1 /* $OpenBSD: drm_gem.c,v 1.3 2016/04/05 20:50:44 kettenis Exp $ */ 2 /* 3 * Copyright © 2008 Intel Corporation 4 * 5 * Permission is hereby granted, free of charge, to any person obtaining a 6 * copy of this software and associated documentation files (the "Software"), 7 * to deal in the Software without restriction, including without limitation 8 * the rights to use, copy, modify, merge, publish, distribute, sublicense, 9 * and/or sell copies of the Software, and to permit persons to whom the 10 * Software is furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice (including the next 13 * paragraph) shall be included in all copies or substantial portions of the 14 * Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 22 * IN THE SOFTWARE. 23 * 24 * Authors: 25 * Eric Anholt <eric@anholt.net> 26 * 27 */ 28 29 #include <dev/pci/drm/drmP.h> 30 #include <dev/pci/drm/drm_vma_manager.h> 31 32 #include <uvm/uvm.h> 33 34 void drm_unref(struct uvm_object *); 35 void drm_ref(struct uvm_object *); 36 boolean_t drm_flush(struct uvm_object *, voff_t, voff_t, int); 37 int drm_fault(struct uvm_faultinfo *, vaddr_t, vm_page_t *, int, int, 38 vm_fault_t, vm_prot_t, int); 39 40 struct uvm_pagerops drm_pgops = { 41 NULL, 42 drm_ref, 43 drm_unref, 44 drm_fault, 45 drm_flush, 46 }; 47 48 void 49 drm_ref(struct uvm_object *uobj) 50 { 51 struct drm_gem_object *obj = 52 container_of(uobj, struct drm_gem_object, uobj); 53 54 drm_gem_object_reference(obj); 55 } 56 57 void 58 drm_unref(struct uvm_object *uobj) 59 { 60 struct drm_gem_object *obj = 61 container_of(uobj, struct drm_gem_object, uobj); 62 63 drm_gem_object_unreference_unlocked(obj); 64 } 65 66 int 67 drm_fault(struct uvm_faultinfo *ufi, vaddr_t vaddr, vm_page_t *pps, 68 int npages, int centeridx, vm_fault_t fault_type, 69 vm_prot_t access_type, int flags) 70 { 71 struct vm_map_entry *entry = ufi->entry; 72 struct uvm_object *uobj = entry->object.uvm_obj; 73 struct drm_gem_object *obj = 74 container_of(uobj, struct drm_gem_object, uobj); 75 struct drm_device *dev = obj->dev; 76 int ret; 77 78 /* 79 * we do not allow device mappings to be mapped copy-on-write 80 * so we kill any attempt to do so here. 81 */ 82 83 if (UVM_ET_ISCOPYONWRITE(entry)) { 84 uvmfault_unlockall(ufi, ufi->entry->aref.ar_amap, uobj, NULL); 85 return(VM_PAGER_ERROR); 86 } 87 88 /* 89 * We could end up here as the result of a copyin(9) or 90 * copyout(9) while handling an ioctl. So we must be careful 91 * not to deadlock. Therefore we only block if the quiesce 92 * count is zero, which guarantees we didn't enter from within 93 * an ioctl code path. 94 */ 95 mtx_enter(&dev->quiesce_mtx); 96 if (dev->quiesce && dev->quiesce_count == 0) { 97 mtx_leave(&dev->quiesce_mtx); 98 uvmfault_unlockall(ufi, ufi->entry->aref.ar_amap, uobj, NULL); 99 mtx_enter(&dev->quiesce_mtx); 100 while (dev->quiesce) { 101 msleep(&dev->quiesce, &dev->quiesce_mtx, 102 PZERO, "drmflt", 0); 103 } 104 mtx_leave(&dev->quiesce_mtx); 105 return(VM_PAGER_REFAULT); 106 } 107 dev->quiesce_count++; 108 mtx_leave(&dev->quiesce_mtx); 109 110 /* Call down into driver to do the magic */ 111 ret = dev->driver->gem_fault(obj, ufi, entry->offset + (vaddr - 112 entry->start), vaddr, pps, npages, centeridx, 113 access_type, flags); 114 115 mtx_enter(&dev->quiesce_mtx); 116 dev->quiesce_count--; 117 if (dev->quiesce) 118 wakeup(&dev->quiesce_count); 119 mtx_leave(&dev->quiesce_mtx); 120 121 return (ret); 122 } 123 124 boolean_t 125 drm_flush(struct uvm_object *uobj, voff_t start, voff_t stop, int flags) 126 { 127 return (TRUE); 128 } 129 130 struct uvm_object * 131 udv_attach_drm(dev_t device, vm_prot_t accessprot, voff_t off, vsize_t size) 132 { 133 struct drm_device *dev = drm_get_device_from_kdev(device); 134 struct drm_gem_object *obj; 135 struct drm_vma_offset_node *node; 136 struct drm_file *priv; 137 struct file *filp; 138 139 if (cdevsw[major(device)].d_mmap != drmmmap) 140 return NULL; 141 142 if (dev == NULL) 143 return NULL; 144 145 if (dev->driver->mmap) 146 return dev->driver->mmap(dev, off, size); 147 148 mutex_lock(&dev->struct_mutex); 149 150 priv = drm_find_file_by_minor(dev, minor(device)); 151 if (priv == 0) { 152 mutex_unlock(&dev->struct_mutex); 153 return NULL; 154 } 155 filp = priv->filp; 156 157 node = drm_vma_offset_exact_lookup(dev->vma_offset_manager, 158 off >> PAGE_SHIFT, 159 atop(round_page(size))); 160 if (!node) { 161 mutex_unlock(&dev->struct_mutex); 162 return NULL; 163 } else if (!drm_vma_node_is_allowed(node, filp)) { 164 mutex_unlock(&dev->struct_mutex); 165 return NULL; 166 } 167 168 obj = container_of(node, struct drm_gem_object, vma_node); 169 drm_gem_object_reference(obj); 170 171 mutex_unlock(&dev->struct_mutex); 172 return &obj->uobj; 173 } 174 175 /** @file drm_gem.c 176 * 177 * This file provides some of the base ioctls and library routines for 178 * the graphics memory manager implemented by each device driver. 179 * 180 * Because various devices have different requirements in terms of 181 * synchronization and migration strategies, implementing that is left up to 182 * the driver, and all that the general API provides should be generic -- 183 * allocating objects, reading/writing data with the cpu, freeing objects. 184 * Even there, platform-dependent optimizations for reading/writing data with 185 * the CPU mean we'll likely hook those out to driver-specific calls. However, 186 * the DRI2 implementation wants to have at least allocate/mmap be generic. 187 * 188 * The goal was to have swap-backed object allocation managed through 189 * struct file. However, file descriptors as handles to a struct file have 190 * two major failings: 191 * - Process limits prevent more than 1024 or so being used at a time by 192 * default. 193 * - Inability to allocate high fds will aggravate the X Server's select() 194 * handling, and likely that of many GL client applications as well. 195 * 196 * This led to a plan of using our own integer IDs (called handles, following 197 * DRM terminology) to mimic fds, and implement the fd syscalls we need as 198 * ioctls. The objects themselves will still include the struct file so 199 * that we can transition to fds if the required kernel infrastructure shows 200 * up at a later date, and as our interface with shmfs for memory allocation. 201 */ 202 203 /* 204 * We make up offsets for buffer objects so we can recognize them at 205 * mmap time. 206 */ 207 208 /* pgoff in mmap is an unsigned long, so we need to make sure that 209 * the faked up offset will fit 210 */ 211 212 #if BITS_PER_LONG == 64 213 #define DRM_FILE_PAGE_OFFSET_START ((0xFFFFFFFFUL >> PAGE_SHIFT) + 1) 214 #define DRM_FILE_PAGE_OFFSET_SIZE ((0xFFFFFFFFUL >> PAGE_SHIFT) * 16) 215 #else 216 #define DRM_FILE_PAGE_OFFSET_START ((0xFFFFFFFUL >> PAGE_SHIFT) + 1) 217 #define DRM_FILE_PAGE_OFFSET_SIZE ((0xFFFFFFFUL >> PAGE_SHIFT) * 16) 218 #endif 219 220 /** 221 * Initialize the GEM device fields 222 */ 223 224 int 225 drm_gem_init(struct drm_device *dev) 226 { 227 struct drm_vma_offset_manager *vma_offset_manager; 228 229 rw_init(&dev->object_name_lock, "drmonl"); 230 idr_init(&dev->object_name_idr); 231 232 vma_offset_manager = kzalloc(sizeof(*vma_offset_manager), GFP_KERNEL); 233 if (!vma_offset_manager) { 234 DRM_ERROR("out of memory\n"); 235 return -ENOMEM; 236 } 237 238 dev->vma_offset_manager = vma_offset_manager; 239 drm_vma_offset_manager_init(vma_offset_manager, 240 DRM_FILE_PAGE_OFFSET_START, 241 DRM_FILE_PAGE_OFFSET_SIZE); 242 243 return 0; 244 } 245 246 void 247 drm_gem_destroy(struct drm_device *dev) 248 { 249 250 drm_vma_offset_manager_destroy(dev->vma_offset_manager); 251 kfree(dev->vma_offset_manager); 252 dev->vma_offset_manager = NULL; 253 } 254 255 #ifdef __linux__ 256 257 /** 258 * Initialize an already allocated GEM object of the specified size with 259 * shmfs backing store. 260 */ 261 int drm_gem_object_init(struct drm_device *dev, 262 struct drm_gem_object *obj, size_t size) 263 { 264 struct file *filp; 265 266 drm_gem_private_object_init(dev, obj, size); 267 268 filp = shmem_file_setup("drm mm object", size, VM_NORESERVE); 269 if (IS_ERR(filp)) 270 return PTR_ERR(filp); 271 272 obj->filp = filp; 273 274 return 0; 275 } 276 EXPORT_SYMBOL(drm_gem_object_init); 277 278 #else 279 280 int drm_gem_object_init(struct drm_device *dev, 281 struct drm_gem_object *obj, size_t size) 282 { 283 drm_gem_private_object_init(dev, obj, size); 284 285 obj->uao = uao_create(size, 0); 286 uvm_objinit(&obj->uobj, &drm_pgops, 1); 287 288 atomic_inc(&dev->obj_count); 289 atomic_add(obj->size, &dev->obj_memory); 290 291 return 0; 292 } 293 294 #endif 295 296 /** 297 * Initialize an already allocated GEM object of the specified size with 298 * no GEM provided backing store. Instead the caller is responsible for 299 * backing the object and handling it. 300 */ 301 void drm_gem_private_object_init(struct drm_device *dev, 302 struct drm_gem_object *obj, size_t size) 303 { 304 BUG_ON((size & (PAGE_SIZE - 1)) != 0); 305 306 obj->dev = dev; 307 obj->filp = NULL; 308 309 kref_init(&obj->refcount); 310 obj->handle_count = 0; 311 obj->size = size; 312 drm_vma_node_reset(&obj->vma_node); 313 } 314 EXPORT_SYMBOL(drm_gem_private_object_init); 315 316 static void 317 drm_gem_remove_prime_handles(struct drm_gem_object *obj, struct drm_file *filp) 318 { 319 #ifdef __linux__ 320 /* 321 * Note: obj->dma_buf can't disappear as long as we still hold a 322 * handle reference in obj->handle_count. 323 */ 324 mutex_lock(&filp->prime.lock); 325 if (obj->dma_buf) { 326 drm_prime_remove_buf_handle_locked(&filp->prime, 327 obj->dma_buf); 328 } 329 mutex_unlock(&filp->prime.lock); 330 #endif 331 } 332 333 /** 334 * Called after the last handle to the object has been closed 335 * 336 * Removes any name for the object. Note that this must be 337 * called before drm_gem_object_free or we'll be touching 338 * freed memory 339 */ 340 static void drm_gem_object_handle_free(struct drm_gem_object *obj) 341 { 342 struct drm_device *dev = obj->dev; 343 344 /* Remove any name for this object */ 345 if (obj->name) { 346 idr_remove(&dev->object_name_idr, obj->name); 347 obj->name = 0; 348 } 349 } 350 351 static void drm_gem_object_exported_dma_buf_free(struct drm_gem_object *obj) 352 { 353 #ifdef __linux__ 354 /* Unbreak the reference cycle if we have an exported dma_buf. */ 355 if (obj->dma_buf) { 356 dma_buf_put(obj->dma_buf); 357 obj->dma_buf = NULL; 358 } 359 #endif 360 } 361 362 static void 363 drm_gem_object_handle_unreference_unlocked(struct drm_gem_object *obj) 364 { 365 if (WARN_ON(obj->handle_count == 0)) 366 return; 367 368 /* 369 * Must bump handle count first as this may be the last 370 * ref, in which case the object would disappear before we 371 * checked for a name 372 */ 373 374 mutex_lock(&obj->dev->object_name_lock); 375 if (--obj->handle_count == 0) { 376 drm_gem_object_handle_free(obj); 377 drm_gem_object_exported_dma_buf_free(obj); 378 } 379 mutex_unlock(&obj->dev->object_name_lock); 380 381 drm_gem_object_unreference_unlocked(obj); 382 } 383 384 /** 385 * Removes the mapping from handle to filp for this object. 386 */ 387 int 388 drm_gem_handle_delete(struct drm_file *filp, u32 handle) 389 { 390 struct drm_device *dev; 391 struct drm_gem_object *obj; 392 393 /* This is gross. The idr system doesn't let us try a delete and 394 * return an error code. It just spews if you fail at deleting. 395 * So, we have to grab a lock around finding the object and then 396 * doing the delete on it and dropping the refcount, or the user 397 * could race us to double-decrement the refcount and cause a 398 * use-after-free later. Given the frequency of our handle lookups, 399 * we may want to use ida for number allocation and a hash table 400 * for the pointers, anyway. 401 */ 402 spin_lock(&filp->table_lock); 403 404 /* Check if we currently have a reference on the object */ 405 obj = idr_find(&filp->object_idr, handle); 406 if (obj == NULL) { 407 spin_unlock(&filp->table_lock); 408 return -EINVAL; 409 } 410 dev = obj->dev; 411 412 /* Release reference and decrement refcount. */ 413 idr_remove(&filp->object_idr, handle); 414 spin_unlock(&filp->table_lock); 415 416 if (drm_core_check_feature(dev, DRIVER_PRIME)) 417 drm_gem_remove_prime_handles(obj, filp); 418 drm_vma_node_revoke(&obj->vma_node, filp->filp); 419 420 if (dev->driver->gem_close_object) 421 dev->driver->gem_close_object(obj, filp); 422 drm_gem_object_handle_unreference_unlocked(obj); 423 424 return 0; 425 } 426 EXPORT_SYMBOL(drm_gem_handle_delete); 427 428 /** 429 * drm_gem_dumb_destroy - dumb fb callback helper for gem based drivers 430 * 431 * This implements the ->dumb_destroy kms driver callback for drivers which use 432 * gem to manage their backing storage. 433 */ 434 int drm_gem_dumb_destroy(struct drm_file *file, 435 struct drm_device *dev, 436 uint32_t handle) 437 { 438 return drm_gem_handle_delete(file, handle); 439 } 440 EXPORT_SYMBOL(drm_gem_dumb_destroy); 441 442 /** 443 * drm_gem_handle_create_tail - internal functions to create a handle 444 * 445 * This expects the dev->object_name_lock to be held already and will drop it 446 * before returning. Used to avoid races in establishing new handles when 447 * importing an object from either an flink name or a dma-buf. 448 */ 449 int 450 drm_gem_handle_create_tail(struct drm_file *file_priv, 451 struct drm_gem_object *obj, 452 u32 *handlep) 453 { 454 struct drm_device *dev = obj->dev; 455 int ret; 456 457 WARN_ON(!mutex_is_locked(&dev->object_name_lock)); 458 459 /* 460 * Get the user-visible handle using idr. Preload and perform 461 * allocation under our spinlock. 462 */ 463 idr_preload(GFP_KERNEL); 464 spin_lock(&file_priv->table_lock); 465 466 ret = idr_alloc(&file_priv->object_idr, obj, 1, 0, GFP_NOWAIT); 467 drm_gem_object_reference(obj); 468 obj->handle_count++; 469 spin_unlock(&file_priv->table_lock); 470 idr_preload_end(); 471 mutex_unlock(&dev->object_name_lock); 472 if (ret < 0) { 473 drm_gem_object_handle_unreference_unlocked(obj); 474 return ret; 475 } 476 *handlep = ret; 477 478 ret = drm_vma_node_allow(&obj->vma_node, file_priv->filp); 479 if (ret) { 480 drm_gem_handle_delete(file_priv, *handlep); 481 return ret; 482 } 483 484 if (dev->driver->gem_open_object) { 485 ret = dev->driver->gem_open_object(obj, file_priv); 486 if (ret) { 487 drm_gem_handle_delete(file_priv, *handlep); 488 return ret; 489 } 490 } 491 492 return 0; 493 } 494 495 /** 496 * Create a handle for this object. This adds a handle reference 497 * to the object, which includes a regular reference count. Callers 498 * will likely want to dereference the object afterwards. 499 */ 500 int 501 drm_gem_handle_create(struct drm_file *file_priv, 502 struct drm_gem_object *obj, 503 u32 *handlep) 504 { 505 mutex_lock(&obj->dev->object_name_lock); 506 507 return drm_gem_handle_create_tail(file_priv, obj, handlep); 508 } 509 EXPORT_SYMBOL(drm_gem_handle_create); 510 511 512 /** 513 * drm_gem_free_mmap_offset - release a fake mmap offset for an object 514 * @obj: obj in question 515 * 516 * This routine frees fake offsets allocated by drm_gem_create_mmap_offset(). 517 */ 518 void 519 drm_gem_free_mmap_offset(struct drm_gem_object *obj) 520 { 521 struct drm_device *dev = obj->dev; 522 523 drm_vma_offset_remove(dev->vma_offset_manager, &obj->vma_node); 524 } 525 EXPORT_SYMBOL(drm_gem_free_mmap_offset); 526 527 /** 528 * drm_gem_create_mmap_offset_size - create a fake mmap offset for an object 529 * @obj: obj in question 530 * @size: the virtual size 531 * 532 * GEM memory mapping works by handing back to userspace a fake mmap offset 533 * it can use in a subsequent mmap(2) call. The DRM core code then looks 534 * up the object based on the offset and sets up the various memory mapping 535 * structures. 536 * 537 * This routine allocates and attaches a fake offset for @obj, in cases where 538 * the virtual size differs from the physical size (ie. obj->size). Otherwise 539 * just use drm_gem_create_mmap_offset(). 540 */ 541 int 542 drm_gem_create_mmap_offset_size(struct drm_gem_object *obj, size_t size) 543 { 544 struct drm_device *dev = obj->dev; 545 546 return drm_vma_offset_add(dev->vma_offset_manager, &obj->vma_node, 547 size / PAGE_SIZE); 548 } 549 EXPORT_SYMBOL(drm_gem_create_mmap_offset_size); 550 551 /** 552 * drm_gem_create_mmap_offset - create a fake mmap offset for an object 553 * @obj: obj in question 554 * 555 * GEM memory mapping works by handing back to userspace a fake mmap offset 556 * it can use in a subsequent mmap(2) call. The DRM core code then looks 557 * up the object based on the offset and sets up the various memory mapping 558 * structures. 559 * 560 * This routine allocates and attaches a fake offset for @obj. 561 */ 562 int drm_gem_create_mmap_offset(struct drm_gem_object *obj) 563 { 564 return drm_gem_create_mmap_offset_size(obj, obj->size); 565 } 566 EXPORT_SYMBOL(drm_gem_create_mmap_offset); 567 568 #ifdef __linux__ 569 570 /** 571 * drm_gem_get_pages - helper to allocate backing pages for a GEM object 572 * from shmem 573 * @obj: obj in question 574 * @gfpmask: gfp mask of requested pages 575 */ 576 struct page **drm_gem_get_pages(struct drm_gem_object *obj, gfp_t gfpmask) 577 { 578 struct inode *inode; 579 struct address_space *mapping; 580 struct page *p, **pages; 581 int i, npages; 582 583 /* This is the shared memory object that backs the GEM resource */ 584 inode = file_inode(obj->filp); 585 mapping = inode->i_mapping; 586 587 /* We already BUG_ON() for non-page-aligned sizes in 588 * drm_gem_object_init(), so we should never hit this unless 589 * driver author is doing something really wrong: 590 */ 591 WARN_ON((obj->size & (PAGE_SIZE - 1)) != 0); 592 593 npages = obj->size >> PAGE_SHIFT; 594 595 pages = drm_malloc_ab(npages, sizeof(struct page *)); 596 if (pages == NULL) 597 return ERR_PTR(-ENOMEM); 598 599 gfpmask |= mapping_gfp_mask(mapping); 600 601 for (i = 0; i < npages; i++) { 602 p = shmem_read_mapping_page_gfp(mapping, i, gfpmask); 603 if (IS_ERR(p)) 604 goto fail; 605 pages[i] = p; 606 607 /* There is a hypothetical issue w/ drivers that require 608 * buffer memory in the low 4GB.. if the pages are un- 609 * pinned, and swapped out, they can end up swapped back 610 * in above 4GB. If pages are already in memory, then 611 * shmem_read_mapping_page_gfp will ignore the gfpmask, 612 * even if the already in-memory page disobeys the mask. 613 * 614 * It is only a theoretical issue today, because none of 615 * the devices with this limitation can be populated with 616 * enough memory to trigger the issue. But this BUG_ON() 617 * is here as a reminder in case the problem with 618 * shmem_read_mapping_page_gfp() isn't solved by the time 619 * it does become a real issue. 620 * 621 * See this thread: http://lkml.org/lkml/2011/7/11/238 622 */ 623 BUG_ON((gfpmask & __GFP_DMA32) && 624 (page_to_pfn(p) >= 0x00100000UL)); 625 } 626 627 return pages; 628 629 fail: 630 while (i--) 631 page_cache_release(pages[i]); 632 633 drm_free_large(pages); 634 return ERR_CAST(p); 635 } 636 EXPORT_SYMBOL(drm_gem_get_pages); 637 638 /** 639 * drm_gem_put_pages - helper to free backing pages for a GEM object 640 * @obj: obj in question 641 * @pages: pages to free 642 * @dirty: if true, pages will be marked as dirty 643 * @accessed: if true, the pages will be marked as accessed 644 */ 645 void drm_gem_put_pages(struct drm_gem_object *obj, struct page **pages, 646 bool dirty, bool accessed) 647 { 648 int i, npages; 649 650 /* We already BUG_ON() for non-page-aligned sizes in 651 * drm_gem_object_init(), so we should never hit this unless 652 * driver author is doing something really wrong: 653 */ 654 WARN_ON((obj->size & (PAGE_SIZE - 1)) != 0); 655 656 npages = obj->size >> PAGE_SHIFT; 657 658 for (i = 0; i < npages; i++) { 659 if (dirty) 660 set_page_dirty(pages[i]); 661 662 if (accessed) 663 mark_page_accessed(pages[i]); 664 665 /* Undo the reference we took when populating the table */ 666 page_cache_release(pages[i]); 667 } 668 669 drm_free_large(pages); 670 } 671 EXPORT_SYMBOL(drm_gem_put_pages); 672 673 #endif 674 675 /** Returns a reference to the object named by the handle. */ 676 struct drm_gem_object * 677 drm_gem_object_lookup(struct drm_device *dev, struct drm_file *filp, 678 u32 handle) 679 { 680 struct drm_gem_object *obj; 681 682 spin_lock(&filp->table_lock); 683 684 /* Check if we currently have a reference on the object */ 685 obj = idr_find(&filp->object_idr, handle); 686 if (obj == NULL) { 687 spin_unlock(&filp->table_lock); 688 return NULL; 689 } 690 691 drm_gem_object_reference(obj); 692 693 spin_unlock(&filp->table_lock); 694 695 return obj; 696 } 697 EXPORT_SYMBOL(drm_gem_object_lookup); 698 699 /** 700 * Releases the handle to an mm object. 701 */ 702 int 703 drm_gem_close_ioctl(struct drm_device *dev, void *data, 704 struct drm_file *file_priv) 705 { 706 struct drm_gem_close *args = data; 707 int ret; 708 709 if (!(dev->driver->driver_features & DRIVER_GEM)) 710 return -ENODEV; 711 712 ret = drm_gem_handle_delete(file_priv, args->handle); 713 714 return ret; 715 } 716 717 /** 718 * Create a global name for an object, returning the name. 719 * 720 * Note that the name does not hold a reference; when the object 721 * is freed, the name goes away. 722 */ 723 int 724 drm_gem_flink_ioctl(struct drm_device *dev, void *data, 725 struct drm_file *file_priv) 726 { 727 struct drm_gem_flink *args = data; 728 struct drm_gem_object *obj; 729 int ret; 730 731 if (!(dev->driver->driver_features & DRIVER_GEM)) 732 return -ENODEV; 733 734 obj = drm_gem_object_lookup(dev, file_priv, args->handle); 735 if (obj == NULL) 736 return -ENOENT; 737 738 mutex_lock(&dev->object_name_lock); 739 idr_preload(GFP_KERNEL); 740 /* prevent races with concurrent gem_close. */ 741 if (obj->handle_count == 0) { 742 ret = -ENOENT; 743 goto err; 744 } 745 746 if (!obj->name) { 747 ret = idr_alloc(&dev->object_name_idr, obj, 1, 0, GFP_NOWAIT); 748 if (ret < 0) 749 goto err; 750 751 obj->name = ret; 752 } 753 754 args->name = (uint64_t) obj->name; 755 ret = 0; 756 757 err: 758 idr_preload_end(); 759 mutex_unlock(&dev->object_name_lock); 760 drm_gem_object_unreference_unlocked(obj); 761 return ret; 762 } 763 764 /** 765 * Open an object using the global name, returning a handle and the size. 766 * 767 * This handle (of course) holds a reference to the object, so the object 768 * will not go away until the handle is deleted. 769 */ 770 int 771 drm_gem_open_ioctl(struct drm_device *dev, void *data, 772 struct drm_file *file_priv) 773 { 774 struct drm_gem_open *args = data; 775 struct drm_gem_object *obj; 776 int ret; 777 u32 handle; 778 779 if (!(dev->driver->driver_features & DRIVER_GEM)) 780 return -ENODEV; 781 782 mutex_lock(&dev->object_name_lock); 783 obj = idr_find(&dev->object_name_idr, (int) args->name); 784 if (obj) { 785 drm_gem_object_reference(obj); 786 } else { 787 mutex_unlock(&dev->object_name_lock); 788 return -ENOENT; 789 } 790 791 /* drm_gem_handle_create_tail unlocks dev->object_name_lock. */ 792 ret = drm_gem_handle_create_tail(file_priv, obj, &handle); 793 drm_gem_object_unreference_unlocked(obj); 794 if (ret) 795 return ret; 796 797 args->handle = handle; 798 args->size = obj->size; 799 800 return 0; 801 } 802 803 /** 804 * Called at device open time, sets up the structure for handling refcounting 805 * of mm objects. 806 */ 807 void 808 drm_gem_open(struct drm_device *dev, struct drm_file *file_private) 809 { 810 idr_init(&file_private->object_idr); 811 mtx_init(&file_private->table_lock, IPL_NONE); 812 } 813 814 /** 815 * Called at device close to release the file's 816 * handle references on objects. 817 */ 818 static int 819 drm_gem_object_release_handle(int id, void *ptr, void *data) 820 { 821 struct drm_file *file_priv = data; 822 struct drm_gem_object *obj = ptr; 823 struct drm_device *dev = obj->dev; 824 825 if (drm_core_check_feature(dev, DRIVER_PRIME)) 826 drm_gem_remove_prime_handles(obj, file_priv); 827 drm_vma_node_revoke(&obj->vma_node, file_priv->filp); 828 829 if (dev->driver->gem_close_object) 830 dev->driver->gem_close_object(obj, file_priv); 831 832 drm_gem_object_handle_unreference_unlocked(obj); 833 834 return 0; 835 } 836 837 /** 838 * Called at close time when the filp is going away. 839 * 840 * Releases any remaining references on objects by this filp. 841 */ 842 void 843 drm_gem_release(struct drm_device *dev, struct drm_file *file_private) 844 { 845 idr_for_each(&file_private->object_idr, 846 &drm_gem_object_release_handle, file_private); 847 idr_destroy(&file_private->object_idr); 848 } 849 850 #ifdef __linux__ 851 852 void 853 drm_gem_object_release(struct drm_gem_object *obj) 854 { 855 WARN_ON(obj->dma_buf); 856 857 if (obj->filp) 858 fput(obj->filp); 859 } 860 EXPORT_SYMBOL(drm_gem_object_release); 861 862 #else 863 864 void 865 drm_gem_object_release(struct drm_gem_object *obj) 866 { 867 struct drm_device *dev = obj->dev; 868 869 if (obj->uao) 870 uao_detach(obj->uao); 871 872 atomic_dec(&dev->obj_count); 873 atomic_sub(obj->size, &dev->obj_memory); 874 } 875 876 #endif 877 878 /** 879 * Called after the last reference to the object has been lost. 880 * Must be called holding struct_ mutex 881 * 882 * Frees the object 883 */ 884 void 885 drm_gem_object_free(struct kref *kref) 886 { 887 struct drm_gem_object *obj = (struct drm_gem_object *) kref; 888 struct drm_device *dev = obj->dev; 889 890 BUG_ON(!mutex_is_locked(&dev->struct_mutex)); 891 892 if (dev->driver->gem_free_object != NULL) 893 dev->driver->gem_free_object(obj); 894 } 895 EXPORT_SYMBOL(drm_gem_object_free); 896 897 #ifdef __linux__ 898 899 void drm_gem_vm_open(struct vm_area_struct *vma) 900 { 901 struct drm_gem_object *obj = vma->vm_private_data; 902 903 drm_gem_object_reference(obj); 904 905 mutex_lock(&obj->dev->struct_mutex); 906 drm_vm_open_locked(obj->dev, vma); 907 mutex_unlock(&obj->dev->struct_mutex); 908 } 909 EXPORT_SYMBOL(drm_gem_vm_open); 910 911 void drm_gem_vm_close(struct vm_area_struct *vma) 912 { 913 struct drm_gem_object *obj = vma->vm_private_data; 914 struct drm_device *dev = obj->dev; 915 916 mutex_lock(&dev->struct_mutex); 917 drm_vm_close_locked(obj->dev, vma); 918 drm_gem_object_unreference(obj); 919 mutex_unlock(&dev->struct_mutex); 920 } 921 EXPORT_SYMBOL(drm_gem_vm_close); 922 923 /** 924 * drm_gem_mmap_obj - memory map a GEM object 925 * @obj: the GEM object to map 926 * @obj_size: the object size to be mapped, in bytes 927 * @vma: VMA for the area to be mapped 928 * 929 * Set up the VMA to prepare mapping of the GEM object using the gem_vm_ops 930 * provided by the driver. Depending on their requirements, drivers can either 931 * provide a fault handler in their gem_vm_ops (in which case any accesses to 932 * the object will be trapped, to perform migration, GTT binding, surface 933 * register allocation, or performance monitoring), or mmap the buffer memory 934 * synchronously after calling drm_gem_mmap_obj. 935 * 936 * This function is mainly intended to implement the DMABUF mmap operation, when 937 * the GEM object is not looked up based on its fake offset. To implement the 938 * DRM mmap operation, drivers should use the drm_gem_mmap() function. 939 * 940 * drm_gem_mmap_obj() assumes the user is granted access to the buffer while 941 * drm_gem_mmap() prevents unprivileged users from mapping random objects. So 942 * callers must verify access restrictions before calling this helper. 943 * 944 * NOTE: This function has to be protected with dev->struct_mutex 945 * 946 * Return 0 or success or -EINVAL if the object size is smaller than the VMA 947 * size, or if no gem_vm_ops are provided. 948 */ 949 int drm_gem_mmap_obj(struct drm_gem_object *obj, unsigned long obj_size, 950 struct vm_area_struct *vma) 951 { 952 struct drm_device *dev = obj->dev; 953 954 lockdep_assert_held(&dev->struct_mutex); 955 956 /* Check for valid size. */ 957 if (obj_size < vma->vm_end - vma->vm_start) 958 return -EINVAL; 959 960 if (!dev->driver->gem_vm_ops) 961 return -EINVAL; 962 963 vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; 964 vma->vm_ops = dev->driver->gem_vm_ops; 965 vma->vm_private_data = obj; 966 vma->vm_page_prot = pgprot_writecombine(vm_get_page_prot(vma->vm_flags)); 967 968 /* Take a ref for this mapping of the object, so that the fault 969 * handler can dereference the mmap offset's pointer to the object. 970 * This reference is cleaned up by the corresponding vm_close 971 * (which should happen whether the vma was created by this call, or 972 * by a vm_open due to mremap or partial unmap or whatever). 973 */ 974 drm_gem_object_reference(obj); 975 976 drm_vm_open_locked(dev, vma); 977 return 0; 978 } 979 EXPORT_SYMBOL(drm_gem_mmap_obj); 980 981 /** 982 * drm_gem_mmap - memory map routine for GEM objects 983 * @filp: DRM file pointer 984 * @vma: VMA for the area to be mapped 985 * 986 * If a driver supports GEM object mapping, mmap calls on the DRM file 987 * descriptor will end up here. 988 * 989 * Look up the GEM object based on the offset passed in (vma->vm_pgoff will 990 * contain the fake offset we created when the GTT map ioctl was called on 991 * the object) and map it with a call to drm_gem_mmap_obj(). 992 * 993 * If the caller is not granted access to the buffer object, the mmap will fail 994 * with EACCES. Please see the vma manager for more information. 995 */ 996 int drm_gem_mmap(struct file *filp, struct vm_area_struct *vma) 997 { 998 struct drm_file *priv = filp->private_data; 999 struct drm_device *dev = priv->minor->dev; 1000 struct drm_gem_object *obj; 1001 struct drm_vma_offset_node *node; 1002 int ret = 0; 1003 1004 if (drm_device_is_unplugged(dev)) 1005 return -ENODEV; 1006 1007 mutex_lock(&dev->struct_mutex); 1008 1009 node = drm_vma_offset_exact_lookup(dev->vma_offset_manager, 1010 vma->vm_pgoff, 1011 vma_pages(vma)); 1012 if (!node) { 1013 mutex_unlock(&dev->struct_mutex); 1014 return drm_mmap(filp, vma); 1015 } else if (!drm_vma_node_is_allowed(node, filp)) { 1016 mutex_unlock(&dev->struct_mutex); 1017 return -EACCES; 1018 } 1019 1020 obj = container_of(node, struct drm_gem_object, vma_node); 1021 ret = drm_gem_mmap_obj(obj, drm_vma_node_size(node) << PAGE_SHIFT, vma); 1022 1023 mutex_unlock(&dev->struct_mutex); 1024 1025 return ret; 1026 } 1027 EXPORT_SYMBOL(drm_gem_mmap); 1028 1029 #endif 1030