subject:"Re\: \[PATCH v4 2\/4\] drm\/panic\: Add a drm panic handler"


Hi

Am 10.10.23 um 14:59 schrieb Daniel Vetter:
[...]




Why can't we use the model[1] suggested by Daniel using a draw_pixel
callback giving drivers full control on how they can put a pixel on the
display?


I share kind of the same general ideas/conclusions: "qthe idea is that
all the fb selection and lookup is handled in shared code (and with
proper locking, but only for atomic drivers)."

2016 is a bit old though and multiple developments happened since
(secure playback is a thing now, framebuffer compression too), so I
still think that their expectation that the framebuffer is accessible to
/ writable by the CPU no longer holds true.


I think largely it should still be ok, because the idea behind the draw_xy
callback was that the driver could take care of anything special, like
- tiling
- clearing compression bits so that just writing the raw pixels works (if
   your compression format allows for that)
- handling any differences in how the pixels need to be written, like
   cache flushing, mmio_write vs normal memory, amd also has peek/poke
   registers to be able to write even into unmappable memory

What would probably be a good idea is to do an s/void */uinptr_t/ over my
interface proposal, or maybe an even more opaque cookie since really the
only thing you can do is get the void * that ->panic_vmap returns and pass
it into ->panic_draw_xy.

I thought (but I didn't dig through details) that the panic fb struct is
essentially meant to serve this purpose in the current series?


I have one detail about the code: While working on the format-conversion 
code, I've always found struct drm_framebuffer to be clunky to work 
with. It's build around the idea of managing GEM buffers, but not 
accessing them.


So I've been thinking about something like a drm_pixmap that contains 
size, color format and data pointers in one place. Reads and writes 
would be callbacks. It could abstract access to any kind of buffer. 
IIRC Jocelyn had something like that in the very first patchset. or 
maybe fb_pixmap could be repurposed.


Best regards
Thomas




This will even work for the AMD debug interface.
In the linear CPU accessible buffer case, we can provide a helper for
that, maybe we can do helpers for other common cases as well.


Yeah, their idea of a panic_draw would work great for that.


Adding to that we would need a panic_setup/enter and panic_teardown/exit
callback.


What for?


So panic teardown would be for testing in CI, to make it non-destructive
and clean up anything panic_vmap (or _enter or whatever you call it) has
done. I thought John Oggness was also looking into how the new panic
handlers/consoles could be made testable in the panic paths, including
lock stealing and getting called from nmi.
-Sima


--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)


OpenPGP_signature.asc
Description: OpenPGP digital signature

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler


Hi

Am 10.10.23 um 11:33 schrieb Maxime Ripard:
[...]

We also have discussions about kexec/kdump support. Here we'd need to
retrieve the scanout address, forward it to the kexec kernel and put
simpledrm onto that framebuffer until the regular driver takes over.


Generically speaking, there's strictly no guarantee that the current
scanout buffer is accessible by the CPU. It's not even a driver issue,
it's a workload issue, so it will affect 100% of the times some users,
and some 0% of the time.


And I'd be OK with that. It's all best effort anyway.




An interface like get_scanout_buffer will be helpful for this use
case. So it makes sense to use it for the panic handler as well.


It won't be helpful because the vast majority of the ARM drivers (and
thus the vast majority of the KMS drivers) won't be able to implement it
properly and reliably.


The barrier for firmware-based drivers is low: a pre-configured display 
and mmap'able framebuffer memory. And it's assumed that a callback for 
kexec would attempt to configure hardware accordingly. If a system 
really cannot provide this, so be it.





run the atomic_update() on it, and return this commit's framebuffer ?

That way each driver have a better control on what the panic handler will
do.
It can even call directly its internal functions, to avoid the locks of the
drm generic functions, and make sure it will only change the format and base
address.
That's a bit more work for each driver, but should be more reliable I think.


I don't think that better control there is a good idea, it's a path that
won't get tested much so we'd be better off not allowing drivers to
deviate too much from the "ideal" design.

What I had in mind is something like:

- Add a panic hook in drm_mode_config_funcs, with a
  drm_atomic_helper_panic helper;

- Provide an atomic_panic hook or something in drm_plane_helper_funcs;

- If they are set, we register the drm_panic handler;

- The handler will call drm_mode_config_funcs.panic, which will take
  its prepared state, fill the framebuffer it allocated with the
  penguin and backtrace, call drm_plane_helper_funcs.atomic_panic().

- The driver now updates the format and fb address.

- Halt and catch fire

Does that make sense?


Please see my other replies. I find this fragile, and unnecessary for cases
where there already is a working scanout buffer in place.


And please see my other replies. Depending on a working scanout buffer
in place being accessible by the CPU is incredibly limiting. Ignoring it
when I'm pointing that out won't get us to a solution acceptable for
everyone.


It's something a driver could implement internally to provide a
scanout buffer if none has been set up already.


Some drivers need extra resources when setting up a plane. VC4 for
example need for every plane to allocate multiple internal SRAM buffers.
Just allocating an extra framebuffer won't cut it.

This is tied to the state so far, so I guess we would need to allocate a
new state. Oh, and if we have several drivers that need to allocate that
extra framebuffer and state, we could make it part of the core or turn
it into a helper?


I mentioned that even the simple drivers hold locks during the atomic 
commit. Some of the drivers use vmap/vunmap, which might make problems 
as well. It's used in the context of damage handling, which also makes 
no sense here. So the regular atomic helpers most likely won't work.


It sounds to me as if you're essentially asking for something like a 
flush or sync operation.


Stepping back from get_scanout_buffer for a moment and adopting your 
proposal from above, I can see something like this working:


  - the driver provides a panic callback in struct drm_driver

  - DRM registers a panic handler to invokes the callback

  - the panic callback has a scanout buffer from somewhere (currently 
active, prepared, from firmware, plain memory, etc)


  - we provide a helper that fills the scanout buffer with information

  - the driver then updates the hardware from/with the scanout buffer; 
details depend on the hardware


The final step is like a flush or commit operation. To give some 
examples: The simple drivers of this patchset probably don't have to do 
anything. Drivers with command/packet queues could attempt to send the 
necessary commands to the device.


Best regards
Thomas



Maxime


--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)


OpenPGP_signature.asc
Description: OpenPGP digital signature

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

2023-10-10 Thread Daniel Vetter

On Tue, Oct 10, 2023 at 02:15:47PM +0200, Maxime Ripard wrote:
> On Tue, Oct 10, 2023 at 01:29:52PM +0200, Noralf Trønnes wrote:
> > 
> > 
> > On 10/10/23 11:25, Maxime Ripard wrote:
> > > 
> > > 
> > > On Tue, Oct 10, 2023 at 10:55:09AM +0200, Thomas Zimmermann wrote:
> >  So if I understand correctly, drm_panic would pre-allocate a 
> >  plane/commit,
> >  and use that when a panic occurs ?
> > >>>
> > >>> And have it checked already, yes. We would only wait for a panic to
> > >>> happen to pull the trigger on the commit.
> > >>>
> >  I have two concern about this approach:
> >  - How much memory would be allocated for this ? a whole framebuffer 
> >  can be
> >  big for just this use case.
> > >>
> > >> As I outlined in my email at [1], there are a number of different 
> > >> scenarios.
> > >> The question of atomic state and commits is entirely separate from the 
> > >> DRM
> > >> panic handler. We should not throw them together. Whatever is necessary 
> > >> is
> > >> get a scanout buffer, should happen on the driver side of
> > >> get_scanout_buffer, not on the drm_panic side.
> > >>
> > >> [1] 
> > >> https://lore.kernel.org/dri-devel/39bd4c35-8a61-42ee-8675-ccea4f5d4...@suse.de/T/#m22f116e9438e00a5f0a9dc43987d4153424f8be1
> > >>
> > >>>
> > >>> I'dd expect a whole framebuffer for the current
> > >>> configuration/resolution. It would be typically 4MB for a full-HD system
> > >>> which isn't a lot really and I guess we can always add an option to
> > >>> disable the mechanism if needed.
> > >>>
> >  - I find it risky to completely reconfigure the hardware in a panic 
> >  handler.
> > >>>
> > >>> I would expect to only change the format and base address of the
> > >>> framebuffer. I guess it can fail, but it doesn't seem that different to
> > >>> the async plane update we already have and works well.
> > >>
> > >> The one thing I don't understand is: Why should we use atomic commits in 
> > >> the
> > >> first place? It doesn't make sense for firmware-based drivers.
> > > 
> > > Because this is generic infrastructure that is valuable for any drivers
> > > and not only firmware-based drivers?
> > > 
> > >> In some drivers, even the simple ast, we hold locks during the regular
> > >> commit. Trying to run the panic commit concurrently will likely give a
> > >> deadlock.
> > > 
> > > You're in the middle of a panic. Don't take any locks and you won't 
> > > deadlock.
> > > 
> > >> In the end it's a per-driver decision, but in most cases, the driver can
> > >> easily switch to a default mode with some ad-hoc code.
> > > 
> > > When was the last time a per-driver decision has been a good thing? I'm
> > > sorry, but the get_scanout_buffer approach buffer won't work for any
> > > driver out there.
> > > 
> > > I'm fine with discussing alternatives if you don't like the ones I
> > > suggested, but they must allow the panic handler infrastructure to work
> > > with any driver we have, not just 4.
> > > 
> > 
> > Why can't we use the model[1] suggested by Daniel using a draw_pixel
> > callback giving drivers full control on how they can put a pixel on the
> > display?
> 
> I share kind of the same general ideas/conclusions: "qthe idea is that
> all the fb selection and lookup is handled in shared code (and with
> proper locking, but only for atomic drivers)."
> 
> 2016 is a bit old though and multiple developments happened since
> (secure playback is a thing now, framebuffer compression too), so I
> still think that their expectation that the framebuffer is accessible to
> / writable by the CPU no longer holds true.

I think largely it should still be ok, because the idea behind the draw_xy
callback was that the driver could take care of anything special, like
- tiling
- clearing compression bits so that just writing the raw pixels works (if
  your compression format allows for that)
- handling any differences in how the pixels need to be written, like
  cache flushing, mmio_write vs normal memory, amd also has peek/poke
  registers to be able to write even into unmappable memory

What would probably be a good idea is to do an s/void */uinptr_t/ over my
interface proposal, or maybe an even more opaque cookie since really the
only thing you can do is get the void * that ->panic_vmap returns and pass
it into ->panic_draw_xy.

I thought (but I didn't dig through details) that the panic fb struct is
essentially meant to serve this purpose in the current series?

> > This will even work for the AMD debug interface.
> > In the linear CPU accessible buffer case, we can provide a helper for
> > that, maybe we can do helpers for other common cases as well.
> 
> Yeah, their idea of a panic_draw would work great for that.
> 
> > Adding to that we would need a panic_setup/enter and panic_teardown/exit
> > callback.
> 
> What for?

So panic teardown would be for testing in CI, to make it non-destructive
and clean up anything panic_vmap (or _enter or whatever you call it) has
done. I

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

On Tue, Oct 10, 2023 at 01:29:52PM +0200, Noralf Trønnes wrote:
> 
> 
> On 10/10/23 11:25, Maxime Ripard wrote:
> > 
> > 
> > On Tue, Oct 10, 2023 at 10:55:09AM +0200, Thomas Zimmermann wrote:
>  So if I understand correctly, drm_panic would pre-allocate a 
>  plane/commit,
>  and use that when a panic occurs ?
> >>>
> >>> And have it checked already, yes. We would only wait for a panic to
> >>> happen to pull the trigger on the commit.
> >>>
>  I have two concern about this approach:
>  - How much memory would be allocated for this ? a whole framebuffer can 
>  be
>  big for just this use case.
> >>
> >> As I outlined in my email at [1], there are a number of different 
> >> scenarios.
> >> The question of atomic state and commits is entirely separate from the DRM
> >> panic handler. We should not throw them together. Whatever is necessary is
> >> get a scanout buffer, should happen on the driver side of
> >> get_scanout_buffer, not on the drm_panic side.
> >>
> >> [1] 
> >> https://lore.kernel.org/dri-devel/39bd4c35-8a61-42ee-8675-ccea4f5d4...@suse.de/T/#m22f116e9438e00a5f0a9dc43987d4153424f8be1
> >>
> >>>
> >>> I'dd expect a whole framebuffer for the current
> >>> configuration/resolution. It would be typically 4MB for a full-HD system
> >>> which isn't a lot really and I guess we can always add an option to
> >>> disable the mechanism if needed.
> >>>
>  - I find it risky to completely reconfigure the hardware in a panic 
>  handler.
> >>>
> >>> I would expect to only change the format and base address of the
> >>> framebuffer. I guess it can fail, but it doesn't seem that different to
> >>> the async plane update we already have and works well.
> >>
> >> The one thing I don't understand is: Why should we use atomic commits in 
> >> the
> >> first place? It doesn't make sense for firmware-based drivers.
> > 
> > Because this is generic infrastructure that is valuable for any drivers
> > and not only firmware-based drivers?
> > 
> >> In some drivers, even the simple ast, we hold locks during the regular
> >> commit. Trying to run the panic commit concurrently will likely give a
> >> deadlock.
> > 
> > You're in the middle of a panic. Don't take any locks and you won't 
> > deadlock.
> > 
> >> In the end it's a per-driver decision, but in most cases, the driver can
> >> easily switch to a default mode with some ad-hoc code.
> > 
> > When was the last time a per-driver decision has been a good thing? I'm
> > sorry, but the get_scanout_buffer approach buffer won't work for any
> > driver out there.
> > 
> > I'm fine with discussing alternatives if you don't like the ones I
> > suggested, but they must allow the panic handler infrastructure to work
> > with any driver we have, not just 4.
> > 
> 
> Why can't we use the model[1] suggested by Daniel using a draw_pixel
> callback giving drivers full control on how they can put a pixel on the
> display?

I share kind of the same general ideas/conclusions: "qthe idea is that
all the fb selection and lookup is handled in shared code (and with
proper locking, but only for atomic drivers)."

2016 is a bit old though and multiple developments happened since
(secure playback is a thing now, framebuffer compression too), so I
still think that their expectation that the framebuffer is accessible to
/ writable by the CPU no longer holds true.

> This will even work for the AMD debug interface.
> In the linear CPU accessible buffer case, we can provide a helper for
> that, maybe we can do helpers for other common cases as well.

Yeah, their idea of a panic_draw would work great for that.

> Adding to that we would need a panic_setup/enter and panic_teardown/exit
> callback.

What for?

Maxime


signature.asc
Description: PGP signature

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

2023-10-10 Thread Noralf Trønnes




On 10/10/23 11:25, Maxime Ripard wrote:
> 
> 
> On Tue, Oct 10, 2023 at 10:55:09AM +0200, Thomas Zimmermann wrote:
 So if I understand correctly, drm_panic would pre-allocate a plane/commit,
 and use that when a panic occurs ?
>>>
>>> And have it checked already, yes. We would only wait for a panic to
>>> happen to pull the trigger on the commit.
>>>
 I have two concern about this approach:
 - How much memory would be allocated for this ? a whole framebuffer can be
 big for just this use case.
>>
>> As I outlined in my email at [1], there are a number of different scenarios.
>> The question of atomic state and commits is entirely separate from the DRM
>> panic handler. We should not throw them together. Whatever is necessary is
>> get a scanout buffer, should happen on the driver side of
>> get_scanout_buffer, not on the drm_panic side.
>>
>> [1] 
>> https://lore.kernel.org/dri-devel/39bd4c35-8a61-42ee-8675-ccea4f5d4...@suse.de/T/#m22f116e9438e00a5f0a9dc43987d4153424f8be1
>>
>>>
>>> I'dd expect a whole framebuffer for the current
>>> configuration/resolution. It would be typically 4MB for a full-HD system
>>> which isn't a lot really and I guess we can always add an option to
>>> disable the mechanism if needed.
>>>
 - I find it risky to completely reconfigure the hardware in a panic 
 handler.
>>>
>>> I would expect to only change the format and base address of the
>>> framebuffer. I guess it can fail, but it doesn't seem that different to
>>> the async plane update we already have and works well.
>>
>> The one thing I don't understand is: Why should we use atomic commits in the
>> first place? It doesn't make sense for firmware-based drivers.
> 
> Because this is generic infrastructure that is valuable for any drivers
> and not only firmware-based drivers?
> 
>> In some drivers, even the simple ast, we hold locks during the regular
>> commit. Trying to run the panic commit concurrently will likely give a
>> deadlock.
> 
> You're in the middle of a panic. Don't take any locks and you won't deadlock.
> 
>> In the end it's a per-driver decision, but in most cases, the driver can
>> easily switch to a default mode with some ad-hoc code.
> 
> When was the last time a per-driver decision has been a good thing? I'm
> sorry, but the get_scanout_buffer approach buffer won't work for any
> driver out there.
> 
> I'm fine with discussing alternatives if you don't like the ones I
> suggested, but they must allow the panic handler infrastructure to work
> with any driver we have, not just 4.
> 

Why can't we use the model[1] suggested by Daniel using a draw_pixel
callback giving drivers full control on how they can put a pixel on the
display?

This will even work for the AMD debug interface.
In the linear CPU accessible buffer case, we can provide a helper for
that, maybe we can do helpers for other common cases as well.

Adding to that we would need a panic_setup/enter and panic_teardown/exit
callback.

Noralf.

[1]
https://lore.kernel.org/dri-devel/20160810091529.GQ6232@phenom.ffwll.local/

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

On Tue, Oct 10, 2023 at 11:04:33AM +0200, Thomas Zimmermann wrote:
> Am 09.10.23 um 18:07 schrieb Maxime Ripard:
> > On Mon, Oct 09, 2023 at 04:05:19PM +0200, Jocelyn Falempe wrote:
> > > > > - I find it risky to completely reconfigure the hardware in a panic 
> > > > > handler.
> > > > 
> > > > I would expect to only change the format and base address of the
> > > > framebuffer. I guess it can fail, but it doesn't seem that different to
> > > > the async plane update we already have and works well.
> > > > 
> > > In this case it can work, but by using generic drm api, it's hard to know
> > > what the driver will do.
> > 
> > We should document extensively what we expect drivers to do in those
> > hooks, and possibly call cant_sleep() in the framework function to have
> > some reporting at least.
> > 
> > > > > Also how many drivers would need this ?
> > > > > 
> > > > > Currently I was mostly considering x86 platform, so:
> > > > > 
> > > > > simpledrm/ast/mgag200 which works well with the get_scanout_buffer().
> > > > > 
> > > > > i915/amdgpu/nouveau, which are quite complex, and will need to do 
> > > > > their own
> > > > > thing anyway.
> > > > 
> > > > I guess we're not entirely aligned there then. I would expect that
> > > > mechanism to work with any atomic KMS driver. You are right that i915,
> > > > amdgpu and nouveau are special enough that some extra internal plumbing
> > > > is going to be required, but I'd expect it to be easy to support with
> > > > any other driver for a memory-mapped device.
> > > > 
> > > > I guess what I'm trying to say is, even though it's totally fine that
> > > > you only support those drivers at first, supporting in vc4 for example
> > > > shouldn't require to rewrite the whole thing.
> > > 
> > > Would that work for you to put that in a drm_panic_helper.c,
> > > so that drivers can opt-in ?
> > > 
> > > So the driver can call a drm_panic_helper_prepare_commit() at
> > > initialization, and then in the get_scanout_buffer() function
> > 
> > If we have a full blown commit with a new framebuffer, why do we need
> > get_scanout_buffer? It should be either the framebuffer itself, or in
> > the plane state if you have a conversion.
> 
> We also have discussions about kexec/kdump support. Here we'd need to
> retrieve the scanout address, forward it to the kexec kernel and put
> simpledrm onto that framebuffer until the regular driver takes over.

Generically speaking, there's strictly no guarantee that the current
scanout buffer is accessible by the CPU. It's not even a driver issue,
it's a workload issue, so it will affect 100% of the times some users,
and some 0% of the time.

> An interface like get_scanout_buffer will be helpful for this use
> case. So it makes sense to use it for the panic handler as well.

It won't be helpful because the vast majority of the ARM drivers (and
thus the vast majority of the KMS drivers) won't be able to implement it
properly and reliably.

> > > run the atomic_update() on it, and return this commit's framebuffer ?
> > > 
> > > That way each driver have a better control on what the panic handler will
> > > do.
> > > It can even call directly its internal functions, to avoid the locks of 
> > > the
> > > drm generic functions, and make sure it will only change the format and 
> > > base
> > > address.
> > > That's a bit more work for each driver, but should be more reliable I 
> > > think.
> > 
> > I don't think that better control there is a good idea, it's a path that
> > won't get tested much so we'd be better off not allowing drivers to
> > deviate too much from the "ideal" design.
> > 
> > What I had in mind is something like:
> > 
> >- Add a panic hook in drm_mode_config_funcs, with a
> >  drm_atomic_helper_panic helper;
> > 
> >- Provide an atomic_panic hook or something in drm_plane_helper_funcs;
> > 
> >- If they are set, we register the drm_panic handler;
> > 
> >- The handler will call drm_mode_config_funcs.panic, which will take
> >  its prepared state, fill the framebuffer it allocated with the
> >  penguin and backtrace, call drm_plane_helper_funcs.atomic_panic().
> > 
> >- The driver now updates the format and fb address.
> > 
> >- Halt and catch fire
> > 
> > Does that make sense?
> 
> Please see my other replies. I find this fragile, and unnecessary for cases
> where there already is a working scanout buffer in place.

And please see my other replies. Depending on a working scanout buffer
in place being accessible by the CPU is incredibly limiting. Ignoring it
when I'm pointing that out won't get us to a solution acceptable for
everyone.

> It's something a driver could implement internally to provide a
> scanout buffer if none has been set up already.

Some drivers need extra resources when setting up a plane. VC4 for
example need for every plane to allocate multiple internal SRAM buffers.
Just allocating an extra framebuffer won't cut it.

This is tied to the state so far, so I guess

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler



On Tue, Oct 10, 2023 at 10:55:09AM +0200, Thomas Zimmermann wrote:
> > > So if I understand correctly, drm_panic would pre-allocate a plane/commit,
> > > and use that when a panic occurs ?
> > 
> > And have it checked already, yes. We would only wait for a panic to
> > happen to pull the trigger on the commit.
> > 
> > > I have two concern about this approach:
> > > - How much memory would be allocated for this ? a whole framebuffer can be
> > > big for just this use case.
> 
> As I outlined in my email at [1], there are a number of different scenarios.
> The question of atomic state and commits is entirely separate from the DRM
> panic handler. We should not throw them together. Whatever is necessary is
> get a scanout buffer, should happen on the driver side of
> get_scanout_buffer, not on the drm_panic side.
> 
> [1] 
> https://lore.kernel.org/dri-devel/39bd4c35-8a61-42ee-8675-ccea4f5d4...@suse.de/T/#m22f116e9438e00a5f0a9dc43987d4153424f8be1
> 
> > 
> > I'dd expect a whole framebuffer for the current
> > configuration/resolution. It would be typically 4MB for a full-HD system
> > which isn't a lot really and I guess we can always add an option to
> > disable the mechanism if needed.
> > 
> > > - I find it risky to completely reconfigure the hardware in a panic 
> > > handler.
> > 
> > I would expect to only change the format and base address of the
> > framebuffer. I guess it can fail, but it doesn't seem that different to
> > the async plane update we already have and works well.
> 
> The one thing I don't understand is: Why should we use atomic commits in the
> first place? It doesn't make sense for firmware-based drivers.

Because this is generic infrastructure that is valuable for any drivers
and not only firmware-based drivers?

> In some drivers, even the simple ast, we hold locks during the regular
> commit. Trying to run the panic commit concurrently will likely give a
> deadlock.

You're in the middle of a panic. Don't take any locks and you won't deadlock.

> In the end it's a per-driver decision, but in most cases, the driver can
> easily switch to a default mode with some ad-hoc code.

When was the last time a per-driver decision has been a good thing? I'm
sorry, but the get_scanout_buffer approach buffer won't work for any
driver out there.

I'm fine with discussing alternatives if you don't like the ones I
suggested, but they must allow the panic handler infrastructure to work
with any driver we have, not just 4.

Maxime


signature.asc
Description: PGP signature

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler


Hi

Am 09.10.23 um 18:07 schrieb Maxime Ripard:

On Mon, Oct 09, 2023 at 04:05:19PM +0200, Jocelyn Falempe wrote:

- I find it risky to completely reconfigure the hardware in a panic handler.


I would expect to only change the format and base address of the
framebuffer. I guess it can fail, but it doesn't seem that different to
the async plane update we already have and works well.


In this case it can work, but by using generic drm api, it's hard to know
what the driver will do.


We should document extensively what we expect drivers to do in those
hooks, and possibly call cant_sleep() in the framework function to have
some reporting at least.


Also how many drivers would need this ?

Currently I was mostly considering x86 platform, so:

simpledrm/ast/mgag200 which works well with the get_scanout_buffer().

i915/amdgpu/nouveau, which are quite complex, and will need to do their own
thing anyway.


I guess we're not entirely aligned there then. I would expect that
mechanism to work with any atomic KMS driver. You are right that i915,
amdgpu and nouveau are special enough that some extra internal plumbing
is going to be required, but I'd expect it to be easy to support with
any other driver for a memory-mapped device.

I guess what I'm trying to say is, even though it's totally fine that
you only support those drivers at first, supporting in vc4 for example
shouldn't require to rewrite the whole thing.


Would that work for you to put that in a drm_panic_helper.c,
so that drivers can opt-in ?

So the driver can call a drm_panic_helper_prepare_commit() at
initialization, and then in the get_scanout_buffer() function


If we have a full blown commit with a new framebuffer, why do we need
get_scanout_buffer? It should be either the framebuffer itself, or in
the plane state if you have a conversion.


We also have discussions about kexec/kdump support. Here we'd need to 
retrieve the scanout address, forward it to the kexec kernel and put 
simpledrm onto that framebuffer until the regular driver takes over. An 
interface like get_scanout_buffer will be helpful for this use case. So 
it makes sense to use it for the panic handler as well.





run the atomic_update() on it, and return this commit's framebuffer ?

That way each driver have a better control on what the panic handler will
do.
It can even call directly its internal functions, to avoid the locks of the
drm generic functions, and make sure it will only change the format and base
address.
That's a bit more work for each driver, but should be more reliable I think.


I don't think that better control there is a good idea, it's a path that
won't get tested much so we'd be better off not allowing drivers to
deviate too much from the "ideal" design.

What I had in mind is something like:

   - Add a panic hook in drm_mode_config_funcs, with a
 drm_atomic_helper_panic helper;

   - Provide an atomic_panic hook or something in drm_plane_helper_funcs;

   - If they are set, we register the drm_panic handler;

   - The handler will call drm_mode_config_funcs.panic, which will take
 its prepared state, fill the framebuffer it allocated with the
 penguin and backtrace, call drm_plane_helper_funcs.atomic_panic().

   - The driver now updates the format and fb address.

   - Halt and catch fire

Does that make sense?


Please see my other replies. I find this fragile, and unnecessary for 
cases where there already is a working scanout buffer in place. It's 
something a driver could implement internally to provide a scanout 
buffer if none has been set up already.


Best regards
Thomas


Maxime


--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)


OpenPGP_signature.asc
Description: OpenPGP digital signature

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

Am 09.10.23 um 13:33 schrieb Maxime Ripard:
[...]

And you don't need to support all kinds of tiling, YUV or RGB variants.

We should indeed not use YUV at all. For RGB, we already have plenty of
conversion code from XRGB-to-, so we are more flexible there.

So if I understand correctly, drm_panic would pre-allocate a plane/commit,
and use that when a panic occurs ?

And have it checked already, yes. We would only wait for a panic to
happen to pull the trigger on the commit.

I have two concern about this approach:
- How much memory would be allocated for this ? a whole framebuffer can be
big for just this use case.

As I outlined in my email at [1], there are a number of different
scenarios. The question of atomic state and commits is entirely separate
from the DRM panic handler. We should not throw them together. Whatever
is necessary is get a scanout buffer, should happen on the driver side
of get_scanout_buffer, not on the drm_panic side.

[1]
https://lore.kernel.org/dri-devel/39bd4c35-8a61-42ee-8675-ccea4f5d4...@suse.de/T/#m22f116e9438e00a5f0a9dc43987d4153424f8be1

I'dd expect a whole framebuffer for the current
configuration/resolution. It would be typically 4MB for a full-HD system
which isn't a lot really and I guess we can always add an option to
disable the mechanism if needed.

- I find it risky to completely reconfigure the hardware in a panic handler.

I would expect to only change the format and base address of the
framebuffer. I guess it can fail, but it doesn't seem that different to
the async plane update we already have and works well.

The one thing I don't understand is: Why should we use atomic commits in
the first place? It doesn't make sense for firmware-based drivers. In
some drivers, even the simple ast, we hold locks during the regular
commit. Trying to run the panic commit concurrently will likely give a
deadlock.

In the end it's a per-driver decision, but in most cases, the driver can
easily switch to a default mode with some ad-hoc code.

Best regards
Thomas

Also how many drivers would need this ?

Currently I was mostly considering x86 platform, so:

simpledrm/ast/mgag200 which works well with the get_scanout_buffer().

i915/amdgpu/nouveau, which are quite complex, and will need to do their own
thing anyway.

I guess we're not entirely aligned there then. I would expect that
mechanism to work with any atomic KMS driver. You are right that i915,
amdgpu and nouveau are special enough that some extra internal plumbing
is going to be required, but I'd expect it to be easy to support with
any other driver for a memory-mapped device.

I guess what I'm trying to say is, even though it's totally fine that
you only support those drivers at first, supporting in vc4 for example
shouldn't require to rewrite the whole thing.

I'm more in favor of an emergency function, that each driver has to
implement, and use what the hardware can do to display a simple frame
quickly. get_scanout_buffer() is a good start for simple driver, but
will need refactoring for the more complex case, like adding a
callback to write pixels one by one, if there is no memory mapped
buffer available.

Sorry, I'm not quite sure what you mean there, where would you write the
pixel to?

It was mentioned by Noralf, about the amdgpu driver:

https://lore.kernel.org/dri-devel/d233c376-ed07-2127-6084-8292d313d...@amd.com/

They have a slow "debug interface" that you can write to, and can be used
for the panic handler. It's not memory mapped, so you have to write pixels
one by one.

So for the struct drm_scanout_buffer, I can add a function pointer to a
write_pixel(u32 x, u32 y, u32 color)
So if the iosys map is null, it will use that instead.

It would be nice to support indeed, but it's a fairly rare feature afaik
so I'd rather focus on getting something that can work for everyone first

Maxime

--
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
HRB 36809 (AG Nuernberg)

OpenPGP_signature.asc
Description: OpenPGP digital signature

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

On Tue, Oct 10, 2023 at 09:55:46AM +0200, Jocelyn Falempe wrote:
> On 09/10/2023 18:07, Maxime Ripard wrote:
> > On Mon, Oct 09, 2023 at 04:05:19PM +0200, Jocelyn Falempe wrote:
> > > > > - I find it risky to completely reconfigure the hardware in a panic 
> > > > > handler.
> > > > 
> > > > I would expect to only change the format and base address of the
> > > > framebuffer. I guess it can fail, but it doesn't seem that different to
> > > > the async plane update we already have and works well.
> > > > 
> > > In this case it can work, but by using generic drm api, it's hard to know
> > > what the driver will do.
> > 
> > We should document extensively what we expect drivers to do in those
> > hooks, and possibly call cant_sleep() in the framework function to have
> > some reporting at least.
> > 
> > > > > Also how many drivers would need this ?
> > > > > 
> > > > > Currently I was mostly considering x86 platform, so:
> > > > > 
> > > > > simpledrm/ast/mgag200 which works well with the get_scanout_buffer().
> > > > > 
> > > > > i915/amdgpu/nouveau, which are quite complex, and will need to do 
> > > > > their own
> > > > > thing anyway.
> > > > 
> > > > I guess we're not entirely aligned there then. I would expect that
> > > > mechanism to work with any atomic KMS driver. You are right that i915,
> > > > amdgpu and nouveau are special enough that some extra internal plumbing
> > > > is going to be required, but I'd expect it to be easy to support with
> > > > any other driver for a memory-mapped device.
> > > > 
> > > > I guess what I'm trying to say is, even though it's totally fine that
> > > > you only support those drivers at first, supporting in vc4 for example
> > > > shouldn't require to rewrite the whole thing.
> > > 
> > > Would that work for you to put that in a drm_panic_helper.c,
> > > so that drivers can opt-in ?
> > > 
> > > So the driver can call a drm_panic_helper_prepare_commit() at
> > > initialization, and then in the get_scanout_buffer() function
> > 
> > If we have a full blown commit with a new framebuffer, why do we need
> > get_scanout_buffer? It should be either the framebuffer itself, or in
> > the plane state if you have a conversion.
> > 
> > > run the atomic_update() on it, and return this commit's framebuffer ?
> > > 
> > > That way each driver have a better control on what the panic handler will
> > > do.
> > > It can even call directly its internal functions, to avoid the locks of 
> > > the
> > > drm generic functions, and make sure it will only change the format and 
> > > base
> > > address.
> > > That's a bit more work for each driver, but should be more reliable I 
> > > think.
> > 
> > I don't think that better control there is a good idea, it's a path that
> > won't get tested much so we'd be better off not allowing drivers to
> > deviate too much from the "ideal" design.
> > 
> > What I had in mind is something like:
> > 
> >- Add a panic hook in drm_mode_config_funcs, with a
> >  drm_atomic_helper_panic helper;
> > 
> >- Provide an atomic_panic hook or something in drm_plane_helper_funcs;
> > 
> >- If they are set, we register the drm_panic handler;
> > 
> >- The handler will call drm_mode_config_funcs.panic, which will take
> >  its prepared state, fill the framebuffer it allocated with the
> >  penguin and backtrace, call drm_plane_helper_funcs.atomic_panic().
> > 
> >- The driver now updates the format and fb address.
> > 
> >- Halt and catch fire
> > 
> > Does that make sense?
> 
> Yes, I will do some experiment with that, and see if I can make it
> work this way.

Thanks :)

> If possible I still want to have a way for simple drivers like
> simpledrm/mgag200 to not allocate a full framebuffer.

I guess the split isn't going to be whether the driver is simple or not,
but whether it always has access to the buffer used by the scanout.

Like for simpledrm, we have that guarantee so it makes sense. For other,
if we allow "direct" dma-buf, it's game over and we just can't.

Maxime


signature.asc
Description: PGP signature

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

2023-10-10 Thread Jocelyn Falempe


On 09/10/2023 18:07, Maxime Ripard wrote:

On Mon, Oct 09, 2023 at 04:05:19PM +0200, Jocelyn Falempe wrote:

- I find it risky to completely reconfigure the hardware in a panic handler.


I would expect to only change the format and base address of the
framebuffer. I guess it can fail, but it doesn't seem that different to
the async plane update we already have and works well.


In this case it can work, but by using generic drm api, it's hard to know
what the driver will do.


We should document extensively what we expect drivers to do in those
hooks, and possibly call cant_sleep() in the framework function to have
some reporting at least.


Also how many drivers would need this ?

Currently I was mostly considering x86 platform, so:

simpledrm/ast/mgag200 which works well with the get_scanout_buffer().

i915/amdgpu/nouveau, which are quite complex, and will need to do their own
thing anyway.


I guess we're not entirely aligned there then. I would expect that
mechanism to work with any atomic KMS driver. You are right that i915,
amdgpu and nouveau are special enough that some extra internal plumbing
is going to be required, but I'd expect it to be easy to support with
any other driver for a memory-mapped device.

I guess what I'm trying to say is, even though it's totally fine that
you only support those drivers at first, supporting in vc4 for example
shouldn't require to rewrite the whole thing.


Would that work for you to put that in a drm_panic_helper.c,
so that drivers can opt-in ?

So the driver can call a drm_panic_helper_prepare_commit() at
initialization, and then in the get_scanout_buffer() function


If we have a full blown commit with a new framebuffer, why do we need
get_scanout_buffer? It should be either the framebuffer itself, or in
the plane state if you have a conversion.


run the atomic_update() on it, and return this commit's framebuffer ?

That way each driver have a better control on what the panic handler will
do.
It can even call directly its internal functions, to avoid the locks of the
drm generic functions, and make sure it will only change the format and base
address.
That's a bit more work for each driver, but should be more reliable I think.


I don't think that better control there is a good idea, it's a path that
won't get tested much so we'd be better off not allowing drivers to
deviate too much from the "ideal" design.

What I had in mind is something like:

   - Add a panic hook in drm_mode_config_funcs, with a
 drm_atomic_helper_panic helper;

   - Provide an atomic_panic hook or something in drm_plane_helper_funcs;

   - If they are set, we register the drm_panic handler;

   - The handler will call drm_mode_config_funcs.panic, which will take
 its prepared state, fill the framebuffer it allocated with the
 penguin and backtrace, call drm_plane_helper_funcs.atomic_panic().

   - The driver now updates the format and fb address.

   - Halt and catch fire

Does that make sense?


Yes, I will do some experiment with that, and see if I can make it work 
this way.
If possible I still want to have a way for simple drivers like 
simpledrm/mgag200 to not allocate a full framebuffer.



Maxime


--

Jocelyn

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

2023-10-09 Thread Maxime Ripard

On Mon, Oct 09, 2023 at 04:05:19PM +0200, Jocelyn Falempe wrote:
> > > - I find it risky to completely reconfigure the hardware in a panic 
> > > handler.
> > 
> > I would expect to only change the format and base address of the
> > framebuffer. I guess it can fail, but it doesn't seem that different to
> > the async plane update we already have and works well.
> > 
> In this case it can work, but by using generic drm api, it's hard to know
> what the driver will do.

We should document extensively what we expect drivers to do in those
hooks, and possibly call cant_sleep() in the framework function to have
some reporting at least.

> > > Also how many drivers would need this ?
> > > 
> > > Currently I was mostly considering x86 platform, so:
> > > 
> > > simpledrm/ast/mgag200 which works well with the get_scanout_buffer().
> > > 
> > > i915/amdgpu/nouveau, which are quite complex, and will need to do their 
> > > own
> > > thing anyway.
> > 
> > I guess we're not entirely aligned there then. I would expect that
> > mechanism to work with any atomic KMS driver. You are right that i915,
> > amdgpu and nouveau are special enough that some extra internal plumbing
> > is going to be required, but I'd expect it to be easy to support with
> > any other driver for a memory-mapped device.
> > 
> > I guess what I'm trying to say is, even though it's totally fine that
> > you only support those drivers at first, supporting in vc4 for example
> > shouldn't require to rewrite the whole thing.
> 
> Would that work for you to put that in a drm_panic_helper.c,
> so that drivers can opt-in ?
> 
> So the driver can call a drm_panic_helper_prepare_commit() at
> initialization, and then in the get_scanout_buffer() function

If we have a full blown commit with a new framebuffer, why do we need
get_scanout_buffer? It should be either the framebuffer itself, or in
the plane state if you have a conversion.

> run the atomic_update() on it, and return this commit's framebuffer ?
> 
> That way each driver have a better control on what the panic handler will
> do.
> It can even call directly its internal functions, to avoid the locks of the
> drm generic functions, and make sure it will only change the format and base
> address.
> That's a bit more work for each driver, but should be more reliable I think.

I don't think that better control there is a good idea, it's a path that
won't get tested much so we'd be better off not allowing drivers to
deviate too much from the "ideal" design.

What I had in mind is something like:

  - Add a panic hook in drm_mode_config_funcs, with a
drm_atomic_helper_panic helper;

  - Provide an atomic_panic hook or something in drm_plane_helper_funcs;

  - If they are set, we register the drm_panic handler;

  - The handler will call drm_mode_config_funcs.panic, which will take
its prepared state, fill the framebuffer it allocated with the
penguin and backtrace, call drm_plane_helper_funcs.atomic_panic().

  - The driver now updates the format and fb address.

  - Halt and catch fire

Does that make sense?
Maxime


signature.asc
Description: PGP signature

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler


On 09/10/2023 13:33, Maxime Ripard wrote:

On Mon, Oct 09, 2023 at 11:48:29AM +0200, Jocelyn Falempe wrote:

On 09/10/2023 10:28, Maxime Ripard wrote:

Hi,

On Mon, Oct 09, 2023 at 09:47:49AM +0200, Jocelyn Falempe wrote:

On 06/10/2023 18:54, Noralf Trønnes wrote:



On 10/6/23 16:35, Maxime Ripard wrote:

Hi Jocelyn,

On Thu, Oct 05, 2023 at 11:16:15AM +0200, Jocelyn Falempe wrote:

On 05/10/2023 10:18, Maxime Ripard wrote:

Hi,

On Tue, Oct 03, 2023 at 04:22:45PM +0200, Jocelyn Falempe wrote:

diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
index 89e2706cac56..e538c87116d3 100644
--- a/include/drm/drm_drv.h
+++ b/include/drm/drm_drv.h
@@ -43,6 +43,7 @@ struct dma_buf_attachment;
 struct drm_display_mode;
 struct drm_mode_create_dumb;
 struct drm_printer;
+struct drm_scanout_buffer;
 struct sg_table;
 /**
@@ -408,6 +409,19 @@ struct drm_driver {
 */
void (*show_fdinfo)(struct drm_printer *p, struct drm_file *f);
+   /**
+* @get_scanout_buffer:
+*
+* Get the current scanout buffer, to display a panic message with 
drm_panic.
+* It is called from a panic callback, and must follow its restrictions.
+*
+* Returns:
+*
+* Zero on success, negative errno on failure.
+*/
+   int (*get_scanout_buffer)(struct drm_device *dev,
+ struct drm_scanout_buffer *sb);
+


What is the format of that buffer? What is supposed to happen if the
planes / CRTC are setup in a way that is incompatible with the buffer
format?


Currently, it only supports linear format, either in system memory, or
iomem.
But really what is needed is the screen size, and a way to write pixels to
it.
For more complex GPU, I don't know if it's easier to reprogram the GPU to
linear format, or to add a simple "tiled" support to drm_panic.
What would you propose as a panic interface to handle those complex format ?


It's not just about tiling, but also about YUV formats. If the display
engine is currently playing a video at the moment, it's probably going
to output some variation of multi-planar YUV and you won't have an RGB
buffer available.



I had support for some YUV formats in my 2019 attempt on a panic
handler[1] and I made a recording of a test run as well[2] (see 4:30 for
YUV). There was a discussion about challenges and i915 can disable
tiling by flipping a bit in a register[3] and AMD has a debug
interface[4] they can use to write pixels.


I only added support for the format used by simpledrm, because I don't want
to add support for all possible format if no driver are using it.


Sure.


It should be possible to add YUV format too.

I also prefer to convert only the foreground/background color, and then
write directly into the buffers, instead of converting line by line.
It works for all format where pixel size is a multiple of byte.


My point was that there might not be a buffer to write to.
DMA_ATTR_NO_KERNEL_MAPPING exists, dma-buf might be unaccessible, unsafe
or be completely out of control of the kernel space, or even not be
accessible by the system at all (when doing secure playback for example,
where the "trusted" component will do the decoding and will only give
back a dma-buf handle to a secure memory buffer).

I appreciate that we probably don't want to address these scenarios
right now, but we should have a path forward to support them eventually.
Copying the panic handler content to the buffer is optimistic and won't
work in all the scenarios described above, pretty much requiring to
start from scratch that effort.


https://lore.kernel.org/dri-devel/20190311174218.51899-1-nor...@tronnes.org/
[2] https://youtu.be/lZ80vL4dgpE
[3]
https://lore.kernel.org/dri-devel/20190314095004.GP2665@phenom.ffwll.local/
[4]
https://lore.kernel.org/dri-devel/d233c376-ed07-2127-6084-8292d313d...@amd.com/


Same story if you're using a dma-buf buffer. You might not even be able
to access that buffer at all from the CPU or the kernel.

I really think we should have some emergency state ready to commit on
the side, and possibly a panic_commit function to prevent things like
sleeping or waiting that regular atomic_commit can use.

That way, you know have all the resources available to you any time.


I think reusing the atomic commit functions might be hard, because there are
locks/allocation/threads hidden in drivers callback.


Allocations are bugs as far as I'm concerned. Allocations in
atomic_commit path are pretty big hint that you're doing something wrong
so I wouldn't worry too much about them. For locking, yeah... Which is
why I was suggesting an emergency atomic_commit of some sorts (for
planes only?). Switching back to whatever we were doing to an RGB plane
should be simple enough for most drivers and probably can be done safely
enough on most drivers without any locks.

And you don't need to support all kinds of tiling, YUV or RGB variants.


So if I understand correctly, drm_panic

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

2023-10-09 Thread Maxime Ripard

On Mon, Oct 09, 2023 at 11:48:29AM +0200, Jocelyn Falempe wrote:
> On 09/10/2023 10:28, Maxime Ripard wrote:
> > Hi,
> > 
> > On Mon, Oct 09, 2023 at 09:47:49AM +0200, Jocelyn Falempe wrote:
> > > On 06/10/2023 18:54, Noralf Trønnes wrote:
> > > > 
> > > > 
> > > > On 10/6/23 16:35, Maxime Ripard wrote:
> > > > > Hi Jocelyn,
> > > > > 
> > > > > On Thu, Oct 05, 2023 at 11:16:15AM +0200, Jocelyn Falempe wrote:
> > > > > > On 05/10/2023 10:18, Maxime Ripard wrote:
> > > > > > > Hi,
> > > > > > > 
> > > > > > > On Tue, Oct 03, 2023 at 04:22:45PM +0200, Jocelyn Falempe wrote:
> > > > > > > > diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
> > > > > > > > index 89e2706cac56..e538c87116d3 100644
> > > > > > > > --- a/include/drm/drm_drv.h
> > > > > > > > +++ b/include/drm/drm_drv.h
> > > > > > > > @@ -43,6 +43,7 @@ struct dma_buf_attachment;
> > > > > > > > struct drm_display_mode;
> > > > > > > > struct drm_mode_create_dumb;
> > > > > > > > struct drm_printer;
> > > > > > > > +struct drm_scanout_buffer;
> > > > > > > > struct sg_table;
> > > > > > > > /**
> > > > > > > > @@ -408,6 +409,19 @@ struct drm_driver {
> > > > > > > >  */
> > > > > > > > void (*show_fdinfo)(struct drm_printer *p, struct 
> > > > > > > > drm_file *f);
> > > > > > > > +   /**
> > > > > > > > +* @get_scanout_buffer:
> > > > > > > > +*
> > > > > > > > +* Get the current scanout buffer, to display a panic 
> > > > > > > > message with drm_panic.
> > > > > > > > +* It is called from a panic callback, and must follow 
> > > > > > > > its restrictions.
> > > > > > > > +*
> > > > > > > > +* Returns:
> > > > > > > > +*
> > > > > > > > +* Zero on success, negative errno on failure.
> > > > > > > > +*/
> > > > > > > > +   int (*get_scanout_buffer)(struct drm_device *dev,
> > > > > > > > + struct drm_scanout_buffer 
> > > > > > > > *sb);
> > > > > > > > +
> > > > > > > 
> > > > > > > What is the format of that buffer? What is supposed to happen if 
> > > > > > > the
> > > > > > > planes / CRTC are setup in a way that is incompatible with the 
> > > > > > > buffer
> > > > > > > format?
> > > > > > 
> > > > > > Currently, it only supports linear format, either in system memory, 
> > > > > > or
> > > > > > iomem.
> > > > > > But really what is needed is the screen size, and a way to write 
> > > > > > pixels to
> > > > > > it.
> > > > > > For more complex GPU, I don't know if it's easier to reprogram the 
> > > > > > GPU to
> > > > > > linear format, or to add a simple "tiled" support to drm_panic.
> > > > > > What would you propose as a panic interface to handle those complex 
> > > > > > format ?
> > > > > 
> > > > > It's not just about tiling, but also about YUV formats. If the display
> > > > > engine is currently playing a video at the moment, it's probably going
> > > > > to output some variation of multi-planar YUV and you won't have an RGB
> > > > > buffer available.
> > > > > 
> > > > 
> > > > I had support for some YUV formats in my 2019 attempt on a panic
> > > > handler[1] and I made a recording of a test run as well[2] (see 4:30 for
> > > > YUV). There was a discussion about challenges and i915 can disable
> > > > tiling by flipping a bit in a register[3] and AMD has a debug
> > > > interface[4] they can use to write pixels.
> > > 
> > > I only added support for the format used by simpledrm, because I don't 
> > > want
> > > to add support for all possible format if no driver are using it.
> > 
> > Sure.
> > 
> > > It should be possible to add YUV format too.
> > > 
> > > I also prefer to convert only the foreground/background color, and then
> > > write directly into the buffers, instead of converting line by line.
> > > It works for all format where pixel size is a multiple of byte.
> > 
> > My point was that there might not be a buffer to write to.
> > DMA_ATTR_NO_KERNEL_MAPPING exists, dma-buf might be unaccessible, unsafe
> > or be completely out of control of the kernel space, or even not be
> > accessible by the system at all (when doing secure playback for example,
> > where the "trusted" component will do the decoding and will only give
> > back a dma-buf handle to a secure memory buffer).
> > 
> > I appreciate that we probably don't want to address these scenarios
> > right now, but we should have a path forward to support them eventually.
> > Copying the panic handler content to the buffer is optimistic and won't
> > work in all the scenarios described above, pretty much requiring to
> > start from scratch that effort.
> > 
> > > > https://lore.kernel.org/dri-devel/20190311174218.51899-1-nor...@tronnes.org/
> > > > [2] https://youtu.be/lZ80vL4dgpE
> > > > [3]
> > > > https://lore.kernel.org/dri-devel/20190314095004.GP2665@phenom.ffwll.local/
> > > > [4]
> > > > https://lore.kernel.org/dri-devel/d233c376-ed07-2127-6084-8292d313d...@amd.com/
> > > > 
> > > > > Same story

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler


On 09/10/2023 10:28, Maxime Ripard wrote:

Hi,

On Mon, Oct 09, 2023 at 09:47:49AM +0200, Jocelyn Falempe wrote:

On 06/10/2023 18:54, Noralf Trønnes wrote:



On 10/6/23 16:35, Maxime Ripard wrote:

Hi Jocelyn,

On Thu, Oct 05, 2023 at 11:16:15AM +0200, Jocelyn Falempe wrote:

On 05/10/2023 10:18, Maxime Ripard wrote:

Hi,

On Tue, Oct 03, 2023 at 04:22:45PM +0200, Jocelyn Falempe wrote:

diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
index 89e2706cac56..e538c87116d3 100644
--- a/include/drm/drm_drv.h
+++ b/include/drm/drm_drv.h
@@ -43,6 +43,7 @@ struct dma_buf_attachment;
struct drm_display_mode;
struct drm_mode_create_dumb;
struct drm_printer;
+struct drm_scanout_buffer;
struct sg_table;
/**
@@ -408,6 +409,19 @@ struct drm_driver {
 */
void (*show_fdinfo)(struct drm_printer *p, struct drm_file *f);
+   /**
+* @get_scanout_buffer:
+*
+* Get the current scanout buffer, to display a panic message with 
drm_panic.
+* It is called from a panic callback, and must follow its restrictions.
+*
+* Returns:
+*
+* Zero on success, negative errno on failure.
+*/
+   int (*get_scanout_buffer)(struct drm_device *dev,
+ struct drm_scanout_buffer *sb);
+


What is the format of that buffer? What is supposed to happen if the
planes / CRTC are setup in a way that is incompatible with the buffer
format?


Currently, it only supports linear format, either in system memory, or
iomem.
But really what is needed is the screen size, and a way to write pixels to
it.
For more complex GPU, I don't know if it's easier to reprogram the GPU to
linear format, or to add a simple "tiled" support to drm_panic.
What would you propose as a panic interface to handle those complex format ?


It's not just about tiling, but also about YUV formats. If the display
engine is currently playing a video at the moment, it's probably going
to output some variation of multi-planar YUV and you won't have an RGB
buffer available.



I had support for some YUV formats in my 2019 attempt on a panic
handler[1] and I made a recording of a test run as well[2] (see 4:30 for
YUV). There was a discussion about challenges and i915 can disable
tiling by flipping a bit in a register[3] and AMD has a debug
interface[4] they can use to write pixels.


I only added support for the format used by simpledrm, because I don't want
to add support for all possible format if no driver are using it.


Sure.


It should be possible to add YUV format too.

I also prefer to convert only the foreground/background color, and then
write directly into the buffers, instead of converting line by line.
It works for all format where pixel size is a multiple of byte.


My point was that there might not be a buffer to write to.
DMA_ATTR_NO_KERNEL_MAPPING exists, dma-buf might be unaccessible, unsafe
or be completely out of control of the kernel space, or even not be
accessible by the system at all (when doing secure playback for example,
where the "trusted" component will do the decoding and will only give
back a dma-buf handle to a secure memory buffer).

I appreciate that we probably don't want to address these scenarios
right now, but we should have a path forward to support them eventually.
Copying the panic handler content to the buffer is optimistic and won't
work in all the scenarios described above, pretty much requiring to
start from scratch that effort.


https://lore.kernel.org/dri-devel/20190311174218.51899-1-nor...@tronnes.org/
[2] https://youtu.be/lZ80vL4dgpE
[3]
https://lore.kernel.org/dri-devel/20190314095004.GP2665@phenom.ffwll.local/
[4]
https://lore.kernel.org/dri-devel/d233c376-ed07-2127-6084-8292d313d...@amd.com/


Same story if you're using a dma-buf buffer. You might not even be able
to access that buffer at all from the CPU or the kernel.

I really think we should have some emergency state ready to commit on
the side, and possibly a panic_commit function to prevent things like
sleeping or waiting that regular atomic_commit can use.

That way, you know have all the resources available to you any time.


I think reusing the atomic commit functions might be hard, because there are
locks/allocation/threads hidden in drivers callback.


Allocations are bugs as far as I'm concerned. Allocations in
atomic_commit path are pretty big hint that you're doing something wrong
so I wouldn't worry too much about them. For locking, yeah... Which is
why I was suggesting an emergency atomic_commit of some sorts (for
planes only?). Switching back to whatever we were doing to an RGB plane
should be simple enough for most drivers and probably can be done safely
enough on most drivers without any locks.

And you don't need to support all kinds of tiling, YUV or RGB variants.


So if I understand correctly, drm_panic would pre-allocate a 
plane/commit, and use that when a panic occurs ?

I have two concern about this approach:
-

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler

2023-10-09 Thread Maxime Ripard

Hi,

On Mon, Oct 09, 2023 at 09:47:49AM +0200, Jocelyn Falempe wrote:
> On 06/10/2023 18:54, Noralf Trønnes wrote:
> > 
> > 
> > On 10/6/23 16:35, Maxime Ripard wrote:
> > > Hi Jocelyn,
> > > 
> > > On Thu, Oct 05, 2023 at 11:16:15AM +0200, Jocelyn Falempe wrote:
> > > > On 05/10/2023 10:18, Maxime Ripard wrote:
> > > > > Hi,
> > > > > 
> > > > > On Tue, Oct 03, 2023 at 04:22:45PM +0200, Jocelyn Falempe wrote:
> > > > > > diff --git a/include/drm/drm_drv.h b/include/drm/drm_drv.h
> > > > > > index 89e2706cac56..e538c87116d3 100644
> > > > > > --- a/include/drm/drm_drv.h
> > > > > > +++ b/include/drm/drm_drv.h
> > > > > > @@ -43,6 +43,7 @@ struct dma_buf_attachment;
> > > > > >struct drm_display_mode;
> > > > > >struct drm_mode_create_dumb;
> > > > > >struct drm_printer;
> > > > > > +struct drm_scanout_buffer;
> > > > > >struct sg_table;
> > > > > >/**
> > > > > > @@ -408,6 +409,19 @@ struct drm_driver {
> > > > > >  */
> > > > > > void (*show_fdinfo)(struct drm_printer *p, struct drm_file *f);
> > > > > > +   /**
> > > > > > +* @get_scanout_buffer:
> > > > > > +*
> > > > > > +* Get the current scanout buffer, to display a panic message 
> > > > > > with drm_panic.
> > > > > > +* It is called from a panic callback, and must follow its 
> > > > > > restrictions.
> > > > > > +*
> > > > > > +* Returns:
> > > > > > +*
> > > > > > +* Zero on success, negative errno on failure.
> > > > > > +*/
> > > > > > +   int (*get_scanout_buffer)(struct drm_device *dev,
> > > > > > + struct drm_scanout_buffer *sb);
> > > > > > +
> > > > > 
> > > > > What is the format of that buffer? What is supposed to happen if the
> > > > > planes / CRTC are setup in a way that is incompatible with the buffer
> > > > > format?
> > > > 
> > > > Currently, it only supports linear format, either in system memory, or
> > > > iomem.
> > > > But really what is needed is the screen size, and a way to write pixels 
> > > > to
> > > > it.
> > > > For more complex GPU, I don't know if it's easier to reprogram the GPU 
> > > > to
> > > > linear format, or to add a simple "tiled" support to drm_panic.
> > > > What would you propose as a panic interface to handle those complex 
> > > > format ?
> > > 
> > > It's not just about tiling, but also about YUV formats. If the display
> > > engine is currently playing a video at the moment, it's probably going
> > > to output some variation of multi-planar YUV and you won't have an RGB
> > > buffer available.
> > > 
> > 
> > I had support for some YUV formats in my 2019 attempt on a panic
> > handler[1] and I made a recording of a test run as well[2] (see 4:30 for
> > YUV). There was a discussion about challenges and i915 can disable
> > tiling by flipping a bit in a register[3] and AMD has a debug
> > interface[4] they can use to write pixels.
> 
> I only added support for the format used by simpledrm, because I don't want
> to add support for all possible format if no driver are using it.

Sure.

> It should be possible to add YUV format too.
>
> I also prefer to convert only the foreground/background color, and then
> write directly into the buffers, instead of converting line by line.
> It works for all format where pixel size is a multiple of byte.

My point was that there might not be a buffer to write to.
DMA_ATTR_NO_KERNEL_MAPPING exists, dma-buf might be unaccessible, unsafe
or be completely out of control of the kernel space, or even not be
accessible by the system at all (when doing secure playback for example,
where the "trusted" component will do the decoding and will only give
back a dma-buf handle to a secure memory buffer).

I appreciate that we probably don't want to address these scenarios
right now, but we should have a path forward to support them eventually.
Copying the panic handler content to the buffer is optimistic and won't
work in all the scenarios described above, pretty much requiring to
start from scratch that effort.

> > https://lore.kernel.org/dri-devel/20190311174218.51899-1-nor...@tronnes.org/
> > [2] https://youtu.be/lZ80vL4dgpE
> > [3]
> > https://lore.kernel.org/dri-devel/20190314095004.GP2665@phenom.ffwll.local/
> > [4]
> > https://lore.kernel.org/dri-devel/d233c376-ed07-2127-6084-8292d313d...@amd.com/
> > 
> > > Same story if you're using a dma-buf buffer. You might not even be able
> > > to access that buffer at all from the CPU or the kernel.
> > > 
> > > I really think we should have some emergency state ready to commit on
> > > the side, and possibly a panic_commit function to prevent things like
> > > sleeping or waiting that regular atomic_commit can use.
> > > 
> > > That way, you know have all the resources available to you any time.
> 
> I think reusing the atomic commit functions might be hard, because there are
> locks/allocation/threads hidden in drivers callback.

Allocations are bugs as far as I'm concerned. Allocations in
atomic_commit path are pretty big hint

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler


On 07/10/2023 14:38, Noralf Trønnes wrote:



On 10/3/23 16:22, Jocelyn Falempe wrote:

This module displays a user friendly message when a kernel panic
occurs. It currently doesn't contain any debug information,
but that can be added later.

v2
  * Use get_scanout_buffer() instead of the drm client API.
   (Thomas Zimmermann)
  * Add the panic reason to the panic message (Nerdopolis)
  * Add an exclamation mark (Nerdopolis)

v3
  * Rework the drawing functions, to write the pixels line by line and
  to use the drm conversion helper to support other formats.
  (Thomas Zimmermann)

v4
  * Use drm_fb_r1_to_32bit for fonts (Thomas Zimmermann)
  * Remove the default y to DRM_PANIC config option (Thomas Zimmermann)
  * Add foreground/background color config option
  * Fix the bottom lines not painted if the framebuffer height
is not a multiple of the font height.
  * Automatically register the device to drm_panic, if the function
get_scanout_buffer exists. (Thomas Zimmermann)

Signed-off-by: Jocelyn Falempe 
---
  drivers/gpu/drm/Kconfig |  22 ++
  drivers/gpu/drm/Makefile|   1 +
  drivers/gpu/drm/drm_drv.c   |   8 +
  drivers/gpu/drm/drm_panic.c | 413 
  include/drm/drm_drv.h   |  14 ++
  include/drm/drm_panic.h |  41 
  6 files changed, 499 insertions(+)
  create mode 100644 drivers/gpu/drm/drm_panic.c
  create mode 100644 include/drm/drm_panic.h




diff --git a/drivers/gpu/drm/drm_panic.c b/drivers/gpu/drm/drm_panic.c
new file mode 100644



+static void draw_panic_device(struct drm_device *dev, const char *msg)
+{
+   struct drm_scanout_buffer sb;
+
+   if (dev->driver->get_scanout_buffer(dev, ))
+   return;
+   if (!drm_panic_line_buf)
+   return;
+


Unless something has changed since 2019 we need to make sure fbcon
hasn't already printed the panic to avoid jumbled output. See [1] for
more info.


I think DRM_PANIC and fbcon are incompatible, so in Kconfig I prevent 
them to be built together:


config DRM_PANIC
  bool "Display a user-friendly message when a kernel panic occurs"
  depends on DRM && !FRAMEBUFFER_CONSOLE

So DRM_PANIC should be used with a userspace console, either kmscon, or 
some lightweight terminal emulator/wayland compositor, like cage/foot.


As fbcon has lost scrolling support, it's time to switch to something 
better. [1]


--

Jocelyn

[1]
https://www.reddit.com/r/linux/comments/10eccv9/config_vtn_in_2023/



Noralf.

[1]
https://lore.kernel.org/dri-devel/20190312095320.GX2665@phenom.ffwll.local/


+   /* to avoid buffer overflow on drm_panic_line_buf */
+   if (sb.width > DRM_PANIC_MAX_WIDTH)
+   sb.width = DRM_PANIC_MAX_WIDTH;
+
+   draw_panic_static(, msg);
+}

Re: [PATCH v4 2/4] drm/panic: Add a drm panic handler