From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 14 Jan 2020 18:10:38 +0000 (+0100)
Subject: 4.4-stable patches
X-Git-Tag: v4.4.210~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bf3cb4c93eba2db70088382eb6ac3099dfc94fbf;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	drm-i915-gen9-clear-residual-context-state-on-context-switch.patch
---

diff --git a/queue-4.4/drm-i915-gen9-clear-residual-context-state-on-context-switch.patch b/queue-4.4/drm-i915-gen9-clear-residual-context-state-on-context-switch.patch
new file mode 100644
index 00000000000..d27a92f2359
--- /dev/null
+++ b/queue-4.4/drm-i915-gen9-clear-residual-context-state-on-context-switch.patch
@@ -0,0 +1,66 @@
+From e03841db73cd0733579b1884cbd5aceec3b9a191 Mon Sep 17 00:00:00 2001
+From: Akeem G Abodunrin <akeem.g.abodunrin@intel.com>
+Date: Wed, 8 Jan 2020 12:50:43 -0800
+Subject: drm/i915/gen9: Clear residual context state on context switch
+
+From: Akeem G Abodunrin <akeem.g.abodunrin@intel.com>
+
+commit bc8a76a152c5f9ef3b48104154a65a68a8b76946 upstream.
+
+Intel ID: PSIRT-TA-201910-001
+CVEID: CVE-2019-14615
+
+Intel GPU Hardware prior to Gen11 does not clear EU state
+during a context switch. This can result in information
+leakage between contexts.
+
+For Gen8 and Gen9, hardware provides a mechanism for
+fast cleardown of the EU state, by issuing a PIPE_CONTROL
+with bit 27 set. We can use this in a context batch buffer
+to explicitly cleardown the state on every context switch.
+
+As this workaround is already in place for gen8, we can borrow
+the code verbatim for Gen9.
+
+Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Signed-off-by: Akeem G Abodunrin <akeem.g.abodunrin@intel.com>
+Cc: Kumar Valsan Prathap <prathap.kumar.valsan@intel.com>
+Cc: Chris Wilson <chris.p.wilson@intel.com>
+Cc: Balestrieri Francesco <francesco.balestrieri@intel.com>
+Cc: Bloomfield Jon <jon.bloomfield@intel.com>
+Cc: Dutt Sudeep <sudeep.dutt@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/intel_lrc.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/gpu/drm/i915/intel_lrc.c
++++ b/drivers/gpu/drm/i915/intel_lrc.c
+@@ -1312,6 +1312,7 @@ static int gen9_init_indirectctx_bb(stru
+ 	int ret;
+ 	struct drm_device *dev = ring->dev;
+ 	uint32_t index = wa_ctx_start(wa_ctx, *offset, CACHELINE_DWORDS);
++	uint32_t scratch_addr;
+ 
+ 	/* WaDisableCtxRestoreArbitration:skl,bxt */
+ 	if ((IS_SKYLAKE(dev) && (INTEL_REVID(dev) <= SKL_REVID_D0)) ||
+@@ -1324,6 +1325,19 @@ static int gen9_init_indirectctx_bb(stru
+ 		return ret;
+ 	index = ret;
+ 
++	/* WaClearSlmSpaceAtContextSwitch:skl,bxt,kbl,glk,cfl */
++	/* Actual scratch location is at 128 bytes offset */
++	scratch_addr = ring->scratch.gtt_offset + 2 * CACHELINE_BYTES;
++	wa_ctx_emit(batch, index, GFX_OP_PIPE_CONTROL(6));
++	wa_ctx_emit(batch, index, (PIPE_CONTROL_FLUSH_L3 |
++				   PIPE_CONTROL_GLOBAL_GTT_IVB |
++				   PIPE_CONTROL_CS_STALL |
++				   PIPE_CONTROL_QW_WRITE));
++	wa_ctx_emit(batch, index, scratch_addr);
++	wa_ctx_emit(batch, index, 0);
++	wa_ctx_emit(batch, index, 0);
++	wa_ctx_emit(batch, index, 0);
++
+ 	/* Pad to end of cacheline */
+ 	while (index % CACHELINE_DWORDS)
+ 		wa_ctx_emit(batch, index, MI_NOOP);
diff --git a/queue-4.4/series b/queue-4.4/series
index f68b5bc5327..a3d723654a5 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -26,3 +26,4 @@ rtl8xxxu-prevent-leaking-urb.patch
 usb-fix-don-t-skip-endpoint-descriptors-with-maxpacket-0.patch
 netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch
 netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch
+drm-i915-gen9-clear-residual-context-state-on-context-switch.patch