@@ -178,3 +178,73 @@ DMA Fence uABI/Sync File
178178.. kernel-doc :: include/linux/sync_file.h
179179 :internal:
180180
181+ Indefinite DMA Fences
182+ ~~~~~~~~~~~~~~~~~~~~
183+
184+ At various times &dma_fence with an indefinite time until dma_fence_wait()
185+ finishes have been proposed. Examples include:
186+
187+ * Future fences, used in HWC1 to signal when a buffer isn't used by the display
188+ any longer, and created with the screen update that makes the buffer visible.
189+ The time this fence completes is entirely under userspace's control.
190+
191+ * Proxy fences, proposed to handle &drm_syncobj for which the fence has not yet
192+ been set. Used to asynchronously delay command submission.
193+
194+ * Userspace fences or gpu futexes, fine-grained locking within a command buffer
195+ that userspace uses for synchronization across engines or with the CPU, which
196+ are then imported as a DMA fence for integration into existing winsys
197+ protocols.
198+
199+ * Long-running compute command buffers, while still using traditional end of
200+ batch DMA fences for memory management instead of context preemption DMA
201+ fences which get reattached when the compute job is rescheduled.
202+
203+ Common to all these schemes is that userspace controls the dependencies of these
204+ fences and controls when they fire. Mixing indefinite fences with normal
205+ in-kernel DMA fences does not work, even when a fallback timeout is included to
206+ protect against malicious userspace:
207+
208+ * Only the kernel knows about all DMA fence dependencies, userspace is not aware
209+ of dependencies injected due to memory management or scheduler decisions.
210+
211+ * Only userspace knows about all dependencies in indefinite fences and when
212+ exactly they will complete, the kernel has no visibility.
213+
214+ Furthermore the kernel has to be able to hold up userspace command submission
215+ for memory management needs, which means we must support indefinite fences being
216+ dependent upon DMA fences. If the kernel also support indefinite fences in the
217+ kernel like a DMA fence, like any of the above proposal would, there is the
218+ potential for deadlocks.
219+
220+ .. kernel-render :: DOT
221+ :alt: Indefinite Fencing Dependency Cycle
222+ :caption: Indefinite Fencing Dependency Cycle
223+
224+ digraph "Fencing Cycle" {
225+ node [shape=box bgcolor=grey style=filled]
226+ kernel [label="Kernel DMA Fences"]
227+ userspace [label="userspace controlled fences"]
228+ kernel -> userspace [label="memory management"]
229+ userspace -> kernel [label="Future fence, fence proxy, ..."]
230+
231+ { rank=same; kernel userspace }
232+ }
233+
234+ This means that the kernel might accidentally create deadlocks
235+ through memory management dependencies which userspace is unaware of, which
236+ randomly hangs workloads until the timeout kicks in. Workloads, which from
237+ userspace's perspective, do not contain a deadlock. In such a mixed fencing
238+ architecture there is no single entity with knowledge of all dependencies.
239+ Thefore preventing such deadlocks from within the kernel is not possible.
240+
241+ The only solution to avoid dependencies loops is by not allowing indefinite
242+ fences in the kernel. This means:
243+
244+ * No future fences, proxy fences or userspace fences imported as DMA fences,
245+ with or without a timeout.
246+
247+ * No DMA fences that signal end of batchbuffer for command submission where
248+ userspace is allowed to use userspace fencing or long running compute
249+ workloads. This also means no implicit fencing for shared buffers in these
250+ cases.
0 commit comments