From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ville =?iso-8859-1?Q?Syrj=E4l=E4?= Subject: Re: [PATCH] drm: Don't assign fbs for universal cursor support to files Date: Fri, 27 Feb 2015 09:52:59 +0200 Message-ID: <20150227075259.GH11371@intel.com> References: <1424871926-4640-1-git-send-email-chris@chris-wilson.co.uk> <20150227025019.GA18829@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Return-path: Content-Disposition: inline In-Reply-To: <20150227025019.GA18829@intel.com> Sender: stable-owner@vger.kernel.org To: Matt Roper Cc: Chris Wilson , dri-devel@lists.freedesktop.org, Daniel Vetter , Rob Clark , Dave Airlie , stable@vger.kernel.org List-Id: dri-devel@lists.freedesktop.org On Thu, Feb 26, 2015 at 06:50:19PM -0800, Matt Roper wrote: > On Wed, Feb 25, 2015 at 01:45:26PM +0000, Chris Wilson wrote: > > The internal framebuffers we create to remap legacy cursor ioctls t= o > > plane operations for the universal plane support shouldn't be linke= to > > the file like normal userspace framebuffers. This bug goes back to = the > > original universal cursor plane support introduced in > >=20 > > commit 161d0dc1dccb17ff7a38f462c7c0d4ef8bcc5662 > > Author: Matt Roper > > Date: Tue Jun 10 08:28:10 2014 -0700 > >=20 > > drm: Support legacy cursor ioctls via universal planes when pos= sible (v4) > >=20 > > The isn't too disastrous since fbs are small, we only create one wh= en the > > cursor bo gets changed and ultimately they'll be reaped when the wi= ndow > > server restarts. > >=20 > > Conceptually we'd want to just pass NULL for file_priv when creatin= g it, > > but the driver needs the file to lookup the underlying buffer objec= t for > > cursor id. Instead let's move the file_priv linking out of > > add_framebuffer_internal() into the addfb ioctl implementation, whi= ch is > > the only place it is needed. And also rename the function for a mor= e > > accurate since it only creates the fb, but doesn't add it anywhere. > >=20 > > Signed-off-by: Daniel Vetter (fix & commi= t msg) > > Signed-off-by: Chris Wilson (provider of= lipstick) > > Cc: Ville Syrj=E4l=E4 > > Cc: Matt Roper > > Cc: Rob Clark > > Cc: Dave Airlie > > Cc: stable@vger.kernel.org > > --- > > drivers/gpu/drm/drm_crtc.c | 35 +++++++++++++++++++---------------= - > > 1 file changed, 19 insertions(+), 16 deletions(-) > >=20 > > diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.= c > > index 927f3445ff38..4c78d12c5418 100644 > > --- a/drivers/gpu/drm/drm_crtc.c > > +++ b/drivers/gpu/drm/drm_crtc.c > > @@ -43,9 +43,10 @@ > > #include "drm_crtc_internal.h" > > #include "drm_internal.h" > > =20 > > -static struct drm_framebuffer *add_framebuffer_internal(struct drm= _device *dev, > > - struct drm_mode_fb_cmd2 *r, > > - struct drm_file *file_priv); > > +static struct drm_framebuffer * > > +internal_framebuffer_create(struct drm_device *dev, > > + struct drm_mode_fb_cmd2 *r, > > + struct drm_file *file_priv); > > =20 > > /* Avoid boilerplate. I'm tired of typing. */ > > #define DRM_ENUM_NAME_FN(fnname, list) \ > > @@ -2919,13 +2920,11 @@ static int drm_mode_cursor_universal(struct= drm_crtc *crtc, > > */ > > if (req->flags & DRM_MODE_CURSOR_BO) { > > if (req->handle) { > > - fb =3D add_framebuffer_internal(dev, &fbreq, file_priv); > > + fb =3D internal_framebuffer_create(dev, &fbreq, file_priv); > > if (IS_ERR(fb)) { > > DRM_DEBUG_KMS("failed to wrap cursor buffer in drm framebuffer= \n"); > > return PTR_ERR(fb); > > } > > - > > - drm_framebuffer_reference(fb); >=20 > Sorry for the delay reviewing this. I'll provide an i-g-t test that > checks for these memory leaks shortly. >=20 > If I'm not mistaken, this patch will work properly for normal operati= on, > but I think we might run into problems if your display server gets > killed while a wrapped cursor is onscreen and we need to restore the > fbdev mode. =20 >=20 > >From what I can see, we'll wind up in drm_plane_force_disable() whic= h > does: >=20 > plane->old_fb =3D plane->fb; > ret =3D plane->funcs->disable_plane(plane); > if (ret) { > DRM_ERROR("failed to disable plane with busy fb\n"); > plane->old_fb =3D NULL; > return; > } > /* disconnect the plane from the fb and crtc: */ > __drm_framebuffer_unreference(plane->old_fb); >=20 > Note the internal __drm_framebuffer_unreference() here rather than a > traditional drm_framebuffer_unreference(). The internal version is o= nly > supposed to be used when we know we're not releasing the last referen= ce > and BUG()'s out if we actually take the reference count down to zero > (which is exactly what we do in this case). >=20 > I guess we need to just do away with __drm_framebuffer_unreference() = now since > its only call-site is no longer guaranteed to be working on framebuff= ers that > still have a remaining reference. Since the fb is no longer on the file_priv->fbs list drm_plane_force_di= sable() shouldn't actually get called. But that does mean that when a master is killed (or just closes the fd without turning off the cursor first) it leaves the internal cursor fb behind, and the next guy to come along can then see it. That won't happen to any other fb since everything els= e is on the fbs list. I was arguing on irc to Daniel that we should track these internal fbs separately then for each fd to make sure they get cleaned up like every= thing else. Daniel had the notion that we should just remove the force disable on release for everything. But that may have some security implications as a master can't really control when it gets killed and s= o it might end up leaking something a bit sensitive in whatever buffers were getting scanned out at the time. Daniel had the idea that there should be some kind of nanny logind doing such cleanup on behalf of everyone that gets killed, but that seems overly complicated to me. Also force disabling everything has been there since forever so simply changing it seems a bit questionable. Anyway, my feeling is we shouldn't really expose anything to outside parties unless the process has explicitly indicated that it's OK. --=20 Ville Syrj=E4l=E4 Intel OTC