2 * SPDX-License-Identifier: MIT
4 * Copyright © 2012-2014 Intel Corporation
7 #include <linux/mmu_context.h>
8 #include <linux/mmu_notifier.h>
9 #include <linux/mempolicy.h>
10 #include <linux/swap.h>
11 #include <linux/sched/mm.h>
13 #include <drm/i915_drm.h>
16 #include "i915_gem_ioctls.h"
17 #include "i915_gem_object.h"
18 #include "i915_scatterlist.h"
20 struct i915_mm_struct {
22 struct drm_i915_private *i915;
23 struct i915_mmu_notifier *mn;
24 struct hlist_node node;
26 struct work_struct work;
29 #if defined(CONFIG_MMU_NOTIFIER)
30 #include <linux/interval_tree.h>
32 struct i915_mmu_notifier {
34 struct hlist_node node;
35 struct mmu_notifier mn;
36 struct rb_root_cached objects;
37 struct i915_mm_struct *mm;
40 struct i915_mmu_object {
41 struct i915_mmu_notifier *mn;
42 struct drm_i915_gem_object *obj;
43 struct interval_tree_node it;
46 static void add_object(struct i915_mmu_object *mo)
48 GEM_BUG_ON(!RB_EMPTY_NODE(&mo->it.rb));
49 interval_tree_insert(&mo->it, &mo->mn->objects);
52 static void del_object(struct i915_mmu_object *mo)
54 if (RB_EMPTY_NODE(&mo->it.rb))
57 interval_tree_remove(&mo->it, &mo->mn->objects);
58 RB_CLEAR_NODE(&mo->it.rb);
62 __i915_gem_userptr_set_active(struct drm_i915_gem_object *obj, bool value)
64 struct i915_mmu_object *mo = obj->userptr.mmu_object;
67 * During mm_invalidate_range we need to cancel any userptr that
68 * overlaps the range being invalidated. Doing so requires the
69 * struct_mutex, and that risks recursion. In order to cause
70 * recursion, the user must alias the userptr address space with
71 * a GTT mmapping (possible with a MAP_FIXED) - then when we have
72 * to invalidate that mmaping, mm_invalidate_range is called with
73 * the userptr address *and* the struct_mutex held. To prevent that
74 * we set a flag under the i915_mmu_notifier spinlock to indicate
75 * whether this object is valid.
80 spin_lock(&mo->mn->lock);
85 spin_unlock(&mo->mn->lock);
89 userptr_mn_invalidate_range_start(struct mmu_notifier *_mn,
90 const struct mmu_notifier_range *range)
92 struct i915_mmu_notifier *mn =
93 container_of(_mn, struct i915_mmu_notifier, mn);
94 struct interval_tree_node *it;
98 if (RB_EMPTY_ROOT(&mn->objects.rb_root))
101 /* interval ranges are inclusive, but invalidate range is exclusive */
102 end = range->end - 1;
104 spin_lock(&mn->lock);
105 it = interval_tree_iter_first(&mn->objects, range->start, end);
107 struct drm_i915_gem_object *obj;
109 if (!mmu_notifier_range_blockable(range)) {
115 * The mmu_object is released late when destroying the
116 * GEM object so it is entirely possible to gain a
117 * reference on an object in the process of being freed
118 * since our serialisation is via the spinlock and not
119 * the struct_mutex - and consequently use it after it
120 * is freed and then double free it. To prevent that
121 * use-after-free we only acquire a reference on the
122 * object if it is not in the process of being destroyed.
124 obj = container_of(it, struct i915_mmu_object, it)->obj;
125 if (!kref_get_unless_zero(&obj->base.refcount)) {
126 it = interval_tree_iter_next(it, range->start, end);
129 spin_unlock(&mn->lock);
131 ret = i915_gem_object_unbind(obj,
132 I915_GEM_OBJECT_UNBIND_ACTIVE);
134 ret = __i915_gem_object_put_pages(obj, I915_MM_SHRINKER);
135 i915_gem_object_put(obj);
139 spin_lock(&mn->lock);
142 * As we do not (yet) protect the mmu from concurrent insertion
143 * over this range, there is no guarantee that this search will
144 * terminate given a pathologic workload.
146 it = interval_tree_iter_first(&mn->objects, range->start, end);
148 spin_unlock(&mn->lock);
154 static const struct mmu_notifier_ops i915_gem_userptr_notifier = {
155 .invalidate_range_start = userptr_mn_invalidate_range_start,
158 static struct i915_mmu_notifier *
159 i915_mmu_notifier_create(struct i915_mm_struct *mm)
161 struct i915_mmu_notifier *mn;
163 mn = kmalloc(sizeof(*mn), GFP_KERNEL);
165 return ERR_PTR(-ENOMEM);
167 spin_lock_init(&mn->lock);
168 mn->mn.ops = &i915_gem_userptr_notifier;
169 mn->objects = RB_ROOT_CACHED;
176 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
178 struct i915_mmu_object *mo;
180 mo = fetch_and_zero(&obj->userptr.mmu_object);
184 spin_lock(&mo->mn->lock);
186 spin_unlock(&mo->mn->lock);
190 static struct i915_mmu_notifier *
191 i915_mmu_notifier_find(struct i915_mm_struct *mm)
193 struct i915_mmu_notifier *mn;
200 mn = i915_mmu_notifier_create(mm);
204 down_write(&mm->mm->mmap_sem);
205 mutex_lock(&mm->i915->mm_lock);
206 if (mm->mn == NULL && !err) {
207 /* Protected by mmap_sem (write-lock) */
208 err = __mmu_notifier_register(&mn->mn, mm->mm);
210 /* Protected by mm_lock */
211 mm->mn = fetch_and_zero(&mn);
215 * Someone else raced and successfully installed the mmu
216 * notifier, we can cancel our own errors.
220 mutex_unlock(&mm->i915->mm_lock);
221 up_write(&mm->mm->mmap_sem);
223 if (mn && !IS_ERR(mn))
226 return err ? ERR_PTR(err) : mm->mn;
230 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
233 struct i915_mmu_notifier *mn;
234 struct i915_mmu_object *mo;
236 if (flags & I915_USERPTR_UNSYNCHRONIZED)
237 return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;
239 if (WARN_ON(obj->userptr.mm == NULL))
242 mn = i915_mmu_notifier_find(obj->userptr.mm);
246 mo = kzalloc(sizeof(*mo), GFP_KERNEL);
252 mo->it.start = obj->userptr.ptr;
253 mo->it.last = obj->userptr.ptr + obj->base.size - 1;
254 RB_CLEAR_NODE(&mo->it.rb);
256 obj->userptr.mmu_object = mo;
261 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
262 struct mm_struct *mm)
267 mmu_notifier_unregister(&mn->mn, mm);
274 __i915_gem_userptr_set_active(struct drm_i915_gem_object *obj, bool value)
279 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
284 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
287 if ((flags & I915_USERPTR_UNSYNCHRONIZED) == 0)
290 if (!capable(CAP_SYS_ADMIN))
297 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
298 struct mm_struct *mm)
304 static struct i915_mm_struct *
305 __i915_mm_struct_find(struct drm_i915_private *dev_priv, struct mm_struct *real)
307 struct i915_mm_struct *mm;
309 /* Protected by dev_priv->mm_lock */
310 hash_for_each_possible(dev_priv->mm_structs, mm, node, (unsigned long)real)
318 i915_gem_userptr_init__mm_struct(struct drm_i915_gem_object *obj)
320 struct drm_i915_private *dev_priv = to_i915(obj->base.dev);
321 struct i915_mm_struct *mm;
324 /* During release of the GEM object we hold the struct_mutex. This
325 * precludes us from calling mmput() at that time as that may be
326 * the last reference and so call exit_mmap(). exit_mmap() will
327 * attempt to reap the vma, and if we were holding a GTT mmap
328 * would then call drm_gem_vm_close() and attempt to reacquire
329 * the struct mutex. So in order to avoid that recursion, we have
330 * to defer releasing the mm reference until after we drop the
331 * struct_mutex, i.e. we need to schedule a worker to do the clean
334 mutex_lock(&dev_priv->mm_lock);
335 mm = __i915_mm_struct_find(dev_priv, current->mm);
337 mm = kmalloc(sizeof(*mm), GFP_KERNEL);
343 kref_init(&mm->kref);
344 mm->i915 = to_i915(obj->base.dev);
346 mm->mm = current->mm;
351 /* Protected by dev_priv->mm_lock */
352 hash_add(dev_priv->mm_structs,
353 &mm->node, (unsigned long)mm->mm);
357 obj->userptr.mm = mm;
359 mutex_unlock(&dev_priv->mm_lock);
364 __i915_mm_struct_free__worker(struct work_struct *work)
366 struct i915_mm_struct *mm = container_of(work, typeof(*mm), work);
367 i915_mmu_notifier_free(mm->mn, mm->mm);
373 __i915_mm_struct_free(struct kref *kref)
375 struct i915_mm_struct *mm = container_of(kref, typeof(*mm), kref);
377 /* Protected by dev_priv->mm_lock */
379 mutex_unlock(&mm->i915->mm_lock);
381 INIT_WORK(&mm->work, __i915_mm_struct_free__worker);
382 queue_work(mm->i915->mm.userptr_wq, &mm->work);
386 i915_gem_userptr_release__mm_struct(struct drm_i915_gem_object *obj)
388 if (obj->userptr.mm == NULL)
391 kref_put_mutex(&obj->userptr.mm->kref,
392 __i915_mm_struct_free,
393 &to_i915(obj->base.dev)->mm_lock);
394 obj->userptr.mm = NULL;
397 struct get_pages_work {
398 struct work_struct work;
399 struct drm_i915_gem_object *obj;
400 struct task_struct *task;
403 static struct sg_table *
404 __i915_gem_userptr_alloc_pages(struct drm_i915_gem_object *obj,
405 struct page **pvec, int num_pages)
407 unsigned int max_segment = i915_sg_segment_size();
409 unsigned int sg_page_sizes;
412 st = kmalloc(sizeof(*st), GFP_KERNEL);
414 return ERR_PTR(-ENOMEM);
417 ret = __sg_alloc_table_from_pages(st, pvec, num_pages,
418 0, num_pages << PAGE_SHIFT,
426 ret = i915_gem_gtt_prepare_pages(obj, st);
430 if (max_segment > PAGE_SIZE) {
431 max_segment = PAGE_SIZE;
439 sg_page_sizes = i915_sg_page_sizes(st->sgl);
441 __i915_gem_object_set_pages(obj, st, sg_page_sizes);
447 __i915_gem_userptr_get_pages_worker(struct work_struct *_work)
449 struct get_pages_work *work = container_of(_work, typeof(*work), work);
450 struct drm_i915_gem_object *obj = work->obj;
451 const int npages = obj->base.size >> PAGE_SHIFT;
458 pvec = kvmalloc_array(npages, sizeof(struct page *), GFP_KERNEL);
460 struct mm_struct *mm = obj->userptr.mm->mm;
461 unsigned int flags = 0;
463 if (!i915_gem_object_is_readonly(obj))
467 if (mmget_not_zero(mm)) {
468 down_read(&mm->mmap_sem);
469 while (pinned < npages) {
470 ret = get_user_pages_remote
472 obj->userptr.ptr + pinned * PAGE_SIZE,
475 pvec + pinned, NULL, NULL);
481 up_read(&mm->mmap_sem);
486 mutex_lock(&obj->mm.lock);
487 if (obj->userptr.work == &work->work) {
488 struct sg_table *pages = ERR_PTR(ret);
490 if (pinned == npages) {
491 pages = __i915_gem_userptr_alloc_pages(obj, pvec,
493 if (!IS_ERR(pages)) {
499 obj->userptr.work = ERR_CAST(pages);
501 __i915_gem_userptr_set_active(obj, false);
503 mutex_unlock(&obj->mm.lock);
505 release_pages(pvec, pinned);
508 i915_gem_object_put(obj);
509 put_task_struct(work->task);
513 static struct sg_table *
514 __i915_gem_userptr_get_pages_schedule(struct drm_i915_gem_object *obj)
516 struct get_pages_work *work;
518 /* Spawn a worker so that we can acquire the
519 * user pages without holding our mutex. Access
520 * to the user pages requires mmap_sem, and we have
521 * a strict lock ordering of mmap_sem, struct_mutex -
522 * we already hold struct_mutex here and so cannot
523 * call gup without encountering a lock inversion.
525 * Userspace will keep on repeating the operation
526 * (thanks to EAGAIN) until either we hit the fast
527 * path or the worker completes. If the worker is
528 * cancelled or superseded, the task is still run
529 * but the results ignored. (This leads to
530 * complications that we may have a stray object
531 * refcount that we need to be wary of when
532 * checking for existing objects during creation.)
533 * If the worker encounters an error, it reports
534 * that error back to this function through
535 * obj->userptr.work = ERR_PTR.
537 work = kmalloc(sizeof(*work), GFP_KERNEL);
539 return ERR_PTR(-ENOMEM);
541 obj->userptr.work = &work->work;
543 work->obj = i915_gem_object_get(obj);
545 work->task = current;
546 get_task_struct(work->task);
548 INIT_WORK(&work->work, __i915_gem_userptr_get_pages_worker);
549 queue_work(to_i915(obj->base.dev)->mm.userptr_wq, &work->work);
551 return ERR_PTR(-EAGAIN);
554 static int i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj)
556 const int num_pages = obj->base.size >> PAGE_SHIFT;
557 struct mm_struct *mm = obj->userptr.mm->mm;
559 struct sg_table *pages;
563 /* If userspace should engineer that these pages are replaced in
564 * the vma between us binding this page into the GTT and completion
565 * of rendering... Their loss. If they change the mapping of their
566 * pages they need to create a new bo to point to the new vma.
568 * However, that still leaves open the possibility of the vma
569 * being copied upon fork. Which falls under the same userspace
570 * synchronisation issue as a regular bo, except that this time
571 * the process may not be expecting that a particular piece of
572 * memory is tied to the GPU.
574 * Fortunately, we can hook into the mmu_notifier in order to
575 * discard the page references prior to anything nasty happening
576 * to the vma (discard or cloning) which should prevent the more
577 * egregious cases from causing harm.
580 if (obj->userptr.work) {
581 /* active flag should still be held for the pending work */
582 if (IS_ERR(obj->userptr.work))
583 return PTR_ERR(obj->userptr.work);
591 if (mm == current->mm) {
592 pvec = kvmalloc_array(num_pages, sizeof(struct page *),
596 if (pvec) /* defer to worker if malloc fails */
597 pinned = __get_user_pages_fast(obj->userptr.ptr,
599 !i915_gem_object_is_readonly(obj),
605 pages = ERR_PTR(pinned);
607 } else if (pinned < num_pages) {
608 pages = __i915_gem_userptr_get_pages_schedule(obj);
609 active = pages == ERR_PTR(-EAGAIN);
611 pages = __i915_gem_userptr_alloc_pages(obj, pvec, num_pages);
612 active = !IS_ERR(pages);
615 __i915_gem_userptr_set_active(obj, true);
618 release_pages(pvec, pinned);
621 return PTR_ERR_OR_ZERO(pages);
625 i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj,
626 struct sg_table *pages)
628 struct sgt_iter sgt_iter;
631 /* Cancel any inflight work and force them to restart their gup */
632 obj->userptr.work = NULL;
633 __i915_gem_userptr_set_active(obj, false);
637 __i915_gem_object_release_shmem(obj, pages, true);
638 i915_gem_gtt_finish_pages(obj, pages);
641 * We always mark objects as dirty when they are used by the GPU,
642 * just in case. However, if we set the vma as being read-only we know
643 * that the object will never have been written to.
645 if (i915_gem_object_is_readonly(obj))
646 obj->mm.dirty = false;
648 for_each_sgt_page(page, sgt_iter, pages) {
650 set_page_dirty(page);
652 mark_page_accessed(page);
655 obj->mm.dirty = false;
657 sg_free_table(pages);
662 i915_gem_userptr_release(struct drm_i915_gem_object *obj)
664 i915_gem_userptr_release__mmu_notifier(obj);
665 i915_gem_userptr_release__mm_struct(obj);
669 i915_gem_userptr_dmabuf_export(struct drm_i915_gem_object *obj)
671 if (obj->userptr.mmu_object)
674 return i915_gem_userptr_init__mmu_notifier(obj, 0);
677 static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = {
678 .flags = I915_GEM_OBJECT_HAS_STRUCT_PAGE |
679 I915_GEM_OBJECT_IS_SHRINKABLE |
680 I915_GEM_OBJECT_NO_GGTT |
681 I915_GEM_OBJECT_ASYNC_CANCEL,
682 .get_pages = i915_gem_userptr_get_pages,
683 .put_pages = i915_gem_userptr_put_pages,
684 .dmabuf_export = i915_gem_userptr_dmabuf_export,
685 .release = i915_gem_userptr_release,
689 * Creates a new mm object that wraps some normal memory from the process
690 * context - user memory.
692 * We impose several restrictions upon the memory being mapped
694 * 1. It must be page aligned (both start/end addresses, i.e ptr and size).
695 * 2. It must be normal system memory, not a pointer into another map of IO
696 * space (e.g. it must not be a GTT mmapping of another object).
697 * 3. We only allow a bo as large as we could in theory map into the GTT,
698 * that is we limit the size to the total size of the GTT.
699 * 4. The bo is marked as being snoopable. The backing pages are left
700 * accessible directly by the CPU, but reads and writes by the GPU may
701 * incur the cost of a snoop (unless you have an LLC architecture).
703 * Synchronisation between multiple users and the GPU is left to userspace
704 * through the normal set-domain-ioctl. The kernel will enforce that the
705 * GPU relinquishes the VMA before it is returned back to the system
706 * i.e. upon free(), munmap() or process termination. However, the userspace
707 * malloc() library may not immediately relinquish the VMA after free() and
708 * instead reuse it whilst the GPU is still reading and writing to the VMA.
711 * Also note, that the object created here is not currently a "first class"
712 * object, in that several ioctls are banned. These are the CPU access
713 * ioctls: mmap(), pwrite and pread. In practice, you are expected to use
714 * direct access via your pointer rather than use those ioctls. Another
715 * restriction is that we do not allow userptr surfaces to be pinned to the
716 * hardware and so we reject any attempt to create a framebuffer out of a
719 * If you think this is a good interface to use to pass GPU memory between
720 * drivers, please use dma-buf instead. In fact, wherever possible use
724 i915_gem_userptr_ioctl(struct drm_device *dev,
726 struct drm_file *file)
728 struct drm_i915_private *dev_priv = to_i915(dev);
729 struct drm_i915_gem_userptr *args = data;
730 struct drm_i915_gem_object *obj;
734 if (!HAS_LLC(dev_priv) && !HAS_SNOOP(dev_priv)) {
735 /* We cannot support coherent userptr objects on hw without
736 * LLC and broken snooping.
741 if (args->flags & ~(I915_USERPTR_READ_ONLY |
742 I915_USERPTR_UNSYNCHRONIZED))
745 if (!args->user_size)
748 if (offset_in_page(args->user_ptr | args->user_size))
751 if (!access_ok((char __user *)(unsigned long)args->user_ptr, args->user_size))
754 if (args->flags & I915_USERPTR_READ_ONLY) {
755 struct i915_address_space *vm;
758 * On almost all of the older hw, we cannot tell the GPU that
759 * a page is readonly.
761 vm = rcu_dereference_protected(dev_priv->kernel_context->vm,
762 true); /* static vm */
763 if (!vm || !vm->has_read_only)
767 obj = i915_gem_object_alloc();
771 drm_gem_private_object_init(dev, &obj->base, args->user_size);
772 i915_gem_object_init(obj, &i915_gem_userptr_ops);
773 obj->read_domains = I915_GEM_DOMAIN_CPU;
774 obj->write_domain = I915_GEM_DOMAIN_CPU;
775 i915_gem_object_set_cache_coherency(obj, I915_CACHE_LLC);
777 obj->userptr.ptr = args->user_ptr;
778 if (args->flags & I915_USERPTR_READ_ONLY)
779 i915_gem_object_set_readonly(obj);
781 /* And keep a pointer to the current->mm for resolving the user pages
782 * at binding. This means that we need to hook into the mmu_notifier
783 * in order to detect if the mmu is destroyed.
785 ret = i915_gem_userptr_init__mm_struct(obj);
787 ret = i915_gem_userptr_init__mmu_notifier(obj, args->flags);
789 ret = drm_gem_handle_create(file, &obj->base, &handle);
791 /* drop reference from allocate - handle holds it now */
792 i915_gem_object_put(obj);
796 args->handle = handle;
800 int i915_gem_init_userptr(struct drm_i915_private *dev_priv)
802 mutex_init(&dev_priv->mm_lock);
803 hash_init(dev_priv->mm_structs);
805 dev_priv->mm.userptr_wq =
806 alloc_workqueue("i915-userptr-acquire",
807 WQ_HIGHPRI | WQ_UNBOUND,
809 if (!dev_priv->mm.userptr_wq)
815 void i915_gem_cleanup_userptr(struct drm_i915_private *dev_priv)
817 destroy_workqueue(dev_priv->mm.userptr_wq);
git.samba.org / sfrench / cifs-2.6.git / blob