Moving a GpuVaAlloc or GpuVmBo between threads currently forces drivers to write their own unsafe Send and Sync impls. Provide the markers in the abstraction instead.
GpuVaAlloc wraps only uninitialised memory and exposes none of it, so it is unconditionally Send and Sync. GpuVmBo is an atomically refcounted handle whose accessors hand out the driver data and GEM object by shared reference and whose deferred put drops them, so its Send and Sync impls are bounded on T::VmBoData and T::Object. Signed-off-by: Sami Tolvanen <[email protected]> --- rust/kernel/drm/gpuvm/va.rs | 8 ++++++++ rust/kernel/drm/gpuvm/vm_bo.rs | 22 ++++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/rust/kernel/drm/gpuvm/va.rs b/rust/kernel/drm/gpuvm/va.rs index 0b09fe44ab39..b108ec7aa1bc 100644 --- a/rust/kernel/drm/gpuvm/va.rs +++ b/rust/kernel/drm/gpuvm/va.rs @@ -104,6 +104,14 @@ pub fn vm_bo(&self) -> &GpuVmBo<T> { /// The memory is zeroed. pub struct GpuVaAlloc<T: DriverGpuVm>(KBox<MaybeUninit<GpuVa<T>>>); +// SAFETY: A `GpuVaAlloc` is an owned, uninitialised allocation with no live `T::VaData` and no +// thread-bound state. +unsafe impl<T: DriverGpuVm> Send for GpuVaAlloc<T> {} + +// SAFETY: A `GpuVaAlloc` has no `&self` method that reaches its contents, so a shared +// `&GpuVaAlloc` cannot access the allocation. +unsafe impl<T: DriverGpuVm> Sync for GpuVaAlloc<T> {} + impl<T: DriverGpuVm> GpuVaAlloc<T> { /// Pre-allocate a [`GpuVa`] object. pub fn new(flags: AllocFlags) -> Result<GpuVaAlloc<T>, AllocError> { diff --git a/rust/kernel/drm/gpuvm/vm_bo.rs b/rust/kernel/drm/gpuvm/vm_bo.rs index c064ac63897b..c5e3bb44a2ee 100644 --- a/rust/kernel/drm/gpuvm/vm_bo.rs +++ b/rust/kernel/drm/gpuvm/vm_bo.rs @@ -19,6 +19,28 @@ pub struct GpuVmBo<T: DriverGpuVm> { data: T::VmBoData, } +// SAFETY: It is safe to send a `GpuVmBo<T>` to another thread when `T::VmBoData` and `T::Object` +// are `Sync` because `data()` and `obj()` share `&T::VmBoData` and `&T::Object`; they must also be +// `Send` because the last reference drop runs their destructors on whichever thread drains the +// deferred-cleanup queue. +unsafe impl<T: DriverGpuVm> Send for GpuVmBo<T> +where + T::VmBoData: Send + Sync, + T::Object: Send + Sync, +{ +} + +// SAFETY: It is safe to send `&GpuVmBo<T>` to another thread when `T::VmBoData` and `T::Object` are +// `Sync` because `data()` and `obj()` share `&T::VmBoData` and `&T::Object`; they must also be +// `Send` because any thread with a `&GpuVmBo<T>` can clone it via `ARef::from`, whose last drop +// runs their destructors on whichever thread drains the deferred-cleanup queue. +unsafe impl<T: DriverGpuVm> Sync for GpuVmBo<T> +where + T::VmBoData: Send + Sync, + T::Object: Send + Sync, +{ +} + // SAFETY: By type invariants, the allocation is managed by the refcount in `self.inner`. unsafe impl<T: DriverGpuVm> AlwaysRefCounted for GpuVmBo<T> { fn inc_ref(&self) { -- 2.54.0.1099.g489fc7bff1-goog
