From: Alex Williamson <alex@shazbot.org>
To: Leon Romanovsky <leon@kernel.org>
Cc: "Tian, Kevin" <kevin.tian@intel.com>,
"Jason Gunthorpe" <jgg@ziepe.ca>,
"Pranjal Shrivastava" <praan@google.com>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
"Christian König" <christian.koenig@amd.com>,
"Alex Deucher" <alexander.deucher@amd.com>,
"David Airlie" <airlied@gmail.com>,
"Simona Vetter" <simona@ffwll.ch>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Dmitry Osipenko" <dmitry.osipenko@collabora.com>,
"Gurchetan Singh" <gurchetansingh@chromium.org>,
"Chia-I Wu" <olvaffe@gmail.com>,
"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
"Maxime Ripard" <mripard@kernel.org>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Lucas De Marchi" <lucas.demarchi@intel.com>,
"Thomas Hellström" <thomas.hellstrom@linux.intel.com>,
"Vivi, Rodrigo" <rodrigo.vivi@intel.com>,
"Joerg Roedel" <joro@8bytes.org>, "Will Deacon" <will@kernel.org>,
"Robin Murphy" <robin.murphy@arm.com>,
"Felix Kuehling" <Felix.Kuehling@amd.com>,
"Ankit Agrawal" <ankita@nvidia.com>,
"Kasireddy, Vivek" <vivek.kasireddy@intel.com>,
"linux-media@vger.kernel.org" <linux-media@vger.kernel.org>,
"dri-devel@lists.freedesktop.org"
<dri-devel@lists.freedesktop.org>,
"linaro-mm-sig@lists.linaro.org" <linaro-mm-sig@lists.linaro.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"amd-gfx@lists.freedesktop.org" <amd-gfx@lists.freedesktop.org>,
"virtualization@lists.linux.dev" <virtualization@lists.linux.dev>,
"intel-xe@lists.freedesktop.org" <intel-xe@lists.freedesktop.org>,
"linux-rdma@vger.kernel.org" <linux-rdma@vger.kernel.org>,
"iommu@lists.linux.dev" <iommu@lists.linux.dev>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>
Subject: Re: [PATCH v5 4/8] vfio: Wait for dma-buf invalidation to complete
Date: Thu, 29 Jan 2026 14:04:01 -0700 [thread overview]
Message-ID: <20260129140401.52245b63@shazbot.org> (raw)
In-Reply-To: <20260129084156.GC10992@unreal>
On Thu, 29 Jan 2026 10:41:56 +0200
Leon Romanovsky <leon@kernel.org> wrote:
> On Thu, Jan 29, 2026 at 08:13:18AM +0000, Tian, Kevin wrote:
> > > From: Leon Romanovsky <leon@kernel.org>
> > > Sent: Thursday, January 29, 2026 3:34 PM
> > >
> > > On Thu, Jan 29, 2026 at 07:06:37AM +0000, Tian, Kevin wrote:
> > > > > From: Jason Gunthorpe <jgg@ziepe.ca>
> > > > > Sent: Wednesday, January 28, 2026 12:28 AM
> > > > >
> > > > > On Tue, Jan 27, 2026 at 10:58:35AM +0200, Leon Romanovsky wrote:
> > > > > > > > @@ -333,7 +359,37 @@ void vfio_pci_dma_buf_move(struct
> > > > > vfio_pci_core_device *vdev, bool revoked)
> > > > > > > > dma_resv_lock(priv->dmabuf->resv, NULL);
> > > > > > > > priv->revoked = revoked;
> > > > > > > > dma_buf_invalidate_mappings(priv-
> > > >dmabuf);
> > > > > > > > + dma_resv_wait_timeout(priv->dmabuf->resv,
> > > > > > > > +
> > > DMA_RESV_USAGE_BOOKKEEP,
> > > > > false,
> > > > > > > > +
> > > MAX_SCHEDULE_TIMEOUT);
> > > > > > > > dma_resv_unlock(priv->dmabuf->resv);
> > > > > > > > + if (revoked) {
> > > > > > > > + kref_put(&priv->kref,
> > > > > vfio_pci_dma_buf_done);
> > > > > > > > + /* Let's wait till all DMA unmap are
> > > > > completed. */
> > > > > > > > + wait = wait_for_completion_timeout(
> > > > > > > > + &priv->comp,
> > > secs_to_jiffies(1));
> > > > > > >
> > > > > > > Is the 1-second constant sufficient for all hardware, or should the
> > > > > > > invalidate_mappings() contract require the callback to block until
> > > > > > > speculative reads are strictly fenced? I'm wondering about a case
> > > where
> > > > > > > a device's firmware has a high response latency, perhaps due to
> > > internal
> > > > > > > management tasks like error recovery or thermal and it exceeds the
> > > 1s
> > > > > > > timeout.
> > > > > > >
> > > > > > > If the device is in the middle of a large DMA burst and the firmware is
> > > > > > > slow to flush the internal pipelines to a fully "quiesced"
> > > > > > > read-and-discard state, reclaiming the memory at exactly 1.001
> > > seconds
> > > > > > > risks triggering platform-level faults..
> > > > > > >
> > > > > > > Since the wen explicitly permit these speculative reads until unmap is
> > > > > > > complete, relying on a hardcoded timeout in the exporter seems to
> > > > > > > introduce a hardware-dependent race condition that could
> > > compromise
> > > > > > > system stability via IOMMU errors or AER faults.
> > > > > > >
> > > > > > > Should the importer instead be required to guarantee that all
> > > > > > > speculative access has ceased before the invalidation call returns?
> > > > > >
> > > > > > It is guaranteed by the dma_resv_wait_timeout() call above. That call
> > > > > ensures
> > > > > > that the hardware has completed all pending operations. The 1‑second
> > > > > delay is
> > > > > > meant to catch cases where an in-kernel DMA unmap call is missing,
> > > which
> > > > > should
> > > > > > not trigger any DMA activity at that point.
> > > > >
> > > > > Christian may know actual examples, but my general feeling is he was
> > > > > worrying about drivers that have pushed the DMABUF to visibility on
> > > > > the GPU and the move notify & fences only shoot down some access. So
> > > > > it has to wait until the DMABUF is finally unmapped.
> > > > >
> > > > > Pranjal's example should be covered by the driver adding a fence and
> > > > > then the unbounded fence wait will complete it.
> > > > >
> > > >
> > > > Bear me if it's an ignorant question.
> > > >
> > > > The commit msg of patch6 says that VFIO doesn't tolerate unbounded
> > > > wait, which is the reason behind the 2nd timeout wait here.
> > >
> > > It is not accurate. A second timeout is present both in the
> > > description of patch 6 and in VFIO implementation. The difference is
> > > that the timeout is enforced within VFIO.
> > >
> > > >
> > > > Then why is "the unbounded fence wait" not a problem in the same
> > > > code path? the use of MAX_SCHEDULE_TIMEOUT imply a worst-case
> > > > timeout in hundreds of years...
> > >
> > > "An unbounded fence wait" is a different class of wait. It indicates broken
> > > hardware that continues to issue DMA transactions even after it has been
> > > told to
> > > stop.
> > >
> > > The second wait exists to catch software bugs or misuse, where the dma-buf
> > > importer has misrepresented its capabilities.
> > >
> >
> > Okay I see.
> >
> > > >
> > > > and it'd be helpful to put some words in the code based on what's
> > > > discussed here.
> > >
> > > We've documented as much as we can in dma_buf_attach_revocable() and
> > > dma_buf_invalidate_mappings(). Do you have any suggestions on what else
> > > should be added here?
> > >
> >
> > the selection of 1s?
>
> It is indirectly written in description of WARN_ON(), but let's add
> more. What about the following?
>
> diff --git a/drivers/vfio/pci/vfio_pci_dmabuf.c b/drivers/vfio/pci/vfio_pci_dmabuf.c
> index 93795ad2e025..948ba75288c6 100644
> --- a/drivers/vfio/pci/vfio_pci_dmabuf.c
> +++ b/drivers/vfio/pci/vfio_pci_dmabuf.c
> @@ -357,7 +357,13 @@ void vfio_pci_dma_buf_move(struct vfio_pci_core_device *vdev, bool revoked)
> dma_resv_unlock(priv->dmabuf->resv);
> if (revoked) {
> kref_put(&priv->kref, vfio_pci_dma_buf_done);
> - /* Let's wait till all DMA unmap are completed. */
> + /*
> + * Let's wait for 1 second till all DMA unmap
> + * are completed. It is supposed to catch dma-buf
> + * importers which lied about their support
> + * of dmabuf revoke. See dma_buf_invalidate_mappings()
> + * for the expected behaviour,
> + */
> wait = wait_for_completion_timeout(
> &priv->comp, secs_to_jiffies(1));
> /*
>
> >
> > then,
> >
> > Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Alex Williamson <alex@shazbot.org>
next prev parent reply other threads:[~2026-01-29 21:04 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-24 19:14 [PATCH v5 0/8] dma-buf: Use revoke mechanism to invalidate shared buffers Leon Romanovsky
2026-01-24 19:14 ` [PATCH v5 1/8] dma-buf: Rename .move_notify() callback to a clearer identifier Leon Romanovsky
2026-01-24 19:14 ` [PATCH v5 2/8] dma-buf: Rename dma_buf_move_notify() to dma_buf_invalidate_mappings() Leon Romanovsky
2026-01-27 9:21 ` Christian König
2026-01-24 19:14 ` [PATCH v5 3/8] dma-buf: Always build with DMABUF_MOVE_NOTIFY Leon Romanovsky
2026-01-27 9:26 ` Christian König
2026-01-27 9:58 ` Leon Romanovsky
2026-01-27 10:02 ` Christian König
2026-01-27 11:42 ` Leon Romanovsky
2026-01-27 20:45 ` Leon Romanovsky
2026-01-30 7:00 ` Leon Romanovsky
2026-01-24 19:14 ` [PATCH v5 4/8] vfio: Wait for dma-buf invalidation to complete Leon Romanovsky
2026-01-26 20:53 ` Pranjal Shrivastava
2026-01-27 8:58 ` Leon Romanovsky
2026-01-27 16:27 ` Jason Gunthorpe
2026-01-29 7:06 ` Tian, Kevin
2026-01-29 7:33 ` Leon Romanovsky
2026-01-29 8:13 ` Tian, Kevin
2026-01-29 8:41 ` Leon Romanovsky
2026-01-29 21:04 ` Alex Williamson [this message]
2026-01-30 3:10 ` Tian, Kevin
2026-01-29 14:58 ` Jason Gunthorpe
2026-01-30 3:12 ` Tian, Kevin
2026-01-30 5:43 ` Mauro Carvalho Chehab
2026-01-30 5:48 ` Tian, Kevin
2026-01-30 8:46 ` Christian König
2026-01-30 8:30 ` Christian König
2026-01-30 13:01 ` Leon Romanovsky
2026-01-30 13:21 ` Christian König
2026-01-30 13:31 ` Leon Romanovsky
2026-01-30 13:56 ` Jason Gunthorpe
2026-01-30 14:11 ` Christian König
2026-01-30 14:44 ` Jason Gunthorpe
2026-02-02 8:42 ` Christian König
2026-02-02 15:12 ` Jason Gunthorpe
2026-02-02 15:21 ` Christian König
2026-02-02 15:55 ` Jason Gunthorpe
2026-01-24 19:14 ` [PATCH v5 5/8] dma-buf: Make .invalidate_mapping() truly optional Leon Romanovsky
2026-01-30 8:30 ` Christian König
2026-01-30 12:55 ` Leon Romanovsky
2026-01-24 19:14 ` [PATCH v5 6/8] dma-buf: Add dma_buf_attach_revocable() Leon Romanovsky
2026-01-26 20:38 ` Pranjal Shrivastava
2026-01-26 21:01 ` Jason Gunthorpe
2026-01-30 8:43 ` Christian König
2026-01-30 14:00 ` Jason Gunthorpe
2026-01-24 19:14 ` [PATCH v5 7/8] vfio: Permit VFIO to work with pinned importers Leon Romanovsky
2026-01-29 21:04 ` Alex Williamson
2026-01-30 3:14 ` Tian, Kevin
2026-01-24 19:14 ` [PATCH v5 8/8] iommufd: Add dma_buf_pin() Leon Romanovsky
2026-01-29 7:08 ` Tian, Kevin
2026-01-30 0:17 ` Jason Gunthorpe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260129140401.52245b63@shazbot.org \
--to=alex@shazbot.org \
--cc=Felix.Kuehling@amd.com \
--cc=airlied@gmail.com \
--cc=alexander.deucher@amd.com \
--cc=amd-gfx@lists.freedesktop.org \
--cc=ankita@nvidia.com \
--cc=christian.koenig@amd.com \
--cc=dmitry.osipenko@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=gurchetansingh@chromium.org \
--cc=intel-xe@lists.freedesktop.org \
--cc=iommu@lists.linux.dev \
--cc=jgg@ziepe.ca \
--cc=joro@8bytes.org \
--cc=kevin.tian@intel.com \
--cc=kraxel@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=leon@kernel.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=lucas.demarchi@intel.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=mripard@kernel.org \
--cc=olvaffe@gmail.com \
--cc=praan@google.com \
--cc=robin.murphy@arm.com \
--cc=rodrigo.vivi@intel.com \
--cc=simona@ffwll.ch \
--cc=sumit.semwal@linaro.org \
--cc=thomas.hellstrom@linux.intel.com \
--cc=tzimmermann@suse.de \
--cc=virtualization@lists.linux.dev \
--cc=vivek.kasireddy@intel.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox