A GpuVaAlloc holds only uninitialised memory with no live VaData and hands out no reference to its contents, so it is Send and Sync unconditionally. A GpuVmBo is refcounted atomically and its deferred put is sound from any thread.
Implement the markers in the abstraction so drivers can move these objects between threads without an unsafe impl of their own. Send for GpuVmBo requires VmBoData: Send because the data is dropped during deferred cleanup, on whichever thread drains the queue. Sync requires both VmBoData: Sync and Object: Sync because the &self data() and obj() accessors hand out &VmBoData and &Object. Signed-off-by: Sami Tolvanen <[email protected]> --- rust/kernel/drm/gpuvm/va.rs | 8 ++++++++ rust/kernel/drm/gpuvm/vm_bo.rs | 15 +++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/rust/kernel/drm/gpuvm/va.rs b/rust/kernel/drm/gpuvm/va.rs index 0b09fe44ab39..dcb2dec4fbdf 100644 --- a/rust/kernel/drm/gpuvm/va.rs +++ b/rust/kernel/drm/gpuvm/va.rs @@ -104,6 +104,14 @@ pub fn vm_bo(&self) -> &GpuVmBo<T> { /// The memory is zeroed. pub struct GpuVaAlloc<T: DriverGpuVm>(KBox<MaybeUninit<GpuVa<T>>>); +// SAFETY: A [`GpuVaAlloc`] is an owned, uninitialised allocation with no live `T::VaData` and no +// thread-bound state. +unsafe impl<T: DriverGpuVm> Send for GpuVaAlloc<T> {} + +// SAFETY: A [`GpuVaAlloc`] has no `&self` method that reaches its contents, so a shared +// `&GpuVaAlloc` cannot access the allocation. +unsafe impl<T: DriverGpuVm> Sync for GpuVaAlloc<T> {} + impl<T: DriverGpuVm> GpuVaAlloc<T> { /// Pre-allocate a [`GpuVa`] object. pub fn new(flags: AllocFlags) -> Result<GpuVaAlloc<T>, AllocError> { diff --git a/rust/kernel/drm/gpuvm/vm_bo.rs b/rust/kernel/drm/gpuvm/vm_bo.rs index c064ac63897b..016b10e3305b 100644 --- a/rust/kernel/drm/gpuvm/vm_bo.rs +++ b/rust/kernel/drm/gpuvm/vm_bo.rs @@ -19,6 +19,21 @@ pub struct GpuVmBo<T: DriverGpuVm> { data: T::VmBoData, } +// SAFETY: The refcount in `self.inner` is atomic, so `dec_ref`'s deferred put is sound from any +// thread. `data` is dropped later by `drm_gpuvm_bo_deferred_cleanup`, on whichever thread drains +// the queue, hence the `T::VmBoData: Send` bound. +unsafe impl<T: DriverGpuVm> Send for GpuVmBo<T> where T::VmBoData: Send {} + +// SAFETY: The fields of `inner` read by shared-reference methods are immutable after construction. +// [`Self::data`] hands out `&T::VmBoData` and [`Self::obj`] hands out `&T::Object`, so sharing +// `&Self` across threads requires both to be `Sync`. +unsafe impl<T: DriverGpuVm> Sync for GpuVmBo<T> +where + T::VmBoData: Sync, + T::Object: Sync, +{ +} + // SAFETY: By type invariants, the allocation is managed by the refcount in `self.inner`. unsafe impl<T: DriverGpuVm> AlwaysRefCounted for GpuVmBo<T> { fn inc_ref(&self) { base-commit: fea3a2dd7d3fc1936211ced5f84420e610435730 -- 2.54.0.1032.g2f8565e1d1-goog
