qxl_bo structure has two reference counters, one in the GEM object and
another in the TTM object. The GEM object keep a counter to the TTM object
so when GEM counter reached zero the TTM counter (using qxl_bo_unref) was
decremented. The qxl object is fully freed (both GEM and TTM part are cleaned)
when the TTM counter reach zero.
One issue was that surface idr structure has no owning on qxl_bo objects however
it contains a pointer to qxl_bo object. This caused some nasty race condition
for instance qxl_bo object was reaped even after counter was already zero.
This patch fix these races moving main counter (the one used by qxl_bo_(un)ref)
to GEM object which cleanup routine (qxl_gem_object_free) remove the idr pointer
(using qxl_surface_evict) when the counters are still valid.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
void qxl_gem_object_free(struct drm_gem_object *gobj)
{
struct qxl_bo *qobj = gem_to_qxl_bo(gobj);
+ struct qxl_device *qdev;
+ struct ttm_buffer_object *tbo;
- if (qobj)
- qxl_bo_unref(&qobj);
+ qdev = (struct qxl_device *)gobj->dev->dev_private;
+
+ qxl_surface_evict(qdev, qobj, false);
+
+ tbo = &qobj->tbo;
+ ttm_bo_unref(&tbo);
}
int qxl_gem_object_create(struct qxl_device *qdev, int size,
void qxl_bo_unref(struct qxl_bo **bo)
{
- struct ttm_buffer_object *tbo;
-
if ((*bo) == NULL)
return;
- tbo = &((*bo)->tbo);
- ttm_bo_unref(&tbo);
- if (tbo == NULL)
- *bo = NULL;
+
+ drm_gem_object_unreference_unlocked(&(*bo)->gem_base);
+ *bo = NULL;
}
struct qxl_bo *qxl_bo_ref(struct qxl_bo *bo)
{
- ttm_bo_reference(&bo->tbo);
+ drm_gem_object_reference(&bo->gem_base);
return bo;
}