drm/i915/gen9: Clear residual context state on context switch

Intel GPU Hardware prior to Gen11 does not clear EU state during a context switch. This can result in information leakage between contexts. For Gen8 and Gen9, hardware provides a mechanism for fast cleardown of the EU state, by issuing a PIPE_CONTROL with bit 27 set. We can use this in a context batch buffer to explicitly cleardown the state on every context switch. As this workaround is already in place for gen8, we can borrow the code verbatim for Gen9. Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com> Signed-off-by: Akeem G Abodunrin <akeem.g.abodunrin@intel.com> CVE-2019-14615 (backported from commit bc8a76a1) [tyhicks: Backport to 4.4: - Apply patch to i915_bpo driver since it handles gen9 chips - Use (i915_scratch_offset(engine->i915) + 2 * CACHELINE_BYTES) in place of LRC_PPHWSP_SCRATCH_ADDR and PIPE_CONTROL_GLOBAL_GTT_IVB in place of PIPE_CONTROL_STORE_DATA_INDEX since we're missing commit e1237523 ("drm/i915/execlists: Use per-process HWSP as scratch") - Remove unused dev_priv variable - Replace the existing WaClearSlmSpaceAtContextSwitch that was being used for pre-production Kaby Lake] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Connor Kuehl <connor.kuehl@canonical.com> Acked-by: Khalid Elmously <khalid.elmously@canonical.com> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>

drm/i915/gen9: Clear residual context state on context switch
Intel GPU Hardware prior to Gen11 does not clear EU state during a context switch. This can result in information leakage between contexts. For Gen8 and Gen9, hardware provides a mechanism for fast cleardown of the EU state, by issuing a PIPE_CONTROL with bit 27 set. We can use this in a context batch buffer to explicitly cleardown the state on every context switch. As this workaround is already in place for gen8, we can borrow the code verbatim for Gen9. Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com> Signed-off-by: Akeem G Abodunrin <akeem.g.abodunrin@intel.com> CVE-2019-14615 (backported from commit bc8a76a1) [tyhicks: Backport to 4.4: - Apply patch to i915_bpo driver since it handles gen9 chips - Use (i915_scratch_offset(engine->i915) + 2 * CACHELINE_BYTES) in place of LRC_PPHWSP_SCRATCH_ADDR and PIPE_CONTROL_GLOBAL_GTT_IVB in place of PIPE_CONTROL_STORE_DATA_INDEX since we're missing commit e1237523 ("drm/i915/execlists: Use per-process HWSP as scratch") - Remove unused dev_priv variable - Replace the existing WaClearSlmSpaceAtContextSwitch that was being used for pre-production Kaby Lake] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Connor Kuehl <connor.kuehl@canonical.com> Acked-by: Khalid Elmously <khalid.elmously@canonical.com> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
152427f3 · Akeem G Abodunrin · Marcelo Henrique Cerri · 2a7a10eb · 152427f3
Commit 152427f3 authored Jan 14, 2020 by Akeem G Abodunrin Committed by Marcelo Henrique Cerri Jan 14, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 17 deletions

ubuntu/i915/intel_lrc.c ubuntu/i915/intel_lrc.c +13 -17

No files found.
--- a/ubuntu/i915/intel_lrc.c
+++ b/ubuntu/i915/intel_lrc.c
@@ -1275,8 +1275,8 @@ static int gen9_init_indirectctx_bb(struct intel_engine_cs *engine,
 {
 	int ret;
 	struct drm_device *dev = engine->dev;
-	struct drm_i915_private *dev_priv = dev->dev_private;
 	uint32_t index = wa_ctx_start(wa_ctx, *offset, CACHELINE_DWORDS);
+	uint32_t scratch_addr;
 	/* WaDisableCtxRestoreArbitration:skl,bxt */
 	if (IS_SKL_REVID(dev, 0, SKL_REVID_D0) ||
@@ -1289,22 +1289,18 @@ static int gen9_init_indirectctx_bb(struct intel_engine_cs *engine,
 		return ret;
 	index = ret;
-	/* WaClearSlmSpaceAtContextSwitch:kbl */
+	/* WaClearSlmSpaceAtContextSwitch:skl,bxt,kbl,glk,cfl */
-	/* Actual scratch location is at 128 bytes offset */
+	scratch_addr = engine->scratch.gtt_offset + 2*CACHELINE_BYTES;
-	if (IS_KBL_REVID(dev_priv, 0, KBL_REVID_A0)) {
+	wa_ctx_emit(batch, index, GFX_OP_PIPE_CONTROL(6));
-		uint32_t scratch_addr
+	wa_ctx_emit(batch, index, (PIPE_CONTROL_FLUSH_L3 |
-			= engine->scratch.gtt_offset + 2*CACHELINE_BYTES;
+				   PIPE_CONTROL_GLOBAL_GTT_IVB |
+				   PIPE_CONTROL_CS_STALL |
-		wa_ctx_emit(batch, index, GFX_OP_PIPE_CONTROL(6));
+				   PIPE_CONTROL_QW_WRITE));
-		wa_ctx_emit(batch, index, (PIPE_CONTROL_FLUSH_L3 |
+	wa_ctx_emit(batch, index, scratch_addr);
-					   PIPE_CONTROL_GLOBAL_GTT_IVB |
+	wa_ctx_emit(batch, index, 0);
-					   PIPE_CONTROL_CS_STALL |
+	wa_ctx_emit(batch, index, 0);
-					   PIPE_CONTROL_QW_WRITE));
+	wa_ctx_emit(batch, index, 0);
-		wa_ctx_emit(batch, index, scratch_addr);
-		wa_ctx_emit(batch, index, 0);
-		wa_ctx_emit(batch, index, 0);
-		wa_ctx_emit(batch, index, 0);
-	}
 	/* Pad to end of cacheline */
 	while (index % CACHELINE_DWORDS)
 		wa_ctx_emit(batch, index, MI_NOOP);