From: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
To: Daniel Vetter <daniel@ffwll.ch>
Cc: intel-gfx <intel-gfx@lists.freedesktop.org>,
dri-devel <dri-devel@lists.freedesktop.org>
Subject: Re: [PATCH 1/2] drm/core: Preserve the framebuffer after removing it.
Date: Thu, 10 Sep 2015 11:15:48 +0100
Message-ID: <55F15854.2090307@linux.intel.com>
In-Reply-To: <20150910095602.GX2767@phenom.ffwll.local>

On 09/10/2015 10:56 AM, Daniel Vetter wrote:
> On Thu, Sep 10, 2015 at 10:07:41AM +0100, Tvrtko Ursulin wrote:
>>
>> On 09/09/2015 08:06 PM, Daniel Vetter wrote:
>>> On Wed, Sep 9, 2015 at 6:36 PM, Tvrtko Ursulin
>>> <tvrtko.ursulin@linux.intel.com> wrote:
>>>> I am not even going that far, just talking about last frame stuck on screen.
>>>> For me making that easier is a regression.
>>>
>>> So let's look at various systems:
>>> - super-modern fbdev-less system: logind keeps a dup of every
>>> master-capable drm fd. Compositor crashing won't ever result in
>>> close() getting called since logind still has its copy. Cleanup needs
>>> to be done manually anyway with the system compositor.
>>> - Current systems: Compositor restarts and cleans up the mess we left behind.
>>
>> What if the compositor doesn't restart? Or logind crashes in the former
>> case?
>>
>> Maybe I don't understand something, but I don't see how it is not quite bad
>> to expect userspace to clean up the kernel structures after the previous
>> userspace client.
>
> That's not different from the compositor just freezing instead of
> crashing: Screen contents stay on and nothing happens. Imo this really is
> all just broken userspace, and the kernel can't make sure userspace
> doesn't randomly fall over.
>
> What we need to make sure is that assuming things work ok-ish there's no
> observed regression. And I still think that's the case here.

I would disagree on the "no regressions when things work okay-ish"
principle; there should be no regressions in the pessimistic scenario
when security is concerned.

If we can agree the stuck frame on screen is not desirable from the
security point of view, then this change does enlarge the attack surface.
Because, apart from freezing the compositor, it now also works to crash
it and prevent restart. Maybe it is far-fetched, but as I said,
attackers have much better imagination with these things.

So for me changes like this one shouldn't be pushed in easily.

>> What happens if something keeps crashing leaving framebuffers around?
>
> Only the active ones would be kept around, we still clean up everything
> else. So the leak is very limited from a memory pov.
>
>> If the only reason is to avoid modeset, why SETPLANE with NULL fb to disable
>> planes associated with framebuffers to be released wouldn't work?
>
> Because in general drivers don't support that - primary plane helpers
> can't do that and for many drivers that's the only thing we have.

Could that be extended so that primary plane helpers would try to
disable planes for which framebuffers need to be removed?

Then drivers who can't disable planes keep doing a modeset and the ones
that can just disable planes and correctly clean up framebuffers?

Regards,

Tvrtko