Moving a GpuVaAlloc or GpuVmBo between threads currently forces drivers to write their own unsafe Send and Sync impls. Provide the markers in the abstraction instead.
GpuVaAlloc wraps only uninitialised memory and exposes none of it, so it is unconditionally Send and Sync. GpuVmBo is an atomically refcounted handle whose accessors hand out the driver data and GEM object by shared reference and whose deferred put drops them, so its Send and Sync impls are bounded on T::VmBoData and T::Object. Signed-off-by: Sami Tolvanen <[email protected]> --- Changes in v2: - Added a missing T::Object: Send + Sync bound pointed out by Sashiko. --- rust/kernel/drm/gpuvm/va.rs | 8 ++++++++ rust/kernel/drm/gpuvm/vm_bo.rs | 21 +++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/rust/kernel/drm/gpuvm/va.rs b/rust/kernel/drm/gpuvm/va.rs index 0b09fe44ab39..dcb2dec4fbdf 100644 --- a/rust/kernel/drm/gpuvm/va.rs +++ b/rust/kernel/drm/gpuvm/va.rs @@ -104,6 +104,14 @@ pub fn vm_bo(&self) -> &GpuVmBo<T> { /// The memory is zeroed. pub struct GpuVaAlloc<T: DriverGpuVm>(KBox<MaybeUninit<GpuVa<T>>>); +// SAFETY: A [`GpuVaAlloc`] is an owned, uninitialised allocation with no live `T::VaData` and no +// thread-bound state. +unsafe impl<T: DriverGpuVm> Send for GpuVaAlloc<T> {} + +// SAFETY: A [`GpuVaAlloc`] has no `&self` method that reaches its contents, so a shared +// `&GpuVaAlloc` cannot access the allocation. +unsafe impl<T: DriverGpuVm> Sync for GpuVaAlloc<T> {} + impl<T: DriverGpuVm> GpuVaAlloc<T> { /// Pre-allocate a [`GpuVa`] object. pub fn new(flags: AllocFlags) -> Result<GpuVaAlloc<T>, AllocError> { diff --git a/rust/kernel/drm/gpuvm/vm_bo.rs b/rust/kernel/drm/gpuvm/vm_bo.rs index c064ac63897b..fa183f6306ff 100644 --- a/rust/kernel/drm/gpuvm/vm_bo.rs +++ b/rust/kernel/drm/gpuvm/vm_bo.rs @@ -19,6 +19,27 @@ pub struct GpuVmBo<T: DriverGpuVm> { data: T::VmBoData, } +// SAFETY: The refcount in `self.inner` is atomic, so `dec_ref`'s deferred put is sound from any +// thread. `drm_gpuvm_bo_deferred_cleanup` drops `data` and the last GEM-object reference on +// whichever thread drains the queue, hence the `T::VmBoData: Send` and `T::Object: Send` bounds. +// [`Self::obj`] hands out `&T::Object` for a shared object, so the move needs `T::Object: Sync`. +unsafe impl<T: DriverGpuVm> Send for GpuVmBo<T> +where + T::VmBoData: Send, + T::Object: Send + Sync, +{ +} + +// SAFETY: The fields of `inner` read by shared-reference methods are immutable after construction. +// [`Self::data`] hands out `&T::VmBoData` and [`Self::obj`] hands out `&T::Object`, so sharing +// `&Self` across threads requires both to be `Sync`. +unsafe impl<T: DriverGpuVm> Sync for GpuVmBo<T> +where + T::VmBoData: Sync, + T::Object: Sync, +{ +} + // SAFETY: By type invariants, the allocation is managed by the refcount in `self.inner`. unsafe impl<T: DriverGpuVm> AlwaysRefCounted for GpuVmBo<T> { fn inc_ref(&self) { base-commit: fea3a2dd7d3fc1936211ced5f84420e610435730 -- 2.54.0.1032.g2f8565e1d1-goog
