1 /* 2 * Copyright (c) 2016 Intel Corporation 3 * 4 * Permission to use, copy, modify, distribute, and sell this software and its 5 * documentation for any purpose is hereby granted without fee, provided that 6 * the above copyright notice appear in all copies and that both that copyright 7 * notice and this permission notice appear in supporting documentation, and 8 * that the name of the copyright holders not be used in advertising or 9 * publicity pertaining to distribution of the software without specific, 10 * written prior permission. The copyright holders make no representations 11 * about the suitability of this software for any purpose. It is provided "as 12 * is" without express or implied warranty. 13 * 14 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 15 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 16 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR 17 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 18 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 19 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 20 * OF THIS SOFTWARE. 21 */ 22 23 #include <linux/export.h> 24 #include <linux/uaccess.h> 25 26 #include <drm/drm_atomic.h> 27 #include <drm/drm_atomic_uapi.h> 28 #include <drm/drm_auth.h> 29 #include <drm/drm_debugfs.h> 30 #include <drm/drm_drv.h> 31 #include <drm/drm_file.h> 32 #include <drm/drm_fourcc.h> 33 #include <drm/drm_framebuffer.h> 34 #include <drm/drm_gem.h> 35 #include <drm/drm_print.h> 36 #include <drm/drm_util.h> 37 38 #include "drm_crtc_internal.h" 39 #include "drm_internal.h" 40 41 /** 42 * DOC: overview 43 * 44 * Frame buffers are abstract memory objects that provide a source of pixels to 45 * scanout to a CRTC. Applications explicitly request the creation of frame 46 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque 47 * handle that can be passed to the KMS CRTC control, plane configuration and 48 * page flip functions. 49 * 50 * Frame buffers rely on the underlying memory manager for allocating backing 51 * storage. When creating a frame buffer applications pass a memory handle 52 * (or a list of memory handles for multi-planar formats) through the 53 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace 54 * buffer management interface this would be a GEM handle. Drivers are however 55 * free to use their own backing storage object handles, e.g. vmwgfx directly 56 * exposes special TTM handles to userspace and so expects TTM handles in the 57 * create ioctl and not GEM handles. 58 * 59 * Framebuffers are tracked with &struct drm_framebuffer. They are published 60 * using drm_framebuffer_init() - after calling that function userspace can use 61 * and access the framebuffer object. The helper function 62 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required 63 * metadata fields. 64 * 65 * The lifetime of a drm framebuffer is controlled with a reference count, 66 * drivers can grab additional references with drm_framebuffer_get() and drop 67 * them again with drm_framebuffer_put(). For driver-private framebuffers for 68 * which the last reference is never dropped (e.g. for the fbdev framebuffer 69 * when the struct &struct drm_framebuffer is embedded into the fbdev helper 70 * struct) drivers can manually clean up a framebuffer at module unload time 71 * with drm_framebuffer_unregister_private(). But doing this is not 72 * recommended, and it's better to have a normal free-standing &struct 73 * drm_framebuffer. 74 */ 75 drm_framebuffer_check_src_coords(uint32_t src_x,uint32_t src_y,uint32_t src_w,uint32_t src_h,const struct drm_framebuffer * fb)76 int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y, 77 uint32_t src_w, uint32_t src_h, 78 const struct drm_framebuffer *fb) 79 { 80 unsigned int fb_width, fb_height; 81 82 fb_width = fb->width << 16; 83 fb_height = fb->height << 16; 84 85 /* Make sure source coordinates are inside the fb. */ 86 if (src_w > fb_width || 87 src_x > fb_width - src_w || 88 src_h > fb_height || 89 src_y > fb_height - src_h) { 90 drm_dbg_kms(fb->dev, "Invalid source coordinates " 91 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n", 92 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10, 93 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10, 94 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10, 95 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10, 96 fb->width, fb->height); 97 return -ENOSPC; 98 } 99 100 return 0; 101 } 102 103 /** 104 * drm_mode_addfb - add an FB to the graphics configuration 105 * @dev: drm device for the ioctl 106 * @or: pointer to request structure 107 * @file_priv: drm file 108 * 109 * Add a new FB to the specified CRTC, given a user request. This is the 110 * original addfb ioctl which only supported RGB formats. 111 * 112 * Called by the user via ioctl, or by an in-kernel client. 113 * 114 * Returns: 115 * Zero on success, negative errno on failure. 116 */ drm_mode_addfb(struct drm_device * dev,struct drm_mode_fb_cmd * or,struct drm_file * file_priv)117 int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or, 118 struct drm_file *file_priv) 119 { 120 struct drm_mode_fb_cmd2 r = {}; 121 int ret; 122 123 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 124 return -EOPNOTSUPP; 125 126 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth); 127 if (r.pixel_format == DRM_FORMAT_INVALID) { 128 drm_dbg_kms(dev, "bad {bpp:%d, depth:%d}\n", or->bpp, or->depth); 129 return -EINVAL; 130 } 131 132 /* convert to new format and call new ioctl */ 133 r.fb_id = or->fb_id; 134 r.width = or->width; 135 r.height = or->height; 136 r.pitches[0] = or->pitch; 137 r.handles[0] = or->handle; 138 139 ret = drm_mode_addfb2(dev, &r, file_priv); 140 if (ret) 141 return ret; 142 143 or->fb_id = r.fb_id; 144 145 return 0; 146 } 147 drm_mode_addfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)148 int drm_mode_addfb_ioctl(struct drm_device *dev, 149 void *data, struct drm_file *file_priv) 150 { 151 return drm_mode_addfb(dev, data, file_priv); 152 } 153 framebuffer_check(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r)154 static int framebuffer_check(struct drm_device *dev, 155 const struct drm_mode_fb_cmd2 *r) 156 { 157 const struct drm_format_info *info; 158 int i; 159 160 /* check if the format is supported at all */ 161 if (!__drm_format_info(r->pixel_format)) { 162 drm_dbg_kms(dev, "bad framebuffer format %p4cc\n", 163 &r->pixel_format); 164 return -EINVAL; 165 } 166 167 if (r->width == 0) { 168 drm_dbg_kms(dev, "bad framebuffer width %u\n", r->width); 169 return -EINVAL; 170 } 171 172 if (r->height == 0) { 173 drm_dbg_kms(dev, "bad framebuffer height %u\n", r->height); 174 return -EINVAL; 175 } 176 177 /* now let the driver pick its own format info */ 178 info = drm_get_format_info(dev, r); 179 180 for (i = 0; i < info->num_planes; i++) { 181 unsigned int width = drm_format_info_plane_width(info, r->width, i); 182 unsigned int height = drm_format_info_plane_height(info, r->height, i); 183 unsigned int block_size = info->char_per_block[i]; 184 u64 min_pitch = drm_format_info_min_pitch(info, i, width); 185 186 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) { 187 drm_dbg_kms(dev, "Format requires non-linear modifier for plane %d\n", i); 188 return -EINVAL; 189 } 190 191 if (!r->handles[i]) { 192 drm_dbg_kms(dev, "no buffer object handle for plane %d\n", i); 193 return -EINVAL; 194 } 195 196 if (min_pitch > UINT_MAX) 197 return -ERANGE; 198 199 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX) 200 return -ERANGE; 201 202 if (block_size && r->pitches[i] < min_pitch) { 203 drm_dbg_kms(dev, "bad pitch %u for plane %d\n", r->pitches[i], i); 204 return -EINVAL; 205 } 206 207 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) { 208 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n", 209 r->modifier[i], i); 210 return -EINVAL; 211 } 212 213 if (r->flags & DRM_MODE_FB_MODIFIERS && 214 r->modifier[i] != r->modifier[0]) { 215 drm_dbg_kms(dev, "bad fb modifier %llu for plane %d\n", 216 r->modifier[i], i); 217 return -EINVAL; 218 } 219 220 /* modifier specific checks: */ 221 switch (r->modifier[i]) { 222 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE: 223 /* NOTE: the pitch restriction may be lifted later if it turns 224 * out that no hw has this restriction: 225 */ 226 if (r->pixel_format != DRM_FORMAT_NV12 || 227 width % 128 || height % 32 || 228 r->pitches[i] % 128) { 229 drm_dbg_kms(dev, "bad modifier data for plane %d\n", i); 230 return -EINVAL; 231 } 232 break; 233 234 default: 235 break; 236 } 237 } 238 239 for (i = info->num_planes; i < 4; i++) { 240 if (r->modifier[i]) { 241 drm_dbg_kms(dev, "non-zero modifier for unused plane %d\n", i); 242 return -EINVAL; 243 } 244 245 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */ 246 if (!(r->flags & DRM_MODE_FB_MODIFIERS)) 247 continue; 248 249 if (r->handles[i]) { 250 drm_dbg_kms(dev, "buffer object handle for unused plane %d\n", i); 251 return -EINVAL; 252 } 253 254 if (r->pitches[i]) { 255 drm_dbg_kms(dev, "non-zero pitch for unused plane %d\n", i); 256 return -EINVAL; 257 } 258 259 if (r->offsets[i]) { 260 drm_dbg_kms(dev, "non-zero offset for unused plane %d\n", i); 261 return -EINVAL; 262 } 263 } 264 265 return 0; 266 } 267 268 struct drm_framebuffer * drm_internal_framebuffer_create(struct drm_device * dev,const struct drm_mode_fb_cmd2 * r,struct drm_file * file_priv)269 drm_internal_framebuffer_create(struct drm_device *dev, 270 const struct drm_mode_fb_cmd2 *r, 271 struct drm_file *file_priv) 272 { 273 struct drm_mode_config *config = &dev->mode_config; 274 struct drm_framebuffer *fb; 275 int ret; 276 277 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) { 278 drm_dbg_kms(dev, "bad framebuffer flags 0x%08x\n", r->flags); 279 return ERR_PTR(-EINVAL); 280 } 281 282 if ((config->min_width > r->width) || (r->width > config->max_width)) { 283 drm_dbg_kms(dev, "bad framebuffer width %d, should be >= %d && <= %d\n", 284 r->width, config->min_width, config->max_width); 285 return ERR_PTR(-EINVAL); 286 } 287 if ((config->min_height > r->height) || (r->height > config->max_height)) { 288 drm_dbg_kms(dev, "bad framebuffer height %d, should be >= %d && <= %d\n", 289 r->height, config->min_height, config->max_height); 290 return ERR_PTR(-EINVAL); 291 } 292 293 if (r->flags & DRM_MODE_FB_MODIFIERS && 294 dev->mode_config.fb_modifiers_not_supported) { 295 drm_dbg_kms(dev, "driver does not support fb modifiers\n"); 296 return ERR_PTR(-EINVAL); 297 } 298 299 ret = framebuffer_check(dev, r); 300 if (ret) 301 return ERR_PTR(ret); 302 303 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r); 304 if (IS_ERR(fb)) { 305 drm_dbg_kms(dev, "could not create framebuffer\n"); 306 return fb; 307 } 308 309 return fb; 310 } 311 EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create); 312 313 /** 314 * drm_mode_addfb2 - add an FB to the graphics configuration 315 * @dev: drm device for the ioctl 316 * @data: data pointer for the ioctl 317 * @file_priv: drm file for the ioctl call 318 * 319 * Add a new FB to the specified CRTC, given a user request with format. This is 320 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers 321 * and uses fourcc codes as pixel format specifiers. 322 * 323 * Called by the user via ioctl. 324 * 325 * Returns: 326 * Zero on success, negative errno on failure. 327 */ drm_mode_addfb2(struct drm_device * dev,void * data,struct drm_file * file_priv)328 int drm_mode_addfb2(struct drm_device *dev, 329 void *data, struct drm_file *file_priv) 330 { 331 struct drm_mode_fb_cmd2 *r = data; 332 struct drm_framebuffer *fb; 333 334 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 335 return -EOPNOTSUPP; 336 337 fb = drm_internal_framebuffer_create(dev, r, file_priv); 338 if (IS_ERR(fb)) 339 return PTR_ERR(fb); 340 341 drm_dbg_kms(dev, "[FB:%d]\n", fb->base.id); 342 r->fb_id = fb->base.id; 343 344 /* Transfer ownership to the filp for reaping on close */ 345 mutex_lock(&file_priv->fbs_lock); 346 list_add(&fb->filp_head, &file_priv->fbs); 347 mutex_unlock(&file_priv->fbs_lock); 348 349 return 0; 350 } 351 drm_mode_addfb2_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)352 int drm_mode_addfb2_ioctl(struct drm_device *dev, 353 void *data, struct drm_file *file_priv) 354 { 355 #ifdef __BIG_ENDIAN 356 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) { 357 /* 358 * Drivers must set the 359 * quirk_addfb_prefer_host_byte_order quirk to make 360 * the drm_mode_addfb() compat code work correctly on 361 * bigendian machines. 362 * 363 * If they don't they interpret pixel_format values 364 * incorrectly for bug compatibility, which in turn 365 * implies the ADDFB2 ioctl does not work correctly 366 * then. So block it to make userspace fallback to 367 * ADDFB. 368 */ 369 drm_dbg_kms(dev, "addfb2 broken on bigendian"); 370 return -EOPNOTSUPP; 371 } 372 #endif 373 return drm_mode_addfb2(dev, data, file_priv); 374 } 375 376 struct drm_mode_rmfb_work { 377 struct work_struct work; 378 struct list_head fbs; 379 }; 380 drm_mode_rmfb_work_fn(struct work_struct * w)381 static void drm_mode_rmfb_work_fn(struct work_struct *w) 382 { 383 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work); 384 385 while (!list_empty(&arg->fbs)) { 386 struct drm_framebuffer *fb = 387 list_first_entry(&arg->fbs, typeof(*fb), filp_head); 388 389 drm_dbg_kms(fb->dev, 390 "Removing [FB:%d] from all active usage due to RMFB ioctl\n", 391 fb->base.id); 392 list_del_init(&fb->filp_head); 393 drm_framebuffer_remove(fb); 394 } 395 } 396 drm_mode_closefb(struct drm_framebuffer * fb,struct drm_file * file_priv)397 static int drm_mode_closefb(struct drm_framebuffer *fb, 398 struct drm_file *file_priv) 399 { 400 struct drm_framebuffer *fbl; 401 bool found = false; 402 403 mutex_lock(&file_priv->fbs_lock); 404 list_for_each_entry(fbl, &file_priv->fbs, filp_head) 405 if (fb == fbl) 406 found = true; 407 408 if (!found) { 409 mutex_unlock(&file_priv->fbs_lock); 410 return -ENOENT; 411 } 412 413 list_del_init(&fb->filp_head); 414 mutex_unlock(&file_priv->fbs_lock); 415 416 /* Drop the reference that was stored in the fbs list */ 417 drm_framebuffer_put(fb); 418 419 return 0; 420 } 421 422 /** 423 * drm_mode_rmfb - remove an FB from the configuration 424 * @dev: drm device 425 * @fb_id: id of framebuffer to remove 426 * @file_priv: drm file 427 * 428 * Remove the specified FB. 429 * 430 * Called by the user via ioctl, or by an in-kernel client. 431 * 432 * Returns: 433 * Zero on success, negative errno on failure. 434 */ drm_mode_rmfb(struct drm_device * dev,u32 fb_id,struct drm_file * file_priv)435 int drm_mode_rmfb(struct drm_device *dev, u32 fb_id, 436 struct drm_file *file_priv) 437 { 438 struct drm_framebuffer *fb; 439 int ret; 440 441 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 442 return -EOPNOTSUPP; 443 444 fb = drm_framebuffer_lookup(dev, file_priv, fb_id); 445 if (!fb) 446 return -ENOENT; 447 448 ret = drm_mode_closefb(fb, file_priv); 449 if (ret != 0) { 450 drm_framebuffer_put(fb); 451 return ret; 452 } 453 454 /* 455 * drm_framebuffer_remove may fail with -EINTR on pending signals, 456 * so run this in a separate stack as there's no way to correctly 457 * handle this after the fb is already removed from the lookup table. 458 */ 459 if (drm_framebuffer_read_refcount(fb) > 1) { 460 struct drm_mode_rmfb_work arg; 461 462 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 463 INIT_LIST_HEAD(&arg.fbs); 464 drm_WARN_ON(dev, !list_empty(&fb->filp_head)); 465 list_add_tail(&fb->filp_head, &arg.fbs); 466 467 schedule_work(&arg.work); 468 flush_work(&arg.work); 469 destroy_work_on_stack(&arg.work); 470 } else 471 drm_framebuffer_put(fb); 472 473 return 0; 474 } 475 drm_mode_rmfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)476 int drm_mode_rmfb_ioctl(struct drm_device *dev, 477 void *data, struct drm_file *file_priv) 478 { 479 uint32_t *fb_id = data; 480 481 return drm_mode_rmfb(dev, *fb_id, file_priv); 482 } 483 drm_mode_closefb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)484 int drm_mode_closefb_ioctl(struct drm_device *dev, 485 void *data, struct drm_file *file_priv) 486 { 487 struct drm_mode_closefb *r = data; 488 struct drm_framebuffer *fb; 489 int ret; 490 491 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 492 return -EOPNOTSUPP; 493 494 if (r->pad) 495 return -EINVAL; 496 497 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 498 if (!fb) 499 return -ENOENT; 500 501 ret = drm_mode_closefb(fb, file_priv); 502 drm_framebuffer_put(fb); 503 return ret; 504 } 505 506 /** 507 * drm_mode_getfb - get FB info 508 * @dev: drm device for the ioctl 509 * @data: data pointer for the ioctl 510 * @file_priv: drm file for the ioctl call 511 * 512 * Lookup the FB given its ID and return info about it. 513 * 514 * Called by the user via ioctl. 515 * 516 * Returns: 517 * Zero on success, negative errno on failure. 518 */ drm_mode_getfb(struct drm_device * dev,void * data,struct drm_file * file_priv)519 int drm_mode_getfb(struct drm_device *dev, 520 void *data, struct drm_file *file_priv) 521 { 522 struct drm_mode_fb_cmd *r = data; 523 struct drm_framebuffer *fb; 524 int ret; 525 526 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 527 return -EOPNOTSUPP; 528 529 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 530 if (!fb) 531 return -ENOENT; 532 533 /* Multi-planar framebuffers need getfb2. */ 534 if (fb->format->num_planes > 1) { 535 ret = -EINVAL; 536 goto out; 537 } 538 539 if (!fb->funcs->create_handle) { 540 ret = -ENODEV; 541 goto out; 542 } 543 544 r->height = fb->height; 545 r->width = fb->width; 546 r->depth = fb->format->depth; 547 r->bpp = drm_format_info_bpp(fb->format, 0); 548 r->pitch = fb->pitches[0]; 549 550 /* GET_FB() is an unprivileged ioctl so we must not return a 551 * buffer-handle to non-master processes! For 552 * backwards-compatibility reasons, we cannot make GET_FB() privileged, 553 * so just return an invalid handle for non-masters. 554 */ 555 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) { 556 r->handle = 0; 557 ret = 0; 558 goto out; 559 } 560 561 ret = fb->funcs->create_handle(fb, file_priv, &r->handle); 562 563 out: 564 drm_framebuffer_put(fb); 565 return ret; 566 } 567 568 /** 569 * drm_mode_getfb2_ioctl - get extended FB info 570 * @dev: drm device for the ioctl 571 * @data: data pointer for the ioctl 572 * @file_priv: drm file for the ioctl call 573 * 574 * Lookup the FB given its ID and return info about it. 575 * 576 * Called by the user via ioctl. 577 * 578 * Returns: 579 * Zero on success, negative errno on failure. 580 */ drm_mode_getfb2_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)581 int drm_mode_getfb2_ioctl(struct drm_device *dev, 582 void *data, struct drm_file *file_priv) 583 { 584 struct drm_mode_fb_cmd2 *r = data; 585 struct drm_framebuffer *fb; 586 unsigned int i; 587 int ret = 0; 588 589 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 590 return -EINVAL; 591 592 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 593 if (!fb) 594 return -ENOENT; 595 596 /* For multi-plane framebuffers, we require the driver to place the 597 * GEM objects directly in the drm_framebuffer. For single-plane 598 * framebuffers, we can fall back to create_handle. 599 */ 600 if (!fb->obj[0] && 601 (fb->format->num_planes > 1 || !fb->funcs->create_handle)) { 602 ret = -ENODEV; 603 goto out; 604 } 605 606 r->height = fb->height; 607 r->width = fb->width; 608 r->pixel_format = fb->format->format; 609 610 r->flags = 0; 611 if (!dev->mode_config.fb_modifiers_not_supported) 612 r->flags |= DRM_MODE_FB_MODIFIERS; 613 614 for (i = 0; i < ARRAY_SIZE(r->handles); i++) { 615 r->handles[i] = 0; 616 r->pitches[i] = 0; 617 r->offsets[i] = 0; 618 r->modifier[i] = 0; 619 } 620 621 for (i = 0; i < fb->format->num_planes; i++) { 622 r->pitches[i] = fb->pitches[i]; 623 r->offsets[i] = fb->offsets[i]; 624 if (!dev->mode_config.fb_modifiers_not_supported) 625 r->modifier[i] = fb->modifier; 626 } 627 628 /* GET_FB2() is an unprivileged ioctl so we must not return a 629 * buffer-handle to non master/root processes! To match GET_FB() 630 * just return invalid handles (0) for non masters/root 631 * rather than making GET_FB2() privileged. 632 */ 633 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) { 634 ret = 0; 635 goto out; 636 } 637 638 for (i = 0; i < fb->format->num_planes; i++) { 639 int j; 640 641 /* If we reuse the same object for multiple planes, also 642 * return the same handle. 643 */ 644 for (j = 0; j < i; j++) { 645 if (fb->obj[i] == fb->obj[j]) { 646 r->handles[i] = r->handles[j]; 647 break; 648 } 649 } 650 651 if (r->handles[i]) 652 continue; 653 654 if (fb->obj[i]) { 655 ret = drm_gem_handle_create(file_priv, fb->obj[i], 656 &r->handles[i]); 657 } else { 658 WARN_ON(i > 0); 659 ret = fb->funcs->create_handle(fb, file_priv, 660 &r->handles[i]); 661 } 662 663 if (ret != 0) 664 goto out; 665 } 666 667 out: 668 if (ret != 0) { 669 /* Delete any previously-created handles on failure. */ 670 for (i = 0; i < ARRAY_SIZE(r->handles); i++) { 671 int j; 672 673 if (r->handles[i]) 674 drm_gem_handle_delete(file_priv, r->handles[i]); 675 676 /* Zero out any handles identical to the one we just 677 * deleted. 678 */ 679 for (j = i + 1; j < ARRAY_SIZE(r->handles); j++) { 680 if (r->handles[j] == r->handles[i]) 681 r->handles[j] = 0; 682 } 683 } 684 } 685 686 drm_framebuffer_put(fb); 687 return ret; 688 } 689 690 /** 691 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB 692 * @dev: drm device for the ioctl 693 * @data: data pointer for the ioctl 694 * @file_priv: drm file for the ioctl call 695 * 696 * Lookup the FB and flush out the damaged area supplied by userspace as a clip 697 * rectangle list. Generic userspace which does frontbuffer rendering must call 698 * this ioctl to flush out the changes on manual-update display outputs, e.g. 699 * usb display-link, mipi manual update panels or edp panel self refresh modes. 700 * 701 * Modesetting drivers which always update the frontbuffer do not need to 702 * implement the corresponding &drm_framebuffer_funcs.dirty callback. 703 * 704 * Called by the user via ioctl. 705 * 706 * Returns: 707 * Zero on success, negative errno on failure. 708 */ drm_mode_dirtyfb_ioctl(struct drm_device * dev,void * data,struct drm_file * file_priv)709 int drm_mode_dirtyfb_ioctl(struct drm_device *dev, 710 void *data, struct drm_file *file_priv) 711 { 712 struct drm_clip_rect __user *clips_ptr; 713 struct drm_clip_rect *clips = NULL; 714 struct drm_mode_fb_dirty_cmd *r = data; 715 struct drm_framebuffer *fb; 716 unsigned flags; 717 int num_clips; 718 int ret; 719 720 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 721 return -EOPNOTSUPP; 722 723 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 724 if (!fb) 725 return -ENOENT; 726 727 num_clips = r->num_clips; 728 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr; 729 730 if (!num_clips != !clips_ptr) { 731 ret = -EINVAL; 732 goto out_err1; 733 } 734 735 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags; 736 737 /* If userspace annotates copy, clips must come in pairs */ 738 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) { 739 ret = -EINVAL; 740 goto out_err1; 741 } 742 743 if (num_clips && clips_ptr) { 744 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) { 745 ret = -EINVAL; 746 goto out_err1; 747 } 748 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL); 749 if (!clips) { 750 ret = -ENOMEM; 751 goto out_err1; 752 } 753 754 ret = copy_from_user(clips, clips_ptr, 755 num_clips * sizeof(*clips)); 756 if (ret) { 757 ret = -EFAULT; 758 goto out_err2; 759 } 760 } 761 762 if (fb->funcs->dirty) { 763 ret = fb->funcs->dirty(fb, file_priv, flags, r->color, 764 clips, num_clips); 765 } else { 766 ret = -ENOSYS; 767 } 768 769 out_err2: 770 kfree(clips); 771 out_err1: 772 drm_framebuffer_put(fb); 773 774 return ret; 775 } 776 777 /** 778 * drm_fb_release - remove and free the FBs on this file 779 * @priv: drm file for the ioctl 780 * 781 * Destroy all the FBs associated with @filp. 782 * 783 * Called by the user via ioctl. 784 * 785 * Returns: 786 * Zero on success, negative errno on failure. 787 */ drm_fb_release(struct drm_file * priv)788 void drm_fb_release(struct drm_file *priv) 789 { 790 struct drm_framebuffer *fb, *tfb; 791 struct drm_mode_rmfb_work arg; 792 793 INIT_LIST_HEAD(&arg.fbs); 794 795 /* 796 * When the file gets released that means no one else can access the fb 797 * list any more, so no need to grab fpriv->fbs_lock. And we need to 798 * avoid upsetting lockdep since the universal cursor code adds a 799 * framebuffer while holding mutex locks. 800 * 801 * Note that a real deadlock between fpriv->fbs_lock and the modeset 802 * locks is impossible here since no one else but this function can get 803 * at it any more. 804 */ 805 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) { 806 if (drm_framebuffer_read_refcount(fb) > 1) { 807 list_move_tail(&fb->filp_head, &arg.fbs); 808 } else { 809 list_del_init(&fb->filp_head); 810 811 /* This drops the fpriv->fbs reference. */ 812 drm_framebuffer_put(fb); 813 } 814 } 815 816 if (!list_empty(&arg.fbs)) { 817 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 818 819 schedule_work(&arg.work); 820 flush_work(&arg.work); 821 destroy_work_on_stack(&arg.work); 822 } 823 } 824 drm_framebuffer_free(struct kref * kref)825 void drm_framebuffer_free(struct kref *kref) 826 { 827 struct drm_framebuffer *fb = 828 container_of(kref, struct drm_framebuffer, base.refcount); 829 struct drm_device *dev = fb->dev; 830 831 drm_WARN_ON(dev, !list_empty(&fb->filp_head)); 832 833 /* 834 * The lookup idr holds a weak reference, which has not necessarily been 835 * removed at this point. Check for that. 836 */ 837 drm_mode_object_unregister(dev, &fb->base); 838 839 fb->funcs->destroy(fb); 840 } 841 842 /** 843 * drm_framebuffer_init - initialize a framebuffer 844 * @dev: DRM device 845 * @fb: framebuffer to be initialized 846 * @funcs: ... with these functions 847 * 848 * Allocates an ID for the framebuffer's parent mode object, sets its mode 849 * functions & device file and adds it to the master fd list. 850 * 851 * IMPORTANT: 852 * This functions publishes the fb and makes it available for concurrent access 853 * by other users. Which means by this point the fb _must_ be fully set up - 854 * since all the fb attributes are invariant over its lifetime, no further 855 * locking but only correct reference counting is required. 856 * 857 * Returns: 858 * Zero on success, error code on failure. 859 */ drm_framebuffer_init(struct drm_device * dev,struct drm_framebuffer * fb,const struct drm_framebuffer_funcs * funcs)860 int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, 861 const struct drm_framebuffer_funcs *funcs) 862 { 863 int ret; 864 865 if (WARN_ON_ONCE(fb->dev != dev || !fb->format)) 866 return -EINVAL; 867 868 INIT_LIST_HEAD(&fb->filp_head); 869 870 fb->funcs = funcs; 871 strcpy(fb->comm, current->comm); 872 873 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB, 874 false, drm_framebuffer_free); 875 if (ret) 876 goto out; 877 878 mutex_lock(&dev->mode_config.fb_lock); 879 dev->mode_config.num_fb++; 880 list_add(&fb->head, &dev->mode_config.fb_list); 881 mutex_unlock(&dev->mode_config.fb_lock); 882 883 drm_mode_object_register(dev, &fb->base); 884 out: 885 return ret; 886 } 887 EXPORT_SYMBOL(drm_framebuffer_init); 888 889 /** 890 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference 891 * @dev: drm device 892 * @file_priv: drm file to check for lease against. 893 * @id: id of the fb object 894 * 895 * If successful, this grabs an additional reference to the framebuffer - 896 * callers need to make sure to eventually unreference the returned framebuffer 897 * again, using drm_framebuffer_put(). 898 */ drm_framebuffer_lookup(struct drm_device * dev,struct drm_file * file_priv,uint32_t id)899 struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev, 900 struct drm_file *file_priv, 901 uint32_t id) 902 { 903 struct drm_mode_object *obj; 904 struct drm_framebuffer *fb = NULL; 905 906 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB); 907 if (obj) 908 fb = obj_to_fb(obj); 909 return fb; 910 } 911 EXPORT_SYMBOL(drm_framebuffer_lookup); 912 913 /** 914 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr 915 * @fb: fb to unregister 916 * 917 * Drivers need to call this when cleaning up driver-private framebuffers, e.g. 918 * those used for fbdev. Note that the caller must hold a reference of its own, 919 * i.e. the object may not be destroyed through this call (since it'll lead to a 920 * locking inversion). 921 * 922 * NOTE: This function is deprecated. For driver-private framebuffers it is not 923 * recommended to embed a framebuffer struct info fbdev struct, instead, a 924 * framebuffer pointer is preferred and drm_framebuffer_put() should be called 925 * when the framebuffer is to be cleaned up. 926 */ drm_framebuffer_unregister_private(struct drm_framebuffer * fb)927 void drm_framebuffer_unregister_private(struct drm_framebuffer *fb) 928 { 929 struct drm_device *dev; 930 931 if (!fb) 932 return; 933 934 dev = fb->dev; 935 936 /* Mark fb as reaped and drop idr ref. */ 937 drm_mode_object_unregister(dev, &fb->base); 938 } 939 EXPORT_SYMBOL(drm_framebuffer_unregister_private); 940 941 /** 942 * drm_framebuffer_cleanup - remove a framebuffer object 943 * @fb: framebuffer to remove 944 * 945 * Cleanup framebuffer. This function is intended to be used from the drivers 946 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up 947 * driver private framebuffers embedded into a larger structure. 948 * 949 * Note that this function does not remove the fb from active usage - if it is 950 * still used anywhere, hilarity can ensue since userspace could call getfb on 951 * the id and get back -EINVAL. Obviously no concern at driver unload time. 952 * 953 * Also, the framebuffer will not be removed from the lookup idr - for 954 * user-created framebuffers this will happen in the rmfb ioctl. For 955 * driver-private objects (e.g. for fbdev) drivers need to explicitly call 956 * drm_framebuffer_unregister_private. 957 */ drm_framebuffer_cleanup(struct drm_framebuffer * fb)958 void drm_framebuffer_cleanup(struct drm_framebuffer *fb) 959 { 960 struct drm_device *dev = fb->dev; 961 962 mutex_lock(&dev->mode_config.fb_lock); 963 list_del(&fb->head); 964 dev->mode_config.num_fb--; 965 mutex_unlock(&dev->mode_config.fb_lock); 966 } 967 EXPORT_SYMBOL(drm_framebuffer_cleanup); 968 atomic_remove_fb(struct drm_framebuffer * fb)969 static int atomic_remove_fb(struct drm_framebuffer *fb) 970 { 971 struct drm_modeset_acquire_ctx ctx; 972 struct drm_device *dev = fb->dev; 973 struct drm_atomic_state *state; 974 struct drm_plane *plane; 975 struct drm_connector *conn __maybe_unused; 976 struct drm_connector_state *conn_state; 977 int i, ret; 978 unsigned plane_mask; 979 bool disable_crtcs = false; 980 981 retry_disable: 982 drm_modeset_acquire_init(&ctx, 0); 983 984 state = drm_atomic_state_alloc(dev); 985 if (!state) { 986 ret = -ENOMEM; 987 goto out; 988 } 989 state->acquire_ctx = &ctx; 990 991 retry: 992 plane_mask = 0; 993 ret = drm_modeset_lock_all_ctx(dev, &ctx); 994 if (ret) 995 goto unlock; 996 997 drm_for_each_plane(plane, dev) { 998 struct drm_plane_state *plane_state; 999 1000 if (plane->state->fb != fb) 1001 continue; 1002 1003 drm_dbg_kms(dev, 1004 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n", 1005 plane->base.id, plane->name, fb->base.id); 1006 1007 plane_state = drm_atomic_get_plane_state(state, plane); 1008 if (IS_ERR(plane_state)) { 1009 ret = PTR_ERR(plane_state); 1010 goto unlock; 1011 } 1012 1013 if (disable_crtcs && plane_state->crtc->primary == plane) { 1014 struct drm_crtc_state *crtc_state; 1015 1016 drm_dbg_kms(dev, 1017 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n", 1018 plane_state->crtc->base.id, 1019 plane_state->crtc->name, fb->base.id); 1020 1021 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc); 1022 1023 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc); 1024 if (ret) 1025 goto unlock; 1026 1027 crtc_state->active = false; 1028 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL); 1029 if (ret) 1030 goto unlock; 1031 } 1032 1033 drm_atomic_set_fb_for_plane(plane_state, NULL); 1034 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL); 1035 if (ret) 1036 goto unlock; 1037 1038 plane_mask |= drm_plane_mask(plane); 1039 } 1040 1041 /* This list is only filled when disable_crtcs is set. */ 1042 for_each_new_connector_in_state(state, conn, conn_state, i) { 1043 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL); 1044 1045 if (ret) 1046 goto unlock; 1047 } 1048 1049 if (plane_mask) 1050 ret = drm_atomic_commit(state); 1051 1052 unlock: 1053 if (ret == -EDEADLK) { 1054 drm_atomic_state_clear(state); 1055 drm_modeset_backoff(&ctx); 1056 goto retry; 1057 } 1058 1059 drm_atomic_state_put(state); 1060 1061 out: 1062 drm_modeset_drop_locks(&ctx); 1063 drm_modeset_acquire_fini(&ctx); 1064 1065 if (ret == -EINVAL && !disable_crtcs) { 1066 disable_crtcs = true; 1067 goto retry_disable; 1068 } 1069 1070 return ret; 1071 } 1072 legacy_remove_fb(struct drm_framebuffer * fb)1073 static void legacy_remove_fb(struct drm_framebuffer *fb) 1074 { 1075 struct drm_device *dev = fb->dev; 1076 struct drm_crtc *crtc; 1077 struct drm_plane *plane; 1078 1079 drm_modeset_lock_all(dev); 1080 /* remove from any CRTC */ 1081 drm_for_each_crtc(crtc, dev) { 1082 if (crtc->primary->fb == fb) { 1083 drm_dbg_kms(dev, 1084 "Disabling [CRTC:%d:%s] because [FB:%d] is removed\n", 1085 crtc->base.id, crtc->name, fb->base.id); 1086 1087 /* should turn off the crtc */ 1088 if (drm_crtc_force_disable(crtc)) 1089 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc); 1090 } 1091 } 1092 1093 drm_for_each_plane(plane, dev) { 1094 if (plane->fb == fb) { 1095 drm_dbg_kms(dev, 1096 "Disabling [PLANE:%d:%s] because [FB:%d] is removed\n", 1097 plane->base.id, plane->name, fb->base.id); 1098 drm_plane_force_disable(plane); 1099 } 1100 } 1101 drm_modeset_unlock_all(dev); 1102 } 1103 1104 /** 1105 * drm_framebuffer_remove - remove and unreference a framebuffer object 1106 * @fb: framebuffer to remove 1107 * 1108 * Scans all the CRTCs and planes in @dev's mode_config. If they're 1109 * using @fb, removes it, setting it to NULL. Then drops the reference to the 1110 * passed-in framebuffer. Might take the modeset locks. 1111 * 1112 * Note that this function optimizes the cleanup away if the caller holds the 1113 * last reference to the framebuffer. It is also guaranteed to not take the 1114 * modeset locks in this case. 1115 */ drm_framebuffer_remove(struct drm_framebuffer * fb)1116 void drm_framebuffer_remove(struct drm_framebuffer *fb) 1117 { 1118 struct drm_device *dev; 1119 1120 if (!fb) 1121 return; 1122 1123 dev = fb->dev; 1124 1125 drm_WARN_ON(dev, !list_empty(&fb->filp_head)); 1126 1127 /* 1128 * drm ABI mandates that we remove any deleted framebuffers from active 1129 * usage. But since most sane clients only remove framebuffers they no 1130 * longer need, try to optimize this away. 1131 * 1132 * Since we're holding a reference ourselves, observing a refcount of 1 1133 * means that we're the last holder and can skip it. Also, the refcount 1134 * can never increase from 1 again, so we don't need any barriers or 1135 * locks. 1136 * 1137 * Note that userspace could try to race with use and instate a new 1138 * usage _after_ we've cleared all current ones. End result will be an 1139 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot 1140 * in this manner. 1141 */ 1142 if (drm_framebuffer_read_refcount(fb) > 1) { 1143 if (drm_drv_uses_atomic_modeset(dev)) { 1144 int ret = atomic_remove_fb(fb); 1145 1146 WARN(ret, "atomic remove_fb failed with %i\n", ret); 1147 } else 1148 legacy_remove_fb(fb); 1149 } 1150 1151 drm_framebuffer_put(fb); 1152 } 1153 EXPORT_SYMBOL(drm_framebuffer_remove); 1154 drm_framebuffer_print_info(struct drm_printer * p,unsigned int indent,const struct drm_framebuffer * fb)1155 void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent, 1156 const struct drm_framebuffer *fb) 1157 { 1158 unsigned int i; 1159 1160 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm); 1161 drm_printf_indent(p, indent, "refcount=%u\n", 1162 drm_framebuffer_read_refcount(fb)); 1163 drm_printf_indent(p, indent, "format=%p4cc\n", &fb->format->format); 1164 drm_printf_indent(p, indent, "modifier=0x%llx\n", fb->modifier); 1165 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height); 1166 drm_printf_indent(p, indent, "layers:\n"); 1167 1168 for (i = 0; i < fb->format->num_planes; i++) { 1169 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i, 1170 drm_format_info_plane_width(fb->format, fb->width, i), 1171 drm_format_info_plane_height(fb->format, fb->height, i)); 1172 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]); 1173 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]); 1174 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i, 1175 fb->obj[i] ? "" : "(null)"); 1176 if (fb->obj[i]) 1177 drm_gem_print_info(p, indent + 2, fb->obj[i]); 1178 } 1179 } 1180 1181 #ifdef CONFIG_DEBUG_FS drm_framebuffer_info(struct seq_file * m,void * data)1182 static int drm_framebuffer_info(struct seq_file *m, void *data) 1183 { 1184 struct drm_debugfs_entry *entry = m->private; 1185 struct drm_device *dev = entry->dev; 1186 struct drm_printer p = drm_seq_file_printer(m); 1187 struct drm_framebuffer *fb; 1188 1189 mutex_lock(&dev->mode_config.fb_lock); 1190 drm_for_each_fb(fb, dev) { 1191 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id); 1192 drm_framebuffer_print_info(&p, 1, fb); 1193 } 1194 mutex_unlock(&dev->mode_config.fb_lock); 1195 1196 return 0; 1197 } 1198 1199 static const struct drm_debugfs_info drm_framebuffer_debugfs_list[] = { 1200 { "framebuffer", drm_framebuffer_info, 0 }, 1201 }; 1202 drm_framebuffer_debugfs_init(struct drm_device * dev)1203 void drm_framebuffer_debugfs_init(struct drm_device *dev) 1204 { 1205 drm_debugfs_add_files(dev, drm_framebuffer_debugfs_list, 1206 ARRAY_SIZE(drm_framebuffer_debugfs_list)); 1207 } 1208 #endif 1209