From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To: Bartosz Golaszewski <brgl@bgdev.pl>
Cc: Linus Walleij <linus.walleij@linaro.org>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Kent Gibson <warthog618@gmail.com>,
"open list:GPIO SUBSYSTEM" <linux-gpio@vger.kernel.org>
Subject: Re: GPIOLIB locking is broken and how to fix it
Date: Fri, 24 Nov 2023 19:27:53 +0200 [thread overview]
Message-ID: <ZWDdGa-Zf06bteld@smile.fi.intel.com> (raw)
In-Reply-To: <CAMRc=McMxnYQosDDip3KGNBsQHDpHg_7bJgvS_Yr_7Y=2kqyUg@mail.gmail.com>
On Fri, Nov 24, 2023 at 05:00:36PM +0100, Bartosz Golaszewski wrote:
> Hi!
>
> I've been scratching my head over it for a couple days and I wanted to
> pick your brains a bit.
>
> The existing locking in GPIOLIB is utterly broken. We have a global
> spinlock that "protects" the list of GPIO devices but also the
> descriptor objects (and who knows what else). I put "protects" in
> quotation marks because the spinlock is released and re-acquired in
> several places where the code needs to call functions that can
> possibly sleep. I don't have to tell you it makes the spinlock useless
> and doesn't protect anything.
>
> An example of that is gpiod_request_commit() where in the time between
> releasing the lock in order to call gc->request() and acquiring it
> again, gpiod_free_commit() can be called, thus undoing a part of the
> changes we just introduced in the first part of this function. We'd
> then return from gc->request() and continue acting like we've just
> requested the GPIO leading to undefined behavior.
>
> There are more instances of this pattern. This seems to be a way to
> work around the fact that we have GPIO API functions that can be
> called from atomic context (gpiod_set/get_value(),
> gpiod_direction_input/output(), etc.) that in their implementation
> call driver callbacks that may as well sleep (gc->set(),
> gc->direction_output(), etc.).
>
> Protecting the list of GPIO devices is simple. It should be a mutex as
> the list should never be modified from atomic context. This can be
> easily factored out right now. Protecting GPIO descriptors is
> trickier. If we use a spinlock for that, we'll run into problems with
> GPIO drivers that can sleep. If we use a mutex, we'll have a problem
> with users calling GPIO functions from atomic context.
>
> One idea I have is introducing a strict limit on which functions can
> be used from atomic context (we don't enforce anything ATM in
> functions that don't have the _cansleep suffix in their names) and
> check which parts of the descriptor struct they modify. Then protect
> these parts with a spinlock in very limited critical sections. Have a
> mutex for everything else that can only be accessed from process
> context.
>
> Another one is introducing strict APIs like gpiod_set_value_atomic()
> that'll be designed to be called from atomic context exclusively and
> be able to handle it. Everything else must only be called from process
> context. This of course would be a treewide change as we'd need to
> modify all GPIO calls in interrupt handlers.
>
> I'd like to hear your ideas as this change is vital before we start
> protecting gdev->chip with SRCU in all API calls.
Brief side note: If we can really fix something (partially) right now,
do it, otherwise technical debt kills us.
(Most likely I refer to the list of the GPIO devices.)
--
With Best Regards,
Andy Shevchenko
next prev parent reply other threads:[~2023-11-24 17:27 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-24 16:00 GPIOLIB locking is broken and how to fix it Bartosz Golaszewski
2023-11-24 17:27 ` Andy Shevchenko [this message]
2023-11-24 17:33 ` Andy Shevchenko
2023-11-24 20:55 ` Bartosz Golaszewski
2023-11-24 23:20 ` Linus Walleij
2023-11-25 1:29 ` Kent Gibson
2023-11-25 20:13 ` Bartosz Golaszewski
2023-11-26 0:05 ` Kent Gibson
2023-11-28 10:47 ` Bartosz Golaszewski
2023-12-07 18:37 ` Bartosz Golaszewski
2023-12-08 1:01 ` Kent Gibson
2023-12-08 8:13 ` Bartosz Golaszewski
2023-12-08 8:38 ` Kent Gibson
2023-12-08 9:52 ` Bartosz Golaszewski
2023-12-08 10:27 ` Kent Gibson
2023-12-08 18:54 ` Bartosz Golaszewski
2023-12-09 1:56 ` Kent Gibson
2023-12-09 19:24 ` Bartosz Golaszewski
2023-12-10 2:34 ` Kent Gibson
2023-12-10 13:28 ` Kent Gibson
2023-12-11 15:10 ` Bartosz Golaszewski
2023-12-12 0:47 ` Kent Gibson
2023-12-08 13:12 ` Linus Walleij
2023-12-08 13:56 ` Thierry Reding
2023-12-08 14:47 ` Bartosz Golaszewski
2023-12-08 16:40 ` Thierry Reding
2023-12-08 18:30 ` Bartosz Golaszewski
2023-12-11 10:55 ` Thierry Reding
2023-12-11 15:49 ` Bartosz Golaszewski
2023-12-12 10:12 ` Aaro Koskinen
2023-12-12 11:00 ` Bartosz Golaszewski
2023-12-12 14:32 ` Aaro Koskinen
2023-12-12 15:15 ` Bartosz Golaszewski
2023-12-08 13:53 ` Thierry Reding
2023-11-28 11:05 ` Linus Walleij
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZWDdGa-Zf06bteld@smile.fi.intel.com \
--to=andriy.shevchenko@linux.intel.com \
--cc=brgl@bgdev.pl \
--cc=geert@linux-m68k.org \
--cc=linus.walleij@linaro.org \
--cc=linux-gpio@vger.kernel.org \
--cc=warthog618@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.