[v2] drm/virtio: Fix handling CONFIG_DRM_VIRTIO_GPU_KMS option

Message ID 20230306143234.1561759-1-dmitry.osipenko@collabora.com
State New
Series [v2] drm/virtio: Fix handling CONFIG_DRM_VIRTIO_GPU_KMS option

Commit Message

Dmitry Osipenko March 6, 2023, 2:32 p.m. UTC
  VirtIO-GPU got a new config option for disabling KMS. There were two
problems left unnoticed during review when the new option was added:

1. The IS_ENABLED(CONFIG_DRM_VIRTIO_GPU_KMS) check in the code was
inverted, hence KMS was disabled when it should be enabled and vice versa.

2. The disabled KMS crashed kernel with a NULL dereference in
drm_kms_helper_hotplug_event(), which shall not be invoked with a
disabled KMS.

Fix the inverted config option check in the code and skip handling the
VIRTIO_GPU_EVENT_DISPLAY sent by host when KMS is disabled in guest to fix
the crash.

Fixes: 72122c69d717 ("drm/virtio: Add option to disable KMS support")
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
---

Changelog:

v2: - Moved the "has_edid" under the "num_scanouts" condition, like was
      suggested by Gerd Hoffmann.

 drivers/gpu/drm/virtio/virtgpu_kms.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
  

Comments

Gerd Hoffmann March 6, 2023, 2:46 p.m. UTC | #1
On Mon, Mar 06, 2023 at 05:32:34PM +0300, Dmitry Osipenko wrote:
> VirtIO-GPU got a new config option for disabling KMS. There were two
> problems left unnoticed during review when the new option was added:
> 
> 1. The IS_ENABLED(CONFIG_DRM_VIRTIO_GPU_KMS) check in the code was
> inverted, hence KMS was disabled when it should be enabled and vice versa.
> 
> 2. The disabled KMS crashed kernel with a NULL dereference in
> drm_kms_helper_hotplug_event(), which shall not be invoked with a
> disabled KMS.
> 
> Fix the inverted config option check in the code and skip handling the
> VIRTIO_GPU_EVENT_DISPLAY sent by host when KMS is disabled in guest to fix
> the crash.
> 
> Fixes: 72122c69d717 ("drm/virtio: Add option to disable KMS support")
> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> ---
> 
> Changelog:
> 
> v2: - Moved the "has_edid" under the "num_scanouts" condition, like was
>       suggested by Gerd Hoffmann.

Acked-by: Gerd Hoffmann <kraxel@redhat.com>
  
Emil Velikov March 6, 2023, 3:02 p.m. UTC | #2
On 2023/03/06, Dmitry Osipenko wrote:
> VirtIO-GPU got a new config option for disabling KMS. There were two
> problems left unnoticed during review when the new option was added:
> 
> 1. The IS_ENABLED(CONFIG_DRM_VIRTIO_GPU_KMS) check in the code was
> inverted, hence KMS was disabled when it should be enabled and vice versa.
> 
> 2. The disabled KMS crashed kernel with a NULL dereference in
> drm_kms_helper_hotplug_event(), which shall not be invoked with a
> disabled KMS.
> 
> Fix the inverted config option check in the code and skip handling the
> VIRTIO_GPU_EVENT_DISPLAY sent by host when KMS is disabled in guest to fix
> the crash.
> 
> Fixes: 72122c69d717 ("drm/virtio: Add option to disable KMS support")
> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> ---
> 
> Changelog:
> 
> v2: - Moved the "has_edid" under the "num_scanouts" condition, like was
>       suggested by Gerd Hoffmann.
> 

Hi Dmitry, I think there's more than one piece like that in the driver.

>  drivers/gpu/drm/virtio/virtgpu_kms.c | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
> index 874ad6c2621a..15f2519988e7 100644
> --- a/drivers/gpu/drm/virtio/virtgpu_kms.c
> +++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
> @@ -43,11 +43,13 @@ static void virtio_gpu_config_changed_work_func(struct work_struct *work)
>  	virtio_cread_le(vgdev->vdev, struct virtio_gpu_config,
>  			events_read, &events_read);
>  	if (events_read & VIRTIO_GPU_EVENT_DISPLAY) {
> -		if (vgdev->has_edid)
> -			virtio_gpu_cmd_get_edids(vgdev);
> -		virtio_gpu_cmd_get_display_info(vgdev);
> -		virtio_gpu_notify(vgdev);
> -		drm_helper_hpd_irq_event(vgdev->ddev);
> +		if (vgdev->num_scanouts) {
> +			if (vgdev->has_edid)
> +				virtio_gpu_cmd_get_edids(vgdev);

Worth doing the same thing in virtio_gpu_init()? Aka move the has_edid
&& get_edids within the num_scanouts if block.

HTH
Emil
  
Dmitry Osipenko March 6, 2023, 3:55 p.m. UTC | #3
On 3/6/23 18:02, Emil Velikov wrote:
> On 2023/03/06, Dmitry Osipenko wrote:
>> VirtIO-GPU got a new config option for disabling KMS. There were two
>> problems left unnoticed during review when the new option was added:
>>
>> 1. The IS_ENABLED(CONFIG_DRM_VIRTIO_GPU_KMS) check in the code was
>> inverted, hence KMS was disabled when it should be enabled and vice versa.
>>
>> 2. The disabled KMS crashed kernel with a NULL dereference in
>> drm_kms_helper_hotplug_event(), which shall not be invoked with a
>> disabled KMS.
>>
>> Fix the inverted config option check in the code and skip handling the
>> VIRTIO_GPU_EVENT_DISPLAY sent by host when KMS is disabled in guest to fix
>> the crash.
>>
>> Fixes: 72122c69d717 ("drm/virtio: Add option to disable KMS support")
>> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
>> ---
>>
>> Changelog:
>>
>> v2: - Moved the "has_edid" under the "num_scanouts" condition, like was
>>       suggested by Gerd Hoffmann.
>>
> 
> Hi Dmitry, I think there's more than one piece like that in the driver.
> 
>>  drivers/gpu/drm/virtio/virtgpu_kms.c | 14 ++++++++------
>>  1 file changed, 8 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
>> index 874ad6c2621a..15f2519988e7 100644
>> --- a/drivers/gpu/drm/virtio/virtgpu_kms.c
>> +++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
>> @@ -43,11 +43,13 @@ static void virtio_gpu_config_changed_work_func(struct work_struct *work)
>>  	virtio_cread_le(vgdev->vdev, struct virtio_gpu_config,
>>  			events_read, &events_read);
>>  	if (events_read & VIRTIO_GPU_EVENT_DISPLAY) {
>> -		if (vgdev->has_edid)
>> -			virtio_gpu_cmd_get_edids(vgdev);
>> -		virtio_gpu_cmd_get_display_info(vgdev);
>> -		virtio_gpu_notify(vgdev);
>> -		drm_helper_hpd_irq_event(vgdev->ddev);
>> +		if (vgdev->num_scanouts) {
>> +			if (vgdev->has_edid)
>> +				virtio_gpu_cmd_get_edids(vgdev);
> 
> Worth doing the same thing in virtio_gpu_init()? Aka move the has_edid
> && get_edids within the num_scanouts if block.

Good catch, that could be done for consistency.
  

Patch

diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
index 874ad6c2621a..15f2519988e7 100644
--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
+++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
@@ -43,11 +43,13 @@  static void virtio_gpu_config_changed_work_func(struct work_struct *work)
 	virtio_cread_le(vgdev->vdev, struct virtio_gpu_config,
 			events_read, &events_read);
 	if (events_read & VIRTIO_GPU_EVENT_DISPLAY) {
-		if (vgdev->has_edid)
-			virtio_gpu_cmd_get_edids(vgdev);
-		virtio_gpu_cmd_get_display_info(vgdev);
-		virtio_gpu_notify(vgdev);
-		drm_helper_hpd_irq_event(vgdev->ddev);
+		if (vgdev->num_scanouts) {
+			if (vgdev->has_edid)
+				virtio_gpu_cmd_get_edids(vgdev);
+			virtio_gpu_cmd_get_display_info(vgdev);
+			virtio_gpu_notify(vgdev);
+			drm_helper_hpd_irq_event(vgdev->ddev);
+		}
 		events_clear |= VIRTIO_GPU_EVENT_DISPLAY;
 	}
 	virtio_cwrite_le(vgdev->vdev, struct virtio_gpu_config,
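
Review bot: the new `if (vgdev->num_scanouts)` guard in virtio_gpu_config_changed_work_func() has no comment saying that a zero scanout count is what marks KMS as disabled, so the reason for skipping drm_helper_hpd_irq_event() can only be recovered from the commit message. A one-line comment above the guard would make it less likely that a later refactor drops the check and reintroduces the NULL dereference. Keeping `events_clear |= VIRTIO_GPU_EVENT_DISPLAY;` outside the guard looks right, because the event bit is still added to events_clear when the display handling is skipped.
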
@@ -224,7 +226,7 @@  int virtio_gpu_init(struct virtio_device *vdev, struct drm_device *dev)
 	vgdev->num_scanouts = min_t(uint32_t, num_scanouts,
 				    VIRTIO_GPU_MAX_SCANOUTS);
 
-	if (IS_ENABLED(CONFIG_DRM_VIRTIO_GPU_KMS) || !vgdev->num_scanouts) {
+	if (!IS_ENABLED(CONFIG_DRM_VIRTIO_GPU_KMS) || !vgdev->num_scanouts) {
 		DRM_INFO("KMS disabled\n");
 		vgdev->num_scanouts = 0;
 		vgdev->has_edid = false;
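
Review bot: in virtio_gpu_init(), `DRM_INFO("KMS disabled\n")` is reached for two different reasons, CONFIG_DRM_VIRTIO_GPU_KMS being off or vgdev->num_scanouts being zero, and the log line does not say which one applied. Consider making the message distinguish the two cases so that a guest built without KMS can be told apart from one that ended up with zero scanouts. Since the bug fixed here was a single missing `!`, a short comment on the condition stating its intended meaning would also help future review.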