Starting with commit
commit 28cc504e8d52248962f5b485bdc65f539e3fe21d
Author: Rob Clark <robdclark at gmail.com>
Date: Tue Aug 25 15:36:00 2015 -0400
drm/i915: enable atomic fb-helper
I've been seeing some panics on i915 when the DRM master shuts down that appear
to be caused by using an already-freed framebuffer (i.e., we're unexpectedly
dropping our initial FB's reference count to 0 and freeing it, which causes a
crash when we try to restore it later). Digging deeper, the state FB
refcounting is working as expected, but we seem to be missing proper
refcounting on the legacy plane->fb pointers in the new atomic fbdev code.
Tracking plane->old_fb and then doing a ref/unref at the end of the
fbdev restore like we do in the legacy ioctl's ensures we don't miscount
references on plane->fb and avoids the panics.
Cc: Rob Clark <robdclark at gmail.com>
Cc: intel-gfx at lists.freedesktop.org
Signed-off-by: Matt Roper <matthew.d.roper at intel.com>
---
I don't see any existing bugzilla's (or mailing list complaints) for this,
which surprises me a bit since it seems to be very easy to reproduce for me on
latest drm-intel-nightly running on IVB...boot the system, load X, kill X,
panic.
drivers/gpu/drm/drm_fb_helper.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index 64fc5ca..2149ac7 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -352,6 +352,8 @@ retry:
drm_for_each_plane(plane, dev) {
struct drm_plane_state *plane_state;
+ plane->old_fb = plane->fb;
+
plane_state = drm_atomic_get_plane_state(state, plane);
if (IS_ERR(plane_state)) {
ret = PTR_ERR(plane_state);
@@ -385,6 +387,14 @@ retry:
if (ret != 0)
goto fail;
+ drm_for_each_plane(plane, dev) {
+ if (plane->fb)
+ drm_framebuffer_reference(plane->fb);
+ if (plane->old_fb)
+ drm_framebuffer_unreference(plane->old_fb);
+ plane->old_fb = NULL;
+ }
+
return 0;
fail:
--
2.1.4
