1 /* 2 * SPDX-License-Identifier: MIT 3 * 4 * Copyright © 2008,2010 Intel Corporation 5 */ 6 7 #include <linux/intel-iommu.h> 8 #include <linux/dma-resv.h> 9 #include <linux/sync_file.h> 10 #include <linux/uaccess.h> 11 12 #include <drm/drm_syncobj.h> 13 14 #include "display/intel_frontbuffer.h" 15 16 #include "gem/i915_gem_ioctls.h" 17 #include "gt/intel_context.h" 18 #include "gt/intel_engine_pool.h" 19 #include "gt/intel_gt.h" 20 #include "gt/intel_gt_pm.h" 21 #include "gt/intel_ring.h" 22 23 #include "i915_drv.h" 24 #include "i915_gem_clflush.h" 25 #include "i915_gem_context.h" 26 #include "i915_gem_ioctls.h" 27 #include "i915_sw_fence_work.h" 28 #include "i915_trace.h" 29 30 struct eb_vma { 31 struct i915_vma *vma; 32 unsigned int flags; 33 34 /** This vma's place in the execbuf reservation list */ 35 struct drm_i915_gem_exec_object2 *exec; 36 struct list_head bind_link; 37 struct list_head reloc_link; 38 39 struct hlist_node node; 40 u32 handle; 41 }; 42 43 enum { 44 FORCE_CPU_RELOC = 1, 45 FORCE_GTT_RELOC, 46 FORCE_GPU_RELOC, 47 #define DBG_FORCE_RELOC 0 /* choose one of the above! */ 48 }; 49 50 #define __EXEC_OBJECT_HAS_PIN BIT(31) 51 #define __EXEC_OBJECT_HAS_FENCE BIT(30) 52 #define __EXEC_OBJECT_NEEDS_MAP BIT(29) 53 #define __EXEC_OBJECT_NEEDS_BIAS BIT(28) 54 #define __EXEC_OBJECT_INTERNAL_FLAGS (~0u << 28) /* all of the above */ 55 #define __EXEC_OBJECT_RESERVED (__EXEC_OBJECT_HAS_PIN | __EXEC_OBJECT_HAS_FENCE) 56 57 #define __EXEC_HAS_RELOC BIT(31) 58 #define __EXEC_INTERNAL_FLAGS (~0u << 31) 59 #define UPDATE PIN_OFFSET_FIXED 60 61 #define BATCH_OFFSET_BIAS (256*1024) 62 63 #define __I915_EXEC_ILLEGAL_FLAGS \ 64 (__I915_EXEC_UNKNOWN_FLAGS | \ 65 I915_EXEC_CONSTANTS_MASK | \ 66 I915_EXEC_RESOURCE_STREAMER) 67 68 /* Catch emission of unexpected errors for CI! */ 69 #if IS_ENABLED(CONFIG_DRM_I915_DEBUG_GEM) 70 #undef EINVAL 71 #define EINVAL ({ \ 72 DRM_DEBUG_DRIVER("EINVAL at %s:%d\n", __func__, __LINE__); \ 73 22; \ 74 }) 75 #endif 76 77 /** 78 * DOC: User command execution 79 * 80 * Userspace submits commands to be executed on the GPU as an instruction 81 * stream within a GEM object we call a batchbuffer. This instructions may 82 * refer to other GEM objects containing auxiliary state such as kernels, 83 * samplers, render targets and even secondary batchbuffers. Userspace does 84 * not know where in the GPU memory these objects reside and so before the 85 * batchbuffer is passed to the GPU for execution, those addresses in the 86 * batchbuffer and auxiliary objects are updated. This is known as relocation, 87 * or patching. To try and avoid having to relocate each object on the next 88 * execution, userspace is told the location of those objects in this pass, 89 * but this remains just a hint as the kernel may choose a new location for 90 * any object in the future. 91 * 92 * At the level of talking to the hardware, submitting a batchbuffer for the 93 * GPU to execute is to add content to a buffer from which the HW 94 * command streamer is reading. 95 * 96 * 1. Add a command to load the HW context. For Logical Ring Contexts, i.e. 97 * Execlists, this command is not placed on the same buffer as the 98 * remaining items. 99 * 100 * 2. Add a command to invalidate caches to the buffer. 101 * 102 * 3. Add a batchbuffer start command to the buffer; the start command is 103 * essentially a token together with the GPU address of the batchbuffer 104 * to be executed. 105 * 106 * 4. Add a pipeline flush to the buffer. 107 * 108 * 5. Add a memory write command to the buffer to record when the GPU 109 * is done executing the batchbuffer. The memory write writes the 110 * global sequence number of the request, ``i915_request::global_seqno``; 111 * the i915 driver uses the current value in the register to determine 112 * if the GPU has completed the batchbuffer. 113 * 114 * 6. Add a user interrupt command to the buffer. This command instructs 115 * the GPU to issue an interrupt when the command, pipeline flush and 116 * memory write are completed. 117 * 118 * 7. Inform the hardware of the additional commands added to the buffer 119 * (by updating the tail pointer). 120 * 121 * Processing an execbuf ioctl is conceptually split up into a few phases. 122 * 123 * 1. Validation - Ensure all the pointers, handles and flags are valid. 124 * 2. Reservation - Assign GPU address space for every object 125 * 3. Relocation - Update any addresses to point to the final locations 126 * 4. Serialisation - Order the request with respect to its dependencies 127 * 5. Construction - Construct a request to execute the batchbuffer 128 * 6. Submission (at some point in the future execution) 129 * 130 * Reserving resources for the execbuf is the most complicated phase. We 131 * neither want to have to migrate the object in the address space, nor do 132 * we want to have to update any relocations pointing to this object. Ideally, 133 * we want to leave the object where it is and for all the existing relocations 134 * to match. If the object is given a new address, or if userspace thinks the 135 * object is elsewhere, we have to parse all the relocation entries and update 136 * the addresses. Userspace can set the I915_EXEC_NORELOC flag to hint that 137 * all the target addresses in all of its objects match the value in the 138 * relocation entries and that they all match the presumed offsets given by the 139 * list of execbuffer objects. Using this knowledge, we know that if we haven't 140 * moved any buffers, all the relocation entries are valid and we can skip 141 * the update. (If userspace is wrong, the likely outcome is an impromptu GPU 142 * hang.) The requirement for using I915_EXEC_NO_RELOC are: 143 * 144 * The addresses written in the objects must match the corresponding 145 * reloc.presumed_offset which in turn must match the corresponding 146 * execobject.offset. 147 * 148 * Any render targets written to in the batch must be flagged with 149 * EXEC_OBJECT_WRITE. 150 * 151 * To avoid stalling, execobject.offset should match the current 152 * address of that object within the active context. 153 * 154 * The reservation is done is multiple phases. First we try and keep any 155 * object already bound in its current location - so as long as meets the 156 * constraints imposed by the new execbuffer. Any object left unbound after the 157 * first pass is then fitted into any available idle space. If an object does 158 * not fit, all objects are removed from the reservation and the process rerun 159 * after sorting the objects into a priority order (more difficult to fit 160 * objects are tried first). Failing that, the entire VM is cleared and we try 161 * to fit the execbuf once last time before concluding that it simply will not 162 * fit. 163 * 164 * A small complication to all of this is that we allow userspace not only to 165 * specify an alignment and a size for the object in the address space, but 166 * we also allow userspace to specify the exact offset. This objects are 167 * simpler to place (the location is known a priori) all we have to do is make 168 * sure the space is available. 169 * 170 * Once all the objects are in place, patching up the buried pointers to point 171 * to the final locations is a fairly simple job of walking over the relocation 172 * entry arrays, looking up the right address and rewriting the value into 173 * the object. Simple! ... The relocation entries are stored in user memory 174 * and so to access them we have to copy them into a local buffer. That copy 175 * has to avoid taking any pagefaults as they may lead back to a GEM object 176 * requiring the struct_mutex (i.e. recursive deadlock). So once again we split 177 * the relocation into multiple passes. First we try to do everything within an 178 * atomic context (avoid the pagefaults) which requires that we never wait. If 179 * we detect that we may wait, or if we need to fault, then we have to fallback 180 * to a slower path. The slowpath has to drop the mutex. (Can you hear alarm 181 * bells yet?) Dropping the mutex means that we lose all the state we have 182 * built up so far for the execbuf and we must reset any global data. However, 183 * we do leave the objects pinned in their final locations - which is a 184 * potential issue for concurrent execbufs. Once we have left the mutex, we can 185 * allocate and copy all the relocation entries into a large array at our 186 * leisure, reacquire the mutex, reclaim all the objects and other state and 187 * then proceed to update any incorrect addresses with the objects. 188 * 189 * As we process the relocation entries, we maintain a record of whether the 190 * object is being written to. Using NORELOC, we expect userspace to provide 191 * this information instead. We also check whether we can skip the relocation 192 * by comparing the expected value inside the relocation entry with the target's 193 * final address. If they differ, we have to map the current object and rewrite 194 * the 4 or 8 byte pointer within. 195 * 196 * Serialising an execbuf is quite simple according to the rules of the GEM 197 * ABI. Execution within each context is ordered by the order of submission. 198 * Writes to any GEM object are in order of submission and are exclusive. Reads 199 * from a GEM object are unordered with respect to other reads, but ordered by 200 * writes. A write submitted after a read cannot occur before the read, and 201 * similarly any read submitted after a write cannot occur before the write. 202 * Writes are ordered between engines such that only one write occurs at any 203 * time (completing any reads beforehand) - using semaphores where available 204 * and CPU serialisation otherwise. Other GEM access obey the same rules, any 205 * write (either via mmaps using set-domain, or via pwrite) must flush all GPU 206 * reads before starting, and any read (either using set-domain or pread) must 207 * flush all GPU writes before starting. (Note we only employ a barrier before, 208 * we currently rely on userspace not concurrently starting a new execution 209 * whilst reading or writing to an object. This may be an advantage or not 210 * depending on how much you trust userspace not to shoot themselves in the 211 * foot.) Serialisation may just result in the request being inserted into 212 * a DAG awaiting its turn, but most simple is to wait on the CPU until 213 * all dependencies are resolved. 214 * 215 * After all of that, is just a matter of closing the request and handing it to 216 * the hardware (well, leaving it in a queue to be executed). However, we also 217 * offer the ability for batchbuffers to be run with elevated privileges so 218 * that they access otherwise hidden registers. (Used to adjust L3 cache etc.) 219 * Before any batch is given extra privileges we first must check that it 220 * contains no nefarious instructions, we check that each instruction is from 221 * our whitelist and all registers are also from an allowed list. We first 222 * copy the user's batchbuffer to a shadow (so that the user doesn't have 223 * access to it, either by the CPU or GPU as we scan it) and then parse each 224 * instruction. If everything is ok, we set a flag telling the hardware to run 225 * the batchbuffer in trusted mode, otherwise the ioctl is rejected. 226 */ 227 228 struct i915_execbuffer { 229 struct drm_i915_private *i915; /** i915 backpointer */ 230 struct drm_file *file; /** per-file lookup tables and limits */ 231 struct drm_i915_gem_execbuffer2 *args; /** ioctl parameters */ 232 struct drm_i915_gem_exec_object2 *exec; /** ioctl execobj[] */ 233 struct eb_vma *vma; 234 235 struct intel_engine_cs *engine; /** engine to queue the request to */ 236 struct intel_context *context; /* logical state for the request */ 237 struct i915_gem_context *gem_context; /** caller's context */ 238 239 struct i915_request *request; /** our request to build */ 240 struct eb_vma *batch; /** identity of the batch obj/vma */ 241 struct i915_vma *trampoline; /** trampoline used for chaining */ 242 243 /** actual size of execobj[] as we may extend it for the cmdparser */ 244 unsigned int buffer_count; 245 246 /** list of vma not yet bound during reservation phase */ 247 struct list_head unbound; 248 249 /** list of vma that have execobj.relocation_count */ 250 struct list_head relocs; 251 252 /** 253 * Track the most recently used object for relocations, as we 254 * frequently have to perform multiple relocations within the same 255 * obj/page 256 */ 257 struct reloc_cache { 258 struct drm_mm_node node; /** temporary GTT binding */ 259 unsigned long vaddr; /** Current kmap address */ 260 unsigned long page; /** Currently mapped page index */ 261 unsigned int gen; /** Cached value of INTEL_GEN */ 262 bool use_64bit_reloc : 1; 263 bool has_llc : 1; 264 bool has_fence : 1; 265 bool needs_unfenced : 1; 266 267 struct i915_request *rq; 268 u32 *rq_cmd; 269 unsigned int rq_size; 270 } reloc_cache; 271 272 u64 invalid_flags; /** Set of execobj.flags that are invalid */ 273 u32 context_flags; /** Set of execobj.flags to insert from the ctx */ 274 275 u32 batch_start_offset; /** Location within object of batch */ 276 u32 batch_len; /** Length of batch within object */ 277 u32 batch_flags; /** Flags composed for emit_bb_start() */ 278 279 /** 280 * Indicate either the size of the hastable used to resolve 281 * relocation handles, or if negative that we are using a direct 282 * index into the execobj[]. 283 */ 284 int lut_size; 285 struct hlist_head *buckets; /** ht for relocation handles */ 286 }; 287 288 static inline bool eb_use_cmdparser(const struct i915_execbuffer *eb) 289 { 290 return intel_engine_requires_cmd_parser(eb->engine) || 291 (intel_engine_using_cmd_parser(eb->engine) && 292 eb->args->batch_len); 293 } 294 295 static int eb_create(struct i915_execbuffer *eb) 296 { 297 if (!(eb->args->flags & I915_EXEC_HANDLE_LUT)) { 298 unsigned int size = 1 + ilog2(eb->buffer_count); 299 300 /* 301 * Without a 1:1 association between relocation handles and 302 * the execobject[] index, we instead create a hashtable. 303 * We size it dynamically based on available memory, starting 304 * first with 1:1 assocative hash and scaling back until 305 * the allocation succeeds. 306 * 307 * Later on we use a positive lut_size to indicate we are 308 * using this hashtable, and a negative value to indicate a 309 * direct lookup. 310 */ 311 do { 312 gfp_t flags; 313 314 /* While we can still reduce the allocation size, don't 315 * raise a warning and allow the allocation to fail. 316 * On the last pass though, we want to try as hard 317 * as possible to perform the allocation and warn 318 * if it fails. 319 */ 320 flags = GFP_KERNEL; 321 if (size > 1) 322 flags |= __GFP_NORETRY | __GFP_NOWARN; 323 324 eb->buckets = kzalloc(sizeof(struct hlist_head) << size, 325 flags); 326 if (eb->buckets) 327 break; 328 } while (--size); 329 330 if (unlikely(!size)) 331 return -ENOMEM; 332 333 eb->lut_size = size; 334 } else { 335 eb->lut_size = -eb->buffer_count; 336 } 337 338 return 0; 339 } 340 341 static bool 342 eb_vma_misplaced(const struct drm_i915_gem_exec_object2 *entry, 343 const struct i915_vma *vma, 344 unsigned int flags) 345 { 346 if (vma->node.size < entry->pad_to_size) 347 return true; 348 349 if (entry->alignment && !IS_ALIGNED(vma->node.start, entry->alignment)) 350 return true; 351 352 if (flags & EXEC_OBJECT_PINNED && 353 vma->node.start != entry->offset) 354 return true; 355 356 if (flags & __EXEC_OBJECT_NEEDS_BIAS && 357 vma->node.start < BATCH_OFFSET_BIAS) 358 return true; 359 360 if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS) && 361 (vma->node.start + vma->node.size - 1) >> 32) 362 return true; 363 364 if (flags & __EXEC_OBJECT_NEEDS_MAP && 365 !i915_vma_is_map_and_fenceable(vma)) 366 return true; 367 368 return false; 369 } 370 371 static inline bool 372 eb_pin_vma(struct i915_execbuffer *eb, 373 const struct drm_i915_gem_exec_object2 *entry, 374 struct eb_vma *ev) 375 { 376 struct i915_vma *vma = ev->vma; 377 u64 pin_flags; 378 379 if (vma->node.size) 380 pin_flags = vma->node.start; 381 else 382 pin_flags = entry->offset & PIN_OFFSET_MASK; 383 384 pin_flags |= PIN_USER | PIN_NOEVICT | PIN_OFFSET_FIXED; 385 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_GTT)) 386 pin_flags |= PIN_GLOBAL; 387 388 if (unlikely(i915_vma_pin(vma, 0, 0, pin_flags))) 389 return false; 390 391 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_FENCE)) { 392 if (unlikely(i915_vma_pin_fence(vma))) { 393 i915_vma_unpin(vma); 394 return false; 395 } 396 397 if (vma->fence) 398 ev->flags |= __EXEC_OBJECT_HAS_FENCE; 399 } 400 401 ev->flags |= __EXEC_OBJECT_HAS_PIN; 402 return !eb_vma_misplaced(entry, vma, ev->flags); 403 } 404 405 static inline void __eb_unreserve_vma(struct i915_vma *vma, unsigned int flags) 406 { 407 GEM_BUG_ON(!(flags & __EXEC_OBJECT_HAS_PIN)); 408 409 if (unlikely(flags & __EXEC_OBJECT_HAS_FENCE)) 410 __i915_vma_unpin_fence(vma); 411 412 __i915_vma_unpin(vma); 413 } 414 415 static inline void 416 eb_unreserve_vma(struct eb_vma *ev) 417 { 418 if (!(ev->flags & __EXEC_OBJECT_HAS_PIN)) 419 return; 420 421 __eb_unreserve_vma(ev->vma, ev->flags); 422 ev->flags &= ~__EXEC_OBJECT_RESERVED; 423 } 424 425 static int 426 eb_validate_vma(struct i915_execbuffer *eb, 427 struct drm_i915_gem_exec_object2 *entry, 428 struct i915_vma *vma) 429 { 430 if (unlikely(entry->flags & eb->invalid_flags)) 431 return -EINVAL; 432 433 if (unlikely(entry->alignment && 434 !is_power_of_2_u64(entry->alignment))) 435 return -EINVAL; 436 437 /* 438 * Offset can be used as input (EXEC_OBJECT_PINNED), reject 439 * any non-page-aligned or non-canonical addresses. 440 */ 441 if (unlikely(entry->flags & EXEC_OBJECT_PINNED && 442 entry->offset != gen8_canonical_addr(entry->offset & I915_GTT_PAGE_MASK))) 443 return -EINVAL; 444 445 /* pad_to_size was once a reserved field, so sanitize it */ 446 if (entry->flags & EXEC_OBJECT_PAD_TO_SIZE) { 447 if (unlikely(offset_in_page(entry->pad_to_size))) 448 return -EINVAL; 449 } else { 450 entry->pad_to_size = 0; 451 } 452 /* 453 * From drm_mm perspective address space is continuous, 454 * so from this point we're always using non-canonical 455 * form internally. 456 */ 457 entry->offset = gen8_noncanonical_addr(entry->offset); 458 459 if (!eb->reloc_cache.has_fence) { 460 entry->flags &= ~EXEC_OBJECT_NEEDS_FENCE; 461 } else { 462 if ((entry->flags & EXEC_OBJECT_NEEDS_FENCE || 463 eb->reloc_cache.needs_unfenced) && 464 i915_gem_object_is_tiled(vma->obj)) 465 entry->flags |= EXEC_OBJECT_NEEDS_GTT | __EXEC_OBJECT_NEEDS_MAP; 466 } 467 468 if (!(entry->flags & EXEC_OBJECT_PINNED)) 469 entry->flags |= eb->context_flags; 470 471 return 0; 472 } 473 474 static void 475 eb_add_vma(struct i915_execbuffer *eb, 476 unsigned int i, unsigned batch_idx, 477 struct i915_vma *vma) 478 { 479 struct drm_i915_gem_exec_object2 *entry = &eb->exec[i]; 480 struct eb_vma *ev = &eb->vma[i]; 481 482 GEM_BUG_ON(i915_vma_is_closed(vma)); 483 484 ev->vma = i915_vma_get(vma); 485 ev->exec = entry; 486 ev->flags = entry->flags; 487 488 if (eb->lut_size > 0) { 489 ev->handle = entry->handle; 490 hlist_add_head(&ev->node, 491 &eb->buckets[hash_32(entry->handle, 492 eb->lut_size)]); 493 } 494 495 if (entry->relocation_count) 496 list_add_tail(&ev->reloc_link, &eb->relocs); 497 498 /* 499 * SNA is doing fancy tricks with compressing batch buffers, which leads 500 * to negative relocation deltas. Usually that works out ok since the 501 * relocate address is still positive, except when the batch is placed 502 * very low in the GTT. Ensure this doesn't happen. 503 * 504 * Note that actual hangs have only been observed on gen7, but for 505 * paranoia do it everywhere. 506 */ 507 if (i == batch_idx) { 508 if (entry->relocation_count && 509 !(ev->flags & EXEC_OBJECT_PINNED)) 510 ev->flags |= __EXEC_OBJECT_NEEDS_BIAS; 511 if (eb->reloc_cache.has_fence) 512 ev->flags |= EXEC_OBJECT_NEEDS_FENCE; 513 514 eb->batch = ev; 515 } 516 517 if (eb_pin_vma(eb, entry, ev)) { 518 if (entry->offset != vma->node.start) { 519 entry->offset = vma->node.start | UPDATE; 520 eb->args->flags |= __EXEC_HAS_RELOC; 521 } 522 } else { 523 eb_unreserve_vma(ev); 524 list_add_tail(&ev->bind_link, &eb->unbound); 525 } 526 } 527 528 static inline int use_cpu_reloc(const struct reloc_cache *cache, 529 const struct drm_i915_gem_object *obj) 530 { 531 if (!i915_gem_object_has_struct_page(obj)) 532 return false; 533 534 if (DBG_FORCE_RELOC == FORCE_CPU_RELOC) 535 return true; 536 537 if (DBG_FORCE_RELOC == FORCE_GTT_RELOC) 538 return false; 539 540 return (cache->has_llc || 541 obj->cache_dirty || 542 obj->cache_level != I915_CACHE_NONE); 543 } 544 545 static int eb_reserve_vma(const struct i915_execbuffer *eb, 546 struct eb_vma *ev, 547 u64 pin_flags) 548 { 549 struct drm_i915_gem_exec_object2 *entry = ev->exec; 550 unsigned int exec_flags = ev->flags; 551 struct i915_vma *vma = ev->vma; 552 int err; 553 554 if (exec_flags & EXEC_OBJECT_NEEDS_GTT) 555 pin_flags |= PIN_GLOBAL; 556 557 /* 558 * Wa32bitGeneralStateOffset & Wa32bitInstructionBaseOffset, 559 * limit address to the first 4GBs for unflagged objects. 560 */ 561 if (!(exec_flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS)) 562 pin_flags |= PIN_ZONE_4G; 563 564 if (exec_flags & __EXEC_OBJECT_NEEDS_MAP) 565 pin_flags |= PIN_MAPPABLE; 566 567 if (exec_flags & EXEC_OBJECT_PINNED) 568 pin_flags |= entry->offset | PIN_OFFSET_FIXED; 569 else if (exec_flags & __EXEC_OBJECT_NEEDS_BIAS) 570 pin_flags |= BATCH_OFFSET_BIAS | PIN_OFFSET_BIAS; 571 572 if (drm_mm_node_allocated(&vma->node) && 573 eb_vma_misplaced(entry, vma, ev->flags)) { 574 err = i915_vma_unbind(vma); 575 if (err) 576 return err; 577 } 578 579 err = i915_vma_pin(vma, 580 entry->pad_to_size, entry->alignment, 581 pin_flags); 582 if (err) 583 return err; 584 585 if (entry->offset != vma->node.start) { 586 entry->offset = vma->node.start | UPDATE; 587 eb->args->flags |= __EXEC_HAS_RELOC; 588 } 589 590 if (unlikely(exec_flags & EXEC_OBJECT_NEEDS_FENCE)) { 591 err = i915_vma_pin_fence(vma); 592 if (unlikely(err)) { 593 i915_vma_unpin(vma); 594 return err; 595 } 596 597 if (vma->fence) 598 exec_flags |= __EXEC_OBJECT_HAS_FENCE; 599 } 600 601 ev->flags = exec_flags | __EXEC_OBJECT_HAS_PIN; 602 GEM_BUG_ON(eb_vma_misplaced(entry, vma, ev->flags)); 603 604 return 0; 605 } 606 607 static int eb_reserve(struct i915_execbuffer *eb) 608 { 609 const unsigned int count = eb->buffer_count; 610 unsigned int pin_flags = PIN_USER | PIN_NONBLOCK; 611 struct list_head last; 612 struct eb_vma *ev; 613 unsigned int i, pass; 614 int err = 0; 615 616 /* 617 * Attempt to pin all of the buffers into the GTT. 618 * This is done in 3 phases: 619 * 620 * 1a. Unbind all objects that do not match the GTT constraints for 621 * the execbuffer (fenceable, mappable, alignment etc). 622 * 1b. Increment pin count for already bound objects. 623 * 2. Bind new objects. 624 * 3. Decrement pin count. 625 * 626 * This avoid unnecessary unbinding of later objects in order to make 627 * room for the earlier objects *unless* we need to defragment. 628 */ 629 630 if (mutex_lock_interruptible(&eb->i915->drm.struct_mutex)) 631 return -EINTR; 632 633 pass = 0; 634 do { 635 list_for_each_entry(ev, &eb->unbound, bind_link) { 636 err = eb_reserve_vma(eb, ev, pin_flags); 637 if (err) 638 break; 639 } 640 if (!(err == -ENOSPC || err == -EAGAIN)) 641 break; 642 643 /* Resort *all* the objects into priority order */ 644 INIT_LIST_HEAD(&eb->unbound); 645 INIT_LIST_HEAD(&last); 646 for (i = 0; i < count; i++) { 647 unsigned int flags; 648 649 ev = &eb->vma[i]; 650 flags = ev->flags; 651 if (flags & EXEC_OBJECT_PINNED && 652 flags & __EXEC_OBJECT_HAS_PIN) 653 continue; 654 655 eb_unreserve_vma(ev); 656 657 if (flags & EXEC_OBJECT_PINNED) 658 /* Pinned must have their slot */ 659 list_add(&ev->bind_link, &eb->unbound); 660 else if (flags & __EXEC_OBJECT_NEEDS_MAP) 661 /* Map require the lowest 256MiB (aperture) */ 662 list_add_tail(&ev->bind_link, &eb->unbound); 663 else if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS)) 664 /* Prioritise 4GiB region for restricted bo */ 665 list_add(&ev->bind_link, &last); 666 else 667 list_add_tail(&ev->bind_link, &last); 668 } 669 list_splice_tail(&last, &eb->unbound); 670 671 if (err == -EAGAIN) { 672 mutex_unlock(&eb->i915->drm.struct_mutex); 673 flush_workqueue(eb->i915->mm.userptr_wq); 674 mutex_lock(&eb->i915->drm.struct_mutex); 675 continue; 676 } 677 678 switch (pass++) { 679 case 0: 680 break; 681 682 case 1: 683 /* Too fragmented, unbind everything and retry */ 684 mutex_lock(&eb->context->vm->mutex); 685 err = i915_gem_evict_vm(eb->context->vm); 686 mutex_unlock(&eb->context->vm->mutex); 687 if (err) 688 goto unlock; 689 break; 690 691 default: 692 err = -ENOSPC; 693 goto unlock; 694 } 695 696 pin_flags = PIN_USER; 697 } while (1); 698 699 unlock: 700 mutex_unlock(&eb->i915->drm.struct_mutex); 701 return err; 702 } 703 704 static unsigned int eb_batch_index(const struct i915_execbuffer *eb) 705 { 706 if (eb->args->flags & I915_EXEC_BATCH_FIRST) 707 return 0; 708 else 709 return eb->buffer_count - 1; 710 } 711 712 static int eb_select_context(struct i915_execbuffer *eb) 713 { 714 struct i915_gem_context *ctx; 715 716 ctx = i915_gem_context_lookup(eb->file->driver_priv, eb->args->rsvd1); 717 if (unlikely(!ctx)) 718 return -ENOENT; 719 720 eb->gem_context = ctx; 721 if (rcu_access_pointer(ctx->vm)) 722 eb->invalid_flags |= EXEC_OBJECT_NEEDS_GTT; 723 724 eb->context_flags = 0; 725 if (test_bit(UCONTEXT_NO_ZEROMAP, &ctx->user_flags)) 726 eb->context_flags |= __EXEC_OBJECT_NEEDS_BIAS; 727 728 return 0; 729 } 730 731 static int eb_lookup_vmas(struct i915_execbuffer *eb) 732 { 733 struct radix_tree_root *handles_vma = &eb->gem_context->handles_vma; 734 struct drm_i915_gem_object *obj; 735 unsigned int i, batch; 736 int err; 737 738 if (unlikely(i915_gem_context_is_closed(eb->gem_context))) 739 return -ENOENT; 740 741 INIT_LIST_HEAD(&eb->relocs); 742 INIT_LIST_HEAD(&eb->unbound); 743 744 batch = eb_batch_index(eb); 745 746 for (i = 0; i < eb->buffer_count; i++) { 747 u32 handle = eb->exec[i].handle; 748 struct i915_lut_handle *lut; 749 struct i915_vma *vma; 750 751 vma = radix_tree_lookup(handles_vma, handle); 752 if (likely(vma)) 753 goto add_vma; 754 755 obj = i915_gem_object_lookup(eb->file, handle); 756 if (unlikely(!obj)) { 757 err = -ENOENT; 758 goto err_vma; 759 } 760 761 vma = i915_vma_instance(obj, eb->context->vm, NULL); 762 if (IS_ERR(vma)) { 763 err = PTR_ERR(vma); 764 goto err_obj; 765 } 766 767 lut = i915_lut_handle_alloc(); 768 if (unlikely(!lut)) { 769 err = -ENOMEM; 770 goto err_obj; 771 } 772 773 err = radix_tree_insert(handles_vma, handle, vma); 774 if (unlikely(err)) { 775 i915_lut_handle_free(lut); 776 goto err_obj; 777 } 778 779 /* transfer ref to lut */ 780 if (!atomic_fetch_inc(&vma->open_count)) 781 i915_vma_reopen(vma); 782 lut->handle = handle; 783 lut->ctx = eb->gem_context; 784 785 i915_gem_object_lock(obj); 786 list_add(&lut->obj_link, &obj->lut_list); 787 i915_gem_object_unlock(obj); 788 789 add_vma: 790 err = eb_validate_vma(eb, &eb->exec[i], vma); 791 if (unlikely(err)) 792 goto err_vma; 793 794 eb_add_vma(eb, i, batch, vma); 795 } 796 797 return 0; 798 799 err_obj: 800 i915_gem_object_put(obj); 801 err_vma: 802 eb->vma[i].vma = NULL; 803 return err; 804 } 805 806 static struct eb_vma * 807 eb_get_vma(const struct i915_execbuffer *eb, unsigned long handle) 808 { 809 if (eb->lut_size < 0) { 810 if (handle >= -eb->lut_size) 811 return NULL; 812 return &eb->vma[handle]; 813 } else { 814 struct hlist_head *head; 815 struct eb_vma *ev; 816 817 head = &eb->buckets[hash_32(handle, eb->lut_size)]; 818 hlist_for_each_entry(ev, head, node) { 819 if (ev->handle == handle) 820 return ev; 821 } 822 return NULL; 823 } 824 } 825 826 static void eb_release_vmas(const struct i915_execbuffer *eb) 827 { 828 const unsigned int count = eb->buffer_count; 829 unsigned int i; 830 831 for (i = 0; i < count; i++) { 832 struct eb_vma *ev = &eb->vma[i]; 833 struct i915_vma *vma = ev->vma; 834 835 if (!vma) 836 break; 837 838 eb->vma[i].vma = NULL; 839 840 if (ev->flags & __EXEC_OBJECT_HAS_PIN) 841 __eb_unreserve_vma(vma, ev->flags); 842 843 i915_vma_put(vma); 844 } 845 } 846 847 static void eb_destroy(const struct i915_execbuffer *eb) 848 { 849 GEM_BUG_ON(eb->reloc_cache.rq); 850 851 if (eb->lut_size > 0) 852 kfree(eb->buckets); 853 } 854 855 static inline u64 856 relocation_target(const struct drm_i915_gem_relocation_entry *reloc, 857 const struct i915_vma *target) 858 { 859 return gen8_canonical_addr((int)reloc->delta + target->node.start); 860 } 861 862 static void reloc_cache_init(struct reloc_cache *cache, 863 struct drm_i915_private *i915) 864 { 865 cache->page = -1; 866 cache->vaddr = 0; 867 /* Must be a variable in the struct to allow GCC to unroll. */ 868 cache->gen = INTEL_GEN(i915); 869 cache->has_llc = HAS_LLC(i915); 870 cache->use_64bit_reloc = HAS_64BIT_RELOC(i915); 871 cache->has_fence = cache->gen < 4; 872 cache->needs_unfenced = INTEL_INFO(i915)->unfenced_needs_alignment; 873 cache->node.flags = 0; 874 cache->rq = NULL; 875 cache->rq_size = 0; 876 } 877 878 static inline void *unmask_page(unsigned long p) 879 { 880 return (void *)(uintptr_t)(p & PAGE_MASK); 881 } 882 883 static inline unsigned int unmask_flags(unsigned long p) 884 { 885 return p & ~PAGE_MASK; 886 } 887 888 #define KMAP 0x4 /* after CLFLUSH_FLAGS */ 889 890 static inline struct i915_ggtt *cache_to_ggtt(struct reloc_cache *cache) 891 { 892 struct drm_i915_private *i915 = 893 container_of(cache, struct i915_execbuffer, reloc_cache)->i915; 894 return &i915->ggtt; 895 } 896 897 static void reloc_gpu_flush(struct reloc_cache *cache) 898 { 899 struct drm_i915_gem_object *obj = cache->rq->batch->obj; 900 901 GEM_BUG_ON(cache->rq_size >= obj->base.size / sizeof(u32)); 902 cache->rq_cmd[cache->rq_size] = MI_BATCH_BUFFER_END; 903 904 __i915_gem_object_flush_map(obj, 0, sizeof(u32) * (cache->rq_size + 1)); 905 i915_gem_object_unpin_map(obj); 906 907 intel_gt_chipset_flush(cache->rq->engine->gt); 908 909 i915_request_add(cache->rq); 910 cache->rq = NULL; 911 } 912 913 static void reloc_cache_reset(struct reloc_cache *cache) 914 { 915 void *vaddr; 916 917 if (cache->rq) 918 reloc_gpu_flush(cache); 919 920 if (!cache->vaddr) 921 return; 922 923 vaddr = unmask_page(cache->vaddr); 924 if (cache->vaddr & KMAP) { 925 if (cache->vaddr & CLFLUSH_AFTER) 926 mb(); 927 928 kunmap_atomic(vaddr); 929 i915_gem_object_finish_access((struct drm_i915_gem_object *)cache->node.mm); 930 } else { 931 struct i915_ggtt *ggtt = cache_to_ggtt(cache); 932 933 intel_gt_flush_ggtt_writes(ggtt->vm.gt); 934 io_mapping_unmap_atomic((void __iomem *)vaddr); 935 936 if (drm_mm_node_allocated(&cache->node)) { 937 ggtt->vm.clear_range(&ggtt->vm, 938 cache->node.start, 939 cache->node.size); 940 mutex_lock(&ggtt->vm.mutex); 941 drm_mm_remove_node(&cache->node); 942 mutex_unlock(&ggtt->vm.mutex); 943 } else { 944 i915_vma_unpin((struct i915_vma *)cache->node.mm); 945 } 946 } 947 948 cache->vaddr = 0; 949 cache->page = -1; 950 } 951 952 static void *reloc_kmap(struct drm_i915_gem_object *obj, 953 struct reloc_cache *cache, 954 unsigned long page) 955 { 956 void *vaddr; 957 958 if (cache->vaddr) { 959 kunmap_atomic(unmask_page(cache->vaddr)); 960 } else { 961 unsigned int flushes; 962 int err; 963 964 err = i915_gem_object_prepare_write(obj, &flushes); 965 if (err) 966 return ERR_PTR(err); 967 968 BUILD_BUG_ON(KMAP & CLFLUSH_FLAGS); 969 BUILD_BUG_ON((KMAP | CLFLUSH_FLAGS) & PAGE_MASK); 970 971 cache->vaddr = flushes | KMAP; 972 cache->node.mm = (void *)obj; 973 if (flushes) 974 mb(); 975 } 976 977 vaddr = kmap_atomic(i915_gem_object_get_dirty_page(obj, page)); 978 cache->vaddr = unmask_flags(cache->vaddr) | (unsigned long)vaddr; 979 cache->page = page; 980 981 return vaddr; 982 } 983 984 static void *reloc_iomap(struct drm_i915_gem_object *obj, 985 struct reloc_cache *cache, 986 unsigned long page) 987 { 988 struct i915_ggtt *ggtt = cache_to_ggtt(cache); 989 unsigned long offset; 990 void *vaddr; 991 992 if (cache->vaddr) { 993 intel_gt_flush_ggtt_writes(ggtt->vm.gt); 994 io_mapping_unmap_atomic((void __force __iomem *) unmask_page(cache->vaddr)); 995 } else { 996 struct i915_vma *vma; 997 int err; 998 999 if (i915_gem_object_is_tiled(obj)) 1000 return ERR_PTR(-EINVAL); 1001 1002 if (use_cpu_reloc(cache, obj)) 1003 return NULL; 1004 1005 i915_gem_object_lock(obj); 1006 err = i915_gem_object_set_to_gtt_domain(obj, true); 1007 i915_gem_object_unlock(obj); 1008 if (err) 1009 return ERR_PTR(err); 1010 1011 vma = i915_gem_object_ggtt_pin(obj, NULL, 0, 0, 1012 PIN_MAPPABLE | 1013 PIN_NONBLOCK /* NOWARN */ | 1014 PIN_NOEVICT); 1015 if (IS_ERR(vma)) { 1016 memset(&cache->node, 0, sizeof(cache->node)); 1017 mutex_lock(&ggtt->vm.mutex); 1018 err = drm_mm_insert_node_in_range 1019 (&ggtt->vm.mm, &cache->node, 1020 PAGE_SIZE, 0, I915_COLOR_UNEVICTABLE, 1021 0, ggtt->mappable_end, 1022 DRM_MM_INSERT_LOW); 1023 mutex_unlock(&ggtt->vm.mutex); 1024 if (err) /* no inactive aperture space, use cpu reloc */ 1025 return NULL; 1026 } else { 1027 cache->node.start = vma->node.start; 1028 cache->node.mm = (void *)vma; 1029 } 1030 } 1031 1032 offset = cache->node.start; 1033 if (drm_mm_node_allocated(&cache->node)) { 1034 ggtt->vm.insert_page(&ggtt->vm, 1035 i915_gem_object_get_dma_address(obj, page), 1036 offset, I915_CACHE_NONE, 0); 1037 } else { 1038 offset += page << PAGE_SHIFT; 1039 } 1040 1041 vaddr = (void __force *)io_mapping_map_atomic_wc(&ggtt->iomap, 1042 offset); 1043 cache->page = page; 1044 cache->vaddr = (unsigned long)vaddr; 1045 1046 return vaddr; 1047 } 1048 1049 static void *reloc_vaddr(struct drm_i915_gem_object *obj, 1050 struct reloc_cache *cache, 1051 unsigned long page) 1052 { 1053 void *vaddr; 1054 1055 if (cache->page == page) { 1056 vaddr = unmask_page(cache->vaddr); 1057 } else { 1058 vaddr = NULL; 1059 if ((cache->vaddr & KMAP) == 0) 1060 vaddr = reloc_iomap(obj, cache, page); 1061 if (!vaddr) 1062 vaddr = reloc_kmap(obj, cache, page); 1063 } 1064 1065 return vaddr; 1066 } 1067 1068 static void clflush_write32(u32 *addr, u32 value, unsigned int flushes) 1069 { 1070 if (unlikely(flushes & (CLFLUSH_BEFORE | CLFLUSH_AFTER))) { 1071 if (flushes & CLFLUSH_BEFORE) { 1072 clflushopt(addr); 1073 mb(); 1074 } 1075 1076 *addr = value; 1077 1078 /* 1079 * Writes to the same cacheline are serialised by the CPU 1080 * (including clflush). On the write path, we only require 1081 * that it hits memory in an orderly fashion and place 1082 * mb barriers at the start and end of the relocation phase 1083 * to ensure ordering of clflush wrt to the system. 1084 */ 1085 if (flushes & CLFLUSH_AFTER) 1086 clflushopt(addr); 1087 } else 1088 *addr = value; 1089 } 1090 1091 static int reloc_move_to_gpu(struct i915_request *rq, struct i915_vma *vma) 1092 { 1093 struct drm_i915_gem_object *obj = vma->obj; 1094 int err; 1095 1096 i915_vma_lock(vma); 1097 1098 if (obj->cache_dirty & ~obj->cache_coherent) 1099 i915_gem_clflush_object(obj, 0); 1100 obj->write_domain = 0; 1101 1102 err = i915_request_await_object(rq, vma->obj, true); 1103 if (err == 0) 1104 err = i915_vma_move_to_active(vma, rq, EXEC_OBJECT_WRITE); 1105 1106 i915_vma_unlock(vma); 1107 1108 return err; 1109 } 1110 1111 static int __reloc_gpu_alloc(struct i915_execbuffer *eb, 1112 struct i915_vma *vma, 1113 unsigned int len) 1114 { 1115 struct reloc_cache *cache = &eb->reloc_cache; 1116 struct intel_engine_pool_node *pool; 1117 struct i915_request *rq; 1118 struct i915_vma *batch; 1119 u32 *cmd; 1120 int err; 1121 1122 pool = intel_engine_get_pool(eb->engine, PAGE_SIZE); 1123 if (IS_ERR(pool)) 1124 return PTR_ERR(pool); 1125 1126 cmd = i915_gem_object_pin_map(pool->obj, 1127 cache->has_llc ? 1128 I915_MAP_FORCE_WB : 1129 I915_MAP_FORCE_WC); 1130 if (IS_ERR(cmd)) { 1131 err = PTR_ERR(cmd); 1132 goto out_pool; 1133 } 1134 1135 batch = i915_vma_instance(pool->obj, vma->vm, NULL); 1136 if (IS_ERR(batch)) { 1137 err = PTR_ERR(batch); 1138 goto err_unmap; 1139 } 1140 1141 err = i915_vma_pin(batch, 0, 0, PIN_USER | PIN_NONBLOCK); 1142 if (err) 1143 goto err_unmap; 1144 1145 rq = i915_request_create(eb->context); 1146 if (IS_ERR(rq)) { 1147 err = PTR_ERR(rq); 1148 goto err_unpin; 1149 } 1150 1151 err = intel_engine_pool_mark_active(pool, rq); 1152 if (err) 1153 goto err_request; 1154 1155 err = reloc_move_to_gpu(rq, vma); 1156 if (err) 1157 goto err_request; 1158 1159 err = eb->engine->emit_bb_start(rq, 1160 batch->node.start, PAGE_SIZE, 1161 cache->gen > 5 ? 0 : I915_DISPATCH_SECURE); 1162 if (err) 1163 goto skip_request; 1164 1165 i915_vma_lock(batch); 1166 err = i915_request_await_object(rq, batch->obj, false); 1167 if (err == 0) 1168 err = i915_vma_move_to_active(batch, rq, 0); 1169 i915_vma_unlock(batch); 1170 if (err) 1171 goto skip_request; 1172 1173 rq->batch = batch; 1174 i915_vma_unpin(batch); 1175 1176 cache->rq = rq; 1177 cache->rq_cmd = cmd; 1178 cache->rq_size = 0; 1179 1180 /* Return with batch mapping (cmd) still pinned */ 1181 goto out_pool; 1182 1183 skip_request: 1184 i915_request_set_error_once(rq, err); 1185 err_request: 1186 i915_request_add(rq); 1187 err_unpin: 1188 i915_vma_unpin(batch); 1189 err_unmap: 1190 i915_gem_object_unpin_map(pool->obj); 1191 out_pool: 1192 intel_engine_pool_put(pool); 1193 return err; 1194 } 1195 1196 static u32 *reloc_gpu(struct i915_execbuffer *eb, 1197 struct i915_vma *vma, 1198 unsigned int len) 1199 { 1200 struct reloc_cache *cache = &eb->reloc_cache; 1201 u32 *cmd; 1202 1203 if (cache->rq_size > PAGE_SIZE/sizeof(u32) - (len + 1)) 1204 reloc_gpu_flush(cache); 1205 1206 if (unlikely(!cache->rq)) { 1207 int err; 1208 1209 if (!intel_engine_can_store_dword(eb->engine)) 1210 return ERR_PTR(-ENODEV); 1211 1212 err = __reloc_gpu_alloc(eb, vma, len); 1213 if (unlikely(err)) 1214 return ERR_PTR(err); 1215 } 1216 1217 cmd = cache->rq_cmd + cache->rq_size; 1218 cache->rq_size += len; 1219 1220 return cmd; 1221 } 1222 1223 static u64 1224 relocate_entry(struct i915_vma *vma, 1225 const struct drm_i915_gem_relocation_entry *reloc, 1226 struct i915_execbuffer *eb, 1227 const struct i915_vma *target) 1228 { 1229 u64 offset = reloc->offset; 1230 u64 target_offset = relocation_target(reloc, target); 1231 bool wide = eb->reloc_cache.use_64bit_reloc; 1232 void *vaddr; 1233 1234 if (!eb->reloc_cache.vaddr && 1235 (DBG_FORCE_RELOC == FORCE_GPU_RELOC || 1236 !dma_resv_test_signaled_rcu(vma->resv, true))) { 1237 const unsigned int gen = eb->reloc_cache.gen; 1238 unsigned int len; 1239 u32 *batch; 1240 u64 addr; 1241 1242 if (wide) 1243 len = offset & 7 ? 8 : 5; 1244 else if (gen >= 4) 1245 len = 4; 1246 else 1247 len = 3; 1248 1249 batch = reloc_gpu(eb, vma, len); 1250 if (IS_ERR(batch)) 1251 goto repeat; 1252 1253 addr = gen8_canonical_addr(vma->node.start + offset); 1254 if (wide) { 1255 if (offset & 7) { 1256 *batch++ = MI_STORE_DWORD_IMM_GEN4; 1257 *batch++ = lower_32_bits(addr); 1258 *batch++ = upper_32_bits(addr); 1259 *batch++ = lower_32_bits(target_offset); 1260 1261 addr = gen8_canonical_addr(addr + 4); 1262 1263 *batch++ = MI_STORE_DWORD_IMM_GEN4; 1264 *batch++ = lower_32_bits(addr); 1265 *batch++ = upper_32_bits(addr); 1266 *batch++ = upper_32_bits(target_offset); 1267 } else { 1268 *batch++ = (MI_STORE_DWORD_IMM_GEN4 | (1 << 21)) + 1; 1269 *batch++ = lower_32_bits(addr); 1270 *batch++ = upper_32_bits(addr); 1271 *batch++ = lower_32_bits(target_offset); 1272 *batch++ = upper_32_bits(target_offset); 1273 } 1274 } else if (gen >= 6) { 1275 *batch++ = MI_STORE_DWORD_IMM_GEN4; 1276 *batch++ = 0; 1277 *batch++ = addr; 1278 *batch++ = target_offset; 1279 } else if (gen >= 4) { 1280 *batch++ = MI_STORE_DWORD_IMM_GEN4 | MI_USE_GGTT; 1281 *batch++ = 0; 1282 *batch++ = addr; 1283 *batch++ = target_offset; 1284 } else { 1285 *batch++ = MI_STORE_DWORD_IMM | MI_MEM_VIRTUAL; 1286 *batch++ = addr; 1287 *batch++ = target_offset; 1288 } 1289 1290 goto out; 1291 } 1292 1293 repeat: 1294 vaddr = reloc_vaddr(vma->obj, &eb->reloc_cache, offset >> PAGE_SHIFT); 1295 if (IS_ERR(vaddr)) 1296 return PTR_ERR(vaddr); 1297 1298 clflush_write32(vaddr + offset_in_page(offset), 1299 lower_32_bits(target_offset), 1300 eb->reloc_cache.vaddr); 1301 1302 if (wide) { 1303 offset += sizeof(u32); 1304 target_offset >>= 32; 1305 wide = false; 1306 goto repeat; 1307 } 1308 1309 out: 1310 return target->node.start | UPDATE; 1311 } 1312 1313 static u64 1314 eb_relocate_entry(struct i915_execbuffer *eb, 1315 struct eb_vma *ev, 1316 const struct drm_i915_gem_relocation_entry *reloc) 1317 { 1318 struct drm_i915_private *i915 = eb->i915; 1319 struct eb_vma *target; 1320 int err; 1321 1322 /* we've already hold a reference to all valid objects */ 1323 target = eb_get_vma(eb, reloc->target_handle); 1324 if (unlikely(!target)) 1325 return -ENOENT; 1326 1327 /* Validate that the target is in a valid r/w GPU domain */ 1328 if (unlikely(reloc->write_domain & (reloc->write_domain - 1))) { 1329 drm_dbg(&i915->drm, "reloc with multiple write domains: " 1330 "target %d offset %d " 1331 "read %08x write %08x", 1332 reloc->target_handle, 1333 (int) reloc->offset, 1334 reloc->read_domains, 1335 reloc->write_domain); 1336 return -EINVAL; 1337 } 1338 if (unlikely((reloc->write_domain | reloc->read_domains) 1339 & ~I915_GEM_GPU_DOMAINS)) { 1340 drm_dbg(&i915->drm, "reloc with read/write non-GPU domains: " 1341 "target %d offset %d " 1342 "read %08x write %08x", 1343 reloc->target_handle, 1344 (int) reloc->offset, 1345 reloc->read_domains, 1346 reloc->write_domain); 1347 return -EINVAL; 1348 } 1349 1350 if (reloc->write_domain) { 1351 target->flags |= EXEC_OBJECT_WRITE; 1352 1353 /* 1354 * Sandybridge PPGTT errata: We need a global gtt mapping 1355 * for MI and pipe_control writes because the gpu doesn't 1356 * properly redirect them through the ppgtt for non_secure 1357 * batchbuffers. 1358 */ 1359 if (reloc->write_domain == I915_GEM_DOMAIN_INSTRUCTION && 1360 IS_GEN(eb->i915, 6)) { 1361 err = i915_vma_bind(target->vma, 1362 target->vma->obj->cache_level, 1363 PIN_GLOBAL, NULL); 1364 if (WARN_ONCE(err, 1365 "Unexpected failure to bind target VMA!")) 1366 return err; 1367 } 1368 } 1369 1370 /* 1371 * If the relocation already has the right value in it, no 1372 * more work needs to be done. 1373 */ 1374 if (!DBG_FORCE_RELOC && 1375 gen8_canonical_addr(target->vma->node.start) == reloc->presumed_offset) 1376 return 0; 1377 1378 /* Check that the relocation address is valid... */ 1379 if (unlikely(reloc->offset > 1380 ev->vma->size - (eb->reloc_cache.use_64bit_reloc ? 8 : 4))) { 1381 drm_dbg(&i915->drm, "Relocation beyond object bounds: " 1382 "target %d offset %d size %d.\n", 1383 reloc->target_handle, 1384 (int)reloc->offset, 1385 (int)ev->vma->size); 1386 return -EINVAL; 1387 } 1388 if (unlikely(reloc->offset & 3)) { 1389 drm_dbg(&i915->drm, "Relocation not 4-byte aligned: " 1390 "target %d offset %d.\n", 1391 reloc->target_handle, 1392 (int)reloc->offset); 1393 return -EINVAL; 1394 } 1395 1396 /* 1397 * If we write into the object, we need to force the synchronisation 1398 * barrier, either with an asynchronous clflush or if we executed the 1399 * patching using the GPU (though that should be serialised by the 1400 * timeline). To be completely sure, and since we are required to 1401 * do relocations we are already stalling, disable the user's opt 1402 * out of our synchronisation. 1403 */ 1404 ev->flags &= ~EXEC_OBJECT_ASYNC; 1405 1406 /* and update the user's relocation entry */ 1407 return relocate_entry(ev->vma, reloc, eb, target->vma); 1408 } 1409 1410 static int eb_relocate_vma(struct i915_execbuffer *eb, struct eb_vma *ev) 1411 { 1412 #define N_RELOC(x) ((x) / sizeof(struct drm_i915_gem_relocation_entry)) 1413 struct drm_i915_gem_relocation_entry stack[N_RELOC(512)]; 1414 struct drm_i915_gem_relocation_entry __user *urelocs; 1415 const struct drm_i915_gem_exec_object2 *entry = ev->exec; 1416 unsigned int remain; 1417 1418 urelocs = u64_to_user_ptr(entry->relocs_ptr); 1419 remain = entry->relocation_count; 1420 if (unlikely(remain > N_RELOC(ULONG_MAX))) 1421 return -EINVAL; 1422 1423 /* 1424 * We must check that the entire relocation array is safe 1425 * to read. However, if the array is not writable the user loses 1426 * the updated relocation values. 1427 */ 1428 if (unlikely(!access_ok(urelocs, remain*sizeof(*urelocs)))) 1429 return -EFAULT; 1430 1431 do { 1432 struct drm_i915_gem_relocation_entry *r = stack; 1433 unsigned int count = 1434 min_t(unsigned int, remain, ARRAY_SIZE(stack)); 1435 unsigned int copied; 1436 1437 /* 1438 * This is the fast path and we cannot handle a pagefault 1439 * whilst holding the struct mutex lest the user pass in the 1440 * relocations contained within a mmaped bo. For in such a case 1441 * we, the page fault handler would call i915_gem_fault() and 1442 * we would try to acquire the struct mutex again. Obviously 1443 * this is bad and so lockdep complains vehemently. 1444 */ 1445 copied = __copy_from_user(r, urelocs, count * sizeof(r[0])); 1446 if (unlikely(copied)) { 1447 remain = -EFAULT; 1448 goto out; 1449 } 1450 1451 remain -= count; 1452 do { 1453 u64 offset = eb_relocate_entry(eb, ev, r); 1454 1455 if (likely(offset == 0)) { 1456 } else if ((s64)offset < 0) { 1457 remain = (int)offset; 1458 goto out; 1459 } else { 1460 /* 1461 * Note that reporting an error now 1462 * leaves everything in an inconsistent 1463 * state as we have *already* changed 1464 * the relocation value inside the 1465 * object. As we have not changed the 1466 * reloc.presumed_offset or will not 1467 * change the execobject.offset, on the 1468 * call we may not rewrite the value 1469 * inside the object, leaving it 1470 * dangling and causing a GPU hang. Unless 1471 * userspace dynamically rebuilds the 1472 * relocations on each execbuf rather than 1473 * presume a static tree. 1474 * 1475 * We did previously check if the relocations 1476 * were writable (access_ok), an error now 1477 * would be a strange race with mprotect, 1478 * having already demonstrated that we 1479 * can read from this userspace address. 1480 */ 1481 offset = gen8_canonical_addr(offset & ~UPDATE); 1482 __put_user(offset, 1483 &urelocs[r - stack].presumed_offset); 1484 } 1485 } while (r++, --count); 1486 urelocs += ARRAY_SIZE(stack); 1487 } while (remain); 1488 out: 1489 reloc_cache_reset(&eb->reloc_cache); 1490 return remain; 1491 } 1492 1493 static int eb_relocate(struct i915_execbuffer *eb) 1494 { 1495 int err; 1496 1497 mutex_lock(&eb->gem_context->mutex); 1498 err = eb_lookup_vmas(eb); 1499 mutex_unlock(&eb->gem_context->mutex); 1500 if (err) 1501 return err; 1502 1503 if (!list_empty(&eb->unbound)) { 1504 err = eb_reserve(eb); 1505 if (err) 1506 return err; 1507 } 1508 1509 /* The objects are in their final locations, apply the relocations. */ 1510 if (eb->args->flags & __EXEC_HAS_RELOC) { 1511 struct eb_vma *ev; 1512 1513 list_for_each_entry(ev, &eb->relocs, reloc_link) { 1514 err = eb_relocate_vma(eb, ev); 1515 if (err) 1516 return err; 1517 } 1518 } 1519 1520 return 0; 1521 } 1522 1523 static int eb_move_to_gpu(struct i915_execbuffer *eb) 1524 { 1525 const unsigned int count = eb->buffer_count; 1526 struct ww_acquire_ctx acquire; 1527 unsigned int i; 1528 int err = 0; 1529 1530 ww_acquire_init(&acquire, &reservation_ww_class); 1531 1532 for (i = 0; i < count; i++) { 1533 struct eb_vma *ev = &eb->vma[i]; 1534 struct i915_vma *vma = ev->vma; 1535 1536 err = ww_mutex_lock_interruptible(&vma->resv->lock, &acquire); 1537 if (err == -EDEADLK) { 1538 GEM_BUG_ON(i == 0); 1539 do { 1540 int j = i - 1; 1541 1542 ww_mutex_unlock(&eb->vma[j].vma->resv->lock); 1543 1544 swap(eb->vma[i], eb->vma[j]); 1545 } while (--i); 1546 1547 err = ww_mutex_lock_slow_interruptible(&vma->resv->lock, 1548 &acquire); 1549 } 1550 if (err) 1551 break; 1552 } 1553 ww_acquire_done(&acquire); 1554 1555 while (i--) { 1556 struct eb_vma *ev = &eb->vma[i]; 1557 struct i915_vma *vma = ev->vma; 1558 unsigned int flags = ev->flags; 1559 struct drm_i915_gem_object *obj = vma->obj; 1560 1561 assert_vma_held(vma); 1562 1563 if (flags & EXEC_OBJECT_CAPTURE) { 1564 struct i915_capture_list *capture; 1565 1566 capture = kmalloc(sizeof(*capture), GFP_KERNEL); 1567 if (capture) { 1568 capture->next = eb->request->capture_list; 1569 capture->vma = vma; 1570 eb->request->capture_list = capture; 1571 } 1572 } 1573 1574 /* 1575 * If the GPU is not _reading_ through the CPU cache, we need 1576 * to make sure that any writes (both previous GPU writes from 1577 * before a change in snooping levels and normal CPU writes) 1578 * caught in that cache are flushed to main memory. 1579 * 1580 * We want to say 1581 * obj->cache_dirty && 1582 * !(obj->cache_coherent & I915_BO_CACHE_COHERENT_FOR_READ) 1583 * but gcc's optimiser doesn't handle that as well and emits 1584 * two jumps instead of one. Maybe one day... 1585 */ 1586 if (unlikely(obj->cache_dirty & ~obj->cache_coherent)) { 1587 if (i915_gem_clflush_object(obj, 0)) 1588 flags &= ~EXEC_OBJECT_ASYNC; 1589 } 1590 1591 if (err == 0 && !(flags & EXEC_OBJECT_ASYNC)) { 1592 err = i915_request_await_object 1593 (eb->request, obj, flags & EXEC_OBJECT_WRITE); 1594 } 1595 1596 if (err == 0) 1597 err = i915_vma_move_to_active(vma, eb->request, flags); 1598 1599 i915_vma_unlock(vma); 1600 1601 __eb_unreserve_vma(vma, flags); 1602 i915_vma_put(vma); 1603 1604 ev->vma = NULL; 1605 } 1606 ww_acquire_fini(&acquire); 1607 1608 if (unlikely(err)) 1609 goto err_skip; 1610 1611 eb->exec = NULL; 1612 1613 /* Unconditionally flush any chipset caches (for streaming writes). */ 1614 intel_gt_chipset_flush(eb->engine->gt); 1615 return 0; 1616 1617 err_skip: 1618 i915_request_set_error_once(eb->request, err); 1619 return err; 1620 } 1621 1622 static int i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec) 1623 { 1624 if (exec->flags & __I915_EXEC_ILLEGAL_FLAGS) 1625 return -EINVAL; 1626 1627 /* Kernel clipping was a DRI1 misfeature */ 1628 if (!(exec->flags & I915_EXEC_FENCE_ARRAY)) { 1629 if (exec->num_cliprects || exec->cliprects_ptr) 1630 return -EINVAL; 1631 } 1632 1633 if (exec->DR4 == 0xffffffff) { 1634 DRM_DEBUG("UXA submitting garbage DR4, fixing up\n"); 1635 exec->DR4 = 0; 1636 } 1637 if (exec->DR1 || exec->DR4) 1638 return -EINVAL; 1639 1640 if ((exec->batch_start_offset | exec->batch_len) & 0x7) 1641 return -EINVAL; 1642 1643 return 0; 1644 } 1645 1646 static int i915_reset_gen7_sol_offsets(struct i915_request *rq) 1647 { 1648 u32 *cs; 1649 int i; 1650 1651 if (!IS_GEN(rq->i915, 7) || rq->engine->id != RCS0) { 1652 drm_dbg(&rq->i915->drm, "sol reset is gen7/rcs only\n"); 1653 return -EINVAL; 1654 } 1655 1656 cs = intel_ring_begin(rq, 4 * 2 + 2); 1657 if (IS_ERR(cs)) 1658 return PTR_ERR(cs); 1659 1660 *cs++ = MI_LOAD_REGISTER_IMM(4); 1661 for (i = 0; i < 4; i++) { 1662 *cs++ = i915_mmio_reg_offset(GEN7_SO_WRITE_OFFSET(i)); 1663 *cs++ = 0; 1664 } 1665 *cs++ = MI_NOOP; 1666 intel_ring_advance(rq, cs); 1667 1668 return 0; 1669 } 1670 1671 static struct i915_vma * 1672 shadow_batch_pin(struct drm_i915_gem_object *obj, 1673 struct i915_address_space *vm, 1674 unsigned int flags) 1675 { 1676 struct i915_vma *vma; 1677 int err; 1678 1679 vma = i915_vma_instance(obj, vm, NULL); 1680 if (IS_ERR(vma)) 1681 return vma; 1682 1683 err = i915_vma_pin(vma, 0, 0, flags); 1684 if (err) 1685 return ERR_PTR(err); 1686 1687 return vma; 1688 } 1689 1690 struct eb_parse_work { 1691 struct dma_fence_work base; 1692 struct intel_engine_cs *engine; 1693 struct i915_vma *batch; 1694 struct i915_vma *shadow; 1695 struct i915_vma *trampoline; 1696 unsigned int batch_offset; 1697 unsigned int batch_length; 1698 }; 1699 1700 static int __eb_parse(struct dma_fence_work *work) 1701 { 1702 struct eb_parse_work *pw = container_of(work, typeof(*pw), base); 1703 1704 return intel_engine_cmd_parser(pw->engine, 1705 pw->batch, 1706 pw->batch_offset, 1707 pw->batch_length, 1708 pw->shadow, 1709 pw->trampoline); 1710 } 1711 1712 static void __eb_parse_release(struct dma_fence_work *work) 1713 { 1714 struct eb_parse_work *pw = container_of(work, typeof(*pw), base); 1715 1716 if (pw->trampoline) 1717 i915_active_release(&pw->trampoline->active); 1718 i915_active_release(&pw->shadow->active); 1719 i915_active_release(&pw->batch->active); 1720 } 1721 1722 static const struct dma_fence_work_ops eb_parse_ops = { 1723 .name = "eb_parse", 1724 .work = __eb_parse, 1725 .release = __eb_parse_release, 1726 }; 1727 1728 static int eb_parse_pipeline(struct i915_execbuffer *eb, 1729 struct i915_vma *shadow, 1730 struct i915_vma *trampoline) 1731 { 1732 struct eb_parse_work *pw; 1733 int err; 1734 1735 pw = kzalloc(sizeof(*pw), GFP_KERNEL); 1736 if (!pw) 1737 return -ENOMEM; 1738 1739 err = i915_active_acquire(&eb->batch->vma->active); 1740 if (err) 1741 goto err_free; 1742 1743 err = i915_active_acquire(&shadow->active); 1744 if (err) 1745 goto err_batch; 1746 1747 if (trampoline) { 1748 err = i915_active_acquire(&trampoline->active); 1749 if (err) 1750 goto err_shadow; 1751 } 1752 1753 dma_fence_work_init(&pw->base, &eb_parse_ops); 1754 1755 pw->engine = eb->engine; 1756 pw->batch = eb->batch->vma; 1757 pw->batch_offset = eb->batch_start_offset; 1758 pw->batch_length = eb->batch_len; 1759 pw->shadow = shadow; 1760 pw->trampoline = trampoline; 1761 1762 err = dma_resv_lock_interruptible(pw->batch->resv, NULL); 1763 if (err) 1764 goto err_trampoline; 1765 1766 err = dma_resv_reserve_shared(pw->batch->resv, 1); 1767 if (err) 1768 goto err_batch_unlock; 1769 1770 /* Wait for all writes (and relocs) into the batch to complete */ 1771 err = i915_sw_fence_await_reservation(&pw->base.chain, 1772 pw->batch->resv, NULL, false, 1773 0, I915_FENCE_GFP); 1774 if (err < 0) 1775 goto err_batch_unlock; 1776 1777 /* Keep the batch alive and unwritten as we parse */ 1778 dma_resv_add_shared_fence(pw->batch->resv, &pw->base.dma); 1779 1780 dma_resv_unlock(pw->batch->resv); 1781 1782 /* Force execution to wait for completion of the parser */ 1783 dma_resv_lock(shadow->resv, NULL); 1784 dma_resv_add_excl_fence(shadow->resv, &pw->base.dma); 1785 dma_resv_unlock(shadow->resv); 1786 1787 dma_fence_work_commit(&pw->base); 1788 return 0; 1789 1790 err_batch_unlock: 1791 dma_resv_unlock(pw->batch->resv); 1792 err_trampoline: 1793 if (trampoline) 1794 i915_active_release(&trampoline->active); 1795 err_shadow: 1796 i915_active_release(&shadow->active); 1797 err_batch: 1798 i915_active_release(&eb->batch->vma->active); 1799 err_free: 1800 kfree(pw); 1801 return err; 1802 } 1803 1804 static int eb_parse(struct i915_execbuffer *eb) 1805 { 1806 struct drm_i915_private *i915 = eb->i915; 1807 struct intel_engine_pool_node *pool; 1808 struct i915_vma *shadow, *trampoline; 1809 unsigned int len; 1810 int err; 1811 1812 if (!eb_use_cmdparser(eb)) 1813 return 0; 1814 1815 len = eb->batch_len; 1816 if (!CMDPARSER_USES_GGTT(eb->i915)) { 1817 /* 1818 * ppGTT backed shadow buffers must be mapped RO, to prevent 1819 * post-scan tampering 1820 */ 1821 if (!eb->context->vm->has_read_only) { 1822 drm_dbg(&i915->drm, 1823 "Cannot prevent post-scan tampering without RO capable vm\n"); 1824 return -EINVAL; 1825 } 1826 } else { 1827 len += I915_CMD_PARSER_TRAMPOLINE_SIZE; 1828 } 1829 1830 pool = intel_engine_get_pool(eb->engine, len); 1831 if (IS_ERR(pool)) 1832 return PTR_ERR(pool); 1833 1834 shadow = shadow_batch_pin(pool->obj, eb->context->vm, PIN_USER); 1835 if (IS_ERR(shadow)) { 1836 err = PTR_ERR(shadow); 1837 goto err; 1838 } 1839 i915_gem_object_set_readonly(shadow->obj); 1840 1841 trampoline = NULL; 1842 if (CMDPARSER_USES_GGTT(eb->i915)) { 1843 trampoline = shadow; 1844 1845 shadow = shadow_batch_pin(pool->obj, 1846 &eb->engine->gt->ggtt->vm, 1847 PIN_GLOBAL); 1848 if (IS_ERR(shadow)) { 1849 err = PTR_ERR(shadow); 1850 shadow = trampoline; 1851 goto err_shadow; 1852 } 1853 1854 eb->batch_flags |= I915_DISPATCH_SECURE; 1855 } 1856 1857 err = eb_parse_pipeline(eb, shadow, trampoline); 1858 if (err) 1859 goto err_trampoline; 1860 1861 eb->vma[eb->buffer_count].vma = i915_vma_get(shadow); 1862 eb->vma[eb->buffer_count].flags = __EXEC_OBJECT_HAS_PIN; 1863 eb->batch = &eb->vma[eb->buffer_count++]; 1864 1865 eb->trampoline = trampoline; 1866 eb->batch_start_offset = 0; 1867 1868 shadow->private = pool; 1869 return 0; 1870 1871 err_trampoline: 1872 if (trampoline) 1873 i915_vma_unpin(trampoline); 1874 err_shadow: 1875 i915_vma_unpin(shadow); 1876 err: 1877 intel_engine_pool_put(pool); 1878 return err; 1879 } 1880 1881 static void 1882 add_to_client(struct i915_request *rq, struct drm_file *file) 1883 { 1884 struct drm_i915_file_private *file_priv = file->driver_priv; 1885 1886 rq->file_priv = file_priv; 1887 1888 spin_lock(&file_priv->mm.lock); 1889 list_add_tail(&rq->client_link, &file_priv->mm.request_list); 1890 spin_unlock(&file_priv->mm.lock); 1891 } 1892 1893 static int eb_submit(struct i915_execbuffer *eb, struct i915_vma *batch) 1894 { 1895 int err; 1896 1897 err = eb_move_to_gpu(eb); 1898 if (err) 1899 return err; 1900 1901 if (eb->args->flags & I915_EXEC_GEN7_SOL_RESET) { 1902 err = i915_reset_gen7_sol_offsets(eb->request); 1903 if (err) 1904 return err; 1905 } 1906 1907 /* 1908 * After we completed waiting for other engines (using HW semaphores) 1909 * then we can signal that this request/batch is ready to run. This 1910 * allows us to determine if the batch is still waiting on the GPU 1911 * or actually running by checking the breadcrumb. 1912 */ 1913 if (eb->engine->emit_init_breadcrumb) { 1914 err = eb->engine->emit_init_breadcrumb(eb->request); 1915 if (err) 1916 return err; 1917 } 1918 1919 err = eb->engine->emit_bb_start(eb->request, 1920 batch->node.start + 1921 eb->batch_start_offset, 1922 eb->batch_len, 1923 eb->batch_flags); 1924 if (err) 1925 return err; 1926 1927 if (eb->trampoline) { 1928 GEM_BUG_ON(eb->batch_start_offset); 1929 err = eb->engine->emit_bb_start(eb->request, 1930 eb->trampoline->node.start + 1931 eb->batch_len, 1932 0, 0); 1933 if (err) 1934 return err; 1935 } 1936 1937 if (intel_context_nopreempt(eb->context)) 1938 __set_bit(I915_FENCE_FLAG_NOPREEMPT, &eb->request->fence.flags); 1939 1940 return 0; 1941 } 1942 1943 static int num_vcs_engines(const struct drm_i915_private *i915) 1944 { 1945 return hweight64(INTEL_INFO(i915)->engine_mask & 1946 GENMASK_ULL(VCS0 + I915_MAX_VCS - 1, VCS0)); 1947 } 1948 1949 /* 1950 * Find one BSD ring to dispatch the corresponding BSD command. 1951 * The engine index is returned. 1952 */ 1953 static unsigned int 1954 gen8_dispatch_bsd_engine(struct drm_i915_private *dev_priv, 1955 struct drm_file *file) 1956 { 1957 struct drm_i915_file_private *file_priv = file->driver_priv; 1958 1959 /* Check whether the file_priv has already selected one ring. */ 1960 if ((int)file_priv->bsd_engine < 0) 1961 file_priv->bsd_engine = 1962 get_random_int() % num_vcs_engines(dev_priv); 1963 1964 return file_priv->bsd_engine; 1965 } 1966 1967 static const enum intel_engine_id user_ring_map[] = { 1968 [I915_EXEC_DEFAULT] = RCS0, 1969 [I915_EXEC_RENDER] = RCS0, 1970 [I915_EXEC_BLT] = BCS0, 1971 [I915_EXEC_BSD] = VCS0, 1972 [I915_EXEC_VEBOX] = VECS0 1973 }; 1974 1975 static struct i915_request *eb_throttle(struct intel_context *ce) 1976 { 1977 struct intel_ring *ring = ce->ring; 1978 struct intel_timeline *tl = ce->timeline; 1979 struct i915_request *rq; 1980 1981 /* 1982 * Completely unscientific finger-in-the-air estimates for suitable 1983 * maximum user request size (to avoid blocking) and then backoff. 1984 */ 1985 if (intel_ring_update_space(ring) >= PAGE_SIZE) 1986 return NULL; 1987 1988 /* 1989 * Find a request that after waiting upon, there will be at least half 1990 * the ring available. The hysteresis allows us to compete for the 1991 * shared ring and should mean that we sleep less often prior to 1992 * claiming our resources, but not so long that the ring completely 1993 * drains before we can submit our next request. 1994 */ 1995 list_for_each_entry(rq, &tl->requests, link) { 1996 if (rq->ring != ring) 1997 continue; 1998 1999 if (__intel_ring_space(rq->postfix, 2000 ring->emit, ring->size) > ring->size / 2) 2001 break; 2002 } 2003 if (&rq->link == &tl->requests) 2004 return NULL; /* weird, we will check again later for real */ 2005 2006 return i915_request_get(rq); 2007 } 2008 2009 static int __eb_pin_engine(struct i915_execbuffer *eb, struct intel_context *ce) 2010 { 2011 struct intel_timeline *tl; 2012 struct i915_request *rq; 2013 int err; 2014 2015 /* 2016 * ABI: Before userspace accesses the GPU (e.g. execbuffer), report 2017 * EIO if the GPU is already wedged. 2018 */ 2019 err = intel_gt_terminally_wedged(ce->engine->gt); 2020 if (err) 2021 return err; 2022 2023 if (unlikely(intel_context_is_banned(ce))) 2024 return -EIO; 2025 2026 /* 2027 * Pinning the contexts may generate requests in order to acquire 2028 * GGTT space, so do this first before we reserve a seqno for 2029 * ourselves. 2030 */ 2031 err = intel_context_pin(ce); 2032 if (err) 2033 return err; 2034 2035 /* 2036 * Take a local wakeref for preparing to dispatch the execbuf as 2037 * we expect to access the hardware fairly frequently in the 2038 * process, and require the engine to be kept awake between accesses. 2039 * Upon dispatch, we acquire another prolonged wakeref that we hold 2040 * until the timeline is idle, which in turn releases the wakeref 2041 * taken on the engine, and the parent device. 2042 */ 2043 tl = intel_context_timeline_lock(ce); 2044 if (IS_ERR(tl)) { 2045 err = PTR_ERR(tl); 2046 goto err_unpin; 2047 } 2048 2049 intel_context_enter(ce); 2050 rq = eb_throttle(ce); 2051 2052 intel_context_timeline_unlock(tl); 2053 2054 if (rq) { 2055 bool nonblock = eb->file->filp->f_flags & O_NONBLOCK; 2056 long timeout; 2057 2058 timeout = MAX_SCHEDULE_TIMEOUT; 2059 if (nonblock) 2060 timeout = 0; 2061 2062 timeout = i915_request_wait(rq, 2063 I915_WAIT_INTERRUPTIBLE, 2064 timeout); 2065 i915_request_put(rq); 2066 2067 if (timeout < 0) { 2068 err = nonblock ? -EWOULDBLOCK : timeout; 2069 goto err_exit; 2070 } 2071 } 2072 2073 eb->engine = ce->engine; 2074 eb->context = ce; 2075 return 0; 2076 2077 err_exit: 2078 mutex_lock(&tl->mutex); 2079 intel_context_exit(ce); 2080 intel_context_timeline_unlock(tl); 2081 err_unpin: 2082 intel_context_unpin(ce); 2083 return err; 2084 } 2085 2086 static void eb_unpin_engine(struct i915_execbuffer *eb) 2087 { 2088 struct intel_context *ce = eb->context; 2089 struct intel_timeline *tl = ce->timeline; 2090 2091 mutex_lock(&tl->mutex); 2092 intel_context_exit(ce); 2093 mutex_unlock(&tl->mutex); 2094 2095 intel_context_unpin(ce); 2096 } 2097 2098 static unsigned int 2099 eb_select_legacy_ring(struct i915_execbuffer *eb, 2100 struct drm_file *file, 2101 struct drm_i915_gem_execbuffer2 *args) 2102 { 2103 struct drm_i915_private *i915 = eb->i915; 2104 unsigned int user_ring_id = args->flags & I915_EXEC_RING_MASK; 2105 2106 if (user_ring_id != I915_EXEC_BSD && 2107 (args->flags & I915_EXEC_BSD_MASK)) { 2108 drm_dbg(&i915->drm, 2109 "execbuf with non bsd ring but with invalid " 2110 "bsd dispatch flags: %d\n", (int)(args->flags)); 2111 return -1; 2112 } 2113 2114 if (user_ring_id == I915_EXEC_BSD && num_vcs_engines(i915) > 1) { 2115 unsigned int bsd_idx = args->flags & I915_EXEC_BSD_MASK; 2116 2117 if (bsd_idx == I915_EXEC_BSD_DEFAULT) { 2118 bsd_idx = gen8_dispatch_bsd_engine(i915, file); 2119 } else if (bsd_idx >= I915_EXEC_BSD_RING1 && 2120 bsd_idx <= I915_EXEC_BSD_RING2) { 2121 bsd_idx >>= I915_EXEC_BSD_SHIFT; 2122 bsd_idx--; 2123 } else { 2124 drm_dbg(&i915->drm, 2125 "execbuf with unknown bsd ring: %u\n", 2126 bsd_idx); 2127 return -1; 2128 } 2129 2130 return _VCS(bsd_idx); 2131 } 2132 2133 if (user_ring_id >= ARRAY_SIZE(user_ring_map)) { 2134 drm_dbg(&i915->drm, "execbuf with unknown ring: %u\n", 2135 user_ring_id); 2136 return -1; 2137 } 2138 2139 return user_ring_map[user_ring_id]; 2140 } 2141 2142 static int 2143 eb_pin_engine(struct i915_execbuffer *eb, 2144 struct drm_file *file, 2145 struct drm_i915_gem_execbuffer2 *args) 2146 { 2147 struct intel_context *ce; 2148 unsigned int idx; 2149 int err; 2150 2151 if (i915_gem_context_user_engines(eb->gem_context)) 2152 idx = args->flags & I915_EXEC_RING_MASK; 2153 else 2154 idx = eb_select_legacy_ring(eb, file, args); 2155 2156 ce = i915_gem_context_get_engine(eb->gem_context, idx); 2157 if (IS_ERR(ce)) 2158 return PTR_ERR(ce); 2159 2160 err = __eb_pin_engine(eb, ce); 2161 intel_context_put(ce); 2162 2163 return err; 2164 } 2165 2166 static void 2167 __free_fence_array(struct drm_syncobj **fences, unsigned int n) 2168 { 2169 while (n--) 2170 drm_syncobj_put(ptr_mask_bits(fences[n], 2)); 2171 kvfree(fences); 2172 } 2173 2174 static struct drm_syncobj ** 2175 get_fence_array(struct drm_i915_gem_execbuffer2 *args, 2176 struct drm_file *file) 2177 { 2178 const unsigned long nfences = args->num_cliprects; 2179 struct drm_i915_gem_exec_fence __user *user; 2180 struct drm_syncobj **fences; 2181 unsigned long n; 2182 int err; 2183 2184 if (!(args->flags & I915_EXEC_FENCE_ARRAY)) 2185 return NULL; 2186 2187 /* Check multiplication overflow for access_ok() and kvmalloc_array() */ 2188 BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long)); 2189 if (nfences > min_t(unsigned long, 2190 ULONG_MAX / sizeof(*user), 2191 SIZE_MAX / sizeof(*fences))) 2192 return ERR_PTR(-EINVAL); 2193 2194 user = u64_to_user_ptr(args->cliprects_ptr); 2195 if (!access_ok(user, nfences * sizeof(*user))) 2196 return ERR_PTR(-EFAULT); 2197 2198 fences = kvmalloc_array(nfences, sizeof(*fences), 2199 __GFP_NOWARN | GFP_KERNEL); 2200 if (!fences) 2201 return ERR_PTR(-ENOMEM); 2202 2203 for (n = 0; n < nfences; n++) { 2204 struct drm_i915_gem_exec_fence fence; 2205 struct drm_syncobj *syncobj; 2206 2207 if (__copy_from_user(&fence, user++, sizeof(fence))) { 2208 err = -EFAULT; 2209 goto err; 2210 } 2211 2212 if (fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS) { 2213 err = -EINVAL; 2214 goto err; 2215 } 2216 2217 syncobj = drm_syncobj_find(file, fence.handle); 2218 if (!syncobj) { 2219 DRM_DEBUG("Invalid syncobj handle provided\n"); 2220 err = -ENOENT; 2221 goto err; 2222 } 2223 2224 BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) & 2225 ~__I915_EXEC_FENCE_UNKNOWN_FLAGS); 2226 2227 fences[n] = ptr_pack_bits(syncobj, fence.flags, 2); 2228 } 2229 2230 return fences; 2231 2232 err: 2233 __free_fence_array(fences, n); 2234 return ERR_PTR(err); 2235 } 2236 2237 static void 2238 put_fence_array(struct drm_i915_gem_execbuffer2 *args, 2239 struct drm_syncobj **fences) 2240 { 2241 if (fences) 2242 __free_fence_array(fences, args->num_cliprects); 2243 } 2244 2245 static int 2246 await_fence_array(struct i915_execbuffer *eb, 2247 struct drm_syncobj **fences) 2248 { 2249 const unsigned int nfences = eb->args->num_cliprects; 2250 unsigned int n; 2251 int err; 2252 2253 for (n = 0; n < nfences; n++) { 2254 struct drm_syncobj *syncobj; 2255 struct dma_fence *fence; 2256 unsigned int flags; 2257 2258 syncobj = ptr_unpack_bits(fences[n], &flags, 2); 2259 if (!(flags & I915_EXEC_FENCE_WAIT)) 2260 continue; 2261 2262 fence = drm_syncobj_fence_get(syncobj); 2263 if (!fence) 2264 return -EINVAL; 2265 2266 err = i915_request_await_dma_fence(eb->request, fence); 2267 dma_fence_put(fence); 2268 if (err < 0) 2269 return err; 2270 } 2271 2272 return 0; 2273 } 2274 2275 static void 2276 signal_fence_array(struct i915_execbuffer *eb, 2277 struct drm_syncobj **fences) 2278 { 2279 const unsigned int nfences = eb->args->num_cliprects; 2280 struct dma_fence * const fence = &eb->request->fence; 2281 unsigned int n; 2282 2283 for (n = 0; n < nfences; n++) { 2284 struct drm_syncobj *syncobj; 2285 unsigned int flags; 2286 2287 syncobj = ptr_unpack_bits(fences[n], &flags, 2); 2288 if (!(flags & I915_EXEC_FENCE_SIGNAL)) 2289 continue; 2290 2291 drm_syncobj_replace_fence(syncobj, fence); 2292 } 2293 } 2294 2295 static void retire_requests(struct intel_timeline *tl, struct i915_request *end) 2296 { 2297 struct i915_request *rq, *rn; 2298 2299 list_for_each_entry_safe(rq, rn, &tl->requests, link) 2300 if (rq == end || !i915_request_retire(rq)) 2301 break; 2302 } 2303 2304 static void eb_request_add(struct i915_execbuffer *eb) 2305 { 2306 struct i915_request *rq = eb->request; 2307 struct intel_timeline * const tl = i915_request_timeline(rq); 2308 struct i915_sched_attr attr = {}; 2309 struct i915_request *prev; 2310 2311 lockdep_assert_held(&tl->mutex); 2312 lockdep_unpin_lock(&tl->mutex, rq->cookie); 2313 2314 trace_i915_request_add(rq); 2315 2316 prev = __i915_request_commit(rq); 2317 2318 /* Check that the context wasn't destroyed before submission */ 2319 if (likely(!intel_context_is_closed(eb->context))) { 2320 attr = eb->gem_context->sched; 2321 2322 /* 2323 * Boost actual workloads past semaphores! 2324 * 2325 * With semaphores we spin on one engine waiting for another, 2326 * simply to reduce the latency of starting our work when 2327 * the signaler completes. However, if there is any other 2328 * work that we could be doing on this engine instead, that 2329 * is better utilisation and will reduce the overall duration 2330 * of the current work. To avoid PI boosting a semaphore 2331 * far in the distance past over useful work, we keep a history 2332 * of any semaphore use along our dependency chain. 2333 */ 2334 if (!(rq->sched.flags & I915_SCHED_HAS_SEMAPHORE_CHAIN)) 2335 attr.priority |= I915_PRIORITY_NOSEMAPHORE; 2336 2337 /* 2338 * Boost priorities to new clients (new request flows). 2339 * 2340 * Allow interactive/synchronous clients to jump ahead of 2341 * the bulk clients. (FQ_CODEL) 2342 */ 2343 if (list_empty(&rq->sched.signalers_list)) 2344 attr.priority |= I915_PRIORITY_WAIT; 2345 } else { 2346 /* Serialise with context_close via the add_to_timeline */ 2347 i915_request_set_error_once(rq, -ENOENT); 2348 __i915_request_skip(rq); 2349 } 2350 2351 local_bh_disable(); 2352 __i915_request_queue(rq, &attr); 2353 local_bh_enable(); /* Kick the execlists tasklet if just scheduled */ 2354 2355 /* Try to clean up the client's timeline after submitting the request */ 2356 if (prev) 2357 retire_requests(tl, prev); 2358 2359 mutex_unlock(&tl->mutex); 2360 } 2361 2362 static int 2363 i915_gem_do_execbuffer(struct drm_device *dev, 2364 struct drm_file *file, 2365 struct drm_i915_gem_execbuffer2 *args, 2366 struct drm_i915_gem_exec_object2 *exec, 2367 struct drm_syncobj **fences) 2368 { 2369 struct drm_i915_private *i915 = to_i915(dev); 2370 struct i915_execbuffer eb; 2371 struct dma_fence *in_fence = NULL; 2372 struct dma_fence *exec_fence = NULL; 2373 struct sync_file *out_fence = NULL; 2374 struct i915_vma *batch; 2375 int out_fence_fd = -1; 2376 int err; 2377 2378 BUILD_BUG_ON(__EXEC_INTERNAL_FLAGS & ~__I915_EXEC_ILLEGAL_FLAGS); 2379 BUILD_BUG_ON(__EXEC_OBJECT_INTERNAL_FLAGS & 2380 ~__EXEC_OBJECT_UNKNOWN_FLAGS); 2381 2382 eb.i915 = i915; 2383 eb.file = file; 2384 eb.args = args; 2385 if (DBG_FORCE_RELOC || !(args->flags & I915_EXEC_NO_RELOC)) 2386 args->flags |= __EXEC_HAS_RELOC; 2387 2388 eb.exec = exec; 2389 eb.vma = (struct eb_vma *)(exec + args->buffer_count + 1); 2390 eb.vma[0].vma = NULL; 2391 2392 eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS; 2393 reloc_cache_init(&eb.reloc_cache, eb.i915); 2394 2395 eb.buffer_count = args->buffer_count; 2396 eb.batch_start_offset = args->batch_start_offset; 2397 eb.batch_len = args->batch_len; 2398 eb.trampoline = NULL; 2399 2400 eb.batch_flags = 0; 2401 if (args->flags & I915_EXEC_SECURE) { 2402 if (INTEL_GEN(i915) >= 11) 2403 return -ENODEV; 2404 2405 /* Return -EPERM to trigger fallback code on old binaries. */ 2406 if (!HAS_SECURE_BATCHES(i915)) 2407 return -EPERM; 2408 2409 if (!drm_is_current_master(file) || !capable(CAP_SYS_ADMIN)) 2410 return -EPERM; 2411 2412 eb.batch_flags |= I915_DISPATCH_SECURE; 2413 } 2414 if (args->flags & I915_EXEC_IS_PINNED) 2415 eb.batch_flags |= I915_DISPATCH_PINNED; 2416 2417 if (args->flags & I915_EXEC_FENCE_IN) { 2418 in_fence = sync_file_get_fence(lower_32_bits(args->rsvd2)); 2419 if (!in_fence) 2420 return -EINVAL; 2421 } 2422 2423 if (args->flags & I915_EXEC_FENCE_SUBMIT) { 2424 if (in_fence) { 2425 err = -EINVAL; 2426 goto err_in_fence; 2427 } 2428 2429 exec_fence = sync_file_get_fence(lower_32_bits(args->rsvd2)); 2430 if (!exec_fence) { 2431 err = -EINVAL; 2432 goto err_in_fence; 2433 } 2434 } 2435 2436 if (args->flags & I915_EXEC_FENCE_OUT) { 2437 out_fence_fd = get_unused_fd_flags(O_CLOEXEC); 2438 if (out_fence_fd < 0) { 2439 err = out_fence_fd; 2440 goto err_exec_fence; 2441 } 2442 } 2443 2444 err = eb_create(&eb); 2445 if (err) 2446 goto err_out_fence; 2447 2448 GEM_BUG_ON(!eb.lut_size); 2449 2450 err = eb_select_context(&eb); 2451 if (unlikely(err)) 2452 goto err_destroy; 2453 2454 err = eb_pin_engine(&eb, file, args); 2455 if (unlikely(err)) 2456 goto err_context; 2457 2458 err = eb_relocate(&eb); 2459 if (err) { 2460 /* 2461 * If the user expects the execobject.offset and 2462 * reloc.presumed_offset to be an exact match, 2463 * as for using NO_RELOC, then we cannot update 2464 * the execobject.offset until we have completed 2465 * relocation. 2466 */ 2467 args->flags &= ~__EXEC_HAS_RELOC; 2468 goto err_vma; 2469 } 2470 2471 if (unlikely(eb.batch->flags & EXEC_OBJECT_WRITE)) { 2472 drm_dbg(&i915->drm, 2473 "Attempting to use self-modifying batch buffer\n"); 2474 err = -EINVAL; 2475 goto err_vma; 2476 } 2477 2478 if (range_overflows_t(u64, 2479 eb.batch_start_offset, eb.batch_len, 2480 eb.batch->vma->size)) { 2481 drm_dbg(&i915->drm, "Attempting to use out-of-bounds batch\n"); 2482 err = -EINVAL; 2483 goto err_vma; 2484 } 2485 2486 if (eb.batch_len == 0) 2487 eb.batch_len = eb.batch->vma->size - eb.batch_start_offset; 2488 2489 err = eb_parse(&eb); 2490 if (err) 2491 goto err_vma; 2492 2493 /* 2494 * snb/ivb/vlv conflate the "batch in ppgtt" bit with the "non-secure 2495 * batch" bit. Hence we need to pin secure batches into the global gtt. 2496 * hsw should have this fixed, but bdw mucks it up again. */ 2497 batch = eb.batch->vma; 2498 if (eb.batch_flags & I915_DISPATCH_SECURE) { 2499 struct i915_vma *vma; 2500 2501 /* 2502 * So on first glance it looks freaky that we pin the batch here 2503 * outside of the reservation loop. But: 2504 * - The batch is already pinned into the relevant ppgtt, so we 2505 * already have the backing storage fully allocated. 2506 * - No other BO uses the global gtt (well contexts, but meh), 2507 * so we don't really have issues with multiple objects not 2508 * fitting due to fragmentation. 2509 * So this is actually safe. 2510 */ 2511 vma = i915_gem_object_ggtt_pin(batch->obj, NULL, 0, 0, 0); 2512 if (IS_ERR(vma)) { 2513 err = PTR_ERR(vma); 2514 goto err_parse; 2515 } 2516 2517 batch = vma; 2518 } 2519 2520 /* All GPU relocation batches must be submitted prior to the user rq */ 2521 GEM_BUG_ON(eb.reloc_cache.rq); 2522 2523 /* Allocate a request for this batch buffer nice and early. */ 2524 eb.request = i915_request_create(eb.context); 2525 if (IS_ERR(eb.request)) { 2526 err = PTR_ERR(eb.request); 2527 goto err_batch_unpin; 2528 } 2529 2530 if (in_fence) { 2531 err = i915_request_await_dma_fence(eb.request, in_fence); 2532 if (err < 0) 2533 goto err_request; 2534 } 2535 2536 if (exec_fence) { 2537 err = i915_request_await_execution(eb.request, exec_fence, 2538 eb.engine->bond_execute); 2539 if (err < 0) 2540 goto err_request; 2541 } 2542 2543 if (fences) { 2544 err = await_fence_array(&eb, fences); 2545 if (err) 2546 goto err_request; 2547 } 2548 2549 if (out_fence_fd != -1) { 2550 out_fence = sync_file_create(&eb.request->fence); 2551 if (!out_fence) { 2552 err = -ENOMEM; 2553 goto err_request; 2554 } 2555 } 2556 2557 /* 2558 * Whilst this request exists, batch_obj will be on the 2559 * active_list, and so will hold the active reference. Only when this 2560 * request is retired will the the batch_obj be moved onto the 2561 * inactive_list and lose its active reference. Hence we do not need 2562 * to explicitly hold another reference here. 2563 */ 2564 eb.request->batch = batch; 2565 if (batch->private) 2566 intel_engine_pool_mark_active(batch->private, eb.request); 2567 2568 trace_i915_request_queue(eb.request, eb.batch_flags); 2569 err = eb_submit(&eb, batch); 2570 err_request: 2571 add_to_client(eb.request, file); 2572 i915_request_get(eb.request); 2573 eb_request_add(&eb); 2574 2575 if (fences) 2576 signal_fence_array(&eb, fences); 2577 2578 if (out_fence) { 2579 if (err == 0) { 2580 fd_install(out_fence_fd, out_fence->file); 2581 args->rsvd2 &= GENMASK_ULL(31, 0); /* keep in-fence */ 2582 args->rsvd2 |= (u64)out_fence_fd << 32; 2583 out_fence_fd = -1; 2584 } else { 2585 fput(out_fence->file); 2586 } 2587 } 2588 i915_request_put(eb.request); 2589 2590 err_batch_unpin: 2591 if (eb.batch_flags & I915_DISPATCH_SECURE) 2592 i915_vma_unpin(batch); 2593 err_parse: 2594 if (batch->private) 2595 intel_engine_pool_put(batch->private); 2596 err_vma: 2597 if (eb.exec) 2598 eb_release_vmas(&eb); 2599 if (eb.trampoline) 2600 i915_vma_unpin(eb.trampoline); 2601 eb_unpin_engine(&eb); 2602 err_context: 2603 i915_gem_context_put(eb.gem_context); 2604 err_destroy: 2605 eb_destroy(&eb); 2606 err_out_fence: 2607 if (out_fence_fd != -1) 2608 put_unused_fd(out_fence_fd); 2609 err_exec_fence: 2610 dma_fence_put(exec_fence); 2611 err_in_fence: 2612 dma_fence_put(in_fence); 2613 return err; 2614 } 2615 2616 static size_t eb_element_size(void) 2617 { 2618 return sizeof(struct drm_i915_gem_exec_object2) + sizeof(struct eb_vma); 2619 } 2620 2621 static bool check_buffer_count(size_t count) 2622 { 2623 const size_t sz = eb_element_size(); 2624 2625 /* 2626 * When using LUT_HANDLE, we impose a limit of INT_MAX for the lookup 2627 * array size (see eb_create()). Otherwise, we can accept an array as 2628 * large as can be addressed (though use large arrays at your peril)! 2629 */ 2630 2631 return !(count < 1 || count > INT_MAX || count > SIZE_MAX / sz - 1); 2632 } 2633 2634 /* 2635 * Legacy execbuffer just creates an exec2 list from the original exec object 2636 * list array and passes it to the real function. 2637 */ 2638 int 2639 i915_gem_execbuffer_ioctl(struct drm_device *dev, void *data, 2640 struct drm_file *file) 2641 { 2642 struct drm_i915_private *i915 = to_i915(dev); 2643 struct drm_i915_gem_execbuffer *args = data; 2644 struct drm_i915_gem_execbuffer2 exec2; 2645 struct drm_i915_gem_exec_object *exec_list = NULL; 2646 struct drm_i915_gem_exec_object2 *exec2_list = NULL; 2647 const size_t count = args->buffer_count; 2648 unsigned int i; 2649 int err; 2650 2651 if (!check_buffer_count(count)) { 2652 drm_dbg(&i915->drm, "execbuf2 with %zd buffers\n", count); 2653 return -EINVAL; 2654 } 2655 2656 exec2.buffers_ptr = args->buffers_ptr; 2657 exec2.buffer_count = args->buffer_count; 2658 exec2.batch_start_offset = args->batch_start_offset; 2659 exec2.batch_len = args->batch_len; 2660 exec2.DR1 = args->DR1; 2661 exec2.DR4 = args->DR4; 2662 exec2.num_cliprects = args->num_cliprects; 2663 exec2.cliprects_ptr = args->cliprects_ptr; 2664 exec2.flags = I915_EXEC_RENDER; 2665 i915_execbuffer2_set_context_id(exec2, 0); 2666 2667 err = i915_gem_check_execbuffer(&exec2); 2668 if (err) 2669 return err; 2670 2671 /* Copy in the exec list from userland */ 2672 exec_list = kvmalloc_array(count, sizeof(*exec_list), 2673 __GFP_NOWARN | GFP_KERNEL); 2674 exec2_list = kvmalloc_array(count + 1, eb_element_size(), 2675 __GFP_NOWARN | GFP_KERNEL); 2676 if (exec_list == NULL || exec2_list == NULL) { 2677 drm_dbg(&i915->drm, 2678 "Failed to allocate exec list for %d buffers\n", 2679 args->buffer_count); 2680 kvfree(exec_list); 2681 kvfree(exec2_list); 2682 return -ENOMEM; 2683 } 2684 err = copy_from_user(exec_list, 2685 u64_to_user_ptr(args->buffers_ptr), 2686 sizeof(*exec_list) * count); 2687 if (err) { 2688 drm_dbg(&i915->drm, "copy %d exec entries failed %d\n", 2689 args->buffer_count, err); 2690 kvfree(exec_list); 2691 kvfree(exec2_list); 2692 return -EFAULT; 2693 } 2694 2695 for (i = 0; i < args->buffer_count; i++) { 2696 exec2_list[i].handle = exec_list[i].handle; 2697 exec2_list[i].relocation_count = exec_list[i].relocation_count; 2698 exec2_list[i].relocs_ptr = exec_list[i].relocs_ptr; 2699 exec2_list[i].alignment = exec_list[i].alignment; 2700 exec2_list[i].offset = exec_list[i].offset; 2701 if (INTEL_GEN(to_i915(dev)) < 4) 2702 exec2_list[i].flags = EXEC_OBJECT_NEEDS_FENCE; 2703 else 2704 exec2_list[i].flags = 0; 2705 } 2706 2707 err = i915_gem_do_execbuffer(dev, file, &exec2, exec2_list, NULL); 2708 if (exec2.flags & __EXEC_HAS_RELOC) { 2709 struct drm_i915_gem_exec_object __user *user_exec_list = 2710 u64_to_user_ptr(args->buffers_ptr); 2711 2712 /* Copy the new buffer offsets back to the user's exec list. */ 2713 for (i = 0; i < args->buffer_count; i++) { 2714 if (!(exec2_list[i].offset & UPDATE)) 2715 continue; 2716 2717 exec2_list[i].offset = 2718 gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK); 2719 exec2_list[i].offset &= PIN_OFFSET_MASK; 2720 if (__copy_to_user(&user_exec_list[i].offset, 2721 &exec2_list[i].offset, 2722 sizeof(user_exec_list[i].offset))) 2723 break; 2724 } 2725 } 2726 2727 kvfree(exec_list); 2728 kvfree(exec2_list); 2729 return err; 2730 } 2731 2732 int 2733 i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data, 2734 struct drm_file *file) 2735 { 2736 struct drm_i915_private *i915 = to_i915(dev); 2737 struct drm_i915_gem_execbuffer2 *args = data; 2738 struct drm_i915_gem_exec_object2 *exec2_list; 2739 struct drm_syncobj **fences = NULL; 2740 const size_t count = args->buffer_count; 2741 int err; 2742 2743 if (!check_buffer_count(count)) { 2744 drm_dbg(&i915->drm, "execbuf2 with %zd buffers\n", count); 2745 return -EINVAL; 2746 } 2747 2748 err = i915_gem_check_execbuffer(args); 2749 if (err) 2750 return err; 2751 2752 /* Allocate an extra slot for use by the command parser */ 2753 exec2_list = kvmalloc_array(count + 1, eb_element_size(), 2754 __GFP_NOWARN | GFP_KERNEL); 2755 if (exec2_list == NULL) { 2756 drm_dbg(&i915->drm, "Failed to allocate exec list for %zd buffers\n", 2757 count); 2758 return -ENOMEM; 2759 } 2760 if (copy_from_user(exec2_list, 2761 u64_to_user_ptr(args->buffers_ptr), 2762 sizeof(*exec2_list) * count)) { 2763 drm_dbg(&i915->drm, "copy %zd exec entries failed\n", count); 2764 kvfree(exec2_list); 2765 return -EFAULT; 2766 } 2767 2768 if (args->flags & I915_EXEC_FENCE_ARRAY) { 2769 fences = get_fence_array(args, file); 2770 if (IS_ERR(fences)) { 2771 kvfree(exec2_list); 2772 return PTR_ERR(fences); 2773 } 2774 } 2775 2776 err = i915_gem_do_execbuffer(dev, file, args, exec2_list, fences); 2777 2778 /* 2779 * Now that we have begun execution of the batchbuffer, we ignore 2780 * any new error after this point. Also given that we have already 2781 * updated the associated relocations, we try to write out the current 2782 * object locations irrespective of any error. 2783 */ 2784 if (args->flags & __EXEC_HAS_RELOC) { 2785 struct drm_i915_gem_exec_object2 __user *user_exec_list = 2786 u64_to_user_ptr(args->buffers_ptr); 2787 unsigned int i; 2788 2789 /* Copy the new buffer offsets back to the user's exec list. */ 2790 /* 2791 * Note: count * sizeof(*user_exec_list) does not overflow, 2792 * because we checked 'count' in check_buffer_count(). 2793 * 2794 * And this range already got effectively checked earlier 2795 * when we did the "copy_from_user()" above. 2796 */ 2797 if (!user_access_begin(user_exec_list, count * sizeof(*user_exec_list))) 2798 goto end; 2799 2800 for (i = 0; i < args->buffer_count; i++) { 2801 if (!(exec2_list[i].offset & UPDATE)) 2802 continue; 2803 2804 exec2_list[i].offset = 2805 gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK); 2806 unsafe_put_user(exec2_list[i].offset, 2807 &user_exec_list[i].offset, 2808 end_user); 2809 } 2810 end_user: 2811 user_access_end(); 2812 end:; 2813 } 2814 2815 args->flags &= ~__I915_EXEC_UNKNOWN_FLAGS; 2816 put_fence_array(args, fences); 2817 kvfree(exec2_list); 2818 return err; 2819 } 2820