On Tue, 23 Apr 2024 23:46:23 +0100 Adrián Larumbe <adrian.larumbe@xxxxxxxxxxxxx> wrote: > When Panfrost must pin an object that is being prepared a dma-buf > attachment for on behalf of another driver, the core drm gem object pinning > code already takes a lock on the object's dma reservation. > > However, Panfrost GEM object's pinning callback would eventually try taking > the lock on the same dma reservation when delegating pinning of the object > onto the shmem subsystem, which led to a deadlock. > > This can be shown by enabling CONFIG_DEBUG_WW_MUTEX_SLOWPATH, which throws > the following recursive locking situation: > > weston/3440 is trying to acquire lock: > ffff000000e235a0 (reservation_ww_class_mutex){+.+.}-{3:3}, at: drm_gem_shmem_pin+0x34/0xb8 [drm_shmem_helper] > but task is already holding lock: > ffff000000e235a0 (reservation_ww_class_mutex){+.+.}-{3:3}, at: drm_gem_pin+0x2c/0x80 [drm] > > Fix it by assuming the object's reservation had already been locked by the > time we reach panfrost_gem_pin. > > Do the same thing for the Lima driver, as it most likely suffers from the > same issue. > > Cc: Thomas Zimmermann <tzimmermann@xxxxxxx> > Cc: Dmitry Osipenko <dmitry.osipenko@xxxxxxxxxxxxx> > Cc: Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx> > Cc: Steven Price <steven.price@xxxxxxx> > Fixes: a78027847226 ("drm/gem: Acquire reservation lock in drm_gem_{pin/unpin}()") > Reviewed-by: Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx> > Signed-off-by: Adrián Larumbe <adrian.larumbe@xxxxxxxxxxxxx> > --- > drivers/gpu/drm/lima/lima_gem.c | 9 +++++++-- > drivers/gpu/drm/panfrost/panfrost_gem.c | 8 +++++++- > 2 files changed, 14 insertions(+), 3 deletions(-) > > diff --git a/drivers/gpu/drm/lima/lima_gem.c b/drivers/gpu/drm/lima/lima_gem.c > index 7ea244d876ca..8a5bcf498ef6 100644 > --- a/drivers/gpu/drm/lima/lima_gem.c > +++ b/drivers/gpu/drm/lima/lima_gem.c > @@ -184,8 +184,13 @@ static int lima_gem_pin(struct drm_gem_object *obj) > > if (bo->heap_size) > return -EINVAL; > - > - return drm_gem_shmem_pin(&bo->base); > + /* > + * Pinning can only happen in response to a prime attachment request > + * from another driver, but dma reservation locking is already being > + * handled by drm_gem_pin This comment looks a bit weird now that you call a function that doesn't have the _locked suffix. I'd be tempted to drop it, or clarify the fact drm_gem_shmem_object_pin() expects the resv lock to be held. > + */ > + drm_WARN_ON(obj->dev, obj->import_attach); Should this be moved to drm_gem_shmem_[un]pin_locked() instead of being duplicated in all overloads of ->[un]pin()? > + return drm_gem_shmem_object_pin(obj); > } > > static int lima_gem_vmap(struct drm_gem_object *obj, struct iosys_map *map) > diff --git a/drivers/gpu/drm/panfrost/panfrost_gem.c b/drivers/gpu/drm/panfrost/panfrost_gem.c > index d47b40b82b0b..e3fbcb020617 100644 > --- a/drivers/gpu/drm/panfrost/panfrost_gem.c > +++ b/drivers/gpu/drm/panfrost/panfrost_gem.c > @@ -192,7 +192,13 @@ static int panfrost_gem_pin(struct drm_gem_object *obj) > if (bo->is_heap) > return -EINVAL; > > - return drm_gem_shmem_pin(&bo->base); > + /* > + * Pinning can only happen in response to a prime attachment request > + * from another driver, but dma reservation locking is already being > + * handled by drm_gem_pin > + */ > + drm_WARN_ON(obj->dev, obj->import_attach); > + return drm_gem_shmem_object_pin(obj); > } > > static enum drm_gem_object_status panfrost_gem_status(struct drm_gem_object *obj)