 :
1816 ctd->cond_contract.ct_id) == 0);
1817 CT_DEBUG((CE_NOTE, "publish: negend: ctid: %d "
1818 "CTS_NEVID: %llu, CTS_NEWCT: %s",
1819 ctid, (unsigned long long)nevid,
1820 newct ? "success" : "failure"));
1821
1822 }
1823 }
1824
1825 if (ctd->cond_neg) {
1826 ASSERT(ctd->cond_contract.ct_ntime.ctm_start == -1);
1827 ASSERT(ctd->cond_contract.ct_qtime.ctm_start == -1);
1828 ctd->cond_contract.ct_ntime.ctm_start = ddi_get_lbolt();
1829 ctd->cond_contract.ct_qtime.ctm_start =
1830 ctd->cond_contract.ct_ntime.ctm_start;
1831 }
1832
1833 /*
1834 * by holding the dip's devi_ct_lock we ensure that
1835 * all ACK/NACKs are held up until we have finished
1836 * publishing to all contracts.
1837 */
1838 mutex_exit(&ctd->cond_contract.ct_lock);
1839 evid = cte_publish_all(ct, event, nvl, NULL);
1840 mutex_enter(&ctd->cond_contract.ct_lock);
1841
1842 if (ctd->cond_neg) {
1843 ASSERT(!negend);
1844 ASSERT(broken);
1845 ASSERT(sync);
1846 ASSERT(!ctd->cond_noneg);
1847 CT_DEBUG((CE_NOTE, "publish: sync break, setting evid"
1848 ": %d", ctid));
1849 ctd->cond_currev_id = evid;
1850 } else if (negend) {
1851 ctd->cond_contract.ct_ntime.ctm_start = -1;
1852 ctd->cond_contract.ct_qtime.ctm_start = -1;
1853 }
1854 mutex_exit(&ctd->cond_contract.ct_lock);
1855 }
1856
1857 /*
1858 * If "negend" set counter back to initial state (-1) so that
1859 * other events can be published. Also clear the negotiation flag
1860 * on dip.
1861 *
1862 * 0 .. n are used for counting.
1863 * -1 indicates counter is available for use.
1864 */
1865 if (negend) {
1866 /*
1867 * devi_ct_count not necessarily 0. We may have
1868 * timed out in which case, count will be non-zero.
1869 */
1870 ct_barrier_release(dip);
1871 DEVI(dip)->devi_ct_neg = 0;
1872 CT_DEBUG((CE_NOTE, "publish: negend: reset dip state: dip=%p",
1873 (void *)dip));
1874 } else if (DEVI(dip)->devi_ct_neg) {
1875 ASSERT(match);
1876 ASSERT(!ct_barrier_empty(dip));
1877 CT_DEBUG((CE_NOTE, "publish: sync count=%d, dip=%p",
1878 DEVI(dip)->devi_ct_count, (void *)dip));
1879 } else {
1880 /*
1881 * for non-negotiated events or subscribed events or no
1882 * matching contracts
1883 */
1884 ASSERT(ct_barrier_empty(dip));
1885 ASSERT(DEVI(dip)->devi_ct_neg == 0);
1886 CT_DEBUG((CE_NOTE, "publish: async/non-nego/subscrib/no-match: "
1887 "dip=%p", (void *)dip));
1888
1889 /*
1890 * only this function when called from contract_device_negend()
1891 * can reset the counter to READY state i.e. -1. This function
1892 * is so called for every event whether a NEGEND event is needed
1893 * or not, but the negend event is only published if the event
1894 * whose end they signal is a negotiated event for the contract.
1895 */
1896 }
1897
1898 if (!match) {
1899 /* No matching contracts */
1900 CT_DEBUG((CE_NOTE, "publish: No matching contract"));
1901 result = CT_NONE;
1902 } else if (result == CT_NACK) {
1903 /* a non-negotiable contract exists and this is a neg. event */
1904 CT_DEBUG((CE_NOTE, "publish: found 1 or more NONEG contract"));
1905 (void) wait_for_acks(dip, dev, spec_type, evtype);
1906 } else if (DEVI(dip)->devi_ct_neg) {
1907 /* one or more contracts going through negotations */
1908 CT_DEBUG((CE_NOTE, "publish: sync contract: waiting"));
1909 result = wait_for_acks(dip, dev, spec_type, evtype);
1910 } else {
1911 /* no negotiated contracts or no broken contracts or NEGEND */
1912 CT_DEBUG((CE_NOTE, "publish: async/no-break/negend"));
1913 result = CT_ACK;
1914 }
1915
1916 /*
1917 * Release the lock only now so that the only point where we
1918 * drop the lock is in wait_for_acks(). This is so that we don't
1919 * miss cv_signal/cv_broadcast from contract holders
1920 */
1921 CT_DEBUG((CE_NOTE, "publish: dropping devi_ct_lock"));
1922 mutex_exit(&(DEVI(dip)->devi_ct_lock));
1923
1924 out:
1925 nvlist_free(tnvl);
1926 if (path)
1927 kmem_free(path, MAXPATHLEN);
1928
1929
1930 CT_DEBUG((CE_NOTE, "publish: result = %s", result_str(result)));
1931 return (result);
1932 }
1933
1934
1935 /*
1936 * contract_device_offline
1937 *
1938 * Event publishing routine called by I/O framework when a device is offlined.
1939 */
1940 ct_ack_t
1941 contract_device_offline(dev_info_t *dip, dev_t dev, int spec_type)
1942 {
1943 nvlist_t *nvl;
1944 uint_t result;
1945 uint_t evtype;
1946
1947 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1948
1949 evtype = CT_DEV_EV_OFFLINE;
1950 result = contract_device_publish(dip, dev, spec_type, evtype, nvl);
1951
1952 /*
1953 * If a contract offline is NACKED, the framework expects us to call
1954 * NEGEND ourselves, since we know the final result
1955 */
1956 if (result == CT_NACK) {
1957 contract_device_negend(dip, dev, spec_type, CT_EV_FAILURE);
1958 }
1959
1960 return (result);
1961 }
1962
1963 /*
1964 * contract_device_degrade
1965 *
1966 * Event publishing routine called by I/O framework when a device
1967 * moves to degrade state.
1968 */
1969 /*ARGSUSED*/
1970 void
1971 contract_device_degrade(dev_info_t *dip, dev_t dev, int spec_type)
1972 {
1973 nvlist_t *nvl;
1974 uint_t evtype;
1975
1976 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1977
1978 evtype = CT_DEV_EV_DEGRADED;
1979 (void) contract_device_publish(dip, dev, spec_type, evtype, nvl);
1980 }
1981
1982 /*
1983 * contract_device_undegrade
1984 *
1985 * Event publishing routine called by I/O framework when a device
1986 * moves from degraded state to online state.
1987 */
1988 /*ARGSUSED*/
1989 void
1990 contract_device_undegrade(dev_info_t *dip, dev_t dev, int spec_type)
1991 {
1992 nvlist_t *nvl;
1993 uint_t evtype;
1994
1995 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
1996
1997 evtype = CT_DEV_EV_ONLINE;
1998 (void) contract_device_publish(dip, dev, spec_type, evtype, nvl);
1999 }
2000
2001 /*
2002 * For all contracts which have undergone a negotiation (because the device
2003 * moved out of the acceptable state for that contract and the state
2004 * change is synchronous i.e. requires negotiation) this routine publishes
2005 * a CT_EV_NEGEND event with the final disposition of the event.
2006 *
2007 * This event is always a critical event.
2008 */
2009 void
2010 contract_device_negend(dev_info_t *dip, dev_t dev, int spec_type, int result)
2011 {
2012 nvlist_t *nvl;
2013 uint_t evtype;
2014
2015 ASSERT(result == CT_EV_SUCCESS || result == CT_EV_FAILURE);
2016
2017 CT_DEBUG((CE_NOTE, "contract_device_negend(): entered: result: %d, "
2018 "dip: %p", result, (void *)dip));
2019
2020 VERIFY(nvlist_alloc(&nvl, NV_UNIQUE_NAME, KM_SLEEP) == 0);
2021 VERIFY(nvlist_add_int32(nvl, CTS_NEWCT,
2022 result == CT_EV_SUCCESS ? 1 : 0) == 0);
2023
2024 evtype = CT_EV_NEGEND;
2025 (void) contract_device_publish(dip, dev, spec_type, evtype, nvl);
2026
2027 CT_DEBUG((CE_NOTE, "contract_device_negend(): exit dip: %p",
2028 (void *)dip));
2029 }
2030
2031 /*
2032 * Wrapper routine called by other subsystems (such as LDI) to start
2033 * negotiations when a synchronous device state change occurs.
2034 * Returns CT_ACK or CT_NACK.
2035 */
2036 ct_ack_t
2037 contract_device_negotiate(dev_info_t *dip, dev_t dev, int spec_type,
2038 uint_t evtype)
2039 {
2040 int result;
2041
2042 ASSERT(dip);
2043 ASSERT(dev != NODEV);
2044 ASSERT(dev != DDI_DEV_T_ANY);
2045 ASSERT(dev != DDI_DEV_T_NONE);
2046 ASSERT(spec_type == S_IFBLK || spec_type == S_IFCHR);
2047
2048 switch (evtype) {
2049 case CT_DEV_EV_OFFLINE:
2050 result = contract_device_offline(dip, dev, spec_type);
2051 break;
2052 default:
2053 cmn_err(CE_PANIC, "contract_device_negotiate(): Negotiation "
2054 "not supported: event (%d) for dev_t (%lu) and spec (%d), "
2055 "dip (%p)", evtype, dev, spec_type, (void *)dip);
2056 result = CT_NACK;
2057 break;
2058 }
2059
2060 return (result);
2061 }
2062
2063 /*
2064 * A wrapper routine called by other subsystems (such as the LDI) to
2065 * finalize event processing for a state change event. For synchronous
2066 * state changes, this publishes NEGEND events. For asynchronous i.e.
2067 * non-negotiable events this publishes the event.
2068 */
2069 void
2070 contract_device_finalize(dev_info_t *dip, dev_t dev, int spec_type,
2071 uint_t evtype, int ct_result)
2072 {
2073 ASSERT(dip);
2074 ASSERT(dev != NODEV);
2075 ASSERT(dev != DDI_DEV_T_ANY);
2076 ASSERT(dev != DDI_DEV_T_NONE);
2077 ASSERT(spec_type == S_IFBLK || spec_type == S_IFCHR);
2078
2079 switch (evtype) {
2080 case CT_DEV_EV_OFFLINE:
2081 contract_device_negend(dip, dev, spec_type, ct_result);
2082 break;
2083 case CT_DEV_EV_DEGRADED:
2084 contract_device_degrade(dip, dev, spec_type);
2085 contract_device_negend(dip, dev, spec_type, ct_result);
2086 break;
2087 case CT_DEV_EV_ONLINE:
2088 contract_device_undegrade(dip, dev, spec_type);
2089 contract_device_negend(dip, dev, spec_type, ct_result);
2090 break;
2091 default:
2092 cmn_err(CE_PANIC, "contract_device_finalize(): Unsupported "
2093 "event (%d) for dev_t (%lu) and spec (%d), dip (%p)",
2094 evtype, dev, spec_type, (void *)dip);
2095 break;
2096 }
2097 }
2098
2099 /*
2100 * Called by I/O framework when a devinfo node is freed to remove the
2101 * association between a devinfo node and its contracts.
2102 */
2103 void
2104 contract_device_remove_dip(dev_info_t *dip)
2105 {
2106 cont_device_t *ctd;
2107 cont_device_t *next;
2108 contract_t *ct;
2109
2110 mutex_enter(&(DEVI(dip)->devi_ct_lock));
2111 ct_barrier_wait_for_release(dip);
2112
2113 for (ctd = list_head(&(DEVI(dip)->devi_ct)); ctd != NULL; ctd = next) {
2114 next = list_next(&(DEVI(dip)->devi_ct), ctd);
2115 list_remove(&(DEVI(dip)->devi_ct), ctd);
2116 ct = &ctd->cond_contract;
2117 /*
2118 * Unlink the dip associated with this contract
2119 */
2120 mutex_enter(&ct->ct_lock);
2121 ASSERT(ctd->cond_dip == dip);
2122 ctd->cond_dip = NULL; /* no longer linked to dip */
2123 contract_rele(ct); /* remove hold for dip linkage */
2124 CT_DEBUG((CE_NOTE, "ct: remove_dip: removed dip from contract: "
2125 "ctid: %d", ct->ct_id));
2126 mutex_exit(&ct->ct_lock);
2127 }
2128 ASSERT(list_is_empty(&(DEVI(dip)->devi_ct)));
2129 mutex_exit(&(DEVI(dip)->devi_ct_lock));
2130 }
2131
2132 /*
2133 * Barrier related routines
2134 */
2135 static void
2136 ct_barrier_acquire(dev_info_t *dip)
2137 {
2138 ASSERT(MUTEX_HELD(&(DEVI(dip)->devi_ct_lock)));
2139 CT_DEBUG((CE_NOTE, "ct_barrier_acquire: waiting for barrier"));
2140 while (DEVI(dip)->devi_ct_count != -1)
2141 cv_wait(&(DEVI(dip)->devi_ct_cv), &(DEVI(dip)->devi_ct_lock));
2142 DEVI(dip)->devi_ct_count = 0;
2143 CT_DEBUG((CE_NOTE, "ct_barrier_acquire: thread owns barrier"));
2144 }
2145
2146 static void
2147 ct_barrier_release(dev_info_t *dip)
2148 {
2149 ASSERT(MUTEX_HELD(&(DEVI(dip)->devi_ct_lock)));
2150 ASSERT(DEVI(dip)->devi_ct_count != -1);
2151 DEVI(dip)->devi_ct_count = -1;
2152 cv_broadcast(&(DEVI(dip)->devi_ct_cv));
2153 CT_DEBUG((CE_NOTE, "ct_barrier_release: Released barrier"));
2154 }
2155
2156 static int
2157 ct_barrier_held(dev_info_t *dip)
2158 {
2159 ASSERT(MUTEX_HELD(&(DEVI(dip)->devi_ct_lock)));
2160 return (DEVI(dip)->devi_ct_count != -1);
2161 }
2162
2163 static int
2164 ct_barrier_empty(dev_info_t *dip)
2165 {
2166 ASSERT(MUTEX_HELD(&(DEVI(dip)->devi_ct_lock)));
2167 ASSERT(DEVI(dip)->devi_ct_count != -1);
2168 return (DEVI(dip)->devi_ct_count == 0);
2169 }
2170
2171 static void
2172 ct_barrier_wait_for_release(dev_info_t *dip)
2173 {
2174 ASSERT(MUTEX_HELD(&(DEVI(dip)->devi_ct_lock)));
2175 while (DEVI(dip)->devi_ct_count != -1)
2176 cv_wait(&(DEVI(dip)->devi_ct_cv), &(DEVI(dip)->devi_ct_lock));
2177 }
2178
2179 static void
2180 ct_barrier_decr(dev_info_t *dip)
2181 {
2182 CT_DEBUG((CE_NOTE, "barrier_decr: ct_count before decr: %d",
2183 DEVI(dip)->devi_ct_count));
2184
2185 ASSERT(MUTEX_HELD(&(DEVI(dip)->devi_ct_lock)));
2186 ASSERT(DEVI(dip)->devi_ct_count > 0);
2187
2188 DEVI(dip)->devi_ct_count--;
2189 if (DEVI(dip)->devi_ct_count == 0) {
2190 cv_broadcast(&DEVI(dip)->devi_ct_cv);
2191 CT_DEBUG((CE_NOTE, "barrier_decr: cv_broadcast"));
2192 }
2193 }
2194
2195 static void
2196 ct_barrier_incr(dev_info_t *dip)
2197 {
2198 ASSERT(ct_barrier_held(dip));
2199 DEVI(dip)->devi_ct_count++;
2200 }
2201
2202 static int
2203 ct_barrier_wait_for_empty(dev_info_t *dip, int secs)
2204 {
2205 clock_t abstime;
2206
2207 ASSERT(MUTEX_HELD(&(DEVI(dip)->devi_ct_lock)));
2208
2209 abstime = ddi_get_lbolt() + drv_usectohz(secs*1000000);
2210 while (DEVI(dip)->devi_ct_count) {
2211 if (cv_timedwait(&(DEVI(dip)->devi_ct_cv),
2212 &(DEVI(dip)->devi_ct_lock), abstime) == -1) {
2213 return (-1);
2214 }
2215 }
2216 return (0);
2217 }
Unleashed OS