[PATCH v3] drm/xe: Support for mmap-ing mmio regions
Upadhyay, Tejas
tejas.upadhyay at intel.com
Tue Jul 8 11:55:17 UTC 2025
> -----Original Message-----
> From: Levi, Ilia <ilia.levi at intel.com>
> Sent: 08 July 2025 16:22
> To: Upadhyay, Tejas <tejas.upadhyay at intel.com>; intel-
> xe at lists.freedesktop.org
> Cc: Elbaz, Koby <koby.elbaz at intel.com>; Sinyuk, Konstantin
> <konstantin.sinyuk at intel.com>; Avizrat, Yaron <yaron.avizrat at intel.com>;
> Haimovski, Moti <moti.haimovski at intel.com>; Freiman, Didi
> <didi.freiman at intel.com>; Auld, Matthew <matthew.auld at intel.com>; Roper,
> Matthew D <matthew.d.roper at intel.com>; Brost, Matthew
> <matthew.brost at intel.com>
> Subject: Re: [PATCH v3] drm/xe: Support for mmap-ing mmio regions
>
> On 02/07/2025 16:25, Upadhyay, Tejas wrote:
> >
> >> -----Original Message-----
> >> From: Levi, Ilia <ilia.levi at intel.com>
> >> Sent: 24 June 2025 21:22
> >> To: intel-xe at lists.freedesktop.org
> >> Cc: Levi, Ilia <ilia.levi at intel.com>; Elbaz, Koby
> >> <koby.elbaz at intel.com>; Sinyuk, Konstantin
> >> <konstantin.sinyuk at intel.com>; Avizrat, Yaron
> >> <yaron.avizrat at intel.com>; Haimovski, Moti
> >> <moti.haimovski at intel.com>; Freiman, Didi <didi.freiman at intel.com>;
> >> Upadhyay, Tejas <tejas.upadhyay at intel.com>; Auld, Matthew
> >> <matthew.auld at intel.com>; Roper, Matthew D
> >> <matthew.d.roper at intel.com>; Brost, Matthew
> <matthew.brost at intel.com>
> >> Subject: [PATCH v3] drm/xe: Support for mmap-ing mmio regions
> >>
> >> Allow the driver to expose hardware register spaces to userspace
> >> through GEM objects with fake mmap offsets. This can be useful for
> >> userspace-firmware communication, debugging, etc.
> >>
> >> v2: Minor doc fix (CI)
> >> v3: Enforce MAP_SHARED (Tejas)
> >> Add fault handler with dummy page (Tejas, Matt Auld)
> >> Store physical address instead of xe_mmio in the GEM object
> >> (MattB)
> >>
> >> Signed-off-by: Ilia Levi <ilia.levi at intel.com>
> >> ---
> >> drivers/gpu/drm/xe/xe_device_types.h | 14 ++
> >> drivers/gpu/drm/xe/xe_mmio.c | 210
> >> +++++++++++++++++++++++++++
> >> drivers/gpu/drm/xe/xe_mmio.h | 4 +
> >> 3 files changed, 228 insertions(+)
> >>
> >> diff --git a/drivers/gpu/drm/xe/xe_device_types.h
> >> b/drivers/gpu/drm/xe/xe_device_types.h
> >> index 6aca4b1a2824..22a567c5f0de 100644
> >> --- a/drivers/gpu/drm/xe/xe_device_types.h
> >> +++ b/drivers/gpu/drm/xe/xe_device_types.h
> >> @@ -10,6 +10,7 @@
> >>
> >> #include <drm/drm_device.h>
> >> #include <drm/drm_file.h>
> >> +#include <drm/drm_gem.h>
> >> #include <drm/drm_pagemap.h>
> >> #include <drm/ttm/ttm_device.h>
> >>
> >> @@ -162,6 +163,19 @@ struct xe_mmio {
> >> u32 adj_offset;
> >> };
> >>
> >> +/**
> >> + * struct xe_mmio_gem - GEM wrapper for xe_mmio
> >> + *
> >> + * A GEM object for exposing xe_mmio instance to userspace via mmap.
> >> + */
> >> +struct xe_mmio_gem {
> >> + /** @base: GEM object base */
> >> + struct drm_gem_object base;
> >> +
> >> + /** @phys_addr: The physical address of the exposed MMIO region */
> >> + phys_addr_t phys_addr;
> >> +};
> >> +
> >> /**
> >> * struct xe_tile - hardware tile structure
> >> *
> >> diff --git a/drivers/gpu/drm/xe/xe_mmio.c
> >> b/drivers/gpu/drm/xe/xe_mmio.c index 7357458bc0d2..3298ab0f1fb4
> >> 100644
> >> --- a/drivers/gpu/drm/xe/xe_mmio.c
> >> +++ b/drivers/gpu/drm/xe/xe_mmio.c
> >> @@ -10,6 +10,7 @@
> >> #include <linux/minmax.h>
> >> #include <linux/pci.h>
> >>
> >> +#include <drm/drm_drv.h>
> >> #include <drm/drm_managed.h>
> >> #include <drm/drm_print.h>
> >>
> >> @@ -408,3 +409,212 @@ int xe_mmio_wait32_not(struct xe_mmio
> *mmio,
> >> struct xe_reg reg, u32 mask, u32 va {
> >> return __xe_mmio_wait32(mmio, reg, mask, val, timeout_us, out_val,
> >> atomic, false); }
> >> +
> >> +/**
> >> + * DOC: Exposing MMIO regions to userspace
> >> + *
> >> + * In certain cases, the driver may allow userspace to mmap a
> >> +portion of the
> >> hardware registers.
> >> + *
> >> + * This can be done as follows:
> >> + * 1. Define an xe_mmio instance that represents this portion.
> >> + * 2. Call xe_mmio_gem_create() to create a GEM object with an
> >> + mmap-able
> >> fake offset.
> >> + * 3. Use drm_vma_node_offset_addr() on the created GEM object to
> >> retrieve the fake offset.
> >> + * 4. Provide the fake offset to userspace.
> >> + * 5. Userspace can call mmap with the fake offset. The length
> >> + provided to
> >> mmap
> >> + * must match the size of the xe_mmio instance.
> >> + * 6. When the region is no longer needed, call
> >> + xe_mmio_gem_destroy() to
> >> release the GEM object.
> >> + *
> >> + * Limitations: The exposed xe_mmio must be page-aligned with
> >> + regards to its
> >> BAR offset and size.
> >> + *
> >> + * WARNING: Exposing MMIO regions to userspace can have security and
> >> stability implications.
> >> + * Make sure not to expose any sensitive registers.
> >> + */
> >> +
> >> +static void xe_mmio_gem_free(struct drm_gem_object *); static int
> >> +xe_mmio_gem_mmap(struct drm_gem_object *, struct vm_area_struct
> *);
> >> +static vm_fault_t xe_mmio_gem_vm_fault(struct vm_fault *);
> >> +
> >> +static const struct vm_operations_struct vm_ops = {
> >> + .open = drm_gem_vm_open,
> >> + .close = drm_gem_vm_close,
> >> + .fault = xe_mmio_gem_vm_fault,
> >> +};
> >> +
> >> +static const struct drm_gem_object_funcs xe_mmio_gem_funcs = {
> >> + .free = xe_mmio_gem_free,
> >> + .mmap = xe_mmio_gem_mmap,
> >> + .vm_ops = &vm_ops,
> >> +};
> >> +
> >> +static inline struct xe_mmio_gem *to_xe_mmio_gem(struct
> >> +drm_gem_object
> >> +*obj) {
> >> + return container_of(obj, struct xe_mmio_gem, base); }
> >> +
> >> +static inline phys_addr_t xe_mmio_phys_addr(struct xe_mmio *mmio) {
> >> + struct xe_device *xe = tile_to_xe(mmio->tile);
> >> +
> >> + /*
> >> + * All MMIO instances are currently on PCI BAR 0, so we can do the
> >> trick below.
> >> + * In the future we may want to store the physical address in
> >> +struct
> >> xe_mmio.
> >> + */
> >> + return pci_resource_start(to_pci_dev(xe->drm.dev),
> >> GTTMMADR_BAR) +
> >> + (uintptr_t)(mmio->regs - xe->mmio.regs); }
> > Can you please elaborate on which physical addresses are mapped here?
>
> Could you clarify your comment? xe_mmio_gem_create receives an xe_mmio
> struct to map.
> In order to perform the map, we need to extract from xe_mmio the physical
> address of the start of its region and the size of the region.
> xe_mmio_phys_addr calculates this physical address, currently by leveraging
> the fact that xe->mmio.regs points to the start of the BAR. - Ilia
Ok
> >
> >> +
> >> +/**
> >> + * xe_mmio_gem_create - Expose an MMIO region to userspace
> >> + * @mmio: xe_mmio instance
> >> + * @file: DRM file descriptor
> >> + *
> >> + * This function creates a GEM object with an mmap-able fake offset
> >> +that wraps
> >> + * the provided xe_mmio instance.
> >> + *
> >> + * See: "Exposing MMIO regions to userspace"
> >> + */
> >> +struct xe_mmio_gem *
> >> +xe_mmio_gem_create(struct xe_mmio *mmio, struct drm_file *file) {
> >> + struct xe_device *xe = tile_to_xe(mmio->tile);
> >> + size_t size = mmio->regs_size;
> >> + struct xe_mmio_gem *obj;
> >> + struct drm_gem_object *base;
> >> + phys_addr_t phys_addr = xe_mmio_phys_addr(mmio);
> >> + int err;
> >> +
> >> + if ((phys_addr % PAGE_SIZE != 0) || (size % PAGE_SIZE != 0))
> >> + return ERR_PTR(-EINVAL);
> >> +
> >> + obj = kzalloc(sizeof(*obj), GFP_KERNEL);
> >> + if (!obj)
> >> + return ERR_PTR(-ENOMEM);
> >> +
> >> + base = &obj->base;
> >> + base->funcs = &xe_mmio_gem_funcs;
> >> + obj->phys_addr = phys_addr;
> >> +
> >> + drm_gem_private_object_init(&xe->drm, base, size);
> >> +
> >> + err = drm_gem_create_mmap_offset(base);
> >> + if (err)
> >> + goto free_gem;
> >> +
> >> + err = drm_vma_node_allow(&base->vma_node, file);
> >> + if (err)
> >> + goto free_gem;
> >> +
> >> + return obj;
> >> +
> >> +free_gem:
> >> + xe_mmio_gem_free(base);
> >> + return ERR_PTR(err);
> >> +}
> >> +
> >> +static void xe_mmio_gem_free(struct drm_gem_object *base) {
> >> + struct xe_mmio_gem *obj = to_xe_mmio_gem(base);
> >> +
> > We can release the fake offset here.
> >
> > Tejas
>
>
> drm_gem_object_release does that, see:
> https://elixir.bootlin.com/linux/v6.15.5/source/drivers/gpu/drm/drm_gem.c#L983
Yes.
Overall, the change looks good to me:
Reviewed-by: Tejas Upadhyay <tejas.upadhyay at intel.com>
>
> - Ilia
>
> >> + drm_gem_object_release(base);
> >> + kfree(obj);
> >> +}
> >> +
> >> +/**
> >> + * xe_mmio_gem_destroy - Destroy the GEM object wrapping xe_mmio
> >> + * @gem: the GEM object to destroy
> >> + *
> >> + * This function releases resources associated with the GEM object
> >> +created by
> >> + * xe_mmio_gem_create().
> >> + *
> >> + * See: "Exposing MMIO regions to userspace"
> >> + */
> >> +void xe_mmio_gem_destroy(struct xe_mmio_gem *gem) {
> >> + xe_mmio_gem_free(&gem->base);
> >> +}
> >> +
> >> +static int xe_mmio_gem_mmap(struct drm_gem_object *base, struct
> >> +vm_area_struct *vma) {
> >> + if (vma->vm_end - vma->vm_start != base->size)
> >> + return -EINVAL;
> >> +
> >> + if ((vma->vm_flags & VM_SHARED) == 0)
> >> + return -EINVAL;
> >> +
> >> + /* Set vm_pgoff (used as a fake buffer offset by DRM) to 0 */
> >> + vma->vm_pgoff = 0;
> >> + vma->vm_page_prot = pgprot_noncached(vm_get_page_prot(vma-
> >>> vm_flags));
> >> + vm_flags_set(vma, VM_IO | VM_PFNMAP | VM_DONTEXPAND |
> >> VM_DONTDUMP |
> >> + VM_DONTCOPY | VM_NORESERVE);
> >> +
> >> + /* Defer actual mapping to the fault handler. */
> >> + return 0;
> >> +}
> >> +
> >> +static void xe_mmio_gem_release_dummy_page(struct drm_device *dev,
> >> void
> >> +*res) {
> >> + __free_page((struct page *)res);
> >> +}
> >> +
> >> +static vm_fault_t xe_mmio_gem_vm_fault_dummy_page(struct
> >> vm_area_struct
> >> +*vma) {
> >> + struct drm_gem_object *base = vma->vm_private_data;
> >> + struct drm_device *dev = base->dev;
> >> + vm_fault_t ret = VM_FAULT_NOPAGE;
> >> + struct page *page;
> >> + unsigned long pfn;
> >> + unsigned long i;
> >> +
> >> + page = alloc_page(GFP_KERNEL | __GFP_ZERO);
> >> + if (!page)
> >> + return VM_FAULT_OOM;
> >> +
> >> + if (drmm_add_action_or_reset(dev,
> >> xe_mmio_gem_release_dummy_page, page))
> >> + return VM_FAULT_OOM;
> >> +
> >> + pfn = page_to_pfn(page);
> >> +
> >> + /* Map the entire VMA to the same dummy page */
> >> + for (i = 0; i < base->size; i += PAGE_SIZE) {
> >> + unsigned long addr = vma->vm_start + i;
> >> +
> >> + ret = vmf_insert_pfn(vma, addr, pfn);
> >> + if (ret & VM_FAULT_ERROR)
> >> + break;
> >> + }
> >> +
> >> + return ret;
> >> +}
> >> +
> >> +static vm_fault_t xe_mmio_gem_vm_fault(struct vm_fault *vmf) {
> >> + struct vm_area_struct *vma = vmf->vma;
> >> + struct drm_gem_object *base = vma->vm_private_data;
> >> + struct xe_mmio_gem *obj = to_xe_mmio_gem(base);
> >> + struct drm_device *dev = base->dev;
> >> + vm_fault_t ret = VM_FAULT_NOPAGE;
> >> + unsigned long i;
> >> + int idx;
> >> +
> >> + if (!drm_dev_enter(dev, &idx)) {
> >> + /*
> >> + * Provide a dummy page to avoid SIGBUS for events such as
> >> hot-unplug.
> >> + * This gives the userspace the option to recover instead of
> >> crashing.
> >> + * It is assumed the userspace will receive the notification via
> >> some
> >> + * other channel (e.g. drm uevent).
> >> + */
> >> + return xe_mmio_gem_vm_fault_dummy_page(vma);
> >> + }
> >> +
> >> + for (i = 0; i < base->size; i += PAGE_SIZE) {
> >> + unsigned long addr = vma->vm_start + i;
> >> + unsigned long phys_addr = obj->phys_addr + i;
> >> +
> >> + ret = vmf_insert_pfn(vma, addr, PHYS_PFN(phys_addr));
> >> + if (ret & VM_FAULT_ERROR)
> >> + break;
> >> + }
> >> +
> >> + drm_dev_exit(idx);
> >> + return ret;
> >> +}
> >> diff --git a/drivers/gpu/drm/xe/xe_mmio.h
> >> b/drivers/gpu/drm/xe/xe_mmio.h index c151ba569003..2990bbcef24d
> >> 100644
> >> --- a/drivers/gpu/drm/xe/xe_mmio.h
> >> +++ b/drivers/gpu/drm/xe/xe_mmio.h
> >> @@ -8,6 +8,7 @@
> >>
> >> #include "xe_gt_types.h"
> >>
> >> +struct drm_file;
> >> struct xe_device;
> >> struct xe_reg;
> >>
> >> @@ -42,4 +43,7 @@ static inline struct xe_mmio
> >> *xe_root_tile_mmio(struct xe_device *xe)
> >> return &xe->tiles[0].mmio;
> >> }
> >>
> >> +struct xe_mmio_gem *xe_mmio_gem_create(struct xe_mmio *mmio,
> struct
> >> +drm_file *file); void xe_mmio_gem_destroy(struct xe_mmio_gem *gem);
> >> +
> >> #endif
> >> --
> >> 2.43.0
>
More information about the Intel-xe
mailing list