Nouveau - Mar 2018 - [RFC PATCH 00/13] SVM (share virtual memory) with HMM in nouveau

On 03/12/2018 10:50 AM, Jerome Glisse wrote:
> On Mon, Mar 12, 2018 at 06:30:09PM +0100, Daniel Vetter wrote:
>> On Sat, Mar 10, 2018 at 04:01:58PM +0100, Christian K??nig wrote:
> 
> [...]
> 
>>>> They are work underway to revamp nouveau channel creation with
a new
>>>> userspace API. So we might want to delay upstreaming until this
lands.
>>>> We can stil discuss one aspect specific to HMM here namely the
issue
>>>> around GEM objects used for some specific part of the GPU. Some
engine
>>>> inside the GPU (engine are a GPU block like the display block
which
>>>> is responsible of scaning memory to send out a picture through
some
>>>> connector for instance HDMI or DisplayPort) can only access
memory
>>>> with virtual address below (1 << 40). To accomodate those
we need to
>>>> create a "hole" inside the process address space.
This patchset have
>>>> a hack for that (patch 13 HACK FOR HMM AREA), it reserves a
range of
>>>> device file offset so that process can mmap this range with
PROT_NONE
>>>> to create a hole (process must make sure the hole is below 1
<< 40).
>>>> I feel un-easy of doing it this way but maybe it is ok with
other
>>>> folks.
>>>
>>> Well we have essentially the same problem with pre gfx9 AMD
hardware. Felix
>>> might have some advise how it was solved for HSA.
>>
>> Couldn't we do an in-kernel address space for those special gpu
blocks? As
>> long as it's display the kernel needs to manage it anyway, and
adding a
>> 2nd mapping when you pin/unpin for scanout usage shouldn't really
matter
>> (as long as you cache the mapping until the buffer gets thrown out of
>> vram). More-or-less what we do for i915 (where we have an entirely
>> separate address space for these things which is 4G on the latest
chips).
>> -Daniel
> 
> We can not do an in-kernel address space for those. We already have an
> in kernel address space but it does not apply for the object considered
> here.
> 
> For NVidia (i believe this is the same for AMD AFAIK) the objects we
> are talking about are objects that must be in the same address space
> as the one against which process's shader/dma/... get executed.
> 
> For instance command buffer submited by userspace must be inside a
> GEM object mapped inside the GPU's process address against which the
> command are executed. My understanding is that the PFIFO (the engine
> on nv GPU that fetch commands) first context switch to address space
> associated with the channel and then starts fetching commands with
> all address being interpreted against the channel address space.
> 
> Hence why we need to reserve some range in the process virtual address
> space if we want to do SVM in a sane way. I mean we could just map
> buffer into GPU page table and then cross fingers and toes hopping that
> the process will never get any of its mmap overlapping those mapping :)
> 
> Cheers,
> Jérôme
> 
Hi Jerome and all,

Yes, on NVIDIA GPUs, the Host/FIFO unit is limited to 40-bit addresses, so
things such as the following need to be below (1 << 40), and also
accessible
to both CPU (user space) and GPU hardware. 
    -- command buffers (CPU user space driver fills them, GPU consumes them), 
    -- semaphores (here, a GPU-centric term, rather than OS-type: these are
       memory locations that, for example, the GPU hardware might write to, in
       order to indicate work completion; there are other uses as well), 
    -- a few other things most likely (this is not a complete list).

So what I'd tentatively expect that to translate into in the driver stack
is,
approximately:

    -- User space driver code mmap's an area below (1 << 40). It's
hard to avoid this,
       given that user space needs access to the area (for filling out command
       buffers and monitoring semaphores, that sort of thing). Then suballocate
       from there using mmap's MAP_FIXED or (future-ish) MAP_FIXED_SAFE
flags.

       ...glancing at the other fork of this thread, I think that is exactly
what
       Felix is saying, too. So that's good.

    -- The user space program sits above the user space driver, and although the
       program could, in theory, interfere with this mmap'd area, that would
be
       wrong in the same way that mucking around with malloc'd areas
(outside of
       malloc() itself) is wrong. So I don't see any particular need to do
much
       more than the above.

thanks,
-- 
John Hubbard
NVIDIA

On Mon, Mar 12, 2018 at 11:14:47PM -0700, John Hubbard
wrote:
> Yes, on NVIDIA GPUs, the Host/FIFO unit is limited to 40-bit addresses, so
> things such as the following need to be below (1 << 40), and also
accessible
> to both CPU (user space) and GPU hardware. 
>     -- command buffers (CPU user space driver fills them, GPU consumes
them),
>     -- semaphores (here, a GPU-centric term, rather than OS-type: these are
>        memory locations that, for example, the GPU hardware might write to,
in
>        order to indicate work completion; there are other uses as well), 
>     -- a few other things most likely (this is not a complete list).
Is that a 40-bit virtual address limit or physical address limit?  I'm
no longer sure who is addressing what memory through what mechanism ;-)

On Tue, Mar 13, 2018 at 06:29:40AM -0700, Matthew Wilcox
wrote:
> On Mon, Mar 12, 2018 at 11:14:47PM -0700, John Hubbard wrote:
> > Yes, on NVIDIA GPUs, the Host/FIFO unit is limited to 40-bit
addresses, so
> > things such as the following need to be below (1 << 40), and
also accessible
> > to both CPU (user space) and GPU hardware. 
> >     -- command buffers (CPU user space driver fills them, GPU consumes
them),
> >     -- semaphores (here, a GPU-centric term, rather than OS-type:
these are
> >        memory locations that, for example, the GPU hardware might
write to, in
> >        order to indicate work completion; there are other uses as
well),
> >     -- a few other things most likely (this is not a complete list).
> 
> Is that a 40-bit virtual address limit or physical address limit?  I'm
> no longer sure who is addressing what memory through what mechanism ;-)
> 
Virtual address limit, those object get mapped into GPU page table but
the register/structure fields where you program those object's address
only are 32bits (the virtual address is shifted by 8bits for alignment).

Cheers,
Jérôme

On Mon, Mar 12, 2018 at 11:14:47PM -0700, John Hubbard
wrote:
> On 03/12/2018 10:50 AM, Jerome Glisse wrote:
[...]
> Yes, on NVIDIA GPUs, the Host/FIFO unit is limited to 40-bit addresses, so
> things such as the following need to be below (1 << 40), and also
accessible
> to both CPU (user space) and GPU hardware. 
>     -- command buffers (CPU user space driver fills them, GPU consumes
them),
>     -- semaphores (here, a GPU-centric term, rather than OS-type: these are
>        memory locations that, for example, the GPU hardware might write to,
in
>        order to indicate work completion; there are other uses as well), 
>     -- a few other things most likely (this is not a complete list).
> 
> So what I'd tentatively expect that to translate into in the driver
stack is,
> approximately:
> 
>     -- User space driver code mmap's an area below (1 << 40).
It's hard to avoid this,
>        given that user space needs access to the area (for filling out
command
>        buffers and monitoring semaphores, that sort of thing). Then
suballocate
>        from there using mmap's MAP_FIXED or (future-ish) MAP_FIXED_SAFE
flags.
> 
>        ...glancing at the other fork of this thread, I think that is
exactly what
>        Felix is saying, too. So that's good.
> 
>     -- The user space program sits above the user space driver, and
although the
>        program could, in theory, interfere with this mmap'd area, that
would be
>        wrong in the same way that mucking around with malloc'd areas
(outside of
>        malloc() itself) is wrong. So I don't see any particular need to
do much
>        more than the above.
I am worried that rogue program (i am not worried about buggy program
if people shoot themself in the foot they should feel the pain) could
use that to abuse channel to do something harmful. I am not familiar
enough with the hardware to completely rule out such scenario.

I do believe hardware with userspace queue support have the necessary
boundary to keep thing secure as i would assume for those the hardware
engineers had to take security into consideration.

Note that in my patchset the code that monitor the special vma is small
something like 20lines of code that only get call if something happen
to the reserved area. So i believe it is worth having such thing, cost
is low for little extra peace of mind :)

Cheers,
Jérôme