On Thu, Mar 31, 2022 at 03:05:45PM +0200, Maxime Ripard wrote:
> From: Daniel Vetter <daniel.vet...@ffwll.ch>
>
> The stuff never really worked, and leads to lots of fun because it
> out-of-order frees atomic states. Which upsets KASAN, among other
> things.
>
> For async updates we now have a more solid solution with the
> ->atomic_async_check and ->atomic_async_commit hooks. Support for that
> for msm and vc4 landed. nouveau and i915 have their own commit
> routines, doing something similar.
>
> For everyone else it's probably better to remove the use-after-free
> bug, and encourage folks to use the async support instead. The
> affected drivers which register a legacy cursor plane and don't either
> use the new async stuff or their own commit routine are: amdgpu,
> atmel, mediatek, qxl, rockchip, sti, sun4i, tegra, virtio, and vmwgfx.
>
> Inspired by an amdgpu bug report.
>
> v2: Drop RFC, I think with amdgpu converted over to use
> atomic_async_check/commit done in
>
> commit 674e78acae0dfb4beb56132e41cbae5b60f7d662
> Author: Nicholas Kazlauskas <nicholas.kazlaus...@amd.com>
> Date: Wed Dec 5 14:59:07 2018 -0500
>
> drm/amd/display: Add fast path for cursor plane updates
>
> we don't have any driver anymore where we have userspace expecting
> solid legacy cursor support _and_ they are using the atomic helpers in
> their fully glory. So we can retire this.
>
> v3: Paper over msm and i915 regression. The complete_all is the only
> thing missing afaict.
>
> v4: Rebased on recent kernel, added extra link for vc4 bug.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=199425
> Link: https://lore.kernel.org/all/20220221134155.125447-9-max...@cerno.tech/
> Cc: mikita.lip...@amd.com
> Cc: Michel Dänzer <mic...@daenzer.net>
> Cc: harry.wentl...@amd.com
> Cc: Rob Clark <robdcl...@gmail.com>
> Cc: "Kazlauskas, Nicholas" <nicholas.kazlaus...@amd.com>
> Tested-by: Maxime Ripard <max...@cerno.tech>
> Signed-off-by: Daniel Vetter <daniel.vet...@intel.com>
> Signed-off-by: Maxime Ripard <max...@cerno.tech>
> ---
> drivers/gpu/drm/drm_atomic_helper.c | 13 -------------
> drivers/gpu/drm/i915/display/intel_display.c | 13 +++++++++++++
> drivers/gpu/drm/msm/msm_atomic.c | 2 ++
> 3 files changed, 15 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_atomic_helper.c
> b/drivers/gpu/drm/drm_atomic_helper.c
> index 9603193d2fa1..a2899af82b4a 100644
> --- a/drivers/gpu/drm/drm_atomic_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_helper.c
> @@ -1498,13 +1498,6 @@ drm_atomic_helper_wait_for_vblanks(struct drm_device
> *dev,
> int i, ret;
> unsigned int crtc_mask = 0;
>
> - /*
> - * Legacy cursor ioctls are completely unsynced, and userspace
> - * relies on that (by doing tons of cursor updates).
> - */
> - if (old_state->legacy_cursor_update)
> - return;
> -
> for_each_oldnew_crtc_in_state(old_state, crtc, old_crtc_state,
> new_crtc_state, i) {
> if (!new_crtc_state->active)
> continue;
> @@ -2135,12 +2128,6 @@ int drm_atomic_helper_setup_commit(struct
> drm_atomic_state *state,
> continue;
> }
>
> - /* Legacy cursor updates are fully unsynced. */
> - if (state->legacy_cursor_update) {
> - complete_all(&commit->flip_done);
> - continue;
> - }
> -
> if (!new_crtc_state->event) {
> commit->event = kzalloc(sizeof(*commit->event),
> GFP_KERNEL);
> diff --git a/drivers/gpu/drm/i915/display/intel_display.c
> b/drivers/gpu/drm/i915/display/intel_display.c
> index bf7ce684dd8e..bde32f5a33cb 100644
> --- a/drivers/gpu/drm/i915/display/intel_display.c
> +++ b/drivers/gpu/drm/i915/display/intel_display.c
> @@ -8855,6 +8855,19 @@ static int intel_atomic_commit(struct drm_device *dev,
> state->base.legacy_cursor_update = false;
> }
>
> + /*
> + * FIXME: Cut over to (async) commit helpers instead of hand-rolling
> + * everything.
> + */
Intel cursors can't even do async updates so this is rather
nonsensical. What we need is some kind of reasonable mailbox
support.
> + if (state->base.legacy_cursor_update) {
> + struct intel_crtc_state *new_crtc_state;
> + struct intel_crtc *crtc;
> + int i;
> +
> + for_each_new_intel_crtc_in_state(state, crtc, new_crtc_state, i)
> + complete_all(&new_crtc_state->uapi.commit->flip_done);
> + }
You can complete what doesn't yet exist. Missing cc: intel-gfx for fireworks.
> +
> ret = intel_atomic_prepare_commit(state);
> if (ret) {
> drm_dbg_atomic(&dev_priv->drm,
> diff --git a/drivers/gpu/drm/msm/msm_atomic.c
> b/drivers/gpu/drm/msm/msm_atomic.c
> index 27c9ae563f2f..6ed14fafa40c 100644
> --- a/drivers/gpu/drm/msm/msm_atomic.c
> +++ b/drivers/gpu/drm/msm/msm_atomic.c
> @@ -237,6 +237,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state
> *state)
> /* async updates are limited to single-crtc updates: */
> WARN_ON(crtc_mask != drm_crtc_mask(async_crtc));
>
> + complete_all(&async_crtc->state->commit->flip_done);
> +
> /*
> * Start timer if we don't already have an update pending
> * on this crtc:
> --
> 2.35.1
--
Ville Syrjälä
Intel
