xref: /openbmc/linux/drivers/dma-buf/dma-buf.c (revision 61c1f340bc809a1ca1e3c8794207a91cde1a7c78)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Framework for buffer objects that can be shared across devices/subsystems.
4  *
5  * Copyright(C) 2011 Linaro Limited. All rights reserved.
6  * Author: Sumit Semwal <sumit.semwal@ti.com>
7  *
8  * Many thanks to linaro-mm-sig list, and specially
9  * Arnd Bergmann <arnd@arndb.de>, Rob Clark <rob@ti.com> and
10  * Daniel Vetter <daniel@ffwll.ch> for their support in creation and
11  * refining of this idea.
12  */
13 
14 #include <linux/fs.h>
15 #include <linux/slab.h>
16 #include <linux/dma-buf.h>
17 #include <linux/dma-fence.h>
18 #include <linux/anon_inodes.h>
19 #include <linux/export.h>
20 #include <linux/debugfs.h>
21 #include <linux/module.h>
22 #include <linux/seq_file.h>
23 #include <linux/sync_file.h>
24 #include <linux/poll.h>
25 #include <linux/dma-resv.h>
26 #include <linux/mm.h>
27 #include <linux/mount.h>
28 #include <linux/pseudo_fs.h>
29 
30 #include <uapi/linux/dma-buf.h>
31 #include <uapi/linux/magic.h>
32 
33 #include "dma-buf-sysfs-stats.h"
34 
35 static inline int is_dma_buf_file(struct file *);
36 
37 struct dma_buf_list {
38 	struct list_head head;
39 	struct mutex lock;
40 };
41 
42 static struct dma_buf_list db_list;
43 
44 static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen)
45 {
46 	struct dma_buf *dmabuf;
47 	char name[DMA_BUF_NAME_LEN];
48 	size_t ret = 0;
49 
50 	dmabuf = dentry->d_fsdata;
51 	spin_lock(&dmabuf->name_lock);
52 	if (dmabuf->name)
53 		ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN);
54 	spin_unlock(&dmabuf->name_lock);
55 
56 	return dynamic_dname(dentry, buffer, buflen, "/%s:%s",
57 			     dentry->d_name.name, ret > 0 ? name : "");
58 }
59 
60 static void dma_buf_release(struct dentry *dentry)
61 {
62 	struct dma_buf *dmabuf;
63 
64 	dmabuf = dentry->d_fsdata;
65 	if (unlikely(!dmabuf))
66 		return;
67 
68 	BUG_ON(dmabuf->vmapping_counter);
69 
70 	/*
71 	 * If you hit this BUG() it could mean:
72 	 * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else
73 	 * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback
74 	 */
75 	BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active);
76 
77 	dma_buf_stats_teardown(dmabuf);
78 	dmabuf->ops->release(dmabuf);
79 
80 	if (dmabuf->resv == (struct dma_resv *)&dmabuf[1])
81 		dma_resv_fini(dmabuf->resv);
82 
83 	WARN_ON(!list_empty(&dmabuf->attachments));
84 	module_put(dmabuf->owner);
85 	kfree(dmabuf->name);
86 	kfree(dmabuf);
87 }
88 
89 static int dma_buf_file_release(struct inode *inode, struct file *file)
90 {
91 	struct dma_buf *dmabuf;
92 
93 	if (!is_dma_buf_file(file))
94 		return -EINVAL;
95 
96 	dmabuf = file->private_data;
97 
98 	mutex_lock(&db_list.lock);
99 	list_del(&dmabuf->list_node);
100 	mutex_unlock(&db_list.lock);
101 
102 	return 0;
103 }
104 
105 static const struct dentry_operations dma_buf_dentry_ops = {
106 	.d_dname = dmabuffs_dname,
107 	.d_release = dma_buf_release,
108 };
109 
110 static struct vfsmount *dma_buf_mnt;
111 
112 static int dma_buf_fs_init_context(struct fs_context *fc)
113 {
114 	struct pseudo_fs_context *ctx;
115 
116 	ctx = init_pseudo(fc, DMA_BUF_MAGIC);
117 	if (!ctx)
118 		return -ENOMEM;
119 	ctx->dops = &dma_buf_dentry_ops;
120 	return 0;
121 }
122 
123 static struct file_system_type dma_buf_fs_type = {
124 	.name = "dmabuf",
125 	.init_fs_context = dma_buf_fs_init_context,
126 	.kill_sb = kill_anon_super,
127 };
128 
129 static int dma_buf_mmap_internal(struct file *file, struct vm_area_struct *vma)
130 {
131 	struct dma_buf *dmabuf;
132 
133 	if (!is_dma_buf_file(file))
134 		return -EINVAL;
135 
136 	dmabuf = file->private_data;
137 
138 	/* check if buffer supports mmap */
139 	if (!dmabuf->ops->mmap)
140 		return -EINVAL;
141 
142 	/* check for overflowing the buffer's size */
143 	if (vma->vm_pgoff + vma_pages(vma) >
144 	    dmabuf->size >> PAGE_SHIFT)
145 		return -EINVAL;
146 
147 	return dmabuf->ops->mmap(dmabuf, vma);
148 }
149 
150 static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence)
151 {
152 	struct dma_buf *dmabuf;
153 	loff_t base;
154 
155 	if (!is_dma_buf_file(file))
156 		return -EBADF;
157 
158 	dmabuf = file->private_data;
159 
160 	/* only support discovering the end of the buffer,
161 	   but also allow SEEK_SET to maintain the idiomatic
162 	   SEEK_END(0), SEEK_CUR(0) pattern */
163 	if (whence == SEEK_END)
164 		base = dmabuf->size;
165 	else if (whence == SEEK_SET)
166 		base = 0;
167 	else
168 		return -EINVAL;
169 
170 	if (offset != 0)
171 		return -EINVAL;
172 
173 	return base + offset;
174 }
175 
176 /**
177  * DOC: implicit fence polling
178  *
179  * To support cross-device and cross-driver synchronization of buffer access
180  * implicit fences (represented internally in the kernel with &struct dma_fence)
181  * can be attached to a &dma_buf. The glue for that and a few related things are
182  * provided in the &dma_resv structure.
183  *
184  * Userspace can query the state of these implicitly tracked fences using poll()
185  * and related system calls:
186  *
187  * - Checking for EPOLLIN, i.e. read access, can be use to query the state of the
188  *   most recent write or exclusive fence.
189  *
190  * - Checking for EPOLLOUT, i.e. write access, can be used to query the state of
191  *   all attached fences, shared and exclusive ones.
192  *
193  * Note that this only signals the completion of the respective fences, i.e. the
194  * DMA transfers are complete. Cache flushing and any other necessary
195  * preparations before CPU access can begin still need to happen.
196  *
197  * As an alternative to poll(), the set of fences on DMA buffer can be
198  * exported as a &sync_file using &dma_buf_sync_file_export.
199  */
200 
201 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb)
202 {
203 	struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb;
204 	struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll);
205 	unsigned long flags;
206 
207 	spin_lock_irqsave(&dcb->poll->lock, flags);
208 	wake_up_locked_poll(dcb->poll, dcb->active);
209 	dcb->active = 0;
210 	spin_unlock_irqrestore(&dcb->poll->lock, flags);
211 	dma_fence_put(fence);
212 	/* Paired with get_file in dma_buf_poll */
213 	fput(dmabuf->file);
214 }
215 
216 static bool dma_buf_poll_add_cb(struct dma_resv *resv, bool write,
217 				struct dma_buf_poll_cb_t *dcb)
218 {
219 	struct dma_resv_iter cursor;
220 	struct dma_fence *fence;
221 	int r;
222 
223 	dma_resv_for_each_fence(&cursor, resv, dma_resv_usage_rw(write),
224 				fence) {
225 		dma_fence_get(fence);
226 		r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb);
227 		if (!r)
228 			return true;
229 		dma_fence_put(fence);
230 	}
231 
232 	return false;
233 }
234 
235 static __poll_t dma_buf_poll(struct file *file, poll_table *poll)
236 {
237 	struct dma_buf *dmabuf;
238 	struct dma_resv *resv;
239 	__poll_t events;
240 
241 	dmabuf = file->private_data;
242 	if (!dmabuf || !dmabuf->resv)
243 		return EPOLLERR;
244 
245 	resv = dmabuf->resv;
246 
247 	poll_wait(file, &dmabuf->poll, poll);
248 
249 	events = poll_requested_events(poll) & (EPOLLIN | EPOLLOUT);
250 	if (!events)
251 		return 0;
252 
253 	dma_resv_lock(resv, NULL);
254 
255 	if (events & EPOLLOUT) {
256 		struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_out;
257 
258 		/* Check that callback isn't busy */
259 		spin_lock_irq(&dmabuf->poll.lock);
260 		if (dcb->active)
261 			events &= ~EPOLLOUT;
262 		else
263 			dcb->active = EPOLLOUT;
264 		spin_unlock_irq(&dmabuf->poll.lock);
265 
266 		if (events & EPOLLOUT) {
267 			/* Paired with fput in dma_buf_poll_cb */
268 			get_file(dmabuf->file);
269 
270 			if (!dma_buf_poll_add_cb(resv, true, dcb))
271 				/* No callback queued, wake up any other waiters */
272 				dma_buf_poll_cb(NULL, &dcb->cb);
273 			else
274 				events &= ~EPOLLOUT;
275 		}
276 	}
277 
278 	if (events & EPOLLIN) {
279 		struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_in;
280 
281 		/* Check that callback isn't busy */
282 		spin_lock_irq(&dmabuf->poll.lock);
283 		if (dcb->active)
284 			events &= ~EPOLLIN;
285 		else
286 			dcb->active = EPOLLIN;
287 		spin_unlock_irq(&dmabuf->poll.lock);
288 
289 		if (events & EPOLLIN) {
290 			/* Paired with fput in dma_buf_poll_cb */
291 			get_file(dmabuf->file);
292 
293 			if (!dma_buf_poll_add_cb(resv, false, dcb))
294 				/* No callback queued, wake up any other waiters */
295 				dma_buf_poll_cb(NULL, &dcb->cb);
296 			else
297 				events &= ~EPOLLIN;
298 		}
299 	}
300 
301 	dma_resv_unlock(resv);
302 	return events;
303 }
304 
305 /**
306  * dma_buf_set_name - Set a name to a specific dma_buf to track the usage.
307  * It could support changing the name of the dma-buf if the same
308  * piece of memory is used for multiple purpose between different devices.
309  *
310  * @dmabuf: [in]     dmabuf buffer that will be renamed.
311  * @buf:    [in]     A piece of userspace memory that contains the name of
312  *                   the dma-buf.
313  *
314  * Returns 0 on success. If the dma-buf buffer is already attached to
315  * devices, return -EBUSY.
316  *
317  */
318 static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf)
319 {
320 	char *name = strndup_user(buf, DMA_BUF_NAME_LEN);
321 
322 	if (IS_ERR(name))
323 		return PTR_ERR(name);
324 
325 	spin_lock(&dmabuf->name_lock);
326 	kfree(dmabuf->name);
327 	dmabuf->name = name;
328 	spin_unlock(&dmabuf->name_lock);
329 
330 	return 0;
331 }
332 
333 #if IS_ENABLED(CONFIG_SYNC_FILE)
334 static long dma_buf_export_sync_file(struct dma_buf *dmabuf,
335 				     void __user *user_data)
336 {
337 	struct dma_buf_export_sync_file arg;
338 	enum dma_resv_usage usage;
339 	struct dma_fence *fence = NULL;
340 	struct sync_file *sync_file;
341 	int fd, ret;
342 
343 	if (copy_from_user(&arg, user_data, sizeof(arg)))
344 		return -EFAULT;
345 
346 	if (arg.flags & ~DMA_BUF_SYNC_RW)
347 		return -EINVAL;
348 
349 	if ((arg.flags & DMA_BUF_SYNC_RW) == 0)
350 		return -EINVAL;
351 
352 	fd = get_unused_fd_flags(O_CLOEXEC);
353 	if (fd < 0)
354 		return fd;
355 
356 	usage = dma_resv_usage_rw(arg.flags & DMA_BUF_SYNC_WRITE);
357 	ret = dma_resv_get_singleton(dmabuf->resv, usage, &fence);
358 	if (ret)
359 		goto err_put_fd;
360 
361 	if (!fence)
362 		fence = dma_fence_get_stub();
363 
364 	sync_file = sync_file_create(fence);
365 
366 	dma_fence_put(fence);
367 
368 	if (!sync_file) {
369 		ret = -ENOMEM;
370 		goto err_put_fd;
371 	}
372 
373 	arg.fd = fd;
374 	if (copy_to_user(user_data, &arg, sizeof(arg))) {
375 		ret = -EFAULT;
376 		goto err_put_file;
377 	}
378 
379 	fd_install(fd, sync_file->file);
380 
381 	return 0;
382 
383 err_put_file:
384 	fput(sync_file->file);
385 err_put_fd:
386 	put_unused_fd(fd);
387 	return ret;
388 }
389 
390 static long dma_buf_import_sync_file(struct dma_buf *dmabuf,
391 				     const void __user *user_data)
392 {
393 	struct dma_buf_import_sync_file arg;
394 	struct dma_fence *fence;
395 	enum dma_resv_usage usage;
396 	int ret = 0;
397 
398 	if (copy_from_user(&arg, user_data, sizeof(arg)))
399 		return -EFAULT;
400 
401 	if (arg.flags & ~DMA_BUF_SYNC_RW)
402 		return -EINVAL;
403 
404 	if ((arg.flags & DMA_BUF_SYNC_RW) == 0)
405 		return -EINVAL;
406 
407 	fence = sync_file_get_fence(arg.fd);
408 	if (!fence)
409 		return -EINVAL;
410 
411 	usage = (arg.flags & DMA_BUF_SYNC_WRITE) ? DMA_RESV_USAGE_WRITE :
412 						   DMA_RESV_USAGE_READ;
413 
414 	dma_resv_lock(dmabuf->resv, NULL);
415 
416 	ret = dma_resv_reserve_fences(dmabuf->resv, 1);
417 	if (!ret)
418 		dma_resv_add_fence(dmabuf->resv, fence, usage);
419 
420 	dma_resv_unlock(dmabuf->resv);
421 
422 	dma_fence_put(fence);
423 
424 	return ret;
425 }
426 #endif
427 
428 static long dma_buf_ioctl(struct file *file,
429 			  unsigned int cmd, unsigned long arg)
430 {
431 	struct dma_buf *dmabuf;
432 	struct dma_buf_sync sync;
433 	enum dma_data_direction direction;
434 	int ret;
435 
436 	dmabuf = file->private_data;
437 
438 	switch (cmd) {
439 	case DMA_BUF_IOCTL_SYNC:
440 		if (copy_from_user(&sync, (void __user *) arg, sizeof(sync)))
441 			return -EFAULT;
442 
443 		if (sync.flags & ~DMA_BUF_SYNC_VALID_FLAGS_MASK)
444 			return -EINVAL;
445 
446 		switch (sync.flags & DMA_BUF_SYNC_RW) {
447 		case DMA_BUF_SYNC_READ:
448 			direction = DMA_FROM_DEVICE;
449 			break;
450 		case DMA_BUF_SYNC_WRITE:
451 			direction = DMA_TO_DEVICE;
452 			break;
453 		case DMA_BUF_SYNC_RW:
454 			direction = DMA_BIDIRECTIONAL;
455 			break;
456 		default:
457 			return -EINVAL;
458 		}
459 
460 		if (sync.flags & DMA_BUF_SYNC_END)
461 			ret = dma_buf_end_cpu_access(dmabuf, direction);
462 		else
463 			ret = dma_buf_begin_cpu_access(dmabuf, direction);
464 
465 		return ret;
466 
467 	case DMA_BUF_SET_NAME_A:
468 	case DMA_BUF_SET_NAME_B:
469 		return dma_buf_set_name(dmabuf, (const char __user *)arg);
470 
471 #if IS_ENABLED(CONFIG_SYNC_FILE)
472 	case DMA_BUF_IOCTL_EXPORT_SYNC_FILE:
473 		return dma_buf_export_sync_file(dmabuf, (void __user *)arg);
474 	case DMA_BUF_IOCTL_IMPORT_SYNC_FILE:
475 		return dma_buf_import_sync_file(dmabuf, (const void __user *)arg);
476 #endif
477 
478 	default:
479 		return -ENOTTY;
480 	}
481 }
482 
483 static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file)
484 {
485 	struct dma_buf *dmabuf = file->private_data;
486 
487 	seq_printf(m, "size:\t%zu\n", dmabuf->size);
488 	/* Don't count the temporary reference taken inside procfs seq_show */
489 	seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1);
490 	seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name);
491 	spin_lock(&dmabuf->name_lock);
492 	if (dmabuf->name)
493 		seq_printf(m, "name:\t%s\n", dmabuf->name);
494 	spin_unlock(&dmabuf->name_lock);
495 }
496 
497 static const struct file_operations dma_buf_fops = {
498 	.release	= dma_buf_file_release,
499 	.mmap		= dma_buf_mmap_internal,
500 	.llseek		= dma_buf_llseek,
501 	.poll		= dma_buf_poll,
502 	.unlocked_ioctl	= dma_buf_ioctl,
503 	.compat_ioctl	= compat_ptr_ioctl,
504 	.show_fdinfo	= dma_buf_show_fdinfo,
505 };
506 
507 /*
508  * is_dma_buf_file - Check if struct file* is associated with dma_buf
509  */
510 static inline int is_dma_buf_file(struct file *file)
511 {
512 	return file->f_op == &dma_buf_fops;
513 }
514 
515 static struct file *dma_buf_getfile(struct dma_buf *dmabuf, int flags)
516 {
517 	static atomic64_t dmabuf_inode = ATOMIC64_INIT(0);
518 	struct file *file;
519 	struct inode *inode = alloc_anon_inode(dma_buf_mnt->mnt_sb);
520 
521 	if (IS_ERR(inode))
522 		return ERR_CAST(inode);
523 
524 	inode->i_size = dmabuf->size;
525 	inode_set_bytes(inode, dmabuf->size);
526 
527 	/*
528 	 * The ->i_ino acquired from get_next_ino() is not unique thus
529 	 * not suitable for using it as dentry name by dmabuf stats.
530 	 * Override ->i_ino with the unique and dmabuffs specific
531 	 * value.
532 	 */
533 	inode->i_ino = atomic64_add_return(1, &dmabuf_inode);
534 	file = alloc_file_pseudo(inode, dma_buf_mnt, "dmabuf",
535 				 flags, &dma_buf_fops);
536 	if (IS_ERR(file))
537 		goto err_alloc_file;
538 	file->f_flags = flags & (O_ACCMODE | O_NONBLOCK);
539 	file->private_data = dmabuf;
540 	file->f_path.dentry->d_fsdata = dmabuf;
541 
542 	return file;
543 
544 err_alloc_file:
545 	iput(inode);
546 	return file;
547 }
548 
549 /**
550  * DOC: dma buf device access
551  *
552  * For device DMA access to a shared DMA buffer the usual sequence of operations
553  * is fairly simple:
554  *
555  * 1. The exporter defines his exporter instance using
556  *    DEFINE_DMA_BUF_EXPORT_INFO() and calls dma_buf_export() to wrap a private
557  *    buffer object into a &dma_buf. It then exports that &dma_buf to userspace
558  *    as a file descriptor by calling dma_buf_fd().
559  *
560  * 2. Userspace passes this file-descriptors to all drivers it wants this buffer
561  *    to share with: First the file descriptor is converted to a &dma_buf using
562  *    dma_buf_get(). Then the buffer is attached to the device using
563  *    dma_buf_attach().
564  *
565  *    Up to this stage the exporter is still free to migrate or reallocate the
566  *    backing storage.
567  *
568  * 3. Once the buffer is attached to all devices userspace can initiate DMA
569  *    access to the shared buffer. In the kernel this is done by calling
570  *    dma_buf_map_attachment() and dma_buf_unmap_attachment().
571  *
572  * 4. Once a driver is done with a shared buffer it needs to call
573  *    dma_buf_detach() (after cleaning up any mappings) and then release the
574  *    reference acquired with dma_buf_get() by calling dma_buf_put().
575  *
576  * For the detailed semantics exporters are expected to implement see
577  * &dma_buf_ops.
578  */
579 
580 /**
581  * dma_buf_export - Creates a new dma_buf, and associates an anon file
582  * with this buffer, so it can be exported.
583  * Also connect the allocator specific data and ops to the buffer.
584  * Additionally, provide a name string for exporter; useful in debugging.
585  *
586  * @exp_info:	[in]	holds all the export related information provided
587  *			by the exporter. see &struct dma_buf_export_info
588  *			for further details.
589  *
590  * Returns, on success, a newly created struct dma_buf object, which wraps the
591  * supplied private data and operations for struct dma_buf_ops. On either
592  * missing ops, or error in allocating struct dma_buf, will return negative
593  * error.
594  *
595  * For most cases the easiest way to create @exp_info is through the
596  * %DEFINE_DMA_BUF_EXPORT_INFO macro.
597  */
598 struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info)
599 {
600 	struct dma_buf *dmabuf;
601 	struct dma_resv *resv = exp_info->resv;
602 	struct file *file;
603 	size_t alloc_size = sizeof(struct dma_buf);
604 	int ret;
605 
606 	if (!exp_info->resv)
607 		alloc_size += sizeof(struct dma_resv);
608 	else
609 		/* prevent &dma_buf[1] == dma_buf->resv */
610 		alloc_size += 1;
611 
612 	if (WARN_ON(!exp_info->priv
613 			  || !exp_info->ops
614 			  || !exp_info->ops->map_dma_buf
615 			  || !exp_info->ops->unmap_dma_buf
616 			  || !exp_info->ops->release)) {
617 		return ERR_PTR(-EINVAL);
618 	}
619 
620 	if (WARN_ON(exp_info->ops->cache_sgt_mapping &&
621 		    (exp_info->ops->pin || exp_info->ops->unpin)))
622 		return ERR_PTR(-EINVAL);
623 
624 	if (WARN_ON(!exp_info->ops->pin != !exp_info->ops->unpin))
625 		return ERR_PTR(-EINVAL);
626 
627 	if (!try_module_get(exp_info->owner))
628 		return ERR_PTR(-ENOENT);
629 
630 	dmabuf = kzalloc(alloc_size, GFP_KERNEL);
631 	if (!dmabuf) {
632 		ret = -ENOMEM;
633 		goto err_module;
634 	}
635 
636 	dmabuf->priv = exp_info->priv;
637 	dmabuf->ops = exp_info->ops;
638 	dmabuf->size = exp_info->size;
639 	dmabuf->exp_name = exp_info->exp_name;
640 	dmabuf->owner = exp_info->owner;
641 	spin_lock_init(&dmabuf->name_lock);
642 	init_waitqueue_head(&dmabuf->poll);
643 	dmabuf->cb_in.poll = dmabuf->cb_out.poll = &dmabuf->poll;
644 	dmabuf->cb_in.active = dmabuf->cb_out.active = 0;
645 
646 	if (!resv) {
647 		resv = (struct dma_resv *)&dmabuf[1];
648 		dma_resv_init(resv);
649 	}
650 	dmabuf->resv = resv;
651 
652 	file = dma_buf_getfile(dmabuf, exp_info->flags);
653 	if (IS_ERR(file)) {
654 		ret = PTR_ERR(file);
655 		goto err_dmabuf;
656 	}
657 
658 	file->f_mode |= FMODE_LSEEK;
659 	dmabuf->file = file;
660 
661 	mutex_init(&dmabuf->lock);
662 	INIT_LIST_HEAD(&dmabuf->attachments);
663 
664 	mutex_lock(&db_list.lock);
665 	list_add(&dmabuf->list_node, &db_list.head);
666 	mutex_unlock(&db_list.lock);
667 
668 	ret = dma_buf_stats_setup(dmabuf);
669 	if (ret)
670 		goto err_sysfs;
671 
672 	return dmabuf;
673 
674 err_sysfs:
675 	/*
676 	 * Set file->f_path.dentry->d_fsdata to NULL so that when
677 	 * dma_buf_release() gets invoked by dentry_ops, it exits
678 	 * early before calling the release() dma_buf op.
679 	 */
680 	file->f_path.dentry->d_fsdata = NULL;
681 	fput(file);
682 err_dmabuf:
683 	kfree(dmabuf);
684 err_module:
685 	module_put(exp_info->owner);
686 	return ERR_PTR(ret);
687 }
688 EXPORT_SYMBOL_NS_GPL(dma_buf_export, DMA_BUF);
689 
690 /**
691  * dma_buf_fd - returns a file descriptor for the given struct dma_buf
692  * @dmabuf:	[in]	pointer to dma_buf for which fd is required.
693  * @flags:      [in]    flags to give to fd
694  *
695  * On success, returns an associated 'fd'. Else, returns error.
696  */
697 int dma_buf_fd(struct dma_buf *dmabuf, int flags)
698 {
699 	int fd;
700 
701 	if (!dmabuf || !dmabuf->file)
702 		return -EINVAL;
703 
704 	fd = get_unused_fd_flags(flags);
705 	if (fd < 0)
706 		return fd;
707 
708 	fd_install(fd, dmabuf->file);
709 
710 	return fd;
711 }
712 EXPORT_SYMBOL_NS_GPL(dma_buf_fd, DMA_BUF);
713 
714 /**
715  * dma_buf_get - returns the struct dma_buf related to an fd
716  * @fd:	[in]	fd associated with the struct dma_buf to be returned
717  *
718  * On success, returns the struct dma_buf associated with an fd; uses
719  * file's refcounting done by fget to increase refcount. returns ERR_PTR
720  * otherwise.
721  */
722 struct dma_buf *dma_buf_get(int fd)
723 {
724 	struct file *file;
725 
726 	file = fget(fd);
727 
728 	if (!file)
729 		return ERR_PTR(-EBADF);
730 
731 	if (!is_dma_buf_file(file)) {
732 		fput(file);
733 		return ERR_PTR(-EINVAL);
734 	}
735 
736 	return file->private_data;
737 }
738 EXPORT_SYMBOL_NS_GPL(dma_buf_get, DMA_BUF);
739 
740 /**
741  * dma_buf_put - decreases refcount of the buffer
742  * @dmabuf:	[in]	buffer to reduce refcount of
743  *
744  * Uses file's refcounting done implicitly by fput().
745  *
746  * If, as a result of this call, the refcount becomes 0, the 'release' file
747  * operation related to this fd is called. It calls &dma_buf_ops.release vfunc
748  * in turn, and frees the memory allocated for dmabuf when exported.
749  */
750 void dma_buf_put(struct dma_buf *dmabuf)
751 {
752 	if (WARN_ON(!dmabuf || !dmabuf->file))
753 		return;
754 
755 	fput(dmabuf->file);
756 }
757 EXPORT_SYMBOL_NS_GPL(dma_buf_put, DMA_BUF);
758 
759 static void mangle_sg_table(struct sg_table *sg_table)
760 {
761 #ifdef CONFIG_DMABUF_DEBUG
762 	int i;
763 	struct scatterlist *sg;
764 
765 	/* To catch abuse of the underlying struct page by importers mix
766 	 * up the bits, but take care to preserve the low SG_ bits to
767 	 * not corrupt the sgt. The mixing is undone in __unmap_dma_buf
768 	 * before passing the sgt back to the exporter. */
769 	for_each_sgtable_sg(sg_table, sg, i)
770 		sg->page_link ^= ~0xffUL;
771 #endif
772 
773 }
774 static struct sg_table * __map_dma_buf(struct dma_buf_attachment *attach,
775 				       enum dma_data_direction direction)
776 {
777 	struct sg_table *sg_table;
778 	signed long ret;
779 
780 	sg_table = attach->dmabuf->ops->map_dma_buf(attach, direction);
781 	if (IS_ERR_OR_NULL(sg_table))
782 		return sg_table;
783 
784 	if (!dma_buf_attachment_is_dynamic(attach)) {
785 		ret = dma_resv_wait_timeout(attach->dmabuf->resv,
786 					    DMA_RESV_USAGE_KERNEL, true,
787 					    MAX_SCHEDULE_TIMEOUT);
788 		if (ret < 0) {
789 			attach->dmabuf->ops->unmap_dma_buf(attach, sg_table,
790 							   direction);
791 			return ERR_PTR(ret);
792 		}
793 	}
794 
795 	mangle_sg_table(sg_table);
796 	return sg_table;
797 }
798 
799 /**
800  * dma_buf_dynamic_attach - Add the device to dma_buf's attachments list
801  * @dmabuf:		[in]	buffer to attach device to.
802  * @dev:		[in]	device to be attached.
803  * @importer_ops:	[in]	importer operations for the attachment
804  * @importer_priv:	[in]	importer private pointer for the attachment
805  *
806  * Returns struct dma_buf_attachment pointer for this attachment. Attachments
807  * must be cleaned up by calling dma_buf_detach().
808  *
809  * Optionally this calls &dma_buf_ops.attach to allow device-specific attach
810  * functionality.
811  *
812  * Returns:
813  *
814  * A pointer to newly created &dma_buf_attachment on success, or a negative
815  * error code wrapped into a pointer on failure.
816  *
817  * Note that this can fail if the backing storage of @dmabuf is in a place not
818  * accessible to @dev, and cannot be moved to a more suitable place. This is
819  * indicated with the error code -EBUSY.
820  */
821 struct dma_buf_attachment *
822 dma_buf_dynamic_attach(struct dma_buf *dmabuf, struct device *dev,
823 		       const struct dma_buf_attach_ops *importer_ops,
824 		       void *importer_priv)
825 {
826 	struct dma_buf_attachment *attach;
827 	int ret;
828 
829 	if (WARN_ON(!dmabuf || !dev))
830 		return ERR_PTR(-EINVAL);
831 
832 	if (WARN_ON(importer_ops && !importer_ops->move_notify))
833 		return ERR_PTR(-EINVAL);
834 
835 	attach = kzalloc(sizeof(*attach), GFP_KERNEL);
836 	if (!attach)
837 		return ERR_PTR(-ENOMEM);
838 
839 	attach->dev = dev;
840 	attach->dmabuf = dmabuf;
841 	if (importer_ops)
842 		attach->peer2peer = importer_ops->allow_peer2peer;
843 	attach->importer_ops = importer_ops;
844 	attach->importer_priv = importer_priv;
845 
846 	if (dmabuf->ops->attach) {
847 		ret = dmabuf->ops->attach(dmabuf, attach);
848 		if (ret)
849 			goto err_attach;
850 	}
851 	dma_resv_lock(dmabuf->resv, NULL);
852 	list_add(&attach->node, &dmabuf->attachments);
853 	dma_resv_unlock(dmabuf->resv);
854 
855 	/* When either the importer or the exporter can't handle dynamic
856 	 * mappings we cache the mapping here to avoid issues with the
857 	 * reservation object lock.
858 	 */
859 	if (dma_buf_attachment_is_dynamic(attach) !=
860 	    dma_buf_is_dynamic(dmabuf)) {
861 		struct sg_table *sgt;
862 
863 		if (dma_buf_is_dynamic(attach->dmabuf)) {
864 			dma_resv_lock(attach->dmabuf->resv, NULL);
865 			ret = dmabuf->ops->pin(attach);
866 			if (ret)
867 				goto err_unlock;
868 		}
869 
870 		sgt = __map_dma_buf(attach, DMA_BIDIRECTIONAL);
871 		if (!sgt)
872 			sgt = ERR_PTR(-ENOMEM);
873 		if (IS_ERR(sgt)) {
874 			ret = PTR_ERR(sgt);
875 			goto err_unpin;
876 		}
877 		if (dma_buf_is_dynamic(attach->dmabuf))
878 			dma_resv_unlock(attach->dmabuf->resv);
879 		attach->sgt = sgt;
880 		attach->dir = DMA_BIDIRECTIONAL;
881 	}
882 
883 	return attach;
884 
885 err_attach:
886 	kfree(attach);
887 	return ERR_PTR(ret);
888 
889 err_unpin:
890 	if (dma_buf_is_dynamic(attach->dmabuf))
891 		dmabuf->ops->unpin(attach);
892 
893 err_unlock:
894 	if (dma_buf_is_dynamic(attach->dmabuf))
895 		dma_resv_unlock(attach->dmabuf->resv);
896 
897 	dma_buf_detach(dmabuf, attach);
898 	return ERR_PTR(ret);
899 }
900 EXPORT_SYMBOL_NS_GPL(dma_buf_dynamic_attach, DMA_BUF);
901 
902 /**
903  * dma_buf_attach - Wrapper for dma_buf_dynamic_attach
904  * @dmabuf:	[in]	buffer to attach device to.
905  * @dev:	[in]	device to be attached.
906  *
907  * Wrapper to call dma_buf_dynamic_attach() for drivers which still use a static
908  * mapping.
909  */
910 struct dma_buf_attachment *dma_buf_attach(struct dma_buf *dmabuf,
911 					  struct device *dev)
912 {
913 	return dma_buf_dynamic_attach(dmabuf, dev, NULL, NULL);
914 }
915 EXPORT_SYMBOL_NS_GPL(dma_buf_attach, DMA_BUF);
916 
917 static void __unmap_dma_buf(struct dma_buf_attachment *attach,
918 			    struct sg_table *sg_table,
919 			    enum dma_data_direction direction)
920 {
921 	/* uses XOR, hence this unmangles */
922 	mangle_sg_table(sg_table);
923 
924 	attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction);
925 }
926 
927 /**
928  * dma_buf_detach - Remove the given attachment from dmabuf's attachments list
929  * @dmabuf:	[in]	buffer to detach from.
930  * @attach:	[in]	attachment to be detached; is free'd after this call.
931  *
932  * Clean up a device attachment obtained by calling dma_buf_attach().
933  *
934  * Optionally this calls &dma_buf_ops.detach for device-specific detach.
935  */
936 void dma_buf_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attach)
937 {
938 	if (WARN_ON(!dmabuf || !attach))
939 		return;
940 
941 	if (attach->sgt) {
942 		if (dma_buf_is_dynamic(attach->dmabuf))
943 			dma_resv_lock(attach->dmabuf->resv, NULL);
944 
945 		__unmap_dma_buf(attach, attach->sgt, attach->dir);
946 
947 		if (dma_buf_is_dynamic(attach->dmabuf)) {
948 			dmabuf->ops->unpin(attach);
949 			dma_resv_unlock(attach->dmabuf->resv);
950 		}
951 	}
952 
953 	dma_resv_lock(dmabuf->resv, NULL);
954 	list_del(&attach->node);
955 	dma_resv_unlock(dmabuf->resv);
956 	if (dmabuf->ops->detach)
957 		dmabuf->ops->detach(dmabuf, attach);
958 
959 	kfree(attach);
960 }
961 EXPORT_SYMBOL_NS_GPL(dma_buf_detach, DMA_BUF);
962 
963 /**
964  * dma_buf_pin - Lock down the DMA-buf
965  * @attach:	[in]	attachment which should be pinned
966  *
967  * Only dynamic importers (who set up @attach with dma_buf_dynamic_attach()) may
968  * call this, and only for limited use cases like scanout and not for temporary
969  * pin operations. It is not permitted to allow userspace to pin arbitrary
970  * amounts of buffers through this interface.
971  *
972  * Buffers must be unpinned by calling dma_buf_unpin().
973  *
974  * Returns:
975  * 0 on success, negative error code on failure.
976  */
977 int dma_buf_pin(struct dma_buf_attachment *attach)
978 {
979 	struct dma_buf *dmabuf = attach->dmabuf;
980 	int ret = 0;
981 
982 	WARN_ON(!dma_buf_attachment_is_dynamic(attach));
983 
984 	dma_resv_assert_held(dmabuf->resv);
985 
986 	if (dmabuf->ops->pin)
987 		ret = dmabuf->ops->pin(attach);
988 
989 	return ret;
990 }
991 EXPORT_SYMBOL_NS_GPL(dma_buf_pin, DMA_BUF);
992 
993 /**
994  * dma_buf_unpin - Unpin a DMA-buf
995  * @attach:	[in]	attachment which should be unpinned
996  *
997  * This unpins a buffer pinned by dma_buf_pin() and allows the exporter to move
998  * any mapping of @attach again and inform the importer through
999  * &dma_buf_attach_ops.move_notify.
1000  */
1001 void dma_buf_unpin(struct dma_buf_attachment *attach)
1002 {
1003 	struct dma_buf *dmabuf = attach->dmabuf;
1004 
1005 	WARN_ON(!dma_buf_attachment_is_dynamic(attach));
1006 
1007 	dma_resv_assert_held(dmabuf->resv);
1008 
1009 	if (dmabuf->ops->unpin)
1010 		dmabuf->ops->unpin(attach);
1011 }
1012 EXPORT_SYMBOL_NS_GPL(dma_buf_unpin, DMA_BUF);
1013 
1014 /**
1015  * dma_buf_map_attachment - Returns the scatterlist table of the attachment;
1016  * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the
1017  * dma_buf_ops.
1018  * @attach:	[in]	attachment whose scatterlist is to be returned
1019  * @direction:	[in]	direction of DMA transfer
1020  *
1021  * Returns sg_table containing the scatterlist to be returned; returns ERR_PTR
1022  * on error. May return -EINTR if it is interrupted by a signal.
1023  *
1024  * On success, the DMA addresses and lengths in the returned scatterlist are
1025  * PAGE_SIZE aligned.
1026  *
1027  * A mapping must be unmapped by using dma_buf_unmap_attachment(). Note that
1028  * the underlying backing storage is pinned for as long as a mapping exists,
1029  * therefore users/importers should not hold onto a mapping for undue amounts of
1030  * time.
1031  *
1032  * Important: Dynamic importers must wait for the exclusive fence of the struct
1033  * dma_resv attached to the DMA-BUF first.
1034  */
1035 struct sg_table *dma_buf_map_attachment(struct dma_buf_attachment *attach,
1036 					enum dma_data_direction direction)
1037 {
1038 	struct sg_table *sg_table;
1039 	int r;
1040 
1041 	might_sleep();
1042 
1043 	if (WARN_ON(!attach || !attach->dmabuf))
1044 		return ERR_PTR(-EINVAL);
1045 
1046 	if (dma_buf_attachment_is_dynamic(attach))
1047 		dma_resv_assert_held(attach->dmabuf->resv);
1048 
1049 	if (attach->sgt) {
1050 		/*
1051 		 * Two mappings with different directions for the same
1052 		 * attachment are not allowed.
1053 		 */
1054 		if (attach->dir != direction &&
1055 		    attach->dir != DMA_BIDIRECTIONAL)
1056 			return ERR_PTR(-EBUSY);
1057 
1058 		return attach->sgt;
1059 	}
1060 
1061 	if (dma_buf_is_dynamic(attach->dmabuf)) {
1062 		dma_resv_assert_held(attach->dmabuf->resv);
1063 		if (!IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY)) {
1064 			r = attach->dmabuf->ops->pin(attach);
1065 			if (r)
1066 				return ERR_PTR(r);
1067 		}
1068 	}
1069 
1070 	sg_table = __map_dma_buf(attach, direction);
1071 	if (!sg_table)
1072 		sg_table = ERR_PTR(-ENOMEM);
1073 
1074 	if (IS_ERR(sg_table) && dma_buf_is_dynamic(attach->dmabuf) &&
1075 	     !IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY))
1076 		attach->dmabuf->ops->unpin(attach);
1077 
1078 	if (!IS_ERR(sg_table) && attach->dmabuf->ops->cache_sgt_mapping) {
1079 		attach->sgt = sg_table;
1080 		attach->dir = direction;
1081 	}
1082 
1083 #ifdef CONFIG_DMA_API_DEBUG
1084 	if (!IS_ERR(sg_table)) {
1085 		struct scatterlist *sg;
1086 		u64 addr;
1087 		int len;
1088 		int i;
1089 
1090 		for_each_sgtable_dma_sg(sg_table, sg, i) {
1091 			addr = sg_dma_address(sg);
1092 			len = sg_dma_len(sg);
1093 			if (!PAGE_ALIGNED(addr) || !PAGE_ALIGNED(len)) {
1094 				pr_debug("%s: addr %llx or len %x is not page aligned!\n",
1095 					 __func__, addr, len);
1096 			}
1097 		}
1098 	}
1099 #endif /* CONFIG_DMA_API_DEBUG */
1100 	return sg_table;
1101 }
1102 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment, DMA_BUF);
1103 
1104 /**
1105  * dma_buf_unmap_attachment - unmaps and decreases usecount of the buffer;might
1106  * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of
1107  * dma_buf_ops.
1108  * @attach:	[in]	attachment to unmap buffer from
1109  * @sg_table:	[in]	scatterlist info of the buffer to unmap
1110  * @direction:  [in]    direction of DMA transfer
1111  *
1112  * This unmaps a DMA mapping for @attached obtained by dma_buf_map_attachment().
1113  */
1114 void dma_buf_unmap_attachment(struct dma_buf_attachment *attach,
1115 				struct sg_table *sg_table,
1116 				enum dma_data_direction direction)
1117 {
1118 	might_sleep();
1119 
1120 	if (WARN_ON(!attach || !attach->dmabuf || !sg_table))
1121 		return;
1122 
1123 	if (dma_buf_attachment_is_dynamic(attach))
1124 		dma_resv_assert_held(attach->dmabuf->resv);
1125 
1126 	if (attach->sgt == sg_table)
1127 		return;
1128 
1129 	if (dma_buf_is_dynamic(attach->dmabuf))
1130 		dma_resv_assert_held(attach->dmabuf->resv);
1131 
1132 	__unmap_dma_buf(attach, sg_table, direction);
1133 
1134 	if (dma_buf_is_dynamic(attach->dmabuf) &&
1135 	    !IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY))
1136 		dma_buf_unpin(attach);
1137 }
1138 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment, DMA_BUF);
1139 
1140 /**
1141  * dma_buf_move_notify - notify attachments that DMA-buf is moving
1142  *
1143  * @dmabuf:	[in]	buffer which is moving
1144  *
1145  * Informs all attachmenst that they need to destroy and recreated all their
1146  * mappings.
1147  */
1148 void dma_buf_move_notify(struct dma_buf *dmabuf)
1149 {
1150 	struct dma_buf_attachment *attach;
1151 
1152 	dma_resv_assert_held(dmabuf->resv);
1153 
1154 	list_for_each_entry(attach, &dmabuf->attachments, node)
1155 		if (attach->importer_ops)
1156 			attach->importer_ops->move_notify(attach);
1157 }
1158 EXPORT_SYMBOL_NS_GPL(dma_buf_move_notify, DMA_BUF);
1159 
1160 /**
1161  * DOC: cpu access
1162  *
1163  * There are mutliple reasons for supporting CPU access to a dma buffer object:
1164  *
1165  * - Fallback operations in the kernel, for example when a device is connected
1166  *   over USB and the kernel needs to shuffle the data around first before
1167  *   sending it away. Cache coherency is handled by braketing any transactions
1168  *   with calls to dma_buf_begin_cpu_access() and dma_buf_end_cpu_access()
1169  *   access.
1170  *
1171  *   Since for most kernel internal dma-buf accesses need the entire buffer, a
1172  *   vmap interface is introduced. Note that on very old 32-bit architectures
1173  *   vmalloc space might be limited and result in vmap calls failing.
1174  *
1175  *   Interfaces::
1176  *
1177  *      void \*dma_buf_vmap(struct dma_buf \*dmabuf, struct iosys_map \*map)
1178  *      void dma_buf_vunmap(struct dma_buf \*dmabuf, struct iosys_map \*map)
1179  *
1180  *   The vmap call can fail if there is no vmap support in the exporter, or if
1181  *   it runs out of vmalloc space. Note that the dma-buf layer keeps a reference
1182  *   count for all vmap access and calls down into the exporter's vmap function
1183  *   only when no vmapping exists, and only unmaps it once. Protection against
1184  *   concurrent vmap/vunmap calls is provided by taking the &dma_buf.lock mutex.
1185  *
1186  * - For full compatibility on the importer side with existing userspace
1187  *   interfaces, which might already support mmap'ing buffers. This is needed in
1188  *   many processing pipelines (e.g. feeding a software rendered image into a
1189  *   hardware pipeline, thumbnail creation, snapshots, ...). Also, Android's ION
1190  *   framework already supported this and for DMA buffer file descriptors to
1191  *   replace ION buffers mmap support was needed.
1192  *
1193  *   There is no special interfaces, userspace simply calls mmap on the dma-buf
1194  *   fd. But like for CPU access there's a need to braket the actual access,
1195  *   which is handled by the ioctl (DMA_BUF_IOCTL_SYNC). Note that
1196  *   DMA_BUF_IOCTL_SYNC can fail with -EAGAIN or -EINTR, in which case it must
1197  *   be restarted.
1198  *
1199  *   Some systems might need some sort of cache coherency management e.g. when
1200  *   CPU and GPU domains are being accessed through dma-buf at the same time.
1201  *   To circumvent this problem there are begin/end coherency markers, that
1202  *   forward directly to existing dma-buf device drivers vfunc hooks. Userspace
1203  *   can make use of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The
1204  *   sequence would be used like following:
1205  *
1206  *     - mmap dma-buf fd
1207  *     - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write
1208  *       to mmap area 3. SYNC_END ioctl. This can be repeated as often as you
1209  *       want (with the new data being consumed by say the GPU or the scanout
1210  *       device)
1211  *     - munmap once you don't need the buffer any more
1212  *
1213  *    For correctness and optimal performance, it is always required to use
1214  *    SYNC_START and SYNC_END before and after, respectively, when accessing the
1215  *    mapped address. Userspace cannot rely on coherent access, even when there
1216  *    are systems where it just works without calling these ioctls.
1217  *
1218  * - And as a CPU fallback in userspace processing pipelines.
1219  *
1220  *   Similar to the motivation for kernel cpu access it is again important that
1221  *   the userspace code of a given importing subsystem can use the same
1222  *   interfaces with a imported dma-buf buffer object as with a native buffer
1223  *   object. This is especially important for drm where the userspace part of
1224  *   contemporary OpenGL, X, and other drivers is huge, and reworking them to
1225  *   use a different way to mmap a buffer rather invasive.
1226  *
1227  *   The assumption in the current dma-buf interfaces is that redirecting the
1228  *   initial mmap is all that's needed. A survey of some of the existing
1229  *   subsystems shows that no driver seems to do any nefarious thing like
1230  *   syncing up with outstanding asynchronous processing on the device or
1231  *   allocating special resources at fault time. So hopefully this is good
1232  *   enough, since adding interfaces to intercept pagefaults and allow pte
1233  *   shootdowns would increase the complexity quite a bit.
1234  *
1235  *   Interface::
1236  *
1237  *      int dma_buf_mmap(struct dma_buf \*, struct vm_area_struct \*,
1238  *		       unsigned long);
1239  *
1240  *   If the importing subsystem simply provides a special-purpose mmap call to
1241  *   set up a mapping in userspace, calling do_mmap with &dma_buf.file will
1242  *   equally achieve that for a dma-buf object.
1243  */
1244 
1245 static int __dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
1246 				      enum dma_data_direction direction)
1247 {
1248 	bool write = (direction == DMA_BIDIRECTIONAL ||
1249 		      direction == DMA_TO_DEVICE);
1250 	struct dma_resv *resv = dmabuf->resv;
1251 	long ret;
1252 
1253 	/* Wait on any implicit rendering fences */
1254 	ret = dma_resv_wait_timeout(resv, dma_resv_usage_rw(write),
1255 				    true, MAX_SCHEDULE_TIMEOUT);
1256 	if (ret < 0)
1257 		return ret;
1258 
1259 	return 0;
1260 }
1261 
1262 /**
1263  * dma_buf_begin_cpu_access - Must be called before accessing a dma_buf from the
1264  * cpu in the kernel context. Calls begin_cpu_access to allow exporter-specific
1265  * preparations. Coherency is only guaranteed in the specified range for the
1266  * specified access direction.
1267  * @dmabuf:	[in]	buffer to prepare cpu access for.
1268  * @direction:	[in]	length of range for cpu access.
1269  *
1270  * After the cpu access is complete the caller should call
1271  * dma_buf_end_cpu_access(). Only when cpu access is braketed by both calls is
1272  * it guaranteed to be coherent with other DMA access.
1273  *
1274  * This function will also wait for any DMA transactions tracked through
1275  * implicit synchronization in &dma_buf.resv. For DMA transactions with explicit
1276  * synchronization this function will only ensure cache coherency, callers must
1277  * ensure synchronization with such DMA transactions on their own.
1278  *
1279  * Can return negative error values, returns 0 on success.
1280  */
1281 int dma_buf_begin_cpu_access(struct dma_buf *dmabuf,
1282 			     enum dma_data_direction direction)
1283 {
1284 	int ret = 0;
1285 
1286 	if (WARN_ON(!dmabuf))
1287 		return -EINVAL;
1288 
1289 	might_lock(&dmabuf->resv->lock.base);
1290 
1291 	if (dmabuf->ops->begin_cpu_access)
1292 		ret = dmabuf->ops->begin_cpu_access(dmabuf, direction);
1293 
1294 	/* Ensure that all fences are waited upon - but we first allow
1295 	 * the native handler the chance to do so more efficiently if it
1296 	 * chooses. A double invocation here will be reasonably cheap no-op.
1297 	 */
1298 	if (ret == 0)
1299 		ret = __dma_buf_begin_cpu_access(dmabuf, direction);
1300 
1301 	return ret;
1302 }
1303 EXPORT_SYMBOL_NS_GPL(dma_buf_begin_cpu_access, DMA_BUF);
1304 
1305 /**
1306  * dma_buf_end_cpu_access - Must be called after accessing a dma_buf from the
1307  * cpu in the kernel context. Calls end_cpu_access to allow exporter-specific
1308  * actions. Coherency is only guaranteed in the specified range for the
1309  * specified access direction.
1310  * @dmabuf:	[in]	buffer to complete cpu access for.
1311  * @direction:	[in]	length of range for cpu access.
1312  *
1313  * This terminates CPU access started with dma_buf_begin_cpu_access().
1314  *
1315  * Can return negative error values, returns 0 on success.
1316  */
1317 int dma_buf_end_cpu_access(struct dma_buf *dmabuf,
1318 			   enum dma_data_direction direction)
1319 {
1320 	int ret = 0;
1321 
1322 	WARN_ON(!dmabuf);
1323 
1324 	might_lock(&dmabuf->resv->lock.base);
1325 
1326 	if (dmabuf->ops->end_cpu_access)
1327 		ret = dmabuf->ops->end_cpu_access(dmabuf, direction);
1328 
1329 	return ret;
1330 }
1331 EXPORT_SYMBOL_NS_GPL(dma_buf_end_cpu_access, DMA_BUF);
1332 
1333 
1334 /**
1335  * dma_buf_mmap - Setup up a userspace mmap with the given vma
1336  * @dmabuf:	[in]	buffer that should back the vma
1337  * @vma:	[in]	vma for the mmap
1338  * @pgoff:	[in]	offset in pages where this mmap should start within the
1339  *			dma-buf buffer.
1340  *
1341  * This function adjusts the passed in vma so that it points at the file of the
1342  * dma_buf operation. It also adjusts the starting pgoff and does bounds
1343  * checking on the size of the vma. Then it calls the exporters mmap function to
1344  * set up the mapping.
1345  *
1346  * Can return negative error values, returns 0 on success.
1347  */
1348 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma,
1349 		 unsigned long pgoff)
1350 {
1351 	if (WARN_ON(!dmabuf || !vma))
1352 		return -EINVAL;
1353 
1354 	/* check if buffer supports mmap */
1355 	if (!dmabuf->ops->mmap)
1356 		return -EINVAL;
1357 
1358 	/* check for offset overflow */
1359 	if (pgoff + vma_pages(vma) < pgoff)
1360 		return -EOVERFLOW;
1361 
1362 	/* check for overflowing the buffer's size */
1363 	if (pgoff + vma_pages(vma) >
1364 	    dmabuf->size >> PAGE_SHIFT)
1365 		return -EINVAL;
1366 
1367 	/* readjust the vma */
1368 	vma_set_file(vma, dmabuf->file);
1369 	vma->vm_pgoff = pgoff;
1370 
1371 	return dmabuf->ops->mmap(dmabuf, vma);
1372 }
1373 EXPORT_SYMBOL_NS_GPL(dma_buf_mmap, DMA_BUF);
1374 
1375 /**
1376  * dma_buf_vmap - Create virtual mapping for the buffer object into kernel
1377  * address space. Same restrictions as for vmap and friends apply.
1378  * @dmabuf:	[in]	buffer to vmap
1379  * @map:	[out]	returns the vmap pointer
1380  *
1381  * This call may fail due to lack of virtual mapping address space.
1382  * These calls are optional in drivers. The intended use for them
1383  * is for mapping objects linear in kernel space for high use objects.
1384  *
1385  * To ensure coherency users must call dma_buf_begin_cpu_access() and
1386  * dma_buf_end_cpu_access() around any cpu access performed through this
1387  * mapping.
1388  *
1389  * Returns 0 on success, or a negative errno code otherwise.
1390  */
1391 int dma_buf_vmap(struct dma_buf *dmabuf, struct iosys_map *map)
1392 {
1393 	struct iosys_map ptr;
1394 	int ret = 0;
1395 
1396 	iosys_map_clear(map);
1397 
1398 	if (WARN_ON(!dmabuf))
1399 		return -EINVAL;
1400 
1401 	if (!dmabuf->ops->vmap)
1402 		return -EINVAL;
1403 
1404 	mutex_lock(&dmabuf->lock);
1405 	if (dmabuf->vmapping_counter) {
1406 		dmabuf->vmapping_counter++;
1407 		BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr));
1408 		*map = dmabuf->vmap_ptr;
1409 		goto out_unlock;
1410 	}
1411 
1412 	BUG_ON(iosys_map_is_set(&dmabuf->vmap_ptr));
1413 
1414 	ret = dmabuf->ops->vmap(dmabuf, &ptr);
1415 	if (WARN_ON_ONCE(ret))
1416 		goto out_unlock;
1417 
1418 	dmabuf->vmap_ptr = ptr;
1419 	dmabuf->vmapping_counter = 1;
1420 
1421 	*map = dmabuf->vmap_ptr;
1422 
1423 out_unlock:
1424 	mutex_unlock(&dmabuf->lock);
1425 	return ret;
1426 }
1427 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap, DMA_BUF);
1428 
1429 /**
1430  * dma_buf_vunmap - Unmap a vmap obtained by dma_buf_vmap.
1431  * @dmabuf:	[in]	buffer to vunmap
1432  * @map:	[in]	vmap pointer to vunmap
1433  */
1434 void dma_buf_vunmap(struct dma_buf *dmabuf, struct iosys_map *map)
1435 {
1436 	if (WARN_ON(!dmabuf))
1437 		return;
1438 
1439 	BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr));
1440 	BUG_ON(dmabuf->vmapping_counter == 0);
1441 	BUG_ON(!iosys_map_is_equal(&dmabuf->vmap_ptr, map));
1442 
1443 	mutex_lock(&dmabuf->lock);
1444 	if (--dmabuf->vmapping_counter == 0) {
1445 		if (dmabuf->ops->vunmap)
1446 			dmabuf->ops->vunmap(dmabuf, map);
1447 		iosys_map_clear(&dmabuf->vmap_ptr);
1448 	}
1449 	mutex_unlock(&dmabuf->lock);
1450 }
1451 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap, DMA_BUF);
1452 
1453 #ifdef CONFIG_DEBUG_FS
1454 static int dma_buf_debug_show(struct seq_file *s, void *unused)
1455 {
1456 	struct dma_buf *buf_obj;
1457 	struct dma_buf_attachment *attach_obj;
1458 	int count = 0, attach_count;
1459 	size_t size = 0;
1460 	int ret;
1461 
1462 	ret = mutex_lock_interruptible(&db_list.lock);
1463 
1464 	if (ret)
1465 		return ret;
1466 
1467 	seq_puts(s, "\nDma-buf Objects:\n");
1468 	seq_printf(s, "%-8s\t%-8s\t%-8s\t%-8s\texp_name\t%-8s\tname\n",
1469 		   "size", "flags", "mode", "count", "ino");
1470 
1471 	list_for_each_entry(buf_obj, &db_list.head, list_node) {
1472 
1473 		ret = dma_resv_lock_interruptible(buf_obj->resv, NULL);
1474 		if (ret)
1475 			goto error_unlock;
1476 
1477 
1478 		spin_lock(&buf_obj->name_lock);
1479 		seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n",
1480 				buf_obj->size,
1481 				buf_obj->file->f_flags, buf_obj->file->f_mode,
1482 				file_count(buf_obj->file),
1483 				buf_obj->exp_name,
1484 				file_inode(buf_obj->file)->i_ino,
1485 				buf_obj->name ?: "<none>");
1486 		spin_unlock(&buf_obj->name_lock);
1487 
1488 		dma_resv_describe(buf_obj->resv, s);
1489 
1490 		seq_puts(s, "\tAttached Devices:\n");
1491 		attach_count = 0;
1492 
1493 		list_for_each_entry(attach_obj, &buf_obj->attachments, node) {
1494 			seq_printf(s, "\t%s\n", dev_name(attach_obj->dev));
1495 			attach_count++;
1496 		}
1497 		dma_resv_unlock(buf_obj->resv);
1498 
1499 		seq_printf(s, "Total %d devices attached\n\n",
1500 				attach_count);
1501 
1502 		count++;
1503 		size += buf_obj->size;
1504 	}
1505 
1506 	seq_printf(s, "\nTotal %d objects, %zu bytes\n", count, size);
1507 
1508 	mutex_unlock(&db_list.lock);
1509 	return 0;
1510 
1511 error_unlock:
1512 	mutex_unlock(&db_list.lock);
1513 	return ret;
1514 }
1515 
1516 DEFINE_SHOW_ATTRIBUTE(dma_buf_debug);
1517 
1518 static struct dentry *dma_buf_debugfs_dir;
1519 
1520 static int dma_buf_init_debugfs(void)
1521 {
1522 	struct dentry *d;
1523 	int err = 0;
1524 
1525 	d = debugfs_create_dir("dma_buf", NULL);
1526 	if (IS_ERR(d))
1527 		return PTR_ERR(d);
1528 
1529 	dma_buf_debugfs_dir = d;
1530 
1531 	d = debugfs_create_file("bufinfo", S_IRUGO, dma_buf_debugfs_dir,
1532 				NULL, &dma_buf_debug_fops);
1533 	if (IS_ERR(d)) {
1534 		pr_debug("dma_buf: debugfs: failed to create node bufinfo\n");
1535 		debugfs_remove_recursive(dma_buf_debugfs_dir);
1536 		dma_buf_debugfs_dir = NULL;
1537 		err = PTR_ERR(d);
1538 	}
1539 
1540 	return err;
1541 }
1542 
1543 static void dma_buf_uninit_debugfs(void)
1544 {
1545 	debugfs_remove_recursive(dma_buf_debugfs_dir);
1546 }
1547 #else
1548 static inline int dma_buf_init_debugfs(void)
1549 {
1550 	return 0;
1551 }
1552 static inline void dma_buf_uninit_debugfs(void)
1553 {
1554 }
1555 #endif
1556 
1557 static int __init dma_buf_init(void)
1558 {
1559 	int ret;
1560 
1561 	ret = dma_buf_init_sysfs_statistics();
1562 	if (ret)
1563 		return ret;
1564 
1565 	dma_buf_mnt = kern_mount(&dma_buf_fs_type);
1566 	if (IS_ERR(dma_buf_mnt))
1567 		return PTR_ERR(dma_buf_mnt);
1568 
1569 	mutex_init(&db_list.lock);
1570 	INIT_LIST_HEAD(&db_list.head);
1571 	dma_buf_init_debugfs();
1572 	return 0;
1573 }
1574 subsys_initcall(dma_buf_init);
1575 
1576 static void __exit dma_buf_deinit(void)
1577 {
1578 	dma_buf_uninit_debugfs();
1579 	kern_unmount(dma_buf_mnt);
1580 	dma_buf_uninit_sysfs_statistics();
1581 }
1582 __exitcall(dma_buf_deinit);
1583