From: "Ville Syrjälä" <ville.syrjala@linux.intel.com>
To: Chris Wilson <chris@chris-wilson.co.uk>
Cc: intel-gfx@lists.freedesktop.org
Subject: Re: [Intel-gfx] [PATCH] drm/i915/gt: Validation rotated vma bounds are within the object
Date: Thu, 9 Jan 2020 21:01:28 +0200 [thread overview]
Message-ID: <20200109190127.GH13686@intel.com> (raw)
In-Reply-To: <20200109183709.GG13686@intel.com>
On Thu, Jan 09, 2020 at 08:37:09PM +0200, Ville Syrjälä wrote:
> On Thu, Jan 09, 2020 at 04:52:41PM +0200, Ville Syrjälä wrote:
> > On Thu, Jan 09, 2020 at 02:11:52PM +0000, Chris Wilson wrote:
> > > Quite understandably, we bug out when asked to find a page that doesn't
> > > belong to the object. However, we should report the error back to the
> > > user long before we attempt the out-of-bound access! In this case, it is
> > > insufficient validation on the rotated vma, with the simplest/cheapest
> > > point for us to insert a bound check when we are computing the rotated
> > > page lookups.
> > >
> > > Similarly, it might be wise to see if we can validate the user input
> > > upon creating the rotated framebuffer.
> >
> > We do. Did someone break it?
>
> One theory on how this could happens is that we are using a stale gtt
> view here. But AFAICS the only way that could happen is that we take
> a shortcut out from the plane check somewhere before populating
> plane_state->gtt_view afresh, after using a rotated fb previously so
> that plane_state->gtt_view has been populated with a rotated view.
>
> The first such path I see is:
> intel_plane_atomic_check_with_state()
> {
> ...
> if (!new_plane_state->hw.crtc && !old_plane_state->hw.crtc)
> return 0;
>
> but that should also imply new_plane_state->hw.fb==NULL and so we
> should not end up pinning the fb.
>
> The second path is:
> intel_plane_compute_gtt()
> {
> const struct intel_framebuffer *fb =
> to_intel_framebuffer(plane_state->hw.fb);
>
> if (!fb)
> return 0;
>
> and so we won't have a new fb there either and so shouldn't try
> to pin it.
>
> So can't see how that could happen from these normal paths. Which
> leads me to wonder if this might have something to do with nv12
> slave planes...
That may well be it. Looks like we may not end up calling
intel_plane_copy_uapi_to_hw_state() for old slave planes at all,
thus leaving a stale plane_state->hw.fb pointer behind.
--
Ville Syrjälä
Intel
_______________________________________________
Intel-gfx mailing list
Intel-gfx@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/intel-gfx
next prev parent reply other threads:[~2020-01-09 19:01 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-09 14:11 [Intel-gfx] [PATCH] drm/i915/gt: Validation rotated vma bounds are within the object Chris Wilson
2020-01-09 14:52 ` Ville Syrjälä
2020-01-09 18:37 ` Ville Syrjälä
2020-01-09 19:01 ` Ville Syrjälä [this message]
2020-01-09 23:28 ` [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for " Patchwork
2020-01-09 23:53 ` [Intel-gfx] ✗ Fi.CI.BAT: failure " Patchwork
2020-01-10 15:53 ` [Intel-gfx] [PATCH v2] drm/i915/gt: Validate " Chris Wilson
2020-01-10 15:57 ` Chris Wilson
2020-01-10 20:21 ` [Intel-gfx] ✗ Fi.CI.CHECKPATCH: warning for drm/i915/gt: Validation rotated vma bounds are within the object (rev2) Patchwork
2020-01-10 20:51 ` [Intel-gfx] ✓ Fi.CI.BAT: success " Patchwork
2020-01-14 14:41 ` [Intel-gfx] ✓ Fi.CI.IGT: " Patchwork
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200109190127.GH13686@intel.com \
--to=ville.syrjala@linux.intel.com \
--cc=chris@chris-wilson.co.uk \
--cc=intel-gfx@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox