Re: [Xen-devel] [PATCH] [PVOPS] fix gntdev on PAE

[Stefano Stabellini <stefano.stabellini@xxxxxxxxxxxxx>]

On Fri, 28 May 2010, Jeremy Fitzhardinge wrote:
> 
> I managed to catch a lockdep problem in gntdev, which may be the same as
> before:
> 
> BUG: sleeping function called from invalid context at kernel/rwsem.c:21
> in_atomic(): 1, irqs_disabled(): 0, pid: 4091, name: qemu-dm
> 2 locks held by qemu-dm/4091:
>  #0:  (&mm->mmap_sem){++++++}, at: [<ffffffff810bb50f>] sys_munmap+0x33/0x58
>  #1:  (rcu_read_lock){.+.+..}, at: [<ffffffff810cd63a>] 
> __mmu_notifier_invalidate_range_start+0x0/0xc7
> Pid: 4091, comm: qemu-dm Not tainted 2.6.32.13 #23
> Call Trace:
>  [<ffffffff8106705b>] ? __debug_show_held_locks+0x22/0x24
>  [<ffffffff81039522>] __might_sleep+0x123/0x127
>  [<ffffffff810a8536>] ? release_pages+0xd2/0x1e7
>  [<ffffffff81498849>] down_read+0x1f/0x57
>  [<ffffffff81010142>] ? check_events+0x12/0x20
>  [<ffffffff810a8536>] ? release_pages+0xd2/0x1e7
>  [<ffffffff810cd63a>] ? __mmu_notifier_invalidate_range_start+0x0/0xc7
>  [<ffffffff8123e069>] mn_invl_range_start+0x32/0x118
>  [<ffffffff810cd69c>] __mmu_notifier_invalidate_range_start+0x62/0xc7
>  [<ffffffff810cd63a>] ? __mmu_notifier_invalidate_range_start+0x0/0xc7
>  [<ffffffff810b54bc>] unmap_vmas+0x8c/0x91a
>  [<ffffffff810ba363>] unmap_region+0xda/0x178
>  [<ffffffff810bb472>] do_munmap+0x2ae/0x318
>  [<ffffffff810bb51d>] sys_munmap+0x41/0x58
>  [<ffffffff81013b82>] system_call_fastpath+0x16/0x1b
> 
> 
> The problem is that mn_invl_range_start does a down_read(), but it is
> called from __mmu_notifier_invalidate_range_start(), which does an
> rcu_read_lock, which has the side-effect of disabling preemption.
> 
> The mmu notifier code seems to have always used rcu_read_lock this way,
> so I guess this bug has always been there.  It's not immediately obvious
> how to fix it.
> 
> Thoughts?

What about turning the semaphore into a rwlock?
Performances shouldn't matter in this case.
Something like this:

---


diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index ddc59cc..91846b9 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -28,7 +28,7 @@
 #include <linux/types.h>
 #include <linux/uaccess.h>
 #include <linux/sched.h>
-#include <linux/rwsem.h>
+#include <linux/spinlock_types.h>
 
 #include <xen/xen.h>
 #include <xen/grant_table.h>
@@ -51,7 +51,7 @@ struct gntdev_priv {
        struct list_head maps;
        uint32_t used;
        uint32_t limit;
-       struct rw_semaphore sem;
+       rwlock_t rwlock;
        struct mm_struct *mm;
        struct mmu_notifier mn;
 };
@@ -277,7 +277,7 @@ static void mn_invl_range_start(struct mmu_notifier *mn,
        unsigned long mstart, mend;
        int err;
 
-       down_read(&priv->sem);
+       read_lock(&priv->rwlock);
        list_for_each_entry(map, &priv->maps, next) {
                if (!map->vma)
                        continue;
@@ -299,7 +299,7 @@ static void mn_invl_range_start(struct mmu_notifier *mn,
                                        (mend - mstart) >> PAGE_SHIFT);
                WARN_ON(err);
        }
-       up_read(&priv->sem);
+       read_unlock(&priv->rwlock);
 }
 
 static void mn_invl_page(struct mmu_notifier *mn,
@@ -316,7 +316,7 @@ static void mn_release(struct mmu_notifier *mn,
        struct grant_map *map;
        int err;
 
-       down_read(&priv->sem);
+       read_lock(&priv->rwlock);
        list_for_each_entry(map, &priv->maps, next) {
                if (!map->vma)
                        continue;
@@ -327,7 +327,7 @@ static void mn_release(struct mmu_notifier *mn,
                err = unmap_grant_pages(map, 0, map->count);
                WARN_ON(err);
        }
-       up_read(&priv->sem);
+       read_unlock(&priv->rwlock);
 }
 
 struct mmu_notifier_ops gntdev_mmu_ops = {
@@ -347,7 +347,7 @@ static int gntdev_open(struct inode *inode, struct file 
*flip)
                return -ENOMEM;
 
        INIT_LIST_HEAD(&priv->maps);
-       init_rwsem(&priv->sem);
+       priv->rwlock = RW_LOCK_UNLOCKED;
        priv->limit = limit;
 
        priv->mm = get_task_mm(current);
@@ -375,13 +375,13 @@ static int gntdev_release(struct inode *inode, struct 
file *flip)
        if (debug)
                printk("%s: priv %p\n", __FUNCTION__, priv);
 
-       down_write(&priv->sem);
+       write_lock(&priv->rwlock);
        while (!list_empty(&priv->maps)) {
                map = list_entry(priv->maps.next, struct grant_map, next);
                err = gntdev_del_map(map);
                WARN_ON(err);
        }
-       up_write(&priv->sem);
+       write_unlock(&priv->rwlock);
        mmu_notifier_unregister(&priv->mn, priv->mm);
        kfree(priv);
        return 0;
@@ -404,7 +404,7 @@ static long gntdev_ioctl_map_grant_ref(struct gntdev_priv 
*priv,
        if (unlikely(op.count > priv->limit))
                return -EINVAL;
 
-       down_write(&priv->sem);
+       write_lock(&priv->rwlock);
        err = -ENOMEM;
        map = gntdev_add_map(priv, op.count);
        if (!map)
@@ -417,13 +417,13 @@ static long gntdev_ioctl_map_grant_ref(struct gntdev_priv 
*priv,
        op.index = map->index << PAGE_SHIFT;
        if (copy_to_user(u, &op, sizeof(op)) != 0)
                goto err_free;
-       up_write(&priv->sem);
+       write_unlock(&priv->rwlock);
        return 0;
 
 err_free:
        gntdev_del_map(map);
 err_unlock:
-       up_write(&priv->sem);
+       write_unlock(&priv->rwlock);
        return err;
 }
 
@@ -440,11 +440,11 @@ static long gntdev_ioctl_unmap_grant_ref(struct 
gntdev_priv *priv,
                printk("%s: priv %p, del %d+%d\n", __FUNCTION__, priv,
                       (int)op.index, (int)op.count);
 
-       down_write(&priv->sem);
+       write_lock(&priv->rwlock);
        map = gntdev_find_map_index(priv, op.index >> PAGE_SHIFT, op.count);
        if (map)
                err = gntdev_del_map(map);
-       up_write(&priv->sem);
+       write_unlock(&priv->rwlock);
        return err;
 }
 
@@ -460,16 +460,16 @@ static long gntdev_ioctl_get_offset_for_vaddr(struct 
gntdev_priv *priv,
                printk("%s: priv %p, offset for vaddr %lx\n", __FUNCTION__, 
priv,
                       (unsigned long)op.vaddr);
 
-       down_read(&priv->sem);
+       read_lock(&priv->rwlock);
        map = gntdev_find_map_vaddr(priv, op.vaddr);
        if (map == NULL ||
            map->vma->vm_start != op.vaddr) {
-               up_read(&priv->sem);
+               read_unlock(&priv->rwlock);
                return -EINVAL;
        }
        op.offset = map->index << PAGE_SHIFT;
        op.count = map->count;
-       up_read(&priv->sem);
+       read_unlock(&priv->rwlock);
 
        if (copy_to_user(u, &op, sizeof(op)) != 0)
                return -EFAULT;
@@ -488,9 +488,9 @@ static long gntdev_ioctl_set_max_grants(struct gntdev_priv 
*priv,
        if (op.count > limit)
                return -EINVAL;
 
-       down_write(&priv->sem);
+       write_lock(&priv->rwlock);
        priv->limit = op.count;
-       up_write(&priv->sem);
+       write_unlock(&priv->rwlock);
        return 0;
 }
 
@@ -538,7 +538,7 @@ static int gntdev_mmap(struct file *flip, struct 
vm_area_struct *vma)
                printk("%s: map %d+%d at %lx (pgoff %lx)\n", __FUNCTION__,
                       index, count, vma->vm_start, vma->vm_pgoff);
 
-       down_read(&priv->sem);
+       read_lock(&priv->rwlock);
        map = gntdev_find_map_index(priv, index, count);
        if (!map)
                goto unlock_out;
@@ -580,7 +580,7 @@ static int gntdev_mmap(struct file *flip, struct 
vm_area_struct *vma)
        map->is_mapped = 1;
 
 unlock_out:
-       up_read(&priv->sem);
+       read_unlock(&priv->rwlock);
        return err;
 }
 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel