[PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return.

Mark Yacoub markyacoub at chromium.org
Thu Aug 12 19:51:19 UTC 2021


On Thu, Aug 12, 2021 at 5:26 AM Michel Dänzer <michel at daenzer.net> wrote:
>
> On 2021-08-11 7:55 p.m., Mark Yacoub wrote:
> > From: Mark Yacoub <markyacoub at google.com>
> >
> > [Why]
> > Userspace should get back a copy of the request that's been modified
> > even when drm_wait_vblank_ioctl returns a failure.
> >
> > Rationale:
> > drm_wait_vblank_ioctl modifies the request and expects the user to read
> > back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
> > the sequence to become current_vblank_count + sequence (which was
> > relative), not it becomes absolute.
> > drmWaitVBlank (in libdrm), expects this to be the case as it modifies
> > the request to be Absolute as it expects the sequence to would have been
> > updated.
> >
> > The change is in compat_drm_wait_vblank, which is called by
> > drm_compat_ioctl. This change of copying the data back regardless of the
> > return number makes it en par with drm_ioctl, which always copies the
> > data before returning.
> >
> > [How]
> > Copy the drm_wait_vblank request.
> > Return from the function after everything has been copied to user.
> >
> > Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
> > Tested on ChromeOS Trogdor(msm)
> >
> > Signed-off-by: Mark Yacoub <markyacoub at chromium.org>
> > ---
> >  drivers/gpu/drm/drm_ioc32.c | 8 +++++---
> >  1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
> > index d29907955ff79..275b860df8fbe 100644
> > --- a/drivers/gpu/drm/drm_ioc32.c
> > +++ b/drivers/gpu/drm/drm_ioc32.c
> > @@ -855,17 +855,19 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
> >       req.request.sequence = req32.request.sequence;
> >       req.request.signal = req32.request.signal;
> >       err = drm_ioctl_kernel(file, drm_wait_vblank_ioctl, &req, DRM_UNLOCKED);
> > -     if (err)
> > -             return err;
> >
> >       req32.reply.type = req.reply.type;
> >       req32.reply.sequence = req.reply.sequence;
> >       req32.reply.tval_sec = req.reply.tval_sec;
> >       req32.reply.tval_usec = req.reply.tval_usec;
> > +     /* drm_wait_vblank_ioctl modifies Request, update their values here as well. */
> > +     req32.request.type = req.request.type;
> > +     req32.request.sequence = req.request.sequence;
> > +     req32.request.signal = req.request.signal;
>
> The added assignments are superfluous, since req32.reply and req32.request are members of the same union.
Noted.
>
>
> >       if (copy_to_user(argp, &req32, sizeof(req32)))
> >               return -EFAULT;
> >
> > -     return 0;
> > +     return err;
> >  }
>
> The other changes look correct.
Thanks! updated v2:
https://patchwork.freedesktop.org/patch/449768/?series=93605&rev=2
>
>
> --
> Earthling Michel Dänzer               |               https://redhat.com
> Libre software enthusiast             |             Mesa and X developer


More information about the dri-devel mailing list