2 * Copyright © 2012-2014 Intel Corporation
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
26 #include <drm/i915_drm.h>
28 #include "i915_trace.h"
29 #include "intel_drv.h"
30 #include <linux/mmu_context.h>
31 #include <linux/mmu_notifier.h>
32 #include <linux/mempolicy.h>
33 #include <linux/swap.h>
35 struct i915_mm_struct {
37 struct drm_device *dev;
38 struct i915_mmu_notifier *mn;
39 struct hlist_node node;
41 struct work_struct work;
44 #if defined(CONFIG_MMU_NOTIFIER)
45 #include <linux/interval_tree.h>
47 struct i915_mmu_notifier {
49 struct hlist_node node;
50 struct mmu_notifier mn;
51 struct rb_root objects;
52 struct list_head linear;
57 struct i915_mmu_object {
58 struct i915_mmu_notifier *mn;
59 struct interval_tree_node it;
60 struct list_head link;
61 struct drm_i915_gem_object *obj;
65 static unsigned long cancel_userptr(struct drm_i915_gem_object *obj)
67 struct drm_device *dev = obj->base.dev;
70 mutex_lock(&dev->struct_mutex);
71 /* Cancel any active worker and force us to re-evaluate gup */
72 obj->userptr.work = NULL;
74 if (obj->pages != NULL) {
75 struct drm_i915_private *dev_priv = to_i915(dev);
76 struct i915_vma *vma, *tmp;
77 bool was_interruptible;
79 was_interruptible = dev_priv->mm.interruptible;
80 dev_priv->mm.interruptible = false;
82 list_for_each_entry_safe(vma, tmp, &obj->vma_list, vma_link) {
83 int ret = i915_vma_unbind(vma);
84 WARN_ON(ret && ret != -EIO);
86 WARN_ON(i915_gem_object_put_pages(obj));
88 dev_priv->mm.interruptible = was_interruptible;
91 end = obj->userptr.ptr + obj->base.size;
93 drm_gem_object_unreference(&obj->base);
94 mutex_unlock(&dev->struct_mutex);
99 static void *invalidate_range__linear(struct i915_mmu_notifier *mn,
100 struct mm_struct *mm,
104 struct i915_mmu_object *mo;
105 unsigned long serial;
109 list_for_each_entry(mo, &mn->linear, link) {
110 struct drm_i915_gem_object *obj;
112 if (mo->it.last < start || mo->it.start > end)
117 if (!kref_get_unless_zero(&obj->base.refcount))
120 spin_unlock(&mn->lock);
124 spin_lock(&mn->lock);
125 if (serial != mn->serial)
132 static void i915_gem_userptr_mn_invalidate_range_start(struct mmu_notifier *_mn,
133 struct mm_struct *mm,
137 struct i915_mmu_notifier *mn = container_of(_mn, struct i915_mmu_notifier, mn);
138 struct interval_tree_node *it = NULL;
139 unsigned long next = start;
140 unsigned long serial = 0;
142 end--; /* interval ranges are inclusive, but invalidate range is exclusive */
144 struct drm_i915_gem_object *obj = NULL;
146 spin_lock(&mn->lock);
148 it = invalidate_range__linear(mn, mm, start, end);
149 else if (serial == mn->serial)
150 it = interval_tree_iter_next(it, next, end);
152 it = interval_tree_iter_first(&mn->objects, start, end);
154 obj = container_of(it, struct i915_mmu_object, it)->obj;
156 /* The mmu_object is released late when destroying the
157 * GEM object so it is entirely possible to gain a
158 * reference on an object in the process of being freed
159 * since our serialisation is via the spinlock and not
160 * the struct_mutex - and consequently use it after it
161 * is freed and then double free it.
163 if (!kref_get_unless_zero(&obj->base.refcount)) {
164 spin_unlock(&mn->lock);
171 spin_unlock(&mn->lock);
175 next = cancel_userptr(obj);
179 static const struct mmu_notifier_ops i915_gem_userptr_notifier = {
180 .invalidate_range_start = i915_gem_userptr_mn_invalidate_range_start,
183 static struct i915_mmu_notifier *
184 i915_mmu_notifier_create(struct mm_struct *mm)
186 struct i915_mmu_notifier *mn;
189 mn = kmalloc(sizeof(*mn), GFP_KERNEL);
191 return ERR_PTR(-ENOMEM);
193 spin_lock_init(&mn->lock);
194 mn->mn.ops = &i915_gem_userptr_notifier;
195 mn->objects = RB_ROOT;
197 INIT_LIST_HEAD(&mn->linear);
198 mn->has_linear = false;
200 /* Protected by mmap_sem (write-lock) */
201 ret = __mmu_notifier_register(&mn->mn, mm);
210 static void __i915_mmu_notifier_update_serial(struct i915_mmu_notifier *mn)
212 if (++mn->serial == 0)
217 i915_mmu_notifier_add(struct drm_device *dev,
218 struct i915_mmu_notifier *mn,
219 struct i915_mmu_object *mo)
221 struct interval_tree_node *it;
224 /* By this point we have already done a lot of expensive setup that
225 * we do not want to repeat just because the caller (e.g. X) has a
226 * signal pending (and partly because of that expensive setup, X
227 * using an interrupt timer is likely to get stuck in an EINTR loop).
229 mutex_lock(&dev->struct_mutex);
231 /* Make sure we drop the final active reference (and thereby
232 * remove the objects from the interval tree) before we do
233 * the check for overlapping objects.
235 i915_gem_retire_requests(dev);
237 spin_lock(&mn->lock);
238 it = interval_tree_iter_first(&mn->objects,
239 mo->it.start, mo->it.last);
241 struct drm_i915_gem_object *obj;
243 /* We only need to check the first object in the range as it
244 * either has cancelled gup work queued and we need to
245 * return back to the user to give time for the gup-workers
246 * to flush their object references upon which the object will
247 * be removed from the interval-tree, or the the range is
248 * still in use by another client and the overlap is invalid.
250 * If we do have an overlap, we cannot use the interval tree
251 * for fast range invalidation.
254 obj = container_of(it, struct i915_mmu_object, it)->obj;
255 if (!obj->userptr.workers)
256 mn->has_linear = mo->is_linear = true;
260 interval_tree_insert(&mo->it, &mn->objects);
263 list_add(&mo->link, &mn->linear);
264 __i915_mmu_notifier_update_serial(mn);
266 spin_unlock(&mn->lock);
267 mutex_unlock(&dev->struct_mutex);
272 static bool i915_mmu_notifier_has_linear(struct i915_mmu_notifier *mn)
274 struct i915_mmu_object *mo;
276 list_for_each_entry(mo, &mn->linear, link)
284 i915_mmu_notifier_del(struct i915_mmu_notifier *mn,
285 struct i915_mmu_object *mo)
287 spin_lock(&mn->lock);
290 mn->has_linear = i915_mmu_notifier_has_linear(mn);
292 interval_tree_remove(&mo->it, &mn->objects);
293 __i915_mmu_notifier_update_serial(mn);
294 spin_unlock(&mn->lock);
298 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
300 struct i915_mmu_object *mo;
302 mo = obj->userptr.mmu_object;
306 i915_mmu_notifier_del(mo->mn, mo);
309 obj->userptr.mmu_object = NULL;
312 static struct i915_mmu_notifier *
313 i915_mmu_notifier_find(struct i915_mm_struct *mm)
315 struct i915_mmu_notifier *mn = mm->mn;
321 down_write(&mm->mm->mmap_sem);
322 mutex_lock(&to_i915(mm->dev)->mm_lock);
323 if ((mn = mm->mn) == NULL) {
324 mn = i915_mmu_notifier_create(mm->mm);
328 mutex_unlock(&to_i915(mm->dev)->mm_lock);
329 up_write(&mm->mm->mmap_sem);
335 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
338 struct i915_mmu_notifier *mn;
339 struct i915_mmu_object *mo;
342 if (flags & I915_USERPTR_UNSYNCHRONIZED)
343 return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;
345 if (WARN_ON(obj->userptr.mm == NULL))
348 mn = i915_mmu_notifier_find(obj->userptr.mm);
352 mo = kzalloc(sizeof(*mo), GFP_KERNEL);
357 mo->it.start = obj->userptr.ptr;
358 mo->it.last = mo->it.start + obj->base.size - 1;
361 ret = i915_mmu_notifier_add(obj->base.dev, mn, mo);
367 obj->userptr.mmu_object = mo;
372 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
373 struct mm_struct *mm)
378 mmu_notifier_unregister(&mn->mn, mm);
385 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
390 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
393 if ((flags & I915_USERPTR_UNSYNCHRONIZED) == 0)
396 if (!capable(CAP_SYS_ADMIN))
403 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
404 struct mm_struct *mm)
410 static struct i915_mm_struct *
411 __i915_mm_struct_find(struct drm_i915_private *dev_priv, struct mm_struct *real)
413 struct i915_mm_struct *mm;
415 /* Protected by dev_priv->mm_lock */
416 hash_for_each_possible(dev_priv->mm_structs, mm, node, (unsigned long)real)
424 i915_gem_userptr_init__mm_struct(struct drm_i915_gem_object *obj)
426 struct drm_i915_private *dev_priv = to_i915(obj->base.dev);
427 struct i915_mm_struct *mm;
430 /* During release of the GEM object we hold the struct_mutex. This
431 * precludes us from calling mmput() at that time as that may be
432 * the last reference and so call exit_mmap(). exit_mmap() will
433 * attempt to reap the vma, and if we were holding a GTT mmap
434 * would then call drm_gem_vm_close() and attempt to reacquire
435 * the struct mutex. So in order to avoid that recursion, we have
436 * to defer releasing the mm reference until after we drop the
437 * struct_mutex, i.e. we need to schedule a worker to do the clean
440 mutex_lock(&dev_priv->mm_lock);
441 mm = __i915_mm_struct_find(dev_priv, current->mm);
443 mm = kmalloc(sizeof(*mm), GFP_KERNEL);
449 kref_init(&mm->kref);
450 mm->dev = obj->base.dev;
452 mm->mm = current->mm;
453 atomic_inc(¤t->mm->mm_count);
457 /* Protected by dev_priv->mm_lock */
458 hash_add(dev_priv->mm_structs,
459 &mm->node, (unsigned long)mm->mm);
463 obj->userptr.mm = mm;
465 mutex_unlock(&dev_priv->mm_lock);
470 __i915_mm_struct_free__worker(struct work_struct *work)
472 struct i915_mm_struct *mm = container_of(work, typeof(*mm), work);
473 i915_mmu_notifier_free(mm->mn, mm->mm);
479 __i915_mm_struct_free(struct kref *kref)
481 struct i915_mm_struct *mm = container_of(kref, typeof(*mm), kref);
483 /* Protected by dev_priv->mm_lock */
485 mutex_unlock(&to_i915(mm->dev)->mm_lock);
487 INIT_WORK(&mm->work, __i915_mm_struct_free__worker);
488 schedule_work(&mm->work);
492 i915_gem_userptr_release__mm_struct(struct drm_i915_gem_object *obj)
494 if (obj->userptr.mm == NULL)
497 kref_put_mutex(&obj->userptr.mm->kref,
498 __i915_mm_struct_free,
499 &to_i915(obj->base.dev)->mm_lock);
500 obj->userptr.mm = NULL;
503 struct get_pages_work {
504 struct work_struct work;
505 struct drm_i915_gem_object *obj;
506 struct task_struct *task;
509 #if IS_ENABLED(CONFIG_SWIOTLB)
510 #define swiotlb_active() swiotlb_nr_tbl()
512 #define swiotlb_active() 0
516 st_set_pages(struct sg_table **st, struct page **pvec, int num_pages)
518 struct scatterlist *sg;
521 *st = kmalloc(sizeof(**st), GFP_KERNEL);
525 if (swiotlb_active()) {
526 ret = sg_alloc_table(*st, num_pages, GFP_KERNEL);
530 for_each_sg((*st)->sgl, sg, num_pages, n)
531 sg_set_page(sg, pvec[n], PAGE_SIZE, 0);
533 ret = sg_alloc_table_from_pages(*st, pvec, num_pages,
534 0, num_pages << PAGE_SHIFT,
549 __i915_gem_userptr_get_pages_worker(struct work_struct *_work)
551 struct get_pages_work *work = container_of(_work, typeof(*work), work);
552 struct drm_i915_gem_object *obj = work->obj;
553 struct drm_device *dev = obj->base.dev;
554 const int num_pages = obj->base.size >> PAGE_SHIFT;
561 pvec = kmalloc(num_pages*sizeof(struct page *),
562 GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
564 pvec = drm_malloc_ab(num_pages, sizeof(struct page *));
566 struct mm_struct *mm = obj->userptr.mm->mm;
568 down_read(&mm->mmap_sem);
569 while (pinned < num_pages) {
570 ret = get_user_pages(work->task, mm,
571 obj->userptr.ptr + pinned * PAGE_SIZE,
573 !obj->userptr.read_only, 0,
574 pvec + pinned, NULL);
580 up_read(&mm->mmap_sem);
583 mutex_lock(&dev->struct_mutex);
584 if (obj->userptr.work != &work->work) {
586 } else if (pinned == num_pages) {
587 ret = st_set_pages(&obj->pages, pvec, num_pages);
589 list_add_tail(&obj->global_list, &to_i915(dev)->mm.unbound_list);
594 obj->userptr.work = ERR_PTR(ret);
595 obj->userptr.workers--;
596 drm_gem_object_unreference(&obj->base);
597 mutex_unlock(&dev->struct_mutex);
599 release_pages(pvec, pinned, 0);
600 drm_free_large(pvec);
602 put_task_struct(work->task);
607 i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj)
609 const int num_pages = obj->base.size >> PAGE_SHIFT;
613 /* If userspace should engineer that these pages are replaced in
614 * the vma between us binding this page into the GTT and completion
615 * of rendering... Their loss. If they change the mapping of their
616 * pages they need to create a new bo to point to the new vma.
618 * However, that still leaves open the possibility of the vma
619 * being copied upon fork. Which falls under the same userspace
620 * synchronisation issue as a regular bo, except that this time
621 * the process may not be expecting that a particular piece of
622 * memory is tied to the GPU.
624 * Fortunately, we can hook into the mmu_notifier in order to
625 * discard the page references prior to anything nasty happening
626 * to the vma (discard or cloning) which should prevent the more
627 * egregious cases from causing harm.
632 if (obj->userptr.mm->mm == current->mm) {
633 pvec = kmalloc(num_pages*sizeof(struct page *),
634 GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
636 pvec = drm_malloc_ab(num_pages, sizeof(struct page *));
641 pinned = __get_user_pages_fast(obj->userptr.ptr, num_pages,
642 !obj->userptr.read_only, pvec);
644 if (pinned < num_pages) {
649 /* Spawn a worker so that we can acquire the
650 * user pages without holding our mutex. Access
651 * to the user pages requires mmap_sem, and we have
652 * a strict lock ordering of mmap_sem, struct_mutex -
653 * we already hold struct_mutex here and so cannot
654 * call gup without encountering a lock inversion.
656 * Userspace will keep on repeating the operation
657 * (thanks to EAGAIN) until either we hit the fast
658 * path or the worker completes. If the worker is
659 * cancelled or superseded, the task is still run
660 * but the results ignored. (This leads to
661 * complications that we may have a stray object
662 * refcount that we need to be wary of when
663 * checking for existing objects during creation.)
664 * If the worker encounters an error, it reports
665 * that error back to this function through
666 * obj->userptr.work = ERR_PTR.
669 if (obj->userptr.work == NULL &&
670 obj->userptr.workers < I915_GEM_USERPTR_MAX_WORKERS) {
671 struct get_pages_work *work;
673 work = kmalloc(sizeof(*work), GFP_KERNEL);
675 obj->userptr.work = &work->work;
676 obj->userptr.workers++;
679 drm_gem_object_reference(&obj->base);
681 work->task = current;
682 get_task_struct(work->task);
684 INIT_WORK(&work->work, __i915_gem_userptr_get_pages_worker);
685 schedule_work(&work->work);
689 if (IS_ERR(obj->userptr.work)) {
690 ret = PTR_ERR(obj->userptr.work);
691 obj->userptr.work = NULL;
696 ret = st_set_pages(&obj->pages, pvec, num_pages);
698 obj->userptr.work = NULL;
703 release_pages(pvec, pinned, 0);
704 drm_free_large(pvec);
709 i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj)
711 struct sg_page_iter sg_iter;
713 BUG_ON(obj->userptr.work != NULL);
715 if (obj->madv != I915_MADV_WILLNEED)
718 for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, 0) {
719 struct page *page = sg_page_iter_page(&sg_iter);
722 set_page_dirty(page);
724 mark_page_accessed(page);
725 page_cache_release(page);
729 sg_free_table(obj->pages);
734 i915_gem_userptr_release(struct drm_i915_gem_object *obj)
736 i915_gem_userptr_release__mmu_notifier(obj);
737 i915_gem_userptr_release__mm_struct(obj);
741 i915_gem_userptr_dmabuf_export(struct drm_i915_gem_object *obj)
743 if (obj->userptr.mmu_object)
746 return i915_gem_userptr_init__mmu_notifier(obj, 0);
749 static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = {
750 .dmabuf_export = i915_gem_userptr_dmabuf_export,
751 .get_pages = i915_gem_userptr_get_pages,
752 .put_pages = i915_gem_userptr_put_pages,
753 .release = i915_gem_userptr_release,
757 * Creates a new mm object that wraps some normal memory from the process
758 * context - user memory.
760 * We impose several restrictions upon the memory being mapped
762 * 1. It must be page aligned (both start/end addresses, i.e ptr and size).
763 * 2. It must be normal system memory, not a pointer into another map of IO
764 * space (e.g. it must not be a GTT mmapping of another object).
765 * 3. We only allow a bo as large as we could in theory map into the GTT,
766 * that is we limit the size to the total size of the GTT.
767 * 4. The bo is marked as being snoopable. The backing pages are left
768 * accessible directly by the CPU, but reads and writes by the GPU may
769 * incur the cost of a snoop (unless you have an LLC architecture).
771 * Synchronisation between multiple users and the GPU is left to userspace
772 * through the normal set-domain-ioctl. The kernel will enforce that the
773 * GPU relinquishes the VMA before it is returned back to the system
774 * i.e. upon free(), munmap() or process termination. However, the userspace
775 * malloc() library may not immediately relinquish the VMA after free() and
776 * instead reuse it whilst the GPU is still reading and writing to the VMA.
779 * Also note, that the object created here is not currently a "first class"
780 * object, in that several ioctls are banned. These are the CPU access
781 * ioctls: mmap(), pwrite and pread. In practice, you are expected to use
782 * direct access via your pointer rather than use those ioctls.
784 * If you think this is a good interface to use to pass GPU memory between
785 * drivers, please use dma-buf instead. In fact, wherever possible use
789 i915_gem_userptr_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
791 struct drm_i915_private *dev_priv = dev->dev_private;
792 struct drm_i915_gem_userptr *args = data;
793 struct drm_i915_gem_object *obj;
797 if (args->flags & ~(I915_USERPTR_READ_ONLY |
798 I915_USERPTR_UNSYNCHRONIZED))
801 if (offset_in_page(args->user_ptr | args->user_size))
804 if (args->user_size > dev_priv->gtt.base.total)
807 if (!access_ok(args->flags & I915_USERPTR_READ_ONLY ? VERIFY_READ : VERIFY_WRITE,
808 (char __user *)(unsigned long)args->user_ptr, args->user_size))
811 if (args->flags & I915_USERPTR_READ_ONLY) {
812 /* On almost all of the current hw, we cannot tell the GPU that a
813 * page is readonly, so this is just a placeholder in the uAPI.
818 obj = i915_gem_object_alloc(dev);
822 drm_gem_private_object_init(dev, &obj->base, args->user_size);
823 i915_gem_object_init(obj, &i915_gem_userptr_ops);
824 obj->cache_level = I915_CACHE_LLC;
825 obj->base.write_domain = I915_GEM_DOMAIN_CPU;
826 obj->base.read_domains = I915_GEM_DOMAIN_CPU;
828 obj->userptr.ptr = args->user_ptr;
829 obj->userptr.read_only = !!(args->flags & I915_USERPTR_READ_ONLY);
831 /* And keep a pointer to the current->mm for resolving the user pages
832 * at binding. This means that we need to hook into the mmu_notifier
833 * in order to detect if the mmu is destroyed.
835 ret = i915_gem_userptr_init__mm_struct(obj);
837 ret = i915_gem_userptr_init__mmu_notifier(obj, args->flags);
839 ret = drm_gem_handle_create(file, &obj->base, &handle);
841 /* drop reference from allocate - handle holds it now */
842 drm_gem_object_unreference_unlocked(&obj->base);
846 args->handle = handle;
851 i915_gem_init_userptr(struct drm_device *dev)
853 struct drm_i915_private *dev_priv = to_i915(dev);
854 mutex_init(&dev_priv->mm_lock);
855 hash_init(dev_priv->mm_structs);
projects / firefly-linux-kernel-4.4.55.git / blob