xref: /openbmc/linux/drivers/dma-buf/dma-buf.c (revision 077e5f4f5528777ab72f4dc336569207504dc876)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Framework for buffer objects that can be shared across devices/subsystems.
4  *
5  * Copyright(C) 2011 Linaro Limited. All rights reserved.
6  * Author: Sumit Semwal <sumit.semwal@ti.com>
7  *
8  * Many thanks to linaro-mm-sig list, and specially
9  * Arnd Bergmann <arnd@arndb.de>, Rob Clark <rob@ti.com> and
10  * Daniel Vetter <daniel@ffwll.ch> for their support in creation and
11  * refining of this idea.
12  */
13 
14 #include <linux/fs.h>
15 #include <linux/slab.h>
16 #include <linux/dma-buf.h>
17 #include <linux/dma-fence.h>
18 #include <linux/dma-fence-unwrap.h>
19 #include <linux/anon_inodes.h>
20 #include <linux/export.h>
21 #include <linux/debugfs.h>
22 #include <linux/module.h>
23 #include <linux/seq_file.h>
24 #include <linux/sync_file.h>
25 #include <linux/poll.h>
26 #include <linux/dma-resv.h>
27 #include <linux/mm.h>
28 #include <linux/mount.h>
29 #include <linux/pseudo_fs.h>
30 
31 #include <uapi/linux/dma-buf.h>
32 #include <uapi/linux/magic.h>
33 
34 #include "dma-buf-sysfs-stats.h"
35 
36 static inline int is_dma_buf_file(struct file *);
37 
38 struct dma_buf_list {
39 	struct list_head head;
40 	struct mutex lock;
41 };
42 
43 static struct dma_buf_list db_list;
44 
45 static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen)
46 {
47 	struct dma_buf *dmabuf;
48 	char name[DMA_BUF_NAME_LEN];
49 	size_t ret = 0;
50 
51 	dmabuf = dentry->d_fsdata;
52 	spin_lock(&dmabuf->name_lock);
53 	if (dmabuf->name)
54 		ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN);
55 	spin_unlock(&dmabuf->name_lock);
56 
57 	return dynamic_dname(buffer, buflen, "/%s:%s",
58 			     dentry->d_name.name, ret > 0 ? name : "");
59 }
60 
61 static void dma_buf_release(struct dentry *dentry)
62 {
63 	struct dma_buf *dmabuf;
64 
65 	dmabuf = dentry->d_fsdata;
66 	if (unlikely(!dmabuf))
67 		return;
68 
69 	BUG_ON(dmabuf->vmapping_counter);
70 
71 	/*
72 	 * If you hit this BUG() it could mean:
73 	 * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else
74 	 * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback
75 	 */
76 	BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
77 
78 	dma_buf_stats_teardown(dmabuf);
79 	dmabuf->ops->release(dmabuf);
80 
81 	if (dmabuf->resv == (struct dma_resv *)&dmabuf[1])
82 		dma_resv_fini(dmabuf->resv);
83 
84 	WARN_ON(!list_empty(&dmabuf->attachments));
85 	module_put(dmabuf->owner);
86 	kfree(dmabuf->name);
87 	kfree(dmabuf);
88 }
89 
90 static int dma_buf_file_release(struct inode *inode, struct file *file)
91 {
92 	struct dma_buf *dmabuf;
93 
94 	if (!is_dma_buf_file(file))
95 		return -EINVAL;
96 
97 	dmabuf = file->private_data;
98 
99 	mutex_lock(&db_list.lock);
100 	list_del(&dmabuf->list_node);
101 	mutex_unlock(&db_list.lock);
102 
103 	return 0;
104 }
105 
106 static const struct dentry_operations dma_buf_dentry_ops = {
107 	.d_dname = dmabuffs_dname,
108 	.d_release = dma_buf_release,
109 };
110 
111 static struct vfsmount *dma_buf_mnt;
112 
113 static int dma_buf_fs_init_context(struct fs_context *fc)
114 {
115 	struct pseudo_fs_context *ctx;
116 
117 	ctx = init_pseudo(fc, DMA_BUF_MAGIC);
118 	if (!ctx)
119 		return -ENOMEM;
120 	ctx->dops = &dma_buf_dentry_ops;
121 	return 0;
122 }
123 
124 static struct file_system_type dma_buf_fs_type = {
125 	.name = "dmabuf",
126 	.init_fs_context = dma_buf_fs_init_context,
127 	.kill_sb = kill_anon_super,
128 };
129 
130 static int dma_buf_mmap_internal(struct file *file, struct vm_area_struct *vma)
131 {
132 	struct dma_buf *dmabuf;
133 	int ret;
134 
135 	if (!is_dma_buf_file(file))
136 		return -EINVAL;
137 
138 	dmabuf = file->private_data;
139 
140 	/* check if buffer supports mmap */
141 	if (!dmabuf->ops->mmap)
142 		return -EINVAL;
143 
144 	/* check for overflowing the buffer's size */
145 	if (vma->vm_pgoff + vma_pages(vma) >
146 	    dmabuf->size >> PAGE_SHIFT)
147 		return -EINVAL;
148 
149 	dma_resv_lock(dmabuf->resv, NULL);
150 	ret = dmabuf->ops->mmap(dmabuf, vma);
151 	dma_resv_unlock(dmabuf->resv);
152 
153 	return ret;
154 }
155 
156 static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
157 {
158 	struct dma_buf *dmabuf;
159 	loff_t base;
160 
161 	if (!is_dma_buf_file(file))
162 		return -EBADF;
163 
164 	dmabuf = file->private_data;
165 
166 	/* only support discovering the end of the buffer,
167 	   but also allow SEEK_SET to maintain the idiomatic
168 	   SEEK_END(0), SEEK_CUR(0) pattern */
169 	if (whence == SEEK_END)
170 		base = dmabuf->size;
171 	else if (whence == SEEK_SET)
172 		base = 0;
173 	else
174 		return -EINVAL;
175 
176 	if (offset != 0)
177 		return -EINVAL;
178 
179 	return base + offset;
180 }
181 
182 /**
183  * DOC: implicit fence polling
184  *
185  * To support cross-device and cross-driver synchronization of buffer access
186  * implicit fences (represented internally in the kernel with &struct dma_fence)
187  * can be attached to a &dma_buf. The glue for that and a few related things are
188  * provided in the &dma_resv structure.
189  *
190  * Userspace can query the state of these implicitly tracked fences using poll()
191  * and related system calls:
192  *
193  * - Checking for EPOLLIN, i.e. read access, can be use to query the state of the
194  *   most recent write or exclusive fence.
195  *
196  * - Checking for EPOLLOUT, i.e. write access, can be used to query the state of
197  *   all attached fences, shared and exclusive ones.
198  *
199  * Note that this only signals the completion of the respective fences, i.e. the
200  * DMA transfers are complete. Cache flushing and any other necessary
201  * preparations before CPU access can begin still need to happen.
202  *
203  * As an alternative to poll(), the set of fences on DMA buffer can be
204  * exported as a &sync_file using &dma_buf_sync_file_export.
205  */
206 
207 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
208 {
209 	struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
210 	struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll);
211 	unsigned long flags;
212 
213 	spin_lock_irqsave(&dcb->poll->lock, flags);
214 	wake_up_locked_poll(dcb->poll, dcb->active);
215 	dcb->active = 0;
216 	spin_unlock_irqrestore(&dcb->poll->lock, flags);
217 	dma_fence_put(fence);
218 	/* Paired with get_file in dma_buf_poll */
219 	fput(dmabuf->file);
220 }
221 
222 static bool dma_buf_poll_add_cb(struct dma_resv *resv, bool write,
223 				struct dma_buf_poll_cb_t *dcb)
224 {
225 	struct dma_resv_iter cursor;
226 	struct dma_fence *fence;
227 	int r;
228 
229 	dma_resv_for_each_fence(&cursor, resv, dma_resv_usage_rw(write),
230 				fence) {
231 		dma_fence_get(fence);
232 		r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb);
233 		if (!r)
234 			return true;
235 		dma_fence_put(fence);
236 	}
237 
238 	return false;
239 }
240 
241 static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
242 {
243 	struct dma_buf *dmabuf;
244 	struct dma_resv *resv;
245 	__poll_t events;
246 
247 	dmabuf = file->private_data;
248 	if (!dmabuf || !dmabuf->resv)
249 		return EPOLLERR;
250 
251 	resv = dmabuf->resv;
252 
253 	poll_wait(file, &dmabuf->poll, poll);
254 
255 	events = poll_requested_events(poll) & (EPOLLIN | EPOLLOUT);
256 	if (!events)
257 		return 0;
258 
259 	dma_resv_lock(resv, NULL);
260 
261 	if (events & EPOLLOUT) {
262 		struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_out;
263 
264 		/* Check that callback isn't busy */
265 		spin_lock_irq(&dmabuf->poll.lock);
266 		if (dcb->active)
267 			events &= ~EPOLLOUT;
268 		else
269 			dcb->active = EPOLLOUT;
270 		spin_unlock_irq(&dmabuf->poll.lock);
271 
272 		if (events & EPOLLOUT) {
273 			/* Paired with fput in dma_buf_poll_cb */
274 			get_file(dmabuf->file);
275 
276 			if (!dma_buf_poll_add_cb(resv, true, dcb))
277 				/* No callback queued, wake up any other waiters */
278 				dma_buf_poll_cb(NULL, &dcb->cb);
279 			else
280 				events &= ~EPOLLOUT;
281 		}
282 	}
283 
284 	if (events & EPOLLIN) {
285 		struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_in;
286 
287 		/* Check that callback isn't busy */
288 		spin_lock_irq(&dmabuf->poll.lock);
289 		if (dcb->active)
290 			events &= ~EPOLLIN;
291 		else
292 			dcb->active = EPOLLIN;
293 		spin_unlock_irq(&dmabuf->poll.lock);
294 
295 		if (events & EPOLLIN) {
296 			/* Paired with fput in dma_buf_poll_cb */
297 			get_file(dmabuf->file);
298 
299 			if (!dma_buf_poll_add_cb(resv, false, dcb))
300 				/* No callback queued, wake up any other waiters */
301 				dma_buf_poll_cb(NULL, &dcb->cb);
302 			else
303 				events &= ~EPOLLIN;
304 		}
305 	}
306 
307 	dma_resv_unlock(resv);
308 	return events;
309 }
310 
311 /**
312  * dma_buf_set_name - Set a name to a specific dma_buf to track the usage.
313  * It could support changing the name of the dma-buf if the same
314  * piece of memory is used for multiple purpose between different devices.
315  *
316  * @dmabuf: [in]     dmabuf buffer that will be renamed.
317  * @buf:    [in]     A piece of userspace memory that contains the name of
318  *                   the dma-buf.
319  *
320  * Returns 0 on success. If the dma-buf buffer is already attached to
321  * devices, return -EBUSY.
322  *
323  */
324 static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf)
325 {
326 	char *name = strndup_user(buf, DMA_BUF_NAME_LEN);
327 
328 	if (IS_ERR(name))
329 		return PTR_ERR(name);
330 
331 	spin_lock(&dmabuf->name_lock);
332 	kfree(dmabuf->name);
333 	dmabuf->name = name;
334 	spin_unlock(&dmabuf->name_lock);
335 
336 	return 0;
337 }
338 
339 #if IS_ENABLED(CONFIG_SYNC_FILE)
340 static long dma_buf_export_sync_file(struct dma_buf *dmabuf,
341 				     void __user *user_data)
342 {
343 	struct dma_buf_export_sync_file arg;
344 	enum dma_resv_usage usage;
345 	struct dma_fence *fence = NULL;
346 	struct sync_file *sync_file;
347 	int fd, ret;
348 
349 	if (copy_from_user(&arg, user_data, sizeof(arg)))
350 		return -EFAULT;
351 
352 	if (arg.flags & ~DMA_BUF_SYNC_RW)
353 		return -EINVAL;
354 
355 	if ((arg.flags & DMA_BUF_SYNC_RW) == 0)
356 		return -EINVAL;
357 
358 	fd = get_unused_fd_flags(O_CLOEXEC);
359 	if (fd < 0)
360 		return fd;
361 
362 	usage = dma_resv_usage_rw(arg.flags & DMA_BUF_SYNC_WRITE);
363 	ret = dma_resv_get_singleton(dmabuf->resv, usage, &fence);
364 	if (ret)
365 		goto err_put_fd;
366 
367 	if (!fence)
368 		fence = dma_fence_get_stub();
369 
370 	sync_file = sync_file_create(fence);
371 
372 	dma_fence_put(fence);
373 
374 	if (!sync_file) {
375 		ret = -ENOMEM;
376 		goto err_put_fd;
377 	}
378 
379 	arg.fd = fd;
380 	if (copy_to_user(user_data, &arg, sizeof(arg))) {
381 		ret = -EFAULT;
382 		goto err_put_file;
383 	}
384 
385 	fd_install(fd, sync_file->file);
386 
387 	return 0;
388 
389 err_put_file:
390 	fput(sync_file->file);
391 err_put_fd:
392 	put_unused_fd(fd);
393 	return ret;
394 }
395 
396 static long dma_buf_import_sync_file(struct dma_buf *dmabuf,
397 				     const void __user *user_data)
398 {
399 	struct dma_buf_import_sync_file arg;
400 	struct dma_fence *fence, *f;
401 	enum dma_resv_usage usage;
402 	struct dma_fence_unwrap iter;
403 	unsigned int num_fences;
404 	int ret = 0;
405 
406 	if (copy_from_user(&arg, user_data, sizeof(arg)))
407 		return -EFAULT;
408 
409 	if (arg.flags & ~DMA_BUF_SYNC_RW)
410 		return -EINVAL;
411 
412 	if ((arg.flags & DMA_BUF_SYNC_RW) == 0)
413 		return -EINVAL;
414 
415 	fence = sync_file_get_fence(arg.fd);
416 	if (!fence)
417 		return -EINVAL;
418 
419 	usage = (arg.flags & DMA_BUF_SYNC_WRITE) ? DMA_RESV_USAGE_WRITE :
420 						   DMA_RESV_USAGE_READ;
421 
422 	num_fences = 0;
423 	dma_fence_unwrap_for_each(f, &iter, fence)
424 		++num_fences;
425 
426 	if (num_fences > 0) {
427 		dma_resv_lock(dmabuf->resv, NULL);
428 
429 		ret = dma_resv_reserve_fences(dmabuf->resv, num_fences);
430 		if (!ret) {
431 			dma_fence_unwrap_for_each(f, &iter, fence)
432 				dma_resv_add_fence(dmabuf->resv, f, usage);
433 		}
434 
435 		dma_resv_unlock(dmabuf->resv);
436 	}
437 
438 	dma_fence_put(fence);
439 
440 	return ret;
441 }
442 #endif
443 
444 static long dma_buf_ioctl(struct file *file,
445 			  unsigned int cmd, unsigned long arg)
446 {
447 	struct dma_buf *dmabuf;
448 	struct dma_buf_sync sync;
449 	enum dma_data_direction direction;
450 	int ret;
451 
452 	dmabuf = file->private_data;
453 
454 	switch (cmd) {
455 	case DMA_BUF_IOCTL_SYNC:
456 		if (copy_from_user(&sync, (void __user *) arg, sizeof(sync)))
457 			return -EFAULT;
458 
459 		if (sync.flags & ~DMA_BUF_SYNC_VALID_FLAGS_MASK)
460 			return -EINVAL;
461 
462 		switch (sync.flags & DMA_BUF_SYNC_RW) {
463 		case DMA_BUF_SYNC_READ:
464 			direction = DMA_FROM_DEVICE;
465 			break;
466 		case DMA_BUF_SYNC_WRITE:
467 			direction = DMA_TO_DEVICE;
468 			break;
469 		case DMA_BUF_SYNC_RW:
470 			direction = DMA_BIDIRECTIONAL;
471 			break;
472 		default:
473 			return -EINVAL;
474 		}
475 
476 		if (sync.flags & DMA_BUF_SYNC_END)
477 			ret = dma_buf_end_cpu_access(dmabuf, direction);
478 		else
479 			ret = dma_buf_begin_cpu_access(dmabuf, direction);
480 
481 		return ret;
482 
483 	case DMA_BUF_SET_NAME_A:
484 	case DMA_BUF_SET_NAME_B:
485 		return dma_buf_set_name(dmabuf, (const char __user *)arg);
486 
487 #if IS_ENABLED(CONFIG_SYNC_FILE)
488 	case DMA_BUF_IOCTL_EXPORT_SYNC_FILE:
489 		return dma_buf_export_sync_file(dmabuf, (void __user *)arg);
490 	case DMA_BUF_IOCTL_IMPORT_SYNC_FILE:
491 		return dma_buf_import_sync_file(dmabuf, (const void __user *)arg);
492 #endif
493 
494 	default:
495 		return -ENOTTY;
496 	}
497 }
498 
499 static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file)
500 {
501 	struct dma_buf *dmabuf = file->private_data;
502 
503 	seq_printf(m, "size:\t%zu\n", dmabuf->size);
504 	/* Don't count the temporary reference taken inside procfs seq_show */
505 	seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1);
506 	seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name);
507 	spin_lock(&dmabuf->name_lock);
508 	if (dmabuf->name)
509 		seq_printf(m, "name:\t%s\n", dmabuf->name);
510 	spin_unlock(&dmabuf->name_lock);
511 }
512 
513 static const struct file_operations dma_buf_fops = {
514 	.release	= dma_buf_file_release,
515 	.mmap		= dma_buf_mmap_internal,
516 	.llseek		= dma_buf_llseek,
517 	.poll		= dma_buf_poll,
518 	.unlocked_ioctl	= dma_buf_ioctl,
519 	.compat_ioctl	= compat_ptr_ioctl,
520 	.show_fdinfo	= dma_buf_show_fdinfo,
521 };
522 
523 /*
524  * is_dma_buf_file - Check if struct file* is associated with dma_buf
525  */
526 static inline int is_dma_buf_file(struct file *file)
527 {
528 	return file->f_op == &dma_buf_fops;
529 }
530 
531 static struct file *dma_buf_getfile(struct dma_buf *dmabuf, int flags)
532 {
533 	static atomic64_t dmabuf_inode = ATOMIC64_INIT(0);
534 	struct file *file;
535 	struct inode *inode = alloc_anon_inode(dma_buf_mnt->mnt_sb);
536 
537 	if (IS_ERR(inode))
538 		return ERR_CAST(inode);
539 
540 	inode->i_size = dmabuf->size;
541 	inode_set_bytes(inode, dmabuf->size);
542 
543 	/*
544 	 * The ->i_ino acquired from get_next_ino() is not unique thus
545 	 * not suitable for using it as dentry name by dmabuf stats.
546 	 * Override ->i_ino with the unique and dmabuffs specific
547 	 * value.
548 	 */
549 	inode->i_ino = atomic64_add_return(1, &dmabuf_inode);
550 	flags &= O_ACCMODE | O_NONBLOCK;
551 	file = alloc_file_pseudo(inode, dma_buf_mnt, "dmabuf",
552 				 flags, &dma_buf_fops);
553 	if (IS_ERR(file))
554 		goto err_alloc_file;
555 	file->private_data = dmabuf;
556 	file->f_path.dentry->d_fsdata = dmabuf;
557 
558 	return file;
559 
560 err_alloc_file:
561 	iput(inode);
562 	return file;
563 }
564 
565 /**
566  * DOC: dma buf device access
567  *
568  * For device DMA access to a shared DMA buffer the usual sequence of operations
569  * is fairly simple:
570  *
571  * 1. The exporter defines his exporter instance using
572  *    DEFINE_DMA_BUF_EXPORT_INFO() and calls dma_buf_export() to wrap a private
573  *    buffer object into a &dma_buf. It then exports that &dma_buf to userspace
574  *    as a file descriptor by calling dma_buf_fd().
575  *
576  * 2. Userspace passes this file-descriptors to all drivers it wants this buffer
577  *    to share with: First the file descriptor is converted to a &dma_buf using
578  *    dma_buf_get(). Then the buffer is attached to the device using
579  *    dma_buf_attach().
580  *
581  *    Up to this stage the exporter is still free to migrate or reallocate the
582  *    backing storage.
583  *
584  * 3. Once the buffer is attached to all devices userspace can initiate DMA
585  *    access to the shared buffer. In the kernel this is done by calling
586  *    dma_buf_map_attachment() and dma_buf_unmap_attachment().
587  *
588  * 4. Once a driver is done with a shared buffer it needs to call
589  *    dma_buf_detach() (after cleaning up any mappings) and then release the
590  *    reference acquired with dma_buf_get() by calling dma_buf_put().
591  *
592  * For the detailed semantics exporters are expected to implement see
593  * &dma_buf_ops.
594  */
595 
596 /**
597  * dma_buf_export - Creates a new dma_buf, and associates an anon file
598  * with this buffer, so it can be exported.
599  * Also connect the allocator specific data and ops to the buffer.
600  * Additionally, provide a name string for exporter; useful in debugging.
601  *
602  * @exp_info:	[in]	holds all the export related information provided
603  *			by the exporter. see &struct dma_buf_export_info
604  *			for further details.
605  *
606  * Returns, on success, a newly created struct dma_buf object, which wraps the
607  * supplied private data and operations for struct dma_buf_ops. On either
608  * missing ops, or error in allocating struct dma_buf, will return negative
609  * error.
610  *
611  * For most cases the easiest way to create @exp_info is through the
612  * %DEFINE_DMA_BUF_EXPORT_INFO macro.
613  */
614 struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
615 {
616 	struct dma_buf *dmabuf;
617 	struct dma_resv *resv = exp_info->resv;
618 	struct file *file;
619 	size_t alloc_size = sizeof(struct dma_buf);
620 	int ret;
621 
622 	if (!exp_info->resv)
623 		alloc_size += sizeof(struct dma_resv);
624 	else
625 		/* prevent &dma_buf[1] == dma_buf->resv */
626 		alloc_size += 1;
627 
628 	if (WARN_ON(!exp_info->priv
629 			  || !exp_info->ops
630 			  || !exp_info->ops->map_dma_buf
631 			  || !exp_info->ops->unmap_dma_buf
632 			  || !exp_info->ops->release)) {
633 		return ERR_PTR(-EINVAL);
634 	}
635 
636 	if (WARN_ON(exp_info->ops->cache_sgt_mapping &&
637 		    (exp_info->ops->pin || exp_info->ops->unpin)))
638 		return ERR_PTR(-EINVAL);
639 
640 	if (WARN_ON(!exp_info->ops->pin != !exp_info->ops->unpin))
641 		return ERR_PTR(-EINVAL);
642 
643 	if (!try_module_get(exp_info->owner))
644 		return ERR_PTR(-ENOENT);
645 
646 	dmabuf = kzalloc(alloc_size, GFP_KERNEL);
647 	if (!dmabuf) {
648 		ret = -ENOMEM;
649 		goto err_module;
650 	}
651 
652 	dmabuf->priv = exp_info->priv;
653 	dmabuf->ops = exp_info->ops;
654 	dmabuf->size = exp_info->size;
655 	dmabuf->exp_name = exp_info->exp_name;
656 	dmabuf->owner = exp_info->owner;
657 	spin_lock_init(&dmabuf->name_lock);
658 	init_waitqueue_head(&dmabuf->poll);
659 	dmabuf->cb_in.poll = dmabuf->cb_out.poll = &dmabuf->poll;
660 	dmabuf->cb_in.active = dmabuf->cb_out.active = 0;
661 
662 	if (!resv) {
663 		resv = (struct dma_resv *)&dmabuf[1];
664 		dma_resv_init(resv);
665 	}
666 	dmabuf->resv = resv;
667 
668 	file = dma_buf_getfile(dmabuf, exp_info->flags);
669 	if (IS_ERR(file)) {
670 		ret = PTR_ERR(file);
671 		goto err_dmabuf;
672 	}
673 
674 	dmabuf->file = file;
675 
676 	INIT_LIST_HEAD(&dmabuf->attachments);
677 
678 	mutex_lock(&db_list.lock);
679 	list_add(&dmabuf->list_node, &db_list.head);
680 	mutex_unlock(&db_list.lock);
681 
682 	ret = dma_buf_stats_setup(dmabuf);
683 	if (ret)
684 		goto err_sysfs;
685 
686 	return dmabuf;
687 
688 err_sysfs:
689 	/*
690 	 * Set file->f_path.dentry->d_fsdata to NULL so that when
691 	 * dma_buf_release() gets invoked by dentry_ops, it exits
692 	 * early before calling the release() dma_buf op.
693 	 */
694 	file->f_path.dentry->d_fsdata = NULL;
695 	fput(file);
696 err_dmabuf:
697 	kfree(dmabuf);
698 err_module:
699 	module_put(exp_info->owner);
700 	return ERR_PTR(ret);
701 }
702 EXPORT_SYMBOL_NS_GPL(dma_buf_export, DMA_BUF);
703 
704 /**
705  * dma_buf_fd - returns a file descriptor for the given struct dma_buf
706  * @dmabuf:	[in]	pointer to dma_buf for which fd is required.
707  * @flags:      [in]    flags to give to fd
708  *
709  * On success, returns an associated 'fd'. Else, returns error.
710  */
711 int dma_buf_fd(struct dma_buf *dmabuf, int flags)
712 {
713 	int fd;
714 
715 	if (!dmabuf || !dmabuf->file)
716 		return -EINVAL;
717 
718 	fd = get_unused_fd_flags(flags);
719 	if (fd < 0)
720 		return fd;
721 
722 	fd_install(fd, dmabuf->file);
723 
724 	return fd;
725 }
726 EXPORT_SYMBOL_NS_GPL(dma_buf_fd, DMA_BUF);
727 
728 /**
729  * dma_buf_get - returns the struct dma_buf related to an fd
730  * @fd:	[in]	fd associated with the struct dma_buf to be returned
731  *
732  * On success, returns the struct dma_buf associated with an fd; uses
733  * file's refcounting done by fget to increase refcount. returns ERR_PTR
734  * otherwise.
735  */
736 struct dma_buf *dma_buf_get(int fd)
737 {
738 	struct file *file;
739 
740 	file = fget(fd);
741 
742 	if (!file)
743 		return ERR_PTR(-EBADF);
744 
745 	if (!is_dma_buf_file(file)) {
746 		fput(file);
747 		return ERR_PTR(-EINVAL);
748 	}
749 
750 	return file->private_data;
751 }
752 EXPORT_SYMBOL_NS_GPL(dma_buf_get, DMA_BUF);
753 
754 /**
755  * dma_buf_put - decreases refcount of the buffer
756  * @dmabuf:	[in]	buffer to reduce refcount of
757  *
758  * Uses file's refcounting done implicitly by fput().
759  *
760  * If, as a result of this call, the refcount becomes 0, the 'release' file
761  * operation related to this fd is called. It calls &dma_buf_ops.release vfunc
762  * in turn, and frees the memory allocated for dmabuf when exported.
763  */
764 void dma_buf_put(struct dma_buf *dmabuf)
765 {
766 	if (WARN_ON(!dmabuf || !dmabuf->file))
767 		return;
768 
769 	fput(dmabuf->file);
770 }
771 EXPORT_SYMBOL_NS_GPL(dma_buf_put, DMA_BUF);
772 
773 static void mangle_sg_table(struct sg_table *sg_table)
774 {
775 #ifdef CONFIG_DMABUF_DEBUG
776 	int i;
777 	struct scatterlist *sg;
778 
779 	/* To catch abuse of the underlying struct page by importers mix
780 	 * up the bits, but take care to preserve the low SG_ bits to
781 	 * not corrupt the sgt. The mixing is undone in __unmap_dma_buf
782 	 * before passing the sgt back to the exporter. */
783 	for_each_sgtable_sg(sg_table, sg, i)
784 		sg->page_link ^= ~0xffUL;
785 #endif
786 
787 }
788 static struct sg_table * __map_dma_buf(struct dma_buf_attachment *attach,
789 				       enum dma_data_direction direction)
790 {
791 	struct sg_table *sg_table;
792 	signed long ret;
793 
794 	sg_table = attach->dmabuf->ops->map_dma_buf(attach, direction);
795 	if (IS_ERR_OR_NULL(sg_table))
796 		return sg_table;
797 
798 	if (!dma_buf_attachment_is_dynamic(attach)) {
799 		ret = dma_resv_wait_timeout(attach->dmabuf->resv,
800 					    DMA_RESV_USAGE_KERNEL, true,
801 					    MAX_SCHEDULE_TIMEOUT);
802 		if (ret < 0) {
803 			attach->dmabuf->ops->unmap_dma_buf(attach, sg_table,
804 							   direction);
805 			return ERR_PTR(ret);
806 		}
807 	}
808 
809 	mangle_sg_table(sg_table);
810 	return sg_table;
811 }
812 
813 /**
814  * DOC: locking convention
815  *
816  * In order to avoid deadlock situations between dma-buf exports and importers,
817  * all dma-buf API users must follow the common dma-buf locking convention.
818  *
819  * Convention for importers
820  *
821  * 1. Importers must hold the dma-buf reservation lock when calling these
822  *    functions:
823  *
824  *     - dma_buf_pin()
825  *     - dma_buf_unpin()
826  *     - dma_buf_map_attachment()
827  *     - dma_buf_unmap_attachment()
828  *     - dma_buf_vmap()
829  *     - dma_buf_vunmap()
830  *
831  * 2. Importers must not hold the dma-buf reservation lock when calling these
832  *    functions:
833  *
834  *     - dma_buf_attach()
835  *     - dma_buf_dynamic_attach()
836  *     - dma_buf_detach()
837  *     - dma_buf_export(
838  *     - dma_buf_fd()
839  *     - dma_buf_get()
840  *     - dma_buf_put()
841  *     - dma_buf_mmap()
842  *     - dma_buf_begin_cpu_access()
843  *     - dma_buf_end_cpu_access()
844  *     - dma_buf_map_attachment_unlocked()
845  *     - dma_buf_unmap_attachment_unlocked()
846  *     - dma_buf_vmap_unlocked()
847  *     - dma_buf_vunmap_unlocked()
848  *
849  * Convention for exporters
850  *
851  * 1. These &dma_buf_ops callbacks are invoked with unlocked dma-buf
852  *    reservation and exporter can take the lock:
853  *
854  *     - &dma_buf_ops.attach()
855  *     - &dma_buf_ops.detach()
856  *     - &dma_buf_ops.release()
857  *     - &dma_buf_ops.begin_cpu_access()
858  *     - &dma_buf_ops.end_cpu_access()
859  *
860  * 2. These &dma_buf_ops callbacks are invoked with locked dma-buf
861  *    reservation and exporter can't take the lock:
862  *
863  *     - &dma_buf_ops.pin()
864  *     - &dma_buf_ops.unpin()
865  *     - &dma_buf_ops.map_dma_buf()
866  *     - &dma_buf_ops.unmap_dma_buf()
867  *     - &dma_buf_ops.mmap()
868  *     - &dma_buf_ops.vmap()
869  *     - &dma_buf_ops.vunmap()
870  *
871  * 3. Exporters must hold the dma-buf reservation lock when calling these
872  *    functions:
873  *
874  *     - dma_buf_move_notify()
875  */
876 
877 /**
878  * dma_buf_dynamic_attach - Add the device to dma_buf's attachments list
879  * @dmabuf:		[in]	buffer to attach device to.
880  * @dev:		[in]	device to be attached.
881  * @importer_ops:	[in]	importer operations for the attachment
882  * @importer_priv:	[in]	importer private pointer for the attachment
883  *
884  * Returns struct dma_buf_attachment pointer for this attachment. Attachments
885  * must be cleaned up by calling dma_buf_detach().
886  *
887  * Optionally this calls &dma_buf_ops.attach to allow device-specific attach
888  * functionality.
889  *
890  * Returns:
891  *
892  * A pointer to newly created &dma_buf_attachment on success, or a negative
893  * error code wrapped into a pointer on failure.
894  *
895  * Note that this can fail if the backing storage of @dmabuf is in a place not
896  * accessible to @dev, and cannot be moved to a more suitable place. This is
897  * indicated with the error code -EBUSY.
898  */
899 struct dma_buf_attachment *
900 dma_buf_dynamic_attach(struct dma_buf *dmabuf, struct device *dev,
901 		       const struct dma_buf_attach_ops *importer_ops,
902 		       void *importer_priv)
903 {
904 	struct dma_buf_attachment *attach;
905 	int ret;
906 
907 	if (WARN_ON(!dmabuf || !dev))
908 		return ERR_PTR(-EINVAL);
909 
910 	if (WARN_ON(importer_ops && !importer_ops->move_notify))
911 		return ERR_PTR(-EINVAL);
912 
913 	attach = kzalloc(sizeof(*attach), GFP_KERNEL);
914 	if (!attach)
915 		return ERR_PTR(-ENOMEM);
916 
917 	attach->dev = dev;
918 	attach->dmabuf = dmabuf;
919 	if (importer_ops)
920 		attach->peer2peer = importer_ops->allow_peer2peer;
921 	attach->importer_ops = importer_ops;
922 	attach->importer_priv = importer_priv;
923 
924 	if (dmabuf->ops->attach) {
925 		ret = dmabuf->ops->attach(dmabuf, attach);
926 		if (ret)
927 			goto err_attach;
928 	}
929 	dma_resv_lock(dmabuf->resv, NULL);
930 	list_add(&attach->node, &dmabuf->attachments);
931 	dma_resv_unlock(dmabuf->resv);
932 
933 	/* When either the importer or the exporter can't handle dynamic
934 	 * mappings we cache the mapping here to avoid issues with the
935 	 * reservation object lock.
936 	 */
937 	if (dma_buf_attachment_is_dynamic(attach) !=
938 	    dma_buf_is_dynamic(dmabuf)) {
939 		struct sg_table *sgt;
940 
941 		dma_resv_lock(attach->dmabuf->resv, NULL);
942 		if (dma_buf_is_dynamic(attach->dmabuf)) {
943 			ret = dmabuf->ops->pin(attach);
944 			if (ret)
945 				goto err_unlock;
946 		}
947 
948 		sgt = __map_dma_buf(attach, DMA_BIDIRECTIONAL);
949 		if (!sgt)
950 			sgt = ERR_PTR(-ENOMEM);
951 		if (IS_ERR(sgt)) {
952 			ret = PTR_ERR(sgt);
953 			goto err_unpin;
954 		}
955 		dma_resv_unlock(attach->dmabuf->resv);
956 		attach->sgt = sgt;
957 		attach->dir = DMA_BIDIRECTIONAL;
958 	}
959 
960 	return attach;
961 
962 err_attach:
963 	kfree(attach);
964 	return ERR_PTR(ret);
965 
966 err_unpin:
967 	if (dma_buf_is_dynamic(attach->dmabuf))
968 		dmabuf->ops->unpin(attach);
969 
970 err_unlock:
971 	dma_resv_unlock(attach->dmabuf->resv);
972 
973 	dma_buf_detach(dmabuf, attach);
974 	return ERR_PTR(ret);
975 }
976 EXPORT_SYMBOL_NS_GPL(dma_buf_dynamic_attach, DMA_BUF);
977 
978 /**
979  * dma_buf_attach - Wrapper for dma_buf_dynamic_attach
980  * @dmabuf:	[in]	buffer to attach device to.
981  * @dev:	[in]	device to be attached.
982  *
983  * Wrapper to call dma_buf_dynamic_attach() for drivers which still use a static
984  * mapping.
985  */
986 struct dma_buf_attachment *dma_buf_attach(struct dma_buf *dmabuf,
987 					  struct device *dev)
988 {
989 	return dma_buf_dynamic_attach(dmabuf, dev, NULL, NULL);
990 }
991 EXPORT_SYMBOL_NS_GPL(dma_buf_attach, DMA_BUF);
992 
993 static void __unmap_dma_buf(struct dma_buf_attachment *attach,
994 			    struct sg_table *sg_table,
995 			    enum dma_data_direction direction)
996 {
997 	/* uses XOR, hence this unmangles */
998 	mangle_sg_table(sg_table);
999 
1000 	attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction);
1001 }
1002 
1003 /**
1004  * dma_buf_detach - Remove the given attachment from dmabuf's attachments list
1005  * @dmabuf:	[in]	buffer to detach from.
1006  * @attach:	[in]	attachment to be detached; is free'd after this call.
1007  *
1008  * Clean up a device attachment obtained by calling dma_buf_attach().
1009  *
1010  * Optionally this calls &dma_buf_ops.detach for device-specific detach.
1011  */
1012 void dma_buf_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attach)
1013 {
1014 	if (WARN_ON(!dmabuf || !attach || dmabuf != attach->dmabuf))
1015 		return;
1016 
1017 	dma_resv_lock(dmabuf->resv, NULL);
1018 
1019 	if (attach->sgt) {
1020 
1021 		__unmap_dma_buf(attach, attach->sgt, attach->dir);
1022 
1023 		if (dma_buf_is_dynamic(attach->dmabuf))
1024 			dmabuf->ops->unpin(attach);
1025 	}
1026 	list_del(&attach->node);
1027 
1028 	dma_resv_unlock(dmabuf->resv);
1029 
1030 	if (dmabuf->ops->detach)
1031 		dmabuf->ops->detach(dmabuf, attach);
1032 
1033 	kfree(attach);
1034 }
1035 EXPORT_SYMBOL_NS_GPL(dma_buf_detach, DMA_BUF);
1036 
1037 /**
1038  * dma_buf_pin - Lock down the DMA-buf
1039  * @attach:	[in]	attachment which should be pinned
1040  *
1041  * Only dynamic importers (who set up @attach with dma_buf_dynamic_attach()) may
1042  * call this, and only for limited use cases like scanout and not for temporary
1043  * pin operations. It is not permitted to allow userspace to pin arbitrary
1044  * amounts of buffers through this interface.
1045  *
1046  * Buffers must be unpinned by calling dma_buf_unpin().
1047  *
1048  * Returns:
1049  * 0 on success, negative error code on failure.
1050  */
1051 int dma_buf_pin(struct dma_buf_attachment *attach)
1052 {
1053 	struct dma_buf *dmabuf = attach->dmabuf;
1054 	int ret = 0;
1055 
1056 	WARN_ON(!dma_buf_attachment_is_dynamic(attach));
1057 
1058 	dma_resv_assert_held(dmabuf->resv);
1059 
1060 	if (dmabuf->ops->pin)
1061 		ret = dmabuf->ops->pin(attach);
1062 
1063 	return ret;
1064 }
1065 EXPORT_SYMBOL_NS_GPL(dma_buf_pin, DMA_BUF);
1066 
1067 /**
1068  * dma_buf_unpin - Unpin a DMA-buf
1069  * @attach:	[in]	attachment which should be unpinned
1070  *
1071  * This unpins a buffer pinned by dma_buf_pin() and allows the exporter to move
1072  * any mapping of @attach again and inform the importer through
1073  * &dma_buf_attach_ops.move_notify.
1074  */
1075 void dma_buf_unpin(struct dma_buf_attachment *attach)
1076 {
1077 	struct dma_buf *dmabuf = attach->dmabuf;
1078 
1079 	WARN_ON(!dma_buf_attachment_is_dynamic(attach));
1080 
1081 	dma_resv_assert_held(dmabuf->resv);
1082 
1083 	if (dmabuf->ops->unpin)
1084 		dmabuf->ops->unpin(attach);
1085 }
1086 EXPORT_SYMBOL_NS_GPL(dma_buf_unpin, DMA_BUF);
1087 
1088 /**
1089  * dma_buf_map_attachment - Returns the scatterlist table of the attachment;
1090  * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the
1091  * dma_buf_ops.
1092  * @attach:	[in]	attachment whose scatterlist is to be returned
1093  * @direction:	[in]	direction of DMA transfer
1094  *
1095  * Returns sg_table containing the scatterlist to be returned; returns ERR_PTR
1096  * on error. May return -EINTR if it is interrupted by a signal.
1097  *
1098  * On success, the DMA addresses and lengths in the returned scatterlist are
1099  * PAGE_SIZE aligned.
1100  *
1101  * A mapping must be unmapped by using dma_buf_unmap_attachment(). Note that
1102  * the underlying backing storage is pinned for as long as a mapping exists,
1103  * therefore users/importers should not hold onto a mapping for undue amounts of
1104  * time.
1105  *
1106  * Important: Dynamic importers must wait for the exclusive fence of the struct
1107  * dma_resv attached to the DMA-BUF first.
1108  */
1109 struct sg_table *dma_buf_map_attachment(struct dma_buf_attachment *attach,
1110 					enum dma_data_direction direction)
1111 {
1112 	struct sg_table *sg_table;
1113 	int r;
1114 
1115 	might_sleep();
1116 
1117 	if (WARN_ON(!attach || !attach->dmabuf))
1118 		return ERR_PTR(-EINVAL);
1119 
1120 	dma_resv_assert_held(attach->dmabuf->resv);
1121 
1122 	if (attach->sgt) {
1123 		/*
1124 		 * Two mappings with different directions for the same
1125 		 * attachment are not allowed.
1126 		 */
1127 		if (attach->dir != direction &&
1128 		    attach->dir != DMA_BIDIRECTIONAL)
1129 			return ERR_PTR(-EBUSY);
1130 
1131 		return attach->sgt;
1132 	}
1133 
1134 	if (dma_buf_is_dynamic(attach->dmabuf)) {
1135 		if (!IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY)) {
1136 			r = attach->dmabuf->ops->pin(attach);
1137 			if (r)
1138 				return ERR_PTR(r);
1139 		}
1140 	}
1141 
1142 	sg_table = __map_dma_buf(attach, direction);
1143 	if (!sg_table)
1144 		sg_table = ERR_PTR(-ENOMEM);
1145 
1146 	if (IS_ERR(sg_table) && dma_buf_is_dynamic(attach->dmabuf) &&
1147 	     !IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY))
1148 		attach->dmabuf->ops->unpin(attach);
1149 
1150 	if (!IS_ERR(sg_table) && attach->dmabuf->ops->cache_sgt_mapping) {
1151 		attach->sgt = sg_table;
1152 		attach->dir = direction;
1153 	}
1154 
1155 #ifdef CONFIG_DMA_API_DEBUG
1156 	if (!IS_ERR(sg_table)) {
1157 		struct scatterlist *sg;
1158 		u64 addr;
1159 		int len;
1160 		int i;
1161 
1162 		for_each_sgtable_dma_sg(sg_table, sg, i) {
1163 			addr = sg_dma_address(sg);
1164 			len = sg_dma_len(sg);
1165 			if (!PAGE_ALIGNED(addr) || !PAGE_ALIGNED(len)) {
1166 				pr_debug("%s: addr %llx or len %x is not page aligned!\n",
1167 					 __func__, addr, len);
1168 			}
1169 		}
1170 	}
1171 #endif /* CONFIG_DMA_API_DEBUG */
1172 	return sg_table;
1173 }
1174 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment, DMA_BUF);
1175 
1176 /**
1177  * dma_buf_map_attachment_unlocked - Returns the scatterlist table of the attachment;
1178  * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the
1179  * dma_buf_ops.
1180  * @attach:	[in]	attachment whose scatterlist is to be returned
1181  * @direction:	[in]	direction of DMA transfer
1182  *
1183  * Unlocked variant of dma_buf_map_attachment().
1184  */
1185 struct sg_table *
1186 dma_buf_map_attachment_unlocked(struct dma_buf_attachment *attach,
1187 				enum dma_data_direction direction)
1188 {
1189 	struct sg_table *sg_table;
1190 
1191 	might_sleep();
1192 
1193 	if (WARN_ON(!attach || !attach->dmabuf))
1194 		return ERR_PTR(-EINVAL);
1195 
1196 	dma_resv_lock(attach->dmabuf->resv, NULL);
1197 	sg_table = dma_buf_map_attachment(attach, direction);
1198 	dma_resv_unlock(attach->dmabuf->resv);
1199 
1200 	return sg_table;
1201 }
1202 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment_unlocked, DMA_BUF);
1203 
1204 /**
1205  * dma_buf_unmap_attachment - unmaps and decreases usecount of the buffer;might
1206  * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of
1207  * dma_buf_ops.
1208  * @attach:	[in]	attachment to unmap buffer from
1209  * @sg_table:	[in]	scatterlist info of the buffer to unmap
1210  * @direction:  [in]    direction of DMA transfer
1211  *
1212  * This unmaps a DMA mapping for @attached obtained by dma_buf_map_attachment().
1213  */
1214 void dma_buf_unmap_attachment(struct dma_buf_attachment *attach,
1215 				struct sg_table *sg_table,
1216 				enum dma_data_direction direction)
1217 {
1218 	might_sleep();
1219 
1220 	if (WARN_ON(!attach || !attach->dmabuf || !sg_table))
1221 		return;
1222 
1223 	dma_resv_assert_held(attach->dmabuf->resv);
1224 
1225 	if (attach->sgt == sg_table)
1226 		return;
1227 
1228 	__unmap_dma_buf(attach, sg_table, direction);
1229 
1230 	if (dma_buf_is_dynamic(attach->dmabuf) &&
1231 	    !IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY))
1232 		dma_buf_unpin(attach);
1233 }
1234 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment, DMA_BUF);
1235 
1236 /**
1237  * dma_buf_unmap_attachment_unlocked - unmaps and decreases usecount of the buffer;might
1238  * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of
1239  * dma_buf_ops.
1240  * @attach:	[in]	attachment to unmap buffer from
1241  * @sg_table:	[in]	scatterlist info of the buffer to unmap
1242  * @direction:	[in]	direction of DMA transfer
1243  *
1244  * Unlocked variant of dma_buf_unmap_attachment().
1245  */
1246 void dma_buf_unmap_attachment_unlocked(struct dma_buf_attachment *attach,
1247 				       struct sg_table *sg_table,
1248 				       enum dma_data_direction direction)
1249 {
1250 	might_sleep();
1251 
1252 	if (WARN_ON(!attach || !attach->dmabuf || !sg_table))
1253 		return;
1254 
1255 	dma_resv_lock(attach->dmabuf->resv, NULL);
1256 	dma_buf_unmap_attachment(attach, sg_table, direction);
1257 	dma_resv_unlock(attach->dmabuf->resv);
1258 }
1259 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment_unlocked, DMA_BUF);
1260 
1261 /**
1262  * dma_buf_move_notify - notify attachments that DMA-buf is moving
1263  *
1264  * @dmabuf:	[in]	buffer which is moving
1265  *
1266  * Informs all attachmenst that they need to destroy and recreated all their
1267  * mappings.
1268  */
1269 void dma_buf_move_notify(struct dma_buf *dmabuf)
1270 {
1271 	struct dma_buf_attachment *attach;
1272 
1273 	dma_resv_assert_held(dmabuf->resv);
1274 
1275 	list_for_each_entry(attach, &dmabuf->attachments, node)
1276 		if (attach->importer_ops)
1277 			attach->importer_ops->move_notify(attach);
1278 }
1279 EXPORT_SYMBOL_NS_GPL(dma_buf_move_notify, DMA_BUF);
1280 
1281 /**
1282  * DOC: cpu access
1283  *
1284  * There are mutliple reasons for supporting CPU access to a dma buffer object:
1285  *
1286  * - Fallback operations in the kernel, for example when a device is connected
1287  *   over USB and the kernel needs to shuffle the data around first before
1288  *   sending it away. Cache coherency is handled by braketing any transactions
1289  *   with calls to dma_buf_begin_cpu_access() and dma_buf_end_cpu_access()
1290  *   access.
1291  *
1292  *   Since for most kernel internal dma-buf accesses need the entire buffer, a
1293  *   vmap interface is introduced. Note that on very old 32-bit architectures
1294  *   vmalloc space might be limited and result in vmap calls failing.
1295  *
1296  *   Interfaces::
1297  *
1298  *      void \*dma_buf_vmap(struct dma_buf \*dmabuf, struct iosys_map \*map)
1299  *      void dma_buf_vunmap(struct dma_buf \*dmabuf, struct iosys_map \*map)
1300  *
1301  *   The vmap call can fail if there is no vmap support in the exporter, or if
1302  *   it runs out of vmalloc space. Note that the dma-buf layer keeps a reference
1303  *   count for all vmap access and calls down into the exporter's vmap function
1304  *   only when no vmapping exists, and only unmaps it once. Protection against
1305  *   concurrent vmap/vunmap calls is provided by taking the &dma_buf.lock mutex.
1306  *
1307  * - For full compatibility on the importer side with existing userspace
1308  *   interfaces, which might already support mmap'ing buffers. This is needed in
1309  *   many processing pipelines (e.g. feeding a software rendered image into a
1310  *   hardware pipeline, thumbnail creation, snapshots, ...). Also, Android's ION
1311  *   framework already supported this and for DMA buffer file descriptors to
1312  *   replace ION buffers mmap support was needed.
1313  *
1314  *   There is no special interfaces, userspace simply calls mmap on the dma-buf
1315  *   fd. But like for CPU access there's a need to braket the actual access,
1316  *   which is handled by the ioctl (DMA_BUF_IOCTL_SYNC). Note that
1317  *   DMA_BUF_IOCTL_SYNC can fail with -EAGAIN or -EINTR, in which case it must
1318  *   be restarted.
1319  *
1320  *   Some systems might need some sort of cache coherency management e.g. when
1321  *   CPU and GPU domains are being accessed through dma-buf at the same time.
1322  *   To circumvent this problem there are begin/end coherency markers, that
1323  *   forward directly to existing dma-buf device drivers vfunc hooks. Userspace
1324  *   can make use of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The
1325  *   sequence would be used like following:
1326  *
1327  *     - mmap dma-buf fd
1328  *     - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write
1329  *       to mmap area 3. SYNC_END ioctl. This can be repeated as often as you
1330  *       want (with the new data being consumed by say the GPU or the scanout
1331  *       device)
1332  *     - munmap once you don't need the buffer any more
1333  *
1334  *    For correctness and optimal performance, it is always required to use
1335  *    SYNC_START and SYNC_END before and after, respectively, when accessing the
1336  *    mapped address. Userspace cannot rely on coherent access, even when there
1337  *    are systems where it just works without calling these ioctls.
1338  *
1339  * - And as a CPU fallback in userspace processing pipelines.
1340  *
1341  *   Similar to the motivation for kernel cpu access it is again important that
1342  *   the userspace code of a given importing subsystem can use the same
1343  *   interfaces with a imported dma-buf buffer object as with a native buffer
1344  *   object. This is especially important for drm where the userspace part of
1345  *   contemporary OpenGL, X, and other drivers is huge, and reworking them to
1346  *   use a different way to mmap a buffer rather invasive.
1347  *
1348  *   The assumption in the current dma-buf interfaces is that redirecting the
1349  *   initial mmap is all that's needed. A survey of some of the existing
1350  *   subsystems shows that no driver seems to do any nefarious thing like
1351  *   syncing up with outstanding asynchronous processing on the device or
1352  *   allocating special resources at fault time. So hopefully this is good
1353  *   enough, since adding interfaces to intercept pagefaults and allow pte
1354  *   shootdowns would increase the complexity quite a bit.
1355  *
1356  *   Interface::
1357  *
1358  *      int dma_buf_mmap(struct dma_buf \*, struct vm_area_struct \*,
1359  *		       unsigned long);
1360  *
1361  *   If the importing subsystem simply provides a special-purpose mmap call to
1362  *   set up a mapping in userspace, calling do_mmap with &dma_buf.file will
1363  *   equally achieve that for a dma-buf object.
1364  */
1365 
1366 static int __dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
1367 				      enum dma_data_direction direction)
1368 {
1369 	bool write = (direction == DMA_BIDIRECTIONAL ||
1370 		      direction == DMA_TO_DEVICE);
1371 	struct dma_resv *resv = dmabuf->resv;
1372 	long ret;
1373 
1374 	/* Wait on any implicit rendering fences */
1375 	ret = dma_resv_wait_timeout(resv, dma_resv_usage_rw(write),
1376 				    true, MAX_SCHEDULE_TIMEOUT);
1377 	if (ret < 0)
1378 		return ret;
1379 
1380 	return 0;
1381 }
1382 
1383 /**
1384  * dma_buf_begin_cpu_access - Must be called before accessing a dma_buf from the
1385  * cpu in the kernel context. Calls begin_cpu_access to allow exporter-specific
1386  * preparations. Coherency is only guaranteed in the specified range for the
1387  * specified access direction.
1388  * @dmabuf:	[in]	buffer to prepare cpu access for.
1389  * @direction:	[in]	length of range for cpu access.
1390  *
1391  * After the cpu access is complete the caller should call
1392  * dma_buf_end_cpu_access(). Only when cpu access is braketed by both calls is
1393  * it guaranteed to be coherent with other DMA access.
1394  *
1395  * This function will also wait for any DMA transactions tracked through
1396  * implicit synchronization in &dma_buf.resv. For DMA transactions with explicit
1397  * synchronization this function will only ensure cache coherency, callers must
1398  * ensure synchronization with such DMA transactions on their own.
1399  *
1400  * Can return negative error values, returns 0 on success.
1401  */
1402 int dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
1403 			     enum dma_data_direction direction)
1404 {
1405 	int ret = 0;
1406 
1407 	if (WARN_ON(!dmabuf))
1408 		return -EINVAL;
1409 
1410 	might_lock(&dmabuf->resv->lock.base);
1411 
1412 	if (dmabuf->ops->begin_cpu_access)
1413 		ret = dmabuf->ops->begin_cpu_access(dmabuf, direction);
1414 
1415 	/* Ensure that all fences are waited upon - but we first allow
1416 	 * the native handler the chance to do so more efficiently if it
1417 	 * chooses. A double invocation here will be reasonably cheap no-op.
1418 	 */
1419 	if (ret == 0)
1420 		ret = __dma_buf_begin_cpu_access(dmabuf, direction);
1421 
1422 	return ret;
1423 }
1424 EXPORT_SYMBOL_NS_GPL(dma_buf_begin_cpu_access, DMA_BUF);
1425 
1426 /**
1427  * dma_buf_end_cpu_access - Must be called after accessing a dma_buf from the
1428  * cpu in the kernel context. Calls end_cpu_access to allow exporter-specific
1429  * actions. Coherency is only guaranteed in the specified range for the
1430  * specified access direction.
1431  * @dmabuf:	[in]	buffer to complete cpu access for.
1432  * @direction:	[in]	length of range for cpu access.
1433  *
1434  * This terminates CPU access started with dma_buf_begin_cpu_access().
1435  *
1436  * Can return negative error values, returns 0 on success.
1437  */
1438 int dma_buf_end_cpu_access(struct dma_buf *dmabuf,
1439 			   enum dma_data_direction direction)
1440 {
1441 	int ret = 0;
1442 
1443 	WARN_ON(!dmabuf);
1444 
1445 	might_lock(&dmabuf->resv->lock.base);
1446 
1447 	if (dmabuf->ops->end_cpu_access)
1448 		ret = dmabuf->ops->end_cpu_access(dmabuf, direction);
1449 
1450 	return ret;
1451 }
1452 EXPORT_SYMBOL_NS_GPL(dma_buf_end_cpu_access, DMA_BUF);
1453 
1454 
1455 /**
1456  * dma_buf_mmap - Setup up a userspace mmap with the given vma
1457  * @dmabuf:	[in]	buffer that should back the vma
1458  * @vma:	[in]	vma for the mmap
1459  * @pgoff:	[in]	offset in pages where this mmap should start within the
1460  *			dma-buf buffer.
1461  *
1462  * This function adjusts the passed in vma so that it points at the file of the
1463  * dma_buf operation. It also adjusts the starting pgoff and does bounds
1464  * checking on the size of the vma. Then it calls the exporters mmap function to
1465  * set up the mapping.
1466  *
1467  * Can return negative error values, returns 0 on success.
1468  */
1469 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
1470 		 unsigned long pgoff)
1471 {
1472 	int ret;
1473 
1474 	if (WARN_ON(!dmabuf || !vma))
1475 		return -EINVAL;
1476 
1477 	/* check if buffer supports mmap */
1478 	if (!dmabuf->ops->mmap)
1479 		return -EINVAL;
1480 
1481 	/* check for offset overflow */
1482 	if (pgoff + vma_pages(vma) < pgoff)
1483 		return -EOVERFLOW;
1484 
1485 	/* check for overflowing the buffer's size */
1486 	if (pgoff + vma_pages(vma) >
1487 	    dmabuf->size >> PAGE_SHIFT)
1488 		return -EINVAL;
1489 
1490 	/* readjust the vma */
1491 	vma_set_file(vma, dmabuf->file);
1492 	vma->vm_pgoff = pgoff;
1493 
1494 	dma_resv_lock(dmabuf->resv, NULL);
1495 	ret = dmabuf->ops->mmap(dmabuf, vma);
1496 	dma_resv_unlock(dmabuf->resv);
1497 
1498 	return ret;
1499 }
1500 EXPORT_SYMBOL_NS_GPL(dma_buf_mmap, DMA_BUF);
1501 
1502 /**
1503  * dma_buf_vmap - Create virtual mapping for the buffer object into kernel
1504  * address space. Same restrictions as for vmap and friends apply.
1505  * @dmabuf:	[in]	buffer to vmap
1506  * @map:	[out]	returns the vmap pointer
1507  *
1508  * This call may fail due to lack of virtual mapping address space.
1509  * These calls are optional in drivers. The intended use for them
1510  * is for mapping objects linear in kernel space for high use objects.
1511  *
1512  * To ensure coherency users must call dma_buf_begin_cpu_access() and
1513  * dma_buf_end_cpu_access() around any cpu access performed through this
1514  * mapping.
1515  *
1516  * Returns 0 on success, or a negative errno code otherwise.
1517  */
1518 int dma_buf_vmap(struct dma_buf *dmabuf, struct iosys_map *map)
1519 {
1520 	struct iosys_map ptr;
1521 	int ret;
1522 
1523 	iosys_map_clear(map);
1524 
1525 	if (WARN_ON(!dmabuf))
1526 		return -EINVAL;
1527 
1528 	dma_resv_assert_held(dmabuf->resv);
1529 
1530 	if (!dmabuf->ops->vmap)
1531 		return -EINVAL;
1532 
1533 	if (dmabuf->vmapping_counter) {
1534 		dmabuf->vmapping_counter++;
1535 		BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr));
1536 		*map = dmabuf->vmap_ptr;
1537 		return 0;
1538 	}
1539 
1540 	BUG_ON(iosys_map_is_set(&dmabuf->vmap_ptr));
1541 
1542 	ret = dmabuf->ops->vmap(dmabuf, &ptr);
1543 	if (WARN_ON_ONCE(ret))
1544 		return ret;
1545 
1546 	dmabuf->vmap_ptr = ptr;
1547 	dmabuf->vmapping_counter = 1;
1548 
1549 	*map = dmabuf->vmap_ptr;
1550 
1551 	return 0;
1552 }
1553 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap, DMA_BUF);
1554 
1555 /**
1556  * dma_buf_vmap_unlocked - Create virtual mapping for the buffer object into kernel
1557  * address space. Same restrictions as for vmap and friends apply.
1558  * @dmabuf:	[in]	buffer to vmap
1559  * @map:	[out]	returns the vmap pointer
1560  *
1561  * Unlocked version of dma_buf_vmap()
1562  *
1563  * Returns 0 on success, or a negative errno code otherwise.
1564  */
1565 int dma_buf_vmap_unlocked(struct dma_buf *dmabuf, struct iosys_map *map)
1566 {
1567 	int ret;
1568 
1569 	iosys_map_clear(map);
1570 
1571 	if (WARN_ON(!dmabuf))
1572 		return -EINVAL;
1573 
1574 	dma_resv_lock(dmabuf->resv, NULL);
1575 	ret = dma_buf_vmap(dmabuf, map);
1576 	dma_resv_unlock(dmabuf->resv);
1577 
1578 	return ret;
1579 }
1580 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap_unlocked, DMA_BUF);
1581 
1582 /**
1583  * dma_buf_vunmap - Unmap a vmap obtained by dma_buf_vmap.
1584  * @dmabuf:	[in]	buffer to vunmap
1585  * @map:	[in]	vmap pointer to vunmap
1586  */
1587 void dma_buf_vunmap(struct dma_buf *dmabuf, struct iosys_map *map)
1588 {
1589 	if (WARN_ON(!dmabuf))
1590 		return;
1591 
1592 	dma_resv_assert_held(dmabuf->resv);
1593 
1594 	BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr));
1595 	BUG_ON(dmabuf->vmapping_counter == 0);
1596 	BUG_ON(!iosys_map_is_equal(&dmabuf->vmap_ptr, map));
1597 
1598 	if (--dmabuf->vmapping_counter == 0) {
1599 		if (dmabuf->ops->vunmap)
1600 			dmabuf->ops->vunmap(dmabuf, map);
1601 		iosys_map_clear(&dmabuf->vmap_ptr);
1602 	}
1603 }
1604 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap, DMA_BUF);
1605 
1606 /**
1607  * dma_buf_vunmap_unlocked - Unmap a vmap obtained by dma_buf_vmap.
1608  * @dmabuf:	[in]	buffer to vunmap
1609  * @map:	[in]	vmap pointer to vunmap
1610  */
1611 void dma_buf_vunmap_unlocked(struct dma_buf *dmabuf, struct iosys_map *map)
1612 {
1613 	if (WARN_ON(!dmabuf))
1614 		return;
1615 
1616 	dma_resv_lock(dmabuf->resv, NULL);
1617 	dma_buf_vunmap(dmabuf, map);
1618 	dma_resv_unlock(dmabuf->resv);
1619 }
1620 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap_unlocked, DMA_BUF);
1621 
1622 #ifdef CONFIG_DEBUG_FS
1623 static int dma_buf_debug_show(struct seq_file *s, void *unused)
1624 {
1625 	struct dma_buf *buf_obj;
1626 	struct dma_buf_attachment *attach_obj;
1627 	int count = 0, attach_count;
1628 	size_t size = 0;
1629 	int ret;
1630 
1631 	ret = mutex_lock_interruptible(&db_list.lock);
1632 
1633 	if (ret)
1634 		return ret;
1635 
1636 	seq_puts(s, "\nDma-buf Objects:\n");
1637 	seq_printf(s, "%-8s\t%-8s\t%-8s\t%-8s\texp_name\t%-8s\tname\n",
1638 		   "size", "flags", "mode", "count", "ino");
1639 
1640 	list_for_each_entry(buf_obj, &db_list.head, list_node) {
1641 
1642 		ret = dma_resv_lock_interruptible(buf_obj->resv, NULL);
1643 		if (ret)
1644 			goto error_unlock;
1645 
1646 
1647 		spin_lock(&buf_obj->name_lock);
1648 		seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n",
1649 				buf_obj->size,
1650 				buf_obj->file->f_flags, buf_obj->file->f_mode,
1651 				file_count(buf_obj->file),
1652 				buf_obj->exp_name,
1653 				file_inode(buf_obj->file)->i_ino,
1654 				buf_obj->name ?: "<none>");
1655 		spin_unlock(&buf_obj->name_lock);
1656 
1657 		dma_resv_describe(buf_obj->resv, s);
1658 
1659 		seq_puts(s, "\tAttached Devices:\n");
1660 		attach_count = 0;
1661 
1662 		list_for_each_entry(attach_obj, &buf_obj->attachments, node) {
1663 			seq_printf(s, "\t%s\n", dev_name(attach_obj->dev));
1664 			attach_count++;
1665 		}
1666 		dma_resv_unlock(buf_obj->resv);
1667 
1668 		seq_printf(s, "Total %d devices attached\n\n",
1669 				attach_count);
1670 
1671 		count++;
1672 		size += buf_obj->size;
1673 	}
1674 
1675 	seq_printf(s, "\nTotal %d objects, %zu bytes\n", count, size);
1676 
1677 	mutex_unlock(&db_list.lock);
1678 	return 0;
1679 
1680 error_unlock:
1681 	mutex_unlock(&db_list.lock);
1682 	return ret;
1683 }
1684 
1685 DEFINE_SHOW_ATTRIBUTE(dma_buf_debug);
1686 
1687 static struct dentry *dma_buf_debugfs_dir;
1688 
1689 static int dma_buf_init_debugfs(void)
1690 {
1691 	struct dentry *d;
1692 	int err = 0;
1693 
1694 	d = debugfs_create_dir("dma_buf", NULL);
1695 	if (IS_ERR(d))
1696 		return PTR_ERR(d);
1697 
1698 	dma_buf_debugfs_dir = d;
1699 
1700 	d = debugfs_create_file("bufinfo", S_IRUGO, dma_buf_debugfs_dir,
1701 				NULL, &dma_buf_debug_fops);
1702 	if (IS_ERR(d)) {
1703 		pr_debug("dma_buf: debugfs: failed to create node bufinfo\n");
1704 		debugfs_remove_recursive(dma_buf_debugfs_dir);
1705 		dma_buf_debugfs_dir = NULL;
1706 		err = PTR_ERR(d);
1707 	}
1708 
1709 	return err;
1710 }
1711 
1712 static void dma_buf_uninit_debugfs(void)
1713 {
1714 	debugfs_remove_recursive(dma_buf_debugfs_dir);
1715 }
1716 #else
1717 static inline int dma_buf_init_debugfs(void)
1718 {
1719 	return 0;
1720 }
1721 static inline void dma_buf_uninit_debugfs(void)
1722 {
1723 }
1724 #endif
1725 
1726 static int __init dma_buf_init(void)
1727 {
1728 	int ret;
1729 
1730 	ret = dma_buf_init_sysfs_statistics();
1731 	if (ret)
1732 		return ret;
1733 
1734 	dma_buf_mnt = kern_mount(&dma_buf_fs_type);
1735 	if (IS_ERR(dma_buf_mnt))
1736 		return PTR_ERR(dma_buf_mnt);
1737 
1738 	mutex_init(&db_list.lock);
1739 	INIT_LIST_HEAD(&db_list.head);
1740 	dma_buf_init_debugfs();
1741 	return 0;
1742 }
1743 subsys_initcall(dma_buf_init);
1744 
1745 static void __exit dma_buf_deinit(void)
1746 {
1747 	dma_buf_uninit_debugfs();
1748 	kern_unmount(dma_buf_mnt);
1749 	dma_buf_uninit_sysfs_statistics();
1750 }
1751 __exitcall(dma_buf_deinit);
1752