From: Rob Clark <robdclark@gmail.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: "DRI Development" <dri-devel@lists.freedesktop.org>,
"Intel Graphics Development" <intel-gfx@lists.freedesktop.org>,
"Abhinav Kumar" <quic_abhinavk@quicinc.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Maxime Ripard" <maxime@cerno.tech>,
mikita.lipski@amd.com, "Michel Dänzer" <michel@daenzer.net>,
harry.wentland@amd.com, "Kazlauskas,
Nicholas" <nicholas.kazlauskas@amd.com>,
"Dmitry Osipenko" <dmitry.osipenko@collabora.com>,
"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
"Dmitry Baryshkov" <dmitry.baryshkov@linaro.org>,
"Sean Paul" <sean@poorly.run>,
"Matthias Brugger" <matthias.bgg@gmail.com>,
"AngeloGioacchino Del Regno"
<angelogioacchino.delregno@collabora.com>,
"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
"Jani Nikula" <jani.nikula@intel.com>,
"Lucas De Marchi" <lucas.demarchi@intel.com>,
"Imre Deak" <imre.deak@intel.com>,
"Manasi Navare" <manasi.d.navare@intel.com>,
linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Rob Clark" <robdclark@chromium.org>
Subject: Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
Date: Wed, 22 Feb 2023 15:14:27 -0800 [thread overview]
Message-ID: <CAF6AEGvFN-9_cr2EyGxuW5NVgk8CA99rVuv_Y80M+gvMviPcuA@mail.gmail.com> (raw)
In-Reply-To: <20230216111214.3489223-1-daniel.vetter@ffwll.ch>
On Thu, Feb 16, 2023 at 3:12 AM Daniel Vetter <daniel.vetter@ffwll.ch> wrote:
>
> The stuff never really worked, and leads to lots of fun because it
> out-of-order frees atomic states. Which upsets KASAN, among other
> things.
>
> For async updates we now have a more solid solution with the
> ->atomic_async_check and ->atomic_async_commit hooks. Support for that
> for msm and vc4 landed. nouveau and i915 have their own commit
> routines, doing something similar.
>
> For everyone else it's probably better to remove the use-after-free
> bug, and encourage folks to use the async support instead. The
> affected drivers which register a legacy cursor plane and don't either
> use the new async stuff or their own commit routine are: amdgpu,
> atmel, mediatek, qxl, rockchip, sti, sun4i, tegra, virtio, and vmwgfx.
>
> Inspired by an amdgpu bug report.
>
> v2: Drop RFC, I think with amdgpu converted over to use
> atomic_async_check/commit done in
>
> commit 674e78acae0dfb4beb56132e41cbae5b60f7d662
> Author: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
> Date: Wed Dec 5 14:59:07 2018 -0500
>
> drm/amd/display: Add fast path for cursor plane updates
>
> we don't have any driver anymore where we have userspace expecting
> solid legacy cursor support _and_ they are using the atomic helpers in
> their fully glory. So we can retire this.
>
> v3: Paper over msm and i915 regression. The complete_all is the only
> thing missing afaict.
>
> v4: Fixup i915 fixup ...
>
> v5: Unallocate the crtc->event in msm to avoid hitting a WARN_ON in
> dpu_crtc_atomic_flush(). This is a bit a hack, but simplest way to
> untangle this all. Thanks to Abhinav Kumar for the debug help.
Hmm, are you sure about that double-put?
[ +0.501263] ------------[ cut here ]------------
[ +0.000032] refcount_t: underflow; use-after-free.
[ +0.000033] WARNING: CPU: 6 PID: 1854 at lib/refcount.c:28
refcount_warn_saturate+0xf8/0x134
[ +0.000043] Modules linked in: uinput rfcomm algif_hash
algif_skcipher af_alg veth venus_dec venus_enc xt_cgroup xt_MASQUERADE
qcom_spmi_temp_alarm qcom_spmi_adc_tm5 qcom_spmi_adc5 qcom_vadc_common
cros_ec_typec typec 8021q hci_uart btqca qcom_stats venus_core
coresight_etm4x coresight_tmc snd_soc_lpass_sc7180
coresight_replicator coresight_funnel coresight snd_soc_sc7180
ip6table_nat fuse ath10k_snoc ath10k_core ath mac80211 iio_trig_sysfs
bluetooth cros_ec_sensors cfg80211 cros_ec_sensors_core
industrialio_triggered_buffer kfifo_buf ecdh_generic ecc
cros_ec_sensorhub lzo_rle lzo_compress r8153_ecm cdc_ether usbnet
r8152 mii zram hid_vivaldi hid_google_hammer hid_vivaldi_common joydev
[ +0.000189] CPU: 6 PID: 1854 Comm: DrmThread Not tainted
5.15.93-16271-g5ecce40dbcd4 #46
cf9752a1c9e5b13fd13216094f52d77fa5a5f8f3
[ +0.000016] Hardware name: Google Wormdingler rev1+ INX panel board (DT)
[ +0.000008] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ +0.000013] pc : refcount_warn_saturate+0xf8/0x134
[ +0.000011] lr : refcount_warn_saturate+0xf8/0x134
[ +0.000011] sp : ffffffc012e43930
[ +0.000008] x29: ffffffc012e43930 x28: ffffff80d31aa300 x27: 000000000000024e
[ +0.000017] x26: 00000000000003bd x25: 0000000000000040 x24: 0000000000000040
[ +0.000014] x23: ffffff8083eb1000 x22: 0000000000000002 x21: ffffff80845bc800
[ +0.000013] x20: 0000000000000040 x19: ffffff80d0cecb00 x18: 0000000060014024
[ +0.000012] x17: 0000000000000000 x16: 000000000000003c x15: ffffffd97e21a1c0
[ +0.000012] x14: 0000000000000003 x13: 0000000000000004 x12: 0000000000000001
[ +0.000014] x11: c0000000ffffdfff x10: ffffffd97f560f50 x9 : 5749cdb403550d00
[ +0.000014] x8 : 5749cdb403550d00 x7 : 0000000000000000 x6 : 372e31332020205b
[ +0.000012] x5 : ffffffd97f7b8b24 x4 : 0000000000000000 x3 : ffffffc012e43588
[ +0.000013] x2 : ffffffc012e43590 x1 : 00000000ffffdfff x0 : 0000000000000026
[ +0.000014] Call trace:
[ +0.000008] refcount_warn_saturate+0xf8/0x134
[ +0.000013] drm_crtc_commit_put+0x54/0x74
[ +0.000013] __drm_atomic_helper_plane_destroy_state+0x64/0x68
[ +0.000013] dpu_plane_destroy_state+0x24/0x3c
[ +0.000017] drm_atomic_state_default_clear+0x13c/0x2d8
[ +0.000015] __drm_atomic_state_free+0x88/0xa0
[ +0.000015] drm_atomic_helper_update_plane+0x158/0x188
[ +0.000014] __setplane_atomic+0xf4/0x138
[ +0.000012] drm_mode_cursor_common+0x2e8/0x40c
[ +0.000009] drm_mode_cursor_ioctl+0x48/0x70
[ +0.000008] drm_ioctl_kernel+0xe0/0x158
[ +0.000014] drm_ioctl+0x214/0x480
[ +0.000012] __arm64_sys_ioctl+0x94/0xd4
[ +0.000010] invoke_syscall+0x4c/0x100
[ +0.000013] do_el0_svc+0xa4/0x168
[ +0.000012] el0_svc+0x20/0x50
[ +0.000009] el0t_64_sync_handler+0x20/0x110
[ +0.000008] el0t_64_sync+0x1a4/0x1a8
[ +0.000010] ---[ end trace 35bb2d245a684c9a ]---
BR,
-R
> Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Maxime Ripard <maxime@cerno.tech>
> References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
> References: https://lore.kernel.org/all/20220221134155.125447-9-maxime@cerno.tech/
> References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
> Cc: Maxime Ripard <maxime@cerno.tech>
> Tested-by: Maxime Ripard <maxime@cerno.tech>
> Cc: mikita.lipski@amd.com
> Cc: Michel Dänzer <michel@daenzer.net>
> Cc: harry.wentland@amd.com
> Cc: Rob Clark <robdclark@gmail.com>
> Cc: "Kazlauskas, Nicholas" <nicholas.kazlauskas@amd.com>
> Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> Cc: Sean Paul <sean@poorly.run>
> Cc: Matthias Brugger <matthias.bgg@gmail.com>
> Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
> Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
> Cc: Jani Nikula <jani.nikula@intel.com>
> Cc: Lucas De Marchi <lucas.demarchi@intel.com>
> Cc: Imre Deak <imre.deak@intel.com>
> Cc: Manasi Navare <manasi.d.navare@intel.com>
> Cc: linux-arm-msm@vger.kernel.org
> Cc: freedreno@lists.freedesktop.org
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-arm-kernel@lists.infradead.org
> Cc: linux-mediatek@lists.infradead.org
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> drivers/gpu/drm/drm_atomic_helper.c | 13 -------------
> drivers/gpu/drm/i915/display/intel_display.c | 14 ++++++++++++++
> drivers/gpu/drm/msm/msm_atomic.c | 15 +++++++++++++++
> 3 files changed, 29 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> index d579fd8f7cb8..f6b4c3a00684 100644
> --- a/drivers/gpu/drm/drm_atomic_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_helper.c
> @@ -1587,13 +1587,6 @@ drm_atomic_helper_wait_for_vblanks(struct drm_device *dev,
> int i, ret;
> unsigned int crtc_mask = 0;
>
> - /*
> - * Legacy cursor ioctls are completely unsynced, and userspace
> - * relies on that (by doing tons of cursor updates).
> - */
> - if (old_state->legacy_cursor_update)
> - return;
> -
> for_each_oldnew_crtc_in_state(old_state, crtc, old_crtc_state, new_crtc_state, i) {
> if (!new_crtc_state->active)
> continue;
> @@ -2244,12 +2237,6 @@ int drm_atomic_helper_setup_commit(struct drm_atomic_state *state,
> continue;
> }
>
> - /* Legacy cursor updates are fully unsynced. */
> - if (state->legacy_cursor_update) {
> - complete_all(&commit->flip_done);
> - continue;
> - }
> -
> if (!new_crtc_state->event) {
> commit->event = kzalloc(sizeof(*commit->event),
> GFP_KERNEL);
> diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c
> index 3479125fbda6..2454451fcf95 100644
> --- a/drivers/gpu/drm/i915/display/intel_display.c
> +++ b/drivers/gpu/drm/i915/display/intel_display.c
> @@ -7651,6 +7651,20 @@ static int intel_atomic_commit(struct drm_device *dev,
> intel_runtime_pm_put(&dev_priv->runtime_pm, state->wakeref);
> return ret;
> }
> +
> + /*
> + * FIXME: Cut over to (async) commit helpers instead of hand-rolling
> + * everything.
> + */
> + if (state->base.legacy_cursor_update) {
> + struct intel_crtc_state *new_crtc_state;
> + struct intel_crtc *crtc;
> + int i;
> +
> + for_each_new_intel_crtc_in_state(state, crtc, new_crtc_state, i)
> + complete_all(&new_crtc_state->uapi.commit->flip_done);
> + }
> +
> intel_shared_dpll_swap_state(state);
> intel_atomic_track_fbs(state);
>
> diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
> index 1686fbb611fd..b7151767b567 100644
> --- a/drivers/gpu/drm/msm/msm_atomic.c
> +++ b/drivers/gpu/drm/msm/msm_atomic.c
> @@ -189,6 +189,19 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
> bool async = kms->funcs->vsync_time &&
> can_do_async(state, &async_crtc);
>
> + /*
> + * FIXME: Convert to async plane helpers and remove the various hacks to
> + * keep the old legacy_cursor_way of doing async commits working for the
> + * dpu code, like the expectation that these don't have a crtc->event.
> + */
> + if (async) {
> + /* both ->event itself and the pointer hold a reference! */
> + drm_crtc_commit_put(async_crtc->state->commit);
> + drm_crtc_commit_put(async_crtc->state->commit);
> + kfree(async_crtc->state->event);
> + async_crtc->state->event = NULL;
> + }
> +
> trace_msm_atomic_commit_tail_start(async, crtc_mask);
>
> kms->funcs->enable_commit(kms);
> @@ -222,6 +235,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
> /* async updates are limited to single-crtc updates: */
> WARN_ON(crtc_mask != drm_crtc_mask(async_crtc));
>
> + complete_all(&async_crtc->state->commit->flip_done);
> +
> /*
> * Start timer if we don't already have an update pending
> * on this crtc:
> --
> 2.39.0
>
WARNING: multiple messages have this Message-ID (diff)
From: Rob Clark <robdclark@gmail.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: "DRI Development" <dri-devel@lists.freedesktop.org>,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Rob Clark" <robdclark@chromium.org>,
"Dmitry Osipenko" <dmitry.osipenko@collabora.com>,
linux-arm-msm@vger.kernel.org,
"Michel Dänzer" <michel@daenzer.net>,
"Jani Nikula" <jani.nikula@intel.com>,
"Intel Graphics Development" <intel-gfx@lists.freedesktop.org>,
"Lucas De Marchi" <lucas.demarchi@intel.com>,
"Abhinav Kumar" <quic_abhinavk@quicinc.com>,
linux-mediatek@lists.infradead.org,
"Maxime Ripard" <maxime@cerno.tech>,
"Matthias Brugger" <matthias.bgg@gmail.com>,
mikita.lipski@amd.com, "Sean Paul" <sean@poorly.run>,
linux-arm-kernel@lists.infradead.org,
"AngeloGioacchino Del Regno"
<angelogioacchino.delregno@collabora.com>,
linux-kernel@vger.kernel.org,
"Manasi Navare" <manasi.d.navare@intel.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Dmitry Baryshkov" <dmitry.baryshkov@linaro.org>,
freedreno@lists.freedesktop.org, "Kazlauskas,
Nicholas" <nicholas.kazlauskas@amd.com>
Subject: Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
Date: Wed, 22 Feb 2023 15:14:27 -0800 [thread overview]
Message-ID: <CAF6AEGvFN-9_cr2EyGxuW5NVgk8CA99rVuv_Y80M+gvMviPcuA@mail.gmail.com> (raw)
In-Reply-To: <20230216111214.3489223-1-daniel.vetter@ffwll.ch>
On Thu, Feb 16, 2023 at 3:12 AM Daniel Vetter <daniel.vetter@ffwll.ch> wrote:
>
> The stuff never really worked, and leads to lots of fun because it
> out-of-order frees atomic states. Which upsets KASAN, among other
> things.
>
> For async updates we now have a more solid solution with the
> ->atomic_async_check and ->atomic_async_commit hooks. Support for that
> for msm and vc4 landed. nouveau and i915 have their own commit
> routines, doing something similar.
>
> For everyone else it's probably better to remove the use-after-free
> bug, and encourage folks to use the async support instead. The
> affected drivers which register a legacy cursor plane and don't either
> use the new async stuff or their own commit routine are: amdgpu,
> atmel, mediatek, qxl, rockchip, sti, sun4i, tegra, virtio, and vmwgfx.
>
> Inspired by an amdgpu bug report.
>
> v2: Drop RFC, I think with amdgpu converted over to use
> atomic_async_check/commit done in
>
> commit 674e78acae0dfb4beb56132e41cbae5b60f7d662
> Author: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
> Date: Wed Dec 5 14:59:07 2018 -0500
>
> drm/amd/display: Add fast path for cursor plane updates
>
> we don't have any driver anymore where we have userspace expecting
> solid legacy cursor support _and_ they are using the atomic helpers in
> their fully glory. So we can retire this.
>
> v3: Paper over msm and i915 regression. The complete_all is the only
> thing missing afaict.
>
> v4: Fixup i915 fixup ...
>
> v5: Unallocate the crtc->event in msm to avoid hitting a WARN_ON in
> dpu_crtc_atomic_flush(). This is a bit a hack, but simplest way to
> untangle this all. Thanks to Abhinav Kumar for the debug help.
Hmm, are you sure about that double-put?
[ +0.501263] ------------[ cut here ]------------
[ +0.000032] refcount_t: underflow; use-after-free.
[ +0.000033] WARNING: CPU: 6 PID: 1854 at lib/refcount.c:28
refcount_warn_saturate+0xf8/0x134
[ +0.000043] Modules linked in: uinput rfcomm algif_hash
algif_skcipher af_alg veth venus_dec venus_enc xt_cgroup xt_MASQUERADE
qcom_spmi_temp_alarm qcom_spmi_adc_tm5 qcom_spmi_adc5 qcom_vadc_common
cros_ec_typec typec 8021q hci_uart btqca qcom_stats venus_core
coresight_etm4x coresight_tmc snd_soc_lpass_sc7180
coresight_replicator coresight_funnel coresight snd_soc_sc7180
ip6table_nat fuse ath10k_snoc ath10k_core ath mac80211 iio_trig_sysfs
bluetooth cros_ec_sensors cfg80211 cros_ec_sensors_core
industrialio_triggered_buffer kfifo_buf ecdh_generic ecc
cros_ec_sensorhub lzo_rle lzo_compress r8153_ecm cdc_ether usbnet
r8152 mii zram hid_vivaldi hid_google_hammer hid_vivaldi_common joydev
[ +0.000189] CPU: 6 PID: 1854 Comm: DrmThread Not tainted
5.15.93-16271-g5ecce40dbcd4 #46
cf9752a1c9e5b13fd13216094f52d77fa5a5f8f3
[ +0.000016] Hardware name: Google Wormdingler rev1+ INX panel board (DT)
[ +0.000008] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ +0.000013] pc : refcount_warn_saturate+0xf8/0x134
[ +0.000011] lr : refcount_warn_saturate+0xf8/0x134
[ +0.000011] sp : ffffffc012e43930
[ +0.000008] x29: ffffffc012e43930 x28: ffffff80d31aa300 x27: 000000000000024e
[ +0.000017] x26: 00000000000003bd x25: 0000000000000040 x24: 0000000000000040
[ +0.000014] x23: ffffff8083eb1000 x22: 0000000000000002 x21: ffffff80845bc800
[ +0.000013] x20: 0000000000000040 x19: ffffff80d0cecb00 x18: 0000000060014024
[ +0.000012] x17: 0000000000000000 x16: 000000000000003c x15: ffffffd97e21a1c0
[ +0.000012] x14: 0000000000000003 x13: 0000000000000004 x12: 0000000000000001
[ +0.000014] x11: c0000000ffffdfff x10: ffffffd97f560f50 x9 : 5749cdb403550d00
[ +0.000014] x8 : 5749cdb403550d00 x7 : 0000000000000000 x6 : 372e31332020205b
[ +0.000012] x5 : ffffffd97f7b8b24 x4 : 0000000000000000 x3 : ffffffc012e43588
[ +0.000013] x2 : ffffffc012e43590 x1 : 00000000ffffdfff x0 : 0000000000000026
[ +0.000014] Call trace:
[ +0.000008] refcount_warn_saturate+0xf8/0x134
[ +0.000013] drm_crtc_commit_put+0x54/0x74
[ +0.000013] __drm_atomic_helper_plane_destroy_state+0x64/0x68
[ +0.000013] dpu_plane_destroy_state+0x24/0x3c
[ +0.000017] drm_atomic_state_default_clear+0x13c/0x2d8
[ +0.000015] __drm_atomic_state_free+0x88/0xa0
[ +0.000015] drm_atomic_helper_update_plane+0x158/0x188
[ +0.000014] __setplane_atomic+0xf4/0x138
[ +0.000012] drm_mode_cursor_common+0x2e8/0x40c
[ +0.000009] drm_mode_cursor_ioctl+0x48/0x70
[ +0.000008] drm_ioctl_kernel+0xe0/0x158
[ +0.000014] drm_ioctl+0x214/0x480
[ +0.000012] __arm64_sys_ioctl+0x94/0xd4
[ +0.000010] invoke_syscall+0x4c/0x100
[ +0.000013] do_el0_svc+0xa4/0x168
[ +0.000012] el0_svc+0x20/0x50
[ +0.000009] el0t_64_sync_handler+0x20/0x110
[ +0.000008] el0t_64_sync+0x1a4/0x1a8
[ +0.000010] ---[ end trace 35bb2d245a684c9a ]---
BR,
-R
> Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Maxime Ripard <maxime@cerno.tech>
> References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
> References: https://lore.kernel.org/all/20220221134155.125447-9-maxime@cerno.tech/
> References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
> Cc: Maxime Ripard <maxime@cerno.tech>
> Tested-by: Maxime Ripard <maxime@cerno.tech>
> Cc: mikita.lipski@amd.com
> Cc: Michel Dänzer <michel@daenzer.net>
> Cc: harry.wentland@amd.com
> Cc: Rob Clark <robdclark@gmail.com>
> Cc: "Kazlauskas, Nicholas" <nicholas.kazlauskas@amd.com>
> Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> Cc: Sean Paul <sean@poorly.run>
> Cc: Matthias Brugger <matthias.bgg@gmail.com>
> Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
> Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
> Cc: Jani Nikula <jani.nikula@intel.com>
> Cc: Lucas De Marchi <lucas.demarchi@intel.com>
> Cc: Imre Deak <imre.deak@intel.com>
> Cc: Manasi Navare <manasi.d.navare@intel.com>
> Cc: linux-arm-msm@vger.kernel.org
> Cc: freedreno@lists.freedesktop.org
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-arm-kernel@lists.infradead.org
> Cc: linux-mediatek@lists.infradead.org
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> drivers/gpu/drm/drm_atomic_helper.c | 13 -------------
> drivers/gpu/drm/i915/display/intel_display.c | 14 ++++++++++++++
> drivers/gpu/drm/msm/msm_atomic.c | 15 +++++++++++++++
> 3 files changed, 29 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> index d579fd8f7cb8..f6b4c3a00684 100644
> --- a/drivers/gpu/drm/drm_atomic_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_helper.c
> @@ -1587,13 +1587,6 @@ drm_atomic_helper_wait_for_vblanks(struct drm_device *dev,
> int i, ret;
> unsigned int crtc_mask = 0;
>
> - /*
> - * Legacy cursor ioctls are completely unsynced, and userspace
> - * relies on that (by doing tons of cursor updates).
> - */
> - if (old_state->legacy_cursor_update)
> - return;
> -
> for_each_oldnew_crtc_in_state(old_state, crtc, old_crtc_state, new_crtc_state, i) {
> if (!new_crtc_state->active)
> continue;
> @@ -2244,12 +2237,6 @@ int drm_atomic_helper_setup_commit(struct drm_atomic_state *state,
> continue;
> }
>
> - /* Legacy cursor updates are fully unsynced. */
> - if (state->legacy_cursor_update) {
> - complete_all(&commit->flip_done);
> - continue;
> - }
> -
> if (!new_crtc_state->event) {
> commit->event = kzalloc(sizeof(*commit->event),
> GFP_KERNEL);
> diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c
> index 3479125fbda6..2454451fcf95 100644
> --- a/drivers/gpu/drm/i915/display/intel_display.c
> +++ b/drivers/gpu/drm/i915/display/intel_display.c
> @@ -7651,6 +7651,20 @@ static int intel_atomic_commit(struct drm_device *dev,
> intel_runtime_pm_put(&dev_priv->runtime_pm, state->wakeref);
> return ret;
> }
> +
> + /*
> + * FIXME: Cut over to (async) commit helpers instead of hand-rolling
> + * everything.
> + */
> + if (state->base.legacy_cursor_update) {
> + struct intel_crtc_state *new_crtc_state;
> + struct intel_crtc *crtc;
> + int i;
> +
> + for_each_new_intel_crtc_in_state(state, crtc, new_crtc_state, i)
> + complete_all(&new_crtc_state->uapi.commit->flip_done);
> + }
> +
> intel_shared_dpll_swap_state(state);
> intel_atomic_track_fbs(state);
>
> diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
> index 1686fbb611fd..b7151767b567 100644
> --- a/drivers/gpu/drm/msm/msm_atomic.c
> +++ b/drivers/gpu/drm/msm/msm_atomic.c
> @@ -189,6 +189,19 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
> bool async = kms->funcs->vsync_time &&
> can_do_async(state, &async_crtc);
>
> + /*
> + * FIXME: Convert to async plane helpers and remove the various hacks to
> + * keep the old legacy_cursor_way of doing async commits working for the
> + * dpu code, like the expectation that these don't have a crtc->event.
> + */
> + if (async) {
> + /* both ->event itself and the pointer hold a reference! */
> + drm_crtc_commit_put(async_crtc->state->commit);
> + drm_crtc_commit_put(async_crtc->state->commit);
> + kfree(async_crtc->state->event);
> + async_crtc->state->event = NULL;
> + }
> +
> trace_msm_atomic_commit_tail_start(async, crtc_mask);
>
> kms->funcs->enable_commit(kms);
> @@ -222,6 +235,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
> /* async updates are limited to single-crtc updates: */
> WARN_ON(crtc_mask != drm_crtc_mask(async_crtc));
>
> + complete_all(&async_crtc->state->commit->flip_done);
> +
> /*
> * Start timer if we don't already have an update pending
> * on this crtc:
> --
> 2.39.0
>
WARNING: multiple messages have this Message-ID (diff)
From: Rob Clark <robdclark@gmail.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: "DRI Development" <dri-devel@lists.freedesktop.org>,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Rob Clark" <robdclark@chromium.org>,
"Dmitry Osipenko" <dmitry.osipenko@collabora.com>,
linux-arm-msm@vger.kernel.org, harry.wentland@amd.com,
"Michel Dänzer" <michel@daenzer.net>,
"Jani Nikula" <jani.nikula@intel.com>,
"Intel Graphics Development" <intel-gfx@lists.freedesktop.org>,
"Lucas De Marchi" <lucas.demarchi@intel.com>,
"Abhinav Kumar" <quic_abhinavk@quicinc.com>,
linux-mediatek@lists.infradead.org,
"Maxime Ripard" <maxime@cerno.tech>,
"Matthias Brugger" <matthias.bgg@gmail.com>,
mikita.lipski@amd.com, linux-arm-kernel@lists.infradead.org,
"AngeloGioacchino Del Regno"
<angelogioacchino.delregno@collabora.com>,
linux-kernel@vger.kernel.org,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Dmitry Baryshkov" <dmitry.baryshkov@linaro.org>,
freedreno@lists.freedesktop.org, "Kazlauskas,
Nicholas" <nicholas.kazlauskas@amd.com>
Subject: Re: [Intel-gfx] [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
Date: Wed, 22 Feb 2023 15:14:27 -0800 [thread overview]
Message-ID: <CAF6AEGvFN-9_cr2EyGxuW5NVgk8CA99rVuv_Y80M+gvMviPcuA@mail.gmail.com> (raw)
In-Reply-To: <20230216111214.3489223-1-daniel.vetter@ffwll.ch>
On Thu, Feb 16, 2023 at 3:12 AM Daniel Vetter <daniel.vetter@ffwll.ch> wrote:
>
> The stuff never really worked, and leads to lots of fun because it
> out-of-order frees atomic states. Which upsets KASAN, among other
> things.
>
> For async updates we now have a more solid solution with the
> ->atomic_async_check and ->atomic_async_commit hooks. Support for that
> for msm and vc4 landed. nouveau and i915 have their own commit
> routines, doing something similar.
>
> For everyone else it's probably better to remove the use-after-free
> bug, and encourage folks to use the async support instead. The
> affected drivers which register a legacy cursor plane and don't either
> use the new async stuff or their own commit routine are: amdgpu,
> atmel, mediatek, qxl, rockchip, sti, sun4i, tegra, virtio, and vmwgfx.
>
> Inspired by an amdgpu bug report.
>
> v2: Drop RFC, I think with amdgpu converted over to use
> atomic_async_check/commit done in
>
> commit 674e78acae0dfb4beb56132e41cbae5b60f7d662
> Author: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
> Date: Wed Dec 5 14:59:07 2018 -0500
>
> drm/amd/display: Add fast path for cursor plane updates
>
> we don't have any driver anymore where we have userspace expecting
> solid legacy cursor support _and_ they are using the atomic helpers in
> their fully glory. So we can retire this.
>
> v3: Paper over msm and i915 regression. The complete_all is the only
> thing missing afaict.
>
> v4: Fixup i915 fixup ...
>
> v5: Unallocate the crtc->event in msm to avoid hitting a WARN_ON in
> dpu_crtc_atomic_flush(). This is a bit a hack, but simplest way to
> untangle this all. Thanks to Abhinav Kumar for the debug help.
Hmm, are you sure about that double-put?
[ +0.501263] ------------[ cut here ]------------
[ +0.000032] refcount_t: underflow; use-after-free.
[ +0.000033] WARNING: CPU: 6 PID: 1854 at lib/refcount.c:28
refcount_warn_saturate+0xf8/0x134
[ +0.000043] Modules linked in: uinput rfcomm algif_hash
algif_skcipher af_alg veth venus_dec venus_enc xt_cgroup xt_MASQUERADE
qcom_spmi_temp_alarm qcom_spmi_adc_tm5 qcom_spmi_adc5 qcom_vadc_common
cros_ec_typec typec 8021q hci_uart btqca qcom_stats venus_core
coresight_etm4x coresight_tmc snd_soc_lpass_sc7180
coresight_replicator coresight_funnel coresight snd_soc_sc7180
ip6table_nat fuse ath10k_snoc ath10k_core ath mac80211 iio_trig_sysfs
bluetooth cros_ec_sensors cfg80211 cros_ec_sensors_core
industrialio_triggered_buffer kfifo_buf ecdh_generic ecc
cros_ec_sensorhub lzo_rle lzo_compress r8153_ecm cdc_ether usbnet
r8152 mii zram hid_vivaldi hid_google_hammer hid_vivaldi_common joydev
[ +0.000189] CPU: 6 PID: 1854 Comm: DrmThread Not tainted
5.15.93-16271-g5ecce40dbcd4 #46
cf9752a1c9e5b13fd13216094f52d77fa5a5f8f3
[ +0.000016] Hardware name: Google Wormdingler rev1+ INX panel board (DT)
[ +0.000008] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ +0.000013] pc : refcount_warn_saturate+0xf8/0x134
[ +0.000011] lr : refcount_warn_saturate+0xf8/0x134
[ +0.000011] sp : ffffffc012e43930
[ +0.000008] x29: ffffffc012e43930 x28: ffffff80d31aa300 x27: 000000000000024e
[ +0.000017] x26: 00000000000003bd x25: 0000000000000040 x24: 0000000000000040
[ +0.000014] x23: ffffff8083eb1000 x22: 0000000000000002 x21: ffffff80845bc800
[ +0.000013] x20: 0000000000000040 x19: ffffff80d0cecb00 x18: 0000000060014024
[ +0.000012] x17: 0000000000000000 x16: 000000000000003c x15: ffffffd97e21a1c0
[ +0.000012] x14: 0000000000000003 x13: 0000000000000004 x12: 0000000000000001
[ +0.000014] x11: c0000000ffffdfff x10: ffffffd97f560f50 x9 : 5749cdb403550d00
[ +0.000014] x8 : 5749cdb403550d00 x7 : 0000000000000000 x6 : 372e31332020205b
[ +0.000012] x5 : ffffffd97f7b8b24 x4 : 0000000000000000 x3 : ffffffc012e43588
[ +0.000013] x2 : ffffffc012e43590 x1 : 00000000ffffdfff x0 : 0000000000000026
[ +0.000014] Call trace:
[ +0.000008] refcount_warn_saturate+0xf8/0x134
[ +0.000013] drm_crtc_commit_put+0x54/0x74
[ +0.000013] __drm_atomic_helper_plane_destroy_state+0x64/0x68
[ +0.000013] dpu_plane_destroy_state+0x24/0x3c
[ +0.000017] drm_atomic_state_default_clear+0x13c/0x2d8
[ +0.000015] __drm_atomic_state_free+0x88/0xa0
[ +0.000015] drm_atomic_helper_update_plane+0x158/0x188
[ +0.000014] __setplane_atomic+0xf4/0x138
[ +0.000012] drm_mode_cursor_common+0x2e8/0x40c
[ +0.000009] drm_mode_cursor_ioctl+0x48/0x70
[ +0.000008] drm_ioctl_kernel+0xe0/0x158
[ +0.000014] drm_ioctl+0x214/0x480
[ +0.000012] __arm64_sys_ioctl+0x94/0xd4
[ +0.000010] invoke_syscall+0x4c/0x100
[ +0.000013] do_el0_svc+0xa4/0x168
[ +0.000012] el0_svc+0x20/0x50
[ +0.000009] el0t_64_sync_handler+0x20/0x110
[ +0.000008] el0t_64_sync+0x1a4/0x1a8
[ +0.000010] ---[ end trace 35bb2d245a684c9a ]---
BR,
-R
> Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Maxime Ripard <maxime@cerno.tech>
> References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
> References: https://lore.kernel.org/all/20220221134155.125447-9-maxime@cerno.tech/
> References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
> Cc: Maxime Ripard <maxime@cerno.tech>
> Tested-by: Maxime Ripard <maxime@cerno.tech>
> Cc: mikita.lipski@amd.com
> Cc: Michel Dänzer <michel@daenzer.net>
> Cc: harry.wentland@amd.com
> Cc: Rob Clark <robdclark@gmail.com>
> Cc: "Kazlauskas, Nicholas" <nicholas.kazlauskas@amd.com>
> Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> Cc: Sean Paul <sean@poorly.run>
> Cc: Matthias Brugger <matthias.bgg@gmail.com>
> Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
> Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
> Cc: Jani Nikula <jani.nikula@intel.com>
> Cc: Lucas De Marchi <lucas.demarchi@intel.com>
> Cc: Imre Deak <imre.deak@intel.com>
> Cc: Manasi Navare <manasi.d.navare@intel.com>
> Cc: linux-arm-msm@vger.kernel.org
> Cc: freedreno@lists.freedesktop.org
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-arm-kernel@lists.infradead.org
> Cc: linux-mediatek@lists.infradead.org
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> drivers/gpu/drm/drm_atomic_helper.c | 13 -------------
> drivers/gpu/drm/i915/display/intel_display.c | 14 ++++++++++++++
> drivers/gpu/drm/msm/msm_atomic.c | 15 +++++++++++++++
> 3 files changed, 29 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> index d579fd8f7cb8..f6b4c3a00684 100644
> --- a/drivers/gpu/drm/drm_atomic_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_helper.c
> @@ -1587,13 +1587,6 @@ drm_atomic_helper_wait_for_vblanks(struct drm_device *dev,
> int i, ret;
> unsigned int crtc_mask = 0;
>
> - /*
> - * Legacy cursor ioctls are completely unsynced, and userspace
> - * relies on that (by doing tons of cursor updates).
> - */
> - if (old_state->legacy_cursor_update)
> - return;
> -
> for_each_oldnew_crtc_in_state(old_state, crtc, old_crtc_state, new_crtc_state, i) {
> if (!new_crtc_state->active)
> continue;
> @@ -2244,12 +2237,6 @@ int drm_atomic_helper_setup_commit(struct drm_atomic_state *state,
> continue;
> }
>
> - /* Legacy cursor updates are fully unsynced. */
> - if (state->legacy_cursor_update) {
> - complete_all(&commit->flip_done);
> - continue;
> - }
> -
> if (!new_crtc_state->event) {
> commit->event = kzalloc(sizeof(*commit->event),
> GFP_KERNEL);
> diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c
> index 3479125fbda6..2454451fcf95 100644
> --- a/drivers/gpu/drm/i915/display/intel_display.c
> +++ b/drivers/gpu/drm/i915/display/intel_display.c
> @@ -7651,6 +7651,20 @@ static int intel_atomic_commit(struct drm_device *dev,
> intel_runtime_pm_put(&dev_priv->runtime_pm, state->wakeref);
> return ret;
> }
> +
> + /*
> + * FIXME: Cut over to (async) commit helpers instead of hand-rolling
> + * everything.
> + */
> + if (state->base.legacy_cursor_update) {
> + struct intel_crtc_state *new_crtc_state;
> + struct intel_crtc *crtc;
> + int i;
> +
> + for_each_new_intel_crtc_in_state(state, crtc, new_crtc_state, i)
> + complete_all(&new_crtc_state->uapi.commit->flip_done);
> + }
> +
> intel_shared_dpll_swap_state(state);
> intel_atomic_track_fbs(state);
>
> diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
> index 1686fbb611fd..b7151767b567 100644
> --- a/drivers/gpu/drm/msm/msm_atomic.c
> +++ b/drivers/gpu/drm/msm/msm_atomic.c
> @@ -189,6 +189,19 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
> bool async = kms->funcs->vsync_time &&
> can_do_async(state, &async_crtc);
>
> + /*
> + * FIXME: Convert to async plane helpers and remove the various hacks to
> + * keep the old legacy_cursor_way of doing async commits working for the
> + * dpu code, like the expectation that these don't have a crtc->event.
> + */
> + if (async) {
> + /* both ->event itself and the pointer hold a reference! */
> + drm_crtc_commit_put(async_crtc->state->commit);
> + drm_crtc_commit_put(async_crtc->state->commit);
> + kfree(async_crtc->state->event);
> + async_crtc->state->event = NULL;
> + }
> +
> trace_msm_atomic_commit_tail_start(async, crtc_mask);
>
> kms->funcs->enable_commit(kms);
> @@ -222,6 +235,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
> /* async updates are limited to single-crtc updates: */
> WARN_ON(crtc_mask != drm_crtc_mask(async_crtc));
>
> + complete_all(&async_crtc->state->commit->flip_done);
> +
> /*
> * Start timer if we don't already have an update pending
> * on this crtc:
> --
> 2.39.0
>
WARNING: multiple messages have this Message-ID (diff)
From: Rob Clark <robdclark@gmail.com>
To: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: "DRI Development" <dri-devel@lists.freedesktop.org>,
"Intel Graphics Development" <intel-gfx@lists.freedesktop.org>,
"Abhinav Kumar" <quic_abhinavk@quicinc.com>,
"Thomas Zimmermann" <tzimmermann@suse.de>,
"Maxime Ripard" <maxime@cerno.tech>,
mikita.lipski@amd.com, "Michel Dänzer" <michel@daenzer.net>,
harry.wentland@amd.com, "Kazlauskas,
Nicholas" <nicholas.kazlauskas@amd.com>,
"Dmitry Osipenko" <dmitry.osipenko@collabora.com>,
"Maarten Lankhorst" <maarten.lankhorst@linux.intel.com>,
"Dmitry Baryshkov" <dmitry.baryshkov@linaro.org>,
"Sean Paul" <sean@poorly.run>,
"Matthias Brugger" <matthias.bgg@gmail.com>,
"AngeloGioacchino Del Regno"
<angelogioacchino.delregno@collabora.com>,
"Ville Syrjälä" <ville.syrjala@linux.intel.com>,
"Jani Nikula" <jani.nikula@intel.com>,
"Lucas De Marchi" <lucas.demarchi@intel.com>,
"Imre Deak" <imre.deak@intel.com>,
"Manasi Navare" <manasi.d.navare@intel.com>,
linux-arm-msm@vger.kernel.org, freedreno@lists.freedesktop.org,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org,
"Daniel Vetter" <daniel.vetter@intel.com>,
"Rob Clark" <robdclark@chromium.org>
Subject: Re: [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks
Date: Wed, 22 Feb 2023 15:14:27 -0800 [thread overview]
Message-ID: <CAF6AEGvFN-9_cr2EyGxuW5NVgk8CA99rVuv_Y80M+gvMviPcuA@mail.gmail.com> (raw)
In-Reply-To: <20230216111214.3489223-1-daniel.vetter@ffwll.ch>
On Thu, Feb 16, 2023 at 3:12 AM Daniel Vetter <daniel.vetter@ffwll.ch> wrote:
>
> The stuff never really worked, and leads to lots of fun because it
> out-of-order frees atomic states. Which upsets KASAN, among other
> things.
>
> For async updates we now have a more solid solution with the
> ->atomic_async_check and ->atomic_async_commit hooks. Support for that
> for msm and vc4 landed. nouveau and i915 have their own commit
> routines, doing something similar.
>
> For everyone else it's probably better to remove the use-after-free
> bug, and encourage folks to use the async support instead. The
> affected drivers which register a legacy cursor plane and don't either
> use the new async stuff or their own commit routine are: amdgpu,
> atmel, mediatek, qxl, rockchip, sti, sun4i, tegra, virtio, and vmwgfx.
>
> Inspired by an amdgpu bug report.
>
> v2: Drop RFC, I think with amdgpu converted over to use
> atomic_async_check/commit done in
>
> commit 674e78acae0dfb4beb56132e41cbae5b60f7d662
> Author: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
> Date: Wed Dec 5 14:59:07 2018 -0500
>
> drm/amd/display: Add fast path for cursor plane updates
>
> we don't have any driver anymore where we have userspace expecting
> solid legacy cursor support _and_ they are using the atomic helpers in
> their fully glory. So we can retire this.
>
> v3: Paper over msm and i915 regression. The complete_all is the only
> thing missing afaict.
>
> v4: Fixup i915 fixup ...
>
> v5: Unallocate the crtc->event in msm to avoid hitting a WARN_ON in
> dpu_crtc_atomic_flush(). This is a bit a hack, but simplest way to
> untangle this all. Thanks to Abhinav Kumar for the debug help.
Hmm, are you sure about that double-put?
[ +0.501263] ------------[ cut here ]------------
[ +0.000032] refcount_t: underflow; use-after-free.
[ +0.000033] WARNING: CPU: 6 PID: 1854 at lib/refcount.c:28
refcount_warn_saturate+0xf8/0x134
[ +0.000043] Modules linked in: uinput rfcomm algif_hash
algif_skcipher af_alg veth venus_dec venus_enc xt_cgroup xt_MASQUERADE
qcom_spmi_temp_alarm qcom_spmi_adc_tm5 qcom_spmi_adc5 qcom_vadc_common
cros_ec_typec typec 8021q hci_uart btqca qcom_stats venus_core
coresight_etm4x coresight_tmc snd_soc_lpass_sc7180
coresight_replicator coresight_funnel coresight snd_soc_sc7180
ip6table_nat fuse ath10k_snoc ath10k_core ath mac80211 iio_trig_sysfs
bluetooth cros_ec_sensors cfg80211 cros_ec_sensors_core
industrialio_triggered_buffer kfifo_buf ecdh_generic ecc
cros_ec_sensorhub lzo_rle lzo_compress r8153_ecm cdc_ether usbnet
r8152 mii zram hid_vivaldi hid_google_hammer hid_vivaldi_common joydev
[ +0.000189] CPU: 6 PID: 1854 Comm: DrmThread Not tainted
5.15.93-16271-g5ecce40dbcd4 #46
cf9752a1c9e5b13fd13216094f52d77fa5a5f8f3
[ +0.000016] Hardware name: Google Wormdingler rev1+ INX panel board (DT)
[ +0.000008] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ +0.000013] pc : refcount_warn_saturate+0xf8/0x134
[ +0.000011] lr : refcount_warn_saturate+0xf8/0x134
[ +0.000011] sp : ffffffc012e43930
[ +0.000008] x29: ffffffc012e43930 x28: ffffff80d31aa300 x27: 000000000000024e
[ +0.000017] x26: 00000000000003bd x25: 0000000000000040 x24: 0000000000000040
[ +0.000014] x23: ffffff8083eb1000 x22: 0000000000000002 x21: ffffff80845bc800
[ +0.000013] x20: 0000000000000040 x19: ffffff80d0cecb00 x18: 0000000060014024
[ +0.000012] x17: 0000000000000000 x16: 000000000000003c x15: ffffffd97e21a1c0
[ +0.000012] x14: 0000000000000003 x13: 0000000000000004 x12: 0000000000000001
[ +0.000014] x11: c0000000ffffdfff x10: ffffffd97f560f50 x9 : 5749cdb403550d00
[ +0.000014] x8 : 5749cdb403550d00 x7 : 0000000000000000 x6 : 372e31332020205b
[ +0.000012] x5 : ffffffd97f7b8b24 x4 : 0000000000000000 x3 : ffffffc012e43588
[ +0.000013] x2 : ffffffc012e43590 x1 : 00000000ffffdfff x0 : 0000000000000026
[ +0.000014] Call trace:
[ +0.000008] refcount_warn_saturate+0xf8/0x134
[ +0.000013] drm_crtc_commit_put+0x54/0x74
[ +0.000013] __drm_atomic_helper_plane_destroy_state+0x64/0x68
[ +0.000013] dpu_plane_destroy_state+0x24/0x3c
[ +0.000017] drm_atomic_state_default_clear+0x13c/0x2d8
[ +0.000015] __drm_atomic_state_free+0x88/0xa0
[ +0.000015] drm_atomic_helper_update_plane+0x158/0x188
[ +0.000014] __setplane_atomic+0xf4/0x138
[ +0.000012] drm_mode_cursor_common+0x2e8/0x40c
[ +0.000009] drm_mode_cursor_ioctl+0x48/0x70
[ +0.000008] drm_ioctl_kernel+0xe0/0x158
[ +0.000014] drm_ioctl+0x214/0x480
[ +0.000012] __arm64_sys_ioctl+0x94/0xd4
[ +0.000010] invoke_syscall+0x4c/0x100
[ +0.000013] do_el0_svc+0xa4/0x168
[ +0.000012] el0_svc+0x20/0x50
[ +0.000009] el0t_64_sync_handler+0x20/0x110
[ +0.000008] el0t_64_sync+0x1a4/0x1a8
[ +0.000010] ---[ end trace 35bb2d245a684c9a ]---
BR,
-R
> Cc: Abhinav Kumar <quic_abhinavk@quicinc.com>
> Cc: Thomas Zimmermann <tzimmermann@suse.de>
> Cc: Maxime Ripard <maxime@cerno.tech>
> References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
> References: https://lore.kernel.org/all/20220221134155.125447-9-maxime@cerno.tech/
> References: https://bugzilla.kernel.org/show_bug.cgi?id=199425
> Cc: Maxime Ripard <maxime@cerno.tech>
> Tested-by: Maxime Ripard <maxime@cerno.tech>
> Cc: mikita.lipski@amd.com
> Cc: Michel Dänzer <michel@daenzer.net>
> Cc: harry.wentland@amd.com
> Cc: Rob Clark <robdclark@gmail.com>
> Cc: "Kazlauskas, Nicholas" <nicholas.kazlauskas@amd.com>
> Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
> Cc: Sean Paul <sean@poorly.run>
> Cc: Matthias Brugger <matthias.bgg@gmail.com>
> Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
> Cc: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
> Cc: Jani Nikula <jani.nikula@intel.com>
> Cc: Lucas De Marchi <lucas.demarchi@intel.com>
> Cc: Imre Deak <imre.deak@intel.com>
> Cc: Manasi Navare <manasi.d.navare@intel.com>
> Cc: linux-arm-msm@vger.kernel.org
> Cc: freedreno@lists.freedesktop.org
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-arm-kernel@lists.infradead.org
> Cc: linux-mediatek@lists.infradead.org
> Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
> ---
> drivers/gpu/drm/drm_atomic_helper.c | 13 -------------
> drivers/gpu/drm/i915/display/intel_display.c | 14 ++++++++++++++
> drivers/gpu/drm/msm/msm_atomic.c | 15 +++++++++++++++
> 3 files changed, 29 insertions(+), 13 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
> index d579fd8f7cb8..f6b4c3a00684 100644
> --- a/drivers/gpu/drm/drm_atomic_helper.c
> +++ b/drivers/gpu/drm/drm_atomic_helper.c
> @@ -1587,13 +1587,6 @@ drm_atomic_helper_wait_for_vblanks(struct drm_device *dev,
> int i, ret;
> unsigned int crtc_mask = 0;
>
> - /*
> - * Legacy cursor ioctls are completely unsynced, and userspace
> - * relies on that (by doing tons of cursor updates).
> - */
> - if (old_state->legacy_cursor_update)
> - return;
> -
> for_each_oldnew_crtc_in_state(old_state, crtc, old_crtc_state, new_crtc_state, i) {
> if (!new_crtc_state->active)
> continue;
> @@ -2244,12 +2237,6 @@ int drm_atomic_helper_setup_commit(struct drm_atomic_state *state,
> continue;
> }
>
> - /* Legacy cursor updates are fully unsynced. */
> - if (state->legacy_cursor_update) {
> - complete_all(&commit->flip_done);
> - continue;
> - }
> -
> if (!new_crtc_state->event) {
> commit->event = kzalloc(sizeof(*commit->event),
> GFP_KERNEL);
> diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c
> index 3479125fbda6..2454451fcf95 100644
> --- a/drivers/gpu/drm/i915/display/intel_display.c
> +++ b/drivers/gpu/drm/i915/display/intel_display.c
> @@ -7651,6 +7651,20 @@ static int intel_atomic_commit(struct drm_device *dev,
> intel_runtime_pm_put(&dev_priv->runtime_pm, state->wakeref);
> return ret;
> }
> +
> + /*
> + * FIXME: Cut over to (async) commit helpers instead of hand-rolling
> + * everything.
> + */
> + if (state->base.legacy_cursor_update) {
> + struct intel_crtc_state *new_crtc_state;
> + struct intel_crtc *crtc;
> + int i;
> +
> + for_each_new_intel_crtc_in_state(state, crtc, new_crtc_state, i)
> + complete_all(&new_crtc_state->uapi.commit->flip_done);
> + }
> +
> intel_shared_dpll_swap_state(state);
> intel_atomic_track_fbs(state);
>
> diff --git a/drivers/gpu/drm/msm/msm_atomic.c b/drivers/gpu/drm/msm/msm_atomic.c
> index 1686fbb611fd..b7151767b567 100644
> --- a/drivers/gpu/drm/msm/msm_atomic.c
> +++ b/drivers/gpu/drm/msm/msm_atomic.c
> @@ -189,6 +189,19 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
> bool async = kms->funcs->vsync_time &&
> can_do_async(state, &async_crtc);
>
> + /*
> + * FIXME: Convert to async plane helpers and remove the various hacks to
> + * keep the old legacy_cursor_way of doing async commits working for the
> + * dpu code, like the expectation that these don't have a crtc->event.
> + */
> + if (async) {
> + /* both ->event itself and the pointer hold a reference! */
> + drm_crtc_commit_put(async_crtc->state->commit);
> + drm_crtc_commit_put(async_crtc->state->commit);
> + kfree(async_crtc->state->event);
> + async_crtc->state->event = NULL;
> + }
> +
> trace_msm_atomic_commit_tail_start(async, crtc_mask);
>
> kms->funcs->enable_commit(kms);
> @@ -222,6 +235,8 @@ void msm_atomic_commit_tail(struct drm_atomic_state *state)
> /* async updates are limited to single-crtc updates: */
> WARN_ON(crtc_mask != drm_crtc_mask(async_crtc));
>
> + complete_all(&async_crtc->state->commit->flip_done);
> +
> /*
> * Start timer if we don't already have an update pending
> * on this crtc:
> --
> 2.39.0
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2023-02-22 23:14 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-16 11:12 [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks Daniel Vetter
2023-02-16 11:12 ` Daniel Vetter
2023-02-16 11:12 ` [Intel-gfx] " Daniel Vetter
2023-02-16 11:12 ` Daniel Vetter
2023-02-16 15:07 ` [Intel-gfx] ✓ Fi.CI.BAT: success for drm/atomic-helpers: remove legacy_cursor_update hacks (rev3) Patchwork
2023-02-17 1:11 ` [Intel-gfx] ✓ Fi.CI.IGT: " Patchwork
2023-02-22 23:14 ` Rob Clark [this message]
2023-02-22 23:14 ` [PATCH] drm/atomic-helpers: remove legacy_cursor_update hacks Rob Clark
2023-02-22 23:14 ` [Intel-gfx] " Rob Clark
2023-02-22 23:14 ` Rob Clark
2023-02-22 23:21 ` Rob Clark
2023-02-22 23:21 ` Rob Clark
2023-02-22 23:21 ` [Intel-gfx] " Rob Clark
2023-02-22 23:21 ` Rob Clark
2023-03-07 14:56 ` Maxime Ripard
2023-03-07 14:56 ` Maxime Ripard
2023-03-07 14:56 ` Maxime Ripard
2023-03-07 14:56 ` [Intel-gfx] " Maxime Ripard
2024-01-23 6:09 ` Jason-JH Lin (林睿祥)
2024-01-23 6:09 ` Jason-JH Lin (林睿祥)
2024-01-23 6:09 ` Jason-JH Lin (林睿祥)
2024-01-23 6:09 ` Jason-JH Lin (林睿祥)
2024-01-23 6:09 ` Jason-JH Lin (林睿祥)
2024-01-25 18:17 ` Daniel Vetter
2024-01-25 18:17 ` Daniel Vetter
2024-01-25 18:17 ` Daniel Vetter
2024-01-25 18:17 ` Daniel Vetter
2024-01-25 18:17 ` Daniel Vetter
2024-01-28 9:24 ` Maxime Ripard
2024-01-28 9:24 ` Maxime Ripard
2024-01-31 5:27 ` Jason-JH Lin (林睿祥)
2024-01-31 5:27 ` Jason-JH Lin (林睿祥)
2024-01-31 5:27 ` Jason-JH Lin (林睿祥)
2024-01-31 10:57 ` mripard
2024-01-31 10:57 ` mripard
2024-01-31 10:57 ` mripard
2024-01-31 10:57 ` mripard
2024-01-31 10:57 ` mripard
2024-01-31 5:17 ` Jason-JH Lin (林睿祥)
2024-01-31 5:17 ` Jason-JH Lin (林睿祥)
2024-01-31 5:17 ` Jason-JH Lin (林睿祥)
2024-01-31 5:17 ` Jason-JH Lin (林睿祥)
2024-01-31 5:17 ` Jason-JH Lin (林睿祥)
2024-01-31 9:11 ` Daniel Vetter
2024-01-31 9:11 ` Daniel Vetter
2024-01-31 9:11 ` Daniel Vetter
2024-01-31 9:11 ` Daniel Vetter
2024-01-31 9:11 ` Daniel Vetter
2024-01-31 10:26 ` Dmitry Baryshkov
2024-01-31 10:26 ` Dmitry Baryshkov
2024-01-31 10:26 ` Dmitry Baryshkov
2024-01-31 11:28 ` Daniel Vetter
2024-01-31 11:28 ` Daniel Vetter
2024-01-31 11:28 ` Daniel Vetter
2024-01-31 11:28 ` Daniel Vetter
2024-01-31 11:28 ` Daniel Vetter
-- strict thread matches above, loose matches on Subject: below --
2022-03-31 15:20 Daniel Vetter
2022-04-01 8:39 ` Maxime Ripard
2022-04-06 21:57 ` Rob Clark
2022-04-07 1:27 ` Jessica Zhang
2022-04-07 9:33 ` Daniel Vetter
2022-04-07 22:51 ` Rob Clark
2022-04-07 22:59 ` Abhinav Kumar
2022-04-07 23:12 ` Rob Clark
2022-04-09 4:04 ` Abhinav Kumar
2022-04-12 23:36 ` Abhinav Kumar
2022-04-13 11:20 ` Daniel Vetter
2022-04-28 8:08 ` Maxime Ripard
2022-04-28 12:09 ` Daniel Vetter
2022-05-12 8:08 ` Maxime Ripard
2022-09-26 15:06 ` Melissa Wen
2022-04-07 7:49 ` Thomas Zimmermann
2022-04-07 9:30 ` Daniel Vetter
2020-10-21 16:32 [PATCH 1/3] " Daniel Vetter
2020-10-23 12:26 ` [PATCH] " Daniel Vetter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAF6AEGvFN-9_cr2EyGxuW5NVgk8CA99rVuv_Y80M+gvMviPcuA@mail.gmail.com \
--to=robdclark@gmail.com \
--cc=angelogioacchino.delregno@collabora.com \
--cc=daniel.vetter@ffwll.ch \
--cc=daniel.vetter@intel.com \
--cc=dmitry.baryshkov@linaro.org \
--cc=dmitry.osipenko@collabora.com \
--cc=dri-devel@lists.freedesktop.org \
--cc=freedreno@lists.freedesktop.org \
--cc=harry.wentland@amd.com \
--cc=imre.deak@intel.com \
--cc=intel-gfx@lists.freedesktop.org \
--cc=jani.nikula@intel.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=lucas.demarchi@intel.com \
--cc=maarten.lankhorst@linux.intel.com \
--cc=manasi.d.navare@intel.com \
--cc=matthias.bgg@gmail.com \
--cc=maxime@cerno.tech \
--cc=michel@daenzer.net \
--cc=mikita.lipski@amd.com \
--cc=nicholas.kazlauskas@amd.com \
--cc=quic_abhinavk@quicinc.com \
--cc=robdclark@chromium.org \
--cc=sean@poorly.run \
--cc=tzimmermann@suse.de \
--cc=ville.syrjala@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.