[PATCH] drm/fb-helper: Use proper plane mask for fb cleanup

Maarten Lankhorst maarten.lankhorst at linux.intel.com
Tue Dec 22 00:37:28 PST 2015


On 19-12-15 at 02:27, Matt Roper wrote:
> pan_display_atomic() calls drm_atomic_clean_old_fb() to sanitize the
> legacy FB fields (plane->fb and plane->old_fb).  However it was building
> the plane mask to pass to this function incorrectly (the bitwise OR was
> using plane indices rather than plane masks).  The end result was that
> sometimes the legacy pointers would become out of sync with the atomic
> pointers.  If another operation tried to re-set the same FB onto the
> plane, we might end up with the pointers back in sync, but improper
> reference counts, which would eventually lead to system crashes when we
> accessed a pointer to a prematurely-destroyed FB.
>
> The cause here was a very subtle bug introduced in commit:
>
>         commit 07d3bad6c1210bd21e85d084807ef4ee4ac43a78
>         Author: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
>         Date:   Wed Nov 11 11:29:11 2015 +0100
>
>             drm/core: Fix old_fb handling in pan_display_atomic.
>
> I found the crashes were most easily reproduced (on i915 at least) by
> starting X and then VT switching to a VT that wasn't running a console
> instance...the sequence of vt/fbcon entries that happen in that case
> trigger a reference count mismatch and crash the system.
>
> Cc: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> Cc: Daniel Vetter <daniel.vetter at ffwll.ch>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93313
> Signed-off-by: Matt Roper <matthew.d.roper at intel.com>
> ---
>  drivers/gpu/drm/drm_fb_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
> index 69cbab5..1e103c4 100644
> --- a/drivers/gpu/drm/drm_fb_helper.c
> +++ b/drivers/gpu/drm/drm_fb_helper.c
> @@ -1251,7 +1251,7 @@ retry:
>  			goto fail;
>  
>  		plane = mode_set->crtc->primary;
> -		plane_mask |= drm_plane_index(plane);
> +		plane_mask |= (1 << drm_plane_index(plane));
>  		plane->old_fb = plane->fb;
>  	}
>  
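Review bot: on the added line, `1 << drm_plane_index(plane)` shifts a signed int literal, so a plane index of 31 would shift into the sign bit. The declaration of plane_mask is not visible in this hunk, but if it is unsigned, writing `1U << drm_plane_index(plane)` (or using BIT()) keeps the whole expression unsigned. Separately, the commit message names 07d3bad6c121 as the commit that introduced the bug but carries no Fixes: tag for it; adding one would make the regression range explicit for backporters.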

Signed-off-by: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
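
The index-versus-mask mix-up described in the commit message, as an added example that is not part of the patch or the kernel source: a simplified user-space model showing which planes a mask-driven cleanup pass misses when raw indices are ORed together. It omits reference counting; `struct plane`, `build_mask`, `clean_old_fb` and `pan_and_check` are hypothetical stand-ins, and the plane indices are constructed.

```c
#include <stdio.h>
#define NUM_PLANES 4	/* constructed device with four planes */

struct plane { int fb, state_fb, old_fb; };	/* FB ids, 0 = none */

/* use_index = 1 reproduces the pre-patch accumulation (ORs the raw index). */
static unsigned build_mask(const unsigned *idx, int n, int use_index)
{
	unsigned mask = 0;
	for (int i = 0; i < n; i++)
		mask |= use_index ? idx[i] : 1U << idx[i];
	return mask;
}

/* Stand-in for the cleanup pass: resync only the planes selected by mask. */
static void clean_old_fb(struct plane *p, unsigned mask)
{
	for (unsigned i = 0; i < NUM_PLANES; i++) {
		if (!(mask & (1U << i)))
			continue;
		p[i].fb = p[i].state_fb;
		p[i].old_fb = 0;
	}
}

/* Pan planes idx[] to new_fb, clean up, return a bitmap of stale planes. */
static unsigned pan_and_check(const unsigned *idx, int n, int new_fb, int use_index)
{
	struct plane p[NUM_PLANES];
	unsigned stale = 0;
	for (int i = 0; i < NUM_PLANES; i++)
		p[i] = (struct plane){ 1, 1, 0 };	/* all planes start on FB 1 */
	for (int i = 0; i < n; i++) {
		p[idx[i]].old_fb = p[idx[i]].fb;	/* as in the hunk */
		p[idx[i]].state_fb = new_fb;		/* result of the atomic commit */
	}
	clean_old_fb(p, build_mask(idx, n, use_index));
	for (unsigned i = 0; i < NUM_PLANES; i++)
		if (p[i].fb != p[i].state_fb || p[i].old_fb)
			stale |= 1U << i;
	return stale;
}

int main(void)
{
	const unsigned primaries[] = { 0, 2 };	/* constructed plane indices */
	printf("index-OR stale=0x%x, bit-OR stale=0x%x\n",
	       pan_and_check(primaries, 2, 7, 1), pan_and_check(primaries, 2, 7, 0));
	return 0;
}
```

With a single plane at index 0, the index-OR mask is 0, so in this model the cleanup pass touches nothing at all.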


