[PATCH] drm/vboxvideo: Vmap/vunmap cursor BO in prepare_fb and cleanup_fb

Thomas Zimmermann tzimmermann at suse.de
Wed Feb 3 11:56:57 UTC 2021


Hi

Am 03.02.21 um 12:50 schrieb Hans de Goede:
> Hi,
> 
> On 2/3/21 12:14 PM, Thomas Zimmermann wrote:
>> Hi
>>
>> Am 03.02.21 um 11:44 schrieb Daniel Vetter:
>>> On Wed, Feb 03, 2021 at 11:34:21AM +0100, Thomas Zimmermann wrote:
>>>> Hi
>>>>
>>>> Am 03.02.21 um 11:29 schrieb Daniel Vetter:
>>>>> On Wed, Jan 27, 2021 at 03:05:03PM +0100, Thomas Zimmermann wrote:
>>>>>> Functions in the atomic commit tail are not allowed to acquire the
>>>>>> dmabuf's reservation lock. So we cannot legally call the GEM object's
>>>>>> vmap functionality in atomic_update.
>>>>>>
>>>>>> Instead vmap the cursor BO in prepare_fb and vunmap it in cleanup_fb.
>>>>>> The cursor plane state stores the mapping's address. The pinning of the
>>>>>> BO is implicitly done by vmap.
>>>>>>
>>>>>> As an extra benefit, there's no source of runtime errors left in
>>>>>> atomic_update.
>>>>>>
>>>>>> Signed-off-by: Thomas Zimmermann <tzimmermann at suse.de>
>>>>>
>>>>> Did you test this with my dma_fence_signalling annotations patches?
>>>>
>>>> Not with vbox. I did test similar code in my recent ast patchset. But I
>>>> think there's still a bug here, as there's no custom plane-reset function.
>>>
>>> Do right, KASAN should complain when you load the driver because the first
>>> state is a bit too small. But probably still within the kmalloc'ed block
>>> by sheer luck. Worth confirming that KASAN can catch this.
>>
>> I have KASAN enabled and I might just have missed the error message. I later saw the error with another driver after I already posted the vbox and ast patches.
>>
>> If you have the time, a look at the first half of the ast patchset might still be worth it. It removes the cursor-code abstraction and shouldn't be affected by the issue.
> 
> I must say I'm not entirely following this thread.
> 
> If I understand things correctly, there is some memory corruption
> introduced by this patch, so there will be a v2 fixing this ?
> 
> The reason why I'm asking is because I always try to test vboxvideo patches
> inside a vbox vm, but if a v2 is coming, there is not much use in me testing
> this version, correct ?

Yes, no point in testing ATM. There'll be a v2.

Best regards
Thomas

> 
> Regards,
> 
> Hans
> 
> 
> 
>>>>>> ---
>>>>>>     drivers/gpu/drm/vboxvideo/vbox_mode.c | 102 +++++++++++++++++++++-----
>>>>>>     1 file changed, 82 insertions(+), 20 deletions(-)
>>>>>>
>>>>>> diff --git a/drivers/gpu/drm/vboxvideo/vbox_mode.c b/drivers/gpu/drm/vboxvideo/vbox_mode.c
>>>>>> index dbc0dd53c69e..b5625a7d6cef 100644
>>>>>> --- a/drivers/gpu/drm/vboxvideo/vbox_mode.c
>>>>>> +++ b/drivers/gpu/drm/vboxvideo/vbox_mode.c
>>>>>> @@ -324,6 +324,19 @@ static void vbox_primary_atomic_disable(struct drm_plane *plane,
>>>>>>                         old_state->src_y >> 16);
>>>>>>     }
>>>>>> +struct vbox_cursor_plane_state {
>>>>>> +    struct drm_plane_state base;
>>>>>> +
>>>>>> +    /* Transitional state - do not export or duplicate */
>>>>>> +
>>>>>> +    struct dma_buf_map map;
>>>>>> +};
>>>>>> +
>>>>>> +static struct vbox_cursor_plane_state *to_vbox_cursor_plane_state(struct drm_plane_state *state)
>>>>>> +{
>>>>>> +    return container_of(state, struct vbox_cursor_plane_state, base);
>>>>>> +}
>>>>>> +
>>>>>>     static int vbox_cursor_atomic_check(struct drm_plane *plane,
>>>>>>                         struct drm_plane_state *new_state)
>>>>>>     {
>>>>>> @@ -381,14 +394,13 @@ static void vbox_cursor_atomic_update(struct drm_plane *plane,
>>>>>>             container_of(plane->dev, struct vbox_private, ddev);
>>>>>>         struct vbox_crtc *vbox_crtc = to_vbox_crtc(plane->state->crtc);
>>>>>>         struct drm_framebuffer *fb = plane->state->fb;
>>>>>> -    struct drm_gem_vram_object *gbo = drm_gem_vram_of_gem(fb->obj[0]);
>>>>>>         u32 width = plane->state->crtc_w;
>>>>>>         u32 height = plane->state->crtc_h;
>>>>>> +    struct vbox_cursor_plane_state *vbox_state = to_vbox_cursor_plane_state(plane->state);
>>>>>> +    struct dma_buf_map map = vbox_state->map;
>>>>>> +    u8 *src = map.vaddr; /* TODO: Use mapping abstraction properly */
>>>>>>         size_t data_size, mask_size;
>>>>>>         u32 flags;
>>>>>> -    struct dma_buf_map map;
>>>>>> -    int ret;
>>>>>> -    u8 *src;
>>>>>>         /*
>>>>>>          * VirtualBox uses the host windowing system to draw the cursor so
>>>>>> @@ -401,17 +413,6 @@ static void vbox_cursor_atomic_update(struct drm_plane *plane,
>>>>>>         vbox_crtc->cursor_enabled = true;
>>>>>> -    ret = drm_gem_vram_vmap(gbo, &map);
>>>>>> -    if (ret) {
>>>>>> -        /*
>>>>>> -         * BUG: we should have pinned the BO in prepare_fb().
>>>>>> -         */
>>>>>> -        mutex_unlock(&vbox->hw_mutex);
>>>>>> -        DRM_WARN("Could not map cursor bo, skipping update\n");
>>>>>> -        return;
>>>>>> -    }
>>>>>> -    src = map.vaddr; /* TODO: Use mapping abstraction properly */
>>>>>> -
>>>>>>         /*
>>>>>>          * The mask must be calculated based on the alpha
>>>>>>          * channel, one bit per ARGB word, and must be 32-bit
>>>>>> @@ -421,7 +422,6 @@ static void vbox_cursor_atomic_update(struct drm_plane *plane,
>>>>>>         data_size = width * height * 4 + mask_size;
>>>>>>         copy_cursor_image(src, vbox->cursor_data, width, height, mask_size);
>>>>>> -    drm_gem_vram_vunmap(gbo, &map);
>>>>>>         flags = VBOX_MOUSE_POINTER_VISIBLE | VBOX_MOUSE_POINTER_SHAPE |
>>>>>>             VBOX_MOUSE_POINTER_ALPHA;
>>>>>> @@ -458,6 +458,43 @@ static void vbox_cursor_atomic_disable(struct drm_plane *plane,
>>>>>>         mutex_unlock(&vbox->hw_mutex);
>>>>>>     }
>>>>>> +static int vbox_cursor_prepare_fb(struct drm_plane *plane, struct drm_plane_state *new_state)
>>>>>> +{
>>>>>> +    struct vbox_cursor_plane_state *new_vbox_state = to_vbox_cursor_plane_state(new_state);
>>>>>> +    struct drm_framebuffer *fb = new_state->fb;
>>>>>> +    struct drm_gem_vram_object *gbo;
>>>>>> +    struct dma_buf_map map;
>>>>>> +    int ret;
>>>>>> +
>>>>>> +    if (!fb)
>>>>>> +        return 0;
>>>>>> +
>>>>>> +    gbo = drm_gem_vram_of_gem(fb->obj[0]);
>>>>>> +
>>>>>> +    ret = drm_gem_vram_vmap(gbo, &map);
>>>>>> +    if (ret)
>>>>>> +        return ret;
>>>>>> +
>>>>>> +    new_vbox_state->map = map;
>>>>>> +
>>>>>> +    return 0;
>>>>>> +}
>>>>>> +
>>>>>> +static void vbox_cursor_cleanup_fb(struct drm_plane *plane, struct drm_plane_state *old_state)
>>>>>> +{
>>>>>> +    struct vbox_cursor_plane_state *old_vbox_state = to_vbox_cursor_plane_state(old_state);
>>>>>> +    struct drm_framebuffer *fb = old_state->fb;
>>>>>> +    struct dma_buf_map map = old_vbox_state->map;
>>>>>> +    struct drm_gem_vram_object *gbo;
>>>>>> +
>>>>>> +    if (!fb)
>>>>>> +        return;
>>>>>> +
>>>>>> +    gbo = drm_gem_vram_of_gem(fb->obj[0]);
>>>>>> +
>>>>>> +    drm_gem_vram_vunmap(gbo, &map);
>>>>>> +}
>>>>>> +
>>>>>>     static const u32 vbox_cursor_plane_formats[] = {
>>>>>>         DRM_FORMAT_ARGB8888,
>>>>>>     };
>>>>>> @@ -466,17 +503,42 @@ static const struct drm_plane_helper_funcs vbox_cursor_helper_funcs = {
>>>>>>         .atomic_check    = vbox_cursor_atomic_check,
>>>>>>         .atomic_update    = vbox_cursor_atomic_update,
>>>>>>         .atomic_disable    = vbox_cursor_atomic_disable,
>>>>>> -    .prepare_fb    = drm_gem_vram_plane_helper_prepare_fb,
>>>>>> -    .cleanup_fb    = drm_gem_vram_plane_helper_cleanup_fb,
>>>>>> +    .prepare_fb    = vbox_cursor_prepare_fb,
>>>>>> +    .cleanup_fb    = vbox_cursor_cleanup_fb,
>>>>>>     };
>>>>>> +static struct drm_plane_state *vbox_cursor_atomic_duplicate_state(struct drm_plane *plane)
>>>>>> +{
>>>>>> +    struct vbox_cursor_plane_state *new_vbox_state;
>>>>>> +    struct drm_device *dev = plane->dev;
>>>>>> +
>>>>>> +    if (drm_WARN_ON(dev, !plane->state))
>>>>>> +        return NULL;
>>>>>> +
>>>>>> +    new_vbox_state = kzalloc(sizeof(*new_vbox_state), GFP_KERNEL);
>>>>>> +    if (!new_vbox_state)
>>>>>> +        return NULL;
>>>>>> +    __drm_atomic_helper_plane_duplicate_state(plane, &new_vbox_state->base);
>>>>>> +
>>>>>> +    return &new_vbox_state->base;
>>>>>> +}
>>>>>> +
>>>>>> +static void vbox_cursor_atomic_destroy_state(struct drm_plane *plane,
>>>>>> +                         struct drm_plane_state *state)
>>>>>> +{
>>>>>> +    struct vbox_cursor_plane_state *vbox_state = to_vbox_cursor_plane_state(state);
>>>>>> +
>>>>>> +    __drm_atomic_helper_plane_destroy_state(&vbox_state->base);
>>>>>> +    kfree(vbox_state);
>>>>>> +}
>>>>>> +
>>>>>>     static const struct drm_plane_funcs vbox_cursor_plane_funcs = {
>>>>>>         .update_plane    = drm_atomic_helper_update_plane,
>>>>>>         .disable_plane    = drm_atomic_helper_disable_plane,
>>>>>>         .destroy    = drm_primary_helper_destroy,
>>>>>>         .reset        = drm_atomic_helper_plane_reset,
>>>>>> -    .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
>>>>>> -    .atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
>>>>>> +    .atomic_duplicate_state = vbox_cursor_atomic_duplicate_state,
>>>>>> +    .atomic_destroy_state = vbox_cursor_atomic_destroy_state,
>>>>>>     };
>>>>>>     static const u32 vbox_primary_plane_formats[] = {
>>>>>>
>>>>>> base-commit: 3836b7fdfad40e2bac5dc882332f42bed6942cf4
>>>>>> prerequisite-patch-id: c2b2f08f0eccc9f5df0c0da49fa1d36267deb11d
>>>>>> -- 
>>>>>> 2.30.0
>>>>>>
>>>>>
>>>>
>>>> -- 
>>>> Thomas Zimmermann
>>>> Graphics Driver Developer
>>>> SUSE Software Solutions Germany GmbH
>>>> Maxfeldstr. 5, 90409 Nürnberg, Germany
>>>> (HRB 36809, AG Nürnberg)
>>>> Geschäftsführer: Felix Imendörffer
>>>>
>>>
>>>
>>>
>>>
>>
> 
> _______________________________________________
> dri-devel mailing list
> dri-devel at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/dri-devel
> 

-- 
Thomas Zimmermann
Graphics Driver Developer
SUSE Software Solutions Germany GmbH
Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg)
Geschäftsführer: Felix Imendörffer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/dri-devel/attachments/20210203/9df0d6d5/attachment-0001.sig>


More information about the dri-devel mailing list