Re: [Intel-gfx] [PATCH] [i915] avoid infinite retries in GuC/HuC loading

[John Harrison <john.c.harrison@intel.com>]

On 3/26/2023 02:46, Alexandre Oliva wrote:
> Hello, John,
>
> On Mar 24, 2023, John Harrison <john.c.harrison@intel.com> wrote:
>
>> On 3/12/2023 12:56, Alexandre Oliva wrote:
>>> If two or more suitable entries with the same filename are found in
>>> __uc_fw_auto_select's fw_blobs, and that filename fails to load in the
>>> first attempt and in the retry, when __uc_fw_auto_select is called for
>>> the third time, the coincidence of strings will cause it to clear
>>> file_selected.path at the first hit, so it will return the second hit
>>> over and over again, indefinitely.
>>>
>>> Of course this doesn't occur with the pristine blob lists, but a
>>> modified version could run into this, e.g., patching in a duplicate
>>> entry, or (as in our case) disarming blob loading by remapping their
>>> names to "/*(DEBLOBBED)*/", given a toolchain that unifies identical
>>> string literals.
>> Not sure what you mean by disarming?
> Our users find loading nonfree firmware harmful.
>
>> I think what you are saying is that you made a change similar to this?
>>      #define __MAKE_UC_FW_PATH_MMP(prefix_, name_, major_, minor_,
>> patch_) "i915/invalid_file_name.bin"
> Yeah, that's the jist of it.  The name we use is "/*(DEBLOBBED)*/", so
> that it can't possibly be satisfied.
>
>> So all entries in the table have the exact same filename.
> *nod*
>
>> And with the toolchain unification comment, that means not just a
>> matching string but the same string pointer. Thus, the search code is
>> getting confused.
> Exactly
>
>> I'm not sure that is really a valid use case that the driver code
>> should be expected to support.
> It's most certainly not.  As I wrote, I'd be happy to keep on carrying
> the patch that adjusts the code to cope with our changes.  I just
> thought the same issue could come up by, say, mistakenly applying a
> patch twice to add support for a new card, a circumstance in which one
> might not have the card readily available to try it out.
Not following this argument. You can't add support for a card that you 
don't have access to. GuC firmware is produced internally by Intel so it 
isn't going to be added by some third party person. And internally, we 
have CI systems up and running for each platform before the patches to 
support that platform land in the upstream tree. So any such error most 
certainly should be caught by pre-merge CI.

>> Even without the infinite loop, the driver is not
>> going to load because you have removed the firmware files?
> Oh, no, the driver loads just fine even without those blobs, and that's
> much nicer of you than other drivers for hardware that doesn't really
> require blobs, but that insist on bailing out if the firmware can't be
> loaded.  i915 hasn't been hostile like that.
That situation won't last...

> When you override the firmware filenames, and it fails to load, the
> driver makes it a (reasonable IMHO) hard fail, but when it just fails to
> find the regular firmware files, it's nice that it proceeds that does
> the best it can.
>
>> However, I think you are saying that the problem would also exist if
>> there was some kind of genuine duplication in the table?
> Yes.  Not the kind you mention, for different platforms, but an actual
> duplicate entry, such as what you might get if you applied a patch that
> added an entry for a new card, and then applied it again, resolving the
> conflicts in a way that retained the duplicate entries.
I would consider that a bug that should never make it past either 
pre-merge CI or code review.

Also, that is what we have the table verification code for - ensuring 
that bugs don't creep in to the table. So if you have spotted a hole in 
that verification then I do think it needs plugging.

Unfortunately for you, I think that is the best way forward for 
i915/Intel. Enhancing the verification step to ensure that such bugs 
can't happen before it gets to do the search. However, I think there are 
easier ways for you to modify the driver to prevent firmware loading. 
E.g. rather than modifying the table, just force an early exit from the 
loading code itself. And if you really do need to remove the firmware 
files from the compiled binary completely, then replacing them with 
unique names would also work - '/*(DEBLOBBED_1)*/', '/*(DEBLOBBED_2)*/', 
etc.


>
>> So there can only be a problem if a single platform specifies the same
>> filename multiple times? Which would be a bug in the table because
>> why? It would be redundant entries that have no purpose.
> Agreed.
>
>> Note that I'm not saying we don't want to take your change. But I
>> would like to understand if there is a genuine issue that maybe needs
>> a better fix. E.g. should the table verification code be enhanced to
>> just reject the table entirely if there are such errors present.
> Table verification might wish to detect and report duplicate filenames
> for the same platform, to catch even alternating duplicates (e.g. "a",
> then "b", then "a" again), but it would be kind if you didn't make that
> a hard error, otherwise we'd have to tweak it to cope with our own
> "/*(DEBLOBBED)*/" duplicates.
>
> Another approach, that would probably be more efficient as the table
> grows, is to store in uc_fw a pointer to or index of the current or next
> entry to be searched, so that the code doesn't have to iterate over the
> table at every try (O(n^2)), and instead takes it from exactly where it
> left off, running overall a single time over the whole table (O(n)), at
> the cost of a pointer or index in uc_fw.  Then, duplicates in the table
> wouldn't matter at all.
>
>> Also, is this string unification thing a part of the current gcc
>> toolchain?
> Yeah, compilers and linkers have been unifying (read-only) string
> literals for a very long time.
That's what I would have assumed. Which is why I was confused that you 
were saying 'if you use a toolchain that does this'. It seemed that you 
were implying that most don't and this was a special situation.

John.

>
> Thanks,
>