| blob | 0924da6eda4762fd8080bf1c3228e75c47c45c64 |
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 */
26 /*
27 * Kernel Error Queues
28 *
29 * A common problem when handling hardware error traps and interrupts is that
30 * these errors frequently must be handled at high interrupt level, where
31 * reliably producing error messages and safely examining and manipulating
32 * other kernel state may not be possible. The kernel error queue primitive is
33 * a common set of routines that allow a subsystem to maintain a queue of
34 * errors that can be processed by an explicit call from a safe context or by a
35 * soft interrupt that fires at a specific lower interrupt level. The queue
36 * management code also ensures that if the system panics, all in-transit
37 * errors are logged prior to reset. Each queue has an associated kstat for
38 * observing the number of errors dispatched and logged, and mdb(1) debugging
39 * support is provided for live and post-mortem observability.
40 *
41 * Memory Allocation
42 *
43 * All of the queue data structures are allocated in advance as part of
44 * the errorq_create() call. No additional memory allocations are
45 * performed as part of errorq_dispatch(), errorq_reserve(),
46 * errorq_commit() or errorq_drain(). This design
47 * facilitates reliable error queue processing even when the system is low
48 * on memory, and ensures that errorq_dispatch() can be called from any
49 * context. When the queue is created, the maximum queue length is
50 * specified as a parameter to errorq_create() and errorq_nvcreate(). This
51 * length should represent a reasonable upper bound on the number of
52 * simultaneous errors. If errorq_dispatch() or errorq_reserve() is
53 * invoked and no free queue elements are available, the error is
54 * dropped and will not be logged. Typically, the queue will only be
55 * exhausted by an error storm, and in this case
56 * the earlier errors provide the most important data for analysis.
57 * When a new error is dispatched, the error data is copied into the
58 * preallocated queue element so that the caller's buffer can be reused.
59 *
60 * When a new error is reserved, an element is moved from the free pool
61 * and returned to the caller. The element buffer data, eqe_data, may be
62 * managed by the caller and dispatched to the errorq by calling
63 * errorq_commit(). This is useful for additions to errorq's
64 * created with errorq_nvcreate() to handle name-value pair (nvpair) data.
65 * See below for a discussion on nvlist errorq's.
66 *
67 * Queue Drain Callback
68 *
69 * When the error queue is drained, the caller's queue drain callback is
70 * invoked with a pointer to the saved error data. This function may be
71 * called from passive kernel context or soft interrupt context at or
72 * below LOCK_LEVEL, or as part of panic(). As such, the callback should
73 * basically only be calling cmn_err (but NOT with the CE_PANIC flag).
74 * The callback must not call panic(), attempt to allocate memory, or wait
75 * on a condition variable. The callback may not call errorq_destroy()
76 * or errorq_drain() on the same error queue that called it.
77 *
78 * The queue drain callback will always be called for each pending error
79 * in the order in which errors were enqueued (oldest to newest). The
80 * queue drain callback is guaranteed to provide at *least* once semantics
81 * for all errors that are successfully dispatched (i.e. for which
82 * errorq_dispatch() has successfully completed). If an unrelated panic
83 * occurs while the queue drain callback is running on a vital queue, the
84 * panic subsystem will continue the queue drain and the callback may be
85 * invoked again for the same error. Therefore, the callback should
86 * restrict itself to logging messages and taking other actions that are
87 * not destructive if repeated.
88 *
89 * Name-Value Pair Error Queues
90 *
91 * During error handling, it may be more convenient to store error
92 * queue element data as a fixed buffer of name-value pairs. The
93 * nvpair library allows construction and destruction of nvlists
94 * in pre-allocated memory buffers.
95 *
96 * Error queues created via errorq_nvcreate() store queue element
97 * data as fixed buffer nvlists (ereports). errorq_reserve()
98 * allocates an errorq element from eqp->eq_bitmap and returns a valid
99 * pointer to a errorq_elem_t (queue element) and a pre-allocated
100 * fixed buffer nvlist. errorq_elem_nvl() is used to gain access
101 * to the nvlist to add name-value ereport members prior to
102 * dispatching the error queue element in errorq_commit().
103 *
104 * Once dispatched, the drain function will return the element to
105 * eqp->eq_bitmap and reset the associated nv_alloc structure.
106 * error_cancel() may be called to cancel an element reservation
107 * element that was never dispatched (committed). This is useful in
108 * cases where a programming error prevents a queue element from being
109 * dispatched.
110 *
111 * Queue Management
112 *
113 * The queue element structures and error data buffers are allocated in
114 * two contiguous chunks as part of errorq_create() or errorq_nvcreate().
115 * Each queue element structure contains a next pointer,
116 * a previous pointer, and a pointer to the corresponding error data
117 * buffer. The data buffer for a nvlist errorq is a shared buffer
118 * for the allocation of name-value pair lists. The elements are kept on
119 * one of four lists:
120 *
121 * Unused elements are kept in the free pool, managed by eqp->eq_bitmap.
122 * The eqe_prev and eqe_next pointers are not used while in the free pool
123 * and will be set to NULL.
124 *
125 * Pending errors are kept on the pending list, a singly-linked list
126 * pointed to by eqp->eq_pend, and linked together using eqe_prev. This
127 * list is maintained in order from newest error to oldest. The eqe_next
128 * pointer is not used by the pending list and will be set to NULL.
129 *
130 * The processing list is a doubly-linked list pointed to by eqp->eq_phead
131 * (the oldest element) and eqp->eq_ptail (the newest element). The
132 * eqe_next pointer is used to traverse from eq_phead to eq_ptail, and the
133 * eqe_prev pointer is used to traverse from eq_ptail to eq_phead. Once a
134 * queue drain operation begins, the current pending list is moved to the
135 * processing list in a two-phase commit fashion (eq_ptail being cleared
136 * at the beginning but eq_phead only at the end), allowing the panic code
137 * to always locate and process all pending errors in the event that a
138 * panic occurs in the middle of queue processing.
139 *
140 * A fourth list is maintained for nvlist errorqs. The dump list,
141 * eq_dump is used to link all errorq elements that should be stored
142 * in a crash dump file in the event of a system panic. During
143 * errorq_panic(), the list is created and subsequently traversed
144 * in errorq_dump() during the final phases of a crash dump.
145 *
146 * Platform Considerations
147 *
148 * In order to simplify their implementation, error queues make use of the
149 * C wrappers for compare-and-swap. If the platform itself does not
150 * support compare-and-swap in hardware and the kernel emulation routines
151 * are used instead, then the context in which errorq_dispatch() can be
152 * safely invoked is further constrained by the implementation of the
153 * compare-and-swap emulation. Specifically, if errorq_dispatch() is
154 * called from a code path that can be executed above ATOMIC_LEVEL on such
155 * a platform, the dispatch code could potentially deadlock unless the
156 * corresponding error interrupt is blocked or disabled prior to calling
157 * errorq_dispatch(). Error queues should therefore be deployed with
158 * caution on these platforms.
159 *
160 * Interfaces
161 *
162 * errorq_t *errorq_create(name, func, private, qlen, eltsize, ipl, flags);
163 * errorq_t *errorq_nvcreate(name, func, private, qlen, eltsize, ipl, flags);
164 *
165 * Create a new error queue with the specified name, callback, and
166 * properties. A pointer to the new error queue is returned upon success,
167 * or NULL is returned to indicate that the queue could not be created.
168 * This function must be called from passive kernel context with no locks
169 * held that can prevent a sleeping memory allocation from occurring.
170 * errorq_create() will return failure if the queue kstats cannot be
171 * created, or if a soft interrupt handler cannot be registered.
172 *
173 * The queue 'name' is a string that is recorded for live and post-mortem
174 * examination by a debugger. The queue callback 'func' will be invoked
175 * for each error drained from the queue, and will receive the 'private'
176 * pointer as its first argument. The callback must obey the rules for
177 * callbacks described above. The queue will have maximum length 'qlen'
178 * and each element will be able to record up to 'eltsize' bytes of data.
179 * The queue's soft interrupt (see errorq_dispatch(), below) will fire
180 * at 'ipl', which should not exceed LOCK_LEVEL. The queue 'flags' may
181 * include the following flag:
182 *
183 * ERRORQ_VITAL - This queue contains information that is considered
184 * vital to problem diagnosis. Error queues that are marked vital will
185 * be automatically drained by the panic subsystem prior to printing
186 * the panic messages to the console.
187 *
188 * void errorq_destroy(errorq);
189 *
190 * Destroy the specified error queue. The queue is drained of any
191 * pending elements and these are logged before errorq_destroy returns.
192 * Once errorq_destroy() begins draining the queue, any simultaneous
193 * calls to dispatch errors will result in the errors being dropped.
194 * The caller must invoke a higher-level abstraction (e.g. disabling
195 * an error interrupt) to ensure that error handling code does not
196 * attempt to dispatch errors to the queue while it is being freed.
197 *
198 * void errorq_dispatch(errorq, data, len, flag);
199 *
200 * Attempt to enqueue the specified error data. If a free queue element
201 * is available, the data is copied into a free element and placed on a
202 * pending list. If no free queue element is available, the error is
203 * dropped. The data length (len) is specified in bytes and should not
204 * exceed the queue's maximum element size. If the data length is less
205 * than the maximum element size, the remainder of the queue element is
206 * filled with zeroes. The flag parameter should be one of:
207 *
208 * ERRORQ_ASYNC - Schedule a soft interrupt at the previously specified
209 * IPL to asynchronously drain the queue on behalf of the caller.
210 *
211 * ERRORQ_SYNC - Do not schedule a soft interrupt to drain the queue.
212 * The caller is presumed to be calling errorq_drain() or panic() in
213 * the near future in order to drain the queue and log the error.
214 *
215 * The errorq_dispatch() function may be called from any context, subject
216 * to the Platform Considerations described above.
217 *
218 * void errorq_drain(errorq);
219 *
220 * Drain the error queue of all pending errors. The queue's callback
221 * function is invoked for each error in order from oldest to newest.
222 * This function may be used at or below LOCK_LEVEL or from panic context.
223 *
224 * errorq_elem_t *errorq_reserve(errorq);
225 *
226 * Reserve an error queue element for later processing and dispatching.
227 * The element is returned to the caller who may add error-specific data
228 * to element. The element is retured to the free pool when either
229 * errorq_commit() is called and the element asynchronously processed
230 * or immediately when errorq_cancel() is called.
231 *
232 * void errorq_commit(errorq, errorq_elem, flag);
233 *
234 * Commit an errorq element (eqep) for dispatching, see
235 * errorq_dispatch().
236 *
237 * void errorq_cancel(errorq, errorq_elem);
238 *
239 * Cancel a pending errorq element reservation. The errorq element is
240 * returned to the free pool upon cancelation.
241 */
243 #include <sys/errorq_impl.h>
244 #include <sys/sysmacros.h>
245 #include <sys/machlock.h>
246 #include <sys/cmn_err.h>
247 #include <sys/atomic.h>
248 #include <sys/systm.h>
249 #include <sys/kmem.h>
250 #include <sys/conf.h>
251 #include <sys/ddi.h>
252 #include <sys/sunddi.h>
253 #include <sys/bootconf.h>
254 #include <sys/spl.h>
255 #include <sys/dumphdr.h>
256 #include <sys/compress.h>
257 #include <sys/time.h>
258 #include <sys/panic.h>
259 #include <sys/bitmap.h>
260 #include <sys/fm/protocol.h>
261 #include <sys/fm/util.h>
272 };
279 static uint_t
281 {
284 }
286 /*
287 * Create a new error queue with the specified properties and add a software
288 * interrupt handler and kstat for it. This function must be called from
289 * passive kernel context with no locks held that can prevent a sleeping
290 * memory allocation from occurring. This function will return NULL if the
291 * softint or kstat for this queue cannot be created.
292 */
293 errorq_t *
296 {
303 caddr_t data;
308 /*
309 * If a queue is created very early in boot before device tree services
310 * are available, the queue softint handler cannot be created. We
311 * manually drain these queues and create their softint handlers when
312 * it is safe to do so as part of errorq_init(), below.
313 */
320 }
331 }
358 /*
359 * Iterate over the array of errorq_elem_t structures and set its
360 * data pointer.
361 */
368 eep++;
369 }
375 /*
376 * Once the errorq is initialized, add it to the global list of queues,
377 * and then return a pointer to the new queue to the caller.
378 */
385 }
387 /*
388 * Create a new errorq as if by errorq_create(), but set the ERRORQ_NVLIST
389 * flag and initialize each element to have the start of its data region used
390 * as an errorq_nvelem_t with a nvlist allocator that consumes the data region.
391 */
392 errorq_t *
395 {
411 }
415 }
417 /*
418 * To destroy an error queue, we mark it as disabled and then explicitly drain
419 * all pending errors. Once the drain is complete, we can remove the queue
420 * from the global list of queues examined by errorq_panic(), and then free
421 * the various queue data structures. The caller must use some higher-level
422 * abstraction (e.g. disabling an error interrupt) to ensure that no one will
423 * attempt to enqueue new errors while we are freeing this queue.
424 */
425 void
427 {
430 ulong_t i;
443 }
445 }
454 }
455 }
468 }
470 /*
471 * private version of bt_availbit which makes a best-efforts attempt
472 * at allocating in a round-robin fashion in order to facilitate post-mortem
473 * diagnosis.
474 */
475 static index_t
477 {
486 /*
487 * First check if there are still some bits remaining in the current
488 * word, and see if any of those are available. We need to do this by
489 * hand as the bt_availbit() function always starts at the beginning
490 * of a word.
491 */
497 nextword++;
498 }
499 /*
500 * Now check if there are any words remaining before the end of the
501 * bitmap. Use bt_availbit() to find any free bits.
502 */
507 /*
508 * Finally loop back to the start and look for any free bits starting
509 * from the beginning of the bitmap to the current rotor position.
510 */
512 }
514 /*
515 * Dispatch a new error into the queue for later processing. The specified
516 * data buffer is copied into a preallocated queue element. If 'len' is
517 * smaller than the queue element size, the remainder of the queue element is
518 * filled with zeroes. This function may be called from any context subject
519 * to the Platform Considerations described above.
520 */
521 void
523 {
529 }
538 }
544 }
545 }
560 }
566 }
568 /*
569 * Drain the specified error queue by calling eq_func() for each pending error.
570 * This function must be called at or below LOCK_LEVEL or from panic context.
571 * In order to synchronize with other attempts to drain the queue, we acquire
572 * the adaptive eq_lock, blocking other consumers. Once this lock is held,
573 * we must use compare-and-swap to move the pending list to the processing
574 * list and to return elements to the free pool in order to synchronize
575 * with producers, who do not acquire any locks and only use atomic set/clear.
576 *
577 * An additional constraint on this function is that if the system panics
578 * while this function is running, the panic code must be able to detect and
579 * handle all intermediate states and correctly dequeue all errors. The
580 * errorq_panic() function below will be used for detecting and handling
581 * these intermediate states. The comments in errorq_drain() below explain
582 * how we make sure each intermediate state is distinct and consistent.
583 */
584 void
586 {
592 /*
593 * If there are one or more pending errors, set eq_ptail to point to
594 * the first element on the pending list and then attempt to compare-
595 * and-swap NULL to the pending list. We use membar_producer() to
596 * make sure that eq_ptail will be visible to errorq_panic() below
597 * before the pending list is NULLed out. This section is labeled
598 * case (1) for errorq_panic, below. If eq_ptail is not yet set (1A)
599 * eq_pend has all the pending errors. If atomic_cas_ptr fails or
600 * has not been called yet (1B), eq_pend still has all the pending
601 * errors. If atomic_cas_ptr succeeds (1C), eq_ptail has all the
602 * pending errors.
603 */
610 }
612 /*
613 * If no errors were pending, assert that eq_ptail is set to NULL,
614 * drop the consumer lock, and return without doing anything.
615 */
620 }
622 /*
623 * Now iterate from eq_ptail (a.k.a. eep, the newest error) to the
624 * oldest error, setting the eqe_next pointer so that we can iterate
625 * over the errors from oldest to newest. We use membar_producer()
626 * to make sure that these stores are visible before we set eq_phead.
627 * If we panic before, during, or just after this loop (case 2),
628 * errorq_panic() will simply redo this work, as described below.
629 */
634 /*
635 * Now set eq_phead to the head of the processing list (the oldest
636 * error) and issue another membar_producer() to make sure that
637 * eq_phead is seen as non-NULL before we clear eq_ptail. If we panic
638 * after eq_phead is set (case 3), we will detect and log these errors
639 * in errorq_panic(), as described below.
640 */
647 /*
648 * If we enter from errorq_panic_drain(), we may already have
649 * errorq elements on the dump list. Find the tail of
650 * the list ready for append.
651 */
655 }
657 /*
658 * Now iterate over the processing list from oldest (eq_phead) to
659 * newest and log each error. Once an error is logged, we use
660 * atomic clear to return it to the free pool. If we panic before,
661 * during, or after calling eq_func() (case 4), the error will still be
662 * found on eq_phead and will be logged in errorq_panic below.
663 */
674 /*
675 * On panic, we add the element to the dump list for each
676 * nvlist errorq. Elements are stored oldest to newest.
677 * Then continue, so we don't free and subsequently overwrite
678 * any elements which we've put on the dump queue.
679 */
683 else
687 }
691 }
694 }
696 /*
697 * Now that device tree services are available, set up the soft interrupt
698 * handlers for any queues that were created early in boot. We then
699 * manually drain these queues to report any pending early errors.
700 */
701 void
703 {
705 ddi_softintr_t id;
714 ddi_iblock_cookie_t ibc =
724 }
728 }
731 }
733 /*
734 * This function is designed to be called from panic context only, and
735 * therefore does not need to acquire errorq_lock when iterating over
736 * errorq_list. This function must be called no more than once for each
737 * 'what' value (if you change this then review the manipulation of 'dep'.
738 */
739 static uint64_t
741 {
753 /*
754 * In case (1B) above, eq_ptail may be set but the
755 * atomic_cas_ptr may not have been executed yet or may have
756 * failed. Either way, we must log errors in chronological
757 * order. So we search the pending list for the error
758 * pointed to by eq_ptail. If it is found, we know that all
759 * subsequent errors are also still on the pending list, so
760 * just NULL out eq_ptail and let errorq_drain(), below,
761 * take care of the logging.
762 */
768 }
769 }
771 /*
772 * In cases (1C) and (2) above, eq_ptail will be set to the
773 * newest error on the processing list but eq_phead will still
774 * be NULL. We set the eqe_next pointers so we can iterate
775 * over the processing list in order from oldest error to the
776 * newest error. We then set eq_phead to point to the oldest
777 * error and fall into the for-loop below.
778 */
786 }
788 /*
789 * In cases (3) and (4) above (or after case (1C/2) handling),
790 * eq_phead will be set to the oldest error on the processing
791 * list. We log each error and return it to the free pool.
792 *
793 * Unlike errorq_drain(), we don't need to worry about updating
794 * eq_phead because errorq_panic() will be called at most once.
795 * However, we must use atomic_cas_ptr to update the
796 * freelist in case errors are still being enqueued during
797 * panic.
798 */
806 /*
807 * On panic, we add the element to the dump list for
808 * each nvlist errorq, stored oldest to newest. Then
809 * continue, so we don't free and subsequently overwrite
810 * any elements which we've put on the dump queue.
811 */
815 else
819 }
823 }
825 /*
826 * Now go ahead and drain any other errors on the pending list.
827 * This call transparently handles case (1A) above, as well as
828 * any other errors that were dispatched after errorq_drain()
829 * completed its first compare-and-swap.
830 */
834 }
836 }
838 /*
839 * Drain all error queues - called only from panic context. Some drain
840 * functions may enqueue errors to ERRORQ_NVLIST error queues so that
841 * they may be written out in the panic dump - so ERRORQ_NVLIST queues
842 * must be drained last. Drain ERRORQ_VITAL queues before nonvital queues
843 * so that vital errors get to fill the ERRORQ_NVLIST queues first, and
844 * do not drain the nonvital queues if there are many vital errors.
845 */
846 void
848 {
855 }
857 /*
858 * Reserve an error queue element for later processing and dispatching. The
859 * element is returned to the caller who may add error-specific data to
860 * element. The element is retured to the free pool when either
861 * errorq_commit() is called and the element asynchronously processed
862 * or immediately when errorq_cancel() is called.
863 */
864 errorq_elem_t *
866 {
872 }
881 }
887 }
888 }
894 }
898 }
900 /*
901 * Commit an errorq element (eqep) for dispatching.
902 * This function may be called from any context subject
903 * to the Platform Considerations described above.
904 */
905 void
907 {
913 }
922 }
928 }
930 /*
931 * Cancel an errorq element reservation by returning the specified element
932 * to the free pool. Duplicate or invalid frees are not supported.
933 */
934 void
936 {
943 }
945 /*
946 * Write elements on the dump list of each nvlist errorq to the dump device.
947 * Upon reboot, fmd(1M) will extract and replay them for diagnosis.
948 */
949 void
951 {
966 erpt_dump_t ed;
977 }
986 }
999 }
1000 }
1001 }
1003 nvlist_t *
1005 {
1011 }
1013 nv_alloc_t *
1015 {
1021 }
1023 /*
1024 * Reserve a new element and duplicate the data of the original into it.
1025 */
1028 {
1037 }