1 /*
2 * Copyright © 2012-2014 Intel Corporation
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
13 * Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21 * IN THE SOFTWARE.
22 *
23 */
24
25 #include "drmP.h"
26 #include "i915_drm.h"
27 #include "i915_drv.h"
28 #include "i915_trace.h"
29 #include "intel_drv.h"
30 #include <linux/mmu_context.h>
31 #include <linux/mmu_notifier.h>
32 #include <linux/mempolicy.h>
33 #include <linux/swap.h>
34
35 struct i915_mm_struct {
36 struct mm_struct *mm;
37 struct drm_device *dev;
38 struct i915_mmu_notifier *mn;
39 struct hlist_node node;
40 struct kref kref;
41 struct work_struct work;
42 };
43
44 #if defined(CONFIG_MMU_NOTIFIER)
45 #include <linux/interval_tree.h>
46
47 struct i915_mmu_notifier {
48 spinlock_t lock;
49 struct hlist_node node;
50 struct mmu_notifier mn;
51 struct rb_root objects;
52 struct list_head linear;
53 unsigned long serial;
54 bool has_linear;
55 };
56
57 struct i915_mmu_object {
58 struct i915_mmu_notifier *mn;
59 struct interval_tree_node it;
60 struct list_head link;
61 struct drm_i915_gem_object *obj;
62 bool is_linear;
63 };
64
cancel_userptr(struct drm_i915_gem_object * obj)65 static unsigned long cancel_userptr(struct drm_i915_gem_object *obj)
66 {
67 struct drm_device *dev = obj->base.dev;
68 unsigned long end;
69
70 mutex_lock(&dev->struct_mutex);
71 /* Cancel any active worker and force us to re-evaluate gup */
72 obj->userptr.work = NULL;
73
74 if (obj->pages != NULL) {
75 struct drm_i915_private *dev_priv = to_i915(dev);
76 struct i915_vma *vma, *tmp;
77 bool was_interruptible;
78
79 was_interruptible = dev_priv->mm.interruptible;
80 dev_priv->mm.interruptible = false;
81
82 list_for_each_entry_safe(vma, tmp, &obj->vma_list, vma_link) {
83 int ret = i915_vma_unbind(vma);
84 WARN_ON(ret && ret != -EIO);
85 }
86 WARN_ON(i915_gem_object_put_pages(obj));
87
88 dev_priv->mm.interruptible = was_interruptible;
89 }
90
91 end = obj->userptr.ptr + obj->base.size;
92
93 drm_gem_object_unreference(&obj->base);
94 mutex_unlock(&dev->struct_mutex);
95
96 return end;
97 }
98
invalidate_range__linear(struct i915_mmu_notifier * mn,struct mm_struct * mm,unsigned long start,unsigned long end)99 static void *invalidate_range__linear(struct i915_mmu_notifier *mn,
100 struct mm_struct *mm,
101 unsigned long start,
102 unsigned long end)
103 {
104 struct i915_mmu_object *mo;
105 unsigned long serial;
106
107 restart:
108 serial = mn->serial;
109 list_for_each_entry(mo, &mn->linear, link) {
110 struct drm_i915_gem_object *obj;
111
112 if (mo->it.last < start || mo->it.start > end)
113 continue;
114
115 obj = mo->obj;
116
117 if (!kref_get_unless_zero(&obj->base.refcount))
118 continue;
119
120 spin_unlock(&mn->lock);
121
122 cancel_userptr(obj);
123
124 spin_lock(&mn->lock);
125 if (serial != mn->serial)
126 goto restart;
127 }
128
129 return NULL;
130 }
131
i915_gem_userptr_mn_invalidate_range_start(struct mmu_notifier * _mn,struct mm_struct * mm,unsigned long start,unsigned long end)132 static void i915_gem_userptr_mn_invalidate_range_start(struct mmu_notifier *_mn,
133 struct mm_struct *mm,
134 unsigned long start,
135 unsigned long end)
136 {
137 struct i915_mmu_notifier *mn = container_of(_mn, struct i915_mmu_notifier, mn);
138 struct interval_tree_node *it = NULL;
139 unsigned long next = start;
140 unsigned long serial = 0;
141
142 end--; /* interval ranges are inclusive, but invalidate range is exclusive */
143 while (next < end) {
144 struct drm_i915_gem_object *obj = NULL;
145
146 spin_lock(&mn->lock);
147 if (mn->has_linear)
148 it = invalidate_range__linear(mn, mm, start, end);
149 else if (serial == mn->serial)
150 it = interval_tree_iter_next(it, next, end);
151 else
152 it = interval_tree_iter_first(&mn->objects, start, end);
153 if (it != NULL) {
154 obj = container_of(it, struct i915_mmu_object, it)->obj;
155
156 /* The mmu_object is released late when destroying the
157 * GEM object so it is entirely possible to gain a
158 * reference on an object in the process of being freed
159 * since our serialisation is via the spinlock and not
160 * the struct_mutex - and consequently use it after it
161 * is freed and then double free it.
162 */
163 if (!kref_get_unless_zero(&obj->base.refcount)) {
164 spin_unlock(&mn->lock);
165 serial = 0;
166 continue;
167 }
168
169 serial = mn->serial;
170 }
171 spin_unlock(&mn->lock);
172 if (obj == NULL)
173 return;
174
175 next = cancel_userptr(obj);
176 }
177 }
178
179 static const struct mmu_notifier_ops i915_gem_userptr_notifier = {
180 .invalidate_range_start = i915_gem_userptr_mn_invalidate_range_start,
181 };
182
183 static struct i915_mmu_notifier *
i915_mmu_notifier_create(struct mm_struct * mm)184 i915_mmu_notifier_create(struct mm_struct *mm)
185 {
186 struct i915_mmu_notifier *mn;
187 int ret;
188
189 mn = kmalloc(sizeof(*mn), GFP_KERNEL);
190 if (mn == NULL)
191 return ERR_PTR(-ENOMEM);
192
193 spin_lock_init(&mn->lock);
194 mn->mn.ops = &i915_gem_userptr_notifier;
195 mn->objects = RB_ROOT;
196 mn->serial = 1;
197 INIT_LIST_HEAD(&mn->linear);
198 mn->has_linear = false;
199
200 /* Protected by mmap_sem (write-lock) */
201 ret = __mmu_notifier_register(&mn->mn, mm);
202 if (ret) {
203 kfree(mn);
204 return ERR_PTR(ret);
205 }
206
207 return mn;
208 }
209
__i915_mmu_notifier_update_serial(struct i915_mmu_notifier * mn)210 static void __i915_mmu_notifier_update_serial(struct i915_mmu_notifier *mn)
211 {
212 if (++mn->serial == 0)
213 mn->serial = 1;
214 }
215
216 static int
i915_mmu_notifier_add(struct drm_device * dev,struct i915_mmu_notifier * mn,struct i915_mmu_object * mo)217 i915_mmu_notifier_add(struct drm_device *dev,
218 struct i915_mmu_notifier *mn,
219 struct i915_mmu_object *mo)
220 {
221 struct interval_tree_node *it;
222 int ret;
223
224 ret = i915_mutex_lock_interruptible(dev);
225 if (ret)
226 return ret;
227
228 /* Make sure we drop the final active reference (and thereby
229 * remove the objects from the interval tree) before we do
230 * the check for overlapping objects.
231 */
232 i915_gem_retire_requests(dev);
233
234 spin_lock(&mn->lock);
235 it = interval_tree_iter_first(&mn->objects,
236 mo->it.start, mo->it.last);
237 if (it) {
238 struct drm_i915_gem_object *obj;
239
240 /* We only need to check the first object in the range as it
241 * either has cancelled gup work queued and we need to
242 * return back to the user to give time for the gup-workers
243 * to flush their object references upon which the object will
244 * be removed from the interval-tree, or the the range is
245 * still in use by another client and the overlap is invalid.
246 *
247 * If we do have an overlap, we cannot use the interval tree
248 * for fast range invalidation.
249 */
250
251 obj = container_of(it, struct i915_mmu_object, it)->obj;
252 if (!obj->userptr.workers)
253 mn->has_linear = mo->is_linear = true;
254 else
255 ret = -EAGAIN;
256 } else
257 interval_tree_insert(&mo->it, &mn->objects);
258
259 if (ret == 0) {
260 list_add(&mo->link, &mn->linear);
261 __i915_mmu_notifier_update_serial(mn);
262 }
263 spin_unlock(&mn->lock);
264 mutex_unlock(&dev->struct_mutex);
265
266 return ret;
267 }
268
i915_mmu_notifier_has_linear(struct i915_mmu_notifier * mn)269 static bool i915_mmu_notifier_has_linear(struct i915_mmu_notifier *mn)
270 {
271 struct i915_mmu_object *mo;
272
273 list_for_each_entry(mo, &mn->linear, link)
274 if (mo->is_linear)
275 return true;
276
277 return false;
278 }
279
280 static void
i915_mmu_notifier_del(struct i915_mmu_notifier * mn,struct i915_mmu_object * mo)281 i915_mmu_notifier_del(struct i915_mmu_notifier *mn,
282 struct i915_mmu_object *mo)
283 {
284 spin_lock(&mn->lock);
285 list_del(&mo->link);
286 if (mo->is_linear)
287 mn->has_linear = i915_mmu_notifier_has_linear(mn);
288 else
289 interval_tree_remove(&mo->it, &mn->objects);
290 __i915_mmu_notifier_update_serial(mn);
291 spin_unlock(&mn->lock);
292 }
293
294 static void
i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object * obj)295 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
296 {
297 struct i915_mmu_object *mo;
298
299 mo = obj->userptr.mmu_object;
300 if (mo == NULL)
301 return;
302
303 i915_mmu_notifier_del(mo->mn, mo);
304 kfree(mo);
305
306 obj->userptr.mmu_object = NULL;
307 }
308
309 static struct i915_mmu_notifier *
i915_mmu_notifier_find(struct i915_mm_struct * mm)310 i915_mmu_notifier_find(struct i915_mm_struct *mm)
311 {
312 struct i915_mmu_notifier *mn = mm->mn;
313
314 mn = mm->mn;
315 if (mn)
316 return mn;
317
318 down_write(&mm->mm->mmap_sem);
319 mutex_lock(&to_i915(mm->dev)->mm_lock);
320 if ((mn = mm->mn) == NULL) {
321 mn = i915_mmu_notifier_create(mm->mm);
322 if (!IS_ERR(mn))
323 mm->mn = mn;
324 }
325 mutex_unlock(&to_i915(mm->dev)->mm_lock);
326 up_write(&mm->mm->mmap_sem);
327
328 return mn;
329 }
330
331 static int
i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object * obj,unsigned flags)332 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
333 unsigned flags)
334 {
335 struct i915_mmu_notifier *mn;
336 struct i915_mmu_object *mo;
337 int ret;
338
339 if (flags & I915_USERPTR_UNSYNCHRONIZED)
340 return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;
341
342 if (WARN_ON(obj->userptr.mm == NULL))
343 return -EINVAL;
344
345 mn = i915_mmu_notifier_find(obj->userptr.mm);
346 if (IS_ERR(mn))
347 return PTR_ERR(mn);
348
349 mo = kzalloc(sizeof(*mo), GFP_KERNEL);
350 if (mo == NULL)
351 return -ENOMEM;
352
353 mo->mn = mn;
354 mo->it.start = obj->userptr.ptr;
355 mo->it.last = mo->it.start + obj->base.size - 1;
356 mo->obj = obj;
357
358 ret = i915_mmu_notifier_add(obj->base.dev, mn, mo);
359 if (ret) {
360 kfree(mo);
361 return ret;
362 }
363
364 obj->userptr.mmu_object = mo;
365 return 0;
366 }
367
368 static void
i915_mmu_notifier_free(struct i915_mmu_notifier * mn,struct mm_struct * mm)369 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
370 struct mm_struct *mm)
371 {
372 if (mn == NULL)
373 return;
374
375 mmu_notifier_unregister(&mn->mn, mm);
376 kfree(mn);
377 }
378
379 #else
380
381 static void
i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object * obj)382 i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
383 {
384 }
385
386 static int
i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object * obj,unsigned flags)387 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
388 unsigned flags)
389 {
390 if ((flags & I915_USERPTR_UNSYNCHRONIZED) == 0)
391 return -ENODEV;
392
393 if (!capable(CAP_SYS_ADMIN))
394 return -EPERM;
395
396 return 0;
397 }
398
399 static void
i915_mmu_notifier_free(struct i915_mmu_notifier * mn,struct mm_struct * mm)400 i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
401 struct mm_struct *mm)
402 {
403 }
404
405 #endif
406
407 static struct i915_mm_struct *
__i915_mm_struct_find(struct drm_i915_private * dev_priv,struct mm_struct * real)408 __i915_mm_struct_find(struct drm_i915_private *dev_priv, struct mm_struct *real)
409 {
410 struct i915_mm_struct *mm;
411
412 /* Protected by dev_priv->mm_lock */
413 hash_for_each_possible(dev_priv->mm_structs, mm, node, (unsigned long)real)
414 if (mm->mm == real)
415 return mm;
416
417 return NULL;
418 }
419
420 static int
i915_gem_userptr_init__mm_struct(struct drm_i915_gem_object * obj)421 i915_gem_userptr_init__mm_struct(struct drm_i915_gem_object *obj)
422 {
423 struct drm_i915_private *dev_priv = to_i915(obj->base.dev);
424 struct i915_mm_struct *mm;
425 int ret = 0;
426
427 /* During release of the GEM object we hold the struct_mutex. This
428 * precludes us from calling mmput() at that time as that may be
429 * the last reference and so call exit_mmap(). exit_mmap() will
430 * attempt to reap the vma, and if we were holding a GTT mmap
431 * would then call drm_gem_vm_close() and attempt to reacquire
432 * the struct mutex. So in order to avoid that recursion, we have
433 * to defer releasing the mm reference until after we drop the
434 * struct_mutex, i.e. we need to schedule a worker to do the clean
435 * up.
436 */
437 mutex_lock(&dev_priv->mm_lock);
438 mm = __i915_mm_struct_find(dev_priv, current->mm);
439 if (mm == NULL) {
440 mm = kmalloc(sizeof(*mm), GFP_KERNEL);
441 if (mm == NULL) {
442 ret = -ENOMEM;
443 goto out;
444 }
445
446 kref_init(&mm->kref);
447 mm->dev = obj->base.dev;
448
449 mm->mm = current->mm;
450 atomic_inc(¤t->mm->mm_count);
451
452 mm->mn = NULL;
453
454 /* Protected by dev_priv->mm_lock */
455 hash_add(dev_priv->mm_structs,
456 &mm->node, (unsigned long)mm->mm);
457 } else
458 kref_get(&mm->kref);
459
460 obj->userptr.mm = mm;
461 out:
462 mutex_unlock(&dev_priv->mm_lock);
463 return ret;
464 }
465
466 static void
__i915_mm_struct_free__worker(struct work_struct * work)467 __i915_mm_struct_free__worker(struct work_struct *work)
468 {
469 struct i915_mm_struct *mm = container_of(work, typeof(*mm), work);
470 i915_mmu_notifier_free(mm->mn, mm->mm);
471 mmdrop(mm->mm);
472 kfree(mm);
473 }
474
475 static void
__i915_mm_struct_free(struct kref * kref)476 __i915_mm_struct_free(struct kref *kref)
477 {
478 struct i915_mm_struct *mm = container_of(kref, typeof(*mm), kref);
479
480 /* Protected by dev_priv->mm_lock */
481 hash_del(&mm->node);
482 mutex_unlock(&to_i915(mm->dev)->mm_lock);
483
484 INIT_WORK(&mm->work, __i915_mm_struct_free__worker);
485 schedule_work(&mm->work);
486 }
487
488 static void
i915_gem_userptr_release__mm_struct(struct drm_i915_gem_object * obj)489 i915_gem_userptr_release__mm_struct(struct drm_i915_gem_object *obj)
490 {
491 if (obj->userptr.mm == NULL)
492 return;
493
494 kref_put_mutex(&obj->userptr.mm->kref,
495 __i915_mm_struct_free,
496 &to_i915(obj->base.dev)->mm_lock);
497 obj->userptr.mm = NULL;
498 }
499
500 struct get_pages_work {
501 struct work_struct work;
502 struct drm_i915_gem_object *obj;
503 struct task_struct *task;
504 };
505
506 #if IS_ENABLED(CONFIG_SWIOTLB)
507 #define swiotlb_active() swiotlb_nr_tbl()
508 #else
509 #define swiotlb_active() 0
510 #endif
511
512 static int
st_set_pages(struct sg_table ** st,struct page ** pvec,int num_pages)513 st_set_pages(struct sg_table **st, struct page **pvec, int num_pages)
514 {
515 struct scatterlist *sg;
516 int ret, n;
517
518 *st = kmalloc(sizeof(**st), GFP_KERNEL);
519 if (*st == NULL)
520 return -ENOMEM;
521
522 if (swiotlb_active()) {
523 ret = sg_alloc_table(*st, num_pages, GFP_KERNEL);
524 if (ret)
525 goto err;
526
527 for_each_sg((*st)->sgl, sg, num_pages, n)
528 sg_set_page(sg, pvec[n], PAGE_SIZE, 0);
529 } else {
530 ret = sg_alloc_table_from_pages(*st, pvec, num_pages,
531 0, num_pages << PAGE_SHIFT,
532 GFP_KERNEL);
533 if (ret)
534 goto err;
535 }
536
537 return 0;
538
539 err:
540 kfree(*st);
541 *st = NULL;
542 return ret;
543 }
544
545 static void
__i915_gem_userptr_get_pages_worker(struct work_struct * _work)546 __i915_gem_userptr_get_pages_worker(struct work_struct *_work)
547 {
548 struct get_pages_work *work = container_of(_work, typeof(*work), work);
549 struct drm_i915_gem_object *obj = work->obj;
550 struct drm_device *dev = obj->base.dev;
551 const int num_pages = obj->base.size >> PAGE_SHIFT;
552 struct page **pvec;
553 int pinned, ret;
554
555 ret = -ENOMEM;
556 pinned = 0;
557
558 pvec = kmalloc(num_pages*sizeof(struct page *),
559 GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
560 if (pvec == NULL)
561 pvec = drm_malloc_ab(num_pages, sizeof(struct page *));
562 if (pvec != NULL) {
563 struct mm_struct *mm = obj->userptr.mm->mm;
564
565 down_read(&mm->mmap_sem);
566 while (pinned < num_pages) {
567 ret = get_user_pages(work->task, mm,
568 obj->userptr.ptr + pinned * PAGE_SIZE,
569 num_pages - pinned,
570 !obj->userptr.read_only, 0,
571 pvec + pinned, NULL);
572 if (ret < 0)
573 break;
574
575 pinned += ret;
576 }
577 up_read(&mm->mmap_sem);
578 }
579
580 mutex_lock(&dev->struct_mutex);
581 if (obj->userptr.work != &work->work) {
582 ret = 0;
583 } else if (pinned == num_pages) {
584 ret = st_set_pages(&obj->pages, pvec, num_pages);
585 if (ret == 0) {
586 list_add_tail(&obj->global_list, &to_i915(dev)->mm.unbound_list);
587 pinned = 0;
588 }
589 }
590
591 obj->userptr.work = ERR_PTR(ret);
592 obj->userptr.workers--;
593 drm_gem_object_unreference(&obj->base);
594 mutex_unlock(&dev->struct_mutex);
595
596 release_pages(pvec, pinned, 0);
597 drm_free_large(pvec);
598
599 put_task_struct(work->task);
600 kfree(work);
601 }
602
603 static int
i915_gem_userptr_get_pages(struct drm_i915_gem_object * obj)604 i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj)
605 {
606 const int num_pages = obj->base.size >> PAGE_SHIFT;
607 struct page **pvec;
608 int pinned, ret;
609
610 /* If userspace should engineer that these pages are replaced in
611 * the vma between us binding this page into the GTT and completion
612 * of rendering... Their loss. If they change the mapping of their
613 * pages they need to create a new bo to point to the new vma.
614 *
615 * However, that still leaves open the possibility of the vma
616 * being copied upon fork. Which falls under the same userspace
617 * synchronisation issue as a regular bo, except that this time
618 * the process may not be expecting that a particular piece of
619 * memory is tied to the GPU.
620 *
621 * Fortunately, we can hook into the mmu_notifier in order to
622 * discard the page references prior to anything nasty happening
623 * to the vma (discard or cloning) which should prevent the more
624 * egregious cases from causing harm.
625 */
626
627 pvec = NULL;
628 pinned = 0;
629 if (obj->userptr.mm->mm == current->mm) {
630 pvec = kmalloc(num_pages*sizeof(struct page *),
631 GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
632 if (pvec == NULL) {
633 pvec = drm_malloc_ab(num_pages, sizeof(struct page *));
634 if (pvec == NULL)
635 return -ENOMEM;
636 }
637
638 pinned = __get_user_pages_fast(obj->userptr.ptr, num_pages,
639 !obj->userptr.read_only, pvec);
640 }
641 if (pinned < num_pages) {
642 if (pinned < 0) {
643 ret = pinned;
644 pinned = 0;
645 } else {
646 /* Spawn a worker so that we can acquire the
647 * user pages without holding our mutex. Access
648 * to the user pages requires mmap_sem, and we have
649 * a strict lock ordering of mmap_sem, struct_mutex -
650 * we already hold struct_mutex here and so cannot
651 * call gup without encountering a lock inversion.
652 *
653 * Userspace will keep on repeating the operation
654 * (thanks to EAGAIN) until either we hit the fast
655 * path or the worker completes. If the worker is
656 * cancelled or superseded, the task is still run
657 * but the results ignored. (This leads to
658 * complications that we may have a stray object
659 * refcount that we need to be wary of when
660 * checking for existing objects during creation.)
661 * If the worker encounters an error, it reports
662 * that error back to this function through
663 * obj->userptr.work = ERR_PTR.
664 */
665 ret = -EAGAIN;
666 if (obj->userptr.work == NULL &&
667 obj->userptr.workers < I915_GEM_USERPTR_MAX_WORKERS) {
668 struct get_pages_work *work;
669
670 work = kmalloc(sizeof(*work), GFP_KERNEL);
671 if (work != NULL) {
672 obj->userptr.work = &work->work;
673 obj->userptr.workers++;
674
675 work->obj = obj;
676 drm_gem_object_reference(&obj->base);
677
678 work->task = current;
679 get_task_struct(work->task);
680
681 INIT_WORK(&work->work, __i915_gem_userptr_get_pages_worker);
682 schedule_work(&work->work);
683 } else
684 ret = -ENOMEM;
685 } else {
686 if (IS_ERR(obj->userptr.work)) {
687 ret = PTR_ERR(obj->userptr.work);
688 obj->userptr.work = NULL;
689 }
690 }
691 }
692 } else {
693 ret = st_set_pages(&obj->pages, pvec, num_pages);
694 if (ret == 0) {
695 obj->userptr.work = NULL;
696 pinned = 0;
697 }
698 }
699
700 release_pages(pvec, pinned, 0);
701 drm_free_large(pvec);
702 return ret;
703 }
704
705 static void
i915_gem_userptr_put_pages(struct drm_i915_gem_object * obj)706 i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj)
707 {
708 struct sg_page_iter sg_iter;
709
710 BUG_ON(obj->userptr.work != NULL);
711
712 if (obj->madv != I915_MADV_WILLNEED)
713 obj->dirty = 0;
714
715 for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, 0) {
716 struct page *page = sg_page_iter_page(&sg_iter);
717
718 if (obj->dirty)
719 set_page_dirty(page);
720
721 mark_page_accessed(page);
722 page_cache_release(page);
723 }
724 obj->dirty = 0;
725
726 sg_free_table(obj->pages);
727 kfree(obj->pages);
728 }
729
730 static void
i915_gem_userptr_release(struct drm_i915_gem_object * obj)731 i915_gem_userptr_release(struct drm_i915_gem_object *obj)
732 {
733 i915_gem_userptr_release__mmu_notifier(obj);
734 i915_gem_userptr_release__mm_struct(obj);
735 }
736
737 static int
i915_gem_userptr_dmabuf_export(struct drm_i915_gem_object * obj)738 i915_gem_userptr_dmabuf_export(struct drm_i915_gem_object *obj)
739 {
740 if (obj->userptr.mmu_object)
741 return 0;
742
743 return i915_gem_userptr_init__mmu_notifier(obj, 0);
744 }
745
746 static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = {
747 .dmabuf_export = i915_gem_userptr_dmabuf_export,
748 .get_pages = i915_gem_userptr_get_pages,
749 .put_pages = i915_gem_userptr_put_pages,
750 .release = i915_gem_userptr_release,
751 };
752
753 /**
754 * Creates a new mm object that wraps some normal memory from the process
755 * context - user memory.
756 *
757 * We impose several restrictions upon the memory being mapped
758 * into the GPU.
759 * 1. It must be page aligned (both start/end addresses, i.e ptr and size).
760 * 2. It must be normal system memory, not a pointer into another map of IO
761 * space (e.g. it must not be a GTT mmapping of another object).
762 * 3. We only allow a bo as large as we could in theory map into the GTT,
763 * that is we limit the size to the total size of the GTT.
764 * 4. The bo is marked as being snoopable. The backing pages are left
765 * accessible directly by the CPU, but reads and writes by the GPU may
766 * incur the cost of a snoop (unless you have an LLC architecture).
767 *
768 * Synchronisation between multiple users and the GPU is left to userspace
769 * through the normal set-domain-ioctl. The kernel will enforce that the
770 * GPU relinquishes the VMA before it is returned back to the system
771 * i.e. upon free(), munmap() or process termination. However, the userspace
772 * malloc() library may not immediately relinquish the VMA after free() and
773 * instead reuse it whilst the GPU is still reading and writing to the VMA.
774 * Caveat emptor.
775 *
776 * Also note, that the object created here is not currently a "first class"
777 * object, in that several ioctls are banned. These are the CPU access
778 * ioctls: mmap(), pwrite and pread. In practice, you are expected to use
779 * direct access via your pointer rather than use those ioctls.
780 *
781 * If you think this is a good interface to use to pass GPU memory between
782 * drivers, please use dma-buf instead. In fact, wherever possible use
783 * dma-buf instead.
784 */
785 int
i915_gem_userptr_ioctl(struct drm_device * dev,void * data,struct drm_file * file)786 i915_gem_userptr_ioctl(struct drm_device *dev, void *data, struct drm_file *file)
787 {
788 struct drm_i915_private *dev_priv = dev->dev_private;
789 struct drm_i915_gem_userptr *args = data;
790 struct drm_i915_gem_object *obj;
791 int ret;
792 u32 handle;
793
794 if (args->flags & ~(I915_USERPTR_READ_ONLY |
795 I915_USERPTR_UNSYNCHRONIZED))
796 return -EINVAL;
797
798 if (offset_in_page(args->user_ptr | args->user_size))
799 return -EINVAL;
800
801 if (args->user_size > dev_priv->gtt.base.total)
802 return -E2BIG;
803
804 if (!access_ok(args->flags & I915_USERPTR_READ_ONLY ? VERIFY_READ : VERIFY_WRITE,
805 (char __user *)(unsigned long)args->user_ptr, args->user_size))
806 return -EFAULT;
807
808 if (args->flags & I915_USERPTR_READ_ONLY) {
809 /* On almost all of the current hw, we cannot tell the GPU that a
810 * page is readonly, so this is just a placeholder in the uAPI.
811 */
812 return -ENODEV;
813 }
814
815 obj = i915_gem_object_alloc(dev);
816 if (obj == NULL)
817 return -ENOMEM;
818
819 drm_gem_private_object_init(dev, &obj->base, args->user_size);
820 i915_gem_object_init(obj, &i915_gem_userptr_ops);
821 obj->cache_level = I915_CACHE_LLC;
822 obj->base.write_domain = I915_GEM_DOMAIN_CPU;
823 obj->base.read_domains = I915_GEM_DOMAIN_CPU;
824
825 obj->userptr.ptr = args->user_ptr;
826 obj->userptr.read_only = !!(args->flags & I915_USERPTR_READ_ONLY);
827
828 /* And keep a pointer to the current->mm for resolving the user pages
829 * at binding. This means that we need to hook into the mmu_notifier
830 * in order to detect if the mmu is destroyed.
831 */
832 ret = i915_gem_userptr_init__mm_struct(obj);
833 if (ret == 0)
834 ret = i915_gem_userptr_init__mmu_notifier(obj, args->flags);
835 if (ret == 0)
836 ret = drm_gem_handle_create(file, &obj->base, &handle);
837
838 /* drop reference from allocate - handle holds it now */
839 drm_gem_object_unreference_unlocked(&obj->base);
840 if (ret)
841 return ret;
842
843 args->handle = handle;
844 return 0;
845 }
846
847 int
i915_gem_init_userptr(struct drm_device * dev)848 i915_gem_init_userptr(struct drm_device *dev)
849 {
850 struct drm_i915_private *dev_priv = to_i915(dev);
851 mutex_init(&dev_priv->mm_lock);
852 hash_init(dev_priv->mm_structs);
853 return 0;
854 }
855