]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/commit
UBUNTU: SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
authorJon Bloomfield <jon.bloomfield@intel.com>
Tue, 22 May 2018 20:59:06 +0000 (13:59 -0700)
committerStefan Bader <stefan.bader@canonical.com>
Mon, 4 Nov 2019 17:03:27 +0000 (18:03 +0100)
commita885680d5d2cd4801cd9117b674f5a131e39b63a
tree5587a2a306be0194dcf122160b27fd0a7e948a99
parent1ea5cf23df359786e344318c713a0a2ec36c4503
UBUNTU: SAUCE: drm/i915: Support ro ppgtt mapped cmdparser shadow buffers

CVE-2019-0155

For Gen7, the original cmdparser motive was to permit limited
use of register read/write instructions in unprivileged BB's.
This worked by copying the user supplied bb to a kmd owned
bb, and running it in secure mode, from the ggtt, only if
the scanner finds no unsafe commands or registers.

For Gen8+ we can't use this same technique because running bb's
from the ggtt also disables access to ppgtt space. But we also
do not actually require 'secure' execution since we are only
trying to reduce the available command/register set. Instead we
will copy the user buffer to a kmd owned read-only bb in ppgtt,
and run in the usual non-secure mode.

Note that ro pages are only supported by ppgtt (not ggtt), but
luckily that's exactly what we need.

Add the required paths to map the shadow buffer to ppgtt ro for Gen8+

v2: IS_GEN7/IS_GEN (Mika)
v3: rebase
v4: rebase
v5: rebase

Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
[tyhicks: Backport to 5.3
 - Adjust for different parameters, stack variables, and jump labels in
   eb_parse()]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Timo Aaltonen <tjaalton@ubuntu.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c
drivers/gpu/drm/i915/i915_drv.h
drivers/gpu/drm/i915/i915_gem.c