LXR linux/drivers/gpu/drm/vc4/vc4

   1/*
   2 * Copyright © 2014 Broadcom
   3 *
   4 * Permission is hereby granted, free of charge, to any person obtaining a
   5 * copy of this software and associated documentation files (the "Software"),
   6 * to deal in the Software without restriction, including without limitation
   7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
   8 * and/or sell copies of the Software, and to permit persons to whom the
   9 * Software is furnished to do so, subject to the following conditions:
  10 *
  11 * The above copyright notice and this permission notice (including the next
  12 * paragraph) shall be included in all copies or substantial portions of the
  13 * Software.
  14 *
  15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
  18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
  20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
  21 * IN THE SOFTWARE.
  22 */
  23
  24/**
  25 * DOC: Command list validator for VC4.
  26 *
  27 * Since the VC4 has no IOMMU between it and system memory, a user
  28 * with access to execute command lists could escalate privilege by
  29 * overwriting system memory (drawing to it as a framebuffer) or
  30 * reading system memory it shouldn't (reading it as a vertex buffer
  31 * or index buffer)
  32 *
  33 * We validate binner command lists to ensure that all accesses are
  34 * within the bounds of the GEM objects referenced by the submitted
  35 * job.  It explicitly whitelists packets, and looks at the offsets in
  36 * any address fields to make sure they're contained within the BOs
  37 * they reference.
  38 *
  39 * Note that because CL validation is already reading the
  40 * user-submitted CL and writing the validated copy out to the memory
  41 * that the GPU will actually read, this is also where GEM relocation
  42 * processing (turning BO references into actual addresses for the GPU
  43 * to use) happens.
  44 */
  45
  46#include "uapi/drm/vc4_drm.h"
  47#include "vc4_drv.h"
  48#include "vc4_packet.h"
  49
  50#define VALIDATE_ARGS \
  51        struct vc4_exec_info *exec,                     \
  52        void *validated,                                \
  53        void *untrusted
  54
  55/** Return the width in pixels of a 64-byte microtile. */
  56static uint32_t
  57utile_width(int cpp)
  58{
  59        switch (cpp) {
  60        case 1:
  61        case 2:
  62                return 8;
  63        case 4:
  64                return 4;
  65        case 8:
  66                return 2;
  67        default:
  68                DRM_ERROR("unknown cpp: %d\n", cpp);
  69                return 1;
  70        }
  71}
  72
  73/** Return the height in pixels of a 64-byte microtile. */
  74static uint32_t
  75utile_height(int cpp)
  76{
  77        switch (cpp) {
  78        case 1:
  79                return 8;
  80        case 2:
  81        case 4:
  82        case 8:
  83                return 4;
  84        default:
  85                DRM_ERROR("unknown cpp: %d\n", cpp);
  86                return 1;
  87        }
  88}
  89
  90/**
  91 * size_is_lt() - Returns whether a miplevel of the given size will
  92 * use the lineartile (LT) tiling layout rather than the normal T
  93 * tiling layout.
  94 * @width: Width in pixels of the miplevel
  95 * @height: Height in pixels of the miplevel
  96 * @cpp: Bytes per pixel of the pixel format
  97 */
  98static bool
  99size_is_lt(uint32_t width, uint32_t height, int cpp)
 100{
 101        return (width <= 4 * utile_width(cpp) ||
 102                height <= 4 * utile_height(cpp));
 103}
 104
 105struct drm_gem_cma_object *
 106vc4_use_bo(struct vc4_exec_info *exec, uint32_t hindex)
 107{
 108        struct drm_gem_cma_object *obj;
 109        struct vc4_bo *bo;
 110
 111        if (hindex >= exec->bo_count) {
 112                DRM_ERROR("BO index %d greater than BO count %d\n",
 113                          hindex, exec->bo_count);
 114                return NULL;
 115        }
 116        obj = exec->bo[hindex];
 117        bo = to_vc4_bo(&obj->base);
 118
 119        if (bo->validated_shader) {
 120                DRM_ERROR("Trying to use shader BO as something other than "
 121                          "a shader\n");
 122                return NULL;
 123        }
 124
 125        return obj;
 126}
 127
 128static struct drm_gem_cma_object *
 129vc4_use_handle(struct vc4_exec_info *exec, uint32_t gem_handles_packet_index)
 130{
 131        return vc4_use_bo(exec, exec->bo_index[gem_handles_packet_index]);
 132}
 133
 134static bool
 135validate_bin_pos(struct vc4_exec_info *exec, void *untrusted, uint32_t pos)
 136{
 137        /* Note that the untrusted pointer passed to these functions is
 138         * incremented past the packet byte.
 139         */
 140        return (untrusted - 1 == exec->bin_u + pos);
 141}
 142
 143static uint32_t
 144gl_shader_rec_size(uint32_t pointer_bits)
 145{
 146        uint32_t attribute_count = pointer_bits & 7;
 147        bool extended = pointer_bits & 8;
 148
 149        if (attribute_count == 0)
 150                attribute_count = 8;
 151
 152        if (extended)
 153                return 100 + attribute_count * 4;
 154        else
 155                return 36 + attribute_count * 8;
 156}
 157
 158bool
 159vc4_check_tex_size(struct vc4_exec_info *exec, struct drm_gem_cma_object *fbo,
 160                   uint32_t offset, uint8_t tiling_format,
 161                   uint32_t width, uint32_t height, uint8_t cpp)
 162{
 163        uint32_t aligned_width, aligned_height, stride, size;
 164        uint32_t utile_w = utile_width(cpp);
 165        uint32_t utile_h = utile_height(cpp);
 166
 167        /* The shaded vertex format stores signed 12.4 fixed point
 168         * (-2048,2047) offsets from the viewport center, so we should
 169         * never have a render target larger than 4096.  The texture
 170         * unit can only sample from 2048x2048, so it's even more
 171         * restricted.  This lets us avoid worrying about overflow in
 172         * our math.
 173         */
 174        if (width > 4096 || height > 4096) {
 175                DRM_ERROR("Surface dimesions (%d,%d) too large", width, height);
 176                return false;
 177        }
 178
 179        switch (tiling_format) {
 180        case VC4_TILING_FORMAT_LINEAR:
 181                aligned_width = round_up(width, utile_w);
 182                aligned_height = height;
 183                break;
 184        case VC4_TILING_FORMAT_T:
 185                aligned_width = round_up(width, utile_w * 8);
 186                aligned_height = round_up(height, utile_h * 8);
 187                break;
 188        case VC4_TILING_FORMAT_LT:
 189                aligned_width = round_up(width, utile_w);
 190                aligned_height = round_up(height, utile_h);
 191                break;
 192        default:
 193                DRM_ERROR("buffer tiling %d unsupported\n", tiling_format);
 194                return false;
 195        }
 196
 197        stride = aligned_width * cpp;
 198        size = stride * aligned_height;
 199
 200        if (size + offset < size ||
 201            size + offset > fbo->base.size) {
 202                DRM_ERROR("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %zd)\n",
 203                          width, height,
 204                          aligned_width, aligned_height,
 205                          size, offset, fbo->base.size);
 206                return false;
 207        }
 208
 209        return true;
 210}
 211
 212static int
 213validate_flush(VALIDATE_ARGS)
 214{
 215        if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 1)) {
 216                DRM_ERROR("Bin CL must end with VC4_PACKET_FLUSH\n");
 217                return -EINVAL;
 218        }
 219        exec->found_flush = true;
 220
 221        return 0;
 222}
 223
 224static int
 225validate_start_tile_binning(VALIDATE_ARGS)
 226{
 227        if (exec->found_start_tile_binning_packet) {
 228                DRM_ERROR("Duplicate VC4_PACKET_START_TILE_BINNING\n");
 229                return -EINVAL;
 230        }
 231        exec->found_start_tile_binning_packet = true;
 232
 233        if (!exec->found_tile_binning_mode_config_packet) {
 234                DRM_ERROR("missing VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
 235                return -EINVAL;
 236        }
 237
 238        return 0;
 239}
 240
 241static int
 242validate_increment_semaphore(VALIDATE_ARGS)
 243{
 244        if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 2)) {
 245                DRM_ERROR("Bin CL must end with "
 246                          "VC4_PACKET_INCREMENT_SEMAPHORE\n");
 247                return -EINVAL;
 248        }
 249        exec->found_increment_semaphore_packet = true;
 250
 251        return 0;
 252}
 253
 254static int
 255validate_indexed_prim_list(VALIDATE_ARGS)
 256{
 257        struct drm_gem_cma_object *ib;
 258        uint32_t length = *(uint32_t *)(untrusted + 1);
 259        uint32_t offset = *(uint32_t *)(untrusted + 5);
 260        uint32_t max_index = *(uint32_t *)(untrusted + 9);
 261        uint32_t index_size = (*(uint8_t *)(untrusted + 0) >> 4) ? 2 : 1;
 262        struct vc4_shader_state *shader_state;
 263
 264        /* Check overflow condition */
 265        if (exec->shader_state_count == 0) {
 266                DRM_ERROR("shader state must precede primitives\n");
 267                return -EINVAL;
 268        }
 269        shader_state = &exec->shader_state[exec->shader_state_count - 1];
 270
 271        if (max_index > shader_state->max_index)
 272                shader_state->max_index = max_index;
 273
 274        ib = vc4_use_handle(exec, 0);
 275        if (!ib)
 276                return -EINVAL;
 277
 278        exec->bin_dep_seqno = max(exec->bin_dep_seqno,
 279                                  to_vc4_bo(&ib->base)->write_seqno);
 280
 281        if (offset > ib->base.size ||
 282            (ib->base.size - offset) / index_size < length) {
 283                DRM_ERROR("IB access overflow (%d + %d*%d > %zd)\n",
 284                          offset, length, index_size, ib->base.size);
 285                return -EINVAL;
 286        }
 287
 288        *(uint32_t *)(validated + 5) = ib->paddr + offset;
 289
 290        return 0;
 291}
 292
 293static int
 294validate_gl_array_primitive(VALIDATE_ARGS)
 295{
 296        uint32_t length = *(uint32_t *)(untrusted + 1);
 297        uint32_t base_index = *(uint32_t *)(untrusted + 5);
 298        uint32_t max_index;
 299        struct vc4_shader_state *shader_state;
 300
 301        /* Check overflow condition */
 302        if (exec->shader_state_count == 0) {
 303                DRM_ERROR("shader state must precede primitives\n");
 304                return -EINVAL;
 305        }
 306        shader_state = &exec->shader_state[exec->shader_state_count - 1];
 307
 308        if (length + base_index < length) {
 309                DRM_ERROR("primitive vertex count overflow\n");
 310                return -EINVAL;
 311        }
 312        max_index = length + base_index - 1;
 313
 314        if (max_index > shader_state->max_index)
 315                shader_state->max_index = max_index;
 316
 317        return 0;
 318}
 319
 320static int
 321validate_gl_shader_state(VALIDATE_ARGS)
 322{
 323        uint32_t i = exec->shader_state_count++;
 324
 325        if (i >= exec->shader_state_size) {
 326                DRM_ERROR("More requests for shader states than declared\n");
 327                return -EINVAL;
 328        }
 329
 330        exec->shader_state[i].addr = *(uint32_t *)untrusted;
 331        exec->shader_state[i].max_index = 0;
 332
 333        if (exec->shader_state[i].addr & ~0xf) {
 334                DRM_ERROR("high bits set in GL shader rec reference\n");
 335                return -EINVAL;
 336        }
 337
 338        *(uint32_t *)validated = (exec->shader_rec_p +
 339                                  exec->shader_state[i].addr);
 340
 341        exec->shader_rec_p +=
 342                roundup(gl_shader_rec_size(exec->shader_state[i].addr), 16);
 343
 344        return 0;
 345}
 346
 347static int
 348validate_tile_binning_config(VALIDATE_ARGS)
 349{
 350        struct drm_device *dev = exec->exec_bo->base.dev;
 351        struct vc4_bo *tile_bo;
 352        uint8_t flags;
 353        uint32_t tile_state_size, tile_alloc_size;
 354        uint32_t tile_count;
 355
 356        if (exec->found_tile_binning_mode_config_packet) {
 357                DRM_ERROR("Duplicate VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
 358                return -EINVAL;
 359        }
 360        exec->found_tile_binning_mode_config_packet = true;
 361
 362        exec->bin_tiles_x = *(uint8_t *)(untrusted + 12);
 363        exec->bin_tiles_y = *(uint8_t *)(untrusted + 13);
 364        tile_count = exec->bin_tiles_x * exec->bin_tiles_y;
 365        flags = *(uint8_t *)(untrusted + 14);
 366
 367        if (exec->bin_tiles_x == 0 ||
 368            exec->bin_tiles_y == 0) {
 369                DRM_ERROR("Tile binning config of %dx%d too small\n",
 370                          exec->bin_tiles_x, exec->bin_tiles_y);
 371                return -EINVAL;
 372        }
 373
 374        if (flags & (VC4_BIN_CONFIG_DB_NON_MS |
 375                     VC4_BIN_CONFIG_TILE_BUFFER_64BIT)) {
 376                DRM_ERROR("unsupported binning config flags 0x%02x\n", flags);
 377                return -EINVAL;
 378        }
 379
 380        /* The tile state data array is 48 bytes per tile, and we put it at
 381         * the start of a BO containing both it and the tile alloc.
 382         */
 383        tile_state_size = 48 * tile_count;
 384
 385        /* Since the tile alloc array will follow us, align. */
 386        exec->tile_alloc_offset = roundup(tile_state_size, 4096);
 387
 388        *(uint8_t *)(validated + 14) =
 389                ((flags & ~(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_MASK |
 390                            VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_MASK)) |
 391                 VC4_BIN_CONFIG_AUTO_INIT_TSDA |
 392                 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_32,
 393                               VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE) |
 394                 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_128,
 395                               VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE));
 396
 397        /* Initial block size. */
 398        tile_alloc_size = 32 * tile_count;
 399
 400        /*
 401         * The initial allocation gets rounded to the next 256 bytes before
 402         * the hardware starts fulfilling further allocations.
 403         */
 404        tile_alloc_size = roundup(tile_alloc_size, 256);
 405
 406        /* Add space for the extra allocations.  This is what gets used first,
 407         * before overflow memory.  It must have at least 4096 bytes, but we
 408         * want to avoid overflow memory usage if possible.
 409         */
 410        tile_alloc_size += 1024 * 1024;
 411
 412        tile_bo = vc4_bo_create(dev, exec->tile_alloc_offset + tile_alloc_size,
 413                                true);
 414        exec->tile_bo = &tile_bo->base;
 415        if (IS_ERR(exec->tile_bo))
 416                return PTR_ERR(exec->tile_bo);
 417        list_add_tail(&tile_bo->unref_head, &exec->unref_list);
 418
 419        /* tile alloc address. */
 420        *(uint32_t *)(validated + 0) = (exec->tile_bo->paddr +
 421                                        exec->tile_alloc_offset);
 422        /* tile alloc size. */
 423        *(uint32_t *)(validated + 4) = tile_alloc_size;
 424        /* tile state address. */
 425        *(uint32_t *)(validated + 8) = exec->tile_bo->paddr;
 426
 427        return 0;
 428}
 429
 430static int
 431validate_gem_handles(VALIDATE_ARGS)
 432{
 433        memcpy(exec->bo_index, untrusted, sizeof(exec->bo_index));
 434        return 0;
 435}
 436
 437#define VC4_DEFINE_PACKET(packet, func) \
 438        [packet] = { packet ## _SIZE, #packet, func }
 439
 440static const struct cmd_info {
 441        uint16_t len;
 442        const char *name;
 443        int (*func)(struct vc4_exec_info *exec, void *validated,
 444                    void *untrusted);
 445} cmd_info[] = {
 446        VC4_DEFINE_PACKET(VC4_PACKET_HALT, NULL),
 447        VC4_DEFINE_PACKET(VC4_PACKET_NOP, NULL),
 448        VC4_DEFINE_PACKET(VC4_PACKET_FLUSH, validate_flush),
 449        VC4_DEFINE_PACKET(VC4_PACKET_FLUSH_ALL, NULL),
 450        VC4_DEFINE_PACKET(VC4_PACKET_START_TILE_BINNING,
 451                          validate_start_tile_binning),
 452        VC4_DEFINE_PACKET(VC4_PACKET_INCREMENT_SEMAPHORE,
 453                          validate_increment_semaphore),
 454
 455        VC4_DEFINE_PACKET(VC4_PACKET_GL_INDEXED_PRIMITIVE,
 456                          validate_indexed_prim_list),
 457        VC4_DEFINE_PACKET(VC4_PACKET_GL_ARRAY_PRIMITIVE,
 458                          validate_gl_array_primitive),
 459
 460        VC4_DEFINE_PACKET(VC4_PACKET_PRIMITIVE_LIST_FORMAT, NULL),
 461
 462        VC4_DEFINE_PACKET(VC4_PACKET_GL_SHADER_STATE, validate_gl_shader_state),
 463
 464        VC4_DEFINE_PACKET(VC4_PACKET_CONFIGURATION_BITS, NULL),
 465        VC4_DEFINE_PACKET(VC4_PACKET_FLAT_SHADE_FLAGS, NULL),
 466        VC4_DEFINE_PACKET(VC4_PACKET_POINT_SIZE, NULL),
 467        VC4_DEFINE_PACKET(VC4_PACKET_LINE_WIDTH, NULL),
 468        VC4_DEFINE_PACKET(VC4_PACKET_RHT_X_BOUNDARY, NULL),
 469        VC4_DEFINE_PACKET(VC4_PACKET_DEPTH_OFFSET, NULL),
 470        VC4_DEFINE_PACKET(VC4_PACKET_CLIP_WINDOW, NULL),
 471        VC4_DEFINE_PACKET(VC4_PACKET_VIEWPORT_OFFSET, NULL),
 472        VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_XY_SCALING, NULL),
 473        /* Note: The docs say this was also 105, but it was 106 in the
 474         * initial userland code drop.
 475         */
 476        VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_Z_SCALING, NULL),
 477
 478        VC4_DEFINE_PACKET(VC4_PACKET_TILE_BINNING_MODE_CONFIG,
 479                          validate_tile_binning_config),
 480
 481        VC4_DEFINE_PACKET(VC4_PACKET_GEM_HANDLES, validate_gem_handles),
 482};
 483
 484int
 485vc4_validate_bin_cl(struct drm_device *dev,
 486                    void *validated,
 487                    void *unvalidated,
 488                    struct vc4_exec_info *exec)
 489{
 490        uint32_t len = exec->args->bin_cl_size;
 491        uint32_t dst_offset = 0;
 492        uint32_t src_offset = 0;
 493
 494        while (src_offset < len) {
 495                void *dst_pkt = validated + dst_offset;
 496                void *src_pkt = unvalidated + src_offset;
 497                u8 cmd = *(uint8_t *)src_pkt;
 498                const struct cmd_info *info;
 499
 500                if (cmd >= ARRAY_SIZE(cmd_info)) {
 501                        DRM_ERROR("0x%08x: packet %d out of bounds\n",
 502                                  src_offset, cmd);
 503                        return -EINVAL;
 504                }
 505
 506                info = &cmd_info[cmd];
 507                if (!info->name) {
 508                        DRM_ERROR("0x%08x: packet %d invalid\n",
 509                                  src_offset, cmd);
 510                        return -EINVAL;
 511                }
 512
 513                if (src_offset + info->len > len) {
 514                        DRM_ERROR("0x%08x: packet %d (%s) length 0x%08x "
 515                                  "exceeds bounds (0x%08x)\n",
 516                                  src_offset, cmd, info->name, info->len,
 517                                  src_offset + len);
 518                        return -EINVAL;
 519                }
 520
 521                if (cmd != VC4_PACKET_GEM_HANDLES)
 522                        memcpy(dst_pkt, src_pkt, info->len);
 523
 524                if (info->func && info->func(exec,
 525                                             dst_pkt + 1,
 526                                             src_pkt + 1)) {
 527                        DRM_ERROR("0x%08x: packet %d (%s) failed to validate\n",
 528                                  src_offset, cmd, info->name);
 529                        return -EINVAL;
 530                }
 531
 532                src_offset += info->len;
 533                /* GEM handle loading doesn't produce HW packets. */
 534                if (cmd != VC4_PACKET_GEM_HANDLES)
 535                        dst_offset += info->len;
 536
 537                /* When the CL hits halt, it'll stop reading anything else. */
 538                if (cmd == VC4_PACKET_HALT)
 539                        break;
 540        }
 541
 542        exec->ct0ea = exec->ct0ca + dst_offset;
 543
 544        if (!exec->found_start_tile_binning_packet) {
 545                DRM_ERROR("Bin CL missing VC4_PACKET_START_TILE_BINNING\n");
 546                return -EINVAL;
 547        }
 548
 549        /* The bin CL must be ended with INCREMENT_SEMAPHORE and FLUSH.  The
 550         * semaphore is used to trigger the render CL to start up, and the
 551         * FLUSH is what caps the bin lists with
 552         * VC4_PACKET_RETURN_FROM_SUB_LIST (so they jump back to the main
 553         * render CL when they get called to) and actually triggers the queued
 554         * semaphore increment.
 555         */
 556        if (!exec->found_increment_semaphore_packet || !exec->found_flush) {
 557                DRM_ERROR("Bin CL missing VC4_PACKET_INCREMENT_SEMAPHORE + "
 558                          "VC4_PACKET_FLUSH\n");
 559                return -EINVAL;
 560        }
 561
 562        return 0;
 563}
 564
 565static bool
 566reloc_tex(struct vc4_exec_info *exec,
 567          void *uniform_data_u,
 568          struct vc4_texture_sample_info *sample,
 569          uint32_t texture_handle_index, bool is_cs)
 570{
 571        struct drm_gem_cma_object *tex;
 572        uint32_t p0 = *(uint32_t *)(uniform_data_u + sample->p_offset[0]);
 573        uint32_t p1 = *(uint32_t *)(uniform_data_u + sample->p_offset[1]);
 574        uint32_t p2 = (sample->p_offset[2] != ~0 ?
 575                       *(uint32_t *)(uniform_data_u + sample->p_offset[2]) : 0);
 576        uint32_t p3 = (sample->p_offset[3] != ~0 ?
 577                       *(uint32_t *)(uniform_data_u + sample->p_offset[3]) : 0);
 578        uint32_t *validated_p0 = exec->uniforms_v + sample->p_offset[0];
 579        uint32_t offset = p0 & VC4_TEX_P0_OFFSET_MASK;
 580        uint32_t miplevels = VC4_GET_FIELD(p0, VC4_TEX_P0_MIPLVLS);
 581        uint32_t width = VC4_GET_FIELD(p1, VC4_TEX_P1_WIDTH);
 582        uint32_t height = VC4_GET_FIELD(p1, VC4_TEX_P1_HEIGHT);
 583        uint32_t cpp, tiling_format, utile_w, utile_h;
 584        uint32_t i;
 585        uint32_t cube_map_stride = 0;
 586        enum vc4_texture_data_type type;
 587
 588        tex = vc4_use_bo(exec, texture_handle_index);
 589        if (!tex)
 590                return false;
 591
 592        if (sample->is_direct) {
 593                uint32_t remaining_size = tex->base.size - p0;
 594
 595                if (p0 > tex->base.size - 4) {
 596                        DRM_ERROR("UBO offset greater than UBO size\n");
 597                        goto fail;
 598                }
 599                if (p1 > remaining_size - 4) {
 600                        DRM_ERROR("UBO clamp would allow reads "
 601                                  "outside of UBO\n");
 602                        goto fail;
 603                }
 604                *validated_p0 = tex->paddr + p0;
 605                return true;
 606        }
 607
 608        if (width == 0)
 609                width = 2048;
 610        if (height == 0)
 611                height = 2048;
 612
 613        if (p0 & VC4_TEX_P0_CMMODE_MASK) {
 614                if (VC4_GET_FIELD(p2, VC4_TEX_P2_PTYPE) ==
 615                    VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE)
 616                        cube_map_stride = p2 & VC4_TEX_P2_CMST_MASK;
 617                if (VC4_GET_FIELD(p3, VC4_TEX_P2_PTYPE) ==
 618                    VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE) {
 619                        if (cube_map_stride) {
 620                                DRM_ERROR("Cube map stride set twice\n");
 621                                goto fail;
 622                        }
 623
 624                        cube_map_stride = p3 & VC4_TEX_P2_CMST_MASK;
 625                }
 626                if (!cube_map_stride) {
 627                        DRM_ERROR("Cube map stride not set\n");
 628                        goto fail;
 629                }
 630        }
 631
 632        type = (VC4_GET_FIELD(p0, VC4_TEX_P0_TYPE) |
 633                (VC4_GET_FIELD(p1, VC4_TEX_P1_TYPE4) << 4));
 634
 635        switch (type) {
 636        case VC4_TEXTURE_TYPE_RGBA8888:
 637        case VC4_TEXTURE_TYPE_RGBX8888:
 638        case VC4_TEXTURE_TYPE_RGBA32R:
 639                cpp = 4;
 640                break;
 641        case VC4_TEXTURE_TYPE_RGBA4444:
 642        case VC4_TEXTURE_TYPE_RGBA5551:
 643        case VC4_TEXTURE_TYPE_RGB565:
 644        case VC4_TEXTURE_TYPE_LUMALPHA:
 645        case VC4_TEXTURE_TYPE_S16F:
 646        case VC4_TEXTURE_TYPE_S16:
 647                cpp = 2;
 648                break;
 649        case VC4_TEXTURE_TYPE_LUMINANCE:
 650        case VC4_TEXTURE_TYPE_ALPHA:
 651        case VC4_TEXTURE_TYPE_S8:
 652                cpp = 1;
 653                break;
 654        case VC4_TEXTURE_TYPE_ETC1:
 655                /* ETC1 is arranged as 64-bit blocks, where each block is 4x4
 656                 * pixels.
 657                 */
 658                cpp = 8;
 659                width = (width + 3) >> 2;
 660                height = (height + 3) >> 2;
 661                break;
 662        case VC4_TEXTURE_TYPE_BW1:
 663        case VC4_TEXTURE_TYPE_A4:
 664        case VC4_TEXTURE_TYPE_A1:
 665        case VC4_TEXTURE_TYPE_RGBA64:
 666        case VC4_TEXTURE_TYPE_YUV422R:
 667        default:
 668                DRM_ERROR("Texture format %d unsupported\n", type);
 669                goto fail;
 670        }
 671        utile_w = utile_width(cpp);
 672        utile_h = utile_height(cpp);
 673
 674        if (type == VC4_TEXTURE_TYPE_RGBA32R) {
 675                tiling_format = VC4_TILING_FORMAT_LINEAR;
 676        } else {
 677                if (size_is_lt(width, height, cpp))
 678                        tiling_format = VC4_TILING_FORMAT_LT;
 679                else
 680                        tiling_format = VC4_TILING_FORMAT_T;
 681        }
 682
 683        if (!vc4_check_tex_size(exec, tex, offset + cube_map_stride * 5,
 684                                tiling_format, width, height, cpp)) {
 685                goto fail;
 686        }
 687
 688        /* The mipmap levels are stored before the base of the texture.  Make
 689         * sure there is actually space in the BO.
 690         */
 691        for (i = 1; i <= miplevels; i++) {
 692                uint32_t level_width = max(width >> i, 1u);
 693                uint32_t level_height = max(height >> i, 1u);
 694                uint32_t aligned_width, aligned_height;
 695                uint32_t level_size;
 696
 697                /* Once the levels get small enough, they drop from T to LT. */
 698                if (tiling_format == VC4_TILING_FORMAT_T &&
 699                    size_is_lt(level_width, level_height, cpp)) {
 700                        tiling_format = VC4_TILING_FORMAT_LT;
 701                }
 702
 703                switch (tiling_format) {
 704                case VC4_TILING_FORMAT_T:
 705                        aligned_width = round_up(level_width, utile_w * 8);
 706                        aligned_height = round_up(level_height, utile_h * 8);
 707                        break;
 708                case VC4_TILING_FORMAT_LT:
 709                        aligned_width = round_up(level_width, utile_w);
 710                        aligned_height = round_up(level_height, utile_h);
 711                        break;
 712                default:
 713                        aligned_width = round_up(level_width, utile_w);
 714                        aligned_height = level_height;
 715                        break;
 716                }
 717
 718                level_size = aligned_width * cpp * aligned_height;
 719
 720                if (offset < level_size) {
 721                        DRM_ERROR("Level %d (%dx%d -> %dx%d) size %db "
 722                                  "overflowed buffer bounds (offset %d)\n",
 723                                  i, level_width, level_height,
 724                                  aligned_width, aligned_height,
 725                                  level_size, offset);
 726                        goto fail;
 727                }
 728
 729                offset -= level_size;
 730        }
 731
 732        *validated_p0 = tex->paddr + p0;
 733
 734        if (is_cs) {
 735                exec->bin_dep_seqno = max(exec->bin_dep_seqno,
 736                                          to_vc4_bo(&tex->base)->write_seqno);
 737        }
 738
 739        return true;
 740 fail:
 741        DRM_INFO("Texture p0 at %d: 0x%08x\n", sample->p_offset[0], p0);
 742        DRM_INFO("Texture p1 at %d: 0x%08x\n", sample->p_offset[1], p1);
 743        DRM_INFO("Texture p2 at %d: 0x%08x\n", sample->p_offset[2], p2);
 744        DRM_INFO("Texture p3 at %d: 0x%08x\n", sample->p_offset[3], p3);
 745        return false;
 746}
 747
 748static int
 749validate_gl_shader_rec(struct drm_device *dev,
 750                       struct vc4_exec_info *exec,
 751                       struct vc4_shader_state *state)
 752{
 753        uint32_t *src_handles;
 754        void *pkt_u, *pkt_v;
 755        static const uint32_t shader_reloc_offsets[] = {
 756                4, /* fs */
 757                16, /* vs */
 758                28, /* cs */
 759        };
 760        uint32_t shader_reloc_count = ARRAY_SIZE(shader_reloc_offsets);
 761        struct drm_gem_cma_object *bo[shader_reloc_count + 8];
 762        uint32_t nr_attributes, nr_relocs, packet_size;
 763        int i;
 764
 765        nr_attributes = state->addr & 0x7;
 766        if (nr_attributes == 0)
 767                nr_attributes = 8;
 768        packet_size = gl_shader_rec_size(state->addr);
 769
 770        nr_relocs = ARRAY_SIZE(shader_reloc_offsets) + nr_attributes;
 771        if (nr_relocs * 4 > exec->shader_rec_size) {
 772                DRM_ERROR("overflowed shader recs reading %d handles "
 773                          "from %d bytes left\n",
 774                          nr_relocs, exec->shader_rec_size);
 775                return -EINVAL;
 776        }
 777        src_handles = exec->shader_rec_u;
 778        exec->shader_rec_u += nr_relocs * 4;
 779        exec->shader_rec_size -= nr_relocs * 4;
 780
 781        if (packet_size > exec->shader_rec_size) {
 782                DRM_ERROR("overflowed shader recs copying %db packet "
 783                          "from %d bytes left\n",
 784                          packet_size, exec->shader_rec_size);
 785                return -EINVAL;
 786        }
 787        pkt_u = exec->shader_rec_u;
 788        pkt_v = exec->shader_rec_v;
 789        memcpy(pkt_v, pkt_u, packet_size);
 790        exec->shader_rec_u += packet_size;
 791        /* Shader recs have to be aligned to 16 bytes (due to the attribute
 792         * flags being in the low bytes), so round the next validated shader
 793         * rec address up.  This should be safe, since we've got so many
 794         * relocations in a shader rec packet.
 795         */
 796        BUG_ON(roundup(packet_size, 16) - packet_size > nr_relocs * 4);
 797        exec->shader_rec_v += roundup(packet_size, 16);
 798        exec->shader_rec_size -= packet_size;
 799
 800        for (i = 0; i < shader_reloc_count; i++) {
 801                if (src_handles[i] > exec->bo_count) {
 802                        DRM_ERROR("Shader handle %d too big\n", src_handles[i]);
 803                        return -EINVAL;
 804                }
 805
 806                bo[i] = exec->bo[src_handles[i]];
 807                if (!bo[i])
 808                        return -EINVAL;
 809        }
 810        for (i = shader_reloc_count; i < nr_relocs; i++) {
 811                bo[i] = vc4_use_bo(exec, src_handles[i]);
 812                if (!bo[i])
 813                        return -EINVAL;
 814        }
 815
 816        if (((*(uint16_t *)pkt_u & VC4_SHADER_FLAG_FS_SINGLE_THREAD) == 0) !=
 817            to_vc4_bo(&bo[0]->base)->validated_shader->is_threaded) {
 818                DRM_ERROR("Thread mode of CL and FS do not match\n");
 819                return -EINVAL;
 820        }
 821
 822        if (to_vc4_bo(&bo[1]->base)->validated_shader->is_threaded ||
 823            to_vc4_bo(&bo[2]->base)->validated_shader->is_threaded) {
 824                DRM_ERROR("cs and vs cannot be threaded\n");
 825                return -EINVAL;
 826        }
 827
 828        for (i = 0; i < shader_reloc_count; i++) {
 829                struct vc4_validated_shader_info *validated_shader;
 830                uint32_t o = shader_reloc_offsets[i];
 831                uint32_t src_offset = *(uint32_t *)(pkt_u + o);
 832                uint32_t *texture_handles_u;
 833                void *uniform_data_u;
 834                uint32_t tex, uni;
 835
 836                *(uint32_t *)(pkt_v + o) = bo[i]->paddr + src_offset;
 837
 838                if (src_offset != 0) {
 839                        DRM_ERROR("Shaders must be at offset 0 of "
 840                                  "the BO.\n");
 841                        return -EINVAL;
 842                }
 843
 844                validated_shader = to_vc4_bo(&bo[i]->base)->validated_shader;
 845                if (!validated_shader)
 846                        return -EINVAL;
 847
 848                if (validated_shader->uniforms_src_size >
 849                    exec->uniforms_size) {
 850                        DRM_ERROR("Uniforms src buffer overflow\n");
 851                        return -EINVAL;
 852                }
 853
 854                texture_handles_u = exec->uniforms_u;
 855                uniform_data_u = (texture_handles_u +
 856                                  validated_shader->num_texture_samples);
 857
 858                memcpy(exec->uniforms_v, uniform_data_u,
 859                       validated_shader->uniforms_size);
 860
 861                for (tex = 0;
 862                     tex < validated_shader->num_texture_samples;
 863                     tex++) {
 864                        if (!reloc_tex(exec,
 865                                       uniform_data_u,
 866                                       &validated_shader->texture_samples[tex],
 867                                       texture_handles_u[tex],
 868                                       i == 2)) {
 869                                return -EINVAL;
 870                        }
 871                }
 872
 873                /* Fill in the uniform slots that need this shader's
 874                 * start-of-uniforms address (used for resetting the uniform
 875                 * stream in the presence of control flow).
 876                 */
 877                for (uni = 0;
 878                     uni < validated_shader->num_uniform_addr_offsets;
 879                     uni++) {
 880                        uint32_t o = validated_shader->uniform_addr_offsets[uni];
 881                        ((uint32_t *)exec->uniforms_v)[o] = exec->uniforms_p;
 882                }
 883
 884                *(uint32_t *)(pkt_v + o + 4) = exec->uniforms_p;
 885
 886                exec->uniforms_u += validated_shader->uniforms_src_size;
 887                exec->uniforms_v += validated_shader->uniforms_size;
 888                exec->uniforms_p += validated_shader->uniforms_size;
 889        }
 890
 891        for (i = 0; i < nr_attributes; i++) {
 892                struct drm_gem_cma_object *vbo =
 893                        bo[ARRAY_SIZE(shader_reloc_offsets) + i];
 894                uint32_t o = 36 + i * 8;
 895                uint32_t offset = *(uint32_t *)(pkt_u + o + 0);
 896                uint32_t attr_size = *(uint8_t *)(pkt_u + o + 4) + 1;
 897                uint32_t stride = *(uint8_t *)(pkt_u + o + 5);
 898                uint32_t max_index;
 899
 900                exec->bin_dep_seqno = max(exec->bin_dep_seqno,
 901                                          to_vc4_bo(&vbo->base)->write_seqno);
 902
 903                if (state->addr & 0x8)
 904                        stride |= (*(uint32_t *)(pkt_u + 100 + i * 4)) & ~0xff;
 905
 906                if (vbo->base.size < offset ||
 907                    vbo->base.size - offset < attr_size) {
 908                        DRM_ERROR("BO offset overflow (%d + %d > %zu)\n",
 909                                  offset, attr_size, vbo->base.size);
 910                        return -EINVAL;
 911                }
 912
 913                if (stride != 0) {
 914                        max_index = ((vbo->base.size - offset - attr_size) /
 915                                     stride);
 916                        if (state->max_index > max_index) {
 917                                DRM_ERROR("primitives use index %d out of "
 918                                          "supplied %d\n",
 919                                          state->max_index, max_index);
 920                                return -EINVAL;
 921                        }
 922                }
 923
 924                *(uint32_t *)(pkt_v + o) = vbo->paddr + offset;
 925        }
 926
 927        return 0;
 928}
 929
 930int
 931vc4_validate_shader_recs(struct drm_device *dev,
 932                         struct vc4_exec_info *exec)
 933{
 934        uint32_t i;
 935        int ret = 0;
 936
 937        for (i = 0; i < exec->shader_state_count; i++) {
 938                ret = validate_gl_shader_rec(dev, exec, &exec->shader_state[i]);
 939                if (ret)
 940                        return ret;
 941        }
 942
 943        return ret;
 944}
 945