[PATCH v2 0/7] xfree86: Handle drm race condition

Maarten Lankhorst maarten.lankhorst at canonical.com
Tue Mar 19 05:18:47 PDT 2013


Op 19-03-13 12:10, Dave Airlie schreef:
>> Because of the delayed fput in recent kernels, it is possible for plymouth to exit and not drop master right away.
>> It's put onto a workqueue to be freed slightly later. Xorg-server starts in the meantime, opens a fd, but because the fd
>> hasn't been closed by plymouth yet, it didn't get implicitly authenticated and it didn't get drm master either.
>>
> I thought plymouth explicitly dropped master, and closed later. I know
> we "ab"use that fact on Fedora so X can grab the bo from plymouth
> before it exits.
>
> Dave.
>
Well, from trying the dropmaster kernel patch, it simply looks like there are just too many places that could get affected by this assumption.

Let's just try something ugly in the flush callback that's called before final fput instead, that should fix all our problems!

XXX: the big if is duplicated from drm_release, and it should probably be split into a separate function.
However if you're hit by the plymouth race, this might be a good thing to try.

The fix for drivers other than radeon/i915 is left as an exercise for the reader.

diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
index f369429..ecf8689 100644
--- a/drivers/gpu/drm/drm_fops.c
+++ b/drivers/gpu/drm/drm_fops.c
@@ -177,6 +177,50 @@ err:
 }
 EXPORT_SYMBOL(drm_open);
 
+int drm_flush(struct file *filp, fl_owner_t id)
+{
+	struct drm_file *file_priv = filp->private_data;
+	struct drm_device *dev = file_priv->minor->dev;
+
+	if (atomic_long_read(&filp->f_count) != 1 || !file_priv->is_master)
+		return 0;
+
+	mutex_lock(&dev->struct_mutex);
+
+	if (file_priv->is_master) {
+		struct drm_master *master = file_priv->master;
+		struct drm_file *temp;
+		list_for_each_entry(temp, &dev->filelist, lhead) {
+			if ((temp->master == file_priv->master) &&
+			    (temp != file_priv))
+				temp->authenticated = 0;
+		}
+
+		/**
+		 * Since the master is disappearing, so is the
+		 * possibility to lock.
+		 */
+
+		if (master->lock.hw_lock) {
+			if (dev->sigdata.lock == master->lock.hw_lock)
+				dev->sigdata.lock = NULL;
+			master->lock.hw_lock = NULL;
+			master->lock.file_priv = NULL;
+			wake_up_interruptible_all(&master->lock.lock_queue);
+		}
+
+		if (file_priv->minor->master == file_priv->master) {
+			/* drop the reference held my the minor */
+			if (dev->driver->master_drop)
+				dev->driver->master_drop(dev, file_priv, true);
+			drm_master_put(&file_priv->minor->master);
+		}
+	}
+	mutex_unlock(&dev->struct_mutex);
+	return 0;
+}
+EXPORT_SYMBOL(drm_flush);
+
 /**
  * File \c open operation.
  *
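Review bot: The `atomic_long_read(&filp->f_count) != 1` test at the top of drm_flush is a lockless snapshot standing in for "this is the last close", and the new exported function has no comment stating that assumption or what state it leaves for drm_release, which still runs later on the same file_priv. In particular `file_priv->is_master` stays set after `drm_master_put(&file_priv->minor->master)`, so if the file ever outlived this call, the fd would still pass any permission check that reads only that flag; whether such a check exists, and whether drm_release depends on the flag still being set, is not visible in this hunk. I would add a header comment along the lines of `/* Called on every close(); drops DRM master early only when this is the last file reference. drm_release must tolerate minor->master already being dropped. */` and either clear `is_master` under `struct_mutex` here or document why it is left set. The early `!file_priv->is_master` read on the same line is also outside the mutex; the re-check under the lock covers it, which deserves a one-line why-comment so the duplicate test is not later "cleaned up".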
diff --git a/drivers/gpu/drm/i915/i915_drv.c b/drivers/gpu/drm/i915/i915_drv.c
index 62aaf8d..6dcfec3 100644
--- a/drivers/gpu/drm/i915/i915_drv.c
+++ b/drivers/gpu/drm/i915/i915_drv.c
@@ -1018,6 +1018,7 @@ static const struct vm_operations_struct i915_gem_vm_ops = {
 static const struct file_operations i915_driver_fops = {
 	.owner = THIS_MODULE,
 	.open = drm_open,
+	.flush = drm_flush,
 	.release = drm_release,
 	.unlocked_ioctl = drm_ioctl,
 	.mmap = drm_gem_mmap,
diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c
index 5cdd684..2c439f9 100644
--- a/drivers/gpu/drm/radeon/radeon_drv.c
+++ b/drivers/gpu/drm/radeon/radeon_drv.c
@@ -361,6 +361,7 @@ radeon_pci_resume(struct pci_dev *pdev)
 static const struct file_operations radeon_driver_kms_fops = {
 	.owner = THIS_MODULE,
 	.open = drm_open,
+	.flush = drm_flush,
 	.release = drm_release,
 	.unlocked_ioctl = drm_ioctl,
 	.mmap = radeon_mmap,
diff --git a/include/drm/drmP.h b/include/drm/drmP.h
index 6cd30db..2a4f97d 100644
--- a/include/drm/drmP.h
+++ b/include/drm/drmP.h
@@ -1320,6 +1320,8 @@ extern int drm_stub_open(struct inode *inode, struct file *filp);
 extern int drm_fasync(int fd, struct file *filp, int on);
 extern ssize_t drm_read(struct file *filp, char __user *buffer,
 			size_t count, loff_t *offset);
+
+extern int drm_flush(struct file *filp, fl_owner_t id);
 extern int drm_release(struct inode *inode, struct file *filp);
 
 				/* Mapping support (drm_vm.h) */


