[Mesa-dev] [RFC] Linux Graphics Next: Explicit fences everywhere and no BO fences - initial proposal
Daniel Vetter
daniel at ffwll.ch
Thu Apr 29 11:07:57 UTC 2021
On Wed, Apr 28, 2021 at 04:45:01PM +0200, Christian König wrote:
> Am 28.04.21 um 16:34 schrieb Daniel Vetter:
> > On Wed, Apr 28, 2021 at 03:37:49PM +0200, Christian König wrote:
> > > Am 28.04.21 um 15:34 schrieb Daniel Vetter:
> > > > On Wed, Apr 28, 2021 at 03:11:27PM +0200, Christian König wrote:
> > > > > Am 28.04.21 um 14:26 schrieb Daniel Vetter:
> > > > > > On Wed, Apr 28, 2021 at 02:21:54PM +0200, Daniel Vetter wrote:
> > > > > > > On Wed, Apr 28, 2021 at 12:31:09PM +0200, Christian König wrote:
> > > > > > > > Am 28.04.21 um 12:05 schrieb Daniel Vetter:
> > > > > > > > > On Tue, Apr 27, 2021 at 02:01:20PM -0400, Alex Deucher wrote:
> > > > > > > > > > On Tue, Apr 27, 2021 at 1:35 PM Simon Ser <contact at emersion.fr> wrote:
> > > > > > > > > > > On Tuesday, April 27th, 2021 at 7:31 PM, Lucas Stach <l.stach at pengutronix.de> wrote:
> > > > > > > > > > >
> > > > > > > > > > > > > Ok. So that would only make the following use cases broken for now:
> > > > > > > > > > > > >
> > > > > > > > > > > > > - amd render -> external gpu
> > > > > > > > > > > > > - amd video encode -> network device
> > > > > > > > > > > > FWIW, "only" breaking amd render -> external gpu will make us pretty
> > > > > > > > > > > > unhappy
> > > > > > > > > > > I concur. I have quite a few users with a multi-GPU setup involving
> > > > > > > > > > > AMD hardware.
> > > > > > > > > > >
> > > > > > > > > > > Note, if this brokenness can't be avoided, I'd prefer a to get a clear
> > > > > > > > > > > error, and not bad results on screen because nothing is synchronized
> > > > > > > > > > > anymore.
> > > > > > > > > > It's an upcoming requirement for windows[1], so you are likely to
> > > > > > > > > > start seeing this across all GPU vendors that support windows. I
> > > > > > > > > > think the timing depends on how quickly the legacy hardware support
> > > > > > > > > > sticks around for each vendor.
> > > > > > > > > Yeah but hw scheduling doesn't mean the hw has to be constructed to not
> > > > > > > > > support isolating the ringbuffer at all.
> > > > > > > > >
> > > > > > > > > E.g. even if the hw loses the bit to put the ringbuffer outside of the
> > > > > > > > > userspace gpu vm, if you have pagetables I'm seriously hoping you have r/o
> > > > > > > > > pte flags. Otherwise the entire "share address space with cpu side,
> > > > > > > > > seamlessly" thing is out of the window.
> > > > > > > > >
> > > > > > > > > And with that r/o bit on the ringbuffer you can once more force submit
> > > > > > > > > through kernel space, and all the legacy dma_fence based stuff keeps
> > > > > > > > > working. And we don't have to invent some horrendous userspace fence based
> > > > > > > > > implicit sync mechanism in the kernel, but can instead do this transition
> > > > > > > > > properly with drm_syncobj timeline explicit sync and protocol reving.
> > > > > > > > >
> > > > > > > > > At least I think you'd have to work extra hard to create a gpu which
> > > > > > > > > cannot possibly be intercepted by the kernel, even when it's designed to
> > > > > > > > > support userspace direct submit only.
> > > > > > > > >
> > > > > > > > > Or are your hw engineers more creative here and we're screwed?
> > > > > > > > The upcomming hardware generation will have this hardware scheduler as a
> > > > > > > > must have, but there are certain ways we can still stick to the old
> > > > > > > > approach:
> > > > > > > >
> > > > > > > > 1. The new hardware scheduler currently still supports kernel queues which
> > > > > > > > essentially is the same as the old hardware ring buffer.
> > > > > > > >
> > > > > > > > 2. Mapping the top level ring buffer into the VM at least partially solves
> > > > > > > > the problem. This way you can't manipulate the ring buffer content, but the
> > > > > > > > location for the fence must still be writeable.
> > > > > > > Yeah allowing userspace to lie about completion fences in this model is
> > > > > > > ok. Though I haven't thought through full consequences of that, but I
> > > > > > > think it's not any worse than userspace lying about which buffers/address
> > > > > > > it uses in the current model - we rely on hw vm ptes to catch that stuff.
> > > > > > >
> > > > > > > Also it might be good to switch to a non-recoverable ctx model for these.
> > > > > > > That's already what we do in i915 (opt-in, but all current umd use that
> > > > > > > mode). So any hang/watchdog just kills the entire ctx and you don't have
> > > > > > > to worry about userspace doing something funny with it's ringbuffer.
> > > > > > > Simplifies everything.
> > > > > > >
> > > > > > > Also ofc userspace fencing still disallowed, but since userspace would
> > > > > > > queu up all writes to its ringbuffer through the drm/scheduler, we'd
> > > > > > > handle dependencies through that still. Not great, but workable.
> > > > > > >
> > > > > > > Thinking about this, not even mapping the ringbuffer r/o is required, it's
> > > > > > > just that we must queue things throug the kernel to resolve dependencies
> > > > > > > and everything without breaking dma_fence. If userspace lies, tdr will
> > > > > > > shoot it and the kernel stops running that context entirely.
> > > > > Thinking more about that approach I don't think that it will work correctly.
> > > > >
> > > > > See we not only need to write the fence as signal that an IB is submitted,
> > > > > but also adjust a bunch of privileged hardware registers.
> > > > >
> > > > > When userspace could do that from its IBs as well then there is nothing
> > > > > blocking it from reprogramming the page table base address for example.
> > > > >
> > > > > We could do those writes with the CPU as well, but that would be a huge
> > > > > performance drop because of the additional latency.
> > > > That's not what I'm suggesting. I'm suggesting you have the queue and
> > > > everything in userspace, like in wondows. Fences are exactly handled like
> > > > on windows too. The difference is:
> > > >
> > > > - All new additions to the ringbuffer are done through a kernel ioctl
> > > > call, using the drm/scheduler to resolve dependencies.
> > > >
> > > > - Memory management is also done like today int that ioctl.
> > > >
> > > > - TDR makes sure that if userspace abuses the contract (which it can, but
> > > > it can do that already today because there's also no command parser to
> > > > e.g. stop gpu semaphores) the entire context is shot and terminally
> > > > killed. Userspace has to then set up a new one. This isn't how amdgpu
> > > > recovery works right now, but i915 supports it and I think it's also the
> > > > better model for userspace error recovery anyway.
> > > >
> > > > So from hw pov this will look _exactly_ like windows, except we never page
> > > > fault.
> > > >
> > > > From sw pov this will look _exactly_ like current kernel ringbuf model,
> > > > with exactly same dma_fence semantics. If userspace lies, does something
> > > > stupid or otherwise breaks the uapi contract, vm ptes stop invalid access
> > > > and tdr kills it if it takes too long.
> > > >
> > > > Where do you need priviledge IB writes or anything like that?
> > > For writing the fence value and setting up the priority and VM registers.
> > I'm confused. How does this work on windows then with pure userspace
> > submit? Windows userspace sets its priorties and vm registers itself from
> > userspace?
>
> The priorities and VM registers are setup from the hw scheduler on windows,
> but this comes with preemption again.
The thing is, if the hw scheduler preempts your stuff a bit occasionally,
what's the problem? Essentially it just looks like each context is it's
own queue that can make forward progress.
Also, I'm assuming there's some way in the windows model to make sure that
unpriviledged userspace can't change the vm registers and priorities
itself. Those work the same in both worlds.
> And just letting the kernel write to the ring buffer hast the same problems
> as userspace fences. E.g. userspace could just overwrite the command which
> write the fence value with NOPs.
>
> In other words we certainly need some kind of protection for the ring
> buffer, e.g. setting it readonly and making sure that it can always write
> the fence and is never preempted by the HW scheduler. But that protection
> breaks our neck at different places again.
My point is: You don't need protection. With the current cs ioctl
userspace can already do all kinds of nasty stuff and break itself. gpu
pagetables and TDR make sure nothing bad happens.
So imo you don't actually need to protected anything in the ring, as long
as you don't bother supporting recoverable TDR. You just declare the
entire ring shot and ask userspace to set up a new one.
> That solution could maybe work, but it is certainly not something we have
> tested.
Again, you can run the entire hw like on windows. The only thing you add
on top is that new stuff gets added to the userspace ring through the
kernel, so that the kernel can make sure all the resulting dma_fence are
still properly ordered, wont deadlock and will complete in due time (using
TDR). Also, the entire memory management works like now, but from a hw
point of view that's also not different. It just means that page faults
are never fixed, but the response is always that there's really no page
present at that slot.
I'm really not seeing the fundamental problem, nor why exactly you need a
completely different hw model here.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
More information about the mesa-dev
mailing list