drm: Undo damage to page_flip_ioctl

I screwed up rebasing of my patch in commit 43968d7b80 Author: Daniel Vetter <daniel.vetter@ffwll.ch> Date: Wed Sep 21 10:59:24 2016 +0200 drm: Extract drm_plane.[hc] which meant on error paths drm_crtc_vblank_put could be called without a get, leading to an underrun of the refcount. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98020 Reported-and-tested-by: Andy Furniss <adf.lists@gmail.com> Cc: Sean Paul <seanpaul@chromium.org> Cc: Michel Dänzer <michel@daenzer.net> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> Link: http://patchwork.freedesktop.org/patch/msgid/20161003082827.11586-1-daniel.vetter@ffwll.ch Signed-off-by: Dave Airlie <airlied@redhat.com>
2016-10-03 10:28:27 +02:00 · 2016-10-03 10:28:27 +02:00 · 2adb29b18e
commit 2adb29b18e
parent e86fa21b77
1 changed files with 39 additions and 42 deletions
--- a/drivers/gpu/drm/drm_plane.c
+++ b/drivers/gpu/drm/drm_plane.c
@ -783,6 +783,45 @@ int drm_mode_page_flip_ioctl(struct drm_device *dev,
 	if (!crtc)
 		return -ENOENT;

+	if (crtc->funcs->page_flip_target) {
+		u32 current_vblank;
+		int r;
+
+		r = drm_crtc_vblank_get(crtc);
+		if (r)
+			return r;
+
+		current_vblank = drm_crtc_vblank_count(crtc);
+
+		switch (page_flip->flags & DRM_MODE_PAGE_FLIP_TARGET) {
+		case DRM_MODE_PAGE_FLIP_TARGET_ABSOLUTE:
+			if ((int)(target_vblank - current_vblank) > 1) {
+				DRM_DEBUG("Invalid absolute flip target %u, "
+					  "must be <= %u\n", target_vblank,
+					  current_vblank + 1);
+				drm_crtc_vblank_put(crtc);
+				return -EINVAL;
+			}
+			break;
+		case DRM_MODE_PAGE_FLIP_TARGET_RELATIVE:
+			if (target_vblank != 0 && target_vblank != 1) {
+				DRM_DEBUG("Invalid relative flip target %u, "
+					  "must be 0 or 1\n", target_vblank);
+				drm_crtc_vblank_put(crtc);
+				return -EINVAL;
+			}
+			target_vblank += current_vblank;
+			break;
+		default:
+			target_vblank = current_vblank +
+				!(page_flip->flags & DRM_MODE_PAGE_FLIP_ASYNC);
+			break;
+		}
+	} else if (crtc->funcs->page_flip == NULL ||
+		   (page_flip->flags & DRM_MODE_PAGE_FLIP_TARGET)) {
+		return -EINVAL;
+	}
+
 	drm_modeset_lock_crtc(crtc, crtc->primary);
 	if (crtc->primary->fb == NULL) {
 		/* The framebuffer is currently unbound, presumably
@ -793,9 +832,6 @@ int drm_mode_page_flip_ioctl(struct drm_device *dev,
 		goto out;
 	}

-	if (crtc->funcs->page_flip == NULL)
-		goto out;
-
 	fb = drm_framebuffer_lookup(dev, page_flip->fb_id);
 	if (!fb) {
 		ret = -ENOENT;
@ -839,45 +875,6 @@ int drm_mode_page_flip_ioctl(struct drm_device *dev,
 	}

 	crtc->primary->old_fb = crtc->primary->fb;
-	if (crtc->funcs->page_flip_target) {
-		u32 current_vblank;
-		int r;
-
-		r = drm_crtc_vblank_get(crtc);
-		if (r)
-			return r;
-
-		current_vblank = drm_crtc_vblank_count(crtc);
-
-		switch (page_flip->flags & DRM_MODE_PAGE_FLIP_TARGET) {
-		case DRM_MODE_PAGE_FLIP_TARGET_ABSOLUTE:
-			if ((int)(target_vblank - current_vblank) > 1) {
-				DRM_DEBUG("Invalid absolute flip target %u, "
-					  "must be <= %u\n", target_vblank,
-					  current_vblank + 1);
-				drm_crtc_vblank_put(crtc);
-				return -EINVAL;
-			}
-			break;
-		case DRM_MODE_PAGE_FLIP_TARGET_RELATIVE:
-			if (target_vblank != 0 && target_vblank != 1) {
-				DRM_DEBUG("Invalid relative flip target %u, "
-					  "must be 0 or 1\n", target_vblank);
-				drm_crtc_vblank_put(crtc);
-				return -EINVAL;
-			}
-			target_vblank += current_vblank;
-			break;
-		default:
-			target_vblank = current_vblank +
-				!(page_flip->flags & DRM_MODE_PAGE_FLIP_ASYNC);
-			break;
-		}
-	} else if (crtc->funcs->page_flip == NULL ||
-		   (page_flip->flags & DRM_MODE_PAGE_FLIP_TARGET)) {
-		return -EINVAL;
-	}
-
 	if (crtc->funcs->page_flip_target)
 		ret = crtc->funcs->page_flip_target(crtc, fb, e,
 						    page_flip->flags,