| Message ID | 20191213205417.3871055-4-arnd@arndb.de |
|---|---|
| State | Superseded |
| Headers | show |
| Series | None | expand |
Hi, On Fri, Dec 13, 2019 at 09:53:41PM +0100, Arnd Bergmann wrote: > Most kernel interfaces that take a timespec require normalized > representation with tv_nsec between 0 and NSEC_PER_SEC. > > Passing values larger than 0x100000000ull further behaves differently > on 32-bit and 64-bit kernels, and can cause the latter to spend a long > time counting seconds in timespec64_sub()/set_normalized_timespec64(). > > Reject those large values at the user interface to enforce sane and > portable behavior. > > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- > drivers/gpu/drm/etnaviv/etnaviv_drv.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.c b/drivers/gpu/drm/etnaviv/etnaviv_drv.c > index 1f9c01be40d7..95d72dc00280 100644 > --- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c > +++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c > @@ -297,6 +297,9 @@ static int etnaviv_ioctl_gem_cpu_prep(struct drm_device *dev, void *data, > if (args->op & ~(ETNA_PREP_READ | ETNA_PREP_WRITE | ETNA_PREP_NOSYNC)) > return -EINVAL; > > + if (args->timeout.tv_nsec > NSEC_PER_SEC) > + return -EINVAL; > + > obj = drm_gem_object_lookup(file, args->handle); > if (!obj) > return -ENOENT; > @@ -360,6 +363,9 @@ static int etnaviv_ioctl_wait_fence(struct drm_device *dev, void *data, > if (args->flags & ~(ETNA_WAIT_NONBLOCK)) > return -EINVAL; > > + if (args->timeout.tv_nsec > NSEC_PER_SEC) > + return -EINVAL; > + > if (args->pipe >= ETNA_MAX_PIPES) > return -EINVAL; > > @@ -411,6 +417,9 @@ static int etnaviv_ioctl_gem_wait(struct drm_device *dev, void *data, > if (args->flags & ~(ETNA_WAIT_NONBLOCK)) > return -EINVAL; > > + if (args->timeout.tv_nsec > NSEC_PER_SEC) > + return -EINVAL; > + > if (args->pipe >= ETNA_MAX_PIPES) > return -EINVAL; > This breaks rendering here on arm64/gc7000 due to ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 This is due to get_abs_timeout(&req.timeout, 5000000000); in etna_bo_cpu_prep which can exceed NSEC_PER_SEC. Should i send a patch to revert that change since it breaks existing userspace? Cheers, -- Guido > -- > 2.20.0 > > _______________________________________________ > etnaviv mailing list > etnaviv@lists.freedesktop.org > https://lists.freedesktop.org/mailman/listinfo/etnaviv > _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
On Fr, 2020-01-17 at 16:47 +0100, Guido Günther wrote: > Hi, > On Fri, Dec 13, 2019 at 09:53:41PM +0100, Arnd Bergmann wrote: > > Most kernel interfaces that take a timespec require normalized > > representation with tv_nsec between 0 and NSEC_PER_SEC. > > > > Passing values larger than 0x100000000ull further behaves differently > > on 32-bit and 64-bit kernels, and can cause the latter to spend a long > > time counting seconds in timespec64_sub()/set_normalized_timespec64(). > > > > Reject those large values at the user interface to enforce sane and > > portable behavior. > > > > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > > --- > > drivers/gpu/drm/etnaviv/etnaviv_drv.c | 9 +++++++++ > > 1 file changed, 9 insertions(+) > > > > diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.c b/drivers/gpu/drm/etnaviv/etnaviv_drv.c > > index 1f9c01be40d7..95d72dc00280 100644 > > --- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c > > +++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c > > @@ -297,6 +297,9 @@ static int etnaviv_ioctl_gem_cpu_prep(struct drm_device *dev, void *data, > > if (args->op & ~(ETNA_PREP_READ | ETNA_PREP_WRITE | ETNA_PREP_NOSYNC)) > > return -EINVAL; > > > > + if (args->timeout.tv_nsec > NSEC_PER_SEC) > > + return -EINVAL; > > + > > obj = drm_gem_object_lookup(file, args->handle); > > if (!obj) > > return -ENOENT; > > @@ -360,6 +363,9 @@ static int etnaviv_ioctl_wait_fence(struct drm_device *dev, void *data, > > if (args->flags & ~(ETNA_WAIT_NONBLOCK)) > > return -EINVAL; > > > > + if (args->timeout.tv_nsec > NSEC_PER_SEC) > > + return -EINVAL; > > + > > if (args->pipe >= ETNA_MAX_PIPES) > > return -EINVAL; > > > > @@ -411,6 +417,9 @@ static int etnaviv_ioctl_gem_wait(struct drm_device *dev, void *data, > > if (args->flags & ~(ETNA_WAIT_NONBLOCK)) > > return -EINVAL; > > > > + if (args->timeout.tv_nsec > NSEC_PER_SEC) > > + return -EINVAL; > > + > > if (args->pipe >= ETNA_MAX_PIPES) > > return -EINVAL; > > > > This breaks rendering here on arm64/gc7000 due to > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > This is due to > > get_abs_timeout(&req.timeout, 5000000000); > > in etna_bo_cpu_prep which can exceed NSEC_PER_SEC. > > Should i send a patch to revert that change since it breaks existing userspace? No need to revert. This patch has not been applied to the etnaviv tree yet, I guess it's just in one of Arnds branches feeding into -next. That part of userspace is pretty dumb, as it misses to renormalize tv_nsec when it overflows the second boundary. So if what I see is correct it should be enough to allow 2 * NSEC_PER_SEC, which should both reject broken large timeout and keep existing userspace working. Regards, Lucas
On Mon, Jan 20, 2020 at 6:48 PM Lucas Stach <l.stach@pengutronix.de> wrote: > On Fr, 2020-01-17 at 16:47 +0100, Guido Günther wrote: > > > > This breaks rendering here on arm64/gc7000 due to > > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > > > This is due to > > > > get_abs_timeout(&req.timeout, 5000000000); > > > > in etna_bo_cpu_prep which can exceed NSEC_PER_SEC. > > > > Should i send a patch to revert that change since it breaks existing userspace? > > No need to revert. This patch has not been applied to the etnaviv tree > yet, I guess it's just in one of Arnds branches feeding into -next. > > That part of userspace is pretty dumb, as it misses to renormalize > tv_nsec when it overflows the second boundary. So if what I see is > correct it should be enough to allow 2 * NSEC_PER_SEC, which should > both reject broken large timeout and keep existing userspace working. Ah, so it's never more than 2 billion nanoseconds in known user space? I can definitely change my patch (actually add one on top) to allow that and handle it as before, or alternatively accept any 64-bit nanosecond value as arm64 already did, but make it less inefficient to handle. Arnd
On Mo, 2020-01-20 at 19:47 +0100, Arnd Bergmann wrote: > On Mon, Jan 20, 2020 at 6:48 PM Lucas Stach <l.stach@pengutronix.de> wrote: > > On Fr, 2020-01-17 at 16:47 +0100, Guido Günther wrote: > > > This breaks rendering here on arm64/gc7000 due to > > > > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > > > > > This is due to > > > > > > get_abs_timeout(&req.timeout, 5000000000); > > > > > > in etna_bo_cpu_prep which can exceed NSEC_PER_SEC. > > > > > > Should i send a patch to revert that change since it breaks existing userspace? > > > > No need to revert. This patch has not been applied to the etnaviv tree > > yet, I guess it's just in one of Arnds branches feeding into -next. > > > > That part of userspace is pretty dumb, as it misses to renormalize > > tv_nsec when it overflows the second boundary. So if what I see is > > correct it should be enough to allow 2 * NSEC_PER_SEC, which should > > both reject broken large timeout and keep existing userspace working. > > Ah, so it's never more than 2 billion nanoseconds in known user space? > I can definitely change my patch (actually add one on top) to allow that > and handle it as before, or alternatively accept any 64-bit nanosecond value > as arm64 already did, but make it less inefficient to handle. So the broken userspace code looks like this: static inline void get_abs_timeout(struct drm_etnaviv_timespec *tv, uint64_t ns) { struct timespec t; uint32_t s = ns / 1000000000; clock_gettime(CLOCK_MONOTONIC, &t); tv->tv_sec = t.tv_sec + s; tv->tv_nsec = t.tv_nsec + ns - (s * 1000000000); } Which means it _tries_ to do the right thing by putting the billion part into the tv_sec member and only the remaining ns part is added to tv_nsec, but then it fails to propagate a tv_nsec overflow over NSEC_PER_SEC into tv_sec. Which means the tv_nsec should never be more than 2 * NSEC_PER_SEC in known userspace. I would prefer if we could make the interface as strict as possible (i.e. no arbitrary large numbers in tv_nsec), while keeping this specific corner case working. Regards, Lucas
On Tue, Jan 21, 2020 at 11:22 AM Lucas Stach <l.stach@pengutronix.de> wrote: > > On Mo, 2020-01-20 at 19:47 +0100, Arnd Bergmann wrote: > > On Mon, Jan 20, 2020 at 6:48 PM Lucas Stach <l.stach@pengutronix.de> wrote: > > > On Fr, 2020-01-17 at 16:47 +0100, Guido Günther wrote: > > > > This breaks rendering here on arm64/gc7000 due to > > > > > > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_PREP or DRM_IOCTL_MSM_GEM_CPU_PREP, 0xfffff7888680) = -1 EINVAL (Invalid argument) > > > > ioctl(6, DRM_IOCTL_ETNAVIV_GEM_CPU_FINI or DRM_IOCTL_QXL_CLIENTCAP, 0xfffff78885e0) = 0 > > > > > > > > This is due to > > > > > > > > get_abs_timeout(&req.timeout, 5000000000); > > > > > > > > in etna_bo_cpu_prep which can exceed NSEC_PER_SEC. > > > > > > > > Should i send a patch to revert that change since it breaks existing userspace? > > > > > > No need to revert. This patch has not been applied to the etnaviv tree > > > yet, I guess it's just in one of Arnds branches feeding into -next. > > > > > > That part of userspace is pretty dumb, as it misses to renormalize > > > tv_nsec when it overflows the second boundary. So if what I see is > > > correct it should be enough to allow 2 * NSEC_PER_SEC, which should > > > both reject broken large timeout and keep existing userspace working. > > > > Ah, so it's never more than 2 billion nanoseconds in known user space? > > I can definitely change my patch (actually add one on top) to allow that > > and handle it as before, or alternatively accept any 64-bit nanosecond value > > as arm64 already did, but make it less inefficient to handle. > > So the broken userspace code looks like this: > > static inline void get_abs_timeout(struct drm_etnaviv_timespec *tv, uint64_t ns) > { > struct timespec t; > uint32_t s = ns / 1000000000; > clock_gettime(CLOCK_MONOTONIC, &t); > tv->tv_sec = t.tv_sec + s; > tv->tv_nsec = t.tv_nsec + ns - (s * 1000000000); > } > > Which means it _tries_ to do the right thing by putting the billion > part into the tv_sec member and only the remaining ns part is added to > tv_nsec, but then it fails to propagate a tv_nsec overflow over > NSEC_PER_SEC into tv_sec. > > Which means the tv_nsec should never be more than 2 * NSEC_PER_SEC in > known userspace. I would prefer if we could make the interface as > strict as possible (i.e. no arbitrary large numbers in tv_nsec), while > keeping this specific corner case working. I've added a patch on top of my 2038 branch, please have a look at that. Arnd
diff --git a/drivers/gpu/drm/etnaviv/etnaviv_drv.c b/drivers/gpu/drm/etnaviv/etnaviv_drv.c index 1f9c01be40d7..95d72dc00280 100644 --- a/drivers/gpu/drm/etnaviv/etnaviv_drv.c +++ b/drivers/gpu/drm/etnaviv/etnaviv_drv.c @@ -297,6 +297,9 @@ static int etnaviv_ioctl_gem_cpu_prep(struct drm_device *dev, void *data, if (args->op & ~(ETNA_PREP_READ | ETNA_PREP_WRITE | ETNA_PREP_NOSYNC)) return -EINVAL; + if (args->timeout.tv_nsec > NSEC_PER_SEC) + return -EINVAL; + obj = drm_gem_object_lookup(file, args->handle); if (!obj) return -ENOENT; @@ -360,6 +363,9 @@ static int etnaviv_ioctl_wait_fence(struct drm_device *dev, void *data, if (args->flags & ~(ETNA_WAIT_NONBLOCK)) return -EINVAL; + if (args->timeout.tv_nsec > NSEC_PER_SEC) + return -EINVAL; + if (args->pipe >= ETNA_MAX_PIPES) return -EINVAL; @@ -411,6 +417,9 @@ static int etnaviv_ioctl_gem_wait(struct drm_device *dev, void *data, if (args->flags & ~(ETNA_WAIT_NONBLOCK)) return -EINVAL; + if (args->timeout.tv_nsec > NSEC_PER_SEC) + return -EINVAL; + if (args->pipe >= ETNA_MAX_PIPES) return -EINVAL;
Most kernel interfaces that take a timespec require normalized representation with tv_nsec between 0 and NSEC_PER_SEC. Passing values larger than 0x100000000ull further behaves differently on 32-bit and 64-bit kernels, and can cause the latter to spend a long time counting seconds in timespec64_sub()/set_normalized_timespec64(). Reject those large values at the user interface to enforce sane and portable behavior. Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- drivers/gpu/drm/etnaviv/etnaviv_drv.c | 9 +++++++++ 1 file changed, 9 insertions(+) -- 2.20.0 _______________________________________________ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel