Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
On Wed, Jan 31, 2024 at 12:26:45PM +0200, Dmitry Baryshkov wrote: > On Wed, 31 Jan 2024 at 11:11, Daniel Vetter wrote: > > > > On Wed, Jan 31, 2024 at 05:17:08AM +, Jason-JH Lin (林睿祥) wrote: > > > On Thu, 2024-01-25 at 19:17 +0100, Daniel Vetter wrote: > > > > > > > > External email : Please do not click links or open attachments until > > > > you have verified the sender or the content. > > > > On Tue, Jan 23, 2024 at 06:09:05AM +, Jason-JH Lin (林睿祥) wrote: > > > > > Hi Maxime, Daniel, > > > > > > > > > > We encountered similar issue with mediatek SoCs. > > > > > > > > > > We have found that in drm_atomic_helper_commit_rpm(), when > > > > disabling > > > > > the cursor plane, the old_state->legacy_cursor_update in > > > > > drm_atomic_wait_for_vblank() is set to true. > > > > > As the result, we are not actually waiting for a vlbank to wait for > > > > our > > > > > hardware to close the cursor plane. Subsequently, the execution > > > > > proceeds to drm_atomic_helper_cleanup_planes() to free the cursor > > > > > buffer. This can lead to use-after-free issues with our hardware. > > > > > > > > > > Could you please apply this patch to fix our problem? > > > > > Or are there any considerations for not applying this patch? > > > > > > > > Mostly it needs someone to collect a pile of acks/tested-by and then > > > > land > > > > it. > > > > > > > > > > Got it. I would add tested-by tag for mediatek SoC. > > > > > > > I'd be _very_ happy if someone else can take care of that ... > > > > > > > > There's also the potential issue that it might slow down some of the > > > > legacy X11 use-cases that really needed a non-blocking cursor, but I > > > > think > > > > all the drivers where this matters have switched over to the async > > > > plane > > > > update stuff meanwhile. So hopefully that's good. > > > > > > > > > > I think all the drivers should have switched to async plane update. > > > > > > Can we add the checking condition to see if atomic_async_update/check > > > function are implemented? > > > > Pretty sure not all have done that, so really it boils down to whether we > > break a real user's use-case. Which pretty much can only be checked by > > merging the patch (hence the requirement to get as many acks as possible > > from display drivers) and then being willing to handle any fallout that's > > reported as regressions for a specific driver. > > > > It's a pile of work, at least when it goes south, that's why I'm looking > > for volunteers. > > I can check this on all sensible msm generations, including mdp4, but > it will be next week, after the FOSDEM. > > BTW, for technical reasons one of the msm platforms still has the > legacy cursor implementation might it be related? Yeah, msm is one of the drivers I had to change with some hacks to avoid really bad fallout. It should still work like before, but that's one that definitely needs testing. -Sima > > > > > Note that handling the fallout doesn't mean you have to fix that specific > > driver, the only realistic option might be to reinstate the legacy cursor > > behaviour, but as an explicit opt-in that only that specific driver > > enables. > > > > So maybe for next round of that patch it might be good to have a 2nd patch > > which implements this fallback plan in the shared atomic modeset code? > > > > Cheers, Sima > > > -- > With best wishes > Dmitry -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch
Re: Re: Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
Hi, On Wed, Jan 31, 2024 at 05:27:14AM +, Jason-JH Lin (林睿祥) wrote: > > On Sun, 2024-01-28 at 10:24 +0100, Maxime Ripard wrote: > > On Thu, Jan 25, 2024 at 07:17:21PM +0100, Daniel Vetter wrote: > > > On Tue, Jan 23, 2024 at 06:09:05AM +, Jason-JH Lin (林睿祥) wrote: > > > > Hi Maxime, Daniel, > > > > > > > > We encountered similar issue with mediatek SoCs. > > > > > > > > We have found that in drm_atomic_helper_commit_rpm(), when > > > > disabling > > > > the cursor plane, the old_state->legacy_cursor_update in > > > > drm_atomic_wait_for_vblank() is set to true. > > > > As the result, we are not actually waiting for a vlbank to wait > > > > for our > > > > hardware to close the cursor plane. Subsequently, the execution > > > > proceeds to drm_atomic_helper_cleanup_planes() to free the > > > > cursor > > > > buffer. This can lead to use-after-free issues with our hardware. > > > > > > > > Could you please apply this patch to fix our problem? > > > > Or are there any considerations for not applying this patch? > > > > > > Mostly it needs someone to collect a pile of acks/tested-by and > > > then land > > > it. > > > > > > I'd be _very_ happy if someone else can take care of that ... > > > > > > There's also the potential issue that it might slow down some of > > > the > > > legacy X11 use-cases that really needed a non-blocking cursor, but > > > I think > > > all the drivers where this matters have switched over to the async > > > plane > > > update stuff meanwhile. So hopefully that's good. > > > > I think there was also a regression with msm no one really figured > > out? > > OK... > But I am only available on MediaTek platform. I think most of us are in that situation, and which is part of the reason it kind of stalled :) > Does it also causes a regression with msn if I re-send a patch for > drm_atomic_helper.c only? Yes, that's my recollection at least. Fortunately, Dmitry might be able to clear that up. Maxime signature.asc Description: PGP signature
Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
On Wed, 31 Jan 2024 at 11:11, Daniel Vetter wrote: > > On Wed, Jan 31, 2024 at 05:17:08AM +, Jason-JH Lin (林睿祥) wrote: > > On Thu, 2024-01-25 at 19:17 +0100, Daniel Vetter wrote: > > > > > > External email : Please do not click links or open attachments until > > > you have verified the sender or the content. > > > On Tue, Jan 23, 2024 at 06:09:05AM +, Jason-JH Lin (林睿祥) wrote: > > > > Hi Maxime, Daniel, > > > > > > > > We encountered similar issue with mediatek SoCs. > > > > > > > > We have found that in drm_atomic_helper_commit_rpm(), when > > > disabling > > > > the cursor plane, the old_state->legacy_cursor_update in > > > > drm_atomic_wait_for_vblank() is set to true. > > > > As the result, we are not actually waiting for a vlbank to wait for > > > our > > > > hardware to close the cursor plane. Subsequently, the execution > > > > proceeds to drm_atomic_helper_cleanup_planes() to free the cursor > > > > buffer. This can lead to use-after-free issues with our hardware. > > > > > > > > Could you please apply this patch to fix our problem? > > > > Or are there any considerations for not applying this patch? > > > > > > Mostly it needs someone to collect a pile of acks/tested-by and then > > > land > > > it. > > > > > > > Got it. I would add tested-by tag for mediatek SoC. > > > > > I'd be _very_ happy if someone else can take care of that ... > > > > > > There's also the potential issue that it might slow down some of the > > > legacy X11 use-cases that really needed a non-blocking cursor, but I > > > think > > > all the drivers where this matters have switched over to the async > > > plane > > > update stuff meanwhile. So hopefully that's good. > > > > > > > I think all the drivers should have switched to async plane update. > > > > Can we add the checking condition to see if atomic_async_update/check > > function are implemented? > > Pretty sure not all have done that, so really it boils down to whether we > break a real user's use-case. Which pretty much can only be checked by > merging the patch (hence the requirement to get as many acks as possible > from display drivers) and then being willing to handle any fallout that's > reported as regressions for a specific driver. > > It's a pile of work, at least when it goes south, that's why I'm looking > for volunteers. I can check this on all sensible msm generations, including mdp4, but it will be next week, after the FOSDEM. BTW, for technical reasons one of the msm platforms still has the legacy cursor implementation might it be related? > > Note that handling the fallout doesn't mean you have to fix that specific > driver, the only realistic option might be to reinstate the legacy cursor > behaviour, but as an explicit opt-in that only that specific driver > enables. > > So maybe for next round of that patch it might be good to have a 2nd patch > which implements this fallback plan in the shared atomic modeset code? > > Cheers, Sima -- With best wishes Dmitry
Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
On Wed, Jan 31, 2024 at 05:17:08AM +, Jason-JH Lin (林睿祥) wrote: > On Thu, 2024-01-25 at 19:17 +0100, Daniel Vetter wrote: > > > > External email : Please do not click links or open attachments until > > you have verified the sender or the content. > > On Tue, Jan 23, 2024 at 06:09:05AM +, Jason-JH Lin (林睿祥) wrote: > > > Hi Maxime, Daniel, > > > > > > We encountered similar issue with mediatek SoCs. > > > > > > We have found that in drm_atomic_helper_commit_rpm(), when > > disabling > > > the cursor plane, the old_state->legacy_cursor_update in > > > drm_atomic_wait_for_vblank() is set to true. > > > As the result, we are not actually waiting for a vlbank to wait for > > our > > > hardware to close the cursor plane. Subsequently, the execution > > > proceeds to drm_atomic_helper_cleanup_planes() to free the cursor > > > buffer. This can lead to use-after-free issues with our hardware. > > > > > > Could you please apply this patch to fix our problem? > > > Or are there any considerations for not applying this patch? > > > > Mostly it needs someone to collect a pile of acks/tested-by and then > > land > > it. > > > > Got it. I would add tested-by tag for mediatek SoC. > > > I'd be _very_ happy if someone else can take care of that ... > > > > There's also the potential issue that it might slow down some of the > > legacy X11 use-cases that really needed a non-blocking cursor, but I > > think > > all the drivers where this matters have switched over to the async > > plane > > update stuff meanwhile. So hopefully that's good. > > > > I think all the drivers should have switched to async plane update. > > Can we add the checking condition to see if atomic_async_update/check > function are implemented? Pretty sure not all have done that, so really it boils down to whether we break a real user's use-case. Which pretty much can only be checked by merging the patch (hence the requirement to get as many acks as possible from display drivers) and then being willing to handle any fallout that's reported as regressions for a specific driver. It's a pile of work, at least when it goes south, that's why I'm looking for volunteers. Note that handling the fallout doesn't mean you have to fix that specific driver, the only realistic option might be to reinstate the legacy cursor behaviour, but as an explicit opt-in that only that specific driver enables. So maybe for next round of that patch it might be good to have a 2nd patch which implements this fallback plan in the shared atomic modeset code? Cheers, Sima > > Regards, > Jason-JH.Lin > > > Cheers, Sima > > > > > > Regards, > > > Jason-JH.Lin > > > > > > On Tue, 2023-03-07 at 15:56 +0100, Maxime Ripard wrote: > > > > Hi, > > > > > > > > On Thu, Feb 16, 2023 at 12:12:13PM +0100, Daniel Vetter wrote: > > > > > The stuff never really worked, and leads to lots of fun because > > it > > > > > out-of-order frees atomic states. Which upsets KASAN, among > > other > > > > > things. > > > > > > > > > > For async updates we now have a more solid solution with the > > > > > ->atomic_async_check and ->atomic_async_commit hooks. Support > > for > > > > > that > > > > > for msm and vc4 landed. nouveau and i915 have their own commit > > > > > routines, doing something similar. > > > > > > > > > > For everyone else it's probably better to remove the use-after- > > free > > > > > bug, and encourage folks to use the async support instead. The > > > > > affected drivers which register a legacy cursor plane and don't > > > > > either > > > > > use the new async stuff or their own commit routine are: > > amdgpu, > > > > > atmel, mediatek, qxl, rockchip, sti, sun4i, tegra, virtio, and > > > > > vmwgfx. > > > > > > > > > > Inspired by an amdgpu bug report. > > > > > > > > Thanks for submitting that patch. It's been in the downstream RPi > > > > tree > > > > for a while, so I'd really like it to be merged eventually :) > > > > > > > > Acked-by: Maxime Ripard > > > > > > > > Maxime > > -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch
Re: Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
Re: Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
On Thu, Jan 25, 2024 at 07:17:21PM +0100, Daniel Vetter wrote: > On Tue, Jan 23, 2024 at 06:09:05AM +, Jason-JH Lin (林睿祥) wrote: > > Hi Maxime, Daniel, > > > > We encountered similar issue with mediatek SoCs. > > > > We have found that in drm_atomic_helper_commit_rpm(), when disabling > > the cursor plane, the old_state->legacy_cursor_update in > > drm_atomic_wait_for_vblank() is set to true. > > As the result, we are not actually waiting for a vlbank to wait for our > > hardware to close the cursor plane. Subsequently, the execution > > proceeds to drm_atomic_helper_cleanup_planes() to free the cursor > > buffer. This can lead to use-after-free issues with our hardware. > > > > Could you please apply this patch to fix our problem? > > Or are there any considerations for not applying this patch? > > Mostly it needs someone to collect a pile of acks/tested-by and then land > it. > > I'd be _very_ happy if someone else can take care of that ... > > There's also the potential issue that it might slow down some of the > legacy X11 use-cases that really needed a non-blocking cursor, but I think > all the drivers where this matters have switched over to the async plane > update stuff meanwhile. So hopefully that's good. I think there was also a regression with msm no one really figured out? Maxime signature.asc Description: PGP signature
Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
On Tue, Jan 23, 2024 at 06:09:05AM +, Jason-JH Lin (林睿祥) wrote: > Hi Maxime, Daniel, > > We encountered similar issue with mediatek SoCs. > > We have found that in drm_atomic_helper_commit_rpm(), when disabling > the cursor plane, the old_state->legacy_cursor_update in > drm_atomic_wait_for_vblank() is set to true. > As the result, we are not actually waiting for a vlbank to wait for our > hardware to close the cursor plane. Subsequently, the execution > proceeds to drm_atomic_helper_cleanup_planes() to free the cursor > buffer. This can lead to use-after-free issues with our hardware. > > Could you please apply this patch to fix our problem? > Or are there any considerations for not applying this patch? Mostly it needs someone to collect a pile of acks/tested-by and then land it. I'd be _very_ happy if someone else can take care of that ... There's also the potential issue that it might slow down some of the legacy X11 use-cases that really needed a non-blocking cursor, but I think all the drivers where this matters have switched over to the async plane update stuff meanwhile. So hopefully that's good. Cheers, Sima > > Regards, > Jason-JH.Lin > > On Tue, 2023-03-07 at 15:56 +0100, Maxime Ripard wrote: > > Hi, > > > > On Thu, Feb 16, 2023 at 12:12:13PM +0100, Daniel Vetter wrote: > > > The stuff never really worked, and leads to lots of fun because it > > > out-of-order frees atomic states. Which upsets KASAN, among other > > > things. > > > > > > For async updates we now have a more solid solution with the > > > ->atomic_async_check and ->atomic_async_commit hooks. Support for > > > that > > > for msm and vc4 landed. nouveau and i915 have their own commit > > > routines, doing something similar. > > > > > > For everyone else it's probably better to remove the use-after-free > > > bug, and encourage folks to use the async support instead. The > > > affected drivers which register a legacy cursor plane and don't > > > either > > > use the new async stuff or their own commit routine are: amdgpu, > > > atmel, mediatek, qxl, rockchip, sti, sun4i, tegra, virtio, and > > > vmwgfx. > > > > > > Inspired by an amdgpu bug report. > > > > Thanks for submitting that patch. It's been in the downstream RPi > > tree > > for a while, so I'd really like it to be merged eventually :) > > > > Acked-by: Maxime Ripard > > > > Maxime -- Daniel Vetter Software Engineer, Intel Corporation http://blog.ffwll.ch
