[PATCH] drm: Fixup racy refcounting in plane_force_disable

Matt Roper matthew.d.roper at intel.com
Fri Feb 27 07:04:10 PST 2015 

On Fri, Feb 27, 2015 at 01:03:37PM +0100, Daniel Vetter wrote:
> Originally it was impossible to be dropping the last refcount in this
> function since there was always one around still from the idr. But in
> 
> commit 83f45fc360c8e16a330474860ebda872d1384c8c
> Author: Daniel Vetter <daniel.vetter at ffwll.ch>
> Date:   Wed Aug 6 09:10:18 2014 +0200
> 
>     drm: Don't grab an fb reference for the idr
> 
> we've switched to weak references, broke that assumption but forgot to
> fix it up.
> 
> Since we still force-disable planes it's only possible to hit this
> when racing multiple rmfb with fbdev restoring or similar evil things.
> As long as userspace is nice it's impossible to hit the BUG_ON.
> 
> But the BUG_ON would most likely be hit from fbdev code, which usually
> invovles the console_lock besides all modeset locks. So very likely
> we'd never get the bug reports if this was hit in the wild, hence
> better be safe than sorry and backport.
> 
> Spotted by Matt Roper while reviewing other patches.
> 
> Cc: stable at vger.kernel.org
> Cc: Matt Roper <matthew.d.roper at intel.com>
> Signed-off-by: Daniel Vetter <daniel.vetter at intel.com>

Reviewed-by: Matt Roper <matthew.d.roper at intel.com>

> ---
>  drivers/gpu/drm/drm_crtc.c | 13 +------------
>  1 file changed, 1 insertion(+), 12 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
> index cc548ecd3634..897f51beaadd 100644
> --- a/drivers/gpu/drm/drm_crtc.c
> +++ b/drivers/gpu/drm/drm_crtc.c
> @@ -524,17 +524,6 @@ void drm_framebuffer_reference(struct drm_framebuffer *fb)
>  }
>  EXPORT_SYMBOL(drm_framebuffer_reference);
>  
> -static void drm_framebuffer_free_bug(struct kref *kref)
> -{
> -	BUG();
> -}
> -
> -static void __drm_framebuffer_unreference(struct drm_framebuffer *fb)
> -{
> -	DRM_DEBUG("%p: FB ID: %d (%d)\n", fb, fb->base.id, atomic_read(&fb->refcount.refcount));
> -	kref_put(&fb->refcount, drm_framebuffer_free_bug);
> -}
> -
>  /**
>   * drm_framebuffer_unregister_private - unregister a private fb from the lookup idr
>   * @fb: fb to unregister
> @@ -1319,7 +1308,7 @@ void drm_plane_force_disable(struct drm_plane *plane)
>  		return;
>  	}
>  	/* disconnect the plane from the fb and crtc: */
> -	__drm_framebuffer_unreference(plane->old_fb);
> +	drm_framebuffer_unreference(plane->old_fb);
>  	plane->old_fb = NULL;
>  	plane->fb = NULL;
>  	plane->crtc = NULL;
> -- 
> 2.1.4
> 

-- 
Matt Roper
Graphics Software Engineer
IoTG Platform Enabling & Development
Intel Corporation
(916) 356-2795

More information about the dri-devel mailing list