Loading...
Note: File does not exist in v4.6.
1/*
2 * Copyright (c) 2016 Intel Corporation
3 *
4 * Permission to use, copy, modify, distribute, and sell this software and its
5 * documentation for any purpose is hereby granted without fee, provided that
6 * the above copyright notice appear in all copies and that both that copyright
7 * notice and this permission notice appear in supporting documentation, and
8 * that the name of the copyright holders not be used in advertising or
9 * publicity pertaining to distribution of the software without specific,
10 * written prior permission. The copyright holders make no representations
11 * about the suitability of this software for any purpose. It is provided "as
12 * is" without express or implied warranty.
13 *
14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20 * OF THIS SOFTWARE.
21 */
22
23#include <linux/export.h>
24#include <linux/uaccess.h>
25
26#include <drm/drm_atomic.h>
27#include <drm/drm_atomic_uapi.h>
28#include <drm/drm_auth.h>
29#include <drm/drm_debugfs.h>
30#include <drm/drm_drv.h>
31#include <drm/drm_file.h>
32#include <drm/drm_fourcc.h>
33#include <drm/drm_framebuffer.h>
34#include <drm/drm_gem.h>
35#include <drm/drm_print.h>
36#include <drm/drm_util.h>
37
38#include "drm_crtc_internal.h"
39#include "drm_internal.h"
40
41/**
42 * DOC: overview
43 *
44 * Frame buffers are abstract memory objects that provide a source of pixels to
45 * scanout to a CRTC. Applications explicitly request the creation of frame
46 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
47 * handle that can be passed to the KMS CRTC control, plane configuration and
48 * page flip functions.
49 *
50 * Frame buffers rely on the underlying memory manager for allocating backing
51 * storage. When creating a frame buffer applications pass a memory handle
52 * (or a list of memory handles for multi-planar formats) through the
53 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
54 * buffer management interface this would be a GEM handle. Drivers are however
55 * free to use their own backing storage object handles, e.g. vmwgfx directly
56 * exposes special TTM handles to userspace and so expects TTM handles in the
57 * create ioctl and not GEM handles.
58 *
59 * Framebuffers are tracked with &struct drm_framebuffer. They are published
60 * using drm_framebuffer_init() - after calling that function userspace can use
61 * and access the framebuffer object. The helper function
62 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
63 * metadata fields.
64 *
65 * The lifetime of a drm framebuffer is controlled with a reference count,
66 * drivers can grab additional references with drm_framebuffer_get() and drop
67 * them again with drm_framebuffer_put(). For driver-private framebuffers for
68 * which the last reference is never dropped (e.g. for the fbdev framebuffer
69 * when the struct &struct drm_framebuffer is embedded into the fbdev helper
70 * struct) drivers can manually clean up a framebuffer at module unload time
71 * with drm_framebuffer_unregister_private(). But doing this is not
72 * recommended, and it's better to have a normal free-standing &struct
73 * drm_framebuffer.
74 */
75
76int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
77 uint32_t src_w, uint32_t src_h,
78 const struct drm_framebuffer *fb)
79{
80 unsigned int fb_width, fb_height;
81
82 fb_width = fb->width << 16;
83 fb_height = fb->height << 16;
84
85 /* Make sure source coordinates are inside the fb. */
86 if (src_w > fb_width ||
87 src_x > fb_width - src_w ||
88 src_h > fb_height ||
89 src_y > fb_height - src_h) {
90 drm_dbg_kms(fb->dev, "Invalid source coordinates "
91 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n",
92 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
93 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
94 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
95 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10,
96 fb->width, fb->height);
97 return -ENOSPC;
98 }
99
100 return 0;
101}
102EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_framebuffer_check_src_coords);
103
104/**
105 * drm_mode_addfb - add an FB to the graphics configuration
106 * @dev: drm device for the ioctl
107 * @or: pointer to request structure
108 * @file_priv: drm file
109 *
110 * Add a new FB to the specified CRTC, given a user request. This is the
111 * original addfb ioctl which only supported RGB formats.
112 *
113 * Called by the user via ioctl, or by an in-kernel client.
114 *
115 * Returns:
116 * Zero on success, negative errno on failure.
117 */
118int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or,
119 struct drm_file *file_priv)
120{
121 struct drm_mode_fb_cmd2 r = {};
122 int ret;
123
124 if (!drm_core_check_feature(dev, DRIVER_MODESET))
125 return -EOPNOTSUPP;
126
127 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth);
128 if (r.pixel_format == DRM_FORMAT_INVALID) {
129 drm_dbg_kms(dev, "bad {bpp:%d, depth:%d}\n", or->bpp, or->depth);
130 return -EINVAL;
131 }
132
133 /* convert to new format and call new ioctl */
134 r.fb_id = or->fb_id;
135 r.width = or->width;
136 r.height = or->height;
137 r.pitches[0] = or->pitch;
138 r.handles[0] = or->handle;
139
140 ret = drm_mode_addfb2(dev, &r, file_priv);
141 if (ret)
142 return ret;
143
144 or->fb_id = r.fb_id;
145
146 return 0;
147}
148
149int drm_mode_addfb_ioctl(struct drm_device *dev,
150 void *data, struct drm_file *file_priv)
151{
152 return drm_mode_addfb(dev, data, file_priv);
153}
154
155static int framebuffer_check(struct drm_device *dev,
156 const struct drm_mode_fb_cmd2 *r)
157{
158 const struct drm_format_info *info;
159 int i;
160
161 /* check if the format is supported at all */
162 if (!__drm_format_info(r->pixel_format)) {
163 drm_dbg_kms(dev, "bad framebuffer format %p4cc\n",
164 &r->pixel_format);
165 return -EINVAL;
166 }
167
168 if (r->width == 0) {
169 drm_dbg_kms(dev, "bad framebuffer width %u\n", r->width);
170 return -EINVAL;
171 }
172
173 if (r->height == 0) {
174 drm_dbg_kms(dev, "bad framebuffer height %u\n", r->height);
175 return -EINVAL;
176 }
177
178 /* now let the driver pick its own format info */
179 info = drm_get_format_info(dev, r);
180
181 for (i = 0; i < info->num_planes; i++) {
182 unsigned int width = drm_format_info_plane_width(info, r->width, i);
183 unsigned int height = drm_format_info_plane_height(info, r->height, i);
184 unsigned int block_size = info->char_per_block[i];
185 u64 min_pitch = drm_format_info_min_pitch(info, i, width);
186
187 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) {
188 drm_dbg_kms(dev, "Format requires non-linear modifier for plane %d\n", i);
189 return -EINVAL;
190 }
191
192 if (!r->handles[i]) {
193 drm_dbg_kms(dev, "no buffer object handle for plane %d\n", i);
194 return -EINVAL;
195 }
196
197 if (min_pitch > UINT_MAX)
198 return -ERANGE;
199
200 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
201 return -ERANGE;
202
203 if (block_size && r->pitches[i] < min_pitch) {
204 drm_dbg_kms(dev, "bad pitch %u for plane %d\n", r->pitches[i], i);
205 return -EINVAL;
206 }
207
208 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
209 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n",
210 r->modifier[i], i);
211 return -EINVAL;
212 }
213
214 if (r->flags & DRM_MODE_FB_MODIFIERS &&
215 r->modifier[i] != r->modifier[0]) {
216 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n",
217 r->modifier[i], i);
218 return -EINVAL;
219 }
220
221 /* modifier specific checks: */
222 switch (r->modifier[i]) {
223 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE:
224 /* NOTE: the pitch restriction may be lifted later if it turns
225 * out that no hw has this restriction:
226 */
227 if (r->pixel_format != DRM_FORMAT_NV12 ||
228 width % 128 || height % 32 ||
229 r->pitches[i] % 128) {
230 drm_dbg_kms(dev, "bad modifier data for plane %d\n", i);
231 return -EINVAL;
232 }
233 break;
234
235 default:
236 break;
237 }
238 }
239
240 for (i = info->num_planes; i < 4; i++) {
241 if (r->modifier[i]) {
242 drm_dbg_kms(dev, "non-zero modifier for unused plane %d\n", i);
243 return -EINVAL;
244 }
245
246 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
247 if (!(r->flags & DRM_MODE_FB_MODIFIERS))
248 continue;
249
250 if (r->handles[i]) {
251 drm_dbg_kms(dev, "buffer object handle for unused plane %d\n", i);
252 return -EINVAL;
253 }
254
255 if (r->pitches[i]) {
256 drm_dbg_kms(dev, "non-zero pitch for unused plane %d\n", i);
257 return -EINVAL;
258 }
259
260 if (r->offsets[i]) {
261 drm_dbg_kms(dev, "non-zero offset for unused plane %d\n", i);
262 return -EINVAL;
263 }
264 }
265
266 return 0;
267}
268
269struct drm_framebuffer *
270drm_internal_framebuffer_create(struct drm_device *dev,
271 const struct drm_mode_fb_cmd2 *r,
272 struct drm_file *file_priv)
273{
274 struct drm_mode_config *config = &dev->mode_config;
275 struct drm_framebuffer *fb;
276 int ret;
277
278 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) {
279 drm_dbg_kms(dev, "bad framebuffer flags 0x%08x\n", r->flags);
280 return ERR_PTR(-EINVAL);
281 }
282
283 if ((config->min_width > r->width) || (r->width > config->max_width)) {
284 drm_dbg_kms(dev, "bad framebuffer width %d, should be >= %d && <= %d\n",
285 r->width, config->min_width, config->max_width);
286 return ERR_PTR(-EINVAL);
287 }
288 if ((config->min_height > r->height) || (r->height > config->max_height)) {
289 drm_dbg_kms(dev, "bad framebuffer height %d, should be >= %d && <= %d\n",
290 r->height, config->min_height, config->max_height);
291 return ERR_PTR(-EINVAL);
292 }
293
294 if (r->flags & DRM_MODE_FB_MODIFIERS &&
295 dev->mode_config.fb_modifiers_not_supported) {
296 drm_dbg_kms(dev, "driver does not support fb modifiers\n");
297 return ERR_PTR(-EINVAL);
298 }
299
300 ret = framebuffer_check(dev, r);
301 if (ret)
302 return ERR_PTR(ret);
303
304 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r);
305 if (IS_ERR(fb)) {
306 drm_dbg_kms(dev, "could not create framebuffer\n");
307 return fb;
308 }
309
310 return fb;
311}
312EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create);
313
314/**
315 * drm_mode_addfb2 - add an FB to the graphics configuration
316 * @dev: drm device for the ioctl
317 * @data: data pointer for the ioctl
318 * @file_priv: drm file for the ioctl call
319 *
320 * Add a new FB to the specified CRTC, given a user request with format. This is
321 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers
322 * and uses fourcc codes as pixel format specifiers.
323 *
324 * Called by the user via ioctl.
325 *
326 * Returns:
327 * Zero on success, negative errno on failure.
328 */
329int drm_mode_addfb2(struct drm_device *dev,
330 void *data, struct drm_file *file_priv)
331{
332 struct drm_mode_fb_cmd2 *r = data;
333 struct drm_framebuffer *fb;
334
335 if (!drm_core_check_feature(dev, DRIVER_MODESET))
336 return -EOPNOTSUPP;
337
338 fb = drm_internal_framebuffer_create(dev, r, file_priv);
339 if (IS_ERR(fb))
340 return PTR_ERR(fb);
341
342 drm_dbg_kms(dev, "[FB:%d]\n", fb->base.id);
343 r->fb_id = fb->base.id;
344
345 /* Transfer ownership to the filp for reaping on close */
346 mutex_lock(&file_priv->fbs_lock);
347 list_add(&fb->filp_head, &file_priv->fbs);
348 mutex_unlock(&file_priv->fbs_lock);
349
350 return 0;
351}
352
353int drm_mode_addfb2_ioctl(struct drm_device *dev,
354 void *data, struct drm_file *file_priv)
355{
356#ifdef __BIG_ENDIAN
357 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) {
358 /*
359 * Drivers must set the
360 * quirk_addfb_prefer_host_byte_order quirk to make
361 * the drm_mode_addfb() compat code work correctly on
362 * bigendian machines.
363 *
364 * If they don't they interpret pixel_format values
365 * incorrectly for bug compatibility, which in turn
366 * implies the ADDFB2 ioctl does not work correctly
367 * then. So block it to make userspace fallback to
368 * ADDFB.
369 */
370 drm_dbg_kms(dev, "addfb2 broken on bigendian");
371 return -EOPNOTSUPP;
372 }
373#endif
374 return drm_mode_addfb2(dev, data, file_priv);
375}
376
377struct drm_mode_rmfb_work {
378 struct work_struct work;
379 struct list_head fbs;
380};
381
382static void drm_mode_rmfb_work_fn(struct work_struct *w)
383{
384 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
385
386 while (!list_empty(&arg->fbs)) {
387 struct drm_framebuffer *fb =
388 list_first_entry(&arg->fbs, typeof(*fb), filp_head);
389
390 drm_dbg_kms(fb->dev,
391 "Removing [FB:%d] from all active usage due to RMFB ioctl\n",
392 fb->base.id);
393 list_del_init(&fb->filp_head);
394 drm_framebuffer_remove(fb);
395 }
396}
397
398static int drm_mode_closefb(struct drm_framebuffer *fb,
399 struct drm_file *file_priv)
400{
401 struct drm_framebuffer *fbl;
402 bool found = false;
403
404 mutex_lock(&file_priv->fbs_lock);
405 list_for_each_entry(fbl, &file_priv->fbs, filp_head)
406 if (fb == fbl)
407 found = true;
408
409 if (!found) {
410 mutex_unlock(&file_priv->fbs_lock);
411 return -ENOENT;
412 }
413
414 list_del_init(&fb->filp_head);
415 mutex_unlock(&file_priv->fbs_lock);
416
417 /* Drop the reference that was stored in the fbs list */
418 drm_framebuffer_put(fb);
419
420 return 0;
421}
422
423/**
424 * drm_mode_rmfb - remove an FB from the configuration
425 * @dev: drm device
426 * @fb_id: id of framebuffer to remove
427 * @file_priv: drm file
428 *
429 * Remove the specified FB.
430 *
431 * Called by the user via ioctl, or by an in-kernel client.
432 *
433 * Returns:
434 * Zero on success, negative errno on failure.
435 */
436int drm_mode_rmfb(struct drm_device *dev, u32 fb_id,
437 struct drm_file *file_priv)
438{
439 struct drm_framebuffer *fb;
440 int ret;
441
442 if (!drm_core_check_feature(dev, DRIVER_MODESET))
443 return -EOPNOTSUPP;
444
445 fb = drm_framebuffer_lookup(dev, file_priv, fb_id);
446 if (!fb)
447 return -ENOENT;
448
449 ret = drm_mode_closefb(fb, file_priv);
450 if (ret != 0) {
451 drm_framebuffer_put(fb);
452 return ret;
453 }
454
455 /*
456 * drm_framebuffer_remove may fail with -EINTR on pending signals,
457 * so run this in a separate stack as there's no way to correctly
458 * handle this after the fb is already removed from the lookup table.
459 */
460 if (drm_framebuffer_read_refcount(fb) > 1) {
461 struct drm_mode_rmfb_work arg;
462
463 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
464 INIT_LIST_HEAD(&arg.fbs);
465 drm_WARN_ON(dev, !list_empty(&fb->filp_head));
466 list_add_tail(&fb->filp_head, &arg.fbs);
467
468 schedule_work(&arg.work);
469 flush_work(&arg.work);
470 destroy_work_on_stack(&arg.work);
471 } else
472 drm_framebuffer_put(fb);
473
474 return 0;
475}
476
477int drm_mode_rmfb_ioctl(struct drm_device *dev,
478 void *data, struct drm_file *file_priv)
479{
480 uint32_t *fb_id = data;
481
482 return drm_mode_rmfb(dev, *fb_id, file_priv);
483}
484
485int drm_mode_closefb_ioctl(struct drm_device *dev,
486 void *data, struct drm_file *file_priv)
487{
488 struct drm_mode_closefb *r = data;
489 struct drm_framebuffer *fb;
490 int ret;
491
492 if (!drm_core_check_feature(dev, DRIVER_MODESET))
493 return -EOPNOTSUPP;
494
495 if (r->pad)
496 return -EINVAL;
497
498 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
499 if (!fb)
500 return -ENOENT;
501
502 ret = drm_mode_closefb(fb, file_priv);
503 drm_framebuffer_put(fb);
504 return ret;
505}
506
507/**
508 * drm_mode_getfb - get FB info
509 * @dev: drm device for the ioctl
510 * @data: data pointer for the ioctl
511 * @file_priv: drm file for the ioctl call
512 *
513 * Lookup the FB given its ID and return info about it.
514 *
515 * Called by the user via ioctl.
516 *
517 * Returns:
518 * Zero on success, negative errno on failure.
519 */
520int drm_mode_getfb(struct drm_device *dev,
521 void *data, struct drm_file *file_priv)
522{
523 struct drm_mode_fb_cmd *r = data;
524 struct drm_framebuffer *fb;
525 int ret;
526
527 if (!drm_core_check_feature(dev, DRIVER_MODESET))
528 return -EOPNOTSUPP;
529
530 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
531 if (!fb)
532 return -ENOENT;
533
534 /* Multi-planar framebuffers need getfb2. */
535 if (fb->format->num_planes > 1) {
536 ret = -EINVAL;
537 goto out;
538 }
539
540 if (!fb->funcs->create_handle) {
541 ret = -ENODEV;
542 goto out;
543 }
544
545 r->height = fb->height;
546 r->width = fb->width;
547 r->depth = fb->format->depth;
548 r->bpp = drm_format_info_bpp(fb->format, 0);
549 r->pitch = fb->pitches[0];
550
551 /* GET_FB() is an unprivileged ioctl so we must not return a
552 * buffer-handle to non-master processes! For
553 * backwards-compatibility reasons, we cannot make GET_FB() privileged,
554 * so just return an invalid handle for non-masters.
555 */
556 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
557 r->handle = 0;
558 ret = 0;
559 goto out;
560 }
561
562 ret = fb->funcs->create_handle(fb, file_priv, &r->handle);
563
564out:
565 drm_framebuffer_put(fb);
566 return ret;
567}
568
569/**
570 * drm_mode_getfb2_ioctl - get extended FB info
571 * @dev: drm device for the ioctl
572 * @data: data pointer for the ioctl
573 * @file_priv: drm file for the ioctl call
574 *
575 * Lookup the FB given its ID and return info about it.
576 *
577 * Called by the user via ioctl.
578 *
579 * Returns:
580 * Zero on success, negative errno on failure.
581 */
582int drm_mode_getfb2_ioctl(struct drm_device *dev,
583 void *data, struct drm_file *file_priv)
584{
585 struct drm_mode_fb_cmd2 *r = data;
586 struct drm_framebuffer *fb;
587 unsigned int i;
588 int ret = 0;
589
590 if (!drm_core_check_feature(dev, DRIVER_MODESET))
591 return -EINVAL;
592
593 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
594 if (!fb)
595 return -ENOENT;
596
597 /* For multi-plane framebuffers, we require the driver to place the
598 * GEM objects directly in the drm_framebuffer. For single-plane
599 * framebuffers, we can fall back to create_handle.
600 */
601 if (!fb->obj[0] &&
602 (fb->format->num_planes > 1 || !fb->funcs->create_handle)) {
603 ret = -ENODEV;
604 goto out;
605 }
606
607 r->height = fb->height;
608 r->width = fb->width;
609 r->pixel_format = fb->format->format;
610
611 r->flags = 0;
612 if (!dev->mode_config.fb_modifiers_not_supported)
613 r->flags |= DRM_MODE_FB_MODIFIERS;
614
615 for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
616 r->handles[i] = 0;
617 r->pitches[i] = 0;
618 r->offsets[i] = 0;
619 r->modifier[i] = 0;
620 }
621
622 for (i = 0; i < fb->format->num_planes; i++) {
623 r->pitches[i] = fb->pitches[i];
624 r->offsets[i] = fb->offsets[i];
625 if (!dev->mode_config.fb_modifiers_not_supported)
626 r->modifier[i] = fb->modifier;
627 }
628
629 /* GET_FB2() is an unprivileged ioctl so we must not return a
630 * buffer-handle to non master/root processes! To match GET_FB()
631 * just return invalid handles (0) for non masters/root
632 * rather than making GET_FB2() privileged.
633 */
634 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
635 ret = 0;
636 goto out;
637 }
638
639 for (i = 0; i < fb->format->num_planes; i++) {
640 int j;
641
642 /* If we reuse the same object for multiple planes, also
643 * return the same handle.
644 */
645 for (j = 0; j < i; j++) {
646 if (fb->obj[i] == fb->obj[j]) {
647 r->handles[i] = r->handles[j];
648 break;
649 }
650 }
651
652 if (r->handles[i])
653 continue;
654
655 if (fb->obj[i]) {
656 ret = drm_gem_handle_create(file_priv, fb->obj[i],
657 &r->handles[i]);
658 } else {
659 WARN_ON(i > 0);
660 ret = fb->funcs->create_handle(fb, file_priv,
661 &r->handles[i]);
662 }
663
664 if (ret != 0)
665 goto out;
666 }
667
668out:
669 if (ret != 0) {
670 /* Delete any previously-created handles on failure. */
671 for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
672 int j;
673
674 if (r->handles[i])
675 drm_gem_handle_delete(file_priv, r->handles[i]);
676
677 /* Zero out any handles identical to the one we just
678 * deleted.
679 */
680 for (j = i + 1; j < ARRAY_SIZE(r->handles); j++) {
681 if (r->handles[j] == r->handles[i])
682 r->handles[j] = 0;
683 }
684 }
685 }
686
687 drm_framebuffer_put(fb);
688 return ret;
689}
690
691/**
692 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
693 * @dev: drm device for the ioctl
694 * @data: data pointer for the ioctl
695 * @file_priv: drm file for the ioctl call
696 *
697 * Lookup the FB and flush out the damaged area supplied by userspace as a clip
698 * rectangle list. Generic userspace which does frontbuffer rendering must call
699 * this ioctl to flush out the changes on manual-update display outputs, e.g.
700 * usb display-link, mipi manual update panels or edp panel self refresh modes.
701 *
702 * Modesetting drivers which always update the frontbuffer do not need to
703 * implement the corresponding &drm_framebuffer_funcs.dirty callback.
704 *
705 * Called by the user via ioctl.
706 *
707 * Returns:
708 * Zero on success, negative errno on failure.
709 */
710int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
711 void *data, struct drm_file *file_priv)
712{
713 struct drm_clip_rect __user *clips_ptr;
714 struct drm_clip_rect *clips = NULL;
715 struct drm_mode_fb_dirty_cmd *r = data;
716 struct drm_framebuffer *fb;
717 unsigned flags;
718 int num_clips;
719 int ret;
720
721 if (!drm_core_check_feature(dev, DRIVER_MODESET))
722 return -EOPNOTSUPP;
723
724 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
725 if (!fb)
726 return -ENOENT;
727
728 num_clips = r->num_clips;
729 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
730
731 if (!num_clips != !clips_ptr) {
732 ret = -EINVAL;
733 goto out_err1;
734 }
735
736 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags;
737
738 /* If userspace annotates copy, clips must come in pairs */
739 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) {
740 ret = -EINVAL;
741 goto out_err1;
742 }
743
744 if (num_clips && clips_ptr) {
745 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
746 ret = -EINVAL;
747 goto out_err1;
748 }
749 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
750 if (!clips) {
751 ret = -ENOMEM;
752 goto out_err1;
753 }
754
755 ret = copy_from_user(clips, clips_ptr,
756 num_clips * sizeof(*clips));
757 if (ret) {
758 ret = -EFAULT;
759 goto out_err2;
760 }
761 }
762
763 if (fb->funcs->dirty) {
764 ret = fb->funcs->dirty(fb, file_priv, flags, r->color,
765 clips, num_clips);
766 } else {
767 ret = -ENOSYS;
768 }
769
770out_err2:
771 kfree(clips);
772out_err1:
773 drm_framebuffer_put(fb);
774
775 return ret;
776}
777
778/**
779 * drm_fb_release - remove and free the FBs on this file
780 * @priv: drm file for the ioctl
781 *
782 * Destroy all the FBs associated with @filp.
783 *
784 * Called by the user via ioctl.
785 *
786 * Returns:
787 * Zero on success, negative errno on failure.
788 */
789void drm_fb_release(struct drm_file *priv)
790{
791 struct drm_framebuffer *fb, *tfb;
792 struct drm_mode_rmfb_work arg;
793
794 INIT_LIST_HEAD(&arg.fbs);
795
796 /*
797 * When the file gets released that means no one else can access the fb
798 * list any more, so no need to grab fpriv->fbs_lock. And we need to
799 * avoid upsetting lockdep since the universal cursor code adds a
800 * framebuffer while holding mutex locks.
801 *
802 * Note that a real deadlock between fpriv->fbs_lock and the modeset
803 * locks is impossible here since no one else but this function can get
804 * at it any more.
805 */
806 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
807 if (drm_framebuffer_read_refcount(fb) > 1) {
808 list_move_tail(&fb->filp_head, &arg.fbs);
809 } else {
810 list_del_init(&fb->filp_head);
811
812 /* This drops the fpriv->fbs reference. */
813 drm_framebuffer_put(fb);
814 }
815 }
816
817 if (!list_empty(&arg.fbs)) {
818 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
819
820 schedule_work(&arg.work);
821 flush_work(&arg.work);
822 destroy_work_on_stack(&arg.work);
823 }
824}
825
826void drm_framebuffer_free(struct kref *kref)
827{
828 struct drm_framebuffer *fb =
829 container_of(kref, struct drm_framebuffer, base.refcount);
830 struct drm_device *dev = fb->dev;
831
832 drm_WARN_ON(dev, !list_empty(&fb->filp_head));
833
834 /*
835 * The lookup idr holds a weak reference, which has not necessarily been
836 * removed at this point. Check for that.
837 */
838 drm_mode_object_unregister(dev, &fb->base);
839
840 fb->funcs->destroy(fb);
841}
842EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_framebuffer_free);
843
844/**
845 * drm_framebuffer_init - initialize a framebuffer
846 * @dev: DRM device
847 * @fb: framebuffer to be initialized
848 * @funcs: ... with these functions
849 *
850 * Allocates an ID for the framebuffer's parent mode object, sets its mode
851 * functions & device file and adds it to the master fd list.
852 *
853 * IMPORTANT:
854 * This functions publishes the fb and makes it available for concurrent access
855 * by other users. Which means by this point the fb _must_ be fully set up -
856 * since all the fb attributes are invariant over its lifetime, no further
857 * locking but only correct reference counting is required.
858 *
859 * Returns:
860 * Zero on success, error code on failure.
861 */
862int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
863 const struct drm_framebuffer_funcs *funcs)
864{
865 int ret;
866
867 if (WARN_ON_ONCE(fb->dev != dev || !fb->format))
868 return -EINVAL;
869
870 INIT_LIST_HEAD(&fb->filp_head);
871
872 fb->funcs = funcs;
873 strscpy(fb->comm, current->comm);
874
875 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB,
876 false, drm_framebuffer_free);
877 if (ret)
878 goto out;
879
880 mutex_lock(&dev->mode_config.fb_lock);
881 dev->mode_config.num_fb++;
882 list_add(&fb->head, &dev->mode_config.fb_list);
883 mutex_unlock(&dev->mode_config.fb_lock);
884
885 drm_mode_object_register(dev, &fb->base);
886out:
887 return ret;
888}
889EXPORT_SYMBOL(drm_framebuffer_init);
890
891/**
892 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
893 * @dev: drm device
894 * @file_priv: drm file to check for lease against.
895 * @id: id of the fb object
896 *
897 * If successful, this grabs an additional reference to the framebuffer -
898 * callers need to make sure to eventually unreference the returned framebuffer
899 * again, using drm_framebuffer_put().
900 */
901struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
902 struct drm_file *file_priv,
903 uint32_t id)
904{
905 struct drm_mode_object *obj;
906 struct drm_framebuffer *fb = NULL;
907
908 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB);
909 if (obj)
910 fb = obj_to_fb(obj);
911 return fb;
912}
913EXPORT_SYMBOL(drm_framebuffer_lookup);
914
915/**
916 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
917 * @fb: fb to unregister
918 *
919 * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
920 * those used for fbdev. Note that the caller must hold a reference of its own,
921 * i.e. the object may not be destroyed through this call (since it'll lead to a
922 * locking inversion).
923 *
924 * NOTE: This function is deprecated. For driver-private framebuffers it is not
925 * recommended to embed a framebuffer struct info fbdev struct, instead, a
926 * framebuffer pointer is preferred and drm_framebuffer_put() should be called
927 * when the framebuffer is to be cleaned up.
928 */
929void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
930{
931 struct drm_device *dev;
932
933 if (!fb)
934 return;
935
936 dev = fb->dev;
937
938 /* Mark fb as reaped and drop idr ref. */
939 drm_mode_object_unregister(dev, &fb->base);
940}
941EXPORT_SYMBOL(drm_framebuffer_unregister_private);
942
943/**
944 * drm_framebuffer_cleanup - remove a framebuffer object
945 * @fb: framebuffer to remove
946 *
947 * Cleanup framebuffer. This function is intended to be used from the drivers
948 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up
949 * driver private framebuffers embedded into a larger structure.
950 *
951 * Note that this function does not remove the fb from active usage - if it is
952 * still used anywhere, hilarity can ensue since userspace could call getfb on
953 * the id and get back -EINVAL. Obviously no concern at driver unload time.
954 *
955 * Also, the framebuffer will not be removed from the lookup idr - for
956 * user-created framebuffers this will happen in the rmfb ioctl. For
957 * driver-private objects (e.g. for fbdev) drivers need to explicitly call
958 * drm_framebuffer_unregister_private.
959 */
960void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
961{
962 struct drm_device *dev = fb->dev;
963
964 mutex_lock(&dev->mode_config.fb_lock);
965 list_del(&fb->head);
966 dev->mode_config.num_fb--;
967 mutex_unlock(&dev->mode_config.fb_lock);
968}
969EXPORT_SYMBOL(drm_framebuffer_cleanup);
970
971static int atomic_remove_fb(struct drm_framebuffer *fb)
972{
973 struct drm_modeset_acquire_ctx ctx;
974 struct drm_device *dev = fb->dev;
975 struct drm_atomic_state *state;
976 struct drm_plane *plane;
977 struct drm_connector *conn __maybe_unused;
978 struct drm_connector_state *conn_state;
979 int i, ret;
980 unsigned plane_mask;
981 bool disable_crtcs = false;
982
983retry_disable:
984 drm_modeset_acquire_init(&ctx, 0);
985
986 state = drm_atomic_state_alloc(dev);
987 if (!state) {
988 ret = -ENOMEM;
989 goto out;
990 }
991 state->acquire_ctx = &ctx;
992
993retry:
994 plane_mask = 0;
995 ret = drm_modeset_lock_all_ctx(dev, &ctx);
996 if (ret)
997 goto unlock;
998
999 drm_for_each_plane(plane, dev) {
1000 struct drm_plane_state *plane_state;
1001
1002 if (plane->state->fb != fb)
1003 continue;
1004
1005 drm_dbg_kms(dev,
1006 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
1007 plane->base.id, plane->name, fb->base.id);
1008
1009 plane_state = drm_atomic_get_plane_state(state, plane);
1010 if (IS_ERR(plane_state)) {
1011 ret = PTR_ERR(plane_state);
1012 goto unlock;
1013 }
1014
1015 if (disable_crtcs && plane_state->crtc->primary == plane) {
1016 struct drm_crtc_state *crtc_state;
1017
1018 drm_dbg_kms(dev,
1019 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
1020 plane_state->crtc->base.id,
1021 plane_state->crtc->name, fb->base.id);
1022
1023 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc);
1024
1025 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc);
1026 if (ret)
1027 goto unlock;
1028
1029 crtc_state->active = false;
1030 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL);
1031 if (ret)
1032 goto unlock;
1033 }
1034
1035 drm_atomic_set_fb_for_plane(plane_state, NULL);
1036 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL);
1037 if (ret)
1038 goto unlock;
1039
1040 plane_mask |= drm_plane_mask(plane);
1041 }
1042
1043 /* This list is only filled when disable_crtcs is set. */
1044 for_each_new_connector_in_state(state, conn, conn_state, i) {
1045 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL);
1046
1047 if (ret)
1048 goto unlock;
1049 }
1050
1051 if (plane_mask)
1052 ret = drm_atomic_commit(state);
1053
1054unlock:
1055 if (ret == -EDEADLK) {
1056 drm_atomic_state_clear(state);
1057 drm_modeset_backoff(&ctx);
1058 goto retry;
1059 }
1060
1061 drm_atomic_state_put(state);
1062
1063out:
1064 drm_modeset_drop_locks(&ctx);
1065 drm_modeset_acquire_fini(&ctx);
1066
1067 if (ret == -EINVAL && !disable_crtcs) {
1068 disable_crtcs = true;
1069 goto retry_disable;
1070 }
1071
1072 return ret;
1073}
1074
1075static void legacy_remove_fb(struct drm_framebuffer *fb)
1076{
1077 struct drm_device *dev = fb->dev;
1078 struct drm_crtc *crtc;
1079 struct drm_plane *plane;
1080
1081 drm_modeset_lock_all(dev);
1082 /* remove from any CRTC */
1083 drm_for_each_crtc(crtc, dev) {
1084 if (crtc->primary->fb == fb) {
1085 drm_dbg_kms(dev,
1086 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
1087 crtc->base.id, crtc->name, fb->base.id);
1088
1089 /* should turn off the crtc */
1090 if (drm_crtc_force_disable(crtc))
1091 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
1092 }
1093 }
1094
1095 drm_for_each_plane(plane, dev) {
1096 if (plane->fb == fb) {
1097 drm_dbg_kms(dev,
1098 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
1099 plane->base.id, plane->name, fb->base.id);
1100 drm_plane_force_disable(plane);
1101 }
1102 }
1103 drm_modeset_unlock_all(dev);
1104}
1105
1106/**
1107 * drm_framebuffer_remove - remove and unreference a framebuffer object
1108 * @fb: framebuffer to remove
1109 *
1110 * Scans all the CRTCs and planes in @dev's mode_config. If they're
1111 * using @fb, removes it, setting it to NULL. Then drops the reference to the
1112 * passed-in framebuffer. Might take the modeset locks.
1113 *
1114 * Note that this function optimizes the cleanup away if the caller holds the
1115 * last reference to the framebuffer. It is also guaranteed to not take the
1116 * modeset locks in this case.
1117 */
1118void drm_framebuffer_remove(struct drm_framebuffer *fb)
1119{
1120 struct drm_device *dev;
1121
1122 if (!fb)
1123 return;
1124
1125 dev = fb->dev;
1126
1127 drm_WARN_ON(dev, !list_empty(&fb->filp_head));
1128
1129 /*
1130 * drm ABI mandates that we remove any deleted framebuffers from active
1131 * usage. But since most sane clients only remove framebuffers they no
1132 * longer need, try to optimize this away.
1133 *
1134 * Since we're holding a reference ourselves, observing a refcount of 1
1135 * means that we're the last holder and can skip it. Also, the refcount
1136 * can never increase from 1 again, so we don't need any barriers or
1137 * locks.
1138 *
1139 * Note that userspace could try to race with use and instate a new
1140 * usage _after_ we've cleared all current ones. End result will be an
1141 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot
1142 * in this manner.
1143 */
1144 if (drm_framebuffer_read_refcount(fb) > 1) {
1145 if (drm_drv_uses_atomic_modeset(dev)) {
1146 int ret = atomic_remove_fb(fb);
1147
1148 WARN(ret, "atomic remove_fb failed with %i\n", ret);
1149 } else
1150 legacy_remove_fb(fb);
1151 }
1152
1153 drm_framebuffer_put(fb);
1154}
1155EXPORT_SYMBOL(drm_framebuffer_remove);
1156
1157void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent,
1158 const struct drm_framebuffer *fb)
1159{
1160 unsigned int i;
1161
1162 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm);
1163 drm_printf_indent(p, indent, "refcount=%u\n",
1164 drm_framebuffer_read_refcount(fb));
1165 drm_printf_indent(p, indent, "format=%p4cc\n", &fb->format->format);
1166 drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier);
1167 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height);
1168 drm_printf_indent(p, indent, "layers:\n");
1169
1170 for (i = 0; i < fb->format->num_planes; i++) {
1171 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i,
1172 drm_format_info_plane_width(fb->format, fb->width, i),
1173 drm_format_info_plane_height(fb->format, fb->height, i));
1174 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]);
1175 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]);
1176 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i,
1177 fb->obj[i] ? "" : "(null)");
1178 if (fb->obj[i])
1179 drm_gem_print_info(p, indent + 2, fb->obj[i]);
1180 }
1181}
1182
1183#ifdef CONFIG_DEBUG_FS
1184static int drm_framebuffer_info(struct seq_file *m, void *data)
1185{
1186 struct drm_debugfs_entry *entry = m->private;
1187 struct drm_device *dev = entry->dev;
1188 struct drm_printer p = drm_seq_file_printer(m);
1189 struct drm_framebuffer *fb;
1190
1191 mutex_lock(&dev->mode_config.fb_lock);
1192 drm_for_each_fb(fb, dev) {
1193 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id);
1194 drm_framebuffer_print_info(&p, 1, fb);
1195 }
1196 mutex_unlock(&dev->mode_config.fb_lock);
1197
1198 return 0;
1199}
1200
1201static const struct drm_debugfs_info drm_framebuffer_debugfs_list[] = {
1202 { "framebuffer", drm_framebuffer_info, 0 },
1203};
1204
1205void drm_framebuffer_debugfs_init(struct drm_device *dev)
1206{
1207 drm_debugfs_add_files(dev, drm_framebuffer_debugfs_list,
1208 ARRAY_SIZE(drm_framebuffer_debugfs_list));
1209}
1210#endif