Hi Gustavo,
On Thu, Oct 20, 2016 at 06:30:17PM -0200, Gustavo Padovan wrote:
>Hi Brian,
>
>2016-10-20 Brian Starkey <brian.starkey at arm.com>:
>
>> Hi Gustavo,
>>
>> I notice your branch has the sync_file refcount change in, but this
>> doesn't seem to take account for that. Will you be dropping that
>> change to match the semantics of fence_array?
>
>I will drop the fence_get() in the out-fence patch because we already
>hold the ref when we create the fence. The sync_file refcount patch will
>remain.
>
OK, I'll work on that basis, thanks.
>>
>> Couple more comments below.
>>
>> On Thu, Oct 20, 2016 at 12:50:05PM -0200, Gustavo Padovan wrote:
>> > From: Gustavo Padovan <gustavo.padovan at collabora.co.uk>
>> >
>> > Support DRM out-fences by creating a sync_file with a fence for each CRTC
>> > that sets the OUT_FENCE_PTR property.
>> >
>> > We use the out_fence pointer received in the OUT_FENCE_PTR prop to send
>> > the sync_file fd back to userspace.
>> >
>> > The sync_file and fd are allocated/created before commit, but the
>> > fd_install operation only happens after we know that commit succeed.
>> >
>> > In case of error userspace should receive a fd number of -1.
>> >
>> > v2: Comment by Rob Clark:
>> > - Squash commit that adds DRM_MODE_ATOMIC_OUT_FENCE flag here.
>> >
>> > Comment by Daniel Vetter:
>> > - Add clean up code for out_fences
>> >
>> > v3: Comments by Daniel Vetter:
>> > - create DRM_MODE_ATOMIC_EVENT_MASK
>> > - userspace should fill out_fences_ptr with the crtc_ids for which
>> > it wants fences back.
>> >
>> > v4: Create OUT_FENCE_PTR properties and remove old approach.
>> >
>> > Signed-off-by: Gustavo Padovan <gustavo.padovan at collabora.co.uk>
>> > ---
>> > drivers/gpu/drm/drm_atomic.c | 116
>> > ++++++++++++++++++++++++++++++++++---------
>> > drivers/gpu/drm/drm_crtc.c | 8 +++
>> > include/drm/drm_crtc.h | 19 +++++++
>> > 3 files changed, 119 insertions(+), 24 deletions(-)
>> >
>> > diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c
>> > index b3284b2..07775fc 100644
>> > --- a/drivers/gpu/drm/drm_atomic.c
>> > +++ b/drivers/gpu/drm/drm_atomic.c
>> > @@ -490,6 +490,8 @@ int drm_atomic_crtc_set_property(struct drm_crtc *crtc,
>> > &replaced);
>> > state->color_mgmt_changed |= replaced;
>> > return ret;
>> > + } else if (property == config->prop_out_fence_ptr) {
>> > + state->out_fence_ptr = u64_to_user_ptr(val);
>> > } else if (crtc->funcs->atomic_set_property)
>> > return crtc->funcs->atomic_set_property(crtc, state, property,
>> > val);
>> > else
>> > @@ -532,6 +534,8 @@ drm_atomic_crtc_get_property(struct drm_crtc *crtc,
>> > *val = (state->ctm) ? state->ctm->base.id : 0;
>> > else if (property == config->gamma_lut_property)
>> > *val = (state->gamma_lut) ? state->gamma_lut->base.id : 0;
>> > + else if (property == config->prop_out_fence_ptr)
>> > + *val = 0;
>> > else if (crtc->funcs->atomic_get_property)
>> > return crtc->funcs->atomic_get_property(crtc, state, property,
>> > val);
>> > else
>> > @@ -1474,11 +1478,9 @@ EXPORT_SYMBOL(drm_atomic_nonblocking_commit);
>> > */
>> >
>> > static struct drm_pending_vblank_event *create_vblank_event(
>> > - struct drm_device *dev, struct drm_file *file_priv,
>> > - struct fence *fence, uint64_t user_data)
>> > + struct drm_device *dev, uint64_t user_data)
>> > {
>> > struct drm_pending_vblank_event *e = NULL;
>> > - int ret;
>> >
>> > e = kzalloc(sizeof *e, GFP_KERNEL);
>> > if (!e)
>> > @@ -1488,17 +1490,6 @@ static struct drm_pending_vblank_event
>> > *create_vblank_event(
>> > e->event.base.length = sizeof(e->event);
>> > e->event.user_data = user_data;
>> >
>> > - if (file_priv) {
>> > - ret = drm_event_reserve_init(dev, file_priv, &e->base,
>> > - &e->event.base);
>> > - if (ret) {
>> > - kfree(e);
>> > - return NULL;
>> > - }
>> > - }
>> > -
>> > - e->base.fence = fence;
>> > -
>> > return e;
>> > }
>> >
>> > @@ -1603,6 +1594,40 @@ void drm_atomic_clean_old_fb(struct drm_device *dev,
>> > }
>> > EXPORT_SYMBOL(drm_atomic_clean_old_fb);
>> >
>> > +static int crtc_setup_out_fence(struct drm_crtc *crtc,
>> > + struct drm_crtc_state *crtc_state,
>> > + struct drm_out_fence_state *fence_state)
>> > +{
>> > + struct fence *fence;
>> > +
>> > + fence_state->fd = get_unused_fd_flags(O_CLOEXEC);
>> > + if (fence_state->fd < 0) {
>> > + return fence_state->fd;
>> > + }
>> > +
>> > + fence_state->out_fence_ptr = crtc_state->out_fence_ptr;
>> > + crtc_state->out_fence_ptr = NULL;
>> > +
>> > + if (put_user(fence_state->fd, fence_state->out_fence_ptr))
>> > + return -EFAULT;
>> > +
>> > + fence = kzalloc(sizeof(*fence), GFP_KERNEL);
>> > + if (!fence)
>> > + return -ENOMEM;
>> > +
>> > + fence_init(fence, &drm_crtc_fence_ops, &crtc->fence_lock,
>> > + crtc->fence_context, ++crtc->fence_seqno);
>> > +
>> > + fence_state->sync_file = sync_file_create(fence);
>> > + if(!fence_state->sync_file) {
>> > + fence_put(fence);
>> > + return -ENOMEM;
>> > + }
>> > +
>> > + crtc_state->event->base.fence = fence_get(fence);
>> > + return 0;
>> > +}
>> > +
>> > int drm_mode_atomic_ioctl(struct drm_device *dev,
>> > void *data, struct drm_file *file_priv)
>> > {
>> > @@ -1617,9 +1642,10 @@ int drm_mode_atomic_ioctl(struct drm_device *dev,
>> > struct drm_plane *plane;
>> > struct drm_crtc *crtc;
>> > struct drm_crtc_state *crtc_state;
>> > + struct drm_out_fence_state *fence_state;
I just hit another crash - looks like fence_state needs to be
initialised to NULL here, otherwise if property lookup/set fails we
kfree() a bad pointer.
>> > unsigned plane_mask;
>> > int ret = 0;
>> > - unsigned int i, j;
>> > + unsigned int i, j, fence_idx = 0;
>> >
>> > /* disallow for drivers not supporting atomic: */
>> > if (!drm_core_check_feature(dev, DRIVER_ATOMIC))
>> > @@ -1734,12 +1760,19 @@ retry:
>> > drm_mode_object_unreference(obj);
>> > }
>> >
>> > - if (arg->flags & DRM_MODE_PAGE_FLIP_EVENT) {
>> > - for_each_crtc_in_state(state, crtc, crtc_state, i) {
>> > + fence_state = kcalloc(dev->mode_config.num_crtc, sizeof(*fence_state),
>> > + GFP_KERNEL);
>> > + if (!fence_state) {
>> > + ret = -ENOMEM;
>> > + goto out;
>> > + }
>> > +
>> > + for_each_crtc_in_state(state, crtc, crtc_state, i) {
>> > + if (arg->flags & DRM_MODE_PAGE_FLIP_EVENT ||
>> > + crtc_state->out_fence_ptr) {
>> > struct drm_pending_vblank_event *e;
>> >
>> > - e = create_vblank_event(dev, file_priv, NULL,
>> > - arg->user_data);
>> > + e = create_vblank_event(dev, arg->user_data);
>> > if (!e) {
>> > ret = -ENOMEM;
>> > goto out;
>> > @@ -1747,6 +1780,28 @@ retry:
>> >
>> > crtc_state->event = e;
>> > }
>> > +
>> > + if (arg->flags & DRM_MODE_PAGE_FLIP_EVENT) {
>> > + struct drm_pending_vblank_event *e = crtc_state->event;
>> > +
>> > + if (!file_priv)
>> > + continue;
>> > +
>> > + ret = drm_event_reserve_init(dev, file_priv, &e->base,
>> > + &e->event.base);
>> > + if (ret) {
>> > + kfree(e);
>> > + crtc_state->event = NULL;
>> > + goto out;
>> > + }
>> > + }
>> > +
>> > + if (crtc_state->out_fence_ptr) {
>> > + ret = crtc_setup_out_fence(crtc, crtc_state,
>> > + &fence_state[fence_idx++]);
>> > + if (ret)
>> > + goto out;
>> > + }
>> > }
>> >
>> > if (arg->flags & DRM_MODE_ATOMIC_TEST_ONLY) {
>> > @@ -1761,24 +1816,37 @@ retry:
>> > ret = drm_atomic_commit(state);
>> > }
>> >
>> > + for (i = 0; i < fence_idx; i++)
>> > + fd_install(fence_state[i].fd, fence_state[i].sync_file->file);
>> > +
>> > out:
>> > drm_atomic_clean_old_fb(dev, plane_mask, ret);
>> >
>> > - if (ret && arg->flags & DRM_MODE_PAGE_FLIP_EVENT) {
>> > + for_each_crtc_in_state(state, crtc, crtc_state, i) {
>>
>> I think a check on ret is still needed before you iterate the CRTCs.
>> If the commit is successful then state has already been freed by this
>> point, and I get a splat.
>
>Yes, I believe I only tested with non-blocking requests.
>
Right, I suppose you should get here before the free in that case.
>>
>> > /*
>> > * TEST_ONLY and PAGE_FLIP_EVENT are mutually exclusive,
>> > * if they weren't, this code should be called on success
>> > * for TEST_ONLY too.
>> > */
>> > + if (ret && crtc_state->event)
>> > + drm_event_cancel_free(dev, &crtc_state->event->base);
>> > + }
>> >
>> > - for_each_crtc_in_state(state, crtc, crtc_state, i) {
>> > - if (!crtc_state->event)
>> > - continue;
>> > + if (ret && fence_state) {
>> > + for (i = 0; i < fence_idx; i++) {
>> > + if (fence_state[i].fd >= 0)
>> > + put_unused_fd(fence_state[i].fd);
>> > + if (fence_state[i].sync_file)
>> > + fput(fence_state[i].sync_file->file);
>> >
>> > - drm_event_cancel_free(dev, &crtc_state->event->base);
>> > + /* If this fails, there's not much we can do about it */
>> > + if (put_user(-1, fence_state->out_fence_ptr))
>> > + DRM_ERROR("Couldn't clear out_fence_ptr\n");
>> > }
>> > }
>> >
>> > + kfree(fence_state);
>> > +
>> > if (ret == -EDEADLK) {
>> > drm_atomic_state_clear(state);
>> > drm_modeset_backoff(&ctx);
>> > diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
>> > index b99090f..40bce97 100644
>> > --- a/drivers/gpu/drm/drm_crtc.c
>> > +++ b/drivers/gpu/drm/drm_crtc.c
>> > @@ -274,6 +274,8 @@ int drm_crtc_init_with_planes(struct drm_device *dev,
>> > struct drm_crtc *crtc,
>> > if (drm_core_check_feature(dev, DRIVER_ATOMIC)) {
>> > drm_object_attach_property(&crtc->base, config->prop_active, 0);
>> > drm_object_attach_property(&crtc->base, config->prop_mode_id,
>> > 0);
>> > + drm_object_attach_property(&crtc->base,
>> > + config->prop_out_fence_ptr, 0);
>> > }
>> >
>> > return 0;
>> > @@ -434,6 +436,12 @@ static int drm_mode_create_standard_properties(struct
>> > drm_device *dev)
>> > return -ENOMEM;
>> > dev->mode_config.prop_in_fence_fd = prop;
>> >
>> > + prop = drm_property_create_range(dev, DRM_MODE_PROP_ATOMIC,
>> > + "OUT_FENCE_PTR", 0, U64_MAX);
>> > + if (!prop)
>> > + return -ENOMEM;
>> > + dev->mode_config.prop_out_fence_ptr = prop;
>> > +
>> > prop = drm_property_create_object(dev, DRM_MODE_PROP_ATOMIC,
>> > "CRTC_ID", DRM_MODE_OBJECT_CRTC);
>> > if (!prop)
>> > diff --git a/include/drm/drm_crtc.h b/include/drm/drm_crtc.h
>> > index 657a33a..b898604 100644
>> > --- a/include/drm/drm_crtc.h
>> > +++ b/include/drm/drm_crtc.h
>> > @@ -165,6 +165,8 @@ struct drm_crtc_state {
>> > struct drm_property_blob *ctm;
>> > struct drm_property_blob *gamma_lut;
>> >
>> > + u64 __user *out_fence_ptr;
>> > +
>>
>> I'm somewhat not convinced about stashing a __user pointer in the
>> CRTC atomic state. I know it gets cleared before the driver sees it,
>> but if anything I think that hints that this isn't the right place to
>> store it.
>>
>> I've been trying to think of other ways to get from a property to
>> something drm_mode_atomic_ioctl can use - maybe we can store some
>> stuff in drm_atomic_state which only lives for the length of the ioctl
>> call and put this pointer in there.
>
>The drm_atomic_state is still visible by the drivers. Between there and
>crtc_state, I would keep in the crtc_state for now.
>
Mm, yeah I suppose they could get to it if they went looking for it
in ->atomic_set_property or something, but I was thinking of freeing
it before the drm_atomic_commit.
Anyway, this way is certainly simpler, and setting it to NULL should
be enough to limit the damage a driver can do :-)
Thanks,
Brian
>Gustavo
>
