1 /*
2 * Copyright (c) 2016 Intel Corporation
3 *
4 * Permission to use, copy, modify, distribute, and sell this software and its
5 * documentation for any purpose is hereby granted without fee, provided that
6 * the above copyright notice appear in all copies and that both that copyright
7 * notice and this permission notice appear in supporting documentation, and
8 * that the name of the copyright holders not be used in advertising or
9 * publicity pertaining to distribution of the software without specific,
10 * written prior permission. The copyright holders make no representations
11 * about the suitability of this software for any purpose. It is provided "as
12 * is" without express or implied warranty.
13 *
14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20 * OF THIS SOFTWARE.
21 */
22
23 #include <linux/export.h>
24 #include <linux/uaccess.h>
25
26 #include <drm/drm_atomic.h>
27 #include <drm/drm_atomic_uapi.h>
28 #include <drm/drm_auth.h>
29 #include <drm/drm_debugfs.h>
30 #include <drm/drm_drv.h>
31 #include <drm/drm_file.h>
32 #include <drm/drm_fourcc.h>
33 #include <drm/drm_framebuffer.h>
34 #include <drm/drm_gem.h>
35 #include <drm/drm_print.h>
36 #include <drm/drm_util.h>
37
38 #include "drm_crtc_internal.h"
39 #include "drm_internal.h"
40
41 #include <linux/android_kabi.h>
42 ANDROID_KABI_DECLONLY(dma_buf);
43 ANDROID_KABI_DECLONLY(dma_buf_attachment);
44 ANDROID_KABI_DECLONLY(iosys_map);
45
46 /**
47 * DOC: overview
48 *
49 * Frame buffers are abstract memory objects that provide a source of pixels to
50 * scanout to a CRTC. Applications explicitly request the creation of frame
51 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
52 * handle that can be passed to the KMS CRTC control, plane configuration and
53 * page flip functions.
54 *
55 * Frame buffers rely on the underlying memory manager for allocating backing
56 * storage. When creating a frame buffer applications pass a memory handle
57 * (or a list of memory handles for multi-planar formats) through the
58 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
59 * buffer management interface this would be a GEM handle. Drivers are however
60 * free to use their own backing storage object handles, e.g. vmwgfx directly
61 * exposes special TTM handles to userspace and so expects TTM handles in the
62 * create ioctl and not GEM handles.
63 *
64 * Framebuffers are tracked with &struct drm_framebuffer. They are published
65 * using drm_framebuffer_init() - after calling that function userspace can use
66 * and access the framebuffer object. The helper function
67 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
68 * metadata fields.
69 *
70 * The lifetime of a drm framebuffer is controlled with a reference count,
71 * drivers can grab additional references with drm_framebuffer_get() and drop
72 * them again with drm_framebuffer_put(). For driver-private framebuffers for
73 * which the last reference is never dropped (e.g. for the fbdev framebuffer
74 * when the struct &struct drm_framebuffer is embedded into the fbdev helper
75 * struct) drivers can manually clean up a framebuffer at module unload time
76 * with drm_framebuffer_unregister_private(). But doing this is not
77 * recommended, and it's better to have a normal free-standing &struct
78 * drm_framebuffer.
79 */
80
drm_framebuffer_check_src_coords(uint32_t src_x,uint32_t src_y,uint32_t src_w,uint32_t src_h,const struct drm_framebuffer * fb)81 int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
82 uint32_t src_w, uint32_t src_h,
83 const struct drm_framebuffer *fb)
84 {
85 unsigned int fb_width, fb_height;
86
87 fb_width = fb->width << 16;
88 fb_height = fb->height << 16;
89
90 /* Make sure source coordinates are inside the fb. */
91 if (src_w > fb_width ||
92 src_x > fb_width - src_w ||
93 src_h > fb_height ||
94 src_y > fb_height - src_h) {
95 drm_dbg_kms(fb->dev, "Invalid source coordinates "
96 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n",
97 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
98 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
99 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
100 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10,
101 fb->width, fb->height);
102 return -ENOSPC;
103 }
104
105 return 0;
106 }
107
108 /**
109 * drm_mode_addfb - add an FB to the graphics configuration
110 * @dev: drm device for the ioctl
111 * @or: pointer to request structure
112 * @file_priv: drm file
113 *
114 * Add a new FB to the specified CRTC, given a user request. This is the
115 * original addfb ioctl which only supported RGB formats.
116 *
117 * Called by the user via ioctl, or by an in-kernel client.
118 *
119 * Returns:
120 * Zero on success, negative errno on failure.
121 */
drm_mode_addfb(struct drm_device * dev,struct drm_mode_fb_cmd * or,struct drm_file * file_priv)122 int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or,
123 struct drm_file *file_priv)
124 {
125 struct drm_mode_fb_cmd2 r = {};
126 int ret;
127
128 if (!drm_core_check_feature(dev, DRIVER_MODESET))
129 return -EOPNOTSUPP;
130
131 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth);
132 if (r.pixel_format == DRM_FORMAT_INVALID) {
133 drm_dbg_kms(dev, "bad {bpp:%d, depth:%d}\n", or->bpp, or->depth);
134 return -EINVAL;
135 }
136
137 /* convert to new format and call new ioctl */
138 r.fb_id = or->fb_id;
139 r.width = or->width;
140 r.height = or->height;
141 r.pitches[0] = or->pitch;
142 r.handles[0] = or->handle;
143
144 ret = drm_mode_addfb2(dev, &r, file_priv);
145 if (ret)
146 return ret;
147
148 or->fb_id = r.fb_id;
149
150 return 0;
151 }
152
drm_mode_addfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)153 int drm_mode_addfb_ioctl(struct drm_device *dev,
154 void *data, struct drm_file *file_priv)
155 {
156 return drm_mode_addfb(dev, data, file_priv);
157 }
158
framebuffer_check(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r)159 static int framebuffer_check(struct drm_device *dev,
160 const struct drm_mode_fb_cmd2 *r)
161 {
162 const struct drm_format_info *info;
163 int i;
164
165 /* check if the format is supported at all */
166 if (!__drm_format_info(r->pixel_format)) {
167 drm_dbg_kms(dev, "bad framebuffer format %p4cc\n",
168 &r->pixel_format);
169 return -EINVAL;
170 }
171
172 if (r->width == 0) {
173 drm_dbg_kms(dev, "bad framebuffer width %u\n", r->width);
174 return -EINVAL;
175 }
176
177 if (r->height == 0) {
178 drm_dbg_kms(dev, "bad framebuffer height %u\n", r->height);
179 return -EINVAL;
180 }
181
182 /* now let the driver pick its own format info */
183 info = drm_get_format_info(dev, r);
184
185 for (i = 0; i < info->num_planes; i++) {
186 unsigned int width = drm_format_info_plane_width(info, r->width, i);
187 unsigned int height = drm_format_info_plane_height(info, r->height, i);
188 unsigned int block_size = info->char_per_block[i];
189 u64 min_pitch = drm_format_info_min_pitch(info, i, width);
190
191 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) {
192 drm_dbg_kms(dev, "Format requires non-linear modifier for plane %d\n", i);
193 return -EINVAL;
194 }
195
196 if (!r->handles[i]) {
197 drm_dbg_kms(dev, "no buffer object handle for plane %d\n", i);
198 return -EINVAL;
199 }
200
201 if (min_pitch > UINT_MAX)
202 return -ERANGE;
203
204 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
205 return -ERANGE;
206
207 if (block_size && r->pitches[i] < min_pitch) {
208 drm_dbg_kms(dev, "bad pitch %u for plane %d\n", r->pitches[i], i);
209 return -EINVAL;
210 }
211
212 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
213 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n",
214 r->modifier[i], i);
215 return -EINVAL;
216 }
217
218 if (r->flags & DRM_MODE_FB_MODIFIERS &&
219 r->modifier[i] != r->modifier[0]) {
220 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n",
221 r->modifier[i], i);
222 return -EINVAL;
223 }
224
225 /* modifier specific checks: */
226 switch (r->modifier[i]) {
227 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE:
228 /* NOTE: the pitch restriction may be lifted later if it turns
229 * out that no hw has this restriction:
230 */
231 if (r->pixel_format != DRM_FORMAT_NV12 ||
232 width % 128 || height % 32 ||
233 r->pitches[i] % 128) {
234 drm_dbg_kms(dev, "bad modifier data for plane %d\n", i);
235 return -EINVAL;
236 }
237 break;
238
239 default:
240 break;
241 }
242 }
243
244 for (i = info->num_planes; i < 4; i++) {
245 if (r->modifier[i]) {
246 drm_dbg_kms(dev, "non-zero modifier for unused plane %d\n", i);
247 return -EINVAL;
248 }
249
250 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
251 if (!(r->flags & DRM_MODE_FB_MODIFIERS))
252 continue;
253
254 if (r->handles[i]) {
255 drm_dbg_kms(dev, "buffer object handle for unused plane %d\n", i);
256 return -EINVAL;
257 }
258
259 if (r->pitches[i]) {
260 drm_dbg_kms(dev, "non-zero pitch for unused plane %d\n", i);
261 return -EINVAL;
262 }
263
264 if (r->offsets[i]) {
265 drm_dbg_kms(dev, "non-zero offset for unused plane %d\n", i);
266 return -EINVAL;
267 }
268 }
269
270 return 0;
271 }
272
273 struct drm_framebuffer *
drm_internal_framebuffer_create(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r,struct drm_file * file_priv)274 drm_internal_framebuffer_create(struct drm_device *dev,
275 const struct drm_mode_fb_cmd2 *r,
276 struct drm_file *file_priv)
277 {
278 struct drm_mode_config *config = &dev->mode_config;
279 struct drm_framebuffer *fb;
280 int ret;
281
282 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) {
283 drm_dbg_kms(dev, "bad framebuffer flags 0x%08x\n", r->flags);
284 return ERR_PTR(-EINVAL);
285 }
286
287 if ((config->min_width > r->width) || (r->width > config->max_width)) {
288 drm_dbg_kms(dev, "bad framebuffer width %d, should be >= %d && <= %d\n",
289 r->width, config->min_width, config->max_width);
290 return ERR_PTR(-EINVAL);
291 }
292 if ((config->min_height > r->height) || (r->height > config->max_height)) {
293 drm_dbg_kms(dev, "bad framebuffer height %d, should be >= %d && <= %d\n",
294 r->height, config->min_height, config->max_height);
295 return ERR_PTR(-EINVAL);
296 }
297
298 if (r->flags & DRM_MODE_FB_MODIFIERS &&
299 dev->mode_config.fb_modifiers_not_supported) {
300 drm_dbg_kms(dev, "driver does not support fb modifiers\n");
301 return ERR_PTR(-EINVAL);
302 }
303
304 ret = framebuffer_check(dev, r);
305 if (ret)
306 return ERR_PTR(ret);
307
308 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r);
309 if (IS_ERR(fb)) {
310 drm_dbg_kms(dev, "could not create framebuffer\n");
311 return fb;
312 }
313
314 return fb;
315 }
316 EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create);
317
318 /**
319 * drm_mode_addfb2 - add an FB to the graphics configuration
320 * @dev: drm device for the ioctl
321 * @data: data pointer for the ioctl
322 * @file_priv: drm file for the ioctl call
323 *
324 * Add a new FB to the specified CRTC, given a user request with format. This is
325 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers
326 * and uses fourcc codes as pixel format specifiers.
327 *
328 * Called by the user via ioctl.
329 *
330 * Returns:
331 * Zero on success, negative errno on failure.
332 */
drm_mode_addfb2(struct drm_device * dev,void * data,struct drm_file * file_priv)333 int drm_mode_addfb2(struct drm_device *dev,
334 void *data, struct drm_file *file_priv)
335 {
336 struct drm_mode_fb_cmd2 *r = data;
337 struct drm_framebuffer *fb;
338
339 if (!drm_core_check_feature(dev, DRIVER_MODESET))
340 return -EOPNOTSUPP;
341
342 fb = drm_internal_framebuffer_create(dev, r, file_priv);
343 if (IS_ERR(fb))
344 return PTR_ERR(fb);
345
346 drm_dbg_kms(dev, "[FB:%d]\n", fb->base.id);
347 r->fb_id = fb->base.id;
348
349 /* Transfer ownership to the filp for reaping on close */
350 mutex_lock(&file_priv->fbs_lock);
351 list_add(&fb->filp_head, &file_priv->fbs);
352 mutex_unlock(&file_priv->fbs_lock);
353
354 return 0;
355 }
356
drm_mode_addfb2_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)357 int drm_mode_addfb2_ioctl(struct drm_device *dev,
358 void *data, struct drm_file *file_priv)
359 {
360 #ifdef __BIG_ENDIAN
361 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) {
362 /*
363 * Drivers must set the
364 * quirk_addfb_prefer_host_byte_order quirk to make
365 * the drm_mode_addfb() compat code work correctly on
366 * bigendian machines.
367 *
368 * If they don't they interpret pixel_format values
369 * incorrectly for bug compatibility, which in turn
370 * implies the ADDFB2 ioctl does not work correctly
371 * then. So block it to make userspace fallback to
372 * ADDFB.
373 */
374 drm_dbg_kms(dev, "addfb2 broken on bigendian");
375 return -EOPNOTSUPP;
376 }
377 #endif
378 return drm_mode_addfb2(dev, data, file_priv);
379 }
380
381 struct drm_mode_rmfb_work {
382 struct work_struct work;
383 struct list_head fbs;
384 };
385
drm_mode_rmfb_work_fn(struct work_struct * w)386 static void drm_mode_rmfb_work_fn(struct work_struct *w)
387 {
388 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
389
390 while (!list_empty(&arg->fbs)) {
391 struct drm_framebuffer *fb =
392 list_first_entry(&arg->fbs, typeof(*fb), filp_head);
393
394 drm_dbg_kms(fb->dev,
395 "Removing [FB:%d] from all active usage due to RMFB ioctl\n",
396 fb->base.id);
397 list_del_init(&fb->filp_head);
398 drm_framebuffer_remove(fb);
399 }
400 }
401
drm_mode_closefb(struct drm_framebuffer * fb,struct drm_file * file_priv)402 static int drm_mode_closefb(struct drm_framebuffer *fb,
403 struct drm_file *file_priv)
404 {
405 struct drm_framebuffer *fbl;
406 bool found = false;
407
408 mutex_lock(&file_priv->fbs_lock);
409 list_for_each_entry(fbl, &file_priv->fbs, filp_head)
410 if (fb == fbl)
411 found = true;
412
413 if (!found) {
414 mutex_unlock(&file_priv->fbs_lock);
415 return -ENOENT;
416 }
417
418 list_del_init(&fb->filp_head);
419 mutex_unlock(&file_priv->fbs_lock);
420
421 /* Drop the reference that was stored in the fbs list */
422 drm_framebuffer_put(fb);
423
424 return 0;
425 }
426
427 /**
428 * drm_mode_rmfb - remove an FB from the configuration
429 * @dev: drm device
430 * @fb_id: id of framebuffer to remove
431 * @file_priv: drm file
432 *
433 * Remove the specified FB.
434 *
435 * Called by the user via ioctl, or by an in-kernel client.
436 *
437 * Returns:
438 * Zero on success, negative errno on failure.
439 */
drm_mode_rmfb(struct drm_device * dev,u32 fb_id,struct drm_file * file_priv)440 int drm_mode_rmfb(struct drm_device *dev, u32 fb_id,
441 struct drm_file *file_priv)
442 {
443 struct drm_framebuffer *fb;
444 int ret;
445
446 if (!drm_core_check_feature(dev, DRIVER_MODESET))
447 return -EOPNOTSUPP;
448
449 fb = drm_framebuffer_lookup(dev, file_priv, fb_id);
450 if (!fb)
451 return -ENOENT;
452
453 ret = drm_mode_closefb(fb, file_priv);
454 if (ret != 0) {
455 drm_framebuffer_put(fb);
456 return ret;
457 }
458
459 /*
460 * drm_framebuffer_remove may fail with -EINTR on pending signals,
461 * so run this in a separate stack as there's no way to correctly
462 * handle this after the fb is already removed from the lookup table.
463 */
464 if (drm_framebuffer_read_refcount(fb) > 1) {
465 struct drm_mode_rmfb_work arg;
466
467 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
468 INIT_LIST_HEAD(&arg.fbs);
469 drm_WARN_ON(dev, !list_empty(&fb->filp_head));
470 list_add_tail(&fb->filp_head, &arg.fbs);
471
472 schedule_work(&arg.work);
473 flush_work(&arg.work);
474 destroy_work_on_stack(&arg.work);
475 } else
476 drm_framebuffer_put(fb);
477
478 return 0;
479 }
480
drm_mode_rmfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)481 int drm_mode_rmfb_ioctl(struct drm_device *dev,
482 void *data, struct drm_file *file_priv)
483 {
484 uint32_t *fb_id = data;
485
486 return drm_mode_rmfb(dev, *fb_id, file_priv);
487 }
488
drm_mode_closefb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)489 int drm_mode_closefb_ioctl(struct drm_device *dev,
490 void *data, struct drm_file *file_priv)
491 {
492 struct drm_mode_closefb *r = data;
493 struct drm_framebuffer *fb;
494 int ret;
495
496 if (!drm_core_check_feature(dev, DRIVER_MODESET))
497 return -EOPNOTSUPP;
498
499 if (r->pad)
500 return -EINVAL;
501
502 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
503 if (!fb)
504 return -ENOENT;
505
506 ret = drm_mode_closefb(fb, file_priv);
507 drm_framebuffer_put(fb);
508 return ret;
509 }
510
511 /**
512 * drm_mode_getfb - get FB info
513 * @dev: drm device for the ioctl
514 * @data: data pointer for the ioctl
515 * @file_priv: drm file for the ioctl call
516 *
517 * Lookup the FB given its ID and return info about it.
518 *
519 * Called by the user via ioctl.
520 *
521 * Returns:
522 * Zero on success, negative errno on failure.
523 */
drm_mode_getfb(struct drm_device * dev,void * data,struct drm_file * file_priv)524 int drm_mode_getfb(struct drm_device *dev,
525 void *data, struct drm_file *file_priv)
526 {
527 struct drm_mode_fb_cmd *r = data;
528 struct drm_framebuffer *fb;
529 int ret;
530
531 if (!drm_core_check_feature(dev, DRIVER_MODESET))
532 return -EOPNOTSUPP;
533
534 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
535 if (!fb)
536 return -ENOENT;
537
538 /* Multi-planar framebuffers need getfb2. */
539 if (fb->format->num_planes > 1) {
540 ret = -EINVAL;
541 goto out;
542 }
543
544 if (!fb->funcs->create_handle) {
545 ret = -ENODEV;
546 goto out;
547 }
548
549 r->height = fb->height;
550 r->width = fb->width;
551 r->depth = fb->format->depth;
552 r->bpp = drm_format_info_bpp(fb->format, 0);
553 r->pitch = fb->pitches[0];
554
555 /* GET_FB() is an unprivileged ioctl so we must not return a
556 * buffer-handle to non-master processes! For
557 * backwards-compatibility reasons, we cannot make GET_FB() privileged,
558 * so just return an invalid handle for non-masters.
559 */
560 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
561 r->handle = 0;
562 ret = 0;
563 goto out;
564 }
565
566 ret = fb->funcs->create_handle(fb, file_priv, &r->handle);
567
568 out:
569 drm_framebuffer_put(fb);
570 return ret;
571 }
572
573 /**
574 * drm_mode_getfb2_ioctl - get extended FB info
575 * @dev: drm device for the ioctl
576 * @data: data pointer for the ioctl
577 * @file_priv: drm file for the ioctl call
578 *
579 * Lookup the FB given its ID and return info about it.
580 *
581 * Called by the user via ioctl.
582 *
583 * Returns:
584 * Zero on success, negative errno on failure.
585 */
drm_mode_getfb2_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)586 int drm_mode_getfb2_ioctl(struct drm_device *dev,
587 void *data, struct drm_file *file_priv)
588 {
589 struct drm_mode_fb_cmd2 *r = data;
590 struct drm_framebuffer *fb;
591 unsigned int i;
592 int ret = 0;
593
594 if (!drm_core_check_feature(dev, DRIVER_MODESET))
595 return -EINVAL;
596
597 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
598 if (!fb)
599 return -ENOENT;
600
601 /* For multi-plane framebuffers, we require the driver to place the
602 * GEM objects directly in the drm_framebuffer. For single-plane
603 * framebuffers, we can fall back to create_handle.
604 */
605 if (!fb->obj[0] &&
606 (fb->format->num_planes > 1 || !fb->funcs->create_handle)) {
607 ret = -ENODEV;
608 goto out;
609 }
610
611 r->height = fb->height;
612 r->width = fb->width;
613 r->pixel_format = fb->format->format;
614
615 r->flags = 0;
616 if (!dev->mode_config.fb_modifiers_not_supported)
617 r->flags |= DRM_MODE_FB_MODIFIERS;
618
619 for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
620 r->handles[i] = 0;
621 r->pitches[i] = 0;
622 r->offsets[i] = 0;
623 r->modifier[i] = 0;
624 }
625
626 for (i = 0; i < fb->format->num_planes; i++) {
627 r->pitches[i] = fb->pitches[i];
628 r->offsets[i] = fb->offsets[i];
629 if (!dev->mode_config.fb_modifiers_not_supported)
630 r->modifier[i] = fb->modifier;
631 }
632
633 /* GET_FB2() is an unprivileged ioctl so we must not return a
634 * buffer-handle to non master/root processes! To match GET_FB()
635 * just return invalid handles (0) for non masters/root
636 * rather than making GET_FB2() privileged.
637 */
638 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
639 ret = 0;
640 goto out;
641 }
642
643 for (i = 0; i < fb->format->num_planes; i++) {
644 int j;
645
646 /* If we reuse the same object for multiple planes, also
647 * return the same handle.
648 */
649 for (j = 0; j < i; j++) {
650 if (fb->obj[i] == fb->obj[j]) {
651 r->handles[i] = r->handles[j];
652 break;
653 }
654 }
655
656 if (r->handles[i])
657 continue;
658
659 if (fb->obj[i]) {
660 ret = drm_gem_handle_create(file_priv, fb->obj[i],
661 &r->handles[i]);
662 } else {
663 WARN_ON(i > 0);
664 ret = fb->funcs->create_handle(fb, file_priv,
665 &r->handles[i]);
666 }
667
668 if (ret != 0)
669 goto out;
670 }
671
672 out:
673 if (ret != 0) {
674 /* Delete any previously-created handles on failure. */
675 for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
676 int j;
677
678 if (r->handles[i])
679 drm_gem_handle_delete(file_priv, r->handles[i]);
680
681 /* Zero out any handles identical to the one we just
682 * deleted.
683 */
684 for (j = i + 1; j < ARRAY_SIZE(r->handles); j++) {
685 if (r->handles[j] == r->handles[i])
686 r->handles[j] = 0;
687 }
688 }
689 }
690
691 drm_framebuffer_put(fb);
692 return ret;
693 }
694
695 /**
696 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
697 * @dev: drm device for the ioctl
698 * @data: data pointer for the ioctl
699 * @file_priv: drm file for the ioctl call
700 *
701 * Lookup the FB and flush out the damaged area supplied by userspace as a clip
702 * rectangle list. Generic userspace which does frontbuffer rendering must call
703 * this ioctl to flush out the changes on manual-update display outputs, e.g.
704 * usb display-link, mipi manual update panels or edp panel self refresh modes.
705 *
706 * Modesetting drivers which always update the frontbuffer do not need to
707 * implement the corresponding &drm_framebuffer_funcs.dirty callback.
708 *
709 * Called by the user via ioctl.
710 *
711 * Returns:
712 * Zero on success, negative errno on failure.
713 */
drm_mode_dirtyfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)714 int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
715 void *data, struct drm_file *file_priv)
716 {
717 struct drm_clip_rect __user *clips_ptr;
718 struct drm_clip_rect *clips = NULL;
719 struct drm_mode_fb_dirty_cmd *r = data;
720 struct drm_framebuffer *fb;
721 unsigned flags;
722 int num_clips;
723 int ret;
724
725 if (!drm_core_check_feature(dev, DRIVER_MODESET))
726 return -EOPNOTSUPP;
727
728 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
729 if (!fb)
730 return -ENOENT;
731
732 num_clips = r->num_clips;
733 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
734
735 if (!num_clips != !clips_ptr) {
736 ret = -EINVAL;
737 goto out_err1;
738 }
739
740 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags;
741
742 /* If userspace annotates copy, clips must come in pairs */
743 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) {
744 ret = -EINVAL;
745 goto out_err1;
746 }
747
748 if (num_clips && clips_ptr) {
749 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
750 ret = -EINVAL;
751 goto out_err1;
752 }
753 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
754 if (!clips) {
755 ret = -ENOMEM;
756 goto out_err1;
757 }
758
759 ret = copy_from_user(clips, clips_ptr,
760 num_clips * sizeof(*clips));
761 if (ret) {
762 ret = -EFAULT;
763 goto out_err2;
764 }
765 }
766
767 if (fb->funcs->dirty) {
768 ret = fb->funcs->dirty(fb, file_priv, flags, r->color,
769 clips, num_clips);
770 } else {
771 ret = -ENOSYS;
772 }
773
774 out_err2:
775 kfree(clips);
776 out_err1:
777 drm_framebuffer_put(fb);
778
779 return ret;
780 }
781
782 /**
783 * drm_fb_release - remove and free the FBs on this file
784 * @priv: drm file for the ioctl
785 *
786 * Destroy all the FBs associated with @filp.
787 *
788 * Called by the user via ioctl.
789 *
790 * Returns:
791 * Zero on success, negative errno on failure.
792 */
drm_fb_release(struct drm_file * priv)793 void drm_fb_release(struct drm_file *priv)
794 {
795 struct drm_framebuffer *fb, *tfb;
796 struct drm_mode_rmfb_work arg;
797
798 INIT_LIST_HEAD(&arg.fbs);
799
800 /*
801 * When the file gets released that means no one else can access the fb
802 * list any more, so no need to grab fpriv->fbs_lock. And we need to
803 * avoid upsetting lockdep since the universal cursor code adds a
804 * framebuffer while holding mutex locks.
805 *
806 * Note that a real deadlock between fpriv->fbs_lock and the modeset
807 * locks is impossible here since no one else but this function can get
808 * at it any more.
809 */
810 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
811 if (drm_framebuffer_read_refcount(fb) > 1) {
812 list_move_tail(&fb->filp_head, &arg.fbs);
813 } else {
814 list_del_init(&fb->filp_head);
815
816 /* This drops the fpriv->fbs reference. */
817 drm_framebuffer_put(fb);
818 }
819 }
820
821 if (!list_empty(&arg.fbs)) {
822 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
823
824 schedule_work(&arg.work);
825 flush_work(&arg.work);
826 destroy_work_on_stack(&arg.work);
827 }
828 }
829
drm_framebuffer_free(struct kref * kref)830 void drm_framebuffer_free(struct kref *kref)
831 {
832 struct drm_framebuffer *fb =
833 container_of(kref, struct drm_framebuffer, base.refcount);
834 struct drm_device *dev = fb->dev;
835
836 drm_WARN_ON(dev, !list_empty(&fb->filp_head));
837
838 /*
839 * The lookup idr holds a weak reference, which has not necessarily been
840 * removed at this point. Check for that.
841 */
842 drm_mode_object_unregister(dev, &fb->base);
843
844 fb->funcs->destroy(fb);
845 }
846
847 /**
848 * drm_framebuffer_init - initialize a framebuffer
849 * @dev: DRM device
850 * @fb: framebuffer to be initialized
851 * @funcs: ... with these functions
852 *
853 * Allocates an ID for the framebuffer's parent mode object, sets its mode
854 * functions & device file and adds it to the master fd list.
855 *
856 * IMPORTANT:
857 * This functions publishes the fb and makes it available for concurrent access
858 * by other users. Which means by this point the fb _must_ be fully set up -
859 * since all the fb attributes are invariant over its lifetime, no further
860 * locking but only correct reference counting is required.
861 *
862 * Returns:
863 * Zero on success, error code on failure.
864 */
drm_framebuffer_init(struct drm_device * dev,struct drm_framebuffer * fb,const struct drm_framebuffer_funcs * funcs)865 int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
866 const struct drm_framebuffer_funcs *funcs)
867 {
868 unsigned int i;
869 int ret;
870 bool exists;
871
872 if (WARN_ON_ONCE(fb->dev != dev || !fb->format))
873 return -EINVAL;
874
875 for (i = 0; i < fb->format->num_planes; i++) {
876 if (drm_WARN_ON_ONCE(dev, fb->internal_flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i)))
877 fb->internal_flags &= ~DRM_FRAMEBUFFER_HAS_HANDLE_REF(i);
878 if (fb->obj[i]) {
879 exists = drm_gem_object_handle_get_if_exists_unlocked(fb->obj[i]);
880 if (exists)
881 fb->internal_flags |= DRM_FRAMEBUFFER_HAS_HANDLE_REF(i);
882 }
883 }
884
885 INIT_LIST_HEAD(&fb->filp_head);
886
887 fb->funcs = funcs;
888 strcpy(fb->comm, current->comm);
889
890 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB,
891 false, drm_framebuffer_free);
892 if (ret)
893 goto err;
894
895 mutex_lock(&dev->mode_config.fb_lock);
896 dev->mode_config.num_fb++;
897 list_add(&fb->head, &dev->mode_config.fb_list);
898 mutex_unlock(&dev->mode_config.fb_lock);
899
900 drm_mode_object_register(dev, &fb->base);
901
902 return 0;
903
904 err:
905 for (i = 0; i < fb->format->num_planes; i++) {
906 if (fb->internal_flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i)) {
907 drm_gem_object_handle_put_unlocked(fb->obj[i]);
908 fb->internal_flags &= ~DRM_FRAMEBUFFER_HAS_HANDLE_REF(i);
909 }
910 }
911 return ret;
912 }
913 EXPORT_SYMBOL(drm_framebuffer_init);
914
915 /**
916 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
917 * @dev: drm device
918 * @file_priv: drm file to check for lease against.
919 * @id: id of the fb object
920 *
921 * If successful, this grabs an additional reference to the framebuffer -
922 * callers need to make sure to eventually unreference the returned framebuffer
923 * again, using drm_framebuffer_put().
924 */
drm_framebuffer_lookup(struct drm_device * dev,struct drm_file * file_priv,uint32_t id)925 struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
926 struct drm_file *file_priv,
927 uint32_t id)
928 {
929 struct drm_mode_object *obj;
930 struct drm_framebuffer *fb = NULL;
931
932 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB);
933 if (obj)
934 fb = obj_to_fb(obj);
935 return fb;
936 }
937 EXPORT_SYMBOL(drm_framebuffer_lookup);
938
939 /**
940 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
941 * @fb: fb to unregister
942 *
943 * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
944 * those used for fbdev. Note that the caller must hold a reference of its own,
945 * i.e. the object may not be destroyed through this call (since it'll lead to a
946 * locking inversion).
947 *
948 * NOTE: This function is deprecated. For driver-private framebuffers it is not
949 * recommended to embed a framebuffer struct info fbdev struct, instead, a
950 * framebuffer pointer is preferred and drm_framebuffer_put() should be called
951 * when the framebuffer is to be cleaned up.
952 */
drm_framebuffer_unregister_private(struct drm_framebuffer * fb)953 void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
954 {
955 struct drm_device *dev;
956
957 if (!fb)
958 return;
959
960 dev = fb->dev;
961
962 /* Mark fb as reaped and drop idr ref. */
963 drm_mode_object_unregister(dev, &fb->base);
964 }
965 EXPORT_SYMBOL(drm_framebuffer_unregister_private);
966
967 /**
968 * drm_framebuffer_cleanup - remove a framebuffer object
969 * @fb: framebuffer to remove
970 *
971 * Cleanup framebuffer. This function is intended to be used from the drivers
972 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up
973 * driver private framebuffers embedded into a larger structure.
974 *
975 * Note that this function does not remove the fb from active usage - if it is
976 * still used anywhere, hilarity can ensue since userspace could call getfb on
977 * the id and get back -EINVAL. Obviously no concern at driver unload time.
978 *
979 * Also, the framebuffer will not be removed from the lookup idr - for
980 * user-created framebuffers this will happen in the rmfb ioctl. For
981 * driver-private objects (e.g. for fbdev) drivers need to explicitly call
982 * drm_framebuffer_unregister_private.
983 */
drm_framebuffer_cleanup(struct drm_framebuffer * fb)984 void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
985 {
986 struct drm_device *dev = fb->dev;
987 unsigned int i;
988
989 for (i = 0; i < fb->format->num_planes; i++) {
990 if (fb->internal_flags & DRM_FRAMEBUFFER_HAS_HANDLE_REF(i))
991 drm_gem_object_handle_put_unlocked(fb->obj[i]);
992 }
993
994 mutex_lock(&dev->mode_config.fb_lock);
995 list_del(&fb->head);
996 dev->mode_config.num_fb--;
997 mutex_unlock(&dev->mode_config.fb_lock);
998 }
999 EXPORT_SYMBOL(drm_framebuffer_cleanup);
1000
atomic_remove_fb(struct drm_framebuffer * fb)1001 static int atomic_remove_fb(struct drm_framebuffer *fb)
1002 {
1003 struct drm_modeset_acquire_ctx ctx;
1004 struct drm_device *dev = fb->dev;
1005 struct drm_atomic_state *state;
1006 struct drm_plane *plane;
1007 struct drm_connector *conn __maybe_unused;
1008 struct drm_connector_state *conn_state;
1009 int i, ret;
1010 unsigned plane_mask;
1011 bool disable_crtcs = false;
1012
1013 retry_disable:
1014 drm_modeset_acquire_init(&ctx, 0);
1015
1016 state = drm_atomic_state_alloc(dev);
1017 if (!state) {
1018 ret = -ENOMEM;
1019 goto out;
1020 }
1021 state->acquire_ctx = &ctx;
1022
1023 retry:
1024 plane_mask = 0;
1025 ret = drm_modeset_lock_all_ctx(dev, &ctx);
1026 if (ret)
1027 goto unlock;
1028
1029 drm_for_each_plane(plane, dev) {
1030 struct drm_plane_state *plane_state;
1031
1032 if (plane->state->fb != fb)
1033 continue;
1034
1035 drm_dbg_kms(dev,
1036 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
1037 plane->base.id, plane->name, fb->base.id);
1038
1039 plane_state = drm_atomic_get_plane_state(state, plane);
1040 if (IS_ERR(plane_state)) {
1041 ret = PTR_ERR(plane_state);
1042 goto unlock;
1043 }
1044
1045 if (disable_crtcs && plane_state->crtc->primary == plane) {
1046 struct drm_crtc_state *crtc_state;
1047
1048 drm_dbg_kms(dev,
1049 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
1050 plane_state->crtc->base.id,
1051 plane_state->crtc->name, fb->base.id);
1052
1053 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc);
1054
1055 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc);
1056 if (ret)
1057 goto unlock;
1058
1059 crtc_state->active = false;
1060 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL);
1061 if (ret)
1062 goto unlock;
1063 }
1064
1065 drm_atomic_set_fb_for_plane(plane_state, NULL);
1066 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL);
1067 if (ret)
1068 goto unlock;
1069
1070 plane_mask |= drm_plane_mask(plane);
1071 }
1072
1073 /* This list is only filled when disable_crtcs is set. */
1074 for_each_new_connector_in_state(state, conn, conn_state, i) {
1075 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL);
1076
1077 if (ret)
1078 goto unlock;
1079 }
1080
1081 if (plane_mask)
1082 ret = drm_atomic_commit(state);
1083
1084 unlock:
1085 if (ret == -EDEADLK) {
1086 drm_atomic_state_clear(state);
1087 drm_modeset_backoff(&ctx);
1088 goto retry;
1089 }
1090
1091 drm_atomic_state_put(state);
1092
1093 out:
1094 drm_modeset_drop_locks(&ctx);
1095 drm_modeset_acquire_fini(&ctx);
1096
1097 if (ret == -EINVAL && !disable_crtcs) {
1098 disable_crtcs = true;
1099 goto retry_disable;
1100 }
1101
1102 return ret;
1103 }
1104
legacy_remove_fb(struct drm_framebuffer * fb)1105 static void legacy_remove_fb(struct drm_framebuffer *fb)
1106 {
1107 struct drm_device *dev = fb->dev;
1108 struct drm_crtc *crtc;
1109 struct drm_plane *plane;
1110
1111 drm_modeset_lock_all(dev);
1112 /* remove from any CRTC */
1113 drm_for_each_crtc(crtc, dev) {
1114 if (crtc->primary->fb == fb) {
1115 drm_dbg_kms(dev,
1116 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
1117 crtc->base.id, crtc->name, fb->base.id);
1118
1119 /* should turn off the crtc */
1120 if (drm_crtc_force_disable(crtc))
1121 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
1122 }
1123 }
1124
1125 drm_for_each_plane(plane, dev) {
1126 if (plane->fb == fb) {
1127 drm_dbg_kms(dev,
1128 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
1129 plane->base.id, plane->name, fb->base.id);
1130 drm_plane_force_disable(plane);
1131 }
1132 }
1133 drm_modeset_unlock_all(dev);
1134 }
1135
1136 /**
1137 * drm_framebuffer_remove - remove and unreference a framebuffer object
1138 * @fb: framebuffer to remove
1139 *
1140 * Scans all the CRTCs and planes in @dev's mode_config. If they're
1141 * using @fb, removes it, setting it to NULL. Then drops the reference to the
1142 * passed-in framebuffer. Might take the modeset locks.
1143 *
1144 * Note that this function optimizes the cleanup away if the caller holds the
1145 * last reference to the framebuffer. It is also guaranteed to not take the
1146 * modeset locks in this case.
1147 */
drm_framebuffer_remove(struct drm_framebuffer * fb)1148 void drm_framebuffer_remove(struct drm_framebuffer *fb)
1149 {
1150 struct drm_device *dev;
1151
1152 if (!fb)
1153 return;
1154
1155 dev = fb->dev;
1156
1157 drm_WARN_ON(dev, !list_empty(&fb->filp_head));
1158
1159 /*
1160 * drm ABI mandates that we remove any deleted framebuffers from active
1161 * usage. But since most sane clients only remove framebuffers they no
1162 * longer need, try to optimize this away.
1163 *
1164 * Since we're holding a reference ourselves, observing a refcount of 1
1165 * means that we're the last holder and can skip it. Also, the refcount
1166 * can never increase from 1 again, so we don't need any barriers or
1167 * locks.
1168 *
1169 * Note that userspace could try to race with use and instate a new
1170 * usage _after_ we've cleared all current ones. End result will be an
1171 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot
1172 * in this manner.
1173 */
1174 if (drm_framebuffer_read_refcount(fb) > 1) {
1175 if (drm_drv_uses_atomic_modeset(dev)) {
1176 int ret = atomic_remove_fb(fb);
1177
1178 WARN(ret, "atomic remove_fb failed with %i\n", ret);
1179 } else
1180 legacy_remove_fb(fb);
1181 }
1182
1183 drm_framebuffer_put(fb);
1184 }
1185 EXPORT_SYMBOL(drm_framebuffer_remove);
1186
drm_framebuffer_print_info(struct drm_printer * p,unsigned int indent,const struct drm_framebuffer * fb)1187 void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent,
1188 const struct drm_framebuffer *fb)
1189 {
1190 unsigned int i;
1191
1192 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm);
1193 drm_printf_indent(p, indent, "refcount=%u\n",
1194 drm_framebuffer_read_refcount(fb));
1195 drm_printf_indent(p, indent, "format=%p4cc\n", &fb->format->format);
1196 drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier);
1197 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height);
1198 drm_printf_indent(p, indent, "layers:\n");
1199
1200 for (i = 0; i < fb->format->num_planes; i++) {
1201 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i,
1202 drm_format_info_plane_width(fb->format, fb->width, i),
1203 drm_format_info_plane_height(fb->format, fb->height, i));
1204 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]);
1205 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]);
1206 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i,
1207 fb->obj[i] ? "" : "(null)");
1208 if (fb->obj[i])
1209 drm_gem_print_info(p, indent + 2, fb->obj[i]);
1210 }
1211 }
1212
1213 #ifdef CONFIG_DEBUG_FS
drm_framebuffer_info(struct seq_file * m,void * data)1214 static int drm_framebuffer_info(struct seq_file *m, void *data)
1215 {
1216 struct drm_debugfs_entry *entry = m->private;
1217 struct drm_device *dev = entry->dev;
1218 struct drm_printer p = drm_seq_file_printer(m);
1219 struct drm_framebuffer *fb;
1220
1221 mutex_lock(&dev->mode_config.fb_lock);
1222 drm_for_each_fb(fb, dev) {
1223 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id);
1224 drm_framebuffer_print_info(&p, 1, fb);
1225 }
1226 mutex_unlock(&dev->mode_config.fb_lock);
1227
1228 return 0;
1229 }
1230
1231 static const struct drm_debugfs_info drm_framebuffer_debugfs_list[] = {
1232 { "framebuffer", drm_framebuffer_info, 0 },
1233 };
1234
drm_framebuffer_debugfs_init(struct drm_device * dev)1235 void drm_framebuffer_debugfs_init(struct drm_device *dev)
1236 {
1237 drm_debugfs_add_files(dev, drm_framebuffer_debugfs_list,
1238 ARRAY_SIZE(drm_framebuffer_debugfs_list));
1239 }
1240 #endif
1241