Re: Potential Bug in drm/amd/display/dc_link

From: Harry Wentland <harry.wentland@amd.com>
To: Yizhuo Zhai <yzhai003@ucr.edu>,
	sunpeng.li@amd.com, Rodrigo.Siqueira@amd.com,
	David Airlie <airlied@linux.ie>, Daniel Vetter <daniel@ffwll.ch>,
	amd-gfx@lists.freedesktop.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: Potential Bug in drm/amd/display/dc_link
Date: Thu, 9 Dec 2021 17:30:06 -0500	[thread overview]
Message-ID: <52f808a3-7e2d-7ae2-ca62-400137a0b92f@amd.com> (raw)
In-Reply-To: <CABvMjLSXpg00KKkqXH35C7Op0xC3mPaOAhj_xbAOEXL_4Ys_aw@mail.gmail.com>

On 2021-12-09 03:02, Yizhuo Zhai wrote:
> Hi All:
> I just found a bug in the cramfs using the static analysis tool, but
> not sure if this could happen in reality, could you please advise me
> here? Thanks for your attention : ) And please ignore the last one
> with HTML format if you did not filter it out.
> 
> In function enable_stream_features(), the variable
> "old_downspread.raw" could be uninitialized if core_link_read_dpcd
> fails(), however, it is used in the later if statement, and further,
> core_link_write_dpcd() may write random value, which is potentially
> unsafe. But this function does not return the error code to the up
> caller and I got stuck in drafting the patch, could you please advise
> me here?
> 

Thanks for highlighting this.

Unfortunately we frequently ignore DPCD error codes.

In this case I would do a memset as shown below.

> The related code:
> static void enable_stream_features(struct pipe_ctx *pipe_ctx)
> {
>      union down_spread_ctrl old_downspread;

	memset(&old_downspread, 0, sizeof(old_downspread));

>     core_link_read_dpcd(link, DP_DOWNSPREAD_CTRL,
>                          &old_downspread.raw, sizeof(old_downspread);
> 
>         //old_downspread.raw used here
>         if (new_downspread.raw != old_downspread.raw) {
>                core_link_write_dpcd(link, DP_DOWNSPREAD_CTRL,
>                          &new_downspread.raw, sizeof(new_downspread));
>         }
> }
> enum dc_status core_link_read_dpcd(
>     struct dc_link *link,
>     uint32_t address,
>     uint8_t *data,
>     uint32_t size)
> {
>         //data could be uninitialized if the helpers fails and log
> some error info
>         if (!dm_helpers_dp_read_dpcd(link->ctx,
>                link,address, data, size))
>                       return DC_ERROR_UNEXPECTED;
>         return DC_OK;
> }
> 
> The same issue in function wait_for_training_aux_rd_interval() in
> drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c

I don't see this. Do you mean this one?

> void dp_wait_for_training_aux_rd_interval(
> 	struct dc_link *link,
> 	uint32_t wait_in_micro_secs)
> {
> #if defined(CONFIG_DRM_AMD_DC_DCN)
> 	if (wait_in_micro_secs > 16000)
> 		msleep(wait_in_micro_secs/1000);
> 	else
> 		udelay(wait_in_micro_secs);
> #else
> 	udelay(wait_in_micro_secs);
> #endif
> 
> 	DC_LOG_HW_LINK_TRAINING("%s:\n wait = %d\n",
> 		__func__,
> 		wait_in_micro_secs);
> }

Thanks,
Harry

> 