Re: [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
On Fri, Apr 05, 2024 at 11:39:33PM +0300, Dmitry Baryshkov wrote:
> On Fri, 5 Apr 2024 at 22:17, Ville Syrjälä wrote:
> >
> > On Fri, Apr 05, 2024 at 06:24:01AM +0300, Dmitry Baryshkov wrote:
> > > On Thu, Apr 04, 2024 at 11:33:25PM +0300, Ville Syrjala wrote:
> > > > From: Ville Syrjälä
> > > >
> > > > The modes[] array contains pointers to modes on the connectors'
> > > > mode lists, which are protected by dev->mode_config.mutex.
> > > > Thus we need to extend modes[] the same protection or by the
> > > > time we use it the elements may already be pointing to
> > > > freed/reused memory.
> > > >
> > > > Cc: sta...@vger.kernel.org
> > > > Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
> > > > Signed-off-by: Ville Syrjälä
> > >
> > > Reviewed-by: Dmitry Baryshkov
> > >
> > > I tried looking for the proper Fixes tag, but it looks like it might be
> > > something like 386516744ba4 ("drm/fb: fix fbdev object model + cleanup
> > > properly.")
> >
> > The history is rather messy. I think it was originally completely
> > lockless and broken, and got fixed piecemeal later in these:
> > commit 7394371d8569 ("drm: Take lock around probes for
> > drm_fb_helper_hotplug_event")
> > commit 966a6a13c666 ("drm: Hold mode_config.lock to prevent hotplug whilst
> > setting up crtcs")
> >
> > commit e13a05831050 ("drm/fb-helper: Stop using mode_config.mutex for
> > internals")
> > looks to me like where the race might have been re-introduced.
> > But didn't do a thorough analysis so not 100% sure. It's all
> > rather ancient history by now so a Fixes tag doesn't seem all
> > that useful anyway.
>
> Well, you have added stable to cc list, so you expect to have this
> patch backported. Then it should either have a kernel version as a
> 'starting' point or a Fixes tag to assist the stable team.

It'll get backported just fine without either.

--
Ville Syrjälä
Intel
Re: [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
On Fri, 5 Apr 2024 at 22:17, Ville Syrjälä wrote:
>
> On Fri, Apr 05, 2024 at 06:24:01AM +0300, Dmitry Baryshkov wrote:
> > On Thu, Apr 04, 2024 at 11:33:25PM +0300, Ville Syrjala wrote:
> > > From: Ville Syrjälä
> > >
> > > The modes[] array contains pointers to modes on the connectors'
> > > mode lists, which are protected by dev->mode_config.mutex.
> > > Thus we need to extend modes[] the same protection or by the
> > > time we use it the elements may already be pointing to
> > > freed/reused memory.
> > >
> > > Cc: sta...@vger.kernel.org
> > > Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
> > > Signed-off-by: Ville Syrjälä
> >
> > Reviewed-by: Dmitry Baryshkov
> >
> > I tried looking for the proper Fixes tag, but it looks like it might be
> > something like 386516744ba4 ("drm/fb: fix fbdev object model + cleanup
> > properly.")
>
> The history is rather messy. I think it was originally completely
> lockless and broken, and got fixed piecemeal later in these:
> commit 7394371d8569 ("drm: Take lock around probes for
> drm_fb_helper_hotplug_event")
> commit 966a6a13c666 ("drm: Hold mode_config.lock to prevent hotplug whilst
> setting up crtcs")
>
> commit e13a05831050 ("drm/fb-helper: Stop using mode_config.mutex for
> internals")
> looks to me like where the race might have been re-introduced.
> But didn't do a thorough analysis so not 100% sure. It's all
> rather ancient history by now so a Fixes tag doesn't seem all
> that useful anyway.

Well, you have added stable to cc list, so you expect to have this
patch backported. Then it should either have a kernel version as a
'starting' point or a Fixes tag to assist the stable team.

--
With best wishes
Dmitry
Re: [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
On Fri, Apr 05, 2024 at 06:24:01AM +0300, Dmitry Baryshkov wrote:
> On Thu, Apr 04, 2024 at 11:33:25PM +0300, Ville Syrjala wrote:
> > From: Ville Syrjälä
> >
> > The modes[] array contains pointers to modes on the connectors'
> > mode lists, which are protected by dev->mode_config.mutex.
> > Thus we need to extend modes[] the same protection or by the
> > time we use it the elements may already be pointing to
> > freed/reused memory.
> >
> > Cc: sta...@vger.kernel.org
> > Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583
> > Signed-off-by: Ville Syrjälä
>
> Reviewed-by: Dmitry Baryshkov
>
> I tried looking for the proper Fixes tag, but it looks like it might be
> something like 386516744ba4 ("drm/fb: fix fbdev object model + cleanup
> properly.")

The history is rather messy. I think it was originally completely
lockless and broken, and got fixed piecemeal later in these:
commit 7394371d8569 ("drm: Take lock around probes for
drm_fb_helper_hotplug_event")
commit 966a6a13c666 ("drm: Hold mode_config.lock to prevent hotplug whilst
setting up crtcs")

commit e13a05831050 ("drm/fb-helper: Stop using mode_config.mutex for
internals")
looks to me like where the race might have been re-introduced.
But didn't do a thorough analysis so not 100% sure. It's all
rather ancient history by now so a Fixes tag doesn't seem all
that useful anyway.

--
Ville Syrjälä
Intel
Re: [PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
On Thu, Apr 04, 2024 at 11:33:25PM +0300, Ville Syrjala wrote: > From: Ville Syrjälä > > The modes[] array contains pointers to modes on the connectors' > mode lists, which are protected by dev->mode_config.mutex. > Thus we need to extend modes[] the same protection or by the > time we use it the elements may already be pointing to > freed/reused memory. > > Cc: sta...@vger.kernel.org > Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583 > Signed-off-by: Ville Syrjälä Reviewed-by: Dmitry Baryshkov I tried looking for the proper Fixes tag, but it looks like it might be something like 386516744ba4 ("drm/fb: fix fbdev object model + cleanup properly.") > --- > drivers/gpu/drm/drm_client_modeset.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_client_modeset.c > b/drivers/gpu/drm/drm_client_modeset.c > index 871e4e2129d6..0683a129b362 100644 > --- a/drivers/gpu/drm/drm_client_modeset.c > +++ b/drivers/gpu/drm/drm_client_modeset.c > @@ -777,6 +777,7 @@ int drm_client_modeset_probe(struct drm_client_dev > *client, unsigned int width, > unsigned int total_modes_count = 0; > struct drm_client_offset *offsets; > unsigned int connector_count = 0; > + /* points to modes protected by mode_config.mutex */ > struct drm_display_mode **modes; > struct drm_crtc **crtcs; > int i, ret = 0; > @@ -845,7 +846,6 @@ int drm_client_modeset_probe(struct drm_client_dev > *client, unsigned int width, > drm_client_pick_crtcs(client, connectors, connector_count, > crtcs, modes, 0, width, height); > } > - mutex_unlock(>mode_config.mutex); > > drm_client_modeset_release(client); > > @@ -875,6 +875,7 @@ int drm_client_modeset_probe(struct drm_client_dev > *client, unsigned int width, > modeset->y = offset->y; > } > } > + mutex_unlock(>mode_config.mutex); > > mutex_unlock(>modeset_mutex); > out: > -- > 2.43.2 > -- With best wishes Dmitry
[PATCH 01/12] drm/client: Fully protect modes[] with dev->mode_config.mutex
From: Ville Syrjälä The modes[] array contains pointers to modes on the connectors' mode lists, which are protected by dev->mode_config.mutex. Thus we need to extend modes[] the same protection or by the time we use it the elements may already be pointing to freed/reused memory. Cc: sta...@vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/10583 Signed-off-by: Ville Syrjälä --- drivers/gpu/drm/drm_client_modeset.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/drm_client_modeset.c b/drivers/gpu/drm/drm_client_modeset.c index 871e4e2129d6..0683a129b362 100644 --- a/drivers/gpu/drm/drm_client_modeset.c +++ b/drivers/gpu/drm/drm_client_modeset.c @@ -777,6 +777,7 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, unsigned int total_modes_count = 0; struct drm_client_offset *offsets; unsigned int connector_count = 0; + /* points to modes protected by mode_config.mutex */ struct drm_display_mode **modes; struct drm_crtc **crtcs; int i, ret = 0; @@ -845,7 +846,6 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, drm_client_pick_crtcs(client, connectors, connector_count, crtcs, modes, 0, width, height); } - mutex_unlock(>mode_config.mutex); drm_client_modeset_release(client); @@ -875,6 +875,7 @@ int drm_client_modeset_probe(struct drm_client_dev *client, unsigned int width, modeset->y = offset->y; } } + mutex_unlock(>mode_config.mutex); mutex_unlock(>modeset_mutex); out: -- 2.43.2
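Review bot: in the first hunk (@@ -777), the new comment above `struct drm_display_mode **modes;` names the lock but not the rule a later editor has to follow. Suggest phrasing it as a constraint, for example that the entries are borrowed from the connectors' mode lists and must not be dereferenced once mode_config.mutex is dropped, which is the failure the commit message describes.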
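Review bot: in the second hunk (@@ -845), removing the unlock after drm_client_pick_crtcs() means drm_client_modeset_release(client) now runs with mode_config.mutex held, and the commit message does not say that this is safe. It only argues for covering modes[]; a sentence confirming that nothing reached from drm_client_modeset_release() takes mode_config.mutex would close that gap for anyone backporting the change.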
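Review bot: in the third hunk (@@ -875), the unlock now sits directly before the modeset_mutex unlock and the `out:` label, so any `goto out` taken between the old unlock position and this one would return with mode_config.mutex still held. None is visible in the context shown, but the hunks skip the lines in between, so this is worth confirming. The commit message could also note that mode_config.mutex is now held together with modeset_mutex for the whole loop that fills modeset->x and modeset->y, and that this nesting matches the order used elsewhere.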