msm: kgsl: Keep postamble packets in a privileged buffer
Postamble packets are executed in privileged mode by gpu. So we should keep
them in a privileged scratch buffer to block userspace access. For
targets with APRIV feature support, we can mark the preemption scratch
buffer as privileged too to avoid similar issues in future.
Bug: 276750663
Change-Id: Ifda360dda251083f38dfde80ce1b5dc83daae902
Signed-off-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
Signed-off-by: Kaushal Sanadhya <quic_ksanadhy@quicinc.com>
Signed-off-by: Sean Callanan <spyffe@google.com>
diff --git a/drivers/gpu/msm/adreno.h b/drivers/gpu/msm/adreno.h
index a3016d7..4a02fc4 100644
--- a/drivers/gpu/msm/adreno.h
+++ b/drivers/gpu/msm/adreno.h
@@ -1,5 +1,5 @@
/* Copyright (c) 2008-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -35,9 +35,6 @@
#define DEVICE_3D_NAME "kgsl-3d"
#define DEVICE_3D0_NAME "kgsl-3d0"
-/* Index to preemption scratch buffer to store KMD postamble */
-#define KMD_POSTAMBLE_IDX 100
-
/* ADRENO_DEVICE - Given a kgsl_device return the adreno device struct */
#define ADRENO_DEVICE(device) \
container_of(device, struct adreno_device, dev)
diff --git a/drivers/gpu/msm/adreno_a6xx_preempt.c b/drivers/gpu/msm/adreno_a6xx_preempt.c
index 7c4c621..a82c639 100644
--- a/drivers/gpu/msm/adreno_a6xx_preempt.c
+++ b/drivers/gpu/msm/adreno_a6xx_preempt.c
@@ -1,5 +1,5 @@
/* Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
- * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -561,8 +561,8 @@
* preemption
*/
if (!adreno_dev->perfcounter) {
- u64 kmd_postamble_addr =
- PREEMPT_SCRATCH_ADDR(adreno_dev, KMD_POSTAMBLE_IDX);
+ u64 kmd_postamble_addr = SCRATCH_POSTAMBLE_ADDR
+ (KGSL_DEVICE(adreno_dev));
*cmds++ = cp_type7_packet(CP_SET_AMBLE, 3);
*cmds++ = lower_32_bits(kmd_postamble_addr);
@@ -806,14 +806,15 @@
}
/*
- * First 8 dwords of the preemption scratch buffer is used to store the
- * address for CP to save/restore VPC data. Reserve 11 dwords in the
- * preemption scratch buffer from index KMD_POSTAMBLE_IDX for KMD
- * postamble pm4 packets
+ * First 28 dwords of the device scratch buffer are used to store
+ * shadow rb data. Reserve 11 dwords in the device scratch buffer
+ * from SCRATCH_POSTAMBLE_OFFSET for KMD postamble pm4 packets.
+ * This should be in *device->scratch* so that userspace cannot
+ * access it.
*/
if (!adreno_dev->perfcounter) {
- u32 *postamble = preempt->scratch.hostptr +
- (KMD_POSTAMBLE_IDX * sizeof(u64));
+ u32 *postamble = device->scratch.hostptr +
+ SCRATCH_POSTAMBLE_OFFSET;
u32 count = 0;
postamble[count++] = cp_type7_packet(CP_REG_RMW, 3);
diff --git a/drivers/gpu/msm/kgsl.h b/drivers/gpu/msm/kgsl.h
index 93b59a8..44441f5 100644
--- a/drivers/gpu/msm/kgsl.h
+++ b/drivers/gpu/msm/kgsl.h
@@ -1,4 +1,5 @@
/* Copyright (c) 2008-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -83,6 +84,11 @@
#define SCRATCH_RPTR_GPU_ADDR(dev, id) \
((dev)->scratch.gpuaddr + SCRATCH_RPTR_OFFSET(id))
+/* OFFSET to KMD postamble packets in scratch buffer */
+#define SCRATCH_POSTAMBLE_OFFSET (100 * sizeof(u64))
+#define SCRATCH_POSTAMBLE_ADDR(dev) \
+ ((dev)->scratch.gpuaddr + SCRATCH_POSTAMBLE_OFFSET)
+
/* Timestamp window used to detect rollovers (half of integer range) */
#define KGSL_TIMESTAMP_WINDOW 0x80000000
