3 * drivers/staging/android/ion/ion.c
5 * Copyright (C) 2011 Google, Inc.
7 * This software is licensed under the terms of the GNU General Public
8 * License version 2, as published by the Free Software Foundation, and
9 * may be copied, distributed, and modified under those terms.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
18 #include <linux/device.h>
19 #include <linux/err.h>
20 #include <linux/file.h>
21 #include <linux/freezer.h>
23 #include <linux/anon_inodes.h>
24 #include <linux/kthread.h>
25 #include <linux/list.h>
26 #include <linux/memblock.h>
27 #include <linux/miscdevice.h>
28 #include <linux/export.h>
30 #include <linux/mm_types.h>
31 #include <linux/rbtree.h>
32 #include <linux/slab.h>
33 #include <linux/seq_file.h>
34 #include <linux/uaccess.h>
35 #include <linux/vmalloc.h>
36 #include <linux/debugfs.h>
37 #include <linux/dma-buf.h>
38 #include <linux/idr.h>
42 #include "compat_ion.h"
45 * struct ion_device - the metadata of the ion device node
46 * @dev: the actual misc device
47 * @buffers: an rb tree of all the existing buffers
48 * @buffer_lock: lock protecting the tree of buffers
49 * @lock: rwsem protecting the tree of heaps and clients
50 * @heaps: list of all the heaps in the system
51 * @user_clients: list of all the clients created from userspace
54 struct miscdevice dev;
55 struct rb_root buffers;
56 struct mutex buffer_lock;
57 struct rw_semaphore lock;
58 struct plist_head heaps;
59 long (*custom_ioctl)(struct ion_client *client, unsigned int cmd,
61 struct rb_root clients;
62 struct dentry *debug_root;
63 struct dentry *heaps_debug_root;
64 struct dentry *clients_debug_root;
68 * struct ion_client - a process/hw block local address space
69 * @node: node in the tree of all clients
70 * @dev: backpointer to ion device
71 * @handles: an rb tree of all the handles in this client
72 * @idr: an idr space for allocating handle ids
73 * @lock: lock protecting the tree of handles
74 * @name: used for debugging
75 * @display_name: used for debugging (unique version of @name)
76 * @display_serial: used for debugging (to make display_name unique)
77 * @task: used for debugging
79 * A client represents a list of buffers this client may access.
80 * The mutex stored here is used to protect both handles tree
81 * as well as the handles themselves, and should be held while modifying either.
85 struct ion_device *dev;
86 struct rb_root handles;
92 struct task_struct *task;
94 struct dentry *debug_root;
98 * ion_handle - a client local reference to a buffer
99 * @ref: reference count
100 * @client: back pointer to the client the buffer resides in
101 * @buffer: pointer to the buffer
102 * @node: node in the client's handle rbtree
103 * @kmap_cnt: count of times this client has mapped to kernel
104 * @id: client-unique id allocated by client->idr
106 * Modifications to node, map_cnt or mapping should be protected by the
107 * lock in the client. Other fields are never changed after initialization.
111 struct ion_client *client;
112 struct ion_buffer *buffer;
114 unsigned int kmap_cnt;
118 bool ion_buffer_fault_user_mappings(struct ion_buffer *buffer)
120 return (buffer->flags & ION_FLAG_CACHED) &&
121 !(buffer->flags & ION_FLAG_CACHED_NEEDS_SYNC);
124 bool ion_buffer_cached(struct ion_buffer *buffer)
126 return !!(buffer->flags & ION_FLAG_CACHED);
129 static inline struct page *ion_buffer_page(struct page *page)
131 return (struct page *)((unsigned long)page & ~(1UL));
134 static inline bool ion_buffer_page_is_dirty(struct page *page)
136 return !!((unsigned long)page & 1UL);
139 static inline void ion_buffer_page_dirty(struct page **page)
141 *page = (struct page *)((unsigned long)(*page) | 1UL);
144 static inline void ion_buffer_page_clean(struct page **page)
146 *page = (struct page *)((unsigned long)(*page) & ~(1UL));
149 /* this function should only be called while dev->lock is held */
150 static void ion_buffer_add(struct ion_device *dev,
151 struct ion_buffer *buffer)
153 struct rb_node **p = &dev->buffers.rb_node;
154 struct rb_node *parent = NULL;
155 struct ion_buffer *entry;
159 entry = rb_entry(parent, struct ion_buffer, node);
161 if (buffer < entry) {
163 } else if (buffer > entry) {
166 pr_err("%s: buffer already found.", __func__);
171 rb_link_node(&buffer->node, parent, p);
172 rb_insert_color(&buffer->node, &dev->buffers);
175 /* this function should only be called while dev->lock is held */
176 static struct ion_buffer *ion_buffer_create(struct ion_heap *heap,
177 struct ion_device *dev,
182 struct ion_buffer *buffer;
183 struct sg_table *table;
184 struct scatterlist *sg;
187 buffer = kzalloc(sizeof(struct ion_buffer), GFP_KERNEL);
189 return ERR_PTR(-ENOMEM);
192 buffer->flags = flags;
193 kref_init(&buffer->ref);
195 ret = heap->ops->allocate(heap, buffer, len, align, flags);
198 if (!(heap->flags & ION_HEAP_FLAG_DEFER_FREE))
201 ion_heap_freelist_drain(heap, 0);
202 ret = heap->ops->allocate(heap, buffer, len, align,
211 table = heap->ops->map_dma(heap, buffer);
212 if (WARN_ONCE(table == NULL,
213 "heap->ops->map_dma should return ERR_PTR on error"))
214 table = ERR_PTR(-EINVAL);
216 heap->ops->free(buffer);
218 return ERR_CAST(table);
220 buffer->sg_table = table;
221 if (ion_buffer_fault_user_mappings(buffer)) {
222 int num_pages = PAGE_ALIGN(buffer->size) / PAGE_SIZE;
223 struct scatterlist *sg;
226 buffer->pages = vmalloc(sizeof(struct page *) * num_pages);
227 if (!buffer->pages) {
232 for_each_sg(table->sgl, sg, table->nents, i) {
233 struct page *page = sg_page(sg);
235 for (j = 0; j < sg->length / PAGE_SIZE; j++)
236 buffer->pages[k++] = page++;
245 INIT_LIST_HEAD(&buffer->vmas);
246 mutex_init(&buffer->lock);
247 /* this will set up dma addresses for the sglist -- it is not
248 technically correct as per the dma api -- a specific
249 device isn't really taking ownership here. However, in practice on
250 our systems the only dma_address space is physical addresses.
251 Additionally, we can't afford the overhead of invalidating every
252 allocation via dma_map_sg. The implicit contract here is that
253 memory coming from the heaps is ready for dma, ie if it has a
254 cached mapping that mapping has been invalidated */
255 for_each_sg(buffer->sg_table->sgl, sg, buffer->sg_table->nents, i)
256 sg_dma_address(sg) = sg_phys(sg);
257 mutex_lock(&dev->buffer_lock);
258 ion_buffer_add(dev, buffer);
259 mutex_unlock(&dev->buffer_lock);
263 heap->ops->unmap_dma(heap, buffer);
264 heap->ops->free(buffer);
266 vfree(buffer->pages);
272 void ion_buffer_destroy(struct ion_buffer *buffer)
274 if (WARN_ON(buffer->kmap_cnt > 0))
275 buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
276 buffer->heap->ops->unmap_dma(buffer->heap, buffer);
277 buffer->heap->ops->free(buffer);
278 vfree(buffer->pages);
282 static void _ion_buffer_destroy(struct kref *kref)
284 struct ion_buffer *buffer = container_of(kref, struct ion_buffer, ref);
285 struct ion_heap *heap = buffer->heap;
286 struct ion_device *dev = buffer->dev;
288 mutex_lock(&dev->buffer_lock);
289 rb_erase(&buffer->node, &dev->buffers);
290 mutex_unlock(&dev->buffer_lock);
292 if (heap->flags & ION_HEAP_FLAG_DEFER_FREE)
293 ion_heap_freelist_add(heap, buffer);
295 ion_buffer_destroy(buffer);
298 static void ion_buffer_get(struct ion_buffer *buffer)
300 kref_get(&buffer->ref);
303 static int ion_buffer_put(struct ion_buffer *buffer)
305 return kref_put(&buffer->ref, _ion_buffer_destroy);
308 static void ion_buffer_add_to_handle(struct ion_buffer *buffer)
310 mutex_lock(&buffer->lock);
311 buffer->handle_count++;
312 mutex_unlock(&buffer->lock);
315 static void ion_buffer_remove_from_handle(struct ion_buffer *buffer)
318 * when a buffer is removed from a handle, if it is not in
319 * any other handles, copy the taskcomm and the pid of the
320 * process it's being removed from into the buffer. At this
321 * point there will be no way to track what processes this buffer is
322 * being used by, it only exists as a dma_buf file descriptor.
323 * The taskcomm and pid can provide a debug hint as to where this fd
326 mutex_lock(&buffer->lock);
327 buffer->handle_count--;
328 BUG_ON(buffer->handle_count < 0);
329 if (!buffer->handle_count) {
330 struct task_struct *task;
332 task = current->group_leader;
333 get_task_comm(buffer->task_comm, task);
334 buffer->pid = task_pid_nr(task);
336 mutex_unlock(&buffer->lock);
339 static struct ion_handle *ion_handle_create(struct ion_client *client,
340 struct ion_buffer *buffer)
342 struct ion_handle *handle;
344 handle = kzalloc(sizeof(struct ion_handle), GFP_KERNEL);
346 return ERR_PTR(-ENOMEM);
347 kref_init(&handle->ref);
348 RB_CLEAR_NODE(&handle->node);
349 handle->client = client;
350 ion_buffer_get(buffer);
351 ion_buffer_add_to_handle(buffer);
352 handle->buffer = buffer;
357 static void ion_handle_kmap_put(struct ion_handle *);
359 static void ion_handle_destroy(struct kref *kref)
361 struct ion_handle *handle = container_of(kref, struct ion_handle, ref);
362 struct ion_client *client = handle->client;
363 struct ion_buffer *buffer = handle->buffer;
365 mutex_lock(&buffer->lock);
366 while (handle->kmap_cnt)
367 ion_handle_kmap_put(handle);
368 mutex_unlock(&buffer->lock);
370 idr_remove(&client->idr, handle->id);
371 if (!RB_EMPTY_NODE(&handle->node))
372 rb_erase(&handle->node, &client->handles);
374 ion_buffer_remove_from_handle(buffer);
375 ion_buffer_put(buffer);
380 struct ion_buffer *ion_handle_buffer(struct ion_handle *handle)
382 return handle->buffer;
385 static void ion_handle_get(struct ion_handle *handle)
387 kref_get(&handle->ref);
390 static int ion_handle_put(struct ion_handle *handle)
392 struct ion_client *client = handle->client;
395 mutex_lock(&client->lock);
396 ret = kref_put(&handle->ref, ion_handle_destroy);
397 mutex_unlock(&client->lock);
402 static struct ion_handle *ion_handle_lookup(struct ion_client *client,
403 struct ion_buffer *buffer)
405 struct rb_node *n = client->handles.rb_node;
408 struct ion_handle *entry = rb_entry(n, struct ion_handle, node);
410 if (buffer < entry->buffer)
412 else if (buffer > entry->buffer)
417 return ERR_PTR(-EINVAL);
420 static struct ion_handle *ion_handle_get_by_id(struct ion_client *client,
423 struct ion_handle *handle;
425 mutex_lock(&client->lock);
426 handle = idr_find(&client->idr, id);
428 ion_handle_get(handle);
429 mutex_unlock(&client->lock);
431 return handle ? handle : ERR_PTR(-EINVAL);
434 static bool ion_handle_validate(struct ion_client *client,
435 struct ion_handle *handle)
437 WARN_ON(!mutex_is_locked(&client->lock));
438 return idr_find(&client->idr, handle->id) == handle;
441 static int ion_handle_add(struct ion_client *client, struct ion_handle *handle)
444 struct rb_node **p = &client->handles.rb_node;
445 struct rb_node *parent = NULL;
446 struct ion_handle *entry;
448 id = idr_alloc(&client->idr, handle, 1, 0, GFP_KERNEL);
456 entry = rb_entry(parent, struct ion_handle, node);
458 if (handle->buffer < entry->buffer)
460 else if (handle->buffer > entry->buffer)
463 WARN(1, "%s: buffer already found.", __func__);
466 rb_link_node(&handle->node, parent, p);
467 rb_insert_color(&handle->node, &client->handles);
472 struct ion_handle *ion_alloc(struct ion_client *client, size_t len,
473 size_t align, unsigned int heap_id_mask,
476 struct ion_handle *handle;
477 struct ion_device *dev = client->dev;
478 struct ion_buffer *buffer = NULL;
479 struct ion_heap *heap;
482 pr_debug("%s: len %zu align %zu heap_id_mask %u flags %x\n", __func__,
483 len, align, heap_id_mask, flags);
485 * traverse the list of heaps available in this system in priority
486 * order. If the heap type is supported by the client, and matches the
487 * request of the caller allocate from it. Repeat until allocate has
488 * succeeded or all heaps have been tried
490 len = PAGE_ALIGN(len);
493 return ERR_PTR(-EINVAL);
495 down_read(&dev->lock);
496 plist_for_each_entry(heap, &dev->heaps, node) {
497 /* if the caller didn't specify this heap id */
498 if (!((1 << heap->id) & heap_id_mask))
500 buffer = ion_buffer_create(heap, dev, len, align, flags);
507 return ERR_PTR(-ENODEV);
510 return ERR_CAST(buffer);
512 handle = ion_handle_create(client, buffer);
515 * ion_buffer_create will create a buffer with a ref_cnt of 1,
516 * and ion_handle_create will take a second reference, drop one here
518 ion_buffer_put(buffer);
523 mutex_lock(&client->lock);
524 ret = ion_handle_add(client, handle);
525 mutex_unlock(&client->lock);
527 ion_handle_put(handle);
528 handle = ERR_PTR(ret);
533 EXPORT_SYMBOL(ion_alloc);
535 void ion_free(struct ion_client *client, struct ion_handle *handle)
539 BUG_ON(client != handle->client);
541 mutex_lock(&client->lock);
542 valid_handle = ion_handle_validate(client, handle);
545 WARN(1, "%s: invalid handle passed to free.\n", __func__);
546 mutex_unlock(&client->lock);
549 mutex_unlock(&client->lock);
550 ion_handle_put(handle);
552 EXPORT_SYMBOL(ion_free);
554 int ion_phys(struct ion_client *client, struct ion_handle *handle,
555 ion_phys_addr_t *addr, size_t *len)
557 struct ion_buffer *buffer;
560 mutex_lock(&client->lock);
561 if (!ion_handle_validate(client, handle)) {
562 mutex_unlock(&client->lock);
566 buffer = handle->buffer;
568 if (!buffer->heap->ops->phys) {
569 pr_err("%s: ion_phys is not implemented by this heap (name=%s, type=%d).\n",
570 __func__, buffer->heap->name, buffer->heap->type);
571 mutex_unlock(&client->lock);
574 mutex_unlock(&client->lock);
575 ret = buffer->heap->ops->phys(buffer->heap, buffer, addr, len);
578 EXPORT_SYMBOL(ion_phys);
580 static void *ion_buffer_kmap_get(struct ion_buffer *buffer)
584 if (buffer->kmap_cnt) {
586 return buffer->vaddr;
588 vaddr = buffer->heap->ops->map_kernel(buffer->heap, buffer);
589 if (WARN_ONCE(vaddr == NULL,
590 "heap->ops->map_kernel should return ERR_PTR on error"))
591 return ERR_PTR(-EINVAL);
594 buffer->vaddr = vaddr;
599 static void *ion_handle_kmap_get(struct ion_handle *handle)
601 struct ion_buffer *buffer = handle->buffer;
604 if (handle->kmap_cnt) {
606 return buffer->vaddr;
608 vaddr = ion_buffer_kmap_get(buffer);
615 static void ion_buffer_kmap_put(struct ion_buffer *buffer)
618 if (!buffer->kmap_cnt) {
619 buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
620 buffer->vaddr = NULL;
624 static void ion_handle_kmap_put(struct ion_handle *handle)
626 struct ion_buffer *buffer = handle->buffer;
628 if (!handle->kmap_cnt) {
629 WARN(1, "%s: Double unmap detected! bailing...\n", __func__);
633 if (!handle->kmap_cnt)
634 ion_buffer_kmap_put(buffer);
637 void *ion_map_kernel(struct ion_client *client, struct ion_handle *handle)
639 struct ion_buffer *buffer;
642 mutex_lock(&client->lock);
643 if (!ion_handle_validate(client, handle)) {
644 pr_err("%s: invalid handle passed to map_kernel.\n",
646 mutex_unlock(&client->lock);
647 return ERR_PTR(-EINVAL);
650 buffer = handle->buffer;
652 if (!handle->buffer->heap->ops->map_kernel) {
653 pr_err("%s: map_kernel is not implemented by this heap.\n",
655 mutex_unlock(&client->lock);
656 return ERR_PTR(-ENODEV);
659 mutex_lock(&buffer->lock);
660 vaddr = ion_handle_kmap_get(handle);
661 mutex_unlock(&buffer->lock);
662 mutex_unlock(&client->lock);
665 EXPORT_SYMBOL(ion_map_kernel);
667 void ion_unmap_kernel(struct ion_client *client, struct ion_handle *handle)
669 struct ion_buffer *buffer;
671 mutex_lock(&client->lock);
672 buffer = handle->buffer;
673 mutex_lock(&buffer->lock);
674 ion_handle_kmap_put(handle);
675 mutex_unlock(&buffer->lock);
676 mutex_unlock(&client->lock);
678 EXPORT_SYMBOL(ion_unmap_kernel);
680 static int ion_debug_client_show(struct seq_file *s, void *unused)
682 struct ion_client *client = s->private;
684 size_t sizes[ION_NUM_HEAP_IDS] = {0};
685 const char *names[ION_NUM_HEAP_IDS] = {NULL};
688 mutex_lock(&client->lock);
689 for (n = rb_first(&client->handles); n; n = rb_next(n)) {
690 struct ion_handle *handle = rb_entry(n, struct ion_handle,
692 unsigned int id = handle->buffer->heap->id;
695 names[id] = handle->buffer->heap->name;
696 sizes[id] += handle->buffer->size;
698 mutex_unlock(&client->lock);
700 seq_printf(s, "%16.16s: %16.16s\n", "heap_name", "size_in_bytes");
701 for (i = 0; i < ION_NUM_HEAP_IDS; i++) {
704 seq_printf(s, "%16.16s: %16zu\n", names[i], sizes[i]);
709 static int ion_debug_client_open(struct inode *inode, struct file *file)
711 return single_open(file, ion_debug_client_show, inode->i_private);
714 static const struct file_operations debug_client_fops = {
715 .open = ion_debug_client_open,
718 .release = single_release,
721 static int ion_get_client_serial(const struct rb_root *root,
722 const unsigned char *name)
725 struct rb_node *node;
727 for (node = rb_first(root); node; node = rb_next(node)) {
728 struct ion_client *client = rb_entry(node, struct ion_client,
731 if (strcmp(client->name, name))
733 serial = max(serial, client->display_serial);
738 struct ion_client *ion_client_create(struct ion_device *dev,
741 struct ion_client *client;
742 struct task_struct *task;
744 struct rb_node *parent = NULL;
745 struct ion_client *entry;
749 pr_err("%s: Name cannot be null\n", __func__);
750 return ERR_PTR(-EINVAL);
753 get_task_struct(current->group_leader);
754 task_lock(current->group_leader);
755 pid = task_pid_nr(current->group_leader);
756 /* don't bother to store task struct for kernel threads,
757 they can't be killed anyway */
758 if (current->group_leader->flags & PF_KTHREAD) {
759 put_task_struct(current->group_leader);
762 task = current->group_leader;
764 task_unlock(current->group_leader);
766 client = kzalloc(sizeof(struct ion_client), GFP_KERNEL);
768 goto err_put_task_struct;
771 client->handles = RB_ROOT;
772 idr_init(&client->idr);
773 mutex_init(&client->lock);
776 client->name = kstrdup(name, GFP_KERNEL);
778 goto err_free_client;
780 down_write(&dev->lock);
781 client->display_serial = ion_get_client_serial(&dev->clients, name);
782 client->display_name = kasprintf(
783 GFP_KERNEL, "%s-%d", name, client->display_serial);
784 if (!client->display_name) {
785 up_write(&dev->lock);
786 goto err_free_client_name;
788 p = &dev->clients.rb_node;
791 entry = rb_entry(parent, struct ion_client, node);
795 else if (client > entry)
798 rb_link_node(&client->node, parent, p);
799 rb_insert_color(&client->node, &dev->clients);
801 client->debug_root = debugfs_create_file(client->display_name, 0664,
802 dev->clients_debug_root,
803 client, &debug_client_fops);
804 if (!client->debug_root) {
805 char buf[256], *path;
807 path = dentry_path(dev->clients_debug_root, buf, 256);
808 pr_err("Failed to create client debugfs at %s/%s\n",
809 path, client->display_name);
812 up_write(&dev->lock);
816 err_free_client_name:
822 put_task_struct(current->group_leader);
823 return ERR_PTR(-ENOMEM);
825 EXPORT_SYMBOL(ion_client_create);
827 void ion_client_destroy(struct ion_client *client)
829 struct ion_device *dev = client->dev;
832 pr_debug("%s: %d\n", __func__, __LINE__);
833 while ((n = rb_first(&client->handles))) {
834 struct ion_handle *handle = rb_entry(n, struct ion_handle,
836 ion_handle_destroy(&handle->ref);
839 idr_destroy(&client->idr);
841 down_write(&dev->lock);
843 put_task_struct(client->task);
844 rb_erase(&client->node, &dev->clients);
845 debugfs_remove_recursive(client->debug_root);
846 up_write(&dev->lock);
848 kfree(client->display_name);
852 EXPORT_SYMBOL(ion_client_destroy);
854 struct sg_table *ion_sg_table(struct ion_client *client,
855 struct ion_handle *handle)
857 struct ion_buffer *buffer;
858 struct sg_table *table;
860 mutex_lock(&client->lock);
861 if (!ion_handle_validate(client, handle)) {
862 pr_err("%s: invalid handle passed to map_dma.\n",
864 mutex_unlock(&client->lock);
865 return ERR_PTR(-EINVAL);
867 buffer = handle->buffer;
868 table = buffer->sg_table;
869 mutex_unlock(&client->lock);
872 EXPORT_SYMBOL(ion_sg_table);
874 static void ion_buffer_sync_for_device(struct ion_buffer *buffer,
876 enum dma_data_direction direction);
878 static struct sg_table *ion_map_dma_buf(struct dma_buf_attachment *attachment,
879 enum dma_data_direction direction)
881 struct dma_buf *dmabuf = attachment->dmabuf;
882 struct ion_buffer *buffer = dmabuf->priv;
884 ion_buffer_sync_for_device(buffer, attachment->dev, direction);
885 return buffer->sg_table;
888 static void ion_unmap_dma_buf(struct dma_buf_attachment *attachment,
889 struct sg_table *table,
890 enum dma_data_direction direction)
894 void ion_pages_sync_for_device(struct device *dev, struct page *page,
895 size_t size, enum dma_data_direction dir)
897 struct scatterlist sg;
899 sg_init_table(&sg, 1);
900 sg_set_page(&sg, page, size, 0);
902 * This is not correct - sg_dma_address needs a dma_addr_t that is valid
903 * for the targeted device, but this works on the currently targeted
906 sg_dma_address(&sg) = page_to_phys(page);
907 dma_sync_sg_for_device(dev, &sg, 1, dir);
910 struct ion_vma_list {
911 struct list_head list;
912 struct vm_area_struct *vma;
915 static void ion_buffer_sync_for_device(struct ion_buffer *buffer,
917 enum dma_data_direction dir)
919 struct ion_vma_list *vma_list;
920 int pages = PAGE_ALIGN(buffer->size) / PAGE_SIZE;
923 pr_debug("%s: syncing for device %s\n", __func__,
924 dev ? dev_name(dev) : "null");
926 if (!ion_buffer_fault_user_mappings(buffer))
929 mutex_lock(&buffer->lock);
930 for (i = 0; i < pages; i++) {
931 struct page *page = buffer->pages[i];
933 if (ion_buffer_page_is_dirty(page))
934 ion_pages_sync_for_device(dev, ion_buffer_page(page),
937 ion_buffer_page_clean(buffer->pages + i);
939 list_for_each_entry(vma_list, &buffer->vmas, list) {
940 struct vm_area_struct *vma = vma_list->vma;
942 zap_page_range(vma, vma->vm_start, vma->vm_end - vma->vm_start,
945 mutex_unlock(&buffer->lock);
948 static int ion_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
950 struct ion_buffer *buffer = vma->vm_private_data;
954 mutex_lock(&buffer->lock);
955 ion_buffer_page_dirty(buffer->pages + vmf->pgoff);
956 BUG_ON(!buffer->pages || !buffer->pages[vmf->pgoff]);
958 pfn = page_to_pfn(ion_buffer_page(buffer->pages[vmf->pgoff]));
959 ret = vm_insert_pfn(vma, (unsigned long)vmf->virtual_address, pfn);
960 mutex_unlock(&buffer->lock);
962 return VM_FAULT_ERROR;
964 return VM_FAULT_NOPAGE;
967 static void ion_vm_open(struct vm_area_struct *vma)
969 struct ion_buffer *buffer = vma->vm_private_data;
970 struct ion_vma_list *vma_list;
972 vma_list = kmalloc(sizeof(struct ion_vma_list), GFP_KERNEL);
976 mutex_lock(&buffer->lock);
977 list_add(&vma_list->list, &buffer->vmas);
978 mutex_unlock(&buffer->lock);
979 pr_debug("%s: adding %p\n", __func__, vma);
982 static void ion_vm_close(struct vm_area_struct *vma)
984 struct ion_buffer *buffer = vma->vm_private_data;
985 struct ion_vma_list *vma_list, *tmp;
987 pr_debug("%s\n", __func__);
988 mutex_lock(&buffer->lock);
989 list_for_each_entry_safe(vma_list, tmp, &buffer->vmas, list) {
990 if (vma_list->vma != vma)
992 list_del(&vma_list->list);
994 pr_debug("%s: deleting %p\n", __func__, vma);
997 mutex_unlock(&buffer->lock);
1000 static struct vm_operations_struct ion_vma_ops = {
1001 .open = ion_vm_open,
1002 .close = ion_vm_close,
1003 .fault = ion_vm_fault,
1006 static int ion_mmap(struct dma_buf *dmabuf, struct vm_area_struct *vma)
1008 struct ion_buffer *buffer = dmabuf->priv;
1011 if (!buffer->heap->ops->map_user) {
1012 pr_err("%s: this heap does not define a method for mapping to userspace\n",
1017 if (ion_buffer_fault_user_mappings(buffer)) {
1018 vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND |
1020 vma->vm_private_data = buffer;
1021 vma->vm_ops = &ion_vma_ops;
1026 if (!(buffer->flags & ION_FLAG_CACHED))
1027 vma->vm_page_prot = pgprot_writecombine(vma->vm_page_prot);
1029 mutex_lock(&buffer->lock);
1030 /* now map it to userspace */
1031 ret = buffer->heap->ops->map_user(buffer->heap, buffer, vma);
1032 mutex_unlock(&buffer->lock);
1035 pr_err("%s: failure mapping buffer to userspace\n",
1041 static void ion_dma_buf_release(struct dma_buf *dmabuf)
1043 struct ion_buffer *buffer = dmabuf->priv;
1045 ion_buffer_put(buffer);
1048 static void *ion_dma_buf_kmap(struct dma_buf *dmabuf, unsigned long offset)
1050 struct ion_buffer *buffer = dmabuf->priv;
1052 return buffer->vaddr + offset * PAGE_SIZE;
1055 static void ion_dma_buf_kunmap(struct dma_buf *dmabuf, unsigned long offset,
1060 static int ion_dma_buf_begin_cpu_access(struct dma_buf *dmabuf, size_t start,
1062 enum dma_data_direction direction)
1064 struct ion_buffer *buffer = dmabuf->priv;
1067 if (!buffer->heap->ops->map_kernel) {
1068 pr_err("%s: map kernel is not implemented by this heap.\n",
1073 mutex_lock(&buffer->lock);
1074 vaddr = ion_buffer_kmap_get(buffer);
1075 mutex_unlock(&buffer->lock);
1076 return PTR_ERR_OR_ZERO(vaddr);
1079 static void ion_dma_buf_end_cpu_access(struct dma_buf *dmabuf, size_t start,
1081 enum dma_data_direction direction)
1083 struct ion_buffer *buffer = dmabuf->priv;
1085 mutex_lock(&buffer->lock);
1086 ion_buffer_kmap_put(buffer);
1087 mutex_unlock(&buffer->lock);
1090 static struct dma_buf_ops dma_buf_ops = {
1091 .map_dma_buf = ion_map_dma_buf,
1092 .unmap_dma_buf = ion_unmap_dma_buf,
1094 .release = ion_dma_buf_release,
1095 .begin_cpu_access = ion_dma_buf_begin_cpu_access,
1096 .end_cpu_access = ion_dma_buf_end_cpu_access,
1097 .kmap_atomic = ion_dma_buf_kmap,
1098 .kunmap_atomic = ion_dma_buf_kunmap,
1099 .kmap = ion_dma_buf_kmap,
1100 .kunmap = ion_dma_buf_kunmap,
1103 struct dma_buf *ion_share_dma_buf(struct ion_client *client,
1104 struct ion_handle *handle)
1106 struct ion_buffer *buffer;
1107 struct dma_buf *dmabuf;
1110 mutex_lock(&client->lock);
1111 valid_handle = ion_handle_validate(client, handle);
1112 if (!valid_handle) {
1113 WARN(1, "%s: invalid handle passed to share.\n", __func__);
1114 mutex_unlock(&client->lock);
1115 return ERR_PTR(-EINVAL);
1117 buffer = handle->buffer;
1118 ion_buffer_get(buffer);
1119 mutex_unlock(&client->lock);
1121 dmabuf = dma_buf_export(buffer, &dma_buf_ops, buffer->size, O_RDWR,
1123 if (IS_ERR(dmabuf)) {
1124 ion_buffer_put(buffer);
1130 EXPORT_SYMBOL(ion_share_dma_buf);
1132 int ion_share_dma_buf_fd(struct ion_client *client, struct ion_handle *handle)
1134 struct dma_buf *dmabuf;
1137 dmabuf = ion_share_dma_buf(client, handle);
1139 return PTR_ERR(dmabuf);
1141 fd = dma_buf_fd(dmabuf, O_CLOEXEC);
1143 dma_buf_put(dmabuf);
1147 EXPORT_SYMBOL(ion_share_dma_buf_fd);
1149 struct ion_handle *ion_import_dma_buf(struct ion_client *client, int fd)
1151 struct dma_buf *dmabuf;
1152 struct ion_buffer *buffer;
1153 struct ion_handle *handle;
1156 dmabuf = dma_buf_get(fd);
1158 return ERR_CAST(dmabuf);
1159 /* if this memory came from ion */
1161 if (dmabuf->ops != &dma_buf_ops) {
1162 pr_err("%s: can not import dmabuf from another exporter\n",
1164 dma_buf_put(dmabuf);
1165 return ERR_PTR(-EINVAL);
1167 buffer = dmabuf->priv;
1169 mutex_lock(&client->lock);
1170 /* if a handle exists for this buffer just take a reference to it */
1171 handle = ion_handle_lookup(client, buffer);
1172 if (!IS_ERR(handle)) {
1173 ion_handle_get(handle);
1174 mutex_unlock(&client->lock);
1177 mutex_unlock(&client->lock);
1179 handle = ion_handle_create(client, buffer);
1183 mutex_lock(&client->lock);
1184 ret = ion_handle_add(client, handle);
1185 mutex_unlock(&client->lock);
1187 ion_handle_put(handle);
1188 handle = ERR_PTR(ret);
1192 dma_buf_put(dmabuf);
1195 EXPORT_SYMBOL(ion_import_dma_buf);
1197 static int ion_sync_for_device(struct ion_client *client, int fd)
1199 struct dma_buf *dmabuf;
1200 struct ion_buffer *buffer;
1202 dmabuf = dma_buf_get(fd);
1204 return PTR_ERR(dmabuf);
1206 /* if this memory came from ion */
1207 if (dmabuf->ops != &dma_buf_ops) {
1208 pr_err("%s: can not sync dmabuf from another exporter\n",
1210 dma_buf_put(dmabuf);
1213 buffer = dmabuf->priv;
1215 dma_sync_sg_for_device(NULL, buffer->sg_table->sgl,
1216 buffer->sg_table->nents, DMA_BIDIRECTIONAL);
1217 dma_buf_put(dmabuf);
1221 /* fix up the cases where the ioctl direction bits are incorrect */
1222 static unsigned int ion_ioctl_dir(unsigned int cmd)
1227 case ION_IOC_CUSTOM:
1230 return _IOC_DIR(cmd);
1234 static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
1236 struct ion_client *client = filp->private_data;
1237 struct ion_device *dev = client->dev;
1238 struct ion_handle *cleanup_handle = NULL;
1243 struct ion_fd_data fd;
1244 struct ion_allocation_data allocation;
1245 struct ion_handle_data handle;
1246 struct ion_custom_data custom;
1249 dir = ion_ioctl_dir(cmd);
1251 if (_IOC_SIZE(cmd) > sizeof(data))
1254 if (dir & _IOC_WRITE)
1255 if (copy_from_user(&data, (void __user *)arg, _IOC_SIZE(cmd)))
1261 struct ion_handle *handle;
1263 handle = ion_alloc(client, data.allocation.len,
1264 data.allocation.align,
1265 data.allocation.heap_id_mask,
1266 data.allocation.flags);
1268 return PTR_ERR(handle);
1270 data.allocation.handle = handle->id;
1272 cleanup_handle = handle;
1277 struct ion_handle *handle;
1279 handle = ion_handle_get_by_id(client, data.handle.handle);
1281 return PTR_ERR(handle);
1282 ion_free(client, handle);
1283 ion_handle_put(handle);
1289 struct ion_handle *handle;
1291 handle = ion_handle_get_by_id(client, data.handle.handle);
1293 return PTR_ERR(handle);
1294 data.fd.fd = ion_share_dma_buf_fd(client, handle);
1295 ion_handle_put(handle);
1300 case ION_IOC_IMPORT:
1302 struct ion_handle *handle;
1304 handle = ion_import_dma_buf(client, data.fd.fd);
1306 ret = PTR_ERR(handle);
1308 data.handle.handle = handle->id;
1313 ret = ion_sync_for_device(client, data.fd.fd);
1316 case ION_IOC_CUSTOM:
1318 if (!dev->custom_ioctl)
1320 ret = dev->custom_ioctl(client, data.custom.cmd,
1328 if (dir & _IOC_READ) {
1329 if (copy_to_user((void __user *)arg, &data, _IOC_SIZE(cmd))) {
1331 ion_free(client, cleanup_handle);
1338 static int ion_release(struct inode *inode, struct file *file)
1340 struct ion_client *client = file->private_data;
1342 pr_debug("%s: %d\n", __func__, __LINE__);
1343 ion_client_destroy(client);
1347 static int ion_open(struct inode *inode, struct file *file)
1349 struct miscdevice *miscdev = file->private_data;
1350 struct ion_device *dev = container_of(miscdev, struct ion_device, dev);
1351 struct ion_client *client;
1352 char debug_name[64];
1354 pr_debug("%s: %d\n", __func__, __LINE__);
1355 snprintf(debug_name, 64, "%u", task_pid_nr(current->group_leader));
1356 client = ion_client_create(dev, debug_name);
1358 return PTR_ERR(client);
1359 file->private_data = client;
1364 static const struct file_operations ion_fops = {
1365 .owner = THIS_MODULE,
1367 .release = ion_release,
1368 .unlocked_ioctl = ion_ioctl,
1369 .compat_ioctl = compat_ion_ioctl,
1372 static size_t ion_debug_heap_total(struct ion_client *client,
1378 mutex_lock(&client->lock);
1379 for (n = rb_first(&client->handles); n; n = rb_next(n)) {
1380 struct ion_handle *handle = rb_entry(n,
1383 if (handle->buffer->heap->id == id)
1384 size += handle->buffer->size;
1386 mutex_unlock(&client->lock);
1390 static int ion_debug_heap_show(struct seq_file *s, void *unused)
1392 struct ion_heap *heap = s->private;
1393 struct ion_device *dev = heap->dev;
1395 size_t total_size = 0;
1396 size_t total_orphaned_size = 0;
1398 seq_printf(s, "%16s %16s %16s\n", "client", "pid", "size");
1399 seq_puts(s, "----------------------------------------------------\n");
1401 for (n = rb_first(&dev->clients); n; n = rb_next(n)) {
1402 struct ion_client *client = rb_entry(n, struct ion_client,
1404 size_t size = ion_debug_heap_total(client, heap->id);
1409 char task_comm[TASK_COMM_LEN];
1411 get_task_comm(task_comm, client->task);
1412 seq_printf(s, "%16s %16u %16zu\n", task_comm,
1415 seq_printf(s, "%16s %16u %16zu\n", client->name,
1419 seq_puts(s, "----------------------------------------------------\n");
1420 seq_puts(s, "orphaned allocations (info is from last known client):\n");
1421 mutex_lock(&dev->buffer_lock);
1422 for (n = rb_first(&dev->buffers); n; n = rb_next(n)) {
1423 struct ion_buffer *buffer = rb_entry(n, struct ion_buffer,
1425 if (buffer->heap->id != heap->id)
1427 total_size += buffer->size;
1428 if (!buffer->handle_count) {
1429 seq_printf(s, "%16s %16u %16zu %d %d\n",
1430 buffer->task_comm, buffer->pid,
1431 buffer->size, buffer->kmap_cnt,
1432 atomic_read(&buffer->ref.refcount));
1433 total_orphaned_size += buffer->size;
1436 mutex_unlock(&dev->buffer_lock);
1437 seq_puts(s, "----------------------------------------------------\n");
1438 seq_printf(s, "%16s %16zu\n", "total orphaned",
1439 total_orphaned_size);
1440 seq_printf(s, "%16s %16zu\n", "total ", total_size);
1441 if (heap->flags & ION_HEAP_FLAG_DEFER_FREE)
1442 seq_printf(s, "%16s %16zu\n", "deferred free",
1443 heap->free_list_size);
1444 seq_puts(s, "----------------------------------------------------\n");
1446 if (heap->debug_show)
1447 heap->debug_show(heap, s, unused);
1452 static int ion_debug_heap_open(struct inode *inode, struct file *file)
1454 return single_open(file, ion_debug_heap_show, inode->i_private);
1457 static const struct file_operations debug_heap_fops = {
1458 .open = ion_debug_heap_open,
1460 .llseek = seq_lseek,
1461 .release = single_release,
1464 #ifdef DEBUG_HEAP_SHRINKER
1465 static int debug_shrink_set(void *data, u64 val)
1467 struct ion_heap *heap = data;
1468 struct shrink_control sc;
1477 objs = heap->shrinker.shrink(&heap->shrinker, &sc);
1478 sc.nr_to_scan = objs;
1480 heap->shrinker.shrink(&heap->shrinker, &sc);
1484 static int debug_shrink_get(void *data, u64 *val)
1486 struct ion_heap *heap = data;
1487 struct shrink_control sc;
1493 objs = heap->shrinker.shrink(&heap->shrinker, &sc);
1498 DEFINE_SIMPLE_ATTRIBUTE(debug_shrink_fops, debug_shrink_get,
1499 debug_shrink_set, "%llu\n");
1502 void ion_device_add_heap(struct ion_device *dev, struct ion_heap *heap)
1504 struct dentry *debug_file;
1506 if (!heap->ops->allocate || !heap->ops->free || !heap->ops->map_dma ||
1507 !heap->ops->unmap_dma)
1508 pr_err("%s: can not add heap with invalid ops struct.\n",
1511 spin_lock_init(&heap->free_lock);
1512 heap->free_list_size = 0;
1514 if (heap->flags & ION_HEAP_FLAG_DEFER_FREE)
1515 ion_heap_init_deferred_free(heap);
1517 if ((heap->flags & ION_HEAP_FLAG_DEFER_FREE) || heap->ops->shrink)
1518 ion_heap_init_shrinker(heap);
1521 down_write(&dev->lock);
1522 /* use negative heap->id to reverse the priority -- when traversing
1523 the list later attempt higher id numbers first */
1524 plist_node_init(&heap->node, -heap->id);
1525 plist_add(&heap->node, &dev->heaps);
1526 debug_file = debugfs_create_file(heap->name, 0664,
1527 dev->heaps_debug_root, heap,
1531 char buf[256], *path;
1533 path = dentry_path(dev->heaps_debug_root, buf, 256);
1534 pr_err("Failed to create heap debugfs at %s/%s\n",
1538 #ifdef DEBUG_HEAP_SHRINKER
1539 if (heap->shrinker.shrink) {
1540 char debug_name[64];
1542 snprintf(debug_name, 64, "%s_shrink", heap->name);
1543 debug_file = debugfs_create_file(
1544 debug_name, 0644, dev->heaps_debug_root, heap,
1545 &debug_shrink_fops);
1547 char buf[256], *path;
1549 path = dentry_path(dev->heaps_debug_root, buf, 256);
1550 pr_err("Failed to create heap shrinker debugfs at %s/%s\n",
1555 up_write(&dev->lock);
1558 struct ion_device *ion_device_create(long (*custom_ioctl)
1559 (struct ion_client *client,
1563 struct ion_device *idev;
1566 idev = kzalloc(sizeof(struct ion_device), GFP_KERNEL);
1568 return ERR_PTR(-ENOMEM);
1570 idev->dev.minor = MISC_DYNAMIC_MINOR;
1571 idev->dev.name = "ion";
1572 idev->dev.fops = &ion_fops;
1573 idev->dev.parent = NULL;
1574 ret = misc_register(&idev->dev);
1576 pr_err("ion: failed to register misc device.\n");
1577 return ERR_PTR(ret);
1580 idev->debug_root = debugfs_create_dir("ion", NULL);
1581 if (!idev->debug_root) {
1582 pr_err("ion: failed to create debugfs root directory.\n");
1585 idev->heaps_debug_root = debugfs_create_dir("heaps", idev->debug_root);
1586 if (!idev->heaps_debug_root) {
1587 pr_err("ion: failed to create debugfs heaps directory.\n");
1590 idev->clients_debug_root = debugfs_create_dir("clients",
1592 if (!idev->clients_debug_root)
1593 pr_err("ion: failed to create debugfs clients directory.\n");
1597 idev->custom_ioctl = custom_ioctl;
1598 idev->buffers = RB_ROOT;
1599 mutex_init(&idev->buffer_lock);
1600 init_rwsem(&idev->lock);
1601 plist_head_init(&idev->heaps);
1602 idev->clients = RB_ROOT;
1606 void ion_device_destroy(struct ion_device *dev)
1608 misc_deregister(&dev->dev);
1609 debugfs_remove_recursive(dev->debug_root);
1610 /* XXX need to free the heaps and clients ? */
1614 void __init ion_reserve(struct ion_platform_data *data)
1618 for (i = 0; i < data->nr; i++) {
1619 if (data->heaps[i].size == 0)
1622 if (data->heaps[i].base == 0) {
1625 paddr = memblock_alloc_base(data->heaps[i].size,
1626 data->heaps[i].align,
1627 MEMBLOCK_ALLOC_ANYWHERE);
1629 pr_err("%s: error allocating memblock for heap %d\n",
1633 data->heaps[i].base = paddr;
1635 int ret = memblock_reserve(data->heaps[i].base,
1636 data->heaps[i].size);
1638 pr_err("memblock reserve of %zx@%lx failed\n",
1639 data->heaps[i].size,
1640 data->heaps[i].base);
1642 pr_info("%s: %s reserved base %lx size %zu\n", __func__,
1643 data->heaps[i].name,
1644 data->heaps[i].base,
1645 data->heaps[i].size);