projects / mesa.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
broadcom/vc4: Fix use-after-free for flushing when writing to a texture.
[mesa.git] / src / gallium / drivers / vc4 / vc4_job.c
1 /*
2 * Copyright © 2014-2015 Broadcom
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
13 * Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21 * IN THE SOFTWARE.
22 */
23
24 /** @file vc4_job.c
25 *
26 * Functions for submitting VC4 render jobs to the kernel.
27 */
28
29 #include <xf86drm.h>
30 #include "vc4_cl_dump.h"
31 #include "vc4_context.h"
32 #include "util/hash_table.h"
33
34 static void
35 remove_from_ht(struct hash_table *ht, void *key)
36 {
37 struct hash_entry *entry = _mesa_hash_table_search(ht, key);
38 _mesa_hash_table_remove(ht, entry);
39 }
40
41 static void
42 vc4_job_free(struct vc4_context *vc4, struct vc4_job *job)
43 {
44 struct vc4_bo **referenced_bos = job->bo_pointers.base;
45 for (int i = 0; i < cl_offset(&job->bo_handles) / 4; i++) {
46 vc4_bo_unreference(&referenced_bos[i]);
47 }
48
49 remove_from_ht(vc4->jobs, &job->key);
50
51 if (job->color_write) {
52 remove_from_ht(vc4->write_jobs, job->color_write->texture);
53 pipe_surface_reference(&job->color_write, NULL);
54 }
55 if (job->msaa_color_write) {
56 remove_from_ht(vc4->write_jobs, job->msaa_color_write->texture);
57 pipe_surface_reference(&job->msaa_color_write, NULL);
58 }
59 if (job->zs_write) {
60 remove_from_ht(vc4->write_jobs, job->zs_write->texture);
61 pipe_surface_reference(&job->zs_write, NULL);
62 }
63 if (job->msaa_zs_write) {
64 remove_from_ht(vc4->write_jobs, job->msaa_zs_write->texture);
65 pipe_surface_reference(&job->msaa_zs_write, NULL);
66 }
67
68 pipe_surface_reference(&job->color_read, NULL);
69 pipe_surface_reference(&job->zs_read, NULL);
70
71 if (vc4->job == job)
72 vc4->job = NULL;
73
74 ralloc_free(job);
75 }
76
77 static struct vc4_job *
78 vc4_job_create(struct vc4_context *vc4)
79 {
80 struct vc4_job *job = rzalloc(vc4, struct vc4_job);
81
82 vc4_init_cl(job, &job->bcl);
83 vc4_init_cl(job, &job->shader_rec);
84 vc4_init_cl(job, &job->uniforms);
85 vc4_init_cl(job, &job->bo_handles);
86 vc4_init_cl(job, &job->bo_pointers);
87
88 job->draw_min_x = ~0;
89 job->draw_min_y = ~0;
90 job->draw_max_x = 0;
91 job->draw_max_y = 0;
92
93 return job;
94 }
95
96 void
97 vc4_flush_jobs_writing_resource(struct vc4_context *vc4,
98 struct pipe_resource *prsc)
99 {
100 struct hash_entry *entry = _mesa_hash_table_search(vc4->write_jobs,
101 prsc);
102 if (entry) {
103 struct vc4_job *job = entry->data;
104 vc4_job_submit(vc4, job);
105 }
106 }
107
108 void
109 vc4_flush_jobs_reading_resource(struct vc4_context *vc4,
110 struct pipe_resource *prsc)
111 {
112 struct vc4_resource *rsc = vc4_resource(prsc);
113
114 vc4_flush_jobs_writing_resource(vc4, prsc);
115
116 struct hash_entry *entry;
117 hash_table_foreach(vc4->jobs, entry) {
118 struct vc4_job *job = entry->data;
119
120 struct vc4_bo **referenced_bos = job->bo_pointers.base;
121 bool found = false;
122 for (int i = 0; i < cl_offset(&job->bo_handles) / 4; i++) {
123 if (referenced_bos[i] == rsc->bo) {
124 found = true;
125 break;
126 }
127 }
128 if (found) {
129 vc4_job_submit(vc4, job);
130 continue;
131 }
132
133 /* Also check for the Z/color buffers, since the references to
134 * those are only added immediately before submit.
135 */
136 if (job->color_read && !(job->cleared & PIPE_CLEAR_COLOR)) {
137 struct vc4_resource *ctex =
138 vc4_resource(job->color_read->texture);
139 if (ctex->bo == rsc->bo) {
140 vc4_job_submit(vc4, job);
141 continue;
142 }
143 }
144
145 if (job->zs_read && !(job->cleared &
146 (PIPE_CLEAR_DEPTH | PIPE_CLEAR_STENCIL))) {
147 struct vc4_resource *ztex =
148 vc4_resource(job->zs_read->texture);
149 if (ztex->bo == rsc->bo) {
150 vc4_job_submit(vc4, job);
151 continue;
152 }
153 }
154 }
155 }
156
157 /**
158 * Returns a vc4_job struture for tracking V3D rendering to a particular FBO.
159 *
160 * If we've already started rendering to this FBO, then return old same job,
161 * otherwise make a new one. If we're beginning rendering to an FBO, make
162 * sure that any previous reads of the FBO (or writes to its color/Z surfaces)
163 * have been flushed.
164 */
165 struct vc4_job *
166 vc4_get_job(struct vc4_context *vc4,
167 struct pipe_surface *cbuf, struct pipe_surface *zsbuf)
168 {
169 /* Return the existing job for this FBO if we have one */
170 struct vc4_job_key local_key = {.cbuf = cbuf, .zsbuf = zsbuf};
171 struct hash_entry *entry = _mesa_hash_table_search(vc4->jobs,
172 &local_key);
173 if (entry)
174 return entry->data;
175
176 /* Creating a new job. Make sure that any previous jobs reading or
177 * writing these buffers are flushed.
178 */
179 if (cbuf)
180 vc4_flush_jobs_reading_resource(vc4, cbuf->texture);
181 if (zsbuf)
182 vc4_flush_jobs_reading_resource(vc4, zsbuf->texture);
183
184 struct vc4_job *job = vc4_job_create(vc4);
185
186 if (cbuf) {
187 if (cbuf->texture->nr_samples > 1) {
188 job->msaa = true;
189 pipe_surface_reference(&job->msaa_color_write, cbuf);
190 } else {
191 pipe_surface_reference(&job->color_write, cbuf);
192 }
193 }
194
195 if (zsbuf) {
196 if (zsbuf->texture->nr_samples > 1) {
197 job->msaa = true;
198 pipe_surface_reference(&job->msaa_zs_write, zsbuf);
199 } else {
200 pipe_surface_reference(&job->zs_write, zsbuf);
201 }
202 }
203
204 if (job->msaa) {
205 job->tile_width = 32;
206 job->tile_height = 32;
207 } else {
208 job->tile_width = 64;
209 job->tile_height = 64;
210 }
211
212 if (cbuf)
213 _mesa_hash_table_insert(vc4->write_jobs, cbuf->texture, job);
214 if (zsbuf)
215 _mesa_hash_table_insert(vc4->write_jobs, zsbuf->texture, job);
216
217 job->key.cbuf = cbuf;
218 job->key.zsbuf = zsbuf;
219 _mesa_hash_table_insert(vc4->jobs, &job->key, job);
220
221 return job;
222 }
223
224 struct vc4_job *
225 vc4_get_job_for_fbo(struct vc4_context *vc4)
226 {
227 if (vc4->job)
228 return vc4->job;
229
230 struct pipe_surface *cbuf = vc4->framebuffer.cbufs[0];
231 struct pipe_surface *zsbuf = vc4->framebuffer.zsbuf;
232 struct vc4_job *job = vc4_get_job(vc4, cbuf, zsbuf);
233
234 /* The dirty flags are tracking what's been updated while vc4->job has
235 * been bound, so set them all to ~0 when switching between jobs. We
236 * also need to reset all state at the start of rendering.
237 */
238 vc4->dirty = ~0;
239
240 /* Set up the read surfaces in the job. If they aren't actually
241 * getting read (due to a clear starting the frame), job->cleared will
242 * mask out the read.
243 */
244 pipe_surface_reference(&job->color_read, cbuf);
245 pipe_surface_reference(&job->zs_read, zsbuf);
246
247 /* If we're binding to uninitialized buffers, no need to load their
248 * contents before drawing.
249 */
250 if (cbuf) {
251 struct vc4_resource *rsc = vc4_resource(cbuf->texture);
252 if (!rsc->writes)
253 job->cleared |= PIPE_CLEAR_COLOR0;
254 }
255
256 if (zsbuf) {
257 struct vc4_resource *rsc = vc4_resource(zsbuf->texture);
258 if (!rsc->writes)
259 job->cleared |= PIPE_CLEAR_DEPTH | PIPE_CLEAR_STENCIL;
260 }
261
262 job->draw_tiles_x = DIV_ROUND_UP(vc4->framebuffer.width,
263 job->tile_width);
264 job->draw_tiles_y = DIV_ROUND_UP(vc4->framebuffer.height,
265 job->tile_height);
266
267 vc4->job = job;
268
269 return job;
270 }
271
272 static void
273 vc4_submit_setup_rcl_surface(struct vc4_job *job,
274 struct drm_vc4_submit_rcl_surface *submit_surf,
275 struct pipe_surface *psurf,
276 bool is_depth, bool is_write)
277 {
278 struct vc4_surface *surf = vc4_surface(psurf);
279
280 if (!surf)
281 return;
282
283 struct vc4_resource *rsc = vc4_resource(psurf->texture);
284 submit_surf->hindex = vc4_gem_hindex(job, rsc->bo);
285 submit_surf->offset = surf->offset;
286
287 if (psurf->texture->nr_samples <= 1) {
288 if (is_depth) {
289 submit_surf->bits =
290 VC4_SET_FIELD(VC4_LOADSTORE_TILE_BUFFER_ZS,
291 VC4_LOADSTORE_TILE_BUFFER_BUFFER);
292
293 } else {
294 submit_surf->bits =
295 VC4_SET_FIELD(VC4_LOADSTORE_TILE_BUFFER_COLOR,
296 VC4_LOADSTORE_TILE_BUFFER_BUFFER) |
297 VC4_SET_FIELD(vc4_rt_format_is_565(psurf->format) ?
298 VC4_LOADSTORE_TILE_BUFFER_BGR565 :
299 VC4_LOADSTORE_TILE_BUFFER_RGBA8888,
300 VC4_LOADSTORE_TILE_BUFFER_FORMAT);
301 }
302 submit_surf->bits |=
303 VC4_SET_FIELD(surf->tiling,
304 VC4_LOADSTORE_TILE_BUFFER_TILING);
305 } else {
306 assert(!is_write);
307 submit_surf->flags |= VC4_SUBMIT_RCL_SURFACE_READ_IS_FULL_RES;
308 }
309
310 if (is_write)
311 rsc->writes++;
312 }
313
314 static void
315 vc4_submit_setup_rcl_render_config_surface(struct vc4_job *job,
316 struct drm_vc4_submit_rcl_surface *submit_surf,
317 struct pipe_surface *psurf)
318 {
319 struct vc4_surface *surf = vc4_surface(psurf);
320
321 if (!surf)
322 return;
323
324 struct vc4_resource *rsc = vc4_resource(psurf->texture);
325 submit_surf->hindex = vc4_gem_hindex(job, rsc->bo);
326 submit_surf->offset = surf->offset;
327
328 if (psurf->texture->nr_samples <= 1) {
329 submit_surf->bits =
330 VC4_SET_FIELD(vc4_rt_format_is_565(surf->base.format) ?
331 VC4_RENDER_CONFIG_FORMAT_BGR565 :
332 VC4_RENDER_CONFIG_FORMAT_RGBA8888,
333 VC4_RENDER_CONFIG_FORMAT) |
334 VC4_SET_FIELD(surf->tiling,
335 VC4_RENDER_CONFIG_MEMORY_FORMAT);
336 }
337
338 rsc->writes++;
339 }
340
341 static void
342 vc4_submit_setup_rcl_msaa_surface(struct vc4_job *job,
343 struct drm_vc4_submit_rcl_surface *submit_surf,
344 struct pipe_surface *psurf)
345 {
346 struct vc4_surface *surf = vc4_surface(psurf);
347
348 if (!surf)
349 return;
350
351 struct vc4_resource *rsc = vc4_resource(psurf->texture);
352 submit_surf->hindex = vc4_gem_hindex(job, rsc->bo);
353 submit_surf->offset = surf->offset;
354 submit_surf->bits = 0;
355 rsc->writes++;
356 }
357
358 /**
359 * Submits the job to the kernel and then reinitializes it.
360 */
361 void
362 vc4_job_submit(struct vc4_context *vc4, struct vc4_job *job)
363 {
364 if (!job->needs_flush)
365 goto done;
366
367 /* The RCL setup would choke if the draw bounds cause no drawing, so
368 * just drop the drawing if that's the case.
369 */
370 if (job->draw_max_x <= job->draw_min_x ||
371 job->draw_max_y <= job->draw_min_y) {
372 goto done;
373 }
374
375 if (vc4_debug & VC4_DEBUG_CL) {
376 fprintf(stderr, "BCL:\n");
377 vc4_dump_cl(job->bcl.base, cl_offset(&job->bcl), false);
378 }
379
380 if (cl_offset(&job->bcl) > 0) {
381 /* Increment the semaphore indicating that binning is done and
382 * unblocking the render thread. Note that this doesn't act
383 * until the FLUSH completes.
384 */
385 cl_ensure_space(&job->bcl, 8);
386 cl_emit(&job->bcl, INCREMENT_SEMAPHORE, incr);
387 /* The FLUSH caps all of our bin lists with a
388 * VC4_PACKET_RETURN.
389 */
390 cl_emit(&job->bcl, FLUSH, flush);
391 }
392 struct drm_vc4_submit_cl submit = {
393 .color_read.hindex = ~0,
394 .zs_read.hindex = ~0,
395 .color_write.hindex = ~0,
396 .msaa_color_write.hindex = ~0,
397 .zs_write.hindex = ~0,
398 .msaa_zs_write.hindex = ~0,
399 };
400
401 cl_ensure_space(&job->bo_handles, 6 * sizeof(uint32_t));
402 cl_ensure_space(&job->bo_pointers, 6 * sizeof(struct vc4_bo *));
403
404 if (job->resolve & PIPE_CLEAR_COLOR) {
405 if (!(job->cleared & PIPE_CLEAR_COLOR)) {
406 vc4_submit_setup_rcl_surface(job, &submit.color_read,
407 job->color_read,
408 false, false);
409 }
410 vc4_submit_setup_rcl_render_config_surface(job,
411 &submit.color_write,
412 job->color_write);
413 vc4_submit_setup_rcl_msaa_surface(job,
414 &submit.msaa_color_write,
415 job->msaa_color_write);
416 }
417 if (job->resolve & (PIPE_CLEAR_DEPTH | PIPE_CLEAR_STENCIL)) {
418 if (!(job->cleared & (PIPE_CLEAR_DEPTH | PIPE_CLEAR_STENCIL))) {
419 vc4_submit_setup_rcl_surface(job, &submit.zs_read,
420 job->zs_read, true, false);
421 }
422 vc4_submit_setup_rcl_surface(job, &submit.zs_write,
423 job->zs_write, true, true);
424 vc4_submit_setup_rcl_msaa_surface(job, &submit.msaa_zs_write,
425 job->msaa_zs_write);
426 }
427
428 if (job->msaa) {
429 /* This bit controls how many pixels the general
430 * (i.e. subsampled) loads/stores are iterating over
431 * (multisample loads replicate out to the other samples).
432 */
433 submit.color_write.bits |= VC4_RENDER_CONFIG_MS_MODE_4X;
434 /* Controls whether color_write's
435 * VC4_PACKET_STORE_MS_TILE_BUFFER does 4x decimation
436 */
437 submit.color_write.bits |= VC4_RENDER_CONFIG_DECIMATE_MODE_4X;
438 }
439
440 submit.bo_handles = (uintptr_t)job->bo_handles.base;
441 submit.bo_handle_count = cl_offset(&job->bo_handles) / 4;
442 submit.bin_cl = (uintptr_t)job->bcl.base;
443 submit.bin_cl_size = cl_offset(&job->bcl);
444 submit.shader_rec = (uintptr_t)job->shader_rec.base;
445 submit.shader_rec_size = cl_offset(&job->shader_rec);
446 submit.shader_rec_count = job->shader_rec_count;
447 submit.uniforms = (uintptr_t)job->uniforms.base;
448 submit.uniforms_size = cl_offset(&job->uniforms);
449
450 assert(job->draw_min_x != ~0 && job->draw_min_y != ~0);
451 submit.min_x_tile = job->draw_min_x / job->tile_width;
452 submit.min_y_tile = job->draw_min_y / job->tile_height;
453 submit.max_x_tile = (job->draw_max_x - 1) / job->tile_width;
454 submit.max_y_tile = (job->draw_max_y - 1) / job->tile_height;
455 submit.width = job->draw_width;
456 submit.height = job->draw_height;
457 if (job->cleared) {
458 submit.flags |= VC4_SUBMIT_CL_USE_CLEAR_COLOR;
459 submit.clear_color[0] = job->clear_color[0];
460 submit.clear_color[1] = job->clear_color[1];
461 submit.clear_z = job->clear_depth;
462 submit.clear_s = job->clear_stencil;
463 }
464
465 if (!(vc4_debug & VC4_DEBUG_NORAST)) {
466 int ret;
467
468 #ifndef USE_VC4_SIMULATOR
469 ret = drmIoctl(vc4->fd, DRM_IOCTL_VC4_SUBMIT_CL, &submit);
470 #else
471 ret = vc4_simulator_flush(vc4, &submit, job);
472 #endif
473 static bool warned = false;
474 if (ret && !warned) {
475 fprintf(stderr, "Draw call returned %s. "
476 "Expect corruption.\n", strerror(errno));
477 warned = true;
478 } else if (!ret) {
479 vc4->last_emit_seqno = submit.seqno;
480 }
481 }
482
483 if (vc4->last_emit_seqno - vc4->screen->finished_seqno > 5) {
484 if (!vc4_wait_seqno(vc4->screen,
485 vc4->last_emit_seqno - 5,
486 PIPE_TIMEOUT_INFINITE,
487 "job throttling")) {
488 fprintf(stderr, "Job throttling failed\n");
489 }
490 }
491
492 if (vc4_debug & VC4_DEBUG_ALWAYS_SYNC) {
493 if (!vc4_wait_seqno(vc4->screen, vc4->last_emit_seqno,
494 PIPE_TIMEOUT_INFINITE, "sync")) {
495 fprintf(stderr, "Wait failed.\n");
496 abort();
497 }
498 }
499
500 done:
501 vc4_job_free(vc4, job);
502 }
503
504 static bool
505 vc4_job_compare(const void *a, const void *b)
506 {
507 return memcmp(a, b, sizeof(struct vc4_job_key)) == 0;
508 }
509
510 static uint32_t
511 vc4_job_hash(const void *key)
512 {
513 return _mesa_hash_data(key, sizeof(struct vc4_job_key));
514 }
515
516 void
517 vc4_job_init(struct vc4_context *vc4)
518 {
519 vc4->jobs = _mesa_hash_table_create(vc4,
520 vc4_job_hash,
521 vc4_job_compare);
522 vc4->write_jobs = _mesa_hash_table_create(vc4,
523 _mesa_hash_pointer,
524 _mesa_key_pointer_equal);
525 }
526