search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
IB: Fix information leak in marshalling code
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / drivers / media / video / videobuf-dma-sg.c
blob2ad0bc252b0eaed1612ddaac477d21f6d7033b0c
1 /*
2 * helper functions for SG DMA video4linux capture buffers
3 *
4 * The functions expect the hardware being able to scatter gather
5 * (i.e. the buffers are not linear in physical memory, but fragmented
6 * into PAGE_SIZE chunks). They also assume the driver does not need
7 * to touch the video data.
8 *
9 * (c) 2007 Mauro Carvalho Chehab, <mchehab@infradead.org>
10 *
11 * Highly based on video-buf written originally by:
12 * (c) 2001,02 Gerd Knorr <kraxel@bytesex.org>
13 * (c) 2006 Mauro Carvalho Chehab, <mchehab@infradead.org>
14 * (c) 2006 Ted Walther and John Sokol
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License as published by
18 * the Free Software Foundation; either version 2
19 */
20
21 #include <linux/init.h>
22 #include <linux/module.h>
23 #include <linux/moduleparam.h>
24 #include <linux/sched.h>
25 #include <linux/slab.h>
26 #include <linux/interrupt.h>
27
28 #include <linux/dma-mapping.h>
29 #include <linux/vmalloc.h>
30 #include <linux/pagemap.h>
31 #include <linux/scatterlist.h>
32 #include <asm/page.h>
33 #include <asm/pgtable.h>
34
35 #include <media/videobuf-dma-sg.h>
36
37 #define MAGIC_DMABUF 0x19721112
38 #define MAGIC_SG_MEM 0x17890714
39
40 #define MAGIC_CHECK(is, should) \
41 if (unlikely((is) != (should))) { \
42 printk(KERN_ERR "magic mismatch: %x (expected %x)\n", \
43 is, should); \
44 BUG(); \
45 }
46
47 static int debug;
48 module_param(debug, int, 0644);
49
50 MODULE_DESCRIPTION("helper module to manage video4linux dma sg buffers");
51 MODULE_AUTHOR("Mauro Carvalho Chehab <mchehab@infradead.org>");
52 MODULE_LICENSE("GPL");
53
54 #define dprintk(level, fmt, arg...) \
55 if (debug >= level) \
56 printk(KERN_DEBUG "vbuf-sg: " fmt , ## arg)
57
58 /* --------------------------------------------------------------------- */
59
60 /*
61 * Return a scatterlist for some page-aligned vmalloc()'ed memory
62 * block (NULL on errors). Memory for the scatterlist is allocated
63 * using kmalloc. The caller must free the memory.
64 */
65 static struct scatterlist *videobuf_vmalloc_to_sg(unsigned char *virt,
66 int nr_pages)
67 {
68 struct scatterlist *sglist;
69 struct page *pg;
70 int i;
71
72 sglist = vmalloc(nr_pages * sizeof(*sglist));
73 if (NULL == sglist)
74 return NULL;
75 memset(sglist, 0, nr_pages * sizeof(*sglist));
76 sg_init_table(sglist, nr_pages);
77 for (i = 0; i < nr_pages; i++, virt += PAGE_SIZE) {
78 pg = vmalloc_to_page(virt);
79 if (NULL == pg)
80 goto err;
81 BUG_ON(PageHighMem(pg));
82 sg_set_page(&sglist[i], pg, PAGE_SIZE, 0);
83 }
84 return sglist;
85
86 err:
87 vfree(sglist);
88 return NULL;
89 }
90
91 /*
92 * Return a scatterlist for a an array of userpages (NULL on errors).
93 * Memory for the scatterlist is allocated using kmalloc. The caller
94 * must free the memory.
95 */
96 static struct scatterlist *videobuf_pages_to_sg(struct page **pages,
97 int nr_pages, int offset, size_t size)
98 {
99 struct scatterlist *sglist;
100 int i;
101
102 if (NULL == pages[0])
103 return NULL;
104 sglist = vmalloc(nr_pages * sizeof(*sglist));
105 if (NULL == sglist)
106 return NULL;
107 sg_init_table(sglist, nr_pages);
108
109 if (PageHighMem(pages[0]))
110 /* DMA to highmem pages might not work */
111 goto highmem;
112 sg_set_page(&sglist[0], pages[0], PAGE_SIZE - offset, offset);
113 size -= PAGE_SIZE - offset;
114 for (i = 1; i < nr_pages; i++) {
115 if (NULL == pages[i])
116 goto nopage;
117 if (PageHighMem(pages[i]))
118 goto highmem;
119 sg_set_page(&sglist[i], pages[i], min(PAGE_SIZE, size), 0);
120 size -= min(PAGE_SIZE, size);
121 }
122 return sglist;
123
124 nopage:
125 dprintk(2, "sgl: oops - no page\n");
126 vfree(sglist);
127 return NULL;
128
129 highmem:
130 dprintk(2, "sgl: oops - highmem page\n");
131 vfree(sglist);
132 return NULL;
133 }
134
135 /* --------------------------------------------------------------------- */
136
137 struct videobuf_dmabuf *videobuf_to_dma(struct videobuf_buffer *buf)
138 {
139 struct videobuf_dma_sg_memory *mem = buf->priv;
140 BUG_ON(!mem);
141
142 MAGIC_CHECK(mem->magic, MAGIC_SG_MEM);
143
144 return &mem->dma;
145 }
146 EXPORT_SYMBOL_GPL(videobuf_to_dma);
147
148 void videobuf_dma_init(struct videobuf_dmabuf *dma)
149 {
150 memset(dma, 0, sizeof(*dma));
151 dma->magic = MAGIC_DMABUF;
152 }
153 EXPORT_SYMBOL_GPL(videobuf_dma_init);
154
155 static int videobuf_dma_init_user_locked(struct videobuf_dmabuf *dma,
156 int direction, unsigned long data, unsigned long size)
157 {
158 unsigned long first, last;
159 int err, rw = 0;
160
161 dma->direction = direction;
162 switch (dma->direction) {
163 case DMA_FROM_DEVICE:
164 rw = READ;
165 break;
166 case DMA_TO_DEVICE:
167 rw = WRITE;
168 break;
169 default:
170 BUG();
171 }
172
173 first = (data & PAGE_MASK) >> PAGE_SHIFT;
174 last = ((data+size-1) & PAGE_MASK) >> PAGE_SHIFT;
175 dma->offset = data & ~PAGE_MASK;
176 dma->size = size;
177 dma->nr_pages = last-first+1;
178 dma->pages = kmalloc(dma->nr_pages * sizeof(struct page *), GFP_KERNEL);
179 if (NULL == dma->pages)
180 return -ENOMEM;
181
182 dprintk(1, "init user [0x%lx+0x%lx => %d pages]\n",
183 data, size, dma->nr_pages);
184
185 err = get_user_pages(current, current->mm,
186 data & PAGE_MASK, dma->nr_pages,
187 rw == READ, 1, /* force */
188 dma->pages, NULL);
189
190 if (err != dma->nr_pages) {
191 dma->nr_pages = (err >= 0) ? err : 0;
192 dprintk(1, "get_user_pages: err=%d [%d]\n", err, dma->nr_pages);
193 return err < 0 ? err : -EINVAL;
194 }
195 return 0;
196 }
197
198 int videobuf_dma_init_user(struct videobuf_dmabuf *dma, int direction,
199 unsigned long data, unsigned long size)
200 {
201 int ret;
202
203 down_read(&current->mm->mmap_sem);
204 ret = videobuf_dma_init_user_locked(dma, direction, data, size);
205 up_read(&current->mm->mmap_sem);
206
207 return ret;
208 }
209 EXPORT_SYMBOL_GPL(videobuf_dma_init_user);
210
211 int videobuf_dma_init_kernel(struct videobuf_dmabuf *dma, int direction,
212 int nr_pages)
213 {
214 dprintk(1, "init kernel [%d pages]\n", nr_pages);
215
216 dma->direction = direction;
217 dma->vaddr = vmalloc_32(nr_pages << PAGE_SHIFT);
218 if (NULL == dma->vaddr) {
219 dprintk(1, "vmalloc_32(%d pages) failed\n", nr_pages);
220 return -ENOMEM;
221 }
222
223 dprintk(1, "vmalloc is at addr 0x%08lx, size=%d\n",
224 (unsigned long)dma->vaddr,
225 nr_pages << PAGE_SHIFT);
226
227 memset(dma->vaddr, 0, nr_pages << PAGE_SHIFT);
228 dma->nr_pages = nr_pages;
229
230 return 0;
231 }
232 EXPORT_SYMBOL_GPL(videobuf_dma_init_kernel);
233
234 int videobuf_dma_init_overlay(struct videobuf_dmabuf *dma, int direction,
235 dma_addr_t addr, int nr_pages)
236 {
237 dprintk(1, "init overlay [%d pages @ bus 0x%lx]\n",
238 nr_pages, (unsigned long)addr);
239 dma->direction = direction;
240
241 if (0 == addr)
242 return -EINVAL;
243
244 dma->bus_addr = addr;
245 dma->nr_pages = nr_pages;
246
247 return 0;
248 }
249 EXPORT_SYMBOL_GPL(videobuf_dma_init_overlay);
250
251 int videobuf_dma_map(struct device *dev, struct videobuf_dmabuf *dma)
252 {
253 MAGIC_CHECK(dma->magic, MAGIC_DMABUF);
254 BUG_ON(0 == dma->nr_pages);
255
256 if (dma->pages) {
257 dma->sglist = videobuf_pages_to_sg(dma->pages, dma->nr_pages,
258 dma->offset, dma->size);
259 }
260 if (dma->vaddr) {
261 dma->sglist = videobuf_vmalloc_to_sg(dma->vaddr,
262 dma->nr_pages);
263 }
264 if (dma->bus_addr) {
265 dma->sglist = vmalloc(sizeof(*dma->sglist));
266 if (NULL != dma->sglist) {
267 dma->sglen = 1;
268 sg_dma_address(&dma->sglist[0]) = dma->bus_addr
269 & PAGE_MASK;
270 dma->sglist[0].offset = dma->bus_addr & ~PAGE_MASK;
271 sg_dma_len(&dma->sglist[0]) = dma->nr_pages * PAGE_SIZE;
272 }
273 }
274 if (NULL == dma->sglist) {
275 dprintk(1, "scatterlist is NULL\n");
276 return -ENOMEM;
277 }
278 if (!dma->bus_addr) {
279 dma->sglen = dma_map_sg(dev, dma->sglist,
280 dma->nr_pages, dma->direction);
281 if (0 == dma->sglen) {
282 printk(KERN_WARNING
283 "%s: videobuf_map_sg failed\n", __func__);
284 vfree(dma->sglist);
285 dma->sglist = NULL;
286 dma->sglen = 0;
287 return -ENOMEM;
288 }
289 }
290
291 return 0;
292 }
293 EXPORT_SYMBOL_GPL(videobuf_dma_map);
294
295 int videobuf_dma_unmap(struct device *dev, struct videobuf_dmabuf *dma)
296 {
297 MAGIC_CHECK(dma->magic, MAGIC_DMABUF);
298
299 if (!dma->sglen)
300 return 0;
301
302 dma_unmap_sg(dev, dma->sglist, dma->sglen, dma->direction);
303
304 vfree(dma->sglist);
305 dma->sglist = NULL;
306 dma->sglen = 0;
307
308 return 0;
309 }
310 EXPORT_SYMBOL_GPL(videobuf_dma_unmap);
311
312 int videobuf_dma_free(struct videobuf_dmabuf *dma)
313 {
314 int i;
315 MAGIC_CHECK(dma->magic, MAGIC_DMABUF);
316 BUG_ON(dma->sglen);
317
318 if (dma->pages) {
319 for (i = 0; i < dma->nr_pages; i++)
320 page_cache_release(dma->pages[i]);
321 kfree(dma->pages);
322 dma->pages = NULL;
323 }
324
325 vfree(dma->vaddr);
326 dma->vaddr = NULL;
327
328 if (dma->bus_addr)
329 dma->bus_addr = 0;
330 dma->direction = DMA_NONE;
331
332 return 0;
333 }
334 EXPORT_SYMBOL_GPL(videobuf_dma_free);
335
336 /* --------------------------------------------------------------------- */
337
338 static void videobuf_vm_open(struct vm_area_struct *vma)
339 {
340 struct videobuf_mapping *map = vma->vm_private_data;
341
342 dprintk(2, "vm_open %p [count=%d,vma=%08lx-%08lx]\n", map,
343 map->count, vma->vm_start, vma->vm_end);
344
345 map->count++;
346 }
347
348 static void videobuf_vm_close(struct vm_area_struct *vma)
349 {
350 struct videobuf_mapping *map = vma->vm_private_data;
351 struct videobuf_queue *q = map->q;
352 struct videobuf_dma_sg_memory *mem;
353 int i;
354
355 dprintk(2, "vm_close %p [count=%d,vma=%08lx-%08lx]\n", map,
356 map->count, vma->vm_start, vma->vm_end);
357
358 map->count--;
359 if (0 == map->count) {
360 dprintk(1, "munmap %p q=%p\n", map, q);
361 mutex_lock(&q->vb_lock);
362 for (i = 0; i < VIDEO_MAX_FRAME; i++) {
363 if (NULL == q->bufs[i])
364 continue;
365 mem = q->bufs[i]->priv;
366 if (!mem)
367 continue;
368
369 MAGIC_CHECK(mem->magic, MAGIC_SG_MEM);
370
371 if (q->bufs[i]->map != map)
372 continue;
373 q->bufs[i]->map = NULL;
374 q->bufs[i]->baddr = 0;
375 q->ops->buf_release(q, q->bufs[i]);
376 }
377 mutex_unlock(&q->vb_lock);
378 kfree(map);
379 }
380 return;
381 }
382
383 /*
384 * Get a anonymous page for the mapping. Make sure we can DMA to that
385 * memory location with 32bit PCI devices (i.e. don't use highmem for
386 * now ...). Bounce buffers don't work very well for the data rates
387 * video capture has.
388 */
389 static int videobuf_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
390 {
391 struct page *page;
392
393 dprintk(3, "fault: fault @ %08lx [vma %08lx-%08lx]\n",
394 (unsigned long)vmf->virtual_address,
395 vma->vm_start, vma->vm_end);
396
397 page = alloc_page(GFP_USER | __GFP_DMA32);
398 if (!page)
399 return VM_FAULT_OOM;
400 clear_user_highpage(page, (unsigned long)vmf->virtual_address);
401 vmf->page = page;
402
403 return 0;
404 }
405
406 static const struct vm_operations_struct videobuf_vm_ops = {
407 .open = videobuf_vm_open,
408 .close = videobuf_vm_close,
409 .fault = videobuf_vm_fault,
410 };
411
412 /* ---------------------------------------------------------------------
413 * SG handlers for the generic methods
414 */
415
416 /* Allocated area consists on 3 parts:
417 struct video_buffer
418 struct <driver>_buffer (cx88_buffer, saa7134_buf, ...)
419 struct videobuf_dma_sg_memory
420 */
421
422 static struct videobuf_buffer *__videobuf_alloc_vb(size_t size)
423 {
424 struct videobuf_dma_sg_memory *mem;
425 struct videobuf_buffer *vb;
426
427 vb = kzalloc(size + sizeof(*mem), GFP_KERNEL);
428 if (!vb)
429 return vb;
430
431 mem = vb->priv = ((char *)vb) + size;
432 mem->magic = MAGIC_SG_MEM;
433
434 videobuf_dma_init(&mem->dma);
435
436 dprintk(1, "%s: allocated at %p(%ld+%ld) & %p(%ld)\n",
437 __func__, vb, (long)sizeof(*vb), (long)size - sizeof(*vb),
438 mem, (long)sizeof(*mem));
439
440 return vb;
441 }
442
443 static void *__videobuf_to_vaddr(struct videobuf_buffer *buf)
444 {
445 struct videobuf_dma_sg_memory *mem = buf->priv;
446 BUG_ON(!mem);
447
448 MAGIC_CHECK(mem->magic, MAGIC_SG_MEM);
449
450 return mem->dma.vaddr;
451 }
452
453 static int __videobuf_iolock(struct videobuf_queue *q,
454 struct videobuf_buffer *vb,
455 struct v4l2_framebuffer *fbuf)
456 {
457 int err, pages;
458 dma_addr_t bus;
459 struct videobuf_dma_sg_memory *mem = vb->priv;
460 BUG_ON(!mem);
461
462 MAGIC_CHECK(mem->magic, MAGIC_SG_MEM);
463
464 switch (vb->memory) {
465 case V4L2_MEMORY_MMAP:
466 case V4L2_MEMORY_USERPTR:
467 if (0 == vb->baddr) {
468 /* no userspace addr -- kernel bounce buffer */
469 pages = PAGE_ALIGN(vb->size) >> PAGE_SHIFT;
470 err = videobuf_dma_init_kernel(&mem->dma,
471 DMA_FROM_DEVICE,
472 pages);
473 if (0 != err)
474 return err;
475 } else if (vb->memory == V4L2_MEMORY_USERPTR) {
476 /* dma directly to userspace */
477 err = videobuf_dma_init_user(&mem->dma,
478 DMA_FROM_DEVICE,
479 vb->baddr, vb->bsize);
480 if (0 != err)
481 return err;
482 } else {
483 /* NOTE: HACK: videobuf_iolock on V4L2_MEMORY_MMAP
484 buffers can only be called from videobuf_qbuf
485 we take current->mm->mmap_sem there, to prevent
486 locking inversion, so don't take it here */
487
488 err = videobuf_dma_init_user_locked(&mem->dma,
489 DMA_FROM_DEVICE,
490 vb->baddr, vb->bsize);
491 if (0 != err)
492 return err;
493 }
494 break;
495 case V4L2_MEMORY_OVERLAY:
496 if (NULL == fbuf)
497 return -EINVAL;
498 /* FIXME: need sanity checks for vb->boff */
499 /*
500 * Using a double cast to avoid compiler warnings when
501 * building for PAE. Compiler doesn't like direct casting
502 * of a 32 bit ptr to 64 bit integer.
503 */
504 bus = (dma_addr_t)(unsigned long)fbuf->base + vb->boff;
505 pages = PAGE_ALIGN(vb->size) >> PAGE_SHIFT;
506 err = videobuf_dma_init_overlay(&mem->dma, DMA_FROM_DEVICE,
507 bus, pages);
508 if (0 != err)
509 return err;
510 break;
511 default:
512 BUG();
513 }
514 err = videobuf_dma_map(q->dev, &mem->dma);
515 if (0 != err)
516 return err;
517
518 return 0;
519 }
520
521 static int __videobuf_sync(struct videobuf_queue *q,
522 struct videobuf_buffer *buf)
523 {
524 struct videobuf_dma_sg_memory *mem = buf->priv;
525 BUG_ON(!mem || !mem->dma.sglen);
526
527 MAGIC_CHECK(mem->magic, MAGIC_SG_MEM);
528 MAGIC_CHECK(mem->dma.magic, MAGIC_DMABUF);
529
530 dma_sync_sg_for_cpu(q->dev, mem->dma.sglist,
531 mem->dma.sglen, mem->dma.direction);
532
533 return 0;
534 }
535
536 static int __videobuf_mmap_mapper(struct videobuf_queue *q,
537 struct videobuf_buffer *buf,
538 struct vm_area_struct *vma)
539 {
540 struct videobuf_dma_sg_memory *mem = buf->priv;
541 struct videobuf_mapping *map;
542 unsigned int first, last, size = 0, i;
543 int retval;
544
545 retval = -EINVAL;
546
547 /* This function maintains backwards compatibility with V4L1 and will
548 * map more than one buffer if the vma length is equal to the combined
549 * size of multiple buffers than it will map them together. See
550 * VIDIOCGMBUF in the v4l spec
551 *
552 * TODO: Allow drivers to specify if they support this mode
553 */
554
555 BUG_ON(!mem);
556 MAGIC_CHECK(mem->magic, MAGIC_SG_MEM);
557
558 /* look for first buffer to map */
559 for (first = 0; first < VIDEO_MAX_FRAME; first++) {
560 if (buf == q->bufs[first]) {
561 size = PAGE_ALIGN(q->bufs[first]->bsize);
562 break;
563 }
564 }
565
566 /* paranoia, should never happen since buf is always valid. */
567 if (!size) {
568 dprintk(1, "mmap app bug: offset invalid [offset=0x%lx]\n",
569 (vma->vm_pgoff << PAGE_SHIFT));
570 goto done;
571 }
572
573 last = first;
574 #ifdef CONFIG_VIDEO_V4L1_COMPAT
575 if (size != (vma->vm_end - vma->vm_start)) {
576 /* look for last buffer to map */
577 for (last = first + 1; last < VIDEO_MAX_FRAME; last++) {
578 if (NULL == q->bufs[last])
579 continue;
580 if (V4L2_MEMORY_MMAP != q->bufs[last]->memory)
581 continue;
582 if (q->bufs[last]->map) {
583 retval = -EBUSY;
584 goto done;
585 }
586 size += PAGE_ALIGN(q->bufs[last]->bsize);
587 if (size == (vma->vm_end - vma->vm_start))
588 break;
589 }
590 if (VIDEO_MAX_FRAME == last) {
591 dprintk(1, "mmap app bug: size invalid [size=0x%lx]\n",
592 (vma->vm_end - vma->vm_start));
593 goto done;
594 }
595 }
596 #endif
597
598 /* create mapping + update buffer list */
599 retval = -ENOMEM;
600 map = kmalloc(sizeof(struct videobuf_mapping), GFP_KERNEL);
601 if (NULL == map)
602 goto done;
603
604 size = 0;
605 for (i = first; i <= last; i++) {
606 if (NULL == q->bufs[i])
607 continue;
608 q->bufs[i]->map = map;
609 q->bufs[i]->baddr = vma->vm_start + size;
610 size += PAGE_ALIGN(q->bufs[i]->bsize);
611 }
612
613 map->count = 1;
614 map->q = q;
615 vma->vm_ops = &videobuf_vm_ops;
616 vma->vm_flags |= VM_DONTEXPAND | VM_RESERVED;
617 vma->vm_flags &= ~VM_IO; /* using shared anonymous pages */
618 vma->vm_private_data = map;
619 dprintk(1, "mmap %p: q=%p %08lx-%08lx pgoff %08lx bufs %d-%d\n",
620 map, q, vma->vm_start, vma->vm_end, vma->vm_pgoff, first, last);
621 retval = 0;
622
623 done:
624 return retval;
625 }
626
627 static struct videobuf_qtype_ops sg_ops = {
628 .magic = MAGIC_QTYPE_OPS,
629
630 .alloc_vb = __videobuf_alloc_vb,
631 .iolock = __videobuf_iolock,
632 .sync = __videobuf_sync,
633 .mmap_mapper = __videobuf_mmap_mapper,
634 .vaddr = __videobuf_to_vaddr,
635 };
636
637 void *videobuf_sg_alloc(size_t size)
638 {
639 struct videobuf_queue q;
640
641 /* Required to make generic handler to call __videobuf_alloc */
642 q.int_ops = &sg_ops;
643
644 q.msize = size;
645
646 return videobuf_alloc_vb(&q);
647 }
648 EXPORT_SYMBOL_GPL(videobuf_sg_alloc);
649
650 void videobuf_queue_sg_init(struct videobuf_queue *q,
651 const struct videobuf_queue_ops *ops,
652 struct device *dev,
653 spinlock_t *irqlock,
654 enum v4l2_buf_type type,
655 enum v4l2_field field,
656 unsigned int msize,
657 void *priv)
658 {
659 videobuf_queue_core_init(q, ops, dev, irqlock, type, field, msize,
660 priv, &sg_ops);
661 }
662 EXPORT_SYMBOL_GPL(videobuf_queue_sg_init);
663
Linux 2.6 ibm-acpi/thinkpad-acpi driver git tree