linux/drivers/gpu/drm/msm/msm_fb.c

246 lines
6.4 KiB
C
Raw Normal View History

/*
* Copyright (C) 2013 Red Hat
* Author: Rob Clark <robdclark@gmail.com>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 as published by
* the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
* more details.
*
* You should have received a copy of the GNU General Public License along with
* this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "msm_drv.h"
#include "msm_kms.h"
#include "drm_crtc.h"
#include "drm_crtc_helper.h"
struct msm_framebuffer {
struct drm_framebuffer base;
const struct msm_format *format;
struct drm_gem_object *planes[MAX_PLANE];
};
#define to_msm_framebuffer(x) container_of(x, struct msm_framebuffer, base)
static int msm_framebuffer_create_handle(struct drm_framebuffer *fb,
struct drm_file *file_priv,
unsigned int *handle)
{
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
return drm_gem_handle_create(file_priv,
msm_fb->planes[0], handle);
}
static void msm_framebuffer_destroy(struct drm_framebuffer *fb)
{
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
int i, n = drm_format_num_planes(fb->pixel_format);
DBG("destroy: FB ID: %d (%p)", fb->base.id, fb);
drm_framebuffer_cleanup(fb);
for (i = 0; i < n; i++) {
struct drm_gem_object *bo = msm_fb->planes[i];
if (bo)
drm_gem_object_unreference_unlocked(bo);
}
kfree(msm_fb);
}
static int msm_framebuffer_dirty(struct drm_framebuffer *fb,
struct drm_file *file_priv, unsigned flags, unsigned color,
struct drm_clip_rect *clips, unsigned num_clips)
{
return 0;
}
static const struct drm_framebuffer_funcs msm_framebuffer_funcs = {
.create_handle = msm_framebuffer_create_handle,
.destroy = msm_framebuffer_destroy,
.dirty = msm_framebuffer_dirty,
};
#ifdef CONFIG_DEBUG_FS
void msm_framebuffer_describe(struct drm_framebuffer *fb, struct seq_file *m)
{
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
int i, n = drm_format_num_planes(fb->pixel_format);
seq_printf(m, "fb: %dx%d@%4.4s (%2d, ID:%d)\n",
fb->width, fb->height, (char *)&fb->pixel_format,
drm_framebuffer_read_refcount(fb), fb->base.id);
for (i = 0; i < n; i++) {
seq_printf(m, " %d: offset=%d pitch=%d, obj: ",
i, fb->offsets[i], fb->pitches[i]);
msm_gem_describe(msm_fb->planes[i], m);
}
}
#endif
/* prepare/pin all the fb's bo's for scanout. Note that it is not valid
* to prepare an fb more multiple different initiator 'id's. But that
* should be fine, since only the scanout (mdpN) side of things needs
* this, the gpu doesn't care about fb's.
*/
int msm_framebuffer_prepare(struct drm_framebuffer *fb, int id)
{
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
int ret, i, n = drm_format_num_planes(fb->pixel_format);
uint32_t iova;
for (i = 0; i < n; i++) {
ret = msm_gem_get_iova(msm_fb->planes[i], id, &iova);
DBG("FB[%u]: iova[%d]: %08x (%d)", fb->base.id, i, iova, ret);
if (ret)
return ret;
}
return 0;
}
void msm_framebuffer_cleanup(struct drm_framebuffer *fb, int id)
{
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
int i, n = drm_format_num_planes(fb->pixel_format);
for (i = 0; i < n; i++)
msm_gem_put_iova(msm_fb->planes[i], id);
}
uint32_t msm_framebuffer_iova(struct drm_framebuffer *fb, int id, int plane)
{
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
if (!msm_fb->planes[plane])
return 0;
return msm_gem_iova(msm_fb->planes[plane], id) + fb->offsets[plane];
}
struct drm_gem_object *msm_framebuffer_bo(struct drm_framebuffer *fb, int plane)
{
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
return msm_fb->planes[plane];
}
const struct msm_format *msm_framebuffer_format(struct drm_framebuffer *fb)
{
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
return msm_fb->format;
}
struct drm_framebuffer *msm_framebuffer_create(struct drm_device *dev,
struct drm_file *file, const struct drm_mode_fb_cmd2 *mode_cmd)
{
struct drm_gem_object *bos[4] = {0};
struct drm_framebuffer *fb;
int ret, i, n = drm_format_num_planes(mode_cmd->pixel_format);
for (i = 0; i < n; i++) {
bos[i] = drm_gem_object_lookup(dev, file,
mode_cmd->handles[i]);
if (!bos[i]) {
ret = -ENXIO;
goto out_unref;
}
}
fb = msm_framebuffer_init(dev, mode_cmd, bos);
if (IS_ERR(fb)) {
ret = PTR_ERR(fb);
goto out_unref;
}
return fb;
out_unref:
for (i = 0; i < n; i++)
drm_gem_object_unreference_unlocked(bos[i]);
return ERR_PTR(ret);
}
struct drm_framebuffer *msm_framebuffer_init(struct drm_device *dev,
const struct drm_mode_fb_cmd2 *mode_cmd, struct drm_gem_object **bos)
{
struct msm_drm_private *priv = dev->dev_private;
struct msm_kms *kms = priv->kms;
drm/msm: fix unbalanced DRM framebuffer init/destroy When msm_framebuffer_init() fails before calling drm_framebuffer_init(), drm_framebuffer_cleanup() [called in msm_framebuffer_destroy()] is still being called even though drm_framebuffer_init() was not called for that buffer. Thus a NULL pointer derefencing: [ 247.529691] Unable to handle kernel NULL pointer dereference at virtual address 0000027c ... [ 247.563996] PC is at __mutex_lock_slowpath+0x94/0x3a8 ... [ 247.823025] [<c07c3c78>] (__mutex_lock_slowpath) from [<c07c3fac>] (mutex_lock+0x20/0x3c) [ 247.831186] [<c07c3fac>] (mutex_lock) from [<c0347cf0>] (drm_framebuffer_cleanup+0x18/0x38) [ 247.839520] [<c0347cf0>] (drm_framebuffer_cleanup) from [<c036d138>] (msm_framebuffer_destroy+0x48/0x100) [ 247.849066] [<c036d138>] (msm_framebuffer_destroy) from [<c036d580>] (msm_framebuffer_init+0x1e8/0x228) [ 247.858439] [<c036d580>] (msm_framebuffer_init) from [<c036d630>] (msm_framebuffer_create+0x70/0x134) [ 247.867642] [<c036d630>] (msm_framebuffer_create) from [<c03493ec>] (internal_framebuffer_create+0x67c/0x7b4) [ 247.877537] [<c03493ec>] (internal_framebuffer_create) from [<c034ce34>] (drm_mode_addfb2+0x20/0x98) [ 247.886650] [<c034ce34>] (drm_mode_addfb2) from [<c034071c>] (drm_ioctl+0x240/0x420) [ 247.894378] [<c034071c>] (drm_ioctl) from [<c011df7c>] (do_vfs_ioctl+0x4e4/0x5a4) ... Signed-off-by: Stephane Viau <sviau@codeaurora.org> [plus initialize msm_fb to NULL to -Rob] Signed-off-by: Rob Clark <robdclark@gmail.com>
2015-05-05 21:47:57 +08:00
struct msm_framebuffer *msm_fb = NULL;
struct drm_framebuffer *fb;
const struct msm_format *format;
int ret, i, n;
unsigned int hsub, vsub;
DBG("create framebuffer: dev=%p, mode_cmd=%p (%dx%d@%4.4s)",
dev, mode_cmd, mode_cmd->width, mode_cmd->height,
(char *)&mode_cmd->pixel_format);
n = drm_format_num_planes(mode_cmd->pixel_format);
hsub = drm_format_horz_chroma_subsampling(mode_cmd->pixel_format);
vsub = drm_format_vert_chroma_subsampling(mode_cmd->pixel_format);
format = kms->funcs->get_format(kms, mode_cmd->pixel_format);
if (!format) {
dev_err(dev->dev, "unsupported pixel format: %4.4s\n",
(char *)&mode_cmd->pixel_format);
ret = -EINVAL;
goto fail;
}
msm_fb = kzalloc(sizeof(*msm_fb), GFP_KERNEL);
if (!msm_fb) {
ret = -ENOMEM;
goto fail;
}
fb = &msm_fb->base;
msm_fb->format = format;
if (n > ARRAY_SIZE(msm_fb->planes)) {
ret = -EINVAL;
goto fail;
}
for (i = 0; i < n; i++) {
unsigned int width = mode_cmd->width / (i ? hsub : 1);
unsigned int height = mode_cmd->height / (i ? vsub : 1);
unsigned int min_size;
min_size = (height - 1) * mode_cmd->pitches[i]
+ width * drm_format_plane_cpp(mode_cmd->pixel_format, i)
+ mode_cmd->offsets[i];
if (bos[i]->size < min_size) {
ret = -EINVAL;
goto fail;
}
msm_fb->planes[i] = bos[i];
}
drm_helper_mode_fill_fb_struct(fb, mode_cmd);
ret = drm_framebuffer_init(dev, fb, &msm_framebuffer_funcs);
if (ret) {
dev_err(dev->dev, "framebuffer init failed: %d\n", ret);
goto fail;
}
DBG("create: FB ID: %d (%p)", fb->base.id, fb);
return fb;
fail:
drm/msm: fix unbalanced DRM framebuffer init/destroy When msm_framebuffer_init() fails before calling drm_framebuffer_init(), drm_framebuffer_cleanup() [called in msm_framebuffer_destroy()] is still being called even though drm_framebuffer_init() was not called for that buffer. Thus a NULL pointer derefencing: [ 247.529691] Unable to handle kernel NULL pointer dereference at virtual address 0000027c ... [ 247.563996] PC is at __mutex_lock_slowpath+0x94/0x3a8 ... [ 247.823025] [<c07c3c78>] (__mutex_lock_slowpath) from [<c07c3fac>] (mutex_lock+0x20/0x3c) [ 247.831186] [<c07c3fac>] (mutex_lock) from [<c0347cf0>] (drm_framebuffer_cleanup+0x18/0x38) [ 247.839520] [<c0347cf0>] (drm_framebuffer_cleanup) from [<c036d138>] (msm_framebuffer_destroy+0x48/0x100) [ 247.849066] [<c036d138>] (msm_framebuffer_destroy) from [<c036d580>] (msm_framebuffer_init+0x1e8/0x228) [ 247.858439] [<c036d580>] (msm_framebuffer_init) from [<c036d630>] (msm_framebuffer_create+0x70/0x134) [ 247.867642] [<c036d630>] (msm_framebuffer_create) from [<c03493ec>] (internal_framebuffer_create+0x67c/0x7b4) [ 247.877537] [<c03493ec>] (internal_framebuffer_create) from [<c034ce34>] (drm_mode_addfb2+0x20/0x98) [ 247.886650] [<c034ce34>] (drm_mode_addfb2) from [<c034071c>] (drm_ioctl+0x240/0x420) [ 247.894378] [<c034071c>] (drm_ioctl) from [<c011df7c>] (do_vfs_ioctl+0x4e4/0x5a4) ... Signed-off-by: Stephane Viau <sviau@codeaurora.org> [plus initialize msm_fb to NULL to -Rob] Signed-off-by: Rob Clark <robdclark@gmail.com>
2015-05-05 21:47:57 +08:00
kfree(msm_fb);
return ERR_PTR(ret);
}