From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
To: Bartosz Golaszewski <brgl@bgdev.pl>
Cc: Linus Walleij <linus.walleij@linaro.org>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Kent Gibson <warthog618@gmail.com>,
"open list:GPIO SUBSYSTEM" <linux-gpio@vger.kernel.org>
Subject: Re: GPIOLIB locking is broken and how to fix it
Date: Fri, 24 Nov 2023 19:27:53 +0200
Message-ID: <ZWDdGa-Zf06bteld@smile.fi.intel.com>
In-Reply-To: <CAMRc=McMxnYQosDDip3KGNBsQHDpHg_7bJgvS_Yr_7Y=2kqyUg@mail.gmail.com>

On Fri, Nov 24, 2023 at 05:00:36PM +0100, Bartosz Golaszewski wrote:
> Hi!
>
> I've been scratching my head over it for a couple days and I wanted to
> pick your brains a bit.
>
> The existing locking in GPIOLIB is utterly broken. We have a global
> spinlock that "protects" the list of GPIO devices but also the
> descriptor objects (and who knows what else). I put "protects" in
> quotation marks because the spinlock is released and re-acquired in
> several places where the code needs to call functions that can
> possibly sleep. I don't have to tell you it makes the spinlock useless
> and doesn't protect anything.
>
> An example of that is gpiod_request_commit() where in the time between
> releasing the lock in order to call gc->request() and acquiring it
> again, gpiod_free_commit() can be called, thus undoing a part of the
> changes we just introduced in the first part of this function. We'd
> then return from gc->request() and continue acting like we've just
> requested the GPIO leading to undefined behavior.
>
> There are more instances of this pattern. This seems to be a way to
> work around the fact that we have GPIO API functions that can be
> called from atomic context (gpiod_set/get_value(),
> gpiod_direction_input/output(), etc.) that in their implementation
> call driver callbacks that may as well sleep (gc->set(),
> gc->direction_output(), etc.).
>
> Protecting the list of GPIO devices is simple. It should be a mutex as
> the list should never be modified from atomic context. This can be
> easily factored out right now. Protecting GPIO descriptors is
> trickier. If we use a spinlock for that, we'll run into problems with
> GPIO drivers that can sleep. If we use a mutex, we'll have a problem
> with users calling GPIO functions from atomic context.
>
> One idea I have is introducing a strict limit on which functions can
> be used from atomic context (we don't enforce anything ATM in
> functions that don't have the _cansleep suffix in their names) and
> check which parts of the descriptor struct they modify. Then protect
> these parts with a spinlock in very limited critical sections. Have a
> mutex for everything else that can only be accessed from process
> context.
>
> Another one is introducing strict APIs like gpiod_set_value_atomic()
> that'll be designed to be called from atomic context exclusively and
> be able to handle it. Everything else must only be called from process
> context. This of course would be a treewide change as we'd need to
> modify all GPIO calls in interrupt handlers.
>
> I'd like to hear your ideas as this change is vital before we start
> protecting gdev->chip with SRCU in all API calls.

Brief side note: If we can really fix something (partially) right now,
do it, otherwise technical debt kills us.

(Most likely I refer to the list of the GPIO devices.)

--
With Best Regards,
Andy Shevchenko
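
The lock-drop window described in the quoted mail, as an added single-threaded userspace model (not kernel code and not written by anyone in this thread). All `model_*` names are hypothetical, and the second context is simulated by running the free path from inside the callback stand-in; with `hold_across_callback` set, the lock stays held across the callback, which models the mutex proposed there for process-context paths.

```c
/* Added illustration: single-threaded userspace model, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct model_desc {
	bool lock_held;      /* stands in for the lock guarding the descriptor */
	bool requested;      /* models the "line is requested" state */
	const char *label;
};

static bool model_trylock(struct model_desc *d)
{
	if (d->lock_held)
		return false;
	d->lock_held = true;
	return true;
}

/* Free path of a second context: takes the lock, undoes the request. */
static int model_free(struct model_desc *d)
{
	if (!model_trylock(d))
		return -EBUSY;   /* a real second context would wait here */
	d->requested = false;
	d->label = NULL;
	d->lock_held = false;
	return 0;
}

/* Stand-in for the driver callback; the competing free is injected here. */
static int model_chip_request(struct model_desc *d)
{
	(void)model_free(d);
	return 0;
}

/* hold_across_callback == false: lock dropped around the callback (the
 * pattern in the mail); true: lock kept, as a sleepable lock would allow. */
static int model_request(struct model_desc *d, const char *label,
			 bool hold_across_callback)
{
	int ret;

	d->lock_held = true;
	if (d->requested) {
		d->lock_held = false;
		return -EBUSY;
	}
	d->requested = true;
	d->label = label;
	if (!hold_across_callback)
		d->lock_held = false;   /* window opens: free can run now */
	ret = model_chip_request(d);
	d->lock_held = false;           /* state is never re-checked */
	return ret;
}
```

With the lock dropped, the request returns 0 while the descriptor is already back in the freed state; with the lock held, the injected free is refused and the state stays consistent.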