* [PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return.
@ 2021-08-11 17:55 Mark Yacoub
2021-08-12 9:26 ` Michel Dänzer
2021-08-12 19:49 ` [PATCH v2] drm: Copy drm_wait_vblank to user before returning Mark Yacoub
0 siblings, 2 replies; 7+ messages in thread
From: Mark Yacoub @ 2021-08-11 17:55 UTC (permalink / raw)
To: seanpaul, abhinavk, robdclark, irlied, dri-devel; +Cc: Mark Yacoub, Mark Yacoub
From: Mark Yacoub <markyacoub@google.com>
[Why]
Userspace should get back a copy of the request that's been modified
even when drm_wait_vblank_ioctl returns a failure.
Rationale:
drm_wait_vblank_ioctl modifies the request and expects the user to read
back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
the sequence to become current_vblank_count + sequence (which was
relative), not it becomes absolute.
drmWaitVBlank (in libdrm), expects this to be the case as it modifies
the request to be Absolute as it expects the sequence to would have been
updated.
The change is in compat_drm_wait_vblank, which is called by
drm_compat_ioctl. This change of copying the data back regardless of the
return number makes it en par with drm_ioctl, which always copies the
data before returning.
[How]
Copy the drm_wait_vblank request.
Return from the function after everything has been copied to user.
Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
Tested on ChromeOS Trogdor(msm)
Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
---
drivers/gpu/drm/drm_ioc32.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
index d29907955ff79..275b860df8fbe 100644
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -855,17 +855,19 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
req.request.sequence = req32.request.sequence;
req.request.signal = req32.request.signal;
err = drm_ioctl_kernel(file, drm_wait_vblank_ioctl, &req, DRM_UNLOCKED);
- if (err)
- return err;
req32.reply.type = req.reply.type;
req32.reply.sequence = req.reply.sequence;
req32.reply.tval_sec = req.reply.tval_sec;
req32.reply.tval_usec = req.reply.tval_usec;
+ /* drm_wait_vblank_ioctl modifies Request, update their values here as well. */
+ req32.request.type = req.request.type;
+ req32.request.sequence = req.request.sequence;
+ req32.request.signal = req.request.signal;
if (copy_to_user(argp, &req32, sizeof(req32)))
return -EFAULT;
- return 0;
+ return err;
}
#if defined(CONFIG_X86)
--
2.33.0.rc1.237.g0d66db33f3-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return.
2021-08-11 17:55 [PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return Mark Yacoub
@ 2021-08-12 9:26 ` Michel Dänzer
2021-08-12 19:51 ` Mark Yacoub
2021-08-12 19:49 ` [PATCH v2] drm: Copy drm_wait_vblank to user before returning Mark Yacoub
1 sibling, 1 reply; 7+ messages in thread
From: Michel Dänzer @ 2021-08-12 9:26 UTC (permalink / raw)
To: Mark Yacoub, seanpaul, abhinavk, robdclark, irlied, dri-devel; +Cc: Mark Yacoub
On 2021-08-11 7:55 p.m., Mark Yacoub wrote:
> From: Mark Yacoub <markyacoub@google.com>
>
> [Why]
> Userspace should get back a copy of the request that's been modified
> even when drm_wait_vblank_ioctl returns a failure.
>
> Rationale:
> drm_wait_vblank_ioctl modifies the request and expects the user to read
> back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
> the sequence to become current_vblank_count + sequence (which was
> relative), not it becomes absolute.
> drmWaitVBlank (in libdrm), expects this to be the case as it modifies
> the request to be Absolute as it expects the sequence to would have been
> updated.
>
> The change is in compat_drm_wait_vblank, which is called by
> drm_compat_ioctl. This change of copying the data back regardless of the
> return number makes it en par with drm_ioctl, which always copies the
> data before returning.
>
> [How]
> Copy the drm_wait_vblank request.
> Return from the function after everything has been copied to user.
>
> Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
> Tested on ChromeOS Trogdor(msm)
>
> Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
> ---
> drivers/gpu/drm/drm_ioc32.c | 8 +++++---
> 1 file changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
> index d29907955ff79..275b860df8fbe 100644
> --- a/drivers/gpu/drm/drm_ioc32.c
> +++ b/drivers/gpu/drm/drm_ioc32.c
> @@ -855,17 +855,19 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
> req.request.sequence = req32.request.sequence;
> req.request.signal = req32.request.signal;
> err = drm_ioctl_kernel(file, drm_wait_vblank_ioctl, &req, DRM_UNLOCKED);
> - if (err)
> - return err;
>
> req32.reply.type = req.reply.type;
> req32.reply.sequence = req.reply.sequence;
> req32.reply.tval_sec = req.reply.tval_sec;
> req32.reply.tval_usec = req.reply.tval_usec;
> + /* drm_wait_vblank_ioctl modifies Request, update their values here as well. */
> + req32.request.type = req.request.type;
> + req32.request.sequence = req.request.sequence;
> + req32.request.signal = req.request.signal;
The added assignments are superfluous, since req32.reply and req32.request are members of the same union.
> if (copy_to_user(argp, &req32, sizeof(req32)))
> return -EFAULT;
>
> - return 0;
> + return err;
> }
The other changes look correct.
--
Earthling Michel Dänzer | https://redhat.com
Libre software enthusiast | Mesa and X developer
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return.
2021-08-12 9:26 ` Michel Dänzer
@ 2021-08-12 19:51 ` Mark Yacoub
0 siblings, 0 replies; 7+ messages in thread
From: Mark Yacoub @ 2021-08-12 19:51 UTC (permalink / raw)
To: Michel Dänzer
Cc: Sean Paul, abhinavk, Rob Clark, Maling list - DRI developers,
Mark Yacoub
On Thu, Aug 12, 2021 at 5:26 AM Michel Dänzer <michel@daenzer.net> wrote:
>
> On 2021-08-11 7:55 p.m., Mark Yacoub wrote:
> > From: Mark Yacoub <markyacoub@google.com>
> >
> > [Why]
> > Userspace should get back a copy of the request that's been modified
> > even when drm_wait_vblank_ioctl returns a failure.
> >
> > Rationale:
> > drm_wait_vblank_ioctl modifies the request and expects the user to read
> > back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
> > the sequence to become current_vblank_count + sequence (which was
> > relative), not it becomes absolute.
> > drmWaitVBlank (in libdrm), expects this to be the case as it modifies
> > the request to be Absolute as it expects the sequence to would have been
> > updated.
> >
> > The change is in compat_drm_wait_vblank, which is called by
> > drm_compat_ioctl. This change of copying the data back regardless of the
> > return number makes it en par with drm_ioctl, which always copies the
> > data before returning.
> >
> > [How]
> > Copy the drm_wait_vblank request.
> > Return from the function after everything has been copied to user.
> >
> > Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
> > Tested on ChromeOS Trogdor(msm)
> >
> > Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
> > ---
> > drivers/gpu/drm/drm_ioc32.c | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
> > index d29907955ff79..275b860df8fbe 100644
> > --- a/drivers/gpu/drm/drm_ioc32.c
> > +++ b/drivers/gpu/drm/drm_ioc32.c
> > @@ -855,17 +855,19 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
> > req.request.sequence = req32.request.sequence;
> > req.request.signal = req32.request.signal;
> > err = drm_ioctl_kernel(file, drm_wait_vblank_ioctl, &req, DRM_UNLOCKED);
> > - if (err)
> > - return err;
> >
> > req32.reply.type = req.reply.type;
> > req32.reply.sequence = req.reply.sequence;
> > req32.reply.tval_sec = req.reply.tval_sec;
> > req32.reply.tval_usec = req.reply.tval_usec;
> > + /* drm_wait_vblank_ioctl modifies Request, update their values here as well. */
> > + req32.request.type = req.request.type;
> > + req32.request.sequence = req.request.sequence;
> > + req32.request.signal = req.request.signal;
>
> The added assignments are superfluous, since req32.reply and req32.request are members of the same union.
Noted.
>
>
> > if (copy_to_user(argp, &req32, sizeof(req32)))
> > return -EFAULT;
> >
> > - return 0;
> > + return err;
> > }
>
> The other changes look correct.
Thanks! updated v2:
https://patchwork.freedesktop.org/patch/449768/?series=93605&rev=2
>
>
> --
> Earthling Michel Dänzer | https://redhat.com
> Libre software enthusiast | Mesa and X developer
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH v2] drm: Copy drm_wait_vblank to user before returning
2021-08-11 17:55 [PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return Mark Yacoub
2021-08-12 9:26 ` Michel Dänzer
@ 2021-08-12 19:49 ` Mark Yacoub
2021-08-13 7:32 ` Michel Dänzer
1 sibling, 1 reply; 7+ messages in thread
From: Mark Yacoub @ 2021-08-12 19:49 UTC (permalink / raw)
To: dri-devel
Cc: seanpaul, abhinavk, robdclark, michel, airlied, Mark Yacoub, Mark Yacoub
From: Mark Yacoub <markyacoub@google.com>
[Why]
Userspace should get back a copy of drm_wait_vblank that's been modified
even when drm_wait_vblank_ioctl returns a failure.
Rationale:
drm_wait_vblank_ioctl modifies the request and expects the user to read
it back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
the sequence to become current_vblank_count + sequence (which was
RELATIVE), but now it became ABSOLUTE.
drmWaitVBlank (in libdrm) expects this to be the case as it modifies
the request to be Absolute so it expects the sequence to would have been
updated.
The change is in compat_drm_wait_vblank, which is called by
drm_compat_ioctl. This change of copying the data back regardless of the
return number makes it en par with drm_ioctl, which always copies the
data before returning.
[How]
Return from the function after everything has been copied to user.
Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
Tested on ChromeOS Trogdor(msm)
Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
Change-Id: I98da279a5f1329c66a9d1e06b88d40b247b51313
---
drivers/gpu/drm/drm_ioc32.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
index d29907955ff79..5d82891c32223 100644
--- a/drivers/gpu/drm/drm_ioc32.c
+++ b/drivers/gpu/drm/drm_ioc32.c
@@ -855,8 +855,6 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
req.request.sequence = req32.request.sequence;
req.request.signal = req32.request.signal;
err = drm_ioctl_kernel(file, drm_wait_vblank_ioctl, &req, DRM_UNLOCKED);
- if (err)
- return err;
req32.reply.type = req.reply.type;
req32.reply.sequence = req.reply.sequence;
@@ -865,7 +863,7 @@ static int compat_drm_wait_vblank(struct file *file, unsigned int cmd,
if (copy_to_user(argp, &req32, sizeof(req32)))
return -EFAULT;
- return 0;
+ return err;
}
#if defined(CONFIG_X86)
--
2.33.0.rc1.237.g0d66db33f3-goog
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v2] drm: Copy drm_wait_vblank to user before returning
2021-08-12 19:49 ` [PATCH v2] drm: Copy drm_wait_vblank to user before returning Mark Yacoub
@ 2021-08-13 7:32 ` Michel Dänzer
2021-08-13 15:48 ` Mark Yacoub
0 siblings, 1 reply; 7+ messages in thread
From: Michel Dänzer @ 2021-08-13 7:32 UTC (permalink / raw)
To: Mark Yacoub, dri-devel
Cc: seanpaul, abhinavk, robdclark, airlied, Mark Yacoub
On 2021-08-12 9:49 p.m., Mark Yacoub wrote:
> From: Mark Yacoub <markyacoub@google.com>
>
> [Why]
> Userspace should get back a copy of drm_wait_vblank that's been modified
> even when drm_wait_vblank_ioctl returns a failure.
>
> Rationale:
> drm_wait_vblank_ioctl modifies the request and expects the user to read
> it back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
> the sequence to become current_vblank_count + sequence (which was
> RELATIVE), but now it became ABSOLUTE.
> drmWaitVBlank (in libdrm) expects this to be the case as it modifies
> the request to be Absolute so it expects the sequence to would have been
> updated.
>
> The change is in compat_drm_wait_vblank, which is called by
> drm_compat_ioctl. This change of copying the data back regardless of the
> return number makes it en par with drm_ioctl, which always copies the
> data before returning.
>
> [How]
> Return from the function after everything has been copied to user.
>
> Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
> Tested on ChromeOS Trogdor(msm)
>
> Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
> Change-Id: I98da279a5f1329c66a9d1e06b88d40b247b51313
With the Gerrit Change-Id removed,
Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
--
Earthling Michel Dänzer | https://redhat.com
Libre software enthusiast | Mesa and X developer
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] drm: Copy drm_wait_vblank to user before returning
2021-08-13 7:32 ` Michel Dänzer
@ 2021-08-13 15:48 ` Mark Yacoub
2021-08-17 17:59 ` Sean Paul
0 siblings, 1 reply; 7+ messages in thread
From: Mark Yacoub @ 2021-08-13 15:48 UTC (permalink / raw)
To: Michel Dänzer
Cc: Maling list - DRI developers, Sean Paul, abhinavk, Rob Clark,
airlied, Mark Yacoub
Thanks for your review Michel!
@MAINTAINER, could you please strip the Change-Id when applying.
Thanks!
On Fri, Aug 13, 2021 at 3:33 AM Michel Dänzer <michel@daenzer.net> wrote:
>
> On 2021-08-12 9:49 p.m., Mark Yacoub wrote:
> > From: Mark Yacoub <markyacoub@google.com>
> >
> > [Why]
> > Userspace should get back a copy of drm_wait_vblank that's been modified
> > even when drm_wait_vblank_ioctl returns a failure.
> >
> > Rationale:
> > drm_wait_vblank_ioctl modifies the request and expects the user to read
> > it back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
> > the sequence to become current_vblank_count + sequence (which was
> > RELATIVE), but now it became ABSOLUTE.
> > drmWaitVBlank (in libdrm) expects this to be the case as it modifies
> > the request to be Absolute so it expects the sequence to would have been
> > updated.
> >
> > The change is in compat_drm_wait_vblank, which is called by
> > drm_compat_ioctl. This change of copying the data back regardless of the
> > return number makes it en par with drm_ioctl, which always copies the
> > data before returning.
> >
> > [How]
> > Return from the function after everything has been copied to user.
> >
> > Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
> > Tested on ChromeOS Trogdor(msm)
> >
> > Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
> > Change-Id: I98da279a5f1329c66a9d1e06b88d40b247b51313
>
> With the Gerrit Change-Id removed,
>
> Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
>
>
> --
> Earthling Michel Dänzer | https://redhat.com
> Libre software enthusiast | Mesa and X developer
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] drm: Copy drm_wait_vblank to user before returning
2021-08-13 15:48 ` Mark Yacoub
@ 2021-08-17 17:59 ` Sean Paul
0 siblings, 0 replies; 7+ messages in thread
From: Sean Paul @ 2021-08-17 17:59 UTC (permalink / raw)
To: Mark Yacoub
Cc: Michel Dänzer, Maling list - DRI developers, abhinavk,
Rob Clark, Dave Airlie, Mark Yacoub
On Fri, Aug 13, 2021 at 11:48 AM Mark Yacoub <markyacoub@chromium.org> wrote:
>
> Thanks for your review Michel!
> @MAINTAINER, could you please strip the Change-Id when applying.
> Thanks!
Applied to drm-misc-fixes with the Change-Id removed.
Thank you for your patch!
Sean
>
> On Fri, Aug 13, 2021 at 3:33 AM Michel Dänzer <michel@daenzer.net> wrote:
> >
> > On 2021-08-12 9:49 p.m., Mark Yacoub wrote:
> > > From: Mark Yacoub <markyacoub@google.com>
> > >
> > > [Why]
> > > Userspace should get back a copy of drm_wait_vblank that's been modified
> > > even when drm_wait_vblank_ioctl returns a failure.
> > >
> > > Rationale:
> > > drm_wait_vblank_ioctl modifies the request and expects the user to read
> > > it back. When the type is RELATIVE, it modifies it to ABSOLUTE and updates
> > > the sequence to become current_vblank_count + sequence (which was
> > > RELATIVE), but now it became ABSOLUTE.
> > > drmWaitVBlank (in libdrm) expects this to be the case as it modifies
> > > the request to be Absolute so it expects the sequence to would have been
> > > updated.
> > >
> > > The change is in compat_drm_wait_vblank, which is called by
> > > drm_compat_ioctl. This change of copying the data back regardless of the
> > > return number makes it en par with drm_ioctl, which always copies the
> > > data before returning.
> > >
> > > [How]
> > > Return from the function after everything has been copied to user.
> > >
> > > Fixes: IGT:kms_flip::modeset-vs-vblank-race-interruptible
> > > Tested on ChromeOS Trogdor(msm)
> > >
> > > Signed-off-by: Mark Yacoub <markyacoub@chromium.org>
> > > Change-Id: I98da279a5f1329c66a9d1e06b88d40b247b51313
> >
> > With the Gerrit Change-Id removed,
> >
> > Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
> >
> >
> > --
> > Earthling Michel Dänzer | https://redhat.com
> > Libre software enthusiast | Mesa and X developer
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-08-17 17:59 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-11 17:55 [PATCH] drm: Copy drm_wait_vblank request and copy_to_user before return Mark Yacoub
2021-08-12 9:26 ` Michel Dänzer
2021-08-12 19:51 ` Mark Yacoub
2021-08-12 19:49 ` [PATCH v2] drm: Copy drm_wait_vblank to user before returning Mark Yacoub
2021-08-13 7:32 ` Michel Dänzer
2021-08-13 15:48 ` Mark Yacoub
2021-08-17 17:59 ` Sean Paul
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).