Now this whole setup matches the kernel's file layout much more closely.
src/gallium/drivers/svga/Makefile
src/gallium/drivers/trace/Makefile
src/gallium/drivers/vc4/Makefile
+ src/gallium/drivers/vc4/kernel/Makefile
src/gallium/state_trackers/clover/Makefile
src/gallium/state_trackers/dri/Makefile
src/gallium/state_trackers/egl/Makefile
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
# IN THE SOFTWARE.
+SUBDIRS = kernel
+
include Makefile.sources
include $(top_srcdir)/src/gallium/Automake.inc
noinst_LTLIBRARIES = libvc4.la
libvc4_la_SOURCES = $(C_SOURCES)
-libvc4_la_LIBADD = $(SIM_LIB)
+libvc4_la_LIBADD = $(SIM_LIB) kernel/libvc4_kernel.la
libvc4_la_LDFLAGS = $(SIM_LDFLAGS)
vc4_screen.c \
vc4_screen.h \
vc4_simulator.c \
- vc4_simulator_validate.c \
vc4_simulator_validate.h \
- vc4_simulator_validate_shaders.c \
vc4_state.c \
vc4_tiling.c \
vc4_tiling.h \
+ kernel/vc4_gem.c \
+ kernel/vc4_validate.c \
+ kernel/vc4_validate_shaders.c \
$()
--- /dev/null
+# Copyright © 2014 Broadcom
+#
+# Permission is hereby granted, free of charge, to any person obtaining a
+# copy of this software and associated documentation files (the "Software"),
+# to deal in the Software without restriction, including without limitation
+# the rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Software, and to permit persons to whom the
+# Software is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice (including the next
+# paragraph) shall be included in all copies or substantial portions of the
+# Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+include Makefile.sources
+include $(top_srcdir)/src/gallium/Automake.inc
+
+if USE_VC4_SIMULATOR
+SIM_CFLAGS = -DUSE_VC4_SIMULATOR=1
+endif
+
+AM_CFLAGS = \
+ $(LIBDRM_CFLAGS) \
+ $(GALLIUM_DRIVER_CFLAGS) \
+ $(SIM_CFLAGS) \
+ -I$(top_srcdir)/src/mesa/ \
+ -I$(srcdir)/../ \
+ $()
+
+noinst_LTLIBRARIES = libvc4_kernel.la
+
+libvc4_kernel_la_SOURCES = $(C_SOURCES)
+libvc4_kernel_la_LDFLAGS = $(SIM_LDFLAGS)
--- /dev/null
+C_SOURCES := \
+ vc4_gem.c \
+ vc4_validate.c \
+ vc4_validate_shaders.c \
+ $()
--- /dev/null
+This is a mirror of the kernel validation code into the userspace GL library.
+It is only built when USE_VC4_SIMULATOR is defined, for compiling the driver
+on an x86 system with the simpenrose simulator. It allows testing of changes
+across the kernel and userspace with exposure to most of the software stack,
+on a higher-performance and more-debuggable environment than the native
+hardware.
--- /dev/null
+/*
+ * Copyright © 2014 Broadcom
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#ifndef VC4_DRV_H
+#define VC4_DRV_H
+
+#include "vc4_simulator_validate.h"
+
+enum vc4_bo_mode {
+ VC4_MODE_UNDECIDED,
+ VC4_MODE_TILE_ALLOC,
+ VC4_MODE_TSDA,
+ VC4_MODE_RENDER,
+ VC4_MODE_SHADER,
+};
+
+struct vc4_bo_exec_state {
+ struct drm_gem_cma_object *bo;
+ enum vc4_bo_mode mode;
+};
+
+struct exec_info {
+ /* Kernel-space copy of the ioctl arguments */
+ struct drm_vc4_submit_cl *args;
+
+ /* This is the array of BOs that were looked up at the start of exec.
+ * Command validation will use indices into this array.
+ */
+ struct vc4_bo_exec_state *bo;
+ uint32_t bo_count;
+
+ /* Current unvalidated indices into @bo loaded by the non-hardware
+ * VC4_PACKET_GEM_HANDLES.
+ */
+ uint32_t bo_index[2];
+
+ /* This is the BO where we store the validated command lists, shader
+ * records, and uniforms.
+ */
+ struct drm_gem_cma_object *exec_bo;
+
+ /**
+ * This tracks the per-shader-record state (packet 64) that
+ * determines the length of the shader record and the offset
+ * it's expected to be found at. It gets read in from the
+ * command lists.
+ */
+ struct vc4_shader_state {
+ uint8_t packet;
+ uint32_t addr;
+ /* Maximum vertex index referenced by any primitive using this
+ * shader state.
+ */
+ uint32_t max_index;
+ } *shader_state;
+
+ /** How many shader states the user declared they were using. */
+ uint32_t shader_state_size;
+ /** How many shader state records the validator has seen. */
+ uint32_t shader_state_count;
+
+ bool found_tile_binning_mode_config_packet;
+ bool found_tile_rendering_mode_config_packet;
+ bool found_start_tile_binning_packet;
+ uint8_t bin_tiles_x, bin_tiles_y;
+ uint32_t fb_width, fb_height;
+ uint32_t tile_alloc_init_block_size;
+ struct drm_gem_cma_object *tile_alloc_bo;
+
+ /**
+ * Computed addresses pointing into exec_bo where we start the
+ * bin thread (ct0) and render thread (ct1).
+ */
+ uint32_t ct0ca, ct0ea;
+ uint32_t ct1ca, ct1ea;
+
+ /* Pointers to the shader recs. These paddr gets incremented as CL
+ * packets are relocated in validate_gl_shader_state, and the vaddrs
+ * (u and v) get incremented and size decremented as the shader recs
+ * themselves are validated.
+ */
+ void *shader_rec_u;
+ void *shader_rec_v;
+ uint32_t shader_rec_p;
+ uint32_t shader_rec_size;
+
+ /* Pointers to the uniform data. These pointers are incremented, and
+ * size decremented, as each batch of uniforms is uploaded.
+ */
+ void *uniforms_u;
+ void *uniforms_v;
+ uint32_t uniforms_p;
+ uint32_t uniforms_size;
+};
+
+/**
+ * struct vc4_texture_sample_info - saves the offsets into the UBO for texture
+ * setup parameters.
+ *
+ * This will be used at draw time to relocate the reference to the texture
+ * contents in p0, and validate that the offset combined with
+ * width/height/stride/etc. from p1 and p2/p3 doesn't sample outside the BO.
+ * Note that the hardware treats unprovided config parameters as 0, so not all
+ * of them need to be set up for every texure sample, and we'll store ~0 as
+ * the offset to mark the unused ones.
+ *
+ * See the VC4 3D architecture guide page 41 ("Texture and Memory Lookup Unit
+ * Setup") for definitions of the texture parameters.
+ */
+struct vc4_texture_sample_info {
+ uint32_t p_offset[4];
+};
+
+/**
+ * struct vc4_validated_shader_info - information about validated shaders that
+ * needs to be used from command list validation.
+ *
+ * For a given shader, each time a shader state record references it, we need
+ * to verify that the shader doesn't read more uniforms than the shader state
+ * record's uniform BO pointer can provide, and we need to apply relocations
+ * and validate the shader state record's uniforms that define the texture
+ * samples.
+ */
+struct vc4_validated_shader_info
+{
+ uint32_t uniforms_size;
+ uint32_t uniforms_src_size;
+ uint32_t num_texture_samples;
+ struct vc4_texture_sample_info *texture_samples;
+};
+
+/* vc4_validate.c */
+int
+vc4_validate_cl(struct drm_device *dev,
+ void *validated,
+ void *unvalidated,
+ uint32_t len,
+ bool is_bin,
+ struct exec_info *exec);
+
+int
+vc4_validate_shader_recs(struct drm_device *dev, struct exec_info *exec);
+
+struct vc4_validated_shader_info *
+vc4_validate_shader(struct drm_gem_cma_object *shader_obj,
+ uint32_t start_offset);
+
+#endif /* VC4_DRV_H */
--- /dev/null
+/*
+ * Copyright © 2014 Broadcom
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#ifdef USE_VC4_SIMULATOR
+
+#include "vc4_drv.h"
+
+int
+vc4_cl_validate(struct drm_device *dev, struct exec_info *exec)
+{
+ struct drm_vc4_submit_cl *args = exec->args;
+ void *temp = NULL;
+ void *bin, *render;
+ int ret = 0;
+ uint32_t bin_offset = 0;
+ uint32_t render_offset = bin_offset + args->bin_cl_size;
+ uint32_t shader_rec_offset = roundup(render_offset +
+ args->render_cl_size, 16);
+ uint32_t uniforms_offset = shader_rec_offset + args->shader_rec_size;
+ uint32_t exec_size = uniforms_offset + args->uniforms_size;
+ uint32_t temp_size = exec_size + (sizeof(struct vc4_shader_state) *
+ args->shader_rec_count);
+
+ if (shader_rec_offset < render_offset ||
+ uniforms_offset < shader_rec_offset ||
+ exec_size < uniforms_offset ||
+ args->shader_rec_count >= (UINT_MAX /
+ sizeof(struct vc4_shader_state)) ||
+ temp_size < exec_size) {
+ DRM_ERROR("overflow in exec arguments\n");
+ goto fail;
+ }
+
+ /* Allocate space where we'll store the copied in user command lists
+ * and shader records.
+ *
+ * We don't just copy directly into the BOs because we need to
+ * read the contents back for validation, and I think the
+ * bo->vaddr is uncached access.
+ */
+ temp = kmalloc(temp_size, GFP_KERNEL);
+ if (!temp) {
+ DRM_ERROR("Failed to allocate storage for copying "
+ "in bin/render CLs.\n");
+ ret = -ENOMEM;
+ goto fail;
+ }
+ bin = temp + bin_offset;
+ render = temp + render_offset;
+ exec->shader_rec_u = temp + shader_rec_offset;
+ exec->uniforms_u = temp + uniforms_offset;
+ exec->shader_state = temp + exec_size;
+ exec->shader_state_size = args->shader_rec_count;
+
+ ret = copy_from_user(bin, args->bin_cl, args->bin_cl_size);
+ if (ret) {
+ DRM_ERROR("Failed to copy in bin cl\n");
+ goto fail;
+ }
+
+ ret = copy_from_user(render, args->render_cl, args->render_cl_size);
+ if (ret) {
+ DRM_ERROR("Failed to copy in render cl\n");
+ goto fail;
+ }
+
+ ret = copy_from_user(exec->shader_rec_u, args->shader_rec,
+ args->shader_rec_size);
+ if (ret) {
+ DRM_ERROR("Failed to copy in shader recs\n");
+ goto fail;
+ }
+
+ ret = copy_from_user(exec->uniforms_u, args->uniforms,
+ args->uniforms_size);
+ if (ret) {
+ DRM_ERROR("Failed to copy in uniforms cl\n");
+ goto fail;
+ }
+
+ exec->exec_bo = drm_gem_cma_create(dev, exec_size);
+#if 0
+ if (IS_ERR(exec->exec_bo)) {
+ DRM_ERROR("Couldn't allocate BO for exec\n");
+ ret = PTR_ERR(exec->exec_bo);
+ exec->exec_bo = NULL;
+ goto fail;
+ }
+#endif
+
+ exec->ct0ca = exec->exec_bo->paddr + bin_offset;
+ exec->ct1ca = exec->exec_bo->paddr + render_offset;
+
+ exec->shader_rec_v = exec->exec_bo->vaddr + shader_rec_offset;
+ exec->shader_rec_p = exec->exec_bo->paddr + shader_rec_offset;
+ exec->shader_rec_size = args->shader_rec_size;
+
+ exec->uniforms_v = exec->exec_bo->vaddr + uniforms_offset;
+ exec->uniforms_p = exec->exec_bo->paddr + uniforms_offset;
+ exec->uniforms_size = args->uniforms_size;
+
+ ret = vc4_validate_cl(dev,
+ exec->exec_bo->vaddr + bin_offset,
+ bin,
+ args->bin_cl_size,
+ true,
+ exec);
+ if (ret)
+ goto fail;
+
+ ret = vc4_validate_cl(dev,
+ exec->exec_bo->vaddr + render_offset,
+ render,
+ args->render_cl_size,
+ false,
+ exec);
+ if (ret)
+ goto fail;
+
+ ret = vc4_validate_shader_recs(dev, exec);
+
+fail:
+ kfree(temp);
+ return ret;
+}
+
+#endif /* USE_VC4_SIMULATOR */
--- /dev/null
+/*
+ * Copyright © 2014 Broadcom
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+/**
+ * Command list validator for VC4.
+ *
+ * The VC4 has no IOMMU between it and system memory. So, a user with
+ * access to execute command lists could escalate privilege by
+ * overwriting system memory (drawing to it as a framebuffer) or
+ * reading system memory it shouldn't (reading it as a texture, or
+ * uniform data, or vertex data).
+ *
+ * This validates command lists to ensure that all accesses are within
+ * the bounds of the GEM objects referenced. It explicitly whitelists
+ * packets, and looks at the offsets in any address fields to make
+ * sure they're constrained within the BOs they reference.
+ *
+ * Note that because of the validation that's happening anyway, this
+ * is where GEM relocation processing happens.
+ */
+
+#include "vc4_drv.h"
+#include "vc4_packet.h"
+
+#define VALIDATE_ARGS \
+ struct exec_info *exec, \
+ void *validated, \
+ void *untrusted
+
+
+/** Return the width in pixels of a 64-byte microtile. */
+static uint32_t
+utile_width(int cpp)
+{
+ switch (cpp) {
+ case 1:
+ case 2:
+ return 8;
+ case 4:
+ return 4;
+ case 8:
+ return 2;
+ default:
+ DRM_ERROR("unknown cpp: %d\n", cpp);
+ return 1;
+ }
+}
+
+/** Return the height in pixels of a 64-byte microtile. */
+static uint32_t
+utile_height(int cpp)
+{
+ switch (cpp) {
+ case 1:
+ return 8;
+ case 2:
+ case 4:
+ case 8:
+ return 4;
+ default:
+ DRM_ERROR("unknown cpp: %d\n", cpp);
+ return 1;
+ }
+}
+
+/**
+ * The texture unit decides what tiling format a particular miplevel is using
+ * this function, so we lay out our miptrees accordingly.
+ */
+static bool
+size_is_lt(uint32_t width, uint32_t height, int cpp)
+{
+ return (width <= 4 * utile_width(cpp) ||
+ height <= 4 * utile_height(cpp));
+}
+
+static bool
+vc4_use_bo(struct exec_info *exec,
+ uint32_t hindex,
+ enum vc4_bo_mode mode,
+ struct drm_gem_cma_object **obj)
+{
+ *obj = NULL;
+
+ if (hindex >= exec->bo_count) {
+ DRM_ERROR("BO index %d greater than BO count %d\n",
+ hindex, exec->bo_count);
+ return false;
+ }
+
+ if (exec->bo[hindex].mode != mode) {
+ if (exec->bo[hindex].mode == VC4_MODE_UNDECIDED) {
+ exec->bo[hindex].mode = mode;
+ } else {
+ DRM_ERROR("BO index %d reused with mode %d vs %d\n",
+ hindex, exec->bo[hindex].mode, mode);
+ return false;
+ }
+ }
+
+ *obj = exec->bo[hindex].bo;
+ return true;
+}
+
+static bool
+vc4_use_handle(struct exec_info *exec,
+ uint32_t gem_handles_packet_index,
+ enum vc4_bo_mode mode,
+ struct drm_gem_cma_object **obj)
+{
+ return vc4_use_bo(exec, exec->bo_index[gem_handles_packet_index],
+ mode, obj);
+}
+
+static uint32_t
+gl_shader_rec_size(uint32_t pointer_bits)
+{
+ uint32_t attribute_count = pointer_bits & 7;
+ bool extended = pointer_bits & 8;
+
+ if (attribute_count == 0)
+ attribute_count = 8;
+
+ if (extended)
+ return 100 + attribute_count * 4;
+ else
+ return 36 + attribute_count * 8;
+}
+
+static bool
+check_tex_size(struct exec_info *exec, struct drm_gem_cma_object *fbo,
+ uint32_t offset, uint8_t tiling_format,
+ uint32_t width, uint32_t height, uint8_t cpp)
+{
+ uint32_t aligned_width, aligned_height, stride, size;
+ uint32_t utile_w = utile_width(cpp);
+ uint32_t utile_h = utile_height(cpp);
+
+ /* The values are limited by the packet/texture parameter bitfields,
+ * so we don't need to worry as much about integer overflow.
+ */
+ BUG_ON(width > 65535);
+ BUG_ON(height > 65535);
+
+ switch (tiling_format) {
+ case VC4_TILING_FORMAT_LINEAR:
+ aligned_width = roundup(width, 16 / cpp);
+ aligned_height = height;
+ break;
+ case VC4_TILING_FORMAT_T:
+ aligned_width = roundup(width, utile_w * 8);
+ aligned_height = roundup(height, utile_h * 8);
+ break;
+ case VC4_TILING_FORMAT_LT:
+ aligned_width = roundup(width, utile_w);
+ aligned_height = roundup(height, utile_h);
+ break;
+ default:
+ DRM_ERROR("buffer tiling %d unsupported\n", tiling_format);
+ return false;
+ }
+
+ stride = aligned_width * cpp;
+
+ if (INT_MAX / stride < aligned_height) {
+ DRM_ERROR("Overflow in fbo size (%dx%d -> %dx%d)\n",
+ width, height,
+ aligned_width, aligned_height);
+ return false;
+ }
+ size = stride * aligned_height;
+
+ if (size + offset < size ||
+ size + offset > fbo->base.size) {
+ DRM_ERROR("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %d)\n",
+ width, height,
+ aligned_width, aligned_height,
+ size, offset, fbo->base.size);
+ return false;
+ }
+
+ return true;
+}
+
+static int
+validate_start_tile_binning(VALIDATE_ARGS)
+{
+ if (exec->found_start_tile_binning_packet) {
+ DRM_ERROR("Duplicate VC4_PACKET_START_TILE_BINNING\n");
+ return -EINVAL;
+ }
+ exec->found_start_tile_binning_packet = true;
+
+ if (!exec->found_tile_binning_mode_config_packet) {
+ DRM_ERROR("missing VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static int
+validate_branch_to_sublist(VALIDATE_ARGS)
+{
+ struct drm_gem_cma_object *target;
+ uint32_t offset;
+
+ if (!vc4_use_handle(exec, 0, VC4_MODE_TILE_ALLOC, &target))
+ return -EINVAL;
+
+ if (target != exec->tile_alloc_bo) {
+ DRM_ERROR("Jumping to BOs other than tile alloc unsupported\n");
+ return -EINVAL;
+ }
+
+ offset = *(uint32_t *)(untrusted + 0);
+ if (offset % exec->tile_alloc_init_block_size ||
+ offset / exec->tile_alloc_init_block_size >
+ exec->bin_tiles_x * exec->bin_tiles_y) {
+ DRM_ERROR("VC4_PACKET_BRANCH_TO_SUB_LIST must jump to initial "
+ "tile allocation space.\n");
+ return -EINVAL;
+ }
+
+ *(uint32_t *)(validated + 0) = target->paddr + offset;
+
+ return 0;
+}
+
+/**
+ * validate_loadstore_tile_buffer_general() - Validation for
+ * VC4_PACKET_LOAD_TILE_BUFFER_GENERAL and
+ * VC4_PACKET_STORE_TILE_BUFFER_GENERAL.
+ *
+ * The two packets are nearly the same, except for the TLB-clearing management
+ * bits not being present for loads. Additionally, while stores are executed
+ * immediately (using the current tile coordinates), loads are queued to be
+ * executed when the tile coordinates packet occurs.
+ *
+ * Note that coordinates packets are validated to be within the declared
+ * bin_x/y, which themselves are verified to match the rendering-configuration
+ * FB width and height (which the hardware uses to clip loads and stores).
+ */
+static int
+validate_loadstore_tile_buffer_general(VALIDATE_ARGS)
+{
+ uint32_t packet_b0 = *(uint8_t *)(untrusted + 0);
+ uint32_t packet_b1 = *(uint8_t *)(untrusted + 1);
+ struct drm_gem_cma_object *fbo;
+ uint32_t buffer_type = packet_b0 & 0xf;
+ uint32_t offset, cpp;
+
+ switch (buffer_type) {
+ case VC4_LOADSTORE_TILE_BUFFER_NONE:
+ return 0;
+ case VC4_LOADSTORE_TILE_BUFFER_COLOR:
+ if ((packet_b1 & VC4_LOADSTORE_TILE_BUFFER_MASK) ==
+ VC4_LOADSTORE_TILE_BUFFER_RGBA8888) {
+ cpp = 4;
+ } else {
+ cpp = 2;
+ }
+ break;
+
+ case VC4_LOADSTORE_TILE_BUFFER_Z:
+ case VC4_LOADSTORE_TILE_BUFFER_ZS:
+ cpp = 4;
+ break;
+
+ default:
+ DRM_ERROR("Load/store type %d unsupported\n", buffer_type);
+ return -EINVAL;
+ }
+
+ if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &fbo))
+ return -EINVAL;
+
+ offset = *(uint32_t *)(untrusted + 2) & ~0xf;
+
+ if (!check_tex_size(exec, fbo, offset,
+ ((packet_b0 &
+ VC4_LOADSTORE_TILE_BUFFER_FORMAT_MASK) >>
+ VC4_LOADSTORE_TILE_BUFFER_FORMAT_SHIFT),
+ exec->fb_width, exec->fb_height, cpp)) {
+ return -EINVAL;
+ }
+
+ *(uint32_t *)(validated + 2) = offset + fbo->paddr;
+
+ return 0;
+}
+
+static int
+validate_indexed_prim_list(VALIDATE_ARGS)
+{
+ struct drm_gem_cma_object *ib;
+ uint32_t length = *(uint32_t *)(untrusted + 1);
+ uint32_t offset = *(uint32_t *)(untrusted + 5);
+ uint32_t max_index = *(uint32_t *)(untrusted + 9);
+ uint32_t index_size = (*(uint8_t *)(untrusted + 0) >> 4) ? 2 : 1;
+ struct vc4_shader_state *shader_state;
+
+ /* Check overflow condition */
+ if (exec->shader_state_count == 0) {
+ DRM_ERROR("shader state must precede primitives\n");
+ return -EINVAL;
+ }
+ shader_state = &exec->shader_state[exec->shader_state_count - 1];
+
+ if (max_index > shader_state->max_index)
+ shader_state->max_index = max_index;
+
+ if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &ib))
+ return -EINVAL;
+
+ if (offset > ib->base.size ||
+ (ib->base.size - offset) / index_size < length) {
+ DRM_ERROR("IB access overflow (%d + %d*%d > %d)\n",
+ offset, length, index_size, ib->base.size);
+ return -EINVAL;
+ }
+
+ *(uint32_t *)(validated + 5) = ib->paddr + offset;
+
+ return 0;
+}
+
+static int
+validate_gl_array_primitive(VALIDATE_ARGS)
+{
+ uint32_t length = *(uint32_t *)(untrusted + 1);
+ uint32_t base_index = *(uint32_t *)(untrusted + 5);
+ uint32_t max_index;
+ struct vc4_shader_state *shader_state;
+
+ /* Check overflow condition */
+ if (exec->shader_state_count == 0) {
+ DRM_ERROR("shader state must precede primitives\n");
+ return -EINVAL;
+ }
+ shader_state = &exec->shader_state[exec->shader_state_count - 1];
+
+ if (length + base_index < length) {
+ DRM_ERROR("primitive vertex count overflow\n");
+ return -EINVAL;
+ }
+ max_index = length + base_index - 1;
+
+ if (max_index > shader_state->max_index)
+ shader_state->max_index = max_index;
+
+ return 0;
+}
+
+static int
+validate_gl_shader_state(VALIDATE_ARGS)
+{
+ uint32_t i = exec->shader_state_count++;
+
+ if (i >= exec->shader_state_size) {
+ DRM_ERROR("More requests for shader states than declared\n");
+ return -EINVAL;
+ }
+
+ exec->shader_state[i].packet = VC4_PACKET_GL_SHADER_STATE;
+ exec->shader_state[i].addr = *(uint32_t *)untrusted;
+ exec->shader_state[i].max_index = 0;
+
+ if (exec->shader_state[i].addr & ~0xf) {
+ DRM_ERROR("high bits set in GL shader rec reference\n");
+ return -EINVAL;
+ }
+
+ *(uint32_t *)validated = (exec->shader_rec_p +
+ exec->shader_state[i].addr);
+
+ exec->shader_rec_p +=
+ roundup(gl_shader_rec_size(exec->shader_state[i].addr), 16);
+
+ return 0;
+}
+
+static int
+validate_nv_shader_state(VALIDATE_ARGS)
+{
+ uint32_t i = exec->shader_state_count++;
+
+ if (i >= exec->shader_state_size) {
+ DRM_ERROR("More requests for shader states than declared\n");
+ return -EINVAL;
+ }
+
+ exec->shader_state[i].packet = VC4_PACKET_NV_SHADER_STATE;
+ exec->shader_state[i].addr = *(uint32_t *)untrusted;
+
+ if (exec->shader_state[i].addr & 15) {
+ DRM_ERROR("NV shader state address 0x%08x misaligned\n",
+ exec->shader_state[i].addr);
+ return -EINVAL;
+ }
+
+ *(uint32_t *)validated = (exec->shader_state[i].addr +
+ exec->shader_rec_p);
+
+ return 0;
+}
+
+static int
+validate_tile_binning_config(VALIDATE_ARGS)
+{
+ struct drm_gem_cma_object *tile_allocation;
+ struct drm_gem_cma_object *tile_state_data_array;
+ uint8_t flags;
+ uint32_t tile_allocation_size;
+
+ if (!vc4_use_handle(exec, 0, VC4_MODE_TILE_ALLOC, &tile_allocation) ||
+ !vc4_use_handle(exec, 1, VC4_MODE_TSDA, &tile_state_data_array))
+ return -EINVAL;
+
+ if (exec->found_tile_binning_mode_config_packet) {
+ DRM_ERROR("Duplicate VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
+ return -EINVAL;
+ }
+ exec->found_tile_binning_mode_config_packet = true;
+
+ exec->bin_tiles_x = *(uint8_t *)(untrusted + 12);
+ exec->bin_tiles_y = *(uint8_t *)(untrusted + 13);
+ flags = *(uint8_t *)(untrusted + 14);
+
+ if (exec->bin_tiles_x == 0 ||
+ exec->bin_tiles_y == 0) {
+ DRM_ERROR("Tile binning config of %dx%d too small\n",
+ exec->bin_tiles_x, exec->bin_tiles_y);
+ return -EINVAL;
+ }
+
+ /* Our validation relies on the user not getting to set up their own
+ * tile state/tile allocation BO contents.
+ */
+ if (!(flags & VC4_BIN_CONFIG_AUTO_INIT_TSDA)) {
+ DRM_ERROR("binning config missing "
+ "VC4_BIN_CONFIG_AUTO_INIT_TSDA\n");
+ return -EINVAL;
+ }
+
+ if (flags & (VC4_BIN_CONFIG_DB_NON_MS |
+ VC4_BIN_CONFIG_TILE_BUFFER_64BIT |
+ VC4_BIN_CONFIG_MS_MODE_4X)) {
+ DRM_ERROR("unsupported bining config flags 0x%02x\n", flags);
+ return -EINVAL;
+ }
+
+ if (*(uint32_t *)(untrusted + 0) != 0) {
+ DRM_ERROR("tile allocation offset != 0 unsupported\n");
+ return -EINVAL;
+ }
+ tile_allocation_size = *(uint32_t *)(untrusted + 4);
+ if (tile_allocation_size > tile_allocation->base.size) {
+ DRM_ERROR("tile allocation size %d > BO size %d",
+ tile_allocation_size, tile_allocation->base.size);
+ return -EINVAL;
+ }
+ *(uint32_t *)validated = tile_allocation->paddr;
+ exec->tile_alloc_bo = tile_allocation;
+
+ exec->tile_alloc_init_block_size = 1 << (5 + ((flags >> 5) & 3));
+ if (exec->bin_tiles_x * exec->bin_tiles_y *
+ exec->tile_alloc_init_block_size > tile_allocation_size) {
+ DRM_ERROR("tile init exceeds tile alloc size (%d vs %d)\n",
+ exec->bin_tiles_x * exec->bin_tiles_y *
+ exec->tile_alloc_init_block_size,
+ tile_allocation_size);
+ return -EINVAL;
+ }
+ if (*(uint32_t *)(untrusted + 8) != 0) {
+ DRM_ERROR("TSDA offset != 0 unsupported\n");
+ return -EINVAL;
+ }
+ if (exec->bin_tiles_x * exec->bin_tiles_y * 48 >
+ tile_state_data_array->base.size) {
+ DRM_ERROR("TSDA of %db too small for %dx%d bin config\n",
+ tile_state_data_array->base.size,
+ exec->bin_tiles_x, exec->bin_tiles_y);
+ }
+ *(uint32_t *)(validated + 8) = tile_state_data_array->paddr;
+
+ return 0;
+}
+
+static int
+validate_tile_rendering_mode_config(VALIDATE_ARGS)
+{
+ struct drm_gem_cma_object *fbo;
+ uint32_t flags, offset, cpp;
+
+ if (exec->found_tile_rendering_mode_config_packet) {
+ DRM_ERROR("Duplicate VC4_PACKET_TILE_RENDERING_MODE_CONFIG\n");
+ return -EINVAL;
+ }
+ exec->found_tile_rendering_mode_config_packet = true;
+
+ if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &fbo))
+ return -EINVAL;
+
+ exec->fb_width = *(uint16_t *)(untrusted + 4);
+ exec->fb_height = *(uint16_t *)(untrusted + 6);
+
+ /* Make sure that the fb width/height matches the binning config -- we
+ * rely on being able to interchange these for various assertions.
+ * (Within a tile, loads and stores will be clipped to the
+ * width/height, but we allow load/storing to any binned tile).
+ */
+ if (exec->fb_width <= (exec->bin_tiles_x - 1) * 64 ||
+ exec->fb_width > exec->bin_tiles_x * 64 ||
+ exec->fb_height <= (exec->bin_tiles_y - 1) * 64 ||
+ exec->fb_height > exec->bin_tiles_y * 64) {
+ DRM_ERROR("bin config %dx%d doesn't match FB %dx%d\n",
+ exec->bin_tiles_x, exec->bin_tiles_y,
+ exec->fb_width, exec->fb_height);
+ return -EINVAL;
+ }
+
+ flags = *(uint16_t *)(untrusted + 8);
+ if ((flags & VC4_RENDER_CONFIG_FORMAT_MASK) ==
+ VC4_RENDER_CONFIG_FORMAT_RGBA8888) {
+ cpp = 4;
+ } else {
+ cpp = 2;
+ }
+
+ offset = *(uint32_t *)untrusted;
+ if (!check_tex_size(exec, fbo, offset,
+ ((flags &
+ VC4_RENDER_CONFIG_MEMORY_FORMAT_MASK) >>
+ VC4_RENDER_CONFIG_MEMORY_FORMAT_SHIFT),
+ exec->fb_width, exec->fb_height, cpp)) {
+ return -EINVAL;
+ }
+
+ *(uint32_t *)validated = fbo->paddr + offset;
+
+ return 0;
+}
+
+static int
+validate_tile_coordinates(VALIDATE_ARGS)
+{
+ uint8_t tile_x = *(uint8_t *)(untrusted + 0);
+ uint8_t tile_y = *(uint8_t *)(untrusted + 1);
+
+ if (tile_x >= exec->bin_tiles_x ||
+ tile_y >= exec->bin_tiles_y) {
+ DRM_ERROR("Tile coordinates %d,%d > bin config %d,%d\n",
+ tile_x,
+ tile_y,
+ exec->bin_tiles_x,
+ exec->bin_tiles_y);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+static int
+validate_gem_handles(VALIDATE_ARGS)
+{
+ memcpy(exec->bo_index, untrusted, sizeof(exec->bo_index));
+ return 0;
+}
+
+static const struct cmd_info {
+ bool bin;
+ bool render;
+ uint16_t len;
+ const char *name;
+ int (*func)(struct exec_info *exec, void *validated, void *untrusted);
+} cmd_info[] = {
+ [VC4_PACKET_HALT] = { 1, 1, 1, "halt", NULL },
+ [VC4_PACKET_NOP] = { 1, 1, 1, "nop", NULL },
+ [VC4_PACKET_FLUSH] = { 1, 1, 1, "flush", NULL },
+ [VC4_PACKET_FLUSH_ALL] = { 1, 0, 1, "flush all state", NULL },
+ [VC4_PACKET_START_TILE_BINNING] = { 1, 0, 1, "start tile binning", validate_start_tile_binning },
+ [VC4_PACKET_INCREMENT_SEMAPHORE] = { 1, 0, 1, "increment semaphore", NULL },
+ [VC4_PACKET_WAIT_ON_SEMAPHORE] = { 1, 1, 1, "wait on semaphore", NULL },
+ /* BRANCH_TO_SUB_LIST is actually supported in the binner as well, but
+ * we only use it from the render CL in order to jump into the tile
+ * allocation BO.
+ */
+ [VC4_PACKET_BRANCH_TO_SUB_LIST] = { 0, 1, 5, "branch to sublist", validate_branch_to_sublist },
+ [VC4_PACKET_STORE_MS_TILE_BUFFER] = { 0, 1, 1, "store MS resolved tile color buffer", NULL },
+ [VC4_PACKET_STORE_MS_TILE_BUFFER_AND_EOF] = { 0, 1, 1, "store MS resolved tile color buffer and EOF", NULL },
+
+ [VC4_PACKET_STORE_TILE_BUFFER_GENERAL] = { 0, 1, 7, "Store Tile Buffer General", validate_loadstore_tile_buffer_general },
+ [VC4_PACKET_LOAD_TILE_BUFFER_GENERAL] = { 0, 1, 7, "Load Tile Buffer General", validate_loadstore_tile_buffer_general },
+
+ [VC4_PACKET_GL_INDEXED_PRIMITIVE] = { 1, 1, 14, "Indexed Primitive List", validate_indexed_prim_list },
+
+ [VC4_PACKET_GL_ARRAY_PRIMITIVE] = { 1, 1, 10, "Vertex Array Primitives", validate_gl_array_primitive },
+
+ /* This is only used by clipped primitives (packets 48 and 49), which
+ * we don't support parsing yet.
+ */
+ [VC4_PACKET_PRIMITIVE_LIST_FORMAT] = { 1, 1, 2, "primitive list format", NULL },
+
+ [VC4_PACKET_GL_SHADER_STATE] = { 1, 1, 5, "GL Shader State", validate_gl_shader_state },
+ [VC4_PACKET_NV_SHADER_STATE] = { 1, 1, 5, "NV Shader State", validate_nv_shader_state },
+
+ [VC4_PACKET_CONFIGURATION_BITS] = { 1, 1, 4, "configuration bits", NULL },
+ [VC4_PACKET_FLAT_SHADE_FLAGS] = { 1, 1, 5, "flat shade flags", NULL },
+ [VC4_PACKET_POINT_SIZE] = { 1, 1, 5, "point size", NULL },
+ [VC4_PACKET_LINE_WIDTH] = { 1, 1, 5, "line width", NULL },
+ [VC4_PACKET_RHT_X_BOUNDARY] = { 1, 1, 3, "RHT X boundary", NULL },
+ [VC4_PACKET_DEPTH_OFFSET] = { 1, 1, 5, "Depth Offset", NULL },
+ [VC4_PACKET_CLIP_WINDOW] = { 1, 1, 9, "Clip Window", NULL },
+ [VC4_PACKET_VIEWPORT_OFFSET] = { 1, 1, 5, "Viewport Offset", NULL },
+ [VC4_PACKET_CLIPPER_XY_SCALING] = { 1, 1, 9, "Clipper XY Scaling", NULL },
+ /* Note: The docs say this was also 105, but it was 106 in the
+ * initial userland code drop.
+ */
+ [VC4_PACKET_CLIPPER_Z_SCALING] = { 1, 1, 9, "Clipper Z Scale and Offset", NULL },
+
+ [VC4_PACKET_TILE_BINNING_MODE_CONFIG] = { 1, 0, 16, "tile binning configuration", validate_tile_binning_config },
+
+ [VC4_PACKET_TILE_RENDERING_MODE_CONFIG] = { 0, 1, 11, "tile rendering mode configuration", validate_tile_rendering_mode_config},
+
+ [VC4_PACKET_CLEAR_COLORS] = { 0, 1, 14, "Clear Colors", NULL },
+
+ [VC4_PACKET_TILE_COORDINATES] = { 0, 1, 3, "Tile Coordinates", validate_tile_coordinates },
+
+ [VC4_PACKET_GEM_HANDLES] = { 1, 1, 9, "GEM handles", validate_gem_handles },
+};
+
+int
+vc4_validate_cl(struct drm_device *dev,
+ void *validated,
+ void *unvalidated,
+ uint32_t len,
+ bool is_bin,
+ struct exec_info *exec)
+{
+ uint32_t dst_offset = 0;
+ uint32_t src_offset = 0;
+
+ while (src_offset < len) {
+ void *dst_pkt = validated + dst_offset;
+ void *src_pkt = unvalidated + src_offset;
+ u8 cmd = *(uint8_t *)src_pkt;
+ const struct cmd_info *info;
+
+ if (cmd > ARRAY_SIZE(cmd_info)) {
+ DRM_ERROR("0x%08x: packet %d out of bounds\n",
+ src_offset, cmd);
+ return -EINVAL;
+ }
+
+ info = &cmd_info[cmd];
+ if (!info->name) {
+ DRM_ERROR("0x%08x: packet %d invalid\n",
+ src_offset, cmd);
+ return -EINVAL;
+ }
+
+#if 0
+ DRM_INFO("0x%08x: packet %d (%s) size %d processing...\n",
+ src_offset, cmd, info->name, info->len);
+#endif
+
+ if ((is_bin && !info->bin) ||
+ (!is_bin && !info->render)) {
+ DRM_ERROR("0x%08x: packet %d (%s) invalid for %s\n",
+ src_offset, cmd, info->name,
+ is_bin ? "binner" : "render");
+ return -EINVAL;
+ }
+
+ if (src_offset + info->len > len) {
+ DRM_ERROR("0x%08x: packet %d (%s) length 0x%08x "
+ "exceeds bounds (0x%08x)\n",
+ src_offset, cmd, info->name, info->len,
+ src_offset + len);
+ return -EINVAL;
+ }
+
+ if (cmd != VC4_PACKET_GEM_HANDLES)
+ memcpy(dst_pkt, src_pkt, info->len);
+
+ if (info->func && info->func(exec,
+ dst_pkt + 1,
+ src_pkt + 1)) {
+ DRM_ERROR("0x%08x: packet %d (%s) failed to "
+ "validate\n",
+ src_offset, cmd, info->name);
+ return -EINVAL;
+ }
+
+ src_offset += info->len;
+ /* GEM handle loading doesn't produce HW packets. */
+ if (cmd != VC4_PACKET_GEM_HANDLES)
+ dst_offset += info->len;
+
+ /* When the CL hits halt, it'll stop reading anything else. */
+ if (cmd == VC4_PACKET_HALT)
+ break;
+ }
+
+ if (is_bin) {
+ exec->ct0ea = exec->ct0ca + dst_offset;
+
+ if (!exec->found_start_tile_binning_packet) {
+ DRM_ERROR("Bin CL missing VC4_PACKET_START_TILE_BINNING\n");
+ return -EINVAL;
+ }
+ } else {
+ if (!exec->found_tile_rendering_mode_config_packet) {
+ DRM_ERROR("Render CL missing VC4_PACKET_TILE_RENDERING_MODE_CONFIG\n");
+ return -EINVAL;
+ }
+ exec->ct1ea = exec->ct1ca + dst_offset;
+ }
+
+ return 0;
+}
+
+static bool
+reloc_tex(struct exec_info *exec,
+ void *uniform_data_u,
+ struct vc4_texture_sample_info *sample,
+ uint32_t texture_handle_index)
+
+{
+ struct drm_gem_cma_object *tex;
+ uint32_t p0 = *(uint32_t *)(uniform_data_u + sample->p_offset[0]);
+ uint32_t p1 = *(uint32_t *)(uniform_data_u + sample->p_offset[1]);
+ uint32_t p2 = (sample->p_offset[2] != ~0 ?
+ *(uint32_t *)(uniform_data_u + sample->p_offset[2]) : 0);
+ uint32_t p3 = (sample->p_offset[3] != ~0 ?
+ *(uint32_t *)(uniform_data_u + sample->p_offset[3]) : 0);
+ uint32_t *validated_p0 = exec->uniforms_v + sample->p_offset[0];
+ uint32_t offset = p0 & ~0xfff;
+ uint32_t miplevels = (p0 & 15);
+ uint32_t width = (p1 >> 8) & 2047;
+ uint32_t height = (p1 >> 20) & 2047;
+ uint32_t cpp, tiling_format, utile_w, utile_h;
+ uint32_t i;
+ uint32_t cube_map_stride = 0;
+ enum vc4_texture_data_type type;
+
+ if (width == 0)
+ width = 2048;
+ if (height == 0)
+ height = 2048;
+
+ if (p0 & (1 << 9)) {
+ if ((p2 & (3 << 30)) == (1 << 30))
+ cube_map_stride = p2 & 0x3ffff000;
+ if ((p3 & (3 << 30)) == (1 << 30)) {
+ if (cube_map_stride) {
+ DRM_ERROR("Cube map stride set twice\n");
+ return -EINVAL;
+ }
+
+ cube_map_stride = p3 & 0x3ffff000;
+ }
+ if (!cube_map_stride) {
+ DRM_ERROR("Cube map stride not set\n");
+ return -EINVAL;
+ }
+ }
+
+ type = ((p0 >> 4) & 15) | ((p1 >> 31) << 4);
+
+ switch (type) {
+ case VC4_TEXTURE_TYPE_RGBA8888:
+ case VC4_TEXTURE_TYPE_RGBX8888:
+ case VC4_TEXTURE_TYPE_RGBA32R:
+ cpp = 4;
+ break;
+ case VC4_TEXTURE_TYPE_RGBA4444:
+ case VC4_TEXTURE_TYPE_RGBA5551:
+ case VC4_TEXTURE_TYPE_RGB565:
+ case VC4_TEXTURE_TYPE_LUMALPHA:
+ case VC4_TEXTURE_TYPE_S16F:
+ case VC4_TEXTURE_TYPE_S16:
+ cpp = 2;
+ break;
+ case VC4_TEXTURE_TYPE_LUMINANCE:
+ case VC4_TEXTURE_TYPE_ALPHA:
+ case VC4_TEXTURE_TYPE_S8:
+ cpp = 1;
+ break;
+ case VC4_TEXTURE_TYPE_ETC1:
+ case VC4_TEXTURE_TYPE_BW1:
+ case VC4_TEXTURE_TYPE_A4:
+ case VC4_TEXTURE_TYPE_A1:
+ case VC4_TEXTURE_TYPE_RGBA64:
+ case VC4_TEXTURE_TYPE_YUV422R:
+ default:
+ DRM_ERROR("Texture format %d unsupported\n", type);
+ return false;
+ }
+ utile_w = utile_width(cpp);
+ utile_h = utile_height(cpp);
+
+ if (type == VC4_TEXTURE_TYPE_RGBA32R) {
+ tiling_format = VC4_TILING_FORMAT_LINEAR;
+ } else {
+ if (size_is_lt(width, height, cpp))
+ tiling_format = VC4_TILING_FORMAT_LT;
+ else
+ tiling_format = VC4_TILING_FORMAT_T;
+ }
+
+ if (!vc4_use_bo(exec, texture_handle_index, VC4_MODE_RENDER, &tex))
+ return false;
+
+ if (!check_tex_size(exec, tex, offset + cube_map_stride * 5,
+ tiling_format, width, height, cpp)) {
+ return false;
+ }
+
+ /* The mipmap levels are stored before the base of the texture. Make
+ * sure there is actually space in the BO.
+ */
+ for (i = 1; i <= miplevels; i++) {
+ uint32_t level_width = max(width >> i, 1u);
+ uint32_t level_height = max(height >> i, 1u);
+ uint32_t aligned_width, aligned_height;
+ uint32_t level_size;
+
+ /* Once the levels get small enough, they drop from T to LT. */
+ if (tiling_format == VC4_TILING_FORMAT_T &&
+ size_is_lt(level_width, level_height, cpp)) {
+ tiling_format = VC4_TILING_FORMAT_LT;
+ }
+
+ switch (tiling_format) {
+ case VC4_TILING_FORMAT_T:
+ aligned_width = roundup(level_width, utile_w * 8);
+ aligned_height = roundup(level_height, utile_h * 8);
+ break;
+ case VC4_TILING_FORMAT_LT:
+ aligned_width = roundup(level_width, utile_w);
+ aligned_height = roundup(level_height, utile_h);
+ break;
+ default:
+ aligned_width = roundup(level_width, 16 / cpp);
+ aligned_height = level_height;
+ break;
+ }
+
+ level_size = aligned_width * cpp * aligned_height;
+
+ if (offset < level_size) {
+ DRM_ERROR("Level %d (%dx%d -> %dx%d) size %db "
+ "overflowed buffer bounds (offset %d)\n",
+ i, level_width, level_height,
+ aligned_width, aligned_height,
+ level_size, offset);
+ return false;
+ }
+
+ offset -= level_size;
+ }
+
+ *validated_p0 = tex->paddr + p0;
+
+ return true;
+}
+
+static int
+validate_shader_rec(struct drm_device *dev,
+ struct exec_info *exec,
+ struct vc4_shader_state *state)
+{
+ uint32_t *src_handles;
+ void *pkt_u, *pkt_v;
+ enum shader_rec_reloc_type {
+ RELOC_CODE,
+ RELOC_VBO,
+ };
+ struct shader_rec_reloc {
+ enum shader_rec_reloc_type type;
+ uint32_t offset;
+ };
+ static const struct shader_rec_reloc gl_relocs[] = {
+ { RELOC_CODE, 4 }, /* fs */
+ { RELOC_CODE, 16 }, /* vs */
+ { RELOC_CODE, 28 }, /* cs */
+ };
+ static const struct shader_rec_reloc nv_relocs[] = {
+ { RELOC_CODE, 4 }, /* fs */
+ { RELOC_VBO, 12 }
+ };
+ const struct shader_rec_reloc *relocs;
+ struct drm_gem_cma_object *bo[ARRAY_SIZE(gl_relocs) + 8];
+ uint32_t nr_attributes = 0, nr_fixed_relocs, nr_relocs, packet_size;
+ int i;
+ struct vc4_validated_shader_info *validated_shader = NULL;
+
+ if (state->packet == VC4_PACKET_NV_SHADER_STATE) {
+ relocs = nv_relocs;
+ nr_fixed_relocs = ARRAY_SIZE(nv_relocs);
+
+ packet_size = 16;
+ } else {
+ relocs = gl_relocs;
+ nr_fixed_relocs = ARRAY_SIZE(gl_relocs);
+
+ nr_attributes = state->addr & 0x7;
+ if (nr_attributes == 0)
+ nr_attributes = 8;
+ packet_size = gl_shader_rec_size(state->addr);
+ }
+ nr_relocs = nr_fixed_relocs + nr_attributes;
+
+ if (nr_relocs * 4 > exec->shader_rec_size) {
+ DRM_ERROR("overflowed shader recs reading %d handles "
+ "from %d bytes left\n",
+ nr_relocs, exec->shader_rec_size);
+ return -EINVAL;
+ }
+ src_handles = exec->shader_rec_u;
+ exec->shader_rec_u += nr_relocs * 4;
+ exec->shader_rec_size -= nr_relocs * 4;
+
+ if (packet_size > exec->shader_rec_size) {
+ DRM_ERROR("overflowed shader recs copying %db packet "
+ "from %d bytes left\n",
+ packet_size, exec->shader_rec_size);
+ return -EINVAL;
+ }
+ pkt_u = exec->shader_rec_u;
+ pkt_v = exec->shader_rec_v;
+ memcpy(pkt_v, pkt_u, packet_size);
+ exec->shader_rec_u += packet_size;
+ /* Shader recs have to be aligned to 16 bytes (due to the attribute
+ * flags being in the low bytes), so round the next validated shader
+ * rec address up. This should be safe, since we've got so many
+ * relocations in a shader rec packet.
+ */
+ BUG_ON(roundup(packet_size, 16) - packet_size > nr_relocs * 4);
+ exec->shader_rec_v += roundup(packet_size, 16);
+ exec->shader_rec_size -= packet_size;
+
+ for (i = 0; i < nr_relocs; i++) {
+ enum vc4_bo_mode mode;
+
+ if (i < nr_fixed_relocs && relocs[i].type == RELOC_CODE)
+ mode = VC4_MODE_SHADER;
+ else
+ mode = VC4_MODE_RENDER;
+
+ if (!vc4_use_bo(exec, src_handles[i], mode, &bo[i])) {
+ return false;
+ }
+ }
+
+ for (i = 0; i < nr_fixed_relocs; i++) {
+ uint32_t o = relocs[i].offset;
+ uint32_t src_offset = *(uint32_t *)(pkt_u + o);
+ uint32_t *texture_handles_u;
+ void *uniform_data_u;
+ uint32_t tex;
+
+ *(uint32_t *)(pkt_v + o) = bo[i]->paddr + src_offset;
+
+ switch (relocs[i].type) {
+ case RELOC_CODE:
+ kfree(validated_shader);
+ validated_shader = vc4_validate_shader(bo[i],
+ src_offset);
+ if (!validated_shader)
+ goto fail;
+
+ if (validated_shader->uniforms_src_size >
+ exec->uniforms_size) {
+ DRM_ERROR("Uniforms src buffer overflow\n");
+ goto fail;
+ }
+
+ texture_handles_u = exec->uniforms_u;
+ uniform_data_u = (texture_handles_u +
+ validated_shader->num_texture_samples);
+
+ memcpy(exec->uniforms_v, uniform_data_u,
+ validated_shader->uniforms_size);
+
+ for (tex = 0;
+ tex < validated_shader->num_texture_samples;
+ tex++) {
+ if (!reloc_tex(exec,
+ uniform_data_u,
+ &validated_shader->texture_samples[tex],
+ texture_handles_u[tex])) {
+ goto fail;
+ }
+ }
+
+ *(uint32_t *)(pkt_v + o + 4) = exec->uniforms_p;
+
+ exec->uniforms_u += validated_shader->uniforms_src_size;
+ exec->uniforms_v += validated_shader->uniforms_size;
+ exec->uniforms_p += validated_shader->uniforms_size;
+
+ break;
+
+ case RELOC_VBO:
+ break;
+ }
+ }
+
+ for (i = 0; i < nr_attributes; i++) {
+ struct drm_gem_cma_object *vbo = bo[nr_fixed_relocs + i];
+ uint32_t o = 36 + i * 8;
+ uint32_t offset = *(uint32_t *)(pkt_u + o + 0);
+ uint32_t attr_size = *(uint8_t *)(pkt_u + o + 4) + 1;
+ uint32_t stride = *(uint8_t *)(pkt_u + o + 5);
+ uint32_t max_index;
+
+ if (state->addr & 0x8)
+ stride |= (*(uint32_t *)(pkt_u + 100 + i * 4)) & ~0xff;
+
+ if (vbo->base.size < offset ||
+ vbo->base.size - offset < attr_size) {
+ DRM_ERROR("BO offset overflow (%d + %d > %d)\n",
+ offset, attr_size, vbo->base.size);
+ return -EINVAL;
+ }
+
+ if (stride != 0) {
+ max_index = ((vbo->base.size - offset - attr_size) /
+ stride);
+ if (state->max_index > max_index) {
+ DRM_ERROR("primitives use index %d out of supplied %d\n",
+ state->max_index, max_index);
+ return -EINVAL;
+ }
+ }
+
+ *(uint32_t *)(pkt_v + o) = vbo->paddr + offset;
+ }
+
+ kfree(validated_shader);
+
+ return 0;
+
+fail:
+ kfree(validated_shader);
+ return -EINVAL;
+}
+
+int
+vc4_validate_shader_recs(struct drm_device *dev,
+ struct exec_info *exec)
+{
+ uint32_t i;
+ int ret = 0;
+
+ for (i = 0; i < exec->shader_state_count; i++) {
+ ret = validate_shader_rec(dev, exec, &exec->shader_state[i]);
+ if (ret)
+ return ret;
+ }
+
+ return ret;
+}
--- /dev/null
+/*
+ * Copyright © 2014 Broadcom
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+/**
+ * DOC: Shader validator for VC4.
+ *
+ * The VC4 has no IOMMU between it and system memory. So, a user with access
+ * to execute shaders could escalate privilege by overwriting system memory
+ * (using the VPM write address register in the general-purpose DMA mode) or
+ * reading system memory it shouldn't (reading it as a texture, or uniform
+ * data, or vertex data).
+ *
+ * This walks over a shader starting from some offset within a BO, ensuring
+ * that its accesses are appropriately bounded, and recording how many texture
+ * accesses are made and where so that we can do relocations for them in the
+ * uniform stream.
+ *
+ * The kernel API has shaders stored in user-mapped BOs. The BOs will be
+ * forcibly unmapped from the process before validation, and any cache of
+ * validated state will be flushed if the mapping is faulted back in.
+ *
+ * Storing the shaders in BOs means that the validation process will be slow
+ * due to uncached reads, but since shaders are long-lived and shader BOs are
+ * never actually modified, this shouldn't be a problem.
+ */
+
+#include "vc4_drv.h"
+#include "vc4_qpu.h"
+#include "vc4_qpu_defines.h"
+
+struct vc4_shader_validation_state {
+ struct vc4_texture_sample_info tmu_setup[2];
+ int tmu_write_count[2];
+};
+
+static bool
+is_tmu_write(uint32_t waddr)
+{
+ return (waddr >= QPU_W_TMU0_S &&
+ waddr <= QPU_W_TMU1_B);
+}
+
+static bool
+record_validated_texture_sample(struct vc4_validated_shader_info *validated_shader,
+ struct vc4_shader_validation_state *validation_state,
+ int tmu)
+{
+ uint32_t s = validated_shader->num_texture_samples;
+ int i;
+ struct vc4_texture_sample_info *temp_samples;
+
+ temp_samples = krealloc(validated_shader->texture_samples,
+ (s + 1) * sizeof(*temp_samples),
+ GFP_KERNEL);
+ if (!temp_samples)
+ return false;
+
+ memcpy(temp_samples[s].p_offset,
+ validation_state->tmu_setup[tmu].p_offset,
+ validation_state->tmu_write_count[tmu] * sizeof(uint32_t));
+ for (i = validation_state->tmu_write_count[tmu]; i < 4; i++)
+ temp_samples[s].p_offset[i] = ~0;
+
+ validated_shader->num_texture_samples = s + 1;
+ validated_shader->texture_samples = temp_samples;
+
+ return true;
+}
+
+static bool
+check_tmu_write(struct vc4_validated_shader_info *validated_shader,
+ struct vc4_shader_validation_state *validation_state,
+ uint32_t waddr)
+{
+ int tmu = waddr > QPU_W_TMU0_B;
+
+ if (!is_tmu_write(waddr))
+ return true;
+
+ if (validation_state->tmu_write_count[tmu] >= 4) {
+ DRM_ERROR("TMU%d got too many parameters before dispatch\n",
+ tmu);
+ return false;
+ }
+ validation_state->tmu_setup[tmu].p_offset[validation_state->tmu_write_count[tmu]] =
+ validated_shader->uniforms_size;
+ validation_state->tmu_write_count[tmu]++;
+ validated_shader->uniforms_size += 4;
+
+ if (waddr == QPU_W_TMU0_S || waddr == QPU_W_TMU1_S) {
+ if (!record_validated_texture_sample(validated_shader,
+ validation_state, tmu)) {
+ return false;
+ }
+
+ validation_state->tmu_write_count[tmu] = 0;
+ }
+
+ return true;
+}
+
+static bool
+check_register_write(struct vc4_validated_shader_info *validated_shader,
+ struct vc4_shader_validation_state *validation_state,
+ uint32_t waddr)
+{
+ switch (waddr) {
+ case QPU_W_UNIFORMS_ADDRESS:
+ /* XXX: We'll probably need to support this for reladdr, but
+ * it's definitely a security-related one.
+ */
+ DRM_ERROR("uniforms address load unsupported\n");
+ return false;
+
+ case QPU_W_TLB_COLOR_MS:
+ case QPU_W_TLB_COLOR_ALL:
+ case QPU_W_TLB_Z:
+ /* These only interact with the tile buffer, not main memory,
+ * so they're safe.
+ */
+ return true;
+
+ case QPU_W_TMU0_S:
+ case QPU_W_TMU0_T:
+ case QPU_W_TMU0_R:
+ case QPU_W_TMU0_B:
+ case QPU_W_TMU1_S:
+ case QPU_W_TMU1_T:
+ case QPU_W_TMU1_R:
+ case QPU_W_TMU1_B:
+ return check_tmu_write(validated_shader, validation_state,
+ waddr);
+
+ case QPU_W_HOST_INT:
+ case QPU_W_TMU_NOSWAP:
+ case QPU_W_TLB_ALPHA_MASK:
+ case QPU_W_MUTEX_RELEASE:
+ /* XXX: I haven't thought about these, so don't support them
+ * for now.
+ */
+ DRM_ERROR("Unsupported waddr %d\n", waddr);
+ return false;
+
+ case QPU_W_VPM_ADDR:
+ DRM_ERROR("General VPM DMA unsupported\n");
+ return false;
+
+ case QPU_W_VPM:
+ case QPU_W_VPMVCD_SETUP:
+ /* We allow VPM setup in general, even including VPM DMA
+ * configuration setup, because the (unsafe) DMA can only be
+ * triggered by QPU_W_VPM_ADDR writes.
+ */
+ return true;
+
+ case QPU_W_TLB_STENCIL_SETUP:
+ return true;
+ }
+
+ return true;
+}
+
+static bool
+check_instruction_writes(uint64_t inst,
+ struct vc4_validated_shader_info *validated_shader,
+ struct vc4_shader_validation_state *validation_state)
+{
+ uint32_t waddr_add = QPU_GET_FIELD(inst, QPU_WADDR_ADD);
+ uint32_t waddr_mul = QPU_GET_FIELD(inst, QPU_WADDR_MUL);
+
+ if (is_tmu_write(waddr_add) && is_tmu_write(waddr_mul)) {
+ DRM_ERROR("ADD and MUL both set up textures\n");
+ return false;
+ }
+
+ return (check_register_write(validated_shader, validation_state, waddr_add) &&
+ check_register_write(validated_shader, validation_state, waddr_mul));
+}
+
+static bool
+check_instruction_reads(uint64_t inst,
+ struct vc4_validated_shader_info *validated_shader)
+{
+ uint32_t waddr_add = QPU_GET_FIELD(inst, QPU_WADDR_ADD);
+ uint32_t waddr_mul = QPU_GET_FIELD(inst, QPU_WADDR_MUL);
+ uint32_t raddr_a = QPU_GET_FIELD(inst, QPU_RADDR_A);
+ uint32_t raddr_b = QPU_GET_FIELD(inst, QPU_RADDR_B);
+
+ if (raddr_a == QPU_R_UNIF ||
+ raddr_b == QPU_R_UNIF) {
+ if (is_tmu_write(waddr_add) || is_tmu_write(waddr_mul)) {
+ DRM_ERROR("uniform read in the same instruction as "
+ "texture setup");
+ return false;
+ }
+
+ /* This can't overflow the uint32_t, because we're reading 8
+ * bytes of instruction to increment by 4 here, so we'd
+ * already be OOM.
+ */
+ validated_shader->uniforms_size += 4;
+ }
+
+ return true;
+}
+
+struct vc4_validated_shader_info *
+vc4_validate_shader(struct drm_gem_cma_object *shader_obj,
+ uint32_t start_offset)
+{
+ bool found_shader_end = false;
+ int shader_end_ip = 0;
+ uint32_t ip, max_ip;
+ uint64_t *shader;
+ struct vc4_validated_shader_info *validated_shader;
+ struct vc4_shader_validation_state validation_state;
+
+ memset(&validation_state, 0, sizeof(validation_state));
+
+ if (start_offset + sizeof(uint64_t) > shader_obj->base.size) {
+ DRM_ERROR("shader starting at %d outside of BO sized %d\n",
+ start_offset,
+ shader_obj->base.size);
+ return NULL;
+ }
+ shader = shader_obj->vaddr + start_offset;
+ max_ip = (shader_obj->base.size - start_offset) / sizeof(uint64_t);
+
+ validated_shader = kcalloc(sizeof(*validated_shader), 1, GFP_KERNEL);
+ if (!validated_shader)
+ return NULL;
+
+ for (ip = 0; ip < max_ip; ip++) {
+ uint64_t inst = shader[ip];
+ uint32_t sig = QPU_GET_FIELD(inst, QPU_SIG);
+
+ switch (sig) {
+ case QPU_SIG_NONE:
+ case QPU_SIG_WAIT_FOR_SCOREBOARD:
+ case QPU_SIG_SCOREBOARD_UNLOCK:
+ case QPU_SIG_COLOR_LOAD:
+ case QPU_SIG_LOAD_TMU0:
+ case QPU_SIG_LOAD_TMU1:
+ if (!check_instruction_writes(inst, validated_shader,
+ &validation_state)) {
+ DRM_ERROR("Bad write at ip %d\n", ip);
+ goto fail;
+ }
+
+ if (!check_instruction_reads(inst, validated_shader))
+ goto fail;
+
+ break;
+
+ case QPU_SIG_LOAD_IMM:
+ if (!check_instruction_writes(inst, validated_shader,
+ &validation_state)) {
+ DRM_ERROR("Bad LOAD_IMM write at ip %d\n", ip);
+ goto fail;
+ }
+ break;
+
+ case QPU_SIG_PROG_END:
+ found_shader_end = true;
+ shader_end_ip = ip;
+ break;
+
+ default:
+ DRM_ERROR("Unsupported QPU signal %d at "
+ "instruction %d\n", sig, ip);
+ goto fail;
+ }
+
+ /* There are two delay slots after program end is signaled
+ * that are still executed, then we're finished.
+ */
+ if (found_shader_end && ip == shader_end_ip + 2)
+ break;
+ }
+
+ if (ip == max_ip) {
+ DRM_ERROR("shader starting at %d failed to terminate before "
+ "shader BO end at %d\n",
+ start_offset,
+ shader_obj->base.size);
+ goto fail;
+ }
+
+ /* Again, no chance of integer overflow here because the worst case
+ * scenario is 8 bytes of uniforms plus handles per 8-byte
+ * instruction.
+ */
+ validated_shader->uniforms_src_size =
+ (validated_shader->uniforms_size +
+ 4 * validated_shader->num_texture_samples);
+
+ return validated_shader;
+
+fail:
+ kfree(validated_shader);
+ return NULL;
+}
#include "vc4_screen.h"
#include "vc4_context.h"
+#include "kernel/vc4_drv.h"
#include "vc4_simulator_validate.h"
#include "simpenrose/simpenrose.h"
return obj;
}
-static struct drm_gem_cma_object *
+struct drm_gem_cma_object *
drm_gem_cma_create(struct drm_device *dev, size_t size)
{
struct vc4_context *vc4 = dev->vc4;
return 0;
}
-static int
-vc4_cl_validate(struct drm_device *dev, struct exec_info *exec)
-{
- struct drm_vc4_submit_cl *args = exec->args;
- void *temp = NULL;
- void *bin, *render;
- int ret = 0;
- uint32_t bin_offset = 0;
- uint32_t render_offset = bin_offset + args->bin_cl_size;
- uint32_t shader_rec_offset = roundup(render_offset +
- args->render_cl_size, 16);
- uint32_t uniforms_offset = shader_rec_offset + args->shader_rec_size;
- uint32_t exec_size = uniforms_offset + args->uniforms_size;
- uint32_t temp_size = exec_size + (sizeof(struct vc4_shader_state) *
- args->shader_rec_count);
-
- if (shader_rec_offset < render_offset ||
- uniforms_offset < shader_rec_offset ||
- exec_size < uniforms_offset ||
- args->shader_rec_count >= (UINT_MAX /
- sizeof(struct vc4_shader_state)) ||
- temp_size < exec_size) {
- DRM_ERROR("overflow in exec arguments\n");
- goto fail;
- }
-
- /* Allocate space where we'll store the copied in user command lists
- * and shader records.
- *
- * We don't just copy directly into the BOs because we need to
- * read the contents back for validation, and I think the
- * bo->vaddr is uncached access.
- */
- temp = kmalloc(temp_size, GFP_KERNEL);
- if (!temp) {
- DRM_ERROR("Failed to allocate storage for copying "
- "in bin/render CLs.\n");
- ret = -ENOMEM;
- goto fail;
- }
- bin = temp + bin_offset;
- render = temp + render_offset;
- exec->shader_rec_u = temp + shader_rec_offset;
- exec->uniforms_u = temp + uniforms_offset;
- exec->shader_state = temp + exec_size;
- exec->shader_state_size = args->shader_rec_count;
-
- ret = copy_from_user(bin, args->bin_cl, args->bin_cl_size);
- if (ret) {
- DRM_ERROR("Failed to copy in bin cl\n");
- goto fail;
- }
-
- ret = copy_from_user(render, args->render_cl, args->render_cl_size);
- if (ret) {
- DRM_ERROR("Failed to copy in render cl\n");
- goto fail;
- }
-
- ret = copy_from_user(exec->shader_rec_u, args->shader_rec,
- args->shader_rec_size);
- if (ret) {
- DRM_ERROR("Failed to copy in shader recs\n");
- goto fail;
- }
-
- ret = copy_from_user(exec->uniforms_u, args->uniforms,
- args->uniforms_size);
- if (ret) {
- DRM_ERROR("Failed to copy in uniforms cl\n");
- goto fail;
- }
-
- exec->exec_bo = drm_gem_cma_create(dev, exec_size);
-#if 0
- if (IS_ERR(exec->exec_bo)) {
- DRM_ERROR("Couldn't allocate BO for exec\n");
- ret = PTR_ERR(exec->exec_bo);
- exec->exec_bo = NULL;
- goto fail;
- }
-#endif
-
- exec->ct0ca = exec->exec_bo->paddr + bin_offset;
- exec->ct1ca = exec->exec_bo->paddr + render_offset;
-
- exec->shader_rec_v = exec->exec_bo->vaddr + shader_rec_offset;
- exec->shader_rec_p = exec->exec_bo->paddr + shader_rec_offset;
- exec->shader_rec_size = args->shader_rec_size;
-
- exec->uniforms_v = exec->exec_bo->vaddr + uniforms_offset;
- exec->uniforms_p = exec->exec_bo->paddr + uniforms_offset;
- exec->uniforms_size = args->uniforms_size;
-
- ret = vc4_validate_cl(dev,
- exec->exec_bo->vaddr + bin_offset,
- bin,
- args->bin_cl_size,
- true,
- exec);
- if (ret)
- goto fail;
-
- ret = vc4_validate_cl(dev,
- exec->exec_bo->vaddr + render_offset,
- render,
- args->render_cl_size,
- false,
- exec);
- if (ret)
- goto fail;
-
- ret = vc4_validate_shader_recs(dev, exec);
-
-fail:
- kfree(temp);
- return ret;
-}
-
int
vc4_simulator_flush(struct vc4_context *vc4, struct drm_vc4_submit_cl *args)
{
+++ /dev/null
-/*
- * Copyright © 2014 Broadcom
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice (including the next
- * paragraph) shall be included in all copies or substantial portions of the
- * Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
- * IN THE SOFTWARE.
- */
-
-/**
- * Command list validator for VC4.
- *
- * The VC4 has no IOMMU between it and system memory. So, a user with
- * access to execute command lists could escalate privilege by
- * overwriting system memory (drawing to it as a framebuffer) or
- * reading system memory it shouldn't (reading it as a texture, or
- * uniform data, or vertex data).
- *
- * This validates command lists to ensure that all accesses are within
- * the bounds of the GEM objects referenced. It explicitly whitelists
- * packets, and looks at the offsets in any address fields to make
- * sure they're constrained within the BOs they reference.
- *
- * Note that because of the validation that's happening anyway, this
- * is where GEM relocation processing happens.
- */
-
-#include "vc4_simulator_validate.h"
-#include "vc4_packet.h"
-
-#define VALIDATE_ARGS \
- struct exec_info *exec, \
- void *validated, \
- void *untrusted
-
-
-/** Return the width in pixels of a 64-byte microtile. */
-static uint32_t
-utile_width(int cpp)
-{
- switch (cpp) {
- case 1:
- case 2:
- return 8;
- case 4:
- return 4;
- case 8:
- return 2;
- default:
- DRM_ERROR("unknown cpp: %d\n", cpp);
- return 1;
- }
-}
-
-/** Return the height in pixels of a 64-byte microtile. */
-static uint32_t
-utile_height(int cpp)
-{
- switch (cpp) {
- case 1:
- return 8;
- case 2:
- case 4:
- case 8:
- return 4;
- default:
- DRM_ERROR("unknown cpp: %d\n", cpp);
- return 1;
- }
-}
-
-/**
- * The texture unit decides what tiling format a particular miplevel is using
- * this function, so we lay out our miptrees accordingly.
- */
-static bool
-size_is_lt(uint32_t width, uint32_t height, int cpp)
-{
- return (width <= 4 * utile_width(cpp) ||
- height <= 4 * utile_height(cpp));
-}
-
-static bool
-vc4_use_bo(struct exec_info *exec,
- uint32_t hindex,
- enum vc4_bo_mode mode,
- struct drm_gem_cma_object **obj)
-{
- *obj = NULL;
-
- if (hindex >= exec->bo_count) {
- DRM_ERROR("BO index %d greater than BO count %d\n",
- hindex, exec->bo_count);
- return false;
- }
-
- if (exec->bo[hindex].mode != mode) {
- if (exec->bo[hindex].mode == VC4_MODE_UNDECIDED) {
- exec->bo[hindex].mode = mode;
- } else {
- DRM_ERROR("BO index %d reused with mode %d vs %d\n",
- hindex, exec->bo[hindex].mode, mode);
- return false;
- }
- }
-
- *obj = exec->bo[hindex].bo;
- return true;
-}
-
-static bool
-vc4_use_handle(struct exec_info *exec,
- uint32_t gem_handles_packet_index,
- enum vc4_bo_mode mode,
- struct drm_gem_cma_object **obj)
-{
- return vc4_use_bo(exec, exec->bo_index[gem_handles_packet_index],
- mode, obj);
-}
-
-static uint32_t
-gl_shader_rec_size(uint32_t pointer_bits)
-{
- uint32_t attribute_count = pointer_bits & 7;
- bool extended = pointer_bits & 8;
-
- if (attribute_count == 0)
- attribute_count = 8;
-
- if (extended)
- return 100 + attribute_count * 4;
- else
- return 36 + attribute_count * 8;
-}
-
-static bool
-check_tex_size(struct exec_info *exec, struct drm_gem_cma_object *fbo,
- uint32_t offset, uint8_t tiling_format,
- uint32_t width, uint32_t height, uint8_t cpp)
-{
- uint32_t aligned_width, aligned_height, stride, size;
- uint32_t utile_w = utile_width(cpp);
- uint32_t utile_h = utile_height(cpp);
-
- /* The values are limited by the packet/texture parameter bitfields,
- * so we don't need to worry as much about integer overflow.
- */
- BUG_ON(width > 65535);
- BUG_ON(height > 65535);
-
- switch (tiling_format) {
- case VC4_TILING_FORMAT_LINEAR:
- aligned_width = roundup(width, 16 / cpp);
- aligned_height = height;
- break;
- case VC4_TILING_FORMAT_T:
- aligned_width = roundup(width, utile_w * 8);
- aligned_height = roundup(height, utile_h * 8);
- break;
- case VC4_TILING_FORMAT_LT:
- aligned_width = roundup(width, utile_w);
- aligned_height = roundup(height, utile_h);
- break;
- default:
- DRM_ERROR("buffer tiling %d unsupported\n", tiling_format);
- return false;
- }
-
- stride = aligned_width * cpp;
-
- if (INT_MAX / stride < aligned_height) {
- DRM_ERROR("Overflow in fbo size (%dx%d -> %dx%d)\n",
- width, height,
- aligned_width, aligned_height);
- return false;
- }
- size = stride * aligned_height;
-
- if (size + offset < size ||
- size + offset > fbo->base.size) {
- DRM_ERROR("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %d)\n",
- width, height,
- aligned_width, aligned_height,
- size, offset, fbo->base.size);
- return false;
- }
-
- return true;
-}
-
-static int
-validate_start_tile_binning(VALIDATE_ARGS)
-{
- if (exec->found_start_tile_binning_packet) {
- DRM_ERROR("Duplicate VC4_PACKET_START_TILE_BINNING\n");
- return -EINVAL;
- }
- exec->found_start_tile_binning_packet = true;
-
- if (!exec->found_tile_binning_mode_config_packet) {
- DRM_ERROR("missing VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
- return -EINVAL;
- }
-
- return 0;
-}
-
-static int
-validate_branch_to_sublist(VALIDATE_ARGS)
-{
- struct drm_gem_cma_object *target;
- uint32_t offset;
-
- if (!vc4_use_handle(exec, 0, VC4_MODE_TILE_ALLOC, &target))
- return -EINVAL;
-
- if (target != exec->tile_alloc_bo) {
- DRM_ERROR("Jumping to BOs other than tile alloc unsupported\n");
- return -EINVAL;
- }
-
- offset = *(uint32_t *)(untrusted + 0);
- if (offset % exec->tile_alloc_init_block_size ||
- offset / exec->tile_alloc_init_block_size >
- exec->bin_tiles_x * exec->bin_tiles_y) {
- DRM_ERROR("VC4_PACKET_BRANCH_TO_SUB_LIST must jump to initial "
- "tile allocation space.\n");
- return -EINVAL;
- }
-
- *(uint32_t *)(validated + 0) = target->paddr + offset;
-
- return 0;
-}
-
-/**
- * validate_loadstore_tile_buffer_general() - Validation for
- * VC4_PACKET_LOAD_TILE_BUFFER_GENERAL and
- * VC4_PACKET_STORE_TILE_BUFFER_GENERAL.
- *
- * The two packets are nearly the same, except for the TLB-clearing management
- * bits not being present for loads. Additionally, while stores are executed
- * immediately (using the current tile coordinates), loads are queued to be
- * executed when the tile coordinates packet occurs.
- *
- * Note that coordinates packets are validated to be within the declared
- * bin_x/y, which themselves are verified to match the rendering-configuration
- * FB width and height (which the hardware uses to clip loads and stores).
- */
-static int
-validate_loadstore_tile_buffer_general(VALIDATE_ARGS)
-{
- uint32_t packet_b0 = *(uint8_t *)(untrusted + 0);
- uint32_t packet_b1 = *(uint8_t *)(untrusted + 1);
- struct drm_gem_cma_object *fbo;
- uint32_t buffer_type = packet_b0 & 0xf;
- uint32_t offset, cpp;
-
- switch (buffer_type) {
- case VC4_LOADSTORE_TILE_BUFFER_NONE:
- return 0;
- case VC4_LOADSTORE_TILE_BUFFER_COLOR:
- if ((packet_b1 & VC4_LOADSTORE_TILE_BUFFER_MASK) ==
- VC4_LOADSTORE_TILE_BUFFER_RGBA8888) {
- cpp = 4;
- } else {
- cpp = 2;
- }
- break;
-
- case VC4_LOADSTORE_TILE_BUFFER_Z:
- case VC4_LOADSTORE_TILE_BUFFER_ZS:
- cpp = 4;
- break;
-
- default:
- DRM_ERROR("Load/store type %d unsupported\n", buffer_type);
- return -EINVAL;
- }
-
- if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &fbo))
- return -EINVAL;
-
- offset = *(uint32_t *)(untrusted + 2) & ~0xf;
-
- if (!check_tex_size(exec, fbo, offset,
- ((packet_b0 &
- VC4_LOADSTORE_TILE_BUFFER_FORMAT_MASK) >>
- VC4_LOADSTORE_TILE_BUFFER_FORMAT_SHIFT),
- exec->fb_width, exec->fb_height, cpp)) {
- return -EINVAL;
- }
-
- *(uint32_t *)(validated + 2) = offset + fbo->paddr;
-
- return 0;
-}
-
-static int
-validate_indexed_prim_list(VALIDATE_ARGS)
-{
- struct drm_gem_cma_object *ib;
- uint32_t length = *(uint32_t *)(untrusted + 1);
- uint32_t offset = *(uint32_t *)(untrusted + 5);
- uint32_t max_index = *(uint32_t *)(untrusted + 9);
- uint32_t index_size = (*(uint8_t *)(untrusted + 0) >> 4) ? 2 : 1;
- struct vc4_shader_state *shader_state;
-
- /* Check overflow condition */
- if (exec->shader_state_count == 0) {
- DRM_ERROR("shader state must precede primitives\n");
- return -EINVAL;
- }
- shader_state = &exec->shader_state[exec->shader_state_count - 1];
-
- if (max_index > shader_state->max_index)
- shader_state->max_index = max_index;
-
- if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &ib))
- return -EINVAL;
-
- if (offset > ib->base.size ||
- (ib->base.size - offset) / index_size < length) {
- DRM_ERROR("IB access overflow (%d + %d*%d > %d)\n",
- offset, length, index_size, ib->base.size);
- return -EINVAL;
- }
-
- *(uint32_t *)(validated + 5) = ib->paddr + offset;
-
- return 0;
-}
-
-static int
-validate_gl_array_primitive(VALIDATE_ARGS)
-{
- uint32_t length = *(uint32_t *)(untrusted + 1);
- uint32_t base_index = *(uint32_t *)(untrusted + 5);
- uint32_t max_index;
- struct vc4_shader_state *shader_state;
-
- /* Check overflow condition */
- if (exec->shader_state_count == 0) {
- DRM_ERROR("shader state must precede primitives\n");
- return -EINVAL;
- }
- shader_state = &exec->shader_state[exec->shader_state_count - 1];
-
- if (length + base_index < length) {
- DRM_ERROR("primitive vertex count overflow\n");
- return -EINVAL;
- }
- max_index = length + base_index - 1;
-
- if (max_index > shader_state->max_index)
- shader_state->max_index = max_index;
-
- return 0;
-}
-
-static int
-validate_gl_shader_state(VALIDATE_ARGS)
-{
- uint32_t i = exec->shader_state_count++;
-
- if (i >= exec->shader_state_size) {
- DRM_ERROR("More requests for shader states than declared\n");
- return -EINVAL;
- }
-
- exec->shader_state[i].packet = VC4_PACKET_GL_SHADER_STATE;
- exec->shader_state[i].addr = *(uint32_t *)untrusted;
- exec->shader_state[i].max_index = 0;
-
- if (exec->shader_state[i].addr & ~0xf) {
- DRM_ERROR("high bits set in GL shader rec reference\n");
- return -EINVAL;
- }
-
- *(uint32_t *)validated = (exec->shader_rec_p +
- exec->shader_state[i].addr);
-
- exec->shader_rec_p +=
- roundup(gl_shader_rec_size(exec->shader_state[i].addr), 16);
-
- return 0;
-}
-
-static int
-validate_nv_shader_state(VALIDATE_ARGS)
-{
- uint32_t i = exec->shader_state_count++;
-
- if (i >= exec->shader_state_size) {
- DRM_ERROR("More requests for shader states than declared\n");
- return -EINVAL;
- }
-
- exec->shader_state[i].packet = VC4_PACKET_NV_SHADER_STATE;
- exec->shader_state[i].addr = *(uint32_t *)untrusted;
-
- if (exec->shader_state[i].addr & 15) {
- DRM_ERROR("NV shader state address 0x%08x misaligned\n",
- exec->shader_state[i].addr);
- return -EINVAL;
- }
-
- *(uint32_t *)validated = (exec->shader_state[i].addr +
- exec->shader_rec_p);
-
- return 0;
-}
-
-static int
-validate_tile_binning_config(VALIDATE_ARGS)
-{
- struct drm_gem_cma_object *tile_allocation;
- struct drm_gem_cma_object *tile_state_data_array;
- uint8_t flags;
- uint32_t tile_allocation_size;
-
- if (!vc4_use_handle(exec, 0, VC4_MODE_TILE_ALLOC, &tile_allocation) ||
- !vc4_use_handle(exec, 1, VC4_MODE_TSDA, &tile_state_data_array))
- return -EINVAL;
-
- if (exec->found_tile_binning_mode_config_packet) {
- DRM_ERROR("Duplicate VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
- return -EINVAL;
- }
- exec->found_tile_binning_mode_config_packet = true;
-
- exec->bin_tiles_x = *(uint8_t *)(untrusted + 12);
- exec->bin_tiles_y = *(uint8_t *)(untrusted + 13);
- flags = *(uint8_t *)(untrusted + 14);
-
- if (exec->bin_tiles_x == 0 ||
- exec->bin_tiles_y == 0) {
- DRM_ERROR("Tile binning config of %dx%d too small\n",
- exec->bin_tiles_x, exec->bin_tiles_y);
- return -EINVAL;
- }
-
- /* Our validation relies on the user not getting to set up their own
- * tile state/tile allocation BO contents.
- */
- if (!(flags & VC4_BIN_CONFIG_AUTO_INIT_TSDA)) {
- DRM_ERROR("binning config missing "
- "VC4_BIN_CONFIG_AUTO_INIT_TSDA\n");
- return -EINVAL;
- }
-
- if (flags & (VC4_BIN_CONFIG_DB_NON_MS |
- VC4_BIN_CONFIG_TILE_BUFFER_64BIT |
- VC4_BIN_CONFIG_MS_MODE_4X)) {
- DRM_ERROR("unsupported bining config flags 0x%02x\n", flags);
- return -EINVAL;
- }
-
- if (*(uint32_t *)(untrusted + 0) != 0) {
- DRM_ERROR("tile allocation offset != 0 unsupported\n");
- return -EINVAL;
- }
- tile_allocation_size = *(uint32_t *)(untrusted + 4);
- if (tile_allocation_size > tile_allocation->base.size) {
- DRM_ERROR("tile allocation size %d > BO size %d",
- tile_allocation_size, tile_allocation->base.size);
- return -EINVAL;
- }
- *(uint32_t *)validated = tile_allocation->paddr;
- exec->tile_alloc_bo = tile_allocation;
-
- exec->tile_alloc_init_block_size = 1 << (5 + ((flags >> 5) & 3));
- if (exec->bin_tiles_x * exec->bin_tiles_y *
- exec->tile_alloc_init_block_size > tile_allocation_size) {
- DRM_ERROR("tile init exceeds tile alloc size (%d vs %d)\n",
- exec->bin_tiles_x * exec->bin_tiles_y *
- exec->tile_alloc_init_block_size,
- tile_allocation_size);
- return -EINVAL;
- }
- if (*(uint32_t *)(untrusted + 8) != 0) {
- DRM_ERROR("TSDA offset != 0 unsupported\n");
- return -EINVAL;
- }
- if (exec->bin_tiles_x * exec->bin_tiles_y * 48 >
- tile_state_data_array->base.size) {
- DRM_ERROR("TSDA of %db too small for %dx%d bin config\n",
- tile_state_data_array->base.size,
- exec->bin_tiles_x, exec->bin_tiles_y);
- }
- *(uint32_t *)(validated + 8) = tile_state_data_array->paddr;
-
- return 0;
-}
-
-static int
-validate_tile_rendering_mode_config(VALIDATE_ARGS)
-{
- struct drm_gem_cma_object *fbo;
- uint32_t flags, offset, cpp;
-
- if (exec->found_tile_rendering_mode_config_packet) {
- DRM_ERROR("Duplicate VC4_PACKET_TILE_RENDERING_MODE_CONFIG\n");
- return -EINVAL;
- }
- exec->found_tile_rendering_mode_config_packet = true;
-
- if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &fbo))
- return -EINVAL;
-
- exec->fb_width = *(uint16_t *)(untrusted + 4);
- exec->fb_height = *(uint16_t *)(untrusted + 6);
-
- /* Make sure that the fb width/height matches the binning config -- we
- * rely on being able to interchange these for various assertions.
- * (Within a tile, loads and stores will be clipped to the
- * width/height, but we allow load/storing to any binned tile).
- */
- if (exec->fb_width <= (exec->bin_tiles_x - 1) * 64 ||
- exec->fb_width > exec->bin_tiles_x * 64 ||
- exec->fb_height <= (exec->bin_tiles_y - 1) * 64 ||
- exec->fb_height > exec->bin_tiles_y * 64) {
- DRM_ERROR("bin config %dx%d doesn't match FB %dx%d\n",
- exec->bin_tiles_x, exec->bin_tiles_y,
- exec->fb_width, exec->fb_height);
- return -EINVAL;
- }
-
- flags = *(uint16_t *)(untrusted + 8);
- if ((flags & VC4_RENDER_CONFIG_FORMAT_MASK) ==
- VC4_RENDER_CONFIG_FORMAT_RGBA8888) {
- cpp = 4;
- } else {
- cpp = 2;
- }
-
- offset = *(uint32_t *)untrusted;
- if (!check_tex_size(exec, fbo, offset,
- ((flags &
- VC4_RENDER_CONFIG_MEMORY_FORMAT_MASK) >>
- VC4_RENDER_CONFIG_MEMORY_FORMAT_SHIFT),
- exec->fb_width, exec->fb_height, cpp)) {
- return -EINVAL;
- }
-
- *(uint32_t *)validated = fbo->paddr + offset;
-
- return 0;
-}
-
-static int
-validate_tile_coordinates(VALIDATE_ARGS)
-{
- uint8_t tile_x = *(uint8_t *)(untrusted + 0);
- uint8_t tile_y = *(uint8_t *)(untrusted + 1);
-
- if (tile_x >= exec->bin_tiles_x ||
- tile_y >= exec->bin_tiles_y) {
- DRM_ERROR("Tile coordinates %d,%d > bin config %d,%d\n",
- tile_x,
- tile_y,
- exec->bin_tiles_x,
- exec->bin_tiles_y);
- return -EINVAL;
- }
-
- return 0;
-}
-
-static int
-validate_gem_handles(VALIDATE_ARGS)
-{
- memcpy(exec->bo_index, untrusted, sizeof(exec->bo_index));
- return 0;
-}
-
-static const struct cmd_info {
- bool bin;
- bool render;
- uint16_t len;
- const char *name;
- int (*func)(struct exec_info *exec, void *validated, void *untrusted);
-} cmd_info[] = {
- [VC4_PACKET_HALT] = { 1, 1, 1, "halt", NULL },
- [VC4_PACKET_NOP] = { 1, 1, 1, "nop", NULL },
- [VC4_PACKET_FLUSH] = { 1, 1, 1, "flush", NULL },
- [VC4_PACKET_FLUSH_ALL] = { 1, 0, 1, "flush all state", NULL },
- [VC4_PACKET_START_TILE_BINNING] = { 1, 0, 1, "start tile binning", validate_start_tile_binning },
- [VC4_PACKET_INCREMENT_SEMAPHORE] = { 1, 0, 1, "increment semaphore", NULL },
- [VC4_PACKET_WAIT_ON_SEMAPHORE] = { 1, 1, 1, "wait on semaphore", NULL },
- /* BRANCH_TO_SUB_LIST is actually supported in the binner as well, but
- * we only use it from the render CL in order to jump into the tile
- * allocation BO.
- */
- [VC4_PACKET_BRANCH_TO_SUB_LIST] = { 0, 1, 5, "branch to sublist", validate_branch_to_sublist },
- [VC4_PACKET_STORE_MS_TILE_BUFFER] = { 0, 1, 1, "store MS resolved tile color buffer", NULL },
- [VC4_PACKET_STORE_MS_TILE_BUFFER_AND_EOF] = { 0, 1, 1, "store MS resolved tile color buffer and EOF", NULL },
-
- [VC4_PACKET_STORE_TILE_BUFFER_GENERAL] = { 0, 1, 7, "Store Tile Buffer General", validate_loadstore_tile_buffer_general },
- [VC4_PACKET_LOAD_TILE_BUFFER_GENERAL] = { 0, 1, 7, "Load Tile Buffer General", validate_loadstore_tile_buffer_general },
-
- [VC4_PACKET_GL_INDEXED_PRIMITIVE] = { 1, 1, 14, "Indexed Primitive List", validate_indexed_prim_list },
-
- [VC4_PACKET_GL_ARRAY_PRIMITIVE] = { 1, 1, 10, "Vertex Array Primitives", validate_gl_array_primitive },
-
- /* This is only used by clipped primitives (packets 48 and 49), which
- * we don't support parsing yet.
- */
- [VC4_PACKET_PRIMITIVE_LIST_FORMAT] = { 1, 1, 2, "primitive list format", NULL },
-
- [VC4_PACKET_GL_SHADER_STATE] = { 1, 1, 5, "GL Shader State", validate_gl_shader_state },
- [VC4_PACKET_NV_SHADER_STATE] = { 1, 1, 5, "NV Shader State", validate_nv_shader_state },
-
- [VC4_PACKET_CONFIGURATION_BITS] = { 1, 1, 4, "configuration bits", NULL },
- [VC4_PACKET_FLAT_SHADE_FLAGS] = { 1, 1, 5, "flat shade flags", NULL },
- [VC4_PACKET_POINT_SIZE] = { 1, 1, 5, "point size", NULL },
- [VC4_PACKET_LINE_WIDTH] = { 1, 1, 5, "line width", NULL },
- [VC4_PACKET_RHT_X_BOUNDARY] = { 1, 1, 3, "RHT X boundary", NULL },
- [VC4_PACKET_DEPTH_OFFSET] = { 1, 1, 5, "Depth Offset", NULL },
- [VC4_PACKET_CLIP_WINDOW] = { 1, 1, 9, "Clip Window", NULL },
- [VC4_PACKET_VIEWPORT_OFFSET] = { 1, 1, 5, "Viewport Offset", NULL },
- [VC4_PACKET_CLIPPER_XY_SCALING] = { 1, 1, 9, "Clipper XY Scaling", NULL },
- /* Note: The docs say this was also 105, but it was 106 in the
- * initial userland code drop.
- */
- [VC4_PACKET_CLIPPER_Z_SCALING] = { 1, 1, 9, "Clipper Z Scale and Offset", NULL },
-
- [VC4_PACKET_TILE_BINNING_MODE_CONFIG] = { 1, 0, 16, "tile binning configuration", validate_tile_binning_config },
-
- [VC4_PACKET_TILE_RENDERING_MODE_CONFIG] = { 0, 1, 11, "tile rendering mode configuration", validate_tile_rendering_mode_config},
-
- [VC4_PACKET_CLEAR_COLORS] = { 0, 1, 14, "Clear Colors", NULL },
-
- [VC4_PACKET_TILE_COORDINATES] = { 0, 1, 3, "Tile Coordinates", validate_tile_coordinates },
-
- [VC4_PACKET_GEM_HANDLES] = { 1, 1, 9, "GEM handles", validate_gem_handles },
-};
-
-int
-vc4_validate_cl(struct drm_device *dev,
- void *validated,
- void *unvalidated,
- uint32_t len,
- bool is_bin,
- struct exec_info *exec)
-{
- uint32_t dst_offset = 0;
- uint32_t src_offset = 0;
-
- while (src_offset < len) {
- void *dst_pkt = validated + dst_offset;
- void *src_pkt = unvalidated + src_offset;
- u8 cmd = *(uint8_t *)src_pkt;
- const struct cmd_info *info;
-
- if (cmd > ARRAY_SIZE(cmd_info)) {
- DRM_ERROR("0x%08x: packet %d out of bounds\n",
- src_offset, cmd);
- return -EINVAL;
- }
-
- info = &cmd_info[cmd];
- if (!info->name) {
- DRM_ERROR("0x%08x: packet %d invalid\n",
- src_offset, cmd);
- return -EINVAL;
- }
-
-#if 0
- DRM_INFO("0x%08x: packet %d (%s) size %d processing...\n",
- src_offset, cmd, info->name, info->len);
-#endif
-
- if ((is_bin && !info->bin) ||
- (!is_bin && !info->render)) {
- DRM_ERROR("0x%08x: packet %d (%s) invalid for %s\n",
- src_offset, cmd, info->name,
- is_bin ? "binner" : "render");
- return -EINVAL;
- }
-
- if (src_offset + info->len > len) {
- DRM_ERROR("0x%08x: packet %d (%s) length 0x%08x "
- "exceeds bounds (0x%08x)\n",
- src_offset, cmd, info->name, info->len,
- src_offset + len);
- return -EINVAL;
- }
-
- if (cmd != VC4_PACKET_GEM_HANDLES)
- memcpy(dst_pkt, src_pkt, info->len);
-
- if (info->func && info->func(exec,
- dst_pkt + 1,
- src_pkt + 1)) {
- DRM_ERROR("0x%08x: packet %d (%s) failed to "
- "validate\n",
- src_offset, cmd, info->name);
- return -EINVAL;
- }
-
- src_offset += info->len;
- /* GEM handle loading doesn't produce HW packets. */
- if (cmd != VC4_PACKET_GEM_HANDLES)
- dst_offset += info->len;
-
- /* When the CL hits halt, it'll stop reading anything else. */
- if (cmd == VC4_PACKET_HALT)
- break;
- }
-
- if (is_bin) {
- exec->ct0ea = exec->ct0ca + dst_offset;
-
- if (!exec->found_start_tile_binning_packet) {
- DRM_ERROR("Bin CL missing VC4_PACKET_START_TILE_BINNING\n");
- return -EINVAL;
- }
- } else {
- if (!exec->found_tile_rendering_mode_config_packet) {
- DRM_ERROR("Render CL missing VC4_PACKET_TILE_RENDERING_MODE_CONFIG\n");
- return -EINVAL;
- }
- exec->ct1ea = exec->ct1ca + dst_offset;
- }
-
- return 0;
-}
-
-static bool
-reloc_tex(struct exec_info *exec,
- void *uniform_data_u,
- struct vc4_texture_sample_info *sample,
- uint32_t texture_handle_index)
-
-{
- struct drm_gem_cma_object *tex;
- uint32_t p0 = *(uint32_t *)(uniform_data_u + sample->p_offset[0]);
- uint32_t p1 = *(uint32_t *)(uniform_data_u + sample->p_offset[1]);
- uint32_t p2 = (sample->p_offset[2] != ~0 ?
- *(uint32_t *)(uniform_data_u + sample->p_offset[2]) : 0);
- uint32_t p3 = (sample->p_offset[3] != ~0 ?
- *(uint32_t *)(uniform_data_u + sample->p_offset[3]) : 0);
- uint32_t *validated_p0 = exec->uniforms_v + sample->p_offset[0];
- uint32_t offset = p0 & ~0xfff;
- uint32_t miplevels = (p0 & 15);
- uint32_t width = (p1 >> 8) & 2047;
- uint32_t height = (p1 >> 20) & 2047;
- uint32_t cpp, tiling_format, utile_w, utile_h;
- uint32_t i;
- uint32_t cube_map_stride = 0;
- enum vc4_texture_data_type type;
-
- if (width == 0)
- width = 2048;
- if (height == 0)
- height = 2048;
-
- if (p0 & (1 << 9)) {
- if ((p2 & (3 << 30)) == (1 << 30))
- cube_map_stride = p2 & 0x3ffff000;
- if ((p3 & (3 << 30)) == (1 << 30)) {
- if (cube_map_stride) {
- DRM_ERROR("Cube map stride set twice\n");
- return -EINVAL;
- }
-
- cube_map_stride = p3 & 0x3ffff000;
- }
- if (!cube_map_stride) {
- DRM_ERROR("Cube map stride not set\n");
- return -EINVAL;
- }
- }
-
- type = ((p0 >> 4) & 15) | ((p1 >> 31) << 4);
-
- switch (type) {
- case VC4_TEXTURE_TYPE_RGBA8888:
- case VC4_TEXTURE_TYPE_RGBX8888:
- case VC4_TEXTURE_TYPE_RGBA32R:
- cpp = 4;
- break;
- case VC4_TEXTURE_TYPE_RGBA4444:
- case VC4_TEXTURE_TYPE_RGBA5551:
- case VC4_TEXTURE_TYPE_RGB565:
- case VC4_TEXTURE_TYPE_LUMALPHA:
- case VC4_TEXTURE_TYPE_S16F:
- case VC4_TEXTURE_TYPE_S16:
- cpp = 2;
- break;
- case VC4_TEXTURE_TYPE_LUMINANCE:
- case VC4_TEXTURE_TYPE_ALPHA:
- case VC4_TEXTURE_TYPE_S8:
- cpp = 1;
- break;
- case VC4_TEXTURE_TYPE_ETC1:
- case VC4_TEXTURE_TYPE_BW1:
- case VC4_TEXTURE_TYPE_A4:
- case VC4_TEXTURE_TYPE_A1:
- case VC4_TEXTURE_TYPE_RGBA64:
- case VC4_TEXTURE_TYPE_YUV422R:
- default:
- DRM_ERROR("Texture format %d unsupported\n", type);
- return false;
- }
- utile_w = utile_width(cpp);
- utile_h = utile_height(cpp);
-
- if (type == VC4_TEXTURE_TYPE_RGBA32R) {
- tiling_format = VC4_TILING_FORMAT_LINEAR;
- } else {
- if (size_is_lt(width, height, cpp))
- tiling_format = VC4_TILING_FORMAT_LT;
- else
- tiling_format = VC4_TILING_FORMAT_T;
- }
-
- if (!vc4_use_bo(exec, texture_handle_index, VC4_MODE_RENDER, &tex))
- return false;
-
- if (!check_tex_size(exec, tex, offset + cube_map_stride * 5,
- tiling_format, width, height, cpp)) {
- return false;
- }
-
- /* The mipmap levels are stored before the base of the texture. Make
- * sure there is actually space in the BO.
- */
- for (i = 1; i <= miplevels; i++) {
- uint32_t level_width = max(width >> i, 1u);
- uint32_t level_height = max(height >> i, 1u);
- uint32_t aligned_width, aligned_height;
- uint32_t level_size;
-
- /* Once the levels get small enough, they drop from T to LT. */
- if (tiling_format == VC4_TILING_FORMAT_T &&
- size_is_lt(level_width, level_height, cpp)) {
- tiling_format = VC4_TILING_FORMAT_LT;
- }
-
- switch (tiling_format) {
- case VC4_TILING_FORMAT_T:
- aligned_width = roundup(level_width, utile_w * 8);
- aligned_height = roundup(level_height, utile_h * 8);
- break;
- case VC4_TILING_FORMAT_LT:
- aligned_width = roundup(level_width, utile_w);
- aligned_height = roundup(level_height, utile_h);
- break;
- default:
- aligned_width = roundup(level_width, 16 / cpp);
- aligned_height = level_height;
- break;
- }
-
- level_size = aligned_width * cpp * aligned_height;
-
- if (offset < level_size) {
- DRM_ERROR("Level %d (%dx%d -> %dx%d) size %db "
- "overflowed buffer bounds (offset %d)\n",
- i, level_width, level_height,
- aligned_width, aligned_height,
- level_size, offset);
- return false;
- }
-
- offset -= level_size;
- }
-
- *validated_p0 = tex->paddr + p0;
-
- return true;
-}
-
-static int
-validate_shader_rec(struct drm_device *dev,
- struct exec_info *exec,
- struct vc4_shader_state *state)
-{
- uint32_t *src_handles;
- void *pkt_u, *pkt_v;
- enum shader_rec_reloc_type {
- RELOC_CODE,
- RELOC_VBO,
- };
- struct shader_rec_reloc {
- enum shader_rec_reloc_type type;
- uint32_t offset;
- };
- static const struct shader_rec_reloc gl_relocs[] = {
- { RELOC_CODE, 4 }, /* fs */
- { RELOC_CODE, 16 }, /* vs */
- { RELOC_CODE, 28 }, /* cs */
- };
- static const struct shader_rec_reloc nv_relocs[] = {
- { RELOC_CODE, 4 }, /* fs */
- { RELOC_VBO, 12 }
- };
- const struct shader_rec_reloc *relocs;
- struct drm_gem_cma_object *bo[ARRAY_SIZE(gl_relocs) + 8];
- uint32_t nr_attributes = 0, nr_fixed_relocs, nr_relocs, packet_size;
- int i;
- struct vc4_validated_shader_info *validated_shader = NULL;
-
- if (state->packet == VC4_PACKET_NV_SHADER_STATE) {
- relocs = nv_relocs;
- nr_fixed_relocs = ARRAY_SIZE(nv_relocs);
-
- packet_size = 16;
- } else {
- relocs = gl_relocs;
- nr_fixed_relocs = ARRAY_SIZE(gl_relocs);
-
- nr_attributes = state->addr & 0x7;
- if (nr_attributes == 0)
- nr_attributes = 8;
- packet_size = gl_shader_rec_size(state->addr);
- }
- nr_relocs = nr_fixed_relocs + nr_attributes;
-
- if (nr_relocs * 4 > exec->shader_rec_size) {
- DRM_ERROR("overflowed shader recs reading %d handles "
- "from %d bytes left\n",
- nr_relocs, exec->shader_rec_size);
- return -EINVAL;
- }
- src_handles = exec->shader_rec_u;
- exec->shader_rec_u += nr_relocs * 4;
- exec->shader_rec_size -= nr_relocs * 4;
-
- if (packet_size > exec->shader_rec_size) {
- DRM_ERROR("overflowed shader recs copying %db packet "
- "from %d bytes left\n",
- packet_size, exec->shader_rec_size);
- return -EINVAL;
- }
- pkt_u = exec->shader_rec_u;
- pkt_v = exec->shader_rec_v;
- memcpy(pkt_v, pkt_u, packet_size);
- exec->shader_rec_u += packet_size;
- /* Shader recs have to be aligned to 16 bytes (due to the attribute
- * flags being in the low bytes), so round the next validated shader
- * rec address up. This should be safe, since we've got so many
- * relocations in a shader rec packet.
- */
- BUG_ON(roundup(packet_size, 16) - packet_size > nr_relocs * 4);
- exec->shader_rec_v += roundup(packet_size, 16);
- exec->shader_rec_size -= packet_size;
-
- for (i = 0; i < nr_relocs; i++) {
- enum vc4_bo_mode mode;
-
- if (i < nr_fixed_relocs && relocs[i].type == RELOC_CODE)
- mode = VC4_MODE_SHADER;
- else
- mode = VC4_MODE_RENDER;
-
- if (!vc4_use_bo(exec, src_handles[i], mode, &bo[i])) {
- return false;
- }
- }
-
- for (i = 0; i < nr_fixed_relocs; i++) {
- uint32_t o = relocs[i].offset;
- uint32_t src_offset = *(uint32_t *)(pkt_u + o);
- uint32_t *texture_handles_u;
- void *uniform_data_u;
- uint32_t tex;
-
- *(uint32_t *)(pkt_v + o) = bo[i]->paddr + src_offset;
-
- switch (relocs[i].type) {
- case RELOC_CODE:
- kfree(validated_shader);
- validated_shader = vc4_validate_shader(bo[i],
- src_offset);
- if (!validated_shader)
- goto fail;
-
- if (validated_shader->uniforms_src_size >
- exec->uniforms_size) {
- DRM_ERROR("Uniforms src buffer overflow\n");
- goto fail;
- }
-
- texture_handles_u = exec->uniforms_u;
- uniform_data_u = (texture_handles_u +
- validated_shader->num_texture_samples);
-
- memcpy(exec->uniforms_v, uniform_data_u,
- validated_shader->uniforms_size);
-
- for (tex = 0;
- tex < validated_shader->num_texture_samples;
- tex++) {
- if (!reloc_tex(exec,
- uniform_data_u,
- &validated_shader->texture_samples[tex],
- texture_handles_u[tex])) {
- goto fail;
- }
- }
-
- *(uint32_t *)(pkt_v + o + 4) = exec->uniforms_p;
-
- exec->uniforms_u += validated_shader->uniforms_src_size;
- exec->uniforms_v += validated_shader->uniforms_size;
- exec->uniforms_p += validated_shader->uniforms_size;
-
- break;
-
- case RELOC_VBO:
- break;
- }
- }
-
- for (i = 0; i < nr_attributes; i++) {
- struct drm_gem_cma_object *vbo = bo[nr_fixed_relocs + i];
- uint32_t o = 36 + i * 8;
- uint32_t offset = *(uint32_t *)(pkt_u + o + 0);
- uint32_t attr_size = *(uint8_t *)(pkt_u + o + 4) + 1;
- uint32_t stride = *(uint8_t *)(pkt_u + o + 5);
- uint32_t max_index;
-
- if (state->addr & 0x8)
- stride |= (*(uint32_t *)(pkt_u + 100 + i * 4)) & ~0xff;
-
- if (vbo->base.size < offset ||
- vbo->base.size - offset < attr_size) {
- DRM_ERROR("BO offset overflow (%d + %d > %d)\n",
- offset, attr_size, vbo->base.size);
- return -EINVAL;
- }
-
- if (stride != 0) {
- max_index = ((vbo->base.size - offset - attr_size) /
- stride);
- if (state->max_index > max_index) {
- DRM_ERROR("primitives use index %d out of supplied %d\n",
- state->max_index, max_index);
- return -EINVAL;
- }
- }
-
- *(uint32_t *)(pkt_v + o) = vbo->paddr + offset;
- }
-
- kfree(validated_shader);
-
- return 0;
-
-fail:
- kfree(validated_shader);
- return -EINVAL;
-}
-
-int
-vc4_validate_shader_recs(struct drm_device *dev,
- struct exec_info *exec)
-{
- uint32_t i;
- int ret = 0;
-
- for (i = 0; i < exec->shader_state_count; i++) {
- ret = validate_shader_rec(dev, exec, &exec->shader_state[i]);
- if (ret)
- return ret;
- }
-
- return ret;
-}
#include "vc4_context.h"
#include "vc4_qpu_defines.h"
+struct exec_info;
+
#define DRM_INFO(...) fprintf(stderr, __VA_ARGS__)
#define DRM_ERROR(...) fprintf(stderr, __VA_ARGS__)
#define kmalloc(size, arg) malloc(size)
void *vaddr;
};
-enum vc4_bo_mode {
- VC4_MODE_UNDECIDED,
- VC4_MODE_TILE_ALLOC,
- VC4_MODE_TSDA,
- VC4_MODE_RENDER,
- VC4_MODE_SHADER,
-};
-
-struct vc4_bo_exec_state {
- struct drm_gem_cma_object *bo;
- enum vc4_bo_mode mode;
-};
-
-struct exec_info {
- /* Kernel-space copy of the ioctl arguments */
- struct drm_vc4_submit_cl *args;
-
- /* This is the array of BOs that were looked up at the start of exec.
- * Command validation will use indices into this array.
- */
- struct vc4_bo_exec_state *bo;
- uint32_t bo_count;
-
- /* Current unvalidated indices into @bo loaded by the non-hardware
- * VC4_PACKET_GEM_HANDLES.
- */
- uint32_t bo_index[2];
-
- /* This is the BO where we store the validated command lists, shader
- * records, and uniforms.
- */
- struct drm_gem_cma_object *exec_bo;
-
- /**
- * This tracks the per-shader-record state (packet 64) that
- * determines the length of the shader record and the offset
- * it's expected to be found at. It gets read in from the
- * command lists.
- */
- struct vc4_shader_state {
- uint8_t packet;
- uint32_t addr;
- /* Maximum vertex index referenced by any primitive using this
- * shader state.
- */
- uint32_t max_index;
- } *shader_state;
-
- /** How many shader states the user declared they were using. */
- uint32_t shader_state_size;
- /** How many shader state records the validator has seen. */
- uint32_t shader_state_count;
-
- bool found_tile_binning_mode_config_packet;
- bool found_tile_rendering_mode_config_packet;
- bool found_start_tile_binning_packet;
- uint8_t bin_tiles_x, bin_tiles_y;
- uint32_t fb_width, fb_height;
- uint32_t tile_alloc_init_block_size;
- struct drm_gem_cma_object *tile_alloc_bo;
-
- /**
- * Computed addresses pointing into exec_bo where we start the
- * bin thread (ct0) and render thread (ct1).
- */
- uint32_t ct0ca, ct0ea;
- uint32_t ct1ca, ct1ea;
-
- /* Pointers to the shader recs. These paddr gets incremented as CL
- * packets are relocated in validate_gl_shader_state, and the vaddrs
- * (u and v) get incremented and size decremented as the shader recs
- * themselves are validated.
- */
- void *shader_rec_u;
- void *shader_rec_v;
- uint32_t shader_rec_p;
- uint32_t shader_rec_size;
-
- /* Pointers to the uniform data. These pointers are incremented, and
- * size decremented, as each batch of uniforms is uploaded.
- */
- void *uniforms_u;
- void *uniforms_v;
- uint32_t uniforms_p;
- uint32_t uniforms_size;
-};
-
-/**
- * struct vc4_texture_sample_info - saves the offsets into the UBO for texture
- * setup parameters.
- *
- * This will be used at draw time to relocate the reference to the texture
- * contents in p0, and validate that the offset combined with
- * width/height/stride/etc. from p1 and p2/p3 doesn't sample outside the BO.
- * Note that the hardware treats unprovided config parameters as 0, so not all
- * of them need to be set up for every texure sample, and we'll store ~0 as
- * the offset to mark the unused ones.
- *
- * See the VC4 3D architecture guide page 41 ("Texture and Memory Lookup Unit
- * Setup") for definitions of the texture parameters.
- */
-struct vc4_texture_sample_info {
- uint32_t p_offset[4];
-};
-
-/**
- * struct vc4_validated_shader_info - information about validated shaders that
- * needs to be used from command list validation.
- *
- * For a given shader, each time a shader state record references it, we need
- * to verify that the shader doesn't read more uniforms than the shader state
- * record's uniform BO pointer can provide, and we need to apply relocations
- * and validate the shader state record's uniforms that define the texture
- * samples.
- */
-struct vc4_validated_shader_info
-{
- uint32_t uniforms_size;
- uint32_t uniforms_src_size;
- uint32_t num_texture_samples;
- struct vc4_texture_sample_info *texture_samples;
-};
-
-int vc4_validate_cl(struct drm_device *dev,
- void *validated,
- void *unvalidated,
- uint32_t len,
- bool is_bin,
- struct exec_info *exec);
-int vc4_validate_shader_recs(struct drm_device *dev, struct exec_info *exec);
+struct drm_gem_cma_object *
+drm_gem_cma_create(struct drm_device *dev, size_t size);
-struct vc4_validated_shader_info *
-vc4_validate_shader(struct drm_gem_cma_object *shader_obj,
- uint32_t start_offset);
+int
+vc4_cl_validate(struct drm_device *dev, struct exec_info *exec);
#endif /* VC4_SIMULATOR_VALIDATE_H */
+++ /dev/null
-/*
- * Copyright © 2014 Broadcom
- *
- * Permission is hereby granted, free of charge, to any person obtaining a
- * copy of this software and associated documentation files (the "Software"),
- * to deal in the Software without restriction, including without limitation
- * the rights to use, copy, modify, merge, publish, distribute, sublicense,
- * and/or sell copies of the Software, and to permit persons to whom the
- * Software is furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice (including the next
- * paragraph) shall be included in all copies or substantial portions of the
- * Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
- * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
- * IN THE SOFTWARE.
- */
-
-/**
- * DOC: Shader validator for VC4.
- *
- * The VC4 has no IOMMU between it and system memory. So, a user with access
- * to execute shaders could escalate privilege by overwriting system memory
- * (using the VPM write address register in the general-purpose DMA mode) or
- * reading system memory it shouldn't (reading it as a texture, or uniform
- * data, or vertex data).
- *
- * This walks over a shader starting from some offset within a BO, ensuring
- * that its accesses are appropriately bounded, and recording how many texture
- * accesses are made and where so that we can do relocations for them in the
- * uniform stream.
- *
- * The kernel API has shaders stored in user-mapped BOs. The BOs will be
- * forcibly unmapped from the process before validation, and any cache of
- * validated state will be flushed if the mapping is faulted back in.
- *
- * Storing the shaders in BOs means that the validation process will be slow
- * due to uncached reads, but since shaders are long-lived and shader BOs are
- * never actually modified, this shouldn't be a problem.
- */
-
-#include "vc4_simulator_validate.h"
-#include "vc4_qpu.h"
-#include "vc4_qpu_defines.h"
-
-struct vc4_shader_validation_state {
- struct vc4_texture_sample_info tmu_setup[2];
- int tmu_write_count[2];
-};
-
-static bool
-is_tmu_write(uint32_t waddr)
-{
- return (waddr >= QPU_W_TMU0_S &&
- waddr <= QPU_W_TMU1_B);
-}
-
-static bool
-record_validated_texture_sample(struct vc4_validated_shader_info *validated_shader,
- struct vc4_shader_validation_state *validation_state,
- int tmu)
-{
- uint32_t s = validated_shader->num_texture_samples;
- int i;
- struct vc4_texture_sample_info *temp_samples;
-
- temp_samples = krealloc(validated_shader->texture_samples,
- (s + 1) * sizeof(*temp_samples),
- GFP_KERNEL);
- if (!temp_samples)
- return false;
-
- memcpy(temp_samples[s].p_offset,
- validation_state->tmu_setup[tmu].p_offset,
- validation_state->tmu_write_count[tmu] * sizeof(uint32_t));
- for (i = validation_state->tmu_write_count[tmu]; i < 4; i++)
- temp_samples[s].p_offset[i] = ~0;
-
- validated_shader->num_texture_samples = s + 1;
- validated_shader->texture_samples = temp_samples;
-
- return true;
-}
-
-static bool
-check_tmu_write(struct vc4_validated_shader_info *validated_shader,
- struct vc4_shader_validation_state *validation_state,
- uint32_t waddr)
-{
- int tmu = waddr > QPU_W_TMU0_B;
-
- if (!is_tmu_write(waddr))
- return true;
-
- if (validation_state->tmu_write_count[tmu] >= 4) {
- DRM_ERROR("TMU%d got too many parameters before dispatch\n",
- tmu);
- return false;
- }
- validation_state->tmu_setup[tmu].p_offset[validation_state->tmu_write_count[tmu]] =
- validated_shader->uniforms_size;
- validation_state->tmu_write_count[tmu]++;
- validated_shader->uniforms_size += 4;
-
- if (waddr == QPU_W_TMU0_S || waddr == QPU_W_TMU1_S) {
- if (!record_validated_texture_sample(validated_shader,
- validation_state, tmu)) {
- return false;
- }
-
- validation_state->tmu_write_count[tmu] = 0;
- }
-
- return true;
-}
-
-static bool
-check_register_write(struct vc4_validated_shader_info *validated_shader,
- struct vc4_shader_validation_state *validation_state,
- uint32_t waddr)
-{
- switch (waddr) {
- case QPU_W_UNIFORMS_ADDRESS:
- /* XXX: We'll probably need to support this for reladdr, but
- * it's definitely a security-related one.
- */
- DRM_ERROR("uniforms address load unsupported\n");
- return false;
-
- case QPU_W_TLB_COLOR_MS:
- case QPU_W_TLB_COLOR_ALL:
- case QPU_W_TLB_Z:
- /* These only interact with the tile buffer, not main memory,
- * so they're safe.
- */
- return true;
-
- case QPU_W_TMU0_S:
- case QPU_W_TMU0_T:
- case QPU_W_TMU0_R:
- case QPU_W_TMU0_B:
- case QPU_W_TMU1_S:
- case QPU_W_TMU1_T:
- case QPU_W_TMU1_R:
- case QPU_W_TMU1_B:
- return check_tmu_write(validated_shader, validation_state,
- waddr);
-
- case QPU_W_HOST_INT:
- case QPU_W_TMU_NOSWAP:
- case QPU_W_TLB_ALPHA_MASK:
- case QPU_W_MUTEX_RELEASE:
- /* XXX: I haven't thought about these, so don't support them
- * for now.
- */
- DRM_ERROR("Unsupported waddr %d\n", waddr);
- return false;
-
- case QPU_W_VPM_ADDR:
- DRM_ERROR("General VPM DMA unsupported\n");
- return false;
-
- case QPU_W_VPM:
- case QPU_W_VPMVCD_SETUP:
- /* We allow VPM setup in general, even including VPM DMA
- * configuration setup, because the (unsafe) DMA can only be
- * triggered by QPU_W_VPM_ADDR writes.
- */
- return true;
-
- case QPU_W_TLB_STENCIL_SETUP:
- return true;
- }
-
- return true;
-}
-
-static bool
-check_instruction_writes(uint64_t inst,
- struct vc4_validated_shader_info *validated_shader,
- struct vc4_shader_validation_state *validation_state)
-{
- uint32_t waddr_add = QPU_GET_FIELD(inst, QPU_WADDR_ADD);
- uint32_t waddr_mul = QPU_GET_FIELD(inst, QPU_WADDR_MUL);
-
- if (is_tmu_write(waddr_add) && is_tmu_write(waddr_mul)) {
- DRM_ERROR("ADD and MUL both set up textures\n");
- return false;
- }
-
- return (check_register_write(validated_shader, validation_state, waddr_add) &&
- check_register_write(validated_shader, validation_state, waddr_mul));
-}
-
-static bool
-check_instruction_reads(uint64_t inst,
- struct vc4_validated_shader_info *validated_shader)
-{
- uint32_t waddr_add = QPU_GET_FIELD(inst, QPU_WADDR_ADD);
- uint32_t waddr_mul = QPU_GET_FIELD(inst, QPU_WADDR_MUL);
- uint32_t raddr_a = QPU_GET_FIELD(inst, QPU_RADDR_A);
- uint32_t raddr_b = QPU_GET_FIELD(inst, QPU_RADDR_B);
-
- if (raddr_a == QPU_R_UNIF ||
- raddr_b == QPU_R_UNIF) {
- if (is_tmu_write(waddr_add) || is_tmu_write(waddr_mul)) {
- DRM_ERROR("uniform read in the same instruction as "
- "texture setup");
- return false;
- }
-
- /* This can't overflow the uint32_t, because we're reading 8
- * bytes of instruction to increment by 4 here, so we'd
- * already be OOM.
- */
- validated_shader->uniforms_size += 4;
- }
-
- return true;
-}
-
-struct vc4_validated_shader_info *
-vc4_validate_shader(struct drm_gem_cma_object *shader_obj,
- uint32_t start_offset)
-{
- bool found_shader_end = false;
- int shader_end_ip = 0;
- uint32_t ip, max_ip;
- uint64_t *shader;
- struct vc4_validated_shader_info *validated_shader;
- struct vc4_shader_validation_state validation_state;
-
- memset(&validation_state, 0, sizeof(validation_state));
-
- if (start_offset + sizeof(uint64_t) > shader_obj->base.size) {
- DRM_ERROR("shader starting at %d outside of BO sized %d\n",
- start_offset,
- shader_obj->base.size);
- return NULL;
- }
- shader = shader_obj->vaddr + start_offset;
- max_ip = (shader_obj->base.size - start_offset) / sizeof(uint64_t);
-
- validated_shader = kcalloc(sizeof(*validated_shader), 1, GFP_KERNEL);
- if (!validated_shader)
- return NULL;
-
- for (ip = 0; ip < max_ip; ip++) {
- uint64_t inst = shader[ip];
- uint32_t sig = QPU_GET_FIELD(inst, QPU_SIG);
-
- switch (sig) {
- case QPU_SIG_NONE:
- case QPU_SIG_WAIT_FOR_SCOREBOARD:
- case QPU_SIG_SCOREBOARD_UNLOCK:
- case QPU_SIG_COLOR_LOAD:
- case QPU_SIG_LOAD_TMU0:
- case QPU_SIG_LOAD_TMU1:
- if (!check_instruction_writes(inst, validated_shader,
- &validation_state)) {
- DRM_ERROR("Bad write at ip %d\n", ip);
- goto fail;
- }
-
- if (!check_instruction_reads(inst, validated_shader))
- goto fail;
-
- break;
-
- case QPU_SIG_LOAD_IMM:
- if (!check_instruction_writes(inst, validated_shader,
- &validation_state)) {
- DRM_ERROR("Bad LOAD_IMM write at ip %d\n", ip);
- goto fail;
- }
- break;
-
- case QPU_SIG_PROG_END:
- found_shader_end = true;
- shader_end_ip = ip;
- break;
-
- default:
- DRM_ERROR("Unsupported QPU signal %d at "
- "instruction %d\n", sig, ip);
- goto fail;
- }
-
- /* There are two delay slots after program end is signaled
- * that are still executed, then we're finished.
- */
- if (found_shader_end && ip == shader_end_ip + 2)
- break;
- }
-
- if (ip == max_ip) {
- DRM_ERROR("shader starting at %d failed to terminate before "
- "shader BO end at %d\n",
- start_offset,
- shader_obj->base.size);
- goto fail;
- }
-
- /* Again, no chance of integer overflow here because the worst case
- * scenario is 8 bytes of uniforms plus handles per 8-byte
- * instruction.
- */
- validated_shader->uniforms_src_size =
- (validated_shader->uniforms_size +
- 4 * validated_shader->num_texture_samples);
-
- return validated_shader;
-
-fail:
- kfree(validated_shader);
- return NULL;
-}
projects / mesa.git / commitdiff