On Thu, Mar 31, 2022 at 05:14:29PM +0200, Daniel Vetter wrote:
On Thu, Mar 31, 2022 at 04:25:13PM +0300, Ville Syrjälä wrote:
On Thu, Mar 31, 2022 at 03:05:45PM +0200, Maxime Ripard wrote:
From: Daniel Vetter daniel.vetter@ffwll.ch
The stuff never really worked, and leads to lots of fun because it out-of-order frees atomic states. Which upsets KASAN, among other things.
For async updates we now have a more solid solution with the ->atomic_async_check and ->atomic_async_commit hooks. Support for that for msm and vc4 landed. nouveau and i915 have their own commit routines, doing something similar.
For everyone else it's probably better to remove the use-after-free bug, and encourage folks to use the async support instead. The affected drivers which register a legacy cursor plane and don't either use the new async stuff or their own commit routine are: amdgpu, atmel, mediatek, qxl, rockchip, sti, sun4i, tegra, virtio, and vmwgfx.
Inspired by an amdgpu bug report.
v2: Drop RFC, I think with amdgpu converted over to use atomic_async_check/commit done in
commit 674e78acae0dfb4beb56132e41cbae5b60f7d662 Author: Nicholas Kazlauskas nicholas.kazlauskas@amd.com Date: Wed Dec 5 14:59:07 2018 -0500
drm/amd/display: Add fast path for cursor plane updateswe don't have any driver anymore where we have userspace expecting solid legacy cursor support _and_ they are using the atomic helpers in their fully glory. So we can retire this.
v3: Paper over msm and i915 regression. The complete_all is the only thing missing afaict.
v4: Rebased on recent kernel, added extra link for vc4 bug.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=199425 Link: https://lore.kernel.org/all/20220221134155.125447-9-maxime@cerno.tech/ Cc: mikita.lipski@amd.com Cc: Michel Dänzer michel@daenzer.net Cc: harry.wentland@amd.com Cc: Rob Clark robdclark@gmail.com Cc: "Kazlauskas, Nicholas" nicholas.kazlauskas@amd.com Tested-by: Maxime Ripard maxime@cerno.tech Signed-off-by: Daniel Vetter daniel.vetter@intel.com Signed-off-by: Maxime Ripard maxime@cerno.tech
drivers/gpu/drm/drm_atomic_helper.c | 13 ------------- drivers/gpu/drm/i915/display/intel_display.c | 13 +++++++++++++ drivers/gpu/drm/msm/msm_atomic.c | 2 ++ 3 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c index 9603193d2fa1..a2899af82b4a 100644 --- a/drivers/gpu/drm/drm_atomic_helper.c +++ b/drivers/gpu/drm/drm_atomic_helper.c @@ -1498,13 +1498,6 @@ drm_atomic_helper_wait_for_vblanks(struct drm_device *dev, int i, ret; unsigned int crtc_mask = 0;
/** Legacy cursor ioctls are completely unsynced, and userspace* relies on that (by doing tons of cursor updates).*/- if (old_state->legacy_cursor_update)
return;- for_each_oldnew_crtc_in_state(old_state, crtc, old_crtc_state, new_crtc_state, i) { if (!new_crtc_state->active) continue;
@@ -2135,12 +2128,6 @@ int drm_atomic_helper_setup_commit(struct drm_atomic_state *state, continue; }
/* Legacy cursor updates are fully unsynced. */if (state->legacy_cursor_update) {complete_all(&commit->flip_done);continue;}- if (!new_crtc_state->event) { commit->event = kzalloc(sizeof(*commit->event), GFP_KERNEL);
diff --git a/drivers/gpu/drm/i915/display/intel_display.c b/drivers/gpu/drm/i915/display/intel_display.c index bf7ce684dd8e..bde32f5a33cb 100644 --- a/drivers/gpu/drm/i915/display/intel_display.c +++ b/drivers/gpu/drm/i915/display/intel_display.c @@ -8855,6 +8855,19 @@ static int intel_atomic_commit(struct drm_device *dev, state->base.legacy_cursor_update = false; }
- /*
* FIXME: Cut over to (async) commit helpers instead of hand-rolling* everything.*/Intel cursors can't even do async updates so this is rather nonsensical. What we need is some kind of reasonable mailbox support.
This is not the async plane update you're thinking of. i915 really should switch over more to atomic helpers.
The comment should be clarified then. As is I have no real idea what it's trying to say.