[bug report] drm/i915/gvt: update vreg on inhibit context lri command

Dan Carpenter dan.carpenter at oracle.com
Thu Apr 28 12:25:26 UTC 2022 

Hello Hang Yuan,

The patch 6cef21a19649: "drm/i915/gvt: update vreg on inhibit context
lri command" from Jul 3, 2018, leads to the following Smatch static
checker warning:

drivers/gpu/drm/i915/gvt/cmd_parser.c:1017 cmd_reg_handler() error: uninitialized symbol 'ctx_sr_ctl'.
drivers/gpu/drm/i915/gvt/scheduler.c:1652 intel_vgpu_create_workload() error: uninitialized symbol 'head'.
drivers/gpu/drm/i915/gvt/scheduler.c:1655 intel_vgpu_create_workload() warn: uninitialized special assign 'tail &= ((1 << 21) - (1 << 3))'
drivers/gpu/drm/i915/gvt/scheduler.c:1683 intel_vgpu_create_workload() error: uninitialized symbol 'start'.
drivers/gpu/drm/i915/gvt/scheduler.c:1684 intel_vgpu_create_workload() error: uninitialized symbol 'ctl'.
drivers/gpu/drm/i915/gvt/scheduler.c:1709 intel_vgpu_create_workload() error: uninitialized symbol 'indirect_ctx'.
drivers/gpu/drm/i915/gvt/scheduler.c:1726 intel_vgpu_create_workload() error: uninitialized symbol 'per_ctx'.
drivers/gpu/drm/i915/gvt/handlers.c:2847 handle_mmio() error: potentially dereferencing uninitialized 'info'.

drivers/gpu/drm/i915/gvt/cmd_parser.c
    889 static int cmd_reg_handler(struct parser_exec_state *s,
    890         unsigned int offset, unsigned int index, char *cmd)
    891 {
    892         struct intel_vgpu *vgpu = s->vgpu;
    893         struct intel_gvt *gvt = vgpu->gvt;
    894         u32 ctx_sr_ctl;
    895         u32 *vreg, vreg_old;
    896 

[ snip ]

    997 
    998         /* only patch cmd. restore vreg value if changed in mmio write handler*/
    999         *vreg = vreg_old;
    1000 
    1001         /* TODO
    1002          * In order to let workload with inhibit context to generate
    1003          * correct image data into memory, vregs values will be loaded to
    1004          * hw via LRIs in the workload with inhibit context. But as
    1005          * indirect context is loaded prior to LRIs in workload, we don't
    1006          * want reg values specified in indirect context overwritten by
    1007          * LRIs in workloads. So, when scanning an indirect context, we
    1008          * update reg values in it into vregs, so LRIs in workload with
    1009          * inhibit context will restore with correct values
    1010          */
    1011         if (GRAPHICS_VER(s->engine->i915) == 9 &&
    1012             intel_gvt_mmio_is_sr_in_ctx(gvt, offset) &&
    1013             !strncmp(cmd, "lri", 3)) {
    1014                 intel_gvt_read_gpa(s->vgpu,
    1015                         s->workload->ring_context_gpa + 12, &ctx_sr_ctl, 4);

There is no error checking for if intel_gvt_read_gpa() fails.  It looks
like ctx_sr_ctl comes from copy_from_user() so it could easily fail.

    1016                 /* check inhibit context */
--> 1017                 if (ctx_sr_ctl & 1) {
                             ^^^^^^^^^^
Uninitialized on error path.  The other warnings seem to be similar.

    1018                         u32 data = cmd_val(s, index + 1);
    1019 
    1020                         if (intel_gvt_mmio_has_mode_mask(s->vgpu->gvt, offset))
    1021                                 intel_vgpu_mask_mmio_write(vgpu,
    1022                                                         offset, &data, 4);
    1023                         else
    1024                                 vgpu_vreg(vgpu, offset) = data;
    1025                 }
    1026         }
    1027 
    1028         return 0;
    1029 }

regards,
dan carpenter

More information about the intel-gvt-dev mailing list