xref: /linux/drivers/gpu/drm/drm_framebuffer.c (revision 7f71507851fc7764b36a3221839607d3a45c2025)
1 /*
2  * Copyright (c) 2016 Intel Corporation
3  *
4  * Permission to use, copy, modify, distribute, and sell this software and its
5  * documentation for any purpose is hereby granted without fee, provided that
6  * the above copyright notice appear in all copies and that both that copyright
7  * notice and this permission notice appear in supporting documentation, and
8  * that the name of the copyright holders not be used in advertising or
9  * publicity pertaining to distribution of the software without specific,
10  * written prior permission.  The copyright holders make no representations
11  * about the suitability of this software for any purpose.  It is provided "as
12  * is" without express or implied warranty.
13  *
14  * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15  * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16  * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17  * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18  * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19  * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20  * OF THIS SOFTWARE.
21  */
22 
23 #include <linux/export.h>
24 #include <linux/uaccess.h>
25 
26 #include <drm/drm_atomic.h>
27 #include <drm/drm_atomic_uapi.h>
28 #include <drm/drm_auth.h>
29 #include <drm/drm_debugfs.h>
30 #include <drm/drm_drv.h>
31 #include <drm/drm_file.h>
32 #include <drm/drm_fourcc.h>
33 #include <drm/drm_framebuffer.h>
34 #include <drm/drm_gem.h>
35 #include <drm/drm_print.h>
36 #include <drm/drm_util.h>
37 
38 #include "drm_crtc_internal.h"
39 #include "drm_internal.h"
40 
41 /**
42  * DOC: overview
43  *
44  * Frame buffers are abstract memory objects that provide a source of pixels to
45  * scanout to a CRTC. Applications explicitly request the creation of frame
46  * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
47  * handle that can be passed to the KMS CRTC control, plane configuration and
48  * page flip functions.
49  *
50  * Frame buffers rely on the underlying memory manager for allocating backing
51  * storage. When creating a frame buffer applications pass a memory handle
52  * (or a list of memory handles for multi-planar formats) through the
53  * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
54  * buffer management interface this would be a GEM handle.  Drivers are however
55  * free to use their own backing storage object handles, e.g. vmwgfx directly
56  * exposes special TTM handles to userspace and so expects TTM handles in the
57  * create ioctl and not GEM handles.
58  *
59  * Framebuffers are tracked with &struct drm_framebuffer. They are published
60  * using drm_framebuffer_init() - after calling that function userspace can use
61  * and access the framebuffer object. The helper function
62  * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
63  * metadata fields.
64  *
65  * The lifetime of a drm framebuffer is controlled with a reference count,
66  * drivers can grab additional references with drm_framebuffer_get() and drop
67  * them again with drm_framebuffer_put(). For driver-private framebuffers for
68  * which the last reference is never dropped (e.g. for the fbdev framebuffer
69  * when the &struct drm_framebuffer is embedded into the fbdev helper
70  * struct) drivers can manually clean up a framebuffer at module unload time
71  * with drm_framebuffer_unregister_private(). But doing this is not
72  * recommended, and it's better to have a normal free-standing &struct
73  * drm_framebuffer.
74  */
75 
/*
 * Check that a source rectangle lies entirely inside a framebuffer.
 *
 * The src_* values are compared against fb->width/height shifted left by
 * 16, and the debug message splits them into ">> 16" and "& 0xffff"
 * parts, i.e. they are handled as 16.16 fixed point.
 *
 * Each axis is tested as "size <= limit && pos <= limit - size" instead of
 * "pos + size <= limit", so no addition of caller-supplied values can wrap
 * around and let an out-of-range rectangle through.
 *
 * NOTE(review): the "<< 16" on fb->width/height would itself drop high
 * bits for dimensions of 65536 or more; presumably the limits enforced at
 * framebuffer creation keep them below that - confirm.
 *
 * Returns 0 if the rectangle fits, -ENOSPC otherwise.
 */
int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
				     uint32_t src_w, uint32_t src_h,
				     const struct drm_framebuffer *fb)
{
	const unsigned int limit_w = fb->width << 16;
	const unsigned int limit_h = fb->height << 16;

	/* Size is checked first so that "limit - size" cannot underflow. */
	if (src_w <= limit_w && src_x <= limit_w - src_w &&
	    src_h <= limit_h && src_y <= limit_h - src_h)
		return 0;

	drm_dbg_kms(fb->dev, "Invalid source coordinates "
		    "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n",
		    src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
		    src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
		    src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
		    src_y >> 16, ((src_y & 0xffff) * 15625) >> 10,
		    fb->width, fb->height);
	return -ENOSPC;
}
EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_framebuffer_check_src_coords);
103 
/**
 * drm_mode_addfb - add an FB to the graphics configuration
 * @dev: drm device for the ioctl
 * @or: pointer to request structure
 * @file_priv: drm file
 *
 * Legacy ADDFB entry point, which only supported RGB formats. The bpp/depth
 * pair from @or is mapped to a fourcc by drm_driver_legacy_fb_format() and
 * the request is repackaged as a single-plane &struct drm_mode_fb_cmd2 for
 * drm_mode_addfb2(). Size, pitch and handle are passed through unchecked
 * here; they are validated on the drm_mode_addfb2() path.
 *
 * Called by the user via ioctl, or by an in-kernel client.
 *
 * Returns:
 * Zero on success, negative errno on failure.
 */
int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or,
		   struct drm_file *file_priv)
{
	/* Every field not named here starts out zero (unused planes, flags). */
	struct drm_mode_fb_cmd2 cmd2 = {
		.fb_id = or->fb_id,
		.width = or->width,
		.height = or->height,
		.pitches[0] = or->pitch,
		.handles[0] = or->handle,
	};
	int err;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EOPNOTSUPP;

	cmd2.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth);
	if (cmd2.pixel_format == DRM_FORMAT_INVALID) {
		drm_dbg_kms(dev, "bad {bpp:%d, depth:%d}\n", or->bpp, or->depth);
		return -EINVAL;
	}

	/* Hand the converted request to the ADDFB2 implementation. */
	err = drm_mode_addfb2(dev, &cmd2, file_priv);
	if (err)
		return err;

	/* Report the new framebuffer id back through the legacy struct. */
	or->fb_id = cmd2.fb_id;

	return 0;
}
148 
/*
 * ioctl entry point for the legacy ADDFB request: @data is treated as a
 * struct drm_mode_fb_cmd and forwarded to drm_mode_addfb().
 */
int drm_mode_addfb_ioctl(struct drm_device *dev,
			 void *data, struct drm_file *file_priv)
{
	struct drm_mode_fb_cmd *req = data;

	return drm_mode_addfb(dev, req, file_priv);
}
154 
/*
 * Validate the format and per-plane layout of an ADDFB2 request.
 *
 * Called from drm_internal_framebuffer_create() before the driver's
 * fb_create() hook sees the request. The checks are ordered; the first one
 * that fails decides the errno and the debug message.
 *
 * Returns 0 if the request is acceptable, -EINVAL or -ERANGE otherwise.
 */
static int framebuffer_check(struct drm_device *dev,
			     const struct drm_mode_fb_cmd2 *r)
{
	const struct drm_format_info *info;
	int i;

	/* check if the format is supported at all */
	if (!__drm_format_info(r->pixel_format)) {
		drm_dbg_kms(dev, "bad framebuffer format %p4cc\n",
			    &r->pixel_format);
		return -EINVAL;
	}

	if (r->width == 0) {
		drm_dbg_kms(dev, "bad framebuffer width %u\n", r->width);
		return -EINVAL;
	}

	if (r->height == 0) {
		drm_dbg_kms(dev, "bad framebuffer height %u\n", r->height);
		return -EINVAL;
	}

	/* now let the driver pick its own format info */
	info = drm_get_format_info(dev, r);

	/* Planes the format actually uses: each must be fully described. */
	for (i = 0; i < info->num_planes; i++) {
		unsigned int width = drm_format_info_plane_width(info, r->width, i);
		unsigned int height = drm_format_info_plane_height(info, r->height, i);
		unsigned int block_size = info->char_per_block[i];
		u64 min_pitch = drm_format_info_min_pitch(info, i, width);

		/* A format without a block size is only accepted with a non-linear modifier. */
		if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) {
			drm_dbg_kms(dev, "Format requires non-linear modifier for plane %d\n", i);
			return -EINVAL;
		}

		if (!r->handles[i]) {
			drm_dbg_kms(dev, "no buffer object handle for plane %d\n", i);
			return -EINVAL;
		}

		/* min_pitch is computed in 64 bits; it must still fit the 32-bit range. */
		if (min_pitch > UINT_MAX)
			return -ERANGE;

		/*
		 * The plane's extent (height * pitch + offset) is evaluated in
		 * 64 bits, so user-supplied pitch and offset cannot wrap the
		 * product before it is compared against UINT_MAX.
		 */
		if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
			return -ERANGE;

		/* The minimum-pitch rule is skipped when the format has no block size. */
		if (block_size && r->pitches[i] < min_pitch) {
			drm_dbg_kms(dev, "bad pitch %u for plane %d\n", r->pitches[i], i);
			return -EINVAL;
		}

		/* A non-zero modifier is only valid when DRM_MODE_FB_MODIFIERS is set. */
		if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
			drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n",
				    r->modifier[i], i);
			return -EINVAL;
		}

		/* With modifiers enabled, every used plane must carry plane 0's modifier. */
		if (r->flags & DRM_MODE_FB_MODIFIERS &&
		    r->modifier[i] != r->modifier[0]) {
			drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n",
				    r->modifier[i], i);
			return -EINVAL;
		}

		/* modifier specific checks: */
		switch (r->modifier[i]) {
		case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE:
			/* NOTE: the pitch restriction may be lifted later if it turns
			 * out that no hw has this restriction:
			 */
			if (r->pixel_format != DRM_FORMAT_NV12 ||
					width % 128 || height % 32 ||
					r->pitches[i] % 128) {
				drm_dbg_kms(dev, "bad modifier data for plane %d\n", i);
				return -EINVAL;
			}
			break;

		default:
			break;
		}
	}

	/*
	 * Planes beyond num_planes (up to the 4 array slots) must not carry
	 * data: a stray modifier is always rejected, stray handles, pitches
	 * and offsets only when the caller set DRM_MODE_FB_MODIFIERS.
	 */
	for (i = info->num_planes; i < 4; i++) {
		if (r->modifier[i]) {
			drm_dbg_kms(dev, "non-zero modifier for unused plane %d\n", i);
			return -EINVAL;
		}

		/* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
		if (!(r->flags & DRM_MODE_FB_MODIFIERS))
			continue;

		if (r->handles[i]) {
			drm_dbg_kms(dev, "buffer object handle for unused plane %d\n", i);
			return -EINVAL;
		}

		if (r->pitches[i]) {
			drm_dbg_kms(dev, "non-zero pitch for unused plane %d\n", i);
			return -EINVAL;
		}

		if (r->offsets[i]) {
			drm_dbg_kms(dev, "non-zero offset for unused plane %d\n", i);
			return -EINVAL;
		}
	}

	return 0;
}
268 
/*
 * Validate an ADDFB2 request and ask the driver to create the framebuffer.
 *
 * Checks run in this order: unknown flag bits, width and height against
 * the device's mode_config limits, modifier support, then the per-plane
 * checks in framebuffer_check(). Only a request that passes all of them
 * reaches the driver's fb_create() hook.
 *
 * Returns the new framebuffer, or an ERR_PTR() value on failure.
 */
struct drm_framebuffer *
drm_internal_framebuffer_create(struct drm_device *dev,
				const struct drm_mode_fb_cmd2 *r,
				struct drm_file *file_priv)
{
	struct drm_mode_config *config = &dev->mode_config;
	struct drm_framebuffer *fb;
	int err;

	/* Any flag bit other than the two known ones is rejected. */
	if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) {
		drm_dbg_kms(dev, "bad framebuffer flags 0x%08x\n", r->flags);
		return ERR_PTR(-EINVAL);
	}

	if (r->width < config->min_width || r->width > config->max_width) {
		drm_dbg_kms(dev, "bad framebuffer width %d, should be >= %d && <= %d\n",
			    r->width, config->min_width, config->max_width);
		return ERR_PTR(-EINVAL);
	}

	if (r->height < config->min_height || r->height > config->max_height) {
		drm_dbg_kms(dev, "bad framebuffer height %d, should be >= %d && <= %d\n",
			    r->height, config->min_height, config->max_height);
		return ERR_PTR(-EINVAL);
	}

	if (config->fb_modifiers_not_supported &&
	    (r->flags & DRM_MODE_FB_MODIFIERS)) {
		drm_dbg_kms(dev, "driver does not support fb modifiers\n");
		return ERR_PTR(-EINVAL);
	}

	err = framebuffer_check(dev, r);
	if (err)
		return ERR_PTR(err);

	/* The driver's error pointer, if any, is passed through unchanged. */
	fb = config->funcs->fb_create(dev, file_priv, r);
	if (IS_ERR(fb))
		drm_dbg_kms(dev, "could not create framebuffer\n");

	return fb;
}
EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create);
313 
/**
 * drm_mode_addfb2 - add an FB to the graphics configuration
 * @dev: drm device for the ioctl
 * @data: data pointer for the ioctl
 * @file_priv: drm file for the ioctl call
 *
 * Second version of the addfb ioctl, which supports multi-planar
 * framebuffers and uses fourcc codes as pixel format specifiers. The request
 * is validated and created through drm_internal_framebuffer_create(); the
 * resulting framebuffer is then linked into @file_priv's fbs list.
 *
 * Called by the user via ioctl.
 *
 * Returns:
 * Zero on success, negative errno on failure.
 */
int drm_mode_addfb2(struct drm_device *dev,
		    void *data, struct drm_file *file_priv)
{
	struct drm_mode_fb_cmd2 *req = data;
	struct drm_framebuffer *new_fb;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EOPNOTSUPP;

	new_fb = drm_internal_framebuffer_create(dev, req, file_priv);
	if (IS_ERR(new_fb))
		return PTR_ERR(new_fb);

	/* Report the id of the new object back in the request. */
	req->fb_id = new_fb->base.id;
	drm_dbg_kms(dev, "[FB:%d]\n", new_fb->base.id);

	/*
	 * Transfer ownership to the filp for reaping on close. The list is
	 * only touched under fbs_lock.
	 */
	mutex_lock(&file_priv->fbs_lock);
	list_add(&new_fb->filp_head, &file_priv->fbs);
	mutex_unlock(&file_priv->fbs_lock);

	return 0;
}
352 
/*
 * ioctl entry point for ADDFB2. On big-endian builds the request is refused
 * with -EOPNOTSUPP unless the driver set quirk_addfb_prefer_host_byte_order;
 * everything else is forwarded to drm_mode_addfb2().
 */
int drm_mode_addfb2_ioctl(struct drm_device *dev,
			  void *data, struct drm_file *file_priv)
{
#ifdef __BIG_ENDIAN
	const bool host_byte_order =
		dev->mode_config.quirk_addfb_prefer_host_byte_order;

	/*
	 * Without the quirk the drm_mode_addfb() compat code interprets
	 * pixel_format values incorrectly on bigendian machines (kept that
	 * way for bug compatibility), which in turn means ADDFB2 cannot
	 * work correctly either. Refuse it so that userspace falls back to
	 * ADDFB.
	 */
	if (!host_byte_order) {
		drm_dbg_kms(dev, "addfb2 broken on bigendian");
		return -EOPNOTSUPP;
	}
#endif
	return drm_mode_addfb2(dev, data, file_priv);
}
376 
/*
 * Work item that carries a batch of framebuffers to
 * drm_mode_rmfb_work_fn(). Both users in this file, drm_mode_rmfb() and
 * drm_fb_release(), keep it on their own stack and call flush_work() before
 * it goes out of scope.
 */
struct drm_mode_rmfb_work {
	struct work_struct work;	/* initialised with INIT_WORK_ONSTACK() */
	struct list_head fbs;		/* framebuffers to remove, linked through filp_head */
};
381 
/*
 * Work handler: drain the fbs list of the enclosing drm_mode_rmfb_work,
 * unlinking each framebuffer and passing it to drm_framebuffer_remove().
 */
static void drm_mode_rmfb_work_fn(struct work_struct *w)
{
	struct drm_mode_rmfb_work *job =
		container_of(w, struct drm_mode_rmfb_work, work);
	struct drm_framebuffer *fb;

	while (!list_empty(&job->fbs)) {
		fb = list_first_entry(&job->fbs, struct drm_framebuffer,
				      filp_head);

		drm_dbg_kms(fb->dev,
			    "Removing [FB:%d] from all active usage due to RMFB ioctl\n",
			    fb->base.id);

		/* Unlink before removal so filp_head is empty afterwards. */
		list_del_init(&fb->filp_head);
		drm_framebuffer_remove(fb);
	}
}
397 
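/*
 * Detach @fb from @file_priv and drop the reference held by the file's
 * fbs list.
 *
 * The framebuffer is only unlinked if it is actually found on
 * @file_priv->fbs, so a file cannot close a framebuffer that is owned by
 * another file. The scan and the unlink both happen under fbs_lock.
 *
 * Returns 0 on success, -ENOENT if @fb is not on this file's list.
 */
static int drm_mode_closefb(struct drm_framebuffer *fb,
			    struct drm_file *file_priv)
{
	struct drm_framebuffer *fbl;
	bool found = false;

	mutex_lock(&file_priv->fbs_lock);
	list_for_each_entry(fbl, &file_priv->fbs, filp_head) {
		if (fb == fbl) {
			found = true;
			/* Nothing more to learn from the rest of the list. */
			break;
		}
	}

	if (!found) {
		mutex_unlock(&file_priv->fbs_lock);
		return -ENOENT;
	}

	list_del_init(&fb->filp_head);
	mutex_unlock(&file_priv->fbs_lock);

	/* Drop the reference that was stored in the fbs list */
	drm_framebuffer_put(fb);

	return 0;
}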
422 
/**
 * drm_mode_rmfb - remove an FB from the configuration
 * @dev: drm device
 * @fb_id: id of framebuffer to remove
 * @file_priv: drm file
 *
 * Look up the FB by id, detach it from @file_priv with drm_mode_closefb()
 * and then release it. If other references remain, the removal from active
 * usage is run from a work item and waited for.
 *
 * Called by the user via ioctl, or by an in-kernel client.
 *
 * Returns:
 * Zero on success, negative errno on failure.
 */
int drm_mode_rmfb(struct drm_device *dev, u32 fb_id,
		  struct drm_file *file_priv)
{
	struct drm_mode_rmfb_work arg;
	struct drm_framebuffer *fb;
	int err;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EOPNOTSUPP;

	/* The lookup takes a reference that this function must release. */
	fb = drm_framebuffer_lookup(dev, file_priv, fb_id);
	if (!fb)
		return -ENOENT;

	/* Fails with -ENOENT when the fb is not on this file's list. */
	err = drm_mode_closefb(fb, file_priv);
	if (err != 0) {
		drm_framebuffer_put(fb);
		return err;
	}

	/* Only the lookup reference is left: a plain put is enough. */
	if (drm_framebuffer_read_refcount(fb) <= 1) {
		drm_framebuffer_put(fb);
		return 0;
	}

	/*
	 * drm_framebuffer_remove may fail with -EINTR on pending signals,
	 * so run this in a separate stack as there's no way to correctly
	 * handle this after the fb is already removed from the lookup table.
	 */
	INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
	INIT_LIST_HEAD(&arg.fbs);
	drm_WARN_ON(dev, !list_empty(&fb->filp_head));
	list_add_tail(&fb->filp_head, &arg.fbs);

	/* arg lives on this stack, so wait for the work before returning. */
	schedule_work(&arg.work);
	flush_work(&arg.work);
	destroy_work_on_stack(&arg.work);

	return 0;
}
476 
/*
 * ioctl entry point for RMFB: @data points at the 32-bit framebuffer id,
 * which is passed on to drm_mode_rmfb().
 */
int drm_mode_rmfb_ioctl(struct drm_device *dev,
			void *data, struct drm_file *file_priv)
{
	return drm_mode_rmfb(dev, *(uint32_t *)data, file_priv);
}
484 
/*
 * ioctl entry point for CLOSEFB: detach the framebuffer named by the
 * request from @file_priv via drm_mode_closefb().
 *
 * Returns 0 on success, -EOPNOTSUPP without DRIVER_MODESET, -EINVAL if the
 * pad field is non-zero, -ENOENT if the id cannot be looked up or the
 * framebuffer is not on this file's list.
 */
int drm_mode_closefb_ioctl(struct drm_device *dev,
			   void *data, struct drm_file *file_priv)
{
	struct drm_mode_closefb *req = data;
	struct drm_framebuffer *fb;
	int err;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EOPNOTSUPP;

	/* The padding field must be zero. */
	if (req->pad)
		return -EINVAL;

	fb = drm_framebuffer_lookup(dev, file_priv, req->fb_id);
	if (!fb)
		return -ENOENT;

	err = drm_mode_closefb(fb, file_priv);

	/* Release the lookup reference whether or not the close succeeded. */
	drm_framebuffer_put(fb);

	return err;
}
506 
/**
 * drm_mode_getfb - get FB info
 * @dev: drm device for the ioctl
 * @data: data pointer for the ioctl
 * @file_priv: drm file for the ioctl call
 *
 * Lookup the FB given its ID and return info about it. Only single-plane
 * framebuffers are handled; the buffer handle is only filled in for the
 * current master or a caller with CAP_SYS_ADMIN.
 *
 * Called by the user via ioctl.
 *
 * Returns:
 * Zero on success, negative errno on failure.
 */
int drm_mode_getfb(struct drm_device *dev,
		   void *data, struct drm_file *file_priv)
{
	struct drm_mode_fb_cmd *req = data;
	struct drm_framebuffer *fb;
	int ret;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EOPNOTSUPP;

	fb = drm_framebuffer_lookup(dev, file_priv, req->fb_id);
	if (!fb)
		return -ENOENT;

	if (fb->format->num_planes > 1) {
		/* Multi-planar framebuffers need getfb2. */
		ret = -EINVAL;
	} else if (!fb->funcs->create_handle) {
		ret = -ENODEV;
	} else {
		req->height = fb->height;
		req->width = fb->width;
		req->depth = fb->format->depth;
		req->bpp = drm_format_info_bpp(fb->format, 0);
		req->pitch = fb->pitches[0];

		/*
		 * GET_FB() is an unprivileged ioctl so we must not return a
		 * buffer-handle to non-master processes! For
		 * backwards-compatibility reasons, we cannot make GET_FB()
		 * privileged, so just return an invalid handle for
		 * non-masters.
		 */
		if (drm_is_current_master(file_priv) ||
		    capable(CAP_SYS_ADMIN)) {
			ret = fb->funcs->create_handle(fb, file_priv,
						       &req->handle);
		} else {
			req->handle = 0;
			ret = 0;
		}
	}

	/* Every path after the lookup releases its reference here. */
	drm_framebuffer_put(fb);
	return ret;
}
568 
/**
 * drm_mode_getfb2_ioctl - get extended FB info
 * @dev: drm device for the ioctl
 * @data: data pointer for the ioctl
 * @file_priv: drm file for the ioctl call
 *
 * Lookup the FB given its ID and return info about it. Size, format, pitches,
 * offsets and (if supported) modifiers are returned to every caller; buffer
 * handles are only created for the current master or a caller with
 * CAP_SYS_ADMIN and are reported as 0 otherwise.
 *
 * Called by the user via ioctl.
 *
 * Returns:
 * Zero on success, negative errno on failure.
 */
int drm_mode_getfb2_ioctl(struct drm_device *dev,
			  void *data, struct drm_file *file_priv)
{
	struct drm_mode_fb_cmd2 *r = data;
	struct drm_framebuffer *fb;
	unsigned int i;
	int ret = 0;

	/*
	 * NOTE(review): this returns -EINVAL where the other ioctls in this
	 * file return -EOPNOTSUPP for a missing DRIVER_MODESET; possibly kept
	 * for userspace compatibility - confirm before changing.
	 */
	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EINVAL;

	fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
	if (!fb)
		return -ENOENT;

	/* For multi-plane framebuffers, we require the driver to place the
	 * GEM objects directly in the drm_framebuffer. For single-plane
	 * framebuffers, we can fall back to create_handle.
	 */
	if (!fb->obj[0] &&
	    (fb->format->num_planes > 1 || !fb->funcs->create_handle)) {
		ret = -ENODEV;
		goto out;
	}

	r->height = fb->height;
	r->width = fb->width;
	r->pixel_format = fb->format->format;

	r->flags = 0;
	if (!dev->mode_config.fb_modifiers_not_supported)
		r->flags |= DRM_MODE_FB_MODIFIERS;

	/*
	 * Clear every per-plane slot first, so that unused planes and the
	 * handles of unprivileged callers are reported as 0 rather than as
	 * whatever the request struct contained on entry.
	 */
	for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
		r->handles[i] = 0;
		r->pitches[i] = 0;
		r->offsets[i] = 0;
		r->modifier[i] = 0;
	}

	for (i = 0; i < fb->format->num_planes; i++) {
		r->pitches[i] = fb->pitches[i];
		r->offsets[i] = fb->offsets[i];
		if (!dev->mode_config.fb_modifiers_not_supported)
			r->modifier[i] = fb->modifier;
	}

	/* GET_FB2() is an unprivileged ioctl so we must not return a
	 * buffer-handle to non master/root processes! To match GET_FB()
	 * just return invalid handles (0) for non masters/root
	 * rather than making GET_FB2() privileged.
	 */
	if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
		ret = 0;
		goto out;
	}

	for (i = 0; i < fb->format->num_planes; i++) {
		int j;

		/* If we reuse the same object for multiple planes, also
		 * return the same handle.
		 */
		for (j = 0; j < i; j++) {
			if (fb->obj[i] == fb->obj[j]) {
				r->handles[i] = r->handles[j];
				break;
			}
		}

		/* A handle copied from an earlier plane needs no new one. */
		if (r->handles[i])
			continue;

		if (fb->obj[i]) {
			ret = drm_gem_handle_create(file_priv, fb->obj[i],
						    &r->handles[i]);
		} else {
			/* Only plane 0 may lack an object (see the check above). */
			WARN_ON(i > 0);
			ret = fb->funcs->create_handle(fb, file_priv,
						       &r->handles[i]);
		}

		if (ret != 0)
			goto out;
	}

out:
	if (ret != 0) {
		/*
		 * Delete any previously-created handles on failure.
		 *
		 * NOTE(review): r->handles[i] itself keeps the deleted value;
		 * only later duplicates are zeroed. Whether the request is
		 * copied back to userspace on error is decided outside this
		 * function - confirm that no stale handle value is exposed.
		 */
		for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
			int j;

			if (r->handles[i])
				drm_gem_handle_delete(file_priv, r->handles[i]);

			/* Zero out any handles identical to the one we just
			 * deleted.
			 */
			for (j = i + 1; j < ARRAY_SIZE(r->handles); j++) {
				if (r->handles[j] == r->handles[i])
					r->handles[j] = 0;
			}
		}
	}

	/* Drop the reference taken by drm_framebuffer_lookup(). */
	drm_framebuffer_put(fb);
	return ret;
}
690 
/**
 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
 * @dev: drm device for the ioctl
 * @data: data pointer for the ioctl
 * @file_priv: drm file for the ioctl call
 *
 * Lookup the FB and flush out the damaged area supplied by userspace as a clip
 * rectangle list. Generic userspace which does frontbuffer rendering must call
 * this ioctl to flush out the changes on manual-update display outputs, e.g.
 * usb display-link, mipi manual update panels or edp panel self refresh modes.
 *
 * The clip list is copied from userspace into a kernel buffer after its
 * length has been checked against DRM_MODE_FB_DIRTY_MAX_CLIPS; the driver
 * callback only ever sees the kernel copy.
 *
 * Modesetting drivers which always update the frontbuffer do not need to
 * implement the corresponding &drm_framebuffer_funcs.dirty callback.
 *
 * Called by the user via ioctl.
 *
 * Returns:
 * Zero on success, negative errno on failure.
 */
int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
			   void *data, struct drm_file *file_priv)
{
	struct drm_mode_fb_dirty_cmd *req = data;
	struct drm_clip_rect __user *user_clips;
	struct drm_clip_rect *clips = NULL;
	struct drm_framebuffer *fb;
	unsigned flags;
	int num_clips;
	int ret;

	if (!drm_core_check_feature(dev, DRIVER_MODESET))
		return -EOPNOTSUPP;

	fb = drm_framebuffer_lookup(dev, file_priv, req->fb_id);
	if (!fb)
		return -ENOENT;

	num_clips = req->num_clips;
	user_clips = (struct drm_clip_rect __user *)(unsigned long)req->clips_ptr;

	/* Bits outside DRM_MODE_FB_DIRTY_FLAGS are masked off, not rejected. */
	flags = DRM_MODE_FB_DIRTY_FLAGS & req->flags;

	/* The three argument checks below all fail with -EINVAL. */
	ret = -EINVAL;

	/* A count without a pointer, or a pointer without a count, is invalid. */
	if (!num_clips != !user_clips)
		goto put_fb;

	/* If userspace annotates copy, clips must come in pairs */
	if ((flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY) && (num_clips % 2))
		goto put_fb;

	if (num_clips && user_clips) {
		/*
		 * num_clips is a signed copy of the user's value: reject
		 * negative and oversized counts before it sizes the
		 * allocation and the copy.
		 */
		if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS)
			goto put_fb;

		clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
		if (!clips) {
			ret = -ENOMEM;
			goto put_fb;
		}

		if (copy_from_user(clips, user_clips,
				   num_clips * sizeof(*clips))) {
			ret = -EFAULT;
			goto free_clips;
		}
	}

	if (fb->funcs->dirty)
		ret = fb->funcs->dirty(fb, file_priv, flags, req->color,
				       clips, num_clips);
	else
		ret = -ENOSYS;

free_clips:
	kfree(clips);
put_fb:
	drm_framebuffer_put(fb);

	return ret;
}
777 
/**
 * drm_fb_release - remove and free the FBs on this file
 * @priv: drm file whose framebuffers are released
 *
 * Walk the fbs list of @priv and drop the reference it holds on each
 * framebuffer. Framebuffers that still have other references are collected
 * and handed to drm_mode_rmfb_work_fn() through an on-stack work item, which
 * is waited for before returning.
 *
 * Meant for the point where the file is released; see the locking comment
 * in the function body. This function does not return a value.
 */
void drm_fb_release(struct drm_file *priv)
{
	struct drm_mode_rmfb_work arg;
	struct drm_framebuffer *fb, *next;

	INIT_LIST_HEAD(&arg.fbs);

	/*
	 * When the file gets released that means no one else can access the fb
	 * list any more, so no need to grab fpriv->fbs_lock. And we need to
	 * avoid upsetting lockdep since the universal cursor code adds a
	 * framebuffer while holding mutex locks.
	 *
	 * Note that a real deadlock between fpriv->fbs_lock and the modeset
	 * locks is impossible here since no one else but this function can get
	 * at it any more.
	 */
	list_for_each_entry_safe(fb, next, &priv->fbs, filp_head) {
		if (drm_framebuffer_read_refcount(fb) <= 1) {
			list_del_init(&fb->filp_head);

			/* This drops the fpriv->fbs reference. */
			drm_framebuffer_put(fb);
			continue;
		}

		/* Still referenced elsewhere: defer to the work item. */
		list_move_tail(&fb->filp_head, &arg.fbs);
	}

	if (list_empty(&arg.fbs))
		return;

	/* arg is on this stack, so the work must finish before we return. */
	INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);

	schedule_work(&arg.work);
	flush_work(&arg.work);
	destroy_work_on_stack(&arg.work);
}
825 
/*
 * kref release callback for a framebuffer (it is the callback passed to
 * __drm_mode_object_add() in drm_framebuffer_init()).
 *
 * Warns if the framebuffer is still linked through filp_head, unregisters
 * the mode object and then calls the driver's destroy() hook.
 */
void drm_framebuffer_free(struct kref *kref)
{
	struct drm_framebuffer *fb;

	fb = container_of(kref, struct drm_framebuffer, base.refcount);

	/* A framebuffer being freed must no longer sit on any filp list. */
	drm_WARN_ON(fb->dev, !list_empty(&fb->filp_head));

	/*
	 * The lookup idr holds a weak reference, which has not necessarily been
	 * removed at this point. Check for that.
	 */
	drm_mode_object_unregister(fb->dev, &fb->base);

	fb->funcs->destroy(fb);
}
EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_framebuffer_free);
843 
/**
 * drm_framebuffer_init - initialize a framebuffer
 * @dev: DRM device
 * @fb: framebuffer to be initialized
 * @funcs: ... with these functions
 *
 * Sets the framebuffer's function table, records the creating task's comm,
 * allocates an ID for the framebuffer's parent mode object, links the
 * framebuffer into the device's mode_config.fb_list and registers the mode
 * object.
 *
 * IMPORTANT:
 * This function publishes the fb and makes it available for concurrent access
 * by other users. Which means by this point the fb _must_ be fully set up -
 * since all the fb attributes are invariant over its lifetime, no further
 * locking but only correct reference counting is required.
 *
 * Returns:
 * Zero on success, error code on failure.
 */
int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
			 const struct drm_framebuffer_funcs *funcs)
{
	struct drm_mode_config *config = &dev->mode_config;
	int err;

	/* The caller must have set fb->dev and fb->format beforehand. */
	if (WARN_ON_ONCE(fb->dev != dev || !fb->format))
		return -EINVAL;

	fb->funcs = funcs;
	INIT_LIST_HEAD(&fb->filp_head);
	strscpy(fb->comm, current->comm);

	err = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB,
				    false, drm_framebuffer_free);
	if (err)
		return err;

	mutex_lock(&config->fb_lock);
	list_add(&fb->head, &config->fb_list);
	config->num_fb++;
	mutex_unlock(&config->fb_lock);

	/* Registration is the last step, after the fb is on the device list. */
	drm_mode_object_register(dev, &fb->base);

	return 0;
}
EXPORT_SYMBOL(drm_framebuffer_init);
890 
/**
 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
 * @dev: drm device
 * @file_priv: drm file to check for lease against.
 * @id: id of the fb object
 *
 * If successful, this grabs an additional reference to the framebuffer -
 * callers need to make sure to eventually unreference the returned framebuffer
 * again, using drm_framebuffer_put().
 *
 * Returns:
 * The framebuffer, or NULL if no framebuffer object is found for @id.
 */
struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
					       struct drm_file *file_priv,
					       uint32_t id)
{
	struct drm_mode_object *obj;

	/* Restricting the search to DRM_MODE_OBJECT_FB keeps other object ids out. */
	obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB);
	if (!obj)
		return NULL;

	return obj_to_fb(obj);
}
EXPORT_SYMBOL(drm_framebuffer_lookup);
914 
/**
 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
 * @fb: fb to unregister, may be NULL
 *
 * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
 * those used for fbdev. Note that the caller must hold a reference of its own,
 * i.e. the object may not be destroyed through this call (since it'll lead to a
 * locking inversion).
 *
 * NOTE: This function is deprecated. For driver-private framebuffers it is not
 * recommended to embed a framebuffer struct into the fbdev struct; instead, a
 * framebuffer pointer is preferred and drm_framebuffer_put() should be called
 * when the framebuffer is to be cleaned up.
 */
void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
{
	/* A NULL framebuffer is accepted and ignored. */
	if (!fb)
		return;

	/* Mark fb as reaped and drop idr ref. */
	drm_mode_object_unregister(fb->dev, &fb->base);
}
EXPORT_SYMBOL(drm_framebuffer_unregister_private);
942 
/**
 * drm_framebuffer_cleanup - remove a framebuffer object
 * @fb: framebuffer to remove
 *
 * Cleanup framebuffer: unlink it from the device's framebuffer list and
 * decrement the framebuffer count, both under mode_config.fb_lock. This
 * function is intended to be used from the drivers
 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up
 * driver private framebuffers embedded into a larger structure.
 *
 * Note that this function does not remove the fb from active usage - if it is
 * still used anywhere, hilarity can ensue since userspace could call getfb on
 * the id and get back -EINVAL. Obviously no concern at driver unload time.
 *
 * Also, the framebuffer will not be removed from the lookup idr - for
 * user-created framebuffers this will happen in the rmfb ioctl. For
 * driver-private objects (e.g. for fbdev) drivers need to explicitly call
 * drm_framebuffer_unregister_private.
 */
void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
{
	struct drm_mode_config *config = &fb->dev->mode_config;

	mutex_lock(&config->fb_lock);
	config->num_fb--;
	list_del(&fb->head);
	mutex_unlock(&config->fb_lock);
}
EXPORT_SYMBOL(drm_framebuffer_cleanup);
970 
/*
 * Detach @fb from every plane that currently scans it out, using an atomic
 * commit.
 *
 * The function has two retry loops:
 *  - "retry": taken on -EDEADLK, after clearing the state and backing off
 *    the acquire context;
 *  - "retry_disable": taken once, when the first attempt ends with -EINVAL.
 *    The second attempt runs with disable_crtcs set and additionally turns
 *    off the CRTC whose primary plane uses @fb.
 *
 * Returns 0 on success or a negative errno.
 */
static int atomic_remove_fb(struct drm_framebuffer *fb)
{
	struct drm_modeset_acquire_ctx ctx;
	struct drm_device *dev = fb->dev;
	struct drm_atomic_state *state;
	struct drm_plane *plane;
	struct drm_connector *conn __maybe_unused;
	struct drm_connector_state *conn_state;
	int i, ret;
	unsigned plane_mask;
	bool disable_crtcs = false;

retry_disable:
	drm_modeset_acquire_init(&ctx, 0);

	state = drm_atomic_state_alloc(dev);
	if (!state) {
		ret = -ENOMEM;
		/* No state to put; "out" only tears down the acquire context. */
		goto out;
	}
	state->acquire_ctx = &ctx;

retry:
	/* Restarted from scratch on every pass, including after a backoff. */
	plane_mask = 0;
	ret = drm_modeset_lock_all_ctx(dev, &ctx);
	if (ret)
		goto unlock;

	drm_for_each_plane(plane, dev) {
		struct drm_plane_state *plane_state;

		/* Only planes currently showing this fb are touched. */
		if (plane->state->fb != fb)
			continue;

		drm_dbg_kms(dev,
			    "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
			    plane->base.id, plane->name, fb->base.id);

		plane_state = drm_atomic_get_plane_state(state, plane);
		if (IS_ERR(plane_state)) {
			ret = PTR_ERR(plane_state);
			goto unlock;
		}

		if (disable_crtcs && plane_state->crtc->primary == plane) {
			struct drm_crtc_state *crtc_state;

			drm_dbg_kms(dev,
				    "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
				    plane_state->crtc->base.id,
				    plane_state->crtc->name, fb->base.id);

			/*
			 * NOTE(review): crtc_state is dereferenced below
			 * without a NULL check; presumably the earlier
			 * drm_atomic_get_plane_state() already added the
			 * CRTC state to @state - confirm.
			 */
			crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc);

			ret = drm_atomic_add_affected_connectors(state, plane_state->crtc);
			if (ret)
				goto unlock;

			crtc_state->active = false;
			ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL);
			if (ret)
				goto unlock;
		}

		/* Clear both the fb and the CRTC binding of the plane. */
		drm_atomic_set_fb_for_plane(plane_state, NULL);
		ret = drm_atomic_set_crtc_for_plane(plane_state, NULL);
		if (ret)
			goto unlock;

		plane_mask |= drm_plane_mask(plane);
	}

	/* This list is only filled when disable_crtcs is set. */
	for_each_new_connector_in_state(state, conn, conn_state, i) {
		ret = drm_atomic_set_crtc_for_connector(conn_state, NULL);

		if (ret)
			goto unlock;
	}

	/* Nothing to commit if no plane was using the fb. */
	if (plane_mask)
		ret = drm_atomic_commit(state);

unlock:
	if (ret == -EDEADLK) {
		/* Lock contention: reset the state, back off and try again. */
		drm_atomic_state_clear(state);
		drm_modeset_backoff(&ctx);
		goto retry;
	}

	drm_atomic_state_put(state);

out:
	drm_modeset_drop_locks(&ctx);
	drm_modeset_acquire_fini(&ctx);

	/* One more attempt, this time also disabling the affected CRTCs. */
	if (ret == -EINVAL && !disable_crtcs) {
		disable_crtcs = true;
		goto retry_disable;
	}

	return ret;
}
1074 
/*
 * legacy_remove_fb - detach @fb from all CRTCs and planes (non-atomic path)
 * @fb: framebuffer that is being removed
 *
 * Holds all modeset locks for the duration of both passes. Failures are not
 * reported to the caller; a failed CRTC disable is only logged.
 */
static void legacy_remove_fb(struct drm_framebuffer *fb)
{
	struct drm_device *dev = fb->dev;
	struct drm_plane *plane;
	struct drm_crtc *crtc;

	drm_modeset_lock_all(dev);

	/* Pass 1: switch off every CRTC whose primary plane shows @fb. */
	drm_for_each_crtc(crtc, dev) {
		if (crtc->primary->fb != fb)
			continue;

		drm_dbg_kms(dev,
			    "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
			    crtc->base.id, crtc->name, fb->base.id);

		/*
		 * This is expected to turn the CRTC off. On failure the CRTC
		 * may still reference @fb and all we can do is log it.
		 */
		if (drm_crtc_force_disable(crtc))
			DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
	}

	/* Pass 2: disable any remaining plane that still points at @fb. */
	drm_for_each_plane(plane, dev) {
		if (plane->fb != fb)
			continue;

		drm_dbg_kms(dev,
			    "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
			    plane->base.id, plane->name, fb->base.id);
		drm_plane_force_disable(plane);
	}

	drm_modeset_unlock_all(dev);
}
1105 
/**
 * drm_framebuffer_remove - remove and unreference a framebuffer object
 * @fb: framebuffer to remove
 *
 * Scans all the CRTCs and planes of @fb's device. Wherever one of them is
 * still using @fb, the framebuffer is detached there (set to NULL). After
 * that the reference passed in by the caller is dropped. Might take the
 * modeset locks.
 *
 * If the caller holds the last reference, the scan is skipped altogether and
 * the modeset locks are guaranteed not to be taken.
 */
void drm_framebuffer_remove(struct drm_framebuffer *fb)
{
	struct drm_device *dev;

	if (!fb)
		return;

	dev = fb->dev;

	/* Warn if @fb is still linked on a filp_head list at this point. */
	drm_WARN_ON(dev, !list_empty(&fb->filp_head));

	/*
	 * The drm ABI requires that a deleted framebuffer is taken out of
	 * active usage. Most sane clients only remove framebuffers they no
	 * longer need, so the common case is optimized away.
	 *
	 * We hold a reference ourselves. Seeing a refcount of 1 therefore
	 * means we are the last holder and nothing can be scanning out of
	 * @fb. The refcount can never go up from 1 again, which is why this
	 * check needs neither barriers nor locks.
	 *
	 * Userspace could race with us and establish a new usage _after_ all
	 * current ones have been cleared. The end result is an in-use fb with
	 * fb-id == 0. Userspace is allowed to shoot its own foot like that.
	 */
	if (drm_framebuffer_read_refcount(fb) > 1) {
		if (!drm_drv_uses_atomic_modeset(dev)) {
			legacy_remove_fb(fb);
		} else {
			int ret = atomic_remove_fb(fb);

			/* A failure means some plane may still point at @fb. */
			WARN(ret, "atomic remove_fb failed with %i\n", ret);
		}
	}

	drm_framebuffer_put(fb);
}
EXPORT_SYMBOL(drm_framebuffer_remove);
1156 
/*
 * drm_framebuffer_print_info - dump a framebuffer's metadata through a printer
 * @p: printer that receives the output
 * @indent: indentation level of the top-level lines
 * @fb: framebuffer to describe
 *
 * Prints the allocating task name, refcount, format, modifier and size, then
 * one group of lines per format plane with that plane's size, pitch, offset
 * and backing object.
 *
 * The caller has to keep @fb valid for the duration of the call; the debugfs
 * user in this file does so by holding fb_lock while walking the fb list.
 */
void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent,
				const struct drm_framebuffer *fb)
{
	const struct drm_format_info *info = fb->format;
	unsigned int layer;

	drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm);
	drm_printf_indent(p, indent, "refcount=%u\n",
			  drm_framebuffer_read_refcount(fb));
	drm_printf_indent(p, indent, "format=%p4cc\n", &info->format);
	drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier);
	drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height);
	drm_printf_indent(p, indent, "layers:\n");

	/*
	 * NOTE(review): pitches[], offsets[] and obj[] are indexed up to
	 * num_planes; this assumes num_planes never exceeds the size of those
	 * arrays - confirm where the format is validated.
	 */
	for (layer = 0; layer < info->num_planes; layer++) {
		struct drm_gem_object *obj = fb->obj[layer];

		drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", layer,
				  drm_format_info_plane_width(info, fb->width, layer),
				  drm_format_info_plane_height(info, fb->height, layer));
		drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", layer,
				  fb->pitches[layer]);
		drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", layer,
				  fb->offsets[layer]);

		/* A plane without a backing object is reported as "(null)". */
		if (!obj) {
			drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", layer,
					  "(null)");
			continue;
		}

		drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", layer, "");
		drm_gem_print_info(p, indent + 2, obj);
	}
}
1182 
1183 #ifdef CONFIG_DEBUG_FS
/*
 * drm_framebuffer_info - debugfs show callback listing every framebuffer
 * @m: seq_file being filled; m->private carries the drm_debugfs_entry
 * @data: unused
 *
 * Walks the device's framebuffer list under fb_lock and prints one
 * "framebuffer[id]:" header followed by drm_framebuffer_print_info() output
 * for each entry. Always returns 0.
 *
 * NOTE(review): the output includes the allocating task's comm and GEM object
 * details, so it relies on debugfs being readable by privileged users only -
 * confirm for the deployment.
 */
static int drm_framebuffer_info(struct seq_file *m, void *data)
{
	struct drm_debugfs_entry *entry = m->private;
	struct drm_device *dev = entry->dev;
	struct mutex *fb_lock = &dev->mode_config.fb_lock;
	struct drm_printer p = drm_seq_file_printer(m);
	struct drm_framebuffer *fb;

	/* The list must not change while it is being printed. */
	mutex_lock(fb_lock);
	drm_for_each_fb(fb, dev) {
		drm_printf(&p, "framebuffer[%u]:\n", fb->base.id);
		drm_framebuffer_print_info(&p, 1, fb);
	}
	mutex_unlock(fb_lock);

	return 0;
}
1200 
/*
 * debugfs files provided by this file: a single "framebuffer" entry whose
 * contents are produced by drm_framebuffer_info().
 * NOTE(review): the trailing 0 is presumably the driver-feature mask, i.e. no
 * feature is required for the file to appear - confirm against
 * struct drm_debugfs_info.
 */
static const struct drm_debugfs_info drm_framebuffer_debugfs_list[] = {
	{ "framebuffer", drm_framebuffer_info, 0 },
};
1204 
/*
 * drm_framebuffer_debugfs_init - register the framebuffer debugfs files
 * @dev: device the files are added for
 *
 * Hands every entry of drm_framebuffer_debugfs_list to
 * drm_debugfs_add_files().
 */
void drm_framebuffer_debugfs_init(struct drm_device *dev)
{
	const int count = ARRAY_SIZE(drm_framebuffer_debugfs_list);

	drm_debugfs_add_files(dev, drm_framebuffer_debugfs_list, count);
}
1210 #endif
1211