1 /* 2 * Framework for buffer objects that can be shared across devices/subsystems. 3 * 4 * Copyright(C) 2011 Linaro Limited. All rights reserved. 5 * Author: Sumit Semwal <sumit.semwal@ti.com> 6 * 7 * Many thanks to linaro-mm-sig list, and specially 8 * Arnd Bergmann <arnd@arndb.de>, Rob Clark <rob@ti.com> and 9 * Daniel Vetter <daniel@ffwll.ch> for their support in creation and 10 * refining of this idea. 11 * 12 * This program is free software; you can redistribute it and/or modify it 13 * under the terms of the GNU General Public License version 2 as published by 14 * the Free Software Foundation. 15 * 16 * This program is distributed in the hope that it will be useful, but WITHOUT 17 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 18 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for 19 * more details. 20 * 21 * You should have received a copy of the GNU General Public License along with 22 * this program. If not, see <http://www.gnu.org/licenses/>. 23 */ 24 25 #include <linux/fs.h> 26 #include <linux/slab.h> 27 #include <linux/dma-buf.h> 28 #include <linux/dma-fence.h> 29 #include <linux/anon_inodes.h> 30 #include <linux/export.h> 31 #include <linux/debugfs.h> 32 #include <linux/module.h> 33 #include <linux/seq_file.h> 34 #include <linux/poll.h> 35 #include <linux/reservation.h> 36 #include <linux/mm.h> 37 38 #include <uapi/linux/dma-buf.h> 39 40 static inline int is_dma_buf_file(struct file *); 41 42 struct dma_buf_list { 43 struct list_head head; 44 struct mutex lock; 45 }; 46 47 static struct dma_buf_list db_list; 48 49 static int dma_buf_release(struct inode *inode, struct file *file) 50 { 51 struct dma_buf *dmabuf; 52 53 if (!is_dma_buf_file(file)) 54 return -EINVAL; 55 56 dmabuf = file->private_data; 57 58 BUG_ON(dmabuf->vmapping_counter); 59 60 /* 61 * Any fences that a dma-buf poll can wait on should be signaled 62 * before releasing dma-buf. This is the responsibility of each 63 * driver that uses the reservation objects. 64 * 65 * If you hit this BUG() it means someone dropped their ref to the 66 * dma-buf while still having pending operation to the buffer. 67 */ 68 BUG_ON(dmabuf->cb_shared.active || dmabuf->cb_excl.active); 69 70 dmabuf->ops->release(dmabuf); 71 72 mutex_lock(&db_list.lock); 73 list_del(&dmabuf->list_node); 74 mutex_unlock(&db_list.lock); 75 76 if (dmabuf->resv == (struct reservation_object *)&dmabuf[1]) 77 reservation_object_fini(dmabuf->resv); 78 79 module_put(dmabuf->owner); 80 kfree(dmabuf); 81 return 0; 82 } 83 84 static int dma_buf_mmap_internal(struct file *file, struct vm_area_struct *vma) 85 { 86 struct dma_buf *dmabuf; 87 88 if (!is_dma_buf_file(file)) 89 return -EINVAL; 90 91 dmabuf = file->private_data; 92 93 /* check if buffer supports mmap */ 94 if (!dmabuf->ops->mmap) 95 return -EINVAL; 96 97 /* check for overflowing the buffer's size */ 98 if (vma->vm_pgoff + vma_pages(vma) > 99 dmabuf->size >> PAGE_SHIFT) 100 return -EINVAL; 101 102 return dmabuf->ops->mmap(dmabuf, vma); 103 } 104 105 static loff_t dma_buf_llseek(struct file *file, loff_t offset, int whence) 106 { 107 struct dma_buf *dmabuf; 108 loff_t base; 109 110 if (!is_dma_buf_file(file)) 111 return -EBADF; 112 113 dmabuf = file->private_data; 114 115 /* only support discovering the end of the buffer, 116 but also allow SEEK_SET to maintain the idiomatic 117 SEEK_END(0), SEEK_CUR(0) pattern */ 118 if (whence == SEEK_END) 119 base = dmabuf->size; 120 else if (whence == SEEK_SET) 121 base = 0; 122 else 123 return -EINVAL; 124 125 if (offset != 0) 126 return -EINVAL; 127 128 return base + offset; 129 } 130 131 /** 132 * DOC: fence polling 133 * 134 * To support cross-device and cross-driver synchronization of buffer access 135 * implicit fences (represented internally in the kernel with &struct fence) can 136 * be attached to a &dma_buf. The glue for that and a few related things are 137 * provided in the &reservation_object structure. 138 * 139 * Userspace can query the state of these implicitly tracked fences using poll() 140 * and related system calls: 141 * 142 * - Checking for EPOLLIN, i.e. read access, can be use to query the state of the 143 * most recent write or exclusive fence. 144 * 145 * - Checking for EPOLLOUT, i.e. write access, can be used to query the state of 146 * all attached fences, shared and exclusive ones. 147 * 148 * Note that this only signals the completion of the respective fences, i.e. the 149 * DMA transfers are complete. Cache flushing and any other necessary 150 * preparations before CPU access can begin still need to happen. 151 */ 152 153 static void dma_buf_poll_cb(struct dma_fence *fence, struct dma_fence_cb *cb) 154 { 155 struct dma_buf_poll_cb_t *dcb = (struct dma_buf_poll_cb_t *)cb; 156 unsigned long flags; 157 158 spin_lock_irqsave(&dcb->poll->lock, flags); 159 wake_up_locked_poll(dcb->poll, dcb->active); 160 dcb->active = 0; 161 spin_unlock_irqrestore(&dcb->poll->lock, flags); 162 } 163 164 static __poll_t dma_buf_poll(struct file *file, poll_table *poll) 165 { 166 struct dma_buf *dmabuf; 167 struct reservation_object *resv; 168 struct reservation_object_list *fobj; 169 struct dma_fence *fence_excl; 170 __poll_t events; 171 unsigned shared_count, seq; 172 173 dmabuf = file->private_data; 174 if (!dmabuf || !dmabuf->resv) 175 return EPOLLERR; 176 177 resv = dmabuf->resv; 178 179 poll_wait(file, &dmabuf->poll, poll); 180 181 events = poll_requested_events(poll) & (EPOLLIN | EPOLLOUT); 182 if (!events) 183 return 0; 184 185 retry: 186 seq = read_seqcount_begin(&resv->seq); 187 rcu_read_lock(); 188 189 fobj = rcu_dereference(resv->fence); 190 if (fobj) 191 shared_count = fobj->shared_count; 192 else 193 shared_count = 0; 194 fence_excl = rcu_dereference(resv->fence_excl); 195 if (read_seqcount_retry(&resv->seq, seq)) { 196 rcu_read_unlock(); 197 goto retry; 198 } 199 200 if (fence_excl && (!(events & EPOLLOUT) || shared_count == 0)) { 201 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_excl; 202 __poll_t pevents = EPOLLIN; 203 204 if (shared_count == 0) 205 pevents |= EPOLLOUT; 206 207 spin_lock_irq(&dmabuf->poll.lock); 208 if (dcb->active) { 209 dcb->active |= pevents; 210 events &= ~pevents; 211 } else 212 dcb->active = pevents; 213 spin_unlock_irq(&dmabuf->poll.lock); 214 215 if (events & pevents) { 216 if (!dma_fence_get_rcu(fence_excl)) { 217 /* force a recheck */ 218 events &= ~pevents; 219 dma_buf_poll_cb(NULL, &dcb->cb); 220 } else if (!dma_fence_add_callback(fence_excl, &dcb->cb, 221 dma_buf_poll_cb)) { 222 events &= ~pevents; 223 dma_fence_put(fence_excl); 224 } else { 225 /* 226 * No callback queued, wake up any additional 227 * waiters. 228 */ 229 dma_fence_put(fence_excl); 230 dma_buf_poll_cb(NULL, &dcb->cb); 231 } 232 } 233 } 234 235 if ((events & EPOLLOUT) && shared_count > 0) { 236 struct dma_buf_poll_cb_t *dcb = &dmabuf->cb_shared; 237 int i; 238 239 /* Only queue a new callback if no event has fired yet */ 240 spin_lock_irq(&dmabuf->poll.lock); 241 if (dcb->active) 242 events &= ~EPOLLOUT; 243 else 244 dcb->active = EPOLLOUT; 245 spin_unlock_irq(&dmabuf->poll.lock); 246 247 if (!(events & EPOLLOUT)) 248 goto out; 249 250 for (i = 0; i < shared_count; ++i) { 251 struct dma_fence *fence = rcu_dereference(fobj->shared[i]); 252 253 if (!dma_fence_get_rcu(fence)) { 254 /* 255 * fence refcount dropped to zero, this means 256 * that fobj has been freed 257 * 258 * call dma_buf_poll_cb and force a recheck! 259 */ 260 events &= ~EPOLLOUT; 261 dma_buf_poll_cb(NULL, &dcb->cb); 262 break; 263 } 264 if (!dma_fence_add_callback(fence, &dcb->cb, 265 dma_buf_poll_cb)) { 266 dma_fence_put(fence); 267 events &= ~EPOLLOUT; 268 break; 269 } 270 dma_fence_put(fence); 271 } 272 273 /* No callback queued, wake up any additional waiters. */ 274 if (i == shared_count) 275 dma_buf_poll_cb(NULL, &dcb->cb); 276 } 277 278 out: 279 rcu_read_unlock(); 280 return events; 281 } 282 283 static long dma_buf_ioctl(struct file *file, 284 unsigned int cmd, unsigned long arg) 285 { 286 struct dma_buf *dmabuf; 287 struct dma_buf_sync sync; 288 enum dma_data_direction direction; 289 int ret; 290 291 dmabuf = file->private_data; 292 293 switch (cmd) { 294 case DMA_BUF_IOCTL_SYNC: 295 if (copy_from_user(&sync, (void __user *) arg, sizeof(sync))) 296 return -EFAULT; 297 298 if (sync.flags & ~DMA_BUF_SYNC_VALID_FLAGS_MASK) 299 return -EINVAL; 300 301 switch (sync.flags & DMA_BUF_SYNC_RW) { 302 case DMA_BUF_SYNC_READ: 303 direction = DMA_FROM_DEVICE; 304 break; 305 case DMA_BUF_SYNC_WRITE: 306 direction = DMA_TO_DEVICE; 307 break; 308 case DMA_BUF_SYNC_RW: 309 direction = DMA_BIDIRECTIONAL; 310 break; 311 default: 312 return -EINVAL; 313 } 314 315 if (sync.flags & DMA_BUF_SYNC_END) 316 ret = dma_buf_end_cpu_access(dmabuf, direction); 317 else 318 ret = dma_buf_begin_cpu_access(dmabuf, direction); 319 320 return ret; 321 default: 322 return -ENOTTY; 323 } 324 } 325 326 static const struct file_operations dma_buf_fops = { 327 .release = dma_buf_release, 328 .mmap = dma_buf_mmap_internal, 329 .llseek = dma_buf_llseek, 330 .poll = dma_buf_poll, 331 .unlocked_ioctl = dma_buf_ioctl, 332 #ifdef CONFIG_COMPAT 333 .compat_ioctl = dma_buf_ioctl, 334 #endif 335 }; 336 337 /* 338 * is_dma_buf_file - Check if struct file* is associated with dma_buf 339 */ 340 static inline int is_dma_buf_file(struct file *file) 341 { 342 return file->f_op == &dma_buf_fops; 343 } 344 345 /** 346 * DOC: dma buf device access 347 * 348 * For device DMA access to a shared DMA buffer the usual sequence of operations 349 * is fairly simple: 350 * 351 * 1. The exporter defines his exporter instance using 352 * DEFINE_DMA_BUF_EXPORT_INFO() and calls dma_buf_export() to wrap a private 353 * buffer object into a &dma_buf. It then exports that &dma_buf to userspace 354 * as a file descriptor by calling dma_buf_fd(). 355 * 356 * 2. Userspace passes this file-descriptors to all drivers it wants this buffer 357 * to share with: First the filedescriptor is converted to a &dma_buf using 358 * dma_buf_get(). Then the buffer is attached to the device using 359 * dma_buf_attach(). 360 * 361 * Up to this stage the exporter is still free to migrate or reallocate the 362 * backing storage. 363 * 364 * 3. Once the buffer is attached to all devices userspace can initiate DMA 365 * access to the shared buffer. In the kernel this is done by calling 366 * dma_buf_map_attachment() and dma_buf_unmap_attachment(). 367 * 368 * 4. Once a driver is done with a shared buffer it needs to call 369 * dma_buf_detach() (after cleaning up any mappings) and then release the 370 * reference acquired with dma_buf_get by calling dma_buf_put(). 371 * 372 * For the detailed semantics exporters are expected to implement see 373 * &dma_buf_ops. 374 */ 375 376 /** 377 * dma_buf_export - Creates a new dma_buf, and associates an anon file 378 * with this buffer, so it can be exported. 379 * Also connect the allocator specific data and ops to the buffer. 380 * Additionally, provide a name string for exporter; useful in debugging. 381 * 382 * @exp_info: [in] holds all the export related information provided 383 * by the exporter. see &struct dma_buf_export_info 384 * for further details. 385 * 386 * Returns, on success, a newly created dma_buf object, which wraps the 387 * supplied private data and operations for dma_buf_ops. On either missing 388 * ops, or error in allocating struct dma_buf, will return negative error. 389 * 390 * For most cases the easiest way to create @exp_info is through the 391 * %DEFINE_DMA_BUF_EXPORT_INFO macro. 392 */ 393 struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) 394 { 395 struct dma_buf *dmabuf; 396 struct reservation_object *resv = exp_info->resv; 397 struct file *file; 398 size_t alloc_size = sizeof(struct dma_buf); 399 int ret; 400 401 if (!exp_info->resv) 402 alloc_size += sizeof(struct reservation_object); 403 else 404 /* prevent &dma_buf[1] == dma_buf->resv */ 405 alloc_size += 1; 406 407 if (WARN_ON(!exp_info->priv 408 || !exp_info->ops 409 || !exp_info->ops->map_dma_buf 410 || !exp_info->ops->unmap_dma_buf 411 || !exp_info->ops->release)) { 412 return ERR_PTR(-EINVAL); 413 } 414 415 if (!try_module_get(exp_info->owner)) 416 return ERR_PTR(-ENOENT); 417 418 dmabuf = kzalloc(alloc_size, GFP_KERNEL); 419 if (!dmabuf) { 420 ret = -ENOMEM; 421 goto err_module; 422 } 423 424 dmabuf->priv = exp_info->priv; 425 dmabuf->ops = exp_info->ops; 426 dmabuf->size = exp_info->size; 427 dmabuf->exp_name = exp_info->exp_name; 428 dmabuf->owner = exp_info->owner; 429 init_waitqueue_head(&dmabuf->poll); 430 dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; 431 dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; 432 433 if (!resv) { 434 resv = (struct reservation_object *)&dmabuf[1]; 435 reservation_object_init(resv); 436 } 437 dmabuf->resv = resv; 438 439 file = anon_inode_getfile("dmabuf", &dma_buf_fops, dmabuf, 440 exp_info->flags); 441 if (IS_ERR(file)) { 442 ret = PTR_ERR(file); 443 goto err_dmabuf; 444 } 445 446 file->f_mode |= FMODE_LSEEK; 447 dmabuf->file = file; 448 449 mutex_init(&dmabuf->lock); 450 INIT_LIST_HEAD(&dmabuf->attachments); 451 452 mutex_lock(&db_list.lock); 453 list_add(&dmabuf->list_node, &db_list.head); 454 mutex_unlock(&db_list.lock); 455 456 return dmabuf; 457 458 err_dmabuf: 459 kfree(dmabuf); 460 err_module: 461 module_put(exp_info->owner); 462 return ERR_PTR(ret); 463 } 464 EXPORT_SYMBOL_GPL(dma_buf_export); 465 466 /** 467 * dma_buf_fd - returns a file descriptor for the given dma_buf 468 * @dmabuf: [in] pointer to dma_buf for which fd is required. 469 * @flags: [in] flags to give to fd 470 * 471 * On success, returns an associated 'fd'. Else, returns error. 472 */ 473 int dma_buf_fd(struct dma_buf *dmabuf, int flags) 474 { 475 int fd; 476 477 if (!dmabuf || !dmabuf->file) 478 return -EINVAL; 479 480 fd = get_unused_fd_flags(flags); 481 if (fd < 0) 482 return fd; 483 484 fd_install(fd, dmabuf->file); 485 486 return fd; 487 } 488 EXPORT_SYMBOL_GPL(dma_buf_fd); 489 490 /** 491 * dma_buf_get - returns the dma_buf structure related to an fd 492 * @fd: [in] fd associated with the dma_buf to be returned 493 * 494 * On success, returns the dma_buf structure associated with an fd; uses 495 * file's refcounting done by fget to increase refcount. returns ERR_PTR 496 * otherwise. 497 */ 498 struct dma_buf *dma_buf_get(int fd) 499 { 500 struct file *file; 501 502 file = fget(fd); 503 504 if (!file) 505 return ERR_PTR(-EBADF); 506 507 if (!is_dma_buf_file(file)) { 508 fput(file); 509 return ERR_PTR(-EINVAL); 510 } 511 512 return file->private_data; 513 } 514 EXPORT_SYMBOL_GPL(dma_buf_get); 515 516 /** 517 * dma_buf_put - decreases refcount of the buffer 518 * @dmabuf: [in] buffer to reduce refcount of 519 * 520 * Uses file's refcounting done implicitly by fput(). 521 * 522 * If, as a result of this call, the refcount becomes 0, the 'release' file 523 * operation related to this fd is called. It calls &dma_buf_ops.release vfunc 524 * in turn, and frees the memory allocated for dmabuf when exported. 525 */ 526 void dma_buf_put(struct dma_buf *dmabuf) 527 { 528 if (WARN_ON(!dmabuf || !dmabuf->file)) 529 return; 530 531 fput(dmabuf->file); 532 } 533 EXPORT_SYMBOL_GPL(dma_buf_put); 534 535 /** 536 * dma_buf_attach - Add the device to dma_buf's attachments list; optionally, 537 * calls attach() of dma_buf_ops to allow device-specific attach functionality 538 * @dmabuf: [in] buffer to attach device to. 539 * @dev: [in] device to be attached. 540 * 541 * Returns struct dma_buf_attachment pointer for this attachment. Attachments 542 * must be cleaned up by calling dma_buf_detach(). 543 * 544 * Returns: 545 * 546 * A pointer to newly created &dma_buf_attachment on success, or a negative 547 * error code wrapped into a pointer on failure. 548 * 549 * Note that this can fail if the backing storage of @dmabuf is in a place not 550 * accessible to @dev, and cannot be moved to a more suitable place. This is 551 * indicated with the error code -EBUSY. 552 */ 553 struct dma_buf_attachment *dma_buf_attach(struct dma_buf *dmabuf, 554 struct device *dev) 555 { 556 struct dma_buf_attachment *attach; 557 int ret; 558 559 if (WARN_ON(!dmabuf || !dev)) 560 return ERR_PTR(-EINVAL); 561 562 attach = kzalloc(sizeof(*attach), GFP_KERNEL); 563 if (!attach) 564 return ERR_PTR(-ENOMEM); 565 566 attach->dev = dev; 567 attach->dmabuf = dmabuf; 568 569 mutex_lock(&dmabuf->lock); 570 571 if (dmabuf->ops->attach) { 572 ret = dmabuf->ops->attach(dmabuf, attach); 573 if (ret) 574 goto err_attach; 575 } 576 list_add(&attach->node, &dmabuf->attachments); 577 578 mutex_unlock(&dmabuf->lock); 579 580 return attach; 581 582 err_attach: 583 kfree(attach); 584 mutex_unlock(&dmabuf->lock); 585 return ERR_PTR(ret); 586 } 587 EXPORT_SYMBOL_GPL(dma_buf_attach); 588 589 /** 590 * dma_buf_detach - Remove the given attachment from dmabuf's attachments list; 591 * optionally calls detach() of dma_buf_ops for device-specific detach 592 * @dmabuf: [in] buffer to detach from. 593 * @attach: [in] attachment to be detached; is free'd after this call. 594 * 595 * Clean up a device attachment obtained by calling dma_buf_attach(). 596 */ 597 void dma_buf_detach(struct dma_buf *dmabuf, struct dma_buf_attachment *attach) 598 { 599 if (WARN_ON(!dmabuf || !attach)) 600 return; 601 602 if (attach->sgt) 603 dmabuf->ops->unmap_dma_buf(attach, attach->sgt, attach->dir); 604 605 mutex_lock(&dmabuf->lock); 606 list_del(&attach->node); 607 if (dmabuf->ops->detach) 608 dmabuf->ops->detach(dmabuf, attach); 609 610 mutex_unlock(&dmabuf->lock); 611 kfree(attach); 612 } 613 EXPORT_SYMBOL_GPL(dma_buf_detach); 614 615 /** 616 * dma_buf_map_attachment - Returns the scatterlist table of the attachment; 617 * mapped into _device_ address space. Is a wrapper for map_dma_buf() of the 618 * dma_buf_ops. 619 * @attach: [in] attachment whose scatterlist is to be returned 620 * @direction: [in] direction of DMA transfer 621 * 622 * Returns sg_table containing the scatterlist to be returned; returns ERR_PTR 623 * on error. May return -EINTR if it is interrupted by a signal. 624 * 625 * A mapping must be unmapped by using dma_buf_unmap_attachment(). Note that 626 * the underlying backing storage is pinned for as long as a mapping exists, 627 * therefore users/importers should not hold onto a mapping for undue amounts of 628 * time. 629 */ 630 struct sg_table *dma_buf_map_attachment(struct dma_buf_attachment *attach, 631 enum dma_data_direction direction) 632 { 633 struct sg_table *sg_table; 634 635 might_sleep(); 636 637 if (WARN_ON(!attach || !attach->dmabuf)) 638 return ERR_PTR(-EINVAL); 639 640 if (attach->sgt) { 641 /* 642 * Two mappings with different directions for the same 643 * attachment are not allowed. 644 */ 645 if (attach->dir != direction && 646 attach->dir != DMA_BIDIRECTIONAL) 647 return ERR_PTR(-EBUSY); 648 649 return attach->sgt; 650 } 651 652 sg_table = attach->dmabuf->ops->map_dma_buf(attach, direction); 653 if (!sg_table) 654 sg_table = ERR_PTR(-ENOMEM); 655 656 if (!IS_ERR(sg_table) && attach->dmabuf->ops->cache_sgt_mapping) { 657 attach->sgt = sg_table; 658 attach->dir = direction; 659 } 660 661 return sg_table; 662 } 663 EXPORT_SYMBOL_GPL(dma_buf_map_attachment); 664 665 /** 666 * dma_buf_unmap_attachment - unmaps and decreases usecount of the buffer;might 667 * deallocate the scatterlist associated. Is a wrapper for unmap_dma_buf() of 668 * dma_buf_ops. 669 * @attach: [in] attachment to unmap buffer from 670 * @sg_table: [in] scatterlist info of the buffer to unmap 671 * @direction: [in] direction of DMA transfer 672 * 673 * This unmaps a DMA mapping for @attached obtained by dma_buf_map_attachment(). 674 */ 675 void dma_buf_unmap_attachment(struct dma_buf_attachment *attach, 676 struct sg_table *sg_table, 677 enum dma_data_direction direction) 678 { 679 might_sleep(); 680 681 if (WARN_ON(!attach || !attach->dmabuf || !sg_table)) 682 return; 683 684 if (attach->sgt == sg_table) 685 return; 686 687 attach->dmabuf->ops->unmap_dma_buf(attach, sg_table, direction); 688 } 689 EXPORT_SYMBOL_GPL(dma_buf_unmap_attachment); 690 691 /** 692 * DOC: cpu access 693 * 694 * There are mutliple reasons for supporting CPU access to a dma buffer object: 695 * 696 * - Fallback operations in the kernel, for example when a device is connected 697 * over USB and the kernel needs to shuffle the data around first before 698 * sending it away. Cache coherency is handled by braketing any transactions 699 * with calls to dma_buf_begin_cpu_access() and dma_buf_end_cpu_access() 700 * access. 701 * 702 * To support dma_buf objects residing in highmem cpu access is page-based 703 * using an api similar to kmap. Accessing a dma_buf is done in aligned chunks 704 * of PAGE_SIZE size. Before accessing a chunk it needs to be mapped, which 705 * returns a pointer in kernel virtual address space. Afterwards the chunk 706 * needs to be unmapped again. There is no limit on how often a given chunk 707 * can be mapped and unmapped, i.e. the importer does not need to call 708 * begin_cpu_access again before mapping the same chunk again. 709 * 710 * Interfaces:: 711 * void \*dma_buf_kmap(struct dma_buf \*, unsigned long); 712 * void dma_buf_kunmap(struct dma_buf \*, unsigned long, void \*); 713 * 714 * Implementing the functions is optional for exporters and for importers all 715 * the restrictions of using kmap apply. 716 * 717 * dma_buf kmap calls outside of the range specified in begin_cpu_access are 718 * undefined. If the range is not PAGE_SIZE aligned, kmap needs to succeed on 719 * the partial chunks at the beginning and end but may return stale or bogus 720 * data outside of the range (in these partial chunks). 721 * 722 * For some cases the overhead of kmap can be too high, a vmap interface 723 * is introduced. This interface should be used very carefully, as vmalloc 724 * space is a limited resources on many architectures. 725 * 726 * Interfaces:: 727 * void \*dma_buf_vmap(struct dma_buf \*dmabuf) 728 * void dma_buf_vunmap(struct dma_buf \*dmabuf, void \*vaddr) 729 * 730 * The vmap call can fail if there is no vmap support in the exporter, or if 731 * it runs out of vmalloc space. Fallback to kmap should be implemented. Note 732 * that the dma-buf layer keeps a reference count for all vmap access and 733 * calls down into the exporter's vmap function only when no vmapping exists, 734 * and only unmaps it once. Protection against concurrent vmap/vunmap calls is 735 * provided by taking the dma_buf->lock mutex. 736 * 737 * - For full compatibility on the importer side with existing userspace 738 * interfaces, which might already support mmap'ing buffers. This is needed in 739 * many processing pipelines (e.g. feeding a software rendered image into a 740 * hardware pipeline, thumbnail creation, snapshots, ...). Also, Android's ION 741 * framework already supported this and for DMA buffer file descriptors to 742 * replace ION buffers mmap support was needed. 743 * 744 * There is no special interfaces, userspace simply calls mmap on the dma-buf 745 * fd. But like for CPU access there's a need to braket the actual access, 746 * which is handled by the ioctl (DMA_BUF_IOCTL_SYNC). Note that 747 * DMA_BUF_IOCTL_SYNC can fail with -EAGAIN or -EINTR, in which case it must 748 * be restarted. 749 * 750 * Some systems might need some sort of cache coherency management e.g. when 751 * CPU and GPU domains are being accessed through dma-buf at the same time. 752 * To circumvent this problem there are begin/end coherency markers, that 753 * forward directly to existing dma-buf device drivers vfunc hooks. Userspace 754 * can make use of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The 755 * sequence would be used like following: 756 * 757 * - mmap dma-buf fd 758 * - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write 759 * to mmap area 3. SYNC_END ioctl. This can be repeated as often as you 760 * want (with the new data being consumed by say the GPU or the scanout 761 * device) 762 * - munmap once you don't need the buffer any more 763 * 764 * For correctness and optimal performance, it is always required to use 765 * SYNC_START and SYNC_END before and after, respectively, when accessing the 766 * mapped address. Userspace cannot rely on coherent access, even when there 767 * are systems where it just works without calling these ioctls. 768 * 769 * - And as a CPU fallback in userspace processing pipelines. 770 * 771 * Similar to the motivation for kernel cpu access it is again important that 772 * the userspace code of a given importing subsystem can use the same 773 * interfaces with a imported dma-buf buffer object as with a native buffer 774 * object. This is especially important for drm where the userspace part of 775 * contemporary OpenGL, X, and other drivers is huge, and reworking them to 776 * use a different way to mmap a buffer rather invasive. 777 * 778 * The assumption in the current dma-buf interfaces is that redirecting the 779 * initial mmap is all that's needed. A survey of some of the existing 780 * subsystems shows that no driver seems to do any nefarious thing like 781 * syncing up with outstanding asynchronous processing on the device or 782 * allocating special resources at fault time. So hopefully this is good 783 * enough, since adding interfaces to intercept pagefaults and allow pte 784 * shootdowns would increase the complexity quite a bit. 785 * 786 * Interface:: 787 * int dma_buf_mmap(struct dma_buf \*, struct vm_area_struct \*, 788 * unsigned long); 789 * 790 * If the importing subsystem simply provides a special-purpose mmap call to 791 * set up a mapping in userspace, calling do_mmap with dma_buf->file will 792 * equally achieve that for a dma-buf object. 793 */ 794 795 static int __dma_buf_begin_cpu_access(struct dma_buf *dmabuf, 796 enum dma_data_direction direction) 797 { 798 bool write = (direction == DMA_BIDIRECTIONAL || 799 direction == DMA_TO_DEVICE); 800 struct reservation_object *resv = dmabuf->resv; 801 long ret; 802 803 /* Wait on any implicit rendering fences */ 804 ret = reservation_object_wait_timeout_rcu(resv, write, true, 805 MAX_SCHEDULE_TIMEOUT); 806 if (ret < 0) 807 return ret; 808 809 return 0; 810 } 811 812 /** 813 * dma_buf_begin_cpu_access - Must be called before accessing a dma_buf from the 814 * cpu in the kernel context. Calls begin_cpu_access to allow exporter-specific 815 * preparations. Coherency is only guaranteed in the specified range for the 816 * specified access direction. 817 * @dmabuf: [in] buffer to prepare cpu access for. 818 * @direction: [in] length of range for cpu access. 819 * 820 * After the cpu access is complete the caller should call 821 * dma_buf_end_cpu_access(). Only when cpu access is braketed by both calls is 822 * it guaranteed to be coherent with other DMA access. 823 * 824 * Can return negative error values, returns 0 on success. 825 */ 826 int dma_buf_begin_cpu_access(struct dma_buf *dmabuf, 827 enum dma_data_direction direction) 828 { 829 int ret = 0; 830 831 if (WARN_ON(!dmabuf)) 832 return -EINVAL; 833 834 if (dmabuf->ops->begin_cpu_access) 835 ret = dmabuf->ops->begin_cpu_access(dmabuf, direction); 836 837 /* Ensure that all fences are waited upon - but we first allow 838 * the native handler the chance to do so more efficiently if it 839 * chooses. A double invocation here will be reasonably cheap no-op. 840 */ 841 if (ret == 0) 842 ret = __dma_buf_begin_cpu_access(dmabuf, direction); 843 844 return ret; 845 } 846 EXPORT_SYMBOL_GPL(dma_buf_begin_cpu_access); 847 848 /** 849 * dma_buf_end_cpu_access - Must be called after accessing a dma_buf from the 850 * cpu in the kernel context. Calls end_cpu_access to allow exporter-specific 851 * actions. Coherency is only guaranteed in the specified range for the 852 * specified access direction. 853 * @dmabuf: [in] buffer to complete cpu access for. 854 * @direction: [in] length of range for cpu access. 855 * 856 * This terminates CPU access started with dma_buf_begin_cpu_access(). 857 * 858 * Can return negative error values, returns 0 on success. 859 */ 860 int dma_buf_end_cpu_access(struct dma_buf *dmabuf, 861 enum dma_data_direction direction) 862 { 863 int ret = 0; 864 865 WARN_ON(!dmabuf); 866 867 if (dmabuf->ops->end_cpu_access) 868 ret = dmabuf->ops->end_cpu_access(dmabuf, direction); 869 870 return ret; 871 } 872 EXPORT_SYMBOL_GPL(dma_buf_end_cpu_access); 873 874 /** 875 * dma_buf_kmap - Map a page of the buffer object into kernel address space. The 876 * same restrictions as for kmap and friends apply. 877 * @dmabuf: [in] buffer to map page from. 878 * @page_num: [in] page in PAGE_SIZE units to map. 879 * 880 * This call must always succeed, any necessary preparations that might fail 881 * need to be done in begin_cpu_access. 882 */ 883 void *dma_buf_kmap(struct dma_buf *dmabuf, unsigned long page_num) 884 { 885 WARN_ON(!dmabuf); 886 887 if (!dmabuf->ops->map) 888 return NULL; 889 return dmabuf->ops->map(dmabuf, page_num); 890 } 891 EXPORT_SYMBOL_GPL(dma_buf_kmap); 892 893 /** 894 * dma_buf_kunmap - Unmap a page obtained by dma_buf_kmap. 895 * @dmabuf: [in] buffer to unmap page from. 896 * @page_num: [in] page in PAGE_SIZE units to unmap. 897 * @vaddr: [in] kernel space pointer obtained from dma_buf_kmap. 898 * 899 * This call must always succeed. 900 */ 901 void dma_buf_kunmap(struct dma_buf *dmabuf, unsigned long page_num, 902 void *vaddr) 903 { 904 WARN_ON(!dmabuf); 905 906 if (dmabuf->ops->unmap) 907 dmabuf->ops->unmap(dmabuf, page_num, vaddr); 908 } 909 EXPORT_SYMBOL_GPL(dma_buf_kunmap); 910 911 912 /** 913 * dma_buf_mmap - Setup up a userspace mmap with the given vma 914 * @dmabuf: [in] buffer that should back the vma 915 * @vma: [in] vma for the mmap 916 * @pgoff: [in] offset in pages where this mmap should start within the 917 * dma-buf buffer. 918 * 919 * This function adjusts the passed in vma so that it points at the file of the 920 * dma_buf operation. It also adjusts the starting pgoff and does bounds 921 * checking on the size of the vma. Then it calls the exporters mmap function to 922 * set up the mapping. 923 * 924 * Can return negative error values, returns 0 on success. 925 */ 926 int dma_buf_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma, 927 unsigned long pgoff) 928 { 929 struct file *oldfile; 930 int ret; 931 932 if (WARN_ON(!dmabuf || !vma)) 933 return -EINVAL; 934 935 /* check if buffer supports mmap */ 936 if (!dmabuf->ops->mmap) 937 return -EINVAL; 938 939 /* check for offset overflow */ 940 if (pgoff + vma_pages(vma) < pgoff) 941 return -EOVERFLOW; 942 943 /* check for overflowing the buffer's size */ 944 if (pgoff + vma_pages(vma) > 945 dmabuf->size >> PAGE_SHIFT) 946 return -EINVAL; 947 948 /* readjust the vma */ 949 get_file(dmabuf->file); 950 oldfile = vma->vm_file; 951 vma->vm_file = dmabuf->file; 952 vma->vm_pgoff = pgoff; 953 954 ret = dmabuf->ops->mmap(dmabuf, vma); 955 if (ret) { 956 /* restore old parameters on failure */ 957 vma->vm_file = oldfile; 958 fput(dmabuf->file); 959 } else { 960 if (oldfile) 961 fput(oldfile); 962 } 963 return ret; 964 965 } 966 EXPORT_SYMBOL_GPL(dma_buf_mmap); 967 968 /** 969 * dma_buf_vmap - Create virtual mapping for the buffer object into kernel 970 * address space. Same restrictions as for vmap and friends apply. 971 * @dmabuf: [in] buffer to vmap 972 * 973 * This call may fail due to lack of virtual mapping address space. 974 * These calls are optional in drivers. The intended use for them 975 * is for mapping objects linear in kernel space for high use objects. 976 * Please attempt to use kmap/kunmap before thinking about these interfaces. 977 * 978 * Returns NULL on error. 979 */ 980 void *dma_buf_vmap(struct dma_buf *dmabuf) 981 { 982 void *ptr; 983 984 if (WARN_ON(!dmabuf)) 985 return NULL; 986 987 if (!dmabuf->ops->vmap) 988 return NULL; 989 990 mutex_lock(&dmabuf->lock); 991 if (dmabuf->vmapping_counter) { 992 dmabuf->vmapping_counter++; 993 BUG_ON(!dmabuf->vmap_ptr); 994 ptr = dmabuf->vmap_ptr; 995 goto out_unlock; 996 } 997 998 BUG_ON(dmabuf->vmap_ptr); 999 1000 ptr = dmabuf->ops->vmap(dmabuf); 1001 if (WARN_ON_ONCE(IS_ERR(ptr))) 1002 ptr = NULL; 1003 if (!ptr) 1004 goto out_unlock; 1005 1006 dmabuf->vmap_ptr = ptr; 1007 dmabuf->vmapping_counter = 1; 1008 1009 out_unlock: 1010 mutex_unlock(&dmabuf->lock); 1011 return ptr; 1012 } 1013 EXPORT_SYMBOL_GPL(dma_buf_vmap); 1014 1015 /** 1016 * dma_buf_vunmap - Unmap a vmap obtained by dma_buf_vmap. 1017 * @dmabuf: [in] buffer to vunmap 1018 * @vaddr: [in] vmap to vunmap 1019 */ 1020 void dma_buf_vunmap(struct dma_buf *dmabuf, void *vaddr) 1021 { 1022 if (WARN_ON(!dmabuf)) 1023 return; 1024 1025 BUG_ON(!dmabuf->vmap_ptr); 1026 BUG_ON(dmabuf->vmapping_counter == 0); 1027 BUG_ON(dmabuf->vmap_ptr != vaddr); 1028 1029 mutex_lock(&dmabuf->lock); 1030 if (--dmabuf->vmapping_counter == 0) { 1031 if (dmabuf->ops->vunmap) 1032 dmabuf->ops->vunmap(dmabuf, vaddr); 1033 dmabuf->vmap_ptr = NULL; 1034 } 1035 mutex_unlock(&dmabuf->lock); 1036 } 1037 EXPORT_SYMBOL_GPL(dma_buf_vunmap); 1038 1039 #ifdef CONFIG_DEBUG_FS 1040 static int dma_buf_debug_show(struct seq_file *s, void *unused) 1041 { 1042 int ret; 1043 struct dma_buf *buf_obj; 1044 struct dma_buf_attachment *attach_obj; 1045 struct reservation_object *robj; 1046 struct reservation_object_list *fobj; 1047 struct dma_fence *fence; 1048 unsigned seq; 1049 int count = 0, attach_count, shared_count, i; 1050 size_t size = 0; 1051 1052 ret = mutex_lock_interruptible(&db_list.lock); 1053 1054 if (ret) 1055 return ret; 1056 1057 seq_puts(s, "\nDma-buf Objects:\n"); 1058 seq_printf(s, "%-8s\t%-8s\t%-8s\t%-8s\texp_name\n", 1059 "size", "flags", "mode", "count"); 1060 1061 list_for_each_entry(buf_obj, &db_list.head, list_node) { 1062 ret = mutex_lock_interruptible(&buf_obj->lock); 1063 1064 if (ret) { 1065 seq_puts(s, 1066 "\tERROR locking buffer object: skipping\n"); 1067 continue; 1068 } 1069 1070 seq_printf(s, "%08zu\t%08x\t%08x\t%08ld\t%s\n", 1071 buf_obj->size, 1072 buf_obj->file->f_flags, buf_obj->file->f_mode, 1073 file_count(buf_obj->file), 1074 buf_obj->exp_name); 1075 1076 robj = buf_obj->resv; 1077 while (true) { 1078 seq = read_seqcount_begin(&robj->seq); 1079 rcu_read_lock(); 1080 fobj = rcu_dereference(robj->fence); 1081 shared_count = fobj ? fobj->shared_count : 0; 1082 fence = rcu_dereference(robj->fence_excl); 1083 if (!read_seqcount_retry(&robj->seq, seq)) 1084 break; 1085 rcu_read_unlock(); 1086 } 1087 1088 if (fence) 1089 seq_printf(s, "\tExclusive fence: %s %s %ssignalled\n", 1090 fence->ops->get_driver_name(fence), 1091 fence->ops->get_timeline_name(fence), 1092 dma_fence_is_signaled(fence) ? "" : "un"); 1093 for (i = 0; i < shared_count; i++) { 1094 fence = rcu_dereference(fobj->shared[i]); 1095 if (!dma_fence_get_rcu(fence)) 1096 continue; 1097 seq_printf(s, "\tShared fence: %s %s %ssignalled\n", 1098 fence->ops->get_driver_name(fence), 1099 fence->ops->get_timeline_name(fence), 1100 dma_fence_is_signaled(fence) ? "" : "un"); 1101 dma_fence_put(fence); 1102 } 1103 rcu_read_unlock(); 1104 1105 seq_puts(s, "\tAttached Devices:\n"); 1106 attach_count = 0; 1107 1108 list_for_each_entry(attach_obj, &buf_obj->attachments, node) { 1109 seq_printf(s, "\t%s\n", dev_name(attach_obj->dev)); 1110 attach_count++; 1111 } 1112 1113 seq_printf(s, "Total %d devices attached\n\n", 1114 attach_count); 1115 1116 count++; 1117 size += buf_obj->size; 1118 mutex_unlock(&buf_obj->lock); 1119 } 1120 1121 seq_printf(s, "\nTotal %d objects, %zu bytes\n", count, size); 1122 1123 mutex_unlock(&db_list.lock); 1124 return 0; 1125 } 1126 1127 DEFINE_SHOW_ATTRIBUTE(dma_buf_debug); 1128 1129 static struct dentry *dma_buf_debugfs_dir; 1130 1131 static int dma_buf_init_debugfs(void) 1132 { 1133 struct dentry *d; 1134 int err = 0; 1135 1136 d = debugfs_create_dir("dma_buf", NULL); 1137 if (IS_ERR(d)) 1138 return PTR_ERR(d); 1139 1140 dma_buf_debugfs_dir = d; 1141 1142 d = debugfs_create_file("bufinfo", S_IRUGO, dma_buf_debugfs_dir, 1143 NULL, &dma_buf_debug_fops); 1144 if (IS_ERR(d)) { 1145 pr_debug("dma_buf: debugfs: failed to create node bufinfo\n"); 1146 debugfs_remove_recursive(dma_buf_debugfs_dir); 1147 dma_buf_debugfs_dir = NULL; 1148 err = PTR_ERR(d); 1149 } 1150 1151 return err; 1152 } 1153 1154 static void dma_buf_uninit_debugfs(void) 1155 { 1156 debugfs_remove_recursive(dma_buf_debugfs_dir); 1157 } 1158 #else 1159 static inline int dma_buf_init_debugfs(void) 1160 { 1161 return 0; 1162 } 1163 static inline void dma_buf_uninit_debugfs(void) 1164 { 1165 } 1166 #endif 1167 1168 static int __init dma_buf_init(void) 1169 { 1170 mutex_init(&db_list.lock); 1171 INIT_LIST_HEAD(&db_list.head); 1172 dma_buf_init_debugfs(); 1173 return 0; 1174 } 1175 subsys_initcall(dma_buf_init); 1176 1177 static void __exit dma_buf_deinit(void) 1178 { 1179 dma_buf_uninit_debugfs(); 1180 } 1181 __exitcall(dma_buf_deinit); 1182