This is a note to let you know that I've just added the patch titled
drm: Fixup racy refcounting in plane_force_disable
to the 3.19-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
drm-fixup-racy-refcounting-in-plane_force_disable.patch
and it can be found in the queue-3.19 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 8218c3f4df3bb1c637c17552405039a6dd3c1ee1 Mon Sep 17 00:00:00 2001
From: Daniel Vetter <[email protected]>
Date: Fri, 27 Feb 2015 12:58:13 +0100
Subject: drm: Fixup racy refcounting in plane_force_disable
From: Daniel Vetter <[email protected]>
commit 8218c3f4df3bb1c637c17552405039a6dd3c1ee1 upstream.
Originally it was impossible to be dropping the last refcount in this
function since there was always one around still from the idr. But in
commit 83f45fc360c8e16a330474860ebda872d1384c8c
Author: Daniel Vetter <[email protected]>
Date: Wed Aug 6 09:10:18 2014 +0200
drm: Don't grab an fb reference for the idr
we've switched to weak references, broke that assumption but forgot to
fix it up.
Since we still force-disable planes it's only possible to hit this
when racing multiple rmfb with fbdev restoring or similar evil things.
As long as userspace is nice it's impossible to hit the BUG_ON.
But the BUG_ON would most likely be hit from fbdev code, which usually
invovles the console_lock besides all modeset locks. So very likely
we'd never get the bug reports if this was hit in the wild, hence
better be safe than sorry and backport.
Spotted by Matt Roper while reviewing other patches.
[airlied: pull this back into 4.0 - the oops happens there]
Cc: Matt Roper <[email protected]>
Reviewed-by: Matt Roper <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Signed-off-by: Dave Airlie <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
drivers/gpu/drm/drm_crtc.c | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
--- a/drivers/gpu/drm/drm_crtc.c
+++ b/drivers/gpu/drm/drm_crtc.c
@@ -531,17 +531,6 @@ void drm_framebuffer_reference(struct dr
}
EXPORT_SYMBOL(drm_framebuffer_reference);
-static void drm_framebuffer_free_bug(struct kref *kref)
-{
- BUG();
-}
-
-static void __drm_framebuffer_unreference(struct drm_framebuffer *fb)
-{
- DRM_DEBUG("%p: FB ID: %d (%d)\n", fb, fb->base.id,
atomic_read(&fb->refcount.refcount));
- kref_put(&fb->refcount, drm_framebuffer_free_bug);
-}
-
/**
* drm_framebuffer_unregister_private - unregister a private fb from the
lookup idr
* @fb: fb to unregister
@@ -1322,7 +1311,7 @@ void drm_plane_force_disable(struct drm_
return;
}
/* disconnect the plane from the fb and crtc: */
- __drm_framebuffer_unreference(plane->old_fb);
+ drm_framebuffer_unreference(plane->old_fb);
plane->old_fb = NULL;
plane->fb = NULL;
plane->crtc = NULL;
Patches currently in stable-queue which might be from [email protected] are
queue-3.19/drm-i915-align-initial-plane-backing-objects-correctly.patch
queue-3.19/drm-i915-chv-remove-wait-for-a-previous-gfx-force-off.patch
queue-3.19/drm-edid-set-eld-for-firmware-and-debugfs-override-edids.patch
queue-3.19/drm-fixup-racy-refcounting-in-plane_force_disable.patch
queue-3.19/drm-i915-reject-the-colorkey-ioctls-for-primary-and-cursor-planes.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
