1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Framework for buffer objects that can be shared across devices/subsystems.
4 *
5 * Copyright(C) 2011 Linaro Limited. All rights reserved.
6 * Author: Sumit Semwal <sumit.semwal@ti.com>
7 *
8 * Many thanks to linaro-mm-sig list, and specially
9 * Arnd Bergmann <arnd@arndb.de>, Rob Clark <rob@ti.com> and
10 * Daniel Vetter <daniel@ffwll.ch> for their support in creation and
11 * refining of this idea.
12 */
13
14 #include <linux/fs.h>
15 #include <linux/slab.h>
16 #include <linux/dma-buf.h>
17 #include <linux/dma-fence.h>
18 #include <linux/dma-fence-unwrap.h>
19 #include <linux/anon_inodes.h>
20 #include <linux/export.h>
21 #include <linux/debugfs.h>
22 #include <linux/list.h>
23 #include <linux/module.h>
24 #include <linux/mutex.h>
25 #include <linux/seq_file.h>
26 #include <linux/sync_file.h>
27 #include <linux/poll.h>
28 #include <linux/dma-resv.h>
29 #include <linux/mm.h>
30 #include <linux/mount.h>
31 #include <linux/pseudo_fs.h>
32
33 #include <uapi/linux/dma-buf.h>
34 #include <uapi/linux/magic.h>
35
36 #define CREATE_TRACE_POINTS
37 #include <trace/events/dma_buf.h>
38
39 /*
40 * dmabuf->name must be accessed with holding dmabuf->name_lock.
41 * we need to take the lock around the tracepoint call itself where
42 * it is called in the code.
43 *
44 * Note: FUNC##_enabled() is a static branch that will only
45 * be set when the trace event is enabled.
46 */
47 #define DMA_BUF_TRACE(FUNC, ...) \
48 do { \
49 /* Always expose lock if lockdep is enabled */ \
50 if (IS_ENABLED(CONFIG_LOCKDEP) || FUNC##_enabled()) { \
51 guard(spinlock)(&dmabuf->name_lock); \
52 FUNC(__VA_ARGS__); \
53 } \
54 } while (0)
55
56 /* Wrapper to hide the sg_table page link from the importer */
57 struct dma_buf_sg_table_wrapper {
58 struct sg_table *original;
59 struct sg_table wrapper;
60 };
61
62 static inline int is_dma_buf_file(struct file *);
63
64 static DEFINE_MUTEX(dmabuf_list_mutex);
65 static LIST_HEAD(dmabuf_list);
66
__dma_buf_list_add(struct dma_buf * dmabuf)67 static void __dma_buf_list_add(struct dma_buf *dmabuf)
68 {
69 mutex_lock(&dmabuf_list_mutex);
70 list_add(&dmabuf->list_node, &dmabuf_list);
71 mutex_unlock(&dmabuf_list_mutex);
72 }
73
__dma_buf_list_del(struct dma_buf * dmabuf)74 static void __dma_buf_list_del(struct dma_buf *dmabuf)
75 {
76 if (!dmabuf)
77 return;
78
79 mutex_lock(&dmabuf_list_mutex);
80 list_del(&dmabuf->list_node);
81 mutex_unlock(&dmabuf_list_mutex);
82 }
83
84 /**
85 * dma_buf_iter_begin - begin iteration through global list of all DMA buffers
86 *
87 * Returns the first buffer in the global list of DMA-bufs that's not in the
88 * process of being destroyed. Increments that buffer's reference count to
89 * prevent buffer destruction. Callers must release the reference, either by
90 * continuing iteration with dma_buf_iter_next(), or with dma_buf_put().
91 *
92 * Return:
93 * * First buffer from global list, with refcount elevated
94 * * NULL if no active buffers are present
95 */
dma_buf_iter_begin(void)96 struct dma_buf *dma_buf_iter_begin(void)
97 {
98 struct dma_buf *ret = NULL, *dmabuf;
99
100 /*
101 * The list mutex does not protect a dmabuf's refcount, so it can be
102 * zeroed while we are iterating. We cannot call get_dma_buf() since the
103 * caller may not already own a reference to the buffer.
104 */
105 mutex_lock(&dmabuf_list_mutex);
106 list_for_each_entry(dmabuf, &dmabuf_list, list_node) {
107 if (file_ref_get(&dmabuf->file->f_ref)) {
108 ret = dmabuf;
109 break;
110 }
111 }
112 mutex_unlock(&dmabuf_list_mutex);
113 return ret;
114 }
115
116 /**
117 * dma_buf_iter_next - continue iteration through global list of all DMA buffers
118 * @dmabuf: [in] pointer to dma_buf
119 *
120 * Decrements the reference count on the provided buffer. Returns the next
121 * buffer from the remainder of the global list of DMA-bufs with its reference
122 * count incremented. Callers must release the reference, either by continuing
123 * iteration with dma_buf_iter_next(), or with dma_buf_put().
124 *
125 * Return:
126 * * Next buffer from global list, with refcount elevated
127 * * NULL if no additional active buffers are present
128 */
dma_buf_iter_next(struct dma_buf * dmabuf)129 struct dma_buf *dma_buf_iter_next(struct dma_buf *dmabuf)
130 {
131 struct dma_buf *ret = NULL;
132
133 /*
134 * The list mutex does not protect a dmabuf's refcount, so it can be
135 * zeroed while we are iterating. We cannot call get_dma_buf() since the
136 * caller may not already own a reference to the buffer.
137 */
138 mutex_lock(&dmabuf_list_mutex);
139 dma_buf_put(dmabuf);
140 list_for_each_entry_continue(dmabuf, &dmabuf_list, list_node) {
141 if (file_ref_get(&dmabuf->file->f_ref)) {
142 ret = dmabuf;
143 break;
144 }
145 }
146 mutex_unlock(&dmabuf_list_mutex);
147 return ret;
148 }
149
dmabuffs_dname(struct dentry * dentry,char * buffer,int buflen)150 static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen)
151 {
152 struct dma_buf *dmabuf;
153 char name[DMA_BUF_NAME_LEN];
154 ssize_t ret = 0;
155
156 dmabuf = dentry->d_fsdata;
157 spin_lock(&dmabuf->name_lock);
158 if (dmabuf->name)
159 ret = strscpy(name, dmabuf->name, sizeof(name));
160 spin_unlock(&dmabuf->name_lock);
161
162 return dynamic_dname(buffer, buflen, "/%s:%s",
163 dentry->d_name.name, ret > 0 ? name : "");
164 }
165
dma_buf_release(struct dentry * dentry)166 static void dma_buf_release(struct dentry *dentry)
167 {
168 struct dma_buf *dmabuf;
169
170 dmabuf = dentry->d_fsdata;
171 if (unlikely(!dmabuf))
172 return;
173
174 BUG_ON(dmabuf->vmapping_counter);
175
176 /*
177 * If you hit this BUG() it could mean:
178 * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else
179 * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback
180 */
181 BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
182
183 dmabuf->ops->release(dmabuf);
184
185 if (dmabuf->resv == (struct dma_resv *)&dmabuf[1])
186 dma_resv_fini(dmabuf->resv);
187
188 WARN_ON(!list_empty(&dmabuf->attachments));
189 module_put(dmabuf->owner);
190 kfree(dmabuf->name);
191 kfree(dmabuf);
192 }
193
dma_buf_file_release(struct inode * inode,struct file * file)194 static int dma_buf_file_release(struct inode *inode, struct file *file)
195 {
196 if (!is_dma_buf_file(file))
197 return -EINVAL;
198
199 __dma_buf_list_del(file->private_data);
200
201 return 0;
202 }
203
204 static const struct dentry_operations dma_buf_dentry_ops = {
205 .d_dname = dmabuffs_dname,
206 .d_release = dma_buf_release,
207 };
208
209 static struct vfsmount *dma_buf_mnt;
210
dma_buf_fs_init_context(struct fs_context * fc)211 static int dma_buf_fs_init_context(struct fs_context *fc)
212 {
213 struct pseudo_fs_context *ctx;
214
215 ctx = init_pseudo(fc, DMA_BUF_MAGIC);
216 if (!ctx)
217 return -ENOMEM;
218 ctx->dops = &dma_buf_dentry_ops;
219 return 0;
220 }
221
222 static struct file_system_type dma_buf_fs_type = {
223 .name = "dmabuf",
224 .init_fs_context = dma_buf_fs_init_context,
225 .kill_sb = kill_anon_super,
226 };
227
dma_buf_mmap_internal(struct file * file,struct vm_area_struct * vma)228 static int dma_buf_mmap_internal(struct file *file, struct vm_area_struct *vma)
229 {
230 struct dma_buf *dmabuf;
231
232 if (!is_dma_buf_file(file))
233 return -EINVAL;
234
235 dmabuf = file->private_data;
236
237 /* check if buffer supports mmap */
238 if (!dmabuf->ops->mmap)
239 return -EINVAL;
240
241 /* check for overflowing the buffer's size */
242 if (vma->vm_pgoff + vma_pages(vma) >
243 dmabuf->size >> PAGE_SHIFT)
244 return -EINVAL;
245
246 DMA_BUF_TRACE(trace_dma_buf_mmap_internal, dmabuf);
247
248 return dmabuf->ops->mmap(dmabuf, vma);
249 }
250
dma_buf_llseek(struct file * file,loff_t offset,int whence)251 static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
252 {
253 struct dma_buf *dmabuf;
254 loff_t base;
255
256 if (!is_dma_buf_file(file))
257 return -EBADF;
258
259 dmabuf = file->private_data;
260
261 /* only support discovering the end of the buffer,
262 * but also allow SEEK_SET to maintain the idiomatic
263 * SEEK_END(0), SEEK_CUR(0) pattern.
264 */
265 if (whence == SEEK_END)
266 base = dmabuf->size;
267 else if (whence == SEEK_SET)
268 base = 0;
269 else
270 return -EINVAL;
271
272 if (offset != 0)
273 return -EINVAL;
274
275 return base + offset;
276 }
277
278 /**
279 * DOC: implicit fence polling
280 *
281 * To support cross-device and cross-driver synchronization of buffer access
282 * implicit fences (represented internally in the kernel with &struct dma_fence)
283 * can be attached to a &dma_buf. The glue for that and a few related things are
284 * provided in the &dma_resv structure.
285 *
286 * Userspace can query the state of these implicitly tracked fences using poll()
287 * and related system calls:
288 *
289 * - Checking for EPOLLIN, i.e. read access, can be use to query the state of the
290 * most recent write or exclusive fence.
291 *
292 * - Checking for EPOLLOUT, i.e. write access, can be used to query the state of
293 * all attached fences, shared and exclusive ones.
294 *
295 * Note that this only signals the completion of the respective fences, i.e. the
296 * DMA transfers are complete. Cache flushing and any other necessary
297 * preparations before CPU access can begin still need to happen.
298 *
299 * As an alternative to poll(), the set of fences on DMA buffer can be
300 * exported as a &sync_file using &dma_buf_sync_file_export.
301 */
302
dma_buf_poll_cb(struct dma_fence * fence,struct dma_fence_cb * cb)303 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
304 {
305 struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
306 struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll);
307 unsigned long flags;
308
309 spin_lock_irqsave(&dcb->poll->lock, flags);
310 wake_up_locked_poll(dcb->poll, dcb->active);
311 dcb->active = 0;
312 spin_unlock_irqrestore(&dcb->poll->lock, flags);
313 dma_fence_put(fence);
314 /* Paired with get_file in dma_buf_poll */
315 fput(dmabuf->file);
316 }
317
dma_buf_poll_add_cb(struct dma_resv * resv,bool write,struct dma_buf_poll_cb_t * dcb)318 static bool dma_buf_poll_add_cb(struct dma_resv *resv, bool write,
319 struct dma_buf_poll_cb_t *dcb)
320 {
321 struct dma_resv_iter cursor;
322 struct dma_fence *fence;
323 int r;
324
325 dma_resv_for_each_fence(&cursor, resv, dma_resv_usage_rw(write),
326 fence) {
327 dma_fence_get(fence);
328 r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb);
329 if (!r)
330 return true;
331 dma_fence_put(fence);
332 }
333
334 return false;
335 }
336
dma_buf_poll(struct file * file,poll_table * poll)337 static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
338 {
339 struct dma_buf *dmabuf;
340 struct dma_resv *resv;
341 __poll_t events;
342
343 dmabuf = file->private_data;
344 if (!dmabuf || !dmabuf->resv)
345 return EPOLLERR;
346
347 resv = dmabuf->resv;
348
349 poll_wait(file, &dmabuf->poll, poll);
350
351 events = poll_requested_events(poll) & (EPOLLIN | EPOLLOUT);
352 if (!events)
353 return 0;
354
355 dma_resv_lock(resv, NULL);
356
357 if (events & EPOLLOUT) {
358 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_out;
359
360 /* Check that callback isn't busy */
361 spin_lock_irq(&dmabuf->poll.lock);
362 if (dcb->active)
363 events &= ~EPOLLOUT;
364 else
365 dcb->active = EPOLLOUT;
366 spin_unlock_irq(&dmabuf->poll.lock);
367
368 if (events & EPOLLOUT) {
369 /* Paired with fput in dma_buf_poll_cb */
370 get_file(dmabuf->file);
371
372 if (!dma_buf_poll_add_cb(resv, true, dcb))
373 /* No callback queued, wake up any other waiters */
374 dma_buf_poll_cb(NULL, &dcb->cb);
375 else
376 events &= ~EPOLLOUT;
377 }
378 }
379
380 if (events & EPOLLIN) {
381 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_in;
382
383 /* Check that callback isn't busy */
384 spin_lock_irq(&dmabuf->poll.lock);
385 if (dcb->active)
386 events &= ~EPOLLIN;
387 else
388 dcb->active = EPOLLIN;
389 spin_unlock_irq(&dmabuf->poll.lock);
390
391 if (events & EPOLLIN) {
392 /* Paired with fput in dma_buf_poll_cb */
393 get_file(dmabuf->file);
394
395 if (!dma_buf_poll_add_cb(resv, false, dcb))
396 /* No callback queued, wake up any other waiters */
397 dma_buf_poll_cb(NULL, &dcb->cb);
398 else
399 events &= ~EPOLLIN;
400 }
401 }
402
403 dma_resv_unlock(resv);
404 return events;
405 }
406
407 /**
408 * dma_buf_set_name - Set a name to a specific dma_buf to track the usage.
409 * It could support changing the name of the dma-buf if the same
410 * piece of memory is used for multiple purpose between different devices.
411 *
412 * @dmabuf: [in] dmabuf buffer that will be renamed.
413 * @buf: [in] A piece of userspace memory that contains the name of
414 * the dma-buf.
415 *
416 * Returns 0 on success. If the dma-buf buffer is already attached to
417 * devices, return -EBUSY.
418 *
419 */
dma_buf_set_name(struct dma_buf * dmabuf,const char __user * buf)420 static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf)
421 {
422 char *name = strndup_user(buf, DMA_BUF_NAME_LEN);
423
424 if (IS_ERR(name))
425 return PTR_ERR(name);
426
427 spin_lock(&dmabuf->name_lock);
428 kfree(dmabuf->name);
429 dmabuf->name = name;
430 spin_unlock(&dmabuf->name_lock);
431
432 return 0;
433 }
434
435 #if IS_ENABLED(CONFIG_SYNC_FILE)
dma_buf_export_sync_file(struct dma_buf * dmabuf,void __user * user_data)436 static long dma_buf_export_sync_file(struct dma_buf *dmabuf,
437 void __user *user_data)
438 {
439 struct dma_buf_export_sync_file arg;
440 enum dma_resv_usage usage;
441 struct dma_fence *fence = NULL;
442 struct sync_file *sync_file;
443 int fd, ret;
444
445 if (copy_from_user(&arg, user_data, sizeof(arg)))
446 return -EFAULT;
447
448 if (arg.flags & ~DMA_BUF_SYNC_RW)
449 return -EINVAL;
450
451 if ((arg.flags & DMA_BUF_SYNC_RW) == 0)
452 return -EINVAL;
453
454 fd = get_unused_fd_flags(O_CLOEXEC);
455 if (fd < 0)
456 return fd;
457
458 usage = dma_resv_usage_rw(arg.flags & DMA_BUF_SYNC_WRITE);
459 ret = dma_resv_get_singleton(dmabuf->resv, usage, &fence);
460 if (ret)
461 goto err_put_fd;
462
463 if (!fence)
464 fence = dma_fence_get_stub();
465
466 sync_file = sync_file_create(fence);
467
468 dma_fence_put(fence);
469
470 if (!sync_file) {
471 ret = -ENOMEM;
472 goto err_put_fd;
473 }
474
475 arg.fd = fd;
476 if (copy_to_user(user_data, &arg, sizeof(arg))) {
477 ret = -EFAULT;
478 goto err_put_file;
479 }
480
481 fd_install(fd, sync_file->file);
482
483 return 0;
484
485 err_put_file:
486 fput(sync_file->file);
487 err_put_fd:
488 put_unused_fd(fd);
489 return ret;
490 }
491
dma_buf_import_sync_file(struct dma_buf * dmabuf,const void __user * user_data)492 static long dma_buf_import_sync_file(struct dma_buf *dmabuf,
493 const void __user *user_data)
494 {
495 struct dma_buf_import_sync_file arg;
496 struct dma_fence *fence, *f;
497 enum dma_resv_usage usage;
498 struct dma_fence_unwrap iter;
499 unsigned int num_fences;
500 int ret = 0;
501
502 if (copy_from_user(&arg, user_data, sizeof(arg)))
503 return -EFAULT;
504
505 if (arg.flags & ~DMA_BUF_SYNC_RW)
506 return -EINVAL;
507
508 if ((arg.flags & DMA_BUF_SYNC_RW) == 0)
509 return -EINVAL;
510
511 fence = sync_file_get_fence(arg.fd);
512 if (!fence)
513 return -EINVAL;
514
515 usage = (arg.flags & DMA_BUF_SYNC_WRITE) ? DMA_RESV_USAGE_WRITE :
516 DMA_RESV_USAGE_READ;
517
518 num_fences = 0;
519 dma_fence_unwrap_for_each(f, &iter, fence)
520 ++num_fences;
521
522 if (num_fences > 0) {
523 dma_resv_lock(dmabuf->resv, NULL);
524
525 ret = dma_resv_reserve_fences(dmabuf->resv, num_fences);
526 if (!ret) {
527 dma_fence_unwrap_for_each(f, &iter, fence)
528 dma_resv_add_fence(dmabuf->resv, f, usage);
529 }
530
531 dma_resv_unlock(dmabuf->resv);
532 }
533
534 dma_fence_put(fence);
535
536 return ret;
537 }
538 #endif
539
dma_buf_ioctl(struct file * file,unsigned int cmd,unsigned long arg)540 static long dma_buf_ioctl(struct file *file,
541 unsigned int cmd, unsigned long arg)
542 {
543 struct dma_buf *dmabuf;
544 struct dma_buf_sync sync;
545 enum dma_data_direction direction;
546 int ret;
547
548 dmabuf = file->private_data;
549
550 switch (cmd) {
551 case DMA_BUF_IOCTL_SYNC:
552 if (copy_from_user(&sync, (void __user *) arg, sizeof(sync)))
553 return -EFAULT;
554
555 if (sync.flags & ~DMA_BUF_SYNC_VALID_FLAGS_MASK)
556 return -EINVAL;
557
558 switch (sync.flags & DMA_BUF_SYNC_RW) {
559 case DMA_BUF_SYNC_READ:
560 direction = DMA_FROM_DEVICE;
561 break;
562 case DMA_BUF_SYNC_WRITE:
563 direction = DMA_TO_DEVICE;
564 break;
565 case DMA_BUF_SYNC_RW:
566 direction = DMA_BIDIRECTIONAL;
567 break;
568 default:
569 return -EINVAL;
570 }
571
572 if (sync.flags & DMA_BUF_SYNC_END)
573 ret = dma_buf_end_cpu_access(dmabuf, direction);
574 else
575 ret = dma_buf_begin_cpu_access(dmabuf, direction);
576
577 return ret;
578
579 case DMA_BUF_SET_NAME_A:
580 case DMA_BUF_SET_NAME_B:
581 return dma_buf_set_name(dmabuf, (const char __user *)arg);
582
583 #if IS_ENABLED(CONFIG_SYNC_FILE)
584 case DMA_BUF_IOCTL_EXPORT_SYNC_FILE:
585 return dma_buf_export_sync_file(dmabuf, (void __user *)arg);
586 case DMA_BUF_IOCTL_IMPORT_SYNC_FILE:
587 return dma_buf_import_sync_file(dmabuf, (const void __user *)arg);
588 #endif
589
590 default:
591 return -ENOTTY;
592 }
593 }
594
dma_buf_show_fdinfo(struct seq_file * m,struct file * file)595 static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file)
596 {
597 struct dma_buf *dmabuf = file->private_data;
598
599 seq_printf(m, "size:\t%zu\n", dmabuf->size);
600 /* Don't count the temporary reference taken inside procfs seq_show */
601 seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1);
602 seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name);
603 spin_lock(&dmabuf->name_lock);
604 if (dmabuf->name)
605 seq_printf(m, "name:\t%s\n", dmabuf->name);
606 spin_unlock(&dmabuf->name_lock);
607 }
608
609 static const struct file_operations dma_buf_fops = {
610 .release = dma_buf_file_release,
611 .mmap = dma_buf_mmap_internal,
612 .llseek = dma_buf_llseek,
613 .poll = dma_buf_poll,
614 .unlocked_ioctl = dma_buf_ioctl,
615 .compat_ioctl = compat_ptr_ioctl,
616 .show_fdinfo = dma_buf_show_fdinfo,
617 };
618
619 /*
620 * is_dma_buf_file - Check if struct file* is associated with dma_buf
621 */
is_dma_buf_file(struct file * file)622 static inline int is_dma_buf_file(struct file *file)
623 {
624 return file->f_op == &dma_buf_fops;
625 }
626
dma_buf_getfile(size_t size,int flags)627 static struct file *dma_buf_getfile(size_t size, int flags)
628 {
629 static atomic64_t dmabuf_inode = ATOMIC64_INIT(0);
630 struct inode *inode = alloc_anon_inode(dma_buf_mnt->mnt_sb);
631 struct file *file;
632
633 if (IS_ERR(inode))
634 return ERR_CAST(inode);
635
636 inode->i_size = size;
637 inode_set_bytes(inode, size);
638
639 /*
640 * The ->i_ino acquired from get_next_ino() is not unique thus
641 * not suitable for using it as dentry name by dmabuf stats.
642 * Override ->i_ino with the unique and dmabuffs specific
643 * value.
644 */
645 inode->i_ino = atomic64_inc_return(&dmabuf_inode);
646 flags &= O_ACCMODE | O_NONBLOCK;
647 file = alloc_file_pseudo(inode, dma_buf_mnt, "dmabuf",
648 flags, &dma_buf_fops);
649 if (IS_ERR(file))
650 goto err_alloc_file;
651
652 return file;
653
654 err_alloc_file:
655 iput(inode);
656 return file;
657 }
658
659 /**
660 * DOC: dma buf device access
661 *
662 * For device DMA access to a shared DMA buffer the usual sequence of operations
663 * is fairly simple:
664 *
665 * 1. The exporter defines his exporter instance using
666 * DEFINE_DMA_BUF_EXPORT_INFO() and calls dma_buf_export() to wrap a private
667 * buffer object into a &dma_buf. It then exports that &dma_buf to userspace
668 * as a file descriptor by calling dma_buf_fd().
669 *
670 * 2. Userspace passes this file-descriptors to all drivers it wants this buffer
671 * to share with: First the file descriptor is converted to a &dma_buf using
672 * dma_buf_get(). Then the buffer is attached to the device using
673 * dma_buf_attach().
674 *
675 * Up to this stage the exporter is still free to migrate or reallocate the
676 * backing storage.
677 *
678 * 3. Once the buffer is attached to all devices userspace can initiate DMA
679 * access to the shared buffer. In the kernel this is done by calling
680 * dma_buf_map_attachment() and dma_buf_unmap_attachment().
681 *
682 * 4. Once a driver is done with a shared buffer it needs to call
683 * dma_buf_detach() (after cleaning up any mappings) and then release the
684 * reference acquired with dma_buf_get() by calling dma_buf_put().
685 *
686 * For the detailed semantics exporters are expected to implement see
687 * &dma_buf_ops.
688 */
689
690 /**
691 * dma_buf_export - Creates a new dma_buf, and associates an anon file
692 * with this buffer, so it can be exported.
693 * Also connect the allocator specific data and ops to the buffer.
694 * Additionally, provide a name string for exporter; useful in debugging.
695 *
696 * @exp_info: [in] holds all the export related information provided
697 * by the exporter. see &struct dma_buf_export_info
698 * for further details.
699 *
700 * Returns, on success, a newly created struct dma_buf object, which wraps the
701 * supplied private data and operations for struct dma_buf_ops. On either
702 * missing ops, or error in allocating struct dma_buf, will return negative
703 * error.
704 *
705 * For most cases the easiest way to create @exp_info is through the
706 * %DEFINE_DMA_BUF_EXPORT_INFO macro.
707 */
dma_buf_export(const struct dma_buf_export_info * exp_info)708 struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
709 {
710 struct dma_buf *dmabuf;
711 struct dma_resv *resv = exp_info->resv;
712 struct file *file;
713 size_t alloc_size = sizeof(struct dma_buf);
714 int ret;
715
716 if (WARN_ON(!exp_info->priv || !exp_info->ops
717 || !exp_info->ops->map_dma_buf
718 || !exp_info->ops->unmap_dma_buf
719 || !exp_info->ops->release))
720 return ERR_PTR(-EINVAL);
721
722 if (WARN_ON(!exp_info->ops->pin != !exp_info->ops->unpin))
723 return ERR_PTR(-EINVAL);
724
725 if (!try_module_get(exp_info->owner))
726 return ERR_PTR(-ENOENT);
727
728 file = dma_buf_getfile(exp_info->size, exp_info->flags);
729 if (IS_ERR(file)) {
730 ret = PTR_ERR(file);
731 goto err_module;
732 }
733
734 if (!exp_info->resv)
735 alloc_size += sizeof(struct dma_resv);
736 else
737 /* prevent &dma_buf[1] == dma_buf->resv */
738 alloc_size += 1;
739 dmabuf = kzalloc(alloc_size, GFP_KERNEL);
740 if (!dmabuf) {
741 ret = -ENOMEM;
742 goto err_file;
743 }
744
745 dmabuf->priv = exp_info->priv;
746 dmabuf->ops = exp_info->ops;
747 dmabuf->size = exp_info->size;
748 dmabuf->exp_name = exp_info->exp_name;
749 dmabuf->owner = exp_info->owner;
750 spin_lock_init(&dmabuf->name_lock);
751 init_waitqueue_head(&dmabuf->poll);
752 dmabuf->cb_in.poll = dmabuf->cb_out.poll = &dmabuf->poll;
753 dmabuf->cb_in.active = dmabuf->cb_out.active = 0;
754 INIT_LIST_HEAD(&dmabuf->attachments);
755
756 if (!resv) {
757 dmabuf->resv = (struct dma_resv *)&dmabuf[1];
758 dma_resv_init(dmabuf->resv);
759 } else {
760 dmabuf->resv = resv;
761 }
762
763 file->private_data = dmabuf;
764 file->f_path.dentry->d_fsdata = dmabuf;
765 dmabuf->file = file;
766
767 __dma_buf_list_add(dmabuf);
768
769 DMA_BUF_TRACE(trace_dma_buf_export, dmabuf);
770
771 return dmabuf;
772
773 err_file:
774 fput(file);
775 err_module:
776 module_put(exp_info->owner);
777 return ERR_PTR(ret);
778 }
779 EXPORT_SYMBOL_NS_GPL(dma_buf_export, "DMA_BUF");
780
781 /**
782 * dma_buf_fd - returns a file descriptor for the given struct dma_buf
783 * @dmabuf: [in] pointer to dma_buf for which fd is required.
784 * @flags: [in] flags to give to fd
785 *
786 * On success, returns an associated 'fd'. Else, returns error.
787 */
dma_buf_fd(struct dma_buf * dmabuf,int flags)788 int dma_buf_fd(struct dma_buf *dmabuf, int flags)
789 {
790 int fd;
791
792 if (!dmabuf || !dmabuf->file)
793 return -EINVAL;
794
795 fd = FD_ADD(flags, dmabuf->file);
796 DMA_BUF_TRACE(trace_dma_buf_fd, dmabuf, fd);
797
798 return fd;
799 }
800 EXPORT_SYMBOL_NS_GPL(dma_buf_fd, "DMA_BUF");
801
802 /**
803 * dma_buf_get - returns the struct dma_buf related to an fd
804 * @fd: [in] fd associated with the struct dma_buf to be returned
805 *
806 * On success, returns the struct dma_buf associated with an fd; uses
807 * file's refcounting done by fget to increase refcount. returns ERR_PTR
808 * otherwise.
809 */
dma_buf_get(int fd)810 struct dma_buf *dma_buf_get(int fd)
811 {
812 struct file *file;
813 struct dma_buf *dmabuf;
814
815 file = fget(fd);
816
817 if (!file)
818 return ERR_PTR(-EBADF);
819
820 if (!is_dma_buf_file(file)) {
821 fput(file);
822 return ERR_PTR(-EINVAL);
823 }
824
825 dmabuf = file->private_data;
826
827 DMA_BUF_TRACE(trace_dma_buf_get, dmabuf, fd);
828
829 return dmabuf;
830 }
831 EXPORT_SYMBOL_NS_GPL(dma_buf_get, "DMA_BUF");
832
833 /**
834 * dma_buf_put - decreases refcount of the buffer
835 * @dmabuf: [in] buffer to reduce refcount of
836 *
837 * Uses file's refcounting done implicitly by fput().
838 *
839 * If, as a result of this call, the refcount becomes 0, the 'release' file
840 * operation related to this fd is called. It calls &dma_buf_ops.release vfunc
841 * in turn, and frees the memory allocated for dmabuf when exported.
842 */
dma_buf_put(struct dma_buf * dmabuf)843 void dma_buf_put(struct dma_buf *dmabuf)
844 {
845 if (WARN_ON(!dmabuf || !dmabuf->file))
846 return;
847
848 fput(dmabuf->file);
849
850 DMA_BUF_TRACE(trace_dma_buf_put, dmabuf);
851 }
852 EXPORT_SYMBOL_NS_GPL(dma_buf_put, "DMA_BUF");
853
dma_buf_wrap_sg_table(struct sg_table ** sg_table)854 static int dma_buf_wrap_sg_table(struct sg_table **sg_table)
855 {
856 struct scatterlist *to_sg, *from_sg;
857 struct sg_table *from = *sg_table;
858 struct dma_buf_sg_table_wrapper *to;
859 int i, ret;
860
861 if (!IS_ENABLED(CONFIG_DMABUF_DEBUG))
862 return 0;
863
864 /*
865 * To catch abuse of the underlying struct page by importers copy the
866 * sg_table without copying the page_link and give only the copy back to
867 * the importer.
868 */
869 to = kzalloc_obj(*to);
870 if (!to)
871 return -ENOMEM;
872
873 ret = sg_alloc_table(&to->wrapper, from->nents, GFP_KERNEL);
874 if (ret)
875 goto free_to;
876
877 to_sg = to->wrapper.sgl;
878 for_each_sgtable_dma_sg(from, from_sg, i) {
879 to_sg->offset = 0;
880 to_sg->length = 0;
881 sg_assign_page(to_sg, NULL);
882 sg_dma_address(to_sg) = sg_dma_address(from_sg);
883 sg_dma_len(to_sg) = sg_dma_len(from_sg);
884 to_sg = sg_next(to_sg);
885 }
886
887 to->original = from;
888 *sg_table = &to->wrapper;
889 return 0;
890
891 free_to:
892 kfree(to);
893 return ret;
894 }
895
dma_buf_unwrap_sg_table(struct sg_table ** sg_table)896 static void dma_buf_unwrap_sg_table(struct sg_table **sg_table)
897 {
898 struct dma_buf_sg_table_wrapper *copy;
899
900 if (!IS_ENABLED(CONFIG_DMABUF_DEBUG))
901 return;
902
903 copy = container_of(*sg_table, typeof(*copy), wrapper);
904 *sg_table = copy->original;
905 sg_free_table(©->wrapper);
906 kfree(copy);
907 }
908
909 static inline bool
dma_buf_attachment_is_dynamic(struct dma_buf_attachment * attach)910 dma_buf_attachment_is_dynamic(struct dma_buf_attachment *attach)
911 {
912 return !!attach->importer_ops;
913 }
914
915 static bool
dma_buf_pin_on_map(struct dma_buf_attachment * attach)916 dma_buf_pin_on_map(struct dma_buf_attachment *attach)
917 {
918 return attach->dmabuf->ops->pin &&
919 (!dma_buf_attachment_is_dynamic(attach) ||
920 !IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY));
921 }
922
923 /**
924 * DOC: locking convention
925 *
926 * In order to avoid deadlock situations between dma-buf exports and importers,
927 * all dma-buf API users must follow the common dma-buf locking convention.
928 *
929 * Convention for importers
930 *
931 * 1. Importers must hold the dma-buf reservation lock when calling these
932 * functions:
933 *
934 * - dma_buf_pin()
935 * - dma_buf_unpin()
936 * - dma_buf_map_attachment()
937 * - dma_buf_unmap_attachment()
938 * - dma_buf_vmap()
939 * - dma_buf_vunmap()
940 *
941 * 2. Importers must not hold the dma-buf reservation lock when calling these
942 * functions:
943 *
944 * - dma_buf_attach()
945 * - dma_buf_dynamic_attach()
946 * - dma_buf_detach()
947 * - dma_buf_export()
948 * - dma_buf_fd()
949 * - dma_buf_get()
950 * - dma_buf_put()
951 * - dma_buf_mmap()
952 * - dma_buf_begin_cpu_access()
953 * - dma_buf_end_cpu_access()
954 * - dma_buf_map_attachment_unlocked()
955 * - dma_buf_unmap_attachment_unlocked()
956 * - dma_buf_vmap_unlocked()
957 * - dma_buf_vunmap_unlocked()
958 *
959 * Convention for exporters
960 *
961 * 1. These &dma_buf_ops callbacks are invoked with unlocked dma-buf
962 * reservation and exporter can take the lock:
963 *
964 * - &dma_buf_ops.attach()
965 * - &dma_buf_ops.detach()
966 * - &dma_buf_ops.release()
967 * - &dma_buf_ops.begin_cpu_access()
968 * - &dma_buf_ops.end_cpu_access()
969 * - &dma_buf_ops.mmap()
970 *
971 * 2. These &dma_buf_ops callbacks are invoked with locked dma-buf
972 * reservation and exporter can't take the lock:
973 *
974 * - &dma_buf_ops.pin()
975 * - &dma_buf_ops.unpin()
976 * - &dma_buf_ops.map_dma_buf()
977 * - &dma_buf_ops.unmap_dma_buf()
978 * - &dma_buf_ops.vmap()
979 * - &dma_buf_ops.vunmap()
980 *
981 * 3. Exporters must hold the dma-buf reservation lock when calling these
982 * functions:
983 *
984 * - dma_buf_move_notify()
985 */
986
987 /**
988 * dma_buf_dynamic_attach - Add the device to dma_buf's attachments list
989 * @dmabuf: [in] buffer to attach device to.
990 * @dev: [in] device to be attached.
991 * @importer_ops: [in] importer operations for the attachment
992 * @importer_priv: [in] importer private pointer for the attachment
993 *
994 * Returns struct dma_buf_attachment pointer for this attachment. Attachments
995 * must be cleaned up by calling dma_buf_detach().
996 *
997 * Optionally this calls &dma_buf_ops.attach to allow device-specific attach
998 * functionality.
999 *
1000 * Returns:
1001 *
1002 * A pointer to newly created &dma_buf_attachment on success, or a negative
1003 * error code wrapped into a pointer on failure.
1004 *
1005 * Note that this can fail if the backing storage of @dmabuf is in a place not
1006 * accessible to @dev, and cannot be moved to a more suitable place. This is
1007 * indicated with the error code -EBUSY.
1008 */
1009 struct dma_buf_attachment *
dma_buf_dynamic_attach(struct dma_buf * dmabuf,struct device * dev,const struct dma_buf_attach_ops * importer_ops,void * importer_priv)1010 dma_buf_dynamic_attach(struct dma_buf *dmabuf, struct device *dev,
1011 const struct dma_buf_attach_ops *importer_ops,
1012 void *importer_priv)
1013 {
1014 struct dma_buf_attachment *attach;
1015 int ret;
1016
1017 if (WARN_ON(!dmabuf || !dev))
1018 return ERR_PTR(-EINVAL);
1019
1020 if (WARN_ON(importer_ops && !importer_ops->move_notify))
1021 return ERR_PTR(-EINVAL);
1022
1023 attach = kzalloc_obj(*attach);
1024 if (!attach)
1025 return ERR_PTR(-ENOMEM);
1026
1027 attach->dev = dev;
1028 attach->dmabuf = dmabuf;
1029 if (importer_ops)
1030 attach->peer2peer = importer_ops->allow_peer2peer;
1031 attach->importer_ops = importer_ops;
1032 attach->importer_priv = importer_priv;
1033
1034 if (dmabuf->ops->attach) {
1035 ret = dmabuf->ops->attach(dmabuf, attach);
1036 if (ret)
1037 goto err_attach;
1038 }
1039 dma_resv_lock(dmabuf->resv, NULL);
1040 list_add(&attach->node, &dmabuf->attachments);
1041 dma_resv_unlock(dmabuf->resv);
1042
1043 DMA_BUF_TRACE(trace_dma_buf_dynamic_attach, dmabuf, attach,
1044 dma_buf_attachment_is_dynamic(attach), dev);
1045
1046 return attach;
1047
1048 err_attach:
1049 kfree(attach);
1050 return ERR_PTR(ret);
1051 }
1052 EXPORT_SYMBOL_NS_GPL(dma_buf_dynamic_attach, "DMA_BUF");
1053
1054 /**
1055 * dma_buf_attach - Wrapper for dma_buf_dynamic_attach
1056 * @dmabuf: [in] buffer to attach device to.
1057 * @dev: [in] device to be attached.
1058 *
1059 * Wrapper to call dma_buf_dynamic_attach() for drivers which still use a static
1060 * mapping.
1061 */
dma_buf_attach(struct dma_buf * dmabuf,struct device * dev)1062 struct dma_buf_attachment *dma_buf_attach(struct dma_buf *dmabuf,
1063 struct device *dev)
1064 {
1065 return dma_buf_dynamic_attach(dmabuf, dev, NULL, NULL);
1066 }
1067 EXPORT_SYMBOL_NS_GPL(dma_buf_attach, "DMA_BUF");
1068
1069 /**
1070 * dma_buf_detach - Remove the given attachment from dmabuf's attachments list
1071 * @dmabuf: [in] buffer to detach from.
1072 * @attach: [in] attachment to be detached; is free'd after this call.
1073 *
1074 * Clean up a device attachment obtained by calling dma_buf_attach().
1075 *
1076 * Optionally this calls &dma_buf_ops.detach for device-specific detach.
1077 */
dma_buf_detach(struct dma_buf * dmabuf,struct dma_buf_attachment * attach)1078 void dma_buf_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attach)
1079 {
1080 if (WARN_ON(!dmabuf || !attach || dmabuf != attach->dmabuf))
1081 return;
1082
1083 dma_resv_lock(dmabuf->resv, NULL);
1084 list_del(&attach->node);
1085 dma_resv_unlock(dmabuf->resv);
1086
1087 if (dmabuf->ops->detach)
1088 dmabuf->ops->detach(dmabuf, attach);
1089
1090 DMA_BUF_TRACE(trace_dma_buf_detach, dmabuf, attach,
1091 dma_buf_attachment_is_dynamic(attach), attach->dev);
1092
1093 kfree(attach);
1094 }
1095 EXPORT_SYMBOL_NS_GPL(dma_buf_detach, "DMA_BUF");
1096
1097 /**
1098 * dma_buf_pin - Lock down the DMA-buf
1099 * @attach: [in] attachment which should be pinned
1100 *
1101 * Only dynamic importers (who set up @attach with dma_buf_dynamic_attach()) may
1102 * call this, and only for limited use cases like scanout and not for temporary
1103 * pin operations. It is not permitted to allow userspace to pin arbitrary
1104 * amounts of buffers through this interface.
1105 *
1106 * Buffers must be unpinned by calling dma_buf_unpin().
1107 *
1108 * Returns:
1109 * 0 on success, negative error code on failure.
1110 */
dma_buf_pin(struct dma_buf_attachment * attach)1111 int dma_buf_pin(struct dma_buf_attachment *attach)
1112 {
1113 struct dma_buf *dmabuf = attach->dmabuf;
1114 int ret = 0;
1115
1116 WARN_ON(!attach->importer_ops);
1117
1118 dma_resv_assert_held(dmabuf->resv);
1119
1120 if (dmabuf->ops->pin)
1121 ret = dmabuf->ops->pin(attach);
1122
1123 return ret;
1124 }
1125 EXPORT_SYMBOL_NS_GPL(dma_buf_pin, "DMA_BUF");
1126
1127 /**
1128 * dma_buf_unpin - Unpin a DMA-buf
1129 * @attach: [in] attachment which should be unpinned
1130 *
1131 * This unpins a buffer pinned by dma_buf_pin() and allows the exporter to move
1132 * any mapping of @attach again and inform the importer through
1133 * &dma_buf_attach_ops.move_notify.
1134 */
dma_buf_unpin(struct dma_buf_attachment * attach)1135 void dma_buf_unpin(struct dma_buf_attachment *attach)
1136 {
1137 struct dma_buf *dmabuf = attach->dmabuf;
1138
1139 WARN_ON(!attach->importer_ops);
1140
1141 dma_resv_assert_held(dmabuf->resv);
1142
1143 if (dmabuf->ops->unpin)
1144 dmabuf->ops->unpin(attach);
1145 }
1146 EXPORT_SYMBOL_NS_GPL(dma_buf_unpin, "DMA_BUF");
1147
1148 /**
1149 * dma_buf_map_attachment - Returns the scatterlist table of the attachment;
1150 * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the
1151 * dma_buf_ops.
1152 * @attach: [in] attachment whose scatterlist is to be returned
1153 * @direction: [in] direction of DMA transfer
1154 *
1155 * Returns sg_table containing the scatterlist to be returned; returns ERR_PTR
1156 * on error. May return -EINTR if it is interrupted by a signal.
1157 *
1158 * On success, the DMA addresses and lengths in the returned scatterlist are
1159 * PAGE_SIZE aligned.
1160 *
1161 * A mapping must be unmapped by using dma_buf_unmap_attachment(). Note that
1162 * the underlying backing storage is pinned for as long as a mapping exists,
1163 * therefore users/importers should not hold onto a mapping for undue amounts of
1164 * time.
1165 *
1166 * Important: Dynamic importers must wait for the exclusive fence of the struct
1167 * dma_resv attached to the DMA-BUF first.
1168 */
dma_buf_map_attachment(struct dma_buf_attachment * attach,enum dma_data_direction direction)1169 struct sg_table *dma_buf_map_attachment(struct dma_buf_attachment *attach,
1170 enum dma_data_direction direction)
1171 {
1172 struct sg_table *sg_table;
1173 signed long ret;
1174
1175 might_sleep();
1176
1177 if (WARN_ON(!attach || !attach->dmabuf))
1178 return ERR_PTR(-EINVAL);
1179
1180 dma_resv_assert_held(attach->dmabuf->resv);
1181
1182 if (dma_buf_pin_on_map(attach)) {
1183 ret = attach->dmabuf->ops->pin(attach);
1184 /*
1185 * Catch exporters making buffers inaccessible even when
1186 * attachments preventing that exist.
1187 */
1188 WARN_ON_ONCE(ret == -EBUSY);
1189 if (ret)
1190 return ERR_PTR(ret);
1191 }
1192
1193 sg_table = attach->dmabuf->ops->map_dma_buf(attach, direction);
1194 if (!sg_table)
1195 sg_table = ERR_PTR(-ENOMEM);
1196 if (IS_ERR(sg_table))
1197 goto error_unpin;
1198
1199 /*
1200 * Importers with static attachments don't wait for fences.
1201 */
1202 if (!dma_buf_attachment_is_dynamic(attach)) {
1203 ret = dma_resv_wait_timeout(attach->dmabuf->resv,
1204 DMA_RESV_USAGE_KERNEL, true,
1205 MAX_SCHEDULE_TIMEOUT);
1206 if (ret < 0)
1207 goto error_unmap;
1208 }
1209 ret = dma_buf_wrap_sg_table(&sg_table);
1210 if (ret)
1211 goto error_unmap;
1212
1213 if (IS_ENABLED(CONFIG_DMA_API_DEBUG)) {
1214 struct scatterlist *sg;
1215 u64 addr;
1216 int len;
1217 int i;
1218
1219 for_each_sgtable_dma_sg(sg_table, sg, i) {
1220 addr = sg_dma_address(sg);
1221 len = sg_dma_len(sg);
1222 if (!PAGE_ALIGNED(addr) || !PAGE_ALIGNED(len)) {
1223 pr_debug("%s: addr %llx or len %x is not page aligned!\n",
1224 __func__, addr, len);
1225 break;
1226 }
1227 }
1228 }
1229 return sg_table;
1230
1231 error_unmap:
1232 attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction);
1233 sg_table = ERR_PTR(ret);
1234
1235 error_unpin:
1236 if (dma_buf_pin_on_map(attach))
1237 attach->dmabuf->ops->unpin(attach);
1238
1239 return sg_table;
1240 }
1241 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment, "DMA_BUF");
1242
1243 /**
1244 * dma_buf_map_attachment_unlocked - Returns the scatterlist table of the attachment;
1245 * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the
1246 * dma_buf_ops.
1247 * @attach: [in] attachment whose scatterlist is to be returned
1248 * @direction: [in] direction of DMA transfer
1249 *
1250 * Unlocked variant of dma_buf_map_attachment().
1251 */
1252 struct sg_table *
dma_buf_map_attachment_unlocked(struct dma_buf_attachment * attach,enum dma_data_direction direction)1253 dma_buf_map_attachment_unlocked(struct dma_buf_attachment *attach,
1254 enum dma_data_direction direction)
1255 {
1256 struct sg_table *sg_table;
1257
1258 might_sleep();
1259
1260 if (WARN_ON(!attach || !attach->dmabuf))
1261 return ERR_PTR(-EINVAL);
1262
1263 dma_resv_lock(attach->dmabuf->resv, NULL);
1264 sg_table = dma_buf_map_attachment(attach, direction);
1265 dma_resv_unlock(attach->dmabuf->resv);
1266
1267 return sg_table;
1268 }
1269 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment_unlocked, "DMA_BUF");
1270
1271 /**
1272 * dma_buf_unmap_attachment - unmaps and decreases usecount of the buffer;might
1273 * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of
1274 * dma_buf_ops.
1275 * @attach: [in] attachment to unmap buffer from
1276 * @sg_table: [in] scatterlist info of the buffer to unmap
1277 * @direction: [in] direction of DMA transfer
1278 *
1279 * This unmaps a DMA mapping for @attached obtained by dma_buf_map_attachment().
1280 */
dma_buf_unmap_attachment(struct dma_buf_attachment * attach,struct sg_table * sg_table,enum dma_data_direction direction)1281 void dma_buf_unmap_attachment(struct dma_buf_attachment *attach,
1282 struct sg_table *sg_table,
1283 enum dma_data_direction direction)
1284 {
1285 might_sleep();
1286
1287 if (WARN_ON(!attach || !attach->dmabuf || !sg_table))
1288 return;
1289
1290 dma_resv_assert_held(attach->dmabuf->resv);
1291
1292 dma_buf_unwrap_sg_table(&sg_table);
1293 attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction);
1294
1295 if (dma_buf_pin_on_map(attach))
1296 attach->dmabuf->ops->unpin(attach);
1297 }
1298 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment, "DMA_BUF");
1299
1300 /**
1301 * dma_buf_unmap_attachment_unlocked - unmaps and decreases usecount of the buffer;might
1302 * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of
1303 * dma_buf_ops.
1304 * @attach: [in] attachment to unmap buffer from
1305 * @sg_table: [in] scatterlist info of the buffer to unmap
1306 * @direction: [in] direction of DMA transfer
1307 *
1308 * Unlocked variant of dma_buf_unmap_attachment().
1309 */
dma_buf_unmap_attachment_unlocked(struct dma_buf_attachment * attach,struct sg_table * sg_table,enum dma_data_direction direction)1310 void dma_buf_unmap_attachment_unlocked(struct dma_buf_attachment *attach,
1311 struct sg_table *sg_table,
1312 enum dma_data_direction direction)
1313 {
1314 might_sleep();
1315
1316 if (WARN_ON(!attach || !attach->dmabuf || !sg_table))
1317 return;
1318
1319 dma_resv_lock(attach->dmabuf->resv, NULL);
1320 dma_buf_unmap_attachment(attach, sg_table, direction);
1321 dma_resv_unlock(attach->dmabuf->resv);
1322 }
1323 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment_unlocked, "DMA_BUF");
1324
1325 /**
1326 * dma_buf_move_notify - notify attachments that DMA-buf is moving
1327 *
1328 * @dmabuf: [in] buffer which is moving
1329 *
1330 * Informs all attachments that they need to destroy and recreate all their
1331 * mappings.
1332 */
dma_buf_move_notify(struct dma_buf * dmabuf)1333 void dma_buf_move_notify(struct dma_buf *dmabuf)
1334 {
1335 struct dma_buf_attachment *attach;
1336
1337 dma_resv_assert_held(dmabuf->resv);
1338
1339 list_for_each_entry(attach, &dmabuf->attachments, node)
1340 if (attach->importer_ops)
1341 attach->importer_ops->move_notify(attach);
1342 }
1343 EXPORT_SYMBOL_NS_GPL(dma_buf_move_notify, "DMA_BUF");
1344
1345 /**
1346 * DOC: cpu access
1347 *
1348 * There are multiple reasons for supporting CPU access to a dma buffer object:
1349 *
1350 * - Fallback operations in the kernel, for example when a device is connected
1351 * over USB and the kernel needs to shuffle the data around first before
1352 * sending it away. Cache coherency is handled by bracketing any transactions
1353 * with calls to dma_buf_begin_cpu_access() and dma_buf_end_cpu_access()
1354 * access.
1355 *
1356 * Since for most kernel internal dma-buf accesses need the entire buffer, a
1357 * vmap interface is introduced. Note that on very old 32-bit architectures
1358 * vmalloc space might be limited and result in vmap calls failing.
1359 *
1360 * Interfaces:
1361 *
1362 * .. code-block:: c
1363 *
1364 * void *dma_buf_vmap(struct dma_buf *dmabuf, struct iosys_map *map)
1365 * void dma_buf_vunmap(struct dma_buf *dmabuf, struct iosys_map *map)
1366 *
1367 * The vmap call can fail if there is no vmap support in the exporter, or if
1368 * it runs out of vmalloc space. Note that the dma-buf layer keeps a reference
1369 * count for all vmap access and calls down into the exporter's vmap function
1370 * only when no vmapping exists, and only unmaps it once. Protection against
1371 * concurrent vmap/vunmap calls is provided by taking the &dma_buf.lock mutex.
1372 *
1373 * - For full compatibility on the importer side with existing userspace
1374 * interfaces, which might already support mmap'ing buffers. This is needed in
1375 * many processing pipelines (e.g. feeding a software rendered image into a
1376 * hardware pipeline, thumbnail creation, snapshots, ...). Also, Android's ION
1377 * framework already supported this and for DMA buffer file descriptors to
1378 * replace ION buffers mmap support was needed.
1379 *
1380 * There is no special interfaces, userspace simply calls mmap on the dma-buf
1381 * fd. But like for CPU access there's a need to bracket the actual access,
1382 * which is handled by the ioctl (DMA_BUF_IOCTL_SYNC). Note that
1383 * DMA_BUF_IOCTL_SYNC can fail with -EAGAIN or -EINTR, in which case it must
1384 * be restarted.
1385 *
1386 * Some systems might need some sort of cache coherency management e.g. when
1387 * CPU and GPU domains are being accessed through dma-buf at the same time.
1388 * To circumvent this problem there are begin/end coherency markers, that
1389 * forward directly to existing dma-buf device drivers vfunc hooks. Userspace
1390 * can make use of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The
1391 * sequence would be used like following:
1392 *
1393 * - mmap dma-buf fd
1394 * - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write
1395 * to mmap area 3. SYNC_END ioctl. This can be repeated as often as you
1396 * want (with the new data being consumed by say the GPU or the scanout
1397 * device)
1398 * - munmap once you don't need the buffer any more
1399 *
1400 * For correctness and optimal performance, it is always required to use
1401 * SYNC_START and SYNC_END before and after, respectively, when accessing the
1402 * mapped address. Userspace cannot rely on coherent access, even when there
1403 * are systems where it just works without calling these ioctls.
1404 *
1405 * - And as a CPU fallback in userspace processing pipelines.
1406 *
1407 * Similar to the motivation for kernel cpu access it is again important that
1408 * the userspace code of a given importing subsystem can use the same
1409 * interfaces with a imported dma-buf buffer object as with a native buffer
1410 * object. This is especially important for drm where the userspace part of
1411 * contemporary OpenGL, X, and other drivers is huge, and reworking them to
1412 * use a different way to mmap a buffer rather invasive.
1413 *
1414 * The assumption in the current dma-buf interfaces is that redirecting the
1415 * initial mmap is all that's needed. A survey of some of the existing
1416 * subsystems shows that no driver seems to do any nefarious thing like
1417 * syncing up with outstanding asynchronous processing on the device or
1418 * allocating special resources at fault time. So hopefully this is good
1419 * enough, since adding interfaces to intercept pagefaults and allow pte
1420 * shootdowns would increase the complexity quite a bit.
1421 *
1422 * Interface:
1423 *
1424 * .. code-block:: c
1425 *
1426 * int dma_buf_mmap(struct dma_buf *, struct vm_area_struct *, unsigned long);
1427 *
1428 * If the importing subsystem simply provides a special-purpose mmap call to
1429 * set up a mapping in userspace, calling do_mmap with &dma_buf.file will
1430 * equally achieve that for a dma-buf object.
1431 */
1432
__dma_buf_begin_cpu_access(struct dma_buf * dmabuf,enum dma_data_direction direction)1433 static int __dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
1434 enum dma_data_direction direction)
1435 {
1436 bool write = (direction == DMA_BIDIRECTIONAL ||
1437 direction == DMA_TO_DEVICE);
1438 struct dma_resv *resv = dmabuf->resv;
1439 long ret;
1440
1441 /* Wait on any implicit rendering fences */
1442 ret = dma_resv_wait_timeout(resv, dma_resv_usage_rw(write),
1443 true, MAX_SCHEDULE_TIMEOUT);
1444 if (ret < 0)
1445 return ret;
1446
1447 return 0;
1448 }
1449
1450 /**
1451 * dma_buf_begin_cpu_access - Must be called before accessing a dma_buf from the
1452 * cpu in the kernel context. Calls begin_cpu_access to allow exporter-specific
1453 * preparations. Coherency is only guaranteed in the specified range for the
1454 * specified access direction.
1455 * @dmabuf: [in] buffer to prepare cpu access for.
1456 * @direction: [in] direction of access.
1457 *
1458 * After the cpu access is complete the caller should call
1459 * dma_buf_end_cpu_access(). Only when cpu access is bracketed by both calls is
1460 * it guaranteed to be coherent with other DMA access.
1461 *
1462 * This function will also wait for any DMA transactions tracked through
1463 * implicit synchronization in &dma_buf.resv. For DMA transactions with explicit
1464 * synchronization this function will only ensure cache coherency, callers must
1465 * ensure synchronization with such DMA transactions on their own.
1466 *
1467 * Can return negative error values, returns 0 on success.
1468 */
dma_buf_begin_cpu_access(struct dma_buf * dmabuf,enum dma_data_direction direction)1469 int dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
1470 enum dma_data_direction direction)
1471 {
1472 int ret = 0;
1473
1474 if (WARN_ON(!dmabuf))
1475 return -EINVAL;
1476
1477 might_lock(&dmabuf->resv->lock.base);
1478
1479 if (dmabuf->ops->begin_cpu_access)
1480 ret = dmabuf->ops->begin_cpu_access(dmabuf, direction);
1481
1482 /* Ensure that all fences are waited upon - but we first allow
1483 * the native handler the chance to do so more efficiently if it
1484 * chooses. A double invocation here will be reasonably cheap no-op.
1485 */
1486 if (ret == 0)
1487 ret = __dma_buf_begin_cpu_access(dmabuf, direction);
1488
1489 return ret;
1490 }
1491 EXPORT_SYMBOL_NS_GPL(dma_buf_begin_cpu_access, "DMA_BUF");
1492
1493 /**
1494 * dma_buf_end_cpu_access - Must be called after accessing a dma_buf from the
1495 * cpu in the kernel context. Calls end_cpu_access to allow exporter-specific
1496 * actions. Coherency is only guaranteed in the specified range for the
1497 * specified access direction.
1498 * @dmabuf: [in] buffer to complete cpu access for.
1499 * @direction: [in] direction of access.
1500 *
1501 * This terminates CPU access started with dma_buf_begin_cpu_access().
1502 *
1503 * Can return negative error values, returns 0 on success.
1504 */
dma_buf_end_cpu_access(struct dma_buf * dmabuf,enum dma_data_direction direction)1505 int dma_buf_end_cpu_access(struct dma_buf *dmabuf,
1506 enum dma_data_direction direction)
1507 {
1508 int ret = 0;
1509
1510 WARN_ON(!dmabuf);
1511
1512 might_lock(&dmabuf->resv->lock.base);
1513
1514 if (dmabuf->ops->end_cpu_access)
1515 ret = dmabuf->ops->end_cpu_access(dmabuf, direction);
1516
1517 return ret;
1518 }
1519 EXPORT_SYMBOL_NS_GPL(dma_buf_end_cpu_access, "DMA_BUF");
1520
1521
1522 /**
1523 * dma_buf_mmap - Setup up a userspace mmap with the given vma
1524 * @dmabuf: [in] buffer that should back the vma
1525 * @vma: [in] vma for the mmap
1526 * @pgoff: [in] offset in pages where this mmap should start within the
1527 * dma-buf buffer.
1528 *
1529 * This function adjusts the passed in vma so that it points at the file of the
1530 * dma_buf operation. It also adjusts the starting pgoff and does bounds
1531 * checking on the size of the vma. Then it calls the exporters mmap function to
1532 * set up the mapping.
1533 *
1534 * Can return negative error values, returns 0 on success.
1535 */
dma_buf_mmap(struct dma_buf * dmabuf,struct vm_area_struct * vma,unsigned long pgoff)1536 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
1537 unsigned long pgoff)
1538 {
1539 if (WARN_ON(!dmabuf || !vma))
1540 return -EINVAL;
1541
1542 /* check if buffer supports mmap */
1543 if (!dmabuf->ops->mmap)
1544 return -EINVAL;
1545
1546 /* check for offset overflow */
1547 if (pgoff + vma_pages(vma) < pgoff)
1548 return -EOVERFLOW;
1549
1550 /* check for overflowing the buffer's size */
1551 if (pgoff + vma_pages(vma) >
1552 dmabuf->size >> PAGE_SHIFT)
1553 return -EINVAL;
1554
1555 /* readjust the vma */
1556 vma_set_file(vma, dmabuf->file);
1557 vma->vm_pgoff = pgoff;
1558
1559 DMA_BUF_TRACE(trace_dma_buf_mmap, dmabuf);
1560
1561 return dmabuf->ops->mmap(dmabuf, vma);
1562 }
1563 EXPORT_SYMBOL_NS_GPL(dma_buf_mmap, "DMA_BUF");
1564
1565 /**
1566 * dma_buf_vmap - Create virtual mapping for the buffer object into kernel
1567 * address space. Same restrictions as for vmap and friends apply.
1568 * @dmabuf: [in] buffer to vmap
1569 * @map: [out] returns the vmap pointer
1570 *
1571 * This call may fail due to lack of virtual mapping address space.
1572 * These calls are optional in drivers. The intended use for them
1573 * is for mapping objects linear in kernel space for high use objects.
1574 *
1575 * To ensure coherency users must call dma_buf_begin_cpu_access() and
1576 * dma_buf_end_cpu_access() around any cpu access performed through this
1577 * mapping.
1578 *
1579 * Returns 0 on success, or a negative errno code otherwise.
1580 */
dma_buf_vmap(struct dma_buf * dmabuf,struct iosys_map * map)1581 int dma_buf_vmap(struct dma_buf *dmabuf, struct iosys_map *map)
1582 {
1583 struct iosys_map ptr;
1584 int ret;
1585
1586 iosys_map_clear(map);
1587
1588 if (WARN_ON(!dmabuf))
1589 return -EINVAL;
1590
1591 dma_resv_assert_held(dmabuf->resv);
1592
1593 if (!dmabuf->ops->vmap)
1594 return -EINVAL;
1595
1596 if (dmabuf->vmapping_counter) {
1597 dmabuf->vmapping_counter++;
1598 BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr));
1599 *map = dmabuf->vmap_ptr;
1600 return 0;
1601 }
1602
1603 BUG_ON(iosys_map_is_set(&dmabuf->vmap_ptr));
1604
1605 ret = dmabuf->ops->vmap(dmabuf, &ptr);
1606 if (WARN_ON_ONCE(ret))
1607 return ret;
1608
1609 dmabuf->vmap_ptr = ptr;
1610 dmabuf->vmapping_counter = 1;
1611
1612 *map = dmabuf->vmap_ptr;
1613
1614 return 0;
1615 }
1616 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap, "DMA_BUF");
1617
1618 /**
1619 * dma_buf_vmap_unlocked - Create virtual mapping for the buffer object into kernel
1620 * address space. Same restrictions as for vmap and friends apply.
1621 * @dmabuf: [in] buffer to vmap
1622 * @map: [out] returns the vmap pointer
1623 *
1624 * Unlocked version of dma_buf_vmap()
1625 *
1626 * Returns 0 on success, or a negative errno code otherwise.
1627 */
dma_buf_vmap_unlocked(struct dma_buf * dmabuf,struct iosys_map * map)1628 int dma_buf_vmap_unlocked(struct dma_buf *dmabuf, struct iosys_map *map)
1629 {
1630 int ret;
1631
1632 iosys_map_clear(map);
1633
1634 if (WARN_ON(!dmabuf))
1635 return -EINVAL;
1636
1637 dma_resv_lock(dmabuf->resv, NULL);
1638 ret = dma_buf_vmap(dmabuf, map);
1639 dma_resv_unlock(dmabuf->resv);
1640
1641 return ret;
1642 }
1643 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap_unlocked, "DMA_BUF");
1644
1645 /**
1646 * dma_buf_vunmap - Unmap a vmap obtained by dma_buf_vmap.
1647 * @dmabuf: [in] buffer to vunmap
1648 * @map: [in] vmap pointer to vunmap
1649 */
dma_buf_vunmap(struct dma_buf * dmabuf,struct iosys_map * map)1650 void dma_buf_vunmap(struct dma_buf *dmabuf, struct iosys_map *map)
1651 {
1652 if (WARN_ON(!dmabuf))
1653 return;
1654
1655 dma_resv_assert_held(dmabuf->resv);
1656
1657 BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr));
1658 BUG_ON(dmabuf->vmapping_counter == 0);
1659 BUG_ON(!iosys_map_is_equal(&dmabuf->vmap_ptr, map));
1660
1661 if (--dmabuf->vmapping_counter == 0) {
1662 if (dmabuf->ops->vunmap)
1663 dmabuf->ops->vunmap(dmabuf, map);
1664 iosys_map_clear(&dmabuf->vmap_ptr);
1665 }
1666 }
1667 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap, "DMA_BUF");
1668
1669 /**
1670 * dma_buf_vunmap_unlocked - Unmap a vmap obtained by dma_buf_vmap.
1671 * @dmabuf: [in] buffer to vunmap
1672 * @map: [in] vmap pointer to vunmap
1673 */
dma_buf_vunmap_unlocked(struct dma_buf * dmabuf,struct iosys_map * map)1674 void dma_buf_vunmap_unlocked(struct dma_buf *dmabuf, struct iosys_map *map)
1675 {
1676 if (WARN_ON(!dmabuf))
1677 return;
1678
1679 dma_resv_lock(dmabuf->resv, NULL);
1680 dma_buf_vunmap(dmabuf, map);
1681 dma_resv_unlock(dmabuf->resv);
1682 }
1683 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap_unlocked, "DMA_BUF");
1684
1685 #ifdef CONFIG_DEBUG_FS
dma_buf_debug_show(struct seq_file * s,void * unused)1686 static int dma_buf_debug_show(struct seq_file *s, void *unused)
1687 {
1688 struct dma_buf *buf_obj;
1689 struct dma_buf_attachment *attach_obj;
1690 int count = 0, attach_count;
1691 size_t size = 0;
1692 int ret;
1693
1694 ret = mutex_lock_interruptible(&dmabuf_list_mutex);
1695
1696 if (ret)
1697 return ret;
1698
1699 seq_puts(s, "\nDma-buf Objects:\n");
1700 seq_printf(s, "%-8s\t%-8s\t%-8s\t%-8s\texp_name\t%-8s\tname\n",
1701 "size", "flags", "mode", "count", "ino");
1702
1703 list_for_each_entry(buf_obj, &dmabuf_list, list_node) {
1704
1705 ret = dma_resv_lock_interruptible(buf_obj->resv, NULL);
1706 if (ret)
1707 goto error_unlock;
1708
1709
1710 spin_lock(&buf_obj->name_lock);
1711 seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n",
1712 buf_obj->size,
1713 buf_obj->file->f_flags, buf_obj->file->f_mode,
1714 file_count(buf_obj->file),
1715 buf_obj->exp_name,
1716 file_inode(buf_obj->file)->i_ino,
1717 buf_obj->name ?: "<none>");
1718 spin_unlock(&buf_obj->name_lock);
1719
1720 dma_resv_describe(buf_obj->resv, s);
1721
1722 seq_puts(s, "\tAttached Devices:\n");
1723 attach_count = 0;
1724
1725 list_for_each_entry(attach_obj, &buf_obj->attachments, node) {
1726 seq_printf(s, "\t%s\n", dev_name(attach_obj->dev));
1727 attach_count++;
1728 }
1729 dma_resv_unlock(buf_obj->resv);
1730
1731 seq_printf(s, "Total %d devices attached\n\n",
1732 attach_count);
1733
1734 count++;
1735 size += buf_obj->size;
1736 }
1737
1738 seq_printf(s, "\nTotal %d objects, %zu bytes\n", count, size);
1739
1740 mutex_unlock(&dmabuf_list_mutex);
1741 return 0;
1742
1743 error_unlock:
1744 mutex_unlock(&dmabuf_list_mutex);
1745 return ret;
1746 }
1747
1748 DEFINE_SHOW_ATTRIBUTE(dma_buf_debug);
1749
1750 static struct dentry *dma_buf_debugfs_dir;
1751
dma_buf_init_debugfs(void)1752 static int dma_buf_init_debugfs(void)
1753 {
1754 struct dentry *d;
1755 int err = 0;
1756
1757 d = debugfs_create_dir("dma_buf", NULL);
1758 if (IS_ERR(d))
1759 return PTR_ERR(d);
1760
1761 dma_buf_debugfs_dir = d;
1762
1763 d = debugfs_create_file("bufinfo", 0444, dma_buf_debugfs_dir,
1764 NULL, &dma_buf_debug_fops);
1765 if (IS_ERR(d)) {
1766 pr_debug("dma_buf: debugfs: failed to create node bufinfo\n");
1767 debugfs_remove_recursive(dma_buf_debugfs_dir);
1768 dma_buf_debugfs_dir = NULL;
1769 err = PTR_ERR(d);
1770 }
1771
1772 return err;
1773 }
1774
dma_buf_uninit_debugfs(void)1775 static void dma_buf_uninit_debugfs(void)
1776 {
1777 debugfs_remove_recursive(dma_buf_debugfs_dir);
1778 }
1779 #else
dma_buf_init_debugfs(void)1780 static inline int dma_buf_init_debugfs(void)
1781 {
1782 return 0;
1783 }
dma_buf_uninit_debugfs(void)1784 static inline void dma_buf_uninit_debugfs(void)
1785 {
1786 }
1787 #endif
1788
dma_buf_init(void)1789 static int __init dma_buf_init(void)
1790 {
1791 dma_buf_mnt = kern_mount(&dma_buf_fs_type);
1792 if (IS_ERR(dma_buf_mnt))
1793 return PTR_ERR(dma_buf_mnt);
1794
1795 dma_buf_init_debugfs();
1796 return 0;
1797 }
1798 subsys_initcall(dma_buf_init);
1799
dma_buf_deinit(void)1800 static void __exit dma_buf_deinit(void)
1801 {
1802 dma_buf_uninit_debugfs();
1803 kern_unmount(dma_buf_mnt);
1804 }
1805 __exitcall(dma_buf_deinit);
1806