Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp2279253imb; Mon, 4 Mar 2019 00:36:20 -0800 (PST) X-Google-Smtp-Source: APXvYqy9BbEkmeVHUBTVhIaawQydnS0el1xhciYWwGtICHsVWYI6crVeQaZ9HICV/DrY18aTNHNz X-Received: by 2002:a17:902:b117:: with SMTP id q23mr19619513plr.160.1551688580541; Mon, 04 Mar 2019 00:36:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551688580; cv=none; d=google.com; s=arc-20160816; b=UpViTFr/bso40YG0TSln/nSvuXk42td4Tqe9X/qiysPVEZt6U5rS+s36KknnRKS8z6 kpFDBDSRaWXjkRbpehvMF7Vuhxzm77VMoKvYl1IO1kvvFuVnNjjh0A0+pVTsovEGSV48 X7yUU+Jk9zFODNCbd772bxaWjZKqu8D8D5EGiJ1NEqkWLbALJc7DzzY/WGKeW8pPLGQv 0yfn0aQywpxi1Ol27A0wr3IX0ecWXIAoSQN1UChAz+BgzyrPkJm6yctG/gNvnhRX6jCV SQkK23IYQspQ6FJFQVdvZhoUf7hHmypH4UTw5GI7rilRjedo83zP3M3EZjnFg8Rh8FIk gDUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=E18iaVuAC4PKtB8fhIqtsvEC9J5ns5m3NGSy60Sh0lM=; b=FA11N9r1wbFF/OKtMuUk/8hzNejOqQKgD6KtxYHSCrr882tyuY/KcEVOapgxKzH/bN CpNWJz+Z/MHDX9W+LxfJT7wfoe8kc77M8ZPi/3FnCBONrZ+GxRmltOtb4QajcNfeUig2 2wk60+9Et3l6c6CfHOM3OkNt+0KnNVpX1/3MWT3ZFJs4uik1tsYdo81M1kitY0qkaPiu alyQmFMVSe1J6B15wKudNmfK8dBXhT6WMf2QhuZr45PVXJ+MHikyt/qBY5F0Z1yWbNq8 9OgCTktWr9xXLPUBxQzyHZpIx0a4BWu/aTPnonU8ygT2kg04BGq9y9aOZaosXQHXfXrk +Rjw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=TJPDzxec; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k91si5092437pld.86.2019.03.04.00.36.02; Mon, 04 Mar 2019 00:36:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=TJPDzxec; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728494AbfCDIfm (ORCPT + 99 others); Mon, 4 Mar 2019 03:35:42 -0500 Received: from mail.kernel.org ([198.145.29.99]:43962 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728481AbfCDIfk (ORCPT ); Mon, 4 Mar 2019 03:35:40 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 16FE521473; Mon, 4 Mar 2019 08:35:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1551688539; bh=FCNvQ+y3/Xuhgyc+0HGBq/fjquQaiqFj9VNWsQKipdo=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TJPDzxec1N716XyPu/3yZQGjVbmhGi1eRxEhtcvPceEFJmXg0tBEBZLD6Za/MuC7K 0KfdgOMDYTaMlB8S4SzsdPCHpof9FfHwtm3pte+hHocPCwrxb5tMXV4kiPXXOB19wX 1hbJCDPTJEvgi4KXNOTZcA5sR6g2QF+hOinRcY1I= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniel Vetter , Harry Wentland , Andrey Grodzovsky , Nicholas Kazlauskas , Daniel Vetter , Dave Airlie Subject: [PATCH 4.20 76/88] drm: Block fb changes for async plane updates Date: Mon, 4 Mar 2019 09:22:59 +0100 Message-Id: <20190304081633.653211310@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190304081630.610632175@linuxfoundation.org> References: <20190304081630.610632175@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Nicholas Kazlauskas commit 2216322919c8608a448d7ebc560a845238a5d6b6 upstream. The prepare_fb call always happens on new_plane_state. The drm_atomic_helper_cleanup_planes checks to see if plane state pointer has changed when deciding to call cleanup_fb on either the new_plane_state or the old_plane_state. For a non-async atomic commit the state pointer is swapped, so this helper calls prepare_fb on the new_plane_state and cleanup_fb on the old_plane_state. This makes sense, since we want to prepare the framebuffer we are going to use and cleanup the the framebuffer we are no longer using. For the async atomic update helpers this differs. The async atomic update helpers perform in-place updates on the existing state. They call drm_atomic_helper_cleanup_planes but the state pointer is not swapped. This means that prepare_fb is called on the new_plane_state and cleanup_fb is called on the new_plane_state (not the old). In the case where old_plane_state->fb == new_plane_state->fb then there should be no behavioral difference between an async update and a non-async commit. But there are issues that arise when old_plane_state->fb != new_plane_state->fb. The first is that the new_plane_state->fb is immediately cleaned up after it has been prepared, so we're using a fb that we shouldn't be. The second occurs during a sequence of async atomic updates and non-async regular atomic commits. Suppose there are two framebuffers being interleaved in a double-buffering scenario, fb1 and fb2: - Async update, oldfb = NULL, newfb = fb1, prepare fb1, cleanup fb1 - Async update, oldfb = fb1, newfb = fb2, prepare fb2, cleanup fb2 - Non-async commit, oldfb = fb2, newfb = fb1, prepare fb1, cleanup fb2 We call cleanup_fb on fb2 twice in this example scenario, and any further use will result in use-after-free. The simple fix to this problem is to block framebuffer changes in the drm_atomic_helper_async_check function for now. v2: Move check by itself, add a FIXME (Daniel) Cc: Daniel Vetter Cc: Harry Wentland Cc: Andrey Grodzovsky Cc: # v4.14+ Fixes: fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update") Signed-off-by: Nicholas Kazlauskas Acked-by: Andrey Grodzovsky Acked-by: Harry Wentland Reviewed-by: Daniel Vetter Signed-off-by: Harry Wentland Link: https://patchwork.freedesktop.org/patch/275364/ Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/drm_atomic_helper.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -1584,6 +1584,15 @@ int drm_atomic_helper_async_check(struct old_plane_state->crtc != new_plane_state->crtc) return -EINVAL; + /* + * FIXME: Since prepare_fb and cleanup_fb are always called on + * the new_plane_state for async updates we need to block framebuffer + * changes. This prevents use of a fb that's been cleaned up and + * double cleanups from occuring. + */ + if (old_plane_state->fb != new_plane_state->fb) + return -EINVAL; + funcs = plane->helper_private; if (!funcs->atomic_async_update) return -EINVAL;