1 /* 2 * SPDX-License-Identifier: MIT 3 * 4 * Copyright © 2014-2016 Intel Corporation 5 */ 6 7 #include <linux/mman.h> 8 #include <linux/sizes.h> 9 10 #include "gt/intel_gt.h" 11 #include "gt/intel_gt_requests.h" 12 13 #include "i915_drv.h" 14 #include "i915_gem_gtt.h" 15 #include "i915_gem_ioctls.h" 16 #include "i915_gem_object.h" 17 #include "i915_trace.h" 18 #include "i915_vma.h" 19 20 static inline bool 21 __vma_matches(struct vm_area_struct *vma, struct file *filp, 22 unsigned long addr, unsigned long size) 23 { 24 if (vma->vm_file != filp) 25 return false; 26 27 return vma->vm_start == addr && 28 (vma->vm_end - vma->vm_start) == PAGE_ALIGN(size); 29 } 30 31 /** 32 * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address 33 * it is mapped to. 34 * @dev: drm device 35 * @data: ioctl data blob 36 * @file: drm file 37 * 38 * While the mapping holds a reference on the contents of the object, it doesn't 39 * imply a ref on the object itself. 40 * 41 * IMPORTANT: 42 * 43 * DRM driver writers who look a this function as an example for how to do GEM 44 * mmap support, please don't implement mmap support like here. The modern way 45 * to implement DRM mmap support is with an mmap offset ioctl (like 46 * i915_gem_mmap_gtt) and then using the mmap syscall on the DRM fd directly. 47 * That way debug tooling like valgrind will understand what's going on, hiding 48 * the mmap call in a driver private ioctl will break that. The i915 driver only 49 * does cpu mmaps this way because we didn't know better. 50 */ 51 int 52 i915_gem_mmap_ioctl(struct drm_device *dev, void *data, 53 struct drm_file *file) 54 { 55 struct drm_i915_gem_mmap *args = data; 56 struct drm_i915_gem_object *obj; 57 unsigned long addr; 58 59 if (args->flags & ~(I915_MMAP_WC)) 60 return -EINVAL; 61 62 if (args->flags & I915_MMAP_WC && !boot_cpu_has(X86_FEATURE_PAT)) 63 return -ENODEV; 64 65 obj = i915_gem_object_lookup(file, args->handle); 66 if (!obj) 67 return -ENOENT; 68 69 /* prime objects have no backing filp to GEM mmap 70 * pages from. 71 */ 72 if (!obj->base.filp) { 73 addr = -ENXIO; 74 goto err; 75 } 76 77 if (range_overflows(args->offset, args->size, (u64)obj->base.size)) { 78 addr = -EINVAL; 79 goto err; 80 } 81 82 addr = vm_mmap(obj->base.filp, 0, args->size, 83 PROT_READ | PROT_WRITE, MAP_SHARED, 84 args->offset); 85 if (IS_ERR_VALUE(addr)) 86 goto err; 87 88 if (args->flags & I915_MMAP_WC) { 89 struct mm_struct *mm = current->mm; 90 struct vm_area_struct *vma; 91 92 if (down_write_killable(&mm->mmap_sem)) { 93 addr = -EINTR; 94 goto err; 95 } 96 vma = find_vma(mm, addr); 97 if (vma && __vma_matches(vma, obj->base.filp, addr, args->size)) 98 vma->vm_page_prot = 99 pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); 100 else 101 addr = -ENOMEM; 102 up_write(&mm->mmap_sem); 103 if (IS_ERR_VALUE(addr)) 104 goto err; 105 } 106 i915_gem_object_put(obj); 107 108 args->addr_ptr = (u64)addr; 109 return 0; 110 111 err: 112 i915_gem_object_put(obj); 113 return addr; 114 } 115 116 static unsigned int tile_row_pages(const struct drm_i915_gem_object *obj) 117 { 118 return i915_gem_object_get_tile_row_size(obj) >> PAGE_SHIFT; 119 } 120 121 /** 122 * i915_gem_mmap_gtt_version - report the current feature set for GTT mmaps 123 * 124 * A history of the GTT mmap interface: 125 * 126 * 0 - Everything had to fit into the GTT. Both parties of a memcpy had to 127 * aligned and suitable for fencing, and still fit into the available 128 * mappable space left by the pinned display objects. A classic problem 129 * we called the page-fault-of-doom where we would ping-pong between 130 * two objects that could not fit inside the GTT and so the memcpy 131 * would page one object in at the expense of the other between every 132 * single byte. 133 * 134 * 1 - Objects can be any size, and have any compatible fencing (X Y, or none 135 * as set via i915_gem_set_tiling() [DRM_I915_GEM_SET_TILING]). If the 136 * object is too large for the available space (or simply too large 137 * for the mappable aperture!), a view is created instead and faulted 138 * into userspace. (This view is aligned and sized appropriately for 139 * fenced access.) 140 * 141 * 2 - Recognise WC as a separate cache domain so that we can flush the 142 * delayed writes via GTT before performing direct access via WC. 143 * 144 * 3 - Remove implicit set-domain(GTT) and synchronisation on initial 145 * pagefault; swapin remains transparent. 146 * 147 * Restrictions: 148 * 149 * * snoopable objects cannot be accessed via the GTT. It can cause machine 150 * hangs on some architectures, corruption on others. An attempt to service 151 * a GTT page fault from a snoopable object will generate a SIGBUS. 152 * 153 * * the object must be able to fit into RAM (physical memory, though no 154 * limited to the mappable aperture). 155 * 156 * 157 * Caveats: 158 * 159 * * a new GTT page fault will synchronize rendering from the GPU and flush 160 * all data to system memory. Subsequent access will not be synchronized. 161 * 162 * * all mappings are revoked on runtime device suspend. 163 * 164 * * there are only 8, 16 or 32 fence registers to share between all users 165 * (older machines require fence register for display and blitter access 166 * as well). Contention of the fence registers will cause the previous users 167 * to be unmapped and any new access will generate new page faults. 168 * 169 * * running out of memory while servicing a fault may generate a SIGBUS, 170 * rather than the expected SIGSEGV. 171 */ 172 int i915_gem_mmap_gtt_version(void) 173 { 174 return 3; 175 } 176 177 static inline struct i915_ggtt_view 178 compute_partial_view(const struct drm_i915_gem_object *obj, 179 pgoff_t page_offset, 180 unsigned int chunk) 181 { 182 struct i915_ggtt_view view; 183 184 if (i915_gem_object_is_tiled(obj)) 185 chunk = roundup(chunk, tile_row_pages(obj)); 186 187 view.type = I915_GGTT_VIEW_PARTIAL; 188 view.partial.offset = rounddown(page_offset, chunk); 189 view.partial.size = 190 min_t(unsigned int, chunk, 191 (obj->base.size >> PAGE_SHIFT) - view.partial.offset); 192 193 /* If the partial covers the entire object, just create a normal VMA. */ 194 if (chunk >= obj->base.size >> PAGE_SHIFT) 195 view.type = I915_GGTT_VIEW_NORMAL; 196 197 return view; 198 } 199 200 /** 201 * i915_gem_fault - fault a page into the GTT 202 * @vmf: fault info 203 * 204 * The fault handler is set up by drm_gem_mmap() when a object is GTT mapped 205 * from userspace. The fault handler takes care of binding the object to 206 * the GTT (if needed), allocating and programming a fence register (again, 207 * only if needed based on whether the old reg is still valid or the object 208 * is tiled) and inserting a new PTE into the faulting process. 209 * 210 * Note that the faulting process may involve evicting existing objects 211 * from the GTT and/or fence registers to make room. So performance may 212 * suffer if the GTT working set is large or there are few fence registers 213 * left. 214 * 215 * The current feature set supported by i915_gem_fault() and thus GTT mmaps 216 * is exposed via I915_PARAM_MMAP_GTT_VERSION (see i915_gem_mmap_gtt_version). 217 */ 218 vm_fault_t i915_gem_fault(struct vm_fault *vmf) 219 { 220 #define MIN_CHUNK_PAGES (SZ_1M >> PAGE_SHIFT) 221 struct vm_area_struct *area = vmf->vma; 222 struct drm_i915_gem_object *obj = to_intel_bo(area->vm_private_data); 223 struct drm_device *dev = obj->base.dev; 224 struct drm_i915_private *i915 = to_i915(dev); 225 struct intel_runtime_pm *rpm = &i915->runtime_pm; 226 struct i915_ggtt *ggtt = &i915->ggtt; 227 bool write = area->vm_flags & VM_WRITE; 228 intel_wakeref_t wakeref; 229 struct i915_vma *vma; 230 pgoff_t page_offset; 231 int srcu; 232 int ret; 233 234 /* Sanity check that we allow writing into this object */ 235 if (i915_gem_object_is_readonly(obj) && write) 236 return VM_FAULT_SIGBUS; 237 238 /* We don't use vmf->pgoff since that has the fake offset */ 239 page_offset = (vmf->address - area->vm_start) >> PAGE_SHIFT; 240 241 trace_i915_gem_object_fault(obj, page_offset, true, write); 242 243 ret = i915_gem_object_pin_pages(obj); 244 if (ret) 245 goto err; 246 247 wakeref = intel_runtime_pm_get(rpm); 248 249 ret = intel_gt_reset_trylock(ggtt->vm.gt, &srcu); 250 if (ret) 251 goto err_rpm; 252 253 /* Now pin it into the GTT as needed */ 254 vma = i915_gem_object_ggtt_pin(obj, NULL, 0, 0, 255 PIN_MAPPABLE | 256 PIN_NONBLOCK /* NOWARN */ | 257 PIN_NOEVICT); 258 if (IS_ERR(vma)) { 259 /* Use a partial view if it is bigger than available space */ 260 struct i915_ggtt_view view = 261 compute_partial_view(obj, page_offset, MIN_CHUNK_PAGES); 262 unsigned int flags; 263 264 flags = PIN_MAPPABLE | PIN_NOSEARCH; 265 if (view.type == I915_GGTT_VIEW_NORMAL) 266 flags |= PIN_NONBLOCK; /* avoid warnings for pinned */ 267 268 /* 269 * Userspace is now writing through an untracked VMA, abandon 270 * all hope that the hardware is able to track future writes. 271 */ 272 273 vma = i915_gem_object_ggtt_pin(obj, &view, 0, 0, flags); 274 if (IS_ERR(vma)) { 275 flags = PIN_MAPPABLE; 276 view.type = I915_GGTT_VIEW_PARTIAL; 277 vma = i915_gem_object_ggtt_pin(obj, &view, 0, 0, flags); 278 } 279 280 /* The entire mappable GGTT is pinned? Unexpected! */ 281 GEM_BUG_ON(vma == ERR_PTR(-ENOSPC)); 282 } 283 if (IS_ERR(vma)) { 284 ret = PTR_ERR(vma); 285 goto err_reset; 286 } 287 288 /* Access to snoopable pages through the GTT is incoherent. */ 289 if (obj->cache_level != I915_CACHE_NONE && !HAS_LLC(i915)) { 290 ret = -EFAULT; 291 goto err_unpin; 292 } 293 294 ret = i915_vma_pin_fence(vma); 295 if (ret) 296 goto err_unpin; 297 298 /* Finally, remap it using the new GTT offset */ 299 ret = remap_io_mapping(area, 300 area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT), 301 (ggtt->gmadr.start + vma->node.start) >> PAGE_SHIFT, 302 min_t(u64, vma->size, area->vm_end - area->vm_start), 303 &ggtt->iomap); 304 if (ret) 305 goto err_fence; 306 307 assert_rpm_wakelock_held(rpm); 308 309 /* Mark as being mmapped into userspace for later revocation */ 310 mutex_lock(&i915->ggtt.vm.mutex); 311 if (!i915_vma_set_userfault(vma) && !obj->userfault_count++) 312 list_add(&obj->userfault_link, &i915->ggtt.userfault_list); 313 mutex_unlock(&i915->ggtt.vm.mutex); 314 315 if (IS_ACTIVE(CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND)) 316 intel_wakeref_auto(&i915->ggtt.userfault_wakeref, 317 msecs_to_jiffies_timeout(CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND)); 318 319 if (write) { 320 GEM_BUG_ON(!i915_gem_object_has_pinned_pages(obj)); 321 i915_vma_set_ggtt_write(vma); 322 obj->mm.dirty = true; 323 } 324 325 err_fence: 326 i915_vma_unpin_fence(vma); 327 err_unpin: 328 __i915_vma_unpin(vma); 329 err_reset: 330 intel_gt_reset_unlock(ggtt->vm.gt, srcu); 331 err_rpm: 332 intel_runtime_pm_put(rpm, wakeref); 333 i915_gem_object_unpin_pages(obj); 334 err: 335 switch (ret) { 336 default: 337 WARN_ONCE(ret, "unhandled error in %s: %i\n", __func__, ret); 338 /* fallthrough */ 339 case -EIO: /* shmemfs failure from swap device */ 340 case -EFAULT: /* purged object */ 341 case -ENODEV: /* bad object, how did you get here! */ 342 return VM_FAULT_SIGBUS; 343 344 case -ENOSPC: /* shmemfs allocation failure */ 345 case -ENOMEM: /* our allocation failure */ 346 return VM_FAULT_OOM; 347 348 case 0: 349 case -EAGAIN: 350 case -ERESTARTSYS: 351 case -EINTR: 352 case -EBUSY: 353 /* 354 * EBUSY is ok: this just means that another thread 355 * already did the job. 356 */ 357 return VM_FAULT_NOPAGE; 358 } 359 } 360 361 void __i915_gem_object_release_mmap(struct drm_i915_gem_object *obj) 362 { 363 struct i915_vma *vma; 364 365 GEM_BUG_ON(!obj->userfault_count); 366 367 obj->userfault_count = 0; 368 list_del(&obj->userfault_link); 369 drm_vma_node_unmap(&obj->base.vma_node, 370 obj->base.dev->anon_inode->i_mapping); 371 372 for_each_ggtt_vma(vma, obj) 373 i915_vma_unset_userfault(vma); 374 } 375 376 /** 377 * i915_gem_object_release_mmap - remove physical page mappings 378 * @obj: obj in question 379 * 380 * Preserve the reservation of the mmapping with the DRM core code, but 381 * relinquish ownership of the pages back to the system. 382 * 383 * It is vital that we remove the page mapping if we have mapped a tiled 384 * object through the GTT and then lose the fence register due to 385 * resource pressure. Similarly if the object has been moved out of the 386 * aperture, than pages mapped into userspace must be revoked. Removing the 387 * mapping will then trigger a page fault on the next user access, allowing 388 * fixup by i915_gem_fault(). 389 */ 390 void i915_gem_object_release_mmap(struct drm_i915_gem_object *obj) 391 { 392 struct drm_i915_private *i915 = to_i915(obj->base.dev); 393 intel_wakeref_t wakeref; 394 395 /* Serialisation between user GTT access and our code depends upon 396 * revoking the CPU's PTE whilst the mutex is held. The next user 397 * pagefault then has to wait until we release the mutex. 398 * 399 * Note that RPM complicates somewhat by adding an additional 400 * requirement that operations to the GGTT be made holding the RPM 401 * wakeref. 402 */ 403 wakeref = intel_runtime_pm_get(&i915->runtime_pm); 404 mutex_lock(&i915->ggtt.vm.mutex); 405 406 if (!obj->userfault_count) 407 goto out; 408 409 __i915_gem_object_release_mmap(obj); 410 411 /* Ensure that the CPU's PTE are revoked and there are not outstanding 412 * memory transactions from userspace before we return. The TLB 413 * flushing implied above by changing the PTE above *should* be 414 * sufficient, an extra barrier here just provides us with a bit 415 * of paranoid documentation about our requirement to serialise 416 * memory writes before touching registers / GSM. 417 */ 418 wmb(); 419 420 out: 421 mutex_unlock(&i915->ggtt.vm.mutex); 422 intel_runtime_pm_put(&i915->runtime_pm, wakeref); 423 } 424 425 static int create_mmap_offset(struct drm_i915_gem_object *obj) 426 { 427 struct drm_i915_private *i915 = to_i915(obj->base.dev); 428 struct intel_gt *gt = &i915->gt; 429 int err; 430 431 err = drm_gem_create_mmap_offset(&obj->base); 432 if (likely(!err)) 433 return 0; 434 435 /* Attempt to reap some mmap space from dead objects */ 436 err = intel_gt_retire_requests_timeout(gt, MAX_SCHEDULE_TIMEOUT); 437 if (err) 438 return err; 439 440 i915_gem_drain_freed_objects(i915); 441 return drm_gem_create_mmap_offset(&obj->base); 442 } 443 444 int 445 i915_gem_mmap_gtt(struct drm_file *file, 446 struct drm_device *dev, 447 u32 handle, 448 u64 *offset) 449 { 450 struct drm_i915_gem_object *obj; 451 int ret; 452 453 obj = i915_gem_object_lookup(file, handle); 454 if (!obj) 455 return -ENOENT; 456 457 if (i915_gem_object_never_bind_ggtt(obj)) { 458 ret = -ENODEV; 459 goto out; 460 } 461 462 ret = create_mmap_offset(obj); 463 if (ret == 0) 464 *offset = drm_vma_node_offset_addr(&obj->base.vma_node); 465 466 out: 467 i915_gem_object_put(obj); 468 return ret; 469 } 470 471 /** 472 * i915_gem_mmap_gtt_ioctl - prepare an object for GTT mmap'ing 473 * @dev: DRM device 474 * @data: GTT mapping ioctl data 475 * @file: GEM object info 476 * 477 * Simply returns the fake offset to userspace so it can mmap it. 478 * The mmap call will end up in drm_gem_mmap(), which will set things 479 * up so we can get faults in the handler above. 480 * 481 * The fault handler will take care of binding the object into the GTT 482 * (since it may have been evicted to make room for something), allocating 483 * a fence register, and mapping the appropriate aperture address into 484 * userspace. 485 */ 486 int 487 i915_gem_mmap_gtt_ioctl(struct drm_device *dev, void *data, 488 struct drm_file *file) 489 { 490 struct drm_i915_gem_mmap_gtt *args = data; 491 492 return i915_gem_mmap_gtt(file, dev, args->handle, &args->offset); 493 } 494 495 #if IS_ENABLED(CONFIG_DRM_I915_SELFTEST) 496 #include "selftests/i915_gem_mman.c" 497 #endif 498