On 03/19/2018 07:00 PM, jgli...@redhat.com wrote:
> From: Ralph Campbell <rcampb...@nvidia.com>
>
> The hmm_mirror_register() function registers a callback for when
> the CPU pagetable is modified. Normally, the device driver will
> call hmm_mirror_unregister() when the process using the device is
> finished. However, if the process exits uncleanly, the struct_mm
> can be destroyed with no warning to the device driver.
>
> Changed since v1:
> - dropped VM_BUG_ON()
> - cc stable
>
> Signed-off-by: Ralph Campbell <rcampb...@nvidia.com>
> Signed-off-by: Jérôme Glisse <jgli...@redhat.com>
> Cc: sta...@vger.kernel.org
> Cc: Evgeny Baskakov <ebaska...@nvidia.com>
> Cc: Mark Hairgrove <mhairgr...@nvidia.com>
> Cc: John Hubbard <jhubb...@nvidia.com>
> ---
> include/linux/hmm.h | 10 ++++++++++
> mm/hmm.c | 18 +++++++++++++++++-
> 2 files changed, 27 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/hmm.h b/include/linux/hmm.h
> index 36dd21fe5caf..fa7b51f65905 100644
> --- a/include/linux/hmm.h
> +++ b/include/linux/hmm.h
> @@ -218,6 +218,16 @@ enum hmm_update_type {
> * @update: callback to update range on a device
> */
> struct hmm_mirror_ops {
> + /* release() - release hmm_mirror
> + *
> + * @mirror: pointer to struct hmm_mirror
> + *
> + * This is called when the mm_struct is being released.
> + * The callback should make sure no references to the mirror occur
> + * after the callback returns.
> + */
> + void (*release)(struct hmm_mirror *mirror);
> +
> /* sync_cpu_device_pagetables() - synchronize page tables
> *
> * @mirror: pointer to struct hmm_mirror
> diff --git a/mm/hmm.c b/mm/hmm.c
> index 320545b98ff5..6088fa6ed137 100644
> --- a/mm/hmm.c
> +++ b/mm/hmm.c
> @@ -160,6 +160,21 @@ static void hmm_invalidate_range(struct hmm *hmm,
> up_read(&hmm->mirrors_sem);
> }
>
> +static void hmm_release(struct mmu_notifier *mn, struct mm_struct *mm)
> +{
> + struct hmm *hmm = mm->hmm;
> + struct hmm_mirror *mirror;
> + struct hmm_mirror *mirror_next;
> +
> + down_write(&hmm->mirrors_sem);
> + list_for_each_entry_safe(mirror, mirror_next, &hmm->mirrors, list) {
> + list_del_init(&mirror->list);
> + if (mirror->ops->release)
> + mirror->ops->release(mirror);
Hi Jerome,
This presents a deadlock problem (details below). As for solution ideas,
Mark Hairgrove points out that the MMU notifiers had to solve the
same sort of problem, and part of the solution involves "avoid
holding locks when issuing these callbacks". That's not an entire
solution description, of course, but it seems like a good start.
Anyway, for the deadlock problem:
Each of these ->release callbacks potentially has to wait for the
hmm_invalidate_range() callbacks to finish. That is not shown in any
code directly, but it's because: when a device driver is processing
the above ->release callback, it has to allow any in-progress operations
to finish up (as specified clearly in your comment documentation above).
Some of those operations will invariably need to do things that result
in page invalidations, thus triggering the hmm_invalidate_range() callback.
Then, the hmm_invalidate_range() callback tries to acquire the same
hmm->mirrors_sem lock, thus leading to deadlock:
hmm_invalidate_range():
// ...
down_read(&hmm->mirrors_sem);
list_for_each_entry(mirror, &hmm->mirrors, list)
mirror->ops->sync_cpu_device_pagetables(mirror, action,
start, end);
up_read(&hmm->mirrors_sem);
thanks,
--
John Hubbard
NVIDIA
