accel/ivpu: Prevent recovery invocation during probe and resume
BugLink: https://bugs.launchpad.net/bugs/2101915
[ Upstream commit 5eaa497411197c41b0813d61ba3fbd6267049082 ]
Refactor IPC send and receive functions to allow correct
handling of operations that should not trigger a recovery process.
Expose ivpu_send_receive_internal(), which is now utilized by the D0i3
entry, DCT initialization, and HWS initialization functions.
These functions have been modified to return error codes gracefully,
rather than initiating recovery.
The updated functions are invoked within ivpu_probe() and ivpu_resume(),
ensuring that any errors encountered during these stages result in a proper
teardown or shutdown sequence. The previous approach of triggering recovery
within these functions could lead to a race condition, potentially causing
undefined behavior and kernel crashes due to null pointer dereferences.
Fixes: 45e45362e0 ("accel/ivpu: Introduce ivpu_ipc_send_receive_active()")
Signed-off-by: Karol Wachowski <karol.wachowski@intel.com>
Reviewed-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240930195322.461209-23-jacek.lawrynowicz@linux.intel.com
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[koichiroden: dropped some hunks due to missing commits:
a19bffb10c46 ("accel/ivpu: Implement DCT handling")
cf40fbaf7088 ("accel/ivpu: Add HWS JSM messages")]
CVE-2024-56540
Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
This commit is contained in:
Karol Wachowski
committed by
Stefan Bader
Stefan Bader
parent
aa56ca745b
commit
7d5427dcb6
@@ -292,15 +292,16 @@ int ivpu_ipc_receive(struct ivpu_device *vdev, struct ivpu_ipc_consumer *cons,
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
int
|
||||
ivpu_ipc_send_receive_internal(struct ivpu_device *vdev, struct vpu_jsm_msg *req,
|
||||
enum vpu_ipc_msg_type expected_resp_type,
|
||||
struct vpu_jsm_msg *resp, u32 channel,
|
||||
unsigned long timeout_ms)
|
||||
struct vpu_jsm_msg *resp, u32 channel, unsigned long timeout_ms)
|
||||
{
|
||||
struct ivpu_ipc_consumer cons;
|
||||
int ret;
|
||||
|
||||
drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev));
|
||||
|
||||
ivpu_ipc_consumer_add(vdev, &cons, channel, NULL);
|
||||
|
||||
ret = ivpu_ipc_send(vdev, &cons, req);
|
||||
@@ -326,19 +327,21 @@ consumer_del:
|
||||
return ret;
|
||||
}
|
||||
|
||||
int ivpu_ipc_send_receive_active(struct ivpu_device *vdev, struct vpu_jsm_msg *req,
|
||||
enum vpu_ipc_msg_type expected_resp, struct vpu_jsm_msg *resp,
|
||||
u32 channel, unsigned long timeout_ms)
|
||||
int ivpu_ipc_send_receive(struct ivpu_device *vdev, struct vpu_jsm_msg *req,
|
||||
enum vpu_ipc_msg_type expected_resp, struct vpu_jsm_msg *resp,
|
||||
u32 channel, unsigned long timeout_ms)
|
||||
{
|
||||
struct vpu_jsm_msg hb_req = { .type = VPU_JSM_MSG_QUERY_ENGINE_HB };
|
||||
struct vpu_jsm_msg hb_resp;
|
||||
int ret, hb_ret;
|
||||
|
||||
drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev));
|
||||
ret = ivpu_rpm_get(vdev);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = ivpu_ipc_send_receive_internal(vdev, req, expected_resp, resp, channel, timeout_ms);
|
||||
if (ret != -ETIMEDOUT)
|
||||
return ret;
|
||||
goto rpm_put;
|
||||
|
||||
hb_ret = ivpu_ipc_send_receive_internal(vdev, &hb_req, VPU_JSM_MSG_QUERY_ENGINE_HB_DONE,
|
||||
&hb_resp, VPU_IPC_CHAN_ASYNC_CMD,
|
||||
@@ -346,21 +349,7 @@ int ivpu_ipc_send_receive_active(struct ivpu_device *vdev, struct vpu_jsm_msg *r
|
||||
if (hb_ret == -ETIMEDOUT)
|
||||
ivpu_pm_trigger_recovery(vdev, "IPC timeout");
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int ivpu_ipc_send_receive(struct ivpu_device *vdev, struct vpu_jsm_msg *req,
|
||||
enum vpu_ipc_msg_type expected_resp, struct vpu_jsm_msg *resp,
|
||||
u32 channel, unsigned long timeout_ms)
|
||||
{
|
||||
int ret;
|
||||
|
||||
ret = ivpu_rpm_get(vdev);
|
||||
if (ret < 0)
|
||||
return ret;
|
||||
|
||||
ret = ivpu_ipc_send_receive_active(vdev, req, expected_resp, resp, channel, timeout_ms);
|
||||
|
||||
rpm_put:
|
||||
ivpu_rpm_put(vdev);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -99,10 +99,9 @@ void ivpu_ipc_consumer_del(struct ivpu_device *vdev, struct ivpu_ipc_consumer *c
|
||||
int ivpu_ipc_receive(struct ivpu_device *vdev, struct ivpu_ipc_consumer *cons,
|
||||
struct ivpu_ipc_hdr *ipc_buf, struct vpu_jsm_msg *jsm_msg,
|
||||
unsigned long timeout_ms);
|
||||
|
||||
int ivpu_ipc_send_receive_active(struct ivpu_device *vdev, struct vpu_jsm_msg *req,
|
||||
enum vpu_ipc_msg_type expected_resp, struct vpu_jsm_msg *resp,
|
||||
u32 channel, unsigned long timeout_ms);
|
||||
int ivpu_ipc_send_receive_internal(struct ivpu_device *vdev, struct vpu_jsm_msg *req,
|
||||
enum vpu_ipc_msg_type expected_resp_type,
|
||||
struct vpu_jsm_msg *resp, u32 channel, unsigned long timeout_ms);
|
||||
int ivpu_ipc_send_receive(struct ivpu_device *vdev, struct vpu_jsm_msg *req,
|
||||
enum vpu_ipc_msg_type expected_resp, struct vpu_jsm_msg *resp,
|
||||
u32 channel, unsigned long timeout_ms);
|
||||
|
||||
@@ -273,9 +273,8 @@ int ivpu_jsm_pwr_d0i3_enter(struct ivpu_device *vdev)
|
||||
|
||||
req.payload.pwr_d0i3_enter.send_response = 1;
|
||||
|
||||
ret = ivpu_ipc_send_receive_active(vdev, &req, VPU_JSM_MSG_PWR_D0I3_ENTER_DONE,
|
||||
&resp, VPU_IPC_CHAN_GEN_CMD,
|
||||
vdev->timeout.d0i3_entry_msg);
|
||||
ret = ivpu_ipc_send_receive_internal(vdev, &req, VPU_JSM_MSG_PWR_D0I3_ENTER_DONE, &resp,
|
||||
VPU_IPC_CHAN_GEN_CMD, vdev->timeout.d0i3_entry_msg);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
|
||||
Reference in New Issue
Block a user