1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Sync File validation framework
4 *
5 * Copyright (C) 2012 Google, Inc.
6 */
7
8 #include <linux/file.h>
9 #include <linux/fs.h>
10 #include <linux/miscdevice.h>
11 #include <linux/module.h>
12 #include <linux/uaccess.h>
13 #include <linux/slab.h>
14 #include <linux/sync_file.h>
15
16 #include "sync_debug.h"
17
18 #define CREATE_TRACE_POINTS
19 #include "sync_trace.h"
20
21 /*
22 * SW SYNC validation framework
23 *
24 * A sync object driver that uses a 32bit counter to coordinate
25 * synchronization. Useful when there is no hardware primitive backing
26 * the synchronization.
27 *
28 * To start the framework just open:
29 *
30 * <debugfs>/sync/sw_sync
31 *
32 * That will create a sync timeline, all fences created under this timeline
33 * file descriptor will belong to the this timeline.
34 *
35 * The 'sw_sync' file can be opened many times as to create different
36 * timelines.
37 *
38 * Fences can be created with SW_SYNC_IOC_CREATE_FENCE ioctl with struct
39 * sw_sync_create_fence_data as parameter.
40 *
41 * To increment the timeline counter, SW_SYNC_IOC_INC ioctl should be used
42 * with the increment as u32. This will update the last signaled value
43 * from the timeline and signal any fence that has a seqno smaller or equal
44 * to it.
45 *
46 * struct sw_sync_create_fence_data
47 * @value: the seqno to initialise the fence with
48 * @name: the name of the new sync point
49 * @fence: return the fd of the new sync_file with the created fence
50 */
51 struct sw_sync_create_fence_data {
52 __u32 value;
53 char name[32];
54 __s32 fence; /* fd of new fence */
55 };
56
57 #define SW_SYNC_IOC_MAGIC 'W'
58
59 #define SW_SYNC_IOC_CREATE_FENCE _IOWR(SW_SYNC_IOC_MAGIC, 0, struct sw_sync_create_fence_data)
60
61 #define SW_SYNC_IOC_INC _IOW(SW_SYNC_IOC_MAGIC, 1, __u32)
62
63 static const struct dma_fence_ops timeline_fence_ops;
64
dma_fence_to_sync_pt(struct dma_fence * fence)65 static inline struct sync_pt *dma_fence_to_sync_pt(struct dma_fence *fence)
66 {
67 if (fence->ops != &timeline_fence_ops) {
68 return NULL;
69 }
70 return container_of(fence, struct sync_pt, base);
71 }
72
73 /**
74 * sync_timeline_create() - creates a sync object
75 * @name: sync_timeline name
76 *
77 * Creates a new sync_timeline. Returns the sync_timeline object or NULL in
78 * case of error.
79 */
sync_timeline_create(const char * name)80 static struct sync_timeline *sync_timeline_create(const char *name)
81 {
82 struct sync_timeline *obj;
83
84 obj = kzalloc(sizeof(*obj), GFP_KERNEL);
85 if (!obj) {
86 return NULL;
87 }
88
89 kref_init(&obj->kref);
90 obj->context = dma_fence_context_alloc(1);
91 strlcpy(obj->name, name, sizeof(obj->name));
92
93 obj->pt_tree = RB_ROOT;
94 INIT_LIST_HEAD(&obj->pt_list);
95 spin_lock_init(&obj->lock);
96
97 sync_timeline_debug_add(obj);
98
99 return obj;
100 }
101
sync_timeline_free(struct kref * kref)102 static void sync_timeline_free(struct kref *kref)
103 {
104 struct sync_timeline *obj = container_of(kref, struct sync_timeline, kref);
105
106 sync_timeline_debug_remove(obj);
107
108 kfree(obj);
109 }
110
sync_timeline_get(struct sync_timeline * obj)111 static void sync_timeline_get(struct sync_timeline *obj)
112 {
113 kref_get(&obj->kref);
114 }
115
sync_timeline_put(struct sync_timeline * obj)116 static void sync_timeline_put(struct sync_timeline *obj)
117 {
118 kref_put(&obj->kref, sync_timeline_free);
119 }
120
timeline_fence_get_driver_name(struct dma_fence * fence)121 static const char *timeline_fence_get_driver_name(struct dma_fence *fence)
122 {
123 return "sw_sync";
124 }
125
timeline_fence_get_timeline_name(struct dma_fence * fence)126 static const char *timeline_fence_get_timeline_name(struct dma_fence *fence)
127 {
128 struct sync_timeline *parent = dma_fence_parent(fence);
129
130 return parent->name;
131 }
132
timeline_fence_release(struct dma_fence * fence)133 static void timeline_fence_release(struct dma_fence *fence)
134 {
135 struct sync_pt *pt = dma_fence_to_sync_pt(fence);
136 struct sync_timeline *parent = dma_fence_parent(fence);
137 unsigned long flags;
138
139 spin_lock_irqsave(fence->lock, flags);
140 if (!list_empty(&pt->link)) {
141 list_del(&pt->link);
142 rb_erase(&pt->node, &parent->pt_tree);
143 }
144 spin_unlock_irqrestore(fence->lock, flags);
145
146 sync_timeline_put(parent);
147 dma_fence_free(fence);
148 }
149
timeline_fence_signaled(struct dma_fence * fence)150 static bool timeline_fence_signaled(struct dma_fence *fence)
151 {
152 struct sync_timeline *parent = dma_fence_parent(fence);
153
154 return !__dma_fence_is_later(fence->seqno, parent->value, fence->ops);
155 }
156
timeline_fence_enable_signaling(struct dma_fence * fence)157 static bool timeline_fence_enable_signaling(struct dma_fence *fence)
158 {
159 return true;
160 }
161
timeline_fence_value_str(struct dma_fence * fence,char * str,int size)162 static void timeline_fence_value_str(struct dma_fence *fence, char *str, int size)
163 {
164 int ret = 0;
165 ret = snprintf(str, size, "%lld", fence->seqno);
166 }
167
timeline_fence_timeline_value_str(struct dma_fence * fence,char * str,int size)168 static void timeline_fence_timeline_value_str(struct dma_fence *fence, char *str, int size)
169 {
170 struct sync_timeline *parent = dma_fence_parent(fence);
171 int ret = 0;
172 ret = snprintf(str, size, "%d", parent->value);
173 }
174
175 static const struct dma_fence_ops timeline_fence_ops = {
176 .get_driver_name = timeline_fence_get_driver_name,
177 .get_timeline_name = timeline_fence_get_timeline_name,
178 .enable_signaling = timeline_fence_enable_signaling,
179 .signaled = timeline_fence_signaled,
180 .release = timeline_fence_release,
181 .fence_value_str = timeline_fence_value_str,
182 .timeline_value_str = timeline_fence_timeline_value_str,
183 };
184
185 /**
186 * sync_timeline_signal() - signal a status change on a sync_timeline
187 * @obj: sync_timeline to signal
188 * @inc: num to increment on timeline->value
189 *
190 * A sync implementation should call this any time one of it's fences
191 * has signaled or has an error condition.
192 */
sync_timeline_signal(struct sync_timeline * obj,unsigned int inc)193 static void sync_timeline_signal(struct sync_timeline *obj, unsigned int inc)
194 {
195 struct sync_pt *pt, *next;
196
197 trace_sync_timeline(obj);
198
199 spin_lock_irq(&obj->lock);
200
201 obj->value += inc;
202
203 list_for_each_entry_safe(pt, next, &obj->pt_list, link)
204 {
205 if (!timeline_fence_signaled(&pt->base)) {
206 break;
207 }
208
209 list_del_init(&pt->link);
210 rb_erase(&pt->node, &obj->pt_tree);
211
212 /*
213 * A signal callback may release the last reference to this
214 * fence, causing it to be freed. That operation has to be
215 * last to avoid a use after free inside this loop, and must
216 * be after we remove the fence from the timeline in order to
217 * prevent deadlocking on timeline->lock inside
218 * timeline_fence_release().
219 */
220 dma_fence_signal_locked(&pt->base);
221 }
222
223 spin_unlock_irq(&obj->lock);
224 }
225
226 /**
227 * sync_pt_create() - creates a sync pt
228 * @obj: parent sync_timeline
229 * @value: value of the fence
230 *
231 * Creates a new sync_pt (fence) as a child of @parent. @size bytes will be
232 * allocated allowing for implementation specific data to be kept after
233 * the generic sync_timeline struct. Returns the sync_pt object or
234 * NULL in case of error.
235 */
sync_pt_create(struct sync_timeline * obj,unsigned int value)236 static struct sync_pt *sync_pt_create(struct sync_timeline *obj, unsigned int value)
237 {
238 struct sync_pt *pt;
239
240 pt = kzalloc(sizeof(*pt), GFP_KERNEL);
241 if (!pt) {
242 return NULL;
243 }
244
245 sync_timeline_get(obj);
246 dma_fence_init(&pt->base, &timeline_fence_ops, &obj->lock, obj->context, value);
247 INIT_LIST_HEAD(&pt->link);
248
249 spin_lock_irq(&obj->lock);
250 if (!dma_fence_is_signaled_locked(&pt->base)) {
251 struct rb_node **p = &obj->pt_tree.rb_node;
252 struct rb_node *parent = NULL;
253
254 while (*p) {
255 struct sync_pt *other;
256 int cmp;
257
258 parent = *p;
259 other = rb_entry(parent, typeof(*pt), node);
260 cmp = value - other->base.seqno;
261 if (cmp > 0) {
262 p = &parent->rb_right;
263 } else if (cmp < 0) {
264 p = &parent->rb_left;
265 } else {
266 if (dma_fence_get_rcu(&other->base)) {
267 sync_timeline_put(obj);
268 kfree(pt);
269 pt = other;
270 goto unlock;
271 }
272 p = &parent->rb_left;
273 }
274 }
275 rb_link_node(&pt->node, parent, p);
276 rb_insert_color(&pt->node, &obj->pt_tree);
277
278 parent = rb_next(&pt->node);
279 list_add_tail(&pt->link, parent ? &rb_entry(parent, typeof(*pt), node)->link : &obj->pt_list);
280 }
281 unlock:
282 spin_unlock_irq(&obj->lock);
283
284 return pt;
285 }
286
287 /*
288 * *WARNING*
289 *
290 * improper use of this can result in deadlocking kernel drivers from userspace.
291 */
292
293 /* opening sw_sync create a new sync obj */
sw_sync_debugfs_open(struct inode * inode,struct file * file)294 static int sw_sync_debugfs_open(struct inode *inode, struct file *file)
295 {
296 struct sync_timeline *obj;
297 char task_comm[TASK_COMM_LEN];
298
299 get_task_comm(task_comm, current);
300
301 obj = sync_timeline_create(task_comm);
302 if (!obj) {
303 return -ENOMEM;
304 }
305
306 file->private_data = obj;
307
308 return 0;
309 }
310
sw_sync_debugfs_release(struct inode * inode,struct file * file)311 static int sw_sync_debugfs_release(struct inode *inode, struct file *file)
312 {
313 struct sync_timeline *obj = file->private_data;
314 struct sync_pt *pt, *next;
315
316 spin_lock_irq(&obj->lock);
317
318 list_for_each_entry_safe(pt, next, &obj->pt_list, link)
319 {
320 dma_fence_set_error(&pt->base, -ENOENT);
321 dma_fence_signal_locked(&pt->base);
322 }
323
324 spin_unlock_irq(&obj->lock);
325
326 sync_timeline_put(obj);
327 return 0;
328 }
329
sw_sync_ioctl_create_fence(struct sync_timeline * obj,unsigned long arg)330 static long sw_sync_ioctl_create_fence(struct sync_timeline *obj, unsigned long arg)
331 {
332 int fd = get_unused_fd_flags(O_CLOEXEC);
333 int err;
334 struct sync_pt *pt;
335 struct sync_file *sync_file;
336 struct sw_sync_create_fence_data data;
337
338 if (fd < 0) {
339 return fd;
340 }
341
342 if (copy_from_user(&data, (void __user *)arg, sizeof(data))) {
343 err = -EFAULT;
344 goto err;
345 }
346
347 pt = sync_pt_create(obj, data.value);
348 if (!pt) {
349 err = -ENOMEM;
350 goto err;
351 }
352
353 sync_file = sync_file_create(&pt->base);
354 dma_fence_put(&pt->base);
355 if (!sync_file) {
356 err = -ENOMEM;
357 goto err;
358 }
359
360 data.fence = fd;
361 if (copy_to_user((void __user *)arg, &data, sizeof(data))) {
362 fput(sync_file->file);
363 err = -EFAULT;
364 goto err;
365 }
366
367 fd_install(fd, sync_file->file);
368
369 return 0;
370
371 err:
372 put_unused_fd(fd);
373 return err;
374 }
375
sw_sync_ioctl_inc(struct sync_timeline * obj,unsigned long arg)376 static long sw_sync_ioctl_inc(struct sync_timeline *obj, unsigned long arg)
377 {
378 u32 value;
379
380 if (copy_from_user(&value, (void __user *)arg, sizeof(value))) {
381 return -EFAULT;
382 }
383
384 while (value > INT_MAX) {
385 sync_timeline_signal(obj, INT_MAX);
386 value -= INT_MAX;
387 }
388
389 sync_timeline_signal(obj, value);
390
391 return 0;
392 }
393
sw_sync_ioctl(struct file * file,unsigned int cmd,unsigned long arg)394 static long sw_sync_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
395 {
396 struct sync_timeline *obj = file->private_data;
397
398 switch (cmd) {
399 case SW_SYNC_IOC_CREATE_FENCE:
400 return sw_sync_ioctl_create_fence(obj, arg);
401
402 case SW_SYNC_IOC_INC:
403 return sw_sync_ioctl_inc(obj, arg);
404
405 default:
406 return -ENOTTY;
407 }
408 }
409
410 const struct file_operations sw_sync_debugfs_fops = {
411 .open = sw_sync_debugfs_open,
412 .release = sw_sync_debugfs_release,
413 .unlocked_ioctl = sw_sync_ioctl,
414 .compat_ioctl = compat_ptr_ioctl,
415 };
416
417 static struct miscdevice sw_sync_dev = {
418 .minor = MISC_DYNAMIC_MINOR,
419 .name = "sw_sync",
420 .fops = &sw_sync_debugfs_fops,
421 };
422
423 module_misc_device(sw_sync_dev);
424
425 MODULE_LICENSE("GPL v2");
426