linux/drivers/gpu/drm/mgag200/mgag200_cursor.c
Wang, Rui Y f6619ef750 drm/mgag200: fix kernel hang in cursor code.
The machine hangs completely with the following message on the console:

[  487.777538] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[  487.777554] IP: [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30
[  487.777557] PGD 42e9f7067 PUD 42f2fa067 PMD 0
[  487.777560] Oops: 0002 [#1] SMP
...
[  487.777618] CPU: 21 PID: 3190 Comm: Xorg Tainted: G            E   4.4.0-rc1-3-default+ #6
[  487.777620] Hardware name: Intel Corporation BRICKLAND/BRICKLAND, BIOS BRHSXSD1.86B.0059.R00.1501081238 01/08/2015
[  487.777621] task: ffff880853ae4680 ti: ffff8808696d4000 task.ti: ffff8808696d4000
[  487.777625] RIP: 0010:[<ffffffff8158aaee>]  [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30
[  487.777627] RSP: 0018:ffff8808696d79c0  EFLAGS: 00010246
[  487.777628] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  487.777629] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000060
[  487.777630] RBP: ffff8808696d79e0 R08: 0000000000000000 R09: ffff88086924a780
[  487.777631] R10: 000000000001bb40 R11: 0000000000003246 R12: 0000000000000000
[  487.777632] R13: ffff880463a27360 R14: ffff88046ca50218 R15: 0000000000000080
[  487.777634] FS:  00007f3f81c5a8c0(0000) GS:ffff88086f060000(0000) knlGS:0000000000000000
[  487.777635] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  487.777636] CR2: 0000000000000060 CR3: 000000042e678000 CR4: 00000000001406e0
[  487.777638] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  487.777639] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  487.777639] Stack:
[  487.777642]  ffffffffa00eb5fa ffff8808696d7b60 ffff88086b87d800 0000000000000000
[  487.777644]  ffff8808696d7ac8 ffffffffa01694b6 ffff8808696d7ae8 ffffffff8109c8d5
[  487.777647]  ffff880469158740 ffff880463a27000 ffff88086b87d800 ffff88086b87d800
[  487.777647] Call Trace:
[  487.777674]  [<ffffffffa00eb5fa>] ? drm_gem_object_lookup+0x1a/0xa0 [drm]
[  487.777681]  [<ffffffffa01694b6>] mga_crtc_cursor_set+0xc6/0xb60 [mgag200]
[  487.777691]  [<ffffffff8109c8d5>] ? find_busiest_group+0x35/0x4a0
[  487.777696]  [<ffffffff81086294>] ? __might_sleep+0x44/0x80
[  487.777699]  [<ffffffff815888c2>] ? __ww_mutex_lock+0x22/0x9c
[  487.777722]  [<ffffffffa0104f64>] ? drm_modeset_lock+0x34/0xf0 [drm]
[  487.777733]  [<ffffffffa0148d9e>] restore_fbdev_mode+0xee/0x2a0 [drm_kms_helper]
[  487.777742]  [<ffffffffa014afce>] drm_fb_helper_restore_fbdev_mode_unlocked+0x2e/0x70 [drm_kms_helper]
[  487.777748]  [<ffffffffa014b037>] drm_fb_helper_set_par+0x27/0x50 [drm_kms_helper]
[  487.777752]  [<ffffffff8134560c>] fb_set_var+0x18c/0x3f0
[  487.777777]  [<ffffffffa02a9b0a>] ? __ext4_handle_dirty_metadata+0x8a/0x210 [ext4]
[  487.777783]  [<ffffffff8133cb97>] fbcon_blank+0x1b7/0x2b0
[  487.777790]  [<ffffffff813be2a3>] do_unblank_screen+0xb3/0x1c0
[  487.777795]  [<ffffffff813b5aba>] vt_ioctl+0x118a/0x1210
[  487.777801]  [<ffffffff813a8fe0>] tty_ioctl+0x3f0/0xc90
[  487.777808]  [<ffffffff81172018>] ? kzfree+0x28/0x30
[  487.777813]  [<ffffffff811e053f>] ? mntput+0x1f/0x30
[  487.777817]  [<ffffffff811d3f5d>] do_vfs_ioctl+0x30d/0x570
[  487.777822]  [<ffffffff8107ed3a>] ? task_work_run+0x8a/0xa0
[  487.777825]  [<ffffffff811d4234>] SyS_ioctl+0x74/0x80
[  487.777829]  [<ffffffff8158aeae>] entry_SYSCALL_64_fastpath+0x12/0x71
[  487.777851] Code: 65 ff 0d ce 02 a8 7e 5d c3 ba 01 00 00 00 f0 0f b1 17 85 c0 75 e8 b0 01 5d c3 0f 1f 00 65 ff 05 b1 02 a8 7e 31 c0 ba 01 00 00 00 <f0> 0f b1 17 85 c0 75 01 c3 55 89 c6 48 89 e5 e8 4e f5 b1 ff 5d
[  487.777854] RIP  [<ffffffff8158aaee>] _raw_spin_lock+0xe/0x30
[  487.777855]  RSP <ffff8808696d79c0>
[  487.777856] CR2: 0000000000000060
[  487.777860] ---[ end trace 672a2cd555e0ebd3 ]---

The cursor code may be entered with file_priv == NULL && handle == NULL.
The problem was introduced by:

"bf89209 drm/mga200g: Hold a proper reference for cursor_set"

which calls drm_gem_object_lookup(dev, file_priv...). Previously this wasn't
a problem because we checked the handle. Moving the check earlier in the
function fixes the problem.

Signed-off-by: Rui Wang <rui.y.wang@intel.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2015-11-19 13:20:01 +10:00


/*
* Copyright 2013 Matrox Graphics
*
* This file is subject to the terms and conditions of the GNU General
* Public License version 2. See the file COPYING in the main
* directory of this archive for more details.
*
* Author: Christopher Harvey <charvey@matrox.com>
*/
#include <drm/drmP.h>
#include "mgag200_drv.h"
/*
 * One-shot flags for the informational messages in mga_crtc_cursor_set().
 * Each starts out true and is cleared after its message is printed, so a
 * cursor image that is rejected repeatedly logs the reason only once.
 */
static bool warn_transparent = true;	/* partial-transparency message */
static bool warn_palette = true;	/* more-than-16-colours message */
/*
 * Hide the cursor by zeroing its X position registers, then unpin each
 * cursor buffer whose pin_count is non-zero. The cursor hardware itself is
 * left enabled because it takes too long to re-activate and causes momentary
 * corruption.
 *
 * Both mdev->cursor.pixels_1 and mdev->cursor.pixels_2 are dereferenced
 * unconditionally, so callers must have checked that they are non-NULL.
 */
static void mga_hide_cursor(struct mga_device *mdev)
{
	struct mgag200_bo *first = mdev->cursor.pixels_1;
	struct mgag200_bo *second = mdev->cursor.pixels_2;

	WREG8(MGA_CURPOSXL, 0);
	WREG8(MGA_CURPOSXH, 0);

	if (first->pin_count)
		mgag200_bo_unpin(first);

	if (second->pin_count)
		mgag200_bo_unpin(second);
}
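/*
 * mga_crtc_cursor_set - load a 64x64 ARGB cursor image into the hardware cursor
 * @crtc:      CRTC whose device owns the cursor
 * @file_priv: DRM file used to resolve @handle; may be NULL
 * @handle:    GEM handle of the cursor image; 0 hides the cursor
 * @width:     cursor width, must be 64 when @handle is set
 * @height:    cursor height, must be 64 when @handle is set
 *
 * The image is reduced to a palette of at most 16 fully opaque colours plus
 * a transparency mask and written into whichever of the two driver-owned
 * cursor buffers is currently "prev"; the two buffers then swap roles.
 *
 * Returns 0 on success or when the cursor was hidden, -ENOTSUPP if the
 * cursor buffers were never allocated, -ENOENT if @handle does not resolve,
 * -EINVAL for a wrong size, an undersized buffer, partial transparency or
 * more than 16 colours, or the error returned by a failed reserve, pin or
 * kmap.
 */
int mga_crtc_cursor_set(struct drm_crtc *crtc,
			struct drm_file *file_priv,
			uint32_t handle,
			uint32_t width,
			uint32_t height)
{
	struct drm_device *dev = crtc->dev;
	struct mga_device *mdev = (struct mga_device *)dev->dev_private;
	struct mgag200_bo *pixels_1 = mdev->cursor.pixels_1;
	struct mgag200_bo *pixels_2 = mdev->cursor.pixels_2;
	struct mgag200_bo *pixels_current = mdev->cursor.pixels_current;
	struct mgag200_bo *pixels_prev = mdev->cursor.pixels_prev;
	struct drm_gem_object *obj;
	struct mgag200_bo *bo = NULL;
	int ret = 0;
	unsigned int i, row, col;
	uint32_t colour_set[16];
	uint32_t *next_space = &colour_set[0];
	uint32_t *palette_iter;
	uint32_t this_colour;
	bool found = false;
	int colour_count = 0;
	u64 gpu_addr;
	u8 reg_index;
	u8 this_row[48];

	if (!pixels_1 || !pixels_2) {
		WREG8(MGA_CURPOSXL, 0);
		WREG8(MGA_CURPOSXH, 0);
		return -ENOTSUPP; /* Didn't allocate space for cursors */
	}

	if ((width != 64 || height != 64) && handle) {
		WREG8(MGA_CURPOSXL, 0);
		WREG8(MGA_CURPOSXH, 0);
		return -EINVAL;
	}

	/* Internal invariant: the two buffers are exactly {current, prev} */
	BUG_ON(pixels_1 != pixels_current && pixels_1 != pixels_prev);
	BUG_ON(pixels_2 != pixels_current && pixels_2 != pixels_prev);
	BUG_ON(pixels_current == pixels_prev);

	/*
	 * This must stay ahead of drm_gem_object_lookup(): the function can be
	 * entered with file_priv == NULL, and the lookup dereferences it.
	 */
	if (!handle || !file_priv) {
		mga_hide_cursor(mdev);
		return 0;
	}

	obj = drm_gem_object_lookup(dev, file_priv, handle);
	if (!obj)
		return -ENOENT;

	ret = mgag200_bo_reserve(pixels_1, true);
	if (ret) {
		WREG8(MGA_CURPOSXL, 0);
		WREG8(MGA_CURPOSXH, 0);
		goto out_unref;
	}
	ret = mgag200_bo_reserve(pixels_2, true);
	if (ret) {
		WREG8(MGA_CURPOSXL, 0);
		WREG8(MGA_CURPOSXH, 0);
		/*
		 * Only pixels_1 is reserved at this point; the unwind must not
		 * unreserve pixels_2, whose reservation just failed.
		 */
		goto out_unreserve1;
	}

	/* Move cursor buffers into VRAM if they aren't already */
	if (!pixels_1->pin_count) {
		ret = mgag200_bo_pin(pixels_1, TTM_PL_FLAG_VRAM,
				     &mdev->cursor.pixels_1_gpu_addr);
		if (ret)
			goto out1;
	}
	if (!pixels_2->pin_count) {
		ret = mgag200_bo_pin(pixels_2, TTM_PL_FLAG_VRAM,
				     &mdev->cursor.pixels_2_gpu_addr);
		if (ret) {
			mgag200_bo_unpin(pixels_1);
			goto out1;
		}
	}

	bo = gem_to_mga_bo(obj);

	/*
	 * The handle names a buffer chosen by the caller. Both pixel loops
	 * below read 64*64*4 bytes from its mapping, and ttm_bo_kmap() maps
	 * exactly bo->bo.num_pages pages, so a smaller buffer must be rejected
	 * here or the reads would run past the end of the mapping.
	 */
	if (bo->bo.num_pages < DIV_ROUND_UP(64 * 64 * 4, PAGE_SIZE)) {
		ret = -EINVAL;
		goto out1;
	}

	ret = mgag200_bo_reserve(bo, true);
	if (ret) {
		dev_err(&dev->pdev->dev, "failed to reserve user bo\n");
		goto out1;
	}
	if (!bo->kmap.virtual) {
		ret = ttm_bo_kmap(&bo->bo, 0, bo->bo.num_pages, &bo->kmap);
		if (ret) {
			dev_err(&dev->pdev->dev, "failed to kmap user buffer updates\n");
			goto out2;
		}
	}

	/* Pass 1: collect the distinct opaque colours used by the image */
	memset(&colour_set[0], 0, sizeof(uint32_t)*16);
	/* width*height*4 = 16384 */
	for (i = 0; i < 16384; i += 4) {
		this_colour = ioread32(bo->kmap.virtual + i);
		/* No transparency */
		if (this_colour>>24 != 0xff &&
		    this_colour>>24 != 0x0) {
			if (warn_transparent) {
				dev_info(&dev->pdev->dev, "Video card doesn't support cursors with partial transparency.\n");
				dev_info(&dev->pdev->dev, "Not enabling hardware cursor.\n");
				warn_transparent = false; /* Only tell the user once. */
			}
			ret = -EINVAL;
			goto out3;
		}
		/* Don't need to store transparent pixels as colours */
		if (this_colour>>24 == 0x0)
			continue;
		found = false;
		for (palette_iter = &colour_set[0]; palette_iter != next_space; palette_iter++) {
			if (*palette_iter == this_colour) {
				found = true;
				break;
			}
		}
		if (found)
			continue;
		/* We only support 4bit paletted cursors */
		if (colour_count >= 16) {
			if (warn_palette) {
				dev_info(&dev->pdev->dev, "Video card only supports cursors with up to 16 colours.\n");
				dev_info(&dev->pdev->dev, "Not enabling hardware cursor.\n");
				warn_palette = false; /* Only tell the user once. */
			}
			ret = -EINVAL;
			goto out3;
		}
		*next_space = this_colour;
		next_space++;
		colour_count++;
	}

	/* Program colours from cursor icon into palette */
	for (i = 0; i < colour_count; i++) {
		if (i <= 2)
			reg_index = 0x8 + i*0x4;
		else
			reg_index = 0x60 + i*0x3;
		WREG_DAC(reg_index, colour_set[i] & 0xff);
		WREG_DAC(reg_index+1, colour_set[i]>>8 & 0xff);
		WREG_DAC(reg_index+2, colour_set[i]>>16 & 0xff);
		BUG_ON((colour_set[i]>>24 & 0xff) != 0xff);
	}

	/* Map up-coming buffer to write colour indices */
	if (!pixels_prev->kmap.virtual) {
		ret = ttm_bo_kmap(&pixels_prev->bo, 0,
				  pixels_prev->bo.num_pages,
				  &pixels_prev->kmap);
		if (ret) {
			dev_err(&dev->pdev->dev, "failed to kmap cursor updates\n");
			goto out3;
		}
	}

	/*
	 * Pass 2: now write colour indices into hardware cursor buffer.
	 * Each 48-byte row holds 64 4-bit palette indices in bytes 0..31 and
	 * the transparency bits in bytes 40..47. The image is read a second
	 * time here; a pixel that matches no palette entry keeps index 0.
	 */
	for (row = 0; row < 64; row++) {
		memset(&this_row[0], 0, 48);
		for (col = 0; col < 64; col++) {
			this_colour = ioread32(bo->kmap.virtual + 4*(col + 64*row));
			/* write transparent pixels */
			if (this_colour>>24 == 0x0) {
				this_row[47 - col/8] |= 0x80>>(col%8);
				continue;
			}
			/* write colour index here */
			for (i = 0; i < colour_count; i++) {
				if (colour_set[i] == this_colour) {
					if (col % 2)
						this_row[col/2] |= i<<4;
					else
						this_row[col/2] |= i;
					break;
				}
			}
		}
		memcpy_toio(pixels_prev->kmap.virtual + row*48, &this_row[0], 48);
	}

	/* Program gpu address of cursor buffer */
	if (pixels_prev == pixels_1)
		gpu_addr = mdev->cursor.pixels_1_gpu_addr;
	else
		gpu_addr = mdev->cursor.pixels_2_gpu_addr;
	WREG_DAC(MGA1064_CURSOR_BASE_ADR_LOW, (u8)((gpu_addr>>10) & 0xff));
	WREG_DAC(MGA1064_CURSOR_BASE_ADR_HI, (u8)((gpu_addr>>18) & 0x3f));

	/* Adjust cursor control register to turn on the cursor */
	WREG_DAC(MGA1064_CURSOR_CTL, 4); /* 16-colour palletized cursor mode */

	/* Now swap internal buffer pointers */
	if (mdev->cursor.pixels_1 == mdev->cursor.pixels_prev) {
		mdev->cursor.pixels_prev = mdev->cursor.pixels_2;
		mdev->cursor.pixels_current = mdev->cursor.pixels_1;
	} else if (mdev->cursor.pixels_1 == mdev->cursor.pixels_current) {
		mdev->cursor.pixels_prev = mdev->cursor.pixels_1;
		mdev->cursor.pixels_current = mdev->cursor.pixels_2;
	} else {
		BUG();
	}
	ret = 0;

	/* pixels_prev is still the buffer that was just written */
	ttm_bo_kunmap(&pixels_prev->kmap);
out3:
	ttm_bo_kunmap(&bo->kmap);
out2:
	mgag200_bo_unreserve(bo);
out1:
	if (ret)
		mga_hide_cursor(mdev);
	/* Release the cursor buffers in reverse order of reservation */
	mgag200_bo_unreserve(pixels_2);
out_unreserve1:
	mgag200_bo_unreserve(pixels_1);
out_unref:
	drm_gem_object_unreference_unlocked(obj);
	return ret;
}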
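/*
 * mga_crtc_cursor_move - program the hardware cursor position
 * @crtc: CRTC whose device owns the cursor
 * @x:    requested cursor X position
 * @y:    requested cursor Y position
 *
 * The hardware origin is at (64,64), so both coordinates are offset by 64
 * before being split into the low/high position registers.
 *
 * Returns 0 on success, or -EINVAL if the offset position would not be a
 * positive value that fits in 16 bits.
 */
int mga_crtc_cursor_move(struct drm_crtc *crtc, int x, int y)
{
	struct mga_device *mdev = (struct mga_device *)crtc->dev->dev_private;

	/*
	 * Out-of-range coordinates are rejected with an error rather than
	 * BUG_ON(): a bad position is a caller error and should not take the
	 * kernel down. The bounds are tested before adding the offset so the
	 * addition cannot overflow a signed int.
	 * NOTE(review): x and y presumably come from a userspace cursor
	 * request; the caller is not visible here, confirm.
	 */
	if (x <= -64 || y <= -64 || x > 0xffff - 64 || y > 0xffff - 64)
		return -EINVAL;

	/* Our origin is at (64,64) */
	x += 64;
	y += 64;

	WREG8(MGA_CURPOSXL, x & 0xff);
	WREG8(MGA_CURPOSXH, (x>>8) & 0xff);

	WREG8(MGA_CURPOSYL, y & 0xff);
	WREG8(MGA_CURPOSYH, (y>>8) & 0xff);
	return 0;
}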