On Wed, May 27, 2020 at 2:08 PM Liviu Dudau <liviu.dudau@xxxxxxx> wrote:
>
> On Wed, May 27, 2020 at 01:07:05PM +0200, Daniel Vetter wrote:
> > On Wed, May 27, 2020 at 12:57 PM Liviu Dudau <liviu.dudau@xxxxxxx> wrote:
> > >
> > > Hi Daniel,
> > >
> > > On Wed, May 27, 2020 at 11:53:32AM +0200, Daniel Vetter wrote:
> > > > Only when vblanks are supported ofc.
> > > >
> > > > Some drivers do this already, but most unfortunately missed it. This
> > > > opens up bugs after driver load, before the crtc is enabled for the
> > > > first time. syzbot spotted this when loading vkms as a secondary
> > > > output. Given how many drivers are buggy it's best to solve this once
> > > > and for all in shared helper code.
> > > >
> > > > Aside from moving the few existing calls to drm_crtc_vblank_reset into
> > > > helpers (i915 doesn't use helpers, so keeps its own) I think the
> > > > regression risk is minimal: atomic helpers already rely on drivers
> > > > calling drm_crtc_vblank_on/off correctly in their hooks when they
> > > > support vblanks. Any driver that's failing to handle vblanks after
> > > > this is missing those calls already, and vblanks could only work by
> > > > accident when enabling a CRTC for the first time right after boot.
> > > >
> > > > Big thanks to Tetsuo for helping track down what's going wrong here.
> > > >
> > > > There's only a few drivers which already had the necessary call and
> > > > needed some updating:
> > > > - komeda, atmel and tidss also needed to be changed to call
> > > >   __drm_atomic_helper_crtc_reset() instead of open coding it
> > > > - tegra and msm even had it in the same place already, just code
> > > >   motion, and malidp already uses __drm_atomic_helper_crtc_reset().
> > > >
> > > > Only call left is in i915, which doesn't use drm_mode_config_reset,
> > > > but has its own fastboot infrastructure. So that's the only case where
> > > > we actually want this in the driver still.
> > > >
> > > > I've also reviewed all other drivers which set up vblank support with
> > > > drm_vblank_init. After the previous patch fixing mxsfb all atomic
> > > > drivers do call drm_crtc_vblank_on/off as they should, the remaining
> > > > drivers are either legacy kms or legacy dri1 drivers, so not affected
> > > > by this change to atomic helpers.
> > > >
> > > > v2: Use the drm_dev_has_vblank() helper.
> > > >
> > > > Link: https://syzkaller.appspot.com/bug?id=0ba17d70d062b2595e1f061231474800f076c7cb
> > > > Reported-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> > > > Reported-by: syzbot+0871b14ca2e2fb64f6e3@xxxxxxxxxxxxxxxxxxxxxxxxx
> > > > Cc: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
> > > > Cc: "James (Qian) Wang" <james.qian.wang@xxxxxxx>
> > > > Cc: Liviu Dudau <liviu.dudau@xxxxxxx>
> > > > Cc: Mihail Atanassov <mihail.atanassov@xxxxxxx>
> > > > Cc: Brian Starkey <brian.starkey@xxxxxxx>
> > > > Cc: Sam Ravnborg <sam@xxxxxxxxxxxx>
> > > > Cc: Boris Brezillon <bbrezillon@xxxxxxxxxx>
> > > > Cc: Nicolas Ferre <nicolas.ferre@xxxxxxxxxxxxx>
> > > > Cc: Alexandre Belloni <alexandre.belloni@xxxxxxxxxxx>
> > > > Cc: Ludovic Desroches <ludovic.desroches@xxxxxxxxxxxxx>
> > > > Cc: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
> > > > Cc: Maxime Ripard <mripard@xxxxxxxxxx>
> > > > Cc: Thomas Zimmermann <tzimmermann@xxxxxxx>
> > > > Cc: David Airlie <airlied@xxxxxxxx>
> > > > Cc: Daniel Vetter <daniel@xxxxxxxx>
> > > > Cc: Thierry Reding <thierry.reding@xxxxxxxxx>
> > > > Cc: Jonathan Hunter <jonathanh@xxxxxxxxxx>
> > > > Cc: Jyri Sarha <jsarha@xxxxxx>
> > > > Cc: Tomi Valkeinen <tomi.valkeinen@xxxxxx>
> > > > Cc: Rob Clark <robdclark@xxxxxxxxx>
> > > > Cc: Sean Paul <seanpaul@xxxxxxxxxxxx>
> > > > Cc: Brian Masney <masneyb@xxxxxxxxxxxxx>
> > > > Cc: Emil Velikov <emil.velikov@xxxxxxxxxxxxx>
> > > > Cc: zhengbin <zhengbin13@xxxxxxxxxx>
> > > > Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> > > > Cc: linux-tegra@xxxxxxxxxxxxxxx
> > > > Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxxx> > > > > --- > > > > drivers/gpu/drm/arm/display/komeda/komeda_crtc.c | 7 ++----- > > > > drivers/gpu/drm/arm/malidp_drv.c | 1 - > > > > drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c | 7 ++----- > > > > drivers/gpu/drm/drm_atomic_state_helper.c | 4 ++++ > > > > drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c | 2 -- > > > > drivers/gpu/drm/tegra/dc.c | 1 - > > > > drivers/gpu/drm/tidss/tidss_crtc.c | 3 +-- > > > > drivers/gpu/drm/tidss/tidss_kms.c | 4 ---- > > > > 8 files changed, 9 insertions(+), 20 deletions(-) > > > > > > > > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c > > > > index 56bd938961ee..f33418d6e1a0 100644 > > > > --- a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c > > > > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c > > > > @@ -492,10 +492,8 @@ static void komeda_crtc_reset(struct drm_crtc *crtc) > > > > crtc->state = NULL; > > > > > > > > state = kzalloc(sizeof(*state), GFP_KERNEL); > > > > - if (state) { > > > > - crtc->state = &state->base; > > > > - crtc->state->crtc = crtc; > > > > - } > > > > + if (state) > > > > + __drm_atomic_helper_crtc_reset(crtc, &state->base); > > > > } > > > > > > > > static struct drm_crtc_state * > > > > @@ -616,7 +614,6 @@ static int komeda_crtc_add(struct komeda_kms_dev *kms, > > > > return err; > > > > > > > > drm_crtc_helper_add(crtc, &komeda_crtc_helper_funcs); > > > > - drm_crtc_vblank_reset(crtc); > > > > > > > > crtc->port = kcrtc->master->of_output_port; > > > > > > > > diff --git a/drivers/gpu/drm/arm/malidp_drv.c b/drivers/gpu/drm/arm/malidp_drv.c > > > > index c2507b7d8512..02904392e370 100644 > > > > --- a/drivers/gpu/drm/arm/malidp_drv.c > > > > +++ b/drivers/gpu/drm/arm/malidp_drv.c 
> > > > @@ -870,7 +870,6 @@ static int malidp_bind(struct device *dev) > > > > drm->irq_enabled = true; > > > > > > > > ret = drm_vblank_init(drm, drm->mode_config.num_crtc); > > > > - drm_crtc_vblank_reset(&malidp->crtc); > > > > > > It was a couple of years ago but I remember Alexandru-Cosmin tracking an issue around > > > this. The reason for resetting the vblank so early after calling drm_vblank_init was that > > > you could have userspace calling drm_wait_vblank() before crtc activation and in our > > > case it will trigger some warnings in the driver (details are fuzzy right now). The > > > relevant commit was cabce6343fd ("drm: mali-dp: Call drm_crtc_vblank_reset on device > > > init"). > > > > > > Have you done any testing with that scenario on any of the drivers? > > > > This is exactly the scenario that syzbot found and which goes boom > > (well infinite busy loop in the hrtimer) with vkms. So I looked at > > drivers and noticed that an overwhelming majority of them get this > > wrong, hence decided to do this once and for all in helpers. > > > > If you read the patch carefully, I'm only moving it, not removing it. > > That is what I'm questioning. The drm_crtc_vblank_reset() was placed right after > drm_vblank_init() for a good reason, by moving it the warning might come back. > I guess your answer will be that I need to do the testing on my own platform to find > out, I was just asking about status on other platforms. Userspace can't sneak in before we call drm_dev_register. Both before and after this patch the call to drm_crtc_vblank_reset() happens before that point, so if your only concern is userspace sneaking in a vblank ioctl, then it's all still safe. If there's other concerns, then that's different ofc. But before calling drm_mode_config_reset() any atomic commit will Oops, so there's really not a whole lot of code that might expect vblanks to work before that. I didn't find any in the driver (grep for vblank wait functions does that job).
-Daniel > > Best regards, > Liviu > > > -Daniel > > > > > > > > Best regards, > > > Liviu > > > > > > > if (ret < 0) { > > > > DRM_ERROR("failed to initialise vblank\n"); > > > > goto vblank_fail; > > > > diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c > > > > index 10985134ce0b..ce246b96330b 100644 > > > > --- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c > > > > +++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c > > > > @@ -411,10 +411,8 @@ static void atmel_hlcdc_crtc_reset(struct drm_crtc *crtc) > > > > } > > > > > > > > state = kzalloc(sizeof(*state), GFP_KERNEL); > > > > - if (state) { > > > > - crtc->state = &state->base; > > > > - crtc->state->crtc = crtc; > > > > - } > > > > + if (state) > > > > + __drm_atomic_helper_crtc_reset(crtc, &state->base); > > > > } > > > > > > > > static struct drm_crtc_state * > > > > @@ -528,7 +526,6 @@ int atmel_hlcdc_crtc_create(struct drm_device *dev) > > > > } > > > > > > > > drm_crtc_helper_add(&crtc->base, &lcdc_crtc_helper_funcs); > > > > - drm_crtc_vblank_reset(&crtc->base); > > > > > > > > drm_mode_crtc_set_gamma_size(&crtc->base, ATMEL_HLCDC_CLUT_SIZE); > > > > drm_crtc_enable_color_mgmt(&crtc->base, 0, false, > > > > diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c > > > > index 8fce6a115dfe..9ad74045158e 100644 > > > > --- a/drivers/gpu/drm/drm_atomic_state_helper.c > > > > +++ b/drivers/gpu/drm/drm_atomic_state_helper.c > > > > @@ -32,6 +32,7 @@ > > > > #include <drm/drm_device.h> > > > > #include <drm/drm_plane.h> > > > > #include <drm/drm_print.h> > > > > +#include <drm/drm_vblank.h> > > > > #include <drm/drm_writeback.h> > > > > > > > > #include <linux/slab.h> 
> > > > @@ -93,6 +94,9 @@ __drm_atomic_helper_crtc_reset(struct drm_crtc *crtc, > > > > if (crtc_state) > > > > __drm_atomic_helper_crtc_state_reset(crtc_state, crtc); > > > > > > > > + if (drm_dev_has_vblank(crtc->dev)) > > > > + drm_crtc_vblank_reset(crtc); > > > > + > > > > crtc->state = crtc_state; > > > > } > > > > EXPORT_SYMBOL(__drm_atomic_helper_crtc_reset); > > > > diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c > > > > index ca3368c828d0..9606185c284b 100644 > > > > --- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c > > > > +++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c > > > > @@ -1117,8 +1117,6 @@ static void mdp5_crtc_reset(struct drm_crtc *crtc) > > > > mdp5_crtc_destroy_state(crtc, crtc->state); > > > > > > > > __drm_atomic_helper_crtc_reset(crtc, &mdp5_cstate->base); > > > > - > > > > - drm_crtc_vblank_reset(crtc); > > > > } > > > > > > > > static const struct drm_crtc_funcs mdp5_crtc_funcs = { > > > > diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c > > > > index 83f31c6e891c..9b308b572eac 100644 > > > > --- a/drivers/gpu/drm/tegra/dc.c > > > > +++ b/drivers/gpu/drm/tegra/dc.c > > > > @@ -1168,7 +1168,6 @@ static void tegra_crtc_reset(struct drm_crtc *crtc) > > > > tegra_crtc_atomic_destroy_state(crtc, crtc->state); > > > > > > > > __drm_atomic_helper_crtc_reset(crtc, &state->base); > > > > - drm_crtc_vblank_reset(crtc); > > > > } > > > > > > > > static struct drm_crtc_state * > > > > diff --git a/drivers/gpu/drm/tidss/tidss_crtc.c b/drivers/gpu/drm/tidss/tidss_crtc.c > > > > index 89a226912de8..4d01c4af61cd 100644 > > > > --- a/drivers/gpu/drm/tidss/tidss_crtc.c > > > > +++ b/drivers/gpu/drm/tidss/tidss_crtc.c 
> > > > @@ -352,8 +352,7 @@ static void tidss_crtc_reset(struct drm_crtc *crtc) > > > > return; > > > > } > > > > > > > > - crtc->state = &tcrtc->base; > > > > - crtc->state->crtc = crtc; > > > > + __drm_atomic_helper_crtc_reset(crtc, &tcrtc->base); > > > > } > > > > > > > > static struct drm_crtc_state *tidss_crtc_duplicate_state(struct drm_crtc *crtc) > > > > diff --git a/drivers/gpu/drm/tidss/tidss_kms.c b/drivers/gpu/drm/tidss/tidss_kms.c > > > > index 4b99e9fa84a5..e6ab59eed259 100644 > > > > --- a/drivers/gpu/drm/tidss/tidss_kms.c > > > > +++ b/drivers/gpu/drm/tidss/tidss_kms.c > > > > @@ -278,10 +278,6 @@ int tidss_modeset_init(struct tidss_device *tidss) > > > > if (ret) > > > > return ret; > > > > > > > > - /* Start with vertical blanking interrupt reporting disabled. */ > > > > - for (i = 0; i < tidss->num_crtcs; ++i) > > > > - drm_crtc_vblank_reset(tidss->crtcs[i]); > > > > - > > > > drm_mode_config_reset(ddev); > > > > > > > > dev_dbg(tidss->dev, "%s done\n", __func__); > > > > -- > > > > 2.26.2 > > > > > > > > > > -- > > > ==================== > > > | I would like to | > > > | fix the world, | > > > | but they're not | > > > | giving me the | > > > \ source code! / > > > --------------- > > > ¯\_(ツ)_/¯ -- Daniel Vetter Software Engineer, Intel Corporation +41 (0) 79 365 57 48 - http://blog.ffwll.ch
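Review bot: in the komeda_crtc_reset hunk the helper call sits under `if (state)`, so when kzalloc fails neither crtc->state nor the vblank state gets reset, whereas the drm_crtc_vblank_reset() removed from komeda_crtc_add ran unconditionally. __drm_atomic_helper_crtc_reset already copes with a NULL state (`if (crtc_state)` guards the state reset and `crtc->state = crtc_state;` keeps the NULL), so calling `__drm_atomic_helper_crtc_reset(crtc, state ? &state->base : NULL);` unconditionally preserves the vblank reset on the allocation-failure path.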
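Review bot: the atmel_hlcdc_crtc_reset hunk has the same allocation-failure gap as komeda: with the helper only reached under `if (state)`, a failed kzalloc now skips drm_crtc_vblank_reset(), which atmel_hlcdc_crtc_create used to call unconditionally; pass `state ? &state->base : NULL` to the helper outside the `if` instead.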
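Review bot: the drm_atomic_state_helper.c hunk adds a side effect and an ordering requirement to __drm_atomic_helper_crtc_reset without touching its kerneldoc. Because the new call is gated on `drm_dev_has_vblank(crtc->dev)`, a driver whose reset hook runs (through drm_mode_config_reset) before drm_vblank_init silently gets no vblank reset at all; the doc comment should say that the helper now calls drm_crtc_vblank_reset() and that drm_vblank_init must precede drm_mode_config_reset for that to take effect.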
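Review bot: in the tidss_crtc_reset hunk the early `return;` visible in the context above the change still bypasses the helper, so on that path the vblank reset is skipped too, and the removed per-crtc loop in tidss_modeset_init no longer covers it; consider `__drm_atomic_helper_crtc_reset(crtc, NULL);` before that return so the crtc is left in a consistent state.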
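Review bot: the tidss_kms.c hunk removes the only visible use of `i` in tidss_modeset_init but leaves its declaration untouched; if nothing else in the function uses it, drop the declaration as well or the build will warn about an unused variable.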