1 /* $NetBSD: drm_framebuffer.c,v 1.6 2021/12/19 09:47:44 riastradh Exp $ */
2
3 /*
4 * Copyright (c) 2016 Intel Corporation
5 *
6 * Permission to use, copy, modify, distribute, and sell this software and its
7 * documentation for any purpose is hereby granted without fee, provided that
8 * the above copyright notice appear in all copies and that both that copyright
9 * notice and this permission notice appear in supporting documentation, and
10 * that the name of the copyright holders not be used in advertising or
11 * publicity pertaining to distribution of the software without specific,
12 * written prior permission. The copyright holders make no representations
13 * about the suitability of this software for any purpose. It is provided "as
14 * is" without express or implied warranty.
15 *
16 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
17 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
18 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR
19 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
20 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
21 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
22 * OF THIS SOFTWARE.
23 */
24
25 #include <sys/cdefs.h>
26 __KERNEL_RCSID(0, "$NetBSD: drm_framebuffer.c,v 1.6 2021/12/19 09:47:44 riastradh Exp $");
27
28 #include <linux/export.h>
29 #include <linux/capability.h>
30 #include <linux/uaccess.h>
31
32 #include <drm/drm_atomic.h>
33 #include <drm/drm_atomic_uapi.h>
34 #include <drm/drm_auth.h>
35 #include <drm/drm_debugfs.h>
36 #include <drm/drm_drv.h>
37 #include <drm/drm_file.h>
38 #include <drm/drm_fourcc.h>
39 #include <drm/drm_framebuffer.h>
40 #include <drm/drm_print.h>
41 #include <drm/drm_util.h>
42
43 #include "drm_crtc_internal.h"
44 #include "drm_internal.h"
45
46 /**
47 * DOC: overview
48 *
49 * Frame buffers are abstract memory objects that provide a source of pixels to
50 * scanout to a CRTC. Applications explicitly request the creation of frame
51 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque
52 * handle that can be passed to the KMS CRTC control, plane configuration and
53 * page flip functions.
54 *
55 * Frame buffers rely on the underlying memory manager for allocating backing
56 * storage. When creating a frame buffer applications pass a memory handle
57 * (or a list of memory handles for multi-planar formats) through the
58 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace
59 * buffer management interface this would be a GEM handle. Drivers are however
60 * free to use their own backing storage object handles, e.g. vmwgfx directly
61 * exposes special TTM handles to userspace and so expects TTM handles in the
62 * create ioctl and not GEM handles.
63 *
64 * Framebuffers are tracked with &struct drm_framebuffer. They are published
65 * using drm_framebuffer_init() - after calling that function userspace can use
66 * and access the framebuffer object. The helper function
67 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required
68 * metadata fields.
69 *
70 * The lifetime of a drm framebuffer is controlled with a reference count,
71 * drivers can grab additional references with drm_framebuffer_get() and drop
72 * them again with drm_framebuffer_put(). For driver-private framebuffers for
73 * which the last reference is never dropped (e.g. for the fbdev framebuffer
74 * when the struct &struct drm_framebuffer is embedded into the fbdev helper
75 * struct) drivers can manually clean up a framebuffer at module unload time
76 * with drm_framebuffer_unregister_private(). But doing this is not
77 * recommended, and it's better to have a normal free-standing &struct
78 * drm_framebuffer.
79 */
80
drm_framebuffer_check_src_coords(uint32_t src_x,uint32_t src_y,uint32_t src_w,uint32_t src_h,const struct drm_framebuffer * fb)81 int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y,
82 uint32_t src_w, uint32_t src_h,
83 const struct drm_framebuffer *fb)
84 {
85 unsigned int fb_width, fb_height;
86
87 fb_width = fb->width << 16;
88 fb_height = fb->height << 16;
89
90 /* Make sure source coordinates are inside the fb. */
91 if (src_w > fb_width ||
92 src_x > fb_width - src_w ||
93 src_h > fb_height ||
94 src_y > fb_height - src_h) {
95 DRM_DEBUG_KMS("Invalid source coordinates "
96 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n",
97 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10,
98 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10,
99 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10,
100 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10,
101 fb->width, fb->height);
102 return -ENOSPC;
103 }
104
105 return 0;
106 }
107
108 /**
109 * drm_mode_addfb - add an FB to the graphics configuration
110 * @dev: drm device for the ioctl
111 * @or: pointer to request structure
112 * @file_priv: drm file
113 *
114 * Add a new FB to the specified CRTC, given a user request. This is the
115 * original addfb ioctl which only supported RGB formats.
116 *
117 * Called by the user via ioctl, or by an in-kernel client.
118 *
119 * Returns:
120 * Zero on success, negative errno on failure.
121 */
drm_mode_addfb(struct drm_device * dev,struct drm_mode_fb_cmd * or,struct drm_file * file_priv)122 int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or,
123 struct drm_file *file_priv)
124 {
125 struct drm_mode_fb_cmd2 r = {};
126 int ret;
127
128 if (!drm_core_check_feature(dev, DRIVER_MODESET))
129 return -EOPNOTSUPP;
130
131 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth);
132 if (r.pixel_format == DRM_FORMAT_INVALID) {
133 DRM_DEBUG("bad {bpp:%d, depth:%d}\n", or->bpp, or->depth);
134 return -EINVAL;
135 }
136
137 /* convert to new format and call new ioctl */
138 r.fb_id = or->fb_id;
139 r.width = or->width;
140 r.height = or->height;
141 r.pitches[0] = or->pitch;
142 r.handles[0] = or->handle;
143
144 ret = drm_mode_addfb2(dev, &r, file_priv);
145 if (ret)
146 return ret;
147
148 or->fb_id = r.fb_id;
149
150 return 0;
151 }
152
drm_mode_addfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)153 int drm_mode_addfb_ioctl(struct drm_device *dev,
154 void *data, struct drm_file *file_priv)
155 {
156 return drm_mode_addfb(dev, data, file_priv);
157 }
158
fb_plane_width(int width,const struct drm_format_info * format,int plane)159 static int fb_plane_width(int width,
160 const struct drm_format_info *format, int plane)
161 {
162 if (plane == 0)
163 return width;
164
165 return DIV_ROUND_UP(width, format->hsub);
166 }
167
fb_plane_height(int height,const struct drm_format_info * format,int plane)168 static int fb_plane_height(int height,
169 const struct drm_format_info *format, int plane)
170 {
171 if (plane == 0)
172 return height;
173
174 return DIV_ROUND_UP(height, format->vsub);
175 }
176
framebuffer_check(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r)177 static int framebuffer_check(struct drm_device *dev,
178 const struct drm_mode_fb_cmd2 *r)
179 {
180 const struct drm_format_info *info;
181 int i;
182
183 /* check if the format is supported at all */
184 info = __drm_format_info(r->pixel_format);
185 if (!info) {
186 struct drm_format_name_buf format_name;
187
188 DRM_DEBUG_KMS("bad framebuffer format %s\n",
189 drm_get_format_name(r->pixel_format,
190 &format_name));
191 return -EINVAL;
192 }
193
194 /* now let the driver pick its own format info */
195 info = drm_get_format_info(dev, r);
196
197 if (r->width == 0) {
198 DRM_DEBUG_KMS("bad framebuffer width %u\n", r->width);
199 return -EINVAL;
200 }
201
202 if (r->height == 0) {
203 DRM_DEBUG_KMS("bad framebuffer height %u\n", r->height);
204 return -EINVAL;
205 }
206
207 for (i = 0; i < info->num_planes; i++) {
208 unsigned int width = fb_plane_width(r->width, info, i);
209 unsigned int height = fb_plane_height(r->height, info, i);
210 unsigned int block_size = info->char_per_block[i];
211 u64 min_pitch = drm_format_info_min_pitch(info, i, width);
212
213 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) {
214 DRM_DEBUG_KMS("Format requires non-linear modifier for plane %d\n", i);
215 return -EINVAL;
216 }
217
218 if (!r->handles[i]) {
219 DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i);
220 return -EINVAL;
221 }
222
223 if (min_pitch > UINT_MAX)
224 return -ERANGE;
225
226 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX)
227 return -ERANGE;
228
229 if (block_size && r->pitches[i] < min_pitch) {
230 DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i);
231 return -EINVAL;
232 }
233
234 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) {
235 DRM_DEBUG_KMS("bad fb modifier %"PRIu64" for plane %d\n",
236 r->modifier[i], i);
237 return -EINVAL;
238 }
239
240 if (r->flags & DRM_MODE_FB_MODIFIERS &&
241 r->modifier[i] != r->modifier[0]) {
242 DRM_DEBUG_KMS("bad fb modifier %"PRIu64" for plane %d\n",
243 r->modifier[i], i);
244 return -EINVAL;
245 }
246
247 /* modifier specific checks: */
248 switch (r->modifier[i]) {
249 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE:
250 /* NOTE: the pitch restriction may be lifted later if it turns
251 * out that no hw has this restriction:
252 */
253 if (r->pixel_format != DRM_FORMAT_NV12 ||
254 width % 128 || height % 32 ||
255 r->pitches[i] % 128) {
256 DRM_DEBUG_KMS("bad modifier data for plane %d\n", i);
257 return -EINVAL;
258 }
259 break;
260
261 default:
262 break;
263 }
264 }
265
266 for (i = info->num_planes; i < 4; i++) {
267 if (r->modifier[i]) {
268 DRM_DEBUG_KMS("non-zero modifier for unused plane %d\n", i);
269 return -EINVAL;
270 }
271
272 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */
273 if (!(r->flags & DRM_MODE_FB_MODIFIERS))
274 continue;
275
276 if (r->handles[i]) {
277 DRM_DEBUG_KMS("buffer object handle for unused plane %d\n", i);
278 return -EINVAL;
279 }
280
281 if (r->pitches[i]) {
282 DRM_DEBUG_KMS("non-zero pitch for unused plane %d\n", i);
283 return -EINVAL;
284 }
285
286 if (r->offsets[i]) {
287 DRM_DEBUG_KMS("non-zero offset for unused plane %d\n", i);
288 return -EINVAL;
289 }
290 }
291
292 return 0;
293 }
294
295 struct drm_framebuffer *
drm_internal_framebuffer_create(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r,struct drm_file * file_priv)296 drm_internal_framebuffer_create(struct drm_device *dev,
297 const struct drm_mode_fb_cmd2 *r,
298 struct drm_file *file_priv)
299 {
300 struct drm_mode_config *config = &dev->mode_config;
301 struct drm_framebuffer *fb;
302 int ret;
303
304 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) {
305 DRM_DEBUG_KMS("bad framebuffer flags 0x%08x\n", r->flags);
306 return ERR_PTR(-EINVAL);
307 }
308
309 if ((config->min_width > r->width) || (r->width > config->max_width)) {
310 DRM_DEBUG_KMS("bad framebuffer width %d, should be >= %d && <= %d\n",
311 r->width, config->min_width, config->max_width);
312 return ERR_PTR(-EINVAL);
313 }
314 if ((config->min_height > r->height) || (r->height > config->max_height)) {
315 DRM_DEBUG_KMS("bad framebuffer height %d, should be >= %d && <= %d\n",
316 r->height, config->min_height, config->max_height);
317 return ERR_PTR(-EINVAL);
318 }
319
320 if (r->flags & DRM_MODE_FB_MODIFIERS &&
321 !dev->mode_config.allow_fb_modifiers) {
322 DRM_DEBUG_KMS("driver does not support fb modifiers\n");
323 return ERR_PTR(-EINVAL);
324 }
325
326 ret = framebuffer_check(dev, r);
327 if (ret)
328 return ERR_PTR(ret);
329
330 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r);
331 if (IS_ERR(fb)) {
332 DRM_DEBUG_KMS("could not create framebuffer\n");
333 return fb;
334 }
335
336 return fb;
337 }
338 EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create);
339
340 /**
341 * drm_mode_addfb2 - add an FB to the graphics configuration
342 * @dev: drm device for the ioctl
343 * @data: data pointer for the ioctl
344 * @file_priv: drm file for the ioctl call
345 *
346 * Add a new FB to the specified CRTC, given a user request with format. This is
347 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers
348 * and uses fourcc codes as pixel format specifiers.
349 *
350 * Called by the user via ioctl.
351 *
352 * Returns:
353 * Zero on success, negative errno on failure.
354 */
drm_mode_addfb2(struct drm_device * dev,void * data,struct drm_file * file_priv)355 int drm_mode_addfb2(struct drm_device *dev,
356 void *data, struct drm_file *file_priv)
357 {
358 struct drm_mode_fb_cmd2 *r = data;
359 struct drm_framebuffer *fb;
360
361 if (!drm_core_check_feature(dev, DRIVER_MODESET))
362 return -EOPNOTSUPP;
363
364 fb = drm_internal_framebuffer_create(dev, r, file_priv);
365 if (IS_ERR(fb))
366 return PTR_ERR(fb);
367
368 DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id);
369 r->fb_id = fb->base.id;
370
371 /* Transfer ownership to the filp for reaping on close */
372 mutex_lock(&file_priv->fbs_lock);
373 list_add(&fb->filp_head, &file_priv->fbs);
374 mutex_unlock(&file_priv->fbs_lock);
375
376 return 0;
377 }
378
drm_mode_addfb2_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)379 int drm_mode_addfb2_ioctl(struct drm_device *dev,
380 void *data, struct drm_file *file_priv)
381 {
382 #ifdef __BIG_ENDIAN
383 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) {
384 /*
385 * Drivers must set the
386 * quirk_addfb_prefer_host_byte_order quirk to make
387 * the drm_mode_addfb() compat code work correctly on
388 * bigendian machines.
389 *
390 * If they don't they interpret pixel_format values
391 * incorrectly for bug compatibility, which in turn
392 * implies the ADDFB2 ioctl does not work correctly
393 * then. So block it to make userspace fallback to
394 * ADDFB.
395 */
396 DRM_DEBUG_KMS("addfb2 broken on bigendian");
397 return -EOPNOTSUPP;
398 }
399 #endif
400 return drm_mode_addfb2(dev, data, file_priv);
401 }
402
403 struct drm_mode_rmfb_work {
404 struct work_struct work;
405 struct list_head fbs;
406 };
407
drm_mode_rmfb_work_fn(struct work_struct * w)408 static void drm_mode_rmfb_work_fn(struct work_struct *w)
409 {
410 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work);
411
412 while (!list_empty(&arg->fbs)) {
413 struct drm_framebuffer *fb =
414 list_first_entry(&arg->fbs, typeof(*fb), filp_head);
415
416 list_del_init(&fb->filp_head);
417 drm_framebuffer_remove(fb);
418 }
419 }
420
421 /**
422 * drm_mode_rmfb - remove an FB from the configuration
423 * @dev: drm device
424 * @fb_id: id of framebuffer to remove
425 * @file_priv: drm file
426 *
427 * Remove the specified FB.
428 *
429 * Called by the user via ioctl, or by an in-kernel client.
430 *
431 * Returns:
432 * Zero on success, negative errno on failure.
433 */
drm_mode_rmfb(struct drm_device * dev,u32 fb_id,struct drm_file * file_priv)434 int drm_mode_rmfb(struct drm_device *dev, u32 fb_id,
435 struct drm_file *file_priv)
436 {
437 struct drm_framebuffer *fb = NULL;
438 struct drm_framebuffer *fbl = NULL;
439 int found = 0;
440
441 if (!drm_core_check_feature(dev, DRIVER_MODESET))
442 return -EOPNOTSUPP;
443
444 fb = drm_framebuffer_lookup(dev, file_priv, fb_id);
445 if (!fb)
446 return -ENOENT;
447
448 mutex_lock(&file_priv->fbs_lock);
449 list_for_each_entry(fbl, &file_priv->fbs, filp_head)
450 if (fb == fbl)
451 found = 1;
452 if (!found) {
453 mutex_unlock(&file_priv->fbs_lock);
454 goto fail_unref;
455 }
456
457 list_del_init(&fb->filp_head);
458 mutex_unlock(&file_priv->fbs_lock);
459
460 /* drop the reference we picked up in framebuffer lookup */
461 drm_framebuffer_put(fb);
462
463 /*
464 * we now own the reference that was stored in the fbs list
465 *
466 * drm_framebuffer_remove may fail with -EINTR on pending signals,
467 * so run this in a separate stack as there's no way to correctly
468 * handle this after the fb is already removed from the lookup table.
469 */
470 if (drm_framebuffer_read_refcount(fb) > 1) {
471 struct drm_mode_rmfb_work arg;
472
473 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
474 INIT_LIST_HEAD(&arg.fbs);
475 list_add_tail(&fb->filp_head, &arg.fbs);
476
477 schedule_work(&arg.work);
478 flush_work(&arg.work);
479 destroy_work_on_stack(&arg.work);
480 } else
481 drm_framebuffer_put(fb);
482
483 return 0;
484
485 fail_unref:
486 drm_framebuffer_put(fb);
487 return -ENOENT;
488 }
489
drm_mode_rmfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)490 int drm_mode_rmfb_ioctl(struct drm_device *dev,
491 void *data, struct drm_file *file_priv)
492 {
493 uint32_t *fb_id = data;
494
495 return drm_mode_rmfb(dev, *fb_id, file_priv);
496 }
497
498 /**
499 * drm_mode_getfb - get FB info
500 * @dev: drm device for the ioctl
501 * @data: data pointer for the ioctl
502 * @file_priv: drm file for the ioctl call
503 *
504 * Lookup the FB given its ID and return info about it.
505 *
506 * Called by the user via ioctl.
507 *
508 * Returns:
509 * Zero on success, negative errno on failure.
510 */
drm_mode_getfb(struct drm_device * dev,void * data,struct drm_file * file_priv)511 int drm_mode_getfb(struct drm_device *dev,
512 void *data, struct drm_file *file_priv)
513 {
514 struct drm_mode_fb_cmd *r = data;
515 struct drm_framebuffer *fb;
516 int ret;
517
518 if (!drm_core_check_feature(dev, DRIVER_MODESET))
519 return -EOPNOTSUPP;
520
521 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
522 if (!fb)
523 return -ENOENT;
524
525 /* Multi-planar framebuffers need getfb2. */
526 if (fb->format->num_planes > 1) {
527 ret = -EINVAL;
528 goto out;
529 }
530
531 if (!fb->funcs->create_handle) {
532 ret = -ENODEV;
533 goto out;
534 }
535
536 r->height = fb->height;
537 r->width = fb->width;
538 r->depth = fb->format->depth;
539 r->bpp = fb->format->cpp[0] * 8;
540 r->pitch = fb->pitches[0];
541
542 /* GET_FB() is an unprivileged ioctl so we must not return a
543 * buffer-handle to non-master processes! For
544 * backwards-compatibility reasons, we cannot make GET_FB() privileged,
545 * so just return an invalid handle for non-masters.
546 */
547 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) {
548 r->handle = 0;
549 ret = 0;
550 goto out;
551 }
552
553 ret = fb->funcs->create_handle(fb, file_priv, &r->handle);
554
555 out:
556 drm_framebuffer_put(fb);
557
558 return ret;
559 }
560
561 /**
562 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB
563 * @dev: drm device for the ioctl
564 * @data: data pointer for the ioctl
565 * @file_priv: drm file for the ioctl call
566 *
567 * Lookup the FB and flush out the damaged area supplied by userspace as a clip
568 * rectangle list. Generic userspace which does frontbuffer rendering must call
569 * this ioctl to flush out the changes on manual-update display outputs, e.g.
570 * usb display-link, mipi manual update panels or edp panel self refresh modes.
571 *
572 * Modesetting drivers which always update the frontbuffer do not need to
573 * implement the corresponding &drm_framebuffer_funcs.dirty callback.
574 *
575 * Called by the user via ioctl.
576 *
577 * Returns:
578 * Zero on success, negative errno on failure.
579 */
drm_mode_dirtyfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)580 int drm_mode_dirtyfb_ioctl(struct drm_device *dev,
581 void *data, struct drm_file *file_priv)
582 {
583 struct drm_clip_rect __user *clips_ptr;
584 struct drm_clip_rect *clips = NULL;
585 struct drm_mode_fb_dirty_cmd *r = data;
586 struct drm_framebuffer *fb;
587 unsigned flags;
588 int num_clips;
589 int ret;
590
591 if (!drm_core_check_feature(dev, DRIVER_MODESET))
592 return -EOPNOTSUPP;
593
594 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id);
595 if (!fb)
596 return -ENOENT;
597
598 num_clips = r->num_clips;
599 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr;
600
601 if (!num_clips != !clips_ptr) {
602 ret = -EINVAL;
603 goto out_err1;
604 }
605
606 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags;
607
608 /* If userspace annotates copy, clips must come in pairs */
609 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) {
610 ret = -EINVAL;
611 goto out_err1;
612 }
613
614 if (num_clips && clips_ptr) {
615 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) {
616 ret = -EINVAL;
617 goto out_err1;
618 }
619 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL);
620 if (!clips) {
621 ret = -ENOMEM;
622 goto out_err1;
623 }
624
625 ret = copy_from_user(clips, clips_ptr,
626 num_clips * sizeof(*clips));
627 if (ret) {
628 ret = -EFAULT;
629 goto out_err2;
630 }
631 }
632
633 if (fb->funcs->dirty) {
634 ret = fb->funcs->dirty(fb, file_priv, flags, r->color,
635 clips, num_clips);
636 } else {
637 ret = -ENOSYS;
638 }
639
640 out_err2:
641 kfree(clips);
642 out_err1:
643 drm_framebuffer_put(fb);
644
645 return ret;
646 }
647
648 /**
649 * drm_fb_release - remove and free the FBs on this file
650 * @priv: drm file for the ioctl
651 *
652 * Destroy all the FBs associated with @filp.
653 *
654 * Called by the user via ioctl.
655 *
656 * Returns:
657 * Zero on success, negative errno on failure.
658 */
drm_fb_release(struct drm_file * priv)659 void drm_fb_release(struct drm_file *priv)
660 {
661 struct drm_framebuffer *fb, *tfb;
662 struct drm_mode_rmfb_work arg;
663
664 INIT_LIST_HEAD(&arg.fbs);
665
666 /*
667 * When the file gets released that means no one else can access the fb
668 * list any more, so no need to grab fpriv->fbs_lock. And we need to
669 * avoid upsetting lockdep since the universal cursor code adds a
670 * framebuffer while holding mutex locks.
671 *
672 * Note that a real deadlock between fpriv->fbs_lock and the modeset
673 * locks is impossible here since no one else but this function can get
674 * at it any more.
675 */
676 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) {
677 if (drm_framebuffer_read_refcount(fb) > 1) {
678 list_move_tail(&fb->filp_head, &arg.fbs);
679 } else {
680 list_del_init(&fb->filp_head);
681
682 /* This drops the fpriv->fbs reference. */
683 drm_framebuffer_put(fb);
684 }
685 }
686
687 if (!list_empty(&arg.fbs)) {
688 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn);
689
690 schedule_work(&arg.work);
691 flush_work(&arg.work);
692 destroy_work_on_stack(&arg.work);
693 }
694 }
695
drm_framebuffer_free(struct kref * kref)696 void drm_framebuffer_free(struct kref *kref)
697 {
698 struct drm_framebuffer *fb =
699 container_of(kref, struct drm_framebuffer, base.refcount);
700 struct drm_device *dev = fb->dev;
701
702 /*
703 * The lookup idr holds a weak reference, which has not necessarily been
704 * removed at this point. Check for that.
705 */
706 drm_mode_object_unregister(dev, &fb->base);
707
708 fb->funcs->destroy(fb);
709 }
710
711 /**
712 * drm_framebuffer_init - initialize a framebuffer
713 * @dev: DRM device
714 * @fb: framebuffer to be initialized
715 * @funcs: ... with these functions
716 *
717 * Allocates an ID for the framebuffer's parent mode object, sets its mode
718 * functions & device file and adds it to the master fd list.
719 *
720 * IMPORTANT:
721 * This functions publishes the fb and makes it available for concurrent access
722 * by other users. Which means by this point the fb _must_ be fully set up -
723 * since all the fb attributes are invariant over its lifetime, no further
724 * locking but only correct reference counting is required.
725 *
726 * Returns:
727 * Zero on success, error code on failure.
728 */
drm_framebuffer_init(struct drm_device * dev,struct drm_framebuffer * fb,const struct drm_framebuffer_funcs * funcs)729 int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb,
730 const struct drm_framebuffer_funcs *funcs)
731 {
732 int ret;
733
734 if (WARN_ON_ONCE(fb->dev != dev || !fb->format))
735 return -EINVAL;
736
737 INIT_LIST_HEAD(&fb->filp_head);
738
739 fb->funcs = funcs;
740 #ifdef __NetBSD__
741 strlcpy(fb->comm, curproc->p_comm, sizeof fb->comm);
742 #else
743 strcpy(fb->comm, current->comm);
744 #endif
745
746 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB,
747 false, drm_framebuffer_free);
748 if (ret)
749 goto out;
750
751 mutex_lock(&dev->mode_config.fb_lock);
752 dev->mode_config.num_fb++;
753 list_add(&fb->head, &dev->mode_config.fb_list);
754 mutex_unlock(&dev->mode_config.fb_lock);
755
756 drm_mode_object_register(dev, &fb->base);
757 out:
758 return ret;
759 }
760 EXPORT_SYMBOL(drm_framebuffer_init);
761
762 /**
763 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference
764 * @dev: drm device
765 * @file_priv: drm file to check for lease against.
766 * @id: id of the fb object
767 *
768 * If successful, this grabs an additional reference to the framebuffer -
769 * callers need to make sure to eventually unreference the returned framebuffer
770 * again, using drm_framebuffer_put().
771 */
drm_framebuffer_lookup(struct drm_device * dev,struct drm_file * file_priv,uint32_t id)772 struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev,
773 struct drm_file *file_priv,
774 uint32_t id)
775 {
776 struct drm_mode_object *obj;
777 struct drm_framebuffer *fb = NULL;
778
779 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB);
780 if (obj)
781 fb = obj_to_fb(obj);
782 return fb;
783 }
784 EXPORT_SYMBOL(drm_framebuffer_lookup);
785
786 /**
787 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
788 * @fb: fb to unregister
789 *
790 * Drivers need to call this when cleaning up driver-private framebuffers, e.g.
791 * those used for fbdev. Note that the caller must hold a reference of its own,
792 * i.e. the object may not be destroyed through this call (since it'll lead to a
793 * locking inversion).
794 *
795 * NOTE: This function is deprecated. For driver-private framebuffers it is not
796 * recommended to embed a framebuffer struct info fbdev struct, instead, a
797 * framebuffer pointer is preferred and drm_framebuffer_put() should be called
798 * when the framebuffer is to be cleaned up.
799 */
drm_framebuffer_unregister_private(struct drm_framebuffer * fb)800 void drm_framebuffer_unregister_private(struct drm_framebuffer *fb)
801 {
802 struct drm_device *dev;
803
804 if (!fb)
805 return;
806
807 dev = fb->dev;
808
809 /* Mark fb as reaped and drop idr ref. */
810 drm_mode_object_unregister(dev, &fb->base);
811 }
812 EXPORT_SYMBOL(drm_framebuffer_unregister_private);
813
814 /**
815 * drm_framebuffer_cleanup - remove a framebuffer object
816 * @fb: framebuffer to remove
817 *
818 * Cleanup framebuffer. This function is intended to be used from the drivers
819 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up
820 * driver private framebuffers embedded into a larger structure.
821 *
822 * Note that this function does not remove the fb from active usage - if it is
823 * still used anywhere, hilarity can ensue since userspace could call getfb on
824 * the id and get back -EINVAL. Obviously no concern at driver unload time.
825 *
826 * Also, the framebuffer will not be removed from the lookup idr - for
827 * user-created framebuffers this will happen in in the rmfb ioctl. For
828 * driver-private objects (e.g. for fbdev) drivers need to explicitly call
829 * drm_framebuffer_unregister_private.
830 */
drm_framebuffer_cleanup(struct drm_framebuffer * fb)831 void drm_framebuffer_cleanup(struct drm_framebuffer *fb)
832 {
833 struct drm_device *dev = fb->dev;
834
835 mutex_lock(&dev->mode_config.fb_lock);
836 list_del(&fb->head);
837 dev->mode_config.num_fb--;
838 mutex_unlock(&dev->mode_config.fb_lock);
839 }
840 EXPORT_SYMBOL(drm_framebuffer_cleanup);
841
atomic_remove_fb(struct drm_framebuffer * fb)842 static int atomic_remove_fb(struct drm_framebuffer *fb)
843 {
844 struct drm_modeset_acquire_ctx ctx;
845 struct drm_device *dev = fb->dev;
846 struct drm_atomic_state *state;
847 struct drm_plane *plane;
848 struct drm_connector *conn __maybe_unused;
849 struct drm_connector_state *conn_state;
850 int i, ret;
851 unsigned plane_mask;
852 bool disable_crtcs = false;
853
854 retry_disable:
855 drm_modeset_acquire_init(&ctx, 0);
856
857 state = drm_atomic_state_alloc(dev);
858 if (!state) {
859 ret = -ENOMEM;
860 goto out;
861 }
862 state->acquire_ctx = &ctx;
863
864 retry:
865 plane_mask = 0;
866 ret = drm_modeset_lock_all_ctx(dev, &ctx);
867 if (ret)
868 goto unlock;
869
870 drm_for_each_plane(plane, dev) {
871 struct drm_plane_state *plane_state;
872
873 if (plane->state->fb != fb)
874 continue;
875
876 plane_state = drm_atomic_get_plane_state(state, plane);
877 if (IS_ERR(plane_state)) {
878 ret = PTR_ERR(plane_state);
879 goto unlock;
880 }
881
882 if (disable_crtcs && plane_state->crtc->primary == plane) {
883 struct drm_crtc_state *crtc_state;
884
885 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc);
886
887 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc);
888 if (ret)
889 goto unlock;
890
891 crtc_state->active = false;
892 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL);
893 if (ret)
894 goto unlock;
895 }
896
897 drm_atomic_set_fb_for_plane(plane_state, NULL);
898 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL);
899 if (ret)
900 goto unlock;
901
902 plane_mask |= drm_plane_mask(plane);
903 }
904
905 /* This list is only filled when disable_crtcs is set. */
906 for_each_new_connector_in_state(state, conn, conn_state, i) {
907 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL);
908
909 if (ret)
910 goto unlock;
911 }
912
913 if (plane_mask)
914 ret = drm_atomic_commit(state);
915
916 unlock:
917 if (ret == -EDEADLK) {
918 drm_atomic_state_clear(state);
919 drm_modeset_backoff(&ctx);
920 goto retry;
921 }
922
923 drm_atomic_state_put(state);
924
925 out:
926 drm_modeset_drop_locks(&ctx);
927 drm_modeset_acquire_fini(&ctx);
928
929 if (ret == -EINVAL && !disable_crtcs) {
930 disable_crtcs = true;
931 goto retry_disable;
932 }
933
934 return ret;
935 }
936
legacy_remove_fb(struct drm_framebuffer * fb)937 static void legacy_remove_fb(struct drm_framebuffer *fb)
938 {
939 struct drm_device *dev = fb->dev;
940 struct drm_crtc *crtc;
941 struct drm_plane *plane;
942
943 drm_modeset_lock_all(dev);
944 /* remove from any CRTC */
945 drm_for_each_crtc(crtc, dev) {
946 if (crtc->primary->fb == fb) {
947 /* should turn off the crtc */
948 if (drm_crtc_force_disable(crtc))
949 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc);
950 }
951 }
952
953 drm_for_each_plane(plane, dev) {
954 if (plane->fb == fb)
955 drm_plane_force_disable(plane);
956 }
957 drm_modeset_unlock_all(dev);
958 }
959
960 /**
961 * drm_framebuffer_remove - remove and unreference a framebuffer object
962 * @fb: framebuffer to remove
963 *
964 * Scans all the CRTCs and planes in @dev's mode_config. If they're
965 * using @fb, removes it, setting it to NULL. Then drops the reference to the
966 * passed-in framebuffer. Might take the modeset locks.
967 *
968 * Note that this function optimizes the cleanup away if the caller holds the
969 * last reference to the framebuffer. It is also guaranteed to not take the
970 * modeset locks in this case.
971 */
drm_framebuffer_remove(struct drm_framebuffer * fb)972 void drm_framebuffer_remove(struct drm_framebuffer *fb)
973 {
974 struct drm_device *dev;
975
976 if (!fb)
977 return;
978
979 dev = fb->dev;
980
981 WARN_ON(!list_empty(&fb->filp_head));
982
983 /*
984 * drm ABI mandates that we remove any deleted framebuffers from active
985 * useage. But since most sane clients only remove framebuffers they no
986 * longer need, try to optimize this away.
987 *
988 * Since we're holding a reference ourselves, observing a refcount of 1
989 * means that we're the last holder and can skip it. Also, the refcount
990 * can never increase from 1 again, so we don't need any barriers or
991 * locks.
992 *
993 * Note that userspace could try to race with use and instate a new
994 * usage _after_ we've cleared all current ones. End result will be an
995 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot
996 * in this manner.
997 */
998 if (drm_framebuffer_read_refcount(fb) > 1) {
999 if (drm_drv_uses_atomic_modeset(dev)) {
1000 int ret = atomic_remove_fb(fb);
1001 WARN(ret, "atomic remove_fb failed with %i\n", ret);
1002 } else
1003 legacy_remove_fb(fb);
1004 }
1005
1006 drm_framebuffer_put(fb);
1007 }
1008 EXPORT_SYMBOL(drm_framebuffer_remove);
1009
1010 /**
1011 * drm_framebuffer_plane_width - width of the plane given the first plane
1012 * @width: width of the first plane
1013 * @fb: the framebuffer
1014 * @plane: plane index
1015 *
1016 * Returns:
1017 * The width of @plane, given that the width of the first plane is @width.
1018 */
drm_framebuffer_plane_width(int width,const struct drm_framebuffer * fb,int plane)1019 int drm_framebuffer_plane_width(int width,
1020 const struct drm_framebuffer *fb, int plane)
1021 {
1022 if (plane >= fb->format->num_planes)
1023 return 0;
1024
1025 return fb_plane_width(width, fb->format, plane);
1026 }
1027 EXPORT_SYMBOL(drm_framebuffer_plane_width);
1028
1029 /**
1030 * drm_framebuffer_plane_height - height of the plane given the first plane
1031 * @height: height of the first plane
1032 * @fb: the framebuffer
1033 * @plane: plane index
1034 *
1035 * Returns:
1036 * The height of @plane, given that the height of the first plane is @height.
1037 */
drm_framebuffer_plane_height(int height,const struct drm_framebuffer * fb,int plane)1038 int drm_framebuffer_plane_height(int height,
1039 const struct drm_framebuffer *fb, int plane)
1040 {
1041 if (plane >= fb->format->num_planes)
1042 return 0;
1043
1044 return fb_plane_height(height, fb->format, plane);
1045 }
1046 EXPORT_SYMBOL(drm_framebuffer_plane_height);
1047
drm_framebuffer_print_info(struct drm_printer * p,unsigned int indent,const struct drm_framebuffer * fb)1048 void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent,
1049 const struct drm_framebuffer *fb)
1050 {
1051 struct drm_format_name_buf format_name;
1052 unsigned int i;
1053
1054 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm);
1055 drm_printf_indent(p, indent, "refcount=%u\n",
1056 drm_framebuffer_read_refcount(fb));
1057 drm_printf_indent(p, indent, "format=%s\n",
1058 drm_get_format_name(fb->format->format, &format_name));
1059 drm_printf_indent(p, indent, "modifier=0x%"PRIx64"\n", fb->modifier);
1060 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height);
1061 drm_printf_indent(p, indent, "layers:\n");
1062
1063 for (i = 0; i < fb->format->num_planes; i++) {
1064 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i,
1065 drm_framebuffer_plane_width(fb->width, fb, i),
1066 drm_framebuffer_plane_height(fb->height, fb, i));
1067 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]);
1068 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]);
1069 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i,
1070 fb->obj[i] ? "" : "(null)");
1071 if (fb->obj[i])
1072 drm_gem_print_info(p, indent + 2, fb->obj[i]);
1073 }
1074 }
1075
1076 #ifdef CONFIG_DEBUG_FS
drm_framebuffer_info(struct seq_file * m,void * data)1077 static int drm_framebuffer_info(struct seq_file *m, void *data)
1078 {
1079 struct drm_info_node *node = m->private;
1080 struct drm_device *dev = node->minor->dev;
1081 struct drm_printer p = drm_seq_file_printer(m);
1082 struct drm_framebuffer *fb;
1083
1084 mutex_lock(&dev->mode_config.fb_lock);
1085 drm_for_each_fb(fb, dev) {
1086 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id);
1087 drm_framebuffer_print_info(&p, 1, fb);
1088 }
1089 mutex_unlock(&dev->mode_config.fb_lock);
1090
1091 return 0;
1092 }
1093
1094 static const struct drm_info_list drm_framebuffer_debugfs_list[] = {
1095 { "framebuffer", drm_framebuffer_info, 0 },
1096 };
1097
drm_framebuffer_debugfs_init(struct drm_minor * minor)1098 int drm_framebuffer_debugfs_init(struct drm_minor *minor)
1099 {
1100 return drm_debugfs_create_files(drm_framebuffer_debugfs_list,
1101 ARRAY_SIZE(drm_framebuffer_debugfs_list),
1102 minor->debugfs_root, minor);
1103 }
1104 #endif
1105