xref: /linux/drivers/dma-buf/dma-buf.c (revision e58e871becec2d3b04ed91c0c16fe8deac9c9dfa)
1 /*
2  * Framework for buffer objects that can be shared across devices/subsystems.
3  *
4  * Copyright(C) 2011 Linaro Limited. All rights reserved.
5  * Author: Sumit Semwal <sumit.semwal@ti.com>
6  *
7  * Many thanks to linaro-mm-sig list, and specially
8  * Arnd Bergmann <arnd@arndb.de>, Rob Clark <rob@ti.com> and
9  * Daniel Vetter <daniel@ffwll.ch> for their support in creation and
10  * refining of this idea.
11  *
12  * This program is free software; you can redistribute it and/or modify it
13  * under the terms of the GNU General Public License version 2 as published by
14  * the Free Software Foundation.
15  *
16  * This program is distributed in the hope that it will be useful, but WITHOUT
17  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
18  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
19  * more details.
20  *
21  * You should have received a copy of the GNU General Public License along with
22  * this program.  If not, see <http://www.gnu.org/licenses/>.
23  */
24 
25 #include <linux/fs.h>
26 #include <linux/slab.h>
27 #include <linux/dma-buf.h>
28 #include <linux/dma-fence.h>
29 #include <linux/anon_inodes.h>
30 #include <linux/export.h>
31 #include <linux/debugfs.h>
32 #include <linux/module.h>
33 #include <linux/seq_file.h>
34 #include <linux/poll.h>
35 #include <linux/reservation.h>
36 #include <linux/mm.h>
37 
38 #include <uapi/linux/dma-buf.h>
39 
40 static inline int is_dma_buf_file(struct file *);
41 
42 struct dma_buf_list {
43 	struct list_head head;
44 	struct mutex lock;
45 };
46 
47 static struct dma_buf_list db_list;
48 
49 static int dma_buf_release(struct inode *inode, struct file *file)
50 {
51 	struct dma_buf *dmabuf;
52 
53 	if (!is_dma_buf_file(file))
54 		return -EINVAL;
55 
56 	dmabuf = file->private_data;
57 
58 	BUG_ON(dmabuf->vmapping_counter);
59 
60 	/*
61 	 * Any fences that a dma-buf poll can wait on should be signaled
62 	 * before releasing dma-buf. This is the responsibility of each
63 	 * driver that uses the reservation objects.
64 	 *
65 	 * If you hit this BUG() it means someone dropped their ref to the
66 	 * dma-buf while still having pending operation to the buffer.
67 	 */
68 	BUG_ON(dmabuf->cb_shared.active || dmabuf->cb_excl.active);
69 
70 	dmabuf->ops->release(dmabuf);
71 
72 	mutex_lock(&db_list.lock);
73 	list_del(&dmabuf->list_node);
74 	mutex_unlock(&db_list.lock);
75 
76 	if (dmabuf->resv == (struct reservation_object *)&dmabuf[1])
77 		reservation_object_fini(dmabuf->resv);
78 
79 	module_put(dmabuf->owner);
80 	kfree(dmabuf);
81 	return 0;
82 }
83 
84 static int dma_buf_mmap_internal(struct file *file, struct vm_area_struct *vma)
85 {
86 	struct dma_buf *dmabuf;
87 
88 	if (!is_dma_buf_file(file))
89 		return -EINVAL;
90 
91 	dmabuf = file->private_data;
92 
93 	/* check for overflowing the buffer's size */
94 	if (vma->vm_pgoff + vma_pages(vma) >
95 	    dmabuf->size >> PAGE_SHIFT)
96 		return -EINVAL;
97 
98 	return dmabuf->ops->mmap(dmabuf, vma);
99 }
100 
101 static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
102 {
103 	struct dma_buf *dmabuf;
104 	loff_t base;
105 
106 	if (!is_dma_buf_file(file))
107 		return -EBADF;
108 
109 	dmabuf = file->private_data;
110 
111 	/* only support discovering the end of the buffer,
112 	   but also allow SEEK_SET to maintain the idiomatic
113 	   SEEK_END(0), SEEK_CUR(0) pattern */
114 	if (whence == SEEK_END)
115 		base = dmabuf->size;
116 	else if (whence == SEEK_SET)
117 		base = 0;
118 	else
119 		return -EINVAL;
120 
121 	if (offset != 0)
122 		return -EINVAL;
123 
124 	return base + offset;
125 }
126 
127 /**
128  * DOC: fence polling
129  *
130  * To support cross-device and cross-driver synchronization of buffer access
131  * implicit fences (represented internally in the kernel with &struct fence) can
132  * be attached to a &dma_buf. The glue for that and a few related things are
133  * provided in the &reservation_object structure.
134  *
135  * Userspace can query the state of these implicitly tracked fences using poll()
136  * and related system calls:
137  *
138  * - Checking for POLLIN, i.e. read access, can be use to query the state of the
139  *   most recent write or exclusive fence.
140  *
141  * - Checking for POLLOUT, i.e. write access, can be used to query the state of
142  *   all attached fences, shared and exclusive ones.
143  *
144  * Note that this only signals the completion of the respective fences, i.e. the
145  * DMA transfers are complete. Cache flushing and any other necessary
146  * preparations before CPU access can begin still need to happen.
147  */
148 
149 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
150 {
151 	struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
152 	unsigned long flags;
153 
154 	spin_lock_irqsave(&dcb->poll->lock, flags);
155 	wake_up_locked_poll(dcb->poll, dcb->active);
156 	dcb->active = 0;
157 	spin_unlock_irqrestore(&dcb->poll->lock, flags);
158 }
159 
160 static unsigned int dma_buf_poll(struct file *file, poll_table *poll)
161 {
162 	struct dma_buf *dmabuf;
163 	struct reservation_object *resv;
164 	struct reservation_object_list *fobj;
165 	struct dma_fence *fence_excl;
166 	unsigned long events;
167 	unsigned shared_count, seq;
168 
169 	dmabuf = file->private_data;
170 	if (!dmabuf || !dmabuf->resv)
171 		return POLLERR;
172 
173 	resv = dmabuf->resv;
174 
175 	poll_wait(file, &dmabuf->poll, poll);
176 
177 	events = poll_requested_events(poll) & (POLLIN | POLLOUT);
178 	if (!events)
179 		return 0;
180 
181 retry:
182 	seq = read_seqcount_begin(&resv->seq);
183 	rcu_read_lock();
184 
185 	fobj = rcu_dereference(resv->fence);
186 	if (fobj)
187 		shared_count = fobj->shared_count;
188 	else
189 		shared_count = 0;
190 	fence_excl = rcu_dereference(resv->fence_excl);
191 	if (read_seqcount_retry(&resv->seq, seq)) {
192 		rcu_read_unlock();
193 		goto retry;
194 	}
195 
196 	if (fence_excl && (!(events & POLLOUT) || shared_count == 0)) {
197 		struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_excl;
198 		unsigned long pevents = POLLIN;
199 
200 		if (shared_count == 0)
201 			pevents |= POLLOUT;
202 
203 		spin_lock_irq(&dmabuf->poll.lock);
204 		if (dcb->active) {
205 			dcb->active |= pevents;
206 			events &= ~pevents;
207 		} else
208 			dcb->active = pevents;
209 		spin_unlock_irq(&dmabuf->poll.lock);
210 
211 		if (events & pevents) {
212 			if (!dma_fence_get_rcu(fence_excl)) {
213 				/* force a recheck */
214 				events &= ~pevents;
215 				dma_buf_poll_cb(NULL, &dcb->cb);
216 			} else if (!dma_fence_add_callback(fence_excl, &dcb->cb,
217 							   dma_buf_poll_cb)) {
218 				events &= ~pevents;
219 				dma_fence_put(fence_excl);
220 			} else {
221 				/*
222 				 * No callback queued, wake up any additional
223 				 * waiters.
224 				 */
225 				dma_fence_put(fence_excl);
226 				dma_buf_poll_cb(NULL, &dcb->cb);
227 			}
228 		}
229 	}
230 
231 	if ((events & POLLOUT) && shared_count > 0) {
232 		struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_shared;
233 		int i;
234 
235 		/* Only queue a new callback if no event has fired yet */
236 		spin_lock_irq(&dmabuf->poll.lock);
237 		if (dcb->active)
238 			events &= ~POLLOUT;
239 		else
240 			dcb->active = POLLOUT;
241 		spin_unlock_irq(&dmabuf->poll.lock);
242 
243 		if (!(events & POLLOUT))
244 			goto out;
245 
246 		for (i = 0; i < shared_count; ++i) {
247 			struct dma_fence *fence = rcu_dereference(fobj->shared[i]);
248 
249 			if (!dma_fence_get_rcu(fence)) {
250 				/*
251 				 * fence refcount dropped to zero, this means
252 				 * that fobj has been freed
253 				 *
254 				 * call dma_buf_poll_cb and force a recheck!
255 				 */
256 				events &= ~POLLOUT;
257 				dma_buf_poll_cb(NULL, &dcb->cb);
258 				break;
259 			}
260 			if (!dma_fence_add_callback(fence, &dcb->cb,
261 						    dma_buf_poll_cb)) {
262 				dma_fence_put(fence);
263 				events &= ~POLLOUT;
264 				break;
265 			}
266 			dma_fence_put(fence);
267 		}
268 
269 		/* No callback queued, wake up any additional waiters. */
270 		if (i == shared_count)
271 			dma_buf_poll_cb(NULL, &dcb->cb);
272 	}
273 
274 out:
275 	rcu_read_unlock();
276 	return events;
277 }
278 
279 static long dma_buf_ioctl(struct file *file,
280 			  unsigned int cmd, unsigned long arg)
281 {
282 	struct dma_buf *dmabuf;
283 	struct dma_buf_sync sync;
284 	enum dma_data_direction direction;
285 	int ret;
286 
287 	dmabuf = file->private_data;
288 
289 	switch (cmd) {
290 	case DMA_BUF_IOCTL_SYNC:
291 		if (copy_from_user(&sync, (void __user *) arg, sizeof(sync)))
292 			return -EFAULT;
293 
294 		if (sync.flags & ~DMA_BUF_SYNC_VALID_FLAGS_MASK)
295 			return -EINVAL;
296 
297 		switch (sync.flags & DMA_BUF_SYNC_RW) {
298 		case DMA_BUF_SYNC_READ:
299 			direction = DMA_FROM_DEVICE;
300 			break;
301 		case DMA_BUF_SYNC_WRITE:
302 			direction = DMA_TO_DEVICE;
303 			break;
304 		case DMA_BUF_SYNC_RW:
305 			direction = DMA_BIDIRECTIONAL;
306 			break;
307 		default:
308 			return -EINVAL;
309 		}
310 
311 		if (sync.flags & DMA_BUF_SYNC_END)
312 			ret = dma_buf_end_cpu_access(dmabuf, direction);
313 		else
314 			ret = dma_buf_begin_cpu_access(dmabuf, direction);
315 
316 		return ret;
317 	default:
318 		return -ENOTTY;
319 	}
320 }
321 
322 static const struct file_operations dma_buf_fops = {
323 	.release	= dma_buf_release,
324 	.mmap		= dma_buf_mmap_internal,
325 	.llseek		= dma_buf_llseek,
326 	.poll		= dma_buf_poll,
327 	.unlocked_ioctl	= dma_buf_ioctl,
328 #ifdef CONFIG_COMPAT
329 	.compat_ioctl	= dma_buf_ioctl,
330 #endif
331 };
332 
333 /*
334  * is_dma_buf_file - Check if struct file* is associated with dma_buf
335  */
336 static inline int is_dma_buf_file(struct file *file)
337 {
338 	return file->f_op == &dma_buf_fops;
339 }
340 
341 /**
342  * DOC: dma buf device access
343  *
344  * For device DMA access to a shared DMA buffer the usual sequence of operations
345  * is fairly simple:
346  *
347  * 1. The exporter defines his exporter instance using
348  *    DEFINE_DMA_BUF_EXPORT_INFO() and calls dma_buf_export() to wrap a private
349  *    buffer object into a &dma_buf. It then exports that &dma_buf to userspace
350  *    as a file descriptor by calling dma_buf_fd().
351  *
352  * 2. Userspace passes this file-descriptors to all drivers it wants this buffer
353  *    to share with: First the filedescriptor is converted to a &dma_buf using
354  *    dma_buf_get(). The the buffer is attached to the device using
355  *    dma_buf_attach().
356  *
357  *    Up to this stage the exporter is still free to migrate or reallocate the
358  *    backing storage.
359  *
360  * 3. Once the buffer is attached to all devices userspace can inniate DMA
361  *    access to the shared buffer. In the kernel this is done by calling
362  *    dma_buf_map_attachment() and dma_buf_unmap_attachment().
363  *
364  * 4. Once a driver is done with a shared buffer it needs to call
365  *    dma_buf_detach() (after cleaning up any mappings) and then release the
366  *    reference acquired with dma_buf_get by calling dma_buf_put().
367  *
368  * For the detailed semantics exporters are expected to implement see
369  * &dma_buf_ops.
370  */
371 
372 /**
373  * dma_buf_export - Creates a new dma_buf, and associates an anon file
374  * with this buffer, so it can be exported.
375  * Also connect the allocator specific data and ops to the buffer.
376  * Additionally, provide a name string for exporter; useful in debugging.
377  *
378  * @exp_info:	[in]	holds all the export related information provided
379  *			by the exporter. see &struct dma_buf_export_info
380  *			for further details.
381  *
382  * Returns, on success, a newly created dma_buf object, which wraps the
383  * supplied private data and operations for dma_buf_ops. On either missing
384  * ops, or error in allocating struct dma_buf, will return negative error.
385  *
386  * For most cases the easiest way to create @exp_info is through the
387  * %DEFINE_DMA_BUF_EXPORT_INFO macro.
388  */
389 struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
390 {
391 	struct dma_buf *dmabuf;
392 	struct reservation_object *resv = exp_info->resv;
393 	struct file *file;
394 	size_t alloc_size = sizeof(struct dma_buf);
395 	int ret;
396 
397 	if (!exp_info->resv)
398 		alloc_size += sizeof(struct reservation_object);
399 	else
400 		/* prevent &dma_buf[1] == dma_buf->resv */
401 		alloc_size += 1;
402 
403 	if (WARN_ON(!exp_info->priv
404 			  || !exp_info->ops
405 			  || !exp_info->ops->map_dma_buf
406 			  || !exp_info->ops->unmap_dma_buf
407 			  || !exp_info->ops->release
408 			  || !exp_info->ops->map_atomic
409 			  || !exp_info->ops->map
410 			  || !exp_info->ops->mmap)) {
411 		return ERR_PTR(-EINVAL);
412 	}
413 
414 	if (!try_module_get(exp_info->owner))
415 		return ERR_PTR(-ENOENT);
416 
417 	dmabuf = kzalloc(alloc_size, GFP_KERNEL);
418 	if (!dmabuf) {
419 		ret = -ENOMEM;
420 		goto err_module;
421 	}
422 
423 	dmabuf->priv = exp_info->priv;
424 	dmabuf->ops = exp_info->ops;
425 	dmabuf->size = exp_info->size;
426 	dmabuf->exp_name = exp_info->exp_name;
427 	dmabuf->owner = exp_info->owner;
428 	init_waitqueue_head(&dmabuf->poll);
429 	dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll;
430 	dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0;
431 
432 	if (!resv) {
433 		resv = (struct reservation_object *)&dmabuf[1];
434 		reservation_object_init(resv);
435 	}
436 	dmabuf->resv = resv;
437 
438 	file = anon_inode_getfile("dmabuf", &dma_buf_fops, dmabuf,
439 					exp_info->flags);
440 	if (IS_ERR(file)) {
441 		ret = PTR_ERR(file);
442 		goto err_dmabuf;
443 	}
444 
445 	file->f_mode |= FMODE_LSEEK;
446 	dmabuf->file = file;
447 
448 	mutex_init(&dmabuf->lock);
449 	INIT_LIST_HEAD(&dmabuf->attachments);
450 
451 	mutex_lock(&db_list.lock);
452 	list_add(&dmabuf->list_node, &db_list.head);
453 	mutex_unlock(&db_list.lock);
454 
455 	return dmabuf;
456 
457 err_dmabuf:
458 	kfree(dmabuf);
459 err_module:
460 	module_put(exp_info->owner);
461 	return ERR_PTR(ret);
462 }
463 EXPORT_SYMBOL_GPL(dma_buf_export);
464 
465 /**
466  * dma_buf_fd - returns a file descriptor for the given dma_buf
467  * @dmabuf:	[in]	pointer to dma_buf for which fd is required.
468  * @flags:      [in]    flags to give to fd
469  *
470  * On success, returns an associated 'fd'. Else, returns error.
471  */
472 int dma_buf_fd(struct dma_buf *dmabuf, int flags)
473 {
474 	int fd;
475 
476 	if (!dmabuf || !dmabuf->file)
477 		return -EINVAL;
478 
479 	fd = get_unused_fd_flags(flags);
480 	if (fd < 0)
481 		return fd;
482 
483 	fd_install(fd, dmabuf->file);
484 
485 	return fd;
486 }
487 EXPORT_SYMBOL_GPL(dma_buf_fd);
488 
489 /**
490  * dma_buf_get - returns the dma_buf structure related to an fd
491  * @fd:	[in]	fd associated with the dma_buf to be returned
492  *
493  * On success, returns the dma_buf structure associated with an fd; uses
494  * file's refcounting done by fget to increase refcount. returns ERR_PTR
495  * otherwise.
496  */
497 struct dma_buf *dma_buf_get(int fd)
498 {
499 	struct file *file;
500 
501 	file = fget(fd);
502 
503 	if (!file)
504 		return ERR_PTR(-EBADF);
505 
506 	if (!is_dma_buf_file(file)) {
507 		fput(file);
508 		return ERR_PTR(-EINVAL);
509 	}
510 
511 	return file->private_data;
512 }
513 EXPORT_SYMBOL_GPL(dma_buf_get);
514 
515 /**
516  * dma_buf_put - decreases refcount of the buffer
517  * @dmabuf:	[in]	buffer to reduce refcount of
518  *
519  * Uses file's refcounting done implicitly by fput().
520  *
521  * If, as a result of this call, the refcount becomes 0, the 'release' file
522  * operation related to this fd is called. It calls &dma_buf_ops.release vfunc
523  * in turn, and frees the memory allocated for dmabuf when exported.
524  */
525 void dma_buf_put(struct dma_buf *dmabuf)
526 {
527 	if (WARN_ON(!dmabuf || !dmabuf->file))
528 		return;
529 
530 	fput(dmabuf->file);
531 }
532 EXPORT_SYMBOL_GPL(dma_buf_put);
533 
534 /**
535  * dma_buf_attach - Add the device to dma_buf's attachments list; optionally,
536  * calls attach() of dma_buf_ops to allow device-specific attach functionality
537  * @dmabuf:	[in]	buffer to attach device to.
538  * @dev:	[in]	device to be attached.
539  *
540  * Returns struct dma_buf_attachment pointer for this attachment. Attachments
541  * must be cleaned up by calling dma_buf_detach().
542  *
543  * Returns:
544  *
545  * A pointer to newly created &dma_buf_attachment on success, or a negative
546  * error code wrapped into a pointer on failure.
547  *
548  * Note that this can fail if the backing storage of @dmabuf is in a place not
549  * accessible to @dev, and cannot be moved to a more suitable place. This is
550  * indicated with the error code -EBUSY.
551  */
552 struct dma_buf_attachment *dma_buf_attach(struct dma_buf *dmabuf,
553 					  struct device *dev)
554 {
555 	struct dma_buf_attachment *attach;
556 	int ret;
557 
558 	if (WARN_ON(!dmabuf || !dev))
559 		return ERR_PTR(-EINVAL);
560 
561 	attach = kzalloc(sizeof(struct dma_buf_attachment), GFP_KERNEL);
562 	if (attach == NULL)
563 		return ERR_PTR(-ENOMEM);
564 
565 	attach->dev = dev;
566 	attach->dmabuf = dmabuf;
567 
568 	mutex_lock(&dmabuf->lock);
569 
570 	if (dmabuf->ops->attach) {
571 		ret = dmabuf->ops->attach(dmabuf, dev, attach);
572 		if (ret)
573 			goto err_attach;
574 	}
575 	list_add(&attach->node, &dmabuf->attachments);
576 
577 	mutex_unlock(&dmabuf->lock);
578 	return attach;
579 
580 err_attach:
581 	kfree(attach);
582 	mutex_unlock(&dmabuf->lock);
583 	return ERR_PTR(ret);
584 }
585 EXPORT_SYMBOL_GPL(dma_buf_attach);
586 
587 /**
588  * dma_buf_detach - Remove the given attachment from dmabuf's attachments list;
589  * optionally calls detach() of dma_buf_ops for device-specific detach
590  * @dmabuf:	[in]	buffer to detach from.
591  * @attach:	[in]	attachment to be detached; is free'd after this call.
592  *
593  * Clean up a device attachment obtained by calling dma_buf_attach().
594  */
595 void dma_buf_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attach)
596 {
597 	if (WARN_ON(!dmabuf || !attach))
598 		return;
599 
600 	mutex_lock(&dmabuf->lock);
601 	list_del(&attach->node);
602 	if (dmabuf->ops->detach)
603 		dmabuf->ops->detach(dmabuf, attach);
604 
605 	mutex_unlock(&dmabuf->lock);
606 	kfree(attach);
607 }
608 EXPORT_SYMBOL_GPL(dma_buf_detach);
609 
610 /**
611  * dma_buf_map_attachment - Returns the scatterlist table of the attachment;
612  * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the
613  * dma_buf_ops.
614  * @attach:	[in]	attachment whose scatterlist is to be returned
615  * @direction:	[in]	direction of DMA transfer
616  *
617  * Returns sg_table containing the scatterlist to be returned; returns ERR_PTR
618  * on error. May return -EINTR if it is interrupted by a signal.
619  *
620  * A mapping must be unmapped again using dma_buf_map_attachment(). Note that
621  * the underlying backing storage is pinned for as long as a mapping exists,
622  * therefore users/importers should not hold onto a mapping for undue amounts of
623  * time.
624  */
625 struct sg_table *dma_buf_map_attachment(struct dma_buf_attachment *attach,
626 					enum dma_data_direction direction)
627 {
628 	struct sg_table *sg_table = ERR_PTR(-EINVAL);
629 
630 	might_sleep();
631 
632 	if (WARN_ON(!attach || !attach->dmabuf))
633 		return ERR_PTR(-EINVAL);
634 
635 	sg_table = attach->dmabuf->ops->map_dma_buf(attach, direction);
636 	if (!sg_table)
637 		sg_table = ERR_PTR(-ENOMEM);
638 
639 	return sg_table;
640 }
641 EXPORT_SYMBOL_GPL(dma_buf_map_attachment);
642 
643 /**
644  * dma_buf_unmap_attachment - unmaps and decreases usecount of the buffer;might
645  * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of
646  * dma_buf_ops.
647  * @attach:	[in]	attachment to unmap buffer from
648  * @sg_table:	[in]	scatterlist info of the buffer to unmap
649  * @direction:  [in]    direction of DMA transfer
650  *
651  * This unmaps a DMA mapping for @attached obtained by dma_buf_map_attachment().
652  */
653 void dma_buf_unmap_attachment(struct dma_buf_attachment *attach,
654 				struct sg_table *sg_table,
655 				enum dma_data_direction direction)
656 {
657 	might_sleep();
658 
659 	if (WARN_ON(!attach || !attach->dmabuf || !sg_table))
660 		return;
661 
662 	attach->dmabuf->ops->unmap_dma_buf(attach, sg_table,
663 						direction);
664 }
665 EXPORT_SYMBOL_GPL(dma_buf_unmap_attachment);
666 
667 /**
668  * DOC: cpu access
669  *
670  * There are mutliple reasons for supporting CPU access to a dma buffer object:
671  *
672  * - Fallback operations in the kernel, for example when a device is connected
673  *   over USB and the kernel needs to shuffle the data around first before
674  *   sending it away. Cache coherency is handled by braketing any transactions
675  *   with calls to dma_buf_begin_cpu_access() and dma_buf_end_cpu_access()
676  *   access.
677  *
678  *   To support dma_buf objects residing in highmem cpu access is page-based
679  *   using an api similar to kmap. Accessing a dma_buf is done in aligned chunks
680  *   of PAGE_SIZE size. Before accessing a chunk it needs to be mapped, which
681  *   returns a pointer in kernel virtual address space. Afterwards the chunk
682  *   needs to be unmapped again. There is no limit on how often a given chunk
683  *   can be mapped and unmapped, i.e. the importer does not need to call
684  *   begin_cpu_access again before mapping the same chunk again.
685  *
686  *   Interfaces::
687  *      void \*dma_buf_kmap(struct dma_buf \*, unsigned long);
688  *      void dma_buf_kunmap(struct dma_buf \*, unsigned long, void \*);
689  *
690  *   There are also atomic variants of these interfaces. Like for kmap they
691  *   facilitate non-blocking fast-paths. Neither the importer nor the exporter
692  *   (in the callback) is allowed to block when using these.
693  *
694  *   Interfaces::
695  *      void \*dma_buf_kmap_atomic(struct dma_buf \*, unsigned long);
696  *      void dma_buf_kunmap_atomic(struct dma_buf \*, unsigned long, void \*);
697  *
698  *   For importers all the restrictions of using kmap apply, like the limited
699  *   supply of kmap_atomic slots. Hence an importer shall only hold onto at
700  *   max 2 atomic dma_buf kmaps at the same time (in any given process context).
701  *
702  *   dma_buf kmap calls outside of the range specified in begin_cpu_access are
703  *   undefined. If the range is not PAGE_SIZE aligned, kmap needs to succeed on
704  *   the partial chunks at the beginning and end but may return stale or bogus
705  *   data outside of the range (in these partial chunks).
706  *
707  *   Note that these calls need to always succeed. The exporter needs to
708  *   complete any preparations that might fail in begin_cpu_access.
709  *
710  *   For some cases the overhead of kmap can be too high, a vmap interface
711  *   is introduced. This interface should be used very carefully, as vmalloc
712  *   space is a limited resources on many architectures.
713  *
714  *   Interfaces::
715  *      void \*dma_buf_vmap(struct dma_buf \*dmabuf)
716  *      void dma_buf_vunmap(struct dma_buf \*dmabuf, void \*vaddr)
717  *
718  *   The vmap call can fail if there is no vmap support in the exporter, or if
719  *   it runs out of vmalloc space. Fallback to kmap should be implemented. Note
720  *   that the dma-buf layer keeps a reference count for all vmap access and
721  *   calls down into the exporter's vmap function only when no vmapping exists,
722  *   and only unmaps it once. Protection against concurrent vmap/vunmap calls is
723  *   provided by taking the dma_buf->lock mutex.
724  *
725  * - For full compatibility on the importer side with existing userspace
726  *   interfaces, which might already support mmap'ing buffers. This is needed in
727  *   many processing pipelines (e.g. feeding a software rendered image into a
728  *   hardware pipeline, thumbnail creation, snapshots, ...). Also, Android's ION
729  *   framework already supported this and for DMA buffer file descriptors to
730  *   replace ION buffers mmap support was needed.
731  *
732  *   There is no special interfaces, userspace simply calls mmap on the dma-buf
733  *   fd. But like for CPU access there's a need to braket the actual access,
734  *   which is handled by the ioctl (DMA_BUF_IOCTL_SYNC). Note that
735  *   DMA_BUF_IOCTL_SYNC can fail with -EAGAIN or -EINTR, in which case it must
736  *   be restarted.
737  *
738  *   Some systems might need some sort of cache coherency management e.g. when
739  *   CPU and GPU domains are being accessed through dma-buf at the same time.
740  *   To circumvent this problem there are begin/end coherency markers, that
741  *   forward directly to existing dma-buf device drivers vfunc hooks. Userspace
742  *   can make use of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The
743  *   sequence would be used like following:
744  *
745  *     - mmap dma-buf fd
746  *     - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write
747  *       to mmap area 3. SYNC_END ioctl. This can be repeated as often as you
748  *       want (with the new data being consumed by say the GPU or the scanout
749  *       device)
750  *     - munmap once you don't need the buffer any more
751  *
752  *    For correctness and optimal performance, it is always required to use
753  *    SYNC_START and SYNC_END before and after, respectively, when accessing the
754  *    mapped address. Userspace cannot rely on coherent access, even when there
755  *    are systems where it just works without calling these ioctls.
756  *
757  * - And as a CPU fallback in userspace processing pipelines.
758  *
759  *   Similar to the motivation for kernel cpu access it is again important that
760  *   the userspace code of a given importing subsystem can use the same
761  *   interfaces with a imported dma-buf buffer object as with a native buffer
762  *   object. This is especially important for drm where the userspace part of
763  *   contemporary OpenGL, X, and other drivers is huge, and reworking them to
764  *   use a different way to mmap a buffer rather invasive.
765  *
766  *   The assumption in the current dma-buf interfaces is that redirecting the
767  *   initial mmap is all that's needed. A survey of some of the existing
768  *   subsystems shows that no driver seems to do any nefarious thing like
769  *   syncing up with outstanding asynchronous processing on the device or
770  *   allocating special resources at fault time. So hopefully this is good
771  *   enough, since adding interfaces to intercept pagefaults and allow pte
772  *   shootdowns would increase the complexity quite a bit.
773  *
774  *   Interface::
775  *      int dma_buf_mmap(struct dma_buf \*, struct vm_area_struct \*,
776  *		       unsigned long);
777  *
778  *   If the importing subsystem simply provides a special-purpose mmap call to
779  *   set up a mapping in userspace, calling do_mmap with dma_buf->file will
780  *   equally achieve that for a dma-buf object.
781  */
782 
783 static int __dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
784 				      enum dma_data_direction direction)
785 {
786 	bool write = (direction == DMA_BIDIRECTIONAL ||
787 		      direction == DMA_TO_DEVICE);
788 	struct reservation_object *resv = dmabuf->resv;
789 	long ret;
790 
791 	/* Wait on any implicit rendering fences */
792 	ret = reservation_object_wait_timeout_rcu(resv, write, true,
793 						  MAX_SCHEDULE_TIMEOUT);
794 	if (ret < 0)
795 		return ret;
796 
797 	return 0;
798 }
799 
800 /**
801  * dma_buf_begin_cpu_access - Must be called before accessing a dma_buf from the
802  * cpu in the kernel context. Calls begin_cpu_access to allow exporter-specific
803  * preparations. Coherency is only guaranteed in the specified range for the
804  * specified access direction.
805  * @dmabuf:	[in]	buffer to prepare cpu access for.
806  * @direction:	[in]	length of range for cpu access.
807  *
808  * After the cpu access is complete the caller should call
809  * dma_buf_end_cpu_access(). Only when cpu access is braketed by both calls is
810  * it guaranteed to be coherent with other DMA access.
811  *
812  * Can return negative error values, returns 0 on success.
813  */
814 int dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
815 			     enum dma_data_direction direction)
816 {
817 	int ret = 0;
818 
819 	if (WARN_ON(!dmabuf))
820 		return -EINVAL;
821 
822 	if (dmabuf->ops->begin_cpu_access)
823 		ret = dmabuf->ops->begin_cpu_access(dmabuf, direction);
824 
825 	/* Ensure that all fences are waited upon - but we first allow
826 	 * the native handler the chance to do so more efficiently if it
827 	 * chooses. A double invocation here will be reasonably cheap no-op.
828 	 */
829 	if (ret == 0)
830 		ret = __dma_buf_begin_cpu_access(dmabuf, direction);
831 
832 	return ret;
833 }
834 EXPORT_SYMBOL_GPL(dma_buf_begin_cpu_access);
835 
836 /**
837  * dma_buf_end_cpu_access - Must be called after accessing a dma_buf from the
838  * cpu in the kernel context. Calls end_cpu_access to allow exporter-specific
839  * actions. Coherency is only guaranteed in the specified range for the
840  * specified access direction.
841  * @dmabuf:	[in]	buffer to complete cpu access for.
842  * @direction:	[in]	length of range for cpu access.
843  *
844  * This terminates CPU access started with dma_buf_begin_cpu_access().
845  *
846  * Can return negative error values, returns 0 on success.
847  */
848 int dma_buf_end_cpu_access(struct dma_buf *dmabuf,
849 			   enum dma_data_direction direction)
850 {
851 	int ret = 0;
852 
853 	WARN_ON(!dmabuf);
854 
855 	if (dmabuf->ops->end_cpu_access)
856 		ret = dmabuf->ops->end_cpu_access(dmabuf, direction);
857 
858 	return ret;
859 }
860 EXPORT_SYMBOL_GPL(dma_buf_end_cpu_access);
861 
862 /**
863  * dma_buf_kmap_atomic - Map a page of the buffer object into kernel address
864  * space. The same restrictions as for kmap_atomic and friends apply.
865  * @dmabuf:	[in]	buffer to map page from.
866  * @page_num:	[in]	page in PAGE_SIZE units to map.
867  *
868  * This call must always succeed, any necessary preparations that might fail
869  * need to be done in begin_cpu_access.
870  */
871 void *dma_buf_kmap_atomic(struct dma_buf *dmabuf, unsigned long page_num)
872 {
873 	WARN_ON(!dmabuf);
874 
875 	return dmabuf->ops->map_atomic(dmabuf, page_num);
876 }
877 EXPORT_SYMBOL_GPL(dma_buf_kmap_atomic);
878 
879 /**
880  * dma_buf_kunmap_atomic - Unmap a page obtained by dma_buf_kmap_atomic.
881  * @dmabuf:	[in]	buffer to unmap page from.
882  * @page_num:	[in]	page in PAGE_SIZE units to unmap.
883  * @vaddr:	[in]	kernel space pointer obtained from dma_buf_kmap_atomic.
884  *
885  * This call must always succeed.
886  */
887 void dma_buf_kunmap_atomic(struct dma_buf *dmabuf, unsigned long page_num,
888 			   void *vaddr)
889 {
890 	WARN_ON(!dmabuf);
891 
892 	if (dmabuf->ops->unmap_atomic)
893 		dmabuf->ops->unmap_atomic(dmabuf, page_num, vaddr);
894 }
895 EXPORT_SYMBOL_GPL(dma_buf_kunmap_atomic);
896 
897 /**
898  * dma_buf_kmap - Map a page of the buffer object into kernel address space. The
899  * same restrictions as for kmap and friends apply.
900  * @dmabuf:	[in]	buffer to map page from.
901  * @page_num:	[in]	page in PAGE_SIZE units to map.
902  *
903  * This call must always succeed, any necessary preparations that might fail
904  * need to be done in begin_cpu_access.
905  */
906 void *dma_buf_kmap(struct dma_buf *dmabuf, unsigned long page_num)
907 {
908 	WARN_ON(!dmabuf);
909 
910 	return dmabuf->ops->map(dmabuf, page_num);
911 }
912 EXPORT_SYMBOL_GPL(dma_buf_kmap);
913 
914 /**
915  * dma_buf_kunmap - Unmap a page obtained by dma_buf_kmap.
916  * @dmabuf:	[in]	buffer to unmap page from.
917  * @page_num:	[in]	page in PAGE_SIZE units to unmap.
918  * @vaddr:	[in]	kernel space pointer obtained from dma_buf_kmap.
919  *
920  * This call must always succeed.
921  */
922 void dma_buf_kunmap(struct dma_buf *dmabuf, unsigned long page_num,
923 		    void *vaddr)
924 {
925 	WARN_ON(!dmabuf);
926 
927 	if (dmabuf->ops->unmap)
928 		dmabuf->ops->unmap(dmabuf, page_num, vaddr);
929 }
930 EXPORT_SYMBOL_GPL(dma_buf_kunmap);
931 
932 
933 /**
934  * dma_buf_mmap - Setup up a userspace mmap with the given vma
935  * @dmabuf:	[in]	buffer that should back the vma
936  * @vma:	[in]	vma for the mmap
937  * @pgoff:	[in]	offset in pages where this mmap should start within the
938  *			dma-buf buffer.
939  *
940  * This function adjusts the passed in vma so that it points at the file of the
941  * dma_buf operation. It also adjusts the starting pgoff and does bounds
942  * checking on the size of the vma. Then it calls the exporters mmap function to
943  * set up the mapping.
944  *
945  * Can return negative error values, returns 0 on success.
946  */
947 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
948 		 unsigned long pgoff)
949 {
950 	struct file *oldfile;
951 	int ret;
952 
953 	if (WARN_ON(!dmabuf || !vma))
954 		return -EINVAL;
955 
956 	/* check for offset overflow */
957 	if (pgoff + vma_pages(vma) < pgoff)
958 		return -EOVERFLOW;
959 
960 	/* check for overflowing the buffer's size */
961 	if (pgoff + vma_pages(vma) >
962 	    dmabuf->size >> PAGE_SHIFT)
963 		return -EINVAL;
964 
965 	/* readjust the vma */
966 	get_file(dmabuf->file);
967 	oldfile = vma->vm_file;
968 	vma->vm_file = dmabuf->file;
969 	vma->vm_pgoff = pgoff;
970 
971 	ret = dmabuf->ops->mmap(dmabuf, vma);
972 	if (ret) {
973 		/* restore old parameters on failure */
974 		vma->vm_file = oldfile;
975 		fput(dmabuf->file);
976 	} else {
977 		if (oldfile)
978 			fput(oldfile);
979 	}
980 	return ret;
981 
982 }
983 EXPORT_SYMBOL_GPL(dma_buf_mmap);
984 
985 /**
986  * dma_buf_vmap - Create virtual mapping for the buffer object into kernel
987  * address space. Same restrictions as for vmap and friends apply.
988  * @dmabuf:	[in]	buffer to vmap
989  *
990  * This call may fail due to lack of virtual mapping address space.
991  * These calls are optional in drivers. The intended use for them
992  * is for mapping objects linear in kernel space for high use objects.
993  * Please attempt to use kmap/kunmap before thinking about these interfaces.
994  *
995  * Returns NULL on error.
996  */
997 void *dma_buf_vmap(struct dma_buf *dmabuf)
998 {
999 	void *ptr;
1000 
1001 	if (WARN_ON(!dmabuf))
1002 		return NULL;
1003 
1004 	if (!dmabuf->ops->vmap)
1005 		return NULL;
1006 
1007 	mutex_lock(&dmabuf->lock);
1008 	if (dmabuf->vmapping_counter) {
1009 		dmabuf->vmapping_counter++;
1010 		BUG_ON(!dmabuf->vmap_ptr);
1011 		ptr = dmabuf->vmap_ptr;
1012 		goto out_unlock;
1013 	}
1014 
1015 	BUG_ON(dmabuf->vmap_ptr);
1016 
1017 	ptr = dmabuf->ops->vmap(dmabuf);
1018 	if (WARN_ON_ONCE(IS_ERR(ptr)))
1019 		ptr = NULL;
1020 	if (!ptr)
1021 		goto out_unlock;
1022 
1023 	dmabuf->vmap_ptr = ptr;
1024 	dmabuf->vmapping_counter = 1;
1025 
1026 out_unlock:
1027 	mutex_unlock(&dmabuf->lock);
1028 	return ptr;
1029 }
1030 EXPORT_SYMBOL_GPL(dma_buf_vmap);
1031 
1032 /**
1033  * dma_buf_vunmap - Unmap a vmap obtained by dma_buf_vmap.
1034  * @dmabuf:	[in]	buffer to vunmap
1035  * @vaddr:	[in]	vmap to vunmap
1036  */
1037 void dma_buf_vunmap(struct dma_buf *dmabuf, void *vaddr)
1038 {
1039 	if (WARN_ON(!dmabuf))
1040 		return;
1041 
1042 	BUG_ON(!dmabuf->vmap_ptr);
1043 	BUG_ON(dmabuf->vmapping_counter == 0);
1044 	BUG_ON(dmabuf->vmap_ptr != vaddr);
1045 
1046 	mutex_lock(&dmabuf->lock);
1047 	if (--dmabuf->vmapping_counter == 0) {
1048 		if (dmabuf->ops->vunmap)
1049 			dmabuf->ops->vunmap(dmabuf, vaddr);
1050 		dmabuf->vmap_ptr = NULL;
1051 	}
1052 	mutex_unlock(&dmabuf->lock);
1053 }
1054 EXPORT_SYMBOL_GPL(dma_buf_vunmap);
1055 
1056 #ifdef CONFIG_DEBUG_FS
1057 static int dma_buf_debug_show(struct seq_file *s, void *unused)
1058 {
1059 	int ret;
1060 	struct dma_buf *buf_obj;
1061 	struct dma_buf_attachment *attach_obj;
1062 	struct reservation_object *robj;
1063 	struct reservation_object_list *fobj;
1064 	struct dma_fence *fence;
1065 	unsigned seq;
1066 	int count = 0, attach_count, shared_count, i;
1067 	size_t size = 0;
1068 
1069 	ret = mutex_lock_interruptible(&db_list.lock);
1070 
1071 	if (ret)
1072 		return ret;
1073 
1074 	seq_puts(s, "\nDma-buf Objects:\n");
1075 	seq_printf(s, "%-8s\t%-8s\t%-8s\t%-8s\texp_name\n",
1076 		   "size", "flags", "mode", "count");
1077 
1078 	list_for_each_entry(buf_obj, &db_list.head, list_node) {
1079 		ret = mutex_lock_interruptible(&buf_obj->lock);
1080 
1081 		if (ret) {
1082 			seq_puts(s,
1083 				 "\tERROR locking buffer object: skipping\n");
1084 			continue;
1085 		}
1086 
1087 		seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\n",
1088 				buf_obj->size,
1089 				buf_obj->file->f_flags, buf_obj->file->f_mode,
1090 				file_count(buf_obj->file),
1091 				buf_obj->exp_name);
1092 
1093 		robj = buf_obj->resv;
1094 		while (true) {
1095 			seq = read_seqcount_begin(&robj->seq);
1096 			rcu_read_lock();
1097 			fobj = rcu_dereference(robj->fence);
1098 			shared_count = fobj ? fobj->shared_count : 0;
1099 			fence = rcu_dereference(robj->fence_excl);
1100 			if (!read_seqcount_retry(&robj->seq, seq))
1101 				break;
1102 			rcu_read_unlock();
1103 		}
1104 
1105 		if (fence)
1106 			seq_printf(s, "\tExclusive fence: %s %s %ssignalled\n",
1107 				   fence->ops->get_driver_name(fence),
1108 				   fence->ops->get_timeline_name(fence),
1109 				   dma_fence_is_signaled(fence) ? "" : "un");
1110 		for (i = 0; i < shared_count; i++) {
1111 			fence = rcu_dereference(fobj->shared[i]);
1112 			if (!dma_fence_get_rcu(fence))
1113 				continue;
1114 			seq_printf(s, "\tShared fence: %s %s %ssignalled\n",
1115 				   fence->ops->get_driver_name(fence),
1116 				   fence->ops->get_timeline_name(fence),
1117 				   dma_fence_is_signaled(fence) ? "" : "un");
1118 		}
1119 		rcu_read_unlock();
1120 
1121 		seq_puts(s, "\tAttached Devices:\n");
1122 		attach_count = 0;
1123 
1124 		list_for_each_entry(attach_obj, &buf_obj->attachments, node) {
1125 			seq_puts(s, "\t");
1126 
1127 			seq_printf(s, "%s\n", dev_name(attach_obj->dev));
1128 			attach_count++;
1129 		}
1130 
1131 		seq_printf(s, "Total %d devices attached\n\n",
1132 				attach_count);
1133 
1134 		count++;
1135 		size += buf_obj->size;
1136 		mutex_unlock(&buf_obj->lock);
1137 	}
1138 
1139 	seq_printf(s, "\nTotal %d objects, %zu bytes\n", count, size);
1140 
1141 	mutex_unlock(&db_list.lock);
1142 	return 0;
1143 }
1144 
1145 static int dma_buf_debug_open(struct inode *inode, struct file *file)
1146 {
1147 	return single_open(file, dma_buf_debug_show, NULL);
1148 }
1149 
1150 static const struct file_operations dma_buf_debug_fops = {
1151 	.open           = dma_buf_debug_open,
1152 	.read           = seq_read,
1153 	.llseek         = seq_lseek,
1154 	.release        = single_release,
1155 };
1156 
1157 static struct dentry *dma_buf_debugfs_dir;
1158 
1159 static int dma_buf_init_debugfs(void)
1160 {
1161 	struct dentry *d;
1162 	int err = 0;
1163 
1164 	d = debugfs_create_dir("dma_buf", NULL);
1165 	if (IS_ERR(d))
1166 		return PTR_ERR(d);
1167 
1168 	dma_buf_debugfs_dir = d;
1169 
1170 	d = debugfs_create_file("bufinfo", S_IRUGO, dma_buf_debugfs_dir,
1171 				NULL, &dma_buf_debug_fops);
1172 	if (IS_ERR(d)) {
1173 		pr_debug("dma_buf: debugfs: failed to create node bufinfo\n");
1174 		debugfs_remove_recursive(dma_buf_debugfs_dir);
1175 		dma_buf_debugfs_dir = NULL;
1176 		err = PTR_ERR(d);
1177 	}
1178 
1179 	return err;
1180 }
1181 
1182 static void dma_buf_uninit_debugfs(void)
1183 {
1184 	if (dma_buf_debugfs_dir)
1185 		debugfs_remove_recursive(dma_buf_debugfs_dir);
1186 }
1187 #else
1188 static inline int dma_buf_init_debugfs(void)
1189 {
1190 	return 0;
1191 }
1192 static inline void dma_buf_uninit_debugfs(void)
1193 {
1194 }
1195 #endif
1196 
1197 static int __init dma_buf_init(void)
1198 {
1199 	mutex_init(&db_list.lock);
1200 	INIT_LIST_HEAD(&db_list.head);
1201 	dma_buf_init_debugfs();
1202 	return 0;
1203 }
1204 subsys_initcall(dma_buf_init);
1205 
1206 static void __exit dma_buf_deinit(void)
1207 {
1208 	dma_buf_uninit_debugfs();
1209 }
1210 __exitcall(dma_buf_deinit);
1211