Herton Ronaldo Krzesinski 9e769ff3f5 fb: avoid possible deadlock caused by fb_set_suspend
A lock ordering issue can cause deadlocks: in framebuffer/console code,
all needed struct fb_info locks are taken before acquire_console_sem(),
in places which need to take console semaphore.

But fb_set_suspend is always called with console semaphore held, and
inside it we call lock_fb_info which gets the fb_info lock, inverse
locking order of what the rest of the code does. This causes a real
deadlock issue, when we write to state fb sysfs attribute (which calls
fb_set_suspend) while a framebuffer is being unregistered by
remove_conflicting_framebuffers, as can be shown by following show
blocked state trace on a test program which loads i915 and runs another
forked processes writing to state attribute:

Test process with semaphore held and trying to get fb_info lock:
..
fb-test2      D 0000000000000000     0   237    228 0x00000000
 ffff8800774f3d68 0000000000000082 00000000000135c0 00000000000135c0
 ffff880000000000 ffff8800774f3fd8 ffff8800774f3fd8 ffff880076ee4530
 00000000000135c0 ffff8800774f3fd8 ffff8800774f2000 00000000000135c0
Call Trace:
 [<ffffffff8141287a>] __mutex_lock_slowpath+0x11a/0x1e0
 [<ffffffff814142f2>] ? _raw_spin_lock_irq+0x22/0x40
 [<ffffffff814123d3>] mutex_lock+0x23/0x50
 [<ffffffff8125dfc5>] lock_fb_info+0x25/0x60
 [<ffffffff8125e3f0>] fb_set_suspend+0x20/0x80
 [<ffffffff81263e2f>] store_fbstate+0x4f/0x70
 [<ffffffff812e7f70>] dev_attr_store+0x20/0x30
 [<ffffffff811c46b4>] sysfs_write_file+0xd4/0x160
 [<ffffffff81155a26>] vfs_write+0xc6/0x190
 [<ffffffff81155d51>] sys_write+0x51/0x90
 [<ffffffff8100c012>] system_call_fastpath+0x16/0x1b
..
modprobe process stalled because has the fb_info lock (got inside
unregister_framebuffer) but waiting for the semaphore held by the
test process which is waiting to get the fb_info lock:
..
modprobe      D 0000000000000000     0   230    218 0x00000000
 ffff880077a4d618 0000000000000082 0000000000000001 0000000000000001
 ffff880000000000 ffff880077a4dfd8 ffff880077a4dfd8 ffff8800775a2e20
 00000000000135c0 ffff880077a4dfd8 ffff880077a4c000 00000000000135c0
Call Trace:
 [<ffffffff81411fe5>] schedule_timeout+0x215/0x310
 [<ffffffff81058051>] ? get_parent_ip+0x11/0x50
 [<ffffffff814130dd>] __down+0x6d/0xb0
 [<ffffffff81089f71>] down+0x41/0x50
 [<ffffffff810629ac>] acquire_console_sem+0x2c/0x50
 [<ffffffff812ca53d>] unbind_con_driver+0xad/0x2d0
 [<ffffffff8126f5f7>] fbcon_event_notify+0x457/0x890
 [<ffffffff814144ff>] ? _raw_spin_unlock_irqrestore+0x1f/0x50
 [<ffffffff81058051>] ? get_parent_ip+0x11/0x50
 [<ffffffff8141836d>] notifier_call_chain+0x4d/0x70
 [<ffffffff8108a3b8>] __blocking_notifier_call_chain+0x58/0x80
 [<ffffffff8108a3f6>] blocking_notifier_call_chain+0x16/0x20
 [<ffffffff8125dabb>] fb_notifier_call_chain+0x1b/0x20
 [<ffffffff8125e6ac>] unregister_framebuffer+0x7c/0x130
 [<ffffffff8125e8b3>] remove_conflicting_framebuffers+0x153/0x180
 [<ffffffff8125eef3>] register_framebuffer+0x93/0x2c0
 [<ffffffffa0331112>] drm_fb_helper_single_fb_probe+0x252/0x2f0 [drm_kms_helper]
 [<ffffffffa03314a3>] drm_fb_helper_initial_config+0x2f3/0x6d0 [drm_kms_helper]
 [<ffffffffa03318dd>] ? drm_fb_helper_single_add_all_connectors+0x5d/0x1c0 [drm_kms_helper]
 [<ffffffffa037b588>] intel_fbdev_init+0xa8/0x160 [i915]
 [<ffffffffa0343d74>] i915_driver_load+0x854/0x12b0 [i915]
 [<ffffffffa02f0e7e>] drm_get_pci_dev+0x19e/0x360 [drm]
 [<ffffffff8141821d>] ? sub_preempt_count+0x9d/0xd0
 [<ffffffffa0386f91>] i915_pci_probe+0x15/0x17 [i915]
 [<ffffffff8124481f>] local_pci_probe+0x5f/0xd0
 [<ffffffff81244f89>] pci_device_probe+0x119/0x120
 [<ffffffff812eccaa>] ? driver_sysfs_add+0x7a/0xb0
 [<ffffffff812ed003>] driver_probe_device+0xa3/0x290
 [<ffffffff812ed1f0>] ? __driver_attach+0x0/0xb0
 [<ffffffff812ed29b>] __driver_attach+0xab/0xb0
 [<ffffffff812ed1f0>] ? __driver_attach+0x0/0xb0
 [<ffffffff812ebd3e>] bus_for_each_dev+0x5e/0x90
 [<ffffffff812ecc2e>] driver_attach+0x1e/0x20
 [<ffffffff812ec6f2>] bus_add_driver+0xe2/0x320
 [<ffffffffa03aa000>] ? i915_init+0x0/0x96 [i915]
 [<ffffffff812ed536>] driver_register+0x76/0x140
 [<ffffffffa03aa000>] ? i915_init+0x0/0x96 [i915]
 [<ffffffff81245216>] __pci_register_driver+0x56/0xd0
 [<ffffffffa02f1264>] drm_pci_init+0xe4/0xf0 [drm]
 [<ffffffffa03aa000>] ? i915_init+0x0/0x96 [i915]
 [<ffffffffa02e84a8>] drm_init+0x58/0x70 [drm]
 [<ffffffffa03aa094>] i915_init+0x94/0x96 [i915]
 [<ffffffff81002194>] do_one_initcall+0x44/0x190
 [<ffffffff810a066b>] sys_init_module+0xcb/0x210
 [<ffffffff8100c012>] system_call_fastpath+0x16/0x1b
..

fb-test2 which reproduces above is available on kernel.org bug #26232.
To solve this issue, avoid calling lock_fb_info inside fb_set_suspend,
and move it out to where needed (callers of fb_set_suspend must call
lock_fb_info before if needed). So far, the only place which needs to
call lock_fb_info is store_fbstate, all other places which calls
fb_set_suspend are suspend/resume hooks that should not need the lock as
they should be run only when processes are already frozen in
suspend/resume.

References: https://bugzilla.kernel.org/show_bug.cgi?id=26232
Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br>
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Cc: stable@kernel.org
2011-09-02 17:58:29 +00:00

575 lines
14 KiB
C

/*
* fbsysfs.c - framebuffer device class and attributes
*
* Copyright (c) 2004 James Simmons <jsimmons@infradead.org>
*
* This program is free software you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version
* 2 of the License, or (at your option) any later version.
*/
/*
* Note: currently there's only stubs for framebuffer_alloc and
* framebuffer_release here. The reson for that is that until all drivers
* are converted to use it a sysfsification will open OOPSable races.
*/
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/fb.h>
#include <linux/console.h>
#include <linux/module.h>
#define FB_SYSFS_FLAG_ATTR 1
/**
* framebuffer_alloc - creates a new frame buffer info structure
*
* @size: size of driver private data, can be zero
* @dev: pointer to the device for this fb, this can be NULL
*
* Creates a new frame buffer info structure. Also reserves @size bytes
* for driver private data (info->par). info->par (if any) will be
* aligned to sizeof(long).
*
* Returns the new structure, or NULL if an error occurred.
*
*/
struct fb_info *framebuffer_alloc(size_t size, struct device *dev)
{
#define BYTES_PER_LONG (BITS_PER_LONG/8)
#define PADDING (BYTES_PER_LONG - (sizeof(struct fb_info) % BYTES_PER_LONG))
int fb_info_size = sizeof(struct fb_info);
struct fb_info *info;
char *p;
if (size)
fb_info_size += PADDING;
p = kzalloc(fb_info_size + size, GFP_KERNEL);
if (!p)
return NULL;
info = (struct fb_info *) p;
if (size)
info->par = p + fb_info_size;
info->device = dev;
#ifdef CONFIG_FB_BACKLIGHT
mutex_init(&info->bl_curve_mutex);
#endif
return info;
#undef PADDING
#undef BYTES_PER_LONG
}
EXPORT_SYMBOL(framebuffer_alloc);
/**
* framebuffer_release - marks the structure available for freeing
*
* @info: frame buffer info structure
*
* Drop the reference count of the device embedded in the
* framebuffer info structure.
*
*/
void framebuffer_release(struct fb_info *info)
{
kfree(info->apertures);
kfree(info);
}
EXPORT_SYMBOL(framebuffer_release);
static int activate(struct fb_info *fb_info, struct fb_var_screeninfo *var)
{
int err;
var->activate |= FB_ACTIVATE_FORCE;
console_lock();
fb_info->flags |= FBINFO_MISC_USEREVENT;
err = fb_set_var(fb_info, var);
fb_info->flags &= ~FBINFO_MISC_USEREVENT;
console_unlock();
if (err)
return err;
return 0;
}
static int mode_string(char *buf, unsigned int offset,
const struct fb_videomode *mode)
{
char m = 'U';
char v = 'p';
if (mode->flag & FB_MODE_IS_DETAILED)
m = 'D';
if (mode->flag & FB_MODE_IS_VESA)
m = 'V';
if (mode->flag & FB_MODE_IS_STANDARD)
m = 'S';
if (mode->vmode & FB_VMODE_INTERLACED)
v = 'i';
if (mode->vmode & FB_VMODE_DOUBLE)
v = 'd';
return snprintf(&buf[offset], PAGE_SIZE - offset, "%c:%dx%d%c-%d\n",
m, mode->xres, mode->yres, v, mode->refresh);
}
static ssize_t store_mode(struct device *device, struct device_attribute *attr,
const char *buf, size_t count)
{
struct fb_info *fb_info = dev_get_drvdata(device);
char mstr[100];
struct fb_var_screeninfo var;
struct fb_modelist *modelist;
struct fb_videomode *mode;
struct list_head *pos;
size_t i;
int err;
memset(&var, 0, sizeof(var));
list_for_each(pos, &fb_info->modelist) {
modelist = list_entry(pos, struct fb_modelist, list);
mode = &modelist->mode;
i = mode_string(mstr, 0, mode);
if (strncmp(mstr, buf, max(count, i)) == 0) {
var = fb_info->var;
fb_videomode_to_var(&var, mode);
if ((err = activate(fb_info, &var)))
return err;
fb_info->mode = mode;
return count;
}
}
return -EINVAL;
}
static ssize_t show_mode(struct device *device, struct device_attribute *attr,
char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
if (!fb_info->mode)
return 0;
return mode_string(buf, 0, fb_info->mode);
}
static ssize_t store_modes(struct device *device,
struct device_attribute *attr,
const char *buf, size_t count)
{
struct fb_info *fb_info = dev_get_drvdata(device);
LIST_HEAD(old_list);
int i = count / sizeof(struct fb_videomode);
if (i * sizeof(struct fb_videomode) != count)
return -EINVAL;
console_lock();
list_splice(&fb_info->modelist, &old_list);
fb_videomode_to_modelist((const struct fb_videomode *)buf, i,
&fb_info->modelist);
if (fb_new_modelist(fb_info)) {
fb_destroy_modelist(&fb_info->modelist);
list_splice(&old_list, &fb_info->modelist);
} else
fb_destroy_modelist(&old_list);
console_unlock();
return 0;
}
static ssize_t show_modes(struct device *device, struct device_attribute *attr,
char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
unsigned int i;
struct list_head *pos;
struct fb_modelist *modelist;
const struct fb_videomode *mode;
i = 0;
list_for_each(pos, &fb_info->modelist) {
modelist = list_entry(pos, struct fb_modelist, list);
mode = &modelist->mode;
i += mode_string(buf, i, mode);
}
return i;
}
static ssize_t store_bpp(struct device *device, struct device_attribute *attr,
const char *buf, size_t count)
{
struct fb_info *fb_info = dev_get_drvdata(device);
struct fb_var_screeninfo var;
char ** last = NULL;
int err;
var = fb_info->var;
var.bits_per_pixel = simple_strtoul(buf, last, 0);
if ((err = activate(fb_info, &var)))
return err;
return count;
}
static ssize_t show_bpp(struct device *device, struct device_attribute *attr,
char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
return snprintf(buf, PAGE_SIZE, "%d\n", fb_info->var.bits_per_pixel);
}
static ssize_t store_rotate(struct device *device,
struct device_attribute *attr,
const char *buf, size_t count)
{
struct fb_info *fb_info = dev_get_drvdata(device);
struct fb_var_screeninfo var;
char **last = NULL;
int err;
var = fb_info->var;
var.rotate = simple_strtoul(buf, last, 0);
if ((err = activate(fb_info, &var)))
return err;
return count;
}
static ssize_t show_rotate(struct device *device,
struct device_attribute *attr, char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
return snprintf(buf, PAGE_SIZE, "%d\n", fb_info->var.rotate);
}
static ssize_t store_virtual(struct device *device,
struct device_attribute *attr,
const char *buf, size_t count)
{
struct fb_info *fb_info = dev_get_drvdata(device);
struct fb_var_screeninfo var;
char *last = NULL;
int err;
var = fb_info->var;
var.xres_virtual = simple_strtoul(buf, &last, 0);
last++;
if (last - buf >= count)
return -EINVAL;
var.yres_virtual = simple_strtoul(last, &last, 0);
if ((err = activate(fb_info, &var)))
return err;
return count;
}
static ssize_t show_virtual(struct device *device,
struct device_attribute *attr, char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
return snprintf(buf, PAGE_SIZE, "%d,%d\n", fb_info->var.xres_virtual,
fb_info->var.yres_virtual);
}
static ssize_t show_stride(struct device *device,
struct device_attribute *attr, char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
return snprintf(buf, PAGE_SIZE, "%d\n", fb_info->fix.line_length);
}
static ssize_t store_blank(struct device *device,
struct device_attribute *attr,
const char *buf, size_t count)
{
struct fb_info *fb_info = dev_get_drvdata(device);
char *last = NULL;
int err;
console_lock();
fb_info->flags |= FBINFO_MISC_USEREVENT;
err = fb_blank(fb_info, simple_strtoul(buf, &last, 0));
fb_info->flags &= ~FBINFO_MISC_USEREVENT;
console_unlock();
if (err < 0)
return err;
return count;
}
static ssize_t show_blank(struct device *device,
struct device_attribute *attr, char *buf)
{
// struct fb_info *fb_info = dev_get_drvdata(device);
return 0;
}
static ssize_t store_console(struct device *device,
struct device_attribute *attr,
const char *buf, size_t count)
{
// struct fb_info *fb_info = dev_get_drvdata(device);
return 0;
}
static ssize_t show_console(struct device *device,
struct device_attribute *attr, char *buf)
{
// struct fb_info *fb_info = dev_get_drvdata(device);
return 0;
}
static ssize_t store_cursor(struct device *device,
struct device_attribute *attr,
const char *buf, size_t count)
{
// struct fb_info *fb_info = dev_get_drvdata(device);
return 0;
}
static ssize_t show_cursor(struct device *device,
struct device_attribute *attr, char *buf)
{
// struct fb_info *fb_info = dev_get_drvdata(device);
return 0;
}
static ssize_t store_pan(struct device *device,
struct device_attribute *attr,
const char *buf, size_t count)
{
struct fb_info *fb_info = dev_get_drvdata(device);
struct fb_var_screeninfo var;
char *last = NULL;
int err;
var = fb_info->var;
var.xoffset = simple_strtoul(buf, &last, 0);
last++;
if (last - buf >= count)
return -EINVAL;
var.yoffset = simple_strtoul(last, &last, 0);
console_lock();
err = fb_pan_display(fb_info, &var);
console_unlock();
if (err < 0)
return err;
return count;
}
static ssize_t show_pan(struct device *device,
struct device_attribute *attr, char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
return snprintf(buf, PAGE_SIZE, "%d,%d\n", fb_info->var.xoffset,
fb_info->var.yoffset);
}
static ssize_t show_name(struct device *device,
struct device_attribute *attr, char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
return snprintf(buf, PAGE_SIZE, "%s\n", fb_info->fix.id);
}
static ssize_t store_fbstate(struct device *device,
struct device_attribute *attr,
const char *buf, size_t count)
{
struct fb_info *fb_info = dev_get_drvdata(device);
u32 state;
char *last = NULL;
state = simple_strtoul(buf, &last, 0);
if (!lock_fb_info(fb_info))
return -ENODEV;
console_lock();
fb_set_suspend(fb_info, (int)state);
console_unlock();
unlock_fb_info(fb_info);
return count;
}
static ssize_t show_fbstate(struct device *device,
struct device_attribute *attr, char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
return snprintf(buf, PAGE_SIZE, "%d\n", fb_info->state);
}
#ifdef CONFIG_FB_BACKLIGHT
static ssize_t store_bl_curve(struct device *device,
struct device_attribute *attr,
const char *buf, size_t count)
{
struct fb_info *fb_info = dev_get_drvdata(device);
u8 tmp_curve[FB_BACKLIGHT_LEVELS];
unsigned int i;
/* Some drivers don't use framebuffer_alloc(), but those also
* don't have backlights.
*/
if (!fb_info || !fb_info->bl_dev)
return -ENODEV;
if (count != (FB_BACKLIGHT_LEVELS / 8 * 24))
return -EINVAL;
for (i = 0; i < (FB_BACKLIGHT_LEVELS / 8); ++i)
if (sscanf(&buf[i * 24],
"%2hhx %2hhx %2hhx %2hhx %2hhx %2hhx %2hhx %2hhx\n",
&tmp_curve[i * 8 + 0],
&tmp_curve[i * 8 + 1],
&tmp_curve[i * 8 + 2],
&tmp_curve[i * 8 + 3],
&tmp_curve[i * 8 + 4],
&tmp_curve[i * 8 + 5],
&tmp_curve[i * 8 + 6],
&tmp_curve[i * 8 + 7]) != 8)
return -EINVAL;
/* If there has been an error in the input data, we won't
* reach this loop.
*/
mutex_lock(&fb_info->bl_curve_mutex);
for (i = 0; i < FB_BACKLIGHT_LEVELS; ++i)
fb_info->bl_curve[i] = tmp_curve[i];
mutex_unlock(&fb_info->bl_curve_mutex);
return count;
}
static ssize_t show_bl_curve(struct device *device,
struct device_attribute *attr, char *buf)
{
struct fb_info *fb_info = dev_get_drvdata(device);
ssize_t len = 0;
unsigned int i;
/* Some drivers don't use framebuffer_alloc(), but those also
* don't have backlights.
*/
if (!fb_info || !fb_info->bl_dev)
return -ENODEV;
mutex_lock(&fb_info->bl_curve_mutex);
for (i = 0; i < FB_BACKLIGHT_LEVELS; i += 8)
len += snprintf(&buf[len], PAGE_SIZE,
"%02x %02x %02x %02x %02x %02x %02x %02x\n",
fb_info->bl_curve[i + 0],
fb_info->bl_curve[i + 1],
fb_info->bl_curve[i + 2],
fb_info->bl_curve[i + 3],
fb_info->bl_curve[i + 4],
fb_info->bl_curve[i + 5],
fb_info->bl_curve[i + 6],
fb_info->bl_curve[i + 7]);
mutex_unlock(&fb_info->bl_curve_mutex);
return len;
}
#endif
/* When cmap is added back in it should be a binary attribute
* not a text one. Consideration should also be given to converting
* fbdev to use configfs instead of sysfs */
static struct device_attribute device_attrs[] = {
__ATTR(bits_per_pixel, S_IRUGO|S_IWUSR, show_bpp, store_bpp),
__ATTR(blank, S_IRUGO|S_IWUSR, show_blank, store_blank),
__ATTR(console, S_IRUGO|S_IWUSR, show_console, store_console),
__ATTR(cursor, S_IRUGO|S_IWUSR, show_cursor, store_cursor),
__ATTR(mode, S_IRUGO|S_IWUSR, show_mode, store_mode),
__ATTR(modes, S_IRUGO|S_IWUSR, show_modes, store_modes),
__ATTR(pan, S_IRUGO|S_IWUSR, show_pan, store_pan),
__ATTR(virtual_size, S_IRUGO|S_IWUSR, show_virtual, store_virtual),
__ATTR(name, S_IRUGO, show_name, NULL),
__ATTR(stride, S_IRUGO, show_stride, NULL),
__ATTR(rotate, S_IRUGO|S_IWUSR, show_rotate, store_rotate),
__ATTR(state, S_IRUGO|S_IWUSR, show_fbstate, store_fbstate),
#ifdef CONFIG_FB_BACKLIGHT
__ATTR(bl_curve, S_IRUGO|S_IWUSR, show_bl_curve, store_bl_curve),
#endif
};
int fb_init_device(struct fb_info *fb_info)
{
int i, error = 0;
dev_set_drvdata(fb_info->dev, fb_info);
fb_info->class_flag |= FB_SYSFS_FLAG_ATTR;
for (i = 0; i < ARRAY_SIZE(device_attrs); i++) {
error = device_create_file(fb_info->dev, &device_attrs[i]);
if (error)
break;
}
if (error) {
while (--i >= 0)
device_remove_file(fb_info->dev, &device_attrs[i]);
fb_info->class_flag &= ~FB_SYSFS_FLAG_ATTR;
}
return 0;
}
void fb_cleanup_device(struct fb_info *fb_info)
{
unsigned int i;
if (fb_info->class_flag & FB_SYSFS_FLAG_ATTR) {
for (i = 0; i < ARRAY_SIZE(device_attrs); i++)
device_remove_file(fb_info->dev, &device_attrs[i]);
fb_info->class_flag &= ~FB_SYSFS_FLAG_ATTR;
}
}
#ifdef CONFIG_FB_BACKLIGHT
/* This function generates a linear backlight curve
*
* 0: off
* 1-7: min
* 8-127: linear from min to max
*/
void fb_bl_default_curve(struct fb_info *fb_info, u8 off, u8 min, u8 max)
{
unsigned int i, flat, count, range = (max - min);
mutex_lock(&fb_info->bl_curve_mutex);
fb_info->bl_curve[0] = off;
for (flat = 1; flat < (FB_BACKLIGHT_LEVELS / 16); ++flat)
fb_info->bl_curve[flat] = min;
count = FB_BACKLIGHT_LEVELS * 15 / 16;
for (i = 0; i < count; ++i)
fb_info->bl_curve[flat + i] = min + (range * (i + 1) / count);
mutex_unlock(&fb_info->bl_curve_mutex);
}
EXPORT_SYMBOL_GPL(fb_bl_default_curve);
#endif