linux/drivers/gpu/drm
Daniel Vetter 9128b040eb drm/i915: Fix modeset state confusion in the load detect code
This is a tricky story of the new atomic state handling and the legacy
code fighting over each another. The bug at hand is an underrun of the
framebuffer reference with subsequent hilarity caused by the load
detect code. Which is peculiar since the the exact same code works
fine as the implementation of the legacy setcrtc ioctl.

Let's look at the ingredients:

- Currently our code is a crazy mix of legacy modeset interfaces to
  set the parameters and half-baked atomic state tracking underneath.
  While this transition is going we're using the transitional plane
  helpers to update the atomic side (drm_plane_helper_disable/update
  and friends), i.e. plane->state->fb. Since the state structure owns
  the fb those functions take care of that themselves.

  The legacy state (specifically crtc->primary->fb) is still managed
  by the old code (and mostly by the drm core), with the fb reference
  counting done by callers (core drm for the ioctl or the i915 load
  detect code). The relevant commit is

  commit ea2c67bb4a
  Author: Matt Roper <matthew.d.roper@intel.com>
  Date:   Tue Dec 23 10:41:52 2014 -0800

      drm/i915: Move to atomic plane helpers (v9)

- drm_plane_helper_disable has special code to handle multiple calls
  in a row - it checks plane->crtc == NULL and bails out. This is to
  match the proper atomic implementation which needs the crtc to get
  at the implied locking context atomic updates always need. See

  commit acf24a395c
  Author: Daniel Vetter <daniel.vetter@ffwll.ch>
  Date:   Tue Jul 29 15:33:05 2014 +0200

      drm/plane-helper: transitional atomic plane helpers

- The universal plane code split out the implicit primary plane from
  the CRTC into it's own full-blown drm_plane object. As part of that
  the setcrtc ioctl (which updated both the crtc mode and primary
  plane) learned to set crtc->primary->crtc on modeset to make sure
  the plane->crtc assignments statate up to date in

  commit e13161af80
  Author: Matt Roper <matthew.d.roper@intel.com>
  Date:   Tue Apr 1 15:22:38 2014 -0700

      drm: Add drm_crtc_init_with_planes() (v2)

  Unfortunately we've forgotten to update the load detect code. Which
  wasn't a problem since the load detect modeset is temporary and
  always undone before we drop the locks.

- Finally there is a organically grown history (i.e. don't ask) around
  who sets the legacy plane->fb for the various driver entry points.
  Originally updating that was the drivers duty, but for almost all
  places we've moved that (plus updating the refcounts) into the core.
  Again the exception is the load detect code.

Taking all together the following happens:
- The load detect code doesn't set crtc->primary->crtc. This is only
  really an issue on crtcs never before used or when userspace
  explicitly disabled the primary plane.

- The plane helper glue code short-circuits because of that and leaves
  a non-NULL fb behind in plane->state->fb and plane->fb. The state
  fb isn't a real problem (it's properly refcounted on its own), it's
  just the canary.

- Load detect code drops the reference for that fb, but doesn't set
  plane->fb = NULL. This is ok since it's still living in that old
  world where drivers had to clear the pointer but the core/callers
  handled the refcounting.

- On the next modeset the drm core notices plane->fb and takes care of
  refcounting it properly by doing another unref. This drops the
  refcount to zero, leaving state->plane now pointing at freed memory.

- intel_plane_duplicate_state still assume it owns a reference to that
  very state->fb and bad things start to happen.

Fix this all by applying the same duct-tape as for the legacy setcrtc
ioctl code and set crtc->primary->crtc properly.

Cc: Matt Roper <matthew.d.roper@intel.com>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: Rob Clark <robdclark@gmail.com>
Cc: Paulo Zanoni <przanoni@gmail.com>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Matt Roper <matthew.d.roper@intel.com>
Reported-and-tested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-03-03 09:04:33 -08:00
..
amd drm/amdkfd: don't set get_pipes_num() as inline 2015-02-23 10:48:02 +02:00
armada Merge tag 'topic/core-stuff-2014-12-19' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-01-09 09:13:41 +10:00
ast drm/fb-helper: Propagate errors from initial config failure 2015-01-21 14:57:03 +01:00
atmel-hlcdc drm: atmel-hlcdc: remove clock polarity from crtc driver 2015-02-26 14:19:13 +01:00
bochs drm/fb-helper: Propagate errors from initial config failure 2015-01-21 14:57:03 +01:00
bridge drm/bridge: dw-hdmi: Adapt to bridge API change 2015-01-28 10:01:30 +01:00
cirrus Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2015-02-16 15:48:00 -08:00
exynos Merge branch 'exynos-drm-next' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-next 2015-02-13 13:02:49 +10:00
gma500 drm/fb-helper: Propagate errors from initial config failure 2015-01-21 14:57:03 +01:00
i2c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux into drm-next 2015-01-29 11:45:31 +10:00
i810
i915 drm/i915: Fix modeset state confusion in the load detect code 2015-03-03 09:04:33 -08:00
imx imx-drm fixes for IPUv3 DC and i.MX5 IPUv3 IC and TVE 2015-02-11 15:35:26 +10:00
mga
mgag200 drm/fb-helper: Propagate errors from initial config failure 2015-01-21 14:57:03 +01:00
msm drm/msm: add moduleparam to disable fbdev 2015-02-01 15:34:04 -05:00
nouveau Merge tag 'topic/core-stuff-2015-01-23' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-01-27 08:54:11 +10:00
omapdrm drm/fb-helper: Propagate errors from initial config failure 2015-01-21 14:57:03 +01:00
panel drm: panel/simple: add backlight dependency 2015-01-31 10:11:45 +10:00
qxl drm/fb-helper: Propagate errors from initial config failure 2015-01-21 14:57:03 +01:00
r128 drm: remove unnecessary sizeof(u8) 2014-11-20 11:30:37 +10:00
radeon drm/radeon: only enable DP audio if the monitor supports it 2015-02-25 16:06:10 -05:00
rcar-du drm: Kconfig: Let all DRM_GEM_CMA_HELPER related macros depend on HAVE_DMA_ATTRS 2015-02-03 11:12:37 +10:00
rockchip drm: rockchip: add reset controller dependency 2015-01-31 10:11:48 +10:00
savage
shmobile drm: Kconfig: Let all DRM_GEM_CMA_HELPER related macros depend on HAVE_DMA_ATTRS 2015-02-03 11:12:37 +10:00
sis
sti drm: sti: HDMI add audio infoframe 2015-02-05 16:21:19 +01:00
tdfx
tegra drm/tegra: dc: Move more code into ->init() 2015-02-19 14:21:51 +01:00
tilcdc drm: Kconfig: Let all DRM_GEM_CMA_HELPER related macros depend on HAVE_DMA_ATTRS 2015-02-03 11:12:37 +10:00
ttm drm/ttm: optionally move duplicates to a separate list 2014-12-03 18:26:52 -05:00
udl drm/udl: properly set active_16 flag in udl_crtc_page_flip(). (v2) 2015-01-31 10:12:23 +10:00
via
vmwgfx drm/vmwgfx: Replace the hw mutex with a hw spinlock 2015-01-19 03:02:13 -08:00
ati_pcigart.c
drm_agpsupport.c
drm_atomic_helper.c Merge tag 'topic/atomic-core-2015-01-27' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-01-28 09:34:27 +10:00
drm_atomic.c Merge tag 'topic/atomic-core-2015-01-27' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-01-28 09:34:27 +10:00
drm_auth.c
drm_bridge.c drm/bridge: make bridge registration independent of drm flow 2015-01-28 08:45:40 +01:00
drm_bufs.c
drm_cache.c drm/cache: Use wbinvd helpers 2014-12-16 08:56:55 +01:00
drm_context.c
drm_crtc_helper.c drm/atomic: Introduce state->obj backpointers 2014-12-17 20:23:23 +01:00
drm_crtc_internal.h drm/atomic: Hide drm.ko internal interfaces 2015-01-05 13:55:30 +01:00
drm_crtc.c drm: Fix deadlock due to getconnector locking changes 2015-02-24 11:05:20 +10:00
drm_debugfs.c
drm_dma.c
drm_dp_helper.c drm/dp: add drm_dp_link_power_down() helper 2015-02-01 15:06:42 -05:00
drm_dp_mst_topology.c drm/tile: expose the tile property to userspace (v3) 2014-12-09 09:56:48 +10:00
drm_drv.c drm: add atomic properties 2015-01-05 13:54:38 +01:00
drm_edid_load.c drm/edid: Deletion of an unnecessary check before the function call "release_firmware" 2014-11-21 12:16:27 +10:00
drm_edid.c Merge tag 'topic/core-stuff-2014-12-10' of git://anongit.freedesktop.org/drm-intel into drm-next 2014-12-11 10:12:57 +10:00
drm_encoder_slave.c
drm_fb_cma_helper.c
drm_fb_helper.c Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2015-02-16 15:48:00 -08:00
drm_flip_work.c drm: flip-work: change drm_flip_work_init prototype 2014-11-15 09:29:14 +10:00
drm_fops.c drm: Make drm_read() more robust against multithreaded races 2015-01-21 14:57:03 +01:00
drm_gem_cma_helper.c
drm_gem.c drm: Sanitize DRM_IOCTL_MODE_CREATE_DUMB input 2014-11-15 09:50:21 +10:00
drm_global.c
drm_hashtab.c
drm_info.c drm/info: Remove unused code 2014-12-16 18:44:34 +01:00
drm_internal.h drm/info: Remove unused code 2014-12-16 18:44:34 +01:00
drm_ioc32.c
drm_ioctl.c drm: Ensure universal_planes is set for atomic 2015-01-05 13:55:30 +01:00
drm_irq.c drm/irq: Don't disable vblank interrupts when already disabled 2015-01-29 12:50:03 +01:00
drm_legacy.h
drm_lock.c
drm_memory.c
drm_mipi_dsi.c drm/mipi-dsi: Avoid potential NULL pointer dereference 2015-01-28 08:45:37 +01:00
drm_mm.c
drm_modes.c drm/modes: Print the mode status in human readable form 2015-02-03 09:09:22 +01:00
drm_modeset_lock.c
drm_of.c
drm_panel.c
drm_pci.c
drm_plane_helper.c Merge tag 'topic/atomic-core-2015-01-27' of git://anongit.freedesktop.org/drm-intel into drm-next 2015-01-28 09:34:27 +10:00
drm_platform.c
drm_prime.c drm: Miscellaneous fixes for v3.19-rc1 2014-11-15 09:37:20 +10:00
drm_probe_helper.c drm/probe-helper: clamp unknown connector status in the poll work 2015-01-22 06:11:39 +01:00
drm_rect.c
drm_scatter.c
drm_sysfs.c drm: Use static attribute groups for managing connector sysfs entries 2015-02-04 15:02:00 +01:00
drm_trace_points.c
drm_trace.h
drm_vm.c
drm_vma_manager.c mm: remove rest usage of VM_NONLINEAR and pte_file() 2015-02-10 14:30:31 -08:00
Kconfig drm: Kconfig: Let all DRM_GEM_CMA_HELPER related macros depend on HAVE_DMA_ATTRS 2015-02-03 11:12:37 +10:00
Makefile drm/bridge: make bridge registration independent of drm flow 2015-01-28 08:45:40 +01:00