| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200915155439.GA22371@jcrouse1-lnx.qualcomm.com>
Date: Tue, 15 Sep 2020 09:54:39 -0600
From: Jordan Crouse <jcrouse@...eaurora.org>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Rob Clark <robdclark@...omium.org>
Subject: Re: [PATCH 5.4 105/132] drm/msm: Split the a5xx preemption record
On Tue, Sep 15, 2020 at 04:13:27PM +0200, Greg Kroah-Hartman wrote:
> From: Jordan Crouse <jcrouse@...eaurora.org>
>
> commit 34221545d2069dc947131f42392fd4cebabe1b39 upstream.
>
> The main a5xx preemption record can be marked as privileged to
> protect it from user access but the counters storage needs to be
> remain unprivileged. Split the buffers and mark the critical memory
> as privileged.
>
> Cc: stable@...r.kernel.org
> Signed-off-by: Jordan Crouse <jcrouse@...eaurora.org>
> Signed-off-by: Rob Clark <robdclark@...omium.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Hi. The MSM_BO_MAP_PRIV feature was added after 5.4.
Since we are pulling in 7b3f3948c8b7 ("drm/msm: Disable preemption on all
5xx targets)" preemption will be disabled in the 5.4 stable tree which is enough
to cover the security concern that this patch helped address.
This patch can be dropped.
Jordan
> ---
> drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 +
> drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 25 ++++++++++++++++++++-----
> 2 files changed, 21 insertions(+), 5 deletions(-)
>
> --- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
> +++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
> @@ -31,6 +31,7 @@ struct a5xx_gpu {
> struct msm_ringbuffer *next_ring;
>
> struct drm_gem_object *preempt_bo[MSM_GPU_MAX_RINGS];
> + struct drm_gem_object *preempt_counters_bo[MSM_GPU_MAX_RINGS];
> struct a5xx_preempt_record *preempt[MSM_GPU_MAX_RINGS];
> uint64_t preempt_iova[MSM_GPU_MAX_RINGS];
>
> --- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
> +++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
> @@ -226,19 +226,31 @@ static int preempt_init_ring(struct a5xx
> struct adreno_gpu *adreno_gpu = &a5xx_gpu->base;
> struct msm_gpu *gpu = &adreno_gpu->base;
> struct a5xx_preempt_record *ptr;
> - struct drm_gem_object *bo = NULL;
> - u64 iova = 0;
> + void *counters;
> + struct drm_gem_object *bo = NULL, *counters_bo = NULL;
> + u64 iova = 0, counters_iova = 0;
>
> ptr = msm_gem_kernel_new(gpu->dev,
> A5XX_PREEMPT_RECORD_SIZE + A5XX_PREEMPT_COUNTER_SIZE,
> - MSM_BO_UNCACHED, gpu->aspace, &bo, &iova);
> + MSM_BO_UNCACHED | MSM_BO_MAP_PRIV, gpu->aspace, &bo, &iova);
>
> if (IS_ERR(ptr))
> return PTR_ERR(ptr);
>
> + /* The buffer to store counters needs to be unprivileged */
> + counters = msm_gem_kernel_new(gpu->dev,
> + A5XX_PREEMPT_COUNTER_SIZE,
> + MSM_BO_UNCACHED, gpu->aspace, &counters_bo, &counters_iova);
> + if (IS_ERR(counters)) {
> + msm_gem_kernel_put(bo, gpu->aspace, true);
> + return PTR_ERR(counters);
> + }
> +
> msm_gem_object_set_name(bo, "preempt");
> + msm_gem_object_set_name(counters_bo, "preempt_counters");
>
> a5xx_gpu->preempt_bo[ring->id] = bo;
> + a5xx_gpu->preempt_counters_bo[ring->id] = counters_bo;
> a5xx_gpu->preempt_iova[ring->id] = iova;
> a5xx_gpu->preempt[ring->id] = ptr;
>
> @@ -249,7 +261,7 @@ static int preempt_init_ring(struct a5xx
> ptr->data = 0;
> ptr->cntl = MSM_GPU_RB_CNTL_DEFAULT;
> ptr->rptr_addr = rbmemptr(ring, rptr);
> - ptr->counter = iova + A5XX_PREEMPT_RECORD_SIZE;
> + ptr->counter = counters_iova;
>
> return 0;
> }
> @@ -260,8 +272,11 @@ void a5xx_preempt_fini(struct msm_gpu *g
> struct a5xx_gpu *a5xx_gpu = to_a5xx_gpu(adreno_gpu);
> int i;
>
> - for (i = 0; i < gpu->nr_rings; i++)
> + for (i = 0; i < gpu->nr_rings; i++) {
> msm_gem_kernel_put(a5xx_gpu->preempt_bo[i], gpu->aspace, true);
> + msm_gem_kernel_put(a5xx_gpu->preempt_counters_bo[i],
> + gpu->aspace, true);
> + }
> }
>
> void a5xx_preempt_init(struct msm_gpu *gpu)
>
>
--
The Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
Powered by blists - more mailing lists