Commit Graph

17 Commits

Author SHA1 Message Date
Gabriel Krisman Bertazi
c0411316ab drm: bochs: Prevent double-free of fb helper
If fbdev registration fails for whatever reason, the error path of
bochs_fbdev_init() will call bochs_fbdev_fini(), but since an fbdev
initialization error is not fatal to the probe function, a subsequent
device removal will try to call bochs_fbdev_fini() again, hitting the
Oops below.

This was detected by 0-day with a failing framebuffer registration and
CONFIG_DEBUG_TEST_DRIVER_REMOVE=y.  This reproduces the scenario I
mentioned above at insmod time, because the test attempts to remove the
device right after probing.

root@debian:~# insmod bochs-drm.ko
[   17.609635] [drm] Found bochs VGA, ID 0xb0c0.
[   17.612974] [drm] Framebuffer size 16384 kB @ 0xfa000000, mmio @ 0xfebf2000.
[   17.613938] [TTM] Zone  kernel: Available graphics memory: 1022244 kiB
[   17.614701] [TTM] Initializing pool allocator
[   17.615427] [TTM] Initializing DMA pool allocator
[   17.619143] fbcon: bochsdrmfb (fb0) is primary device
[   17.619428] Console: switching to colour frame buffer device 128x48
[   17.621047] bochs-drm 0000:00:02.0: fb0: bochsdrmfb frame buffer device
[   17.641111] [drm] Initialized bochs-drm 1.0.0 20130925 for 0000:00:02.0 on minor 0
[   17.642380] general protection fault: 0000 [#1] SMP
[   17.642985] Modules linked in: bochs_drm(+)
[   17.643259] CPU: 4 PID: 3279 Comm: insmod Tainted: G        W       4.11.0-rc1+ #119
[   17.643259] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
[   17.643259] task: ffff88007af35e00 task.stack: ffffc90000d84000
[   17.643259] RIP: 0010:drm_fb_helper_fini+0x8e/0x110
[   17.643259] RSP: 0018:ffffc90000d87ad0 EFLAGS: 00010202
[   17.643259] RAX: dead000000000200 RBX: ffff8800790d5770 RCX: 0000000000000000
[   17.652101] RDX: dead000000000100 RSI: 000000007fffffff RDI: ffffffff81eaf820
[   17.652101] RBP: ffffc90000d87ae0 R08: 0000000000000000 R09: ffff88007271d918
[   17.652101] R10: ffffc90000d87a88 R11: 0000000000000000 R12: 0000000000000000
[   17.652101] R13: ffff8800790d56d0 R14: 0000000000000000 R15: 0000000000000000
[   17.652101] FS:  00007f9285995700(0000) GS:ffff88007cf00000(0000) knlGS:0000000000000000
[   17.652101] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   17.652101] CR2: 0000564f1cf9f1e8 CR3: 0000000079686000 CR4: 00000000000006e0
[   17.652101] Call Trace:
[   17.652101]  bochs_fbdev_fini+0x24/0x90 [bochs_drm]
[   17.652101]  bochs_unload+0x16/0x50 [bochs_drm]
[   17.652101]  drm_dev_unregister+0x37/0xd0
[   17.652101]  drm_put_dev+0x31/0x60
[   17.652101]  bochs_pci_remove+0x10/0x20 [bochs_drm]
[   17.652101]  pci_device_remove+0x34/0xb0
[   17.652101]  driver_probe_device+0xd0/0x370
[   17.652101]  __driver_attach+0x96/0xa0
[   17.652101]  ? driver_probe_device+0x370/0x370
[   17.652101]  bus_for_each_dev+0x5b/0x90
[   17.652101]  driver_attach+0x19/0x20
[   17.652101]  bus_add_driver+0x11c/0x220
[   17.652101]  driver_register+0x5b/0xd0
[   17.652101]  ? 0xffffffffa0006000
[   17.652101]  __pci_register_driver+0x47/0x50
[   17.652101]  drm_pci_init+0xe1/0xf0
[   17.652101]  ? 0xffffffffa0006000
[   17.652101]  bochs_init+0x3c/0x1000 [bochs_drm]
[   17.652101]  do_one_initcall+0x3e/0x180
[   17.652101]  ? kmem_cache_alloc_trace+0x33/0x150
[   17.652101]  do_init_module+0x5a/0x1eb
[   17.652101]  load_module+0x1ea0/0x2650
[   17.652101]  ? __symbol_put+0x40/0x40
[   17.652101]  ? kernel_read_file+0x19e/0x1c0
[   17.652101]  ? kernel_read_file_from_fd+0x44/0x70
[   17.652101]  SYSC_finit_module+0xba/0xc0
[   17.652101]  SyS_finit_module+0x9/0x10
[   17.652101]  entry_SYSCALL_64_fastpath+0x1a/0xa9
[   17.652101] RIP: 0033:0x7f92854da119
[   17.652101] RSP: 002b:00007ffcd0390498 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[   17.652101] RAX: ffffffffffffffda RBX: 00007f928578eb58 RCX: 00007f92854da119
[   17.652101] RDX: 0000000000000000 RSI: 0000564f1c8bd638 RDI: 0000000000000003
[   17.652101] RBP: 000000000000270e R08: 0000000000000000 R09: 00007f9285790ea0
[   17.652101] R10: 0000000000000003 R11: 0000000000000246 R12: 00007f928578eb58
[   17.652101] R13: 0000000000001020 R14: 0000564f1cf9e1c0 R15: 00007f928578eb00
[   17.652101] Code: c7 20 f8 ea 81 e8 b3 3e 50 00 48 8b 83 d0 00 00 00 48 8d 93 d0 00 00 00 48 39 c2 74 46 48 8b 83 d8 00 00 00 48 8b 93 d0 00 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 0000 ad de 48 89 83 d0
[   17.652101] RIP: drm_fb_helper_fini+0x8e/0x110 RSP: ffffc90000d87ad0
[   17.653331] ---[ end trace 542fd75a2e60a6a4 ]---

Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Link: http://patchwork.freedesktop.org/patch/msgid/20170324045444.11912-1-krisman@collabora.co.uk
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-03-27 10:34:52 +02:00
Gabriel Krisman Bertazi
4fa13dbe8c drm: bochs: Don't remove uninitialized fbdev framebuffer
In the same spirit of the fix for QXL in commit 861078381b ("drm: qxl:
Don't alloc fbdev if emulation is not supported"), prevent the Oops in
the unbind path of Bochs if fbdev emulation is disabled.

[  112.176009] Oops: 0002 [#1] SMP
[  112.176009] Modules linked in: bochs_drm
[  112.176009] CPU: 0 PID: 3002 Comm: bash Not tainted 4.11.0-rc1+ #111
[  112.176009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-20161025_171302-gandalf 04/01/2014
[  112.176009] task: ffff8800743bbac0 task.stack: ffffc90000b5c000
[  112.176009] RIP: 0010:mutex_lock+0x18/0x30
[  112.176009] RSP: 0018:ffffc90000b5fc78 EFLAGS: 00010246
[  112.176009] RAX: 0000000000000000 RBX: 0000000000000260 RCX: 0000000000000000
[  112.176009] RDX: ffff8800743bbac0 RSI: ffff8800787176e0 RDI: 0000000000000260
[  112.176009] RBP: ffffc90000b5fc80 R08: ffffffff00000000 R09: 00000000ffffffff
[  112.176009] R10: ffff88007b463650 R11: 0000000000000000 R12: 0000000000000260
[  112.176009] R13: ffff8800787176e0 R14: ffffffffa0003068 R15: 0000000000000060
[  112.176009] FS:  00007f20564c7b40(0000) GS:ffff88007ce00000(0000) knlGS:0000000000000000
[  112.176009] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  112.176009] CR2: 0000000000000260 CR3: 000000006b89c000 CR4: 00000000000006f0
[  112.176009] Call Trace:
[  112.176009]  drm_mode_object_unregister+0x1e/0x50
[  112.176009]  drm_framebuffer_unregister_private+0x15/0x20
[  112.176009]  bochs_fbdev_fini+0x57/0x70 [bochs_drm]
[  112.176009]  bochs_unload+0x16/0x50 [bochs_drm]
[  112.176009]  drm_dev_unregister+0x37/0xd0
[  112.176009]  drm_put_dev+0x31/0x60
[  112.176009]  bochs_pci_remove+0x10/0x20 [bochs_drm]
[  112.176009]  pci_device_remove+0x34/0xb0
[  112.176009]  device_release_driver_internal+0x150/0x200
[  112.176009]  device_release_driver+0xd/0x10
[  112.176009]  unbind_store+0x108/0x150
[  112.176009]  drv_attr_store+0x20/0x30
[  112.176009]  sysfs_kf_write+0x32/0x40
[  112.176009]  kernfs_fop_write+0x10b/0x190
[  112.176009]  __vfs_write+0x23/0x120
[  112.176009]  ? security_file_permission+0x36/0xb0
[  112.176009]  ? rw_verify_area+0x49/0xb0
[  112.176009]  vfs_write+0xb0/0x190
[  112.176009]  SyS_write+0x41/0xa0
[  112.176009]  entry_SYSCALL_64_fastpath+0x1a/0xa9
[  112.176009] RIP: 0033:0x7f2055bd5620
[  112.176009] RSP: 002b:00007ffed2f487d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  112.176009] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f2055bd5620
[  112.176009] RDX: 000000000000000d RSI: 0000000000ee0008 RDI: 0000000000000001
[  112.176009] RBP: 0000000000000001 R08: 00007f2055e94760 R09: 00007f20564c7b40
[  112.176009] R10: 0000000000000073 R11: 0000000000000246 R12: 0000000000000000
[  112.176009] R13: 00007ffed2f48d70 R14: 0000000000000000 R15: 0000000000000000
[  112.176009] Code: 00 00 00 55 be 02 00 00 00 48 89 e5 e8 62 fb ff ff 5d c3 55 48 89 e5 53 48 89 fb e8 53 e9 ff ff 65 48 8b 14 25 40 c4 00 00 31 c0 <f0> 48 0f b1 13 48 85 c0 74 08 48 89 df e8c6 ff ff ff 5b 5d c3
[  112.176009] RIP: mutex_lock+0x18/0x30 RSP: ffffc90000b5fc78
[  112.176009] CR2: 0000000000000260
[  112.205622] ---[ end trace 76189cd7a9bdd155 ]---

Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Link: http://patchwork.freedesktop.org/patch/msgid/20170317181409.4183-1-krisman@collabora.co.uk
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2017-03-20 10:51:39 +01:00
Daniel Vetter
da7bdda2af drm/fb-helper: Automatically clean up fb_info
Noticed that everyone duplicates the same logic here and we could safe
a few lines per driver. Yay for lots of drivers to make such tiny
refactors worth-while!

v2: Forgot to git add everything :(

v3: Actually remove release_fbi (Sean, Emil, Chris) ...

Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Noralf Trønnes <noralf@tronnes.org>
Cc: Emil Velikov <emil.l.velikov@gmail.com>
Reviewed-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170207161603.17611-1-daniel.vetter@ffwll.ch
2017-02-07 21:36:28 +01:00
Gabriel Krisman Bertazi
e4563f6ba7 drm: Rely on mode_config data for fb_helper initialization
Instead of receiving the num_crts as a parameter, we can read it
directly from the mode_config structure.  I audited the drivers that
invoke this helper and I believe all of them initialize the mode_config
struct accordingly, prior to calling the fb_helper.

I used the following coccinelle hack to make this transformation, except
for the function headers and comment updates.  The first and second
rules are split because I couldn't find a way to remove the unused
temporary variables at the same time I removed the parameter.

// <smpl>
@r@
expression A,B,D,E;
identifier C;
@@
(
- drm_fb_helper_init(A,B,C,D)
+ drm_fb_helper_init(A,B,D)
|
- drm_fbdev_cma_init_with_funcs(A,B,C,D,E)
+ drm_fbdev_cma_init_with_funcs(A,B,D,E)
|
- drm_fbdev_cma_init(A,B,C,D)
+ drm_fbdev_cma_init(A,B,D)
)

@@
expression A,B,C,D,E;
@@
(
- drm_fb_helper_init(A,B,C,D)
+ drm_fb_helper_init(A,B,D)
|
- drm_fbdev_cma_init_with_funcs(A,B,C,D,E)
+ drm_fbdev_cma_init_with_funcs(A,B,D,E)
|
- drm_fbdev_cma_init(A,B,C,D)
+ drm_fbdev_cma_init(A,B,D)
)

@@
identifier r.C;
type T;
expression V;
@@
- T C;
<...
when != C
- C = V;
...>
// </smpl>

Changes since v1:
 - Rebased on top of the tip of drm-misc-next.
 - Remove mention to sti since a proper fix got merged.

Suggested-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20170202162640.27261-1-krisman@collabora.co.uk
2017-02-02 19:12:00 +01:00
Ville Syrjälä
b00c600e91 drm: Nuke fb->depth
Replace uses of fb->depth with fb->format->depth. Less duplicate
information is a good thing.

@@
struct drm_framebuffer *fb;
expression E;
@@
 drm_helper_mode_fill_fb_struct(...) {
	...
-	fb->depth = E;
	...
 }

@@
struct nouveau_framebuffer *fb;
@@
- fb->base.depth
+ fb->base.format->depth

@@
struct drm_framebuffer fb;
@@
- fb.depth
+ fb.format->depth

@@
struct drm_framebuffer *fb;
@@
- fb->depth
+ fb->format->depth

@@
struct drm_framebuffer fb;
@@
- (fb.format->depth)
+ fb.format->depth

@@
struct drm_framebuffer *fb;
@@
- (fb->format->depth)
+ fb->format->depth

@@
@@
 struct drm_framebuffer {
	 ...
-	 unsigned int depth;
	 ...
 };

v2: Drop the vmw stuff (Daniel)
    Rerun spatch due to code changes

Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1481751095-18249-1-git-send-email-ville.syrjala@linux.intel.com
2016-12-15 14:55:33 +02:00
Stefan Christ
d4d938c9bd drm/bochs: use DRM_FB_HELPER_DEFAULT_OPS for fb_ops
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Christ <contact@stefanchrist.eu>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1479078208-25221-6-git-send-email-contact@stefanchrist.eu
2016-11-14 07:54:38 +01:00
Christian König
dfd5e50ea4 drm/ttm: remove use_ticket parameter from ttm_bo_reserve
Not used any more.

Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2016-05-04 20:21:21 -04:00
Daniel Vetter
bd983323e6 drm/bochs: Drop fake gamma support
Only really needed for fbdev emulation at 8bpp. And bochs doesn't do
that. And either way bochs only does 32bit rgb, so this is all pretty
much wasted dead code.

The only consideration is that we need to not set up any gamma size
either.

Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1459331485-28376-5-git-send-email-daniel.vetter@ffwll.ch
2016-04-12 13:14:08 +02:00
Ville Syrjälä
1eb83451ba drm: Pass the user drm_mode_fb_cmd2 as const to .fb_create()
Drivers shouldn't clobber the passed in addfb ioctl parameters.
i915 was doing just that. To prevent it from happening again,
pass the struct around as const, starting all the way from
internal_framebuffer_create().

Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2015-11-24 11:47:38 +01:00
Archit Taneja
6a752972a3 drm/bochs: Use new drm_fb_helper functions
Use the newly created wrapper drm_fb_helper functions instead of calling
core fbdev functions directly. They also simplify the fb_info creation.

v3:
- Don't touch remove_conflicting_framebuffers

v2:
- remove unused variable device in bochsfb_create

Cc: David Airlie <airlied@linux.ie>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>

Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2015-08-06 14:13:06 +02:00
Thierry Reding
01934c2a69 drm/fb-helper: Propagate errors from initial config failure
Make drm_fb_helper_initial_config() return an int rather than a bool so
that the error can be properly propagated. While at it, update drivers
to propagate errors further rather than just ignore them.

v2:
- cirrus: No cleanup is required, the top-level cirrus_driver_load()
  will do it as part of cirrus_driver_unload() in its cleanup path.
  Reported-by: Fengguang Wu <fengguang.wu@intel.com>

Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Cc: Rob Clark <robdclark@gmail.com>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Christian König <christian.koenig@amd.com>
Cc: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
[danvet: Squash in simplification patch from kbuild.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2015-01-21 14:57:03 +01:00
Gerd Hoffmann
49b70a31c1 bochs: fix bochsdrmfb mmap
Remove the mapping offset from the bo backing the fbdev framebuffer.
Wire up fbdev mmap function to map the backing bo using ttm_fbdev_mmap.
With that patch in place mmap(/dev/fb0) works as expected.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2014-11-20 11:27:09 +10:00
Thierry Reding
ee3939e079 drm/ttm: Fix a few sparse warnings
The final parameter to ttm_bo_reserve() is a pointer, therefore callers
should use NULL instead of 0.

Fixes a bunch of sparse warnings of this type:

	warning: Using plain integer as NULL pointer

Signed-off-by: Thierry Reding <treding@nvidia.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2014-07-22 10:58:21 +10:00
Thierry Reding
10a2310265 drm: Introduce drm_fb_helper_prepare()
To implement hotplug detection in a race-free manner, drivers must call
drm_kms_helper_poll_init() before hotplug events can be triggered. Such
events can be triggered right after any of the encoders or connectors
are initialized. At the same time, if the drm_fb_helper_hotplug_event()
helper is used by a driver, then the poll helper requires some parts of
the FB helper to be initialized to prevent a crash.

At the same time, drm_fb_helper_init() requires information that is not
necessarily available at such an early stage (number of CRTCs and
connectors), so it cannot be used yet.

Add a new helper, drm_fb_helper_prepare(), that initializes the bare
minimum needed to allow drm_kms_helper_poll_init() to execute and any
subsequent hotplug events to be processed properly.

Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2014-07-08 11:31:28 +10:00
Thierry Reding
3a4938799d drm: Constify struct drm_fb_helper_funcs
There's no need for this to be modifiable. Make it const so that it can
be put into the .rodata section.

Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2014-07-08 11:31:15 +10:00
Gerd Hoffmann
c044330baa drm: bochs: drop unused struct fields
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2014-04-18 13:31:50 +10:00
Gerd Hoffmann
0a6659bdc5 drm/bochs: new driver
DRM driver for (virtual) vga cards using the bochs dispi
interface, such as the qemu standard vga (qemu -vga std).

Don't bother supporting anything but 32bpp for now, even
though the virtual hardware is able to do that.

Known issue: mmap(/dev/fb0) doesn't work.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-12-23 11:02:39 +10:00