Quoting Daniel Vetter (2020-05-12 10:08:47)
> On Tue, May 12, 2020 at 10:04:22AM +0100, Chris Wilson wrote:
> > Quoting Daniel Vetter (2020-05-12 09:59:29)
> > > Design is similar to the lockdep annotations for workers, but with
> > > some twists:
> > >
> > > - We use a read-lock for the execution/worker/completion side, so that
> > > this explicit annotation can be more liberally sprinkled around.
> > > With read locks lockdep isn't going to complain if the read-side
> > > isn't nested the same way under all circumstances, so ABBA deadlocks
> > > are ok. Which they are, since this is an annotation only.
> > >
> > > - We're using non-recursive lockdep read lock mode, since in recursive
> > > read lock mode lockdep does not catch read side hazards. And we
> > > _very_ much want read side hazards to be caught. For full details of
> > > this limitation see
> > >
> > > commit e91498589746065e3ae95d9a00b068e525eec34f
> > > Author: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> > > Date: Wed Aug 23 13:13:11 2017 +0200
> > >
> > > locking/lockdep/selftests: Add mixed read-write ABBA tests
> > >
> > > - To allow nesting of the read-side explicit annotations we explicitly
> > > keep track of the nesting. lock_is_held() allows us to do that.
> > >
> > > - The wait-side annotation is a write lock, and entirely done within
> > > dma_fence_wait() for everyone by default.
> > >
> > > - To be able to freely annotate helper functions I want to make it ok
> > > to call dma_fence_begin/end_signalling from soft/hardirq context.
> > > First attempt was using the hardirq locking context for the write
> > > side in lockdep, but this forces all normal spinlocks nested within
> > > dma_fence_begin/end_signalling to be spinlocks. That bollocks.
> > >
> > > The approach now is to simple check in_atomic(), and for these cases
> > > entirely rely on the might_sleep() check in dma_fence_wait(). That
> > > will catch any wrong nesting against spinlocks from soft/hardirq
> > > contexts.
> > >
> > > The idea here is that every code path that's critical for eventually
> > > signalling a dma_fence should be annotated with
> > > dma_fence_begin/end_signalling. The annotation ideally starts right
> > > after a dma_fence is published (added to a dma_resv, exposed as a
> > > sync_file fd, attached to a drm_syncobj fd, or anything else that
> > > makes the dma_fence visible to other kernel threads), up to and
> > > including the dma_fence_wait(). Examples are irq handlers, the
> > > scheduler rt threads, the tail of execbuf (after the corresponding
> > > fences are visible), any workers that end up signalling dma_fences and
> > > really anything else. Not annotated should be code paths that only
> > > complete fences opportunistically as the gpu progresses, like e.g.
> > > shrinker/eviction code.
> > >
> > > The main class of deadlocks this is supposed to catch are:
> > >
> > > Thread A:
> > >
> > > mutex_lock(A);
> > > mutex_unlock(A);
> > >
> > > dma_fence_signal();
> > >
> > > Thread B:
> > >
> > > mutex_lock(A);
> > > dma_fence_wait();
> > > mutex_unlock(A);
> > >
> > > Thread B is blocked on A signalling the fence, but A never gets around
> > > to that because it cannot acquire the lock A.
> > >
> > > Note that dma_fence_wait() is allowed to be nested within
> > > dma_fence_begin/end_signalling sections. To allow this to happen the
> > > read lock needs to be upgraded to a write lock, which means that any
> > > other lock is acquired between the dma_fence_begin_signalling() call and
> > > the call to dma_fence_wait(), and still held, this will result in an
> > > immediate lockdep complaint. The only other option would be to not
> > > annotate such calls, defeating the point. Therefore these annotations
> > > cannot be sprinkled over the code entirely mindless to avoid false
> > > positives.
> > >
> > > v2: handle soft/hardirq ctx better against write side and dont forget
> > > EXPORT_SYMBOL, drivers can't use this otherwise.
> > >
> > > Cc: linux-media@xxxxxxxxxxxxxxx
> > > Cc: linaro-mm-sig@xxxxxxxxxxxxxxxx
> > > Cc: linux-rdma@xxxxxxxxxxxxxxx
> > > Cc: amd-gfx@xxxxxxxxxxxxxxxxxxxxx
> > > Cc: intel-gfx@xxxxxxxxxxxxxxxxxxxxx
> > > Cc: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx>
> > > Cc: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
> > > Cc: Christian König <christian.koenig@xxxxxxx>
> > > Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxxx>
> > > ---
> > > drivers/dma-buf/dma-fence.c | 53 +++++++++++++++++++++++++++++++++++++
> > > include/linux/dma-fence.h | 12 +++++++++
> > > 2 files changed, 65 insertions(+)
> > >
> > > diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
> > > index 6802125349fb..d5c0fd2efc70 100644
> > > --- a/drivers/dma-buf/dma-fence.c
> > > +++ b/drivers/dma-buf/dma-fence.c
> > > @@ -110,6 +110,52 @@ u64 dma_fence_context_alloc(unsigned num)
> > > }
> > > EXPORT_SYMBOL(dma_fence_context_alloc);
> > >
> > > +#ifdef CONFIG_LOCKDEP
> > > +struct lockdep_map dma_fence_lockdep_map = {
> > > + .name = "dma_fence_map"
> > > +};
> >
> > Not another false global sharing lockmap.
>
> It's a global contract, it needs a global lockdep map. And yes a big
> reason for the motivation here is that i915-gem has a tremendous urge to
> just redefine all these global locks to fit to some local interpretation
> of what's going on.
No, you can build the global contract out of the actual contracts
between fence drivers. If you introduce a struct lockdep_map *map into
the fence_ops (so the fence_ops can remain const), you gain correctness
at the cost of having to run through all possible interactions once.
You can also then do if ops->lockmap ?: &global_fence_lockmap for
piecemeal conversion of drivers that do not already use lockmaps for
contract enforcement of their fence waits.
-Chris
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel
