Heterogeneous Memory Management (HMM)

Provide infrastructure and helpers to integrate non-conventional memory (devicememory like GPU on board memory) into regular kernel path, with the cornerstoneof this being specializedstructpage for such memory (see sections 5 to 7 ofthis document).

HMM also provides optional helpers for SVM (Share Virtual Memory), i.e.,allowing a device to transparently access program addresses coherently withthe CPU meaning that any valid pointer on the CPU is also a valid pointerfor the device. This is becoming mandatory to simplify the use of advancedheterogeneous computing where GPU, DSP, or FPGA are used to perform variouscomputations on behalf of a process.

This document is divided as follows: in the first section I expose the problemsrelated to using device specific memory allocators. In the second section, Iexpose the hardware limitations that are inherent to many platforms. The thirdsection gives an overview of the HMM design. The fourth section explains howCPU page-table mirroring works and the purpose of HMM in this context. Thefifth section deals with how device memory is represented inside the kernel.Finally, the last section presents a new migration helper that allowsleveraging the device DMA engine.

Problems of using a device specific memory allocator

Devices with a large amount of on board memory (several gigabytes) like GPUshave historically managed their memory through dedicated driver specific APIs.This creates a disconnect between memory allocated and managed by a devicedriver and regular application memory (private anonymous, shared memory, orregular file backed memory). From here on I will refer to this aspect as splitaddress space. I use shared address space to refer to the opposite situation:i.e., one in which any application memory region can be used by a devicetransparently.

Split address space happens because devices can only access memory allocatedthrough a device specific API. This implies that all memory objects in a programare not equal from the device point of view which complicates large programsthat rely on a wide set of libraries.

Concretely, this means that code that wants to leverage devices like GPUs needsto copy objects between generically allocated memory (malloc, mmap private, mmapshare) and memory allocated through the device driver API (this still ends upwith an mmap but of the device file).

For flat data sets (array, grid, image, ...) this isn’t too hard to achieve butfor complex data sets (list, tree, ...) it’s hard to get right. Duplicating acomplex data set needs to re-map all the pointer relations between each of itselements. This is error prone and programs get harder to debug because of theduplicate data set and addresses.

Split address space also means that libraries cannot transparently use datathey are getting from the core program or another library and thus each librarymight have to duplicate its input data set using the device specific memoryallocator. Large projects suffer from this and waste resources because of thevarious memory copies.

Duplicating each library API to accept as input or output memory allocated byeach device specific allocator is not a viable option. It would lead to acombinatorial explosion in the library entry points.

Finally, with the advance of high level language constructs (in C++ but inother languages too) it is now possible for the compiler to leverage GPUs andother devices without programmer knowledge. Some compiler identified patternsare only doable with a shared address space. It is also more reasonable to usea shared address space for all other patterns.

I/O bus, device memory characteristics

I/O buses cripple shared address spaces due to a few limitations. Most I/Obuses only allow basic memory access from device to main memory; even cachecoherency is often optional. Access to device memory from a CPU is even morelimited. More often than not, it is not cache coherent.

If we only consider the PCIE bus, then a device can access main memory (oftenthrough an IOMMU) and be cache coherent with the CPUs. However, it only allowsa limited set of atomic operations from the device on main memory. This is worsein the other direction: the CPU can only access a limited range of the devicememory and cannot perform atomic operations on it. Thus device memory cannotbe considered the same as regular memory from the kernel point of view.

Another crippling factor is the limited bandwidth (~32GBytes/s with PCIE 4.0and 16 lanes). This is 33 times less than the fastest GPU memory (1 TBytes/s).The final limitation is latency. Access to main memory from the device has anorder of magnitude higher latency than when the device accesses its own memory.

Some platforms are developing new I/O buses or additions/modifications to PCIEto address some of these limitations (OpenCAPI, CCIX). They mainly allowtwo-way cache coherency between CPU and device and allow all atomic operations thearchitecture supports. Sadly, not all platforms are following this trend andsome major architectures are left without hardware solutions to these problems.

So for shared address space to make sense, not only must we allow devices toaccess any memory but we must also permit any memory to be migrated to devicememory while the device is using it (blocking CPU access while it happens).

Shared address space and migration

HMM intends to provide two main features. The first one is to share the addressspace by duplicating the CPU page table in the device page table so the sameaddress points to the same physical memory for any valid main memory address inthe process address space.

To achieve this, HMM offers a set of helpers to populate the device page tablewhile keeping track of CPU page table updates. Device page table updates arenot as easy as CPU page table updates. To update the device page table, you mustallocate a buffer (or use a pool of pre-allocated buffers) and write GPUspecific commands in it to perform the update (unmap, cache invalidations, andflush, ...). This cannot be done through common code for all devices. Hencewhy HMM provides helpers to factor out everything that can be while leaving thehardware specific details to the device driver.

The second mechanism HMM provides is a new kind of ZONE_DEVICE memory thatallows allocating astructpage for each page of device memory. Those pagesare special because the CPU cannot map them. However, they allow migratingmain memory to device memory using existing migration mechanisms and everythinglooks like a page that is swapped out to disk from the CPU point of view. Using astructpage gives the easiest and cleanest integration with existing mmmechanisms. Here again, HMM only provides helpers, first to hotplug new ZONE_DEVICEmemory for the device memory and second to perform migration. Policy decisionsof what and when to migrate is left to the device driver.

Note that any CPU access to a device page triggers a page fault and a migrationback to main memory. For example, when a page backing a given CPU address A ismigrated from a main memory page to a device page, then any CPU access toaddress A triggers a page fault and initiates a migration back to main memory.

With these two features, HMM not only allows a device to mirror process addressspace and keeps both CPU and device page tables synchronized, but alsoleverages device memory by migrating the part of the data set that is actively beingused by the device.

Address space mirroring implementation and API

Address space mirroring’s main objective is to allow duplication of a range ofCPU page table into a device page table; HMM helps keep both synchronized. Adevice driver that wants to mirror a process address space must start with theregistration of a mmu_interval_notifier:

int mmu_interval_notifier_insert(struct mmu_interval_notifier *interval_sub,                                 struct mm_struct *mm, unsigned long start,                                 unsigned long length,                                 const struct mmu_interval_notifier_ops *ops);

During the ops->invalidate() callback the device driver must perform theupdate action to the range (mark range read only, or fully unmap, etc.). Thedevice must complete the update before the driver callback returns.

When the device driver wants to populate a range of virtual addresses, it canuse:

int hmm_range_fault(struct hmm_range *range);

It will trigger a page fault on missing or read-only entries if write access isrequested (see below). Page faults use the generic mm page fault code path justlike a CPU page fault. The usage pattern is:

int driver_populate_range(...){     struct hmm_range range;     ...     range.notifier = &interval_sub;     range.start = ...;     range.end = ...;     range.hmm_pfns = ...;     if (!mmget_not_zero(interval_sub->notifier.mm))         return -EFAULT;again:     range.notifier_seq = mmu_interval_read_begin(&interval_sub);     mmap_read_lock(mm);     ret = hmm_range_fault(&range);     if (ret) {         mmap_read_unlock(mm);         if (ret == -EBUSY)                goto again;         return ret;     }     mmap_read_unlock(mm);     take_lock(driver->update);     if (mmu_interval_read_retry(&ni, range.notifier_seq) {         release_lock(driver->update);         goto again;     }     /* Use pfns array content to update device page table,      * under the update lock */     release_lock(driver->update);     return 0;}

The driver->update lock is the same lock that the driver takes inside itsinvalidate() callback. That lock must be held before callingmmu_interval_read_retry() to avoid any race with a concurrent CPU page tableupdate.

Leverage default_flags and pfn_flags_mask

The hmm_rangestructhas 2 fields, default_flags and pfn_flags_mask, that specifyfault or snapshot policy for the whole range instead of having to set themfor each entry in the pfns array.

For instance if the device driver wants pages for a range with at least readpermission, it sets:

range->default_flags = HMM_PFN_REQ_FAULT;range->pfn_flags_mask = 0;

and callshmm_range_fault() as described above. This will fill fault all pagesin the range with at least read permission.

Now let’s say the driver wants to do the same except for one page in the range forwhich it wants to have write permission. Now driver set:

range->default_flags = HMM_PFN_REQ_FAULT;range->pfn_flags_mask = HMM_PFN_REQ_WRITE;range->pfns[index_of_write] = HMM_PFN_REQ_WRITE;

With this, HMM will fault in all pages with at least read (i.e., valid) and for theaddress == range->start + (index_of_write << PAGE_SHIFT) it will fault withwrite permission i.e., if the CPU pte does not have write permission set then HMMwill callhandle_mm_fault().

After hmm_range_fault completes the flag bits are set to the current state ofthe page tables, ie HMM_PFN_VALID | HMM_PFN_WRITE will be set if the page iswritable.

Represent and manage device memory from core kernel point of view

Several different designs were tried to support device memory. The first oneused a device specific data structure to keep information about migrated memoryand HMM hooked itself in various places of mm code to handle any access toaddresses that were backed by device memory. It turns out that this ended upreplicating most of the fields ofstructpage and also needed many kernel codepaths to be updated to understand this new kind of memory.

Most kernel code paths never try to access the memory behind a pagebut only care aboutstructpage contents. Because of this, HMM switched todirectly usingstructpage for device memory which left most kernel code pathsunaware of the difference. We only need to make sure that no one ever tries tomap those pages from the CPU side.

Migration to and from device memory

Because the CPU cannot access device memory directly, the device driver mustuse hardware DMA or device specific load/store instructions to migrate data.Themigrate_vma_setup(),migrate_vma_pages(), andmigrate_vma_finalize()functions are designed to make drivers easier to write and to centralize commoncode across drivers.

Before migrating pages to device private memory, special device privatestructpage needs to be created. These will be used as special “swap”page table entries so that a CPU process will fault if it tries to accessa page that has been migrated to device private memory.

These can be allocated and freed with:

struct resource *res;struct dev_pagemap pagemap;res = request_free_mem_region(&iomem_resource, /* number of bytes */,                              "name of driver resource");pagemap.type = MEMORY_DEVICE_PRIVATE;pagemap.range.start = res->start;pagemap.range.end = res->end;pagemap.nr_range = 1;pagemap.ops = &device_devmem_ops;memremap_pages(&pagemap, numa_node_id());memunmap_pages(&pagemap);release_mem_region(pagemap.range.start, range_len(&pagemap.range));

There are alsodevm_request_free_mem_region(),devm_memremap_pages(),devm_memunmap_pages(), anddevm_release_mem_region() when the resources canbe tied to astructdevice.

The overall migration steps are similar to migrating NUMA pages within systemmemory (seePage migration) but the steps are splitbetween device driver specific code and shared common code:

  1. mmap_read_lock()

    The device driver has to pass astructvm_area_struct tomigrate_vma_setup() so themmap_read_lock() ormmap_write_lock() needs tobe held for the duration of the migration.

  2. migrate_vma_setup(structmigrate_vma*args)

    The device driver initializes thestructmigrate_vma fields and passesthe pointer tomigrate_vma_setup(). Theargs->flags field is used tofilter which source pages should be migrated. For example, settingMIGRATE_VMA_SELECT_SYSTEM will only migrate system memory andMIGRATE_VMA_SELECT_DEVICE_PRIVATE will only migrate pages residing indevice private memory. If the latter flag is set, theargs->pgmap_ownerfield is used to identify device private pages owned by the driver. Thisavoids trying to migrate device private pages residing in other devices.Currently only anonymous private VMA ranges can be migrated to or fromsystem memory and device private memory.

    One of the first stepsmigrate_vma_setup() does is to invalidate otherdevice’s MMUs with themmu_notifier_invalidate_range_start(() andmmu_notifier_invalidate_range_end() calls around the page tablewalks to fill in theargs->src array with PFNs to be migrated.Theinvalidate_range_start() callback is passed astructmmu_notifier_range with theevent field set toMMU_NOTIFY_MIGRATE and theowner field set totheargs->pgmap_owner field passed tomigrate_vma_setup(). Thisallows the device driver to skip the invalidation callback and onlyinvalidate device private MMU mappings that are actually migrating.This is explained more in the next section.

    While walking the page tables, apte_none() oris_zero_pfn()entry results in a valid “zero” PFN stored in theargs->src array.This lets the driver allocate device private memory and clear it insteadof copying a page of zeros. Valid PTE entries to system memory ordevice privatestructpages will be locked withlock_page(), isolatedfrom the LRU (if system memory since device private pages are not onthe LRU), unmapped from the process, and a special migration PTE isinserted in place of the original PTE.migrate_vma_setup() also clears theargs->dst array.

  3. The device driver allocates destination pages and copies source pages todestination pages.

    The driver checks eachsrc entry to see if theMIGRATE_PFN_MIGRATEbit is set and skips entries that are not migrating. The device drivercan also choose to skip migrating a page by not filling in thedstarray for that page.

    The driver then allocates either a device privatestructpage or asystem memory page, locks the page withlock_page(), and fills in thedst array entry with:

    dst[i] = migrate_pfn(page_to_pfn(dpage));

    Now that the driver knows that this page is being migrated, it caninvalidate device private MMU mappings and copy device private memoryto system memory or another device private page. The core Linux kernelhandles CPU page table invalidations so the device driver only has toinvalidate its own MMU mappings.

    The driver can usemigrate_pfn_to_page(src[i]) to get thestructpage of the source and either copy the source page to thedestination or clear the destination device private memory if the pointerisNULL meaning the source page was not populated in system memory.

  4. migrate_vma_pages()

    This step is where the migration is actually “committed”.

    If the source page was apte_none() oris_zero_pfn() page, thisis where the newly allocated page is inserted into the CPU’s page table.This can fail if a CPU thread faults on the same page. However, the pagetable is locked and only one of the new pages will be inserted.The device driver will see that theMIGRATE_PFN_MIGRATE bit is clearedif it loses the race.

    If the source page was locked, isolated, etc. the sourcestructpageinformation is now copied to destinationstructpage finalizing themigration on the CPU side.

  5. Device driver updates device MMU page tables for pages still migrating,rolling back pages not migrating.

    If thesrc entry still hasMIGRATE_PFN_MIGRATE bit set, the devicedriver can update the device MMU and set the write enable bit if theMIGRATE_PFN_WRITE bit is set.

  6. migrate_vma_finalize()

    This step replaces the special migration page table entry with the newpage’s page table entry and releases the reference to the source anddestinationstructpage.

  7. mmap_read_unlock()

    The lock can now be released.

Exclusive access memory

Some devices have features such as atomic PTE bits that can be used to implementatomic access to system memory. To support atomic operations to a shared virtualmemory page such a device needs access to that page which is exclusive of anyuserspace access from the CPU. Themake_device_exclusive() functioncan be used to make a memory range inaccessible from userspace.

This replaces all mappings for pages in the given range with special swapentries. Any attempt to access the swap entry results in a fault which isresolved by replacing the entry with the original mapping. A driver getsnotified that the mapping has been changed by MMU notifiers, after which pointit will no longer have exclusive access to the page. Exclusive access isguaranteed to last until the driver drops the page lock and page reference, atwhich point any CPU faults on the page may proceed as described.

Memory cgroup (memcg) and rss accounting

For now, device memory is accounted as any regular page in rss counters (eitheranonymous if device page is used for anonymous, file if device page is used forfile backed page, or shmem if device page is used for shared memory). This is adeliberate choice to keep existing applications, that might start using devicememory without knowing about it, running unimpacted.

A drawback is that the OOM killer might kill an application using a lot ofdevice memory and not a lot of regular system memory and thus not freeing muchsystem memory. We want to gather more real world experience on how applicationsand system react under memory pressure in the presence of device memory beforedeciding to account device memory differently.

Same decision was made for memory cgroup. Device memory pages are accountedagainst same memory cgroup a regular page would be accounted to. This doessimplify migration to and from device memory. This also means that migrationback from device memory to regular memory cannot fail because it wouldgo above memory cgroup limit. We might revisit this choice later on once weget more experience in how device memory is used and its impact on memoryresource control.

Note that device memory can never be pinned by a device driver nor through GUPand thus such memory is always free upon process exit. Or when last referenceis dropped in case of shared memory or file backed memory.