On Sat, 27 May 2017 16:38:52 +0800 Xiaoguang Chen <xiaoguang.chen@xxxxxxxxx> wrote: > User space should create the management fd for the dma-buf operation first. > Then user can query the plane information and create dma-buf if necessary > using the management fd. > > Signed-off-by: Xiaoguang Chen <xiaoguang.chen@xxxxxxxxx> > --- > drivers/gpu/drm/i915/gvt/dmabuf.c | 12 ++++ > drivers/gpu/drm/i915/gvt/dmabuf.h | 5 ++ > drivers/gpu/drm/i915/gvt/gvt.c | 2 + > drivers/gpu/drm/i915/gvt/gvt.h | 5 ++ > drivers/gpu/drm/i915/gvt/kvmgt.c | 144 ++++++++++++++++++++++++++++++++++++++ > drivers/gpu/drm/i915/gvt/vgpu.c | 1 + > 6 files changed, 169 insertions(+) > > diff --git a/drivers/gpu/drm/i915/gvt/dmabuf.c b/drivers/gpu/drm/i915/gvt/dmabuf.c > index c831e91..9759e9a 100644 > --- a/drivers/gpu/drm/i915/gvt/dmabuf.c > +++ b/drivers/gpu/drm/i915/gvt/dmabuf.c > @@ -226,6 +226,7 @@ int intel_vgpu_create_dmabuf(struct intel_vgpu *vgpu, void *args) > struct vfio_vgpu_dmabuf_info *gvt_dmabuf = args; > struct intel_vgpu_fb_info *fb_info; > int ret; > + struct intel_vgpu_dmabuf_obj *dmabuf_obj; > > ret = intel_vgpu_get_plane_info(dev, vgpu, &gvt_dmabuf->plane_info); > if (ret != 0) > @@ -263,6 +264,17 @@ int intel_vgpu_create_dmabuf(struct intel_vgpu *vgpu, void *args) > gvt_vgpu_err("create dma-buf fd failed ret:%d\n", ret); > return ret; > } > + dmabuf_obj = kmalloc(sizeof(*dmabuf_obj), GFP_KERNEL); > + if (dmabuf_obj == NULL) { > + kfree(fb_info); > + i915_gem_object_put(obj); > + gvt_vgpu_err("alloc dmabuf_obj failed\n"); > + return -ENOMEM; > + } > + dmabuf_obj->obj = obj; > + INIT_LIST_HEAD(&dmabuf_obj->list); > + list_add_tail(&dmabuf_obj->list, &vgpu->dmabuf_obj_list_head); > + > gvt_dmabuf->fd = ret; > > return 0; > diff --git a/drivers/gpu/drm/i915/gvt/dmabuf.h b/drivers/gpu/drm/i915/gvt/dmabuf.h > index 8be9979..cafa781 100644 > --- a/drivers/gpu/drm/i915/gvt/dmabuf.h > +++ b/drivers/gpu/drm/i915/gvt/dmabuf.h > @@ -31,6 +31,11 @@ struct intel_vgpu_fb_info { > uint32_t fb_size; > }; > > +struct intel_vgpu_dmabuf_obj { > + struct drm_i915_gem_object *obj; > + struct list_head list; > +}; > + > int intel_vgpu_query_plane(struct intel_vgpu *vgpu, void *args); > int intel_vgpu_create_dmabuf(struct intel_vgpu *vgpu, void *args); > > diff --git a/drivers/gpu/drm/i915/gvt/gvt.c b/drivers/gpu/drm/i915/gvt/gvt.c > index 2032917..dbc3f86 100644 > --- a/drivers/gpu/drm/i915/gvt/gvt.c > +++ b/drivers/gpu/drm/i915/gvt/gvt.c > @@ -54,6 +54,8 @@ static const struct intel_gvt_ops intel_gvt_ops = { > .vgpu_reset = intel_gvt_reset_vgpu, > .vgpu_activate = intel_gvt_activate_vgpu, > .vgpu_deactivate = intel_gvt_deactivate_vgpu, > + .vgpu_query_plane = intel_vgpu_query_plane, > + .vgpu_create_dmabuf = intel_vgpu_create_dmabuf, > }; > > /** > diff --git a/drivers/gpu/drm/i915/gvt/gvt.h b/drivers/gpu/drm/i915/gvt/gvt.h > index 763a8c5..a855797 100644 > --- a/drivers/gpu/drm/i915/gvt/gvt.h > +++ b/drivers/gpu/drm/i915/gvt/gvt.h > @@ -185,8 +185,11 @@ struct intel_vgpu { > struct kvm *kvm; > struct work_struct release_work; > atomic_t released; > + struct vfio_device *vfio_device; > } vdev; > #endif > + int dmabuf_mgr_fd; > + struct list_head dmabuf_obj_list_head; > }; > > struct intel_gvt_gm { > @@ -467,6 +470,8 @@ struct intel_gvt_ops { > void (*vgpu_reset)(struct intel_vgpu *); > void (*vgpu_activate)(struct intel_vgpu *); > void (*vgpu_deactivate)(struct intel_vgpu *); > + int (*vgpu_query_plane)(struct intel_vgpu *vgpu, void *); > + int (*vgpu_create_dmabuf)(struct intel_vgpu *vgpu, void *); > }; > > > diff --git a/drivers/gpu/drm/i915/gvt/kvmgt.c b/drivers/gpu/drm/i915/gvt/kvmgt.c > index 389f072..a079080 100644 > --- a/drivers/gpu/drm/i915/gvt/kvmgt.c > +++ b/drivers/gpu/drm/i915/gvt/kvmgt.c > @@ -41,6 +41,7 @@ > #include <linux/kvm_host.h> > #include <linux/vfio.h> > #include <linux/mdev.h> > +#include <linux/anon_inodes.h> > > #include "i915_drv.h" > #include "gvt.h" > @@ -524,6 +525,125 @@ static int intel_vgpu_reg_init_opregion(struct intel_vgpu *vgpu) > return ret; > } > > +static int kvmgt_get_vfio_device(struct intel_vgpu *vgpu) > +{ > + struct vfio_device *device; > + > + device = vfio_device_get_from_dev(mdev_dev(vgpu->vdev.mdev)); > + if (device == NULL) > + return -ENODEV; > + vgpu->vdev.vfio_device = device; > + > + return 0; > +} > + > +static void kvmgt_put_vfio_device(struct intel_vgpu *vgpu) > +{ > + vfio_device_put(vgpu->vdev.vfio_device); > +} > + > +static int intel_vgpu_dmabuf_mgr_fd_mmap(struct file *file, > + struct vm_area_struct *vma) > +{ > + return -EPERM; > +} > + > +static int intel_vgpu_dmabuf_mgr_fd_release(struct inode *inode, > + struct file *filp) > +{ > + struct intel_vgpu *vgpu = filp->private_data; > + struct intel_vgpu_dmabuf_obj *obj; > + struct list_head *pos; > + > + if (WARN_ON(!vgpu->vdev.vfio_device)) > + return -ENODEV; > + > + list_for_each(pos, &vgpu->dmabuf_obj_list_head) { > + obj = container_of(pos, struct intel_vgpu_dmabuf_obj, list); > + if (WARN_ON(!obj)) > + return -ENODEV; > + kfree(obj->obj->gvt_info); > + i915_gem_object_put(obj->obj); > + kfree(obj); > + kvmgt_put_vfio_device(vgpu); Can we do this? If I understand, we're releasing all the references and allocations for the dmabuf fds on release of the manager fd. What happens if the user continues trying to access those dmabuf fds after this? > + } > + kvmgt_put_vfio_device(vgpu); > + > + return 0; > +} > + > +static long intel_vgpu_dmabuf_mgr_fd_ioctl(struct file *filp, > + unsigned int ioctl, unsigned long arg) > +{ > + struct intel_vgpu *vgpu = filp->private_data; > + int minsz; > + int ret; > + struct fd f; > + > + f = fdget(vgpu->dmabuf_mgr_fd); > + if (!f.file) > + return -EBADF; > + > + if (ioctl == VFIO_DEVICE_QUERY_PLANE) { > + struct vfio_vgpu_plane_info info; > + > + minsz = offsetofend(struct vfio_vgpu_plane_info, resv); > + if (copy_from_user(&info, (void __user *)arg, minsz)) { > + fdput(f); > + return -EFAULT; > + } > + if (info.argsz < minsz) { > + fdput(f); > + return -EINVAL; > + } > + ret = intel_gvt_ops->vgpu_query_plane(vgpu, &info); > + if (ret != 0) { > + fdput(f); > + gvt_vgpu_err("query plane failed:%d\n", ret); > + return -EINVAL; > + } > + fdput(f); > + return copy_to_user((void __user *)arg, &info, minsz) ? > + -EFAULT : 0; > + } else if (ioctl == VFIO_DEVICE_CREATE_DMABUF) { > + struct vfio_vgpu_dmabuf_info dmabuf; > + > + minsz = offsetofend(struct vfio_vgpu_dmabuf_info, resv); > + if (copy_from_user(&dmabuf, (void __user *)arg, minsz)) { > + fdput(f); > + return -EFAULT; > + } > + if (dmabuf.argsz < minsz) { > + fdput(f); > + return -EINVAL; > + } > + ret = kvmgt_get_vfio_device(vgpu); > + if (ret != 0) > + return ret; Missed an fdput, though I'm not sure I understand the value of the original fdget or the dmabuf_mgr_fd field at all. dmabuf_mgr_fd is only used here, presumably to add a reference to the fd while we're in the ioctl, but we're in the ioctl function of that fd, so I think there are already references elsewhere. > + > + ret = intel_gvt_ops->vgpu_create_dmabuf(vgpu, &dmabuf); > + if (ret != 0) { > + kvmgt_put_vfio_device(vgpu); > + fdput(f); > + return -EINVAL; Why not return the errno that vgpu_create_dmabuf provided? > + } > + fdput(f); > + return copy_to_user((void __user *)arg, &dmabuf, minsz) ? > + -EFAULT : 0; > + } > + > + fdput(f); > + gvt_vgpu_err("unsupported dmabuf operation\n"); > + > + return -EINVAL; > +} > + > +static const struct file_operations intel_vgpu_dmabuf_mgr_fd_ops = { > + .release = intel_vgpu_dmabuf_mgr_fd_release, > + .unlocked_ioctl = intel_vgpu_dmabuf_mgr_fd_ioctl, > + .mmap = intel_vgpu_dmabuf_mgr_fd_mmap, > + .llseek = noop_llseek, > +}; > static int intel_vgpu_create(struct kobject *kobj, struct mdev_device *mdev) > { > struct intel_vgpu *vgpu = NULL; > @@ -1259,6 +1379,30 @@ static long intel_vgpu_ioctl(struct mdev_device *mdev, unsigned int cmd, > } else if (cmd == VFIO_DEVICE_RESET) { > intel_gvt_ops->vgpu_reset(vgpu); > return 0; > + } else if (cmd == VFIO_DEVICE_GET_FD) { > + int fd; > + u32 type; > + int ret; > + > + if (copy_from_user(&type, (void __user *)arg, sizeof(type))) > + return -EINVAL; > + if (type != VFIO_DEVICE_DMABUF_MGR_FD) > + return -EINVAL; > + > + ret = kvmgt_get_vfio_device(vgpu); > + if (ret != 0) > + return ret; > + > + fd = anon_inode_getfd("intel-vgpu-dmabuf-mgr-fd", > + &intel_vgpu_dmabuf_mgr_fd_ops, > + vgpu, O_RDWR | O_CLOEXEC); > + if (fd < 0) { > + gvt_vgpu_err("create dmabuf mgr fd failed\n"); > + return -EINVAL; Error path leaks vfio_device reference. > + } > + vgpu->dmabuf_mgr_fd = fd; As above, unclear value of this field, additionally, what if the user calls VFIO_DEVICE_GET_FD more than once? > + > + return fd; > } > > return 0; > diff --git a/drivers/gpu/drm/i915/gvt/vgpu.c b/drivers/gpu/drm/i915/gvt/vgpu.c > index 6e3cbd8..af6fc74 100644 > --- a/drivers/gpu/drm/i915/gvt/vgpu.c > +++ b/drivers/gpu/drm/i915/gvt/vgpu.c > @@ -346,6 +346,7 @@ static struct intel_vgpu *__intel_gvt_create_vgpu(struct intel_gvt *gvt, > vgpu->gvt = gvt; > vgpu->sched_ctl.weight = param->weight; > bitmap_zero(vgpu->tlb_handle_pending, I915_NUM_ENGINES); > + INIT_LIST_HEAD(&vgpu->dmabuf_obj_list_head); > > intel_vgpu_init_cfg_space(vgpu, param->primary); > _______________________________________________ Intel-gfx mailing list Intel-gfx@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/intel-gfx