[Intel-gfx] [PATCH] drm/fbdev: Update legacy plane->fb refcounting for atomic restore

Matt Roper matthew.d.roper at intel.com
Mon Sep 21 17:21:48 PDT 2015


Starting with commit

        commit 28cc504e8d52248962f5b485bdc65f539e3fe21d
        Author: Rob Clark <robdclark at gmail.com>
        Date:   Tue Aug 25 15:36:00 2015 -0400

            drm/i915: enable atomic fb-helper

I've been seeing some panics on i915 when the DRM master shuts down that appear
to be caused by using an already-freed framebuffer (i.e., we're unexpectedly
dropping our initial FB's reference count to 0 and freeing it, which causes a
crash when we try to restore it later).  Digging deeper, the state FB
refcounting is working as expected, but we seem to be missing proper
refcounting on the legacy plane->fb pointers in the new atomic fbdev code.

Tracking plane->old_fb and then doing a ref/unref at the end of the
fbdev restore like we do in the legacy ioctl's ensures we don't miscount
references on plane->fb and avoids the panics.

Cc: Rob Clark <robdclark at gmail.com>
Cc: intel-gfx at lists.freedesktop.org
Signed-off-by: Matt Roper <matthew.d.roper at intel.com>
---
I don't see any existing bugzilla's (or mailing list complaints) for this,
which surprises me a bit since it seems to be very easy to reproduce for me on
latest drm-intel-nightly running on IVB...boot the system, load X, kill X,
panic.

 drivers/gpu/drm/drm_fb_helper.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index 64fc5ca..2149ac7 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -352,6 +352,8 @@ retry:
 	drm_for_each_plane(plane, dev) {
 		struct drm_plane_state *plane_state;
 
+		plane->old_fb = plane->fb;
+
 		plane_state = drm_atomic_get_plane_state(state, plane);
 		if (IS_ERR(plane_state)) {
 			ret = PTR_ERR(plane_state);
@@ -385,6 +387,14 @@ retry:
 	if (ret != 0)
 		goto fail;
 
+	drm_for_each_plane(plane, dev) {
+		if (plane->fb)
+			drm_framebuffer_reference(plane->fb);
+		if (plane->old_fb)
+			drm_framebuffer_unreference(plane->old_fb);
+		plane->old_fb = NULL;
+	}
+
 	return 0;
 
 fail:
-- 
2.1.4



More information about the Intel-gfx mailing list