1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Framework for buffer objects that can be shared across devices/subsystems. 4 * 5 * Copyright(C) 2011 Linaro Limited. All rights reserved. 6 * Author: Sumit Semwal <sumit.semwal@ti.com> 7 * 8 * Many thanks to linaro-mm-sig list, and specially 9 * Arnd Bergmann <arnd@arndb.de>, Rob Clark <rob@ti.com> and 10 * Daniel Vetter <daniel@ffwll.ch> for their support in creation and 11 * refining of this idea. 12 */ 13 14 #include <linux/fs.h> 15 #include <linux/slab.h> 16 #include <linux/dma-buf.h> 17 #include <linux/dma-fence.h> 18 #include <linux/anon_inodes.h> 19 #include <linux/export.h> 20 #include <linux/debugfs.h> 21 #include <linux/module.h> 22 #include <linux/seq_file.h> 23 #include <linux/sync_file.h> 24 #include <linux/poll.h> 25 #include <linux/dma-resv.h> 26 #include <linux/mm.h> 27 #include <linux/mount.h> 28 #include <linux/pseudo_fs.h> 29 30 #include <uapi/linux/dma-buf.h> 31 #include <uapi/linux/magic.h> 32 33 #include "dma-buf-sysfs-stats.h" 34 35 static inline int is_dma_buf_file(struct file *); 36 37 struct dma_buf_list { 38 struct list_head head; 39 struct mutex lock; 40 }; 41 42 static struct dma_buf_list db_list; 43 44 static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen) 45 { 46 struct dma_buf *dmabuf; 47 char name[DMA_BUF_NAME_LEN]; 48 size_t ret = 0; 49 50 dmabuf = dentry->d_fsdata; 51 spin_lock(&dmabuf->name_lock); 52 if (dmabuf->name) 53 ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); 54 spin_unlock(&dmabuf->name_lock); 55 56 return dynamic_dname(buffer, buflen, "/%s:%s", 57 dentry->d_name.name, ret > 0 ? name : ""); 58 } 59 60 static void dma_buf_release(struct dentry *dentry) 61 { 62 struct dma_buf *dmabuf; 63 64 dmabuf = dentry->d_fsdata; 65 if (unlikely(!dmabuf)) 66 return; 67 68 BUG_ON(dmabuf->vmapping_counter); 69 70 /* 71 * If you hit this BUG() it could mean: 72 * * There's a file reference imbalance in dma_buf_poll / dma_buf_poll_cb or somewhere else 73 * * dmabuf->cb_in/out.active are non-0 despite no pending fence callback 74 */ 75 BUG_ON(dmabuf->cb_in.active || dmabuf->cb_out.active); 76 77 dma_buf_stats_teardown(dmabuf); 78 dmabuf->ops->release(dmabuf); 79 80 if (dmabuf->resv == (struct dma_resv *)&dmabuf[1]) 81 dma_resv_fini(dmabuf->resv); 82 83 WARN_ON(!list_empty(&dmabuf->attachments)); 84 module_put(dmabuf->owner); 85 kfree(dmabuf->name); 86 kfree(dmabuf); 87 } 88 89 static int dma_buf_file_release(struct inode *inode, struct file *file) 90 { 91 struct dma_buf *dmabuf; 92 93 if (!is_dma_buf_file(file)) 94 return -EINVAL; 95 96 dmabuf = file->private_data; 97 98 mutex_lock(&db_list.lock); 99 list_del(&dmabuf->list_node); 100 mutex_unlock(&db_list.lock); 101 102 return 0; 103 } 104 105 static const struct dentry_operations dma_buf_dentry_ops = { 106 .d_dname = dmabuffs_dname, 107 .d_release = dma_buf_release, 108 }; 109 110 static struct vfsmount *dma_buf_mnt; 111 112 static int dma_buf_fs_init_context(struct fs_context *fc) 113 { 114 struct pseudo_fs_context *ctx; 115 116 ctx = init_pseudo(fc, DMA_BUF_MAGIC); 117 if (!ctx) 118 return -ENOMEM; 119 ctx->dops = &dma_buf_dentry_ops; 120 return 0; 121 } 122 123 static struct file_system_type dma_buf_fs_type = { 124 .name = "dmabuf", 125 .init_fs_context = dma_buf_fs_init_context, 126 .kill_sb = kill_anon_super, 127 }; 128 129 static int dma_buf_mmap_internal(struct file *file, struct vm_area_struct *vma) 130 { 131 struct dma_buf *dmabuf; 132 133 if (!is_dma_buf_file(file)) 134 return -EINVAL; 135 136 dmabuf = file->private_data; 137 138 /* check if buffer supports mmap */ 139 if (!dmabuf->ops->mmap) 140 return -EINVAL; 141 142 /* check for overflowing the buffer's size */ 143 if (vma->vm_pgoff + vma_pages(vma) > 144 dmabuf->size >> PAGE_SHIFT) 145 return -EINVAL; 146 147 return dmabuf->ops->mmap(dmabuf, vma); 148 } 149 150 static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence) 151 { 152 struct dma_buf *dmabuf; 153 loff_t base; 154 155 if (!is_dma_buf_file(file)) 156 return -EBADF; 157 158 dmabuf = file->private_data; 159 160 /* only support discovering the end of the buffer, 161 but also allow SEEK_SET to maintain the idiomatic 162 SEEK_END(0), SEEK_CUR(0) pattern */ 163 if (whence == SEEK_END) 164 base = dmabuf->size; 165 else if (whence == SEEK_SET) 166 base = 0; 167 else 168 return -EINVAL; 169 170 if (offset != 0) 171 return -EINVAL; 172 173 return base + offset; 174 } 175 176 /** 177 * DOC: implicit fence polling 178 * 179 * To support cross-device and cross-driver synchronization of buffer access 180 * implicit fences (represented internally in the kernel with &struct dma_fence) 181 * can be attached to a &dma_buf. The glue for that and a few related things are 182 * provided in the &dma_resv structure. 183 * 184 * Userspace can query the state of these implicitly tracked fences using poll() 185 * and related system calls: 186 * 187 * - Checking for EPOLLIN, i.e. read access, can be use to query the state of the 188 * most recent write or exclusive fence. 189 * 190 * - Checking for EPOLLOUT, i.e. write access, can be used to query the state of 191 * all attached fences, shared and exclusive ones. 192 * 193 * Note that this only signals the completion of the respective fences, i.e. the 194 * DMA transfers are complete. Cache flushing and any other necessary 195 * preparations before CPU access can begin still need to happen. 196 * 197 * As an alternative to poll(), the set of fences on DMA buffer can be 198 * exported as a &sync_file using &dma_buf_sync_file_export. 199 */ 200 201 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb) 202 { 203 struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb; 204 struct dma_buf *dmabuf = container_of(dcb->poll, struct dma_buf, poll); 205 unsigned long flags; 206 207 spin_lock_irqsave(&dcb->poll->lock, flags); 208 wake_up_locked_poll(dcb->poll, dcb->active); 209 dcb->active = 0; 210 spin_unlock_irqrestore(&dcb->poll->lock, flags); 211 dma_fence_put(fence); 212 /* Paired with get_file in dma_buf_poll */ 213 fput(dmabuf->file); 214 } 215 216 static bool dma_buf_poll_add_cb(struct dma_resv *resv, bool write, 217 struct dma_buf_poll_cb_t *dcb) 218 { 219 struct dma_resv_iter cursor; 220 struct dma_fence *fence; 221 int r; 222 223 dma_resv_for_each_fence(&cursor, resv, dma_resv_usage_rw(write), 224 fence) { 225 dma_fence_get(fence); 226 r = dma_fence_add_callback(fence, &dcb->cb, dma_buf_poll_cb); 227 if (!r) 228 return true; 229 dma_fence_put(fence); 230 } 231 232 return false; 233 } 234 235 static __poll_t dma_buf_poll(struct file *file, poll_table *poll) 236 { 237 struct dma_buf *dmabuf; 238 struct dma_resv *resv; 239 __poll_t events; 240 241 dmabuf = file->private_data; 242 if (!dmabuf || !dmabuf->resv) 243 return EPOLLERR; 244 245 resv = dmabuf->resv; 246 247 poll_wait(file, &dmabuf->poll, poll); 248 249 events = poll_requested_events(poll) & (EPOLLIN | EPOLLOUT); 250 if (!events) 251 return 0; 252 253 dma_resv_lock(resv, NULL); 254 255 if (events & EPOLLOUT) { 256 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_out; 257 258 /* Check that callback isn't busy */ 259 spin_lock_irq(&dmabuf->poll.lock); 260 if (dcb->active) 261 events &= ~EPOLLOUT; 262 else 263 dcb->active = EPOLLOUT; 264 spin_unlock_irq(&dmabuf->poll.lock); 265 266 if (events & EPOLLOUT) { 267 /* Paired with fput in dma_buf_poll_cb */ 268 get_file(dmabuf->file); 269 270 if (!dma_buf_poll_add_cb(resv, true, dcb)) 271 /* No callback queued, wake up any other waiters */ 272 dma_buf_poll_cb(NULL, &dcb->cb); 273 else 274 events &= ~EPOLLOUT; 275 } 276 } 277 278 if (events & EPOLLIN) { 279 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_in; 280 281 /* Check that callback isn't busy */ 282 spin_lock_irq(&dmabuf->poll.lock); 283 if (dcb->active) 284 events &= ~EPOLLIN; 285 else 286 dcb->active = EPOLLIN; 287 spin_unlock_irq(&dmabuf->poll.lock); 288 289 if (events & EPOLLIN) { 290 /* Paired with fput in dma_buf_poll_cb */ 291 get_file(dmabuf->file); 292 293 if (!dma_buf_poll_add_cb(resv, false, dcb)) 294 /* No callback queued, wake up any other waiters */ 295 dma_buf_poll_cb(NULL, &dcb->cb); 296 else 297 events &= ~EPOLLIN; 298 } 299 } 300 301 dma_resv_unlock(resv); 302 return events; 303 } 304 305 /** 306 * dma_buf_set_name - Set a name to a specific dma_buf to track the usage. 307 * It could support changing the name of the dma-buf if the same 308 * piece of memory is used for multiple purpose between different devices. 309 * 310 * @dmabuf: [in] dmabuf buffer that will be renamed. 311 * @buf: [in] A piece of userspace memory that contains the name of 312 * the dma-buf. 313 * 314 * Returns 0 on success. If the dma-buf buffer is already attached to 315 * devices, return -EBUSY. 316 * 317 */ 318 static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf) 319 { 320 char *name = strndup_user(buf, DMA_BUF_NAME_LEN); 321 322 if (IS_ERR(name)) 323 return PTR_ERR(name); 324 325 spin_lock(&dmabuf->name_lock); 326 kfree(dmabuf->name); 327 dmabuf->name = name; 328 spin_unlock(&dmabuf->name_lock); 329 330 return 0; 331 } 332 333 #if IS_ENABLED(CONFIG_SYNC_FILE) 334 static long dma_buf_export_sync_file(struct dma_buf *dmabuf, 335 void __user *user_data) 336 { 337 struct dma_buf_export_sync_file arg; 338 enum dma_resv_usage usage; 339 struct dma_fence *fence = NULL; 340 struct sync_file *sync_file; 341 int fd, ret; 342 343 if (copy_from_user(&arg, user_data, sizeof(arg))) 344 return -EFAULT; 345 346 if (arg.flags & ~DMA_BUF_SYNC_RW) 347 return -EINVAL; 348 349 if ((arg.flags & DMA_BUF_SYNC_RW) == 0) 350 return -EINVAL; 351 352 fd = get_unused_fd_flags(O_CLOEXEC); 353 if (fd < 0) 354 return fd; 355 356 usage = dma_resv_usage_rw(arg.flags & DMA_BUF_SYNC_WRITE); 357 ret = dma_resv_get_singleton(dmabuf->resv, usage, &fence); 358 if (ret) 359 goto err_put_fd; 360 361 if (!fence) 362 fence = dma_fence_get_stub(); 363 364 sync_file = sync_file_create(fence); 365 366 dma_fence_put(fence); 367 368 if (!sync_file) { 369 ret = -ENOMEM; 370 goto err_put_fd; 371 } 372 373 arg.fd = fd; 374 if (copy_to_user(user_data, &arg, sizeof(arg))) { 375 ret = -EFAULT; 376 goto err_put_file; 377 } 378 379 fd_install(fd, sync_file->file); 380 381 return 0; 382 383 err_put_file: 384 fput(sync_file->file); 385 err_put_fd: 386 put_unused_fd(fd); 387 return ret; 388 } 389 390 static long dma_buf_import_sync_file(struct dma_buf *dmabuf, 391 const void __user *user_data) 392 { 393 struct dma_buf_import_sync_file arg; 394 struct dma_fence *fence; 395 enum dma_resv_usage usage; 396 int ret = 0; 397 398 if (copy_from_user(&arg, user_data, sizeof(arg))) 399 return -EFAULT; 400 401 if (arg.flags & ~DMA_BUF_SYNC_RW) 402 return -EINVAL; 403 404 if ((arg.flags & DMA_BUF_SYNC_RW) == 0) 405 return -EINVAL; 406 407 fence = sync_file_get_fence(arg.fd); 408 if (!fence) 409 return -EINVAL; 410 411 usage = (arg.flags & DMA_BUF_SYNC_WRITE) ? DMA_RESV_USAGE_WRITE : 412 DMA_RESV_USAGE_READ; 413 414 dma_resv_lock(dmabuf->resv, NULL); 415 416 ret = dma_resv_reserve_fences(dmabuf->resv, 1); 417 if (!ret) 418 dma_resv_add_fence(dmabuf->resv, fence, usage); 419 420 dma_resv_unlock(dmabuf->resv); 421 422 dma_fence_put(fence); 423 424 return ret; 425 } 426 #endif 427 428 static long dma_buf_ioctl(struct file *file, 429 unsigned int cmd, unsigned long arg) 430 { 431 struct dma_buf *dmabuf; 432 struct dma_buf_sync sync; 433 enum dma_data_direction direction; 434 int ret; 435 436 dmabuf = file->private_data; 437 438 switch (cmd) { 439 case DMA_BUF_IOCTL_SYNC: 440 if (copy_from_user(&sync, (void __user *) arg, sizeof(sync))) 441 return -EFAULT; 442 443 if (sync.flags & ~DMA_BUF_SYNC_VALID_FLAGS_MASK) 444 return -EINVAL; 445 446 switch (sync.flags & DMA_BUF_SYNC_RW) { 447 case DMA_BUF_SYNC_READ: 448 direction = DMA_FROM_DEVICE; 449 break; 450 case DMA_BUF_SYNC_WRITE: 451 direction = DMA_TO_DEVICE; 452 break; 453 case DMA_BUF_SYNC_RW: 454 direction = DMA_BIDIRECTIONAL; 455 break; 456 default: 457 return -EINVAL; 458 } 459 460 if (sync.flags & DMA_BUF_SYNC_END) 461 ret = dma_buf_end_cpu_access(dmabuf, direction); 462 else 463 ret = dma_buf_begin_cpu_access(dmabuf, direction); 464 465 return ret; 466 467 case DMA_BUF_SET_NAME_A: 468 case DMA_BUF_SET_NAME_B: 469 return dma_buf_set_name(dmabuf, (const char __user *)arg); 470 471 #if IS_ENABLED(CONFIG_SYNC_FILE) 472 case DMA_BUF_IOCTL_EXPORT_SYNC_FILE: 473 return dma_buf_export_sync_file(dmabuf, (void __user *)arg); 474 case DMA_BUF_IOCTL_IMPORT_SYNC_FILE: 475 return dma_buf_import_sync_file(dmabuf, (const void __user *)arg); 476 #endif 477 478 default: 479 return -ENOTTY; 480 } 481 } 482 483 static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file) 484 { 485 struct dma_buf *dmabuf = file->private_data; 486 487 seq_printf(m, "size:\t%zu\n", dmabuf->size); 488 /* Don't count the temporary reference taken inside procfs seq_show */ 489 seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); 490 seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); 491 spin_lock(&dmabuf->name_lock); 492 if (dmabuf->name) 493 seq_printf(m, "name:\t%s\n", dmabuf->name); 494 spin_unlock(&dmabuf->name_lock); 495 } 496 497 static const struct file_operations dma_buf_fops = { 498 .release = dma_buf_file_release, 499 .mmap = dma_buf_mmap_internal, 500 .llseek = dma_buf_llseek, 501 .poll = dma_buf_poll, 502 .unlocked_ioctl = dma_buf_ioctl, 503 .compat_ioctl = compat_ptr_ioctl, 504 .show_fdinfo = dma_buf_show_fdinfo, 505 }; 506 507 /* 508 * is_dma_buf_file - Check if struct file* is associated with dma_buf 509 */ 510 static inline int is_dma_buf_file(struct file *file) 511 { 512 return file->f_op == &dma_buf_fops; 513 } 514 515 static struct file *dma_buf_getfile(struct dma_buf *dmabuf, int flags) 516 { 517 static atomic64_t dmabuf_inode = ATOMIC64_INIT(0); 518 struct file *file; 519 struct inode *inode = alloc_anon_inode(dma_buf_mnt->mnt_sb); 520 521 if (IS_ERR(inode)) 522 return ERR_CAST(inode); 523 524 inode->i_size = dmabuf->size; 525 inode_set_bytes(inode, dmabuf->size); 526 527 /* 528 * The ->i_ino acquired from get_next_ino() is not unique thus 529 * not suitable for using it as dentry name by dmabuf stats. 530 * Override ->i_ino with the unique and dmabuffs specific 531 * value. 532 */ 533 inode->i_ino = atomic64_add_return(1, &dmabuf_inode); 534 flags &= O_ACCMODE | O_NONBLOCK; 535 file = alloc_file_pseudo(inode, dma_buf_mnt, "dmabuf", 536 flags, &dma_buf_fops); 537 if (IS_ERR(file)) 538 goto err_alloc_file; 539 file->private_data = dmabuf; 540 file->f_path.dentry->d_fsdata = dmabuf; 541 542 return file; 543 544 err_alloc_file: 545 iput(inode); 546 return file; 547 } 548 549 /** 550 * DOC: dma buf device access 551 * 552 * For device DMA access to a shared DMA buffer the usual sequence of operations 553 * is fairly simple: 554 * 555 * 1. The exporter defines his exporter instance using 556 * DEFINE_DMA_BUF_EXPORT_INFO() and calls dma_buf_export() to wrap a private 557 * buffer object into a &dma_buf. It then exports that &dma_buf to userspace 558 * as a file descriptor by calling dma_buf_fd(). 559 * 560 * 2. Userspace passes this file-descriptors to all drivers it wants this buffer 561 * to share with: First the file descriptor is converted to a &dma_buf using 562 * dma_buf_get(). Then the buffer is attached to the device using 563 * dma_buf_attach(). 564 * 565 * Up to this stage the exporter is still free to migrate or reallocate the 566 * backing storage. 567 * 568 * 3. Once the buffer is attached to all devices userspace can initiate DMA 569 * access to the shared buffer. In the kernel this is done by calling 570 * dma_buf_map_attachment() and dma_buf_unmap_attachment(). 571 * 572 * 4. Once a driver is done with a shared buffer it needs to call 573 * dma_buf_detach() (after cleaning up any mappings) and then release the 574 * reference acquired with dma_buf_get() by calling dma_buf_put(). 575 * 576 * For the detailed semantics exporters are expected to implement see 577 * &dma_buf_ops. 578 */ 579 580 /** 581 * dma_buf_export - Creates a new dma_buf, and associates an anon file 582 * with this buffer, so it can be exported. 583 * Also connect the allocator specific data and ops to the buffer. 584 * Additionally, provide a name string for exporter; useful in debugging. 585 * 586 * @exp_info: [in] holds all the export related information provided 587 * by the exporter. see &struct dma_buf_export_info 588 * for further details. 589 * 590 * Returns, on success, a newly created struct dma_buf object, which wraps the 591 * supplied private data and operations for struct dma_buf_ops. On either 592 * missing ops, or error in allocating struct dma_buf, will return negative 593 * error. 594 * 595 * For most cases the easiest way to create @exp_info is through the 596 * %DEFINE_DMA_BUF_EXPORT_INFO macro. 597 */ 598 struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) 599 { 600 struct dma_buf *dmabuf; 601 struct dma_resv *resv = exp_info->resv; 602 struct file *file; 603 size_t alloc_size = sizeof(struct dma_buf); 604 int ret; 605 606 if (!exp_info->resv) 607 alloc_size += sizeof(struct dma_resv); 608 else 609 /* prevent &dma_buf[1] == dma_buf->resv */ 610 alloc_size += 1; 611 612 if (WARN_ON(!exp_info->priv 613 || !exp_info->ops 614 || !exp_info->ops->map_dma_buf 615 || !exp_info->ops->unmap_dma_buf 616 || !exp_info->ops->release)) { 617 return ERR_PTR(-EINVAL); 618 } 619 620 if (WARN_ON(exp_info->ops->cache_sgt_mapping && 621 (exp_info->ops->pin || exp_info->ops->unpin))) 622 return ERR_PTR(-EINVAL); 623 624 if (WARN_ON(!exp_info->ops->pin != !exp_info->ops->unpin)) 625 return ERR_PTR(-EINVAL); 626 627 if (!try_module_get(exp_info->owner)) 628 return ERR_PTR(-ENOENT); 629 630 dmabuf = kzalloc(alloc_size, GFP_KERNEL); 631 if (!dmabuf) { 632 ret = -ENOMEM; 633 goto err_module; 634 } 635 636 dmabuf->priv = exp_info->priv; 637 dmabuf->ops = exp_info->ops; 638 dmabuf->size = exp_info->size; 639 dmabuf->exp_name = exp_info->exp_name; 640 dmabuf->owner = exp_info->owner; 641 spin_lock_init(&dmabuf->name_lock); 642 init_waitqueue_head(&dmabuf->poll); 643 dmabuf->cb_in.poll = dmabuf->cb_out.poll = &dmabuf->poll; 644 dmabuf->cb_in.active = dmabuf->cb_out.active = 0; 645 646 if (!resv) { 647 resv = (struct dma_resv *)&dmabuf[1]; 648 dma_resv_init(resv); 649 } 650 dmabuf->resv = resv; 651 652 file = dma_buf_getfile(dmabuf, exp_info->flags); 653 if (IS_ERR(file)) { 654 ret = PTR_ERR(file); 655 goto err_dmabuf; 656 } 657 658 dmabuf->file = file; 659 660 INIT_LIST_HEAD(&dmabuf->attachments); 661 662 mutex_lock(&db_list.lock); 663 list_add(&dmabuf->list_node, &db_list.head); 664 mutex_unlock(&db_list.lock); 665 666 ret = dma_buf_stats_setup(dmabuf); 667 if (ret) 668 goto err_sysfs; 669 670 return dmabuf; 671 672 err_sysfs: 673 /* 674 * Set file->f_path.dentry->d_fsdata to NULL so that when 675 * dma_buf_release() gets invoked by dentry_ops, it exits 676 * early before calling the release() dma_buf op. 677 */ 678 file->f_path.dentry->d_fsdata = NULL; 679 fput(file); 680 err_dmabuf: 681 kfree(dmabuf); 682 err_module: 683 module_put(exp_info->owner); 684 return ERR_PTR(ret); 685 } 686 EXPORT_SYMBOL_NS_GPL(dma_buf_export, DMA_BUF); 687 688 /** 689 * dma_buf_fd - returns a file descriptor for the given struct dma_buf 690 * @dmabuf: [in] pointer to dma_buf for which fd is required. 691 * @flags: [in] flags to give to fd 692 * 693 * On success, returns an associated 'fd'. Else, returns error. 694 */ 695 int dma_buf_fd(struct dma_buf *dmabuf, int flags) 696 { 697 int fd; 698 699 if (!dmabuf || !dmabuf->file) 700 return -EINVAL; 701 702 fd = get_unused_fd_flags(flags); 703 if (fd < 0) 704 return fd; 705 706 fd_install(fd, dmabuf->file); 707 708 return fd; 709 } 710 EXPORT_SYMBOL_NS_GPL(dma_buf_fd, DMA_BUF); 711 712 /** 713 * dma_buf_get - returns the struct dma_buf related to an fd 714 * @fd: [in] fd associated with the struct dma_buf to be returned 715 * 716 * On success, returns the struct dma_buf associated with an fd; uses 717 * file's refcounting done by fget to increase refcount. returns ERR_PTR 718 * otherwise. 719 */ 720 struct dma_buf *dma_buf_get(int fd) 721 { 722 struct file *file; 723 724 file = fget(fd); 725 726 if (!file) 727 return ERR_PTR(-EBADF); 728 729 if (!is_dma_buf_file(file)) { 730 fput(file); 731 return ERR_PTR(-EINVAL); 732 } 733 734 return file->private_data; 735 } 736 EXPORT_SYMBOL_NS_GPL(dma_buf_get, DMA_BUF); 737 738 /** 739 * dma_buf_put - decreases refcount of the buffer 740 * @dmabuf: [in] buffer to reduce refcount of 741 * 742 * Uses file's refcounting done implicitly by fput(). 743 * 744 * If, as a result of this call, the refcount becomes 0, the 'release' file 745 * operation related to this fd is called. It calls &dma_buf_ops.release vfunc 746 * in turn, and frees the memory allocated for dmabuf when exported. 747 */ 748 void dma_buf_put(struct dma_buf *dmabuf) 749 { 750 if (WARN_ON(!dmabuf || !dmabuf->file)) 751 return; 752 753 fput(dmabuf->file); 754 } 755 EXPORT_SYMBOL_NS_GPL(dma_buf_put, DMA_BUF); 756 757 static void mangle_sg_table(struct sg_table *sg_table) 758 { 759 #ifdef CONFIG_DMABUF_DEBUG 760 int i; 761 struct scatterlist *sg; 762 763 /* To catch abuse of the underlying struct page by importers mix 764 * up the bits, but take care to preserve the low SG_ bits to 765 * not corrupt the sgt. The mixing is undone in __unmap_dma_buf 766 * before passing the sgt back to the exporter. */ 767 for_each_sgtable_sg(sg_table, sg, i) 768 sg->page_link ^= ~0xffUL; 769 #endif 770 771 } 772 static struct sg_table * __map_dma_buf(struct dma_buf_attachment *attach, 773 enum dma_data_direction direction) 774 { 775 struct sg_table *sg_table; 776 signed long ret; 777 778 sg_table = attach->dmabuf->ops->map_dma_buf(attach, direction); 779 if (IS_ERR_OR_NULL(sg_table)) 780 return sg_table; 781 782 if (!dma_buf_attachment_is_dynamic(attach)) { 783 ret = dma_resv_wait_timeout(attach->dmabuf->resv, 784 DMA_RESV_USAGE_KERNEL, true, 785 MAX_SCHEDULE_TIMEOUT); 786 if (ret < 0) { 787 attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, 788 direction); 789 return ERR_PTR(ret); 790 } 791 } 792 793 mangle_sg_table(sg_table); 794 return sg_table; 795 } 796 797 /** 798 * DOC: locking convention 799 * 800 * In order to avoid deadlock situations between dma-buf exports and importers, 801 * all dma-buf API users must follow the common dma-buf locking convention. 802 * 803 * Convention for importers 804 * 805 * 1. Importers must hold the dma-buf reservation lock when calling these 806 * functions: 807 * 808 * - dma_buf_pin() 809 * - dma_buf_unpin() 810 * - dma_buf_map_attachment() 811 * - dma_buf_unmap_attachment() 812 * - dma_buf_vmap() 813 * - dma_buf_vunmap() 814 * 815 * 2. Importers must not hold the dma-buf reservation lock when calling these 816 * functions: 817 * 818 * - dma_buf_attach() 819 * - dma_buf_dynamic_attach() 820 * - dma_buf_detach() 821 * - dma_buf_export( 822 * - dma_buf_fd() 823 * - dma_buf_get() 824 * - dma_buf_put() 825 * - dma_buf_mmap() 826 * - dma_buf_begin_cpu_access() 827 * - dma_buf_end_cpu_access() 828 * - dma_buf_map_attachment_unlocked() 829 * - dma_buf_unmap_attachment_unlocked() 830 * - dma_buf_vmap_unlocked() 831 * - dma_buf_vunmap_unlocked() 832 * 833 * Convention for exporters 834 * 835 * 1. These &dma_buf_ops callbacks are invoked with unlocked dma-buf 836 * reservation and exporter can take the lock: 837 * 838 * - &dma_buf_ops.attach() 839 * - &dma_buf_ops.detach() 840 * - &dma_buf_ops.release() 841 * - &dma_buf_ops.begin_cpu_access() 842 * - &dma_buf_ops.end_cpu_access() 843 * 844 * 2. These &dma_buf_ops callbacks are invoked with locked dma-buf 845 * reservation and exporter can't take the lock: 846 * 847 * - &dma_buf_ops.pin() 848 * - &dma_buf_ops.unpin() 849 * - &dma_buf_ops.map_dma_buf() 850 * - &dma_buf_ops.unmap_dma_buf() 851 * - &dma_buf_ops.mmap() 852 * - &dma_buf_ops.vmap() 853 * - &dma_buf_ops.vunmap() 854 * 855 * 3. Exporters must hold the dma-buf reservation lock when calling these 856 * functions: 857 * 858 * - dma_buf_move_notify() 859 */ 860 861 /** 862 * dma_buf_dynamic_attach - Add the device to dma_buf's attachments list 863 * @dmabuf: [in] buffer to attach device to. 864 * @dev: [in] device to be attached. 865 * @importer_ops: [in] importer operations for the attachment 866 * @importer_priv: [in] importer private pointer for the attachment 867 * 868 * Returns struct dma_buf_attachment pointer for this attachment. Attachments 869 * must be cleaned up by calling dma_buf_detach(). 870 * 871 * Optionally this calls &dma_buf_ops.attach to allow device-specific attach 872 * functionality. 873 * 874 * Returns: 875 * 876 * A pointer to newly created &dma_buf_attachment on success, or a negative 877 * error code wrapped into a pointer on failure. 878 * 879 * Note that this can fail if the backing storage of @dmabuf is in a place not 880 * accessible to @dev, and cannot be moved to a more suitable place. This is 881 * indicated with the error code -EBUSY. 882 */ 883 struct dma_buf_attachment * 884 dma_buf_dynamic_attach(struct dma_buf *dmabuf, struct device *dev, 885 const struct dma_buf_attach_ops *importer_ops, 886 void *importer_priv) 887 { 888 struct dma_buf_attachment *attach; 889 int ret; 890 891 if (WARN_ON(!dmabuf || !dev)) 892 return ERR_PTR(-EINVAL); 893 894 if (WARN_ON(importer_ops && !importer_ops->move_notify)) 895 return ERR_PTR(-EINVAL); 896 897 attach = kzalloc(sizeof(*attach), GFP_KERNEL); 898 if (!attach) 899 return ERR_PTR(-ENOMEM); 900 901 attach->dev = dev; 902 attach->dmabuf = dmabuf; 903 if (importer_ops) 904 attach->peer2peer = importer_ops->allow_peer2peer; 905 attach->importer_ops = importer_ops; 906 attach->importer_priv = importer_priv; 907 908 if (dmabuf->ops->attach) { 909 ret = dmabuf->ops->attach(dmabuf, attach); 910 if (ret) 911 goto err_attach; 912 } 913 dma_resv_lock(dmabuf->resv, NULL); 914 list_add(&attach->node, &dmabuf->attachments); 915 dma_resv_unlock(dmabuf->resv); 916 917 /* When either the importer or the exporter can't handle dynamic 918 * mappings we cache the mapping here to avoid issues with the 919 * reservation object lock. 920 */ 921 if (dma_buf_attachment_is_dynamic(attach) != 922 dma_buf_is_dynamic(dmabuf)) { 923 struct sg_table *sgt; 924 925 dma_resv_lock(attach->dmabuf->resv, NULL); 926 if (dma_buf_is_dynamic(attach->dmabuf)) { 927 ret = dmabuf->ops->pin(attach); 928 if (ret) 929 goto err_unlock; 930 } 931 932 sgt = __map_dma_buf(attach, DMA_BIDIRECTIONAL); 933 if (!sgt) 934 sgt = ERR_PTR(-ENOMEM); 935 if (IS_ERR(sgt)) { 936 ret = PTR_ERR(sgt); 937 goto err_unpin; 938 } 939 dma_resv_unlock(attach->dmabuf->resv); 940 attach->sgt = sgt; 941 attach->dir = DMA_BIDIRECTIONAL; 942 } 943 944 return attach; 945 946 err_attach: 947 kfree(attach); 948 return ERR_PTR(ret); 949 950 err_unpin: 951 if (dma_buf_is_dynamic(attach->dmabuf)) 952 dmabuf->ops->unpin(attach); 953 954 err_unlock: 955 dma_resv_unlock(attach->dmabuf->resv); 956 957 dma_buf_detach(dmabuf, attach); 958 return ERR_PTR(ret); 959 } 960 EXPORT_SYMBOL_NS_GPL(dma_buf_dynamic_attach, DMA_BUF); 961 962 /** 963 * dma_buf_attach - Wrapper for dma_buf_dynamic_attach 964 * @dmabuf: [in] buffer to attach device to. 965 * @dev: [in] device to be attached. 966 * 967 * Wrapper to call dma_buf_dynamic_attach() for drivers which still use a static 968 * mapping. 969 */ 970 struct dma_buf_attachment *dma_buf_attach(struct dma_buf *dmabuf, 971 struct device *dev) 972 { 973 return dma_buf_dynamic_attach(dmabuf, dev, NULL, NULL); 974 } 975 EXPORT_SYMBOL_NS_GPL(dma_buf_attach, DMA_BUF); 976 977 static void __unmap_dma_buf(struct dma_buf_attachment *attach, 978 struct sg_table *sg_table, 979 enum dma_data_direction direction) 980 { 981 /* uses XOR, hence this unmangles */ 982 mangle_sg_table(sg_table); 983 984 attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction); 985 } 986 987 /** 988 * dma_buf_detach - Remove the given attachment from dmabuf's attachments list 989 * @dmabuf: [in] buffer to detach from. 990 * @attach: [in] attachment to be detached; is free'd after this call. 991 * 992 * Clean up a device attachment obtained by calling dma_buf_attach(). 993 * 994 * Optionally this calls &dma_buf_ops.detach for device-specific detach. 995 */ 996 void dma_buf_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attach) 997 { 998 if (WARN_ON(!dmabuf || !attach || dmabuf != attach->dmabuf)) 999 return; 1000 1001 dma_resv_lock(dmabuf->resv, NULL); 1002 1003 if (attach->sgt) { 1004 1005 __unmap_dma_buf(attach, attach->sgt, attach->dir); 1006 1007 if (dma_buf_is_dynamic(attach->dmabuf)) 1008 dmabuf->ops->unpin(attach); 1009 } 1010 list_del(&attach->node); 1011 1012 dma_resv_unlock(dmabuf->resv); 1013 1014 if (dmabuf->ops->detach) 1015 dmabuf->ops->detach(dmabuf, attach); 1016 1017 kfree(attach); 1018 } 1019 EXPORT_SYMBOL_NS_GPL(dma_buf_detach, DMA_BUF); 1020 1021 /** 1022 * dma_buf_pin - Lock down the DMA-buf 1023 * @attach: [in] attachment which should be pinned 1024 * 1025 * Only dynamic importers (who set up @attach with dma_buf_dynamic_attach()) may 1026 * call this, and only for limited use cases like scanout and not for temporary 1027 * pin operations. It is not permitted to allow userspace to pin arbitrary 1028 * amounts of buffers through this interface. 1029 * 1030 * Buffers must be unpinned by calling dma_buf_unpin(). 1031 * 1032 * Returns: 1033 * 0 on success, negative error code on failure. 1034 */ 1035 int dma_buf_pin(struct dma_buf_attachment *attach) 1036 { 1037 struct dma_buf *dmabuf = attach->dmabuf; 1038 int ret = 0; 1039 1040 WARN_ON(!dma_buf_attachment_is_dynamic(attach)); 1041 1042 dma_resv_assert_held(dmabuf->resv); 1043 1044 if (dmabuf->ops->pin) 1045 ret = dmabuf->ops->pin(attach); 1046 1047 return ret; 1048 } 1049 EXPORT_SYMBOL_NS_GPL(dma_buf_pin, DMA_BUF); 1050 1051 /** 1052 * dma_buf_unpin - Unpin a DMA-buf 1053 * @attach: [in] attachment which should be unpinned 1054 * 1055 * This unpins a buffer pinned by dma_buf_pin() and allows the exporter to move 1056 * any mapping of @attach again and inform the importer through 1057 * &dma_buf_attach_ops.move_notify. 1058 */ 1059 void dma_buf_unpin(struct dma_buf_attachment *attach) 1060 { 1061 struct dma_buf *dmabuf = attach->dmabuf; 1062 1063 WARN_ON(!dma_buf_attachment_is_dynamic(attach)); 1064 1065 dma_resv_assert_held(dmabuf->resv); 1066 1067 if (dmabuf->ops->unpin) 1068 dmabuf->ops->unpin(attach); 1069 } 1070 EXPORT_SYMBOL_NS_GPL(dma_buf_unpin, DMA_BUF); 1071 1072 /** 1073 * dma_buf_map_attachment - Returns the scatterlist table of the attachment; 1074 * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the 1075 * dma_buf_ops. 1076 * @attach: [in] attachment whose scatterlist is to be returned 1077 * @direction: [in] direction of DMA transfer 1078 * 1079 * Returns sg_table containing the scatterlist to be returned; returns ERR_PTR 1080 * on error. May return -EINTR if it is interrupted by a signal. 1081 * 1082 * On success, the DMA addresses and lengths in the returned scatterlist are 1083 * PAGE_SIZE aligned. 1084 * 1085 * A mapping must be unmapped by using dma_buf_unmap_attachment(). Note that 1086 * the underlying backing storage is pinned for as long as a mapping exists, 1087 * therefore users/importers should not hold onto a mapping for undue amounts of 1088 * time. 1089 * 1090 * Important: Dynamic importers must wait for the exclusive fence of the struct 1091 * dma_resv attached to the DMA-BUF first. 1092 */ 1093 struct sg_table *dma_buf_map_attachment(struct dma_buf_attachment *attach, 1094 enum dma_data_direction direction) 1095 { 1096 struct sg_table *sg_table; 1097 int r; 1098 1099 might_sleep(); 1100 1101 if (WARN_ON(!attach || !attach->dmabuf)) 1102 return ERR_PTR(-EINVAL); 1103 1104 dma_resv_assert_held(attach->dmabuf->resv); 1105 1106 if (attach->sgt) { 1107 /* 1108 * Two mappings with different directions for the same 1109 * attachment are not allowed. 1110 */ 1111 if (attach->dir != direction && 1112 attach->dir != DMA_BIDIRECTIONAL) 1113 return ERR_PTR(-EBUSY); 1114 1115 return attach->sgt; 1116 } 1117 1118 if (dma_buf_is_dynamic(attach->dmabuf)) { 1119 if (!IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY)) { 1120 r = attach->dmabuf->ops->pin(attach); 1121 if (r) 1122 return ERR_PTR(r); 1123 } 1124 } 1125 1126 sg_table = __map_dma_buf(attach, direction); 1127 if (!sg_table) 1128 sg_table = ERR_PTR(-ENOMEM); 1129 1130 if (IS_ERR(sg_table) && dma_buf_is_dynamic(attach->dmabuf) && 1131 !IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY)) 1132 attach->dmabuf->ops->unpin(attach); 1133 1134 if (!IS_ERR(sg_table) && attach->dmabuf->ops->cache_sgt_mapping) { 1135 attach->sgt = sg_table; 1136 attach->dir = direction; 1137 } 1138 1139 #ifdef CONFIG_DMA_API_DEBUG 1140 if (!IS_ERR(sg_table)) { 1141 struct scatterlist *sg; 1142 u64 addr; 1143 int len; 1144 int i; 1145 1146 for_each_sgtable_dma_sg(sg_table, sg, i) { 1147 addr = sg_dma_address(sg); 1148 len = sg_dma_len(sg); 1149 if (!PAGE_ALIGNED(addr) || !PAGE_ALIGNED(len)) { 1150 pr_debug("%s: addr %llx or len %x is not page aligned!\n", 1151 __func__, addr, len); 1152 } 1153 } 1154 } 1155 #endif /* CONFIG_DMA_API_DEBUG */ 1156 return sg_table; 1157 } 1158 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment, DMA_BUF); 1159 1160 /** 1161 * dma_buf_map_attachment_unlocked - Returns the scatterlist table of the attachment; 1162 * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the 1163 * dma_buf_ops. 1164 * @attach: [in] attachment whose scatterlist is to be returned 1165 * @direction: [in] direction of DMA transfer 1166 * 1167 * Unlocked variant of dma_buf_map_attachment(). 1168 */ 1169 struct sg_table * 1170 dma_buf_map_attachment_unlocked(struct dma_buf_attachment *attach, 1171 enum dma_data_direction direction) 1172 { 1173 struct sg_table *sg_table; 1174 1175 might_sleep(); 1176 1177 if (WARN_ON(!attach || !attach->dmabuf)) 1178 return ERR_PTR(-EINVAL); 1179 1180 dma_resv_lock(attach->dmabuf->resv, NULL); 1181 sg_table = dma_buf_map_attachment(attach, direction); 1182 dma_resv_unlock(attach->dmabuf->resv); 1183 1184 return sg_table; 1185 } 1186 EXPORT_SYMBOL_NS_GPL(dma_buf_map_attachment_unlocked, DMA_BUF); 1187 1188 /** 1189 * dma_buf_unmap_attachment - unmaps and decreases usecount of the buffer;might 1190 * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of 1191 * dma_buf_ops. 1192 * @attach: [in] attachment to unmap buffer from 1193 * @sg_table: [in] scatterlist info of the buffer to unmap 1194 * @direction: [in] direction of DMA transfer 1195 * 1196 * This unmaps a DMA mapping for @attached obtained by dma_buf_map_attachment(). 1197 */ 1198 void dma_buf_unmap_attachment(struct dma_buf_attachment *attach, 1199 struct sg_table *sg_table, 1200 enum dma_data_direction direction) 1201 { 1202 might_sleep(); 1203 1204 if (WARN_ON(!attach || !attach->dmabuf || !sg_table)) 1205 return; 1206 1207 dma_resv_assert_held(attach->dmabuf->resv); 1208 1209 if (attach->sgt == sg_table) 1210 return; 1211 1212 __unmap_dma_buf(attach, sg_table, direction); 1213 1214 if (dma_buf_is_dynamic(attach->dmabuf) && 1215 !IS_ENABLED(CONFIG_DMABUF_MOVE_NOTIFY)) 1216 dma_buf_unpin(attach); 1217 } 1218 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment, DMA_BUF); 1219 1220 /** 1221 * dma_buf_unmap_attachment_unlocked - unmaps and decreases usecount of the buffer;might 1222 * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of 1223 * dma_buf_ops. 1224 * @attach: [in] attachment to unmap buffer from 1225 * @sg_table: [in] scatterlist info of the buffer to unmap 1226 * @direction: [in] direction of DMA transfer 1227 * 1228 * Unlocked variant of dma_buf_unmap_attachment(). 1229 */ 1230 void dma_buf_unmap_attachment_unlocked(struct dma_buf_attachment *attach, 1231 struct sg_table *sg_table, 1232 enum dma_data_direction direction) 1233 { 1234 might_sleep(); 1235 1236 if (WARN_ON(!attach || !attach->dmabuf || !sg_table)) 1237 return; 1238 1239 dma_resv_lock(attach->dmabuf->resv, NULL); 1240 dma_buf_unmap_attachment(attach, sg_table, direction); 1241 dma_resv_unlock(attach->dmabuf->resv); 1242 } 1243 EXPORT_SYMBOL_NS_GPL(dma_buf_unmap_attachment_unlocked, DMA_BUF); 1244 1245 /** 1246 * dma_buf_move_notify - notify attachments that DMA-buf is moving 1247 * 1248 * @dmabuf: [in] buffer which is moving 1249 * 1250 * Informs all attachmenst that they need to destroy and recreated all their 1251 * mappings. 1252 */ 1253 void dma_buf_move_notify(struct dma_buf *dmabuf) 1254 { 1255 struct dma_buf_attachment *attach; 1256 1257 dma_resv_assert_held(dmabuf->resv); 1258 1259 list_for_each_entry(attach, &dmabuf->attachments, node) 1260 if (attach->importer_ops) 1261 attach->importer_ops->move_notify(attach); 1262 } 1263 EXPORT_SYMBOL_NS_GPL(dma_buf_move_notify, DMA_BUF); 1264 1265 /** 1266 * DOC: cpu access 1267 * 1268 * There are mutliple reasons for supporting CPU access to a dma buffer object: 1269 * 1270 * - Fallback operations in the kernel, for example when a device is connected 1271 * over USB and the kernel needs to shuffle the data around first before 1272 * sending it away. Cache coherency is handled by braketing any transactions 1273 * with calls to dma_buf_begin_cpu_access() and dma_buf_end_cpu_access() 1274 * access. 1275 * 1276 * Since for most kernel internal dma-buf accesses need the entire buffer, a 1277 * vmap interface is introduced. Note that on very old 32-bit architectures 1278 * vmalloc space might be limited and result in vmap calls failing. 1279 * 1280 * Interfaces:: 1281 * 1282 * void \*dma_buf_vmap(struct dma_buf \*dmabuf, struct iosys_map \*map) 1283 * void dma_buf_vunmap(struct dma_buf \*dmabuf, struct iosys_map \*map) 1284 * 1285 * The vmap call can fail if there is no vmap support in the exporter, or if 1286 * it runs out of vmalloc space. Note that the dma-buf layer keeps a reference 1287 * count for all vmap access and calls down into the exporter's vmap function 1288 * only when no vmapping exists, and only unmaps it once. Protection against 1289 * concurrent vmap/vunmap calls is provided by taking the &dma_buf.lock mutex. 1290 * 1291 * - For full compatibility on the importer side with existing userspace 1292 * interfaces, which might already support mmap'ing buffers. This is needed in 1293 * many processing pipelines (e.g. feeding a software rendered image into a 1294 * hardware pipeline, thumbnail creation, snapshots, ...). Also, Android's ION 1295 * framework already supported this and for DMA buffer file descriptors to 1296 * replace ION buffers mmap support was needed. 1297 * 1298 * There is no special interfaces, userspace simply calls mmap on the dma-buf 1299 * fd. But like for CPU access there's a need to braket the actual access, 1300 * which is handled by the ioctl (DMA_BUF_IOCTL_SYNC). Note that 1301 * DMA_BUF_IOCTL_SYNC can fail with -EAGAIN or -EINTR, in which case it must 1302 * be restarted. 1303 * 1304 * Some systems might need some sort of cache coherency management e.g. when 1305 * CPU and GPU domains are being accessed through dma-buf at the same time. 1306 * To circumvent this problem there are begin/end coherency markers, that 1307 * forward directly to existing dma-buf device drivers vfunc hooks. Userspace 1308 * can make use of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The 1309 * sequence would be used like following: 1310 * 1311 * - mmap dma-buf fd 1312 * - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write 1313 * to mmap area 3. SYNC_END ioctl. This can be repeated as often as you 1314 * want (with the new data being consumed by say the GPU or the scanout 1315 * device) 1316 * - munmap once you don't need the buffer any more 1317 * 1318 * For correctness and optimal performance, it is always required to use 1319 * SYNC_START and SYNC_END before and after, respectively, when accessing the 1320 * mapped address. Userspace cannot rely on coherent access, even when there 1321 * are systems where it just works without calling these ioctls. 1322 * 1323 * - And as a CPU fallback in userspace processing pipelines. 1324 * 1325 * Similar to the motivation for kernel cpu access it is again important that 1326 * the userspace code of a given importing subsystem can use the same 1327 * interfaces with a imported dma-buf buffer object as with a native buffer 1328 * object. This is especially important for drm where the userspace part of 1329 * contemporary OpenGL, X, and other drivers is huge, and reworking them to 1330 * use a different way to mmap a buffer rather invasive. 1331 * 1332 * The assumption in the current dma-buf interfaces is that redirecting the 1333 * initial mmap is all that's needed. A survey of some of the existing 1334 * subsystems shows that no driver seems to do any nefarious thing like 1335 * syncing up with outstanding asynchronous processing on the device or 1336 * allocating special resources at fault time. So hopefully this is good 1337 * enough, since adding interfaces to intercept pagefaults and allow pte 1338 * shootdowns would increase the complexity quite a bit. 1339 * 1340 * Interface:: 1341 * 1342 * int dma_buf_mmap(struct dma_buf \*, struct vm_area_struct \*, 1343 * unsigned long); 1344 * 1345 * If the importing subsystem simply provides a special-purpose mmap call to 1346 * set up a mapping in userspace, calling do_mmap with &dma_buf.file will 1347 * equally achieve that for a dma-buf object. 1348 */ 1349 1350 static int __dma_buf_begin_cpu_access(struct dma_buf *dmabuf, 1351 enum dma_data_direction direction) 1352 { 1353 bool write = (direction == DMA_BIDIRECTIONAL || 1354 direction == DMA_TO_DEVICE); 1355 struct dma_resv *resv = dmabuf->resv; 1356 long ret; 1357 1358 /* Wait on any implicit rendering fences */ 1359 ret = dma_resv_wait_timeout(resv, dma_resv_usage_rw(write), 1360 true, MAX_SCHEDULE_TIMEOUT); 1361 if (ret < 0) 1362 return ret; 1363 1364 return 0; 1365 } 1366 1367 /** 1368 * dma_buf_begin_cpu_access - Must be called before accessing a dma_buf from the 1369 * cpu in the kernel context. Calls begin_cpu_access to allow exporter-specific 1370 * preparations. Coherency is only guaranteed in the specified range for the 1371 * specified access direction. 1372 * @dmabuf: [in] buffer to prepare cpu access for. 1373 * @direction: [in] length of range for cpu access. 1374 * 1375 * After the cpu access is complete the caller should call 1376 * dma_buf_end_cpu_access(). Only when cpu access is braketed by both calls is 1377 * it guaranteed to be coherent with other DMA access. 1378 * 1379 * This function will also wait for any DMA transactions tracked through 1380 * implicit synchronization in &dma_buf.resv. For DMA transactions with explicit 1381 * synchronization this function will only ensure cache coherency, callers must 1382 * ensure synchronization with such DMA transactions on their own. 1383 * 1384 * Can return negative error values, returns 0 on success. 1385 */ 1386 int dma_buf_begin_cpu_access(struct dma_buf *dmabuf, 1387 enum dma_data_direction direction) 1388 { 1389 int ret = 0; 1390 1391 if (WARN_ON(!dmabuf)) 1392 return -EINVAL; 1393 1394 might_lock(&dmabuf->resv->lock.base); 1395 1396 if (dmabuf->ops->begin_cpu_access) 1397 ret = dmabuf->ops->begin_cpu_access(dmabuf, direction); 1398 1399 /* Ensure that all fences are waited upon - but we first allow 1400 * the native handler the chance to do so more efficiently if it 1401 * chooses. A double invocation here will be reasonably cheap no-op. 1402 */ 1403 if (ret == 0) 1404 ret = __dma_buf_begin_cpu_access(dmabuf, direction); 1405 1406 return ret; 1407 } 1408 EXPORT_SYMBOL_NS_GPL(dma_buf_begin_cpu_access, DMA_BUF); 1409 1410 /** 1411 * dma_buf_end_cpu_access - Must be called after accessing a dma_buf from the 1412 * cpu in the kernel context. Calls end_cpu_access to allow exporter-specific 1413 * actions. Coherency is only guaranteed in the specified range for the 1414 * specified access direction. 1415 * @dmabuf: [in] buffer to complete cpu access for. 1416 * @direction: [in] length of range for cpu access. 1417 * 1418 * This terminates CPU access started with dma_buf_begin_cpu_access(). 1419 * 1420 * Can return negative error values, returns 0 on success. 1421 */ 1422 int dma_buf_end_cpu_access(struct dma_buf *dmabuf, 1423 enum dma_data_direction direction) 1424 { 1425 int ret = 0; 1426 1427 WARN_ON(!dmabuf); 1428 1429 might_lock(&dmabuf->resv->lock.base); 1430 1431 if (dmabuf->ops->end_cpu_access) 1432 ret = dmabuf->ops->end_cpu_access(dmabuf, direction); 1433 1434 return ret; 1435 } 1436 EXPORT_SYMBOL_NS_GPL(dma_buf_end_cpu_access, DMA_BUF); 1437 1438 1439 /** 1440 * dma_buf_mmap - Setup up a userspace mmap with the given vma 1441 * @dmabuf: [in] buffer that should back the vma 1442 * @vma: [in] vma for the mmap 1443 * @pgoff: [in] offset in pages where this mmap should start within the 1444 * dma-buf buffer. 1445 * 1446 * This function adjusts the passed in vma so that it points at the file of the 1447 * dma_buf operation. It also adjusts the starting pgoff and does bounds 1448 * checking on the size of the vma. Then it calls the exporters mmap function to 1449 * set up the mapping. 1450 * 1451 * Can return negative error values, returns 0 on success. 1452 */ 1453 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma, 1454 unsigned long pgoff) 1455 { 1456 int ret; 1457 1458 if (WARN_ON(!dmabuf || !vma)) 1459 return -EINVAL; 1460 1461 /* check if buffer supports mmap */ 1462 if (!dmabuf->ops->mmap) 1463 return -EINVAL; 1464 1465 /* check for offset overflow */ 1466 if (pgoff + vma_pages(vma) < pgoff) 1467 return -EOVERFLOW; 1468 1469 /* check for overflowing the buffer's size */ 1470 if (pgoff + vma_pages(vma) > 1471 dmabuf->size >> PAGE_SHIFT) 1472 return -EINVAL; 1473 1474 /* readjust the vma */ 1475 vma_set_file(vma, dmabuf->file); 1476 vma->vm_pgoff = pgoff; 1477 1478 dma_resv_lock(dmabuf->resv, NULL); 1479 ret = dmabuf->ops->mmap(dmabuf, vma); 1480 dma_resv_unlock(dmabuf->resv); 1481 1482 return ret; 1483 } 1484 EXPORT_SYMBOL_NS_GPL(dma_buf_mmap, DMA_BUF); 1485 1486 /** 1487 * dma_buf_vmap - Create virtual mapping for the buffer object into kernel 1488 * address space. Same restrictions as for vmap and friends apply. 1489 * @dmabuf: [in] buffer to vmap 1490 * @map: [out] returns the vmap pointer 1491 * 1492 * This call may fail due to lack of virtual mapping address space. 1493 * These calls are optional in drivers. The intended use for them 1494 * is for mapping objects linear in kernel space for high use objects. 1495 * 1496 * To ensure coherency users must call dma_buf_begin_cpu_access() and 1497 * dma_buf_end_cpu_access() around any cpu access performed through this 1498 * mapping. 1499 * 1500 * Returns 0 on success, or a negative errno code otherwise. 1501 */ 1502 int dma_buf_vmap(struct dma_buf *dmabuf, struct iosys_map *map) 1503 { 1504 struct iosys_map ptr; 1505 int ret; 1506 1507 iosys_map_clear(map); 1508 1509 if (WARN_ON(!dmabuf)) 1510 return -EINVAL; 1511 1512 dma_resv_assert_held(dmabuf->resv); 1513 1514 if (!dmabuf->ops->vmap) 1515 return -EINVAL; 1516 1517 if (dmabuf->vmapping_counter) { 1518 dmabuf->vmapping_counter++; 1519 BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr)); 1520 *map = dmabuf->vmap_ptr; 1521 return 0; 1522 } 1523 1524 BUG_ON(iosys_map_is_set(&dmabuf->vmap_ptr)); 1525 1526 ret = dmabuf->ops->vmap(dmabuf, &ptr); 1527 if (WARN_ON_ONCE(ret)) 1528 return ret; 1529 1530 dmabuf->vmap_ptr = ptr; 1531 dmabuf->vmapping_counter = 1; 1532 1533 *map = dmabuf->vmap_ptr; 1534 1535 return 0; 1536 } 1537 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap, DMA_BUF); 1538 1539 /** 1540 * dma_buf_vmap_unlocked - Create virtual mapping for the buffer object into kernel 1541 * address space. Same restrictions as for vmap and friends apply. 1542 * @dmabuf: [in] buffer to vmap 1543 * @map: [out] returns the vmap pointer 1544 * 1545 * Unlocked version of dma_buf_vmap() 1546 * 1547 * Returns 0 on success, or a negative errno code otherwise. 1548 */ 1549 int dma_buf_vmap_unlocked(struct dma_buf *dmabuf, struct iosys_map *map) 1550 { 1551 int ret; 1552 1553 iosys_map_clear(map); 1554 1555 if (WARN_ON(!dmabuf)) 1556 return -EINVAL; 1557 1558 dma_resv_lock(dmabuf->resv, NULL); 1559 ret = dma_buf_vmap(dmabuf, map); 1560 dma_resv_unlock(dmabuf->resv); 1561 1562 return ret; 1563 } 1564 EXPORT_SYMBOL_NS_GPL(dma_buf_vmap_unlocked, DMA_BUF); 1565 1566 /** 1567 * dma_buf_vunmap - Unmap a vmap obtained by dma_buf_vmap. 1568 * @dmabuf: [in] buffer to vunmap 1569 * @map: [in] vmap pointer to vunmap 1570 */ 1571 void dma_buf_vunmap(struct dma_buf *dmabuf, struct iosys_map *map) 1572 { 1573 if (WARN_ON(!dmabuf)) 1574 return; 1575 1576 dma_resv_assert_held(dmabuf->resv); 1577 1578 BUG_ON(iosys_map_is_null(&dmabuf->vmap_ptr)); 1579 BUG_ON(dmabuf->vmapping_counter == 0); 1580 BUG_ON(!iosys_map_is_equal(&dmabuf->vmap_ptr, map)); 1581 1582 if (--dmabuf->vmapping_counter == 0) { 1583 if (dmabuf->ops->vunmap) 1584 dmabuf->ops->vunmap(dmabuf, map); 1585 iosys_map_clear(&dmabuf->vmap_ptr); 1586 } 1587 } 1588 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap, DMA_BUF); 1589 1590 /** 1591 * dma_buf_vunmap_unlocked - Unmap a vmap obtained by dma_buf_vmap. 1592 * @dmabuf: [in] buffer to vunmap 1593 * @map: [in] vmap pointer to vunmap 1594 */ 1595 void dma_buf_vunmap_unlocked(struct dma_buf *dmabuf, struct iosys_map *map) 1596 { 1597 if (WARN_ON(!dmabuf)) 1598 return; 1599 1600 dma_resv_lock(dmabuf->resv, NULL); 1601 dma_buf_vunmap(dmabuf, map); 1602 dma_resv_unlock(dmabuf->resv); 1603 } 1604 EXPORT_SYMBOL_NS_GPL(dma_buf_vunmap_unlocked, DMA_BUF); 1605 1606 #ifdef CONFIG_DEBUG_FS 1607 static int dma_buf_debug_show(struct seq_file *s, void *unused) 1608 { 1609 struct dma_buf *buf_obj; 1610 struct dma_buf_attachment *attach_obj; 1611 int count = 0, attach_count; 1612 size_t size = 0; 1613 int ret; 1614 1615 ret = mutex_lock_interruptible(&db_list.lock); 1616 1617 if (ret) 1618 return ret; 1619 1620 seq_puts(s, "\nDma-buf Objects:\n"); 1621 seq_printf(s, "%-8s\t%-8s\t%-8s\t%-8s\texp_name\t%-8s\tname\n", 1622 "size", "flags", "mode", "count", "ino"); 1623 1624 list_for_each_entry(buf_obj, &db_list.head, list_node) { 1625 1626 ret = dma_resv_lock_interruptible(buf_obj->resv, NULL); 1627 if (ret) 1628 goto error_unlock; 1629 1630 1631 spin_lock(&buf_obj->name_lock); 1632 seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\t%08lu\t%s\n", 1633 buf_obj->size, 1634 buf_obj->file->f_flags, buf_obj->file->f_mode, 1635 file_count(buf_obj->file), 1636 buf_obj->exp_name, 1637 file_inode(buf_obj->file)->i_ino, 1638 buf_obj->name ?: "<none>"); 1639 spin_unlock(&buf_obj->name_lock); 1640 1641 dma_resv_describe(buf_obj->resv, s); 1642 1643 seq_puts(s, "\tAttached Devices:\n"); 1644 attach_count = 0; 1645 1646 list_for_each_entry(attach_obj, &buf_obj->attachments, node) { 1647 seq_printf(s, "\t%s\n", dev_name(attach_obj->dev)); 1648 attach_count++; 1649 } 1650 dma_resv_unlock(buf_obj->resv); 1651 1652 seq_printf(s, "Total %d devices attached\n\n", 1653 attach_count); 1654 1655 count++; 1656 size += buf_obj->size; 1657 } 1658 1659 seq_printf(s, "\nTotal %d objects, %zu bytes\n", count, size); 1660 1661 mutex_unlock(&db_list.lock); 1662 return 0; 1663 1664 error_unlock: 1665 mutex_unlock(&db_list.lock); 1666 return ret; 1667 } 1668 1669 DEFINE_SHOW_ATTRIBUTE(dma_buf_debug); 1670 1671 static struct dentry *dma_buf_debugfs_dir; 1672 1673 static int dma_buf_init_debugfs(void) 1674 { 1675 struct dentry *d; 1676 int err = 0; 1677 1678 d = debugfs_create_dir("dma_buf", NULL); 1679 if (IS_ERR(d)) 1680 return PTR_ERR(d); 1681 1682 dma_buf_debugfs_dir = d; 1683 1684 d = debugfs_create_file("bufinfo", S_IRUGO, dma_buf_debugfs_dir, 1685 NULL, &dma_buf_debug_fops); 1686 if (IS_ERR(d)) { 1687 pr_debug("dma_buf: debugfs: failed to create node bufinfo\n"); 1688 debugfs_remove_recursive(dma_buf_debugfs_dir); 1689 dma_buf_debugfs_dir = NULL; 1690 err = PTR_ERR(d); 1691 } 1692 1693 return err; 1694 } 1695 1696 static void dma_buf_uninit_debugfs(void) 1697 { 1698 debugfs_remove_recursive(dma_buf_debugfs_dir); 1699 } 1700 #else 1701 static inline int dma_buf_init_debugfs(void) 1702 { 1703 return 0; 1704 } 1705 static inline void dma_buf_uninit_debugfs(void) 1706 { 1707 } 1708 #endif 1709 1710 static int __init dma_buf_init(void) 1711 { 1712 int ret; 1713 1714 ret = dma_buf_init_sysfs_statistics(); 1715 if (ret) 1716 return ret; 1717 1718 dma_buf_mnt = kern_mount(&dma_buf_fs_type); 1719 if (IS_ERR(dma_buf_mnt)) 1720 return PTR_ERR(dma_buf_mnt); 1721 1722 mutex_init(&db_list.lock); 1723 INIT_LIST_HEAD(&db_list.head); 1724 dma_buf_init_debugfs(); 1725 return 0; 1726 } 1727 subsys_initcall(dma_buf_init); 1728 1729 static void __exit dma_buf_deinit(void) 1730 { 1731 dma_buf_uninit_debugfs(); 1732 kern_unmount(dma_buf_mnt); 1733 dma_buf_uninit_sysfs_statistics(); 1734 } 1735 __exitcall(dma_buf_deinit); 1736