From: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: "Gustavo Padovan" <gustavo@padovan.org>,
intel-gfx@lists.freedesktop.org, stable@vger.kernel.org,
"Christian König" <christian.koenig@amd.com>,
"ML dri-devel" <dri-devel@lists.freedesktop.org>
Subject: Re: [PATCH 1/2] dma-buf/sw_sync: Avoid recursive lock during fence signal
Date: Wed, 15 Jul 2020 13:26:40 +0200 [thread overview]
Message-ID: <CAP+8YyFU1G84=0JAVeeK=cssc+GX5Jc1kYDyTTU8hYzrQzHHBQ@mail.gmail.com> (raw)
In-Reply-To: <20200715100432.13928-2-chris@chris-wilson.co.uk>
Reviewed-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
On Wed, Jul 15, 2020 at 12:04 PM Chris Wilson <chris@chris-wilson.co.uk> wrote:
>
> If a signal callback releases the sw_sync fence, that will trigger a
> deadlock as the timeline_fence_release recurses onto the fence->lock
> (used both for signaling and the the timeline tree).
>
> If we always hold a reference for an unsignaled fence held by the
> timeline, we no longer need to detach the fence from the timeline upon
> release. This is only possible since commit ea4d5a270b57
> ("dma-buf/sw_sync: force signal all unsignaled fences on dying timeline")
> where we introduced decoupling of the fences from the timeline upon release.
>
> Reported-by: Bas Nieuwenhuizen <bas@basnieuwenhuizen.nl>
> Fixes: d3c6dd1fb30d ("dma-buf/sw_sync: Synchronize signal vs syncpt free")
> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Sumit Semwal <sumit.semwal@linaro.org>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Gustavo Padovan <gustavo@padovan.org>
> Cc: Christian König <christian.koenig@amd.com>
> Cc: <stable@vger.kernel.org>
> ---
> drivers/dma-buf/sw_sync.c | 32 +++++++-------------------------
> 1 file changed, 7 insertions(+), 25 deletions(-)
>
> diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c
> index 348b3a9170fa..4cc2ac03a84a 100644
> --- a/drivers/dma-buf/sw_sync.c
> +++ b/drivers/dma-buf/sw_sync.c
> @@ -130,16 +130,7 @@ static const char *timeline_fence_get_timeline_name(struct dma_fence *fence)
>
> static void timeline_fence_release(struct dma_fence *fence)
> {
> - struct sync_pt *pt = dma_fence_to_sync_pt(fence);
> struct sync_timeline *parent = dma_fence_parent(fence);
> - unsigned long flags;
> -
> - spin_lock_irqsave(fence->lock, flags);
> - if (!list_empty(&pt->link)) {
> - list_del(&pt->link);
> - rb_erase(&pt->node, &parent->pt_tree);
> - }
> - spin_unlock_irqrestore(fence->lock, flags);
>
> sync_timeline_put(parent);
> dma_fence_free(fence);
> @@ -203,18 +194,11 @@ static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
> if (!timeline_fence_signaled(&pt->base))
> break;
>
> - list_del_init(&pt->link);
> + list_del(&pt->link);
> rb_erase(&pt->node, &obj->pt_tree);
>
> - /*
> - * A signal callback may release the last reference to this
> - * fence, causing it to be freed. That operation has to be
> - * last to avoid a use after free inside this loop, and must
> - * be after we remove the fence from the timeline in order to
> - * prevent deadlocking on timeline->lock inside
> - * timeline_fence_release().
> - */
> dma_fence_signal_locked(&pt->base);
> + dma_fence_put(&pt->base);
> }
>
> spin_unlock_irq(&obj->lock);
> @@ -261,13 +245,9 @@ static struct sync_pt *sync_pt_create(struct sync_timeline *obj,
> } else if (cmp < 0) {
> p = &parent->rb_left;
> } else {
> - if (dma_fence_get_rcu(&other->base)) {
> - sync_timeline_put(obj);
> - kfree(pt);
> - pt = other;
> - goto unlock;
> - }
> - p = &parent->rb_left;
> + dma_fence_put(&pt->base);
> + pt = other;
> + goto unlock;
> }
> }
> rb_link_node(&pt->node, parent, p);
> @@ -278,6 +258,7 @@ static struct sync_pt *sync_pt_create(struct sync_timeline *obj,
> parent ? &rb_entry(parent, typeof(*pt), node)->link : &obj->pt_list);
> }
> unlock:
> + dma_fence_get(&pt->base); /* keep a ref for the timeline */
> spin_unlock_irq(&obj->lock);
>
> return pt;
> @@ -316,6 +297,7 @@ static int sw_sync_debugfs_release(struct inode *inode, struct file *file)
> list_for_each_entry_safe(pt, next, &obj->pt_list, link) {
> dma_fence_set_error(&pt->base, -ENOENT);
> dma_fence_signal_locked(&pt->base);
> + dma_fence_put(&pt->base);
> }
>
> spin_unlock_irq(&obj->lock);
> --
> 2.20.1
>
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2020-07-15 11:26 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-15 10:04 sw_sync deadlock avoidance, take 3 Chris Wilson
2020-07-15 10:04 ` [PATCH 1/2] dma-buf/sw_sync: Avoid recursive lock during fence signal Chris Wilson
2020-07-15 11:26 ` Bas Nieuwenhuizen [this message]
2020-07-15 10:04 ` [PATCH 2/2] dma-buf/selftests: Add locking selftests for sw_sync Chris Wilson
2020-07-15 10:23 ` sw_sync deadlock avoidance, take 3 Bas Nieuwenhuizen
2020-07-15 10:29 ` Daniel Stone
2020-07-15 10:34 ` Chris Wilson
2020-07-15 11:05 ` Bas Nieuwenhuizen
2020-07-15 11:47 ` [Intel-gfx] " Daniel Stone
2020-07-15 11:57 ` Daniel Vetter
2020-07-17 0:24 ` Daniel Stone
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAP+8YyFU1G84=0JAVeeK=cssc+GX5Jc1kYDyTTU8hYzrQzHHBQ@mail.gmail.com' \
--to=bas@basnieuwenhuizen.nl \
--cc=chris@chris-wilson.co.uk \
--cc=christian.koenig@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gustavo@padovan.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).