[PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return.

Mark Yacoub markyacoub at chromium.org
Wed Aug 11 17:55:25 UTC 2021 

From: Mark Yacoub <markyacoub at google.com>

[Why]
Userspace should get back a copy of the request that's been modified
even when drm_wait_vblank_ioctl returns a failure.

Rationale:
drm_wait_vblank_ioctl modifies the request and expects the user to read
back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
the sequence to become current_vblank_count + sequence (which was
relative), not it becomes absolute.
drmWaitVBlank (in libdrm), expects this to be the case as it modifies
the request to be Absolute as it expects the sequence to would have been
updated.

The change is in compat_drm_wait_vblank, which is called by
drm_compat_ioctl. This change of copying the data back regardless of the
return number makes it en par with drm_ioctl, which always copies the
data before returning.

[How]
Copy the drm_wait_vblank request.
Return from the function after everything has been copied to user.

Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
Tested on ChromeOS Trogdor(msm)

Signed-off-by: Mark Yacoub <markyacoub at chromium.org>
---
 drivers/gpu/drm/drm_ioc32.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
index d29907955ff79..275b860df8fbe 100644
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -855,17 +855,19 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
 	req.request.sequence = req32.request.sequence;
 	req.request.signal = req32.request.signal;
 	err = drm_ioctl_kernel(file, drm_wait_vblank_ioctl, &req, DRM_UNLOCKED);
-	if (err)
-		return err;
 
 	req32.reply.type = req.reply.type;
 	req32.reply.sequence = req.reply.sequence;
 	req32.reply.tval_sec = req.reply.tval_sec;
 	req32.reply.tval_usec = req.reply.tval_usec;
+	/* drm_wait_vblank_ioctl modifies Request, update their values here as well. */
+	req32.request.type = req.request.type;
+	req32.request.sequence = req.request.sequence;
+	req32.request.signal = req.request.signal;
 	if (copy_to_user(argp, &req32, sizeof(req32)))
 		return -EFAULT;
 
-	return 0;
+	return err;
 }
 
 #if defined(CONFIG_X86)
-- 
2.33.0.rc1.237.g0d66db33f3-goog

More information about the dri-devel mailing list