1 /* 2 * Copyright (c) 2016 Intel Corporation 3 * 4 * Permission to use, copy, modify, distribute, and sell this software and its 5 * documentation for any purpose is hereby granted without fee, provided that 6 * the above copyright notice appear in all copies and that both that copyright 7 * notice and this permission notice appear in supporting documentation, and 8 * that the name of the copyright holders not be used in advertising or 9 * publicity pertaining to distribution of the software without specific, 10 * written prior permission. The copyright holders make no representations 11 * about the suitability of this software for any purpose. It is provided "as 12 * is" without express or implied warranty. 13 * 14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR 17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 20 * OF THIS SOFTWARE. 21 */ 22 23 #include <linux/export.h> 24 #include <linux/uaccess.h> 25 26 #include <drm/drm_atomic.h> 27 #include <drm/drm_atomic_uapi.h> 28 #include <drm/drm_auth.h> 29 #include <drm/drm_debugfs.h> 30 #include <drm/drm_drv.h> 31 #include <drm/drm_file.h> 32 #include <drm/drm_fourcc.h> 33 #include <drm/drm_framebuffer.h> 34 #include <drm/drm_gem.h> 35 #include <drm/drm_print.h> 36 #include <drm/drm_util.h> 37 38 #include "drm_crtc_internal.h" 39 #include "drm_internal.h" 40 41 /** 42 * DOC: overview 43 * 44 * Frame buffers are abstract memory objects that provide a source of pixels to 45 * scanout to a CRTC. Applications explicitly request the creation of frame 46 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque 47 * handle that can be passed to the KMS CRTC control, plane configuration and 48 * page flip functions. 49 * 50 * Frame buffers rely on the underlying memory manager for allocating backing 51 * storage. When creating a frame buffer applications pass a memory handle 52 * (or a list of memory handles for multi-planar formats) through the 53 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace 54 * buffer management interface this would be a GEM handle. Drivers are however 55 * free to use their own backing storage object handles, e.g. vmwgfx directly 56 * exposes special TTM handles to userspace and so expects TTM handles in the 57 * create ioctl and not GEM handles. 58 * 59 * Framebuffers are tracked with &struct drm_framebuffer. They are published 60 * using drm_framebuffer_init() - after calling that function userspace can use 61 * and access the framebuffer object. The helper function 62 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required 63 * metadata fields. 64 * 65 * The lifetime of a drm framebuffer is controlled with a reference count, 66 * drivers can grab additional references with drm_framebuffer_get() and drop 67 * them again with drm_framebuffer_put(). For driver-private framebuffers for 68 * which the last reference is never dropped (e.g. for the fbdev framebuffer 69 * when the struct &struct drm_framebuffer is embedded into the fbdev helper 70 * struct) drivers can manually clean up a framebuffer at module unload time 71 * with drm_framebuffer_unregister_private(). But doing this is not 72 * recommended, and it's better to have a normal free-standing &struct 73 * drm_framebuffer. 74 */ 75 76 int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y, 77 uint32_t src_w, uint32_t src_h, 78 const struct drm_framebuffer *fb) 79 { 80 unsigned int fb_width, fb_height; 81 82 fb_width = fb->width << 16; 83 fb_height = fb->height << 16; 84 85 /* Make sure source coordinates are inside the fb. */ 86 if (src_w > fb_width || 87 src_x > fb_width - src_w || 88 src_h > fb_height || 89 src_y > fb_height - src_h) { 90 DRM_DEBUG_KMS("Invalid source coordinates " 91 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n", 92 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10, 93 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10, 94 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10, 95 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10, 96 fb->width, fb->height); 97 return -ENOSPC; 98 } 99 100 return 0; 101 } 102 103 /** 104 * drm_mode_addfb - add an FB to the graphics configuration 105 * @dev: drm device for the ioctl 106 * @or: pointer to request structure 107 * @file_priv: drm file 108 * 109 * Add a new FB to the specified CRTC, given a user request. This is the 110 * original addfb ioctl which only supported RGB formats. 111 * 112 * Called by the user via ioctl, or by an in-kernel client. 113 * 114 * Returns: 115 * Zero on success, negative errno on failure. 116 */ 117 int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or, 118 struct drm_file *file_priv) 119 { 120 struct drm_mode_fb_cmd2 r = {}; 121 int ret; 122 123 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 124 return -EOPNOTSUPP; 125 126 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth); 127 if (r.pixel_format == DRM_FORMAT_INVALID) { 128 DRM_DEBUG("bad {bpp:%d, depth:%d}\n", or->bpp, or->depth); 129 return -EINVAL; 130 } 131 132 /* convert to new format and call new ioctl */ 133 r.fb_id = or->fb_id; 134 r.width = or->width; 135 r.height = or->height; 136 r.pitches[0] = or->pitch; 137 r.handles[0] = or->handle; 138 139 ret = drm_mode_addfb2(dev, &r, file_priv); 140 if (ret) 141 return ret; 142 143 or->fb_id = r.fb_id; 144 145 return 0; 146 } 147 148 int drm_mode_addfb_ioctl(struct drm_device *dev, 149 void *data, struct drm_file *file_priv) 150 { 151 return drm_mode_addfb(dev, data, file_priv); 152 } 153 154 static int fb_plane_width(int width, 155 const struct drm_format_info *format, int plane) 156 { 157 if (plane == 0) 158 return width; 159 160 return DIV_ROUND_UP(width, format->hsub); 161 } 162 163 static int fb_plane_height(int height, 164 const struct drm_format_info *format, int plane) 165 { 166 if (plane == 0) 167 return height; 168 169 return DIV_ROUND_UP(height, format->vsub); 170 } 171 172 static int framebuffer_check(struct drm_device *dev, 173 const struct drm_mode_fb_cmd2 *r) 174 { 175 const struct drm_format_info *info; 176 int i; 177 178 /* check if the format is supported at all */ 179 if (!__drm_format_info(r->pixel_format)) { 180 DRM_DEBUG_KMS("bad framebuffer format %p4cc\n", 181 &r->pixel_format); 182 return -EINVAL; 183 } 184 185 if (r->width == 0) { 186 DRM_DEBUG_KMS("bad framebuffer width %u\n", r->width); 187 return -EINVAL; 188 } 189 190 if (r->height == 0) { 191 DRM_DEBUG_KMS("bad framebuffer height %u\n", r->height); 192 return -EINVAL; 193 } 194 195 /* now let the driver pick its own format info */ 196 info = drm_get_format_info(dev, r); 197 198 for (i = 0; i < info->num_planes; i++) { 199 unsigned int width = fb_plane_width(r->width, info, i); 200 unsigned int height = fb_plane_height(r->height, info, i); 201 unsigned int block_size = info->char_per_block[i]; 202 u64 min_pitch = drm_format_info_min_pitch(info, i, width); 203 204 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) { 205 DRM_DEBUG_KMS("Format requires non-linear modifier for plane %d\n", i); 206 return -EINVAL; 207 } 208 209 if (!r->handles[i]) { 210 DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i); 211 return -EINVAL; 212 } 213 214 if (min_pitch > UINT_MAX) 215 return -ERANGE; 216 217 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX) 218 return -ERANGE; 219 220 if (block_size && r->pitches[i] < min_pitch) { 221 DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i); 222 return -EINVAL; 223 } 224 225 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) { 226 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n", 227 r->modifier[i], i); 228 return -EINVAL; 229 } 230 231 if (r->flags & DRM_MODE_FB_MODIFIERS && 232 r->modifier[i] != r->modifier[0]) { 233 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n", 234 r->modifier[i], i); 235 return -EINVAL; 236 } 237 238 /* modifier specific checks: */ 239 switch (r->modifier[i]) { 240 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE: 241 /* NOTE: the pitch restriction may be lifted later if it turns 242 * out that no hw has this restriction: 243 */ 244 if (r->pixel_format != DRM_FORMAT_NV12 || 245 width % 128 || height % 32 || 246 r->pitches[i] % 128) { 247 DRM_DEBUG_KMS("bad modifier data for plane %d\n", i); 248 return -EINVAL; 249 } 250 break; 251 252 default: 253 break; 254 } 255 } 256 257 for (i = info->num_planes; i < 4; i++) { 258 if (r->modifier[i]) { 259 DRM_DEBUG_KMS("non-zero modifier for unused plane %d\n", i); 260 return -EINVAL; 261 } 262 263 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */ 264 if (!(r->flags & DRM_MODE_FB_MODIFIERS)) 265 continue; 266 267 if (r->handles[i]) { 268 DRM_DEBUG_KMS("buffer object handle for unused plane %d\n", i); 269 return -EINVAL; 270 } 271 272 if (r->pitches[i]) { 273 DRM_DEBUG_KMS("non-zero pitch for unused plane %d\n", i); 274 return -EINVAL; 275 } 276 277 if (r->offsets[i]) { 278 DRM_DEBUG_KMS("non-zero offset for unused plane %d\n", i); 279 return -EINVAL; 280 } 281 } 282 283 return 0; 284 } 285 286 struct drm_framebuffer * 287 drm_internal_framebuffer_create(struct drm_device *dev, 288 const struct drm_mode_fb_cmd2 *r, 289 struct drm_file *file_priv) 290 { 291 struct drm_mode_config *config = &dev->mode_config; 292 struct drm_framebuffer *fb; 293 int ret; 294 295 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) { 296 DRM_DEBUG_KMS("bad framebuffer flags 0x%08x\n", r->flags); 297 return ERR_PTR(-EINVAL); 298 } 299 300 if ((config->min_width > r->width) || (r->width > config->max_width)) { 301 DRM_DEBUG_KMS("bad framebuffer width %d, should be >= %d && <= %d\n", 302 r->width, config->min_width, config->max_width); 303 return ERR_PTR(-EINVAL); 304 } 305 if ((config->min_height > r->height) || (r->height > config->max_height)) { 306 DRM_DEBUG_KMS("bad framebuffer height %d, should be >= %d && <= %d\n", 307 r->height, config->min_height, config->max_height); 308 return ERR_PTR(-EINVAL); 309 } 310 311 if (r->flags & DRM_MODE_FB_MODIFIERS && 312 !dev->mode_config.allow_fb_modifiers) { 313 DRM_DEBUG_KMS("driver does not support fb modifiers\n"); 314 return ERR_PTR(-EINVAL); 315 } 316 317 ret = framebuffer_check(dev, r); 318 if (ret) 319 return ERR_PTR(ret); 320 321 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r); 322 if (IS_ERR(fb)) { 323 DRM_DEBUG_KMS("could not create framebuffer\n"); 324 return fb; 325 } 326 327 return fb; 328 } 329 EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create); 330 331 /** 332 * drm_mode_addfb2 - add an FB to the graphics configuration 333 * @dev: drm device for the ioctl 334 * @data: data pointer for the ioctl 335 * @file_priv: drm file for the ioctl call 336 * 337 * Add a new FB to the specified CRTC, given a user request with format. This is 338 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers 339 * and uses fourcc codes as pixel format specifiers. 340 * 341 * Called by the user via ioctl. 342 * 343 * Returns: 344 * Zero on success, negative errno on failure. 345 */ 346 int drm_mode_addfb2(struct drm_device *dev, 347 void *data, struct drm_file *file_priv) 348 { 349 struct drm_mode_fb_cmd2 *r = data; 350 struct drm_framebuffer *fb; 351 352 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 353 return -EOPNOTSUPP; 354 355 fb = drm_internal_framebuffer_create(dev, r, file_priv); 356 if (IS_ERR(fb)) 357 return PTR_ERR(fb); 358 359 DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id); 360 r->fb_id = fb->base.id; 361 362 /* Transfer ownership to the filp for reaping on close */ 363 mutex_lock(&file_priv->fbs_lock); 364 list_add(&fb->filp_head, &file_priv->fbs); 365 mutex_unlock(&file_priv->fbs_lock); 366 367 return 0; 368 } 369 370 int drm_mode_addfb2_ioctl(struct drm_device *dev, 371 void *data, struct drm_file *file_priv) 372 { 373 #ifdef __BIG_ENDIAN 374 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) { 375 /* 376 * Drivers must set the 377 * quirk_addfb_prefer_host_byte_order quirk to make 378 * the drm_mode_addfb() compat code work correctly on 379 * bigendian machines. 380 * 381 * If they don't they interpret pixel_format values 382 * incorrectly for bug compatibility, which in turn 383 * implies the ADDFB2 ioctl does not work correctly 384 * then. So block it to make userspace fallback to 385 * ADDFB. 386 */ 387 DRM_DEBUG_KMS("addfb2 broken on bigendian"); 388 return -EOPNOTSUPP; 389 } 390 #endif 391 return drm_mode_addfb2(dev, data, file_priv); 392 } 393 394 struct drm_mode_rmfb_work { 395 struct work_struct work; 396 struct list_head fbs; 397 }; 398 399 static void drm_mode_rmfb_work_fn(struct work_struct *w) 400 { 401 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work); 402 403 while (!list_empty(&arg->fbs)) { 404 struct drm_framebuffer *fb = 405 list_first_entry(&arg->fbs, typeof(*fb), filp_head); 406 407 list_del_init(&fb->filp_head); 408 drm_framebuffer_remove(fb); 409 } 410 } 411 412 /** 413 * drm_mode_rmfb - remove an FB from the configuration 414 * @dev: drm device 415 * @fb_id: id of framebuffer to remove 416 * @file_priv: drm file 417 * 418 * Remove the specified FB. 419 * 420 * Called by the user via ioctl, or by an in-kernel client. 421 * 422 * Returns: 423 * Zero on success, negative errno on failure. 424 */ 425 int drm_mode_rmfb(struct drm_device *dev, u32 fb_id, 426 struct drm_file *file_priv) 427 { 428 struct drm_framebuffer *fb = NULL; 429 struct drm_framebuffer *fbl = NULL; 430 int found = 0; 431 432 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 433 return -EOPNOTSUPP; 434 435 fb = drm_framebuffer_lookup(dev, file_priv, fb_id); 436 if (!fb) 437 return -ENOENT; 438 439 mutex_lock(&file_priv->fbs_lock); 440 list_for_each_entry(fbl, &file_priv->fbs, filp_head) 441 if (fb == fbl) 442 found = 1; 443 if (!found) { 444 mutex_unlock(&file_priv->fbs_lock); 445 goto fail_unref; 446 } 447 448 list_del_init(&fb->filp_head); 449 mutex_unlock(&file_priv->fbs_lock); 450 451 /* drop the reference we picked up in framebuffer lookup */ 452 drm_framebuffer_put(fb); 453 454 /* 455 * we now own the reference that was stored in the fbs list 456 * 457 * drm_framebuffer_remove may fail with -EINTR on pending signals, 458 * so run this in a separate stack as there's no way to correctly 459 * handle this after the fb is already removed from the lookup table. 460 */ 461 if (drm_framebuffer_read_refcount(fb) > 1) { 462 struct drm_mode_rmfb_work arg; 463 464 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 465 INIT_LIST_HEAD(&arg.fbs); 466 list_add_tail(&fb->filp_head, &arg.fbs); 467 468 schedule_work(&arg.work); 469 flush_work(&arg.work); 470 destroy_work_on_stack(&arg.work); 471 } else 472 drm_framebuffer_put(fb); 473 474 return 0; 475 476 fail_unref: 477 drm_framebuffer_put(fb); 478 return -ENOENT; 479 } 480 481 int drm_mode_rmfb_ioctl(struct drm_device *dev, 482 void *data, struct drm_file *file_priv) 483 { 484 uint32_t *fb_id = data; 485 486 return drm_mode_rmfb(dev, *fb_id, file_priv); 487 } 488 489 /** 490 * drm_mode_getfb - get FB info 491 * @dev: drm device for the ioctl 492 * @data: data pointer for the ioctl 493 * @file_priv: drm file for the ioctl call 494 * 495 * Lookup the FB given its ID and return info about it. 496 * 497 * Called by the user via ioctl. 498 * 499 * Returns: 500 * Zero on success, negative errno on failure. 501 */ 502 int drm_mode_getfb(struct drm_device *dev, 503 void *data, struct drm_file *file_priv) 504 { 505 struct drm_mode_fb_cmd *r = data; 506 struct drm_framebuffer *fb; 507 int ret; 508 509 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 510 return -EOPNOTSUPP; 511 512 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 513 if (!fb) 514 return -ENOENT; 515 516 /* Multi-planar framebuffers need getfb2. */ 517 if (fb->format->num_planes > 1) { 518 ret = -EINVAL; 519 goto out; 520 } 521 522 if (!fb->funcs->create_handle) { 523 ret = -ENODEV; 524 goto out; 525 } 526 527 r->height = fb->height; 528 r->width = fb->width; 529 r->depth = fb->format->depth; 530 r->bpp = fb->format->cpp[0] * 8; 531 r->pitch = fb->pitches[0]; 532 533 /* GET_FB() is an unprivileged ioctl so we must not return a 534 * buffer-handle to non-master processes! For 535 * backwards-compatibility reasons, we cannot make GET_FB() privileged, 536 * so just return an invalid handle for non-masters. 537 */ 538 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) { 539 r->handle = 0; 540 ret = 0; 541 goto out; 542 } 543 544 ret = fb->funcs->create_handle(fb, file_priv, &r->handle); 545 546 out: 547 drm_framebuffer_put(fb); 548 return ret; 549 } 550 551 /** 552 * drm_mode_getfb2_ioctl - get extended FB info 553 * @dev: drm device for the ioctl 554 * @data: data pointer for the ioctl 555 * @file_priv: drm file for the ioctl call 556 * 557 * Lookup the FB given its ID and return info about it. 558 * 559 * Called by the user via ioctl. 560 * 561 * Returns: 562 * Zero on success, negative errno on failure. 563 */ 564 int drm_mode_getfb2_ioctl(struct drm_device *dev, 565 void *data, struct drm_file *file_priv) 566 { 567 struct drm_mode_fb_cmd2 *r = data; 568 struct drm_framebuffer *fb; 569 unsigned int i; 570 int ret; 571 572 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 573 return -EINVAL; 574 575 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 576 if (!fb) 577 return -ENOENT; 578 579 /* For multi-plane framebuffers, we require the driver to place the 580 * GEM objects directly in the drm_framebuffer. For single-plane 581 * framebuffers, we can fall back to create_handle. 582 */ 583 if (!fb->obj[0] && 584 (fb->format->num_planes > 1 || !fb->funcs->create_handle)) { 585 ret = -ENODEV; 586 goto out; 587 } 588 589 r->height = fb->height; 590 r->width = fb->width; 591 r->pixel_format = fb->format->format; 592 593 r->flags = 0; 594 if (dev->mode_config.allow_fb_modifiers) 595 r->flags |= DRM_MODE_FB_MODIFIERS; 596 597 for (i = 0; i < ARRAY_SIZE(r->handles); i++) { 598 r->handles[i] = 0; 599 r->pitches[i] = 0; 600 r->offsets[i] = 0; 601 r->modifier[i] = 0; 602 } 603 604 for (i = 0; i < fb->format->num_planes; i++) { 605 r->pitches[i] = fb->pitches[i]; 606 r->offsets[i] = fb->offsets[i]; 607 if (dev->mode_config.allow_fb_modifiers) 608 r->modifier[i] = fb->modifier; 609 } 610 611 /* GET_FB2() is an unprivileged ioctl so we must not return a 612 * buffer-handle to non master/root processes! To match GET_FB() 613 * just return invalid handles (0) for non masters/root 614 * rather than making GET_FB2() privileged. 615 */ 616 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) { 617 ret = 0; 618 goto out; 619 } 620 621 for (i = 0; i < fb->format->num_planes; i++) { 622 int j; 623 624 /* If we reuse the same object for multiple planes, also 625 * return the same handle. 626 */ 627 for (j = 0; j < i; j++) { 628 if (fb->obj[i] == fb->obj[j]) { 629 r->handles[i] = r->handles[j]; 630 break; 631 } 632 } 633 634 if (r->handles[i]) 635 continue; 636 637 if (fb->obj[i]) { 638 ret = drm_gem_handle_create(file_priv, fb->obj[i], 639 &r->handles[i]); 640 } else { 641 WARN_ON(i > 0); 642 ret = fb->funcs->create_handle(fb, file_priv, 643 &r->handles[i]); 644 } 645 646 if (ret != 0) 647 goto out; 648 } 649 650 out: 651 if (ret != 0) { 652 /* Delete any previously-created handles on failure. */ 653 for (i = 0; i < ARRAY_SIZE(r->handles); i++) { 654 int j; 655 656 if (r->handles[i]) 657 drm_gem_handle_delete(file_priv, r->handles[i]); 658 659 /* Zero out any handles identical to the one we just 660 * deleted. 661 */ 662 for (j = i + 1; j < ARRAY_SIZE(r->handles); j++) { 663 if (r->handles[j] == r->handles[i]) 664 r->handles[j] = 0; 665 } 666 } 667 } 668 669 drm_framebuffer_put(fb); 670 return ret; 671 } 672 673 /** 674 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB 675 * @dev: drm device for the ioctl 676 * @data: data pointer for the ioctl 677 * @file_priv: drm file for the ioctl call 678 * 679 * Lookup the FB and flush out the damaged area supplied by userspace as a clip 680 * rectangle list. Generic userspace which does frontbuffer rendering must call 681 * this ioctl to flush out the changes on manual-update display outputs, e.g. 682 * usb display-link, mipi manual update panels or edp panel self refresh modes. 683 * 684 * Modesetting drivers which always update the frontbuffer do not need to 685 * implement the corresponding &drm_framebuffer_funcs.dirty callback. 686 * 687 * Called by the user via ioctl. 688 * 689 * Returns: 690 * Zero on success, negative errno on failure. 691 */ 692 int drm_mode_dirtyfb_ioctl(struct drm_device *dev, 693 void *data, struct drm_file *file_priv) 694 { 695 struct drm_clip_rect __user *clips_ptr; 696 struct drm_clip_rect *clips = NULL; 697 struct drm_mode_fb_dirty_cmd *r = data; 698 struct drm_framebuffer *fb; 699 unsigned flags; 700 int num_clips; 701 int ret; 702 703 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 704 return -EOPNOTSUPP; 705 706 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 707 if (!fb) 708 return -ENOENT; 709 710 num_clips = r->num_clips; 711 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr; 712 713 if (!num_clips != !clips_ptr) { 714 ret = -EINVAL; 715 goto out_err1; 716 } 717 718 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags; 719 720 /* If userspace annotates copy, clips must come in pairs */ 721 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) { 722 ret = -EINVAL; 723 goto out_err1; 724 } 725 726 if (num_clips && clips_ptr) { 727 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) { 728 ret = -EINVAL; 729 goto out_err1; 730 } 731 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL); 732 if (!clips) { 733 ret = -ENOMEM; 734 goto out_err1; 735 } 736 737 ret = copy_from_user(clips, clips_ptr, 738 num_clips * sizeof(*clips)); 739 if (ret) { 740 ret = -EFAULT; 741 goto out_err2; 742 } 743 } 744 745 if (fb->funcs->dirty) { 746 ret = fb->funcs->dirty(fb, file_priv, flags, r->color, 747 clips, num_clips); 748 } else { 749 ret = -ENOSYS; 750 } 751 752 out_err2: 753 kfree(clips); 754 out_err1: 755 drm_framebuffer_put(fb); 756 757 return ret; 758 } 759 760 /** 761 * drm_fb_release - remove and free the FBs on this file 762 * @priv: drm file for the ioctl 763 * 764 * Destroy all the FBs associated with @filp. 765 * 766 * Called by the user via ioctl. 767 * 768 * Returns: 769 * Zero on success, negative errno on failure. 770 */ 771 void drm_fb_release(struct drm_file *priv) 772 { 773 struct drm_framebuffer *fb, *tfb; 774 struct drm_mode_rmfb_work arg; 775 776 INIT_LIST_HEAD(&arg.fbs); 777 778 /* 779 * When the file gets released that means no one else can access the fb 780 * list any more, so no need to grab fpriv->fbs_lock. And we need to 781 * avoid upsetting lockdep since the universal cursor code adds a 782 * framebuffer while holding mutex locks. 783 * 784 * Note that a real deadlock between fpriv->fbs_lock and the modeset 785 * locks is impossible here since no one else but this function can get 786 * at it any more. 787 */ 788 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) { 789 if (drm_framebuffer_read_refcount(fb) > 1) { 790 list_move_tail(&fb->filp_head, &arg.fbs); 791 } else { 792 list_del_init(&fb->filp_head); 793 794 /* This drops the fpriv->fbs reference. */ 795 drm_framebuffer_put(fb); 796 } 797 } 798 799 if (!list_empty(&arg.fbs)) { 800 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 801 802 schedule_work(&arg.work); 803 flush_work(&arg.work); 804 destroy_work_on_stack(&arg.work); 805 } 806 } 807 808 void drm_framebuffer_free(struct kref *kref) 809 { 810 struct drm_framebuffer *fb = 811 container_of(kref, struct drm_framebuffer, base.refcount); 812 struct drm_device *dev = fb->dev; 813 814 /* 815 * The lookup idr holds a weak reference, which has not necessarily been 816 * removed at this point. Check for that. 817 */ 818 drm_mode_object_unregister(dev, &fb->base); 819 820 fb->funcs->destroy(fb); 821 } 822 823 /** 824 * drm_framebuffer_init - initialize a framebuffer 825 * @dev: DRM device 826 * @fb: framebuffer to be initialized 827 * @funcs: ... with these functions 828 * 829 * Allocates an ID for the framebuffer's parent mode object, sets its mode 830 * functions & device file and adds it to the master fd list. 831 * 832 * IMPORTANT: 833 * This functions publishes the fb and makes it available for concurrent access 834 * by other users. Which means by this point the fb _must_ be fully set up - 835 * since all the fb attributes are invariant over its lifetime, no further 836 * locking but only correct reference counting is required. 837 * 838 * Returns: 839 * Zero on success, error code on failure. 840 */ 841 int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, 842 const struct drm_framebuffer_funcs *funcs) 843 { 844 int ret; 845 846 if (WARN_ON_ONCE(fb->dev != dev || !fb->format)) 847 return -EINVAL; 848 849 INIT_LIST_HEAD(&fb->filp_head); 850 851 fb->funcs = funcs; 852 strcpy(fb->comm, current->comm); 853 854 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB, 855 false, drm_framebuffer_free); 856 if (ret) 857 goto out; 858 859 mutex_lock(&dev->mode_config.fb_lock); 860 dev->mode_config.num_fb++; 861 list_add(&fb->head, &dev->mode_config.fb_list); 862 mutex_unlock(&dev->mode_config.fb_lock); 863 864 drm_mode_object_register(dev, &fb->base); 865 out: 866 return ret; 867 } 868 EXPORT_SYMBOL(drm_framebuffer_init); 869 870 /** 871 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference 872 * @dev: drm device 873 * @file_priv: drm file to check for lease against. 874 * @id: id of the fb object 875 * 876 * If successful, this grabs an additional reference to the framebuffer - 877 * callers need to make sure to eventually unreference the returned framebuffer 878 * again, using drm_framebuffer_put(). 879 */ 880 struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev, 881 struct drm_file *file_priv, 882 uint32_t id) 883 { 884 struct drm_mode_object *obj; 885 struct drm_framebuffer *fb = NULL; 886 887 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB); 888 if (obj) 889 fb = obj_to_fb(obj); 890 return fb; 891 } 892 EXPORT_SYMBOL(drm_framebuffer_lookup); 893 894 /** 895 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr 896 * @fb: fb to unregister 897 * 898 * Drivers need to call this when cleaning up driver-private framebuffers, e.g. 899 * those used for fbdev. Note that the caller must hold a reference of its own, 900 * i.e. the object may not be destroyed through this call (since it'll lead to a 901 * locking inversion). 902 * 903 * NOTE: This function is deprecated. For driver-private framebuffers it is not 904 * recommended to embed a framebuffer struct info fbdev struct, instead, a 905 * framebuffer pointer is preferred and drm_framebuffer_put() should be called 906 * when the framebuffer is to be cleaned up. 907 */ 908 void drm_framebuffer_unregister_private(struct drm_framebuffer *fb) 909 { 910 struct drm_device *dev; 911 912 if (!fb) 913 return; 914 915 dev = fb->dev; 916 917 /* Mark fb as reaped and drop idr ref. */ 918 drm_mode_object_unregister(dev, &fb->base); 919 } 920 EXPORT_SYMBOL(drm_framebuffer_unregister_private); 921 922 /** 923 * drm_framebuffer_cleanup - remove a framebuffer object 924 * @fb: framebuffer to remove 925 * 926 * Cleanup framebuffer. This function is intended to be used from the drivers 927 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up 928 * driver private framebuffers embedded into a larger structure. 929 * 930 * Note that this function does not remove the fb from active usage - if it is 931 * still used anywhere, hilarity can ensue since userspace could call getfb on 932 * the id and get back -EINVAL. Obviously no concern at driver unload time. 933 * 934 * Also, the framebuffer will not be removed from the lookup idr - for 935 * user-created framebuffers this will happen in in the rmfb ioctl. For 936 * driver-private objects (e.g. for fbdev) drivers need to explicitly call 937 * drm_framebuffer_unregister_private. 938 */ 939 void drm_framebuffer_cleanup(struct drm_framebuffer *fb) 940 { 941 struct drm_device *dev = fb->dev; 942 943 mutex_lock(&dev->mode_config.fb_lock); 944 list_del(&fb->head); 945 dev->mode_config.num_fb--; 946 mutex_unlock(&dev->mode_config.fb_lock); 947 } 948 EXPORT_SYMBOL(drm_framebuffer_cleanup); 949 950 static int atomic_remove_fb(struct drm_framebuffer *fb) 951 { 952 struct drm_modeset_acquire_ctx ctx; 953 struct drm_device *dev = fb->dev; 954 struct drm_atomic_state *state; 955 struct drm_plane *plane; 956 struct drm_connector *conn __maybe_unused; 957 struct drm_connector_state *conn_state; 958 int i, ret; 959 unsigned plane_mask; 960 bool disable_crtcs = false; 961 962 retry_disable: 963 drm_modeset_acquire_init(&ctx, 0); 964 965 state = drm_atomic_state_alloc(dev); 966 if (!state) { 967 ret = -ENOMEM; 968 goto out; 969 } 970 state->acquire_ctx = &ctx; 971 972 retry: 973 plane_mask = 0; 974 ret = drm_modeset_lock_all_ctx(dev, &ctx); 975 if (ret) 976 goto unlock; 977 978 drm_for_each_plane(plane, dev) { 979 struct drm_plane_state *plane_state; 980 981 if (plane->state->fb != fb) 982 continue; 983 984 plane_state = drm_atomic_get_plane_state(state, plane); 985 if (IS_ERR(plane_state)) { 986 ret = PTR_ERR(plane_state); 987 goto unlock; 988 } 989 990 if (disable_crtcs && plane_state->crtc->primary == plane) { 991 struct drm_crtc_state *crtc_state; 992 993 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc); 994 995 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc); 996 if (ret) 997 goto unlock; 998 999 crtc_state->active = false; 1000 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL); 1001 if (ret) 1002 goto unlock; 1003 } 1004 1005 drm_atomic_set_fb_for_plane(plane_state, NULL); 1006 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL); 1007 if (ret) 1008 goto unlock; 1009 1010 plane_mask |= drm_plane_mask(plane); 1011 } 1012 1013 /* This list is only filled when disable_crtcs is set. */ 1014 for_each_new_connector_in_state(state, conn, conn_state, i) { 1015 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL); 1016 1017 if (ret) 1018 goto unlock; 1019 } 1020 1021 if (plane_mask) 1022 ret = drm_atomic_commit(state); 1023 1024 unlock: 1025 if (ret == -EDEADLK) { 1026 drm_atomic_state_clear(state); 1027 drm_modeset_backoff(&ctx); 1028 goto retry; 1029 } 1030 1031 drm_atomic_state_put(state); 1032 1033 out: 1034 drm_modeset_drop_locks(&ctx); 1035 drm_modeset_acquire_fini(&ctx); 1036 1037 if (ret == -EINVAL && !disable_crtcs) { 1038 disable_crtcs = true; 1039 goto retry_disable; 1040 } 1041 1042 return ret; 1043 } 1044 1045 static void legacy_remove_fb(struct drm_framebuffer *fb) 1046 { 1047 struct drm_device *dev = fb->dev; 1048 struct drm_crtc *crtc; 1049 struct drm_plane *plane; 1050 1051 drm_modeset_lock_all(dev); 1052 /* remove from any CRTC */ 1053 drm_for_each_crtc(crtc, dev) { 1054 if (crtc->primary->fb == fb) { 1055 /* should turn off the crtc */ 1056 if (drm_crtc_force_disable(crtc)) 1057 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc); 1058 } 1059 } 1060 1061 drm_for_each_plane(plane, dev) { 1062 if (plane->fb == fb) 1063 drm_plane_force_disable(plane); 1064 } 1065 drm_modeset_unlock_all(dev); 1066 } 1067 1068 /** 1069 * drm_framebuffer_remove - remove and unreference a framebuffer object 1070 * @fb: framebuffer to remove 1071 * 1072 * Scans all the CRTCs and planes in @dev's mode_config. If they're 1073 * using @fb, removes it, setting it to NULL. Then drops the reference to the 1074 * passed-in framebuffer. Might take the modeset locks. 1075 * 1076 * Note that this function optimizes the cleanup away if the caller holds the 1077 * last reference to the framebuffer. It is also guaranteed to not take the 1078 * modeset locks in this case. 1079 */ 1080 void drm_framebuffer_remove(struct drm_framebuffer *fb) 1081 { 1082 struct drm_device *dev; 1083 1084 if (!fb) 1085 return; 1086 1087 dev = fb->dev; 1088 1089 WARN_ON(!list_empty(&fb->filp_head)); 1090 1091 /* 1092 * drm ABI mandates that we remove any deleted framebuffers from active 1093 * useage. But since most sane clients only remove framebuffers they no 1094 * longer need, try to optimize this away. 1095 * 1096 * Since we're holding a reference ourselves, observing a refcount of 1 1097 * means that we're the last holder and can skip it. Also, the refcount 1098 * can never increase from 1 again, so we don't need any barriers or 1099 * locks. 1100 * 1101 * Note that userspace could try to race with use and instate a new 1102 * usage _after_ we've cleared all current ones. End result will be an 1103 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot 1104 * in this manner. 1105 */ 1106 if (drm_framebuffer_read_refcount(fb) > 1) { 1107 if (drm_drv_uses_atomic_modeset(dev)) { 1108 int ret = atomic_remove_fb(fb); 1109 1110 WARN(ret, "atomic remove_fb failed with %i\n", ret); 1111 } else 1112 legacy_remove_fb(fb); 1113 } 1114 1115 drm_framebuffer_put(fb); 1116 } 1117 EXPORT_SYMBOL(drm_framebuffer_remove); 1118 1119 /** 1120 * drm_framebuffer_plane_width - width of the plane given the first plane 1121 * @width: width of the first plane 1122 * @fb: the framebuffer 1123 * @plane: plane index 1124 * 1125 * Returns: 1126 * The width of @plane, given that the width of the first plane is @width. 1127 */ 1128 int drm_framebuffer_plane_width(int width, 1129 const struct drm_framebuffer *fb, int plane) 1130 { 1131 if (plane >= fb->format->num_planes) 1132 return 0; 1133 1134 return fb_plane_width(width, fb->format, plane); 1135 } 1136 EXPORT_SYMBOL(drm_framebuffer_plane_width); 1137 1138 /** 1139 * drm_framebuffer_plane_height - height of the plane given the first plane 1140 * @height: height of the first plane 1141 * @fb: the framebuffer 1142 * @plane: plane index 1143 * 1144 * Returns: 1145 * The height of @plane, given that the height of the first plane is @height. 1146 */ 1147 int drm_framebuffer_plane_height(int height, 1148 const struct drm_framebuffer *fb, int plane) 1149 { 1150 if (plane >= fb->format->num_planes) 1151 return 0; 1152 1153 return fb_plane_height(height, fb->format, plane); 1154 } 1155 EXPORT_SYMBOL(drm_framebuffer_plane_height); 1156 1157 void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent, 1158 const struct drm_framebuffer *fb) 1159 { 1160 unsigned int i; 1161 1162 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm); 1163 drm_printf_indent(p, indent, "refcount=%u\n", 1164 drm_framebuffer_read_refcount(fb)); 1165 drm_printf_indent(p, indent, "format=%p4cc\n", &fb->format->format); 1166 drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier); 1167 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height); 1168 drm_printf_indent(p, indent, "layers:\n"); 1169 1170 for (i = 0; i < fb->format->num_planes; i++) { 1171 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i, 1172 drm_framebuffer_plane_width(fb->width, fb, i), 1173 drm_framebuffer_plane_height(fb->height, fb, i)); 1174 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]); 1175 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]); 1176 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i, 1177 fb->obj[i] ? "" : "(null)"); 1178 if (fb->obj[i]) 1179 drm_gem_print_info(p, indent + 2, fb->obj[i]); 1180 } 1181 } 1182 1183 #ifdef CONFIG_DEBUG_FS 1184 static int drm_framebuffer_info(struct seq_file *m, void *data) 1185 { 1186 struct drm_info_node *node = m->private; 1187 struct drm_device *dev = node->minor->dev; 1188 struct drm_printer p = drm_seq_file_printer(m); 1189 struct drm_framebuffer *fb; 1190 1191 mutex_lock(&dev->mode_config.fb_lock); 1192 drm_for_each_fb(fb, dev) { 1193 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id); 1194 drm_framebuffer_print_info(&p, 1, fb); 1195 } 1196 mutex_unlock(&dev->mode_config.fb_lock); 1197 1198 return 0; 1199 } 1200 1201 static const struct drm_info_list drm_framebuffer_debugfs_list[] = { 1202 { "framebuffer", drm_framebuffer_info, 0 }, 1203 }; 1204 1205 void drm_framebuffer_debugfs_init(struct drm_minor *minor) 1206 { 1207 drm_debugfs_create_files(drm_framebuffer_debugfs_list, 1208 ARRAY_SIZE(drm_framebuffer_debugfs_list), 1209 minor->debugfs_root, minor); 1210 } 1211 #endif 1212