/*
 * SPDX-License-Identifier: MIT
 *
 * Copyright © 2014-2016 Intel Corporation
 */

#include <linux/mman.h>
#include <linux/sizes.h>

#include "gt/intel_gt.h"

#include "i915_drv.h"
#include "i915_gem_gtt.h"
#include "i915_gem_ioctls.h"
#include "i915_gem_object.h"
#include "i915_vma.h"
#include "intel_drv.h"

static inline bool
__vma_matches(struct vm_area_struct *vma, struct file *filp,
	      unsigned long addr, unsigned long size)
{
	if (vma->vm_file != filp)
		return false;

	return vma->vm_start == addr &&
	       (vma->vm_end - vma->vm_start) == PAGE_ALIGN(size);
}

/**
 * i915_gem_mmap_ioctl - Maps the contents of an object, returning the address
 *			 it is mapped to.
 * @dev: drm device
 * @data: ioctl data blob
 * @file: drm file
 *
 * While the mapping holds a reference on the contents of the object, it doesn't
 * imply a ref on the object itself.
 *
 * IMPORTANT:
 *
 * DRM driver writers who look at this function as an example for how to do GEM
 * mmap support, please don't implement mmap support like here. The modern way
 * to implement DRM mmap support is with an mmap offset ioctl (like
 * i915_gem_mmap_gtt) and then using the mmap syscall on the DRM fd directly.
 * That way debug tooling like valgrind will understand what's going on;
 * hiding the mmap call in a driver-private ioctl will break that. The i915
 * driver only does cpu mmaps this way because we didn't know better.
 */
int
i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
		    struct drm_file *file)
{
	struct drm_i915_gem_mmap *args = data;
	struct drm_i915_gem_object *obj;
	unsigned long addr;

	if (args->flags & ~(I915_MMAP_WC))
		return -EINVAL;

	if (args->flags & I915_MMAP_WC && !boot_cpu_has(X86_FEATURE_PAT))
		return -ENODEV;

	obj = i915_gem_object_lookup(file, args->handle);
	if (!obj)
		return -ENOENT;

	/* prime objects have no backing filp to GEM mmap
	 * pages from.
	 */
	if (!obj->base.filp) {
		addr = -ENXIO;
		goto err;
	}

	if (range_overflows(args->offset, args->size, (u64)obj->base.size)) {
		addr = -EINVAL;
		goto err;
	}

	addr = vm_mmap(obj->base.filp, 0, args->size,
		       PROT_READ | PROT_WRITE, MAP_SHARED,
		       args->offset);
	if (IS_ERR_VALUE(addr))
		goto err;

	if (args->flags & I915_MMAP_WC) {
		struct mm_struct *mm = current->mm;
		struct vm_area_struct *vma;

		if (down_write_killable(&mm->mmap_sem)) {
			addr = -EINTR;
			goto err;
		}
		vma = find_vma(mm, addr);
		if (vma && __vma_matches(vma, obj->base.filp, addr, args->size))
			vma->vm_page_prot =
				pgprot_writecombine(vm_get_page_prot(vma->vm_flags));
		else
			addr = -ENOMEM;
		up_write(&mm->mmap_sem);
		if (IS_ERR_VALUE(addr))
			goto err;

		/* This may race, but that's ok, it only gets set */
		WRITE_ONCE(obj->frontbuffer_ggtt_origin, ORIGIN_CPU);
	}
	i915_gem_object_put(obj);

	args->addr_ptr = (u64)addr;
	return 0;

err:
	i915_gem_object_put(obj);
	return addr;
}
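
/*
 * Illustrative userspace usage of the ioctl above. This is only a sketch:
 * libdrm's drmIoctl() helper is assumed, error handling is elided, and
 * fd/handle/size are placeholders supplied by the caller. I915_MMAP_WC is
 * optional and requires PAT support (see the -ENODEV check above).
 *
 *	struct drm_i915_gem_mmap arg = {
 *		.handle = handle,
 *		.size = size,
 *		.flags = I915_MMAP_WC,
 *	};
 *	void *ptr = NULL;
 *
 *	if (drmIoctl(fd, DRM_IOCTL_I915_GEM_MMAP, &arg) == 0)
 *		ptr = (void *)(uintptr_t)arg.addr_ptr;
 *
 * New userspace should prefer the mmap-offset flow (see the sketch after
 * i915_gem_fault() below).
 */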

static unsigned int tile_row_pages(const struct drm_i915_gem_object *obj)
{
	return i915_gem_object_get_tile_row_size(obj) >> PAGE_SHIFT;
}

/**
 * i915_gem_mmap_gtt_version - report the current feature set for GTT mmaps
 *
 * A history of the GTT mmap interface:
 *
 * 0 - Everything had to fit into the GTT. Both parties of a memcpy had to
 *     be aligned and suitable for fencing, and still fit into the available
 *     mappable space left by the pinned display objects. A classic problem
 *     we called the page-fault-of-doom where we would ping-pong between
 *     two objects that could not fit inside the GTT and so the memcpy
 *     would page one object in at the expense of the other between every
 *     single byte.
 *
 * 1 - Objects can be any size, and have any compatible fencing (X, Y, or none
 *     as set via i915_gem_set_tiling() [DRM_I915_GEM_SET_TILING]). If the
 *     object is too large for the available space (or simply too large
 *     for the mappable aperture!), a view is created instead and faulted
 *     into userspace. (This view is aligned and sized appropriately for
 *     fenced access.)
 *
 * 2 - Recognise WC as a separate cache domain so that we can flush the
 *     delayed writes via GTT before performing direct access via WC.
 *
 * 3 - Remove implicit set-domain(GTT) and synchronisation on initial
 *     pagefault; swapin remains transparent.
 *
 * Restrictions:
 *
 *  * snoopable objects cannot be accessed via the GTT. Doing so can cause
 *    machine hangs on some architectures, corruption on others. An attempt
 *    to service a GTT page fault from a snoopable object will generate a
 *    SIGBUS.
 *
 *  * the object must be able to fit into RAM (physical memory, though not
 *    limited to the mappable aperture).
 *
 * Caveats:
 *
 *  * a new GTT page fault will synchronize rendering from the GPU and flush
 *    all data to system memory. Subsequent access will not be synchronized.
 *
 *  * all mappings are revoked on runtime device suspend.
 *
 *  * there are only 8, 16 or 32 fence registers to share between all users
 *    (older machines require a fence register for display and blitter access
 *    as well). Contention of the fence registers will cause the previous users
 *    to be unmapped and any new access will generate new page faults.
 *
 *  * running out of memory while servicing a fault may generate a SIGBUS,
 *    rather than the expected SIGSEGV.
 */
int i915_gem_mmap_gtt_version(void)
{
	return 3;
}
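
/*
 * The version reported above is exposed to userspace as
 * I915_PARAM_MMAP_GTT_VERSION. A rough sketch of how userspace can query it,
 * assuming libdrm's drmIoctl() and eliding error handling; a version >= 1
 * means objects larger than the mappable aperture can still be GTT mmapped
 * (via partial views). use_partial_view_capable_paths() stands in for a
 * hypothetical caller-side helper:
 *
 *	int version = 0;
 *	struct drm_i915_getparam gp = {
 *		.param = I915_PARAM_MMAP_GTT_VERSION,
 *		.value = &version,
 *	};
 *
 *	if (drmIoctl(fd, DRM_IOCTL_I915_GETPARAM, &gp) == 0 && version >= 1)
 *		use_partial_view_capable_paths();
 */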

static inline struct i915_ggtt_view
compute_partial_view(const struct drm_i915_gem_object *obj,
		     pgoff_t page_offset,
		     unsigned int chunk)
{
	struct i915_ggtt_view view;

	if (i915_gem_object_is_tiled(obj))
		chunk = roundup(chunk, tile_row_pages(obj));

	view.type = I915_GGTT_VIEW_PARTIAL;
	view.partial.offset = rounddown(page_offset, chunk);
	view.partial.size =
		min_t(unsigned int, chunk,
		      (obj->base.size >> PAGE_SHIFT) - view.partial.offset);

	/* If the partial covers the entire object, just create a normal VMA. */
	if (chunk >= obj->base.size >> PAGE_SHIFT)
		view.type = I915_GGTT_VIEW_NORMAL;

	return view;
}
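
/*
 * Worked example (assuming 4KiB pages, so MIN_CHUNK_PAGES == 256): a fault
 * at page_offset 1000 of an untiled 16MiB object (4096 pages) yields
 * view.partial.offset == rounddown(1000, 256) == 768 and
 * view.partial.size == min(256, 4096 - 768) == 256, i.e. a partial view
 * covering pages [768, 1024). As the chunk (256) is smaller than the object
 * (4096 pages), the view stays I915_GGTT_VIEW_PARTIAL; only when the chunk
 * covers the whole object does it collapse to a normal view. For tiled
 * objects the chunk is first rounded up to a whole number of tile rows so
 * the view remains suitable for fencing.
 */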

/**
 * i915_gem_fault - fault a page into the GTT
 * @vmf: fault info
 *
 * The fault handler is set up by drm_gem_mmap() when an object is GTT mapped
 * from userspace. The fault handler takes care of binding the object to
 * the GTT (if needed), allocating and programming a fence register (again,
 * only if needed based on whether the old reg is still valid or the object
 * is tiled) and inserting a new PTE into the faulting process.
 *
 * Note that the faulting process may involve evicting existing objects
 * from the GTT and/or fence registers to make room. So performance may
 * suffer if the GTT working set is large or there are few fence registers
 * left.
 *
 * The current feature set supported by i915_gem_fault() and thus GTT mmaps
 * is exposed via I915_PARAM_MMAP_GTT_VERSION (see i915_gem_mmap_gtt_version).
 */
vm_fault_t i915_gem_fault(struct vm_fault *vmf)
{
#define MIN_CHUNK_PAGES (SZ_1M >> PAGE_SHIFT)
	struct vm_area_struct *area = vmf->vma;
	struct drm_i915_gem_object *obj = to_intel_bo(area->vm_private_data);
	struct drm_device *dev = obj->base.dev;
	struct drm_i915_private *i915 = to_i915(dev);
	struct intel_runtime_pm *rpm = &i915->runtime_pm;
	struct i915_ggtt *ggtt = &i915->ggtt;
	bool write = area->vm_flags & VM_WRITE;
	intel_wakeref_t wakeref;
	struct i915_vma *vma;
	pgoff_t page_offset;
	int srcu;
	int ret;

	/* Sanity check that we allow writing into this object */
	if (i915_gem_object_is_readonly(obj) && write)
		return VM_FAULT_SIGBUS;

	/* We don't use vmf->pgoff since that has the fake offset */
	page_offset = (vmf->address - area->vm_start) >> PAGE_SHIFT;

	trace_i915_gem_object_fault(obj, page_offset, true, write);

	ret = i915_gem_object_pin_pages(obj);
	if (ret)
		goto err;

	wakeref = intel_runtime_pm_get(rpm);

	srcu = intel_gt_reset_trylock(ggtt->vm.gt);
	if (srcu < 0) {
		ret = srcu;
		goto err_rpm;
	}

	ret = i915_mutex_lock_interruptible(dev);
	if (ret)
		goto err_reset;

	/* Access to snoopable pages through the GTT is incoherent. */
	if (obj->cache_level != I915_CACHE_NONE && !HAS_LLC(i915)) {
		ret = -EFAULT;
		goto err_unlock;
	}

	/* Now pin it into the GTT as needed */
	vma = i915_gem_object_ggtt_pin(obj, NULL, 0, 0,
				       PIN_MAPPABLE |
				       PIN_NONBLOCK |
				       PIN_NONFAULT);
	if (IS_ERR(vma)) {
		/* Use a partial view if it is bigger than available space */
		struct i915_ggtt_view view =
			compute_partial_view(obj, page_offset, MIN_CHUNK_PAGES);
		unsigned int flags;

		flags = PIN_MAPPABLE;
		if (view.type == I915_GGTT_VIEW_NORMAL)
			flags |= PIN_NONBLOCK; /* avoid warnings for pinned */

		/*
		 * Userspace is now writing through an untracked VMA, abandon
		 * all hope that the hardware is able to track future writes.
		 */
		obj->frontbuffer_ggtt_origin = ORIGIN_CPU;

		vma = i915_gem_object_ggtt_pin(obj, &view, 0, 0, flags);
		if (IS_ERR(vma) && !view.type) {
			flags = PIN_MAPPABLE;
			view.type = I915_GGTT_VIEW_PARTIAL;
			vma = i915_gem_object_ggtt_pin(obj, &view, 0, 0, flags);
		}
	}
	if (IS_ERR(vma)) {
		ret = PTR_ERR(vma);
		goto err_unlock;
	}

	ret = i915_vma_pin_fence(vma);
	if (ret)
		goto err_unpin;

	/* Finally, remap it using the new GTT offset */
	ret = remap_io_mapping(area,
			       area->vm_start + (vma->ggtt_view.partial.offset << PAGE_SHIFT),
			       (ggtt->gmadr.start + vma->node.start) >> PAGE_SHIFT,
			       min_t(u64, vma->size, area->vm_end - area->vm_start),
			       &ggtt->iomap);
	if (ret)
		goto err_fence;

	/* Mark as being mmapped into userspace for later revocation */
	assert_rpm_wakelock_held(rpm);
	if (!i915_vma_set_userfault(vma) && !obj->userfault_count++)
		list_add(&obj->userfault_link, &i915->ggtt.userfault_list);
	if (CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND)
		intel_wakeref_auto(&i915->ggtt.userfault_wakeref,
				   msecs_to_jiffies_timeout(CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND));
	GEM_BUG_ON(!obj->userfault_count);

	i915_vma_set_ggtt_write(vma);

err_fence:
	i915_vma_unpin_fence(vma);
err_unpin:
	__i915_vma_unpin(vma);
err_unlock:
	mutex_unlock(&dev->struct_mutex);
err_reset:
	intel_gt_reset_unlock(ggtt->vm.gt, srcu);
err_rpm:
	intel_runtime_pm_put(rpm, wakeref);
	i915_gem_object_unpin_pages(obj);
err:
	switch (ret) {
	case -EIO:
		/*
		 * We eat errors when the gpu is terminally wedged to avoid
		 * userspace unduly crashing (gl has no provisions for mmaps to
		 * fail). But any other -EIO isn't ours (e.g. swap in failure)
		 * and so needs to be reported.
		 */
		if (!intel_gt_is_wedged(ggtt->vm.gt))
			return VM_FAULT_SIGBUS;
		/* else, fall through */
	case -EAGAIN:
		/*
		 * EAGAIN means the gpu is hung and we'll wait for the error
		 * handler to reset everything when re-faulting in
		 * i915_mutex_lock_interruptible.
		 */
	case 0:
	case -ERESTARTSYS:
	case -EINTR:
	case -EBUSY:
		/*
		 * EBUSY is ok: this just means that another thread
		 * already did the job.
		 */
		return VM_FAULT_NOPAGE;
	case -ENOMEM:
		return VM_FAULT_OOM;
	case -ENOSPC:
	case -EFAULT:
		return VM_FAULT_SIGBUS;
	default:
		WARN_ONCE(ret, "unhandled error in %s: %i\n", __func__, ret);
		return VM_FAULT_SIGBUS;
	}
}
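
/*
 * The fault handler above services mappings created via the mmap-offset
 * flow. Roughly, from userspace (libdrm's drmIoctl() assumed, error handling
 * elided; fd/handle/size are placeholders supplied by the caller):
 *
 *	struct drm_i915_gem_mmap_gtt arg = { .handle = handle };
 *	void *ptr;
 *
 *	drmIoctl(fd, DRM_IOCTL_I915_GEM_MMAP_GTT, &arg);
 *	ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED,
 *		   fd, arg.offset);
 *
 * The mmap() is made on the DRM fd itself at the fake offset returned by
 * the ioctl (see i915_gem_mmap_gtt_ioctl() below); accesses are then
 * faulted in on demand via i915_gem_fault().
 */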

void __i915_gem_object_release_mmap(struct drm_i915_gem_object *obj)
{
	struct i915_vma *vma;

	GEM_BUG_ON(!obj->userfault_count);

	obj->userfault_count = 0;
	list_del(&obj->userfault_link);
	drm_vma_node_unmap(&obj->base.vma_node,
			   obj->base.dev->anon_inode->i_mapping);

	for_each_ggtt_vma(vma, obj)
		i915_vma_unset_userfault(vma);
}

/**
 * i915_gem_object_release_mmap - remove physical page mappings
 * @obj: obj in question
 *
 * Preserve the reservation of the mmapping with the DRM core code, but
 * relinquish ownership of the pages back to the system.
 *
 * It is vital that we remove the page mapping if we have mapped a tiled
 * object through the GTT and then lose the fence register due to
 * resource pressure. Similarly if the object has been moved out of the
 * aperture, then pages mapped into userspace must be revoked. Removing the
 * mapping will then trigger a page fault on the next user access, allowing
 * fixup by i915_gem_fault().
 */
void i915_gem_object_release_mmap(struct drm_i915_gem_object *obj)
{
	struct drm_i915_private *i915 = to_i915(obj->base.dev);
	intel_wakeref_t wakeref;

	/* Serialisation between user GTT access and our code depends upon
	 * revoking the CPU's PTE whilst the mutex is held. The next user
	 * pagefault then has to wait until we release the mutex.
	 *
	 * Note that RPM complicates this somewhat by adding an additional
	 * requirement that operations to the GGTT be made holding the RPM
	 * wakeref.
	 */
	lockdep_assert_held(&i915->drm.struct_mutex);
	wakeref = intel_runtime_pm_get(&i915->runtime_pm);

	if (!obj->userfault_count)
		goto out;

	__i915_gem_object_release_mmap(obj);

	/* Ensure that the CPU's PTEs are revoked and there are no outstanding
	 * memory transactions from userspace before we return. The TLB
	 * flushing implied by changing the PTEs above *should* be
	 * sufficient; an extra barrier here just provides us with a bit
	 * of paranoid documentation about our requirement to serialise
	 * memory writes before touching registers / GSM.
	 */
	wmb();

out:
	intel_runtime_pm_put(&i915->runtime_pm, wakeref);
}

static int create_mmap_offset(struct drm_i915_gem_object *obj)
{
	struct drm_i915_private *i915 = to_i915(obj->base.dev);
	int err;

	err = drm_gem_create_mmap_offset(&obj->base);
	if (likely(!err))
		return 0;

	/* Attempt to reap some mmap space from dead objects */
	do {
		err = i915_gem_wait_for_idle(i915,
					     I915_WAIT_INTERRUPTIBLE,
					     MAX_SCHEDULE_TIMEOUT);
		if (err)
			break;

		i915_gem_drain_freed_objects(i915);
		err = drm_gem_create_mmap_offset(&obj->base);
		if (!err)
			break;

	} while (flush_delayed_work(&i915->gem.retire_work));

	return err;
}

int
i915_gem_mmap_gtt(struct drm_file *file,
		  struct drm_device *dev,
		  u32 handle,
		  u64 *offset)
{
	struct drm_i915_gem_object *obj;
	int ret;

	obj = i915_gem_object_lookup(file, handle);
	if (!obj)
		return -ENOENT;

	ret = create_mmap_offset(obj);
	if (ret == 0)
		*offset = drm_vma_node_offset_addr(&obj->base.vma_node);

	i915_gem_object_put(obj);
	return ret;
}

/**
 * i915_gem_mmap_gtt_ioctl - prepare an object for GTT mmap'ing
 * @dev: DRM device
 * @data: GTT mapping ioctl data
 * @file: GEM object info
 *
 * Simply returns the fake offset to userspace so it can mmap it.
 * The mmap call will end up in drm_gem_mmap(), which will set things
 * up so we can get faults in the handler above.
 *
 * The fault handler will take care of binding the object into the GTT
 * (since it may have been evicted to make room for something), allocating
 * a fence register, and mapping the appropriate aperture address into
 * userspace.
 */
int
i915_gem_mmap_gtt_ioctl(struct drm_device *dev, void *data,
			struct drm_file *file)
{
	struct drm_i915_gem_mmap_gtt *args = data;

	return i915_gem_mmap_gtt(file, dev, args->handle, &args->offset);
}

#if IS_ENABLED(CONFIG_DRM_I915_SELFTEST)
#include "selftests/i915_gem_mman.c"
#endif