lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230216111214.3489223-1-daniel.vetter@ffwll.ch>
Date:   Thu, 16 Feb 2023 12:12:13 +0100
From:   Daniel Vetter <daniel.vetter@...ll.ch>
To:     DRI Development <dri-devel@...ts.freedesktop.org>
Cc:     Intel Graphics Development <intel-gfx@...ts.freedesktop.org>,
        Daniel Vetter <daniel.vetter@...ll.ch>,
        Abhinav Kumar <quic_abhinavk@...cinc.com>,
        Thomas Zimmermann <tzimmermann@...e.de>,
        Maxime Ripard <maxime@...no.tech>, mikita.lipski@....com,
        Michel Dänzer <michel@...nzer.net>,
        harry.wentland@....com, Rob Clark <robdclark@...il.com>,
        "Kazlauskas, Nicholas" <nicholas.kazlauskas@....com>,
        Dmitry Osipenko <dmitry.osipenko@...labora.com>,
        Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
        Dmitry Baryshkov <dmitry.baryshkov@...aro.org>,
        Sean Paul <sean@...rly.run>,
        Matthias Brugger <matthias.bgg@...il.com>,
        AngeloGioacchino Del Regno 
        <angelogioacchino.delregno@...labora.com>,
        Ville Syrjälä 
        <ville.syrjala@...ux.intel.com>,
        Jani Nikula <jani.nikula@...el.com>,
        Lucas De Marchi <lucas.demarchi@...el.com>,
        Imre Deak <imre.deak@...el.com>,
        Manasi Navare <manasi.d.navare@...el.com>,
        linux-arm-msm@...r.kernel.org, freedreno@...ts.freedesktop.org,
        linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org,
        Daniel Vetter <daniel.vetter@...el.com>
Subject: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks

The stuff never really worked, and leads to lots of fun because it
out-of-order frees atomic states. Which upsets KASAN, among other
things.

For async updates we now have a more solid solution with the
->atomic_async_check and ->atomic_async_commit hooks. Support for that
for msm and vc4 landed. nouveau and i915 have their own commit
routines, doing something similar.

For everyone else it's probably better to remove the use-after-free
bug, and encourage folks to use the async support instead. The
affected drivers which register a legacy cursor plane and don't either
use the new async stuff or their own commit routine are: amdgpu,
atmel, mediatek, qxl, rockchip, sti, sun4i, tegra, virtio, and vmwgfx.

Inspired by an amdgpu bug report.

v2: Drop RFC, I think with amdgpu converted over to use
atomic_async_check/commit done in

commit 674e78acae0dfb4beb56132e41cbae5b60f7d662
Author: Nicholas Kazlauskas <nicholas.kazlauskas@....com>
Date:   Wed Dec 5 14:59:07 2018 -0500

    drm/amd/display: Add fast path for cursor plane updates

we don't have any driver anymore where we have userspace expecting
solid legacy cursor support _and_ they are using the atomic helpers in
their fully glory. So we can retire this.

v3: Paper over msm and i915 regression. The complete_all is the only
thing missing afaict.

v4: Fixup i915 fixup ...

v5: Unallocate the crtc->event in msm to avoid hitting a WARN_ON in
dpu_crtc_atomic_flush(). This is a bit a hack, but simplest way to
untangle this all. Thanks to Abhinav Kumar for the debug help.

Cc: Abhinav Kumar <quic_abhinavk@...cinc.com>
Cc: Thomas Zimmermann <tzimmermann@...e.de>
Cc: Maxime Ripard <maxime@...no.tech>
References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
References: https://lore.kernel.org/all/20220221134155.125447-9-maxime@cerno.tech/
References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
Cc: Maxime Ripard <maxime@...no.tech>
Tested-by: Maxime Ripard <maxime@...no.tech>
Cc: mikita.lipski@....com
Cc: Michel Dänzer <michel@...nzer.net>
Cc: harry.wentland@....com
Cc: Rob Clark <robdclark@...il.com>
Cc: "Kazlauskas, Nicholas" <nicholas.kazlauskas@....com>
Cc: Dmitry Osipenko <dmitry.osipenko@...labora.com>
Cc: Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>
Cc: Dmitry Baryshkov <dmitry.baryshkov@...aro.org>
Cc: Sean Paul <sean@...rly.run>
Cc: Matthias Brugger <matthias.bgg@...il.com>
Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>
Cc: "Ville Syrjälä" <ville.syrjala@...ux.intel.com>
Cc: Jani Nikula <jani.nikula@...el.com>
Cc: Lucas De Marchi <lucas.demarchi@...el.com>
Cc: Imre Deak <imre.deak@...el.com>
Cc: Manasi Navare <manasi.d.navare@...el.com>
Cc: linux-arm-msm@...r.kernel.org
Cc: freedreno@...ts.freedesktop.org
Cc: linux-kernel@...r.kernel.org
Cc: linux-arm-kernel@...ts.infradead.org
Cc: linux-mediatek@...ts.infradead.org
Signed-off-by: Daniel Vetter <daniel.vetter@...el.com>
---
 drivers/gpu/drm/drm_atomic_helper.c          | 13 -------------
 drivers/gpu/drm/i915/display/intel_display.c | 14 ++++++++++++++
 drivers/gpu/drm/msm/msm_atomic.c             | 15 +++++++++++++++
 3 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
index d579fd8f7cb8..f6b4c3a00684 100644
--- a/drivers/gpu/drm/drm_atomic_helper.c
+++ b/drivers/gpu/drm/drm_atomic_helper.c
@@ -1587,13 +1587,6 @@ drm_atomic_helper_wait_for_vblanks(struct drm_device *dev,
 	int i, ret;
 	unsigned int crtc_mask = 0;
 
-	 /*
-	  * Legacy cursor ioctls are completely unsynced, and userspace
-	  * relies on that (by doing tons of cursor updates).
-	  */
-	if (old_state->legacy_cursor_update)
-		return;
-
 	for_each_oldnew_crtc_in_state(old_state, crtc, old_crtc_state, new_crtc_state, i) {
 		if (!new_crtc_state->active)
 			continue;
@@ -2244,12 +2237,6 @@ int drm_atomic_helper_setup_commit(struct drm_atomic_state *state,
 			continue;
 		}
 
-		/* Legacy cursor updates are fully unsynced. */
-		if (state->legacy_cursor_update) {
-			complete_all(&commit->flip_done);
-			continue;
-		}
-
 		if (!new_crtc_state->event) {
 			commit->event = kzalloc(sizeof(*commit->event),
 						GFP_KERNEL);
diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c
index 3479125fbda6..2454451fcf95 100644
--- a/drivers/gpu/drm/i915/display/intel_display.c
+++ b/drivers/gpu/drm/i915/display/intel_display.c
@@ -7651,6 +7651,20 @@ static int intel_atomic_commit(struct drm_device *dev,
 		intel_runtime_pm_put(&dev_priv->runtime_pm, state->wakeref);
 		return ret;
 	}
+
+	/*
+	 * FIXME: Cut over to (async) commit helpers instead of hand-rolling
+	 * everything.
+	 */
+	if (state->base.legacy_cursor_update) {
+		struct intel_crtc_state *new_crtc_state;
+		struct intel_crtc *crtc;
+		int i;
+
+		for_each_new_intel_crtc_in_state(state, crtc, new_crtc_state, i)
+			complete_all(&new_crtc_state->uapi.commit->flip_done);
+	}
+
 	intel_shared_dpll_swap_state(state);
 	intel_atomic_track_fbs(state);
 
diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
index 1686fbb611fd..b7151767b567 100644
--- a/drivers/gpu/drm/msm/msm_atomic.c
+++ b/drivers/gpu/drm/msm/msm_atomic.c
@@ -189,6 +189,19 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
 	bool async = kms->funcs->vsync_time &&
 			can_do_async(state, &async_crtc);
 
+	/*
+	 * FIXME: Convert to async plane helpers and remove the various hacks to
+	 * keep the old legacy_cursor_way of doing async commits working for the
+	 * dpu code, like the expectation that these don't have a crtc->event.
+	 */
+	if (async) {
+		/* both ->event itself and the pointer hold a reference! */
+		drm_crtc_commit_put(async_crtc->state->commit);
+		drm_crtc_commit_put(async_crtc->state->commit);
+		kfree(async_crtc->state->event);
+		async_crtc->state->event = NULL;
+	}
+
 	trace_msm_atomic_commit_tail_start(async, crtc_mask);
 
 	kms->funcs->enable_commit(kms);
@@ -222,6 +235,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
 		/* async updates are limited to single-crtc updates: */
 		WARN_ON(crtc_mask != drm_crtc_mask(async_crtc));
 
+		complete_all(&async_crtc->state->commit->flip_done);
+
 		/*
 		 * Start timer if we don't already have an update pending
 		 * on this crtc:
-- 
2.39.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ