1 /*
2 * Copyright (c) 2016 Intel Corporation
3 *
4 * Permission to use, copy, modify, distribute, and sell this software and its
5 * documentation for any purpose is hereby granted without fee, provided that
6 * the above copyright notice appear in all copies and that both that copyright
7 * notice and this permission notice appear in supporting documentation, and
8 * that the name of the copyright holders not be used in advertising or
9 * publicity pertaining to distribution of the software without specific,
10 * written prior permission. The copyright holders make no representations
11 * about the suitability of this software for any purpose. It is provided "as
12 * is" without express or implied warranty.
13 *
14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20 * OF THIS SOFTWARE.
21 */
22
23 #include <linux/export.h>
24 #include <linux/uaccess.h>
25
26 #include <drm/drm_atomic.h>
27 #include <drm/drm_atomic_uapi.h>
28 #include <drm/drm_auth.h>
29 #include <drm/drm_debugfs.h>
30 #include <drm/drm_drv.h>
31 #include <drm/drm_file.h>
32 #include <drm/drm_fourcc.h>
33 #include <drm/drm_framebuffer.h>
34 #include <drm/drm_gem.h>
35 #include <drm/drm_print.h>
36 #include <drm/drm_util.h>
37
38 #include <trace/hooks/drm_framebuffer.h>
39
40 #include "drm_crtc_internal.h"
41 #include "drm_internal.h"
42
43 /**
44 * DOC: overview
45 *
46 * Frame buffers are abstract memory objects that provide a source of pixels to
47 * scanout to a CRTC. Applications explicitly request the creation of frame
48 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
49 * handle that can be passed to the KMS CRTC control, plane configuration and
50 * page flip functions.
51 *
52 * Frame buffers rely on the underlying memory manager for allocating backing
53 * storage. When creating a frame buffer applications pass a memory handle
54 * (or a list of memory handles for multi-planar formats) through the
55 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
56 * buffer management interface this would be a GEM handle. Drivers are however
57 * free to use their own backing storage object handles, e.g. vmwgfx directly
58 * exposes special TTM handles to userspace and so expects TTM handles in the
59 * create ioctl and not GEM handles.
60 *
61 * Framebuffers are tracked with &struct drm_framebuffer. They are published
62 * using drm_framebuffer_init() - after calling that function userspace can use
63 * and access the framebuffer object. The helper function
64 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
65 * metadata fields.
66 *
67 * The lifetime of a drm framebuffer is controlled with a reference count,
68 * drivers can grab additional references with drm_framebuffer_get() and drop
69 * them again with drm_framebuffer_put(). For driver-private framebuffers for
70 * which the last reference is never dropped (e.g. for the fbdev framebuffer
71 * when the struct &struct drm_framebuffer is embedded into the fbdev helper
72 * struct) drivers can manually clean up a framebuffer at module unload time
73 * with drm_framebuffer_unregister_private(). But doing this is not
74 * recommended, and it's better to have a normal free-standing &struct
75 * drm_framebuffer.
76 */
77
drm_framebuffer_check_src_coords(uint32_t src_x,uint32_t src_y,uint32_t src_w,uint32_t src_h,const struct drm_framebuffer * fb)78 int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
79 uint32_t src_w, uint32_t src_h,
80 const struct drm_framebuffer *fb)
81 {
82 unsigned int fb_width, fb_height;
83
84 fb_width = fb->width << 16;
85 fb_height = fb->height << 16;
86
87 /* Make sure source coordinates are inside the fb. */
88 if (src_w > fb_width ||
89 src_x > fb_width - src_w ||
90 src_h > fb_height ||
91 src_y > fb_height - src_h) {
92 DRM_DEBUG_KMS("Invalid source coordinates "
93 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n",
94 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
95 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
96 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
97 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10,
98 fb->width, fb->height);
99 return -ENOSPC;
100 }
101
102 return 0;
103 }
104
105 /**
106 * drm_mode_addfb - add an FB to the graphics configuration
107 * @dev: drm device for the ioctl
108 * @or: pointer to request structure
109 * @file_priv: drm file
110 *
111 * Add a new FB to the specified CRTC, given a user request. This is the
112 * original addfb ioctl which only supported RGB formats.
113 *
114 * Called by the user via ioctl, or by an in-kernel client.
115 *
116 * Returns:
117 * Zero on success, negative errno on failure.
118 */
drm_mode_addfb(struct drm_device * dev,struct drm_mode_fb_cmd * or,struct drm_file * file_priv)119 int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or,
120 struct drm_file *file_priv)
121 {
122 struct drm_mode_fb_cmd2 r = {};
123 int ret;
124
125 if (!drm_core_check_feature(dev, DRIVER_MODESET))
126 return -EOPNOTSUPP;
127
128 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth);
129 if (r.pixel_format == DRM_FORMAT_INVALID) {
130 DRM_DEBUG("bad {bpp:%d, depth:%d}\n", or->bpp, or->depth);
131 return -EINVAL;
132 }
133
134 /* convert to new format and call new ioctl */
135 r.fb_id = or->fb_id;
136 r.width = or->width;
137 r.height = or->height;
138 r.pitches[0] = or->pitch;
139 r.handles[0] = or->handle;
140
141 ret = drm_mode_addfb2(dev, &r, file_priv);
142 if (ret)
143 return ret;
144
145 or->fb_id = r.fb_id;
146
147 return 0;
148 }
149
drm_mode_addfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)150 int drm_mode_addfb_ioctl(struct drm_device *dev,
151 void *data, struct drm_file *file_priv)
152 {
153 return drm_mode_addfb(dev, data, file_priv);
154 }
155
fb_plane_width(int width,const struct drm_format_info * format,int plane)156 static int fb_plane_width(int width,
157 const struct drm_format_info *format, int plane)
158 {
159 if (plane == 0)
160 return width;
161
162 return DIV_ROUND_UP(width, format->hsub);
163 }
164
fb_plane_height(int height,const struct drm_format_info * format,int plane)165 static int fb_plane_height(int height,
166 const struct drm_format_info *format, int plane)
167 {
168 if (plane == 0)
169 return height;
170
171 return DIV_ROUND_UP(height, format->vsub);
172 }
173
framebuffer_check(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r)174 static int framebuffer_check(struct drm_device *dev,
175 const struct drm_mode_fb_cmd2 *r)
176 {
177 const struct drm_format_info *info;
178 int i;
179
180 /* check if the format is supported at all */
181 if (!__drm_format_info(r->pixel_format)) {
182 DRM_DEBUG_KMS("bad framebuffer format %p4cc\n",
183 &r->pixel_format);
184 return -EINVAL;
185 }
186
187 if (r->width == 0) {
188 DRM_DEBUG_KMS("bad framebuffer width %u\n", r->width);
189 return -EINVAL;
190 }
191
192 if (r->height == 0) {
193 DRM_DEBUG_KMS("bad framebuffer height %u\n", r->height);
194 return -EINVAL;
195 }
196
197 /* now let the driver pick its own format info */
198 info = drm_get_format_info(dev, r);
199
200 for (i = 0; i < info->num_planes; i++) {
201 unsigned int width = fb_plane_width(r->width, info, i);
202 unsigned int height = fb_plane_height(r->height, info, i);
203 unsigned int block_size = info->char_per_block[i];
204 u64 min_pitch = drm_format_info_min_pitch(info, i, width);
205
206 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) {
207 DRM_DEBUG_KMS("Format requires non-linear modifier for plane %d\n", i);
208 return -EINVAL;
209 }
210
211 if (!r->handles[i]) {
212 DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i);
213 return -EINVAL;
214 }
215
216 if (min_pitch > UINT_MAX)
217 return -ERANGE;
218
219 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
220 return -ERANGE;
221
222 if (block_size && r->pitches[i] < min_pitch) {
223 DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i);
224 return -EINVAL;
225 }
226
227 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
228 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n",
229 r->modifier[i], i);
230 return -EINVAL;
231 }
232
233 if (r->flags & DRM_MODE_FB_MODIFIERS &&
234 r->modifier[i] != r->modifier[0]) {
235 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n",
236 r->modifier[i], i);
237 return -EINVAL;
238 }
239
240 /* modifier specific checks: */
241 switch (r->modifier[i]) {
242 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE:
243 /* NOTE: the pitch restriction may be lifted later if it turns
244 * out that no hw has this restriction:
245 */
246 if (r->pixel_format != DRM_FORMAT_NV12 ||
247 width % 128 || height % 32 ||
248 r->pitches[i] % 128) {
249 DRM_DEBUG_KMS("bad modifier data for plane %d\n", i);
250 return -EINVAL;
251 }
252 break;
253
254 default:
255 break;
256 }
257 }
258
259 for (i = info->num_planes; i < 4; i++) {
260 if (r->modifier[i]) {
261 DRM_DEBUG_KMS("non-zero modifier for unused plane %d\n", i);
262 return -EINVAL;
263 }
264
265 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
266 if (!(r->flags & DRM_MODE_FB_MODIFIERS))
267 continue;
268
269 if (r->handles[i]) {
270 DRM_DEBUG_KMS("buffer object handle for unused plane %d\n", i);
271 return -EINVAL;
272 }
273
274 if (r->pitches[i]) {
275 DRM_DEBUG_KMS("non-zero pitch for unused plane %d\n", i);
276 return -EINVAL;
277 }
278
279 if (r->offsets[i]) {
280 DRM_DEBUG_KMS("non-zero offset for unused plane %d\n", i);
281 return -EINVAL;
282 }
283 }
284
285 return 0;
286 }
287
288 struct drm_framebuffer *
drm_internal_framebuffer_create(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r,struct drm_file * file_priv)289 drm_internal_framebuffer_create(struct drm_device *dev,
290 const struct drm_mode_fb_cmd2 *r,
291 struct drm_file *file_priv)
292 {
293 struct drm_mode_config *config = &dev->mode_config;
294 struct drm_framebuffer *fb;
295 int ret;
296
297 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) {
298 DRM_DEBUG_KMS("bad framebuffer flags 0x%08x\n", r->flags);
299 return ERR_PTR(-EINVAL);
300 }
301
302 if ((config->min_width > r->width) || (r->width > config->max_width)) {
303 DRM_DEBUG_KMS("bad framebuffer width %d, should be >= %d && <= %d\n",
304 r->width, config->min_width, config->max_width);
305 return ERR_PTR(-EINVAL);
306 }
307 if ((config->min_height > r->height) || (r->height > config->max_height)) {
308 DRM_DEBUG_KMS("bad framebuffer height %d, should be >= %d && <= %d\n",
309 r->height, config->min_height, config->max_height);
310 return ERR_PTR(-EINVAL);
311 }
312
313 if (r->flags & DRM_MODE_FB_MODIFIERS &&
314 !dev->mode_config.allow_fb_modifiers) {
315 DRM_DEBUG_KMS("driver does not support fb modifiers\n");
316 return ERR_PTR(-EINVAL);
317 }
318
319 ret = framebuffer_check(dev, r);
320 if (ret)
321 return ERR_PTR(ret);
322
323 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r);
324 if (IS_ERR(fb)) {
325 DRM_DEBUG_KMS("could not create framebuffer\n");
326 return fb;
327 }
328
329 return fb;
330 }
331 EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create);
332
333 /**
334 * drm_mode_addfb2 - add an FB to the graphics configuration
335 * @dev: drm device for the ioctl
336 * @data: data pointer for the ioctl
337 * @file_priv: drm file for the ioctl call
338 *
339 * Add a new FB to the specified CRTC, given a user request with format. This is
340 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers
341 * and uses fourcc codes as pixel format specifiers.
342 *
343 * Called by the user via ioctl.
344 *
345 * Returns:
346 * Zero on success, negative errno on failure.
347 */
drm_mode_addfb2(struct drm_device * dev,void * data,struct drm_file * file_priv)348 int drm_mode_addfb2(struct drm_device *dev,
349 void *data, struct drm_file *file_priv)
350 {
351 struct drm_mode_fb_cmd2 *r = data;
352 struct drm_framebuffer *fb;
353
354 if (!drm_core_check_feature(dev, DRIVER_MODESET))
355 return -EOPNOTSUPP;
356
357 fb = drm_internal_framebuffer_create(dev, r, file_priv);
358 if (IS_ERR(fb))
359 return PTR_ERR(fb);
360
361 DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id);
362 r->fb_id = fb->base.id;
363
364 /* Transfer ownership to the filp for reaping on close */
365 mutex_lock(&file_priv->fbs_lock);
366 list_add(&fb->filp_head, &file_priv->fbs);
367 mutex_unlock(&file_priv->fbs_lock);
368
369 return 0;
370 }
371
drm_mode_addfb2_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)372 int drm_mode_addfb2_ioctl(struct drm_device *dev,
373 void *data, struct drm_file *file_priv)
374 {
375 #ifdef __BIG_ENDIAN
376 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) {
377 /*
378 * Drivers must set the
379 * quirk_addfb_prefer_host_byte_order quirk to make
380 * the drm_mode_addfb() compat code work correctly on
381 * bigendian machines.
382 *
383 * If they don't they interpret pixel_format values
384 * incorrectly for bug compatibility, which in turn
385 * implies the ADDFB2 ioctl does not work correctly
386 * then. So block it to make userspace fallback to
387 * ADDFB.
388 */
389 DRM_DEBUG_KMS("addfb2 broken on bigendian");
390 return -EOPNOTSUPP;
391 }
392 #endif
393 return drm_mode_addfb2(dev, data, file_priv);
394 }
395
396 struct drm_mode_rmfb_work {
397 struct work_struct work;
398 struct list_head fbs;
399 };
400
drm_mode_rmfb_work_fn(struct work_struct * w)401 static void drm_mode_rmfb_work_fn(struct work_struct *w)
402 {
403 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
404
405 while (!list_empty(&arg->fbs)) {
406 struct drm_framebuffer *fb =
407 list_first_entry(&arg->fbs, typeof(*fb), filp_head);
408
409 drm_dbg_kms(fb->dev,
410 "Removing [FB:%d] from all active usage due to RMFB ioctl\n",
411 fb->base.id);
412 list_del_init(&fb->filp_head);
413 drm_framebuffer_remove(fb);
414 }
415 }
416
417 /**
418 * drm_mode_rmfb - remove an FB from the configuration
419 * @dev: drm device
420 * @fb_id: id of framebuffer to remove
421 * @file_priv: drm file
422 *
423 * Remove the specified FB.
424 *
425 * Called by the user via ioctl, or by an in-kernel client.
426 *
427 * Returns:
428 * Zero on success, negative errno on failure.
429 */
drm_mode_rmfb(struct drm_device * dev,u32 fb_id,struct drm_file * file_priv)430 int drm_mode_rmfb(struct drm_device *dev, u32 fb_id,
431 struct drm_file *file_priv)
432 {
433 struct drm_framebuffer *fb = NULL;
434 struct drm_framebuffer *fbl = NULL;
435 int found = 0;
436
437 if (!drm_core_check_feature(dev, DRIVER_MODESET))
438 return -EOPNOTSUPP;
439
440 fb = drm_framebuffer_lookup(dev, file_priv, fb_id);
441 if (!fb)
442 return -ENOENT;
443
444 mutex_lock(&file_priv->fbs_lock);
445 list_for_each_entry(fbl, &file_priv->fbs, filp_head)
446 if (fb == fbl)
447 found = 1;
448 if (!found) {
449 mutex_unlock(&file_priv->fbs_lock);
450 goto fail_unref;
451 }
452
453 list_del_init(&fb->filp_head);
454 mutex_unlock(&file_priv->fbs_lock);
455
456 /* drop the reference we picked up in framebuffer lookup */
457 drm_framebuffer_put(fb);
458
459 /*
460 * we now own the reference that was stored in the fbs list
461 *
462 * drm_framebuffer_remove may fail with -EINTR on pending signals,
463 * so run this in a separate stack as there's no way to correctly
464 * handle this after the fb is already removed from the lookup table.
465 */
466 if (drm_framebuffer_read_refcount(fb) > 1) {
467 struct drm_mode_rmfb_work arg;
468
469 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
470 INIT_LIST_HEAD(&arg.fbs);
471 list_add_tail(&fb->filp_head, &arg.fbs);
472
473 schedule_work(&arg.work);
474 flush_work(&arg.work);
475 destroy_work_on_stack(&arg.work);
476 } else
477 drm_framebuffer_put(fb);
478
479 return 0;
480
481 fail_unref:
482 drm_framebuffer_put(fb);
483 return -ENOENT;
484 }
485
drm_mode_rmfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)486 int drm_mode_rmfb_ioctl(struct drm_device *dev,
487 void *data, struct drm_file *file_priv)
488 {
489 uint32_t *fb_id = data;
490
491 return drm_mode_rmfb(dev, *fb_id, file_priv);
492 }
493
494 /**
495 * drm_mode_getfb - get FB info
496 * @dev: drm device for the ioctl
497 * @data: data pointer for the ioctl
498 * @file_priv: drm file for the ioctl call
499 *
500 * Lookup the FB given its ID and return info about it.
501 *
502 * Called by the user via ioctl.
503 *
504 * Returns:
505 * Zero on success, negative errno on failure.
506 */
drm_mode_getfb(struct drm_device * dev,void * data,struct drm_file * file_priv)507 int drm_mode_getfb(struct drm_device *dev,
508 void *data, struct drm_file *file_priv)
509 {
510 struct drm_mode_fb_cmd *r = data;
511 struct drm_framebuffer *fb;
512 int ret;
513
514 if (!drm_core_check_feature(dev, DRIVER_MODESET))
515 return -EOPNOTSUPP;
516
517 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
518 if (!fb)
519 return -ENOENT;
520
521 /* Multi-planar framebuffers need getfb2. */
522 if (fb->format->num_planes > 1) {
523 ret = -EINVAL;
524 goto out;
525 }
526
527 if (!fb->funcs->create_handle) {
528 ret = -ENODEV;
529 goto out;
530 }
531
532 r->height = fb->height;
533 r->width = fb->width;
534 r->depth = fb->format->depth;
535 r->bpp = fb->format->cpp[0] * 8;
536 r->pitch = fb->pitches[0];
537
538 /* GET_FB() is an unprivileged ioctl so we must not return a
539 * buffer-handle to non-master processes! For
540 * backwards-compatibility reasons, we cannot make GET_FB() privileged,
541 * so just return an invalid handle for non-masters.
542 */
543 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
544 r->handle = 0;
545 ret = 0;
546 goto out;
547 }
548
549 ret = fb->funcs->create_handle(fb, file_priv, &r->handle);
550
551 out:
552 drm_framebuffer_put(fb);
553 return ret;
554 }
555
556 /**
557 * drm_mode_getfb2_ioctl - get extended FB info
558 * @dev: drm device for the ioctl
559 * @data: data pointer for the ioctl
560 * @file_priv: drm file for the ioctl call
561 *
562 * Lookup the FB given its ID and return info about it.
563 *
564 * Called by the user via ioctl.
565 *
566 * Returns:
567 * Zero on success, negative errno on failure.
568 */
drm_mode_getfb2_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)569 int drm_mode_getfb2_ioctl(struct drm_device *dev,
570 void *data, struct drm_file *file_priv)
571 {
572 struct drm_mode_fb_cmd2 *r = data;
573 struct drm_framebuffer *fb;
574 unsigned int i;
575 int ret = 0;
576
577 if (!drm_core_check_feature(dev, DRIVER_MODESET))
578 return -EINVAL;
579
580 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
581 if (!fb)
582 return -ENOENT;
583
584 /* For multi-plane framebuffers, we require the driver to place the
585 * GEM objects directly in the drm_framebuffer. For single-plane
586 * framebuffers, we can fall back to create_handle.
587 */
588 if (!fb->obj[0] &&
589 (fb->format->num_planes > 1 || !fb->funcs->create_handle)) {
590 ret = -ENODEV;
591 goto out;
592 }
593
594 r->height = fb->height;
595 r->width = fb->width;
596 r->pixel_format = fb->format->format;
597
598 r->flags = 0;
599 if (dev->mode_config.allow_fb_modifiers)
600 r->flags |= DRM_MODE_FB_MODIFIERS;
601
602 for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
603 r->handles[i] = 0;
604 r->pitches[i] = 0;
605 r->offsets[i] = 0;
606 r->modifier[i] = 0;
607 }
608
609 for (i = 0; i < fb->format->num_planes; i++) {
610 r->pitches[i] = fb->pitches[i];
611 r->offsets[i] = fb->offsets[i];
612 if (dev->mode_config.allow_fb_modifiers)
613 r->modifier[i] = fb->modifier;
614 }
615
616 /* GET_FB2() is an unprivileged ioctl so we must not return a
617 * buffer-handle to non master/root processes! To match GET_FB()
618 * just return invalid handles (0) for non masters/root
619 * rather than making GET_FB2() privileged.
620 */
621 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
622 ret = 0;
623 goto out;
624 }
625
626 for (i = 0; i < fb->format->num_planes; i++) {
627 int j;
628
629 /* If we reuse the same object for multiple planes, also
630 * return the same handle.
631 */
632 for (j = 0; j < i; j++) {
633 if (fb->obj[i] == fb->obj[j]) {
634 r->handles[i] = r->handles[j];
635 break;
636 }
637 }
638
639 if (r->handles[i])
640 continue;
641
642 if (fb->obj[i]) {
643 ret = drm_gem_handle_create(file_priv, fb->obj[i],
644 &r->handles[i]);
645 } else {
646 WARN_ON(i > 0);
647 ret = fb->funcs->create_handle(fb, file_priv,
648 &r->handles[i]);
649 }
650
651 if (ret != 0)
652 goto out;
653 }
654
655 out:
656 if (ret != 0) {
657 /* Delete any previously-created handles on failure. */
658 for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
659 int j;
660
661 if (r->handles[i])
662 drm_gem_handle_delete(file_priv, r->handles[i]);
663
664 /* Zero out any handles identical to the one we just
665 * deleted.
666 */
667 for (j = i + 1; j < ARRAY_SIZE(r->handles); j++) {
668 if (r->handles[j] == r->handles[i])
669 r->handles[j] = 0;
670 }
671 }
672 }
673
674 drm_framebuffer_put(fb);
675 return ret;
676 }
677
678 /**
679 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
680 * @dev: drm device for the ioctl
681 * @data: data pointer for the ioctl
682 * @file_priv: drm file for the ioctl call
683 *
684 * Lookup the FB and flush out the damaged area supplied by userspace as a clip
685 * rectangle list. Generic userspace which does frontbuffer rendering must call
686 * this ioctl to flush out the changes on manual-update display outputs, e.g.
687 * usb display-link, mipi manual update panels or edp panel self refresh modes.
688 *
689 * Modesetting drivers which always update the frontbuffer do not need to
690 * implement the corresponding &drm_framebuffer_funcs.dirty callback.
691 *
692 * Called by the user via ioctl.
693 *
694 * Returns:
695 * Zero on success, negative errno on failure.
696 */
drm_mode_dirtyfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)697 int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
698 void *data, struct drm_file *file_priv)
699 {
700 struct drm_clip_rect __user *clips_ptr;
701 struct drm_clip_rect *clips = NULL;
702 struct drm_mode_fb_dirty_cmd *r = data;
703 struct drm_framebuffer *fb;
704 unsigned flags;
705 int num_clips;
706 int ret;
707
708 if (!drm_core_check_feature(dev, DRIVER_MODESET))
709 return -EOPNOTSUPP;
710
711 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
712 if (!fb)
713 return -ENOENT;
714
715 num_clips = r->num_clips;
716 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
717
718 if (!num_clips != !clips_ptr) {
719 ret = -EINVAL;
720 goto out_err1;
721 }
722
723 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags;
724
725 /* If userspace annotates copy, clips must come in pairs */
726 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) {
727 ret = -EINVAL;
728 goto out_err1;
729 }
730
731 if (num_clips && clips_ptr) {
732 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
733 ret = -EINVAL;
734 goto out_err1;
735 }
736 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
737 if (!clips) {
738 ret = -ENOMEM;
739 goto out_err1;
740 }
741
742 ret = copy_from_user(clips, clips_ptr,
743 num_clips * sizeof(*clips));
744 if (ret) {
745 ret = -EFAULT;
746 goto out_err2;
747 }
748 }
749
750 if (fb->funcs->dirty) {
751 ret = fb->funcs->dirty(fb, file_priv, flags, r->color,
752 clips, num_clips);
753 } else {
754 ret = -ENOSYS;
755 }
756
757 out_err2:
758 kfree(clips);
759 out_err1:
760 drm_framebuffer_put(fb);
761
762 return ret;
763 }
764
765 /**
766 * drm_fb_release - remove and free the FBs on this file
767 * @priv: drm file for the ioctl
768 *
769 * Destroy all the FBs associated with @filp.
770 *
771 * Called by the user via ioctl.
772 *
773 * Returns:
774 * Zero on success, negative errno on failure.
775 */
drm_fb_release(struct drm_file * priv)776 void drm_fb_release(struct drm_file *priv)
777 {
778 struct drm_framebuffer *fb, *tfb;
779 struct drm_mode_rmfb_work arg;
780
781 INIT_LIST_HEAD(&arg.fbs);
782
783 /*
784 * When the file gets released that means no one else can access the fb
785 * list any more, so no need to grab fpriv->fbs_lock. And we need to
786 * avoid upsetting lockdep since the universal cursor code adds a
787 * framebuffer while holding mutex locks.
788 *
789 * Note that a real deadlock between fpriv->fbs_lock and the modeset
790 * locks is impossible here since no one else but this function can get
791 * at it any more.
792 */
793 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
794 if (drm_framebuffer_read_refcount(fb) > 1) {
795 list_move_tail(&fb->filp_head, &arg.fbs);
796 } else {
797 list_del_init(&fb->filp_head);
798
799 /* This drops the fpriv->fbs reference. */
800 drm_framebuffer_put(fb);
801 }
802 }
803
804 if (!list_empty(&arg.fbs)) {
805 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
806
807 schedule_work(&arg.work);
808 flush_work(&arg.work);
809 destroy_work_on_stack(&arg.work);
810 }
811 }
812
drm_framebuffer_free(struct kref * kref)813 void drm_framebuffer_free(struct kref *kref)
814 {
815 struct drm_framebuffer *fb =
816 container_of(kref, struct drm_framebuffer, base.refcount);
817 struct drm_device *dev = fb->dev;
818
819 /*
820 * The lookup idr holds a weak reference, which has not necessarily been
821 * removed at this point. Check for that.
822 */
823 drm_mode_object_unregister(dev, &fb->base);
824
825 fb->funcs->destroy(fb);
826 }
827
828 /**
829 * drm_framebuffer_init - initialize a framebuffer
830 * @dev: DRM device
831 * @fb: framebuffer to be initialized
832 * @funcs: ... with these functions
833 *
834 * Allocates an ID for the framebuffer's parent mode object, sets its mode
835 * functions & device file and adds it to the master fd list.
836 *
837 * IMPORTANT:
838 * This functions publishes the fb and makes it available for concurrent access
839 * by other users. Which means by this point the fb _must_ be fully set up -
840 * since all the fb attributes are invariant over its lifetime, no further
841 * locking but only correct reference counting is required.
842 *
843 * Returns:
844 * Zero on success, error code on failure.
845 */
drm_framebuffer_init(struct drm_device * dev,struct drm_framebuffer * fb,const struct drm_framebuffer_funcs * funcs)846 int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
847 const struct drm_framebuffer_funcs *funcs)
848 {
849 int ret;
850
851 if (WARN_ON_ONCE(fb->dev != dev || !fb->format))
852 return -EINVAL;
853
854 INIT_LIST_HEAD(&fb->filp_head);
855
856 fb->funcs = funcs;
857 strcpy(fb->comm, current->comm);
858
859 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB,
860 false, drm_framebuffer_free);
861 if (ret)
862 goto out;
863
864 mutex_lock(&dev->mode_config.fb_lock);
865 dev->mode_config.num_fb++;
866 list_add(&fb->head, &dev->mode_config.fb_list);
867 mutex_unlock(&dev->mode_config.fb_lock);
868
869 drm_mode_object_register(dev, &fb->base);
870 out:
871 return ret;
872 }
873 EXPORT_SYMBOL(drm_framebuffer_init);
874
875 /**
876 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
877 * @dev: drm device
878 * @file_priv: drm file to check for lease against.
879 * @id: id of the fb object
880 *
881 * If successful, this grabs an additional reference to the framebuffer -
882 * callers need to make sure to eventually unreference the returned framebuffer
883 * again, using drm_framebuffer_put().
884 */
drm_framebuffer_lookup(struct drm_device * dev,struct drm_file * file_priv,uint32_t id)885 struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
886 struct drm_file *file_priv,
887 uint32_t id)
888 {
889 struct drm_mode_object *obj;
890 struct drm_framebuffer *fb = NULL;
891
892 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB);
893 if (obj)
894 fb = obj_to_fb(obj);
895 return fb;
896 }
897 EXPORT_SYMBOL(drm_framebuffer_lookup);
898
899 /**
900 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
901 * @fb: fb to unregister
902 *
903 * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
904 * those used for fbdev. Note that the caller must hold a reference of its own,
905 * i.e. the object may not be destroyed through this call (since it'll lead to a
906 * locking inversion).
907 *
908 * NOTE: This function is deprecated. For driver-private framebuffers it is not
909 * recommended to embed a framebuffer struct info fbdev struct, instead, a
910 * framebuffer pointer is preferred and drm_framebuffer_put() should be called
911 * when the framebuffer is to be cleaned up.
912 */
drm_framebuffer_unregister_private(struct drm_framebuffer * fb)913 void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
914 {
915 struct drm_device *dev;
916
917 if (!fb)
918 return;
919
920 dev = fb->dev;
921
922 /* Mark fb as reaped and drop idr ref. */
923 drm_mode_object_unregister(dev, &fb->base);
924 }
925 EXPORT_SYMBOL(drm_framebuffer_unregister_private);
926
927 /**
928 * drm_framebuffer_cleanup - remove a framebuffer object
929 * @fb: framebuffer to remove
930 *
931 * Cleanup framebuffer. This function is intended to be used from the drivers
932 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up
933 * driver private framebuffers embedded into a larger structure.
934 *
935 * Note that this function does not remove the fb from active usage - if it is
936 * still used anywhere, hilarity can ensue since userspace could call getfb on
937 * the id and get back -EINVAL. Obviously no concern at driver unload time.
938 *
939 * Also, the framebuffer will not be removed from the lookup idr - for
940 * user-created framebuffers this will happen in in the rmfb ioctl. For
941 * driver-private objects (e.g. for fbdev) drivers need to explicitly call
942 * drm_framebuffer_unregister_private.
943 */
drm_framebuffer_cleanup(struct drm_framebuffer * fb)944 void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
945 {
946 struct drm_device *dev = fb->dev;
947
948 mutex_lock(&dev->mode_config.fb_lock);
949 list_del(&fb->head);
950 dev->mode_config.num_fb--;
951 mutex_unlock(&dev->mode_config.fb_lock);
952 }
953 EXPORT_SYMBOL(drm_framebuffer_cleanup);
954
atomic_remove_fb(struct drm_framebuffer * fb)955 static int atomic_remove_fb(struct drm_framebuffer *fb)
956 {
957 struct drm_modeset_acquire_ctx ctx;
958 struct drm_device *dev = fb->dev;
959 struct drm_atomic_state *state;
960 struct drm_plane *plane;
961 struct drm_connector *conn __maybe_unused;
962 struct drm_connector_state *conn_state;
963 int i, ret;
964 unsigned plane_mask;
965 bool disable_crtcs = false;
966 bool allow = false;
967
968 retry_disable:
969 drm_modeset_acquire_init(&ctx, 0);
970
971 state = drm_atomic_state_alloc(dev);
972 if (!state) {
973 ret = -ENOMEM;
974 goto out;
975 }
976 state->acquire_ctx = &ctx;
977
978 retry:
979 plane_mask = 0;
980 ret = drm_modeset_lock_all_ctx(dev, &ctx);
981 if (ret)
982 goto unlock;
983
984 drm_for_each_plane(plane, dev) {
985 struct drm_plane_state *plane_state;
986
987 if (plane->state->fb != fb)
988 continue;
989
990 drm_dbg_kms(dev,
991 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
992 plane->base.id, plane->name, fb->base.id);
993
994 plane_state = drm_atomic_get_plane_state(state, plane);
995 if (IS_ERR(plane_state)) {
996 ret = PTR_ERR(plane_state);
997 goto unlock;
998 }
999
1000 if (disable_crtcs && plane_state->crtc->primary == plane) {
1001 struct drm_crtc_state *crtc_state;
1002
1003 drm_dbg_kms(dev,
1004 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
1005 plane_state->crtc->base.id,
1006 plane_state->crtc->name, fb->base.id);
1007
1008 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc);
1009
1010 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc);
1011 if (ret)
1012 goto unlock;
1013
1014 crtc_state->active = false;
1015 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL);
1016 if (ret)
1017 goto unlock;
1018 }
1019
1020 drm_atomic_set_fb_for_plane(plane_state, NULL);
1021 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL);
1022 if (ret)
1023 goto unlock;
1024
1025 plane_mask |= drm_plane_mask(plane);
1026 }
1027
1028 /* This list is only filled when disable_crtcs is set. */
1029 for_each_new_connector_in_state(state, conn, conn_state, i) {
1030 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL);
1031
1032 if (ret)
1033 goto unlock;
1034 }
1035
1036 trace_android_vh_atomic_remove_fb(fb, &allow);
1037 if (allow)
1038 goto unlock;
1039
1040 if (plane_mask)
1041 ret = drm_atomic_commit(state);
1042
1043 unlock:
1044 if (ret == -EDEADLK) {
1045 drm_atomic_state_clear(state);
1046 drm_modeset_backoff(&ctx);
1047 goto retry;
1048 }
1049
1050 drm_atomic_state_put(state);
1051
1052 out:
1053 drm_modeset_drop_locks(&ctx);
1054 drm_modeset_acquire_fini(&ctx);
1055
1056 if (ret == -EINVAL && !disable_crtcs) {
1057 disable_crtcs = true;
1058 goto retry_disable;
1059 }
1060
1061 return ret;
1062 }
1063
legacy_remove_fb(struct drm_framebuffer * fb)1064 static void legacy_remove_fb(struct drm_framebuffer *fb)
1065 {
1066 struct drm_device *dev = fb->dev;
1067 struct drm_crtc *crtc;
1068 struct drm_plane *plane;
1069
1070 drm_modeset_lock_all(dev);
1071 /* remove from any CRTC */
1072 drm_for_each_crtc(crtc, dev) {
1073 if (crtc->primary->fb == fb) {
1074 drm_dbg_kms(dev,
1075 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
1076 crtc->base.id, crtc->name, fb->base.id);
1077
1078 /* should turn off the crtc */
1079 if (drm_crtc_force_disable(crtc))
1080 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
1081 }
1082 }
1083
1084 drm_for_each_plane(plane, dev) {
1085 if (plane->fb == fb) {
1086 drm_dbg_kms(dev,
1087 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
1088 plane->base.id, plane->name, fb->base.id);
1089 drm_plane_force_disable(plane);
1090 }
1091 }
1092 drm_modeset_unlock_all(dev);
1093 }
1094
1095 /**
1096 * drm_framebuffer_remove - remove and unreference a framebuffer object
1097 * @fb: framebuffer to remove
1098 *
1099 * Scans all the CRTCs and planes in @dev's mode_config. If they're
1100 * using @fb, removes it, setting it to NULL. Then drops the reference to the
1101 * passed-in framebuffer. Might take the modeset locks.
1102 *
1103 * Note that this function optimizes the cleanup away if the caller holds the
1104 * last reference to the framebuffer. It is also guaranteed to not take the
1105 * modeset locks in this case.
1106 */
drm_framebuffer_remove(struct drm_framebuffer * fb)1107 void drm_framebuffer_remove(struct drm_framebuffer *fb)
1108 {
1109 struct drm_device *dev;
1110
1111 if (!fb)
1112 return;
1113
1114 dev = fb->dev;
1115
1116 WARN_ON(!list_empty(&fb->filp_head));
1117
1118 /*
1119 * drm ABI mandates that we remove any deleted framebuffers from active
1120 * usage. But since most sane clients only remove framebuffers they no
1121 * longer need, try to optimize this away.
1122 *
1123 * Since we're holding a reference ourselves, observing a refcount of 1
1124 * means that we're the last holder and can skip it. Also, the refcount
1125 * can never increase from 1 again, so we don't need any barriers or
1126 * locks.
1127 *
1128 * Note that userspace could try to race with use and instate a new
1129 * usage _after_ we've cleared all current ones. End result will be an
1130 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot
1131 * in this manner.
1132 */
1133 if (drm_framebuffer_read_refcount(fb) > 1) {
1134 if (drm_drv_uses_atomic_modeset(dev)) {
1135 int ret = atomic_remove_fb(fb);
1136
1137 WARN(ret, "atomic remove_fb failed with %i\n", ret);
1138 } else
1139 legacy_remove_fb(fb);
1140 }
1141
1142 drm_framebuffer_put(fb);
1143 }
1144 EXPORT_SYMBOL(drm_framebuffer_remove);
1145
1146 /**
1147 * drm_framebuffer_plane_width - width of the plane given the first plane
1148 * @width: width of the first plane
1149 * @fb: the framebuffer
1150 * @plane: plane index
1151 *
1152 * Returns:
1153 * The width of @plane, given that the width of the first plane is @width.
1154 */
drm_framebuffer_plane_width(int width,const struct drm_framebuffer * fb,int plane)1155 int drm_framebuffer_plane_width(int width,
1156 const struct drm_framebuffer *fb, int plane)
1157 {
1158 if (plane >= fb->format->num_planes)
1159 return 0;
1160
1161 return fb_plane_width(width, fb->format, plane);
1162 }
1163 EXPORT_SYMBOL(drm_framebuffer_plane_width);
1164
1165 /**
1166 * drm_framebuffer_plane_height - height of the plane given the first plane
1167 * @height: height of the first plane
1168 * @fb: the framebuffer
1169 * @plane: plane index
1170 *
1171 * Returns:
1172 * The height of @plane, given that the height of the first plane is @height.
1173 */
drm_framebuffer_plane_height(int height,const struct drm_framebuffer * fb,int plane)1174 int drm_framebuffer_plane_height(int height,
1175 const struct drm_framebuffer *fb, int plane)
1176 {
1177 if (plane >= fb->format->num_planes)
1178 return 0;
1179
1180 return fb_plane_height(height, fb->format, plane);
1181 }
1182 EXPORT_SYMBOL(drm_framebuffer_plane_height);
1183
drm_framebuffer_print_info(struct drm_printer * p,unsigned int indent,const struct drm_framebuffer * fb)1184 void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent,
1185 const struct drm_framebuffer *fb)
1186 {
1187 unsigned int i;
1188
1189 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm);
1190 drm_printf_indent(p, indent, "refcount=%u\n",
1191 drm_framebuffer_read_refcount(fb));
1192 drm_printf_indent(p, indent, "format=%p4cc\n", &fb->format->format);
1193 drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier);
1194 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height);
1195 drm_printf_indent(p, indent, "layers:\n");
1196
1197 for (i = 0; i < fb->format->num_planes; i++) {
1198 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i,
1199 drm_framebuffer_plane_width(fb->width, fb, i),
1200 drm_framebuffer_plane_height(fb->height, fb, i));
1201 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]);
1202 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]);
1203 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i,
1204 fb->obj[i] ? "" : "(null)");
1205 if (fb->obj[i])
1206 drm_gem_print_info(p, indent + 2, fb->obj[i]);
1207 }
1208 }
1209
1210 #ifdef CONFIG_DEBUG_FS
drm_framebuffer_info(struct seq_file * m,void * data)1211 static int drm_framebuffer_info(struct seq_file *m, void *data)
1212 {
1213 struct drm_info_node *node = m->private;
1214 struct drm_device *dev = node->minor->dev;
1215 struct drm_printer p = drm_seq_file_printer(m);
1216 struct drm_framebuffer *fb;
1217
1218 mutex_lock(&dev->mode_config.fb_lock);
1219 drm_for_each_fb(fb, dev) {
1220 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id);
1221 drm_framebuffer_print_info(&p, 1, fb);
1222 }
1223 mutex_unlock(&dev->mode_config.fb_lock);
1224
1225 return 0;
1226 }
1227
1228 static const struct drm_info_list drm_framebuffer_debugfs_list[] = {
1229 { "framebuffer", drm_framebuffer_info, 0 },
1230 };
1231
drm_framebuffer_debugfs_init(struct drm_minor * minor)1232 void drm_framebuffer_debugfs_init(struct drm_minor *minor)
1233 {
1234 drm_debugfs_create_files(drm_framebuffer_debugfs_list,
1235 ARRAY_SIZE(drm_framebuffer_debugfs_list),
1236 minor->debugfs_root, minor);
1237 }
1238 #endif
1239