Received: by 10.223.185.116 with SMTP id b49csp4175808wrg;
        Mon, 26 Feb 2018 12:35:09 -0800 (PST)
X-Google-Smtp-Source: AH8x227DWEPzhicyFiMuQ8AfIBCZg0yNx2nf7XvLQ/mhiX6EP/xKb2pT1x0B7Y0hZC87ObYEbnAL
X-Received: by 2002:a17:902:7e87:: with SMTP id c7-v6mr12187822plm.138.1519677309641;
        Mon, 26 Feb 2018 12:35:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1519677309; cv=none;
        d=google.com; s=arc-20160816;
        b=krOKx2IFgzI0s3XfGFc9CdvgW0uhksK/uVZSOs5qbnHQxJdWo5b/nxHPlhu0iAXx8w
         lRUqNngo9Kv0ZBqxLtTGWwukIDysrGbIbrYdxRISJBvDRj9OARD8ysLqT0HDwy9H6+e0
         dK/SfuB/L4HyZ9onU535BaC0sRKoptVxv5lgwJSw29N+kFm6FzVKx4jH2v5kjH42nOiy
         QSDg3YGkYr7WLD5tTV0p8v4y8p4wEbDX4Rwhxr+kOehzfeUbFVGEsyqwe9LniTN7xM8p
         tFn/jACj+P7pcSYt6K6NvZ2jt3X8r1xXWZfbDqhJVyrGX/VwnnpU+0J4NR61eqT7k5xz
         FwGQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=VGhFRnGB6+sLVFDz0r0q/m+AarCmxnhhxdrtmrYqZYc=;
        b=M+/Cag3uT8slnox+QhMdGLn3HJsN4MK8ENWYh29VlHhBzKOFAXGjL6+SrjScQ/mLyo
         E32+eWSDr0mFdt+yVgMVXILcNAFLMiHst893sYOf7LnXpyHkrhX7+rI7XY12Z7g0bvAW
         kvi6QVP4iPZKkerbnAdB37pzg/LfDDFOp46n1pLqq09oaz0t0bopYfoF/FLQR+2/YQ6G
         268KVmvg573jEooaLQ64gw1z96XOcAymQezVkPUvZR8Dy/H2K8KTbWx0DEUehr8+N4zf
         77QNQ45ZkQa2pxArvI/rGQSm1wltxrM3CqfHHO0R1BnOfjx7CmUeieHZ/3YQtOrDe7Y6
         FrVg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v22si5980761pgc.724.2018.02.26.12.34.53;
        Mon, 26 Feb 2018 12:35:09 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932106AbeBZU2c (ORCPT <rfc822;sujaykul91@gmail.com> + 99 others);
        Mon, 26 Feb 2018 15:28:32 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:37230 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932084AbeBZU23 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 26 Feb 2018 15:28:29 -0500
Received: from localhost (clnet-b04-243.ikbnet.co.at [83.175.124.243])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 961D5E75;
        Mon, 26 Feb 2018 20:28:28 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, "Leo (Sunpeng) Li" <sunpeng.li@amd.com>,
        Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
        Sean Paul <seanpaul@chromium.org>
Subject: [PATCH 4.15 54/64] drm/atomic: Fix memleak on ERESTARTSYS during non-blocking commits
Date:   Mon, 26 Feb 2018 21:22:31 +0100
Message-Id: <20180226202155.744688286@linuxfoundation.org>
X-Mailer: git-send-email 2.16.2
In-Reply-To: <20180226202153.453363333@linuxfoundation.org>
References: <20180226202153.453363333@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Leo (Sunpeng) Li <sunpeng.li@amd.com>

commit 54f809cfbd6b4a43959039f5d33596ed3297ce16 upstream.

During a non-blocking commit, it is possible to return before the
commit_tail work is queued (-ERESTARTSYS, for example).

Since a reference on the crtc commit object is obtained for the pending
vblank event when preparing the commit, the above situation will leave
us with an extra reference.

Therefore, if the commit_tail worker has not consumed the event at the
end of a commit, release it's reference.

Changes since v1:
- Also check for state->event->base.completion being set, to
  handle the case where stall_checks() fails in setup_crtc_commit().
Changes since v2:
- Add a flag to drm_crtc_commit, to prevent dereferencing a freed event.
  i915 may unreference the state in a worker.

Fixes: 24835e442f28 ("drm: reference count event->completion")
Cc: <stable@vger.kernel.org> # v4.11+
Signed-off-by: Leo (Sunpeng) Li <sunpeng.li@amd.com>
Acked-by: Harry Wentland <harry.wentland@amd.com> #v1
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180117115108.29608-1-maarten.lankhorst@linux.intel.com
Reviewed-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/drm_atomic_helper.c |   15 +++++++++++++++
 include/drm/drm_atomic.h            |    9 +++++++++
 2 files changed, 24 insertions(+)

--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1778,6 +1778,8 @@ int drm_atomic_helper_setup_commit(struc
 		new_crtc_state->event->base.completion = &commit->flip_done;
 		new_crtc_state->event->base.completion_release = release_crtc_commit;
 		drm_crtc_commit_get(commit);
+
+		commit->abort_completion = true;
 	}
 
 	for_each_oldnew_connector_in_state(state, conn, old_conn_state, new_conn_state, i) {
@@ -3327,8 +3329,21 @@ EXPORT_SYMBOL(drm_atomic_helper_crtc_dup
 void __drm_atomic_helper_crtc_destroy_state(struct drm_crtc_state *state)
 {
 	if (state->commit) {
+		/*
+		 * In the event that a non-blocking commit returns
+		 * -ERESTARTSYS before the commit_tail work is queued, we will
+		 * have an extra reference to the commit object. Release it, if
+		 * the event has not been consumed by the worker.
+		 *
+		 * state->event may be freed, so we can't directly look at
+		 * state->event->base.completion.
+		 */
+		if (state->event && state->commit->abort_completion)
+			drm_crtc_commit_put(state->commit);
+
 		kfree(state->commit->event);
 		state->commit->event = NULL;
+
 		drm_crtc_commit_put(state->commit);
 	}
 
--- a/include/drm/drm_atomic.h
+++ b/include/drm/drm_atomic.h
@@ -134,6 +134,15 @@ struct drm_crtc_commit {
 	 * &drm_pending_vblank_event pointer to clean up private events.
 	 */
 	struct drm_pending_vblank_event *event;
+
+	/**
+	 * @abort_completion:
+	 *
+	 * A flag that's set after drm_atomic_helper_setup_commit takes a second
+	 * reference for the completion of $drm_crtc_state.event. It's used by
+	 * the free code to remove the second reference if commit fails.
+	 */
+	bool abort_completion;
 };
 
 struct __drm_planes_state {