1 /* 2 * Copyright (c) 2016 Intel Corporation 3 * 4 * Permission to use, copy, modify, distribute, and sell this software and its 5 * documentation for any purpose is hereby granted without fee, provided that 6 * the above copyright notice appear in all copies and that both that copyright 7 * notice and this permission notice appear in supporting documentation, and 8 * that the name of the copyright holders not be used in advertising or 9 * publicity pertaining to distribution of the software without specific, 10 * written prior permission. The copyright holders make no representations 11 * about the suitability of this software for any purpose. It is provided "as 12 * is" without express or implied warranty. 13 * 14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR 17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 20 * OF THIS SOFTWARE. 21 */ 22 23 #include <linux/export.h> 24 #include <drm/drmP.h> 25 #include <drm/drm_auth.h> 26 #include <drm/drm_framebuffer.h> 27 #include <drm/drm_atomic.h> 28 #include <drm/drm_atomic_uapi.h> 29 #include <drm/drm_print.h> 30 31 #include "drm_internal.h" 32 #include "drm_crtc_internal.h" 33 34 /** 35 * DOC: overview 36 * 37 * Frame buffers are abstract memory objects that provide a source of pixels to 38 * scanout to a CRTC. Applications explicitly request the creation of frame 39 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque 40 * handle that can be passed to the KMS CRTC control, plane configuration and 41 * page flip functions. 42 * 43 * Frame buffers rely on the underlying memory manager for allocating backing 44 * storage. When creating a frame buffer applications pass a memory handle 45 * (or a list of memory handles for multi-planar formats) through the 46 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace 47 * buffer management interface this would be a GEM handle. Drivers are however 48 * free to use their own backing storage object handles, e.g. vmwgfx directly 49 * exposes special TTM handles to userspace and so expects TTM handles in the 50 * create ioctl and not GEM handles. 51 * 52 * Framebuffers are tracked with &struct drm_framebuffer. They are published 53 * using drm_framebuffer_init() - after calling that function userspace can use 54 * and access the framebuffer object. The helper function 55 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required 56 * metadata fields. 57 * 58 * The lifetime of a drm framebuffer is controlled with a reference count, 59 * drivers can grab additional references with drm_framebuffer_get() and drop 60 * them again with drm_framebuffer_put(). For driver-private framebuffers for 61 * which the last reference is never dropped (e.g. for the fbdev framebuffer 62 * when the struct &struct drm_framebuffer is embedded into the fbdev helper 63 * struct) drivers can manually clean up a framebuffer at module unload time 64 * with drm_framebuffer_unregister_private(). But doing this is not 65 * recommended, and it's better to have a normal free-standing &struct 66 * drm_framebuffer. 67 */ 68 69 int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y, 70 uint32_t src_w, uint32_t src_h, 71 const struct drm_framebuffer *fb) 72 { 73 unsigned int fb_width, fb_height; 74 75 fb_width = fb->width << 16; 76 fb_height = fb->height << 16; 77 78 /* Make sure source coordinates are inside the fb. */ 79 if (src_w > fb_width || 80 src_x > fb_width - src_w || 81 src_h > fb_height || 82 src_y > fb_height - src_h) { 83 DRM_DEBUG_KMS("Invalid source coordinates " 84 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n", 85 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10, 86 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10, 87 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10, 88 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10, 89 fb->width, fb->height); 90 return -ENOSPC; 91 } 92 93 return 0; 94 } 95 96 /** 97 * drm_mode_addfb - add an FB to the graphics configuration 98 * @dev: drm device for the ioctl 99 * @or: pointer to request structure 100 * @file_priv: drm file 101 * 102 * Add a new FB to the specified CRTC, given a user request. This is the 103 * original addfb ioctl which only supported RGB formats. 104 * 105 * Called by the user via ioctl, or by an in-kernel client. 106 * 107 * Returns: 108 * Zero on success, negative errno on failure. 109 */ 110 int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or, 111 struct drm_file *file_priv) 112 { 113 struct drm_mode_fb_cmd2 r = {}; 114 int ret; 115 116 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 117 return -EOPNOTSUPP; 118 119 r.pixel_format = drm_mode_legacy_fb_format(or->bpp, or->depth); 120 if (r.pixel_format == DRM_FORMAT_INVALID) { 121 DRM_DEBUG("bad {bpp:%d, depth:%d}\n", or->bpp, or->depth); 122 return -EINVAL; 123 } 124 125 /* convert to new format and call new ioctl */ 126 r.fb_id = or->fb_id; 127 r.width = or->width; 128 r.height = or->height; 129 r.pitches[0] = or->pitch; 130 r.handles[0] = or->handle; 131 132 if (dev->mode_config.quirk_addfb_prefer_xbgr_30bpp && 133 r.pixel_format == DRM_FORMAT_XRGB2101010) 134 r.pixel_format = DRM_FORMAT_XBGR2101010; 135 136 if (dev->mode_config.quirk_addfb_prefer_host_byte_order) { 137 if (r.pixel_format == DRM_FORMAT_XRGB8888) 138 r.pixel_format = DRM_FORMAT_HOST_XRGB8888; 139 if (r.pixel_format == DRM_FORMAT_ARGB8888) 140 r.pixel_format = DRM_FORMAT_HOST_ARGB8888; 141 if (r.pixel_format == DRM_FORMAT_RGB565) 142 r.pixel_format = DRM_FORMAT_HOST_RGB565; 143 if (r.pixel_format == DRM_FORMAT_XRGB1555) 144 r.pixel_format = DRM_FORMAT_HOST_XRGB1555; 145 } 146 147 ret = drm_mode_addfb2(dev, &r, file_priv); 148 if (ret) 149 return ret; 150 151 or->fb_id = r.fb_id; 152 153 return 0; 154 } 155 156 int drm_mode_addfb_ioctl(struct drm_device *dev, 157 void *data, struct drm_file *file_priv) 158 { 159 return drm_mode_addfb(dev, data, file_priv); 160 } 161 162 static int fb_plane_width(int width, 163 const struct drm_format_info *format, int plane) 164 { 165 if (plane == 0) 166 return width; 167 168 return DIV_ROUND_UP(width, format->hsub); 169 } 170 171 static int fb_plane_height(int height, 172 const struct drm_format_info *format, int plane) 173 { 174 if (plane == 0) 175 return height; 176 177 return DIV_ROUND_UP(height, format->vsub); 178 } 179 180 static int framebuffer_check(struct drm_device *dev, 181 const struct drm_mode_fb_cmd2 *r) 182 { 183 const struct drm_format_info *info; 184 int i; 185 186 /* check if the format is supported at all */ 187 info = __drm_format_info(r->pixel_format); 188 if (!info) { 189 struct drm_format_name_buf format_name; 190 191 DRM_DEBUG_KMS("bad framebuffer format %s\n", 192 drm_get_format_name(r->pixel_format, 193 &format_name)); 194 return -EINVAL; 195 } 196 197 /* now let the driver pick its own format info */ 198 info = drm_get_format_info(dev, r); 199 200 if (r->width == 0) { 201 DRM_DEBUG_KMS("bad framebuffer width %u\n", r->width); 202 return -EINVAL; 203 } 204 205 if (r->height == 0) { 206 DRM_DEBUG_KMS("bad framebuffer height %u\n", r->height); 207 return -EINVAL; 208 } 209 210 for (i = 0; i < info->num_planes; i++) { 211 unsigned int width = fb_plane_width(r->width, info, i); 212 unsigned int height = fb_plane_height(r->height, info, i); 213 unsigned int cpp = info->cpp[i]; 214 215 if (!r->handles[i]) { 216 DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i); 217 return -EINVAL; 218 } 219 220 if ((uint64_t) width * cpp > UINT_MAX) 221 return -ERANGE; 222 223 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX) 224 return -ERANGE; 225 226 if (r->pitches[i] < width * cpp) { 227 DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i); 228 return -EINVAL; 229 } 230 231 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) { 232 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n", 233 r->modifier[i], i); 234 return -EINVAL; 235 } 236 237 if (r->flags & DRM_MODE_FB_MODIFIERS && 238 r->modifier[i] != r->modifier[0]) { 239 DRM_DEBUG_KMS("bad fb modifier %llu for plane %d\n", 240 r->modifier[i], i); 241 return -EINVAL; 242 } 243 244 /* modifier specific checks: */ 245 switch (r->modifier[i]) { 246 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE: 247 /* NOTE: the pitch restriction may be lifted later if it turns 248 * out that no hw has this restriction: 249 */ 250 if (r->pixel_format != DRM_FORMAT_NV12 || 251 width % 128 || height % 32 || 252 r->pitches[i] % 128) { 253 DRM_DEBUG_KMS("bad modifier data for plane %d\n", i); 254 return -EINVAL; 255 } 256 break; 257 258 default: 259 break; 260 } 261 } 262 263 for (i = info->num_planes; i < 4; i++) { 264 if (r->modifier[i]) { 265 DRM_DEBUG_KMS("non-zero modifier for unused plane %d\n", i); 266 return -EINVAL; 267 } 268 269 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */ 270 if (!(r->flags & DRM_MODE_FB_MODIFIERS)) 271 continue; 272 273 if (r->handles[i]) { 274 DRM_DEBUG_KMS("buffer object handle for unused plane %d\n", i); 275 return -EINVAL; 276 } 277 278 if (r->pitches[i]) { 279 DRM_DEBUG_KMS("non-zero pitch for unused plane %d\n", i); 280 return -EINVAL; 281 } 282 283 if (r->offsets[i]) { 284 DRM_DEBUG_KMS("non-zero offset for unused plane %d\n", i); 285 return -EINVAL; 286 } 287 } 288 289 return 0; 290 } 291 292 struct drm_framebuffer * 293 drm_internal_framebuffer_create(struct drm_device *dev, 294 const struct drm_mode_fb_cmd2 *r, 295 struct drm_file *file_priv) 296 { 297 struct drm_mode_config *config = &dev->mode_config; 298 struct drm_framebuffer *fb; 299 int ret; 300 301 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) { 302 DRM_DEBUG_KMS("bad framebuffer flags 0x%08x\n", r->flags); 303 return ERR_PTR(-EINVAL); 304 } 305 306 if ((config->min_width > r->width) || (r->width > config->max_width)) { 307 DRM_DEBUG_KMS("bad framebuffer width %d, should be >= %d && <= %d\n", 308 r->width, config->min_width, config->max_width); 309 return ERR_PTR(-EINVAL); 310 } 311 if ((config->min_height > r->height) || (r->height > config->max_height)) { 312 DRM_DEBUG_KMS("bad framebuffer height %d, should be >= %d && <= %d\n", 313 r->height, config->min_height, config->max_height); 314 return ERR_PTR(-EINVAL); 315 } 316 317 if (r->flags & DRM_MODE_FB_MODIFIERS && 318 !dev->mode_config.allow_fb_modifiers) { 319 DRM_DEBUG_KMS("driver does not support fb modifiers\n"); 320 return ERR_PTR(-EINVAL); 321 } 322 323 ret = framebuffer_check(dev, r); 324 if (ret) 325 return ERR_PTR(ret); 326 327 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r); 328 if (IS_ERR(fb)) { 329 DRM_DEBUG_KMS("could not create framebuffer\n"); 330 return fb; 331 } 332 333 return fb; 334 } 335 336 /** 337 * drm_mode_addfb2 - add an FB to the graphics configuration 338 * @dev: drm device for the ioctl 339 * @data: data pointer for the ioctl 340 * @file_priv: drm file for the ioctl call 341 * 342 * Add a new FB to the specified CRTC, given a user request with format. This is 343 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers 344 * and uses fourcc codes as pixel format specifiers. 345 * 346 * Called by the user via ioctl. 347 * 348 * Returns: 349 * Zero on success, negative errno on failure. 350 */ 351 int drm_mode_addfb2(struct drm_device *dev, 352 void *data, struct drm_file *file_priv) 353 { 354 struct drm_mode_fb_cmd2 *r = data; 355 struct drm_framebuffer *fb; 356 357 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 358 return -EOPNOTSUPP; 359 360 fb = drm_internal_framebuffer_create(dev, r, file_priv); 361 if (IS_ERR(fb)) 362 return PTR_ERR(fb); 363 364 DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id); 365 r->fb_id = fb->base.id; 366 367 /* Transfer ownership to the filp for reaping on close */ 368 mutex_lock(&file_priv->fbs_lock); 369 list_add(&fb->filp_head, &file_priv->fbs); 370 mutex_unlock(&file_priv->fbs_lock); 371 372 return 0; 373 } 374 375 int drm_mode_addfb2_ioctl(struct drm_device *dev, 376 void *data, struct drm_file *file_priv) 377 { 378 #ifdef __BIG_ENDIAN 379 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) { 380 /* 381 * Drivers must set the 382 * quirk_addfb_prefer_host_byte_order quirk to make 383 * the drm_mode_addfb() compat code work correctly on 384 * bigendian machines. 385 * 386 * If they don't they interpret pixel_format values 387 * incorrectly for bug compatibility, which in turn 388 * implies the ADDFB2 ioctl does not work correctly 389 * then. So block it to make userspace fallback to 390 * ADDFB. 391 */ 392 DRM_DEBUG_KMS("addfb2 broken on bigendian"); 393 return -EOPNOTSUPP; 394 } 395 #endif 396 return drm_mode_addfb2(dev, data, file_priv); 397 } 398 399 struct drm_mode_rmfb_work { 400 struct work_struct work; 401 struct list_head fbs; 402 }; 403 404 static void drm_mode_rmfb_work_fn(struct work_struct *w) 405 { 406 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work); 407 408 while (!list_empty(&arg->fbs)) { 409 struct drm_framebuffer *fb = 410 list_first_entry(&arg->fbs, typeof(*fb), filp_head); 411 412 list_del_init(&fb->filp_head); 413 drm_framebuffer_remove(fb); 414 } 415 } 416 417 /** 418 * drm_mode_rmfb - remove an FB from the configuration 419 * @dev: drm device 420 * @fb_id: id of framebuffer to remove 421 * @file_priv: drm file 422 * 423 * Remove the specified FB. 424 * 425 * Called by the user via ioctl, or by an in-kernel client. 426 * 427 * Returns: 428 * Zero on success, negative errno on failure. 429 */ 430 int drm_mode_rmfb(struct drm_device *dev, u32 fb_id, 431 struct drm_file *file_priv) 432 { 433 struct drm_framebuffer *fb = NULL; 434 struct drm_framebuffer *fbl = NULL; 435 int found = 0; 436 437 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 438 return -EOPNOTSUPP; 439 440 fb = drm_framebuffer_lookup(dev, file_priv, fb_id); 441 if (!fb) 442 return -ENOENT; 443 444 mutex_lock(&file_priv->fbs_lock); 445 list_for_each_entry(fbl, &file_priv->fbs, filp_head) 446 if (fb == fbl) 447 found = 1; 448 if (!found) { 449 mutex_unlock(&file_priv->fbs_lock); 450 goto fail_unref; 451 } 452 453 list_del_init(&fb->filp_head); 454 mutex_unlock(&file_priv->fbs_lock); 455 456 /* drop the reference we picked up in framebuffer lookup */ 457 drm_framebuffer_put(fb); 458 459 /* 460 * we now own the reference that was stored in the fbs list 461 * 462 * drm_framebuffer_remove may fail with -EINTR on pending signals, 463 * so run this in a separate stack as there's no way to correctly 464 * handle this after the fb is already removed from the lookup table. 465 */ 466 if (drm_framebuffer_read_refcount(fb) > 1) { 467 struct drm_mode_rmfb_work arg; 468 469 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 470 INIT_LIST_HEAD(&arg.fbs); 471 list_add_tail(&fb->filp_head, &arg.fbs); 472 473 schedule_work(&arg.work); 474 flush_work(&arg.work); 475 destroy_work_on_stack(&arg.work); 476 } else 477 drm_framebuffer_put(fb); 478 479 return 0; 480 481 fail_unref: 482 drm_framebuffer_put(fb); 483 return -ENOENT; 484 } 485 486 int drm_mode_rmfb_ioctl(struct drm_device *dev, 487 void *data, struct drm_file *file_priv) 488 { 489 uint32_t *fb_id = data; 490 491 return drm_mode_rmfb(dev, *fb_id, file_priv); 492 } 493 494 /** 495 * drm_mode_getfb - get FB info 496 * @dev: drm device for the ioctl 497 * @data: data pointer for the ioctl 498 * @file_priv: drm file for the ioctl call 499 * 500 * Lookup the FB given its ID and return info about it. 501 * 502 * Called by the user via ioctl. 503 * 504 * Returns: 505 * Zero on success, negative errno on failure. 506 */ 507 int drm_mode_getfb(struct drm_device *dev, 508 void *data, struct drm_file *file_priv) 509 { 510 struct drm_mode_fb_cmd *r = data; 511 struct drm_framebuffer *fb; 512 int ret; 513 514 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 515 return -EOPNOTSUPP; 516 517 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 518 if (!fb) 519 return -ENOENT; 520 521 /* Multi-planar framebuffers need getfb2. */ 522 if (fb->format->num_planes > 1) { 523 ret = -EINVAL; 524 goto out; 525 } 526 527 if (!fb->funcs->create_handle) { 528 ret = -ENODEV; 529 goto out; 530 } 531 532 r->height = fb->height; 533 r->width = fb->width; 534 r->depth = fb->format->depth; 535 r->bpp = fb->format->cpp[0] * 8; 536 r->pitch = fb->pitches[0]; 537 538 /* GET_FB() is an unprivileged ioctl so we must not return a 539 * buffer-handle to non-master processes! For 540 * backwards-compatibility reasons, we cannot make GET_FB() privileged, 541 * so just return an invalid handle for non-masters. 542 */ 543 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) { 544 r->handle = 0; 545 ret = 0; 546 goto out; 547 } 548 549 ret = fb->funcs->create_handle(fb, file_priv, &r->handle); 550 551 out: 552 drm_framebuffer_put(fb); 553 554 return ret; 555 } 556 557 /** 558 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB 559 * @dev: drm device for the ioctl 560 * @data: data pointer for the ioctl 561 * @file_priv: drm file for the ioctl call 562 * 563 * Lookup the FB and flush out the damaged area supplied by userspace as a clip 564 * rectangle list. Generic userspace which does frontbuffer rendering must call 565 * this ioctl to flush out the changes on manual-update display outputs, e.g. 566 * usb display-link, mipi manual update panels or edp panel self refresh modes. 567 * 568 * Modesetting drivers which always update the frontbuffer do not need to 569 * implement the corresponding &drm_framebuffer_funcs.dirty callback. 570 * 571 * Called by the user via ioctl. 572 * 573 * Returns: 574 * Zero on success, negative errno on failure. 575 */ 576 int drm_mode_dirtyfb_ioctl(struct drm_device *dev, 577 void *data, struct drm_file *file_priv) 578 { 579 struct drm_clip_rect __user *clips_ptr; 580 struct drm_clip_rect *clips = NULL; 581 struct drm_mode_fb_dirty_cmd *r = data; 582 struct drm_framebuffer *fb; 583 unsigned flags; 584 int num_clips; 585 int ret; 586 587 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 588 return -EOPNOTSUPP; 589 590 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 591 if (!fb) 592 return -ENOENT; 593 594 num_clips = r->num_clips; 595 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr; 596 597 if (!num_clips != !clips_ptr) { 598 ret = -EINVAL; 599 goto out_err1; 600 } 601 602 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags; 603 604 /* If userspace annotates copy, clips must come in pairs */ 605 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) { 606 ret = -EINVAL; 607 goto out_err1; 608 } 609 610 if (num_clips && clips_ptr) { 611 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) { 612 ret = -EINVAL; 613 goto out_err1; 614 } 615 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL); 616 if (!clips) { 617 ret = -ENOMEM; 618 goto out_err1; 619 } 620 621 ret = copy_from_user(clips, clips_ptr, 622 num_clips * sizeof(*clips)); 623 if (ret) { 624 ret = -EFAULT; 625 goto out_err2; 626 } 627 } 628 629 if (fb->funcs->dirty) { 630 ret = fb->funcs->dirty(fb, file_priv, flags, r->color, 631 clips, num_clips); 632 } else { 633 ret = -ENOSYS; 634 } 635 636 out_err2: 637 kfree(clips); 638 out_err1: 639 drm_framebuffer_put(fb); 640 641 return ret; 642 } 643 644 /** 645 * drm_fb_release - remove and free the FBs on this file 646 * @priv: drm file for the ioctl 647 * 648 * Destroy all the FBs associated with @filp. 649 * 650 * Called by the user via ioctl. 651 * 652 * Returns: 653 * Zero on success, negative errno on failure. 654 */ 655 void drm_fb_release(struct drm_file *priv) 656 { 657 struct drm_framebuffer *fb, *tfb; 658 struct drm_mode_rmfb_work arg; 659 660 INIT_LIST_HEAD(&arg.fbs); 661 662 /* 663 * When the file gets released that means no one else can access the fb 664 * list any more, so no need to grab fpriv->fbs_lock. And we need to 665 * avoid upsetting lockdep since the universal cursor code adds a 666 * framebuffer while holding mutex locks. 667 * 668 * Note that a real deadlock between fpriv->fbs_lock and the modeset 669 * locks is impossible here since no one else but this function can get 670 * at it any more. 671 */ 672 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) { 673 if (drm_framebuffer_read_refcount(fb) > 1) { 674 list_move_tail(&fb->filp_head, &arg.fbs); 675 } else { 676 list_del_init(&fb->filp_head); 677 678 /* This drops the fpriv->fbs reference. */ 679 drm_framebuffer_put(fb); 680 } 681 } 682 683 if (!list_empty(&arg.fbs)) { 684 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 685 686 schedule_work(&arg.work); 687 flush_work(&arg.work); 688 destroy_work_on_stack(&arg.work); 689 } 690 } 691 692 void drm_framebuffer_free(struct kref *kref) 693 { 694 struct drm_framebuffer *fb = 695 container_of(kref, struct drm_framebuffer, base.refcount); 696 struct drm_device *dev = fb->dev; 697 698 /* 699 * The lookup idr holds a weak reference, which has not necessarily been 700 * removed at this point. Check for that. 701 */ 702 drm_mode_object_unregister(dev, &fb->base); 703 704 fb->funcs->destroy(fb); 705 } 706 707 /** 708 * drm_framebuffer_init - initialize a framebuffer 709 * @dev: DRM device 710 * @fb: framebuffer to be initialized 711 * @funcs: ... with these functions 712 * 713 * Allocates an ID for the framebuffer's parent mode object, sets its mode 714 * functions & device file and adds it to the master fd list. 715 * 716 * IMPORTANT: 717 * This functions publishes the fb and makes it available for concurrent access 718 * by other users. Which means by this point the fb _must_ be fully set up - 719 * since all the fb attributes are invariant over its lifetime, no further 720 * locking but only correct reference counting is required. 721 * 722 * Returns: 723 * Zero on success, error code on failure. 724 */ 725 int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, 726 const struct drm_framebuffer_funcs *funcs) 727 { 728 int ret; 729 730 if (WARN_ON_ONCE(fb->dev != dev || !fb->format)) 731 return -EINVAL; 732 733 INIT_LIST_HEAD(&fb->filp_head); 734 735 fb->funcs = funcs; 736 strcpy(fb->comm, current->comm); 737 738 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB, 739 false, drm_framebuffer_free); 740 if (ret) 741 goto out; 742 743 mutex_lock(&dev->mode_config.fb_lock); 744 dev->mode_config.num_fb++; 745 list_add(&fb->head, &dev->mode_config.fb_list); 746 mutex_unlock(&dev->mode_config.fb_lock); 747 748 drm_mode_object_register(dev, &fb->base); 749 out: 750 return ret; 751 } 752 EXPORT_SYMBOL(drm_framebuffer_init); 753 754 /** 755 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference 756 * @dev: drm device 757 * @file_priv: drm file to check for lease against. 758 * @id: id of the fb object 759 * 760 * If successful, this grabs an additional reference to the framebuffer - 761 * callers need to make sure to eventually unreference the returned framebuffer 762 * again, using drm_framebuffer_put(). 763 */ 764 struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev, 765 struct drm_file *file_priv, 766 uint32_t id) 767 { 768 struct drm_mode_object *obj; 769 struct drm_framebuffer *fb = NULL; 770 771 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB); 772 if (obj) 773 fb = obj_to_fb(obj); 774 return fb; 775 } 776 EXPORT_SYMBOL(drm_framebuffer_lookup); 777 778 /** 779 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr 780 * @fb: fb to unregister 781 * 782 * Drivers need to call this when cleaning up driver-private framebuffers, e.g. 783 * those used for fbdev. Note that the caller must hold a reference of it's own, 784 * i.e. the object may not be destroyed through this call (since it'll lead to a 785 * locking inversion). 786 * 787 * NOTE: This function is deprecated. For driver-private framebuffers it is not 788 * recommended to embed a framebuffer struct info fbdev struct, instead, a 789 * framebuffer pointer is preferred and drm_framebuffer_put() should be called 790 * when the framebuffer is to be cleaned up. 791 */ 792 void drm_framebuffer_unregister_private(struct drm_framebuffer *fb) 793 { 794 struct drm_device *dev; 795 796 if (!fb) 797 return; 798 799 dev = fb->dev; 800 801 /* Mark fb as reaped and drop idr ref. */ 802 drm_mode_object_unregister(dev, &fb->base); 803 } 804 EXPORT_SYMBOL(drm_framebuffer_unregister_private); 805 806 /** 807 * drm_framebuffer_cleanup - remove a framebuffer object 808 * @fb: framebuffer to remove 809 * 810 * Cleanup framebuffer. This function is intended to be used from the drivers 811 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up 812 * driver private framebuffers embedded into a larger structure. 813 * 814 * Note that this function does not remove the fb from active usage - if it is 815 * still used anywhere, hilarity can ensue since userspace could call getfb on 816 * the id and get back -EINVAL. Obviously no concern at driver unload time. 817 * 818 * Also, the framebuffer will not be removed from the lookup idr - for 819 * user-created framebuffers this will happen in in the rmfb ioctl. For 820 * driver-private objects (e.g. for fbdev) drivers need to explicitly call 821 * drm_framebuffer_unregister_private. 822 */ 823 void drm_framebuffer_cleanup(struct drm_framebuffer *fb) 824 { 825 struct drm_device *dev = fb->dev; 826 827 mutex_lock(&dev->mode_config.fb_lock); 828 list_del(&fb->head); 829 dev->mode_config.num_fb--; 830 mutex_unlock(&dev->mode_config.fb_lock); 831 } 832 EXPORT_SYMBOL(drm_framebuffer_cleanup); 833 834 static int atomic_remove_fb(struct drm_framebuffer *fb) 835 { 836 struct drm_modeset_acquire_ctx ctx; 837 struct drm_device *dev = fb->dev; 838 struct drm_atomic_state *state; 839 struct drm_plane *plane; 840 struct drm_connector *conn; 841 struct drm_connector_state *conn_state; 842 int i, ret; 843 unsigned plane_mask; 844 bool disable_crtcs = false; 845 846 retry_disable: 847 drm_modeset_acquire_init(&ctx, 0); 848 849 state = drm_atomic_state_alloc(dev); 850 if (!state) { 851 ret = -ENOMEM; 852 goto out; 853 } 854 state->acquire_ctx = &ctx; 855 856 retry: 857 plane_mask = 0; 858 ret = drm_modeset_lock_all_ctx(dev, &ctx); 859 if (ret) 860 goto unlock; 861 862 drm_for_each_plane(plane, dev) { 863 struct drm_plane_state *plane_state; 864 865 if (plane->state->fb != fb) 866 continue; 867 868 plane_state = drm_atomic_get_plane_state(state, plane); 869 if (IS_ERR(plane_state)) { 870 ret = PTR_ERR(plane_state); 871 goto unlock; 872 } 873 874 if (disable_crtcs && plane_state->crtc->primary == plane) { 875 struct drm_crtc_state *crtc_state; 876 877 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc); 878 879 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc); 880 if (ret) 881 goto unlock; 882 883 crtc_state->active = false; 884 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL); 885 if (ret) 886 goto unlock; 887 } 888 889 drm_atomic_set_fb_for_plane(plane_state, NULL); 890 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL); 891 if (ret) 892 goto unlock; 893 894 plane_mask |= drm_plane_mask(plane); 895 } 896 897 /* This list is only filled when disable_crtcs is set. */ 898 for_each_new_connector_in_state(state, conn, conn_state, i) { 899 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL); 900 901 if (ret) 902 goto unlock; 903 } 904 905 if (plane_mask) 906 ret = drm_atomic_commit(state); 907 908 unlock: 909 if (ret == -EDEADLK) { 910 drm_atomic_state_clear(state); 911 drm_modeset_backoff(&ctx); 912 goto retry; 913 } 914 915 drm_atomic_state_put(state); 916 917 out: 918 drm_modeset_drop_locks(&ctx); 919 drm_modeset_acquire_fini(&ctx); 920 921 if (ret == -EINVAL && !disable_crtcs) { 922 disable_crtcs = true; 923 goto retry_disable; 924 } 925 926 return ret; 927 } 928 929 static void legacy_remove_fb(struct drm_framebuffer *fb) 930 { 931 struct drm_device *dev = fb->dev; 932 struct drm_crtc *crtc; 933 struct drm_plane *plane; 934 935 drm_modeset_lock_all(dev); 936 /* remove from any CRTC */ 937 drm_for_each_crtc(crtc, dev) { 938 if (crtc->primary->fb == fb) { 939 /* should turn off the crtc */ 940 if (drm_crtc_force_disable(crtc)) 941 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc); 942 } 943 } 944 945 drm_for_each_plane(plane, dev) { 946 if (plane->fb == fb) 947 drm_plane_force_disable(plane); 948 } 949 drm_modeset_unlock_all(dev); 950 } 951 952 /** 953 * drm_framebuffer_remove - remove and unreference a framebuffer object 954 * @fb: framebuffer to remove 955 * 956 * Scans all the CRTCs and planes in @dev's mode_config. If they're 957 * using @fb, removes it, setting it to NULL. Then drops the reference to the 958 * passed-in framebuffer. Might take the modeset locks. 959 * 960 * Note that this function optimizes the cleanup away if the caller holds the 961 * last reference to the framebuffer. It is also guaranteed to not take the 962 * modeset locks in this case. 963 */ 964 void drm_framebuffer_remove(struct drm_framebuffer *fb) 965 { 966 struct drm_device *dev; 967 968 if (!fb) 969 return; 970 971 dev = fb->dev; 972 973 WARN_ON(!list_empty(&fb->filp_head)); 974 975 /* 976 * drm ABI mandates that we remove any deleted framebuffers from active 977 * useage. But since most sane clients only remove framebuffers they no 978 * longer need, try to optimize this away. 979 * 980 * Since we're holding a reference ourselves, observing a refcount of 1 981 * means that we're the last holder and can skip it. Also, the refcount 982 * can never increase from 1 again, so we don't need any barriers or 983 * locks. 984 * 985 * Note that userspace could try to race with use and instate a new 986 * usage _after_ we've cleared all current ones. End result will be an 987 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot 988 * in this manner. 989 */ 990 if (drm_framebuffer_read_refcount(fb) > 1) { 991 if (drm_drv_uses_atomic_modeset(dev)) { 992 int ret = atomic_remove_fb(fb); 993 WARN(ret, "atomic remove_fb failed with %i\n", ret); 994 } else 995 legacy_remove_fb(fb); 996 } 997 998 drm_framebuffer_put(fb); 999 } 1000 EXPORT_SYMBOL(drm_framebuffer_remove); 1001 1002 /** 1003 * drm_framebuffer_plane_width - width of the plane given the first plane 1004 * @width: width of the first plane 1005 * @fb: the framebuffer 1006 * @plane: plane index 1007 * 1008 * Returns: 1009 * The width of @plane, given that the width of the first plane is @width. 1010 */ 1011 int drm_framebuffer_plane_width(int width, 1012 const struct drm_framebuffer *fb, int plane) 1013 { 1014 if (plane >= fb->format->num_planes) 1015 return 0; 1016 1017 return fb_plane_width(width, fb->format, plane); 1018 } 1019 EXPORT_SYMBOL(drm_framebuffer_plane_width); 1020 1021 /** 1022 * drm_framebuffer_plane_height - height of the plane given the first plane 1023 * @height: height of the first plane 1024 * @fb: the framebuffer 1025 * @plane: plane index 1026 * 1027 * Returns: 1028 * The height of @plane, given that the height of the first plane is @height. 1029 */ 1030 int drm_framebuffer_plane_height(int height, 1031 const struct drm_framebuffer *fb, int plane) 1032 { 1033 if (plane >= fb->format->num_planes) 1034 return 0; 1035 1036 return fb_plane_height(height, fb->format, plane); 1037 } 1038 EXPORT_SYMBOL(drm_framebuffer_plane_height); 1039 1040 void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent, 1041 const struct drm_framebuffer *fb) 1042 { 1043 struct drm_format_name_buf format_name; 1044 unsigned int i; 1045 1046 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm); 1047 drm_printf_indent(p, indent, "refcount=%u\n", 1048 drm_framebuffer_read_refcount(fb)); 1049 drm_printf_indent(p, indent, "format=%s\n", 1050 drm_get_format_name(fb->format->format, &format_name)); 1051 drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier); 1052 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height); 1053 drm_printf_indent(p, indent, "layers:\n"); 1054 1055 for (i = 0; i < fb->format->num_planes; i++) { 1056 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i, 1057 drm_framebuffer_plane_width(fb->width, fb, i), 1058 drm_framebuffer_plane_height(fb->height, fb, i)); 1059 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]); 1060 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]); 1061 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i, 1062 fb->obj[i] ? "" : "(null)"); 1063 if (fb->obj[i]) 1064 drm_gem_print_info(p, indent + 2, fb->obj[i]); 1065 } 1066 } 1067 1068 #ifdef CONFIG_DEBUG_FS 1069 static int drm_framebuffer_info(struct seq_file *m, void *data) 1070 { 1071 struct drm_info_node *node = m->private; 1072 struct drm_device *dev = node->minor->dev; 1073 struct drm_printer p = drm_seq_file_printer(m); 1074 struct drm_framebuffer *fb; 1075 1076 mutex_lock(&dev->mode_config.fb_lock); 1077 drm_for_each_fb(fb, dev) { 1078 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id); 1079 drm_framebuffer_print_info(&p, 1, fb); 1080 } 1081 mutex_unlock(&dev->mode_config.fb_lock); 1082 1083 return 0; 1084 } 1085 1086 static const struct drm_info_list drm_framebuffer_debugfs_list[] = { 1087 { "framebuffer", drm_framebuffer_info, 0 }, 1088 }; 1089 1090 int drm_framebuffer_debugfs_init(struct drm_minor *minor) 1091 { 1092 return drm_debugfs_create_files(drm_framebuffer_debugfs_list, 1093 ARRAY_SIZE(drm_framebuffer_debugfs_list), 1094 minor->debugfs_root, minor); 1095 } 1096 #endif 1097