1 // SPDX-License-Identifier: MIT
2 /*
3 * Copyright © 2008,2010 Intel Corporation
4 */
5
6 #include <linux/dma-resv.h>
7 #include <linux/highmem.h>
8 #include <linux/sync_file.h>
9 #include <linux/uaccess.h>
10
11 #include <drm/drm_auth.h>
12 #include <drm/drm_syncobj.h>
13
14 #include "gem/i915_gem_ioctls.h"
15 #include "gt/intel_context.h"
16 #include "gt/intel_gpu_commands.h"
17 #include "gt/intel_gt.h"
18 #include "gt/intel_gt_buffer_pool.h"
19 #include "gt/intel_gt_pm.h"
20 #include "gt/intel_ring.h"
21
22 #include "pxp/intel_pxp.h"
23
24 #include "i915_cmd_parser.h"
25 #include "i915_drv.h"
26 #include "i915_file_private.h"
27 #include "i915_gem_clflush.h"
28 #include "i915_gem_context.h"
29 #include "i915_gem_evict.h"
30 #include "i915_gem_ioctls.h"
31 #include "i915_reg.h"
32 #include "i915_trace.h"
33 #include "i915_user_extensions.h"
34
35 struct eb_vma {
36 struct i915_vma *vma;
37 unsigned int flags;
38
39 /** This vma's place in the execbuf reservation list */
40 struct drm_i915_gem_exec_object2 *exec;
41 struct list_head bind_link;
42 struct list_head reloc_link;
43
44 struct hlist_node node;
45 u32 handle;
46 };
47
48 enum {
49 FORCE_CPU_RELOC = 1,
50 FORCE_GTT_RELOC,
51 FORCE_GPU_RELOC,
52 #define DBG_FORCE_RELOC 0 /* choose one of the above! */
53 };
54
55 /* __EXEC_OBJECT_ flags > BIT(29) defined in i915_vma.h */
56 #define __EXEC_OBJECT_HAS_PIN BIT(29)
57 #define __EXEC_OBJECT_HAS_FENCE BIT(28)
58 #define __EXEC_OBJECT_USERPTR_INIT BIT(27)
59 #define __EXEC_OBJECT_NEEDS_MAP BIT(26)
60 #define __EXEC_OBJECT_NEEDS_BIAS BIT(25)
61 #define __EXEC_OBJECT_INTERNAL_FLAGS (~0u << 25) /* all of the above + */
62 #define __EXEC_OBJECT_RESERVED (__EXEC_OBJECT_HAS_PIN | __EXEC_OBJECT_HAS_FENCE)
63
64 #define __EXEC_HAS_RELOC BIT(31)
65 #define __EXEC_ENGINE_PINNED BIT(30)
66 #define __EXEC_USERPTR_USED BIT(29)
67 #define __EXEC_INTERNAL_FLAGS (~0u << 29)
68 #define UPDATE PIN_OFFSET_FIXED
69
70 #define BATCH_OFFSET_BIAS (256*1024)
71
72 #define __I915_EXEC_ILLEGAL_FLAGS \
73 (__I915_EXEC_UNKNOWN_FLAGS | \
74 I915_EXEC_CONSTANTS_MASK | \
75 I915_EXEC_RESOURCE_STREAMER)
76
77 /* Catch emission of unexpected errors for CI! */
78 #if IS_ENABLED(CONFIG_DRM_I915_DEBUG_GEM)
79 #undef EINVAL
80 #define EINVAL ({ \
81 DRM_DEBUG_DRIVER("EINVAL at %s:%d\n", __func__, __LINE__); \
82 22; \
83 })
84 #endif
85
86 /**
87 * DOC: User command execution
88 *
89 * Userspace submits commands to be executed on the GPU as an instruction
90 * stream within a GEM object we call a batchbuffer. These instructions may
91 * refer to other GEM objects containing auxiliary state such as kernels,
92 * samplers, render targets and even secondary batchbuffers. Userspace does
93 * not know where in the GPU memory these objects reside and so before the
94 * batchbuffer is passed to the GPU for execution, those addresses in the
95 * batchbuffer and auxiliary objects are updated. This is known as relocation,
96 * or patching. To try and avoid having to relocate each object on the next
97 * execution, userspace is told the location of those objects in this pass,
98 * but this remains just a hint as the kernel may choose a new location for
99 * any object in the future.
100 *
101 * At the level of talking to the hardware, submitting a batchbuffer for the
102 * GPU to execute amounts to adding content to a buffer from which the HW
103 * command streamer is reading.
104 *
105 * 1. Add a command to load the HW context. For Logical Ring Contexts, i.e.
106 * Execlists, this command is not placed on the same buffer as the
107 * remaining items.
108 *
109 * 2. Add a command to invalidate caches to the buffer.
110 *
111 * 3. Add a batchbuffer start command to the buffer; the start command is
112 * essentially a token together with the GPU address of the batchbuffer
113 * to be executed.
114 *
115 * 4. Add a pipeline flush to the buffer.
116 *
117 * 5. Add a memory write command to the buffer to record when the GPU
118 * is done executing the batchbuffer. The memory write writes the
119 * global sequence number of the request, ``i915_request::global_seqno``;
120 * the i915 driver uses the current value in the register to determine
121 * if the GPU has completed the batchbuffer.
122 *
123 * 6. Add a user interrupt command to the buffer. This command instructs
124 * the GPU to issue an interrupt when the command, pipeline flush and
125 * memory write are completed.
126 *
127 * 7. Inform the hardware of the additional commands added to the buffer
128 * (by updating the tail pointer).
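 *
 * A conceptual sketch of steps 3 and 6 as the engine backends might emit
 * them (illustrative only; rq and batch_addr are assumed, and the cache
 * invalidation, flush and seqno write commands are elided)::
 *
 *	u32 *cs = intel_ring_begin(rq, 4);
 *	*cs++ = MI_BATCH_BUFFER_START;	// generation-specific addressing bits elided
 *	*cs++ = lower_32_bits(batch_addr);
 *	*cs++ = upper_32_bits(batch_addr);
 *	*cs++ = MI_USER_INTERRUPT;
 *	intel_ring_advance(rq, cs);	// step 7: the tail pointer is then updated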
129 *
130 * Processing an execbuf ioctl is conceptually split up into a few phases.
131 *
132 * 1. Validation - Ensure all the pointers, handles and flags are valid.
133 * 2. Reservation - Assign GPU address space for every object
134 * 3. Relocation - Update any addresses to point to the final locations
135 * 4. Serialisation - Order the request with respect to its dependencies
136 * 5. Construction - Construct a request to execute the batchbuffer
137 * 6. Submission (at some point in the future execution)
138 *
139 * Reserving resources for the execbuf is the most complicated phase. We
140 * neither want to have to migrate the object in the address space, nor do
141 * we want to have to update any relocations pointing to this object. Ideally,
142 * we want to leave the object where it is and for all the existing relocations
143 * to match. If the object is given a new address, or if userspace thinks the
144 * object is elsewhere, we have to parse all the relocation entries and update
145 * the addresses. Userspace can set the I915_EXEC_NO_RELOC flag to hint that
146 * all the target addresses in all of its objects match the value in the
147 * relocation entries and that they all match the presumed offsets given by the
148 * list of execbuffer objects. Using this knowledge, we know that if we haven't
149 * moved any buffers, all the relocation entries are valid and we can skip
150 * the update. (If userspace is wrong, the likely outcome is an impromptu GPU
151 * hang.) The requirements for using I915_EXEC_NO_RELOC are:
152 *
153 * The addresses written in the objects must match the corresponding
154 * reloc.presumed_offset which in turn must match the corresponding
155 * execobject.offset.
156 *
157 * Any render targets written to in the batch must be flagged with
158 * EXEC_OBJECT_WRITE.
159 *
160 * To avoid stalling, execobject.offset should match the current
161 * address of that object within the active context.
162 *
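 * As a purely illustrative userspace sketch of those requirements (the
 * names bo_handle and last_gpu_offset are hypothetical)::
 *
 *	struct drm_i915_gem_exec_object2 obj = {
 *		.handle = bo_handle,
 *		// every reloc targeting this bo carries presumed_offset ==
 *		// last_gpu_offset, and that address was written into the batch
 *		.offset = last_gpu_offset,
 *		// set when the batch writes to this bo (e.g. a render target)
 *		.flags = EXEC_OBJECT_WRITE,
 *	};
 *	execbuf.flags |= I915_EXEC_NO_RELOC;
 *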
163 * The reservation is done in multiple phases. First we try to keep any
164 * object already bound in its current location - so long as it meets the
165 * constraints imposed by the new execbuffer. Any object left unbound after the
166 * first pass is then fitted into any available idle space. If an object does
167 * not fit, all objects are removed from the reservation and the process rerun
168 * after sorting the objects into a priority order (more difficult to fit
169 * objects are tried first). Failing that, the entire VM is cleared and we try
170 * to fit the execbuf one last time before concluding that it simply will not
171 * fit.
172 *
173 * A small complication to all of this is that we allow userspace not only to
174 * specify an alignment and a size for the object in the address space, but
175 * we also allow userspace to specify the exact offset. These objects are
176 * simpler to place (the location is known a priori); all we have to do is make
177 * sure the space is available.
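 *
 * A hypothetical softpinned entry, for instance, reduces to::
 *
 *	obj.offset = fixed_gpu_address;		// page aligned, canonical form
 *	obj.flags |= EXEC_OBJECT_PINNED | EXEC_OBJECT_SUPPORTS_48B_ADDRESS;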
178 *
179 * Once all the objects are in place, patching up the buried pointers to point
180 * to the final locations is a fairly simple job of walking over the relocation
181 * entry arrays, looking up the right address and rewriting the value into
182 * the object. Simple! ... The relocation entries are stored in user memory
183 * and so to access them we have to copy them into a local buffer. That copy
184 * has to avoid taking any pagefaults as they may lead back to a GEM object
185 * requiring the struct_mutex (i.e. recursive deadlock). So once again we split
186 * the relocation into multiple passes. First we try to do everything within an
187 * atomic context (avoid the pagefaults) which requires that we never wait. If
188 * we detect that we may wait, or if we need to fault, then we have to fallback
189 * to a slower path. The slowpath has to drop the mutex. (Can you hear alarm
190 * bells yet?) Dropping the mutex means that we lose all the state we have
191 * built up so far for the execbuf and we must reset any global data. However,
192 * we do leave the objects pinned in their final locations - which is a
193 * potential issue for concurrent execbufs. Once we have left the mutex, we can
194 * allocate and copy all the relocation entries into a large array at our
195 * leisure, reacquire the mutex, reclaim all the objects and other state and
196 * then proceed to update any incorrect addresses with the objects.
197 *
198 * As we process the relocation entries, we maintain a record of whether the
199 * object is being written to. Using NO_RELOC, we expect userspace to provide
200 * this information instead. We also check whether we can skip the relocation
201 * by comparing the expected value inside the relocation entry with the target's
202 * final address. If they differ, we have to map the current object and rewrite
203 * the 4 or 8 byte pointer within.
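 *
 * Conceptually a single fixup, once the target's final address is known, is
 * little more than the following (obj_vaddr and target_vma are stand-in
 * names; relocate_entry() additionally handles page-boundary crossings)::
 *
 *	u64 addr = gen8_canonical_addr(i915_vma_offset(target_vma) + reloc->delta);
 *	*(u32 *)(obj_vaddr + offset_in_page(reloc->offset)) = lower_32_bits(addr);
 *	if (use_64bit_reloc)	// 8 byte pointers on gen8+
 *		*(u32 *)(obj_vaddr + offset_in_page(reloc->offset) + 4) = upper_32_bits(addr);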
204 *
205 * Serialising an execbuf is quite simple according to the rules of the GEM
206 * ABI. Execution within each context is ordered by the order of submission.
207 * Writes to any GEM object are in order of submission and are exclusive. Reads
208 * from a GEM object are unordered with respect to other reads, but ordered by
209 * writes. A write submitted after a read cannot occur before the read, and
210 * similarly any read submitted after a write cannot occur before the write.
211 * Writes are ordered between engines such that only one write occurs at any
212 * time (completing any reads beforehand) - using semaphores where available
213 * and CPU serialisation otherwise. Other GEM accesses obey the same rules: any
214 * write (either via mmaps using set-domain, or via pwrite) must flush all GPU
215 * reads before starting, and any read (either using set-domain or pread) must
216 * flush all GPU writes before starting. (Note we only employ a barrier before,
217 * we currently rely on userspace not concurrently starting a new execution
218 * whilst reading or writing to an object. This may be an advantage or not
219 * depending on how much you trust userspace not to shoot themselves in the
220 * foot.) Serialisation may just result in the request being inserted into
221 * a DAG awaiting its turn, but most simple is to wait on the CPU until
222 * all dependencies are resolved.
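 *
 * In dma-resv terms, the per-object rule applied at submission is roughly
 * (a simplification of the bookkeeping done when moving a vma to active)::
 *
 *	if (flags & EXEC_OBJECT_WRITE)
 *		// ordered after every prior access, published as a write
 *		dma_resv_add_fence(obj->base.resv, &rq->fence, DMA_RESV_USAGE_WRITE);
 *	else
 *		// ordered after prior writes only, published as a read
 *		dma_resv_add_fence(obj->base.resv, &rq->fence, DMA_RESV_USAGE_READ);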
223 *
224 * After all of that, it is just a matter of closing the request and handing it to
225 * the hardware (well, leaving it in a queue to be executed). However, we also
226 * offer the ability for batchbuffers to be run with elevated privileges so
227 * that they access otherwise hidden registers. (Used to adjust L3 cache etc.)
228 * Before any batch is given extra privileges we first must check that it
229 * contains no nefarious instructions: we check that each instruction is from
230 * our whitelist and all registers are also from an allowed list. We first
231 * copy the user's batchbuffer to a shadow (so that the user doesn't have
232 * access to it, either by the CPU or GPU as we scan it) and then parse each
233 * instruction. If everything is ok, we set a flag telling the hardware to run
234 * the batchbuffer in trusted mode, otherwise the ioctl is rejected.
235 */
236
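/*
 * Purely illustrative: a minimal userspace submission exercising the flow
 * documented above. fd, exec, nr_bos and batch_bytes are hypothetical; the
 * last entry of exec[] is the batch unless I915_EXEC_BATCH_FIRST is set.
 *
 *	struct drm_i915_gem_execbuffer2 execbuf = {
 *		.buffers_ptr = (uintptr_t)exec,
 *		.buffer_count = nr_bos,
 *		.batch_len = batch_bytes,
 *		.flags = I915_EXEC_RENDER | I915_EXEC_HANDLE_LUT | I915_EXEC_NO_RELOC,
 *	};
 *	drmIoctl(fd, DRM_IOCTL_I915_GEM_EXECBUFFER2, &execbuf);
 */
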
237 struct eb_fence {
238 struct drm_syncobj *syncobj; /* Use with ptr_mask_bits() */
239 struct dma_fence *dma_fence;
240 u64 value;
241 struct dma_fence_chain *chain_fence;
242 };
243
244 struct i915_execbuffer {
245 struct drm_i915_private *i915; /** i915 backpointer */
246 struct drm_file *file; /** per-file lookup tables and limits */
247 struct drm_i915_gem_execbuffer2 *args; /** ioctl parameters */
248 struct drm_i915_gem_exec_object2 *exec; /** ioctl execobj[] */
249 struct eb_vma *vma;
250
251 struct intel_gt *gt; /* gt for the execbuf */
252 struct intel_context *context; /* logical state for the request */
253 struct i915_gem_context *gem_context; /** caller's context */
254 intel_wakeref_t wakeref;
255 intel_wakeref_t wakeref_gt0;
256
257 /** our requests to build */
258 struct i915_request *requests[MAX_ENGINE_INSTANCE + 1];
259 /** identity of the batch obj/vma */
260 struct eb_vma *batches[MAX_ENGINE_INSTANCE + 1];
261 struct i915_vma *trampoline; /** trampoline used for chaining */
262
263 /** used for excl fence in dma_resv objects when > 1 BB submitted */
264 struct dma_fence *composite_fence;
265
266 /** actual size of execobj[] as we may extend it for the cmdparser */
267 unsigned int buffer_count;
268
269 /* number of batches in execbuf IOCTL */
270 unsigned int num_batches;
271
272 /** list of vma not yet bound during reservation phase */
273 struct list_head unbound;
274
275 /** list of vma that have execobj.relocation_count */
276 struct list_head relocs;
277
278 struct i915_gem_ww_ctx ww;
279
280 /**
281 * Track the most recently used object for relocations, as we
282 * frequently have to perform multiple relocations within the same
283 * obj/page
284 */
285 struct reloc_cache {
286 struct drm_mm_node node; /** temporary GTT binding */
287 unsigned long vaddr; /** Current kmap address */
288 unsigned long page; /** Currently mapped page index */
289 unsigned int graphics_ver; /** Cached value of GRAPHICS_VER */
290 bool use_64bit_reloc : 1;
291 bool has_llc : 1;
292 bool has_fence : 1;
293 bool needs_unfenced : 1;
294 } reloc_cache;
295
296 u64 invalid_flags; /** Set of execobj.flags that are invalid */
297
298 /** Length of batch within object */
299 u64 batch_len[MAX_ENGINE_INSTANCE + 1];
300 u32 batch_start_offset; /** Location within object of batch */
301 u32 batch_flags; /** Flags composed for emit_bb_start() */
302 struct intel_gt_buffer_pool_node *batch_pool; /** pool node for batch buffer */
303
304 /**
305 * Indicate either the size of the hashtable used to resolve
306 * relocation handles, or if negative that we are using a direct
307 * index into the execobj[].
308 */
309 int lut_size;
310 struct hlist_head *buckets; /** ht for relocation handles */
311
312 struct eb_fence *fences;
313 unsigned long num_fences;
314 #if IS_ENABLED(CONFIG_DRM_I915_CAPTURE_ERROR)
315 struct i915_capture_list *capture_lists[MAX_ENGINE_INSTANCE + 1];
316 #endif
317 };
318
319 static int eb_parse(struct i915_execbuffer *eb);
320 static int eb_pin_engine(struct i915_execbuffer *eb, bool throttle);
321 static void eb_unpin_engine(struct i915_execbuffer *eb);
322 static void eb_capture_release(struct i915_execbuffer *eb);
323
324 static bool eb_use_cmdparser(const struct i915_execbuffer *eb)
325 {
326 return intel_engine_requires_cmd_parser(eb->context->engine) ||
327 (intel_engine_using_cmd_parser(eb->context->engine) &&
328 eb->args->batch_len);
329 }
330
331 static int eb_create(struct i915_execbuffer *eb)
332 {
333 if (!(eb->args->flags & I915_EXEC_HANDLE_LUT)) {
334 unsigned int size = 1 + ilog2(eb->buffer_count);
335
336 /*
337 * Without a 1:1 association between relocation handles and
338 * the execobject[] index, we instead create a hashtable.
339 * We size it dynamically based on available memory, starting
340 * first with 1:1 associative hash and scaling back until
341 * the allocation succeeds.
342 *
343 * Later on we use a positive lut_size to indicate we are
344 * using this hashtable, and a negative value to indicate a
345 * direct lookup.
346 */
347 do {
348 gfp_t flags;
349
350 /* While we can still reduce the allocation size, don't
351 * raise a warning and allow the allocation to fail.
352 * On the last pass though, we want to try as hard
353 * as possible to perform the allocation and warn
354 * if it fails.
355 */
356 flags = GFP_KERNEL;
357 if (size > 1)
358 flags |= __GFP_NORETRY | __GFP_NOWARN;
359
360 eb->buckets = kzalloc(sizeof(struct hlist_head) << size,
361 flags);
362 if (eb->buckets)
363 break;
364 } while (--size);
365
366 if (unlikely(!size))
367 return -ENOMEM;
368
369 eb->lut_size = size;
370 } else {
371 eb->lut_size = -eb->buffer_count;
372 }
373
374 return 0;
375 }
376
377 static bool
378 eb_vma_misplaced(const struct drm_i915_gem_exec_object2 *entry,
379 const struct i915_vma *vma,
380 unsigned int flags)
381 {
382 const u64 start = i915_vma_offset(vma);
383 const u64 size = i915_vma_size(vma);
384
385 if (size < entry->pad_to_size)
386 return true;
387
388 if (entry->alignment && !IS_ALIGNED(start, entry->alignment))
389 return true;
390
391 if (flags & EXEC_OBJECT_PINNED &&
392 start != entry->offset)
393 return true;
394
395 if (flags & __EXEC_OBJECT_NEEDS_BIAS &&
396 start < BATCH_OFFSET_BIAS)
397 return true;
398
399 if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS) &&
400 (start + size + 4095) >> 32)
401 return true;
402
403 if (flags & __EXEC_OBJECT_NEEDS_MAP &&
404 !i915_vma_is_map_and_fenceable(vma))
405 return true;
406
407 return false;
408 }
409
410 static u64 eb_pin_flags(const struct drm_i915_gem_exec_object2 *entry,
411 unsigned int exec_flags)
412 {
413 u64 pin_flags = 0;
414
415 if (exec_flags & EXEC_OBJECT_NEEDS_GTT)
416 pin_flags |= PIN_GLOBAL;
417
418 /*
419 * Wa32bitGeneralStateOffset & Wa32bitInstructionBaseOffset,
420 * limit address to the first 4GBs for unflagged objects.
421 */
422 if (!(exec_flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS))
423 pin_flags |= PIN_ZONE_4G;
424
425 if (exec_flags & __EXEC_OBJECT_NEEDS_MAP)
426 pin_flags |= PIN_MAPPABLE;
427
428 if (exec_flags & EXEC_OBJECT_PINNED)
429 pin_flags |= entry->offset | PIN_OFFSET_FIXED;
430 else if (exec_flags & __EXEC_OBJECT_NEEDS_BIAS)
431 pin_flags |= BATCH_OFFSET_BIAS | PIN_OFFSET_BIAS;
432
433 return pin_flags;
434 }
435
436 static int
437 eb_pin_vma(struct i915_execbuffer *eb,
438 const struct drm_i915_gem_exec_object2 *entry,
439 struct eb_vma *ev)
440 {
441 struct i915_vma *vma = ev->vma;
442 u64 pin_flags;
443 int err;
444
445 if (vma->node.size)
446 pin_flags = __i915_vma_offset(vma);
447 else
448 pin_flags = entry->offset & PIN_OFFSET_MASK;
449
450 pin_flags |= PIN_USER | PIN_NOEVICT | PIN_OFFSET_FIXED | PIN_VALIDATE;
451 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_GTT))
452 pin_flags |= PIN_GLOBAL;
453
454 /* Attempt to reuse the current location if available */
455 err = i915_vma_pin_ww(vma, &eb->ww, 0, 0, pin_flags);
456 if (err == -EDEADLK)
457 return err;
458
459 if (unlikely(err)) {
460 if (entry->flags & EXEC_OBJECT_PINNED)
461 return err;
462
463 /* Failing that pick any _free_ space if suitable */
464 err = i915_vma_pin_ww(vma, &eb->ww,
465 entry->pad_to_size,
466 entry->alignment,
467 eb_pin_flags(entry, ev->flags) |
468 PIN_USER | PIN_NOEVICT | PIN_VALIDATE);
469 if (unlikely(err))
470 return err;
471 }
472
473 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_FENCE)) {
474 err = i915_vma_pin_fence(vma);
475 if (unlikely(err))
476 return err;
477
478 if (vma->fence)
479 ev->flags |= __EXEC_OBJECT_HAS_FENCE;
480 }
481
482 ev->flags |= __EXEC_OBJECT_HAS_PIN;
483 if (eb_vma_misplaced(entry, vma, ev->flags))
484 return -EBADSLT;
485
486 return 0;
487 }
488
489 static void
490 eb_unreserve_vma(struct eb_vma *ev)
491 {
492 if (unlikely(ev->flags & __EXEC_OBJECT_HAS_FENCE))
493 __i915_vma_unpin_fence(ev->vma);
494
495 ev->flags &= ~__EXEC_OBJECT_RESERVED;
496 }
497
498 static int
499 eb_validate_vma(struct i915_execbuffer *eb,
500 struct drm_i915_gem_exec_object2 *entry,
501 struct i915_vma *vma)
502 {
503 /* Relocations are disallowed for all platforms after TGL-LP. This
504 * also covers all platforms with local memory.
505 */
506 if (entry->relocation_count &&
507 GRAPHICS_VER(eb->i915) >= 12 && !IS_TIGERLAKE(eb->i915))
508 return -EINVAL;
509
510 if (unlikely(entry->flags & eb->invalid_flags))
511 return -EINVAL;
512
513 if (unlikely(entry->alignment &&
514 !is_power_of_2_u64(entry->alignment)))
515 return -EINVAL;
516
517 /*
518 * Offset can be used as input (EXEC_OBJECT_PINNED), reject
519 * any non-page-aligned or non-canonical addresses.
520 */
521 if (unlikely(entry->flags & EXEC_OBJECT_PINNED &&
522 entry->offset != gen8_canonical_addr(entry->offset & I915_GTT_PAGE_MASK)))
523 return -EINVAL;
524
525 /* pad_to_size was once a reserved field, so sanitize it */
526 if (entry->flags & EXEC_OBJECT_PAD_TO_SIZE) {
527 if (unlikely(offset_in_page(entry->pad_to_size)))
528 return -EINVAL;
529 } else {
530 entry->pad_to_size = 0;
531 }
532 /*
533 * From drm_mm perspective address space is continuous,
534 * so from this point we're always using non-canonical
535 * form internally.
536 */
537 entry->offset = gen8_noncanonical_addr(entry->offset);
538
539 if (!eb->reloc_cache.has_fence) {
540 entry->flags &= ~EXEC_OBJECT_NEEDS_FENCE;
541 } else {
542 if ((entry->flags & EXEC_OBJECT_NEEDS_FENCE ||
543 eb->reloc_cache.needs_unfenced) &&
544 i915_gem_object_is_tiled(vma->obj))
545 entry->flags |= EXEC_OBJECT_NEEDS_GTT | __EXEC_OBJECT_NEEDS_MAP;
546 }
547
548 return 0;
549 }
550
551 static bool
552 is_batch_buffer(struct i915_execbuffer *eb, unsigned int buffer_idx)
553 {
554 return eb->args->flags & I915_EXEC_BATCH_FIRST ?
555 buffer_idx < eb->num_batches :
556 buffer_idx >= eb->args->buffer_count - eb->num_batches;
557 }
558
559 static int
560 eb_add_vma(struct i915_execbuffer *eb,
561 unsigned int *current_batch,
562 unsigned int i,
563 struct i915_vma *vma)
564 {
565 struct drm_i915_private *i915 = eb->i915;
566 struct drm_i915_gem_exec_object2 *entry = &eb->exec[i];
567 struct eb_vma *ev = &eb->vma[i];
568
569 ev->vma = vma;
570 ev->exec = entry;
571 ev->flags = entry->flags;
572
573 if (eb->lut_size > 0) {
574 ev->handle = entry->handle;
575 hlist_add_head(&ev->node,
576 &eb->buckets[hash_32(entry->handle,
577 eb->lut_size)]);
578 }
579
580 if (entry->relocation_count)
581 list_add_tail(&ev->reloc_link, &eb->relocs);
582
583 /*
584 * SNA is doing fancy tricks with compressing batch buffers, which leads
585 * to negative relocation deltas. Usually that works out ok since the
586 * relocate address is still positive, except when the batch is placed
587 * very low in the GTT. Ensure this doesn't happen.
588 *
589 * Note that actual hangs have only been observed on gen7, but for
590 * paranoia do it everywhere.
591 */
592 if (is_batch_buffer(eb, i)) {
593 if (entry->relocation_count &&
594 !(ev->flags & EXEC_OBJECT_PINNED))
595 ev->flags |= __EXEC_OBJECT_NEEDS_BIAS;
596 if (eb->reloc_cache.has_fence)
597 ev->flags |= EXEC_OBJECT_NEEDS_FENCE;
598
599 eb->batches[*current_batch] = ev;
600
601 if (unlikely(ev->flags & EXEC_OBJECT_WRITE)) {
602 drm_dbg(&i915->drm,
603 "Attempting to use self-modifying batch buffer\n");
604 return -EINVAL;
605 }
606
607 if (range_overflows_t(u64,
608 eb->batch_start_offset,
609 eb->args->batch_len,
610 ev->vma->size)) {
611 drm_dbg(&i915->drm, "Attempting to use out-of-bounds batch\n");
612 return -EINVAL;
613 }
614
615 if (eb->args->batch_len == 0)
616 eb->batch_len[*current_batch] = ev->vma->size -
617 eb->batch_start_offset;
618 else
619 eb->batch_len[*current_batch] = eb->args->batch_len;
620 if (unlikely(eb->batch_len[*current_batch] == 0)) { /* impossible! */
621 drm_dbg(&i915->drm, "Invalid batch length\n");
622 return -EINVAL;
623 }
624
625 ++*current_batch;
626 }
627
628 return 0;
629 }
630
631 static int use_cpu_reloc(const struct reloc_cache *cache,
632 const struct drm_i915_gem_object *obj)
633 {
634 if (!i915_gem_object_has_struct_page(obj))
635 return false;
636
637 if (DBG_FORCE_RELOC == FORCE_CPU_RELOC)
638 return true;
639
640 if (DBG_FORCE_RELOC == FORCE_GTT_RELOC)
641 return false;
642
643 /*
644 * For objects created by userspace through GEM_CREATE with pat_index
645 * set by set_pat extension, i915_gem_object_has_cache_level() always
646 * returns true, otherwise the call would fall back to checking whether
647 * the object is un-cached.
648 */
649 return (cache->has_llc ||
650 obj->cache_dirty ||
651 !i915_gem_object_has_cache_level(obj, I915_CACHE_NONE));
652 }
653
654 static int eb_reserve_vma(struct i915_execbuffer *eb,
655 struct eb_vma *ev,
656 u64 pin_flags)
657 {
658 struct drm_i915_gem_exec_object2 *entry = ev->exec;
659 struct i915_vma *vma = ev->vma;
660 int err;
661
662 if (drm_mm_node_allocated(&vma->node) &&
663 eb_vma_misplaced(entry, vma, ev->flags)) {
664 err = i915_vma_unbind(vma);
665 if (err)
666 return err;
667 }
668
669 err = i915_vma_pin_ww(vma, &eb->ww,
670 entry->pad_to_size, entry->alignment,
671 eb_pin_flags(entry, ev->flags) | pin_flags);
672 if (err)
673 return err;
674
675 if (entry->offset != i915_vma_offset(vma)) {
676 entry->offset = i915_vma_offset(vma) | UPDATE;
677 eb->args->flags |= __EXEC_HAS_RELOC;
678 }
679
680 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_FENCE)) {
681 err = i915_vma_pin_fence(vma);
682 if (unlikely(err))
683 return err;
684
685 if (vma->fence)
686 ev->flags |= __EXEC_OBJECT_HAS_FENCE;
687 }
688
689 ev->flags |= __EXEC_OBJECT_HAS_PIN;
690 GEM_BUG_ON(eb_vma_misplaced(entry, vma, ev->flags));
691
692 return 0;
693 }
694
695 static bool eb_unbind(struct i915_execbuffer *eb, bool force)
696 {
697 const unsigned int count = eb->buffer_count;
698 unsigned int i;
699 struct list_head last;
700 bool unpinned = false;
701
702 /* Resort *all* the objects into priority order */
703 INIT_LIST_HEAD(&eb->unbound);
704 INIT_LIST_HEAD(&last);
705
706 for (i = 0; i < count; i++) {
707 struct eb_vma *ev = &eb->vma[i];
708 unsigned int flags = ev->flags;
709
710 if (!force && flags & EXEC_OBJECT_PINNED &&
711 flags & __EXEC_OBJECT_HAS_PIN)
712 continue;
713
714 unpinned = true;
715 eb_unreserve_vma(ev);
716
717 if (flags & EXEC_OBJECT_PINNED)
718 /* Pinned must have their slot */
719 list_add(&ev->bind_link, &eb->unbound);
720 else if (flags & __EXEC_OBJECT_NEEDS_MAP)
721 /* Mappable objects require the lowest 256MiB (aperture) */
722 list_add_tail(&ev->bind_link, &eb->unbound);
723 else if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS))
724 /* Prioritise 4GiB region for restricted bo */
725 list_add(&ev->bind_link, &last);
726 else
727 list_add_tail(&ev->bind_link, &last);
728 }
729
730 list_splice_tail(&last, &eb->unbound);
731 return unpinned;
732 }
733
734 static int eb_reserve(struct i915_execbuffer *eb)
735 {
736 struct eb_vma *ev;
737 unsigned int pass;
738 int err = 0;
739
740 /*
741 * We have one or more buffers that we couldn't bind, which could be due to
742 * various reasons. To resolve this we have 4 passes, with every next
743 * level turning the screws tighter:
744 *
745 * 0. Unbind all objects that do not match the GTT constraints for the
746 * execbuffer (fenceable, mappable, alignment etc). Bind all new
747 * objects. This avoids unnecessary unbinding of later objects in order
748 * to make room for the earlier objects *unless* we need to defragment.
749 *
750 * 1. Reorder the buffers, where objects with the most restrictive
751 * placement requirements go first (ignoring fixed location buffers for
752 * now). For example, objects needing the mappable aperture (the first
753 * 256M of GTT), should go first vs objects that can be placed just
754 * about anywhere. Repeat the previous pass.
755 *
756 * 2. Consider buffers that are pinned at a fixed location. Also try to
757 * evict the entire VM this time, leaving only objects that we were
758 * unable to lock. Try again to bind the buffers. (still using the new
759 * buffer order).
760 *
761 * 3. We likely have object lock contention for one or more stubborn
762 * objects in the VM, for which we need to evict to make forward
763 * progress (perhaps we are fighting the shrinker?). When evicting the
764 * VM this time around, anything that we can't lock we now track using
765 * the busy_bo, using the full lock (after dropping the vm->mutex to
766 * prevent deadlocks), instead of trylock. We then continue to evict the
767 * VM, this time with the stubborn object locked, which we can now
768 * hopefully unbind (if still bound in the VM). Repeat until the VM is
769 * evicted. Finally we should be able to bind everything.
770 */
771 for (pass = 0; pass <= 3; pass++) {
772 int pin_flags = PIN_USER | PIN_VALIDATE;
773
774 if (pass == 0)
775 pin_flags |= PIN_NONBLOCK;
776
777 if (pass >= 1)
778 eb_unbind(eb, pass >= 2);
779
780 if (pass == 2) {
781 err = mutex_lock_interruptible(&eb->context->vm->mutex);
782 if (!err) {
783 err = i915_gem_evict_vm(eb->context->vm, &eb->ww, NULL);
784 mutex_unlock(&eb->context->vm->mutex);
785 }
786 if (err)
787 return err;
788 }
789
790 if (pass == 3) {
791 retry:
792 err = mutex_lock_interruptible(&eb->context->vm->mutex);
793 if (!err) {
794 struct drm_i915_gem_object *busy_bo = NULL;
795
796 err = i915_gem_evict_vm(eb->context->vm, &eb->ww, &busy_bo);
797 mutex_unlock(&eb->context->vm->mutex);
798 if (err && busy_bo) {
799 err = i915_gem_object_lock(busy_bo, &eb->ww);
800 i915_gem_object_put(busy_bo);
801 if (!err)
802 goto retry;
803 }
804 }
805 if (err)
806 return err;
807 }
808
809 list_for_each_entry(ev, &eb->unbound, bind_link) {
810 err = eb_reserve_vma(eb, ev, pin_flags);
811 if (err)
812 break;
813 }
814
815 if (err != -ENOSPC)
816 break;
817 }
818
819 return err;
820 }
821
822 static int eb_select_context(struct i915_execbuffer *eb)
823 {
824 struct i915_gem_context *ctx;
825
826 ctx = i915_gem_context_lookup(eb->file->driver_priv, eb->args->rsvd1);
827 if (IS_ERR(ctx))
828 return PTR_ERR(ctx);
829
830 eb->gem_context = ctx;
831 if (i915_gem_context_has_full_ppgtt(ctx))
832 eb->invalid_flags |= EXEC_OBJECT_NEEDS_GTT;
833
834 return 0;
835 }
836
837 static int __eb_add_lut(struct i915_execbuffer *eb,
838 u32 handle, struct i915_vma *vma)
839 {
840 struct i915_gem_context *ctx = eb->gem_context;
841 struct i915_lut_handle *lut;
842 int err;
843
844 lut = i915_lut_handle_alloc();
845 if (unlikely(!lut))
846 return -ENOMEM;
847
848 i915_vma_get(vma);
849 if (!atomic_fetch_inc(&vma->open_count))
850 i915_vma_reopen(vma);
851 lut->handle = handle;
852 lut->ctx = ctx;
853
854 /* Check that the context hasn't been closed in the meantime */
855 err = -EINTR;
856 if (!mutex_lock_interruptible(&ctx->lut_mutex)) {
857 if (likely(!i915_gem_context_is_closed(ctx)))
858 err = radix_tree_insert(&ctx->handles_vma, handle, vma);
859 else
860 err = -ENOENT;
861 if (err == 0) { /* And nor has this handle */
862 struct drm_i915_gem_object *obj = vma->obj;
863
864 spin_lock(&obj->lut_lock);
865 if (idr_find(&eb->file->object_idr, handle) == obj) {
866 list_add(&lut->obj_link, &obj->lut_list);
867 } else {
868 radix_tree_delete(&ctx->handles_vma, handle);
869 err = -ENOENT;
870 }
871 spin_unlock(&obj->lut_lock);
872 }
873 mutex_unlock(&ctx->lut_mutex);
874 }
875 if (unlikely(err))
876 goto err;
877
878 return 0;
879
880 err:
881 i915_vma_close(vma);
882 i915_vma_put(vma);
883 i915_lut_handle_free(lut);
884 return err;
885 }
886
887 static struct i915_vma *eb_lookup_vma(struct i915_execbuffer *eb, u32 handle)
888 {
889 struct i915_address_space *vm = eb->context->vm;
890
891 do {
892 struct drm_i915_gem_object *obj;
893 struct i915_vma *vma;
894 int err;
895
896 rcu_read_lock();
897 vma = radix_tree_lookup(&eb->gem_context->handles_vma, handle);
898 if (likely(vma && vma->vm == vm))
899 vma = i915_vma_tryget(vma);
900 rcu_read_unlock();
901 if (likely(vma))
902 return vma;
903
904 obj = i915_gem_object_lookup(eb->file, handle);
905 if (unlikely(!obj))
906 return ERR_PTR(-ENOENT);
907
908 /*
909 * If the user has opted-in for protected-object tracking, make
910 * sure the object encryption can be used.
911 * We only need to do this when the object is first used with
912 * this context, because the context itself will be banned when
913 * the protected objects become invalid.
914 */
915 if (i915_gem_context_uses_protected_content(eb->gem_context) &&
916 i915_gem_object_is_protected(obj)) {
917 err = intel_pxp_key_check(intel_bo_to_drm_bo(obj), true);
918 if (err) {
919 i915_gem_object_put(obj);
920 return ERR_PTR(err);
921 }
922 }
923
924 vma = i915_vma_instance(obj, vm, NULL);
925 if (IS_ERR(vma)) {
926 i915_gem_object_put(obj);
927 return vma;
928 }
929
930 err = __eb_add_lut(eb, handle, vma);
931 if (likely(!err))
932 return vma;
933
934 i915_gem_object_put(obj);
935 if (err != -EEXIST)
936 return ERR_PTR(err);
937 } while (1);
938 }
939
940 static int eb_lookup_vmas(struct i915_execbuffer *eb)
941 {
942 unsigned int i, current_batch = 0;
943 int err = 0;
944
945 INIT_LIST_HEAD(&eb->relocs);
946
947 for (i = 0; i < eb->buffer_count; i++) {
948 struct i915_vma *vma;
949
950 vma = eb_lookup_vma(eb, eb->exec[i].handle);
951 if (IS_ERR(vma)) {
952 err = PTR_ERR(vma);
953 goto err;
954 }
955
956 err = eb_validate_vma(eb, &eb->exec[i], vma);
957 if (unlikely(err)) {
958 i915_vma_put(vma);
959 goto err;
960 }
961
962 err = eb_add_vma(eb, &current_batch, i, vma);
963 if (err)
964 return err;
965
966 if (i915_gem_object_is_userptr(vma->obj)) {
967 err = i915_gem_object_userptr_submit_init(vma->obj);
968 if (err) {
969 if (i + 1 < eb->buffer_count) {
970 /*
971 * Execbuffer code expects last vma entry to be NULL,
972 * since we already initialized this entry,
973 * set the next value to NULL or we mess up
974 * cleanup handling.
975 */
976 eb->vma[i + 1].vma = NULL;
977 }
978
979 return err;
980 }
981
982 eb->vma[i].flags |= __EXEC_OBJECT_USERPTR_INIT;
983 eb->args->flags |= __EXEC_USERPTR_USED;
984 }
985 }
986
987 return 0;
988
989 err:
990 eb->vma[i].vma = NULL;
991 return err;
992 }
993
994 static int eb_lock_vmas(struct i915_execbuffer *eb)
995 {
996 unsigned int i;
997 int err;
998
999 for (i = 0; i < eb->buffer_count; i++) {
1000 struct eb_vma *ev = &eb->vma[i];
1001 struct i915_vma *vma = ev->vma;
1002
1003 err = i915_gem_object_lock(vma->obj, &eb->ww);
1004 if (err)
1005 return err;
1006 }
1007
1008 return 0;
1009 }
1010
1011 static int eb_validate_vmas(struct i915_execbuffer *eb)
1012 {
1013 unsigned int i;
1014 int err;
1015
1016 INIT_LIST_HEAD(&eb->unbound);
1017
1018 err = eb_lock_vmas(eb);
1019 if (err)
1020 return err;
1021
1022 for (i = 0; i < eb->buffer_count; i++) {
1023 struct drm_i915_gem_exec_object2 *entry = &eb->exec[i];
1024 struct eb_vma *ev = &eb->vma[i];
1025 struct i915_vma *vma = ev->vma;
1026
1027 err = eb_pin_vma(eb, entry, ev);
1028 if (err == -EDEADLK)
1029 return err;
1030
1031 if (!err) {
1032 if (entry->offset != i915_vma_offset(vma)) {
1033 entry->offset = i915_vma_offset(vma) | UPDATE;
1034 eb->args->flags |= __EXEC_HAS_RELOC;
1035 }
1036 } else {
1037 eb_unreserve_vma(ev);
1038
1039 list_add_tail(&ev->bind_link, &eb->unbound);
1040 if (drm_mm_node_allocated(&vma->node)) {
1041 err = i915_vma_unbind(vma);
1042 if (err)
1043 return err;
1044 }
1045 }
1046
1047 /* Reserve enough slots to accommodate composite fences */
1048 err = dma_resv_reserve_fences(vma->obj->base.resv, eb->num_batches);
1049 if (err)
1050 return err;
1051
1052 GEM_BUG_ON(drm_mm_node_allocated(&vma->node) &&
1053 eb_vma_misplaced(&eb->exec[i], vma, ev->flags));
1054 }
1055
1056 if (!list_empty(&eb->unbound))
1057 return eb_reserve(eb);
1058
1059 return 0;
1060 }
1061
1062 static struct eb_vma *
1063 eb_get_vma(const struct i915_execbuffer *eb, unsigned long handle)
1064 {
1065 if (eb->lut_size < 0) {
1066 if (handle >= -eb->lut_size)
1067 return NULL;
1068 return &eb->vma[handle];
1069 } else {
1070 struct hlist_head *head;
1071 struct eb_vma *ev;
1072
1073 head = &eb->buckets[hash_32(handle, eb->lut_size)];
1074 hlist_for_each_entry(ev, head, node) {
1075 if (ev->handle == handle)
1076 return ev;
1077 }
1078 return NULL;
1079 }
1080 }
1081
1082 static void eb_release_vmas(struct i915_execbuffer *eb, bool final)
1083 {
1084 const unsigned int count = eb->buffer_count;
1085 unsigned int i;
1086
1087 for (i = 0; i < count; i++) {
1088 struct eb_vma *ev = &eb->vma[i];
1089 struct i915_vma *vma = ev->vma;
1090
1091 if (!vma)
1092 break;
1093
1094 eb_unreserve_vma(ev);
1095
1096 if (final)
1097 i915_vma_put(vma);
1098 }
1099
1100 eb_capture_release(eb);
1101 eb_unpin_engine(eb);
1102 }
1103
1104 static void eb_destroy(const struct i915_execbuffer *eb)
1105 {
1106 if (eb->lut_size > 0)
1107 kfree(eb->buckets);
1108 }
1109
1110 static u64
1111 relocation_target(const struct drm_i915_gem_relocation_entry *reloc,
1112 const struct i915_vma *target)
1113 {
1114 return gen8_canonical_addr((int)reloc->delta + i915_vma_offset(target));
1115 }
1116
1117 static void reloc_cache_init(struct reloc_cache *cache,
1118 struct drm_i915_private *i915)
1119 {
1120 cache->page = -1;
1121 cache->vaddr = 0;
1122 /* Must be a variable in the struct to allow GCC to unroll. */
1123 cache->graphics_ver = GRAPHICS_VER(i915);
1124 cache->has_llc = HAS_LLC(i915);
1125 cache->use_64bit_reloc = HAS_64BIT_RELOC(i915);
1126 cache->has_fence = cache->graphics_ver < 4;
1127 cache->needs_unfenced = INTEL_INFO(i915)->unfenced_needs_alignment;
1128 cache->node.flags = 0;
1129 }
1130
1131 static void *unmask_page(unsigned long p)
1132 {
1133 return (void *)(uintptr_t)(p & PAGE_MASK);
1134 }
1135
1136 static unsigned int unmask_flags(unsigned long p)
1137 {
1138 return p & ~PAGE_MASK;
1139 }
1140
1141 #define KMAP 0x4 /* after CLFLUSH_FLAGS */
1142
1143 static struct i915_ggtt *cache_to_ggtt(struct reloc_cache *cache)
1144 {
1145 struct drm_i915_private *i915 =
1146 container_of(cache, struct i915_execbuffer, reloc_cache)->i915;
1147 return to_gt(i915)->ggtt;
1148 }
1149
1150 static void reloc_cache_unmap(struct reloc_cache *cache)
1151 {
1152 void *vaddr;
1153
1154 if (!cache->vaddr)
1155 return;
1156
1157 vaddr = unmask_page(cache->vaddr);
1158 if (cache->vaddr & KMAP)
1159 kunmap_local(vaddr);
1160 else
1161 io_mapping_unmap_atomic((void __iomem *)vaddr);
1162 }
1163
1164 static void reloc_cache_remap(struct reloc_cache *cache,
1165 struct drm_i915_gem_object *obj)
1166 {
1167 void *vaddr;
1168
1169 if (!cache->vaddr)
1170 return;
1171
1172 if (cache->vaddr & KMAP) {
1173 struct page *page = i915_gem_object_get_page(obj, cache->page);
1174
1175 vaddr = kmap_local_page(page);
1176 cache->vaddr = unmask_flags(cache->vaddr) |
1177 (unsigned long)vaddr;
1178 } else {
1179 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
1180 unsigned long offset;
1181
1182 offset = cache->node.start;
1183 if (!drm_mm_node_allocated(&cache->node))
1184 offset += cache->page << PAGE_SHIFT;
1185
1186 cache->vaddr = (unsigned long)
1187 io_mapping_map_atomic_wc(&ggtt->iomap, offset);
1188 }
1189 }
1190
1191 static void reloc_cache_reset(struct reloc_cache *cache, struct i915_execbuffer *eb)
1192 {
1193 void *vaddr;
1194
1195 if (!cache->vaddr)
1196 return;
1197
1198 vaddr = unmask_page(cache->vaddr);
1199 if (cache->vaddr & KMAP) {
1200 struct drm_i915_gem_object *obj =
1201 (struct drm_i915_gem_object *)cache->node.mm;
1202 if (cache->vaddr & CLFLUSH_AFTER)
1203 mb();
1204
1205 kunmap_local(vaddr);
1206 i915_gem_object_finish_access(obj);
1207 } else {
1208 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
1209
1210 intel_gt_flush_ggtt_writes(ggtt->vm.gt);
1211 io_mapping_unmap_atomic((void __iomem *)vaddr);
1212
1213 if (drm_mm_node_allocated(&cache->node)) {
1214 ggtt->vm.clear_range(&ggtt->vm,
1215 cache->node.start,
1216 cache->node.size);
1217 mutex_lock(&ggtt->vm.mutex);
1218 drm_mm_remove_node(&cache->node);
1219 mutex_unlock(&ggtt->vm.mutex);
1220 } else {
1221 i915_vma_unpin((struct i915_vma *)cache->node.mm);
1222 }
1223 }
1224
1225 cache->vaddr = 0;
1226 cache->page = -1;
1227 }
1228
1229 static void *reloc_kmap(struct drm_i915_gem_object *obj,
1230 struct reloc_cache *cache,
1231 unsigned long pageno)
1232 {
1233 void *vaddr;
1234 struct page *page;
1235
1236 if (cache->vaddr) {
1237 kunmap_local(unmask_page(cache->vaddr));
1238 } else {
1239 unsigned int flushes;
1240 int err;
1241
1242 err = i915_gem_object_prepare_write(obj, &flushes);
1243 if (err)
1244 return ERR_PTR(err);
1245
1246 BUILD_BUG_ON(KMAP & CLFLUSH_FLAGS);
1247 BUILD_BUG_ON((KMAP | CLFLUSH_FLAGS) & PAGE_MASK);
1248
1249 cache->vaddr = flushes | KMAP;
1250 cache->node.mm = (void *)obj;
1251 if (flushes)
1252 mb();
1253 }
1254
1255 page = i915_gem_object_get_page(obj, pageno);
1256 if (!obj->mm.dirty)
1257 set_page_dirty(page);
1258
1259 vaddr = kmap_local_page(page);
1260 cache->vaddr = unmask_flags(cache->vaddr) | (unsigned long)vaddr;
1261 cache->page = pageno;
1262
1263 return vaddr;
1264 }
1265
1266 static void *reloc_iomap(struct i915_vma *batch,
1267 struct i915_execbuffer *eb,
1268 unsigned long page)
1269 {
1270 struct drm_i915_gem_object *obj = batch->obj;
1271 struct reloc_cache *cache = &eb->reloc_cache;
1272 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
1273 unsigned long offset;
1274 void *vaddr;
1275
1276 if (cache->vaddr) {
1277 intel_gt_flush_ggtt_writes(ggtt->vm.gt);
1278 io_mapping_unmap_atomic((void __force __iomem *) unmask_page(cache->vaddr));
1279 } else {
1280 struct i915_vma *vma = ERR_PTR(-ENODEV);
1281 int err;
1282
1283 if (i915_gem_object_is_tiled(obj))
1284 return ERR_PTR(-EINVAL);
1285
1286 if (use_cpu_reloc(cache, obj))
1287 return NULL;
1288
1289 err = i915_gem_object_set_to_gtt_domain(obj, true);
1290 if (err)
1291 return ERR_PTR(err);
1292
1293 /*
1294 * i915_gem_object_ggtt_pin_ww may attempt to remove the batch
1295 * VMA from the object list because we no longer pin.
1296 *
1297 * Only attempt to pin the batch buffer to ggtt if the current batch
1298 * is not inside ggtt, or the batch buffer is not misplaced.
1299 */
1300 if (!i915_is_ggtt(batch->vm) ||
1301 !i915_vma_misplaced(batch, 0, 0, PIN_MAPPABLE)) {
1302 vma = i915_gem_object_ggtt_pin_ww(obj, &eb->ww, NULL, 0, 0,
1303 PIN_MAPPABLE |
1304 PIN_NONBLOCK /* NOWARN */ |
1305 PIN_NOEVICT);
1306 }
1307
1308 if (vma == ERR_PTR(-EDEADLK))
1309 return vma;
1310
1311 if (IS_ERR(vma)) {
1312 memset(&cache->node, 0, sizeof(cache->node));
1313 mutex_lock(&ggtt->vm.mutex);
1314 err = drm_mm_insert_node_in_range
1315 (&ggtt->vm.mm, &cache->node,
1316 PAGE_SIZE, 0, I915_COLOR_UNEVICTABLE,
1317 0, ggtt->mappable_end,
1318 DRM_MM_INSERT_LOW);
1319 mutex_unlock(&ggtt->vm.mutex);
1320 if (err) /* no inactive aperture space, use cpu reloc */
1321 return NULL;
1322 } else {
1323 cache->node.start = i915_ggtt_offset(vma);
1324 cache->node.mm = (void *)vma;
1325 }
1326 }
1327
1328 offset = cache->node.start;
1329 if (drm_mm_node_allocated(&cache->node)) {
1330 ggtt->vm.insert_page(&ggtt->vm,
1331 i915_gem_object_get_dma_address(obj, page),
1332 offset,
1333 i915_gem_get_pat_index(ggtt->vm.i915,
1334 I915_CACHE_NONE),
1335 0);
1336 } else {
1337 offset += page << PAGE_SHIFT;
1338 }
1339
1340 vaddr = (void __force *)io_mapping_map_atomic_wc(&ggtt->iomap,
1341 offset);
1342 cache->page = page;
1343 cache->vaddr = (unsigned long)vaddr;
1344
1345 return vaddr;
1346 }
1347
1348 static void *reloc_vaddr(struct i915_vma *vma,
1349 struct i915_execbuffer *eb,
1350 unsigned long page)
1351 {
1352 struct reloc_cache *cache = &eb->reloc_cache;
1353 void *vaddr;
1354
1355 if (cache->page == page) {
1356 vaddr = unmask_page(cache->vaddr);
1357 } else {
1358 vaddr = NULL;
1359 if ((cache->vaddr & KMAP) == 0)
1360 vaddr = reloc_iomap(vma, eb, page);
1361 if (!vaddr)
1362 vaddr = reloc_kmap(vma->obj, cache, page);
1363 }
1364
1365 return vaddr;
1366 }
1367
1368 static void clflush_write32(u32 *addr, u32 value, unsigned int flushes)
1369 {
1370 if (unlikely(flushes & (CLFLUSH_BEFORE | CLFLUSH_AFTER))) {
1371 if (flushes & CLFLUSH_BEFORE)
1372 drm_clflush_virt_range(addr, sizeof(*addr));
1373
1374 *addr = value;
1375
1376 /*
1377 * Writes to the same cacheline are serialised by the CPU
1378 * (including clflush). On the write path, we only require
1379 * that it hits memory in an orderly fashion and place
1380 * mb barriers at the start and end of the relocation phase
1381 * to ensure ordering of clflush wrt to the system.
1382 */
1383 if (flushes & CLFLUSH_AFTER)
1384 drm_clflush_virt_range(addr, sizeof(*addr));
1385 } else
1386 *addr = value;
1387 }
1388
1389 static u64
1390 relocate_entry(struct i915_vma *vma,
1391 const struct drm_i915_gem_relocation_entry *reloc,
1392 struct i915_execbuffer *eb,
1393 const struct i915_vma *target)
1394 {
1395 u64 target_addr = relocation_target(reloc, target);
1396 u64 offset = reloc->offset;
1397 bool wide = eb->reloc_cache.use_64bit_reloc;
1398 void *vaddr;
1399
1400 repeat:
1401 vaddr = reloc_vaddr(vma, eb,
1402 offset >> PAGE_SHIFT);
1403 if (IS_ERR(vaddr))
1404 return PTR_ERR(vaddr);
1405
1406 GEM_BUG_ON(!IS_ALIGNED(offset, sizeof(u32)));
1407 clflush_write32(vaddr + offset_in_page(offset),
1408 lower_32_bits(target_addr),
1409 eb->reloc_cache.vaddr);
1410
1411 if (wide) {
1412 offset += sizeof(u32);
1413 target_addr >>= 32;
1414 wide = false;
1415 goto repeat;
1416 }
1417
1418 return target->node.start | UPDATE;
1419 }
1420
1421 static u64
1422 eb_relocate_entry(struct i915_execbuffer *eb,
1423 struct eb_vma *ev,
1424 const struct drm_i915_gem_relocation_entry *reloc)
1425 {
1426 struct drm_i915_private *i915 = eb->i915;
1427 struct eb_vma *target;
1428 int err;
1429
1430 /* we already hold a reference to all valid objects */
1431 target = eb_get_vma(eb, reloc->target_handle);
1432 if (unlikely(!target))
1433 return -ENOENT;
1434
1435 /* Validate that the target is in a valid r/w GPU domain */
1436 if (unlikely(reloc->write_domain & (reloc->write_domain - 1))) {
1437 drm_dbg(&i915->drm, "reloc with multiple write domains: "
1438 "target %d offset %d "
1439 "read %08x write %08x\n",
1440 reloc->target_handle,
1441 (int) reloc->offset,
1442 reloc->read_domains,
1443 reloc->write_domain);
1444 return -EINVAL;
1445 }
1446 if (unlikely((reloc->write_domain | reloc->read_domains)
1447 & ~I915_GEM_GPU_DOMAINS)) {
1448 drm_dbg(&i915->drm, "reloc with read/write non-GPU domains: "
1449 "target %d offset %d "
1450 "read %08x write %08x\n",
1451 reloc->target_handle,
1452 (int) reloc->offset,
1453 reloc->read_domains,
1454 reloc->write_domain);
1455 return -EINVAL;
1456 }
1457
1458 if (reloc->write_domain) {
1459 target->flags |= EXEC_OBJECT_WRITE;
1460
1461 /*
1462 * Sandybridge PPGTT errata: We need a global gtt mapping
1463 * for MI and pipe_control writes because the gpu doesn't
1464 * properly redirect them through the ppgtt for non_secure
1465 * batchbuffers.
1466 */
1467 if (reloc->write_domain == I915_GEM_DOMAIN_INSTRUCTION &&
1468 GRAPHICS_VER(eb->i915) == 6 &&
1469 !i915_vma_is_bound(target->vma, I915_VMA_GLOBAL_BIND)) {
1470 struct i915_vma *vma = target->vma;
1471
1472 reloc_cache_unmap(&eb->reloc_cache);
1473 mutex_lock(&vma->vm->mutex);
1474 err = i915_vma_bind(target->vma,
1475 target->vma->obj->pat_index,
1476 PIN_GLOBAL, NULL, NULL);
1477 mutex_unlock(&vma->vm->mutex);
1478 reloc_cache_remap(&eb->reloc_cache, ev->vma->obj);
1479 if (err)
1480 return err;
1481 }
1482 }
1483
1484 /*
1485 * If the relocation already has the right value in it, no
1486 * more work needs to be done.
1487 */
1488 if (!DBG_FORCE_RELOC &&
1489 gen8_canonical_addr(i915_vma_offset(target->vma)) == reloc->presumed_offset)
1490 return 0;
1491
1492 /* Check that the relocation address is valid... */
1493 if (unlikely(reloc->offset >
1494 ev->vma->size - (eb->reloc_cache.use_64bit_reloc ? 8 : 4))) {
1495 drm_dbg(&i915->drm, "Relocation beyond object bounds: "
1496 "target %d offset %d size %d.\n",
1497 reloc->target_handle,
1498 (int)reloc->offset,
1499 (int)ev->vma->size);
1500 return -EINVAL;
1501 }
1502 if (unlikely(reloc->offset & 3)) {
1503 drm_dbg(&i915->drm, "Relocation not 4-byte aligned: "
1504 "target %d offset %d.\n",
1505 reloc->target_handle,
1506 (int)reloc->offset);
1507 return -EINVAL;
1508 }
1509
1510 /*
1511 * If we write into the object, we need to force the synchronisation
1512 * barrier, either with an asynchronous clflush or if we executed the
1513 * patching using the GPU (though that should be serialised by the
1514 * timeline). To be completely sure, and since we are required to
1515 * do relocations we are already stalling, disable the user's opt
1516 * out of our synchronisation.
1517 */
1518 ev->flags &= ~EXEC_OBJECT_ASYNC;
1519
1520 /* and update the user's relocation entry */
1521 return relocate_entry(ev->vma, reloc, eb, target->vma);
1522 }
1523
1524 static int eb_relocate_vma(struct i915_execbuffer *eb, struct eb_vma *ev)
1525 {
1526 #define N_RELOC(x) ((x) / sizeof(struct drm_i915_gem_relocation_entry))
1527 struct drm_i915_gem_relocation_entry stack[N_RELOC(512)];
1528 const struct drm_i915_gem_exec_object2 *entry = ev->exec;
1529 struct drm_i915_gem_relocation_entry __user *urelocs =
1530 u64_to_user_ptr(entry->relocs_ptr);
1531 unsigned long remain = entry->relocation_count;
1532
1533 if (unlikely(remain > N_RELOC(INT_MAX)))
1534 return -EINVAL;
1535
1536 /*
1537 * We must check that the entire relocation array is safe
1538 * to read. However, if the array is not writable the user loses
1539 * the updated relocation values.
1540 */
1541 if (unlikely(!access_ok(urelocs, remain * sizeof(*urelocs))))
1542 return -EFAULT;
1543
1544 do {
1545 struct drm_i915_gem_relocation_entry *r = stack;
1546 unsigned int count =
1547 min_t(unsigned long, remain, ARRAY_SIZE(stack));
1548 unsigned int copied;
1549
1550 /*
1551 * This is the fast path and we cannot handle a pagefault
1552 * whilst holding the struct mutex lest the user pass in the
1553 * relocations contained within a mmaped bo. For in such a case
1554 * the page fault handler would call i915_gem_fault() and
1555 * we would try to acquire the struct mutex again. Obviously
1556 * this is bad and so lockdep complains vehemently.
1557 */
1558 pagefault_disable();
1559 copied = __copy_from_user_inatomic(r, urelocs, count * sizeof(r[0]));
1560 pagefault_enable();
1561 if (unlikely(copied)) {
1562 remain = -EFAULT;
1563 goto out;
1564 }
1565
1566 remain -= count;
1567 do {
1568 u64 offset = eb_relocate_entry(eb, ev, r);
1569
1570 if (likely(offset == 0)) {
1571 } else if ((s64)offset < 0) {
1572 remain = (int)offset;
1573 goto out;
1574 } else {
1575 /*
1576 * Note that reporting an error now
1577 * leaves everything in an inconsistent
1578 * state as we have *already* changed
1579 * the relocation value inside the
1580 * object. As we have not changed the
1581 * reloc.presumed_offset or will not
1582 * change the execobject.offset, on the
1583 * call we may not rewrite the value
1584 * inside the object, leaving it
1585 * dangling and causing a GPU hang. Unless
1586 * userspace dynamically rebuilds the
1587 * relocations on each execbuf rather than
1588 * presume a static tree.
1589 *
1590 * We did previously check if the relocations
1591 * were writable (access_ok), an error now
1592 * would be a strange race with mprotect,
1593 * having already demonstrated that we
1594 * can read from this userspace address.
1595 */
1596 offset = gen8_canonical_addr(offset & ~UPDATE);
1597 __put_user(offset,
1598 &urelocs[r - stack].presumed_offset);
1599 }
1600 } while (r++, --count);
1601 urelocs += ARRAY_SIZE(stack);
1602 } while (remain);
1603 out:
1604 reloc_cache_reset(&eb->reloc_cache, eb);
1605 return remain;
1606 }
1607
1608 static int
1609 eb_relocate_vma_slow(struct i915_execbuffer *eb, struct eb_vma *ev)
1610 {
1611 const struct drm_i915_gem_exec_object2 *entry = ev->exec;
1612 struct drm_i915_gem_relocation_entry *relocs =
1613 u64_to_ptr(typeof(*relocs), entry->relocs_ptr);
1614 unsigned int i;
1615 int err;
1616
1617 for (i = 0; i < entry->relocation_count; i++) {
1618 u64 offset = eb_relocate_entry(eb, ev, &relocs[i]);
1619
1620 if ((s64)offset < 0) {
1621 err = (int)offset;
1622 goto err;
1623 }
1624 }
1625 err = 0;
1626 err:
1627 reloc_cache_reset(&eb->reloc_cache, eb);
1628 return err;
1629 }
1630
1631 static int check_relocations(const struct drm_i915_gem_exec_object2 *entry)
1632 {
1633 const char __user *addr, *end;
1634 unsigned long size;
1635 char __maybe_unused c;
1636
1637 size = entry->relocation_count;
1638 if (size == 0)
1639 return 0;
1640
1641 if (size > N_RELOC(INT_MAX))
1642 return -EINVAL;
1643
1644 addr = u64_to_user_ptr(entry->relocs_ptr);
1645 size *= sizeof(struct drm_i915_gem_relocation_entry);
1646 if (!access_ok(addr, size))
1647 return -EFAULT;
1648
1649 end = addr + size;
1650 for (; addr < end; addr += PAGE_SIZE) {
1651 int err = __get_user(c, addr);
1652 if (err)
1653 return err;
1654 }
1655 return __get_user(c, end - 1);
1656 }
1657
1658 static int eb_copy_relocations(const struct i915_execbuffer *eb)
1659 {
1660 struct drm_i915_gem_relocation_entry *relocs;
1661 const unsigned int count = eb->buffer_count;
1662 unsigned int i;
1663 int err;
1664
1665 for (i = 0; i < count; i++) {
1666 const unsigned int nreloc = eb->exec[i].relocation_count;
1667 struct drm_i915_gem_relocation_entry __user *urelocs;
1668 unsigned long size;
1669 unsigned long copied;
1670
1671 if (nreloc == 0)
1672 continue;
1673
1674 err = check_relocations(&eb->exec[i]);
1675 if (err)
1676 goto err;
1677
1678 urelocs = u64_to_user_ptr(eb->exec[i].relocs_ptr);
1679 size = nreloc * sizeof(*relocs);
1680
1681 relocs = kvmalloc_array(1, size, GFP_KERNEL);
1682 if (!relocs) {
1683 err = -ENOMEM;
1684 goto err;
1685 }
1686
1687 /* copy_from_user is limited to < 4GiB */
1688 copied = 0;
1689 do {
1690 unsigned int len =
1691 min_t(u64, BIT_ULL(31), size - copied);
1692
1693 if (__copy_from_user((char *)relocs + copied,
1694 (char __user *)urelocs + copied,
1695 len))
1696 goto end;
1697
1698 copied += len;
1699 } while (copied < size);
1700
1701 /*
1702 * As we do not update the known relocation offsets after
1703 * relocating (due to the complexities in lock handling),
1704 * we need to mark them as invalid now so that we force the
1705 * relocation processing next time. Just in case the target
1706 * object is evicted and then rebound into its old
1707 * presumed_offset before the next execbuffer - if that
1708 * happened we would make the mistake of assuming that the
1709 * relocations were valid.
1710 */
1711 if (!user_access_begin(urelocs, size))
1712 goto end;
1713
1714 for (copied = 0; copied < nreloc; copied++)
1715 unsafe_put_user(-1,
1716 &urelocs[copied].presumed_offset,
1717 end_user);
1718 user_access_end();
1719
1720 eb->exec[i].relocs_ptr = (uintptr_t)relocs;
1721 }
1722
1723 return 0;
1724
1725 end_user:
1726 user_access_end();
1727 end:
1728 kvfree(relocs);
1729 err = -EFAULT;
1730 err:
1731 while (i--) {
1732 relocs = u64_to_ptr(typeof(*relocs), eb->exec[i].relocs_ptr);
1733 if (eb->exec[i].relocation_count)
1734 kvfree(relocs);
1735 }
1736 return err;
1737 }
1738
1739 static int eb_prefault_relocations(const struct i915_execbuffer *eb)
1740 {
1741 const unsigned int count = eb->buffer_count;
1742 unsigned int i;
1743
1744 for (i = 0; i < count; i++) {
1745 int err;
1746
1747 err = check_relocations(&eb->exec[i]);
1748 if (err)
1749 return err;
1750 }
1751
1752 return 0;
1753 }
1754
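/*
 * Revalidate the backing store of any userptr objects via submit_init, e.g.
 * after the ww context has been dropped in the relocation slow path below;
 * __EXEC_OBJECT_USERPTR_INIT records which objects completed that step.
 */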
1755 static int eb_reinit_userptr(struct i915_execbuffer *eb)
1756 {
1757 const unsigned int count = eb->buffer_count;
1758 unsigned int i;
1759 int ret;
1760
1761 if (likely(!(eb->args->flags & __EXEC_USERPTR_USED)))
1762 return 0;
1763
1764 for (i = 0; i < count; i++) {
1765 struct eb_vma *ev = &eb->vma[i];
1766
1767 if (!i915_gem_object_is_userptr(ev->vma->obj))
1768 continue;
1769
1770 ret = i915_gem_object_userptr_submit_init(ev->vma->obj);
1771 if (ret)
1772 return ret;
1773
1774 ev->flags |= __EXEC_OBJECT_USERPTR_INIT;
1775 }
1776
1777 return 0;
1778 }
1779
1780 static noinline int eb_relocate_parse_slow(struct i915_execbuffer *eb)
1781 {
1782 bool have_copy = false;
1783 struct eb_vma *ev;
1784 int err = 0;
1785
1786 repeat:
1787 if (signal_pending(current)) {
1788 err = -ERESTARTSYS;
1789 goto out;
1790 }
1791
1792 /* We may process another execbuffer during the unlock... */
1793 eb_release_vmas(eb, false);
1794 i915_gem_ww_ctx_fini(&eb->ww);
1795
1796 /*
1797 * We take 3 passes through the slowpath.
1798 *
1799 * 1 - we try to just prefault all the user relocation entries and
1800 * then attempt to reuse the atomic pagefault disabled fast path again.
1801 *
1802 * 2 - we copy the user entries to a local buffer here outside of the
1803 * lock and allow ourselves to wait upon any rendering before applying
1804 * the relocations
1805 *
1806 * 3 - we already have a local copy of the relocation entries, but
1807 * were interrupted (EAGAIN) whilst waiting for the objects, try again.
1808 */
1809 if (!err) {
1810 err = eb_prefault_relocations(eb);
1811 } else if (!have_copy) {
1812 err = eb_copy_relocations(eb);
1813 have_copy = err == 0;
1814 } else {
1815 cond_resched();
1816 err = 0;
1817 }
1818
1819 if (!err)
1820 err = eb_reinit_userptr(eb);
1821
1822 i915_gem_ww_ctx_init(&eb->ww, true);
1823 if (err)
1824 goto out;
1825
1826 /* reacquire the objects */
1827 repeat_validate:
1828 err = eb_pin_engine(eb, false);
1829 if (err)
1830 goto err;
1831
1832 err = eb_validate_vmas(eb);
1833 if (err)
1834 goto err;
1835
1836 GEM_BUG_ON(!eb->batches[0]);
1837
1838 list_for_each_entry(ev, &eb->relocs, reloc_link) {
1839 if (!have_copy) {
1840 err = eb_relocate_vma(eb, ev);
1841 if (err)
1842 break;
1843 } else {
1844 err = eb_relocate_vma_slow(eb, ev);
1845 if (err)
1846 break;
1847 }
1848 }
1849
1850 if (err == -EDEADLK)
1851 goto err;
1852
1853 if (err && !have_copy)
1854 goto repeat;
1855
1856 if (err)
1857 goto err;
1858
1859 /* as last step, parse the command buffer */
1860 err = eb_parse(eb);
1861 if (err)
1862 goto err;
1863
1864 /*
1865 * Leave the user relocations as they are; this is the painfully slow path,
1866 * and we want to avoid the complication of dropping the lock whilst
1867 * having buffers reserved in the aperture and so causing spurious
1868 * ENOSPC for random operations.
1869 */
1870
1871 err:
1872 if (err == -EDEADLK) {
1873 eb_release_vmas(eb, false);
1874 err = i915_gem_ww_ctx_backoff(&eb->ww);
1875 if (!err)
1876 goto repeat_validate;
1877 }
1878
1879 if (err == -EAGAIN)
1880 goto repeat;
1881
1882 out:
1883 if (have_copy) {
1884 const unsigned int count = eb->buffer_count;
1885 unsigned int i;
1886
1887 for (i = 0; i < count; i++) {
1888 const struct drm_i915_gem_exec_object2 *entry =
1889 &eb->exec[i];
1890 struct drm_i915_gem_relocation_entry *relocs;
1891
1892 if (!entry->relocation_count)
1893 continue;
1894
1895 relocs = u64_to_ptr(typeof(*relocs), entry->relocs_ptr);
1896 kvfree(relocs);
1897 }
1898 }
1899
1900 return err;
1901 }
1902
1903 static int eb_relocate_parse(struct i915_execbuffer *eb)
1904 {
1905 int err;
1906 bool throttle = true;
1907
1908 retry:
1909 err = eb_pin_engine(eb, throttle);
1910 if (err) {
1911 if (err != -EDEADLK)
1912 return err;
1913
1914 goto err;
1915 }
1916
1917 /* only throttle once, even if we didn't need to throttle */
1918 throttle = false;
1919
1920 err = eb_validate_vmas(eb);
1921 if (err == -EAGAIN)
1922 goto slow;
1923 else if (err)
1924 goto err;
1925
1926 /* The objects are in their final locations, apply the relocations. */
1927 if (eb->args->flags & __EXEC_HAS_RELOC) {
1928 struct eb_vma *ev;
1929
1930 list_for_each_entry(ev, &eb->relocs, reloc_link) {
1931 err = eb_relocate_vma(eb, ev);
1932 if (err)
1933 break;
1934 }
1935
1936 if (err == -EDEADLK)
1937 goto err;
1938 else if (err)
1939 goto slow;
1940 }
1941
1942 if (!err)
1943 err = eb_parse(eb);
1944
1945 err:
1946 if (err == -EDEADLK) {
1947 eb_release_vmas(eb, false);
1948 err = i915_gem_ww_ctx_backoff(&eb->ww);
1949 if (!err)
1950 goto retry;
1951 }
1952
1953 return err;
1954
1955 slow:
1956 err = eb_relocate_parse_slow(eb);
1957 if (err)
1958 /*
1959 * If the user expects the execobject.offset and
1960 * reloc.presumed_offset to be an exact match,
1961 * as for using NO_RELOC, then we cannot update
1962 * the execobject.offset until we have completed
1963 * relocation.
1964 */
1965 eb->args->flags &= ~__EXEC_HAS_RELOC;
1966
1967 return err;
1968 }
1969
1970 /*
1971 * Using two helper loops for the order of which requests / batches are created
1972 * and added to the backend. Requests are created in order from the parent to
1973 * the last child. Requests are added in the reverse order, from the last child
1974 * to parent. This is done for locking reasons as the timeline lock is acquired
1975 * during request creation and released when the request is added to the
1976 * backend. To make lockdep happy (see intel_context_timeline_lock) this must be
1977 * the ordering.
1978 */
1979 #define for_each_batch_create_order(_eb, _i) \
1980 for ((_i) = 0; (_i) < (_eb)->num_batches; ++(_i))
1981 #define for_each_batch_add_order(_eb, _i) \
1982 BUILD_BUG_ON(!typecheck(int, _i)); \
1983 for ((_i) = (_eb)->num_batches - 1; (_i) >= 0; --(_i))
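/*
 * For example, with num_batches == 3 (a parent plus two children),
 * for_each_batch_create_order() visits 0, 1, 2 while
 * for_each_batch_add_order() visits 2, 1, 0, matching the locking order
 * described above.
 */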
1984
1985 static struct i915_request *
1986 eb_find_first_request_added(struct i915_execbuffer *eb)
1987 {
1988 int i;
1989
1990 for_each_batch_add_order(eb, i)
1991 if (eb->requests[i])
1992 return eb->requests[i];
1993
1994 GEM_BUG_ON("Request not found");
1995
1996 return NULL;
1997 }
1998
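/*
 * Error-capture bookkeeping: eb_capture_stage() allocates the per-batch
 * capture lists with GFP_KERNEL before we commit to the requests,
 * eb_capture_commit() hands them over to the requests once we are in the
 * critical path, and eb_capture_release() frees whatever was never
 * committed. Without CONFIG_DRM_I915_CAPTURE_ERROR these are all no-ops.
 */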
1999 #if IS_ENABLED(CONFIG_DRM_I915_CAPTURE_ERROR)
2000
2001 /* Stage with GFP_KERNEL allocations before we enter the signaling critical path */
2002 static int eb_capture_stage(struct i915_execbuffer *eb)
2003 {
2004 const unsigned int count = eb->buffer_count;
2005 unsigned int i = count, j;
2006
2007 while (i--) {
2008 struct eb_vma *ev = &eb->vma[i];
2009 struct i915_vma *vma = ev->vma;
2010 unsigned int flags = ev->flags;
2011
2012 if (!(flags & EXEC_OBJECT_CAPTURE))
2013 continue;
2014
2015 if (i915_gem_context_is_recoverable(eb->gem_context) &&
2016 (IS_DGFX(eb->i915) || GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 0)))
2017 return -EINVAL;
2018
2019 for_each_batch_create_order(eb, j) {
2020 struct i915_capture_list *capture;
2021
2022 capture = kmalloc(sizeof(*capture), GFP_KERNEL);
2023 if (!capture)
2024 continue;
2025
2026 capture->next = eb->capture_lists[j];
2027 capture->vma_res = i915_vma_resource_get(vma->resource);
2028 eb->capture_lists[j] = capture;
2029 }
2030 }
2031
2032 return 0;
2033 }
2034
2035 /* Commit once we're in the critical path */
2036 static void eb_capture_commit(struct i915_execbuffer *eb)
2037 {
2038 unsigned int j;
2039
2040 for_each_batch_create_order(eb, j) {
2041 struct i915_request *rq = eb->requests[j];
2042
2043 if (!rq)
2044 break;
2045
2046 rq->capture_list = eb->capture_lists[j];
2047 eb->capture_lists[j] = NULL;
2048 }
2049 }
2050
2051 /*
2052 * Release anything that didn't get committed due to errors.
2053 * The capture_list will otherwise be freed at request retire.
2054 */
2055 static void eb_capture_release(struct i915_execbuffer *eb)
2056 {
2057 unsigned int j;
2058
2059 for_each_batch_create_order(eb, j) {
2060 if (eb->capture_lists[j]) {
2061 i915_request_free_capture_list(eb->capture_lists[j]);
2062 eb->capture_lists[j] = NULL;
2063 }
2064 }
2065 }
2066
2067 static void eb_capture_list_clear(struct i915_execbuffer *eb)
2068 {
2069 memset(eb->capture_lists, 0, sizeof(eb->capture_lists));
2070 }
2071
2072 #else
2073
2074 static int eb_capture_stage(struct i915_execbuffer *eb)
2075 {
2076 return 0;
2077 }
2078
2079 static void eb_capture_commit(struct i915_execbuffer *eb)
2080 {
2081 }
2082
2083 static void eb_capture_release(struct i915_execbuffer *eb)
2084 {
2085 }
2086
2087 static void eb_capture_list_clear(struct i915_execbuffer *eb)
2088 {
2089 }
2090
2091 #endif
2092
2093 static int eb_move_to_gpu(struct i915_execbuffer *eb)
2094 {
2095 const unsigned int count = eb->buffer_count;
2096 unsigned int i = count;
2097 int err = 0, j;
2098
2099 while (i--) {
2100 struct eb_vma *ev = &eb->vma[i];
2101 struct i915_vma *vma = ev->vma;
2102 unsigned int flags = ev->flags;
2103 struct drm_i915_gem_object *obj = vma->obj;
2104
2105 assert_vma_held(vma);
2106
2107 /*
2108 * If the GPU is not _reading_ through the CPU cache, we need
2109 * to make sure that any writes (both previous GPU writes from
2110 * before a change in snooping levels and normal CPU writes)
2111 * caught in that cache are flushed to main memory.
2112 *
2113 * We want to say
2114 * obj->cache_dirty &&
2115 * !(obj->cache_coherent & I915_BO_CACHE_COHERENT_FOR_READ)
2116 * but gcc's optimiser doesn't handle that as well and emits
2117 * two jumps instead of one. Maybe one day...
2118 *
2119 * FIXME: There is also sync flushing in set_pages(), which
2120 * serves a different purpose (some of the time at least).
2121 *
2122 * We should consider:
2123 *
2124 * 1. Rip out the async flush code.
2125 *
2126 * 2. Or make the sync flushing use the async clflush path
2127 * using mandatory fences underneath. Currently the below
2128 * async flush happens after we bind the object.
2129 */
2130 if (unlikely(obj->cache_dirty & ~obj->cache_coherent)) {
2131 if (i915_gem_clflush_object(obj, 0))
2132 flags &= ~EXEC_OBJECT_ASYNC;
2133 }
2134
2135 /* We only need to await on the first request */
2136 if (err == 0 && !(flags & EXEC_OBJECT_ASYNC)) {
2137 err = i915_request_await_object
2138 (eb_find_first_request_added(eb), obj,
2139 flags & EXEC_OBJECT_WRITE);
2140 }
2141
2142 for_each_batch_add_order(eb, j) {
2143 if (err)
2144 break;
2145 if (!eb->requests[j])
2146 continue;
2147
2148 err = _i915_vma_move_to_active(vma, eb->requests[j],
2149 j ? NULL :
2150 eb->composite_fence ?
2151 eb->composite_fence :
2152 &eb->requests[j]->fence,
2153 flags | __EXEC_OBJECT_NO_RESERVE |
2154 __EXEC_OBJECT_NO_REQUEST_AWAIT);
2155 }
2156 }
2157
2158 #ifdef CONFIG_MMU_NOTIFIER
2159 if (!err && (eb->args->flags & __EXEC_USERPTR_USED)) {
2160 for (i = 0; i < count; i++) {
2161 struct eb_vma *ev = &eb->vma[i];
2162 struct drm_i915_gem_object *obj = ev->vma->obj;
2163
2164 if (!i915_gem_object_is_userptr(obj))
2165 continue;
2166
2167 err = i915_gem_object_userptr_submit_done(obj);
2168 if (err)
2169 break;
2170 }
2171 }
2172 #endif
2173
2174 if (unlikely(err))
2175 goto err_skip;
2176
2177 /* Unconditionally flush any chipset caches (for streaming writes). */
2178 intel_gt_chipset_flush(eb->gt);
2179 eb_capture_commit(eb);
2180
2181 return 0;
2182
2183 err_skip:
2184 for_each_batch_create_order(eb, j) {
2185 if (!eb->requests[j])
2186 break;
2187
2188 i915_request_set_error_once(eb->requests[j], err);
2189 }
2190 return err;
2191 }
2192
2193 static int i915_gem_check_execbuffer(struct drm_i915_private *i915,
2194 struct drm_i915_gem_execbuffer2 *exec)
2195 {
2196 if (exec->flags & __I915_EXEC_ILLEGAL_FLAGS)
2197 return -EINVAL;
2198
2199 /* Kernel clipping was a DRI1 misfeature */
2200 if (!(exec->flags & (I915_EXEC_FENCE_ARRAY |
2201 I915_EXEC_USE_EXTENSIONS))) {
2202 if (exec->num_cliprects || exec->cliprects_ptr)
2203 return -EINVAL;
2204 }
2205
2206 if (exec->DR4 == 0xffffffff) {
2207 drm_dbg(&i915->drm, "UXA submitting garbage DR4, fixing up\n");
2208 exec->DR4 = 0;
2209 }
2210 if (exec->DR1 || exec->DR4)
2211 return -EINVAL;
2212
2213 if ((exec->batch_start_offset | exec->batch_len) & 0x7)
2214 return -EINVAL;
2215
2216 return 0;
2217 }
2218
2219 static int i915_reset_gen7_sol_offsets(struct i915_request *rq)
2220 {
2221 u32 *cs;
2222 int i;
2223
2224 if (GRAPHICS_VER(rq->i915) != 7 || rq->engine->id != RCS0) {
2225 drm_dbg(&rq->i915->drm, "sol reset is gen7/rcs only\n");
2226 return -EINVAL;
2227 }
2228
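/*
 * Ring-space accounting: one MI_LOAD_REGISTER_IMM header, four
 * register/value pairs and a trailing MI_NOOP, i.e. 4 * 2 + 2 dwords.
 */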
2229 cs = intel_ring_begin(rq, 4 * 2 + 2);
2230 if (IS_ERR(cs))
2231 return PTR_ERR(cs);
2232
2233 *cs++ = MI_LOAD_REGISTER_IMM(4);
2234 for (i = 0; i < 4; i++) {
2235 *cs++ = i915_mmio_reg_offset(GEN7_SO_WRITE_OFFSET(i));
2236 *cs++ = 0;
2237 }
2238 *cs++ = MI_NOOP;
2239 intel_ring_advance(rq, cs);
2240
2241 return 0;
2242 }
2243
2244 static struct i915_vma *
2245 shadow_batch_pin(struct i915_execbuffer *eb,
2246 struct drm_i915_gem_object *obj,
2247 struct i915_address_space *vm,
2248 unsigned int flags)
2249 {
2250 struct i915_vma *vma;
2251 int err;
2252
2253 vma = i915_vma_instance(obj, vm, NULL);
2254 if (IS_ERR(vma))
2255 return vma;
2256
2257 err = i915_vma_pin_ww(vma, &eb->ww, 0, 0, flags | PIN_VALIDATE);
2258 if (err)
2259 return ERR_PTR(err);
2260
2261 return vma;
2262 }
2263
2264 static struct i915_vma *eb_dispatch_secure(struct i915_execbuffer *eb, struct i915_vma *vma)
2265 {
2266 /*
2267 * snb/ivb/vlv conflate the "batch in ppgtt" bit with the "non-secure
2268 * batch" bit. Hence we need to pin secure batches into the global gtt.
2269 * hsw should have this fixed, but bdw mucks it up again. */
2270 if (eb->batch_flags & I915_DISPATCH_SECURE)
2271 return i915_gem_object_ggtt_pin_ww(vma->obj, &eb->ww, NULL, 0, 0, PIN_VALIDATE);
2272
2273 return NULL;
2274 }
2275
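/*
 * Prepare the batch for submission. If the command parser is not required we
 * only handle secure dispatch; otherwise the user batch is copied into a
 * shadow buffer from the GT buffer pool, scanned, and the shadow (read-only
 * in the ppGTT, or pinned into the GGTT with a trampoline where
 * CMDPARSER_USES_GGTT()) replaces eb->batches[0] for execution.
 */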
2276 static int eb_parse(struct i915_execbuffer *eb)
2277 {
2278 struct drm_i915_private *i915 = eb->i915;
2279 struct intel_gt_buffer_pool_node *pool = eb->batch_pool;
2280 struct i915_vma *shadow, *trampoline, *batch;
2281 unsigned long len;
2282 int err;
2283
2284 if (!eb_use_cmdparser(eb)) {
2285 batch = eb_dispatch_secure(eb, eb->batches[0]->vma);
2286 if (IS_ERR(batch))
2287 return PTR_ERR(batch);
2288
2289 goto secure_batch;
2290 }
2291
2292 if (intel_context_is_parallel(eb->context))
2293 return -EINVAL;
2294
2295 len = eb->batch_len[0];
2296 if (!CMDPARSER_USES_GGTT(eb->i915)) {
2297 /*
2298 * ppGTT backed shadow buffers must be mapped RO, to prevent
2299 * post-scan tampering
2300 */
2301 if (!eb->context->vm->has_read_only) {
2302 drm_dbg(&i915->drm,
2303 "Cannot prevent post-scan tampering without RO capable vm\n");
2304 return -EINVAL;
2305 }
2306 } else {
2307 len += I915_CMD_PARSER_TRAMPOLINE_SIZE;
2308 }
2309 if (unlikely(len < eb->batch_len[0])) /* last paranoid check of overflow */
2310 return -EINVAL;
2311
2312 if (!pool) {
2313 pool = intel_gt_get_buffer_pool(eb->gt, len,
2314 I915_MAP_WB);
2315 if (IS_ERR(pool))
2316 return PTR_ERR(pool);
2317 eb->batch_pool = pool;
2318 }
2319
2320 err = i915_gem_object_lock(pool->obj, &eb->ww);
2321 if (err)
2322 return err;
2323
2324 shadow = shadow_batch_pin(eb, pool->obj, eb->context->vm, PIN_USER);
2325 if (IS_ERR(shadow))
2326 return PTR_ERR(shadow);
2327
2328 intel_gt_buffer_pool_mark_used(pool);
2329 i915_gem_object_set_readonly(shadow->obj);
2330 shadow->private = pool;
2331
2332 trampoline = NULL;
2333 if (CMDPARSER_USES_GGTT(eb->i915)) {
2334 trampoline = shadow;
2335
2336 shadow = shadow_batch_pin(eb, pool->obj,
2337 &eb->gt->ggtt->vm,
2338 PIN_GLOBAL);
2339 if (IS_ERR(shadow))
2340 return PTR_ERR(shadow);
2341
2342 shadow->private = pool;
2343
2344 eb->batch_flags |= I915_DISPATCH_SECURE;
2345 }
2346
2347 batch = eb_dispatch_secure(eb, shadow);
2348 if (IS_ERR(batch))
2349 return PTR_ERR(batch);
2350
2351 err = dma_resv_reserve_fences(shadow->obj->base.resv, 1);
2352 if (err)
2353 return err;
2354
2355 err = intel_engine_cmd_parser(eb->context->engine,
2356 eb->batches[0]->vma,
2357 eb->batch_start_offset,
2358 eb->batch_len[0],
2359 shadow, trampoline);
2360 if (err)
2361 return err;
2362
2363 eb->batches[0] = &eb->vma[eb->buffer_count++];
2364 eb->batches[0]->vma = i915_vma_get(shadow);
2365 eb->batches[0]->flags = __EXEC_OBJECT_HAS_PIN;
2366
2367 eb->trampoline = trampoline;
2368 eb->batch_start_offset = 0;
2369
2370 secure_batch:
2371 if (batch) {
2372 if (intel_context_is_parallel(eb->context))
2373 return -EINVAL;
2374
2375 eb->batches[0] = &eb->vma[eb->buffer_count++];
2376 eb->batches[0]->flags = __EXEC_OBJECT_HAS_PIN;
2377 eb->batches[0]->vma = i915_vma_get(batch);
2378 }
2379 return 0;
2380 }
2381
2382 static int eb_request_submit(struct i915_execbuffer *eb,
2383 struct i915_request *rq,
2384 struct i915_vma *batch,
2385 u64 batch_len)
2386 {
2387 int err;
2388
2389 if (intel_context_nopreempt(rq->context))
2390 __set_bit(I915_FENCE_FLAG_NOPREEMPT, &rq->fence.flags);
2391
2392 if (eb->args->flags & I915_EXEC_GEN7_SOL_RESET) {
2393 err = i915_reset_gen7_sol_offsets(rq);
2394 if (err)
2395 return err;
2396 }
2397
2398 /*
2399 * After we completed waiting for other engines (using HW semaphores)
2400 * then we can signal that this request/batch is ready to run. This
2401 * allows us to determine if the batch is still waiting on the GPU
2402 * or actually running by checking the breadcrumb.
2403 */
2404 if (rq->context->engine->emit_init_breadcrumb) {
2405 err = rq->context->engine->emit_init_breadcrumb(rq);
2406 if (err)
2407 return err;
2408 }
2409
2410 err = rq->context->engine->emit_bb_start(rq,
2411 i915_vma_offset(batch) +
2412 eb->batch_start_offset,
2413 batch_len,
2414 eb->batch_flags);
2415 if (err)
2416 return err;
2417
2418 if (eb->trampoline) {
2419 GEM_BUG_ON(intel_context_is_parallel(rq->context));
2420 GEM_BUG_ON(eb->batch_start_offset);
2421 err = rq->context->engine->emit_bb_start(rq,
2422 i915_vma_offset(eb->trampoline) +
2423 batch_len, 0, 0);
2424 if (err)
2425 return err;
2426 }
2427
2428 return 0;
2429 }
2430
2431 static int eb_submit(struct i915_execbuffer *eb)
2432 {
2433 unsigned int i;
2434 int err;
2435
2436 err = eb_move_to_gpu(eb);
2437
2438 for_each_batch_create_order(eb, i) {
2439 if (!eb->requests[i])
2440 break;
2441
2442 trace_i915_request_queue(eb->requests[i], eb->batch_flags);
2443 if (!err)
2444 err = eb_request_submit(eb, eb->requests[i],
2445 eb->batches[i]->vma,
2446 eb->batch_len[i]);
2447 }
2448
2449 return err;
2450 }
2451
2452 /*
2453 * Find one BSD ring to dispatch the corresponding BSD command.
2454 * The engine index is returned.
2455 */
2456 static unsigned int
2457 gen8_dispatch_bsd_engine(struct drm_i915_private *i915,
2458 struct drm_file *file)
2459 {
2460 struct drm_i915_file_private *file_priv = file->driver_priv;
2461
2462 /* Check whether the file_priv has already selected one ring. */
2463 if ((int)file_priv->bsd_engine < 0)
2464 file_priv->bsd_engine =
2465 get_random_u32_below(i915->engine_uabi_class_count[I915_ENGINE_CLASS_VIDEO]);
2466
2467 return file_priv->bsd_engine;
2468 }
2469
2470 static const enum intel_engine_id user_ring_map[] = {
2471 [I915_EXEC_DEFAULT] = RCS0,
2472 [I915_EXEC_RENDER] = RCS0,
2473 [I915_EXEC_BLT] = BCS0,
2474 [I915_EXEC_BSD] = VCS0,
2475 [I915_EXEC_VEBOX] = VECS0
2476 };
2477
2478 static struct i915_request *eb_throttle(struct i915_execbuffer *eb, struct intel_context *ce)
2479 {
2480 struct intel_ring *ring = ce->ring;
2481 struct intel_timeline *tl = ce->timeline;
2482 struct i915_request *rq;
2483
2484 /*
2485 * Completely unscientific finger-in-the-air estimates for suitable
2486 * maximum user request size (to avoid blocking) and then backoff.
2487 */
2488 if (intel_ring_update_space(ring) >= PAGE_SIZE)
2489 return NULL;
2490
2491 /*
2492 * Find a request that after waiting upon, there will be at least half
2493 * the ring available. The hysteresis allows us to compete for the
2494 * shared ring and should mean that we sleep less often prior to
2495 * claiming our resources, but not so long that the ring completely
2496 * drains before we can submit our next request.
2497 */
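/*
 * For example (illustrative numbers only): with a 16 KiB ring that has
 * less than PAGE_SIZE free, we pick the oldest request on this ring
 * whose completion would leave more than 8 KiB available.
 */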
2498 list_for_each_entry(rq, &tl->requests, link) {
2499 if (rq->ring != ring)
2500 continue;
2501
2502 if (__intel_ring_space(rq->postfix,
2503 ring->emit, ring->size) > ring->size / 2)
2504 break;
2505 }
2506 if (&rq->link == &tl->requests)
2507 return NULL; /* weird, we will check again later for real */
2508
2509 return i915_request_get(rq);
2510 }
2511
2512 static int eb_pin_timeline(struct i915_execbuffer *eb, struct intel_context *ce,
2513 bool throttle)
2514 {
2515 struct intel_timeline *tl;
2516 struct i915_request *rq = NULL;
2517
2518 /*
2519 * Take a local wakeref for preparing to dispatch the execbuf as
2520 * we expect to access the hardware fairly frequently in the
2521 * process, and require the engine to be kept awake between accesses.
2522 * Upon dispatch, we acquire another prolonged wakeref that we hold
2523 * until the timeline is idle, which in turn releases the wakeref
2524 * taken on the engine, and the parent device.
2525 */
2526 tl = intel_context_timeline_lock(ce);
2527 if (IS_ERR(tl))
2528 return PTR_ERR(tl);
2529
2530 intel_context_enter(ce);
2531 if (throttle)
2532 rq = eb_throttle(eb, ce);
2533 intel_context_timeline_unlock(tl);
2534
2535 if (rq) {
2536 bool nonblock = eb->file->filp->f_flags & O_NONBLOCK;
2537 long timeout = nonblock ? 0 : MAX_SCHEDULE_TIMEOUT;
2538
2539 if (i915_request_wait(rq, I915_WAIT_INTERRUPTIBLE,
2540 timeout) < 0) {
2541 i915_request_put(rq);
2542
2543 /*
2544 * Error path, cannot use intel_context_timeline_lock as
2545 * that is user interruptible and this clean up step
2546 * must be done.
2547 */
2548 mutex_lock(&ce->timeline->mutex);
2549 intel_context_exit(ce);
2550 mutex_unlock(&ce->timeline->mutex);
2551
2552 if (nonblock)
2553 return -EWOULDBLOCK;
2554 else
2555 return -EINTR;
2556 }
2557 i915_request_put(rq);
2558 }
2559
2560 return 0;
2561 }
2562
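/*
 * Pin the context (and any parallel children) and enter their timelines,
 * children first and the parent last. On failure the unwind exits only the
 * child timelines that were already entered and then drops every context
 * pin taken above.
 */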
2563 static int eb_pin_engine(struct i915_execbuffer *eb, bool throttle)
2564 {
2565 struct intel_context *ce = eb->context, *child;
2566 int err;
2567 int i = 0, j = 0;
2568
2569 GEM_BUG_ON(eb->args->flags & __EXEC_ENGINE_PINNED);
2570
2571 if (unlikely(intel_context_is_banned(ce)))
2572 return -EIO;
2573
2574 /*
2575 * Pinning the contexts may generate requests in order to acquire
2576 * GGTT space, so do this first before we reserve a seqno for
2577 * ourselves.
2578 */
2579 err = intel_context_pin_ww(ce, &eb->ww);
2580 if (err)
2581 return err;
2582 for_each_child(ce, child) {
2583 err = intel_context_pin_ww(child, &eb->ww);
2584 GEM_BUG_ON(err); /* perma-pinned should incr a counter */
2585 }
2586
2587 for_each_child(ce, child) {
2588 err = eb_pin_timeline(eb, child, throttle);
2589 if (err)
2590 goto unwind;
2591 ++i;
2592 }
2593 err = eb_pin_timeline(eb, ce, throttle);
2594 if (err)
2595 goto unwind;
2596
2597 eb->args->flags |= __EXEC_ENGINE_PINNED;
2598 return 0;
2599
2600 unwind:
2601 for_each_child(ce, child) {
2602 if (j++ < i) {
2603 mutex_lock(&child->timeline->mutex);
2604 intel_context_exit(child);
2605 mutex_unlock(&child->timeline->mutex);
2606 }
2607 }
2608 for_each_child(ce, child)
2609 intel_context_unpin(child);
2610 intel_context_unpin(ce);
2611 return err;
2612 }
2613
2614 static void eb_unpin_engine(struct i915_execbuffer *eb)
2615 {
2616 struct intel_context *ce = eb->context, *child;
2617
2618 if (!(eb->args->flags & __EXEC_ENGINE_PINNED))
2619 return;
2620
2621 eb->args->flags &= ~__EXEC_ENGINE_PINNED;
2622
2623 for_each_child(ce, child) {
2624 mutex_lock(&child->timeline->mutex);
2625 intel_context_exit(child);
2626 mutex_unlock(&child->timeline->mutex);
2627
2628 intel_context_unpin(child);
2629 }
2630
2631 mutex_lock(&ce->timeline->mutex);
2632 intel_context_exit(ce);
2633 mutex_unlock(&ce->timeline->mutex);
2634
2635 intel_context_unpin(ce);
2636 }
2637
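/*
 * Worked example for the legacy ring selection below: I915_EXEC_BSD with
 * I915_EXEC_BSD_RING2 yields bsd_idx == 2 after the shift, then 1 after the
 * decrement, i.e. _VCS(1); I915_EXEC_BSD_DEFAULT instead lets
 * gen8_dispatch_bsd_engine() pick (and remember) a random video engine.
 */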
2638 static unsigned int
2639 eb_select_legacy_ring(struct i915_execbuffer *eb)
2640 {
2641 struct drm_i915_private *i915 = eb->i915;
2642 struct drm_i915_gem_execbuffer2 *args = eb->args;
2643 unsigned int user_ring_id = args->flags & I915_EXEC_RING_MASK;
2644
2645 if (user_ring_id != I915_EXEC_BSD &&
2646 (args->flags & I915_EXEC_BSD_MASK)) {
2647 drm_dbg(&i915->drm,
2648 "execbuf with non bsd ring but with invalid "
2649 "bsd dispatch flags: %d\n", (int)(args->flags));
2650 return -1;
2651 }
2652
2653 if (user_ring_id == I915_EXEC_BSD &&
2654 i915->engine_uabi_class_count[I915_ENGINE_CLASS_VIDEO] > 1) {
2655 unsigned int bsd_idx = args->flags & I915_EXEC_BSD_MASK;
2656
2657 if (bsd_idx == I915_EXEC_BSD_DEFAULT) {
2658 bsd_idx = gen8_dispatch_bsd_engine(i915, eb->file);
2659 } else if (bsd_idx >= I915_EXEC_BSD_RING1 &&
2660 bsd_idx <= I915_EXEC_BSD_RING2) {
2661 bsd_idx >>= I915_EXEC_BSD_SHIFT;
2662 bsd_idx--;
2663 } else {
2664 drm_dbg(&i915->drm,
2665 "execbuf with unknown bsd ring: %u\n",
2666 bsd_idx);
2667 return -1;
2668 }
2669
2670 return _VCS(bsd_idx);
2671 }
2672
2673 if (user_ring_id >= ARRAY_SIZE(user_ring_map)) {
2674 drm_dbg(&i915->drm, "execbuf with unknown ring: %u\n",
2675 user_ring_id);
2676 return -1;
2677 }
2678
2679 return user_ring_map[user_ring_id];
2680 }
2681
2682 static int
2683 eb_select_engine(struct i915_execbuffer *eb)
2684 {
2685 struct intel_context *ce, *child;
2686 struct intel_gt *gt;
2687 unsigned int idx;
2688 int err;
2689
2690 if (i915_gem_context_user_engines(eb->gem_context))
2691 idx = eb->args->flags & I915_EXEC_RING_MASK;
2692 else
2693 idx = eb_select_legacy_ring(eb);
2694
2695 ce = i915_gem_context_get_engine(eb->gem_context, idx);
2696 if (IS_ERR(ce))
2697 return PTR_ERR(ce);
2698
2699 if (intel_context_is_parallel(ce)) {
2700 if (eb->buffer_count < ce->parallel.number_children + 1) {
2701 intel_context_put(ce);
2702 return -EINVAL;
2703 }
2704 if (eb->batch_start_offset || eb->args->batch_len) {
2705 intel_context_put(ce);
2706 return -EINVAL;
2707 }
2708 }
2709 eb->num_batches = ce->parallel.number_children + 1;
2710 gt = ce->engine->gt;
2711
2712 for_each_child(ce, child)
2713 intel_context_get(child);
2714 eb->wakeref = intel_gt_pm_get(ce->engine->gt);
2715 /*
2716 * Keep GT0 active on MTL so that i915_vma_parked() doesn't
2717 * free VMAs while execbuf ioctl is validating VMAs.
2718 */
2719 if (gt->info.id)
2720 eb->wakeref_gt0 = intel_gt_pm_get(to_gt(gt->i915));
2721
2722 if (!test_bit(CONTEXT_ALLOC_BIT, &ce->flags)) {
2723 err = intel_context_alloc_state(ce);
2724 if (err)
2725 goto err;
2726 }
2727 for_each_child(ce, child) {
2728 if (!test_bit(CONTEXT_ALLOC_BIT, &child->flags)) {
2729 err = intel_context_alloc_state(child);
2730 if (err)
2731 goto err;
2732 }
2733 }
2734
2735 /*
2736 * ABI: Before userspace accesses the GPU (e.g. execbuffer), report
2737 * EIO if the GPU is already wedged.
2738 */
2739 err = intel_gt_terminally_wedged(ce->engine->gt);
2740 if (err)
2741 goto err;
2742
2743 if (!i915_vm_tryget(ce->vm)) {
2744 err = -ENOENT;
2745 goto err;
2746 }
2747
2748 eb->context = ce;
2749 eb->gt = ce->engine->gt;
2750
2751 /*
2752 * Make sure engine pool stays alive even if we call intel_context_put
2753 * during ww handling. The pool is destroyed when the last pm reference
2754 * is dropped, which breaks our -EDEADLK handling.
2755 */
2756 return err;
2757
2758 err:
2759 if (gt->info.id)
2760 intel_gt_pm_put(to_gt(gt->i915), eb->wakeref_gt0);
2761
2762 intel_gt_pm_put(ce->engine->gt, eb->wakeref);
2763 for_each_child(ce, child)
2764 intel_context_put(child);
2765 intel_context_put(ce);
2766 return err;
2767 }
2768
2769 static void
2770 eb_put_engine(struct i915_execbuffer *eb)
2771 {
2772 struct intel_context *child;
2773
2774 i915_vm_put(eb->context->vm);
2775 /*
2776 * This works in conjunction with eb_select_engine() to prevent
2777 * i915_vma_parked() from interfering while execbuf validates vmas.
2778 */
2779 if (eb->gt->info.id)
2780 intel_gt_pm_put(to_gt(eb->gt->i915), eb->wakeref_gt0);
2781 intel_gt_pm_put(eb->context->engine->gt, eb->wakeref);
2782 for_each_child(eb->context, child)
2783 intel_context_put(child);
2784 intel_context_put(eb->context);
2785 }
2786
2787 static void
2788 __free_fence_array(struct eb_fence *fences, unsigned int n)
2789 {
2790 while (n--) {
2791 drm_syncobj_put(ptr_mask_bits(fences[n].syncobj, 2));
2792 dma_fence_put(fences[n].dma_fence);
2793 dma_fence_chain_free(fences[n].chain_fence);
2794 }
2795 kvfree(fences);
2796 }
2797
2798 static int
2799 add_timeline_fence_array(struct i915_execbuffer *eb,
2800 const struct drm_i915_gem_execbuffer_ext_timeline_fences *timeline_fences)
2801 {
2802 struct drm_i915_gem_exec_fence __user *user_fences;
2803 u64 __user *user_values;
2804 struct eb_fence *f;
2805 u64 nfences;
2806 int err = 0;
2807
2808 nfences = timeline_fences->fence_count;
2809 if (!nfences)
2810 return 0;
2811
2812 /* Check multiplication overflow for access_ok() and kvmalloc_array() */
2813 BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long));
2814 if (nfences > min_t(unsigned long,
2815 ULONG_MAX / sizeof(*user_fences),
2816 SIZE_MAX / sizeof(*f)) - eb->num_fences)
2817 return -EINVAL;
2818
2819 user_fences = u64_to_user_ptr(timeline_fences->handles_ptr);
2820 if (!access_ok(user_fences, nfences * sizeof(*user_fences)))
2821 return -EFAULT;
2822
2823 user_values = u64_to_user_ptr(timeline_fences->values_ptr);
2824 if (!access_ok(user_values, nfences * sizeof(*user_values)))
2825 return -EFAULT;
2826
2827 f = krealloc(eb->fences,
2828 (eb->num_fences + nfences) * sizeof(*f),
2829 __GFP_NOWARN | GFP_KERNEL);
2830 if (!f)
2831 return -ENOMEM;
2832
2833 eb->fences = f;
2834 f += eb->num_fences;
2835
2836 BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) &
2837 ~__I915_EXEC_FENCE_UNKNOWN_FLAGS);
2838
2839 while (nfences--) {
2840 struct drm_i915_gem_exec_fence user_fence;
2841 struct drm_syncobj *syncobj;
2842 struct dma_fence *fence = NULL;
2843 u64 point;
2844
2845 if (__copy_from_user(&user_fence,
2846 user_fences++,
2847 sizeof(user_fence)))
2848 return -EFAULT;
2849
2850 if (user_fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS)
2851 return -EINVAL;
2852
2853 if (__get_user(point, user_values++))
2854 return -EFAULT;
2855
2856 syncobj = drm_syncobj_find(eb->file, user_fence.handle);
2857 if (!syncobj) {
2858 drm_dbg(&eb->i915->drm,
2859 "Invalid syncobj handle provided\n");
2860 return -ENOENT;
2861 }
2862
2863 fence = drm_syncobj_fence_get(syncobj);
2864
2865 if (!fence && user_fence.flags &&
2866 !(user_fence.flags & I915_EXEC_FENCE_SIGNAL)) {
2867 drm_dbg(&eb->i915->drm,
2868 "Syncobj handle has no fence\n");
2869 drm_syncobj_put(syncobj);
2870 return -EINVAL;
2871 }
2872
2873 if (fence)
2874 err = dma_fence_chain_find_seqno(&fence, point);
2875
2876 if (err && !(user_fence.flags & I915_EXEC_FENCE_SIGNAL)) {
2877 drm_dbg(&eb->i915->drm,
2878 "Syncobj handle missing requested point %llu\n",
2879 point);
2880 dma_fence_put(fence);
2881 drm_syncobj_put(syncobj);
2882 return err;
2883 }
2884
2885 /*
2886 * A point might have been signaled already and
2887 * garbage collected from the timeline. In this case
2888 * just ignore the point and carry on.
2889 */
2890 if (!fence && !(user_fence.flags & I915_EXEC_FENCE_SIGNAL)) {
2891 drm_syncobj_put(syncobj);
2892 continue;
2893 }
2894
2895 /*
2896 * For timeline syncobjs we need to preallocate chains for
2897 * later signaling.
2898 */
2899 if (point != 0 && user_fence.flags & I915_EXEC_FENCE_SIGNAL) {
2900 /*
2901 * Waiting and signaling the same point (when point !=
2902 * 0) would break the timeline.
2903 */
2904 if (user_fence.flags & I915_EXEC_FENCE_WAIT) {
2905 drm_dbg(&eb->i915->drm,
2906 "Trying to wait & signal the same timeline point.\n");
2907 dma_fence_put(fence);
2908 drm_syncobj_put(syncobj);
2909 return -EINVAL;
2910 }
2911
2912 f->chain_fence = dma_fence_chain_alloc();
2913 if (!f->chain_fence) {
2914 drm_syncobj_put(syncobj);
2915 dma_fence_put(fence);
2916 return -ENOMEM;
2917 }
2918 } else {
2919 f->chain_fence = NULL;
2920 }
2921
2922 f->syncobj = ptr_pack_bits(syncobj, user_fence.flags, 2);
2923 f->dma_fence = fence;
2924 f->value = point;
2925 f++;
2926 eb->num_fences++;
2927 }
2928
2929 return 0;
2930 }
2931
2932 static int add_fence_array(struct i915_execbuffer *eb)
2933 {
2934 struct drm_i915_gem_execbuffer2 *args = eb->args;
2935 struct drm_i915_gem_exec_fence __user *user;
2936 unsigned long num_fences = args->num_cliprects;
2937 struct eb_fence *f;
2938
2939 if (!(args->flags & I915_EXEC_FENCE_ARRAY))
2940 return 0;
2941
2942 if (!num_fences)
2943 return 0;
2944
2945 /* Check multiplication overflow for access_ok() and kvmalloc_array() */
2946 BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long));
2947 if (num_fences > min_t(unsigned long,
2948 ULONG_MAX / sizeof(*user),
2949 SIZE_MAX / sizeof(*f) - eb->num_fences))
2950 return -EINVAL;
2951
2952 user = u64_to_user_ptr(args->cliprects_ptr);
2953 if (!access_ok(user, num_fences * sizeof(*user)))
2954 return -EFAULT;
2955
2956 f = krealloc(eb->fences,
2957 (eb->num_fences + num_fences) * sizeof(*f),
2958 __GFP_NOWARN | GFP_KERNEL);
2959 if (!f)
2960 return -ENOMEM;
2961
2962 eb->fences = f;
2963 f += eb->num_fences;
2964 while (num_fences--) {
2965 struct drm_i915_gem_exec_fence user_fence;
2966 struct drm_syncobj *syncobj;
2967 struct dma_fence *fence = NULL;
2968
2969 if (__copy_from_user(&user_fence, user++, sizeof(user_fence)))
2970 return -EFAULT;
2971
2972 if (user_fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS)
2973 return -EINVAL;
2974
2975 syncobj = drm_syncobj_find(eb->file, user_fence.handle);
2976 if (!syncobj) {
2977 drm_dbg(&eb->i915->drm,
2978 "Invalid syncobj handle provided\n");
2979 return -ENOENT;
2980 }
2981
2982 if (user_fence.flags & I915_EXEC_FENCE_WAIT) {
2983 fence = drm_syncobj_fence_get(syncobj);
2984 if (!fence) {
2985 drm_dbg(&eb->i915->drm,
2986 "Syncobj handle has no fence\n");
2987 drm_syncobj_put(syncobj);
2988 return -EINVAL;
2989 }
2990 }
2991
2992 BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) &
2993 ~__I915_EXEC_FENCE_UNKNOWN_FLAGS);
2994
2995 f->syncobj = ptr_pack_bits(syncobj, user_fence.flags, 2);
2996 f->dma_fence = fence;
2997 f->value = 0;
2998 f->chain_fence = NULL;
2999 f++;
3000 eb->num_fences++;
3001 }
3002
3003 return 0;
3004 }
3005
3006 static void put_fence_array(struct eb_fence *fences, int num_fences)
3007 {
3008 if (fences)
3009 __free_fence_array(fences, num_fences);
3010 }
3011
3012 static int
3013 await_fence_array(struct i915_execbuffer *eb,
3014 struct i915_request *rq)
3015 {
3016 unsigned int n;
3017 int err;
3018
3019 for (n = 0; n < eb->num_fences; n++) {
3020 if (!eb->fences[n].dma_fence)
3021 continue;
3022
3023 err = i915_request_await_dma_fence(rq, eb->fences[n].dma_fence);
3024 if (err < 0)
3025 return err;
3026 }
3027
3028 return 0;
3029 }
3030
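/*
 * Propagate the submitted fence to every syncobj marked for signaling: for a
 * timeline point the preallocated dma_fence_chain is added at the requested
 * value, while a binary syncobj simply has its fence replaced.
 */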
3031 static void signal_fence_array(const struct i915_execbuffer *eb,
3032 struct dma_fence * const fence)
3033 {
3034 unsigned int n;
3035
3036 for (n = 0; n < eb->num_fences; n++) {
3037 struct drm_syncobj *syncobj;
3038 unsigned int flags;
3039
3040 syncobj = ptr_unpack_bits(eb->fences[n].syncobj, &flags, 2);
3041 if (!(flags & I915_EXEC_FENCE_SIGNAL))
3042 continue;
3043
3044 if (eb->fences[n].chain_fence) {
3045 drm_syncobj_add_point(syncobj,
3046 eb->fences[n].chain_fence,
3047 fence,
3048 eb->fences[n].value);
3049 /*
3050 * The chain's ownership is transferred to the
3051 * timeline.
3052 */
3053 eb->fences[n].chain_fence = NULL;
3054 } else {
3055 drm_syncobj_replace_fence(syncobj, fence);
3056 }
3057 }
3058 }
3059
3060 static int
3061 parse_timeline_fences(struct i915_user_extension __user *ext, void *data)
3062 {
3063 struct i915_execbuffer *eb = data;
3064 struct drm_i915_gem_execbuffer_ext_timeline_fences timeline_fences;
3065
3066 if (copy_from_user(&timeline_fences, ext, sizeof(timeline_fences)))
3067 return -EFAULT;
3068
3069 return add_timeline_fence_array(eb, &timeline_fences);
3070 }
3071
3072 static void retire_requests(struct intel_timeline *tl, struct i915_request *end)
3073 {
3074 struct i915_request *rq, *rn;
3075
3076 list_for_each_entry_safe(rq, rn, &tl->requests, link)
3077 if (rq == end || !i915_request_retire(rq))
3078 break;
3079 }
3080
3081 static int eb_request_add(struct i915_execbuffer *eb, struct i915_request *rq,
3082 int err, bool last_parallel)
3083 {
3084 struct intel_timeline * const tl = i915_request_timeline(rq);
3085 struct i915_sched_attr attr = {};
3086 struct i915_request *prev;
3087
3088 lockdep_assert_held(&tl->mutex);
3089 lockdep_unpin_lock(&tl->mutex, rq->cookie);
3090
3091 trace_i915_request_add(rq);
3092
3093 prev = __i915_request_commit(rq);
3094
3095 /* Check that the context wasn't destroyed before submission */
3096 if (likely(!intel_context_is_closed(eb->context))) {
3097 attr = eb->gem_context->sched;
3098 } else {
3099 /* Serialise with context_close via the add_to_timeline */
3100 i915_request_set_error_once(rq, -ENOENT);
3101 __i915_request_skip(rq);
3102 err = -ENOENT; /* override any transient errors */
3103 }
3104
3105 if (intel_context_is_parallel(eb->context)) {
3106 if (err) {
3107 __i915_request_skip(rq);
3108 set_bit(I915_FENCE_FLAG_SKIP_PARALLEL,
3109 &rq->fence.flags);
3110 }
3111 if (last_parallel)
3112 set_bit(I915_FENCE_FLAG_SUBMIT_PARALLEL,
3113 &rq->fence.flags);
3114 }
3115
3116 __i915_request_queue(rq, &attr);
3117
3118 /* Try to clean up the client's timeline after submitting the request */
3119 if (prev)
3120 retire_requests(tl, prev);
3121
3122 mutex_unlock(&tl->mutex);
3123
3124 return err;
3125 }
3126
3127 static int eb_requests_add(struct i915_execbuffer *eb, int err)
3128 {
3129 int i;
3130
3131 /*
3132 * We iterate in reverse order of creation to release the timeline mutexes
3133 * in the same order.
3134 */
3135 for_each_batch_add_order(eb, i) {
3136 struct i915_request *rq = eb->requests[i];
3137
3138 if (!rq)
3139 continue;
3140 err |= eb_request_add(eb, rq, err, i == 0);
3141 }
3142
3143 return err;
3144 }
3145
3146 static const i915_user_extension_fn execbuf_extensions[] = {
3147 [DRM_I915_GEM_EXECBUFFER_EXT_TIMELINE_FENCES] = parse_timeline_fences,
3148 };
3149
3150 static int
3151 parse_execbuf2_extensions(struct drm_i915_gem_execbuffer2 *args,
3152 struct i915_execbuffer *eb)
3153 {
3154 if (!(args->flags & I915_EXEC_USE_EXTENSIONS))
3155 return 0;
3156
3157 /* The execbuf2 extension mechanism reuses cliprects_ptr. So we cannot
3158 * have another flag also using it at the same time.
3159 */
3160 if (eb->args->flags & I915_EXEC_FENCE_ARRAY)
3161 return -EINVAL;
3162
3163 if (args->num_cliprects != 0)
3164 return -EINVAL;
3165
3166 return i915_user_extensions(u64_to_user_ptr(args->cliprects_ptr),
3167 execbuf_extensions,
3168 ARRAY_SIZE(execbuf_extensions),
3169 eb);
3170 }
3171
3172 static void eb_requests_get(struct i915_execbuffer *eb)
3173 {
3174 unsigned int i;
3175
3176 for_each_batch_create_order(eb, i) {
3177 if (!eb->requests[i])
3178 break;
3179
3180 i915_request_get(eb->requests[i]);
3181 }
3182 }
3183
3184 static void eb_requests_put(struct i915_execbuffer *eb)
3185 {
3186 unsigned int i;
3187
3188 for_each_batch_create_order(eb, i) {
3189 if (!eb->requests[i])
3190 break;
3191
3192 i915_request_put(eb->requests[i]);
3193 }
3194 }
3195
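/*
 * For a parallel (multi-batch) submission, build a single dma_fence_array
 * covering every batch's request. It backs the optional out-fence sync_file
 * and is stored as eb->composite_fence, which is later preferred over the
 * first request's fence when signaling user syncobjs.
 */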
3196 static struct sync_file *
3197 eb_composite_fence_create(struct i915_execbuffer *eb, int out_fence_fd)
3198 {
3199 struct sync_file *out_fence = NULL;
3200 struct dma_fence_array *fence_array;
3201 struct dma_fence **fences;
3202 unsigned int i;
3203
3204 GEM_BUG_ON(!intel_context_is_parent(eb->context));
3205
3206 fences = kmalloc_array(eb->num_batches, sizeof(*fences), GFP_KERNEL);
3207 if (!fences)
3208 return ERR_PTR(-ENOMEM);
3209
3210 for_each_batch_create_order(eb, i) {
3211 fences[i] = &eb->requests[i]->fence;
3212 __set_bit(I915_FENCE_FLAG_COMPOSITE,
3213 &eb->requests[i]->fence.flags);
3214 }
3215
3216 fence_array = dma_fence_array_create(eb->num_batches,
3217 fences,
3218 eb->context->parallel.fence_context,
3219 eb->context->parallel.seqno++,
3220 false);
3221 if (!fence_array) {
3222 kfree(fences);
3223 return ERR_PTR(-ENOMEM);
3224 }
3225
3226 /* Move ownership to the dma_fence_array created above */
3227 for_each_batch_create_order(eb, i)
3228 dma_fence_get(fences[i]);
3229
3230 if (out_fence_fd != -1) {
3231 out_fence = sync_file_create(&fence_array->base);
3232 /* sync_file now owns fence_array, drop creation ref */
3233 dma_fence_put(&fence_array->base);
3234 if (!out_fence)
3235 return ERR_PTR(-ENOMEM);
3236 }
3237
3238 eb->composite_fence = &fence_array->base;
3239
3240 return out_fence;
3241 }
3242
3243 static struct sync_file *
3244 eb_fences_add(struct i915_execbuffer *eb, struct i915_request *rq,
3245 struct dma_fence *in_fence, int out_fence_fd)
3246 {
3247 struct sync_file *out_fence = NULL;
3248 int err;
3249
3250 if (unlikely(eb->gem_context->syncobj)) {
3251 struct dma_fence *fence;
3252
3253 fence = drm_syncobj_fence_get(eb->gem_context->syncobj);
3254 err = i915_request_await_dma_fence(rq, fence);
3255 dma_fence_put(fence);
3256 if (err)
3257 return ERR_PTR(err);
3258 }
3259
3260 if (in_fence) {
3261 if (eb->args->flags & I915_EXEC_FENCE_SUBMIT)
3262 err = i915_request_await_execution(rq, in_fence);
3263 else
3264 err = i915_request_await_dma_fence(rq, in_fence);
3265 if (err < 0)
3266 return ERR_PTR(err);
3267 }
3268
3269 if (eb->fences) {
3270 err = await_fence_array(eb, rq);
3271 if (err)
3272 return ERR_PTR(err);
3273 }
3274
3275 if (intel_context_is_parallel(eb->context)) {
3276 out_fence = eb_composite_fence_create(eb, out_fence_fd);
3277 if (IS_ERR(out_fence))
3278 return ERR_PTR(-ENOMEM);
3279 } else if (out_fence_fd != -1) {
3280 out_fence = sync_file_create(&rq->fence);
3281 if (!out_fence)
3282 return ERR_PTR(-ENOMEM);
3283 }
3284
3285 return out_fence;
3286 }
3287
3288 static struct intel_context *
3289 eb_find_context(struct i915_execbuffer *eb, unsigned int context_number)
3290 {
3291 struct intel_context *child;
3292
3293 if (likely(context_number == 0))
3294 return eb->context;
3295
3296 for_each_child(eb->context, child)
3297 if (!--context_number)
3298 return child;
3299
3300 GEM_BUG_ON("Context not found");
3301
3302 return NULL;
3303 }
3304
3305 static struct sync_file *
3306 eb_requests_create(struct i915_execbuffer *eb, struct dma_fence *in_fence,
3307 int out_fence_fd)
3308 {
3309 struct sync_file *out_fence = NULL;
3310 unsigned int i;
3311
3312 for_each_batch_create_order(eb, i) {
3313 /* Allocate a request for this batch buffer nice and early. */
3314 eb->requests[i] = i915_request_create(eb_find_context(eb, i));
3315 if (IS_ERR(eb->requests[i])) {
3316 out_fence = ERR_CAST(eb->requests[i]);
3317 eb->requests[i] = NULL;
3318 return out_fence;
3319 }
3320
3321 /*
3322 * Only the first request added (committed to backend) has to
3323 * take the in fences into account as all subsequent requests
3324 * will have fences inserted in between them.
3325 */
3326 if (i + 1 == eb->num_batches) {
3327 out_fence = eb_fences_add(eb, eb->requests[i],
3328 in_fence, out_fence_fd);
3329 if (IS_ERR(out_fence))
3330 return out_fence;
3331 }
3332
3333 /*
3334 * Not really on stack, but we don't want to call
3335 * kfree on the batch_snapshot when we put it, so use the
3336 * _onstack interface.
3337 */
3338 if (eb->batches[i]->vma)
3339 eb->requests[i]->batch_res =
3340 i915_vma_resource_get(eb->batches[i]->vma->resource);
3341 if (eb->batch_pool) {
3342 GEM_BUG_ON(intel_context_is_parallel(eb->context));
3343 intel_gt_buffer_pool_mark_active(eb->batch_pool,
3344 eb->requests[i]);
3345 }
3346 }
3347
3348 return out_fence;
3349 }
3350
3351 static int
3352 i915_gem_do_execbuffer(struct drm_device *dev,
3353 struct drm_file *file,
3354 struct drm_i915_gem_execbuffer2 *args,
3355 struct drm_i915_gem_exec_object2 *exec)
3356 {
3357 struct drm_i915_private *i915 = to_i915(dev);
3358 struct i915_execbuffer eb;
3359 struct dma_fence *in_fence = NULL;
3360 struct sync_file *out_fence = NULL;
3361 int out_fence_fd = -1;
3362 int err;
3363
3364 BUILD_BUG_ON(__EXEC_INTERNAL_FLAGS & ~__I915_EXEC_ILLEGAL_FLAGS);
3365 BUILD_BUG_ON(__EXEC_OBJECT_INTERNAL_FLAGS &
3366 ~__EXEC_OBJECT_UNKNOWN_FLAGS);
3367
3368 eb.i915 = i915;
3369 eb.file = file;
3370 eb.args = args;
3371 if (DBG_FORCE_RELOC || !(args->flags & I915_EXEC_NO_RELOC))
3372 args->flags |= __EXEC_HAS_RELOC;
3373
3374 eb.exec = exec;
3375 eb.vma = (struct eb_vma *)(exec + args->buffer_count + 1);
3376 eb.vma[0].vma = NULL;
3377 eb.batch_pool = NULL;
3378
3379 eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
3380 reloc_cache_init(&eb.reloc_cache, eb.i915);
3381
3382 eb.buffer_count = args->buffer_count;
3383 eb.batch_start_offset = args->batch_start_offset;
3384 eb.trampoline = NULL;
3385
3386 eb.fences = NULL;
3387 eb.num_fences = 0;
3388
3389 eb_capture_list_clear(&eb);
3390
3391 memset(eb.requests, 0, sizeof(struct i915_request *) *
3392 ARRAY_SIZE(eb.requests));
3393 eb.composite_fence = NULL;
3394
3395 eb.batch_flags = 0;
3396 if (args->flags & I915_EXEC_SECURE) {
3397 if (GRAPHICS_VER(i915) >= 11)
3398 return -ENODEV;
3399
3400 /* Return -EPERM to trigger fallback code on old binaries. */
3401 if (!HAS_SECURE_BATCHES(i915))
3402 return -EPERM;
3403
3404 if (!drm_is_current_master(file) || !capable(CAP_SYS_ADMIN))
3405 return -EPERM;
3406
3407 eb.batch_flags |= I915_DISPATCH_SECURE;
3408 }
3409 if (args->flags & I915_EXEC_IS_PINNED)
3410 eb.batch_flags |= I915_DISPATCH_PINNED;
3411
3412 err = parse_execbuf2_extensions(args, &eb);
3413 if (err)
3414 goto err_ext;
3415
3416 err = add_fence_array(&eb);
3417 if (err)
3418 goto err_ext;
3419
3420 #define IN_FENCES (I915_EXEC_FENCE_IN | I915_EXEC_FENCE_SUBMIT)
3421 if (args->flags & IN_FENCES) {
3422 if ((args->flags & IN_FENCES) == IN_FENCES)
3423 return -EINVAL;
3424
3425 in_fence = sync_file_get_fence(lower_32_bits(args->rsvd2));
3426 if (!in_fence) {
3427 err = -EINVAL;
3428 goto err_ext;
3429 }
3430 }
3431 #undef IN_FENCES
3432
3433 if (args->flags & I915_EXEC_FENCE_OUT) {
3434 out_fence_fd = get_unused_fd_flags(O_CLOEXEC);
3435 if (out_fence_fd < 0) {
3436 err = out_fence_fd;
3437 goto err_in_fence;
3438 }
3439 }
3440
3441 err = eb_create(&eb);
3442 if (err)
3443 goto err_out_fence;
3444
3445 GEM_BUG_ON(!eb.lut_size);
3446
3447 err = eb_select_context(&eb);
3448 if (unlikely(err))
3449 goto err_destroy;
3450
3451 err = eb_select_engine(&eb);
3452 if (unlikely(err))
3453 goto err_context;
3454
3455 err = eb_lookup_vmas(&eb);
3456 if (err) {
3457 eb_release_vmas(&eb, true);
3458 goto err_engine;
3459 }
3460
3461 i915_gem_ww_ctx_init(&eb.ww, true);
3462
3463 err = eb_relocate_parse(&eb);
3464 if (err) {
3465 /*
3466 * If the user expects the execobject.offset and
3467 * reloc.presumed_offset to be an exact match,
3468 * as for using NO_RELOC, then we cannot update
3469 * the execobject.offset until we have completed
3470 * relocation.
3471 */
3472 args->flags &= ~__EXEC_HAS_RELOC;
3473 goto err_vma;
3474 }
3475
3476 ww_acquire_done(&eb.ww.ctx);
3477 err = eb_capture_stage(&eb);
3478 if (err)
3479 goto err_vma;
3480
3481 out_fence = eb_requests_create(&eb, in_fence, out_fence_fd);
3482 if (IS_ERR(out_fence)) {
3483 err = PTR_ERR(out_fence);
3484 out_fence = NULL;
3485 if (eb.requests[0])
3486 goto err_request;
3487 else
3488 goto err_vma;
3489 }
3490
3491 err = eb_submit(&eb);
3492
3493 err_request:
3494 eb_requests_get(&eb);
3495 err = eb_requests_add(&eb, err);
3496
3497 if (eb.fences)
3498 signal_fence_array(&eb, eb.composite_fence ?
3499 eb.composite_fence :
3500 &eb.requests[0]->fence);
3501
3502 if (unlikely(eb.gem_context->syncobj)) {
3503 drm_syncobj_replace_fence(eb.gem_context->syncobj,
3504 eb.composite_fence ?
3505 eb.composite_fence :
3506 &eb.requests[0]->fence);
3507 }
3508
3509 if (out_fence) {
3510 if (err == 0) {
3511 fd_install(out_fence_fd, out_fence->file);
3512 args->rsvd2 &= GENMASK_ULL(31, 0); /* keep in-fence */
3513 args->rsvd2 |= (u64)out_fence_fd << 32;
3514 out_fence_fd = -1;
3515 } else {
3516 fput(out_fence->file);
3517 }
3518 }
3519
3520 if (!out_fence && eb.composite_fence)
3521 dma_fence_put(eb.composite_fence);
3522
3523 eb_requests_put(&eb);
3524
3525 err_vma:
3526 eb_release_vmas(&eb, true);
3527 WARN_ON(err == -EDEADLK);
3528 i915_gem_ww_ctx_fini(&eb.ww);
3529
3530 if (eb.batch_pool)
3531 intel_gt_buffer_pool_put(eb.batch_pool);
3532 err_engine:
3533 eb_put_engine(&eb);
3534 err_context:
3535 i915_gem_context_put(eb.gem_context);
3536 err_destroy:
3537 eb_destroy(&eb);
3538 err_out_fence:
3539 if (out_fence_fd != -1)
3540 put_unused_fd(out_fence_fd);
3541 err_in_fence:
3542 dma_fence_put(in_fence);
3543 err_ext:
3544 put_fence_array(eb.fences, eb.num_fences);
3545 return err;
3546 }
3547
3548 static size_t eb_element_size(void)
3549 {
3550 return sizeof(struct drm_i915_gem_exec_object2) + sizeof(struct eb_vma);
3551 }
3552
3553 static bool check_buffer_count(size_t count)
3554 {
3555 const size_t sz = eb_element_size();
3556
3557 /*
3558 * When using LUT_HANDLE, we impose a limit of INT_MAX for the lookup
3559 * array size (see eb_create()). Otherwise, we can accept an array as
3560 * large as can be addressed (though use large arrays at your peril)!
3561 */
3562
3563 return !(count < 1 || count > INT_MAX || count > SIZE_MAX / sz - 1);
3564 }
3565
3566 int
3567 i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data,
3568 struct drm_file *file)
3569 {
3570 struct drm_i915_private *i915 = to_i915(dev);
3571 struct drm_i915_gem_execbuffer2 *args = data;
3572 struct drm_i915_gem_exec_object2 *exec2_list;
3573 const size_t count = args->buffer_count;
3574 int err;
3575
3576 if (!check_buffer_count(count)) {
3577 drm_dbg(&i915->drm, "execbuf2 with %zd buffers\n", count);
3578 return -EINVAL;
3579 }
3580
3581 err = i915_gem_check_execbuffer(i915, args);
3582 if (err)
3583 return err;
3584
3585 /* Allocate extra slots for use by the command parser */
3586 exec2_list = kvmalloc_array(count + 2, eb_element_size(),
3587 __GFP_NOWARN | GFP_KERNEL);
3588 if (exec2_list == NULL) {
3589 drm_dbg(&i915->drm, "Failed to allocate exec list for %zd buffers\n",
3590 count);
3591 return -ENOMEM;
3592 }
3593 if (copy_from_user(exec2_list,
3594 u64_to_user_ptr(args->buffers_ptr),
3595 sizeof(*exec2_list) * count)) {
3596 drm_dbg(&i915->drm, "copy %zd exec entries failed\n", count);
3597 kvfree(exec2_list);
3598 return -EFAULT;
3599 }
3600
3601 err = i915_gem_do_execbuffer(dev, file, args, exec2_list);
3602
3603 /*
3604 * Now that we have begun execution of the batchbuffer, we ignore
3605 * any new error after this point. Also given that we have already
3606 * updated the associated relocations, we try to write out the current
3607 * object locations irrespective of any error.
3608 */
3609 if (args->flags & __EXEC_HAS_RELOC) {
3610 struct drm_i915_gem_exec_object2 __user *user_exec_list =
3611 u64_to_user_ptr(args->buffers_ptr);
3612 unsigned int i;
3613
3614 /* Copy the new buffer offsets back to the user's exec list. */
3615 /*
3616 * Note: count * sizeof(*user_exec_list) does not overflow,
3617 * because we checked 'count' in check_buffer_count().
3618 *
3619 * And this range already got effectively checked earlier
3620 * when we did the "copy_from_user()" above.
3621 */
3622 if (!user_write_access_begin(user_exec_list,
3623 count * sizeof(*user_exec_list)))
3624 goto end;
3625
3626 for (i = 0; i < args->buffer_count; i++) {
3627 if (!(exec2_list[i].offset & UPDATE))
3628 continue;
3629
3630 exec2_list[i].offset =
3631 gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
3632 unsafe_put_user(exec2_list[i].offset,
3633 &user_exec_list[i].offset,
3634 end_user);
3635 }
3636 end_user:
3637 user_write_access_end();
3638 end:;
3639 }
3640
3641 args->flags &= ~__I915_EXEC_UNKNOWN_FLAGS;
3642 kvfree(exec2_list);
3643 return err;
3644 }
3645