453 строки
21 KiB
ReStructuredText
453 строки
21 KiB
ReStructuredText
.. _hmm:
|
|
|
|
=====================================
|
|
Heterogeneous Memory Management (HMM)
|
|
=====================================
|
|
|
|
Provide infrastructure and helpers to integrate non-conventional memory (device
|
|
memory like GPU on board memory) into regular kernel path, with the cornerstone
|
|
of this being specialized struct page for such memory (see sections 5 to 7 of
|
|
this document).
|
|
|
|
HMM also provides optional helpers for SVM (Share Virtual Memory), i.e.,
|
|
allowing a device to transparently access program addresses coherently with
|
|
the CPU meaning that any valid pointer on the CPU is also a valid pointer
|
|
for the device. This is becoming mandatory to simplify the use of advanced
|
|
heterogeneous computing where GPU, DSP, or FPGA are used to perform various
|
|
computations on behalf of a process.
|
|
|
|
This document is divided as follows: in the first section I expose the problems
|
|
related to using device specific memory allocators. In the second section, I
|
|
expose the hardware limitations that are inherent to many platforms. The third
|
|
section gives an overview of the HMM design. The fourth section explains how
|
|
CPU page-table mirroring works and the purpose of HMM in this context. The
|
|
fifth section deals with how device memory is represented inside the kernel.
|
|
Finally, the last section presents a new migration helper that allows
|
|
leveraging the device DMA engine.
|
|
|
|
.. contents:: :local:
|
|
|
|
Problems of using a device specific memory allocator
|
|
====================================================
|
|
|
|
Devices with a large amount of on board memory (several gigabytes) like GPUs
|
|
have historically managed their memory through dedicated driver specific APIs.
|
|
This creates a disconnect between memory allocated and managed by a device
|
|
driver and regular application memory (private anonymous, shared memory, or
|
|
regular file backed memory). From here on I will refer to this aspect as split
|
|
address space. I use shared address space to refer to the opposite situation:
|
|
i.e., one in which any application memory region can be used by a device
|
|
transparently.
|
|
|
|
Split address space happens because devices can only access memory allocated
|
|
through a device specific API. This implies that all memory objects in a program
|
|
are not equal from the device point of view which complicates large programs
|
|
that rely on a wide set of libraries.
|
|
|
|
Concretely, this means that code that wants to leverage devices like GPUs needs
|
|
to copy objects between generically allocated memory (malloc, mmap private, mmap
|
|
share) and memory allocated through the device driver API (this still ends up
|
|
with an mmap but of the device file).
|
|
|
|
For flat data sets (array, grid, image, ...) this isn't too hard to achieve but
|
|
for complex data sets (list, tree, ...) it's hard to get right. Duplicating a
|
|
complex data set needs to re-map all the pointer relations between each of its
|
|
elements. This is error prone and programs get harder to debug because of the
|
|
duplicate data set and addresses.
|
|
|
|
Split address space also means that libraries cannot transparently use data
|
|
they are getting from the core program or another library and thus each library
|
|
might have to duplicate its input data set using the device specific memory
|
|
allocator. Large projects suffer from this and waste resources because of the
|
|
various memory copies.
|
|
|
|
Duplicating each library API to accept as input or output memory allocated by
|
|
each device specific allocator is not a viable option. It would lead to a
|
|
combinatorial explosion in the library entry points.
|
|
|
|
Finally, with the advance of high level language constructs (in C++ but in
|
|
other languages too) it is now possible for the compiler to leverage GPUs and
|
|
other devices without programmer knowledge. Some compiler identified patterns
|
|
are only do-able with a shared address space. It is also more reasonable to use
|
|
a shared address space for all other patterns.
|
|
|
|
|
|
I/O bus, device memory characteristics
|
|
======================================
|
|
|
|
I/O buses cripple shared address spaces due to a few limitations. Most I/O
|
|
buses only allow basic memory access from device to main memory; even cache
|
|
coherency is often optional. Access to device memory from a CPU is even more
|
|
limited. More often than not, it is not cache coherent.
|
|
|
|
If we only consider the PCIE bus, then a device can access main memory (often
|
|
through an IOMMU) and be cache coherent with the CPUs. However, it only allows
|
|
a limited set of atomic operations from the device on main memory. This is worse
|
|
in the other direction: the CPU can only access a limited range of the device
|
|
memory and cannot perform atomic operations on it. Thus device memory cannot
|
|
be considered the same as regular memory from the kernel point of view.
|
|
|
|
Another crippling factor is the limited bandwidth (~32GBytes/s with PCIE 4.0
|
|
and 16 lanes). This is 33 times less than the fastest GPU memory (1 TBytes/s).
|
|
The final limitation is latency. Access to main memory from the device has an
|
|
order of magnitude higher latency than when the device accesses its own memory.
|
|
|
|
Some platforms are developing new I/O buses or additions/modifications to PCIE
|
|
to address some of these limitations (OpenCAPI, CCIX). They mainly allow
|
|
two-way cache coherency between CPU and device and allow all atomic operations the
|
|
architecture supports. Sadly, not all platforms are following this trend and
|
|
some major architectures are left without hardware solutions to these problems.
|
|
|
|
So for shared address space to make sense, not only must we allow devices to
|
|
access any memory but we must also permit any memory to be migrated to device
|
|
memory while the device is using it (blocking CPU access while it happens).
|
|
|
|
|
|
Shared address space and migration
|
|
==================================
|
|
|
|
HMM intends to provide two main features. The first one is to share the address
|
|
space by duplicating the CPU page table in the device page table so the same
|
|
address points to the same physical memory for any valid main memory address in
|
|
the process address space.
|
|
|
|
To achieve this, HMM offers a set of helpers to populate the device page table
|
|
while keeping track of CPU page table updates. Device page table updates are
|
|
not as easy as CPU page table updates. To update the device page table, you must
|
|
allocate a buffer (or use a pool of pre-allocated buffers) and write GPU
|
|
specific commands in it to perform the update (unmap, cache invalidations, and
|
|
flush, ...). This cannot be done through common code for all devices. Hence
|
|
why HMM provides helpers to factor out everything that can be while leaving the
|
|
hardware specific details to the device driver.
|
|
|
|
The second mechanism HMM provides is a new kind of ZONE_DEVICE memory that
|
|
allows allocating a struct page for each page of device memory. Those pages
|
|
are special because the CPU cannot map them. However, they allow migrating
|
|
main memory to device memory using existing migration mechanisms and everything
|
|
looks like a page that is swapped out to disk from the CPU point of view. Using a
|
|
struct page gives the easiest and cleanest integration with existing mm
|
|
mechanisms. Here again, HMM only provides helpers, first to hotplug new ZONE_DEVICE
|
|
memory for the device memory and second to perform migration. Policy decisions
|
|
of what and when to migrate is left to the device driver.
|
|
|
|
Note that any CPU access to a device page triggers a page fault and a migration
|
|
back to main memory. For example, when a page backing a given CPU address A is
|
|
migrated from a main memory page to a device page, then any CPU access to
|
|
address A triggers a page fault and initiates a migration back to main memory.
|
|
|
|
With these two features, HMM not only allows a device to mirror process address
|
|
space and keeps both CPU and device page tables synchronized, but also
|
|
leverages device memory by migrating the part of the data set that is actively being
|
|
used by the device.
|
|
|
|
|
|
Address space mirroring implementation and API
|
|
==============================================
|
|
|
|
Address space mirroring's main objective is to allow duplication of a range of
|
|
CPU page table into a device page table; HMM helps keep both synchronized. A
|
|
device driver that wants to mirror a process address space must start with the
|
|
registration of a mmu_interval_notifier::
|
|
|
|
int mmu_interval_notifier_insert(struct mmu_interval_notifier *interval_sub,
|
|
struct mm_struct *mm, unsigned long start,
|
|
unsigned long length,
|
|
const struct mmu_interval_notifier_ops *ops);
|
|
|
|
During the ops->invalidate() callback the device driver must perform the
|
|
update action to the range (mark range read only, or fully unmap, etc.). The
|
|
device must complete the update before the driver callback returns.
|
|
|
|
When the device driver wants to populate a range of virtual addresses, it can
|
|
use::
|
|
|
|
int hmm_range_fault(struct hmm_range *range);
|
|
|
|
It will trigger a page fault on missing or read-only entries if write access is
|
|
requested (see below). Page faults use the generic mm page fault code path just
|
|
like a CPU page fault.
|
|
|
|
Both functions copy CPU page table entries into their pfns array argument. Each
|
|
entry in that array corresponds to an address in the virtual range. HMM
|
|
provides a set of flags to help the driver identify special CPU page table
|
|
entries.
|
|
|
|
Locking within the sync_cpu_device_pagetables() callback is the most important
|
|
aspect the driver must respect in order to keep things properly synchronized.
|
|
The usage pattern is::
|
|
|
|
int driver_populate_range(...)
|
|
{
|
|
struct hmm_range range;
|
|
...
|
|
|
|
range.notifier = &interval_sub;
|
|
range.start = ...;
|
|
range.end = ...;
|
|
range.hmm_pfns = ...;
|
|
|
|
if (!mmget_not_zero(interval_sub->notifier.mm))
|
|
return -EFAULT;
|
|
|
|
again:
|
|
range.notifier_seq = mmu_interval_read_begin(&interval_sub);
|
|
mmap_read_lock(mm);
|
|
ret = hmm_range_fault(&range);
|
|
if (ret) {
|
|
mmap_read_unlock(mm);
|
|
if (ret == -EBUSY)
|
|
goto again;
|
|
return ret;
|
|
}
|
|
mmap_read_unlock(mm);
|
|
|
|
take_lock(driver->update);
|
|
if (mmu_interval_read_retry(&ni, range.notifier_seq) {
|
|
release_lock(driver->update);
|
|
goto again;
|
|
}
|
|
|
|
/* Use pfns array content to update device page table,
|
|
* under the update lock */
|
|
|
|
release_lock(driver->update);
|
|
return 0;
|
|
}
|
|
|
|
The driver->update lock is the same lock that the driver takes inside its
|
|
invalidate() callback. That lock must be held before calling
|
|
mmu_interval_read_retry() to avoid any race with a concurrent CPU page table
|
|
update.
|
|
|
|
Leverage default_flags and pfn_flags_mask
|
|
=========================================
|
|
|
|
The hmm_range struct has 2 fields, default_flags and pfn_flags_mask, that specify
|
|
fault or snapshot policy for the whole range instead of having to set them
|
|
for each entry in the pfns array.
|
|
|
|
For instance if the device driver wants pages for a range with at least read
|
|
permission, it sets::
|
|
|
|
range->default_flags = HMM_PFN_REQ_FAULT;
|
|
range->pfn_flags_mask = 0;
|
|
|
|
and calls hmm_range_fault() as described above. This will fill fault all pages
|
|
in the range with at least read permission.
|
|
|
|
Now let's say the driver wants to do the same except for one page in the range for
|
|
which it wants to have write permission. Now driver set::
|
|
|
|
range->default_flags = HMM_PFN_REQ_FAULT;
|
|
range->pfn_flags_mask = HMM_PFN_REQ_WRITE;
|
|
range->pfns[index_of_write] = HMM_PFN_REQ_WRITE;
|
|
|
|
With this, HMM will fault in all pages with at least read (i.e., valid) and for the
|
|
address == range->start + (index_of_write << PAGE_SHIFT) it will fault with
|
|
write permission i.e., if the CPU pte does not have write permission set then HMM
|
|
will call handle_mm_fault().
|
|
|
|
After hmm_range_fault completes the flag bits are set to the current state of
|
|
the page tables, ie HMM_PFN_VALID | HMM_PFN_WRITE will be set if the page is
|
|
writable.
|
|
|
|
|
|
Represent and manage device memory from core kernel point of view
|
|
=================================================================
|
|
|
|
Several different designs were tried to support device memory. The first one
|
|
used a device specific data structure to keep information about migrated memory
|
|
and HMM hooked itself in various places of mm code to handle any access to
|
|
addresses that were backed by device memory. It turns out that this ended up
|
|
replicating most of the fields of struct page and also needed many kernel code
|
|
paths to be updated to understand this new kind of memory.
|
|
|
|
Most kernel code paths never try to access the memory behind a page
|
|
but only care about struct page contents. Because of this, HMM switched to
|
|
directly using struct page for device memory which left most kernel code paths
|
|
unaware of the difference. We only need to make sure that no one ever tries to
|
|
map those pages from the CPU side.
|
|
|
|
Migration to and from device memory
|
|
===================================
|
|
|
|
Because the CPU cannot access device memory directly, the device driver must
|
|
use hardware DMA or device specific load/store instructions to migrate data.
|
|
The migrate_vma_setup(), migrate_vma_pages(), and migrate_vma_finalize()
|
|
functions are designed to make drivers easier to write and to centralize common
|
|
code across drivers.
|
|
|
|
Before migrating pages to device private memory, special device private
|
|
``struct page`` need to be created. These will be used as special "swap"
|
|
page table entries so that a CPU process will fault if it tries to access
|
|
a page that has been migrated to device private memory.
|
|
|
|
These can be allocated and freed with::
|
|
|
|
struct resource *res;
|
|
struct dev_pagemap pagemap;
|
|
|
|
res = request_free_mem_region(&iomem_resource, /* number of bytes */,
|
|
"name of driver resource");
|
|
pagemap.type = MEMORY_DEVICE_PRIVATE;
|
|
pagemap.range.start = res->start;
|
|
pagemap.range.end = res->end;
|
|
pagemap.nr_range = 1;
|
|
pagemap.ops = &device_devmem_ops;
|
|
memremap_pages(&pagemap, numa_node_id());
|
|
|
|
memunmap_pages(&pagemap);
|
|
release_mem_region(pagemap.range.start, range_len(&pagemap.range));
|
|
|
|
There are also devm_request_free_mem_region(), devm_memremap_pages(),
|
|
devm_memunmap_pages(), and devm_release_mem_region() when the resources can
|
|
be tied to a ``struct device``.
|
|
|
|
The overall migration steps are similar to migrating NUMA pages within system
|
|
memory (see :ref:`Page migration <page_migration>`) but the steps are split
|
|
between device driver specific code and shared common code:
|
|
|
|
1. ``mmap_read_lock()``
|
|
|
|
The device driver has to pass a ``struct vm_area_struct`` to
|
|
migrate_vma_setup() so the mmap_read_lock() or mmap_write_lock() needs to
|
|
be held for the duration of the migration.
|
|
|
|
2. ``migrate_vma_setup(struct migrate_vma *args)``
|
|
|
|
The device driver initializes the ``struct migrate_vma`` fields and passes
|
|
the pointer to migrate_vma_setup(). The ``args->flags`` field is used to
|
|
filter which source pages should be migrated. For example, setting
|
|
``MIGRATE_VMA_SELECT_SYSTEM`` will only migrate system memory and
|
|
``MIGRATE_VMA_SELECT_DEVICE_PRIVATE`` will only migrate pages residing in
|
|
device private memory. If the latter flag is set, the ``args->pgmap_owner``
|
|
field is used to identify device private pages owned by the driver. This
|
|
avoids trying to migrate device private pages residing in other devices.
|
|
Currently only anonymous private VMA ranges can be migrated to or from
|
|
system memory and device private memory.
|
|
|
|
One of the first steps migrate_vma_setup() does is to invalidate other
|
|
device's MMUs with the ``mmu_notifier_invalidate_range_start(()`` and
|
|
``mmu_notifier_invalidate_range_end()`` calls around the page table
|
|
walks to fill in the ``args->src`` array with PFNs to be migrated.
|
|
The ``invalidate_range_start()`` callback is passed a
|
|
``struct mmu_notifier_range`` with the ``event`` field set to
|
|
``MMU_NOTIFY_MIGRATE`` and the ``owner`` field set to
|
|
the ``args->pgmap_owner`` field passed to migrate_vma_setup(). This is
|
|
allows the device driver to skip the invalidation callback and only
|
|
invalidate device private MMU mappings that are actually migrating.
|
|
This is explained more in the next section.
|
|
|
|
While walking the page tables, a ``pte_none()`` or ``is_zero_pfn()``
|
|
entry results in a valid "zero" PFN stored in the ``args->src`` array.
|
|
This lets the driver allocate device private memory and clear it instead
|
|
of copying a page of zeros. Valid PTE entries to system memory or
|
|
device private struct pages will be locked with ``lock_page()``, isolated
|
|
from the LRU (if system memory since device private pages are not on
|
|
the LRU), unmapped from the process, and a special migration PTE is
|
|
inserted in place of the original PTE.
|
|
migrate_vma_setup() also clears the ``args->dst`` array.
|
|
|
|
3. The device driver allocates destination pages and copies source pages to
|
|
destination pages.
|
|
|
|
The driver checks each ``src`` entry to see if the ``MIGRATE_PFN_MIGRATE``
|
|
bit is set and skips entries that are not migrating. The device driver
|
|
can also choose to skip migrating a page by not filling in the ``dst``
|
|
array for that page.
|
|
|
|
The driver then allocates either a device private struct page or a
|
|
system memory page, locks the page with ``lock_page()``, and fills in the
|
|
``dst`` array entry with::
|
|
|
|
dst[i] = migrate_pfn(page_to_pfn(dpage)) | MIGRATE_PFN_LOCKED;
|
|
|
|
Now that the driver knows that this page is being migrated, it can
|
|
invalidate device private MMU mappings and copy device private memory
|
|
to system memory or another device private page. The core Linux kernel
|
|
handles CPU page table invalidations so the device driver only has to
|
|
invalidate its own MMU mappings.
|
|
|
|
The driver can use ``migrate_pfn_to_page(src[i])`` to get the
|
|
``struct page`` of the source and either copy the source page to the
|
|
destination or clear the destination device private memory if the pointer
|
|
is ``NULL`` meaning the source page was not populated in system memory.
|
|
|
|
4. ``migrate_vma_pages()``
|
|
|
|
This step is where the migration is actually "committed".
|
|
|
|
If the source page was a ``pte_none()`` or ``is_zero_pfn()`` page, this
|
|
is where the newly allocated page is inserted into the CPU's page table.
|
|
This can fail if a CPU thread faults on the same page. However, the page
|
|
table is locked and only one of the new pages will be inserted.
|
|
The device driver will see that the ``MIGRATE_PFN_MIGRATE`` bit is cleared
|
|
if it loses the race.
|
|
|
|
If the source page was locked, isolated, etc. the source ``struct page``
|
|
information is now copied to destination ``struct page`` finalizing the
|
|
migration on the CPU side.
|
|
|
|
5. Device driver updates device MMU page tables for pages still migrating,
|
|
rolling back pages not migrating.
|
|
|
|
If the ``src`` entry still has ``MIGRATE_PFN_MIGRATE`` bit set, the device
|
|
driver can update the device MMU and set the write enable bit if the
|
|
``MIGRATE_PFN_WRITE`` bit is set.
|
|
|
|
6. ``migrate_vma_finalize()``
|
|
|
|
This step replaces the special migration page table entry with the new
|
|
page's page table entry and releases the reference to the source and
|
|
destination ``struct page``.
|
|
|
|
7. ``mmap_read_unlock()``
|
|
|
|
The lock can now be released.
|
|
|
|
Exclusive access memory
|
|
=======================
|
|
|
|
Some devices have features such as atomic PTE bits that can be used to implement
|
|
atomic access to system memory. To support atomic operations to a shared virtual
|
|
memory page such a device needs access to that page which is exclusive of any
|
|
userspace access from the CPU. The ``make_device_exclusive_range()`` function
|
|
can be used to make a memory range inaccessible from userspace.
|
|
|
|
This replaces all mappings for pages in the given range with special swap
|
|
entries. Any attempt to access the swap entry results in a fault which is
|
|
resovled by replacing the entry with the original mapping. A driver gets
|
|
notified that the mapping has been changed by MMU notifiers, after which point
|
|
it will no longer have exclusive access to the page. Exclusive access is
|
|
guranteed to last until the driver drops the page lock and page reference, at
|
|
which point any CPU faults on the page may proceed as described.
|
|
|
|
Memory cgroup (memcg) and rss accounting
|
|
========================================
|
|
|
|
For now, device memory is accounted as any regular page in rss counters (either
|
|
anonymous if device page is used for anonymous, file if device page is used for
|
|
file backed page, or shmem if device page is used for shared memory). This is a
|
|
deliberate choice to keep existing applications, that might start using device
|
|
memory without knowing about it, running unimpacted.
|
|
|
|
A drawback is that the OOM killer might kill an application using a lot of
|
|
device memory and not a lot of regular system memory and thus not freeing much
|
|
system memory. We want to gather more real world experience on how applications
|
|
and system react under memory pressure in the presence of device memory before
|
|
deciding to account device memory differently.
|
|
|
|
|
|
Same decision was made for memory cgroup. Device memory pages are accounted
|
|
against same memory cgroup a regular page would be accounted to. This does
|
|
simplify migration to and from device memory. This also means that migration
|
|
back from device memory to regular memory cannot fail because it would
|
|
go above memory cgroup limit. We might revisit this choice latter on once we
|
|
get more experience in how device memory is used and its impact on memory
|
|
resource control.
|
|
|
|
|
|
Note that device memory can never be pinned by a device driver nor through GUP
|
|
and thus such memory is always free upon process exit. Or when last reference
|
|
is dropped in case of shared memory or file backed memory.
|