Received: by 2002:ab2:b82:0:b0:1f3:401:3cfb with SMTP id 2csp1070560lqh; Fri, 29 Mar 2024 06:30:52 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXqJLBoLc9/gpq26wplAObJdbapezRomLuCFOyvI/pPTEjWLZqQv8T/B2q+zx89pgEHWSPmfWEk9scye0w//HHGWJiwvXG4AtO1HXep5A== X-Google-Smtp-Source: AGHT+IFp346mNFQQWKZo1o2JmRQvefgMtGbBGBGvTgf3NQbpCQ8gg4HU/Pw9Kr5ojmvx7cFrZbed X-Received: by 2002:a17:90a:8283:b0:2a0:2f77:842a with SMTP id g3-20020a17090a828300b002a02f77842amr2330015pjn.42.1711719052588; Fri, 29 Mar 2024 06:30:52 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711719052; cv=pass; d=google.com; s=arc-20160816; b=v3rM4xMtIpNLUw+TxYrycwWnVT8tNXpGRVd7sBx5IIN7Pqn7B6LJk0Z/7YOkZiZRcn StSzvo/7tqyrV04b7Wb/PbZWmK1xa3usY+n1eT6K0C/vCXRxZhY/9IiL1YY3GrZh/xfU oN784CfKc/HC7Ws399/7a1wrEua/IqxPJnBqhDdR/iELw+K2urSljYVV3/xYc+TRwj9E FIlNdbOWTcCqsBu15prX5d0fCjNJxOGM010CXr0D5ul4bQwj01amcUHg4S6zITrI7sgC uJXhN6vr5xApbi6V5bUovX8bd4dzjwYAeUPOhpdCJnCLHpe8vTBw6ng+vrBOnanPBebr izYg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:cc:to :from:dkim-signature; bh=VnyHsR56l07R1g7dg8glWdVtCijEDdKfEkmnBMQBZPE=; fh=PQRyfTGyOvYlntCZwKi1O0dQHQHpFS3b9UXCI97BCcY=; b=Vwlx9zgwIwOxHlS30UD8HJJ8MPeTjLn47h8YUUdR/Yxuc3/iB46W/gSM6+EGlyBKSc rglhu0S8xnbjRp3o+T+2jCrtD5POdHZv1eNwNFWbanYGzfsM43oKGK0M7hOcDFVn+Ww/ 8fGy9/mglUn/ZDBPbglICRB9aQkNHT4YbQlaLhSUTpdbYFjnpt70DXzVaxcElZWmSD/0 cOar5d9hhZp7keUii/KOn/lMtdarnlVnrp1bsXH7uUHdDl/occp/GxA4DtxIzqm6LUt/ 4/S5NWqWg6eb4pI8i5Ego5VZDZ00iQfyO0jylmJMKLN8E1P+QTjKLEqcKxX36BemJBrG XJpg==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=car6bcuB; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-124710-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-124710-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id mm23-20020a17090b359700b002a1f97cc32esi3631352pjb.171.2024.03.29.06.30.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Mar 2024 06:30:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-124710-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=car6bcuB; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-124710-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-124710-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 457D929441D for ; Fri, 29 Mar 2024 13:30:52 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8E84E144319; Fri, 29 Mar 2024 12:39:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="car6bcuB" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 896DB12DDA5; Fri, 29 Mar 2024 12:39:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711715960; cv=none; b=PSJiasAy0b/Ftt/dpTBkcjfI73gdgWCbhs4FspM4stP2rRGRvJK19dU3CwqPSpo1qlchHEZnQL8vxVCbgJi9mwsw1vY6JMsJK1KRbbam4c6rAgkyc5HF1eagEi0DEuseuzj4P9UpLpJtQ0mhR4PuvTmCnMMAD3CaYkW0AJDnNiE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711715960; c=relaxed/simple; bh=B+UPqiZhHjHusSKbhDQ5UfjOH+MzF07nuUtbkag2bOY=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=J36Q6yJGOUczWti+Nrp9zwkw4Yip6hNwXABhHExuj67/qGyw7v2a03cn1rc1qfTqK5AxhBBV9WYthGRegkSo9+rSxpPH00OP8ckkWqdFY+f8zutt69eFLM9DgH36gW3jwSL1UTfE+xMzN2pidBQbuPW/vUqy73Z28lG4OOX8BCI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=car6bcuB; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1A1DCC43390; Fri, 29 Mar 2024 12:39:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1711715960; bh=B+UPqiZhHjHusSKbhDQ5UfjOH+MzF07nuUtbkag2bOY=; h=From:To:Cc:Subject:Date:From; b=car6bcuB6FeQzd5FXirYpsi6jUnfFdsVXKavDUthNvE8K3jfcuS/wwX1ZOSwssZve d6Ma7IhKc34P4mdMx1k1ylrLQelG0Hd+b7Bzf7sgWQbtN8AmQ15NC3eTGTKRCpgk0G 3sSAkNjYJHdBr9pFmB20meGMBBk3qchmEBrvUWbjcmzGZJhf9kZurU9Fa/7vKecEQ9 8iODmxIy9a3f87+tqHOV5clGLt80eNmfh++Qs9/xbIj0eItfIFvQ0frkE8rUCCYqd+ hUM4MDCWT7C2OqTvAF7MKASn0jSfa2Op5PftFbAfGA/I2aZ7Fiuwj0LV+nZtCYCNfn Im9yBjNfNcDeQ== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: =?UTF-8?q?Ma=C3=ADra=20Canal?= , Maxime Ripard , Sasha Levin , maarten.lankhorst@linux.intel.com, tzimmermann@suse.de, airlied@gmail.com, daniel@ffwll.ch, dri-devel@lists.freedesktop.org Subject: [PATCH AUTOSEL 6.8 01/98] drm/vc4: don't check if plane->state->fb == state->fb Date: Fri, 29 Mar 2024 08:36:32 -0400 Message-ID: <20240329123919.3087149-1-sashal@kernel.org> X-Mailer: git-send-email 2.43.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.8.2 Content-Transfer-Encoding: 8bit From: Maíra Canal [ Upstream commit 5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9 ] Currently, when using non-blocking commits, we can see the following kernel warning: [ 110.908514] ------------[ cut here ]------------ [ 110.908529] refcount_t: underflow; use-after-free. [ 110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0 [ 110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6 [ 110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G C 6.1.66-v8+ #32 [ 110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT) [ 110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 110.909132] pc : refcount_dec_not_one+0xb8/0xc0 [ 110.909152] lr : refcount_dec_not_one+0xb4/0xc0 [ 110.909170] sp : ffffffc00913b9c0 [ 110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60 [ 110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480 [ 110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78 [ 110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000 [ 110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004 [ 110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003 [ 110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00 [ 110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572 [ 110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000 [ 110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001 [ 110.909434] Call trace: [ 110.909441] refcount_dec_not_one+0xb8/0xc0 [ 110.909461] vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4] [ 110.909903] vc4_cleanup_fb+0x44/0x50 [vc4] [ 110.910315] drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper] [ 110.910669] vc4_atomic_commit_tail+0x390/0x9dc [vc4] [ 110.911079] commit_tail+0xb0/0x164 [drm_kms_helper] [ 110.911397] drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper] [ 110.911716] drm_atomic_commit+0xb0/0xdc [drm] [ 110.912569] drm_mode_atomic_ioctl+0x348/0x4b8 [drm] [ 110.913330] drm_ioctl_kernel+0xec/0x15c [drm] [ 110.914091] drm_ioctl+0x24c/0x3b0 [drm] [ 110.914850] __arm64_sys_ioctl+0x9c/0xd4 [ 110.914873] invoke_syscall+0x4c/0x114 [ 110.914897] el0_svc_common+0xd0/0x118 [ 110.914917] do_el0_svc+0x38/0xd0 [ 110.914936] el0_svc+0x30/0x8c [ 110.914958] el0t_64_sync_handler+0x84/0xf0 [ 110.914979] el0t_64_sync+0x18c/0x190 [ 110.914996] ---[ end trace 0000000000000000 ]--- This happens because, although `prepare_fb` and `cleanup_fb` are perfectly balanced, we cannot guarantee consistency in the check plane->state->fb == state->fb. This means that sometimes we can increase the refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The opposite can also be true. In fact, the struct drm_plane .state shouldn't be accessed directly but instead, the `drm_atomic_get_new_plane_state()` helper function should be used. So, we could stick to this check, but using `drm_atomic_get_new_plane_state()`. But actually, this check is not really needed. We can increase and decrease the refcount symmetrically without problems. This is going to make the code more simple and consistent. Signed-off-by: Maíra Canal Acked-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20240105175908.242000-1-mcanal@igalia.com Signed-off-by: Sasha Levin --- drivers/gpu/drm/vc4/vc4_plane.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c index 00e713faecd5a..5948e34f7f813 100644 --- a/drivers/gpu/drm/vc4/vc4_plane.c +++ b/drivers/gpu/drm/vc4/vc4_plane.c @@ -1505,9 +1505,6 @@ static int vc4_prepare_fb(struct drm_plane *plane, drm_gem_plane_helper_prepare_fb(plane, state); - if (plane->state->fb == state->fb) - return 0; - return vc4_bo_inc_usecnt(bo); } @@ -1516,7 +1513,7 @@ static void vc4_cleanup_fb(struct drm_plane *plane, { struct vc4_bo *bo; - if (plane->state->fb == state->fb || !state->fb) + if (!state->fb) return; bo = to_vc4_bo(&drm_fb_dma_get_gem_obj(state->fb, 0)->base); -- 2.43.0