1 /* $OpenBSD: drm_gem.c,v 1.6 2018/06/25 22:29:16 kettenis Exp $ */ 2 /* 3 * Copyright © 2008 Intel Corporation 4 * 5 * Permission is hereby granted, free of charge, to any person obtaining a 6 * copy of this software and associated documentation files (the "Software"), 7 * to deal in the Software without restriction, including without limitation 8 * the rights to use, copy, modify, merge, publish, distribute, sublicense, 9 * and/or sell copies of the Software, and to permit persons to whom the 10 * Software is furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice (including the next 13 * paragraph) shall be included in all copies or substantial portions of the 14 * Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 22 * IN THE SOFTWARE. 23 * 24 * Authors: 25 * Eric Anholt <eric@anholt.net> 26 * 27 */ 28 29 #include <dev/pci/drm/drmP.h> 30 #include <dev/pci/drm/drm_vma_manager.h> 31 #include "drm_internal.h" 32 33 #include <uvm/uvm.h> 34 35 void drm_unref(struct uvm_object *); 36 void drm_ref(struct uvm_object *); 37 boolean_t drm_flush(struct uvm_object *, voff_t, voff_t, int); 38 int drm_fault(struct uvm_faultinfo *, vaddr_t, vm_page_t *, int, int, 39 vm_fault_t, vm_prot_t, int); 40 41 struct uvm_pagerops drm_pgops = { 42 NULL, 43 drm_ref, 44 drm_unref, 45 drm_fault, 46 drm_flush, 47 }; 48 49 void 50 drm_ref(struct uvm_object *uobj) 51 { 52 struct drm_gem_object *obj = 53 container_of(uobj, struct drm_gem_object, uobj); 54 55 drm_gem_object_reference(obj); 56 } 57 58 void 59 drm_unref(struct uvm_object *uobj) 60 { 61 struct drm_gem_object *obj = 62 container_of(uobj, struct drm_gem_object, uobj); 63 64 drm_gem_object_unreference_unlocked(obj); 65 } 66 67 int 68 drm_fault(struct uvm_faultinfo *ufi, vaddr_t vaddr, vm_page_t *pps, 69 int npages, int centeridx, vm_fault_t fault_type, 70 vm_prot_t access_type, int flags) 71 { 72 struct vm_map_entry *entry = ufi->entry; 73 struct uvm_object *uobj = entry->object.uvm_obj; 74 struct drm_gem_object *obj = 75 container_of(uobj, struct drm_gem_object, uobj); 76 struct drm_device *dev = obj->dev; 77 int ret; 78 79 /* 80 * we do not allow device mappings to be mapped copy-on-write 81 * so we kill any attempt to do so here. 82 */ 83 84 if (UVM_ET_ISCOPYONWRITE(entry)) { 85 uvmfault_unlockall(ufi, ufi->entry->aref.ar_amap, uobj, NULL); 86 return(VM_PAGER_ERROR); 87 } 88 89 /* 90 * We could end up here as the result of a copyin(9) or 91 * copyout(9) while handling an ioctl. So we must be careful 92 * not to deadlock. Therefore we only block if the quiesce 93 * count is zero, which guarantees we didn't enter from within 94 * an ioctl code path. 95 */ 96 mtx_enter(&dev->quiesce_mtx); 97 if (dev->quiesce && dev->quiesce_count == 0) { 98 mtx_leave(&dev->quiesce_mtx); 99 uvmfault_unlockall(ufi, ufi->entry->aref.ar_amap, uobj, NULL); 100 mtx_enter(&dev->quiesce_mtx); 101 while (dev->quiesce) { 102 msleep(&dev->quiesce, &dev->quiesce_mtx, 103 PZERO, "drmflt", 0); 104 } 105 mtx_leave(&dev->quiesce_mtx); 106 return(VM_PAGER_REFAULT); 107 } 108 dev->quiesce_count++; 109 mtx_leave(&dev->quiesce_mtx); 110 111 /* Call down into driver to do the magic */ 112 ret = dev->driver->gem_fault(obj, ufi, entry->offset + (vaddr - 113 entry->start), vaddr, pps, npages, centeridx, 114 access_type, flags); 115 116 mtx_enter(&dev->quiesce_mtx); 117 dev->quiesce_count--; 118 if (dev->quiesce) 119 wakeup(&dev->quiesce_count); 120 mtx_leave(&dev->quiesce_mtx); 121 122 return (ret); 123 } 124 125 boolean_t 126 drm_flush(struct uvm_object *uobj, voff_t start, voff_t stop, int flags) 127 { 128 return (TRUE); 129 } 130 131 struct uvm_object * 132 udv_attach_drm(dev_t device, vm_prot_t accessprot, voff_t off, vsize_t size) 133 { 134 struct drm_device *dev = drm_get_device_from_kdev(device); 135 struct drm_gem_object *obj; 136 struct drm_vma_offset_node *node; 137 struct drm_file *priv; 138 struct file *filp; 139 140 if (cdevsw[major(device)].d_mmap != drmmmap) 141 return NULL; 142 143 if (dev == NULL) 144 return NULL; 145 146 if (dev->driver->mmap) 147 return dev->driver->mmap(dev, off, size); 148 149 mutex_lock(&dev->struct_mutex); 150 151 priv = drm_find_file_by_minor(dev, minor(device)); 152 if (priv == 0) { 153 mutex_unlock(&dev->struct_mutex); 154 return NULL; 155 } 156 filp = priv->filp; 157 158 node = drm_vma_offset_exact_lookup(dev->vma_offset_manager, 159 off >> PAGE_SHIFT, 160 atop(round_page(size))); 161 if (!node) { 162 mutex_unlock(&dev->struct_mutex); 163 return NULL; 164 } else if (!drm_vma_node_is_allowed(node, filp)) { 165 mutex_unlock(&dev->struct_mutex); 166 return NULL; 167 } 168 169 obj = container_of(node, struct drm_gem_object, vma_node); 170 drm_gem_object_reference(obj); 171 172 mutex_unlock(&dev->struct_mutex); 173 return &obj->uobj; 174 } 175 176 /** @file drm_gem.c 177 * 178 * This file provides some of the base ioctls and library routines for 179 * the graphics memory manager implemented by each device driver. 180 * 181 * Because various devices have different requirements in terms of 182 * synchronization and migration strategies, implementing that is left up to 183 * the driver, and all that the general API provides should be generic -- 184 * allocating objects, reading/writing data with the cpu, freeing objects. 185 * Even there, platform-dependent optimizations for reading/writing data with 186 * the CPU mean we'll likely hook those out to driver-specific calls. However, 187 * the DRI2 implementation wants to have at least allocate/mmap be generic. 188 * 189 * The goal was to have swap-backed object allocation managed through 190 * struct file. However, file descriptors as handles to a struct file have 191 * two major failings: 192 * - Process limits prevent more than 1024 or so being used at a time by 193 * default. 194 * - Inability to allocate high fds will aggravate the X Server's select() 195 * handling, and likely that of many GL client applications as well. 196 * 197 * This led to a plan of using our own integer IDs (called handles, following 198 * DRM terminology) to mimic fds, and implement the fd syscalls we need as 199 * ioctls. The objects themselves will still include the struct file so 200 * that we can transition to fds if the required kernel infrastructure shows 201 * up at a later date, and as our interface with shmfs for memory allocation. 202 */ 203 204 /* 205 * We make up offsets for buffer objects so we can recognize them at 206 * mmap time. 207 */ 208 209 /* pgoff in mmap is an unsigned long, so we need to make sure that 210 * the faked up offset will fit 211 */ 212 213 #if BITS_PER_LONG == 64 214 #define DRM_FILE_PAGE_OFFSET_START ((0xFFFFFFFFUL >> PAGE_SHIFT) + 1) 215 #define DRM_FILE_PAGE_OFFSET_SIZE ((0xFFFFFFFFUL >> PAGE_SHIFT) * 16) 216 #else 217 #define DRM_FILE_PAGE_OFFSET_START ((0xFFFFFFFUL >> PAGE_SHIFT) + 1) 218 #define DRM_FILE_PAGE_OFFSET_SIZE ((0xFFFFFFFUL >> PAGE_SHIFT) * 16) 219 #endif 220 221 /** 222 * Initialize the GEM device fields 223 */ 224 225 int 226 drm_gem_init(struct drm_device *dev) 227 { 228 struct drm_vma_offset_manager *vma_offset_manager; 229 230 rw_init(&dev->object_name_lock, "drmonl"); 231 idr_init(&dev->object_name_idr); 232 233 vma_offset_manager = kzalloc(sizeof(*vma_offset_manager), GFP_KERNEL); 234 if (!vma_offset_manager) { 235 DRM_ERROR("out of memory\n"); 236 return -ENOMEM; 237 } 238 239 dev->vma_offset_manager = vma_offset_manager; 240 drm_vma_offset_manager_init(vma_offset_manager, 241 DRM_FILE_PAGE_OFFSET_START, 242 DRM_FILE_PAGE_OFFSET_SIZE); 243 244 return 0; 245 } 246 247 void 248 drm_gem_destroy(struct drm_device *dev) 249 { 250 251 drm_vma_offset_manager_destroy(dev->vma_offset_manager); 252 kfree(dev->vma_offset_manager); 253 dev->vma_offset_manager = NULL; 254 } 255 256 #ifdef __linux__ 257 258 /** 259 * Initialize an already allocated GEM object of the specified size with 260 * shmfs backing store. 261 */ 262 int drm_gem_object_init(struct drm_device *dev, 263 struct drm_gem_object *obj, size_t size) 264 { 265 struct file *filp; 266 267 drm_gem_private_object_init(dev, obj, size); 268 269 filp = shmem_file_setup("drm mm object", size, VM_NORESERVE); 270 if (IS_ERR(filp)) 271 return PTR_ERR(filp); 272 273 obj->filp = filp; 274 275 return 0; 276 } 277 EXPORT_SYMBOL(drm_gem_object_init); 278 279 #else 280 281 int drm_gem_object_init(struct drm_device *dev, 282 struct drm_gem_object *obj, size_t size) 283 { 284 drm_gem_private_object_init(dev, obj, size); 285 286 obj->uao = uao_create(size, 0); 287 uvm_objinit(&obj->uobj, &drm_pgops, 1); 288 289 atomic_inc(&dev->obj_count); 290 atomic_add(obj->size, &dev->obj_memory); 291 292 obj->filp = (void *)obj->uao; 293 294 return 0; 295 } 296 297 #endif 298 299 /** 300 * Initialize an already allocated GEM object of the specified size with 301 * no GEM provided backing store. Instead the caller is responsible for 302 * backing the object and handling it. 303 */ 304 void drm_gem_private_object_init(struct drm_device *dev, 305 struct drm_gem_object *obj, size_t size) 306 { 307 BUG_ON((size & (PAGE_SIZE - 1)) != 0); 308 309 obj->dev = dev; 310 obj->filp = NULL; 311 312 kref_init(&obj->refcount); 313 obj->handle_count = 0; 314 obj->size = size; 315 drm_vma_node_reset(&obj->vma_node); 316 } 317 EXPORT_SYMBOL(drm_gem_private_object_init); 318 319 static void 320 drm_gem_remove_prime_handles(struct drm_gem_object *obj, struct drm_file *filp) 321 { 322 /* 323 * Note: obj->dma_buf can't disappear as long as we still hold a 324 * handle reference in obj->handle_count. 325 */ 326 mutex_lock(&filp->prime.lock); 327 if (obj->dma_buf) { 328 drm_prime_remove_buf_handle_locked(&filp->prime, 329 obj->dma_buf); 330 } 331 mutex_unlock(&filp->prime.lock); 332 } 333 334 /** 335 * Called after the last handle to the object has been closed 336 * 337 * Removes any name for the object. Note that this must be 338 * called before drm_gem_object_free or we'll be touching 339 * freed memory 340 */ 341 static void drm_gem_object_handle_free(struct drm_gem_object *obj) 342 { 343 struct drm_device *dev = obj->dev; 344 345 /* Remove any name for this object */ 346 if (obj->name) { 347 idr_remove(&dev->object_name_idr, obj->name); 348 obj->name = 0; 349 } 350 } 351 352 static void drm_gem_object_exported_dma_buf_free(struct drm_gem_object *obj) 353 { 354 /* Unbreak the reference cycle if we have an exported dma_buf. */ 355 if (obj->dma_buf) { 356 dma_buf_put(obj->dma_buf); 357 obj->dma_buf = NULL; 358 } 359 } 360 361 static void 362 drm_gem_object_handle_unreference_unlocked(struct drm_gem_object *obj) 363 { 364 if (WARN_ON(obj->handle_count == 0)) 365 return; 366 367 /* 368 * Must bump handle count first as this may be the last 369 * ref, in which case the object would disappear before we 370 * checked for a name 371 */ 372 373 mutex_lock(&obj->dev->object_name_lock); 374 if (--obj->handle_count == 0) { 375 drm_gem_object_handle_free(obj); 376 drm_gem_object_exported_dma_buf_free(obj); 377 } 378 mutex_unlock(&obj->dev->object_name_lock); 379 380 drm_gem_object_unreference_unlocked(obj); 381 } 382 383 /** 384 * Removes the mapping from handle to filp for this object. 385 */ 386 int 387 drm_gem_handle_delete(struct drm_file *filp, u32 handle) 388 { 389 struct drm_device *dev; 390 struct drm_gem_object *obj; 391 392 /* This is gross. The idr system doesn't let us try a delete and 393 * return an error code. It just spews if you fail at deleting. 394 * So, we have to grab a lock around finding the object and then 395 * doing the delete on it and dropping the refcount, or the user 396 * could race us to double-decrement the refcount and cause a 397 * use-after-free later. Given the frequency of our handle lookups, 398 * we may want to use ida for number allocation and a hash table 399 * for the pointers, anyway. 400 */ 401 spin_lock(&filp->table_lock); 402 403 /* Check if we currently have a reference on the object */ 404 obj = idr_find(&filp->object_idr, handle); 405 if (obj == NULL) { 406 spin_unlock(&filp->table_lock); 407 return -EINVAL; 408 } 409 dev = obj->dev; 410 411 /* Release reference and decrement refcount. */ 412 idr_remove(&filp->object_idr, handle); 413 spin_unlock(&filp->table_lock); 414 415 if (drm_core_check_feature(dev, DRIVER_PRIME)) 416 drm_gem_remove_prime_handles(obj, filp); 417 drm_vma_node_revoke(&obj->vma_node, filp->filp); 418 419 if (dev->driver->gem_close_object) 420 dev->driver->gem_close_object(obj, filp); 421 drm_gem_object_handle_unreference_unlocked(obj); 422 423 return 0; 424 } 425 EXPORT_SYMBOL(drm_gem_handle_delete); 426 427 /** 428 * drm_gem_dumb_destroy - dumb fb callback helper for gem based drivers 429 * 430 * This implements the ->dumb_destroy kms driver callback for drivers which use 431 * gem to manage their backing storage. 432 */ 433 int drm_gem_dumb_destroy(struct drm_file *file, 434 struct drm_device *dev, 435 uint32_t handle) 436 { 437 return drm_gem_handle_delete(file, handle); 438 } 439 EXPORT_SYMBOL(drm_gem_dumb_destroy); 440 441 /** 442 * drm_gem_handle_create_tail - internal functions to create a handle 443 * 444 * This expects the dev->object_name_lock to be held already and will drop it 445 * before returning. Used to avoid races in establishing new handles when 446 * importing an object from either an flink name or a dma-buf. 447 */ 448 int 449 drm_gem_handle_create_tail(struct drm_file *file_priv, 450 struct drm_gem_object *obj, 451 u32 *handlep) 452 { 453 struct drm_device *dev = obj->dev; 454 int ret; 455 456 WARN_ON(!mutex_is_locked(&dev->object_name_lock)); 457 458 /* 459 * Get the user-visible handle using idr. Preload and perform 460 * allocation under our spinlock. 461 */ 462 idr_preload(GFP_KERNEL); 463 spin_lock(&file_priv->table_lock); 464 465 ret = idr_alloc(&file_priv->object_idr, obj, 1, 0, GFP_NOWAIT); 466 drm_gem_object_reference(obj); 467 obj->handle_count++; 468 spin_unlock(&file_priv->table_lock); 469 idr_preload_end(); 470 mutex_unlock(&dev->object_name_lock); 471 if (ret < 0) 472 goto err_unref; 473 474 *handlep = ret; 475 476 ret = drm_vma_node_allow(&obj->vma_node, file_priv->filp); 477 if (ret) 478 goto err_remove; 479 480 if (dev->driver->gem_open_object) { 481 ret = dev->driver->gem_open_object(obj, file_priv); 482 if (ret) 483 goto err_revoke; 484 } 485 486 return 0; 487 488 err_revoke: 489 drm_vma_node_revoke(&obj->vma_node, file_priv->filp); 490 err_remove: 491 spin_lock(&file_priv->table_lock); 492 idr_remove(&file_priv->object_idr, *handlep); 493 spin_unlock(&file_priv->table_lock); 494 err_unref: 495 drm_gem_object_handle_unreference_unlocked(obj); 496 return ret; 497 } 498 499 /** 500 * Create a handle for this object. This adds a handle reference 501 * to the object, which includes a regular reference count. Callers 502 * will likely want to dereference the object afterwards. 503 */ 504 int 505 drm_gem_handle_create(struct drm_file *file_priv, 506 struct drm_gem_object *obj, 507 u32 *handlep) 508 { 509 mutex_lock(&obj->dev->object_name_lock); 510 511 return drm_gem_handle_create_tail(file_priv, obj, handlep); 512 } 513 EXPORT_SYMBOL(drm_gem_handle_create); 514 515 516 /** 517 * drm_gem_free_mmap_offset - release a fake mmap offset for an object 518 * @obj: obj in question 519 * 520 * This routine frees fake offsets allocated by drm_gem_create_mmap_offset(). 521 */ 522 void 523 drm_gem_free_mmap_offset(struct drm_gem_object *obj) 524 { 525 struct drm_device *dev = obj->dev; 526 527 drm_vma_offset_remove(dev->vma_offset_manager, &obj->vma_node); 528 } 529 EXPORT_SYMBOL(drm_gem_free_mmap_offset); 530 531 /** 532 * drm_gem_create_mmap_offset_size - create a fake mmap offset for an object 533 * @obj: obj in question 534 * @size: the virtual size 535 * 536 * GEM memory mapping works by handing back to userspace a fake mmap offset 537 * it can use in a subsequent mmap(2) call. The DRM core code then looks 538 * up the object based on the offset and sets up the various memory mapping 539 * structures. 540 * 541 * This routine allocates and attaches a fake offset for @obj, in cases where 542 * the virtual size differs from the physical size (ie. obj->size). Otherwise 543 * just use drm_gem_create_mmap_offset(). 544 */ 545 int 546 drm_gem_create_mmap_offset_size(struct drm_gem_object *obj, size_t size) 547 { 548 struct drm_device *dev = obj->dev; 549 550 return drm_vma_offset_add(dev->vma_offset_manager, &obj->vma_node, 551 size / PAGE_SIZE); 552 } 553 EXPORT_SYMBOL(drm_gem_create_mmap_offset_size); 554 555 /** 556 * drm_gem_create_mmap_offset - create a fake mmap offset for an object 557 * @obj: obj in question 558 * 559 * GEM memory mapping works by handing back to userspace a fake mmap offset 560 * it can use in a subsequent mmap(2) call. The DRM core code then looks 561 * up the object based on the offset and sets up the various memory mapping 562 * structures. 563 * 564 * This routine allocates and attaches a fake offset for @obj. 565 */ 566 int drm_gem_create_mmap_offset(struct drm_gem_object *obj) 567 { 568 return drm_gem_create_mmap_offset_size(obj, obj->size); 569 } 570 EXPORT_SYMBOL(drm_gem_create_mmap_offset); 571 572 #ifdef __linux__ 573 574 /** 575 * drm_gem_get_pages - helper to allocate backing pages for a GEM object 576 * from shmem 577 * @obj: obj in question 578 * @gfpmask: gfp mask of requested pages 579 */ 580 struct page **drm_gem_get_pages(struct drm_gem_object *obj, gfp_t gfpmask) 581 { 582 struct inode *inode; 583 struct address_space *mapping; 584 struct page *p, **pages; 585 int i, npages; 586 587 /* This is the shared memory object that backs the GEM resource */ 588 inode = file_inode(obj->filp); 589 mapping = inode->i_mapping; 590 591 /* We already BUG_ON() for non-page-aligned sizes in 592 * drm_gem_object_init(), so we should never hit this unless 593 * driver author is doing something really wrong: 594 */ 595 WARN_ON((obj->size & (PAGE_SIZE - 1)) != 0); 596 597 npages = obj->size >> PAGE_SHIFT; 598 599 pages = drm_malloc_ab(npages, sizeof(struct page *)); 600 if (pages == NULL) 601 return ERR_PTR(-ENOMEM); 602 603 gfpmask |= mapping_gfp_mask(mapping); 604 605 for (i = 0; i < npages; i++) { 606 p = shmem_read_mapping_page_gfp(mapping, i, gfpmask); 607 if (IS_ERR(p)) 608 goto fail; 609 pages[i] = p; 610 611 /* There is a hypothetical issue w/ drivers that require 612 * buffer memory in the low 4GB.. if the pages are un- 613 * pinned, and swapped out, they can end up swapped back 614 * in above 4GB. If pages are already in memory, then 615 * shmem_read_mapping_page_gfp will ignore the gfpmask, 616 * even if the already in-memory page disobeys the mask. 617 * 618 * It is only a theoretical issue today, because none of 619 * the devices with this limitation can be populated with 620 * enough memory to trigger the issue. But this BUG_ON() 621 * is here as a reminder in case the problem with 622 * shmem_read_mapping_page_gfp() isn't solved by the time 623 * it does become a real issue. 624 * 625 * See this thread: http://lkml.org/lkml/2011/7/11/238 626 */ 627 BUG_ON((gfpmask & __GFP_DMA32) && 628 (page_to_pfn(p) >= 0x00100000UL)); 629 } 630 631 return pages; 632 633 fail: 634 while (i--) 635 page_cache_release(pages[i]); 636 637 drm_free_large(pages); 638 return ERR_CAST(p); 639 } 640 EXPORT_SYMBOL(drm_gem_get_pages); 641 642 /** 643 * drm_gem_put_pages - helper to free backing pages for a GEM object 644 * @obj: obj in question 645 * @pages: pages to free 646 * @dirty: if true, pages will be marked as dirty 647 * @accessed: if true, the pages will be marked as accessed 648 */ 649 void drm_gem_put_pages(struct drm_gem_object *obj, struct page **pages, 650 bool dirty, bool accessed) 651 { 652 int i, npages; 653 654 /* We already BUG_ON() for non-page-aligned sizes in 655 * drm_gem_object_init(), so we should never hit this unless 656 * driver author is doing something really wrong: 657 */ 658 WARN_ON((obj->size & (PAGE_SIZE - 1)) != 0); 659 660 npages = obj->size >> PAGE_SHIFT; 661 662 for (i = 0; i < npages; i++) { 663 if (dirty) 664 set_page_dirty(pages[i]); 665 666 if (accessed) 667 mark_page_accessed(pages[i]); 668 669 /* Undo the reference we took when populating the table */ 670 page_cache_release(pages[i]); 671 } 672 673 drm_free_large(pages); 674 } 675 EXPORT_SYMBOL(drm_gem_put_pages); 676 677 #endif 678 679 /** Returns a reference to the object named by the handle. */ 680 struct drm_gem_object * 681 drm_gem_object_lookup(struct drm_device *dev, struct drm_file *filp, 682 u32 handle) 683 { 684 struct drm_gem_object *obj; 685 686 spin_lock(&filp->table_lock); 687 688 /* Check if we currently have a reference on the object */ 689 obj = idr_find(&filp->object_idr, handle); 690 if (obj == NULL) { 691 spin_unlock(&filp->table_lock); 692 return NULL; 693 } 694 695 drm_gem_object_reference(obj); 696 697 spin_unlock(&filp->table_lock); 698 699 return obj; 700 } 701 EXPORT_SYMBOL(drm_gem_object_lookup); 702 703 /** 704 * Releases the handle to an mm object. 705 */ 706 int 707 drm_gem_close_ioctl(struct drm_device *dev, void *data, 708 struct drm_file *file_priv) 709 { 710 struct drm_gem_close *args = data; 711 int ret; 712 713 if (!(dev->driver->driver_features & DRIVER_GEM)) 714 return -ENODEV; 715 716 ret = drm_gem_handle_delete(file_priv, args->handle); 717 718 return ret; 719 } 720 721 /** 722 * Create a global name for an object, returning the name. 723 * 724 * Note that the name does not hold a reference; when the object 725 * is freed, the name goes away. 726 */ 727 int 728 drm_gem_flink_ioctl(struct drm_device *dev, void *data, 729 struct drm_file *file_priv) 730 { 731 struct drm_gem_flink *args = data; 732 struct drm_gem_object *obj; 733 int ret; 734 735 if (!(dev->driver->driver_features & DRIVER_GEM)) 736 return -ENODEV; 737 738 obj = drm_gem_object_lookup(dev, file_priv, args->handle); 739 if (obj == NULL) 740 return -ENOENT; 741 742 mutex_lock(&dev->object_name_lock); 743 idr_preload(GFP_KERNEL); 744 /* prevent races with concurrent gem_close. */ 745 if (obj->handle_count == 0) { 746 ret = -ENOENT; 747 goto err; 748 } 749 750 if (!obj->name) { 751 ret = idr_alloc(&dev->object_name_idr, obj, 1, 0, GFP_NOWAIT); 752 if (ret < 0) 753 goto err; 754 755 obj->name = ret; 756 } 757 758 args->name = (uint64_t) obj->name; 759 ret = 0; 760 761 err: 762 idr_preload_end(); 763 mutex_unlock(&dev->object_name_lock); 764 drm_gem_object_unreference_unlocked(obj); 765 return ret; 766 } 767 768 /** 769 * Open an object using the global name, returning a handle and the size. 770 * 771 * This handle (of course) holds a reference to the object, so the object 772 * will not go away until the handle is deleted. 773 */ 774 int 775 drm_gem_open_ioctl(struct drm_device *dev, void *data, 776 struct drm_file *file_priv) 777 { 778 struct drm_gem_open *args = data; 779 struct drm_gem_object *obj; 780 int ret; 781 u32 handle; 782 783 if (!(dev->driver->driver_features & DRIVER_GEM)) 784 return -ENODEV; 785 786 mutex_lock(&dev->object_name_lock); 787 obj = idr_find(&dev->object_name_idr, (int) args->name); 788 if (obj) { 789 drm_gem_object_reference(obj); 790 } else { 791 mutex_unlock(&dev->object_name_lock); 792 return -ENOENT; 793 } 794 795 /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */ 796 ret = drm_gem_handle_create_tail(file_priv, obj, &handle); 797 drm_gem_object_unreference_unlocked(obj); 798 if (ret) 799 return ret; 800 801 args->handle = handle; 802 args->size = obj->size; 803 804 return 0; 805 } 806 807 /** 808 * Called at device open time, sets up the structure for handling refcounting 809 * of mm objects. 810 */ 811 void 812 drm_gem_open(struct drm_device *dev, struct drm_file *file_private) 813 { 814 idr_init(&file_private->object_idr); 815 mtx_init(&file_private->table_lock, IPL_NONE); 816 } 817 818 /** 819 * Called at device close to release the file's 820 * handle references on objects. 821 */ 822 static int 823 drm_gem_object_release_handle(int id, void *ptr, void *data) 824 { 825 struct drm_file *file_priv = data; 826 struct drm_gem_object *obj = ptr; 827 struct drm_device *dev = obj->dev; 828 829 if (dev->driver->gem_close_object) 830 dev->driver->gem_close_object(obj, file_priv); 831 832 if (drm_core_check_feature(dev, DRIVER_PRIME)) 833 drm_gem_remove_prime_handles(obj, file_priv); 834 drm_vma_node_revoke(&obj->vma_node, file_priv->filp); 835 836 drm_gem_object_handle_unreference_unlocked(obj); 837 838 return 0; 839 } 840 841 /** 842 * Called at close time when the filp is going away. 843 * 844 * Releases any remaining references on objects by this filp. 845 */ 846 void 847 drm_gem_release(struct drm_device *dev, struct drm_file *file_private) 848 { 849 idr_for_each(&file_private->object_idr, 850 &drm_gem_object_release_handle, file_private); 851 idr_destroy(&file_private->object_idr); 852 } 853 854 #ifdef __linux__ 855 856 void 857 drm_gem_object_release(struct drm_gem_object *obj) 858 { 859 WARN_ON(obj->dma_buf); 860 861 if (obj->filp) 862 fput(obj->filp); 863 } 864 EXPORT_SYMBOL(drm_gem_object_release); 865 866 #else 867 868 void 869 drm_gem_object_release(struct drm_gem_object *obj) 870 { 871 struct drm_device *dev = obj->dev; 872 873 WARN_ON(obj->dma_buf); 874 875 if (obj->uao) 876 uao_detach(obj->uao); 877 878 atomic_dec(&dev->obj_count); 879 atomic_sub(obj->size, &dev->obj_memory); 880 } 881 882 #endif 883 884 /** 885 * Called after the last reference to the object has been lost. 886 * Must be called holding struct_ mutex 887 * 888 * Frees the object 889 */ 890 void 891 drm_gem_object_free(struct kref *kref) 892 { 893 struct drm_gem_object *obj = (struct drm_gem_object *) kref; 894 struct drm_device *dev = obj->dev; 895 896 BUG_ON(!mutex_is_locked(&dev->struct_mutex)); 897 898 if (dev->driver->gem_free_object != NULL) 899 dev->driver->gem_free_object(obj); 900 } 901 EXPORT_SYMBOL(drm_gem_object_free); 902 903 #ifdef __linux__ 904 905 void drm_gem_vm_open(struct vm_area_struct *vma) 906 { 907 struct drm_gem_object *obj = vma->vm_private_data; 908 909 drm_gem_object_reference(obj); 910 911 mutex_lock(&obj->dev->struct_mutex); 912 drm_vm_open_locked(obj->dev, vma); 913 mutex_unlock(&obj->dev->struct_mutex); 914 } 915 EXPORT_SYMBOL(drm_gem_vm_open); 916 917 void drm_gem_vm_close(struct vm_area_struct *vma) 918 { 919 struct drm_gem_object *obj = vma->vm_private_data; 920 struct drm_device *dev = obj->dev; 921 922 mutex_lock(&dev->struct_mutex); 923 drm_vm_close_locked(obj->dev, vma); 924 drm_gem_object_unreference(obj); 925 mutex_unlock(&dev->struct_mutex); 926 } 927 EXPORT_SYMBOL(drm_gem_vm_close); 928 929 /** 930 * drm_gem_mmap_obj - memory map a GEM object 931 * @obj: the GEM object to map 932 * @obj_size: the object size to be mapped, in bytes 933 * @vma: VMA for the area to be mapped 934 * 935 * Set up the VMA to prepare mapping of the GEM object using the gem_vm_ops 936 * provided by the driver. Depending on their requirements, drivers can either 937 * provide a fault handler in their gem_vm_ops (in which case any accesses to 938 * the object will be trapped, to perform migration, GTT binding, surface 939 * register allocation, or performance monitoring), or mmap the buffer memory 940 * synchronously after calling drm_gem_mmap_obj. 941 * 942 * This function is mainly intended to implement the DMABUF mmap operation, when 943 * the GEM object is not looked up based on its fake offset. To implement the 944 * DRM mmap operation, drivers should use the drm_gem_mmap() function. 945 * 946 * drm_gem_mmap_obj() assumes the user is granted access to the buffer while 947 * drm_gem_mmap() prevents unprivileged users from mapping random objects. So 948 * callers must verify access restrictions before calling this helper. 949 * 950 * NOTE: This function has to be protected with dev->struct_mutex 951 * 952 * Return 0 or success or -EINVAL if the object size is smaller than the VMA 953 * size, or if no gem_vm_ops are provided. 954 */ 955 int drm_gem_mmap_obj(struct drm_gem_object *obj, unsigned long obj_size, 956 struct vm_area_struct *vma) 957 { 958 struct drm_device *dev = obj->dev; 959 960 lockdep_assert_held(&dev->struct_mutex); 961 962 /* Check for valid size. */ 963 if (obj_size < vma->vm_end - vma->vm_start) 964 return -EINVAL; 965 966 if (!dev->driver->gem_vm_ops) 967 return -EINVAL; 968 969 vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; 970 vma->vm_ops = dev->driver->gem_vm_ops; 971 vma->vm_private_data = obj; 972 vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); 973 974 /* Take a ref for this mapping of the object, so that the fault 975 * handler can dereference the mmap offset's pointer to the object. 976 * This reference is cleaned up by the corresponding vm_close 977 * (which should happen whether the vma was created by this call, or 978 * by a vm_open due to mremap or partial unmap or whatever). 979 */ 980 drm_gem_object_reference(obj); 981 982 drm_vm_open_locked(dev, vma); 983 return 0; 984 } 985 EXPORT_SYMBOL(drm_gem_mmap_obj); 986 987 /** 988 * drm_gem_mmap - memory map routine for GEM objects 989 * @filp: DRM file pointer 990 * @vma: VMA for the area to be mapped 991 * 992 * If a driver supports GEM object mapping, mmap calls on the DRM file 993 * descriptor will end up here. 994 * 995 * Look up the GEM object based on the offset passed in (vma->vm_pgoff will 996 * contain the fake offset we created when the GTT map ioctl was called on 997 * the object) and map it with a call to drm_gem_mmap_obj(). 998 * 999 * If the caller is not granted access to the buffer object, the mmap will fail 1000 * with EACCES. Please see the vma manager for more information. 1001 */ 1002 int drm_gem_mmap(struct file *filp, struct vm_area_struct *vma) 1003 { 1004 struct drm_file *priv = filp->private_data; 1005 struct drm_device *dev = priv->minor->dev; 1006 struct drm_gem_object *obj; 1007 struct drm_vma_offset_node *node; 1008 int ret = 0; 1009 1010 if (drm_device_is_unplugged(dev)) 1011 return -ENODEV; 1012 1013 mutex_lock(&dev->struct_mutex); 1014 1015 node = drm_vma_offset_exact_lookup(dev->vma_offset_manager, 1016 vma->vm_pgoff, 1017 vma_pages(vma)); 1018 if (!node) { 1019 mutex_unlock(&dev->struct_mutex); 1020 return drm_mmap(filp, vma); 1021 } else if (!drm_vma_node_is_allowed(node, filp)) { 1022 mutex_unlock(&dev->struct_mutex); 1023 return -EACCES; 1024 } 1025 1026 obj = container_of(node, struct drm_gem_object, vma_node); 1027 ret = drm_gem_mmap_obj(obj, drm_vma_node_size(node) << PAGE_SHIFT, vma); 1028 1029 mutex_unlock(&dev->struct_mutex); 1030 1031 return ret; 1032 } 1033 EXPORT_SYMBOL(drm_gem_mmap); 1034 1035 #endif 1036