1 /*
2 * Copyright (c) 2016 Intel Corporation
3 *
4 * Permission to use, copy, modify, distribute, and sell this software and its
5 * documentation for any purpose is hereby granted without fee, provided that
6 * the above copyright notice appear in all copies and that both that copyright
7 * notice and this permission notice appear in supporting documentation, and
8 * that the name of the copyright holders not be used in advertising or
9 * publicity pertaining to distribution of the software without specific,
10 * written prior permission. The copyright holders make no representations
11 * about the suitability of this software for any purpose. It is provided "as
12 * is" without express or implied warranty.
13 *
14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20 * OF THIS SOFTWARE.
21 */
22
23 #include <linux/export.h>
24 #include <drm/drmP.h>
25 #include <drm/drm_auth.h>
26 #include <drm/drm_framebuffer.h>
27
28 #include "drm_crtc_internal.h"
29
30 /**
31 * DOC: overview
32 *
33 * Frame buffers are abstract memory objects that provide a source of pixels to
34 * scanout to a CRTC. Applications explicitly request the creation of frame
35 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
36 * handle that can be passed to the KMS CRTC control, plane configuration and
37 * page flip functions.
38 *
39 * Frame buffers rely on the underlying memory manager for allocating backing
40 * storage. When creating a frame buffer applications pass a memory handle
41 * (or a list of memory handles for multi-planar formats) through the
42 * struct &drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
43 * buffer management interface this would be a GEM handle. Drivers are however
44 * free to use their own backing storage object handles, e.g. vmwgfx directly
45 * exposes special TTM handles to userspace and so expects TTM handles in the
46 * create ioctl and not GEM handles.
47 *
48 * Framebuffers are tracked with struct &drm_framebuffer. They are published
49 * using drm_framebuffer_init() - after calling that function userspace can use
50 * and access the framebuffer object. The helper function
51 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
52 * metadata fields.
53 *
54 * The lifetime of a drm framebuffer is controlled with a reference count,
55 * drivers can grab additional references with drm_framebuffer_reference() and
56 * drop them again with drm_framebuffer_unreference(). For driver-private
57 * framebuffers for which the last reference is never dropped (e.g. for the
58 * fbdev framebuffer when the struct struct &drm_framebuffer is embedded into
59 * the fbdev helper struct) drivers can manually clean up a framebuffer at
60 * module unload time with drm_framebuffer_unregister_private(). But doing this
61 * is not recommended, and it's better to have a normal free-standing struct
62 * &drm_framebuffer.
63 */
64
drm_framebuffer_check_src_coords(uint32_t src_x,uint32_t src_y,uint32_t src_w,uint32_t src_h,const struct drm_framebuffer * fb)65 int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
66 uint32_t src_w, uint32_t src_h,
67 const struct drm_framebuffer *fb)
68 {
69 unsigned int fb_width, fb_height;
70
71 fb_width = fb->width << 16;
72 fb_height = fb->height << 16;
73
74 /* Make sure source coordinates are inside the fb. */
75 if (src_w > fb_width ||
76 src_x > fb_width - src_w ||
77 src_h > fb_height ||
78 src_y > fb_height - src_h) {
79 DRM_DEBUG_KMS("Invalid source coordinates "
80 "%u.%06ux%u.%06u+%u.%06u+%u.%06u\n",
81 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
82 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
83 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
84 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10);
85 return -ENOSPC;
86 }
87
88 return 0;
89 }
90
91 /**
92 * drm_mode_addfb - add an FB to the graphics configuration
93 * @dev: drm device for the ioctl
94 * @data: data pointer for the ioctl
95 * @file_priv: drm file for the ioctl call
96 *
97 * Add a new FB to the specified CRTC, given a user request. This is the
98 * original addfb ioctl which only supported RGB formats.
99 *
100 * Called by the user via ioctl.
101 *
102 * Returns:
103 * Zero on success, negative errno on failure.
104 */
drm_mode_addfb(struct drm_device * dev,void * data,struct drm_file * file_priv)105 int drm_mode_addfb(struct drm_device *dev,
106 void *data, struct drm_file *file_priv)
107 {
108 struct drm_mode_fb_cmd *or = data;
109 struct drm_mode_fb_cmd2 r = {};
110 int ret;
111
112 /* convert to new format and call new ioctl */
113 r.fb_id = or->fb_id;
114 r.width = or->width;
115 r.height = or->height;
116 r.pitches[0] = or->pitch;
117 r.pixel_format = drm_mode_legacy_fb_format(or->bpp, or->depth);
118 r.handles[0] = or->handle;
119
120 ret = drm_mode_addfb2(dev, &r, file_priv);
121 if (ret)
122 return ret;
123
124 or->fb_id = r.fb_id;
125
126 return 0;
127 }
128
format_check(const struct drm_mode_fb_cmd2 * r)129 static int format_check(const struct drm_mode_fb_cmd2 *r)
130 {
131 uint32_t format = r->pixel_format & ~DRM_FORMAT_BIG_ENDIAN;
132 char *format_name;
133
134 switch (format) {
135 case DRM_FORMAT_C8:
136 case DRM_FORMAT_RGB332:
137 case DRM_FORMAT_BGR233:
138 case DRM_FORMAT_XRGB4444:
139 case DRM_FORMAT_XBGR4444:
140 case DRM_FORMAT_RGBX4444:
141 case DRM_FORMAT_BGRX4444:
142 case DRM_FORMAT_ARGB4444:
143 case DRM_FORMAT_ABGR4444:
144 case DRM_FORMAT_RGBA4444:
145 case DRM_FORMAT_BGRA4444:
146 case DRM_FORMAT_XRGB1555:
147 case DRM_FORMAT_XBGR1555:
148 case DRM_FORMAT_RGBX5551:
149 case DRM_FORMAT_BGRX5551:
150 case DRM_FORMAT_ARGB1555:
151 case DRM_FORMAT_ABGR1555:
152 case DRM_FORMAT_RGBA5551:
153 case DRM_FORMAT_BGRA5551:
154 case DRM_FORMAT_RGB565:
155 case DRM_FORMAT_BGR565:
156 case DRM_FORMAT_RGB888:
157 case DRM_FORMAT_BGR888:
158 case DRM_FORMAT_XRGB8888:
159 case DRM_FORMAT_XBGR8888:
160 case DRM_FORMAT_RGBX8888:
161 case DRM_FORMAT_BGRX8888:
162 case DRM_FORMAT_ARGB8888:
163 case DRM_FORMAT_ABGR8888:
164 case DRM_FORMAT_RGBA8888:
165 case DRM_FORMAT_BGRA8888:
166 case DRM_FORMAT_XRGB2101010:
167 case DRM_FORMAT_XBGR2101010:
168 case DRM_FORMAT_RGBX1010102:
169 case DRM_FORMAT_BGRX1010102:
170 case DRM_FORMAT_ARGB2101010:
171 case DRM_FORMAT_ABGR2101010:
172 case DRM_FORMAT_RGBA1010102:
173 case DRM_FORMAT_BGRA1010102:
174 case DRM_FORMAT_YUYV:
175 case DRM_FORMAT_YVYU:
176 case DRM_FORMAT_UYVY:
177 case DRM_FORMAT_VYUY:
178 case DRM_FORMAT_AYUV:
179 case DRM_FORMAT_NV12:
180 case DRM_FORMAT_NV21:
181 case DRM_FORMAT_NV16:
182 case DRM_FORMAT_NV61:
183 case DRM_FORMAT_NV24:
184 case DRM_FORMAT_NV42:
185 case DRM_FORMAT_YUV410:
186 case DRM_FORMAT_YVU410:
187 case DRM_FORMAT_YUV411:
188 case DRM_FORMAT_YVU411:
189 case DRM_FORMAT_YUV420:
190 case DRM_FORMAT_YVU420:
191 case DRM_FORMAT_YUV422:
192 case DRM_FORMAT_YVU422:
193 case DRM_FORMAT_YUV444:
194 case DRM_FORMAT_YVU444:
195 return 0;
196 default:
197 format_name = drm_get_format_name(r->pixel_format);
198 DRM_DEBUG_KMS("invalid pixel format %s\n", format_name);
199 kfree(format_name);
200 return -EINVAL;
201 }
202 }
203
framebuffer_check(const struct drm_mode_fb_cmd2 * r)204 static int framebuffer_check(const struct drm_mode_fb_cmd2 *r)
205 {
206 int ret, hsub, vsub, num_planes, i;
207
208 ret = format_check(r);
209 if (ret) {
210 char *format_name = drm_get_format_name(r->pixel_format);
211 DRM_DEBUG_KMS("bad framebuffer format %s\n", format_name);
212 kfree(format_name);
213 return ret;
214 }
215
216 hsub = drm_format_horz_chroma_subsampling(r->pixel_format);
217 vsub = drm_format_vert_chroma_subsampling(r->pixel_format);
218 num_planes = drm_format_num_planes(r->pixel_format);
219
220 if (r->width == 0 || r->width % hsub) {
221 DRM_DEBUG_KMS("bad framebuffer width %u\n", r->width);
222 return -EINVAL;
223 }
224
225 if (r->height == 0 || r->height % vsub) {
226 DRM_DEBUG_KMS("bad framebuffer height %u\n", r->height);
227 return -EINVAL;
228 }
229
230 for (i = 0; i < num_planes; i++) {
231 unsigned int width = r->width / (i != 0 ? hsub : 1);
232 unsigned int height = r->height / (i != 0 ? vsub : 1);
233 unsigned int cpp = drm_format_plane_cpp(r->pixel_format, i);
234
235 if (!r->handles[i]) {
236 DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i);
237 return -EINVAL;
238 }
239
240 if ((uint64_t) width * cpp > UINT_MAX)
241 return -ERANGE;
242
243 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
244 return -ERANGE;
245
246 if (r->pitches[i] < width * cpp) {
247 DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i);
248 return -EINVAL;
249 }
250
251 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
252 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n",
253 r->modifier[i], i);
254 return -EINVAL;
255 }
256
257 /* modifier specific checks: */
258 switch (r->modifier[i]) {
259 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE:
260 /* NOTE: the pitch restriction may be lifted later if it turns
261 * out that no hw has this restriction:
262 */
263 if (r->pixel_format != DRM_FORMAT_NV12 ||
264 width % 128 || height % 32 ||
265 r->pitches[i] % 128) {
266 DRM_DEBUG_KMS("bad modifier data for plane %d\n", i);
267 return -EINVAL;
268 }
269 break;
270
271 default:
272 break;
273 }
274 }
275
276 for (i = num_planes; i < 4; i++) {
277 if (r->modifier[i]) {
278 DRM_DEBUG_KMS("non-zero modifier for unused plane %d\n", i);
279 return -EINVAL;
280 }
281
282 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
283 if (!(r->flags & DRM_MODE_FB_MODIFIERS))
284 continue;
285
286 if (r->handles[i]) {
287 DRM_DEBUG_KMS("buffer object handle for unused plane %d\n", i);
288 return -EINVAL;
289 }
290
291 if (r->pitches[i]) {
292 DRM_DEBUG_KMS("non-zero pitch for unused plane %d\n", i);
293 return -EINVAL;
294 }
295
296 if (r->offsets[i]) {
297 DRM_DEBUG_KMS("non-zero offset for unused plane %d\n", i);
298 return -EINVAL;
299 }
300 }
301
302 return 0;
303 }
304
305 struct drm_framebuffer *
drm_internal_framebuffer_create(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r,struct drm_file * file_priv)306 drm_internal_framebuffer_create(struct drm_device *dev,
307 const struct drm_mode_fb_cmd2 *r,
308 struct drm_file *file_priv)
309 {
310 struct drm_mode_config *config = &dev->mode_config;
311 struct drm_framebuffer *fb;
312 int ret;
313
314 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) {
315 DRM_DEBUG_KMS("bad framebuffer flags 0x%08x\n", r->flags);
316 return ERR_PTR(-EINVAL);
317 }
318
319 if ((config->min_width > r->width) || (r->width > config->max_width)) {
320 DRM_DEBUG_KMS("bad framebuffer width %d, should be >= %d && <= %d\n",
321 r->width, config->min_width, config->max_width);
322 return ERR_PTR(-EINVAL);
323 }
324 if ((config->min_height > r->height) || (r->height > config->max_height)) {
325 DRM_DEBUG_KMS("bad framebuffer height %d, should be >= %d && <= %d\n",
326 r->height, config->min_height, config->max_height);
327 return ERR_PTR(-EINVAL);
328 }
329
330 if (r->flags & DRM_MODE_FB_MODIFIERS &&
331 !dev->mode_config.allow_fb_modifiers) {
332 DRM_DEBUG_KMS("driver does not support fb modifiers\n");
333 return ERR_PTR(-EINVAL);
334 }
335
336 ret = framebuffer_check(r);
337 if (ret)
338 return ERR_PTR(ret);
339
340 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r);
341 if (IS_ERR(fb)) {
342 DRM_DEBUG_KMS("could not create framebuffer\n");
343 return fb;
344 }
345
346 return fb;
347 }
348
349 /**
350 * drm_mode_addfb2 - add an FB to the graphics configuration
351 * @dev: drm device for the ioctl
352 * @data: data pointer for the ioctl
353 * @file_priv: drm file for the ioctl call
354 *
355 * Add a new FB to the specified CRTC, given a user request with format. This is
356 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers
357 * and uses fourcc codes as pixel format specifiers.
358 *
359 * Called by the user via ioctl.
360 *
361 * Returns:
362 * Zero on success, negative errno on failure.
363 */
drm_mode_addfb2(struct drm_device * dev,void * data,struct drm_file * file_priv)364 int drm_mode_addfb2(struct drm_device *dev,
365 void *data, struct drm_file *file_priv)
366 {
367 struct drm_mode_fb_cmd2 *r = data;
368 struct drm_framebuffer *fb;
369
370 if (!drm_core_check_feature(dev, DRIVER_MODESET))
371 return -EINVAL;
372
373 fb = drm_internal_framebuffer_create(dev, r, file_priv);
374 if (IS_ERR(fb))
375 return PTR_ERR(fb);
376
377 DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id);
378 r->fb_id = fb->base.id;
379
380 /* Transfer ownership to the filp for reaping on close */
381 mutex_lock(&file_priv->fbs_lock);
382 list_add(&fb->filp_head, &file_priv->fbs);
383 mutex_unlock(&file_priv->fbs_lock);
384
385 return 0;
386 }
387
388 struct drm_mode_rmfb_work {
389 struct work_struct work;
390 struct list_head fbs;
391 };
392
drm_mode_rmfb_work_fn(struct work_struct * w)393 static void drm_mode_rmfb_work_fn(struct work_struct *w)
394 {
395 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
396
397 while (!list_empty(&arg->fbs)) {
398 struct drm_framebuffer *fb =
399 list_first_entry(&arg->fbs, typeof(*fb), filp_head);
400
401 list_del_init(&fb->filp_head);
402 drm_framebuffer_remove(fb);
403 }
404 }
405
406 /**
407 * drm_mode_rmfb - remove an FB from the configuration
408 * @dev: drm device for the ioctl
409 * @data: data pointer for the ioctl
410 * @file_priv: drm file for the ioctl call
411 *
412 * Remove the FB specified by the user.
413 *
414 * Called by the user via ioctl.
415 *
416 * Returns:
417 * Zero on success, negative errno on failure.
418 */
drm_mode_rmfb(struct drm_device * dev,void * data,struct drm_file * file_priv)419 int drm_mode_rmfb(struct drm_device *dev,
420 void *data, struct drm_file *file_priv)
421 {
422 struct drm_framebuffer *fb = NULL;
423 struct drm_framebuffer *fbl = NULL;
424 uint32_t *id = data;
425 int found = 0;
426
427 if (!drm_core_check_feature(dev, DRIVER_MODESET))
428 return -EINVAL;
429
430 fb = drm_framebuffer_lookup(dev, *id);
431 if (!fb)
432 return -ENOENT;
433
434 mutex_lock(&file_priv->fbs_lock);
435 list_for_each_entry(fbl, &file_priv->fbs, filp_head)
436 if (fb == fbl)
437 found = 1;
438 if (!found) {
439 mutex_unlock(&file_priv->fbs_lock);
440 goto fail_unref;
441 }
442
443 list_del_init(&fb->filp_head);
444 mutex_unlock(&file_priv->fbs_lock);
445
446 /* drop the reference we picked up in framebuffer lookup */
447 drm_framebuffer_unreference(fb);
448
449 /*
450 * we now own the reference that was stored in the fbs list
451 *
452 * drm_framebuffer_remove may fail with -EINTR on pending signals,
453 * so run this in a separate stack as there's no way to correctly
454 * handle this after the fb is already removed from the lookup table.
455 */
456 if (drm_framebuffer_read_refcount(fb) > 1) {
457 struct drm_mode_rmfb_work arg;
458
459 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
460 INIT_LIST_HEAD(&arg.fbs);
461 list_add_tail(&fb->filp_head, &arg.fbs);
462
463 schedule_work(&arg.work);
464 flush_work(&arg.work);
465 destroy_work_on_stack(&arg.work);
466 } else
467 drm_framebuffer_unreference(fb);
468
469 return 0;
470
471 fail_unref:
472 drm_framebuffer_unreference(fb);
473 return -ENOENT;
474 }
475
476 /**
477 * drm_mode_getfb - get FB info
478 * @dev: drm device for the ioctl
479 * @data: data pointer for the ioctl
480 * @file_priv: drm file for the ioctl call
481 *
482 * Lookup the FB given its ID and return info about it.
483 *
484 * Called by the user via ioctl.
485 *
486 * Returns:
487 * Zero on success, negative errno on failure.
488 */
drm_mode_getfb(struct drm_device * dev,void * data,struct drm_file * file_priv)489 int drm_mode_getfb(struct drm_device *dev,
490 void *data, struct drm_file *file_priv)
491 {
492 struct drm_mode_fb_cmd *r = data;
493 struct drm_framebuffer *fb;
494 int ret;
495
496 if (!drm_core_check_feature(dev, DRIVER_MODESET))
497 return -EINVAL;
498
499 fb = drm_framebuffer_lookup(dev, r->fb_id);
500 if (!fb)
501 return -ENOENT;
502
503 r->height = fb->height;
504 r->width = fb->width;
505 r->depth = fb->depth;
506 r->bpp = fb->bits_per_pixel;
507 r->pitch = fb->pitches[0];
508 if (fb->funcs->create_handle) {
509 if (drm_is_current_master(file_priv) || capable(CAP_SYS_ADMIN) ||
510 drm_is_control_client(file_priv)) {
511 ret = fb->funcs->create_handle(fb, file_priv,
512 &r->handle);
513 } else {
514 /* GET_FB() is an unprivileged ioctl so we must not
515 * return a buffer-handle to non-master processes! For
516 * backwards-compatibility reasons, we cannot make
517 * GET_FB() privileged, so just return an invalid handle
518 * for non-masters. */
519 r->handle = 0;
520 ret = 0;
521 }
522 } else {
523 ret = -ENODEV;
524 }
525
526 drm_framebuffer_unreference(fb);
527
528 return ret;
529 }
530
531 /**
532 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
533 * @dev: drm device for the ioctl
534 * @data: data pointer for the ioctl
535 * @file_priv: drm file for the ioctl call
536 *
537 * Lookup the FB and flush out the damaged area supplied by userspace as a clip
538 * rectangle list. Generic userspace which does frontbuffer rendering must call
539 * this ioctl to flush out the changes on manual-update display outputs, e.g.
540 * usb display-link, mipi manual update panels or edp panel self refresh modes.
541 *
542 * Modesetting drivers which always update the frontbuffer do not need to
543 * implement the corresponding ->dirty framebuffer callback.
544 *
545 * Called by the user via ioctl.
546 *
547 * Returns:
548 * Zero on success, negative errno on failure.
549 */
drm_mode_dirtyfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)550 int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
551 void *data, struct drm_file *file_priv)
552 {
553 struct drm_clip_rect __user *clips_ptr;
554 struct drm_clip_rect *clips = NULL;
555 struct drm_mode_fb_dirty_cmd *r = data;
556 struct drm_framebuffer *fb;
557 unsigned flags;
558 int num_clips;
559 int ret;
560
561 if (!drm_core_check_feature(dev, DRIVER_MODESET))
562 return -EINVAL;
563
564 fb = drm_framebuffer_lookup(dev, r->fb_id);
565 if (!fb)
566 return -ENOENT;
567
568 num_clips = r->num_clips;
569 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
570
571 if (!num_clips != !clips_ptr) {
572 ret = -EINVAL;
573 goto out_err1;
574 }
575
576 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags;
577
578 /* If userspace annotates copy, clips must come in pairs */
579 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) {
580 ret = -EINVAL;
581 goto out_err1;
582 }
583
584 if (num_clips && clips_ptr) {
585 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
586 ret = -EINVAL;
587 goto out_err1;
588 }
589 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
590 if (!clips) {
591 ret = -ENOMEM;
592 goto out_err1;
593 }
594
595 ret = copy_from_user(clips, clips_ptr,
596 num_clips * sizeof(*clips));
597 if (ret) {
598 ret = -EFAULT;
599 goto out_err2;
600 }
601 }
602
603 if (fb->funcs->dirty) {
604 ret = fb->funcs->dirty(fb, file_priv, flags, r->color,
605 clips, num_clips);
606 } else {
607 ret = -ENOSYS;
608 }
609
610 out_err2:
611 kfree(clips);
612 out_err1:
613 drm_framebuffer_unreference(fb);
614
615 return ret;
616 }
617
618 /**
619 * drm_fb_release - remove and free the FBs on this file
620 * @priv: drm file for the ioctl
621 *
622 * Destroy all the FBs associated with @filp.
623 *
624 * Called by the user via ioctl.
625 *
626 * Returns:
627 * Zero on success, negative errno on failure.
628 */
drm_fb_release(struct drm_file * priv)629 void drm_fb_release(struct drm_file *priv)
630 {
631 struct drm_framebuffer *fb, *tfb;
632 struct drm_mode_rmfb_work arg;
633
634 INIT_LIST_HEAD(&arg.fbs);
635
636 /*
637 * When the file gets released that means no one else can access the fb
638 * list any more, so no need to grab fpriv->fbs_lock. And we need to
639 * avoid upsetting lockdep since the universal cursor code adds a
640 * framebuffer while holding mutex locks.
641 *
642 * Note that a real deadlock between fpriv->fbs_lock and the modeset
643 * locks is impossible here since no one else but this function can get
644 * at it any more.
645 */
646 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
647 if (drm_framebuffer_read_refcount(fb) > 1) {
648 list_move_tail(&fb->filp_head, &arg.fbs);
649 } else {
650 list_del_init(&fb->filp_head);
651
652 /* This drops the fpriv->fbs reference. */
653 drm_framebuffer_unreference(fb);
654 }
655 }
656
657 if (!list_empty(&arg.fbs)) {
658 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
659
660 schedule_work(&arg.work);
661 flush_work(&arg.work);
662 destroy_work_on_stack(&arg.work);
663 }
664 }
665
drm_framebuffer_free(struct kref * kref)666 void drm_framebuffer_free(struct kref *kref)
667 {
668 struct drm_framebuffer *fb =
669 container_of(kref, struct drm_framebuffer, base.refcount);
670 struct drm_device *dev = fb->dev;
671
672 /*
673 * The lookup idr holds a weak reference, which has not necessarily been
674 * removed at this point. Check for that.
675 */
676 drm_mode_object_unregister(dev, &fb->base);
677
678 fb->funcs->destroy(fb);
679 }
680
681 /**
682 * drm_framebuffer_init - initialize a framebuffer
683 * @dev: DRM device
684 * @fb: framebuffer to be initialized
685 * @funcs: ... with these functions
686 *
687 * Allocates an ID for the framebuffer's parent mode object, sets its mode
688 * functions & device file and adds it to the master fd list.
689 *
690 * IMPORTANT:
691 * This functions publishes the fb and makes it available for concurrent access
692 * by other users. Which means by this point the fb _must_ be fully set up -
693 * since all the fb attributes are invariant over its lifetime, no further
694 * locking but only correct reference counting is required.
695 *
696 * Returns:
697 * Zero on success, error code on failure.
698 */
drm_framebuffer_init(struct drm_device * dev,struct drm_framebuffer * fb,const struct drm_framebuffer_funcs * funcs)699 int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
700 const struct drm_framebuffer_funcs *funcs)
701 {
702 int ret;
703
704 INIT_LIST_HEAD(&fb->filp_head);
705 fb->dev = dev;
706 fb->funcs = funcs;
707
708 ret = drm_mode_object_get_reg(dev, &fb->base, DRM_MODE_OBJECT_FB,
709 false, drm_framebuffer_free);
710 if (ret)
711 goto out;
712
713 mutex_lock(&dev->mode_config.fb_lock);
714 dev->mode_config.num_fb++;
715 list_add(&fb->head, &dev->mode_config.fb_list);
716 mutex_unlock(&dev->mode_config.fb_lock);
717
718 drm_mode_object_register(dev, &fb->base);
719 out:
720 return ret;
721 }
722 EXPORT_SYMBOL(drm_framebuffer_init);
723
724 /**
725 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
726 * @dev: drm device
727 * @id: id of the fb object
728 *
729 * If successful, this grabs an additional reference to the framebuffer -
730 * callers need to make sure to eventually unreference the returned framebuffer
731 * again, using @drm_framebuffer_unreference.
732 */
drm_framebuffer_lookup(struct drm_device * dev,uint32_t id)733 struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
734 uint32_t id)
735 {
736 struct drm_mode_object *obj;
737 struct drm_framebuffer *fb = NULL;
738
739 obj = __drm_mode_object_find(dev, id, DRM_MODE_OBJECT_FB);
740 if (obj)
741 fb = obj_to_fb(obj);
742 return fb;
743 }
744 EXPORT_SYMBOL(drm_framebuffer_lookup);
745
746 /**
747 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
748 * @fb: fb to unregister
749 *
750 * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
751 * those used for fbdev. Note that the caller must hold a reference of it's own,
752 * i.e. the object may not be destroyed through this call (since it'll lead to a
753 * locking inversion).
754 */
drm_framebuffer_unregister_private(struct drm_framebuffer * fb)755 void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
756 {
757 struct drm_device *dev;
758
759 if (!fb)
760 return;
761
762 dev = fb->dev;
763
764 /* Mark fb as reaped and drop idr ref. */
765 drm_mode_object_unregister(dev, &fb->base);
766 }
767 EXPORT_SYMBOL(drm_framebuffer_unregister_private);
768
769 /**
770 * drm_framebuffer_cleanup - remove a framebuffer object
771 * @fb: framebuffer to remove
772 *
773 * Cleanup framebuffer. This function is intended to be used from the drivers
774 * ->destroy callback. It can also be used to clean up driver private
775 * framebuffers embedded into a larger structure.
776 *
777 * Note that this function does not remove the fb from active usuage - if it is
778 * still used anywhere, hilarity can ensue since userspace could call getfb on
779 * the id and get back -EINVAL. Obviously no concern at driver unload time.
780 *
781 * Also, the framebuffer will not be removed from the lookup idr - for
782 * user-created framebuffers this will happen in in the rmfb ioctl. For
783 * driver-private objects (e.g. for fbdev) drivers need to explicitly call
784 * drm_framebuffer_unregister_private.
785 */
drm_framebuffer_cleanup(struct drm_framebuffer * fb)786 void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
787 {
788 struct drm_device *dev = fb->dev;
789
790 mutex_lock(&dev->mode_config.fb_lock);
791 list_del(&fb->head);
792 dev->mode_config.num_fb--;
793 mutex_unlock(&dev->mode_config.fb_lock);
794 }
795 EXPORT_SYMBOL(drm_framebuffer_cleanup);
796
797 /**
798 * drm_framebuffer_remove - remove and unreference a framebuffer object
799 * @fb: framebuffer to remove
800 *
801 * Scans all the CRTCs and planes in @dev's mode_config. If they're
802 * using @fb, removes it, setting it to NULL. Then drops the reference to the
803 * passed-in framebuffer. Might take the modeset locks.
804 *
805 * Note that this function optimizes the cleanup away if the caller holds the
806 * last reference to the framebuffer. It is also guaranteed to not take the
807 * modeset locks in this case.
808 */
drm_framebuffer_remove(struct drm_framebuffer * fb)809 void drm_framebuffer_remove(struct drm_framebuffer *fb)
810 {
811 struct drm_device *dev;
812 struct drm_crtc *crtc;
813 struct drm_plane *plane;
814
815 if (!fb)
816 return;
817
818 dev = fb->dev;
819
820 WARN_ON(!list_empty(&fb->filp_head));
821
822 /*
823 * drm ABI mandates that we remove any deleted framebuffers from active
824 * useage. But since most sane clients only remove framebuffers they no
825 * longer need, try to optimize this away.
826 *
827 * Since we're holding a reference ourselves, observing a refcount of 1
828 * means that we're the last holder and can skip it. Also, the refcount
829 * can never increase from 1 again, so we don't need any barriers or
830 * locks.
831 *
832 * Note that userspace could try to race with use and instate a new
833 * usage _after_ we've cleared all current ones. End result will be an
834 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot
835 * in this manner.
836 */
837 if (drm_framebuffer_read_refcount(fb) > 1) {
838 drm_modeset_lock_all(dev);
839 /* remove from any CRTC */
840 drm_for_each_crtc(crtc, dev) {
841 if (crtc->primary->fb == fb) {
842 /* should turn off the crtc */
843 if (drm_crtc_force_disable(crtc))
844 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
845 }
846 }
847
848 drm_for_each_plane(plane, dev) {
849 if (plane->fb == fb)
850 drm_plane_force_disable(plane);
851 }
852 drm_modeset_unlock_all(dev);
853 }
854
855 drm_framebuffer_unreference(fb);
856 }
857 EXPORT_SYMBOL(drm_framebuffer_remove);
858