On Tue, Sep 15, 2020 at 04:13:27PM +0200, Greg Kroah-Hartman wrote:
From: Jordan Crouse jcrouse@codeaurora.org
commit 34221545d2069dc947131f42392fd4cebabe1b39 upstream.
The main a5xx preemption record can be marked as privileged to protect it from user access but the counters storage needs to be remain unprivileged. Split the buffers and mark the critical memory as privileged.
Cc: stable@vger.kernel.org Signed-off-by: Jordan Crouse jcrouse@codeaurora.org Signed-off-by: Rob Clark robdclark@chromium.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Hi. The MSM_BO_MAP_PRIV feature was added after 5.4.
Since we are pulling in 7b3f3948c8b7 ("drm/msm: Disable preemption on all 5xx targets)" preemption will be disabled in the 5.4 stable tree which is enough to cover the security concern that this patch helped address.
This patch can be dropped.
Jordan
drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 + drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 25 ++++++++++++++++++++----- 2 files changed, 21 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h +++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h @@ -31,6 +31,7 @@ struct a5xx_gpu { struct msm_ringbuffer *next_ring; struct drm_gem_object *preempt_bo[MSM_GPU_MAX_RINGS];
- struct drm_gem_object *preempt_counters_bo[MSM_GPU_MAX_RINGS]; struct a5xx_preempt_record *preempt[MSM_GPU_MAX_RINGS]; uint64_t preempt_iova[MSM_GPU_MAX_RINGS];
--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c +++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c @@ -226,19 +226,31 @@ static int preempt_init_ring(struct a5xx struct adreno_gpu *adreno_gpu = &a5xx_gpu->base; struct msm_gpu *gpu = &adreno_gpu->base; struct a5xx_preempt_record *ptr;
- struct drm_gem_object *bo = NULL;
- u64 iova = 0;
- void *counters;
- struct drm_gem_object *bo = NULL, *counters_bo = NULL;
- u64 iova = 0, counters_iova = 0;
ptr = msm_gem_kernel_new(gpu->dev, A5XX_PREEMPT_RECORD_SIZE + A5XX_PREEMPT_COUNTER_SIZE,
MSM_BO_UNCACHED, gpu->aspace, &bo, &iova);
MSM_BO_UNCACHED | MSM_BO_MAP_PRIV, gpu->aspace, &bo, &iova);if (IS_ERR(ptr)) return PTR_ERR(ptr);
- /* The buffer to store counters needs to be unprivileged */
- counters = msm_gem_kernel_new(gpu->dev,
A5XX_PREEMPT_COUNTER_SIZE,MSM_BO_UNCACHED, gpu->aspace, &counters_bo, &counters_iova);- if (IS_ERR(counters)) {
msm_gem_kernel_put(bo, gpu->aspace, true);return PTR_ERR(counters);- }
- msm_gem_object_set_name(bo, "preempt");
- msm_gem_object_set_name(counters_bo, "preempt_counters");
a5xx_gpu->preempt_bo[ring->id] = bo;
- a5xx_gpu->preempt_counters_bo[ring->id] = counters_bo; a5xx_gpu->preempt_iova[ring->id] = iova; a5xx_gpu->preempt[ring->id] = ptr;
@@ -249,7 +261,7 @@ static int preempt_init_ring(struct a5xx ptr->data = 0; ptr->cntl = MSM_GPU_RB_CNTL_DEFAULT; ptr->rptr_addr = rbmemptr(ring, rptr);
- ptr->counter = iova + A5XX_PREEMPT_RECORD_SIZE;
- ptr->counter = counters_iova;
return 0; } @@ -260,8 +272,11 @@ void a5xx_preempt_fini(struct msm_gpu *g struct a5xx_gpu *a5xx_gpu = to_a5xx_gpu(adreno_gpu); int i;
- for (i = 0; i < gpu->nr_rings; i++)
- for (i = 0; i < gpu->nr_rings; i++) { msm_gem_kernel_put(a5xx_gpu->preempt_bo[i], gpu->aspace, true);
msm_gem_kernel_put(a5xx_gpu->preempt_counters_bo[i],gpu->aspace, true);- }
} void a5xx_preempt_init(struct msm_gpu *gpu)