[PATCH] drm/atomic-helper: reset vblank on crtc reset

Daniel Vetter daniel.vetter at ffwll.ch
Wed May 27 14:21:34 UTC 2020


On Wed, May 27, 2020 at 2:08 PM Liviu Dudau <liviu.dudau at arm.com> wrote:
>
> On Wed, May 27, 2020 at 01:07:05PM +0200, Daniel Vetter wrote:
> > On Wed, May 27, 2020 at 12:57 PM Liviu Dudau <liviu.dudau at arm.com> wrote:
> > >
> > > Hi Daniel,
> > >
> > > On Wed, May 27, 2020 at 11:53:32AM +0200, Daniel Vetter wrote:
> > > > Only when vblanks are supported ofc.
> > > >
> > > > Some drivers do this already, but most unfortunately missed it. This
> > > > opens up bugs after driver load, before the crtc is enabled for the
> > > > first time. syzbot spotted this when loading vkms as a secondary
> > > > output. Given how many drivers are buggy it's best to solve this once
> > > > and for all in shared helper code.
> > > >
> > > > Aside from moving the few existing calls to drm_crtc_vblank_reset into
> > > > helpers (i915 doesn't use helpers, so keeps its own) I think the
> > > > regression risk is minimal: atomic helpers already rely on drivers
> > > > calling drm_crtc_vblank_on/off correctly in their hooks when they
> > > > support vblanks. And driver that's failing to handle vblanks after
> > > > this is missing those calls already, and vblanks could only work by
> > > > accident when enabling a CRTC for the first time right after boot.
> > > >
> > > > Big thanks to Tetsuo for helping track down what's going wrong here.
> > > >
> > > > There's only a few drivers which already had the necessary call and
> > > > needed some updating:
> > > > - komeda, atmel and tidss also needed to be changed to call
> > > >   __drm_atomic_helper_crtc_reset() intead of open coding it
> > > > - tegra and msm even had it in the same place already, just code
> > > >   motion, and malidp already uses __drm_atomic_helper_crtc_reset().
> > > >
> > > > Only call left is in i915, which doesn't use drm_mode_config_reset,
> > > > but has its own fastboot infrastructure. So that's the only case where
> > > > we actually want this in the driver still.
> > > >
> > > > I've also reviewed all other drivers which set up vblank support with
> > > > drm_vblank_init. After the previous patch fixing mxsfb all atomic
> > > > drivers do call drm_crtc_vblank_on/off as they should, the remaining
> > > > drivers are either legacy kms or legacy dri1 drivers, so not affected
> > > > by this change to atomic helpers.
> > > >
> > > > v2: Use the drm_dev_has_vblank() helper.
> > > >
> > > > Link: https://syzkaller.appspot.com/bug?id=0ba17d70d062b2595e1f061231474800f076c7cb
> > > > Reported-by: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
> > > > Reported-by: syzbot+0871b14ca2e2fb64f6e3 at syzkaller.appspotmail.com
> > > > Cc: Tetsuo Handa <penguin-kernel at I-love.SAKURA.ne.jp>
> > > > Cc: "James (Qian) Wang" <james.qian.wang at arm.com>
> > > > Cc: Liviu Dudau <liviu.dudau at arm.com>
> > > > Cc: Mihail Atanassov <mihail.atanassov at arm.com>
> > > > Cc: Brian Starkey <brian.starkey at arm.com>
> > > > Cc: Sam Ravnborg <sam at ravnborg.org>
> > > > Cc: Boris Brezillon <bbrezillon at kernel.org>
> > > > Cc: Nicolas Ferre <nicolas.ferre at microchip.com>
> > > > Cc: Alexandre Belloni <alexandre.belloni at bootlin.com>
> > > > Cc: Ludovic Desroches <ludovic.desroches at microchip.com>
> > > > Cc: Maarten Lankhorst <maarten.lankhorst at linux.intel.com>
> > > > Cc: Maxime Ripard <mripard at kernel.org>
> > > > Cc: Thomas Zimmermann <tzimmermann at suse.de>
> > > > Cc: David Airlie <airlied at linux.ie>
> > > > Cc: Daniel Vetter <daniel at ffwll.ch>
> > > > Cc: Thierry Reding <thierry.reding at gmail.com>
> > > > Cc: Jonathan Hunter <jonathanh at nvidia.com>
> > > > Cc: Jyri Sarha <jsarha at ti.com>
> > > > Cc: Tomi Valkeinen <tomi.valkeinen at ti.com>
> > > > Cc: Rob Clark <robdclark at gmail.com>
> > > > Cc: Sean Paul <seanpaul at chromium.org>
> > > > Cc: Brian Masney <masneyb at onstation.org>
> > > > Cc: Emil Velikov <emil.velikov at collabora.com>
> > > > Cc: zhengbin <zhengbin13 at huawei.com>
> > > > Cc: Thomas Gleixner <tglx at linutronix.de>
> > > > Cc: linux-tegra at vger.kernel.org
> > > > Signed-off-by: Daniel Vetter <daniel.vetter at intel.com>
> > > > ---
> > > >  drivers/gpu/drm/arm/display/komeda/komeda_crtc.c | 7 ++-----
> > > >  drivers/gpu/drm/arm/malidp_drv.c                 | 1 -
> > > >  drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c   | 7 ++-----
> > > >  drivers/gpu/drm/drm_atomic_state_helper.c        | 4 ++++
> > > >  drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c        | 2 --
> > > >  drivers/gpu/drm/tegra/dc.c                       | 1 -
> > > >  drivers/gpu/drm/tidss/tidss_crtc.c               | 3 +--
> > > >  drivers/gpu/drm/tidss/tidss_kms.c                | 4 ----
> > > >  8 files changed, 9 insertions(+), 20 deletions(-)
> > > >
> > > > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c
> > > > index 56bd938961ee..f33418d6e1a0 100644
> > > > --- a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c
> > > > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c
> > > > @@ -492,10 +492,8 @@ static void komeda_crtc_reset(struct drm_crtc *crtc)
> > > >       crtc->state = NULL;
> > > >
> > > >       state = kzalloc(sizeof(*state), GFP_KERNEL);
> > > > -     if (state) {
> > > > -             crtc->state = &state->base;
> > > > -             crtc->state->crtc = crtc;
> > > > -     }
> > > > +     if (state)
> > > > +             __drm_atomic_helper_crtc_reset(crtc, &state->base);
> > > >  }
> > > >
> > > >  static struct drm_crtc_state *
> > > > @@ -616,7 +614,6 @@ static int komeda_crtc_add(struct komeda_kms_dev *kms,
> > > >               return err;
> > > >
> > > >       drm_crtc_helper_add(crtc, &komeda_crtc_helper_funcs);
> > > > -     drm_crtc_vblank_reset(crtc);
> > > >
> > > >       crtc->port = kcrtc->master->of_output_port;
> > > >
> > > > diff --git a/drivers/gpu/drm/arm/malidp_drv.c b/drivers/gpu/drm/arm/malidp_drv.c
> > > > index c2507b7d8512..02904392e370 100644
> > > > --- a/drivers/gpu/drm/arm/malidp_drv.c
> > > > +++ b/drivers/gpu/drm/arm/malidp_drv.c
> > > > @@ -870,7 +870,6 @@ static int malidp_bind(struct device *dev)
> > > >       drm->irq_enabled = true;
> > > >
> > > >       ret = drm_vblank_init(drm, drm->mode_config.num_crtc);
> > > > -     drm_crtc_vblank_reset(&malidp->crtc);
> > >
> > > It was a couple of years ago but I remember Alexandru-Cosmin tracking an issue around
> > > this. The reason for reseting the vblank so early after calling drm_vblank_init was that
> > > you could have userspace calling drm_wait_vblank() before crtc activation and in our
> > > case it will trigger some warnings in the driver (details are fuzzy right now). The
> > > relevant commit was cabce6343fd ("drm: mali-dp: Call drm_crtc_vblank_reset on device
> > > init").
> > >
> > > Have you done any testing with that scenario on any of the drivers?
> >
> > This is exactly the scenario that syzbot found and which goes boom
> > (well infinite busy loop in the hrtimer) with vkms. So I looked at
> > drivers and noticed that an overwhelming majority of them get this
> > wrong, hence decided to do this once and for all in helpers.
> >
> > If you read the patch carefully, I'm only moving it, not removing it.
>
> That is what I'm questioning. The drm_crtc_vblank_reset() was placed right after
> drm_vblank_init() for a good reason, by moving it the warning might come back.
> I guess your answer will be that I need to do the testing on my own platform to find
> out, I was just asking about status on other platforms.

Userspace can't sneak in before we call drm_dev_register. Both before
and after this patch the call to drm_crtc_vblank_reset() happens
before that point, so if your only concern is userspace sneaking in a
vblank ioctl, then it's all still safe.

If there's other concerns, then that's different ofc. But before
calling drm_mode_config_reset() any atomic commit will Oops, so
there's really not a hole lot of code that might expect vblanks to
work before that. I didn't find any in the driver (grep for vblank
wait functions does that job).
-Daniel

>
> Best regards,
> Liviu
>
> > -Daniel
> >
> > >
> > > Best regards,
> > > Liviu
> > >
> > > >       if (ret < 0) {
> > > >               DRM_ERROR("failed to initialise vblank\n");
> > > >               goto vblank_fail;
> > > > diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c
> > > > index 10985134ce0b..ce246b96330b 100644
> > > > --- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c
> > > > +++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c
> > > > @@ -411,10 +411,8 @@ static void atmel_hlcdc_crtc_reset(struct drm_crtc *crtc)
> > > >       }
> > > >
> > > >       state = kzalloc(sizeof(*state), GFP_KERNEL);
> > > > -     if (state) {
> > > > -             crtc->state = &state->base;
> > > > -             crtc->state->crtc = crtc;
> > > > -     }
> > > > +     if (state)
> > > > +             __drm_atomic_helper_crtc_reset(crtc, &state->base);
> > > >  }
> > > >
> > > >  static struct drm_crtc_state *
> > > > @@ -528,7 +526,6 @@ int atmel_hlcdc_crtc_create(struct drm_device *dev)
> > > >       }
> > > >
> > > >       drm_crtc_helper_add(&crtc->base, &lcdc_crtc_helper_funcs);
> > > > -     drm_crtc_vblank_reset(&crtc->base);
> > > >
> > > >       drm_mode_crtc_set_gamma_size(&crtc->base, ATMEL_HLCDC_CLUT_SIZE);
> > > >       drm_crtc_enable_color_mgmt(&crtc->base, 0, false,
> > > > diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c
> > > > index 8fce6a115dfe..9ad74045158e 100644
> > > > --- a/drivers/gpu/drm/drm_atomic_state_helper.c
> > > > +++ b/drivers/gpu/drm/drm_atomic_state_helper.c
> > > > @@ -32,6 +32,7 @@
> > > >  #include <drm/drm_device.h>
> > > >  #include <drm/drm_plane.h>
> > > >  #include <drm/drm_print.h>
> > > > +#include <drm/drm_vblank.h>
> > > >  #include <drm/drm_writeback.h>
> > > >
> > > >  #include <linux/slab.h>
> > > > @@ -93,6 +94,9 @@ __drm_atomic_helper_crtc_reset(struct drm_crtc *crtc,
> > > >       if (crtc_state)
> > > >               __drm_atomic_helper_crtc_state_reset(crtc_state, crtc);
> > > >
> > > > +     if (drm_dev_has_vblank(crtc->dev))
> > > > +             drm_crtc_vblank_reset(crtc);
> > > > +
> > > >       crtc->state = crtc_state;
> > > >  }
> > > >  EXPORT_SYMBOL(__drm_atomic_helper_crtc_reset);
> > > > diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
> > > > index ca3368c828d0..9606185c284b 100644
> > > > --- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
> > > > +++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
> > > > @@ -1117,8 +1117,6 @@ static void mdp5_crtc_reset(struct drm_crtc *crtc)
> > > >               mdp5_crtc_destroy_state(crtc, crtc->state);
> > > >
> > > >       __drm_atomic_helper_crtc_reset(crtc, &mdp5_cstate->base);
> > > > -
> > > > -     drm_crtc_vblank_reset(crtc);
> > > >  }
> > > >
> > > >  static const struct drm_crtc_funcs mdp5_crtc_funcs = {
> > > > diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
> > > > index 83f31c6e891c..9b308b572eac 100644
> > > > --- a/drivers/gpu/drm/tegra/dc.c
> > > > +++ b/drivers/gpu/drm/tegra/dc.c
> > > > @@ -1168,7 +1168,6 @@ static void tegra_crtc_reset(struct drm_crtc *crtc)
> > > >               tegra_crtc_atomic_destroy_state(crtc, crtc->state);
> > > >
> > > >       __drm_atomic_helper_crtc_reset(crtc, &state->base);
> > > > -     drm_crtc_vblank_reset(crtc);
> > > >  }
> > > >
> > > >  static struct drm_crtc_state *
> > > > diff --git a/drivers/gpu/drm/tidss/tidss_crtc.c b/drivers/gpu/drm/tidss/tidss_crtc.c
> > > > index 89a226912de8..4d01c4af61cd 100644
> > > > --- a/drivers/gpu/drm/tidss/tidss_crtc.c
> > > > +++ b/drivers/gpu/drm/tidss/tidss_crtc.c
> > > > @@ -352,8 +352,7 @@ static void tidss_crtc_reset(struct drm_crtc *crtc)
> > > >               return;
> > > >       }
> > > >
> > > > -     crtc->state = &tcrtc->base;
> > > > -     crtc->state->crtc = crtc;
> > > > +     __drm_atomic_helper_crtc_reset(crtc, &tcrtc->base);
> > > >  }
> > > >
> > > >  static struct drm_crtc_state *tidss_crtc_duplicate_state(struct drm_crtc *crtc)
> > > > diff --git a/drivers/gpu/drm/tidss/tidss_kms.c b/drivers/gpu/drm/tidss/tidss_kms.c
> > > > index 4b99e9fa84a5..e6ab59eed259 100644
> > > > --- a/drivers/gpu/drm/tidss/tidss_kms.c
> > > > +++ b/drivers/gpu/drm/tidss/tidss_kms.c
> > > > @@ -278,10 +278,6 @@ int tidss_modeset_init(struct tidss_device *tidss)
> > > >       if (ret)
> > > >               return ret;
> > > >
> > > > -     /* Start with vertical blanking interrupt reporting disabled. */
> > > > -     for (i = 0; i < tidss->num_crtcs; ++i)
> > > > -             drm_crtc_vblank_reset(tidss->crtcs[i]);
> > > > -
> > > >       drm_mode_config_reset(ddev);
> > > >
> > > >       dev_dbg(tidss->dev, "%s done\n", __func__);
> > > > --
> > > > 2.26.2
> > > >
> > >
> > > --
> > > ====================
> > > | I would like to |
> > > | fix the world,  |
> > > | but they're not |
> > > | giving me the   |
> > >  \ source code!  /
> > >   ---------------
> > >     ¯\_(ツ)_/¯
> >
> >
> >
> > --
> > Daniel Vetter
> > Software Engineer, Intel Corporation
> > +41 (0) 79 365 57 48 - http://blog.ffwll.ch
>
> --
> ====================
> | I would like to |
> | fix the world,  |
> | but they're not |
> | giving me the   |
>  \ source code!  /
>   ---------------
>     ¯\_(ツ)_/¯



-- 
Daniel Vetter
Software Engineer, Intel Corporation
+41 (0) 79 365 57 48 - http://blog.ffwll.ch


More information about the dri-devel mailing list