From patchwork Mon Sep 15 18:52:17 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Drake <drake@endlessm.com>
X-Patchwork-Id: 4907391
Return-Path: <linux-samsung-soc-owner@kernel.org>
X-Original-To: patchwork-linux-samsung-soc@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id E0DB99F32F
	for <patchwork-linux-samsung-soc@patchwork.kernel.org>;
	Mon, 15 Sep 2014 18:49:52 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 4556A201CE
	for <patchwork-linux-samsung-soc@patchwork.kernel.org>;
	Mon, 15 Sep 2014 18:52:31 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id DEE6B201B4
	for <patchwork-linux-samsung-soc@patchwork.kernel.org>;
	Mon, 15 Sep 2014 18:52:29 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754185AbaIOSw3 (ORCPT
	<rfc822;patchwork-linux-samsung-soc@patchwork.kernel.org>);
	Mon, 15 Sep 2014 14:52:29 -0400
Received: from mail-yk0-f177.google.com ([209.85.160.177]:34046 "EHLO
	mail-yk0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753571AbaIOSw2 (ORCPT
	<rfc822;linux-samsung-soc@vger.kernel.org>);
	Mon, 15 Sep 2014 14:52:28 -0400
Received: by mail-yk0-f177.google.com with SMTP id 79so2327442ykr.36
	for <linux-samsung-soc@vger.kernel.org>;
	Mon, 15 Sep 2014 11:52:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=YgjNwaED0Hem0KYuaCM5B+yHAISowRSgzfVtmDXJf3Y=;
	b=KHHJKcYzmNbK6yOcJLu6UF3CQEGnA7eIcL4rFtTImsof4Z4Iqg+ogwzUQvMtDR1aTP
	Y+EOO646VIqgzrTmLZ1h/J2fVK2NG7MM52HB4W2a+GkhKHs+4xOEQx3wgka8pXfTnU1f
	/8GT+aICL5Iuo3DKXTqJU+L3G5yMFf9d70S/mJq31fcgkUqLOwANW6V8+E9B+UnA1cEu
	QxqeTv6/yAPIc3X8aRo4DCI8ZrXdDpWWm3o61BR4GBwyL6qMtzVjz+Isu8svTRCuqkda
	hzJAfXtxbtXGm3bDRaVAEn9S3slkDfAuwwIfJFPWZyAAkMPnxkLgZD7kzA1JmtX30wfh
	xReQ==
X-Gm-Message-State: 
 ALoCoQkSO64Le2dk5b82YE9Z6Fwf1gfLF408ypVoqPvU0JSBamO1UWa4R3CO/s5ZIVs1+lXbxrRq
X-Received: by 10.236.190.133 with SMTP id e5mr36369007yhn.13.1410807147625;
	Mon, 15 Sep 2014 11:52:27 -0700 (PDT)
Received: from dsd-ubuntu.gallo.pinto ([190.181.183.137])
	by mx.google.com with ESMTPSA id
	g22sm5555558yhb.18.2014.09.15.11.52.24 for <multiple recipients>
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Mon, 15 Sep 2014 11:52:26 -0700 (PDT)
From: Daniel Drake <drake@endlessm.com>
To: inki.dae@samsung.com, jy0922.shim@samsung.com,
	sw0312.kim@samsung.com, kyungmin.park@samsung.com
Cc: dri-devel@lists.freedesktop.org, a.hajda@samsung.com,
	linux-samsung-soc@vger.kernel.org
Subject: [PATCH] drm/exynos: fix plane-framebuffer linkage
Date: Mon, 15 Sep 2014 12:52:17 -0600
Message-Id: <1410807137-8323-1-git-send-email-drake@endlessm.com>
X-Mailer: git-send-email 1.9.1
Sender: linux-samsung-soc-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-samsung-soc.vger.kernel.org>
X-Mailing-List: linux-samsung-soc@vger.kernel.org
X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Pageflipping currently causes some inconsistencies that lead to
crashes. Just run an app that causes a CRTC pageflip in a raw X session
and check that it exits cleanly and can be restarted - you'll see
crashes like:
 Unable to handle kernel NULL pointer dereference at virtual address 00000334
 PC is at exynos_drm_crtc_plane_commit+0x20/0x40
 LR is at exynos_drm_crtc_plane_commit+0x20/0x40
 [<c03749b4>] (exynos_drm_crtc_plane_commit) from [<c03741bc>] (exynos_drm_crtc_commit+0x44/0x70)
 [<c03741bc>] (exynos_drm_crtc_commit) from [<c03743a0>] (exynos_drm_crtc_mode_set_commit.isra.2+0xb4/0xc4)
 [<c03743a0>] (exynos_drm_crtc_mode_set_commit.isra.2) from [<c03744f4>] (exynos_drm_crtc_page_flip+0x140/0x1a8)
 [<c03744f4>] (exynos_drm_crtc_page_flip) from [<c036b20c>] (drm_mode_page_flip_ioctl+0x224/0x2dc)
 [<c036b20c>] (drm_mode_page_flip_ioctl) from [<c035c324>] (drm_ioctl+0x338/0x4fc)

These crashes happen because drm_plane_force_disable has previously set
plane->crtc to NULL.

When drm_mode_page_flip_ioctl() is used to flip another framebuffer
onto the primary plane, crtc->primary->fb is correctly updated (this is
a virtual plane created by plane_helper), but plane->fb is not (this
plane is the real one, created by exynos_drm_crtc_create).

We then come to handle rmfb of the backbuffer, which the "real" primary
plane is incorrectly pointing at. So drm_framebuffer_remove() decides that
the buffer is actually active on a plane and force-disables the plane.

Ensuring that plane->fb is kept up-to-date solves that issue, but
exposes a reference counting problem. Now we see crashes when rmfb is
called on the front-buffer, because the rmfb code expects to drop 3
references here, and there are only 2.

That can be fixed by adopting the reference management found in omapdrm:
Framebuffer references are not taken directly in crtc mode_set context,
but rather in the context of updating the plane, which also covers
flips. Like omapdrm we also unreference the old framebuffer here.

Signed-off-by: Daniel Drake <drake@endlessm.com>
---
 drivers/gpu/drm/exynos/exynos_drm_crtc.c  | 12 ++----------
 drivers/gpu/drm/exynos/exynos_drm_plane.c |  8 ++++++++
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_crtc.c b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
index b68e58f..7aa9dee 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_crtc.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_crtc.c
@@ -140,16 +140,8 @@ exynos_drm_crtc_mode_set(struct drm_crtc *crtc, struct drm_display_mode *mode,
 	if (manager->ops->mode_set)
 		manager->ops->mode_set(manager, &crtc->mode);
 
-	ret = exynos_plane_mode_set(plane, crtc, crtc->primary->fb, 0, 0, crtc_w, crtc_h,
-				    x, y, crtc_w, crtc_h);
-	if (ret)
-		return ret;
-
-	plane->crtc = crtc;
-	plane->fb = crtc->primary->fb;
-	drm_framebuffer_reference(plane->fb);
-
-	return 0;
+	return exynos_plane_mode_set(plane, crtc, crtc->primary->fb, 0, 0,
+				     crtc_w, crtc_h, x, y, crtc_w, crtc_h);
 }
 
 static int exynos_drm_crtc_mode_set_commit(struct drm_crtc *crtc, int x, int y,
diff --git a/drivers/gpu/drm/exynos/exynos_drm_plane.c b/drivers/gpu/drm/exynos/exynos_drm_plane.c
index 8371cbd..df27e35 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_plane.c
+++ b/drivers/gpu/drm/exynos/exynos_drm_plane.c
@@ -139,6 +139,14 @@ int exynos_plane_mode_set(struct drm_plane *plane, struct drm_crtc *crtc,
 			overlay->crtc_x, overlay->crtc_y,
 			overlay->crtc_width, overlay->crtc_height);
 
+	if (plane->fb)
+		drm_framebuffer_unreference(plane->fb);
+
+	drm_framebuffer_reference(fb);
+
+	plane->fb = fb;
+	plane->crtc = crtc;
+
 	exynos_drm_crtc_plane_mode_set(crtc, overlay);
 
 	return 0;