Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
MIME-Version: 1.0
References: <20191104173737.142558-1-robdclark@gmail.com>
In-Reply-To: <20191104173737.142558-1-robdclark@gmail.com>
From:   Rob Clark <robdclark@chromium.org>
Date:   Tue, 5 Nov 2019 19:46:59 -0800
Message-ID: <CAJs_Fx4qbQXdDmxB4-F+vJTBr7y2YkSvGbOVGid6T1=HGZer6Q@mail.gmail.com>
Subject: Re: [PATCH 1/2 v2] drm/atomic: fix self-refresh helpers crtc state dereference
To:     Rob Clark <robdclark@gmail.com>
Cc:     dri-devel <dri-devel@lists.freedesktop.org>,
        Sean Paul <seanpaul@chromium.org>,
        Maarten Lankhorst <maarten.lankhorst@linux.intel.com>,
        Maxime Ripard <mripard@kernel.org>,
        Sean Paul <sean@poorly.run>, David Airlie <airlied@linux.ie>,
        Daniel Vetter <daniel@ffwll.ch>,
        open list <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Mon, Nov 4, 2019 at 9:39 AM Rob Clark <robdclark@gmail.com> wrote:
>
> From: Rob Clark <robdclark@chromium.org>
>
> drm_self_refresh_helper_update_avg_times() was incorrectly accessing the
> new incoming state after drm_atomic_helper_commit_hw_done().  But this
> state might have already been superceeded by an !nonblock atomic update
> resulting in dereferencing an already free'd crtc_state.
>
> TODO I *think* this will more or less do the right thing.. althought I'm
> not 100% sure if, for example, we enter psr in a nonblock commit, and
> then leave psr in a !nonblock commit that overtakes the completion of
> the nonblock commit.  Not sure if this sort of scenario can happen in
> practice.  But not crashing is better than crashing, so I guess we
> should either take this patch or rever the self-refresh helpers until
> Sean can figure out a better solution.

btw, I think we can drop this TODO para from the commit msg.. but
would be nice to get this (1/2) landed in v5.4-fixes as it fixes an
actual regressions..

patch 2/2 probably shouldn't be for v5.4, since according to kbuild
robot it is turning up some other problems.. but I still think it is
probably a good idea

BR,
-R

>
> Fixes: d4da4e33341c ("drm: Measure Self Refresh Entry/Exit times to avoid thrashing")
> Cc: Sean Paul <seanpaul@chromium.org>
> Signed-off-by: Rob Clark <robdclark@chromium.org>
> ---
>  drivers/gpu/drm/drm_atomic_helper.c       | 14 +++++++++++++-
>  drivers/gpu/drm/drm_self_refresh_helper.c | 15 +++++++++------
>  include/drm/drm_self_refresh_helper.h     |  3 ++-
>  3 files changed, 24 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> index 3ef2ac52ce94..648494c813e5 100644
> --- a/drivers/gpu/drm/drm_atomic_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_helper.c
> @@ -1581,8 +1581,11 @@ static void commit_tail(struct drm_atomic_state *old_state)
>  {
>         struct drm_device *dev = old_state->dev;
>         const struct drm_mode_config_helper_funcs *funcs;
> +       struct drm_crtc_state *new_crtc_state;
> +       struct drm_crtc *crtc;
>         ktime_t start;
>         s64 commit_time_ms;
> +       unsigned i, new_self_refresh_mask = 0;
>
>         funcs = dev->mode_config.helper_private;
>
> @@ -1602,6 +1605,14 @@ static void commit_tail(struct drm_atomic_state *old_state)
>
>         drm_atomic_helper_wait_for_dependencies(old_state);
>
> +       /*
> +        * We cannot safely access new_crtc_state after drm_atomic_helper_commit_hw_done()
> +        * so figure out which crtc's have self-refresh active beforehand:
> +        */
> +       for_each_new_crtc_in_state(old_state, crtc, new_crtc_state, i)
> +               if (new_crtc_state->self_refresh_active)
> +                       new_self_refresh_mask |= BIT(i);
> +
>         if (funcs && funcs->atomic_commit_tail)
>                 funcs->atomic_commit_tail(old_state);
>         else
> @@ -1610,7 +1621,8 @@ static void commit_tail(struct drm_atomic_state *old_state)
>         commit_time_ms = ktime_ms_delta(ktime_get(), start);
>         if (commit_time_ms > 0)
>                 drm_self_refresh_helper_update_avg_times(old_state,
> -                                                (unsigned long)commit_time_ms);
> +                                                (unsigned long)commit_time_ms,
> +                                                new_self_refresh_mask);
>
>         drm_atomic_helper_commit_cleanup_done(old_state);
>
> diff --git a/drivers/gpu/drm/drm_self_refresh_helper.c b/drivers/gpu/drm/drm_self_refresh_helper.c
> index 68f4765a5896..011b8d5f7dd6 100644
> --- a/drivers/gpu/drm/drm_self_refresh_helper.c
> +++ b/drivers/gpu/drm/drm_self_refresh_helper.c
> @@ -133,6 +133,8 @@ static void drm_self_refresh_helper_entry_work(struct work_struct *work)
>   * drm_self_refresh_helper_update_avg_times - Updates a crtc's SR time averages
>   * @state: the state which has just been applied to hardware
>   * @commit_time_ms: the amount of time in ms that this commit took to complete
> + * @new_self_refresh_mask: bitmask of crtc's that have self_refresh_active in
> + *    new state
>   *
>   * Called after &drm_mode_config_funcs.atomic_commit_tail, this function will
>   * update the average entry/exit self refresh times on self refresh transitions.
> @@ -140,22 +142,23 @@ static void drm_self_refresh_helper_entry_work(struct work_struct *work)
>   * entering self refresh mode after activity.
>   */
>  void drm_self_refresh_helper_update_avg_times(struct drm_atomic_state *state,
> -                                             unsigned int commit_time_ms)
> +                                             unsigned int commit_time_ms,
> +                                             unsigned int new_self_refresh_mask)
>  {
>         struct drm_crtc *crtc;
> -       struct drm_crtc_state *old_crtc_state, *new_crtc_state;
> +       struct drm_crtc_state *old_crtc_state;
>         int i;
>
> -       for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state,
> -                                     new_crtc_state, i) {
> +       for_each_old_crtc_in_state(state, crtc, old_crtc_state, i) {
> +               bool new_self_refresh_active = new_self_refresh_mask & BIT(i);
>                 struct drm_self_refresh_data *sr_data = crtc->self_refresh_data;
>                 struct ewma_psr_time *time;
>
>                 if (old_crtc_state->self_refresh_active ==
> -                   new_crtc_state->self_refresh_active)
> +                   new_self_refresh_active)
>                         continue;
>
> -               if (new_crtc_state->self_refresh_active)
> +               if (new_self_refresh_active)
>                         time = &sr_data->entry_avg_ms;
>                 else
>                         time = &sr_data->exit_avg_ms;
> diff --git a/include/drm/drm_self_refresh_helper.h b/include/drm/drm_self_refresh_helper.h
> index 5b79d253fb46..b2c08b328aa1 100644
> --- a/include/drm/drm_self_refresh_helper.h
> +++ b/include/drm/drm_self_refresh_helper.h
> @@ -13,7 +13,8 @@ struct drm_crtc;
>
>  void drm_self_refresh_helper_alter_state(struct drm_atomic_state *state);
>  void drm_self_refresh_helper_update_avg_times(struct drm_atomic_state *state,
> -                                             unsigned int commit_time_ms);
> +                                             unsigned int commit_time_ms,
> +                                             unsigned int new_self_refresh_mask);
>
>  int drm_self_refresh_helper_init(struct drm_crtc *crtc);
>  void drm_self_refresh_helper_cleanup(struct drm_crtc *crtc);
> --
> 2.23.0
>