1 /*
2  * Legacy: Generic DRM Buffer Management
3  *
4  * Copyright 1999, 2000 Precision Insight, Inc., Cedar Park, Texas.
5  * Copyright 2000 VA Linux Systems, Inc., Sunnyvale, California.
6  * All Rights Reserved.
7  *
8  * Author: Rickard E. (Rik) Faith <faith@valinux.com>
9  * Author: Gareth Hughes <gareth@valinux.com>
10  *
11  * Permission is hereby granted, free of charge, to any person obtaining a
12  * copy of this software and associated documentation files (the "Software"),
13  * to deal in the Software without restriction, including without limitation
14  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
15  * and/or sell copies of the Software, and to permit persons to whom the
16  * Software is furnished to do so, subject to the following conditions:
17  *
18  * The above copyright notice and this permission notice (including the next
19  * paragraph) shall be included in all copies or substantial portions of the
20  * Software.
21  *
22  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
23  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
24  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
25  * VA LINUX SYSTEMS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
26  * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
27  * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
28  * OTHER DEALINGS IN THE SOFTWARE.
29  */
30 
31 #include <linux/export.h>
32 #include <linux/log2.h>
33 #include <linux/mm.h>
34 #include <linux/mman.h>
35 #include <linux/nospec.h>
36 #include <linux/pci.h>
37 #include <linux/slab.h>
38 #include <linux/uaccess.h>
39 #include <linux/vmalloc.h>
40 
41 #include <asm/shmparam.h>
42 
43 #include <drm/drm_agpsupport.h>
44 #include <drm/drm_device.h>
45 #include <drm/drm_drv.h>
46 #include <drm/drm_file.h>
47 #include <drm/drm_print.h>
48 
49 #include "drm_legacy.h"
50 
51 
drm_find_matching_map(struct drm_device * dev,struct drm_local_map * map)52 static struct drm_map_list *drm_find_matching_map(struct drm_device *dev,
53 						  struct drm_local_map *map)
54 {
55 	struct drm_map_list *entry;
56 
57 	list_for_each_entry(entry, &dev->maplist, head) {
58 		/*
59 		 * Because the kernel-userspace ABI is fixed at a 32-bit offset
60 		 * while PCI resources may live above that, we only compare the
61 		 * lower 32 bits of the map offset for maps of type
62 		 * _DRM_FRAMEBUFFER or _DRM_REGISTERS.
63 		 * It is assumed that if a driver have more than one resource
64 		 * of each type, the lower 32 bits are different.
65 		 */
66 		if (!entry->map ||
67 		    map->type != entry->map->type ||
68 		    entry->master != dev->master)
69 			continue;
70 		switch (map->type) {
71 		case _DRM_SHM:
72 			if (map->flags != _DRM_CONTAINS_LOCK)
73 				break;
74 			return entry;
75 		case _DRM_REGISTERS:
76 		case _DRM_FRAME_BUFFER:
77 			if ((entry->map->offset & 0xffffffff) ==
78 			    (map->offset & 0xffffffff))
79 				return entry;
80 		default: /* Make gcc happy */
81 			;
82 		}
83 		if (entry->map->offset == map->offset)
84 			return entry;
85 	}
86 
87 	return NULL;
88 }
89 
drm_map_handle(struct drm_device * dev,struct drm_hash_item * hash,unsigned long user_token,int hashed_handle,int shm)90 static int drm_map_handle(struct drm_device *dev, struct drm_hash_item *hash,
91 			  unsigned long user_token, int hashed_handle, int shm)
92 {
93 	int use_hashed_handle, shift;
94 	unsigned long add;
95 
96 #if (BITS_PER_LONG == 64)
97 	use_hashed_handle = ((user_token & 0xFFFFFFFF00000000UL) || hashed_handle);
98 #elif (BITS_PER_LONG == 32)
99 	use_hashed_handle = hashed_handle;
100 #else
101 #error Unsupported long size. Neither 64 nor 32 bits.
102 #endif
103 
104 	if (!use_hashed_handle) {
105 		int ret;
106 
107 		hash->key = user_token >> PAGE_SHIFT;
108 		ret = drm_ht_insert_item(&dev->map_hash, hash);
109 		if (ret != -EINVAL)
110 			return ret;
111 	}
112 
113 	shift = 0;
114 	add = DRM_MAP_HASH_OFFSET >> PAGE_SHIFT;
115 	if (shm && (SHMLBA > PAGE_SIZE)) {
116 		int bits = ilog2(SHMLBA >> PAGE_SHIFT) + 1;
117 
118 		/* For shared memory, we have to preserve the SHMLBA
119 		 * bits of the eventual vma->vm_pgoff value during
120 		 * mmap().  Otherwise we run into cache aliasing problems
121 		 * on some platforms.  On these platforms, the pgoff of
122 		 * a mmap() request is used to pick a suitable virtual
123 		 * address for the mmap() region such that it will not
124 		 * cause cache aliasing problems.
125 		 *
126 		 * Therefore, make sure the SHMLBA relevant bits of the
127 		 * hash value we use are equal to those in the original
128 		 * kernel virtual address.
129 		 */
130 		shift = bits;
131 		add |= ((user_token >> PAGE_SHIFT) & ((1UL << bits) - 1UL));
132 	}
133 
134 	return drm_ht_just_insert_please(&dev->map_hash, hash,
135 					 user_token, 32 - PAGE_SHIFT - 3,
136 					 shift, add);
137 }
138 
139 /*
140  * Core function to create a range of memory available for mapping by a
141  * non-root process.
142  *
143  * Adjusts the memory offset to its absolute value according to the mapping
144  * type.  Adds the map to the map list drm_device::maplist. Adds MTRR's where
145  * applicable and if supported by the kernel.
146  */
drm_addmap_core(struct drm_device * dev,resource_size_t offset,unsigned int size,enum drm_map_type type,enum drm_map_flags flags,struct drm_map_list ** maplist)147 static int drm_addmap_core(struct drm_device *dev, resource_size_t offset,
148 			   unsigned int size, enum drm_map_type type,
149 			   enum drm_map_flags flags,
150 			   struct drm_map_list **maplist)
151 {
152 	struct drm_local_map *map;
153 	struct drm_map_list *list;
154 	unsigned long user_token;
155 	int ret;
156 
157 	map = kmalloc(sizeof(*map), GFP_KERNEL);
158 	if (!map)
159 		return -ENOMEM;
160 
161 	map->offset = offset;
162 	map->size = size;
163 	map->flags = flags;
164 	map->type = type;
165 
166 	/* Only allow shared memory to be removable since we only keep enough
167 	 * book keeping information about shared memory to allow for removal
168 	 * when processes fork.
169 	 */
170 	if ((map->flags & _DRM_REMOVABLE) && map->type != _DRM_SHM) {
171 		kfree(map);
172 		return -EINVAL;
173 	}
174 	DRM_DEBUG("offset = 0x%08llx, size = 0x%08lx, type = %d\n",
175 		  (unsigned long long)map->offset, map->size, map->type);
176 
177 	/* page-align _DRM_SHM maps. They are allocated here so there is no security
178 	 * hole created by that and it works around various broken drivers that use
179 	 * a non-aligned quantity to map the SAREA. --BenH
180 	 */
181 	if (map->type == _DRM_SHM)
182 		map->size = PAGE_ALIGN(map->size);
183 
184 	if ((map->offset & (~(resource_size_t)PAGE_MASK)) || (map->size & (~PAGE_MASK))) {
185 		kfree(map);
186 		return -EINVAL;
187 	}
188 	map->mtrr = -1;
189 	map->handle = NULL;
190 
191 	switch (map->type) {
192 	case _DRM_REGISTERS:
193 	case _DRM_FRAME_BUFFER:
194 #if !defined(__sparc__) && !defined(__alpha__) && !defined(__ia64__) && !defined(__powerpc64__) && !defined(__x86_64__) && !defined(__arm__)
195 		if (map->offset + (map->size-1) < map->offset ||
196 		    map->offset < virt_to_phys(high_memory)) {
197 			kfree(map);
198 			return -EINVAL;
199 		}
200 #endif
201 		/* Some drivers preinitialize some maps, without the X Server
202 		 * needing to be aware of it.  Therefore, we just return success
203 		 * when the server tries to create a duplicate map.
204 		 */
205 		list = drm_find_matching_map(dev, map);
206 		if (list != NULL) {
207 			if (list->map->size != map->size) {
208 				DRM_DEBUG("Matching maps of type %d with "
209 					  "mismatched sizes, (%ld vs %ld)\n",
210 					  map->type, map->size,
211 					  list->map->size);
212 				list->map->size = map->size;
213 			}
214 
215 			kfree(map);
216 			*maplist = list;
217 			return 0;
218 		}
219 
220 		if (map->type == _DRM_FRAME_BUFFER ||
221 		    (map->flags & _DRM_WRITE_COMBINING)) {
222 			map->mtrr =
223 				arch_phys_wc_add(map->offset, map->size);
224 		}
225 		if (map->type == _DRM_REGISTERS) {
226 			if (map->flags & _DRM_WRITE_COMBINING)
227 				map->handle = ioremap_wc(map->offset,
228 							 map->size);
229 			else
230 				map->handle = ioremap(map->offset, map->size);
231 			if (!map->handle) {
232 				kfree(map);
233 				return -ENOMEM;
234 			}
235 		}
236 
237 		break;
238 	case _DRM_SHM:
239 		list = drm_find_matching_map(dev, map);
240 		if (list != NULL) {
241 			if (list->map->size != map->size) {
242 				DRM_DEBUG("Matching maps of type %d with "
243 					  "mismatched sizes, (%ld vs %ld)\n",
244 					  map->type, map->size, list->map->size);
245 				list->map->size = map->size;
246 			}
247 
248 			kfree(map);
249 			*maplist = list;
250 			return 0;
251 		}
252 		map->handle = vmalloc_user(map->size);
253 		DRM_DEBUG("%lu %d %p\n",
254 			  map->size, order_base_2(map->size), map->handle);
255 		if (!map->handle) {
256 			kfree(map);
257 			return -ENOMEM;
258 		}
259 		map->offset = (unsigned long)map->handle;
260 		if (map->flags & _DRM_CONTAINS_LOCK) {
261 			/* Prevent a 2nd X Server from creating a 2nd lock */
262 			if (dev->master->lock.hw_lock != NULL) {
263 				vfree(map->handle);
264 				kfree(map);
265 				return -EBUSY;
266 			}
267 			dev->sigdata.lock = dev->master->lock.hw_lock = map->handle;	/* Pointer to lock */
268 		}
269 		break;
270 	case _DRM_AGP: {
271 		struct drm_agp_mem *entry;
272 		int valid = 0;
273 
274 		if (!dev->agp) {
275 			kfree(map);
276 			return -EINVAL;
277 		}
278 #ifdef __alpha__
279 		map->offset += dev->hose->mem_space->start;
280 #endif
281 		/* In some cases (i810 driver), user space may have already
282 		 * added the AGP base itself, because dev->agp->base previously
283 		 * only got set during AGP enable.  So, only add the base
284 		 * address if the map's offset isn't already within the
285 		 * aperture.
286 		 */
287 		if (map->offset < dev->agp->base ||
288 		    map->offset > dev->agp->base +
289 		    dev->agp->agp_info.aper_size * 1024 * 1024 - 1) {
290 			map->offset += dev->agp->base;
291 		}
292 		map->mtrr = dev->agp->agp_mtrr;	/* for getmap */
293 
294 		/* This assumes the DRM is in total control of AGP space.
295 		 * It's not always the case as AGP can be in the control
296 		 * of user space (i.e. i810 driver). So this loop will get
297 		 * skipped and we double check that dev->agp->memory is
298 		 * actually set as well as being invalid before EPERM'ing
299 		 */
300 		list_for_each_entry(entry, &dev->agp->memory, head) {
301 			if ((map->offset >= entry->bound) &&
302 			    (map->offset + map->size <= entry->bound + entry->pages * PAGE_SIZE)) {
303 				valid = 1;
304 				break;
305 			}
306 		}
307 		if (!list_empty(&dev->agp->memory) && !valid) {
308 			kfree(map);
309 			return -EPERM;
310 		}
311 		DRM_DEBUG("AGP offset = 0x%08llx, size = 0x%08lx\n",
312 			  (unsigned long long)map->offset, map->size);
313 
314 		break;
315 	}
316 	case _DRM_SCATTER_GATHER:
317 		if (!dev->sg) {
318 			kfree(map);
319 			return -EINVAL;
320 		}
321 		map->offset += (unsigned long)dev->sg->virtual;
322 		break;
323 	case _DRM_CONSISTENT:
324 		/* dma_addr_t is 64bit on i386 with CONFIG_HIGHMEM64G,
325 		 * As we're limiting the address to 2^32-1 (or less),
326 		 * casting it down to 32 bits is no problem, but we
327 		 * need to point to a 64bit variable first. */
328 		map->handle = dma_alloc_coherent(&dev->pdev->dev,
329 						 map->size,
330 						 &map->offset,
331 						 GFP_KERNEL);
332 		if (!map->handle) {
333 			kfree(map);
334 			return -ENOMEM;
335 		}
336 		break;
337 	default:
338 		kfree(map);
339 		return -EINVAL;
340 	}
341 
342 	list = kzalloc(sizeof(*list), GFP_KERNEL);
343 	if (!list) {
344 		if (map->type == _DRM_REGISTERS)
345 			iounmap(map->handle);
346 		kfree(map);
347 		return -EINVAL;
348 	}
349 	list->map = map;
350 
351 	mutex_lock(&dev->struct_mutex);
352 	list_add(&list->head, &dev->maplist);
353 
354 	/* Assign a 32-bit handle */
355 	/* We do it here so that dev->struct_mutex protects the increment */
356 	user_token = (map->type == _DRM_SHM) ? (unsigned long)map->handle :
357 		map->offset;
358 	ret = drm_map_handle(dev, &list->hash, user_token, 0,
359 			     (map->type == _DRM_SHM));
360 	if (ret) {
361 		if (map->type == _DRM_REGISTERS)
362 			iounmap(map->handle);
363 		kfree(map);
364 		kfree(list);
365 		mutex_unlock(&dev->struct_mutex);
366 		return ret;
367 	}
368 
369 	list->user_token = list->hash.key << PAGE_SHIFT;
370 	mutex_unlock(&dev->struct_mutex);
371 
372 	if (!(map->flags & _DRM_DRIVER))
373 		list->master = dev->master;
374 	*maplist = list;
375 	return 0;
376 }
377 
drm_legacy_addmap(struct drm_device * dev,resource_size_t offset,unsigned int size,enum drm_map_type type,enum drm_map_flags flags,struct drm_local_map ** map_ptr)378 int drm_legacy_addmap(struct drm_device *dev, resource_size_t offset,
379 		      unsigned int size, enum drm_map_type type,
380 		      enum drm_map_flags flags, struct drm_local_map **map_ptr)
381 {
382 	struct drm_map_list *list;
383 	int rc;
384 
385 	rc = drm_addmap_core(dev, offset, size, type, flags, &list);
386 	if (!rc)
387 		*map_ptr = list->map;
388 	return rc;
389 }
390 EXPORT_SYMBOL(drm_legacy_addmap);
391 
drm_legacy_findmap(struct drm_device * dev,unsigned int token)392 struct drm_local_map *drm_legacy_findmap(struct drm_device *dev,
393 					 unsigned int token)
394 {
395 	struct drm_map_list *_entry;
396 
397 	list_for_each_entry(_entry, &dev->maplist, head)
398 		if (_entry->user_token == token)
399 			return _entry->map;
400 	return NULL;
401 }
402 EXPORT_SYMBOL(drm_legacy_findmap);
403 
404 /*
405  * Ioctl to specify a range of memory that is available for mapping by a
406  * non-root process.
407  *
408  * \param inode device inode.
409  * \param file_priv DRM file private.
410  * \param cmd command.
411  * \param arg pointer to a drm_map structure.
412  * \return zero on success or a negative value on error.
413  *
414  */
drm_legacy_addmap_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)415 int drm_legacy_addmap_ioctl(struct drm_device *dev, void *data,
416 			    struct drm_file *file_priv)
417 {
418 	struct drm_map *map = data;
419 	struct drm_map_list *maplist;
420 	int err;
421 
422 	if (!(capable(CAP_SYS_ADMIN) || map->type == _DRM_AGP || map->type == _DRM_SHM))
423 		return -EPERM;
424 
425 	if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) &&
426 	    !drm_core_check_feature(dev, DRIVER_LEGACY))
427 		return -EOPNOTSUPP;
428 
429 	err = drm_addmap_core(dev, map->offset, map->size, map->type,
430 			      map->flags, &maplist);
431 
432 	if (err)
433 		return err;
434 
435 	/* avoid a warning on 64-bit, this casting isn't very nice, but the API is set so too late */
436 	map->handle = (void *)(unsigned long)maplist->user_token;
437 
438 	/*
439 	 * It appears that there are no users of this value whatsoever --
440 	 * drmAddMap just discards it.  Let's not encourage its use.
441 	 * (Keeping drm_addmap_core's returned mtrr value would be wrong --
442 	 *  it's not a real mtrr index anymore.)
443 	 */
444 	map->mtrr = -1;
445 
446 	return 0;
447 }
448 
449 /*
450  * Get a mapping information.
451  *
452  * \param inode device inode.
453  * \param file_priv DRM file private.
454  * \param cmd command.
455  * \param arg user argument, pointing to a drm_map structure.
456  *
457  * \return zero on success or a negative number on failure.
458  *
459  * Searches for the mapping with the specified offset and copies its information
460  * into userspace
461  */
drm_legacy_getmap_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)462 int drm_legacy_getmap_ioctl(struct drm_device *dev, void *data,
463 			    struct drm_file *file_priv)
464 {
465 	struct drm_map *map = data;
466 	struct drm_map_list *r_list = NULL;
467 	struct list_head *list;
468 	int idx;
469 	int i;
470 
471 	if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) &&
472 	    !drm_core_check_feature(dev, DRIVER_LEGACY))
473 		return -EOPNOTSUPP;
474 
475 	idx = map->offset;
476 	if (idx < 0)
477 		return -EINVAL;
478 
479 	i = 0;
480 	mutex_lock(&dev->struct_mutex);
481 	list_for_each(list, &dev->maplist) {
482 		if (i == idx) {
483 			r_list = list_entry(list, struct drm_map_list, head);
484 			break;
485 		}
486 		i++;
487 	}
488 	if (!r_list || !r_list->map) {
489 		mutex_unlock(&dev->struct_mutex);
490 		return -EINVAL;
491 	}
492 
493 	map->offset = r_list->map->offset;
494 	map->size = r_list->map->size;
495 	map->type = r_list->map->type;
496 	map->flags = r_list->map->flags;
497 	map->handle = (void *)(unsigned long) r_list->user_token;
498 	map->mtrr = arch_phys_wc_index(r_list->map->mtrr);
499 
500 	mutex_unlock(&dev->struct_mutex);
501 
502 	return 0;
503 }
504 
505 /*
506  * Remove a map private from list and deallocate resources if the mapping
507  * isn't in use.
508  *
509  * Searches the map on drm_device::maplist, removes it from the list, see if
510  * it's being used, and free any associated resource (such as MTRR's) if it's not
511  * being on use.
512  *
513  * \sa drm_legacy_addmap
514  */
drm_legacy_rmmap_locked(struct drm_device * dev,struct drm_local_map * map)515 int drm_legacy_rmmap_locked(struct drm_device *dev, struct drm_local_map *map)
516 {
517 	struct drm_map_list *r_list = NULL, *list_t;
518 	int found = 0;
519 	struct drm_master *master;
520 
521 	/* Find the list entry for the map and remove it */
522 	list_for_each_entry_safe(r_list, list_t, &dev->maplist, head) {
523 		if (r_list->map == map) {
524 			master = r_list->master;
525 			list_del(&r_list->head);
526 			drm_ht_remove_key(&dev->map_hash,
527 					  r_list->user_token >> PAGE_SHIFT);
528 			kfree(r_list);
529 			found = 1;
530 			break;
531 		}
532 	}
533 
534 	if (!found)
535 		return -EINVAL;
536 
537 	switch (map->type) {
538 	case _DRM_REGISTERS:
539 		iounmap(map->handle);
540 		fallthrough;
541 	case _DRM_FRAME_BUFFER:
542 		arch_phys_wc_del(map->mtrr);
543 		break;
544 	case _DRM_SHM:
545 		vfree(map->handle);
546 		if (master) {
547 			if (dev->sigdata.lock == master->lock.hw_lock)
548 				dev->sigdata.lock = NULL;
549 			master->lock.hw_lock = NULL;   /* SHM removed */
550 			master->lock.file_priv = NULL;
551 			wake_up_interruptible_all(&master->lock.lock_queue);
552 		}
553 		break;
554 	case _DRM_AGP:
555 	case _DRM_SCATTER_GATHER:
556 		break;
557 	case _DRM_CONSISTENT:
558 		dma_free_coherent(&dev->pdev->dev,
559 				  map->size,
560 				  map->handle,
561 				  map->offset);
562 		break;
563 	}
564 	kfree(map);
565 
566 	return 0;
567 }
568 EXPORT_SYMBOL(drm_legacy_rmmap_locked);
569 
drm_legacy_rmmap(struct drm_device * dev,struct drm_local_map * map)570 void drm_legacy_rmmap(struct drm_device *dev, struct drm_local_map *map)
571 {
572 	if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) &&
573 	    !drm_core_check_feature(dev, DRIVER_LEGACY))
574 		return;
575 
576 	mutex_lock(&dev->struct_mutex);
577 	drm_legacy_rmmap_locked(dev, map);
578 	mutex_unlock(&dev->struct_mutex);
579 }
580 EXPORT_SYMBOL(drm_legacy_rmmap);
581 
drm_legacy_master_rmmaps(struct drm_device * dev,struct drm_master * master)582 void drm_legacy_master_rmmaps(struct drm_device *dev, struct drm_master *master)
583 {
584 	struct drm_map_list *r_list, *list_temp;
585 
586 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
587 		return;
588 
589 	mutex_lock(&dev->struct_mutex);
590 	list_for_each_entry_safe(r_list, list_temp, &dev->maplist, head) {
591 		if (r_list->master == master) {
592 			drm_legacy_rmmap_locked(dev, r_list->map);
593 			r_list = NULL;
594 		}
595 	}
596 	mutex_unlock(&dev->struct_mutex);
597 }
598 
drm_legacy_rmmaps(struct drm_device * dev)599 void drm_legacy_rmmaps(struct drm_device *dev)
600 {
601 	struct drm_map_list *r_list, *list_temp;
602 
603 	list_for_each_entry_safe(r_list, list_temp, &dev->maplist, head)
604 		drm_legacy_rmmap(dev, r_list->map);
605 }
606 
607 /* The rmmap ioctl appears to be unnecessary.  All mappings are torn down on
608  * the last close of the device, and this is necessary for cleanup when things
609  * exit uncleanly.  Therefore, having userland manually remove mappings seems
610  * like a pointless exercise since they're going away anyway.
611  *
612  * One use case might be after addmap is allowed for normal users for SHM and
613  * gets used by drivers that the server doesn't need to care about.  This seems
614  * unlikely.
615  *
616  * \param inode device inode.
617  * \param file_priv DRM file private.
618  * \param cmd command.
619  * \param arg pointer to a struct drm_map structure.
620  * \return zero on success or a negative value on error.
621  */
drm_legacy_rmmap_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)622 int drm_legacy_rmmap_ioctl(struct drm_device *dev, void *data,
623 			   struct drm_file *file_priv)
624 {
625 	struct drm_map *request = data;
626 	struct drm_local_map *map = NULL;
627 	struct drm_map_list *r_list;
628 	int ret;
629 
630 	if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) &&
631 	    !drm_core_check_feature(dev, DRIVER_LEGACY))
632 		return -EOPNOTSUPP;
633 
634 	mutex_lock(&dev->struct_mutex);
635 	list_for_each_entry(r_list, &dev->maplist, head) {
636 		if (r_list->map &&
637 		    r_list->user_token == (unsigned long)request->handle &&
638 		    r_list->map->flags & _DRM_REMOVABLE) {
639 			map = r_list->map;
640 			break;
641 		}
642 	}
643 
644 	/* List has wrapped around to the head pointer, or it's empty we didn't
645 	 * find anything.
646 	 */
647 	if (list_empty(&dev->maplist) || !map) {
648 		mutex_unlock(&dev->struct_mutex);
649 		return -EINVAL;
650 	}
651 
652 	/* Register and framebuffer maps are permanent */
653 	if ((map->type == _DRM_REGISTERS) || (map->type == _DRM_FRAME_BUFFER)) {
654 		mutex_unlock(&dev->struct_mutex);
655 		return 0;
656 	}
657 
658 	ret = drm_legacy_rmmap_locked(dev, map);
659 
660 	mutex_unlock(&dev->struct_mutex);
661 
662 	return ret;
663 }
664 
665 /*
666  * Cleanup after an error on one of the addbufs() functions.
667  *
668  * \param dev DRM device.
669  * \param entry buffer entry where the error occurred.
670  *
671  * Frees any pages and buffers associated with the given entry.
672  */
drm_cleanup_buf_error(struct drm_device * dev,struct drm_buf_entry * entry)673 static void drm_cleanup_buf_error(struct drm_device *dev,
674 				  struct drm_buf_entry *entry)
675 {
676 	int i;
677 
678 	if (entry->seg_count) {
679 		for (i = 0; i < entry->seg_count; i++) {
680 			if (entry->seglist[i]) {
681 				drm_pci_free(dev, entry->seglist[i]);
682 			}
683 		}
684 		kfree(entry->seglist);
685 
686 		entry->seg_count = 0;
687 	}
688 
689 	if (entry->buf_count) {
690 		for (i = 0; i < entry->buf_count; i++) {
691 			kfree(entry->buflist[i].dev_private);
692 		}
693 		kfree(entry->buflist);
694 
695 		entry->buf_count = 0;
696 	}
697 }
698 
699 #if IS_ENABLED(CONFIG_AGP)
700 /*
701  * Add AGP buffers for DMA transfers.
702  *
703  * \param dev struct drm_device to which the buffers are to be added.
704  * \param request pointer to a struct drm_buf_desc describing the request.
705  * \return zero on success or a negative number on failure.
706  *
707  * After some sanity checks creates a drm_buf structure for each buffer and
708  * reallocates the buffer list of the same size order to accommodate the new
709  * buffers.
710  */
drm_legacy_addbufs_agp(struct drm_device * dev,struct drm_buf_desc * request)711 int drm_legacy_addbufs_agp(struct drm_device *dev,
712 			   struct drm_buf_desc *request)
713 {
714 	struct drm_device_dma *dma = dev->dma;
715 	struct drm_buf_entry *entry;
716 	struct drm_agp_mem *agp_entry;
717 	struct drm_buf *buf;
718 	unsigned long offset;
719 	unsigned long agp_offset;
720 	int count;
721 	int order;
722 	int size;
723 	int alignment;
724 	int page_order;
725 	int total;
726 	int byte_count;
727 	int i, valid;
728 	struct drm_buf **temp_buflist;
729 
730 	if (!dma)
731 		return -EINVAL;
732 
733 	count = request->count;
734 	order = order_base_2(request->size);
735 	size = 1 << order;
736 
737 	alignment = (request->flags & _DRM_PAGE_ALIGN)
738 	    ? PAGE_ALIGN(size) : size;
739 	page_order = order - PAGE_SHIFT > 0 ? order - PAGE_SHIFT : 0;
740 	total = PAGE_SIZE << page_order;
741 
742 	byte_count = 0;
743 	agp_offset = dev->agp->base + request->agp_start;
744 
745 	DRM_DEBUG("count:      %d\n", count);
746 	DRM_DEBUG("order:      %d\n", order);
747 	DRM_DEBUG("size:       %d\n", size);
748 	DRM_DEBUG("agp_offset: %lx\n", agp_offset);
749 	DRM_DEBUG("alignment:  %d\n", alignment);
750 	DRM_DEBUG("page_order: %d\n", page_order);
751 	DRM_DEBUG("total:      %d\n", total);
752 
753 	if (order < DRM_MIN_ORDER || order > DRM_MAX_ORDER)
754 		return -EINVAL;
755 
756 	/* Make sure buffers are located in AGP memory that we own */
757 	valid = 0;
758 	list_for_each_entry(agp_entry, &dev->agp->memory, head) {
759 		if ((agp_offset >= agp_entry->bound) &&
760 		    (agp_offset + total * count <= agp_entry->bound + agp_entry->pages * PAGE_SIZE)) {
761 			valid = 1;
762 			break;
763 		}
764 	}
765 	if (!list_empty(&dev->agp->memory) && !valid) {
766 		DRM_DEBUG("zone invalid\n");
767 		return -EINVAL;
768 	}
769 	spin_lock(&dev->buf_lock);
770 	if (dev->buf_use) {
771 		spin_unlock(&dev->buf_lock);
772 		return -EBUSY;
773 	}
774 	atomic_inc(&dev->buf_alloc);
775 	spin_unlock(&dev->buf_lock);
776 
777 	mutex_lock(&dev->struct_mutex);
778 	entry = &dma->bufs[order];
779 	if (entry->buf_count) {
780 		mutex_unlock(&dev->struct_mutex);
781 		atomic_dec(&dev->buf_alloc);
782 		return -ENOMEM;	/* May only call once for each order */
783 	}
784 
785 	if (count < 0 || count > 4096) {
786 		mutex_unlock(&dev->struct_mutex);
787 		atomic_dec(&dev->buf_alloc);
788 		return -EINVAL;
789 	}
790 
791 	entry->buflist = kcalloc(count, sizeof(*entry->buflist), GFP_KERNEL);
792 	if (!entry->buflist) {
793 		mutex_unlock(&dev->struct_mutex);
794 		atomic_dec(&dev->buf_alloc);
795 		return -ENOMEM;
796 	}
797 
798 	entry->buf_size = size;
799 	entry->page_order = page_order;
800 
801 	offset = 0;
802 
803 	while (entry->buf_count < count) {
804 		buf = &entry->buflist[entry->buf_count];
805 		buf->idx = dma->buf_count + entry->buf_count;
806 		buf->total = alignment;
807 		buf->order = order;
808 		buf->used = 0;
809 
810 		buf->offset = (dma->byte_count + offset);
811 		buf->bus_address = agp_offset + offset;
812 		buf->address = (void *)(agp_offset + offset);
813 		buf->next = NULL;
814 		buf->waiting = 0;
815 		buf->pending = 0;
816 		buf->file_priv = NULL;
817 
818 		buf->dev_priv_size = dev->driver->dev_priv_size;
819 		buf->dev_private = kzalloc(buf->dev_priv_size, GFP_KERNEL);
820 		if (!buf->dev_private) {
821 			/* Set count correctly so we free the proper amount. */
822 			entry->buf_count = count;
823 			drm_cleanup_buf_error(dev, entry);
824 			mutex_unlock(&dev->struct_mutex);
825 			atomic_dec(&dev->buf_alloc);
826 			return -ENOMEM;
827 		}
828 
829 		DRM_DEBUG("buffer %d @ %p\n", entry->buf_count, buf->address);
830 
831 		offset += alignment;
832 		entry->buf_count++;
833 		byte_count += PAGE_SIZE << page_order;
834 	}
835 
836 	DRM_DEBUG("byte_count: %d\n", byte_count);
837 
838 	temp_buflist = krealloc(dma->buflist,
839 				(dma->buf_count + entry->buf_count) *
840 				sizeof(*dma->buflist), GFP_KERNEL);
841 	if (!temp_buflist) {
842 		/* Free the entry because it isn't valid */
843 		drm_cleanup_buf_error(dev, entry);
844 		mutex_unlock(&dev->struct_mutex);
845 		atomic_dec(&dev->buf_alloc);
846 		return -ENOMEM;
847 	}
848 	dma->buflist = temp_buflist;
849 
850 	for (i = 0; i < entry->buf_count; i++) {
851 		dma->buflist[i + dma->buf_count] = &entry->buflist[i];
852 	}
853 
854 	dma->buf_count += entry->buf_count;
855 	dma->seg_count += entry->seg_count;
856 	dma->page_count += byte_count >> PAGE_SHIFT;
857 	dma->byte_count += byte_count;
858 
859 	DRM_DEBUG("dma->buf_count : %d\n", dma->buf_count);
860 	DRM_DEBUG("entry->buf_count : %d\n", entry->buf_count);
861 
862 	mutex_unlock(&dev->struct_mutex);
863 
864 	request->count = entry->buf_count;
865 	request->size = size;
866 
867 	dma->flags = _DRM_DMA_USE_AGP;
868 
869 	atomic_dec(&dev->buf_alloc);
870 	return 0;
871 }
872 EXPORT_SYMBOL(drm_legacy_addbufs_agp);
873 #endif /* CONFIG_AGP */
874 
drm_legacy_addbufs_pci(struct drm_device * dev,struct drm_buf_desc * request)875 int drm_legacy_addbufs_pci(struct drm_device *dev,
876 			   struct drm_buf_desc *request)
877 {
878 	struct drm_device_dma *dma = dev->dma;
879 	int count;
880 	int order;
881 	int size;
882 	int total;
883 	int page_order;
884 	struct drm_buf_entry *entry;
885 	drm_dma_handle_t *dmah;
886 	struct drm_buf *buf;
887 	int alignment;
888 	unsigned long offset;
889 	int i;
890 	int byte_count;
891 	int page_count;
892 	unsigned long *temp_pagelist;
893 	struct drm_buf **temp_buflist;
894 
895 	if (!drm_core_check_feature(dev, DRIVER_PCI_DMA))
896 		return -EOPNOTSUPP;
897 
898 	if (!dma)
899 		return -EINVAL;
900 
901 	if (!capable(CAP_SYS_ADMIN))
902 		return -EPERM;
903 
904 	count = request->count;
905 	order = order_base_2(request->size);
906 	size = 1 << order;
907 
908 	DRM_DEBUG("count=%d, size=%d (%d), order=%d\n",
909 		  request->count, request->size, size, order);
910 
911 	if (order < DRM_MIN_ORDER || order > DRM_MAX_ORDER)
912 		return -EINVAL;
913 
914 	alignment = (request->flags & _DRM_PAGE_ALIGN)
915 	    ? PAGE_ALIGN(size) : size;
916 	page_order = order - PAGE_SHIFT > 0 ? order - PAGE_SHIFT : 0;
917 	total = PAGE_SIZE << page_order;
918 
919 	spin_lock(&dev->buf_lock);
920 	if (dev->buf_use) {
921 		spin_unlock(&dev->buf_lock);
922 		return -EBUSY;
923 	}
924 	atomic_inc(&dev->buf_alloc);
925 	spin_unlock(&dev->buf_lock);
926 
927 	mutex_lock(&dev->struct_mutex);
928 	entry = &dma->bufs[order];
929 	if (entry->buf_count) {
930 		mutex_unlock(&dev->struct_mutex);
931 		atomic_dec(&dev->buf_alloc);
932 		return -ENOMEM;	/* May only call once for each order */
933 	}
934 
935 	if (count < 0 || count > 4096) {
936 		mutex_unlock(&dev->struct_mutex);
937 		atomic_dec(&dev->buf_alloc);
938 		return -EINVAL;
939 	}
940 
941 	entry->buflist = kcalloc(count, sizeof(*entry->buflist), GFP_KERNEL);
942 	if (!entry->buflist) {
943 		mutex_unlock(&dev->struct_mutex);
944 		atomic_dec(&dev->buf_alloc);
945 		return -ENOMEM;
946 	}
947 
948 	entry->seglist = kcalloc(count, sizeof(*entry->seglist), GFP_KERNEL);
949 	if (!entry->seglist) {
950 		kfree(entry->buflist);
951 		mutex_unlock(&dev->struct_mutex);
952 		atomic_dec(&dev->buf_alloc);
953 		return -ENOMEM;
954 	}
955 
956 	/* Keep the original pagelist until we know all the allocations
957 	 * have succeeded
958 	 */
959 	temp_pagelist = kmalloc_array(dma->page_count + (count << page_order),
960 				      sizeof(*dma->pagelist),
961 				      GFP_KERNEL);
962 	if (!temp_pagelist) {
963 		kfree(entry->buflist);
964 		kfree(entry->seglist);
965 		mutex_unlock(&dev->struct_mutex);
966 		atomic_dec(&dev->buf_alloc);
967 		return -ENOMEM;
968 	}
969 	memcpy(temp_pagelist,
970 	       dma->pagelist, dma->page_count * sizeof(*dma->pagelist));
971 	DRM_DEBUG("pagelist: %d entries\n",
972 		  dma->page_count + (count << page_order));
973 
974 	entry->buf_size = size;
975 	entry->page_order = page_order;
976 	byte_count = 0;
977 	page_count = 0;
978 
979 	while (entry->buf_count < count) {
980 
981 		dmah = drm_pci_alloc(dev, PAGE_SIZE << page_order, 0x1000);
982 
983 		if (!dmah) {
984 			/* Set count correctly so we free the proper amount. */
985 			entry->buf_count = count;
986 			entry->seg_count = count;
987 			drm_cleanup_buf_error(dev, entry);
988 			kfree(temp_pagelist);
989 			mutex_unlock(&dev->struct_mutex);
990 			atomic_dec(&dev->buf_alloc);
991 			return -ENOMEM;
992 		}
993 		entry->seglist[entry->seg_count++] = dmah;
994 		for (i = 0; i < (1 << page_order); i++) {
995 			DRM_DEBUG("page %d @ 0x%08lx\n",
996 				  dma->page_count + page_count,
997 				  (unsigned long)dmah->vaddr + PAGE_SIZE * i);
998 			temp_pagelist[dma->page_count + page_count++]
999 				= (unsigned long)dmah->vaddr + PAGE_SIZE * i;
1000 		}
1001 		for (offset = 0;
1002 		     offset + size <= total && entry->buf_count < count;
1003 		     offset += alignment, ++entry->buf_count) {
1004 			buf = &entry->buflist[entry->buf_count];
1005 			buf->idx = dma->buf_count + entry->buf_count;
1006 			buf->total = alignment;
1007 			buf->order = order;
1008 			buf->used = 0;
1009 			buf->offset = (dma->byte_count + byte_count + offset);
1010 			buf->address = (void *)(dmah->vaddr + offset);
1011 			buf->bus_address = dmah->busaddr + offset;
1012 			buf->next = NULL;
1013 			buf->waiting = 0;
1014 			buf->pending = 0;
1015 			buf->file_priv = NULL;
1016 
1017 			buf->dev_priv_size = dev->driver->dev_priv_size;
1018 			buf->dev_private = kzalloc(buf->dev_priv_size,
1019 						GFP_KERNEL);
1020 			if (!buf->dev_private) {
1021 				/* Set count correctly so we free the proper amount. */
1022 				entry->buf_count = count;
1023 				entry->seg_count = count;
1024 				drm_cleanup_buf_error(dev, entry);
1025 				kfree(temp_pagelist);
1026 				mutex_unlock(&dev->struct_mutex);
1027 				atomic_dec(&dev->buf_alloc);
1028 				return -ENOMEM;
1029 			}
1030 
1031 			DRM_DEBUG("buffer %d @ %p\n",
1032 				  entry->buf_count, buf->address);
1033 		}
1034 		byte_count += PAGE_SIZE << page_order;
1035 	}
1036 
1037 	temp_buflist = krealloc(dma->buflist,
1038 				(dma->buf_count + entry->buf_count) *
1039 				sizeof(*dma->buflist), GFP_KERNEL);
1040 	if (!temp_buflist) {
1041 		/* Free the entry because it isn't valid */
1042 		drm_cleanup_buf_error(dev, entry);
1043 		kfree(temp_pagelist);
1044 		mutex_unlock(&dev->struct_mutex);
1045 		atomic_dec(&dev->buf_alloc);
1046 		return -ENOMEM;
1047 	}
1048 	dma->buflist = temp_buflist;
1049 
1050 	for (i = 0; i < entry->buf_count; i++) {
1051 		dma->buflist[i + dma->buf_count] = &entry->buflist[i];
1052 	}
1053 
1054 	/* No allocations failed, so now we can replace the original pagelist
1055 	 * with the new one.
1056 	 */
1057 	if (dma->page_count) {
1058 		kfree(dma->pagelist);
1059 	}
1060 	dma->pagelist = temp_pagelist;
1061 
1062 	dma->buf_count += entry->buf_count;
1063 	dma->seg_count += entry->seg_count;
1064 	dma->page_count += entry->seg_count << page_order;
1065 	dma->byte_count += PAGE_SIZE * (entry->seg_count << page_order);
1066 
1067 	mutex_unlock(&dev->struct_mutex);
1068 
1069 	request->count = entry->buf_count;
1070 	request->size = size;
1071 
1072 	if (request->flags & _DRM_PCI_BUFFER_RO)
1073 		dma->flags = _DRM_DMA_USE_PCI_RO;
1074 
1075 	atomic_dec(&dev->buf_alloc);
1076 	return 0;
1077 
1078 }
1079 EXPORT_SYMBOL(drm_legacy_addbufs_pci);
1080 
drm_legacy_addbufs_sg(struct drm_device * dev,struct drm_buf_desc * request)1081 static int drm_legacy_addbufs_sg(struct drm_device *dev,
1082 				 struct drm_buf_desc *request)
1083 {
1084 	struct drm_device_dma *dma = dev->dma;
1085 	struct drm_buf_entry *entry;
1086 	struct drm_buf *buf;
1087 	unsigned long offset;
1088 	unsigned long agp_offset;
1089 	int count;
1090 	int order;
1091 	int size;
1092 	int alignment;
1093 	int page_order;
1094 	int total;
1095 	int byte_count;
1096 	int i;
1097 	struct drm_buf **temp_buflist;
1098 
1099 	if (!drm_core_check_feature(dev, DRIVER_SG))
1100 		return -EOPNOTSUPP;
1101 
1102 	if (!dma)
1103 		return -EINVAL;
1104 
1105 	if (!capable(CAP_SYS_ADMIN))
1106 		return -EPERM;
1107 
1108 	count = request->count;
1109 	order = order_base_2(request->size);
1110 	size = 1 << order;
1111 
1112 	alignment = (request->flags & _DRM_PAGE_ALIGN)
1113 	    ? PAGE_ALIGN(size) : size;
1114 	page_order = order - PAGE_SHIFT > 0 ? order - PAGE_SHIFT : 0;
1115 	total = PAGE_SIZE << page_order;
1116 
1117 	byte_count = 0;
1118 	agp_offset = request->agp_start;
1119 
1120 	DRM_DEBUG("count:      %d\n", count);
1121 	DRM_DEBUG("order:      %d\n", order);
1122 	DRM_DEBUG("size:       %d\n", size);
1123 	DRM_DEBUG("agp_offset: %lu\n", agp_offset);
1124 	DRM_DEBUG("alignment:  %d\n", alignment);
1125 	DRM_DEBUG("page_order: %d\n", page_order);
1126 	DRM_DEBUG("total:      %d\n", total);
1127 
1128 	if (order < DRM_MIN_ORDER || order > DRM_MAX_ORDER)
1129 		return -EINVAL;
1130 
1131 	spin_lock(&dev->buf_lock);
1132 	if (dev->buf_use) {
1133 		spin_unlock(&dev->buf_lock);
1134 		return -EBUSY;
1135 	}
1136 	atomic_inc(&dev->buf_alloc);
1137 	spin_unlock(&dev->buf_lock);
1138 
1139 	mutex_lock(&dev->struct_mutex);
1140 	entry = &dma->bufs[order];
1141 	if (entry->buf_count) {
1142 		mutex_unlock(&dev->struct_mutex);
1143 		atomic_dec(&dev->buf_alloc);
1144 		return -ENOMEM;	/* May only call once for each order */
1145 	}
1146 
1147 	if (count < 0 || count > 4096) {
1148 		mutex_unlock(&dev->struct_mutex);
1149 		atomic_dec(&dev->buf_alloc);
1150 		return -EINVAL;
1151 	}
1152 
1153 	entry->buflist = kcalloc(count, sizeof(*entry->buflist), GFP_KERNEL);
1154 	if (!entry->buflist) {
1155 		mutex_unlock(&dev->struct_mutex);
1156 		atomic_dec(&dev->buf_alloc);
1157 		return -ENOMEM;
1158 	}
1159 
1160 	entry->buf_size = size;
1161 	entry->page_order = page_order;
1162 
1163 	offset = 0;
1164 
1165 	while (entry->buf_count < count) {
1166 		buf = &entry->buflist[entry->buf_count];
1167 		buf->idx = dma->buf_count + entry->buf_count;
1168 		buf->total = alignment;
1169 		buf->order = order;
1170 		buf->used = 0;
1171 
1172 		buf->offset = (dma->byte_count + offset);
1173 		buf->bus_address = agp_offset + offset;
1174 		buf->address = (void *)(agp_offset + offset
1175 					+ (unsigned long)dev->sg->virtual);
1176 		buf->next = NULL;
1177 		buf->waiting = 0;
1178 		buf->pending = 0;
1179 		buf->file_priv = NULL;
1180 
1181 		buf->dev_priv_size = dev->driver->dev_priv_size;
1182 		buf->dev_private = kzalloc(buf->dev_priv_size, GFP_KERNEL);
1183 		if (!buf->dev_private) {
1184 			/* Set count correctly so we free the proper amount. */
1185 			entry->buf_count = count;
1186 			drm_cleanup_buf_error(dev, entry);
1187 			mutex_unlock(&dev->struct_mutex);
1188 			atomic_dec(&dev->buf_alloc);
1189 			return -ENOMEM;
1190 		}
1191 
1192 		DRM_DEBUG("buffer %d @ %p\n", entry->buf_count, buf->address);
1193 
1194 		offset += alignment;
1195 		entry->buf_count++;
1196 		byte_count += PAGE_SIZE << page_order;
1197 	}
1198 
1199 	DRM_DEBUG("byte_count: %d\n", byte_count);
1200 
1201 	temp_buflist = krealloc(dma->buflist,
1202 				(dma->buf_count + entry->buf_count) *
1203 				sizeof(*dma->buflist), GFP_KERNEL);
1204 	if (!temp_buflist) {
1205 		/* Free the entry because it isn't valid */
1206 		drm_cleanup_buf_error(dev, entry);
1207 		mutex_unlock(&dev->struct_mutex);
1208 		atomic_dec(&dev->buf_alloc);
1209 		return -ENOMEM;
1210 	}
1211 	dma->buflist = temp_buflist;
1212 
1213 	for (i = 0; i < entry->buf_count; i++) {
1214 		dma->buflist[i + dma->buf_count] = &entry->buflist[i];
1215 	}
1216 
1217 	dma->buf_count += entry->buf_count;
1218 	dma->seg_count += entry->seg_count;
1219 	dma->page_count += byte_count >> PAGE_SHIFT;
1220 	dma->byte_count += byte_count;
1221 
1222 	DRM_DEBUG("dma->buf_count : %d\n", dma->buf_count);
1223 	DRM_DEBUG("entry->buf_count : %d\n", entry->buf_count);
1224 
1225 	mutex_unlock(&dev->struct_mutex);
1226 
1227 	request->count = entry->buf_count;
1228 	request->size = size;
1229 
1230 	dma->flags = _DRM_DMA_USE_SG;
1231 
1232 	atomic_dec(&dev->buf_alloc);
1233 	return 0;
1234 }
1235 
1236 /*
1237  * Add buffers for DMA transfers (ioctl).
1238  *
1239  * \param inode device inode.
1240  * \param file_priv DRM file private.
1241  * \param cmd command.
1242  * \param arg pointer to a struct drm_buf_desc request.
1243  * \return zero on success or a negative number on failure.
1244  *
1245  * According with the memory type specified in drm_buf_desc::flags and the
1246  * build options, it dispatches the call either to addbufs_agp(),
1247  * addbufs_sg() or addbufs_pci() for AGP, scatter-gather or consistent
1248  * PCI memory respectively.
1249  */
drm_legacy_addbufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1250 int drm_legacy_addbufs(struct drm_device *dev, void *data,
1251 		       struct drm_file *file_priv)
1252 {
1253 	struct drm_buf_desc *request = data;
1254 	int ret;
1255 
1256 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1257 		return -EOPNOTSUPP;
1258 
1259 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1260 		return -EOPNOTSUPP;
1261 
1262 #if IS_ENABLED(CONFIG_AGP)
1263 	if (request->flags & _DRM_AGP_BUFFER)
1264 		ret = drm_legacy_addbufs_agp(dev, request);
1265 	else
1266 #endif
1267 	if (request->flags & _DRM_SG_BUFFER)
1268 		ret = drm_legacy_addbufs_sg(dev, request);
1269 	else if (request->flags & _DRM_FB_BUFFER)
1270 		ret = -EINVAL;
1271 	else
1272 		ret = drm_legacy_addbufs_pci(dev, request);
1273 
1274 	return ret;
1275 }
1276 
1277 /*
1278  * Get information about the buffer mappings.
1279  *
1280  * This was originally mean for debugging purposes, or by a sophisticated
1281  * client library to determine how best to use the available buffers (e.g.,
1282  * large buffers can be used for image transfer).
1283  *
1284  * \param inode device inode.
1285  * \param file_priv DRM file private.
1286  * \param cmd command.
1287  * \param arg pointer to a drm_buf_info structure.
1288  * \return zero on success or a negative number on failure.
1289  *
1290  * Increments drm_device::buf_use while holding the drm_device::buf_lock
1291  * lock, preventing of allocating more buffers after this call. Information
1292  * about each requested buffer is then copied into user space.
1293  */
__drm_legacy_infobufs(struct drm_device * dev,void * data,int * p,int (* f)(void *,int,struct drm_buf_entry *))1294 int __drm_legacy_infobufs(struct drm_device *dev,
1295 			void *data, int *p,
1296 			int (*f)(void *, int, struct drm_buf_entry *))
1297 {
1298 	struct drm_device_dma *dma = dev->dma;
1299 	int i;
1300 	int count;
1301 
1302 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1303 		return -EOPNOTSUPP;
1304 
1305 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1306 		return -EOPNOTSUPP;
1307 
1308 	if (!dma)
1309 		return -EINVAL;
1310 
1311 	spin_lock(&dev->buf_lock);
1312 	if (atomic_read(&dev->buf_alloc)) {
1313 		spin_unlock(&dev->buf_lock);
1314 		return -EBUSY;
1315 	}
1316 	++dev->buf_use;		/* Can't allocate more after this call */
1317 	spin_unlock(&dev->buf_lock);
1318 
1319 	for (i = 0, count = 0; i < DRM_MAX_ORDER + 1; i++) {
1320 		if (dma->bufs[i].buf_count)
1321 			++count;
1322 	}
1323 
1324 	DRM_DEBUG("count = %d\n", count);
1325 
1326 	if (*p >= count) {
1327 		for (i = 0, count = 0; i < DRM_MAX_ORDER + 1; i++) {
1328 			struct drm_buf_entry *from = &dma->bufs[i];
1329 
1330 			if (from->buf_count) {
1331 				if (f(data, count, from) < 0)
1332 					return -EFAULT;
1333 				DRM_DEBUG("%d %d %d %d %d\n",
1334 					  i,
1335 					  dma->bufs[i].buf_count,
1336 					  dma->bufs[i].buf_size,
1337 					  dma->bufs[i].low_mark,
1338 					  dma->bufs[i].high_mark);
1339 				++count;
1340 			}
1341 		}
1342 	}
1343 	*p = count;
1344 
1345 	return 0;
1346 }
1347 
copy_one_buf(void * data,int count,struct drm_buf_entry * from)1348 static int copy_one_buf(void *data, int count, struct drm_buf_entry *from)
1349 {
1350 	struct drm_buf_info *request = data;
1351 	struct drm_buf_desc __user *to = &request->list[count];
1352 	struct drm_buf_desc v = {.count = from->buf_count,
1353 				 .size = from->buf_size,
1354 				 .low_mark = from->low_mark,
1355 				 .high_mark = from->high_mark};
1356 
1357 	if (copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags)))
1358 		return -EFAULT;
1359 	return 0;
1360 }
1361 
drm_legacy_infobufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1362 int drm_legacy_infobufs(struct drm_device *dev, void *data,
1363 			struct drm_file *file_priv)
1364 {
1365 	struct drm_buf_info *request = data;
1366 
1367 	return __drm_legacy_infobufs(dev, data, &request->count, copy_one_buf);
1368 }
1369 
1370 /*
1371  * Specifies a low and high water mark for buffer allocation
1372  *
1373  * \param inode device inode.
1374  * \param file_priv DRM file private.
1375  * \param cmd command.
1376  * \param arg a pointer to a drm_buf_desc structure.
1377  * \return zero on success or a negative number on failure.
1378  *
1379  * Verifies that the size order is bounded between the admissible orders and
1380  * updates the respective drm_device_dma::bufs entry low and high water mark.
1381  *
1382  * \note This ioctl is deprecated and mostly never used.
1383  */
drm_legacy_markbufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1384 int drm_legacy_markbufs(struct drm_device *dev, void *data,
1385 			struct drm_file *file_priv)
1386 {
1387 	struct drm_device_dma *dma = dev->dma;
1388 	struct drm_buf_desc *request = data;
1389 	int order;
1390 	struct drm_buf_entry *entry;
1391 
1392 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1393 		return -EOPNOTSUPP;
1394 
1395 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1396 		return -EOPNOTSUPP;
1397 
1398 	if (!dma)
1399 		return -EINVAL;
1400 
1401 	DRM_DEBUG("%d, %d, %d\n",
1402 		  request->size, request->low_mark, request->high_mark);
1403 	order = order_base_2(request->size);
1404 	if (order < DRM_MIN_ORDER || order > DRM_MAX_ORDER)
1405 		return -EINVAL;
1406 	entry = &dma->bufs[order];
1407 
1408 	if (request->low_mark < 0 || request->low_mark > entry->buf_count)
1409 		return -EINVAL;
1410 	if (request->high_mark < 0 || request->high_mark > entry->buf_count)
1411 		return -EINVAL;
1412 
1413 	entry->low_mark = request->low_mark;
1414 	entry->high_mark = request->high_mark;
1415 
1416 	return 0;
1417 }
1418 
1419 /*
1420  * Unreserve the buffers in list, previously reserved using drmDMA.
1421  *
1422  * \param inode device inode.
1423  * \param file_priv DRM file private.
1424  * \param cmd command.
1425  * \param arg pointer to a drm_buf_free structure.
1426  * \return zero on success or a negative number on failure.
1427  *
1428  * Calls free_buffer() for each used buffer.
1429  * This function is primarily used for debugging.
1430  */
drm_legacy_freebufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1431 int drm_legacy_freebufs(struct drm_device *dev, void *data,
1432 			struct drm_file *file_priv)
1433 {
1434 	struct drm_device_dma *dma = dev->dma;
1435 	struct drm_buf_free *request = data;
1436 	int i;
1437 	int idx;
1438 	struct drm_buf *buf;
1439 
1440 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1441 		return -EOPNOTSUPP;
1442 
1443 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1444 		return -EOPNOTSUPP;
1445 
1446 	if (!dma)
1447 		return -EINVAL;
1448 
1449 	DRM_DEBUG("%d\n", request->count);
1450 	for (i = 0; i < request->count; i++) {
1451 		if (copy_from_user(&idx, &request->list[i], sizeof(idx)))
1452 			return -EFAULT;
1453 		if (idx < 0 || idx >= dma->buf_count) {
1454 			DRM_ERROR("Index %d (of %d max)\n",
1455 				  idx, dma->buf_count - 1);
1456 			return -EINVAL;
1457 		}
1458 		idx = array_index_nospec(idx, dma->buf_count);
1459 		buf = dma->buflist[idx];
1460 		if (buf->file_priv != file_priv) {
1461 			DRM_ERROR("Process %d freeing buffer not owned\n",
1462 				  task_pid_nr(current));
1463 			return -EINVAL;
1464 		}
1465 		drm_legacy_free_buffer(dev, buf);
1466 	}
1467 
1468 	return 0;
1469 }
1470 
1471 /*
1472  * Maps all of the DMA buffers into client-virtual space (ioctl).
1473  *
1474  * \param inode device inode.
1475  * \param file_priv DRM file private.
1476  * \param cmd command.
1477  * \param arg pointer to a drm_buf_map structure.
1478  * \return zero on success or a negative number on failure.
1479  *
1480  * Maps the AGP, SG or PCI buffer region with vm_mmap(), and copies information
1481  * about each buffer into user space. For PCI buffers, it calls vm_mmap() with
1482  * offset equal to 0, which drm_mmap() interpretes as PCI buffers and calls
1483  * drm_mmap_dma().
1484  */
__drm_legacy_mapbufs(struct drm_device * dev,void * data,int * p,void __user ** v,int (* f)(void *,int,unsigned long,struct drm_buf *),struct drm_file * file_priv)1485 int __drm_legacy_mapbufs(struct drm_device *dev, void *data, int *p,
1486 			 void __user **v,
1487 			 int (*f)(void *, int, unsigned long,
1488 				 struct drm_buf *),
1489 				 struct drm_file *file_priv)
1490 {
1491 	struct drm_device_dma *dma = dev->dma;
1492 	int retcode = 0;
1493 	unsigned long virtual;
1494 	int i;
1495 
1496 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1497 		return -EOPNOTSUPP;
1498 
1499 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1500 		return -EOPNOTSUPP;
1501 
1502 	if (!dma)
1503 		return -EINVAL;
1504 
1505 	spin_lock(&dev->buf_lock);
1506 	if (atomic_read(&dev->buf_alloc)) {
1507 		spin_unlock(&dev->buf_lock);
1508 		return -EBUSY;
1509 	}
1510 	dev->buf_use++;		/* Can't allocate more after this call */
1511 	spin_unlock(&dev->buf_lock);
1512 
1513 	if (*p >= dma->buf_count) {
1514 		if ((dev->agp && (dma->flags & _DRM_DMA_USE_AGP))
1515 		    || (drm_core_check_feature(dev, DRIVER_SG)
1516 			&& (dma->flags & _DRM_DMA_USE_SG))) {
1517 			struct drm_local_map *map = dev->agp_buffer_map;
1518 			unsigned long token = dev->agp_buffer_token;
1519 
1520 			if (!map) {
1521 				retcode = -EINVAL;
1522 				goto done;
1523 			}
1524 			virtual = vm_mmap(file_priv->filp, 0, map->size,
1525 					  PROT_READ | PROT_WRITE,
1526 					  MAP_SHARED,
1527 					  token);
1528 		} else {
1529 			virtual = vm_mmap(file_priv->filp, 0, dma->byte_count,
1530 					  PROT_READ | PROT_WRITE,
1531 					  MAP_SHARED, 0);
1532 		}
1533 		if (virtual > -1024UL) {
1534 			/* Real error */
1535 			retcode = (signed long)virtual;
1536 			goto done;
1537 		}
1538 		*v = (void __user *)virtual;
1539 
1540 		for (i = 0; i < dma->buf_count; i++) {
1541 			if (f(data, i, virtual, dma->buflist[i]) < 0) {
1542 				retcode = -EFAULT;
1543 				goto done;
1544 			}
1545 		}
1546 	}
1547       done:
1548 	*p = dma->buf_count;
1549 	DRM_DEBUG("%d buffers, retcode = %d\n", *p, retcode);
1550 
1551 	return retcode;
1552 }
1553 
map_one_buf(void * data,int idx,unsigned long virtual,struct drm_buf * buf)1554 static int map_one_buf(void *data, int idx, unsigned long virtual,
1555 			struct drm_buf *buf)
1556 {
1557 	struct drm_buf_map *request = data;
1558 	unsigned long address = virtual + buf->offset;	/* *** */
1559 
1560 	if (copy_to_user(&request->list[idx].idx, &buf->idx,
1561 			 sizeof(request->list[0].idx)))
1562 		return -EFAULT;
1563 	if (copy_to_user(&request->list[idx].total, &buf->total,
1564 			 sizeof(request->list[0].total)))
1565 		return -EFAULT;
1566 	if (clear_user(&request->list[idx].used, sizeof(int)))
1567 		return -EFAULT;
1568 	if (copy_to_user(&request->list[idx].address, &address,
1569 			 sizeof(address)))
1570 		return -EFAULT;
1571 	return 0;
1572 }
1573 
drm_legacy_mapbufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1574 int drm_legacy_mapbufs(struct drm_device *dev, void *data,
1575 		       struct drm_file *file_priv)
1576 {
1577 	struct drm_buf_map *request = data;
1578 
1579 	return __drm_legacy_mapbufs(dev, data, &request->count,
1580 				    &request->virtual, map_one_buf,
1581 				    file_priv);
1582 }
1583 
drm_legacy_dma_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)1584 int drm_legacy_dma_ioctl(struct drm_device *dev, void *data,
1585 		  struct drm_file *file_priv)
1586 {
1587 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1588 		return -EOPNOTSUPP;
1589 
1590 	if (dev->driver->dma_ioctl)
1591 		return dev->driver->dma_ioctl(dev, data, file_priv);
1592 	else
1593 		return -EINVAL;
1594 }
1595 
drm_legacy_getsarea(struct drm_device * dev)1596 struct drm_local_map *drm_legacy_getsarea(struct drm_device *dev)
1597 {
1598 	struct drm_map_list *entry;
1599 
1600 	list_for_each_entry(entry, &dev->maplist, head) {
1601 		if (entry->map && entry->map->type == _DRM_SHM &&
1602 		    (entry->map->flags & _DRM_CONTAINS_LOCK)) {
1603 			return entry->map;
1604 		}
1605 	}
1606 	return NULL;
1607 }
1608 EXPORT_SYMBOL(drm_legacy_getsarea);
1609