Message ID | 1450488421-5771-1-git-send-email-matthew.d.roper@intel.com (mailing list archive) |
---|---|
State | New, archived |
On Fri, Dec 18, 2015 at 05:27:01PM -0800, Matt Roper wrote:
> pan_display_atomic() calls drm_atomic_clean_old_fb() to sanitize the
> legacy FB fields (plane->fb and plane->old_fb). However it was building
> the plane mask to pass to this function incorrectly (the bitwise OR was
> using plane indices rather than plane masks). The end result was that
> sometimes the legacy pointers would become out of sync with the atomic
> pointers. If another operation tried to re-set the same FB onto the
> plane, we might end up with the pointers back in sync, but improper
> reference counts, which would eventually lead to system crashes when we
> accessed a pointer to a prematurely-destroyed FB.
>
> The cause here was a very subtle bug introduced in commit:
>
> commit 07d3bad6c1210bd21e85d084807ef4ee4ac43a78
> Author: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Date: Wed Nov 11 11:29:11 2015 +0100
>
> drm/core: Fix old_fb handling in pan_display_atomic.
>
> I found the crashes were most easily reproduced (on i915 at least) by
> starting X and then VT switching to a VT that wasn't running a console
> instance...the sequence of vt/fbcon entries that happen in that case
> trigger a reference count mismatch and crash the system.
>
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93313
> Signed-off-by: Matt Roper <matthew.d.roper@intel.com>

Applied to drm-misc, thanks.
-Daniel

> --- > drivers/gpu/drm/drm_fb_helper.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c > index 69cbab5..1e103c4 100644 > --- a/drivers/gpu/drm/drm_fb_helper.c > +++ b/drivers/gpu/drm/drm_fb_helper.c
> @@ -1251,7 +1251,7 @@ retry: > goto fail; > > plane = mode_set->crtc->primary; > - plane_mask |= drm_plane_index(plane); > + plane_mask |= (1 << drm_plane_index(plane)); > plane->old_fb = plane->fb; > } > > -- > 2.1.4
On 19-12-15 at 02:27, Matt Roper wrote:
> pan_display_atomic() calls drm_atomic_clean_old_fb() to sanitize the
> legacy FB fields (plane->fb and plane->old_fb). However it was building
> the plane mask to pass to this function incorrectly (the bitwise OR was
> using plane indices rather than plane masks). The end result was that
> sometimes the legacy pointers would become out of sync with the atomic
> pointers. If another operation tried to re-set the same FB onto the
> plane, we might end up with the pointers back in sync, but improper
> reference counts, which would eventually lead to system crashes when we
> accessed a pointer to a prematurely-destroyed FB.
>
> The cause here was a very subtle bug introduced in commit:
>
> commit 07d3bad6c1210bd21e85d084807ef4ee4ac43a78
> Author: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Date: Wed Nov 11 11:29:11 2015 +0100
>
> drm/core: Fix old_fb handling in pan_display_atomic.
>
> I found the crashes were most easily reproduced (on i915 at least) by
> starting X and then VT switching to a VT that wasn't running a console
> instance...the sequence of vt/fbcon entries that happen in that case
> trigger a reference count mismatch and crash the system.
>
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93313
> Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
> --- > drivers/gpu/drm/drm_fb_helper.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c > index 69cbab5..1e103c4 100644 > --- a/drivers/gpu/drm/drm_fb_helper.c > +++ b/drivers/gpu/drm/drm_fb_helper.c > @@ -1251,7 +1251,7 @@ retry: > goto fail; > > plane = mode_set->crtc->primary; > - plane_mask |= drm_plane_index(plane); > + plane_mask |= (1 << drm_plane_index(plane)); > plane->old_fb = plane->fb; > }
> Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c index 69cbab5..1e103c4 100644 --- a/drivers/gpu/drm/drm_fb_helper.c +++ b/drivers/gpu/drm/drm_fb_helper.c @@ -1251,7 +1251,7 @@ retry: goto fail; plane = mode_set->crtc->primary; - plane_mask |= drm_plane_index(plane); + plane_mask |= (1 << drm_plane_index(plane)); plane->old_fb = plane->fb; }
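Review bot: On the added line "plane_mask |= (1 << drm_plane_index(plane));" the literal 1 is a signed int, so the shift is only well-defined while the plane index stays below 31; writing it as 1U << drm_plane_index(plane), or BIT(drm_plane_index(plane)), keeps the mask arithmetic unsigned. The outer parentheses around the shift are redundant. Since the commit message identifies 07d3bad6c1210bd21e85d084807ef4ee4ac43a78 as the commit that introduced the bug, a Fixes: tag naming it would tie this one-line change to that commit for anyone backporting it, which matters here because the described failure is an access to a prematurely-destroyed FB.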
pan_display_atomic() calls drm_atomic_clean_old_fb() to sanitize the
legacy FB fields (plane->fb and plane->old_fb). However it was building
the plane mask to pass to this function incorrectly (the bitwise OR was
using plane indices rather than plane masks). The end result was that
sometimes the legacy pointers would become out of sync with the atomic
pointers. If another operation tried to re-set the same FB onto the
plane, we might end up with the pointers back in sync, but improper
reference counts, which would eventually lead to system crashes when we
accessed a pointer to a prematurely-destroyed FB.

The cause here was a very subtle bug introduced in commit:

commit 07d3bad6c1210bd21e85d084807ef4ee4ac43a78
Author: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Date: Wed Nov 11 11:29:11 2015 +0100

drm/core: Fix old_fb handling in pan_display_atomic.

I found the crashes were most easily reproduced (on i915 at least) by
starting X and then VT switching to a VT that wasn't running a console
instance...the sequence of vt/fbcon entries that happen in that case
trigger a reference count mismatch and crash the system.

Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=93313
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
---
drivers/gpu/drm/drm_fb_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)