[PATCH drm-misc-next 2/3] drm/vc4: plane: protect device resources after removal

From: Danilo Krummrich
Date: Thu Aug 18 2022 - 20:29:25 EST


(Hardware) resources which are bound to the driver and device lifecycle
must not be accessed after the device and driver are unbound.

However, the DRM device isn't freed as long as the last user closed it,
hence userspace can still call into the driver.

Therefore protect the critical sections which are accessing those
resources with drm_dev_enter() and drm_dev_exit().

Fixes: 9872c7a31921 ("drm/vc4: plane: Switch to drmm_universal_plane_alloc()")
Signed-off-by: Danilo Krummrich <dakr@xxxxxxxxxx>
---
drivers/gpu/drm/vc4/vc4_drv.h | 1 +
drivers/gpu/drm/vc4/vc4_plane.c | 25 +++++++++++++++++++++++++
2 files changed, 26 insertions(+)

diff --git a/drivers/gpu/drm/vc4/vc4_drv.h b/drivers/gpu/drm/vc4/vc4_drv.h
index 418a8242691f..80da9a9337cc 100644
--- a/drivers/gpu/drm/vc4/vc4_drv.h
+++ b/drivers/gpu/drm/vc4/vc4_drv.h
@@ -341,6 +341,7 @@ struct vc4_hvs {

struct vc4_plane {
struct drm_plane base;
+ struct drm_device *dev;
};

static inline struct vc4_plane *
diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c
index eff9c63adfa7..cb13bb583546 100644
--- a/drivers/gpu/drm/vc4/vc4_plane.c
+++ b/drivers/gpu/drm/vc4/vc4_plane.c
@@ -19,6 +19,7 @@
#include <drm/drm_atomic_helper.h>
#include <drm/drm_atomic_uapi.h>
#include <drm/drm_blend.h>
+#include <drm/drm_drv.h>
#include <drm/drm_fb_dma_helper.h>
#include <drm/drm_fourcc.h>
#include <drm/drm_framebuffer.h>
@@ -1218,14 +1219,22 @@ static void vc4_plane_atomic_update(struct drm_plane *plane,
u32 vc4_plane_write_dlist(struct drm_plane *plane, u32 __iomem *dlist)
{
struct vc4_plane_state *vc4_state = to_vc4_plane_state(plane->state);
+ struct vc4_plane *vc4_plane = to_vc4_plane(plane);
int i;
+ int idx;

vc4_state->hw_dlist = dlist;

+ if (!drm_dev_enter(vc4_plane->dev, &idx))
+ goto out;
+
/* Can't memcpy_toio() because it needs to be 32-bit writes. */
for (i = 0; i < vc4_state->dlist_count; i++)
writel(vc4_state->dlist[i], &dlist[i]);

+ drm_dev_exit(idx);
+
+out:
return vc4_state->dlist_count;
}

@@ -1243,8 +1252,10 @@ u32 vc4_plane_dlist_size(const struct drm_plane_state *state)
void vc4_plane_async_set_fb(struct drm_plane *plane, struct drm_framebuffer *fb)
{
struct vc4_plane_state *vc4_state = to_vc4_plane_state(plane->state);
+ struct vc4_plane *vc4_plane = to_vc4_plane(plane);
struct drm_gem_dma_object *bo = drm_fb_dma_get_gem_obj(fb, 0);
uint32_t addr;
+ int idx;

/* We're skipping the address adjustment for negative origin,
* because this is only called on the primary plane.
@@ -1252,12 +1263,17 @@ void vc4_plane_async_set_fb(struct drm_plane *plane, struct drm_framebuffer *fb)
WARN_ON_ONCE(plane->state->crtc_x < 0 || plane->state->crtc_y < 0);
addr = bo->dma_addr + fb->offsets[0];

+ if (!drm_dev_enter(vc4_plane->dev, &idx))
+ return;
+
/* Write the new address into the hardware immediately. The
* scanout will start from this address as soon as the FIFO
* needs to refill with pixels.
*/
writel(addr, &vc4_state->hw_dlist[vc4_state->ptr0_offset]);

+ drm_dev_exit(idx);
+
/* Also update the CPU-side dlist copy, so that any later
* atomic updates that don't do a new modeset on our plane
* also use our updated address.
@@ -1271,6 +1287,8 @@ static void vc4_plane_atomic_async_update(struct drm_plane *plane,
struct drm_plane_state *new_plane_state = drm_atomic_get_new_plane_state(state,
plane);
struct vc4_plane_state *vc4_state, *new_vc4_state;
+ struct vc4_plane *vc4_plane = to_vc4_plane(plane);
+ int idx;

swap(plane->state->fb, new_plane_state->fb);
plane->state->crtc_x = new_plane_state->crtc_x;
@@ -1323,6 +1341,9 @@ static void vc4_plane_atomic_async_update(struct drm_plane *plane,
vc4_state->dlist[vc4_state->ptr0_offset] =
new_vc4_state->dlist[vc4_state->ptr0_offset];

+ if (!drm_dev_enter(vc4_plane->dev, &idx))
+ return;
+
/* Note that we can't just call vc4_plane_write_dlist()
* because that would smash the context data that the HVS is
* currently using.
@@ -1333,6 +1354,8 @@ static void vc4_plane_atomic_async_update(struct drm_plane *plane,
&vc4_state->hw_dlist[vc4_state->pos2_offset]);
writel(vc4_state->dlist[vc4_state->ptr0_offset],
&vc4_state->hw_dlist[vc4_state->ptr0_offset]);
+
+ drm_dev_exit(idx);
}

static int vc4_plane_atomic_async_check(struct drm_plane *plane,
@@ -1521,6 +1544,8 @@ struct drm_plane *vc4_plane_init(struct drm_device *dev,
modifiers, type, NULL);
if (IS_ERR(vc4_plane))
return ERR_CAST(vc4_plane);
+
+ vc4_plane->dev = dev;
plane = &vc4_plane->base;

if (vc4->is_vc5)
--
2.37.2