Re: [RFC PATCH] pci: Proof of concept at fixing pci_enable_device/bridge races

From: Bjorn Helgaas
Date: Thu Aug 16 2018 - 23:11:30 EST

Next message: Matthew Rickard: "Re: [PATCH] x86/vdso: Fix vDSO build if a retpoline is emitted"
Previous message: Wen Yang: "[PATCH] drm/amd/display: fix a compile warning"
Next in thread: Benjamin Herrenschmidt: "Re: [RFC PATCH] pci: Proof of concept at fixing pci_enable_device/bridge races"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[+cc Srinath, Guenter, Jens, Lukas, Konstantin, Marta, Pierre-Yves]

On Thu, Aug 16, 2018 at 07:50:13AM +1000, Benjamin Herrenschmidt wrote:
> [Note: This isn't meant to be merged, it need splitting at the very
> least, see below]
>
> This is something I cooked up quickly today to test if that would fix
> my problems with large number of switch and NVME devices on POWER.
>
> So far it does...
>
> The issue (as discussed in the Re: PCIe enable device races thread) is
> that pci_enable_device and related functions along with pci_set_master
> and pci_enable_bridge are fundamentally racy.
>
> There is no lockign protecting the state of the device in pci_dev and
> if multiple devices under the same bridge try to enable it simultaneously
> one some of them will potentially start accessing it before it has actually
> been enabled.
>
> Now there are a LOT more fields in pci_dev that aren't covered by any
> form of locking.

Most of the PCI core relies on the assumption that only a single
thread touches a device at a time. This is generally true of the core
during enumeration because enumeration is single-threaded. It's
generally true in normal driver operation because the core shouldn't
touch a device after a driver claims it.

But there are several exceptions, and I think we need to understand
those scenarios before applying locks willy-nilly.

One big exception is that enabling device A may also touch an upstream
bridge B. That causes things like your issue and Srinath's issue
where drivers simultaneously enabling two devices below the same
bridge corrupt the bridge's state [1]. Marta reported essentially the
same issue [2].

Hari's issue [3] seems related to a race between a driver work queue
and the core enumerating the device. I should have pushed harder to
understand this; I feel like we papered over the immediate problem
without clearing up the larger issue of why the core enumeration path
(pci_bus_add_device()) is running at the same time as a driver.

DPC/AER error handling adds more cases where the core potentially
accesses devices asynchronously to the driver.

User-mode sysfs controls like ASPM are also asynchronous to drivers.

Even setpci is a potential issue, though I don't know how far we want
to go to protect it. I think we should make setpci taint the kernel
anyway.

It might be nice if we had some sort of writeup of the locking
strategy as a whole.

[1] https://lkml.kernel.org/r/1501858648-22228-1-git-send-email-srinath.mannam@xxxxxxxxxxxx
[2] https://lkml.kernel.org/r/744877924.5841545.1521630049567.JavaMail.zimbra@xxxxxxxxx
[3] https://lkml.kernel.org/r/1530608741-30664-2-git-send-email-hari.vyas@xxxxxxxxxxxx

Next message: Matthew Rickard: "Re: [PATCH] x86/vdso: Fix vDSO build if a retpoline is emitted"
Previous message: Wen Yang: "[PATCH] drm/amd/display: fix a compile warning"
Next in thread: Benjamin Herrenschmidt: "Re: [RFC PATCH] pci: Proof of concept at fixing pci_enable_device/bridge races"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]