[PATCH] drm/amd/display: Fix possible buffer overflow in 'find_dcfclk_for_voltage()'

[PATCH] drm/amd/display: Fix possible buffer overflow in 'find_dcfclk_for_voltage()'

[Srinivasan Shanmugam]

when 'find_dcfclk_for_voltage()' function is looping over
VG_NUM_SOC_VOLTAGE_LEVELS (which is 8), but the size of the DcfClocks
array is VG_NUM_DCFCLK_DPM_LEVELS (which is 7).

When the loop variable i reaches 7, the function tries to access
clock_table->DcfClocks[7]. However, since the size of the DcfClocks
array is 7, the valid indices are 0 to 6. Index 7 is beyond the size of
the array, leading to a buffer overflow.

Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/dc/clk_mgr/dcn301/vg_clk_mgr.c:550 find_dcfclk_for_voltage() error: buffer overflow 'clock_table->DcfClocks' 7 <= 7

Fixes: 3a83e4e64bb1 ("drm/amd/display: Add dcn3.01 support to DC (v2)")
Cc: Roman Li <Roman.Li@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
---
 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c
index a5489fe6875f..aa9fd1dc550a 100644
--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c
@@ -546,6 +546,8 @@ static unsigned int find_dcfclk_for_voltage(const struct vg_dpm_clocks *clock_ta
 	int i;
 
 	for (i = 0; i < VG_NUM_SOC_VOLTAGE_LEVELS; i++) {
+		if (i >= VG_NUM_DCFCLK_DPM_LEVELS)
+			break;
 		if (clock_table->SocVoltage[i] == voltage)
 			return clock_table->DcfClocks[i];
 	}
-- 
2.34.1

[PATCH] drm/amd/display: Fix possible NULL dereference on device remove/driver unload

[Srinivasan Shanmugam]

As part of a cleanup amdgpu_dm_fini() function, which is typically
called when a device is being shut down or a driver is being unloaded

The below error message suggests that there is a potential null pointer
dereference issue with adev->dm.dc.

In the below, line of code where adev->dm.dc is used without a preceding
null check:

for (i = 0; i < adev->dm.dc->caps.max_links; i++) {

To fix this issue, add a null check for adev->dm.dc before this line.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:1959 amdgpu_dm_fini() error: we previously assumed 'adev->dm.dc' could be null (see line 1943)

Fixes: 006c26a0f1c8 ("drm/amd/display: Fix crash on device remove/driver unload")
Cc: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index b3a5e730be24..d4c1415f4562 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -1956,7 +1956,7 @@ static void amdgpu_dm_fini(struct amdgpu_device *adev)
 				      &adev->dm.dmub_bo_gpu_addr,
 				      &adev->dm.dmub_bo_cpu_addr);
 
-	if (adev->dm.hpd_rx_offload_wq) {
+	if (adev->dm.hpd_rx_offload_wq && adev->dm.dc) {
 		for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
 			if (adev->dm.hpd_rx_offload_wq[i].wq) {
 				destroy_workqueue(adev->dm.hpd_rx_offload_wq[i].wq);
-- 
2.34.1

[PATCH] drm/amd/display: Fix possible use of uninitialized 'max_chunks_fbc_mode' in 'calculate_bandwidth()'

[Srinivasan Shanmugam]

'max_chunks_fbc_mode' is only declared and assigned a value under a
specific condition in the following lines:

if (data->fbc_en[i] == 1) {
	max_chunks_fbc_mode = 128 - dmif_chunk_buff_margin;
}

If 'data->fbc_en[i]' is not equal to 1 for any i, max_chunks_fbc_mode
will not be initialized if it's used outside of this for loop.

Ensure that 'max_chunks_fbc_mode' is properly initialized before it's
used. Initialize it to a default value right after its declaration to
ensure that it gets a value assigned under all possible control flow
paths.

Thus fixing the below:
drivers/gpu/drm/amd/amdgpu/../display/dc/basics/dce_calcs.c:914 calculate_bandwidth() error: uninitialized symbol 'max_chunks_fbc_mode'.
drivers/gpu/drm/amd/amdgpu/../display/dc/basics/dce_calcs.c:917 calculate_bandwidth() error: uninitialized symbol 'max_chunks_fbc_mode'.

Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
---
 drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c b/drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c
index f2dfa96f9ef5..39530b2ea495 100644
--- a/drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c
+++ b/drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c
@@ -94,7 +94,7 @@ static void calculate_bandwidth(
 	const uint32_t s_high = 7;
 	const uint32_t dmif_chunk_buff_margin = 1;
 
-	uint32_t max_chunks_fbc_mode;
+	uint32_t max_chunks_fbc_mode = 0;
 	int32_t num_cursor_lines;
 
 	int32_t i, j, k;
-- 
2.34.1

[PATCH] drm/amd/display: Initialize 'wait_time_microsec' variable in link_dp_training_dpia.c

[Srinivasan Shanmugam]

wait_time_microsec = max(wait_time_microsec, (uint32_t)
DPIA_CLK_SYNC_DELAY);

Above line is trying to assign the maximum value between
'wait_time_microsec' and 'DPIA_CLK_SYNC_DELAY' to wait_time_microsec.
However, 'wait_time_microsec' has not been assigned a value before this
line, initialize 'wait_time_microsec' at the point of declaration.

Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_dp_training_dpia.c:697 dpia_training_eq_non_transparent() error: uninitialized symbol 'wait_time_microsec'.

Fixes: 630168a97314 ("drm/amd/display: move dp link training logic to link_dp_training")
Cc: Wenjing Liu <wenjing.liu@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
---
 .../drm/amd/display/dc/link/protocols/link_dp_training_dpia.c   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_dpia.c b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_dpia.c
index e8dda44b23cb..5d36bab0029c 100644
--- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_dpia.c
+++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_dpia.c
@@ -619,7 +619,7 @@ static enum link_training_result dpia_training_eq_non_transparent(
 	uint32_t retries_eq = 0;
 	enum dc_status status;
 	enum dc_dp_training_pattern tr_pattern;
-	uint32_t wait_time_microsec;
+	uint32_t wait_time_microsec = 0;
 	enum dc_lane_count lane_count = lt_settings->link_settings.lane_count;
 	union lane_align_status_updated dpcd_lane_status_updated = {0};
 	union lane_status dpcd_lane_status[LANE_COUNT_DP_MAX] = {0};
-- 
2.34.1

RE: [PATCH] drm/amd/display: Fix possible buffer overflow in 'find_dcfclk_for_voltage()'

[Li, Roman]

[Public]

> -----Original Message-----
> From: SHANMUGAM, SRINIVASAN <SRINIVASAN.SHANMUGAM@amd.com>
> Sent: Tuesday, February 6, 2024 11:55 PM
> To: Siqueira, Rodrigo <Rodrigo.Siqueira@amd.com>; Pillai, Aurabindo
> <Aurabindo.Pillai@amd.com>
> Cc: amd-gfx@lists.freedesktop.org; SHANMUGAM, SRINIVASAN
> <SRINIVASAN.SHANMUGAM@amd.com>; Li, Roman <Roman.Li@amd.com>
> Subject: [PATCH] drm/amd/display: Fix possible buffer overflow in
> 'find_dcfclk_for_voltage()'
>
> when 'find_dcfclk_for_voltage()' function is looping over
> VG_NUM_SOC_VOLTAGE_LEVELS (which is 8), but the size of the DcfClocks
> array is VG_NUM_DCFCLK_DPM_LEVELS (which is 7).
>
> When the loop variable i reaches 7, the function tries to access clock_table-
> >DcfClocks[7]. However, since the size of the DcfClocks array is 7, the valid
> indices are 0 to 6. Index 7 is beyond the size of the array, leading to a buffer
> overflow.
>
> Fixes the below:
> drivers/gpu/drm/amd/amdgpu/../display/dc/clk_mgr/dcn301/vg_clk_mgr.c:
> 550 find_dcfclk_for_voltage() error: buffer overflow 'clock_table->DcfClocks' 7
> <= 7

I recommend mentioning that this is a static analysis tool error.
With that:
Reviewed-by: Roman Li <roman.li@amd.com>

>
> Fixes: 3a83e4e64bb1 ("drm/amd/display: Add dcn3.01 support to DC (v2)")
> Cc: Roman Li <Roman.Li@amd.com>
> Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
> Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
> ---
>  drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c
> b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c
> index a5489fe6875f..aa9fd1dc550a 100644
> --- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c
> +++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn301/vg_clk_mgr.c
> @@ -546,6 +546,8 @@ static unsigned int find_dcfclk_for_voltage(const
> struct vg_dpm_clocks *clock_ta
>       int i;
>
>       for (i = 0; i < VG_NUM_SOC_VOLTAGE_LEVELS; i++) {
> +             if (i >= VG_NUM_DCFCLK_DPM_LEVELS)
> +                     break;
>               if (clock_table->SocVoltage[i] == voltage)
>                       return clock_table->DcfClocks[i];
>       }
> --
> 2.34.1

RE: [PATCH] drm/amd/display: Initialize 'wait_time_microsec' variable in link_dp_training_dpia.c

[Li, Roman]

[Public]

Reviewed-by: Roman Li <roman.li@amd.com>

> -----Original Message-----
> From: amd-gfx <amd-gfx-bounces@lists.freedesktop.org> On Behalf Of
> Srinivasan Shanmugam
> Sent: Tuesday, February 6, 2024 11:55 PM
> To: Siqueira, Rodrigo <Rodrigo.Siqueira@amd.com>; Pillai, Aurabindo
> <Aurabindo.Pillai@amd.com>
> Cc: amd-gfx@lists.freedesktop.org; SHANMUGAM, SRINIVASAN
> <SRINIVASAN.SHANMUGAM@amd.com>; Liu, Wenjing
> <Wenjing.Liu@amd.com>
> Subject: [PATCH] drm/amd/display: Initialize 'wait_time_microsec' variable in
> link_dp_training_dpia.c
>
> wait_time_microsec = max(wait_time_microsec, (uint32_t)
> DPIA_CLK_SYNC_DELAY);
>
> Above line is trying to assign the maximum value between
> 'wait_time_microsec' and 'DPIA_CLK_SYNC_DELAY' to wait_time_microsec.
> However, 'wait_time_microsec' has not been assigned a value before this line,
> initialize 'wait_time_microsec' at the point of declaration.
>
> Fixes the below:
> drivers/gpu/drm/amd/amdgpu/../display/dc/link/protocols/link_dp_training
> _dpia.c:697 dpia_training_eq_non_transparent() error: uninitialized symbol
> 'wait_time_microsec'.
>
> Fixes: 630168a97314 ("drm/amd/display: move dp link training logic to
> link_dp_training")
> Cc: Wenjing Liu <wenjing.liu@amd.com>
> Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
> Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
> ---
>  .../drm/amd/display/dc/link/protocols/link_dp_training_dpia.c   | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git
> a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_dpia.c
> b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_dpia.c
> index e8dda44b23cb..5d36bab0029c 100644
> --- a/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_dpia.c
> +++ b/drivers/gpu/drm/amd/display/dc/link/protocols/link_dp_training_dpi
> +++ a.c
> @@ -619,7 +619,7 @@ static enum link_training_result
> dpia_training_eq_non_transparent(
>       uint32_t retries_eq = 0;
>       enum dc_status status;
>       enum dc_dp_training_pattern tr_pattern;
> -     uint32_t wait_time_microsec;
> +     uint32_t wait_time_microsec = 0;
>       enum dc_lane_count lane_count = lt_settings-
> >link_settings.lane_count;
>       union lane_align_status_updated dpcd_lane_status_updated = {0};
>       union lane_status dpcd_lane_status[LANE_COUNT_DP_MAX] = {0};
> --
> 2.34.1

RE: [PATCH] drm/amd/display: Fix possible use of uninitialized 'max_chunks_fbc_mode' in 'calculate_bandwidth()'

[Li, Roman]

[Public]

Reviewed-by: Roman Li <roman.li@amd.com>

> -----Original Message-----
> From: amd-gfx <amd-gfx-bounces@lists.freedesktop.org> On Behalf Of
> Srinivasan Shanmugam
> Sent: Tuesday, February 6, 2024 11:55 PM
> To: Siqueira, Rodrigo <Rodrigo.Siqueira@amd.com>; Pillai, Aurabindo
> <Aurabindo.Pillai@amd.com>
> Cc: amd-gfx@lists.freedesktop.org; SHANMUGAM, SRINIVASAN
> <SRINIVASAN.SHANMUGAM@amd.com>; Wentland, Harry
> <Harry.Wentland@amd.com>; Deucher, Alexander
> <Alexander.Deucher@amd.com>
> Subject: [PATCH] drm/amd/display: Fix possible use of uninitialized
> 'max_chunks_fbc_mode' in 'calculate_bandwidth()'
>
> 'max_chunks_fbc_mode' is only declared and assigned a value under a specific
> condition in the following lines:
>
> if (data->fbc_en[i] == 1) {
>       max_chunks_fbc_mode = 128 - dmif_chunk_buff_margin; }
>
> If 'data->fbc_en[i]' is not equal to 1 for any i, max_chunks_fbc_mode will not
> be initialized if it's used outside of this for loop.
>
> Ensure that 'max_chunks_fbc_mode' is properly initialized before it's used.
> Initialize it to a default value right after its declaration to ensure that it gets a
> value assigned under all possible control flow paths.
>
> Thus fixing the below:
> drivers/gpu/drm/amd/amdgpu/../display/dc/basics/dce_calcs.c:914
> calculate_bandwidth() error: uninitialized symbol 'max_chunks_fbc_mode'.
> drivers/gpu/drm/amd/amdgpu/../display/dc/basics/dce_calcs.c:917
> calculate_bandwidth() error: uninitialized symbol 'max_chunks_fbc_mode'.
>
> Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)")
> Cc: Harry Wentland <harry.wentland@amd.com>
> Cc: Alex Deucher <alexander.deucher@amd.com>
> Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
> Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
> ---
>  drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c
> b/drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c
> index f2dfa96f9ef5..39530b2ea495 100644
> --- a/drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c
> +++ b/drivers/gpu/drm/amd/display/dc/basics/dce_calcs.c
> @@ -94,7 +94,7 @@ static void calculate_bandwidth(
>       const uint32_t s_high = 7;
>       const uint32_t dmif_chunk_buff_margin = 1;
>
> -     uint32_t max_chunks_fbc_mode;
> +     uint32_t max_chunks_fbc_mode = 0;
>       int32_t num_cursor_lines;
>
>       int32_t i, j, k;
> --
> 2.34.1

RE: [PATCH] drm/amd/display: Fix possible NULL dereference on device remove/driver unload

[Li, Roman]

[AMD Official Use Only - General]

Reviewed-by: Roman Li <roman.li@amd.com>

> -----Original Message-----
> From: amd-gfx <amd-gfx-bounces@lists.freedesktop.org> On Behalf Of
> Srinivasan Shanmugam
> Sent: Tuesday, February 6, 2024 11:55 PM
> To: Siqueira, Rodrigo <Rodrigo.Siqueira@amd.com>; Pillai, Aurabindo
> <Aurabindo.Pillai@amd.com>
> Cc: amd-gfx@lists.freedesktop.org; SHANMUGAM, SRINIVASAN
> <SRINIVASAN.SHANMUGAM@amd.com>; Andrey Grodzovsky
> <andrey.grodzovsky@amd.com>; Wentland, Harry
> <Harry.Wentland@amd.com>
> Subject: [PATCH] drm/amd/display: Fix possible NULL dereference on device
> remove/driver unload
>
> As part of a cleanup amdgpu_dm_fini() function, which is typically called when
> a device is being shut down or a driver is being unloaded
>
> The below error message suggests that there is a potential null pointer
> dereference issue with adev->dm.dc.
>
> In the below, line of code where adev->dm.dc is used without a preceding null
> check:
>
> for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
>
> To fix this issue, add a null check for adev->dm.dc before this line.
>
> Reported by smatch:
> drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:1959
> amdgpu_dm_fini() error: we previously assumed 'adev->dm.dc' could be null
> (see line 1943)
>
> Fixes: 006c26a0f1c8 ("drm/amd/display: Fix crash on device remove/driver
> unload")
> Cc: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
> Cc: Harry Wentland <harry.wentland@amd.com>
> Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
> Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
> Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
> ---
>  drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> index b3a5e730be24..d4c1415f4562 100644
> --- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> +++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
> @@ -1956,7 +1956,7 @@ static void amdgpu_dm_fini(struct amdgpu_device
> *adev)
>                                     &adev->dm.dmub_bo_gpu_addr,
>                                     &adev->dm.dmub_bo_cpu_addr);
>
> -     if (adev->dm.hpd_rx_offload_wq) {
> +     if (adev->dm.hpd_rx_offload_wq && adev->dm.dc) {
>               for (i = 0; i < adev->dm.dc->caps.max_links; i++) {
>                       if (adev->dm.hpd_rx_offload_wq[i].wq) {
>                               destroy_workqueue(adev-
> >dm.hpd_rx_offload_wq[i].wq);
> --
> 2.34.1