1=================
2Freezing of tasks
3=================
4
5(C) 2007 Rafael J. Wysocki <rjw@sisk.pl>, GPL
6
7I. What is the freezing of tasks?
8=================================
9
10The freezing of tasks is a mechanism by which user space processes and some
11kernel threads are controlled during hibernation or system-wide suspend (on some
12architectures).
13
14II. How does it work?
15=====================
16
17There are three per-task flags used for that, PF_NOFREEZE, PF_FROZEN
18and PF_FREEZER_SKIP (the last one is auxiliary).  The tasks that have
19PF_NOFREEZE unset (all user space processes and some kernel threads) are
20regarded as 'freezable' and treated in a special way before the system enters a
21suspend state as well as before a hibernation image is created (in what follows
22we only consider hibernation, but the description also applies to suspend).
23
24Namely, as the first step of the hibernation procedure the function
25freeze_processes() (defined in kernel/power/process.c) is called.  A system-wide
26variable system_freezing_cnt (as opposed to a per-task flag) is used to indicate
27whether the system is to undergo a freezing operation. And freeze_processes()
28sets this variable.  After this, it executes try_to_freeze_tasks() that sends a
29fake signal to all user space processes, and wakes up all the kernel threads.
30All freezable tasks must react to that by calling try_to_freeze(), which
31results in a call to __refrigerator() (defined in kernel/freezer.c), which sets
32the task's PF_FROZEN flag, changes its state to TASK_UNINTERRUPTIBLE and makes
33it loop until PF_FROZEN is cleared for it. Then, we say that the task is
34'frozen' and therefore the set of functions handling this mechanism is referred
35to as 'the freezer' (these functions are defined in kernel/power/process.c,
36kernel/freezer.c & include/linux/freezer.h). User space processes are generally
37frozen before kernel threads.
38
39__refrigerator() must not be called directly.  Instead, use the
40try_to_freeze() function (defined in include/linux/freezer.h), that checks
41if the task is to be frozen and makes the task enter __refrigerator().
42
43For user space processes try_to_freeze() is called automatically from the
44signal-handling code, but the freezable kernel threads need to call it
45explicitly in suitable places or use the wait_event_freezable() or
46wait_event_freezable_timeout() macros (defined in include/linux/freezer.h)
47that combine interruptible sleep with checking if the task is to be frozen and
48calling try_to_freeze().  The main loop of a freezable kernel thread may look
49like the following one::
50
51	set_freezable();
52	do {
53		hub_events();
54		wait_event_freezable(khubd_wait,
55				!list_empty(&hub_event_list) ||
56				kthread_should_stop());
57	} while (!kthread_should_stop() || !list_empty(&hub_event_list));
58
59(from drivers/usb/core/hub.c::hub_thread()).
60
61If a freezable kernel thread fails to call try_to_freeze() after the freezer has
62initiated a freezing operation, the freezing of tasks will fail and the entire
63hibernation operation will be cancelled.  For this reason, freezable kernel
64threads must call try_to_freeze() somewhere or use one of the
65wait_event_freezable() and wait_event_freezable_timeout() macros.
66
67After the system memory state has been restored from a hibernation image and
68devices have been reinitialized, the function thaw_processes() is called in
69order to clear the PF_FROZEN flag for each frozen task.  Then, the tasks that
70have been frozen leave __refrigerator() and continue running.
71
72
73Rationale behind the functions dealing with freezing and thawing of tasks
74-------------------------------------------------------------------------
75
76freeze_processes():
77  - freezes only userspace tasks
78
79freeze_kernel_threads():
80  - freezes all tasks (including kernel threads) because we can't freeze
81    kernel threads without freezing userspace tasks
82
83thaw_kernel_threads():
84  - thaws only kernel threads; this is particularly useful if we need to do
85    anything special in between thawing of kernel threads and thawing of
86    userspace tasks, or if we want to postpone the thawing of userspace tasks
87
88thaw_processes():
89  - thaws all tasks (including kernel threads) because we can't thaw userspace
90    tasks without thawing kernel threads
91
92
93III. Which kernel threads are freezable?
94========================================
95
96Kernel threads are not freezable by default.  However, a kernel thread may clear
97PF_NOFREEZE for itself by calling set_freezable() (the resetting of PF_NOFREEZE
98directly is not allowed).  From this point it is regarded as freezable
99and must call try_to_freeze() in a suitable place.
100
101IV. Why do we do that?
102======================
103
104Generally speaking, there is a couple of reasons to use the freezing of tasks:
105
1061. The principal reason is to prevent filesystems from being damaged after
107   hibernation.  At the moment we have no simple means of checkpointing
108   filesystems, so if there are any modifications made to filesystem data and/or
109   metadata on disks, we cannot bring them back to the state from before the
110   modifications.  At the same time each hibernation image contains some
111   filesystem-related information that must be consistent with the state of the
112   on-disk data and metadata after the system memory state has been restored
113   from the image (otherwise the filesystems will be damaged in a nasty way,
114   usually making them almost impossible to repair).  We therefore freeze
115   tasks that might cause the on-disk filesystems' data and metadata to be
116   modified after the hibernation image has been created and before the
117   system is finally powered off. The majority of these are user space
118   processes, but if any of the kernel threads may cause something like this
119   to happen, they have to be freezable.
120
1212. Next, to create the hibernation image we need to free a sufficient amount of
122   memory (approximately 50% of available RAM) and we need to do that before
123   devices are deactivated, because we generally need them for swapping out.
124   Then, after the memory for the image has been freed, we don't want tasks
125   to allocate additional memory and we prevent them from doing that by
126   freezing them earlier. [Of course, this also means that device drivers
127   should not allocate substantial amounts of memory from their .suspend()
128   callbacks before hibernation, but this is a separate issue.]
129
1303. The third reason is to prevent user space processes and some kernel threads
131   from interfering with the suspending and resuming of devices.  A user space
132   process running on a second CPU while we are suspending devices may, for
133   example, be troublesome and without the freezing of tasks we would need some
134   safeguards against race conditions that might occur in such a case.
135
136Although Linus Torvalds doesn't like the freezing of tasks, he said this in one
137of the discussions on LKML (https://lore.kernel.org/r/alpine.LFD.0.98.0704271801020.9964@woody.linux-foundation.org):
138
139"RJW:> Why we freeze tasks at all or why we freeze kernel threads?
140
141Linus: In many ways, 'at all'.
142
143I **do** realize the IO request queue issues, and that we cannot actually do
144s2ram with some devices in the middle of a DMA.  So we want to be able to
145avoid *that*, there's no question about that.  And I suspect that stopping
146user threads and then waiting for a sync is practically one of the easier
147ways to do so.
148
149So in practice, the 'at all' may become a 'why freeze kernel threads?' and
150freezing user threads I don't find really objectionable."
151
152Still, there are kernel threads that may want to be freezable.  For example, if
153a kernel thread that belongs to a device driver accesses the device directly, it
154in principle needs to know when the device is suspended, so that it doesn't try
155to access it at that time.  However, if the kernel thread is freezable, it will
156be frozen before the driver's .suspend() callback is executed and it will be
157thawed after the driver's .resume() callback has run, so it won't be accessing
158the device while it's suspended.
159
1604. Another reason for freezing tasks is to prevent user space processes from
161   realizing that hibernation (or suspend) operation takes place.  Ideally, user
162   space processes should not notice that such a system-wide operation has
163   occurred and should continue running without any problems after the restore
164   (or resume from suspend).  Unfortunately, in the most general case this
165   is quite difficult to achieve without the freezing of tasks.  Consider,
166   for example, a process that depends on all CPUs being online while it's
167   running.  Since we need to disable nonboot CPUs during the hibernation,
168   if this process is not frozen, it may notice that the number of CPUs has
169   changed and may start to work incorrectly because of that.
170
171V. Are there any problems related to the freezing of tasks?
172===========================================================
173
174Yes, there are.
175
176First of all, the freezing of kernel threads may be tricky if they depend one
177on another.  For example, if kernel thread A waits for a completion (in the
178TASK_UNINTERRUPTIBLE state) that needs to be done by freezable kernel thread B
179and B is frozen in the meantime, then A will be blocked until B is thawed, which
180may be undesirable.  That's why kernel threads are not freezable by default.
181
182Second, there are the following two problems related to the freezing of user
183space processes:
184
1851. Putting processes into an uninterruptible sleep distorts the load average.
1862. Now that we have FUSE, plus the framework for doing device drivers in
187   userspace, it gets even more complicated because some userspace processes are
188   now doing the sorts of things that kernel threads do
189   (https://lists.linux-foundation.org/pipermail/linux-pm/2007-May/012309.html).
190
191The problem 1. seems to be fixable, although it hasn't been fixed so far.  The
192other one is more serious, but it seems that we can work around it by using
193hibernation (and suspend) notifiers (in that case, though, we won't be able to
194avoid the realization by the user space processes that the hibernation is taking
195place).
196
197There are also problems that the freezing of tasks tends to expose, although
198they are not directly related to it.  For example, if request_firmware() is
199called from a device driver's .resume() routine, it will timeout and eventually
200fail, because the user land process that should respond to the request is frozen
201at this point.  So, seemingly, the failure is due to the freezing of tasks.
202Suppose, however, that the firmware file is located on a filesystem accessible
203only through another device that hasn't been resumed yet.  In that case,
204request_firmware() will fail regardless of whether or not the freezing of tasks
205is used.  Consequently, the problem is not really related to the freezing of
206tasks, since it generally exists anyway.
207
208A driver must have all firmwares it may need in RAM before suspend() is called.
209If keeping them is not practical, for example due to their size, they must be
210requested early enough using the suspend notifier API described in
211Documentation/driver-api/pm/notifiers.rst.
212
213VI. Are there any precautions to be taken to prevent freezing failures?
214=======================================================================
215
216Yes, there are.
217
218First of all, grabbing the 'system_transition_mutex' lock to mutually exclude a
219piece of code from system-wide sleep such as suspend/hibernation is not
220encouraged.  If possible, that piece of code must instead hook onto the
221suspend/hibernation notifiers to achieve mutual exclusion. Look at the
222CPU-Hotplug code (kernel/cpu.c) for an example.
223
224However, if that is not feasible, and grabbing 'system_transition_mutex' is
225deemed necessary, it is strongly discouraged to directly call
226mutex_[un]lock(&system_transition_mutex) since that could lead to freezing
227failures, because if the suspend/hibernate code successfully acquired the
228'system_transition_mutex' lock, and hence that other entity failed to acquire
229the lock, then that task would get blocked in TASK_UNINTERRUPTIBLE state. As a
230consequence, the freezer would not be able to freeze that task, leading to
231freezing failure.
232
233However, the [un]lock_system_sleep() APIs are safe to use in this scenario,
234since they ask the freezer to skip freezing this task, since it is anyway
235"frozen enough" as it is blocked on 'system_transition_mutex', which will be
236released only after the entire suspend/hibernation sequence is complete.  So, to
237summarize, use [un]lock_system_sleep() instead of directly using
238mutex_[un]lock(&system_transition_mutex). That would prevent freezing failures.
239
240V. Miscellaneous
241================
242
243/sys/power/pm_freeze_timeout controls how long it will cost at most to freeze
244all user space processes or all freezable kernel threads, in unit of
245millisecond.  The default value is 20000, with range of unsigned integer.
246