[PATCH] drm/fb-helper: Use proper plane mask for fb cleanup

Daniel Vetter daniel at ffwll.ch
Mon Dec 21 00:55:57 PST 2015


On Fri, Dec 18, 2015 at 05:27:01PM -0800, Matt Roper wrote:
> pan_display_atomic() calls drm_atomic_clean_old_fb() to sanitize the
> legacy FB fields (plane->fb and plane->old_fb).  However it was building
> the plane mask to pass to this function incorrectly (the bitwise OR was
> using plane indices rather than plane masks).  The end result was that
> sometimes the legacy pointers would become out of sync with the atomic
> pointers.  If another operation tried to re-set the same FB onto the
> plane, we might end up with the pointers back in sync, but improper
> reference counts, which would eventually lead to system crashes when we
> accessed a pointer to a prematurely-destroyed FB.
> 
> The cause here was a very subtle bug introduced in commit:
> 
>         commit 07d3bad6c1210bd21e85d084807ef4ee4ac43a78
>         Author: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
>         Date:   Wed Nov 11 11:29:11 2015 +0100
> 
>             drm/core: Fix old_fb handling in pan_display_atomic.
> 
> I found the crashes were most easily reproduced (on i915 at least) by
> starting X and then VT switching to a VT that wasn't running a console
> instance...the sequence of vt/fbcon entries that happen in that case
> trigger a reference count mismatch and crash the system.
> 
> Cc: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93313
> Signed-off-by: Matt Roper <matthew.d.roper at intel.com>

Applied to drm-misc, thanks.
-Daniel

> ---
>  drivers/gpu/drm/drm_fb_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
> index 69cbab5..1e103c4 100644
> --- a/drivers/gpu/drm/drm_fb_helper.c
> +++ b/drivers/gpu/drm/drm_fb_helper.c
> @@ -1251,7 +1251,7 @@ retry:
>  			goto fail;
>  
>  		plane = mode_set->crtc->primary;
> -		plane_mask |= drm_plane_index(plane);
> +		plane_mask |= (1 << drm_plane_index(plane));
>  		plane->old_fb = plane->fb;
>  	}
>  
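Review bot: On the added line `plane_mask |= (1 << drm_plane_index(plane));` the literal `1` is a signed int, so the shift is evaluated in signed arithmetic. Writing `1U << drm_plane_index(plane)` or `BIT(drm_plane_index(plane))` keeps the shift unsigned for any plane index up to 31. Since the index-versus-mask mix-up was subtle enough to slip in once, a short comment where plane_mask is built, or a small helper that returns the mask bit for a plane, would make it clear that drm_atomic_clean_old_fb() expects bits rather than indices.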
> -- 
> 2.1.4
> 

-- 
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
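The effect of OR-ing plane indices instead of plane masks, as described in the commit message, shown as an added example that is not part of the patch or of the kernel source. `toy_plane`, `clean_planes` and `stale_after_cleanup` are hypothetical names, the cleanup loop is a simplified stand-in for a per-plane walk over a mask, and the plane indices are constructed.

```c
#include <stdio.h>

#define NPLANES 4

/* Constructed stand-in for the legacy FB bookkeeping; not struct drm_plane. */
struct toy_plane {
    int old_fb_pending;   /* set when old_fb was stashed before the commit */
};

/* Walk the mask the way a per-plane cleanup would: bit i selects plane i. */
static void clean_planes(struct toy_plane *planes, unsigned plane_mask)
{
    for (unsigned i = 0; i < NPLANES; i++)
        if (plane_mask & (1U << i))
            planes[i].old_fb_pending = 0;
}

/* Build the mask for the given plane indices (each must be < NPLANES),
 * either the buggy way (OR of indices) or the fixed way (OR of bits),
 * run the cleanup, and return a bitmask of planes left stale. */
static unsigned stale_after_cleanup(const unsigned *idx, unsigned n, int fixed)
{
    struct toy_plane planes[NPLANES] = {{0}};
    unsigned plane_mask = 0;
    unsigned stale = 0;

    for (unsigned k = 0; k < n; k++) {
        plane_mask |= fixed ? (1U << idx[k]) : idx[k];
        planes[idx[k]].old_fb_pending = 1;
    }
    clean_planes(planes, plane_mask);

    for (unsigned i = 0; i < NPLANES; i++)
        if (planes[i].old_fb_pending)
            stale |= 1U << i;
    return stale;
}

int main(void)
{
    const unsigned idx[] = {0, 2};   /* constructed primary-plane indices */

    printf("buggy: stale=0x%x\n", stale_after_cleanup(idx, 2, 0));
    printf("fixed: stale=0x%x\n", stale_after_cleanup(idx, 2, 1));
    return 0;
}
```

With indices 0 and 2 the buggy mask is `0 | 2 = 0x2`, which selects plane 1 and skips both planes that actually need cleanup; a plane at index 0 is never selected at all.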

