1 // SPDX-License-Identifier: GPL-2.0 2 3 /* 4 * Xen dma-buf functionality for gntdev. 5 * 6 * DMA buffer implementation is based on drivers/gpu/drm/drm_prime.c. 7 * 8 * Copyright (c) 2018 Oleksandr Andrushchenko, EPAM Systems Inc. 9 */ 10 11 #include <linux/kernel.h> 12 #include <linux/errno.h> 13 #include <linux/dma-buf.h> 14 #include <linux/slab.h> 15 #include <linux/types.h> 16 #include <linux/uaccess.h> 17 #include <linux/module.h> 18 19 #include <xen/xen.h> 20 #include <xen/grant_table.h> 21 22 #include "gntdev-common.h" 23 #include "gntdev-dmabuf.h" 24 25 MODULE_IMPORT_NS(DMA_BUF); 26 27 #ifndef GRANT_INVALID_REF 28 /* 29 * Note on usage of grant reference 0 as invalid grant reference: 30 * grant reference 0 is valid, but never exposed to a driver, 31 * because of the fact it is already in use/reserved by the PV console. 32 */ 33 #define GRANT_INVALID_REF 0 34 #endif 35 36 struct gntdev_dmabuf { 37 struct gntdev_dmabuf_priv *priv; 38 struct dma_buf *dmabuf; 39 struct list_head next; 40 int fd; 41 42 union { 43 struct { 44 /* Exported buffers are reference counted. */ 45 struct kref refcount; 46 47 struct gntdev_priv *priv; 48 struct gntdev_grant_map *map; 49 } exp; 50 struct { 51 /* Granted references of the imported buffer. */ 52 grant_ref_t *refs; 53 /* Scatter-gather table of the imported buffer. */ 54 struct sg_table *sgt; 55 /* dma-buf attachment of the imported buffer. */ 56 struct dma_buf_attachment *attach; 57 } imp; 58 } u; 59 60 /* Number of pages this buffer has. */ 61 int nr_pages; 62 /* Pages of this buffer. */ 63 struct page **pages; 64 }; 65 66 struct gntdev_dmabuf_wait_obj { 67 struct list_head next; 68 struct gntdev_dmabuf *gntdev_dmabuf; 69 struct completion completion; 70 }; 71 72 struct gntdev_dmabuf_attachment { 73 struct sg_table *sgt; 74 enum dma_data_direction dir; 75 }; 76 77 struct gntdev_dmabuf_priv { 78 /* List of exported DMA buffers. */ 79 struct list_head exp_list; 80 /* List of wait objects. */ 81 struct list_head exp_wait_list; 82 /* List of imported DMA buffers. */ 83 struct list_head imp_list; 84 /* This is the lock which protects dma_buf_xxx lists. */ 85 struct mutex lock; 86 /* 87 * We reference this file while exporting dma-bufs, so 88 * the grant device context is not destroyed while there are 89 * external users alive. 90 */ 91 struct file *filp; 92 }; 93 94 /* DMA buffer export support. */ 95 96 /* Implementation of wait for exported DMA buffer to be released. */ 97 98 static void dmabuf_exp_release(struct kref *kref); 99 100 static struct gntdev_dmabuf_wait_obj * 101 dmabuf_exp_wait_obj_new(struct gntdev_dmabuf_priv *priv, 102 struct gntdev_dmabuf *gntdev_dmabuf) 103 { 104 struct gntdev_dmabuf_wait_obj *obj; 105 106 obj = kzalloc(sizeof(*obj), GFP_KERNEL); 107 if (!obj) 108 return ERR_PTR(-ENOMEM); 109 110 init_completion(&obj->completion); 111 obj->gntdev_dmabuf = gntdev_dmabuf; 112 113 mutex_lock(&priv->lock); 114 list_add(&obj->next, &priv->exp_wait_list); 115 /* Put our reference and wait for gntdev_dmabuf's release to fire. */ 116 kref_put(&gntdev_dmabuf->u.exp.refcount, dmabuf_exp_release); 117 mutex_unlock(&priv->lock); 118 return obj; 119 } 120 121 static void dmabuf_exp_wait_obj_free(struct gntdev_dmabuf_priv *priv, 122 struct gntdev_dmabuf_wait_obj *obj) 123 { 124 mutex_lock(&priv->lock); 125 list_del(&obj->next); 126 mutex_unlock(&priv->lock); 127 kfree(obj); 128 } 129 130 static int dmabuf_exp_wait_obj_wait(struct gntdev_dmabuf_wait_obj *obj, 131 u32 wait_to_ms) 132 { 133 if (wait_for_completion_timeout(&obj->completion, 134 msecs_to_jiffies(wait_to_ms)) <= 0) 135 return -ETIMEDOUT; 136 137 return 0; 138 } 139 140 static void dmabuf_exp_wait_obj_signal(struct gntdev_dmabuf_priv *priv, 141 struct gntdev_dmabuf *gntdev_dmabuf) 142 { 143 struct gntdev_dmabuf_wait_obj *obj; 144 145 list_for_each_entry(obj, &priv->exp_wait_list, next) 146 if (obj->gntdev_dmabuf == gntdev_dmabuf) { 147 pr_debug("Found gntdev_dmabuf in the wait list, wake\n"); 148 complete_all(&obj->completion); 149 break; 150 } 151 } 152 153 static struct gntdev_dmabuf * 154 dmabuf_exp_wait_obj_get_dmabuf(struct gntdev_dmabuf_priv *priv, int fd) 155 { 156 struct gntdev_dmabuf *gntdev_dmabuf, *ret = ERR_PTR(-ENOENT); 157 158 mutex_lock(&priv->lock); 159 list_for_each_entry(gntdev_dmabuf, &priv->exp_list, next) 160 if (gntdev_dmabuf->fd == fd) { 161 pr_debug("Found gntdev_dmabuf in the wait list\n"); 162 kref_get(&gntdev_dmabuf->u.exp.refcount); 163 ret = gntdev_dmabuf; 164 break; 165 } 166 mutex_unlock(&priv->lock); 167 return ret; 168 } 169 170 static int dmabuf_exp_wait_released(struct gntdev_dmabuf_priv *priv, int fd, 171 int wait_to_ms) 172 { 173 struct gntdev_dmabuf *gntdev_dmabuf; 174 struct gntdev_dmabuf_wait_obj *obj; 175 int ret; 176 177 pr_debug("Will wait for dma-buf with fd %d\n", fd); 178 /* 179 * Try to find the DMA buffer: if not found means that 180 * either the buffer has already been released or file descriptor 181 * provided is wrong. 182 */ 183 gntdev_dmabuf = dmabuf_exp_wait_obj_get_dmabuf(priv, fd); 184 if (IS_ERR(gntdev_dmabuf)) 185 return PTR_ERR(gntdev_dmabuf); 186 187 /* 188 * gntdev_dmabuf still exists and is reference count locked by us now, 189 * so prepare to wait: allocate wait object and add it to the wait list, 190 * so we can find it on release. 191 */ 192 obj = dmabuf_exp_wait_obj_new(priv, gntdev_dmabuf); 193 if (IS_ERR(obj)) 194 return PTR_ERR(obj); 195 196 ret = dmabuf_exp_wait_obj_wait(obj, wait_to_ms); 197 dmabuf_exp_wait_obj_free(priv, obj); 198 return ret; 199 } 200 201 /* DMA buffer export support. */ 202 203 static struct sg_table * 204 dmabuf_pages_to_sgt(struct page **pages, unsigned int nr_pages) 205 { 206 struct sg_table *sgt; 207 int ret; 208 209 sgt = kmalloc(sizeof(*sgt), GFP_KERNEL); 210 if (!sgt) { 211 ret = -ENOMEM; 212 goto out; 213 } 214 215 ret = sg_alloc_table_from_pages(sgt, pages, nr_pages, 0, 216 nr_pages << PAGE_SHIFT, 217 GFP_KERNEL); 218 if (ret) 219 goto out; 220 221 return sgt; 222 223 out: 224 kfree(sgt); 225 return ERR_PTR(ret); 226 } 227 228 static int dmabuf_exp_ops_attach(struct dma_buf *dma_buf, 229 struct dma_buf_attachment *attach) 230 { 231 struct gntdev_dmabuf_attachment *gntdev_dmabuf_attach; 232 233 gntdev_dmabuf_attach = kzalloc(sizeof(*gntdev_dmabuf_attach), 234 GFP_KERNEL); 235 if (!gntdev_dmabuf_attach) 236 return -ENOMEM; 237 238 gntdev_dmabuf_attach->dir = DMA_NONE; 239 attach->priv = gntdev_dmabuf_attach; 240 return 0; 241 } 242 243 static void dmabuf_exp_ops_detach(struct dma_buf *dma_buf, 244 struct dma_buf_attachment *attach) 245 { 246 struct gntdev_dmabuf_attachment *gntdev_dmabuf_attach = attach->priv; 247 248 if (gntdev_dmabuf_attach) { 249 struct sg_table *sgt = gntdev_dmabuf_attach->sgt; 250 251 if (sgt) { 252 if (gntdev_dmabuf_attach->dir != DMA_NONE) 253 dma_unmap_sgtable(attach->dev, sgt, 254 gntdev_dmabuf_attach->dir, 255 DMA_ATTR_SKIP_CPU_SYNC); 256 sg_free_table(sgt); 257 } 258 259 kfree(sgt); 260 kfree(gntdev_dmabuf_attach); 261 attach->priv = NULL; 262 } 263 } 264 265 static struct sg_table * 266 dmabuf_exp_ops_map_dma_buf(struct dma_buf_attachment *attach, 267 enum dma_data_direction dir) 268 { 269 struct gntdev_dmabuf_attachment *gntdev_dmabuf_attach = attach->priv; 270 struct gntdev_dmabuf *gntdev_dmabuf = attach->dmabuf->priv; 271 struct sg_table *sgt; 272 273 pr_debug("Mapping %d pages for dev %p\n", gntdev_dmabuf->nr_pages, 274 attach->dev); 275 276 if (dir == DMA_NONE || !gntdev_dmabuf_attach) 277 return ERR_PTR(-EINVAL); 278 279 /* Return the cached mapping when possible. */ 280 if (gntdev_dmabuf_attach->dir == dir) 281 return gntdev_dmabuf_attach->sgt; 282 283 /* 284 * Two mappings with different directions for the same attachment are 285 * not allowed. 286 */ 287 if (gntdev_dmabuf_attach->dir != DMA_NONE) 288 return ERR_PTR(-EBUSY); 289 290 sgt = dmabuf_pages_to_sgt(gntdev_dmabuf->pages, 291 gntdev_dmabuf->nr_pages); 292 if (!IS_ERR(sgt)) { 293 if (dma_map_sgtable(attach->dev, sgt, dir, 294 DMA_ATTR_SKIP_CPU_SYNC)) { 295 sg_free_table(sgt); 296 kfree(sgt); 297 sgt = ERR_PTR(-ENOMEM); 298 } else { 299 gntdev_dmabuf_attach->sgt = sgt; 300 gntdev_dmabuf_attach->dir = dir; 301 } 302 } 303 if (IS_ERR(sgt)) 304 pr_debug("Failed to map sg table for dev %p\n", attach->dev); 305 return sgt; 306 } 307 308 static void dmabuf_exp_ops_unmap_dma_buf(struct dma_buf_attachment *attach, 309 struct sg_table *sgt, 310 enum dma_data_direction dir) 311 { 312 /* Not implemented. The unmap is done at dmabuf_exp_ops_detach(). */ 313 } 314 315 static void dmabuf_exp_release(struct kref *kref) 316 { 317 struct gntdev_dmabuf *gntdev_dmabuf = 318 container_of(kref, struct gntdev_dmabuf, u.exp.refcount); 319 320 dmabuf_exp_wait_obj_signal(gntdev_dmabuf->priv, gntdev_dmabuf); 321 list_del(&gntdev_dmabuf->next); 322 fput(gntdev_dmabuf->priv->filp); 323 kfree(gntdev_dmabuf); 324 } 325 326 static void dmabuf_exp_remove_map(struct gntdev_priv *priv, 327 struct gntdev_grant_map *map) 328 { 329 mutex_lock(&priv->lock); 330 list_del(&map->next); 331 gntdev_put_map(NULL /* already removed */, map); 332 mutex_unlock(&priv->lock); 333 } 334 335 static void dmabuf_exp_ops_release(struct dma_buf *dma_buf) 336 { 337 struct gntdev_dmabuf *gntdev_dmabuf = dma_buf->priv; 338 struct gntdev_dmabuf_priv *priv = gntdev_dmabuf->priv; 339 340 dmabuf_exp_remove_map(gntdev_dmabuf->u.exp.priv, 341 gntdev_dmabuf->u.exp.map); 342 mutex_lock(&priv->lock); 343 kref_put(&gntdev_dmabuf->u.exp.refcount, dmabuf_exp_release); 344 mutex_unlock(&priv->lock); 345 } 346 347 static const struct dma_buf_ops dmabuf_exp_ops = { 348 .attach = dmabuf_exp_ops_attach, 349 .detach = dmabuf_exp_ops_detach, 350 .map_dma_buf = dmabuf_exp_ops_map_dma_buf, 351 .unmap_dma_buf = dmabuf_exp_ops_unmap_dma_buf, 352 .release = dmabuf_exp_ops_release, 353 }; 354 355 struct gntdev_dmabuf_export_args { 356 struct gntdev_priv *priv; 357 struct gntdev_grant_map *map; 358 struct gntdev_dmabuf_priv *dmabuf_priv; 359 struct device *dev; 360 int count; 361 struct page **pages; 362 u32 fd; 363 }; 364 365 static int dmabuf_exp_from_pages(struct gntdev_dmabuf_export_args *args) 366 { 367 DEFINE_DMA_BUF_EXPORT_INFO(exp_info); 368 struct gntdev_dmabuf *gntdev_dmabuf; 369 int ret; 370 371 gntdev_dmabuf = kzalloc(sizeof(*gntdev_dmabuf), GFP_KERNEL); 372 if (!gntdev_dmabuf) 373 return -ENOMEM; 374 375 kref_init(&gntdev_dmabuf->u.exp.refcount); 376 377 gntdev_dmabuf->priv = args->dmabuf_priv; 378 gntdev_dmabuf->nr_pages = args->count; 379 gntdev_dmabuf->pages = args->pages; 380 gntdev_dmabuf->u.exp.priv = args->priv; 381 gntdev_dmabuf->u.exp.map = args->map; 382 383 exp_info.exp_name = KBUILD_MODNAME; 384 if (args->dev->driver && args->dev->driver->owner) 385 exp_info.owner = args->dev->driver->owner; 386 else 387 exp_info.owner = THIS_MODULE; 388 exp_info.ops = &dmabuf_exp_ops; 389 exp_info.size = args->count << PAGE_SHIFT; 390 exp_info.flags = O_RDWR; 391 exp_info.priv = gntdev_dmabuf; 392 393 gntdev_dmabuf->dmabuf = dma_buf_export(&exp_info); 394 if (IS_ERR(gntdev_dmabuf->dmabuf)) { 395 ret = PTR_ERR(gntdev_dmabuf->dmabuf); 396 gntdev_dmabuf->dmabuf = NULL; 397 goto fail; 398 } 399 400 ret = dma_buf_fd(gntdev_dmabuf->dmabuf, O_CLOEXEC); 401 if (ret < 0) 402 goto fail; 403 404 gntdev_dmabuf->fd = ret; 405 args->fd = ret; 406 407 pr_debug("Exporting DMA buffer with fd %d\n", ret); 408 409 mutex_lock(&args->dmabuf_priv->lock); 410 list_add(&gntdev_dmabuf->next, &args->dmabuf_priv->exp_list); 411 mutex_unlock(&args->dmabuf_priv->lock); 412 get_file(gntdev_dmabuf->priv->filp); 413 return 0; 414 415 fail: 416 if (gntdev_dmabuf->dmabuf) 417 dma_buf_put(gntdev_dmabuf->dmabuf); 418 kfree(gntdev_dmabuf); 419 return ret; 420 } 421 422 static struct gntdev_grant_map * 423 dmabuf_exp_alloc_backing_storage(struct gntdev_priv *priv, int dmabuf_flags, 424 int count) 425 { 426 struct gntdev_grant_map *map; 427 428 if (unlikely(gntdev_test_page_count(count))) 429 return ERR_PTR(-EINVAL); 430 431 if ((dmabuf_flags & GNTDEV_DMA_FLAG_WC) && 432 (dmabuf_flags & GNTDEV_DMA_FLAG_COHERENT)) { 433 pr_debug("Wrong dma-buf flags: 0x%x\n", dmabuf_flags); 434 return ERR_PTR(-EINVAL); 435 } 436 437 map = gntdev_alloc_map(priv, count, dmabuf_flags); 438 if (!map) 439 return ERR_PTR(-ENOMEM); 440 441 return map; 442 } 443 444 static int dmabuf_exp_from_refs(struct gntdev_priv *priv, int flags, 445 int count, u32 domid, u32 *refs, u32 *fd) 446 { 447 struct gntdev_grant_map *map; 448 struct gntdev_dmabuf_export_args args; 449 int i, ret; 450 451 map = dmabuf_exp_alloc_backing_storage(priv, flags, count); 452 if (IS_ERR(map)) 453 return PTR_ERR(map); 454 455 for (i = 0; i < count; i++) { 456 map->grants[i].domid = domid; 457 map->grants[i].ref = refs[i]; 458 } 459 460 mutex_lock(&priv->lock); 461 gntdev_add_map(priv, map); 462 mutex_unlock(&priv->lock); 463 464 map->flags |= GNTMAP_host_map; 465 #if defined(CONFIG_X86) 466 map->flags |= GNTMAP_device_map; 467 #endif 468 469 ret = gntdev_map_grant_pages(map); 470 if (ret < 0) 471 goto out; 472 473 args.priv = priv; 474 args.map = map; 475 args.dev = priv->dma_dev; 476 args.dmabuf_priv = priv->dmabuf_priv; 477 args.count = map->count; 478 args.pages = map->pages; 479 args.fd = -1; /* Shut up unnecessary gcc warning for i386 */ 480 481 ret = dmabuf_exp_from_pages(&args); 482 if (ret < 0) 483 goto out; 484 485 *fd = args.fd; 486 return 0; 487 488 out: 489 dmabuf_exp_remove_map(priv, map); 490 return ret; 491 } 492 493 /* DMA buffer import support. */ 494 495 static int 496 dmabuf_imp_grant_foreign_access(struct page **pages, u32 *refs, 497 int count, int domid) 498 { 499 grant_ref_t priv_gref_head; 500 int i, ret; 501 502 ret = gnttab_alloc_grant_references(count, &priv_gref_head); 503 if (ret < 0) { 504 pr_debug("Cannot allocate grant references, ret %d\n", ret); 505 return ret; 506 } 507 508 for (i = 0; i < count; i++) { 509 int cur_ref; 510 511 cur_ref = gnttab_claim_grant_reference(&priv_gref_head); 512 if (cur_ref < 0) { 513 ret = cur_ref; 514 pr_debug("Cannot claim grant reference, ret %d\n", ret); 515 goto out; 516 } 517 518 gnttab_grant_foreign_access_ref(cur_ref, domid, 519 xen_page_to_gfn(pages[i]), 0); 520 refs[i] = cur_ref; 521 } 522 523 return 0; 524 525 out: 526 gnttab_free_grant_references(priv_gref_head); 527 return ret; 528 } 529 530 static void dmabuf_imp_end_foreign_access(u32 *refs, int count) 531 { 532 int i; 533 534 for (i = 0; i < count; i++) 535 if (refs[i] != GRANT_INVALID_REF) 536 gnttab_end_foreign_access(refs[i], 0, 0UL); 537 } 538 539 static void dmabuf_imp_free_storage(struct gntdev_dmabuf *gntdev_dmabuf) 540 { 541 kfree(gntdev_dmabuf->pages); 542 kfree(gntdev_dmabuf->u.imp.refs); 543 kfree(gntdev_dmabuf); 544 } 545 546 static struct gntdev_dmabuf *dmabuf_imp_alloc_storage(int count) 547 { 548 struct gntdev_dmabuf *gntdev_dmabuf; 549 int i; 550 551 gntdev_dmabuf = kzalloc(sizeof(*gntdev_dmabuf), GFP_KERNEL); 552 if (!gntdev_dmabuf) 553 goto fail_no_free; 554 555 gntdev_dmabuf->u.imp.refs = kcalloc(count, 556 sizeof(gntdev_dmabuf->u.imp.refs[0]), 557 GFP_KERNEL); 558 if (!gntdev_dmabuf->u.imp.refs) 559 goto fail; 560 561 gntdev_dmabuf->pages = kcalloc(count, 562 sizeof(gntdev_dmabuf->pages[0]), 563 GFP_KERNEL); 564 if (!gntdev_dmabuf->pages) 565 goto fail; 566 567 gntdev_dmabuf->nr_pages = count; 568 569 for (i = 0; i < count; i++) 570 gntdev_dmabuf->u.imp.refs[i] = GRANT_INVALID_REF; 571 572 return gntdev_dmabuf; 573 574 fail: 575 dmabuf_imp_free_storage(gntdev_dmabuf); 576 fail_no_free: 577 return ERR_PTR(-ENOMEM); 578 } 579 580 static struct gntdev_dmabuf * 581 dmabuf_imp_to_refs(struct gntdev_dmabuf_priv *priv, struct device *dev, 582 int fd, int count, int domid) 583 { 584 struct gntdev_dmabuf *gntdev_dmabuf, *ret; 585 struct dma_buf *dma_buf; 586 struct dma_buf_attachment *attach; 587 struct sg_table *sgt; 588 struct sg_page_iter sg_iter; 589 int i; 590 591 dma_buf = dma_buf_get(fd); 592 if (IS_ERR(dma_buf)) 593 return ERR_CAST(dma_buf); 594 595 gntdev_dmabuf = dmabuf_imp_alloc_storage(count); 596 if (IS_ERR(gntdev_dmabuf)) { 597 ret = gntdev_dmabuf; 598 goto fail_put; 599 } 600 601 gntdev_dmabuf->priv = priv; 602 gntdev_dmabuf->fd = fd; 603 604 attach = dma_buf_attach(dma_buf, dev); 605 if (IS_ERR(attach)) { 606 ret = ERR_CAST(attach); 607 goto fail_free_obj; 608 } 609 610 gntdev_dmabuf->u.imp.attach = attach; 611 612 sgt = dma_buf_map_attachment(attach, DMA_BIDIRECTIONAL); 613 if (IS_ERR(sgt)) { 614 ret = ERR_CAST(sgt); 615 goto fail_detach; 616 } 617 618 /* Check that we have zero offset. */ 619 if (sgt->sgl->offset) { 620 ret = ERR_PTR(-EINVAL); 621 pr_debug("DMA buffer has %d bytes offset, user-space expects 0\n", 622 sgt->sgl->offset); 623 goto fail_unmap; 624 } 625 626 /* Check number of pages that imported buffer has. */ 627 if (attach->dmabuf->size != gntdev_dmabuf->nr_pages << PAGE_SHIFT) { 628 ret = ERR_PTR(-EINVAL); 629 pr_debug("DMA buffer has %zu pages, user-space expects %d\n", 630 attach->dmabuf->size, gntdev_dmabuf->nr_pages); 631 goto fail_unmap; 632 } 633 634 gntdev_dmabuf->u.imp.sgt = sgt; 635 636 /* Now convert sgt to array of pages and check for page validity. */ 637 i = 0; 638 for_each_sgtable_page(sgt, &sg_iter, 0) { 639 struct page *page = sg_page_iter_page(&sg_iter); 640 /* 641 * Check if page is valid: this can happen if we are given 642 * a page from VRAM or other resources which are not backed 643 * by a struct page. 644 */ 645 if (!pfn_valid(page_to_pfn(page))) { 646 ret = ERR_PTR(-EINVAL); 647 goto fail_unmap; 648 } 649 650 gntdev_dmabuf->pages[i++] = page; 651 } 652 653 ret = ERR_PTR(dmabuf_imp_grant_foreign_access(gntdev_dmabuf->pages, 654 gntdev_dmabuf->u.imp.refs, 655 count, domid)); 656 if (IS_ERR(ret)) 657 goto fail_end_access; 658 659 pr_debug("Imported DMA buffer with fd %d\n", fd); 660 661 mutex_lock(&priv->lock); 662 list_add(&gntdev_dmabuf->next, &priv->imp_list); 663 mutex_unlock(&priv->lock); 664 665 return gntdev_dmabuf; 666 667 fail_end_access: 668 dmabuf_imp_end_foreign_access(gntdev_dmabuf->u.imp.refs, count); 669 fail_unmap: 670 dma_buf_unmap_attachment(attach, sgt, DMA_BIDIRECTIONAL); 671 fail_detach: 672 dma_buf_detach(dma_buf, attach); 673 fail_free_obj: 674 dmabuf_imp_free_storage(gntdev_dmabuf); 675 fail_put: 676 dma_buf_put(dma_buf); 677 return ret; 678 } 679 680 /* 681 * Find the hyper dma-buf by its file descriptor and remove 682 * it from the buffer's list. 683 */ 684 static struct gntdev_dmabuf * 685 dmabuf_imp_find_unlink(struct gntdev_dmabuf_priv *priv, int fd) 686 { 687 struct gntdev_dmabuf *q, *gntdev_dmabuf, *ret = ERR_PTR(-ENOENT); 688 689 mutex_lock(&priv->lock); 690 list_for_each_entry_safe(gntdev_dmabuf, q, &priv->imp_list, next) { 691 if (gntdev_dmabuf->fd == fd) { 692 pr_debug("Found gntdev_dmabuf in the import list\n"); 693 ret = gntdev_dmabuf; 694 list_del(&gntdev_dmabuf->next); 695 break; 696 } 697 } 698 mutex_unlock(&priv->lock); 699 return ret; 700 } 701 702 static int dmabuf_imp_release(struct gntdev_dmabuf_priv *priv, u32 fd) 703 { 704 struct gntdev_dmabuf *gntdev_dmabuf; 705 struct dma_buf_attachment *attach; 706 struct dma_buf *dma_buf; 707 708 gntdev_dmabuf = dmabuf_imp_find_unlink(priv, fd); 709 if (IS_ERR(gntdev_dmabuf)) 710 return PTR_ERR(gntdev_dmabuf); 711 712 pr_debug("Releasing DMA buffer with fd %d\n", fd); 713 714 dmabuf_imp_end_foreign_access(gntdev_dmabuf->u.imp.refs, 715 gntdev_dmabuf->nr_pages); 716 717 attach = gntdev_dmabuf->u.imp.attach; 718 719 if (gntdev_dmabuf->u.imp.sgt) 720 dma_buf_unmap_attachment(attach, gntdev_dmabuf->u.imp.sgt, 721 DMA_BIDIRECTIONAL); 722 dma_buf = attach->dmabuf; 723 dma_buf_detach(attach->dmabuf, attach); 724 dma_buf_put(dma_buf); 725 726 dmabuf_imp_free_storage(gntdev_dmabuf); 727 return 0; 728 } 729 730 static void dmabuf_imp_release_all(struct gntdev_dmabuf_priv *priv) 731 { 732 struct gntdev_dmabuf *q, *gntdev_dmabuf; 733 734 list_for_each_entry_safe(gntdev_dmabuf, q, &priv->imp_list, next) 735 dmabuf_imp_release(priv, gntdev_dmabuf->fd); 736 } 737 738 /* DMA buffer IOCTL support. */ 739 740 long gntdev_ioctl_dmabuf_exp_from_refs(struct gntdev_priv *priv, int use_ptemod, 741 struct ioctl_gntdev_dmabuf_exp_from_refs __user *u) 742 { 743 struct ioctl_gntdev_dmabuf_exp_from_refs op; 744 u32 *refs; 745 long ret; 746 747 if (use_ptemod) { 748 pr_debug("Cannot provide dma-buf: use_ptemode %d\n", 749 use_ptemod); 750 return -EINVAL; 751 } 752 753 if (copy_from_user(&op, u, sizeof(op)) != 0) 754 return -EFAULT; 755 756 if (unlikely(gntdev_test_page_count(op.count))) 757 return -EINVAL; 758 759 refs = kcalloc(op.count, sizeof(*refs), GFP_KERNEL); 760 if (!refs) 761 return -ENOMEM; 762 763 if (copy_from_user(refs, u->refs, sizeof(*refs) * op.count) != 0) { 764 ret = -EFAULT; 765 goto out; 766 } 767 768 ret = dmabuf_exp_from_refs(priv, op.flags, op.count, 769 op.domid, refs, &op.fd); 770 if (ret) 771 goto out; 772 773 if (copy_to_user(u, &op, sizeof(op)) != 0) 774 ret = -EFAULT; 775 776 out: 777 kfree(refs); 778 return ret; 779 } 780 781 long gntdev_ioctl_dmabuf_exp_wait_released(struct gntdev_priv *priv, 782 struct ioctl_gntdev_dmabuf_exp_wait_released __user *u) 783 { 784 struct ioctl_gntdev_dmabuf_exp_wait_released op; 785 786 if (copy_from_user(&op, u, sizeof(op)) != 0) 787 return -EFAULT; 788 789 return dmabuf_exp_wait_released(priv->dmabuf_priv, op.fd, 790 op.wait_to_ms); 791 } 792 793 long gntdev_ioctl_dmabuf_imp_to_refs(struct gntdev_priv *priv, 794 struct ioctl_gntdev_dmabuf_imp_to_refs __user *u) 795 { 796 struct ioctl_gntdev_dmabuf_imp_to_refs op; 797 struct gntdev_dmabuf *gntdev_dmabuf; 798 long ret; 799 800 if (copy_from_user(&op, u, sizeof(op)) != 0) 801 return -EFAULT; 802 803 if (unlikely(gntdev_test_page_count(op.count))) 804 return -EINVAL; 805 806 gntdev_dmabuf = dmabuf_imp_to_refs(priv->dmabuf_priv, 807 priv->dma_dev, op.fd, 808 op.count, op.domid); 809 if (IS_ERR(gntdev_dmabuf)) 810 return PTR_ERR(gntdev_dmabuf); 811 812 if (copy_to_user(u->refs, gntdev_dmabuf->u.imp.refs, 813 sizeof(*u->refs) * op.count) != 0) { 814 ret = -EFAULT; 815 goto out_release; 816 } 817 return 0; 818 819 out_release: 820 dmabuf_imp_release(priv->dmabuf_priv, op.fd); 821 return ret; 822 } 823 824 long gntdev_ioctl_dmabuf_imp_release(struct gntdev_priv *priv, 825 struct ioctl_gntdev_dmabuf_imp_release __user *u) 826 { 827 struct ioctl_gntdev_dmabuf_imp_release op; 828 829 if (copy_from_user(&op, u, sizeof(op)) != 0) 830 return -EFAULT; 831 832 return dmabuf_imp_release(priv->dmabuf_priv, op.fd); 833 } 834 835 struct gntdev_dmabuf_priv *gntdev_dmabuf_init(struct file *filp) 836 { 837 struct gntdev_dmabuf_priv *priv; 838 839 priv = kzalloc(sizeof(*priv), GFP_KERNEL); 840 if (!priv) 841 return ERR_PTR(-ENOMEM); 842 843 mutex_init(&priv->lock); 844 INIT_LIST_HEAD(&priv->exp_list); 845 INIT_LIST_HEAD(&priv->exp_wait_list); 846 INIT_LIST_HEAD(&priv->imp_list); 847 848 priv->filp = filp; 849 850 return priv; 851 } 852 853 void gntdev_dmabuf_fini(struct gntdev_dmabuf_priv *priv) 854 { 855 dmabuf_imp_release_all(priv); 856 kfree(priv); 857 } 858