From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Victor Zhao <Victor.Zhao@amd.com>,
Jingwen Chen <Jingwen.Chen2@amd.com>, Monk Liu <monk.liu@amd.com>,
Alex Deucher <alexander.deucher@amd.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.12 44/48] drm/amd/amdgpu:save psp ring wptr to avoid attack
Date: Wed, 16 Jun 2021 17:33:54 +0200 [thread overview]
Message-ID: <20210616152838.032034749@linuxfoundation.org> (raw)
In-Reply-To: <20210616152836.655643420@linuxfoundation.org>
From: Victor Zhao <Victor.Zhao@amd.com>
[ Upstream commit 2370eba9f552eaae3d8aa1f70b8e9eec5c560f9e ]
[Why]
When some tools performing psp mailbox attack, the readback value
of register can be a random value which may break psp.
[How]
Use a psp wptr cache machanism to aovid the change made by attack.
v2: unify change and add detailed reason
Signed-off-by: Victor Zhao <Victor.Zhao@amd.com>
Signed-off-by: Jingwen Chen <Jingwen.Chen2@amd.com>
Reviewed-by: Monk Liu <monk.liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h | 1 +
drivers/gpu/drm/amd/amdgpu/psp_v11_0.c | 3 ++-
drivers/gpu/drm/amd/amdgpu/psp_v3_1.c | 3 ++-
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h
index cb50ba445f8c..0fd62a8e68c2 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.h
@@ -76,6 +76,7 @@ struct psp_ring
uint64_t ring_mem_mc_addr;
void *ring_mem_handle;
uint32_t ring_size;
+ uint32_t ring_wptr;
};
/* More registers may will be supported */
diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c b/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c
index c325d6f53a71..d39735a89a25 100644
--- a/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/psp_v11_0.c
@@ -720,7 +720,7 @@ static uint32_t psp_v11_0_ring_get_wptr(struct psp_context *psp)
struct amdgpu_device *adev = psp->adev;
if (amdgpu_sriov_vf(adev))
- data = RREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_102);
+ data = psp->km_ring.ring_wptr;
else
data = RREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_67);
@@ -734,6 +734,7 @@ static void psp_v11_0_ring_set_wptr(struct psp_context *psp, uint32_t value)
if (amdgpu_sriov_vf(adev)) {
WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_102, value);
WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_101, GFX_CTRL_CMD_ID_CONSUME_CMD);
+ psp->km_ring.ring_wptr = value;
} else
WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_67, value);
}
diff --git a/drivers/gpu/drm/amd/amdgpu/psp_v3_1.c b/drivers/gpu/drm/amd/amdgpu/psp_v3_1.c
index f2e725f72d2f..908664a5774b 100644
--- a/drivers/gpu/drm/amd/amdgpu/psp_v3_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/psp_v3_1.c
@@ -379,7 +379,7 @@ static uint32_t psp_v3_1_ring_get_wptr(struct psp_context *psp)
struct amdgpu_device *adev = psp->adev;
if (amdgpu_sriov_vf(adev))
- data = RREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_102);
+ data = psp->km_ring.ring_wptr;
else
data = RREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_67);
return data;
@@ -394,6 +394,7 @@ static void psp_v3_1_ring_set_wptr(struct psp_context *psp, uint32_t value)
/* send interrupt to PSP for SRIOV ring write pointer update */
WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_101,
GFX_CTRL_CMD_ID_CONSUME_CMD);
+ psp->km_ring.ring_wptr = value;
} else
WREG32_SOC15(MP0, 0, mmMP0_SMN_C2PMSG_67, value);
}
--
2.30.2
next prev parent reply other threads:[~2021-06-16 15:42 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-16 15:33 [PATCH 5.12 00/48] 5.12.12-rc1 review Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 01/48] net: ieee802154: fix null deref in parse dev addr Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 02/48] HID: asus: Filter keyboard EC for old ROG keyboard Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 03/48] HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 04/48] HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K15A keyboard-dock Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 05/48] HID: a4tech: use A4_2WHEEL_MOUSE_HACK_B8 for A4TECH NB-95 Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 06/48] HID: hid-input: add mapping for emoji picker key Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 07/48] HID: hid-sensor-hub: Return error for hid_set_field() failure Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 08/48] HID: asus: filter G713/G733 key event to prevent shutdown Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 09/48] HID: quirks: Add quirk for Lenovo optical mouse Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 10/48] HID: multitouch: set Stylus suffix for Stylus-application devices, too Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 11/48] HID: Add BUS_VIRTUAL to hid_connect logging Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 12/48] HID: usbhid: fix info leak in hid_submit_ctrl Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 13/48] mt76: mt7921: fix max aggregation subframes setting Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 14/48] drm/tegra: sor: Do not leak runtime PM reference Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 15/48] gpu: host1x: Split up client initalization and registration Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 16/48] drm/tegra: sor: Fully initialize SOR before registration Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 17/48] hwmon/pmbus: (q54sj108a2) The PMBUS_MFR_ID is actually 6 chars instead of 5 Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 18/48] ARM: OMAP1: Fix use of possibly uninitialized irq variable Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 19/48] ARM: OMAP2+: Fix build warning when mmc_omap is not built Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 20/48] gfs2: Prevent direct-I/O write fallback errors from getting lost Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 21/48] gfs2: fix a deadlock on withdraw-during-mount Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 22/48] gfs2: Clean up revokes on normal withdraws Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 23/48] HID: multitouch: Disable event reporting on suspend on the Asus T101HA touchpad Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 24/48] HID: gt683r: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 25/48] HID: intel-ish-hid: ipc: Add Alder Lake device IDs Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 26/48] riscv: Use -mno-relax when using lld linker Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 27/48] ALSA: hda: Add AlderLake-M PCI ID Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 28/48] mt76: mt7921: remove leftover 80+80 HE capability Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 29/48] gfs2: Fix use-after-free in gfs2_glock_shrink_scan Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 30/48] scsi: target: core: Fix warning on realtime kernels Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 31/48] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 32/48] scsi: qedf: Do not put host in qedf_vport_create() unconditionally Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 33/48] Bluetooth: Add a new USB ID for RTL8822CE Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 34/48] scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 35/48] nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 36/48] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 37/48] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 38/48] nvme-loop: do not warn for deleted controllers during reset Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 39/48] net: ipconfig: Dont override command-line hostnames or domains Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 40/48] drm/amd/display: Allow bandwidth validation for 0 streams Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 41/48] drm/amdgpu: refine amdgpu_fru_get_product_info Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 42/48] drm/amd/display: Fix overlay validation by considering cursors Greg Kroah-Hartman
2021-06-16 16:02 ` Harry Wentland
2021-06-16 15:33 ` [PATCH 5.12 43/48] drm/amd/display: Fix potential memory leak in DMUB hw_init Greg Kroah-Hartman
2021-06-16 15:33 ` Greg Kroah-Hartman [this message]
2021-06-16 15:33 ` [PATCH 5.12 45/48] rtnetlink: Fix missing error code in rtnl_bridge_notify() Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 46/48] net/x25: Return the correct errno code Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 47/48] net: " Greg Kroah-Hartman
2021-06-16 15:33 ` [PATCH 5.12 48/48] fib: " Greg Kroah-Hartman
2021-06-16 18:39 ` [PATCH 5.12 00/48] 5.12.12-rc1 review Fox Chen
2021-06-16 18:49 ` Jon Hunter
2021-06-16 22:18 ` Justin Forbes
2021-06-16 22:54 ` Florian Fainelli
2021-06-17 4:57 ` Naresh Kamboju
2021-06-17 21:40 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210616152838.032034749@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Jingwen.Chen2@amd.com \
--cc=Victor.Zhao@amd.com \
--cc=alexander.deucher@amd.com \
--cc=linux-kernel@vger.kernel.org \
--cc=monk.liu@amd.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.