search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
bpf: Prevent memory disambiguation attack
[linux/fpc-iii.git] / drivers / gpu / drm / vc4 / vc4_gem.c
blobc94cce96544c8b0196f16b2e9151e15430a28690
1 /*
2 * Copyright © 2014 Broadcom
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
13 * Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21 * IN THE SOFTWARE.
22 */
23
24 #include <linux/module.h>
25 #include <linux/platform_device.h>
26 #include <linux/pm_runtime.h>
27 #include <linux/device.h>
28 #include <linux/io.h>
29 #include <linux/sched/signal.h>
30
31 #include "uapi/drm/vc4_drm.h"
32 #include "vc4_drv.h"
33 #include "vc4_regs.h"
34 #include "vc4_trace.h"
35
36 static void
37 vc4_queue_hangcheck(struct drm_device *dev)
38 {
39 struct vc4_dev *vc4 = to_vc4_dev(dev);
40
41 mod_timer(&vc4->hangcheck.timer,
42 round_jiffies_up(jiffies + msecs_to_jiffies(100)));
43 }
44
45 struct vc4_hang_state {
46 struct drm_vc4_get_hang_state user_state;
47
48 u32 bo_count;
49 struct drm_gem_object **bo;
50 };
51
52 static void
53 vc4_free_hang_state(struct drm_device *dev, struct vc4_hang_state *state)
54 {
55 unsigned int i;
56
57 for (i = 0; i < state->user_state.bo_count; i++)
58 drm_gem_object_put_unlocked(state->bo[i]);
59
60 kfree(state);
61 }
62
63 int
64 vc4_get_hang_state_ioctl(struct drm_device *dev, void *data,
65 struct drm_file *file_priv)
66 {
67 struct drm_vc4_get_hang_state *get_state = data;
68 struct drm_vc4_get_hang_state_bo *bo_state;
69 struct vc4_hang_state *kernel_state;
70 struct drm_vc4_get_hang_state *state;
71 struct vc4_dev *vc4 = to_vc4_dev(dev);
72 unsigned long irqflags;
73 u32 i;
74 int ret = 0;
75
76 spin_lock_irqsave(&vc4->job_lock, irqflags);
77 kernel_state = vc4->hang_state;
78 if (!kernel_state) {
79 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
80 return -ENOENT;
81 }
82 state = &kernel_state->user_state;
83
84 /* If the user's array isn't big enough, just return the
85 * required array size.
86 */
87 if (get_state->bo_count < state->bo_count) {
88 get_state->bo_count = state->bo_count;
89 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
90 return 0;
91 }
92
93 vc4->hang_state = NULL;
94 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
95
96 /* Save the user's BO pointer, so we don't stomp it with the memcpy. */
97 state->bo = get_state->bo;
98 memcpy(get_state, state, sizeof(*state));
99
100 bo_state = kcalloc(state->bo_count, sizeof(*bo_state), GFP_KERNEL);
101 if (!bo_state) {
102 ret = -ENOMEM;
103 goto err_free;
104 }
105
106 for (i = 0; i < state->bo_count; i++) {
107 struct vc4_bo *vc4_bo = to_vc4_bo(kernel_state->bo[i]);
108 u32 handle;
109
110 ret = drm_gem_handle_create(file_priv, kernel_state->bo[i],
111 &handle);
112
113 if (ret) {
114 state->bo_count = i;
115 goto err_delete_handle;
116 }
117 bo_state[i].handle = handle;
118 bo_state[i].paddr = vc4_bo->base.paddr;
119 bo_state[i].size = vc4_bo->base.base.size;
120 }
121
122 if (copy_to_user(u64_to_user_ptr(get_state->bo),
123 bo_state,
124 state->bo_count * sizeof(*bo_state)))
125 ret = -EFAULT;
126
127 err_delete_handle:
128 if (ret) {
129 for (i = 0; i < state->bo_count; i++)
130 drm_gem_handle_delete(file_priv, bo_state[i].handle);
131 }
132
133 err_free:
134 vc4_free_hang_state(dev, kernel_state);
135 kfree(bo_state);
136
137 return ret;
138 }
139
140 static void
141 vc4_save_hang_state(struct drm_device *dev)
142 {
143 struct vc4_dev *vc4 = to_vc4_dev(dev);
144 struct drm_vc4_get_hang_state *state;
145 struct vc4_hang_state *kernel_state;
146 struct vc4_exec_info *exec[2];
147 struct vc4_bo *bo;
148 unsigned long irqflags;
149 unsigned int i, j, k, unref_list_count;
150
151 kernel_state = kcalloc(1, sizeof(*kernel_state), GFP_KERNEL);
152 if (!kernel_state)
153 return;
154
155 state = &kernel_state->user_state;
156
157 spin_lock_irqsave(&vc4->job_lock, irqflags);
158 exec[0] = vc4_first_bin_job(vc4);
159 exec[1] = vc4_first_render_job(vc4);
160 if (!exec[0] && !exec[1]) {
161 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
162 return;
163 }
164
165 /* Get the bos from both binner and renderer into hang state. */
166 state->bo_count = 0;
167 for (i = 0; i < 2; i++) {
168 if (!exec[i])
169 continue;
170
171 unref_list_count = 0;
172 list_for_each_entry(bo, &exec[i]->unref_list, unref_head)
173 unref_list_count++;
174 state->bo_count += exec[i]->bo_count + unref_list_count;
175 }
176
177 kernel_state->bo = kcalloc(state->bo_count,
178 sizeof(*kernel_state->bo), GFP_ATOMIC);
179
180 if (!kernel_state->bo) {
181 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
182 return;
183 }
184
185 k = 0;
186 for (i = 0; i < 2; i++) {
187 if (!exec[i])
188 continue;
189
190 for (j = 0; j < exec[i]->bo_count; j++) {
191 bo = to_vc4_bo(&exec[i]->bo[j]->base);
192
193 /* Retain BOs just in case they were marked purgeable.
194 * This prevents the BO from being purged before
195 * someone had a chance to dump the hang state.
196 */
197 WARN_ON(!refcount_read(&bo->usecnt));
198 refcount_inc(&bo->usecnt);
199 drm_gem_object_get(&exec[i]->bo[j]->base);
200 kernel_state->bo[k++] = &exec[i]->bo[j]->base;
201 }
202
203 list_for_each_entry(bo, &exec[i]->unref_list, unref_head) {
204 /* No need to retain BOs coming from the ->unref_list
205 * because they are naturally unpurgeable.
206 */
207 drm_gem_object_get(&bo->base.base);
208 kernel_state->bo[k++] = &bo->base.base;
209 }
210 }
211
212 WARN_ON_ONCE(k != state->bo_count);
213
214 if (exec[0])
215 state->start_bin = exec[0]->ct0ca;
216 if (exec[1])
217 state->start_render = exec[1]->ct1ca;
218
219 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
220
221 state->ct0ca = V3D_READ(V3D_CTNCA(0));
222 state->ct0ea = V3D_READ(V3D_CTNEA(0));
223
224 state->ct1ca = V3D_READ(V3D_CTNCA(1));
225 state->ct1ea = V3D_READ(V3D_CTNEA(1));
226
227 state->ct0cs = V3D_READ(V3D_CTNCS(0));
228 state->ct1cs = V3D_READ(V3D_CTNCS(1));
229
230 state->ct0ra0 = V3D_READ(V3D_CT00RA0);
231 state->ct1ra0 = V3D_READ(V3D_CT01RA0);
232
233 state->bpca = V3D_READ(V3D_BPCA);
234 state->bpcs = V3D_READ(V3D_BPCS);
235 state->bpoa = V3D_READ(V3D_BPOA);
236 state->bpos = V3D_READ(V3D_BPOS);
237
238 state->vpmbase = V3D_READ(V3D_VPMBASE);
239
240 state->dbge = V3D_READ(V3D_DBGE);
241 state->fdbgo = V3D_READ(V3D_FDBGO);
242 state->fdbgb = V3D_READ(V3D_FDBGB);
243 state->fdbgr = V3D_READ(V3D_FDBGR);
244 state->fdbgs = V3D_READ(V3D_FDBGS);
245 state->errstat = V3D_READ(V3D_ERRSTAT);
246
247 /* We need to turn purgeable BOs into unpurgeable ones so that
248 * userspace has a chance to dump the hang state before the kernel
249 * decides to purge those BOs.
250 * Note that BO consistency at dump time cannot be guaranteed. For
251 * example, if the owner of these BOs decides to re-use them or mark
252 * them purgeable again there's nothing we can do to prevent it.
253 */
254 for (i = 0; i < kernel_state->user_state.bo_count; i++) {
255 struct vc4_bo *bo = to_vc4_bo(kernel_state->bo[i]);
256
257 if (bo->madv == __VC4_MADV_NOTSUPP)
258 continue;
259
260 mutex_lock(&bo->madv_lock);
261 if (!WARN_ON(bo->madv == __VC4_MADV_PURGED))
262 bo->madv = VC4_MADV_WILLNEED;
263 refcount_dec(&bo->usecnt);
264 mutex_unlock(&bo->madv_lock);
265 }
266
267 spin_lock_irqsave(&vc4->job_lock, irqflags);
268 if (vc4->hang_state) {
269 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
270 vc4_free_hang_state(dev, kernel_state);
271 } else {
272 vc4->hang_state = kernel_state;
273 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
274 }
275 }
276
277 static void
278 vc4_reset(struct drm_device *dev)
279 {
280 struct vc4_dev *vc4 = to_vc4_dev(dev);
281
282 DRM_INFO("Resetting GPU.\n");
283
284 mutex_lock(&vc4->power_lock);
285 if (vc4->power_refcount) {
286 /* Power the device off and back on the by dropping the
287 * reference on runtime PM.
288 */
289 pm_runtime_put_sync_suspend(&vc4->v3d->pdev->dev);
290 pm_runtime_get_sync(&vc4->v3d->pdev->dev);
291 }
292 mutex_unlock(&vc4->power_lock);
293
294 vc4_irq_reset(dev);
295
296 /* Rearm the hangcheck -- another job might have been waiting
297 * for our hung one to get kicked off, and vc4_irq_reset()
298 * would have started it.
299 */
300 vc4_queue_hangcheck(dev);
301 }
302
303 static void
304 vc4_reset_work(struct work_struct *work)
305 {
306 struct vc4_dev *vc4 =
307 container_of(work, struct vc4_dev, hangcheck.reset_work);
308
309 vc4_save_hang_state(vc4->dev);
310
311 vc4_reset(vc4->dev);
312 }
313
314 static void
315 vc4_hangcheck_elapsed(struct timer_list *t)
316 {
317 struct vc4_dev *vc4 = from_timer(vc4, t, hangcheck.timer);
318 struct drm_device *dev = vc4->dev;
319 uint32_t ct0ca, ct1ca;
320 unsigned long irqflags;
321 struct vc4_exec_info *bin_exec, *render_exec;
322
323 spin_lock_irqsave(&vc4->job_lock, irqflags);
324
325 bin_exec = vc4_first_bin_job(vc4);
326 render_exec = vc4_first_render_job(vc4);
327
328 /* If idle, we can stop watching for hangs. */
329 if (!bin_exec && !render_exec) {
330 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
331 return;
332 }
333
334 ct0ca = V3D_READ(V3D_CTNCA(0));
335 ct1ca = V3D_READ(V3D_CTNCA(1));
336
337 /* If we've made any progress in execution, rearm the timer
338 * and wait.
339 */
340 if ((bin_exec && ct0ca != bin_exec->last_ct0ca) ||
341 (render_exec && ct1ca != render_exec->last_ct1ca)) {
342 if (bin_exec)
343 bin_exec->last_ct0ca = ct0ca;
344 if (render_exec)
345 render_exec->last_ct1ca = ct1ca;
346 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
347 vc4_queue_hangcheck(dev);
348 return;
349 }
350
351 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
352
353 /* We've gone too long with no progress, reset. This has to
354 * be done from a work struct, since resetting can sleep and
355 * this timer hook isn't allowed to.
356 */
357 schedule_work(&vc4->hangcheck.reset_work);
358 }
359
360 static void
361 submit_cl(struct drm_device *dev, uint32_t thread, uint32_t start, uint32_t end)
362 {
363 struct vc4_dev *vc4 = to_vc4_dev(dev);
364
365 /* Set the current and end address of the control list.
366 * Writing the end register is what starts the job.
367 */
368 V3D_WRITE(V3D_CTNCA(thread), start);
369 V3D_WRITE(V3D_CTNEA(thread), end);
370 }
371
372 int
373 vc4_wait_for_seqno(struct drm_device *dev, uint64_t seqno, uint64_t timeout_ns,
374 bool interruptible)
375 {
376 struct vc4_dev *vc4 = to_vc4_dev(dev);
377 int ret = 0;
378 unsigned long timeout_expire;
379 DEFINE_WAIT(wait);
380
381 if (vc4->finished_seqno >= seqno)
382 return 0;
383
384 if (timeout_ns == 0)
385 return -ETIME;
386
387 timeout_expire = jiffies + nsecs_to_jiffies(timeout_ns);
388
389 trace_vc4_wait_for_seqno_begin(dev, seqno, timeout_ns);
390 for (;;) {
391 prepare_to_wait(&vc4->job_wait_queue, &wait,
392 interruptible ? TASK_INTERRUPTIBLE :
393 TASK_UNINTERRUPTIBLE);
394
395 if (interruptible && signal_pending(current)) {
396 ret = -ERESTARTSYS;
397 break;
398 }
399
400 if (vc4->finished_seqno >= seqno)
401 break;
402
403 if (timeout_ns != ~0ull) {
404 if (time_after_eq(jiffies, timeout_expire)) {
405 ret = -ETIME;
406 break;
407 }
408 schedule_timeout(timeout_expire - jiffies);
409 } else {
410 schedule();
411 }
412 }
413
414 finish_wait(&vc4->job_wait_queue, &wait);
415 trace_vc4_wait_for_seqno_end(dev, seqno);
416
417 return ret;
418 }
419
420 static void
421 vc4_flush_caches(struct drm_device *dev)
422 {
423 struct vc4_dev *vc4 = to_vc4_dev(dev);
424
425 /* Flush the GPU L2 caches. These caches sit on top of system
426 * L3 (the 128kb or so shared with the CPU), and are
427 * non-allocating in the L3.
428 */
429 V3D_WRITE(V3D_L2CACTL,
430 V3D_L2CACTL_L2CCLR);
431
432 V3D_WRITE(V3D_SLCACTL,
433 VC4_SET_FIELD(0xf, V3D_SLCACTL_T1CC) |
434 VC4_SET_FIELD(0xf, V3D_SLCACTL_T0CC) |
435 VC4_SET_FIELD(0xf, V3D_SLCACTL_UCC) |
436 VC4_SET_FIELD(0xf, V3D_SLCACTL_ICC));
437 }
438
439 static void
440 vc4_flush_texture_caches(struct drm_device *dev)
441 {
442 struct vc4_dev *vc4 = to_vc4_dev(dev);
443
444 V3D_WRITE(V3D_L2CACTL,
445 V3D_L2CACTL_L2CCLR);
446
447 V3D_WRITE(V3D_SLCACTL,
448 VC4_SET_FIELD(0xf, V3D_SLCACTL_T1CC) |
449 VC4_SET_FIELD(0xf, V3D_SLCACTL_T0CC));
450 }
451
452 /* Sets the registers for the next job to be actually be executed in
453 * the hardware.
454 *
455 * The job_lock should be held during this.
456 */
457 void
458 vc4_submit_next_bin_job(struct drm_device *dev)
459 {
460 struct vc4_dev *vc4 = to_vc4_dev(dev);
461 struct vc4_exec_info *exec;
462
463 again:
464 exec = vc4_first_bin_job(vc4);
465 if (!exec)
466 return;
467
468 vc4_flush_caches(dev);
469
470 /* Either put the job in the binner if it uses the binner, or
471 * immediately move it to the to-be-rendered queue.
472 */
473 if (exec->ct0ca != exec->ct0ea) {
474 submit_cl(dev, 0, exec->ct0ca, exec->ct0ea);
475 } else {
476 vc4_move_job_to_render(dev, exec);
477 goto again;
478 }
479 }
480
481 void
482 vc4_submit_next_render_job(struct drm_device *dev)
483 {
484 struct vc4_dev *vc4 = to_vc4_dev(dev);
485 struct vc4_exec_info *exec = vc4_first_render_job(vc4);
486
487 if (!exec)
488 return;
489
490 /* A previous RCL may have written to one of our textures, and
491 * our full cache flush at bin time may have occurred before
492 * that RCL completed. Flush the texture cache now, but not
493 * the instructions or uniforms (since we don't write those
494 * from an RCL).
495 */
496 vc4_flush_texture_caches(dev);
497
498 submit_cl(dev, 1, exec->ct1ca, exec->ct1ea);
499 }
500
501 void
502 vc4_move_job_to_render(struct drm_device *dev, struct vc4_exec_info *exec)
503 {
504 struct vc4_dev *vc4 = to_vc4_dev(dev);
505 bool was_empty = list_empty(&vc4->render_job_list);
506
507 list_move_tail(&exec->head, &vc4->render_job_list);
508 if (was_empty)
509 vc4_submit_next_render_job(dev);
510 }
511
512 static void
513 vc4_update_bo_seqnos(struct vc4_exec_info *exec, uint64_t seqno)
514 {
515 struct vc4_bo *bo;
516 unsigned i;
517
518 for (i = 0; i < exec->bo_count; i++) {
519 bo = to_vc4_bo(&exec->bo[i]->base);
520 bo->seqno = seqno;
521
522 reservation_object_add_shared_fence(bo->resv, exec->fence);
523 }
524
525 list_for_each_entry(bo, &exec->unref_list, unref_head) {
526 bo->seqno = seqno;
527 }
528
529 for (i = 0; i < exec->rcl_write_bo_count; i++) {
530 bo = to_vc4_bo(&exec->rcl_write_bo[i]->base);
531 bo->write_seqno = seqno;
532
533 reservation_object_add_excl_fence(bo->resv, exec->fence);
534 }
535 }
536
537 static void
538 vc4_unlock_bo_reservations(struct drm_device *dev,
539 struct vc4_exec_info *exec,
540 struct ww_acquire_ctx *acquire_ctx)
541 {
542 int i;
543
544 for (i = 0; i < exec->bo_count; i++) {
545 struct vc4_bo *bo = to_vc4_bo(&exec->bo[i]->base);
546
547 ww_mutex_unlock(&bo->resv->lock);
548 }
549
550 ww_acquire_fini(acquire_ctx);
551 }
552
553 /* Takes the reservation lock on all the BOs being referenced, so that
554 * at queue submit time we can update the reservations.
555 *
556 * We don't lock the RCL the tile alloc/state BOs, or overflow memory
557 * (all of which are on exec->unref_list). They're entirely private
558 * to vc4, so we don't attach dma-buf fences to them.
559 */
560 static int
561 vc4_lock_bo_reservations(struct drm_device *dev,
562 struct vc4_exec_info *exec,
563 struct ww_acquire_ctx *acquire_ctx)
564 {
565 int contended_lock = -1;
566 int i, ret;
567 struct vc4_bo *bo;
568
569 ww_acquire_init(acquire_ctx, &reservation_ww_class);
570
571 retry:
572 if (contended_lock != -1) {
573 bo = to_vc4_bo(&exec->bo[contended_lock]->base);
574 ret = ww_mutex_lock_slow_interruptible(&bo->resv->lock,
575 acquire_ctx);
576 if (ret) {
577 ww_acquire_done(acquire_ctx);
578 return ret;
579 }
580 }
581
582 for (i = 0; i < exec->bo_count; i++) {
583 if (i == contended_lock)
584 continue;
585
586 bo = to_vc4_bo(&exec->bo[i]->base);
587
588 ret = ww_mutex_lock_interruptible(&bo->resv->lock, acquire_ctx);
589 if (ret) {
590 int j;
591
592 for (j = 0; j < i; j++) {
593 bo = to_vc4_bo(&exec->bo[j]->base);
594 ww_mutex_unlock(&bo->resv->lock);
595 }
596
597 if (contended_lock != -1 && contended_lock >= i) {
598 bo = to_vc4_bo(&exec->bo[contended_lock]->base);
599
600 ww_mutex_unlock(&bo->resv->lock);
601 }
602
603 if (ret == -EDEADLK) {
604 contended_lock = i;
605 goto retry;
606 }
607
608 ww_acquire_done(acquire_ctx);
609 return ret;
610 }
611 }
612
613 ww_acquire_done(acquire_ctx);
614
615 /* Reserve space for our shared (read-only) fence references,
616 * before we commit the CL to the hardware.
617 */
618 for (i = 0; i < exec->bo_count; i++) {
619 bo = to_vc4_bo(&exec->bo[i]->base);
620
621 ret = reservation_object_reserve_shared(bo->resv);
622 if (ret) {
623 vc4_unlock_bo_reservations(dev, exec, acquire_ctx);
624 return ret;
625 }
626 }
627
628 return 0;
629 }
630
631 /* Queues a struct vc4_exec_info for execution. If no job is
632 * currently executing, then submits it.
633 *
634 * Unlike most GPUs, our hardware only handles one command list at a
635 * time. To queue multiple jobs at once, we'd need to edit the
636 * previous command list to have a jump to the new one at the end, and
637 * then bump the end address. That's a change for a later date,
638 * though.
639 */
640 static int
641 vc4_queue_submit(struct drm_device *dev, struct vc4_exec_info *exec,
642 struct ww_acquire_ctx *acquire_ctx)
643 {
644 struct vc4_dev *vc4 = to_vc4_dev(dev);
645 uint64_t seqno;
646 unsigned long irqflags;
647 struct vc4_fence *fence;
648
649 fence = kzalloc(sizeof(*fence), GFP_KERNEL);
650 if (!fence)
651 return -ENOMEM;
652 fence->dev = dev;
653
654 spin_lock_irqsave(&vc4->job_lock, irqflags);
655
656 seqno = ++vc4->emit_seqno;
657 exec->seqno = seqno;
658
659 dma_fence_init(&fence->base, &vc4_fence_ops, &vc4->job_lock,
660 vc4->dma_fence_context, exec->seqno);
661 fence->seqno = exec->seqno;
662 exec->fence = &fence->base;
663
664 vc4_update_bo_seqnos(exec, seqno);
665
666 vc4_unlock_bo_reservations(dev, exec, acquire_ctx);
667
668 list_add_tail(&exec->head, &vc4->bin_job_list);
669
670 /* If no job was executing, kick ours off. Otherwise, it'll
671 * get started when the previous job's flush done interrupt
672 * occurs.
673 */
674 if (vc4_first_bin_job(vc4) == exec) {
675 vc4_submit_next_bin_job(dev);
676 vc4_queue_hangcheck(dev);
677 }
678
679 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
680
681 return 0;
682 }
683
684 /**
685 * vc4_cl_lookup_bos() - Sets up exec->bo[] with the GEM objects
686 * referenced by the job.
687 * @dev: DRM device
688 * @file_priv: DRM file for this fd
689 * @exec: V3D job being set up
690 *
691 * The command validator needs to reference BOs by their index within
692 * the submitted job's BO list. This does the validation of the job's
693 * BO list and reference counting for the lifetime of the job.
694 */
695 static int
696 vc4_cl_lookup_bos(struct drm_device *dev,
697 struct drm_file *file_priv,
698 struct vc4_exec_info *exec)
699 {
700 struct drm_vc4_submit_cl *args = exec->args;
701 uint32_t *handles;
702 int ret = 0;
703 int i;
704
705 exec->bo_count = args->bo_handle_count;
706
707 if (!exec->bo_count) {
708 /* See comment on bo_index for why we have to check
709 * this.
710 */
711 DRM_DEBUG("Rendering requires BOs to validate\n");
712 return -EINVAL;
713 }
714
715 exec->bo = kvmalloc_array(exec->bo_count,
716 sizeof(struct drm_gem_cma_object *),
717 GFP_KERNEL | __GFP_ZERO);
718 if (!exec->bo) {
719 DRM_ERROR("Failed to allocate validated BO pointers\n");
720 return -ENOMEM;
721 }
722
723 handles = kvmalloc_array(exec->bo_count, sizeof(uint32_t), GFP_KERNEL);
724 if (!handles) {
725 ret = -ENOMEM;
726 DRM_ERROR("Failed to allocate incoming GEM handles\n");
727 goto fail;
728 }
729
730 if (copy_from_user(handles, u64_to_user_ptr(args->bo_handles),
731 exec->bo_count * sizeof(uint32_t))) {
732 ret = -EFAULT;
733 DRM_ERROR("Failed to copy in GEM handles\n");
734 goto fail;
735 }
736
737 spin_lock(&file_priv->table_lock);
738 for (i = 0; i < exec->bo_count; i++) {
739 struct drm_gem_object *bo = idr_find(&file_priv->object_idr,
740 handles[i]);
741 if (!bo) {
742 DRM_DEBUG("Failed to look up GEM BO %d: %d\n",
743 i, handles[i]);
744 ret = -EINVAL;
745 break;
746 }
747
748 drm_gem_object_get(bo);
749 exec->bo[i] = (struct drm_gem_cma_object *)bo;
750 }
751 spin_unlock(&file_priv->table_lock);
752
753 if (ret)
754 goto fail_put_bo;
755
756 for (i = 0; i < exec->bo_count; i++) {
757 ret = vc4_bo_inc_usecnt(to_vc4_bo(&exec->bo[i]->base));
758 if (ret)
759 goto fail_dec_usecnt;
760 }
761
762 kvfree(handles);
763 return 0;
764
765 fail_dec_usecnt:
766 /* Decrease usecnt on acquired objects.
767 * We cannot rely on vc4_complete_exec() to release resources here,
768 * because vc4_complete_exec() has no information about which BO has
769 * had its ->usecnt incremented.
770 * To make things easier we just free everything explicitly and set
771 * exec->bo to NULL so that vc4_complete_exec() skips the 'BO release'
772 * step.
773 */
774 for (i-- ; i >= 0; i--)
775 vc4_bo_dec_usecnt(to_vc4_bo(&exec->bo[i]->base));
776
777 fail_put_bo:
778 /* Release any reference to acquired objects. */
779 for (i = 0; i < exec->bo_count && exec->bo[i]; i++)
780 drm_gem_object_put_unlocked(&exec->bo[i]->base);
781
782 fail:
783 kvfree(handles);
784 kvfree(exec->bo);
785 exec->bo = NULL;
786 return ret;
787 }
788
789 static int
790 vc4_get_bcl(struct drm_device *dev, struct vc4_exec_info *exec)
791 {
792 struct drm_vc4_submit_cl *args = exec->args;
793 void *temp = NULL;
794 void *bin;
795 int ret = 0;
796 uint32_t bin_offset = 0;
797 uint32_t shader_rec_offset = roundup(bin_offset + args->bin_cl_size,
798 16);
799 uint32_t uniforms_offset = shader_rec_offset + args->shader_rec_size;
800 uint32_t exec_size = uniforms_offset + args->uniforms_size;
801 uint32_t temp_size = exec_size + (sizeof(struct vc4_shader_state) *
802 args->shader_rec_count);
803 struct vc4_bo *bo;
804
805 if (shader_rec_offset < args->bin_cl_size ||
806 uniforms_offset < shader_rec_offset ||
807 exec_size < uniforms_offset ||
808 args->shader_rec_count >= (UINT_MAX /
809 sizeof(struct vc4_shader_state)) ||
810 temp_size < exec_size) {
811 DRM_DEBUG("overflow in exec arguments\n");
812 ret = -EINVAL;
813 goto fail;
814 }
815
816 /* Allocate space where we'll store the copied in user command lists
817 * and shader records.
818 *
819 * We don't just copy directly into the BOs because we need to
820 * read the contents back for validation, and I think the
821 * bo->vaddr is uncached access.
822 */
823 temp = kvmalloc_array(temp_size, 1, GFP_KERNEL);
824 if (!temp) {
825 DRM_ERROR("Failed to allocate storage for copying "
826 "in bin/render CLs.\n");
827 ret = -ENOMEM;
828 goto fail;
829 }
830 bin = temp + bin_offset;
831 exec->shader_rec_u = temp + shader_rec_offset;
832 exec->uniforms_u = temp + uniforms_offset;
833 exec->shader_state = temp + exec_size;
834 exec->shader_state_size = args->shader_rec_count;
835
836 if (copy_from_user(bin,
837 u64_to_user_ptr(args->bin_cl),
838 args->bin_cl_size)) {
839 ret = -EFAULT;
840 goto fail;
841 }
842
843 if (copy_from_user(exec->shader_rec_u,
844 u64_to_user_ptr(args->shader_rec),
845 args->shader_rec_size)) {
846 ret = -EFAULT;
847 goto fail;
848 }
849
850 if (copy_from_user(exec->uniforms_u,
851 u64_to_user_ptr(args->uniforms),
852 args->uniforms_size)) {
853 ret = -EFAULT;
854 goto fail;
855 }
856
857 bo = vc4_bo_create(dev, exec_size, true, VC4_BO_TYPE_BCL);
858 if (IS_ERR(bo)) {
859 DRM_ERROR("Couldn't allocate BO for binning\n");
860 ret = PTR_ERR(bo);
861 goto fail;
862 }
863 exec->exec_bo = &bo->base;
864
865 list_add_tail(&to_vc4_bo(&exec->exec_bo->base)->unref_head,
866 &exec->unref_list);
867
868 exec->ct0ca = exec->exec_bo->paddr + bin_offset;
869
870 exec->bin_u = bin;
871
872 exec->shader_rec_v = exec->exec_bo->vaddr + shader_rec_offset;
873 exec->shader_rec_p = exec->exec_bo->paddr + shader_rec_offset;
874 exec->shader_rec_size = args->shader_rec_size;
875
876 exec->uniforms_v = exec->exec_bo->vaddr + uniforms_offset;
877 exec->uniforms_p = exec->exec_bo->paddr + uniforms_offset;
878 exec->uniforms_size = args->uniforms_size;
879
880 ret = vc4_validate_bin_cl(dev,
881 exec->exec_bo->vaddr + bin_offset,
882 bin,
883 exec);
884 if (ret)
885 goto fail;
886
887 ret = vc4_validate_shader_recs(dev, exec);
888 if (ret)
889 goto fail;
890
891 /* Block waiting on any previous rendering into the CS's VBO,
892 * IB, or textures, so that pixels are actually written by the
893 * time we try to read them.
894 */
895 ret = vc4_wait_for_seqno(dev, exec->bin_dep_seqno, ~0ull, true);
896
897 fail:
898 kvfree(temp);
899 return ret;
900 }
901
902 static void
903 vc4_complete_exec(struct drm_device *dev, struct vc4_exec_info *exec)
904 {
905 struct vc4_dev *vc4 = to_vc4_dev(dev);
906 unsigned long irqflags;
907 unsigned i;
908
909 /* If we got force-completed because of GPU reset rather than
910 * through our IRQ handler, signal the fence now.
911 */
912 if (exec->fence) {
913 dma_fence_signal(exec->fence);
914 dma_fence_put(exec->fence);
915 }
916
917 if (exec->bo) {
918 for (i = 0; i < exec->bo_count; i++) {
919 struct vc4_bo *bo = to_vc4_bo(&exec->bo[i]->base);
920
921 vc4_bo_dec_usecnt(bo);
922 drm_gem_object_put_unlocked(&exec->bo[i]->base);
923 }
924 kvfree(exec->bo);
925 }
926
927 while (!list_empty(&exec->unref_list)) {
928 struct vc4_bo *bo = list_first_entry(&exec->unref_list,
929 struct vc4_bo, unref_head);
930 list_del(&bo->unref_head);
931 drm_gem_object_put_unlocked(&bo->base.base);
932 }
933
934 /* Free up the allocation of any bin slots we used. */
935 spin_lock_irqsave(&vc4->job_lock, irqflags);
936 vc4->bin_alloc_used &= ~exec->bin_slots;
937 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
938
939 mutex_lock(&vc4->power_lock);
940 if (--vc4->power_refcount == 0) {
941 pm_runtime_mark_last_busy(&vc4->v3d->pdev->dev);
942 pm_runtime_put_autosuspend(&vc4->v3d->pdev->dev);
943 }
944 mutex_unlock(&vc4->power_lock);
945
946 kfree(exec);
947 }
948
949 void
950 vc4_job_handle_completed(struct vc4_dev *vc4)
951 {
952 unsigned long irqflags;
953 struct vc4_seqno_cb *cb, *cb_temp;
954
955 spin_lock_irqsave(&vc4->job_lock, irqflags);
956 while (!list_empty(&vc4->job_done_list)) {
957 struct vc4_exec_info *exec =
958 list_first_entry(&vc4->job_done_list,
959 struct vc4_exec_info, head);
960 list_del(&exec->head);
961
962 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
963 vc4_complete_exec(vc4->dev, exec);
964 spin_lock_irqsave(&vc4->job_lock, irqflags);
965 }
966
967 list_for_each_entry_safe(cb, cb_temp, &vc4->seqno_cb_list, work.entry) {
968 if (cb->seqno <= vc4->finished_seqno) {
969 list_del_init(&cb->work.entry);
970 schedule_work(&cb->work);
971 }
972 }
973
974 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
975 }
976
977 static void vc4_seqno_cb_work(struct work_struct *work)
978 {
979 struct vc4_seqno_cb *cb = container_of(work, struct vc4_seqno_cb, work);
980
981 cb->func(cb);
982 }
983
984 int vc4_queue_seqno_cb(struct drm_device *dev,
985 struct vc4_seqno_cb *cb, uint64_t seqno,
986 void (*func)(struct vc4_seqno_cb *cb))
987 {
988 struct vc4_dev *vc4 = to_vc4_dev(dev);
989 int ret = 0;
990 unsigned long irqflags;
991
992 cb->func = func;
993 INIT_WORK(&cb->work, vc4_seqno_cb_work);
994
995 spin_lock_irqsave(&vc4->job_lock, irqflags);
996 if (seqno > vc4->finished_seqno) {
997 cb->seqno = seqno;
998 list_add_tail(&cb->work.entry, &vc4->seqno_cb_list);
999 } else {
1000 schedule_work(&cb->work);
1001 }
1002 spin_unlock_irqrestore(&vc4->job_lock, irqflags);
1003
1004 return ret;
1005 }
1006
1007 /* Scheduled when any job has been completed, this walks the list of
1008 * jobs that had completed and unrefs their BOs and frees their exec
1009 * structs.
1010 */
1011 static void
1012 vc4_job_done_work(struct work_struct *work)
1013 {
1014 struct vc4_dev *vc4 =
1015 container_of(work, struct vc4_dev, job_done_work);
1016
1017 vc4_job_handle_completed(vc4);
1018 }
1019
1020 static int
1021 vc4_wait_for_seqno_ioctl_helper(struct drm_device *dev,
1022 uint64_t seqno,
1023 uint64_t *timeout_ns)
1024 {
1025 unsigned long start = jiffies;
1026 int ret = vc4_wait_for_seqno(dev, seqno, *timeout_ns, true);
1027
1028 if ((ret == -EINTR || ret == -ERESTARTSYS) && *timeout_ns != ~0ull) {
1029 uint64_t delta = jiffies_to_nsecs(jiffies - start);
1030
1031 if (*timeout_ns >= delta)
1032 *timeout_ns -= delta;
1033 }
1034
1035 return ret;
1036 }
1037
1038 int
1039 vc4_wait_seqno_ioctl(struct drm_device *dev, void *data,
1040 struct drm_file *file_priv)
1041 {
1042 struct drm_vc4_wait_seqno *args = data;
1043
1044 return vc4_wait_for_seqno_ioctl_helper(dev, args->seqno,
1045 &args->timeout_ns);
1046 }
1047
1048 int
1049 vc4_wait_bo_ioctl(struct drm_device *dev, void *data,
1050 struct drm_file *file_priv)
1051 {
1052 int ret;
1053 struct drm_vc4_wait_bo *args = data;
1054 struct drm_gem_object *gem_obj;
1055 struct vc4_bo *bo;
1056
1057 if (args->pad != 0)
1058 return -EINVAL;
1059
1060 gem_obj = drm_gem_object_lookup(file_priv, args->handle);
1061 if (!gem_obj) {
1062 DRM_DEBUG("Failed to look up GEM BO %d\n", args->handle);
1063 return -EINVAL;
1064 }
1065 bo = to_vc4_bo(gem_obj);
1066
1067 ret = vc4_wait_for_seqno_ioctl_helper(dev, bo->seqno,
1068 &args->timeout_ns);
1069
1070 drm_gem_object_put_unlocked(gem_obj);
1071 return ret;
1072 }
1073
1074 /**
1075 * vc4_submit_cl_ioctl() - Submits a job (frame) to the VC4.
1076 * @dev: DRM device
1077 * @data: ioctl argument
1078 * @file_priv: DRM file for this fd
1079 *
1080 * This is the main entrypoint for userspace to submit a 3D frame to
1081 * the GPU. Userspace provides the binner command list (if
1082 * applicable), and the kernel sets up the render command list to draw
1083 * to the framebuffer described in the ioctl, using the command lists
1084 * that the 3D engine's binner will produce.
1085 */
1086 int
1087 vc4_submit_cl_ioctl(struct drm_device *dev, void *data,
1088 struct drm_file *file_priv)
1089 {
1090 struct vc4_dev *vc4 = to_vc4_dev(dev);
1091 struct drm_vc4_submit_cl *args = data;
1092 struct vc4_exec_info *exec;
1093 struct ww_acquire_ctx acquire_ctx;
1094 int ret = 0;
1095
1096 if ((args->flags & ~(VC4_SUBMIT_CL_USE_CLEAR_COLOR |
1097 VC4_SUBMIT_CL_FIXED_RCL_ORDER |
1098 VC4_SUBMIT_CL_RCL_ORDER_INCREASING_X |
1099 VC4_SUBMIT_CL_RCL_ORDER_INCREASING_Y)) != 0) {
1100 DRM_DEBUG("Unknown flags: 0x%02x\n", args->flags);
1101 return -EINVAL;
1102 }
1103
1104 exec = kcalloc(1, sizeof(*exec), GFP_KERNEL);
1105 if (!exec) {
1106 DRM_ERROR("malloc failure on exec struct\n");
1107 return -ENOMEM;
1108 }
1109
1110 mutex_lock(&vc4->power_lock);
1111 if (vc4->power_refcount++ == 0) {
1112 ret = pm_runtime_get_sync(&vc4->v3d->pdev->dev);
1113 if (ret < 0) {
1114 mutex_unlock(&vc4->power_lock);
1115 vc4->power_refcount--;
1116 kfree(exec);
1117 return ret;
1118 }
1119 }
1120 mutex_unlock(&vc4->power_lock);
1121
1122 exec->args = args;
1123 INIT_LIST_HEAD(&exec->unref_list);
1124
1125 ret = vc4_cl_lookup_bos(dev, file_priv, exec);
1126 if (ret)
1127 goto fail;
1128
1129 if (exec->args->bin_cl_size != 0) {
1130 ret = vc4_get_bcl(dev, exec);
1131 if (ret)
1132 goto fail;
1133 } else {
1134 exec->ct0ca = 0;
1135 exec->ct0ea = 0;
1136 }
1137
1138 ret = vc4_get_rcl(dev, exec);
1139 if (ret)
1140 goto fail;
1141
1142 ret = vc4_lock_bo_reservations(dev, exec, &acquire_ctx);
1143 if (ret)
1144 goto fail;
1145
1146 /* Clear this out of the struct we'll be putting in the queue,
1147 * since it's part of our stack.
1148 */
1149 exec->args = NULL;
1150
1151 ret = vc4_queue_submit(dev, exec, &acquire_ctx);
1152 if (ret)
1153 goto fail;
1154
1155 /* Return the seqno for our job. */
1156 args->seqno = vc4->emit_seqno;
1157
1158 return 0;
1159
1160 fail:
1161 vc4_complete_exec(vc4->dev, exec);
1162
1163 return ret;
1164 }
1165
1166 void
1167 vc4_gem_init(struct drm_device *dev)
1168 {
1169 struct vc4_dev *vc4 = to_vc4_dev(dev);
1170
1171 vc4->dma_fence_context = dma_fence_context_alloc(1);
1172
1173 INIT_LIST_HEAD(&vc4->bin_job_list);
1174 INIT_LIST_HEAD(&vc4->render_job_list);
1175 INIT_LIST_HEAD(&vc4->job_done_list);
1176 INIT_LIST_HEAD(&vc4->seqno_cb_list);
1177 spin_lock_init(&vc4->job_lock);
1178
1179 INIT_WORK(&vc4->hangcheck.reset_work, vc4_reset_work);
1180 timer_setup(&vc4->hangcheck.timer, vc4_hangcheck_elapsed, 0);
1181
1182 INIT_WORK(&vc4->job_done_work, vc4_job_done_work);
1183
1184 mutex_init(&vc4->power_lock);
1185
1186 INIT_LIST_HEAD(&vc4->purgeable.list);
1187 mutex_init(&vc4->purgeable.lock);
1188 }
1189
1190 void
1191 vc4_gem_destroy(struct drm_device *dev)
1192 {
1193 struct vc4_dev *vc4 = to_vc4_dev(dev);
1194
1195 /* Waiting for exec to finish would need to be done before
1196 * unregistering V3D.
1197 */
1198 WARN_ON(vc4->emit_seqno != vc4->finished_seqno);
1199
1200 /* V3D should already have disabled its interrupt and cleared
1201 * the overflow allocation registers. Now free the object.
1202 */
1203 if (vc4->bin_bo) {
1204 drm_gem_object_put_unlocked(&vc4->bin_bo->base.base);
1205 vc4->bin_bo = NULL;
1206 }
1207
1208 if (vc4->hang_state)
1209 vc4_free_hang_state(dev, vc4->hang_state);
1210 }
1211
1212 int vc4_gem_madvise_ioctl(struct drm_device *dev, void *data,
1213 struct drm_file *file_priv)
1214 {
1215 struct drm_vc4_gem_madvise *args = data;
1216 struct drm_gem_object *gem_obj;
1217 struct vc4_bo *bo;
1218 int ret;
1219
1220 switch (args->madv) {
1221 case VC4_MADV_DONTNEED:
1222 case VC4_MADV_WILLNEED:
1223 break;
1224 default:
1225 return -EINVAL;
1226 }
1227
1228 if (args->pad != 0)
1229 return -EINVAL;
1230
1231 gem_obj = drm_gem_object_lookup(file_priv, args->handle);
1232 if (!gem_obj) {
1233 DRM_DEBUG("Failed to look up GEM BO %d\n", args->handle);
1234 return -ENOENT;
1235 }
1236
1237 bo = to_vc4_bo(gem_obj);
1238
1239 /* Only BOs exposed to userspace can be purged. */
1240 if (bo->madv == __VC4_MADV_NOTSUPP) {
1241 DRM_DEBUG("madvise not supported on this BO\n");
1242 ret = -EINVAL;
1243 goto out_put_gem;
1244 }
1245
1246 /* Not sure it's safe to purge imported BOs. Let's just assume it's
1247 * not until proven otherwise.
1248 */
1249 if (gem_obj->import_attach) {
1250 DRM_DEBUG("madvise not supported on imported BOs\n");
1251 ret = -EINVAL;
1252 goto out_put_gem;
1253 }
1254
1255 mutex_lock(&bo->madv_lock);
1256
1257 if (args->madv == VC4_MADV_DONTNEED && bo->madv == VC4_MADV_WILLNEED &&
1258 !refcount_read(&bo->usecnt)) {
1259 /* If the BO is about to be marked as purgeable, is not used
1260 * and is not already purgeable or purged, add it to the
1261 * purgeable list.
1262 */
1263 vc4_bo_add_to_purgeable_pool(bo);
1264 } else if (args->madv == VC4_MADV_WILLNEED &&
1265 bo->madv == VC4_MADV_DONTNEED &&
1266 !refcount_read(&bo->usecnt)) {
1267 /* The BO has not been purged yet, just remove it from
1268 * the purgeable list.
1269 */
1270 vc4_bo_remove_from_purgeable_pool(bo);
1271 }
1272
1273 /* Save the purged state. */
1274 args->retained = bo->madv != __VC4_MADV_PURGED;
1275
1276 /* Update internal madv state only if the bo was not purged. */
1277 if (bo->madv != __VC4_MADV_PURGED)
1278 bo->madv = args->madv;
1279
1280 mutex_unlock(&bo->madv_lock);
1281
1282 ret = 0;
1283
1284 out_put_gem:
1285 drm_gem_object_put_unlocked(gem_obj);
1286
1287 return ret;
1288 }
Linux with added FPC-III support