[RFC 02/17] dma-fence: basic lockdep annotations

Tue May 12 09:19:56 UTC 2020

Quoting Daniel Vetter (2020-05-12 10:08:47)
> On Tue, May 12, 2020 at 10:04:22AM +0100, Chris Wilson wrote:
> > Quoting Daniel Vetter (2020-05-12 09:59:29)
> > > Design is similar to the lockdep annotations for workers, but with
> > > some twists:
> > > 
> > > - We use a read-lock for the execution/worker/completion side, so that
> > >   this explicit annotation can be more liberally sprinkled around.
> > >   With read locks lockdep isn't going to complain if the read-side
> > >   isn't nested the same way under all circumstances, so ABBA deadlocks
> > >   are ok. Which they are, since this is an annotation only.
> > > 
> > > - We're using non-recursive lockdep read lock mode, since in recursive
> > >   read lock mode lockdep does not catch read side hazards. And we
> > >   _very_ much want read side hazards to be caught. For full details of
> > >   this limitation see
> > > 
> > >   commit e91498589746065e3ae95d9a00b068e525eec34f
> > >   Author: Peter Zijlstra <peterz at infradead.org>
> > >   Date:   Wed Aug 23 13:13:11 2017 +0200
> > > 
> > >       locking/lockdep/selftests: Add mixed read-write ABBA tests
> > > 
> > > - To allow nesting of the read-side explicit annotations we explicitly
> > >   keep track of the nesting. lock_is_held() allows us to do that.
> > > 
> > > - The wait-side annotation is a write lock, and entirely done within
> > >   dma_fence_wait() for everyone by default.
> > > 
> > > - To be able to freely annotate helper functions I want to make it ok
> > >   to call dma_fence_begin/end_signalling from soft/hardirq context.
> > >   First attempt was using the hardirq locking context for the write
> > >   side in lockdep, but this forces all normal spinlocks nested within
> > >   dma_fence_begin/end_signalling to be spinlocks. That bollocks.
> > > 
> > >   The approach now is to simple check in_atomic(), and for these cases
> > >   entirely rely on the might_sleep() check in dma_fence_wait(). That
> > >   will catch any wrong nesting against spinlocks from soft/hardirq
> > >   contexts.
> > > 
> > > The idea here is that every code path that's critical for eventually
> > > signalling a dma_fence should be annotated with
> > > dma_fence_begin/end_signalling. The annotation ideally starts right
> > > after a dma_fence is published (added to a dma_resv, exposed as a
> > > sync_file fd, attached to a drm_syncobj fd, or anything else that
> > > makes the dma_fence visible to other kernel threads), up to and
> > > including the dma_fence_wait(). Examples are irq handlers, the
> > > scheduler rt threads, the tail of execbuf (after the corresponding
> > > fences are visible), any workers that end up signalling dma_fences and
> > > really anything else. Not annotated should be code paths that only
> > > complete fences opportunistically as the gpu progresses, like e.g.
> > > shrinker/eviction code.
> > > 
> > > The main class of deadlocks this is supposed to catch are:
> > > 
> > > Thread A:
> > > 
> > >         mutex_lock(A);
> > >         mutex_unlock(A);
> > > 
> > >         dma_fence_signal();
> > > 
> > > Thread B:
> > > 
> > >         mutex_lock(A);
> > >         dma_fence_wait();
> > >         mutex_unlock(A);
> > > 
> > > Thread B is blocked on A signalling the fence, but A never gets around
> > > to that because it cannot acquire the lock A.
> > > 
> > > Note that dma_fence_wait() is allowed to be nested within
> > > dma_fence_begin/end_signalling sections. To allow this to happen the
> > > read lock needs to be upgraded to a write lock, which means that any
> > > other lock is acquired between the dma_fence_begin_signalling() call and
> > > the call to dma_fence_wait(), and still held, this will result in an
> > > immediate lockdep complaint. The only other option would be to not
> > > annotate such calls, defeating the point. Therefore these annotations
> > > cannot be sprinkled over the code entirely mindless to avoid false
> > > positives.
> > > 
> > > v2: handle soft/hardirq ctx better against write side and dont forget
> > > EXPORT_SYMBOL, drivers can't use this otherwise.
> > > 
> > > Cc: linux-media at vger.kernel.org
> > > Cc: linaro-mm-sig at lists.linaro.org
> > > Cc: linux-rdma at vger.kernel.org
> > > Cc: amd-gfx at lists.freedesktop.org
> > > Cc: intel-gfx at lists.freedesktop.org
> > > Cc: Chris Wilson <chris at chris-wilson.co.uk>
> > > Cc: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> > > Cc: Christian König <christian.koenig at amd.com>
> > > Signed-off-by: Daniel Vetter <daniel.vetter at intel.com>
> > > ---
> > >  drivers/dma-buf/dma-fence.c | 53 +++++++++++++++++++++++++++++++++++++
> > >  include/linux/dma-fence.h   | 12 +++++++++
> > >  2 files changed, 65 insertions(+)
> > > 
> > > diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
> > > index 6802125349fb..d5c0fd2efc70 100644
> > > --- a/drivers/dma-buf/dma-fence.c
> > > +++ b/drivers/dma-buf/dma-fence.c
> > > @@ -110,6 +110,52 @@ u64 dma_fence_context_alloc(unsigned num)
> > >  }
> > >  EXPORT_SYMBOL(dma_fence_context_alloc);
> > >  
> > > +#ifdef CONFIG_LOCKDEP
> > > +struct lockdep_map     dma_fence_lockdep_map = {
> > > +       .name = "dma_fence_map"
> > > +};
> > 
> > Not another false global sharing lockmap.
> 
> It's a global contract, it needs a global lockdep map. And yes a big
> reason for the motivation here is that i915-gem has a tremendous urge to
> just redefine all these global locks to fit to some local interpretation
> of what's going on.

No, you can build the global contract out of the actual contracts
between fence drivers. If you introduce a struct lockdep_map *map into
the fence_ops (so the fence_ops can remain const), you gain correctness
at the cost of having to run through all possible interactions once.
You can also then do if ops->lockmap ?: &global_fence_lockmap for
piecemeal conversion of drivers that do not already use lockmaps for
contract enforcement of their fence waits.
-Chris