xref: /dragonfly/sys/dev/drm/drm_bufs.c (revision 3f2dd94a)
1 /*
2  * Legacy: Generic DRM Buffer Management
3  *
4  * Copyright 1999, 2000 Precision Insight, Inc., Cedar Park, Texas.
5  * Copyright 2000 VA Linux Systems, Inc., Sunnyvale, California.
6  * All Rights Reserved.
7  *
8  * Author: Rickard E. (Rik) Faith <faith@valinux.com>
9  * Author: Gareth Hughes <gareth@valinux.com>
10  *
11  * Permission is hereby granted, free of charge, to any person obtaining a
12  * copy of this software and associated documentation files (the "Software"),
13  * to deal in the Software without restriction, including without limitation
14  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
15  * and/or sell copies of the Software, and to permit persons to whom the
16  * Software is furnished to do so, subject to the following conditions:
17  *
18  * The above copyright notice and this permission notice (including the next
19  * paragraph) shall be included in all copies or substantial portions of the
20  * Software.
21  *
22  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
23  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
24  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
25  * VA LINUX SYSTEMS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR
26  * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
27  * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
28  * OTHER DEALINGS IN THE SOFTWARE.
29  */
30 
31 #include <linux/vmalloc.h>
32 #include <linux/slab.h>
33 #include <linux/log2.h>
34 #include <linux/export.h>
35 #include <asm/shmparam.h>
36 #include <drm/drmP.h>
37 #include "drm_legacy.h"
38 
39 #include <sys/conf.h>
40 #include <sys/mman.h>
41 #include <vm/vm_map.h>
42 
drm_find_matching_map(struct drm_device * dev,struct drm_local_map * map)43 static struct drm_map_list *drm_find_matching_map(struct drm_device *dev,
44 						  struct drm_local_map *map)
45 {
46 	struct drm_map_list *entry;
47 	list_for_each_entry(entry, &dev->maplist, head) {
48 		/*
49 		 * Because the kernel-userspace ABI is fixed at a 32-bit offset
50 		 * while PCI resources may live above that, we only compare the
51 		 * lower 32 bits of the map offset for maps of type
52 		 * _DRM_FRAMEBUFFER or _DRM_REGISTERS.
53 		 * It is assumed that if a driver have more than one resource
54 		 * of each type, the lower 32 bits are different.
55 		 */
56 		if (!entry->map ||
57 		    map->type != entry->map->type ||
58 		    entry->master != dev->master)
59 			continue;
60 		switch (map->type) {
61 		case _DRM_SHM:
62 			if (map->flags != _DRM_CONTAINS_LOCK)
63 				break;
64 			return entry;
65 		case _DRM_REGISTERS:
66 		case _DRM_FRAME_BUFFER:
67 			if ((entry->map->offset & 0xffffffff) ==
68 			    (map->offset & 0xffffffff))
69 				return entry;
70 		default: /* Make gcc happy */
71 			;
72 		}
73 		if (entry->map->offset == map->offset)
74 			return entry;
75 	}
76 
77 	return NULL;
78 }
79 
drm_map_handle(struct drm_device * dev,struct drm_hash_item * hash,unsigned long user_token,int hashed_handle,int shm)80 static int drm_map_handle(struct drm_device *dev, struct drm_hash_item *hash,
81 			  unsigned long user_token, int hashed_handle, int shm)
82 {
83 	int use_hashed_handle, shift;
84 	unsigned long add;
85 
86 #if (BITS_PER_LONG == 64)
87 	use_hashed_handle = ((user_token & 0xFFFFFFFF00000000UL) || hashed_handle);
88 #elif (BITS_PER_LONG == 32)
89 	use_hashed_handle = hashed_handle;
90 #else
91 #error Unsupported long size. Neither 64 nor 32 bits.
92 #endif
93 
94 	if (!use_hashed_handle) {
95 		int ret;
96 		hash->key = user_token >> PAGE_SHIFT;
97 		ret = drm_ht_insert_item(&dev->map_hash, hash);
98 		if (ret != -EINVAL)
99 			return ret;
100 	}
101 
102 	shift = 0;
103 	add = DRM_MAP_HASH_OFFSET >> PAGE_SHIFT;
104 	if (shm && (SHMLBA > PAGE_SIZE)) {
105 		int bits = ilog2(SHMLBA >> PAGE_SHIFT) + 1;
106 
107 		/* For shared memory, we have to preserve the SHMLBA
108 		 * bits of the eventual vma->vm_pgoff value during
109 		 * mmap().  Otherwise we run into cache aliasing problems
110 		 * on some platforms.  On these platforms, the pgoff of
111 		 * a mmap() request is used to pick a suitable virtual
112 		 * address for the mmap() region such that it will not
113 		 * cause cache aliasing problems.
114 		 *
115 		 * Therefore, make sure the SHMLBA relevant bits of the
116 		 * hash value we use are equal to those in the original
117 		 * kernel virtual address.
118 		 */
119 		shift = bits;
120 		add |= ((user_token >> PAGE_SHIFT) & ((1UL << bits) - 1UL));
121 	}
122 
123 	return drm_ht_just_insert_please(&dev->map_hash, hash,
124 					 user_token, 32 - PAGE_SHIFT - 3,
125 					 shift, add);
126 }
127 
128 /**
129  * Core function to create a range of memory available for mapping by a
130  * non-root process.
131  *
132  * Adjusts the memory offset to its absolute value according to the mapping
133  * type.  Adds the map to the map list drm_device::maplist. Adds MTRR's where
134  * applicable and if supported by the kernel.
135  */
drm_addmap_core(struct drm_device * dev,resource_size_t offset,unsigned int size,enum drm_map_type type,enum drm_map_flags flags,struct drm_map_list ** maplist)136 static int drm_addmap_core(struct drm_device * dev, resource_size_t offset,
137 			   unsigned int size, enum drm_map_type type,
138 			   enum drm_map_flags flags,
139 			   struct drm_map_list ** maplist)
140 {
141 	struct drm_local_map *map;
142 	struct drm_map_list *list;
143 	drm_dma_handle_t *dmah;
144 	unsigned long user_token;
145 	int ret;
146 
147 	map = kmalloc(sizeof(*map), M_DRM, GFP_KERNEL);
148 	if (!map)
149 		return -ENOMEM;
150 
151 	map->offset = offset;
152 	map->size = size;
153 	map->flags = flags;
154 	map->type = type;
155 
156 	/* Only allow shared memory to be removable since we only keep enough
157 	 * book keeping information about shared memory to allow for removal
158 	 * when processes fork.
159 	 */
160 	if ((map->flags & _DRM_REMOVABLE) && map->type != _DRM_SHM) {
161 		kfree(map);
162 		return -EINVAL;
163 	}
164 	DRM_DEBUG("offset = 0x%08llx, size = 0x%08lx, type = %d\n",
165 		  (unsigned long long)map->offset, map->size, map->type);
166 
167 	/* page-align _DRM_SHM maps. They are allocated here so there is no security
168 	 * hole created by that and it works around various broken drivers that use
169 	 * a non-aligned quantity to map the SAREA. --BenH
170 	 */
171 	if (map->type == _DRM_SHM)
172 		map->size = PAGE_ALIGN(map->size);
173 
174 	if ((map->offset & (~(resource_size_t) LINUX_PAGE_MASK)) || (map->size & (~LINUX_PAGE_MASK))) {
175 		kfree(map);
176 		return -EINVAL;
177 	}
178 	map->mtrr = -1;
179 	map->handle = NULL;
180 
181 	switch (map->type) {
182 	case _DRM_REGISTERS:
183 	case _DRM_FRAME_BUFFER:
184 #if !defined(__sparc__) && !defined(__alpha__) && !defined(__ia64__) && !defined(__powerpc64__) && !defined(__x86_64__) && !defined(__arm__)
185 		if (map->offset + (map->size-1) < map->offset ||
186 		    map->offset < virt_to_phys(high_memory)) {
187 			kfree(map);
188 			return -EINVAL;
189 		}
190 #endif
191 		/* Some drivers preinitialize some maps, without the X Server
192 		 * needing to be aware of it.  Therefore, we just return success
193 		 * when the server tries to create a duplicate map.
194 		 */
195 		list = drm_find_matching_map(dev, map);
196 		if (list != NULL) {
197 			if (list->map->size != map->size) {
198 				DRM_DEBUG("Matching maps of type %d with "
199 					  "mismatched sizes, (%ld vs %ld)\n",
200 					  map->type, map->size,
201 					  list->map->size);
202 				list->map->size = map->size;
203 			}
204 
205 			kfree(map);
206 			*maplist = list;
207 			return 0;
208 		}
209 
210 		if (map->type == _DRM_FRAME_BUFFER ||
211 		    (map->flags & _DRM_WRITE_COMBINING)) {
212 			map->mtrr =
213 				arch_phys_wc_add(map->offset, map->size);
214 		}
215 		if (map->type == _DRM_REGISTERS) {
216 			if (map->flags & _DRM_WRITE_COMBINING)
217 				map->handle = ioremap_wc(map->offset,
218 							 map->size);
219 			else
220 				map->handle = ioremap(map->offset, map->size);
221 			if (!map->handle) {
222 				kfree(map);
223 				return -ENOMEM;
224 			}
225 		}
226 
227 		break;
228 	case _DRM_SHM:
229 		list = drm_find_matching_map(dev, map);
230 		if (list != NULL) {
231 			if(list->map->size != map->size) {
232 				DRM_DEBUG("Matching maps of type %d with "
233 					  "mismatched sizes, (%ld vs %ld)\n",
234 					  map->type, map->size, list->map->size);
235 				list->map->size = map->size;
236 			}
237 
238 			kfree(map);
239 			*maplist = list;
240 			return 0;
241 		}
242 		map->handle = vmalloc_user(map->size);
243 		DRM_DEBUG("%lu %d %p\n",
244 			  map->size, order_base_2(map->size), map->handle);
245 		if (!map->handle) {
246 			kfree(map);
247 			return -ENOMEM;
248 		}
249 		map->offset = (unsigned long)map->handle;
250 		if (map->flags & _DRM_CONTAINS_LOCK) {
251 			/* Prevent a 2nd X Server from creating a 2nd lock */
252 			if (dev->master->lock.hw_lock != NULL) {
253 				vfree(map->handle);
254 				kfree(map);
255 				return -EBUSY;
256 			}
257 			dev->sigdata.lock = dev->master->lock.hw_lock = map->handle;	/* Pointer to lock */
258 		}
259 		break;
260 	case _DRM_AGP: {
261 #if 0
262 		struct drm_agp_mem *entry;
263 		int valid = 0;
264 
265 		if (!dev->agp) {
266 			kfree(map);
267 			return -EINVAL;
268 		}
269 #ifdef __alpha__
270 		map->offset += dev->hose->mem_space->start;
271 #endif
272 		/* In some cases (i810 driver), user space may have already
273 		 * added the AGP base itself, because dev->agp->base previously
274 		 * only got set during AGP enable.  So, only add the base
275 		 * address if the map's offset isn't already within the
276 		 * aperture.
277 		 */
278 		if (map->offset < dev->agp->base ||
279 		    map->offset > dev->agp->base +
280 		    dev->agp->agp_info.aper_size * 1024 * 1024 - 1) {
281 			map->offset += dev->agp->base;
282 		}
283 		map->mtrr = dev->agp->agp_mtrr;	/* for getmap */
284 
285 		/* This assumes the DRM is in total control of AGP space.
286 		 * It's not always the case as AGP can be in the control
287 		 * of user space (i.e. i810 driver). So this loop will get
288 		 * skipped and we double check that dev->agp->memory is
289 		 * actually set as well as being invalid before EPERM'ing
290 		 */
291 		list_for_each_entry(entry, &dev->agp->memory, head) {
292 			if ((map->offset >= entry->bound) &&
293 			    (map->offset + map->size <= entry->bound + entry->pages * PAGE_SIZE)) {
294 				valid = 1;
295 				break;
296 			}
297 		}
298 		if (!list_empty(&dev->agp->memory) && !valid) {
299 			kfree(map);
300 			return -EPERM;
301 		}
302 		DRM_DEBUG("AGP offset = 0x%08llx, size = 0x%08lx\n",
303 			  (unsigned long long)map->offset, map->size);
304 
305 		break;
306 #endif
307 		return -EINVAL;		/* AGP hardware is no longer supported */
308 	}
309 	case _DRM_SCATTER_GATHER:
310 		if (!dev->sg) {
311 			kfree(map);
312 			return -EINVAL;
313 		}
314 		map->handle = (void *)(uintptr_t)(dev->sg->vaddr + offset);
315 		map->offset = dev->sg->vaddr + offset;
316 		break;
317 	case _DRM_CONSISTENT:
318 		/* dma_addr_t is 64bit on i386 with CONFIG_HIGHMEM64G,
319 		 * As we're limiting the address to 2^32-1 (or less),
320 		 * casting it down to 32 bits is no problem, but we
321 		 * need to point to a 64bit variable first. */
322 		dmah = drm_pci_alloc(dev, map->size, map->size);
323 		if (!dmah) {
324 			kfree(map);
325 			return -ENOMEM;
326 		}
327 		map->handle = dmah->vaddr;
328 		map->offset = (unsigned long)dmah->busaddr;
329 		kfree(dmah);
330 		break;
331 	default:
332 		kfree(map);
333 		return -EINVAL;
334 	}
335 
336 	list = kzalloc(sizeof(*list), GFP_KERNEL);
337 	if (!list) {
338 		if (map->type == _DRM_REGISTERS)
339 			iounmap(map->handle);
340 		kfree(map);
341 		return -EINVAL;
342 	}
343 	list->map = map;
344 
345 	mutex_lock(&dev->struct_mutex);
346 	list_add(&list->head, &dev->maplist);
347 
348 	/* Assign a 32-bit handle */
349 	/* We do it here so that dev->struct_mutex protects the increment */
350 	user_token = (map->type == _DRM_SHM) ? (unsigned long)map->handle :
351 		map->offset;
352 	ret = drm_map_handle(dev, &list->hash, user_token, 0,
353 			     (map->type == _DRM_SHM));
354 	if (ret) {
355 		if (map->type == _DRM_REGISTERS)
356 			iounmap(map->handle);
357 		kfree(map);
358 		kfree(list);
359 		mutex_unlock(&dev->struct_mutex);
360 		return ret;
361 	}
362 
363 	list->user_token = list->hash.key << PAGE_SHIFT;
364 	mutex_unlock(&dev->struct_mutex);
365 
366 	if (!(map->flags & _DRM_DRIVER))
367 		list->master = dev->master;
368 	*maplist = list;
369 	return 0;
370 }
371 
drm_legacy_addmap(struct drm_device * dev,resource_size_t offset,unsigned int size,enum drm_map_type type,enum drm_map_flags flags,struct drm_local_map ** map_ptr)372 int drm_legacy_addmap(struct drm_device * dev, resource_size_t offset,
373 		      unsigned int size, enum drm_map_type type,
374 		      enum drm_map_flags flags, struct drm_local_map **map_ptr)
375 {
376 	struct drm_map_list *list;
377 	int rc;
378 
379 	rc = drm_addmap_core(dev, offset, size, type, flags, &list);
380 	if (!rc)
381 		*map_ptr = list->map;
382 	return rc;
383 }
384 EXPORT_SYMBOL(drm_legacy_addmap);
385 
386 /**
387  * Ioctl to specify a range of memory that is available for mapping by a
388  * non-root process.
389  *
390  * \param inode device inode.
391  * \param file_priv DRM file private.
392  * \param cmd command.
393  * \param arg pointer to a drm_map structure.
394  * \return zero on success or a negative value on error.
395  *
396  */
drm_legacy_addmap_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)397 int drm_legacy_addmap_ioctl(struct drm_device *dev, void *data,
398 			    struct drm_file *file_priv)
399 {
400 	struct drm_map *map = data;
401 	struct drm_map_list *maplist;
402 	int err;
403 
404 	if (!(capable(CAP_SYS_ADMIN) || map->type == _DRM_AGP || map->type == _DRM_SHM))
405 		return -EPERM;
406 
407 	if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) &&
408 	    !drm_core_check_feature(dev, DRIVER_LEGACY))
409 		return -EINVAL;
410 
411 	err = drm_addmap_core(dev, map->offset, map->size, map->type,
412 			      map->flags, &maplist);
413 
414 	if (err)
415 		return err;
416 
417 	/* avoid a warning on 64-bit, this casting isn't very nice, but the API is set so too late */
418 	map->handle = (void *)(unsigned long)maplist->user_token;
419 
420 	/*
421 	 * It appears that there are no users of this value whatsoever --
422 	 * drmAddMap just discards it.  Let's not encourage its use.
423 	 * (Keeping drm_addmap_core's returned mtrr value would be wrong --
424 	 *  it's not a real mtrr index anymore.)
425 	 */
426 	map->mtrr = -1;
427 
428 	return 0;
429 }
430 
431 /*
432  * Get a mapping information.
433  *
434  * \param inode device inode.
435  * \param file_priv DRM file private.
436  * \param cmd command.
437  * \param arg user argument, pointing to a drm_map structure.
438  *
439  * \return zero on success or a negative number on failure.
440  *
441  * Searches for the mapping with the specified offset and copies its information
442  * into userspace
443  */
drm_legacy_getmap_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)444 int drm_legacy_getmap_ioctl(struct drm_device *dev, void *data,
445 			    struct drm_file *file_priv)
446 {
447 	struct drm_map *map = data;
448 	struct drm_map_list *r_list = NULL;
449 	struct list_head *list;
450 	int idx;
451 	int i;
452 
453 	if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) &&
454 	    !drm_core_check_feature(dev, DRIVER_LEGACY))
455 		return -EINVAL;
456 
457 	idx = map->offset;
458 	if (idx < 0)
459 		return -EINVAL;
460 
461 	i = 0;
462 	mutex_lock(&dev->struct_mutex);
463 	list_for_each(list, &dev->maplist) {
464 		if (i == idx) {
465 			r_list = list_entry(list, struct drm_map_list, head);
466 			break;
467 		}
468 		i++;
469 	}
470 	if (!r_list || !r_list->map) {
471 		mutex_unlock(&dev->struct_mutex);
472 		return -EINVAL;
473 	}
474 
475 	map->offset = r_list->map->offset;
476 	map->size = r_list->map->size;
477 	map->type = r_list->map->type;
478 	map->flags = r_list->map->flags;
479 	map->handle = (void *)(unsigned long) r_list->user_token;
480 	map->mtrr = r_list->map->mtrr;
481 
482 	mutex_unlock(&dev->struct_mutex);
483 
484 	return 0;
485 }
486 
487 /**
488  * Remove a map private from list and deallocate resources if the mapping
489  * isn't in use.
490  *
491  * Searches the map on drm_device::maplist, removes it from the list, see if
492  * its being used, and free any associate resource (such as MTRR's) if it's not
493  * being on use.
494  *
495  * \sa drm_legacy_addmap
496  */
drm_legacy_rmmap_locked(struct drm_device * dev,struct drm_local_map * map)497 int drm_legacy_rmmap_locked(struct drm_device *dev, struct drm_local_map *map)
498 {
499 	struct drm_map_list *r_list = NULL, *list_t;
500 	drm_dma_handle_t dmah;
501 	int found = 0;
502 	struct drm_master *master;
503 
504 	/* Find the list entry for the map and remove it */
505 	list_for_each_entry_safe(r_list, list_t, &dev->maplist, head) {
506 		if (r_list->map == map) {
507 			master = r_list->master;
508 			list_del(&r_list->head);
509 			drm_ht_remove_key(&dev->map_hash,
510 					  r_list->user_token >> PAGE_SHIFT);
511 			kfree(r_list);
512 			found = 1;
513 			break;
514 		}
515 	}
516 
517 	if (!found)
518 		return -EINVAL;
519 
520 	switch (map->type) {
521 	case _DRM_REGISTERS:
522 		iounmap(map->handle);
523 		/* FALLTHROUGH */
524 	case _DRM_FRAME_BUFFER:
525 		arch_phys_wc_del(map->mtrr);
526 		break;
527 	case _DRM_SHM:
528 		vfree(map->handle);
529 		if (master) {
530 			if (dev->sigdata.lock == master->lock.hw_lock)
531 				dev->sigdata.lock = NULL;
532 			master->lock.hw_lock = NULL;   /* SHM removed */
533 			master->lock.file_priv = NULL;
534 			wake_up_interruptible_all(&master->lock.lock_queue);
535 		}
536 		break;
537 	case _DRM_AGP:
538 	case _DRM_SCATTER_GATHER:
539 		break;
540 	case _DRM_CONSISTENT:
541 		dmah.vaddr = map->handle;
542 		dmah.busaddr = map->offset;
543 		dmah.size = map->size;
544 		__drm_legacy_pci_free(dev, &dmah);
545 		break;
546 	}
547 	kfree(map);
548 
549 	return 0;
550 }
551 EXPORT_SYMBOL(drm_legacy_rmmap_locked);
552 
drm_legacy_rmmap(struct drm_device * dev,struct drm_local_map * map)553 void drm_legacy_rmmap(struct drm_device *dev, struct drm_local_map *map)
554 {
555 	if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) &&
556 	    !drm_core_check_feature(dev, DRIVER_LEGACY))
557 		return;
558 
559 	mutex_lock(&dev->struct_mutex);
560 	drm_legacy_rmmap_locked(dev, map);
561 	mutex_unlock(&dev->struct_mutex);
562 }
563 EXPORT_SYMBOL(drm_legacy_rmmap);
564 
drm_legacy_master_rmmaps(struct drm_device * dev,struct drm_master * master)565 void drm_legacy_master_rmmaps(struct drm_device *dev, struct drm_master *master)
566 {
567 	struct drm_map_list *r_list, *list_temp;
568 
569 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
570 		return;
571 
572 	mutex_lock(&dev->struct_mutex);
573 	list_for_each_entry_safe(r_list, list_temp, &dev->maplist, head) {
574 		if (r_list->master == master) {
575 			drm_legacy_rmmap_locked(dev, r_list->map);
576 			r_list = NULL;
577 		}
578 	}
579 	mutex_unlock(&dev->struct_mutex);
580 }
581 
582 /* The rmmap ioctl appears to be unnecessary.  All mappings are torn down on
583  * the last close of the device, and this is necessary for cleanup when things
584  * exit uncleanly.  Therefore, having userland manually remove mappings seems
585  * like a pointless exercise since they're going away anyway.
586  *
587  * One use case might be after addmap is allowed for normal users for SHM and
588  * gets used by drivers that the server doesn't need to care about.  This seems
589  * unlikely.
590  *
591  * \param inode device inode.
592  * \param file_priv DRM file private.
593  * \param cmd command.
594  * \param arg pointer to a struct drm_map structure.
595  * \return zero on success or a negative value on error.
596  */
drm_legacy_rmmap_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)597 int drm_legacy_rmmap_ioctl(struct drm_device *dev, void *data,
598 			   struct drm_file *file_priv)
599 {
600 	struct drm_map *request = data;
601 	struct drm_local_map *map = NULL;
602 	struct drm_map_list *r_list;
603 	int ret;
604 
605 	if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT) &&
606 	    !drm_core_check_feature(dev, DRIVER_LEGACY))
607 		return -EINVAL;
608 
609 	mutex_lock(&dev->struct_mutex);
610 	list_for_each_entry(r_list, &dev->maplist, head) {
611 		if (r_list->map &&
612 		    r_list->user_token == (unsigned long)request->handle &&
613 		    r_list->map->flags & _DRM_REMOVABLE) {
614 			map = r_list->map;
615 			break;
616 		}
617 	}
618 
619 	/* List has wrapped around to the head pointer, or its empty we didn't
620 	 * find anything.
621 	 */
622 	if (list_empty(&dev->maplist) || !map) {
623 		mutex_unlock(&dev->struct_mutex);
624 		return -EINVAL;
625 	}
626 
627 	/* Register and framebuffer maps are permanent */
628 	if ((map->type == _DRM_REGISTERS) || (map->type == _DRM_FRAME_BUFFER)) {
629 		mutex_unlock(&dev->struct_mutex);
630 		return 0;
631 	}
632 
633 	ret = drm_legacy_rmmap_locked(dev, map);
634 
635 	mutex_unlock(&dev->struct_mutex);
636 
637 	return ret;
638 }
639 
640 /**
641  * Cleanup after an error on one of the addbufs() functions.
642  *
643  * \param dev DRM device.
644  * \param entry buffer entry where the error occurred.
645  *
646  * Frees any pages and buffers associated with the given entry.
647  */
drm_cleanup_buf_error(struct drm_device * dev,struct drm_buf_entry * entry)648 static void drm_cleanup_buf_error(struct drm_device * dev,
649 				  struct drm_buf_entry * entry)
650 {
651 	int i;
652 
653 	if (entry->seg_count) {
654 		for (i = 0; i < entry->seg_count; i++) {
655 			if (entry->seglist[i]) {
656 				drm_pci_free(dev, entry->seglist[i]);
657 			}
658 		}
659 		kfree(entry->seglist);
660 
661 		entry->seg_count = 0;
662 	}
663 
664 	if (entry->buf_count) {
665 		for (i = 0; i < entry->buf_count; i++) {
666 			kfree(entry->buflist[i].dev_private);
667 		}
668 		kfree(entry->buflist);
669 
670 		entry->buf_count = 0;
671 	}
672 }
673 
674 #if IS_ENABLED(CONFIG_AGP)
675 /**
676  * Add AGP buffers for DMA transfers.
677  *
678  * \param dev struct drm_device to which the buffers are to be added.
679  * \param request pointer to a struct drm_buf_desc describing the request.
680  * \return zero on success or a negative number on failure.
681  *
682  * After some sanity checks creates a drm_buf structure for each buffer and
683  * reallocates the buffer list of the same size order to accommodate the new
684  * buffers.
685  */
drm_legacy_addbufs_agp(struct drm_device * dev,struct drm_buf_desc * request)686 int drm_legacy_addbufs_agp(struct drm_device *dev,
687 			   struct drm_buf_desc *request)
688 {
689 	struct drm_device_dma *dma = dev->dma;
690 	struct drm_buf_entry *entry;
691 	struct drm_agp_mem *agp_entry;
692 	struct drm_buf *buf;
693 	unsigned long offset;
694 	unsigned long agp_offset;
695 	int count;
696 	int order;
697 	int size;
698 	int alignment;
699 	int page_order;
700 	int total;
701 	int byte_count;
702 	int i, valid;
703 	struct drm_buf **temp_buflist;
704 
705 	if (!dma)
706 		return -EINVAL;
707 
708 	count = request->count;
709 	order = order_base_2(request->size);
710 	size = 1 << order;
711 
712 	alignment = (request->flags & _DRM_PAGE_ALIGN)
713 	    ? PAGE_ALIGN(size) : size;
714 	page_order = order - PAGE_SHIFT > 0 ? order - PAGE_SHIFT : 0;
715 	total = PAGE_SIZE << page_order;
716 
717 	byte_count = 0;
718 	agp_offset = dev->agp->base + request->agp_start;
719 
720 	DRM_DEBUG("count:      %d\n", count);
721 	DRM_DEBUG("order:      %d\n", order);
722 	DRM_DEBUG("size:       %d\n", size);
723 	DRM_DEBUG("agp_offset: %lx\n", agp_offset);
724 	DRM_DEBUG("alignment:  %d\n", alignment);
725 	DRM_DEBUG("page_order: %d\n", page_order);
726 	DRM_DEBUG("total:      %d\n", total);
727 
728 	if (order < DRM_MIN_ORDER || order > DRM_MAX_ORDER)
729 		return -EINVAL;
730 
731 	/* Make sure buffers are located in AGP memory that we own */
732 	valid = 0;
733 	list_for_each_entry(agp_entry, &dev->agp->memory, head) {
734 		if ((agp_offset >= agp_entry->bound) &&
735 		    (agp_offset + total * count <= agp_entry->bound + agp_entry->pages * PAGE_SIZE)) {
736 			valid = 1;
737 			break;
738 		}
739 	}
740 	if (!list_empty(&dev->agp->memory) && !valid) {
741 		DRM_DEBUG("zone invalid\n");
742 		return -EINVAL;
743 	}
744 	lockmgr(&dev->buf_lock, LK_EXCLUSIVE);
745 	if (dev->buf_use) {
746 		lockmgr(&dev->buf_lock, LK_RELEASE);
747 		return -EBUSY;
748 	}
749 	atomic_inc(&dev->buf_alloc);
750 	lockmgr(&dev->buf_lock, LK_RELEASE);
751 
752 	mutex_lock(&dev->struct_mutex);
753 	entry = &dma->bufs[order];
754 	if (entry->buf_count) {
755 		mutex_unlock(&dev->struct_mutex);
756 		atomic_dec(&dev->buf_alloc);
757 		return -ENOMEM;	/* May only call once for each order */
758 	}
759 
760 	if (count < 0 || count > 4096) {
761 		mutex_unlock(&dev->struct_mutex);
762 		atomic_dec(&dev->buf_alloc);
763 		return -EINVAL;
764 	}
765 
766 	entry->buflist = kcalloc(count, sizeof(*entry->buflist), GFP_KERNEL);
767 	if (!entry->buflist) {
768 		mutex_unlock(&dev->struct_mutex);
769 		atomic_dec(&dev->buf_alloc);
770 		return -ENOMEM;
771 	}
772 
773 	entry->buf_size = size;
774 	entry->page_order = page_order;
775 
776 	offset = 0;
777 
778 	while (entry->buf_count < count) {
779 		buf = &entry->buflist[entry->buf_count];
780 		buf->idx = dma->buf_count + entry->buf_count;
781 		buf->total = alignment;
782 		buf->order = order;
783 		buf->used = 0;
784 
785 		buf->offset = (dma->byte_count + offset);
786 		buf->bus_address = agp_offset + offset;
787 		buf->address = (void *)(agp_offset + offset);
788 		buf->next = NULL;
789 		buf->waiting = 0;
790 		buf->pending = 0;
791 		buf->file_priv = NULL;
792 
793 		buf->dev_priv_size = dev->driver->dev_priv_size;
794 		buf->dev_private = kzalloc(buf->dev_priv_size, GFP_KERNEL);
795 		if (!buf->dev_private) {
796 			/* Set count correctly so we free the proper amount. */
797 			entry->buf_count = count;
798 			drm_cleanup_buf_error(dev, entry);
799 			mutex_unlock(&dev->struct_mutex);
800 			atomic_dec(&dev->buf_alloc);
801 			return -ENOMEM;
802 		}
803 
804 		DRM_DEBUG("buffer %d @ %p\n", entry->buf_count, buf->address);
805 
806 		offset += alignment;
807 		entry->buf_count++;
808 		byte_count += PAGE_SIZE << page_order;
809 	}
810 
811 	DRM_DEBUG("byte_count: %d\n", byte_count);
812 
813 	temp_buflist = krealloc(dma->buflist,
814 				(dma->buf_count + entry->buf_count) * sizeof(*dma->buflist),
815 				M_DRM, GFP_KERNEL);
816 	if (!temp_buflist) {
817 		/* Free the entry because it isn't valid */
818 		drm_cleanup_buf_error(dev, entry);
819 		mutex_unlock(&dev->struct_mutex);
820 		atomic_dec(&dev->buf_alloc);
821 		return -ENOMEM;
822 	}
823 	dma->buflist = temp_buflist;
824 
825 	for (i = 0; i < entry->buf_count; i++) {
826 		dma->buflist[i + dma->buf_count] = &entry->buflist[i];
827 	}
828 
829 	dma->buf_count += entry->buf_count;
830 	dma->seg_count += entry->seg_count;
831 	dma->page_count += byte_count >> PAGE_SHIFT;
832 	dma->byte_count += byte_count;
833 
834 	DRM_DEBUG("dma->buf_count : %d\n", dma->buf_count);
835 	DRM_DEBUG("entry->buf_count : %d\n", entry->buf_count);
836 
837 	mutex_unlock(&dev->struct_mutex);
838 
839 	request->count = entry->buf_count;
840 	request->size = size;
841 
842 	dma->flags = _DRM_DMA_USE_AGP;
843 
844 	atomic_dec(&dev->buf_alloc);
845 	return 0;
846 }
847 EXPORT_SYMBOL(drm_legacy_addbufs_agp);
848 #endif /* CONFIG_AGP */
849 
drm_legacy_addbufs_pci(struct drm_device * dev,struct drm_buf_desc * request)850 int drm_legacy_addbufs_pci(struct drm_device *dev,
851 			   struct drm_buf_desc *request)
852 {
853 	struct drm_device_dma *dma = dev->dma;
854 	int count;
855 	int order;
856 	int size;
857 	int total;
858 	int page_order;
859 	struct drm_buf_entry *entry;
860 	drm_dma_handle_t *dmah;
861 	struct drm_buf *buf;
862 	int alignment;
863 	unsigned long offset;
864 	int i;
865 	int byte_count;
866 	int page_count;
867 	unsigned long *temp_pagelist;
868 	struct drm_buf **temp_buflist;
869 
870 	if (!drm_core_check_feature(dev, DRIVER_PCI_DMA))
871 		return -EINVAL;
872 
873 	if (!dma)
874 		return -EINVAL;
875 
876 	if (!capable(CAP_SYS_ADMIN))
877 		return -EPERM;
878 
879 	count = request->count;
880 	order = order_base_2(request->size);
881 	size = 1 << order;
882 
883 	DRM_DEBUG("count=%d, size=%d (%d), order=%d\n",
884 		  request->count, request->size, size, order);
885 
886 	if (order < DRM_MIN_ORDER || order > DRM_MAX_ORDER)
887 		return -EINVAL;
888 
889 	alignment = (request->flags & _DRM_PAGE_ALIGN)
890 	    ? PAGE_ALIGN(size) : size;
891 	page_order = order - PAGE_SHIFT > 0 ? order - PAGE_SHIFT : 0;
892 	total = PAGE_SIZE << page_order;
893 
894 	lockmgr(&dev->buf_lock, LK_EXCLUSIVE);
895 	if (dev->buf_use) {
896 		lockmgr(&dev->buf_lock, LK_RELEASE);
897 		return -EBUSY;
898 	}
899 	atomic_inc(&dev->buf_alloc);
900 	lockmgr(&dev->buf_lock, LK_RELEASE);
901 
902 	mutex_lock(&dev->struct_mutex);
903 	entry = &dma->bufs[order];
904 	if (entry->buf_count) {
905 		mutex_unlock(&dev->struct_mutex);
906 		atomic_dec(&dev->buf_alloc);
907 		return -ENOMEM;	/* May only call once for each order */
908 	}
909 
910 	if (count < 0 || count > 4096) {
911 		mutex_unlock(&dev->struct_mutex);
912 		atomic_dec(&dev->buf_alloc);
913 		return -EINVAL;
914 	}
915 
916 	entry->buflist = kcalloc(count, sizeof(*entry->buflist), GFP_KERNEL);
917 	if (!entry->buflist) {
918 		mutex_unlock(&dev->struct_mutex);
919 		atomic_dec(&dev->buf_alloc);
920 		return -ENOMEM;
921 	}
922 
923 	entry->seglist = kcalloc(count, sizeof(*entry->seglist), GFP_KERNEL);
924 	if (!entry->seglist) {
925 		kfree(entry->buflist);
926 		mutex_unlock(&dev->struct_mutex);
927 		atomic_dec(&dev->buf_alloc);
928 		return -ENOMEM;
929 	}
930 
931 	/* Keep the original pagelist until we know all the allocations
932 	 * have succeeded
933 	 */
934 	temp_pagelist = kmalloc_array(dma->page_count + (count << page_order),
935 				      sizeof(*dma->pagelist),
936 				      GFP_KERNEL);
937 	if (!temp_pagelist) {
938 		kfree(entry->buflist);
939 		kfree(entry->seglist);
940 		mutex_unlock(&dev->struct_mutex);
941 		atomic_dec(&dev->buf_alloc);
942 		return -ENOMEM;
943 	}
944 	memcpy(temp_pagelist,
945 	       dma->pagelist, dma->page_count * sizeof(*dma->pagelist));
946 	DRM_DEBUG("pagelist: %d entries\n",
947 		  dma->page_count + (count << page_order));
948 
949 	entry->buf_size = size;
950 	entry->page_order = page_order;
951 	byte_count = 0;
952 	page_count = 0;
953 
954 	while (entry->buf_count < count) {
955 
956 		dmah = drm_pci_alloc(dev, PAGE_SIZE << page_order, 0x1000);
957 
958 		if (!dmah) {
959 			/* Set count correctly so we free the proper amount. */
960 			entry->buf_count = count;
961 			entry->seg_count = count;
962 			drm_cleanup_buf_error(dev, entry);
963 			kfree(temp_pagelist);
964 			mutex_unlock(&dev->struct_mutex);
965 			atomic_dec(&dev->buf_alloc);
966 			return -ENOMEM;
967 		}
968 		entry->seglist[entry->seg_count++] = dmah;
969 		for (i = 0; i < (1 << page_order); i++) {
970 			DRM_DEBUG("page %d @ 0x%08lx\n",
971 				  dma->page_count + page_count,
972 				  (unsigned long)dmah->vaddr + PAGE_SIZE * i);
973 			temp_pagelist[dma->page_count + page_count++]
974 				= (unsigned long)dmah->vaddr + PAGE_SIZE * i;
975 		}
976 		for (offset = 0;
977 		     offset + size <= total && entry->buf_count < count;
978 		     offset += alignment, ++entry->buf_count) {
979 			buf = &entry->buflist[entry->buf_count];
980 			buf->idx = dma->buf_count + entry->buf_count;
981 			buf->total = alignment;
982 			buf->order = order;
983 			buf->used = 0;
984 			buf->offset = (dma->byte_count + byte_count + offset);
985 			buf->address = (void *)(dmah->vaddr + offset);
986 			buf->bus_address = dmah->busaddr + offset;
987 			buf->next = NULL;
988 			buf->waiting = 0;
989 			buf->pending = 0;
990 			buf->file_priv = NULL;
991 
992 			buf->dev_priv_size = dev->driver->dev_priv_size;
993 			buf->dev_private = kzalloc(buf->dev_priv_size,
994 						GFP_KERNEL);
995 			if (!buf->dev_private) {
996 				/* Set count correctly so we free the proper amount. */
997 				entry->buf_count = count;
998 				entry->seg_count = count;
999 				drm_cleanup_buf_error(dev, entry);
1000 				kfree(temp_pagelist);
1001 				mutex_unlock(&dev->struct_mutex);
1002 				atomic_dec(&dev->buf_alloc);
1003 				return -ENOMEM;
1004 			}
1005 
1006 			DRM_DEBUG("buffer %d @ %p\n",
1007 				  entry->buf_count, buf->address);
1008 		}
1009 		byte_count += PAGE_SIZE << page_order;
1010 	}
1011 
1012 	temp_buflist = krealloc(dma->buflist,
1013 				(dma->buf_count + entry->buf_count) * sizeof(*dma->buflist),
1014 				M_DRM, GFP_KERNEL);
1015 	if (!temp_buflist) {
1016 		/* Free the entry because it isn't valid */
1017 		drm_cleanup_buf_error(dev, entry);
1018 		kfree(temp_pagelist);
1019 		mutex_unlock(&dev->struct_mutex);
1020 		atomic_dec(&dev->buf_alloc);
1021 		return -ENOMEM;
1022 	}
1023 	dma->buflist = temp_buflist;
1024 
1025 	for (i = 0; i < entry->buf_count; i++) {
1026 		dma->buflist[i + dma->buf_count] = &entry->buflist[i];
1027 	}
1028 
1029 	/* No allocations failed, so now we can replace the original pagelist
1030 	 * with the new one.
1031 	 */
1032 	if (dma->page_count) {
1033 		kfree(dma->pagelist);
1034 	}
1035 	dma->pagelist = temp_pagelist;
1036 
1037 	dma->buf_count += entry->buf_count;
1038 	dma->seg_count += entry->seg_count;
1039 	dma->page_count += entry->seg_count << page_order;
1040 	dma->byte_count += PAGE_SIZE * (entry->seg_count << page_order);
1041 
1042 	mutex_unlock(&dev->struct_mutex);
1043 
1044 	request->count = entry->buf_count;
1045 	request->size = size;
1046 
1047 	if (request->flags & _DRM_PCI_BUFFER_RO)
1048 		dma->flags = _DRM_DMA_USE_PCI_RO;
1049 
1050 	atomic_dec(&dev->buf_alloc);
1051 	return 0;
1052 
1053 }
1054 EXPORT_SYMBOL(drm_legacy_addbufs_pci);
1055 
drm_legacy_addbufs_sg(struct drm_device * dev,struct drm_buf_desc * request)1056 static int drm_legacy_addbufs_sg(struct drm_device *dev,
1057 				 struct drm_buf_desc *request)
1058 {
1059 	struct drm_device_dma *dma = dev->dma;
1060 	struct drm_buf_entry *entry;
1061 	struct drm_buf *buf;
1062 	unsigned long offset;
1063 	unsigned long agp_offset;
1064 	int count;
1065 	int order;
1066 	int size;
1067 	int alignment;
1068 	int page_order;
1069 	int total;
1070 	int byte_count;
1071 	int i;
1072 	struct drm_buf **temp_buflist;
1073 
1074 	if (!drm_core_check_feature(dev, DRIVER_SG))
1075 		return -EINVAL;
1076 
1077 	if (!dma)
1078 		return -EINVAL;
1079 
1080 	if (!capable(CAP_SYS_ADMIN))
1081 		return -EPERM;
1082 
1083 	count = request->count;
1084 	order = order_base_2(request->size);
1085 	size = 1 << order;
1086 
1087 	alignment = (request->flags & _DRM_PAGE_ALIGN)
1088 	    ? PAGE_ALIGN(size) : size;
1089 	page_order = order - PAGE_SHIFT > 0 ? order - PAGE_SHIFT : 0;
1090 	total = PAGE_SIZE << page_order;
1091 
1092 	byte_count = 0;
1093 	agp_offset = request->agp_start;
1094 
1095 	DRM_DEBUG("count:      %d\n", count);
1096 	DRM_DEBUG("order:      %d\n", order);
1097 	DRM_DEBUG("size:       %d\n", size);
1098 	DRM_DEBUG("agp_offset: %lu\n", agp_offset);
1099 	DRM_DEBUG("alignment:  %d\n", alignment);
1100 	DRM_DEBUG("page_order: %d\n", page_order);
1101 	DRM_DEBUG("total:      %d\n", total);
1102 
1103 	if (order < DRM_MIN_ORDER || order > DRM_MAX_ORDER)
1104 		return -EINVAL;
1105 
1106 	lockmgr(&dev->buf_lock, LK_EXCLUSIVE);
1107 	if (dev->buf_use) {
1108 		lockmgr(&dev->buf_lock, LK_RELEASE);
1109 		return -EBUSY;
1110 	}
1111 	atomic_inc(&dev->buf_alloc);
1112 	lockmgr(&dev->buf_lock, LK_RELEASE);
1113 
1114 	mutex_lock(&dev->struct_mutex);
1115 	entry = &dma->bufs[order];
1116 	if (entry->buf_count) {
1117 		mutex_unlock(&dev->struct_mutex);
1118 		atomic_dec(&dev->buf_alloc);
1119 		return -ENOMEM;	/* May only call once for each order */
1120 	}
1121 
1122 	if (count < 0 || count > 4096) {
1123 		mutex_unlock(&dev->struct_mutex);
1124 		atomic_dec(&dev->buf_alloc);
1125 		return -EINVAL;
1126 	}
1127 
1128 	entry->buflist = kcalloc(count, sizeof(*entry->buflist), GFP_KERNEL);
1129 	if (!entry->buflist) {
1130 		mutex_unlock(&dev->struct_mutex);
1131 		atomic_dec(&dev->buf_alloc);
1132 		return -ENOMEM;
1133 	}
1134 
1135 	entry->buf_size = size;
1136 	entry->page_order = page_order;
1137 
1138 	offset = 0;
1139 
1140 	while (entry->buf_count < count) {
1141 		buf = &entry->buflist[entry->buf_count];
1142 		buf->idx = dma->buf_count + entry->buf_count;
1143 		buf->total = alignment;
1144 		buf->order = order;
1145 		buf->used = 0;
1146 
1147 		buf->offset = (dma->byte_count + offset);
1148 		buf->bus_address = agp_offset + offset;
1149 		buf->address = (void *)(agp_offset + offset + dev->sg->vaddr);
1150 		buf->next = NULL;
1151 		buf->waiting = 0;
1152 		buf->pending = 0;
1153 		buf->file_priv = NULL;
1154 
1155 		buf->dev_priv_size = dev->driver->dev_priv_size;
1156 		buf->dev_private = kzalloc(buf->dev_priv_size, GFP_KERNEL);
1157 		if (!buf->dev_private) {
1158 			/* Set count correctly so we free the proper amount. */
1159 			entry->buf_count = count;
1160 			drm_cleanup_buf_error(dev, entry);
1161 			mutex_unlock(&dev->struct_mutex);
1162 			atomic_dec(&dev->buf_alloc);
1163 			return -ENOMEM;
1164 		}
1165 
1166 		DRM_DEBUG("buffer %d @ %p\n", entry->buf_count, buf->address);
1167 
1168 		offset += alignment;
1169 		entry->buf_count++;
1170 		byte_count += PAGE_SIZE << page_order;
1171 	}
1172 
1173 	DRM_DEBUG("byte_count: %d\n", byte_count);
1174 
1175 	temp_buflist = krealloc(dma->buflist,
1176 				(dma->buf_count + entry->buf_count) * sizeof(*dma->buflist),
1177 				M_DRM, GFP_KERNEL);
1178 	if (!temp_buflist) {
1179 		/* Free the entry because it isn't valid */
1180 		drm_cleanup_buf_error(dev, entry);
1181 		mutex_unlock(&dev->struct_mutex);
1182 		atomic_dec(&dev->buf_alloc);
1183 		return -ENOMEM;
1184 	}
1185 	dma->buflist = temp_buflist;
1186 
1187 	for (i = 0; i < entry->buf_count; i++) {
1188 		dma->buflist[i + dma->buf_count] = &entry->buflist[i];
1189 	}
1190 
1191 	dma->buf_count += entry->buf_count;
1192 	dma->seg_count += entry->seg_count;
1193 	dma->page_count += byte_count >> PAGE_SHIFT;
1194 	dma->byte_count += byte_count;
1195 
1196 	DRM_DEBUG("dma->buf_count : %d\n", dma->buf_count);
1197 	DRM_DEBUG("entry->buf_count : %d\n", entry->buf_count);
1198 
1199 	mutex_unlock(&dev->struct_mutex);
1200 
1201 	request->count = entry->buf_count;
1202 	request->size = size;
1203 
1204 	dma->flags = _DRM_DMA_USE_SG;
1205 
1206 	atomic_dec(&dev->buf_alloc);
1207 	return 0;
1208 }
1209 
1210 /**
1211  * Add buffers for DMA transfers (ioctl).
1212  *
1213  * \param inode device inode.
1214  * \param file_priv DRM file private.
1215  * \param cmd command.
1216  * \param arg pointer to a struct drm_buf_desc request.
1217  * \return zero on success or a negative number on failure.
1218  *
1219  * According with the memory type specified in drm_buf_desc::flags and the
1220  * build options, it dispatches the call either to addbufs_agp(),
1221  * addbufs_sg() or addbufs_pci() for AGP, scatter-gather or consistent
1222  * PCI memory respectively.
1223  */
drm_legacy_addbufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1224 int drm_legacy_addbufs(struct drm_device *dev, void *data,
1225 		       struct drm_file *file_priv)
1226 {
1227 	struct drm_buf_desc *request = data;
1228 	int ret;
1229 
1230 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1231 		return -EINVAL;
1232 
1233 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1234 		return -EINVAL;
1235 
1236 #if IS_ENABLED(CONFIG_AGP)
1237 	if (request->flags & _DRM_AGP_BUFFER)
1238 		ret = drm_legacy_addbufs_agp(dev, request);
1239 	else
1240 #endif
1241 	if (request->flags & _DRM_SG_BUFFER)
1242 		ret = drm_legacy_addbufs_sg(dev, request);
1243 	else if (request->flags & _DRM_FB_BUFFER)
1244 		ret = -EINVAL;
1245 	else
1246 		ret = drm_legacy_addbufs_pci(dev, request);
1247 
1248 	return ret;
1249 }
1250 
1251 /**
1252  * Get information about the buffer mappings.
1253  *
1254  * This was originally mean for debugging purposes, or by a sophisticated
1255  * client library to determine how best to use the available buffers (e.g.,
1256  * large buffers can be used for image transfer).
1257  *
1258  * \param inode device inode.
1259  * \param file_priv DRM file private.
1260  * \param cmd command.
1261  * \param arg pointer to a drm_buf_info structure.
1262  * \return zero on success or a negative number on failure.
1263  *
1264  * Increments drm_device::buf_use while holding the drm_device::buf_lock
1265  * lock, preventing of allocating more buffers after this call. Information
1266  * about each requested buffer is then copied into user space.
1267  */
__drm_legacy_infobufs(struct drm_device * dev,void * data,int * p,int (* f)(void *,int,struct drm_buf_entry *))1268 int __drm_legacy_infobufs(struct drm_device *dev,
1269 			void *data, int *p,
1270 			int (*f)(void *, int, struct drm_buf_entry *))
1271 {
1272 	struct drm_device_dma *dma = dev->dma;
1273 	int i;
1274 	int count;
1275 
1276 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1277 		return -EINVAL;
1278 
1279 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1280 		return -EINVAL;
1281 
1282 	if (!dma)
1283 		return -EINVAL;
1284 
1285 	lockmgr(&dev->buf_lock, LK_EXCLUSIVE);
1286 	if (atomic_read(&dev->buf_alloc)) {
1287 		lockmgr(&dev->buf_lock, LK_RELEASE);
1288 		return -EBUSY;
1289 	}
1290 	++dev->buf_use;		/* Can't allocate more after this call */
1291 	lockmgr(&dev->buf_lock, LK_RELEASE);
1292 
1293 	for (i = 0, count = 0; i < DRM_MAX_ORDER + 1; i++) {
1294 		if (dma->bufs[i].buf_count)
1295 			++count;
1296 	}
1297 
1298 	DRM_DEBUG("count = %d\n", count);
1299 
1300 	if (*p >= count) {
1301 		for (i = 0, count = 0; i < DRM_MAX_ORDER + 1; i++) {
1302 			struct drm_buf_entry *from = &dma->bufs[i];
1303 			if (from->buf_count) {
1304 				if (f(data, count, from) < 0)
1305 					return -EFAULT;
1306 				DRM_DEBUG("%d %d %d %d %d\n",
1307 					  i,
1308 					  dma->bufs[i].buf_count,
1309 					  dma->bufs[i].buf_size,
1310 					  dma->bufs[i].low_mark,
1311 					  dma->bufs[i].high_mark);
1312 				++count;
1313 			}
1314 		}
1315 	}
1316 	*p = count;
1317 
1318 	return 0;
1319 }
1320 
copy_one_buf(void * data,int count,struct drm_buf_entry * from)1321 static int copy_one_buf(void *data, int count, struct drm_buf_entry *from)
1322 {
1323 	struct drm_buf_info *request = data;
1324 	struct drm_buf_desc __user *to = &request->list[count];
1325 	struct drm_buf_desc v = {.count = from->buf_count,
1326 				 .size = from->buf_size,
1327 				 .low_mark = from->low_mark,
1328 				 .high_mark = from->high_mark};
1329 	return copy_to_user(to, &v, offsetof(struct drm_buf_desc, flags));
1330 }
1331 
drm_legacy_infobufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1332 int drm_legacy_infobufs(struct drm_device *dev, void *data,
1333 			struct drm_file *file_priv)
1334 {
1335 	struct drm_buf_info *request = data;
1336 	return __drm_legacy_infobufs(dev, data, &request->count, copy_one_buf);
1337 }
1338 
1339 /**
1340  * Specifies a low and high water mark for buffer allocation
1341  *
1342  * \param inode device inode.
1343  * \param file_priv DRM file private.
1344  * \param cmd command.
1345  * \param arg a pointer to a drm_buf_desc structure.
1346  * \return zero on success or a negative number on failure.
1347  *
1348  * Verifies that the size order is bounded between the admissible orders and
1349  * updates the respective drm_device_dma::bufs entry low and high water mark.
1350  *
1351  * \note This ioctl is deprecated and mostly never used.
1352  */
drm_legacy_markbufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1353 int drm_legacy_markbufs(struct drm_device *dev, void *data,
1354 			struct drm_file *file_priv)
1355 {
1356 	struct drm_device_dma *dma = dev->dma;
1357 	struct drm_buf_desc *request = data;
1358 	int order;
1359 	struct drm_buf_entry *entry;
1360 
1361 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1362 		return -EINVAL;
1363 
1364 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1365 		return -EINVAL;
1366 
1367 	if (!dma)
1368 		return -EINVAL;
1369 
1370 	DRM_DEBUG("%d, %d, %d\n",
1371 		  request->size, request->low_mark, request->high_mark);
1372 	order = order_base_2(request->size);
1373 	if (order < DRM_MIN_ORDER || order > DRM_MAX_ORDER)
1374 		return -EINVAL;
1375 	entry = &dma->bufs[order];
1376 
1377 	if (request->low_mark < 0 || request->low_mark > entry->buf_count)
1378 		return -EINVAL;
1379 	if (request->high_mark < 0 || request->high_mark > entry->buf_count)
1380 		return -EINVAL;
1381 
1382 	entry->low_mark = request->low_mark;
1383 	entry->high_mark = request->high_mark;
1384 
1385 	return 0;
1386 }
1387 
1388 /**
1389  * Unreserve the buffers in list, previously reserved using drmDMA.
1390  *
1391  * \param inode device inode.
1392  * \param file_priv DRM file private.
1393  * \param cmd command.
1394  * \param arg pointer to a drm_buf_free structure.
1395  * \return zero on success or a negative number on failure.
1396  *
1397  * Calls free_buffer() for each used buffer.
1398  * This function is primarily used for debugging.
1399  */
drm_legacy_freebufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1400 int drm_legacy_freebufs(struct drm_device *dev, void *data,
1401 			struct drm_file *file_priv)
1402 {
1403 	struct drm_device_dma *dma = dev->dma;
1404 	struct drm_buf_free *request = data;
1405 	int i;
1406 	int idx;
1407 	struct drm_buf *buf;
1408 
1409 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1410 		return -EINVAL;
1411 
1412 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1413 		return -EINVAL;
1414 
1415 	if (!dma)
1416 		return -EINVAL;
1417 
1418 	DRM_DEBUG("%d\n", request->count);
1419 	for (i = 0; i < request->count; i++) {
1420 		if (copy_from_user(&idx, &request->list[i], sizeof(idx)))
1421 			return -EFAULT;
1422 		if (idx < 0 || idx >= dma->buf_count) {
1423 			DRM_ERROR("Index %d (of %d max)\n",
1424 				  idx, dma->buf_count - 1);
1425 			return -EINVAL;
1426 		}
1427 		buf = dma->buflist[idx];
1428 		if (buf->file_priv != file_priv) {
1429 			DRM_ERROR("Process %d freeing buffer not owned\n",
1430 				  DRM_CURRENTPID);
1431 			return -EINVAL;
1432 		}
1433 		drm_legacy_free_buffer(dev, buf);
1434 	}
1435 
1436 	return 0;
1437 }
1438 
1439 /**
1440  * Maps all of the DMA buffers into client-virtual space (ioctl).
1441  *
1442  * \param inode device inode.
1443  * \param file_priv DRM file private.
1444  * \param cmd command.
1445  * \param arg pointer to a drm_buf_map structure.
1446  * \return zero on success or a negative number on failure.
1447  *
1448  * Maps the AGP, SG or PCI buffer region with vm_mmap(), and copies information
1449  * about each buffer into user space. For PCI buffers, it calls vm_mmap() with
1450  * offset equal to 0, which drm_mmap() interpretes as PCI buffers and calls
1451  * drm_mmap_dma().
1452  */
__drm_legacy_mapbufs(struct drm_device * dev,void * data,int * p,void __user ** v,int (* f)(void *,int,unsigned long,struct drm_buf *),struct drm_file * file_priv)1453 int __drm_legacy_mapbufs(struct drm_device *dev, void *data, int *p,
1454 			 void __user **v,
1455 			 int (*f)(void *, int, unsigned long,
1456 				  struct drm_buf *),
1457 		         struct drm_file *file_priv)
1458 {
1459 #ifndef __DragonFly__
1460 	struct drm_device_dma *dma = dev->dma;
1461 	int retcode = 0;
1462 	unsigned long virtual;
1463 	int i;
1464 
1465 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1466 		return -EINVAL;
1467 
1468 	if (!drm_core_check_feature(dev, DRIVER_HAVE_DMA))
1469 		return -EINVAL;
1470 
1471 	if (!dma)
1472 		return -EINVAL;
1473 
1474 	lockmgr(&dev->buf_lock, LK_EXCLUSIVE);
1475 	if (atomic_read(&dev->buf_alloc)) {
1476 		lockmgr(&dev->buf_lock, LK_RELEASE);
1477 		return -EBUSY;
1478 	}
1479 	dev->buf_use++;		/* Can't allocate more after this call */
1480 	lockmgr(&dev->buf_lock, LK_RELEASE);
1481 
1482 	if (*p >= dma->buf_count) {
1483 		if ((dev->agp && (dma->flags & _DRM_DMA_USE_AGP))
1484 		    || (drm_core_check_feature(dev, DRIVER_SG)
1485 			&& (dma->flags & _DRM_DMA_USE_SG))) {
1486 			struct drm_local_map *map = dev->agp_buffer_map;
1487 			unsigned long token = dev->agp_buffer_token;
1488 
1489 			if (!map) {
1490 				retcode = -EINVAL;
1491 				goto done;
1492 			}
1493 			virtual = vm_mmap(file_priv->filp, 0, map->size,
1494 					  PROT_READ | PROT_WRITE,
1495 					  MAP_SHARED,
1496 					  token, NULL);
1497 		} else {
1498 			virtual = vm_mmap(file_priv->filp, 0, dma->byte_count,
1499 					  PROT_READ | PROT_WRITE,
1500 					  MAP_SHARED,
1501 					  0, NULL);
1502 		}
1503 		if (virtual > -1024UL) {
1504 			/* Real error */
1505 			retcode = (signed long)virtual;
1506 			goto done;
1507 		}
1508 		*v = (void __user *)virtual;
1509 
1510 		for (i = 0; i < dma->buf_count; i++) {
1511 			if (f(data, i, virtual, dma->buflist[i]) < 0) {
1512 				retcode = -EFAULT;
1513 				goto done;
1514 			}
1515 		}
1516 	}
1517       done:
1518 	*p = dma->buf_count;
1519 	DRM_DEBUG("%d buffers, retcode = %d\n", *p, retcode);
1520 
1521 	return retcode;
1522 #else
1523 	return -EINVAL;
1524 #endif
1525 }
1526 
map_one_buf(void * data,int idx,unsigned long virtual,struct drm_buf * buf)1527 static int map_one_buf(void *data, int idx, unsigned long virtual,
1528 			struct drm_buf *buf)
1529 {
1530 #ifndef __DragonFly__
1531 	struct drm_buf_map *request = data;
1532 	unsigned long address = virtual + buf->offset;	/* *** */
1533 
1534 	if (copy_to_user(&request->list[idx].idx, &buf->idx,
1535 			 sizeof(request->list[0].idx)))
1536 		return -EFAULT;
1537 	if (copy_to_user(&request->list[idx].total, &buf->total,
1538 			 sizeof(request->list[0].total)))
1539 		return -EFAULT;
1540 	if (clear_user(&request->list[idx].used, sizeof(int)))
1541 		return -EFAULT;
1542 	if (copy_to_user(&request->list[idx].address, &address,
1543 			 sizeof(address)))
1544 		return -EFAULT;
1545 #endif
1546 	return 0;
1547 }
1548 
drm_legacy_mapbufs(struct drm_device * dev,void * data,struct drm_file * file_priv)1549 int drm_legacy_mapbufs(struct drm_device *dev, void *data,
1550 		       struct drm_file *file_priv)
1551 {
1552 	struct drm_buf_map *request = data;
1553 	return __drm_legacy_mapbufs(dev, data, &request->count,
1554 				    &request->virtual, map_one_buf,
1555 				    file_priv);
1556 }
1557 
drm_legacy_dma_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)1558 int drm_legacy_dma_ioctl(struct drm_device *dev, void *data,
1559 		  struct drm_file *file_priv)
1560 {
1561 	if (!drm_core_check_feature(dev, DRIVER_LEGACY))
1562 		return -EINVAL;
1563 
1564 	if (dev->driver->dma_ioctl)
1565 		return dev->driver->dma_ioctl(dev, data, file_priv);
1566 	else
1567 		return -EINVAL;
1568 }
1569 
drm_legacy_getsarea(struct drm_device * dev)1570 struct drm_local_map *drm_legacy_getsarea(struct drm_device *dev)
1571 {
1572 	struct drm_map_list *entry;
1573 
1574 	list_for_each_entry(entry, &dev->maplist, head) {
1575 		if (entry->map && entry->map->type == _DRM_SHM &&
1576 		    (entry->map->flags & _DRM_CONTAINS_LOCK)) {
1577 			return entry->map;
1578 		}
1579 	}
1580 	return NULL;
1581 }
1582 EXPORT_SYMBOL(drm_legacy_getsarea);
1583