[PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return.

Michel Dänzer michel at daenzer.net
Thu Aug 12 09:26:28 UTC 2021 

On 2021-08-11 7:55 p.m., Mark Yacoub wrote:
> From: Mark Yacoub <markyacoub at google.com>
> 
> [Why]
> Userspace should get back a copy of the request that's been modified
> even when drm_wait_vblank_ioctl returns a failure.
> 
> Rationale:
> drm_wait_vblank_ioctl modifies the request and expects the user to read
> back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
> the sequence to become current_vblank_count + sequence (which was
> relative), not it becomes absolute.
> drmWaitVBlank (in libdrm), expects this to be the case as it modifies
> the request to be Absolute as it expects the sequence to would have been
> updated.
> 
> The change is in compat_drm_wait_vblank, which is called by
> drm_compat_ioctl. This change of copying the data back regardless of the
> return number makes it en par with drm_ioctl, which always copies the
> data before returning.
> 
> [How]
> Copy the drm_wait_vblank request.
> Return from the function after everything has been copied to user.
> 
> Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
> Tested on ChromeOS Trogdor(msm)
> 
> Signed-off-by: Mark Yacoub <markyacoub at chromium.org>
> ---
>  drivers/gpu/drm/drm_ioc32.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
> index d29907955ff79..275b860df8fbe 100644
> --- a/drivers/gpu/drm/drm_ioc32.c
> +++ b/drivers/gpu/drm/drm_ioc32.c
> @@ -855,17 +855,19 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
>  	req.request.sequence = req32.request.sequence;
>  	req.request.signal = req32.request.signal;
>  	err = drm_ioctl_kernel(file, drm_wait_vblank_ioctl, &req, DRM_UNLOCKED);
> -	if (err)
> -		return err;
>  
>  	req32.reply.type = req.reply.type;
>  	req32.reply.sequence = req.reply.sequence;
>  	req32.reply.tval_sec = req.reply.tval_sec;
>  	req32.reply.tval_usec = req.reply.tval_usec;
> +	/* drm_wait_vblank_ioctl modifies Request, update their values here as well. */
> +	req32.request.type = req.request.type;
> +	req32.request.sequence = req.request.sequence;
> +	req32.request.signal = req.request.signal;

The added assignments are superfluous, since req32.reply and req32.request are members of the same union.


>  	if (copy_to_user(argp, &req32, sizeof(req32)))
>  		return -EFAULT;
>  
> -	return 0;
> +	return err;
>  }

The other changes look correct.


-- 
Earthling Michel Dänzer               |               https://redhat.com
Libre software enthusiast             |             Mesa and X developer

More information about the dri-devel mailing list