1 /*
2  * SPDX-License-Identifier: MIT
3  *
4  * Copyright © 2012-2014 Intel Corporation
5  *
6   * Based on amdgpu_mn, which bears the following notice:
7  *
8  * Copyright 2014 Advanced Micro Devices, Inc.
9  * All Rights Reserved.
10  *
11  * Permission is hereby granted, free of charge, to any person obtaining a
12  * copy of this software and associated documentation files (the
13  * "Software"), to deal in the Software without restriction, including
14  * without limitation the rights to use, copy, modify, merge, publish,
15  * distribute, sub license, and/or sell copies of the Software, and to
16  * permit persons to whom the Software is furnished to do so, subject to
17  * the following conditions:
18  *
19  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
20  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
21  * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
22  * THE COPYRIGHT HOLDERS, AUTHORS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM,
23  * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
24  * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
25  * USE OR OTHER DEALINGS IN THE SOFTWARE.
26  *
27  * The above copyright notice and this permission notice (including the
28  * next paragraph) shall be included in all copies or substantial portions
29  * of the Software.
30  *
31  */
32 /*
33  * Authors:
34  *    Christian König <christian.koenig@amd.com>
35  */
36 
37 #include <linux/mmu_context.h>
38 #include <linux/mempolicy.h>
39 #include <linux/swap.h>
40 #include <linux/sched/mm.h>
41 
42 #include "i915_drv.h"
43 #include "i915_gem_ioctls.h"
44 #include "i915_gem_object.h"
45 #include "i915_gem_userptr.h"
46 #include "i915_scatterlist.h"
47 
48 #ifdef CONFIG_MMU_NOTIFIER
49 
50 /**
51  * i915_gem_userptr_invalidate - callback to notify about mm change
52  *
53  * @mni: the range (mm) is about to update
54  * @range: details on the invalidation
55  * @cur_seq: Value to pass to mmu_interval_set_seq()
56  *
57  * Block for operations on BOs to finish and mark pages as accessed and
58  * potentially dirty.
59  */
60 static bool i915_gem_userptr_invalidate(struct mmu_interval_notifier *mni,
61 					const struct mmu_notifier_range *range,
62 					unsigned long cur_seq)
63 {
64 	struct drm_i915_gem_object *obj = container_of(mni, struct drm_i915_gem_object, userptr.notifier);
65 	struct drm_i915_private *i915 = to_i915(obj->base.dev);
66 	long r;
67 
68 	if (!mmu_notifier_range_blockable(range))
69 		return false;
70 
71 	write_lock(&i915->mm.notifier_lock);
72 
73 	mmu_interval_set_seq(mni, cur_seq);
74 
75 	write_unlock(&i915->mm.notifier_lock);
76 
77 	/*
78 	 * We don't wait when the process is exiting. This is valid
79 	 * because the object will be cleaned up anyway.
80 	 *
81 	 * This is also temporarily required as a hack, because we
82 	 * cannot currently force non-consistent batch buffers to preempt
83 	 * and reschedule by waiting on it, hanging processes on exit.
84 	 */
85 	if (current->flags & PF_EXITING)
86 		return true;
87 
88 	/* we will unbind on next submission, still have userptr pins */
89 	r = dma_resv_wait_timeout(obj->base.resv, DMA_RESV_USAGE_BOOKKEEP, false,
90 				  MAX_SCHEDULE_TIMEOUT);
91 	if (r <= 0)
92 		drm_err(&i915->drm, "(%ld) failed to wait for idle\n", r);
93 
94 	return true;
95 }
96 
97 static const struct mmu_interval_notifier_ops i915_gem_userptr_notifier_ops = {
98 	.invalidate = i915_gem_userptr_invalidate,
99 };
100 
101 static int
102 i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj)
103 {
104 	return mmu_interval_notifier_insert(&obj->userptr.notifier, current->mm,
105 					    obj->userptr.ptr, obj->base.size,
106 					    &i915_gem_userptr_notifier_ops);
107 }
108 
109 static void i915_gem_object_userptr_drop_ref(struct drm_i915_gem_object *obj)
110 {
111 	struct page **pvec = NULL;
112 
113 	assert_object_held_shared(obj);
114 
115 	if (!--obj->userptr.page_ref) {
116 		pvec = obj->userptr.pvec;
117 		obj->userptr.pvec = NULL;
118 	}
119 	GEM_BUG_ON(obj->userptr.page_ref < 0);
120 
121 	if (pvec) {
122 		const unsigned long num_pages = obj->base.size >> PAGE_SHIFT;
123 
124 		unpin_user_pages(pvec, num_pages);
125 		kvfree(pvec);
126 	}
127 }
128 
129 static int i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj)
130 {
131 	unsigned int max_segment = i915_sg_segment_size(obj->base.dev->dev);
132 	struct sg_table *st;
133 	struct page **pvec;
134 	unsigned int num_pages; /* limited by sg_alloc_table_from_pages_segment */
135 	int ret;
136 
137 	if (overflows_type(obj->base.size >> PAGE_SHIFT, num_pages))
138 		return -E2BIG;
139 
140 	num_pages = obj->base.size >> PAGE_SHIFT;
141 	st = kmalloc(sizeof(*st), GFP_KERNEL);
142 	if (!st)
143 		return -ENOMEM;
144 
145 	if (!obj->userptr.page_ref) {
146 		ret = -EAGAIN;
147 		goto err_free;
148 	}
149 
150 	obj->userptr.page_ref++;
151 	pvec = obj->userptr.pvec;
152 
153 alloc_table:
154 	ret = sg_alloc_table_from_pages_segment(st, pvec, num_pages, 0,
155 						num_pages << PAGE_SHIFT,
156 						max_segment, GFP_KERNEL);
157 	if (ret)
158 		goto err;
159 
160 	ret = i915_gem_gtt_prepare_pages(obj, st);
161 	if (ret) {
162 		sg_free_table(st);
163 
164 		if (max_segment > PAGE_SIZE) {
165 			max_segment = PAGE_SIZE;
166 			goto alloc_table;
167 		}
168 
169 		goto err;
170 	}
171 
172 	WARN_ON_ONCE(!(obj->cache_coherent & I915_BO_CACHE_COHERENT_FOR_WRITE));
173 	if (i915_gem_object_can_bypass_llc(obj))
174 		obj->cache_dirty = true;
175 
176 	__i915_gem_object_set_pages(obj, st);
177 
178 	return 0;
179 
180 err:
181 	i915_gem_object_userptr_drop_ref(obj);
182 err_free:
183 	kfree(st);
184 	return ret;
185 }
186 
187 static void
188 i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj,
189 			   struct sg_table *pages)
190 {
191 	struct sgt_iter sgt_iter;
192 	struct page *page;
193 
194 	if (!pages)
195 		return;
196 
197 	__i915_gem_object_release_shmem(obj, pages, true);
198 	i915_gem_gtt_finish_pages(obj, pages);
199 
200 	/*
201 	 * We always mark objects as dirty when they are used by the GPU,
202 	 * just in case. However, if we set the vma as being read-only we know
203 	 * that the object will never have been written to.
204 	 */
205 	if (i915_gem_object_is_readonly(obj))
206 		obj->mm.dirty = false;
207 
208 	for_each_sgt_page(page, sgt_iter, pages) {
209 		if (obj->mm.dirty && trylock_page(page)) {
210 			/*
211 			 * As this may not be anonymous memory (e.g. shmem)
212 			 * but exist on a real mapping, we have to lock
213 			 * the page in order to dirty it -- holding
214 			 * the page reference is not sufficient to
215 			 * prevent the inode from being truncated.
216 			 * Play safe and take the lock.
217 			 *
218 			 * However...!
219 			 *
220 			 * The mmu-notifier can be invalidated for a
221 			 * migrate_folio, that is alreadying holding the lock
222 			 * on the folio. Such a try_to_unmap() will result
223 			 * in us calling put_pages() and so recursively try
224 			 * to lock the page. We avoid that deadlock with
225 			 * a trylock_page() and in exchange we risk missing
226 			 * some page dirtying.
227 			 */
228 			set_page_dirty(page);
229 			unlock_page(page);
230 		}
231 
232 		mark_page_accessed(page);
233 	}
234 	obj->mm.dirty = false;
235 
236 	sg_free_table(pages);
237 	kfree(pages);
238 
239 	i915_gem_object_userptr_drop_ref(obj);
240 }
241 
242 static int i915_gem_object_userptr_unbind(struct drm_i915_gem_object *obj)
243 {
244 	struct sg_table *pages;
245 	int err;
246 
247 	err = i915_gem_object_unbind(obj, I915_GEM_OBJECT_UNBIND_ACTIVE);
248 	if (err)
249 		return err;
250 
251 	if (GEM_WARN_ON(i915_gem_object_has_pinned_pages(obj)))
252 		return -EBUSY;
253 
254 	assert_object_held(obj);
255 
256 	pages = __i915_gem_object_unset_pages(obj);
257 	if (!IS_ERR_OR_NULL(pages))
258 		i915_gem_userptr_put_pages(obj, pages);
259 
260 	return err;
261 }
262 
263 int i915_gem_object_userptr_submit_init(struct drm_i915_gem_object *obj)
264 {
265 	const unsigned long num_pages = obj->base.size >> PAGE_SHIFT;
266 	struct page **pvec;
267 	unsigned int gup_flags = 0;
268 	unsigned long notifier_seq;
269 	int pinned, ret;
270 
271 	if (obj->userptr.notifier.mm != current->mm)
272 		return -EFAULT;
273 
274 	notifier_seq = mmu_interval_read_begin(&obj->userptr.notifier);
275 
276 	ret = i915_gem_object_lock_interruptible(obj, NULL);
277 	if (ret)
278 		return ret;
279 
280 	if (notifier_seq == obj->userptr.notifier_seq && obj->userptr.pvec) {
281 		i915_gem_object_unlock(obj);
282 		return 0;
283 	}
284 
285 	ret = i915_gem_object_userptr_unbind(obj);
286 	i915_gem_object_unlock(obj);
287 	if (ret)
288 		return ret;
289 
290 	pvec = kvmalloc_array(num_pages, sizeof(struct page *), GFP_KERNEL);
291 	if (!pvec)
292 		return -ENOMEM;
293 
294 	if (!i915_gem_object_is_readonly(obj))
295 		gup_flags |= FOLL_WRITE;
296 
297 	pinned = 0;
298 	while (pinned < num_pages) {
299 		ret = pin_user_pages_fast(obj->userptr.ptr + pinned * PAGE_SIZE,
300 					  num_pages - pinned, gup_flags,
301 					  &pvec[pinned]);
302 		if (ret < 0)
303 			goto out;
304 
305 		pinned += ret;
306 	}
307 
308 	ret = i915_gem_object_lock_interruptible(obj, NULL);
309 	if (ret)
310 		goto out;
311 
312 	if (mmu_interval_read_retry(&obj->userptr.notifier,
313 		!obj->userptr.page_ref ? notifier_seq :
314 		obj->userptr.notifier_seq)) {
315 		ret = -EAGAIN;
316 		goto out_unlock;
317 	}
318 
319 	if (!obj->userptr.page_ref++) {
320 		obj->userptr.pvec = pvec;
321 		obj->userptr.notifier_seq = notifier_seq;
322 		pvec = NULL;
323 		ret = ____i915_gem_object_get_pages(obj);
324 	}
325 
326 	obj->userptr.page_ref--;
327 
328 out_unlock:
329 	i915_gem_object_unlock(obj);
330 
331 out:
332 	if (pvec) {
333 		unpin_user_pages(pvec, pinned);
334 		kvfree(pvec);
335 	}
336 
337 	return ret;
338 }
339 
340 int i915_gem_object_userptr_submit_done(struct drm_i915_gem_object *obj)
341 {
342 	if (mmu_interval_read_retry(&obj->userptr.notifier,
343 				    obj->userptr.notifier_seq)) {
344 		/* We collided with the mmu notifier, need to retry */
345 
346 		return -EAGAIN;
347 	}
348 
349 	return 0;
350 }
351 
352 int i915_gem_object_userptr_validate(struct drm_i915_gem_object *obj)
353 {
354 	int err;
355 
356 	err = i915_gem_object_userptr_submit_init(obj);
357 	if (err)
358 		return err;
359 
360 	err = i915_gem_object_lock_interruptible(obj, NULL);
361 	if (!err) {
362 		/*
363 		 * Since we only check validity, not use the pages,
364 		 * it doesn't matter if we collide with the mmu notifier,
365 		 * and -EAGAIN handling is not required.
366 		 */
367 		err = i915_gem_object_pin_pages(obj);
368 		if (!err)
369 			i915_gem_object_unpin_pages(obj);
370 
371 		i915_gem_object_unlock(obj);
372 	}
373 
374 	return err;
375 }
376 
377 static void
378 i915_gem_userptr_release(struct drm_i915_gem_object *obj)
379 {
380 	GEM_WARN_ON(obj->userptr.page_ref);
381 
382 	mmu_interval_notifier_remove(&obj->userptr.notifier);
383 	obj->userptr.notifier.mm = NULL;
384 }
385 
386 static int
387 i915_gem_userptr_dmabuf_export(struct drm_i915_gem_object *obj)
388 {
389 	drm_dbg(obj->base.dev, "Exporting userptr no longer allowed\n");
390 
391 	return -EINVAL;
392 }
393 
394 static int
395 i915_gem_userptr_pwrite(struct drm_i915_gem_object *obj,
396 			const struct drm_i915_gem_pwrite *args)
397 {
398 	drm_dbg(obj->base.dev, "pwrite to userptr no longer allowed\n");
399 
400 	return -EINVAL;
401 }
402 
403 static int
404 i915_gem_userptr_pread(struct drm_i915_gem_object *obj,
405 		       const struct drm_i915_gem_pread *args)
406 {
407 	drm_dbg(obj->base.dev, "pread from userptr no longer allowed\n");
408 
409 	return -EINVAL;
410 }
411 
412 static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = {
413 	.name = "i915_gem_object_userptr",
414 	.flags = I915_GEM_OBJECT_IS_SHRINKABLE |
415 		 I915_GEM_OBJECT_NO_MMAP |
416 		 I915_GEM_OBJECT_IS_PROXY,
417 	.get_pages = i915_gem_userptr_get_pages,
418 	.put_pages = i915_gem_userptr_put_pages,
419 	.dmabuf_export = i915_gem_userptr_dmabuf_export,
420 	.pwrite = i915_gem_userptr_pwrite,
421 	.pread = i915_gem_userptr_pread,
422 	.release = i915_gem_userptr_release,
423 };
424 
425 #endif
426 
427 static int
428 probe_range(struct mm_struct *mm, unsigned long addr, unsigned long len)
429 {
430 	VMA_ITERATOR(vmi, mm, addr);
431 	struct vm_area_struct *vma;
432 	unsigned long end = addr + len;
433 
434 	mmap_read_lock(mm);
435 	for_each_vma_range(vmi, vma, end) {
436 		/* Check for holes, note that we also update the addr below */
437 		if (vma->vm_start > addr)
438 			break;
439 
440 		if (vma->vm_flags & (VM_PFNMAP | VM_MIXEDMAP))
441 			break;
442 
443 		addr = vma->vm_end;
444 	}
445 	mmap_read_unlock(mm);
446 
447 	if (vma || addr < end)
448 		return -EFAULT;
449 	return 0;
450 }
451 
452 /*
453  * Creates a new mm object that wraps some normal memory from the process
454  * context - user memory.
455  *
456  * We impose several restrictions upon the memory being mapped
457  * into the GPU.
458  * 1. It must be page aligned (both start/end addresses, i.e ptr and size).
459  * 2. It must be normal system memory, not a pointer into another map of IO
460  *    space (e.g. it must not be a GTT mmapping of another object).
461  * 3. We only allow a bo as large as we could in theory map into the GTT,
462  *    that is we limit the size to the total size of the GTT.
463  * 4. The bo is marked as being snoopable. The backing pages are left
464  *    accessible directly by the CPU, but reads and writes by the GPU may
465  *    incur the cost of a snoop (unless you have an LLC architecture).
466  *
467  * Synchronisation between multiple users and the GPU is left to userspace
468  * through the normal set-domain-ioctl. The kernel will enforce that the
469  * GPU relinquishes the VMA before it is returned back to the system
470  * i.e. upon free(), munmap() or process termination. However, the userspace
471  * malloc() library may not immediately relinquish the VMA after free() and
472  * instead reuse it whilst the GPU is still reading and writing to the VMA.
473  * Caveat emptor.
474  *
475  * Also note, that the object created here is not currently a "first class"
476  * object, in that several ioctls are banned. These are the CPU access
477  * ioctls: mmap(), pwrite and pread. In practice, you are expected to use
478  * direct access via your pointer rather than use those ioctls. Another
479  * restriction is that we do not allow userptr surfaces to be pinned to the
480  * hardware and so we reject any attempt to create a framebuffer out of a
481  * userptr.
482  *
483  * If you think this is a good interface to use to pass GPU memory between
484  * drivers, please use dma-buf instead. In fact, wherever possible use
485  * dma-buf instead.
486  */
487 int
488 i915_gem_userptr_ioctl(struct drm_device *dev,
489 		       void *data,
490 		       struct drm_file *file)
491 {
492 	static struct lock_class_key __maybe_unused lock_class;
493 	struct drm_i915_private *dev_priv = to_i915(dev);
494 	struct drm_i915_gem_userptr *args = data;
495 	struct drm_i915_gem_object __maybe_unused *obj;
496 	int __maybe_unused ret;
497 	u32 __maybe_unused handle;
498 
499 	if (!HAS_LLC(dev_priv) && !HAS_SNOOP(dev_priv)) {
500 		/* We cannot support coherent userptr objects on hw without
501 		 * LLC and broken snooping.
502 		 */
503 		return -ENODEV;
504 	}
505 
506 	if (args->flags & ~(I915_USERPTR_READ_ONLY |
507 			    I915_USERPTR_UNSYNCHRONIZED |
508 			    I915_USERPTR_PROBE))
509 		return -EINVAL;
510 
511 	if (i915_gem_object_size_2big(args->user_size))
512 		return -E2BIG;
513 
514 	if (!args->user_size)
515 		return -EINVAL;
516 
517 	if (offset_in_page(args->user_ptr | args->user_size))
518 		return -EINVAL;
519 
520 	if (!access_ok((char __user *)(unsigned long)args->user_ptr, args->user_size))
521 		return -EFAULT;
522 
523 	if (args->flags & I915_USERPTR_UNSYNCHRONIZED)
524 		return -ENODEV;
525 
526 	if (args->flags & I915_USERPTR_READ_ONLY) {
527 		/*
528 		 * On almost all of the older hw, we cannot tell the GPU that
529 		 * a page is readonly.
530 		 */
531 		if (!to_gt(dev_priv)->vm->has_read_only)
532 			return -ENODEV;
533 	}
534 
535 	if (args->flags & I915_USERPTR_PROBE) {
536 		/*
537 		 * Check that the range pointed to represents real struct
538 		 * pages and not iomappings (at this moment in time!)
539 		 */
540 		ret = probe_range(current->mm, args->user_ptr, args->user_size);
541 		if (ret)
542 			return ret;
543 	}
544 
545 #ifdef CONFIG_MMU_NOTIFIER
546 	obj = i915_gem_object_alloc();
547 	if (obj == NULL)
548 		return -ENOMEM;
549 
550 	drm_gem_private_object_init(dev, &obj->base, args->user_size);
551 	i915_gem_object_init(obj, &i915_gem_userptr_ops, &lock_class,
552 			     I915_BO_ALLOC_USER);
553 	obj->mem_flags = I915_BO_FLAG_STRUCT_PAGE;
554 	obj->read_domains = I915_GEM_DOMAIN_CPU;
555 	obj->write_domain = I915_GEM_DOMAIN_CPU;
556 	i915_gem_object_set_cache_coherency(obj, I915_CACHE_LLC);
557 
558 	obj->userptr.ptr = args->user_ptr;
559 	obj->userptr.notifier_seq = ULONG_MAX;
560 	if (args->flags & I915_USERPTR_READ_ONLY)
561 		i915_gem_object_set_readonly(obj);
562 
563 	/* And keep a pointer to the current->mm for resolving the user pages
564 	 * at binding. This means that we need to hook into the mmu_notifier
565 	 * in order to detect if the mmu is destroyed.
566 	 */
567 	ret = i915_gem_userptr_init__mmu_notifier(obj);
568 	if (ret == 0)
569 		ret = drm_gem_handle_create(file, &obj->base, &handle);
570 
571 	/* drop reference from allocate - handle holds it now */
572 	i915_gem_object_put(obj);
573 	if (ret)
574 		return ret;
575 
576 	args->handle = handle;
577 	return 0;
578 #else
579 	return -ENODEV;
580 #endif
581 }
582 
583 int i915_gem_init_userptr(struct drm_i915_private *dev_priv)
584 {
585 #ifdef CONFIG_MMU_NOTIFIER
586 	rwlock_init(&dev_priv->mm.notifier_lock);
587 #endif
588 
589 	return 0;
590 }
591 
592 void i915_gem_cleanup_userptr(struct drm_i915_private *dev_priv)
593 {
594 }
595