<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="text-align:left; direction:ltr;">
<div>Hi, Hsin-yi:</div>
<div><br>
</div>
<div>On Fri, 2024-02-23 at 13:23 -0800, Hsin-Yi Wang wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<pre>It's possible that mtk_crtc->event is NULL in</pre>
<pre>mtk_drm_crtc_finish_page_flip().</pre>
<pre><br></pre>
<pre>pending_needs_vblank value is set by mtk_crtc->event, but in</pre>
<pre>mtk_drm_crtc_atomic_flush(), it's not guarded by the same</pre>
<pre>lock in mtk_drm_finish_page_flip(), thus a race condition happens.</pre>
<pre><br></pre>
<pre>Consider the following case:</pre>
<pre><br></pre>
<pre>CPU1                              CPU2</pre>
<pre>step 1:</pre>
<pre>mtk_drm_crtc_atomic_begin()</pre>
<pre>mtk_crtc->event is not null,</pre>
<pre>                                  step 1:</pre>
<pre>                                  mtk_drm_crtc_atomic_flush:</pre>
<pre>                                  mtk_drm_crtc_update_config(</pre>
<pre>                                      !!mtk_crtc->event)</pre>
<pre>step 2:</pre>
<pre>mtk_crtc_ddp_irq -></pre>
<pre>mtk_drm_finish_page_flip:</pre>
<pre>lock</pre>
<pre>mtk_crtc->event set to null,</pre>
<pre>pending_needs_vblank set to false</pre>
<pre>unlock</pre>
<pre>                                  pending_needs_vblank set to true,</pre>
<pre><br></pre>
<pre>                                  step 2:</pre>
<pre>                                  mtk_crtc_ddp_irq -></pre>
<pre>                                  mtk_drm_finish_page_flip called again,</pre>
<pre>                                  pending_needs_vblank is still true</pre>
<pre>                                  //null pointer</pre>
<pre><br></pre>
<pre>Instead of guarding the entire mtk_drm_crtc_atomic_flush(), it's more</pre>
<pre>efficient to just check if mtk_crtc->event is null before use.</pre>
<pre><br></pre>
<pre>Signed-off-by: Hsin-Yi Wang <<a href="mailto:hsinyi@chromium.org">hsinyi@chromium.org</a>></pre>
<pre>Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")</pre>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>Reviewed-by: CK Hu &lt;ck.hu@mediatek.com&gt;</div>
<div><br>
</div>
<div><br>
</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
<pre>---</pre>
<pre> drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 12 +++++++-----</pre>
<pre> 1 file changed, 7 insertions(+), 5 deletions(-)</pre>
<pre><br></pre>
<pre>diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c</pre>
<pre>index db43f9dff912..d645b85f9721 100644</pre>
<pre>--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c</pre>
<pre>+++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c</pre>
<pre>@@ -95,11 +95,13 @@ static void mtk_drm_crtc_finish_page_flip(struct mtk_drm_crtc *mtk_crtc)</pre>
<pre>     struct drm_crtc *crtc = &mtk_crtc->base;</pre>
<pre>     unsigned long flags;</pre>
<pre> </pre>
<pre>-    spin_lock_irqsave(&crtc->dev->event_lock, flags);</pre>
<pre>-    drm_crtc_send_vblank_event(crtc, mtk_crtc->event);</pre>
<pre>-    drm_crtc_vblank_put(crtc);</pre>
<pre>-    mtk_crtc->event = NULL;</pre>
<pre>-    spin_unlock_irqrestore(&crtc->dev->event_lock, flags);</pre>
<pre>+    if (mtk_crtc->event) {</pre>
<pre>+            spin_lock_irqsave(&crtc->dev->event_lock, flags);</pre>
<pre>+            drm_crtc_send_vblank_event(crtc, mtk_crtc->event);</pre>
<pre>+            drm_crtc_vblank_put(crtc);</pre>
<pre>+            mtk_crtc->event = NULL;</pre>
<pre>+            spin_unlock_irqrestore(&crtc->dev->event_lock, flags);</pre>
<pre>+    }</pre>
<pre> }</pre>
<pre> </pre>
<pre> static void mtk_drm_finish_page_flip(struct mtk_drm_crtc *mtk_crtc)</pre>
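</blockquote>
<div>Review bot: The new "if (mtk_crtc->event)" test at the top of mtk_drm_crtc_finish_page_flip() runs before spin_lock_irqsave() takes event_lock, so the NULL check and the later drm_crtc_send_vblank_event(crtc, mtk_crtc->event) call read the pointer at two different times. The commit message describes this function being entered again after the event was cleared; if two such calls can overlap, both can pass the unlocked test and the second one still hands NULL to drm_crtc_send_vblank_event(). Taking event_lock first and testing mtk_crtc->event inside the critical section would keep the check, the send, drm_crtc_vblank_put() and the clear atomic with respect to each other. A one-line comment at the check saying why the event can already be NULL here (the stale pending_needs_vblank case from the commit message) would also help later readers.</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">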
<pre>-- </pre>
<pre>2.44.0.rc0.258.g7320e95886-goog</pre>
<pre><br></pre>
</blockquote>
</body>
</html>