From: "Thomas Hellström (Intel)" <thomas_os@shipmail.org>
To: Daniel Vetter <daniel.vetter@ffwll.ch>,
DRI Development <dri-devel@lists.freedesktop.org>
Cc: linux-rdma@vger.kernel.org,
"Intel Graphics Development" <intel-gfx@lists.freedesktop.org>,
LKML <linux-kernel@vger.kernel.org>,
amd-gfx@lists.freedesktop.org,
"Chris Wilson" <chris@chris-wilson.co.uk>,
linaro-mm-sig@lists.linaro.org,
"Thomas Hellstrom" <thomas.hellstrom@intel.com>,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Mika Kuoppala" <mika.kuoppala@intel.com>,
"Christian König" <christian.koenig@amd.com>,
linux-media@vger.kernel.org
Subject: Re: [PATCH 03/18] dma-fence: basic lockdep annotations
Date: Thu, 4 Jun 2020 10:57:35 +0200 [thread overview]
Message-ID: <edbfc1aa-9297-8202-cef8-1facafaa0dfe@shipmail.org> (raw)
In-Reply-To: <20200604081224.863494-4-daniel.vetter@ffwll.ch>
On 6/4/20 10:12 AM, Daniel Vetter wrote:
...
> Thread A:
>
> mutex_lock(A);
> mutex_unlock(A);
>
> dma_fence_signal();
>
> Thread B:
>
> mutex_lock(A);
> dma_fence_wait();
> mutex_unlock(A);
>
> Thread B is blocked on A signalling the fence, but A never gets around
> to that because it cannot acquire the lock A.
>
> Note that dma_fence_wait() is allowed to be nested within
> dma_fence_begin/end_signalling sections. To allow this to happen the
> read lock needs to be upgraded to a write lock, which means that any
> other lock is acquired between the dma_fence_begin_signalling() call and
> the call to dma_fence_wait(), and still held, this will result in an
> immediate lockdep complaint. The only other option would be to not
> annotate such calls, defeating the point. Therefore these annotations
> cannot be sprinkled over the code entirely mindless to avoid false
> positives.
Just realized, isn't that example actually a true positive, or at least
a great candidate for a true positive, since if another thread reenters
that signaling path, it will block on that mutex, and the fence would
never be signaled unless there is another signaling path?
Although I agree the conclusion is sound: These annotations cannot be
sprinkled mindlessly over the code.
/Thomas
>
> v2: handle soft/hardirq ctx better against write side and dont forget
> EXPORT_SYMBOL, drivers can't use this otherwise.
>
> v3: Kerneldoc.
>
> v4: Some spelling fixes from Mika
>
> Cc: Mika Kuoppala <mika.kuoppala@intel.com>
> Cc: Thomas Hellstrom <thomas.hellstrom@intel.com>
> Cc: linux-media@vger.kernel.org
> Cc: linaro-mm-sig@lists.linaro.org
> Cc: linux-rdma@vger.kernel.org
> Cc: amd-gfx@lists.freedesktop.org
> Cc: intel-gfx@lists.freedesktop.org
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Cc: Christian König <christian.koenig@amd.com>
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> Documentation/driver-api/dma-buf.rst | 12 +-
> drivers/dma-buf/dma-fence.c | 161 +++++++++++++++++++++++++++
> include/linux/dma-fence.h | 12 ++
> 3 files changed, 182 insertions(+), 3 deletions(-)
>
> diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst
> index 63dec76d1d8d..05d856131140 100644
> --- a/Documentation/driver-api/dma-buf.rst
> +++ b/Documentation/driver-api/dma-buf.rst
> @@ -100,11 +100,11 @@ CPU Access to DMA Buffer Objects
> .. kernel-doc:: drivers/dma-buf/dma-buf.c
> :doc: cpu access
>
> -Fence Poll Support
> -~~~~~~~~~~~~~~~~~~
> +Implicit Fence Poll Support
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> .. kernel-doc:: drivers/dma-buf/dma-buf.c
> - :doc: fence polling
> + :doc: implicit fence polling
>
> Kernel Functions and Structures Reference
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> @@ -133,6 +133,12 @@ DMA Fences
> .. kernel-doc:: drivers/dma-buf/dma-fence.c
> :doc: DMA fences overview
>
> +DMA Fence Signalling Annotations
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +.. kernel-doc:: drivers/dma-buf/dma-fence.c
> + :doc: fence signalling annotation
> +
> DMA Fences Functions Reference
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
> index 656e9ac2d028..0005bc002529 100644
> --- a/drivers/dma-buf/dma-fence.c
> +++ b/drivers/dma-buf/dma-fence.c
> @@ -110,6 +110,160 @@ u64 dma_fence_context_alloc(unsigned num)
> }
> EXPORT_SYMBOL(dma_fence_context_alloc);
>
> +/**
> + * DOC: fence signalling annotation
> + *
> + * Proving correctness of all the kernel code around &dma_fence through code
> + * review and testing is tricky for a few reasons:
> + *
> + * * It is a cross-driver contract, and therefore all drivers must follow the
> + * same rules for lock nesting order, calling contexts for various functions
> + * and anything else significant for in-kernel interfaces. But it is also
> + * impossible to test all drivers in a single machine, hence brute-force N vs.
> + * N testing of all combinations is impossible. Even just limiting to the
> + * possible combinations is infeasible.
> + *
> + * * There is an enormous amount of driver code involved. For render drivers
> + * there's the tail of command submission, after fences are published,
> + * scheduler code, interrupt and workers to process job completion,
> + * and timeout, gpu reset and gpu hang recovery code. Plus for integration
> + * with core mm with have &mmu_notifier, respectively &mmu_interval_notifier,
> + * and &shrinker. For modesetting drivers there's the commit tail functions
> + * between when fences for an atomic modeset are published, and when the
> + * corresponding vblank completes, including any interrupt processing and
> + * related workers. Auditing all that code, across all drivers, is not
> + * feasible.
> + *
> + * * Due to how many other subsystems are involved and the locking hierarchies
> + * this pulls in there is extremely thin wiggle-room for driver-specific
> + * differences. &dma_fence interacts with almost all of the core memory
> + * handling through page fault handlers via &dma_resv, dma_resv_lock() and
> + * dma_resv_unlock(). On the other side it also interacts through all
> + * allocation sites through &mmu_notifier and &shrinker.
> + *
> + * Furthermore lockdep does not handle cross-release dependencies, which means
> + * any deadlocks between dma_fence_wait() and dma_fence_signal() can't be caught
> + * at runtime with some quick testing. The simplest example is one thread
> + * waiting on a &dma_fence while holding a lock::
> + *
> + * lock(A);
> + * dma_fence_wait(B);
> + * unlock(A);
> + *
> + * while the other thread is stuck trying to acquire the same lock, which
> + * prevents it from signalling the fence the previous thread is stuck waiting
> + * on::
> + *
> + * lock(A);
> + * unlock(A);
> + * dma_fence_signal(B);
> + *
> + * By manually annotating all code relevant to signalling a &dma_fence we can
> + * teach lockdep about these dependencies, which also helps with the validation
> + * headache since now lockdep can check all the rules for us::
> + *
> + * cookie = dma_fence_begin_signalling();
> + * lock(A);
> + * unlock(A);
> + * dma_fence_signal(B);
> + * dma_fence_end_signalling(cookie);
> + *
> + * For using dma_fence_begin_signalling() and dma_fence_end_signalling() to
> + * annotate critical sections the following rules need to be observed:
> + *
> + * * All code necessary to complete a &dma_fence must be annotated, from the
> + * point where a fence is accessible to other threads, to the point where
> + * dma_fence_signal() is called. Un-annotated code can contain deadlock issues,
> + * and due to the very strict rules and many corner cases it is infeasible to
> + * catch these just with review or normal stress testing.
> + *
> + * * &struct dma_resv deserves a special note, since the readers are only
> + * protected by rcu. This means the signalling critical section starts as soon
> + * as the new fences are installed, even before dma_resv_unlock() is called.
> + *
> + * * The only exception are fast paths and opportunistic signalling code, which
> + * calls dma_fence_signal() purely as an optimization, but is not required to
> + * guarantee completion of a &dma_fence. The usual example is a wait IOCTL
> + * which calls dma_fence_signal(), while the mandatory completion path goes
> + * through a hardware interrupt and possible job completion worker.
> + *
> + * * To aid composability of code, the annotations can be freely nested, as long
> + * as the overall locking hierarchy is consistent. The annotations also work
> + * both in interrupt and process context. Due to implementation details this
> + * requires that callers pass an opaque cookie from
> + * dma_fence_begin_signalling() to dma_fence_end_signalling().
> + *
> + * * Validation against the cross driver contract is implemented by priming
> + * lockdep with the relevant hierarchy at boot-up. This means even just
> + * testing with a single device is enough to validate a driver, at least as
> + * far as deadlocks with dma_fence_wait() against dma_fence_signal() are
> + * concerned.
> + */
> +#ifdef CONFIG_LOCKDEP
> +struct lockdep_map dma_fence_lockdep_map = {
> + .name = "dma_fence_map"
> +};
> +
> +/**
> + * dma_fence_begin_signalling - begin a critical DMA fence signalling section
> + *
> + * Drivers should use this to annotate the beginning of any code section
> + * required to eventually complete &dma_fence by calling dma_fence_signal().
> + *
> + * The end of these critical sections are annotated with
> + * dma_fence_end_signalling().
> + *
> + * Returns:
> + *
> + * Opaque cookie needed by the implementation, which needs to be passed to
> + * dma_fence_end_signalling().
> + */
> +bool dma_fence_begin_signalling(void)
> +{
> + /* explicitly nesting ... */
> + if (lock_is_held_type(&dma_fence_lockdep_map, 1))
> + return true;
> +
> + /* rely on might_sleep check for soft/hardirq locks */
> + if (in_atomic())
> + return true;
> +
> + /* ... and non-recursive readlock */
> + lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _RET_IP_);
> +
> + return false;
> +}
> +EXPORT_SYMBOL(dma_fence_begin_signalling);
> +
> +/**
> + * dma_fence_end_signalling - end a critical DMA fence signalling section
> + *
> + * Closes a critical section annotation opened by dma_fence_begin_signalling().
> + */
> +void dma_fence_end_signalling(bool cookie)
> +{
> + if (cookie)
> + return;
> +
> + lock_release(&dma_fence_lockdep_map, _RET_IP_);
> +}
> +EXPORT_SYMBOL(dma_fence_end_signalling);
> +
> +void __dma_fence_might_wait(void)
> +{
> + bool tmp;
> +
> + tmp = lock_is_held_type(&dma_fence_lockdep_map, 1);
> + if (tmp)
> + lock_release(&dma_fence_lockdep_map, _THIS_IP_);
> + lock_map_acquire(&dma_fence_lockdep_map);
> + lock_map_release(&dma_fence_lockdep_map);
> + if (tmp)
> + lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _THIS_IP_);
> +}
> +#endif
> +
> +
> /**
> * dma_fence_signal_locked - signal completion of a fence
> * @fence: the fence to signal
> @@ -170,14 +324,19 @@ int dma_fence_signal(struct dma_fence *fence)
> {
> unsigned long flags;
> int ret;
> + bool tmp;
>
> if (!fence)
> return -EINVAL;
>
> + tmp = dma_fence_begin_signalling();
> +
> spin_lock_irqsave(fence->lock, flags);
> ret = dma_fence_signal_locked(fence);
> spin_unlock_irqrestore(fence->lock, flags);
>
> + dma_fence_end_signalling(tmp);
> +
> return ret;
> }
> EXPORT_SYMBOL(dma_fence_signal);
> @@ -210,6 +369,8 @@ dma_fence_wait_timeout(struct dma_fence *fence, bool intr, signed long timeout)
>
> might_sleep();
>
> + __dma_fence_might_wait();
> +
> trace_dma_fence_wait_start(fence);
> if (fence->ops->wait)
> ret = fence->ops->wait(fence, intr, timeout);
> diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h
> index 3347c54f3a87..3f288f7db2ef 100644
> --- a/include/linux/dma-fence.h
> +++ b/include/linux/dma-fence.h
> @@ -357,6 +357,18 @@ dma_fence_get_rcu_safe(struct dma_fence __rcu **fencep)
> } while (1);
> }
>
> +#ifdef CONFIG_LOCKDEP
> +bool dma_fence_begin_signalling(void);
> +void dma_fence_end_signalling(bool cookie);
> +#else
> +static inline bool dma_fence_begin_signalling(void)
> +{
> + return true;
> +}
> +static inline void dma_fence_end_signalling(bool cookie) {}
> +static inline void __dma_fence_might_wait(void) {}
> +#endif
> +
> int dma_fence_signal(struct dma_fence *fence);
> int dma_fence_signal_locked(struct dma_fence *fence);
> signed long dma_fence_default_wait(struct dma_fence *fence,
_______________________________________________
amd-gfx mailing list
amd-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/amd-gfx
next prev parent reply other threads:[~2020-06-04 8:57 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-04 8:12 [PATCH 00/18] dma-fence lockdep annotations, round 2 Daniel Vetter
2020-06-04 8:12 ` [PATCH 01/18] mm: Track mmu notifiers in fs_reclaim_acquire/release Daniel Vetter
2020-06-10 12:01 ` Thomas Hellström (Intel)
2020-06-10 12:25 ` [Intel-gfx] " Daniel Vetter
2020-06-10 19:41 ` [PATCH] " Daniel Vetter
2020-06-11 14:29 ` Jason Gunthorpe
2020-06-21 17:42 ` Qian Cai
2020-06-21 18:07 ` Daniel Vetter
2020-06-21 20:01 ` Daniel Vetter
2020-06-21 22:09 ` Qian Cai
2020-06-23 16:17 ` Qian Cai
2020-06-23 22:13 ` Daniel Vetter
2020-06-23 22:29 ` Qian Cai
2020-06-23 22:31 ` Dave Chinner
2020-06-23 22:36 ` Daniel Vetter
2020-06-21 17:00 ` [PATCH 01/18] " Qian Cai
2020-06-21 17:28 ` Daniel Vetter
2020-06-21 17:46 ` Qian Cai
2020-06-04 8:12 ` [PATCH 02/18] dma-buf: minor doc touch-ups Daniel Vetter
2020-06-10 13:07 ` Thomas Hellström (Intel)
2020-06-04 8:12 ` [PATCH 03/18] dma-fence: basic lockdep annotations Daniel Vetter
2020-06-04 8:57 ` Thomas Hellström (Intel) [this message]
2020-06-04 9:21 ` Daniel Vetter
2020-06-04 9:26 ` Chris Wilson
2020-06-04 9:36 ` [Intel-gfx] " Daniel Vetter
2020-06-05 13:29 ` [PATCH] " Daniel Vetter
2020-06-05 14:30 ` Thomas Hellström (Intel)
2020-06-11 9:57 ` Maarten Lankhorst
2020-06-10 14:21 ` [Intel-gfx] [PATCH 03/18] " Tvrtko Ursulin
2020-06-10 15:17 ` Daniel Vetter
2020-06-11 10:36 ` Tvrtko Ursulin
2020-06-11 11:29 ` Daniel Vetter
2020-06-11 14:29 ` Tvrtko Ursulin
2020-06-11 15:03 ` Daniel Vetter
2020-06-11 8:00 ` Chris Wilson
2020-06-11 8:44 ` Dave Airlie
2020-06-11 9:01 ` [Intel-gfx] " Daniel Stone
2020-06-19 8:25 ` Chris Wilson
2020-06-19 8:51 ` Daniel Vetter
2020-06-19 9:13 ` Chris Wilson
2020-06-19 9:43 ` Daniel Vetter
2020-06-19 13:12 ` Chris Wilson
2020-06-22 9:16 ` Daniel Vetter
2020-07-09 7:29 ` Daniel Stone
2020-07-09 8:01 ` Daniel Vetter
2020-06-12 7:06 ` [PATCH] " Daniel Vetter
2020-06-04 8:12 ` [PATCH 04/18] dma-fence: prime " Daniel Vetter
2020-06-11 7:30 ` [Linaro-mm-sig] " Thomas Hellström (Intel)
2020-06-11 8:34 ` Daniel Vetter
2020-06-11 14:15 ` Jason Gunthorpe
2020-06-11 23:35 ` Felix Kuehling
2020-06-12 5:11 ` Daniel Vetter
2020-06-19 18:13 ` Jerome Glisse
2020-06-23 7:39 ` Daniel Vetter
2020-06-23 18:44 ` Felix Kuehling
2020-06-23 19:02 ` Daniel Vetter
2020-06-16 12:07 ` Daniel Vetter
2020-06-16 14:53 ` Jason Gunthorpe
2020-06-17 7:57 ` Daniel Vetter
2020-06-17 15:29 ` Jason Gunthorpe
2020-06-18 14:42 ` Daniel Vetter
2020-06-17 6:48 ` Daniel Vetter
2020-06-17 15:28 ` Jason Gunthorpe
2020-06-18 15:00 ` Daniel Vetter
2020-06-18 17:23 ` Jason Gunthorpe
2020-06-19 7:22 ` Daniel Vetter
2020-06-19 11:39 ` Jason Gunthorpe
2020-06-19 15:06 ` Daniel Vetter
2020-06-19 15:15 ` Jason Gunthorpe
2020-06-19 16:19 ` Daniel Vetter
2020-06-19 17:23 ` Jason Gunthorpe
2020-06-19 18:09 ` Jerome Glisse
2020-06-19 18:18 ` Jason Gunthorpe
2020-06-19 19:48 ` Felix Kuehling
2020-06-19 19:55 ` Jason Gunthorpe
2020-06-19 20:03 ` Felix Kuehling
2020-06-19 20:31 ` Jerome Glisse
2020-06-22 11:46 ` Jason Gunthorpe
2020-06-22 20:15 ` Jerome Glisse
2020-06-23 0:02 ` Jason Gunthorpe
2020-06-19 20:10 ` Jerome Glisse
2020-06-19 20:43 ` Daniel Vetter
2020-06-19 20:59 ` Jerome Glisse
2020-06-23 0:05 ` Jason Gunthorpe
2020-06-19 19:11 ` Alex Deucher
2020-06-19 19:30 ` Felix Kuehling
2020-06-19 19:40 ` Jerome Glisse
2020-06-19 19:51 ` Jason Gunthorpe
2020-06-12 7:01 ` [PATCH] " Daniel Vetter
2020-06-04 8:12 ` [PATCH 05/18] drm/vkms: Annotate vblank timer Daniel Vetter
2020-06-04 8:12 ` [PATCH 06/18] drm/vblank: Annotate with dma-fence signalling section Daniel Vetter
2020-06-04 8:12 ` [PATCH 07/18] drm/atomic-helper: Add dma-fence annotations Daniel Vetter
2020-06-04 8:12 ` [PATCH 08/18] drm/amdgpu: add dma-fence annotations to atomic commit path Daniel Vetter
2020-06-23 10:51 ` Daniel Vetter
2020-06-04 8:12 ` [PATCH 09/18] drm/scheduler: use dma-fence annotations in main thread Daniel Vetter
2020-06-04 8:12 ` [PATCH 10/18] drm/amdgpu: use dma-fence annotations in cs_submit() Daniel Vetter
2020-06-04 8:12 ` [PATCH 11/18] drm/amdgpu: s/GFP_KERNEL/GFP_ATOMIC in scheduler code Daniel Vetter
2020-06-04 8:12 ` [PATCH 12/18] drm/amdgpu: DC also loves to allocate stuff where it shouldn't Daniel Vetter
2020-06-04 8:12 ` [PATCH 13/18] drm/amdgpu/dc: Stop dma_resv_lock inversion in commit_tail Daniel Vetter
2020-06-05 8:30 ` Pierre-Eric Pelloux-Prayer
2020-06-05 12:41 ` Daniel Vetter
2020-06-04 8:12 ` [PATCH 14/18] drm/scheduler: use dma-fence annotations in tdr work Daniel Vetter
2020-06-04 8:12 ` [PATCH 15/18] drm/amdgpu: use dma-fence annotations for gpu reset code Daniel Vetter
2020-06-04 8:12 ` [PATCH 16/18] Revert "drm/amdgpu: add fbdev suspend/resume on gpu reset" Daniel Vetter
2020-06-04 8:12 ` [PATCH 17/18] drm/amdgpu: gpu recovery does full modesets Daniel Vetter
2020-06-04 8:12 ` [PATCH 18/18] drm/i915: Annotate dma_fence_work Daniel Vetter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=edbfc1aa-9297-8202-cef8-1facafaa0dfe@shipmail.org \
--to=thomas_os@shipmail.org \
--cc=amd-gfx@lists.freedesktop.org \
--cc=chris@chris-wilson.co.uk \
--cc=christian.koenig@amd.com \
--cc=daniel.vetter@ffwll.ch \
--cc=daniel.vetter@intel.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=mika.kuoppala@intel.com \
--cc=thomas.hellstrom@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).