diff options
| author | Daniel Vetter <daniel.vetter@ffwll.ch> | 2015-02-27 06:58:13 -0500 |
|---|---|---|
| committer | Dave Airlie <airlied@redhat.com> | 2015-03-23 22:04:35 -0400 |
| commit | 8218c3f4df3bb1c637c17552405039a6dd3c1ee1 (patch) | |
| tree | 982545a11600b7a261574e0327d6c0d69d8e215c | |
| parent | 90a5a895cc8b284ac522757a01de15e36710c2b9 (diff) | |
drm: Fixup racy refcounting in plane_force_disable
Originally it was impossible to be dropping the last refcount in this
function since there was always one around still from the idr. But in
commit 83f45fc360c8e16a330474860ebda872d1384c8c
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date: Wed Aug 6 09:10:18 2014 +0200
drm: Don't grab an fb reference for the idr
we've switched to weak references, broke that assumption but forgot to
fix it up.
Since we still force-disable planes it's only possible to hit this
when racing multiple rmfb with fbdev restoring or similar evil things.
As long as userspace is nice it's impossible to hit the BUG_ON.
But the BUG_ON would most likely be hit from fbdev code, which usually
invovles the console_lock besides all modeset locks. So very likely
we'd never get the bug reports if this was hit in the wild, hence
better be safe than sorry and backport.
Spotted by Matt Roper while reviewing other patches.
[airlied: pull this back into 4.0 - the oops happens there]
Cc: stable@vger.kernel.org
Cc: Matt Roper <matthew.d.roper@intel.com>
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
| -rw-r--r-- | drivers/gpu/drm/drm_crtc.c | 13 |
1 files changed, 1 insertions, 12 deletions
diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index f6d04c7b5115..679b10e34fb5 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c | |||
| @@ -525,17 +525,6 @@ void drm_framebuffer_reference(struct drm_framebuffer *fb) | |||
| 525 | } | 525 | } |
| 526 | EXPORT_SYMBOL(drm_framebuffer_reference); | 526 | EXPORT_SYMBOL(drm_framebuffer_reference); |
| 527 | 527 | ||
| 528 | static void drm_framebuffer_free_bug(struct kref *kref) | ||
| 529 | { | ||
| 530 | BUG(); | ||
| 531 | } | ||
| 532 | |||
| 533 | static void __drm_framebuffer_unreference(struct drm_framebuffer *fb) | ||
| 534 | { | ||
| 535 | DRM_DEBUG("%p: FB ID: %d (%d)\n", fb, fb->base.id, atomic_read(&fb->refcount.refcount)); | ||
| 536 | kref_put(&fb->refcount, drm_framebuffer_free_bug); | ||
| 537 | } | ||
| 538 | |||
| 539 | /** | 528 | /** |
| 540 | * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr | 529 | * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr |
| 541 | * @fb: fb to unregister | 530 | * @fb: fb to unregister |
| @@ -1320,7 +1309,7 @@ void drm_plane_force_disable(struct drm_plane *plane) | |||
| 1320 | return; | 1309 | return; |
| 1321 | } | 1310 | } |
| 1322 | /* disconnect the plane from the fb and crtc: */ | 1311 | /* disconnect the plane from the fb and crtc: */ |
| 1323 | __drm_framebuffer_unreference(plane->old_fb); | 1312 | drm_framebuffer_unreference(plane->old_fb); |
| 1324 | plane->old_fb = NULL; | 1313 | plane->old_fb = NULL; |
| 1325 | plane->fb = NULL; | 1314 | plane->fb = NULL; |
| 1326 | plane->crtc = NULL; | 1315 | plane->crtc = NULL; |