From c74d8eb5649386c2cfcd65cc960fd283ba876877 Mon Sep 17 00:00:00 2001 From: Inki Dae Date: Tue, 5 Jan 2016 19:50:31 +0900 Subject: [PATCH] drm/exynos: fix kernel panic issue at drm releasing This patch fixes a kernel panic issue which happened when drm driver is closed while modetest. This issue could be reproduced easily by launching modetest with page flip repeatedly. The reason is that invalid drm_file object could be accessed by send_vblank_event function when finishing page flip if the drm_file object was removed by drm_release and there was a pended page flip event which was already committed to hardware. So this patch makes the pended page flip event to be cancelled by preclose callback which is called at front of drm_release function. Changelog v2: - free vblank event objects belonging to the request process, increment event space and decrease pending_update when cancelling the event Signed-off-by: Inki Dae Reviewed-by: Daniel Stone Acked-by: Daniel Vetter --- drivers/gpu/drm/exynos/exynos_drm_crtc.c | 26 ++++++++++++++++++++++++ drivers/gpu/drm/exynos/exynos_drm_crtc.h | 4 ++++ drivers/gpu/drm/exynos/exynos_drm_drv.c | 5 +++++ 3 files changed, 35 insertions(+) diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c index cd9498164dc1..e36579c1c025 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c +++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c @@ -226,3 +226,29 @@ void exynos_drm_crtc_te_handler(struct drm_crtc *crtc) if (exynos_crtc->ops->te_handler) exynos_crtc->ops->te_handler(exynos_crtc); } + +void exynos_drm_crtc_cancel_page_flip(struct drm_crtc *crtc, + struct drm_file *file) +{ + struct exynos_drm_crtc *exynos_crtc = to_exynos_crtc(crtc); + struct drm_pending_vblank_event *e; + unsigned long flags; + + spin_lock_irqsave(&crtc->dev->event_lock, flags); + e = exynos_crtc->event; + if (e && e->base.file_priv == file) { + exynos_crtc->event = NULL; + /* + * event will be destroyed by core part + * so below line should be removed later with core changes + */ + e->base.destroy(&e->base); + /* + * event_space will be increased by core part + * so below line should be removed later with core changes. + */ + file->event_space += sizeof(e->event); + atomic_dec(&exynos_crtc->pending_update); + } + spin_unlock_irqrestore(&crtc->dev->event_lock, flags); +} diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.h b/drivers/gpu/drm/exynos/exynos_drm_crtc.h index 6a581a8af465..cfdcf3e4eb1b 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_crtc.h +++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.h @@ -40,4 +40,8 @@ int exynos_drm_crtc_get_pipe_from_type(struct drm_device *drm_dev, */ void exynos_drm_crtc_te_handler(struct drm_crtc *crtc); +/* This function cancels a page flip request. */ +void exynos_drm_crtc_cancel_page_flip(struct drm_crtc *crtc, + struct drm_file *file); + #endif diff --git a/drivers/gpu/drm/exynos/exynos_drm_drv.c b/drivers/gpu/drm/exynos/exynos_drm_drv.c index 9756797a15a5..68f0f36f6e7e 100644 --- a/drivers/gpu/drm/exynos/exynos_drm_drv.c +++ b/drivers/gpu/drm/exynos/exynos_drm_drv.c @@ -330,7 +330,12 @@ err_file_priv_free: static void exynos_drm_preclose(struct drm_device *dev, struct drm_file *file) { + struct drm_crtc *crtc; + exynos_drm_subdrv_close(dev, file); + + list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) + exynos_drm_crtc_cancel_page_flip(crtc, file); } static void exynos_drm_postclose(struct drm_device *dev, struct drm_file *file) -- 2.20.1