From patchwork Fri Nov 9 07:39:30 2012
X-Patchwork-Submitter: Inki Dae
X-Patchwork-Id: 1719511
From: Inki Dae
To: airlied@linux.ie, dri-devel@lists.freedesktop.org
Cc: kyungmin.park@samsung.com, sw0312.kim@samsung.com
Subject: [PATCH] drm: fix drm_framebuffer cleanup.
Date: Fri, 09 Nov 2012 16:39:30 +0900
Message-id: <1352446770-28855-1-git-send-email-inki.dae@samsung.com>

This patch fixes an access issue to an invalid memory region.

crtc had only one drm_framebuffer object so when framebuffer cleanup was requested after page flip, it'd try to disable hardware overlay to current crtc. But if current crtc points to another drm_framebuffer, this may induce invalid memory access.

Assume that some applications are doing page flip with two drm_framebuffer objects. At this time, if second drm_framebuffer is set to current crtc and the cleanup to first drm_framebuffer is requested once drm release is requested, then first drm_framebuffer would be cleaned up without disabling hardware overlay because current crtc points to second drm_framebuffer. After that, gem buffer to first drm_framebuffer would be released and this makes dma access an invalid memory region.

This patch adds drm_framebuffer to drm_crtc structure as member and makes drm_framebuffer_cleanup function check if fb->crtc is same as desired fb. And also when setcrtc and pageflip are requested, it makes each drm_framebuffer point to current crtc.

Signed-off-by: Inki Dae
Signed-off-by: Kyungmin Park
---
 drivers/gpu/drm/drm_crtc.c | 7 ++++---
 include/drm/drm_crtc.h | 1 +
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index ef1b221..5c04bd4 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c
@@ -386,7 +386,7 @@ void drm_framebuffer_remove(struct drm_framebuffer *fb) /* remove from any CRTC */ list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) { - if (crtc->fb == fb) { + if (fb->crtc == crtc) { /* should turn off the crtc */ memset(&set, 0, sizeof(struct drm_mode_set)); set.crtc = crtc; @@ -2027,6 +2027,7 @@ int drm_mode_setcrtc(struct drm_device *dev, void *data, set.mode = mode; set.connectors = connector_set; set.num_connectors = crtc_req->count_connectors; + fb->crtc = crtc; set.fb = fb; ret = crtc->funcs->set_config(&set); @@ -3635,8 +3636,8 @@ int drm_mode_page_flip_ioctl(struct drm_device *dev, spin_unlock_irqrestore(&dev->event_lock, flags); kfree(e); } - } - + } else + fb->crtc = crtc; out: mutex_unlock(&dev->mode_config.mutex); return ret; diff --git a/include/drm/drm_crtc.h b/include/drm/drm_crtc.h index 3fa18b7..92889be 100644 --- a/include/drm/drm_crtc.h +++ b/include/drm/drm_crtc.h @@ -256,6 +256,7 @@ struct drm_framebuffer { struct kref refcount; struct list_head head; struct drm_mode_object base; + struct drm_crtc *crtc; const struct drm_framebuffer_funcs *funcs; unsigned int pitches[4]; unsigned int offsets[4];
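
Review bot: In drm_framebuffer_remove(), the new test "if (fb->crtc == crtc)" can match at most one CRTC per framebuffer, because fb->crtc is a single pointer, so a framebuffer that has been set on two CRTCs is cleaned up with one of them never turned off. Nothing in this patch clears fb->crtc either, so after a flip away from fb the pointer is stale and this branch turns off a CRTC whose crtc->fb is a different framebuffer. Consider keeping the "crtc->fb == fb" test and solving the lifetime problem with the existing "struct kref refcount" in drm_framebuffer, with the CRTC holding a reference for as long as the hardware reads from the buffer.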
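
Review bot: In drm_mode_setcrtc(), "fb->crtc = crtc;" is written before crtc->funcs->set_config(&set) runs and is not undone when ret is non-zero, so a failed modeset leaves the framebuffer recorded against a CRTC it was never shown on. Move the assignment after the call and make it conditional on ret == 0. The line also dereferences fb unconditionally; a drm_mode_set with a NULL fb is a valid request (the first hunk turns a CRTC off with a zeroed set), so if fb can be NULL on this path the assignment needs a NULL check.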
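
Review bot: The "} else" followed by an unbraced "fb->crtc = crtc;" at the end of drm_mode_page_flip_ioctl() goes against kernel coding style, which wants braces on both branches when either branch has them, and the hunk also drops the blank line before the "out:" label. Write it as "} else {", the assignment, "}" and keep the blank line. The framebuffer that was displayed before the flip keeps its crtc pointer after a successful flip; if that is intended for the cleanup path, say so in a comment here, otherwise clear it.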
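
Review bot: The new member "struct drm_crtc *crtc;" in struct drm_framebuffer has no comment saying what it records or which lock protects it. Document that it is the CRTC the framebuffer was last set or flipped onto, and state whether dev->mode_config.mutex (held in the page flip path) must be held by every reader and writer, including drm_framebuffer_remove(). The commit message also describes the change the other way round ("adds drm_framebuffer to drm_crtc structure as member") while this hunk adds a drm_crtc pointer to drm_framebuffer; the two should agree.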