diff options
Diffstat (limited to 'drivers/gpu/drm/radeon/r600_cs.c')
-rw-r--r-- | drivers/gpu/drm/radeon/r600_cs.c | 901 |
1 files changed, 766 insertions, 135 deletions
diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c index e4c45ec1650..c39c1bc1301 100644 --- a/drivers/gpu/drm/radeon/r600_cs.c +++ b/drivers/gpu/drm/radeon/r600_cs.c @@ -28,6 +28,7 @@ #include "drmP.h" #include "radeon.h" #include "r600d.h" +#include "r600_reg_safe.h" static int r600_cs_packet_next_reloc_mm(struct radeon_cs_parser *p, struct radeon_cs_reloc **cs_reloc); @@ -35,11 +36,316 @@ static int r600_cs_packet_next_reloc_nomm(struct radeon_cs_parser *p, struct radeon_cs_reloc **cs_reloc); typedef int (*next_reloc_t)(struct radeon_cs_parser*, struct radeon_cs_reloc**); static next_reloc_t r600_cs_packet_next_reloc = &r600_cs_packet_next_reloc_mm; +extern void r600_cs_legacy_get_tiling_conf(struct drm_device *dev, u32 *npipes, u32 *nbanks, u32 *group_size); + struct r600_cs_track { - u32 cb_color0_base_last; + /* configuration we miror so that we use same code btw kms/ums */ + u32 group_size; + u32 nbanks; + u32 npipes; + /* value we track */ + u32 sq_config; + u32 nsamples; + u32 cb_color_base_last[8]; + struct radeon_bo *cb_color_bo[8]; + u32 cb_color_bo_offset[8]; + struct radeon_bo *cb_color_frag_bo[8]; + struct radeon_bo *cb_color_tile_bo[8]; + u32 cb_color_info[8]; + u32 cb_color_size_idx[8]; + u32 cb_target_mask; + u32 cb_shader_mask; + u32 cb_color_size[8]; + u32 vgt_strmout_en; + u32 vgt_strmout_buffer_en; + u32 db_depth_control; + u32 db_depth_info; + u32 db_depth_size_idx; + u32 db_depth_view; + u32 db_depth_size; + u32 db_offset; + struct radeon_bo *db_bo; }; +static inline int r600_bpe_from_format(u32 *bpe, u32 format) +{ + switch (format) { + case V_038004_COLOR_8: + case V_038004_COLOR_4_4: + case V_038004_COLOR_3_3_2: + case V_038004_FMT_1: + *bpe = 1; + break; + case V_038004_COLOR_16: + case V_038004_COLOR_16_FLOAT: + case V_038004_COLOR_8_8: + case V_038004_COLOR_5_6_5: + case V_038004_COLOR_6_5_5: + case V_038004_COLOR_1_5_5_5: + case V_038004_COLOR_4_4_4_4: + case V_038004_COLOR_5_5_5_1: + *bpe = 2; + break; + case V_038004_FMT_8_8_8: + *bpe = 3; + break; + case V_038004_COLOR_32: + case V_038004_COLOR_32_FLOAT: + case V_038004_COLOR_16_16: + case V_038004_COLOR_16_16_FLOAT: + case V_038004_COLOR_8_24: + case V_038004_COLOR_8_24_FLOAT: + case V_038004_COLOR_24_8: + case V_038004_COLOR_24_8_FLOAT: + case V_038004_COLOR_10_11_11: + case V_038004_COLOR_10_11_11_FLOAT: + case V_038004_COLOR_11_11_10: + case V_038004_COLOR_11_11_10_FLOAT: + case V_038004_COLOR_2_10_10_10: + case V_038004_COLOR_8_8_8_8: + case V_038004_COLOR_10_10_10_2: + case V_038004_FMT_5_9_9_9_SHAREDEXP: + case V_038004_FMT_32_AS_8: + case V_038004_FMT_32_AS_8_8: + *bpe = 4; + break; + case V_038004_COLOR_X24_8_32_FLOAT: + case V_038004_COLOR_32_32: + case V_038004_COLOR_32_32_FLOAT: + case V_038004_COLOR_16_16_16_16: + case V_038004_COLOR_16_16_16_16_FLOAT: + *bpe = 8; + break; + case V_038004_FMT_16_16_16: + case V_038004_FMT_16_16_16_FLOAT: + *bpe = 6; + break; + case V_038004_FMT_32_32_32: + case V_038004_FMT_32_32_32_FLOAT: + *bpe = 12; + break; + case V_038004_COLOR_32_32_32_32: + case V_038004_COLOR_32_32_32_32_FLOAT: + *bpe = 16; + break; + case V_038004_FMT_GB_GR: + case V_038004_FMT_BG_RG: + case V_038004_COLOR_INVALID: + *bpe = 16; + return -EINVAL; + } + return 0; +} + +static void r600_cs_track_init(struct r600_cs_track *track) +{ + int i; + + /* assume DX9 mode */ + track->sq_config = DX9_CONSTS; + for (i = 0; i < 8; i++) { + track->cb_color_base_last[i] = 0; + track->cb_color_size[i] = 0; + track->cb_color_size_idx[i] = 0; + track->cb_color_info[i] = 0; + track->cb_color_bo[i] = NULL; + track->cb_color_bo_offset[i] = 0xFFFFFFFF; + } + track->cb_target_mask = 0xFFFFFFFF; + track->cb_shader_mask = 0xFFFFFFFF; + track->db_bo = NULL; + /* assume the biggest format and that htile is enabled */ + track->db_depth_info = 7 | (1 << 25); + track->db_depth_view = 0xFFFFC000; + track->db_depth_size = 0xFFFFFFFF; + track->db_depth_size_idx = 0; + track->db_depth_control = 0xFFFFFFFF; +} + +static inline int r600_cs_track_validate_cb(struct radeon_cs_parser *p, int i) +{ + struct r600_cs_track *track = p->track; + u32 bpe = 0, pitch, slice_tile_max, size, tmp, height; + volatile u32 *ib = p->ib->ptr; + + if (G_0280A0_TILE_MODE(track->cb_color_info[i])) { + dev_warn(p->dev, "FMASK or CMASK buffer are not supported by this kernel\n"); + return -EINVAL; + } + size = radeon_bo_size(track->cb_color_bo[i]); + if (r600_bpe_from_format(&bpe, G_0280A0_FORMAT(track->cb_color_info[i]))) { + dev_warn(p->dev, "%s:%d cb invalid format %d for %d (0x%08X)\n", + __func__, __LINE__, G_0280A0_FORMAT(track->cb_color_info[i]), + i, track->cb_color_info[i]); + return -EINVAL; + } + pitch = (G_028060_PITCH_TILE_MAX(track->cb_color_size[i]) + 1) << 3; + slice_tile_max = G_028060_SLICE_TILE_MAX(track->cb_color_size[i]) + 1; + if (!pitch) { + dev_warn(p->dev, "%s:%d cb pitch (%d) for %d invalid (0x%08X)\n", + __func__, __LINE__, pitch, i, track->cb_color_size[i]); + return -EINVAL; + } + height = size / (pitch * bpe); + if (height > 8192) + height = 8192; + switch (G_0280A0_ARRAY_MODE(track->cb_color_info[i])) { + case V_0280A0_ARRAY_LINEAR_GENERAL: + case V_0280A0_ARRAY_LINEAR_ALIGNED: + if (pitch & 0x3f) { + dev_warn(p->dev, "%s:%d cb pitch (%d x %d = %d) invalid\n", + __func__, __LINE__, pitch, bpe, pitch * bpe); + return -EINVAL; + } + if ((pitch * bpe) & (track->group_size - 1)) { + dev_warn(p->dev, "%s:%d cb pitch (%d) invalid\n", + __func__, __LINE__, pitch); + return -EINVAL; + } + break; + case V_0280A0_ARRAY_1D_TILED_THIN1: + if ((pitch * 8 * bpe * track->nsamples) & (track->group_size - 1)) { + dev_warn(p->dev, "%s:%d cb pitch (%d) invalid\n", + __func__, __LINE__, pitch); + return -EINVAL; + } + height &= ~0x7; + if (!height) + height = 8; + break; + case V_0280A0_ARRAY_2D_TILED_THIN1: + if (pitch & ((8 * track->nbanks) - 1)) { + dev_warn(p->dev, "%s:%d cb pitch (%d) invalid\n", + __func__, __LINE__, pitch); + return -EINVAL; + } + tmp = pitch * 8 * bpe * track->nsamples; + tmp = tmp / track->nbanks; + if (tmp & (track->group_size - 1)) { + dev_warn(p->dev, "%s:%d cb pitch (%d) invalid\n", + __func__, __LINE__, pitch); + return -EINVAL; + } + height &= ~((16 * track->npipes) - 1); + if (!height) + height = 16 * track->npipes; + break; + default: + dev_warn(p->dev, "%s invalid tiling %d for %d (0x%08X)\n", __func__, + G_0280A0_ARRAY_MODE(track->cb_color_info[i]), i, + track->cb_color_info[i]); + return -EINVAL; + } + /* check offset */ + tmp = height * pitch; + if ((tmp + track->cb_color_bo_offset[i]) > radeon_bo_size(track->cb_color_bo[i])) { + dev_warn(p->dev, "%s offset[%d] %d to big\n", __func__, i, track->cb_color_bo_offset[i]); + return -EINVAL; + } + /* limit max tile */ + tmp = (height * pitch) >> 6; + if (tmp < slice_tile_max) + slice_tile_max = tmp; + tmp = S_028060_PITCH_TILE_MAX((pitch >> 3) - 1) | + S_028060_SLICE_TILE_MAX(slice_tile_max - 1); + ib[track->cb_color_size_idx[i]] = tmp; + return 0; +} + +static int r600_cs_track_check(struct radeon_cs_parser *p) +{ + struct r600_cs_track *track = p->track; + u32 tmp; + int r, i; + volatile u32 *ib = p->ib->ptr; + + /* on legacy kernel we don't perform advanced check */ + if (p->rdev == NULL) + return 0; + /* we don't support out buffer yet */ + if (track->vgt_strmout_en || track->vgt_strmout_buffer_en) { + dev_warn(p->dev, "this kernel doesn't support SMX output buffer\n"); + return -EINVAL; + } + /* check that we have a cb for each enabled target, we don't check + * shader_mask because it seems mesa isn't always setting it :( + */ + tmp = track->cb_target_mask; + for (i = 0; i < 8; i++) { + if ((tmp >> (i * 4)) & 0xF) { + /* at least one component is enabled */ + if (track->cb_color_bo[i] == NULL) { + dev_warn(p->dev, "%s:%d mask 0x%08X | 0x%08X no cb for %d\n", + __func__, __LINE__, track->cb_target_mask, track->cb_shader_mask, i); + return -EINVAL; + } + /* perform rewrite of CB_COLOR[0-7]_SIZE */ + r = r600_cs_track_validate_cb(p, i); + if (r) + return r; + } + } + /* Check depth buffer */ + if (G_028800_STENCIL_ENABLE(track->db_depth_control) || + G_028800_Z_ENABLE(track->db_depth_control)) { + u32 nviews, bpe, ntiles; + if (track->db_bo == NULL) { + dev_warn(p->dev, "z/stencil with no depth buffer\n"); + return -EINVAL; + } + if (G_028010_TILE_SURFACE_ENABLE(track->db_depth_info)) { + dev_warn(p->dev, "this kernel doesn't support z/stencil htile\n"); + return -EINVAL; + } + switch (G_028010_FORMAT(track->db_depth_info)) { + case V_028010_DEPTH_16: + bpe = 2; + break; + case V_028010_DEPTH_X8_24: + case V_028010_DEPTH_8_24: + case V_028010_DEPTH_X8_24_FLOAT: + case V_028010_DEPTH_8_24_FLOAT: + case V_028010_DEPTH_32_FLOAT: + bpe = 4; + break; + case V_028010_DEPTH_X24_8_32_FLOAT: + bpe = 8; + break; + default: + dev_warn(p->dev, "z/stencil with invalid format %d\n", G_028010_FORMAT(track->db_depth_info)); + return -EINVAL; + } + if ((track->db_depth_size & 0xFFFFFC00) == 0xFFFFFC00) { + if (!track->db_depth_size_idx) { + dev_warn(p->dev, "z/stencil buffer size not set\n"); + return -EINVAL; + } + printk_once(KERN_WARNING "You have old & broken userspace please consider updating mesa\n"); + tmp = radeon_bo_size(track->db_bo) - track->db_offset; + tmp = (tmp / bpe) >> 6; + if (!tmp) { + dev_warn(p->dev, "z/stencil buffer too small (0x%08X %d %d %ld)\n", + track->db_depth_size, bpe, track->db_offset, + radeon_bo_size(track->db_bo)); + return -EINVAL; + } + ib[track->db_depth_size_idx] = S_028000_SLICE_TILE_MAX(tmp - 1) | (track->db_depth_size & 0x3FF); + } else { + ntiles = G_028000_SLICE_TILE_MAX(track->db_depth_size) + 1; + nviews = G_028004_SLICE_MAX(track->db_depth_view) + 1; + tmp = ntiles * bpe * 64 * nviews; + if ((tmp + track->db_offset) > radeon_bo_size(track->db_bo)) { + dev_warn(p->dev, "z/stencil buffer too small (0x%08X %d %d %d -> %d have %ld)\n", + track->db_depth_size, ntiles, nviews, bpe, tmp + track->db_offset, + radeon_bo_size(track->db_bo)); + return -EINVAL; + } + } + } + return 0; +} + /** * r600_cs_packet_parse() - parse cp packet and point ib index to next packet * @parser: parser structure holding parsing context. @@ -359,6 +665,385 @@ static int r600_cs_parse_packet0(struct radeon_cs_parser *p, return 0; } +/** + * r600_cs_check_reg() - check if register is authorized or not + * @parser: parser structure holding parsing context + * @reg: register we are testing + * @idx: index into the cs buffer + * + * This function will test against r600_reg_safe_bm and return 0 + * if register is safe. If register is not flag as safe this function + * will test it against a list of register needind special handling. + */ +static inline int r600_cs_check_reg(struct radeon_cs_parser *p, u32 reg, u32 idx) +{ + struct r600_cs_track *track = (struct r600_cs_track *)p->track; + struct radeon_cs_reloc *reloc; + u32 last_reg = ARRAY_SIZE(r600_reg_safe_bm); + u32 m, i, tmp, *ib; + int r; + + i = (reg >> 7); + if (i > last_reg) { + dev_warn(p->dev, "forbidden register 0x%08x at %d\n", reg, idx); + return -EINVAL; + } + m = 1 << ((reg >> 2) & 31); + if (!(r600_reg_safe_bm[i] & m)) + return 0; + ib = p->ib->ptr; + switch (reg) { + /* force following reg to 0 in an attemp to disable out buffer + * which will need us to better understand how it works to perform + * security check on it (Jerome) + */ + case R_0288A8_SQ_ESGS_RING_ITEMSIZE: + case R_008C44_SQ_ESGS_RING_SIZE: + case R_0288B0_SQ_ESTMP_RING_ITEMSIZE: + case R_008C54_SQ_ESTMP_RING_SIZE: + case R_0288C0_SQ_FBUF_RING_ITEMSIZE: + case R_008C74_SQ_FBUF_RING_SIZE: + case R_0288B4_SQ_GSTMP_RING_ITEMSIZE: + case R_008C5C_SQ_GSTMP_RING_SIZE: + case R_0288AC_SQ_GSVS_RING_ITEMSIZE: + case R_008C4C_SQ_GSVS_RING_SIZE: + case R_0288BC_SQ_PSTMP_RING_ITEMSIZE: + case R_008C6C_SQ_PSTMP_RING_SIZE: + case R_0288C4_SQ_REDUC_RING_ITEMSIZE: + case R_008C7C_SQ_REDUC_RING_SIZE: + case R_0288B8_SQ_VSTMP_RING_ITEMSIZE: + case R_008C64_SQ_VSTMP_RING_SIZE: + case R_0288C8_SQ_GS_VERT_ITEMSIZE: + /* get value to populate the IB don't remove */ + tmp =radeon_get_ib_value(p, idx); + ib[idx] = 0; + break; + case SQ_CONFIG: + track->sq_config = radeon_get_ib_value(p, idx); + break; + case R_028800_DB_DEPTH_CONTROL: + track->db_depth_control = radeon_get_ib_value(p, idx); + break; + case R_028010_DB_DEPTH_INFO: + track->db_depth_info = radeon_get_ib_value(p, idx); + break; + case R_028004_DB_DEPTH_VIEW: + track->db_depth_view = radeon_get_ib_value(p, idx); + break; + case R_028000_DB_DEPTH_SIZE: + track->db_depth_size = radeon_get_ib_value(p, idx); + track->db_depth_size_idx = idx; + break; + case R_028AB0_VGT_STRMOUT_EN: + track->vgt_strmout_en = radeon_get_ib_value(p, idx); + break; + case R_028B20_VGT_STRMOUT_BUFFER_EN: + track->vgt_strmout_buffer_en = radeon_get_ib_value(p, idx); + break; + case R_028238_CB_TARGET_MASK: + track->cb_target_mask = radeon_get_ib_value(p, idx); + break; + case R_02823C_CB_SHADER_MASK: + track->cb_shader_mask = radeon_get_ib_value(p, idx); + break; + case R_028C04_PA_SC_AA_CONFIG: + tmp = G_028C04_MSAA_NUM_SAMPLES(radeon_get_ib_value(p, idx)); + track->nsamples = 1 << tmp; + break; + case R_0280A0_CB_COLOR0_INFO: + case R_0280A4_CB_COLOR1_INFO: + case R_0280A8_CB_COLOR2_INFO: + case R_0280AC_CB_COLOR3_INFO: + case R_0280B0_CB_COLOR4_INFO: + case R_0280B4_CB_COLOR5_INFO: + case R_0280B8_CB_COLOR6_INFO: + case R_0280BC_CB_COLOR7_INFO: + tmp = (reg - R_0280A0_CB_COLOR0_INFO) / 4; + track->cb_color_info[tmp] = radeon_get_ib_value(p, idx); + break; + case R_028060_CB_COLOR0_SIZE: + case R_028064_CB_COLOR1_SIZE: + case R_028068_CB_COLOR2_SIZE: + case R_02806C_CB_COLOR3_SIZE: + case R_028070_CB_COLOR4_SIZE: + case R_028074_CB_COLOR5_SIZE: + case R_028078_CB_COLOR6_SIZE: + case R_02807C_CB_COLOR7_SIZE: + tmp = (reg - R_028060_CB_COLOR0_SIZE) / 4; + track->cb_color_size[tmp] = radeon_get_ib_value(p, idx); + track->cb_color_size_idx[tmp] = idx; + break; + /* This register were added late, there is userspace + * which does provide relocation for those but set + * 0 offset. In order to avoid breaking old userspace + * we detect this and set address to point to last + * CB_COLOR0_BASE, note that if userspace doesn't set + * CB_COLOR0_BASE before this register we will report + * error. Old userspace always set CB_COLOR0_BASE + * before any of this. + */ + case R_0280E0_CB_COLOR0_FRAG: + case R_0280E4_CB_COLOR1_FRAG: + case R_0280E8_CB_COLOR2_FRAG: + case R_0280EC_CB_COLOR3_FRAG: + case R_0280F0_CB_COLOR4_FRAG: + case R_0280F4_CB_COLOR5_FRAG: + case R_0280F8_CB_COLOR6_FRAG: + case R_0280FC_CB_COLOR7_FRAG: + tmp = (reg - R_0280E0_CB_COLOR0_FRAG) / 4; + if (!r600_cs_packet_next_is_pkt3_nop(p)) { + if (!track->cb_color_base_last[tmp]) { + dev_err(p->dev, "Broken old userspace ? no cb_color0_base supplied before trying to write 0x%08X\n", reg); + return -EINVAL; + } + ib[idx] = track->cb_color_base_last[tmp]; + printk_once(KERN_WARNING "You have old & broken userspace " + "please consider updating mesa & xf86-video-ati\n"); + track->cb_color_frag_bo[tmp] = track->cb_color_bo[tmp]; + } else { + r = r600_cs_packet_next_reloc(p, &reloc); + if (r) { + dev_err(p->dev, "bad SET_CONTEXT_REG 0x%04X\n", reg); + return -EINVAL; + } + ib[idx] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); + track->cb_color_frag_bo[tmp] = reloc->robj; + } + break; + case R_0280C0_CB_COLOR0_TILE: + case R_0280C4_CB_COLOR1_TILE: + case R_0280C8_CB_COLOR2_TILE: + case R_0280CC_CB_COLOR3_TILE: + case R_0280D0_CB_COLOR4_TILE: + case R_0280D4_CB_COLOR5_TILE: + case R_0280D8_CB_COLOR6_TILE: + case R_0280DC_CB_COLOR7_TILE: + tmp = (reg - R_0280C0_CB_COLOR0_TILE) / 4; + if (!r600_cs_packet_next_is_pkt3_nop(p)) { + if (!track->cb_color_base_last[tmp]) { + dev_err(p->dev, "Broken old userspace ? no cb_color0_base supplied before trying to write 0x%08X\n", reg); + return -EINVAL; + } + ib[idx] = track->cb_color_base_last[tmp]; + printk_once(KERN_WARNING "You have old & broken userspace " + "please consider updating mesa & xf86-video-ati\n"); + track->cb_color_tile_bo[tmp] = track->cb_color_bo[tmp]; + } else { + r = r600_cs_packet_next_reloc(p, &reloc); + if (r) { + dev_err(p->dev, "bad SET_CONTEXT_REG 0x%04X\n", reg); + return -EINVAL; + } + ib[idx] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); + track->cb_color_tile_bo[tmp] = reloc->robj; + } + break; + case CB_COLOR0_BASE: + case CB_COLOR1_BASE: + case CB_COLOR2_BASE: + case CB_COLOR3_BASE: + case CB_COLOR4_BASE: + case CB_COLOR5_BASE: + case CB_COLOR6_BASE: + case CB_COLOR7_BASE: + r = r600_cs_packet_next_reloc(p, &reloc); + if (r) { + dev_warn(p->dev, "bad SET_CONTEXT_REG " + "0x%04X\n", reg); + return -EINVAL; + } + tmp = (reg - CB_COLOR0_BASE) / 4; + track->cb_color_bo_offset[tmp] = radeon_get_ib_value(p, idx); + ib[idx] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); + track->cb_color_base_last[tmp] = ib[idx]; + track->cb_color_bo[tmp] = reloc->robj; + break; + case DB_DEPTH_BASE: + r = r600_cs_packet_next_reloc(p, &reloc); + if (r) { + dev_warn(p->dev, "bad SET_CONTEXT_REG " + "0x%04X\n", reg); + return -EINVAL; + } + track->db_offset = radeon_get_ib_value(p, idx); + ib[idx] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); + track->db_bo = reloc->robj; + break; + case DB_HTILE_DATA_BASE: + case SQ_PGM_START_FS: + case SQ_PGM_START_ES: + case SQ_PGM_START_VS: + case SQ_PGM_START_GS: + case SQ_PGM_START_PS: + case SQ_ALU_CONST_CACHE_GS_0: + case SQ_ALU_CONST_CACHE_GS_1: + case SQ_ALU_CONST_CACHE_GS_2: + case SQ_ALU_CONST_CACHE_GS_3: + case SQ_ALU_CONST_CACHE_GS_4: + case SQ_ALU_CONST_CACHE_GS_5: + case SQ_ALU_CONST_CACHE_GS_6: + case SQ_ALU_CONST_CACHE_GS_7: + case SQ_ALU_CONST_CACHE_GS_8: + case SQ_ALU_CONST_CACHE_GS_9: + case SQ_ALU_CONST_CACHE_GS_10: + case SQ_ALU_CONST_CACHE_GS_11: + case SQ_ALU_CONST_CACHE_GS_12: + case SQ_ALU_CONST_CACHE_GS_13: + case SQ_ALU_CONST_CACHE_GS_14: + case SQ_ALU_CONST_CACHE_GS_15: + case SQ_ALU_CONST_CACHE_PS_0: + case SQ_ALU_CONST_CACHE_PS_1: + case SQ_ALU_CONST_CACHE_PS_2: + case SQ_ALU_CONST_CACHE_PS_3: + case SQ_ALU_CONST_CACHE_PS_4: + case SQ_ALU_CONST_CACHE_PS_5: + case SQ_ALU_CONST_CACHE_PS_6: + case SQ_ALU_CONST_CACHE_PS_7: + case SQ_ALU_CONST_CACHE_PS_8: + case SQ_ALU_CONST_CACHE_PS_9: + case SQ_ALU_CONST_CACHE_PS_10: + case SQ_ALU_CONST_CACHE_PS_11: + case SQ_ALU_CONST_CACHE_PS_12: + case SQ_ALU_CONST_CACHE_PS_13: + case SQ_ALU_CONST_CACHE_PS_14: + case SQ_ALU_CONST_CACHE_PS_15: + case SQ_ALU_CONST_CACHE_VS_0: + case SQ_ALU_CONST_CACHE_VS_1: + case SQ_ALU_CONST_CACHE_VS_2: + case SQ_ALU_CONST_CACHE_VS_3: + case SQ_ALU_CONST_CACHE_VS_4: + case SQ_ALU_CONST_CACHE_VS_5: + case SQ_ALU_CONST_CACHE_VS_6: + case SQ_ALU_CONST_CACHE_VS_7: + case SQ_ALU_CONST_CACHE_VS_8: + case SQ_ALU_CONST_CACHE_VS_9: + case SQ_ALU_CONST_CACHE_VS_10: + case SQ_ALU_CONST_CACHE_VS_11: + case SQ_ALU_CONST_CACHE_VS_12: + case SQ_ALU_CONST_CACHE_VS_13: + case SQ_ALU_CONST_CACHE_VS_14: + case SQ_ALU_CONST_CACHE_VS_15: + r = r600_cs_packet_next_reloc(p, &reloc); + if (r) { + dev_warn(p->dev, "bad SET_CONTEXT_REG " + "0x%04X\n", reg); + return -EINVAL; + } + ib[idx] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); + break; + default: + dev_warn(p->dev, "forbidden register 0x%08x at %d\n", reg, idx); + return -EINVAL; + } + return 0; +} + +static inline unsigned minify(unsigned size, unsigned levels) +{ + size = size >> levels; + if (size < 1) + size = 1; + return size; +} + +static void r600_texture_size(unsigned nfaces, unsigned blevel, unsigned nlevels, + unsigned w0, unsigned h0, unsigned d0, unsigned bpe, + unsigned *l0_size, unsigned *mipmap_size) +{ + unsigned offset, i, level, face; + unsigned width, height, depth, rowstride, size; + + w0 = minify(w0, 0); + h0 = minify(h0, 0); + d0 = minify(d0, 0); + for(i = 0, offset = 0, level = blevel; i < nlevels; i++, level++) { + width = minify(w0, i); + height = minify(h0, i); + depth = minify(d0, i); + for(face = 0; face < nfaces; face++) { + rowstride = ((width * bpe) + 255) & ~255; + size = height * rowstride * depth; + offset += size; + offset = (offset + 0x1f) & ~0x1f; + } + } + *l0_size = (((w0 * bpe) + 255) & ~255) * h0 * d0; + *mipmap_size = offset; + if (!blevel) + *mipmap_size -= *l0_size; + if (!nlevels) + *mipmap_size = *l0_size; +} + +/** + * r600_check_texture_resource() - check if register is authorized or not + * @p: parser structure holding parsing context + * @idx: index into the cs buffer + * @texture: texture's bo structure + * @mipmap: mipmap's bo structure + * + * This function will check that the resource has valid field and that + * the texture and mipmap bo object are big enough to cover this resource. + */ +static inline int r600_check_texture_resource(struct radeon_cs_parser *p, u32 idx, + struct radeon_bo *texture, + struct radeon_bo *mipmap) +{ + u32 nfaces, nlevels, blevel, w0, h0, d0, bpe = 0; + u32 word0, word1, l0_size, mipmap_size; + + /* on legacy kernel we don't perform advanced check */ + if (p->rdev == NULL) + return 0; + word0 = radeon_get_ib_value(p, idx + 0); + word1 = radeon_get_ib_value(p, idx + 1); + w0 = G_038000_TEX_WIDTH(word0) + 1; + h0 = G_038004_TEX_HEIGHT(word1) + 1; + d0 = G_038004_TEX_DEPTH(word1); + nfaces = 1; + switch (G_038000_DIM(word0)) { + case V_038000_SQ_TEX_DIM_1D: + case V_038000_SQ_TEX_DIM_2D: + case V_038000_SQ_TEX_DIM_3D: + break; + case V_038000_SQ_TEX_DIM_CUBEMAP: + nfaces = 6; + break; + case V_038000_SQ_TEX_DIM_1D_ARRAY: + case V_038000_SQ_TEX_DIM_2D_ARRAY: + case V_038000_SQ_TEX_DIM_2D_MSAA: + case V_038000_SQ_TEX_DIM_2D_ARRAY_MSAA: + default: + dev_warn(p->dev, "this kernel doesn't support %d texture dim\n", G_038000_DIM(word0)); + return -EINVAL; + } + if (r600_bpe_from_format(&bpe, G_038004_DATA_FORMAT(word1))) { + dev_warn(p->dev, "%s:%d texture invalid format %d\n", + __func__, __LINE__, G_038004_DATA_FORMAT(word1)); + return -EINVAL; + } + word0 = radeon_get_ib_value(p, idx + 4); + word1 = radeon_get_ib_value(p, idx + 5); + blevel = G_038010_BASE_LEVEL(word0); + nlevels = G_038014_LAST_LEVEL(word1); + r600_texture_size(nfaces, blevel, nlevels, w0, h0, d0, bpe, &l0_size, &mipmap_size); + /* using get ib will give us the offset into the texture bo */ + word0 = radeon_get_ib_value(p, idx + 2); + if ((l0_size + word0) > radeon_bo_size(texture)) { + dev_warn(p->dev, "texture bo too small (%d %d %d %d -> %d have %ld)\n", + w0, h0, bpe, word0, l0_size, radeon_bo_size(texture)); + return -EINVAL; + } + /* using get ib will give us the offset into the mipmap bo */ + word0 = radeon_get_ib_value(p, idx + 3); + if ((mipmap_size + word0) > radeon_bo_size(mipmap)) { + dev_warn(p->dev, "mipmap bo too small (%d %d %d %d %d %d -> %d have %ld)\n", + w0, h0, bpe, blevel, nlevels, word0, mipmap_size, radeon_bo_size(texture)); + return -EINVAL; + } + return 0; +} + static int r600_packet3_check(struct radeon_cs_parser *p, struct radeon_cs_packet *pkt) { @@ -408,12 +1093,22 @@ static int r600_packet3_check(struct radeon_cs_parser *p, } ib[idx+0] = idx_value + (u32)(reloc->lobj.gpu_offset & 0xffffffff); ib[idx+1] += upper_32_bits(reloc->lobj.gpu_offset) & 0xff; + r = r600_cs_track_check(p); + if (r) { + dev_warn(p->dev, "%s:%d invalid cmd stream\n", __func__, __LINE__); + return r; + } break; case PACKET3_DRAW_INDEX_AUTO: if (pkt->count != 1) { DRM_ERROR("bad DRAW_INDEX_AUTO\n"); return -EINVAL; } + r = r600_cs_track_check(p); + if (r) { + dev_warn(p->dev, "%s:%d invalid cmd stream %d\n", __func__, __LINE__, idx); + return r; + } break; case PACKET3_DRAW_INDEX_IMMD_BE: case PACKET3_DRAW_INDEX_IMMD: @@ -421,6 +1116,11 @@ static int r600_packet3_check(struct radeon_cs_parser *p, DRM_ERROR("bad DRAW_INDEX_IMMD\n"); return -EINVAL; } + r = r600_cs_track_check(p); + if (r) { + dev_warn(p->dev, "%s:%d invalid cmd stream\n", __func__, __LINE__); + return r; + } break; case PACKET3_WAIT_REG_MEM: if (pkt->count != 5) { @@ -493,30 +1193,9 @@ static int r600_packet3_check(struct radeon_cs_parser *p, } for (i = 0; i < pkt->count; i++) { reg = start_reg + (4 * i); - switch (reg) { - case SQ_ESGS_RING_BASE: - case SQ_GSVS_RING_BASE: - case SQ_ESTMP_RING_BASE: - case SQ_GSTMP_RING_BASE: - case SQ_VSTMP_RING_BASE: - case SQ_PSTMP_RING_BASE: - case SQ_FBUF_RING_BASE: - case SQ_REDUC_RING_BASE: - case SX_MEMORY_EXPORT_BASE: - r = r600_cs_packet_next_reloc(p, &reloc); - if (r) { - DRM_ERROR("bad SET_CONFIG_REG " - "0x%04X\n", reg); - return -EINVAL; - } - ib[idx+1+i] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); - break; - case CP_COHER_BASE: - /* use PACKET3_SURFACE_SYNC */ - return -EINVAL; - default: - break; - } + r = r600_cs_check_reg(p, reg, idx+1+i); + if (r) + return r; } break; case PACKET3_SET_CONTEXT_REG: @@ -530,106 +1209,9 @@ static int r600_packet3_check(struct radeon_cs_parser *p, } for (i = 0; i < pkt->count; i++) { reg = start_reg + (4 * i); - switch (reg) { - /* This register were added late, there is userspace - * which does provide relocation for those but set - * 0 offset. In order to avoid breaking old userspace - * we detect this and set address to point to last - * CB_COLOR0_BASE, note that if userspace doesn't set - * CB_COLOR0_BASE before this register we will report - * error. Old userspace always set CB_COLOR0_BASE - * before any of this. - */ - case R_0280E0_CB_COLOR0_FRAG: - case R_0280E4_CB_COLOR1_FRAG: - case R_0280E8_CB_COLOR2_FRAG: - case R_0280EC_CB_COLOR3_FRAG: - case R_0280F0_CB_COLOR4_FRAG: - case R_0280F4_CB_COLOR5_FRAG: - case R_0280F8_CB_COLOR6_FRAG: - case R_0280FC_CB_COLOR7_FRAG: - case R_0280C0_CB_COLOR0_TILE: - case R_0280C4_CB_COLOR1_TILE: - case R_0280C8_CB_COLOR2_TILE: - case R_0280CC_CB_COLOR3_TILE: - case R_0280D0_CB_COLOR4_TILE: - case R_0280D4_CB_COLOR5_TILE: - case R_0280D8_CB_COLOR6_TILE: - case R_0280DC_CB_COLOR7_TILE: - if (!r600_cs_packet_next_is_pkt3_nop(p)) { - if (!track->cb_color0_base_last) { - dev_err(p->dev, "Broken old userspace ? no cb_color0_base supplied before trying to write 0x%08X\n", reg); - return -EINVAL; - } - ib[idx+1+i] = track->cb_color0_base_last; - printk_once(KERN_WARNING "radeon: You have old & broken userspace " - "please consider updating mesa & xf86-video-ati\n"); - } else { - r = r600_cs_packet_next_reloc(p, &reloc); - if (r) { - dev_err(p->dev, "bad SET_CONTEXT_REG 0x%04X\n", reg); - return -EINVAL; - } - ib[idx+1+i] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); - } - break; - case DB_DEPTH_BASE: - case DB_HTILE_DATA_BASE: - case CB_COLOR0_BASE: - r = r600_cs_packet_next_reloc(p, &reloc); - if (r) { - DRM_ERROR("bad SET_CONTEXT_REG " - "0x%04X\n", reg); - return -EINVAL; - } - ib[idx+1+i] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); - track->cb_color0_base_last = ib[idx+1+i]; - break; - case CB_COLOR1_BASE: - case CB_COLOR2_BASE: - case CB_COLOR3_BASE: - case CB_COLOR4_BASE: - case CB_COLOR5_BASE: - case CB_COLOR6_BASE: - case CB_COLOR7_BASE: - case SQ_PGM_START_FS: - case SQ_PGM_START_ES: - case SQ_PGM_START_VS: - case SQ_PGM_START_GS: - case SQ_PGM_START_PS: - r = r600_cs_packet_next_reloc(p, &reloc); - if (r) { - DRM_ERROR("bad SET_CONTEXT_REG " - "0x%04X\n", reg); - return -EINVAL; - } - ib[idx+1+i] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); - break; - case VGT_DMA_BASE: - case VGT_DMA_BASE_HI: - /* These should be handled by DRAW_INDEX packet 3 */ - case VGT_STRMOUT_BASE_OFFSET_0: - case VGT_STRMOUT_BASE_OFFSET_1: - case VGT_STRMOUT_BASE_OFFSET_2: - case VGT_STRMOUT_BASE_OFFSET_3: - case VGT_STRMOUT_BASE_OFFSET_HI_0: - case VGT_STRMOUT_BASE_OFFSET_HI_1: - case VGT_STRMOUT_BASE_OFFSET_HI_2: - case VGT_STRMOUT_BASE_OFFSET_HI_3: - case VGT_STRMOUT_BUFFER_BASE_0: - case VGT_STRMOUT_BUFFER_BASE_1: - case VGT_STRMOUT_BUFFER_BASE_2: - case VGT_STRMOUT_BUFFER_BASE_3: - case VGT_STRMOUT_BUFFER_OFFSET_0: - case VGT_STRMOUT_BUFFER_OFFSET_1: - case VGT_STRMOUT_BUFFER_OFFSET_2: - case VGT_STRMOUT_BUFFER_OFFSET_3: - /* These should be handled by STRMOUT_BUFFER packet 3 */ - DRM_ERROR("bad context reg: 0x%08x\n", reg); - return -EINVAL; - default: - break; - } + r = r600_cs_check_reg(p, reg, idx+1+i); + if (r) + return r; } break; case PACKET3_SET_RESOURCE: @@ -646,6 +1228,9 @@ static int r600_packet3_check(struct radeon_cs_parser *p, return -EINVAL; } for (i = 0; i < (pkt->count / 7); i++) { + struct radeon_bo *texture, *mipmap; + u32 size, offset; + switch (G__SQ_VTX_CONSTANT_TYPE(radeon_get_ib_value(p, idx+(i*7)+6+1))) { case SQ_TEX_VTX_VALID_TEXTURE: /* tex base */ @@ -655,6 +1240,7 @@ static int r600_packet3_check(struct radeon_cs_parser *p, return -EINVAL; } ib[idx+1+(i*7)+2] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); + texture = reloc->robj; /* tex mip base */ r = r600_cs_packet_next_reloc(p, &reloc); if (r) { @@ -662,6 +1248,11 @@ static int r600_packet3_check(struct radeon_cs_parser *p, return -EINVAL; } ib[idx+1+(i*7)+3] += (u32)((reloc->lobj.gpu_offset >> 8) & 0xffffffff); + mipmap = reloc->robj; + r = r600_check_texture_resource(p, idx+(i*7)+1, + texture, mipmap); + if (r) + return r; break; case SQ_TEX_VTX_VALID_BUFFER: /* vtx base */ @@ -670,6 +1261,13 @@ static int r600_packet3_check(struct radeon_cs_parser *p, DRM_ERROR("bad SET_RESOURCE\n"); return -EINVAL; } + offset = radeon_get_ib_value(p, idx+1+(i*7)+0); + size = radeon_get_ib_value(p, idx+1+(i*7)+1); + if (p->rdev && (size + offset) > radeon_bo_size(reloc->robj)) { + /* force size to size of the buffer */ + dev_warn(p->dev, "vbo resource seems too big for the bo\n"); + ib[idx+1+(i*7)+1] = radeon_bo_size(reloc->robj); + } ib[idx+1+(i*7)+0] += (u32)((reloc->lobj.gpu_offset) & 0xffffffff); ib[idx+1+(i*7)+2] += upper_32_bits(reloc->lobj.gpu_offset) & 0xff; break; @@ -682,13 +1280,15 @@ static int r600_packet3_check(struct radeon_cs_parser *p, } break; case PACKET3_SET_ALU_CONST: - start_reg = (idx_value << 2) + PACKET3_SET_ALU_CONST_OFFSET; - end_reg = 4 * pkt->count + start_reg - 4; - if ((start_reg < PACKET3_SET_ALU_CONST_OFFSET) || - (start_reg >= PACKET3_SET_ALU_CONST_END) || - (end_reg >= PACKET3_SET_ALU_CONST_END)) { - DRM_ERROR("bad SET_ALU_CONST\n"); - return -EINVAL; + if (track->sq_config & DX9_CONSTS) { + start_reg = (idx_value << 2) + PACKET3_SET_ALU_CONST_OFFSET; + end_reg = 4 * pkt->count + start_reg - 4; + if ((start_reg < PACKET3_SET_ALU_CONST_OFFSET) || + (start_reg >= PACKET3_SET_ALU_CONST_END) || + (end_reg >= PACKET3_SET_ALU_CONST_END)) { + DRM_ERROR("bad SET_ALU_CONST\n"); + return -EINVAL; + } } break; case PACKET3_SET_BOOL_CONST: @@ -760,11 +1360,28 @@ int r600_cs_parse(struct radeon_cs_parser *p) struct r600_cs_track *track; int r; - track = kzalloc(sizeof(*track), GFP_KERNEL); - p->track = track; + if (p->track == NULL) { + /* initialize tracker, we are in kms */ + track = kzalloc(sizeof(*track), GFP_KERNEL); + if (track == NULL) + return -ENOMEM; + r600_cs_track_init(track); + if (p->rdev->family < CHIP_RV770) { + track->npipes = p->rdev->config.r600.tiling_npipes; + track->nbanks = p->rdev->config.r600.tiling_nbanks; + track->group_size = p->rdev->config.r600.tiling_group_size; + } else if (p->rdev->family <= CHIP_RV740) { + track->npipes = p->rdev->config.rv770.tiling_npipes; + track->nbanks = p->rdev->config.rv770.tiling_nbanks; + track->group_size = p->rdev->config.rv770.tiling_group_size; + } + p->track = track; + } do { r = r600_cs_packet_parse(p, &pkt, p->idx); if (r) { + kfree(p->track); + p->track = NULL; return r; } p->idx += pkt.count + 2; @@ -779,9 +1396,13 @@ int r600_cs_parse(struct radeon_cs_parser *p) break; default: DRM_ERROR("Unknown packet type %d !\n", pkt.type); + kfree(p->track); + p->track = NULL; return -EINVAL; } if (r) { + kfree(p->track); + p->track = NULL; return r; } } while (p->idx < p->chunks[p->chunk_ib_idx].length_dw); @@ -791,6 +1412,8 @@ int r600_cs_parse(struct radeon_cs_parser *p) mdelay(1); } #endif + kfree(p->track); + p->track = NULL; return 0; } @@ -833,9 +1456,16 @@ int r600_cs_legacy(struct drm_device *dev, void *data, struct drm_file *filp, { struct radeon_cs_parser parser; struct radeon_cs_chunk *ib_chunk; - struct radeon_ib fake_ib; + struct radeon_ib fake_ib; + struct r600_cs_track *track; int r; + /* initialize tracker */ + track = kzalloc(sizeof(*track), GFP_KERNEL); + if (track == NULL) + return -ENOMEM; + r600_cs_track_init(track); + r600_cs_legacy_get_tiling_conf(dev, &track->npipes, &track->nbanks, &track->group_size); /* initialize parser */ memset(&parser, 0, sizeof(struct radeon_cs_parser)); parser.filp = filp; @@ -843,6 +1473,7 @@ int r600_cs_legacy(struct drm_device *dev, void *data, struct drm_file *filp, parser.rdev = NULL; parser.family = family; parser.ib = &fake_ib; + parser.track = track; fake_ib.ptr = ib; r = radeon_cs_parser_init(&parser, data); if (r) { |