From: Daniel Almeida <dwlsalmeida@gmail.com>
To: phasta@kernel.org
Cc: "Boris Brezillon" <boris.brezillon@collabora.com>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Boqun Feng" <boqun@kernel.org>, "Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <lossin@kernel.org>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>,
"Danilo Krummrich" <dakr@kernel.org>,
"Sumit Semwal" <sumit.semwal@linaro.org>,
"Christian König" <christian.koenig@amd.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
"Frederic Weisbecker" <frederic@kernel.org>,
"Neeraj Upadhyay" <neeraj.upadhyay@kernel.org>,
"Joel Fernandes" <joelagnelf@nvidia.com>,
"Josh Triplett" <josh@joshtriplett.org>,
"Uladzislau Rezki" <urezki@gmail.com>,
"Steven Rostedt" <rostedt@goodmis.org>,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"Lai Jiangshan" <jiangshanlai@gmail.com>,
Zqiang <qiang.zhang@linux.dev>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Igor Korotin" <igor.korotin@linux.dev>,
"Lorenzo Stoakes" <ljs@kernel.org>,
"Alexandre Courbot" <acourbot@nvidia.com>,
"FUJITA Tomonori" <fujita.tomonori@gmail.com>,
"Krishna Ketan Rai" <prafulrai522@gmail.com>,
"Shankari Anand" <shankari.ak0208@gmail.com>,
manos@pitsidianak.is, linux-kernel@vger.kernel.org,
rust-for-linux@vger.kernel.org, linux-media@vger.kernel.org,
dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org,
rcu@vger.kernel.org
Subject: Re: [PATCH 3/4] rust: Add dma_fence abstractions
Date: Fri, 5 Jun 2026 13:00:35 -0300 [thread overview]
Message-ID: <FEFE0522-FD7A-40DE-8B2A-09FE2F33F327@gmail.com> (raw)
In-Reply-To: <8ff2de94a50ed077a4cfe520a081f2b8b438a375.camel@mailbox.org>
> On 5 Jun 2026, at 04:56, Philipp Stanner <phasta@mailbox.org> wrote:
>
> On Thu, 2026-06-04 at 10:15 +0200, Boris Brezillon wrote:
>> On Wed, 3 Jun 2026 21:43:05 -0300
>> Daniel Almeida <dwlsalmeida@gmail.com> wrote:
>>
>>>> On 3 Jun 2026, at 14:14, Boris Brezillon <boris.brezillon@collabora.com> wrote:
>>>>
>>>> On Wed, 3 Jun 2026 13:41:02 -0300
>>>> Daniel Almeida <dwlsalmeida@gmail.com> wrote:
>>>>
>>>>>> + /// Called when the fence is signaled.
>>>>>> + ///
>>>>>> + /// This is called from the fence signaling path, which may be in interrupt
>>>>>> + /// context or with locks held, which is why `self` is only borrowed, so that
>>>>>> + /// it cannot drop. Implementations must not sleep or perform
>>>>>> + /// long-running operations.
>>>>>> + ///
>>>>>> + /// An implementation likely wants to inform itself (e.g., through a work item)
>>>>>> + /// within this callback that the associated [`FenceCbRegistration`] can now be
>>>>>> + /// dropped.
>>>>>> + fn called(&mut self);
>>>>>
>>>>> This is a central point. We ideally would want this to consume self, because we
>>>>> may want to move things out of the callback.
>>>>
>>>> This one comes from me. The rationale being that ::called() is called
>>>> from an atomic context, and the resources attached to the callback data
>>>> might require acquiring other sleeping locks to be released, and
>>>> sometimes you don't even notice immediately because said resources are
>>>> refcounted, and the lock is only acquired when you happen to be the
>>>> last owner. Yes, those can be caught at runtime if the C side is
>>>> properly annotated with might_sleep(), but that's not always the case.
>>>>
>>>> If we defer the drop of the data only when the FenceCb is
>>>> dropped/recycled, we're at least not constrained by this "runs in
>>>> atomic context" thing.
>>>>
>>>
>>> This design does not solve it, because one can quite trivially get around this
>>> restriction using Option<T> as I said. If your point is “don’t run any drop() here”,
>>> then &mut self doesn’t do it.
>>
>> My bad, I thought you were talking about some Option<T> in
>> FenceCbRegistration<T> (there was one at some point, but it's gone now),
>> but you're talking about having an Option<X> inside the T. Yes, there's
>> indeed nothing preventing a drop on X in that path, and it's just as
>> bad as passing the fence back as value to the callback in that case.
>
> Then maybe we should just pass it by value and require implementation
> of an unsafe trait on `T`, whose safety-requirements demand that this
> must be save to drop from atomic context.
>
>>
>>>
>>>>>
>>>>> Consider a fence design where signal() consumes self. Now consider this:
>>>>>
>>>>> ```
>>>>> impl FenceCb for MyCallback {
>>>>> fn called(&mut self) {
>>>>> // Can't move the fence out, so we have to put an Option<T> just to be able
>>>>> // to move.
>>>>> if let Some(f) = self.some_fence.take() {
>>>>> f.signal();
>>>>> }
>>>>> }
>>>>> ```
>>>>>
>>>>> This used to be the case when our version of the job queue used the "proxy
>>>>> fence" design:
>>>>>
>>>>>
>>>>> ```
>>>>> // Callback on the hw fence
>>>>> impl FenceCb for MyCallback {
>>>>> fn called(&mut self) {
>>>>> if let Some(f) = self.submit_fence.take() {
>>>>> f.signal();
>>>>> }
>>>>
>>>> I'm pretty sure lockdep won't like it anyway, because this is nested
>>>> locking of the same lock class. For such proxies, we'll need to teach
>>>> lockdep about the nesting like has been recently done on
>>>> dma_fence_array & co. But I'm digressing.
>>>
>>> Yeah, but this is more about resource transfer in general, not
>>> this pattern specifically.
>>>
>>> I agree that this has issues, and yes, lockdep complained back
>>> then :)
>>
>> The thing is, there's so many aspects that could go wrong because of the
>> context this callback is called in. Nested locking is one of them,
>> the fact we can't sleep is another. And with rust it's even worse,
>> because of the implicit drops that will happen when you take ownership
>> of resources (taking sleeping locks to remove resources from a dataset
>> for instance).
>
> Doesn't that have to be a problem for much of Rust infrastructure? How
> do other parties solve that?
>
>>
>> So, by passing self by value to the ::callback(), you're basically
>> telling users "hey, BTW, don't forget to defer the drop to some
>> workqueue if you think it's not atomic-safe". And how can users know
>> that the thing they're about to drop can be dropped in atomic context?
>> They basically have to audit the ::drop() of all the resources they
>> embed in their type implementing FenceCb. Not only that, but they also
>> have to design the thing so the deferral of this ::drop() doesn't
>> allocate, because, obviously, allocating in atomic context is
>> tricky/fallible. AFAIK, none of this can be spot at compile-time (I
>> remember Gary/Danilo mentioning that we could teach the klint about
>> some of these rules). This would leave us with runtime checks like
>> might_sleep(), but most of the C putters (xxx_put(object)) don't have
>> might_sleep() in the path where the decref doesn't lead to a refcnt=0
>> situation.
>>
>> TLDR; Call this PTSD if you want, but this is the sort of bugs I
>> struggled with on the C side, and I can predict that the exact same
>> will happen in rust drivers if we expose the FenceCb as it is designed
>> here and we don't have a way to check the soundness of the FenceCb
>> implementations at compile time.
>
> My guess would be that the existence of unsafe-traits is the admission
> of Rust that this just cannot be guaranteed by design.
>
> If a driver cannot know whether this or that is safe to drop, then it
> would have to defer it's dropping. Or would there be cases where this
> also doesn't work?
Although I totally understand where Boris is coming from here, and I agree with
him, the reality is that the current &mut self design doesn’t solve this. An
unsafe trait could work as a pinky-promise by drivers, which is half-way there.
What we ideally would like to have is a bound though, something like:
T: !Drop
If I recall correctly there were people working to get support for that on
Rust? I think there are two things here: !Trait, which is not supported except
for !Sized IIRC, and having an auto trait that represents types that implement
Drop, similar to Send and Sync.
>
>>
>> The other option (the one I've been advocating for from the start), is
>> to not let drivers implement FenceCb (make it private), but instead
>> have a bunch of implementations that we know are safe. Here's a list of
>> implementations that I think would unblock most of the drivers use
>> cases:
>>
>> - wakeup a thread
>> - complete a completion object
>> - schedule a WorkItem
>> - schedule a kthread_worker (once we get a proper rust abstraction for
>> that)
>>
>> It doesn't mean we can't have optimized FenceCb implementations that do
>> a lot more in the callback() path instead of deferring to a
>> workqueue/thread, but at least those would have to be implemented in
>> dma_fence.rs, and the dma_fence.rs maintainers can then carefully audit
>> the code as part of the review process, which we know is not really the
>> case when changes touch drivers code only.
>
> Pragmatically speaking, if the common cases are trivial, then the
> drivers will get them right, because those critical primitives are
> already atomic-safe.
No, you can still fumble trivial code, specially when it has to be cargo-culted
from somewhere else.
I am not saying that having things in dma_fence . rs is the solution, although
it is definitely one solution. But the argument above isn’t very strong
IMHO.
>
> And a non-common case will have to be implemented in the driver
> anyways, so we'd have to allow for that.
>
>
>
> P.
next prev parent reply other threads:[~2026-06-05 16:01 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-30 14:35 [PATCH 0/4] rust / dma_buf: Add abstractions for dma_fence Philipp Stanner
2026-05-30 14:35 ` [PATCH 1/4] rust: types: implement ForeignOwnable for ARef<T> Philipp Stanner
2026-06-01 9:46 ` Alice Ryhl
2026-05-30 14:35 ` [PATCH 2/4] rust: rcu: add RcuBox type Philipp Stanner
2026-05-30 15:08 ` Boqun Feng
2026-05-30 15:27 ` Danilo Krummrich
2026-06-01 7:56 ` Philipp Stanner
2026-06-01 13:41 ` Boqun Feng
2026-06-03 9:33 ` Philipp Stanner
2026-06-03 9:35 ` Alice Ryhl
2026-06-03 15:27 ` Boqun Feng
2026-06-03 17:36 ` Boqun Feng
2026-06-03 17:07 ` Boqun Feng
2026-05-30 14:35 ` [PATCH 3/4] rust: Add dma_fence abstractions Philipp Stanner
2026-05-30 15:16 ` Danilo Krummrich
2026-06-01 8:46 ` Philipp Stanner
2026-06-01 10:13 ` Danilo Krummrich
2026-06-01 10:36 ` Alice Ryhl
2026-06-01 10:59 ` Boris Brezillon
2026-06-01 11:17 ` Philipp Stanner
2026-06-01 12:35 ` Boris Brezillon
2026-06-01 12:26 ` Philipp Stanner
2026-06-01 12:39 ` Alice Ryhl
2026-06-01 12:47 ` Philipp Stanner
2026-06-01 13:22 ` Alice Ryhl
2026-06-01 13:23 ` Philipp Stanner
2026-06-01 13:27 ` Alice Ryhl
2026-06-01 12:37 ` Boris Brezillon
2026-06-03 16:41 ` Daniel Almeida
2026-06-03 17:14 ` Boris Brezillon
2026-06-04 0:43 ` Daniel Almeida
2026-06-04 8:15 ` Boris Brezillon
2026-06-05 7:56 ` Philipp Stanner
2026-06-05 16:00 ` Daniel Almeida [this message]
2026-06-05 16:02 ` Daniel Almeida
2026-06-05 15:51 ` Daniel Almeida
2026-05-30 14:35 ` [PATCH 4/4] MAINTAINERS: Add entry for Rust dma-buf Philipp Stanner
2026-05-30 15:20 ` Danilo Krummrich
2026-06-03 15:22 ` [PATCH 0/4] rust / dma_buf: Add abstractions for dma_fence Daniel Almeida
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=FEFE0522-FD7A-40DE-8B2A-09FE2F33F327@gmail.com \
--to=dwlsalmeida@gmail.com \
--cc=a.hindborg@kernel.org \
--cc=acourbot@nvidia.com \
--cc=aliceryhl@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun@kernel.org \
--cc=boris.brezillon@collabora.com \
--cc=christian.koenig@amd.com \
--cc=dakr@kernel.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=frederic@kernel.org \
--cc=fujita.tomonori@gmail.com \
--cc=gary@garyguo.net \
--cc=gregkh@linuxfoundation.org \
--cc=igor.korotin@linux.dev \
--cc=jiangshanlai@gmail.com \
--cc=joelagnelf@nvidia.com \
--cc=josh@joshtriplett.org \
--cc=linaro-mm-sig@lists.linaro.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=ljs@kernel.org \
--cc=lossin@kernel.org \
--cc=manos@pitsidianak.is \
--cc=mathieu.desnoyers@efficios.com \
--cc=neeraj.upadhyay@kernel.org \
--cc=ojeda@kernel.org \
--cc=paulmck@kernel.org \
--cc=phasta@kernel.org \
--cc=prafulrai522@gmail.com \
--cc=qiang.zhang@linux.dev \
--cc=rcu@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=shankari.ak0208@gmail.com \
--cc=sumit.semwal@linaro.org \
--cc=tmgross@umich.edu \
--cc=urezki@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome