On Wed, Jun 10, 2020 at 2:01 PM Thomas Hellström (Intel) thomas_os@shipmail.org wrote:

Hi, Daniel,

Please see below.

On 6/4/20 10:12 AM, Daniel Vetter wrote:

...

fs_reclaim_acquire/release nicely catch recursion issues when allocating GFP_KERNEL memory against shrinkers (which gpu drivers tend to use to keep the excessive caches in check). For mmu notifier recursions we do have lockdep annotations since 23b68395c7c7 ("mm/mmu_notifiers: add a lockdep map for invalidate_range_start/end").

But these only fire if a path actually results in some pte invalidation - for most small allocations that's very rarely the case. The other trouble is that pte invalidation can happen any time when __GFP_RECLAIM is set. Which means only really GFP_ATOMIC is a safe choice, GFP_NOIO isn't good enough to avoid potential mmu notifier recursion.

I was pondering whether we should just do the general annotation, but there's always the risk for false positives. Plus I'm assuming that the core fs and io code is a lot better reviewed and tested than random mmu notifier code in drivers. Hence why I decide to only annotate for that specific case.

Furthermore even if we'd create a lockdep map for direct reclaim, we'd still need to explicit pull in the mmu notifier map - there's a lot more places that do pte invalidation than just direct reclaim, these two contexts arent the same.

Note that the mmu notifiers needing their own independent lockdep map is also the reason we can't hold them from fs_reclaim_acquire to fs_reclaim_release - it would nest with the acquistion in the pte invalidation code, causing a lockdep splat. And we can't remove the annotations from pte invalidation and all the other places since they're called from many other places than page reclaim. Hence we can only do the equivalent of might_lock, but on the raw lockdep map.

With this we can also remove the lockdep priming added in 66204f1d2d1b ("mm/mmu_notifiers: prime lockdep") since the new annotations are strictly more powerful.

Cc: Andrew Morton akpm@linux-foundation.org Cc: Jason Gunthorpe jgg@mellanox.com Cc: linux-mm@kvack.org Cc: linux-rdma@vger.kernel.org Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

---

This is part of a gpu lockdep annotation series simply because it really helps to catch issues where gpu subsystem locks and primitives can deadlock with themselves through allocations and mmu notifiers. But aside from that motivation it should be completely free-standing, and can land through -mm/-rdma/-hmm or any other tree really whenever.

-Daniel

mm/mmu_notifier.c | 7 ------- mm/page_alloc.c | 23 ++++++++++++++--------- 2 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c index 06852b896fa6..5d578b9122f8 100644 --- a/mm/mmu_notifier.c +++ b/mm/mmu_notifier.c @@ -612,13 +612,6 @@ int __mmu_notifier_register(struct mmu_notifier *subscription, lockdep_assert_held_write(&mm->mmap_sem); BUG_ON(atomic_read(&mm->mm_users) <= 0);

• if (IS_ENABLED(CONFIG_LOCKDEP)) {
  

•         fs_reclaim_acquire(GFP_KERNEL);
  

•         lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

•         lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

•         fs_reclaim_release(GFP_KERNEL);
  

• }
  

• if (!mm->notifier_subscriptions) {
          /*
           * kmalloc cannot be called under mm_take_all_locks(), but we
  

diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 13cc653122b7..f8a222db4a53 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -57,6 +57,7 @@ #include <trace/events/oom.h> #include <linux/prefetch.h> #include <linux/mm_inline.h> +#include <linux/mmu_notifier.h> #include <linux/migrate.h> #include <linux/hugetlb.h> #include <linux/sched/rt.h> @@ -4124,7 +4125,7 @@ should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_fla static struct lockdep_map __fs_reclaim_map = STATIC_LOCKDEP_MAP_INIT("fs_reclaim", &__fs_reclaim_map);

-static bool __need_fs_reclaim(gfp_t gfp_mask) +static bool __need_reclaim(gfp_t gfp_mask) { gfp_mask = current_gfp_context(gfp_mask);

@@ -4136,10 +4137,6 @@ static bool __need_fs_reclaim(gfp_t gfp_mask) if (current->flags & PF_MEMALLOC) return false;

• /* We're only interested __GFP_FS allocations for now */
  

• if (!(gfp_mask & __GFP_FS))
  

•         return false;
  

• if (gfp_mask & __GFP_NOLOCKDEP)
          return false;
  
  

@@ -4158,15 +4155,23 @@ void __fs_reclaim_release(void)

void fs_reclaim_acquire(gfp_t gfp_mask) {

• if (__need_fs_reclaim(gfp_mask))
  

•         __fs_reclaim_acquire();
  

• if (__need_reclaim(gfp_mask)) {
  

•         if (!(gfp_mask & __GFP_FS))
  

Hmm. Shouldn't this be "if (gfp_mask & __GFP_FS)" or am I misunderstanding?

Uh yes :-( I guess what saved me is that I immediately went for the lockdep splat in drivers/gpu. And I guess there's not any obvious inversions for GFP_NOFS/GFP_NOIO, and since I made the mistake consintely the GFP_FS annotation was still consistent, but simply for GFP_NOFS. Oops.

Will fix in the next version.

...

•                 __fs_reclaim_acquire();
  

#ifdef CONFIG_MMU_NOTIFIER?

Hm indeed. Will fix too.

Thanks for your review.

...

•         lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

•         lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

• }
  

  } EXPORT_SYMBOL_GPL(fs_reclaim_acquire);

  void fs_reclaim_release(gfp_t gfp_mask) {

• if (__need_fs_reclaim(gfp_mask))
  

•         __fs_reclaim_release();
  

• if (__need_reclaim(gfp_mask)) {
  

•         if (!(gfp_mask & __GFP_FS))
  

Same here?

...

•                 __fs_reclaim_release();
  

• }
  

  } EXPORT_SYMBOL_GPL(fs_reclaim_release); #endif

One suggested test case would perhaps be to call madvise(madv_dontneed) on a subpart of a transhuge page. That would IIRC trigger a page split and interesting mmu notifier calls....

The neat thing about the mmu notifier lockdep key is that we take it whether there's notifiers or not - it's called outside of any of these paths. So as long as you have ever hit a hugepage split somewhen since boot, and you've hit your driver's mmu_notifier paths, lockdep will connect the dots. Explicit testcases for all combinations not needed anymore. This patch here just makes sure that the same holds for memory allocations and direct reclaim (which is a lot harder to trigger intentionally in testcases).

That was at least the idea, seems to have caught a few things already. -Daniel

Thanks, Thomas

---

Intel-gfx mailing list Intel-gfx@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/intel-gfx

On Sun, Jun 21, 2020 at 7:42 PM Qian Cai cai@lca.pw wrote:

On Wed, Jun 10, 2020 at 09:41:01PM +0200, Daniel Vetter wrote:

...

fs_reclaim_acquire/release nicely catch recursion issues when allocating GFP_KERNEL memory against shrinkers (which gpu drivers tend to use to keep the excessive caches in check). For mmu notifier recursions we do have lockdep annotations since 23b68395c7c7 ("mm/mmu_notifiers: add a lockdep map for invalidate_range_start/end").

But these only fire if a path actually results in some pte invalidation - for most small allocations that's very rarely the case. The other trouble is that pte invalidation can happen any time when __GFP_RECLAIM is set. Which means only really GFP_ATOMIC is a safe choice, GFP_NOIO isn't good enough to avoid potential mmu notifier recursion.

I was pondering whether we should just do the general annotation, but there's always the risk for false positives. Plus I'm assuming that the core fs and io code is a lot better reviewed and tested than random mmu notifier code in drivers. Hence why I decide to only annotate for that specific case.

Furthermore even if we'd create a lockdep map for direct reclaim, we'd still need to explicit pull in the mmu notifier map - there's a lot more places that do pte invalidation than just direct reclaim, these two contexts arent the same.

Note that the mmu notifiers needing their own independent lockdep map is also the reason we can't hold them from fs_reclaim_acquire to fs_reclaim_release - it would nest with the acquistion in the pte invalidation code, causing a lockdep splat. And we can't remove the annotations from pte invalidation and all the other places since they're called from many other places than page reclaim. Hence we can only do the equivalent of might_lock, but on the raw lockdep map.

With this we can also remove the lockdep priming added in 66204f1d2d1b ("mm/mmu_notifiers: prime lockdep") since the new annotations are strictly more powerful.

v2: Review from Thomas Hellstrom:

• unbotch the fs_reclaim context check, I accidentally inverted it, but it didn't blow up because I inverted it immediately
• fix compiling for !CONFIG_MMU_NOTIFIER

Cc: Thomas Hellström (Intel) thomas_os@shipmail.org Cc: Andrew Morton akpm@linux-foundation.org Cc: Jason Gunthorpe jgg@mellanox.com Cc: linux-mm@kvack.org Cc: linux-rdma@vger.kernel.org Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

Replying the right patch here...

Reverting this commit [1] fixed the lockdep warning below while applying some memory pressure.

[1] linux-next cbf7c9d86d75 ("mm: track mmu notifiers in fs_reclaim_acquire/release")

Hm, then I'm confused because - there's not mmut notifier lockdep map in the splat at a.. - the patch is supposed to not change anything for fs_reclaim (but the interim version got that wrong) - looking at the paths it's kmalloc vs kswapd, both places I totally expect fs_reflaim to be used.

But you're claiming reverting this prevents the lockdep splat. If that's right, then my reasoning above is broken somewhere. Someone less blind than me having an idea?

Aside this is the first email I've typed, until I realized the first report was against the broken patch and that looked like a much more reasonable explanation (but didn't quite match up with the code paths).

Thanks, Daniel

[ 190.455003][ T369] WARNING: possible circular locking dependency detected [ 190.487291][ T369] 5.8.0-rc1-next-20200621 #1 Not tainted [ 190.512363][ T369] ------------------------------------------------------ [ 190.543354][ T369] kswapd3/369 is trying to acquire lock: [ 190.568523][ T369] ffff889fcf694528 (&xfs_nondir_ilock_class){++++}-{3:3}, at: xfs_reclaim_inode+0xdf/0x860 spin_lock at include/linux/spinlock.h:353 (inlined by) xfs_iflags_test_and_set at fs/xfs/xfs_inode.h:166 (inlined by) xfs_iflock_nowait at fs/xfs/xfs_inode.h:249 (inlined by) xfs_reclaim_inode at fs/xfs/xfs_icache.c:1127 [ 190.614359][ T369] [ 190.614359][ T369] but task is already holding lock: [ 190.647763][ T369] ffffffffb50ced00 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x0/0x30 __fs_reclaim_acquire at mm/page_alloc.c:4200 [ 190.687845][ T369] [ 190.687845][ T369] which lock already depends on the new lock. [ 190.687845][ T369] [ 190.734890][ T369] [ 190.734890][ T369] the existing dependency chain (in reverse order) is: [ 190.775991][ T369] [ 190.775991][ T369] -> #1 (fs_reclaim){+.+.}-{0:0}: [ 190.808150][ T369] fs_reclaim_acquire+0x77/0x80 [ 190.832152][ T369] slab_pre_alloc_hook.constprop.52+0x20/0x120 slab_pre_alloc_hook at mm/slab.h:507 [ 190.862173][ T369] kmem_cache_alloc+0x43/0x2a0 [ 190.885602][ T369] kmem_zone_alloc+0x113/0x3ef kmem_zone_alloc at fs/xfs/kmem.c:129 [ 190.908702][ T369] xfs_inode_item_init+0x1d/0xa0 xfs_inode_item_init at fs/xfs/xfs_inode_item.c:639 [ 190.934461][ T369] xfs_trans_ijoin+0x96/0x100 xfs_trans_ijoin at fs/xfs/libxfs/xfs_trans_inode.c:34 [ 190.961530][ T369] xfs_setattr_nonsize+0x1a6/0xcd0 xfs_setattr_nonsize at fs/xfs/xfs_iops.c:716 [ 190.987331][ T369] xfs_vn_setattr+0x133/0x160 xfs_vn_setattr at fs/xfs/xfs_iops.c:1081 [ 191.010476][ T369] notify_change+0x6c5/0xba1 notify_change at fs/attr.c:336 [ 191.033317][ T369] chmod_common+0x19b/0x390 [ 191.055770][ T369] ksys_fchmod+0x28/0x60 [ 191.077957][ T369] __x64_sys_fchmod+0x4e/0x70 [ 191.102767][ T369] do_syscall_64+0x5f/0x310 [ 191.125090][ T369] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 191.153749][ T369] [ 191.153749][ T369] -> #0 (&xfs_nondir_ilock_class){++++}-{3:3}: [ 191.191267][ T369] __lock_acquire+0x2efc/0x4da0 [ 191.215974][ T369] lock_acquire+0x1ac/0xaf0 [ 191.238953][ T369] down_write_nested+0x92/0x150 [ 191.262955][ T369] xfs_reclaim_inode+0xdf/0x860 [ 191.287149][ T369] xfs_reclaim_inodes_ag+0x505/0xb00 [ 191.313291][ T369] xfs_reclaim_inodes_nr+0x93/0xd0 [ 191.338357][ T369] super_cache_scan+0x2fd/0x430 [ 191.362354][ T369] do_shrink_slab+0x317/0x990 [ 191.385341][ T369] shrink_slab+0x3a8/0x4b0 [ 191.407214][ T369] shrink_node+0x49c/0x17b0 [ 191.429841][ T369] balance_pgdat+0x59c/0xed0 [ 191.455041][ T369] kswapd+0x5a4/0xc40 [ 191.477524][ T369] kthread+0x358/0x420 [ 191.499285][ T369] ret_from_fork+0x22/0x30 [ 191.521107][ T369] [ 191.521107][ T369] other info that might help us debug this: [ 191.521107][ T369] [ 191.567490][ T369] Possible unsafe locking scenario: [ 191.567490][ T369] [ 191.600947][ T369] CPU0 CPU1 [ 191.624808][ T369] ---- ---- [ 191.649236][ T369] lock(fs_reclaim); [ 191.667607][ T369] lock(&xfs_nondir_ilock_class); [ 191.702096][ T369] lock(fs_reclaim); [ 191.731243][ T369] lock(&xfs_nondir_ilock_class); [ 191.754025][ T369] [ 191.754025][ T369] *** DEADLOCK *** [ 191.754025][ T369] [ 191.791126][ T369] 4 locks held by kswapd3/369: [ 191.812198][ T369] #0: ffffffffb50ced00 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x0/0x30 [ 191.854319][ T369] #1: ffffffffb5074c50 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x219/0x4b0 [ 191.896043][ T369] #2: ffff8890279b40e0 (&type->s_umount_key#27){++++}-{3:3}, at: trylock_super+0x11/0xb0 [ 191.940538][ T369] #3: ffff889027a73a28 (&pag->pag_ici_reclaim_lock){+.+.}-{3:3}, at: xfs_reclaim_inodes_ag+0x135/0xb00 [ 191.995314][ T369] [ 191.995314][ T369] stack backtrace: [ 192.022934][ T369] CPU: 42 PID: 369 Comm: kswapd3 Not tainted 5.8.0-rc1-next-20200621 #1 [ 192.060546][ T369] Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018 [ 192.094518][ T369] Call Trace: [ 192.109005][ T369] dump_stack+0x9d/0xe0 [ 192.127468][ T369] check_noncircular+0x347/0x400 [ 192.149526][ T369] ? print_circular_bug+0x360/0x360 [ 192.172584][ T369] ? freezing_slow_path.cold.2+0x2a/0x2a [ 192.197251][ T369] __lock_acquire+0x2efc/0x4da0 [ 192.218737][ T369] ? lockdep_hardirqs_on_prepare+0x550/0x550 [ 192.246736][ T369] ? __lock_acquire+0x3541/0x4da0 [ 192.269673][ T369] lock_acquire+0x1ac/0xaf0 [ 192.290192][ T369] ? xfs_reclaim_inode+0xdf/0x860 [ 192.313158][ T369] ? rcu_read_unlock+0x50/0x50 [ 192.335057][ T369] down_write_nested+0x92/0x150 [ 192.358409][ T369] ? xfs_reclaim_inode+0xdf/0x860 [ 192.380890][ T369] ? rwsem_down_write_slowpath+0xf50/0xf50 [ 192.406891][ T369] ? find_held_lock+0x33/0x1c0 [ 192.427925][ T369] ? xfs_ilock+0x2ef/0x370 [ 192.447496][ T369] ? xfs_reclaim_inode+0xdf/0x860 [ 192.472315][ T369] xfs_reclaim_inode+0xdf/0x860 [ 192.496649][ T369] ? xfs_inode_clear_reclaim_tag+0xa0/0xa0 [ 192.524188][ T369] ? do_raw_spin_unlock+0x4f/0x250 [ 192.546852][ T369] xfs_reclaim_inodes_ag+0x505/0xb00 [ 192.570473][ T369] ? xfs_reclaim_inode+0x860/0x860 [ 192.592692][ T369] ? mark_held_locks+0xb0/0x110 [ 192.614287][ T369] ? lockdep_hardirqs_on_prepare+0x38c/0x550 [ 192.640800][ T369] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 192.666695][ T369] ? try_to_wake_up+0xcf/0xf40 [ 192.688265][ T369] ? migrate_swap_stop+0xc10/0xc10 [ 192.711966][ T369] ? do_raw_spin_unlock+0x4f/0x250 [ 192.735032][ T369] xfs_reclaim_inodes_nr+0x93/0xd0 xfs_reclaim_inodes_nr at fs/xfs/xfs_icache.c:1399 [ 192.757674][ T369] ? xfs_reclaim_inodes+0x90/0x90 [ 192.780028][ T369] ? list_lru_count_one+0x177/0x300 [ 192.803010][ T369] super_cache_scan+0x2fd/0x430 super_cache_scan at fs/super.c:115 [ 192.824491][ T369] do_shrink_slab+0x317/0x990 do_shrink_slab at mm/vmscan.c:514 [ 192.845160][ T369] shrink_slab+0x3a8/0x4b0 shrink_slab_memcg at mm/vmscan.c:584 (inlined by) shrink_slab at mm/vmscan.c:662 [ 192.864722][ T369] ? do_shrink_slab+0x990/0x990 [ 192.886137][ T369] ? rcu_is_watching+0x2c/0x80 [ 192.907289][ T369] ? mem_cgroup_protected+0x228/0x470 [ 192.931166][ T369] ? vmpressure+0x25/0x290 [ 192.950595][ T369] shrink_node+0x49c/0x17b0 [ 192.972332][ T369] balance_pgdat+0x59c/0xed0 kswapd_shrink_node at mm/vmscan.c:3521 (inlined by) balance_pgdat at mm/vmscan.c:3670 [ 192.994918][ T369] ? __node_reclaim+0x950/0x950 [ 193.018625][ T369] ? lockdep_hardirqs_on_prepare+0x38c/0x550 [ 193.046566][ T369] ? _raw_spin_unlock_irq+0x1f/0x30 [ 193.070214][ T369] ? _raw_spin_unlock_irq+0x1f/0x30 [ 193.093176][ T369] ? finish_task_switch+0x129/0x650 [ 193.116225][ T369] ? finish_task_switch+0xf2/0x650 [ 193.138809][ T369] ? rcu_read_lock_bh_held+0xc0/0xc0 [ 193.163323][ T369] kswapd+0x5a4/0xc40 [ 193.182690][ T369] ? __kthread_parkme+0x4d/0x1a0 [ 193.204660][ T369] ? balance_pgdat+0xed0/0xed0 [ 193.225776][ T369] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 193.252306][ T369] ? finish_wait+0x270/0x270 [ 193.272473][ T369] ? __kthread_parkme+0x4d/0x1a0 [ 193.294476][ T369] ? __kthread_parkme+0xcc/0x1a0 [ 193.316704][ T369] ? balance_pgdat+0xed0/0xed0 [ 193.337808][ T369] kthread+0x358/0x420 [ 193.355666][ T369] ? kthread_create_worker_on_cpu+0xc0/0xc0 [ 193.381884][ T369] ret_from_fork+0x22/0x30

...

---

This is part of a gpu lockdep annotation series simply because it really helps to catch issues where gpu subsystem locks and primitives can deadlock with themselves through allocations and mmu notifiers. But aside from that motivation it should be completely free-standing, and can land through -mm/-rdma/-hmm or any other tree really whenever.

-Daniel

mm/mmu_notifier.c | 7 ------- mm/page_alloc.c | 25 ++++++++++++++++--------- 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c index 06852b896fa6..5d578b9122f8 100644 --- a/mm/mmu_notifier.c +++ b/mm/mmu_notifier.c @@ -612,13 +612,6 @@ int __mmu_notifier_register(struct mmu_notifier *subscription, lockdep_assert_held_write(&mm->mmap_sem); BUG_ON(atomic_read(&mm->mm_users) <= 0);

• if (IS_ENABLED(CONFIG_LOCKDEP)) {
  

•         fs_reclaim_acquire(GFP_KERNEL);
  

•         lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

•         lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

•         fs_reclaim_release(GFP_KERNEL);
  

• }
  

• if (!mm->notifier_subscriptions) {
          /*
           * kmalloc cannot be called under mm_take_all_locks(), but we
  

diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 13cc653122b7..7536faaaa0fd 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -57,6 +57,7 @@ #include <trace/events/oom.h> #include <linux/prefetch.h> #include <linux/mm_inline.h> +#include <linux/mmu_notifier.h> #include <linux/migrate.h> #include <linux/hugetlb.h> #include <linux/sched/rt.h> @@ -4124,7 +4125,7 @@ should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_fla static struct lockdep_map __fs_reclaim_map = STATIC_LOCKDEP_MAP_INIT("fs_reclaim", &__fs_reclaim_map);

-static bool __need_fs_reclaim(gfp_t gfp_mask) +static bool __need_reclaim(gfp_t gfp_mask) { gfp_mask = current_gfp_context(gfp_mask);

@@ -4136,10 +4137,6 @@ static bool __need_fs_reclaim(gfp_t gfp_mask) if (current->flags & PF_MEMALLOC) return false;

• /* We're only interested __GFP_FS allocations for now */
  

• if (!(gfp_mask & __GFP_FS))
  

•         return false;
  

• if (gfp_mask & __GFP_NOLOCKDEP)
          return false;
  
  

@@ -4158,15 +4155,25 @@ void __fs_reclaim_release(void)

void fs_reclaim_acquire(gfp_t gfp_mask) {

• if (__need_fs_reclaim(gfp_mask))
  

•         __fs_reclaim_acquire();
  

• if (__need_reclaim(gfp_mask)) {
  

•         if (gfp_mask & __GFP_FS)
  

•                 __fs_reclaim_acquire();
  

+#ifdef CONFIG_MMU_NOTIFIER

•         lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

•         lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

+#endif

• }
  

} EXPORT_SYMBOL_GPL(fs_reclaim_acquire);

void fs_reclaim_release(gfp_t gfp_mask) {

• if (__need_fs_reclaim(gfp_mask))
  

•         __fs_reclaim_release();
  

• if (__need_reclaim(gfp_mask)) {
  

•         if (gfp_mask & __GFP_FS)
  

•                 __fs_reclaim_release();
  

• }
  

} EXPORT_SYMBOL_GPL(fs_reclaim_release);

#endif

2.26.2

On Tue, Jun 23, 2020 at 6:18 PM Qian Cai cai@lca.pw wrote:

On Sun, Jun 21, 2020 at 10:01:03PM +0200, Daniel Vetter wrote:

...

On Sun, Jun 21, 2020 at 08:07:08PM +0200, Daniel Vetter wrote:

...

On Sun, Jun 21, 2020 at 7:42 PM Qian Cai cai@lca.pw wrote:

...

On Wed, Jun 10, 2020 at 09:41:01PM +0200, Daniel Vetter wrote:

...

fs_reclaim_acquire/release nicely catch recursion issues when allocating GFP_KERNEL memory against shrinkers (which gpu drivers tend to use to keep the excessive caches in check). For mmu notifier recursions we do have lockdep annotations since 23b68395c7c7 ("mm/mmu_notifiers: add a lockdep map for invalidate_range_start/end").

But these only fire if a path actually results in some pte invalidation - for most small allocations that's very rarely the case. The other trouble is that pte invalidation can happen any time when __GFP_RECLAIM is set. Which means only really GFP_ATOMIC is a safe choice, GFP_NOIO isn't good enough to avoid potential mmu notifier recursion.

I was pondering whether we should just do the general annotation, but there's always the risk for false positives. Plus I'm assuming that the core fs and io code is a lot better reviewed and tested than random mmu notifier code in drivers. Hence why I decide to only annotate for that specific case.

Furthermore even if we'd create a lockdep map for direct reclaim, we'd still need to explicit pull in the mmu notifier map - there's a lot more places that do pte invalidation than just direct reclaim, these two contexts arent the same.

Note that the mmu notifiers needing their own independent lockdep map is also the reason we can't hold them from fs_reclaim_acquire to fs_reclaim_release - it would nest with the acquistion in the pte invalidation code, causing a lockdep splat. And we can't remove the annotations from pte invalidation and all the other places since they're called from many other places than page reclaim. Hence we can only do the equivalent of might_lock, but on the raw lockdep map.

With this we can also remove the lockdep priming added in 66204f1d2d1b ("mm/mmu_notifiers: prime lockdep") since the new annotations are strictly more powerful.

v2: Review from Thomas Hellstrom:

• unbotch the fs_reclaim context check, I accidentally inverted it, but it didn't blow up because I inverted it immediately
• fix compiling for !CONFIG_MMU_NOTIFIER

Cc: Thomas Hellström (Intel) thomas_os@shipmail.org Cc: Andrew Morton akpm@linux-foundation.org Cc: Jason Gunthorpe jgg@mellanox.com Cc: linux-mm@kvack.org Cc: linux-rdma@vger.kernel.org Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

Replying the right patch here...

Reverting this commit [1] fixed the lockdep warning below while applying some memory pressure.

[1] linux-next cbf7c9d86d75 ("mm: track mmu notifiers in fs_reclaim_acquire/release")

Hm, then I'm confused because

• there's not mmut notifier lockdep map in the splat at a..
• the patch is supposed to not change anything for fs_reclaim (but the

interim version got that wrong)

• looking at the paths it's kmalloc vs kswapd, both places I totally

expect fs_reflaim to be used.

But you're claiming reverting this prevents the lockdep splat. If that's right, then my reasoning above is broken somewhere. Someone less blind than me having an idea?

Aside this is the first email I've typed, until I realized the first report was against the broken patch and that looked like a much more reasonable explanation (but didn't quite match up with the code paths).

Below diff should undo the functional change in my patch. Can you pls test whether the lockdep splat is really gone with that? Might need a lot of testing and memory pressure to be sure, since all these reclaim paths aren't very deterministic.

No, this patch does not help but reverting the whole patch still fixed the splat.

Ok I tested this. I can't use your script to repro because - I don't have a setup with xfs, and the splat points at an issue in xfs - reproducing lockdep splats in shrinker callbacks is always a bit tricky

So instead I made a quick test to validate whether the fs_reclaim annotations work correctly, and nothing has changed:

+ printk("GFP_NOFS block\n"); + fs_reclaim_acquire(GFP_NOFS); + printk("allocate atomic\n"); + kfree(kmalloc(16, GFP_ATOMIC)); + printk("allocate noio\n"); + kfree(kmalloc(16, GFP_NOIO));

The below two calls to kmalloc are wrong, but the current annotations don't track __GFP_IO and other levels, only __GFP_FS. So no lockdep splats here.

+ printk("allocate nofs\n"); + kfree(kmalloc(16, GFP_NOFS)); + printk("allocate kernel\n"); + kfree(kmalloc(16, GFP_KERNEL)); + fs_reclaim_release(GFP_NOFS); + + + printk("GFP_KERNEL block\n"); + fs_reclaim_acquire(GFP_KERNEL); + printk("allocate atomic\n"); + kfree(kmalloc(16, GFP_ATOMIC)); + printk("allocate noio\n"); + kfree(kmalloc(16, GFP_NOIO)); + printk("allocate nofs\n"); + kfree(kmalloc(16, GFP_NOFS));

This allocation is buggy, and should splat. This is the case for both with my patch, and with my patch reverted.

+ printk("allocate kernel\n"); + kfree(kmalloc(16, GFP_KERNEL)); + fs_reclaim_release(GFP_KERNEL);

I also looked at the paths in your lockdep splat in xfs, this is simply GFP_KERNEL vs a shrinker reclaim in kswapd.

Summary: Everything is working as expected, there's no change in the lockdep annotations.

I really think the problem is that either your testcase doesn't hit the issue reliably enough, or that you're not actually testing the same kernels and there's some other changes (xfs most likely, but really it could be anywhere) which is causing this regression. I'm rather convinced now after this test that it's not my stuff.

Thanks, Daniel

...

-Daniel

---

diff --git a/mm/page_alloc.c b/mm/page_alloc.c index d807587c9ae6..27ea763c6155 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -4191,11 +4191,6 @@ void fs_reclaim_acquire(gfp_t gfp_mask) if (gfp_mask & __GFP_FS) __fs_reclaim_acquire();

-#ifdef CONFIG_MMU_NOTIFIER

•         lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

•         lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

-#endif

• }
  

} EXPORT_SYMBOL_GPL(fs_reclaim_acquire); -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch

On Sun, Jun 21, 2020 at 01:42:05PM -0400, Qian Cai wrote:

On Wed, Jun 10, 2020 at 09:41:01PM +0200, Daniel Vetter wrote:

...

fs_reclaim_acquire/release nicely catch recursion issues when allocating GFP_KERNEL memory against shrinkers (which gpu drivers tend to use to keep the excessive caches in check). For mmu notifier recursions we do have lockdep annotations since 23b68395c7c7 ("mm/mmu_notifiers: add a lockdep map for invalidate_range_start/end").

But these only fire if a path actually results in some pte invalidation - for most small allocations that's very rarely the case. The other trouble is that pte invalidation can happen any time when __GFP_RECLAIM is set. Which means only really GFP_ATOMIC is a safe choice, GFP_NOIO isn't good enough to avoid potential mmu notifier recursion.

I was pondering whether we should just do the general annotation, but there's always the risk for false positives. Plus I'm assuming that the core fs and io code is a lot better reviewed and tested than random mmu notifier code in drivers. Hence why I decide to only annotate for that specific case.

Furthermore even if we'd create a lockdep map for direct reclaim, we'd still need to explicit pull in the mmu notifier map - there's a lot more places that do pte invalidation than just direct reclaim, these two contexts arent the same.

Note that the mmu notifiers needing their own independent lockdep map is also the reason we can't hold them from fs_reclaim_acquire to fs_reclaim_release - it would nest with the acquistion in the pte invalidation code, causing a lockdep splat. And we can't remove the annotations from pte invalidation and all the other places since they're called from many other places than page reclaim. Hence we can only do the equivalent of might_lock, but on the raw lockdep map.

With this we can also remove the lockdep priming added in 66204f1d2d1b ("mm/mmu_notifiers: prime lockdep") since the new annotations are strictly more powerful.

v2: Review from Thomas Hellstrom:

• unbotch the fs_reclaim context check, I accidentally inverted it, but it didn't blow up because I inverted it immediately
• fix compiling for !CONFIG_MMU_NOTIFIER

Cc: Thomas Hellström (Intel) thomas_os@shipmail.org Cc: Andrew Morton akpm@linux-foundation.org Cc: Jason Gunthorpe jgg@mellanox.com Cc: linux-mm@kvack.org Cc: linux-rdma@vger.kernel.org Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

Replying the right patch here...

Reverting this commit [1] fixed the lockdep warning below while applying some memory pressure.

[1] linux-next cbf7c9d86d75 ("mm: track mmu notifiers in fs_reclaim_acquire/release")

[ 190.455003][ T369] WARNING: possible circular locking dependency detected [ 190.487291][ T369] 5.8.0-rc1-next-20200621 #1 Not tainted [ 190.512363][ T369] ------------------------------------------------------ [ 190.543354][ T369] kswapd3/369 is trying to acquire lock: [ 190.568523][ T369] ffff889fcf694528 (&xfs_nondir_ilock_class){++++}-{3:3}, at: xfs_reclaim_inode+0xdf/0x860 spin_lock at include/linux/spinlock.h:353 (inlined by) xfs_iflags_test_and_set at fs/xfs/xfs_inode.h:166 (inlined by) xfs_iflock_nowait at fs/xfs/xfs_inode.h:249 (inlined by) xfs_reclaim_inode at fs/xfs/xfs_icache.c:1127 [ 190.614359][ T369] [ 190.614359][ T369] but task is already holding lock: [ 190.647763][ T369] ffffffffb50ced00 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x0/0x30 __fs_reclaim_acquire at mm/page_alloc.c:4200 [ 190.687845][ T369] [ 190.687845][ T369] which lock already depends on the new lock. [ 190.687845][ T369] [ 190.734890][ T369] [ 190.734890][ T369] the existing dependency chain (in reverse order) is: [ 190.775991][ T369] [ 190.775991][ T369] -> #1 (fs_reclaim){+.+.}-{0:0}: [ 190.808150][ T369] fs_reclaim_acquire+0x77/0x80 [ 190.832152][ T369] slab_pre_alloc_hook.constprop.52+0x20/0x120 slab_pre_alloc_hook at mm/slab.h:507 [ 190.862173][ T369] kmem_cache_alloc+0x43/0x2a0 [ 190.885602][ T369] kmem_zone_alloc+0x113/0x3ef kmem_zone_alloc at fs/xfs/kmem.c:129 [ 190.908702][ T369] xfs_inode_item_init+0x1d/0xa0 xfs_inode_item_init at fs/xfs/xfs_inode_item.c:639 [ 190.934461][ T369] xfs_trans_ijoin+0x96/0x100 xfs_trans_ijoin at fs/xfs/libxfs/xfs_trans_inode.c:34 [ 190.961530][ T369] xfs_setattr_nonsize+0x1a6/0xcd0

OK, this patch has royally screwed something up if this path thinks it can enter memory reclaim. This path is inside a transaction, so it is running under PF_MEMALLOC_NOFS context, so should *never* enter memory reclaim.

I'd suggest that whatever mods were made to fs_reclaim_acquire by this patch broke it's basic functionality....

...

diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 13cc653122b7..7536faaaa0fd 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -57,6 +57,7 @@ #include <trace/events/oom.h> #include <linux/prefetch.h> #include <linux/mm_inline.h> +#include <linux/mmu_notifier.h> #include <linux/migrate.h> #include <linux/hugetlb.h> #include <linux/sched/rt.h> @@ -4124,7 +4125,7 @@ should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_fla static struct lockdep_map __fs_reclaim_map = STATIC_LOCKDEP_MAP_INIT("fs_reclaim", &__fs_reclaim_map);

-static bool __need_fs_reclaim(gfp_t gfp_mask) +static bool __need_reclaim(gfp_t gfp_mask) { gfp_mask = current_gfp_context(gfp_mask);

This is applies the per-task memory allocation context flags to the mask that is checked here.

...

@@ -4136,10 +4137,6 @@ static bool __need_fs_reclaim(gfp_t gfp_mask) if (current->flags & PF_MEMALLOC) return false;

• /* We're only interested __GFP_FS allocations for now */
• if (!(gfp_mask & __GFP_FS))

• return false;
  

• if (gfp_mask & __GFP_NOLOCKDEP) return false;

@@ -4158,15 +4155,25 @@ void __fs_reclaim_release(void)

void fs_reclaim_acquire(gfp_t gfp_mask) {

• if (__need_fs_reclaim(gfp_mask))

• __fs_reclaim_acquire();
  

• if (__need_reclaim(gfp_mask)) {

• if (gfp_mask & __GFP_FS)
  

• 	__fs_reclaim_acquire();
  

.... and they have not been applied in this path. There's your breakage.

For future reference, please post anything that changes NOFS allocation contexts or behaviours to linux-fsdevel, as filesystem developers need to know about proposed changes to infrastructure that is critical to the correct functioning of filesystems...

Cheers,

Dave.

On Thu, Jun 04, 2020 at 10:12:07AM +0200, Daniel Vetter wrote:

fs_reclaim_acquire/release nicely catch recursion issues when allocating GFP_KERNEL memory against shrinkers (which gpu drivers tend to use to keep the excessive caches in check). For mmu notifier recursions we do have lockdep annotations since 23b68395c7c7 ("mm/mmu_notifiers: add a lockdep map for invalidate_range_start/end").

But these only fire if a path actually results in some pte invalidation - for most small allocations that's very rarely the case. The other trouble is that pte invalidation can happen any time when __GFP_RECLAIM is set. Which means only really GFP_ATOMIC is a safe choice, GFP_NOIO isn't good enough to avoid potential mmu notifier recursion.

I was pondering whether we should just do the general annotation, but there's always the risk for false positives. Plus I'm assuming that the core fs and io code is a lot better reviewed and tested than random mmu notifier code in drivers. Hence why I decide to only annotate for that specific case.

Furthermore even if we'd create a lockdep map for direct reclaim, we'd still need to explicit pull in the mmu notifier map - there's a lot more places that do pte invalidation than just direct reclaim, these two contexts arent the same.

Note that the mmu notifiers needing their own independent lockdep map is also the reason we can't hold them from fs_reclaim_acquire to fs_reclaim_release - it would nest with the acquistion in the pte invalidation code, causing a lockdep splat. And we can't remove the annotations from pte invalidation and all the other places since they're called from many other places than page reclaim. Hence we can only do the equivalent of might_lock, but on the raw lockdep map.

With this we can also remove the lockdep priming added in 66204f1d2d1b ("mm/mmu_notifiers: prime lockdep") since the new annotations are strictly more powerful.

Cc: Andrew Morton akpm@linux-foundation.org Cc: Jason Gunthorpe jgg@mellanox.com Cc: linux-mm@kvack.org Cc: linux-rdma@vger.kernel.org Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

Reverting this commit fixed the lockdep splat below while applying some memory pressure,

[ 190.455003][ T369] WARNING: possible circular locking dependency detected [ 190.487291][ T369] 5.8.0-rc1-next-20200621 #1 Not tainted [ 190.512363][ T369] ------------------------------------------------------ [ 190.543354][ T369] kswapd3/369 is trying to acquire lock: [ 190.568523][ T369] ffff889fcf694528 (&xfs_nondir_ilock_class){++++}-{3:3}, at: xfs_reclaim_inode+0xdf/0x860 spin_lock at include/linux/spinlock.h:353 (inlined by) xfs_iflags_test_and_set at fs/xfs/xfs_inode.h:166 (inlined by) xfs_iflock_nowait at fs/xfs/xfs_inode.h:249 (inlined by) xfs_reclaim_inode at fs/xfs/xfs_icache.c:1127 [ 190.614359][ T369] [ 190.614359][ T369] but task is already holding lock: [ 190.647763][ T369] ffffffffb50ced00 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x0/0x30 __fs_reclaim_acquire at mm/page_alloc.c:4200 [ 190.687845][ T369] [ 190.687845][ T369] which lock already depends on the new lock. [ 190.687845][ T369] [ 190.734890][ T369] [ 190.734890][ T369] the existing dependency chain (in reverse order) is: [ 190.775991][ T369] [ 190.775991][ T369] -> #1 (fs_reclaim){+.+.}-{0:0}: [ 190.808150][ T369] fs_reclaim_acquire+0x77/0x80 [ 190.832152][ T369] slab_pre_alloc_hook.constprop.52+0x20/0x120 slab_pre_alloc_hook at mm/slab.h:507 [ 190.862173][ T369] kmem_cache_alloc+0x43/0x2a0 [ 190.885602][ T369] kmem_zone_alloc+0x113/0x3ef kmem_zone_alloc at fs/xfs/kmem.c:129 [ 190.908702][ T369] xfs_inode_item_init+0x1d/0xa0 xfs_inode_item_init at fs/xfs/xfs_inode_item.c:639 [ 190.934461][ T369] xfs_trans_ijoin+0x96/0x100 xfs_trans_ijoin at fs/xfs/libxfs/xfs_trans_inode.c:34 [ 190.961530][ T369] xfs_setattr_nonsize+0x1a6/0xcd0 xfs_setattr_nonsize at fs/xfs/xfs_iops.c:716 [ 190.987331][ T369] xfs_vn_setattr+0x133/0x160 xfs_vn_setattr at fs/xfs/xfs_iops.c:1081 [ 191.010476][ T369] notify_change+0x6c5/0xba1 notify_change at fs/attr.c:336 [ 191.033317][ T369] chmod_common+0x19b/0x390 [ 191.055770][ T369] ksys_fchmod+0x28/0x60 [ 191.077957][ T369] __x64_sys_fchmod+0x4e/0x70 [ 191.102767][ T369] do_syscall_64+0x5f/0x310 [ 191.125090][ T369] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 191.153749][ T369] [ 191.153749][ T369] -> #0 (&xfs_nondir_ilock_class){++++}-{3:3}: [ 191.191267][ T369] __lock_acquire+0x2efc/0x4da0 [ 191.215974][ T369] lock_acquire+0x1ac/0xaf0 [ 191.238953][ T369] down_write_nested+0x92/0x150 [ 191.262955][ T369] xfs_reclaim_inode+0xdf/0x860 [ 191.287149][ T369] xfs_reclaim_inodes_ag+0x505/0xb00 [ 191.313291][ T369] xfs_reclaim_inodes_nr+0x93/0xd0 [ 191.338357][ T369] super_cache_scan+0x2fd/0x430 [ 191.362354][ T369] do_shrink_slab+0x317/0x990 [ 191.385341][ T369] shrink_slab+0x3a8/0x4b0 [ 191.407214][ T369] shrink_node+0x49c/0x17b0 [ 191.429841][ T369] balance_pgdat+0x59c/0xed0 [ 191.455041][ T369] kswapd+0x5a4/0xc40 [ 191.477524][ T369] kthread+0x358/0x420 [ 191.499285][ T369] ret_from_fork+0x22/0x30 [ 191.521107][ T369] [ 191.521107][ T369] other info that might help us debug this: [ 191.521107][ T369] [ 191.567490][ T369] Possible unsafe locking scenario: [ 191.567490][ T369] [ 191.600947][ T369] CPU0 CPU1 [ 191.624808][ T369] ---- ---- [ 191.649236][ T369] lock(fs_reclaim); [ 191.667607][ T369] lock(&xfs_nondir_ilock_class); [ 191.702096][ T369] lock(fs_reclaim); [ 191.731243][ T369] lock(&xfs_nondir_ilock_class); [ 191.754025][ T369] [ 191.754025][ T369] *** DEADLOCK *** [ 191.754025][ T369] [ 191.791126][ T369] 4 locks held by kswapd3/369: [ 191.812198][ T369] #0: ffffffffb50ced00 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x0/0x30 [ 191.854319][ T369] #1: ffffffffb5074c50 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x219/0x4b0 [ 191.896043][ T369] #2: ffff8890279b40e0 (&type->s_umount_key#27){++++}-{3:3}, at: trylock_super+0x11/0xb0 [ 191.940538][ T369] #3: ffff889027a73a28 (&pag->pag_ici_reclaim_lock){+.+.}-{3:3}, at: xfs_reclaim_inodes_ag+0x135/0xb00 [ 191.995314][ T369] [ 191.995314][ T369] stack backtrace: [ 192.022934][ T369] CPU: 42 PID: 369 Comm: kswapd3 Not tainted 5.8.0-rc1-next-20200621 #1 [ 192.060546][ T369] Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018 [ 192.094518][ T369] Call Trace: [ 192.109005][ T369] dump_stack+0x9d/0xe0 [ 192.127468][ T369] check_noncircular+0x347/0x400 [ 192.149526][ T369] ? print_circular_bug+0x360/0x360 [ 192.172584][ T369] ? freezing_slow_path.cold.2+0x2a/0x2a [ 192.197251][ T369] __lock_acquire+0x2efc/0x4da0 [ 192.218737][ T369] ? lockdep_hardirqs_on_prepare+0x550/0x550 [ 192.246736][ T369] ? __lock_acquire+0x3541/0x4da0 [ 192.269673][ T369] lock_acquire+0x1ac/0xaf0 [ 192.290192][ T369] ? xfs_reclaim_inode+0xdf/0x860 [ 192.313158][ T369] ? rcu_read_unlock+0x50/0x50 [ 192.335057][ T369] down_write_nested+0x92/0x150 [ 192.358409][ T369] ? xfs_reclaim_inode+0xdf/0x860 [ 192.380890][ T369] ? rwsem_down_write_slowpath+0xf50/0xf50 [ 192.406891][ T369] ? find_held_lock+0x33/0x1c0 [ 192.427925][ T369] ? xfs_ilock+0x2ef/0x370 [ 192.447496][ T369] ? xfs_reclaim_inode+0xdf/0x860 [ 192.472315][ T369] xfs_reclaim_inode+0xdf/0x860 [ 192.496649][ T369] ? xfs_inode_clear_reclaim_tag+0xa0/0xa0 [ 192.524188][ T369] ? do_raw_spin_unlock+0x4f/0x250 [ 192.546852][ T369] xfs_reclaim_inodes_ag+0x505/0xb00 [ 192.570473][ T369] ? xfs_reclaim_inode+0x860/0x860 [ 192.592692][ T369] ? mark_held_locks+0xb0/0x110 [ 192.614287][ T369] ? lockdep_hardirqs_on_prepare+0x38c/0x550 [ 192.640800][ T369] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 192.666695][ T369] ? try_to_wake_up+0xcf/0xf40 [ 192.688265][ T369] ? migrate_swap_stop+0xc10/0xc10 [ 192.711966][ T369] ? do_raw_spin_unlock+0x4f/0x250 [ 192.735032][ T369] xfs_reclaim_inodes_nr+0x93/0xd0 xfs_reclaim_inodes_nr at fs/xfs/xfs_icache.c:1399 [ 192.757674][ T369] ? xfs_reclaim_inodes+0x90/0x90 [ 192.780028][ T369] ? list_lru_count_one+0x177/0x300 [ 192.803010][ T369] super_cache_scan+0x2fd/0x430 super_cache_scan at fs/super.c:115 [ 192.824491][ T369] do_shrink_slab+0x317/0x990 do_shrink_slab at mm/vmscan.c:514 [ 192.845160][ T369] shrink_slab+0x3a8/0x4b0 shrink_slab_memcg at mm/vmscan.c:584 (inlined by) shrink_slab at mm/vmscan.c:662 [ 192.864722][ T369] ? do_shrink_slab+0x990/0x990 [ 192.886137][ T369] ? rcu_is_watching+0x2c/0x80 [ 192.907289][ T369] ? mem_cgroup_protected+0x228/0x470 [ 192.931166][ T369] ? vmpressure+0x25/0x290 [ 192.950595][ T369] shrink_node+0x49c/0x17b0 [ 192.972332][ T369] balance_pgdat+0x59c/0xed0 kswapd_shrink_node at mm/vmscan.c:3521 (inlined by) balance_pgdat at mm/vmscan.c:3670 [ 192.994918][ T369] ? __node_reclaim+0x950/0x950 [ 193.018625][ T369] ? lockdep_hardirqs_on_prepare+0x38c/0x550 [ 193.046566][ T369] ? _raw_spin_unlock_irq+0x1f/0x30 [ 193.070214][ T369] ? _raw_spin_unlock_irq+0x1f/0x30 [ 193.093176][ T369] ? finish_task_switch+0x129/0x650 [ 193.116225][ T369] ? finish_task_switch+0xf2/0x650 [ 193.138809][ T369] ? rcu_read_lock_bh_held+0xc0/0xc0 [ 193.163323][ T369] kswapd+0x5a4/0xc40 [ 193.182690][ T369] ? __kthread_parkme+0x4d/0x1a0 [ 193.204660][ T369] ? balance_pgdat+0xed0/0xed0 [ 193.225776][ T369] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 193.252306][ T369] ? finish_wait+0x270/0x270 [ 193.272473][ T369] ? __kthread_parkme+0x4d/0x1a0 [ 193.294476][ T369] ? __kthread_parkme+0xcc/0x1a0 [ 193.316704][ T369] ? balance_pgdat+0xed0/0xed0 [ 193.337808][ T369] kthread+0x358/0x420 [ 193.355666][ T369] ? kthread_create_worker_on_cpu+0xc0/0xc0 [ 193.381884][ T369] ret_from_fork+0x22/0x30

---

This is part of a gpu lockdep annotation series simply because it really helps to catch issues where gpu subsystem locks and primitives can deadlock with themselves through allocations and mmu notifiers. But aside from that motivation it should be completely free-standing, and can land through -mm/-rdma/-hmm or any other tree really whenever.

-Daniel

mm/mmu_notifier.c | 7 ------- mm/page_alloc.c | 23 ++++++++++++++--------- 2 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c index 06852b896fa6..5d578b9122f8 100644 --- a/mm/mmu_notifier.c +++ b/mm/mmu_notifier.c @@ -612,13 +612,6 @@ int __mmu_notifier_register(struct mmu_notifier *subscription, lockdep_assert_held_write(&mm->mmap_sem); BUG_ON(atomic_read(&mm->mm_users) <= 0);

• if (IS_ENABLED(CONFIG_LOCKDEP)) {

• fs_reclaim_acquire(GFP_KERNEL);
  

• lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

• lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

• fs_reclaim_release(GFP_KERNEL);
  

• }
• if (!mm->notifier_subscriptions) { /*
  • kmalloc cannot be called under mm_take_all_locks(), but we

diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 13cc653122b7..f8a222db4a53 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -57,6 +57,7 @@ #include <trace/events/oom.h> #include <linux/prefetch.h> #include <linux/mm_inline.h> +#include <linux/mmu_notifier.h> #include <linux/migrate.h> #include <linux/hugetlb.h> #include <linux/sched/rt.h> @@ -4124,7 +4125,7 @@ should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_fla static struct lockdep_map __fs_reclaim_map = STATIC_LOCKDEP_MAP_INIT("fs_reclaim", &__fs_reclaim_map);

-static bool __need_fs_reclaim(gfp_t gfp_mask) +static bool __need_reclaim(gfp_t gfp_mask) { gfp_mask = current_gfp_context(gfp_mask);

@@ -4136,10 +4137,6 @@ static bool __need_fs_reclaim(gfp_t gfp_mask) if (current->flags & PF_MEMALLOC) return false;

• /* We're only interested __GFP_FS allocations for now */
• if (!(gfp_mask & __GFP_FS))

• return false;
  

• if (gfp_mask & __GFP_NOLOCKDEP) return false;

@@ -4158,15 +4155,23 @@ void __fs_reclaim_release(void)

void fs_reclaim_acquire(gfp_t gfp_mask) {

• if (__need_fs_reclaim(gfp_mask))

• __fs_reclaim_acquire();
  

• if (__need_reclaim(gfp_mask)) {

• if (!(gfp_mask & __GFP_FS))
  

• 	__fs_reclaim_acquire();
  

• lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

• lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

• }

} EXPORT_SYMBOL_GPL(fs_reclaim_acquire);

void fs_reclaim_release(gfp_t gfp_mask) {

• if (__need_fs_reclaim(gfp_mask))

• __fs_reclaim_release();
  

• if (__need_reclaim(gfp_mask)) {

• if (!(gfp_mask & __GFP_FS))
  

• 	__fs_reclaim_release();
  

• }

} EXPORT_SYMBOL_GPL(fs_reclaim_release);

#endif

2.26.2

On Sun, Jun 21, 2020 at 07:28:40PM +0200, Daniel Vetter wrote:

On Sun, Jun 21, 2020 at 7:01 PM Qian Cai cai@lca.pw wrote:

...

On Thu, Jun 04, 2020 at 10:12:07AM +0200, Daniel Vetter wrote:

...

fs_reclaim_acquire/release nicely catch recursion issues when allocating GFP_KERNEL memory against shrinkers (which gpu drivers tend to use to keep the excessive caches in check). For mmu notifier recursions we do have lockdep annotations since 23b68395c7c7 ("mm/mmu_notifiers: add a lockdep map for invalidate_range_start/end").

But these only fire if a path actually results in some pte invalidation - for most small allocations that's very rarely the case. The other trouble is that pte invalidation can happen any time when __GFP_RECLAIM is set. Which means only really GFP_ATOMIC is a safe choice, GFP_NOIO isn't good enough to avoid potential mmu notifier recursion.

I was pondering whether we should just do the general annotation, but there's always the risk for false positives. Plus I'm assuming that the core fs and io code is a lot better reviewed and tested than random mmu notifier code in drivers. Hence why I decide to only annotate for that specific case.

Furthermore even if we'd create a lockdep map for direct reclaim, we'd still need to explicit pull in the mmu notifier map - there's a lot more places that do pte invalidation than just direct reclaim, these two contexts arent the same.

Note that the mmu notifiers needing their own independent lockdep map is also the reason we can't hold them from fs_reclaim_acquire to fs_reclaim_release - it would nest with the acquistion in the pte invalidation code, causing a lockdep splat. And we can't remove the annotations from pte invalidation and all the other places since they're called from many other places than page reclaim. Hence we can only do the equivalent of might_lock, but on the raw lockdep map.

With this we can also remove the lockdep priming added in 66204f1d2d1b ("mm/mmu_notifiers: prime lockdep") since the new annotations are strictly more powerful.

Cc: Andrew Morton akpm@linux-foundation.org Cc: Jason Gunthorpe jgg@mellanox.com Cc: linux-mm@kvack.org Cc: linux-rdma@vger.kernel.org Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

Reverting this commit fixed the lockdep splat below while applying some memory pressure,

This is a broken version of the patch, please use the one Andrew merged into -mm.

Yes, since it is 5.8.0-rc1-next-20200621 which I believe it includes the latest version from -mm. Anyway, I replied again to your latest patch,

https://lore.kernel.org/lkml/20200621174205.GB1398@lca.pw/

Thanks, Daniel

...

[ 190.455003][ T369] WARNING: possible circular locking dependency detected [ 190.487291][ T369] 5.8.0-rc1-next-20200621 #1 Not tainted [ 190.512363][ T369] ------------------------------------------------------ [ 190.543354][ T369] kswapd3/369 is trying to acquire lock: [ 190.568523][ T369] ffff889fcf694528 (&xfs_nondir_ilock_class){++++}-{3:3}, at: xfs_reclaim_inode+0xdf/0x860 spin_lock at include/linux/spinlock.h:353 (inlined by) xfs_iflags_test_and_set at fs/xfs/xfs_inode.h:166 (inlined by) xfs_iflock_nowait at fs/xfs/xfs_inode.h:249 (inlined by) xfs_reclaim_inode at fs/xfs/xfs_icache.c:1127 [ 190.614359][ T369] [ 190.614359][ T369] but task is already holding lock: [ 190.647763][ T369] ffffffffb50ced00 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x0/0x30 __fs_reclaim_acquire at mm/page_alloc.c:4200 [ 190.687845][ T369] [ 190.687845][ T369] which lock already depends on the new lock. [ 190.687845][ T369] [ 190.734890][ T369] [ 190.734890][ T369] the existing dependency chain (in reverse order) is: [ 190.775991][ T369] [ 190.775991][ T369] -> #1 (fs_reclaim){+.+.}-{0:0}: [ 190.808150][ T369] fs_reclaim_acquire+0x77/0x80 [ 190.832152][ T369] slab_pre_alloc_hook.constprop.52+0x20/0x120 slab_pre_alloc_hook at mm/slab.h:507 [ 190.862173][ T369] kmem_cache_alloc+0x43/0x2a0 [ 190.885602][ T369] kmem_zone_alloc+0x113/0x3ef kmem_zone_alloc at fs/xfs/kmem.c:129 [ 190.908702][ T369] xfs_inode_item_init+0x1d/0xa0 xfs_inode_item_init at fs/xfs/xfs_inode_item.c:639 [ 190.934461][ T369] xfs_trans_ijoin+0x96/0x100 xfs_trans_ijoin at fs/xfs/libxfs/xfs_trans_inode.c:34 [ 190.961530][ T369] xfs_setattr_nonsize+0x1a6/0xcd0 xfs_setattr_nonsize at fs/xfs/xfs_iops.c:716 [ 190.987331][ T369] xfs_vn_setattr+0x133/0x160 xfs_vn_setattr at fs/xfs/xfs_iops.c:1081 [ 191.010476][ T369] notify_change+0x6c5/0xba1 notify_change at fs/attr.c:336 [ 191.033317][ T369] chmod_common+0x19b/0x390 [ 191.055770][ T369] ksys_fchmod+0x28/0x60 [ 191.077957][ T369] __x64_sys_fchmod+0x4e/0x70 [ 191.102767][ T369] do_syscall_64+0x5f/0x310 [ 191.125090][ T369] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 191.153749][ T369] [ 191.153749][ T369] -> #0 (&xfs_nondir_ilock_class){++++}-{3:3}: [ 191.191267][ T369] __lock_acquire+0x2efc/0x4da0 [ 191.215974][ T369] lock_acquire+0x1ac/0xaf0 [ 191.238953][ T369] down_write_nested+0x92/0x150 [ 191.262955][ T369] xfs_reclaim_inode+0xdf/0x860 [ 191.287149][ T369] xfs_reclaim_inodes_ag+0x505/0xb00 [ 191.313291][ T369] xfs_reclaim_inodes_nr+0x93/0xd0 [ 191.338357][ T369] super_cache_scan+0x2fd/0x430 [ 191.362354][ T369] do_shrink_slab+0x317/0x990 [ 191.385341][ T369] shrink_slab+0x3a8/0x4b0 [ 191.407214][ T369] shrink_node+0x49c/0x17b0 [ 191.429841][ T369] balance_pgdat+0x59c/0xed0 [ 191.455041][ T369] kswapd+0x5a4/0xc40 [ 191.477524][ T369] kthread+0x358/0x420 [ 191.499285][ T369] ret_from_fork+0x22/0x30 [ 191.521107][ T369] [ 191.521107][ T369] other info that might help us debug this: [ 191.521107][ T369] [ 191.567490][ T369] Possible unsafe locking scenario: [ 191.567490][ T369] [ 191.600947][ T369] CPU0 CPU1 [ 191.624808][ T369] ---- ---- [ 191.649236][ T369] lock(fs_reclaim); [ 191.667607][ T369] lock(&xfs_nondir_ilock_class); [ 191.702096][ T369] lock(fs_reclaim); [ 191.731243][ T369] lock(&xfs_nondir_ilock_class); [ 191.754025][ T369] [ 191.754025][ T369] *** DEADLOCK *** [ 191.754025][ T369] [ 191.791126][ T369] 4 locks held by kswapd3/369: [ 191.812198][ T369] #0: ffffffffb50ced00 (fs_reclaim){+.+.}-{0:0}, at: __fs_reclaim_acquire+0x0/0x30 [ 191.854319][ T369] #1: ffffffffb5074c50 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x219/0x4b0 [ 191.896043][ T369] #2: ffff8890279b40e0 (&type->s_umount_key#27){++++}-{3:3}, at: trylock_super+0x11/0xb0 [ 191.940538][ T369] #3: ffff889027a73a28 (&pag->pag_ici_reclaim_lock){+.+.}-{3:3}, at: xfs_reclaim_inodes_ag+0x135/0xb00 [ 191.995314][ T369] [ 191.995314][ T369] stack backtrace: [ 192.022934][ T369] CPU: 42 PID: 369 Comm: kswapd3 Not tainted 5.8.0-rc1-next-20200621 #1 [ 192.060546][ T369] Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018 [ 192.094518][ T369] Call Trace: [ 192.109005][ T369] dump_stack+0x9d/0xe0 [ 192.127468][ T369] check_noncircular+0x347/0x400 [ 192.149526][ T369] ? print_circular_bug+0x360/0x360 [ 192.172584][ T369] ? freezing_slow_path.cold.2+0x2a/0x2a [ 192.197251][ T369] __lock_acquire+0x2efc/0x4da0 [ 192.218737][ T369] ? lockdep_hardirqs_on_prepare+0x550/0x550 [ 192.246736][ T369] ? __lock_acquire+0x3541/0x4da0 [ 192.269673][ T369] lock_acquire+0x1ac/0xaf0 [ 192.290192][ T369] ? xfs_reclaim_inode+0xdf/0x860 [ 192.313158][ T369] ? rcu_read_unlock+0x50/0x50 [ 192.335057][ T369] down_write_nested+0x92/0x150 [ 192.358409][ T369] ? xfs_reclaim_inode+0xdf/0x860 [ 192.380890][ T369] ? rwsem_down_write_slowpath+0xf50/0xf50 [ 192.406891][ T369] ? find_held_lock+0x33/0x1c0 [ 192.427925][ T369] ? xfs_ilock+0x2ef/0x370 [ 192.447496][ T369] ? xfs_reclaim_inode+0xdf/0x860 [ 192.472315][ T369] xfs_reclaim_inode+0xdf/0x860 [ 192.496649][ T369] ? xfs_inode_clear_reclaim_tag+0xa0/0xa0 [ 192.524188][ T369] ? do_raw_spin_unlock+0x4f/0x250 [ 192.546852][ T369] xfs_reclaim_inodes_ag+0x505/0xb00 [ 192.570473][ T369] ? xfs_reclaim_inode+0x860/0x860 [ 192.592692][ T369] ? mark_held_locks+0xb0/0x110 [ 192.614287][ T369] ? lockdep_hardirqs_on_prepare+0x38c/0x550 [ 192.640800][ T369] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 192.666695][ T369] ? try_to_wake_up+0xcf/0xf40 [ 192.688265][ T369] ? migrate_swap_stop+0xc10/0xc10 [ 192.711966][ T369] ? do_raw_spin_unlock+0x4f/0x250 [ 192.735032][ T369] xfs_reclaim_inodes_nr+0x93/0xd0 xfs_reclaim_inodes_nr at fs/xfs/xfs_icache.c:1399 [ 192.757674][ T369] ? xfs_reclaim_inodes+0x90/0x90 [ 192.780028][ T369] ? list_lru_count_one+0x177/0x300 [ 192.803010][ T369] super_cache_scan+0x2fd/0x430 super_cache_scan at fs/super.c:115 [ 192.824491][ T369] do_shrink_slab+0x317/0x990 do_shrink_slab at mm/vmscan.c:514 [ 192.845160][ T369] shrink_slab+0x3a8/0x4b0 shrink_slab_memcg at mm/vmscan.c:584 (inlined by) shrink_slab at mm/vmscan.c:662 [ 192.864722][ T369] ? do_shrink_slab+0x990/0x990 [ 192.886137][ T369] ? rcu_is_watching+0x2c/0x80 [ 192.907289][ T369] ? mem_cgroup_protected+0x228/0x470 [ 192.931166][ T369] ? vmpressure+0x25/0x290 [ 192.950595][ T369] shrink_node+0x49c/0x17b0 [ 192.972332][ T369] balance_pgdat+0x59c/0xed0 kswapd_shrink_node at mm/vmscan.c:3521 (inlined by) balance_pgdat at mm/vmscan.c:3670 [ 192.994918][ T369] ? __node_reclaim+0x950/0x950 [ 193.018625][ T369] ? lockdep_hardirqs_on_prepare+0x38c/0x550 [ 193.046566][ T369] ? _raw_spin_unlock_irq+0x1f/0x30 [ 193.070214][ T369] ? _raw_spin_unlock_irq+0x1f/0x30 [ 193.093176][ T369] ? finish_task_switch+0x129/0x650 [ 193.116225][ T369] ? finish_task_switch+0xf2/0x650 [ 193.138809][ T369] ? rcu_read_lock_bh_held+0xc0/0xc0 [ 193.163323][ T369] kswapd+0x5a4/0xc40 [ 193.182690][ T369] ? __kthread_parkme+0x4d/0x1a0 [ 193.204660][ T369] ? balance_pgdat+0xed0/0xed0 [ 193.225776][ T369] ? _raw_spin_unlock_irqrestore+0x39/0x40 [ 193.252306][ T369] ? finish_wait+0x270/0x270 [ 193.272473][ T369] ? __kthread_parkme+0x4d/0x1a0 [ 193.294476][ T369] ? __kthread_parkme+0xcc/0x1a0 [ 193.316704][ T369] ? balance_pgdat+0xed0/0xed0 [ 193.337808][ T369] kthread+0x358/0x420 [ 193.355666][ T369] ? kthread_create_worker_on_cpu+0xc0/0xc0 [ 193.381884][ T369] ret_from_fork+0x22/0x30

...

---

This is part of a gpu lockdep annotation series simply because it really helps to catch issues where gpu subsystem locks and primitives can deadlock with themselves through allocations and mmu notifiers. But aside from that motivation it should be completely free-standing, and can land through -mm/-rdma/-hmm or any other tree really whenever.

-Daniel

mm/mmu_notifier.c | 7 ------- mm/page_alloc.c | 23 ++++++++++++++--------- 2 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/mm/mmu_notifier.c b/mm/mmu_notifier.c index 06852b896fa6..5d578b9122f8 100644 --- a/mm/mmu_notifier.c +++ b/mm/mmu_notifier.c @@ -612,13 +612,6 @@ int __mmu_notifier_register(struct mmu_notifier *subscription, lockdep_assert_held_write(&mm->mmap_sem); BUG_ON(atomic_read(&mm->mm_users) <= 0);

• if (IS_ENABLED(CONFIG_LOCKDEP)) {
  

•         fs_reclaim_acquire(GFP_KERNEL);
  

•         lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

•         lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

•         fs_reclaim_release(GFP_KERNEL);
  

• }
  

• if (!mm->notifier_subscriptions) {
          /*
           * kmalloc cannot be called under mm_take_all_locks(), but we
  

diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 13cc653122b7..f8a222db4a53 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -57,6 +57,7 @@ #include <trace/events/oom.h> #include <linux/prefetch.h> #include <linux/mm_inline.h> +#include <linux/mmu_notifier.h> #include <linux/migrate.h> #include <linux/hugetlb.h> #include <linux/sched/rt.h> @@ -4124,7 +4125,7 @@ should_compact_retry(struct alloc_context *ac, unsigned int order, int alloc_fla static struct lockdep_map __fs_reclaim_map = STATIC_LOCKDEP_MAP_INIT("fs_reclaim", &__fs_reclaim_map);

-static bool __need_fs_reclaim(gfp_t gfp_mask) +static bool __need_reclaim(gfp_t gfp_mask) { gfp_mask = current_gfp_context(gfp_mask);

@@ -4136,10 +4137,6 @@ static bool __need_fs_reclaim(gfp_t gfp_mask) if (current->flags & PF_MEMALLOC) return false;

• /* We're only interested __GFP_FS allocations for now */
  

• if (!(gfp_mask & __GFP_FS))
  

•         return false;
  

• if (gfp_mask & __GFP_NOLOCKDEP)
          return false;
  
  

@@ -4158,15 +4155,23 @@ void __fs_reclaim_release(void)

void fs_reclaim_acquire(gfp_t gfp_mask) {

• if (__need_fs_reclaim(gfp_mask))
  

•         __fs_reclaim_acquire();
  

• if (__need_reclaim(gfp_mask)) {
  

•         if (!(gfp_mask & __GFP_FS))
  

•                 __fs_reclaim_acquire();
  

•         lock_map_acquire(&__mmu_notifier_invalidate_range_start_map);
  

•         lock_map_release(&__mmu_notifier_invalidate_range_start_map);
  

• }
  

} EXPORT_SYMBOL_GPL(fs_reclaim_acquire);

void fs_reclaim_release(gfp_t gfp_mask) {

• if (__need_fs_reclaim(gfp_mask))
  

•         __fs_reclaim_release();
  

• if (__need_reclaim(gfp_mask)) {
  

•         if (!(gfp_mask & __GFP_FS))
  

•                 __fs_reclaim_release();
  

• }
  

} EXPORT_SYMBOL_GPL(fs_reclaim_release);

#endif

2.26.2

-- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch

On Fri, Jun 12, 2020 at 09:05:35AM +0200, Daniel Vetter wrote:

Just some tiny edits:

• fix link to struct dma_fence
• give slightly more meaningful title - the polling here is about implicit fences, explicit fences (in sync_file or drm_syncobj) also have their own polling

v2: I misplaced the .rst include change corresponding to this patch.

Reviewed-by: Thomas Hellstrom thomas.hellstrom@intel.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

I went ahead and merged this one, shouldn't be the controversial part of the series :-) -Daniel

---

Documentation/driver-api/dma-buf.rst | 6 +++--- drivers/dma-buf/dma-buf.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst index 63dec76d1d8d..7fb7b661febd 100644 --- a/Documentation/driver-api/dma-buf.rst +++ b/Documentation/driver-api/dma-buf.rst @@ -100,11 +100,11 @@ CPU Access to DMA Buffer Objects .. kernel-doc:: drivers/dma-buf/dma-buf.c :doc: cpu access

-Fence Poll Support -~~~~~~~~~~~~~~~~~~ +Implicit Fence Poll Support +~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. kernel-doc:: drivers/dma-buf/dma-buf.c

• :doc: fence polling

• :doc: implicit fence polling

Kernel Functions and Structures Reference

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 01ce125f8e8d..e018ef80451e 100644
--- a/drivers/dma-buf/dma-buf.c
+++ b/drivers/dma-buf/dma-buf.c
@@ -161,11 +161,11 @@ static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
}

/**
- * DOC: fence polling
+ * DOC: implicit fence polling
 *
 * To support cross-device and cross-driver synchronization of buffer access
- * implicit fences (represented internally in the kernel with &struct fence) can
- * be attached to a &dma_buf. The glue for that and a few related things are
+ * implicit fences (represented internally in the kernel with &struct dma_fence)
+ * can be attached to a &dma_buf. The glue for that and a few related things are
 * provided in the &dma_resv structure.
 *
 * Userspace can query the state of these implicitly tracked fences using poll()
-- 
2.26.2

On 6/4/20 10:12 AM, Daniel Vetter wrote: ...

Thread A:

mutex_lock(A); mutex_unlock(A);

dma_fence_signal();

Thread B:

mutex_lock(A); dma_fence_wait(); mutex_unlock(A);

Thread B is blocked on A signalling the fence, but A never gets around to that because it cannot acquire the lock A.

Note that dma_fence_wait() is allowed to be nested within dma_fence_begin/end_signalling sections. To allow this to happen the read lock needs to be upgraded to a write lock, which means that any other lock is acquired between the dma_fence_begin_signalling() call and the call to dma_fence_wait(), and still held, this will result in an immediate lockdep complaint. The only other option would be to not annotate such calls, defeating the point. Therefore these annotations cannot be sprinkled over the code entirely mindless to avoid false positives.

Just realized, isn't that example actually a true positive, or at least a great candidate for a true positive, since if another thread reenters that signaling path, it will block on that mutex, and the fence would never be signaled unless there is another signaling path?

Although I agree the conclusion is sound: These annotations cannot be sprinkled mindlessly over the code.

/Thomas

v2: handle soft/hardirq ctx better against write side and dont forget EXPORT_SYMBOL, drivers can't use this otherwise.

v3: Kerneldoc.

v4: Some spelling fixes from Mika

Cc: Mika Kuoppala mika.kuoppala@intel.com Cc: Thomas Hellstrom thomas.hellstrom@intel.com Cc: linux-media@vger.kernel.org Cc: linaro-mm-sig@lists.linaro.org Cc: linux-rdma@vger.kernel.org Cc: amd-gfx@lists.freedesktop.org Cc: intel-gfx@lists.freedesktop.org Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

---

Documentation/driver-api/dma-buf.rst | 12 +- drivers/dma-buf/dma-fence.c | 161 +++++++++++++++++++++++++++ include/linux/dma-fence.h | 12 ++ 3 files changed, 182 insertions(+), 3 deletions(-)

diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst index 63dec76d1d8d..05d856131140 100644 --- a/Documentation/driver-api/dma-buf.rst +++ b/Documentation/driver-api/dma-buf.rst @@ -100,11 +100,11 @@ CPU Access to DMA Buffer Objects .. kernel-doc:: drivers/dma-buf/dma-buf.c :doc: cpu access

-Fence Poll Support -~~~~~~~~~~~~~~~~~~ +Implicit Fence Poll Support +~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. kernel-doc:: drivers/dma-buf/dma-buf.c

• :doc: fence polling

• :doc: implicit fence polling

  Kernel Functions and Structures Reference

@@ -133,6 +133,12 @@ DMA Fences .. kernel-doc:: drivers/dma-buf/dma-fence.c :doc: DMA fences overview

+DMA Fence Signalling Annotations +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. kernel-doc:: drivers/dma-buf/dma-fence.c

• :doc: fence signalling annotation
• DMA Fences Functions Reference

diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c index 656e9ac2d028..0005bc002529 100644 --- a/drivers/dma-buf/dma-fence.c +++ b/drivers/dma-buf/dma-fence.c @@ -110,6 +110,160 @@ u64 dma_fence_context_alloc(unsigned num) } EXPORT_SYMBOL(dma_fence_context_alloc);

+/**

• • DOC: fence signalling annotation
• • Proving correctness of all the kernel code around &dma_fence through code
• • review and testing is tricky for a few reasons:
• • • It is a cross-driver contract, and therefore all drivers must follow the
• • same rules for lock nesting order, calling contexts for various functions
• • and anything else significant for in-kernel interfaces. But it is also
• • impossible to test all drivers in a single machine, hence brute-force N vs.
• • N testing of all combinations is impossible. Even just limiting to the
• • possible combinations is infeasible.
• • • There is an enormous amount of driver code involved. For render drivers
• • there's the tail of command submission, after fences are published,
• • scheduler code, interrupt and workers to process job completion,
• • and timeout, gpu reset and gpu hang recovery code. Plus for integration
• • with core mm with have &mmu_notifier, respectively &mmu_interval_notifier,
• • and &shrinker. For modesetting drivers there's the commit tail functions
• • between when fences for an atomic modeset are published, and when the
• • corresponding vblank completes, including any interrupt processing and
• • related workers. Auditing all that code, across all drivers, is not
• • feasible.
• • • Due to how many other subsystems are involved and the locking hierarchies
• • this pulls in there is extremely thin wiggle-room for driver-specific
• • differences. &dma_fence interacts with almost all of the core memory
• • handling through page fault handlers via &dma_resv, dma_resv_lock() and
• • dma_resv_unlock(). On the other side it also interacts through all
• • allocation sites through &mmu_notifier and &shrinker.
• • Furthermore lockdep does not handle cross-release dependencies, which means
• • any deadlocks between dma_fence_wait() and dma_fence_signal() can't be caught
• • at runtime with some quick testing. The simplest example is one thread
• • waiting on a &dma_fence while holding a lock::

• • lock(A);
    

• • dma_fence_wait(B);
    

• • unlock(A);
    

• • while the other thread is stuck trying to acquire the same lock, which
• • prevents it from signalling the fence the previous thread is stuck waiting
• • on::

• • lock(A);
    

• • unlock(A);
    

• • dma_fence_signal(B);
    

• • By manually annotating all code relevant to signalling a &dma_fence we can
• • teach lockdep about these dependencies, which also helps with the validation
• • headache since now lockdep can check all the rules for us::
• • cookie = dma_fence_begin_signalling();
• • lock(A);
• • unlock(A);
• • dma_fence_signal(B);
• • dma_fence_end_signalling(cookie);
• • For using dma_fence_begin_signalling() and dma_fence_end_signalling() to
• • annotate critical sections the following rules need to be observed:
• • • All code necessary to complete a &dma_fence must be annotated, from the
• • point where a fence is accessible to other threads, to the point where
• • dma_fence_signal() is called. Un-annotated code can contain deadlock issues,
• • and due to the very strict rules and many corner cases it is infeasible to
• • catch these just with review or normal stress testing.
• • • &struct dma_resv deserves a special note, since the readers are only
• • protected by rcu. This means the signalling critical section starts as soon
• • as the new fences are installed, even before dma_resv_unlock() is called.
• • • The only exception are fast paths and opportunistic signalling code, which
• • calls dma_fence_signal() purely as an optimization, but is not required to
• • guarantee completion of a &dma_fence. The usual example is a wait IOCTL
• • which calls dma_fence_signal(), while the mandatory completion path goes
• • through a hardware interrupt and possible job completion worker.
• • • To aid composability of code, the annotations can be freely nested, as long
• • as the overall locking hierarchy is consistent. The annotations also work
• • both in interrupt and process context. Due to implementation details this
• • requires that callers pass an opaque cookie from
• • dma_fence_begin_signalling() to dma_fence_end_signalling().
• • • Validation against the cross driver contract is implemented by priming
• • lockdep with the relevant hierarchy at boot-up. This means even just
• • testing with a single device is enough to validate a driver, at least as
• • far as deadlocks with dma_fence_wait() against dma_fence_signal() are
• • concerned.
• */

+#ifdef CONFIG_LOCKDEP +struct lockdep_map dma_fence_lockdep_map = {

• .name = "dma_fence_map"

+};

+/**

• • dma_fence_begin_signalling - begin a critical DMA fence signalling section
• • Drivers should use this to annotate the beginning of any code section
• • required to eventually complete &dma_fence by calling dma_fence_signal().
• • The end of these critical sections are annotated with
• • dma_fence_end_signalling().
• • Returns:
• • Opaque cookie needed by the implementation, which needs to be passed to
• • dma_fence_end_signalling().
• */

+bool dma_fence_begin_signalling(void) +{

• /* explicitly nesting ... */
• if (lock_is_held_type(&dma_fence_lockdep_map, 1))

• return true;
  

• /* rely on might_sleep check for soft/hardirq locks */
• if (in_atomic())

• return true;
  

• /* ... and non-recursive readlock */
• lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _RET_IP_);
• return false;

+} +EXPORT_SYMBOL(dma_fence_begin_signalling);

+/**

• • dma_fence_end_signalling - end a critical DMA fence signalling section
• • Closes a critical section annotation opened by dma_fence_begin_signalling().
• */

+void dma_fence_end_signalling(bool cookie) +{

• if (cookie)

• return;
  

• lock_release(&dma_fence_lockdep_map, _RET_IP_);

+} +EXPORT_SYMBOL(dma_fence_end_signalling);

+void __dma_fence_might_wait(void) +{

• bool tmp;
• tmp = lock_is_held_type(&dma_fence_lockdep_map, 1);
• if (tmp)

• lock_release(&dma_fence_lockdep_map, _THIS_IP_);
  

• lock_map_acquire(&dma_fence_lockdep_map);
• lock_map_release(&dma_fence_lockdep_map);
• if (tmp)

• lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _THIS_IP_);
  

+} +#endif

• /**
  • dma_fence_signal_locked - signal completion of a fence
  • @fence: the fence to signal

@@ -170,14 +324,19 @@ int dma_fence_signal(struct dma_fence *fence) { unsigned long flags; int ret;

• bool tmp;

  if (!fence) return -EINVAL;

• tmp = dma_fence_begin_signalling();

• spin_lock_irqsave(fence->lock, flags); ret = dma_fence_signal_locked(fence); spin_unlock_irqrestore(fence->lock, flags);

• dma_fence_end_signalling(tmp);

• return ret; } EXPORT_SYMBOL(dma_fence_signal);

@@ -210,6 +369,8 @@ dma_fence_wait_timeout(struct dma_fence *fence, bool intr, signed long timeout)

might_sleep();

• __dma_fence_might_wait();
• trace_dma_fence_wait_start(fence); if (fence->ops->wait) ret = fence->ops->wait(fence, intr, timeout);

diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h index 3347c54f3a87..3f288f7db2ef 100644 --- a/include/linux/dma-fence.h +++ b/include/linux/dma-fence.h @@ -357,6 +357,18 @@ dma_fence_get_rcu_safe(struct dma_fence __rcu **fencep) } while (1); }

+#ifdef CONFIG_LOCKDEP +bool dma_fence_begin_signalling(void); +void dma_fence_end_signalling(bool cookie); +#else +static inline bool dma_fence_begin_signalling(void) +{

• return true;

+} +static inline void dma_fence_end_signalling(bool cookie) {} +static inline void __dma_fence_might_wait(void) {} +#endif

• int dma_fence_signal(struct dma_fence *fence); int dma_fence_signal_locked(struct dma_fence *fence); signed long dma_fence_default_wait(struct dma_fence *fence,

Design is similar to the lockdep annotations for workers, but with some twists:

- We use a read-lock for the execution/worker/completion side, so that this explicit annotation can be more liberally sprinkled around. With read locks lockdep isn't going to complain if the read-side isn't nested the same way under all circumstances, so ABBA deadlocks are ok. Which they are, since this is an annotation only.

- We're using non-recursive lockdep read lock mode, since in recursive read lock mode lockdep does not catch read side hazards. And we _very_ much want read side hazards to be caught. For full details of this limitation see

commit e91498589746065e3ae95d9a00b068e525eec34f Author: Peter Zijlstra peterz@infradead.org Date: Wed Aug 23 13:13:11 2017 +0200

locking/lockdep/selftests: Add mixed read-write ABBA tests

- To allow nesting of the read-side explicit annotations we explicitly keep track of the nesting. lock_is_held() allows us to do that.

- The wait-side annotation is a write lock, and entirely done within dma_fence_wait() for everyone by default.

- To be able to freely annotate helper functions I want to make it ok to call dma_fence_begin/end_signalling from soft/hardirq context. First attempt was using the hardirq locking context for the write side in lockdep, but this forces all normal spinlocks nested within dma_fence_begin/end_signalling to be spinlocks. That bollocks.

The approach now is to simple check in_atomic(), and for these cases entirely rely on the might_sleep() check in dma_fence_wait(). That will catch any wrong nesting against spinlocks from soft/hardirq contexts.

The idea here is that every code path that's critical for eventually signalling a dma_fence should be annotated with dma_fence_begin/end_signalling. The annotation ideally starts right after a dma_fence is published (added to a dma_resv, exposed as a sync_file fd, attached to a drm_syncobj fd, or anything else that makes the dma_fence visible to other kernel threads), up to and including the dma_fence_wait(). Examples are irq handlers, the scheduler rt threads, the tail of execbuf (after the corresponding fences are visible), any workers that end up signalling dma_fences and really anything else. Not annotated should be code paths that only complete fences opportunistically as the gpu progresses, like e.g. shrinker/eviction code.

The main class of deadlocks this is supposed to catch are:

Thread A:

mutex_lock(A); mutex_unlock(A);

dma_fence_signal();

Thread B:

mutex_lock(A); dma_fence_wait(); mutex_unlock(A);

Thread B is blocked on A signalling the fence, but A never gets around to that because it cannot acquire the lock A.

Note that dma_fence_wait() is allowed to be nested within dma_fence_begin/end_signalling sections. To allow this to happen the read lock needs to be upgraded to a write lock, which means that any other lock is acquired between the dma_fence_begin_signalling() call and the call to dma_fence_wait(), and still held, this will result in an immediate lockdep complaint. The only other option would be to not annotate such calls, defeating the point. Therefore these annotations cannot be sprinkled over the code entirely mindless to avoid false positives.

Originally I hope that the cross-release lockdep extensions would alleviate the need for explicit annotations:

https://lwn.net/Articles/709849/

But there's a few reasons why that's not an option:

- It's not happening in upstream, since it got reverted due to too many false positives:

commit e966eaeeb623f09975ef362c2866fae6f86844f9 Author: Ingo Molnar mingo@kernel.org Date: Tue Dec 12 12:31:16 2017 +0100

locking/lockdep: Remove the cross-release locking checks

This code (CONFIG_LOCKDEP_CROSSRELEASE=y and CONFIG_LOCKDEP_COMPLETIONS=y), while it found a number of old bugs initially, was also causing too many false positives that caused people to disable lockdep - which is arguably a worse overall outcome.

- cross-release uses the complete() call to annotate the end of critical sections, for dma_fence that would be dma_fence_signal(). But we do not want all dma_fence_signal() calls to be treated as critical, since many are opportunistic cleanup of gpu requests. If these get stuck there's still the main completion interrupt and workers who can unblock everyone. Automatically annotating all dma_fence_signal() calls would hence cause false positives.

- cross-release had some educated guesses for when a critical section starts, like fresh syscall or fresh work callback. This would again cause false positives without explicit annotations, since for dma_fence the critical sections only starts when we publish a fence.

- Furthermore there can be cases where a thread never does a dma_fence_signal, but is still critical for reaching completion of fences. One example would be a scheduler kthread which picks up jobs and pushes them into hardware, where the interrupt handler or another completion thread calls dma_fence_signal(). But if the scheduler thread hangs, then all the fences hang, hence we need to manually annotate it. cross-release aimed to solve this by chaining cross-release dependencies, but the dependency from scheduler thread to the completion interrupt handler goes through hw where cross-release code can't observe it.

In short, without manual annotations and careful review of the start and end of critical sections, cross-relese dependency tracking doesn't work. We need explicit annotations.

v2: handle soft/hardirq ctx better against write side and dont forget EXPORT_SYMBOL, drivers can't use this otherwise.

v3: Kerneldoc.

v4: Some spelling fixes from Mika

v5: Amend commit message to explain in detail why cross-release isn't the solution.

Cc: Mika Kuoppala mika.kuoppala@intel.com Cc: Thomas Hellstrom thomas.hellstrom@intel.com Cc: linux-media@vger.kernel.org Cc: linaro-mm-sig@lists.linaro.org Cc: linux-rdma@vger.kernel.org Cc: amd-gfx@lists.freedesktop.org Cc: intel-gfx@lists.freedesktop.org Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com --- Documentation/driver-api/dma-buf.rst | 12 +- drivers/dma-buf/dma-fence.c | 161 +++++++++++++++++++++++++++ include/linux/dma-fence.h | 12 ++ 3 files changed, 182 insertions(+), 3 deletions(-)

diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst index 63dec76d1d8d..05d856131140 100644 --- a/Documentation/driver-api/dma-buf.rst +++ b/Documentation/driver-api/dma-buf.rst @@ -100,11 +100,11 @@ CPU Access to DMA Buffer Objects .. kernel-doc:: drivers/dma-buf/dma-buf.c :doc: cpu access

-Fence Poll Support -~~~~~~~~~~~~~~~~~~ +Implicit Fence Poll Support +~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. kernel-doc:: drivers/dma-buf/dma-buf.c - :doc: fence polling + :doc: implicit fence polling

Kernel Functions and Structures Reference ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -133,6 +133,12 @@ DMA Fences .. kernel-doc:: drivers/dma-buf/dma-fence.c :doc: DMA fences overview

+DMA Fence Signalling Annotations +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. kernel-doc:: drivers/dma-buf/dma-fence.c + :doc: fence signalling annotation + DMA Fences Functions Reference ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c index 656e9ac2d028..0005bc002529 100644 --- a/drivers/dma-buf/dma-fence.c +++ b/drivers/dma-buf/dma-fence.c @@ -110,6 +110,160 @@ u64 dma_fence_context_alloc(unsigned num) } EXPORT_SYMBOL(dma_fence_context_alloc);

+/** + * DOC: fence signalling annotation + * + * Proving correctness of all the kernel code around &dma_fence through code + * review and testing is tricky for a few reasons: + * + * * It is a cross-driver contract, and therefore all drivers must follow the + * same rules for lock nesting order, calling contexts for various functions + * and anything else significant for in-kernel interfaces. But it is also + * impossible to test all drivers in a single machine, hence brute-force N vs. + * N testing of all combinations is impossible. Even just limiting to the + * possible combinations is infeasible. + * + * * There is an enormous amount of driver code involved. For render drivers + * there's the tail of command submission, after fences are published, + * scheduler code, interrupt and workers to process job completion, + * and timeout, gpu reset and gpu hang recovery code. Plus for integration + * with core mm with have &mmu_notifier, respectively &mmu_interval_notifier, + * and &shrinker. For modesetting drivers there's the commit tail functions + * between when fences for an atomic modeset are published, and when the + * corresponding vblank completes, including any interrupt processing and + * related workers. Auditing all that code, across all drivers, is not + * feasible. + * + * * Due to how many other subsystems are involved and the locking hierarchies + * this pulls in there is extremely thin wiggle-room for driver-specific + * differences. &dma_fence interacts with almost all of the core memory + * handling through page fault handlers via &dma_resv, dma_resv_lock() and + * dma_resv_unlock(). On the other side it also interacts through all + * allocation sites through &mmu_notifier and &shrinker. + * + * Furthermore lockdep does not handle cross-release dependencies, which means + * any deadlocks between dma_fence_wait() and dma_fence_signal() can't be caught + * at runtime with some quick testing. The simplest example is one thread + * waiting on a &dma_fence while holding a lock:: + * + * lock(A); + * dma_fence_wait(B); + * unlock(A); + * + * while the other thread is stuck trying to acquire the same lock, which + * prevents it from signalling the fence the previous thread is stuck waiting + * on:: + * + * lock(A); + * unlock(A); + * dma_fence_signal(B); + * + * By manually annotating all code relevant to signalling a &dma_fence we can + * teach lockdep about these dependencies, which also helps with the validation + * headache since now lockdep can check all the rules for us:: + * + * cookie = dma_fence_begin_signalling(); + * lock(A); + * unlock(A); + * dma_fence_signal(B); + * dma_fence_end_signalling(cookie); + * + * For using dma_fence_begin_signalling() and dma_fence_end_signalling() to + * annotate critical sections the following rules need to be observed: + * + * * All code necessary to complete a &dma_fence must be annotated, from the + * point where a fence is accessible to other threads, to the point where + * dma_fence_signal() is called. Un-annotated code can contain deadlock issues, + * and due to the very strict rules and many corner cases it is infeasible to + * catch these just with review or normal stress testing. + * + * * &struct dma_resv deserves a special note, since the readers are only + * protected by rcu. This means the signalling critical section starts as soon + * as the new fences are installed, even before dma_resv_unlock() is called. + * + * * The only exception are fast paths and opportunistic signalling code, which + * calls dma_fence_signal() purely as an optimization, but is not required to + * guarantee completion of a &dma_fence. The usual example is a wait IOCTL + * which calls dma_fence_signal(), while the mandatory completion path goes + * through a hardware interrupt and possible job completion worker. + * + * * To aid composability of code, the annotations can be freely nested, as long + * as the overall locking hierarchy is consistent. The annotations also work + * both in interrupt and process context. Due to implementation details this + * requires that callers pass an opaque cookie from + * dma_fence_begin_signalling() to dma_fence_end_signalling(). + * + * * Validation against the cross driver contract is implemented by priming + * lockdep with the relevant hierarchy at boot-up. This means even just + * testing with a single device is enough to validate a driver, at least as + * far as deadlocks with dma_fence_wait() against dma_fence_signal() are + * concerned. + */ +#ifdef CONFIG_LOCKDEP +struct lockdep_map dma_fence_lockdep_map = { + .name = "dma_fence_map" +}; + +/** + * dma_fence_begin_signalling - begin a critical DMA fence signalling section + * + * Drivers should use this to annotate the beginning of any code section + * required to eventually complete &dma_fence by calling dma_fence_signal(). + * + * The end of these critical sections are annotated with + * dma_fence_end_signalling(). + * + * Returns: + * + * Opaque cookie needed by the implementation, which needs to be passed to + * dma_fence_end_signalling(). + */ +bool dma_fence_begin_signalling(void) +{ + /* explicitly nesting ... */ + if (lock_is_held_type(&dma_fence_lockdep_map, 1)) + return true; + + /* rely on might_sleep check for soft/hardirq locks */ + if (in_atomic()) + return true; + + /* ... and non-recursive readlock */ + lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _RET_IP_); + + return false; +} +EXPORT_SYMBOL(dma_fence_begin_signalling); + +/** + * dma_fence_end_signalling - end a critical DMA fence signalling section + * + * Closes a critical section annotation opened by dma_fence_begin_signalling(). + */ +void dma_fence_end_signalling(bool cookie) +{ + if (cookie) + return; + + lock_release(&dma_fence_lockdep_map, _RET_IP_); +} +EXPORT_SYMBOL(dma_fence_end_signalling); + +void __dma_fence_might_wait(void) +{ + bool tmp; + + tmp = lock_is_held_type(&dma_fence_lockdep_map, 1); + if (tmp) + lock_release(&dma_fence_lockdep_map, _THIS_IP_); + lock_map_acquire(&dma_fence_lockdep_map); + lock_map_release(&dma_fence_lockdep_map); + if (tmp) + lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _THIS_IP_); +} +#endif + + /** * dma_fence_signal_locked - signal completion of a fence * @fence: the fence to signal @@ -170,14 +324,19 @@ int dma_fence_signal(struct dma_fence *fence) { unsigned long flags; int ret; + bool tmp;

if (!fence) return -EINVAL;

+ tmp = dma_fence_begin_signalling(); + spin_lock_irqsave(fence->lock, flags); ret = dma_fence_signal_locked(fence); spin_unlock_irqrestore(fence->lock, flags);

+ dma_fence_end_signalling(tmp); + return ret; } EXPORT_SYMBOL(dma_fence_signal); @@ -210,6 +369,8 @@ dma_fence_wait_timeout(struct dma_fence *fence, bool intr, signed long timeout)

might_sleep();

+ __dma_fence_might_wait(); + trace_dma_fence_wait_start(fence); if (fence->ops->wait) ret = fence->ops->wait(fence, intr, timeout); diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h index 3347c54f3a87..3f288f7db2ef 100644 --- a/include/linux/dma-fence.h +++ b/include/linux/dma-fence.h @@ -357,6 +357,18 @@ dma_fence_get_rcu_safe(struct dma_fence __rcu **fencep) } while (1); }

+#ifdef CONFIG_LOCKDEP +bool dma_fence_begin_signalling(void); +void dma_fence_end_signalling(bool cookie); +#else +static inline bool dma_fence_begin_signalling(void) +{ + return true; +} +static inline void dma_fence_end_signalling(bool cookie) {} +static inline void __dma_fence_might_wait(void) {} +#endif + int dma_fence_signal(struct dma_fence *fence); int dma_fence_signal_locked(struct dma_fence *fence); signed long dma_fence_default_wait(struct dma_fence *fence,

Op 05-06-2020 om 15:29 schreef Daniel Vetter:

Design is similar to the lockdep annotations for workers, but with some twists:

• We use a read-lock for the execution/worker/completion side, so that this explicit annotation can be more liberally sprinkled around. With read locks lockdep isn't going to complain if the read-side isn't nested the same way under all circumstances, so ABBA deadlocks are ok. Which they are, since this is an annotation only.

• We're using non-recursive lockdep read lock mode, since in recursive read lock mode lockdep does not catch read side hazards. And we _very_ much want read side hazards to be caught. For full details of this limitation see

  commit e91498589746065e3ae95d9a00b068e525eec34f Author: Peter Zijlstra peterz@infradead.org Date: Wed Aug 23 13:13:11 2017 +0200

  locking/lockdep/selftests: Add mixed read-write ABBA tests
  
  

• To allow nesting of the read-side explicit annotations we explicitly keep track of the nesting. lock_is_held() allows us to do that.

• The wait-side annotation is a write lock, and entirely done within dma_fence_wait() for everyone by default.

• To be able to freely annotate helper functions I want to make it ok to call dma_fence_begin/end_signalling from soft/hardirq context. First attempt was using the hardirq locking context for the write side in lockdep, but this forces all normal spinlocks nested within dma_fence_begin/end_signalling to be spinlocks. That bollocks.

  The approach now is to simple check in_atomic(), and for these cases entirely rely on the might_sleep() check in dma_fence_wait(). That will catch any wrong nesting against spinlocks from soft/hardirq contexts.

The idea here is that every code path that's critical for eventually signalling a dma_fence should be annotated with dma_fence_begin/end_signalling. The annotation ideally starts right after a dma_fence is published (added to a dma_resv, exposed as a sync_file fd, attached to a drm_syncobj fd, or anything else that makes the dma_fence visible to other kernel threads), up to and including the dma_fence_wait(). Examples are irq handlers, the scheduler rt threads, the tail of execbuf (after the corresponding fences are visible), any workers that end up signalling dma_fences and really anything else. Not annotated should be code paths that only complete fences opportunistically as the gpu progresses, like e.g. shrinker/eviction code.

The main class of deadlocks this is supposed to catch are:

Thread A:

mutex_lock(A); mutex_unlock(A);

dma_fence_signal();

Thread B:

mutex_lock(A); dma_fence_wait(); mutex_unlock(A);

Thread B is blocked on A signalling the fence, but A never gets around to that because it cannot acquire the lock A.

Note that dma_fence_wait() is allowed to be nested within dma_fence_begin/end_signalling sections. To allow this to happen the read lock needs to be upgraded to a write lock, which means that any other lock is acquired between the dma_fence_begin_signalling() call and the call to dma_fence_wait(), and still held, this will result in an immediate lockdep complaint. The only other option would be to not annotate such calls, defeating the point. Therefore these annotations cannot be sprinkled over the code entirely mindless to avoid false positives.

Originally I hope that the cross-release lockdep extensions would alleviate the need for explicit annotations:

https://lwn.net/Articles/709849/

But there's a few reasons why that's not an option:

• It's not happening in upstream, since it got reverted due to too many false positives:

  commit e966eaeeb623f09975ef362c2866fae6f86844f9 Author: Ingo Molnar mingo@kernel.org Date: Tue Dec 12 12:31:16 2017 +0100

   locking/lockdep: Remove the cross-release locking checks
  
   This code (CONFIG_LOCKDEP_CROSSRELEASE=y and CONFIG_LOCKDEP_COMPLETIONS=y),
   while it found a number of old bugs initially, was also causing too many
   false positives that caused people to disable lockdep - which is arguably
   a worse overall outcome.
  
  

• cross-release uses the complete() call to annotate the end of critical sections, for dma_fence that would be dma_fence_signal(). But we do not want all dma_fence_signal() calls to be treated as critical, since many are opportunistic cleanup of gpu requests. If these get stuck there's still the main completion interrupt and workers who can unblock everyone. Automatically annotating all dma_fence_signal() calls would hence cause false positives.

• cross-release had some educated guesses for when a critical section starts, like fresh syscall or fresh work callback. This would again cause false positives without explicit annotations, since for dma_fence the critical sections only starts when we publish a fence.

• Furthermore there can be cases where a thread never does a dma_fence_signal, but is still critical for reaching completion of fences. One example would be a scheduler kthread which picks up jobs and pushes them into hardware, where the interrupt handler or another completion thread calls dma_fence_signal(). But if the scheduler thread hangs, then all the fences hang, hence we need to manually annotate it. cross-release aimed to solve this by chaining cross-release dependencies, but the dependency from scheduler thread to the completion interrupt handler goes through hw where cross-release code can't observe it.

In short, without manual annotations and careful review of the start and end of critical sections, cross-relese dependency tracking doesn't work. We need explicit annotations.

v2: handle soft/hardirq ctx better against write side and dont forget EXPORT_SYMBOL, drivers can't use this otherwise.

v3: Kerneldoc.

v4: Some spelling fixes from Mika

v5: Amend commit message to explain in detail why cross-release isn't the solution.

Cc: Mika Kuoppala mika.kuoppala@intel.com Cc: Thomas Hellstrom thomas.hellstrom@intel.com Cc: linux-media@vger.kernel.org Cc: linaro-mm-sig@lists.linaro.org Cc: linux-rdma@vger.kernel.org Cc: amd-gfx@lists.freedesktop.org Cc: intel-gfx@lists.freedesktop.org Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

---

Documentation/driver-api/dma-buf.rst | 12 +- drivers/dma-buf/dma-fence.c | 161 +++++++++++++++++++++++++++ include/linux/dma-fence.h | 12 ++ 3 files changed, 182 insertions(+), 3 deletions(-)

diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst index 63dec76d1d8d..05d856131140 100644 --- a/Documentation/driver-api/dma-buf.rst +++ b/Documentation/driver-api/dma-buf.rst @@ -100,11 +100,11 @@ CPU Access to DMA Buffer Objects .. kernel-doc:: drivers/dma-buf/dma-buf.c :doc: cpu access

-Fence Poll Support -~~~~~~~~~~~~~~~~~~ +Implicit Fence Poll Support +~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. kernel-doc:: drivers/dma-buf/dma-buf.c

• :doc: fence polling

• :doc: implicit fence polling

Kernel Functions and Structures Reference

@@ -133,6 +133,12 @@ DMA Fences
.. kernel-doc:: drivers/dma-buf/dma-fence.c
   :doc: DMA fences overview

+DMA Fence Signalling Annotations
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. kernel-doc:: drivers/dma-buf/dma-fence.c
+   :doc: fence signalling annotation
+
DMA Fences Functions Reference
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
index 656e9ac2d028..0005bc002529 100644
--- a/drivers/dma-buf/dma-fence.c
+++ b/drivers/dma-buf/dma-fence.c
@@ -110,6 +110,160 @@ u64 dma_fence_context_alloc(unsigned num)
}
EXPORT_SYMBOL(dma_fence_context_alloc);

+/**
+ * DOC: fence signalling annotation
+ *
+ * Proving correctness of all the kernel code around &dma_fence through code
+ * review and testing is tricky for a few reasons:
+ *
+ * * It is a cross-driver contract, and therefore all drivers must follow the
+ *   same rules for lock nesting order, calling contexts for various functions
+ *   and anything else significant for in-kernel interfaces. But it is also
+ *   impossible to test all drivers in a single machine, hence brute-force N vs.
+ *   N testing of all combinations is impossible. Even just limiting to the
+ *   possible combinations is infeasible.
+ *
+ * * There is an enormous amount of driver code involved. For render drivers
+ *   there's the tail of command submission, after fences are published,
+ *   scheduler code, interrupt and workers to process job completion,
+ *   and timeout, gpu reset and gpu hang recovery code. Plus for integration
+ *   with core mm with have &mmu_notifier, respectively &mmu_interval_notifier,
+ *   and &shrinker. For modesetting drivers there's the commit tail functions
+ *   between when fences for an atomic modeset are published, and when the
+ *   corresponding vblank completes, including any interrupt processing and
+ *   related workers. Auditing all that code, across all drivers, is not
+ *   feasible.
+ *
+ * * Due to how many other subsystems are involved and the locking hierarchies
+ *   this pulls in there is extremely thin wiggle-room for driver-specific
+ *   differences. &dma_fence interacts with almost all of the core memory
+ *   handling through page fault handlers via &dma_resv, dma_resv_lock() and
+ *   dma_resv_unlock(). On the other side it also interacts through all
+ *   allocation sites through &mmu_notifier and &shrinker.
+ *
+ * Furthermore lockdep does not handle cross-release dependencies, which means
+ * any deadlocks between dma_fence_wait() and dma_fence_signal() can't be caught
+ * at runtime with some quick testing. The simplest example is one thread
+ * waiting on a &dma_fence while holding a lock::
+ *
+ *     lock(A);
+ *     dma_fence_wait(B);
+ *     unlock(A);
+ *
+ * while the other thread is stuck trying to acquire the same lock, which
+ * prevents it from signalling the fence the previous thread is stuck waiting
+ * on::
+ *
+ *     lock(A);
+ *     unlock(A);
+ *     dma_fence_signal(B);
+ *
+ * By manually annotating all code relevant to signalling a &dma_fence we can
+ * teach lockdep about these dependencies, which also helps with the validation
+ * headache since now lockdep can check all the rules for us::
+ *
+ *    cookie = dma_fence_begin_signalling();
+ *    lock(A);
+ *    unlock(A);
+ *    dma_fence_signal(B);
+ *    dma_fence_end_signalling(cookie);
+ *
+ * For using dma_fence_begin_signalling() and dma_fence_end_signalling() to
+ * annotate critical sections the following rules need to be observed:
+ *
+ * * All code necessary to complete a &dma_fence must be annotated, from the
+ *   point where a fence is accessible to other threads, to the point where
+ *   dma_fence_signal() is called. Un-annotated code can contain deadlock issues,
+ *   and due to the very strict rules and many corner cases it is infeasible to
+ *   catch these just with review or normal stress testing.
+ *
+ * * &struct dma_resv deserves a special note, since the readers are only
+ *   protected by rcu. This means the signalling critical section starts as soon
+ *   as the new fences are installed, even before dma_resv_unlock() is called.
+ *
+ * * The only exception are fast paths and opportunistic signalling code, which
+ *   calls dma_fence_signal() purely as an optimization, but is not required to
+ *   guarantee completion of a &dma_fence. The usual example is a wait IOCTL
+ *   which calls dma_fence_signal(), while the mandatory completion path goes
+ *   through a hardware interrupt and possible job completion worker.
+ *
+ * * To aid composability of code, the annotations can be freely nested, as long
+ *   as the overall locking hierarchy is consistent. The annotations also work
+ *   both in interrupt and process context. Due to implementation details this
+ *   requires that callers pass an opaque cookie from
+ *   dma_fence_begin_signalling() to dma_fence_end_signalling().
+ *
+ * * Validation against the cross driver contract is implemented by priming
+ *   lockdep with the relevant hierarchy at boot-up. This means even just
+ *   testing with a single device is enough to validate a driver, at least as
+ *   far as deadlocks with dma_fence_wait() against dma_fence_signal() are
+ *   concerned.
+ */
+#ifdef CONFIG_LOCKDEP
+struct lockdep_map	dma_fence_lockdep_map = {
+	.name = "dma_fence_map"
+};
+
+/**
+ * dma_fence_begin_signalling - begin a critical DMA fence signalling section
+ *
+ * Drivers should use this to annotate the beginning of any code section
+ * required to eventually complete &dma_fence by calling dma_fence_signal().
+ *
+ * The end of these critical sections are annotated with
+ * dma_fence_end_signalling().
+ *
+ * Returns:
+ *
+ * Opaque cookie needed by the implementation, which needs to be passed to
+ * dma_fence_end_signalling().
+ */
+bool dma_fence_begin_signalling(void)
+{
+	/* explicitly nesting ... */
+	if (lock_is_held_type(&dma_fence_lockdep_map, 1))
+		return true;
+
+	/* rely on might_sleep check for soft/hardirq locks */
+	if (in_atomic())
+		return true;
+
+	/* ... and non-recursive readlock */
+	lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _RET_IP_);
+
+	return false;
+}
+EXPORT_SYMBOL(dma_fence_begin_signalling);
+
+/**
+ * dma_fence_end_signalling - end a critical DMA fence signalling section
+ *
+ * Closes a critical section annotation opened by dma_fence_begin_signalling().
+ */
+void dma_fence_end_signalling(bool cookie)
+{
+	if (cookie)
+		return;
+
+	lock_release(&dma_fence_lockdep_map, _RET_IP_);
+}
+EXPORT_SYMBOL(dma_fence_end_signalling);
+
+void __dma_fence_might_wait(void)
+{
+	bool tmp;
+
+	tmp = lock_is_held_type(&dma_fence_lockdep_map, 1);
+	if (tmp)
+		lock_release(&dma_fence_lockdep_map, _THIS_IP_);
+	lock_map_acquire(&dma_fence_lockdep_map);
+	lock_map_release(&dma_fence_lockdep_map);
+	if (tmp)
+		lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _THIS_IP_);
+}
+#endif
+
+
/**
 * dma_fence_signal_locked - signal completion of a fence
 * @fence: the fence to signal
@@ -170,14 +324,19 @@ int dma_fence_signal(struct dma_fence *fence)
{
  unsigned long flags;
  int ret;
+	bool tmp;

  if (!fence)
  	return -EINVAL;

+	tmp = dma_fence_begin_signalling();
+
  spin_lock_irqsave(fence->lock, flags);
  ret = dma_fence_signal_locked(fence);
  spin_unlock_irqrestore(fence->lock, flags);

+	dma_fence_end_signalling(tmp);
+
  return ret;
}
EXPORT_SYMBOL(dma_fence_signal);
@@ -210,6 +369,8 @@ dma_fence_wait_timeout(struct dma_fence *fence, bool intr, signed long timeout)

  might_sleep();

+	__dma_fence_might_wait();
+
  trace_dma_fence_wait_start(fence);
  if (fence->ops->wait)
  	ret = fence->ops->wait(fence, intr, timeout);
diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h
index 3347c54f3a87..3f288f7db2ef 100644
--- a/include/linux/dma-fence.h
+++ b/include/linux/dma-fence.h
@@ -357,6 +357,18 @@ dma_fence_get_rcu_safe(struct dma_fence __rcu **fencep)
  } while (1);
}

+#ifdef CONFIG_LOCKDEP
+bool dma_fence_begin_signalling(void);
+void dma_fence_end_signalling(bool cookie);
+#else
+static inline bool dma_fence_begin_signalling(void)
+{
+	return true;
+}
+static inline void dma_fence_end_signalling(bool cookie) {}
+static inline void __dma_fence_might_wait(void) {}
+#endif
+
int dma_fence_signal(struct dma_fence *fence);
int dma_fence_signal_locked(struct dma_fence *fence);
signed long dma_fence_default_wait(struct dma_fence *fence,

As original author of dma-fence, I enjoy seeing more lockdep annotations. Fence was always meant to be cross-driver, so strict driver annotations that can be verified by lockdep are a good thing. Because drivers have to interact with other drivers that use dma-fence, the rules must be the same for everyone, and the above code makes sense.

Reviewed-by: Maarten Lankhorst maarten.lankhorst@linux.intel.com

On Wed, Jun 10, 2020 at 4:22 PM Tvrtko Ursulin tvrtko.ursulin@linux.intel.com wrote:

On 04/06/2020 09:12, Daniel Vetter wrote:

...

Design is similar to the lockdep annotations for workers, but with some twists:

• We use a read-lock for the execution/worker/completion side, so that this explicit annotation can be more liberally sprinkled around. With read locks lockdep isn't going to complain if the read-side isn't nested the same way under all circumstances, so ABBA deadlocks are ok. Which they are, since this is an annotation only.

• We're using non-recursive lockdep read lock mode, since in recursive read lock mode lockdep does not catch read side hazards. And we _very_ much want read side hazards to be caught. For full details of this limitation see

  commit e91498589746065e3ae95d9a00b068e525eec34f Author: Peter Zijlstra peterz@infradead.org Date: Wed Aug 23 13:13:11 2017 +0200

   locking/lockdep/selftests: Add mixed read-write ABBA tests
  
  

• To allow nesting of the read-side explicit annotations we explicitly keep track of the nesting. lock_is_held() allows us to do that.

• The wait-side annotation is a write lock, and entirely done within dma_fence_wait() for everyone by default.

• To be able to freely annotate helper functions I want to make it ok to call dma_fence_begin/end_signalling from soft/hardirq context. First attempt was using the hardirq locking context for the write side in lockdep, but this forces all normal spinlocks nested within dma_fence_begin/end_signalling to be spinlocks. That bollocks.

  The approach now is to simple check in_atomic(), and for these cases entirely rely on the might_sleep() check in dma_fence_wait(). That will catch any wrong nesting against spinlocks from soft/hardirq contexts.

The idea here is that every code path that's critical for eventually signalling a dma_fence should be annotated with dma_fence_begin/end_signalling. The annotation ideally starts right after a dma_fence is published (added to a dma_resv, exposed as a sync_file fd, attached to a drm_syncobj fd, or anything else that makes the dma_fence visible to other kernel threads), up to and including the dma_fence_wait(). Examples are irq handlers, the scheduler rt threads, the tail of execbuf (after the corresponding fences are visible), any workers that end up signalling dma_fences and really anything else. Not annotated should be code paths that only complete fences opportunistically as the gpu progresses, like e.g. shrinker/eviction code.

The main class of deadlocks this is supposed to catch are:

Thread A:

  mutex_lock(A);
  mutex_unlock(A);

  dma_fence_signal();

Thread B:

  mutex_lock(A);
  dma_fence_wait();
  mutex_unlock(A);

Thread B is blocked on A signalling the fence, but A never gets around to that because it cannot acquire the lock A.

Note that dma_fence_wait() is allowed to be nested within dma_fence_begin/end_signalling sections. To allow this to happen the read lock needs to be upgraded to a write lock, which means that any other lock is acquired between the dma_fence_begin_signalling() call and the call to dma_fence_wait(), and still held, this will result in an immediate lockdep complaint. The only other option would be to not annotate such calls, defeating the point. Therefore these annotations cannot be sprinkled over the code entirely mindless to avoid false positives.

v2: handle soft/hardirq ctx better against write side and dont forget EXPORT_SYMBOL, drivers can't use this otherwise.

v3: Kerneldoc.

v4: Some spelling fixes from Mika

Cc: Mika Kuoppala mika.kuoppala@intel.com Cc: Thomas Hellstrom thomas.hellstrom@intel.com Cc: linux-media@vger.kernel.org Cc: linaro-mm-sig@lists.linaro.org Cc: linux-rdma@vger.kernel.org Cc: amd-gfx@lists.freedesktop.org Cc: intel-gfx@lists.freedesktop.org Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

---

Documentation/driver-api/dma-buf.rst | 12 +- drivers/dma-buf/dma-fence.c | 161 +++++++++++++++++++++++++++ include/linux/dma-fence.h | 12 ++ 3 files changed, 182 insertions(+), 3 deletions(-)

diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst index 63dec76d1d8d..05d856131140 100644 --- a/Documentation/driver-api/dma-buf.rst +++ b/Documentation/driver-api/dma-buf.rst @@ -100,11 +100,11 @@ CPU Access to DMA Buffer Objects .. kernel-doc:: drivers/dma-buf/dma-buf.c :doc: cpu access

-Fence Poll Support -~~~~~~~~~~~~~~~~~~ +Implicit Fence Poll Support +~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. kernel-doc:: drivers/dma-buf/dma-buf.c

• :doc: fence polling

• :doc: implicit fence polling

  Kernel Functions and Structures Reference

@@ -133,6 +133,12 @@ DMA Fences .. kernel-doc:: drivers/dma-buf/dma-fence.c :doc: DMA fences overview

+DMA Fence Signalling Annotations +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. kernel-doc:: drivers/dma-buf/dma-fence.c

• :doc: fence signalling annotation
• DMA Fences Functions Reference

diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c index 656e9ac2d028..0005bc002529 100644 --- a/drivers/dma-buf/dma-fence.c +++ b/drivers/dma-buf/dma-fence.c @@ -110,6 +110,160 @@ u64 dma_fence_context_alloc(unsigned num) } EXPORT_SYMBOL(dma_fence_context_alloc);

+/**

• • DOC: fence signalling annotation
• • Proving correctness of all the kernel code around &dma_fence through code
• • review and testing is tricky for a few reasons:
• • • It is a cross-driver contract, and therefore all drivers must follow the
• • same rules for lock nesting order, calling contexts for various functions
• • and anything else significant for in-kernel interfaces. But it is also
• • impossible to test all drivers in a single machine, hence brute-force N vs.
• • N testing of all combinations is impossible. Even just limiting to the
• • possible combinations is infeasible.
• • • There is an enormous amount of driver code involved. For render drivers
• • there's the tail of command submission, after fences are published,
• • scheduler code, interrupt and workers to process job completion,
• • and timeout, gpu reset and gpu hang recovery code. Plus for integration
• • with core mm with have &mmu_notifier, respectively &mmu_interval_notifier,
• • and &shrinker. For modesetting drivers there's the commit tail functions
• • between when fences for an atomic modeset are published, and when the
• • corresponding vblank completes, including any interrupt processing and
• • related workers. Auditing all that code, across all drivers, is not
• • feasible.
• • • Due to how many other subsystems are involved and the locking hierarchies
• • this pulls in there is extremely thin wiggle-room for driver-specific
• • differences. &dma_fence interacts with almost all of the core memory
• • handling through page fault handlers via &dma_resv, dma_resv_lock() and
• • dma_resv_unlock(). On the other side it also interacts through all
• • allocation sites through &mmu_notifier and &shrinker.
• • Furthermore lockdep does not handle cross-release dependencies, which means
• • any deadlocks between dma_fence_wait() and dma_fence_signal() can't be caught
• • at runtime with some quick testing. The simplest example is one thread
• • waiting on a &dma_fence while holding a lock::

• • lock(A);
    

• • dma_fence_wait(B);
    

• • unlock(A);
    

• • while the other thread is stuck trying to acquire the same lock, which
• • prevents it from signalling the fence the previous thread is stuck waiting
• • on::

• • lock(A);
    

• • unlock(A);
    

• • dma_fence_signal(B);
    

• • By manually annotating all code relevant to signalling a &dma_fence we can
• • teach lockdep about these dependencies, which also helps with the validation
• • headache since now lockdep can check all the rules for us::
• • cookie = dma_fence_begin_signalling();
• • lock(A);
• • unlock(A);
• • dma_fence_signal(B);
• • dma_fence_end_signalling(cookie);
• • For using dma_fence_begin_signalling() and dma_fence_end_signalling() to
• • annotate critical sections the following rules need to be observed:
• • • All code necessary to complete a &dma_fence must be annotated, from the
• • point where a fence is accessible to other threads, to the point where
• • dma_fence_signal() is called. Un-annotated code can contain deadlock issues,
• • and due to the very strict rules and many corner cases it is infeasible to
• • catch these just with review or normal stress testing.
• • • &struct dma_resv deserves a special note, since the readers are only
• • protected by rcu. This means the signalling critical section starts as soon
• • as the new fences are installed, even before dma_resv_unlock() is called.
• • • The only exception are fast paths and opportunistic signalling code, which
• • calls dma_fence_signal() purely as an optimization, but is not required to
• • guarantee completion of a &dma_fence. The usual example is a wait IOCTL
• • which calls dma_fence_signal(), while the mandatory completion path goes
• • through a hardware interrupt and possible job completion worker.
• • • To aid composability of code, the annotations can be freely nested, as long
• • as the overall locking hierarchy is consistent. The annotations also work
• • both in interrupt and process context. Due to implementation details this
• • requires that callers pass an opaque cookie from
• • dma_fence_begin_signalling() to dma_fence_end_signalling().
• • • Validation against the cross driver contract is implemented by priming
• • lockdep with the relevant hierarchy at boot-up. This means even just
• • testing with a single device is enough to validate a driver, at least as
• • far as deadlocks with dma_fence_wait() against dma_fence_signal() are
• • concerned.
• */

+#ifdef CONFIG_LOCKDEP +struct lockdep_map dma_fence_lockdep_map = {

• .name = "dma_fence_map"
  

+};

Maybe a stupid question because this is definitely complicated, but.. If you have a single/static/global lockdep map, doesn't this mean _all_ locks, from _all_ drivers happening to use dma-fences will get recorded in it. Will this work and not cause false positives?

Sounds like it could create a common link between two completely unconnected usages. Because below you do add annotations to generic dma_fence_signal and dma_fence_wait.

This is fully intentional. dma-fence is a cross-driver interface, if every driver invents its own rules about how this should work we have an unmaintainable and unreviewable mess.

I've typed up the full length rant already here:

https://lore.kernel.org/dri-devel/CAKMK7uGnFhbpuurRsnZ4dvRV9gQ_3-rmSJaoqSFY=...

...

+/**

• • dma_fence_begin_signalling - begin a critical DMA fence signalling section
• • Drivers should use this to annotate the beginning of any code section
• • required to eventually complete &dma_fence by calling dma_fence_signal().
• • The end of these critical sections are annotated with
• • dma_fence_end_signalling().
• • Returns:
• • Opaque cookie needed by the implementation, which needs to be passed to
• • dma_fence_end_signalling().
• */

+bool dma_fence_begin_signalling(void) +{

• /* explicitly nesting ... */
  

• if (lock_is_held_type(&dma_fence_lockdep_map, 1))
  

•         return true;
  

• /* rely on might_sleep check for soft/hardirq locks */
  

• if (in_atomic())
  

•         return true;
  

• /* ... and non-recursive readlock */
  

• lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _RET_IP_);
  

Would it work if signalling path would mark itself as a write lock? I am thinking it would be nice to see in lockdep splats what are signals and what are waits.

Yeah it'd be nice to have a read vs write name for the lock. But we already have this problem for e.g. flush_work(), from which I've stolen this idea. So it's not really new. Essentially look at the backtraces lockdep gives you, and reconstruct the deadlock. I'm hoping that people will notice the special functions on the backtrace, e.g. dma_fence_begin_signalling will be listed as offending function/lock holder, and then read the kerneldoc.

The recursive usage wouldn't work then right? Would write annotation on the wait path work?

Wait path is write annotations already, but yeah annotating the signalling side as write would cause endless amounts of alse positives. Also it makes composability of these e.g. what I've done in amdgpu with annotations in tdr work in drm/scheduler, annotations in the amdgpu gpu reset code and then also annotations in atomic code, which all nest within each other in some call chains, but not others. Dropping the recursion would break that and make it really awkward to annotate such cases correctly.

And the recursion only works if it's read locks, otherwise lockdep complains if you have inconsistent annotations on the signalling side (which again would make it more or less impossible to annotate the above case fully).

Cheers, Daniel

Regards,

Tvrtko

...

• return false;
  

+} +EXPORT_SYMBOL(dma_fence_begin_signalling);

+/**

• • dma_fence_end_signalling - end a critical DMA fence signalling section
• • Closes a critical section annotation opened by dma_fence_begin_signalling().
• */

+void dma_fence_end_signalling(bool cookie) +{

• if (cookie)
  

•         return;
  

• lock_release(&dma_fence_lockdep_map, _RET_IP_);
  

+} +EXPORT_SYMBOL(dma_fence_end_signalling);

+void __dma_fence_might_wait(void) +{

• bool tmp;
  

• tmp = lock_is_held_type(&dma_fence_lockdep_map, 1);
  

• if (tmp)
  

•         lock_release(&dma_fence_lockdep_map, _THIS_IP_);
  

• lock_map_acquire(&dma_fence_lockdep_map);
  

• lock_map_release(&dma_fence_lockdep_map);
  

• if (tmp)
  

•         lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _THIS_IP_);
  

+} +#endif

• /**
  • dma_fence_signal_locked - signal completion of a fence
  • @fence: the fence to signal

@@ -170,14 +324,19 @@ int dma_fence_signal(struct dma_fence *fence) { unsigned long flags; int ret;

• bool tmp;
  
  if (!fence)
          return -EINVAL;
  
  

• tmp = dma_fence_begin_signalling();
  

• spin_lock_irqsave(fence->lock, flags);
  ret = dma_fence_signal_locked(fence);
  spin_unlock_irqrestore(fence->lock, flags);
  
  

• dma_fence_end_signalling(tmp);
  

• return ret;
  

  } EXPORT_SYMBOL(dma_fence_signal);

@@ -210,6 +369,8 @@ dma_fence_wait_timeout(struct dma_fence *fence, bool intr, signed long timeout)

  might_sleep();

• __dma_fence_might_wait();
  

• trace_dma_fence_wait_start(fence);
  if (fence->ops->wait)
          ret = fence->ops->wait(fence, intr, timeout);
  

diff --git a/include/linux/dma-fence.h b/include/linux/dma-fence.h index 3347c54f3a87..3f288f7db2ef 100644 --- a/include/linux/dma-fence.h +++ b/include/linux/dma-fence.h @@ -357,6 +357,18 @@ dma_fence_get_rcu_safe(struct dma_fence __rcu **fencep) } while (1); }

+#ifdef CONFIG_LOCKDEP +bool dma_fence_begin_signalling(void); +void dma_fence_end_signalling(bool cookie); +#else +static inline bool dma_fence_begin_signalling(void) +{

• return true;
  

+} +static inline void dma_fence_end_signalling(bool cookie) {} +static inline void __dma_fence_might_wait(void) {} +#endif

• int dma_fence_signal(struct dma_fence *fence); int dma_fence_signal_locked(struct dma_fence *fence); signed long dma_fence_default_wait(struct dma_fence *fence,

On Thu, Jun 11, 2020 at 12:36 PM Tvrtko Ursulin tvrtko.ursulin@linux.intel.com wrote:

On 10/06/2020 16:17, Daniel Vetter wrote:

...

On Wed, Jun 10, 2020 at 4:22 PM Tvrtko Ursulin tvrtko.ursulin@linux.intel.com wrote:

...

On 04/06/2020 09:12, Daniel Vetter wrote:

...

Design is similar to the lockdep annotations for workers, but with some twists:

• We use a read-lock for the execution/worker/completion side, so that this explicit annotation can be more liberally sprinkled around. With read locks lockdep isn't going to complain if the read-side isn't nested the same way under all circumstances, so ABBA deadlocks are ok. Which they are, since this is an annotation only.

• We're using non-recursive lockdep read lock mode, since in recursive read lock mode lockdep does not catch read side hazards. And we _very_ much want read side hazards to be caught. For full details of this limitation see

  commit e91498589746065e3ae95d9a00b068e525eec34f Author: Peter Zijlstra peterz@infradead.org Date: Wed Aug 23 13:13:11 2017 +0200

    locking/lockdep/selftests: Add mixed read-write ABBA tests
  
  

• To allow nesting of the read-side explicit annotations we explicitly keep track of the nesting. lock_is_held() allows us to do that.

• The wait-side annotation is a write lock, and entirely done within dma_fence_wait() for everyone by default.

• To be able to freely annotate helper functions I want to make it ok to call dma_fence_begin/end_signalling from soft/hardirq context. First attempt was using the hardirq locking context for the write side in lockdep, but this forces all normal spinlocks nested within dma_fence_begin/end_signalling to be spinlocks. That bollocks.

  The approach now is to simple check in_atomic(), and for these cases entirely rely on the might_sleep() check in dma_fence_wait(). That will catch any wrong nesting against spinlocks from soft/hardirq contexts.

The idea here is that every code path that's critical for eventually signalling a dma_fence should be annotated with dma_fence_begin/end_signalling. The annotation ideally starts right after a dma_fence is published (added to a dma_resv, exposed as a sync_file fd, attached to a drm_syncobj fd, or anything else that makes the dma_fence visible to other kernel threads), up to and including the dma_fence_wait(). Examples are irq handlers, the scheduler rt threads, the tail of execbuf (after the corresponding fences are visible), any workers that end up signalling dma_fences and really anything else. Not annotated should be code paths that only complete fences opportunistically as the gpu progresses, like e.g. shrinker/eviction code.

The main class of deadlocks this is supposed to catch are:

Thread A:

   mutex_lock(A);
   mutex_unlock(A);

   dma_fence_signal();

Thread B:

   mutex_lock(A);
   dma_fence_wait();
   mutex_unlock(A);

Thread B is blocked on A signalling the fence, but A never gets around to that because it cannot acquire the lock A.

Note that dma_fence_wait() is allowed to be nested within dma_fence_begin/end_signalling sections. To allow this to happen the read lock needs to be upgraded to a write lock, which means that any other lock is acquired between the dma_fence_begin_signalling() call and the call to dma_fence_wait(), and still held, this will result in an immediate lockdep complaint. The only other option would be to not annotate such calls, defeating the point. Therefore these annotations cannot be sprinkled over the code entirely mindless to avoid false positives.

v2: handle soft/hardirq ctx better against write side and dont forget EXPORT_SYMBOL, drivers can't use this otherwise.

v3: Kerneldoc.

v4: Some spelling fixes from Mika

Cc: Mika Kuoppala mika.kuoppala@intel.com Cc: Thomas Hellstrom thomas.hellstrom@intel.com Cc: linux-media@vger.kernel.org Cc: linaro-mm-sig@lists.linaro.org Cc: linux-rdma@vger.kernel.org Cc: amd-gfx@lists.freedesktop.org Cc: intel-gfx@lists.freedesktop.org Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

---

Documentation/driver-api/dma-buf.rst | 12 +- drivers/dma-buf/dma-fence.c | 161 +++++++++++++++++++++++++++ include/linux/dma-fence.h | 12 ++ 3 files changed, 182 insertions(+), 3 deletions(-)

diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst index 63dec76d1d8d..05d856131140 100644 --- a/Documentation/driver-api/dma-buf.rst +++ b/Documentation/driver-api/dma-buf.rst @@ -100,11 +100,11 @@ CPU Access to DMA Buffer Objects .. kernel-doc:: drivers/dma-buf/dma-buf.c :doc: cpu access

-Fence Poll Support -~~~~~~~~~~~~~~~~~~ +Implicit Fence Poll Support +~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. kernel-doc:: drivers/dma-buf/dma-buf.c

• :doc: fence polling

• :doc: implicit fence polling

  Kernel Functions and Structures Reference

@@ -133,6 +133,12 @@ DMA Fences .. kernel-doc:: drivers/dma-buf/dma-fence.c :doc: DMA fences overview

+DMA Fence Signalling Annotations +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. kernel-doc:: drivers/dma-buf/dma-fence.c

• :doc: fence signalling annotation
• DMA Fences Functions Reference

diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c index 656e9ac2d028..0005bc002529 100644 --- a/drivers/dma-buf/dma-fence.c +++ b/drivers/dma-buf/dma-fence.c @@ -110,6 +110,160 @@ u64 dma_fence_context_alloc(unsigned num) } EXPORT_SYMBOL(dma_fence_context_alloc);

+/**

• • DOC: fence signalling annotation
• • Proving correctness of all the kernel code around &dma_fence through code
• • review and testing is tricky for a few reasons:
• • • It is a cross-driver contract, and therefore all drivers must follow the
• • same rules for lock nesting order, calling contexts for various functions
• • and anything else significant for in-kernel interfaces. But it is also
• • impossible to test all drivers in a single machine, hence brute-force N vs.
• • N testing of all combinations is impossible. Even just limiting to the
• • possible combinations is infeasible.
• • • There is an enormous amount of driver code involved. For render drivers
• • there's the tail of command submission, after fences are published,
• • scheduler code, interrupt and workers to process job completion,
• • and timeout, gpu reset and gpu hang recovery code. Plus for integration
• • with core mm with have &mmu_notifier, respectively &mmu_interval_notifier,
• • and &shrinker. For modesetting drivers there's the commit tail functions
• • between when fences for an atomic modeset are published, and when the
• • corresponding vblank completes, including any interrupt processing and
• • related workers. Auditing all that code, across all drivers, is not
• • feasible.
• • • Due to how many other subsystems are involved and the locking hierarchies
• • this pulls in there is extremely thin wiggle-room for driver-specific
• • differences. &dma_fence interacts with almost all of the core memory
• • handling through page fault handlers via &dma_resv, dma_resv_lock() and
• • dma_resv_unlock(). On the other side it also interacts through all
• • allocation sites through &mmu_notifier and &shrinker.
• • Furthermore lockdep does not handle cross-release dependencies, which means
• • any deadlocks between dma_fence_wait() and dma_fence_signal() can't be caught
• • at runtime with some quick testing. The simplest example is one thread
• • waiting on a &dma_fence while holding a lock::

• • lock(A);
    

• • dma_fence_wait(B);
    

• • unlock(A);
    

• • while the other thread is stuck trying to acquire the same lock, which
• • prevents it from signalling the fence the previous thread is stuck waiting
• • on::

• • lock(A);
    

• • unlock(A);
    

• • dma_fence_signal(B);
    

• • By manually annotating all code relevant to signalling a &dma_fence we can
• • teach lockdep about these dependencies, which also helps with the validation
• • headache since now lockdep can check all the rules for us::
• • cookie = dma_fence_begin_signalling();
• • lock(A);
• • unlock(A);
• • dma_fence_signal(B);
• • dma_fence_end_signalling(cookie);
• • For using dma_fence_begin_signalling() and dma_fence_end_signalling() to
• • annotate critical sections the following rules need to be observed:
• • • All code necessary to complete a &dma_fence must be annotated, from the
• • point where a fence is accessible to other threads, to the point where
• • dma_fence_signal() is called. Un-annotated code can contain deadlock issues,
• • and due to the very strict rules and many corner cases it is infeasible to
• • catch these just with review or normal stress testing.
• • • &struct dma_resv deserves a special note, since the readers are only
• • protected by rcu. This means the signalling critical section starts as soon
• • as the new fences are installed, even before dma_resv_unlock() is called.
• • • The only exception are fast paths and opportunistic signalling code, which
• • calls dma_fence_signal() purely as an optimization, but is not required to
• • guarantee completion of a &dma_fence. The usual example is a wait IOCTL
• • which calls dma_fence_signal(), while the mandatory completion path goes
• • through a hardware interrupt and possible job completion worker.
• • • To aid composability of code, the annotations can be freely nested, as long
• • as the overall locking hierarchy is consistent. The annotations also work
• • both in interrupt and process context. Due to implementation details this
• • requires that callers pass an opaque cookie from
• • dma_fence_begin_signalling() to dma_fence_end_signalling().
• • • Validation against the cross driver contract is implemented by priming
• • lockdep with the relevant hierarchy at boot-up. This means even just
• • testing with a single device is enough to validate a driver, at least as
• • far as deadlocks with dma_fence_wait() against dma_fence_signal() are
• • concerned.
• */

+#ifdef CONFIG_LOCKDEP +struct lockdep_map dma_fence_lockdep_map = {

• .name = "dma_fence_map"
  

+};

Maybe a stupid question because this is definitely complicated, but.. If you have a single/static/global lockdep map, doesn't this mean _all_ locks, from _all_ drivers happening to use dma-fences will get recorded in it. Will this work and not cause false positives?

Sounds like it could create a common link between two completely unconnected usages. Because below you do add annotations to generic dma_fence_signal and dma_fence_wait.

This is fully intentional. dma-fence is a cross-driver interface, if every driver invents its own rules about how this should work we have an unmaintainable and unreviewable mess.

I've typed up the full length rant already here:

https://lore.kernel.org/dri-devel/CAKMK7uGnFhbpuurRsnZ4dvRV9gQ_3-rmSJaoqSFY=...

But "perfect storm" of:

• global fence lockmap
• mmu notifiers
• fs reclaim
• default annotations in dma_fence_signal / dma_fence_wait

Equals to anything ever using dma_fence will be in impossible chains with random other drivers, even if neither driver has code to export/share that fence.

Example from the CI run:

[25.918788] Chain exists of: fs_reclaim --> mmu_notifier_invalidate_range_start --> dma_fence_map [25.918794] Possible unsafe locking scenario: [25.918797] CPU0 CPU1 [25.918799] ---- ---- [25.918801] lock(dma_fence_map); [25.918803] lock(mmu_notifier_invalidate_range_start); [25.918807] lock(dma_fence_map); [25.918809] lock(fs_reclaim);

What about a dma_fence_export helper which would "arm" the annotations? It would be called as soon as the fence is exported. Maybe when added to dma_resv, or exported via sync_file, etc. Before that point begin/end_signaling and so would be no-ops.

Run CI without the i915 annotation patch, nothing breaks.

So we can gradually fix up existing code that doesn't quite get it right and move on.

...

...

...

+/**

• • dma_fence_begin_signalling - begin a critical DMA fence signalling section
• • Drivers should use this to annotate the beginning of any code section
• • required to eventually complete &dma_fence by calling dma_fence_signal().
• • The end of these critical sections are annotated with
• • dma_fence_end_signalling().
• • Returns:
• • Opaque cookie needed by the implementation, which needs to be passed to
• • dma_fence_end_signalling().
• */

+bool dma_fence_begin_signalling(void) +{

• /* explicitly nesting ... */
  

• if (lock_is_held_type(&dma_fence_lockdep_map, 1))
  

•         return true;
  

• /* rely on might_sleep check for soft/hardirq locks */
  

• if (in_atomic())
  

•         return true;
  

• /* ... and non-recursive readlock */
  

• lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _RET_IP_);
  

Would it work if signalling path would mark itself as a write lock? I am thinking it would be nice to see in lockdep splats what are signals and what are waits.

Yeah it'd be nice to have a read vs write name for the lock. But we already have this problem for e.g. flush_work(), from which I've stolen this idea. So it's not really new. Essentially look at the backtraces lockdep gives you, and reconstruct the deadlock. I'm hoping that people will notice the special functions on the backtrace, e.g. dma_fence_begin_signalling will be listed as offending function/lock holder, and then read the kerneldoc.

...

The recursive usage wouldn't work then right? Would write annotation on the wait path work?

Wait path is write annotations already, but yeah annotating the signalling side as write would cause endless amounts of alse positives. Also it makes composability of these e.g. what I've done in amdgpu with annotations in tdr work in drm/scheduler, annotations in the amdgpu gpu reset code and then also annotations in atomic code, which all nest within each other in some call chains, but not others. Dropping the recursion would break that and make it really awkward to annotate such cases correctly.

And the recursion only works if it's read locks, otherwise lockdep complains if you have inconsistent annotations on the signalling side (which again would make it more or less impossible to annotate the above case fully).

How do I see in lockdep splats if it was a read or write user? Your patch appears to have:

dma_fence_signal:

•   lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _RET_IP_);
  
  

__dma_fence_might_wait:

•   lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _THIS_IP_);
  
  

Which both seem like read lock. I don't fully understand the lockdep API so I might be wrong, not sure. But neither I see a difference in splats telling me which path is which.

I think you got tricked by the implementation, this isn't quite what's going on. There's two things which make the annotations special:

- we want a recursive read lock on the signalling critical section. The problem is that lockdep doesn't implement full validation for recursive read locks, only non-recursive read/write locks fully validated. There's some checks for recursive read locks, but exactly the checks we need to catch common dma_fence_wait deadlocks aren't done. That's why we need to implement manual lock recursion on the reader side

- now on the write side we additionally need to implement an read2write upgrade, and a write2read downgrade. Lockdep doesn't implement that, so again we have to hand-roll this.

Let's go through the code line-by-line:

bool tmp;

tmp = lock_is_held_type(&dma_fence_lockdep_map, 1);

We check whether someone is holding the non-recursive read lock already.

if (tmp) lock_release(&dma_fence_lockdep_map, _THIS_IP_);

If that's the case, we drop that read lock.

lock_map_acquire(&dma_fence_lockdep_map);

Then we do the actual might_wait annotation, the above takes the full write lock ...

lock_map_release(&dma_fence_lockdep_map);

... and now we release the write lock again.

if (tmp) lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _THIS_IP_);

Finally we need to re-acquire the read lock, if we've held that when entering this function. This annotation naturally has to exactly match what begin_signalling would do, otherwise the hand-rolled nesting would fall apart.

I hope that explains what's going on here, and assures you that might_wait() is indeed a write lock annotation, but with a big pile of complications. -Daniel

On Thu, Jun 11, 2020 at 4:29 PM Tvrtko Ursulin tvrtko.ursulin@linux.intel.com wrote:

On 11/06/2020 12:29, Daniel Vetter wrote:

...

On Thu, Jun 11, 2020 at 12:36 PM Tvrtko Ursulin tvrtko.ursulin@linux.intel.com wrote:

...

On 10/06/2020 16:17, Daniel Vetter wrote:

...

On Wed, Jun 10, 2020 at 4:22 PM Tvrtko Ursulin tvrtko.ursulin@linux.intel.com wrote:

...

On 04/06/2020 09:12, Daniel Vetter wrote:

...

Design is similar to the lockdep annotations for workers, but with some twists:

• We use a read-lock for the execution/worker/completion side, so that this explicit annotation can be more liberally sprinkled around. With read locks lockdep isn't going to complain if the read-side isn't nested the same way under all circumstances, so ABBA deadlocks are ok. Which they are, since this is an annotation only.

• We're using non-recursive lockdep read lock mode, since in recursive read lock mode lockdep does not catch read side hazards. And we _very_ much want read side hazards to be caught. For full details of this limitation see

  commit e91498589746065e3ae95d9a00b068e525eec34f Author: Peter Zijlstra peterz@infradead.org Date: Wed Aug 23 13:13:11 2017 +0200

     locking/lockdep/selftests: Add mixed read-write ABBA tests
  
  

• To allow nesting of the read-side explicit annotations we explicitly keep track of the nesting. lock_is_held() allows us to do that.

• The wait-side annotation is a write lock, and entirely done within dma_fence_wait() for everyone by default.

• To be able to freely annotate helper functions I want to make it ok to call dma_fence_begin/end_signalling from soft/hardirq context. First attempt was using the hardirq locking context for the write side in lockdep, but this forces all normal spinlocks nested within dma_fence_begin/end_signalling to be spinlocks. That bollocks.

  The approach now is to simple check in_atomic(), and for these cases entirely rely on the might_sleep() check in dma_fence_wait(). That will catch any wrong nesting against spinlocks from soft/hardirq contexts.

The idea here is that every code path that's critical for eventually signalling a dma_fence should be annotated with dma_fence_begin/end_signalling. The annotation ideally starts right after a dma_fence is published (added to a dma_resv, exposed as a sync_file fd, attached to a drm_syncobj fd, or anything else that makes the dma_fence visible to other kernel threads), up to and including the dma_fence_wait(). Examples are irq handlers, the scheduler rt threads, the tail of execbuf (after the corresponding fences are visible), any workers that end up signalling dma_fences and really anything else. Not annotated should be code paths that only complete fences opportunistically as the gpu progresses, like e.g. shrinker/eviction code.

The main class of deadlocks this is supposed to catch are:

Thread A:

    mutex_lock(A);
    mutex_unlock(A);

    dma_fence_signal();

Thread B:

    mutex_lock(A);
    dma_fence_wait();
    mutex_unlock(A);

Thread B is blocked on A signalling the fence, but A never gets around to that because it cannot acquire the lock A.

Note that dma_fence_wait() is allowed to be nested within dma_fence_begin/end_signalling sections. To allow this to happen the read lock needs to be upgraded to a write lock, which means that any other lock is acquired between the dma_fence_begin_signalling() call and the call to dma_fence_wait(), and still held, this will result in an immediate lockdep complaint. The only other option would be to not annotate such calls, defeating the point. Therefore these annotations cannot be sprinkled over the code entirely mindless to avoid false positives.

v2: handle soft/hardirq ctx better against write side and dont forget EXPORT_SYMBOL, drivers can't use this otherwise.

v3: Kerneldoc.

v4: Some spelling fixes from Mika

Cc: Mika Kuoppala mika.kuoppala@intel.com Cc: Thomas Hellstrom thomas.hellstrom@intel.com Cc: linux-media@vger.kernel.org Cc: linaro-mm-sig@lists.linaro.org Cc: linux-rdma@vger.kernel.org Cc: amd-gfx@lists.freedesktop.org Cc: intel-gfx@lists.freedesktop.org Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Maarten Lankhorst maarten.lankhorst@linux.intel.com Cc: Christian König christian.koenig@amd.com Signed-off-by: Daniel Vetter daniel.vetter@intel.com

---

Documentation/driver-api/dma-buf.rst |  12 +-
drivers/dma-buf/dma-fence.c          | 161 +++++++++++++++++++++++++++
include/linux/dma-fence.h            |  12 ++
3 files changed, 182 insertions(+), 3 deletions(-)

diff --git a/Documentation/driver-api/dma-buf.rst b/Documentation/driver-api/dma-buf.rst index 63dec76d1d8d..05d856131140 100644 --- a/Documentation/driver-api/dma-buf.rst +++ b/Documentation/driver-api/dma-buf.rst @@ -100,11 +100,11 @@ CPU Access to DMA Buffer Objects .. kernel-doc:: drivers/dma-buf/dma-buf.c :doc: cpu access

-Fence Poll Support -~~~~~~~~~~~~~~~~~~ +Implicit Fence Poll Support +~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. kernel-doc:: drivers/dma-buf/dma-buf.c

• :doc: fence polling

• :doc: implicit fence polling

  Kernel Functions and Structures Reference

@@ -133,6 +133,12 @@ DMA Fences .. kernel-doc:: drivers/dma-buf/dma-fence.c :doc: DMA fences overview

+DMA Fence Signalling Annotations +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+.. kernel-doc:: drivers/dma-buf/dma-fence.c

• :doc: fence signalling annotation
• DMA Fences Functions Reference

diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c index 656e9ac2d028..0005bc002529 100644 --- a/drivers/dma-buf/dma-fence.c +++ b/drivers/dma-buf/dma-fence.c @@ -110,6 +110,160 @@ u64 dma_fence_context_alloc(unsigned num) } EXPORT_SYMBOL(dma_fence_context_alloc);

+/**

• • DOC: fence signalling annotation
• • Proving correctness of all the kernel code around &dma_fence through code
• • review and testing is tricky for a few reasons:
• • • It is a cross-driver contract, and therefore all drivers must follow the
• • same rules for lock nesting order, calling contexts for various functions
• • and anything else significant for in-kernel interfaces. But it is also
• • impossible to test all drivers in a single machine, hence brute-force N vs.
• • N testing of all combinations is impossible. Even just limiting to the
• • possible combinations is infeasible.
• • • There is an enormous amount of driver code involved. For render drivers
• • there's the tail of command submission, after fences are published,
• • scheduler code, interrupt and workers to process job completion,
• • and timeout, gpu reset and gpu hang recovery code. Plus for integration
• • with core mm with have &mmu_notifier, respectively &mmu_interval_notifier,
• • and &shrinker. For modesetting drivers there's the commit tail functions
• • between when fences for an atomic modeset are published, and when the
• • corresponding vblank completes, including any interrupt processing and
• • related workers. Auditing all that code, across all drivers, is not
• • feasible.
• • • Due to how many other subsystems are involved and the locking hierarchies
• • this pulls in there is extremely thin wiggle-room for driver-specific
• • differences. &dma_fence interacts with almost all of the core memory
• • handling through page fault handlers via &dma_resv, dma_resv_lock() and
• • dma_resv_unlock(). On the other side it also interacts through all
• • allocation sites through &mmu_notifier and &shrinker.
• • Furthermore lockdep does not handle cross-release dependencies, which means
• • any deadlocks between dma_fence_wait() and dma_fence_signal() can't be caught
• • at runtime with some quick testing. The simplest example is one thread
• • waiting on a &dma_fence while holding a lock::

• • lock(A);
    

• • dma_fence_wait(B);
    

• • unlock(A);
    

• • while the other thread is stuck trying to acquire the same lock, which
• • prevents it from signalling the fence the previous thread is stuck waiting
• • on::

• • lock(A);
    

• • unlock(A);
    

• • dma_fence_signal(B);
    

• • By manually annotating all code relevant to signalling a &dma_fence we can
• • teach lockdep about these dependencies, which also helps with the validation
• • headache since now lockdep can check all the rules for us::
• • cookie = dma_fence_begin_signalling();
• • lock(A);
• • unlock(A);
• • dma_fence_signal(B);
• • dma_fence_end_signalling(cookie);
• • For using dma_fence_begin_signalling() and dma_fence_end_signalling() to
• • annotate critical sections the following rules need to be observed:
• • • All code necessary to complete a &dma_fence must be annotated, from the
• • point where a fence is accessible to other threads, to the point where
• • dma_fence_signal() is called. Un-annotated code can contain deadlock issues,
• • and due to the very strict rules and many corner cases it is infeasible to
• • catch these just with review or normal stress testing.
• • • &struct dma_resv deserves a special note, since the readers are only
• • protected by rcu. This means the signalling critical section starts as soon
• • as the new fences are installed, even before dma_resv_unlock() is called.
• • • The only exception are fast paths and opportunistic signalling code, which
• • calls dma_fence_signal() purely as an optimization, but is not required to
• • guarantee completion of a &dma_fence. The usual example is a wait IOCTL
• • which calls dma_fence_signal(), while the mandatory completion path goes
• • through a hardware interrupt and possible job completion worker.
• • • To aid composability of code, the annotations can be freely nested, as long
• • as the overall locking hierarchy is consistent. The annotations also work
• • both in interrupt and process context. Due to implementation details this
• • requires that callers pass an opaque cookie from
• • dma_fence_begin_signalling() to dma_fence_end_signalling().
• • • Validation against the cross driver contract is implemented by priming
• • lockdep with the relevant hierarchy at boot-up. This means even just
• • testing with a single device is enough to validate a driver, at least as
• • far as deadlocks with dma_fence_wait() against dma_fence_signal() are
• • concerned.
• */

+#ifdef CONFIG_LOCKDEP +struct lockdep_map dma_fence_lockdep_map = {

• .name = "dma_fence_map"
  

+};

Maybe a stupid question because this is definitely complicated, but.. If you have a single/static/global lockdep map, doesn't this mean _all_ locks, from _all_ drivers happening to use dma-fences will get recorded in it. Will this work and not cause false positives?

Sounds like it could create a common link between two completely unconnected usages. Because below you do add annotations to generic dma_fence_signal and dma_fence_wait.

This is fully intentional. dma-fence is a cross-driver interface, if every driver invents its own rules about how this should work we have an unmaintainable and unreviewable mess.

I've typed up the full length rant already here:

https://lore.kernel.org/dri-devel/CAKMK7uGnFhbpuurRsnZ4dvRV9gQ_3-rmSJaoqSFY=...

But "perfect storm" of:

• global fence lockmap
• mmu notifiers
• fs reclaim
• default annotations in dma_fence_signal / dma_fence_wait

Equals to anything ever using dma_fence will be in impossible chains with random other drivers, even if neither driver has code to export/share that fence.

Example from the CI run:

[25.918788] Chain exists of: fs_reclaim --> mmu_notifier_invalidate_range_start --> dma_fence_map [25.918794] Possible unsafe locking scenario: [25.918797] CPU0 CPU1 [25.918799] ---- ---- [25.918801] lock(dma_fence_map); [25.918803] lock(mmu_notifier_invalidate_range_start); [25.918807] lock(dma_fence_map); [25.918809] lock(fs_reclaim);

What about a dma_fence_export helper which would "arm" the annotations? It would be called as soon as the fence is exported. Maybe when added to dma_resv, or exported via sync_file, etc. Before that point begin/end_signaling and so would be no-ops.

Run CI without the i915 annotation patch, nothing breaks.

I think some parts of i915 would still break with my idea to only apply annotations on exported fences. What do you dislike about that idea? I thought the point is to enforce rules for _exported_ fences.

dma_fence is a shared concept, this is upstream, drivers are expected to a) use shared concepts and b) use them in a consistent way. If drivers do whatever they feel like then they're no maintainable in the upstream sense of "maintainable even if the vendor walks away". This was the reason why amd had to spend 2 refactoring from DAL (which used all the helpers they shared with their firmware/windows driver) to DC (which uses all the upstream kms helpers and datastructures directly).

How you have annotated dma_fence_work you can't say, maybe it is exported maybe it isn't. I think it is btw, so splats would still be there, but I am not sure it is conceptually correct.

At least my understanding is GFP_KERNEL allocations are only disallowed by the virtue of the global dma-fence contract. If you want to enforce they are never used for anything but exporting, then that would be a bit harsh, no?

Another example from the CI run:

[26.585357] CPU0 CPU1 [26.585359] ---- ---- [26.585360] lock(dma_fence_map); [26.585362] lock(mmu_notifier_invalidate_range_start); [26.585365] lock(dma_fence_map); [26.585367] lock(i915_gem_object_internal/1); [26.585369] *** DEADLOCK ***

So ime the above deadlock summaries tend to be wrong as soon as you have more than 2 locks involved. Which we have here - they only ever show at most 2 threads, with each thread only taking 2 locks in total, which isn't going to deadlock if you have more than 2 locks involved. Which is the case above.

Personally I just ignore the above deadlock scenario and just always look at all the locks and backtraces lockdep gives me, and then reconstruct the dependency graph by hand myself, including deadlock scenario.

Lets say someone submitted an execbuf using userptr as a batch and then unmapped it immediately. That would explain CPU1 getting into the mmu notifier and waiting on this batch to unbind the object.

Meanwhile CPU0 is the async command parser for this request trying to lock the shadow batch buffer. Because it uses the dma_fence_work this is between the begin/end signalling markers.

It can be the same dma-fence I think, since we install the async parser fence on the real batch dma-resv, but dma_fence_map is not a real lock, so what is actually preventing progress in this case?

CPU1 is waiting on a fence, but CPU0 can obtain the lock(i915_gem_object_internal/1), proceed to parse the batch, and exit the signalling section. At which point CPU1 is still blocked, waiting until the execbuf finishes and then mmu notifier can finish and invalidate the pages.

Maybe I am missing something but I don't see how this one is real.

The above doesn't deadlock, and it also shouldn't result in a lockdep splat. The trouble is when the signalling thread also grabs i915_gem_object_internal/1 somewhere. Which if you go through full CI results you see there's more involved (and at least one of the splats is all just lockdep priming and might_lock, so could be an annotation bug on top), and there is indeed a path where we lock the driver private lock in more places, and the wrong way round. That's the thing lockdep is complaining about, it's just not making that clear in the summary because the summary is only ever correct for 2 locks. Not if more is involved.

...

So we can gradually fix up existing code that doesn't quite get it right and move on.

...

...

...

...

+/**

• • dma_fence_begin_signalling - begin a critical DMA fence signalling section
• • Drivers should use this to annotate the beginning of any code section
• • required to eventually complete &dma_fence by calling dma_fence_signal().
• • The end of these critical sections are annotated with
• • dma_fence_end_signalling().
• • Returns:
• • Opaque cookie needed by the implementation, which needs to be passed to
• • dma_fence_end_signalling().
• */

+bool dma_fence_begin_signalling(void) +{

• /* explicitly nesting ... */
  

• if (lock_is_held_type(&dma_fence_lockdep_map, 1))
  

•         return true;
  

• /* rely on might_sleep check for soft/hardirq locks */
  

• if (in_atomic())
  

•         return true;
  

• /* ... and non-recursive readlock */
  

• lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _RET_IP_);
  

Would it work if signalling path would mark itself as a write lock? I am thinking it would be nice to see in lockdep splats what are signals and what are waits.

Yeah it'd be nice to have a read vs write name for the lock. But we already have this problem for e.g. flush_work(), from which I've stolen this idea. So it's not really new. Essentially look at the backtraces lockdep gives you, and reconstruct the deadlock. I'm hoping that people will notice the special functions on the backtrace, e.g. dma_fence_begin_signalling will be listed as offending function/lock holder, and then read the kerneldoc.

...

The recursive usage wouldn't work then right? Would write annotation on the wait path work?

Wait path is write annotations already, but yeah annotating the signalling side as write would cause endless amounts of alse positives. Also it makes composability of these e.g. what I've done in amdgpu with annotations in tdr work in drm/scheduler, annotations in the amdgpu gpu reset code and then also annotations in atomic code, which all nest within each other in some call chains, but not others. Dropping the recursion would break that and make it really awkward to annotate such cases correctly.

And the recursion only works if it's read locks, otherwise lockdep complains if you have inconsistent annotations on the signalling side (which again would make it more or less impossible to annotate the above case fully).

How do I see in lockdep splats if it was a read or write user? Your patch appears to have:

dma_fence_signal:

•   lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _RET_IP_);
  
  

__dma_fence_might_wait:

•   lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _THIS_IP_);
  
  

Which both seem like read lock. I don't fully understand the lockdep API so I might be wrong, not sure. But neither I see a difference in splats telling me which path is which.

I think you got tricked by the implementation, this isn't quite what's going on. There's two things which make the annotations special:

• we want a recursive read lock on the signalling critical section.

The problem is that lockdep doesn't implement full validation for recursive read locks, only non-recursive read/write locks fully validated. There's some checks for recursive read locks, but exactly the checks we need to catch common dma_fence_wait deadlocks aren't done. That's why we need to implement manual lock recursion on the reader side

• now on the write side we additionally need to implement an

read2write upgrade, and a write2read downgrade. Lockdep doesn't implement that, so again we have to hand-roll this.

Let's go through the code line-by-line:

 bool tmp;

 tmp = lock_is_held_type(&dma_fence_lockdep_map, 1);

We check whether someone is holding the non-recursive read lock already.

 if (tmp)
     lock_release(&dma_fence_lockdep_map, _THIS_IP_);

If that's the case, we drop that read lock.

 lock_map_acquire(&dma_fence_lockdep_map);

Then we do the actual might_wait annotation, the above takes the full write lock ...

 lock_map_release(&dma_fence_lockdep_map);

... and now we release the write lock again.

 if (tmp)
     lock_acquire(&dma_fence_lockdep_map, 0, 0, 1, 1, NULL, _THIS_IP_);

Finally we need to re-acquire the read lock, if we've held that when entering this function. This annotation naturally has to exactly match what begin_signalling would do, otherwise the hand-rolled nesting would fall apart.

I hope that explains what's going on here, and assures you that might_wait() is indeed a write lock annotation, but with a big pile of complications.

I am certainly confused by the difference between lock_map_acquire/release and lock_acquire/release. What is the difference between the two?

lock_acquire/release is a wrapper around lock_map_acquire/release. This is all lockdep internal, it's a completely undocumented maze, so unfortunately only option is to really careful follow all the definitions from various locking primitives. And then compare with lockdep self-test (which use the locking primitives, not the lockdep internals) to see which flag controls which kind of behaviour.

That's at least what I do, and it's horrible. But yeah lockdep doesn't have documentation for this.

If you think it's better to open code the lock_map/acquire, I guess I can do that. But it's a mess, so I need to carefully retest everything and make sure I've set the right flags and bits - for added fun they also change ordering in some of the wrappers! -Daniel