Linaro-mm-sig

linaro-mm-sig@lists.linaro.org

5 participants
2541 discussions

[PATCH v10 0/3] Secure Memory Allocation Framework

by Benjamin Gaignard

version 10 changes: - rebased on kernel 4.8 tag - minor typo fix version 9 changes: - rebased on 4.8-rc5 - struct dma_attrs doesn't exist anymore so update CMA allocator to compile with new dma_*_attr functions - add example SMAF use case in cover letter version 8 changes: - rework of the structures used within ioctl by adding a version field and padding to be futur proof - rename fake secure moduel to test secure module - fix the various remarks done on the previous patcheset version 7 changes: - rebased on kernel 4.6-rc7 - simplify secure module API - add vma ops to be able to detect mmap/munmap calls - add ioctl to get number and allocator names - update libsmaf with adding tests https://git.linaro.org/people/benjamin.gaignard/libsmaf.git - add debug log in fake secure module version 6 changes: - rebased on kernel 4.5-rc4 - fix mmapping bug while requested allocation size isn't a a multiple of PAGE_SIZE (add a test for this in libsmaf) version 5 changes: - rebased on kernel 4.3-rc6 - rework locking schema and make handle status use an atomic_t - add a fake secure module to allow performing tests without trusted environment version 4 changes: - rebased on kernel 4.3-rc3 - fix missing EXPORT_SYMBOL for smaf_create_handle() version 3 changes: - Remove ioctl for allocator selection instead provide the name of the targeted allocator with allocation request. Selecting allocator from userland isn't the prefered way of working but is needed when the first user of the buffer is a software component. - Fix issues in case of error while creating smaf handle. - Fix module license. - Update libsmaf and tests to care of the SMAF API evolution https://git.linaro.org/people/benjamin.gaignard/libsmaf.git version 2 changes: - Add one ioctl to allow allocator selection from userspace. This is required for the uses case where the first user of the buffer is a software IP which can't perform dma_buf attachement. - Add name and ranking to allocator structure to be able to sort them. - Create a tiny library to test SMAF: https://git.linaro.org/people/benjamin.gaignard/libsmaf.git - Fix one issue when try to secure buffer without secure module registered SMAF aim to solve two problems: allocating memory that fit with hardware IPs constraints and secure those data from bus point of view. One example of SMAF usage is camera preview: on SoC you may use either an USB webcam or the built-in camera interface and the frames could be send directly to the dipslay Ip or handle by GPU. Most of USB interfaces and GPU have mmu but almost all built-in camera interace and display Ips don't have mmu so when selecting how allocate buffer you need to be aware of each devices constraints (contiguous memroy, stride, boundary, alignment ...). ION has solve this problem by let userland decide which allocator (heap) to use but this require to adapt userland for each platform and sometime for each use case. To be sure to select the best allocation method for devices SMAF implement deferred allocation mechanism: memory allocation is only done when the first device effectively required it. Allocator modules have to implement a match() to let SMAF know if they are compatibles with devices needs. This patch set provide an example of allocator module which use dma_{alloc/free/mmap}_attrs() and check if at least one device have coherent_dma_mask set to DMA_BIT_MASK(32) in match function. In the same camera preview use case, SMAF allow to protect the data from being read by unauthorized IPs (i.e. a malware to dump camera stream). Until now I have only see access rights protection at process/thread level (PKeys/MPK) or on file (SELinux) but nothing allow to drive data bus firewalls. SMAF propose an interface to control and implement those firewalls. Like IOMMU, firewalls IPs can help to protect memory from malicious/faulty devices that are attempting DMA attacks. Secure modules are responsibles of granting and revoking devices access rights on the memory. Secure module is also called to check if CPU map memory into kernel and user address spaces. An example of secure module implementation can be found here: http://git.linaro.org/people/benjamin.gaignard/optee-sdp.git This code isn't yet part of the patch set because it depends on generic TEE which is still under discussion (https://lwn.net/Articles/644646/) For allocation part of SMAF code I get inspirated by Sumit Semwal work about constraint aware allocator. Benjamin Gaignard (3): create SMAF module SMAF: add CMA allocator SMAF: add test secure module drivers/Kconfig | 2 + drivers/Makefile | 1 + drivers/smaf/Kconfig | 17 + drivers/smaf/Makefile | 3 + drivers/smaf/smaf-cma.c | 186 ++++++++++ drivers/smaf/smaf-core.c | 818 +++++++++++++++++++++++++++++++++++++++++ drivers/smaf/smaf-testsecure.c | 90 +++++ include/linux/smaf-allocator.h | 45 +++ include/linux/smaf-secure.h | 65 ++++ include/uapi/linux/smaf.h | 85 +++++ 10 files changed, 1312 insertions(+) create mode 100644 drivers/smaf/Kconfig create mode 100644 drivers/smaf/Makefile create mode 100644 drivers/smaf/smaf-cma.c create mode 100644 drivers/smaf/smaf-core.c create mode 100644 drivers/smaf/smaf-testsecure.c create mode 100644 include/linux/smaf-allocator.h create mode 100644 include/linux/smaf-secure.h create mode 100644 include/uapi/linux/smaf.h -- 1.9.1

8 years, 3 months

[PATCH 00/15] improve function-level documentation

by Julia Lawall

These patches fix cases where the documentation above a function definition is not consistent with the function header. Issues are detected using the semantic patch below (http://coccinelle.lip6.fr/). Basically, the semantic patch parses a file to find comments, then matches each function header, and checks that the name and parameter list in the function header are compatible with the comment that preceeds it most closely. // <smpl> @initialize:ocaml@ @@ let tbl = ref [] let fnstart = ref [] let success = Hashtbl.create 101 let thefile = ref "" let parsed = ref [] let nea = ref [] let parse file = thefile := List.nth (Str.split (Str.regexp "linux-next/") file) 1; let i = open_in file in let startline = ref 0 in let fn = ref "" in let ids = ref [] in let rec inside n = let l = input_line i in let n = n + 1 in match Str.split_delim (Str.regexp_string "*/") l with before::after::_ -> (if not (!fn = "") then tbl := (!startline,n,!fn,List.rev !ids)::!tbl); startline := 0; fn := ""; ids := []; outside n | _ -> (match Str.split (Str.regexp "[ \t]+") l with "*"::name::rest -> let len = String.length name in (if !fn = "" && len > 2 && String.sub name (len-2) 2 = "()" then fn := String.sub name 0 (len-2) else if !fn = "" && (not (rest = [])) && List.hd rest = "-" then if String.get name (len-1) = ':' then fn := String.sub name 0 (len-1) else fn := name else if not(!fn = "") && len > 2 && String.get name 0 = '@' && String.get name (len-1) = ':' then ids := (String.sub name 1 (len-2)) :: !ids); | _ -> ()); inside n and outside n = let l = input_line i in let n = n + 1 in if String.length l > 2 && String.sub l 0 3 = "/**" then begin startline := n; inside n end else outside n in try outside 0 with End_of_file -> () let hashadd tbl k v = let cell = try Hashtbl.find tbl k with Not_found -> let cell = ref [] in Hashtbl.add tbl k cell; cell in cell := v :: !cell @script:ocaml@ @@ tbl := []; fnstart := []; Hashtbl.clear success; parsed := []; nea := []; parse (List.hd (Coccilib.files())) @r@ identifier f; position p; @@ f@p(...) { ... } @script:ocaml@ p << r.p; f << r.f; @@ parsed := f :: !parsed; fnstart := (List.hd p).line :: !fnstart @param@ identifier f; type T; identifier i; parameter list[n] ps; parameter list[n1] ps1; position p; @@ f@p(ps,T i,ps1) { ... } @script:ocaml@ @@ tbl := List.rev (List.sort compare !tbl) @script:ocaml@ p << param.p; f << param.f; @@ let myline = (List.hd p).line in let prevline = List.fold_left (fun prev x -> if x < myline then max x prev else prev) 0 !fnstart in let _ = List.exists (function (st,fn,nm,ids) -> if prevline < st && myline > st && prevline < fn && myline > fn then begin (if not (String.lowercase f = String.lowercase nm) then Printf.printf "%s:%d %s doesn't match preceding comment: %s\n" !thefile myline f nm); true end else false) !tbl in () @script:ocaml@ p << param.p; n << param.n; n1 << param.n1; i << param.i; f << param.f; @@ let myline = (List.hd p).line in let prevline = List.fold_left (fun prev x -> if x < myline then max x prev else prev) 0 !fnstart in let _ = List.exists (function (st,fn,nm,ids) -> if prevline < st && myline > st && prevline < fn && myline > fn then begin (if List.mem i ids then hashadd success (st,fn,nm) i); (if ids = [] (* arg list seems not obligatory *) then () else if not (List.mem i ids) then Printf.printf "%s:%d %s doesn't appear in ids: %s\n" !thefile myline i (String.concat " " ids) else if List.length ids <= n || List.length ids <= n1 then (if not (List.mem f !nea) then begin nea := f :: !nea; Printf.printf "%s:%d %s not enough args\n" !thefile myline f; end) else let foundid = List.nth ids n in let efoundid = List.nth (List.rev ids) n1 in if not(foundid = i || efoundid = i) then Printf.printf "%s:%d %s wrong arg in position %d: %s\n" !thefile myline i n foundid); true end else false) !tbl in () @script:ocaml@ @@ List.iter (function (st,fn,nm,ids) -> if List.mem nm !parsed then let entry = try !(Hashtbl.find success (st,fn,nm)) with Not_found -> [] in List.iter (fun id -> if not (List.mem id entry) && not (id = "...") then Printf.printf "%s:%d %s not used\n" !thefile st id) ids) !tbl // </smpl> --- drivers/clk/keystone/pll.c | 4 ++-- drivers/clk/sunxi/clk-mod0.c | 2 +- drivers/clk/tegra/cvb.c | 10 +++++----- drivers/dma-buf/sw_sync.c | 6 +++--- drivers/gpu/drm/gma500/intel_i2c.c | 3 +-- drivers/gpu/drm/omapdrm/omap_drv.c | 4 ++-- drivers/irqchip/irq-metag-ext.c | 1 - drivers/irqchip/irq-vic.c | 1 - drivers/mfd/tc3589x.c | 4 ++-- drivers/power/supply/ab8500_fg.c | 8 ++++---- drivers/power/supply/abx500_chargalg.c | 1 + drivers/power/supply/intel_mid_battery.c | 2 +- drivers/power/supply/power_supply_core.c | 4 ++-- fs/crypto/crypto.c | 4 ++-- fs/crypto/fname.c | 4 ++-- fs/ubifs/file.c | 2 +- fs/ubifs/gc.c | 2 +- fs/ubifs/lprops.c | 2 +- fs/ubifs/lpt_commit.c | 4 +--- fs/ubifs/replay.c | 2 +- lib/kobject_uevent.c | 6 +++--- lib/lru_cache.c | 4 ++-- lib/nlattr.c | 2 +- 23 files changed, 39 insertions(+), 43 deletions(-)

8 years, 3 months

Re: [Linaro-mm-sig] [PATCH 00/15] improve function-level documentation

by Julia Lawall

On Sat, 1 Oct 2016, Joe Perches wrote: > On Sat, 2016-10-01 at 21:46 +0200, Julia Lawall wrote: > > These patches fix cases where the documentation above a function definition > > is not consistent with the function header. Issues are detected using the > > semantic patch below (http://coccinelle.lip6.fr/). Basically, the semantic > > patch parses a file to find comments, then matches each function header, > > and checks that the name and parameter list in the function header are > > compatible with the comment that preceeds it most closely. > > Hi Julia. > > Would it be possible for a semantic patch to scan for > function definitions where the types do not have > identifiers and update the definitions to match the > declarations? > > For instance, given: > > <some.h> > int foo(int); > > <some.c> > int foo(int bar) > { > return baz; > } > > Could coccinelle output: > > diff a/some.h b/some.h > [] > -int foo(int); > +int foo(int bar); The following seems to work: @r@ identifier f; position p; type T, t; parameter list[n] ps; @@ T f@p(ps,t,...); @s@ identifier r.f,x; type r.T, r.t; parameter list[r.n] ps; @@ T f(ps,t x,...) { ... } @@ identifier r.f, s.x; position r.p; type r.T, r.t; parameter list[r.n] ps; @@ T f@p(ps,t + x ,...); After letting it run for a few minutes without making any effort to include .h files, I get over 2700 changed lines. julia

8 years, 3 months

Re: [Linaro-mm-sig] [Intel-gfx] [PATCH 11/11] dma-buf: Do a fast lockless check for poll with timeout=0

by Daniel Vetter

On Fri, Sep 23, 2016 at 07:59:44PM +0200, Christian König wrote: > Am 23.09.2016 um 17:20 schrieb Chris Wilson: > > On Fri, Sep 23, 2016 at 03:50:44PM +0200, Daniel Vetter wrote: > > > On Mon, Aug 29, 2016 at 08:08:34AM +0100, Chris Wilson wrote: > > > > Currently we install a callback for performing poll on a dma-buf, > > > > irrespective of the timeout. This involves taking a spinlock, as well as > > > > unnecessary work, and greatly reduces scaling of poll(.timeout=0) across > > > > multiple threads. > > > > > > > > We can query whether the poll will block prior to installing the > > > > callback to make the busy-query fast. > > > > > > > > Single thread: 60% faster > > > > 8 threads on 4 (+4 HT) cores: 600% faster > > > > > > > > Still not quite the perfect scaling we get with a native busy ioctl, but > > > > poll(dmabuf) is faster due to the quicker lookup of the object and > > > > avoiding drm_ioctl(). > > > > > > > > Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> > > > > Cc: Sumit Semwal <sumit.semwal(a)linaro.org> > > > > Cc: linux-media(a)vger.kernel.org > > > > Cc: dri-devel(a)lists.freedesktop.org > > > > Cc: linaro-mm-sig(a)lists.linaro.org > > > > Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> > > > Need to strike the r-b here, since Christian König pointed out that > > > objects won't magically switch signalling on. > > Oh, it also means that > > > > commit fb8b7d2b9d80e1e71f379e57355936bd2b024be9 > > Author: Jammy Zhou <Jammy.Zhou(a)amd.com> > > Date: Wed Jan 21 18:35:47 2015 +0800 > > > > reservation: wait only with non-zero timeout specified (v3) > > When the timeout value passed to reservation_object_wait_timeout_rcu > > is zero, no wait should be done if the fences are not signaled. > > Return '1' for idle and '0' for busy if the specified timeout is '0' > > to keep consistent with the case of non-zero timeout. > > v2: call fence_put if not signaled in the case of timeout==0 > > v3: switch to reservation_object_test_signaled_rcu > > Signed-off-by: Jammy Zhou <Jammy.Zhou(a)amd.com> > > Reviewed-by: Christian König <christian.koenig(a)amd.com> > > Reviewed-by: Alex Deucher <alexander.deucher(a)amd.com> > > Reviewed-By: Maarten Lankhorst <maarten.lankhorst(a)canonical.com> > > Signed-off-by: Sumit Semwal <sumit.semwal(a)linaro.org> > > > > is wrong. And reservation_object_test_signaled_rcu() is unreliable. > > Ups indeed, that patch is wrong as well. > > I suggest that we just enable the signaling in this case as well. Will you/Zhou take care of this corner case? Just so I can't forget about it ;-) Thanks, Daniel -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch

8 years, 3 months

[PATCH 10/11] dma-buf: Use seqlock to close RCU race in test_signaled_single

by Chris Wilson

With the seqlock now extended to cover the lookup of the fence and its testing, we can perform that testing solely under the seqlock guard and avoid the effective locking and serialisation of acquiring a reference to the request. As the fence is RCU protected we know it cannot disappear as we test it, the same guarantee that made it safe to acquire the reference previously. The seqlock tests whether the fence was replaced as we are testing it telling us whether or not we can trust the result (if not, we just repeat the test until stable). Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org --- drivers/dma-buf/reservation.c | 32 ++++---------------------------- 1 file changed, 4 insertions(+), 28 deletions(-) diff --git a/drivers/dma-buf/reservation.c b/drivers/dma-buf/reservation.c index e74493e7332b..1ddffa5adb5a 100644 --- a/drivers/dma-buf/reservation.c +++ b/drivers/dma-buf/reservation.c @@ -442,24 +442,6 @@ unlock_retry: } EXPORT_SYMBOL_GPL(reservation_object_wait_timeout_rcu); - -static inline int -reservation_object_test_signaled_single(struct fence *passed_fence) -{ - struct fence *fence, *lfence = passed_fence; - int ret = 1; - - if (!test_bit(FENCE_FLAG_SIGNALED_BIT, &lfence->flags)) { - fence = fence_get_rcu(lfence); - if (!fence) - return -1; - - ret = !!fence_is_signaled(fence); - fence_put(fence); - } - return ret; -} - /** * reservation_object_test_signaled_rcu - Test if a reservation object's * fences have been signaled. @@ -474,7 +456,7 @@ bool reservation_object_test_signaled_rcu(struct reservation_object *obj, bool test_all) { unsigned seq, shared_count; - int ret; + bool ret; rcu_read_lock(); retry: @@ -494,10 +476,8 @@ retry: for (i = 0; i < shared_count; ++i) { struct fence *fence = rcu_dereference(fobj->shared[i]); - ret = reservation_object_test_signaled_single(fence); - if (ret < 0) - goto retry; - else if (!ret) + ret = fence_is_signaled(fence); + if (!ret) break; } @@ -509,11 +489,7 @@ retry: struct fence *fence_excl = rcu_dereference(obj->fence_excl); if (fence_excl) { - ret = reservation_object_test_signaled_single( - fence_excl); - if (ret < 0) - goto retry; - + ret = fence_is_signaled(fence_excl); if (read_seqcount_retry(&obj->seq, seq)) goto retry; } -- 2.9.3

8 years, 3 months

[PATCH] dma-buf/sw_sync: mark sync_timeline_create() static

by Baoyou Xie

We get 1 warning when building kernel with W=1: drivers/dma-buf/sw_sync.c:87:23: warning: no previous prototype for 'sync_timeline_create' [-Wmissing-prototypes] In fact, this function is only used in the file in which it is declared and don't need a declaration, but can be made static. So this patch marks it 'static'. Signed-off-by: Baoyou Xie <baoyou.xie(a)linaro.org> --- drivers/dma-buf/sw_sync.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma-buf/sw_sync.c b/drivers/dma-buf/sw_sync.c index 62e8e6d..6f16c85 100644 --- a/drivers/dma-buf/sw_sync.c +++ b/drivers/dma-buf/sw_sync.c @@ -84,7 +84,7 @@ static inline struct sync_pt *fence_to_sync_pt(struct fence *fence) * Creates a new sync_timeline. Returns the sync_timeline object or NULL in * case of error. */ -struct sync_timeline *sync_timeline_create(const char *name) +static struct sync_timeline *sync_timeline_create(const char *name) { struct sync_timeline *obj; -- 2.7.4

8 years, 3 months

[PATCH] dma-buf/sw_sync: mark sync_timeline_create() static

by Baoyou Xie

8 years, 3 months

[PATCH 11/11] dma-buf: Do a fast lockless check for poll with timeout=0

by Chris Wilson

Currently we install a callback for performing poll on a dma-buf, irrespective of the timeout. This involves taking a spinlock, as well as unnecessary work, and greatly reduces scaling of poll(.timeout=0) across multiple threads. We can query whether the poll will block prior to installing the callback to make the busy-query fast. Single thread: 60% faster 8 threads on 4 (+4 HT) cores: 600% faster Still not quite the perfect scaling we get with a native busy ioctl, but poll(dmabuf) is faster due to the quicker lookup of the object and avoiding drm_ioctl(). Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> --- drivers/dma-buf/dma-buf.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index cf04d249a6a4..c7a7bc579941 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -156,6 +156,18 @@ static unsigned int dma_buf_poll(struct file *file, poll_table *poll) if (!events) return 0; + if (poll_does_not_wait(poll)) { + if (events & POLLOUT && + !reservation_object_test_signaled_rcu(resv, true)) + events &= ~(POLLOUT | POLLIN); + + if (events & POLLIN && + !reservation_object_test_signaled_rcu(resv, false)) + events &= ~POLLIN; + + return events; + } + retry: seq = read_seqcount_begin(&resv->seq); rcu_read_lock(); -- 2.9.3

8 years, 3 months

[PATCH 09/11] dma-buf: Restart reservation_object_test_signaled_rcu() after writes

by Chris Wilson

In order to be completely generic, we have to double check the read seqlock after acquiring a reference to the fence. If the driver is allocating fences from a SLAB_DESTROY_BY_RCU, or similar freelist, then within an RCU grace period a fence may be freed and reallocated. The RCU read side critical section does not prevent this reallocation, instead we have to inspect the reservation's seqlock to double check if the fences have been reassigned as we were acquiring our reference. Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Cc: Christian König <christian.koenig(a)amd.com> Cc: Alex Deucher <alexander.deucher(a)amd.com> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org --- drivers/dma-buf/reservation.c | 30 ++++++++++-------------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/drivers/dma-buf/reservation.c b/drivers/dma-buf/reservation.c index 3369e4668e96..e74493e7332b 100644 --- a/drivers/dma-buf/reservation.c +++ b/drivers/dma-buf/reservation.c @@ -474,12 +474,13 @@ bool reservation_object_test_signaled_rcu(struct reservation_object *obj, bool test_all) { unsigned seq, shared_count; - int ret = true; + int ret; + rcu_read_lock(); retry: + ret = true; shared_count = 0; seq = read_seqcount_begin(&obj->seq); - rcu_read_lock(); if (test_all) { unsigned i; @@ -490,46 +491,35 @@ retry: if (fobj) shared_count = fobj->shared_count; - if (read_seqcount_retry(&obj->seq, seq)) - goto unlock_retry; - for (i = 0; i < shared_count; ++i) { struct fence *fence = rcu_dereference(fobj->shared[i]); ret = reservation_object_test_signaled_single(fence); if (ret < 0) - goto unlock_retry; + goto retry; else if (!ret) break; } - /* - * There could be a read_seqcount_retry here, but nothing cares - * about whether it's the old or newer fence pointers that are - * signaled. That race could still have happened after checking - * read_seqcount_retry. If you care, use ww_mutex_lock. - */ + if (read_seqcount_retry(&obj->seq, seq)) + goto retry; } if (!shared_count) { struct fence *fence_excl = rcu_dereference(obj->fence_excl); - if (read_seqcount_retry(&obj->seq, seq)) - goto unlock_retry; - if (fence_excl) { ret = reservation_object_test_signaled_single( fence_excl); if (ret < 0) - goto unlock_retry; + goto retry; + + if (read_seqcount_retry(&obj->seq, seq)) + goto retry; } } rcu_read_unlock(); return ret; - -unlock_retry: - rcu_read_unlock(); - goto retry; } EXPORT_SYMBOL_GPL(reservation_object_test_signaled_rcu); -- 2.9.3

8 years, 3 months

[PATCH 06/11] dma-buf: Introduce fence_get_rcu_safe()

by Chris Wilson

This variant of fence_get_rcu() takes an RCU protected pointer to a fence and carefully returns a reference to the fence ensuring that it is not reallocated as it does. This is required when mixing fences and SLAB_DESTROY_BY_RCU - although it serves a more pedagogical function atm Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> Cc: Daniel Vetter <daniel.vetter(a)ffwll.ch> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Cc: linux-media(a)vger.kernel.org Cc: dri-devel(a)lists.freedesktop.org Cc: linaro-mm-sig(a)lists.linaro.org --- include/linux/fence.h | 56 ++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 51 insertions(+), 5 deletions(-) diff --git a/include/linux/fence.h b/include/linux/fence.h index 0d763053f97a..c9c5ba98c302 100644 --- a/include/linux/fence.h +++ b/include/linux/fence.h @@ -183,6 +183,16 @@ void fence_release(struct kref *kref); void fence_free(struct fence *fence); /** + * fence_put - decreases refcount of the fence + * @fence: [in] fence to reduce refcount of + */ +static inline void fence_put(struct fence *fence) +{ + if (fence) + kref_put(&fence->refcount, fence_release); +} + +/** * fence_get - increases refcount of the fence * @fence: [in] fence to increase refcount of * @@ -210,13 +220,49 @@ static inline struct fence *fence_get_rcu(struct fence *fence) } /** - * fence_put - decreases refcount of the fence - * @fence: [in] fence to reduce refcount of + * fence_get_rcu_safe - acquire a reference to an RCU tracked fence + * @fence: [in] pointer to fence to increase refcount of + * + * Function returns NULL if no refcount could be obtained, or the fence. + * This function handles acquiring a reference to a fence that may be + * reallocated within the RCU grace period (such as with SLAB_DESTROY_BY_RCU), + * so long as the caller is using RCU on the pointer to the fence. + * + * An alternative mechanism is to employ a seqlock to protect a bunch of + * fences, such as used by struct reservation_object. When using a seqlock, + * the seqlock must be taken before and checked after a reference to the + * fence is acquired (as shown here). + * + * The caller is required to hold the RCU read lock. */ -static inline void fence_put(struct fence *fence) +static inline struct fence *fence_get_rcu_safe(struct fence * __rcu *fencep) { - if (fence) - kref_put(&fence->refcount, fence_release); + do { + struct fence *fence; + + fence = rcu_dereference(*fencep); + if (!fence || !fence_get_rcu(fence)) + return NULL; + + /* The atomic_inc_not_zero() inside fence_get_rcu() + * provides a full memory barrier upon success (such as now). + * This is paired with the write barrier from assigning + * to the __rcu protected fence pointer so that if that + * pointer still matches the current fence, we know we + * have successfully acquire a reference to it. If it no + * longer matches, we are holding a reference to some other + * reallocated pointer. This is possible if the allocator + * is using a freelist like SLAB_DESTROY_BY_RCU where the + * fence remains valid for the RCU grace period, but it + * may be reallocated. When using such allocators, we are + * responsible for ensuring the reference we get is to + * the right fence, as below. + */ + if (fence == rcu_access_pointer(*fencep)) + return rcu_pointer_handoff(fence); + + fence_put(fence); + } while (1); } int fence_signal(struct fence *fence); -- 2.9.3

8 years, 3 months

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Linaro-mm-sig