lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240305115043.37c621ac.pekka.paalanen@collabora.com>
Date: Tue, 5 Mar 2024 11:50:43 +0200
From: Pekka Paalanen <pekka.paalanen@...labora.com>
To: Louis Chauvet <louis.chauvet@...tlin.com>
Cc: Rodrigo Siqueira <rodrigosiqueiramelo@...il.com>, Melissa Wen
 <melissa.srw@...il.com>, Maíra Canal
 <mairacanal@...eup.net>, Haneen Mohammed <hamohammed.sa@...il.com>, Daniel
 Vetter <daniel@...ll.ch>, Maarten Lankhorst
 <maarten.lankhorst@...ux.intel.com>, Maxime Ripard <mripard@...nel.org>,
 Thomas Zimmermann <tzimmermann@...e.de>, David Airlie <airlied@...il.com>,
 arthurgrillo@...eup.net, Jonathan Corbet <corbet@....net>,
 dri-devel@...ts.freedesktop.org, linux-kernel@...r.kernel.org,
 jeremie.dautheribes@...tlin.com, miquel.raynal@...tlin.com,
 thomas.petazzoni@...tlin.com
Subject: Re: [PATCH v2 4/9] drm/vkms: Add typedef and documentation for
 pixel_read and pixel_write functions

On Mon, 4 Mar 2024 16:28:32 +0100
Louis Chauvet <louis.chauvet@...tlin.com> wrote:

> Le 29/02/24 - 11:07, Pekka Paalanen a écrit :
> > On Tue, 27 Feb 2024 16:02:13 +0100
> > Louis Chauvet <louis.chauvet@...tlin.com> wrote:
> >   
> > > Le 26/02/24 - 13:36, Pekka Paalanen a écrit :  
> > > > On Fri, 23 Feb 2024 12:37:24 +0100
> > > > Louis Chauvet <louis.chauvet@...tlin.com> wrote:
> > > >     
> > > > > Introduce two typedefs: pixel_read_t and pixel_write_t. It allows the
> > > > > compiler to check if the passed functions take the correct arguments.
> > > > > Such typedefs will help ensuring consistency across the code base in
> > > > > case of update of these prototypes.
> > > > > 
> > > > > Introduce a check around the get_pixel_*_functions to avoid using a
> > > > > nullptr as a function.
> > > > > 
> > > > > Document for those typedefs.
> > > > > 
> > > > > Signed-off-by: Louis Chauvet <louis.chauvet@...tlin.com>
> > > > > ---
> > > > >  drivers/gpu/drm/vkms/vkms_drv.h       | 23 +++++++++++++++++++++--
> > > > >  drivers/gpu/drm/vkms/vkms_formats.c   |  8 ++++----
> > > > >  drivers/gpu/drm/vkms/vkms_formats.h   |  4 ++--
> > > > >  drivers/gpu/drm/vkms/vkms_plane.c     |  9 ++++++++-
> > > > >  drivers/gpu/drm/vkms/vkms_writeback.c |  9 ++++++++-
> > > > >  5 files changed, 43 insertions(+), 10 deletions(-)
> > > > > 
> > > > > diff --git a/drivers/gpu/drm/vkms/vkms_drv.h b/drivers/gpu/drm/vkms/vkms_drv.h
> > > > > index 18086423a3a7..886c885c8cf5 100644
> > > > > --- a/drivers/gpu/drm/vkms/vkms_drv.h
> > > > > +++ b/drivers/gpu/drm/vkms/vkms_drv.h
> > > > > @@ -53,12 +53,31 @@ struct line_buffer {
> > > > >  	struct pixel_argb_u16 *pixels;
> > > > >  };
> > > > >  
> > > > > +/**
> > > > > + * typedef pixel_write_t - These functions are used to read a pixel from a
> > > > > + * `struct pixel_argb_u16*`, convert it in a specific format and write it in the @dst_pixels
> > > > > + * buffer.
> > > > > + *
> > > > > + * @dst_pixel: destination address to write the pixel
> > > > > + * @in_pixel: pixel to write
> > > > > + */
> > > > > +typedef void (*pixel_write_t)(u8 *dst_pixels, struct pixel_argb_u16 *in_pixel);    
> > > > 
> > > > There are some inconsistencies in pixel_write_t and pixel_read_t. At
> > > > this point of the series they still operate on a single pixel, but you
> > > > use dst_pixels and src_pixels, plural. Yet the documentation correctly
> > > > talks about processing a single pixel.    
> > > 
> > > I will fix this for v4.
> > >    
> > > > I would also expect the source to be always const, but that's a whole
> > > > another patch to change.    
> > > 
> > > The v4 will contains a new patch "drm/vkms: Use const pointer for 
> > > pixel_read and pixel_write functions"  
> > 
> > Sounds good!
> >   
> > > 
> > > [...]
> > >   
> > > > > diff --git a/drivers/gpu/drm/vkms/vkms_plane.c b/drivers/gpu/drm/vkms/vkms_plane.c
> > > > > index d5203f531d96..f68b1b03d632 100644
> > > > > --- a/drivers/gpu/drm/vkms/vkms_plane.c
> > > > > +++ b/drivers/gpu/drm/vkms/vkms_plane.c
> > > > > @@ -106,6 +106,13 @@ static void vkms_plane_atomic_update(struct drm_plane *plane,
> > > > >  		return;
> > > > >  
> > > > >  	fmt = fb->format->format;
> > > > > +	pixel_read_t pixel_read = get_pixel_read_function(fmt);
> > > > > +
> > > > > +	if (!pixel_read) {
> > > > > +		DRM_WARN("Pixel format is not supported by VKMS planes. State is inchanged\n");    
> > > > 
> > > > DRM_WARN() is the kernel equivalent to userspace assert(), right?    
> > > 
> > > For the DRM_WARN it is just a standard prinkt(KERN_WARN, ...) (hidden 
> > > behind drm internal macros).  
> > 
> > My concern here is that does hitting this cause additional breakage of
> > the UAPI contract? For example, the UAPI contract expects that the old
> > FB is unreffed and the new FB is reffed by the plane in question. If
> > this early return causes that FB swap to be skipped, it could cause
> > secondary unexpected failures or misbehaviour for userspace later. That
> > could mislead debugging to think that there is a userspace bug.
> >
> > Even if you cannot actually read FB due to an internal bug, it would be
> > good to still apply all the state changes that the UAPI contract
> > mandates.
> > 
> > Unless, this is a kernel bug kind of thing which explodes very
> > verbosely, but DRM_WARN is not that.  
> 
> You are right. In this case I maybe can just create a dummy 
> "pixel_read" which always return black? (The v4 will have it so you can 
> see how it look)
> 
> This way, I can:
> - keep the check and avoid null function pointers (and OOPS);
> - log (WARN, DRM_WARN, DRM_ERROR or whatever suggested by DRM maintainers 
> to warn very loudly);
> - Apply the requested change from userspace (and don't break the UAPI 
> contract).
> 
> The resulting behavior will be "the virtual plane is black", which is, I
> think, not very important. As the primary usage of VKMS is testing, it
> will just broke all the tests, and a quick look at the kernel logs will
> show this bug.

That's fine by me. After all, atomic check should have already
prevented this, and this can only happen due to a kernel bug AFAIU.


> > > > In that failing the check means an internal invariant was violated,
> > > > which means a code bug in kernel?
> > > >
> > > > Maybe this could be more specific about what invariant was violated?
> > > > E.g. atomic check should have rejected this attempt already.    
> > > 
> > > I'm not an expert (yet) in DRM, so please correct me:
> > > When atomic_update is called, the new state is always validated by 
> > > atomic_check before? There is no way to pass something not validated by 
> > > atomic_check to atomic_update? If this is the case, yes, it should be an 
> > > ERROR and not a WARN as an invalid format passed the atomic_check 
> > > verification.  
> > 
> > I only know about the UAPI, I'm not familiar with kernel internals.
> > 
> > We see that atomic_update returns void, so I think it simply cannot
> > return errors. To my understanding, atomic_check needs to ensure that
> > atomic_update cannot fail. There is even UAPI to exercise atomic_check
> > alone: the atomic commit TEST_ONLY flag. Userspace trusts that flag, and
> > will not expect an identical atomic commit to fail without TEST_ONLY
> > when it succeeded with TEST_ONLY.  
> 
> That my understanding of the UAPI/DRM internals too, is my suggestion 
> above sufficient? It will always succeed, no kernel OOPS.
> 
> > > If so, is this better?
> > > 
> > > 	if (!pixel_read) {
> > > 		/*
> > > 		 * This is a bug as the vkms_plane_atomic_check must forbid all unsupported formats.
> > > 		 */
> > > 		DRM_ERROR("Pixel format %4cc is not supported by VKMS planes.\n", fmt);
> > > 		return;
> > > 	}
> > > 
> > > I will put the same code in vkms_writeback.c.  
> > 
> > Maybe maintainers can comment whether even DRM_ERROR is strong enough.
> > 
> > As for the message, what you wrote in the comment is the most important
> > part that I'd put in the log. It explains what's going on, while that
> > "format not supported" is a detail without context.
> >   
> 
> Is something like this better?
> 
> 	/*
> 	 * This is a bug in vkms_plane_atomic_check. All the supported 
> 	 * format must:
> 	 * - Be listed in vkms_formats
> 	 * - Have a pixel_read_line callback
> 	 */
> 	WARN(true, "Pixel format %4cc is not supported by VKMS planes. This is a kernel bug. Atomic check must forbid this configuration.\n", fmt)
> 

Sure.


Thanks,
pq

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ