From: "Danilo Krummrich" <dakr@kernel.org>
To: "Philipp Stanner" <phasta@mailbox.org>
Cc: phasta@kernel.org, "Christian König" <christian.koenig@amd.com>,
"Boris Brezillon" <boris.brezillon@collabora.com>,
"Tvrtko Ursulin" <tvrtko.ursulin@igalia.com>,
dri-devel <dri-devel@lists.freedesktop.org>
Subject: Re: dma_fence: force users to take the lock manually
Date: Fri, 06 Mar 2026 14:03:33 +0100 [thread overview]
Message-ID: <DGVPXPMB8JB3.3VWBBX3YOK3G5@kernel.org> (raw)
In-Reply-To: <87197ff8d812debbd348ccb2befff855b30abb31.camel@mailbox.org>
On Fri Mar 6, 2026 at 1:36 PM CET, Philipp Stanner wrote:
> On Fri, 2026-03-06 at 13:31 +0100, Christian König wrote:
>> All fences must always signal because the HW operation must always complete
>> or be terminated by a timeout.
>>
>> If a fence signals only because it runs out of scope than that means that you
>> have a huge potential for data corruption and that is even worse than not
>> signaling a fence.
If that happens, it is a functional bug, the potential data corruption is only
within a separate memory object, e.g. GEM etc., no? I.e. it may fault the GPU,
but it does not fault the kernel.
>> In other words not signaling a fence can leave the system in a deadlock
>> state, but signaling it incorrectly usually results in random data
>> corruption.
Well, not signaling it results in a potential deadlock of the whole kernel,
whereas wrongly signaling it is "only" a functional bug.
> It all stands and falls with the question whether a fence can drop by
> accident in Rust, or if it will only ever drop when the hw-ring is
> closed.
>
> What do you believe is the right thing to do when a driver unloads?
The fence has to be signaled -- ideally after shutting down all queues, but it
has to be signaled.
> Ideally we could design it in a way that the driver closes its rings,
> the pending fences drop and get signaled with ECANCELED.
>
> Your concern seems to be a driver by accident droping a fence while the
> hardware is still processing the associated job.
I'm not concerned about the "driver drops fence by accident" case, as it is less
problematic than the "driver forgets to signal the fence" case. One is a logic
bug, whereas the other can deadlock the kernel, i.e. it is unsafe in terms of
Rust.
(Technically, there are subsequent problems to solve, as core::mem::forget() is
safe and would cause the same problem. However, this is not new, it applies to
lock guards in general. We can catch such things with klint though.)
Ultimately, a DMA fence (that has been exposed to the outside world) is
technically equivalent to a lock guard.
> (how's that dangerous, though? Shouldn't parties waiting for the fence
> detect the error? ECANCELED ⇒ you must not access the associated
> memory)
next prev parent reply other threads:[~2026-03-06 13:03 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-05 13:54 dma_fence: force users to take the lock manually Philipp Stanner
2026-03-05 13:59 ` Christian König
2026-03-05 15:12 ` Boris Brezillon
2026-03-06 8:10 ` Christian König
2026-03-06 9:46 ` Boris Brezillon
2026-03-06 9:54 ` Philipp Stanner
2026-03-06 10:27 ` Boris Brezillon
2026-03-06 9:58 ` Christian König
2026-03-06 10:37 ` Boris Brezillon
2026-03-06 11:03 ` Christian König
2026-03-06 11:24 ` Boris Brezillon
2026-03-06 11:57 ` Philipp Stanner
2026-03-06 12:31 ` Christian König
2026-03-06 12:36 ` Philipp Stanner
2026-03-06 12:54 ` Christian König
2026-03-06 14:55 ` Boris Brezillon
2026-03-09 9:33 ` Christian König
2026-03-09 15:06 ` Boris Brezillon
2026-03-09 16:46 ` Christian König
2026-03-06 13:03 ` Danilo Krummrich [this message]
2026-03-06 13:15 ` Christian König
2026-03-06 13:36 ` Philipp Stanner
2026-03-06 14:37 ` Christian König
2026-03-06 15:25 ` Boris Brezillon
2026-03-06 15:43 ` Boris Brezillon
2026-03-06 19:02 ` Philipp Stanner
2026-03-09 8:16 ` Boris Brezillon
2026-03-09 9:36 ` Christian König
2026-03-06 14:21 ` Boris Brezillon
2026-03-06 12:48 ` Boris Brezillon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DGVPXPMB8JB3.3VWBBX3YOK3G5@kernel.org \
--to=dakr@kernel.org \
--cc=boris.brezillon@collabora.com \
--cc=christian.koenig@amd.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=phasta@kernel.org \
--cc=phasta@mailbox.org \
--cc=tvrtko.ursulin@igalia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.