On Wed, 27 May 2020 11:47:57 +0200 Daniel Vetter <daniel.vetter@xxxxxxxx> wrote: > Only when vblanks are supported ofc. > > Some drivers do this already, but most unfortunately missed it. This > opens up bugs after driver load, before the crtc is enabled for the > first time. syzbot spotted this when loading vkms as a secondary > output. Given how many drivers are buggy it's best to solve this once > and for all in shared helper code. > > Aside from moving the few existing calls to drm_crtc_vblank_reset into > helpers (i915 doesn't use helpers, so keeps its own) I think the > regression risk is minimal: atomic helpers already rely on drivers > calling drm_crtc_vblank_on/off correctly in their hooks when they > support vblanks. And driver that's failing to handle vblanks after > this is missing those calls already, and vblanks could only work by > accident when enabling a CRTC for the first time right after boot. > > Big thanks to Tetsuo for helping track down what's going wrong here. > > There's only a few drivers which already had the necessary call and > needed some updating: > - komeda, atmel and tidss also needed to be changed to call > __drm_atomic_helper_crtc_reset() intead of open coding it > - tegra and msm even had it in the same place already, just code > motion, and malidp already uses __drm_atomic_helper_crtc_reset(). > > Only call left is in i915, which doesn't use drm_mode_config_reset, > but has its own fastboot infrastructure. So that's the only case where > we actually want this in the driver still. > > I've also reviewed all other drivers which set up vblank support with > drm_vblank_init. After the previous patch fixing mxsfb all atomic > drivers do call drm_crtc_vblank_on/off as they should, the remaining > drivers are either legacy kms or legacy dri1 drivers, so not affected > by this change to atomic helpers. > > Link: https://syzkaller.appspot.com/bug?id=0ba17d70d062b2595e1f061231474800f076c7cb > Reported-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> > Reported-by: syzbot+0871b14ca2e2fb64f6e3@xxxxxxxxxxxxxxxxxxxxxxxxx > Cc: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx> > Cc: "James (Qian) Wang" <james.qian.wang@xxxxxxx> > Cc: Liviu Dudau <liviu.dudau@xxxxxxx> > Cc: Mihail Atanassov <mihail.atanassov@xxxxxxx> > Cc: Brian Starkey <brian.starkey@xxxxxxx> > Cc: Sam Ravnborg <sam@xxxxxxxxxxxx> > Cc: Boris Brezillon <bbrezillon@xxxxxxxxxx> > Cc: Nicolas Ferre <nicolas.ferre@xxxxxxxxxxxxx> > Cc: Alexandre Belloni <alexandre.belloni@xxxxxxxxxxx> > Cc: Ludovic Desroches <ludovic.desroches@xxxxxxxxxxxxx> > Cc: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx> > Cc: Maxime Ripard <mripard@xxxxxxxxxx> > Cc: Thomas Zimmermann <tzimmermann@xxxxxxx> > Cc: David Airlie <airlied@xxxxxxxx> > Cc: Daniel Vetter <daniel@xxxxxxxx> > Cc: Thierry Reding <thierry.reding@xxxxxxxxx> > Cc: Jonathan Hunter <jonathanh@xxxxxxxxxx> > Cc: Jyri Sarha <jsarha@xxxxxx> > Cc: Tomi Valkeinen <tomi.valkeinen@xxxxxx> > Cc: Rob Clark <robdclark@xxxxxxxxx> > Cc: Sean Paul <seanpaul@xxxxxxxxxxxx> > Cc: Brian Masney <masneyb@xxxxxxxxxxxxx> > Cc: Emil Velikov <emil.velikov@xxxxxxxxxxxxx> > Cc: zhengbin <zhengbin13@xxxxxxxxxx> > Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > Cc: linux-tegra@xxxxxxxxxxxxxxx > Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxxx> > --- > drivers/gpu/drm/arm/display/komeda/komeda_crtc.c | 7 ++----- > drivers/gpu/drm/arm/malidp_drv.c | 1 - > drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c | 7 ++----- For atmel-hlcdc: Reviewed-by: Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx> > drivers/gpu/drm/drm_atomic_state_helper.c | 4 ++++ > drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c | 2 -- > drivers/gpu/drm/tegra/dc.c | 1 - > drivers/gpu/drm/tidss/tidss_crtc.c | 3 +-- > drivers/gpu/drm/tidss/tidss_kms.c | 4 ---- > 8 files changed, 9 insertions(+), 20 deletions(-) > > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c > index 56bd938961ee..f33418d6e1a0 100644 > --- a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c > @@ -492,10 +492,8 @@ static void komeda_crtc_reset(struct drm_crtc *crtc) > crtc->state = NULL; > > state = kzalloc(sizeof(*state), GFP_KERNEL); > - if (state) { > - crtc->state = &state->base; > - crtc->state->crtc = crtc; > - } > + if (state) > + __drm_atomic_helper_crtc_reset(crtc, &state->base); > } > > static struct drm_crtc_state * > @@ -616,7 +614,6 @@ static int komeda_crtc_add(struct komeda_kms_dev *kms, > return err; > > drm_crtc_helper_add(crtc, &komeda_crtc_helper_funcs); > - drm_crtc_vblank_reset(crtc); > > crtc->port = kcrtc->master->of_output_port; > > diff --git a/drivers/gpu/drm/arm/malidp_drv.c b/drivers/gpu/drm/arm/malidp_drv.c > index c2507b7d8512..02904392e370 100644 > --- a/drivers/gpu/drm/arm/malidp_drv.c > +++ b/drivers/gpu/drm/arm/malidp_drv.c > @@ -870,7 +870,6 @@ static int malidp_bind(struct device *dev) > drm->irq_enabled = true; > > ret = drm_vblank_init(drm, drm->mode_config.num_crtc); > - drm_crtc_vblank_reset(&malidp->crtc); > if (ret < 0) { > DRM_ERROR("failed to initialise vblank\n"); > goto vblank_fail; > diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c > index 10985134ce0b..ce246b96330b 100644 > --- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c > +++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c > @@ -411,10 +411,8 @@ static void atmel_hlcdc_crtc_reset(struct drm_crtc *crtc) > } > > state = kzalloc(sizeof(*state), GFP_KERNEL); > - if (state) { > - crtc->state = &state->base; > - crtc->state->crtc = crtc; > - } > + if (state) > + __drm_atomic_helper_crtc_reset(crtc, &state->base); > } > > static struct drm_crtc_state * > @@ -528,7 +526,6 @@ int atmel_hlcdc_crtc_create(struct drm_device *dev) > } > > drm_crtc_helper_add(&crtc->base, &lcdc_crtc_helper_funcs); > - drm_crtc_vblank_reset(&crtc->base); > > drm_mode_crtc_set_gamma_size(&crtc->base, ATMEL_HLCDC_CLUT_SIZE); > drm_crtc_enable_color_mgmt(&crtc->base, 0, false, > diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c > index 8fce6a115dfe..843964252239 100644 > --- a/drivers/gpu/drm/drm_atomic_state_helper.c > +++ b/drivers/gpu/drm/drm_atomic_state_helper.c > @@ -32,6 +32,7 @@ > #include <drm/drm_device.h> > #include <drm/drm_plane.h> > #include <drm/drm_print.h> > +#include <drm/drm_vblank.h> > #include <drm/drm_writeback.h> > > #include <linux/slab.h> > @@ -93,6 +94,9 @@ __drm_atomic_helper_crtc_reset(struct drm_crtc *crtc, > if (crtc_state) > __drm_atomic_helper_crtc_state_reset(crtc_state, crtc); > > + if (crtc->dev->num_crtcs) > + drm_crtc_vblank_reset(crtc); > + > crtc->state = crtc_state; > } > EXPORT_SYMBOL(__drm_atomic_helper_crtc_reset); > diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c > index ca3368c828d0..9606185c284b 100644 > --- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c > +++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c > @@ -1117,8 +1117,6 @@ static void mdp5_crtc_reset(struct drm_crtc *crtc) > mdp5_crtc_destroy_state(crtc, crtc->state); > > __drm_atomic_helper_crtc_reset(crtc, &mdp5_cstate->base); > - > - drm_crtc_vblank_reset(crtc); > } > > static const struct drm_crtc_funcs mdp5_crtc_funcs = { > diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c > index 83f31c6e891c..9b308b572eac 100644 > --- a/drivers/gpu/drm/tegra/dc.c > +++ b/drivers/gpu/drm/tegra/dc.c > @@ -1168,7 +1168,6 @@ static void tegra_crtc_reset(struct drm_crtc *crtc) > tegra_crtc_atomic_destroy_state(crtc, crtc->state); > > __drm_atomic_helper_crtc_reset(crtc, &state->base); > - drm_crtc_vblank_reset(crtc); > } > > static struct drm_crtc_state * > diff --git a/drivers/gpu/drm/tidss/tidss_crtc.c b/drivers/gpu/drm/tidss/tidss_crtc.c > index 89a226912de8..4d01c4af61cd 100644 > --- a/drivers/gpu/drm/tidss/tidss_crtc.c > +++ b/drivers/gpu/drm/tidss/tidss_crtc.c > @@ -352,8 +352,7 @@ static void tidss_crtc_reset(struct drm_crtc *crtc) > return; > } > > - crtc->state = &tcrtc->base; > - crtc->state->crtc = crtc; > + __drm_atomic_helper_crtc_reset(crtc, &tcrtc->base); > } > > static struct drm_crtc_state *tidss_crtc_duplicate_state(struct drm_crtc *crtc) > diff --git a/drivers/gpu/drm/tidss/tidss_kms.c b/drivers/gpu/drm/tidss/tidss_kms.c > index 4b99e9fa84a5..e6ab59eed259 100644 > --- a/drivers/gpu/drm/tidss/tidss_kms.c > +++ b/drivers/gpu/drm/tidss/tidss_kms.c > @@ -278,10 +278,6 @@ int tidss_modeset_init(struct tidss_device *tidss) > if (ret) > return ret; > > - /* Start with vertical blanking interrupt reporting disabled. */ > - for (i = 0; i < tidss->num_crtcs; ++i) > - drm_crtc_vblank_reset(tidss->crtcs[i]); > - > drm_mode_config_reset(ddev); > > dev_dbg(tidss->dev, "%s done\n", __func__);