2 * Copyright © 2012-2014 Intel Corporation
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
26 #include <drm/i915_drm.h>
28 #include "i915_trace.h"
29 #include "intel_drv.h"
30 #include <linux/mmu_context.h>
31 #include <linux/mmu_notifier.h>
32 #include <linux/mempolicy.h>
33 #include <linux/swap.h>
35 struct i915_mm_struct {
37 struct drm_device *dev;
38 struct i915_mmu_notifier *mn;
39 struct hlist_node node;
41 struct work_struct work;
44 #if defined(CONFIG_MMU_NOTIFIER)
45 #include <linux/interval_tree.h>
47 struct i915_mmu_notifier {
49 struct hlist_node node;
50 struct mmu_notifier mn;
51 struct rb_root objects;
54 struct i915_mmu_object {
55 struct i915_mmu_notifier *mn;
56 struct drm_i915_gem_object *obj;
57 struct interval_tree_node it;
58 struct list_head link;
59 struct work_struct work;
63 static void cancel_userptr(struct work_struct *work)
65 struct i915_mmu_object *mo = container_of(work, typeof(*mo), work);
66 struct drm_i915_gem_object *obj = mo->obj;
67 struct drm_device *dev = obj->base.dev;
69 mutex_lock(&dev->struct_mutex);
70 /* Cancel any active worker and force us to re-evaluate gup */
71 obj->userptr.work = NULL;
73 if (obj->pages != NULL) {
74 struct drm_i915_private *dev_priv = to_i915(dev);
75 struct i915_vma *vma, *tmp;
76 bool was_interruptible;
78 was_interruptible = dev_priv->mm.interruptible;
79 dev_priv->mm.interruptible = false;
81 list_for_each_entry_safe(vma, tmp, &obj->vma_list, obj_link) {
82 int ret = i915_vma_unbind(vma);
83 WARN_ON(ret && ret != -EIO);
85 WARN_ON(i915_gem_object_put_pages(obj));
87 dev_priv->mm.interruptible = was_interruptible;
90 drm_gem_object_unreference(&obj->base);
91 mutex_unlock(&dev->struct_mutex);
94 static void add_object(struct i915_mmu_object *mo)
99 interval_tree_insert(&mo->it, &mo->mn->objects);
103 static void del_object(struct i915_mmu_object *mo)
108 interval_tree_remove(&mo->it, &mo->mn->objects);
109 mo->attached = false;
112 static void i915_gem_userptr_mn_invalidate_range_start(struct mmu_notifier *_mn,
113 struct mm_struct *mm,
117 struct i915_mmu_notifier *mn =
118 container_of(_mn, struct i915_mmu_notifier, mn);
119 struct i915_mmu_object *mo;
120 struct interval_tree_node *it;
121 LIST_HEAD(cancelled);
123 if (RB_EMPTY_ROOT(&mn->objects))
126 /* interval ranges are inclusive, but invalidate range is exclusive */
129 spin_lock(&mn->lock);
130 it = interval_tree_iter_first(&mn->objects, start, end);
132 /* The mmu_object is released late when destroying the
133 * GEM object so it is entirely possible to gain a
134 * reference on an object in the process of being freed
135 * since our serialisation is via the spinlock and not
136 * the struct_mutex - and consequently use it after it
137 * is freed and then double free it. To prevent that
138 * use-after-free we only acquire a reference on the
139 * object if it is not in the process of being destroyed.
141 mo = container_of(it, struct i915_mmu_object, it);
142 if (kref_get_unless_zero(&mo->obj->base.refcount))
143 schedule_work(&mo->work);
145 list_add(&mo->link, &cancelled);
146 it = interval_tree_iter_next(it, start, end);
148 list_for_each_entry(mo, &cancelled, link)
150 spin_unlock(&mn->lock);
153 static const struct mmu_notifier_ops i915_gem_userptr_notifier = {
154 .invalidate_range_start = i915_gem_userptr_mn_invalidate_range_start,
157 static struct i915_mmu_notifier *
158 i915_mmu_notifier_create(struct mm_struct *mm)
160 struct i915_mmu_notifier *mn;
163 mn = kmalloc(sizeof(*mn), GFP_KERNEL);
165 return ERR_PTR(-ENOMEM);
167 spin_lock_init(&mn->lock);
168 mn->mn.ops = &i915_gem_userptr_notifier;
169 mn->objects = RB_ROOT;
171 /* Protected by mmap_sem (write-lock) */
172 ret = __mmu_notifier_register(&mn->mn, mm);
182 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
184 struct i915_mmu_object *mo;
186 mo = obj->userptr.mmu_object;
190 spin_lock(&mo->mn->lock);
192 spin_unlock(&mo->mn->lock);
195 obj->userptr.mmu_object = NULL;
198 static struct i915_mmu_notifier *
199 i915_mmu_notifier_find(struct i915_mm_struct *mm)
201 struct i915_mmu_notifier *mn = mm->mn;
207 down_write(&mm->mm->mmap_sem);
208 mutex_lock(&to_i915(mm->dev)->mm_lock);
209 if ((mn = mm->mn) == NULL) {
210 mn = i915_mmu_notifier_create(mm->mm);
214 mutex_unlock(&to_i915(mm->dev)->mm_lock);
215 up_write(&mm->mm->mmap_sem);
221 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
224 struct i915_mmu_notifier *mn;
225 struct i915_mmu_object *mo;
227 if (flags & I915_USERPTR_UNSYNCHRONIZED)
228 return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;
230 if (WARN_ON(obj->userptr.mm == NULL))
233 mn = i915_mmu_notifier_find(obj->userptr.mm);
237 mo = kzalloc(sizeof(*mo), GFP_KERNEL);
243 mo->it.start = obj->userptr.ptr;
244 mo->it.last = obj->userptr.ptr + obj->base.size - 1;
245 INIT_WORK(&mo->work, cancel_userptr);
247 obj->userptr.mmu_object = mo;
252 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
253 struct mm_struct *mm)
258 mmu_notifier_unregister(&mn->mn, mm);
265 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
270 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
273 if ((flags & I915_USERPTR_UNSYNCHRONIZED) == 0)
276 if (!capable(CAP_SYS_ADMIN))
283 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
284 struct mm_struct *mm)
290 static struct i915_mm_struct *
291 __i915_mm_struct_find(struct drm_i915_private *dev_priv, struct mm_struct *real)
293 struct i915_mm_struct *mm;
295 /* Protected by dev_priv->mm_lock */
296 hash_for_each_possible(dev_priv->mm_structs, mm, node, (unsigned long)real)
304 i915_gem_userptr_init__mm_struct(struct drm_i915_gem_object *obj)
306 struct drm_i915_private *dev_priv = to_i915(obj->base.dev);
307 struct i915_mm_struct *mm;
310 /* During release of the GEM object we hold the struct_mutex. This
311 * precludes us from calling mmput() at that time as that may be
312 * the last reference and so call exit_mmap(). exit_mmap() will
313 * attempt to reap the vma, and if we were holding a GTT mmap
314 * would then call drm_gem_vm_close() and attempt to reacquire
315 * the struct mutex. So in order to avoid that recursion, we have
316 * to defer releasing the mm reference until after we drop the
317 * struct_mutex, i.e. we need to schedule a worker to do the clean
320 mutex_lock(&dev_priv->mm_lock);
321 mm = __i915_mm_struct_find(dev_priv, current->mm);
323 mm = kmalloc(sizeof(*mm), GFP_KERNEL);
329 kref_init(&mm->kref);
330 mm->dev = obj->base.dev;
332 mm->mm = current->mm;
333 atomic_inc(¤t->mm->mm_count);
337 /* Protected by dev_priv->mm_lock */
338 hash_add(dev_priv->mm_structs,
339 &mm->node, (unsigned long)mm->mm);
343 obj->userptr.mm = mm;
345 mutex_unlock(&dev_priv->mm_lock);
350 __i915_mm_struct_free__worker(struct work_struct *work)
352 struct i915_mm_struct *mm = container_of(work, typeof(*mm), work);
353 i915_mmu_notifier_free(mm->mn, mm->mm);
359 __i915_mm_struct_free(struct kref *kref)
361 struct i915_mm_struct *mm = container_of(kref, typeof(*mm), kref);
363 /* Protected by dev_priv->mm_lock */
365 mutex_unlock(&to_i915(mm->dev)->mm_lock);
367 INIT_WORK(&mm->work, __i915_mm_struct_free__worker);
368 schedule_work(&mm->work);
372 i915_gem_userptr_release__mm_struct(struct drm_i915_gem_object *obj)
374 if (obj->userptr.mm == NULL)
377 kref_put_mutex(&obj->userptr.mm->kref,
378 __i915_mm_struct_free,
379 &to_i915(obj->base.dev)->mm_lock);
380 obj->userptr.mm = NULL;
383 struct get_pages_work {
384 struct work_struct work;
385 struct drm_i915_gem_object *obj;
386 struct task_struct *task;
389 #if IS_ENABLED(CONFIG_SWIOTLB)
390 #define swiotlb_active() swiotlb_nr_tbl()
392 #define swiotlb_active() 0
396 st_set_pages(struct sg_table **st, struct page **pvec, int num_pages)
398 struct scatterlist *sg;
401 *st = kmalloc(sizeof(**st), GFP_KERNEL);
405 if (swiotlb_active()) {
406 ret = sg_alloc_table(*st, num_pages, GFP_KERNEL);
410 for_each_sg((*st)->sgl, sg, num_pages, n)
411 sg_set_page(sg, pvec[n], PAGE_SIZE, 0);
413 ret = sg_alloc_table_from_pages(*st, pvec, num_pages,
414 0, num_pages << PAGE_SHIFT,
429 __i915_gem_userptr_set_pages(struct drm_i915_gem_object *obj,
430 struct page **pvec, int num_pages)
434 ret = st_set_pages(&obj->pages, pvec, num_pages);
438 ret = i915_gem_gtt_prepare_object(obj);
440 sg_free_table(obj->pages);
449 __i915_gem_userptr_set_active(struct drm_i915_gem_object *obj,
454 /* During mm_invalidate_range we need to cancel any userptr that
455 * overlaps the range being invalidated. Doing so requires the
456 * struct_mutex, and that risks recursion. In order to cause
457 * recursion, the user must alias the userptr address space with
458 * a GTT mmapping (possible with a MAP_FIXED) - then when we have
459 * to invalidate that mmaping, mm_invalidate_range is called with
460 * the userptr address *and* the struct_mutex held. To prevent that
461 * we set a flag under the i915_mmu_notifier spinlock to indicate
462 * whether this object is valid.
464 #if defined(CONFIG_MMU_NOTIFIER)
465 if (obj->userptr.mmu_object == NULL)
468 spin_lock(&obj->userptr.mmu_object->mn->lock);
469 /* In order to serialise get_pages with an outstanding
470 * cancel_userptr, we must drop the struct_mutex and try again.
473 del_object(obj->userptr.mmu_object);
474 else if (!work_pending(&obj->userptr.mmu_object->work))
475 add_object(obj->userptr.mmu_object);
478 spin_unlock(&obj->userptr.mmu_object->mn->lock);
485 __i915_gem_userptr_get_pages_worker(struct work_struct *_work)
487 struct get_pages_work *work = container_of(_work, typeof(*work), work);
488 struct drm_i915_gem_object *obj = work->obj;
489 struct drm_device *dev = obj->base.dev;
490 const int npages = obj->base.size >> PAGE_SHIFT;
497 pvec = kmalloc(npages*sizeof(struct page *),
498 GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
500 pvec = drm_malloc_ab(npages, sizeof(struct page *));
502 struct mm_struct *mm = obj->userptr.mm->mm;
504 down_read(&mm->mmap_sem);
505 while (pinned < npages) {
506 ret = get_user_pages_remote(work->task, mm,
507 obj->userptr.ptr + pinned * PAGE_SIZE,
509 !obj->userptr.read_only, 0,
510 pvec + pinned, NULL);
516 up_read(&mm->mmap_sem);
519 mutex_lock(&dev->struct_mutex);
520 if (obj->userptr.work == &work->work) {
521 if (pinned == npages) {
522 ret = __i915_gem_userptr_set_pages(obj, pvec, npages);
524 list_add_tail(&obj->global_list,
525 &to_i915(dev)->mm.unbound_list);
526 obj->get_page.sg = obj->pages->sgl;
527 obj->get_page.last = 0;
531 obj->userptr.work = ERR_PTR(ret);
533 __i915_gem_userptr_set_active(obj, false);
536 obj->userptr.workers--;
537 drm_gem_object_unreference(&obj->base);
538 mutex_unlock(&dev->struct_mutex);
540 release_pages(pvec, pinned, 0);
541 drm_free_large(pvec);
543 put_task_struct(work->task);
548 __i915_gem_userptr_get_pages_schedule(struct drm_i915_gem_object *obj,
551 struct get_pages_work *work;
553 /* Spawn a worker so that we can acquire the
554 * user pages without holding our mutex. Access
555 * to the user pages requires mmap_sem, and we have
556 * a strict lock ordering of mmap_sem, struct_mutex -
557 * we already hold struct_mutex here and so cannot
558 * call gup without encountering a lock inversion.
560 * Userspace will keep on repeating the operation
561 * (thanks to EAGAIN) until either we hit the fast
562 * path or the worker completes. If the worker is
563 * cancelled or superseded, the task is still run
564 * but the results ignored. (This leads to
565 * complications that we may have a stray object
566 * refcount that we need to be wary of when
567 * checking for existing objects during creation.)
568 * If the worker encounters an error, it reports
569 * that error back to this function through
570 * obj->userptr.work = ERR_PTR.
572 if (obj->userptr.workers >= I915_GEM_USERPTR_MAX_WORKERS)
575 work = kmalloc(sizeof(*work), GFP_KERNEL);
579 obj->userptr.work = &work->work;
580 obj->userptr.workers++;
583 drm_gem_object_reference(&obj->base);
585 work->task = current;
586 get_task_struct(work->task);
588 INIT_WORK(&work->work, __i915_gem_userptr_get_pages_worker);
589 schedule_work(&work->work);
596 i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj)
598 const int num_pages = obj->base.size >> PAGE_SHIFT;
603 /* If userspace should engineer that these pages are replaced in
604 * the vma between us binding this page into the GTT and completion
605 * of rendering... Their loss. If they change the mapping of their
606 * pages they need to create a new bo to point to the new vma.
608 * However, that still leaves open the possibility of the vma
609 * being copied upon fork. Which falls under the same userspace
610 * synchronisation issue as a regular bo, except that this time
611 * the process may not be expecting that a particular piece of
612 * memory is tied to the GPU.
614 * Fortunately, we can hook into the mmu_notifier in order to
615 * discard the page references prior to anything nasty happening
616 * to the vma (discard or cloning) which should prevent the more
617 * egregious cases from causing harm.
619 if (IS_ERR(obj->userptr.work)) {
620 /* active flag will have been dropped already by the worker */
621 ret = PTR_ERR(obj->userptr.work);
622 obj->userptr.work = NULL;
625 if (obj->userptr.work)
626 /* active flag should still be held for the pending work */
629 /* Let the mmu-notifier know that we have begun and need cancellation */
630 ret = __i915_gem_userptr_set_active(obj, true);
636 if (obj->userptr.mm->mm == current->mm) {
637 pvec = kmalloc(num_pages*sizeof(struct page *),
638 GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
640 pvec = drm_malloc_ab(num_pages, sizeof(struct page *));
642 __i915_gem_userptr_set_active(obj, false);
647 pinned = __get_user_pages_fast(obj->userptr.ptr, num_pages,
648 !obj->userptr.read_only, pvec);
653 ret = pinned, pinned = 0;
654 else if (pinned < num_pages)
655 ret = __i915_gem_userptr_get_pages_schedule(obj, &active);
657 ret = __i915_gem_userptr_set_pages(obj, pvec, num_pages);
659 __i915_gem_userptr_set_active(obj, active);
660 release_pages(pvec, pinned, 0);
662 drm_free_large(pvec);
667 i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj)
669 struct sg_page_iter sg_iter;
671 BUG_ON(obj->userptr.work != NULL);
672 __i915_gem_userptr_set_active(obj, false);
674 if (obj->madv != I915_MADV_WILLNEED)
677 i915_gem_gtt_finish_object(obj);
679 for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, 0) {
680 struct page *page = sg_page_iter_page(&sg_iter);
683 set_page_dirty(page);
685 mark_page_accessed(page);
690 sg_free_table(obj->pages);
695 i915_gem_userptr_release(struct drm_i915_gem_object *obj)
697 i915_gem_userptr_release__mmu_notifier(obj);
698 i915_gem_userptr_release__mm_struct(obj);
702 i915_gem_userptr_dmabuf_export(struct drm_i915_gem_object *obj)
704 if (obj->userptr.mmu_object)
707 return i915_gem_userptr_init__mmu_notifier(obj, 0);
710 static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = {
711 .flags = I915_GEM_OBJECT_HAS_STRUCT_PAGE,
712 .get_pages = i915_gem_userptr_get_pages,
713 .put_pages = i915_gem_userptr_put_pages,
714 .dmabuf_export = i915_gem_userptr_dmabuf_export,
715 .release = i915_gem_userptr_release,
719 * Creates a new mm object that wraps some normal memory from the process
720 * context - user memory.
722 * We impose several restrictions upon the memory being mapped
724 * 1. It must be page aligned (both start/end addresses, i.e ptr and size).
725 * 2. It must be normal system memory, not a pointer into another map of IO
726 * space (e.g. it must not be a GTT mmapping of another object).
727 * 3. We only allow a bo as large as we could in theory map into the GTT,
728 * that is we limit the size to the total size of the GTT.
729 * 4. The bo is marked as being snoopable. The backing pages are left
730 * accessible directly by the CPU, but reads and writes by the GPU may
731 * incur the cost of a snoop (unless you have an LLC architecture).
733 * Synchronisation between multiple users and the GPU is left to userspace
734 * through the normal set-domain-ioctl. The kernel will enforce that the
735 * GPU relinquishes the VMA before it is returned back to the system
736 * i.e. upon free(), munmap() or process termination. However, the userspace
737 * malloc() library may not immediately relinquish the VMA after free() and
738 * instead reuse it whilst the GPU is still reading and writing to the VMA.
741 * Also note, that the object created here is not currently a "first class"
742 * object, in that several ioctls are banned. These are the CPU access
743 * ioctls: mmap(), pwrite and pread. In practice, you are expected to use
744 * direct access via your pointer rather than use those ioctls. Another
745 * restriction is that we do not allow userptr surfaces to be pinned to the
746 * hardware and so we reject any attempt to create a framebuffer out of a
749 * If you think this is a good interface to use to pass GPU memory between
750 * drivers, please use dma-buf instead. In fact, wherever possible use
754 i915_gem_userptr_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
756 struct drm_i915_gem_userptr *args = data;
757 struct drm_i915_gem_object *obj;
761 if (args->flags & ~(I915_USERPTR_READ_ONLY |
762 I915_USERPTR_UNSYNCHRONIZED))
765 if (offset_in_page(args->user_ptr | args->user_size))
768 if (!access_ok(args->flags & I915_USERPTR_READ_ONLY ? VERIFY_READ : VERIFY_WRITE,
769 (char __user *)(unsigned long)args->user_ptr, args->user_size))
772 if (args->flags & I915_USERPTR_READ_ONLY) {
773 /* On almost all of the current hw, we cannot tell the GPU that a
774 * page is readonly, so this is just a placeholder in the uAPI.
779 obj = i915_gem_object_alloc(dev);
783 drm_gem_private_object_init(dev, &obj->base, args->user_size);
784 i915_gem_object_init(obj, &i915_gem_userptr_ops);
785 obj->cache_level = I915_CACHE_LLC;
786 obj->base.write_domain = I915_GEM_DOMAIN_CPU;
787 obj->base.read_domains = I915_GEM_DOMAIN_CPU;
789 obj->userptr.ptr = args->user_ptr;
790 obj->userptr.read_only = !!(args->flags & I915_USERPTR_READ_ONLY);
792 /* And keep a pointer to the current->mm for resolving the user pages
793 * at binding. This means that we need to hook into the mmu_notifier
794 * in order to detect if the mmu is destroyed.
796 ret = i915_gem_userptr_init__mm_struct(obj);
798 ret = i915_gem_userptr_init__mmu_notifier(obj, args->flags);
800 ret = drm_gem_handle_create(file, &obj->base, &handle);
802 /* drop reference from allocate - handle holds it now */
803 drm_gem_object_unreference_unlocked(&obj->base);
807 args->handle = handle;
812 i915_gem_init_userptr(struct drm_device *dev)
814 struct drm_i915_private *dev_priv = to_i915(dev);
815 mutex_init(&dev_priv->mm_lock);
816 hash_init(dev_priv->mm_structs);
projects / cascardo / linux.git / blob