On Thu, Oct 02, 2025 at 04:59:51PM +0300, Jani Nikula wrote: > On Thu, 02 Oct 2025, Ville Syrjala <[email protected]> wrote: > > From: Ville Syrjälä <[email protected]> > > > > intel_frontbuffer_get() is what locks out subsequent set_tiling > > changes to the bo. Thus the fence vs. modifier check must be done > > after intel_frontbuffer_get(), or else a concurrent set_tiling ioctl > > might sneak in and change the fence after the check has been done. > > > > Close the race again. See commit dd689287b977 ("drm/i915: Prevent > > concurrent tiling/framebuffer modifications") for the previous > > instance. > > > > Cc: Jouni Högander <[email protected]> > > Fixes: 10690b8a49bc ("drm/i915/display: Add intel_fb_bo_framebuffer_fini") > > Signed-off-by: Ville Syrjälä <[email protected]> > > --- > > drivers/gpu/drm/i915/display/intel_fb.c | 38 +++++++++++++------------ > > 1 file changed, 20 insertions(+), 18 deletions(-) > > > > diff --git a/drivers/gpu/drm/i915/display/intel_fb.c > > b/drivers/gpu/drm/i915/display/intel_fb.c > > index 69237dabdae8..c5bbca7f2e8b 100644 > > --- a/drivers/gpu/drm/i915/display/intel_fb.c > > +++ b/drivers/gpu/drm/i915/display/intel_fb.c > > @@ -2218,15 +2218,17 @@ int intel_framebuffer_init(struct intel_framebuffer > > *intel_fb, > > int ret = -EINVAL; > > int i; > > > > - ret = intel_fb_bo_framebuffer_init(fb, obj, mode_cmd); > > - if (ret) > > - return ret; > > - > > + /* > > + * intel_frontbuffer_get() must be done before > > + * intel_fb_bo_framebuffer_init() to avoid set_tiling vs. addfb race. > > + */ > > intel_fb->frontbuffer = intel_frontbuffer_get(obj); > > - if (!intel_fb->frontbuffer) { > > - ret = -ENOMEM; > > - goto err; > > - } > > + if (!intel_fb->frontbuffer) > > + return -ENOMEM; > > + > > + ret = intel_fb_bo_framebuffer_init(fb, obj, mode_cmd); > > + if (ret) > > + goto err_frontbuffer_put; > > Do you think we should modify intel_user_framebuffer_destroy() to also > have the same put & fini order here, just for consistency?
Sounds reasonable. I'll send a v2. > > I think this should be merged before my leak fix, and that should be > rebased [1], to make the backports easier. > > Reviewed-by: Jani Nikula <[email protected]> > > > [1] https://lore.kernel.org/r/[email protected] > > > > > ret = -EINVAL; > > if (!drm_any_plane_has_format(display->drm, > > @@ -2235,7 +2237,7 @@ int intel_framebuffer_init(struct intel_framebuffer > > *intel_fb, > > drm_dbg_kms(display->drm, > > "unsupported pixel format %p4cc / modifier > > 0x%llx\n", > > &mode_cmd->pixel_format, mode_cmd->modifier[0]); > > - goto err_frontbuffer_put; > > + goto err_bo_framebuffer_fini; > > } > > > > max_stride = intel_fb_max_stride(display, mode_cmd->pixel_format, > > @@ -2246,7 +2248,7 @@ int intel_framebuffer_init(struct intel_framebuffer > > *intel_fb, > > mode_cmd->modifier[0] != DRM_FORMAT_MOD_LINEAR ? > > "tiled" : "linear", > > mode_cmd->pitches[0], max_stride); > > - goto err_frontbuffer_put; > > + goto err_bo_framebuffer_fini; > > } > > > > /* FIXME need to adjust LINOFF/TILEOFF accordingly. */ > > @@ -2254,7 +2256,7 @@ int intel_framebuffer_init(struct intel_framebuffer > > *intel_fb, > > drm_dbg_kms(display->drm, > > "plane 0 offset (0x%08x) must be 0\n", > > mode_cmd->offsets[0]); > > - goto err_frontbuffer_put; > > + goto err_bo_framebuffer_fini; > > } > > > > drm_helper_mode_fill_fb_struct(display->drm, fb, info, mode_cmd); > > @@ -2264,7 +2266,7 @@ int intel_framebuffer_init(struct intel_framebuffer > > *intel_fb, > > > > if (mode_cmd->handles[i] != mode_cmd->handles[0]) { > > drm_dbg_kms(display->drm, "bad plane %d handle\n", i); > > - goto err_frontbuffer_put; > > + goto err_bo_framebuffer_fini; > > } > > > > stride_alignment = intel_fb_stride_alignment(fb, i); > > @@ -2272,7 +2274,7 @@ int intel_framebuffer_init(struct intel_framebuffer > > *intel_fb, > > drm_dbg_kms(display->drm, > > "plane %d pitch (%d) must be at least %u > > byte aligned\n", > > i, fb->pitches[i], stride_alignment); > > - goto err_frontbuffer_put; > > + goto err_bo_framebuffer_fini; > > } > > > > if (intel_fb_is_gen12_ccs_aux_plane(fb, i)) { > > @@ -2282,7 +2284,7 @@ int intel_framebuffer_init(struct intel_framebuffer > > *intel_fb, > > drm_dbg_kms(display->drm, > > "ccs aux plane %d pitch (%d) must > > be %d\n", > > i, fb->pitches[i], ccs_aux_stride); > > - goto err_frontbuffer_put; > > + goto err_bo_framebuffer_fini; > > } > > } > > > > @@ -2291,7 +2293,7 @@ int intel_framebuffer_init(struct intel_framebuffer > > *intel_fb, > > > > ret = intel_fill_fb_info(display, intel_fb); > > if (ret) > > - goto err_frontbuffer_put; > > + goto err_bo_framebuffer_fini; > > > > if (intel_fb_uses_dpt(fb)) { > > struct i915_address_space *vm; > > @@ -2317,10 +2319,10 @@ int intel_framebuffer_init(struct intel_framebuffer > > *intel_fb, > > err_free_dpt: > > if (intel_fb_uses_dpt(fb)) > > intel_dpt_destroy(intel_fb->dpt_vm); > > -err_frontbuffer_put: > > - intel_frontbuffer_put(intel_fb->frontbuffer); > > -err: > > +err_bo_framebuffer_fini: > > intel_fb_bo_framebuffer_fini(obj); > > +err_frontbuffer_put: > > + intel_frontbuffer_put(intel_fb->frontbuffer); > > return ret; > > } > > -- > Jani Nikula, Intel -- Ville Syrjälä Intel
