From patchwork Sat Oct 11 23:01:18 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Russell King <rmk+kernel@arm.linux.org.uk>
X-Patchwork-Id: 5071181
Return-Path: <dri-devel-bounces@lists.freedesktop.org>
X-Original-To: patchwork-dri-devel@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 97ED7C11AC
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Sun, 12 Oct 2014 15:53:42 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id C10652017A
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Sun, 12 Oct 2014 15:53:41 +0000 (UTC)
Received: from gabe.freedesktop.org (gabe.freedesktop.org [131.252.210.177])
	by mail.kernel.org (Postfix) with ESMTP id AE074201BC
	for <patchwork-dri-devel@patchwork.kernel.org>;
	Sun, 12 Oct 2014 15:53:40 +0000 (UTC)
Received: from gabe.freedesktop.org (localhost [127.0.0.1])
	by gabe.freedesktop.org (Postfix) with ESMTP id A134889E36;
	Sun, 12 Oct 2014 08:53:38 -0700 (PDT)
X-Original-To: dri-devel@lists.freedesktop.org
Delivered-To: dri-devel@lists.freedesktop.org
X-Greylist: delayed 303 seconds by postgrey-1.34 at gabe;
	Sat, 11 Oct 2014 16:06:32 PDT
Received: from pandora.arm.linux.org.uk (gw-1.arm.linux.org.uk
	[78.32.30.217])
	by gabe.freedesktop.org (Postfix) with ESMTP id 658C089B0D
	for <dri-devel@lists.freedesktop.org>;
	Sat, 11 Oct 2014 16:06:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=arm.linux.org.uk; s=pandora-2014;
	h=Date:Sender:Message-Id:Content-Type:Content-Transfer-Encoding:MIME-Version:Subject:Cc:To:From;
	bh=j0f+NHEXranyWLyW0a5XCAR7dF/qvXRn0izSsi0ZUtk=;
	b=f8ZfFXJz3ZFOSrYOYbnRjVuTLMNdZ3gIvv7slluVUUTw/AiSBAg6kHMiUgS4iZLsrubKUWoXN2ITB8HGs53inSuBOqKd6KzrHT2pmbIElTSVXYASakKuPvpq7LsQGTFV4hj1Tf3ABUfsiJJjbWGZnRw5vDNRNBfdcKZACuzaBz4=;
Received: from e0022681537dd.dyn.arm.linux.org.uk
	([fd8f:7570:feb6:1:222:68ff:fe15:37dd]:47860
	helo=rmk-PC.arm.linux.org.uk)
	by pandora.arm.linux.org.uk with esmtpsa
	(TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.82_1-5b7a7c0-XX) (envelope-from <rmk@arm.linux.org.uk>)
	id 1Xd5f6-0005kx-9j; Sun, 12 Oct 2014 00:01:20 +0100
Received: from rmk by rmk-PC.arm.linux.org.uk with local (Exim 4.76)
	(envelope-from <rmk@arm.linux.org.uk>)
	id 1Xd5f4-0005K2-VO; Sun, 12 Oct 2014 00:01:19 +0100
From: Russell King <rmk+kernel@arm.linux.org.uk>
To: Daniel Vetter <daniel@ffwll.ch>
Subject: [PATCH 1/2] drm/armada: fix page_flip refcounting leak
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <E1Xd5f4-0005K2-VO@rmk-PC.arm.linux.org.uk>
Date: Sun, 12 Oct 2014 00:01:18 +0100
X-Mailman-Approved-At: Sun, 12 Oct 2014 08:53:35 -0700
Cc: dri-devel@lists.freedesktop.org
X-BeenThere: dri-devel@lists.freedesktop.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Direct Rendering Infrastructure - Development
	<dri-devel.lists.freedesktop.org>
List-Unsubscribe: <http://lists.freedesktop.org/mailman/options/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=unsubscribe>
List-Archive: <http://lists.freedesktop.org/archives/dri-devel>
List-Post: <mailto:dri-devel@lists.freedesktop.org>
List-Help: <mailto:dri-devel-request@lists.freedesktop.org?subject=help>
List-Subscribe: <http://lists.freedesktop.org/mailman/listinfo/dri-devel>,
	<mailto:dri-devel-request@lists.freedesktop.org?subject=subscribe>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED, T_DKIM_INVALID, T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

A refcounting leak was found of the original frame buffer attached to
the CRTC when using the page_flip ioctl, resulting in the frame buffer
never being freed.

This was not obvious initially, as if the page flip subsequently
re-attaches the original frame buffer, the refcounts will be balanced.
However, if the original frame buffer is freed, then it will be leaked.

Fix this by ensuring that we take a reference on the incoming fb, but
rely on the queued work to drop that ref count.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
---
 drivers/gpu/drm/armada/armada_crtc.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/armada/armada_crtc.c b/drivers/gpu/drm/armada/armada_crtc.c
index 1f0875c26dc5..ac2d73f4af45 100644
--- a/drivers/gpu/drm/armada/armada_crtc.c
+++ b/drivers/gpu/drm/armada/armada_crtc.c
@@ -945,18 +945,15 @@ static int armada_drm_crtc_page_flip(struct drm_crtc *crtc,
 	armada_reg_queue_end(work->regs, i);
 
 	/*
-	 * Hold the old framebuffer for the work - DRM appears to drop our
-	 * reference to the old framebuffer in drm_mode_page_flip_ioctl().
+	 * Ensure that we hold a reference on the new framebuffer.
+	 * This has to match the behaviour in mode_set.
 	 */
-	drm_framebuffer_reference(work->old_fb);
+	drm_framebuffer_reference(fb);
 
 	ret = armada_drm_crtc_queue_frame_work(dcrtc, work);
 	if (ret) {
-		/*
-		 * Undo our reference above; DRM does not drop the reference
-		 * to this object on error, so that's okay.
-		 */
-		drm_framebuffer_unreference(work->old_fb);
+		/* Undo our reference above */
+		drm_framebuffer_unreference(fb);
 		kfree(work);
 		return ret;
 	}