Since commit a39be606f99d ("drm: Do a full device unregister when unplugging") drm_unplug_dev has been calling drm_dev_unregister followed by a drm_put_dev when open_count reaches 0. This drm_put_dev calls drm_dev_unregister again. Since drm_dev_unregister is not protected against being called multiple times this leads to havoc.
This commit fixes this by calling drm_dev_unref instead of drm_put_dev.
This commit also moves the mutex_lock(&drm_global_mutex) to above the drm_dev_unregister call to avoid a race between drm_unplug_dev and drm_release still leading to drm_dev_unregister getting called twice.
Note that calling drm_dev_unregister with the drm_global_mutex locked is fine, drm_release already did this (through drm_put_dev).
Fixes: a39be606f99d ("drm: Do a full device unregister when unplugging") Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Marco Diego Aurélio Mesquita marcodiegomesquita@gmail.com Reported-by: Marco Diego Aurélio Mesquita marcodiegomesquita@gmail.com Signed-off-by: Hans de Goede hdegoede@redhat.com --- Note I don't have any USB display devices at hand for testing atm so this patch has only been compile tested. --- drivers/gpu/drm/drm_drv.c | 10 +++++----- drivers/gpu/drm/drm_file.c | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index b5c6bb46a425..9f31d5d629d1 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -357,16 +357,16 @@ EXPORT_SYMBOL(drm_put_dev);
void drm_unplug_dev(struct drm_device *dev) { + mutex_lock(&drm_global_mutex); + /* for a USB device */ drm_dev_unregister(dev);
- mutex_lock(&drm_global_mutex); - drm_device_set_unplugged(dev);
- if (dev->open_count == 0) { - drm_put_dev(dev); - } + if (dev->open_count == 0) + drm_dev_unref(dev); + mutex_unlock(&drm_global_mutex); } EXPORT_SYMBOL(drm_unplug_dev); diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c index 3783b659cd38..edba71c8ccc3 100644 --- a/drivers/gpu/drm/drm_file.c +++ b/drivers/gpu/drm/drm_file.c @@ -424,7 +424,7 @@ int drm_release(struct inode *inode, struct file *filp) if (!--dev->open_count) { drm_lastclose(dev); if (drm_device_is_unplugged(dev)) - drm_put_dev(dev); + drm_dev_unref(dev); } mutex_unlock(&drm_global_mutex);
On 28-05-17 19:10, Hans de Goede wrote:
Since commit a39be606f99d ("drm: Do a full device unregister when unplugging") drm_unplug_dev has been calling drm_dev_unregister followed by a drm_put_dev when open_count reaches 0. This drm_put_dev calls drm_dev_unregister again. Since drm_dev_unregister is not protected against being called multiple times this leads to havoc.
This commit fixes this by calling drm_dev_unref instead of drm_put_dev.
This commit also moves the mutex_lock(&drm_global_mutex) to above the drm_dev_unregister call to avoid a race between drm_unplug_dev and drm_release still leading to drm_dev_unregister getting called twice.
Note that calling drm_dev_unregister with the drm_global_mutex locked is fine, drm_release already did this (through drm_put_dev).
Ugh I just realized that the whole moving of the mutex thing is not necessary as I ended up changing the drm_put_dev in drm_release to drm_dev_unref too. I will send a v2 shortly.
Regards,
Hans
Fixes: a39be606f99d ("drm: Do a full device unregister when unplugging") Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Marco Diego Aurélio Mesquita marcodiegomesquita@gmail.com Reported-by: Marco Diego Aurélio Mesquita marcodiegomesquita@gmail.com Signed-off-by: Hans de Goede hdegoede@redhat.com
Note I don't have any USB display devices at hand for testing atm so this patch has only been compile tested.
drivers/gpu/drm/drm_drv.c | 10 +++++----- drivers/gpu/drm/drm_file.c | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c index b5c6bb46a425..9f31d5d629d1 100644 --- a/drivers/gpu/drm/drm_drv.c +++ b/drivers/gpu/drm/drm_drv.c @@ -357,16 +357,16 @@ EXPORT_SYMBOL(drm_put_dev);
void drm_unplug_dev(struct drm_device *dev) {
- mutex_lock(&drm_global_mutex);
- /* for a USB device */ drm_dev_unregister(dev);
mutex_lock(&drm_global_mutex);
drm_device_set_unplugged(dev);
if (dev->open_count == 0) {
drm_put_dev(dev);}
- if (dev->open_count == 0)
drm_dev_unref(dev);- mutex_unlock(&drm_global_mutex); } EXPORT_SYMBOL(drm_unplug_dev);
diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c index 3783b659cd38..edba71c8ccc3 100644 --- a/drivers/gpu/drm/drm_file.c +++ b/drivers/gpu/drm/drm_file.c @@ -424,7 +424,7 @@ int drm_release(struct inode *inode, struct file *filp) if (!--dev->open_count) { drm_lastclose(dev); if (drm_device_is_unplugged(dev))
drm_put_dev(dev);
drm_dev_unref(dev);
dri-devel@lists.freedesktop.org
-
Hans de Goede