1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Framework for userspace DMA-BUF allocations
4 *
5 * Copyright (C) 2011 Google, Inc.
6 * Copyright (C) 2019 Linaro Ltd.
7 */
8
9 #include <linux/cdev.h>
10 #include <linux/debugfs.h>
11 #include <linux/device.h>
12 #include <linux/dma-buf.h>
13 #include <linux/err.h>
14 #include <linux/xarray.h>
15 #include <linux/list.h>
16 #include <linux/slab.h>
17 #include <linux/nospec.h>
18 #include <linux/uaccess.h>
19 #include <linux/syscalls.h>
20 #include <linux/dma-heap.h>
21 #include <uapi/linux/dma-heap.h>
22
23 #include <trace/hooks/dmabuf.h>
24
25 #define DEVNAME "dma_heap"
26
27 #define NUM_HEAP_MINORS 128
28
29 /**
30 * struct dma_heap - represents a dmabuf heap in the system
31 * @name: used for debugging/device-node name
32 * @ops: ops struct for this heap
33 * @heap_devt heap device node
34 * @list list head connecting to list of heaps
35 * @heap_cdev heap char device
36 * @heap_dev heap device struct
37 *
38 * Represents a heap of memory from which buffers can be made.
39 */
40 struct dma_heap {
41 const char *name;
42 const struct dma_heap_ops *ops;
43 void *priv;
44 dev_t heap_devt;
45 struct list_head list;
46 struct cdev heap_cdev;
47 struct kref refcount;
48 struct device *heap_dev;
49 };
50
51 static LIST_HEAD(heap_list);
52 static DEFINE_MUTEX(heap_list_lock);
53 static dev_t dma_heap_devt;
54 static struct class *dma_heap_class;
55 static DEFINE_XARRAY_ALLOC(dma_heap_minors);
56
dma_heap_find(const char * name)57 struct dma_heap *dma_heap_find(const char *name)
58 {
59 struct dma_heap *h;
60
61 mutex_lock(&heap_list_lock);
62 list_for_each_entry(h, &heap_list, list) {
63 if (!strcmp(h->name, name)) {
64 kref_get(&h->refcount);
65 mutex_unlock(&heap_list_lock);
66 return h;
67 }
68 }
69 mutex_unlock(&heap_list_lock);
70 return NULL;
71 }
72 EXPORT_SYMBOL_GPL(dma_heap_find);
73
74
dma_heap_buffer_free(struct dma_buf * dmabuf)75 void dma_heap_buffer_free(struct dma_buf *dmabuf)
76 {
77 dma_buf_put(dmabuf);
78 }
79 EXPORT_SYMBOL_GPL(dma_heap_buffer_free);
80
dma_heap_buffer_alloc(struct dma_heap * heap,size_t len,unsigned int fd_flags,unsigned int heap_flags)81 struct dma_buf *dma_heap_buffer_alloc(struct dma_heap *heap, size_t len,
82 unsigned int fd_flags,
83 unsigned int heap_flags)
84 {
85 bool vh_valid = false;
86
87 trace_android_vh_dmabuf_heap_flags_validation(heap,
88 len, fd_flags, heap_flags, &vh_valid);
89
90 if (fd_flags & ~DMA_HEAP_VALID_FD_FLAGS)
91 return ERR_PTR(-EINVAL);
92
93 if (heap_flags & ~DMA_HEAP_VALID_HEAP_FLAGS && !vh_valid)
94 return ERR_PTR(-EINVAL);
95 /*
96 * Allocations from all heaps have to begin
97 * and end on page boundaries.
98 */
99 len = PAGE_ALIGN(len);
100 if (!len)
101 return ERR_PTR(-EINVAL);
102
103 return heap->ops->allocate(heap, len, fd_flags, heap_flags);
104 }
105 EXPORT_SYMBOL_GPL(dma_heap_buffer_alloc);
106
dma_heap_bufferfd_alloc(struct dma_heap * heap,size_t len,unsigned int fd_flags,unsigned int heap_flags)107 int dma_heap_bufferfd_alloc(struct dma_heap *heap, size_t len,
108 unsigned int fd_flags,
109 unsigned int heap_flags)
110 {
111 struct dma_buf *dmabuf;
112 int fd;
113
114 dmabuf = dma_heap_buffer_alloc(heap, len, fd_flags, heap_flags);
115
116 if (IS_ERR(dmabuf))
117 return PTR_ERR(dmabuf);
118
119 fd = dma_buf_fd(dmabuf, fd_flags);
120 if (fd < 0) {
121 dma_buf_put(dmabuf);
122 /* just return, as put will call release and that will free */
123 }
124 return fd;
125
126 }
127 EXPORT_SYMBOL_GPL(dma_heap_bufferfd_alloc);
128
dma_heap_open(struct inode * inode,struct file * file)129 static int dma_heap_open(struct inode *inode, struct file *file)
130 {
131 struct dma_heap *heap;
132
133 heap = xa_load(&dma_heap_minors, iminor(inode));
134 if (!heap) {
135 pr_err("dma_heap: minor %d unknown.\n", iminor(inode));
136 return -ENODEV;
137 }
138
139 /* instance data as context */
140 file->private_data = heap;
141 nonseekable_open(inode, file);
142
143 return 0;
144 }
145
dma_heap_ioctl_allocate(struct file * file,void * data)146 static long dma_heap_ioctl_allocate(struct file *file, void *data)
147 {
148 struct dma_heap_allocation_data *heap_allocation = data;
149 struct dma_heap *heap = file->private_data;
150 int fd;
151
152 if (heap_allocation->fd)
153 return -EINVAL;
154
155 fd = dma_heap_bufferfd_alloc(heap, heap_allocation->len,
156 heap_allocation->fd_flags,
157 heap_allocation->heap_flags);
158 if (fd < 0)
159 return fd;
160
161 heap_allocation->fd = fd;
162
163 return 0;
164 }
165
166 static unsigned int dma_heap_ioctl_cmds[] = {
167 DMA_HEAP_IOCTL_ALLOC,
168 };
169
dma_heap_ioctl(struct file * file,unsigned int ucmd,unsigned long arg)170 static long dma_heap_ioctl(struct file *file, unsigned int ucmd,
171 unsigned long arg)
172 {
173 char stack_kdata[128];
174 char *kdata = stack_kdata;
175 unsigned int kcmd;
176 unsigned int in_size, out_size, drv_size, ksize;
177 int nr = _IOC_NR(ucmd);
178 int ret = 0;
179
180 if (nr >= ARRAY_SIZE(dma_heap_ioctl_cmds))
181 return -EINVAL;
182
183 nr = array_index_nospec(nr, ARRAY_SIZE(dma_heap_ioctl_cmds));
184 /* Get the kernel ioctl cmd that matches */
185 kcmd = dma_heap_ioctl_cmds[nr];
186
187 /* Figure out the delta between user cmd size and kernel cmd size */
188 drv_size = _IOC_SIZE(kcmd);
189 out_size = _IOC_SIZE(ucmd);
190 in_size = out_size;
191 if ((ucmd & kcmd & IOC_IN) == 0)
192 in_size = 0;
193 if ((ucmd & kcmd & IOC_OUT) == 0)
194 out_size = 0;
195 ksize = max(max(in_size, out_size), drv_size);
196
197 /* If necessary, allocate buffer for ioctl argument */
198 if (ksize > sizeof(stack_kdata)) {
199 kdata = kmalloc(ksize, GFP_KERNEL);
200 if (!kdata)
201 return -ENOMEM;
202 }
203
204 if (copy_from_user(kdata, (void __user *)arg, in_size) != 0) {
205 ret = -EFAULT;
206 goto err;
207 }
208
209 /* zero out any difference between the kernel/user structure size */
210 if (ksize > in_size)
211 memset(kdata + in_size, 0, ksize - in_size);
212
213 switch (kcmd) {
214 case DMA_HEAP_IOCTL_ALLOC:
215 ret = dma_heap_ioctl_allocate(file, kdata);
216 break;
217 default:
218 ret = -ENOTTY;
219 goto err;
220 }
221
222 if (copy_to_user((void __user *)arg, kdata, out_size) != 0)
223 ret = -EFAULT;
224 err:
225 if (kdata != stack_kdata)
226 kfree(kdata);
227 return ret;
228 }
229
230 static const struct file_operations dma_heap_fops = {
231 .owner = THIS_MODULE,
232 .open = dma_heap_open,
233 .unlocked_ioctl = dma_heap_ioctl,
234 #ifdef CONFIG_COMPAT
235 .compat_ioctl = dma_heap_ioctl,
236 #endif
237 };
238
239 /**
240 * dma_heap_get_drvdata() - get per-subdriver data for the heap
241 * @heap: DMA-Heap to retrieve private data for
242 *
243 * Returns:
244 * The per-subdriver data for the heap.
245 */
dma_heap_get_drvdata(struct dma_heap * heap)246 void *dma_heap_get_drvdata(struct dma_heap *heap)
247 {
248 return heap->priv;
249 }
250 EXPORT_SYMBOL_GPL(dma_heap_get_drvdata);
251
dma_heap_release(struct kref * ref)252 static void dma_heap_release(struct kref *ref)
253 {
254 struct dma_heap *heap = container_of(ref, struct dma_heap, refcount);
255 int minor = MINOR(heap->heap_devt);
256
257 /* Note, we already holding the heap_list_lock here */
258 list_del(&heap->list);
259
260 device_destroy(dma_heap_class, heap->heap_devt);
261 cdev_del(&heap->heap_cdev);
262 xa_erase(&dma_heap_minors, minor);
263
264 kfree(heap);
265 }
266
dma_heap_put(struct dma_heap * h)267 void dma_heap_put(struct dma_heap *h)
268 {
269 /*
270 * Take the heap_list_lock now to avoid racing with code
271 * scanning the list and then taking a kref.
272 */
273 mutex_lock(&heap_list_lock);
274 kref_put(&h->refcount, dma_heap_release);
275 mutex_unlock(&heap_list_lock);
276 }
277 EXPORT_SYMBOL_GPL(dma_heap_put);
278
279 /**
280 * dma_heap_get_dev() - get device struct for the heap
281 * @heap: DMA-Heap to retrieve device struct from
282 *
283 * Returns:
284 * The device struct for the heap.
285 */
dma_heap_get_dev(struct dma_heap * heap)286 struct device *dma_heap_get_dev(struct dma_heap *heap)
287 {
288 return heap->heap_dev;
289 }
290 EXPORT_SYMBOL_GPL(dma_heap_get_dev);
291
292 /**
293 * dma_heap_get_name() - get heap name
294 * @heap: DMA-Heap to retrieve private data for
295 *
296 * Returns:
297 * The char* for the heap name.
298 */
dma_heap_get_name(struct dma_heap * heap)299 const char *dma_heap_get_name(struct dma_heap *heap)
300 {
301 return heap->name;
302 }
303 EXPORT_SYMBOL_GPL(dma_heap_get_name);
304
dma_heap_add(const struct dma_heap_export_info * exp_info)305 struct dma_heap *dma_heap_add(const struct dma_heap_export_info *exp_info)
306 {
307 struct dma_heap *heap, *h, *err_ret;
308 unsigned int minor;
309 int ret;
310
311 if (!exp_info->name || !strcmp(exp_info->name, "")) {
312 pr_err("dma_heap: Cannot add heap without a name\n");
313 return ERR_PTR(-EINVAL);
314 }
315
316 if (!exp_info->ops || !exp_info->ops->allocate) {
317 pr_err("dma_heap: Cannot add heap with invalid ops struct\n");
318 return ERR_PTR(-EINVAL);
319 }
320
321 heap = kzalloc(sizeof(*heap), GFP_KERNEL);
322 if (!heap)
323 return ERR_PTR(-ENOMEM);
324
325 kref_init(&heap->refcount);
326 heap->name = exp_info->name;
327 heap->ops = exp_info->ops;
328 heap->priv = exp_info->priv;
329
330 /* Find unused minor number */
331 ret = xa_alloc(&dma_heap_minors, &minor, heap,
332 XA_LIMIT(0, NUM_HEAP_MINORS - 1), GFP_KERNEL);
333 if (ret < 0) {
334 pr_err("dma_heap: Unable to get minor number for heap\n");
335 err_ret = ERR_PTR(ret);
336 goto err0;
337 }
338
339 /* Create device */
340 heap->heap_devt = MKDEV(MAJOR(dma_heap_devt), minor);
341
342 cdev_init(&heap->heap_cdev, &dma_heap_fops);
343 ret = cdev_add(&heap->heap_cdev, heap->heap_devt, 1);
344 if (ret < 0) {
345 pr_err("dma_heap: Unable to add char device\n");
346 err_ret = ERR_PTR(ret);
347 goto err1;
348 }
349
350 heap->heap_dev = device_create(dma_heap_class,
351 NULL,
352 heap->heap_devt,
353 NULL,
354 heap->name);
355 if (IS_ERR(heap->heap_dev)) {
356 pr_err("dma_heap: Unable to create device\n");
357 err_ret = ERR_CAST(heap->heap_dev);
358 goto err2;
359 }
360
361 /* Make sure it doesn't disappear on us */
362 heap->heap_dev = get_device(heap->heap_dev);
363
364 mutex_lock(&heap_list_lock);
365 /* check the name is unique */
366 list_for_each_entry(h, &heap_list, list) {
367 if (!strcmp(h->name, exp_info->name)) {
368 mutex_unlock(&heap_list_lock);
369 pr_err("dma_heap: Already registered heap named %s\n",
370 exp_info->name);
371 err_ret = ERR_PTR(-EINVAL);
372 put_device(heap->heap_dev);
373 goto err3;
374 }
375 }
376
377 /* Add heap to the list */
378 list_add(&heap->list, &heap_list);
379 mutex_unlock(&heap_list_lock);
380
381 return heap;
382
383 err3:
384 device_destroy(dma_heap_class, heap->heap_devt);
385 err2:
386 cdev_del(&heap->heap_cdev);
387 err1:
388 xa_erase(&dma_heap_minors, minor);
389 err0:
390 kfree(heap);
391 return err_ret;
392 }
393 EXPORT_SYMBOL_GPL(dma_heap_add);
394
dma_heap_devnode(struct device * dev,umode_t * mode)395 static char *dma_heap_devnode(struct device *dev, umode_t *mode)
396 {
397 return kasprintf(GFP_KERNEL, "dma_heap/%s", dev_name(dev));
398 }
399
total_pools_kb_show(struct kobject * kobj,struct kobj_attribute * attr,char * buf)400 static ssize_t total_pools_kb_show(struct kobject *kobj,
401 struct kobj_attribute *attr, char *buf)
402 {
403 struct dma_heap *heap;
404 u64 total_pool_size = 0;
405
406 mutex_lock(&heap_list_lock);
407 list_for_each_entry(heap, &heap_list, list) {
408 if (heap->ops->get_pool_size)
409 total_pool_size += heap->ops->get_pool_size(heap);
410 }
411 mutex_unlock(&heap_list_lock);
412
413 return sysfs_emit(buf, "%llu\n", total_pool_size / 1024);
414 }
415
416 static struct kobj_attribute total_pools_kb_attr =
417 __ATTR_RO(total_pools_kb);
418
419 static struct attribute *dma_heap_sysfs_attrs[] = {
420 &total_pools_kb_attr.attr,
421 NULL,
422 };
423
424 ATTRIBUTE_GROUPS(dma_heap_sysfs);
425
426 static struct kobject *dma_heap_kobject;
427
dma_heap_sysfs_setup(void)428 static int dma_heap_sysfs_setup(void)
429 {
430 int ret;
431
432 dma_heap_kobject = kobject_create_and_add("dma_heap", kernel_kobj);
433 if (!dma_heap_kobject)
434 return -ENOMEM;
435
436 ret = sysfs_create_groups(dma_heap_kobject, dma_heap_sysfs_groups);
437 if (ret) {
438 kobject_put(dma_heap_kobject);
439 return ret;
440 }
441
442 return 0;
443 }
444
dma_heap_sysfs_teardown(void)445 static void dma_heap_sysfs_teardown(void)
446 {
447 kobject_put(dma_heap_kobject);
448 }
449
dma_heap_init(void)450 static int dma_heap_init(void)
451 {
452 int ret;
453
454 ret = dma_heap_sysfs_setup();
455 if (ret)
456 return ret;
457
458 ret = alloc_chrdev_region(&dma_heap_devt, 0, NUM_HEAP_MINORS, DEVNAME);
459 if (ret)
460 goto err_chrdev;
461
462 dma_heap_class = class_create(THIS_MODULE, DEVNAME);
463 if (IS_ERR(dma_heap_class)) {
464 ret = PTR_ERR(dma_heap_class);
465 goto err_class;
466 }
467 dma_heap_class->devnode = dma_heap_devnode;
468
469 return 0;
470
471 err_class:
472 unregister_chrdev_region(dma_heap_devt, NUM_HEAP_MINORS);
473 err_chrdev:
474 dma_heap_sysfs_teardown();
475 return ret;
476 }
477 subsys_initcall(dma_heap_init);
478