1 /* 2 * Copyright (c) 2016 Intel Corporation 3 * 4 * Permission to use, copy, modify, distribute, and sell this software and its 5 * documentation for any purpose is hereby granted without fee, provided that 6 * the above copyright notice appear in all copies and that both that copyright 7 * notice and this permission notice appear in supporting documentation, and 8 * that the name of the copyright holders not be used in advertising or 9 * publicity pertaining to distribution of the software without specific, 10 * written prior permission. The copyright holders make no representations 11 * about the suitability of this software for any purpose. It is provided "as 12 * is" without express or implied warranty. 13 * 14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR 17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 20 * OF THIS SOFTWARE. 21 */ 22 23 #include <linux/export.h> 24 #include <linux/uaccess.h> 25 26 #include <drm/drm_atomic.h> 27 #include <drm/drm_atomic_uapi.h> 28 #include <drm/drm_auth.h> 29 #include <drm/drm_debugfs.h> 30 #include <drm/drm_drv.h> 31 #include <drm/drm_file.h> 32 #include <drm/drm_fourcc.h> 33 #include <drm/drm_framebuffer.h> 34 #include <drm/drm_gem.h> 35 #include <drm/drm_print.h> 36 #include <drm/drm_util.h> 37 38 #include "drm_crtc_internal.h" 39 #include "drm_internal.h" 40 41 /** 42 * DOC: overview 43 * 44 * Frame buffers are abstract memory objects that provide a source of pixels to 45 * scanout to a CRTC. Applications explicitly request the creation of frame 46 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque 47 * handle that can be passed to the KMS CRTC control, plane configuration and 48 * page flip functions. 49 * 50 * Frame buffers rely on the underlying memory manager for allocating backing 51 * storage. When creating a frame buffer applications pass a memory handle 52 * (or a list of memory handles for multi-planar formats) through the 53 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace 54 * buffer management interface this would be a GEM handle. Drivers are however 55 * free to use their own backing storage object handles, e.g. vmwgfx directly 56 * exposes special TTM handles to userspace and so expects TTM handles in the 57 * create ioctl and not GEM handles. 58 * 59 * Framebuffers are tracked with &struct drm_framebuffer. They are published 60 * using drm_framebuffer_init() - after calling that function userspace can use 61 * and access the framebuffer object. The helper function 62 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required 63 * metadata fields. 64 * 65 * The lifetime of a drm framebuffer is controlled with a reference count, 66 * drivers can grab additional references with drm_framebuffer_get() and drop 67 * them again with drm_framebuffer_put(). For driver-private framebuffers for 68 * which the last reference is never dropped (e.g. for the fbdev framebuffer 69 * when the struct &struct drm_framebuffer is embedded into the fbdev helper 70 * struct) drivers can manually clean up a framebuffer at module unload time 71 * with drm_framebuffer_unregister_private(). But doing this is not 72 * recommended, and it's better to have a normal free-standing &struct 73 * drm_framebuffer. 74 */ 75 76 int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y, 77 uint32_t src_w, uint32_t src_h, 78 const struct drm_framebuffer *fb) 79 { 80 unsigned int fb_width, fb_height; 81 82 fb_width = fb->width << 16; 83 fb_height = fb->height << 16; 84 85 /* Make sure source coordinates are inside the fb. */ 86 if (src_w > fb_width || 87 src_x > fb_width - src_w || 88 src_h > fb_height || 89 src_y > fb_height - src_h) { 90 drm_dbg_kms(fb->dev, "Invalid source coordinates " 91 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n", 92 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10, 93 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10, 94 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10, 95 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10, 96 fb->width, fb->height); 97 return -ENOSPC; 98 } 99 100 return 0; 101 } 102 103 /** 104 * drm_mode_addfb - add an FB to the graphics configuration 105 * @dev: drm device for the ioctl 106 * @or: pointer to request structure 107 * @file_priv: drm file 108 * 109 * Add a new FB to the specified CRTC, given a user request. This is the 110 * original addfb ioctl which only supported RGB formats. 111 * 112 * Called by the user via ioctl, or by an in-kernel client. 113 * 114 * Returns: 115 * Zero on success, negative errno on failure. 116 */ 117 int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or, 118 struct drm_file *file_priv) 119 { 120 struct drm_mode_fb_cmd2 r = {}; 121 int ret; 122 123 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 124 return -EOPNOTSUPP; 125 126 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth); 127 if (r.pixel_format == DRM_FORMAT_INVALID) { 128 drm_dbg_kms(dev, "bad {bpp:%d, depth:%d}\n", or->bpp, or->depth); 129 return -EINVAL; 130 } 131 132 /* convert to new format and call new ioctl */ 133 r.fb_id = or->fb_id; 134 r.width = or->width; 135 r.height = or->height; 136 r.pitches[0] = or->pitch; 137 r.handles[0] = or->handle; 138 139 ret = drm_mode_addfb2(dev, &r, file_priv); 140 if (ret) 141 return ret; 142 143 or->fb_id = r.fb_id; 144 145 return 0; 146 } 147 148 int drm_mode_addfb_ioctl(struct drm_device *dev, 149 void *data, struct drm_file *file_priv) 150 { 151 return drm_mode_addfb(dev, data, file_priv); 152 } 153 154 static int framebuffer_check(struct drm_device *dev, 155 const struct drm_mode_fb_cmd2 *r) 156 { 157 const struct drm_format_info *info; 158 int i; 159 160 /* check if the format is supported at all */ 161 if (!__drm_format_info(r->pixel_format)) { 162 drm_dbg_kms(dev, "bad framebuffer format %p4cc\n", 163 &r->pixel_format); 164 return -EINVAL; 165 } 166 167 if (r->width == 0) { 168 drm_dbg_kms(dev, "bad framebuffer width %u\n", r->width); 169 return -EINVAL; 170 } 171 172 if (r->height == 0) { 173 drm_dbg_kms(dev, "bad framebuffer height %u\n", r->height); 174 return -EINVAL; 175 } 176 177 /* now let the driver pick its own format info */ 178 info = drm_get_format_info(dev, r); 179 180 for (i = 0; i < info->num_planes; i++) { 181 unsigned int width = drm_format_info_plane_width(info, r->width, i); 182 unsigned int height = drm_format_info_plane_height(info, r->height, i); 183 unsigned int block_size = info->char_per_block[i]; 184 u64 min_pitch = drm_format_info_min_pitch(info, i, width); 185 186 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) { 187 drm_dbg_kms(dev, "Format requires non-linear modifier for plane %d\n", i); 188 return -EINVAL; 189 } 190 191 if (!r->handles[i]) { 192 drm_dbg_kms(dev, "no buffer object handle for plane %d\n", i); 193 return -EINVAL; 194 } 195 196 if (min_pitch > UINT_MAX) 197 return -ERANGE; 198 199 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX) 200 return -ERANGE; 201 202 if (block_size && r->pitches[i] < min_pitch) { 203 drm_dbg_kms(dev, "bad pitch %u for plane %d\n", r->pitches[i], i); 204 return -EINVAL; 205 } 206 207 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) { 208 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n", 209 r->modifier[i], i); 210 return -EINVAL; 211 } 212 213 if (r->flags & DRM_MODE_FB_MODIFIERS && 214 r->modifier[i] != r->modifier[0]) { 215 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n", 216 r->modifier[i], i); 217 return -EINVAL; 218 } 219 220 /* modifier specific checks: */ 221 switch (r->modifier[i]) { 222 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE: 223 /* NOTE: the pitch restriction may be lifted later if it turns 224 * out that no hw has this restriction: 225 */ 226 if (r->pixel_format != DRM_FORMAT_NV12 || 227 width % 128 || height % 32 || 228 r->pitches[i] % 128) { 229 drm_dbg_kms(dev, "bad modifier data for plane %d\n", i); 230 return -EINVAL; 231 } 232 break; 233 234 default: 235 break; 236 } 237 } 238 239 for (i = info->num_planes; i < 4; i++) { 240 if (r->modifier[i]) { 241 drm_dbg_kms(dev, "non-zero modifier for unused plane %d\n", i); 242 return -EINVAL; 243 } 244 245 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */ 246 if (!(r->flags & DRM_MODE_FB_MODIFIERS)) 247 continue; 248 249 if (r->handles[i]) { 250 drm_dbg_kms(dev, "buffer object handle for unused plane %d\n", i); 251 return -EINVAL; 252 } 253 254 if (r->pitches[i]) { 255 drm_dbg_kms(dev, "non-zero pitch for unused plane %d\n", i); 256 return -EINVAL; 257 } 258 259 if (r->offsets[i]) { 260 drm_dbg_kms(dev, "non-zero offset for unused plane %d\n", i); 261 return -EINVAL; 262 } 263 } 264 265 return 0; 266 } 267 268 struct drm_framebuffer * 269 drm_internal_framebuffer_create(struct drm_device *dev, 270 const struct drm_mode_fb_cmd2 *r, 271 struct drm_file *file_priv) 272 { 273 struct drm_mode_config *config = &dev->mode_config; 274 struct drm_framebuffer *fb; 275 int ret; 276 277 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) { 278 drm_dbg_kms(dev, "bad framebuffer flags 0x%08x\n", r->flags); 279 return ERR_PTR(-EINVAL); 280 } 281 282 if ((config->min_width > r->width) || (r->width > config->max_width)) { 283 drm_dbg_kms(dev, "bad framebuffer width %d, should be >= %d && <= %d\n", 284 r->width, config->min_width, config->max_width); 285 return ERR_PTR(-EINVAL); 286 } 287 if ((config->min_height > r->height) || (r->height > config->max_height)) { 288 drm_dbg_kms(dev, "bad framebuffer height %d, should be >= %d && <= %d\n", 289 r->height, config->min_height, config->max_height); 290 return ERR_PTR(-EINVAL); 291 } 292 293 if (r->flags & DRM_MODE_FB_MODIFIERS && 294 dev->mode_config.fb_modifiers_not_supported) { 295 drm_dbg_kms(dev, "driver does not support fb modifiers\n"); 296 return ERR_PTR(-EINVAL); 297 } 298 299 ret = framebuffer_check(dev, r); 300 if (ret) 301 return ERR_PTR(ret); 302 303 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r); 304 if (IS_ERR(fb)) { 305 drm_dbg_kms(dev, "could not create framebuffer\n"); 306 return fb; 307 } 308 309 return fb; 310 } 311 EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create); 312 313 /** 314 * drm_mode_addfb2 - add an FB to the graphics configuration 315 * @dev: drm device for the ioctl 316 * @data: data pointer for the ioctl 317 * @file_priv: drm file for the ioctl call 318 * 319 * Add a new FB to the specified CRTC, given a user request with format. This is 320 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers 321 * and uses fourcc codes as pixel format specifiers. 322 * 323 * Called by the user via ioctl. 324 * 325 * Returns: 326 * Zero on success, negative errno on failure. 327 */ 328 int drm_mode_addfb2(struct drm_device *dev, 329 void *data, struct drm_file *file_priv) 330 { 331 struct drm_mode_fb_cmd2 *r = data; 332 struct drm_framebuffer *fb; 333 334 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 335 return -EOPNOTSUPP; 336 337 fb = drm_internal_framebuffer_create(dev, r, file_priv); 338 if (IS_ERR(fb)) 339 return PTR_ERR(fb); 340 341 drm_dbg_kms(dev, "[FB:%d]\n", fb->base.id); 342 r->fb_id = fb->base.id; 343 344 /* Transfer ownership to the filp for reaping on close */ 345 mutex_lock(&file_priv->fbs_lock); 346 list_add(&fb->filp_head, &file_priv->fbs); 347 mutex_unlock(&file_priv->fbs_lock); 348 349 return 0; 350 } 351 352 int drm_mode_addfb2_ioctl(struct drm_device *dev, 353 void *data, struct drm_file *file_priv) 354 { 355 #ifdef __BIG_ENDIAN 356 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) { 357 /* 358 * Drivers must set the 359 * quirk_addfb_prefer_host_byte_order quirk to make 360 * the drm_mode_addfb() compat code work correctly on 361 * bigendian machines. 362 * 363 * If they don't they interpret pixel_format values 364 * incorrectly for bug compatibility, which in turn 365 * implies the ADDFB2 ioctl does not work correctly 366 * then. So block it to make userspace fallback to 367 * ADDFB. 368 */ 369 drm_dbg_kms(dev, "addfb2 broken on bigendian"); 370 return -EOPNOTSUPP; 371 } 372 #endif 373 return drm_mode_addfb2(dev, data, file_priv); 374 } 375 376 struct drm_mode_rmfb_work { 377 struct work_struct work; 378 struct list_head fbs; 379 }; 380 381 static void drm_mode_rmfb_work_fn(struct work_struct *w) 382 { 383 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work); 384 385 while (!list_empty(&arg->fbs)) { 386 struct drm_framebuffer *fb = 387 list_first_entry(&arg->fbs, typeof(*fb), filp_head); 388 389 drm_dbg_kms(fb->dev, 390 "Removing [FB:%d] from all active usage due to RMFB ioctl\n", 391 fb->base.id); 392 list_del_init(&fb->filp_head); 393 drm_framebuffer_remove(fb); 394 } 395 } 396 397 static int drm_mode_closefb(struct drm_framebuffer *fb, 398 struct drm_file *file_priv) 399 { 400 struct drm_framebuffer *fbl; 401 bool found = false; 402 403 mutex_lock(&file_priv->fbs_lock); 404 list_for_each_entry(fbl, &file_priv->fbs, filp_head) 405 if (fb == fbl) 406 found = true; 407 408 if (!found) { 409 mutex_unlock(&file_priv->fbs_lock); 410 return -ENOENT; 411 } 412 413 list_del_init(&fb->filp_head); 414 mutex_unlock(&file_priv->fbs_lock); 415 416 /* Drop the reference that was stored in the fbs list */ 417 drm_framebuffer_put(fb); 418 419 return 0; 420 } 421 422 /** 423 * drm_mode_rmfb - remove an FB from the configuration 424 * @dev: drm device 425 * @fb_id: id of framebuffer to remove 426 * @file_priv: drm file 427 * 428 * Remove the specified FB. 429 * 430 * Called by the user via ioctl, or by an in-kernel client. 431 * 432 * Returns: 433 * Zero on success, negative errno on failure. 434 */ 435 int drm_mode_rmfb(struct drm_device *dev, u32 fb_id, 436 struct drm_file *file_priv) 437 { 438 struct drm_framebuffer *fb; 439 int ret; 440 441 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 442 return -EOPNOTSUPP; 443 444 fb = drm_framebuffer_lookup(dev, file_priv, fb_id); 445 if (!fb) 446 return -ENOENT; 447 448 ret = drm_mode_closefb(fb, file_priv); 449 if (ret != 0) { 450 drm_framebuffer_put(fb); 451 return ret; 452 } 453 454 /* 455 * drm_framebuffer_remove may fail with -EINTR on pending signals, 456 * so run this in a separate stack as there's no way to correctly 457 * handle this after the fb is already removed from the lookup table. 458 */ 459 if (drm_framebuffer_read_refcount(fb) > 1) { 460 struct drm_mode_rmfb_work arg; 461 462 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 463 INIT_LIST_HEAD(&arg.fbs); 464 list_add_tail(&fb->filp_head, &arg.fbs); 465 466 schedule_work(&arg.work); 467 flush_work(&arg.work); 468 destroy_work_on_stack(&arg.work); 469 } else 470 drm_framebuffer_put(fb); 471 472 return 0; 473 } 474 475 int drm_mode_rmfb_ioctl(struct drm_device *dev, 476 void *data, struct drm_file *file_priv) 477 { 478 uint32_t *fb_id = data; 479 480 return drm_mode_rmfb(dev, *fb_id, file_priv); 481 } 482 483 int drm_mode_closefb_ioctl(struct drm_device *dev, 484 void *data, struct drm_file *file_priv) 485 { 486 struct drm_mode_closefb *r = data; 487 struct drm_framebuffer *fb; 488 int ret; 489 490 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 491 return -EOPNOTSUPP; 492 493 if (r->pad) 494 return -EINVAL; 495 496 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 497 if (!fb) 498 return -ENOENT; 499 500 ret = drm_mode_closefb(fb, file_priv); 501 drm_framebuffer_put(fb); 502 return ret; 503 } 504 505 /** 506 * drm_mode_getfb - get FB info 507 * @dev: drm device for the ioctl 508 * @data: data pointer for the ioctl 509 * @file_priv: drm file for the ioctl call 510 * 511 * Lookup the FB given its ID and return info about it. 512 * 513 * Called by the user via ioctl. 514 * 515 * Returns: 516 * Zero on success, negative errno on failure. 517 */ 518 int drm_mode_getfb(struct drm_device *dev, 519 void *data, struct drm_file *file_priv) 520 { 521 struct drm_mode_fb_cmd *r = data; 522 struct drm_framebuffer *fb; 523 int ret; 524 525 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 526 return -EOPNOTSUPP; 527 528 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 529 if (!fb) 530 return -ENOENT; 531 532 /* Multi-planar framebuffers need getfb2. */ 533 if (fb->format->num_planes > 1) { 534 ret = -EINVAL; 535 goto out; 536 } 537 538 if (!fb->funcs->create_handle) { 539 ret = -ENODEV; 540 goto out; 541 } 542 543 r->height = fb->height; 544 r->width = fb->width; 545 r->depth = fb->format->depth; 546 r->bpp = drm_format_info_bpp(fb->format, 0); 547 r->pitch = fb->pitches[0]; 548 549 /* GET_FB() is an unprivileged ioctl so we must not return a 550 * buffer-handle to non-master processes! For 551 * backwards-compatibility reasons, we cannot make GET_FB() privileged, 552 * so just return an invalid handle for non-masters. 553 */ 554 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) { 555 r->handle = 0; 556 ret = 0; 557 goto out; 558 } 559 560 ret = fb->funcs->create_handle(fb, file_priv, &r->handle); 561 562 out: 563 drm_framebuffer_put(fb); 564 return ret; 565 } 566 567 /** 568 * drm_mode_getfb2_ioctl - get extended FB info 569 * @dev: drm device for the ioctl 570 * @data: data pointer for the ioctl 571 * @file_priv: drm file for the ioctl call 572 * 573 * Lookup the FB given its ID and return info about it. 574 * 575 * Called by the user via ioctl. 576 * 577 * Returns: 578 * Zero on success, negative errno on failure. 579 */ 580 int drm_mode_getfb2_ioctl(struct drm_device *dev, 581 void *data, struct drm_file *file_priv) 582 { 583 struct drm_mode_fb_cmd2 *r = data; 584 struct drm_framebuffer *fb; 585 unsigned int i; 586 int ret = 0; 587 588 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 589 return -EINVAL; 590 591 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 592 if (!fb) 593 return -ENOENT; 594 595 /* For multi-plane framebuffers, we require the driver to place the 596 * GEM objects directly in the drm_framebuffer. For single-plane 597 * framebuffers, we can fall back to create_handle. 598 */ 599 if (!fb->obj[0] && 600 (fb->format->num_planes > 1 || !fb->funcs->create_handle)) { 601 ret = -ENODEV; 602 goto out; 603 } 604 605 r->height = fb->height; 606 r->width = fb->width; 607 r->pixel_format = fb->format->format; 608 609 r->flags = 0; 610 if (!dev->mode_config.fb_modifiers_not_supported) 611 r->flags |= DRM_MODE_FB_MODIFIERS; 612 613 for (i = 0; i < ARRAY_SIZE(r->handles); i++) { 614 r->handles[i] = 0; 615 r->pitches[i] = 0; 616 r->offsets[i] = 0; 617 r->modifier[i] = 0; 618 } 619 620 for (i = 0; i < fb->format->num_planes; i++) { 621 r->pitches[i] = fb->pitches[i]; 622 r->offsets[i] = fb->offsets[i]; 623 if (!dev->mode_config.fb_modifiers_not_supported) 624 r->modifier[i] = fb->modifier; 625 } 626 627 /* GET_FB2() is an unprivileged ioctl so we must not return a 628 * buffer-handle to non master/root processes! To match GET_FB() 629 * just return invalid handles (0) for non masters/root 630 * rather than making GET_FB2() privileged. 631 */ 632 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) { 633 ret = 0; 634 goto out; 635 } 636 637 for (i = 0; i < fb->format->num_planes; i++) { 638 int j; 639 640 /* If we reuse the same object for multiple planes, also 641 * return the same handle. 642 */ 643 for (j = 0; j < i; j++) { 644 if (fb->obj[i] == fb->obj[j]) { 645 r->handles[i] = r->handles[j]; 646 break; 647 } 648 } 649 650 if (r->handles[i]) 651 continue; 652 653 if (fb->obj[i]) { 654 ret = drm_gem_handle_create(file_priv, fb->obj[i], 655 &r->handles[i]); 656 } else { 657 WARN_ON(i > 0); 658 ret = fb->funcs->create_handle(fb, file_priv, 659 &r->handles[i]); 660 } 661 662 if (ret != 0) 663 goto out; 664 } 665 666 out: 667 if (ret != 0) { 668 /* Delete any previously-created handles on failure. */ 669 for (i = 0; i < ARRAY_SIZE(r->handles); i++) { 670 int j; 671 672 if (r->handles[i]) 673 drm_gem_handle_delete(file_priv, r->handles[i]); 674 675 /* Zero out any handles identical to the one we just 676 * deleted. 677 */ 678 for (j = i + 1; j < ARRAY_SIZE(r->handles); j++) { 679 if (r->handles[j] == r->handles[i]) 680 r->handles[j] = 0; 681 } 682 } 683 } 684 685 drm_framebuffer_put(fb); 686 return ret; 687 } 688 689 /** 690 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB 691 * @dev: drm device for the ioctl 692 * @data: data pointer for the ioctl 693 * @file_priv: drm file for the ioctl call 694 * 695 * Lookup the FB and flush out the damaged area supplied by userspace as a clip 696 * rectangle list. Generic userspace which does frontbuffer rendering must call 697 * this ioctl to flush out the changes on manual-update display outputs, e.g. 698 * usb display-link, mipi manual update panels or edp panel self refresh modes. 699 * 700 * Modesetting drivers which always update the frontbuffer do not need to 701 * implement the corresponding &drm_framebuffer_funcs.dirty callback. 702 * 703 * Called by the user via ioctl. 704 * 705 * Returns: 706 * Zero on success, negative errno on failure. 707 */ 708 int drm_mode_dirtyfb_ioctl(struct drm_device *dev, 709 void *data, struct drm_file *file_priv) 710 { 711 struct drm_clip_rect __user *clips_ptr; 712 struct drm_clip_rect *clips = NULL; 713 struct drm_mode_fb_dirty_cmd *r = data; 714 struct drm_framebuffer *fb; 715 unsigned flags; 716 int num_clips; 717 int ret; 718 719 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 720 return -EOPNOTSUPP; 721 722 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 723 if (!fb) 724 return -ENOENT; 725 726 num_clips = r->num_clips; 727 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr; 728 729 if (!num_clips != !clips_ptr) { 730 ret = -EINVAL; 731 goto out_err1; 732 } 733 734 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags; 735 736 /* If userspace annotates copy, clips must come in pairs */ 737 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) { 738 ret = -EINVAL; 739 goto out_err1; 740 } 741 742 if (num_clips && clips_ptr) { 743 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) { 744 ret = -EINVAL; 745 goto out_err1; 746 } 747 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL); 748 if (!clips) { 749 ret = -ENOMEM; 750 goto out_err1; 751 } 752 753 ret = copy_from_user(clips, clips_ptr, 754 num_clips * sizeof(*clips)); 755 if (ret) { 756 ret = -EFAULT; 757 goto out_err2; 758 } 759 } 760 761 if (fb->funcs->dirty) { 762 ret = fb->funcs->dirty(fb, file_priv, flags, r->color, 763 clips, num_clips); 764 } else { 765 ret = -ENOSYS; 766 } 767 768 out_err2: 769 kfree(clips); 770 out_err1: 771 drm_framebuffer_put(fb); 772 773 return ret; 774 } 775 776 /** 777 * drm_fb_release - remove and free the FBs on this file 778 * @priv: drm file for the ioctl 779 * 780 * Destroy all the FBs associated with @filp. 781 * 782 * Called by the user via ioctl. 783 * 784 * Returns: 785 * Zero on success, negative errno on failure. 786 */ 787 void drm_fb_release(struct drm_file *priv) 788 { 789 struct drm_framebuffer *fb, *tfb; 790 struct drm_mode_rmfb_work arg; 791 792 INIT_LIST_HEAD(&arg.fbs); 793 794 /* 795 * When the file gets released that means no one else can access the fb 796 * list any more, so no need to grab fpriv->fbs_lock. And we need to 797 * avoid upsetting lockdep since the universal cursor code adds a 798 * framebuffer while holding mutex locks. 799 * 800 * Note that a real deadlock between fpriv->fbs_lock and the modeset 801 * locks is impossible here since no one else but this function can get 802 * at it any more. 803 */ 804 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) { 805 if (drm_framebuffer_read_refcount(fb) > 1) { 806 list_move_tail(&fb->filp_head, &arg.fbs); 807 } else { 808 list_del_init(&fb->filp_head); 809 810 /* This drops the fpriv->fbs reference. */ 811 drm_framebuffer_put(fb); 812 } 813 } 814 815 if (!list_empty(&arg.fbs)) { 816 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 817 818 schedule_work(&arg.work); 819 flush_work(&arg.work); 820 destroy_work_on_stack(&arg.work); 821 } 822 } 823 824 void drm_framebuffer_free(struct kref *kref) 825 { 826 struct drm_framebuffer *fb = 827 container_of(kref, struct drm_framebuffer, base.refcount); 828 struct drm_device *dev = fb->dev; 829 830 /* 831 * The lookup idr holds a weak reference, which has not necessarily been 832 * removed at this point. Check for that. 833 */ 834 drm_mode_object_unregister(dev, &fb->base); 835 836 fb->funcs->destroy(fb); 837 } 838 839 /** 840 * drm_framebuffer_init - initialize a framebuffer 841 * @dev: DRM device 842 * @fb: framebuffer to be initialized 843 * @funcs: ... with these functions 844 * 845 * Allocates an ID for the framebuffer's parent mode object, sets its mode 846 * functions & device file and adds it to the master fd list. 847 * 848 * IMPORTANT: 849 * This functions publishes the fb and makes it available for concurrent access 850 * by other users. Which means by this point the fb _must_ be fully set up - 851 * since all the fb attributes are invariant over its lifetime, no further 852 * locking but only correct reference counting is required. 853 * 854 * Returns: 855 * Zero on success, error code on failure. 856 */ 857 int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, 858 const struct drm_framebuffer_funcs *funcs) 859 { 860 int ret; 861 862 if (WARN_ON_ONCE(fb->dev != dev || !fb->format)) 863 return -EINVAL; 864 865 INIT_LIST_HEAD(&fb->filp_head); 866 867 fb->funcs = funcs; 868 strcpy(fb->comm, current->comm); 869 870 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB, 871 false, drm_framebuffer_free); 872 if (ret) 873 goto out; 874 875 mutex_lock(&dev->mode_config.fb_lock); 876 dev->mode_config.num_fb++; 877 list_add(&fb->head, &dev->mode_config.fb_list); 878 mutex_unlock(&dev->mode_config.fb_lock); 879 880 drm_mode_object_register(dev, &fb->base); 881 out: 882 return ret; 883 } 884 EXPORT_SYMBOL(drm_framebuffer_init); 885 886 /** 887 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference 888 * @dev: drm device 889 * @file_priv: drm file to check for lease against. 890 * @id: id of the fb object 891 * 892 * If successful, this grabs an additional reference to the framebuffer - 893 * callers need to make sure to eventually unreference the returned framebuffer 894 * again, using drm_framebuffer_put(). 895 */ 896 struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev, 897 struct drm_file *file_priv, 898 uint32_t id) 899 { 900 struct drm_mode_object *obj; 901 struct drm_framebuffer *fb = NULL; 902 903 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB); 904 if (obj) 905 fb = obj_to_fb(obj); 906 return fb; 907 } 908 EXPORT_SYMBOL(drm_framebuffer_lookup); 909 910 /** 911 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr 912 * @fb: fb to unregister 913 * 914 * Drivers need to call this when cleaning up driver-private framebuffers, e.g. 915 * those used for fbdev. Note that the caller must hold a reference of its own, 916 * i.e. the object may not be destroyed through this call (since it'll lead to a 917 * locking inversion). 918 * 919 * NOTE: This function is deprecated. For driver-private framebuffers it is not 920 * recommended to embed a framebuffer struct info fbdev struct, instead, a 921 * framebuffer pointer is preferred and drm_framebuffer_put() should be called 922 * when the framebuffer is to be cleaned up. 923 */ 924 void drm_framebuffer_unregister_private(struct drm_framebuffer *fb) 925 { 926 struct drm_device *dev; 927 928 if (!fb) 929 return; 930 931 dev = fb->dev; 932 933 /* Mark fb as reaped and drop idr ref. */ 934 drm_mode_object_unregister(dev, &fb->base); 935 } 936 EXPORT_SYMBOL(drm_framebuffer_unregister_private); 937 938 /** 939 * drm_framebuffer_cleanup - remove a framebuffer object 940 * @fb: framebuffer to remove 941 * 942 * Cleanup framebuffer. This function is intended to be used from the drivers 943 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up 944 * driver private framebuffers embedded into a larger structure. 945 * 946 * Note that this function does not remove the fb from active usage - if it is 947 * still used anywhere, hilarity can ensue since userspace could call getfb on 948 * the id and get back -EINVAL. Obviously no concern at driver unload time. 949 * 950 * Also, the framebuffer will not be removed from the lookup idr - for 951 * user-created framebuffers this will happen in the rmfb ioctl. For 952 * driver-private objects (e.g. for fbdev) drivers need to explicitly call 953 * drm_framebuffer_unregister_private. 954 */ 955 void drm_framebuffer_cleanup(struct drm_framebuffer *fb) 956 { 957 struct drm_device *dev = fb->dev; 958 959 mutex_lock(&dev->mode_config.fb_lock); 960 list_del(&fb->head); 961 dev->mode_config.num_fb--; 962 mutex_unlock(&dev->mode_config.fb_lock); 963 } 964 EXPORT_SYMBOL(drm_framebuffer_cleanup); 965 966 static int atomic_remove_fb(struct drm_framebuffer *fb) 967 { 968 struct drm_modeset_acquire_ctx ctx; 969 struct drm_device *dev = fb->dev; 970 struct drm_atomic_state *state; 971 struct drm_plane *plane; 972 struct drm_connector *conn __maybe_unused; 973 struct drm_connector_state *conn_state; 974 int i, ret; 975 unsigned plane_mask; 976 bool disable_crtcs = false; 977 978 retry_disable: 979 drm_modeset_acquire_init(&ctx, 0); 980 981 state = drm_atomic_state_alloc(dev); 982 if (!state) { 983 ret = -ENOMEM; 984 goto out; 985 } 986 state->acquire_ctx = &ctx; 987 988 retry: 989 plane_mask = 0; 990 ret = drm_modeset_lock_all_ctx(dev, &ctx); 991 if (ret) 992 goto unlock; 993 994 drm_for_each_plane(plane, dev) { 995 struct drm_plane_state *plane_state; 996 997 if (plane->state->fb != fb) 998 continue; 999 1000 drm_dbg_kms(dev, 1001 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n", 1002 plane->base.id, plane->name, fb->base.id); 1003 1004 plane_state = drm_atomic_get_plane_state(state, plane); 1005 if (IS_ERR(plane_state)) { 1006 ret = PTR_ERR(plane_state); 1007 goto unlock; 1008 } 1009 1010 if (disable_crtcs && plane_state->crtc->primary == plane) { 1011 struct drm_crtc_state *crtc_state; 1012 1013 drm_dbg_kms(dev, 1014 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n", 1015 plane_state->crtc->base.id, 1016 plane_state->crtc->name, fb->base.id); 1017 1018 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc); 1019 1020 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc); 1021 if (ret) 1022 goto unlock; 1023 1024 crtc_state->active = false; 1025 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL); 1026 if (ret) 1027 goto unlock; 1028 } 1029 1030 drm_atomic_set_fb_for_plane(plane_state, NULL); 1031 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL); 1032 if (ret) 1033 goto unlock; 1034 1035 plane_mask |= drm_plane_mask(plane); 1036 } 1037 1038 /* This list is only filled when disable_crtcs is set. */ 1039 for_each_new_connector_in_state(state, conn, conn_state, i) { 1040 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL); 1041 1042 if (ret) 1043 goto unlock; 1044 } 1045 1046 if (plane_mask) 1047 ret = drm_atomic_commit(state); 1048 1049 unlock: 1050 if (ret == -EDEADLK) { 1051 drm_atomic_state_clear(state); 1052 drm_modeset_backoff(&ctx); 1053 goto retry; 1054 } 1055 1056 drm_atomic_state_put(state); 1057 1058 out: 1059 drm_modeset_drop_locks(&ctx); 1060 drm_modeset_acquire_fini(&ctx); 1061 1062 if (ret == -EINVAL && !disable_crtcs) { 1063 disable_crtcs = true; 1064 goto retry_disable; 1065 } 1066 1067 return ret; 1068 } 1069 1070 static void legacy_remove_fb(struct drm_framebuffer *fb) 1071 { 1072 struct drm_device *dev = fb->dev; 1073 struct drm_crtc *crtc; 1074 struct drm_plane *plane; 1075 1076 drm_modeset_lock_all(dev); 1077 /* remove from any CRTC */ 1078 drm_for_each_crtc(crtc, dev) { 1079 if (crtc->primary->fb == fb) { 1080 drm_dbg_kms(dev, 1081 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n", 1082 crtc->base.id, crtc->name, fb->base.id); 1083 1084 /* should turn off the crtc */ 1085 if (drm_crtc_force_disable(crtc)) 1086 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc); 1087 } 1088 } 1089 1090 drm_for_each_plane(plane, dev) { 1091 if (plane->fb == fb) { 1092 drm_dbg_kms(dev, 1093 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n", 1094 plane->base.id, plane->name, fb->base.id); 1095 drm_plane_force_disable(plane); 1096 } 1097 } 1098 drm_modeset_unlock_all(dev); 1099 } 1100 1101 /** 1102 * drm_framebuffer_remove - remove and unreference a framebuffer object 1103 * @fb: framebuffer to remove 1104 * 1105 * Scans all the CRTCs and planes in @dev's mode_config. If they're 1106 * using @fb, removes it, setting it to NULL. Then drops the reference to the 1107 * passed-in framebuffer. Might take the modeset locks. 1108 * 1109 * Note that this function optimizes the cleanup away if the caller holds the 1110 * last reference to the framebuffer. It is also guaranteed to not take the 1111 * modeset locks in this case. 1112 */ 1113 void drm_framebuffer_remove(struct drm_framebuffer *fb) 1114 { 1115 struct drm_device *dev; 1116 1117 if (!fb) 1118 return; 1119 1120 dev = fb->dev; 1121 1122 WARN_ON(!list_empty(&fb->filp_head)); 1123 1124 /* 1125 * drm ABI mandates that we remove any deleted framebuffers from active 1126 * usage. But since most sane clients only remove framebuffers they no 1127 * longer need, try to optimize this away. 1128 * 1129 * Since we're holding a reference ourselves, observing a refcount of 1 1130 * means that we're the last holder and can skip it. Also, the refcount 1131 * can never increase from 1 again, so we don't need any barriers or 1132 * locks. 1133 * 1134 * Note that userspace could try to race with use and instate a new 1135 * usage _after_ we've cleared all current ones. End result will be an 1136 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot 1137 * in this manner. 1138 */ 1139 if (drm_framebuffer_read_refcount(fb) > 1) { 1140 if (drm_drv_uses_atomic_modeset(dev)) { 1141 int ret = atomic_remove_fb(fb); 1142 1143 WARN(ret, "atomic remove_fb failed with %i\n", ret); 1144 } else 1145 legacy_remove_fb(fb); 1146 } 1147 1148 drm_framebuffer_put(fb); 1149 } 1150 EXPORT_SYMBOL(drm_framebuffer_remove); 1151 1152 void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent, 1153 const struct drm_framebuffer *fb) 1154 { 1155 unsigned int i; 1156 1157 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm); 1158 drm_printf_indent(p, indent, "refcount=%u\n", 1159 drm_framebuffer_read_refcount(fb)); 1160 drm_printf_indent(p, indent, "format=%p4cc\n", &fb->format->format); 1161 drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier); 1162 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height); 1163 drm_printf_indent(p, indent, "layers:\n"); 1164 1165 for (i = 0; i < fb->format->num_planes; i++) { 1166 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i, 1167 drm_format_info_plane_width(fb->format, fb->width, i), 1168 drm_format_info_plane_height(fb->format, fb->height, i)); 1169 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]); 1170 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]); 1171 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i, 1172 fb->obj[i] ? "" : "(null)"); 1173 if (fb->obj[i]) 1174 drm_gem_print_info(p, indent + 2, fb->obj[i]); 1175 } 1176 } 1177 1178 #ifdef CONFIG_DEBUG_FS 1179 static int drm_framebuffer_info(struct seq_file *m, void *data) 1180 { 1181 struct drm_debugfs_entry *entry = m->private; 1182 struct drm_device *dev = entry->dev; 1183 struct drm_printer p = drm_seq_file_printer(m); 1184 struct drm_framebuffer *fb; 1185 1186 mutex_lock(&dev->mode_config.fb_lock); 1187 drm_for_each_fb(fb, dev) { 1188 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id); 1189 drm_framebuffer_print_info(&p, 1, fb); 1190 } 1191 mutex_unlock(&dev->mode_config.fb_lock); 1192 1193 return 0; 1194 } 1195 1196 static const struct drm_debugfs_info drm_framebuffer_debugfs_list[] = { 1197 { "framebuffer", drm_framebuffer_info, 0 }, 1198 }; 1199 1200 void drm_framebuffer_debugfs_init(struct drm_device *dev) 1201 { 1202 drm_debugfs_add_files(dev, drm_framebuffer_debugfs_list, 1203 ARRAY_SIZE(drm_framebuffer_debugfs_list)); 1204 } 1205 #endif 1206