From 21a01abbe32a3cbeb903378a24e504bfd9fe0648 Mon Sep 17 00:00:00 2001
From: Maarten Lankhorst
Date: Mon, 4 Sep 2017 12:48:37 +0200
Subject: drm/atomic: Fix freeing connector/plane state too early by tracking commits, v3.

Currently we neatly track the crtc state, but forget to look at plane/connector state.

When doing a nonblocking modeset, immediately followed by a setprop before the modeset completes, the setprop will see the modeset's new state as the old state and free it.

This has to be solved by waiting for hw_done on the connector, even if it's not assigned to a crtc. When a connector is unbound we take the last crtc commit, and when it stays unbound we create a new fake crtc commit for that gets signaled on hw_done for all the planes/connectors.

We wait for it the same way as we do for crtc's, which will make sure we never run into a use-after-free situation.

Changes since v1:
- Only create a single disable commit. (danvet)
- Fix leak in intel_legacy_cursor_update.

Changes since v2:
- Make reference counting in drm_atomic_helper_setup_commit more obvious. (pinchartl)
- Call cleanup_done for fake commit. (danvet)
- Add comments to drm_atomic_helper_setup_commit. (danvet, pinchartl)
- Add comment to drm_atomic_helper_swap_state. (pinchartl)

Signed-off-by: Maarten Lankhorst
Testcase: kms_atomic_transition.plane-use-after-nonblocking-unbind*
Cc: Laurent Pinchart
Link: https://patchwork.freedesktop.org/patch/msgid/20170904104838.23822-6-maarten.lankhorst@linux.intel.com
Reviewed-by: Daniel Vetter
---
 include/drm/drm_plane.h | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'include/drm/drm_plane.h')

diff --git a/include/drm/drm_plane.h b/include/drm/drm_plane.h index 73f90f9d057f..7d96116fd4c4 100644 --- a/include/drm/drm_plane.h +++ b/include/drm/drm_plane.h
@@ -123,6 +123,13 @@ struct drm_plane_state { */ bool visible; + /** + * @commit: Tracks the pending commit to prevent use-after-free conditions. + * + * Is only set when @crtc is NULL. + */ + struct drm_crtc_commit *commit; + struct drm_atomic_state *state; }; -- cgit v1.2.3
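
Review bot: The kerneldoc for @commit in struct drm_plane_state does not say who owns the reference on the drm_crtc_commit or where it is dropped. The commit message mentions a leak fix in intel_legacy_cursor_update and reworked reference counting, so ownership is the detail driver authors are most likely to get wrong; the comment should state whether the plane state holds its own reference and what code that duplicates or destroys a drm_plane_state must do with the pointer. "Tracks the pending commit" is also vague next to "Is only set when @crtc is NULL": per the commit message this is either the last crtc commit taken at unbind or the fake commit created while the plane stays unbound, and naming those two cases (and that waiters block on its hw_done) would make the field's lifetime clear to readers of the header alone.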