From 7f5d6dac548b983702dd7aac1d463bd88dff50a8 Mon Sep 17 00:00:00 2001
From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Date: Mon, 14 Aug 2017 12:07:21 +0200
Subject: [PATCH] drm/atomic: Handle -EDEADLK with out-fences correctly

complete_crtc_signaling is freeing fence_state, but when retrying
num_fences and fence_state are not zero'd. This caused duplicate
fd's in the fence_state array, followed by a BUG_ON in fs/file.c
because we reallocate freed memory, and installing over an existing
fd, or potential other fun.

Zero fence_state and num_fences correctly in the retry loop, which
allows kms_atomic_transition to pass.

Fixes: beaf5af48034 ("drm/fence: add out-fences support")
Cc: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Cc: Brian Starkey <brian.starkey@arm.com> (v10)
Cc: Sean Paul <seanpaul@chromium.org>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Cc: David Airlie <airlied@linux.ie>
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: <stable@vger.kernel.org> # v4.10+
Testcase: kms_atomic_transitions.plane-all-modeset-transition-fencing
(with CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y)
Link: https://patchwork.freedesktop.org/patch/msgid/20170814100721.13340-1-maarten.lankhorst@linux.intel.com
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> #intel-gfx on irc
---
 drivers/gpu/drm/drm_atomic.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
index c0f336d23f9c..b43939f24812 100644
--- a/drivers/gpu/drm/drm_atomic.c
+++ b/drivers/gpu/drm/drm_atomic.c
@@ -2167,10 +2167,10 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
 	struct drm_atomic_state *state;
 	struct drm_modeset_acquire_ctx ctx;
 	struct drm_plane *plane;
-	struct drm_out_fence_state *fence_state = NULL;
+	struct drm_out_fence_state *fence_state;
 	unsigned plane_mask;
 	int ret = 0;
-	unsigned int i, j, num_fences = 0;
+	unsigned int i, j, num_fences;
 
 	/* disallow for drivers not supporting atomic: */
 	if (!drm_core_check_feature(dev, DRIVER_ATOMIC))
@@ -2211,6 +2211,8 @@ retry:
 	plane_mask = 0;
 	copied_objs = 0;
 	copied_props = 0;
+	fence_state = NULL;
+	num_fences = 0;
 
 	for (i = 0; i < arg->count_objs; i++) {
 		uint32_t obj_id, count_props;
-- 
2.11.0