73 lines
3.0 KiB
Diff
73 lines
3.0 KiB
Diff
From: Uma Shankar <uma.shankar@intel.com>
|
|
Date: Tue, 7 Aug 2018 21:15:35 +0530
|
|
Subject: drm/i915: Lower RM timeout to avoid DSI hard hangs
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-0154
|
|
|
|
commit 1d85a299c4db57c55e0229615132c964d17aa765 upstream.
|
|
|
|
In BXT/APL, device 2 MMIO reads from MIPI controller requires its PLL
|
|
to be turned ON. When MIPI PLL is turned off (MIPI Display is not
|
|
active or connected), and someone (host or GT engine) tries to read
|
|
MIPI registers, it causes hard hang. This is a hardware restriction
|
|
or limitation.
|
|
|
|
Driver by itself doesn't read MIPI registers when MIPI display is off.
|
|
But any userspace application can submit unprivileged batch buffer for
|
|
execution. In that batch buffer there can be mmio reads. And these
|
|
reads are allowed even for unprivileged applications. If these
|
|
register reads are for MIPI DSI controller and MIPI display is not
|
|
active during that time, then the MMIO read operation causes system
|
|
hard hang and only way to recover is hard reboot. A genuine
|
|
process/application won't submit batch buffer like this and doesn't
|
|
cause any issue. But on a compromised system, a malign userspace
|
|
process/app can generate such batch buffer and can trigger system
|
|
hard hang (denial of service attack).
|
|
|
|
The fix is to lower the internal MMIO timeout value to an optimum
|
|
value of 950us as recommended by hardware team. If the timeout is
|
|
beyond 1ms (which will hit for any value we choose if MMIO READ on a
|
|
DSI specific register is performed without PLL ON), it causes the
|
|
system hang. But if the timeout value is lower than it will be below
|
|
the threshold (even if timeout happens) and system will not get into
|
|
a hung state. This will avoid a system hang without losing any
|
|
programming or GT interrupts, taking the worst case of lowest CDCLK
|
|
frequency and early DC5 abort into account.
|
|
|
|
Signed-off-by: Uma Shankar <uma.shankar@intel.com>
|
|
Reviewed-by: Jon Bloomfield <jon.bloomfield@intel.com>
|
|
---
|
|
drivers/gpu/drm/i915/i915_reg.h | 4 ++++
|
|
drivers/gpu/drm/i915/intel_pm.c | 8 ++++++++
|
|
2 files changed, 12 insertions(+)
|
|
|
|
--- a/drivers/gpu/drm/i915/i915_reg.h
|
|
+++ b/drivers/gpu/drm/i915/i915_reg.h
|
|
@@ -7009,6 +7009,10 @@ enum {
|
|
#define SKL_CSR_DC5_DC6_COUNT _MMIO(0x8002C)
|
|
#define BXT_CSR_DC3_DC5_COUNT _MMIO(0x80038)
|
|
|
|
+/* Display Internal Timeout Register */
|
|
+#define RM_TIMEOUT _MMIO(0x42060)
|
|
+#define MMIO_TIMEOUT_US(us) ((us) << 0)
|
|
+
|
|
/* interrupts */
|
|
#define DE_MASTER_IRQ_CONTROL (1 << 31)
|
|
#define DE_SPRITEB_FLIP_DONE (1 << 29)
|
|
--- a/drivers/gpu/drm/i915/intel_pm.c
|
|
+++ b/drivers/gpu/drm/i915/intel_pm.c
|
|
@@ -114,6 +114,14 @@ static void bxt_init_clock_gating(struct
|
|
*/
|
|
I915_WRITE(GEN9_CLKGATE_DIS_0, I915_READ(GEN9_CLKGATE_DIS_0) |
|
|
PWM1_GATING_DIS | PWM2_GATING_DIS);
|
|
+
|
|
+ /*
|
|
+ * Lower the display internal timeout.
|
|
+ * This is needed to avoid any hard hangs when DSI port PLL
|
|
+ * is off and a MMIO access is attempted by any privilege
|
|
+ * application, using batch buffers or any other means.
|
|
+ */
|
|
+ I915_WRITE(RM_TIMEOUT, MMIO_TIMEOUT_US(950));
|
|
}
|
|
|
|
static void glk_init_clock_gating(struct drm_i915_private *dev_priv)
|