On Thu, Apr 10, 2014 at 02:47:52PM +0300, Tomi Valkeinen wrote:
Hi,
I've been debugging omapdrm issues on top of the latest drm mainline changes. Sometimes a drm_framebuffer ref count drops to -1 when aborting a drm application, or unloading the modules.
The setup is very basic, just a single crtc with the crtc's primary plane.
What seems to happen is:
- App is started
- fb is created, and taken into use by omapdrm. omapdrm takes a ref to the fb.
- the app starts to shut down
- drm_framebuffer_remove is called
- fb->refcount.refcount > 1, so it goes to disable stuff
- drm_plane_force_disable is called for the primary plane
- drm_plane_force_disable does plane->disable_plane, which on omapdrm puts stuff on a workqueue as plane cannot be disabled immediately
- drm_plane_force_disable calls __drm_framebuffer_unreference()
- at the end of drm_framebuffer_remove(), there's drm_framebuffer_unreference, which causes ref count to go to zero, and the fb to be destroyed
- a bit later, the queued work is run, which does drm_framebuffer_unreference(), and ref count goes to -1. Here omapdrm is removing the ref that had been taken in the beginning.
So the explicit unref done by drm_plane_force_disable() seems a bit out of place. I can't figure out which drm_framebuffer_reference() would be the matching one for the unref done by drm_plane_force_disable().
Any ideas what ref is that? Or is the __drm_framebuffer_unreference() extra in drm_plane_force_disable()?
plane->fb is holding a reference which should have been acquired in drm_mode_setplane. It's not really explicit since drm_framebuffer_lookup implicitly grabs a ref for you.
Hence when we disable the plane and set plane->fb = NULL we must drop that ref again. So that's not the bug, but clearly something goes wrong somewhere.
-Daniel
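An added example, not part of the thread and not kernel or omapdrm code: a userspace C model that replays the teardown order from the report with a per-holder ledger beside the plain counter, so an unreference with no matching reference is attributed to a holder. The holder tags, `fb_model` and `replay_teardown` are hypothetical names, and the `missing` parameter is a constructed hypothesis used to reproduce the -1 count, not a diagnosis of the actual bug.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical holder tags for the three references discussed in the thread. */
enum holder { H_REMOVE_CALLER, H_PLANE_FB, H_DRIVER, H_NONE };

struct fb_model {
    int refcount;       /* the plain counter, as the object sees it */
    int held[H_NONE];   /* debug ledger: references taken per holder */
    int destroyed;      /* set when the counter reaches zero */
    int first_bad;      /* first holder whose put had no matching get */
};

static void fb_get(struct fb_model *fb, enum holder h)
{
    fb->refcount++;
    fb->held[h]++;
}

static void fb_put(struct fb_model *fb, enum holder h)
{
    /* Flag a put with no matching get, or a put on a destroyed object. */
    if ((fb->destroyed || fb->held[h] == 0) && fb->first_bad == H_NONE)
        fb->first_bad = h;
    if (fb->held[h] > 0)
        fb->held[h]--;
    if (--fb->refcount == 0)
        fb->destroyed = 1;
}

/* Replay the teardown order from the report; 'missing' skips one get. */
static struct fb_model replay_teardown(enum holder missing)
{
    struct fb_model fb;
    memset(&fb, 0, sizeof fb);
    fb.first_bad = H_NONE;
    for (int h = H_REMOVE_CALLER; h < H_NONE; h++)
        if (h != (int)missing)
            fb_get(&fb, (enum holder)h);
    fb_put(&fb, H_PLANE_FB);       /* drm_plane_force_disable */
    fb_put(&fb, H_REMOVE_CALLER);  /* end of drm_framebuffer_remove */
    fb_put(&fb, H_DRIVER);         /* omapdrm's queued work */
    return fb;
}

int main(void)
{
    for (int m = H_REMOVE_CALLER; m <= H_NONE; m++) {
        struct fb_model fb = replay_teardown((enum holder)m);
        printf("missing=%d final=%d first_bad=%d\n", m, fb.refcount, fb.first_bad);
    }
    return 0;
}
```

With all three references taken the counter ends at 0 and nothing is flagged; with any one of them skipped the counter ends at -1, as in the report, and the ledger names the holder whose reference was never taken.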