[Intel-gfx] [CI 1/2] drm/i915/guc: Fix null pointer dereference when GuC FW is not available

Michal Wajdeczko michal.wajdeczko at intel.com
Fri Mar 23 19:04:49 UTC 2018

On Fri, 23 Mar 2018 19:40:10 +0100, Yaodong Li <yaodong.li at intel.com>  

> On 03/23/2018 11:26 AM, Michal Wajdeczko wrote:
>> On Fri, 23 Mar 2018 19:03:47 +0100, Yaodong Li <yaodong.li at intel.com>  
>> wrote:
>>> On 03/23/2018 05:27 AM, Michal Wajdeczko wrote:
>>>> On Fri, 23 Mar 2018 13:07:15 +0100, Sagar Arun Kamble  
>>>> <sagar.a.kamble at intel.com> wrote:
>>>>> On 3/23/2018 4:53 PM, Piotr Piórkowski wrote:
>>>>>> If GuC firmware is not available on the system and we load i915  
>>>>>> with enable
>>>>>> GuC, then we hit this null pointer dereference issue:
>>>>> Patch looks good but I have query on usage of enable_guc modparam.
>>>>> enable_guc modparam will enable GuC/HuC only if firmware is  
>>>>> available.
>>>> During modparam sanitization phase, code will only check for firmware
>>>> name, code will attempt to check if firmware file exists.
>>> Is it better if we won't even call into upload FW once we found the FW  
>>> fetching was failed?
>>>>> If user sets to forcefully enable GuC/HuC on systems that don't have  
>>>>> firmware then it is user's fault.
>>>> Sure its user's fault, but event in such case we should just  
>>>> gracefully
>>>> abort driver load, without any NULL pointer BUG ;)
>>>> And note, that we will hit this bug not only when user force GuC with:
>>>>     enable_guc=1 guc_firmware_path=/does/not/exist
>>>> but also when user just specify auto mode:
>>>>     enable_guc=-1
>>>> when predefined firmwares are not present (not installed or removed)
>>> it feels like it's still user's fault even with the auto mode. why the  
>>> user even set
>>> the enable_guc to -1 after known the fact that the FWs are not present?
>>> I mean should users be expected to know the fact that the auto mode
>>> enable_guc = -1 will enable the GuC and HuC, if the guc_firmware_path  
>>> was left
>>> to be none?
>> GuC fw path will not be none, as we have some hardcoded paths in the  
>> code.
>> And we don't tell the user that after turning on 'auto' mode, he has to
>> do something special. Only later in case of fw fetch errors, we are just
>> printing error message with extra help:
>> "%s: Failed to fetch firmware %s (error %d)\n"
>> "%s: Firmware can be downloaded from %s\n"
> In this case, back to my question: maybe it's a better idea to make  
> things stops here
> instead of continuing to call following functions such as uc_init,  
> uc_init_hw -> fw_upload?

We can stop at many places, but we should be still prepared for broken/
unsigned firmware, and signature will be verified during fw_upload

>>> I agree we should make sure correct pointer access. it's a  
>>> non-excusable fault:)
>>> The thing actually frustrated me was that we failed to screen such an  
>>> error
>>> with the CI, but suddenly it broke things and tests with incorrect  
>>> configurations
>>> (enable_guc set to 1 or -1 + No FW available). so maybe we should add  
>>> a case to
>>> cover such a case in CI as well if we did have such test  
>>> configurations.
>> I guess you can write such test on your own and submit patch to igt-dev  
>> ;)
> :-)
> Regards,
> -Jackie

More information about the Intel-gfx mailing list