drm: damage_helper: Fix race checking plane->state->fb

Message ID	20190904202938.110207-1-sean@poorly.run (mailing list archive)
State	New, archived
Headers	show Return-Path: <SRS0=vQWr=W7=lists.freedesktop.org=dri-devel-bounces@kernel.org> DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8E8B221726 From: Sean Paul <sean@poorly.run> To: dri-devel@lists.freedesktop.org Subject: [PATCH] drm: damage_helper: Fix race checking plane->state->fb Date: Wed, 4 Sep 2019 16:29:13 -0400 Message-Id: <20190904202938.110207-1-sean@poorly.run> MIME-Version: 1.0 X-Mailman-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=poorly.run; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=8GtbizlkMPrZXUURKhwXVzGIR9K6zwzCUzTAta15LT4=; b=LV1epChq+XeeoVIIhc5b8513dZ1Zaf5mhdGuMY6vqmzkhclsDa1eGolRtdkXM05Aor w27i24ss9e34HGiNmSXw9xlXVWFa7L7bS55caQXhF5SNwIW4bigdsPmUmi5ZszvwtQhp 2DclMTptrrcpuzJPkjqnWOLwZmyQ80dlQYlImQFvFGdAol6unqCvrwteSpvTrjOS84k9 HpVoUr+OnIUpIkpUvmMYDBTkxWCaxOirHuVTISnl26naDe9SPyYJDD7Rv1DhrdzErEQG pQc6wBcNy+/NokXcc6+ftNYqeoI1IKfdq6/V0nR5/l+IQHzvLx/dIPIc2rQfLl0kkppk 6HmQ== Precedence: list Cc: Thomas Hellstrom <thellstrom@vmware.com>, Maxime Ripard <maxime.ripard@bootlin.com>, Daniel Vetter <daniel.vetter@ffwll.ch>, stable@vger.kernel.org, David Airlie <airlied@linux.ie>, Sean Paul <seanpaul@chromium.org>, Deepak Rawat <drawat@vmware.com>, Sean Paul <sean@poorly.run> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	drm: damage_helper: Fix race checking plane->state->fb \| expand drm: damage_helper: Fix race checking plane->state->fb

Message ID

20190904202938.110207-1-sean@poorly.run (mailing list archive)

State

New, archived

Headers

DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8E8B221726
From: Sean Paul <sean@poorly.run>
To: dri-devel@lists.freedesktop.org
Subject: [PATCH] drm: damage_helper: Fix race checking plane->state->fb
Date: Wed,  4 Sep 2019 16:29:13 -0400
Message-Id: <20190904202938.110207-1-sean@poorly.run>
MIME-Version: 1.0
Precedence: list
Cc: Thomas Hellstrom <thellstrom@vmware.com>,
 Maxime Ripard <maxime.ripard@bootlin.com>,
 Daniel Vetter <daniel.vetter@ffwll.ch>, stable@vger.kernel.org,
 David Airlie <airlied@linux.ie>, Sean Paul <seanpaul@chromium.org>,
 Deepak Rawat <drawat@vmware.com>, Sean Paul <sean@poorly.run>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Series

drm: damage_helper: Fix race checking plane->state->fb | expand

Commit Message

Sean Paul Sept. 4, 2019, 8:29 p.m. UTC

From: Sean Paul <seanpaul@chromium.org>

Since the dirtyfb ioctl doesn't give us any hints as to which plane is
scanning out the fb it's marking as damaged, we need to loop through
planes to find it.

Currently we just reach into plane state and check, but that can race
with another commit changing the fb out from under us. This patch locks
the plane before checking the fb and will release the lock if the plane
is not displaying the dirty fb.

Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb")
Cc: Rob Clark <robdclark@gmail.com>
Cc: Deepak Rawat <drawat@vmware.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Thomas Hellstrom <thellstrom@vmware.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <maxime.ripard@bootlin.com>
Cc: Sean Paul <sean@poorly.run>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v5.0+
Reported-by: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
---
 drivers/gpu/drm/drm_damage_helper.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Daniel Vetter Sept. 5, 2019, 10:41 a.m. UTC | #1

On Wed, Sep 4, 2019 at 10:29 PM Sean Paul <sean@poorly.run> wrote:
>
> From: Sean Paul <seanpaul@chromium.org>
>
> Since the dirtyfb ioctl doesn't give us any hints as to which plane is
> scanning out the fb it's marking as damaged, we need to loop through
> planes to find it.
>
> Currently we just reach into plane state and check, but that can race
> with another commit changing the fb out from under us. This patch locks
> the plane before checking the fb and will release the lock if the plane
> is not displaying the dirty fb.
>
> Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb")
> Cc: Rob Clark <robdclark@gmail.com>
> Cc: Deepak Rawat <drawat@vmware.com>
> Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> Cc: Thomas Hellstrom <thellstrom@vmware.com>
> Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> Cc: Maxime Ripard <maxime.ripard@bootlin.com>
> Cc: Sean Paul <sean@poorly.run>
> Cc: David Airlie <airlied@linux.ie>
> Cc: Daniel Vetter <daniel@ffwll.ch>
> Cc: dri-devel@lists.freedesktop.org
> Cc: <stable@vger.kernel.org> # v5.0+
> Reported-by: Daniel Vetter <daniel@ffwll.ch>
> Signed-off-by: Sean Paul <seanpaul@chromium.org>
> ---
>  drivers/gpu/drm/drm_damage_helper.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
> index 8230dac01a89..3a4126dc2520 100644
> --- a/drivers/gpu/drm/drm_damage_helper.c
> +++ b/drivers/gpu/drm/drm_damage_helper.c
> @@ -212,8 +212,14 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
>         drm_for_each_plane(plane, fb->dev) {
>                 struct drm_plane_state *plane_state;
>
> -               if (plane->state->fb != fb)
> +               ret = drm_modeset_lock(&plane->mutex, state->acquire_ctx);
> +               if (ret)

I think for paranoid safety we should have a WARN_ON(ret == -EALREADY)
here. It should be impossible, but if it's not for some oddball
reason, we'll blow up.

With that: Reviewed-by: Daniel Vetter <daniel@ffwll.ch>

But please give this a spin with some workloads and the ww_mutex
slowpath debugging enabled, just to makre sure.
-Daniel

> +                       goto out;
> +
> +               if (plane->state->fb != fb) {
> +                       drm_modeset_unlock(&plane->mutex);
>                         continue;
> +               }
>
>                 plane_state = drm_atomic_get_plane_state(state, plane);
>                 if (IS_ERR(plane_state)) {
> --
> Sean Paul, Software Engineer, Google / Chromium OS
>

Sean Paul Sept. 19, 2019, 3:04 p.m. UTC | #2

On Thu, Sep 05, 2019 at 12:41:27PM +0200, Daniel Vetter wrote:
> On Wed, Sep 4, 2019 at 10:29 PM Sean Paul <sean@poorly.run> wrote:
> >
> > From: Sean Paul <seanpaul@chromium.org>
> >
> > Since the dirtyfb ioctl doesn't give us any hints as to which plane is
> > scanning out the fb it's marking as damaged, we need to loop through
> > planes to find it.
> >
> > Currently we just reach into plane state and check, but that can race
> > with another commit changing the fb out from under us. This patch locks
> > the plane before checking the fb and will release the lock if the plane
> > is not displaying the dirty fb.
> >
> > Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb")
> > Cc: Rob Clark <robdclark@gmail.com>
> > Cc: Deepak Rawat <drawat@vmware.com>
> > Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> > Cc: Thomas Hellstrom <thellstrom@vmware.com>
> > Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> > Cc: Maxime Ripard <maxime.ripard@bootlin.com>
> > Cc: Sean Paul <sean@poorly.run>
> > Cc: David Airlie <airlied@linux.ie>
> > Cc: Daniel Vetter <daniel@ffwll.ch>
> > Cc: dri-devel@lists.freedesktop.org
> > Cc: <stable@vger.kernel.org> # v5.0+
> > Reported-by: Daniel Vetter <daniel@ffwll.ch>
> > Signed-off-by: Sean Paul <seanpaul@chromium.org>
> > ---
> >  drivers/gpu/drm/drm_damage_helper.c | 8 +++++++-
> >  1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
> > index 8230dac01a89..3a4126dc2520 100644
> > --- a/drivers/gpu/drm/drm_damage_helper.c
> > +++ b/drivers/gpu/drm/drm_damage_helper.c
> > @@ -212,8 +212,14 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
> >         drm_for_each_plane(plane, fb->dev) {
> >                 struct drm_plane_state *plane_state;
> >
> > -               if (plane->state->fb != fb)
> > +               ret = drm_modeset_lock(&plane->mutex, state->acquire_ctx);
> > +               if (ret)
> 
> I think for paranoid safety we should have a WARN_ON(ret == -EALREADY)
> here. It should be impossible, but if it's not for some oddball
> reason, we'll blow up.

drm_modeset_lock eats EALREADY and returns 0 for that case, so I guess it
depends _how_ paranoid you want to be here :-)

> 
> With that: Reviewed-by: Daniel Vetter <daniel@ffwll.ch>
> 
> But please give this a spin with some workloads and the ww_mutex
> slowpath debugging enabled, just to makre sure.

Ok, had a chance to run through some tests this morning with
CONFIG_DEBUG_WW_MUTEX_SLOWPATH and things lgtm

Sean

> -Daniel
> 
> > +                       goto out;
> > +
> > +               if (plane->state->fb != fb) {
> > +                       drm_modeset_unlock(&plane->mutex);
> >                         continue;
> > +               }
> >
> >                 plane_state = drm_atomic_get_plane_state(state, plane);
> >                 if (IS_ERR(plane_state)) {
> > --
> > Sean Paul, Software Engineer, Google / Chromium OS
> >
> 
> 
> -- 
> Daniel Vetter
> Software Engineer, Intel Corporation
> +41 (0) 79 365 57 48 - http://blog.ffwll.ch

Daniel Vetter Oct. 8, 2019, 9:50 a.m. UTC | #3

On Thu, Sep 19, 2019 at 11:04:01AM -0400, Sean Paul wrote:
> On Thu, Sep 05, 2019 at 12:41:27PM +0200, Daniel Vetter wrote:
> > On Wed, Sep 4, 2019 at 10:29 PM Sean Paul <sean@poorly.run> wrote:
> > >
> > > From: Sean Paul <seanpaul@chromium.org>
> > >
> > > Since the dirtyfb ioctl doesn't give us any hints as to which plane is
> > > scanning out the fb it's marking as damaged, we need to loop through
> > > planes to find it.
> > >
> > > Currently we just reach into plane state and check, but that can race
> > > with another commit changing the fb out from under us. This patch locks
> > > the plane before checking the fb and will release the lock if the plane
> > > is not displaying the dirty fb.
> > >
> > > Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb")
> > > Cc: Rob Clark <robdclark@gmail.com>
> > > Cc: Deepak Rawat <drawat@vmware.com>
> > > Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> > > Cc: Thomas Hellstrom <thellstrom@vmware.com>
> > > Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> > > Cc: Maxime Ripard <maxime.ripard@bootlin.com>
> > > Cc: Sean Paul <sean@poorly.run>
> > > Cc: David Airlie <airlied@linux.ie>
> > > Cc: Daniel Vetter <daniel@ffwll.ch>
> > > Cc: dri-devel@lists.freedesktop.org
> > > Cc: <stable@vger.kernel.org> # v5.0+
> > > Reported-by: Daniel Vetter <daniel@ffwll.ch>
> > > Signed-off-by: Sean Paul <seanpaul@chromium.org>
> > > ---
> > >  drivers/gpu/drm/drm_damage_helper.c | 8 +++++++-
> > >  1 file changed, 7 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
> > > index 8230dac01a89..3a4126dc2520 100644
> > > --- a/drivers/gpu/drm/drm_damage_helper.c
> > > +++ b/drivers/gpu/drm/drm_damage_helper.c
> > > @@ -212,8 +212,14 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
> > >         drm_for_each_plane(plane, fb->dev) {
> > >                 struct drm_plane_state *plane_state;
> > >
> > > -               if (plane->state->fb != fb)
> > > +               ret = drm_modeset_lock(&plane->mutex, state->acquire_ctx);
> > > +               if (ret)
> > 
> > I think for paranoid safety we should have a WARN_ON(ret == -EALREADY)
> > here. It should be impossible, but if it's not for some oddball
> > reason, we'll blow up.
> 
> drm_modeset_lock eats EALREADY and returns 0 for that case, so I guess it
> depends _how_ paranoid you want to be here :-)

Ah silly me, r-b as-is then.
-Daniel

> 
> > 
> > With that: Reviewed-by: Daniel Vetter <daniel@ffwll.ch>
> > 
> > But please give this a spin with some workloads and the ww_mutex
> > slowpath debugging enabled, just to makre sure.
> 
> Ok, had a chance to run through some tests this morning with
> CONFIG_DEBUG_WW_MUTEX_SLOWPATH and things lgtm
> 
> Sean
> 
> > -Daniel
> > 
> > > +                       goto out;
> > > +
> > > +               if (plane->state->fb != fb) {
> > > +                       drm_modeset_unlock(&plane->mutex);
> > >                         continue;
> > > +               }
> > >
> > >                 plane_state = drm_atomic_get_plane_state(state, plane);
> > >                 if (IS_ERR(plane_state)) {
> > > --
> > > Sean Paul, Software Engineer, Google / Chromium OS
> > >
> > 
> > 
> > -- 
> > Daniel Vetter
> > Software Engineer, Intel Corporation
> > +41 (0) 79 365 57 48 - http://blog.ffwll.ch
> 
> -- 
> Sean Paul, Software Engineer, Google / Chromium OS

Sean Paul Oct. 8, 2019, 2 p.m. UTC | #4

On Tue, Oct 08, 2019 at 11:50:33AM +0200, Daniel Vetter wrote:
> On Thu, Sep 19, 2019 at 11:04:01AM -0400, Sean Paul wrote:
> > On Thu, Sep 05, 2019 at 12:41:27PM +0200, Daniel Vetter wrote:
> > > On Wed, Sep 4, 2019 at 10:29 PM Sean Paul <sean@poorly.run> wrote:
> > > >
> > > > From: Sean Paul <seanpaul@chromium.org>
> > > >
> > > > Since the dirtyfb ioctl doesn't give us any hints as to which plane is
> > > > scanning out the fb it's marking as damaged, we need to loop through
> > > > planes to find it.
> > > >
> > > > Currently we just reach into plane state and check, but that can race
> > > > with another commit changing the fb out from under us. This patch locks
> > > > the plane before checking the fb and will release the lock if the plane
> > > > is not displaying the dirty fb.
> > > >
> > > > Fixes: b9fc5e01d1ce ("drm: Add helper to implement legacy dirtyfb")
> > > > Cc: Rob Clark <robdclark@gmail.com>
> > > > Cc: Deepak Rawat <drawat@vmware.com>
> > > > Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
> > > > Cc: Thomas Hellstrom <thellstrom@vmware.com>
> > > > Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
> > > > Cc: Maxime Ripard <maxime.ripard@bootlin.com>
> > > > Cc: Sean Paul <sean@poorly.run>
> > > > Cc: David Airlie <airlied@linux.ie>
> > > > Cc: Daniel Vetter <daniel@ffwll.ch>
> > > > Cc: dri-devel@lists.freedesktop.org
> > > > Cc: <stable@vger.kernel.org> # v5.0+
> > > > Reported-by: Daniel Vetter <daniel@ffwll.ch>
> > > > Signed-off-by: Sean Paul <seanpaul@chromium.org>
> > > > ---
> > > >  drivers/gpu/drm/drm_damage_helper.c | 8 +++++++-
> > > >  1 file changed, 7 insertions(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
> > > > index 8230dac01a89..3a4126dc2520 100644
> > > > --- a/drivers/gpu/drm/drm_damage_helper.c
> > > > +++ b/drivers/gpu/drm/drm_damage_helper.c
> > > > @@ -212,8 +212,14 @@ int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
> > > >         drm_for_each_plane(plane, fb->dev) {
> > > >                 struct drm_plane_state *plane_state;
> > > >
> > > > -               if (plane->state->fb != fb)
> > > > +               ret = drm_modeset_lock(&plane->mutex, state->acquire_ctx);
> > > > +               if (ret)
> > > 
> > > I think for paranoid safety we should have a WARN_ON(ret == -EALREADY)
> > > here. It should be impossible, but if it's not for some oddball
> > > reason, we'll blow up.
> > 
> > drm_modeset_lock eats EALREADY and returns 0 for that case, so I guess it
> > depends _how_ paranoid you want to be here :-)
> 
> Ah silly me, r-b as-is then.

Thanks, pushed to -misc-next

Sean

> -Daniel
> 
> > 
> > > 
> > > With that: Reviewed-by: Daniel Vetter <daniel@ffwll.ch>
> > > 
> > > But please give this a spin with some workloads and the ww_mutex
> > > slowpath debugging enabled, just to makre sure.
> > 
> > Ok, had a chance to run through some tests this morning with
> > CONFIG_DEBUG_WW_MUTEX_SLOWPATH and things lgtm
> > 
> > Sean
> > 
> > > -Daniel
> > > 
> > > > +                       goto out;
> > > > +
> > > > +               if (plane->state->fb != fb) {
> > > > +                       drm_modeset_unlock(&plane->mutex);
> > > >                         continue;
> > > > +               }
> > > >
> > > >                 plane_state = drm_atomic_get_plane_state(state, plane);
> > > >                 if (IS_ERR(plane_state)) {
> > > > --
> > > > Sean Paul, Software Engineer, Google / Chromium OS
> > > >
> > > 
> > > 
> > > -- 
> > > Daniel Vetter
> > > Software Engineer, Intel Corporation
> > > +41 (0) 79 365 57 48 - http://blog.ffwll.ch
> > 
> > -- 
> > Sean Paul, Software Engineer, Google / Chromium OS
> 
> -- 
> Daniel Vetter
> Software Engineer, Intel Corporation
> http://blog.ffwll.ch

diff --git a/drivers/gpu/drm/drm_damage_helper.c b/drivers/gpu/drm/drm_damage_helper.c
index 8230dac01a89..3a4126dc2520 100644
--- a/drivers/gpu/drm/drm_damage_helper.c
+++ b/drivers/gpu/drm/drm_damage_helper.c
@@ -212,8 +212,14 @@  int drm_atomic_helper_dirtyfb(struct drm_framebuffer *fb,
 	drm_for_each_plane(plane, fb->dev) {
 		struct drm_plane_state *plane_state;
 
-		if (plane->state->fb != fb)
+		ret = drm_modeset_lock(&plane->mutex, state->acquire_ctx);
+		if (ret)
+			goto out;
+
+		if (plane->state->fb != fb) {
+			drm_modeset_unlock(&plane->mutex);
 			continue;
+		}
 
 		plane_state = drm_atomic_get_plane_state(state, plane);
 		if (IS_ERR(plane_state)) {

drm: damage_helper: Fix race checking plane->state->fb

Commit Message

Comments

Patch