Re: [PATCH] drm/doc: device hot-unplug for userspace

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, May 28, 2020 at 03:27:57PM +0300, Pekka Paalanen wrote:
> On Mon, 25 May 2020 17:09:55 +0200
> Daniel Vetter <daniel@xxxxxxxx> wrote:
> 
> > On Mon, May 25, 2020 at 05:55:19PM +0300, Pekka Paalanen wrote:
> > > On Mon, 25 May 2020 16:28:04 +0200
> > > Daniel Vetter <daniel@xxxxxxxx> wrote:
> > >   
> > > > On Wed, May 20, 2020 at 10:50:41AM -0400, Andrey Grodzovsky wrote:  
> > > > > 
> > > > > On 5/20/20 8:46 AM, Daniel Vetter wrote:    
> > > > > > On Wed, May 20, 2020 at 02:19:08PM +0300, Pekka Paalanen wrote:    
> > > > > > > On Tue, 19 May 2020 10:37:12 -0400
> > > > > > > Andrey Grodzovsky <Andrey.Grodzovsky@xxxxxxx> wrote:
> > > > > > >     
> > > > > > > > Thanks for the summary, does put things in order and makes it easier to
> > > > > > > > comprehend all the TODOs, some questions bellow
> > > > > > > > 
> > > > > > > > On 5/19/20 6:06 AM, Pekka Paalanen wrote:    
> > > > > > > > > From: Pekka Paalanen <pekka.paalanen@xxxxxxxxxxxxx>
> > > > > > > > > 
> > > > > > > > > Set up the expectations on how hot-unplugging a DRM device should look like to
> > > > > > > > > userspace.
> 
> ...
> 
> > > > > So currently drm_ioctl will just check for drm_dev_is_unplugged and return
> > > > > -ENODEV at the very beginning of the function (https://elixir.bootlin.com/linux/latest/source/drivers/gpu/drm/drm_ioctl.c#L825)
> > > > > meaning that currently we blanket failure any IOCTL in case the device is
> > > > > unplagued (ignoring the race condition if the device unplugged after the
> > > > > check). So do we want to remove this check and put it only for render ioctls
> > > > > (which are those ? e.g. for amdgpu there is  AMDGPU_CS ioctl) but not for
> > > > > mode setting/dma_buf_import/dma_buf_export ioctls ? What about other types
> > > > > of ioctls which are non of the listed above ?    
> > > > 
> > > > Hm right, and this goes back all the way to first usb udl support:
> > > > 
> > > > commit 2c07a21d6fb0be47fda696a618b726ea258ed1dd
> > > > Author: Dave Airlie <airlied@xxxxxxxxxx>
> > > > Date:   Mon Feb 20 14:18:07 2012 +0000
> > > > 
> > > >     drm: add core support for unplugging a device (v2)
> > > > 
> > > > So I guess we need to change the uapi docs to explain that. Not sure
> > > > everyone can cope, but I guess they better do. Since the use-case back
> > > > then was just udl, so simple legacy kms only, the damage was probably
> > > > rather limited. I'm not sure we can get away with that now, where kms code
> > > > has spread to funny places likey vulkan winsys code.
> > > > 
> > > > Or maybe we want a file priv flag you can set along the lines of "give me
> > > > less shitty hotunplug semantics for ioctls". Or maybe we can just change
> > > > the semantics, not crashing&burning shouldn't cause a regression :-)
> > > > 
> > > > For everything else (mmap, dma-buf fd, sync_file fd, syncobj fd) I think
> > > > the discussion is still more or less accurate.
> > > > 
> > > > Pekka, any thoughts?  
> > > 
> > > Hi,
> > > 
> > > is ENODEV unique to this particular failure?  
> > 
> > Not really sure, we'd need to audit all of drm ...
> 
> $ git ngrep ENODEV -- drivers/gpu/drm | wc -l
> 762
> 
> Yeah, grep is not enough.
> 
> > > Returning errors instead of faking success was my first idea, but you
> > > already convinced me that faking is at least as good if not better. :-)
> > > 
> > > So as long as the error code returned is unique to hot-unplug or other
> > > "oops, the device is gone" conditions, I think I'm fine. Weston does
> > > not handle ENODEV any way, it never did, and it certainly cannot be
> > > called a kernel regression.
> > > 
> > > As a Weston developer, I don't mind adding checks for ENODEV. But if I
> > > don't have to, even better. Weston is going to need more code to handle
> > > DRM device unplug in any case.
> > > 
> > > Sorry, no preference from me. ;-)
> > > 
> > > I do agree that replacing ENODEV with fake success is hard to imagine
> > > regressing anything. It's something you can do in the kernel at any
> > > time easily, but going from fake success to error is going to be
> > > painful. Maybe don't change things until there is a good reason to?
> > > 
> > > We need a kernel that doesn't crash before we can properly test what
> > > would be best for userspace, fake or error.  
> > 
> > One upshot of faking stuff and only bailing in low-level hw code is that
> > it makes validating the races when you hotunplug easier - if we remove the
> > early bail-out check even an ioctl later on will look like it raced with
> > the hotunplug path in the kernel. So better assurance that things won't
> > blow up badly.
> > 
> > Otoh the early bail out in the top-level ioctl code increases the odds
> > that you'll survive even on a driver that's totally buggy.
> > 
> > So yeah I guess maybe we should just document that currently you get an
> > -ENODEV and maybe have the option mentioned that we might change this
> > going forward. See also
> > 
> > https://dri.freedesktop.org/docs/drm/gpu/drm-uapi.html#recommended-ioctl-return-values
> > 
> > I think that needs an update, at least clarify that "not present" includes
> > "no longer present".
> 
> So if dmabuf import related ioctl returns ENODEV, it means a Wayland
> compositor should not punish the client for giving a bad buffer.

Atm this is only for the drm fd. I think right now dma-buf keep "working",
where "working" = "probably results in some oopses". So maybe for dma-buf
we need to put down the rule that they're not allowed to go boom, and then
figure out how to do that, see below.

> If a compositor uses EGL to import a dmabuf, then the EGL
> implementation will be calling dmabuf import related ioctls, does it
> not? But I'm fairly sure that EGL has no way to signal this particular
> condition to the caller uniquely. That means that either a compositor
> accepts buffers it never should have, or that it punishes clients for
> the DRM device disappearing.
> 
> See the below quote for a reminder:
> 
> > > > > > > > > +- dmabuf which point to memory that has disappeared are rewritten to
> > > > > > > > > +  point to harmless zero pages, similar to mmaps. Imports still succeed
> > > > > > > > > +  both ways: an existing device importing a dmabuf pointing to
> > > > > > > > > +  disappeared memory, and a disappeared device importing any dmabuf.    
> > > > > > > > 
> > > > > > > > Same as above, I would expect drmPrimeHandleToFD and drmPrimeFDToHandle
> > > > > > > > to return -EIO in case device is detached    
> > > > > > > I imagined a use case behind this: a Wayland compositor attempting to
> > > > > > > import a client's dmabuf. The GPU the client was using is
> > > > > > > hot-unplugged, meaning the dmabufs lose their storage. It is up to the
> > > > > > > client to handle its rendering GPU disappearance on its own, but also
> > > > > > > the compositor should not disconnect it because the GPU disappeared.
> > > > > > > It's not the client's fault the GPU disappeared.
> > > > > > > 
> > > > > > > In Wayland, failure to use a wl_buffer is considered a protocol error,
> > > > > > > and protocol errors are always fatal: the client is disconnected. The
> > > > > > > rationale is that the compositor must always be able to present the
> > > > > > > client buffer somehow. If the compositor cannot, then the client did
> > > > > > > not obey the protocol.
> > > > > > > 
> > > > > > > The fallback presentation path in a compositor is usually importing the
> > > > > > > dmabuf to EGL, to be sampled from OpenGL. Normally the protocol
> > > > > > > guarantees that this works, so any failure to do so is a protocol
> > > > > > > violation. But if the GPU used by the client suddenly disappears and
> > > > > > > the imports start to fail, that is interpreted as a protocol violation
> > > > > > > unless the compositor can see why the import failed. Since the import
> > > > > > > is done via EGL, getting the right error code plumbed through from
> > > > > > > libdrm functions to the EGL caller would be a hassle. I don't see any
> > > > > > > error code in EGL_EXT_image_dma_buf_import reserved for "the dmabuf
> > > > > > > storage was hot-unplugged", and I doubt there is anything exclusively
> > > > > > > for only that in the EGL base spec either.
> > > > > > > 
> > > > > > > The cost of lying that the import worked is that the compositor will
> > > > > > > paint black or transparent where the window was supposed to be. It's a
> > > > > > > graphical glitch that is contrary to the Wayland design principles, but
> > > > > > > in this case a glitch is unavoidable: even if the compositor knew this
> > > > > > > buffer is now bad, what would it paint instead? It has nothing else to
> > > > > > > paint from. I'm assuming the compositor is using a different GPU than
> > > > > > > what disappeared.
> > > > > > > 
> > > > > > > Ideally, the client will eventually react to losing the GPU and either
> > > > > > > crash, quit, or switch its rendering to something that works which
> > > > > > > simply gives the compositor a new, working buffer without losing any
> > > > > > > window state in the process. If we risk the compositor disconnecting
> > > > > > > the client, then the client might not recover even if it wanted to.
> 
> This goes for both ways: importing a good dmabuf to a bad device, and a
> bad dmabuf to a good device. In neither case there should be a risk of
> erroneously disconnecting the Wayland client.
> 
> Hmm. Maybe Wayland compositors should ignore all EGL import failures
> that happen after the wl_buffer has been created (which implies that
> the dmabuf has been validated to work initially). When import fails at
> a later time, the compositor should just paint some error pattern
> instead of the window. That would let the kernel keep on returning
> errors.
> 
> Yeah, ok. I'll keep the ENODEV there in my next version. Let's see how
> that looks then.

tbh I have no idea what to do with dma-buf shared across drivers.

For dma-fence it's fairly simple: Force-complete them all, with an error
code of ENODEV. But for dma-buf I have no idea. As long as the dma-buf
sits in system memory it should keep working, plus/minus bugs in the
exporter where it tries to look at device state that might no longer be
there.

The real fun starts when the buffer is in vram, or when the mmap somehow
goes through the device (but that's more a case for integrated gpu, and
it's a bit hard to hotunplug those and consider that a real use-case).
-Daniel

> 
> 
> Thanks,
> pq



-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/dri-devel




[Index of Archives]     [Linux DRI Users]     [Linux Intel Graphics]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [XFree86]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [XFree86]
  Powered by Linux