1 /*
2  * Copyright (c) 2016 Intel Corporation
3  *
4  * Permission to use, copy, modify, distribute, and sell this software and its
5  * documentation for any purpose is hereby granted without fee, provided that
6  * the above copyright notice appear in all copies and that both that copyright
7  * notice and this permission notice appear in supporting documentation, and
8  * that the name of the copyright holders not be used in advertising or
9  * publicity pertaining to distribution of the software without specific,
10  * written prior permission.  The copyright holders make no representations
11  * about the suitability of this software for any purpose.  It is provided "as
12  * is" without express or implied warranty.
13  *
14  * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16  * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17  * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18  * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19  * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20  * OF THIS SOFTWARE.
21  */
22 
23 #include <linux/export.h>
24 #include <drm/drmP.h>
25 #include <drm/drm_auth.h>
26 #include <drm/drm_framebuffer.h>
27 
28 #include "drm_crtc_internal.h"
29 
30 /**
31  * DOC: overview
32  *
33  * Frame buffers are abstract memory objects that provide a source of pixels to
34  * scanout to a CRTC. Applications explicitly request the creation of frame
35  * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
36  * handle that can be passed to the KMS CRTC control, plane configuration and
37  * page flip functions.
38  *
39  * Frame buffers rely on the underlying memory manager for allocating backing
40  * storage. When creating a frame buffer applications pass a memory handle
41  * (or a list of memory handles for multi-planar formats) through the
42  * struct &drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
43  * buffer management interface this would be a GEM handle.  Drivers are however
44  * free to use their own backing storage object handles, e.g. vmwgfx directly
45  * exposes special TTM handles to userspace and so expects TTM handles in the
46  * create ioctl and not GEM handles.
47  *
48  * Framebuffers are tracked with struct &drm_framebuffer. They are published
49  * using drm_framebuffer_init() - after calling that function userspace can use
50  * and access the framebuffer object. The helper function
51  * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
52  * metadata fields.
53  *
54  * The lifetime of a drm framebuffer is controlled with a reference count,
55  * drivers can grab additional references with drm_framebuffer_reference() and
56  * drop them again with drm_framebuffer_unreference(). For driver-private
57  * framebuffers for which the last reference is never dropped (e.g. for the
58  * fbdev framebuffer when the struct &drm_framebuffer is embedded into
59  * the fbdev helper struct) drivers can manually clean up a framebuffer at
60  * module unload time with drm_framebuffer_unregister_private(). But doing this
61  * is not recommended, and it's better to have a normal free-standing struct
62  * &drm_framebuffer.
63  */
64 
/*
 * Check that a source rectangle lies entirely inside a framebuffer.
 *
 * src_x, src_y, src_w and src_h are 16.16 fixed-point values (the debug
 * print below splits them into an integer part and a 16-bit fraction).
 *
 * Returns 0 when the rectangle fits, -ENOSPC otherwise.
 */
int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
				     uint32_t src_w, uint32_t src_h,
				     const struct drm_framebuffer *fb)
{
	/*
	 * Framebuffer extent scaled to the same 16.16 units as src_*.
	 * NOTE(review): the shift drops high bits once a dimension reaches
	 * 65536; presumably the mode_config size limits keep framebuffers
	 * below that -- confirm for driver-created framebuffers.
	 */
	const unsigned int limit_w = fb->width << 16;
	const unsigned int limit_h = fb->height << 16;
	int x_fits, y_fits;

	/*
	 * Per axis: test "size <= limit" first, then "origin <= limit - size".
	 * The subtraction therefore cannot underflow, and no origin + size
	 * sum (which could wrap) is ever formed.
	 */
	x_fits = src_w <= limit_w && src_x <= limit_w - src_w;
	y_fits = src_h <= limit_h && src_y <= limit_h - src_h;
	if (x_fits && y_fits)
		return 0;

	/* 15625 / 1024 == 1000000 / 65536: fraction printed as six decimals. */
	DRM_DEBUG_KMS("Invalid source coordinates "
		      "%u.%06ux%u.%06u+%u.%06u+%u.%06u\n",
		      src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
		      src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
		      src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
		      src_y >> 16, ((src_y & 0xffff) * 15625) >> 10);
	return -ENOSPC;
}
90 
91 /**
92  * drm_mode_addfb - add an FB to the graphics configuration
93  * @dev: drm device for the ioctl
94  * @data: data pointer for the ioctl
95  * @file_priv: drm file for the ioctl call
96  *
97  * Add a new FB to the specified CRTC, given a user request. This is the
98  * original addfb ioctl which only supported RGB formats.
99  *
100  * Called by the user via ioctl.
101  *
102  * Returns:
103  * Zero on success, negative errno on failure.
104  */
int drm_mode_addfb(struct drm_device *dev,
		   void *data, struct drm_file *file_priv)
{
	struct drm_mode_fb_cmd *legacy = data;
	/*
	 * Re-express the legacy single-plane request in the addfb2 layout.
	 * Every field not named here (flags, modifiers, and the handle,
	 * pitch and offset slots of planes 1..3) starts out as zero.
	 */
	struct drm_mode_fb_cmd2 req = {
		.fb_id = legacy->fb_id,
		.width = legacy->width,
		.height = legacy->height,
		.pitches = { legacy->pitch },
		.pixel_format = drm_mode_legacy_fb_format(legacy->bpp,
							  legacy->depth),
		.handles = { legacy->handle },
	};
	int err;

	/* All validation of the request happens in the addfb2 path. */
	err = drm_mode_addfb2(dev, &req, file_priv);
	if (err)
		return err;

	/* Hand the newly assigned framebuffer id back to the caller. */
	legacy->fb_id = req.fb_id;

	return 0;
}
128 
/*
 * Accept only pixel formats from the fixed list below.
 *
 * The DRM_FORMAT_BIG_ENDIAN bit is masked off before the comparison, so a
 * listed format is accepted with or without it.
 *
 * Returns 0 for a listed format, -EINVAL otherwise.
 */
static int format_check(const struct drm_mode_fb_cmd2 *r)
{
	const uint32_t fourcc = r->pixel_format & ~DRM_FORMAT_BIG_ENDIAN;
	char *name;

	switch (fourcc) {
	case DRM_FORMAT_C8:
	case DRM_FORMAT_RGB332:
	case DRM_FORMAT_BGR233:
	case DRM_FORMAT_XRGB4444:
	case DRM_FORMAT_XBGR4444:
	case DRM_FORMAT_RGBX4444:
	case DRM_FORMAT_BGRX4444:
	case DRM_FORMAT_ARGB4444:
	case DRM_FORMAT_ABGR4444:
	case DRM_FORMAT_RGBA4444:
	case DRM_FORMAT_BGRA4444:
	case DRM_FORMAT_XRGB1555:
	case DRM_FORMAT_XBGR1555:
	case DRM_FORMAT_RGBX5551:
	case DRM_FORMAT_BGRX5551:
	case DRM_FORMAT_ARGB1555:
	case DRM_FORMAT_ABGR1555:
	case DRM_FORMAT_RGBA5551:
	case DRM_FORMAT_BGRA5551:
	case DRM_FORMAT_RGB565:
	case DRM_FORMAT_BGR565:
	case DRM_FORMAT_RGB888:
	case DRM_FORMAT_BGR888:
	case DRM_FORMAT_XRGB8888:
	case DRM_FORMAT_XBGR8888:
	case DRM_FORMAT_RGBX8888:
	case DRM_FORMAT_BGRX8888:
	case DRM_FORMAT_ARGB8888:
	case DRM_FORMAT_ABGR8888:
	case DRM_FORMAT_RGBA8888:
	case DRM_FORMAT_BGRA8888:
	case DRM_FORMAT_XRGB2101010:
	case DRM_FORMAT_XBGR2101010:
	case DRM_FORMAT_RGBX1010102:
	case DRM_FORMAT_BGRX1010102:
	case DRM_FORMAT_ARGB2101010:
	case DRM_FORMAT_ABGR2101010:
	case DRM_FORMAT_RGBA1010102:
	case DRM_FORMAT_BGRA1010102:
	case DRM_FORMAT_YUYV:
	case DRM_FORMAT_YVYU:
	case DRM_FORMAT_UYVY:
	case DRM_FORMAT_VYUY:
	case DRM_FORMAT_AYUV:
	case DRM_FORMAT_NV12:
	case DRM_FORMAT_NV21:
	case DRM_FORMAT_NV16:
	case DRM_FORMAT_NV61:
	case DRM_FORMAT_NV24:
	case DRM_FORMAT_NV42:
	case DRM_FORMAT_YUV410:
	case DRM_FORMAT_YVU410:
	case DRM_FORMAT_YUV411:
	case DRM_FORMAT_YVU411:
	case DRM_FORMAT_YUV420:
	case DRM_FORMAT_YVU420:
	case DRM_FORMAT_YUV422:
	case DRM_FORMAT_YVU422:
	case DRM_FORMAT_YUV444:
	case DRM_FORMAT_YVU444:
		return 0;
	default:
		break;
	}

	/*
	 * Unknown format. The log shows the value as userspace passed it
	 * (endian bit included); the name string is released here with
	 * kfree() once it has been logged.
	 */
	name = drm_get_format_name(r->pixel_format);
	DRM_DEBUG_KMS("invalid pixel format %s\n", name);
	kfree(name);
	return -EINVAL;
}
203 
/*
 * Validate the geometry of a userspace addfb2 request before it reaches the
 * driver: pixel format, dimensions, and the handle, pitch, offset and
 * modifier of each plane.
 *
 * Returns 0 when the request is consistent, -EINVAL for a malformed field
 * and -ERANGE when a plane's size does not fit in 32 bits.
 */
static int framebuffer_check(const struct drm_mode_fb_cmd2 *r)
{
	int err, hsub, vsub, num_planes, plane;

	err = format_check(r);
	if (err) {
		char *name = drm_get_format_name(r->pixel_format);

		DRM_DEBUG_KMS("bad framebuffer format %s\n", name);
		kfree(name);
		return err;
	}

	hsub = drm_format_horz_chroma_subsampling(r->pixel_format);
	vsub = drm_format_vert_chroma_subsampling(r->pixel_format);
	num_planes = drm_format_num_planes(r->pixel_format);

	/* Dimensions must be non-zero multiples of the subsampling factors. */
	if (r->width == 0 || r->width % hsub) {
		DRM_DEBUG_KMS("bad framebuffer width %u\n", r->width);
		return -EINVAL;
	}

	if (r->height == 0 || r->height % vsub) {
		DRM_DEBUG_KMS("bad framebuffer height %u\n", r->height);
		return -EINVAL;
	}

	/* Planes the format actually uses. */
	for (plane = 0; plane < num_planes; plane++) {
		unsigned int width = r->width;
		unsigned int height = r->height;
		unsigned int cpp;

		/* Only planes after the first are subsampled. */
		if (plane != 0) {
			width /= hsub;
			height /= vsub;
		}
		cpp = drm_format_plane_cpp(r->pixel_format, plane);

		if (!r->handles[plane]) {
			DRM_DEBUG_KMS("no buffer object handle for plane %d\n", plane);
			return -EINVAL;
		}

		/*
		 * Do the size arithmetic in 64 bits so that a product that
		 * would wrap a 32-bit value is rejected instead of silently
		 * passing the pitch comparison below.
		 */
		if ((uint64_t) width * cpp > UINT_MAX)
			return -ERANGE;

		if ((uint64_t) height * r->pitches[plane] + r->offsets[plane] > UINT_MAX)
			return -ERANGE;

		/* A row must be at least as long as its pixels need. */
		if (r->pitches[plane] < width * cpp) {
			DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[plane], plane);
			return -EINVAL;
		}

		/* A modifier is only meaningful with DRM_MODE_FB_MODIFIERS set. */
		if (r->modifier[plane] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
			DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n",
				      r->modifier[plane], plane);
			return -EINVAL;
		}

		/* modifier specific checks: */
		if (r->modifier[plane] == DRM_FORMAT_MOD_SAMSUNG_64_32_TILE) {
			/* NOTE: the pitch restriction may be lifted later if it
			 * turns out that no hw has this restriction:
			 */
			if (r->pixel_format != DRM_FORMAT_NV12 ||
			    width % 128 || height % 32 ||
			    r->pitches[plane] % 128) {
				DRM_DEBUG_KMS("bad modifier data for plane %d\n", plane);
				return -EINVAL;
			}
		}
	}

	/* Remaining slots (up to 4 in total) are unused by this format. */
	for (plane = num_planes; plane < 4; plane++) {
		if (r->modifier[plane]) {
			DRM_DEBUG_KMS("non-zero modifier for unused plane %d\n", plane);
			return -EINVAL;
		}

		/* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
		if (!(r->flags & DRM_MODE_FB_MODIFIERS))
			continue;

		if (r->handles[plane]) {
			DRM_DEBUG_KMS("buffer object handle for unused plane %d\n", plane);
			return -EINVAL;
		}

		if (r->pitches[plane]) {
			DRM_DEBUG_KMS("non-zero pitch for unused plane %d\n", plane);
			return -EINVAL;
		}

		if (r->offsets[plane]) {
			DRM_DEBUG_KMS("non-zero offset for unused plane %d\n", plane);
			return -EINVAL;
		}
	}

	return 0;
}
304 
/*
 * Validate an addfb2 request against the device limits and, if it passes,
 * let the driver's ->fb_create hook build the framebuffer.
 *
 * Returns the new framebuffer, or an ERR_PTR() carrying -EINVAL, an error
 * from framebuffer_check(), or whatever error pointer ->fb_create returned.
 */
struct drm_framebuffer *
drm_internal_framebuffer_create(struct drm_device *dev,
				const struct drm_mode_fb_cmd2 *r,
				struct drm_file *file_priv)
{
	struct drm_mode_config *config = &dev->mode_config;
	struct drm_framebuffer *fb;
	int err;

	/* Unknown flag bits are rejected rather than ignored. */
	if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) {
		DRM_DEBUG_KMS("bad framebuffer flags 0x%08x\n", r->flags);
		return ERR_PTR(-EINVAL);
	}

	if (r->width < config->min_width || r->width > config->max_width) {
		DRM_DEBUG_KMS("bad framebuffer width %d, should be >= %d && <= %d\n",
			  r->width, config->min_width, config->max_width);
		return ERR_PTR(-EINVAL);
	}

	if (r->height < config->min_height || r->height > config->max_height) {
		DRM_DEBUG_KMS("bad framebuffer height %d, should be >= %d && <= %d\n",
			  r->height, config->min_height, config->max_height);
		return ERR_PTR(-EINVAL);
	}

	if ((r->flags & DRM_MODE_FB_MODIFIERS) && !config->allow_fb_modifiers) {
		DRM_DEBUG_KMS("driver does not support fb modifiers\n");
		return ERR_PTR(-EINVAL);
	}

	/* Format and per-plane checks run before the driver sees the request. */
	err = framebuffer_check(r);
	if (err)
		return ERR_PTR(err);

	fb = config->funcs->fb_create(dev, file_priv, r);
	if (IS_ERR(fb))
		DRM_DEBUG_KMS("could not create framebuffer\n");

	/* Success and failure both return what the driver handed back. */
	return fb;
}
348 
349 /**
350  * drm_mode_addfb2 - add an FB to the graphics configuration
351  * @dev: drm device for the ioctl
352  * @data: data pointer for the ioctl
353  * @file_priv: drm file for the ioctl call
354  *
355  * Add a new FB to the specified CRTC, given a user request with format. This is
356  * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers
357  * and uses fourcc codes as pixel format specifiers.
358  *
359  * Called by the user via ioctl.
360  *
361  * Returns:
362  * Zero on success, negative errno on failure.
363  */
int drm_mode_addfb2(struct drm_device *dev,
		    void *data, struct drm_file *file_priv)
{
	struct drm_mode_fb_cmd2 *req = data;
	struct drm_framebuffer *new_fb;

	/* Framebuffers only exist on modesetting drivers. */
	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EINVAL;

	new_fb = drm_internal_framebuffer_create(dev, req, file_priv);
	if (IS_ERR(new_fb))
		return PTR_ERR(new_fb);

	DRM_DEBUG_KMS("[FB:%d]\n", new_fb->base.id);
	req->fb_id = new_fb->base.id;

	/*
	 * Hang the framebuffer on the creating file's list, under that list's
	 * lock. Membership in this list is what drm_mode_rmfb() checks before
	 * removing a framebuffer, and what drm_fb_release() walks when the
	 * file is closed.
	 */
	mutex_lock(&file_priv->fbs_lock);
	list_add(&new_fb->filp_head, &file_priv->fbs);
	mutex_unlock(&file_priv->fbs_lock);

	return 0;
}
387 
/*
 * Work item used to run drm_framebuffer_remove() from a workqueue instead of
 * the caller's context; see drm_mode_rmfb() and drm_fb_release().
 */
struct drm_mode_rmfb_work {
	/* Work item; drm_mode_rmfb_work_fn() recovers this struct from it. */
	struct work_struct work;
	/* Framebuffers to remove, linked through their filp_head member. */
	struct list_head fbs;
};
392 
/*
 * Work function: drain the job's framebuffer list, removing each entry.
 */
static void drm_mode_rmfb_work_fn(struct work_struct *w)
{
	struct drm_mode_rmfb_work *job = container_of(w, typeof(*job), work);
	struct drm_framebuffer *victim;

	for (;;) {
		if (list_empty(&job->fbs))
			break;

		victim = list_first_entry(&job->fbs, typeof(*victim), filp_head);

		/*
		 * Unlink first: drm_framebuffer_remove() warns if filp_head
		 * is still on a list.
		 */
		list_del_init(&victim->filp_head);
		drm_framebuffer_remove(victim);
	}
}
405 
406 /**
407  * drm_mode_rmfb - remove an FB from the configuration
408  * @dev: drm device for the ioctl
409  * @data: data pointer for the ioctl
410  * @file_priv: drm file for the ioctl call
411  *
412  * Remove the FB specified by the user.
413  *
414  * Called by the user via ioctl.
415  *
416  * Returns:
417  * Zero on success, negative errno on failure.
418  */
int drm_mode_rmfb(struct drm_device *dev,
		   void *data, struct drm_file *file_priv)
{
	struct drm_framebuffer *fb = NULL;
	struct drm_framebuffer *fbl = NULL;
	uint32_t *id = data;
	int found = 0;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EINVAL;

	/* Per the lookup's kernel-doc this takes a reference we must drop. */
	fb = drm_framebuffer_lookup(dev, *id);
	if (!fb)
		return -ENOENT;

	/*
	 * Ownership check: the id namespace is per device, so a valid id may
	 * name a framebuffer created through another file. Only framebuffers
	 * on the calling file's own list may be removed; anything else is
	 * reported as -ENOENT, the same answer as for an unknown id.
	 */
	mutex_lock(&file_priv->fbs_lock);
	list_for_each_entry(fbl, &file_priv->fbs, filp_head)
		if (fb == fbl)
			found = 1;
	if (!found) {
		mutex_unlock(&file_priv->fbs_lock);
		goto fail_unref;
	}

	/* Unlink while still holding the lock that guarded the search. */
	list_del_init(&fb->filp_head);
	mutex_unlock(&file_priv->fbs_lock);

	/* drop the reference we picked up in framebuffer lookup */
	drm_framebuffer_unreference(fb);

	/*
	 * we now own the reference that was stored in the fbs list
	 *
	 * drm_framebuffer_remove may fail with -EINTR on pending signals,
	 * so run this in a separate stack as there's no way to correctly
	 * handle this after the fb is already removed from the lookup table.
	 */
	if (drm_framebuffer_read_refcount(fb) > 1) {
		struct drm_mode_rmfb_work arg;

		INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
		INIT_LIST_HEAD(&arg.fbs);
		list_add_tail(&fb->filp_head, &arg.fbs);

		/*
		 * arg lives on this stack frame, so wait for the work to
		 * finish before returning.
		 */
		schedule_work(&arg.work);
		flush_work(&arg.work);
		destroy_work_on_stack(&arg.work);
	} else
		/* Nobody else holds a reference: just drop the list's one. */
		drm_framebuffer_unreference(fb);

	return 0;

fail_unref:
	/* Not ours: give back the lookup reference and report "no such fb". */
	drm_framebuffer_unreference(fb);
	return -ENOENT;
}
475 
476 /**
477  * drm_mode_getfb - get FB info
478  * @dev: drm device for the ioctl
479  * @data: data pointer for the ioctl
480  * @file_priv: drm file for the ioctl call
481  *
482  * Lookup the FB given its ID and return info about it.
483  *
484  * Called by the user via ioctl.
485  *
486  * Returns:
487  * Zero on success, negative errno on failure.
488  */
int drm_mode_getfb(struct drm_device *dev,
		   void *data, struct drm_file *file_priv)
{
	struct drm_mode_fb_cmd *info = data;
	struct drm_framebuffer *fb;
	int ret;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EINVAL;

	fb = drm_framebuffer_lookup(dev, info->fb_id);
	if (!fb)
		return -ENOENT;

	/* Geometry is reported to every caller, whatever its privileges. */
	info->height = fb->height;
	info->width = fb->width;
	info->depth = fb->depth;
	info->bpp = fb->bits_per_pixel;
	info->pitch = fb->pitches[0];

	if (!fb->funcs->create_handle) {
		ret = -ENODEV;
	} else if (drm_is_current_master(file_priv) ||
		   capable(CAP_SYS_ADMIN) ||
		   drm_is_control_client(file_priv)) {
		ret = fb->funcs->create_handle(fb, file_priv, &info->handle);
	} else {
		/*
		 * GET_FB() is an unprivileged ioctl, and a buffer handle
		 * gives access to the buffer behind the framebuffer, so it
		 * must not be handed to non-master processes. The ioctl
		 * cannot be made privileged for backwards-compatibility
		 * reasons; such callers get the invalid handle 0 and a
		 * success return instead.
		 */
		info->handle = 0;
		ret = 0;
	}

	/* Balance the reference taken by the lookup above. */
	drm_framebuffer_unreference(fb);

	return ret;
}
530 
531 /**
532  * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
533  * @dev: drm device for the ioctl
534  * @data: data pointer for the ioctl
535  * @file_priv: drm file for the ioctl call
536  *
537  * Lookup the FB and flush out the damaged area supplied by userspace as a clip
538  * rectangle list. Generic userspace which does frontbuffer rendering must call
539  * this ioctl to flush out the changes on manual-update display outputs, e.g.
540  * usb display-link, mipi manual update panels or edp panel self refresh modes.
541  *
542  * Modesetting drivers which always update the frontbuffer do not need to
543  * implement the corresponding ->dirty framebuffer callback.
544  *
545  * Called by the user via ioctl.
546  *
547  * Returns:
548  * Zero on success, negative errno on failure.
549  */
int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
			   void *data, struct drm_file *file_priv)
{
	struct drm_mode_fb_dirty_cmd *req = data;
	struct drm_clip_rect __user *user_clips;
	struct drm_clip_rect *clips = NULL;
	struct drm_framebuffer *fb;
	unsigned flags;
	int num_clips;
	int ret;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EINVAL;

	fb = drm_framebuffer_lookup(dev, req->fb_id);
	if (!fb)
		return -ENOENT;

	/* Both values come straight from userspace and are untrusted. */
	num_clips = req->num_clips;
	user_clips = (struct drm_clip_rect __user *)(unsigned long)req->clips_ptr;

	/* A count without a pointer, or a pointer without a count, is bogus. */
	if (!num_clips != !user_clips) {
		ret = -EINVAL;
		goto out_unref;
	}

	/* Flag bits outside DRM_MODE_FB_DIRTY_FLAGS are dropped. */
	flags = req->flags & DRM_MODE_FB_DIRTY_FLAGS;

	/* If userspace annotates copy, clips must come in pairs */
	if ((flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY) && (num_clips % 2)) {
		ret = -EINVAL;
		goto out_unref;
	}

	if (num_clips && user_clips) {
		/*
		 * Bound the count before it sizes an allocation and a copy.
		 * num_clips is a signed copy of the user value, so a negative
		 * result is rejected as well.
		 */
		if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
			ret = -EINVAL;
			goto out_unref;
		}

		clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
		if (!clips) {
			ret = -ENOMEM;
			goto out_unref;
		}

		/*
		 * The driver callback works on this kernel copy, never on the
		 * user pointer itself.
		 */
		if (copy_from_user(clips, user_clips,
				   num_clips * sizeof(*clips))) {
			ret = -EFAULT;
			goto out_free;
		}
	}

	if (fb->funcs->dirty)
		ret = fb->funcs->dirty(fb, file_priv, flags, req->color,
				       clips, num_clips);
	else
		ret = -ENOSYS;

	/* Success falls through the same cleanup as the error paths. */
out_free:
	kfree(clips);
out_unref:
	drm_framebuffer_unreference(fb);

	return ret;
}
617 
618 /**
619  * drm_fb_release - remove and free the FBs on this file
620  * @priv: drm file for the ioctl
621  *
622  * Destroy all the FBs associated with @priv.
623  *
624  * Called by the user via ioctl.
625  *
626  * Returns:
627  * Zero on success, negative errno on failure.
628  */
void drm_fb_release(struct drm_file *priv)
{
	/*
	 * NOTE(review): the kernel-doc above this function mentions an ioctl
	 * and an errno return, but the function is void and, per the comment
	 * below, runs when the file is released.
	 */
	struct drm_framebuffer *fb, *tfb;
	struct drm_mode_rmfb_work arg;

	INIT_LIST_HEAD(&arg.fbs);

	/*
	 * When the file gets released that means no one else can access the fb
	 * list any more, so no need to grab fpriv->fbs_lock. And we need to
	 * avoid upsetting lockdep since the universal cursor code adds a
	 * framebuffer while holding mutex locks.
	 *
	 * Note that a real deadlock between fpriv->fbs_lock and the modeset
	 * locks is impossible here since no one else but this function can get
	 * at it any more.
	 */
	list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
		if (drm_framebuffer_read_refcount(fb) > 1) {
			/*
			 * Someone else still holds a reference: queue it for
			 * drm_framebuffer_remove() via the work item below.
			 */
			list_move_tail(&fb->filp_head, &arg.fbs);
		} else {
			list_del_init(&fb->filp_head);

			/* This drops the fpriv->fbs reference. */
			drm_framebuffer_unreference(fb);
		}
	}

	if (!list_empty(&arg.fbs)) {
		INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);

		/*
		 * arg is on this stack frame, so wait for the work to finish
		 * before returning.
		 */
		schedule_work(&arg.work);
		flush_work(&arg.work);
		destroy_work_on_stack(&arg.work);
	}
}
665 
/*
 * Release callback for the framebuffer's reference count (it is the function
 * drm_framebuffer_init() passes to drm_mode_object_get_reg()).
 */
void drm_framebuffer_free(struct kref *kref)
{
	struct drm_framebuffer *dying;

	dying = container_of(kref, struct drm_framebuffer, base.refcount);

	/*
	 * The lookup idr holds a weak reference, which has not necessarily been
	 * removed at this point, so unregister the id before the driver's
	 * ->destroy hook runs.
	 */
	drm_mode_object_unregister(dying->dev, &dying->base);

	dying->funcs->destroy(dying);
}
680 
681 /**
682  * drm_framebuffer_init - initialize a framebuffer
683  * @dev: DRM device
684  * @fb: framebuffer to be initialized
685  * @funcs: ... with these functions
686  *
687  * Allocates an ID for the framebuffer's parent mode object, sets its mode
688  * functions & device file and adds it to the master fd list.
689  *
690  * IMPORTANT:
691  * This function publishes the fb and makes it available for concurrent access
692  * by other users. Which means by this point the fb _must_ be fully set up -
693  * since all the fb attributes are invariant over its lifetime, no further
694  * locking but only correct reference counting is required.
695  *
696  * Returns:
697  * Zero on success, error code on failure.
698  */
int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
			 const struct drm_framebuffer_funcs *funcs)
{
	struct drm_mode_config *config = &dev->mode_config;
	int err;

	INIT_LIST_HEAD(&fb->filp_head);
	fb->dev = dev;
	fb->funcs = funcs;

	/* drm_framebuffer_free() runs when the last reference is dropped. */
	err = drm_mode_object_get_reg(dev, &fb->base, DRM_MODE_OBJECT_FB,
				      false, drm_framebuffer_free);
	if (err)
		return err;

	mutex_lock(&config->fb_lock);
	config->num_fb++;
	list_add(&fb->head, &config->fb_list);
	mutex_unlock(&config->fb_lock);

	/*
	 * Registration comes last: per the kernel-doc above, this is the point
	 * where the framebuffer becomes available to other users, so every
	 * field has to be final by now.
	 */
	drm_mode_object_register(dev, &fb->base);

	return err;
}
EXPORT_SYMBOL(drm_framebuffer_init);
723 
724 /**
725  * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
726  * @dev: drm device
727  * @id: id of the fb object
728  *
729  * If successful, this grabs an additional reference to the framebuffer -
730  * callers need to make sure to eventually unreference the returned framebuffer
731  * again, using @drm_framebuffer_unreference.
732  */
struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
					       uint32_t id)
{
	struct drm_mode_object *found;

	/*
	 * Restricting the search to DRM_MODE_OBJECT_FB keeps an id that names
	 * some other object type from being treated as a framebuffer.
	 * NOTE(review): the reference promised by the kernel-doc above is
	 * presumably taken inside __drm_mode_object_find() -- confirm.
	 */
	found = __drm_mode_object_find(dev, id, DRM_MODE_OBJECT_FB);

	return found ? obj_to_fb(found) : NULL;
}
EXPORT_SYMBOL(drm_framebuffer_lookup);
745 
746 /**
747  * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
748  * @fb: fb to unregister
749  *
750  * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
751  * those used for fbdev. Note that the caller must hold a reference of its own,
752  * i.e. the object may not be destroyed through this call (since it'll lead to a
753  * locking inversion).
754  */
void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
{
	/* A NULL framebuffer is accepted and ignored. */
	if (fb) {
		/* Mark fb as reaped and drop idr ref. */
		drm_mode_object_unregister(fb->dev, &fb->base);
	}
}
EXPORT_SYMBOL(drm_framebuffer_unregister_private);
768 
769 /**
770  * drm_framebuffer_cleanup - remove a framebuffer object
771  * @fb: framebuffer to remove
772  *
773  * Cleanup framebuffer. This function is intended to be used from the drivers
774  * ->destroy callback. It can also be used to clean up driver private
775  * framebuffers embedded into a larger structure.
776  *
777  * Note that this function does not remove the fb from active usage - if it is
778  * still used anywhere, hilarity can ensue since userspace could call getfb on
779  * the id and get back -EINVAL. Obviously no concern at driver unload time.
780  *
781  * Also, the framebuffer will not be removed from the lookup idr - for
782  * user-created framebuffers this will happen in the rmfb ioctl. For
783  * driver-private objects (e.g. for fbdev) drivers need to explicitly call
784  * drm_framebuffer_unregister_private.
785  */
void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
{
	struct drm_mode_config *config = &fb->dev->mode_config;

	/*
	 * Undo the bookkeeping drm_framebuffer_init() did under fb_lock:
	 * take the fb off the device-wide list and adjust the count.
	 */
	mutex_lock(&config->fb_lock);
	config->num_fb--;
	list_del(&fb->head);
	mutex_unlock(&config->fb_lock);
}
EXPORT_SYMBOL(drm_framebuffer_cleanup);
796 
797 /**
798  * drm_framebuffer_remove - remove and unreference a framebuffer object
799  * @fb: framebuffer to remove
800  *
801  * Scans all the CRTCs and planes in @dev's mode_config.  If they're
802  * using @fb, removes it, setting it to NULL. Then drops the reference to the
803  * passed-in framebuffer. Might take the modeset locks.
804  *
805  * Note that this function optimizes the cleanup away if the caller holds the
806  * last reference to the framebuffer. It is also guaranteed to not take the
807  * modeset locks in this case.
808  */
void drm_framebuffer_remove(struct drm_framebuffer *fb)
{
	struct drm_device *dev;
	struct drm_crtc *crtc;
	struct drm_plane *plane;

	/* A NULL framebuffer is accepted and ignored. */
	if (!fb)
		return;

	dev = fb->dev;

	/* The caller must already have unlinked fb from any per-file list. */
	WARN_ON(!list_empty(&fb->filp_head));

	/*
	 * drm ABI mandates that we remove any deleted framebuffers from active
	 * usage. But since most sane clients only remove framebuffers they no
	 * longer need, try to optimize this away.
	 *
	 * Since we're holding a reference ourselves, observing a refcount of 1
	 * means that we're the last holder and can skip it. Also, the refcount
	 * can never increase from 1 again, so we don't need any barriers or
	 * locks.
	 *
	 * Note that userspace could try to race with use and instate a new
	 * usage _after_ we've cleared all current ones. End result will be an
	 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot
	 * in this manner.
	 */
	if (drm_framebuffer_read_refcount(fb) > 1) {
		/* The scan of CRTCs and planes runs under all modeset locks. */
		drm_modeset_lock_all(dev);
		/* remove from any CRTC */
		drm_for_each_crtc(crtc, dev) {
			if (crtc->primary->fb == fb) {
				/* should turn off the crtc */
				if (drm_crtc_force_disable(crtc))
					DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
			}
		}

		/* Likewise disable every plane that still points at fb. */
		drm_for_each_plane(plane, dev) {
			if (plane->fb == fb)
				drm_plane_force_disable(plane);
		}
		drm_modeset_unlock_all(dev);
	}

	/* Drop the reference the caller handed over. */
	drm_framebuffer_unreference(fb);
}
EXPORT_SYMBOL(drm_framebuffer_remove);
858