drm/i915/fb: Fix the set_tiling vs. addfb race, again

intel_frontbuffer_get() is what locks out subsequent set_tiling
changes to the bo. Thus the fence vs. modifier check must be done
after intel_frontbuffer_get(), or else a concurrent set_tiling ioctl
might sneak in and change the fence after the check has been done.

Close the race again. See commit dd689287b977 ("drm/i915: Prevent
concurrent tiling/framebuffer modifications") for the previous
instance.

v2: Reorder intel_user_framebuffer_destroy() to match the unwind (Jani)

Cc: Jouni Högander <jouni.hogander@intel.com>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Fixes: 10690b8a49bc ("drm/i915/display: Add intel_fb_bo_framebuffer_fini")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20251003145734.7634-3-ville.syrjala@linux.intel.com
(cherry picked from commit 1d1e4ded216017f8febd91332ee337f0e0e79285)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>

diff --git a/drivers/gpu/drm/i915/display/intel_fb.c b/drivers/gpu/drm/i915/display/intel_fb.c
index 22a4a1575d2236099ed8f6f69d7d86039f5328ad..b817ff44c043989610764a8b5b4eec1bb3e2e66f 100644 (file)
--- a/drivers/gpu/drm/i915/display/intel_fb.c
+++ b/drivers/gpu/drm/i915/display/intel_fb.c
@@ -2113,10 +2113,10 @@ static void intel_user_framebuffer_destroy(struct drm_framebuffer *fb)
        if (intel_fb_uses_dpt(fb))
                intel_dpt_destroy(intel_fb->dpt_vm);
 
-       intel_frontbuffer_put(intel_fb->frontbuffer);
-
        intel_fb_bo_framebuffer_fini(intel_fb_bo(fb));
 
+       intel_frontbuffer_put(intel_fb->frontbuffer);
+
        kfree(intel_fb);
 }
 
@@ -2218,15 +2218,17 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
        int ret = -EINVAL;
        int i;
 
+       /*
+        * intel_frontbuffer_get() must be done before
+        * intel_fb_bo_framebuffer_init() to avoid set_tiling vs. addfb race.
+        */
+       intel_fb->frontbuffer = intel_frontbuffer_get(obj);
+       if (!intel_fb->frontbuffer)
+               return -ENOMEM;
+
        ret = intel_fb_bo_framebuffer_init(fb, obj, mode_cmd);
        if (ret)
-               return ret;
-
-       intel_fb->frontbuffer = intel_frontbuffer_get(obj);
-       if (!intel_fb->frontbuffer) {
-               ret = -ENOMEM;
-               goto err;
-       }
+               goto err_frontbuffer_put;
 
        ret = -EINVAL;
        if (!drm_any_plane_has_format(display->drm,
@@ -2235,7 +2237,7 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
                drm_dbg_kms(display->drm,
                            "unsupported pixel format %p4cc / modifier 0x%llx\n",
                            &mode_cmd->pixel_format, mode_cmd->modifier[0]);
-               goto err_frontbuffer_put;
+               goto err_bo_framebuffer_fini;
        }
 
        max_stride = intel_fb_max_stride(display, mode_cmd->pixel_format,
@@ -2246,7 +2248,7 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
                            mode_cmd->modifier[0] != DRM_FORMAT_MOD_LINEAR ?
                            "tiled" : "linear",
                            mode_cmd->pitches[0], max_stride);
-               goto err_frontbuffer_put;
+               goto err_bo_framebuffer_fini;
        }
 
        /* FIXME need to adjust LINOFF/TILEOFF accordingly. */
@@ -2254,7 +2256,7 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
                drm_dbg_kms(display->drm,
                            "plane 0 offset (0x%08x) must be 0\n",
                            mode_cmd->offsets[0]);
-               goto err_frontbuffer_put;
+               goto err_bo_framebuffer_fini;
        }
 
        drm_helper_mode_fill_fb_struct(display->drm, fb, info, mode_cmd);
@@ -2264,7 +2266,7 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
 
                if (mode_cmd->handles[i] != mode_cmd->handles[0]) {
                        drm_dbg_kms(display->drm, "bad plane %d handle\n", i);
-                       goto err_frontbuffer_put;
+                       goto err_bo_framebuffer_fini;
                }
 
                stride_alignment = intel_fb_stride_alignment(fb, i);
@@ -2272,7 +2274,7 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
                        drm_dbg_kms(display->drm,
                                    "plane %d pitch (%d) must be at least %u byte aligned\n",
                                    i, fb->pitches[i], stride_alignment);
-                       goto err_frontbuffer_put;
+                       goto err_bo_framebuffer_fini;
                }
 
                if (intel_fb_is_gen12_ccs_aux_plane(fb, i)) {
@@ -2282,7 +2284,7 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
                                drm_dbg_kms(display->drm,
                                            "ccs aux plane %d pitch (%d) must be %d\n",
                                            i, fb->pitches[i], ccs_aux_stride);
-                               goto err_frontbuffer_put;
+                               goto err_bo_framebuffer_fini;
                        }
                }
 
@@ -2291,7 +2293,7 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
 
        ret = intel_fill_fb_info(display, intel_fb);
        if (ret)
-               goto err_frontbuffer_put;
+               goto err_bo_framebuffer_fini;
 
        if (intel_fb_uses_dpt(fb)) {
                struct i915_address_space *vm;
@@ -2317,10 +2319,10 @@ int intel_framebuffer_init(struct intel_framebuffer *intel_fb,
 err_free_dpt:
        if (intel_fb_uses_dpt(fb))
                intel_dpt_destroy(intel_fb->dpt_vm);
+err_bo_framebuffer_fini:
+       intel_fb_bo_framebuffer_fini(obj);
 err_frontbuffer_put:
        intel_frontbuffer_put(intel_fb->frontbuffer);
-err:
-       intel_fb_bo_framebuffer_fini(obj);
        return ret;
 }