LXR linux/drivers/gpu/drm/i915/i915_gem

   1/*
   2 * Copyright © 2008,2010 Intel Corporation
   3 *
   4 * Permission is hereby granted, free of charge, to any person obtaining a
   5 * copy of this software and associated documentation files (the "Software"),
   6 * to deal in the Software without restriction, including without limitation
   7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
   8 * and/or sell copies of the Software, and to permit persons to whom the
   9 * Software is furnished to do so, subject to the following conditions:
  10 *
  11 * The above copyright notice and this permission notice (including the next
  12 * paragraph) shall be included in all copies or substantial portions of the
  13 * Software.
  14 *
  15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
  18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
  20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
  21 * IN THE SOFTWARE.
  22 *
  23 * Authors:
  24 *    Eric Anholt <eric@anholt.net>
  25 *    Chris Wilson <chris@chris-wilson.co.uk>
  26 *
  27 */
  28
  29#include <linux/dma_remapping.h>
  30#include <linux/reservation.h>
  31#include <linux/uaccess.h>
  32
  33#include <drm/drmP.h>
  34#include <drm/i915_drm.h>
  35
  36#include "i915_drv.h"
  37#include "i915_gem_dmabuf.h"
  38#include "i915_trace.h"
  39#include "intel_drv.h"
  40#include "intel_frontbuffer.h"
  41
  42#define DBG_USE_CPU_RELOC 0 /* -1 force GTT relocs; 1 force CPU relocs */
  43
  44#define  __EXEC_OBJECT_HAS_PIN          (1<<31)
  45#define  __EXEC_OBJECT_HAS_FENCE        (1<<30)
  46#define  __EXEC_OBJECT_NEEDS_MAP        (1<<29)
  47#define  __EXEC_OBJECT_NEEDS_BIAS       (1<<28)
  48#define  __EXEC_OBJECT_INTERNAL_FLAGS (0xf<<28) /* all of the above */
  49
  50#define BATCH_OFFSET_BIAS (256*1024)
  51
  52struct i915_execbuffer_params {
  53        struct drm_device               *dev;
  54        struct drm_file                 *file;
  55        struct i915_vma                 *batch;
  56        u32                             dispatch_flags;
  57        u32                             args_batch_start_offset;
  58        struct intel_engine_cs          *engine;
  59        struct i915_gem_context         *ctx;
  60        struct drm_i915_gem_request     *request;
  61};
  62
  63struct eb_vmas {
  64        struct drm_i915_private *i915;
  65        struct list_head vmas;
  66        int and;
  67        union {
  68                struct i915_vma *lut[0];
  69                struct hlist_head buckets[0];
  70        };
  71};
  72
  73static struct eb_vmas *
  74eb_create(struct drm_i915_private *i915,
  75          struct drm_i915_gem_execbuffer2 *args)
  76{
  77        struct eb_vmas *eb = NULL;
  78
  79        if (args->flags & I915_EXEC_HANDLE_LUT) {
  80                unsigned size = args->buffer_count;
  81                size *= sizeof(struct i915_vma *);
  82                size += sizeof(struct eb_vmas);
  83                eb = kmalloc(size, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY);
  84        }
  85
  86        if (eb == NULL) {
  87                unsigned size = args->buffer_count;
  88                unsigned count = PAGE_SIZE / sizeof(struct hlist_head) / 2;
  89                BUILD_BUG_ON_NOT_POWER_OF_2(PAGE_SIZE / sizeof(struct hlist_head));
  90                while (count > 2*size)
  91                        count >>= 1;
  92                eb = kzalloc(count*sizeof(struct hlist_head) +
  93                             sizeof(struct eb_vmas),
  94                             GFP_TEMPORARY);
  95                if (eb == NULL)
  96                        return eb;
  97
  98                eb->and = count - 1;
  99        } else
 100                eb->and = -args->buffer_count;
 101
 102        eb->i915 = i915;
 103        INIT_LIST_HEAD(&eb->vmas);
 104        return eb;
 105}
 106
 107static void
 108eb_reset(struct eb_vmas *eb)
 109{
 110        if (eb->and >= 0)
 111                memset(eb->buckets, 0, (eb->and+1)*sizeof(struct hlist_head));
 112}
 113
 114static struct i915_vma *
 115eb_get_batch(struct eb_vmas *eb)
 116{
 117        struct i915_vma *vma = list_entry(eb->vmas.prev, typeof(*vma), exec_list);
 118
 119        /*
 120         * SNA is doing fancy tricks with compressing batch buffers, which leads
 121         * to negative relocation deltas. Usually that works out ok since the
 122         * relocate address is still positive, except when the batch is placed
 123         * very low in the GTT. Ensure this doesn't happen.
 124         *
 125         * Note that actual hangs have only been observed on gen7, but for
 126         * paranoia do it everywhere.
 127         */
 128        if ((vma->exec_entry->flags & EXEC_OBJECT_PINNED) == 0)
 129                vma->exec_entry->flags |= __EXEC_OBJECT_NEEDS_BIAS;
 130
 131        return vma;
 132}
 133
 134static int
 135eb_lookup_vmas(struct eb_vmas *eb,
 136               struct drm_i915_gem_exec_object2 *exec,
 137               const struct drm_i915_gem_execbuffer2 *args,
 138               struct i915_address_space *vm,
 139               struct drm_file *file)
 140{
 141        struct drm_i915_gem_object *obj;
 142        struct list_head objects;
 143        int i, ret;
 144
 145        INIT_LIST_HEAD(&objects);
 146        spin_lock(&file->table_lock);
 147        /* Grab a reference to the object and release the lock so we can lookup
 148         * or create the VMA without using GFP_ATOMIC */
 149        for (i = 0; i < args->buffer_count; i++) {
 150                obj = to_intel_bo(idr_find(&file->object_idr, exec[i].handle));
 151                if (obj == NULL) {
 152                        spin_unlock(&file->table_lock);
 153                        DRM_DEBUG("Invalid object handle %d at index %d\n",
 154                                   exec[i].handle, i);
 155                        ret = -ENOENT;
 156                        goto err;
 157                }
 158
 159                if (!list_empty(&obj->obj_exec_link)) {
 160                        spin_unlock(&file->table_lock);
 161                        DRM_DEBUG("Object %p [handle %d, index %d] appears more than once in object list\n",
 162                                   obj, exec[i].handle, i);
 163                        ret = -EINVAL;
 164                        goto err;
 165                }
 166
 167                i915_gem_object_get(obj);
 168                list_add_tail(&obj->obj_exec_link, &objects);
 169        }
 170        spin_unlock(&file->table_lock);
 171
 172        i = 0;
 173        while (!list_empty(&objects)) {
 174                struct i915_vma *vma;
 175
 176                obj = list_first_entry(&objects,
 177                                       struct drm_i915_gem_object,
 178                                       obj_exec_link);
 179
 180                /*
 181                 * NOTE: We can leak any vmas created here when something fails
 182                 * later on. But that's no issue since vma_unbind can deal with
 183                 * vmas which are not actually bound. And since only
 184                 * lookup_or_create exists as an interface to get at the vma
 185                 * from the (obj, vm) we don't run the risk of creating
 186                 * duplicated vmas for the same vm.
 187                 */
 188                vma = i915_gem_obj_lookup_or_create_vma(obj, vm, NULL);
 189                if (unlikely(IS_ERR(vma))) {
 190                        DRM_DEBUG("Failed to lookup VMA\n");
 191                        ret = PTR_ERR(vma);
 192                        goto err;
 193                }
 194
 195                /* Transfer ownership from the objects list to the vmas list. */
 196                list_add_tail(&vma->exec_list, &eb->vmas);
 197                list_del_init(&obj->obj_exec_link);
 198
 199                vma->exec_entry = &exec[i];
 200                if (eb->and < 0) {
 201                        eb->lut[i] = vma;
 202                } else {
 203                        uint32_t handle = args->flags & I915_EXEC_HANDLE_LUT ? i : exec[i].handle;
 204                        vma->exec_handle = handle;
 205                        hlist_add_head(&vma->exec_node,
 206                                       &eb->buckets[handle & eb->and]);
 207                }
 208                ++i;
 209        }
 210
 211        return 0;
 212
 213
 214err:
 215        while (!list_empty(&objects)) {
 216                obj = list_first_entry(&objects,
 217                                       struct drm_i915_gem_object,
 218                                       obj_exec_link);
 219                list_del_init(&obj->obj_exec_link);
 220                i915_gem_object_put(obj);
 221        }
 222        /*
 223         * Objects already transfered to the vmas list will be unreferenced by
 224         * eb_destroy.
 225         */
 226
 227        return ret;
 228}
 229
 230static struct i915_vma *eb_get_vma(struct eb_vmas *eb, unsigned long handle)
 231{
 232        if (eb->and < 0) {
 233                if (handle >= -eb->and)
 234                        return NULL;
 235                return eb->lut[handle];
 236        } else {
 237                struct hlist_head *head;
 238                struct i915_vma *vma;
 239
 240                head = &eb->buckets[handle & eb->and];
 241                hlist_for_each_entry(vma, head, exec_node) {
 242                        if (vma->exec_handle == handle)
 243                                return vma;
 244                }
 245                return NULL;
 246        }
 247}
 248
 249static void
 250i915_gem_execbuffer_unreserve_vma(struct i915_vma *vma)
 251{
 252        struct drm_i915_gem_exec_object2 *entry;
 253
 254        if (!drm_mm_node_allocated(&vma->node))
 255                return;
 256
 257        entry = vma->exec_entry;
 258
 259        if (entry->flags & __EXEC_OBJECT_HAS_FENCE)
 260                i915_vma_unpin_fence(vma);
 261
 262        if (entry->flags & __EXEC_OBJECT_HAS_PIN)
 263                __i915_vma_unpin(vma);
 264
 265        entry->flags &= ~(__EXEC_OBJECT_HAS_FENCE | __EXEC_OBJECT_HAS_PIN);
 266}
 267
 268static void eb_destroy(struct eb_vmas *eb)
 269{
 270        while (!list_empty(&eb->vmas)) {
 271                struct i915_vma *vma;
 272
 273                vma = list_first_entry(&eb->vmas,
 274                                       struct i915_vma,
 275                                       exec_list);
 276                list_del_init(&vma->exec_list);
 277                i915_gem_execbuffer_unreserve_vma(vma);
 278                i915_vma_put(vma);
 279        }
 280        kfree(eb);
 281}
 282
 283static inline int use_cpu_reloc(struct drm_i915_gem_object *obj)
 284{
 285        if (!i915_gem_object_has_struct_page(obj))
 286                return false;
 287
 288        if (DBG_USE_CPU_RELOC)
 289                return DBG_USE_CPU_RELOC > 0;
 290
 291        return (HAS_LLC(obj->base.dev) ||
 292                obj->base.write_domain == I915_GEM_DOMAIN_CPU ||
 293                obj->cache_level != I915_CACHE_NONE);
 294}
 295
 296/* Used to convert any address to canonical form.
 297 * Starting from gen8, some commands (e.g. STATE_BASE_ADDRESS,
 298 * MI_LOAD_REGISTER_MEM and others, see Broadwell PRM Vol2a) require the
 299 * addresses to be in a canonical form:
 300 * "GraphicsAddress[63:48] are ignored by the HW and assumed to be in correct
 301 * canonical form [63:48] == [47]."
 302 */
 303#define GEN8_HIGH_ADDRESS_BIT 47
 304static inline uint64_t gen8_canonical_addr(uint64_t address)
 305{
 306        return sign_extend64(address, GEN8_HIGH_ADDRESS_BIT);
 307}
 308
 309static inline uint64_t gen8_noncanonical_addr(uint64_t address)
 310{
 311        return address & ((1ULL << (GEN8_HIGH_ADDRESS_BIT + 1)) - 1);
 312}
 313
 314static inline uint64_t
 315relocation_target(const struct drm_i915_gem_relocation_entry *reloc,
 316                  uint64_t target_offset)
 317{
 318        return gen8_canonical_addr((int)reloc->delta + target_offset);
 319}
 320
 321struct reloc_cache {
 322        struct drm_i915_private *i915;
 323        struct drm_mm_node node;
 324        unsigned long vaddr;
 325        unsigned int page;
 326        bool use_64bit_reloc;
 327};
 328
 329static void reloc_cache_init(struct reloc_cache *cache,
 330                             struct drm_i915_private *i915)
 331{
 332        cache->page = -1;
 333        cache->vaddr = 0;
 334        cache->i915 = i915;
 335        cache->use_64bit_reloc = INTEL_GEN(cache->i915) >= 8;
 336        cache->node.allocated = false;
 337}
 338
 339static inline void *unmask_page(unsigned long p)
 340{
 341        return (void *)(uintptr_t)(p & PAGE_MASK);
 342}
 343
 344static inline unsigned int unmask_flags(unsigned long p)
 345{
 346        return p & ~PAGE_MASK;
 347}
 348
 349#define KMAP 0x4 /* after CLFLUSH_FLAGS */
 350
 351static void reloc_cache_fini(struct reloc_cache *cache)
 352{
 353        void *vaddr;
 354
 355        if (!cache->vaddr)
 356                return;
 357
 358        vaddr = unmask_page(cache->vaddr);
 359        if (cache->vaddr & KMAP) {
 360                if (cache->vaddr & CLFLUSH_AFTER)
 361                        mb();
 362
 363                kunmap_atomic(vaddr);
 364                i915_gem_obj_finish_shmem_access((struct drm_i915_gem_object *)cache->node.mm);
 365        } else {
 366                wmb();
 367                io_mapping_unmap_atomic((void __iomem *)vaddr);
 368                if (cache->node.allocated) {
 369                        struct i915_ggtt *ggtt = &cache->i915->ggtt;
 370
 371                        ggtt->base.clear_range(&ggtt->base,
 372                                               cache->node.start,
 373                                               cache->node.size,
 374                                               true);
 375                        drm_mm_remove_node(&cache->node);
 376                } else {
 377                        i915_vma_unpin((struct i915_vma *)cache->node.mm);
 378                }
 379        }
 380}
 381
 382static void *reloc_kmap(struct drm_i915_gem_object *obj,
 383                        struct reloc_cache *cache,
 384                        int page)
 385{
 386        void *vaddr;
 387
 388        if (cache->vaddr) {
 389                kunmap_atomic(unmask_page(cache->vaddr));
 390        } else {
 391                unsigned int flushes;
 392                int ret;
 393
 394                ret = i915_gem_obj_prepare_shmem_write(obj, &flushes);
 395                if (ret)
 396                        return ERR_PTR(ret);
 397
 398                BUILD_BUG_ON(KMAP & CLFLUSH_FLAGS);
 399                BUILD_BUG_ON((KMAP | CLFLUSH_FLAGS) & PAGE_MASK);
 400
 401                cache->vaddr = flushes | KMAP;
 402                cache->node.mm = (void *)obj;
 403                if (flushes)
 404                        mb();
 405        }
 406
 407        vaddr = kmap_atomic(i915_gem_object_get_dirty_page(obj, page));
 408        cache->vaddr = unmask_flags(cache->vaddr) | (unsigned long)vaddr;
 409        cache->page = page;
 410
 411        return vaddr;
 412}
 413
 414static void *reloc_iomap(struct drm_i915_gem_object *obj,
 415                         struct reloc_cache *cache,
 416                         int page)
 417{
 418        struct i915_ggtt *ggtt = &cache->i915->ggtt;
 419        unsigned long offset;
 420        void *vaddr;
 421
 422        if (cache->node.allocated) {
 423                wmb();
 424                ggtt->base.insert_page(&ggtt->base,
 425                                       i915_gem_object_get_dma_address(obj, page),
 426                                       cache->node.start, I915_CACHE_NONE, 0);
 427                cache->page = page;
 428                return unmask_page(cache->vaddr);
 429        }
 430
 431        if (cache->vaddr) {
 432                io_mapping_unmap_atomic(unmask_page(cache->vaddr));
 433        } else {
 434                struct i915_vma *vma;
 435                int ret;
 436
 437                if (use_cpu_reloc(obj))
 438                        return NULL;
 439
 440                ret = i915_gem_object_set_to_gtt_domain(obj, true);
 441                if (ret)
 442                        return ERR_PTR(ret);
 443
 444                vma = i915_gem_object_ggtt_pin(obj, NULL, 0, 0,
 445                                               PIN_MAPPABLE | PIN_NONBLOCK);
 446                if (IS_ERR(vma)) {
 447                        memset(&cache->node, 0, sizeof(cache->node));
 448                        ret = drm_mm_insert_node_in_range_generic
 449                                (&ggtt->base.mm, &cache->node,
 450                                 4096, 0, 0,
 451                                 0, ggtt->mappable_end,
 452                                 DRM_MM_SEARCH_DEFAULT,
 453                                 DRM_MM_CREATE_DEFAULT);
 454                        if (ret) /* no inactive aperture space, use cpu reloc */
 455                                return NULL;
 456                } else {
 457                        ret = i915_vma_put_fence(vma);
 458                        if (ret) {
 459                                i915_vma_unpin(vma);
 460                                return ERR_PTR(ret);
 461                        }
 462
 463                        cache->node.start = vma->node.start;
 464                        cache->node.mm = (void *)vma;
 465                }
 466        }
 467
 468        offset = cache->node.start;
 469        if (cache->node.allocated) {
 470                ggtt->base.insert_page(&ggtt->base,
 471                                       i915_gem_object_get_dma_address(obj, page),
 472                                       offset, I915_CACHE_NONE, 0);
 473        } else {
 474                offset += page << PAGE_SHIFT;
 475        }
 476
 477        vaddr = io_mapping_map_atomic_wc(&cache->i915->ggtt.mappable, offset);
 478        cache->page = page;
 479        cache->vaddr = (unsigned long)vaddr;
 480
 481        return vaddr;
 482}
 483
 484static void *reloc_vaddr(struct drm_i915_gem_object *obj,
 485                         struct reloc_cache *cache,
 486                         int page)
 487{
 488        void *vaddr;
 489
 490        if (cache->page == page) {
 491                vaddr = unmask_page(cache->vaddr);
 492        } else {
 493                vaddr = NULL;
 494                if ((cache->vaddr & KMAP) == 0)
 495                        vaddr = reloc_iomap(obj, cache, page);
 496                if (!vaddr)
 497                        vaddr = reloc_kmap(obj, cache, page);
 498        }
 499
 500        return vaddr;
 501}
 502
 503static void clflush_write32(u32 *addr, u32 value, unsigned int flushes)
 504{
 505        if (unlikely(flushes & (CLFLUSH_BEFORE | CLFLUSH_AFTER))) {
 506                if (flushes & CLFLUSH_BEFORE) {
 507                        clflushopt(addr);
 508                        mb();
 509                }
 510
 511                *addr = value;
 512
 513                /* Writes to the same cacheline are serialised by the CPU
 514                 * (including clflush). On the write path, we only require
 515                 * that it hits memory in an orderly fashion and place
 516                 * mb barriers at the start and end of the relocation phase
 517                 * to ensure ordering of clflush wrt to the system.
 518                 */
 519                if (flushes & CLFLUSH_AFTER)
 520                        clflushopt(addr);
 521        } else
 522                *addr = value;
 523}
 524
 525static int
 526relocate_entry(struct drm_i915_gem_object *obj,
 527               const struct drm_i915_gem_relocation_entry *reloc,
 528               struct reloc_cache *cache,
 529               u64 target_offset)
 530{
 531        u64 offset = reloc->offset;
 532        bool wide = cache->use_64bit_reloc;
 533        void *vaddr;
 534
 535        target_offset = relocation_target(reloc, target_offset);
 536repeat:
 537        vaddr = reloc_vaddr(obj, cache, offset >> PAGE_SHIFT);
 538        if (IS_ERR(vaddr))
 539                return PTR_ERR(vaddr);
 540
 541        clflush_write32(vaddr + offset_in_page(offset),
 542                        lower_32_bits(target_offset),
 543                        cache->vaddr);
 544
 545        if (wide) {
 546                offset += sizeof(u32);
 547                target_offset >>= 32;
 548                wide = false;
 549                goto repeat;
 550        }
 551
 552        return 0;
 553}
 554
 555static bool object_is_idle(struct drm_i915_gem_object *obj)
 556{
 557        unsigned long active = i915_gem_object_get_active(obj);
 558        int idx;
 559
 560        for_each_active(active, idx) {
 561                if (!i915_gem_active_is_idle(&obj->last_read[idx],
 562                                             &obj->base.dev->struct_mutex))
 563                        return false;
 564        }
 565
 566        return true;
 567}
 568
 569static int
 570i915_gem_execbuffer_relocate_entry(struct drm_i915_gem_object *obj,
 571                                   struct eb_vmas *eb,
 572                                   struct drm_i915_gem_relocation_entry *reloc,
 573                                   struct reloc_cache *cache)
 574{
 575        struct drm_device *dev = obj->base.dev;
 576        struct drm_gem_object *target_obj;
 577        struct drm_i915_gem_object *target_i915_obj;
 578        struct i915_vma *target_vma;
 579        uint64_t target_offset;
 580        int ret;
 581
 582        /* we've already hold a reference to all valid objects */
 583        target_vma = eb_get_vma(eb, reloc->target_handle);
 584        if (unlikely(target_vma == NULL))
 585                return -ENOENT;
 586        target_i915_obj = target_vma->obj;
 587        target_obj = &target_vma->obj->base;
 588
 589        target_offset = gen8_canonical_addr(target_vma->node.start);
 590
 591        /* Sandybridge PPGTT errata: We need a global gtt mapping for MI and
 592         * pipe_control writes because the gpu doesn't properly redirect them
 593         * through the ppgtt for non_secure batchbuffers. */
 594        if (unlikely(IS_GEN6(dev) &&
 595            reloc->write_domain == I915_GEM_DOMAIN_INSTRUCTION)) {
 596                ret = i915_vma_bind(target_vma, target_i915_obj->cache_level,
 597                                    PIN_GLOBAL);
 598                if (WARN_ONCE(ret, "Unexpected failure to bind target VMA!"))
 599                        return ret;
 600        }
 601
 602        /* Validate that the target is in a valid r/w GPU domain */
 603        if (unlikely(reloc->write_domain & (reloc->write_domain - 1))) {
 604                DRM_DEBUG("reloc with multiple write domains: "
 605                          "obj %p target %d offset %d "
 606                          "read %08x write %08x",
 607                          obj, reloc->target_handle,
 608                          (int) reloc->offset,
 609                          reloc->read_domains,
 610                          reloc->write_domain);
 611                return -EINVAL;
 612        }
 613        if (unlikely((reloc->write_domain | reloc->read_domains)
 614                     & ~I915_GEM_GPU_DOMAINS)) {
 615                DRM_DEBUG("reloc with read/write non-GPU domains: "
 616                          "obj %p target %d offset %d "
 617                          "read %08x write %08x",
 618                          obj, reloc->target_handle,
 619                          (int) reloc->offset,
 620                          reloc->read_domains,
 621                          reloc->write_domain);
 622                return -EINVAL;
 623        }
 624
 625        target_obj->pending_read_domains |= reloc->read_domains;
 626        target_obj->pending_write_domain |= reloc->write_domain;
 627
 628        /* If the relocation already has the right value in it, no
 629         * more work needs to be done.
 630         */
 631        if (target_offset == reloc->presumed_offset)
 632                return 0;
 633
 634        /* Check that the relocation address is valid... */
 635        if (unlikely(reloc->offset >
 636                     obj->base.size - (cache->use_64bit_reloc ? 8 : 4))) {
 637                DRM_DEBUG("Relocation beyond object bounds: "
 638                          "obj %p target %d offset %d size %d.\n",
 639                          obj, reloc->target_handle,
 640                          (int) reloc->offset,
 641                          (int) obj->base.size);
 642                return -EINVAL;
 643        }
 644        if (unlikely(reloc->offset & 3)) {
 645                DRM_DEBUG("Relocation not 4-byte aligned: "
 646                          "obj %p target %d offset %d.\n",
 647                          obj, reloc->target_handle,
 648                          (int) reloc->offset);
 649                return -EINVAL;
 650        }
 651
 652        /* We can't wait for rendering with pagefaults disabled */
 653        if (pagefault_disabled() && !object_is_idle(obj))
 654                return -EFAULT;
 655
 656        ret = relocate_entry(obj, reloc, cache, target_offset);
 657        if (ret)
 658                return ret;
 659
 660        /* and update the user's relocation entry */
 661        reloc->presumed_offset = target_offset;
 662        return 0;
 663}
 664
 665static int
 666i915_gem_execbuffer_relocate_vma(struct i915_vma *vma,
 667                                 struct eb_vmas *eb)
 668{
 669#define N_RELOC(x) ((x) / sizeof(struct drm_i915_gem_relocation_entry))
 670        struct drm_i915_gem_relocation_entry stack_reloc[N_RELOC(512)];
 671        struct drm_i915_gem_relocation_entry __user *user_relocs;
 672        struct drm_i915_gem_exec_object2 *entry = vma->exec_entry;
 673        struct reloc_cache cache;
 674        int remain, ret = 0;
 675
 676        user_relocs = u64_to_user_ptr(entry->relocs_ptr);
 677        reloc_cache_init(&cache, eb->i915);
 678
 679        remain = entry->relocation_count;
 680        while (remain) {
 681                struct drm_i915_gem_relocation_entry *r = stack_reloc;
 682                int count = remain;
 683                if (count > ARRAY_SIZE(stack_reloc))
 684                        count = ARRAY_SIZE(stack_reloc);
 685                remain -= count;
 686
 687                if (__copy_from_user_inatomic(r, user_relocs, count*sizeof(r[0]))) {
 688                        ret = -EFAULT;
 689                        goto out;
 690                }
 691
 692                do {
 693                        u64 offset = r->presumed_offset;
 694
 695                        ret = i915_gem_execbuffer_relocate_entry(vma->obj, eb, r, &cache);
 696                        if (ret)
 697                                goto out;
 698
 699                        if (r->presumed_offset != offset &&
 700                            __put_user(r->presumed_offset,
 701                                       &user_relocs->presumed_offset)) {
 702                                ret = -EFAULT;
 703                                goto out;
 704                        }
 705
 706                        user_relocs++;
 707                        r++;
 708                } while (--count);
 709        }
 710
 711out:
 712        reloc_cache_fini(&cache);
 713        return ret;
 714#undef N_RELOC
 715}
 716
 717static int
 718i915_gem_execbuffer_relocate_vma_slow(struct i915_vma *vma,
 719                                      struct eb_vmas *eb,
 720                                      struct drm_i915_gem_relocation_entry *relocs)
 721{
 722        const struct drm_i915_gem_exec_object2 *entry = vma->exec_entry;
 723        struct reloc_cache cache;
 724        int i, ret = 0;
 725
 726        reloc_cache_init(&cache, eb->i915);
 727        for (i = 0; i < entry->relocation_count; i++) {
 728                ret = i915_gem_execbuffer_relocate_entry(vma->obj, eb, &relocs[i], &cache);
 729                if (ret)
 730                        break;
 731        }
 732        reloc_cache_fini(&cache);
 733
 734        return ret;
 735}
 736
 737static int
 738i915_gem_execbuffer_relocate(struct eb_vmas *eb)
 739{
 740        struct i915_vma *vma;
 741        int ret = 0;
 742
 743        /* This is the fast path and we cannot handle a pagefault whilst
 744         * holding the struct mutex lest the user pass in the relocations
 745         * contained within a mmaped bo. For in such a case we, the page
 746         * fault handler would call i915_gem_fault() and we would try to
 747         * acquire the struct mutex again. Obviously this is bad and so
 748         * lockdep complains vehemently.
 749         */
 750        pagefault_disable();
 751        list_for_each_entry(vma, &eb->vmas, exec_list) {
 752                ret = i915_gem_execbuffer_relocate_vma(vma, eb);
 753                if (ret)
 754                        break;
 755        }
 756        pagefault_enable();
 757
 758        return ret;
 759}
 760
 761static bool only_mappable_for_reloc(unsigned int flags)
 762{
 763        return (flags & (EXEC_OBJECT_NEEDS_FENCE | __EXEC_OBJECT_NEEDS_MAP)) ==
 764                __EXEC_OBJECT_NEEDS_MAP;
 765}
 766
 767static int
 768i915_gem_execbuffer_reserve_vma(struct i915_vma *vma,
 769                                struct intel_engine_cs *engine,
 770                                bool *need_reloc)
 771{
 772        struct drm_i915_gem_object *obj = vma->obj;
 773        struct drm_i915_gem_exec_object2 *entry = vma->exec_entry;
 774        uint64_t flags;
 775        int ret;
 776
 777        flags = PIN_USER;
 778        if (entry->flags & EXEC_OBJECT_NEEDS_GTT)
 779                flags |= PIN_GLOBAL;
 780
 781        if (!drm_mm_node_allocated(&vma->node)) {
 782                /* Wa32bitGeneralStateOffset & Wa32bitInstructionBaseOffset,
 783                 * limit address to the first 4GBs for unflagged objects.
 784                 */
 785                if ((entry->flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS) == 0)
 786                        flags |= PIN_ZONE_4G;
 787                if (entry->flags & __EXEC_OBJECT_NEEDS_MAP)
 788                        flags |= PIN_GLOBAL | PIN_MAPPABLE;
 789                if (entry->flags & __EXEC_OBJECT_NEEDS_BIAS)
 790                        flags |= BATCH_OFFSET_BIAS | PIN_OFFSET_BIAS;
 791                if (entry->flags & EXEC_OBJECT_PINNED)
 792                        flags |= entry->offset | PIN_OFFSET_FIXED;
 793                if ((flags & PIN_MAPPABLE) == 0)
 794                        flags |= PIN_HIGH;
 795        }
 796
 797        ret = i915_vma_pin(vma,
 798                           entry->pad_to_size,
 799                           entry->alignment,
 800                           flags);
 801        if ((ret == -ENOSPC || ret == -E2BIG) &&
 802            only_mappable_for_reloc(entry->flags))
 803                ret = i915_vma_pin(vma,
 804                                   entry->pad_to_size,
 805                                   entry->alignment,
 806                                   flags & ~PIN_MAPPABLE);
 807        if (ret)
 808                return ret;
 809
 810        entry->flags |= __EXEC_OBJECT_HAS_PIN;
 811
 812        if (entry->flags & EXEC_OBJECT_NEEDS_FENCE) {
 813                ret = i915_vma_get_fence(vma);
 814                if (ret)
 815                        return ret;
 816
 817                if (i915_vma_pin_fence(vma))
 818                        entry->flags |= __EXEC_OBJECT_HAS_FENCE;
 819        }
 820
 821        if (entry->offset != vma->node.start) {
 822                entry->offset = vma->node.start;
 823                *need_reloc = true;
 824        }
 825
 826        if (entry->flags & EXEC_OBJECT_WRITE) {
 827                obj->base.pending_read_domains = I915_GEM_DOMAIN_RENDER;
 828                obj->base.pending_write_domain = I915_GEM_DOMAIN_RENDER;
 829        }
 830
 831        return 0;
 832}
 833
 834static bool
 835need_reloc_mappable(struct i915_vma *vma)
 836{
 837        struct drm_i915_gem_exec_object2 *entry = vma->exec_entry;
 838
 839        if (entry->relocation_count == 0)
 840                return false;
 841
 842        if (!i915_vma_is_ggtt(vma))
 843                return false;
 844
 845        /* See also use_cpu_reloc() */
 846        if (HAS_LLC(vma->obj->base.dev))
 847                return false;
 848
 849        if (vma->obj->base.write_domain == I915_GEM_DOMAIN_CPU)
 850                return false;
 851
 852        return true;
 853}
 854
 855static bool
 856eb_vma_misplaced(struct i915_vma *vma)
 857{
 858        struct drm_i915_gem_exec_object2 *entry = vma->exec_entry;
 859
 860        WARN_ON(entry->flags & __EXEC_OBJECT_NEEDS_MAP &&
 861                !i915_vma_is_ggtt(vma));
 862
 863        if (entry->alignment &&
 864            vma->node.start & (entry->alignment - 1))
 865                return true;
 866
 867        if (vma->node.size < entry->pad_to_size)
 868                return true;
 869
 870        if (entry->flags & EXEC_OBJECT_PINNED &&
 871            vma->node.start != entry->offset)
 872                return true;
 873
 874        if (entry->flags & __EXEC_OBJECT_NEEDS_BIAS &&
 875            vma->node.start < BATCH_OFFSET_BIAS)
 876                return true;
 877
 878        /* avoid costly ping-pong once a batch bo ended up non-mappable */
 879        if (entry->flags & __EXEC_OBJECT_NEEDS_MAP &&
 880            !i915_vma_is_map_and_fenceable(vma))
 881                return !only_mappable_for_reloc(entry->flags);
 882
 883        if ((entry->flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS) == 0 &&
 884            (vma->node.start + vma->node.size - 1) >> 32)
 885                return true;
 886
 887        return false;
 888}
 889
 890static int
 891i915_gem_execbuffer_reserve(struct intel_engine_cs *engine,
 892                            struct list_head *vmas,
 893                            struct i915_gem_context *ctx,
 894                            bool *need_relocs)
 895{
 896        struct drm_i915_gem_object *obj;
 897        struct i915_vma *vma;
 898        struct i915_address_space *vm;
 899        struct list_head ordered_vmas;
 900        struct list_head pinned_vmas;
 901        bool has_fenced_gpu_access = INTEL_GEN(engine->i915) < 4;
 902        int retry;
 903
 904        vm = list_first_entry(vmas, struct i915_vma, exec_list)->vm;
 905
 906        INIT_LIST_HEAD(&ordered_vmas);
 907        INIT_LIST_HEAD(&pinned_vmas);
 908        while (!list_empty(vmas)) {
 909                struct drm_i915_gem_exec_object2 *entry;
 910                bool need_fence, need_mappable;
 911
 912                vma = list_first_entry(vmas, struct i915_vma, exec_list);
 913                obj = vma->obj;
 914                entry = vma->exec_entry;
 915
 916                if (ctx->flags & CONTEXT_NO_ZEROMAP)
 917                        entry->flags |= __EXEC_OBJECT_NEEDS_BIAS;
 918
 919                if (!has_fenced_gpu_access)
 920                        entry->flags &= ~EXEC_OBJECT_NEEDS_FENCE;
 921                need_fence =
 922                        entry->flags & EXEC_OBJECT_NEEDS_FENCE &&
 923                        i915_gem_object_is_tiled(obj);
 924                need_mappable = need_fence || need_reloc_mappable(vma);
 925
 926                if (entry->flags & EXEC_OBJECT_PINNED)
 927                        list_move_tail(&vma->exec_list, &pinned_vmas);
 928                else if (need_mappable) {
 929                        entry->flags |= __EXEC_OBJECT_NEEDS_MAP;
 930                        list_move(&vma->exec_list, &ordered_vmas);
 931                } else
 932                        list_move_tail(&vma->exec_list, &ordered_vmas);
 933
 934                obj->base.pending_read_domains = I915_GEM_GPU_DOMAINS & ~I915_GEM_DOMAIN_COMMAND;
 935                obj->base.pending_write_domain = 0;
 936        }
 937        list_splice(&ordered_vmas, vmas);
 938        list_splice(&pinned_vmas, vmas);
 939
 940        /* Attempt to pin all of the buffers into the GTT.
 941         * This is done in 3 phases:
 942         *
 943         * 1a. Unbind all objects that do not match the GTT constraints for
 944         *     the execbuffer (fenceable, mappable, alignment etc).
 945         * 1b. Increment pin count for already bound objects.
 946         * 2.  Bind new objects.
 947         * 3.  Decrement pin count.
 948         *
 949         * This avoid unnecessary unbinding of later objects in order to make
 950         * room for the earlier objects *unless* we need to defragment.
 951         */
 952        retry = 0;
 953        do {
 954                int ret = 0;
 955
 956                /* Unbind any ill-fitting objects or pin. */
 957                list_for_each_entry(vma, vmas, exec_list) {
 958                        if (!drm_mm_node_allocated(&vma->node))
 959                                continue;
 960
 961                        if (eb_vma_misplaced(vma))
 962                                ret = i915_vma_unbind(vma);
 963                        else
 964                                ret = i915_gem_execbuffer_reserve_vma(vma,
 965                                                                      engine,
 966                                                                      need_relocs);
 967                        if (ret)
 968                                goto err;
 969                }
 970
 971                /* Bind fresh objects */
 972                list_for_each_entry(vma, vmas, exec_list) {
 973                        if (drm_mm_node_allocated(&vma->node))
 974                                continue;
 975
 976                        ret = i915_gem_execbuffer_reserve_vma(vma, engine,
 977                                                              need_relocs);
 978                        if (ret)
 979                                goto err;
 980                }
 981
 982err:
 983                if (ret != -ENOSPC || retry++)
 984                        return ret;
 985
 986                /* Decrement pin count for bound objects */
 987                list_for_each_entry(vma, vmas, exec_list)
 988                        i915_gem_execbuffer_unreserve_vma(vma);
 989
 990                ret = i915_gem_evict_vm(vm, true);
 991                if (ret)
 992                        return ret;
 993        } while (1);
 994}
 995
 996static int
 997i915_gem_execbuffer_relocate_slow(struct drm_device *dev,
 998                                  struct drm_i915_gem_execbuffer2 *args,
 999                                  struct drm_file *file,
1000                                  struct intel_engine_cs *engine,

1001                                  struct eb_vmas *eb,
1002                                  struct drm_i915_gem_exec_object2 *exec,
1003                                  struct i915_gem_context *ctx)
1004{
1005        struct drm_i915_gem_relocation_entry *reloc;
1006        struct i915_address_space *vm;
1007        struct i915_vma *vma;
1008        bool need_relocs;
1009        int *reloc_offset;
1010        int i, total, ret;
1011        unsigned count = args->buffer_count;
1012
1013        vm = list_first_entry(&eb->vmas, struct i915_vma, exec_list)->vm;
1014
1015        /* We may process another execbuffer during the unlock... */
1016        while (!list_empty(&eb->vmas)) {
1017                vma = list_first_entry(&eb->vmas, struct i915_vma, exec_list);
1018                list_del_init(&vma->exec_list);
1019                i915_gem_execbuffer_unreserve_vma(vma);
1020                i915_vma_put(vma);
1021        }
1022
1023        mutex_unlock(&dev->struct_mutex);
1024
1025        total = 0;
1026        for (i = 0; i < count; i++)
1027                total += exec[i].relocation_count;
1028
1029        reloc_offset = drm_malloc_ab(count, sizeof(*reloc_offset));
1030        reloc = drm_malloc_ab(total, sizeof(*reloc));
1031        if (reloc == NULL || reloc_offset == NULL) {
1032                drm_free_large(reloc);
1033                drm_free_large(reloc_offset);
1034                mutex_lock(&dev->struct_mutex);
1035                return -ENOMEM;
1036        }
1037
1038        total = 0;
1039        for (i = 0; i < count; i++) {
1040                struct drm_i915_gem_relocation_entry __user *user_relocs;
1041                u64 invalid_offset = (u64)-1;
1042                int j;
1043
1044                user_relocs = u64_to_user_ptr(exec[i].relocs_ptr);
1045
1046                if (copy_from_user(reloc+total, user_relocs,
1047                                   exec[i].relocation_count * sizeof(*reloc))) {
1048                        ret = -EFAULT;
1049                        mutex_lock(&dev->struct_mutex);
1050                        goto err;
1051                }
1052
1053                /* As we do not update the known relocation offsets after
1054                 * relocating (due to the complexities in lock handling),
1055                 * we need to mark them as invalid now so that we force the
1056                 * relocation processing next time. Just in case the target
1057                 * object is evicted and then rebound into its old
1058                 * presumed_offset before the next execbuffer - if that
1059                 * happened we would make the mistake of assuming that the
1060                 * relocations were valid.
1061                 */
1062                for (j = 0; j < exec[i].relocation_count; j++) {
1063                        if (__copy_to_user(&user_relocs[j].presumed_offset,
1064                                           &invalid_offset,
1065                                           sizeof(invalid_offset))) {
1066                                ret = -EFAULT;
1067                                mutex_lock(&dev->struct_mutex);
1068                                goto err;
1069                        }
1070                }
1071
1072                reloc_offset[i] = total;
1073                total += exec[i].relocation_count;
1074        }
1075
1076        ret = i915_mutex_lock_interruptible(dev);
1077        if (ret) {
1078                mutex_lock(&dev->struct_mutex);
1079                goto err;
1080        }
1081
1082        /* reacquire the objects */
1083        eb_reset(eb);
1084        ret = eb_lookup_vmas(eb, exec, args, vm, file);
1085        if (ret)
1086                goto err;
1087
1088        need_relocs = (args->flags & I915_EXEC_NO_RELOC) == 0;
1089        ret = i915_gem_execbuffer_reserve(engine, &eb->vmas, ctx,
1090                                          &need_relocs);
1091        if (ret)
1092                goto err;
1093
1094        list_for_each_entry(vma, &eb->vmas, exec_list) {
1095                int offset = vma->exec_entry - exec;
1096                ret = i915_gem_execbuffer_relocate_vma_slow(vma, eb,
1097                                                            reloc + reloc_offset[offset]);
1098                if (ret)
1099                        goto err;
1100        }
1101
1102        /* Leave the user relocations as are, this is the painfully slow path,
1103         * and we want to avoid the complication of dropping the lock whilst
1104         * having buffers reserved in the aperture and so causing spurious
1105         * ENOSPC for random operations.
1106         */
1107
1108err:
1109        drm_free_large(reloc);
1110        drm_free_large(reloc_offset);
1111        return ret;
1112}
1113
1114static unsigned int eb_other_engines(struct drm_i915_gem_request *req)
1115{
1116        unsigned int mask;
1117
1118        mask = ~intel_engine_flag(req->engine) & I915_BO_ACTIVE_MASK;
1119        mask <<= I915_BO_ACTIVE_SHIFT;
1120
1121        return mask;
1122}
1123
1124static int
1125i915_gem_execbuffer_move_to_gpu(struct drm_i915_gem_request *req,
1126                                struct list_head *vmas)
1127{
1128        const unsigned int other_rings = eb_other_engines(req);
1129        struct i915_vma *vma;
1130        int ret;
1131
1132        list_for_each_entry(vma, vmas, exec_list) {
1133                struct drm_i915_gem_object *obj = vma->obj;
1134                struct reservation_object *resv;
1135
1136                if (obj->flags & other_rings) {
1137                        ret = i915_gem_request_await_object
1138                                (req, obj, obj->base.pending_write_domain);
1139                        if (ret)
1140                                return ret;
1141                }
1142
1143                resv = i915_gem_object_get_dmabuf_resv(obj);
1144                if (resv) {
1145                        ret = i915_sw_fence_await_reservation
1146                                (&req->submit, resv, &i915_fence_ops,
1147                                 obj->base.pending_write_domain, 10*HZ,
1148                                 GFP_KERNEL | __GFP_NOWARN);
1149                        if (ret < 0)
1150                                return ret;
1151                }
1152
1153                if (obj->base.write_domain & I915_GEM_DOMAIN_CPU)
1154                        i915_gem_clflush_object(obj, false);
1155        }
1156
1157        /* Unconditionally flush any chipset caches (for streaming writes). */
1158        i915_gem_chipset_flush(req->engine->i915);
1159
1160        /* Unconditionally invalidate GPU caches and TLBs. */
1161        return req->engine->emit_flush(req, EMIT_INVALIDATE);
1162}
1163
1164static bool
1165i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
1166{
1167        if (exec->flags & __I915_EXEC_UNKNOWN_FLAGS)
1168                return false;
1169
1170        /* Kernel clipping was a DRI1 misfeature */
1171        if (exec->num_cliprects || exec->cliprects_ptr)
1172                return false;
1173
1174        if (exec->DR4 == 0xffffffff) {
1175                DRM_DEBUG("UXA submitting garbage DR4, fixing up\n");
1176                exec->DR4 = 0;
1177        }
1178        if (exec->DR1 || exec->DR4)
1179                return false;
1180
1181        if ((exec->batch_start_offset | exec->batch_len) & 0x7)
1182                return false;
1183
1184        return true;
1185}
1186
1187static int
1188validate_exec_list(struct drm_device *dev,
1189                   struct drm_i915_gem_exec_object2 *exec,
1190                   int count)
1191{
1192        unsigned relocs_total = 0;
1193        unsigned relocs_max = UINT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
1194        unsigned invalid_flags;
1195        int i;
1196
1197        /* INTERNAL flags must not overlap with external ones */
1198        BUILD_BUG_ON(__EXEC_OBJECT_INTERNAL_FLAGS & ~__EXEC_OBJECT_UNKNOWN_FLAGS);
1199
1200        invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
1201        if (USES_FULL_PPGTT(dev))
1202                invalid_flags |= EXEC_OBJECT_NEEDS_GTT;
1203
1204        for (i = 0; i < count; i++) {
1205                char __user *ptr = u64_to_user_ptr(exec[i].relocs_ptr);
1206                int length; /* limited by fault_in_pages_readable() */
1207
1208                if (exec[i].flags & invalid_flags)
1209                        return -EINVAL;
1210
1211                /* Offset can be used as input (EXEC_OBJECT_PINNED), reject
1212                 * any non-page-aligned or non-canonical addresses.
1213                 */
1214                if (exec[i].flags & EXEC_OBJECT_PINNED) {
1215                        if (exec[i].offset !=
1216                            gen8_canonical_addr(exec[i].offset & PAGE_MASK))
1217                                return -EINVAL;
1218
1219                        /* From drm_mm perspective address space is continuous,
1220                         * so from this point we're always using non-canonical
1221                         * form internally.
1222                         */
1223                        exec[i].offset = gen8_noncanonical_addr(exec[i].offset);
1224                }
1225
1226                if (exec[i].alignment && !is_power_of_2(exec[i].alignment))
1227                        return -EINVAL;
1228
1229                /* pad_to_size was once a reserved field, so sanitize it */
1230                if (exec[i].flags & EXEC_OBJECT_PAD_TO_SIZE) {
1231                        if (offset_in_page(exec[i].pad_to_size))
1232                                return -EINVAL;
1233                } else {
1234                        exec[i].pad_to_size = 0;
1235                }
1236
1237                /* First check for malicious input causing overflow in
1238                 * the worst case where we need to allocate the entire
1239                 * relocation tree as a single array.
1240                 */
1241                if (exec[i].relocation_count > relocs_max - relocs_total)
1242                        return -EINVAL;
1243                relocs_total += exec[i].relocation_count;
1244
1245                length = exec[i].relocation_count *
1246                        sizeof(struct drm_i915_gem_relocation_entry);
1247                /*
1248                 * We must check that the entire relocation array is safe
1249                 * to read, but since we may need to update the presumed
1250                 * offsets during execution, check for full write access.
1251                 */
1252                if (!access_ok(VERIFY_WRITE, ptr, length))
1253                        return -EFAULT;
1254
1255                if (likely(!i915.prefault_disable)) {
1256                        if (fault_in_pages_readable(ptr, length))
1257                                return -EFAULT;
1258                }
1259        }
1260
1261        return 0;
1262}
1263
1264static struct i915_gem_context *
1265i915_gem_validate_context(struct drm_device *dev, struct drm_file *file,
1266                          struct intel_engine_cs *engine, const u32 ctx_id)
1267{
1268        struct i915_gem_context *ctx;
1269        struct i915_ctx_hang_stats *hs;
1270
1271        ctx = i915_gem_context_lookup(file->driver_priv, ctx_id);
1272        if (IS_ERR(ctx))
1273                return ctx;
1274
1275        hs = &ctx->hang_stats;
1276        if (hs->banned) {
1277                DRM_DEBUG("Context %u tried to submit while banned\n", ctx_id);
1278                return ERR_PTR(-EIO);
1279        }
1280
1281        return ctx;
1282}
1283
1284static bool gpu_write_needs_clflush(struct drm_i915_gem_object *obj)
1285{
1286        return !(obj->cache_level == I915_CACHE_NONE ||
1287                 obj->cache_level == I915_CACHE_WT);
1288}
1289
1290void i915_vma_move_to_active(struct i915_vma *vma,
1291                             struct drm_i915_gem_request *req,
1292                             unsigned int flags)
1293{
1294        struct drm_i915_gem_object *obj = vma->obj;
1295        const unsigned int idx = req->engine->id;
1296
1297        GEM_BUG_ON(!drm_mm_node_allocated(&vma->node));
1298
1299        obj->dirty = 1; /* be paranoid  */
1300
1301        /* Add a reference if we're newly entering the active list.
1302         * The order in which we add operations to the retirement queue is
1303         * vital here: mark_active adds to the start of the callback list,
1304         * such that subsequent callbacks are called first. Therefore we
1305         * add the active reference first and queue for it to be dropped
1306         * *last*.
1307         */
1308        if (!i915_gem_object_is_active(obj))
1309                i915_gem_object_get(obj);
1310        i915_gem_object_set_active(obj, idx);
1311        i915_gem_active_set(&obj->last_read[idx], req);
1312
1313        if (flags & EXEC_OBJECT_WRITE) {
1314                i915_gem_active_set(&obj->last_write, req);
1315
1316                intel_fb_obj_invalidate(obj, ORIGIN_CS);
1317
1318                /* update for the implicit flush after a batch */
1319                obj->base.write_domain &= ~I915_GEM_GPU_DOMAINS;
1320                if (!obj->cache_dirty && gpu_write_needs_clflush(obj))
1321                        obj->cache_dirty = true;
1322        }
1323
1324        if (flags & EXEC_OBJECT_NEEDS_FENCE)
1325                i915_gem_active_set(&vma->last_fence, req);
1326
1327        i915_vma_set_active(vma, idx);
1328        i915_gem_active_set(&vma->last_read[idx], req);
1329        list_move_tail(&vma->vm_link, &vma->vm->active_list);
1330}
1331
1332static void eb_export_fence(struct drm_i915_gem_object *obj,
1333                            struct drm_i915_gem_request *req,
1334                            unsigned int flags)
1335{
1336        struct reservation_object *resv;
1337
1338        resv = i915_gem_object_get_dmabuf_resv(obj);
1339        if (!resv)
1340                return;
1341
1342        /* Ignore errors from failing to allocate the new fence, we can't
1343         * handle an error right now. Worst case should be missed
1344         * synchronisation leading to rendering corruption.
1345         */
1346        ww_mutex_lock(&resv->lock, NULL);
1347        if (flags & EXEC_OBJECT_WRITE)
1348                reservation_object_add_excl_fence(resv, &req->fence);
1349        else if (reservation_object_reserve_shared(resv) == 0)
1350                reservation_object_add_shared_fence(resv, &req->fence);
1351        ww_mutex_unlock(&resv->lock);
1352}
1353
1354static void
1355i915_gem_execbuffer_move_to_active(struct list_head *vmas,
1356                                   struct drm_i915_gem_request *req)
1357{
1358        struct i915_vma *vma;
1359
1360        list_for_each_entry(vma, vmas, exec_list) {
1361                struct drm_i915_gem_object *obj = vma->obj;
1362                u32 old_read = obj->base.read_domains;
1363                u32 old_write = obj->base.write_domain;
1364
1365                obj->base.write_domain = obj->base.pending_write_domain;
1366                if (obj->base.write_domain)
1367                        vma->exec_entry->flags |= EXEC_OBJECT_WRITE;
1368                else
1369                        obj->base.pending_read_domains |= obj->base.read_domains;
1370                obj->base.read_domains = obj->base.pending_read_domains;
1371
1372                i915_vma_move_to_active(vma, req, vma->exec_entry->flags);
1373                eb_export_fence(obj, req, vma->exec_entry->flags);
1374                trace_i915_gem_object_change_domain(obj, old_read, old_write);
1375        }
1376}
1377
1378static int
1379i915_reset_gen7_sol_offsets(struct drm_i915_gem_request *req)
1380{
1381        struct intel_ring *ring = req->ring;
1382        int ret, i;
1383
1384        if (!IS_GEN7(req->i915) || req->engine->id != RCS) {
1385                DRM_DEBUG("sol reset is gen7/rcs only\n");
1386                return -EINVAL;
1387        }
1388
1389        ret = intel_ring_begin(req, 4 * 3);
1390        if (ret)
1391                return ret;
1392
1393        for (i = 0; i < 4; i++) {
1394                intel_ring_emit(ring, MI_LOAD_REGISTER_IMM(1));
1395                intel_ring_emit_reg(ring, GEN7_SO_WRITE_OFFSET(i));
1396                intel_ring_emit(ring, 0);
1397        }
1398
1399        intel_ring_advance(ring);
1400
1401        return 0;
1402}
1403
1404static struct i915_vma *
1405i915_gem_execbuffer_parse(struct intel_engine_cs *engine,
1406                          struct drm_i915_gem_exec_object2 *shadow_exec_entry,
1407                          struct drm_i915_gem_object *batch_obj,
1408                          struct eb_vmas *eb,
1409                          u32 batch_start_offset,
1410                          u32 batch_len,
1411                          bool is_master)
1412{
1413        struct drm_i915_gem_object *shadow_batch_obj;
1414        struct i915_vma *vma;
1415        int ret;
1416
1417        shadow_batch_obj = i915_gem_batch_pool_get(&engine->batch_pool,
1418                                                   PAGE_ALIGN(batch_len));
1419        if (IS_ERR(shadow_batch_obj))
1420                return ERR_CAST(shadow_batch_obj);
1421
1422        ret = intel_engine_cmd_parser(engine,
1423                                      batch_obj,
1424                                      shadow_batch_obj,
1425                                      batch_start_offset,
1426                                      batch_len,
1427                                      is_master);
1428        if (ret) {
1429                if (ret == -EACCES) /* unhandled chained batch */
1430                        vma = NULL;
1431                else
1432                        vma = ERR_PTR(ret);
1433                goto out;
1434        }
1435
1436        vma = i915_gem_object_ggtt_pin(shadow_batch_obj, NULL, 0, 0, 0);
1437        if (IS_ERR(vma))
1438                goto out;
1439
1440        memset(shadow_exec_entry, 0, sizeof(*shadow_exec_entry));
1441
1442        vma->exec_entry = shadow_exec_entry;
1443        vma->exec_entry->flags = __EXEC_OBJECT_HAS_PIN;
1444        i915_gem_object_get(shadow_batch_obj);
1445        list_add_tail(&vma->exec_list, &eb->vmas);
1446
1447out:
1448        i915_gem_object_unpin_pages(shadow_batch_obj);
1449        return vma;
1450}
1451
1452static int
1453execbuf_submit(struct i915_execbuffer_params *params,
1454               struct drm_i915_gem_execbuffer2 *args,
1455               struct list_head *vmas)
1456{
1457        struct drm_i915_private *dev_priv = params->request->i915;
1458        u64 exec_start, exec_len;
1459        int instp_mode;
1460        u32 instp_mask;
1461        int ret;
1462
1463        ret = i915_gem_execbuffer_move_to_gpu(params->request, vmas);
1464        if (ret)
1465                return ret;
1466
1467        ret = i915_switch_context(params->request);
1468        if (ret)
1469                return ret;
1470
1471        instp_mode = args->flags & I915_EXEC_CONSTANTS_MASK;
1472        instp_mask = I915_EXEC_CONSTANTS_MASK;
1473        switch (instp_mode) {
1474        case I915_EXEC_CONSTANTS_REL_GENERAL:
1475        case I915_EXEC_CONSTANTS_ABSOLUTE:
1476        case I915_EXEC_CONSTANTS_REL_SURFACE:
1477                if (instp_mode != 0 && params->engine->id != RCS) {
1478                        DRM_DEBUG("non-0 rel constants mode on non-RCS\n");
1479                        return -EINVAL;
1480                }
1481
1482                if (instp_mode != dev_priv->relative_constants_mode) {
1483                        if (INTEL_INFO(dev_priv)->gen < 4) {
1484                                DRM_DEBUG("no rel constants on pre-gen4\n");
1485                                return -EINVAL;
1486                        }
1487
1488                        if (INTEL_INFO(dev_priv)->gen > 5 &&
1489                            instp_mode == I915_EXEC_CONSTANTS_REL_SURFACE) {
1490                                DRM_DEBUG("rel surface constants mode invalid on gen5+\n");
1491                                return -EINVAL;
1492                        }
1493
1494                        /* The HW changed the meaning on this bit on gen6 */
1495                        if (INTEL_INFO(dev_priv)->gen >= 6)
1496                                instp_mask &= ~I915_EXEC_CONSTANTS_REL_SURFACE;
1497                }
1498                break;
1499        default:
1500                DRM_DEBUG("execbuf with unknown constants: %d\n", instp_mode);
1501                return -EINVAL;
1502        }
1503
1504        if (params->engine->id == RCS &&
1505            instp_mode != dev_priv->relative_constants_mode) {
1506                struct intel_ring *ring = params->request->ring;
1507
1508                ret = intel_ring_begin(params->request, 4);
1509                if (ret)
1510                        return ret;
1511
1512                intel_ring_emit(ring, MI_NOOP);
1513                intel_ring_emit(ring, MI_LOAD_REGISTER_IMM(1));
1514                intel_ring_emit_reg(ring, INSTPM);
1515                intel_ring_emit(ring, instp_mask << 16 | instp_mode);
1516                intel_ring_advance(ring);
1517
1518                dev_priv->relative_constants_mode = instp_mode;
1519        }
1520
1521        if (args->flags & I915_EXEC_GEN7_SOL_RESET) {
1522                ret = i915_reset_gen7_sol_offsets(params->request);
1523                if (ret)
1524                        return ret;
1525        }
1526
1527        exec_len   = args->batch_len;
1528        exec_start = params->batch->node.start +
1529                     params->args_batch_start_offset;
1530
1531        if (exec_len == 0)
1532                exec_len = params->batch->size - params->args_batch_start_offset;
1533
1534        ret = params->engine->emit_bb_start(params->request,
1535                                            exec_start, exec_len,
1536                                            params->dispatch_flags);
1537        if (ret)
1538                return ret;
1539
1540        trace_i915_gem_ring_dispatch(params->request, params->dispatch_flags);
1541
1542        i915_gem_execbuffer_move_to_active(vmas, params->request);
1543
1544        return 0;
1545}
1546
1547/**
1548 * Find one BSD ring to dispatch the corresponding BSD command.
1549 * The engine index is returned.
1550 */
1551static unsigned int
1552gen8_dispatch_bsd_engine(struct drm_i915_private *dev_priv,
1553                         struct drm_file *file)
1554{
1555        struct drm_i915_file_private *file_priv = file->driver_priv;
1556
1557        /* Check whether the file_priv has already selected one ring. */
1558        if ((int)file_priv->bsd_engine < 0)
1559                file_priv->bsd_engine = atomic_fetch_xor(1,
1560                         &dev_priv->mm.bsd_engine_dispatch_index);
1561
1562        return file_priv->bsd_engine;
1563}
1564
1565#define I915_USER_RINGS (4)
1566
1567static const enum intel_engine_id user_ring_map[I915_USER_RINGS + 1] = {
1568        [I915_EXEC_DEFAULT]     = RCS,
1569        [I915_EXEC_RENDER]      = RCS,
1570        [I915_EXEC_BLT]         = BCS,
1571        [I915_EXEC_BSD]         = VCS,
1572        [I915_EXEC_VEBOX]       = VECS
1573};
1574
1575static struct intel_engine_cs *
1576eb_select_engine(struct drm_i915_private *dev_priv,
1577                 struct drm_file *file,
1578                 struct drm_i915_gem_execbuffer2 *args)
1579{
1580        unsigned int user_ring_id = args->flags & I915_EXEC_RING_MASK;
1581        struct intel_engine_cs *engine;
1582
1583        if (user_ring_id > I915_USER_RINGS) {
1584                DRM_DEBUG("execbuf with unknown ring: %u\n", user_ring_id);
1585                return NULL;
1586        }
1587
1588        if ((user_ring_id != I915_EXEC_BSD) &&
1589            ((args->flags & I915_EXEC_BSD_MASK) != 0)) {
1590                DRM_DEBUG("execbuf with non bsd ring but with invalid "
1591                          "bsd dispatch flags: %d\n", (int)(args->flags));
1592                return NULL;
1593        }
1594
1595        if (user_ring_id == I915_EXEC_BSD && HAS_BSD2(dev_priv)) {
1596                unsigned int bsd_idx = args->flags & I915_EXEC_BSD_MASK;
1597
1598                if (bsd_idx == I915_EXEC_BSD_DEFAULT) {
1599                        bsd_idx = gen8_dispatch_bsd_engine(dev_priv, file);
1600                } else if (bsd_idx >= I915_EXEC_BSD_RING1 &&
1601                           bsd_idx <= I915_EXEC_BSD_RING2) {
1602                        bsd_idx >>= I915_EXEC_BSD_SHIFT;
1603                        bsd_idx--;
1604                } else {
1605                        DRM_DEBUG("execbuf with unknown bsd ring: %u\n",
1606                                  bsd_idx);
1607                        return NULL;
1608                }
1609
1610                engine = &dev_priv->engine[_VCS(bsd_idx)];
1611        } else {
1612                engine = &dev_priv->engine[user_ring_map[user_ring_id]];
1613        }
1614
1615        if (!intel_engine_initialized(engine)) {
1616                DRM_DEBUG("execbuf with invalid ring: %u\n", user_ring_id);
1617                return NULL;
1618        }
1619
1620        return engine;
1621}
1622
1623static int
1624i915_gem_do_execbuffer(struct drm_device *dev, void *data,
1625                       struct drm_file *file,
1626                       struct drm_i915_gem_execbuffer2 *args,
1627                       struct drm_i915_gem_exec_object2 *exec)
1628{
1629        struct drm_i915_private *dev_priv = to_i915(dev);
1630        struct i915_ggtt *ggtt = &dev_priv->ggtt;
1631        struct eb_vmas *eb;
1632        struct drm_i915_gem_exec_object2 shadow_exec_entry;
1633        struct intel_engine_cs *engine;
1634        struct i915_gem_context *ctx;
1635        struct i915_address_space *vm;
1636        struct i915_execbuffer_params params_master; /* XXX: will be removed later */
1637        struct i915_execbuffer_params *params = &params_master;
1638        const u32 ctx_id = i915_execbuffer2_get_context_id(*args);
1639        u32 dispatch_flags;
1640        int ret;
1641        bool need_relocs;
1642
1643        if (!i915_gem_check_execbuffer(args))
1644                return -EINVAL;
1645
1646        ret = validate_exec_list(dev, exec, args->buffer_count);
1647        if (ret)
1648                return ret;
1649
1650        dispatch_flags = 0;
1651        if (args->flags & I915_EXEC_SECURE) {
1652                if (!drm_is_current_master(file) || !capable(CAP_SYS_ADMIN))
1653                    return -EPERM;
1654
1655                dispatch_flags |= I915_DISPATCH_SECURE;
1656        }
1657        if (args->flags & I915_EXEC_IS_PINNED)
1658                dispatch_flags |= I915_DISPATCH_PINNED;
1659
1660        engine = eb_select_engine(dev_priv, file, args);
1661        if (!engine)
1662                return -EINVAL;
1663
1664        if (args->buffer_count < 1) {
1665                DRM_DEBUG("execbuf with %d buffers\n", args->buffer_count);
1666                return -EINVAL;
1667        }
1668
1669        if (args->flags & I915_EXEC_RESOURCE_STREAMER) {
1670                if (!HAS_RESOURCE_STREAMER(dev)) {
1671                        DRM_DEBUG("RS is only allowed for Haswell, Gen8 and above\n");
1672                        return -EINVAL;
1673                }
1674                if (engine->id != RCS) {
1675                        DRM_DEBUG("RS is not available on %s\n",
1676                                 engine->name);
1677                        return -EINVAL;
1678                }
1679
1680                dispatch_flags |= I915_DISPATCH_RS;
1681        }
1682
1683        /* Take a local wakeref for preparing to dispatch the execbuf as
1684         * we expect to access the hardware fairly frequently in the
1685         * process. Upon first dispatch, we acquire another prolonged
1686         * wakeref that we hold until the GPU has been idle for at least
1687         * 100ms.
1688         */
1689        intel_runtime_pm_get(dev_priv);
1690
1691        ret = i915_mutex_lock_interruptible(dev);
1692        if (ret)
1693                goto pre_mutex_err;
1694
1695        ctx = i915_gem_validate_context(dev, file, engine, ctx_id);
1696        if (IS_ERR(ctx)) {
1697                mutex_unlock(&dev->struct_mutex);
1698                ret = PTR_ERR(ctx);
1699                goto pre_mutex_err;
1700        }
1701
1702        i915_gem_context_get(ctx);
1703
1704        if (ctx->ppgtt)
1705                vm = &ctx->ppgtt->base;
1706        else
1707                vm = &ggtt->base;
1708
1709        memset(&params_master, 0x00, sizeof(params_master));
1710
1711        eb = eb_create(dev_priv, args);
1712        if (eb == NULL) {
1713                i915_gem_context_put(ctx);
1714                mutex_unlock(&dev->struct_mutex);
1715                ret = -ENOMEM;
1716                goto pre_mutex_err;
1717        }
1718
1719        /* Look up object handles */
1720        ret = eb_lookup_vmas(eb, exec, args, vm, file);
1721        if (ret)
1722                goto err;
1723
1724        /* take note of the batch buffer before we might reorder the lists */
1725        params->batch = eb_get_batch(eb);
1726
1727        /* Move the objects en-masse into the GTT, evicting if necessary. */
1728        need_relocs = (args->flags & I915_EXEC_NO_RELOC) == 0;
1729        ret = i915_gem_execbuffer_reserve(engine, &eb->vmas, ctx,
1730                                          &need_relocs);
1731        if (ret)
1732                goto err;
1733
1734        /* The objects are in their final locations, apply the relocations. */
1735        if (need_relocs)
1736                ret = i915_gem_execbuffer_relocate(eb);
1737        if (ret) {
1738                if (ret == -EFAULT) {
1739                        ret = i915_gem_execbuffer_relocate_slow(dev, args, file,
1740                                                                engine,
1741                                                                eb, exec, ctx);
1742                        BUG_ON(!mutex_is_locked(&dev->struct_mutex));
1743                }
1744                if (ret)
1745                        goto err;
1746        }
1747
1748        /* Set the pending read domains for the batch buffer to COMMAND */
1749        if (params->batch->obj->base.pending_write_domain) {
1750                DRM_DEBUG("Attempting to use self-modifying batch buffer\n");
1751                ret = -EINVAL;
1752                goto err;
1753        }
1754        if (args->batch_start_offset > params->batch->size ||
1755            args->batch_len > params->batch->size - args->batch_start_offset) {
1756                DRM_DEBUG("Attempting to use out-of-bounds batch\n");
1757                ret = -EINVAL;
1758                goto err;
1759        }
1760
1761        params->args_batch_start_offset = args->batch_start_offset;
1762        if (intel_engine_needs_cmd_parser(engine) && args->batch_len) {
1763                struct i915_vma *vma;
1764
1765                vma = i915_gem_execbuffer_parse(engine, &shadow_exec_entry,
1766                                                params->batch->obj,
1767                                                eb,
1768                                                args->batch_start_offset,
1769                                                args->batch_len,
1770                                                drm_is_current_master(file));
1771                if (IS_ERR(vma)) {
1772                        ret = PTR_ERR(vma);
1773                        goto err;
1774                }
1775
1776                if (vma) {
1777                        /*
1778                         * Batch parsed and accepted:
1779                         *
1780                         * Set the DISPATCH_SECURE bit to remove the NON_SECURE
1781                         * bit from MI_BATCH_BUFFER_START commands issued in
1782                         * the dispatch_execbuffer implementations. We
1783                         * specifically don't want that set on batches the
1784                         * command parser has accepted.
1785                         */
1786                        dispatch_flags |= I915_DISPATCH_SECURE;
1787                        params->args_batch_start_offset = 0;
1788                        params->batch = vma;
1789                }
1790        }
1791
1792        params->batch->obj->base.pending_read_domains |= I915_GEM_DOMAIN_COMMAND;
1793
1794        /* snb/ivb/vlv conflate the "batch in ppgtt" bit with the "non-secure
1795         * batch" bit. Hence we need to pin secure batches into the global gtt.
1796         * hsw should have this fixed, but bdw mucks it up again. */
1797        if (dispatch_flags & I915_DISPATCH_SECURE) {
1798                struct drm_i915_gem_object *obj = params->batch->obj;
1799                struct i915_vma *vma;
1800
1801                /*
1802                 * So on first glance it looks freaky that we pin the batch here
1803                 * outside of the reservation loop. But:
1804                 * - The batch is already pinned into the relevant ppgtt, so we
1805                 *   already have the backing storage fully allocated.
1806                 * - No other BO uses the global gtt (well contexts, but meh),
1807                 *   so we don't really have issues with multiple objects not
1808                 *   fitting due to fragmentation.
1809                 * So this is actually safe.
1810                 */
1811                vma = i915_gem_object_ggtt_pin(obj, NULL, 0, 0, 0);
1812                if (IS_ERR(vma)) {
1813                        ret = PTR_ERR(vma);
1814                        goto err;
1815                }
1816
1817                params->batch = vma;
1818        }
1819
1820        /* Allocate a request for this batch buffer nice and early. */
1821        params->request = i915_gem_request_alloc(engine, ctx);
1822        if (IS_ERR(params->request)) {
1823                ret = PTR_ERR(params->request);
1824                goto err_batch_unpin;
1825        }
1826
1827        /* Whilst this request exists, batch_obj will be on the
1828         * active_list, and so will hold the active reference. Only when this
1829         * request is retired will the the batch_obj be moved onto the
1830         * inactive_list and lose its active reference. Hence we do not need
1831         * to explicitly hold another reference here.
1832         */
1833        params->request->batch = params->batch;
1834
1835        ret = i915_gem_request_add_to_client(params->request, file);
1836        if (ret)
1837                goto err_request;
1838
1839        /*
1840         * Save assorted stuff away to pass through to *_submission().
1841         * NB: This data should be 'persistent' and not local as it will
1842         * kept around beyond the duration of the IOCTL once the GPU
1843         * scheduler arrives.
1844         */
1845        params->dev                     = dev;
1846        params->file                    = file;
1847        params->engine                    = engine;
1848        params->dispatch_flags          = dispatch_flags;
1849        params->ctx                     = ctx;
1850
1851        ret = execbuf_submit(params, args, &eb->vmas);
1852err_request:
1853        __i915_add_request(params->request, ret == 0);
1854
1855err_batch_unpin:
1856        /*
1857         * FIXME: We crucially rely upon the active tracking for the (ppgtt)
1858         * batch vma for correctness. For less ugly and less fragility this
1859         * needs to be adjusted to also track the ggtt batch vma properly as
1860         * active.
1861         */
1862        if (dispatch_flags & I915_DISPATCH_SECURE)
1863                i915_vma_unpin(params->batch);
1864err:
1865        /* the request owns the ref now */
1866        i915_gem_context_put(ctx);
1867        eb_destroy(eb);
1868
1869        mutex_unlock(&dev->struct_mutex);
1870
1871pre_mutex_err:
1872        /* intel_gpu_busy should also get a ref, so it will free when the device
1873         * is really idle. */
1874        intel_runtime_pm_put(dev_priv);
1875        return ret;
1876}
1877
1878/*
1879 * Legacy execbuffer just creates an exec2 list from the original exec object
1880 * list array and passes it to the real function.
1881 */
1882int
1883i915_gem_execbuffer(struct drm_device *dev, void *data,
1884                    struct drm_file *file)
1885{
1886        struct drm_i915_gem_execbuffer *args = data;
1887        struct drm_i915_gem_execbuffer2 exec2;
1888        struct drm_i915_gem_exec_object *exec_list = NULL;
1889        struct drm_i915_gem_exec_object2 *exec2_list = NULL;
1890        int ret, i;
1891
1892        if (args->buffer_count < 1) {
1893                DRM_DEBUG("execbuf with %d buffers\n", args->buffer_count);
1894                return -EINVAL;
1895        }
1896
1897        /* Copy in the exec list from userland */
1898        exec_list = drm_malloc_ab(sizeof(*exec_list), args->buffer_count);
1899        exec2_list = drm_malloc_ab(sizeof(*exec2_list), args->buffer_count);
1900        if (exec_list == NULL || exec2_list == NULL) {
1901                DRM_DEBUG("Failed to allocate exec list for %d buffers\n",
1902                          args->buffer_count);
1903                drm_free_large(exec_list);
1904                drm_free_large(exec2_list);
1905                return -ENOMEM;
1906        }
1907        ret = copy_from_user(exec_list,
1908                             u64_to_user_ptr(args->buffers_ptr),
1909                             sizeof(*exec_list) * args->buffer_count);
1910        if (ret != 0) {
1911                DRM_DEBUG("copy %d exec entries failed %d\n",
1912                          args->buffer_count, ret);
1913                drm_free_large(exec_list);
1914                drm_free_large(exec2_list);
1915                return -EFAULT;
1916        }
1917
1918        for (i = 0; i < args->buffer_count; i++) {
1919                exec2_list[i].handle = exec_list[i].handle;
1920                exec2_list[i].relocation_count = exec_list[i].relocation_count;
1921                exec2_list[i].relocs_ptr = exec_list[i].relocs_ptr;
1922                exec2_list[i].alignment = exec_list[i].alignment;
1923                exec2_list[i].offset = exec_list[i].offset;
1924                if (INTEL_INFO(dev)->gen < 4)
1925                        exec2_list[i].flags = EXEC_OBJECT_NEEDS_FENCE;
1926                else
1927                        exec2_list[i].flags = 0;
1928        }
1929
1930        exec2.buffers_ptr = args->buffers_ptr;
1931        exec2.buffer_count = args->buffer_count;
1932        exec2.batch_start_offset = args->batch_start_offset;
1933        exec2.batch_len = args->batch_len;
1934        exec2.DR1 = args->DR1;
1935        exec2.DR4 = args->DR4;
1936        exec2.num_cliprects = args->num_cliprects;
1937        exec2.cliprects_ptr = args->cliprects_ptr;
1938        exec2.flags = I915_EXEC_RENDER;
1939        i915_execbuffer2_set_context_id(exec2, 0);
1940
1941        ret = i915_gem_do_execbuffer(dev, data, file, &exec2, exec2_list);
1942        if (!ret) {
1943                struct drm_i915_gem_exec_object __user *user_exec_list =
1944                        u64_to_user_ptr(args->buffers_ptr);
1945
1946                /* Copy the new buffer offsets back to the user's exec list. */
1947                for (i = 0; i < args->buffer_count; i++) {
1948                        exec2_list[i].offset =
1949                                gen8_canonical_addr(exec2_list[i].offset);
1950                        ret = __copy_to_user(&user_exec_list[i].offset,
1951                                             &exec2_list[i].offset,
1952                                             sizeof(user_exec_list[i].offset));
1953                        if (ret) {
1954                                ret = -EFAULT;
1955                                DRM_DEBUG("failed to copy %d exec entries "
1956                                          "back to user (%d)\n",
1957                                          args->buffer_count, ret);
1958                                break;
1959                        }
1960                }
1961        }
1962
1963        drm_free_large(exec_list);
1964        drm_free_large(exec2_list);
1965        return ret;
1966}
1967
1968int
1969i915_gem_execbuffer2(struct drm_device *dev, void *data,
1970                     struct drm_file *file)
1971{
1972        struct drm_i915_gem_execbuffer2 *args = data;
1973        struct drm_i915_gem_exec_object2 *exec2_list = NULL;
1974        int ret;
1975
1976        if (args->buffer_count < 1 ||
1977            args->buffer_count > UINT_MAX / sizeof(*exec2_list)) {
1978                DRM_DEBUG("execbuf2 with %d buffers\n", args->buffer_count);
1979                return -EINVAL;
1980        }
1981
1982        if (args->rsvd2 != 0) {
1983                DRM_DEBUG("dirty rvsd2 field\n");
1984                return -EINVAL;
1985        }
1986
1987        exec2_list = drm_malloc_gfp(args->buffer_count,
1988                                    sizeof(*exec2_list),
1989                                    GFP_TEMPORARY);
1990        if (exec2_list == NULL) {
1991                DRM_DEBUG("Failed to allocate exec list for %d buffers\n",
1992                          args->buffer_count);
1993                return -ENOMEM;
1994        }
1995        ret = copy_from_user(exec2_list,
1996                             u64_to_user_ptr(args->buffers_ptr),
1997                             sizeof(*exec2_list) * args->buffer_count);
1998        if (ret != 0) {
1999                DRM_DEBUG("copy %d exec entries failed %d\n",
2000                          args->buffer_count, ret);

2001                drm_free_large(exec2_list);
2002                return -EFAULT;
2003        }
2004
2005        ret = i915_gem_do_execbuffer(dev, data, file, args, exec2_list);
2006        if (!ret) {
2007                /* Copy the new buffer offsets back to the user's exec list. */
2008                struct drm_i915_gem_exec_object2 __user *user_exec_list =
2009                                   u64_to_user_ptr(args->buffers_ptr);
2010                int i;
2011
2012                for (i = 0; i < args->buffer_count; i++) {
2013                        exec2_list[i].offset =
2014                                gen8_canonical_addr(exec2_list[i].offset);
2015                        ret = __copy_to_user(&user_exec_list[i].offset,
2016                                             &exec2_list[i].offset,
2017                                             sizeof(user_exec_list[i].offset));
2018                        if (ret) {
2019                                ret = -EFAULT;
2020                                DRM_DEBUG("failed to copy %d exec entries "
2021                                          "back to user\n",
2022                                          args->buffer_count);
2023                                break;
2024                        }
2025                }
2026        }
2027
2028        drm_free_large(exec2_list);
2029        return ret;
2030}
2031