Re: [RFC PATCH] pci: Proof of concept at fixing pci_enable_device/bridge races
From: Bjorn Helgaas
Date: Thu Aug 16 2018 - 23:11:30 EST
[+cc Srinath, Guenter, Jens, Lukas, Konstantin, Marta, Pierre-Yves]
On Thu, Aug 16, 2018 at 07:50:13AM +1000, Benjamin Herrenschmidt wrote:
> [Note: This isn't meant to be merged, it need splitting at the very
> least, see below]
> This is something I cooked up quickly today to test if that would fix
> my problems with large number of switch and NVME devices on POWER.
> So far it does...
> The issue (as discussed in the Re: PCIe enable device races thread) is
> that pci_enable_device and related functions along with pci_set_master
> and pci_enable_bridge are fundamentally racy.
> There is no lockign protecting the state of the device in pci_dev and
> if multiple devices under the same bridge try to enable it simultaneously
> one some of them will potentially start accessing it before it has actually
> been enabled.
> Now there are a LOT more fields in pci_dev that aren't covered by any
> form of locking.
Most of the PCI core relies on the assumption that only a single
thread touches a device at a time. This is generally true of the core
during enumeration because enumeration is single-threaded. It's
generally true in normal driver operation because the core shouldn't
touch a device after a driver claims it.
But there are several exceptions, and I think we need to understand
those scenarios before applying locks willy-nilly.
One big exception is that enabling device A may also touch an upstream
bridge B. That causes things like your issue and Srinath's issue
where drivers simultaneously enabling two devices below the same
bridge corrupt the bridge's state . Marta reported essentially the
same issue .
Hari's issue  seems related to a race between a driver work queue
and the core enumerating the device. I should have pushed harder to
understand this; I feel like we papered over the immediate problem
without clearing up the larger issue of why the core enumeration path
(pci_bus_add_device()) is running at the same time as a driver.
DPC/AER error handling adds more cases where the core potentially
accesses devices asynchronously to the driver.
User-mode sysfs controls like ASPM are also asynchronous to drivers.
Even setpci is a potential issue, though I don't know how far we want
to go to protect it. I think we should make setpci taint the kernel
It might be nice if we had some sort of writeup of the locking
strategy as a whole.