1/* $NetBSD: drm_framebuffer.c,v 1.6 2021/12/19 09:47:44 riastradh Exp $ */ 2 3/* 4 * Copyright (c) 2016 Intel Corporation 5 * 6 * Permission to use, copy, modify, distribute, and sell this software and its 7 * documentation for any purpose is hereby granted without fee, provided that 8 * the above copyright notice appear in all copies and that both that copyright 9 * notice and this permission notice appear in supporting documentation, and 10 * that the name of the copyright holders not be used in advertising or 11 * publicity pertaining to distribution of the software without specific, 12 * written prior permission. The copyright holders make no representations 13 * about the suitability of this software for any purpose. It is provided "as 14 * is" without express or implied warranty. 15 * 16 * THE COPYRIGHT HOLDERS DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 17 * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 18 * EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY SPECIAL, INDIRECT OR 19 * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, 20 * DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 21 * TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE 22 * OF THIS SOFTWARE. 23 */ 24 25#include <sys/cdefs.h> 26__KERNEL_RCSID(0, "$NetBSD: drm_framebuffer.c,v 1.6 2021/12/19 09:47:44 riastradh Exp $"); 27 28#include <linux/export.h> 29#include <linux/capability.h> 30#include <linux/uaccess.h> 31 32#include <drm/drm_atomic.h> 33#include <drm/drm_atomic_uapi.h> 34#include <drm/drm_auth.h> 35#include <drm/drm_debugfs.h> 36#include <drm/drm_drv.h> 37#include <drm/drm_file.h> 38#include <drm/drm_fourcc.h> 39#include <drm/drm_framebuffer.h> 40#include <drm/drm_print.h> 41#include <drm/drm_util.h> 42 43#include "drm_crtc_internal.h" 44#include "drm_internal.h" 45 46/** 47 * DOC: overview 48 * 49 * Frame buffers are abstract memory objects that provide a source of pixels to 50 * scanout to a CRTC. Applications explicitly request the creation of frame 51 * buffers through the DRM_IOCTL_MODE_ADDFB(2) ioctls and receive an opaque 52 * handle that can be passed to the KMS CRTC control, plane configuration and 53 * page flip functions. 54 * 55 * Frame buffers rely on the underlying memory manager for allocating backing 56 * storage. When creating a frame buffer applications pass a memory handle 57 * (or a list of memory handles for multi-planar formats) through the 58 * &struct drm_mode_fb_cmd2 argument. For drivers using GEM as their userspace 59 * buffer management interface this would be a GEM handle. Drivers are however 60 * free to use their own backing storage object handles, e.g. vmwgfx directly 61 * exposes special TTM handles to userspace and so expects TTM handles in the 62 * create ioctl and not GEM handles. 63 * 64 * Framebuffers are tracked with &struct drm_framebuffer. They are published 65 * using drm_framebuffer_init() - after calling that function userspace can use 66 * and access the framebuffer object. The helper function 67 * drm_helper_mode_fill_fb_struct() can be used to pre-fill the required 68 * metadata fields. 69 * 70 * The lifetime of a drm framebuffer is controlled with a reference count, 71 * drivers can grab additional references with drm_framebuffer_get() and drop 72 * them again with drm_framebuffer_put(). For driver-private framebuffers for 73 * which the last reference is never dropped (e.g. for the fbdev framebuffer 74 * when the struct &struct drm_framebuffer is embedded into the fbdev helper 75 * struct) drivers can manually clean up a framebuffer at module unload time 76 * with drm_framebuffer_unregister_private(). But doing this is not 77 * recommended, and it's better to have a normal free-standing &struct 78 * drm_framebuffer. 79 */ 80 81int drm_framebuffer_check_src_coords(uint32_t src_x, uint32_t src_y, 82 uint32_t src_w, uint32_t src_h, 83 const struct drm_framebuffer *fb) 84{ 85 unsigned int fb_width, fb_height; 86 87 fb_width = fb->width << 16; 88 fb_height = fb->height << 16; 89 90 /* Make sure source coordinates are inside the fb. */ 91 if (src_w > fb_width || 92 src_x > fb_width - src_w || 93 src_h > fb_height || 94 src_y > fb_height - src_h) { 95 DRM_DEBUG_KMS("Invalid source coordinates " 96 "%u.%06ux%u.%06u+%u.%06u+%u.%06u (fb %ux%u)\n", 97 src_w >> 16, ((src_w & 0xffff) * 15625) >> 10, 98 src_h >> 16, ((src_h & 0xffff) * 15625) >> 10, 99 src_x >> 16, ((src_x & 0xffff) * 15625) >> 10, 100 src_y >> 16, ((src_y & 0xffff) * 15625) >> 10, 101 fb->width, fb->height); 102 return -ENOSPC; 103 } 104 105 return 0; 106} 107 108/** 109 * drm_mode_addfb - add an FB to the graphics configuration 110 * @dev: drm device for the ioctl 111 * @or: pointer to request structure 112 * @file_priv: drm file 113 * 114 * Add a new FB to the specified CRTC, given a user request. This is the 115 * original addfb ioctl which only supported RGB formats. 116 * 117 * Called by the user via ioctl, or by an in-kernel client. 118 * 119 * Returns: 120 * Zero on success, negative errno on failure. 121 */ 122int drm_mode_addfb(struct drm_device *dev, struct drm_mode_fb_cmd *or, 123 struct drm_file *file_priv) 124{ 125 struct drm_mode_fb_cmd2 r = {}; 126 int ret; 127 128 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 129 return -EOPNOTSUPP; 130 131 r.pixel_format = drm_driver_legacy_fb_format(dev, or->bpp, or->depth); 132 if (r.pixel_format == DRM_FORMAT_INVALID) { 133 DRM_DEBUG("bad {bpp:%d, depth:%d}\n", or->bpp, or->depth); 134 return -EINVAL; 135 } 136 137 /* convert to new format and call new ioctl */ 138 r.fb_id = or->fb_id; 139 r.width = or->width; 140 r.height = or->height; 141 r.pitches[0] = or->pitch; 142 r.handles[0] = or->handle; 143 144 ret = drm_mode_addfb2(dev, &r, file_priv); 145 if (ret) 146 return ret; 147 148 or->fb_id = r.fb_id; 149 150 return 0; 151} 152 153int drm_mode_addfb_ioctl(struct drm_device *dev, 154 void *data, struct drm_file *file_priv) 155{ 156 return drm_mode_addfb(dev, data, file_priv); 157} 158 159static int fb_plane_width(int width, 160 const struct drm_format_info *format, int plane) 161{ 162 if (plane == 0) 163 return width; 164 165 return DIV_ROUND_UP(width, format->hsub); 166} 167 168static int fb_plane_height(int height, 169 const struct drm_format_info *format, int plane) 170{ 171 if (plane == 0) 172 return height; 173 174 return DIV_ROUND_UP(height, format->vsub); 175} 176 177static int framebuffer_check(struct drm_device *dev, 178 const struct drm_mode_fb_cmd2 *r) 179{ 180 const struct drm_format_info *info; 181 int i; 182 183 /* check if the format is supported at all */ 184 info = __drm_format_info(r->pixel_format); 185 if (!info) { 186 struct drm_format_name_buf format_name; 187 188 DRM_DEBUG_KMS("bad framebuffer format %s\n", 189 drm_get_format_name(r->pixel_format, 190 &format_name)); 191 return -EINVAL; 192 } 193 194 /* now let the driver pick its own format info */ 195 info = drm_get_format_info(dev, r); 196 197 if (r->width == 0) { 198 DRM_DEBUG_KMS("bad framebuffer width %u\n", r->width); 199 return -EINVAL; 200 } 201 202 if (r->height == 0) { 203 DRM_DEBUG_KMS("bad framebuffer height %u\n", r->height); 204 return -EINVAL; 205 } 206 207 for (i = 0; i < info->num_planes; i++) { 208 unsigned int width = fb_plane_width(r->width, info, i); 209 unsigned int height = fb_plane_height(r->height, info, i); 210 unsigned int block_size = info->char_per_block[i]; 211 u64 min_pitch = drm_format_info_min_pitch(info, i, width); 212 213 if (!block_size && (r->modifier[i] == DRM_FORMAT_MOD_LINEAR)) { 214 DRM_DEBUG_KMS("Format requires non-linear modifier for plane %d\n", i); 215 return -EINVAL; 216 } 217 218 if (!r->handles[i]) { 219 DRM_DEBUG_KMS("no buffer object handle for plane %d\n", i); 220 return -EINVAL; 221 } 222 223 if (min_pitch > UINT_MAX) 224 return -ERANGE; 225 226 if ((uint64_t) height * r->pitches[i] + r->offsets[i] > UINT_MAX) 227 return -ERANGE; 228 229 if (block_size && r->pitches[i] < min_pitch) { 230 DRM_DEBUG_KMS("bad pitch %u for plane %d\n", r->pitches[i], i); 231 return -EINVAL; 232 } 233 234 if (r->modifier[i] && !(r->flags & DRM_MODE_FB_MODIFIERS)) { 235 DRM_DEBUG_KMS("bad fb modifier %"PRIu64" for plane %d\n", 236 r->modifier[i], i); 237 return -EINVAL; 238 } 239 240 if (r->flags & DRM_MODE_FB_MODIFIERS && 241 r->modifier[i] != r->modifier[0]) { 242 DRM_DEBUG_KMS("bad fb modifier %"PRIu64" for plane %d\n", 243 r->modifier[i], i); 244 return -EINVAL; 245 } 246 247 /* modifier specific checks: */ 248 switch (r->modifier[i]) { 249 case DRM_FORMAT_MOD_SAMSUNG_64_32_TILE: 250 /* NOTE: the pitch restriction may be lifted later if it turns 251 * out that no hw has this restriction: 252 */ 253 if (r->pixel_format != DRM_FORMAT_NV12 || 254 width % 128 || height % 32 || 255 r->pitches[i] % 128) { 256 DRM_DEBUG_KMS("bad modifier data for plane %d\n", i); 257 return -EINVAL; 258 } 259 break; 260 261 default: 262 break; 263 } 264 } 265 266 for (i = info->num_planes; i < 4; i++) { 267 if (r->modifier[i]) { 268 DRM_DEBUG_KMS("non-zero modifier for unused plane %d\n", i); 269 return -EINVAL; 270 } 271 272 /* Pre-FB_MODIFIERS userspace didn't clear the structs properly. */ 273 if (!(r->flags & DRM_MODE_FB_MODIFIERS)) 274 continue; 275 276 if (r->handles[i]) { 277 DRM_DEBUG_KMS("buffer object handle for unused plane %d\n", i); 278 return -EINVAL; 279 } 280 281 if (r->pitches[i]) { 282 DRM_DEBUG_KMS("non-zero pitch for unused plane %d\n", i); 283 return -EINVAL; 284 } 285 286 if (r->offsets[i]) { 287 DRM_DEBUG_KMS("non-zero offset for unused plane %d\n", i); 288 return -EINVAL; 289 } 290 } 291 292 return 0; 293} 294 295struct drm_framebuffer * 296drm_internal_framebuffer_create(struct drm_device *dev, 297 const struct drm_mode_fb_cmd2 *r, 298 struct drm_file *file_priv) 299{ 300 struct drm_mode_config *config = &dev->mode_config; 301 struct drm_framebuffer *fb; 302 int ret; 303 304 if (r->flags & ~(DRM_MODE_FB_INTERLACED | DRM_MODE_FB_MODIFIERS)) { 305 DRM_DEBUG_KMS("bad framebuffer flags 0x%08x\n", r->flags); 306 return ERR_PTR(-EINVAL); 307 } 308 309 if ((config->min_width > r->width) || (r->width > config->max_width)) { 310 DRM_DEBUG_KMS("bad framebuffer width %d, should be >= %d && <= %d\n", 311 r->width, config->min_width, config->max_width); 312 return ERR_PTR(-EINVAL); 313 } 314 if ((config->min_height > r->height) || (r->height > config->max_height)) { 315 DRM_DEBUG_KMS("bad framebuffer height %d, should be >= %d && <= %d\n", 316 r->height, config->min_height, config->max_height); 317 return ERR_PTR(-EINVAL); 318 } 319 320 if (r->flags & DRM_MODE_FB_MODIFIERS && 321 !dev->mode_config.allow_fb_modifiers) { 322 DRM_DEBUG_KMS("driver does not support fb modifiers\n"); 323 return ERR_PTR(-EINVAL); 324 } 325 326 ret = framebuffer_check(dev, r); 327 if (ret) 328 return ERR_PTR(ret); 329 330 fb = dev->mode_config.funcs->fb_create(dev, file_priv, r); 331 if (IS_ERR(fb)) { 332 DRM_DEBUG_KMS("could not create framebuffer\n"); 333 return fb; 334 } 335 336 return fb; 337} 338EXPORT_SYMBOL_FOR_TESTS_ONLY(drm_internal_framebuffer_create); 339 340/** 341 * drm_mode_addfb2 - add an FB to the graphics configuration 342 * @dev: drm device for the ioctl 343 * @data: data pointer for the ioctl 344 * @file_priv: drm file for the ioctl call 345 * 346 * Add a new FB to the specified CRTC, given a user request with format. This is 347 * the 2nd version of the addfb ioctl, which supports multi-planar framebuffers 348 * and uses fourcc codes as pixel format specifiers. 349 * 350 * Called by the user via ioctl. 351 * 352 * Returns: 353 * Zero on success, negative errno on failure. 354 */ 355int drm_mode_addfb2(struct drm_device *dev, 356 void *data, struct drm_file *file_priv) 357{ 358 struct drm_mode_fb_cmd2 *r = data; 359 struct drm_framebuffer *fb; 360 361 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 362 return -EOPNOTSUPP; 363 364 fb = drm_internal_framebuffer_create(dev, r, file_priv); 365 if (IS_ERR(fb)) 366 return PTR_ERR(fb); 367 368 DRM_DEBUG_KMS("[FB:%d]\n", fb->base.id); 369 r->fb_id = fb->base.id; 370 371 /* Transfer ownership to the filp for reaping on close */ 372 mutex_lock(&file_priv->fbs_lock); 373 list_add(&fb->filp_head, &file_priv->fbs); 374 mutex_unlock(&file_priv->fbs_lock); 375 376 return 0; 377} 378 379int drm_mode_addfb2_ioctl(struct drm_device *dev, 380 void *data, struct drm_file *file_priv) 381{ 382#ifdef __BIG_ENDIAN 383 if (!dev->mode_config.quirk_addfb_prefer_host_byte_order) { 384 /* 385 * Drivers must set the 386 * quirk_addfb_prefer_host_byte_order quirk to make 387 * the drm_mode_addfb() compat code work correctly on 388 * bigendian machines. 389 * 390 * If they don't they interpret pixel_format values 391 * incorrectly for bug compatibility, which in turn 392 * implies the ADDFB2 ioctl does not work correctly 393 * then. So block it to make userspace fallback to 394 * ADDFB. 395 */ 396 DRM_DEBUG_KMS("addfb2 broken on bigendian"); 397 return -EOPNOTSUPP; 398 } 399#endif 400 return drm_mode_addfb2(dev, data, file_priv); 401} 402 403struct drm_mode_rmfb_work { 404 struct work_struct work; 405 struct list_head fbs; 406}; 407 408static void drm_mode_rmfb_work_fn(struct work_struct *w) 409{ 410 struct drm_mode_rmfb_work *arg = container_of(w, typeof(*arg), work); 411 412 while (!list_empty(&arg->fbs)) { 413 struct drm_framebuffer *fb = 414 list_first_entry(&arg->fbs, typeof(*fb), filp_head); 415 416 list_del_init(&fb->filp_head); 417 drm_framebuffer_remove(fb); 418 } 419} 420 421/** 422 * drm_mode_rmfb - remove an FB from the configuration 423 * @dev: drm device 424 * @fb_id: id of framebuffer to remove 425 * @file_priv: drm file 426 * 427 * Remove the specified FB. 428 * 429 * Called by the user via ioctl, or by an in-kernel client. 430 * 431 * Returns: 432 * Zero on success, negative errno on failure. 433 */ 434int drm_mode_rmfb(struct drm_device *dev, u32 fb_id, 435 struct drm_file *file_priv) 436{ 437 struct drm_framebuffer *fb = NULL; 438 struct drm_framebuffer *fbl = NULL; 439 int found = 0; 440 441 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 442 return -EOPNOTSUPP; 443 444 fb = drm_framebuffer_lookup(dev, file_priv, fb_id); 445 if (!fb) 446 return -ENOENT; 447 448 mutex_lock(&file_priv->fbs_lock); 449 list_for_each_entry(fbl, &file_priv->fbs, filp_head) 450 if (fb == fbl) 451 found = 1; 452 if (!found) { 453 mutex_unlock(&file_priv->fbs_lock); 454 goto fail_unref; 455 } 456 457 list_del_init(&fb->filp_head); 458 mutex_unlock(&file_priv->fbs_lock); 459 460 /* drop the reference we picked up in framebuffer lookup */ 461 drm_framebuffer_put(fb); 462 463 /* 464 * we now own the reference that was stored in the fbs list 465 * 466 * drm_framebuffer_remove may fail with -EINTR on pending signals, 467 * so run this in a separate stack as there's no way to correctly 468 * handle this after the fb is already removed from the lookup table. 469 */ 470 if (drm_framebuffer_read_refcount(fb) > 1) { 471 struct drm_mode_rmfb_work arg; 472 473 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 474 INIT_LIST_HEAD(&arg.fbs); 475 list_add_tail(&fb->filp_head, &arg.fbs); 476 477 schedule_work(&arg.work); 478 flush_work(&arg.work); 479 destroy_work_on_stack(&arg.work); 480 } else 481 drm_framebuffer_put(fb); 482 483 return 0; 484 485fail_unref: 486 drm_framebuffer_put(fb); 487 return -ENOENT; 488} 489 490int drm_mode_rmfb_ioctl(struct drm_device *dev, 491 void *data, struct drm_file *file_priv) 492{ 493 uint32_t *fb_id = data; 494 495 return drm_mode_rmfb(dev, *fb_id, file_priv); 496} 497 498/** 499 * drm_mode_getfb - get FB info 500 * @dev: drm device for the ioctl 501 * @data: data pointer for the ioctl 502 * @file_priv: drm file for the ioctl call 503 * 504 * Lookup the FB given its ID and return info about it. 505 * 506 * Called by the user via ioctl. 507 * 508 * Returns: 509 * Zero on success, negative errno on failure. 510 */ 511int drm_mode_getfb(struct drm_device *dev, 512 void *data, struct drm_file *file_priv) 513{ 514 struct drm_mode_fb_cmd *r = data; 515 struct drm_framebuffer *fb; 516 int ret; 517 518 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 519 return -EOPNOTSUPP; 520 521 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 522 if (!fb) 523 return -ENOENT; 524 525 /* Multi-planar framebuffers need getfb2. */ 526 if (fb->format->num_planes > 1) { 527 ret = -EINVAL; 528 goto out; 529 } 530 531 if (!fb->funcs->create_handle) { 532 ret = -ENODEV; 533 goto out; 534 } 535 536 r->height = fb->height; 537 r->width = fb->width; 538 r->depth = fb->format->depth; 539 r->bpp = fb->format->cpp[0] * 8; 540 r->pitch = fb->pitches[0]; 541 542 /* GET_FB() is an unprivileged ioctl so we must not return a 543 * buffer-handle to non-master processes! For 544 * backwards-compatibility reasons, we cannot make GET_FB() privileged, 545 * so just return an invalid handle for non-masters. 546 */ 547 if (!drm_is_current_master(file_priv) && !capable(CAP_SYS_ADMIN)) { 548 r->handle = 0; 549 ret = 0; 550 goto out; 551 } 552 553 ret = fb->funcs->create_handle(fb, file_priv, &r->handle); 554 555out: 556 drm_framebuffer_put(fb); 557 558 return ret; 559} 560 561/** 562 * drm_mode_dirtyfb_ioctl - flush frontbuffer rendering on an FB 563 * @dev: drm device for the ioctl 564 * @data: data pointer for the ioctl 565 * @file_priv: drm file for the ioctl call 566 * 567 * Lookup the FB and flush out the damaged area supplied by userspace as a clip 568 * rectangle list. Generic userspace which does frontbuffer rendering must call 569 * this ioctl to flush out the changes on manual-update display outputs, e.g. 570 * usb display-link, mipi manual update panels or edp panel self refresh modes. 571 * 572 * Modesetting drivers which always update the frontbuffer do not need to 573 * implement the corresponding &drm_framebuffer_funcs.dirty callback. 574 * 575 * Called by the user via ioctl. 576 * 577 * Returns: 578 * Zero on success, negative errno on failure. 579 */ 580int drm_mode_dirtyfb_ioctl(struct drm_device *dev, 581 void *data, struct drm_file *file_priv) 582{ 583 struct drm_clip_rect __user *clips_ptr; 584 struct drm_clip_rect *clips = NULL; 585 struct drm_mode_fb_dirty_cmd *r = data; 586 struct drm_framebuffer *fb; 587 unsigned flags; 588 int num_clips; 589 int ret; 590 591 if (!drm_core_check_feature(dev, DRIVER_MODESET)) 592 return -EOPNOTSUPP; 593 594 fb = drm_framebuffer_lookup(dev, file_priv, r->fb_id); 595 if (!fb) 596 return -ENOENT; 597 598 num_clips = r->num_clips; 599 clips_ptr = (struct drm_clip_rect __user *)(unsigned long)r->clips_ptr; 600 601 if (!num_clips != !clips_ptr) { 602 ret = -EINVAL; 603 goto out_err1; 604 } 605 606 flags = DRM_MODE_FB_DIRTY_FLAGS & r->flags; 607 608 /* If userspace annotates copy, clips must come in pairs */ 609 if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY && (num_clips % 2)) { 610 ret = -EINVAL; 611 goto out_err1; 612 } 613 614 if (num_clips && clips_ptr) { 615 if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) { 616 ret = -EINVAL; 617 goto out_err1; 618 } 619 clips = kcalloc(num_clips, sizeof(*clips), GFP_KERNEL); 620 if (!clips) { 621 ret = -ENOMEM; 622 goto out_err1; 623 } 624 625 ret = copy_from_user(clips, clips_ptr, 626 num_clips * sizeof(*clips)); 627 if (ret) { 628 ret = -EFAULT; 629 goto out_err2; 630 } 631 } 632 633 if (fb->funcs->dirty) { 634 ret = fb->funcs->dirty(fb, file_priv, flags, r->color, 635 clips, num_clips); 636 } else { 637 ret = -ENOSYS; 638 } 639 640out_err2: 641 kfree(clips); 642out_err1: 643 drm_framebuffer_put(fb); 644 645 return ret; 646} 647 648/** 649 * drm_fb_release - remove and free the FBs on this file 650 * @priv: drm file for the ioctl 651 * 652 * Destroy all the FBs associated with @filp. 653 * 654 * Called by the user via ioctl. 655 * 656 * Returns: 657 * Zero on success, negative errno on failure. 658 */ 659void drm_fb_release(struct drm_file *priv) 660{ 661 struct drm_framebuffer *fb, *tfb; 662 struct drm_mode_rmfb_work arg; 663 664 INIT_LIST_HEAD(&arg.fbs); 665 666 /* 667 * When the file gets released that means no one else can access the fb 668 * list any more, so no need to grab fpriv->fbs_lock. And we need to 669 * avoid upsetting lockdep since the universal cursor code adds a 670 * framebuffer while holding mutex locks. 671 * 672 * Note that a real deadlock between fpriv->fbs_lock and the modeset 673 * locks is impossible here since no one else but this function can get 674 * at it any more. 675 */ 676 list_for_each_entry_safe(fb, tfb, &priv->fbs, filp_head) { 677 if (drm_framebuffer_read_refcount(fb) > 1) { 678 list_move_tail(&fb->filp_head, &arg.fbs); 679 } else { 680 list_del_init(&fb->filp_head); 681 682 /* This drops the fpriv->fbs reference. */ 683 drm_framebuffer_put(fb); 684 } 685 } 686 687 if (!list_empty(&arg.fbs)) { 688 INIT_WORK_ONSTACK(&arg.work, drm_mode_rmfb_work_fn); 689 690 schedule_work(&arg.work); 691 flush_work(&arg.work); 692 destroy_work_on_stack(&arg.work); 693 } 694} 695 696void drm_framebuffer_free(struct kref *kref) 697{ 698 struct drm_framebuffer *fb = 699 container_of(kref, struct drm_framebuffer, base.refcount); 700 struct drm_device *dev = fb->dev; 701 702 /* 703 * The lookup idr holds a weak reference, which has not necessarily been 704 * removed at this point. Check for that. 705 */ 706 drm_mode_object_unregister(dev, &fb->base); 707 708 fb->funcs->destroy(fb); 709} 710 711/** 712 * drm_framebuffer_init - initialize a framebuffer 713 * @dev: DRM device 714 * @fb: framebuffer to be initialized 715 * @funcs: ... with these functions 716 * 717 * Allocates an ID for the framebuffer's parent mode object, sets its mode 718 * functions & device file and adds it to the master fd list. 719 * 720 * IMPORTANT: 721 * This functions publishes the fb and makes it available for concurrent access 722 * by other users. Which means by this point the fb _must_ be fully set up - 723 * since all the fb attributes are invariant over its lifetime, no further 724 * locking but only correct reference counting is required. 725 * 726 * Returns: 727 * Zero on success, error code on failure. 728 */ 729int drm_framebuffer_init(struct drm_device *dev, struct drm_framebuffer *fb, 730 const struct drm_framebuffer_funcs *funcs) 731{ 732 int ret; 733 734 if (WARN_ON_ONCE(fb->dev != dev || !fb->format)) 735 return -EINVAL; 736 737 INIT_LIST_HEAD(&fb->filp_head); 738 739 fb->funcs = funcs; 740#ifdef __NetBSD__ 741 strlcpy(fb->comm, curproc->p_comm, sizeof fb->comm); 742#else 743 strcpy(fb->comm, current->comm); 744#endif 745 746 ret = __drm_mode_object_add(dev, &fb->base, DRM_MODE_OBJECT_FB, 747 false, drm_framebuffer_free); 748 if (ret) 749 goto out; 750 751 mutex_lock(&dev->mode_config.fb_lock); 752 dev->mode_config.num_fb++; 753 list_add(&fb->head, &dev->mode_config.fb_list); 754 mutex_unlock(&dev->mode_config.fb_lock); 755 756 drm_mode_object_register(dev, &fb->base); 757out: 758 return ret; 759} 760EXPORT_SYMBOL(drm_framebuffer_init); 761 762/** 763 * drm_framebuffer_lookup - look up a drm framebuffer and grab a reference 764 * @dev: drm device 765 * @file_priv: drm file to check for lease against. 766 * @id: id of the fb object 767 * 768 * If successful, this grabs an additional reference to the framebuffer - 769 * callers need to make sure to eventually unreference the returned framebuffer 770 * again, using drm_framebuffer_put(). 771 */ 772struct drm_framebuffer *drm_framebuffer_lookup(struct drm_device *dev, 773 struct drm_file *file_priv, 774 uint32_t id) 775{ 776 struct drm_mode_object *obj; 777 struct drm_framebuffer *fb = NULL; 778 779 obj = __drm_mode_object_find(dev, file_priv, id, DRM_MODE_OBJECT_FB); 780 if (obj) 781 fb = obj_to_fb(obj); 782 return fb; 783} 784EXPORT_SYMBOL(drm_framebuffer_lookup); 785 786/** 787 * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr 788 * @fb: fb to unregister 789 * 790 * Drivers need to call this when cleaning up driver-private framebuffers, e.g. 791 * those used for fbdev. Note that the caller must hold a reference of its own, 792 * i.e. the object may not be destroyed through this call (since it'll lead to a 793 * locking inversion). 794 * 795 * NOTE: This function is deprecated. For driver-private framebuffers it is not 796 * recommended to embed a framebuffer struct info fbdev struct, instead, a 797 * framebuffer pointer is preferred and drm_framebuffer_put() should be called 798 * when the framebuffer is to be cleaned up. 799 */ 800void drm_framebuffer_unregister_private(struct drm_framebuffer *fb) 801{ 802 struct drm_device *dev; 803 804 if (!fb) 805 return; 806 807 dev = fb->dev; 808 809 /* Mark fb as reaped and drop idr ref. */ 810 drm_mode_object_unregister(dev, &fb->base); 811} 812EXPORT_SYMBOL(drm_framebuffer_unregister_private); 813 814/** 815 * drm_framebuffer_cleanup - remove a framebuffer object 816 * @fb: framebuffer to remove 817 * 818 * Cleanup framebuffer. This function is intended to be used from the drivers 819 * &drm_framebuffer_funcs.destroy callback. It can also be used to clean up 820 * driver private framebuffers embedded into a larger structure. 821 * 822 * Note that this function does not remove the fb from active usage - if it is 823 * still used anywhere, hilarity can ensue since userspace could call getfb on 824 * the id and get back -EINVAL. Obviously no concern at driver unload time. 825 * 826 * Also, the framebuffer will not be removed from the lookup idr - for 827 * user-created framebuffers this will happen in in the rmfb ioctl. For 828 * driver-private objects (e.g. for fbdev) drivers need to explicitly call 829 * drm_framebuffer_unregister_private. 830 */ 831void drm_framebuffer_cleanup(struct drm_framebuffer *fb) 832{ 833 struct drm_device *dev = fb->dev; 834 835 mutex_lock(&dev->mode_config.fb_lock); 836 list_del(&fb->head); 837 dev->mode_config.num_fb--; 838 mutex_unlock(&dev->mode_config.fb_lock); 839} 840EXPORT_SYMBOL(drm_framebuffer_cleanup); 841 842static int atomic_remove_fb(struct drm_framebuffer *fb) 843{ 844 struct drm_modeset_acquire_ctx ctx; 845 struct drm_device *dev = fb->dev; 846 struct drm_atomic_state *state; 847 struct drm_plane *plane; 848 struct drm_connector *conn __maybe_unused; 849 struct drm_connector_state *conn_state; 850 int i, ret; 851 unsigned plane_mask; 852 bool disable_crtcs = false; 853 854retry_disable: 855 drm_modeset_acquire_init(&ctx, 0); 856 857 state = drm_atomic_state_alloc(dev); 858 if (!state) { 859 ret = -ENOMEM; 860 goto out; 861 } 862 state->acquire_ctx = &ctx; 863 864retry: 865 plane_mask = 0; 866 ret = drm_modeset_lock_all_ctx(dev, &ctx); 867 if (ret) 868 goto unlock; 869 870 drm_for_each_plane(plane, dev) { 871 struct drm_plane_state *plane_state; 872 873 if (plane->state->fb != fb) 874 continue; 875 876 plane_state = drm_atomic_get_plane_state(state, plane); 877 if (IS_ERR(plane_state)) { 878 ret = PTR_ERR(plane_state); 879 goto unlock; 880 } 881 882 if (disable_crtcs && plane_state->crtc->primary == plane) { 883 struct drm_crtc_state *crtc_state; 884 885 crtc_state = drm_atomic_get_existing_crtc_state(state, plane_state->crtc); 886 887 ret = drm_atomic_add_affected_connectors(state, plane_state->crtc); 888 if (ret) 889 goto unlock; 890 891 crtc_state->active = false; 892 ret = drm_atomic_set_mode_for_crtc(crtc_state, NULL); 893 if (ret) 894 goto unlock; 895 } 896 897 drm_atomic_set_fb_for_plane(plane_state, NULL); 898 ret = drm_atomic_set_crtc_for_plane(plane_state, NULL); 899 if (ret) 900 goto unlock; 901 902 plane_mask |= drm_plane_mask(plane); 903 } 904 905 /* This list is only filled when disable_crtcs is set. */ 906 for_each_new_connector_in_state(state, conn, conn_state, i) { 907 ret = drm_atomic_set_crtc_for_connector(conn_state, NULL); 908 909 if (ret) 910 goto unlock; 911 } 912 913 if (plane_mask) 914 ret = drm_atomic_commit(state); 915 916unlock: 917 if (ret == -EDEADLK) { 918 drm_atomic_state_clear(state); 919 drm_modeset_backoff(&ctx); 920 goto retry; 921 } 922 923 drm_atomic_state_put(state); 924 925out: 926 drm_modeset_drop_locks(&ctx); 927 drm_modeset_acquire_fini(&ctx); 928 929 if (ret == -EINVAL && !disable_crtcs) { 930 disable_crtcs = true; 931 goto retry_disable; 932 } 933 934 return ret; 935} 936 937static void legacy_remove_fb(struct drm_framebuffer *fb) 938{ 939 struct drm_device *dev = fb->dev; 940 struct drm_crtc *crtc; 941 struct drm_plane *plane; 942 943 drm_modeset_lock_all(dev); 944 /* remove from any CRTC */ 945 drm_for_each_crtc(crtc, dev) { 946 if (crtc->primary->fb == fb) { 947 /* should turn off the crtc */ 948 if (drm_crtc_force_disable(crtc)) 949 DRM_ERROR("failed to reset crtc %p when fb was deleted\n", crtc); 950 } 951 } 952 953 drm_for_each_plane(plane, dev) { 954 if (plane->fb == fb) 955 drm_plane_force_disable(plane); 956 } 957 drm_modeset_unlock_all(dev); 958} 959 960/** 961 * drm_framebuffer_remove - remove and unreference a framebuffer object 962 * @fb: framebuffer to remove 963 * 964 * Scans all the CRTCs and planes in @dev's mode_config. If they're 965 * using @fb, removes it, setting it to NULL. Then drops the reference to the 966 * passed-in framebuffer. Might take the modeset locks. 967 * 968 * Note that this function optimizes the cleanup away if the caller holds the 969 * last reference to the framebuffer. It is also guaranteed to not take the 970 * modeset locks in this case. 971 */ 972void drm_framebuffer_remove(struct drm_framebuffer *fb) 973{ 974 struct drm_device *dev; 975 976 if (!fb) 977 return; 978 979 dev = fb->dev; 980 981 WARN_ON(!list_empty(&fb->filp_head)); 982 983 /* 984 * drm ABI mandates that we remove any deleted framebuffers from active 985 * useage. But since most sane clients only remove framebuffers they no 986 * longer need, try to optimize this away. 987 * 988 * Since we're holding a reference ourselves, observing a refcount of 1 989 * means that we're the last holder and can skip it. Also, the refcount 990 * can never increase from 1 again, so we don't need any barriers or 991 * locks. 992 * 993 * Note that userspace could try to race with use and instate a new 994 * usage _after_ we've cleared all current ones. End result will be an 995 * in-use fb with fb-id == 0. Userspace is allowed to shoot its own foot 996 * in this manner. 997 */ 998 if (drm_framebuffer_read_refcount(fb) > 1) { 999 if (drm_drv_uses_atomic_modeset(dev)) { 1000 int ret = atomic_remove_fb(fb); 1001 WARN(ret, "atomic remove_fb failed with %i\n", ret); 1002 } else 1003 legacy_remove_fb(fb); 1004 } 1005 1006 drm_framebuffer_put(fb); 1007} 1008EXPORT_SYMBOL(drm_framebuffer_remove); 1009 1010/** 1011 * drm_framebuffer_plane_width - width of the plane given the first plane 1012 * @width: width of the first plane 1013 * @fb: the framebuffer 1014 * @plane: plane index 1015 * 1016 * Returns: 1017 * The width of @plane, given that the width of the first plane is @width. 1018 */ 1019int drm_framebuffer_plane_width(int width, 1020 const struct drm_framebuffer *fb, int plane) 1021{ 1022 if (plane >= fb->format->num_planes) 1023 return 0; 1024 1025 return fb_plane_width(width, fb->format, plane); 1026} 1027EXPORT_SYMBOL(drm_framebuffer_plane_width); 1028 1029/** 1030 * drm_framebuffer_plane_height - height of the plane given the first plane 1031 * @height: height of the first plane 1032 * @fb: the framebuffer 1033 * @plane: plane index 1034 * 1035 * Returns: 1036 * The height of @plane, given that the height of the first plane is @height. 1037 */ 1038int drm_framebuffer_plane_height(int height, 1039 const struct drm_framebuffer *fb, int plane) 1040{ 1041 if (plane >= fb->format->num_planes) 1042 return 0; 1043 1044 return fb_plane_height(height, fb->format, plane); 1045} 1046EXPORT_SYMBOL(drm_framebuffer_plane_height); 1047 1048void drm_framebuffer_print_info(struct drm_printer *p, unsigned int indent, 1049 const struct drm_framebuffer *fb) 1050{ 1051 struct drm_format_name_buf format_name; 1052 unsigned int i; 1053 1054 drm_printf_indent(p, indent, "allocated by = %s\n", fb->comm); 1055 drm_printf_indent(p, indent, "refcount=%u\n", 1056 drm_framebuffer_read_refcount(fb)); 1057 drm_printf_indent(p, indent, "format=%s\n", 1058 drm_get_format_name(fb->format->format, &format_name)); 1059 drm_printf_indent(p, indent, "modifier=0x%"PRIx64"\n", fb->modifier); 1060 drm_printf_indent(p, indent, "size=%ux%u\n", fb->width, fb->height); 1061 drm_printf_indent(p, indent, "layers:\n"); 1062 1063 for (i = 0; i < fb->format->num_planes; i++) { 1064 drm_printf_indent(p, indent + 1, "size[%u]=%dx%d\n", i, 1065 drm_framebuffer_plane_width(fb->width, fb, i), 1066 drm_framebuffer_plane_height(fb->height, fb, i)); 1067 drm_printf_indent(p, indent + 1, "pitch[%u]=%u\n", i, fb->pitches[i]); 1068 drm_printf_indent(p, indent + 1, "offset[%u]=%u\n", i, fb->offsets[i]); 1069 drm_printf_indent(p, indent + 1, "obj[%u]:%s\n", i, 1070 fb->obj[i] ? "" : "(null)"); 1071 if (fb->obj[i]) 1072 drm_gem_print_info(p, indent + 2, fb->obj[i]); 1073 } 1074} 1075 1076#ifdef CONFIG_DEBUG_FS 1077static int drm_framebuffer_info(struct seq_file *m, void *data) 1078{ 1079 struct drm_info_node *node = m->private; 1080 struct drm_device *dev = node->minor->dev; 1081 struct drm_printer p = drm_seq_file_printer(m); 1082 struct drm_framebuffer *fb; 1083 1084 mutex_lock(&dev->mode_config.fb_lock); 1085 drm_for_each_fb(fb, dev) { 1086 drm_printf(&p, "framebuffer[%u]:\n", fb->base.id); 1087 drm_framebuffer_print_info(&p, 1, fb); 1088 } 1089 mutex_unlock(&dev->mode_config.fb_lock); 1090 1091 return 0; 1092} 1093 1094static const struct drm_info_list drm_framebuffer_debugfs_list[] = { 1095 { "framebuffer", drm_framebuffer_info, 0 }, 1096}; 1097 1098int drm_framebuffer_debugfs_init(struct drm_minor *minor) 1099{ 1100 return drm_debugfs_create_files(drm_framebuffer_debugfs_list, 1101 ARRAY_SIZE(drm_framebuffer_debugfs_list), 1102 minor->debugfs_root, minor); 1103} 1104#endif 1105