xref: /linux/drivers/dma-buf/dma-buf.c (revision fc6dfd5547794b0bf10790576a9d97443d975439)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Framework for buffer objects that can be shared across devices/subsystems.
4  *
5  * Copyright(C) 2011 Linaro Limited. All rights reserved.
6  * Author: Sumit Semwal <sumit.semwal@ti.com>
7  *
8  * Many thanks to linaro-mm-sig list, and specially
9  * Arnd Bergmann <arnd@arndb.de>, Rob Clark <rob@ti.com> and
10  * Daniel Vetter <daniel@ffwll.ch> for their support in creation and
11  * refining of this idea.
12  */
13 
14 #include <linux/fs.h>
15 #include <linux/slab.h>
16 #include <linux/dma-buf.h>
17 #include <linux/dma-fence.h>
18 #include <linux/anon_inodes.h>
19 #include <linux/export.h>
20 #include <linux/debugfs.h>
21 #include <linux/module.h>
22 #include <linux/seq_file.h>
23 #include <linux/sync_file.h>
24 #include <linux/poll.h>
25 #include <linux/dma-resv.h>
26 #include <linux/mm.h>
27 #include <linux/mount.h>
28 #include <linux/pseudo_fs.h>
29 
30 #include <uapi/linux/dma-buf.h>
31 #include <uapi/linux/magic.h>
32 
33 #include "dma-buf-sysfs-stats.h"
34 
35 static inline int is_dma_buf_file(struct file *);
36 
37 struct dma_buf_list {
38 	struct list_head head;
39 	struct mutex lock;
40 };
41 
42 static struct dma_buf_list db_list;
43 
44 static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen)
45 {
46 	struct dma_buf *dmabuf;
47 	char name[DMA_BUF_NAME_LEN];
48 	size_t ret = 0;
49 
50 	dmabuf = dentry->d_fsdata;
51 	spin_lock(&dmabuf->name_lock);
52 	if (dmabuf->name)
53 		ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN);
54 	spin_unlock(&dmabuf->name_lock);
55 
56 	return dynamic_dname(buffer, buflen, "/%s:%s",
57 			     dentry->d_name.name, ret > 0 ? name : "");
58 }
59 
60 static void dma_buf_release(struct dentry *dentry)
61 {
62 	struct dma_buf *dmabuf;
63 
64 	dmabuf = dentry->d_fsdata;
65 	if (unlikely(!dmabuf))
66 		return;
67 
68 	BUG_ON(dmabuf->vmapping_counter);
69 
70 	/*
71 	 * If you hit this BUG() it could mean:
72 	 * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else
73 	 * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback
74 	 */
75 	BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
76 
77 	dma_buf_stats_teardown(dmabuf);
78 	dmabuf->ops->release(dmabuf);
79 
80 	if (dmabuf->resv == (struct dma_resv *)&dmabuf[1])
81 		dma_resv_fini(dmabuf->resv);
82 
83 	WARN_ON(!list_empty(&dmabuf->attachments));
84 	module_put(dmabuf->owner);
85 	kfree(dmabuf->name);
86 	kfree(dmabuf);
87 }
88 
89 static int dma_buf_file_release(struct inode *inode, struct file *file)
90 {
91 	struct dma_buf *dmabuf;
92 
93 	if (!is_dma_buf_file(file))
94 		return -EINVAL;
95 
96 	dmabuf = file->private_data;
97 
98 	mutex_lock(&db_list.lock);
99 	list_del(&dmabuf->list_node);
100 	mutex_unlock(&db_list.lock);
101 
102 	return 0;
103 }
104 
105 static const struct dentry_operations dma_buf_dentry_ops = {
106 	.d_dname = dmabuffs_dname,
107 	.d_release = dma_buf_release,
108 };
109 
110 static struct vfsmount *dma_buf_mnt;
111 
112 static int dma_buf_fs_init_context(struct fs_context *fc)
113 {
114 	struct pseudo_fs_context *ctx;
115 
116 	ctx = init_pseudo(fc, DMA_BUF_MAGIC);
117 	if (!ctx)
118 		return -ENOMEM;
119 	ctx->dops = &dma_buf_dentry_ops;
120 	return 0;
121 }
122 
123 static struct file_system_type dma_buf_fs_type = {
124 	.name = "dmabuf",
125 	.init_fs_context = dma_buf_fs_init_context,
126 	.kill_sb = kill_anon_super,
127 };
128 
129 static int dma_buf_mmap_internal(struct file *file, struct vm_area_struct *vma)
130 {
131 	struct dma_buf *dmabuf;
132 
133 	if (!is_dma_buf_file(file))
134 		return -EINVAL;
135 
136 	dmabuf = file->private_data;
137 
138 	/* check if buffer supports mmap */
139 	if (!dmabuf->ops->mmap)
140 		return -EINVAL;
141 
142 	/* check for overflowing the buffer's size */
143 	if (vma->vm_pgoff + vma_pages(vma) >
144 	    dmabuf->size >> PAGE_SHIFT)
145 		return -EINVAL;
146 
147 	return dmabuf->ops->mmap(dmabuf, vma);
148 }
149 
150 static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
151 {
152 	struct dma_buf *dmabuf;
153 	loff_t base;
154 
155 	if (!is_dma_buf_file(file))
156 		return -EBADF;
157 
158 	dmabuf = file->private_data;
159 
160 	/* only support discovering the end of the buffer,
161 	   but also allow SEEK_SET to maintain the idiomatic
162 	   SEEK_END(0), SEEK_CUR(0) pattern */
163 	if (whence == SEEK_END)
164 		base = dmabuf->size;
165 	else if (whence == SEEK_SET)
166 		base = 0;
167 	else
168 		return -EINVAL;
169 
170 	if (offset != 0)
171 		return -EINVAL;
172 
173 	return base + offset;
174 }
175 
176 /**
177  * DOC: implicit fence polling
178  *
179  * To support cross-device and cross-driver synchronization of buffer access
180  * implicit fences (represented internally in the kernel with &struct dma_fence)
181  * can be attached to a &dma_buf. The glue for that and a few related things are
182  * provided in the &dma_resv structure.
183  *
184  * Userspace can query the state of these implicitly tracked fences using poll()
185  * and related system calls:
186  *
187  * - Checking for EPOLLIN, i.e. read access, can be use to query the state of the
188  *   most recent write or exclusive fence.
189  *
190  * - Checking for EPOLLOUT, i.e. write access, can be used to query the state of
191  *   all attached fences, shared and exclusive ones.
192  *
193  * Note that this only signals the completion of the respective fences, i.e. the
194  * DMA transfers are complete. Cache flushing and any other necessary
195  * preparations before CPU access can begin still need to happen.
196  *
197  * As an alternative to poll(), the set of fences on DMA buffer can be
198  * exported as a &sync_file using &dma_buf_sync_file_export.
199  */
200 
201 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
202 {
203 	struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
204 	struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll);
205 	unsigned long flags;
206 
207 	spin_lock_irqsave(&dcb->poll->lock, flags);
208 	wake_up_locked_poll(dcb->poll, dcb->active);
209 	dcb->active = 0;
210 	spin_unlock_irqrestore(&dcb->poll->lock, flags);
211 	dma_fence_put(fence);
212 	/* Paired with get_file in dma_buf_poll */
213 	fput(dmabuf->file);
214 }
215 
216 static bool dma_buf_poll_add_cb(struct dma_resv *resv, bool write,
217 				struct dma_buf_poll_cb_t *dcb)
218 {
219 	struct dma_resv_iter cursor;
220 	struct dma_fence *fence;
221 	int r;
222 
223 	dma_resv_for_each_fence(&cursor, resv, dma_resv_usage_rw(write),
224 				fence) {
225 		dma_fence_get(fence);
226 		r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb);
227 		if (!r)
228 			return true;
229 		dma_fence_put(fence);
230 	}
231 
232 	return false;
233 }
234 
235 static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
236 {
237 	struct dma_buf *dmabuf;
238 	struct dma_resv *resv;
239 	__poll_t events;
240 
241 	dmabuf = file->private_data;
242 	if (!dmabuf || !dmabuf->resv)
243 		return EPOLLERR;
244 
245 	resv = dmabuf->resv;
246 
247 	poll_wait(file, &dmabuf->poll, poll);
248 
249 	events = poll_requested_events(poll) & (EPOLLIN | EPOLLOUT);
250 	if (!events)
251 		return 0;
252 
253 	dma_resv_lock(resv, NULL);
254 
255 	if (events & EPOLLOUT) {
256 		struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_out;
257 
258 		/* Check that callback isn't busy */
259 		spin_lock_irq(&dmabuf->poll.lock);
260 		if (dcb->active)
261 			events &= ~EPOLLOUT;
262 		else
263 			dcb->active = EPOLLOUT;
264 		spin_unlock_irq(&dmabuf->poll.lock);
265 
266 		if (events & EPOLLOUT) {
267 			/* Paired with fput in dma_buf_poll_cb */
268 			get_file(dmabuf->file);
269 
270 			if (!dma_buf_poll_add_cb(resv, true, dcb))
271 				/* No callback queued, wake up any other waiters */
272 				dma_buf_poll_cb(NULL, &dcb->cb);
273 			else
274 				events &= ~EPOLLOUT;
275 		}
276 	}
277 
278 	if (events & EPOLLIN) {
279 		struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_in;
280 
281 		/* Check that callback isn't busy */
282 		spin_lock_irq(&dmabuf->poll.lock);
283 		if (dcb->active)
284 			events &= ~EPOLLIN;
285 		else
286 			dcb->active = EPOLLIN;
287 		spin_unlock_irq(&dmabuf->poll.lock);
288 
289 		if (events & EPOLLIN) {
290 			/* Paired with fput in dma_buf_poll_cb */
291 			get_file(dmabuf->file);
292 
293 			if (!dma_buf_poll_add_cb(resv, false, dcb))
294 				/* No callback queued, wake up any other waiters */
295 				dma_buf_poll_cb(NULL, &dcb->cb);
296 			else
297 				events &= ~EPOLLIN;
298 		}
299 	}
300 
301 	dma_resv_unlock(resv);
302 	return events;
303 }
304 
305 /**
306  * dma_buf_set_name - Set a name to a specific dma_buf to track the usage.
307  * It could support changing the name of the dma-buf if the same
308  * piece of memory is used for multiple purpose between different devices.
309  *
310  * @dmabuf: [in]     dmabuf buffer that will be renamed.
311  * @buf:    [in]     A piece of userspace memory that contains the name of
312  *                   the dma-buf.
313  *
314  * Returns 0 on success. If the dma-buf buffer is already attached to
315  * devices, return -EBUSY.
316  *
317  */
318 static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf)
319 {
320 	char *name = strndup_user(buf, DMA_BUF_NAME_LEN);
321 
322 	if (IS_ERR(name))
323 		return PTR_ERR(name);
324 
325 	spin_lock(&dmabuf->name_lock);
326 	kfree(dmabuf->name);
327 	dmabuf->name = name;
328 	spin_unlock(&dmabuf->name_lock);
329 
330 	return 0;
331 }
332 
333 #if IS_ENABLED(CONFIG_SYNC_FILE)
334 static long dma_buf_export_sync_file(struct dma_buf *dmabuf,
335 				     void __user *user_data)
336 {
337 	struct dma_buf_export_sync_file arg;
338 	enum dma_resv_usage usage;
339 	struct dma_fence *fence = NULL;
340 	struct sync_file *sync_file;
341 	int fd, ret;
342 
343 	if (copy_from_user(&arg, user_data, sizeof(arg)))
344 		return -EFAULT;
345 
346 	if (arg.flags & ~DMA_BUF_SYNC_RW)
347 		return -EINVAL;
348 
349 	if ((arg.flags & DMA_BUF_SYNC_RW) == 0)
350 		return -EINVAL;
351 
352 	fd = get_unused_fd_flags(O_CLOEXEC);
353 	if (fd < 0)
354 		return fd;
355 
356 	usage = dma_resv_usage_rw(arg.flags & DMA_BUF_SYNC_WRITE);
357 	ret = dma_resv_get_singleton(dmabuf->resv, usage, &fence);
358 	if (ret)
359 		goto err_put_fd;
360 
361 	if (!fence)
362 		fence = dma_fence_get_stub();
363 
364 	sync_file = sync_file_create(fence);
365 
366 	dma_fence_put(fence);
367 
368 	if (!sync_file) {
369 		ret = -ENOMEM;
370 		goto err_put_fd;
371 	}
372 
373 	arg.fd = fd;
374 	if (copy_to_user(user_data, &arg, sizeof(arg))) {
375 		ret = -EFAULT;
376 		goto err_put_file;
377 	}
378 
379 	fd_install(fd, sync_file->file);
380 
381 	return 0;
382 
383 err_put_file:
384 	fput(sync_file->file);
385 err_put_fd:
386 	put_unused_fd(fd);
387 	return ret;
388 }
389 
390 static long dma_buf_import_sync_file(struct dma_buf *dmabuf,
391 				     const void __user *user_data)
392 {
393 	struct dma_buf_import_sync_file arg;
394 	struct dma_fence *fence;
395 	enum dma_resv_usage usage;
396 	int ret = 0;
397 
398 	if (copy_from_user(&arg, user_data, sizeof(arg)))
399 		return -EFAULT;
400 
401 	if (arg.flags & ~DMA_BUF_SYNC_RW)
402 		return -EINVAL;
403 
404 	if ((arg.flags & DMA_BUF_SYNC_RW) == 0)
405 		return -EINVAL;
406 
407 	fence = sync_file_get_fence(arg.fd);
408 	if (!fence)
409 		return -EINVAL;
410 
411 	usage = (arg.flags & DMA_BUF_SYNC_WRITE) ? DMA_RESV_USAGE_WRITE :
412 						   DMA_RESV_USAGE_READ;
413 
414 	dma_resv_lock(dmabuf->resv, NULL);
415 
416 	ret = dma_resv_reserve_fences(dmabuf->resv, 1);
417 	if (!ret)
418 		dma_resv_add_fence(dmabuf->resv, fence, usage);
419 
420 	dma_resv_unlock(dmabuf->resv);
421 
422 	dma_fence_put(fence);
423 
424 	return ret;
425 }
426 #endif
427 
428 static long dma_buf_ioctl(struct file *file,
429 			  unsigned int cmd, unsigned long arg)
430 {
431 	struct dma_buf *dmabuf;
432 	struct dma_buf_sync sync;
433 	enum dma_data_direction direction;
434 	int ret;
435 
436 	dmabuf = file->private_data;
437 
438 	switch (cmd) {
439 	case DMA_BUF_IOCTL_SYNC:
440 		if (copy_from_user(&sync, (void __user *) arg, sizeof(sync)))
441 			return -EFAULT;
442 
443 		if (sync.flags & ~DMA_BUF_SYNC_VALID_FLAGS_MASK)
444 			return -EINVAL;
445 
446 		switch (sync.flags & DMA_BUF_SYNC_RW) {
447 		case DMA_BUF_SYNC_READ:
448 			direction = DMA_FROM_DEVICE;
449 			break;
450 		case DMA_BUF_SYNC_WRITE:
451 			direction = DMA_TO_DEVICE;
452 			break;
453 		case DMA_BUF_SYNC_RW:
454 			direction = DMA_BIDIRECTIONAL;
455 			break;
456 		default:
457 			return -EINVAL;
458 		}
459 
460 		if (sync.flags & DMA_BUF_SYNC_END)
461 			ret = dma_buf_end_cpu_access(dmabuf, direction);
462 		else
463 			ret = dma_buf_begin_cpu_access(dmabuf, direction);
464 
465 		return ret;
466 
467 	case DMA_BUF_SET_NAME_A:
468 	case DMA_BUF_SET_NAME_B:
469 		return dma_buf_set_name(dmabuf, (const char __user *)arg);
470 
471 #if IS_ENABLED(CONFIG_SYNC_FILE)
472 	case DMA_BUF_IOCTL_EXPORT_SYNC_FILE:
473 		return dma_buf_export_sync_file(dmabuf, (void __user *)arg);
474 	case DMA_BUF_IOCTL_IMPORT_SYNC_FILE:
475 		return dma_buf_import_sync_file(dmabuf, (const void __user *)arg);
476 #endif
477 
478 	default:
479 		return -ENOTTY;
480 	}
481 }
482 
483 static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file)
484 {
485 	struct dma_buf *dmabuf = file->private_data;
486 
487 	seq_printf(m, "size:\t%zu\n", dmabuf->size);
488 	/* Don't count the temporary reference taken inside procfs seq_show */
489 	seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1);
490 	seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name);
491 	spin_lock(&dmabuf->name_lock);
492 	if (dmabuf->name)
493 		seq_printf(m, "name:\t%s\n", dmabuf->name);
494 	spin_unlock(&dmabuf->name_lock);
495 }
496 
497 static const struct file_operations dma_buf_fops = {
498 	.release	= dma_buf_file_release,
499 	.mmap		= dma_buf_mmap_internal,
500 	.llseek		= dma_buf_llseek,
501 	.poll		= dma_buf_poll,
502 	.unlocked_ioctl	= dma_buf_ioctl,
503 	.compat_ioctl	= compat_ptr_ioctl,
504 	.show_fdinfo	= dma_buf_show_fdinfo,
505 };
506 
507 /*
508  * is_dma_buf_file - Check if struct file* is associated with dma_buf
509  */
510 static inline int is_dma_buf_file(struct file *file)
511 {
512 	return file->f_op == &dma_buf_fops;
513 }
514 
515 static struct file *dma_buf_getfile(struct dma_buf *dmabuf, int flags)
516 {
517 	static atomic64_t dmabuf_inode = ATOMIC64_INIT(0);
518 	struct file *file;
519 	struct inode *inode = alloc_anon_inode(dma_buf_mnt->mnt_sb);
520 
521 	if (IS_ERR(inode))
522 		return ERR_CAST(inode);
523 
524 	inode->i_size = dmabuf->size;
525 	inode_set_bytes(inode, dmabuf->size);
526 
527 	/*
528 	 * The ->i_ino acquired from get_next_ino() is not unique thus
529 	 * not suitable for using it as dentry name by dmabuf stats.
530 	 * Override ->i_ino with the unique and dmabuffs specific
531 	 * value.
532 	 */
533 	inode->i_ino = atomic64_add_return(1, &dmabuf_inode);
534 	flags &= O_ACCMODE | O_NONBLOCK;
535 	file = alloc_file_pseudo(inode, dma_buf_mnt, "dmabuf",
536 				 flags, &dma_buf_fops);
537 	if (IS_ERR(file))
538 		goto err_alloc_file;
539 	file->private_data = dmabuf;
540 	file->f_path.dentry->d_fsdata = dmabuf;
541 
542 	return file;
543 
544 err_alloc_file:
545 	iput(inode);
546 	return file;
547 }
548 
549 /**
550  * DOC: dma buf device access
551  *
552  * For device DMA access to a shared DMA buffer the usual sequence of operations
553  * is fairly simple:
554  *
555  * 1. The exporter defines his exporter instance using
556  *    DEFINE_DMA_BUF_EXPORT_INFO() and calls dma_buf_export() to wrap a private
557  *    buffer object into a &dma_buf. It then exports that &dma_buf to userspace
558  *    as a file descriptor by calling dma_buf_fd().
559  *
560  * 2. Userspace passes this file-descriptors to all drivers it wants this buffer
561  *    to share with: First the file descriptor is converted to a &dma_buf using
562  *    dma_buf_get(). Then the buffer is attached to the device using
563  *    dma_buf_attach().
564  *
565  *    Up to this stage the exporter is still free to migrate or reallocate the
566  *    backing storage.
567  *
568  * 3. Once the buffer is attached to all devices userspace can initiate DMA
569  *    access to the shared buffer. In the kernel this is done by calling
570  *    dma_buf_map_attachment() and dma_buf_unmap_attachment().
571  *
572  * 4. Once a driver is done with a shared buffer it needs to call
573  *    dma_buf_detach() (after cleaning up any mappings) and then release the
574  *    reference acquired with dma_buf_get() by calling dma_buf_put().
575  *
576  * For the detailed semantics exporters are expected to implement see
577  * &dma_buf_ops.
578  */
579 
580 /**
581  * dma_buf_export - Creates a new dma_buf, and associates an anon file
582  * with this buffer, so it can be exported.
583  * Also connect the allocator specific data and ops to the buffer.
584  * Additionally, provide a name string for exporter; useful in debugging.
585  *
586  * @exp_info:	[in]	holds all the export related information provided
587  *			by the exporter. see &struct dma_buf_export_info
588  *			for further details.
589  *
590  * Returns, on success, a newly created struct dma_buf object, which wraps the
591  * supplied private data and operations for struct dma_buf_ops. On either
592  * missing ops, or error in allocating struct dma_buf, will return negative
593  * error.
594  *
595  * For most cases the easiest way to create @exp_info is through the
596  * %DEFINE_DMA_BUF_EXPORT_INFO macro.
597  */
598 struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
599 {
600 	struct dma_buf *dmabuf;
601 	struct dma_resv *resv = exp_info->resv;
602 	struct file *file;
603 	size_t alloc_size = sizeof(struct dma_buf);
604 	int ret;
605 
606 	if (!exp_info->resv)
607 		alloc_size += sizeof(struct dma_resv);
608 	else
609 		/* prevent &dma_buf[1] == dma_buf->resv */
610 		alloc_size += 1;
611 
612 	if (WARN_ON(!exp_info->priv
613 			  || !exp_info->ops
614 			  || !exp_info->ops->map_dma_buf
615 			  || !exp_info->ops->unmap_dma_buf
616 			  || !exp_info->ops->release)) {
617 		return ERR_PTR(-EINVAL);
618 	}
619 
620 	if (WARN_ON(exp_info->ops->cache_sgt_mapping &&
621 		    (exp_info->ops->pin || exp_info->ops->unpin)))
622 		return ERR_PTR(-EINVAL);
623 
624 	if (WARN_ON(!exp_info->ops->pin != !exp_info->ops->unpin))
625 		return ERR_PTR(-EINVAL);
626 
627 	if (!try_module_get(exp_info->owner))
628 		return ERR_PTR(-ENOENT);
629 
630 	dmabuf = kzalloc(alloc_size, GFP_KERNEL);
631 	if (!dmabuf) {
632 		ret = -ENOMEM;
633 		goto err_module;
634 	}
635 
636 	dmabuf->priv = exp_info->priv;
637 	dmabuf->ops = exp_info->ops;
638 	dmabuf->size = exp_info->size;
639 	dmabuf->exp_name = exp_info->exp_name;
640 	dmabuf->owner = exp_info->owner;
641 	spin_lock_init(&dmabuf->name_lock);
642 	init_waitqueue_head(&dmabuf->poll);
643 	dmabuf->cb_in.poll = dmabuf->cb_out.poll = &dmabuf->poll;
644 	dmabuf->cb_in.active = dmabuf->cb_out.active = 0;
645 
646 	if (!resv) {
647 		resv = (struct dma_resv *)&dmabuf[1];
648 		dma_resv_init(resv);
649 	}
650 	dmabuf->resv = resv;
651 
652 	file = dma_buf_getfile(dmabuf, exp_info->flags);
653 	if (IS_ERR(file)) {
654 		ret = PTR_ERR(file);
655 		goto err_dmabuf;
656 	}
657 
658 	dmabuf->file = file;
659 
660 	mutex_init(&dmabuf->lock);
661 	INIT_LIST_HEAD(&dmabuf->attachments);
662 
663 	mutex_lock(&db_list.lock);
664 	list_add(&dmabuf->list_node, &db_list.head);
665 	mutex_unlock(&db_list.lock);
666 
667 	ret = dma_buf_stats_setup(dmabuf);
668 	if (ret)
669 		goto err_sysfs;
670 
671 	return dmabuf;
672 
673 err_sysfs:
674 	/*
675 	 * Set file->f_path.dentry->d_fsdata to NULL so that when
676 	 * dma_buf_release() gets invoked by dentry_ops, it exits
677 	 * early before calling the release() dma_buf op.
678 	 */
679 	file->f_path.dentry->d_fsdata = NULL;
680 	fput(file);
681 err_dmabuf:
682 	kfree(dmabuf);
683 err_module:
684 	module_put(exp_info->owner);
685 	return ERR_PTR(ret);
686 }
687 EXPORT_SYMBOL_NS_GPL(dma_buf_export, DMA_BUF);
688 
689 /**
690  * dma_buf_fd - returns a file descriptor for the given struct dma_buf
691  * @dmabuf:	[in]	pointer to dma_buf for which fd is required.
692  * @flags:      [in]    flags to give to fd
693  *
694  * On success, returns an associated 'fd'. Else, returns error.
695  */
696 int dma_buf_fd(struct dma_buf *dmabuf, int flags)
697 {
698 	int fd;
699 
700 	if (!dmabuf || !dmabuf->file)
701 		return -EINVAL;
702 
703 	fd = get_unused_fd_flags(flags);
704 	if (fd < 0)
705 		return fd;
706 
707 	fd_install(fd, dmabuf->file);
708 
709 	return fd;
710 }
711 EXPORT_SYMBOL_NS_GPL(dma_buf_fd, DMA_BUF);
712 
713 /**
714  * dma_buf_get - returns the struct dma_buf related to an fd
715  * @fd:	[in]	fd associated with the struct dma_buf to be returned
716  *
717  * On success, returns the struct dma_buf associated with an fd; uses
718  * file's refcounting done by fget to increase refcount. returns ERR_PTR
719  * otherwise.
720  */
721 struct dma_buf *dma_buf_get(int fd)
722 {
723 	struct file *file;
724 
725 	file = fget(fd);
726 
727 	if (!file)
728 		return ERR_PTR(-EBADF);
729 
730 	if (!is_dma_buf_file(file)) {
731 		fput(file);
732 		return ERR_PTR(-EINVAL);
733 	}
734 
735 	return file->private_data;
736 }
737 EXPORT_SYMBOL_NS_GPL(dma_buf_get, DMA_BUF);
738 
739 /**
740  * dma_buf_put - decreases refcount of the buffer
741  * @dmabuf:	[in]	buffer to reduce refcount of
742  *
743  * Uses file's refcounting done implicitly by fput().
744  *
745  * If, as a result of this call, the refcount becomes 0, the 'release' file
746  * operation related to this fd is called. It calls &dma_buf_ops.release vfunc
747  * in turn, and frees the memory allocated for dmabuf when exported.
748  */
749 void dma_buf_put(struct dma_buf *dmabuf)
750 {
751 	if (WARN_ON(!dmabuf || !dmabuf->file))
752 		return;
753 
754 	fput(dmabuf->file);
755 }
756 EXPORT_SYMBOL_NS_GPL(dma_buf_put, DMA_BUF);
757 
758 static void mangle_sg_table(struct sg_table *sg_table)
759 {
760 #ifdef CONFIG_DMABUF_DEBUG
761 	int i;
762 	struct scatterlist *sg;
763 
764 	/* To catch abuse of the underlying struct page by importers mix
765 	 * up the bits, but take care to preserve the low SG_ bits to
766 	 * not corrupt the sgt. The mixing is undone in __unmap_dma_buf
767 	 * before passing the sgt back to the exporter. */
768 	for_each_sgtable_sg(sg_table, sg, i)
769 		sg->page_link ^= ~0xffUL;
770 #endif
771 
772 }
773 static struct sg_table * __map_dma_buf(struct dma_buf_attachment *attach,
774 				       enum dma_data_direction direction)
775 {
776 	struct sg_table *sg_table;
777 	signed long ret;
778 
779 	sg_table = attach->dmabuf->ops->map_dma_buf(attach, direction);
780 	if (IS_ERR_OR_NULL(sg_table))
781 		return sg_table;
782 
783 	if (!dma_buf_attachment_is_dynamic(attach)) {
784 		ret = dma_resv_wait_timeout(attach->dmabuf->resv,
785 					    DMA_RESV_USAGE_KERNEL, true,
786 					    MAX_SCHEDULE_TIMEOUT);
787 		if (ret < 0) {
788 			attach->dmabuf->ops->unmap_dma_buf(attach, sg_table,
789 							   direction);
790 			return ERR_PTR(ret);
791 		}
792 	}
793 
794 	mangle_sg_table(sg_table);
795 	return sg_table;
796 }
797 
798 /**
799  * dma_buf_dynamic_attach - Add the device to dma_buf's attachments list
800  * @dmabuf:		[in]	buffer to attach device to.
801  * @dev:		[in]	device to be attached.
802  * @importer_ops:	[in]	importer operations for the attachment
803  * @importer_priv:	[in]	importer private pointer for the attachment
804  *
805  * Returns struct dma_buf_attachment pointer for this attachment. Attachments
806  * must be cleaned up by calling dma_buf_detach().
807  *
808  * Optionally this calls &dma_buf_ops.attach to allow device-specific attach
809  * functionality.
810  *
811  * Returns:
812  *
813  * A pointer to newly created &dma_buf_attachment on success, or a negative
814  * error code wrapped into a pointer on failure.
815  *
816  * Note that this can fail if the backing storage of @dmabuf is in a place not
817  * accessible to @dev, and cannot be moved to a more suitable place. This is
818  * indicated with the error code -EBUSY.
819  */
820 struct dma_buf_attachment *
821 dma_buf_dynamic_attach(struct dma_buf *dmabuf, struct device *dev,
822 		       const struct dma_buf_attach_ops *importer_ops,
823 		       void *importer_priv)
824 {
825 	struct dma_buf_attachment *attach;
826 	int ret;
827 
828 	if (WARN_ON(!dmabuf || !dev))
829 		return ERR_PTR(-EINVAL);
830 
831 	if (WARN_ON(importer_ops && !importer_ops->move_notify))
832 		return ERR_PTR(-EINVAL);
833 
834 	attach = kzalloc(sizeof(*attach), GFP_KERNEL);
835 	if (!attach)
836 		return ERR_PTR(-ENOMEM);
837 
838 	attach->dev = dev;
839 	attach->dmabuf = dmabuf;
840 	if (importer_ops)
841 		attach->peer2peer = importer_ops->allow_peer2peer;
842 	attach->importer_ops = importer_ops;
843 	attach->importer_priv = importer_priv;
844 
845 	if (dmabuf->ops->attach) {
846 		ret = dmabuf->ops->attach(dmabuf, attach);
847 		if (ret)
848 			goto err_attach;
849 	}
850 	dma_resv_lock(dmabuf->resv, NULL);
851 	list_add(&attach->node, &dmabuf->attachments);
852 	dma_resv_unlock(dmabuf->resv);
853 
854 	/* When either the importer or the exporter can't handle dynamic
855 	 * mappings we cache the mapping here to avoid issues with the
856 	 * reservation object lock.
857 	 */
858 	if (dma_buf_attachment_is_dynamic(attach) !=
859 	    dma_buf_is_dynamic(dmabuf)) {
860 		struct sg_table *sgt;
861 
862 		if (dma_buf_is_dynamic(attach->dmabuf)) {
863 			dma_resv_lock(attach->dmabuf->resv, NULL);
864 			ret = dmabuf->ops->pin(attach);
865 			if (ret)
866 				goto err_unlock;
867 		}
868 
869 		sgt = __map_dma_buf(attach, DMA_BIDIRECTIONAL);
870 		if (!sgt)
871 			sgt = ERR_PTR(-ENOMEM);
872 		if (IS_ERR(sgt)) {
873 			ret = PTR_ERR(sgt);
874 			goto err_unpin;
875 		}
876 		if (dma_buf_is_dynamic(attach->dmabuf))
877 			dma_resv_unlock(attach->dmabuf->resv);
878 		attach->sgt = sgt;
879 		attach->dir = DMA_BIDIRECTIONAL;
880 	}
881 
882 	return attach;
883 
884 err_attach:
885 	kfree(attach);
886 	return ERR_PTR(ret);
887 
888 err_unpin:
889 	if (dma_buf_is_dynamic(attach->dmabuf))
890 		dmabuf->ops->unpin(attach);
891 
892 err_unlock:
893 	if (dma_buf_is_dynamic(attach->dmabuf))
894 		dma_resv_unlock(attach->dmabuf->resv);
895 
896 	dma_buf_detach(dmabuf, attach);
897 	return ERR_PTR(ret);
898 }
899 EXPORT_SYMBOL_NS_GPL(dma_buf_dynamic_attach, DMA_BUF);
900 
901 /**
902  * dma_buf_attach - Wrapper for dma_buf_dynamic_attach
903  * @dmabuf:	[in]	buffer to attach device to.
904  * @dev:	[in]	device to be attached.
905  *
906  * Wrapper to call dma_buf_dynamic_attach() for drivers which still use a static
907  * mapping.
908  */
909 struct dma_buf_attachment *dma_buf_attach(struct dma_buf *dmabuf,
910 					  struct device *dev)
911 {
912 	return dma_buf_dynamic_attach(dmabuf, dev, NULL, NULL);
913 }
914 EXPORT_SYMBOL_NS_GPL(dma_buf_attach, DMA_BUF);
915 
916 static void __unmap_dma_buf(struct dma_buf_attachment *attach,
917 			    struct sg_table *sg_table,
918 			    enum dma_data_direction direction)
919 {
920 	/* uses XOR, hence this unmangles */
921 	mangle_sg_table(sg_table);
922 
923 	attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction);
924 }
925 
926 /**
927  * dma_buf_detach - Remove the given attachment from dmabuf's attachments list
928  * @dmabuf:	[in]	buffer to detach from.
929  * @attach:	[in]	attachment to be detached; is free'd after this call.
930  *
931  * Clean up a device attachment obtained by calling dma_buf_attach().
932  *
933  * Optionally this calls &dma_buf_ops.detach for device-specific detach.
934  */
935 void dma_buf_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attach)
936 {
937 	if (WARN_ON(!dmabuf || !attach))
938 		return;
939 
940 	if (attach->sgt) {
941 		if (dma_buf_is_dynamic(attach->dmabuf))
942 			dma_resv_lock(attach->dmabuf->resv, NULL);
943 
944 		__unmap_dma_buf(attach, attach->sgt, attach->dir);
945 
946 		if (dma_buf_is_dynamic(attach->dmabuf)) {
947 			dmabuf->ops->unpin(attach);
948 			dma_resv_unlock(attach->dmabuf->resv);
949 		}
950 	}
951 
952 	dma_resv_lock(dmabuf->resv, NULL);
953 	list_del(&attach->node);
954 	dma_resv_unlock(dmabuf->resv);
955 	if (dmabuf->ops->detach)
956 		dmabuf->ops->detach(dmabuf, attach);
957 
958 	kfree(attach);
959 }
960 EXPORT_SYMBOL_NS_GPL(dma_buf_detach, DMA_BUF);
961 
962 /**
963  * dma_buf_pin - Lock down the DMA-buf
964  * @attach:	[in]	attachment which should be pinned
965  *
966  * Only dynamic importers (who set up @attach with dma_buf_dynamic_attach()) may
967  * call this, and only for limited use cases like scanout and not for temporary
968  * pin operations. It is not permitted to allow userspace to pin arbitrary
969  * amounts of buffers through this interface.
970  *
971  * Buffers must be unpinned by calling dma_buf_unpin().
972  *
973  * Returns:
974  * 0 on success, negative error code on failure.
975  */
976 int dma_buf_pin(struct dma_buf_attachment *attach)
977 {
978 	struct dma_buf *dmabuf = attach->dmabuf;
979 	int ret = 0;
980 
981 	WARN_ON(!dma_buf_attachment_is_dynamic(attach));
982 
983 	dma_resv_assert_held(dmabuf->resv);
984 
985 	if (dmabuf->ops->pin)
986 		ret = dmabuf->ops->pin(attach);
987 
988 	return ret;
989 }
990 EXPORT_SYMBOL_NS_GPL(dma_buf_pin, DMA_BUF);
991 
992 /**
993  * dma_buf_unpin - Unpin a DMA-buf
994  * @attach:	[in]	attachment which should be unpinned
995  *
996  * This unpins a buffer pinned by dma_buf_pin() and allows the exporter to move
997  * any mapping of @attach again and inform the importer through
998  * &dma_buf_attach_ops.move_notify.
999  */
1000 void dma_buf_unpin(struct dma_buf_attachment *attach)
1001 {
1002 	struct dma_buf *dmabuf = attach->dmabuf;
1003 
1004 	WARN_ON(!dma_buf_attachment_is_dynamic(attach));
1005 
1006 	dma_resv_assert_held(dmabuf->resv);
1007 
1008 	if (dmabuf->ops->unpin)
1009 		dmabuf->ops->unpin(attach);
1010 }
1011 EXPORT_SYMBOL_NS_GPL(dma_buf_unpin, DMA_BUF);
1012 
1013 /**
1014  * dma_buf_map_attachment - Returns the scatterlist table of the attachment;
1015  * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the
1016  * dma_buf_ops.
1017  * @attach:	[in]	attachment whose scatterlist is to be returned
1018  * @direction:	[in]	direction of DMA transfer
1019  *
1020  * Returns sg_table containing the scatterlist to be returned; returns ERR_PTR
1021  * on error. May return -EINTR if it is interrupted by a signal.
1022  *
1023  * On success, the DMA addresses and lengths in the returned scatterlist are
1024  * PAGE_SIZE aligned.
1025  *
1026  * A mapping must be unmapped by using dma_buf_unmap_attachment(). Note that
1027  * the underlying backing storage is pinned for as long as a mapping exists,
1028  * therefore users/importers should not hold onto a mapping for undue amounts of
1029  * time.
1030  *
1031  * Important: Dynamic importers must wait for the exclusive fence of the struct
1032  * dma_resv attached to the DMA-BUF first.
1033  */
1034 struct sg_table *dma_buf_map_attachment(struct dma_buf_attachment *attach,
1035 					enum dma_data_direction direction)
1036 {
1037 	struct sg_table *sg_table;
1038 	int r;
1039 
1040 	might_sleep();
1041 
1042 	if (WARN_ON(!attach || !attach->dmabuf))
1043 		return ERR_PTR(-EINVAL);
1044 
1045 	if (dma_buf_attachment_is_dynamic(attach))
1046 		dma_resv_assert_held(attach->dmabuf->resv);
1047 
1048 	if (attach->sgt) {
1049 		/*
1050 		 * Two mappings with different directions for the same
1051 		 * attachment are not allowed.
1052 		 */
1053 		if (attach->dir != direction &&
1054 		    attach->dir != DMA_BIDIRECTIONAL)
1055 			return ERR_PTR(-EBUSY);
1056 
1057 		return attach->sgt;
1058 	}
1059 
1060 	if (dma_buf_is_dynamic(attach->dmabuf)) {
1061 		dma_resv_assert_held(attach->dmabuf->resv);
1062 		if (!IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY)) {
1063 			r = attach->dmabuf->ops->pin(attach);
1064 			if (r)
1065 				return ERR_PTR(r);
1066 		}
1067 	}
1068 
1069 	sg_table = __map_dma_buf(attach, direction);
1070 	if (!sg_table)
1071 		sg_table = ERR_PTR(-ENOMEM);
1072 
1073 	if (IS_ERR(sg_table) && dma_buf_is_dynamic(attach->dmabuf) &&
1074 	     !IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY))
1075 		attach->dmabuf->ops->unpin(attach);
1076 
1077 	if (!IS_ERR(sg_table) && attach->dmabuf->ops->cache_sgt_mapping) {
1078 		attach->sgt = sg_table;
1079 		attach->dir = direction;
1080 	}
1081 
1082 #ifdef CONFIG_DMA_API_DEBUG
1083 	if (!IS_ERR(sg_table)) {
1084 		struct scatterlist *sg;
1085 		u64 addr;
1086 		int len;
1087 		int i;
1088 
1089 		for_each_sgtable_dma_sg(sg_table, sg, i) {
1090 			addr = sg_dma_address(sg);
1091 			len = sg_dma_len(sg);
1092 			if (!PAGE_ALIGNED(addr) || !PAGE_ALIGNED(len)) {
1093 				pr_debug("%s: addr %llx or len %x is not page aligned!\n",
1094 					 __func__, addr, len);
1095 			}
1096 		}
1097 	}
1098 #endif /* CONFIG_DMA_API_DEBUG */
1099 	return sg_table;
1100 }
1101 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment, DMA_BUF);
1102 
1103 /**
1104  * dma_buf_unmap_attachment - unmaps and decreases usecount of the buffer;might
1105  * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of
1106  * dma_buf_ops.
1107  * @attach:	[in]	attachment to unmap buffer from
1108  * @sg_table:	[in]	scatterlist info of the buffer to unmap
1109  * @direction:  [in]    direction of DMA transfer
1110  *
1111  * This unmaps a DMA mapping for @attached obtained by dma_buf_map_attachment().
1112  */
1113 void dma_buf_unmap_attachment(struct dma_buf_attachment *attach,
1114 				struct sg_table *sg_table,
1115 				enum dma_data_direction direction)
1116 {
1117 	might_sleep();
1118 
1119 	if (WARN_ON(!attach || !attach->dmabuf || !sg_table))
1120 		return;
1121 
1122 	if (dma_buf_attachment_is_dynamic(attach))
1123 		dma_resv_assert_held(attach->dmabuf->resv);
1124 
1125 	if (attach->sgt == sg_table)
1126 		return;
1127 
1128 	if (dma_buf_is_dynamic(attach->dmabuf))
1129 		dma_resv_assert_held(attach->dmabuf->resv);
1130 
1131 	__unmap_dma_buf(attach, sg_table, direction);
1132 
1133 	if (dma_buf_is_dynamic(attach->dmabuf) &&
1134 	    !IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY))
1135 		dma_buf_unpin(attach);
1136 }
1137 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment, DMA_BUF);
1138 
1139 /**
1140  * dma_buf_move_notify - notify attachments that DMA-buf is moving
1141  *
1142  * @dmabuf:	[in]	buffer which is moving
1143  *
1144  * Informs all attachmenst that they need to destroy and recreated all their
1145  * mappings.
1146  */
1147 void dma_buf_move_notify(struct dma_buf *dmabuf)
1148 {
1149 	struct dma_buf_attachment *attach;
1150 
1151 	dma_resv_assert_held(dmabuf->resv);
1152 
1153 	list_for_each_entry(attach, &dmabuf->attachments, node)
1154 		if (attach->importer_ops)
1155 			attach->importer_ops->move_notify(attach);
1156 }
1157 EXPORT_SYMBOL_NS_GPL(dma_buf_move_notify, DMA_BUF);
1158 
1159 /**
1160  * DOC: cpu access
1161  *
1162  * There are mutliple reasons for supporting CPU access to a dma buffer object:
1163  *
1164  * - Fallback operations in the kernel, for example when a device is connected
1165  *   over USB and the kernel needs to shuffle the data around first before
1166  *   sending it away. Cache coherency is handled by braketing any transactions
1167  *   with calls to dma_buf_begin_cpu_access() and dma_buf_end_cpu_access()
1168  *   access.
1169  *
1170  *   Since for most kernel internal dma-buf accesses need the entire buffer, a
1171  *   vmap interface is introduced. Note that on very old 32-bit architectures
1172  *   vmalloc space might be limited and result in vmap calls failing.
1173  *
1174  *   Interfaces::
1175  *
1176  *      void \*dma_buf_vmap(struct dma_buf \*dmabuf, struct iosys_map \*map)
1177  *      void dma_buf_vunmap(struct dma_buf \*dmabuf, struct iosys_map \*map)
1178  *
1179  *   The vmap call can fail if there is no vmap support in the exporter, or if
1180  *   it runs out of vmalloc space. Note that the dma-buf layer keeps a reference
1181  *   count for all vmap access and calls down into the exporter's vmap function
1182  *   only when no vmapping exists, and only unmaps it once. Protection against
1183  *   concurrent vmap/vunmap calls is provided by taking the &dma_buf.lock mutex.
1184  *
1185  * - For full compatibility on the importer side with existing userspace
1186  *   interfaces, which might already support mmap'ing buffers. This is needed in
1187  *   many processing pipelines (e.g. feeding a software rendered image into a
1188  *   hardware pipeline, thumbnail creation, snapshots, ...). Also, Android's ION
1189  *   framework already supported this and for DMA buffer file descriptors to
1190  *   replace ION buffers mmap support was needed.
1191  *
1192  *   There is no special interfaces, userspace simply calls mmap on the dma-buf
1193  *   fd. But like for CPU access there's a need to braket the actual access,
1194  *   which is handled by the ioctl (DMA_BUF_IOCTL_SYNC). Note that
1195  *   DMA_BUF_IOCTL_SYNC can fail with -EAGAIN or -EINTR, in which case it must
1196  *   be restarted.
1197  *
1198  *   Some systems might need some sort of cache coherency management e.g. when
1199  *   CPU and GPU domains are being accessed through dma-buf at the same time.
1200  *   To circumvent this problem there are begin/end coherency markers, that
1201  *   forward directly to existing dma-buf device drivers vfunc hooks. Userspace
1202  *   can make use of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The
1203  *   sequence would be used like following:
1204  *
1205  *     - mmap dma-buf fd
1206  *     - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write
1207  *       to mmap area 3. SYNC_END ioctl. This can be repeated as often as you
1208  *       want (with the new data being consumed by say the GPU or the scanout
1209  *       device)
1210  *     - munmap once you don't need the buffer any more
1211  *
1212  *    For correctness and optimal performance, it is always required to use
1213  *    SYNC_START and SYNC_END before and after, respectively, when accessing the
1214  *    mapped address. Userspace cannot rely on coherent access, even when there
1215  *    are systems where it just works without calling these ioctls.
1216  *
1217  * - And as a CPU fallback in userspace processing pipelines.
1218  *
1219  *   Similar to the motivation for kernel cpu access it is again important that
1220  *   the userspace code of a given importing subsystem can use the same
1221  *   interfaces with a imported dma-buf buffer object as with a native buffer
1222  *   object. This is especially important for drm where the userspace part of
1223  *   contemporary OpenGL, X, and other drivers is huge, and reworking them to
1224  *   use a different way to mmap a buffer rather invasive.
1225  *
1226  *   The assumption in the current dma-buf interfaces is that redirecting the
1227  *   initial mmap is all that's needed. A survey of some of the existing
1228  *   subsystems shows that no driver seems to do any nefarious thing like
1229  *   syncing up with outstanding asynchronous processing on the device or
1230  *   allocating special resources at fault time. So hopefully this is good
1231  *   enough, since adding interfaces to intercept pagefaults and allow pte
1232  *   shootdowns would increase the complexity quite a bit.
1233  *
1234  *   Interface::
1235  *
1236  *      int dma_buf_mmap(struct dma_buf \*, struct vm_area_struct \*,
1237  *		       unsigned long);
1238  *
1239  *   If the importing subsystem simply provides a special-purpose mmap call to
1240  *   set up a mapping in userspace, calling do_mmap with &dma_buf.file will
1241  *   equally achieve that for a dma-buf object.
1242  */
1243 
1244 static int __dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
1245 				      enum dma_data_direction direction)
1246 {
1247 	bool write = (direction == DMA_BIDIRECTIONAL ||
1248 		      direction == DMA_TO_DEVICE);
1249 	struct dma_resv *resv = dmabuf->resv;
1250 	long ret;
1251 
1252 	/* Wait on any implicit rendering fences */
1253 	ret = dma_resv_wait_timeout(resv, dma_resv_usage_rw(write),
1254 				    true, MAX_SCHEDULE_TIMEOUT);
1255 	if (ret < 0)
1256 		return ret;
1257 
1258 	return 0;
1259 }
1260 
1261 /**
1262  * dma_buf_begin_cpu_access - Must be called before accessing a dma_buf from the
1263  * cpu in the kernel context. Calls begin_cpu_access to allow exporter-specific
1264  * preparations. Coherency is only guaranteed in the specified range for the
1265  * specified access direction.
1266  * @dmabuf:	[in]	buffer to prepare cpu access for.
1267  * @direction:	[in]	length of range for cpu access.
1268  *
1269  * After the cpu access is complete the caller should call
1270  * dma_buf_end_cpu_access(). Only when cpu access is braketed by both calls is
1271  * it guaranteed to be coherent with other DMA access.
1272  *
1273  * This function will also wait for any DMA transactions tracked through
1274  * implicit synchronization in &dma_buf.resv. For DMA transactions with explicit
1275  * synchronization this function will only ensure cache coherency, callers must
1276  * ensure synchronization with such DMA transactions on their own.
1277  *
1278  * Can return negative error values, returns 0 on success.
1279  */
1280 int dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
1281 			     enum dma_data_direction direction)
1282 {
1283 	int ret = 0;
1284 
1285 	if (WARN_ON(!dmabuf))
1286 		return -EINVAL;
1287 
1288 	might_lock(&dmabuf->resv->lock.base);
1289 
1290 	if (dmabuf->ops->begin_cpu_access)
1291 		ret = dmabuf->ops->begin_cpu_access(dmabuf, direction);
1292 
1293 	/* Ensure that all fences are waited upon - but we first allow
1294 	 * the native handler the chance to do so more efficiently if it
1295 	 * chooses. A double invocation here will be reasonably cheap no-op.
1296 	 */
1297 	if (ret == 0)
1298 		ret = __dma_buf_begin_cpu_access(dmabuf, direction);
1299 
1300 	return ret;
1301 }
1302 EXPORT_SYMBOL_NS_GPL(dma_buf_begin_cpu_access, DMA_BUF);
1303 
1304 /**
1305  * dma_buf_end_cpu_access - Must be called after accessing a dma_buf from the
1306  * cpu in the kernel context. Calls end_cpu_access to allow exporter-specific
1307  * actions. Coherency is only guaranteed in the specified range for the
1308  * specified access direction.
1309  * @dmabuf:	[in]	buffer to complete cpu access for.
1310  * @direction:	[in]	length of range for cpu access.
1311  *
1312  * This terminates CPU access started with dma_buf_begin_cpu_access().
1313  *
1314  * Can return negative error values, returns 0 on success.
1315  */
1316 int dma_buf_end_cpu_access(struct dma_buf *dmabuf,
1317 			   enum dma_data_direction direction)
1318 {
1319 	int ret = 0;
1320 
1321 	WARN_ON(!dmabuf);
1322 
1323 	might_lock(&dmabuf->resv->lock.base);
1324 
1325 	if (dmabuf->ops->end_cpu_access)
1326 		ret = dmabuf->ops->end_cpu_access(dmabuf, direction);
1327 
1328 	return ret;
1329 }
1330 EXPORT_SYMBOL_NS_GPL(dma_buf_end_cpu_access, DMA_BUF);
1331 
1332 
1333 /**
1334  * dma_buf_mmap - Setup up a userspace mmap with the given vma
1335  * @dmabuf:	[in]	buffer that should back the vma
1336  * @vma:	[in]	vma for the mmap
1337  * @pgoff:	[in]	offset in pages where this mmap should start within the
1338  *			dma-buf buffer.
1339  *
1340  * This function adjusts the passed in vma so that it points at the file of the
1341  * dma_buf operation. It also adjusts the starting pgoff and does bounds
1342  * checking on the size of the vma. Then it calls the exporters mmap function to
1343  * set up the mapping.
1344  *
1345  * Can return negative error values, returns 0 on success.
1346  */
1347 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
1348 		 unsigned long pgoff)
1349 {
1350 	if (WARN_ON(!dmabuf || !vma))
1351 		return -EINVAL;
1352 
1353 	/* check if buffer supports mmap */
1354 	if (!dmabuf->ops->mmap)
1355 		return -EINVAL;
1356 
1357 	/* check for offset overflow */
1358 	if (pgoff + vma_pages(vma) < pgoff)
1359 		return -EOVERFLOW;
1360 
1361 	/* check for overflowing the buffer's size */
1362 	if (pgoff + vma_pages(vma) >
1363 	    dmabuf->size >> PAGE_SHIFT)
1364 		return -EINVAL;
1365 
1366 	/* readjust the vma */
1367 	vma_set_file(vma, dmabuf->file);
1368 	vma->vm_pgoff = pgoff;
1369 
1370 	return dmabuf->ops->mmap(dmabuf, vma);
1371 }
1372 EXPORT_SYMBOL_NS_GPL(dma_buf_mmap, DMA_BUF);
1373 
1374 /**
1375  * dma_buf_vmap - Create virtual mapping for the buffer object into kernel
1376  * address space. Same restrictions as for vmap and friends apply.
1377  * @dmabuf:	[in]	buffer to vmap
1378  * @map:	[out]	returns the vmap pointer
1379  *
1380  * This call may fail due to lack of virtual mapping address space.
1381  * These calls are optional in drivers. The intended use for them
1382  * is for mapping objects linear in kernel space for high use objects.
1383  *
1384  * To ensure coherency users must call dma_buf_begin_cpu_access() and
1385  * dma_buf_end_cpu_access() around any cpu access performed through this
1386  * mapping.
1387  *
1388  * Returns 0 on success, or a negative errno code otherwise.
1389  */
1390 int dma_buf_vmap(struct dma_buf *dmabuf, struct iosys_map *map)
1391 {
1392 	struct iosys_map ptr;
1393 	int ret = 0;
1394 
1395 	iosys_map_clear(map);
1396 
1397 	if (WARN_ON(!dmabuf))
1398 		return -EINVAL;
1399 
1400 	if (!dmabuf->ops->vmap)
1401 		return -EINVAL;
1402 
1403 	mutex_lock(&dmabuf->lock);
1404 	if (dmabuf->vmapping_counter) {
1405 		dmabuf->vmapping_counter++;
1406 		BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr));
1407 		*map = dmabuf->vmap_ptr;
1408 		goto out_unlock;
1409 	}
1410 
1411 	BUG_ON(iosys_map_is_set(&dmabuf->vmap_ptr));
1412 
1413 	ret = dmabuf->ops->vmap(dmabuf, &ptr);
1414 	if (WARN_ON_ONCE(ret))
1415 		goto out_unlock;
1416 
1417 	dmabuf->vmap_ptr = ptr;
1418 	dmabuf->vmapping_counter = 1;
1419 
1420 	*map = dmabuf->vmap_ptr;
1421 
1422 out_unlock:
1423 	mutex_unlock(&dmabuf->lock);
1424 	return ret;
1425 }
1426 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap, DMA_BUF);
1427 
1428 /**
1429  * dma_buf_vunmap - Unmap a vmap obtained by dma_buf_vmap.
1430  * @dmabuf:	[in]	buffer to vunmap
1431  * @map:	[in]	vmap pointer to vunmap
1432  */
1433 void dma_buf_vunmap(struct dma_buf *dmabuf, struct iosys_map *map)
1434 {
1435 	if (WARN_ON(!dmabuf))
1436 		return;
1437 
1438 	BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr));
1439 	BUG_ON(dmabuf->vmapping_counter == 0);
1440 	BUG_ON(!iosys_map_is_equal(&dmabuf->vmap_ptr, map));
1441 
1442 	mutex_lock(&dmabuf->lock);
1443 	if (--dmabuf->vmapping_counter == 0) {
1444 		if (dmabuf->ops->vunmap)
1445 			dmabuf->ops->vunmap(dmabuf, map);
1446 		iosys_map_clear(&dmabuf->vmap_ptr);
1447 	}
1448 	mutex_unlock(&dmabuf->lock);
1449 }
1450 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap, DMA_BUF);
1451 
1452 #ifdef CONFIG_DEBUG_FS
1453 static int dma_buf_debug_show(struct seq_file *s, void *unused)
1454 {
1455 	struct dma_buf *buf_obj;
1456 	struct dma_buf_attachment *attach_obj;
1457 	int count = 0, attach_count;
1458 	size_t size = 0;
1459 	int ret;
1460 
1461 	ret = mutex_lock_interruptible(&db_list.lock);
1462 
1463 	if (ret)
1464 		return ret;
1465 
1466 	seq_puts(s, "\nDma-buf Objects:\n");
1467 	seq_printf(s, "%-8s\t%-8s\t%-8s\t%-8s\texp_name\t%-8s\tname\n",
1468 		   "size", "flags", "mode", "count", "ino");
1469 
1470 	list_for_each_entry(buf_obj, &db_list.head, list_node) {
1471 
1472 		ret = dma_resv_lock_interruptible(buf_obj->resv, NULL);
1473 		if (ret)
1474 			goto error_unlock;
1475 
1476 
1477 		spin_lock(&buf_obj->name_lock);
1478 		seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n",
1479 				buf_obj->size,
1480 				buf_obj->file->f_flags, buf_obj->file->f_mode,
1481 				file_count(buf_obj->file),
1482 				buf_obj->exp_name,
1483 				file_inode(buf_obj->file)->i_ino,
1484 				buf_obj->name ?: "<none>");
1485 		spin_unlock(&buf_obj->name_lock);
1486 
1487 		dma_resv_describe(buf_obj->resv, s);
1488 
1489 		seq_puts(s, "\tAttached Devices:\n");
1490 		attach_count = 0;
1491 
1492 		list_for_each_entry(attach_obj, &buf_obj->attachments, node) {
1493 			seq_printf(s, "\t%s\n", dev_name(attach_obj->dev));
1494 			attach_count++;
1495 		}
1496 		dma_resv_unlock(buf_obj->resv);
1497 
1498 		seq_printf(s, "Total %d devices attached\n\n",
1499 				attach_count);
1500 
1501 		count++;
1502 		size += buf_obj->size;
1503 	}
1504 
1505 	seq_printf(s, "\nTotal %d objects, %zu bytes\n", count, size);
1506 
1507 	mutex_unlock(&db_list.lock);
1508 	return 0;
1509 
1510 error_unlock:
1511 	mutex_unlock(&db_list.lock);
1512 	return ret;
1513 }
1514 
1515 DEFINE_SHOW_ATTRIBUTE(dma_buf_debug);
1516 
1517 static struct dentry *dma_buf_debugfs_dir;
1518 
1519 static int dma_buf_init_debugfs(void)
1520 {
1521 	struct dentry *d;
1522 	int err = 0;
1523 
1524 	d = debugfs_create_dir("dma_buf", NULL);
1525 	if (IS_ERR(d))
1526 		return PTR_ERR(d);
1527 
1528 	dma_buf_debugfs_dir = d;
1529 
1530 	d = debugfs_create_file("bufinfo", S_IRUGO, dma_buf_debugfs_dir,
1531 				NULL, &dma_buf_debug_fops);
1532 	if (IS_ERR(d)) {
1533 		pr_debug("dma_buf: debugfs: failed to create node bufinfo\n");
1534 		debugfs_remove_recursive(dma_buf_debugfs_dir);
1535 		dma_buf_debugfs_dir = NULL;
1536 		err = PTR_ERR(d);
1537 	}
1538 
1539 	return err;
1540 }
1541 
1542 static void dma_buf_uninit_debugfs(void)
1543 {
1544 	debugfs_remove_recursive(dma_buf_debugfs_dir);
1545 }
1546 #else
1547 static inline int dma_buf_init_debugfs(void)
1548 {
1549 	return 0;
1550 }
1551 static inline void dma_buf_uninit_debugfs(void)
1552 {
1553 }
1554 #endif
1555 
1556 static int __init dma_buf_init(void)
1557 {
1558 	int ret;
1559 
1560 	ret = dma_buf_init_sysfs_statistics();
1561 	if (ret)
1562 		return ret;
1563 
1564 	dma_buf_mnt = kern_mount(&dma_buf_fs_type);
1565 	if (IS_ERR(dma_buf_mnt))
1566 		return PTR_ERR(dma_buf_mnt);
1567 
1568 	mutex_init(&db_list.lock);
1569 	INIT_LIST_HEAD(&db_list.head);
1570 	dma_buf_init_debugfs();
1571 	return 0;
1572 }
1573 subsys_initcall(dma_buf_init);
1574 
1575 static void __exit dma_buf_deinit(void)
1576 {
1577 	dma_buf_uninit_debugfs();
1578 	kern_unmount(dma_buf_mnt);
1579 	dma_buf_uninit_sysfs_statistics();
1580 }
1581 __exitcall(dma_buf_deinit);
1582