vmwgfx: Clean up pending event references to struct drm_file objects on close
Thomas Hellstrom [Thu, 9 Feb 2012 15:56:42 +0000 (16:56 +0100)]
Pending events may have stale pointer references to struct drm_file objects
after a file has been closed, but before the event is supposed to be
attached to the drm file. Remove such events on file close.

Tested with "modetest".

Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Reviewed-by: Jakob Bornecrantz <jakob@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

drivers/gpu/drm/vmwgfx/vmwgfx_drv.c
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
drivers/gpu/drm/vmwgfx/vmwgfx_fence.h

index f390f5f..28f59a3 100644 (file)
@@ -688,6 +688,15 @@ static int vmw_driver_unload(struct drm_device *dev)
        return 0;
 }
 
+static void vmw_preclose(struct drm_device *dev,
+                        struct drm_file *file_priv)
+{
+       struct vmw_fpriv *vmw_fp = vmw_fpriv(file_priv);
+       struct vmw_private *dev_priv = vmw_priv(dev);
+
+       vmw_event_fence_fpriv_gone(dev_priv->fman, &vmw_fp->fence_events);
+}
+
 static void vmw_postclose(struct drm_device *dev,
                         struct drm_file *file_priv)
 {
@@ -710,6 +719,7 @@ static int vmw_driver_open(struct drm_device *dev, struct drm_file *file_priv)
        if (unlikely(vmw_fp == NULL))
                return ret;
 
+       INIT_LIST_HEAD(&vmw_fp->fence_events);
        vmw_fp->tfile = ttm_object_file_init(dev_priv->tdev, 10);
        if (unlikely(vmw_fp->tfile == NULL))
                goto out_no_tfile;
@@ -1102,6 +1112,7 @@ static struct drm_driver driver = {
        .master_set = vmw_master_set,
        .master_drop = vmw_master_drop,
        .open = vmw_driver_open,
+       .preclose = vmw_preclose,
        .postclose = vmw_postclose,
        .fops = &vmwgfx_driver_fops,
        .name = VMWGFX_DRIVER_NAME,
index 7f09db1..93505ce 100644 (file)
@@ -62,6 +62,7 @@
 struct vmw_fpriv {
        struct drm_master *locked_master;
        struct ttm_object_file *tfile;
+       struct list_head fence_events;
 };
 
 struct vmw_dma_buffer {
index ea9d045..f2fb8f1 100644 (file)
@@ -70,6 +70,7 @@ struct vmw_user_fence {
  */
 struct vmw_event_fence_action {
        struct vmw_fence_action action;
+       struct list_head fpriv_head;
 
        struct drm_pending_event *event;
        struct vmw_fence_obj *fence;
@@ -783,6 +784,43 @@ int vmw_fence_obj_unref_ioctl(struct drm_device *dev, void *data,
                                         TTM_REF_USAGE);
 }
 
+/**
+ * vmw_event_fence_fpriv_gone - Remove references to struct drm_file objects
+ *
+ * @fman: Pointer to a struct vmw_fence_manager
+ * @event_list: Pointer to linked list of struct vmw_event_fence_action objects
+ * with pointers to a struct drm_file object about to be closed.
+ *
+ * This function removes all pending fence events with references to a
+ * specific struct drm_file object about to be closed. The caller is required
+ * to pass a list of all struct vmw_event_fence_action objects with such
+ * events attached. This function is typically called before the
+ * struct drm_file object's event management is taken down.
+ */
+void vmw_event_fence_fpriv_gone(struct vmw_fence_manager *fman,
+                               struct list_head *event_list)
+{
+       struct vmw_event_fence_action *eaction;
+       struct drm_pending_event *event;
+       unsigned long irq_flags;
+
+       while (1) {
+               spin_lock_irqsave(&fman->lock, irq_flags);
+               if (list_empty(event_list))
+                       goto out_unlock;
+               eaction = list_first_entry(event_list,
+                                          struct vmw_event_fence_action,
+                                          fpriv_head);
+               list_del_init(&eaction->fpriv_head);
+               event = eaction->event;
+               eaction->event = NULL;
+               spin_unlock_irqrestore(&fman->lock, irq_flags);
+               event->destroy(event);
+       }
+out_unlock:
+       spin_unlock_irqrestore(&fman->lock, irq_flags);
+}
+
 
 /**
  * vmw_event_fence_action_seq_passed
@@ -800,9 +838,14 @@ static void vmw_event_fence_action_seq_passed(struct vmw_fence_action *action)
        struct vmw_event_fence_action *eaction =
                container_of(action, struct vmw_event_fence_action, action);
        struct drm_device *dev = eaction->dev;
-       struct drm_file *file_priv = eaction->event->file_priv;
+       struct drm_pending_event *event = eaction->event;
+       struct drm_file *file_priv;
        unsigned long irq_flags;
 
+       if (unlikely(event == NULL))
+               return;
+
+       file_priv = event->file_priv;
        spin_lock_irqsave(&dev->event_lock, irq_flags);
 
        if (likely(eaction->tv_sec != NULL)) {
@@ -813,7 +856,9 @@ static void vmw_event_fence_action_seq_passed(struct vmw_fence_action *action)
                *eaction->tv_usec = tv.tv_usec;
        }
 
+       list_del_init(&eaction->fpriv_head);
        list_add_tail(&eaction->event->link, &file_priv->event_list);
+       eaction->event = NULL;
        wake_up_all(&file_priv->event_wait);
        spin_unlock_irqrestore(&dev->event_lock, irq_flags);
 }
@@ -831,6 +876,12 @@ static void vmw_event_fence_action_cleanup(struct vmw_fence_action *action)
 {
        struct vmw_event_fence_action *eaction =
                container_of(action, struct vmw_event_fence_action, action);
+       struct vmw_fence_manager *fman = eaction->fence->fman;
+       unsigned long irq_flags;
+
+       spin_lock_irqsave(&fman->lock, irq_flags);
+       list_del(&eaction->fpriv_head);
+       spin_unlock_irqrestore(&fman->lock, irq_flags);
 
        vmw_fence_obj_unreference(&eaction->fence);
        kfree(eaction);
@@ -910,7 +961,8 @@ int vmw_event_fence_action_queue(struct drm_file *file_priv,
 {
        struct vmw_event_fence_action *eaction;
        struct vmw_fence_manager *fman = fence->fman;
-
+       struct vmw_fpriv *vmw_fp = vmw_fpriv(file_priv);
+       unsigned long irq_flags;
 
        eaction = kzalloc(sizeof(*eaction), GFP_KERNEL);
        if (unlikely(eaction == NULL))
@@ -927,6 +979,10 @@ int vmw_event_fence_action_queue(struct drm_file *file_priv,
        eaction->tv_sec = tv_sec;
        eaction->tv_usec = tv_usec;
 
+       spin_lock_irqsave(&fman->lock, irq_flags);
+       list_add_tail(&eaction->fpriv_head, &vmw_fp->fence_events);
+       spin_unlock_irqrestore(&fman->lock, irq_flags);
+
        vmw_fence_obj_add_action(fence, &eaction->action);
 
        return 0;
index 0854a20..8767fc1 100644 (file)
@@ -109,5 +109,8 @@ extern int vmw_fence_obj_unref_ioctl(struct drm_device *dev, void *data,
                                     struct drm_file *file_priv);
 extern int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
                                 struct drm_file *file_priv);
+extern void vmw_event_fence_fpriv_gone(struct vmw_fence_manager *fman,
+                                      struct list_head *event_list);
+
 
 #endif /* _VMWGFX_FENCE_H_ */