forked from Minki/linux
7194b62c8c
When msm_framebuffer_init() fails before calling drm_framebuffer_init(), drm_framebuffer_cleanup() [called in msm_framebuffer_destroy()] is still being called even though drm_framebuffer_init() was not called for that buffer. Thus a NULL pointer derefencing: [ 247.529691] Unable to handle kernel NULL pointer dereference at virtual address 0000027c ... [ 247.563996] PC is at __mutex_lock_slowpath+0x94/0x3a8 ... [ 247.823025] [<c07c3c78>] (__mutex_lock_slowpath) from [<c07c3fac>] (mutex_lock+0x20/0x3c) [ 247.831186] [<c07c3fac>] (mutex_lock) from [<c0347cf0>] (drm_framebuffer_cleanup+0x18/0x38) [ 247.839520] [<c0347cf0>] (drm_framebuffer_cleanup) from [<c036d138>] (msm_framebuffer_destroy+0x48/0x100) [ 247.849066] [<c036d138>] (msm_framebuffer_destroy) from [<c036d580>] (msm_framebuffer_init+0x1e8/0x228) [ 247.858439] [<c036d580>] (msm_framebuffer_init) from [<c036d630>] (msm_framebuffer_create+0x70/0x134) [ 247.867642] [<c036d630>] (msm_framebuffer_create) from [<c03493ec>] (internal_framebuffer_create+0x67c/0x7b4) [ 247.877537] [<c03493ec>] (internal_framebuffer_create) from [<c034ce34>] (drm_mode_addfb2+0x20/0x98) [ 247.886650] [<c034ce34>] (drm_mode_addfb2) from [<c034071c>] (drm_ioctl+0x240/0x420) [ 247.894378] [<c034071c>] (drm_ioctl) from [<c011df7c>] (do_vfs_ioctl+0x4e4/0x5a4) ... Signed-off-by: Stephane Viau <sviau@codeaurora.org> [plus initialize msm_fb to NULL to -Rob] Signed-off-by: Rob Clark <robdclark@gmail.com>
246 lines
6.4 KiB
C
246 lines
6.4 KiB
C
/*
|
|
* Copyright (C) 2013 Red Hat
|
|
* Author: Rob Clark <robdclark@gmail.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 as published by
|
|
* the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but WITHOUT
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
|
|
* more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along with
|
|
* this program. If not, see <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#include "msm_drv.h"
|
|
#include "msm_kms.h"
|
|
|
|
#include "drm_crtc.h"
|
|
#include "drm_crtc_helper.h"
|
|
|
|
struct msm_framebuffer {
|
|
struct drm_framebuffer base;
|
|
const struct msm_format *format;
|
|
struct drm_gem_object *planes[MAX_PLANE];
|
|
};
|
|
#define to_msm_framebuffer(x) container_of(x, struct msm_framebuffer, base)
|
|
|
|
|
|
static int msm_framebuffer_create_handle(struct drm_framebuffer *fb,
|
|
struct drm_file *file_priv,
|
|
unsigned int *handle)
|
|
{
|
|
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
|
|
return drm_gem_handle_create(file_priv,
|
|
msm_fb->planes[0], handle);
|
|
}
|
|
|
|
static void msm_framebuffer_destroy(struct drm_framebuffer *fb)
|
|
{
|
|
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
|
|
int i, n = drm_format_num_planes(fb->pixel_format);
|
|
|
|
DBG("destroy: FB ID: %d (%p)", fb->base.id, fb);
|
|
|
|
drm_framebuffer_cleanup(fb);
|
|
|
|
for (i = 0; i < n; i++) {
|
|
struct drm_gem_object *bo = msm_fb->planes[i];
|
|
if (bo)
|
|
drm_gem_object_unreference_unlocked(bo);
|
|
}
|
|
|
|
kfree(msm_fb);
|
|
}
|
|
|
|
static int msm_framebuffer_dirty(struct drm_framebuffer *fb,
|
|
struct drm_file *file_priv, unsigned flags, unsigned color,
|
|
struct drm_clip_rect *clips, unsigned num_clips)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static const struct drm_framebuffer_funcs msm_framebuffer_funcs = {
|
|
.create_handle = msm_framebuffer_create_handle,
|
|
.destroy = msm_framebuffer_destroy,
|
|
.dirty = msm_framebuffer_dirty,
|
|
};
|
|
|
|
#ifdef CONFIG_DEBUG_FS
|
|
void msm_framebuffer_describe(struct drm_framebuffer *fb, struct seq_file *m)
|
|
{
|
|
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
|
|
int i, n = drm_format_num_planes(fb->pixel_format);
|
|
|
|
seq_printf(m, "fb: %dx%d@%4.4s (%2d, ID:%d)\n",
|
|
fb->width, fb->height, (char *)&fb->pixel_format,
|
|
fb->refcount.refcount.counter, fb->base.id);
|
|
|
|
for (i = 0; i < n; i++) {
|
|
seq_printf(m, " %d: offset=%d pitch=%d, obj: ",
|
|
i, fb->offsets[i], fb->pitches[i]);
|
|
msm_gem_describe(msm_fb->planes[i], m);
|
|
}
|
|
}
|
|
#endif
|
|
|
|
/* prepare/pin all the fb's bo's for scanout. Note that it is not valid
|
|
* to prepare an fb more multiple different initiator 'id's. But that
|
|
* should be fine, since only the scanout (mdpN) side of things needs
|
|
* this, the gpu doesn't care about fb's.
|
|
*/
|
|
int msm_framebuffer_prepare(struct drm_framebuffer *fb, int id)
|
|
{
|
|
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
|
|
int ret, i, n = drm_format_num_planes(fb->pixel_format);
|
|
uint32_t iova;
|
|
|
|
for (i = 0; i < n; i++) {
|
|
ret = msm_gem_get_iova(msm_fb->planes[i], id, &iova);
|
|
DBG("FB[%u]: iova[%d]: %08x (%d)", fb->base.id, i, iova, ret);
|
|
if (ret)
|
|
return ret;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
void msm_framebuffer_cleanup(struct drm_framebuffer *fb, int id)
|
|
{
|
|
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
|
|
int i, n = drm_format_num_planes(fb->pixel_format);
|
|
|
|
for (i = 0; i < n; i++)
|
|
msm_gem_put_iova(msm_fb->planes[i], id);
|
|
}
|
|
|
|
uint32_t msm_framebuffer_iova(struct drm_framebuffer *fb, int id, int plane)
|
|
{
|
|
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
|
|
if (!msm_fb->planes[plane])
|
|
return 0;
|
|
return msm_gem_iova(msm_fb->planes[plane], id) + fb->offsets[plane];
|
|
}
|
|
|
|
struct drm_gem_object *msm_framebuffer_bo(struct drm_framebuffer *fb, int plane)
|
|
{
|
|
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
|
|
return msm_fb->planes[plane];
|
|
}
|
|
|
|
const struct msm_format *msm_framebuffer_format(struct drm_framebuffer *fb)
|
|
{
|
|
struct msm_framebuffer *msm_fb = to_msm_framebuffer(fb);
|
|
return msm_fb->format;
|
|
}
|
|
|
|
struct drm_framebuffer *msm_framebuffer_create(struct drm_device *dev,
|
|
struct drm_file *file, struct drm_mode_fb_cmd2 *mode_cmd)
|
|
{
|
|
struct drm_gem_object *bos[4] = {0};
|
|
struct drm_framebuffer *fb;
|
|
int ret, i, n = drm_format_num_planes(mode_cmd->pixel_format);
|
|
|
|
for (i = 0; i < n; i++) {
|
|
bos[i] = drm_gem_object_lookup(dev, file,
|
|
mode_cmd->handles[i]);
|
|
if (!bos[i]) {
|
|
ret = -ENXIO;
|
|
goto out_unref;
|
|
}
|
|
}
|
|
|
|
fb = msm_framebuffer_init(dev, mode_cmd, bos);
|
|
if (IS_ERR(fb)) {
|
|
ret = PTR_ERR(fb);
|
|
goto out_unref;
|
|
}
|
|
|
|
return fb;
|
|
|
|
out_unref:
|
|
for (i = 0; i < n; i++)
|
|
drm_gem_object_unreference_unlocked(bos[i]);
|
|
return ERR_PTR(ret);
|
|
}
|
|
|
|
struct drm_framebuffer *msm_framebuffer_init(struct drm_device *dev,
|
|
struct drm_mode_fb_cmd2 *mode_cmd, struct drm_gem_object **bos)
|
|
{
|
|
struct msm_drm_private *priv = dev->dev_private;
|
|
struct msm_kms *kms = priv->kms;
|
|
struct msm_framebuffer *msm_fb = NULL;
|
|
struct drm_framebuffer *fb;
|
|
const struct msm_format *format;
|
|
int ret, i, n;
|
|
unsigned int hsub, vsub;
|
|
|
|
DBG("create framebuffer: dev=%p, mode_cmd=%p (%dx%d@%4.4s)",
|
|
dev, mode_cmd, mode_cmd->width, mode_cmd->height,
|
|
(char *)&mode_cmd->pixel_format);
|
|
|
|
n = drm_format_num_planes(mode_cmd->pixel_format);
|
|
hsub = drm_format_horz_chroma_subsampling(mode_cmd->pixel_format);
|
|
vsub = drm_format_vert_chroma_subsampling(mode_cmd->pixel_format);
|
|
|
|
format = kms->funcs->get_format(kms, mode_cmd->pixel_format);
|
|
if (!format) {
|
|
dev_err(dev->dev, "unsupported pixel format: %4.4s\n",
|
|
(char *)&mode_cmd->pixel_format);
|
|
ret = -EINVAL;
|
|
goto fail;
|
|
}
|
|
|
|
msm_fb = kzalloc(sizeof(*msm_fb), GFP_KERNEL);
|
|
if (!msm_fb) {
|
|
ret = -ENOMEM;
|
|
goto fail;
|
|
}
|
|
|
|
fb = &msm_fb->base;
|
|
|
|
msm_fb->format = format;
|
|
|
|
if (n > ARRAY_SIZE(msm_fb->planes)) {
|
|
ret = -EINVAL;
|
|
goto fail;
|
|
}
|
|
|
|
for (i = 0; i < n; i++) {
|
|
unsigned int width = mode_cmd->width / (i ? hsub : 1);
|
|
unsigned int height = mode_cmd->height / (i ? vsub : 1);
|
|
unsigned int min_size;
|
|
|
|
min_size = (height - 1) * mode_cmd->pitches[i]
|
|
+ width * drm_format_plane_cpp(mode_cmd->pixel_format, i)
|
|
+ mode_cmd->offsets[i];
|
|
|
|
if (bos[i]->size < min_size) {
|
|
ret = -EINVAL;
|
|
goto fail;
|
|
}
|
|
|
|
msm_fb->planes[i] = bos[i];
|
|
}
|
|
|
|
drm_helper_mode_fill_fb_struct(fb, mode_cmd);
|
|
|
|
ret = drm_framebuffer_init(dev, fb, &msm_framebuffer_funcs);
|
|
if (ret) {
|
|
dev_err(dev->dev, "framebuffer init failed: %d\n", ret);
|
|
goto fail;
|
|
}
|
|
|
|
DBG("create: FB ID: %d (%p)", fb->base.id, fb);
|
|
|
|
return fb;
|
|
|
|
fail:
|
|
kfree(msm_fb);
|
|
|
|
return ERR_PTR(ret);
|
|
}
|