[PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return.

From: Mark Yacoub <markyacoub@chromium.org>
To: seanpaul@chromium.org, abhinavk@codeaurora.org,
	robdclark@chromium.org, irlied@linux.ie,
	dri-devel@lists.freedesktop.org
Cc: Mark Yacoub <markyacoub@google.com>,
	Mark Yacoub <markyacoub@chromium.org>
Subject: [PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return.
Date: Wed, 11 Aug 2021 13:55:25 -0400	[thread overview]
Message-ID: <20210811175525.2125964-1-markyacoub@chromium.org> (raw)

From: Mark Yacoub <markyacoub@google.com>

[Why]
Userspace should get back a copy of the request that's been modified
even when drm_wait_vblank_ioctl returns a failure.

Rationale:
drm_wait_vblank_ioctl modifies the request and expects the user to read
back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
the sequence to become current_vblank_count + sequence (which was
relative), not it becomes absolute.
drmWaitVBlank (in libdrm), expects this to be the case as it modifies
the request to be Absolute as it expects the sequence to would have been
updated.

The change is in compat_drm_wait_vblank, which is called by
drm_compat_ioctl. This change of copying the data back regardless of the
return number makes it en par with drm_ioctl, which always copies the
data before returning.

[How]
Copy the drm_wait_vblank request.
Return from the function after everything has been copied to user.

Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
Tested on ChromeOS Trogdor(msm)

Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
---
 drivers/gpu/drm/drm_ioc32.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
index d29907955ff79..275b860df8fbe 100644
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -855,17 +855,19 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
 	req.request.sequence = req32.request.sequence;
 	req.request.signal = req32.request.signal;
 	err = drm_ioctl_kernel(file, drm_wait_vblank_ioctl, &req, DRM_UNLOCKED);
-	if (err)
-		return err;
 
 	req32.reply.type = req.reply.type;
 	req32.reply.sequence = req.reply.sequence;
 	req32.reply.tval_sec = req.reply.tval_sec;
 	req32.reply.tval_usec = req.reply.tval_usec;
+	/* drm_wait_vblank_ioctl modifies Request, update their values here as well. */
+	req32.request.type = req.request.type;
+	req32.request.sequence = req.request.sequence;
+	req32.request.signal = req.request.signal;
 	if (copy_to_user(argp, &req32, sizeof(req32)))
 		return -EFAULT;
 
-	return 0;
+	return err;
 }
 
 #if defined(CONFIG_X86)
-- 
2.33.0.rc1.237.g0d66db33f3-goog

