[PATCH] drm: Fix possible deadlock in drm_mode_config_cleanup()

Marek Szyprowski m.szyprowski at samsung.com
Wed Dec 13 00:57:20 PST 2017


drm_mode_config_cleanup() might be called from a workqueue context (for
example in error path handling of deferred probe), so it must not call
flush_scheduled_work(), because it would deadlock in such case. Replace
that call with explicit counting of the scheduled connector free works
and waiting until it reaches zero.

Fixes: a703c55004e1 ("drm: safely free connectors from connector_iter")
Signed-off-by: Marek Szyprowski <m.szyprowski at samsung.com>
---
This fixes the issue discussed in the following thread:
https://www.spinics.net/lists/arm-kernel/msg622332.html
---
 drivers/gpu/drm/drm_connector.c   |  6 +++++-
 drivers/gpu/drm/drm_mode_config.c |  6 +++++-
 include/drm/drm_mode_config.h     | 13 +++++++++++++
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_connector.c b/drivers/gpu/drm/drm_connector.c
index 0b7e0974e6da..7620ac1ad1b1 100644
--- a/drivers/gpu/drm/drm_connector.c
+++ b/drivers/gpu/drm/drm_connector.c
@@ -161,6 +161,8 @@ static void drm_connector_free_work_fn(struct work_struct *work)
 
 	drm_mode_object_unregister(dev, &connector->base);
 	connector->funcs->destroy(connector);
+	atomic_dec(&dev->mode_config.connector_free_works);
+	wake_up_all(&dev->mode_config.connector_free_queue);
 }
 
 /**
@@ -552,8 +554,10 @@ EXPORT_SYMBOL(drm_connector_list_iter_begin);
 static void
 drm_connector_put_safe(struct drm_connector *conn)
 {
-	if (refcount_dec_and_test(&conn->base.refcount.refcount))
+	if (refcount_dec_and_test(&conn->base.refcount.refcount)) {
+		atomic_inc(&conn->dev->mode_config.connector_free_works);
 		schedule_work(&conn->free_work);
+	}
 }
 
 /**
diff --git a/drivers/gpu/drm/drm_mode_config.c b/drivers/gpu/drm/drm_mode_config.c
index 6ffe952142e6..cca443faebd8 100644
--- a/drivers/gpu/drm/drm_mode_config.c
+++ b/drivers/gpu/drm/drm_mode_config.c
@@ -381,6 +381,7 @@ void drm_mode_config_init(struct drm_device *dev)
 	idr_init(&dev->mode_config.tile_idr);
 	ida_init(&dev->mode_config.connector_ida);
 	spin_lock_init(&dev->mode_config.connector_list_lock);
+	init_waitqueue_head(&dev->mode_config.connector_free_queue);
 
 	drm_mode_create_standard_properties(dev);
 
@@ -431,8 +432,11 @@ void drm_mode_config_cleanup(struct drm_device *dev)
 		drm_connector_put(connector);
 	}
 	drm_connector_list_iter_end(&conn_iter);
+
 	/* connector_iter drops references in a work item. */
-	flush_scheduled_work();
+	wait_event(dev->mode_config.connector_free_queue,
+		   !atomic_read(&dev->mode_config.connector_free_works));
+
 	if (WARN_ON(!list_empty(&dev->mode_config.connector_list))) {
 		drm_connector_list_iter_begin(dev, &conn_iter);
 		drm_for_each_connector_iter(connector, &conn_iter)
diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h
index a0afeb591dcb..83a7db997e83 100644
--- a/include/drm/drm_mode_config.h
+++ b/include/drm/drm_mode_config.h
@@ -413,6 +413,19 @@ struct drm_mode_config {
 	 * &struct drm_connector_list_iter to walk this list.
 	 */
 	struct list_head connector_list;
+	/**
+	 * @pending_connector_free_works:
+	 *
+	 * Number of scheduled connector->free_work instances, see
+	 * drm_connector_put_safe().
+	 */
+	atomic_t connector_free_works;
+	/**
+	 * @pending_connector_free_queue:
+	 *
+	 * Wait queue for waiting until connector->free_work is finished.
+	 */
+	wait_queue_head_t connector_free_queue;
 	/**
 	 * @num_encoder:
 	 *
-- 
2.15.0




More information about the linux-arm-kernel mailing list