/*
 * SPDX-License-Identifier: MIT
 *
 * Copyright © 2012-2014 Intel Corporation
 */

#include <linux/mmu_context.h>
#include <linux/mmu_notifier.h>
#include <linux/mempolicy.h>
#include <linux/swap.h>
#include <linux/sched/mm.h>

#include "i915_drv.h"
#include "i915_gem_ioctls.h"
#include "i915_gem_object.h"
#include "i915_scatterlist.h"

#ifdef __linux__

struct i915_mm_struct {
	struct mm_struct *mm;
	struct drm_i915_private *i915;
	struct i915_mmu_notifier *mn;
	struct hlist_node node;
	struct kref kref;
	struct rcu_work work;
};

#if defined(CONFIG_MMU_NOTIFIER)
#include <linux/interval_tree.h>

struct i915_mmu_notifier {
	spinlock_t lock;
	struct hlist_node node;
	struct mmu_notifier mn;
	struct rb_root_cached objects;
	struct i915_mm_struct *mm;
};

struct i915_mmu_object {
	struct i915_mmu_notifier *mn;
	struct drm_i915_gem_object *obj;
	struct interval_tree_node it;
};

static void add_object(struct i915_mmu_object *mo)
{
	GEM_BUG_ON(!RB_EMPTY_NODE(&mo->it.rb));
	interval_tree_insert(&mo->it, &mo->mn->objects);
}

static void del_object(struct i915_mmu_object *mo)
{
	if (RB_EMPTY_NODE(&mo->it.rb))
		return;

	interval_tree_remove(&mo->it, &mo->mn->objects);
	RB_CLEAR_NODE(&mo->it.rb);
}

static void
__i915_gem_userptr_set_active(struct drm_i915_gem_object *obj, bool value)
{
	struct i915_mmu_object *mo = obj->userptr.mmu_object;

	/*
	 * During mm_invalidate_range we need to cancel any userptr that
	 * overlaps the range being invalidated. Doing so requires the
	 * struct_mutex, and that risks recursion. In order to cause
	 * recursion, the user must alias the userptr address space with
	 * a GTT mmapping (possible with a MAP_FIXED) - then when we have
	 * to invalidate that mmapping, mm_invalidate_range is called with
	 * the userptr address *and* the struct_mutex held. To prevent that
	 * we set a flag under the i915_mmu_notifier spinlock to indicate
	 * whether this object is valid.
	 */
	if (!mo)
		return;

	spin_lock(&mo->mn->lock);
	if (value)
		add_object(mo);
	else
		del_object(mo);
	spin_unlock(&mo->mn->lock);
}
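/*
 * Revoke the pages of any userptr object whose interval overlaps the
 * invalidated range: take a reference (unless the object is already being
 * destroyed), drop mn->lock, unbind the object and release its pages, then
 * rescan the interval tree from the start.
 */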
static int
userptr_mn_invalidate_range_start(struct mmu_notifier *_mn,
				  const struct mmu_notifier_range *range)
{
	struct i915_mmu_notifier *mn =
		container_of(_mn, struct i915_mmu_notifier, mn);
	struct interval_tree_node *it;
	unsigned long end;
	int ret = 0;

	if (RB_EMPTY_ROOT(&mn->objects.rb_root))
		return 0;

	/* interval ranges are inclusive, but invalidate range is exclusive */
	end = range->end - 1;

	spin_lock(&mn->lock);
	it = interval_tree_iter_first(&mn->objects, range->start, end);
	while (it) {
		struct drm_i915_gem_object *obj;

		if (!mmu_notifier_range_blockable(range)) {
			ret = -EAGAIN;
			break;
		}

		/*
		 * The mmu_object is released late when destroying the
		 * GEM object so it is entirely possible to gain a
		 * reference on an object in the process of being freed
		 * since our serialisation is via the spinlock and not
		 * the struct_mutex - and consequently use it after it
		 * is freed and then double free it. To prevent that
		 * use-after-free we only acquire a reference on the
		 * object if it is not in the process of being destroyed.
		 */
		obj = container_of(it, struct i915_mmu_object, it)->obj;
		if (!kref_get_unless_zero(&obj->base.refcount)) {
			it = interval_tree_iter_next(it, range->start, end);
			continue;
		}
		spin_unlock(&mn->lock);

		ret = i915_gem_object_unbind(obj,
					     I915_GEM_OBJECT_UNBIND_ACTIVE |
					     I915_GEM_OBJECT_UNBIND_BARRIER);
		if (ret == 0)
			ret = __i915_gem_object_put_pages(obj);
		i915_gem_object_put(obj);
		if (ret)
			return ret;

		spin_lock(&mn->lock);

		/*
		 * As we do not (yet) protect the mmu from concurrent insertion
		 * over this range, there is no guarantee that this search will
		 * terminate given a pathologic workload.
		 */
		it = interval_tree_iter_first(&mn->objects, range->start, end);
	}
	spin_unlock(&mn->lock);

	return ret;
}

static const struct mmu_notifier_ops i915_gem_userptr_notifier = {
	.invalidate_range_start = userptr_mn_invalidate_range_start,
};

static struct i915_mmu_notifier *
i915_mmu_notifier_create(struct i915_mm_struct *mm)
{
	struct i915_mmu_notifier *mn;

	mn = kmalloc(sizeof(*mn), GFP_KERNEL);
	if (mn == NULL)
		return ERR_PTR(-ENOMEM);

	spin_lock_init(&mn->lock);
	mn->mn.ops = &i915_gem_userptr_notifier;
	mn->objects = RB_ROOT_CACHED;
	mn->mm = mm;

	return mn;
}

static void
i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
{
	struct i915_mmu_object *mo;

	mo = fetch_and_zero(&obj->userptr.mmu_object);
	if (!mo)
		return;

	spin_lock(&mo->mn->lock);
	del_object(mo);
	spin_unlock(&mo->mn->lock);
	kfree(mo);
}

static struct i915_mmu_notifier *
i915_mmu_notifier_find(struct i915_mm_struct *mm)
{
	struct i915_mmu_notifier *mn, *old;
	int err;

	mn = READ_ONCE(mm->mn);
	if (likely(mn))
		return mn;

	mn = i915_mmu_notifier_create(mm);
	if (IS_ERR(mn))
		return mn;

	err = mmu_notifier_register(&mn->mn, mm->mm);
	if (err) {
		kfree(mn);
		return ERR_PTR(err);
	}

	old = cmpxchg(&mm->mn, NULL, mn);
	if (old) {
		mmu_notifier_unregister(&mn->mn, mm->mm);
		kfree(mn);
		mn = old;
	}

	return mn;
}
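/*
 * Allocate the i915_mmu_object that is later inserted into the per-mm
 * interval tree (via __i915_gem_userptr_set_active) so that an invalidation
 * of the backing range can revoke our pinned pages.
 * I915_USERPTR_UNSYNCHRONIZED opts out of this tracking and is therefore
 * restricted to CAP_SYS_ADMIN.
 */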
static int
i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
				    unsigned flags)
{
	struct i915_mmu_notifier *mn;
	struct i915_mmu_object *mo;

	if (flags & I915_USERPTR_UNSYNCHRONIZED)
		return capable(CAP_SYS_ADMIN) ? 0 : -EPERM;

	if (GEM_WARN_ON(!obj->userptr.mm))
		return -EINVAL;

	mn = i915_mmu_notifier_find(obj->userptr.mm);
	if (IS_ERR(mn))
		return PTR_ERR(mn);

	mo = kzalloc(sizeof(*mo), GFP_KERNEL);
	if (!mo)
		return -ENOMEM;

	mo->mn = mn;
	mo->obj = obj;
	mo->it.start = obj->userptr.ptr;
	mo->it.last = obj->userptr.ptr + obj->base.size - 1;
	RB_CLEAR_NODE(&mo->it.rb);

	obj->userptr.mmu_object = mo;
	return 0;
}

static void
i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
		       struct mm_struct *mm)
{
	if (mn == NULL)
		return;

	mmu_notifier_unregister(&mn->mn, mm);
	kfree(mn);
}

#else

static void
__i915_gem_userptr_set_active(struct drm_i915_gem_object *obj, bool value)
{
}

static void
i915_gem_userptr_release__mmu_notifier(struct drm_i915_gem_object *obj)
{
}

static int
i915_gem_userptr_init__mmu_notifier(struct drm_i915_gem_object *obj,
				    unsigned flags)
{
	if ((flags & I915_USERPTR_UNSYNCHRONIZED) == 0)
		return -ENODEV;

	if (!capable(CAP_SYS_ADMIN))
		return -EPERM;

	return 0;
}

static void
i915_mmu_notifier_free(struct i915_mmu_notifier *mn,
		       struct mm_struct *mm)
{
}

#endif

static struct i915_mm_struct *
__i915_mm_struct_find(struct drm_i915_private *i915, struct mm_struct *real)
{
	struct i915_mm_struct *it, *mm = NULL;

	rcu_read_lock();
	hash_for_each_possible_rcu(i915->mm_structs,
				   it, node,
				   (unsigned long)real)
		if (it->mm == real && kref_get_unless_zero(&it->kref)) {
			mm = it;
			break;
		}
	rcu_read_unlock();

	return mm;
}
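/*
 * Each process gets a single i915_mm_struct wrapping its mm_struct: look one
 * up under RCU and take a reference, or allocate and publish a new one under
 * mm_lock if this is the first userptr object for the mm.
 */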
static int
i915_gem_userptr_init__mm_struct(struct drm_i915_gem_object *obj)
{
	struct drm_i915_private *i915 = to_i915(obj->base.dev);
	struct i915_mm_struct *mm, *new;
	int ret = 0;

	/* During release of the GEM object we hold the struct_mutex. This
	 * precludes us from calling mmput() at that time as that may be
	 * the last reference and so call exit_mmap(). exit_mmap() will
	 * attempt to reap the vma, and if we were holding a GTT mmap
	 * would then call drm_gem_vm_close() and attempt to reacquire
	 * the struct mutex. So in order to avoid that recursion, we have
	 * to defer releasing the mm reference until after we drop the
	 * struct_mutex, i.e. we need to schedule a worker to do the clean
	 * up.
	 */
	mm = __i915_mm_struct_find(i915, current->mm);
	if (mm)
		goto out;

	new = kmalloc(sizeof(*mm), GFP_KERNEL);
	if (!new)
		return -ENOMEM;

	kref_init(&new->kref);
	new->i915 = to_i915(obj->base.dev);
	new->mm = current->mm;
	new->mn = NULL;

	spin_lock(&i915->mm_lock);
	mm = __i915_mm_struct_find(i915, current->mm);
	if (!mm) {
		hash_add_rcu(i915->mm_structs,
			     &new->node,
			     (unsigned long)new->mm);
		mmgrab(current->mm);
		mm = new;
	}
	spin_unlock(&i915->mm_lock);
	if (mm != new)
		kfree(new);

out:
	obj->userptr.mm = mm;
	return ret;
}

static void
__i915_mm_struct_free__worker(struct work_struct *work)
{
	struct i915_mm_struct *mm = container_of(work, typeof(*mm), work.work);

	i915_mmu_notifier_free(mm->mn, mm->mm);
	mmdrop(mm->mm);
	kfree(mm);
}

static void
__i915_mm_struct_free(struct kref *kref)
{
	struct i915_mm_struct *mm = container_of(kref, typeof(*mm), kref);

	spin_lock(&mm->i915->mm_lock);
	hash_del_rcu(&mm->node);
	spin_unlock(&mm->i915->mm_lock);

	INIT_RCU_WORK(&mm->work, __i915_mm_struct_free__worker);
	queue_rcu_work(system_wq, &mm->work);
}

static void
i915_gem_userptr_release__mm_struct(struct drm_i915_gem_object *obj)
{
	if (obj->userptr.mm == NULL)
		return;

	kref_put(&obj->userptr.mm->kref, __i915_mm_struct_free);
	obj->userptr.mm = NULL;
}

struct get_pages_work {
	struct work_struct work;
	struct drm_i915_gem_object *obj;
	struct task_struct *task;
};

static struct sg_table *
__i915_gem_userptr_alloc_pages(struct drm_i915_gem_object *obj,
			       struct page **pvec, unsigned long num_pages)
{
	unsigned int max_segment = i915_sg_segment_size();
	struct sg_table *st;
	unsigned int sg_page_sizes;
	struct scatterlist *sg;
	int ret;

	st = kmalloc(sizeof(*st), GFP_KERNEL);
	if (!st)
		return ERR_PTR(-ENOMEM);

alloc_table:
	sg = __sg_alloc_table_from_pages(st, pvec, num_pages, 0,
					 num_pages << PAGE_SHIFT, max_segment,
					 NULL, 0, GFP_KERNEL);
	if (IS_ERR(sg)) {
		kfree(st);
		return ERR_CAST(sg);
	}

	ret = i915_gem_gtt_prepare_pages(obj, st);
	if (ret) {
		sg_free_table(st);

		if (max_segment > PAGE_SIZE) {
			max_segment = PAGE_SIZE;
			goto alloc_table;
		}

		kfree(st);
		return ERR_PTR(ret);
	}

	sg_page_sizes = i915_sg_page_sizes(st->sgl);

	__i915_gem_object_set_pages(obj, st, sg_page_sizes);

	return st;
}
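/*
 * Worker that pins the full userptr range with pin_user_pages_remote()
 * under mmap_read_lock and, unless the work has been superseded or an
 * error occurred, builds the object's sg_table. The result (or error)
 * is reported back through obj->userptr.work.
 */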
static void
__i915_gem_userptr_get_pages_worker(struct work_struct *_work)
{
	struct get_pages_work *work = container_of(_work, typeof(*work), work);
	struct drm_i915_gem_object *obj = work->obj;
	const unsigned long npages = obj->base.size >> PAGE_SHIFT;
	unsigned long pinned;
	struct page **pvec;
	int ret;

	ret = -ENOMEM;
	pinned = 0;

	pvec = kvmalloc_array(npages, sizeof(struct page *), GFP_KERNEL);
	if (pvec != NULL) {
		struct mm_struct *mm = obj->userptr.mm->mm;
		unsigned int flags = 0;
		int locked = 0;

		if (!i915_gem_object_is_readonly(obj))
			flags |= FOLL_WRITE;

		ret = -EFAULT;
		if (mmget_not_zero(mm)) {
			while (pinned < npages) {
				if (!locked) {
					mmap_read_lock(mm);
					locked = 1;
				}
				ret = pin_user_pages_remote
					(mm,
					 obj->userptr.ptr + pinned * PAGE_SIZE,
					 npages - pinned,
					 flags,
					 pvec + pinned, NULL, &locked);
				if (ret < 0)
					break;

				pinned += ret;
			}
			if (locked)
				mmap_read_unlock(mm);
			mmput(mm);
		}
	}

	mutex_lock_nested(&obj->mm.lock, I915_MM_GET_PAGES);
	if (obj->userptr.work == &work->work) {
		struct sg_table *pages = ERR_PTR(ret);

		if (pinned == npages) {
			pages = __i915_gem_userptr_alloc_pages(obj, pvec,
							       npages);
			if (!IS_ERR(pages)) {
				pinned = 0;
				pages = NULL;
			}
		}

		obj->userptr.work = ERR_CAST(pages);
		if (IS_ERR(pages))
			__i915_gem_userptr_set_active(obj, false);
	}
	mutex_unlock(&obj->mm.lock);

	unpin_user_pages(pvec, pinned);
	kvfree(pvec);

	i915_gem_object_put(obj);
	put_task_struct(work->task);
	kfree(work);
}

static struct sg_table *
__i915_gem_userptr_get_pages_schedule(struct drm_i915_gem_object *obj)
{
	struct get_pages_work *work;

	/* Spawn a worker so that we can acquire the
	 * user pages without holding our mutex. Access
	 * to the user pages requires mmap_lock, and we have
	 * a strict lock ordering of mmap_lock, struct_mutex -
	 * we already hold struct_mutex here and so cannot
	 * call gup without encountering a lock inversion.
	 *
	 * Userspace will keep on repeating the operation
	 * (thanks to EAGAIN) until either we hit the fast
	 * path or the worker completes. If the worker is
	 * cancelled or superseded, the task is still run
	 * but the results ignored. (This leads to
	 * complications that we may have a stray object
	 * refcount that we need to be wary of when
	 * checking for existing objects during creation.)
	 * If the worker encounters an error, it reports
	 * that error back to this function through
	 * obj->userptr.work = ERR_PTR.
	 */
	work = kmalloc(sizeof(*work), GFP_KERNEL);
	if (work == NULL)
		return ERR_PTR(-ENOMEM);

	obj->userptr.work = &work->work;

	work->obj = i915_gem_object_get(obj);

	work->task = current;
	get_task_struct(work->task);

	INIT_WORK(&work->work, __i915_gem_userptr_get_pages_worker);
	queue_work(to_i915(obj->base.dev)->mm.userptr_wq, &work->work);

	return ERR_PTR(-EAGAIN);
}
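/*
 * get_pages: when called from the process that owns the mm we try a fast,
 * non-blocking pin_user_pages_fast_only(); a partial pin falls back to the
 * worker above and returns -EAGAIN so the caller retries once the worker
 * has completed.
 */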
static int i915_gem_userptr_get_pages(struct drm_i915_gem_object *obj)
{
	const unsigned long num_pages = obj->base.size >> PAGE_SHIFT;
	struct mm_struct *mm = obj->userptr.mm->mm;
	struct page **pvec;
	struct sg_table *pages;
	bool active;
	int pinned;
	unsigned int gup_flags = 0;

	/* If userspace should engineer that these pages are replaced in
	 * the vma between us binding this page into the GTT and completion
	 * of rendering... Their loss. If they change the mapping of their
	 * pages they need to create a new bo to point to the new vma.
	 *
	 * However, that still leaves open the possibility of the vma
	 * being copied upon fork. Which falls under the same userspace
	 * synchronisation issue as a regular bo, except that this time
	 * the process may not be expecting that a particular piece of
	 * memory is tied to the GPU.
	 *
	 * Fortunately, we can hook into the mmu_notifier in order to
	 * discard the page references prior to anything nasty happening
	 * to the vma (discard or cloning) which should prevent the more
	 * egregious cases from causing harm.
	 */

	if (obj->userptr.work) {
		/* active flag should still be held for the pending work */
		if (IS_ERR(obj->userptr.work))
			return PTR_ERR(obj->userptr.work);
		else
			return -EAGAIN;
	}

	pvec = NULL;
	pinned = 0;

	if (mm == current->mm) {
		pvec = kvmalloc_array(num_pages, sizeof(struct page *),
				      GFP_KERNEL |
				      __GFP_NORETRY |
				      __GFP_NOWARN);
		if (pvec) {
			/* defer to worker if malloc fails */
			if (!i915_gem_object_is_readonly(obj))
				gup_flags |= FOLL_WRITE;
			pinned = pin_user_pages_fast_only(obj->userptr.ptr,
							  num_pages, gup_flags,
							  pvec);
		}
	}

	active = false;
	if (pinned < 0) {
		pages = ERR_PTR(pinned);
		pinned = 0;
	} else if (pinned < num_pages) {
		pages = __i915_gem_userptr_get_pages_schedule(obj);
		active = pages == ERR_PTR(-EAGAIN);
	} else {
		pages = __i915_gem_userptr_alloc_pages(obj, pvec, num_pages);
		active = !IS_ERR(pages);
	}
	if (active)
		__i915_gem_userptr_set_active(obj, true);

	if (IS_ERR(pages))
		unpin_user_pages(pvec, pinned);
	kvfree(pvec);

	return PTR_ERR_OR_ZERO(pages);
}
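/*
 * put_pages cancels any in-flight get_pages worker, removes the object from
 * the notifier's interval tree, dirties the backing pages where the object
 * may have been written by the GPU, and unpins them.
 */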
static void
i915_gem_userptr_put_pages(struct drm_i915_gem_object *obj,
			   struct sg_table *pages)
{
	struct sgt_iter sgt_iter;
	struct page *page;

	/* Cancel any inflight work and force them to restart their gup */
	obj->userptr.work = NULL;
	__i915_gem_userptr_set_active(obj, false);
	if (!pages)
		return;

	__i915_gem_object_release_shmem(obj, pages, true);
	i915_gem_gtt_finish_pages(obj, pages);

	/*
	 * We always mark objects as dirty when they are used by the GPU,
	 * just in case. However, if we set the vma as being read-only we know
	 * that the object will never have been written to.
	 */
	if (i915_gem_object_is_readonly(obj))
		obj->mm.dirty = false;

	for_each_sgt_page(page, sgt_iter, pages) {
		if (obj->mm.dirty && trylock_page(page)) {
			/*
			 * As this may not be anonymous memory (e.g. shmem)
			 * but exist on a real mapping, we have to lock
			 * the page in order to dirty it -- holding
			 * the page reference is not sufficient to
			 * prevent the inode from being truncated.
			 * Play safe and take the lock.
			 *
			 * However...!
			 *
			 * The mmu-notifier can be invalidated for a
			 * migrate_page that is already holding the lock
			 * on the page. Such a try_to_unmap() will result
			 * in us calling put_pages() and so recursively try
			 * to lock the page. We avoid that deadlock with
			 * a trylock_page() and in exchange we risk missing
			 * some page dirtying.
			 */
			set_page_dirty(page);
			unlock_page(page);
		}

		mark_page_accessed(page);
		unpin_user_page(page);
	}
	obj->mm.dirty = false;

	sg_free_table(pages);
	kfree(pages);
}

static void
i915_gem_userptr_release(struct drm_i915_gem_object *obj)
{
	i915_gem_userptr_release__mmu_notifier(obj);
	i915_gem_userptr_release__mm_struct(obj);
}

static int
i915_gem_userptr_dmabuf_export(struct drm_i915_gem_object *obj)
{
	if (obj->userptr.mmu_object)
		return 0;

	return i915_gem_userptr_init__mmu_notifier(obj, 0);
}

static const struct drm_i915_gem_object_ops i915_gem_userptr_ops = {
	.name = "i915_gem_object_userptr",
	.flags = I915_GEM_OBJECT_HAS_STRUCT_PAGE |
		 I915_GEM_OBJECT_IS_SHRINKABLE |
		 I915_GEM_OBJECT_NO_MMAP |
		 I915_GEM_OBJECT_ASYNC_CANCEL,
	.get_pages = i915_gem_userptr_get_pages,
	.put_pages = i915_gem_userptr_put_pages,
	.dmabuf_export = i915_gem_userptr_dmabuf_export,
	.release = i915_gem_userptr_release,
};

/*
 * Creates a new mm object that wraps some normal memory from the process
 * context - user memory.
 *
 * We impose several restrictions upon the memory being mapped
 * into the GPU.
 * 1. It must be page aligned (both start/end addresses, i.e. ptr and size).
 * 2. It must be normal system memory, not a pointer into another map of IO
 *    space (e.g. it must not be a GTT mmapping of another object).
 * 3. We only allow a bo as large as we could in theory map into the GTT,
 *    that is we limit the size to the total size of the GTT.
 * 4. The bo is marked as being snoopable. The backing pages are left
 *    accessible directly by the CPU, but reads and writes by the GPU may
 *    incur the cost of a snoop (unless you have an LLC architecture).
 *
 * Synchronisation between multiple users and the GPU is left to userspace
 * through the normal set-domain-ioctl. The kernel will enforce that the
 * GPU relinquishes the VMA before it is returned back to the system
 * i.e. upon free(), munmap() or process termination. However, the userspace
 * malloc() library may not immediately relinquish the VMA after free() and
 * instead reuse it whilst the GPU is still reading and writing to the VMA.
 * Caveat emptor.
 *
 * Also note, that the object created here is not currently a "first class"
 * object, in that several ioctls are banned. These are the CPU access
 * ioctls: mmap(), pwrite and pread. In practice, you are expected to use
 * direct access via your pointer rather than use those ioctls. Another
 * restriction is that we do not allow userptr surfaces to be pinned to the
 * hardware and so we reject any attempt to create a framebuffer out of a
 * userptr.
 *
 * If you think this is a good interface to use to pass GPU memory between
 * drivers, please use dma-buf instead. In fact, wherever possible use
 * dma-buf instead.
 */
int
i915_gem_userptr_ioctl(struct drm_device *dev,
		       void *data,
		       struct drm_file *file)
{
	static struct lock_class_key lock_class;
	struct drm_i915_private *dev_priv = to_i915(dev);
	struct drm_i915_gem_userptr *args = data;
	struct drm_i915_gem_object *obj;
	int ret;
	u32 handle;

	if (!HAS_LLC(dev_priv) && !HAS_SNOOP(dev_priv)) {
		/* We cannot support coherent userptr objects on hw without
		 * LLC and with broken snooping.
		 */
		return -ENODEV;
	}

	if (args->flags & ~(I915_USERPTR_READ_ONLY |
			    I915_USERPTR_UNSYNCHRONIZED))
		return -EINVAL;

	/*
	 * XXX: There is a prevalence of the assumption that we fit the
	 * object's page count inside a 32bit _signed_ variable. Let's document
	 * this and catch if we ever need to fix it. In the meantime, if you do
	 * spot such a local variable, please consider fixing!
	 *
	 * Aside from our own locals (for which we have no excuse!):
	 * - sg_table embeds unsigned int for num_pages
	 * - get_user_pages*() mixed ints with longs
	 */

	if (args->user_size >> PAGE_SHIFT > INT_MAX)
		return -E2BIG;

	if (overflows_type(args->user_size, obj->base.size))
		return -E2BIG;

	if (!args->user_size)
		return -EINVAL;

	if (offset_in_page(args->user_ptr | args->user_size))
		return -EINVAL;

	if (!access_ok((char __user *)(unsigned long)args->user_ptr, args->user_size))
		return -EFAULT;

	if (args->flags & I915_USERPTR_READ_ONLY) {
		/*
		 * On almost all of the older hw, we cannot tell the GPU that
		 * a page is readonly.
		 */
		if (!dev_priv->gt.vm->has_read_only)
			return -ENODEV;
	}

	obj = i915_gem_object_alloc();
	if (obj == NULL)
		return -ENOMEM;

	drm_gem_private_object_init(dev, &obj->base, args->user_size);
	i915_gem_object_init(obj, &i915_gem_userptr_ops, &lock_class);
	obj->read_domains = I915_GEM_DOMAIN_CPU;
	obj->write_domain = I915_GEM_DOMAIN_CPU;
	i915_gem_object_set_cache_coherency(obj, I915_CACHE_LLC);

	obj->userptr.ptr = args->user_ptr;
	if (args->flags & I915_USERPTR_READ_ONLY)
		i915_gem_object_set_readonly(obj);

	/* And keep a pointer to the current->mm for resolving the user pages
	 * at binding. This means that we need to hook into the mmu_notifier
	 * in order to detect if the mmu is destroyed.
	 */
	ret = i915_gem_userptr_init__mm_struct(obj);
	if (ret == 0)
		ret = i915_gem_userptr_init__mmu_notifier(obj, args->flags);
	if (ret == 0)
		ret = drm_gem_handle_create(file, &obj->base, &handle);

	/* drop reference from allocate - handle holds it now */
	i915_gem_object_put(obj);
	if (ret)
		return ret;

	args->handle = handle;
	return 0;
}

#else

int
i915_gem_userptr_ioctl(struct drm_device *dev,
		       void *data,
		       struct drm_file *file)
{
	return -ENODEV;
}

#endif

int i915_gem_init_userptr(struct drm_i915_private *dev_priv)
{
	mtx_init(&dev_priv->mm_lock, IPL_NONE);
	hash_init(dev_priv->mm_structs);

	dev_priv->mm.userptr_wq =
		alloc_workqueue("i915-userptr-acquire",
				WQ_HIGHPRI | WQ_UNBOUND,
				0);
	if (!dev_priv->mm.userptr_wq)
		return -ENOMEM;

	return 0;
}

void i915_gem_cleanup_userptr(struct drm_i915_private *dev_priv)
{
	destroy_workqueue(dev_priv->mm.userptr_wq);
}