Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp3095lqz;
        Fri, 29 Mar 2024 06:57:31 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCVIBZ7AqmMhR750Dp41DpJ9/LHVcAZAGah3FIO9ScLwQg/REYFpYDzHRAw66CeO4iqivLBiOz6xf2NE5Gey06cYhHljIichRa7X+qc8mg==
X-Google-Smtp-Source: AGHT+IGwnkwuzGbYvhs/+ijy6i+ZcF+UUaeCAGlyTQXn7D/32DM52/ZVKCqNlgwRUqm6L4DsELrP
X-Received: by 2002:a17:906:33d1:b0:a4b:56be:1e9c with SMTP id w17-20020a17090633d100b00a4b56be1e9cmr1515190eja.36.1711720650994;
        Fri, 29 Mar 2024 06:57:30 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1711720650; cv=pass;
        d=google.com; s=arc-20160816;
        b=D5dfgOFaFzOc9rLZ+37WeJV3adjIrE3qoqjLEbnSSo266tFj/lmCmy8ArhDQyi/+Ct
         41KQex6tg9jTBE8bpB1ilXRlnohk0IBuXrMYTCcgPJE2nbemvTGR5nTDd2TK2VaUkeb4
         TFCpXSlr6tBv1uRTOqAzCTgDqMCqF0DbMJzRHQ4RKoCndhVsTSRrjh8OxxPkmVUdf9pa
         wXuj7UY6IWohnFidopV8DsGR03oNf1iuqFNodSwM1UdPq3069BLEO+O4zzbEAGVnleWb
         u+0oGgPTqgE1TMQFazswzgIpN0oD4rEIViOUzrK2rEdNeCYuM2P5cWkx0+KWHpleLV1e
         w3QQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=VnyHsR56l07R1g7dg8glWdVtCijEDdKfEkmnBMQBZPE=;
        fh=PQRyfTGyOvYlntCZwKi1O0dQHQHpFS3b9UXCI97BCcY=;
        b=lz8P7Fi0u+GxtVpqGKhDIIZ2a2UpYRjqs1RBHZ4vGwaF25aLQXXJ6z0WI2IGvZUMGQ
         YtcoO/NW8WbBXXkzZ54YUt8Gge+EhGMpQTDszxaitTSVf7rKwNSMJwuNCiCYXUaNE2hF
         6BRvRGEzYFyVD/9/VzxZSPMfwxc5kN82o15yvrCHeqXkqqyZuv6ybYgesV9JRotOaqYJ
         +WKKcsJuWGXyoHQfMV5DjLZl2kedHPFb0ZPgQd5DbauelStN6xwI+zlyKnBgWyaRzJ5m
         WDz+67Ijxx3Daf3Uiw42WmULStkFSh1P+I+JcDSg3bkuj/zVTEwSrN65qVkfs8AhTPaS
         i9vg==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=S6sNthHT;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-124810-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-124810-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel+bounces-124810-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id z9-20020a1709060ac900b00a49b5e830d6si1730509ejf.442.2024.03.29.06.57.30
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 29 Mar 2024 06:57:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-124810-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=S6sNthHT;
       arc=pass (i=1 dkim=pass dkdomain=kernel.org);
       spf=pass (google.com: domain of linux-kernel+bounces-124810-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-124810-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id 8E0561F21DB4
	for <linux.lists.archive@gmail.com>; Fri, 29 Mar 2024 13:57:30 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 37A4513AD18;
	Fri, 29 Mar 2024 12:43:33 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="S6sNthHT"
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 49D2C13A3EB;
	Fri, 29 Mar 2024 12:43:31 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1711716212; cv=none; b=BugxyDEfMqKDTY7o5osOXGouGesUhSU9mdfstPc7vMUQAe+4r6gVF+4qPR6ffxyihRwj2vAtZiMXQGxxInjnGWmHlrVzXT6BmJdFGZmJFBree3gK6coVpo5QgGHCBjI214yTwQgV31sSn1uQC3McSC9RSS2y0t+2lCBtdw+HHK0=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1711716212; c=relaxed/simple;
	bh=B+UPqiZhHjHusSKbhDQ5UfjOH+MzF07nuUtbkag2bOY=;
	h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=CysOlHJAzfl9U0B7bdXGpqI2eeEc3EFpsTk6OGagcP0izPh0qXzR12bzfkGQU3nR2p5B10a/DuUcDsSJhTasE9zpc3cbG9hPGlwi5g+OEtNG/rS2cEOdmfbBWEsP42URdtDiTBTRvGmOpr0tp7buXDf0JIZcUsLJmFlWY5XceQA=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=S6sNthHT; arc=none smtp.client-ip=10.30.226.201
Received: by smtp.kernel.org (Postfix) with ESMTPSA id BBC87C433F1;
	Fri, 29 Mar 2024 12:43:30 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1711716211;
	bh=B+UPqiZhHjHusSKbhDQ5UfjOH+MzF07nuUtbkag2bOY=;
	h=From:To:Cc:Subject:Date:From;
	b=S6sNthHToLA6IuSMh63ZiENOw+/IVEBEOCFGJJgrONR/TxBxy89+65nVYyshfRVie
	 QY6queLY3A5gIdfjQN1gxsnvjYRshRarQU5xklaNr7znAEOrlTCIApo56iYYohEGiR
	 4ruk8Hlod2NXiwdApDZ/wzvTs2JJfmMfJEYKXT0FhvvycrlnjnXG4W2pToU4vtE4MZ
	 S2iP7ZH9YuYpPb99iukMRJ9gjLQ5KSh0h+SEOyOBUo4sw/FQOqW7tmM7x0I2mJS2bH
	 voJsr9FyVUM3XMyVufgtsigt/fRCPpvGlG3TqSMBnDyAHF+EnyKo/zN4r3ONFQgg3g
	 jrIRhCOjCcOww==
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Cc: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal@igalia.com>,
	Maxime Ripard <mripard@kernel.org>,
	Sasha Levin <sashal@kernel.org>,
	maarten.lankhorst@linux.intel.com,
	tzimmermann@suse.de,
	airlied@gmail.com,
	daniel@ffwll.ch,
	dri-devel@lists.freedesktop.org
Subject: [PATCH AUTOSEL 6.6 01/75] drm/vc4: don't check if plane->state->fb == state->fb
Date: Fri, 29 Mar 2024 08:41:42 -0400
Message-ID: <20240329124330.3089520-1-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.6.23
Content-Transfer-Encoding: 8bit

From: Maíra Canal <mcanal@igalia.com>

[ Upstream commit 5ee0d47dcf33efd8950b347dcf4d20bab12a3fa9 ]

Currently, when using non-blocking commits, we can see the following
kernel warning:

[  110.908514] ------------[ cut here ]------------
[  110.908529] refcount_t: underflow; use-after-free.
[  110.908620] WARNING: CPU: 0 PID: 1866 at lib/refcount.c:87 refcount_dec_not_one+0xb8/0xc0
[  110.908664] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device cmac algif_hash aes_arm64 aes_generic algif_skcipher af_alg bnep hid_logitech_hidpp vc4 brcmfmac hci_uart btbcm brcmutil bluetooth snd_soc_hdmi_codec cfg80211 cec drm_display_helper drm_dma_helper drm_kms_helper snd_soc_core snd_compress snd_pcm_dmaengine fb_sys_fops sysimgblt syscopyarea sysfillrect raspberrypi_hwmon ecdh_generic ecc rfkill libaes i2c_bcm2835 binfmt_misc joydev snd_bcm2835(C) bcm2835_codec(C) bcm2835_isp(C) v4l2_mem2mem videobuf2_dma_contig snd_pcm bcm2835_v4l2(C) raspberrypi_gpiomem bcm2835_mmal_vchiq(C) videobuf2_v4l2 snd_timer videobuf2_vmalloc videobuf2_memops videobuf2_common snd videodev vc_sm_cma(C) mc hid_logitech_dj uio_pdrv_genirq uio i2c_dev drm fuse dm_mod drm_panel_orientation_quirks backlight ip_tables x_tables ipv6
[  110.909086] CPU: 0 PID: 1866 Comm: kodi.bin Tainted: G         C         6.1.66-v8+ #32
[  110.909104] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
[  110.909114] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[  110.909132] pc : refcount_dec_not_one+0xb8/0xc0
[  110.909152] lr : refcount_dec_not_one+0xb4/0xc0
[  110.909170] sp : ffffffc00913b9c0
[  110.909177] x29: ffffffc00913b9c0 x28: 000000556969bbb0 x27: 000000556990df60
[  110.909205] x26: 0000000000000002 x25: 0000000000000004 x24: ffffff8004448480
[  110.909230] x23: ffffff800570b500 x22: ffffff802e03a7bc x21: ffffffecfca68c78
[  110.909257] x20: ffffff8002b42000 x19: ffffff802e03a600 x18: 0000000000000000
[  110.909283] x17: 0000000000000011 x16: ffffffffffffffff x15: 0000000000000004
[  110.909308] x14: 0000000000000fff x13: ffffffed577e47e0 x12: 0000000000000003
[  110.909333] x11: 0000000000000000 x10: 0000000000000027 x9 : c912d0d083728c00
[  110.909359] x8 : c912d0d083728c00 x7 : 65646e75203a745f x6 : 746e756f63666572
[  110.909384] x5 : ffffffed579f62ee x4 : ffffffed579eb01e x3 : 0000000000000000
[  110.909409] x2 : 0000000000000000 x1 : ffffffc00913b750 x0 : 0000000000000001
[  110.909434] Call trace:
[  110.909441]  refcount_dec_not_one+0xb8/0xc0
[  110.909461]  vc4_bo_dec_usecnt+0x4c/0x1b0 [vc4]
[  110.909903]  vc4_cleanup_fb+0x44/0x50 [vc4]
[  110.910315]  drm_atomic_helper_cleanup_planes+0x88/0xa4 [drm_kms_helper]
[  110.910669]  vc4_atomic_commit_tail+0x390/0x9dc [vc4]
[  110.911079]  commit_tail+0xb0/0x164 [drm_kms_helper]
[  110.911397]  drm_atomic_helper_commit+0x1d0/0x1f0 [drm_kms_helper]
[  110.911716]  drm_atomic_commit+0xb0/0xdc [drm]
[  110.912569]  drm_mode_atomic_ioctl+0x348/0x4b8 [drm]
[  110.913330]  drm_ioctl_kernel+0xec/0x15c [drm]
[  110.914091]  drm_ioctl+0x24c/0x3b0 [drm]
[  110.914850]  __arm64_sys_ioctl+0x9c/0xd4
[  110.914873]  invoke_syscall+0x4c/0x114
[  110.914897]  el0_svc_common+0xd0/0x118
[  110.914917]  do_el0_svc+0x38/0xd0
[  110.914936]  el0_svc+0x30/0x8c
[  110.914958]  el0t_64_sync_handler+0x84/0xf0
[  110.914979]  el0t_64_sync+0x18c/0x190
[  110.914996] ---[ end trace 0000000000000000 ]---

This happens because, although `prepare_fb` and `cleanup_fb` are
perfectly balanced, we cannot guarantee consistency in the check
plane->state->fb == state->fb. This means that sometimes we can increase
the refcount in `prepare_fb` and don't decrease it in `cleanup_fb`. The
opposite can also be true.

In fact, the struct drm_plane .state shouldn't be accessed directly
but instead, the `drm_atomic_get_new_plane_state()` helper function should
be used. So, we could stick to this check, but using
`drm_atomic_get_new_plane_state()`. But actually, this check is not really
needed. We can increase and decrease the refcount symmetrically without
problems.

This is going to make the code more simple and consistent.

Signed-off-by: Maíra Canal <mcanal@igalia.com>
Acked-by: Maxime Ripard <mripard@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240105175908.242000-1-mcanal@igalia.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/vc4/vc4_plane.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
index 00e713faecd5a..5948e34f7f813 100644
--- a/drivers/gpu/drm/vc4/vc4_plane.c
+++ b/drivers/gpu/drm/vc4/vc4_plane.c
@@ -1505,9 +1505,6 @@ static int vc4_prepare_fb(struct drm_plane *plane,
 
 	drm_gem_plane_helper_prepare_fb(plane, state);
 
-	if (plane->state->fb == state->fb)
-		return 0;
-
 	return vc4_bo_inc_usecnt(bo);
 }
 
@@ -1516,7 +1513,7 @@ static void vc4_cleanup_fb(struct drm_plane *plane,
 {
 	struct vc4_bo *bo;
 
-	if (plane->state->fb == state->fb || !state->fb)
+	if (!state->fb)
 		return;
 
 	bo = to_vc4_bo(&drm_fb_dma_get_gem_obj(state->fb, 0)->base);
-- 
2.43.0