Commit Graph

35 Commits

Author SHA1 Message Date
Vasily Averin
933db73351 drm/qxl: qxl_release use after free
qxl_release should not be accesses after qxl_push_*_ring_release() calls:
userspace driver can process submitted command quickly, move qxl_release
into release_ring, generate interrupt and trigger garbage collector.

It can lead to crashes in qxl driver or trigger memory corruption
in some kmalloc-192 slab object

Gerd Hoffmann proposes to swap the qxl_release_fence_buffer_objects() +
qxl_push_{cursor,command}_ring_release() calls to close that race window.

cc: stable@vger.kernel.org
Fixes: f64122c1f6 ("drm: add new QXL driver. (v1.4)")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Link: http://patchwork.freedesktop.org/patch/msgid/fa17b338-66ae-f299-68fe-8d32419d9071@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-04-29 13:21:34 +02:00
Vasily Averin
a65aa9c367 drm/qxl: qxl_release leak in qxl_hw_surface_alloc()
Cc: stable@vger.kernel.org
Fixes: 8002db6336 ("qxl: convert qxl driver to proper use for reservations")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Link: http://patchwork.freedesktop.org/patch/msgid/2e5a13ae-9ab2-5401-aa4d-03d5f5593423@virtuozzo.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-04-28 12:03:48 +02:00
Gustavo A. R. Silva
0f0658636d drm/qxl: replace zero-length array with flexible-array member
The current codebase makes use of the zero-length array language
extension to the C90 standard, but the preferred mechanism to declare
variable-length types such as these ones is a flexible array member[1][2],
introduced in C99:

struct foo {
        int stuff;
        struct boo array[];
};

By making use of the mechanism above, we will get a compiler warning
in case the flexible array does not occur last in the structure, which
will help us prevent some kind of undefined behavior bugs from being
inadvertenly introduced[3] to the codebase from now on.

Also, notice that, dynamic memory allocations won't be affected by
this change:

"Flexible array members have incomplete type, and so the sizeof operator
may not be applied. As a quirk of the original implementation of
zero-length arrays, sizeof evaluates to zero."[1]

This issue was found with the help of Coccinelle.

[1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html
[2] https://github.com/KSPP/linux/issues/21
[3] commit 7649773293 ("cxgb3/l2t: Fix undefined behaviour")

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20200212193344.GA27929@embeddedor
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2020-02-13 11:11:59 +01:00
Gerd Hoffmann
e0828d54c8 drm/qxl: use embedded gem object
Drop drm_gem_object from qxl_bo, use the
ttm_buffer_object.base instead.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Christian König <christian.koenig@amd.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20190805140119.7337-4-kraxel@redhat.com
2019-08-06 08:21:54 +02:00
Sam Ravnborg
c0f4b75c06 drm/qxl: drop use of drmP.h
Drop use of the deprecated drmP.h header file.
While touching the files divided includes in blocks,
and when needed sort the blocks.
Fix fallout.

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Emil Velikov <emil.velikov@collabora.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: virtualization@lists.linux-foundation.org
Cc: spice-devel@lists.freedesktop.org
Link: https://patchwork.freedesktop.org/patch/msgid/20190630061922.7254-10-sam@ravnborg.org
2019-07-15 18:11:30 +02:00
Gerd Hoffmann
4979904c62 drm/qxl: use shadow bo directly
Pass the shadow bo to qxl_io_create_primary() instead of expecting
qxl_io_create_primary to check bo->shadow.  Set is_primary flag on the
shadow bo.  Move the is_primary tracking into qxl_io_create_primary()
and qxl_io_destroy_primary() functions.

That simplifies primary surface tracking and the workflow in
qxl_primary_atomic_update().

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Noralf Trønnes <noralf@tronnes.org>
Link: http://patchwork.freedesktop.org/patch/msgid/20190118122020.27596-14-kraxel@redhat.com

qxl_io_create/destroy_primary: primary_bo tracking [fixup]
2019-01-28 14:24:53 +01:00
Gerd Hoffmann
166205444b drm/qxl: track primary bo
Track which bo is used as primary surface.  With that in place we don't
need the primary_created flag any more, we can just check the primary bo
pointer instead.

Also verify we don't already have a primary surface in
qxl_io_create_primary().

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Noralf Trønnes <noralf@tronnes.org>
Link: http://patchwork.freedesktop.org/patch/msgid/20190118122020.27596-13-kraxel@redhat.com
2019-01-28 14:24:53 +01:00
Gerd Hoffmann
fb7ebc0119 drm/qxl: drop unused offset parameter from qxl_io_create_primary()
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Noralf Trønnes <noralf@tronnes.org>
Link: http://patchwork.freedesktop.org/patch/msgid/20190118122020.27596-12-kraxel@redhat.com
2019-01-28 14:24:53 +01:00
Gerd Hoffmann
edd38a1e59 drm/qxl: drop ttm_mem_reg arg from qxl_hw_surface_alloc()
Not used, is always NULL.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Acked-by: Noralf Trønnes <noralf@tronnes.org>
Link: http://patchwork.freedesktop.org/patch/msgid/20190118122020.27596-2-kraxel@redhat.com
2019-01-28 14:24:52 +01:00
Sam Ravnborg
e9eafcb589 drm: move drm_can_sleep() to drm_util.h
Move drm_can_sleep() out of drmP.h to allow users
to get rid of the drmP.h include.

There was no header file that was a good match for this helper function.
So add this to drm_util with the relevant includes.

Add include of drm_util.h to all users.

v2:
- Update comments to use kernel-doc style (Daniel)
- Add FIXME to drm_can_sleep and add note that this
  function should not be used in new code (Daniel)

v3:
- Fix kernel-doc syntax (Daniel)
- Plug drm_util.h into drm-internels.rst (Daniel)

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <maxime.ripard@bootlin.com>
Cc: Sean Paul <sean@poorly.run>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: "Christian König" <christian.koenig@amd.com>
Cc: "David (ChunMing) Zhou" <David1.Zhou@amd.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Rob Clark <robdclark@gmail.com>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: Eric Anholt <eric@anholt.net>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20190112193251.20450-2-sam@ravnborg.org
2019-01-14 10:58:37 +01:00
Shayenne da Luz Moura
1b00049497 drm/qxl: Use 'unsigned int' instead of 'usigned'
Use 'usigned int' instead of 'usigned' to remove the checkpath.pl warning:

WARNING: Prefer 'unsigned int' to bare use of 'unsigned'

Signed-off-by: Shayenne da Luz Moura <shayenneluzmoura@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/52604806eb18bc25e7e429f5b229fe8c1d271b5c.1540579956.git.shayenneluzmoura@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-10-30 07:20:00 +01:00
Shayenne da Luz Moura
d964985c0d drm/qxl: Remove exceding whiteline
Remove extra whiteline to clean the checkpatch.pl check:

CHECK: Please don't use multiple blank lines

Signed-off-by: Shayenne da Luz Moura <shayenneluzmoura@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/5b95e1d4d515d02d01b829ddc5b3ca80af29e2e2.1540579956.git.shayenneluzmoura@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-10-30 07:19:59 +01:00
Shayenne da Luz Moura
408799eb4a drm/qxl: Add line after variable declarations
Add whiteline after variable declarations to remove the checkpath.pl
warning:

WARNING: Missing a blank line after declarations

Signed-off-by: Shayenne da Luz Moura <shayenneluzmoura@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/a1d44c4a30f9b52d0aa7113e4e5093e843f9913b.1540579956.git.shayenneluzmoura@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2018-10-30 07:19:59 +01:00
Maarten Lankhorst
94cc2fde36 Merge remote-tracking branch 'drm/drm-next' into drm-misc-next
drm-misc-next is still based on v4.16-rc7, and was getting a bit stale.

Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
2018-05-11 18:08:10 +02:00
Gerd Hoffmann
a6d3c4d798 qxl: hook monitors_config updates into crtc, not encoder.
The encoder callbacks are only called in case the video mode changes.
So any layout changes without mode changes will go unnoticed.

Add qxl_crtc_update_monitors_config(), based on the old
qxl_write_monitors_config_for_encoder() function.  Hook it into the
enable, disable and flush atomic crtc callbacks.  Remove monitors_config
updates from all other places.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1544322
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20180420071904.24276-4-kraxel@redhat.com
2018-04-27 08:58:05 +02:00
Gerd Hoffmann
735581a0a1 qxl: remove qxl_io_log()
qxl_io_log() sends messages over to the host (qemu) for logging.
Remove the function and all callers, we can just use standard
DRM_DEBUG calls (and if needed a serial console).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20180420071904.24276-2-kraxel@redhat.com
2018-04-27 08:58:04 +02:00
Gerd Hoffmann
7a31805ba2 qxl: keep separate release_bo pointer
qxl expects that list_first_entry(release->bos) returns the first
element qxl added to the list.  ttm_eu_reserve_buffers() may reorder
the list though.

Add a release_bo field to struct qxl_release and use that instead.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20180418054257.15388-3-kraxel@redhat.com
Signed-off-by: Sean Paul <seanpaul@chromium.org>
2018-04-25 15:03:12 -04:00
Gerd Hoffmann
62676d10b4 qxl: alloc & use shadow for dumb buffers
This patch changes the way the primary surface is used for dumb
framebuffers.  Instead of configuring the bo itself as primary surface
a shadow bo is created and used instead.  Framebuffers can share the
shadow bo in case they have the same format and resolution.

On atomic plane updates we don't have to update the primary surface in
case we pageflip from one framebuffer to another framebuffer which
shares the same shadow.  This in turn avoids the flicker caused by the
primary-destroy + primary-create cycle, which is very annonying when
running wayland on qxl.

The qxl driver never actually writes to the shadow bo.  It sends qxl
blit commands which update it though, and the spice server might
actually execute them (and thereby write to the shadow) in case the
local rendering is kicked for some reason.  This happens for example in
case qemu is asked to write out a dump of the guest display (screendump
monitor command).

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20171019062150.28090-3-kraxel@redhat.com
2017-10-23 08:23:11 +02:00
Gerd Hoffmann
56cbcb6c41 drm/qxl: replace QXL_INFO with DRM_DEBUG_DRIVER
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20171019062150.28090-2-kraxel@redhat.com
2017-10-23 08:22:56 +02:00
Christophe Fergeau
e4a76442ef qxl: Mark some internal functions as static
They are not used outside of their respective source file

Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
Message-id: 20161108091209.25568-2-cfergeau@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2016-11-15 09:45:31 +01:00
Bhaktipriya Shridhar
7b2d16f55c drm/qxl: Remove deprecated create_singlethread_workqueue
System workqueues have been able to handle high level of concurrency
for a long time now and there's no reason to use dedicated workqueues
just to gain concurrency. Since the workqueue in the QXL graphics device
driver is involved in freeing and processing the release ring
(workitem &qdev->gc_workqxl, maps to gc_work which calls
qxl_garbage_collect) and is not being used on a memory reclaim path,
dedicated gc_queue has been replaced with the use of system_wq.

Unlike a dedicated per-cpu workqueue created with create_workqueue(),
system_wq allows multiple work items to overlap executions even on
the same CPU; however, a per-cpu workqueue doesn't have any CPU
locality or global ordering guarantees unless the target CPU is
explicitly specified and thus the increase of local concurrency
shouldn't make any difference.

flush_work() has been called in qxl_device_fini() to ensure that there
are no pending tasks while disconnecting the driver.

Signed-off-by: Bhaktipriya Shridhar <bhaktipriya96@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20160702110209.GA3560@Karyakshetra
2016-07-12 14:44:23 +02:00
Christian König
8aa6d4fc5f drm/ttm: remove lazy parameter from ttm_bo_wait
Not used any more.

Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2016-05-04 20:21:26 -04:00
Frediano Ziglio
72ec5650a8 drm/qxl: Remove format string errors
Enable format string checks for qxl_io_log and remove resulting warnings
which could lead to memory errors on different platform or just printing
wrong information.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2015-06-05 11:00:51 +10:00
Frediano Ziglio
c610c7137c drm/qxl: Handle all errors in qxl_surface_evict
Only EBUSY error was handled. This could cause code to believe
reserve was successful while it failed.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2015-06-05 11:00:49 +10:00
Frediano Ziglio
2fa19535ca drm/qxl: Do not cause spice-server to clean our objects
If objects are moved back from system memory to VRAM (and spice id
created again) memory is already initialized so we need to set flag
to not clear memory.
If you don't do it after a while using desktop many images turns to
black or transparents.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2015-06-05 11:00:27 +10:00
Maarten Lankhorst
2f453ed403 drm/qxl: rework to new fence interface
Final driver! \o/

This is not a proper dma_fence because the hardware may never signal
anything, so don't use dma-buf with qxl, ever.

Signed-off-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
2014-09-02 16:41:50 +02:00
Maarten Lankhorst
dd7cfd6412 drm/ttm: kill fence_lock
No users are left, kill it off! :D
Conversion to the reservation api is next on the list, after
that the functionality can be restored with rcu.

Signed-off-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
2014-09-01 10:16:43 +02:00
Dave Airlie
8002db6336 qxl: convert qxl driver to proper use for reservations
The recent addition of lockdep support to reservations and their subsequent
use by TTM showed up a number of potential problems with the way qxl was using
TTM objects.

a) it was allocating objects, and reserving them later without validating
underneath the reservation, which meant in extreme conditions the objects could
be evicted before the reservation ever used them.

b) it was reserving objects straight after allocating them, but with no
ability to back off should the reservations fail. It now allocates the necessary
objects then does a complete reservation pass on them to avoid deadlocks.

c) it had two lists per release tracking objects, unnecessary complicating
the reservation process.

This patch removes the dual object tracking, adds reservations ticket support
to the release and fence object handling. It then ports the internal fb
drawing code and the userspace facing ioctl to use the new interfaces properly,
along with cleanup up the error path handling in some codepaths.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-07-24 11:58:10 +10:00
Dave Airlie
4f49ec92be qxl: allow creation of pre-pinned objects and use for releases.
In order to fix an issue with reservations we need to create the releases
as pre-pinned objects, this changes the placement interface and bo creation
interface to allow creating pinned objects to save nested reservations later.

This is just a stepping stone to main fix which follows to actually fix how
qxl deals with reservations.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-07-24 11:58:10 +10:00
Dave Airlie
1e209117db qxl: add ring prep code for s/r
This prepare the ring code for s/r additions, the release ring will need
reinitialising.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-07-05 10:44:17 +10:00
Dave Airlie
07f8d9bdb2 drm/qxl: add support for > 1 output
This adds support for a default of 4 heads, with a command line
parameter to change the default number.

It also overhauls the modesetting code to handle this case properly,
and send the correct things to the hardware at the right time.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-07-05 10:44:10 +10:00
Dave Airlie
a6ac1bc341 drm/qxl: fix ioport interactions for kernel submitted commands.
So qxl has ioports, but it really really really doesn't want you
to write to them twice, but if you write and get a signal before
the irq arrives to let you know its completed, you have to think
ahead and avoid writing another time.

However this works fine for update area where really multiple
writes aren't the end of the world, however with create primary
surface, you can't ever do multiple writes. So this stop internal
kernel writes from doing interruptible waits, because otherwise
we have no idea if this write is a new one or a continuation of
a previous one.

virtual hw sucks more than real hw.

This fixes lockups and VM crashes when resizing and starting/stopping
X.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-05-17 11:45:44 +10:00
Dave Airlie
307b9c0227 qxl: update to new idr interfaces.
Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-05-03 10:37:20 +10:00
Dave Airlie
6d01f1f54c drm/qxl: make lots of things static.
/usr/lib/gcc/x86_64-linux-gnu/4.7/include/stddef.h:414:9: sparse: preprocessor token offsetof redefined
include/linux/stddef.h:17:9: this was the original definition
>> drivers/gpu/drm/qxl/qxl_drv.c:49:5: sparse: symbol 'qxl_modeset' was not declared. Should it be static?

Reported-by: kbuild test robot.
Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-04-16 13:33:36 +10:00
Dave Airlie
f64122c1f6 drm: add new QXL driver. (v1.4)
QXL is a paravirtual graphics device used by the Spice virtual desktop
interface.

The drivers uses GEM and TTM to manage memory, the qxl hw fencing however
is quite different than normal TTM expects, we have to keep track of a number
of non-linear fence ids per bo that we need to have released by the hardware.

The releases are freed from a workqueue that wakes up and processes the
release ring.

releases are suballocated from a BO, there are 3 release categories, drawables,
surfaces and cursor cmds. The hw also has 3 rings for commands, cursor and release handling.

The hardware also have a surface id tracking mechnaism and the driver encapsulates it completely inside the kernel, userspace never sees the actual hw surface
ids.

This requires a newer version of the QXL userspace driver, so shouldn't be
enabled until that has been placed into your distro of choice.

Authors: Dave Airlie, Alon Levy

v1.1: fixup some issues in the ioctl interface with padding
v1.2: add module device table
v1.3: fix nomodeset, fbcon leak, dumb bo create, release ring irq,
      don't try flush release ring (broken hw), fix -modesetting.
v1.4: fbcon cpu usage reduction + suitable accel flags.

Signed-off-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2013-04-12 13:51:07 +10:00