[PATCH v4] drm/xe: Support for mmap-ing mmio regions

Upadhyay, Tejas tejas.upadhyay at intel.com
Tue Jul 15 05:05:20 UTC 2025 


> -----Original Message-----
> From: Levi, Ilia <ilia.levi at intel.com>
> Sent: 14 July 2025 17:57
> To: intel-xe at lists.freedesktop.org
> Cc: Levi, Ilia <ilia.levi at intel.com>; Elbaz, Koby <koby.elbaz at intel.com>; Sinyuk,
> Konstantin <konstantin.sinyuk at intel.com>; Avizrat, Yaron
> <yaron.avizrat at intel.com>; Haimovski, Moti <moti.haimovski at intel.com>;
> Freiman, Didi <didi.freiman at intel.com>; Upadhyay, Tejas
> <tejas.upadhyay at intel.com>; Auld, Matthew <matthew.auld at intel.com>;
> Roper, Matthew D <matthew.d.roper at intel.com>; Brost, Matthew
> <matthew.brost at intel.com>
> Subject: [PATCH v4] drm/xe: Support for mmap-ing mmio regions
> 
> Allow the driver to expose hardware register spaces to userspace through
> GEM objects with fake mmap offsets. This can be useful for userspace-
> firmware communication, debugging, etc.
> 
> v2: Minor doc fix (CI)
> v3: Enforce MAP_SHARED (Tejas)
>     Add fault handler with dummy page (Tejas, Matt Auld)
>     Store physical address instead of xe_mmio in the GEM object (MattB)
> v4: Separate xe_mmio_gem from xe_mmio and make it private (MattB)
> 
> Signed-off-by: Ilia Levi <ilia.levi at intel.com>

LGTM, 
Reviewed-by: Tejas Upadhyay <tejas.upadhyay at intel.com>

Tejas
> ---
>  drivers/gpu/drm/xe/Makefile      |   1 +
>  drivers/gpu/drm/xe/xe_mmio_gem.c | 226
> +++++++++++++++++++++++++++++++
> drivers/gpu/drm/xe/xe_mmio_gem.h |  20 +++
>  3 files changed, 247 insertions(+)
>  create mode 100644 drivers/gpu/drm/xe/xe_mmio_gem.c  create mode
> 100644 drivers/gpu/drm/xe/xe_mmio_gem.h
> 
> diff --git a/drivers/gpu/drm/xe/Makefile b/drivers/gpu/drm/xe/Makefile index
> 4bda20f586ed..382aadd4e816 100644
> --- a/drivers/gpu/drm/xe/Makefile
> +++ b/drivers/gpu/drm/xe/Makefile
> @@ -85,6 +85,7 @@ xe-y += xe_bb.o \
>  	xe_lrc.o \
>  	xe_migrate.o \
>  	xe_mmio.o \
> +	xe_mmio_gem.o \
>  	xe_mocs.o \
>  	xe_module.o \
>  	xe_nvm.o \
> diff --git a/drivers/gpu/drm/xe/xe_mmio_gem.c
> b/drivers/gpu/drm/xe/xe_mmio_gem.c
> new file mode 100644
> index 000000000000..9a97c4387e4f
> --- /dev/null
> +++ b/drivers/gpu/drm/xe/xe_mmio_gem.c
> @@ -0,0 +1,226 @@
> +// SPDX-License-Identifier: MIT
> +/*
> + * Copyright © 2025 Intel Corporation
> + */
> +
> +#include "xe_mmio_gem.h"
> +
> +#include <drm/drm_drv.h>
> +#include <drm/drm_gem.h>
> +#include <drm/drm_managed.h>
> +
> +#include "xe_device_types.h"
> +
> +/**
> + * DOC: Exposing MMIO regions to userspace
> + *
> + * In certain cases, the driver may allow userspace to mmap a portion of the
> hardware registers.
> + *
> + * This can be done as follows:
> + * 1. Call xe_mmio_gem_create() to create a GEM object with an mmap-able
> fake offset.
> + * 2. Use xe_mmio_gem_mmap_offset() on the created GEM object to
> retrieve the fake offset.
> + * 3. Provide the fake offset to userspace.
> + * 4. Userspace can call mmap with the fake offset. The length provided to
> mmap
> + *    must match the size of the GEM object.
> + * 5. When the region is no longer needed, call xe_mmio_gem_destroy() to
> release the GEM object.
> + *
> + * NOTE: The exposed MMIO region must be page-aligned with regards to its
> BAR offset and size.
> + *
> + * WARNING: Exposing MMIO regions to userspace can have security and
> stability implications.
> + * Make sure not to expose any sensitive registers.
> + */
> +
> +static void xe_mmio_gem_free(struct drm_gem_object *); static int
> +xe_mmio_gem_mmap(struct drm_gem_object *, struct vm_area_struct *);
> +static vm_fault_t xe_mmio_gem_vm_fault(struct vm_fault *);
> +
> +struct xe_mmio_gem {
> +	struct drm_gem_object base;
> +	phys_addr_t phys_addr;
> +};
> +
> +static const struct vm_operations_struct vm_ops = {
> +	.open = drm_gem_vm_open,
> +	.close = drm_gem_vm_close,
> +	.fault = xe_mmio_gem_vm_fault,
> +};
> +
> +static const struct drm_gem_object_funcs xe_mmio_gem_funcs = {
> +	.free = xe_mmio_gem_free,
> +	.mmap = xe_mmio_gem_mmap,
> +	.vm_ops = &vm_ops,
> +};
> +
> +static inline struct xe_mmio_gem *to_xe_mmio_gem(struct drm_gem_object
> +*obj) {
> +	return container_of(obj, struct xe_mmio_gem, base); }
> +
> +/**
> + * xe_mmio_gem_create - Expose an MMIO region to userspace
> + * @xe: The xe device
> + * @file: DRM file descriptor
> + * @phys_addr: Start of the exposed MMIO region
> + * @size: The size of the exposed MMIO region
> + *
> + * This function creates a GEM object that exposes an MMIO region with
> +an mmap-able
> + * fake offset.
> + *
> + * See: "Exposing MMIO regions to userspace"
> + */
> +struct xe_mmio_gem *xe_mmio_gem_create(struct xe_device *xe, struct
> drm_file *file,
> +				       phys_addr_t phys_addr, size_t size) {
> +	struct xe_mmio_gem *obj;
> +	struct drm_gem_object *base;
> +	int err;
> +
> +	if ((phys_addr % PAGE_SIZE != 0) || (size % PAGE_SIZE != 0))
> +		return ERR_PTR(-EINVAL);
> +
> +	obj = kzalloc(sizeof(*obj), GFP_KERNEL);
> +	if (!obj)
> +		return ERR_PTR(-ENOMEM);
> +
> +	base = &obj->base;
> +	base->funcs = &xe_mmio_gem_funcs;
> +	obj->phys_addr = phys_addr;
> +
> +	drm_gem_private_object_init(&xe->drm, base, size);
> +
> +	err = drm_gem_create_mmap_offset(base);
> +	if (err)
> +		goto free_gem;
> +
> +	err = drm_vma_node_allow(&base->vma_node, file);
> +	if (err)
> +		goto free_gem;
> +
> +	return obj;
> +
> +free_gem:
> +	xe_mmio_gem_free(base);
> +	return ERR_PTR(err);
> +}
> +
> +/**
> + * xe_mmio_gem_mmap_offset - Return the mmap-able fake offset
> + * @gem: the GEM object created with xe_mmio_gem_create()
> + *
> + * This function returns the mmap-able fake offset allocated during
> + * xe_mmio_gem_create().
> + *
> + * See: "Exposing MMIO regions to userspace"
> + */
> +u64 xe_mmio_gem_mmap_offset(struct xe_mmio_gem *gem) {
> +	return drm_vma_node_offset_addr(&gem->base.vma_node);
> +}
> +
> +static void xe_mmio_gem_free(struct drm_gem_object *base) {
> +	struct xe_mmio_gem *obj = to_xe_mmio_gem(base);
> +
> +	drm_gem_object_release(base);
> +	kfree(obj);
> +}
> +
> +/**
> + * xe_mmio_gem_destroy - Destroy the GEM object that exposes an MMIO
> +region
> + * @gem: the GEM object to destroy
> + *
> + * This function releases resources associated with the GEM object
> +created by
> + * xe_mmio_gem_create().
> + *
> + * See: "Exposing MMIO regions to userspace"
> + */
> +void xe_mmio_gem_destroy(struct xe_mmio_gem *gem) {
> +	xe_mmio_gem_free(&gem->base);
> +}
> +
> +static int xe_mmio_gem_mmap(struct drm_gem_object *base, struct
> +vm_area_struct *vma) {
> +	if (vma->vm_end - vma->vm_start != base->size)
> +		return -EINVAL;
> +
> +	if ((vma->vm_flags & VM_SHARED) == 0)
> +		return -EINVAL;
> +
> +	/* Set vm_pgoff (used as a fake buffer offset by DRM) to 0 */
> +	vma->vm_pgoff = 0;
> +	vma->vm_page_prot = pgprot_noncached(vm_get_page_prot(vma-
> >vm_flags));
> +	vm_flags_set(vma, VM_IO | VM_PFNMAP | VM_DONTEXPAND |
> VM_DONTDUMP |
> +		     VM_DONTCOPY | VM_NORESERVE);
> +
> +	/* Defer actual mapping to the fault handler. */
> +	return 0;
> +}
> +
> +static void xe_mmio_gem_release_dummy_page(struct drm_device *dev,
> void
> +*res) {
> +	__free_page((struct page *)res);
> +}
> +
> +static vm_fault_t xe_mmio_gem_vm_fault_dummy_page(struct
> vm_area_struct
> +*vma) {
> +	struct drm_gem_object *base = vma->vm_private_data;
> +	struct drm_device *dev = base->dev;
> +	vm_fault_t ret = VM_FAULT_NOPAGE;
> +	struct page *page;
> +	unsigned long pfn;
> +	unsigned long i;
> +
> +	page = alloc_page(GFP_KERNEL | __GFP_ZERO);
> +	if (!page)
> +		return VM_FAULT_OOM;
> +
> +	if (drmm_add_action_or_reset(dev,
> xe_mmio_gem_release_dummy_page, page))
> +		return VM_FAULT_OOM;
> +
> +	pfn = page_to_pfn(page);
> +
> +	/* Map the entire VMA to the same dummy page */
> +	for (i = 0; i < base->size; i += PAGE_SIZE) {
> +		unsigned long addr = vma->vm_start + i;
> +
> +		ret = vmf_insert_pfn(vma, addr, pfn);
> +		if (ret & VM_FAULT_ERROR)
> +			break;
> +	}
> +
> +	return ret;
> +}
> +
> +static vm_fault_t xe_mmio_gem_vm_fault(struct vm_fault *vmf) {
> +	struct vm_area_struct *vma = vmf->vma;
> +	struct drm_gem_object *base = vma->vm_private_data;
> +	struct xe_mmio_gem *obj = to_xe_mmio_gem(base);
> +	struct drm_device *dev = base->dev;
> +	vm_fault_t ret = VM_FAULT_NOPAGE;
> +	unsigned long i;
> +	int idx;
> +
> +	if (!drm_dev_enter(dev, &idx)) {
> +		/*
> +		 * Provide a dummy page to avoid SIGBUS for events such as
> hot-unplug.
> +		 * This gives the userspace the option to recover instead of
> crashing.
> +		 * It is assumed the userspace will receive the notification via
> some
> +		 * other channel (e.g. drm uevent).
> +		 */
> +		return xe_mmio_gem_vm_fault_dummy_page(vma);
> +	}
> +
> +	for (i = 0; i < base->size; i += PAGE_SIZE) {
> +		unsigned long addr = vma->vm_start + i;
> +		unsigned long phys_addr = obj->phys_addr + i;
> +
> +		ret = vmf_insert_pfn(vma, addr, PHYS_PFN(phys_addr));
> +		if (ret & VM_FAULT_ERROR)
> +			break;
> +	}
> +
> +	drm_dev_exit(idx);
> +	return ret;
> +}
> diff --git a/drivers/gpu/drm/xe/xe_mmio_gem.h
> b/drivers/gpu/drm/xe/xe_mmio_gem.h
> new file mode 100644
> index 000000000000..4b76d5586ebb
> --- /dev/null
> +++ b/drivers/gpu/drm/xe/xe_mmio_gem.h
> @@ -0,0 +1,20 @@
> +/* SPDX-License-Identifier: MIT */
> +/*
> + * Copyright © 2025 Intel Corporation
> + */
> +
> +#ifndef _XE_MMIO_GEM_H_
> +#define _XE_MMIO_GEM_H_
> +
> +#include <linux/types.h>
> +
> +struct drm_file;
> +struct xe_device;
> +struct xe_mmio_gem;
> +
> +struct xe_mmio_gem *xe_mmio_gem_create(struct xe_device *xe, struct
> drm_file *file,
> +				       phys_addr_t phys_addr, size_t size);
> +u64 xe_mmio_gem_mmap_offset(struct xe_mmio_gem *gem); void
> +xe_mmio_gem_destroy(struct xe_mmio_gem *gem);
> +
> +#endif /* _XE_MMIO_GEM_H_ */
> --
> 2.43.0

More information about the Intel-xe mailing list