xref: /openbmc/linux/Documentation/mm/hmm.rst (revision 44900c3e)
1=====================================
2Heterogeneous Memory Management (HMM)
3=====================================
4
5Provide infrastructure and helpers to integrate non-conventional memory (device
6memory like GPU on board memory) into regular kernel path, with the cornerstone
7of this being specialized struct page for such memory (see sections 5 to 7 of
8this document).
9
10HMM also provides optional helpers for SVM (Share Virtual Memory), i.e.,
11allowing a device to transparently access program addresses coherently with
12the CPU meaning that any valid pointer on the CPU is also a valid pointer
13for the device. This is becoming mandatory to simplify the use of advanced
14heterogeneous computing where GPU, DSP, or FPGA are used to perform various
15computations on behalf of a process.
16
17This document is divided as follows: in the first section I expose the problems
18related to using device specific memory allocators. In the second section, I
19expose the hardware limitations that are inherent to many platforms. The third
20section gives an overview of the HMM design. The fourth section explains how
21CPU page-table mirroring works and the purpose of HMM in this context. The
22fifth section deals with how device memory is represented inside the kernel.
23Finally, the last section presents a new migration helper that allows
24leveraging the device DMA engine.
25
26.. contents:: :local:
27
28Problems of using a device specific memory allocator
29====================================================
30
31Devices with a large amount of on board memory (several gigabytes) like GPUs
32have historically managed their memory through dedicated driver specific APIs.
33This creates a disconnect between memory allocated and managed by a device
34driver and regular application memory (private anonymous, shared memory, or
35regular file backed memory). From here on I will refer to this aspect as split
36address space. I use shared address space to refer to the opposite situation:
37i.e., one in which any application memory region can be used by a device
38transparently.
39
40Split address space happens because devices can only access memory allocated
41through a device specific API. This implies that all memory objects in a program
42are not equal from the device point of view which complicates large programs
43that rely on a wide set of libraries.
44
45Concretely, this means that code that wants to leverage devices like GPUs needs
46to copy objects between generically allocated memory (malloc, mmap private, mmap
47share) and memory allocated through the device driver API (this still ends up
48with an mmap but of the device file).
49
50For flat data sets (array, grid, image, ...) this isn't too hard to achieve but
51for complex data sets (list, tree, ...) it's hard to get right. Duplicating a
52complex data set needs to re-map all the pointer relations between each of its
53elements. This is error prone and programs get harder to debug because of the
54duplicate data set and addresses.
55
56Split address space also means that libraries cannot transparently use data
57they are getting from the core program or another library and thus each library
58might have to duplicate its input data set using the device specific memory
59allocator. Large projects suffer from this and waste resources because of the
60various memory copies.
61
62Duplicating each library API to accept as input or output memory allocated by
63each device specific allocator is not a viable option. It would lead to a
64combinatorial explosion in the library entry points.
65
66Finally, with the advance of high level language constructs (in C++ but in
67other languages too) it is now possible for the compiler to leverage GPUs and
68other devices without programmer knowledge. Some compiler identified patterns
69are only do-able with a shared address space. It is also more reasonable to use
70a shared address space for all other patterns.
71
72
73I/O bus, device memory characteristics
74======================================
75
76I/O buses cripple shared address spaces due to a few limitations. Most I/O
77buses only allow basic memory access from device to main memory; even cache
78coherency is often optional. Access to device memory from a CPU is even more
79limited. More often than not, it is not cache coherent.
80
81If we only consider the PCIE bus, then a device can access main memory (often
82through an IOMMU) and be cache coherent with the CPUs. However, it only allows
83a limited set of atomic operations from the device on main memory. This is worse
84in the other direction: the CPU can only access a limited range of the device
85memory and cannot perform atomic operations on it. Thus device memory cannot
86be considered the same as regular memory from the kernel point of view.
87
88Another crippling factor is the limited bandwidth (~32GBytes/s with PCIE 4.0
89and 16 lanes). This is 33 times less than the fastest GPU memory (1 TBytes/s).
90The final limitation is latency. Access to main memory from the device has an
91order of magnitude higher latency than when the device accesses its own memory.
92
93Some platforms are developing new I/O buses or additions/modifications to PCIE
94to address some of these limitations (OpenCAPI, CCIX). They mainly allow
95two-way cache coherency between CPU and device and allow all atomic operations the
96architecture supports. Sadly, not all platforms are following this trend and
97some major architectures are left without hardware solutions to these problems.
98
99So for shared address space to make sense, not only must we allow devices to
100access any memory but we must also permit any memory to be migrated to device
101memory while the device is using it (blocking CPU access while it happens).
102
103
104Shared address space and migration
105==================================
106
107HMM intends to provide two main features. The first one is to share the address
108space by duplicating the CPU page table in the device page table so the same
109address points to the same physical memory for any valid main memory address in
110the process address space.
111
112To achieve this, HMM offers a set of helpers to populate the device page table
113while keeping track of CPU page table updates. Device page table updates are
114not as easy as CPU page table updates. To update the device page table, you must
115allocate a buffer (or use a pool of pre-allocated buffers) and write GPU
116specific commands in it to perform the update (unmap, cache invalidations, and
117flush, ...). This cannot be done through common code for all devices. Hence
118why HMM provides helpers to factor out everything that can be while leaving the
119hardware specific details to the device driver.
120
121The second mechanism HMM provides is a new kind of ZONE_DEVICE memory that
122allows allocating a struct page for each page of device memory. Those pages
123are special because the CPU cannot map them. However, they allow migrating
124main memory to device memory using existing migration mechanisms and everything
125looks like a page that is swapped out to disk from the CPU point of view. Using a
126struct page gives the easiest and cleanest integration with existing mm
127mechanisms. Here again, HMM only provides helpers, first to hotplug new ZONE_DEVICE
128memory for the device memory and second to perform migration. Policy decisions
129of what and when to migrate is left to the device driver.
130
131Note that any CPU access to a device page triggers a page fault and a migration
132back to main memory. For example, when a page backing a given CPU address A is
133migrated from a main memory page to a device page, then any CPU access to
134address A triggers a page fault and initiates a migration back to main memory.
135
136With these two features, HMM not only allows a device to mirror process address
137space and keeps both CPU and device page tables synchronized, but also
138leverages device memory by migrating the part of the data set that is actively being
139used by the device.
140
141
142Address space mirroring implementation and API
143==============================================
144
145Address space mirroring's main objective is to allow duplication of a range of
146CPU page table into a device page table; HMM helps keep both synchronized. A
147device driver that wants to mirror a process address space must start with the
148registration of a mmu_interval_notifier::
149
150 int mmu_interval_notifier_insert(struct mmu_interval_notifier *interval_sub,
151				  struct mm_struct *mm, unsigned long start,
152				  unsigned long length,
153				  const struct mmu_interval_notifier_ops *ops);
154
155During the ops->invalidate() callback the device driver must perform the
156update action to the range (mark range read only, or fully unmap, etc.). The
157device must complete the update before the driver callback returns.
158
159When the device driver wants to populate a range of virtual addresses, it can
160use::
161
162  int hmm_range_fault(struct hmm_range *range);
163
164It will trigger a page fault on missing or read-only entries if write access is
165requested (see below). Page faults use the generic mm page fault code path just
166like a CPU page fault.
167
168Both functions copy CPU page table entries into their pfns array argument. Each
169entry in that array corresponds to an address in the virtual range. HMM
170provides a set of flags to help the driver identify special CPU page table
171entries.
172
173Locking within the sync_cpu_device_pagetables() callback is the most important
174aspect the driver must respect in order to keep things properly synchronized.
175The usage pattern is::
176
177 int driver_populate_range(...)
178 {
179      struct hmm_range range;
180      ...
181
182      range.notifier = &interval_sub;
183      range.start = ...;
184      range.end = ...;
185      range.hmm_pfns = ...;
186
187      if (!mmget_not_zero(interval_sub->notifier.mm))
188          return -EFAULT;
189
190 again:
191      range.notifier_seq = mmu_interval_read_begin(&interval_sub);
192      mmap_read_lock(mm);
193      ret = hmm_range_fault(&range);
194      if (ret) {
195          mmap_read_unlock(mm);
196          if (ret == -EBUSY)
197                 goto again;
198          return ret;
199      }
200      mmap_read_unlock(mm);
201
202      take_lock(driver->update);
203      if (mmu_interval_read_retry(&ni, range.notifier_seq) {
204          release_lock(driver->update);
205          goto again;
206      }
207
208      /* Use pfns array content to update device page table,
209       * under the update lock */
210
211      release_lock(driver->update);
212      return 0;
213 }
214
215The driver->update lock is the same lock that the driver takes inside its
216invalidate() callback. That lock must be held before calling
217mmu_interval_read_retry() to avoid any race with a concurrent CPU page table
218update.
219
220Leverage default_flags and pfn_flags_mask
221=========================================
222
223The hmm_range struct has 2 fields, default_flags and pfn_flags_mask, that specify
224fault or snapshot policy for the whole range instead of having to set them
225for each entry in the pfns array.
226
227For instance if the device driver wants pages for a range with at least read
228permission, it sets::
229
230    range->default_flags = HMM_PFN_REQ_FAULT;
231    range->pfn_flags_mask = 0;
232
233and calls hmm_range_fault() as described above. This will fill fault all pages
234in the range with at least read permission.
235
236Now let's say the driver wants to do the same except for one page in the range for
237which it wants to have write permission. Now driver set::
238
239    range->default_flags = HMM_PFN_REQ_FAULT;
240    range->pfn_flags_mask = HMM_PFN_REQ_WRITE;
241    range->pfns[index_of_write] = HMM_PFN_REQ_WRITE;
242
243With this, HMM will fault in all pages with at least read (i.e., valid) and for the
244address == range->start + (index_of_write << PAGE_SHIFT) it will fault with
245write permission i.e., if the CPU pte does not have write permission set then HMM
246will call handle_mm_fault().
247
248After hmm_range_fault completes the flag bits are set to the current state of
249the page tables, ie HMM_PFN_VALID | HMM_PFN_WRITE will be set if the page is
250writable.
251
252
253Represent and manage device memory from core kernel point of view
254=================================================================
255
256Several different designs were tried to support device memory. The first one
257used a device specific data structure to keep information about migrated memory
258and HMM hooked itself in various places of mm code to handle any access to
259addresses that were backed by device memory. It turns out that this ended up
260replicating most of the fields of struct page and also needed many kernel code
261paths to be updated to understand this new kind of memory.
262
263Most kernel code paths never try to access the memory behind a page
264but only care about struct page contents. Because of this, HMM switched to
265directly using struct page for device memory which left most kernel code paths
266unaware of the difference. We only need to make sure that no one ever tries to
267map those pages from the CPU side.
268
269Migration to and from device memory
270===================================
271
272Because the CPU cannot access device memory directly, the device driver must
273use hardware DMA or device specific load/store instructions to migrate data.
274The migrate_vma_setup(), migrate_vma_pages(), and migrate_vma_finalize()
275functions are designed to make drivers easier to write and to centralize common
276code across drivers.
277
278Before migrating pages to device private memory, special device private
279``struct page`` need to be created. These will be used as special "swap"
280page table entries so that a CPU process will fault if it tries to access
281a page that has been migrated to device private memory.
282
283These can be allocated and freed with::
284
285    struct resource *res;
286    struct dev_pagemap pagemap;
287
288    res = request_free_mem_region(&iomem_resource, /* number of bytes */,
289                                  "name of driver resource");
290    pagemap.type = MEMORY_DEVICE_PRIVATE;
291    pagemap.range.start = res->start;
292    pagemap.range.end = res->end;
293    pagemap.nr_range = 1;
294    pagemap.ops = &device_devmem_ops;
295    memremap_pages(&pagemap, numa_node_id());
296
297    memunmap_pages(&pagemap);
298    release_mem_region(pagemap.range.start, range_len(&pagemap.range));
299
300There are also devm_request_free_mem_region(), devm_memremap_pages(),
301devm_memunmap_pages(), and devm_release_mem_region() when the resources can
302be tied to a ``struct device``.
303
304The overall migration steps are similar to migrating NUMA pages within system
305memory (see Documentation/mm/page_migration.rst) but the steps are split
306between device driver specific code and shared common code:
307
3081. ``mmap_read_lock()``
309
310   The device driver has to pass a ``struct vm_area_struct`` to
311   migrate_vma_setup() so the mmap_read_lock() or mmap_write_lock() needs to
312   be held for the duration of the migration.
313
3142. ``migrate_vma_setup(struct migrate_vma *args)``
315
316   The device driver initializes the ``struct migrate_vma`` fields and passes
317   the pointer to migrate_vma_setup(). The ``args->flags`` field is used to
318   filter which source pages should be migrated. For example, setting
319   ``MIGRATE_VMA_SELECT_SYSTEM`` will only migrate system memory and
320   ``MIGRATE_VMA_SELECT_DEVICE_PRIVATE`` will only migrate pages residing in
321   device private memory. If the latter flag is set, the ``args->pgmap_owner``
322   field is used to identify device private pages owned by the driver. This
323   avoids trying to migrate device private pages residing in other devices.
324   Currently only anonymous private VMA ranges can be migrated to or from
325   system memory and device private memory.
326
327   One of the first steps migrate_vma_setup() does is to invalidate other
328   device's MMUs with the ``mmu_notifier_invalidate_range_start(()`` and
329   ``mmu_notifier_invalidate_range_end()`` calls around the page table
330   walks to fill in the ``args->src`` array with PFNs to be migrated.
331   The ``invalidate_range_start()`` callback is passed a
332   ``struct mmu_notifier_range`` with the ``event`` field set to
333   ``MMU_NOTIFY_MIGRATE`` and the ``owner`` field set to
334   the ``args->pgmap_owner`` field passed to migrate_vma_setup(). This is
335   allows the device driver to skip the invalidation callback and only
336   invalidate device private MMU mappings that are actually migrating.
337   This is explained more in the next section.
338
339   While walking the page tables, a ``pte_none()`` or ``is_zero_pfn()``
340   entry results in a valid "zero" PFN stored in the ``args->src`` array.
341   This lets the driver allocate device private memory and clear it instead
342   of copying a page of zeros. Valid PTE entries to system memory or
343   device private struct pages will be locked with ``lock_page()``, isolated
344   from the LRU (if system memory since device private pages are not on
345   the LRU), unmapped from the process, and a special migration PTE is
346   inserted in place of the original PTE.
347   migrate_vma_setup() also clears the ``args->dst`` array.
348
3493. The device driver allocates destination pages and copies source pages to
350   destination pages.
351
352   The driver checks each ``src`` entry to see if the ``MIGRATE_PFN_MIGRATE``
353   bit is set and skips entries that are not migrating. The device driver
354   can also choose to skip migrating a page by not filling in the ``dst``
355   array for that page.
356
357   The driver then allocates either a device private struct page or a
358   system memory page, locks the page with ``lock_page()``, and fills in the
359   ``dst`` array entry with::
360
361     dst[i] = migrate_pfn(page_to_pfn(dpage));
362
363   Now that the driver knows that this page is being migrated, it can
364   invalidate device private MMU mappings and copy device private memory
365   to system memory or another device private page. The core Linux kernel
366   handles CPU page table invalidations so the device driver only has to
367   invalidate its own MMU mappings.
368
369   The driver can use ``migrate_pfn_to_page(src[i])`` to get the
370   ``struct page`` of the source and either copy the source page to the
371   destination or clear the destination device private memory if the pointer
372   is ``NULL`` meaning the source page was not populated in system memory.
373
3744. ``migrate_vma_pages()``
375
376   This step is where the migration is actually "committed".
377
378   If the source page was a ``pte_none()`` or ``is_zero_pfn()`` page, this
379   is where the newly allocated page is inserted into the CPU's page table.
380   This can fail if a CPU thread faults on the same page. However, the page
381   table is locked and only one of the new pages will be inserted.
382   The device driver will see that the ``MIGRATE_PFN_MIGRATE`` bit is cleared
383   if it loses the race.
384
385   If the source page was locked, isolated, etc. the source ``struct page``
386   information is now copied to destination ``struct page`` finalizing the
387   migration on the CPU side.
388
3895. Device driver updates device MMU page tables for pages still migrating,
390   rolling back pages not migrating.
391
392   If the ``src`` entry still has ``MIGRATE_PFN_MIGRATE`` bit set, the device
393   driver can update the device MMU and set the write enable bit if the
394   ``MIGRATE_PFN_WRITE`` bit is set.
395
3966. ``migrate_vma_finalize()``
397
398   This step replaces the special migration page table entry with the new
399   page's page table entry and releases the reference to the source and
400   destination ``struct page``.
401
4027. ``mmap_read_unlock()``
403
404   The lock can now be released.
405
406Exclusive access memory
407=======================
408
409Some devices have features such as atomic PTE bits that can be used to implement
410atomic access to system memory. To support atomic operations to a shared virtual
411memory page such a device needs access to that page which is exclusive of any
412userspace access from the CPU. The ``make_device_exclusive_range()`` function
413can be used to make a memory range inaccessible from userspace.
414
415This replaces all mappings for pages in the given range with special swap
416entries. Any attempt to access the swap entry results in a fault which is
417resovled by replacing the entry with the original mapping. A driver gets
418notified that the mapping has been changed by MMU notifiers, after which point
419it will no longer have exclusive access to the page. Exclusive access is
420guranteed to last until the driver drops the page lock and page reference, at
421which point any CPU faults on the page may proceed as described.
422
423Memory cgroup (memcg) and rss accounting
424========================================
425
426For now, device memory is accounted as any regular page in rss counters (either
427anonymous if device page is used for anonymous, file if device page is used for
428file backed page, or shmem if device page is used for shared memory). This is a
429deliberate choice to keep existing applications, that might start using device
430memory without knowing about it, running unimpacted.
431
432A drawback is that the OOM killer might kill an application using a lot of
433device memory and not a lot of regular system memory and thus not freeing much
434system memory. We want to gather more real world experience on how applications
435and system react under memory pressure in the presence of device memory before
436deciding to account device memory differently.
437
438
439Same decision was made for memory cgroup. Device memory pages are accounted
440against same memory cgroup a regular page would be accounted to. This does
441simplify migration to and from device memory. This also means that migration
442back from device memory to regular memory cannot fail because it would
443go above memory cgroup limit. We might revisit this choice latter on once we
444get more experience in how device memory is used and its impact on memory
445resource control.
446
447
448Note that device memory can never be pinned by a device driver nor through GUP
449and thus such memory is always free upon process exit. Or when last reference
450is dropped in case of shared memory or file backed memory.
451