2 * Copyright © 2012-2014 Intel Corporation
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
26 #include <drm/i915_drm.h>
28 #include "i915_trace.h"
29 #include "intel_drv.h"
30 #include <linux/mmu_context.h>
31 #include <linux/mmu_notifier.h>
32 #include <linux/mempolicy.h>
33 #include <linux/swap.h>
35 struct i915_mm_struct {
37 struct drm_i915_private *i915;
38 struct i915_mmu_notifier *mn;
39 struct hlist_node node;
41 struct work_struct work;
44 #if defined(CONFIG_MMU_NOTIFIER)
45 #include <linux/interval_tree.h>
47 struct i915_mmu_notifier {
49 struct hlist_node node;
50 struct mmu_notifier mn;
51 struct rb_root objects;
52 struct workqueue_struct *wq;
55 struct i915_mmu_object {
56 struct i915_mmu_notifier *mn;
57 struct drm_i915_gem_object *obj;
58 struct interval_tree_node it;
59 struct list_head link;
60 struct work_struct work;
64 static void cancel_userptr(struct work_struct *work)
66 struct i915_mmu_object *mo = container_of(work, typeof(*mo), work);
67 struct drm_i915_gem_object *obj = mo->obj;
68 struct drm_device *dev = obj->base.dev;
70 i915_gem_object_wait(obj, I915_WAIT_ALL, MAX_SCHEDULE_TIMEOUT, NULL);
72 mutex_lock(&dev->struct_mutex);
73 /* Cancel any active worker and force us to re-evaluate gup */
74 obj->userptr.work = NULL;
76 if (obj->pages != NULL) {
77 /* We are inside a kthread context and can't be interrupted */
78 WARN_ON(i915_gem_object_unbind(obj));
79 WARN_ON(i915_gem_object_put_pages(obj));
82 i915_gem_object_put(obj);
83 mutex_unlock(&dev->struct_mutex);
86 static void add_object(struct i915_mmu_object *mo)
91 interval_tree_insert(&mo->it, &mo->mn->objects);
95 static void del_object(struct i915_mmu_object *mo)
100 interval_tree_remove(&mo->it, &mo->mn->objects);
101 mo->attached = false;
104 static void i915_gem_userptr_mn_invalidate_range_start(struct mmu_notifier *_mn,
105 struct mm_struct *mm,
109 struct i915_mmu_notifier *mn =
110 container_of(_mn, struct i915_mmu_notifier, mn);
111 struct i915_mmu_object *mo;
112 struct interval_tree_node *it;
113 LIST_HEAD(cancelled);
115 if (RB_EMPTY_ROOT(&mn->objects))
118 /* interval ranges are inclusive, but invalidate range is exclusive */
121 spin_lock(&mn->lock);
122 it = interval_tree_iter_first(&mn->objects, start, end);
124 /* The mmu_object is released late when destroying the
125 * GEM object so it is entirely possible to gain a
126 * reference on an object in the process of being freed
127 * since our serialisation is via the spinlock and not
128 * the struct_mutex - and consequently use it after it
129 * is freed and then double free it. To prevent that
130 * use-after-free we only acquire a reference on the
131 * object if it is not in the process of being destroyed.
133 mo = container_of(it, struct i915_mmu_object, it);
134 if (kref_get_unless_zero(&mo->obj->base.refcount))
135 queue_work(mn->wq, &mo->work);
137 list_add(&mo->link, &cancelled);
138 it = interval_tree_iter_next(it, start, end);
140 list_for_each_entry(mo, &cancelled, link)
142 spin_unlock(&mn->lock);
144 flush_workqueue(mn->wq);
147 static const struct mmu_notifier_ops i915_gem_userptr_notifier = {
148 .invalidate_range_start = i915_gem_userptr_mn_invalidate_range_start,
151 static struct i915_mmu_notifier *
152 i915_mmu_notifier_create(struct mm_struct *mm)
154 struct i915_mmu_notifier *mn;
157 mn = kmalloc(sizeof(*mn), GFP_KERNEL);
159 return ERR_PTR(-ENOMEM);
161 spin_lock_init(&mn->lock);
162 mn->mn.ops = &i915_gem_userptr_notifier;
163 mn->objects = RB_ROOT;
164 mn->wq = alloc_workqueue("i915-userptr-release", WQ_UNBOUND, 0);
165 if (mn->wq == NULL) {
167 return ERR_PTR(-ENOMEM);
170 /* Protected by mmap_sem (write-lock) */
171 ret = __mmu_notifier_register(&mn->mn, mm);
173 destroy_workqueue(mn->wq);
182 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
184 struct i915_mmu_object *mo;
186 mo = obj->userptr.mmu_object;
190 spin_lock(&mo->mn->lock);
192 spin_unlock(&mo->mn->lock);
195 obj->userptr.mmu_object = NULL;
198 static struct i915_mmu_notifier *
199 i915_mmu_notifier_find(struct i915_mm_struct *mm)
201 struct i915_mmu_notifier *mn = mm->mn;
207 down_write(&mm->mm->mmap_sem);
208 mutex_lock(&mm->i915->mm_lock);
209 if ((mn = mm->mn) == NULL) {
210 mn = i915_mmu_notifier_create(mm->mm);
214 mutex_unlock(&mm->i915->mm_lock);
215 up_write(&mm->mm->mmap_sem);
221 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
224 struct i915_mmu_notifier *mn;
225 struct i915_mmu_object *mo;
227 if (flags & I915_USERPTR_UNSYNCHRONIZED)
228 return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;
230 if (WARN_ON(obj->userptr.mm == NULL))
233 mn = i915_mmu_notifier_find(obj->userptr.mm);
237 mo = kzalloc(sizeof(*mo), GFP_KERNEL);
243 mo->it.start = obj->userptr.ptr;
244 mo->it.last = obj->userptr.ptr + obj->base.size - 1;
245 INIT_WORK(&mo->work, cancel_userptr);
247 obj->userptr.mmu_object = mo;
252 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
253 struct mm_struct *mm)
258 mmu_notifier_unregister(&mn->mn, mm);
259 destroy_workqueue(mn->wq);
266 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
271 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
274 if ((flags & I915_USERPTR_UNSYNCHRONIZED) == 0)
277 if (!capable(CAP_SYS_ADMIN))
284 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
285 struct mm_struct *mm)
291 static struct i915_mm_struct *
292 __i915_mm_struct_find(struct drm_i915_private *dev_priv, struct mm_struct *real)
294 struct i915_mm_struct *mm;
296 /* Protected by dev_priv->mm_lock */
297 hash_for_each_possible(dev_priv->mm_structs, mm, node, (unsigned long)real)
305 i915_gem_userptr_init__mm_struct(struct drm_i915_gem_object *obj)
307 struct drm_i915_private *dev_priv = to_i915(obj->base.dev);
308 struct i915_mm_struct *mm;
311 /* During release of the GEM object we hold the struct_mutex. This
312 * precludes us from calling mmput() at that time as that may be
313 * the last reference and so call exit_mmap(). exit_mmap() will
314 * attempt to reap the vma, and if we were holding a GTT mmap
315 * would then call drm_gem_vm_close() and attempt to reacquire
316 * the struct mutex. So in order to avoid that recursion, we have
317 * to defer releasing the mm reference until after we drop the
318 * struct_mutex, i.e. we need to schedule a worker to do the clean
321 mutex_lock(&dev_priv->mm_lock);
322 mm = __i915_mm_struct_find(dev_priv, current->mm);
324 mm = kmalloc(sizeof(*mm), GFP_KERNEL);
330 kref_init(&mm->kref);
331 mm->i915 = to_i915(obj->base.dev);
333 mm->mm = current->mm;
334 atomic_inc(¤t->mm->mm_count);
338 /* Protected by dev_priv->mm_lock */
339 hash_add(dev_priv->mm_structs,
340 &mm->node, (unsigned long)mm->mm);
344 obj->userptr.mm = mm;
346 mutex_unlock(&dev_priv->mm_lock);
351 __i915_mm_struct_free__worker(struct work_struct *work)
353 struct i915_mm_struct *mm = container_of(work, typeof(*mm), work);
354 i915_mmu_notifier_free(mm->mn, mm->mm);
360 __i915_mm_struct_free(struct kref *kref)
362 struct i915_mm_struct *mm = container_of(kref, typeof(*mm), kref);
364 /* Protected by dev_priv->mm_lock */
366 mutex_unlock(&mm->i915->mm_lock);
368 INIT_WORK(&mm->work, __i915_mm_struct_free__worker);
369 schedule_work(&mm->work);
373 i915_gem_userptr_release__mm_struct(struct drm_i915_gem_object *obj)
375 if (obj->userptr.mm == NULL)
378 kref_put_mutex(&obj->userptr.mm->kref,
379 __i915_mm_struct_free,
380 &to_i915(obj->base.dev)->mm_lock);
381 obj->userptr.mm = NULL;
384 struct get_pages_work {
385 struct work_struct work;
386 struct drm_i915_gem_object *obj;
387 struct task_struct *task;
390 #if IS_ENABLED(CONFIG_SWIOTLB)
391 #define swiotlb_active() swiotlb_nr_tbl()
393 #define swiotlb_active() 0
397 st_set_pages(struct sg_table **st, struct page **pvec, int num_pages)
399 struct scatterlist *sg;
402 *st = kmalloc(sizeof(**st), GFP_KERNEL);
406 if (swiotlb_active()) {
407 ret = sg_alloc_table(*st, num_pages, GFP_KERNEL);
411 for_each_sg((*st)->sgl, sg, num_pages, n)
412 sg_set_page(sg, pvec[n], PAGE_SIZE, 0);
414 ret = sg_alloc_table_from_pages(*st, pvec, num_pages,
415 0, num_pages << PAGE_SHIFT,
430 __i915_gem_userptr_set_pages(struct drm_i915_gem_object *obj,
431 struct page **pvec, int num_pages)
435 ret = st_set_pages(&obj->pages, pvec, num_pages);
439 ret = i915_gem_gtt_prepare_object(obj);
441 sg_free_table(obj->pages);
450 __i915_gem_userptr_set_active(struct drm_i915_gem_object *obj,
455 /* During mm_invalidate_range we need to cancel any userptr that
456 * overlaps the range being invalidated. Doing so requires the
457 * struct_mutex, and that risks recursion. In order to cause
458 * recursion, the user must alias the userptr address space with
459 * a GTT mmapping (possible with a MAP_FIXED) - then when we have
460 * to invalidate that mmaping, mm_invalidate_range is called with
461 * the userptr address *and* the struct_mutex held. To prevent that
462 * we set a flag under the i915_mmu_notifier spinlock to indicate
463 * whether this object is valid.
465 #if defined(CONFIG_MMU_NOTIFIER)
466 if (obj->userptr.mmu_object == NULL)
469 spin_lock(&obj->userptr.mmu_object->mn->lock);
470 /* In order to serialise get_pages with an outstanding
471 * cancel_userptr, we must drop the struct_mutex and try again.
474 del_object(obj->userptr.mmu_object);
475 else if (!work_pending(&obj->userptr.mmu_object->work))
476 add_object(obj->userptr.mmu_object);
479 spin_unlock(&obj->userptr.mmu_object->mn->lock);
486 __i915_gem_userptr_get_pages_worker(struct work_struct *_work)
488 struct get_pages_work *work = container_of(_work, typeof(*work), work);
489 struct drm_i915_gem_object *obj = work->obj;
490 struct drm_device *dev = obj->base.dev;
491 const int npages = obj->base.size >> PAGE_SHIFT;
498 pvec = drm_malloc_gfp(npages, sizeof(struct page *), GFP_TEMPORARY);
500 struct mm_struct *mm = obj->userptr.mm->mm;
501 unsigned int flags = 0;
503 if (!obj->userptr.read_only)
507 if (atomic_inc_not_zero(&mm->mm_users)) {
508 down_read(&mm->mmap_sem);
509 while (pinned < npages) {
510 ret = get_user_pages_remote
512 obj->userptr.ptr + pinned * PAGE_SIZE,
515 pvec + pinned, NULL);
521 up_read(&mm->mmap_sem);
526 mutex_lock(&dev->struct_mutex);
527 if (obj->userptr.work == &work->work) {
528 if (pinned == npages) {
529 ret = __i915_gem_userptr_set_pages(obj, pvec, npages);
531 list_add_tail(&obj->global_list,
532 &to_i915(dev)->mm.unbound_list);
533 obj->get_page.sg = obj->pages->sgl;
534 obj->get_page.last = 0;
538 obj->userptr.work = ERR_PTR(ret);
541 obj->userptr.workers--;
542 i915_gem_object_put(obj);
543 mutex_unlock(&dev->struct_mutex);
545 release_pages(pvec, pinned, 0);
546 drm_free_large(pvec);
548 put_task_struct(work->task);
553 __i915_gem_userptr_get_pages_schedule(struct drm_i915_gem_object *obj,
556 struct get_pages_work *work;
558 /* Spawn a worker so that we can acquire the
559 * user pages without holding our mutex. Access
560 * to the user pages requires mmap_sem, and we have
561 * a strict lock ordering of mmap_sem, struct_mutex -
562 * we already hold struct_mutex here and so cannot
563 * call gup without encountering a lock inversion.
565 * Userspace will keep on repeating the operation
566 * (thanks to EAGAIN) until either we hit the fast
567 * path or the worker completes. If the worker is
568 * cancelled or superseded, the task is still run
569 * but the results ignored. (This leads to
570 * complications that we may have a stray object
571 * refcount that we need to be wary of when
572 * checking for existing objects during creation.)
573 * If the worker encounters an error, it reports
574 * that error back to this function through
575 * obj->userptr.work = ERR_PTR.
577 if (obj->userptr.workers >= I915_GEM_USERPTR_MAX_WORKERS)
580 work = kmalloc(sizeof(*work), GFP_KERNEL);
584 obj->userptr.work = &work->work;
585 obj->userptr.workers++;
587 work->obj = i915_gem_object_get(obj);
589 work->task = current;
590 get_task_struct(work->task);
592 INIT_WORK(&work->work, __i915_gem_userptr_get_pages_worker);
593 schedule_work(&work->work);
600 i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj)
602 const int num_pages = obj->base.size >> PAGE_SHIFT;
607 /* If userspace should engineer that these pages are replaced in
608 * the vma between us binding this page into the GTT and completion
609 * of rendering... Their loss. If they change the mapping of their
610 * pages they need to create a new bo to point to the new vma.
612 * However, that still leaves open the possibility of the vma
613 * being copied upon fork. Which falls under the same userspace
614 * synchronisation issue as a regular bo, except that this time
615 * the process may not be expecting that a particular piece of
616 * memory is tied to the GPU.
618 * Fortunately, we can hook into the mmu_notifier in order to
619 * discard the page references prior to anything nasty happening
620 * to the vma (discard or cloning) which should prevent the more
621 * egregious cases from causing harm.
624 if (obj->userptr.work) {
625 /* active flag should still be held for the pending work */
626 if (IS_ERR(obj->userptr.work))
627 return PTR_ERR(obj->userptr.work);
632 /* Let the mmu-notifier know that we have begun and need cancellation */
633 ret = __i915_gem_userptr_set_active(obj, true);
639 if (obj->userptr.mm->mm == current->mm) {
640 pvec = drm_malloc_gfp(num_pages, sizeof(struct page *),
643 __i915_gem_userptr_set_active(obj, false);
647 pinned = __get_user_pages_fast(obj->userptr.ptr, num_pages,
648 !obj->userptr.read_only, pvec);
653 ret = pinned, pinned = 0;
654 else if (pinned < num_pages)
655 ret = __i915_gem_userptr_get_pages_schedule(obj, &active);
657 ret = __i915_gem_userptr_set_pages(obj, pvec, num_pages);
659 __i915_gem_userptr_set_active(obj, active);
660 release_pages(pvec, pinned, 0);
662 drm_free_large(pvec);
667 i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj)
669 struct sgt_iter sgt_iter;
672 BUG_ON(obj->userptr.work != NULL);
673 __i915_gem_userptr_set_active(obj, false);
675 if (obj->madv != I915_MADV_WILLNEED)
678 i915_gem_gtt_finish_object(obj);
680 for_each_sgt_page(page, sgt_iter, obj->pages) {
682 set_page_dirty(page);
684 mark_page_accessed(page);
689 sg_free_table(obj->pages);
694 i915_gem_userptr_release(struct drm_i915_gem_object *obj)
696 i915_gem_userptr_release__mmu_notifier(obj);
697 i915_gem_userptr_release__mm_struct(obj);
701 i915_gem_userptr_dmabuf_export(struct drm_i915_gem_object *obj)
703 if (obj->userptr.mmu_object)
706 return i915_gem_userptr_init__mmu_notifier(obj, 0);
709 static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = {
710 .flags = I915_GEM_OBJECT_HAS_STRUCT_PAGE,
711 .get_pages = i915_gem_userptr_get_pages,
712 .put_pages = i915_gem_userptr_put_pages,
713 .dmabuf_export = i915_gem_userptr_dmabuf_export,
714 .release = i915_gem_userptr_release,
718 * Creates a new mm object that wraps some normal memory from the process
719 * context - user memory.
721 * We impose several restrictions upon the memory being mapped
723 * 1. It must be page aligned (both start/end addresses, i.e ptr and size).
724 * 2. It must be normal system memory, not a pointer into another map of IO
725 * space (e.g. it must not be a GTT mmapping of another object).
726 * 3. We only allow a bo as large as we could in theory map into the GTT,
727 * that is we limit the size to the total size of the GTT.
728 * 4. The bo is marked as being snoopable. The backing pages are left
729 * accessible directly by the CPU, but reads and writes by the GPU may
730 * incur the cost of a snoop (unless you have an LLC architecture).
732 * Synchronisation between multiple users and the GPU is left to userspace
733 * through the normal set-domain-ioctl. The kernel will enforce that the
734 * GPU relinquishes the VMA before it is returned back to the system
735 * i.e. upon free(), munmap() or process termination. However, the userspace
736 * malloc() library may not immediately relinquish the VMA after free() and
737 * instead reuse it whilst the GPU is still reading and writing to the VMA.
740 * Also note, that the object created here is not currently a "first class"
741 * object, in that several ioctls are banned. These are the CPU access
742 * ioctls: mmap(), pwrite and pread. In practice, you are expected to use
743 * direct access via your pointer rather than use those ioctls. Another
744 * restriction is that we do not allow userptr surfaces to be pinned to the
745 * hardware and so we reject any attempt to create a framebuffer out of a
748 * If you think this is a good interface to use to pass GPU memory between
749 * drivers, please use dma-buf instead. In fact, wherever possible use
753 i915_gem_userptr_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
755 struct drm_i915_gem_userptr *args = data;
756 struct drm_i915_gem_object *obj;
760 if (!HAS_LLC(dev) && !HAS_SNOOP(dev)) {
761 /* We cannot support coherent userptr objects on hw without
762 * LLC and broken snooping.
767 if (args->flags & ~(I915_USERPTR_READ_ONLY |
768 I915_USERPTR_UNSYNCHRONIZED))
771 if (offset_in_page(args->user_ptr | args->user_size))
774 if (!access_ok(args->flags & I915_USERPTR_READ_ONLY ? VERIFY_READ : VERIFY_WRITE,
775 (char __user *)(unsigned long)args->user_ptr, args->user_size))
778 if (args->flags & I915_USERPTR_READ_ONLY) {
779 /* On almost all of the current hw, we cannot tell the GPU that a
780 * page is readonly, so this is just a placeholder in the uAPI.
785 obj = i915_gem_object_alloc(dev);
789 drm_gem_private_object_init(dev, &obj->base, args->user_size);
790 i915_gem_object_init(obj, &i915_gem_userptr_ops);
791 obj->cache_level = I915_CACHE_LLC;
792 obj->base.write_domain = I915_GEM_DOMAIN_CPU;
793 obj->base.read_domains = I915_GEM_DOMAIN_CPU;
795 obj->userptr.ptr = args->user_ptr;
796 obj->userptr.read_only = !!(args->flags & I915_USERPTR_READ_ONLY);
798 /* And keep a pointer to the current->mm for resolving the user pages
799 * at binding. This means that we need to hook into the mmu_notifier
800 * in order to detect if the mmu is destroyed.
802 ret = i915_gem_userptr_init__mm_struct(obj);
804 ret = i915_gem_userptr_init__mmu_notifier(obj, args->flags);
806 ret = drm_gem_handle_create(file, &obj->base, &handle);
808 /* drop reference from allocate - handle holds it now */
809 i915_gem_object_put_unlocked(obj);
813 args->handle = handle;
817 void i915_gem_init_userptr(struct drm_i915_private *dev_priv)
819 mutex_init(&dev_priv->mm_lock);
820 hash_init(dev_priv->mm_structs);
projects / karo-tx-linux.git / blob