5.4.y missing upstream commits 7beb691f and 51f644b4, causing: WARNING in vkms_vblank_simulate

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello Greg,
During Syzkaller reproducer testing on 5.4.y ( 5.4.121-rc1) the following warning occurred: 

WARNING in vkms_vblank_simulate
https://syzkaller.appspot.com//bug?id=0ba17d70d062b2595e1f061231474800f076c7cb
First, upstream commit 7beb691f was cherry-pick'd to 5.4.y as upstream commit 51f644b4 is dependent on it. 
drm: Initialize struct drm_crtc_state.no_vblank from device settings
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7beb691f1e6f349c9df3384a85e7a53c5601aaaf
Second, upstream commit 51f644b4 was cherry-pick'd to 5.4.y, the conflicts were resolved, and the warning no longer occurs (rebooted 10 times with the fix commits - no "WARNING in vkms_vblank_simulate" messages). 
drm/atomic-helper: reset vblank on crtc reset
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=51f644b40b4b794b28b982fdd5d0dd8ee63f9272
Cherry-pick'd upstream commit 51f644b4 with conflicts resolved (showing the cherry-pick'd commit ID): 

commit 39f1d9e81159fd1ff11c541b3310c0a204f8718e
Author: Daniel Vetter <daniel.vetter@xxxxxxxx>
Date:   Fri Jun 12 18:00:49 2020 +0200

    drm/atomic-helper: reset vblank on crtc reset

    Only when vblanks are supported ofc.

    Some drivers do this already, but most unfortunately missed it. This
    opens up bugs after driver load, before the crtc is enabled for the
    first time. syzbot spotted this when loading vkms as a secondary
    output. Given how many drivers are buggy it's best to solve this once
    and for all in shared helper code.

    Aside from moving the few existing calls to drm_crtc_vblank_reset into
    helpers (i915 doesn't use helpers, so keeps its own) I think the
    regression risk is minimal: atomic helpers already rely on drivers
    calling drm_crtc_vblank_on/off correctly in their hooks when they
    support vblanks. And driver that's failing to handle vblanks after
    this is missing those calls already, and vblanks could only work by
    accident when enabling a CRTC for the first time right after boot.

    Big thanks to Tetsuo for helping track down what's going wrong here.

    There's only a few drivers which already had the necessary call and
    needed some updating:
    - komeda, atmel and tidss also needed to be changed to call
      __drm_atomic_helper_crtc_reset() intead of open coding it
    - tegra and msm even had it in the same place already, just code
      motion, and malidp already uses __drm_atomic_helper_crtc_reset().
    - Laurent noticed that rcar-du and omap open-code their crtc reset and
      hence would actually be broken by this patch now. So fix them up by
      reusing the helpers, which brings the drm_crtc_vblank_reset() back.

    Only call left is in i915, which doesn't use drm_mode_config_reset,
    but has its own fastboot infrastructure. So that's the only case where
    we actually want this in the driver still.

    I've also reviewed all other drivers which set up vblank support with
    drm_vblank_init. After the previous patch fixing mxsfb all atomic
    drivers do call drm_crtc_vblank_on/off as they should, the remaining
    drivers are either legacy kms or legacy dri1 drivers, so not affected
    by this change to atomic helpers.

    v2: Use the drm_dev_has_vblank() helper.

    v3: Laurent pointed out that omap and rcar-du used drm_crtc_vblank_off
    instead of drm_crtc_vblank_reset. Adjust them too.

    v4: Laurent noticed that rcar-du and omap open-code their crtc reset
    and hence would actually be broken by this patch now. So fix them up
    by reusing the helpers, which brings the drm_crtc_vblank_reset() back.

    v5: also mention rcar-du and ompadrm in the proper commit message
    above (Laurent).

    Reviewed-by: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
    Acked-by: Maxime Ripard <mripard@xxxxxxxxxx>
    Cc: Laurent Pinchart <laurent.pinchart@xxxxxxxxxxxxxxxx>
    Reviewed-by: Boris Brezillon <boris.brezillon@xxxxxxxxxxxxx>
    Acked-by: Liviu Dudau <liviu.dudau@xxxxxxx>
    Acked-by: Thierry Reding <treding@xxxxxxxxxx>
    Link: https://syzkaller.appspot.com/bug?id=0ba17d70d062b2595e1f061231474800f076c7cb 
    Reported-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
    Reported-by: syzbot+0871b14ca2e2fb64f6e3@xxxxxxxxxxxxxxxxxxxxxxxxx
    Cc: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
    Cc: "James (Qian) Wang" <james.qian.wang@xxxxxxx>
    Cc: Liviu Dudau <liviu.dudau@xxxxxxx>
    Cc: Mihail Atanassov <mihail.atanassov@xxxxxxx>
    Cc: Brian Starkey <brian.starkey@xxxxxxx>
    Cc: Sam Ravnborg <sam@xxxxxxxxxxxx>
    Cc: Boris Brezillon <bbrezillon@xxxxxxxxxx>
    Cc: Nicolas Ferre <nicolas.ferre@xxxxxxxxxxxxx>
    Cc: Alexandre Belloni <alexandre.belloni@xxxxxxxxxxx>
    Cc: Ludovic Desroches <ludovic.desroches@xxxxxxxxxxxxx>
    Cc: Maarten Lankhorst <maarten.lankhorst@xxxxxxxxxxxxxxx>
    Cc: Maxime Ripard <mripard@xxxxxxxxxx>
    Cc: Thomas Zimmermann <tzimmermann@xxxxxxx>
    Cc: David Airlie <airlied@xxxxxxxx>
    Cc: Daniel Vetter <daniel@xxxxxxxx>
    Cc: Thierry Reding <thierry.reding@xxxxxxxxx>
    Cc: Jonathan Hunter <jonathanh@xxxxxxxxxx>
    Cc: Jyri Sarha <jsarha@xxxxxx>
    Cc: Tomi Valkeinen <tomi.valkeinen@xxxxxx>
    Cc: Rob Clark <robdclark@xxxxxxxxx>
    Cc: Sean Paul <seanpaul@xxxxxxxxxxxx>
    Cc: Brian Masney <masneyb@xxxxxxxxxxxxx>
    Cc: Emil Velikov <emil.velikov@xxxxxxxxxxxxx>
    Cc: zhengbin <zhengbin13@xxxxxxxxxx>
    Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
    Cc: linux-tegra@xxxxxxxxxxxxxxx
    Cc: Kieran Bingham <kieran.bingham+renesas@xxxxxxxxxxxxxxxx>
    Cc: linux-arm-kernel@xxxxxxxxxxxxxxxxxxx
    Cc: linux-renesas-soc@xxxxxxxxxxxxxxx
    Signed-off-by: Daniel Vetter <daniel.vetter@xxxxxxxxx>
    Link: https://patchwork.freedesktop.org/patch/msgid/20200612160056.2082681-1-daniel.vetter@xxxxxxxx 
    (cherry picked from commit 51f644b40b4b794b28b982fdd5d0dd8ee63f9272)
    Signed-off-by: George Kennedy <george.kennedy@xxxxxxxxxx>

    Conflicts:
        drivers/gpu/drm/tidss/tidss_crtc.c
        drivers/gpu/drm/tidss/tidss_kms.c
diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c 
index 52c4256..d301e55 100644
--- a/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_crtc.c
@@ -440,10 +440,8 @@ static void komeda_crtc_reset(struct drm_crtc *crtc)
     crtc->state = NULL;

     state = kzalloc(sizeof(*state), GFP_KERNEL);
-    if (state) {
-        crtc->state = &state->base;
-        crtc->state->crtc = crtc;
-    }
+    if (state)
+        __drm_atomic_helper_crtc_reset(crtc, &state->base);
 }

 static struct drm_crtc_state *
@@ -564,7 +562,6 @@ static int komeda_crtc_add(struct komeda_kms_dev *kms,
         return err;

     drm_crtc_helper_add(crtc, &komeda_crtc_helper_funcs);
-    drm_crtc_vblank_reset(crtc);

     crtc->port = kcrtc->master->of_output_port;
diff --git a/drivers/gpu/drm/arm/malidp_drv.c b/drivers/gpu/drm/arm/malidp_drv.c 
index 333b88a..566b183 100644
--- a/drivers/gpu/drm/arm/malidp_drv.c
+++ b/drivers/gpu/drm/arm/malidp_drv.c
@@ -865,7 +865,6 @@ static int malidp_bind(struct device *dev)
     drm->irq_enabled = true;

     ret = drm_vblank_init(drm, drm->mode_config.num_crtc);
-    drm_crtc_vblank_reset(&malidp->crtc);
     if (ret < 0) {
         DRM_ERROR("failed to initialise vblank\n");
         goto vblank_fail;
diff --git a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c 
index 1098513..ce246b9 100644
--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c
+++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c
@@ -411,10 +411,8 @@ static void atmel_hlcdc_crtc_reset(struct drm_crtc *crtc) 
     }

     state = kzalloc(sizeof(*state), GFP_KERNEL);
-    if (state) {
-        crtc->state = &state->base;
-        crtc->state->crtc = crtc;
-    }
+    if (state)
+        __drm_atomic_helper_crtc_reset(crtc, &state->base);
 }

 static struct drm_crtc_state *
@@ -528,7 +526,6 @@ int atmel_hlcdc_crtc_create(struct drm_device *dev)
     }

     drm_crtc_helper_add(&crtc->base, &lcdc_crtc_helper_funcs);
-    drm_crtc_vblank_reset(&crtc->base);

     drm_mode_crtc_set_gamma_size(&crtc->base, ATMEL_HLCDC_CLUT_SIZE);
     drm_crtc_enable_color_mgmt(&crtc->base, 0, false,
diff --git a/drivers/gpu/drm/drm_atomic_state_helper.c b/drivers/gpu/drm/drm_atomic_state_helper.c 
index d0a937f..9c16936 100644
--- a/drivers/gpu/drm/drm_atomic_state_helper.c
+++ b/drivers/gpu/drm/drm_atomic_state_helper.c
@@ -31,6 +31,7 @@
 #include <drm/drm_device.h>
 #include <drm/drm_plane.h>
 #include <drm/drm_print.h>
+#include <drm/drm_vblank.h>
 #include <drm/drm_writeback.h>

 #include <linux/slab.h>
@@ -76,6 +77,9 @@
     if (crtc_state)
         crtc_state->crtc = crtc;

+    if (drm_dev_has_vblank(crtc->dev))
+        drm_crtc_vblank_reset(crtc);
+
     crtc->state = crtc_state;
 }
 EXPORT_SYMBOL(__drm_atomic_helper_crtc_reset);
diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c 
index 3951468..dbfd113 100644
--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
+++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_crtc.c
@@ -1043,8 +1043,6 @@ static void mdp5_crtc_reset(struct drm_crtc *crtc)
         mdp5_crtc_destroy_state(crtc, crtc->state);

     __drm_atomic_helper_crtc_reset(crtc, &mdp5_cstate->base);
-
-    drm_crtc_vblank_reset(crtc);
 }

 static const struct drm_crtc_funcs mdp5_crtc_funcs = {
diff --git a/drivers/gpu/drm/omapdrm/omap_crtc.c b/drivers/gpu/drm/omapdrm/omap_crtc.c 
index f5e1880..cfeb424 100644
--- a/drivers/gpu/drm/omapdrm/omap_crtc.c
+++ b/drivers/gpu/drm/omapdrm/omap_crtc.c
@@ -698,14 +698,16 @@ static int omap_crtc_atomic_get_property(struct drm_crtc *crtc, 

 static void omap_crtc_reset(struct drm_crtc *crtc)
 {
+    struct omap_crtc_state *state;
+
     if (crtc->state)
         __drm_atomic_helper_crtc_destroy_state(crtc->state);

     kfree(crtc->state);
-    crtc->state = kzalloc(sizeof(struct omap_crtc_state), GFP_KERNEL);

-    if (crtc->state)
-        crtc->state->crtc = crtc;
+    state = kzalloc(sizeof(*state), GFP_KERNEL);
+    if (state)
 }

 static struct drm_crtc_state *
diff --git a/drivers/gpu/drm/omapdrm/omap_drv.c b/drivers/gpu/drm/omapdrm/omap_drv.c 
index 2983c00..672b0d3 100644
--- a/drivers/gpu/drm/omapdrm/omap_drv.c
+++ b/drivers/gpu/drm/omapdrm/omap_drv.c
@@ -557,7 +557,6 @@ static int omapdrm_init(struct omap_drm_private *priv, struct device *dev) 
 {
     const struct soc_device_attribute *soc;
     struct drm_device *ddev;
-    unsigned int i;
     int ret;

     DBG("%s", dev_name(dev));
@@ -604,9 +603,6 @@ static int omapdrm_init(struct omap_drm_private *priv, struct device *dev) 
         goto err_cleanup_modeset;
     }

-    for (i = 0; i < priv->num_pipes; i++)
-        drm_crtc_vblank_off(priv->pipes[i].crtc);
-
     omap_fbdev_init(ddev);

     drm_kms_helper_poll_init(ddev);
diff --git a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c 
index 2da46e3..6d0280c 100644
--- a/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
+++ b/drivers/gpu/drm/rcar-du/rcar_du_crtc.c
@@ -910,8 +910,7 @@ static void rcar_du_crtc_reset(struct drm_crtc *crtc)
     state->crc.source = VSP1_DU_CRC_NONE;
     state->crc.index = 0;

-    crtc->state = &state->state;
-    crtc->state->crtc = crtc;
+    __drm_atomic_helper_crtc_reset(crtc, &state->state);
 }

 static int rcar_du_crtc_enable_vblank(struct drm_crtc *crtc)
@@ -1196,9 +1195,6 @@ int rcar_du_crtc_create(struct rcar_du_group *rgrp, unsigned int swindex, 

     drm_crtc_helper_add(crtc, &crtc_helper_funcs);

-    /* Start with vertical blanking interrupt reporting disabled. */
-    drm_crtc_vblank_off(crtc);
-
     /* Register the interrupt handler. */
     if (rcar_du_has(rcdu, RCAR_DU_FEATURE_CRTC_IRQ_CLOCK)) {
         /* The IRQ's are associated with the CRTC (sw)index. */
diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
index 617cbe4..75c7068 100644
--- a/drivers/gpu/drm/tegra/dc.c
+++ b/drivers/gpu/drm/tegra/dc.c
@@ -1166,7 +1166,6 @@ static void tegra_crtc_reset(struct drm_crtc *crtc)
         tegra_crtc_atomic_destroy_state(crtc, crtc->state);

     __drm_atomic_helper_crtc_reset(crtc, &state->base);
-    drm_crtc_vblank_reset(crtc);
 }

 static struct drm_crtc_state *


[  101.335429] ------------[ cut here ]------------
[  101.336576] WARNING: CPU: 1 PID: 0 at drivers/gpu/drm/vkms/vkms_crtc.c:91 vkms_get_vblank_timestamp+0x10a/0x140 
[  101.338952] Modules linked in:
[  101.339701] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.4.121-rc1-syzk #1
[  101.344331] RIP: 0010:vkms_get_vblank_timestamp+0x10a/0x140
[  101.345660] Code: 03 80 3c 02 00 75 4f 4d 2b b5 80 10 00 00 4d 89 34 24 e8 d9 4e a7 fc b8 01 00 00 00 5b 41 5c 41 5d 41 5e 5d c3 e8 c6 4e a7 fc <0f> 0b eb e4 e8 3d a0 e6 fc e9 27 ff ff ff e8 33 a0 e6 fc eb 91 4c [  101.351293] RAX: ffff888107a65d00 RBX: 000000179647991a RCX: ffffffff84cde2af [  101.352976] RDX: 0000000000000100 RSI: ffffffff84cde2fa RDI: 0000000000000006 [  101.354662] RBP: ffff88810b289ba8 R08: ffff888107a65d00 R09: ffffed1021651398 [  101.356361] R10: ffffed1021651398 R11: 0000000000000003 R12: ffff88810b289cb0 [  101.358037] R13: ffff88810a89c000 R14: 000000179647991a R15: 0000000000004e20 [  101.359718] FS:  0000000000000000(0000) GS:ffff88810b280000(0000) knlGS:0000000000000000 
[  101.361627] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  101.362992] CR2: 00007f82b0154000 CR3: 0000000109460000 CR4: 00000000000006e0 [  101.364684] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [  101.366369] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 
[  101.368043] Call Trace:
[  101.368652]  <IRQ>
[  101.369159]  ? vkms_crtc_atomic_flush+0x2d0/0x2d0
[  101.370296]  drm_get_last_vbltimestamp+0x106/0x1b0
[  101.371446]  ? drm_crtc_set_max_vblank_count+0x1a0/0x1a0
[  101.372715]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  101.374001]  drm_update_vblank_count+0x17a/0x800
[  101.375107]  ? store_vblank+0x1d0/0x1d0
[  101.376038]  ? __kasan_check_write+0x14/0x20
[  101.377071]  drm_vblank_disable_and_save+0x13a/0x3d0
[  101.378265]  ? vblank_disable_fn+0x101/0x180
[  101.379296]  vblank_disable_fn+0x14b/0x180
[  101.380282]  ? drm_vblank_disable_and_save+0x3d0/0x3d0
[  101.381508]  call_timer_fn+0x50/0x310
[  101.382393]  ? drm_vblank_disable_and_save+0x3d0/0x3d0
[  101.383621]  ? drm_vblank_disable_and_save+0x3d0/0x3d0
[  101.384849]  run_timer_softirq+0x76f/0x13e0
[  101.385857]  ? del_timer_sync+0xb0/0xb0
[  101.386792]  ? irq_work_interrupt+0xf/0x20
[  101.387776]  ? irq_work_interrupt+0xa/0x20
[  101.388761]  __do_softirq+0x18d/0x623
[  101.389647]  irq_exit+0x1fc/0x220
[  101.390454]  smp_apic_timer_interrupt+0xf0/0x380
[  101.391565]  apic_timer_interrupt+0xf/0x20
[  101.392547]  </IRQ>
[  101.393073] RIP: 0010:native_safe_halt+0x12/0x20
[  101.394178] Code: 96 fe ff ff 48 89 df e8 ac c1 fc f3 eb 92 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 e9 07 00 00 00 0f 00 2d 10 ee 50 00 fb f4 <5d> c3 66 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 e9 07 00 00 [  101.398541] RSP: 0018:ffff888107aafd48 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 [  101.400326] RAX: ffffffff8db7b830 RBX: ffff888107a65d00 RCX: ffffffff8db7c532 [  101.402004] RDX: 1ffff11020f4cba0 RSI: 0000000000000008 RDI: ffff888107a65d00 [  101.403680] RBP: ffff888107aafd48 R08: ffffed1020f4cba1 R09: ffffed1020f4cba1 [  101.405361] R10: ffffed1020f4cba0 R11: ffff888107a65d07 R12: 0000000000000001 [  101.407041] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 
[  101.408729]  ? __cpuidle_text_start+0x8/0x8
[  101.409735]  ? default_idle_call+0x32/0x70
[  101.410722]  default_idle+0x24/0x2c0
[  101.411589]  arch_cpu_idle+0x15/0x20
[  101.412459]  default_idle_call+0x5f/0x70
[  101.413405]  do_idle+0x30f/0x3d0
[  101.414185]  ? arch_cpu_idle_exit+0x40/0x40
[  101.415188]  ? complete+0x67/0x80
[  101.415992]  cpu_startup_entry+0x1d/0x20
[  101.416937]  start_secondary+0x2ec/0x3d0
[  101.417879]  ? set_cpu_sibling_map+0x2620/0x2620
[  101.418986]  secondary_startup_64+0xb6/0xc0
[  101.420001] ---[ end trace 6143b67a4d795a3a ]---

Thank you,
George
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux