Loading...
1/*
2 * Copyright (c) 2016 Intel Corporation
3 *
4 * Permission to use, copy, modify, distribute, and sell this software and its
5 * documentation for any purpose is hereby granted without fee, provided that
6 * the above copyright notice appear in all copies and that both that copyright
7 * notice and this permission notice appear in supporting documentation, and
8 * that the name of the copyright holders not be used in advertising or
9 * publicity pertaining to distribution of the software without specific,
10 * written prior permission. The copyright holders make no representations
11 * about the suitability of this software for any purpose. It is provided "as
12 * is" without express or implied warranty.
13 *
14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20 * OF THIS SOFTWARE.
21 */
22
23#include <linux/export.h>
24#include <linux/uaccess.h>
25
26#include <drm/drm_atomic.h>
27#include <drm/drm_atomic_uapi.h>
28#include <drm/drm_auth.h>
29#include <drm/drm_debugfs.h>
30#include <drm/drm_drv.h>
31#include <drm/drm_file.h>
32#include <drm/drm_fourcc.h>
33#include <drm/drm_framebuffer.h>
34#include <drm/drm_gem.h>
35#include <drm/drm_print.h>
36#include <drm/drm_util.h>
37
38#include "drm_crtc_internal.h"
39#include "drm_internal.h"
40
41/**
42 * DOC: overview
43 *
44 * Frame buffers are abstract memory objects that provide a source of pixels to
45 * scanout to a CRTC. Applications explicitly request the creation of frame
46 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
47 * handle that can be passed to the KMS CRTC control, plane configuration and
48 * page flip functions.
49 *
50 * Frame buffers rely on the underlying memory manager for allocating backing
51 * storage. When creating a frame buffer applications pass a memory handle
52 * (or a list of memory handles for multi-planar formats) through the
53 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
54 * buffer management interface this would be a GEM handle. Drivers are however
55 * free to use their own backing storage object handles, e.g. vmwgfx directly
56 * exposes special TTM handles to userspace and so expects TTM handles in the
57 * create ioctl and not GEM handles.
58 *
59 * Framebuffers are tracked with &struct drm_framebuffer. They are published
60 * using drm_framebuffer_init() - after calling that function userspace can use
61 * and access the framebuffer object. The helper function
62 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
63 * metadata fields.
64 *
65 * The lifetime of a drm framebuffer is controlled with a reference count,
66 * drivers can grab additional references with drm_framebuffer_get() and drop
67 * them again with drm_framebuffer_put(). For driver-private framebuffers for
68 * which the last reference is never dropped (e.g. for the fbdev framebuffer
69 * when the struct &struct drm_framebuffer is embedded into the fbdev helper
70 * struct) drivers can manually clean up a framebuffer at module unload time
71 * with drm_framebuffer_unregister_private(). But doing this is not
72 * recommended, and it's better to have a normal free-standing &struct
73 * drm_framebuffer.
74 */
75
76int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
77 uint32_t src_w, uint32_t src_h,
78 const struct drm_framebuffer *fb)
79{
80 unsigned int fb_width, fb_height;
81
82 fb_width = fb->width << 16;
83 fb_height = fb->height << 16;
84
85 /* Make sure source coordinates are inside the fb. */
86 if (src_w > fb_width ||
87 src_x > fb_width - src_w ||
88 src_h > fb_height ||
89 src_y > fb_height - src_h) {
90 drm_dbg_kms(fb->dev, "Invalid source coordinates "
91 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n",
92 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
93 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
94 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
95 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10,
96 fb->width, fb->height);
97 return -ENOSPC;
98 }
99
100 return 0;
101}
102
103/**
104 * drm_mode_addfb - add an FB to the graphics configuration
105 * @dev: drm device for the ioctl
106 * @or: pointer to request structure
107 * @file_priv: drm file
108 *
109 * Add a new FB to the specified CRTC, given a user request. This is the
110 * original addfb ioctl which only supported RGB formats.
111 *
112 * Called by the user via ioctl, or by an in-kernel client.
113 *
114 * Returns:
115 * Zero on success, negative errno on failure.
116 */
117int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or,
118 struct drm_file *file_priv)
119{
120 struct drm_mode_fb_cmd2 r = {};
121 int ret;
122
123 if (!drm_core_check_feature(dev, DRIVER_MODESET))
124 return -EOPNOTSUPP;
125
126 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth);
127 if (r.pixel_format == DRM_FORMAT_INVALID) {
128 drm_dbg_kms(dev, "bad {bpp:%d, depth:%d}\n", or->bpp, or->depth);
129 return -EINVAL;
130 }
131
132 /* convert to new format and call new ioctl */
133 r.fb_id = or->fb_id;
134 r.width = or->width;
135 r.height = or->height;
136 r.pitches[0] = or->pitch;
137 r.handles[0] = or->handle;
138
139 ret = drm_mode_addfb2(dev, &r, file_priv);
140 if (ret)
141 return ret;
142
143 or->fb_id = r.fb_id;
144
145 return 0;
146}
147
148int drm_mode_addfb_ioctl(struct drm_device *dev,
149 void *data, struct drm_file *file_priv)
150{
151 return drm_mode_addfb(dev, data, file_priv);
152}
153
154static int framebuffer_check(struct drm_device *dev,
155 const struct drm_mode_fb_cmd2 *r)
156{
157 const struct drm_format_info *info;
158 int i;
159
160 /* check if the format is supported at all */
161 if (!__drm_format_info(r->pixel_format)) {
162 drm_dbg_kms(dev, "bad framebuffer format %p4cc\n",
163 &r->pixel_format);
164 return -EINVAL;
165 }
166
167 if (r->width == 0) {
168 drm_dbg_kms(dev, "bad framebuffer width %u\n", r->width);
169 return -EINVAL;
170 }
171
172 if (r->height == 0) {
173 drm_dbg_kms(dev, "bad framebuffer height %u\n", r->height);
174 return -EINVAL;
175 }
176
177 /* now let the driver pick its own format info */
178 info = drm_get_format_info(dev, r);
179
180 for (i = 0; i < info->num_planes; i++) {
181 unsigned int width = drm_format_info_plane_width(info, r->width, i);
182 unsigned int height = drm_format_info_plane_height(info, r->height, i);
183 unsigned int block_size = info->char_per_block[i];
184 u64 min_pitch = drm_format_info_min_pitch(info, i, width);
185
186 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) {
187 drm_dbg_kms(dev, "Format requires non-linear modifier for plane %d\n", i);
188 return -EINVAL;
189 }
190
191 if (!r->handles[i]) {
192 drm_dbg_kms(dev, "no buffer object handle for plane %d\n", i);
193 return -EINVAL;
194 }
195
196 if (min_pitch > UINT_MAX)
197 return -ERANGE;
198
199 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
200 return -ERANGE;
201
202 if (block_size && r->pitches[i] < min_pitch) {
203 drm_dbg_kms(dev, "bad pitch %u for plane %d\n", r->pitches[i], i);
204 return -EINVAL;
205 }
206
207 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
208 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n",
209 r->modifier[i], i);
210 return -EINVAL;
211 }
212
213 if (r->flags & DRM_MODE_FB_MODIFIERS &&
214 r->modifier[i] != r->modifier[0]) {
215 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n",
216 r->modifier[i], i);
217 return -EINVAL;
218 }
219
220 /* modifier specific checks: */
221 switch (r->modifier[i]) {
222 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE:
223 /* NOTE: the pitch restriction may be lifted later if it turns
224 * out that no hw has this restriction:
225 */
226 if (r->pixel_format != DRM_FORMAT_NV12 ||
227 width % 128 || height % 32 ||
228 r->pitches[i] % 128) {
229 drm_dbg_kms(dev, "bad modifier data for plane %d\n", i);
230 return -EINVAL;
231 }
232 break;
233
234 default:
235 break;
236 }
237 }
238
239 for (i = info->num_planes; i < 4; i++) {
240 if (r->modifier[i]) {
241 drm_dbg_kms(dev, "non-zero modifier for unused plane %d\n", i);
242 return -EINVAL;
243 }
244
245 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
246 if (!(r->flags & DRM_MODE_FB_MODIFIERS))
247 continue;
248
249 if (r->handles[i]) {
250 drm_dbg_kms(dev, "buffer object handle for unused plane %d\n", i);
251 return -EINVAL;
252 }
253
254 if (r->pitches[i]) {
255 drm_dbg_kms(dev, "non-zero pitch for unused plane %d\n", i);
256 return -EINVAL;
257 }
258
259 if (r->offsets[i]) {
260 drm_dbg_kms(dev, "non-zero offset for unused plane %d\n", i);
261 return -EINVAL;
262 }
263 }
264
265 return 0;
266}
267
268struct drm_framebuffer *
269drm_internal_framebuffer_create(struct drm_device *dev,
270 const struct drm_mode_fb_cmd2 *r,
271 struct drm_file *file_priv)
272{
273 struct drm_mode_config *config = &dev->mode_config;
274 struct drm_framebuffer *fb;
275 int ret;
276
277 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) {
278 drm_dbg_kms(dev, "bad framebuffer flags 0x%08x\n", r->flags);
279 return ERR_PTR(-EINVAL);
280 }
281
282 if ((config->min_width > r->width) || (r->width > config->max_width)) {
283 drm_dbg_kms(dev, "bad framebuffer width %d, should be >= %d && <= %d\n",
284 r->width, config->min_width, config->max_width);
285 return ERR_PTR(-EINVAL);
286 }
287 if ((config->min_height > r->height) || (r->height > config->max_height)) {
288 drm_dbg_kms(dev, "bad framebuffer height %d, should be >= %d && <= %d\n",
289 r->height, config->min_height, config->max_height);
290 return ERR_PTR(-EINVAL);
291 }
292
293 if (r->flags & DRM_MODE_FB_MODIFIERS &&
294 dev->mode_config.fb_modifiers_not_supported) {
295 drm_dbg_kms(dev, "driver does not support fb modifiers\n");
296 return ERR_PTR(-EINVAL);
297 }
298
299 ret = framebuffer_check(dev, r);
300 if (ret)
301 return ERR_PTR(ret);
302
303 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r);
304 if (IS_ERR(fb)) {
305 drm_dbg_kms(dev, "could not create framebuffer\n");
306 return fb;
307 }
308
309 return fb;
310}
311EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create);
312
313/**
314 * drm_mode_addfb2 - add an FB to the graphics configuration
315 * @dev: drm device for the ioctl
316 * @data: data pointer for the ioctl
317 * @file_priv: drm file for the ioctl call
318 *
319 * Add a new FB to the specified CRTC, given a user request with format. This is
320 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers
321 * and uses fourcc codes as pixel format specifiers.
322 *
323 * Called by the user via ioctl.
324 *
325 * Returns:
326 * Zero on success, negative errno on failure.
327 */
328int drm_mode_addfb2(struct drm_device *dev,
329 void *data, struct drm_file *file_priv)
330{
331 struct drm_mode_fb_cmd2 *r = data;
332 struct drm_framebuffer *fb;
333
334 if (!drm_core_check_feature(dev, DRIVER_MODESET))
335 return -EOPNOTSUPP;
336
337 fb = drm_internal_framebuffer_create(dev, r, file_priv);
338 if (IS_ERR(fb))
339 return PTR_ERR(fb);
340
341 drm_dbg_kms(dev, "[FB:%d]\n", fb->base.id);
342 r->fb_id = fb->base.id;
343
344 /* Transfer ownership to the filp for reaping on close */
345 mutex_lock(&file_priv->fbs_lock);
346 list_add(&fb->filp_head, &file_priv->fbs);
347 mutex_unlock(&file_priv->fbs_lock);
348
349 return 0;
350}
351
352int drm_mode_addfb2_ioctl(struct drm_device *dev,
353 void *data, struct drm_file *file_priv)
354{
355#ifdef __BIG_ENDIAN
356 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) {
357 /*
358 * Drivers must set the
359 * quirk_addfb_prefer_host_byte_order quirk to make
360 * the drm_mode_addfb() compat code work correctly on
361 * bigendian machines.
362 *
363 * If they don't they interpret pixel_format values
364 * incorrectly for bug compatibility, which in turn
365 * implies the ADDFB2 ioctl does not work correctly
366 * then. So block it to make userspace fallback to
367 * ADDFB.
368 */
369 drm_dbg_kms(dev, "addfb2 broken on bigendian");
370 return -EOPNOTSUPP;
371 }
372#endif
373 return drm_mode_addfb2(dev, data, file_priv);
374}
375
376struct drm_mode_rmfb_work {
377 struct work_struct work;
378 struct list_head fbs;
379};
380
381static void drm_mode_rmfb_work_fn(struct work_struct *w)
382{
383 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
384
385 while (!list_empty(&arg->fbs)) {
386 struct drm_framebuffer *fb =
387 list_first_entry(&arg->fbs, typeof(*fb), filp_head);
388
389 drm_dbg_kms(fb->dev,
390 "Removing [FB:%d] from all active usage due to RMFB ioctl\n",
391 fb->base.id);
392 list_del_init(&fb->filp_head);
393 drm_framebuffer_remove(fb);
394 }
395}
396
397static int drm_mode_closefb(struct drm_framebuffer *fb,
398 struct drm_file *file_priv)
399{
400 struct drm_framebuffer *fbl;
401 bool found = false;
402
403 mutex_lock(&file_priv->fbs_lock);
404 list_for_each_entry(fbl, &file_priv->fbs, filp_head)
405 if (fb == fbl)
406 found = true;
407
408 if (!found) {
409 mutex_unlock(&file_priv->fbs_lock);
410 return -ENOENT;
411 }
412
413 list_del_init(&fb->filp_head);
414 mutex_unlock(&file_priv->fbs_lock);
415
416 /* Drop the reference that was stored in the fbs list */
417 drm_framebuffer_put(fb);
418
419 return 0;
420}
421
422/**
423 * drm_mode_rmfb - remove an FB from the configuration
424 * @dev: drm device
425 * @fb_id: id of framebuffer to remove
426 * @file_priv: drm file
427 *
428 * Remove the specified FB.
429 *
430 * Called by the user via ioctl, or by an in-kernel client.
431 *
432 * Returns:
433 * Zero on success, negative errno on failure.
434 */
435int drm_mode_rmfb(struct drm_device *dev, u32 fb_id,
436 struct drm_file *file_priv)
437{
438 struct drm_framebuffer *fb;
439 int ret;
440
441 if (!drm_core_check_feature(dev, DRIVER_MODESET))
442 return -EOPNOTSUPP;
443
444 fb = drm_framebuffer_lookup(dev, file_priv, fb_id);
445 if (!fb)
446 return -ENOENT;
447
448 ret = drm_mode_closefb(fb, file_priv);
449 if (ret != 0) {
450 drm_framebuffer_put(fb);
451 return ret;
452 }
453
454 /*
455 * drm_framebuffer_remove may fail with -EINTR on pending signals,
456 * so run this in a separate stack as there's no way to correctly
457 * handle this after the fb is already removed from the lookup table.
458 */
459 if (drm_framebuffer_read_refcount(fb) > 1) {
460 struct drm_mode_rmfb_work arg;
461
462 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
463 INIT_LIST_HEAD(&arg.fbs);
464 drm_WARN_ON(dev, !list_empty(&fb->filp_head));
465 list_add_tail(&fb->filp_head, &arg.fbs);
466
467 schedule_work(&arg.work);
468 flush_work(&arg.work);
469 destroy_work_on_stack(&arg.work);
470 } else
471 drm_framebuffer_put(fb);
472
473 return 0;
474}
475
476int drm_mode_rmfb_ioctl(struct drm_device *dev,
477 void *data, struct drm_file *file_priv)
478{
479 uint32_t *fb_id = data;
480
481 return drm_mode_rmfb(dev, *fb_id, file_priv);
482}
483
484int drm_mode_closefb_ioctl(struct drm_device *dev,
485 void *data, struct drm_file *file_priv)
486{
487 struct drm_mode_closefb *r = data;
488 struct drm_framebuffer *fb;
489 int ret;
490
491 if (!drm_core_check_feature(dev, DRIVER_MODESET))
492 return -EOPNOTSUPP;
493
494 if (r->pad)
495 return -EINVAL;
496
497 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
498 if (!fb)
499 return -ENOENT;
500
501 ret = drm_mode_closefb(fb, file_priv);
502 drm_framebuffer_put(fb);
503 return ret;
504}
505
506/**
507 * drm_mode_getfb - get FB info
508 * @dev: drm device for the ioctl
509 * @data: data pointer for the ioctl
510 * @file_priv: drm file for the ioctl call
511 *
512 * Lookup the FB given its ID and return info about it.
513 *
514 * Called by the user via ioctl.
515 *
516 * Returns:
517 * Zero on success, negative errno on failure.
518 */
519int drm_mode_getfb(struct drm_device *dev,
520 void *data, struct drm_file *file_priv)
521{
522 struct drm_mode_fb_cmd *r = data;
523 struct drm_framebuffer *fb;
524 int ret;
525
526 if (!drm_core_check_feature(dev, DRIVER_MODESET))
527 return -EOPNOTSUPP;
528
529 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
530 if (!fb)
531 return -ENOENT;
532
533 /* Multi-planar framebuffers need getfb2. */
534 if (fb->format->num_planes > 1) {
535 ret = -EINVAL;
536 goto out;
537 }
538
539 if (!fb->funcs->create_handle) {
540 ret = -ENODEV;
541 goto out;
542 }
543
544 r->height = fb->height;
545 r->width = fb->width;
546 r->depth = fb->format->depth;
547 r->bpp = drm_format_info_bpp(fb->format, 0);
548 r->pitch = fb->pitches[0];
549
550 /* GET_FB() is an unprivileged ioctl so we must not return a
551 * buffer-handle to non-master processes! For
552 * backwards-compatibility reasons, we cannot make GET_FB() privileged,
553 * so just return an invalid handle for non-masters.
554 */
555 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
556 r->handle = 0;
557 ret = 0;
558 goto out;
559 }
560
561 ret = fb->funcs->create_handle(fb, file_priv, &r->handle);
562
563out:
564 drm_framebuffer_put(fb);
565 return ret;
566}
567
568/**
569 * drm_mode_getfb2_ioctl - get extended FB info
570 * @dev: drm device for the ioctl
571 * @data: data pointer for the ioctl
572 * @file_priv: drm file for the ioctl call
573 *
574 * Lookup the FB given its ID and return info about it.
575 *
576 * Called by the user via ioctl.
577 *
578 * Returns:
579 * Zero on success, negative errno on failure.
580 */
581int drm_mode_getfb2_ioctl(struct drm_device *dev,
582 void *data, struct drm_file *file_priv)
583{
584 struct drm_mode_fb_cmd2 *r = data;
585 struct drm_framebuffer *fb;
586 unsigned int i;
587 int ret = 0;
588
589 if (!drm_core_check_feature(dev, DRIVER_MODESET))
590 return -EINVAL;
591
592 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
593 if (!fb)
594 return -ENOENT;
595
596 /* For multi-plane framebuffers, we require the driver to place the
597 * GEM objects directly in the drm_framebuffer. For single-plane
598 * framebuffers, we can fall back to create_handle.
599 */
600 if (!fb->obj[0] &&
601 (fb->format->num_planes > 1 || !fb->funcs->create_handle)) {
602 ret = -ENODEV;
603 goto out;
604 }
605
606 r->height = fb->height;
607 r->width = fb->width;
608 r->pixel_format = fb->format->format;
609
610 r->flags = 0;
611 if (!dev->mode_config.fb_modifiers_not_supported)
612 r->flags |= DRM_MODE_FB_MODIFIERS;
613
614 for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
615 r->handles[i] = 0;
616 r->pitches[i] = 0;
617 r->offsets[i] = 0;
618 r->modifier[i] = 0;
619 }
620
621 for (i = 0; i < fb->format->num_planes; i++) {
622 r->pitches[i] = fb->pitches[i];
623 r->offsets[i] = fb->offsets[i];
624 if (!dev->mode_config.fb_modifiers_not_supported)
625 r->modifier[i] = fb->modifier;
626 }
627
628 /* GET_FB2() is an unprivileged ioctl so we must not return a
629 * buffer-handle to non master/root processes! To match GET_FB()
630 * just return invalid handles (0) for non masters/root
631 * rather than making GET_FB2() privileged.
632 */
633 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
634 ret = 0;
635 goto out;
636 }
637
638 for (i = 0; i < fb->format->num_planes; i++) {
639 int j;
640
641 /* If we reuse the same object for multiple planes, also
642 * return the same handle.
643 */
644 for (j = 0; j < i; j++) {
645 if (fb->obj[i] == fb->obj[j]) {
646 r->handles[i] = r->handles[j];
647 break;
648 }
649 }
650
651 if (r->handles[i])
652 continue;
653
654 if (fb->obj[i]) {
655 ret = drm_gem_handle_create(file_priv, fb->obj[i],
656 &r->handles[i]);
657 } else {
658 WARN_ON(i > 0);
659 ret = fb->funcs->create_handle(fb, file_priv,
660 &r->handles[i]);
661 }
662
663 if (ret != 0)
664 goto out;
665 }
666
667out:
668 if (ret != 0) {
669 /* Delete any previously-created handles on failure. */
670 for (i = 0; i < ARRAY_SIZE(r->handles); i++) {
671 int j;
672
673 if (r->handles[i])
674 drm_gem_handle_delete(file_priv, r->handles[i]);
675
676 /* Zero out any handles identical to the one we just
677 * deleted.
678 */
679 for (j = i + 1; j < ARRAY_SIZE(r->handles); j++) {
680 if (r->handles[j] == r->handles[i])
681 r->handles[j] = 0;
682 }
683 }
684 }
685
686 drm_framebuffer_put(fb);
687 return ret;
688}
689
690/**
691 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
692 * @dev: drm device for the ioctl
693 * @data: data pointer for the ioctl
694 * @file_priv: drm file for the ioctl call
695 *
696 * Lookup the FB and flush out the damaged area supplied by userspace as a clip
697 * rectangle list. Generic userspace which does frontbuffer rendering must call
698 * this ioctl to flush out the changes on manual-update display outputs, e.g.
699 * usb display-link, mipi manual update panels or edp panel self refresh modes.
700 *
701 * Modesetting drivers which always update the frontbuffer do not need to
702 * implement the corresponding &drm_framebuffer_funcs.dirty callback.
703 *
704 * Called by the user via ioctl.
705 *
706 * Returns:
707 * Zero on success, negative errno on failure.
708 */
709int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
710 void *data, struct drm_file *file_priv)
711{
712 struct drm_clip_rect __user *clips_ptr;
713 struct drm_clip_rect *clips = NULL;
714 struct drm_mode_fb_dirty_cmd *r = data;
715 struct drm_framebuffer *fb;
716 unsigned flags;
717 int num_clips;
718 int ret;
719
720 if (!drm_core_check_feature(dev, DRIVER_MODESET))
721 return -EOPNOTSUPP;
722
723 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
724 if (!fb)
725 return -ENOENT;
726
727 num_clips = r->num_clips;
728 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
729
730 if (!num_clips != !clips_ptr) {
731 ret = -EINVAL;
732 goto out_err1;
733 }
734
735 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags;
736
737 /* If userspace annotates copy, clips must come in pairs */
738 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) {
739 ret = -EINVAL;
740 goto out_err1;
741 }
742
743 if (num_clips && clips_ptr) {
744 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
745 ret = -EINVAL;
746 goto out_err1;
747 }
748 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
749 if (!clips) {
750 ret = -ENOMEM;
751 goto out_err1;
752 }
753
754 ret = copy_from_user(clips, clips_ptr,
755 num_clips * sizeof(*clips));
756 if (ret) {
757 ret = -EFAULT;
758 goto out_err2;
759 }
760 }
761
762 if (fb->funcs->dirty) {
763 ret = fb->funcs->dirty(fb, file_priv, flags, r->color,
764 clips, num_clips);
765 } else {
766 ret = -ENOSYS;
767 }
768
769out_err2:
770 kfree(clips);
771out_err1:
772 drm_framebuffer_put(fb);
773
774 return ret;
775}
776
777/**
778 * drm_fb_release - remove and free the FBs on this file
779 * @priv: drm file for the ioctl
780 *
781 * Destroy all the FBs associated with @filp.
782 *
783 * Called by the user via ioctl.
784 *
785 * Returns:
786 * Zero on success, negative errno on failure.
787 */
788void drm_fb_release(struct drm_file *priv)
789{
790 struct drm_framebuffer *fb, *tfb;
791 struct drm_mode_rmfb_work arg;
792
793 INIT_LIST_HEAD(&arg.fbs);
794
795 /*
796 * When the file gets released that means no one else can access the fb
797 * list any more, so no need to grab fpriv->fbs_lock. And we need to
798 * avoid upsetting lockdep since the universal cursor code adds a
799 * framebuffer while holding mutex locks.
800 *
801 * Note that a real deadlock between fpriv->fbs_lock and the modeset
802 * locks is impossible here since no one else but this function can get
803 * at it any more.
804 */
805 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
806 if (drm_framebuffer_read_refcount(fb) > 1) {
807 list_move_tail(&fb->filp_head, &arg.fbs);
808 } else {
809 list_del_init(&fb->filp_head);
810
811 /* This drops the fpriv->fbs reference. */
812 drm_framebuffer_put(fb);
813 }
814 }
815
816 if (!list_empty(&arg.fbs)) {
817 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
818
819 schedule_work(&arg.work);
820 flush_work(&arg.work);
821 destroy_work_on_stack(&arg.work);
822 }
823}
824
825void drm_framebuffer_free(struct kref *kref)
826{
827 struct drm_framebuffer *fb =
828 container_of(kref, struct drm_framebuffer, base.refcount);
829 struct drm_device *dev = fb->dev;
830
831 drm_WARN_ON(dev, !list_empty(&fb->filp_head));
832
833 /*
834 * The lookup idr holds a weak reference, which has not necessarily been
835 * removed at this point. Check for that.
836 */
837 drm_mode_object_unregister(dev, &fb->base);
838
839 fb->funcs->destroy(fb);
840}
841
842/**
843 * drm_framebuffer_init - initialize a framebuffer
844 * @dev: DRM device
845 * @fb: framebuffer to be initialized
846 * @funcs: ... with these functions
847 *
848 * Allocates an ID for the framebuffer's parent mode object, sets its mode
849 * functions & device file and adds it to the master fd list.
850 *
851 * IMPORTANT:
852 * This functions publishes the fb and makes it available for concurrent access
853 * by other users. Which means by this point the fb _must_ be fully set up -
854 * since all the fb attributes are invariant over its lifetime, no further
855 * locking but only correct reference counting is required.
856 *
857 * Returns:
858 * Zero on success, error code on failure.
859 */
860int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
861 const struct drm_framebuffer_funcs *funcs)
862{
863 int ret;
864
865 if (WARN_ON_ONCE(fb->dev != dev || !fb->format))
866 return -EINVAL;
867
868 INIT_LIST_HEAD(&fb->filp_head);
869
870 fb->funcs = funcs;
871 strcpy(fb->comm, current->comm);
872
873 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB,
874 false, drm_framebuffer_free);
875 if (ret)
876 goto out;
877
878 mutex_lock(&dev->mode_config.fb_lock);
879 dev->mode_config.num_fb++;
880 list_add(&fb->head, &dev->mode_config.fb_list);
881 mutex_unlock(&dev->mode_config.fb_lock);
882
883 drm_mode_object_register(dev, &fb->base);
884out:
885 return ret;
886}
887EXPORT_SYMBOL(drm_framebuffer_init);
888
889/**
890 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
891 * @dev: drm device
892 * @file_priv: drm file to check for lease against.
893 * @id: id of the fb object
894 *
895 * If successful, this grabs an additional reference to the framebuffer -
896 * callers need to make sure to eventually unreference the returned framebuffer
897 * again, using drm_framebuffer_put().
898 */
899struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
900 struct drm_file *file_priv,
901 uint32_t id)
902{
903 struct drm_mode_object *obj;
904 struct drm_framebuffer *fb = NULL;
905
906 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB);
907 if (obj)
908 fb = obj_to_fb(obj);
909 return fb;
910}
911EXPORT_SYMBOL(drm_framebuffer_lookup);
912
913/**
914 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
915 * @fb: fb to unregister
916 *
917 * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
918 * those used for fbdev. Note that the caller must hold a reference of its own,
919 * i.e. the object may not be destroyed through this call (since it'll lead to a
920 * locking inversion).
921 *
922 * NOTE: This function is deprecated. For driver-private framebuffers it is not
923 * recommended to embed a framebuffer struct info fbdev struct, instead, a
924 * framebuffer pointer is preferred and drm_framebuffer_put() should be called
925 * when the framebuffer is to be cleaned up.
926 */
927void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
928{
929 struct drm_device *dev;
930
931 if (!fb)
932 return;
933
934 dev = fb->dev;
935
936 /* Mark fb as reaped and drop idr ref. */
937 drm_mode_object_unregister(dev, &fb->base);
938}
939EXPORT_SYMBOL(drm_framebuffer_unregister_private);
940
941/**
942 * drm_framebuffer_cleanup - remove a framebuffer object
943 * @fb: framebuffer to remove
944 *
945 * Cleanup framebuffer. This function is intended to be used from the drivers
946 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up
947 * driver private framebuffers embedded into a larger structure.
948 *
949 * Note that this function does not remove the fb from active usage - if it is
950 * still used anywhere, hilarity can ensue since userspace could call getfb on
951 * the id and get back -EINVAL. Obviously no concern at driver unload time.
952 *
953 * Also, the framebuffer will not be removed from the lookup idr - for
954 * user-created framebuffers this will happen in the rmfb ioctl. For
955 * driver-private objects (e.g. for fbdev) drivers need to explicitly call
956 * drm_framebuffer_unregister_private.
957 */
958void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
959{
960 struct drm_device *dev = fb->dev;
961
962 mutex_lock(&dev->mode_config.fb_lock);
963 list_del(&fb->head);
964 dev->mode_config.num_fb--;
965 mutex_unlock(&dev->mode_config.fb_lock);
966}
967EXPORT_SYMBOL(drm_framebuffer_cleanup);
968
969static int atomic_remove_fb(struct drm_framebuffer *fb)
970{
971 struct drm_modeset_acquire_ctx ctx;
972 struct drm_device *dev = fb->dev;
973 struct drm_atomic_state *state;
974 struct drm_plane *plane;
975 struct drm_connector *conn __maybe_unused;
976 struct drm_connector_state *conn_state;
977 int i, ret;
978 unsigned plane_mask;
979 bool disable_crtcs = false;
980
981retry_disable:
982 drm_modeset_acquire_init(&ctx, 0);
983
984 state = drm_atomic_state_alloc(dev);
985 if (!state) {
986 ret = -ENOMEM;
987 goto out;
988 }
989 state->acquire_ctx = &ctx;
990
991retry:
992 plane_mask = 0;
993 ret = drm_modeset_lock_all_ctx(dev, &ctx);
994 if (ret)
995 goto unlock;
996
997 drm_for_each_plane(plane, dev) {
998 struct drm_plane_state *plane_state;
999
1000 if (plane->state->fb != fb)
1001 continue;
1002
1003 drm_dbg_kms(dev,
1004 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
1005 plane->base.id, plane->name, fb->base.id);
1006
1007 plane_state = drm_atomic_get_plane_state(state, plane);
1008 if (IS_ERR(plane_state)) {
1009 ret = PTR_ERR(plane_state);
1010 goto unlock;
1011 }
1012
1013 if (disable_crtcs && plane_state->crtc->primary == plane) {
1014 struct drm_crtc_state *crtc_state;
1015
1016 drm_dbg_kms(dev,
1017 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
1018 plane_state->crtc->base.id,
1019 plane_state->crtc->name, fb->base.id);
1020
1021 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc);
1022
1023 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc);
1024 if (ret)
1025 goto unlock;
1026
1027 crtc_state->active = false;
1028 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL);
1029 if (ret)
1030 goto unlock;
1031 }
1032
1033 drm_atomic_set_fb_for_plane(plane_state, NULL);
1034 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL);
1035 if (ret)
1036 goto unlock;
1037
1038 plane_mask |= drm_plane_mask(plane);
1039 }
1040
1041 /* This list is only filled when disable_crtcs is set. */
1042 for_each_new_connector_in_state(state, conn, conn_state, i) {
1043 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL);
1044
1045 if (ret)
1046 goto unlock;
1047 }
1048
1049 if (plane_mask)
1050 ret = drm_atomic_commit(state);
1051
1052unlock:
1053 if (ret == -EDEADLK) {
1054 drm_atomic_state_clear(state);
1055 drm_modeset_backoff(&ctx);
1056 goto retry;
1057 }
1058
1059 drm_atomic_state_put(state);
1060
1061out:
1062 drm_modeset_drop_locks(&ctx);
1063 drm_modeset_acquire_fini(&ctx);
1064
1065 if (ret == -EINVAL && !disable_crtcs) {
1066 disable_crtcs = true;
1067 goto retry_disable;
1068 }
1069
1070 return ret;
1071}
1072
1073static void legacy_remove_fb(struct drm_framebuffer *fb)
1074{
1075 struct drm_device *dev = fb->dev;
1076 struct drm_crtc *crtc;
1077 struct drm_plane *plane;
1078
1079 drm_modeset_lock_all(dev);
1080 /* remove from any CRTC */
1081 drm_for_each_crtc(crtc, dev) {
1082 if (crtc->primary->fb == fb) {
1083 drm_dbg_kms(dev,
1084 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n",
1085 crtc->base.id, crtc->name, fb->base.id);
1086
1087 /* should turn off the crtc */
1088 if (drm_crtc_force_disable(crtc))
1089 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
1090 }
1091 }
1092
1093 drm_for_each_plane(plane, dev) {
1094 if (plane->fb == fb) {
1095 drm_dbg_kms(dev,
1096 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n",
1097 plane->base.id, plane->name, fb->base.id);
1098 drm_plane_force_disable(plane);
1099 }
1100 }
1101 drm_modeset_unlock_all(dev);
1102}
1103
1104/**
1105 * drm_framebuffer_remove - remove and unreference a framebuffer object
1106 * @fb: framebuffer to remove
1107 *
1108 * Scans all the CRTCs and planes in @dev's mode_config. If they're
1109 * using @fb, removes it, setting it to NULL. Then drops the reference to the
1110 * passed-in framebuffer. Might take the modeset locks.
1111 *
1112 * Note that this function optimizes the cleanup away if the caller holds the
1113 * last reference to the framebuffer. It is also guaranteed to not take the
1114 * modeset locks in this case.
1115 */
1116void drm_framebuffer_remove(struct drm_framebuffer *fb)
1117{
1118 struct drm_device *dev;
1119
1120 if (!fb)
1121 return;
1122
1123 dev = fb->dev;
1124
1125 drm_WARN_ON(dev, !list_empty(&fb->filp_head));
1126
1127 /*
1128 * drm ABI mandates that we remove any deleted framebuffers from active
1129 * usage. But since most sane clients only remove framebuffers they no
1130 * longer need, try to optimize this away.
1131 *
1132 * Since we're holding a reference ourselves, observing a refcount of 1
1133 * means that we're the last holder and can skip it. Also, the refcount
1134 * can never increase from 1 again, so we don't need any barriers or
1135 * locks.
1136 *
1137 * Note that userspace could try to race with use and instate a new
1138 * usage _after_ we've cleared all current ones. End result will be an
1139 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot
1140 * in this manner.
1141 */
1142 if (drm_framebuffer_read_refcount(fb) > 1) {
1143 if (drm_drv_uses_atomic_modeset(dev)) {
1144 int ret = atomic_remove_fb(fb);
1145
1146 WARN(ret, "atomic remove_fb failed with %i\n", ret);
1147 } else
1148 legacy_remove_fb(fb);
1149 }
1150
1151 drm_framebuffer_put(fb);
1152}
1153EXPORT_SYMBOL(drm_framebuffer_remove);
1154
1155void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent,
1156 const struct drm_framebuffer *fb)
1157{
1158 unsigned int i;
1159
1160 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm);
1161 drm_printf_indent(p, indent, "refcount=%u\n",
1162 drm_framebuffer_read_refcount(fb));
1163 drm_printf_indent(p, indent, "format=%p4cc\n", &fb->format->format);
1164 drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier);
1165 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height);
1166 drm_printf_indent(p, indent, "layers:\n");
1167
1168 for (i = 0; i < fb->format->num_planes; i++) {
1169 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i,
1170 drm_format_info_plane_width(fb->format, fb->width, i),
1171 drm_format_info_plane_height(fb->format, fb->height, i));
1172 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]);
1173 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]);
1174 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i,
1175 fb->obj[i] ? "" : "(null)");
1176 if (fb->obj[i])
1177 drm_gem_print_info(p, indent + 2, fb->obj[i]);
1178 }
1179}
1180
1181#ifdef CONFIG_DEBUG_FS
1182static int drm_framebuffer_info(struct seq_file *m, void *data)
1183{
1184 struct drm_debugfs_entry *entry = m->private;
1185 struct drm_device *dev = entry->dev;
1186 struct drm_printer p = drm_seq_file_printer(m);
1187 struct drm_framebuffer *fb;
1188
1189 mutex_lock(&dev->mode_config.fb_lock);
1190 drm_for_each_fb(fb, dev) {
1191 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id);
1192 drm_framebuffer_print_info(&p, 1, fb);
1193 }
1194 mutex_unlock(&dev->mode_config.fb_lock);
1195
1196 return 0;
1197}
1198
1199static const struct drm_debugfs_info drm_framebuffer_debugfs_list[] = {
1200 { "framebuffer", drm_framebuffer_info, 0 },
1201};
1202
1203void drm_framebuffer_debugfs_init(struct drm_device *dev)
1204{
1205 drm_debugfs_add_files(dev, drm_framebuffer_debugfs_list,
1206 ARRAY_SIZE(drm_framebuffer_debugfs_list));
1207}
1208#endif
1/*
2 * Copyright (c) 2016 Intel Corporation
3 *
4 * Permission to use, copy, modify, distribute, and sell this software and its
5 * documentation for any purpose is hereby granted without fee, provided that
6 * the above copyright notice appear in all copies and that both that copyright
7 * notice and this permission notice appear in supporting documentation, and
8 * that the name of the copyright holders not be used in advertising or
9 * publicity pertaining to distribution of the software without specific,
10 * written prior permission. The copyright holders make no representations
11 * about the suitability of this software for any purpose. It is provided "as
12 * is" without express or implied warranty.
13 *
14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
20 * OF THIS SOFTWARE.
21 */
22
23#include <linux/export.h>
24#include <drm/drmP.h>
25#include <drm/drm_auth.h>
26#include <drm/drm_framebuffer.h>
27
28#include "drm_crtc_internal.h"
29
30/**
31 * DOC: overview
32 *
33 * Frame buffers are abstract memory objects that provide a source of pixels to
34 * scanout to a CRTC. Applications explicitly request the creation of frame
35 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
36 * handle that can be passed to the KMS CRTC control, plane configuration and
37 * page flip functions.
38 *
39 * Frame buffers rely on the underlying memory manager for allocating backing
40 * storage. When creating a frame buffer applications pass a memory handle
41 * (or a list of memory handles for multi-planar formats) through the
42 * struct &drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
43 * buffer management interface this would be a GEM handle. Drivers are however
44 * free to use their own backing storage object handles, e.g. vmwgfx directly
45 * exposes special TTM handles to userspace and so expects TTM handles in the
46 * create ioctl and not GEM handles.
47 *
48 * Framebuffers are tracked with struct &drm_framebuffer. They are published
49 * using drm_framebuffer_init() - after calling that function userspace can use
50 * and access the framebuffer object. The helper function
51 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
52 * metadata fields.
53 *
54 * The lifetime of a drm framebuffer is controlled with a reference count,
55 * drivers can grab additional references with drm_framebuffer_reference() and
56 * drop them again with drm_framebuffer_unreference(). For driver-private
57 * framebuffers for which the last reference is never dropped (e.g. for the
58 * fbdev framebuffer when the struct struct &drm_framebuffer is embedded into
59 * the fbdev helper struct) drivers can manually clean up a framebuffer at
60 * module unload time with drm_framebuffer_unregister_private(). But doing this
61 * is not recommended, and it's better to have a normal free-standing struct
62 * &drm_framebuffer.
63 */
64
65int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
66 uint32_t src_w, uint32_t src_h,
67 const struct drm_framebuffer *fb)
68{
69 unsigned int fb_width, fb_height;
70
71 fb_width = fb->width << 16;
72 fb_height = fb->height << 16;
73
74 /* Make sure source coordinates are inside the fb. */
75 if (src_w > fb_width ||
76 src_x > fb_width - src_w ||
77 src_h > fb_height ||
78 src_y > fb_height - src_h) {
79 DRM_DEBUG_KMS("Invalid source coordinates "
80 "%u.%06ux%u.%06u+%u.%06u+%u.%06u\n",
81 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
82 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
83 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
84 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10);
85 return -ENOSPC;
86 }
87
88 return 0;
89}
90
91/**
92 * drm_mode_addfb - add an FB to the graphics configuration
93 * @dev: drm device for the ioctl
94 * @data: data pointer for the ioctl
95 * @file_priv: drm file for the ioctl call
96 *
97 * Add a new FB to the specified CRTC, given a user request. This is the
98 * original addfb ioctl which only supported RGB formats.
99 *
100 * Called by the user via ioctl.
101 *
102 * Returns:
103 * Zero on success, negative errno on failure.
104 */
105int drm_mode_addfb(struct drm_device *dev,
106 void *data, struct drm_file *file_priv)
107{
108 struct drm_mode_fb_cmd *or = data;
109 struct drm_mode_fb_cmd2 r = {};
110 int ret;
111
112 /* convert to new format and call new ioctl */
113 r.fb_id = or->fb_id;
114 r.width = or->width;
115 r.height = or->height;
116 r.pitches[0] = or->pitch;
117 r.pixel_format = drm_mode_legacy_fb_format(or->bpp, or->depth);
118 r.handles[0] = or->handle;
119
120 ret = drm_mode_addfb2(dev, &r, file_priv);
121 if (ret)
122 return ret;
123
124 or->fb_id = r.fb_id;
125
126 return 0;
127}
128
129static int framebuffer_check(const struct drm_mode_fb_cmd2 *r)
130{
131 const struct drm_format_info *info;
132 int i;
133
134 info = __drm_format_info(r->pixel_format & ~DRM_FORMAT_BIG_ENDIAN);
135 if (!info) {
136 struct drm_format_name_buf format_name;
137 DRM_DEBUG_KMS("bad framebuffer format %s\n",
138 drm_get_format_name(r->pixel_format,
139 &format_name));
140 return -EINVAL;
141 }
142
143 if (r->width == 0 || r->width % info->hsub) {
144 DRM_DEBUG_KMS("bad framebuffer width %u\n", r->width);
145 return -EINVAL;
146 }
147
148 if (r->height == 0 || r->height % info->vsub) {
149 DRM_DEBUG_KMS("bad framebuffer height %u\n", r->height);
150 return -EINVAL;
151 }
152
153 for (i = 0; i < info->num_planes; i++) {
154 unsigned int width = r->width / (i != 0 ? info->hsub : 1);
155 unsigned int height = r->height / (i != 0 ? info->vsub : 1);
156 unsigned int cpp = info->cpp[i];
157
158 if (!r->handles[i]) {
159 DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i);
160 return -EINVAL;
161 }
162
163 if ((uint64_t) width * cpp > UINT_MAX)
164 return -ERANGE;
165
166 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
167 return -ERANGE;
168
169 if (r->pitches[i] < width * cpp) {
170 DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i);
171 return -EINVAL;
172 }
173
174 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
175 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n",
176 r->modifier[i], i);
177 return -EINVAL;
178 }
179
180 if (r->flags & DRM_MODE_FB_MODIFIERS &&
181 r->modifier[i] != r->modifier[0]) {
182 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n",
183 r->modifier[i], i);
184 return -EINVAL;
185 }
186
187 /* modifier specific checks: */
188 switch (r->modifier[i]) {
189 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE:
190 /* NOTE: the pitch restriction may be lifted later if it turns
191 * out that no hw has this restriction:
192 */
193 if (r->pixel_format != DRM_FORMAT_NV12 ||
194 width % 128 || height % 32 ||
195 r->pitches[i] % 128) {
196 DRM_DEBUG_KMS("bad modifier data for plane %d\n", i);
197 return -EINVAL;
198 }
199 break;
200
201 default:
202 break;
203 }
204 }
205
206 for (i = info->num_planes; i < 4; i++) {
207 if (r->modifier[i]) {
208 DRM_DEBUG_KMS("non-zero modifier for unused plane %d\n", i);
209 return -EINVAL;
210 }
211
212 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
213 if (!(r->flags & DRM_MODE_FB_MODIFIERS))
214 continue;
215
216 if (r->handles[i]) {
217 DRM_DEBUG_KMS("buffer object handle for unused plane %d\n", i);
218 return -EINVAL;
219 }
220
221 if (r->pitches[i]) {
222 DRM_DEBUG_KMS("non-zero pitch for unused plane %d\n", i);
223 return -EINVAL;
224 }
225
226 if (r->offsets[i]) {
227 DRM_DEBUG_KMS("non-zero offset for unused plane %d\n", i);
228 return -EINVAL;
229 }
230 }
231
232 return 0;
233}
234
235struct drm_framebuffer *
236drm_internal_framebuffer_create(struct drm_device *dev,
237 const struct drm_mode_fb_cmd2 *r,
238 struct drm_file *file_priv)
239{
240 struct drm_mode_config *config = &dev->mode_config;
241 struct drm_framebuffer *fb;
242 int ret;
243
244 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) {
245 DRM_DEBUG_KMS("bad framebuffer flags 0x%08x\n", r->flags);
246 return ERR_PTR(-EINVAL);
247 }
248
249 if ((config->min_width > r->width) || (r->width > config->max_width)) {
250 DRM_DEBUG_KMS("bad framebuffer width %d, should be >= %d && <= %d\n",
251 r->width, config->min_width, config->max_width);
252 return ERR_PTR(-EINVAL);
253 }
254 if ((config->min_height > r->height) || (r->height > config->max_height)) {
255 DRM_DEBUG_KMS("bad framebuffer height %d, should be >= %d && <= %d\n",
256 r->height, config->min_height, config->max_height);
257 return ERR_PTR(-EINVAL);
258 }
259
260 if (r->flags & DRM_MODE_FB_MODIFIERS &&
261 !dev->mode_config.allow_fb_modifiers) {
262 DRM_DEBUG_KMS("driver does not support fb modifiers\n");
263 return ERR_PTR(-EINVAL);
264 }
265
266 ret = framebuffer_check(r);
267 if (ret)
268 return ERR_PTR(ret);
269
270 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r);
271 if (IS_ERR(fb)) {
272 DRM_DEBUG_KMS("could not create framebuffer\n");
273 return fb;
274 }
275
276 return fb;
277}
278
279/**
280 * drm_mode_addfb2 - add an FB to the graphics configuration
281 * @dev: drm device for the ioctl
282 * @data: data pointer for the ioctl
283 * @file_priv: drm file for the ioctl call
284 *
285 * Add a new FB to the specified CRTC, given a user request with format. This is
286 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers
287 * and uses fourcc codes as pixel format specifiers.
288 *
289 * Called by the user via ioctl.
290 *
291 * Returns:
292 * Zero on success, negative errno on failure.
293 */
294int drm_mode_addfb2(struct drm_device *dev,
295 void *data, struct drm_file *file_priv)
296{
297 struct drm_mode_fb_cmd2 *r = data;
298 struct drm_framebuffer *fb;
299
300 if (!drm_core_check_feature(dev, DRIVER_MODESET))
301 return -EINVAL;
302
303 fb = drm_internal_framebuffer_create(dev, r, file_priv);
304 if (IS_ERR(fb))
305 return PTR_ERR(fb);
306
307 DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id);
308 r->fb_id = fb->base.id;
309
310 /* Transfer ownership to the filp for reaping on close */
311 mutex_lock(&file_priv->fbs_lock);
312 list_add(&fb->filp_head, &file_priv->fbs);
313 mutex_unlock(&file_priv->fbs_lock);
314
315 return 0;
316}
317
318struct drm_mode_rmfb_work {
319 struct work_struct work;
320 struct list_head fbs;
321};
322
323static void drm_mode_rmfb_work_fn(struct work_struct *w)
324{
325 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
326
327 while (!list_empty(&arg->fbs)) {
328 struct drm_framebuffer *fb =
329 list_first_entry(&arg->fbs, typeof(*fb), filp_head);
330
331 list_del_init(&fb->filp_head);
332 drm_framebuffer_remove(fb);
333 }
334}
335
336/**
337 * drm_mode_rmfb - remove an FB from the configuration
338 * @dev: drm device for the ioctl
339 * @data: data pointer for the ioctl
340 * @file_priv: drm file for the ioctl call
341 *
342 * Remove the FB specified by the user.
343 *
344 * Called by the user via ioctl.
345 *
346 * Returns:
347 * Zero on success, negative errno on failure.
348 */
349int drm_mode_rmfb(struct drm_device *dev,
350 void *data, struct drm_file *file_priv)
351{
352 struct drm_framebuffer *fb = NULL;
353 struct drm_framebuffer *fbl = NULL;
354 uint32_t *id = data;
355 int found = 0;
356
357 if (!drm_core_check_feature(dev, DRIVER_MODESET))
358 return -EINVAL;
359
360 fb = drm_framebuffer_lookup(dev, *id);
361 if (!fb)
362 return -ENOENT;
363
364 mutex_lock(&file_priv->fbs_lock);
365 list_for_each_entry(fbl, &file_priv->fbs, filp_head)
366 if (fb == fbl)
367 found = 1;
368 if (!found) {
369 mutex_unlock(&file_priv->fbs_lock);
370 goto fail_unref;
371 }
372
373 list_del_init(&fb->filp_head);
374 mutex_unlock(&file_priv->fbs_lock);
375
376 /* drop the reference we picked up in framebuffer lookup */
377 drm_framebuffer_unreference(fb);
378
379 /*
380 * we now own the reference that was stored in the fbs list
381 *
382 * drm_framebuffer_remove may fail with -EINTR on pending signals,
383 * so run this in a separate stack as there's no way to correctly
384 * handle this after the fb is already removed from the lookup table.
385 */
386 if (drm_framebuffer_read_refcount(fb) > 1) {
387 struct drm_mode_rmfb_work arg;
388
389 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
390 INIT_LIST_HEAD(&arg.fbs);
391 list_add_tail(&fb->filp_head, &arg.fbs);
392
393 schedule_work(&arg.work);
394 flush_work(&arg.work);
395 destroy_work_on_stack(&arg.work);
396 } else
397 drm_framebuffer_unreference(fb);
398
399 return 0;
400
401fail_unref:
402 drm_framebuffer_unreference(fb);
403 return -ENOENT;
404}
405
406/**
407 * drm_mode_getfb - get FB info
408 * @dev: drm device for the ioctl
409 * @data: data pointer for the ioctl
410 * @file_priv: drm file for the ioctl call
411 *
412 * Lookup the FB given its ID and return info about it.
413 *
414 * Called by the user via ioctl.
415 *
416 * Returns:
417 * Zero on success, negative errno on failure.
418 */
419int drm_mode_getfb(struct drm_device *dev,
420 void *data, struct drm_file *file_priv)
421{
422 struct drm_mode_fb_cmd *r = data;
423 struct drm_framebuffer *fb;
424 int ret;
425
426 if (!drm_core_check_feature(dev, DRIVER_MODESET))
427 return -EINVAL;
428
429 fb = drm_framebuffer_lookup(dev, r->fb_id);
430 if (!fb)
431 return -ENOENT;
432
433 r->height = fb->height;
434 r->width = fb->width;
435 r->depth = fb->depth;
436 r->bpp = fb->bits_per_pixel;
437 r->pitch = fb->pitches[0];
438 if (fb->funcs->create_handle) {
439 if (drm_is_current_master(file_priv) || capable(CAP_SYS_ADMIN) ||
440 drm_is_control_client(file_priv)) {
441 ret = fb->funcs->create_handle(fb, file_priv,
442 &r->handle);
443 } else {
444 /* GET_FB() is an unprivileged ioctl so we must not
445 * return a buffer-handle to non-master processes! For
446 * backwards-compatibility reasons, we cannot make
447 * GET_FB() privileged, so just return an invalid handle
448 * for non-masters. */
449 r->handle = 0;
450 ret = 0;
451 }
452 } else {
453 ret = -ENODEV;
454 }
455
456 drm_framebuffer_unreference(fb);
457
458 return ret;
459}
460
461/**
462 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
463 * @dev: drm device for the ioctl
464 * @data: data pointer for the ioctl
465 * @file_priv: drm file for the ioctl call
466 *
467 * Lookup the FB and flush out the damaged area supplied by userspace as a clip
468 * rectangle list. Generic userspace which does frontbuffer rendering must call
469 * this ioctl to flush out the changes on manual-update display outputs, e.g.
470 * usb display-link, mipi manual update panels or edp panel self refresh modes.
471 *
472 * Modesetting drivers which always update the frontbuffer do not need to
473 * implement the corresponding ->dirty framebuffer callback.
474 *
475 * Called by the user via ioctl.
476 *
477 * Returns:
478 * Zero on success, negative errno on failure.
479 */
480int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
481 void *data, struct drm_file *file_priv)
482{
483 struct drm_clip_rect __user *clips_ptr;
484 struct drm_clip_rect *clips = NULL;
485 struct drm_mode_fb_dirty_cmd *r = data;
486 struct drm_framebuffer *fb;
487 unsigned flags;
488 int num_clips;
489 int ret;
490
491 if (!drm_core_check_feature(dev, DRIVER_MODESET))
492 return -EINVAL;
493
494 fb = drm_framebuffer_lookup(dev, r->fb_id);
495 if (!fb)
496 return -ENOENT;
497
498 num_clips = r->num_clips;
499 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
500
501 if (!num_clips != !clips_ptr) {
502 ret = -EINVAL;
503 goto out_err1;
504 }
505
506 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags;
507
508 /* If userspace annotates copy, clips must come in pairs */
509 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) {
510 ret = -EINVAL;
511 goto out_err1;
512 }
513
514 if (num_clips && clips_ptr) {
515 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
516 ret = -EINVAL;
517 goto out_err1;
518 }
519 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
520 if (!clips) {
521 ret = -ENOMEM;
522 goto out_err1;
523 }
524
525 ret = copy_from_user(clips, clips_ptr,
526 num_clips * sizeof(*clips));
527 if (ret) {
528 ret = -EFAULT;
529 goto out_err2;
530 }
531 }
532
533 if (fb->funcs->dirty) {
534 ret = fb->funcs->dirty(fb, file_priv, flags, r->color,
535 clips, num_clips);
536 } else {
537 ret = -ENOSYS;
538 }
539
540out_err2:
541 kfree(clips);
542out_err1:
543 drm_framebuffer_unreference(fb);
544
545 return ret;
546}
547
548/**
549 * drm_fb_release - remove and free the FBs on this file
550 * @priv: drm file for the ioctl
551 *
552 * Destroy all the FBs associated with @filp.
553 *
554 * Called by the user via ioctl.
555 *
556 * Returns:
557 * Zero on success, negative errno on failure.
558 */
559void drm_fb_release(struct drm_file *priv)
560{
561 struct drm_framebuffer *fb, *tfb;
562 struct drm_mode_rmfb_work arg;
563
564 INIT_LIST_HEAD(&arg.fbs);
565
566 /*
567 * When the file gets released that means no one else can access the fb
568 * list any more, so no need to grab fpriv->fbs_lock. And we need to
569 * avoid upsetting lockdep since the universal cursor code adds a
570 * framebuffer while holding mutex locks.
571 *
572 * Note that a real deadlock between fpriv->fbs_lock and the modeset
573 * locks is impossible here since no one else but this function can get
574 * at it any more.
575 */
576 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
577 if (drm_framebuffer_read_refcount(fb) > 1) {
578 list_move_tail(&fb->filp_head, &arg.fbs);
579 } else {
580 list_del_init(&fb->filp_head);
581
582 /* This drops the fpriv->fbs reference. */
583 drm_framebuffer_unreference(fb);
584 }
585 }
586
587 if (!list_empty(&arg.fbs)) {
588 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
589
590 schedule_work(&arg.work);
591 flush_work(&arg.work);
592 destroy_work_on_stack(&arg.work);
593 }
594}
595
596void drm_framebuffer_free(struct kref *kref)
597{
598 struct drm_framebuffer *fb =
599 container_of(kref, struct drm_framebuffer, base.refcount);
600 struct drm_device *dev = fb->dev;
601
602 /*
603 * The lookup idr holds a weak reference, which has not necessarily been
604 * removed at this point. Check for that.
605 */
606 drm_mode_object_unregister(dev, &fb->base);
607
608 fb->funcs->destroy(fb);
609}
610
611/**
612 * drm_framebuffer_init - initialize a framebuffer
613 * @dev: DRM device
614 * @fb: framebuffer to be initialized
615 * @funcs: ... with these functions
616 *
617 * Allocates an ID for the framebuffer's parent mode object, sets its mode
618 * functions & device file and adds it to the master fd list.
619 *
620 * IMPORTANT:
621 * This functions publishes the fb and makes it available for concurrent access
622 * by other users. Which means by this point the fb _must_ be fully set up -
623 * since all the fb attributes are invariant over its lifetime, no further
624 * locking but only correct reference counting is required.
625 *
626 * Returns:
627 * Zero on success, error code on failure.
628 */
629int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
630 const struct drm_framebuffer_funcs *funcs)
631{
632 int ret;
633
634 INIT_LIST_HEAD(&fb->filp_head);
635 fb->dev = dev;
636 fb->funcs = funcs;
637
638 ret = drm_mode_object_get_reg(dev, &fb->base, DRM_MODE_OBJECT_FB,
639 false, drm_framebuffer_free);
640 if (ret)
641 goto out;
642
643 mutex_lock(&dev->mode_config.fb_lock);
644 dev->mode_config.num_fb++;
645 list_add(&fb->head, &dev->mode_config.fb_list);
646 mutex_unlock(&dev->mode_config.fb_lock);
647
648 drm_mode_object_register(dev, &fb->base);
649out:
650 return ret;
651}
652EXPORT_SYMBOL(drm_framebuffer_init);
653
654/**
655 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
656 * @dev: drm device
657 * @id: id of the fb object
658 *
659 * If successful, this grabs an additional reference to the framebuffer -
660 * callers need to make sure to eventually unreference the returned framebuffer
661 * again, using @drm_framebuffer_unreference.
662 */
663struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
664 uint32_t id)
665{
666 struct drm_mode_object *obj;
667 struct drm_framebuffer *fb = NULL;
668
669 obj = __drm_mode_object_find(dev, id, DRM_MODE_OBJECT_FB);
670 if (obj)
671 fb = obj_to_fb(obj);
672 return fb;
673}
674EXPORT_SYMBOL(drm_framebuffer_lookup);
675
676/**
677 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
678 * @fb: fb to unregister
679 *
680 * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
681 * those used for fbdev. Note that the caller must hold a reference of it's own,
682 * i.e. the object may not be destroyed through this call (since it'll lead to a
683 * locking inversion).
684 *
685 * NOTE: This function is deprecated. For driver-private framebuffers it is not
686 * recommended to embed a framebuffer struct info fbdev struct, instead, a
687 * framebuffer pointer is preferred and drm_framebuffer_unreference() should be
688 * called when the framebuffer is to be cleaned up.
689 */
690void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
691{
692 struct drm_device *dev;
693
694 if (!fb)
695 return;
696
697 dev = fb->dev;
698
699 /* Mark fb as reaped and drop idr ref. */
700 drm_mode_object_unregister(dev, &fb->base);
701}
702EXPORT_SYMBOL(drm_framebuffer_unregister_private);
703
704/**
705 * drm_framebuffer_cleanup - remove a framebuffer object
706 * @fb: framebuffer to remove
707 *
708 * Cleanup framebuffer. This function is intended to be used from the drivers
709 * ->destroy callback. It can also be used to clean up driver private
710 * framebuffers embedded into a larger structure.
711 *
712 * Note that this function does not remove the fb from active usuage - if it is
713 * still used anywhere, hilarity can ensue since userspace could call getfb on
714 * the id and get back -EINVAL. Obviously no concern at driver unload time.
715 *
716 * Also, the framebuffer will not be removed from the lookup idr - for
717 * user-created framebuffers this will happen in in the rmfb ioctl. For
718 * driver-private objects (e.g. for fbdev) drivers need to explicitly call
719 * drm_framebuffer_unregister_private.
720 */
721void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
722{
723 struct drm_device *dev = fb->dev;
724
725 mutex_lock(&dev->mode_config.fb_lock);
726 list_del(&fb->head);
727 dev->mode_config.num_fb--;
728 mutex_unlock(&dev->mode_config.fb_lock);
729}
730EXPORT_SYMBOL(drm_framebuffer_cleanup);
731
732/**
733 * drm_framebuffer_remove - remove and unreference a framebuffer object
734 * @fb: framebuffer to remove
735 *
736 * Scans all the CRTCs and planes in @dev's mode_config. If they're
737 * using @fb, removes it, setting it to NULL. Then drops the reference to the
738 * passed-in framebuffer. Might take the modeset locks.
739 *
740 * Note that this function optimizes the cleanup away if the caller holds the
741 * last reference to the framebuffer. It is also guaranteed to not take the
742 * modeset locks in this case.
743 */
744void drm_framebuffer_remove(struct drm_framebuffer *fb)
745{
746 struct drm_device *dev;
747 struct drm_crtc *crtc;
748 struct drm_plane *plane;
749
750 if (!fb)
751 return;
752
753 dev = fb->dev;
754
755 WARN_ON(!list_empty(&fb->filp_head));
756
757 /*
758 * drm ABI mandates that we remove any deleted framebuffers from active
759 * useage. But since most sane clients only remove framebuffers they no
760 * longer need, try to optimize this away.
761 *
762 * Since we're holding a reference ourselves, observing a refcount of 1
763 * means that we're the last holder and can skip it. Also, the refcount
764 * can never increase from 1 again, so we don't need any barriers or
765 * locks.
766 *
767 * Note that userspace could try to race with use and instate a new
768 * usage _after_ we've cleared all current ones. End result will be an
769 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot
770 * in this manner.
771 */
772 if (drm_framebuffer_read_refcount(fb) > 1) {
773 drm_modeset_lock_all(dev);
774 /* remove from any CRTC */
775 drm_for_each_crtc(crtc, dev) {
776 if (crtc->primary->fb == fb) {
777 /* should turn off the crtc */
778 if (drm_crtc_force_disable(crtc))
779 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
780 }
781 }
782
783 drm_for_each_plane(plane, dev) {
784 if (plane->fb == fb)
785 drm_plane_force_disable(plane);
786 }
787 drm_modeset_unlock_all(dev);
788 }
789
790 drm_framebuffer_unreference(fb);
791}
792EXPORT_SYMBOL(drm_framebuffer_remove);