From: Daniel Vetter <daniel@ffwll.ch>
To: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Cc: intel-gfx@lists.freedesktop.org, dri-devel@lists.freedesktop.org
Subject: Re: [Intel-gfx] [PATCH 1/2] drm/core: Preserve the framebuffer after removing it.
Date: Wed, 9 Sep 2015 17:56:15 +0200 [thread overview]
Message-ID: <20150909155615.GU2767@phenom.ffwll.local> (raw)
In-Reply-To: <55F0547C.10204@linux.intel.com>
On Wed, Sep 09, 2015 at 04:47:08PM +0100, Tvrtko Ursulin wrote:
>
> On 09/09/2015 04:29 PM, Daniel Vetter wrote:
> >On Wed, Sep 09, 2015 at 04:18:02PM +0100, Tvrtko Ursulin wrote:
> >>
> >>On 09/09/2015 04:04 PM, Daniel Vetter wrote:
> >>>On Wed, Sep 09, 2015 at 03:51:50PM +0100, Tvrtko Ursulin wrote:
> >>>>
> >>>>Hi,
> >>>>
> >>>>On 09/09/2015 03:40 PM, Maarten Lankhorst wrote:
> >>>>>Previously RMFB and fd close chose to disable any plane that had
> >>>>>an active framebuffer from this file. If it was a primary plane the
> >>>>>crtc was disabled. However the fbdev code or any system compositor
> >>>>>should restore the planes anyway so there's no need to do it twice.
> >>>>>
> >>>>>The old fb_id is zero'd, so there's no danger of being able to
> >>>>>restore the fb from fb_id.
> >>>>
> >>>>What does this mean, say if the compositor dies last frame will remain on
> >>>>the screen?
> >>>
> >>>Yes, and the commit message should mention that. It should also mention
> >>>that other applications can't get at the data since we clear fb id still,
> >>>so no information leak there.
> >>
> >>Perhaps I replied to the wrong patch from the series.
> >>
> >>Why is all this needed anyway? It sound pretty undesirable from the security
> >>point of view to me. If it is exploitable to leave something sensitive on
> >>screen that's not good.
> >
> >fd close is a super-painful context to do a full-blown modeset. It's
> >userspace but we can't restart anything because no one ever checks the
> >return value of close(). We could fix it by pushing this to a work item,
> >but given that the rule itself seems dubious it's easier to adjust the abi
> >imo. Framebuffers are somewhat global, so not deleting them makes imo
> >sense.
> >
> >The big change is patch 2, which will make them survive for real.
>
> I don't follow this closely but it still sounds wrong. If modeset is a
> concern then disable the planes and/or clear them?
This is generic core code, you can't disable/clear planes in a generic way
without doing a full modeset.
> It really doesn't feel preservation of fb content is a good thing to do. If
> the higher goal is to enable some smooth transitions clients should engineer
> that themselves.
>
> In any case leaving content on screen sounds really bad to me.
>
> Reminds me of screen locker bugs which sometimes did not clear the screen
> when displaying the unlock dialog. That was pretty common for a long period
> in KDE. And this sounds like it could be attackable in a similar way.
Afaik that's just userspace coordination fail - system deamons go into
suspend without telling and waiting for the screenlocker to lock the
screen. Hilarious, but not really something we can fix in the kernel.
-Daniel
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch
_______________________________________________
dri-devel mailing list
dri-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/dri-devel
next prev parent reply other threads:[~2015-09-09 15:56 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-09 14:40 [PATCH 0/2] Preserve framebuffer during rmfb / drm fd close Maarten Lankhorst
2015-09-09 14:40 ` [PATCH 1/2] drm/core: Preserve the framebuffer after removing it Maarten Lankhorst
2015-09-09 14:51 ` Tvrtko Ursulin
2015-09-09 15:04 ` [Intel-gfx] " Daniel Vetter
2015-09-09 15:18 ` Tvrtko Ursulin
2015-09-09 15:29 ` [Intel-gfx] " Daniel Vetter
2015-09-09 15:47 ` Tvrtko Ursulin
2015-09-09 15:56 ` Daniel Vetter [this message]
2015-09-09 16:03 ` Tvrtko Ursulin
2015-09-09 16:07 ` Daniel Vetter
2015-09-09 16:15 ` Tvrtko Ursulin
2015-09-09 16:26 ` Maarten Lankhorst
2015-09-09 16:36 ` Tvrtko Ursulin
2015-09-09 19:06 ` [Intel-gfx] " Daniel Vetter
2015-09-10 9:07 ` Tvrtko Ursulin
2015-09-10 9:56 ` Daniel Vetter
2015-09-10 10:15 ` Tvrtko Ursulin
2015-09-22 14:53 ` David Herrmann
2015-09-22 15:21 ` Tvrtko Ursulin
2015-10-01 16:04 ` [Intel-gfx] " Vincent ABRIOU
2015-09-09 15:02 ` Daniel Vetter
2015-09-22 14:43 ` David Herrmann
2015-09-09 14:40 ` [PATCH 2/2] drm/core: Preserve the fb id on close Maarten Lankhorst
2015-09-22 14:55 ` David Herrmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150909155615.GU2767@phenom.ffwll.local \
--to=daniel@ffwll.ch \
--cc=dri-devel@lists.freedesktop.org \
--cc=intel-gfx@lists.freedesktop.org \
--cc=tvrtko.ursulin@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox