1 /*
2 * Copyright (c) 2016 Intel Corporation
3 *
4 * Permission to use, copy, modify, distribute, and sell this software and its
5 * documentation for any purpose is hereby granted without fee, provided that
6 * the above copyright notice appear in all copies and that both that copyright
7 * notice and this permission notice appear in supporting documentation, and
8 * that the name of the copyright holders not be used in advertising or
9 * publicity pertaining to distribution of the software without specific,
10 * written prior permission. The copyright holders make no representations
11 * about the suitability of this software for any purpose. It is provided "as
12 * is" without express or implied warranty.
13 *
14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20 * OF THIS SOFTWARE.
21 */
22
23 #include <linux/export.h>
24 #include <linux/uaccess.h>
25
26 #include <drm/drm_atomic.h>
27 #include <drm/drm_atomic_uapi.h>
28 #include <drm/drm_auth.h>
29 #include <drm/drm_debugfs.h>
30 #include <drm/drm_drv.h>
31 #include <drm/drm_file.h>
32 #include <drm/drm_fourcc.h>
33 #include <drm/drm_framebuffer.h>
34 #include <drm/drm_print.h>
35 #include <drm/drm_util.h>
36
37 #include "drm_crtc_internal.h"
38 #include "drm_internal.h"
39
40 /**
41 * DOC: overview
42 *
43 * Frame buffers are abstract memory objects that provide a source of pixels to
44 * scanout to a CRTC. Applications explicitly request the creation of frame
45 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
46 * handle that can be passed to the KMS CRTC control, plane configuration and
47 * page flip functions.
48 *
49 * Frame buffers rely on the underlying memory manager for allocating backing
50 * storage. When creating a frame buffer applications pass a memory handle
51 * (or a list of memory handles for multi-planar formats) through the
52 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
53 * buffer management interface this would be a GEM handle. Drivers are however
54 * free to use their own backing storage object handles, e.g. vmwgfx directly
55 * exposes special TTM handles to userspace and so expects TTM handles in the
56 * create ioctl and not GEM handles.
57 *
58 * Framebuffers are tracked with &struct drm_framebuffer. They are published
59 * using drm_framebuffer_init() - after calling that function userspace can use
60 * and access the framebuffer object. The helper function
61 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
62 * metadata fields.
63 *
64 * The lifetime of a drm framebuffer is controlled with a reference count,
65 * drivers can grab additional references with drm_framebuffer_get() and drop
66 * them again with drm_framebuffer_put(). For driver-private framebuffers for
67 * which the last reference is never dropped (e.g. for the fbdev framebuffer
68 * when the struct &struct drm_framebuffer is embedded into the fbdev helper
69 * struct) drivers can manually clean up a framebuffer at module unload time
70 * with drm_framebuffer_unregister_private(). But doing this is not
71 * recommended, and it's better to have a normal free-standing &struct
72 * drm_framebuffer.
73 */
74
drm_framebuffer_check_src_coords(uint32_t src_x,uint32_t src_y,uint32_t src_w,uint32_t src_h,const struct drm_framebuffer * fb)75 int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
76 uint32_t src_w, uint32_t src_h,
77 const struct drm_framebuffer *fb)
78 {
79 unsigned int fb_width, fb_height;
80
81 fb_width = fb->width << 16;
82 fb_height = fb->height << 16;
83
84 /* Make sure source coordinates are inside the fb. */
85 if (src_w > fb_width ||
86 src_x > fb_width - src_w ||
87 src_h > fb_height ||
88 src_y > fb_height - src_h) {
89 DRM_DEBUG_KMS("Invalid source coordinates "
90 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n",
91 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
92 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
93 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
94 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10,
95 fb->width, fb->height);
96 return -ENOSPC;
97 }
98
99 return 0;
100 }
101
102 /**
103 * drm_mode_addfb - add an FB to the graphics configuration
104 * @dev: drm device for the ioctl
105 * @or: pointer to request structure
106 * @file_priv: drm file
107 *
108 * Add a new FB to the specified CRTC, given a user request. This is the
109 * original addfb ioctl which only supported RGB formats.
110 *
111 * Called by the user via ioctl, or by an in-kernel client.
112 *
113 * Returns:
114 * Zero on success, negative errno on failure.
115 */
drm_mode_addfb(struct drm_device * dev,struct drm_mode_fb_cmd * or,struct drm_file * file_priv)116 int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or,
117 struct drm_file *file_priv)
118 {
119 struct drm_mode_fb_cmd2 r = {};
120 int ret;
121
122 if (!drm_core_check_feature(dev, DRIVER_MODESET))
123 return -EOPNOTSUPP;
124
125 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth);
126 if (r.pixel_format == DRM_FORMAT_INVALID) {
127 DRM_DEBUG("bad {bpp:%d, depth:%d}\n", or->bpp, or->depth);
128 return -EINVAL;
129 }
130
131 /* convert to new format and call new ioctl */
132 r.fb_id = or->fb_id;
133 r.width = or->width;
134 r.height = or->height;
135 r.pitches[0] = or->pitch;
136 r.handles[0] = or->handle;
137
138 ret = drm_mode_addfb2(dev, &r, file_priv);
139 if (ret)
140 return ret;
141
142 or->fb_id = r.fb_id;
143
144 return 0;
145 }
146
drm_mode_addfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)147 int drm_mode_addfb_ioctl(struct drm_device *dev,
148 void *data, struct drm_file *file_priv)
149 {
150 return drm_mode_addfb(dev, data, file_priv);
151 }
152
fb_plane_width(int width,const struct drm_format_info * format,int plane)153 static int fb_plane_width(int width,
154 const struct drm_format_info *format, int plane)
155 {
156 if (plane == 0)
157 return width;
158
159 return DIV_ROUND_UP(width, format->hsub);
160 }
161
fb_plane_height(int height,const struct drm_format_info * format,int plane)162 static int fb_plane_height(int height,
163 const struct drm_format_info *format, int plane)
164 {
165 if (plane == 0)
166 return height;
167
168 return DIV_ROUND_UP(height, format->vsub);
169 }
170
framebuffer_check(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r)171 static int framebuffer_check(struct drm_device *dev,
172 const struct drm_mode_fb_cmd2 *r)
173 {
174 const struct drm_format_info *info;
175 int i;
176
177 /* check if the format is supported at all */
178 info = __drm_format_info(r->pixel_format);
179 if (!info) {
180 struct drm_format_name_buf format_name;
181
182 DRM_DEBUG_KMS("bad framebuffer format %s\n",
183 drm_get_format_name(r->pixel_format,
184 &format_name));
185 return -EINVAL;
186 }
187
188 /* now let the driver pick its own format info */
189 info = drm_get_format_info(dev, r);
190
191 if (r->width == 0) {
192 DRM_DEBUG_KMS("bad framebuffer width %u\n", r->width);
193 return -EINVAL;
194 }
195
196 if (r->height == 0) {
197 DRM_DEBUG_KMS("bad framebuffer height %u\n", r->height);
198 return -EINVAL;
199 }
200
201 for (i = 0; i < info->num_planes; i++) {
202 unsigned int width = fb_plane_width(r->width, info, i);
203 unsigned int height = fb_plane_height(r->height, info, i);
204 unsigned int block_size = info->char_per_block[i];
205 u64 min_pitch = drm_format_info_min_pitch(info, i, width);
206
207 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) {
208 DRM_DEBUG_KMS("Format requires non-linear modifier for plane %d\n", i);
209 return -EINVAL;
210 }
211
212 if (!r->handles[i]) {
213 DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i);
214 return -EINVAL;
215 }
216
217 if (min_pitch > UINT_MAX)
218 return -ERANGE;
219
220 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
221 return -ERANGE;
222
223 if (block_size && r->pitches[i] < min_pitch) {
224 DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i);
225 return -EINVAL;
226 }
227
228 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
229 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n",
230 r->modifier[i], i);
231 return -EINVAL;
232 }
233
234 if (r->flags & DRM_MODE_FB_MODIFIERS &&
235 r->modifier[i] != r->modifier[0]) {
236 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n",
237 r->modifier[i], i);
238 return -EINVAL;
239 }
240
241 /* modifier specific checks: */
242 switch (r->modifier[i]) {
243 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE:
244 /* NOTE: the pitch restriction may be lifted later if it turns
245 * out that no hw has this restriction:
246 */
247 if (r->pixel_format != DRM_FORMAT_NV12 ||
248 width % 128 || height % 32 ||
249 r->pitches[i] % 128) {
250 DRM_DEBUG_KMS("bad modifier data for plane %d\n", i);
251 return -EINVAL;
252 }
253 break;
254
255 default:
256 break;
257 }
258 }
259
260 for (i = info->num_planes; i < 4; i++) {
261 if (r->modifier[i]) {
262 DRM_DEBUG_KMS("non-zero modifier for unused plane %d\n", i);
263 return -EINVAL;
264 }
265
266 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
267 if (!(r->flags & DRM_MODE_FB_MODIFIERS))
268 continue;
269
270 if (r->handles[i]) {
271 DRM_DEBUG_KMS("buffer object handle for unused plane %d\n", i);
272 return -EINVAL;
273 }
274
275 if (r->pitches[i]) {
276 DRM_DEBUG_KMS("non-zero pitch for unused plane %d\n", i);
277 return -EINVAL;
278 }
279
280 if (r->offsets[i]) {
281 DRM_DEBUG_KMS("non-zero offset for unused plane %d\n", i);
282 return -EINVAL;
283 }
284 }
285
286 return 0;
287 }
288
289 struct drm_framebuffer *
drm_internal_framebuffer_create(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r,struct drm_file * file_priv)290 drm_internal_framebuffer_create(struct drm_device *dev,
291 const struct drm_mode_fb_cmd2 *r,
292 struct drm_file *file_priv)
293 {
294 struct drm_mode_config *config = &dev->mode_config;
295 struct drm_framebuffer *fb;
296 int ret;
297
298 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS |
299 DRM_MODE_FB_SECURE)) {
300 DRM_DEBUG_KMS("bad framebuffer flags 0x%08x\n", r->flags);
301 return ERR_PTR(-EINVAL);
302 }
303
304 if ((config->min_width > r->width) || (r->width > config->max_width)) {
305 DRM_DEBUG_KMS("bad framebuffer width %d, should be >= %d && <= %d\n",
306 r->width, config->min_width, config->max_width);
307 return ERR_PTR(-EINVAL);
308 }
309 if ((config->min_height > r->height) || (r->height > config->max_height)) {
310 DRM_DEBUG_KMS("bad framebuffer height %d, should be >= %d && <= %d\n",
311 r->height, config->min_height, config->max_height);
312 return ERR_PTR(-EINVAL);
313 }
314
315 if (r->flags & DRM_MODE_FB_MODIFIERS &&
316 !dev->mode_config.allow_fb_modifiers) {
317 DRM_DEBUG_KMS("driver does not support fb modifiers\n");
318 return ERR_PTR(-EINVAL);
319 }
320
321 ret = framebuffer_check(dev, r);
322 if (ret)
323 return ERR_PTR(ret);
324
325 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r);
326 if (IS_ERR(fb)) {
327 DRM_DEBUG_KMS("could not create framebuffer\n");
328 return fb;
329 }
330
331 return fb;
332 }
333 EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create);
334
335 /**
336 * drm_mode_addfb2 - add an FB to the graphics configuration
337 * @dev: drm device for the ioctl
338 * @data: data pointer for the ioctl
339 * @file_priv: drm file for the ioctl call
340 *
341 * Add a new FB to the specified CRTC, given a user request with format. This is
342 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers
343 * and uses fourcc codes as pixel format specifiers.
344 *
345 * Called by the user via ioctl.
346 *
347 * Returns:
348 * Zero on success, negative errno on failure.
349 */
drm_mode_addfb2(struct drm_device * dev,void * data,struct drm_file * file_priv)350 int drm_mode_addfb2(struct drm_device *dev,
351 void *data, struct drm_file *file_priv)
352 {
353 struct drm_mode_fb_cmd2 *r = data;
354 struct drm_framebuffer *fb;
355
356 if (!drm_core_check_feature(dev, DRIVER_MODESET))
357 return -EOPNOTSUPP;
358
359 fb = drm_internal_framebuffer_create(dev, r, file_priv);
360 if (IS_ERR(fb))
361 return PTR_ERR(fb);
362
363 DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id);
364 r->fb_id = fb->base.id;
365
366 /* Transfer ownership to the filp for reaping on close */
367 mutex_lock(&file_priv->fbs_lock);
368 list_add(&fb->filp_head, &file_priv->fbs);
369 mutex_unlock(&file_priv->fbs_lock);
370
371 return 0;
372 }
373
drm_mode_addfb2_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)374 int drm_mode_addfb2_ioctl(struct drm_device *dev,
375 void *data, struct drm_file *file_priv)
376 {
377 #ifdef __BIG_ENDIAN
378 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) {
379 /*
380 * Drivers must set the
381 * quirk_addfb_prefer_host_byte_order quirk to make
382 * the drm_mode_addfb() compat code work correctly on
383 * bigendian machines.
384 *
385 * If they don't they interpret pixel_format values
386 * incorrectly for bug compatibility, which in turn
387 * implies the ADDFB2 ioctl does not work correctly
388 * then. So block it to make userspace fallback to
389 * ADDFB.
390 */
391 DRM_DEBUG_KMS("addfb2 broken on bigendian");
392 return -EOPNOTSUPP;
393 }
394 #endif
395 return drm_mode_addfb2(dev, data, file_priv);
396 }
397
398 struct drm_mode_rmfb_work {
399 struct work_struct work;
400 struct list_head fbs;
401 };
402
drm_mode_rmfb_work_fn(struct work_struct * w)403 static void drm_mode_rmfb_work_fn(struct work_struct *w)
404 {
405 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
406
407 while (!list_empty(&arg->fbs)) {
408 struct drm_framebuffer *fb =
409 list_first_entry(&arg->fbs, typeof(*fb), filp_head);
410
411 list_del_init(&fb->filp_head);
412 drm_framebuffer_remove(fb);
413 }
414 }
415
416 /**
417 * drm_mode_rmfb - remove an FB from the configuration
418 * @dev: drm device
419 * @fb_id: id of framebuffer to remove
420 * @file_priv: drm file
421 *
422 * Remove the specified FB.
423 *
424 * Called by the user via ioctl, or by an in-kernel client.
425 *
426 * Returns:
427 * Zero on success, negative errno on failure.
428 */
drm_mode_rmfb(struct drm_device * dev,u32 fb_id,struct drm_file * file_priv)429 int drm_mode_rmfb(struct drm_device *dev, u32 fb_id,
430 struct drm_file *file_priv)
431 {
432 struct drm_framebuffer *fb = NULL;
433 struct drm_framebuffer *fbl = NULL;
434 int found = 0;
435
436 if (!drm_core_check_feature(dev, DRIVER_MODESET))
437 return -EOPNOTSUPP;
438
439 fb = drm_framebuffer_lookup(dev, file_priv, fb_id);
440 if (!fb)
441 return -ENOENT;
442
443 mutex_lock(&file_priv->fbs_lock);
444 list_for_each_entry(fbl, &file_priv->fbs, filp_head)
445 if (fb == fbl)
446 found = 1;
447 if (!found) {
448 mutex_unlock(&file_priv->fbs_lock);
449 goto fail_unref;
450 }
451
452 list_del_init(&fb->filp_head);
453 mutex_unlock(&file_priv->fbs_lock);
454
455 /* drop the reference we picked up in framebuffer lookup */
456 drm_framebuffer_put(fb);
457
458 /*
459 * we now own the reference that was stored in the fbs list
460 *
461 * drm_framebuffer_remove may fail with -EINTR on pending signals,
462 * so run this in a separate stack as there's no way to correctly
463 * handle this after the fb is already removed from the lookup table.
464 */
465 if (drm_framebuffer_read_refcount(fb) > 1) {
466 struct drm_mode_rmfb_work arg;
467
468 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
469 INIT_LIST_HEAD(&arg.fbs);
470 list_add_tail(&fb->filp_head, &arg.fbs);
471
472 schedule_work(&arg.work);
473 flush_work(&arg.work);
474 destroy_work_on_stack(&arg.work);
475 } else
476 drm_framebuffer_put(fb);
477
478 return 0;
479
480 fail_unref:
481 drm_framebuffer_put(fb);
482 return -ENOENT;
483 }
484
drm_mode_rmfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)485 int drm_mode_rmfb_ioctl(struct drm_device *dev,
486 void *data, struct drm_file *file_priv)
487 {
488 uint32_t *fb_id = data;
489
490 return drm_mode_rmfb(dev, *fb_id, file_priv);
491 }
492
493 /**
494 * drm_mode_getfb - get FB info
495 * @dev: drm device for the ioctl
496 * @data: data pointer for the ioctl
497 * @file_priv: drm file for the ioctl call
498 *
499 * Lookup the FB given its ID and return info about it.
500 *
501 * Called by the user via ioctl.
502 *
503 * Returns:
504 * Zero on success, negative errno on failure.
505 */
drm_mode_getfb(struct drm_device * dev,void * data,struct drm_file * file_priv)506 int drm_mode_getfb(struct drm_device *dev,
507 void *data, struct drm_file *file_priv)
508 {
509 struct drm_mode_fb_cmd *r = data;
510 struct drm_framebuffer *fb;
511 int ret;
512
513 if (!drm_core_check_feature(dev, DRIVER_MODESET))
514 return -EOPNOTSUPP;
515
516 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
517 if (!fb)
518 return -ENOENT;
519
520 /* Multi-planar framebuffers need getfb2. */
521 if (fb->format->num_planes > 1) {
522 ret = -EINVAL;
523 goto out;
524 }
525
526 if (!fb->funcs->create_handle) {
527 ret = -ENODEV;
528 goto out;
529 }
530
531 r->height = fb->height;
532 r->width = fb->width;
533 r->depth = fb->format->depth;
534 r->bpp = fb->format->cpp[0] * 8;
535 r->pitch = fb->pitches[0];
536
537 /* GET_FB() is an unprivileged ioctl so we must not return a
538 * buffer-handle to non-master processes! For
539 * backwards-compatibility reasons, we cannot make GET_FB() privileged,
540 * so just return an invalid handle for non-masters.
541 */
542 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
543 r->handle = 0;
544 ret = 0;
545 goto out;
546 }
547
548 ret = fb->funcs->create_handle(fb, file_priv, &r->handle);
549
550 out:
551 drm_framebuffer_put(fb);
552
553 return ret;
554 }
555
556 /**
557 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
558 * @dev: drm device for the ioctl
559 * @data: data pointer for the ioctl
560 * @file_priv: drm file for the ioctl call
561 *
562 * Lookup the FB and flush out the damaged area supplied by userspace as a clip
563 * rectangle list. Generic userspace which does frontbuffer rendering must call
564 * this ioctl to flush out the changes on manual-update display outputs, e.g.
565 * usb display-link, mipi manual update panels or edp panel self refresh modes.
566 *
567 * Modesetting drivers which always update the frontbuffer do not need to
568 * implement the corresponding &drm_framebuffer_funcs.dirty callback.
569 *
570 * Called by the user via ioctl.
571 *
572 * Returns:
573 * Zero on success, negative errno on failure.
574 */
drm_mode_dirtyfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)575 int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
576 void *data, struct drm_file *file_priv)
577 {
578 struct drm_clip_rect __user *clips_ptr;
579 struct drm_clip_rect *clips = NULL;
580 struct drm_mode_fb_dirty_cmd *r = data;
581 struct drm_framebuffer *fb;
582 unsigned flags;
583 int num_clips;
584 int ret;
585
586 if (!drm_core_check_feature(dev, DRIVER_MODESET))
587 return -EOPNOTSUPP;
588
589 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
590 if (!fb)
591 return -ENOENT;
592
593 num_clips = r->num_clips;
594 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
595
596 if (!num_clips != !clips_ptr) {
597 ret = -EINVAL;
598 goto out_err1;
599 }
600
601 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags;
602
603 /* If userspace annotates copy, clips must come in pairs */
604 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) {
605 ret = -EINVAL;
606 goto out_err1;
607 }
608
609 if (num_clips && clips_ptr) {
610 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
611 ret = -EINVAL;
612 goto out_err1;
613 }
614 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
615 if (!clips) {
616 ret = -ENOMEM;
617 goto out_err1;
618 }
619
620 ret = copy_from_user(clips, clips_ptr,
621 num_clips * sizeof(*clips));
622 if (ret) {
623 ret = -EFAULT;
624 goto out_err2;
625 }
626 }
627
628 if (fb->funcs->dirty) {
629 ret = fb->funcs->dirty(fb, file_priv, flags, r->color,
630 clips, num_clips);
631 } else {
632 ret = -ENOSYS;
633 }
634
635 out_err2:
636 kfree(clips);
637 out_err1:
638 drm_framebuffer_put(fb);
639
640 return ret;
641 }
642
643 /**
644 * drm_fb_release - remove and free the FBs on this file
645 * @priv: drm file for the ioctl
646 *
647 * Destroy all the FBs associated with @filp.
648 *
649 * Called by the user via ioctl.
650 *
651 * Returns:
652 * Zero on success, negative errno on failure.
653 */
drm_fb_release(struct drm_file * priv)654 void drm_fb_release(struct drm_file *priv)
655 {
656 struct drm_framebuffer *fb, *tfb;
657 struct drm_mode_rmfb_work arg;
658
659 INIT_LIST_HEAD(&arg.fbs);
660
661 /*
662 * When the file gets released that means no one else can access the fb
663 * list any more, so no need to grab fpriv->fbs_lock. And we need to
664 * avoid upsetting lockdep since the universal cursor code adds a
665 * framebuffer while holding mutex locks.
666 *
667 * Note that a real deadlock between fpriv->fbs_lock and the modeset
668 * locks is impossible here since no one else but this function can get
669 * at it any more.
670 */
671 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
672 if (drm_framebuffer_read_refcount(fb) > 1) {
673 list_move_tail(&fb->filp_head, &arg.fbs);
674 } else {
675 list_del_init(&fb->filp_head);
676
677 /* This drops the fpriv->fbs reference. */
678 drm_framebuffer_put(fb);
679 }
680 }
681
682 if (!list_empty(&arg.fbs)) {
683 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
684
685 schedule_work(&arg.work);
686 flush_work(&arg.work);
687 destroy_work_on_stack(&arg.work);
688 }
689 }
690
drm_framebuffer_free(struct kref * kref)691 void drm_framebuffer_free(struct kref *kref)
692 {
693 struct drm_framebuffer *fb =
694 container_of(kref, struct drm_framebuffer, base.refcount);
695 struct drm_device *dev = fb->dev;
696
697 /*
698 * The lookup idr holds a weak reference, which has not necessarily been
699 * removed at this point. Check for that.
700 */
701 drm_mode_object_unregister(dev, &fb->base);
702
703 fb->funcs->destroy(fb);
704 }
705
706 /**
707 * drm_framebuffer_init - initialize a framebuffer
708 * @dev: DRM device
709 * @fb: framebuffer to be initialized
710 * @funcs: ... with these functions
711 *
712 * Allocates an ID for the framebuffer's parent mode object, sets its mode
713 * functions & device file and adds it to the master fd list.
714 *
715 * IMPORTANT:
716 * This functions publishes the fb and makes it available for concurrent access
717 * by other users. Which means by this point the fb _must_ be fully set up -
718 * since all the fb attributes are invariant over its lifetime, no further
719 * locking but only correct reference counting is required.
720 *
721 * Returns:
722 * Zero on success, error code on failure.
723 */
drm_framebuffer_init(struct drm_device * dev,struct drm_framebuffer * fb,const struct drm_framebuffer_funcs * funcs)724 int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
725 const struct drm_framebuffer_funcs *funcs)
726 {
727 int ret;
728
729 if (WARN_ON_ONCE(fb->dev != dev || !fb->format))
730 return -EINVAL;
731
732 INIT_LIST_HEAD(&fb->filp_head);
733
734 fb->funcs = funcs;
735 strcpy(fb->comm, current->comm);
736
737 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB,
738 false, drm_framebuffer_free);
739 if (ret)
740 goto out;
741
742 mutex_lock(&dev->mode_config.fb_lock);
743 dev->mode_config.num_fb++;
744 list_add(&fb->head, &dev->mode_config.fb_list);
745 mutex_unlock(&dev->mode_config.fb_lock);
746
747 drm_mode_object_register(dev, &fb->base);
748 out:
749 return ret;
750 }
751 EXPORT_SYMBOL(drm_framebuffer_init);
752
753 /**
754 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
755 * @dev: drm device
756 * @file_priv: drm file to check for lease against.
757 * @id: id of the fb object
758 *
759 * If successful, this grabs an additional reference to the framebuffer -
760 * callers need to make sure to eventually unreference the returned framebuffer
761 * again, using drm_framebuffer_put().
762 */
drm_framebuffer_lookup(struct drm_device * dev,struct drm_file * file_priv,uint32_t id)763 struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
764 struct drm_file *file_priv,
765 uint32_t id)
766 {
767 struct drm_mode_object *obj;
768 struct drm_framebuffer *fb = NULL;
769
770 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB);
771 if (obj)
772 fb = obj_to_fb(obj);
773 return fb;
774 }
775 EXPORT_SYMBOL(drm_framebuffer_lookup);
776
777 /**
778 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
779 * @fb: fb to unregister
780 *
781 * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
782 * those used for fbdev. Note that the caller must hold a reference of its own,
783 * i.e. the object may not be destroyed through this call (since it'll lead to a
784 * locking inversion).
785 *
786 * NOTE: This function is deprecated. For driver-private framebuffers it is not
787 * recommended to embed a framebuffer struct info fbdev struct, instead, a
788 * framebuffer pointer is preferred and drm_framebuffer_put() should be called
789 * when the framebuffer is to be cleaned up.
790 */
drm_framebuffer_unregister_private(struct drm_framebuffer * fb)791 void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
792 {
793 struct drm_device *dev;
794
795 if (!fb)
796 return;
797
798 dev = fb->dev;
799
800 /* Mark fb as reaped and drop idr ref. */
801 drm_mode_object_unregister(dev, &fb->base);
802 }
803 EXPORT_SYMBOL(drm_framebuffer_unregister_private);
804
805 /**
806 * drm_framebuffer_cleanup - remove a framebuffer object
807 * @fb: framebuffer to remove
808 *
809 * Cleanup framebuffer. This function is intended to be used from the drivers
810 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up
811 * driver private framebuffers embedded into a larger structure.
812 *
813 * Note that this function does not remove the fb from active usage - if it is
814 * still used anywhere, hilarity can ensue since userspace could call getfb on
815 * the id and get back -EINVAL. Obviously no concern at driver unload time.
816 *
817 * Also, the framebuffer will not be removed from the lookup idr - for
818 * user-created framebuffers this will happen in in the rmfb ioctl. For
819 * driver-private objects (e.g. for fbdev) drivers need to explicitly call
820 * drm_framebuffer_unregister_private.
821 */
drm_framebuffer_cleanup(struct drm_framebuffer * fb)822 void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
823 {
824 struct drm_device *dev = fb->dev;
825
826 mutex_lock(&dev->mode_config.fb_lock);
827 list_del(&fb->head);
828 dev->mode_config.num_fb--;
829 mutex_unlock(&dev->mode_config.fb_lock);
830 }
831 EXPORT_SYMBOL(drm_framebuffer_cleanup);
832
atomic_remove_fb(struct drm_framebuffer * fb)833 static int atomic_remove_fb(struct drm_framebuffer *fb)
834 {
835 struct drm_modeset_acquire_ctx ctx;
836 struct drm_device *dev = fb->dev;
837 struct drm_atomic_state *state;
838 struct drm_plane *plane;
839 struct drm_connector *conn __maybe_unused;
840 struct drm_connector_state *conn_state;
841 int i, ret;
842 unsigned plane_mask;
843 bool disable_crtcs = false;
844
845 retry_disable:
846 drm_modeset_acquire_init(&ctx, 0);
847
848 state = drm_atomic_state_alloc(dev);
849 if (!state) {
850 ret = -ENOMEM;
851 goto out;
852 }
853 state->acquire_ctx = &ctx;
854
855 retry:
856 plane_mask = 0;
857 ret = drm_modeset_lock_all_ctx(dev, &ctx);
858 if (ret)
859 goto unlock;
860
861 drm_for_each_plane(plane, dev) {
862 struct drm_plane_state *plane_state;
863
864 if (plane->state->fb != fb)
865 continue;
866
867 plane_state = drm_atomic_get_plane_state(state, plane);
868 if (IS_ERR(plane_state)) {
869 ret = PTR_ERR(plane_state);
870 goto unlock;
871 }
872
873 if (disable_crtcs && plane_state->crtc->primary == plane) {
874 struct drm_crtc_state *crtc_state;
875
876 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc);
877
878 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc);
879 if (ret)
880 goto unlock;
881
882 crtc_state->active = false;
883 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL);
884 if (ret)
885 goto unlock;
886 }
887
888 drm_atomic_set_fb_for_plane(plane_state, NULL);
889 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL);
890 if (ret)
891 goto unlock;
892
893 plane_mask |= drm_plane_mask(plane);
894 }
895
896 /* This list is only filled when disable_crtcs is set. */
897 for_each_new_connector_in_state(state, conn, conn_state, i) {
898 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL);
899
900 if (ret)
901 goto unlock;
902 }
903
904 if (plane_mask)
905 ret = drm_atomic_commit(state);
906
907 unlock:
908 if (ret == -EDEADLK) {
909 drm_atomic_state_clear(state);
910 drm_modeset_backoff(&ctx);
911 goto retry;
912 }
913
914 drm_atomic_state_put(state);
915
916 out:
917 drm_modeset_drop_locks(&ctx);
918 drm_modeset_acquire_fini(&ctx);
919
920 if (ret == -EINVAL && !disable_crtcs) {
921 disable_crtcs = true;
922 goto retry_disable;
923 }
924
925 return ret;
926 }
927
legacy_remove_fb(struct drm_framebuffer * fb)928 static void legacy_remove_fb(struct drm_framebuffer *fb)
929 {
930 struct drm_device *dev = fb->dev;
931 struct drm_crtc *crtc;
932 struct drm_plane *plane;
933
934 drm_modeset_lock_all(dev);
935 /* remove from any CRTC */
936 drm_for_each_crtc(crtc, dev) {
937 if (crtc->primary->fb == fb) {
938 /* should turn off the crtc */
939 if (drm_crtc_force_disable(crtc))
940 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
941 }
942 }
943
944 drm_for_each_plane(plane, dev) {
945 if (plane->fb == fb)
946 drm_plane_force_disable(plane);
947 }
948 drm_modeset_unlock_all(dev);
949 }
950
951 /**
952 * drm_framebuffer_remove - remove and unreference a framebuffer object
953 * @fb: framebuffer to remove
954 *
955 * Scans all the CRTCs and planes in @dev's mode_config. If they're
956 * using @fb, removes it, setting it to NULL. Then drops the reference to the
957 * passed-in framebuffer. Might take the modeset locks.
958 *
959 * Note that this function optimizes the cleanup away if the caller holds the
960 * last reference to the framebuffer. It is also guaranteed to not take the
961 * modeset locks in this case.
962 */
drm_framebuffer_remove(struct drm_framebuffer * fb)963 void drm_framebuffer_remove(struct drm_framebuffer *fb)
964 {
965 struct drm_device *dev;
966
967 if (!fb)
968 return;
969
970 dev = fb->dev;
971
972 WARN_ON(!list_empty(&fb->filp_head));
973
974 /*
975 * drm ABI mandates that we remove any deleted framebuffers from active
976 * useage. But since most sane clients only remove framebuffers they no
977 * longer need, try to optimize this away.
978 *
979 * Since we're holding a reference ourselves, observing a refcount of 1
980 * means that we're the last holder and can skip it. Also, the refcount
981 * can never increase from 1 again, so we don't need any barriers or
982 * locks.
983 *
984 * Note that userspace could try to race with use and instate a new
985 * usage _after_ we've cleared all current ones. End result will be an
986 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot
987 * in this manner.
988 */
989 if (drm_framebuffer_read_refcount(fb) > 1) {
990 if (drm_drv_uses_atomic_modeset(dev)) {
991 int ret = atomic_remove_fb(fb);
992 WARN(ret, "atomic remove_fb failed with %i\n", ret);
993 } else
994 legacy_remove_fb(fb);
995 }
996
997 drm_framebuffer_put(fb);
998 }
999 EXPORT_SYMBOL(drm_framebuffer_remove);
1000
1001 /**
1002 * drm_framebuffer_plane_width - width of the plane given the first plane
1003 * @width: width of the first plane
1004 * @fb: the framebuffer
1005 * @plane: plane index
1006 *
1007 * Returns:
1008 * The width of @plane, given that the width of the first plane is @width.
1009 */
drm_framebuffer_plane_width(int width,const struct drm_framebuffer * fb,int plane)1010 int drm_framebuffer_plane_width(int width,
1011 const struct drm_framebuffer *fb, int plane)
1012 {
1013 if (plane >= fb->format->num_planes)
1014 return 0;
1015
1016 return fb_plane_width(width, fb->format, plane);
1017 }
1018 EXPORT_SYMBOL(drm_framebuffer_plane_width);
1019
1020 /**
1021 * drm_framebuffer_plane_height - height of the plane given the first plane
1022 * @height: height of the first plane
1023 * @fb: the framebuffer
1024 * @plane: plane index
1025 *
1026 * Returns:
1027 * The height of @plane, given that the height of the first plane is @height.
1028 */
drm_framebuffer_plane_height(int height,const struct drm_framebuffer * fb,int plane)1029 int drm_framebuffer_plane_height(int height,
1030 const struct drm_framebuffer *fb, int plane)
1031 {
1032 if (plane >= fb->format->num_planes)
1033 return 0;
1034
1035 return fb_plane_height(height, fb->format, plane);
1036 }
1037 EXPORT_SYMBOL(drm_framebuffer_plane_height);
1038
drm_framebuffer_print_info(struct drm_printer * p,unsigned int indent,const struct drm_framebuffer * fb)1039 void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent,
1040 const struct drm_framebuffer *fb)
1041 {
1042 struct drm_format_name_buf format_name;
1043 unsigned int i;
1044
1045 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm);
1046 drm_printf_indent(p, indent, "refcount=%u\n",
1047 drm_framebuffer_read_refcount(fb));
1048 drm_printf_indent(p, indent, "format=%s\n",
1049 drm_get_format_name(fb->format->format, &format_name));
1050 drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier);
1051 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height);
1052 drm_printf_indent(p, indent, "layers:\n");
1053
1054 for (i = 0; i < fb->format->num_planes; i++) {
1055 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i,
1056 drm_framebuffer_plane_width(fb->width, fb, i),
1057 drm_framebuffer_plane_height(fb->height, fb, i));
1058 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]);
1059 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]);
1060 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i,
1061 fb->obj[i] ? "" : "(null)");
1062 if (fb->obj[i])
1063 drm_gem_print_info(p, indent + 2, fb->obj[i]);
1064 }
1065 }
1066
1067 #ifdef CONFIG_DEBUG_FS
drm_framebuffer_info(struct seq_file * m,void * data)1068 static int drm_framebuffer_info(struct seq_file *m, void *data)
1069 {
1070 struct drm_info_node *node = m->private;
1071 struct drm_device *dev = node->minor->dev;
1072 struct drm_printer p = drm_seq_file_printer(m);
1073 struct drm_framebuffer *fb;
1074
1075 mutex_lock(&dev->mode_config.fb_lock);
1076 drm_for_each_fb(fb, dev) {
1077 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id);
1078 drm_framebuffer_print_info(&p, 1, fb);
1079 }
1080 mutex_unlock(&dev->mode_config.fb_lock);
1081
1082 return 0;
1083 }
1084
1085 static const struct drm_info_list drm_framebuffer_debugfs_list[] = {
1086 { "framebuffer", drm_framebuffer_info, 0 },
1087 };
1088
drm_framebuffer_debugfs_init(struct drm_minor * minor)1089 int drm_framebuffer_debugfs_init(struct drm_minor *minor)
1090 {
1091 return drm_debugfs_create_files(drm_framebuffer_debugfs_list,
1092 ARRAY_SIZE(drm_framebuffer_debugfs_list),
1093 minor->debugfs_root, minor);
1094 }
1095 #endif
1096