3 * Copyright (C) 2011 Google, Inc.
5 * This software is licensed under the terms of the GNU General Public
6 * License version 2, as published by the Free Software Foundation, and
7 * may be copied, distributed, and modified under those terms.
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
16 #include <linux/kernel.h>
17 #include <linux/file.h>
19 #include <linux/uaccess.h>
23 #include "compat_ion.h"
26 struct ion_fd_data fd;
27 struct ion_allocation_data allocation;
28 struct ion_handle_data handle;
29 struct ion_custom_data custom;
30 struct ion_heap_query query;
33 /* Must hold the client lock */
34 static void user_ion_handle_get(struct ion_handle *handle)
36 if (handle->user_ref_count++ == 0)
37 kref_get(&handle->ref);
40 /* Must hold the client lock */
41 static struct ion_handle *user_ion_handle_get_check_overflow(
42 struct ion_handle *handle)
44 if (handle->user_ref_count + 1 == 0)
45 return ERR_PTR(-EOVERFLOW);
46 user_ion_handle_get(handle);
50 /* passes a kref to the user ref count.
51 * We know we're holding a kref to the object before and
52 * after this call, so no need to reverify handle.
54 static struct ion_handle *pass_to_user(struct ion_handle *handle)
56 struct ion_client *client = handle->client;
57 struct ion_handle *ret;
59 mutex_lock(&client->lock);
60 ret = user_ion_handle_get_check_overflow(handle);
61 ion_handle_put_nolock(handle);
62 mutex_unlock(&client->lock);
66 /* Must hold the client lock */
67 static int user_ion_handle_put_nolock(struct ion_handle *handle)
71 if (--handle->user_ref_count == 0)
72 ret = ion_handle_put_nolock(handle);
77 static void user_ion_free_nolock(struct ion_client *client,
78 struct ion_handle *handle)
82 WARN_ON(client != handle->client);
84 valid_handle = ion_handle_validate(client, handle);
86 WARN(1, "%s: invalid handle passed to free.\n", __func__);
89 if (handle->user_ref_count == 0) {
90 WARN(1, "%s: User does not have access!\n", __func__);
93 user_ion_handle_put_nolock(handle);
96 static int validate_ioctl_arg(unsigned int cmd, union ion_ioctl_arg *arg)
101 case ION_IOC_HEAP_QUERY:
102 ret = arg->query.reserved0 != 0;
103 ret |= arg->query.reserved1 != 0;
104 ret |= arg->query.reserved2 != 0;
110 return ret ? -EINVAL : 0;
113 /* fix up the cases where the ioctl direction bits are incorrect */
114 static unsigned int ion_ioctl_dir(unsigned int cmd)
122 return _IOC_DIR(cmd);
126 long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
128 struct ion_client *client = filp->private_data;
129 struct ion_device *dev = client->dev;
130 struct ion_handle *cleanup_handle = NULL;
133 union ion_ioctl_arg data;
135 dir = ion_ioctl_dir(cmd);
137 if (_IOC_SIZE(cmd) > sizeof(data))
141 * The copy_from_user is unconditional here for both read and write
142 * to do the validate. If there is no write for the ioctl, the
145 if (copy_from_user(&data, (void __user *)arg, _IOC_SIZE(cmd)))
148 ret = validate_ioctl_arg(cmd, &data);
150 pr_warn_once("%s: ioctl validate failed\n", __func__);
154 if (!(dir & _IOC_WRITE))
155 memset(&data, 0, sizeof(data));
160 struct ion_handle *handle;
162 handle = __ion_alloc(client, data.allocation.len,
163 data.allocation.align,
164 data.allocation.heap_id_mask,
165 data.allocation.flags, true);
167 return PTR_ERR(handle);
168 data.allocation.handle = handle->id;
169 cleanup_handle = handle;
170 pass_to_user(handle);
175 struct ion_handle *handle;
177 mutex_lock(&client->lock);
178 handle = ion_handle_get_by_id_nolock(client, data.handle.handle);
179 if (IS_ERR(handle)) {
180 mutex_unlock(&client->lock);
181 return PTR_ERR(handle);
183 user_ion_free_nolock(client, handle);
184 ion_handle_put_nolock(handle);
185 mutex_unlock(&client->lock);
191 struct ion_handle *handle;
193 mutex_lock(&client->lock);
194 handle = ion_handle_get_by_id_nolock(client, data.handle.handle);
195 if (IS_ERR(handle)) {
196 mutex_unlock(&client->lock);
197 return PTR_ERR(handle);
199 data.fd.fd = ion_share_dma_buf_fd_nolock(client, handle);
200 ion_handle_put_nolock(handle);
201 mutex_unlock(&client->lock);
208 struct ion_handle *handle;
210 handle = ion_import_dma_buf_fd(client, data.fd.fd);
211 if (IS_ERR(handle)) {
212 ret = PTR_ERR(handle);
214 data.handle.handle = handle->id;
215 handle = pass_to_user(handle);
216 if (IS_ERR(handle)) {
217 ret = PTR_ERR(handle);
218 data.handle.handle = 0;
225 ret = ion_sync_for_device(client, data.fd.fd);
230 if (!dev->custom_ioctl)
232 ret = dev->custom_ioctl(client, data.custom.cmd,
236 case ION_IOC_HEAP_QUERY:
237 ret = ion_query_heaps(client, &data.query);
243 if (dir & _IOC_READ) {
244 if (copy_to_user((void __user *)arg, &data, _IOC_SIZE(cmd))) {
245 if (cleanup_handle) {
246 mutex_lock(&client->lock);
247 user_ion_free_nolock(client, cleanup_handle);
248 ion_handle_put_nolock(cleanup_handle);
249 mutex_unlock(&client->lock);
255 ion_handle_put(cleanup_handle);