1 /*
2 * Framework for buffer objects that can be shared across devices/subsystems.
3 *
4 * Copyright(C) 2011 Linaro Limited. All rights reserved.
5 * Author: Sumit Semwal <sumit.semwal@ti.com>
6 *
7 * Many thanks to linaro-mm-sig list, and specially
8 * Arnd Bergmann <arnd@arndb.de>, Rob Clark <rob@ti.com> and
9 * Daniel Vetter <daniel@ffwll.ch> for their support in creation and
10 * refining of this idea.
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License version 2 as published by
14 * the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful, but WITHOUT
17 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
18 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
19 * more details.
20 *
21 * You should have received a copy of the GNU General Public License along with
22 * this program. If not, see <http://www.gnu.org/licenses/>.
23 */
24
25 #include <linux/fs.h>
26 #include <linux/slab.h>
27 #include <linux/dma-buf.h>
28 #include <linux/dma-fence.h>
29 #include <linux/anon_inodes.h>
30 #include <linux/export.h>
31 #include <linux/debugfs.h>
32 #include <linux/module.h>
33 #include <linux/seq_file.h>
34 #include <linux/poll.h>
35 #include <linux/reservation.h>
36 #include <linux/mm.h>
37
38 #include <uapi/linux/dma-buf.h>
39
40 static inline int is_dma_buf_file(struct file *);
41
42 struct dma_buf_list {
43 struct list_head head;
44 struct mutex lock;
45 };
46
47 static struct dma_buf_list db_list;
48
dma_buf_release(struct inode * inode,struct file * file)49 static int dma_buf_release(struct inode *inode, struct file *file)
50 {
51 struct dma_buf *dmabuf;
52
53 if (!is_dma_buf_file(file))
54 return -EINVAL;
55
56 dmabuf = file->private_data;
57
58 BUG_ON(dmabuf->vmapping_counter);
59
60 /*
61 * Any fences that a dma-buf poll can wait on should be signaled
62 * before releasing dma-buf. This is the responsibility of each
63 * driver that uses the reservation objects.
64 *
65 * If you hit this BUG() it means someone dropped their ref to the
66 * dma-buf while still having pending operation to the buffer.
67 */
68 BUG_ON(dmabuf->cb_shared.active || dmabuf->cb_excl.active);
69
70 dmabuf->ops->release(dmabuf);
71
72 mutex_lock(&db_list.lock);
73 list_del(&dmabuf->list_node);
74 mutex_unlock(&db_list.lock);
75
76 if (dmabuf->resv == (struct reservation_object *)&dmabuf[1])
77 reservation_object_fini(dmabuf->resv);
78
79 module_put(dmabuf->owner);
80 kfree(dmabuf);
81 return 0;
82 }
83
dma_buf_mmap_internal(struct file * file,struct vm_area_struct * vma)84 static int dma_buf_mmap_internal(struct file *file, struct vm_area_struct *vma)
85 {
86 struct dma_buf *dmabuf;
87
88 if (!is_dma_buf_file(file))
89 return -EINVAL;
90
91 dmabuf = file->private_data;
92
93 /* check for overflowing the buffer's size */
94 if (vma->vm_pgoff + vma_pages(vma) >
95 dmabuf->size >> PAGE_SHIFT)
96 return -EINVAL;
97
98 return dmabuf->ops->mmap(dmabuf, vma);
99 }
100
dma_buf_llseek(struct file * file,loff_t offset,int whence)101 static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
102 {
103 struct dma_buf *dmabuf;
104 loff_t base;
105
106 if (!is_dma_buf_file(file))
107 return -EBADF;
108
109 dmabuf = file->private_data;
110
111 /* only support discovering the end of the buffer,
112 but also allow SEEK_SET to maintain the idiomatic
113 SEEK_END(0), SEEK_CUR(0) pattern */
114 if (whence == SEEK_END)
115 base = dmabuf->size;
116 else if (whence == SEEK_SET)
117 base = 0;
118 else
119 return -EINVAL;
120
121 if (offset != 0)
122 return -EINVAL;
123
124 return base + offset;
125 }
126
127 /**
128 * DOC: fence polling
129 *
130 * To support cross-device and cross-driver synchronization of buffer access
131 * implicit fences (represented internally in the kernel with &struct fence) can
132 * be attached to a &dma_buf. The glue for that and a few related things are
133 * provided in the &reservation_object structure.
134 *
135 * Userspace can query the state of these implicitly tracked fences using poll()
136 * and related system calls:
137 *
138 * - Checking for EPOLLIN, i.e. read access, can be use to query the state of the
139 * most recent write or exclusive fence.
140 *
141 * - Checking for EPOLLOUT, i.e. write access, can be used to query the state of
142 * all attached fences, shared and exclusive ones.
143 *
144 * Note that this only signals the completion of the respective fences, i.e. the
145 * DMA transfers are complete. Cache flushing and any other necessary
146 * preparations before CPU access can begin still need to happen.
147 */
148
dma_buf_poll_cb(struct dma_fence * fence,struct dma_fence_cb * cb)149 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
150 {
151 struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
152 unsigned long flags;
153
154 spin_lock_irqsave(&dcb->poll->lock, flags);
155 wake_up_locked_poll(dcb->poll, dcb->active);
156 dcb->active = 0;
157 spin_unlock_irqrestore(&dcb->poll->lock, flags);
158 }
159
dma_buf_poll(struct file * file,poll_table * poll)160 static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
161 {
162 struct dma_buf *dmabuf;
163 struct reservation_object *resv;
164 struct reservation_object_list *fobj;
165 struct dma_fence *fence_excl;
166 __poll_t events;
167 unsigned shared_count, seq;
168
169 dmabuf = file->private_data;
170 if (!dmabuf || !dmabuf->resv)
171 return EPOLLERR;
172
173 resv = dmabuf->resv;
174
175 poll_wait(file, &dmabuf->poll, poll);
176
177 events = poll_requested_events(poll) & (EPOLLIN | EPOLLOUT);
178 if (!events)
179 return 0;
180
181 retry:
182 seq = read_seqcount_begin(&resv->seq);
183 rcu_read_lock();
184
185 fobj = rcu_dereference(resv->fence);
186 if (fobj)
187 shared_count = fobj->shared_count;
188 else
189 shared_count = 0;
190 fence_excl = rcu_dereference(resv->fence_excl);
191 if (read_seqcount_retry(&resv->seq, seq)) {
192 rcu_read_unlock();
193 goto retry;
194 }
195
196 if (fence_excl && (!(events & EPOLLOUT) || shared_count == 0)) {
197 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_excl;
198 __poll_t pevents = EPOLLIN;
199
200 if (shared_count == 0)
201 pevents |= EPOLLOUT;
202
203 spin_lock_irq(&dmabuf->poll.lock);
204 if (dcb->active) {
205 dcb->active |= pevents;
206 events &= ~pevents;
207 } else
208 dcb->active = pevents;
209 spin_unlock_irq(&dmabuf->poll.lock);
210
211 if (events & pevents) {
212 if (!dma_fence_get_rcu(fence_excl)) {
213 /* force a recheck */
214 events &= ~pevents;
215 dma_buf_poll_cb(NULL, &dcb->cb);
216 } else if (!dma_fence_add_callback(fence_excl, &dcb->cb,
217 dma_buf_poll_cb)) {
218 events &= ~pevents;
219 dma_fence_put(fence_excl);
220 } else {
221 /*
222 * No callback queued, wake up any additional
223 * waiters.
224 */
225 dma_fence_put(fence_excl);
226 dma_buf_poll_cb(NULL, &dcb->cb);
227 }
228 }
229 }
230
231 if ((events & EPOLLOUT) && shared_count > 0) {
232 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_shared;
233 int i;
234
235 /* Only queue a new callback if no event has fired yet */
236 spin_lock_irq(&dmabuf->poll.lock);
237 if (dcb->active)
238 events &= ~EPOLLOUT;
239 else
240 dcb->active = EPOLLOUT;
241 spin_unlock_irq(&dmabuf->poll.lock);
242
243 if (!(events & EPOLLOUT))
244 goto out;
245
246 for (i = 0; i < shared_count; ++i) {
247 struct dma_fence *fence = rcu_dereference(fobj->shared[i]);
248
249 if (!dma_fence_get_rcu(fence)) {
250 /*
251 * fence refcount dropped to zero, this means
252 * that fobj has been freed
253 *
254 * call dma_buf_poll_cb and force a recheck!
255 */
256 events &= ~EPOLLOUT;
257 dma_buf_poll_cb(NULL, &dcb->cb);
258 break;
259 }
260 if (!dma_fence_add_callback(fence, &dcb->cb,
261 dma_buf_poll_cb)) {
262 dma_fence_put(fence);
263 events &= ~EPOLLOUT;
264 break;
265 }
266 dma_fence_put(fence);
267 }
268
269 /* No callback queued, wake up any additional waiters. */
270 if (i == shared_count)
271 dma_buf_poll_cb(NULL, &dcb->cb);
272 }
273
274 out:
275 rcu_read_unlock();
276 return events;
277 }
278
dma_buf_ioctl(struct file * file,unsigned int cmd,unsigned long arg)279 static long dma_buf_ioctl(struct file *file,
280 unsigned int cmd, unsigned long arg)
281 {
282 struct dma_buf *dmabuf;
283 struct dma_buf_sync sync;
284 enum dma_data_direction direction;
285 int ret;
286
287 dmabuf = file->private_data;
288
289 switch (cmd) {
290 case DMA_BUF_IOCTL_SYNC:
291 if (copy_from_user(&sync, (void __user *) arg, sizeof(sync)))
292 return -EFAULT;
293
294 if (sync.flags & ~DMA_BUF_SYNC_VALID_FLAGS_MASK)
295 return -EINVAL;
296
297 switch (sync.flags & DMA_BUF_SYNC_RW) {
298 case DMA_BUF_SYNC_READ:
299 direction = DMA_FROM_DEVICE;
300 break;
301 case DMA_BUF_SYNC_WRITE:
302 direction = DMA_TO_DEVICE;
303 break;
304 case DMA_BUF_SYNC_RW:
305 direction = DMA_BIDIRECTIONAL;
306 break;
307 default:
308 return -EINVAL;
309 }
310
311 if (sync.flags & DMA_BUF_SYNC_END)
312 ret = dma_buf_end_cpu_access(dmabuf, direction);
313 else
314 ret = dma_buf_begin_cpu_access(dmabuf, direction);
315
316 return ret;
317 default:
318 return -ENOTTY;
319 }
320 }
321
322 static const struct file_operations dma_buf_fops = {
323 .release = dma_buf_release,
324 .mmap = dma_buf_mmap_internal,
325 .llseek = dma_buf_llseek,
326 .poll = dma_buf_poll,
327 .unlocked_ioctl = dma_buf_ioctl,
328 #ifdef CONFIG_COMPAT
329 .compat_ioctl = dma_buf_ioctl,
330 #endif
331 };
332
333 /*
334 * is_dma_buf_file - Check if struct file* is associated with dma_buf
335 */
is_dma_buf_file(struct file * file)336 static inline int is_dma_buf_file(struct file *file)
337 {
338 return file->f_op == &dma_buf_fops;
339 }
340
341 /**
342 * DOC: dma buf device access
343 *
344 * For device DMA access to a shared DMA buffer the usual sequence of operations
345 * is fairly simple:
346 *
347 * 1. The exporter defines his exporter instance using
348 * DEFINE_DMA_BUF_EXPORT_INFO() and calls dma_buf_export() to wrap a private
349 * buffer object into a &dma_buf. It then exports that &dma_buf to userspace
350 * as a file descriptor by calling dma_buf_fd().
351 *
352 * 2. Userspace passes this file-descriptors to all drivers it wants this buffer
353 * to share with: First the filedescriptor is converted to a &dma_buf using
354 * dma_buf_get(). Then the buffer is attached to the device using
355 * dma_buf_attach().
356 *
357 * Up to this stage the exporter is still free to migrate or reallocate the
358 * backing storage.
359 *
360 * 3. Once the buffer is attached to all devices userspace can initiate DMA
361 * access to the shared buffer. In the kernel this is done by calling
362 * dma_buf_map_attachment() and dma_buf_unmap_attachment().
363 *
364 * 4. Once a driver is done with a shared buffer it needs to call
365 * dma_buf_detach() (after cleaning up any mappings) and then release the
366 * reference acquired with dma_buf_get by calling dma_buf_put().
367 *
368 * For the detailed semantics exporters are expected to implement see
369 * &dma_buf_ops.
370 */
371
372 /**
373 * dma_buf_export - Creates a new dma_buf, and associates an anon file
374 * with this buffer, so it can be exported.
375 * Also connect the allocator specific data and ops to the buffer.
376 * Additionally, provide a name string for exporter; useful in debugging.
377 *
378 * @exp_info: [in] holds all the export related information provided
379 * by the exporter. see &struct dma_buf_export_info
380 * for further details.
381 *
382 * Returns, on success, a newly created dma_buf object, which wraps the
383 * supplied private data and operations for dma_buf_ops. On either missing
384 * ops, or error in allocating struct dma_buf, will return negative error.
385 *
386 * For most cases the easiest way to create @exp_info is through the
387 * %DEFINE_DMA_BUF_EXPORT_INFO macro.
388 */
dma_buf_export(const struct dma_buf_export_info * exp_info)389 struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
390 {
391 struct dma_buf *dmabuf;
392 struct reservation_object *resv = exp_info->resv;
393 struct file *file;
394 size_t alloc_size = sizeof(struct dma_buf);
395 int ret;
396
397 if (!exp_info->resv)
398 alloc_size += sizeof(struct reservation_object);
399 else
400 /* prevent &dma_buf[1] == dma_buf->resv */
401 alloc_size += 1;
402
403 if (WARN_ON(!exp_info->priv
404 || !exp_info->ops
405 || !exp_info->ops->map_dma_buf
406 || !exp_info->ops->unmap_dma_buf
407 || !exp_info->ops->release
408 || !exp_info->ops->map
409 || !exp_info->ops->mmap)) {
410 return ERR_PTR(-EINVAL);
411 }
412
413 if (!try_module_get(exp_info->owner))
414 return ERR_PTR(-ENOENT);
415
416 dmabuf = kzalloc(alloc_size, GFP_KERNEL);
417 if (!dmabuf) {
418 ret = -ENOMEM;
419 goto err_module;
420 }
421
422 dmabuf->priv = exp_info->priv;
423 dmabuf->ops = exp_info->ops;
424 dmabuf->size = exp_info->size;
425 dmabuf->exp_name = exp_info->exp_name;
426 dmabuf->owner = exp_info->owner;
427 init_waitqueue_head(&dmabuf->poll);
428 dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll;
429 dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0;
430
431 if (!resv) {
432 resv = (struct reservation_object *)&dmabuf[1];
433 reservation_object_init(resv);
434 }
435 dmabuf->resv = resv;
436
437 file = anon_inode_getfile("dmabuf", &dma_buf_fops, dmabuf,
438 exp_info->flags);
439 if (IS_ERR(file)) {
440 ret = PTR_ERR(file);
441 goto err_dmabuf;
442 }
443
444 file->f_mode |= FMODE_LSEEK;
445 dmabuf->file = file;
446
447 mutex_init(&dmabuf->lock);
448 INIT_LIST_HEAD(&dmabuf->attachments);
449
450 mutex_lock(&db_list.lock);
451 list_add(&dmabuf->list_node, &db_list.head);
452 mutex_unlock(&db_list.lock);
453
454 return dmabuf;
455
456 err_dmabuf:
457 kfree(dmabuf);
458 err_module:
459 module_put(exp_info->owner);
460 return ERR_PTR(ret);
461 }
462 EXPORT_SYMBOL_GPL(dma_buf_export);
463
464 /**
465 * dma_buf_fd - returns a file descriptor for the given dma_buf
466 * @dmabuf: [in] pointer to dma_buf for which fd is required.
467 * @flags: [in] flags to give to fd
468 *
469 * On success, returns an associated 'fd'. Else, returns error.
470 */
dma_buf_fd(struct dma_buf * dmabuf,int flags)471 int dma_buf_fd(struct dma_buf *dmabuf, int flags)
472 {
473 int fd;
474
475 if (!dmabuf || !dmabuf->file)
476 return -EINVAL;
477
478 fd = get_unused_fd_flags(flags);
479 if (fd < 0)
480 return fd;
481
482 fd_install(fd, dmabuf->file);
483
484 return fd;
485 }
486 EXPORT_SYMBOL_GPL(dma_buf_fd);
487
488 /**
489 * dma_buf_get - returns the dma_buf structure related to an fd
490 * @fd: [in] fd associated with the dma_buf to be returned
491 *
492 * On success, returns the dma_buf structure associated with an fd; uses
493 * file's refcounting done by fget to increase refcount. returns ERR_PTR
494 * otherwise.
495 */
dma_buf_get(int fd)496 struct dma_buf *dma_buf_get(int fd)
497 {
498 struct file *file;
499
500 file = fget(fd);
501
502 if (!file)
503 return ERR_PTR(-EBADF);
504
505 if (!is_dma_buf_file(file)) {
506 fput(file);
507 return ERR_PTR(-EINVAL);
508 }
509
510 return file->private_data;
511 }
512 EXPORT_SYMBOL_GPL(dma_buf_get);
513
514 /**
515 * dma_buf_put - decreases refcount of the buffer
516 * @dmabuf: [in] buffer to reduce refcount of
517 *
518 * Uses file's refcounting done implicitly by fput().
519 *
520 * If, as a result of this call, the refcount becomes 0, the 'release' file
521 * operation related to this fd is called. It calls &dma_buf_ops.release vfunc
522 * in turn, and frees the memory allocated for dmabuf when exported.
523 */
dma_buf_put(struct dma_buf * dmabuf)524 void dma_buf_put(struct dma_buf *dmabuf)
525 {
526 if (WARN_ON(!dmabuf || !dmabuf->file))
527 return;
528
529 fput(dmabuf->file);
530 }
531 EXPORT_SYMBOL_GPL(dma_buf_put);
532
533 /**
534 * dma_buf_attach - Add the device to dma_buf's attachments list; optionally,
535 * calls attach() of dma_buf_ops to allow device-specific attach functionality
536 * @dmabuf: [in] buffer to attach device to.
537 * @dev: [in] device to be attached.
538 *
539 * Returns struct dma_buf_attachment pointer for this attachment. Attachments
540 * must be cleaned up by calling dma_buf_detach().
541 *
542 * Returns:
543 *
544 * A pointer to newly created &dma_buf_attachment on success, or a negative
545 * error code wrapped into a pointer on failure.
546 *
547 * Note that this can fail if the backing storage of @dmabuf is in a place not
548 * accessible to @dev, and cannot be moved to a more suitable place. This is
549 * indicated with the error code -EBUSY.
550 */
dma_buf_attach(struct dma_buf * dmabuf,struct device * dev)551 struct dma_buf_attachment *dma_buf_attach(struct dma_buf *dmabuf,
552 struct device *dev)
553 {
554 struct dma_buf_attachment *attach;
555 int ret;
556
557 if (WARN_ON(!dmabuf || !dev))
558 return ERR_PTR(-EINVAL);
559
560 attach = kzalloc(sizeof(*attach), GFP_KERNEL);
561 if (!attach)
562 return ERR_PTR(-ENOMEM);
563
564 attach->dev = dev;
565 attach->dmabuf = dmabuf;
566
567 mutex_lock(&dmabuf->lock);
568
569 if (dmabuf->ops->attach) {
570 ret = dmabuf->ops->attach(dmabuf, attach);
571 if (ret)
572 goto err_attach;
573 }
574 list_add(&attach->node, &dmabuf->attachments);
575
576 mutex_unlock(&dmabuf->lock);
577 return attach;
578
579 err_attach:
580 kfree(attach);
581 mutex_unlock(&dmabuf->lock);
582 return ERR_PTR(ret);
583 }
584 EXPORT_SYMBOL_GPL(dma_buf_attach);
585
586 /**
587 * dma_buf_detach - Remove the given attachment from dmabuf's attachments list;
588 * optionally calls detach() of dma_buf_ops for device-specific detach
589 * @dmabuf: [in] buffer to detach from.
590 * @attach: [in] attachment to be detached; is free'd after this call.
591 *
592 * Clean up a device attachment obtained by calling dma_buf_attach().
593 */
dma_buf_detach(struct dma_buf * dmabuf,struct dma_buf_attachment * attach)594 void dma_buf_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attach)
595 {
596 if (WARN_ON(!dmabuf || !attach))
597 return;
598
599 mutex_lock(&dmabuf->lock);
600 list_del(&attach->node);
601 if (dmabuf->ops->detach)
602 dmabuf->ops->detach(dmabuf, attach);
603
604 mutex_unlock(&dmabuf->lock);
605 kfree(attach);
606 }
607 EXPORT_SYMBOL_GPL(dma_buf_detach);
608
609 /**
610 * dma_buf_map_attachment - Returns the scatterlist table of the attachment;
611 * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the
612 * dma_buf_ops.
613 * @attach: [in] attachment whose scatterlist is to be returned
614 * @direction: [in] direction of DMA transfer
615 *
616 * Returns sg_table containing the scatterlist to be returned; returns ERR_PTR
617 * on error. May return -EINTR if it is interrupted by a signal.
618 *
619 * A mapping must be unmapped by using dma_buf_unmap_attachment(). Note that
620 * the underlying backing storage is pinned for as long as a mapping exists,
621 * therefore users/importers should not hold onto a mapping for undue amounts of
622 * time.
623 */
dma_buf_map_attachment(struct dma_buf_attachment * attach,enum dma_data_direction direction)624 struct sg_table *dma_buf_map_attachment(struct dma_buf_attachment *attach,
625 enum dma_data_direction direction)
626 {
627 struct sg_table *sg_table;
628
629 might_sleep();
630
631 if (WARN_ON(!attach || !attach->dmabuf))
632 return ERR_PTR(-EINVAL);
633
634 sg_table = attach->dmabuf->ops->map_dma_buf(attach, direction);
635 if (!sg_table)
636 sg_table = ERR_PTR(-ENOMEM);
637
638 return sg_table;
639 }
640 EXPORT_SYMBOL_GPL(dma_buf_map_attachment);
641
642 /**
643 * dma_buf_unmap_attachment - unmaps and decreases usecount of the buffer;might
644 * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of
645 * dma_buf_ops.
646 * @attach: [in] attachment to unmap buffer from
647 * @sg_table: [in] scatterlist info of the buffer to unmap
648 * @direction: [in] direction of DMA transfer
649 *
650 * This unmaps a DMA mapping for @attached obtained by dma_buf_map_attachment().
651 */
dma_buf_unmap_attachment(struct dma_buf_attachment * attach,struct sg_table * sg_table,enum dma_data_direction direction)652 void dma_buf_unmap_attachment(struct dma_buf_attachment *attach,
653 struct sg_table *sg_table,
654 enum dma_data_direction direction)
655 {
656 might_sleep();
657
658 if (WARN_ON(!attach || !attach->dmabuf || !sg_table))
659 return;
660
661 attach->dmabuf->ops->unmap_dma_buf(attach, sg_table,
662 direction);
663 }
664 EXPORT_SYMBOL_GPL(dma_buf_unmap_attachment);
665
666 /**
667 * DOC: cpu access
668 *
669 * There are mutliple reasons for supporting CPU access to a dma buffer object:
670 *
671 * - Fallback operations in the kernel, for example when a device is connected
672 * over USB and the kernel needs to shuffle the data around first before
673 * sending it away. Cache coherency is handled by braketing any transactions
674 * with calls to dma_buf_begin_cpu_access() and dma_buf_end_cpu_access()
675 * access.
676 *
677 * To support dma_buf objects residing in highmem cpu access is page-based
678 * using an api similar to kmap. Accessing a dma_buf is done in aligned chunks
679 * of PAGE_SIZE size. Before accessing a chunk it needs to be mapped, which
680 * returns a pointer in kernel virtual address space. Afterwards the chunk
681 * needs to be unmapped again. There is no limit on how often a given chunk
682 * can be mapped and unmapped, i.e. the importer does not need to call
683 * begin_cpu_access again before mapping the same chunk again.
684 *
685 * Interfaces::
686 * void \*dma_buf_kmap(struct dma_buf \*, unsigned long);
687 * void dma_buf_kunmap(struct dma_buf \*, unsigned long, void \*);
688 *
689 * Implementing the functions is optional for exporters and for importers all
690 * the restrictions of using kmap apply.
691 *
692 * dma_buf kmap calls outside of the range specified in begin_cpu_access are
693 * undefined. If the range is not PAGE_SIZE aligned, kmap needs to succeed on
694 * the partial chunks at the beginning and end but may return stale or bogus
695 * data outside of the range (in these partial chunks).
696 *
697 * For some cases the overhead of kmap can be too high, a vmap interface
698 * is introduced. This interface should be used very carefully, as vmalloc
699 * space is a limited resources on many architectures.
700 *
701 * Interfaces::
702 * void \*dma_buf_vmap(struct dma_buf \*dmabuf)
703 * void dma_buf_vunmap(struct dma_buf \*dmabuf, void \*vaddr)
704 *
705 * The vmap call can fail if there is no vmap support in the exporter, or if
706 * it runs out of vmalloc space. Fallback to kmap should be implemented. Note
707 * that the dma-buf layer keeps a reference count for all vmap access and
708 * calls down into the exporter's vmap function only when no vmapping exists,
709 * and only unmaps it once. Protection against concurrent vmap/vunmap calls is
710 * provided by taking the dma_buf->lock mutex.
711 *
712 * - For full compatibility on the importer side with existing userspace
713 * interfaces, which might already support mmap'ing buffers. This is needed in
714 * many processing pipelines (e.g. feeding a software rendered image into a
715 * hardware pipeline, thumbnail creation, snapshots, ...). Also, Android's ION
716 * framework already supported this and for DMA buffer file descriptors to
717 * replace ION buffers mmap support was needed.
718 *
719 * There is no special interfaces, userspace simply calls mmap on the dma-buf
720 * fd. But like for CPU access there's a need to braket the actual access,
721 * which is handled by the ioctl (DMA_BUF_IOCTL_SYNC). Note that
722 * DMA_BUF_IOCTL_SYNC can fail with -EAGAIN or -EINTR, in which case it must
723 * be restarted.
724 *
725 * Some systems might need some sort of cache coherency management e.g. when
726 * CPU and GPU domains are being accessed through dma-buf at the same time.
727 * To circumvent this problem there are begin/end coherency markers, that
728 * forward directly to existing dma-buf device drivers vfunc hooks. Userspace
729 * can make use of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The
730 * sequence would be used like following:
731 *
732 * - mmap dma-buf fd
733 * - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write
734 * to mmap area 3. SYNC_END ioctl. This can be repeated as often as you
735 * want (with the new data being consumed by say the GPU or the scanout
736 * device)
737 * - munmap once you don't need the buffer any more
738 *
739 * For correctness and optimal performance, it is always required to use
740 * SYNC_START and SYNC_END before and after, respectively, when accessing the
741 * mapped address. Userspace cannot rely on coherent access, even when there
742 * are systems where it just works without calling these ioctls.
743 *
744 * - And as a CPU fallback in userspace processing pipelines.
745 *
746 * Similar to the motivation for kernel cpu access it is again important that
747 * the userspace code of a given importing subsystem can use the same
748 * interfaces with a imported dma-buf buffer object as with a native buffer
749 * object. This is especially important for drm where the userspace part of
750 * contemporary OpenGL, X, and other drivers is huge, and reworking them to
751 * use a different way to mmap a buffer rather invasive.
752 *
753 * The assumption in the current dma-buf interfaces is that redirecting the
754 * initial mmap is all that's needed. A survey of some of the existing
755 * subsystems shows that no driver seems to do any nefarious thing like
756 * syncing up with outstanding asynchronous processing on the device or
757 * allocating special resources at fault time. So hopefully this is good
758 * enough, since adding interfaces to intercept pagefaults and allow pte
759 * shootdowns would increase the complexity quite a bit.
760 *
761 * Interface::
762 * int dma_buf_mmap(struct dma_buf \*, struct vm_area_struct \*,
763 * unsigned long);
764 *
765 * If the importing subsystem simply provides a special-purpose mmap call to
766 * set up a mapping in userspace, calling do_mmap with dma_buf->file will
767 * equally achieve that for a dma-buf object.
768 */
769
__dma_buf_begin_cpu_access(struct dma_buf * dmabuf,enum dma_data_direction direction)770 static int __dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
771 enum dma_data_direction direction)
772 {
773 bool write = (direction == DMA_BIDIRECTIONAL ||
774 direction == DMA_TO_DEVICE);
775 struct reservation_object *resv = dmabuf->resv;
776 long ret;
777
778 /* Wait on any implicit rendering fences */
779 ret = reservation_object_wait_timeout_rcu(resv, write, true,
780 MAX_SCHEDULE_TIMEOUT);
781 if (ret < 0)
782 return ret;
783
784 return 0;
785 }
786
787 /**
788 * dma_buf_begin_cpu_access - Must be called before accessing a dma_buf from the
789 * cpu in the kernel context. Calls begin_cpu_access to allow exporter-specific
790 * preparations. Coherency is only guaranteed in the specified range for the
791 * specified access direction.
792 * @dmabuf: [in] buffer to prepare cpu access for.
793 * @direction: [in] length of range for cpu access.
794 *
795 * After the cpu access is complete the caller should call
796 * dma_buf_end_cpu_access(). Only when cpu access is braketed by both calls is
797 * it guaranteed to be coherent with other DMA access.
798 *
799 * Can return negative error values, returns 0 on success.
800 */
dma_buf_begin_cpu_access(struct dma_buf * dmabuf,enum dma_data_direction direction)801 int dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
802 enum dma_data_direction direction)
803 {
804 int ret = 0;
805
806 if (WARN_ON(!dmabuf))
807 return -EINVAL;
808
809 if (dmabuf->ops->begin_cpu_access)
810 ret = dmabuf->ops->begin_cpu_access(dmabuf, direction);
811
812 /* Ensure that all fences are waited upon - but we first allow
813 * the native handler the chance to do so more efficiently if it
814 * chooses. A double invocation here will be reasonably cheap no-op.
815 */
816 if (ret == 0)
817 ret = __dma_buf_begin_cpu_access(dmabuf, direction);
818
819 return ret;
820 }
821 EXPORT_SYMBOL_GPL(dma_buf_begin_cpu_access);
822
823 /**
824 * dma_buf_end_cpu_access - Must be called after accessing a dma_buf from the
825 * cpu in the kernel context. Calls end_cpu_access to allow exporter-specific
826 * actions. Coherency is only guaranteed in the specified range for the
827 * specified access direction.
828 * @dmabuf: [in] buffer to complete cpu access for.
829 * @direction: [in] length of range for cpu access.
830 *
831 * This terminates CPU access started with dma_buf_begin_cpu_access().
832 *
833 * Can return negative error values, returns 0 on success.
834 */
dma_buf_end_cpu_access(struct dma_buf * dmabuf,enum dma_data_direction direction)835 int dma_buf_end_cpu_access(struct dma_buf *dmabuf,
836 enum dma_data_direction direction)
837 {
838 int ret = 0;
839
840 WARN_ON(!dmabuf);
841
842 if (dmabuf->ops->end_cpu_access)
843 ret = dmabuf->ops->end_cpu_access(dmabuf, direction);
844
845 return ret;
846 }
847 EXPORT_SYMBOL_GPL(dma_buf_end_cpu_access);
848
849 /**
850 * dma_buf_kmap - Map a page of the buffer object into kernel address space. The
851 * same restrictions as for kmap and friends apply.
852 * @dmabuf: [in] buffer to map page from.
853 * @page_num: [in] page in PAGE_SIZE units to map.
854 *
855 * This call must always succeed, any necessary preparations that might fail
856 * need to be done in begin_cpu_access.
857 */
dma_buf_kmap(struct dma_buf * dmabuf,unsigned long page_num)858 void *dma_buf_kmap(struct dma_buf *dmabuf, unsigned long page_num)
859 {
860 WARN_ON(!dmabuf);
861
862 if (!dmabuf->ops->map)
863 return NULL;
864 return dmabuf->ops->map(dmabuf, page_num);
865 }
866 EXPORT_SYMBOL_GPL(dma_buf_kmap);
867
868 /**
869 * dma_buf_kunmap - Unmap a page obtained by dma_buf_kmap.
870 * @dmabuf: [in] buffer to unmap page from.
871 * @page_num: [in] page in PAGE_SIZE units to unmap.
872 * @vaddr: [in] kernel space pointer obtained from dma_buf_kmap.
873 *
874 * This call must always succeed.
875 */
dma_buf_kunmap(struct dma_buf * dmabuf,unsigned long page_num,void * vaddr)876 void dma_buf_kunmap(struct dma_buf *dmabuf, unsigned long page_num,
877 void *vaddr)
878 {
879 WARN_ON(!dmabuf);
880
881 if (dmabuf->ops->unmap)
882 dmabuf->ops->unmap(dmabuf, page_num, vaddr);
883 }
884 EXPORT_SYMBOL_GPL(dma_buf_kunmap);
885
886
887 /**
888 * dma_buf_mmap - Setup up a userspace mmap with the given vma
889 * @dmabuf: [in] buffer that should back the vma
890 * @vma: [in] vma for the mmap
891 * @pgoff: [in] offset in pages where this mmap should start within the
892 * dma-buf buffer.
893 *
894 * This function adjusts the passed in vma so that it points at the file of the
895 * dma_buf operation. It also adjusts the starting pgoff and does bounds
896 * checking on the size of the vma. Then it calls the exporters mmap function to
897 * set up the mapping.
898 *
899 * Can return negative error values, returns 0 on success.
900 */
dma_buf_mmap(struct dma_buf * dmabuf,struct vm_area_struct * vma,unsigned long pgoff)901 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
902 unsigned long pgoff)
903 {
904 struct file *oldfile;
905 int ret;
906
907 if (WARN_ON(!dmabuf || !vma))
908 return -EINVAL;
909
910 /* check for offset overflow */
911 if (pgoff + vma_pages(vma) < pgoff)
912 return -EOVERFLOW;
913
914 /* check for overflowing the buffer's size */
915 if (pgoff + vma_pages(vma) >
916 dmabuf->size >> PAGE_SHIFT)
917 return -EINVAL;
918
919 /* readjust the vma */
920 get_file(dmabuf->file);
921 oldfile = vma->vm_file;
922 vma->vm_file = dmabuf->file;
923 vma->vm_pgoff = pgoff;
924
925 ret = dmabuf->ops->mmap(dmabuf, vma);
926 if (ret) {
927 /* restore old parameters on failure */
928 vma->vm_file = oldfile;
929 fput(dmabuf->file);
930 } else {
931 if (oldfile)
932 fput(oldfile);
933 }
934 return ret;
935
936 }
937 EXPORT_SYMBOL_GPL(dma_buf_mmap);
938
939 /**
940 * dma_buf_vmap - Create virtual mapping for the buffer object into kernel
941 * address space. Same restrictions as for vmap and friends apply.
942 * @dmabuf: [in] buffer to vmap
943 *
944 * This call may fail due to lack of virtual mapping address space.
945 * These calls are optional in drivers. The intended use for them
946 * is for mapping objects linear in kernel space for high use objects.
947 * Please attempt to use kmap/kunmap before thinking about these interfaces.
948 *
949 * Returns NULL on error.
950 */
dma_buf_vmap(struct dma_buf * dmabuf)951 void *dma_buf_vmap(struct dma_buf *dmabuf)
952 {
953 void *ptr;
954
955 if (WARN_ON(!dmabuf))
956 return NULL;
957
958 if (!dmabuf->ops->vmap)
959 return NULL;
960
961 mutex_lock(&dmabuf->lock);
962 if (dmabuf->vmapping_counter) {
963 dmabuf->vmapping_counter++;
964 BUG_ON(!dmabuf->vmap_ptr);
965 ptr = dmabuf->vmap_ptr;
966 goto out_unlock;
967 }
968
969 BUG_ON(dmabuf->vmap_ptr);
970
971 ptr = dmabuf->ops->vmap(dmabuf);
972 if (WARN_ON_ONCE(IS_ERR(ptr)))
973 ptr = NULL;
974 if (!ptr)
975 goto out_unlock;
976
977 dmabuf->vmap_ptr = ptr;
978 dmabuf->vmapping_counter = 1;
979
980 out_unlock:
981 mutex_unlock(&dmabuf->lock);
982 return ptr;
983 }
984 EXPORT_SYMBOL_GPL(dma_buf_vmap);
985
986 /**
987 * dma_buf_vunmap - Unmap a vmap obtained by dma_buf_vmap.
988 * @dmabuf: [in] buffer to vunmap
989 * @vaddr: [in] vmap to vunmap
990 */
dma_buf_vunmap(struct dma_buf * dmabuf,void * vaddr)991 void dma_buf_vunmap(struct dma_buf *dmabuf, void *vaddr)
992 {
993 if (WARN_ON(!dmabuf))
994 return;
995
996 BUG_ON(!dmabuf->vmap_ptr);
997 BUG_ON(dmabuf->vmapping_counter == 0);
998 BUG_ON(dmabuf->vmap_ptr != vaddr);
999
1000 mutex_lock(&dmabuf->lock);
1001 if (--dmabuf->vmapping_counter == 0) {
1002 if (dmabuf->ops->vunmap)
1003 dmabuf->ops->vunmap(dmabuf, vaddr);
1004 dmabuf->vmap_ptr = NULL;
1005 }
1006 mutex_unlock(&dmabuf->lock);
1007 }
1008 EXPORT_SYMBOL_GPL(dma_buf_vunmap);
1009
1010 #ifdef CONFIG_DEBUG_FS
dma_buf_debug_show(struct seq_file * s,void * unused)1011 static int dma_buf_debug_show(struct seq_file *s, void *unused)
1012 {
1013 int ret;
1014 struct dma_buf *buf_obj;
1015 struct dma_buf_attachment *attach_obj;
1016 struct reservation_object *robj;
1017 struct reservation_object_list *fobj;
1018 struct dma_fence *fence;
1019 unsigned seq;
1020 int count = 0, attach_count, shared_count, i;
1021 size_t size = 0;
1022
1023 ret = mutex_lock_interruptible(&db_list.lock);
1024
1025 if (ret)
1026 return ret;
1027
1028 seq_puts(s, "\nDma-buf Objects:\n");
1029 seq_printf(s, "%-8s\t%-8s\t%-8s\t%-8s\texp_name\n",
1030 "size", "flags", "mode", "count");
1031
1032 list_for_each_entry(buf_obj, &db_list.head, list_node) {
1033 ret = mutex_lock_interruptible(&buf_obj->lock);
1034
1035 if (ret) {
1036 seq_puts(s,
1037 "\tERROR locking buffer object: skipping\n");
1038 continue;
1039 }
1040
1041 seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\n",
1042 buf_obj->size,
1043 buf_obj->file->f_flags, buf_obj->file->f_mode,
1044 file_count(buf_obj->file),
1045 buf_obj->exp_name);
1046
1047 robj = buf_obj->resv;
1048 while (true) {
1049 seq = read_seqcount_begin(&robj->seq);
1050 rcu_read_lock();
1051 fobj = rcu_dereference(robj->fence);
1052 shared_count = fobj ? fobj->shared_count : 0;
1053 fence = rcu_dereference(robj->fence_excl);
1054 if (!read_seqcount_retry(&robj->seq, seq))
1055 break;
1056 rcu_read_unlock();
1057 }
1058
1059 if (fence)
1060 seq_printf(s, "\tExclusive fence: %s %s %ssignalled\n",
1061 fence->ops->get_driver_name(fence),
1062 fence->ops->get_timeline_name(fence),
1063 dma_fence_is_signaled(fence) ? "" : "un");
1064 for (i = 0; i < shared_count; i++) {
1065 fence = rcu_dereference(fobj->shared[i]);
1066 if (!dma_fence_get_rcu(fence))
1067 continue;
1068 seq_printf(s, "\tShared fence: %s %s %ssignalled\n",
1069 fence->ops->get_driver_name(fence),
1070 fence->ops->get_timeline_name(fence),
1071 dma_fence_is_signaled(fence) ? "" : "un");
1072 }
1073 rcu_read_unlock();
1074
1075 seq_puts(s, "\tAttached Devices:\n");
1076 attach_count = 0;
1077
1078 list_for_each_entry(attach_obj, &buf_obj->attachments, node) {
1079 seq_printf(s, "\t%s\n", dev_name(attach_obj->dev));
1080 attach_count++;
1081 }
1082
1083 seq_printf(s, "Total %d devices attached\n\n",
1084 attach_count);
1085
1086 count++;
1087 size += buf_obj->size;
1088 mutex_unlock(&buf_obj->lock);
1089 }
1090
1091 seq_printf(s, "\nTotal %d objects, %zu bytes\n", count, size);
1092
1093 mutex_unlock(&db_list.lock);
1094 return 0;
1095 }
1096
dma_buf_debug_open(struct inode * inode,struct file * file)1097 static int dma_buf_debug_open(struct inode *inode, struct file *file)
1098 {
1099 return single_open(file, dma_buf_debug_show, NULL);
1100 }
1101
1102 static const struct file_operations dma_buf_debug_fops = {
1103 .open = dma_buf_debug_open,
1104 .read = seq_read,
1105 .llseek = seq_lseek,
1106 .release = single_release,
1107 };
1108
1109 static struct dentry *dma_buf_debugfs_dir;
1110
dma_buf_init_debugfs(void)1111 static int dma_buf_init_debugfs(void)
1112 {
1113 struct dentry *d;
1114 int err = 0;
1115
1116 d = debugfs_create_dir("dma_buf", NULL);
1117 if (IS_ERR(d))
1118 return PTR_ERR(d);
1119
1120 dma_buf_debugfs_dir = d;
1121
1122 d = debugfs_create_file("bufinfo", S_IRUGO, dma_buf_debugfs_dir,
1123 NULL, &dma_buf_debug_fops);
1124 if (IS_ERR(d)) {
1125 pr_debug("dma_buf: debugfs: failed to create node bufinfo\n");
1126 debugfs_remove_recursive(dma_buf_debugfs_dir);
1127 dma_buf_debugfs_dir = NULL;
1128 err = PTR_ERR(d);
1129 }
1130
1131 return err;
1132 }
1133
dma_buf_uninit_debugfs(void)1134 static void dma_buf_uninit_debugfs(void)
1135 {
1136 debugfs_remove_recursive(dma_buf_debugfs_dir);
1137 }
1138 #else
dma_buf_init_debugfs(void)1139 static inline int dma_buf_init_debugfs(void)
1140 {
1141 return 0;
1142 }
dma_buf_uninit_debugfs(void)1143 static inline void dma_buf_uninit_debugfs(void)
1144 {
1145 }
1146 #endif
1147
dma_buf_init(void)1148 static int __init dma_buf_init(void)
1149 {
1150 mutex_init(&db_list.lock);
1151 INIT_LIST_HEAD(&db_list.head);
1152 dma_buf_init_debugfs();
1153 return 0;
1154 }
1155 subsys_initcall(dma_buf_init);
1156
dma_buf_deinit(void)1157 static void __exit dma_buf_deinit(void)
1158 {
1159 dma_buf_uninit_debugfs();
1160 }
1161 __exitcall(dma_buf_deinit);
1162