linux/drivers/gpu/drm/vc4/vc4_validate.c
<<
>>
Prefs
   1/*
   2 * Copyright © 2014 Broadcom
   3 *
   4 * Permission is hereby granted, free of charge, to any person obtaining a
   5 * copy of this software and associated documentation files (the "Software"),
   6 * to deal in the Software without restriction, including without limitation
   7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
   8 * and/or sell copies of the Software, and to permit persons to whom the
   9 * Software is furnished to do so, subject to the following conditions:
  10 *
  11 * The above copyright notice and this permission notice (including the next
  12 * paragraph) shall be included in all copies or substantial portions of the
  13 * Software.
  14 *
  15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
  18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
  20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
  21 * IN THE SOFTWARE.
  22 */
  23
  24/**
  25 * DOC: Command list validator for VC4.
  26 *
  27 * Since the VC4 has no IOMMU between it and system memory, a user
  28 * with access to execute command lists could escalate privilege by
  29 * overwriting system memory (drawing to it as a framebuffer) or
  30 * reading system memory it shouldn't (reading it as a vertex buffer
  31 * or index buffer)
  32 *
  33 * We validate binner command lists to ensure that all accesses are
  34 * within the bounds of the GEM objects referenced by the submitted
  35 * job.  It explicitly whitelists packets, and looks at the offsets in
  36 * any address fields to make sure they're contained within the BOs
  37 * they reference.
  38 *
  39 * Note that because CL validation is already reading the
  40 * user-submitted CL and writing the validated copy out to the memory
  41 * that the GPU will actually read, this is also where GEM relocation
  42 * processing (turning BO references into actual addresses for the GPU
  43 * to use) happens.
  44 */
  45
  46#include "uapi/drm/vc4_drm.h"
  47#include "vc4_drv.h"
  48#include "vc4_packet.h"
  49
  50#define VALIDATE_ARGS \
  51        struct vc4_exec_info *exec,                     \
  52        void *validated,                                \
  53        void *untrusted
  54
  55/** Return the width in pixels of a 64-byte microtile. */
  56static uint32_t
  57utile_width(int cpp)
  58{
  59        switch (cpp) {
  60        case 1:
  61        case 2:
  62                return 8;
  63        case 4:
  64                return 4;
  65        case 8:
  66                return 2;
  67        default:
  68                DRM_ERROR("unknown cpp: %d\n", cpp);
  69                return 1;
  70        }
  71}
  72
  73/** Return the height in pixels of a 64-byte microtile. */
  74static uint32_t
  75utile_height(int cpp)
  76{
  77        switch (cpp) {
  78        case 1:
  79                return 8;
  80        case 2:
  81        case 4:
  82        case 8:
  83                return 4;
  84        default:
  85                DRM_ERROR("unknown cpp: %d\n", cpp);
  86                return 1;
  87        }
  88}
  89
  90/**
  91 * size_is_lt() - Returns whether a miplevel of the given size will
  92 * use the lineartile (LT) tiling layout rather than the normal T
  93 * tiling layout.
  94 * @width: Width in pixels of the miplevel
  95 * @height: Height in pixels of the miplevel
  96 * @cpp: Bytes per pixel of the pixel format
  97 */
  98static bool
  99size_is_lt(uint32_t width, uint32_t height, int cpp)
 100{
 101        return (width <= 4 * utile_width(cpp) ||
 102                height <= 4 * utile_height(cpp));
 103}
 104
 105struct drm_gem_cma_object *
 106vc4_use_bo(struct vc4_exec_info *exec, uint32_t hindex)
 107{
 108        struct drm_gem_cma_object *obj;
 109        struct vc4_bo *bo;
 110
 111        if (hindex >= exec->bo_count) {
 112                DRM_DEBUG("BO index %d greater than BO count %d\n",
 113                          hindex, exec->bo_count);
 114                return NULL;
 115        }
 116        obj = exec->bo[hindex];
 117        bo = to_vc4_bo(&obj->base);
 118
 119        if (bo->validated_shader) {
 120                DRM_DEBUG("Trying to use shader BO as something other than "
 121                          "a shader\n");
 122                return NULL;
 123        }
 124
 125        return obj;
 126}
 127
 128static struct drm_gem_cma_object *
 129vc4_use_handle(struct vc4_exec_info *exec, uint32_t gem_handles_packet_index)
 130{
 131        return vc4_use_bo(exec, exec->bo_index[gem_handles_packet_index]);
 132}
 133
 134static bool
 135validate_bin_pos(struct vc4_exec_info *exec, void *untrusted, uint32_t pos)
 136{
 137        /* Note that the untrusted pointer passed to these functions is
 138         * incremented past the packet byte.
 139         */
 140        return (untrusted - 1 == exec->bin_u + pos);
 141}
 142
 143static uint32_t
 144gl_shader_rec_size(uint32_t pointer_bits)
 145{
 146        uint32_t attribute_count = pointer_bits & 7;
 147        bool extended = pointer_bits & 8;
 148
 149        if (attribute_count == 0)
 150                attribute_count = 8;
 151
 152        if (extended)
 153                return 100 + attribute_count * 4;
 154        else
 155                return 36 + attribute_count * 8;
 156}
 157
 158bool
 159vc4_check_tex_size(struct vc4_exec_info *exec, struct drm_gem_cma_object *fbo,
 160                   uint32_t offset, uint8_t tiling_format,
 161                   uint32_t width, uint32_t height, uint8_t cpp)
 162{
 163        uint32_t aligned_width, aligned_height, stride, size;
 164        uint32_t utile_w = utile_width(cpp);
 165        uint32_t utile_h = utile_height(cpp);
 166
 167        /* The shaded vertex format stores signed 12.4 fixed point
 168         * (-2048,2047) offsets from the viewport center, so we should
 169         * never have a render target larger than 4096.  The texture
 170         * unit can only sample from 2048x2048, so it's even more
 171         * restricted.  This lets us avoid worrying about overflow in
 172         * our math.
 173         */
 174        if (width > 4096 || height > 4096) {
 175                DRM_DEBUG("Surface dimensions (%d,%d) too large",
 176                          width, height);
 177                return false;
 178        }
 179
 180        switch (tiling_format) {
 181        case VC4_TILING_FORMAT_LINEAR:
 182                aligned_width = round_up(width, utile_w);
 183                aligned_height = height;
 184                break;
 185        case VC4_TILING_FORMAT_T:
 186                aligned_width = round_up(width, utile_w * 8);
 187                aligned_height = round_up(height, utile_h * 8);
 188                break;
 189        case VC4_TILING_FORMAT_LT:
 190                aligned_width = round_up(width, utile_w);
 191                aligned_height = round_up(height, utile_h);
 192                break;
 193        default:
 194                DRM_DEBUG("buffer tiling %d unsupported\n", tiling_format);
 195                return false;
 196        }
 197
 198        stride = aligned_width * cpp;
 199        size = stride * aligned_height;
 200
 201        if (size + offset < size ||
 202            size + offset > fbo->base.size) {
 203                DRM_DEBUG("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %zd)\n",
 204                          width, height,
 205                          aligned_width, aligned_height,
 206                          size, offset, fbo->base.size);
 207                return false;
 208        }
 209
 210        return true;
 211}
 212
 213static int
 214validate_flush(VALIDATE_ARGS)
 215{
 216        if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 1)) {
 217                DRM_DEBUG("Bin CL must end with VC4_PACKET_FLUSH\n");
 218                return -EINVAL;
 219        }
 220        exec->found_flush = true;
 221
 222        return 0;
 223}
 224
 225static int
 226validate_start_tile_binning(VALIDATE_ARGS)
 227{
 228        if (exec->found_start_tile_binning_packet) {
 229                DRM_DEBUG("Duplicate VC4_PACKET_START_TILE_BINNING\n");
 230                return -EINVAL;
 231        }
 232        exec->found_start_tile_binning_packet = true;
 233
 234        if (!exec->found_tile_binning_mode_config_packet) {
 235                DRM_DEBUG("missing VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
 236                return -EINVAL;
 237        }
 238
 239        return 0;
 240}
 241
 242static int
 243validate_increment_semaphore(VALIDATE_ARGS)
 244{
 245        if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 2)) {
 246                DRM_DEBUG("Bin CL must end with "
 247                          "VC4_PACKET_INCREMENT_SEMAPHORE\n");
 248                return -EINVAL;
 249        }
 250        exec->found_increment_semaphore_packet = true;
 251
 252        return 0;
 253}
 254
 255static int
 256validate_indexed_prim_list(VALIDATE_ARGS)
 257{
 258        struct drm_gem_cma_object *ib;
 259        uint32_t length = *(uint32_t *)(untrusted + 1);
 260        uint32_t offset = *(uint32_t *)(untrusted + 5);
 261        uint32_t max_index = *(uint32_t *)(untrusted + 9);
 262        uint32_t index_size = (*(uint8_t *)(untrusted + 0) >> 4) ? 2 : 1;
 263        struct vc4_shader_state *shader_state;
 264
 265        /* Check overflow condition */
 266        if (exec->shader_state_count == 0) {
 267                DRM_DEBUG("shader state must precede primitives\n");
 268                return -EINVAL;
 269        }
 270        shader_state = &exec->shader_state[exec->shader_state_count - 1];
 271
 272        if (max_index > shader_state->max_index)
 273                shader_state->max_index = max_index;
 274
 275        ib = vc4_use_handle(exec, 0);
 276        if (!ib)
 277                return -EINVAL;
 278
 279        exec->bin_dep_seqno = max(exec->bin_dep_seqno,
 280                                  to_vc4_bo(&ib->base)->write_seqno);
 281
 282        if (offset > ib->base.size ||
 283            (ib->base.size - offset) / index_size < length) {
 284                DRM_DEBUG("IB access overflow (%d + %d*%d > %zd)\n",
 285                          offset, length, index_size, ib->base.size);
 286                return -EINVAL;
 287        }
 288
 289        *(uint32_t *)(validated + 5) = ib->paddr + offset;
 290
 291        return 0;
 292}
 293
 294static int
 295validate_gl_array_primitive(VALIDATE_ARGS)
 296{
 297        uint32_t length = *(uint32_t *)(untrusted + 1);
 298        uint32_t base_index = *(uint32_t *)(untrusted + 5);
 299        uint32_t max_index;
 300        struct vc4_shader_state *shader_state;
 301
 302        /* Check overflow condition */
 303        if (exec->shader_state_count == 0) {
 304                DRM_DEBUG("shader state must precede primitives\n");
 305                return -EINVAL;
 306        }
 307        shader_state = &exec->shader_state[exec->shader_state_count - 1];
 308
 309        if (length + base_index < length) {
 310                DRM_DEBUG("primitive vertex count overflow\n");
 311                return -EINVAL;
 312        }
 313        max_index = length + base_index - 1;
 314
 315        if (max_index > shader_state->max_index)
 316                shader_state->max_index = max_index;
 317
 318        return 0;
 319}
 320
 321static int
 322validate_gl_shader_state(VALIDATE_ARGS)
 323{
 324        uint32_t i = exec->shader_state_count++;
 325
 326        if (i >= exec->shader_state_size) {
 327                DRM_DEBUG("More requests for shader states than declared\n");
 328                return -EINVAL;
 329        }
 330
 331        exec->shader_state[i].addr = *(uint32_t *)untrusted;
 332        exec->shader_state[i].max_index = 0;
 333
 334        if (exec->shader_state[i].addr & ~0xf) {
 335                DRM_DEBUG("high bits set in GL shader rec reference\n");
 336                return -EINVAL;
 337        }
 338
 339        *(uint32_t *)validated = (exec->shader_rec_p +
 340                                  exec->shader_state[i].addr);
 341
 342        exec->shader_rec_p +=
 343                roundup(gl_shader_rec_size(exec->shader_state[i].addr), 16);
 344
 345        return 0;
 346}
 347
 348static int
 349validate_tile_binning_config(VALIDATE_ARGS)
 350{
 351        struct drm_device *dev = exec->exec_bo->base.dev;
 352        struct vc4_dev *vc4 = to_vc4_dev(dev);
 353        uint8_t flags;
 354        uint32_t tile_state_size;
 355        uint32_t tile_count, bin_addr;
 356        int bin_slot;
 357
 358        if (exec->found_tile_binning_mode_config_packet) {
 359                DRM_DEBUG("Duplicate VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
 360                return -EINVAL;
 361        }
 362        exec->found_tile_binning_mode_config_packet = true;
 363
 364        exec->bin_tiles_x = *(uint8_t *)(untrusted + 12);
 365        exec->bin_tiles_y = *(uint8_t *)(untrusted + 13);
 366        tile_count = exec->bin_tiles_x * exec->bin_tiles_y;
 367        flags = *(uint8_t *)(untrusted + 14);
 368
 369        if (exec->bin_tiles_x == 0 ||
 370            exec->bin_tiles_y == 0) {
 371                DRM_DEBUG("Tile binning config of %dx%d too small\n",
 372                          exec->bin_tiles_x, exec->bin_tiles_y);
 373                return -EINVAL;
 374        }
 375
 376        if (flags & (VC4_BIN_CONFIG_DB_NON_MS |
 377                     VC4_BIN_CONFIG_TILE_BUFFER_64BIT)) {
 378                DRM_DEBUG("unsupported binning config flags 0x%02x\n", flags);
 379                return -EINVAL;
 380        }
 381
 382        bin_slot = vc4_v3d_get_bin_slot(vc4);
 383        if (bin_slot < 0) {
 384                if (bin_slot != -EINTR && bin_slot != -ERESTARTSYS) {
 385                        DRM_ERROR("Failed to allocate binner memory: %d\n",
 386                                  bin_slot);
 387                }
 388                return bin_slot;
 389        }
 390
 391        /* The slot we allocated will only be used by this job, and is
 392         * free when the job completes rendering.
 393         */
 394        exec->bin_slots |= BIT(bin_slot);
 395        bin_addr = vc4->bin_bo->base.paddr + bin_slot * vc4->bin_alloc_size;
 396
 397        /* The tile state data array is 48 bytes per tile, and we put it at
 398         * the start of a BO containing both it and the tile alloc.
 399         */
 400        tile_state_size = 48 * tile_count;
 401
 402        /* Since the tile alloc array will follow us, align. */
 403        exec->tile_alloc_offset = bin_addr + roundup(tile_state_size, 4096);
 404
 405        *(uint8_t *)(validated + 14) =
 406                ((flags & ~(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_MASK |
 407                            VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_MASK)) |
 408                 VC4_BIN_CONFIG_AUTO_INIT_TSDA |
 409                 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_32,
 410                               VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE) |
 411                 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_128,
 412                               VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE));
 413
 414        /* tile alloc address. */
 415        *(uint32_t *)(validated + 0) = exec->tile_alloc_offset;
 416        /* tile alloc size. */
 417        *(uint32_t *)(validated + 4) = (bin_addr + vc4->bin_alloc_size -
 418                                        exec->tile_alloc_offset);
 419        /* tile state address. */
 420        *(uint32_t *)(validated + 8) = bin_addr;
 421
 422        return 0;
 423}
 424
 425static int
 426validate_gem_handles(VALIDATE_ARGS)
 427{
 428        memcpy(exec->bo_index, untrusted, sizeof(exec->bo_index));
 429        return 0;
 430}
 431
 432#define VC4_DEFINE_PACKET(packet, func) \
 433        [packet] = { packet ## _SIZE, #packet, func }
 434
 435static const struct cmd_info {
 436        uint16_t len;
 437        const char *name;
 438        int (*func)(struct vc4_exec_info *exec, void *validated,
 439                    void *untrusted);
 440} cmd_info[] = {
 441        VC4_DEFINE_PACKET(VC4_PACKET_HALT, NULL),
 442        VC4_DEFINE_PACKET(VC4_PACKET_NOP, NULL),
 443        VC4_DEFINE_PACKET(VC4_PACKET_FLUSH, validate_flush),
 444        VC4_DEFINE_PACKET(VC4_PACKET_FLUSH_ALL, NULL),
 445        VC4_DEFINE_PACKET(VC4_PACKET_START_TILE_BINNING,
 446                          validate_start_tile_binning),
 447        VC4_DEFINE_PACKET(VC4_PACKET_INCREMENT_SEMAPHORE,
 448                          validate_increment_semaphore),
 449
 450        VC4_DEFINE_PACKET(VC4_PACKET_GL_INDEXED_PRIMITIVE,
 451                          validate_indexed_prim_list),
 452        VC4_DEFINE_PACKET(VC4_PACKET_GL_ARRAY_PRIMITIVE,
 453                          validate_gl_array_primitive),
 454
 455        VC4_DEFINE_PACKET(VC4_PACKET_PRIMITIVE_LIST_FORMAT, NULL),
 456
 457        VC4_DEFINE_PACKET(VC4_PACKET_GL_SHADER_STATE, validate_gl_shader_state),
 458
 459        VC4_DEFINE_PACKET(VC4_PACKET_CONFIGURATION_BITS, NULL),
 460        VC4_DEFINE_PACKET(VC4_PACKET_FLAT_SHADE_FLAGS, NULL),
 461        VC4_DEFINE_PACKET(VC4_PACKET_POINT_SIZE, NULL),
 462        VC4_DEFINE_PACKET(VC4_PACKET_LINE_WIDTH, NULL),
 463        VC4_DEFINE_PACKET(VC4_PACKET_RHT_X_BOUNDARY, NULL),
 464        VC4_DEFINE_PACKET(VC4_PACKET_DEPTH_OFFSET, NULL),
 465        VC4_DEFINE_PACKET(VC4_PACKET_CLIP_WINDOW, NULL),
 466        VC4_DEFINE_PACKET(VC4_PACKET_VIEWPORT_OFFSET, NULL),
 467        VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_XY_SCALING, NULL),
 468        /* Note: The docs say this was also 105, but it was 106 in the
 469         * initial userland code drop.
 470         */
 471        VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_Z_SCALING, NULL),
 472
 473        VC4_DEFINE_PACKET(VC4_PACKET_TILE_BINNING_MODE_CONFIG,
 474                          validate_tile_binning_config),
 475
 476        VC4_DEFINE_PACKET(VC4_PACKET_GEM_HANDLES, validate_gem_handles),
 477};
 478
 479int
 480vc4_validate_bin_cl(struct drm_device *dev,
 481                    void *validated,
 482                    void *unvalidated,
 483                    struct vc4_exec_info *exec)
 484{
 485        uint32_t len = exec->args->bin_cl_size;
 486        uint32_t dst_offset = 0;
 487        uint32_t src_offset = 0;
 488
 489        while (src_offset < len) {
 490                void *dst_pkt = validated + dst_offset;
 491                void *src_pkt = unvalidated + src_offset;
 492                u8 cmd = *(uint8_t *)src_pkt;
 493                const struct cmd_info *info;
 494
 495                if (cmd >= ARRAY_SIZE(cmd_info)) {
 496                        DRM_DEBUG("0x%08x: packet %d out of bounds\n",
 497                                  src_offset, cmd);
 498                        return -EINVAL;
 499                }
 500
 501                info = &cmd_info[cmd];
 502                if (!info->name) {
 503                        DRM_DEBUG("0x%08x: packet %d invalid\n",
 504                                  src_offset, cmd);
 505                        return -EINVAL;
 506                }
 507
 508                if (src_offset + info->len > len) {
 509                        DRM_DEBUG("0x%08x: packet %d (%s) length 0x%08x "
 510                                  "exceeds bounds (0x%08x)\n",
 511                                  src_offset, cmd, info->name, info->len,
 512                                  src_offset + len);
 513                        return -EINVAL;
 514                }
 515
 516                if (cmd != VC4_PACKET_GEM_HANDLES)
 517                        memcpy(dst_pkt, src_pkt, info->len);
 518
 519                if (info->func && info->func(exec,
 520                                             dst_pkt + 1,
 521                                             src_pkt + 1)) {
 522                        DRM_DEBUG("0x%08x: packet %d (%s) failed to validate\n",
 523                                  src_offset, cmd, info->name);
 524                        return -EINVAL;
 525                }
 526
 527                src_offset += info->len;
 528                /* GEM handle loading doesn't produce HW packets. */
 529                if (cmd != VC4_PACKET_GEM_HANDLES)
 530                        dst_offset += info->len;
 531
 532                /* When the CL hits halt, it'll stop reading anything else. */
 533                if (cmd == VC4_PACKET_HALT)
 534                        break;
 535        }
 536
 537        exec->ct0ea = exec->ct0ca + dst_offset;
 538
 539        if (!exec->found_start_tile_binning_packet) {
 540                DRM_DEBUG("Bin CL missing VC4_PACKET_START_TILE_BINNING\n");
 541                return -EINVAL;
 542        }
 543
 544        /* The bin CL must be ended with INCREMENT_SEMAPHORE and FLUSH.  The
 545         * semaphore is used to trigger the render CL to start up, and the
 546         * FLUSH is what caps the bin lists with
 547         * VC4_PACKET_RETURN_FROM_SUB_LIST (so they jump back to the main
 548         * render CL when they get called to) and actually triggers the queued
 549         * semaphore increment.
 550         */
 551        if (!exec->found_increment_semaphore_packet || !exec->found_flush) {
 552                DRM_DEBUG("Bin CL missing VC4_PACKET_INCREMENT_SEMAPHORE + "
 553                          "VC4_PACKET_FLUSH\n");
 554                return -EINVAL;
 555        }
 556
 557        return 0;
 558}
 559
 560static bool
 561reloc_tex(struct vc4_exec_info *exec,
 562          void *uniform_data_u,
 563          struct vc4_texture_sample_info *sample,
 564          uint32_t texture_handle_index, bool is_cs)
 565{
 566        struct drm_gem_cma_object *tex;
 567        uint32_t p0 = *(uint32_t *)(uniform_data_u + sample->p_offset[0]);
 568        uint32_t p1 = *(uint32_t *)(uniform_data_u + sample->p_offset[1]);
 569        uint32_t p2 = (sample->p_offset[2] != ~0 ?
 570                       *(uint32_t *)(uniform_data_u + sample->p_offset[2]) : 0);
 571        uint32_t p3 = (sample->p_offset[3] != ~0 ?
 572                       *(uint32_t *)(uniform_data_u + sample->p_offset[3]) : 0);
 573        uint32_t *validated_p0 = exec->uniforms_v + sample->p_offset[0];
 574        uint32_t offset = p0 & VC4_TEX_P0_OFFSET_MASK;
 575        uint32_t miplevels = VC4_GET_FIELD(p0, VC4_TEX_P0_MIPLVLS);
 576        uint32_t width = VC4_GET_FIELD(p1, VC4_TEX_P1_WIDTH);
 577        uint32_t height = VC4_GET_FIELD(p1, VC4_TEX_P1_HEIGHT);
 578        uint32_t cpp, tiling_format, utile_w, utile_h;
 579        uint32_t i;
 580        uint32_t cube_map_stride = 0;
 581        enum vc4_texture_data_type type;
 582
 583        tex = vc4_use_bo(exec, texture_handle_index);
 584        if (!tex)
 585                return false;
 586
 587        if (sample->is_direct) {
 588                uint32_t remaining_size = tex->base.size - p0;
 589
 590                if (p0 > tex->base.size - 4) {
 591                        DRM_DEBUG("UBO offset greater than UBO size\n");
 592                        goto fail;
 593                }
 594                if (p1 > remaining_size - 4) {
 595                        DRM_DEBUG("UBO clamp would allow reads "
 596                                  "outside of UBO\n");
 597                        goto fail;
 598                }
 599                *validated_p0 = tex->paddr + p0;
 600                return true;
 601        }
 602
 603        if (width == 0)
 604                width = 2048;
 605        if (height == 0)
 606                height = 2048;
 607
 608        if (p0 & VC4_TEX_P0_CMMODE_MASK) {
 609                if (VC4_GET_FIELD(p2, VC4_TEX_P2_PTYPE) ==
 610                    VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE)
 611                        cube_map_stride = p2 & VC4_TEX_P2_CMST_MASK;
 612                if (VC4_GET_FIELD(p3, VC4_TEX_P2_PTYPE) ==
 613                    VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE) {
 614                        if (cube_map_stride) {
 615                                DRM_DEBUG("Cube map stride set twice\n");
 616                                goto fail;
 617                        }
 618
 619                        cube_map_stride = p3 & VC4_TEX_P2_CMST_MASK;
 620                }
 621                if (!cube_map_stride) {
 622                        DRM_DEBUG("Cube map stride not set\n");
 623                        goto fail;
 624                }
 625        }
 626
 627        type = (VC4_GET_FIELD(p0, VC4_TEX_P0_TYPE) |
 628                (VC4_GET_FIELD(p1, VC4_TEX_P1_TYPE4) << 4));
 629
 630        switch (type) {
 631        case VC4_TEXTURE_TYPE_RGBA8888:
 632        case VC4_TEXTURE_TYPE_RGBX8888:
 633        case VC4_TEXTURE_TYPE_RGBA32R:
 634                cpp = 4;
 635                break;
 636        case VC4_TEXTURE_TYPE_RGBA4444:
 637        case VC4_TEXTURE_TYPE_RGBA5551:
 638        case VC4_TEXTURE_TYPE_RGB565:
 639        case VC4_TEXTURE_TYPE_LUMALPHA:
 640        case VC4_TEXTURE_TYPE_S16F:
 641        case VC4_TEXTURE_TYPE_S16:
 642                cpp = 2;
 643                break;
 644        case VC4_TEXTURE_TYPE_LUMINANCE:
 645        case VC4_TEXTURE_TYPE_ALPHA:
 646        case VC4_TEXTURE_TYPE_S8:
 647                cpp = 1;
 648                break;
 649        case VC4_TEXTURE_TYPE_ETC1:
 650                /* ETC1 is arranged as 64-bit blocks, where each block is 4x4
 651                 * pixels.
 652                 */
 653                cpp = 8;
 654                width = (width + 3) >> 2;
 655                height = (height + 3) >> 2;
 656                break;
 657        case VC4_TEXTURE_TYPE_BW1:
 658        case VC4_TEXTURE_TYPE_A4:
 659        case VC4_TEXTURE_TYPE_A1:
 660        case VC4_TEXTURE_TYPE_RGBA64:
 661        case VC4_TEXTURE_TYPE_YUV422R:
 662        default:
 663                DRM_DEBUG("Texture format %d unsupported\n", type);
 664                goto fail;
 665        }
 666        utile_w = utile_width(cpp);
 667        utile_h = utile_height(cpp);
 668
 669        if (type == VC4_TEXTURE_TYPE_RGBA32R) {
 670                tiling_format = VC4_TILING_FORMAT_LINEAR;
 671        } else {
 672                if (size_is_lt(width, height, cpp))
 673                        tiling_format = VC4_TILING_FORMAT_LT;
 674                else
 675                        tiling_format = VC4_TILING_FORMAT_T;
 676        }
 677
 678        if (!vc4_check_tex_size(exec, tex, offset + cube_map_stride * 5,
 679                                tiling_format, width, height, cpp)) {
 680                goto fail;
 681        }
 682
 683        /* The mipmap levels are stored before the base of the texture.  Make
 684         * sure there is actually space in the BO.
 685         */
 686        for (i = 1; i <= miplevels; i++) {
 687                uint32_t level_width = max(width >> i, 1u);
 688                uint32_t level_height = max(height >> i, 1u);
 689                uint32_t aligned_width, aligned_height;
 690                uint32_t level_size;
 691
 692                /* Once the levels get small enough, they drop from T to LT. */
 693                if (tiling_format == VC4_TILING_FORMAT_T &&
 694                    size_is_lt(level_width, level_height, cpp)) {
 695                        tiling_format = VC4_TILING_FORMAT_LT;
 696                }
 697
 698                switch (tiling_format) {
 699                case VC4_TILING_FORMAT_T:
 700                        aligned_width = round_up(level_width, utile_w * 8);
 701                        aligned_height = round_up(level_height, utile_h * 8);
 702                        break;
 703                case VC4_TILING_FORMAT_LT:
 704                        aligned_width = round_up(level_width, utile_w);
 705                        aligned_height = round_up(level_height, utile_h);
 706                        break;
 707                default:
 708                        aligned_width = round_up(level_width, utile_w);
 709                        aligned_height = level_height;
 710                        break;
 711                }
 712
 713                level_size = aligned_width * cpp * aligned_height;
 714
 715                if (offset < level_size) {
 716                        DRM_DEBUG("Level %d (%dx%d -> %dx%d) size %db "
 717                                  "overflowed buffer bounds (offset %d)\n",
 718                                  i, level_width, level_height,
 719                                  aligned_width, aligned_height,
 720                                  level_size, offset);
 721                        goto fail;
 722                }
 723
 724                offset -= level_size;
 725        }
 726
 727        *validated_p0 = tex->paddr + p0;
 728
 729        if (is_cs) {
 730                exec->bin_dep_seqno = max(exec->bin_dep_seqno,
 731                                          to_vc4_bo(&tex->base)->write_seqno);
 732        }
 733
 734        return true;
 735 fail:
 736        DRM_INFO("Texture p0 at %d: 0x%08x\n", sample->p_offset[0], p0);
 737        DRM_INFO("Texture p1 at %d: 0x%08x\n", sample->p_offset[1], p1);
 738        DRM_INFO("Texture p2 at %d: 0x%08x\n", sample->p_offset[2], p2);
 739        DRM_INFO("Texture p3 at %d: 0x%08x\n", sample->p_offset[3], p3);
 740        return false;
 741}
 742
 743static int
 744validate_gl_shader_rec(struct drm_device *dev,
 745                       struct vc4_exec_info *exec,
 746                       struct vc4_shader_state *state)
 747{
 748        uint32_t *src_handles;
 749        void *pkt_u, *pkt_v;
 750        static const uint32_t shader_reloc_offsets[] = {
 751                4, /* fs */
 752                16, /* vs */
 753                28, /* cs */
 754        };
 755        uint32_t shader_reloc_count = ARRAY_SIZE(shader_reloc_offsets);
 756        struct drm_gem_cma_object *bo[shader_reloc_count + 8];
 757        uint32_t nr_attributes, nr_relocs, packet_size;
 758        int i;
 759
 760        nr_attributes = state->addr & 0x7;
 761        if (nr_attributes == 0)
 762                nr_attributes = 8;
 763        packet_size = gl_shader_rec_size(state->addr);
 764
 765        nr_relocs = ARRAY_SIZE(shader_reloc_offsets) + nr_attributes;
 766        if (nr_relocs * 4 > exec->shader_rec_size) {
 767                DRM_DEBUG("overflowed shader recs reading %d handles "
 768                          "from %d bytes left\n",
 769                          nr_relocs, exec->shader_rec_size);
 770                return -EINVAL;
 771        }
 772        src_handles = exec->shader_rec_u;
 773        exec->shader_rec_u += nr_relocs * 4;
 774        exec->shader_rec_size -= nr_relocs * 4;
 775
 776        if (packet_size > exec->shader_rec_size) {
 777                DRM_DEBUG("overflowed shader recs copying %db packet "
 778                          "from %d bytes left\n",
 779                          packet_size, exec->shader_rec_size);
 780                return -EINVAL;
 781        }
 782        pkt_u = exec->shader_rec_u;
 783        pkt_v = exec->shader_rec_v;
 784        memcpy(pkt_v, pkt_u, packet_size);
 785        exec->shader_rec_u += packet_size;
 786        /* Shader recs have to be aligned to 16 bytes (due to the attribute
 787         * flags being in the low bytes), so round the next validated shader
 788         * rec address up.  This should be safe, since we've got so many
 789         * relocations in a shader rec packet.
 790         */
 791        BUG_ON(roundup(packet_size, 16) - packet_size > nr_relocs * 4);
 792        exec->shader_rec_v += roundup(packet_size, 16);
 793        exec->shader_rec_size -= packet_size;
 794
 795        for (i = 0; i < shader_reloc_count; i++) {
 796                if (src_handles[i] > exec->bo_count) {
 797                        DRM_DEBUG("Shader handle %d too big\n", src_handles[i]);
 798                        return -EINVAL;
 799                }
 800
 801                bo[i] = exec->bo[src_handles[i]];
 802                if (!bo[i])
 803                        return -EINVAL;
 804        }
 805        for (i = shader_reloc_count; i < nr_relocs; i++) {
 806                bo[i] = vc4_use_bo(exec, src_handles[i]);
 807                if (!bo[i])
 808                        return -EINVAL;
 809        }
 810
 811        if (((*(uint16_t *)pkt_u & VC4_SHADER_FLAG_FS_SINGLE_THREAD) == 0) !=
 812            to_vc4_bo(&bo[0]->base)->validated_shader->is_threaded) {
 813                DRM_DEBUG("Thread mode of CL and FS do not match\n");
 814                return -EINVAL;
 815        }
 816
 817        if (to_vc4_bo(&bo[1]->base)->validated_shader->is_threaded ||
 818            to_vc4_bo(&bo[2]->base)->validated_shader->is_threaded) {
 819                DRM_DEBUG("cs and vs cannot be threaded\n");
 820                return -EINVAL;
 821        }
 822
 823        for (i = 0; i < shader_reloc_count; i++) {
 824                struct vc4_validated_shader_info *validated_shader;
 825                uint32_t o = shader_reloc_offsets[i];
 826                uint32_t src_offset = *(uint32_t *)(pkt_u + o);
 827                uint32_t *texture_handles_u;
 828                void *uniform_data_u;
 829                uint32_t tex, uni;
 830
 831                *(uint32_t *)(pkt_v + o) = bo[i]->paddr + src_offset;
 832
 833                if (src_offset != 0) {
 834                        DRM_DEBUG("Shaders must be at offset 0 of "
 835                                  "the BO.\n");
 836                        return -EINVAL;
 837                }
 838
 839                validated_shader = to_vc4_bo(&bo[i]->base)->validated_shader;
 840                if (!validated_shader)
 841                        return -EINVAL;
 842
 843                if (validated_shader->uniforms_src_size >
 844                    exec->uniforms_size) {
 845                        DRM_DEBUG("Uniforms src buffer overflow\n");
 846                        return -EINVAL;
 847                }
 848
 849                texture_handles_u = exec->uniforms_u;
 850                uniform_data_u = (texture_handles_u +
 851                                  validated_shader->num_texture_samples);
 852
 853                memcpy(exec->uniforms_v, uniform_data_u,
 854                       validated_shader->uniforms_size);
 855
 856                for (tex = 0;
 857                     tex < validated_shader->num_texture_samples;
 858                     tex++) {
 859                        if (!reloc_tex(exec,
 860                                       uniform_data_u,
 861                                       &validated_shader->texture_samples[tex],
 862                                       texture_handles_u[tex],
 863                                       i == 2)) {
 864                                return -EINVAL;
 865                        }
 866                }
 867
 868                /* Fill in the uniform slots that need this shader's
 869                 * start-of-uniforms address (used for resetting the uniform
 870                 * stream in the presence of control flow).
 871                 */
 872                for (uni = 0;
 873                     uni < validated_shader->num_uniform_addr_offsets;
 874                     uni++) {
 875                        uint32_t o = validated_shader->uniform_addr_offsets[uni];
 876                        ((uint32_t *)exec->uniforms_v)[o] = exec->uniforms_p;
 877                }
 878
 879                *(uint32_t *)(pkt_v + o + 4) = exec->uniforms_p;
 880
 881                exec->uniforms_u += validated_shader->uniforms_src_size;
 882                exec->uniforms_v += validated_shader->uniforms_size;
 883                exec->uniforms_p += validated_shader->uniforms_size;
 884        }
 885
 886        for (i = 0; i < nr_attributes; i++) {
 887                struct drm_gem_cma_object *vbo =
 888                        bo[ARRAY_SIZE(shader_reloc_offsets) + i];
 889                uint32_t o = 36 + i * 8;
 890                uint32_t offset = *(uint32_t *)(pkt_u + o + 0);
 891                uint32_t attr_size = *(uint8_t *)(pkt_u + o + 4) + 1;
 892                uint32_t stride = *(uint8_t *)(pkt_u + o + 5);
 893                uint32_t max_index;
 894
 895                exec->bin_dep_seqno = max(exec->bin_dep_seqno,
 896                                          to_vc4_bo(&vbo->base)->write_seqno);
 897
 898                if (state->addr & 0x8)
 899                        stride |= (*(uint32_t *)(pkt_u + 100 + i * 4)) & ~0xff;
 900
 901                if (vbo->base.size < offset ||
 902                    vbo->base.size - offset < attr_size) {
 903                        DRM_DEBUG("BO offset overflow (%d + %d > %zu)\n",
 904                                  offset, attr_size, vbo->base.size);
 905                        return -EINVAL;
 906                }
 907
 908                if (stride != 0) {
 909                        max_index = ((vbo->base.size - offset - attr_size) /
 910                                     stride);
 911                        if (state->max_index > max_index) {
 912                                DRM_DEBUG("primitives use index %d out of "
 913                                          "supplied %d\n",
 914                                          state->max_index, max_index);
 915                                return -EINVAL;
 916                        }
 917                }
 918
 919                *(uint32_t *)(pkt_v + o) = vbo->paddr + offset;
 920        }
 921
 922        return 0;
 923}
 924
 925int
 926vc4_validate_shader_recs(struct drm_device *dev,
 927                         struct vc4_exec_info *exec)
 928{
 929        uint32_t i;
 930        int ret = 0;
 931
 932        for (i = 0; i < exec->shader_state_count; i++) {
 933                ret = validate_gl_shader_rec(dev, exec, &exec->shader_state[i]);
 934                if (ret)
 935                        return ret;
 936        }
 937
 938        return ret;
 939}
 940