From: Dmitry Osipenko <digetx@gmail.com>
Date: Thu, 15 Jun 2017 02:18:37 +0300
Subject: gpu: host1x: Forbid unrelated SETCLASS opcode in the firewall
Git-commit: 0f563a4bf66e5182f0882efee398f7e6bc0bb1be
Patch-mainline: v4.13-rc1
References: FATE#326289 FATE#326079 FATE#326049 FATE#322398 FATE#326166
Several channels could be made to write the same unit concurrently via
the SETCLASS opcode, trusting userspace is a bad idea. It should be
possible to drop the per-client channel reservation and add a per-unit
locking by inserting MLOCK's to the command stream to re-allow the
SETCLASS opcode, but it will be much more work. Let's forbid the
unit-unrelated class changes for now.
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Reviewed-by: Erik Faye-Lund <kusmabite@gmail.com>
Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Acked-by: Petr Tesarik <ptesarik@suse.com>
---
drivers/gpu/drm/tegra/drm.c | 1 +
drivers/gpu/drm/tegra/drm.h | 1 +
drivers/gpu/drm/tegra/gr2d.c | 7 +++++++
drivers/gpu/host1x/job.c | 24 ++++++++++++++++++++----
include/linux/host1x.h | 3 +++
5 files changed, 32 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/tegra/drm.c
+++ b/drivers/gpu/drm/tegra/drm.c
@@ -532,6 +532,7 @@ int tegra_drm_submit(struct tegra_drm_co
}
job->is_addr_reg = context->client->ops->is_addr_reg;
+ job->is_valid_class = context->client->ops->is_valid_class;
job->syncpt_incrs = syncpt.incrs;
job->syncpt_id = syncpt.id;
job->timeout = 10000;
--- a/drivers/gpu/drm/tegra/drm.h
+++ b/drivers/gpu/drm/tegra/drm.h
@@ -83,6 +83,7 @@ struct tegra_drm_client_ops {
struct tegra_drm_context *context);
void (*close_channel)(struct tegra_drm_context *context);
int (*is_addr_reg)(struct device *dev, u32 class, u32 offset);
+ int (*is_valid_class)(u32 class);
int (*submit)(struct tegra_drm_context *context,
struct drm_tegra_submit *args, struct drm_device *drm,
struct drm_file *file);
--- a/drivers/gpu/drm/tegra/gr2d.c
+++ b/drivers/gpu/drm/tegra/gr2d.c
@@ -109,10 +109,17 @@ static int gr2d_is_addr_reg(struct devic
return 0;
}
+static int gr2d_is_valid_class(u32 class)
+{
+ return (class == HOST1X_CLASS_GR2D ||
+ class == HOST1X_CLASS_GR2D_SB);
+}
+
static const struct tegra_drm_client_ops gr2d_ops = {
.open_channel = gr2d_open_channel,
.close_channel = gr2d_close_channel,
.is_addr_reg = gr2d_is_addr_reg,
+ .is_valid_class = gr2d_is_valid_class,
.submit = tegra_drm_submit,
};
--- a/drivers/gpu/host1x/job.c
+++ b/drivers/gpu/host1x/job.c
@@ -341,6 +341,9 @@ struct host1x_firewall {
static int check_register(struct host1x_firewall *fw, unsigned long offset)
{
+ if (!fw->job->is_addr_reg)
+ return 0;
+
if (fw->job->is_addr_reg(fw->dev, fw->class, offset)) {
if (!fw->num_relocs)
return -EINVAL;
@@ -355,6 +358,19 @@ static int check_register(struct host1x_
return 0;
}
+static int check_class(struct host1x_firewall *fw, u32 class)
+{
+ if (!fw->job->is_valid_class) {
+ if (fw->class != class)
+ return -EINVAL;
+ } else {
+ if (!fw->job->is_valid_class(fw->class))
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
static int check_mask(struct host1x_firewall *fw)
{
u32 mask = fw->mask;
@@ -428,11 +444,9 @@ static int validate(struct host1x_firewa
{
u32 *cmdbuf_base = (u32 *)fw->job->gather_copy_mapped +
(g->offset / sizeof(u32));
+ u32 job_class = fw->class;
int err = 0;
- if (!fw->job->is_addr_reg)
- return 0;
-
fw->words = g->words;
fw->cmdbuf = g->bo;
fw->offset = 0;
@@ -452,7 +466,9 @@ static int validate(struct host1x_firewa
fw->class = word >> 6 & 0x3ff;
fw->mask = word & 0x3f;
fw->reg = word >> 16 & 0xfff;
- err = check_mask(fw);
+ err = check_class(fw, job_class);
+ if (!err)
+ err = check_mask(fw);
if (err)
goto out;
break;
--- a/include/linux/host1x.h
+++ b/include/linux/host1x.h
@@ -235,6 +235,9 @@ struct host1x_job {
/* Check if register is marked as an address reg */
int (*is_addr_reg)(struct device *dev, u32 reg, u32 class);
+ /* Check if class belongs to the unit */
+ int (*is_valid_class)(u32 class);
+
/* Request a SETCLASS to this class */
u32 class;