From 0b96a086cbb4bcf0a5aab1fee6d77c1e40295297 Mon Sep 17 00:00:00 2001 From: Eric Anholt Date: Tue, 30 Sep 2014 16:25:48 -0700 Subject: vc4: Move the mirrored kernel code to a kernel/ directory. Now this whole setup matches the kernel's file layout much more closely. --- configure.ac | 1 + src/gallium/drivers/vc4/Makefile.am | 4 +- src/gallium/drivers/vc4/Makefile.sources | 5 +- src/gallium/drivers/vc4/kernel/Makefile.am | 40 + src/gallium/drivers/vc4/kernel/Makefile.sources | 5 + src/gallium/drivers/vc4/kernel/README | 6 + src/gallium/drivers/vc4/kernel/vc4_drv.h | 168 +++ src/gallium/drivers/vc4/kernel/vc4_gem.c | 147 +++ src/gallium/drivers/vc4/kernel/vc4_validate.c | 1086 ++++++++++++++++++++ .../drivers/vc4/kernel/vc4_validate_shaders.c | 322 ++++++ src/gallium/drivers/vc4/vc4_simulator.c | 122 +-- src/gallium/drivers/vc4/vc4_simulator_validate.c | 1086 -------------------- src/gallium/drivers/vc4/vc4_simulator_validate.h | 139 +-- .../drivers/vc4/vc4_simulator_validate_shaders.c | 322 ------ 14 files changed, 1789 insertions(+), 1664 deletions(-) create mode 100644 src/gallium/drivers/vc4/kernel/Makefile.am create mode 100644 src/gallium/drivers/vc4/kernel/Makefile.sources create mode 100644 src/gallium/drivers/vc4/kernel/README create mode 100644 src/gallium/drivers/vc4/kernel/vc4_drv.h create mode 100644 src/gallium/drivers/vc4/kernel/vc4_gem.c create mode 100644 src/gallium/drivers/vc4/kernel/vc4_validate.c create mode 100644 src/gallium/drivers/vc4/kernel/vc4_validate_shaders.c delete mode 100644 src/gallium/drivers/vc4/vc4_simulator_validate.c delete mode 100644 src/gallium/drivers/vc4/vc4_simulator_validate_shaders.c diff --git a/configure.ac b/configure.ac index 2a5c143b623..680dff4ab42 100644 --- a/configure.ac +++ b/configure.ac @@ -2163,6 +2163,7 @@ AC_CONFIG_FILES([Makefile src/gallium/drivers/svga/Makefile src/gallium/drivers/trace/Makefile src/gallium/drivers/vc4/Makefile + src/gallium/drivers/vc4/kernel/Makefile src/gallium/state_trackers/clover/Makefile src/gallium/state_trackers/dri/Makefile src/gallium/state_trackers/egl/Makefile diff --git a/src/gallium/drivers/vc4/Makefile.am b/src/gallium/drivers/vc4/Makefile.am index 774463138d0..3fc591f10c1 100644 --- a/src/gallium/drivers/vc4/Makefile.am +++ b/src/gallium/drivers/vc4/Makefile.am @@ -19,6 +19,8 @@ # FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS # IN THE SOFTWARE. +SUBDIRS = kernel + include Makefile.sources include $(top_srcdir)/src/gallium/Automake.inc @@ -37,5 +39,5 @@ AM_CFLAGS = \ noinst_LTLIBRARIES = libvc4.la libvc4_la_SOURCES = $(C_SOURCES) -libvc4_la_LIBADD = $(SIM_LIB) +libvc4_la_LIBADD = $(SIM_LIB) kernel/libvc4_kernel.la libvc4_la_LDFLAGS = $(SIM_LDFLAGS) diff --git a/src/gallium/drivers/vc4/Makefile.sources b/src/gallium/drivers/vc4/Makefile.sources index a41237ab94c..1befb9f676f 100644 --- a/src/gallium/drivers/vc4/Makefile.sources +++ b/src/gallium/drivers/vc4/Makefile.sources @@ -32,10 +32,11 @@ C_SOURCES := \ vc4_screen.c \ vc4_screen.h \ vc4_simulator.c \ - vc4_simulator_validate.c \ vc4_simulator_validate.h \ - vc4_simulator_validate_shaders.c \ vc4_state.c \ vc4_tiling.c \ vc4_tiling.h \ + kernel/vc4_gem.c \ + kernel/vc4_validate.c \ + kernel/vc4_validate_shaders.c \ $() diff --git a/src/gallium/drivers/vc4/kernel/Makefile.am b/src/gallium/drivers/vc4/kernel/Makefile.am new file mode 100644 index 00000000000..1ae5f1c2e83 --- /dev/null +++ b/src/gallium/drivers/vc4/kernel/Makefile.am @@ -0,0 +1,40 @@ +# Copyright © 2014 Broadcom +# +# Permission is hereby granted, free of charge, to any person obtaining a +# copy of this software and associated documentation files (the "Software"), +# to deal in the Software without restriction, including without limitation +# the rights to use, copy, modify, merge, publish, distribute, sublicense, +# and/or sell copies of the Software, and to permit persons to whom the +# Software is furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice (including the next +# paragraph) shall be included in all copies or substantial portions of the +# Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL +# THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS +# IN THE SOFTWARE. + +include Makefile.sources +include $(top_srcdir)/src/gallium/Automake.inc + +if USE_VC4_SIMULATOR +SIM_CFLAGS = -DUSE_VC4_SIMULATOR=1 +endif + +AM_CFLAGS = \ + $(LIBDRM_CFLAGS) \ + $(GALLIUM_DRIVER_CFLAGS) \ + $(SIM_CFLAGS) \ + -I$(top_srcdir)/src/mesa/ \ + -I$(srcdir)/../ \ + $() + +noinst_LTLIBRARIES = libvc4_kernel.la + +libvc4_kernel_la_SOURCES = $(C_SOURCES) +libvc4_kernel_la_LDFLAGS = $(SIM_LDFLAGS) diff --git a/src/gallium/drivers/vc4/kernel/Makefile.sources b/src/gallium/drivers/vc4/kernel/Makefile.sources new file mode 100644 index 00000000000..d1d70dd8284 --- /dev/null +++ b/src/gallium/drivers/vc4/kernel/Makefile.sources @@ -0,0 +1,5 @@ +C_SOURCES := \ + vc4_gem.c \ + vc4_validate.c \ + vc4_validate_shaders.c \ + $() diff --git a/src/gallium/drivers/vc4/kernel/README b/src/gallium/drivers/vc4/kernel/README new file mode 100644 index 00000000000..89e4442b451 --- /dev/null +++ b/src/gallium/drivers/vc4/kernel/README @@ -0,0 +1,6 @@ +This is a mirror of the kernel validation code into the userspace GL library. +It is only built when USE_VC4_SIMULATOR is defined, for compiling the driver +on an x86 system with the simpenrose simulator. It allows testing of changes +across the kernel and userspace with exposure to most of the software stack, +on a higher-performance and more-debuggable environment than the native +hardware. diff --git a/src/gallium/drivers/vc4/kernel/vc4_drv.h b/src/gallium/drivers/vc4/kernel/vc4_drv.h new file mode 100644 index 00000000000..45d9c40f97f --- /dev/null +++ b/src/gallium/drivers/vc4/kernel/vc4_drv.h @@ -0,0 +1,168 @@ +/* + * Copyright © 2014 Broadcom + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + */ + +#ifndef VC4_DRV_H +#define VC4_DRV_H + +#include "vc4_simulator_validate.h" + +enum vc4_bo_mode { + VC4_MODE_UNDECIDED, + VC4_MODE_TILE_ALLOC, + VC4_MODE_TSDA, + VC4_MODE_RENDER, + VC4_MODE_SHADER, +}; + +struct vc4_bo_exec_state { + struct drm_gem_cma_object *bo; + enum vc4_bo_mode mode; +}; + +struct exec_info { + /* Kernel-space copy of the ioctl arguments */ + struct drm_vc4_submit_cl *args; + + /* This is the array of BOs that were looked up at the start of exec. + * Command validation will use indices into this array. + */ + struct vc4_bo_exec_state *bo; + uint32_t bo_count; + + /* Current unvalidated indices into @bo loaded by the non-hardware + * VC4_PACKET_GEM_HANDLES. + */ + uint32_t bo_index[2]; + + /* This is the BO where we store the validated command lists, shader + * records, and uniforms. + */ + struct drm_gem_cma_object *exec_bo; + + /** + * This tracks the per-shader-record state (packet 64) that + * determines the length of the shader record and the offset + * it's expected to be found at. It gets read in from the + * command lists. + */ + struct vc4_shader_state { + uint8_t packet; + uint32_t addr; + /* Maximum vertex index referenced by any primitive using this + * shader state. + */ + uint32_t max_index; + } *shader_state; + + /** How many shader states the user declared they were using. */ + uint32_t shader_state_size; + /** How many shader state records the validator has seen. */ + uint32_t shader_state_count; + + bool found_tile_binning_mode_config_packet; + bool found_tile_rendering_mode_config_packet; + bool found_start_tile_binning_packet; + uint8_t bin_tiles_x, bin_tiles_y; + uint32_t fb_width, fb_height; + uint32_t tile_alloc_init_block_size; + struct drm_gem_cma_object *tile_alloc_bo; + + /** + * Computed addresses pointing into exec_bo where we start the + * bin thread (ct0) and render thread (ct1). + */ + uint32_t ct0ca, ct0ea; + uint32_t ct1ca, ct1ea; + + /* Pointers to the shader recs. These paddr gets incremented as CL + * packets are relocated in validate_gl_shader_state, and the vaddrs + * (u and v) get incremented and size decremented as the shader recs + * themselves are validated. + */ + void *shader_rec_u; + void *shader_rec_v; + uint32_t shader_rec_p; + uint32_t shader_rec_size; + + /* Pointers to the uniform data. These pointers are incremented, and + * size decremented, as each batch of uniforms is uploaded. + */ + void *uniforms_u; + void *uniforms_v; + uint32_t uniforms_p; + uint32_t uniforms_size; +}; + +/** + * struct vc4_texture_sample_info - saves the offsets into the UBO for texture + * setup parameters. + * + * This will be used at draw time to relocate the reference to the texture + * contents in p0, and validate that the offset combined with + * width/height/stride/etc. from p1 and p2/p3 doesn't sample outside the BO. + * Note that the hardware treats unprovided config parameters as 0, so not all + * of them need to be set up for every texure sample, and we'll store ~0 as + * the offset to mark the unused ones. + * + * See the VC4 3D architecture guide page 41 ("Texture and Memory Lookup Unit + * Setup") for definitions of the texture parameters. + */ +struct vc4_texture_sample_info { + uint32_t p_offset[4]; +}; + +/** + * struct vc4_validated_shader_info - information about validated shaders that + * needs to be used from command list validation. + * + * For a given shader, each time a shader state record references it, we need + * to verify that the shader doesn't read more uniforms than the shader state + * record's uniform BO pointer can provide, and we need to apply relocations + * and validate the shader state record's uniforms that define the texture + * samples. + */ +struct vc4_validated_shader_info +{ + uint32_t uniforms_size; + uint32_t uniforms_src_size; + uint32_t num_texture_samples; + struct vc4_texture_sample_info *texture_samples; +}; + +/* vc4_validate.c */ +int +vc4_validate_cl(struct drm_device *dev, + void *validated, + void *unvalidated, + uint32_t len, + bool is_bin, + struct exec_info *exec); + +int +vc4_validate_shader_recs(struct drm_device *dev, struct exec_info *exec); + +struct vc4_validated_shader_info * +vc4_validate_shader(struct drm_gem_cma_object *shader_obj, + uint32_t start_offset); + +#endif /* VC4_DRV_H */ diff --git a/src/gallium/drivers/vc4/kernel/vc4_gem.c b/src/gallium/drivers/vc4/kernel/vc4_gem.c new file mode 100644 index 00000000000..1ea17aa4e8c --- /dev/null +++ b/src/gallium/drivers/vc4/kernel/vc4_gem.c @@ -0,0 +1,147 @@ +/* + * Copyright © 2014 Broadcom + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + */ + +#ifdef USE_VC4_SIMULATOR + +#include "vc4_drv.h" + +int +vc4_cl_validate(struct drm_device *dev, struct exec_info *exec) +{ + struct drm_vc4_submit_cl *args = exec->args; + void *temp = NULL; + void *bin, *render; + int ret = 0; + uint32_t bin_offset = 0; + uint32_t render_offset = bin_offset + args->bin_cl_size; + uint32_t shader_rec_offset = roundup(render_offset + + args->render_cl_size, 16); + uint32_t uniforms_offset = shader_rec_offset + args->shader_rec_size; + uint32_t exec_size = uniforms_offset + args->uniforms_size; + uint32_t temp_size = exec_size + (sizeof(struct vc4_shader_state) * + args->shader_rec_count); + + if (shader_rec_offset < render_offset || + uniforms_offset < shader_rec_offset || + exec_size < uniforms_offset || + args->shader_rec_count >= (UINT_MAX / + sizeof(struct vc4_shader_state)) || + temp_size < exec_size) { + DRM_ERROR("overflow in exec arguments\n"); + goto fail; + } + + /* Allocate space where we'll store the copied in user command lists + * and shader records. + * + * We don't just copy directly into the BOs because we need to + * read the contents back for validation, and I think the + * bo->vaddr is uncached access. + */ + temp = kmalloc(temp_size, GFP_KERNEL); + if (!temp) { + DRM_ERROR("Failed to allocate storage for copying " + "in bin/render CLs.\n"); + ret = -ENOMEM; + goto fail; + } + bin = temp + bin_offset; + render = temp + render_offset; + exec->shader_rec_u = temp + shader_rec_offset; + exec->uniforms_u = temp + uniforms_offset; + exec->shader_state = temp + exec_size; + exec->shader_state_size = args->shader_rec_count; + + ret = copy_from_user(bin, args->bin_cl, args->bin_cl_size); + if (ret) { + DRM_ERROR("Failed to copy in bin cl\n"); + goto fail; + } + + ret = copy_from_user(render, args->render_cl, args->render_cl_size); + if (ret) { + DRM_ERROR("Failed to copy in render cl\n"); + goto fail; + } + + ret = copy_from_user(exec->shader_rec_u, args->shader_rec, + args->shader_rec_size); + if (ret) { + DRM_ERROR("Failed to copy in shader recs\n"); + goto fail; + } + + ret = copy_from_user(exec->uniforms_u, args->uniforms, + args->uniforms_size); + if (ret) { + DRM_ERROR("Failed to copy in uniforms cl\n"); + goto fail; + } + + exec->exec_bo = drm_gem_cma_create(dev, exec_size); +#if 0 + if (IS_ERR(exec->exec_bo)) { + DRM_ERROR("Couldn't allocate BO for exec\n"); + ret = PTR_ERR(exec->exec_bo); + exec->exec_bo = NULL; + goto fail; + } +#endif + + exec->ct0ca = exec->exec_bo->paddr + bin_offset; + exec->ct1ca = exec->exec_bo->paddr + render_offset; + + exec->shader_rec_v = exec->exec_bo->vaddr + shader_rec_offset; + exec->shader_rec_p = exec->exec_bo->paddr + shader_rec_offset; + exec->shader_rec_size = args->shader_rec_size; + + exec->uniforms_v = exec->exec_bo->vaddr + uniforms_offset; + exec->uniforms_p = exec->exec_bo->paddr + uniforms_offset; + exec->uniforms_size = args->uniforms_size; + + ret = vc4_validate_cl(dev, + exec->exec_bo->vaddr + bin_offset, + bin, + args->bin_cl_size, + true, + exec); + if (ret) + goto fail; + + ret = vc4_validate_cl(dev, + exec->exec_bo->vaddr + render_offset, + render, + args->render_cl_size, + false, + exec); + if (ret) + goto fail; + + ret = vc4_validate_shader_recs(dev, exec); + +fail: + kfree(temp); + return ret; +} + +#endif /* USE_VC4_SIMULATOR */ diff --git a/src/gallium/drivers/vc4/kernel/vc4_validate.c b/src/gallium/drivers/vc4/kernel/vc4_validate.c new file mode 100644 index 00000000000..fe2cd44d8e7 --- /dev/null +++ b/src/gallium/drivers/vc4/kernel/vc4_validate.c @@ -0,0 +1,1086 @@ +/* + * Copyright © 2014 Broadcom + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + */ + +/** + * Command list validator for VC4. + * + * The VC4 has no IOMMU between it and system memory. So, a user with + * access to execute command lists could escalate privilege by + * overwriting system memory (drawing to it as a framebuffer) or + * reading system memory it shouldn't (reading it as a texture, or + * uniform data, or vertex data). + * + * This validates command lists to ensure that all accesses are within + * the bounds of the GEM objects referenced. It explicitly whitelists + * packets, and looks at the offsets in any address fields to make + * sure they're constrained within the BOs they reference. + * + * Note that because of the validation that's happening anyway, this + * is where GEM relocation processing happens. + */ + +#include "vc4_drv.h" +#include "vc4_packet.h" + +#define VALIDATE_ARGS \ + struct exec_info *exec, \ + void *validated, \ + void *untrusted + + +/** Return the width in pixels of a 64-byte microtile. */ +static uint32_t +utile_width(int cpp) +{ + switch (cpp) { + case 1: + case 2: + return 8; + case 4: + return 4; + case 8: + return 2; + default: + DRM_ERROR("unknown cpp: %d\n", cpp); + return 1; + } +} + +/** Return the height in pixels of a 64-byte microtile. */ +static uint32_t +utile_height(int cpp) +{ + switch (cpp) { + case 1: + return 8; + case 2: + case 4: + case 8: + return 4; + default: + DRM_ERROR("unknown cpp: %d\n", cpp); + return 1; + } +} + +/** + * The texture unit decides what tiling format a particular miplevel is using + * this function, so we lay out our miptrees accordingly. + */ +static bool +size_is_lt(uint32_t width, uint32_t height, int cpp) +{ + return (width <= 4 * utile_width(cpp) || + height <= 4 * utile_height(cpp)); +} + +static bool +vc4_use_bo(struct exec_info *exec, + uint32_t hindex, + enum vc4_bo_mode mode, + struct drm_gem_cma_object **obj) +{ + *obj = NULL; + + if (hindex >= exec->bo_count) { + DRM_ERROR("BO index %d greater than BO count %d\n", + hindex, exec->bo_count); + return false; + } + + if (exec->bo[hindex].mode != mode) { + if (exec->bo[hindex].mode == VC4_MODE_UNDECIDED) { + exec->bo[hindex].mode = mode; + } else { + DRM_ERROR("BO index %d reused with mode %d vs %d\n", + hindex, exec->bo[hindex].mode, mode); + return false; + } + } + + *obj = exec->bo[hindex].bo; + return true; +} + +static bool +vc4_use_handle(struct exec_info *exec, + uint32_t gem_handles_packet_index, + enum vc4_bo_mode mode, + struct drm_gem_cma_object **obj) +{ + return vc4_use_bo(exec, exec->bo_index[gem_handles_packet_index], + mode, obj); +} + +static uint32_t +gl_shader_rec_size(uint32_t pointer_bits) +{ + uint32_t attribute_count = pointer_bits & 7; + bool extended = pointer_bits & 8; + + if (attribute_count == 0) + attribute_count = 8; + + if (extended) + return 100 + attribute_count * 4; + else + return 36 + attribute_count * 8; +} + +static bool +check_tex_size(struct exec_info *exec, struct drm_gem_cma_object *fbo, + uint32_t offset, uint8_t tiling_format, + uint32_t width, uint32_t height, uint8_t cpp) +{ + uint32_t aligned_width, aligned_height, stride, size; + uint32_t utile_w = utile_width(cpp); + uint32_t utile_h = utile_height(cpp); + + /* The values are limited by the packet/texture parameter bitfields, + * so we don't need to worry as much about integer overflow. + */ + BUG_ON(width > 65535); + BUG_ON(height > 65535); + + switch (tiling_format) { + case VC4_TILING_FORMAT_LINEAR: + aligned_width = roundup(width, 16 / cpp); + aligned_height = height; + break; + case VC4_TILING_FORMAT_T: + aligned_width = roundup(width, utile_w * 8); + aligned_height = roundup(height, utile_h * 8); + break; + case VC4_TILING_FORMAT_LT: + aligned_width = roundup(width, utile_w); + aligned_height = roundup(height, utile_h); + break; + default: + DRM_ERROR("buffer tiling %d unsupported\n", tiling_format); + return false; + } + + stride = aligned_width * cpp; + + if (INT_MAX / stride < aligned_height) { + DRM_ERROR("Overflow in fbo size (%dx%d -> %dx%d)\n", + width, height, + aligned_width, aligned_height); + return false; + } + size = stride * aligned_height; + + if (size + offset < size || + size + offset > fbo->base.size) { + DRM_ERROR("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %d)\n", + width, height, + aligned_width, aligned_height, + size, offset, fbo->base.size); + return false; + } + + return true; +} + +static int +validate_start_tile_binning(VALIDATE_ARGS) +{ + if (exec->found_start_tile_binning_packet) { + DRM_ERROR("Duplicate VC4_PACKET_START_TILE_BINNING\n"); + return -EINVAL; + } + exec->found_start_tile_binning_packet = true; + + if (!exec->found_tile_binning_mode_config_packet) { + DRM_ERROR("missing VC4_PACKET_TILE_BINNING_MODE_CONFIG\n"); + return -EINVAL; + } + + return 0; +} + +static int +validate_branch_to_sublist(VALIDATE_ARGS) +{ + struct drm_gem_cma_object *target; + uint32_t offset; + + if (!vc4_use_handle(exec, 0, VC4_MODE_TILE_ALLOC, &target)) + return -EINVAL; + + if (target != exec->tile_alloc_bo) { + DRM_ERROR("Jumping to BOs other than tile alloc unsupported\n"); + return -EINVAL; + } + + offset = *(uint32_t *)(untrusted + 0); + if (offset % exec->tile_alloc_init_block_size || + offset / exec->tile_alloc_init_block_size > + exec->bin_tiles_x * exec->bin_tiles_y) { + DRM_ERROR("VC4_PACKET_BRANCH_TO_SUB_LIST must jump to initial " + "tile allocation space.\n"); + return -EINVAL; + } + + *(uint32_t *)(validated + 0) = target->paddr + offset; + + return 0; +} + +/** + * validate_loadstore_tile_buffer_general() - Validation for + * VC4_PACKET_LOAD_TILE_BUFFER_GENERAL and + * VC4_PACKET_STORE_TILE_BUFFER_GENERAL. + * + * The two packets are nearly the same, except for the TLB-clearing management + * bits not being present for loads. Additionally, while stores are executed + * immediately (using the current tile coordinates), loads are queued to be + * executed when the tile coordinates packet occurs. + * + * Note that coordinates packets are validated to be within the declared + * bin_x/y, which themselves are verified to match the rendering-configuration + * FB width and height (which the hardware uses to clip loads and stores). + */ +static int +validate_loadstore_tile_buffer_general(VALIDATE_ARGS) +{ + uint32_t packet_b0 = *(uint8_t *)(untrusted + 0); + uint32_t packet_b1 = *(uint8_t *)(untrusted + 1); + struct drm_gem_cma_object *fbo; + uint32_t buffer_type = packet_b0 & 0xf; + uint32_t offset, cpp; + + switch (buffer_type) { + case VC4_LOADSTORE_TILE_BUFFER_NONE: + return 0; + case VC4_LOADSTORE_TILE_BUFFER_COLOR: + if ((packet_b1 & VC4_LOADSTORE_TILE_BUFFER_MASK) == + VC4_LOADSTORE_TILE_BUFFER_RGBA8888) { + cpp = 4; + } else { + cpp = 2; + } + break; + + case VC4_LOADSTORE_TILE_BUFFER_Z: + case VC4_LOADSTORE_TILE_BUFFER_ZS: + cpp = 4; + break; + + default: + DRM_ERROR("Load/store type %d unsupported\n", buffer_type); + return -EINVAL; + } + + if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &fbo)) + return -EINVAL; + + offset = *(uint32_t *)(untrusted + 2) & ~0xf; + + if (!check_tex_size(exec, fbo, offset, + ((packet_b0 & + VC4_LOADSTORE_TILE_BUFFER_FORMAT_MASK) >> + VC4_LOADSTORE_TILE_BUFFER_FORMAT_SHIFT), + exec->fb_width, exec->fb_height, cpp)) { + return -EINVAL; + } + + *(uint32_t *)(validated + 2) = offset + fbo->paddr; + + return 0; +} + +static int +validate_indexed_prim_list(VALIDATE_ARGS) +{ + struct drm_gem_cma_object *ib; + uint32_t length = *(uint32_t *)(untrusted + 1); + uint32_t offset = *(uint32_t *)(untrusted + 5); + uint32_t max_index = *(uint32_t *)(untrusted + 9); + uint32_t index_size = (*(uint8_t *)(untrusted + 0) >> 4) ? 2 : 1; + struct vc4_shader_state *shader_state; + + /* Check overflow condition */ + if (exec->shader_state_count == 0) { + DRM_ERROR("shader state must precede primitives\n"); + return -EINVAL; + } + shader_state = &exec->shader_state[exec->shader_state_count - 1]; + + if (max_index > shader_state->max_index) + shader_state->max_index = max_index; + + if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &ib)) + return -EINVAL; + + if (offset > ib->base.size || + (ib->base.size - offset) / index_size < length) { + DRM_ERROR("IB access overflow (%d + %d*%d > %d)\n", + offset, length, index_size, ib->base.size); + return -EINVAL; + } + + *(uint32_t *)(validated + 5) = ib->paddr + offset; + + return 0; +} + +static int +validate_gl_array_primitive(VALIDATE_ARGS) +{ + uint32_t length = *(uint32_t *)(untrusted + 1); + uint32_t base_index = *(uint32_t *)(untrusted + 5); + uint32_t max_index; + struct vc4_shader_state *shader_state; + + /* Check overflow condition */ + if (exec->shader_state_count == 0) { + DRM_ERROR("shader state must precede primitives\n"); + return -EINVAL; + } + shader_state = &exec->shader_state[exec->shader_state_count - 1]; + + if (length + base_index < length) { + DRM_ERROR("primitive vertex count overflow\n"); + return -EINVAL; + } + max_index = length + base_index - 1; + + if (max_index > shader_state->max_index) + shader_state->max_index = max_index; + + return 0; +} + +static int +validate_gl_shader_state(VALIDATE_ARGS) +{ + uint32_t i = exec->shader_state_count++; + + if (i >= exec->shader_state_size) { + DRM_ERROR("More requests for shader states than declared\n"); + return -EINVAL; + } + + exec->shader_state[i].packet = VC4_PACKET_GL_SHADER_STATE; + exec->shader_state[i].addr = *(uint32_t *)untrusted; + exec->shader_state[i].max_index = 0; + + if (exec->shader_state[i].addr & ~0xf) { + DRM_ERROR("high bits set in GL shader rec reference\n"); + return -EINVAL; + } + + *(uint32_t *)validated = (exec->shader_rec_p + + exec->shader_state[i].addr); + + exec->shader_rec_p += + roundup(gl_shader_rec_size(exec->shader_state[i].addr), 16); + + return 0; +} + +static int +validate_nv_shader_state(VALIDATE_ARGS) +{ + uint32_t i = exec->shader_state_count++; + + if (i >= exec->shader_state_size) { + DRM_ERROR("More requests for shader states than declared\n"); + return -EINVAL; + } + + exec->shader_state[i].packet = VC4_PACKET_NV_SHADER_STATE; + exec->shader_state[i].addr = *(uint32_t *)untrusted; + + if (exec->shader_state[i].addr & 15) { + DRM_ERROR("NV shader state address 0x%08x misaligned\n", + exec->shader_state[i].addr); + return -EINVAL; + } + + *(uint32_t *)validated = (exec->shader_state[i].addr + + exec->shader_rec_p); + + return 0; +} + +static int +validate_tile_binning_config(VALIDATE_ARGS) +{ + struct drm_gem_cma_object *tile_allocation; + struct drm_gem_cma_object *tile_state_data_array; + uint8_t flags; + uint32_t tile_allocation_size; + + if (!vc4_use_handle(exec, 0, VC4_MODE_TILE_ALLOC, &tile_allocation) || + !vc4_use_handle(exec, 1, VC4_MODE_TSDA, &tile_state_data_array)) + return -EINVAL; + + if (exec->found_tile_binning_mode_config_packet) { + DRM_ERROR("Duplicate VC4_PACKET_TILE_BINNING_MODE_CONFIG\n"); + return -EINVAL; + } + exec->found_tile_binning_mode_config_packet = true; + + exec->bin_tiles_x = *(uint8_t *)(untrusted + 12); + exec->bin_tiles_y = *(uint8_t *)(untrusted + 13); + flags = *(uint8_t *)(untrusted + 14); + + if (exec->bin_tiles_x == 0 || + exec->bin_tiles_y == 0) { + DRM_ERROR("Tile binning config of %dx%d too small\n", + exec->bin_tiles_x, exec->bin_tiles_y); + return -EINVAL; + } + + /* Our validation relies on the user not getting to set up their own + * tile state/tile allocation BO contents. + */ + if (!(flags & VC4_BIN_CONFIG_AUTO_INIT_TSDA)) { + DRM_ERROR("binning config missing " + "VC4_BIN_CONFIG_AUTO_INIT_TSDA\n"); + return -EINVAL; + } + + if (flags & (VC4_BIN_CONFIG_DB_NON_MS | + VC4_BIN_CONFIG_TILE_BUFFER_64BIT | + VC4_BIN_CONFIG_MS_MODE_4X)) { + DRM_ERROR("unsupported bining config flags 0x%02x\n", flags); + return -EINVAL; + } + + if (*(uint32_t *)(untrusted + 0) != 0) { + DRM_ERROR("tile allocation offset != 0 unsupported\n"); + return -EINVAL; + } + tile_allocation_size = *(uint32_t *)(untrusted + 4); + if (tile_allocation_size > tile_allocation->base.size) { + DRM_ERROR("tile allocation size %d > BO size %d", + tile_allocation_size, tile_allocation->base.size); + return -EINVAL; + } + *(uint32_t *)validated = tile_allocation->paddr; + exec->tile_alloc_bo = tile_allocation; + + exec->tile_alloc_init_block_size = 1 << (5 + ((flags >> 5) & 3)); + if (exec->bin_tiles_x * exec->bin_tiles_y * + exec->tile_alloc_init_block_size > tile_allocation_size) { + DRM_ERROR("tile init exceeds tile alloc size (%d vs %d)\n", + exec->bin_tiles_x * exec->bin_tiles_y * + exec->tile_alloc_init_block_size, + tile_allocation_size); + return -EINVAL; + } + if (*(uint32_t *)(untrusted + 8) != 0) { + DRM_ERROR("TSDA offset != 0 unsupported\n"); + return -EINVAL; + } + if (exec->bin_tiles_x * exec->bin_tiles_y * 48 > + tile_state_data_array->base.size) { + DRM_ERROR("TSDA of %db too small for %dx%d bin config\n", + tile_state_data_array->base.size, + exec->bin_tiles_x, exec->bin_tiles_y); + } + *(uint32_t *)(validated + 8) = tile_state_data_array->paddr; + + return 0; +} + +static int +validate_tile_rendering_mode_config(VALIDATE_ARGS) +{ + struct drm_gem_cma_object *fbo; + uint32_t flags, offset, cpp; + + if (exec->found_tile_rendering_mode_config_packet) { + DRM_ERROR("Duplicate VC4_PACKET_TILE_RENDERING_MODE_CONFIG\n"); + return -EINVAL; + } + exec->found_tile_rendering_mode_config_packet = true; + + if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &fbo)) + return -EINVAL; + + exec->fb_width = *(uint16_t *)(untrusted + 4); + exec->fb_height = *(uint16_t *)(untrusted + 6); + + /* Make sure that the fb width/height matches the binning config -- we + * rely on being able to interchange these for various assertions. + * (Within a tile, loads and stores will be clipped to the + * width/height, but we allow load/storing to any binned tile). + */ + if (exec->fb_width <= (exec->bin_tiles_x - 1) * 64 || + exec->fb_width > exec->bin_tiles_x * 64 || + exec->fb_height <= (exec->bin_tiles_y - 1) * 64 || + exec->fb_height > exec->bin_tiles_y * 64) { + DRM_ERROR("bin config %dx%d doesn't match FB %dx%d\n", + exec->bin_tiles_x, exec->bin_tiles_y, + exec->fb_width, exec->fb_height); + return -EINVAL; + } + + flags = *(uint16_t *)(untrusted + 8); + if ((flags & VC4_RENDER_CONFIG_FORMAT_MASK) == + VC4_RENDER_CONFIG_FORMAT_RGBA8888) { + cpp = 4; + } else { + cpp = 2; + } + + offset = *(uint32_t *)untrusted; + if (!check_tex_size(exec, fbo, offset, + ((flags & + VC4_RENDER_CONFIG_MEMORY_FORMAT_MASK) >> + VC4_RENDER_CONFIG_MEMORY_FORMAT_SHIFT), + exec->fb_width, exec->fb_height, cpp)) { + return -EINVAL; + } + + *(uint32_t *)validated = fbo->paddr + offset; + + return 0; +} + +static int +validate_tile_coordinates(VALIDATE_ARGS) +{ + uint8_t tile_x = *(uint8_t *)(untrusted + 0); + uint8_t tile_y = *(uint8_t *)(untrusted + 1); + + if (tile_x >= exec->bin_tiles_x || + tile_y >= exec->bin_tiles_y) { + DRM_ERROR("Tile coordinates %d,%d > bin config %d,%d\n", + tile_x, + tile_y, + exec->bin_tiles_x, + exec->bin_tiles_y); + return -EINVAL; + } + + return 0; +} + +static int +validate_gem_handles(VALIDATE_ARGS) +{ + memcpy(exec->bo_index, untrusted, sizeof(exec->bo_index)); + return 0; +} + +static const struct cmd_info { + bool bin; + bool render; + uint16_t len; + const char *name; + int (*func)(struct exec_info *exec, void *validated, void *untrusted); +} cmd_info[] = { + [VC4_PACKET_HALT] = { 1, 1, 1, "halt", NULL }, + [VC4_PACKET_NOP] = { 1, 1, 1, "nop", NULL }, + [VC4_PACKET_FLUSH] = { 1, 1, 1, "flush", NULL }, + [VC4_PACKET_FLUSH_ALL] = { 1, 0, 1, "flush all state", NULL }, + [VC4_PACKET_START_TILE_BINNING] = { 1, 0, 1, "start tile binning", validate_start_tile_binning }, + [VC4_PACKET_INCREMENT_SEMAPHORE] = { 1, 0, 1, "increment semaphore", NULL }, + [VC4_PACKET_WAIT_ON_SEMAPHORE] = { 1, 1, 1, "wait on semaphore", NULL }, + /* BRANCH_TO_SUB_LIST is actually supported in the binner as well, but + * we only use it from the render CL in order to jump into the tile + * allocation BO. + */ + [VC4_PACKET_BRANCH_TO_SUB_LIST] = { 0, 1, 5, "branch to sublist", validate_branch_to_sublist }, + [VC4_PACKET_STORE_MS_TILE_BUFFER] = { 0, 1, 1, "store MS resolved tile color buffer", NULL }, + [VC4_PACKET_STORE_MS_TILE_BUFFER_AND_EOF] = { 0, 1, 1, "store MS resolved tile color buffer and EOF", NULL }, + + [VC4_PACKET_STORE_TILE_BUFFER_GENERAL] = { 0, 1, 7, "Store Tile Buffer General", validate_loadstore_tile_buffer_general }, + [VC4_PACKET_LOAD_TILE_BUFFER_GENERAL] = { 0, 1, 7, "Load Tile Buffer General", validate_loadstore_tile_buffer_general }, + + [VC4_PACKET_GL_INDEXED_PRIMITIVE] = { 1, 1, 14, "Indexed Primitive List", validate_indexed_prim_list }, + + [VC4_PACKET_GL_ARRAY_PRIMITIVE] = { 1, 1, 10, "Vertex Array Primitives", validate_gl_array_primitive }, + + /* This is only used by clipped primitives (packets 48 and 49), which + * we don't support parsing yet. + */ + [VC4_PACKET_PRIMITIVE_LIST_FORMAT] = { 1, 1, 2, "primitive list format", NULL }, + + [VC4_PACKET_GL_SHADER_STATE] = { 1, 1, 5, "GL Shader State", validate_gl_shader_state }, + [VC4_PACKET_NV_SHADER_STATE] = { 1, 1, 5, "NV Shader State", validate_nv_shader_state }, + + [VC4_PACKET_CONFIGURATION_BITS] = { 1, 1, 4, "configuration bits", NULL }, + [VC4_PACKET_FLAT_SHADE_FLAGS] = { 1, 1, 5, "flat shade flags", NULL }, + [VC4_PACKET_POINT_SIZE] = { 1, 1, 5, "point size", NULL }, + [VC4_PACKET_LINE_WIDTH] = { 1, 1, 5, "line width", NULL }, + [VC4_PACKET_RHT_X_BOUNDARY] = { 1, 1, 3, "RHT X boundary", NULL }, + [VC4_PACKET_DEPTH_OFFSET] = { 1, 1, 5, "Depth Offset", NULL }, + [VC4_PACKET_CLIP_WINDOW] = { 1, 1, 9, "Clip Window", NULL }, + [VC4_PACKET_VIEWPORT_OFFSET] = { 1, 1, 5, "Viewport Offset", NULL }, + [VC4_PACKET_CLIPPER_XY_SCALING] = { 1, 1, 9, "Clipper XY Scaling", NULL }, + /* Note: The docs say this was also 105, but it was 106 in the + * initial userland code drop. + */ + [VC4_PACKET_CLIPPER_Z_SCALING] = { 1, 1, 9, "Clipper Z Scale and Offset", NULL }, + + [VC4_PACKET_TILE_BINNING_MODE_CONFIG] = { 1, 0, 16, "tile binning configuration", validate_tile_binning_config }, + + [VC4_PACKET_TILE_RENDERING_MODE_CONFIG] = { 0, 1, 11, "tile rendering mode configuration", validate_tile_rendering_mode_config}, + + [VC4_PACKET_CLEAR_COLORS] = { 0, 1, 14, "Clear Colors", NULL }, + + [VC4_PACKET_TILE_COORDINATES] = { 0, 1, 3, "Tile Coordinates", validate_tile_coordinates }, + + [VC4_PACKET_GEM_HANDLES] = { 1, 1, 9, "GEM handles", validate_gem_handles }, +}; + +int +vc4_validate_cl(struct drm_device *dev, + void *validated, + void *unvalidated, + uint32_t len, + bool is_bin, + struct exec_info *exec) +{ + uint32_t dst_offset = 0; + uint32_t src_offset = 0; + + while (src_offset < len) { + void *dst_pkt = validated + dst_offset; + void *src_pkt = unvalidated + src_offset; + u8 cmd = *(uint8_t *)src_pkt; + const struct cmd_info *info; + + if (cmd > ARRAY_SIZE(cmd_info)) { + DRM_ERROR("0x%08x: packet %d out of bounds\n", + src_offset, cmd); + return -EINVAL; + } + + info = &cmd_info[cmd]; + if (!info->name) { + DRM_ERROR("0x%08x: packet %d invalid\n", + src_offset, cmd); + return -EINVAL; + } + +#if 0 + DRM_INFO("0x%08x: packet %d (%s) size %d processing...\n", + src_offset, cmd, info->name, info->len); +#endif + + if ((is_bin && !info->bin) || + (!is_bin && !info->render)) { + DRM_ERROR("0x%08x: packet %d (%s) invalid for %s\n", + src_offset, cmd, info->name, + is_bin ? "binner" : "render"); + return -EINVAL; + } + + if (src_offset + info->len > len) { + DRM_ERROR("0x%08x: packet %d (%s) length 0x%08x " + "exceeds bounds (0x%08x)\n", + src_offset, cmd, info->name, info->len, + src_offset + len); + return -EINVAL; + } + + if (cmd != VC4_PACKET_GEM_HANDLES) + memcpy(dst_pkt, src_pkt, info->len); + + if (info->func && info->func(exec, + dst_pkt + 1, + src_pkt + 1)) { + DRM_ERROR("0x%08x: packet %d (%s) failed to " + "validate\n", + src_offset, cmd, info->name); + return -EINVAL; + } + + src_offset += info->len; + /* GEM handle loading doesn't produce HW packets. */ + if (cmd != VC4_PACKET_GEM_HANDLES) + dst_offset += info->len; + + /* When the CL hits halt, it'll stop reading anything else. */ + if (cmd == VC4_PACKET_HALT) + break; + } + + if (is_bin) { + exec->ct0ea = exec->ct0ca + dst_offset; + + if (!exec->found_start_tile_binning_packet) { + DRM_ERROR("Bin CL missing VC4_PACKET_START_TILE_BINNING\n"); + return -EINVAL; + } + } else { + if (!exec->found_tile_rendering_mode_config_packet) { + DRM_ERROR("Render CL missing VC4_PACKET_TILE_RENDERING_MODE_CONFIG\n"); + return -EINVAL; + } + exec->ct1ea = exec->ct1ca + dst_offset; + } + + return 0; +} + +static bool +reloc_tex(struct exec_info *exec, + void *uniform_data_u, + struct vc4_texture_sample_info *sample, + uint32_t texture_handle_index) + +{ + struct drm_gem_cma_object *tex; + uint32_t p0 = *(uint32_t *)(uniform_data_u + sample->p_offset[0]); + uint32_t p1 = *(uint32_t *)(uniform_data_u + sample->p_offset[1]); + uint32_t p2 = (sample->p_offset[2] != ~0 ? + *(uint32_t *)(uniform_data_u + sample->p_offset[2]) : 0); + uint32_t p3 = (sample->p_offset[3] != ~0 ? + *(uint32_t *)(uniform_data_u + sample->p_offset[3]) : 0); + uint32_t *validated_p0 = exec->uniforms_v + sample->p_offset[0]; + uint32_t offset = p0 & ~0xfff; + uint32_t miplevels = (p0 & 15); + uint32_t width = (p1 >> 8) & 2047; + uint32_t height = (p1 >> 20) & 2047; + uint32_t cpp, tiling_format, utile_w, utile_h; + uint32_t i; + uint32_t cube_map_stride = 0; + enum vc4_texture_data_type type; + + if (width == 0) + width = 2048; + if (height == 0) + height = 2048; + + if (p0 & (1 << 9)) { + if ((p2 & (3 << 30)) == (1 << 30)) + cube_map_stride = p2 & 0x3ffff000; + if ((p3 & (3 << 30)) == (1 << 30)) { + if (cube_map_stride) { + DRM_ERROR("Cube map stride set twice\n"); + return -EINVAL; + } + + cube_map_stride = p3 & 0x3ffff000; + } + if (!cube_map_stride) { + DRM_ERROR("Cube map stride not set\n"); + return -EINVAL; + } + } + + type = ((p0 >> 4) & 15) | ((p1 >> 31) << 4); + + switch (type) { + case VC4_TEXTURE_TYPE_RGBA8888: + case VC4_TEXTURE_TYPE_RGBX8888: + case VC4_TEXTURE_TYPE_RGBA32R: + cpp = 4; + break; + case VC4_TEXTURE_TYPE_RGBA4444: + case VC4_TEXTURE_TYPE_RGBA5551: + case VC4_TEXTURE_TYPE_RGB565: + case VC4_TEXTURE_TYPE_LUMALPHA: + case VC4_TEXTURE_TYPE_S16F: + case VC4_TEXTURE_TYPE_S16: + cpp = 2; + break; + case VC4_TEXTURE_TYPE_LUMINANCE: + case VC4_TEXTURE_TYPE_ALPHA: + case VC4_TEXTURE_TYPE_S8: + cpp = 1; + break; + case VC4_TEXTURE_TYPE_ETC1: + case VC4_TEXTURE_TYPE_BW1: + case VC4_TEXTURE_TYPE_A4: + case VC4_TEXTURE_TYPE_A1: + case VC4_TEXTURE_TYPE_RGBA64: + case VC4_TEXTURE_TYPE_YUV422R: + default: + DRM_ERROR("Texture format %d unsupported\n", type); + return false; + } + utile_w = utile_width(cpp); + utile_h = utile_height(cpp); + + if (type == VC4_TEXTURE_TYPE_RGBA32R) { + tiling_format = VC4_TILING_FORMAT_LINEAR; + } else { + if (size_is_lt(width, height, cpp)) + tiling_format = VC4_TILING_FORMAT_LT; + else + tiling_format = VC4_TILING_FORMAT_T; + } + + if (!vc4_use_bo(exec, texture_handle_index, VC4_MODE_RENDER, &tex)) + return false; + + if (!check_tex_size(exec, tex, offset + cube_map_stride * 5, + tiling_format, width, height, cpp)) { + return false; + } + + /* The mipmap levels are stored before the base of the texture. Make + * sure there is actually space in the BO. + */ + for (i = 1; i <= miplevels; i++) { + uint32_t level_width = max(width >> i, 1u); + uint32_t level_height = max(height >> i, 1u); + uint32_t aligned_width, aligned_height; + uint32_t level_size; + + /* Once the levels get small enough, they drop from T to LT. */ + if (tiling_format == VC4_TILING_FORMAT_T && + size_is_lt(level_width, level_height, cpp)) { + tiling_format = VC4_TILING_FORMAT_LT; + } + + switch (tiling_format) { + case VC4_TILING_FORMAT_T: + aligned_width = roundup(level_width, utile_w * 8); + aligned_height = roundup(level_height, utile_h * 8); + break; + case VC4_TILING_FORMAT_LT: + aligned_width = roundup(level_width, utile_w); + aligned_height = roundup(level_height, utile_h); + break; + default: + aligned_width = roundup(level_width, 16 / cpp); + aligned_height = level_height; + break; + } + + level_size = aligned_width * cpp * aligned_height; + + if (offset < level_size) { + DRM_ERROR("Level %d (%dx%d -> %dx%d) size %db " + "overflowed buffer bounds (offset %d)\n", + i, level_width, level_height, + aligned_width, aligned_height, + level_size, offset); + return false; + } + + offset -= level_size; + } + + *validated_p0 = tex->paddr + p0; + + return true; +} + +static int +validate_shader_rec(struct drm_device *dev, + struct exec_info *exec, + struct vc4_shader_state *state) +{ + uint32_t *src_handles; + void *pkt_u, *pkt_v; + enum shader_rec_reloc_type { + RELOC_CODE, + RELOC_VBO, + }; + struct shader_rec_reloc { + enum shader_rec_reloc_type type; + uint32_t offset; + }; + static const struct shader_rec_reloc gl_relocs[] = { + { RELOC_CODE, 4 }, /* fs */ + { RELOC_CODE, 16 }, /* vs */ + { RELOC_CODE, 28 }, /* cs */ + }; + static const struct shader_rec_reloc nv_relocs[] = { + { RELOC_CODE, 4 }, /* fs */ + { RELOC_VBO, 12 } + }; + const struct shader_rec_reloc *relocs; + struct drm_gem_cma_object *bo[ARRAY_SIZE(gl_relocs) + 8]; + uint32_t nr_attributes = 0, nr_fixed_relocs, nr_relocs, packet_size; + int i; + struct vc4_validated_shader_info *validated_shader = NULL; + + if (state->packet == VC4_PACKET_NV_SHADER_STATE) { + relocs = nv_relocs; + nr_fixed_relocs = ARRAY_SIZE(nv_relocs); + + packet_size = 16; + } else { + relocs = gl_relocs; + nr_fixed_relocs = ARRAY_SIZE(gl_relocs); + + nr_attributes = state->addr & 0x7; + if (nr_attributes == 0) + nr_attributes = 8; + packet_size = gl_shader_rec_size(state->addr); + } + nr_relocs = nr_fixed_relocs + nr_attributes; + + if (nr_relocs * 4 > exec->shader_rec_size) { + DRM_ERROR("overflowed shader recs reading %d handles " + "from %d bytes left\n", + nr_relocs, exec->shader_rec_size); + return -EINVAL; + } + src_handles = exec->shader_rec_u; + exec->shader_rec_u += nr_relocs * 4; + exec->shader_rec_size -= nr_relocs * 4; + + if (packet_size > exec->shader_rec_size) { + DRM_ERROR("overflowed shader recs copying %db packet " + "from %d bytes left\n", + packet_size, exec->shader_rec_size); + return -EINVAL; + } + pkt_u = exec->shader_rec_u; + pkt_v = exec->shader_rec_v; + memcpy(pkt_v, pkt_u, packet_size); + exec->shader_rec_u += packet_size; + /* Shader recs have to be aligned to 16 bytes (due to the attribute + * flags being in the low bytes), so round the next validated shader + * rec address up. This should be safe, since we've got so many + * relocations in a shader rec packet. + */ + BUG_ON(roundup(packet_size, 16) - packet_size > nr_relocs * 4); + exec->shader_rec_v += roundup(packet_size, 16); + exec->shader_rec_size -= packet_size; + + for (i = 0; i < nr_relocs; i++) { + enum vc4_bo_mode mode; + + if (i < nr_fixed_relocs && relocs[i].type == RELOC_CODE) + mode = VC4_MODE_SHADER; + else + mode = VC4_MODE_RENDER; + + if (!vc4_use_bo(exec, src_handles[i], mode, &bo[i])) { + return false; + } + } + + for (i = 0; i < nr_fixed_relocs; i++) { + uint32_t o = relocs[i].offset; + uint32_t src_offset = *(uint32_t *)(pkt_u + o); + uint32_t *texture_handles_u; + void *uniform_data_u; + uint32_t tex; + + *(uint32_t *)(pkt_v + o) = bo[i]->paddr + src_offset; + + switch (relocs[i].type) { + case RELOC_CODE: + kfree(validated_shader); + validated_shader = vc4_validate_shader(bo[i], + src_offset); + if (!validated_shader) + goto fail; + + if (validated_shader->uniforms_src_size > + exec->uniforms_size) { + DRM_ERROR("Uniforms src buffer overflow\n"); + goto fail; + } + + texture_handles_u = exec->uniforms_u; + uniform_data_u = (texture_handles_u + + validated_shader->num_texture_samples); + + memcpy(exec->uniforms_v, uniform_data_u, + validated_shader->uniforms_size); + + for (tex = 0; + tex < validated_shader->num_texture_samples; + tex++) { + if (!reloc_tex(exec, + uniform_data_u, + &validated_shader->texture_samples[tex], + texture_handles_u[tex])) { + goto fail; + } + } + + *(uint32_t *)(pkt_v + o + 4) = exec->uniforms_p; + + exec->uniforms_u += validated_shader->uniforms_src_size; + exec->uniforms_v += validated_shader->uniforms_size; + exec->uniforms_p += validated_shader->uniforms_size; + + break; + + case RELOC_VBO: + break; + } + } + + for (i = 0; i < nr_attributes; i++) { + struct drm_gem_cma_object *vbo = bo[nr_fixed_relocs + i]; + uint32_t o = 36 + i * 8; + uint32_t offset = *(uint32_t *)(pkt_u + o + 0); + uint32_t attr_size = *(uint8_t *)(pkt_u + o + 4) + 1; + uint32_t stride = *(uint8_t *)(pkt_u + o + 5); + uint32_t max_index; + + if (state->addr & 0x8) + stride |= (*(uint32_t *)(pkt_u + 100 + i * 4)) & ~0xff; + + if (vbo->base.size < offset || + vbo->base.size - offset < attr_size) { + DRM_ERROR("BO offset overflow (%d + %d > %d)\n", + offset, attr_size, vbo->base.size); + return -EINVAL; + } + + if (stride != 0) { + max_index = ((vbo->base.size - offset - attr_size) / + stride); + if (state->max_index > max_index) { + DRM_ERROR("primitives use index %d out of supplied %d\n", + state->max_index, max_index); + return -EINVAL; + } + } + + *(uint32_t *)(pkt_v + o) = vbo->paddr + offset; + } + + kfree(validated_shader); + + return 0; + +fail: + kfree(validated_shader); + return -EINVAL; +} + +int +vc4_validate_shader_recs(struct drm_device *dev, + struct exec_info *exec) +{ + uint32_t i; + int ret = 0; + + for (i = 0; i < exec->shader_state_count; i++) { + ret = validate_shader_rec(dev, exec, &exec->shader_state[i]); + if (ret) + return ret; + } + + return ret; +} diff --git a/src/gallium/drivers/vc4/kernel/vc4_validate_shaders.c b/src/gallium/drivers/vc4/kernel/vc4_validate_shaders.c new file mode 100644 index 00000000000..dc958c7bf0f --- /dev/null +++ b/src/gallium/drivers/vc4/kernel/vc4_validate_shaders.c @@ -0,0 +1,322 @@ +/* + * Copyright © 2014 Broadcom + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + */ + +/** + * DOC: Shader validator for VC4. + * + * The VC4 has no IOMMU between it and system memory. So, a user with access + * to execute shaders could escalate privilege by overwriting system memory + * (using the VPM write address register in the general-purpose DMA mode) or + * reading system memory it shouldn't (reading it as a texture, or uniform + * data, or vertex data). + * + * This walks over a shader starting from some offset within a BO, ensuring + * that its accesses are appropriately bounded, and recording how many texture + * accesses are made and where so that we can do relocations for them in the + * uniform stream. + * + * The kernel API has shaders stored in user-mapped BOs. The BOs will be + * forcibly unmapped from the process before validation, and any cache of + * validated state will be flushed if the mapping is faulted back in. + * + * Storing the shaders in BOs means that the validation process will be slow + * due to uncached reads, but since shaders are long-lived and shader BOs are + * never actually modified, this shouldn't be a problem. + */ + +#include "vc4_drv.h" +#include "vc4_qpu.h" +#include "vc4_qpu_defines.h" + +struct vc4_shader_validation_state { + struct vc4_texture_sample_info tmu_setup[2]; + int tmu_write_count[2]; +}; + +static bool +is_tmu_write(uint32_t waddr) +{ + return (waddr >= QPU_W_TMU0_S && + waddr <= QPU_W_TMU1_B); +} + +static bool +record_validated_texture_sample(struct vc4_validated_shader_info *validated_shader, + struct vc4_shader_validation_state *validation_state, + int tmu) +{ + uint32_t s = validated_shader->num_texture_samples; + int i; + struct vc4_texture_sample_info *temp_samples; + + temp_samples = krealloc(validated_shader->texture_samples, + (s + 1) * sizeof(*temp_samples), + GFP_KERNEL); + if (!temp_samples) + return false; + + memcpy(temp_samples[s].p_offset, + validation_state->tmu_setup[tmu].p_offset, + validation_state->tmu_write_count[tmu] * sizeof(uint32_t)); + for (i = validation_state->tmu_write_count[tmu]; i < 4; i++) + temp_samples[s].p_offset[i] = ~0; + + validated_shader->num_texture_samples = s + 1; + validated_shader->texture_samples = temp_samples; + + return true; +} + +static bool +check_tmu_write(struct vc4_validated_shader_info *validated_shader, + struct vc4_shader_validation_state *validation_state, + uint32_t waddr) +{ + int tmu = waddr > QPU_W_TMU0_B; + + if (!is_tmu_write(waddr)) + return true; + + if (validation_state->tmu_write_count[tmu] >= 4) { + DRM_ERROR("TMU%d got too many parameters before dispatch\n", + tmu); + return false; + } + validation_state->tmu_setup[tmu].p_offset[validation_state->tmu_write_count[tmu]] = + validated_shader->uniforms_size; + validation_state->tmu_write_count[tmu]++; + validated_shader->uniforms_size += 4; + + if (waddr == QPU_W_TMU0_S || waddr == QPU_W_TMU1_S) { + if (!record_validated_texture_sample(validated_shader, + validation_state, tmu)) { + return false; + } + + validation_state->tmu_write_count[tmu] = 0; + } + + return true; +} + +static bool +check_register_write(struct vc4_validated_shader_info *validated_shader, + struct vc4_shader_validation_state *validation_state, + uint32_t waddr) +{ + switch (waddr) { + case QPU_W_UNIFORMS_ADDRESS: + /* XXX: We'll probably need to support this for reladdr, but + * it's definitely a security-related one. + */ + DRM_ERROR("uniforms address load unsupported\n"); + return false; + + case QPU_W_TLB_COLOR_MS: + case QPU_W_TLB_COLOR_ALL: + case QPU_W_TLB_Z: + /* These only interact with the tile buffer, not main memory, + * so they're safe. + */ + return true; + + case QPU_W_TMU0_S: + case QPU_W_TMU0_T: + case QPU_W_TMU0_R: + case QPU_W_TMU0_B: + case QPU_W_TMU1_S: + case QPU_W_TMU1_T: + case QPU_W_TMU1_R: + case QPU_W_TMU1_B: + return check_tmu_write(validated_shader, validation_state, + waddr); + + case QPU_W_HOST_INT: + case QPU_W_TMU_NOSWAP: + case QPU_W_TLB_ALPHA_MASK: + case QPU_W_MUTEX_RELEASE: + /* XXX: I haven't thought about these, so don't support them + * for now. + */ + DRM_ERROR("Unsupported waddr %d\n", waddr); + return false; + + case QPU_W_VPM_ADDR: + DRM_ERROR("General VPM DMA unsupported\n"); + return false; + + case QPU_W_VPM: + case QPU_W_VPMVCD_SETUP: + /* We allow VPM setup in general, even including VPM DMA + * configuration setup, because the (unsafe) DMA can only be + * triggered by QPU_W_VPM_ADDR writes. + */ + return true; + + case QPU_W_TLB_STENCIL_SETUP: + return true; + } + + return true; +} + +static bool +check_instruction_writes(uint64_t inst, + struct vc4_validated_shader_info *validated_shader, + struct vc4_shader_validation_state *validation_state) +{ + uint32_t waddr_add = QPU_GET_FIELD(inst, QPU_WADDR_ADD); + uint32_t waddr_mul = QPU_GET_FIELD(inst, QPU_WADDR_MUL); + + if (is_tmu_write(waddr_add) && is_tmu_write(waddr_mul)) { + DRM_ERROR("ADD and MUL both set up textures\n"); + return false; + } + + return (check_register_write(validated_shader, validation_state, waddr_add) && + check_register_write(validated_shader, validation_state, waddr_mul)); +} + +static bool +check_instruction_reads(uint64_t inst, + struct vc4_validated_shader_info *validated_shader) +{ + uint32_t waddr_add = QPU_GET_FIELD(inst, QPU_WADDR_ADD); + uint32_t waddr_mul = QPU_GET_FIELD(inst, QPU_WADDR_MUL); + uint32_t raddr_a = QPU_GET_FIELD(inst, QPU_RADDR_A); + uint32_t raddr_b = QPU_GET_FIELD(inst, QPU_RADDR_B); + + if (raddr_a == QPU_R_UNIF || + raddr_b == QPU_R_UNIF) { + if (is_tmu_write(waddr_add) || is_tmu_write(waddr_mul)) { + DRM_ERROR("uniform read in the same instruction as " + "texture setup"); + return false; + } + + /* This can't overflow the uint32_t, because we're reading 8 + * bytes of instruction to increment by 4 here, so we'd + * already be OOM. + */ + validated_shader->uniforms_size += 4; + } + + return true; +} + +struct vc4_validated_shader_info * +vc4_validate_shader(struct drm_gem_cma_object *shader_obj, + uint32_t start_offset) +{ + bool found_shader_end = false; + int shader_end_ip = 0; + uint32_t ip, max_ip; + uint64_t *shader; + struct vc4_validated_shader_info *validated_shader; + struct vc4_shader_validation_state validation_state; + + memset(&validation_state, 0, sizeof(validation_state)); + + if (start_offset + sizeof(uint64_t) > shader_obj->base.size) { + DRM_ERROR("shader starting at %d outside of BO sized %d\n", + start_offset, + shader_obj->base.size); + return NULL; + } + shader = shader_obj->vaddr + start_offset; + max_ip = (shader_obj->base.size - start_offset) / sizeof(uint64_t); + + validated_shader = kcalloc(sizeof(*validated_shader), 1, GFP_KERNEL); + if (!validated_shader) + return NULL; + + for (ip = 0; ip < max_ip; ip++) { + uint64_t inst = shader[ip]; + uint32_t sig = QPU_GET_FIELD(inst, QPU_SIG); + + switch (sig) { + case QPU_SIG_NONE: + case QPU_SIG_WAIT_FOR_SCOREBOARD: + case QPU_SIG_SCOREBOARD_UNLOCK: + case QPU_SIG_COLOR_LOAD: + case QPU_SIG_LOAD_TMU0: + case QPU_SIG_LOAD_TMU1: + if (!check_instruction_writes(inst, validated_shader, + &validation_state)) { + DRM_ERROR("Bad write at ip %d\n", ip); + goto fail; + } + + if (!check_instruction_reads(inst, validated_shader)) + goto fail; + + break; + + case QPU_SIG_LOAD_IMM: + if (!check_instruction_writes(inst, validated_shader, + &validation_state)) { + DRM_ERROR("Bad LOAD_IMM write at ip %d\n", ip); + goto fail; + } + break; + + case QPU_SIG_PROG_END: + found_shader_end = true; + shader_end_ip = ip; + break; + + default: + DRM_ERROR("Unsupported QPU signal %d at " + "instruction %d\n", sig, ip); + goto fail; + } + + /* There are two delay slots after program end is signaled + * that are still executed, then we're finished. + */ + if (found_shader_end && ip == shader_end_ip + 2) + break; + } + + if (ip == max_ip) { + DRM_ERROR("shader starting at %d failed to terminate before " + "shader BO end at %d\n", + start_offset, + shader_obj->base.size); + goto fail; + } + + /* Again, no chance of integer overflow here because the worst case + * scenario is 8 bytes of uniforms plus handles per 8-byte + * instruction. + */ + validated_shader->uniforms_src_size = + (validated_shader->uniforms_size + + 4 * validated_shader->num_texture_samples); + + return validated_shader; + +fail: + kfree(validated_shader); + return NULL; +} diff --git a/src/gallium/drivers/vc4/vc4_simulator.c b/src/gallium/drivers/vc4/vc4_simulator.c index e122c0a8668..34262f5362c 100644 --- a/src/gallium/drivers/vc4/vc4_simulator.c +++ b/src/gallium/drivers/vc4/vc4_simulator.c @@ -27,6 +27,7 @@ #include "vc4_screen.h" #include "vc4_context.h" +#include "kernel/vc4_drv.h" #include "vc4_simulator_validate.h" #include "simpenrose/simpenrose.h" @@ -52,7 +53,7 @@ vc4_wrap_bo_with_cma(struct drm_device *dev, struct vc4_bo *bo) return obj; } -static struct drm_gem_cma_object * +struct drm_gem_cma_object * drm_gem_cma_create(struct drm_device *dev, size_t size) { struct vc4_context *vc4 = dev->vc4; @@ -104,125 +105,6 @@ vc4_simulator_unpin_bos(struct exec_info *exec) return 0; } -static int -vc4_cl_validate(struct drm_device *dev, struct exec_info *exec) -{ - struct drm_vc4_submit_cl *args = exec->args; - void *temp = NULL; - void *bin, *render; - int ret = 0; - uint32_t bin_offset = 0; - uint32_t render_offset = bin_offset + args->bin_cl_size; - uint32_t shader_rec_offset = roundup(render_offset + - args->render_cl_size, 16); - uint32_t uniforms_offset = shader_rec_offset + args->shader_rec_size; - uint32_t exec_size = uniforms_offset + args->uniforms_size; - uint32_t temp_size = exec_size + (sizeof(struct vc4_shader_state) * - args->shader_rec_count); - - if (shader_rec_offset < render_offset || - uniforms_offset < shader_rec_offset || - exec_size < uniforms_offset || - args->shader_rec_count >= (UINT_MAX / - sizeof(struct vc4_shader_state)) || - temp_size < exec_size) { - DRM_ERROR("overflow in exec arguments\n"); - goto fail; - } - - /* Allocate space where we'll store the copied in user command lists - * and shader records. - * - * We don't just copy directly into the BOs because we need to - * read the contents back for validation, and I think the - * bo->vaddr is uncached access. - */ - temp = kmalloc(temp_size, GFP_KERNEL); - if (!temp) { - DRM_ERROR("Failed to allocate storage for copying " - "in bin/render CLs.\n"); - ret = -ENOMEM; - goto fail; - } - bin = temp + bin_offset; - render = temp + render_offset; - exec->shader_rec_u = temp + shader_rec_offset; - exec->uniforms_u = temp + uniforms_offset; - exec->shader_state = temp + exec_size; - exec->shader_state_size = args->shader_rec_count; - - ret = copy_from_user(bin, args->bin_cl, args->bin_cl_size); - if (ret) { - DRM_ERROR("Failed to copy in bin cl\n"); - goto fail; - } - - ret = copy_from_user(render, args->render_cl, args->render_cl_size); - if (ret) { - DRM_ERROR("Failed to copy in render cl\n"); - goto fail; - } - - ret = copy_from_user(exec->shader_rec_u, args->shader_rec, - args->shader_rec_size); - if (ret) { - DRM_ERROR("Failed to copy in shader recs\n"); - goto fail; - } - - ret = copy_from_user(exec->uniforms_u, args->uniforms, - args->uniforms_size); - if (ret) { - DRM_ERROR("Failed to copy in uniforms cl\n"); - goto fail; - } - - exec->exec_bo = drm_gem_cma_create(dev, exec_size); -#if 0 - if (IS_ERR(exec->exec_bo)) { - DRM_ERROR("Couldn't allocate BO for exec\n"); - ret = PTR_ERR(exec->exec_bo); - exec->exec_bo = NULL; - goto fail; - } -#endif - - exec->ct0ca = exec->exec_bo->paddr + bin_offset; - exec->ct1ca = exec->exec_bo->paddr + render_offset; - - exec->shader_rec_v = exec->exec_bo->vaddr + shader_rec_offset; - exec->shader_rec_p = exec->exec_bo->paddr + shader_rec_offset; - exec->shader_rec_size = args->shader_rec_size; - - exec->uniforms_v = exec->exec_bo->vaddr + uniforms_offset; - exec->uniforms_p = exec->exec_bo->paddr + uniforms_offset; - exec->uniforms_size = args->uniforms_size; - - ret = vc4_validate_cl(dev, - exec->exec_bo->vaddr + bin_offset, - bin, - args->bin_cl_size, - true, - exec); - if (ret) - goto fail; - - ret = vc4_validate_cl(dev, - exec->exec_bo->vaddr + render_offset, - render, - args->render_cl_size, - false, - exec); - if (ret) - goto fail; - - ret = vc4_validate_shader_recs(dev, exec); - -fail: - kfree(temp); - return ret; -} - int vc4_simulator_flush(struct vc4_context *vc4, struct drm_vc4_submit_cl *args) { diff --git a/src/gallium/drivers/vc4/vc4_simulator_validate.c b/src/gallium/drivers/vc4/vc4_simulator_validate.c deleted file mode 100644 index 99f01b238bd..00000000000 --- a/src/gallium/drivers/vc4/vc4_simulator_validate.c +++ /dev/null @@ -1,1086 +0,0 @@ -/* - * Copyright © 2014 Broadcom - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice (including the next - * paragraph) shall be included in all copies or substantial portions of the - * Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL - * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS - * IN THE SOFTWARE. - */ - -/** - * Command list validator for VC4. - * - * The VC4 has no IOMMU between it and system memory. So, a user with - * access to execute command lists could escalate privilege by - * overwriting system memory (drawing to it as a framebuffer) or - * reading system memory it shouldn't (reading it as a texture, or - * uniform data, or vertex data). - * - * This validates command lists to ensure that all accesses are within - * the bounds of the GEM objects referenced. It explicitly whitelists - * packets, and looks at the offsets in any address fields to make - * sure they're constrained within the BOs they reference. - * - * Note that because of the validation that's happening anyway, this - * is where GEM relocation processing happens. - */ - -#include "vc4_simulator_validate.h" -#include "vc4_packet.h" - -#define VALIDATE_ARGS \ - struct exec_info *exec, \ - void *validated, \ - void *untrusted - - -/** Return the width in pixels of a 64-byte microtile. */ -static uint32_t -utile_width(int cpp) -{ - switch (cpp) { - case 1: - case 2: - return 8; - case 4: - return 4; - case 8: - return 2; - default: - DRM_ERROR("unknown cpp: %d\n", cpp); - return 1; - } -} - -/** Return the height in pixels of a 64-byte microtile. */ -static uint32_t -utile_height(int cpp) -{ - switch (cpp) { - case 1: - return 8; - case 2: - case 4: - case 8: - return 4; - default: - DRM_ERROR("unknown cpp: %d\n", cpp); - return 1; - } -} - -/** - * The texture unit decides what tiling format a particular miplevel is using - * this function, so we lay out our miptrees accordingly. - */ -static bool -size_is_lt(uint32_t width, uint32_t height, int cpp) -{ - return (width <= 4 * utile_width(cpp) || - height <= 4 * utile_height(cpp)); -} - -static bool -vc4_use_bo(struct exec_info *exec, - uint32_t hindex, - enum vc4_bo_mode mode, - struct drm_gem_cma_object **obj) -{ - *obj = NULL; - - if (hindex >= exec->bo_count) { - DRM_ERROR("BO index %d greater than BO count %d\n", - hindex, exec->bo_count); - return false; - } - - if (exec->bo[hindex].mode != mode) { - if (exec->bo[hindex].mode == VC4_MODE_UNDECIDED) { - exec->bo[hindex].mode = mode; - } else { - DRM_ERROR("BO index %d reused with mode %d vs %d\n", - hindex, exec->bo[hindex].mode, mode); - return false; - } - } - - *obj = exec->bo[hindex].bo; - return true; -} - -static bool -vc4_use_handle(struct exec_info *exec, - uint32_t gem_handles_packet_index, - enum vc4_bo_mode mode, - struct drm_gem_cma_object **obj) -{ - return vc4_use_bo(exec, exec->bo_index[gem_handles_packet_index], - mode, obj); -} - -static uint32_t -gl_shader_rec_size(uint32_t pointer_bits) -{ - uint32_t attribute_count = pointer_bits & 7; - bool extended = pointer_bits & 8; - - if (attribute_count == 0) - attribute_count = 8; - - if (extended) - return 100 + attribute_count * 4; - else - return 36 + attribute_count * 8; -} - -static bool -check_tex_size(struct exec_info *exec, struct drm_gem_cma_object *fbo, - uint32_t offset, uint8_t tiling_format, - uint32_t width, uint32_t height, uint8_t cpp) -{ - uint32_t aligned_width, aligned_height, stride, size; - uint32_t utile_w = utile_width(cpp); - uint32_t utile_h = utile_height(cpp); - - /* The values are limited by the packet/texture parameter bitfields, - * so we don't need to worry as much about integer overflow. - */ - BUG_ON(width > 65535); - BUG_ON(height > 65535); - - switch (tiling_format) { - case VC4_TILING_FORMAT_LINEAR: - aligned_width = roundup(width, 16 / cpp); - aligned_height = height; - break; - case VC4_TILING_FORMAT_T: - aligned_width = roundup(width, utile_w * 8); - aligned_height = roundup(height, utile_h * 8); - break; - case VC4_TILING_FORMAT_LT: - aligned_width = roundup(width, utile_w); - aligned_height = roundup(height, utile_h); - break; - default: - DRM_ERROR("buffer tiling %d unsupported\n", tiling_format); - return false; - } - - stride = aligned_width * cpp; - - if (INT_MAX / stride < aligned_height) { - DRM_ERROR("Overflow in fbo size (%dx%d -> %dx%d)\n", - width, height, - aligned_width, aligned_height); - return false; - } - size = stride * aligned_height; - - if (size + offset < size || - size + offset > fbo->base.size) { - DRM_ERROR("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %d)\n", - width, height, - aligned_width, aligned_height, - size, offset, fbo->base.size); - return false; - } - - return true; -} - -static int -validate_start_tile_binning(VALIDATE_ARGS) -{ - if (exec->found_start_tile_binning_packet) { - DRM_ERROR("Duplicate VC4_PACKET_START_TILE_BINNING\n"); - return -EINVAL; - } - exec->found_start_tile_binning_packet = true; - - if (!exec->found_tile_binning_mode_config_packet) { - DRM_ERROR("missing VC4_PACKET_TILE_BINNING_MODE_CONFIG\n"); - return -EINVAL; - } - - return 0; -} - -static int -validate_branch_to_sublist(VALIDATE_ARGS) -{ - struct drm_gem_cma_object *target; - uint32_t offset; - - if (!vc4_use_handle(exec, 0, VC4_MODE_TILE_ALLOC, &target)) - return -EINVAL; - - if (target != exec->tile_alloc_bo) { - DRM_ERROR("Jumping to BOs other than tile alloc unsupported\n"); - return -EINVAL; - } - - offset = *(uint32_t *)(untrusted + 0); - if (offset % exec->tile_alloc_init_block_size || - offset / exec->tile_alloc_init_block_size > - exec->bin_tiles_x * exec->bin_tiles_y) { - DRM_ERROR("VC4_PACKET_BRANCH_TO_SUB_LIST must jump to initial " - "tile allocation space.\n"); - return -EINVAL; - } - - *(uint32_t *)(validated + 0) = target->paddr + offset; - - return 0; -} - -/** - * validate_loadstore_tile_buffer_general() - Validation for - * VC4_PACKET_LOAD_TILE_BUFFER_GENERAL and - * VC4_PACKET_STORE_TILE_BUFFER_GENERAL. - * - * The two packets are nearly the same, except for the TLB-clearing management - * bits not being present for loads. Additionally, while stores are executed - * immediately (using the current tile coordinates), loads are queued to be - * executed when the tile coordinates packet occurs. - * - * Note that coordinates packets are validated to be within the declared - * bin_x/y, which themselves are verified to match the rendering-configuration - * FB width and height (which the hardware uses to clip loads and stores). - */ -static int -validate_loadstore_tile_buffer_general(VALIDATE_ARGS) -{ - uint32_t packet_b0 = *(uint8_t *)(untrusted + 0); - uint32_t packet_b1 = *(uint8_t *)(untrusted + 1); - struct drm_gem_cma_object *fbo; - uint32_t buffer_type = packet_b0 & 0xf; - uint32_t offset, cpp; - - switch (buffer_type) { - case VC4_LOADSTORE_TILE_BUFFER_NONE: - return 0; - case VC4_LOADSTORE_TILE_BUFFER_COLOR: - if ((packet_b1 & VC4_LOADSTORE_TILE_BUFFER_MASK) == - VC4_LOADSTORE_TILE_BUFFER_RGBA8888) { - cpp = 4; - } else { - cpp = 2; - } - break; - - case VC4_LOADSTORE_TILE_BUFFER_Z: - case VC4_LOADSTORE_TILE_BUFFER_ZS: - cpp = 4; - break; - - default: - DRM_ERROR("Load/store type %d unsupported\n", buffer_type); - return -EINVAL; - } - - if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &fbo)) - return -EINVAL; - - offset = *(uint32_t *)(untrusted + 2) & ~0xf; - - if (!check_tex_size(exec, fbo, offset, - ((packet_b0 & - VC4_LOADSTORE_TILE_BUFFER_FORMAT_MASK) >> - VC4_LOADSTORE_TILE_BUFFER_FORMAT_SHIFT), - exec->fb_width, exec->fb_height, cpp)) { - return -EINVAL; - } - - *(uint32_t *)(validated + 2) = offset + fbo->paddr; - - return 0; -} - -static int -validate_indexed_prim_list(VALIDATE_ARGS) -{ - struct drm_gem_cma_object *ib; - uint32_t length = *(uint32_t *)(untrusted + 1); - uint32_t offset = *(uint32_t *)(untrusted + 5); - uint32_t max_index = *(uint32_t *)(untrusted + 9); - uint32_t index_size = (*(uint8_t *)(untrusted + 0) >> 4) ? 2 : 1; - struct vc4_shader_state *shader_state; - - /* Check overflow condition */ - if (exec->shader_state_count == 0) { - DRM_ERROR("shader state must precede primitives\n"); - return -EINVAL; - } - shader_state = &exec->shader_state[exec->shader_state_count - 1]; - - if (max_index > shader_state->max_index) - shader_state->max_index = max_index; - - if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &ib)) - return -EINVAL; - - if (offset > ib->base.size || - (ib->base.size - offset) / index_size < length) { - DRM_ERROR("IB access overflow (%d + %d*%d > %d)\n", - offset, length, index_size, ib->base.size); - return -EINVAL; - } - - *(uint32_t *)(validated + 5) = ib->paddr + offset; - - return 0; -} - -static int -validate_gl_array_primitive(VALIDATE_ARGS) -{ - uint32_t length = *(uint32_t *)(untrusted + 1); - uint32_t base_index = *(uint32_t *)(untrusted + 5); - uint32_t max_index; - struct vc4_shader_state *shader_state; - - /* Check overflow condition */ - if (exec->shader_state_count == 0) { - DRM_ERROR("shader state must precede primitives\n"); - return -EINVAL; - } - shader_state = &exec->shader_state[exec->shader_state_count - 1]; - - if (length + base_index < length) { - DRM_ERROR("primitive vertex count overflow\n"); - return -EINVAL; - } - max_index = length + base_index - 1; - - if (max_index > shader_state->max_index) - shader_state->max_index = max_index; - - return 0; -} - -static int -validate_gl_shader_state(VALIDATE_ARGS) -{ - uint32_t i = exec->shader_state_count++; - - if (i >= exec->shader_state_size) { - DRM_ERROR("More requests for shader states than declared\n"); - return -EINVAL; - } - - exec->shader_state[i].packet = VC4_PACKET_GL_SHADER_STATE; - exec->shader_state[i].addr = *(uint32_t *)untrusted; - exec->shader_state[i].max_index = 0; - - if (exec->shader_state[i].addr & ~0xf) { - DRM_ERROR("high bits set in GL shader rec reference\n"); - return -EINVAL; - } - - *(uint32_t *)validated = (exec->shader_rec_p + - exec->shader_state[i].addr); - - exec->shader_rec_p += - roundup(gl_shader_rec_size(exec->shader_state[i].addr), 16); - - return 0; -} - -static int -validate_nv_shader_state(VALIDATE_ARGS) -{ - uint32_t i = exec->shader_state_count++; - - if (i >= exec->shader_state_size) { - DRM_ERROR("More requests for shader states than declared\n"); - return -EINVAL; - } - - exec->shader_state[i].packet = VC4_PACKET_NV_SHADER_STATE; - exec->shader_state[i].addr = *(uint32_t *)untrusted; - - if (exec->shader_state[i].addr & 15) { - DRM_ERROR("NV shader state address 0x%08x misaligned\n", - exec->shader_state[i].addr); - return -EINVAL; - } - - *(uint32_t *)validated = (exec->shader_state[i].addr + - exec->shader_rec_p); - - return 0; -} - -static int -validate_tile_binning_config(VALIDATE_ARGS) -{ - struct drm_gem_cma_object *tile_allocation; - struct drm_gem_cma_object *tile_state_data_array; - uint8_t flags; - uint32_t tile_allocation_size; - - if (!vc4_use_handle(exec, 0, VC4_MODE_TILE_ALLOC, &tile_allocation) || - !vc4_use_handle(exec, 1, VC4_MODE_TSDA, &tile_state_data_array)) - return -EINVAL; - - if (exec->found_tile_binning_mode_config_packet) { - DRM_ERROR("Duplicate VC4_PACKET_TILE_BINNING_MODE_CONFIG\n"); - return -EINVAL; - } - exec->found_tile_binning_mode_config_packet = true; - - exec->bin_tiles_x = *(uint8_t *)(untrusted + 12); - exec->bin_tiles_y = *(uint8_t *)(untrusted + 13); - flags = *(uint8_t *)(untrusted + 14); - - if (exec->bin_tiles_x == 0 || - exec->bin_tiles_y == 0) { - DRM_ERROR("Tile binning config of %dx%d too small\n", - exec->bin_tiles_x, exec->bin_tiles_y); - return -EINVAL; - } - - /* Our validation relies on the user not getting to set up their own - * tile state/tile allocation BO contents. - */ - if (!(flags & VC4_BIN_CONFIG_AUTO_INIT_TSDA)) { - DRM_ERROR("binning config missing " - "VC4_BIN_CONFIG_AUTO_INIT_TSDA\n"); - return -EINVAL; - } - - if (flags & (VC4_BIN_CONFIG_DB_NON_MS | - VC4_BIN_CONFIG_TILE_BUFFER_64BIT | - VC4_BIN_CONFIG_MS_MODE_4X)) { - DRM_ERROR("unsupported bining config flags 0x%02x\n", flags); - return -EINVAL; - } - - if (*(uint32_t *)(untrusted + 0) != 0) { - DRM_ERROR("tile allocation offset != 0 unsupported\n"); - return -EINVAL; - } - tile_allocation_size = *(uint32_t *)(untrusted + 4); - if (tile_allocation_size > tile_allocation->base.size) { - DRM_ERROR("tile allocation size %d > BO size %d", - tile_allocation_size, tile_allocation->base.size); - return -EINVAL; - } - *(uint32_t *)validated = tile_allocation->paddr; - exec->tile_alloc_bo = tile_allocation; - - exec->tile_alloc_init_block_size = 1 << (5 + ((flags >> 5) & 3)); - if (exec->bin_tiles_x * exec->bin_tiles_y * - exec->tile_alloc_init_block_size > tile_allocation_size) { - DRM_ERROR("tile init exceeds tile alloc size (%d vs %d)\n", - exec->bin_tiles_x * exec->bin_tiles_y * - exec->tile_alloc_init_block_size, - tile_allocation_size); - return -EINVAL; - } - if (*(uint32_t *)(untrusted + 8) != 0) { - DRM_ERROR("TSDA offset != 0 unsupported\n"); - return -EINVAL; - } - if (exec->bin_tiles_x * exec->bin_tiles_y * 48 > - tile_state_data_array->base.size) { - DRM_ERROR("TSDA of %db too small for %dx%d bin config\n", - tile_state_data_array->base.size, - exec->bin_tiles_x, exec->bin_tiles_y); - } - *(uint32_t *)(validated + 8) = tile_state_data_array->paddr; - - return 0; -} - -static int -validate_tile_rendering_mode_config(VALIDATE_ARGS) -{ - struct drm_gem_cma_object *fbo; - uint32_t flags, offset, cpp; - - if (exec->found_tile_rendering_mode_config_packet) { - DRM_ERROR("Duplicate VC4_PACKET_TILE_RENDERING_MODE_CONFIG\n"); - return -EINVAL; - } - exec->found_tile_rendering_mode_config_packet = true; - - if (!vc4_use_handle(exec, 0, VC4_MODE_RENDER, &fbo)) - return -EINVAL; - - exec->fb_width = *(uint16_t *)(untrusted + 4); - exec->fb_height = *(uint16_t *)(untrusted + 6); - - /* Make sure that the fb width/height matches the binning config -- we - * rely on being able to interchange these for various assertions. - * (Within a tile, loads and stores will be clipped to the - * width/height, but we allow load/storing to any binned tile). - */ - if (exec->fb_width <= (exec->bin_tiles_x - 1) * 64 || - exec->fb_width > exec->bin_tiles_x * 64 || - exec->fb_height <= (exec->bin_tiles_y - 1) * 64 || - exec->fb_height > exec->bin_tiles_y * 64) { - DRM_ERROR("bin config %dx%d doesn't match FB %dx%d\n", - exec->bin_tiles_x, exec->bin_tiles_y, - exec->fb_width, exec->fb_height); - return -EINVAL; - } - - flags = *(uint16_t *)(untrusted + 8); - if ((flags & VC4_RENDER_CONFIG_FORMAT_MASK) == - VC4_RENDER_CONFIG_FORMAT_RGBA8888) { - cpp = 4; - } else { - cpp = 2; - } - - offset = *(uint32_t *)untrusted; - if (!check_tex_size(exec, fbo, offset, - ((flags & - VC4_RENDER_CONFIG_MEMORY_FORMAT_MASK) >> - VC4_RENDER_CONFIG_MEMORY_FORMAT_SHIFT), - exec->fb_width, exec->fb_height, cpp)) { - return -EINVAL; - } - - *(uint32_t *)validated = fbo->paddr + offset; - - return 0; -} - -static int -validate_tile_coordinates(VALIDATE_ARGS) -{ - uint8_t tile_x = *(uint8_t *)(untrusted + 0); - uint8_t tile_y = *(uint8_t *)(untrusted + 1); - - if (tile_x >= exec->bin_tiles_x || - tile_y >= exec->bin_tiles_y) { - DRM_ERROR("Tile coordinates %d,%d > bin config %d,%d\n", - tile_x, - tile_y, - exec->bin_tiles_x, - exec->bin_tiles_y); - return -EINVAL; - } - - return 0; -} - -static int -validate_gem_handles(VALIDATE_ARGS) -{ - memcpy(exec->bo_index, untrusted, sizeof(exec->bo_index)); - return 0; -} - -static const struct cmd_info { - bool bin; - bool render; - uint16_t len; - const char *name; - int (*func)(struct exec_info *exec, void *validated, void *untrusted); -} cmd_info[] = { - [VC4_PACKET_HALT] = { 1, 1, 1, "halt", NULL }, - [VC4_PACKET_NOP] = { 1, 1, 1, "nop", NULL }, - [VC4_PACKET_FLUSH] = { 1, 1, 1, "flush", NULL }, - [VC4_PACKET_FLUSH_ALL] = { 1, 0, 1, "flush all state", NULL }, - [VC4_PACKET_START_TILE_BINNING] = { 1, 0, 1, "start tile binning", validate_start_tile_binning }, - [VC4_PACKET_INCREMENT_SEMAPHORE] = { 1, 0, 1, "increment semaphore", NULL }, - [VC4_PACKET_WAIT_ON_SEMAPHORE] = { 1, 1, 1, "wait on semaphore", NULL }, - /* BRANCH_TO_SUB_LIST is actually supported in the binner as well, but - * we only use it from the render CL in order to jump into the tile - * allocation BO. - */ - [VC4_PACKET_BRANCH_TO_SUB_LIST] = { 0, 1, 5, "branch to sublist", validate_branch_to_sublist }, - [VC4_PACKET_STORE_MS_TILE_BUFFER] = { 0, 1, 1, "store MS resolved tile color buffer", NULL }, - [VC4_PACKET_STORE_MS_TILE_BUFFER_AND_EOF] = { 0, 1, 1, "store MS resolved tile color buffer and EOF", NULL }, - - [VC4_PACKET_STORE_TILE_BUFFER_GENERAL] = { 0, 1, 7, "Store Tile Buffer General", validate_loadstore_tile_buffer_general }, - [VC4_PACKET_LOAD_TILE_BUFFER_GENERAL] = { 0, 1, 7, "Load Tile Buffer General", validate_loadstore_tile_buffer_general }, - - [VC4_PACKET_GL_INDEXED_PRIMITIVE] = { 1, 1, 14, "Indexed Primitive List", validate_indexed_prim_list }, - - [VC4_PACKET_GL_ARRAY_PRIMITIVE] = { 1, 1, 10, "Vertex Array Primitives", validate_gl_array_primitive }, - - /* This is only used by clipped primitives (packets 48 and 49), which - * we don't support parsing yet. - */ - [VC4_PACKET_PRIMITIVE_LIST_FORMAT] = { 1, 1, 2, "primitive list format", NULL }, - - [VC4_PACKET_GL_SHADER_STATE] = { 1, 1, 5, "GL Shader State", validate_gl_shader_state }, - [VC4_PACKET_NV_SHADER_STATE] = { 1, 1, 5, "NV Shader State", validate_nv_shader_state }, - - [VC4_PACKET_CONFIGURATION_BITS] = { 1, 1, 4, "configuration bits", NULL }, - [VC4_PACKET_FLAT_SHADE_FLAGS] = { 1, 1, 5, "flat shade flags", NULL }, - [VC4_PACKET_POINT_SIZE] = { 1, 1, 5, "point size", NULL }, - [VC4_PACKET_LINE_WIDTH] = { 1, 1, 5, "line width", NULL }, - [VC4_PACKET_RHT_X_BOUNDARY] = { 1, 1, 3, "RHT X boundary", NULL }, - [VC4_PACKET_DEPTH_OFFSET] = { 1, 1, 5, "Depth Offset", NULL }, - [VC4_PACKET_CLIP_WINDOW] = { 1, 1, 9, "Clip Window", NULL }, - [VC4_PACKET_VIEWPORT_OFFSET] = { 1, 1, 5, "Viewport Offset", NULL }, - [VC4_PACKET_CLIPPER_XY_SCALING] = { 1, 1, 9, "Clipper XY Scaling", NULL }, - /* Note: The docs say this was also 105, but it was 106 in the - * initial userland code drop. - */ - [VC4_PACKET_CLIPPER_Z_SCALING] = { 1, 1, 9, "Clipper Z Scale and Offset", NULL }, - - [VC4_PACKET_TILE_BINNING_MODE_CONFIG] = { 1, 0, 16, "tile binning configuration", validate_tile_binning_config }, - - [VC4_PACKET_TILE_RENDERING_MODE_CONFIG] = { 0, 1, 11, "tile rendering mode configuration", validate_tile_rendering_mode_config}, - - [VC4_PACKET_CLEAR_COLORS] = { 0, 1, 14, "Clear Colors", NULL }, - - [VC4_PACKET_TILE_COORDINATES] = { 0, 1, 3, "Tile Coordinates", validate_tile_coordinates }, - - [VC4_PACKET_GEM_HANDLES] = { 1, 1, 9, "GEM handles", validate_gem_handles }, -}; - -int -vc4_validate_cl(struct drm_device *dev, - void *validated, - void *unvalidated, - uint32_t len, - bool is_bin, - struct exec_info *exec) -{ - uint32_t dst_offset = 0; - uint32_t src_offset = 0; - - while (src_offset < len) { - void *dst_pkt = validated + dst_offset; - void *src_pkt = unvalidated + src_offset; - u8 cmd = *(uint8_t *)src_pkt; - const struct cmd_info *info; - - if (cmd > ARRAY_SIZE(cmd_info)) { - DRM_ERROR("0x%08x: packet %d out of bounds\n", - src_offset, cmd); - return -EINVAL; - } - - info = &cmd_info[cmd]; - if (!info->name) { - DRM_ERROR("0x%08x: packet %d invalid\n", - src_offset, cmd); - return -EINVAL; - } - -#if 0 - DRM_INFO("0x%08x: packet %d (%s) size %d processing...\n", - src_offset, cmd, info->name, info->len); -#endif - - if ((is_bin && !info->bin) || - (!is_bin && !info->render)) { - DRM_ERROR("0x%08x: packet %d (%s) invalid for %s\n", - src_offset, cmd, info->name, - is_bin ? "binner" : "render"); - return -EINVAL; - } - - if (src_offset + info->len > len) { - DRM_ERROR("0x%08x: packet %d (%s) length 0x%08x " - "exceeds bounds (0x%08x)\n", - src_offset, cmd, info->name, info->len, - src_offset + len); - return -EINVAL; - } - - if (cmd != VC4_PACKET_GEM_HANDLES) - memcpy(dst_pkt, src_pkt, info->len); - - if (info->func && info->func(exec, - dst_pkt + 1, - src_pkt + 1)) { - DRM_ERROR("0x%08x: packet %d (%s) failed to " - "validate\n", - src_offset, cmd, info->name); - return -EINVAL; - } - - src_offset += info->len; - /* GEM handle loading doesn't produce HW packets. */ - if (cmd != VC4_PACKET_GEM_HANDLES) - dst_offset += info->len; - - /* When the CL hits halt, it'll stop reading anything else. */ - if (cmd == VC4_PACKET_HALT) - break; - } - - if (is_bin) { - exec->ct0ea = exec->ct0ca + dst_offset; - - if (!exec->found_start_tile_binning_packet) { - DRM_ERROR("Bin CL missing VC4_PACKET_START_TILE_BINNING\n"); - return -EINVAL; - } - } else { - if (!exec->found_tile_rendering_mode_config_packet) { - DRM_ERROR("Render CL missing VC4_PACKET_TILE_RENDERING_MODE_CONFIG\n"); - return -EINVAL; - } - exec->ct1ea = exec->ct1ca + dst_offset; - } - - return 0; -} - -static bool -reloc_tex(struct exec_info *exec, - void *uniform_data_u, - struct vc4_texture_sample_info *sample, - uint32_t texture_handle_index) - -{ - struct drm_gem_cma_object *tex; - uint32_t p0 = *(uint32_t *)(uniform_data_u + sample->p_offset[0]); - uint32_t p1 = *(uint32_t *)(uniform_data_u + sample->p_offset[1]); - uint32_t p2 = (sample->p_offset[2] != ~0 ? - *(uint32_t *)(uniform_data_u + sample->p_offset[2]) : 0); - uint32_t p3 = (sample->p_offset[3] != ~0 ? - *(uint32_t *)(uniform_data_u + sample->p_offset[3]) : 0); - uint32_t *validated_p0 = exec->uniforms_v + sample->p_offset[0]; - uint32_t offset = p0 & ~0xfff; - uint32_t miplevels = (p0 & 15); - uint32_t width = (p1 >> 8) & 2047; - uint32_t height = (p1 >> 20) & 2047; - uint32_t cpp, tiling_format, utile_w, utile_h; - uint32_t i; - uint32_t cube_map_stride = 0; - enum vc4_texture_data_type type; - - if (width == 0) - width = 2048; - if (height == 0) - height = 2048; - - if (p0 & (1 << 9)) { - if ((p2 & (3 << 30)) == (1 << 30)) - cube_map_stride = p2 & 0x3ffff000; - if ((p3 & (3 << 30)) == (1 << 30)) { - if (cube_map_stride) { - DRM_ERROR("Cube map stride set twice\n"); - return -EINVAL; - } - - cube_map_stride = p3 & 0x3ffff000; - } - if (!cube_map_stride) { - DRM_ERROR("Cube map stride not set\n"); - return -EINVAL; - } - } - - type = ((p0 >> 4) & 15) | ((p1 >> 31) << 4); - - switch (type) { - case VC4_TEXTURE_TYPE_RGBA8888: - case VC4_TEXTURE_TYPE_RGBX8888: - case VC4_TEXTURE_TYPE_RGBA32R: - cpp = 4; - break; - case VC4_TEXTURE_TYPE_RGBA4444: - case VC4_TEXTURE_TYPE_RGBA5551: - case VC4_TEXTURE_TYPE_RGB565: - case VC4_TEXTURE_TYPE_LUMALPHA: - case VC4_TEXTURE_TYPE_S16F: - case VC4_TEXTURE_TYPE_S16: - cpp = 2; - break; - case VC4_TEXTURE_TYPE_LUMINANCE: - case VC4_TEXTURE_TYPE_ALPHA: - case VC4_TEXTURE_TYPE_S8: - cpp = 1; - break; - case VC4_TEXTURE_TYPE_ETC1: - case VC4_TEXTURE_TYPE_BW1: - case VC4_TEXTURE_TYPE_A4: - case VC4_TEXTURE_TYPE_A1: - case VC4_TEXTURE_TYPE_RGBA64: - case VC4_TEXTURE_TYPE_YUV422R: - default: - DRM_ERROR("Texture format %d unsupported\n", type); - return false; - } - utile_w = utile_width(cpp); - utile_h = utile_height(cpp); - - if (type == VC4_TEXTURE_TYPE_RGBA32R) { - tiling_format = VC4_TILING_FORMAT_LINEAR; - } else { - if (size_is_lt(width, height, cpp)) - tiling_format = VC4_TILING_FORMAT_LT; - else - tiling_format = VC4_TILING_FORMAT_T; - } - - if (!vc4_use_bo(exec, texture_handle_index, VC4_MODE_RENDER, &tex)) - return false; - - if (!check_tex_size(exec, tex, offset + cube_map_stride * 5, - tiling_format, width, height, cpp)) { - return false; - } - - /* The mipmap levels are stored before the base of the texture. Make - * sure there is actually space in the BO. - */ - for (i = 1; i <= miplevels; i++) { - uint32_t level_width = max(width >> i, 1u); - uint32_t level_height = max(height >> i, 1u); - uint32_t aligned_width, aligned_height; - uint32_t level_size; - - /* Once the levels get small enough, they drop from T to LT. */ - if (tiling_format == VC4_TILING_FORMAT_T && - size_is_lt(level_width, level_height, cpp)) { - tiling_format = VC4_TILING_FORMAT_LT; - } - - switch (tiling_format) { - case VC4_TILING_FORMAT_T: - aligned_width = roundup(level_width, utile_w * 8); - aligned_height = roundup(level_height, utile_h * 8); - break; - case VC4_TILING_FORMAT_LT: - aligned_width = roundup(level_width, utile_w); - aligned_height = roundup(level_height, utile_h); - break; - default: - aligned_width = roundup(level_width, 16 / cpp); - aligned_height = level_height; - break; - } - - level_size = aligned_width * cpp * aligned_height; - - if (offset < level_size) { - DRM_ERROR("Level %d (%dx%d -> %dx%d) size %db " - "overflowed buffer bounds (offset %d)\n", - i, level_width, level_height, - aligned_width, aligned_height, - level_size, offset); - return false; - } - - offset -= level_size; - } - - *validated_p0 = tex->paddr + p0; - - return true; -} - -static int -validate_shader_rec(struct drm_device *dev, - struct exec_info *exec, - struct vc4_shader_state *state) -{ - uint32_t *src_handles; - void *pkt_u, *pkt_v; - enum shader_rec_reloc_type { - RELOC_CODE, - RELOC_VBO, - }; - struct shader_rec_reloc { - enum shader_rec_reloc_type type; - uint32_t offset; - }; - static const struct shader_rec_reloc gl_relocs[] = { - { RELOC_CODE, 4 }, /* fs */ - { RELOC_CODE, 16 }, /* vs */ - { RELOC_CODE, 28 }, /* cs */ - }; - static const struct shader_rec_reloc nv_relocs[] = { - { RELOC_CODE, 4 }, /* fs */ - { RELOC_VBO, 12 } - }; - const struct shader_rec_reloc *relocs; - struct drm_gem_cma_object *bo[ARRAY_SIZE(gl_relocs) + 8]; - uint32_t nr_attributes = 0, nr_fixed_relocs, nr_relocs, packet_size; - int i; - struct vc4_validated_shader_info *validated_shader = NULL; - - if (state->packet == VC4_PACKET_NV_SHADER_STATE) { - relocs = nv_relocs; - nr_fixed_relocs = ARRAY_SIZE(nv_relocs); - - packet_size = 16; - } else { - relocs = gl_relocs; - nr_fixed_relocs = ARRAY_SIZE(gl_relocs); - - nr_attributes = state->addr & 0x7; - if (nr_attributes == 0) - nr_attributes = 8; - packet_size = gl_shader_rec_size(state->addr); - } - nr_relocs = nr_fixed_relocs + nr_attributes; - - if (nr_relocs * 4 > exec->shader_rec_size) { - DRM_ERROR("overflowed shader recs reading %d handles " - "from %d bytes left\n", - nr_relocs, exec->shader_rec_size); - return -EINVAL; - } - src_handles = exec->shader_rec_u; - exec->shader_rec_u += nr_relocs * 4; - exec->shader_rec_size -= nr_relocs * 4; - - if (packet_size > exec->shader_rec_size) { - DRM_ERROR("overflowed shader recs copying %db packet " - "from %d bytes left\n", - packet_size, exec->shader_rec_size); - return -EINVAL; - } - pkt_u = exec->shader_rec_u; - pkt_v = exec->shader_rec_v; - memcpy(pkt_v, pkt_u, packet_size); - exec->shader_rec_u += packet_size; - /* Shader recs have to be aligned to 16 bytes (due to the attribute - * flags being in the low bytes), so round the next validated shader - * rec address up. This should be safe, since we've got so many - * relocations in a shader rec packet. - */ - BUG_ON(roundup(packet_size, 16) - packet_size > nr_relocs * 4); - exec->shader_rec_v += roundup(packet_size, 16); - exec->shader_rec_size -= packet_size; - - for (i = 0; i < nr_relocs; i++) { - enum vc4_bo_mode mode; - - if (i < nr_fixed_relocs && relocs[i].type == RELOC_CODE) - mode = VC4_MODE_SHADER; - else - mode = VC4_MODE_RENDER; - - if (!vc4_use_bo(exec, src_handles[i], mode, &bo[i])) { - return false; - } - } - - for (i = 0; i < nr_fixed_relocs; i++) { - uint32_t o = relocs[i].offset; - uint32_t src_offset = *(uint32_t *)(pkt_u + o); - uint32_t *texture_handles_u; - void *uniform_data_u; - uint32_t tex; - - *(uint32_t *)(pkt_v + o) = bo[i]->paddr + src_offset; - - switch (relocs[i].type) { - case RELOC_CODE: - kfree(validated_shader); - validated_shader = vc4_validate_shader(bo[i], - src_offset); - if (!validated_shader) - goto fail; - - if (validated_shader->uniforms_src_size > - exec->uniforms_size) { - DRM_ERROR("Uniforms src buffer overflow\n"); - goto fail; - } - - texture_handles_u = exec->uniforms_u; - uniform_data_u = (texture_handles_u + - validated_shader->num_texture_samples); - - memcpy(exec->uniforms_v, uniform_data_u, - validated_shader->uniforms_size); - - for (tex = 0; - tex < validated_shader->num_texture_samples; - tex++) { - if (!reloc_tex(exec, - uniform_data_u, - &validated_shader->texture_samples[tex], - texture_handles_u[tex])) { - goto fail; - } - } - - *(uint32_t *)(pkt_v + o + 4) = exec->uniforms_p; - - exec->uniforms_u += validated_shader->uniforms_src_size; - exec->uniforms_v += validated_shader->uniforms_size; - exec->uniforms_p += validated_shader->uniforms_size; - - break; - - case RELOC_VBO: - break; - } - } - - for (i = 0; i < nr_attributes; i++) { - struct drm_gem_cma_object *vbo = bo[nr_fixed_relocs + i]; - uint32_t o = 36 + i * 8; - uint32_t offset = *(uint32_t *)(pkt_u + o + 0); - uint32_t attr_size = *(uint8_t *)(pkt_u + o + 4) + 1; - uint32_t stride = *(uint8_t *)(pkt_u + o + 5); - uint32_t max_index; - - if (state->addr & 0x8) - stride |= (*(uint32_t *)(pkt_u + 100 + i * 4)) & ~0xff; - - if (vbo->base.size < offset || - vbo->base.size - offset < attr_size) { - DRM_ERROR("BO offset overflow (%d + %d > %d)\n", - offset, attr_size, vbo->base.size); - return -EINVAL; - } - - if (stride != 0) { - max_index = ((vbo->base.size - offset - attr_size) / - stride); - if (state->max_index > max_index) { - DRM_ERROR("primitives use index %d out of supplied %d\n", - state->max_index, max_index); - return -EINVAL; - } - } - - *(uint32_t *)(pkt_v + o) = vbo->paddr + offset; - } - - kfree(validated_shader); - - return 0; - -fail: - kfree(validated_shader); - return -EINVAL; -} - -int -vc4_validate_shader_recs(struct drm_device *dev, - struct exec_info *exec) -{ - uint32_t i; - int ret = 0; - - for (i = 0; i < exec->shader_state_count; i++) { - ret = validate_shader_rec(dev, exec, &exec->shader_state[i]); - if (ret) - return ret; - } - - return ret; -} diff --git a/src/gallium/drivers/vc4/vc4_simulator_validate.h b/src/gallium/drivers/vc4/vc4_simulator_validate.h index 39419b42078..d6c2aec51c1 100644 --- a/src/gallium/drivers/vc4/vc4_simulator_validate.h +++ b/src/gallium/drivers/vc4/vc4_simulator_validate.h @@ -34,6 +34,8 @@ #include "vc4_context.h" #include "vc4_qpu_defines.h" +struct exec_info; + #define DRM_INFO(...) fprintf(stderr, __VA_ARGS__) #define DRM_ERROR(...) fprintf(stderr, __VA_ARGS__) #define kmalloc(size, arg) malloc(size) @@ -71,140 +73,11 @@ struct drm_gem_cma_object { void *vaddr; }; -enum vc4_bo_mode { - VC4_MODE_UNDECIDED, - VC4_MODE_TILE_ALLOC, - VC4_MODE_TSDA, - VC4_MODE_RENDER, - VC4_MODE_SHADER, -}; - -struct vc4_bo_exec_state { - struct drm_gem_cma_object *bo; - enum vc4_bo_mode mode; -}; - -struct exec_info { - /* Kernel-space copy of the ioctl arguments */ - struct drm_vc4_submit_cl *args; - - /* This is the array of BOs that were looked up at the start of exec. - * Command validation will use indices into this array. - */ - struct vc4_bo_exec_state *bo; - uint32_t bo_count; - - /* Current unvalidated indices into @bo loaded by the non-hardware - * VC4_PACKET_GEM_HANDLES. - */ - uint32_t bo_index[2]; - - /* This is the BO where we store the validated command lists, shader - * records, and uniforms. - */ - struct drm_gem_cma_object *exec_bo; - - /** - * This tracks the per-shader-record state (packet 64) that - * determines the length of the shader record and the offset - * it's expected to be found at. It gets read in from the - * command lists. - */ - struct vc4_shader_state { - uint8_t packet; - uint32_t addr; - /* Maximum vertex index referenced by any primitive using this - * shader state. - */ - uint32_t max_index; - } *shader_state; - - /** How many shader states the user declared they were using. */ - uint32_t shader_state_size; - /** How many shader state records the validator has seen. */ - uint32_t shader_state_count; - - bool found_tile_binning_mode_config_packet; - bool found_tile_rendering_mode_config_packet; - bool found_start_tile_binning_packet; - uint8_t bin_tiles_x, bin_tiles_y; - uint32_t fb_width, fb_height; - uint32_t tile_alloc_init_block_size; - struct drm_gem_cma_object *tile_alloc_bo; - - /** - * Computed addresses pointing into exec_bo where we start the - * bin thread (ct0) and render thread (ct1). - */ - uint32_t ct0ca, ct0ea; - uint32_t ct1ca, ct1ea; - - /* Pointers to the shader recs. These paddr gets incremented as CL - * packets are relocated in validate_gl_shader_state, and the vaddrs - * (u and v) get incremented and size decremented as the shader recs - * themselves are validated. - */ - void *shader_rec_u; - void *shader_rec_v; - uint32_t shader_rec_p; - uint32_t shader_rec_size; - - /* Pointers to the uniform data. These pointers are incremented, and - * size decremented, as each batch of uniforms is uploaded. - */ - void *uniforms_u; - void *uniforms_v; - uint32_t uniforms_p; - uint32_t uniforms_size; -}; - -/** - * struct vc4_texture_sample_info - saves the offsets into the UBO for texture - * setup parameters. - * - * This will be used at draw time to relocate the reference to the texture - * contents in p0, and validate that the offset combined with - * width/height/stride/etc. from p1 and p2/p3 doesn't sample outside the BO. - * Note that the hardware treats unprovided config parameters as 0, so not all - * of them need to be set up for every texure sample, and we'll store ~0 as - * the offset to mark the unused ones. - * - * See the VC4 3D architecture guide page 41 ("Texture and Memory Lookup Unit - * Setup") for definitions of the texture parameters. - */ -struct vc4_texture_sample_info { - uint32_t p_offset[4]; -}; - -/** - * struct vc4_validated_shader_info - information about validated shaders that - * needs to be used from command list validation. - * - * For a given shader, each time a shader state record references it, we need - * to verify that the shader doesn't read more uniforms than the shader state - * record's uniform BO pointer can provide, and we need to apply relocations - * and validate the shader state record's uniforms that define the texture - * samples. - */ -struct vc4_validated_shader_info -{ - uint32_t uniforms_size; - uint32_t uniforms_src_size; - uint32_t num_texture_samples; - struct vc4_texture_sample_info *texture_samples; -}; - -int vc4_validate_cl(struct drm_device *dev, - void *validated, - void *unvalidated, - uint32_t len, - bool is_bin, - struct exec_info *exec); -int vc4_validate_shader_recs(struct drm_device *dev, struct exec_info *exec); +struct drm_gem_cma_object * +drm_gem_cma_create(struct drm_device *dev, size_t size); -struct vc4_validated_shader_info * -vc4_validate_shader(struct drm_gem_cma_object *shader_obj, - uint32_t start_offset); +int +vc4_cl_validate(struct drm_device *dev, struct exec_info *exec); #endif /* VC4_SIMULATOR_VALIDATE_H */ diff --git a/src/gallium/drivers/vc4/vc4_simulator_validate_shaders.c b/src/gallium/drivers/vc4/vc4_simulator_validate_shaders.c deleted file mode 100644 index 183cd4c977e..00000000000 --- a/src/gallium/drivers/vc4/vc4_simulator_validate_shaders.c +++ /dev/null @@ -1,322 +0,0 @@ -/* - * Copyright © 2014 Broadcom - * - * Permission is hereby granted, free of charge, to any person obtaining a - * copy of this software and associated documentation files (the "Software"), - * to deal in the Software without restriction, including without limitation - * the rights to use, copy, modify, merge, publish, distribute, sublicense, - * and/or sell copies of the Software, and to permit persons to whom the - * Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice (including the next - * paragraph) shall be included in all copies or substantial portions of the - * Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL - * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING - * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS - * IN THE SOFTWARE. - */ - -/** - * DOC: Shader validator for VC4. - * - * The VC4 has no IOMMU between it and system memory. So, a user with access - * to execute shaders could escalate privilege by overwriting system memory - * (using the VPM write address register in the general-purpose DMA mode) or - * reading system memory it shouldn't (reading it as a texture, or uniform - * data, or vertex data). - * - * This walks over a shader starting from some offset within a BO, ensuring - * that its accesses are appropriately bounded, and recording how many texture - * accesses are made and where so that we can do relocations for them in the - * uniform stream. - * - * The kernel API has shaders stored in user-mapped BOs. The BOs will be - * forcibly unmapped from the process before validation, and any cache of - * validated state will be flushed if the mapping is faulted back in. - * - * Storing the shaders in BOs means that the validation process will be slow - * due to uncached reads, but since shaders are long-lived and shader BOs are - * never actually modified, this shouldn't be a problem. - */ - -#include "vc4_simulator_validate.h" -#include "vc4_qpu.h" -#include "vc4_qpu_defines.h" - -struct vc4_shader_validation_state { - struct vc4_texture_sample_info tmu_setup[2]; - int tmu_write_count[2]; -}; - -static bool -is_tmu_write(uint32_t waddr) -{ - return (waddr >= QPU_W_TMU0_S && - waddr <= QPU_W_TMU1_B); -} - -static bool -record_validated_texture_sample(struct vc4_validated_shader_info *validated_shader, - struct vc4_shader_validation_state *validation_state, - int tmu) -{ - uint32_t s = validated_shader->num_texture_samples; - int i; - struct vc4_texture_sample_info *temp_samples; - - temp_samples = krealloc(validated_shader->texture_samples, - (s + 1) * sizeof(*temp_samples), - GFP_KERNEL); - if (!temp_samples) - return false; - - memcpy(temp_samples[s].p_offset, - validation_state->tmu_setup[tmu].p_offset, - validation_state->tmu_write_count[tmu] * sizeof(uint32_t)); - for (i = validation_state->tmu_write_count[tmu]; i < 4; i++) - temp_samples[s].p_offset[i] = ~0; - - validated_shader->num_texture_samples = s + 1; - validated_shader->texture_samples = temp_samples; - - return true; -} - -static bool -check_tmu_write(struct vc4_validated_shader_info *validated_shader, - struct vc4_shader_validation_state *validation_state, - uint32_t waddr) -{ - int tmu = waddr > QPU_W_TMU0_B; - - if (!is_tmu_write(waddr)) - return true; - - if (validation_state->tmu_write_count[tmu] >= 4) { - DRM_ERROR("TMU%d got too many parameters before dispatch\n", - tmu); - return false; - } - validation_state->tmu_setup[tmu].p_offset[validation_state->tmu_write_count[tmu]] = - validated_shader->uniforms_size; - validation_state->tmu_write_count[tmu]++; - validated_shader->uniforms_size += 4; - - if (waddr == QPU_W_TMU0_S || waddr == QPU_W_TMU1_S) { - if (!record_validated_texture_sample(validated_shader, - validation_state, tmu)) { - return false; - } - - validation_state->tmu_write_count[tmu] = 0; - } - - return true; -} - -static bool -check_register_write(struct vc4_validated_shader_info *validated_shader, - struct vc4_shader_validation_state *validation_state, - uint32_t waddr) -{ - switch (waddr) { - case QPU_W_UNIFORMS_ADDRESS: - /* XXX: We'll probably need to support this for reladdr, but - * it's definitely a security-related one. - */ - DRM_ERROR("uniforms address load unsupported\n"); - return false; - - case QPU_W_TLB_COLOR_MS: - case QPU_W_TLB_COLOR_ALL: - case QPU_W_TLB_Z: - /* These only interact with the tile buffer, not main memory, - * so they're safe. - */ - return true; - - case QPU_W_TMU0_S: - case QPU_W_TMU0_T: - case QPU_W_TMU0_R: - case QPU_W_TMU0_B: - case QPU_W_TMU1_S: - case QPU_W_TMU1_T: - case QPU_W_TMU1_R: - case QPU_W_TMU1_B: - return check_tmu_write(validated_shader, validation_state, - waddr); - - case QPU_W_HOST_INT: - case QPU_W_TMU_NOSWAP: - case QPU_W_TLB_ALPHA_MASK: - case QPU_W_MUTEX_RELEASE: - /* XXX: I haven't thought about these, so don't support them - * for now. - */ - DRM_ERROR("Unsupported waddr %d\n", waddr); - return false; - - case QPU_W_VPM_ADDR: - DRM_ERROR("General VPM DMA unsupported\n"); - return false; - - case QPU_W_VPM: - case QPU_W_VPMVCD_SETUP: - /* We allow VPM setup in general, even including VPM DMA - * configuration setup, because the (unsafe) DMA can only be - * triggered by QPU_W_VPM_ADDR writes. - */ - return true; - - case QPU_W_TLB_STENCIL_SETUP: - return true; - } - - return true; -} - -static bool -check_instruction_writes(uint64_t inst, - struct vc4_validated_shader_info *validated_shader, - struct vc4_shader_validation_state *validation_state) -{ - uint32_t waddr_add = QPU_GET_FIELD(inst, QPU_WADDR_ADD); - uint32_t waddr_mul = QPU_GET_FIELD(inst, QPU_WADDR_MUL); - - if (is_tmu_write(waddr_add) && is_tmu_write(waddr_mul)) { - DRM_ERROR("ADD and MUL both set up textures\n"); - return false; - } - - return (check_register_write(validated_shader, validation_state, waddr_add) && - check_register_write(validated_shader, validation_state, waddr_mul)); -} - -static bool -check_instruction_reads(uint64_t inst, - struct vc4_validated_shader_info *validated_shader) -{ - uint32_t waddr_add = QPU_GET_FIELD(inst, QPU_WADDR_ADD); - uint32_t waddr_mul = QPU_GET_FIELD(inst, QPU_WADDR_MUL); - uint32_t raddr_a = QPU_GET_FIELD(inst, QPU_RADDR_A); - uint32_t raddr_b = QPU_GET_FIELD(inst, QPU_RADDR_B); - - if (raddr_a == QPU_R_UNIF || - raddr_b == QPU_R_UNIF) { - if (is_tmu_write(waddr_add) || is_tmu_write(waddr_mul)) { - DRM_ERROR("uniform read in the same instruction as " - "texture setup"); - return false; - } - - /* This can't overflow the uint32_t, because we're reading 8 - * bytes of instruction to increment by 4 here, so we'd - * already be OOM. - */ - validated_shader->uniforms_size += 4; - } - - return true; -} - -struct vc4_validated_shader_info * -vc4_validate_shader(struct drm_gem_cma_object *shader_obj, - uint32_t start_offset) -{ - bool found_shader_end = false; - int shader_end_ip = 0; - uint32_t ip, max_ip; - uint64_t *shader; - struct vc4_validated_shader_info *validated_shader; - struct vc4_shader_validation_state validation_state; - - memset(&validation_state, 0, sizeof(validation_state)); - - if (start_offset + sizeof(uint64_t) > shader_obj->base.size) { - DRM_ERROR("shader starting at %d outside of BO sized %d\n", - start_offset, - shader_obj->base.size); - return NULL; - } - shader = shader_obj->vaddr + start_offset; - max_ip = (shader_obj->base.size - start_offset) / sizeof(uint64_t); - - validated_shader = kcalloc(sizeof(*validated_shader), 1, GFP_KERNEL); - if (!validated_shader) - return NULL; - - for (ip = 0; ip < max_ip; ip++) { - uint64_t inst = shader[ip]; - uint32_t sig = QPU_GET_FIELD(inst, QPU_SIG); - - switch (sig) { - case QPU_SIG_NONE: - case QPU_SIG_WAIT_FOR_SCOREBOARD: - case QPU_SIG_SCOREBOARD_UNLOCK: - case QPU_SIG_COLOR_LOAD: - case QPU_SIG_LOAD_TMU0: - case QPU_SIG_LOAD_TMU1: - if (!check_instruction_writes(inst, validated_shader, - &validation_state)) { - DRM_ERROR("Bad write at ip %d\n", ip); - goto fail; - } - - if (!check_instruction_reads(inst, validated_shader)) - goto fail; - - break; - - case QPU_SIG_LOAD_IMM: - if (!check_instruction_writes(inst, validated_shader, - &validation_state)) { - DRM_ERROR("Bad LOAD_IMM write at ip %d\n", ip); - goto fail; - } - break; - - case QPU_SIG_PROG_END: - found_shader_end = true; - shader_end_ip = ip; - break; - - default: - DRM_ERROR("Unsupported QPU signal %d at " - "instruction %d\n", sig, ip); - goto fail; - } - - /* There are two delay slots after program end is signaled - * that are still executed, then we're finished. - */ - if (found_shader_end && ip == shader_end_ip + 2) - break; - } - - if (ip == max_ip) { - DRM_ERROR("shader starting at %d failed to terminate before " - "shader BO end at %d\n", - start_offset, - shader_obj->base.size); - goto fail; - } - - /* Again, no chance of integer overflow here because the worst case - * scenario is 8 bytes of uniforms plus handles per 8-byte - * instruction. - */ - validated_shader->uniforms_src_size = - (validated_shader->uniforms_size + - 4 * validated_shader->num_texture_samples); - - return validated_shader; - -fail: - kfree(validated_shader); - return NULL; -} -- cgit v1.2.3