Re: [PATCH] drm/omap: Take a fb reference in omap_plane_update()

Rob Clark <robdclark@xxxxxxxxx> · Tue, 9 Apr 2013 08:34:42 -0400



On Tue, Apr 9, 2013 at 8:26 AM, Archit Taneja <archit@xxxxxx> wrote:
> When userspace calls SET_PLANE ioctl, drm core takes a reference of the fb and
> passes control to the update_plane op defined by the drm driver.
>
> In omapdrm, we have a worker thread which queues framebuffers objects received
> from update_plane and displays them at the appropriate time.
>
> It is possible that the framebuffer is destoryed by userspace between the time
> of calling the ioctl and apply-worker being scheduled. If this happens, the
> apply-worker holds a pointer to a framebuffer which is already destroyed.
>
> Take an extra refernece/unreference of the fb in omap_plane_update() to prevent
> this from happening. A reference is taken of the fb passed to update_plane(),
> the previous framebuffer (held by plane->fb) is unreferenced. This will prevent
> drm from destroying the framebuffer till the time it's unreferenced by the
> apply-worker.
>
> This is in addition to the exisitng reference/unreference in update_pin(),
> which is taken for the scanout of the plane's current framebuffer, and an
> unreference the previous framebuffer.
>
> Signed-off-by: Archit Taneja <archit@xxxxxx>
> Cc: Rob Clark <robdclark@xxxxxxxxx>

Good catch

Signed-off-by: Rob Clark <robdclark@xxxxxxxxx>

> ---
>  drivers/gpu/drm/omapdrm/omap_plane.c |    6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/omapdrm/omap_plane.c b/drivers/gpu/drm/omapdrm/omap_plane.c
> index 2882cda..8d225d7 100644
> --- a/drivers/gpu/drm/omapdrm/omap_plane.c
> +++ b/drivers/gpu/drm/omapdrm/omap_plane.c
> @@ -247,6 +247,12 @@ static int omap_plane_update(struct drm_plane *plane,
>  {
>         struct omap_plane *omap_plane = to_omap_plane(plane);
>         omap_plane->enabled = true;
> +
> +       if (plane->fb)
> +               drm_framebuffer_unreference(plane->fb);
> +
> +       drm_framebuffer_reference(fb);
> +
>         return omap_plane_mode_set(plane, crtc, fb,
>                         crtc_x, crtc_y, crtc_w, crtc_h,
>                         src_x, src_y, src_w, src_h,
> --
> 1.7.10.4
>
--
To unsubscribe from this list: send the line "unsubscribe linux-omap" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html