1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Framework for buffer objects that can be shared across devices/subsystems. 4 * 5 * Copyright(C) 2011 Linaro Limited. All rights reserved. 6 * Author: Sumit Semwal <sumit.semwal@ti.com> 7 * 8 * Many thanks to linaro-mm-sig list, and specially 9 * Arnd Bergmann <arnd@arndb.de>, Rob Clark <rob@ti.com> and 10 * Daniel Vetter <daniel@ffwll.ch> for their support in creation and 11 * refining of this idea. 12 */ 13 14 #include <linux/fs.h> 15 #include <linux/slab.h> 16 #include <linux/dma-buf.h> 17 #include <linux/dma-fence.h> 18 #include <linux/dma-fence-unwrap.h> 19 #include <linux/anon_inodes.h> 20 #include <linux/export.h> 21 #include <linux/debugfs.h> 22 #include <linux/list.h> 23 #include <linux/module.h> 24 #include <linux/mutex.h> 25 #include <linux/seq_file.h> 26 #include <linux/sync_file.h> 27 #include <linux/poll.h> 28 #include <linux/dma-resv.h> 29 #include <linux/mm.h> 30 #include <linux/mount.h> 31 #include <linux/pseudo_fs.h> 32 33 #include <uapi/linux/dma-buf.h> 34 #include <uapi/linux/magic.h> 35 36 #define CREATE_TRACE_POINTS 37 #include <trace/events/dma_buf.h> 38 39 /* 40 * dmabuf->name must be accessed with holding dmabuf->name_lock. 41 * we need to take the lock around the tracepoint call itself where 42 * it is called in the code. 43 * 44 * Note: FUNC##_enabled() is a static branch that will only 45 * be set when the trace event is enabled. 46 */ 47 #define DMA_BUF_TRACE(FUNC, ...) \ 48 do { \ 49 /* Always expose lock if lockdep is enabled */ \ 50 if (IS_ENABLED(CONFIG_LOCKDEP) || FUNC##_enabled()) { \ 51 guard(spinlock)(&dmabuf->name_lock); \ 52 FUNC(__VA_ARGS__); \ 53 } \ 54 } while (0) 55 56 /* Wrapper to hide the sg_table page link from the importer */ 57 struct dma_buf_sg_table_wrapper { 58 struct sg_table *original; 59 struct sg_table wrapper; 60 }; 61 62 static inline int is_dma_buf_file(struct file *); 63 64 static DEFINE_MUTEX(dmabuf_list_mutex); 65 static LIST_HEAD(dmabuf_list); 66 67 static void __dma_buf_list_add(struct dma_buf *dmabuf) 68 { 69 mutex_lock(&dmabuf_list_mutex); 70 list_add(&dmabuf->list_node, &dmabuf_list); 71 mutex_unlock(&dmabuf_list_mutex); 72 } 73 74 static void __dma_buf_list_del(struct dma_buf *dmabuf) 75 { 76 if (!dmabuf) 77 return; 78 79 mutex_lock(&dmabuf_list_mutex); 80 list_del(&dmabuf->list_node); 81 mutex_unlock(&dmabuf_list_mutex); 82 } 83 84 /** 85 * dma_buf_iter_begin - begin iteration through global list of all DMA buffers 86 * 87 * Returns the first buffer in the global list of DMA-bufs that's not in the 88 * process of being destroyed. Increments that buffer's reference count to 89 * prevent buffer destruction. Callers must release the reference, either by 90 * continuing iteration with dma_buf_iter_next(), or with dma_buf_put(). 91 * 92 * Return: 93 * * First buffer from global list, with refcount elevated 94 * * NULL if no active buffers are present 95 */ 96 struct dma_buf *dma_buf_iter_begin(void) 97 { 98 struct dma_buf *ret = NULL, *dmabuf; 99 100 /* 101 * The list mutex does not protect a dmabuf's refcount, so it can be 102 * zeroed while we are iterating. We cannot call get_dma_buf() since the 103 * caller may not already own a reference to the buffer. 104 */ 105 mutex_lock(&dmabuf_list_mutex); 106 list_for_each_entry(dmabuf, &dmabuf_list, list_node) { 107 if (file_ref_get(&dmabuf->file->f_ref)) { 108 ret = dmabuf; 109 break; 110 } 111 } 112 mutex_unlock(&dmabuf_list_mutex); 113 return ret; 114 } 115 116 /** 117 * dma_buf_iter_next - continue iteration through global list of all DMA buffers 118 * @dmabuf: [in] pointer to dma_buf 119 * 120 * Decrements the reference count on the provided buffer. Returns the next 121 * buffer from the remainder of the global list of DMA-bufs with its reference 122 * count incremented. Callers must release the reference, either by continuing 123 * iteration with dma_buf_iter_next(), or with dma_buf_put(). 124 * 125 * Return: 126 * * Next buffer from global list, with refcount elevated 127 * * NULL if no additional active buffers are present 128 */ 129 struct dma_buf *dma_buf_iter_next(struct dma_buf *dmabuf) 130 { 131 struct dma_buf *ret = NULL; 132 133 /* 134 * The list mutex does not protect a dmabuf's refcount, so it can be 135 * zeroed while we are iterating. We cannot call get_dma_buf() since the 136 * caller may not already own a reference to the buffer. 137 */ 138 mutex_lock(&dmabuf_list_mutex); 139 dma_buf_put(dmabuf); 140 list_for_each_entry_continue(dmabuf, &dmabuf_list, list_node) { 141 if (file_ref_get(&dmabuf->file->f_ref)) { 142 ret = dmabuf; 143 break; 144 } 145 } 146 mutex_unlock(&dmabuf_list_mutex); 147 return ret; 148 } 149 150 static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen) 151 { 152 struct dma_buf *dmabuf; 153 char name[DMA_BUF_NAME_LEN]; 154 ssize_t ret = 0; 155 156 dmabuf = dentry->d_fsdata; 157 spin_lock(&dmabuf->name_lock); 158 if (dmabuf->name) 159 ret = strscpy(name, dmabuf->name, sizeof(name)); 160 spin_unlock(&dmabuf->name_lock); 161 162 return dynamic_dname(buffer, buflen, "/%s:%s", 163 dentry->d_name.name, ret > 0 ? name : ""); 164 } 165 166 static void dma_buf_release(struct dentry *dentry) 167 { 168 struct dma_buf *dmabuf; 169 170 dmabuf = dentry->d_fsdata; 171 if (unlikely(!dmabuf)) 172 return; 173 174 BUG_ON(dmabuf->vmapping_counter); 175 176 /* 177 * If you hit this BUG() it could mean: 178 * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else 179 * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback 180 */ 181 BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active); 182 183 dmabuf->ops->release(dmabuf); 184 185 if (dmabuf->resv == (struct dma_resv *)&dmabuf[1]) 186 dma_resv_fini(dmabuf->resv); 187 188 WARN_ON(!list_empty(&dmabuf->attachments)); 189 module_put(dmabuf->owner); 190 kfree(dmabuf->name); 191 kfree(dmabuf); 192 } 193 194 static int dma_buf_file_release(struct inode *inode, struct file *file) 195 { 196 if (!is_dma_buf_file(file)) 197 return -EINVAL; 198 199 __dma_buf_list_del(file->private_data); 200 201 return 0; 202 } 203 204 static const struct dentry_operations dma_buf_dentry_ops = { 205 .d_dname = dmabuffs_dname, 206 .d_release = dma_buf_release, 207 }; 208 209 static struct vfsmount *dma_buf_mnt; 210 211 static int dma_buf_fs_init_context(struct fs_context *fc) 212 { 213 struct pseudo_fs_context *ctx; 214 215 ctx = init_pseudo(fc, DMA_BUF_MAGIC); 216 if (!ctx) 217 return -ENOMEM; 218 ctx->dops = &dma_buf_dentry_ops; 219 return 0; 220 } 221 222 static struct file_system_type dma_buf_fs_type = { 223 .name = "dmabuf", 224 .init_fs_context = dma_buf_fs_init_context, 225 .kill_sb = kill_anon_super, 226 }; 227 228 static int dma_buf_mmap_internal(struct file *file, struct vm_area_struct *vma) 229 { 230 struct dma_buf *dmabuf; 231 232 if (!is_dma_buf_file(file)) 233 return -EINVAL; 234 235 dmabuf = file->private_data; 236 237 /* check if buffer supports mmap */ 238 if (!dmabuf->ops->mmap) 239 return -EINVAL; 240 241 /* check for overflowing the buffer's size */ 242 if (vma->vm_pgoff + vma_pages(vma) > 243 dmabuf->size >> PAGE_SHIFT) 244 return -EINVAL; 245 246 DMA_BUF_TRACE(trace_dma_buf_mmap_internal, dmabuf); 247 248 return dmabuf->ops->mmap(dmabuf, vma); 249 } 250 251 static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence) 252 { 253 struct dma_buf *dmabuf; 254 loff_t base; 255 256 if (!is_dma_buf_file(file)) 257 return -EBADF; 258 259 dmabuf = file->private_data; 260 261 /* only support discovering the end of the buffer, 262 * but also allow SEEK_SET to maintain the idiomatic 263 * SEEK_END(0), SEEK_CUR(0) pattern. 264 */ 265 if (whence == SEEK_END) 266 base = dmabuf->size; 267 else if (whence == SEEK_SET) 268 base = 0; 269 else 270 return -EINVAL; 271 272 if (offset != 0) 273 return -EINVAL; 274 275 return base + offset; 276 } 277 278 /** 279 * DOC: implicit fence polling 280 * 281 * To support cross-device and cross-driver synchronization of buffer access 282 * implicit fences (represented internally in the kernel with &struct dma_fence) 283 * can be attached to a &dma_buf. The glue for that and a few related things are 284 * provided in the &dma_resv structure. 285 * 286 * Userspace can query the state of these implicitly tracked fences using poll() 287 * and related system calls: 288 * 289 * - Checking for EPOLLIN, i.e. read access, can be use to query the state of the 290 * most recent write or exclusive fence. 291 * 292 * - Checking for EPOLLOUT, i.e. write access, can be used to query the state of 293 * all attached fences, shared and exclusive ones. 294 * 295 * Note that this only signals the completion of the respective fences, i.e. the 296 * DMA transfers are complete. Cache flushing and any other necessary 297 * preparations before CPU access can begin still need to happen. 298 * 299 * As an alternative to poll(), the set of fences on DMA buffer can be 300 * exported as a &sync_file using &dma_buf_sync_file_export. 301 */ 302 303 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb) 304 { 305 struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb; 306 struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll); 307 unsigned long flags; 308 309 spin_lock_irqsave(&dcb->poll->lock, flags); 310 wake_up_locked_poll(dcb->poll, dcb->active); 311 dcb->active = 0; 312 spin_unlock_irqrestore(&dcb->poll->lock, flags); 313 dma_fence_put(fence); 314 /* Paired with get_file in dma_buf_poll */ 315 fput(dmabuf->file); 316 } 317 318 static bool dma_buf_poll_add_cb(struct dma_resv *resv, bool write, 319 struct dma_buf_poll_cb_t *dcb) 320 { 321 struct dma_resv_iter cursor; 322 struct dma_fence *fence; 323 int r; 324 325 dma_resv_for_each_fence(&cursor, resv, dma_resv_usage_rw(write), 326 fence) { 327 dma_fence_get(fence); 328 r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb); 329 if (!r) 330 return true; 331 dma_fence_put(fence); 332 } 333 334 return false; 335 } 336 337 static __poll_t dma_buf_poll(struct file *file, poll_table *poll) 338 { 339 struct dma_buf *dmabuf; 340 struct dma_resv *resv; 341 __poll_t events; 342 343 dmabuf = file->private_data; 344 if (!dmabuf || !dmabuf->resv) 345 return EPOLLERR; 346 347 resv = dmabuf->resv; 348 349 poll_wait(file, &dmabuf->poll, poll); 350 351 events = poll_requested_events(poll) & (EPOLLIN | EPOLLOUT); 352 if (!events) 353 return 0; 354 355 dma_resv_lock(resv, NULL); 356 357 if (events & EPOLLOUT) { 358 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_out; 359 360 /* Check that callback isn't busy */ 361 spin_lock_irq(&dmabuf->poll.lock); 362 if (dcb->active) 363 events &= ~EPOLLOUT; 364 else 365 dcb->active = EPOLLOUT; 366 spin_unlock_irq(&dmabuf->poll.lock); 367 368 if (events & EPOLLOUT) { 369 /* Paired with fput in dma_buf_poll_cb */ 370 get_file(dmabuf->file); 371 372 if (!dma_buf_poll_add_cb(resv, true, dcb)) 373 /* No callback queued, wake up any other waiters */ 374 dma_buf_poll_cb(NULL, &dcb->cb); 375 else 376 events &= ~EPOLLOUT; 377 } 378 } 379 380 if (events & EPOLLIN) { 381 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_in; 382 383 /* Check that callback isn't busy */ 384 spin_lock_irq(&dmabuf->poll.lock); 385 if (dcb->active) 386 events &= ~EPOLLIN; 387 else 388 dcb->active = EPOLLIN; 389 spin_unlock_irq(&dmabuf->poll.lock); 390 391 if (events & EPOLLIN) { 392 /* Paired with fput in dma_buf_poll_cb */ 393 get_file(dmabuf->file); 394 395 if (!dma_buf_poll_add_cb(resv, false, dcb)) 396 /* No callback queued, wake up any other waiters */ 397 dma_buf_poll_cb(NULL, &dcb->cb); 398 else 399 events &= ~EPOLLIN; 400 } 401 } 402 403 dma_resv_unlock(resv); 404 return events; 405 } 406 407 /** 408 * dma_buf_set_name - Set a name to a specific dma_buf to track the usage. 409 * It could support changing the name of the dma-buf if the same 410 * piece of memory is used for multiple purpose between different devices. 411 * 412 * @dmabuf: [in] dmabuf buffer that will be renamed. 413 * @buf: [in] A piece of userspace memory that contains the name of 414 * the dma-buf. 415 * 416 * Returns 0 on success. If the dma-buf buffer is already attached to 417 * devices, return -EBUSY. 418 * 419 */ 420 static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf) 421 { 422 char *name = strndup_user(buf, DMA_BUF_NAME_LEN); 423 424 if (IS_ERR(name)) 425 return PTR_ERR(name); 426 427 spin_lock(&dmabuf->name_lock); 428 kfree(dmabuf->name); 429 dmabuf->name = name; 430 spin_unlock(&dmabuf->name_lock); 431 432 return 0; 433 } 434 435 #if IS_ENABLED(CONFIG_SYNC_FILE) 436 static long dma_buf_export_sync_file(struct dma_buf *dmabuf, 437 void __user *user_data) 438 { 439 struct dma_buf_export_sync_file arg; 440 enum dma_resv_usage usage; 441 struct dma_fence *fence = NULL; 442 struct sync_file *sync_file; 443 int fd, ret; 444 445 if (copy_from_user(&arg, user_data, sizeof(arg))) 446 return -EFAULT; 447 448 if (arg.flags & ~DMA_BUF_SYNC_RW) 449 return -EINVAL; 450 451 if ((arg.flags & DMA_BUF_SYNC_RW) == 0) 452 return -EINVAL; 453 454 fd = get_unused_fd_flags(O_CLOEXEC); 455 if (fd < 0) 456 return fd; 457 458 usage = dma_resv_usage_rw(arg.flags & DMA_BUF_SYNC_WRITE); 459 ret = dma_resv_get_singleton(dmabuf->resv, usage, &fence); 460 if (ret) 461 goto err_put_fd; 462 463 if (!fence) 464 fence = dma_fence_get_stub(); 465 466 sync_file = sync_file_create(fence); 467 468 dma_fence_put(fence); 469 470 if (!sync_file) { 471 ret = -ENOMEM; 472 goto err_put_fd; 473 } 474 475 arg.fd = fd; 476 if (copy_to_user(user_data, &arg, sizeof(arg))) { 477 ret = -EFAULT; 478 goto err_put_file; 479 } 480 481 fd_install(fd, sync_file->file); 482 483 return 0; 484 485 err_put_file: 486 fput(sync_file->file); 487 err_put_fd: 488 put_unused_fd(fd); 489 return ret; 490 } 491 492 static long dma_buf_import_sync_file(struct dma_buf *dmabuf, 493 const void __user *user_data) 494 { 495 struct dma_buf_import_sync_file arg; 496 struct dma_fence *fence, *f; 497 enum dma_resv_usage usage; 498 struct dma_fence_unwrap iter; 499 unsigned int num_fences; 500 int ret = 0; 501 502 if (copy_from_user(&arg, user_data, sizeof(arg))) 503 return -EFAULT; 504 505 if (arg.flags & ~DMA_BUF_SYNC_RW) 506 return -EINVAL; 507 508 if ((arg.flags & DMA_BUF_SYNC_RW) == 0) 509 return -EINVAL; 510 511 fence = sync_file_get_fence(arg.fd); 512 if (!fence) 513 return -EINVAL; 514 515 usage = (arg.flags & DMA_BUF_SYNC_WRITE) ? DMA_RESV_USAGE_WRITE : 516 DMA_RESV_USAGE_READ; 517 518 num_fences = 0; 519 dma_fence_unwrap_for_each(f, &iter, fence) 520 ++num_fences; 521 522 if (num_fences > 0) { 523 dma_resv_lock(dmabuf->resv, NULL); 524 525 ret = dma_resv_reserve_fences(dmabuf->resv, num_fences); 526 if (!ret) { 527 dma_fence_unwrap_for_each(f, &iter, fence) 528 dma_resv_add_fence(dmabuf->resv, f, usage); 529 } 530 531 dma_resv_unlock(dmabuf->resv); 532 } 533 534 dma_fence_put(fence); 535 536 return ret; 537 } 538 #endif 539 540 static long dma_buf_ioctl(struct file *file, 541 unsigned int cmd, unsigned long arg) 542 { 543 struct dma_buf *dmabuf; 544 struct dma_buf_sync sync; 545 enum dma_data_direction direction; 546 int ret; 547 548 dmabuf = file->private_data; 549 550 switch (cmd) { 551 case DMA_BUF_IOCTL_SYNC: 552 if (copy_from_user(&sync, (void __user *) arg, sizeof(sync))) 553 return -EFAULT; 554 555 if (sync.flags & ~DMA_BUF_SYNC_VALID_FLAGS_MASK) 556 return -EINVAL; 557 558 switch (sync.flags & DMA_BUF_SYNC_RW) { 559 case DMA_BUF_SYNC_READ: 560 direction = DMA_FROM_DEVICE; 561 break; 562 case DMA_BUF_SYNC_WRITE: 563 direction = DMA_TO_DEVICE; 564 break; 565 case DMA_BUF_SYNC_RW: 566 direction = DMA_BIDIRECTIONAL; 567 break; 568 default: 569 return -EINVAL; 570 } 571 572 if (sync.flags & DMA_BUF_SYNC_END) 573 ret = dma_buf_end_cpu_access(dmabuf, direction); 574 else 575 ret = dma_buf_begin_cpu_access(dmabuf, direction); 576 577 return ret; 578 579 case DMA_BUF_SET_NAME_A: 580 case DMA_BUF_SET_NAME_B: 581 return dma_buf_set_name(dmabuf, (const char __user *)arg); 582 583 #if IS_ENABLED(CONFIG_SYNC_FILE) 584 case DMA_BUF_IOCTL_EXPORT_SYNC_FILE: 585 return dma_buf_export_sync_file(dmabuf, (void __user *)arg); 586 case DMA_BUF_IOCTL_IMPORT_SYNC_FILE: 587 return dma_buf_import_sync_file(dmabuf, (const void __user *)arg); 588 #endif 589 590 default: 591 return -ENOTTY; 592 } 593 } 594 595 static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file) 596 { 597 struct dma_buf *dmabuf = file->private_data; 598 599 seq_printf(m, "size:\t%zu\n", dmabuf->size); 600 /* Don't count the temporary reference taken inside procfs seq_show */ 601 seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); 602 seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); 603 spin_lock(&dmabuf->name_lock); 604 if (dmabuf->name) 605 seq_printf(m, "name:\t%s\n", dmabuf->name); 606 spin_unlock(&dmabuf->name_lock); 607 } 608 609 static const struct file_operations dma_buf_fops = { 610 .release = dma_buf_file_release, 611 .mmap = dma_buf_mmap_internal, 612 .llseek = dma_buf_llseek, 613 .poll = dma_buf_poll, 614 .unlocked_ioctl = dma_buf_ioctl, 615 .compat_ioctl = compat_ptr_ioctl, 616 .show_fdinfo = dma_buf_show_fdinfo, 617 }; 618 619 /* 620 * is_dma_buf_file - Check if struct file* is associated with dma_buf 621 */ 622 static inline int is_dma_buf_file(struct file *file) 623 { 624 return file->f_op == &dma_buf_fops; 625 } 626 627 static struct file *dma_buf_getfile(size_t size, int flags) 628 { 629 static atomic64_t dmabuf_inode = ATOMIC64_INIT(0); 630 struct inode *inode = alloc_anon_inode(dma_buf_mnt->mnt_sb); 631 struct file *file; 632 633 if (IS_ERR(inode)) 634 return ERR_CAST(inode); 635 636 inode->i_size = size; 637 inode_set_bytes(inode, size); 638 639 /* 640 * The ->i_ino acquired from get_next_ino() is not unique thus 641 * not suitable for using it as dentry name by dmabuf stats. 642 * Override ->i_ino with the unique and dmabuffs specific 643 * value. 644 */ 645 inode->i_ino = atomic64_inc_return(&dmabuf_inode); 646 flags &= O_ACCMODE | O_NONBLOCK; 647 file = alloc_file_pseudo(inode, dma_buf_mnt, "dmabuf", 648 flags, &dma_buf_fops); 649 if (IS_ERR(file)) 650 goto err_alloc_file; 651 652 return file; 653 654 err_alloc_file: 655 iput(inode); 656 return file; 657 } 658 659 /** 660 * DOC: dma buf device access 661 * 662 * For device DMA access to a shared DMA buffer the usual sequence of operations 663 * is fairly simple: 664 * 665 * 1. The exporter defines his exporter instance using 666 * DEFINE_DMA_BUF_EXPORT_INFO() and calls dma_buf_export() to wrap a private 667 * buffer object into a &dma_buf. It then exports that &dma_buf to userspace 668 * as a file descriptor by calling dma_buf_fd(). 669 * 670 * 2. Userspace passes this file-descriptors to all drivers it wants this buffer 671 * to share with: First the file descriptor is converted to a &dma_buf using 672 * dma_buf_get(). Then the buffer is attached to the device using 673 * dma_buf_attach(). 674 * 675 * Up to this stage the exporter is still free to migrate or reallocate the 676 * backing storage. 677 * 678 * 3. Once the buffer is attached to all devices userspace can initiate DMA 679 * access to the shared buffer. In the kernel this is done by calling 680 * dma_buf_map_attachment() and dma_buf_unmap_attachment(). 681 * 682 * 4. Once a driver is done with a shared buffer it needs to call 683 * dma_buf_detach() (after cleaning up any mappings) and then release the 684 * reference acquired with dma_buf_get() by calling dma_buf_put(). 685 * 686 * For the detailed semantics exporters are expected to implement see 687 * &dma_buf_ops. 688 */ 689 690 /** 691 * dma_buf_export - Creates a new dma_buf, and associates an anon file 692 * with this buffer, so it can be exported. 693 * Also connect the allocator specific data and ops to the buffer. 694 * Additionally, provide a name string for exporter; useful in debugging. 695 * 696 * @exp_info: [in] holds all the export related information provided 697 * by the exporter. see &struct dma_buf_export_info 698 * for further details. 699 * 700 * Returns, on success, a newly created struct dma_buf object, which wraps the 701 * supplied private data and operations for struct dma_buf_ops. On either 702 * missing ops, or error in allocating struct dma_buf, will return negative 703 * error. 704 * 705 * For most cases the easiest way to create @exp_info is through the 706 * %DEFINE_DMA_BUF_EXPORT_INFO macro. 707 */ 708 struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) 709 { 710 struct dma_buf *dmabuf; 711 struct dma_resv *resv = exp_info->resv; 712 struct file *file; 713 size_t alloc_size = sizeof(struct dma_buf); 714 int ret; 715 716 if (WARN_ON(!exp_info->priv || !exp_info->ops 717 || !exp_info->ops->map_dma_buf 718 || !exp_info->ops->unmap_dma_buf 719 || !exp_info->ops->release)) 720 return ERR_PTR(-EINVAL); 721 722 if (WARN_ON(!exp_info->ops->pin != !exp_info->ops->unpin)) 723 return ERR_PTR(-EINVAL); 724 725 if (!try_module_get(exp_info->owner)) 726 return ERR_PTR(-ENOENT); 727 728 file = dma_buf_getfile(exp_info->size, exp_info->flags); 729 if (IS_ERR(file)) { 730 ret = PTR_ERR(file); 731 goto err_module; 732 } 733 734 if (!exp_info->resv) 735 alloc_size += sizeof(struct dma_resv); 736 else 737 /* prevent &dma_buf[1] == dma_buf->resv */ 738 alloc_size += 1; 739 dmabuf = kzalloc(alloc_size, GFP_KERNEL); 740 if (!dmabuf) { 741 ret = -ENOMEM; 742 goto err_file; 743 } 744 745 dmabuf->priv = exp_info->priv; 746 dmabuf->ops = exp_info->ops; 747 dmabuf->size = exp_info->size; 748 dmabuf->exp_name = exp_info->exp_name; 749 dmabuf->owner = exp_info->owner; 750 spin_lock_init(&dmabuf->name_lock); 751 init_waitqueue_head(&dmabuf->poll); 752 dmabuf->cb_in.poll = dmabuf->cb_out.poll = &dmabuf->poll; 753 dmabuf->cb_in.active = dmabuf->cb_out.active = 0; 754 INIT_LIST_HEAD(&dmabuf->attachments); 755 756 if (!resv) { 757 dmabuf->resv = (struct dma_resv *)&dmabuf[1]; 758 dma_resv_init(dmabuf->resv); 759 } else { 760 dmabuf->resv = resv; 761 } 762 763 file->private_data = dmabuf; 764 file->f_path.dentry->d_fsdata = dmabuf; 765 dmabuf->file = file; 766 767 __dma_buf_list_add(dmabuf); 768 769 DMA_BUF_TRACE(trace_dma_buf_export, dmabuf); 770 771 return dmabuf; 772 773 err_file: 774 fput(file); 775 err_module: 776 module_put(exp_info->owner); 777 return ERR_PTR(ret); 778 } 779 EXPORT_SYMBOL_NS_GPL(dma_buf_export, "DMA_BUF"); 780 781 /** 782 * dma_buf_fd - returns a file descriptor for the given struct dma_buf 783 * @dmabuf: [in] pointer to dma_buf for which fd is required. 784 * @flags: [in] flags to give to fd 785 * 786 * On success, returns an associated 'fd'. Else, returns error. 787 */ 788 int dma_buf_fd(struct dma_buf *dmabuf, int flags) 789 { 790 int fd; 791 792 if (!dmabuf || !dmabuf->file) 793 return -EINVAL; 794 795 fd = get_unused_fd_flags(flags); 796 if (fd < 0) 797 return fd; 798 799 DMA_BUF_TRACE(trace_dma_buf_fd, dmabuf, fd); 800 801 fd_install(fd, dmabuf->file); 802 return fd; 803 } 804 EXPORT_SYMBOL_NS_GPL(dma_buf_fd, "DMA_BUF"); 805 806 /** 807 * dma_buf_get - returns the struct dma_buf related to an fd 808 * @fd: [in] fd associated with the struct dma_buf to be returned 809 * 810 * On success, returns the struct dma_buf associated with an fd; uses 811 * file's refcounting done by fget to increase refcount. returns ERR_PTR 812 * otherwise. 813 */ 814 struct dma_buf *dma_buf_get(int fd) 815 { 816 struct file *file; 817 struct dma_buf *dmabuf; 818 819 file = fget(fd); 820 821 if (!file) 822 return ERR_PTR(-EBADF); 823 824 if (!is_dma_buf_file(file)) { 825 fput(file); 826 return ERR_PTR(-EINVAL); 827 } 828 829 dmabuf = file->private_data; 830 831 DMA_BUF_TRACE(trace_dma_buf_get, dmabuf, fd); 832 833 return dmabuf; 834 } 835 EXPORT_SYMBOL_NS_GPL(dma_buf_get, "DMA_BUF"); 836 837 /** 838 * dma_buf_put - decreases refcount of the buffer 839 * @dmabuf: [in] buffer to reduce refcount of 840 * 841 * Uses file's refcounting done implicitly by fput(). 842 * 843 * If, as a result of this call, the refcount becomes 0, the 'release' file 844 * operation related to this fd is called. It calls &dma_buf_ops.release vfunc 845 * in turn, and frees the memory allocated for dmabuf when exported. 846 */ 847 void dma_buf_put(struct dma_buf *dmabuf) 848 { 849 if (WARN_ON(!dmabuf || !dmabuf->file)) 850 return; 851 852 DMA_BUF_TRACE(trace_dma_buf_put, dmabuf); 853 fput(dmabuf->file); 854 } 855 EXPORT_SYMBOL_NS_GPL(dma_buf_put, "DMA_BUF"); 856 857 static int dma_buf_wrap_sg_table(struct sg_table **sg_table) 858 { 859 struct scatterlist *to_sg, *from_sg; 860 struct sg_table *from = *sg_table; 861 struct dma_buf_sg_table_wrapper *to; 862 int i, ret; 863 864 if (!IS_ENABLED(CONFIG_DMABUF_DEBUG)) 865 return 0; 866 867 /* 868 * To catch abuse of the underlying struct page by importers copy the 869 * sg_table without copying the page_link and give only the copy back to 870 * the importer. 871 */ 872 to = kzalloc_obj(*to); 873 if (!to) 874 return -ENOMEM; 875 876 ret = sg_alloc_table(&to->wrapper, from->nents, GFP_KERNEL); 877 if (ret) 878 goto free_to; 879 880 to_sg = to->wrapper.sgl; 881 for_each_sgtable_dma_sg(from, from_sg, i) { 882 to_sg->offset = 0; 883 to_sg->length = 0; 884 sg_assign_page(to_sg, NULL); 885 sg_dma_address(to_sg) = sg_dma_address(from_sg); 886 sg_dma_len(to_sg) = sg_dma_len(from_sg); 887 to_sg = sg_next(to_sg); 888 } 889 890 to->original = from; 891 *sg_table = &to->wrapper; 892 return 0; 893 894 free_to: 895 kfree(to); 896 return ret; 897 } 898 899 static void dma_buf_unwrap_sg_table(struct sg_table **sg_table) 900 { 901 struct dma_buf_sg_table_wrapper *copy; 902 903 if (!IS_ENABLED(CONFIG_DMABUF_DEBUG)) 904 return; 905 906 copy = container_of(*sg_table, typeof(*copy), wrapper); 907 *sg_table = copy->original; 908 sg_free_table(©->wrapper); 909 kfree(copy); 910 } 911 912 static inline bool 913 dma_buf_attachment_is_dynamic(struct dma_buf_attachment *attach) 914 { 915 return !!attach->importer_ops; 916 } 917 918 static bool 919 dma_buf_pin_on_map(struct dma_buf_attachment *attach) 920 { 921 return attach->dmabuf->ops->pin && 922 !dma_buf_attachment_is_dynamic(attach); 923 } 924 925 /** 926 * DOC: locking convention 927 * 928 * In order to avoid deadlock situations between dma-buf exports and importers, 929 * all dma-buf API users must follow the common dma-buf locking convention. 930 * 931 * Convention for importers 932 * 933 * 1. Importers must hold the dma-buf reservation lock when calling these 934 * functions: 935 * 936 * - dma_buf_pin() 937 * - dma_buf_unpin() 938 * - dma_buf_map_attachment() 939 * - dma_buf_unmap_attachment() 940 * - dma_buf_vmap() 941 * - dma_buf_vunmap() 942 * 943 * 2. Importers must not hold the dma-buf reservation lock when calling these 944 * functions: 945 * 946 * - dma_buf_attach() 947 * - dma_buf_dynamic_attach() 948 * - dma_buf_detach() 949 * - dma_buf_export() 950 * - dma_buf_fd() 951 * - dma_buf_get() 952 * - dma_buf_put() 953 * - dma_buf_mmap() 954 * - dma_buf_begin_cpu_access() 955 * - dma_buf_end_cpu_access() 956 * - dma_buf_map_attachment_unlocked() 957 * - dma_buf_unmap_attachment_unlocked() 958 * - dma_buf_vmap_unlocked() 959 * - dma_buf_vunmap_unlocked() 960 * 961 * Convention for exporters 962 * 963 * 1. These &dma_buf_ops callbacks are invoked with unlocked dma-buf 964 * reservation and exporter can take the lock: 965 * 966 * - &dma_buf_ops.attach() 967 * - &dma_buf_ops.detach() 968 * - &dma_buf_ops.release() 969 * - &dma_buf_ops.begin_cpu_access() 970 * - &dma_buf_ops.end_cpu_access() 971 * - &dma_buf_ops.mmap() 972 * 973 * 2. These &dma_buf_ops callbacks are invoked with locked dma-buf 974 * reservation and exporter can't take the lock: 975 * 976 * - &dma_buf_ops.pin() 977 * - &dma_buf_ops.unpin() 978 * - &dma_buf_ops.map_dma_buf() 979 * - &dma_buf_ops.unmap_dma_buf() 980 * - &dma_buf_ops.vmap() 981 * - &dma_buf_ops.vunmap() 982 * 983 * 3. Exporters must hold the dma-buf reservation lock when calling these 984 * functions: 985 * 986 * - dma_buf_invalidate_mappings() 987 */ 988 989 /** 990 * dma_buf_dynamic_attach - Add the device to dma_buf's attachments list 991 * @dmabuf: [in] buffer to attach device to. 992 * @dev: [in] device to be attached. 993 * @importer_ops: [in] importer operations for the attachment 994 * @importer_priv: [in] importer private pointer for the attachment 995 * 996 * Returns struct dma_buf_attachment pointer for this attachment. Attachments 997 * must be cleaned up by calling dma_buf_detach(). 998 * 999 * Optionally this calls &dma_buf_ops.attach to allow device-specific attach 1000 * functionality. 1001 * 1002 * Returns: 1003 * 1004 * A pointer to newly created &dma_buf_attachment on success, or a negative 1005 * error code wrapped into a pointer on failure. 1006 * 1007 * Note that this can fail if the backing storage of @dmabuf is in a place not 1008 * accessible to @dev, and cannot be moved to a more suitable place. This is 1009 * indicated with the error code -EBUSY. 1010 */ 1011 struct dma_buf_attachment * 1012 dma_buf_dynamic_attach(struct dma_buf *dmabuf, struct device *dev, 1013 const struct dma_buf_attach_ops *importer_ops, 1014 void *importer_priv) 1015 { 1016 struct dma_buf_attachment *attach; 1017 int ret; 1018 1019 if (WARN_ON(!dmabuf || !dev)) 1020 return ERR_PTR(-EINVAL); 1021 1022 attach = kzalloc_obj(*attach); 1023 if (!attach) 1024 return ERR_PTR(-ENOMEM); 1025 1026 attach->dev = dev; 1027 attach->dmabuf = dmabuf; 1028 if (importer_ops) 1029 attach->peer2peer = importer_ops->allow_peer2peer; 1030 attach->importer_ops = importer_ops; 1031 attach->importer_priv = importer_priv; 1032 1033 if (dmabuf->ops->attach) { 1034 ret = dmabuf->ops->attach(dmabuf, attach); 1035 if (ret) 1036 goto err_attach; 1037 } 1038 dma_resv_lock(dmabuf->resv, NULL); 1039 list_add(&attach->node, &dmabuf->attachments); 1040 dma_resv_unlock(dmabuf->resv); 1041 1042 DMA_BUF_TRACE(trace_dma_buf_dynamic_attach, dmabuf, attach, 1043 dma_buf_attachment_is_dynamic(attach), dev); 1044 1045 return attach; 1046 1047 err_attach: 1048 kfree(attach); 1049 return ERR_PTR(ret); 1050 } 1051 EXPORT_SYMBOL_NS_GPL(dma_buf_dynamic_attach, "DMA_BUF"); 1052 1053 /** 1054 * dma_buf_attach - Wrapper for dma_buf_dynamic_attach 1055 * @dmabuf: [in] buffer to attach device to. 1056 * @dev: [in] device to be attached. 1057 * 1058 * Wrapper to call dma_buf_dynamic_attach() for drivers which still use a static 1059 * mapping. 1060 */ 1061 struct dma_buf_attachment *dma_buf_attach(struct dma_buf *dmabuf, 1062 struct device *dev) 1063 { 1064 return dma_buf_dynamic_attach(dmabuf, dev, NULL, NULL); 1065 } 1066 EXPORT_SYMBOL_NS_GPL(dma_buf_attach, "DMA_BUF"); 1067 1068 /** 1069 * dma_buf_detach - Remove the given attachment from dmabuf's attachments list 1070 * @dmabuf: [in] buffer to detach from. 1071 * @attach: [in] attachment to be detached; is free'd after this call. 1072 * 1073 * Clean up a device attachment obtained by calling dma_buf_attach(). 1074 * 1075 * Optionally this calls &dma_buf_ops.detach for device-specific detach. 1076 */ 1077 void dma_buf_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attach) 1078 { 1079 if (WARN_ON(!dmabuf || !attach || dmabuf != attach->dmabuf)) 1080 return; 1081 1082 dma_resv_lock(dmabuf->resv, NULL); 1083 list_del(&attach->node); 1084 dma_resv_unlock(dmabuf->resv); 1085 1086 if (dmabuf->ops->detach) 1087 dmabuf->ops->detach(dmabuf, attach); 1088 1089 DMA_BUF_TRACE(trace_dma_buf_detach, dmabuf, attach, 1090 dma_buf_attachment_is_dynamic(attach), attach->dev); 1091 1092 kfree(attach); 1093 } 1094 EXPORT_SYMBOL_NS_GPL(dma_buf_detach, "DMA_BUF"); 1095 1096 /** 1097 * dma_buf_pin - Lock down the DMA-buf 1098 * @attach: [in] attachment which should be pinned 1099 * 1100 * Only dynamic importers (who set up @attach with dma_buf_dynamic_attach()) may 1101 * call this, and only for limited use cases like scanout and not for temporary 1102 * pin operations. It is not permitted to allow userspace to pin arbitrary 1103 * amounts of buffers through this interface. 1104 * 1105 * Buffers must be unpinned by calling dma_buf_unpin(). 1106 * 1107 * Returns: 1108 * 0 on success, negative error code on failure. 1109 */ 1110 int dma_buf_pin(struct dma_buf_attachment *attach) 1111 { 1112 struct dma_buf *dmabuf = attach->dmabuf; 1113 int ret = 0; 1114 1115 WARN_ON(!attach->importer_ops); 1116 1117 dma_resv_assert_held(dmabuf->resv); 1118 1119 if (dmabuf->ops->pin) 1120 ret = dmabuf->ops->pin(attach); 1121 1122 return ret; 1123 } 1124 EXPORT_SYMBOL_NS_GPL(dma_buf_pin, "DMA_BUF"); 1125 1126 /** 1127 * dma_buf_unpin - Unpin a DMA-buf 1128 * @attach: [in] attachment which should be unpinned 1129 * 1130 * This unpins a buffer pinned by dma_buf_pin() and allows the exporter to move 1131 * any mapping of @attach again and inform the importer through 1132 * &dma_buf_attach_ops.invalidate_mappings. 1133 */ 1134 void dma_buf_unpin(struct dma_buf_attachment *attach) 1135 { 1136 struct dma_buf *dmabuf = attach->dmabuf; 1137 1138 WARN_ON(!attach->importer_ops); 1139 1140 dma_resv_assert_held(dmabuf->resv); 1141 1142 if (dmabuf->ops->unpin) 1143 dmabuf->ops->unpin(attach); 1144 } 1145 EXPORT_SYMBOL_NS_GPL(dma_buf_unpin, "DMA_BUF"); 1146 1147 /** 1148 * dma_buf_map_attachment - Returns the scatterlist table of the attachment; 1149 * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the 1150 * dma_buf_ops. 1151 * @attach: [in] attachment whose scatterlist is to be returned 1152 * @direction: [in] direction of DMA transfer 1153 * 1154 * Returns sg_table containing the scatterlist to be returned; returns ERR_PTR 1155 * on error. May return -EINTR if it is interrupted by a signal. 1156 * 1157 * On success, the DMA addresses and lengths in the returned scatterlist are 1158 * PAGE_SIZE aligned. 1159 * 1160 * A mapping must be unmapped by using dma_buf_unmap_attachment(). Note that 1161 * the underlying backing storage is pinned for as long as a mapping exists, 1162 * therefore users/importers should not hold onto a mapping for undue amounts of 1163 * time. 1164 * 1165 * Important: Dynamic importers must wait for the exclusive fence of the struct 1166 * dma_resv attached to the DMA-BUF first. 1167 */ 1168 struct sg_table *dma_buf_map_attachment(struct dma_buf_attachment *attach, 1169 enum dma_data_direction direction) 1170 { 1171 struct sg_table *sg_table; 1172 signed long ret; 1173 1174 might_sleep(); 1175 1176 if (WARN_ON(!attach || !attach->dmabuf)) 1177 return ERR_PTR(-EINVAL); 1178 1179 dma_resv_assert_held(attach->dmabuf->resv); 1180 1181 if (dma_buf_pin_on_map(attach)) { 1182 ret = attach->dmabuf->ops->pin(attach); 1183 /* 1184 * Catch exporters making buffers inaccessible even when 1185 * attachments preventing that exist. 1186 */ 1187 WARN_ON_ONCE(ret == -EBUSY); 1188 if (ret) 1189 return ERR_PTR(ret); 1190 } 1191 1192 sg_table = attach->dmabuf->ops->map_dma_buf(attach, direction); 1193 if (!sg_table) 1194 sg_table = ERR_PTR(-ENOMEM); 1195 if (IS_ERR(sg_table)) 1196 goto error_unpin; 1197 1198 /* 1199 * Importers with static attachments don't wait for fences. 1200 */ 1201 if (!dma_buf_attachment_is_dynamic(attach)) { 1202 ret = dma_resv_wait_timeout(attach->dmabuf->resv, 1203 DMA_RESV_USAGE_KERNEL, true, 1204 MAX_SCHEDULE_TIMEOUT); 1205 if (ret < 0) 1206 goto error_unmap; 1207 } 1208 ret = dma_buf_wrap_sg_table(&sg_table); 1209 if (ret) 1210 goto error_unmap; 1211 1212 if (IS_ENABLED(CONFIG_DMA_API_DEBUG)) { 1213 struct scatterlist *sg; 1214 u64 addr; 1215 int len; 1216 int i; 1217 1218 for_each_sgtable_dma_sg(sg_table, sg, i) { 1219 addr = sg_dma_address(sg); 1220 len = sg_dma_len(sg); 1221 if (!PAGE_ALIGNED(addr) || !PAGE_ALIGNED(len)) { 1222 pr_debug("%s: addr %llx or len %x is not page aligned!\n", 1223 __func__, addr, len); 1224 break; 1225 } 1226 } 1227 } 1228 return sg_table; 1229 1230 error_unmap: 1231 attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction); 1232 sg_table = ERR_PTR(ret); 1233 1234 error_unpin: 1235 if (dma_buf_pin_on_map(attach)) 1236 attach->dmabuf->ops->unpin(attach); 1237 1238 return sg_table; 1239 } 1240 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment, "DMA_BUF"); 1241 1242 /** 1243 * dma_buf_map_attachment_unlocked - Returns the scatterlist table of the attachment; 1244 * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the 1245 * dma_buf_ops. 1246 * @attach: [in] attachment whose scatterlist is to be returned 1247 * @direction: [in] direction of DMA transfer 1248 * 1249 * Unlocked variant of dma_buf_map_attachment(). 1250 */ 1251 struct sg_table * 1252 dma_buf_map_attachment_unlocked(struct dma_buf_attachment *attach, 1253 enum dma_data_direction direction) 1254 { 1255 struct sg_table *sg_table; 1256 1257 might_sleep(); 1258 1259 if (WARN_ON(!attach || !attach->dmabuf)) 1260 return ERR_PTR(-EINVAL); 1261 1262 dma_resv_lock(attach->dmabuf->resv, NULL); 1263 sg_table = dma_buf_map_attachment(attach, direction); 1264 dma_resv_unlock(attach->dmabuf->resv); 1265 1266 return sg_table; 1267 } 1268 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment_unlocked, "DMA_BUF"); 1269 1270 /** 1271 * dma_buf_unmap_attachment - unmaps and decreases usecount of the buffer;might 1272 * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of 1273 * dma_buf_ops. 1274 * @attach: [in] attachment to unmap buffer from 1275 * @sg_table: [in] scatterlist info of the buffer to unmap 1276 * @direction: [in] direction of DMA transfer 1277 * 1278 * This unmaps a DMA mapping for @attached obtained by dma_buf_map_attachment(). 1279 */ 1280 void dma_buf_unmap_attachment(struct dma_buf_attachment *attach, 1281 struct sg_table *sg_table, 1282 enum dma_data_direction direction) 1283 { 1284 might_sleep(); 1285 1286 if (WARN_ON(!attach || !attach->dmabuf || !sg_table)) 1287 return; 1288 1289 dma_resv_assert_held(attach->dmabuf->resv); 1290 1291 dma_buf_unwrap_sg_table(&sg_table); 1292 attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction); 1293 1294 if (dma_buf_pin_on_map(attach)) 1295 attach->dmabuf->ops->unpin(attach); 1296 } 1297 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment, "DMA_BUF"); 1298 1299 /** 1300 * dma_buf_unmap_attachment_unlocked - unmaps and decreases usecount of the buffer;might 1301 * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of 1302 * dma_buf_ops. 1303 * @attach: [in] attachment to unmap buffer from 1304 * @sg_table: [in] scatterlist info of the buffer to unmap 1305 * @direction: [in] direction of DMA transfer 1306 * 1307 * Unlocked variant of dma_buf_unmap_attachment(). 1308 */ 1309 void dma_buf_unmap_attachment_unlocked(struct dma_buf_attachment *attach, 1310 struct sg_table *sg_table, 1311 enum dma_data_direction direction) 1312 { 1313 might_sleep(); 1314 1315 if (WARN_ON(!attach || !attach->dmabuf || !sg_table)) 1316 return; 1317 1318 dma_resv_lock(attach->dmabuf->resv, NULL); 1319 dma_buf_unmap_attachment(attach, sg_table, direction); 1320 dma_resv_unlock(attach->dmabuf->resv); 1321 } 1322 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment_unlocked, "DMA_BUF"); 1323 1324 /** 1325 * dma_buf_attach_revocable - check if a DMA-buf importer implements 1326 * revoke semantics. 1327 * @attach: the DMA-buf attachment to check 1328 * 1329 * Returns true if the DMA-buf importer can support the revoke sequence 1330 * explained in dma_buf_invalidate_mappings() within bounded time. Meaning the 1331 * importer implements invalidate_mappings() and ensures that unmap is called as 1332 * a result. 1333 */ 1334 bool dma_buf_attach_revocable(struct dma_buf_attachment *attach) 1335 { 1336 return attach->importer_ops && 1337 attach->importer_ops->invalidate_mappings; 1338 } 1339 EXPORT_SYMBOL_NS_GPL(dma_buf_attach_revocable, "DMA_BUF"); 1340 1341 /** 1342 * dma_buf_invalidate_mappings - notify attachments that DMA-buf is moving 1343 * 1344 * @dmabuf: [in] buffer which is moving 1345 * 1346 * Informs all attachments that they need to destroy and recreate all their 1347 * mappings. If the attachment is dynamic then the dynamic importer is expected 1348 * to invalidate any caches it has of the mapping result and perform a new 1349 * mapping request before allowing HW to do any further DMA. 1350 * 1351 * If the attachment is pinned then this informs the pinned importer that the 1352 * underlying mapping is no longer available. Pinned importers may take this is 1353 * as a permanent revocation and never establish new mappings so exporters 1354 * should not trigger it lightly. 1355 * 1356 * Upon return importers may continue to access the DMA-buf memory. The caller 1357 * must do two additional waits to ensure that the memory is no longer being 1358 * accessed: 1359 * 1360 * 1) Until dma_resv_wait_timeout() retires fences the importer is allowed to 1361 * fully access the memory. 1362 * 2) Until the importer calls unmap it is allowed to speculatively 1363 * read-and-discard the memory. It must not write to the memory. 1364 * 1365 * A caller wishing to use dma_buf_invalidate_mappings() to fully stop access to 1366 * the DMA-buf must wait for both. Dynamic callers can often use just the first. 1367 * 1368 * All importers providing a invalidate_mappings() op must ensure that unmap is 1369 * called within bounded time after the op. 1370 * 1371 * Pinned importers that do not support a invalidate_mappings() op will 1372 * eventually perform unmap when they are done with the buffer, which may be an 1373 * ubounded time from calling this function. dma_buf_attach_revocable() can be 1374 * used to prevent such importers from attaching. 1375 * 1376 * Importers are free to request a new mapping in parallel as this function 1377 * returns. 1378 */ 1379 void dma_buf_invalidate_mappings(struct dma_buf *dmabuf) 1380 { 1381 struct dma_buf_attachment *attach; 1382 1383 dma_resv_assert_held(dmabuf->resv); 1384 1385 list_for_each_entry(attach, &dmabuf->attachments, node) 1386 if (attach->importer_ops && 1387 attach->importer_ops->invalidate_mappings) 1388 attach->importer_ops->invalidate_mappings(attach); 1389 } 1390 EXPORT_SYMBOL_NS_GPL(dma_buf_invalidate_mappings, "DMA_BUF"); 1391 1392 /** 1393 * DOC: cpu access 1394 * 1395 * There are multiple reasons for supporting CPU access to a dma buffer object: 1396 * 1397 * - Fallback operations in the kernel, for example when a device is connected 1398 * over USB and the kernel needs to shuffle the data around first before 1399 * sending it away. Cache coherency is handled by bracketing any transactions 1400 * with calls to dma_buf_begin_cpu_access() and dma_buf_end_cpu_access() 1401 * access. 1402 * 1403 * Since for most kernel internal dma-buf accesses need the entire buffer, a 1404 * vmap interface is introduced. Note that on very old 32-bit architectures 1405 * vmalloc space might be limited and result in vmap calls failing. 1406 * 1407 * Interfaces: 1408 * 1409 * .. code-block:: c 1410 * 1411 * void *dma_buf_vmap(struct dma_buf *dmabuf, struct iosys_map *map) 1412 * void dma_buf_vunmap(struct dma_buf *dmabuf, struct iosys_map *map) 1413 * 1414 * The vmap call can fail if there is no vmap support in the exporter, or if 1415 * it runs out of vmalloc space. Note that the dma-buf layer keeps a reference 1416 * count for all vmap access and calls down into the exporter's vmap function 1417 * only when no vmapping exists, and only unmaps it once. Protection against 1418 * concurrent vmap/vunmap calls is provided by taking the &dma_buf.lock mutex. 1419 * 1420 * - For full compatibility on the importer side with existing userspace 1421 * interfaces, which might already support mmap'ing buffers. This is needed in 1422 * many processing pipelines (e.g. feeding a software rendered image into a 1423 * hardware pipeline, thumbnail creation, snapshots, ...). Also, Android's ION 1424 * framework already supported this and for DMA buffer file descriptors to 1425 * replace ION buffers mmap support was needed. 1426 * 1427 * There is no special interfaces, userspace simply calls mmap on the dma-buf 1428 * fd. But like for CPU access there's a need to bracket the actual access, 1429 * which is handled by the ioctl (DMA_BUF_IOCTL_SYNC). Note that 1430 * DMA_BUF_IOCTL_SYNC can fail with -EAGAIN or -EINTR, in which case it must 1431 * be restarted. 1432 * 1433 * Some systems might need some sort of cache coherency management e.g. when 1434 * CPU and GPU domains are being accessed through dma-buf at the same time. 1435 * To circumvent this problem there are begin/end coherency markers, that 1436 * forward directly to existing dma-buf device drivers vfunc hooks. Userspace 1437 * can make use of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The 1438 * sequence would be used like following: 1439 * 1440 * - mmap dma-buf fd 1441 * - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write 1442 * to mmap area 3. SYNC_END ioctl. This can be repeated as often as you 1443 * want (with the new data being consumed by say the GPU or the scanout 1444 * device) 1445 * - munmap once you don't need the buffer any more 1446 * 1447 * For correctness and optimal performance, it is always required to use 1448 * SYNC_START and SYNC_END before and after, respectively, when accessing the 1449 * mapped address. Userspace cannot rely on coherent access, even when there 1450 * are systems where it just works without calling these ioctls. 1451 * 1452 * - And as a CPU fallback in userspace processing pipelines. 1453 * 1454 * Similar to the motivation for kernel cpu access it is again important that 1455 * the userspace code of a given importing subsystem can use the same 1456 * interfaces with a imported dma-buf buffer object as with a native buffer 1457 * object. This is especially important for drm where the userspace part of 1458 * contemporary OpenGL, X, and other drivers is huge, and reworking them to 1459 * use a different way to mmap a buffer rather invasive. 1460 * 1461 * The assumption in the current dma-buf interfaces is that redirecting the 1462 * initial mmap is all that's needed. A survey of some of the existing 1463 * subsystems shows that no driver seems to do any nefarious thing like 1464 * syncing up with outstanding asynchronous processing on the device or 1465 * allocating special resources at fault time. So hopefully this is good 1466 * enough, since adding interfaces to intercept pagefaults and allow pte 1467 * shootdowns would increase the complexity quite a bit. 1468 * 1469 * Interface: 1470 * 1471 * .. code-block:: c 1472 * 1473 * int dma_buf_mmap(struct dma_buf *, struct vm_area_struct *, unsigned long); 1474 * 1475 * If the importing subsystem simply provides a special-purpose mmap call to 1476 * set up a mapping in userspace, calling do_mmap with &dma_buf.file will 1477 * equally achieve that for a dma-buf object. 1478 */ 1479 1480 static int __dma_buf_begin_cpu_access(struct dma_buf *dmabuf, 1481 enum dma_data_direction direction) 1482 { 1483 bool write = (direction == DMA_BIDIRECTIONAL || 1484 direction == DMA_TO_DEVICE); 1485 struct dma_resv *resv = dmabuf->resv; 1486 long ret; 1487 1488 /* Wait on any implicit rendering fences */ 1489 ret = dma_resv_wait_timeout(resv, dma_resv_usage_rw(write), 1490 true, MAX_SCHEDULE_TIMEOUT); 1491 if (ret < 0) 1492 return ret; 1493 1494 return 0; 1495 } 1496 1497 /** 1498 * dma_buf_begin_cpu_access - Must be called before accessing a dma_buf from the 1499 * cpu in the kernel context. Calls begin_cpu_access to allow exporter-specific 1500 * preparations. Coherency is only guaranteed in the specified range for the 1501 * specified access direction. 1502 * @dmabuf: [in] buffer to prepare cpu access for. 1503 * @direction: [in] direction of access. 1504 * 1505 * After the cpu access is complete the caller should call 1506 * dma_buf_end_cpu_access(). Only when cpu access is bracketed by both calls is 1507 * it guaranteed to be coherent with other DMA access. 1508 * 1509 * This function will also wait for any DMA transactions tracked through 1510 * implicit synchronization in &dma_buf.resv. For DMA transactions with explicit 1511 * synchronization this function will only ensure cache coherency, callers must 1512 * ensure synchronization with such DMA transactions on their own. 1513 * 1514 * Can return negative error values, returns 0 on success. 1515 */ 1516 int dma_buf_begin_cpu_access(struct dma_buf *dmabuf, 1517 enum dma_data_direction direction) 1518 { 1519 int ret = 0; 1520 1521 if (WARN_ON(!dmabuf)) 1522 return -EINVAL; 1523 1524 might_lock(&dmabuf->resv->lock.base); 1525 1526 if (dmabuf->ops->begin_cpu_access) 1527 ret = dmabuf->ops->begin_cpu_access(dmabuf, direction); 1528 1529 /* Ensure that all fences are waited upon - but we first allow 1530 * the native handler the chance to do so more efficiently if it 1531 * chooses. A double invocation here will be reasonably cheap no-op. 1532 */ 1533 if (ret == 0) 1534 ret = __dma_buf_begin_cpu_access(dmabuf, direction); 1535 1536 return ret; 1537 } 1538 EXPORT_SYMBOL_NS_GPL(dma_buf_begin_cpu_access, "DMA_BUF"); 1539 1540 /** 1541 * dma_buf_end_cpu_access - Must be called after accessing a dma_buf from the 1542 * cpu in the kernel context. Calls end_cpu_access to allow exporter-specific 1543 * actions. Coherency is only guaranteed in the specified range for the 1544 * specified access direction. 1545 * @dmabuf: [in] buffer to complete cpu access for. 1546 * @direction: [in] direction of access. 1547 * 1548 * This terminates CPU access started with dma_buf_begin_cpu_access(). 1549 * 1550 * Can return negative error values, returns 0 on success. 1551 */ 1552 int dma_buf_end_cpu_access(struct dma_buf *dmabuf, 1553 enum dma_data_direction direction) 1554 { 1555 int ret = 0; 1556 1557 WARN_ON(!dmabuf); 1558 1559 might_lock(&dmabuf->resv->lock.base); 1560 1561 if (dmabuf->ops->end_cpu_access) 1562 ret = dmabuf->ops->end_cpu_access(dmabuf, direction); 1563 1564 return ret; 1565 } 1566 EXPORT_SYMBOL_NS_GPL(dma_buf_end_cpu_access, "DMA_BUF"); 1567 1568 1569 /** 1570 * dma_buf_mmap - Setup up a userspace mmap with the given vma 1571 * @dmabuf: [in] buffer that should back the vma 1572 * @vma: [in] vma for the mmap 1573 * @pgoff: [in] offset in pages where this mmap should start within the 1574 * dma-buf buffer. 1575 * 1576 * This function adjusts the passed in vma so that it points at the file of the 1577 * dma_buf operation. It also adjusts the starting pgoff and does bounds 1578 * checking on the size of the vma. Then it calls the exporters mmap function to 1579 * set up the mapping. 1580 * 1581 * Can return negative error values, returns 0 on success. 1582 */ 1583 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma, 1584 unsigned long pgoff) 1585 { 1586 if (WARN_ON(!dmabuf || !vma)) 1587 return -EINVAL; 1588 1589 /* check if buffer supports mmap */ 1590 if (!dmabuf->ops->mmap) 1591 return -EINVAL; 1592 1593 /* check for offset overflow */ 1594 if (pgoff + vma_pages(vma) < pgoff) 1595 return -EOVERFLOW; 1596 1597 /* check for overflowing the buffer's size */ 1598 if (pgoff + vma_pages(vma) > 1599 dmabuf->size >> PAGE_SHIFT) 1600 return -EINVAL; 1601 1602 /* readjust the vma */ 1603 vma_set_file(vma, dmabuf->file); 1604 vma->vm_pgoff = pgoff; 1605 1606 DMA_BUF_TRACE(trace_dma_buf_mmap, dmabuf); 1607 1608 return dmabuf->ops->mmap(dmabuf, vma); 1609 } 1610 EXPORT_SYMBOL_NS_GPL(dma_buf_mmap, "DMA_BUF"); 1611 1612 /** 1613 * dma_buf_vmap - Create virtual mapping for the buffer object into kernel 1614 * address space. Same restrictions as for vmap and friends apply. 1615 * @dmabuf: [in] buffer to vmap 1616 * @map: [out] returns the vmap pointer 1617 * 1618 * This call may fail due to lack of virtual mapping address space. 1619 * These calls are optional in drivers. The intended use for them 1620 * is for mapping objects linear in kernel space for high use objects. 1621 * 1622 * To ensure coherency users must call dma_buf_begin_cpu_access() and 1623 * dma_buf_end_cpu_access() around any cpu access performed through this 1624 * mapping. 1625 * 1626 * Returns 0 on success, or a negative errno code otherwise. 1627 */ 1628 int dma_buf_vmap(struct dma_buf *dmabuf, struct iosys_map *map) 1629 { 1630 struct iosys_map ptr; 1631 int ret; 1632 1633 iosys_map_clear(map); 1634 1635 if (WARN_ON(!dmabuf)) 1636 return -EINVAL; 1637 1638 dma_resv_assert_held(dmabuf->resv); 1639 1640 if (!dmabuf->ops->vmap) 1641 return -EINVAL; 1642 1643 if (dmabuf->vmapping_counter) { 1644 dmabuf->vmapping_counter++; 1645 BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr)); 1646 *map = dmabuf->vmap_ptr; 1647 return 0; 1648 } 1649 1650 BUG_ON(iosys_map_is_set(&dmabuf->vmap_ptr)); 1651 1652 ret = dmabuf->ops->vmap(dmabuf, &ptr); 1653 if (WARN_ON_ONCE(ret)) 1654 return ret; 1655 1656 dmabuf->vmap_ptr = ptr; 1657 dmabuf->vmapping_counter = 1; 1658 1659 *map = dmabuf->vmap_ptr; 1660 1661 return 0; 1662 } 1663 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap, "DMA_BUF"); 1664 1665 /** 1666 * dma_buf_vmap_unlocked - Create virtual mapping for the buffer object into kernel 1667 * address space. Same restrictions as for vmap and friends apply. 1668 * @dmabuf: [in] buffer to vmap 1669 * @map: [out] returns the vmap pointer 1670 * 1671 * Unlocked version of dma_buf_vmap() 1672 * 1673 * Returns 0 on success, or a negative errno code otherwise. 1674 */ 1675 int dma_buf_vmap_unlocked(struct dma_buf *dmabuf, struct iosys_map *map) 1676 { 1677 int ret; 1678 1679 iosys_map_clear(map); 1680 1681 if (WARN_ON(!dmabuf)) 1682 return -EINVAL; 1683 1684 dma_resv_lock(dmabuf->resv, NULL); 1685 ret = dma_buf_vmap(dmabuf, map); 1686 dma_resv_unlock(dmabuf->resv); 1687 1688 return ret; 1689 } 1690 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap_unlocked, "DMA_BUF"); 1691 1692 /** 1693 * dma_buf_vunmap - Unmap a vmap obtained by dma_buf_vmap. 1694 * @dmabuf: [in] buffer to vunmap 1695 * @map: [in] vmap pointer to vunmap 1696 */ 1697 void dma_buf_vunmap(struct dma_buf *dmabuf, struct iosys_map *map) 1698 { 1699 if (WARN_ON(!dmabuf)) 1700 return; 1701 1702 dma_resv_assert_held(dmabuf->resv); 1703 1704 BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr)); 1705 BUG_ON(dmabuf->vmapping_counter == 0); 1706 BUG_ON(!iosys_map_is_equal(&dmabuf->vmap_ptr, map)); 1707 1708 if (--dmabuf->vmapping_counter == 0) { 1709 if (dmabuf->ops->vunmap) 1710 dmabuf->ops->vunmap(dmabuf, map); 1711 iosys_map_clear(&dmabuf->vmap_ptr); 1712 } 1713 } 1714 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap, "DMA_BUF"); 1715 1716 /** 1717 * dma_buf_vunmap_unlocked - Unmap a vmap obtained by dma_buf_vmap. 1718 * @dmabuf: [in] buffer to vunmap 1719 * @map: [in] vmap pointer to vunmap 1720 */ 1721 void dma_buf_vunmap_unlocked(struct dma_buf *dmabuf, struct iosys_map *map) 1722 { 1723 if (WARN_ON(!dmabuf)) 1724 return; 1725 1726 dma_resv_lock(dmabuf->resv, NULL); 1727 dma_buf_vunmap(dmabuf, map); 1728 dma_resv_unlock(dmabuf->resv); 1729 } 1730 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap_unlocked, "DMA_BUF"); 1731 1732 #ifdef CONFIG_DEBUG_FS 1733 static int dma_buf_debug_show(struct seq_file *s, void *unused) 1734 { 1735 struct dma_buf *buf_obj; 1736 struct dma_buf_attachment *attach_obj; 1737 int count = 0, attach_count; 1738 size_t size = 0; 1739 int ret; 1740 1741 ret = mutex_lock_interruptible(&dmabuf_list_mutex); 1742 1743 if (ret) 1744 return ret; 1745 1746 seq_puts(s, "\nDma-buf Objects:\n"); 1747 seq_printf(s, "%-8s\t%-8s\t%-8s\t%-8s\texp_name\t%-8s\tname\n", 1748 "size", "flags", "mode", "count", "ino"); 1749 1750 list_for_each_entry(buf_obj, &dmabuf_list, list_node) { 1751 1752 ret = dma_resv_lock_interruptible(buf_obj->resv, NULL); 1753 if (ret) 1754 goto error_unlock; 1755 1756 1757 spin_lock(&buf_obj->name_lock); 1758 seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08llu\t%s\n", 1759 buf_obj->size, 1760 buf_obj->file->f_flags, buf_obj->file->f_mode, 1761 file_count(buf_obj->file), 1762 buf_obj->exp_name, 1763 file_inode(buf_obj->file)->i_ino, 1764 buf_obj->name ?: "<none>"); 1765 spin_unlock(&buf_obj->name_lock); 1766 1767 dma_resv_describe(buf_obj->resv, s); 1768 1769 seq_puts(s, "\tAttached Devices:\n"); 1770 attach_count = 0; 1771 1772 list_for_each_entry(attach_obj, &buf_obj->attachments, node) { 1773 seq_printf(s, "\t%s\n", dev_name(attach_obj->dev)); 1774 attach_count++; 1775 } 1776 dma_resv_unlock(buf_obj->resv); 1777 1778 seq_printf(s, "Total %d devices attached\n\n", 1779 attach_count); 1780 1781 count++; 1782 size += buf_obj->size; 1783 } 1784 1785 seq_printf(s, "\nTotal %d objects, %zu bytes\n", count, size); 1786 1787 mutex_unlock(&dmabuf_list_mutex); 1788 return 0; 1789 1790 error_unlock: 1791 mutex_unlock(&dmabuf_list_mutex); 1792 return ret; 1793 } 1794 1795 DEFINE_SHOW_ATTRIBUTE(dma_buf_debug); 1796 1797 static struct dentry *dma_buf_debugfs_dir; 1798 1799 static int dma_buf_init_debugfs(void) 1800 { 1801 struct dentry *d; 1802 int err = 0; 1803 1804 d = debugfs_create_dir("dma_buf", NULL); 1805 if (IS_ERR(d)) 1806 return PTR_ERR(d); 1807 1808 dma_buf_debugfs_dir = d; 1809 1810 d = debugfs_create_file("bufinfo", 0444, dma_buf_debugfs_dir, 1811 NULL, &dma_buf_debug_fops); 1812 if (IS_ERR(d)) { 1813 pr_debug("dma_buf: debugfs: failed to create node bufinfo\n"); 1814 debugfs_remove_recursive(dma_buf_debugfs_dir); 1815 dma_buf_debugfs_dir = NULL; 1816 err = PTR_ERR(d); 1817 } 1818 1819 return err; 1820 } 1821 1822 static void dma_buf_uninit_debugfs(void) 1823 { 1824 debugfs_remove_recursive(dma_buf_debugfs_dir); 1825 } 1826 #else 1827 static inline int dma_buf_init_debugfs(void) 1828 { 1829 return 0; 1830 } 1831 static inline void dma_buf_uninit_debugfs(void) 1832 { 1833 } 1834 #endif 1835 1836 static int __init dma_buf_init(void) 1837 { 1838 dma_buf_mnt = kern_mount(&dma_buf_fs_type); 1839 if (IS_ERR(dma_buf_mnt)) 1840 return PTR_ERR(dma_buf_mnt); 1841 1842 dma_buf_init_debugfs(); 1843 return 0; 1844 } 1845 subsys_initcall(dma_buf_init); 1846 1847 static void __exit dma_buf_deinit(void) 1848 { 1849 dma_buf_uninit_debugfs(); 1850 kern_unmount(dma_buf_mnt); 1851 } 1852 __exitcall(dma_buf_deinit); 1853