1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Framework for userspace DMA-BUF allocations
4 *
5 * Copyright (C) 2011 Google, Inc.
6 * Copyright (C) 2019 Linaro Ltd.
7 */
8
9 #include <linux/cdev.h>
10 #include <linux/debugfs.h>
11 #include <linux/device.h>
12 #include <linux/dma-buf.h>
13 #include <linux/err.h>
14 #include <linux/xarray.h>
15 #include <linux/list.h>
16 #include <linux/slab.h>
17 #include <linux/nospec.h>
18 #include <linux/uaccess.h>
19 #include <linux/syscalls.h>
20 #include <linux/dma-heap.h>
21 #include <linux/page_size_compat.h>
22 #include <uapi/linux/dma-heap.h>
23 #include <trace/hooks/dmabuf.h>
24
25 #define DEVNAME "dma_heap"
26
27 #define NUM_HEAP_MINORS 128
28
29 /**
30 * struct dma_heap - represents a dmabuf heap in the system
31 * @name: used for debugging/device-node name
32 * @ops: ops struct for this heap
33 * @heap_devt heap device node
34 * @list list head connecting to list of heaps
35 * @heap_cdev heap char device
36 * @heap_dev heap device struct
37 *
38 * Represents a heap of memory from which buffers can be made.
39 */
40 struct dma_heap {
41 const char *name;
42 const struct dma_heap_ops *ops;
43 void *priv;
44 dev_t heap_devt;
45 struct list_head list;
46 struct cdev heap_cdev;
47 struct kref refcount;
48 struct device *heap_dev;
49 };
50
51 static LIST_HEAD(heap_list);
52 static DEFINE_MUTEX(heap_list_lock);
53 static dev_t dma_heap_devt;
54 static struct class *dma_heap_class;
55 static DEFINE_XARRAY_ALLOC(dma_heap_minors);
56
dma_heap_find(const char * name)57 struct dma_heap *dma_heap_find(const char *name)
58 {
59 struct dma_heap *h;
60
61 mutex_lock(&heap_list_lock);
62 list_for_each_entry(h, &heap_list, list) {
63 if (!strcmp(h->name, name)) {
64 kref_get(&h->refcount);
65 mutex_unlock(&heap_list_lock);
66 return h;
67 }
68 }
69 mutex_unlock(&heap_list_lock);
70 return NULL;
71 }
72 EXPORT_SYMBOL_GPL(dma_heap_find);
73
74
dma_heap_buffer_free(struct dma_buf * dmabuf)75 void dma_heap_buffer_free(struct dma_buf *dmabuf)
76 {
77 dma_buf_put(dmabuf);
78 }
79 EXPORT_SYMBOL_GPL(dma_heap_buffer_free);
80
dma_heap_buffer_alloc(struct dma_heap * heap,size_t len,u32 fd_flags,u64 heap_flags)81 struct dma_buf *dma_heap_buffer_alloc(struct dma_heap *heap, size_t len,
82 u32 fd_flags,
83 u64 heap_flags)
84 {
85 struct dma_buf *dma_buf;
86
87 if (fd_flags & ~DMA_HEAP_VALID_FD_FLAGS)
88 return ERR_PTR(-EINVAL);
89
90 if (heap_flags & ~DMA_HEAP_VALID_HEAP_FLAGS)
91 return ERR_PTR(-EINVAL);
92 /*
93 * Allocations from all heaps have to begin
94 * and end on page boundaries.
95 */
96 len = __PAGE_ALIGN(len);
97 if (!len)
98 return ERR_PTR(-EINVAL);
99
100 trace_android_vh_dma_heap_buffer_alloc_start(heap->name, len,
101 fd_flags, heap_flags);
102 dma_buf = heap->ops->allocate(heap, len, fd_flags, heap_flags);
103 trace_android_vh_dma_heap_buffer_alloc_end(heap->name, len);
104
105 return dma_buf;
106 }
107 EXPORT_SYMBOL_GPL(dma_heap_buffer_alloc);
108
dma_heap_bufferfd_alloc(struct dma_heap * heap,size_t len,u32 fd_flags,u64 heap_flags)109 int dma_heap_bufferfd_alloc(struct dma_heap *heap, size_t len,
110 u32 fd_flags,
111 u64 heap_flags)
112 {
113 struct dma_buf *dmabuf;
114 int fd;
115
116 dmabuf = dma_heap_buffer_alloc(heap, len, fd_flags, heap_flags);
117
118 if (IS_ERR(dmabuf))
119 return PTR_ERR(dmabuf);
120
121 fd = dma_buf_fd(dmabuf, fd_flags);
122 if (fd < 0) {
123 dma_buf_put(dmabuf);
124 /* just return, as put will call release and that will free */
125 }
126 return fd;
127
128 }
129 EXPORT_SYMBOL_GPL(dma_heap_bufferfd_alloc);
130
dma_heap_open(struct inode * inode,struct file * file)131 static int dma_heap_open(struct inode *inode, struct file *file)
132 {
133 struct dma_heap *heap;
134
135 heap = xa_load(&dma_heap_minors, iminor(inode));
136 if (!heap) {
137 pr_err("dma_heap: minor %d unknown.\n", iminor(inode));
138 return -ENODEV;
139 }
140
141 /* instance data as context */
142 file->private_data = heap;
143 nonseekable_open(inode, file);
144
145 return 0;
146 }
147
dma_heap_ioctl_allocate(struct file * file,void * data)148 static long dma_heap_ioctl_allocate(struct file *file, void *data)
149 {
150 struct dma_heap_allocation_data *heap_allocation = data;
151 struct dma_heap *heap = file->private_data;
152 int fd;
153
154 if (heap_allocation->fd)
155 return -EINVAL;
156
157 fd = dma_heap_bufferfd_alloc(heap, heap_allocation->len,
158 heap_allocation->fd_flags,
159 heap_allocation->heap_flags);
160 if (fd < 0)
161 return fd;
162
163 heap_allocation->fd = fd;
164
165 return 0;
166 }
167
168 static unsigned int dma_heap_ioctl_cmds[] = {
169 DMA_HEAP_IOCTL_ALLOC,
170 };
171
dma_heap_ioctl(struct file * file,unsigned int ucmd,unsigned long arg)172 static long dma_heap_ioctl(struct file *file, unsigned int ucmd,
173 unsigned long arg)
174 {
175 char stack_kdata[128];
176 char *kdata = stack_kdata;
177 unsigned int kcmd;
178 unsigned int in_size, out_size, drv_size, ksize;
179 int nr = _IOC_NR(ucmd);
180 int ret = 0;
181
182 if (nr >= ARRAY_SIZE(dma_heap_ioctl_cmds))
183 return -EINVAL;
184
185 nr = array_index_nospec(nr, ARRAY_SIZE(dma_heap_ioctl_cmds));
186 /* Get the kernel ioctl cmd that matches */
187 kcmd = dma_heap_ioctl_cmds[nr];
188
189 /* Figure out the delta between user cmd size and kernel cmd size */
190 drv_size = _IOC_SIZE(kcmd);
191 out_size = _IOC_SIZE(ucmd);
192 in_size = out_size;
193 if ((ucmd & kcmd & IOC_IN) == 0)
194 in_size = 0;
195 if ((ucmd & kcmd & IOC_OUT) == 0)
196 out_size = 0;
197 ksize = max(max(in_size, out_size), drv_size);
198
199 /* If necessary, allocate buffer for ioctl argument */
200 if (ksize > sizeof(stack_kdata)) {
201 kdata = kmalloc(ksize, GFP_KERNEL);
202 if (!kdata)
203 return -ENOMEM;
204 }
205
206 if (copy_from_user(kdata, (void __user *)arg, in_size) != 0) {
207 ret = -EFAULT;
208 goto err;
209 }
210
211 /* zero out any difference between the kernel/user structure size */
212 if (ksize > in_size)
213 memset(kdata + in_size, 0, ksize - in_size);
214
215 switch (kcmd) {
216 case DMA_HEAP_IOCTL_ALLOC:
217 ret = dma_heap_ioctl_allocate(file, kdata);
218 break;
219 default:
220 ret = -ENOTTY;
221 goto err;
222 }
223
224 if (copy_to_user((void __user *)arg, kdata, out_size) != 0)
225 ret = -EFAULT;
226 err:
227 if (kdata != stack_kdata)
228 kfree(kdata);
229 return ret;
230 }
231
232 static const struct file_operations dma_heap_fops = {
233 .owner = THIS_MODULE,
234 .open = dma_heap_open,
235 .unlocked_ioctl = dma_heap_ioctl,
236 #ifdef CONFIG_COMPAT
237 .compat_ioctl = dma_heap_ioctl,
238 #endif
239 };
240
241 /**
242 * dma_heap_get_drvdata() - get per-subdriver data for the heap
243 * @heap: DMA-Heap to retrieve private data for
244 *
245 * Returns:
246 * The per-subdriver data for the heap.
247 */
dma_heap_get_drvdata(struct dma_heap * heap)248 void *dma_heap_get_drvdata(struct dma_heap *heap)
249 {
250 return heap->priv;
251 }
252 EXPORT_SYMBOL_GPL(dma_heap_get_drvdata);
253
dma_heap_release(struct kref * ref)254 static void dma_heap_release(struct kref *ref)
255 {
256 struct dma_heap *heap = container_of(ref, struct dma_heap, refcount);
257 int minor = MINOR(heap->heap_devt);
258
259 /* Note, we already holding the heap_list_lock here */
260 list_del(&heap->list);
261
262 device_destroy(dma_heap_class, heap->heap_devt);
263 cdev_del(&heap->heap_cdev);
264 xa_erase(&dma_heap_minors, minor);
265
266 kfree(heap);
267 }
268
dma_heap_put(struct dma_heap * h)269 void dma_heap_put(struct dma_heap *h)
270 {
271 /*
272 * Take the heap_list_lock now to avoid racing with code
273 * scanning the list and then taking a kref.
274 */
275 mutex_lock(&heap_list_lock);
276 kref_put(&h->refcount, dma_heap_release);
277 mutex_unlock(&heap_list_lock);
278 }
279 EXPORT_SYMBOL_GPL(dma_heap_put);
280
281 /**
282 * dma_heap_get_dev() - get device struct for the heap
283 * @heap: DMA-Heap to retrieve device struct from
284 *
285 * Returns:
286 * The device struct for the heap.
287 */
dma_heap_get_dev(struct dma_heap * heap)288 struct device *dma_heap_get_dev(struct dma_heap *heap)
289 {
290 return heap->heap_dev;
291 }
292 EXPORT_SYMBOL_GPL(dma_heap_get_dev);
293
294 /**
295 * dma_heap_get_name() - get heap name
296 * @heap: DMA-Heap to retrieve private data for
297 *
298 * Returns:
299 * The char* for the heap name.
300 */
dma_heap_get_name(struct dma_heap * heap)301 const char *dma_heap_get_name(struct dma_heap *heap)
302 {
303 return heap->name;
304 }
305 EXPORT_SYMBOL_GPL(dma_heap_get_name);
306
dma_heap_add(const struct dma_heap_export_info * exp_info)307 struct dma_heap *dma_heap_add(const struct dma_heap_export_info *exp_info)
308 {
309 struct dma_heap *heap, *h, *err_ret;
310 unsigned int minor;
311 int ret;
312
313 if (!exp_info->name || !strcmp(exp_info->name, "")) {
314 pr_err("dma_heap: Cannot add heap without a name\n");
315 return ERR_PTR(-EINVAL);
316 }
317
318 if (!exp_info->ops || !exp_info->ops->allocate) {
319 pr_err("dma_heap: Cannot add heap with invalid ops struct\n");
320 return ERR_PTR(-EINVAL);
321 }
322
323 heap = kzalloc(sizeof(*heap), GFP_KERNEL);
324 if (!heap)
325 return ERR_PTR(-ENOMEM);
326
327 kref_init(&heap->refcount);
328 heap->name = exp_info->name;
329 heap->ops = exp_info->ops;
330 heap->priv = exp_info->priv;
331
332 /* Find unused minor number */
333 ret = xa_alloc(&dma_heap_minors, &minor, heap,
334 XA_LIMIT(0, NUM_HEAP_MINORS - 1), GFP_KERNEL);
335 if (ret < 0) {
336 pr_err("dma_heap: Unable to get minor number for heap\n");
337 err_ret = ERR_PTR(ret);
338 goto err0;
339 }
340
341 /* Create device */
342 heap->heap_devt = MKDEV(MAJOR(dma_heap_devt), minor);
343
344 cdev_init(&heap->heap_cdev, &dma_heap_fops);
345 ret = cdev_add(&heap->heap_cdev, heap->heap_devt, 1);
346 if (ret < 0) {
347 pr_err("dma_heap: Unable to add char device\n");
348 err_ret = ERR_PTR(ret);
349 goto err1;
350 }
351
352 heap->heap_dev = device_create(dma_heap_class,
353 NULL,
354 heap->heap_devt,
355 NULL,
356 heap->name);
357 if (IS_ERR(heap->heap_dev)) {
358 pr_err("dma_heap: Unable to create device\n");
359 err_ret = ERR_CAST(heap->heap_dev);
360 goto err2;
361 }
362
363 /* Make sure it doesn't disappear on us */
364 heap->heap_dev = get_device(heap->heap_dev);
365
366 mutex_lock(&heap_list_lock);
367 /* check the name is unique */
368 list_for_each_entry(h, &heap_list, list) {
369 if (!strcmp(h->name, exp_info->name)) {
370 mutex_unlock(&heap_list_lock);
371 pr_err("dma_heap: Already registered heap named %s\n",
372 exp_info->name);
373 err_ret = ERR_PTR(-EINVAL);
374 put_device(heap->heap_dev);
375 goto err3;
376 }
377 }
378
379 /* Add heap to the list */
380 list_add(&heap->list, &heap_list);
381 mutex_unlock(&heap_list_lock);
382
383 return heap;
384
385 err3:
386 device_destroy(dma_heap_class, heap->heap_devt);
387 err2:
388 cdev_del(&heap->heap_cdev);
389 err1:
390 xa_erase(&dma_heap_minors, minor);
391 err0:
392 kfree(heap);
393 return err_ret;
394 }
395 EXPORT_SYMBOL_GPL(dma_heap_add);
396
dma_heap_devnode(const struct device * dev,umode_t * mode)397 static char *dma_heap_devnode(const struct device *dev, umode_t *mode)
398 {
399 return kasprintf(GFP_KERNEL, "dma_heap/%s", dev_name(dev));
400 }
401
dma_heap_try_get_pool_size_kb(void)402 long dma_heap_try_get_pool_size_kb(void)
403 {
404 struct dma_heap *heap;
405 u64 total_pool_size = 0;
406
407 if (!mutex_trylock(&heap_list_lock))
408 return -1;
409
410 list_for_each_entry(heap, &heap_list, list) {
411 if (heap->ops->get_pool_size)
412 total_pool_size += heap->ops->get_pool_size(heap);
413 }
414 mutex_unlock(&heap_list_lock);
415
416 return (long)(total_pool_size / 1024);
417 }
418 EXPORT_SYMBOL_GPL(dma_heap_try_get_pool_size_kb);
419
total_pools_kb_show(struct kobject * kobj,struct kobj_attribute * attr,char * buf)420 static ssize_t total_pools_kb_show(struct kobject *kobj,
421 struct kobj_attribute *attr, char *buf)
422 {
423 struct dma_heap *heap;
424 u64 total_pool_size = 0;
425
426 mutex_lock(&heap_list_lock);
427 list_for_each_entry(heap, &heap_list, list) {
428 if (heap->ops->get_pool_size)
429 total_pool_size += heap->ops->get_pool_size(heap);
430 }
431 mutex_unlock(&heap_list_lock);
432
433 return sysfs_emit(buf, "%llu\n", total_pool_size / 1024);
434 }
435
436 static struct kobj_attribute total_pools_kb_attr =
437 __ATTR_RO(total_pools_kb);
438
439 static struct attribute *dma_heap_sysfs_attrs[] = {
440 &total_pools_kb_attr.attr,
441 NULL,
442 };
443
444 ATTRIBUTE_GROUPS(dma_heap_sysfs);
445
446 static struct kobject *dma_heap_kobject;
447
dma_heap_sysfs_setup(void)448 static int dma_heap_sysfs_setup(void)
449 {
450 int ret;
451
452 dma_heap_kobject = kobject_create_and_add("dma_heap", kernel_kobj);
453 if (!dma_heap_kobject)
454 return -ENOMEM;
455
456 ret = sysfs_create_groups(dma_heap_kobject, dma_heap_sysfs_groups);
457 if (ret) {
458 kobject_put(dma_heap_kobject);
459 return ret;
460 }
461
462 return 0;
463 }
464
dma_heap_sysfs_teardown(void)465 static void dma_heap_sysfs_teardown(void)
466 {
467 kobject_put(dma_heap_kobject);
468 }
469
dma_heap_init(void)470 static int dma_heap_init(void)
471 {
472 int ret;
473
474 ret = dma_heap_sysfs_setup();
475 if (ret)
476 return ret;
477
478 ret = alloc_chrdev_region(&dma_heap_devt, 0, NUM_HEAP_MINORS, DEVNAME);
479 if (ret)
480 goto err_chrdev;
481
482 dma_heap_class = class_create(DEVNAME);
483 if (IS_ERR(dma_heap_class)) {
484 unregister_chrdev_region(dma_heap_devt, NUM_HEAP_MINORS);
485 ret = PTR_ERR(dma_heap_class);
486 goto err_class;
487 }
488 dma_heap_class->devnode = dma_heap_devnode;
489
490 return 0;
491
492 err_class:
493 unregister_chrdev_region(dma_heap_devt, NUM_HEAP_MINORS);
494 err_chrdev:
495 dma_heap_sysfs_teardown();
496 return ret;
497 }
498 subsys_initcall(dma_heap_init);
499