1 /*
2 * Copyright © 2014 Broadcom
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
13 * Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21 * IN THE SOFTWARE.
22 */
23
24 /**
25 * DOC: Command list validator for VC4.
26 *
27 * Since the VC4 has no IOMMU between it and system memory, a user
28 * with access to execute command lists could escalate privilege by
29 * overwriting system memory (drawing to it as a framebuffer) or
30 * reading system memory it shouldn't (reading it as a vertex buffer
31 * or index buffer)
32 *
33 * We validate binner command lists to ensure that all accesses are
34 * within the bounds of the GEM objects referenced by the submitted
35 * job. It explicitly whitelists packets, and looks at the offsets in
36 * any address fields to make sure they're contained within the BOs
37 * they reference.
38 *
39 * Note that because CL validation is already reading the
40 * user-submitted CL and writing the validated copy out to the memory
41 * that the GPU will actually read, this is also where GEM relocation
42 * processing (turning BO references into actual addresses for the GPU
43 * to use) happens.
44 */
45
46 #include "uapi/drm/vc4_drm.h"
47 #include "vc4_drv.h"
48 #include "vc4_packet.h"
49
50 #define VALIDATE_ARGS \
51 struct vc4_exec_info *exec, \
52 void *validated, \
53 void *untrusted
54
55 /** Return the width in pixels of a 64-byte microtile. */
56 static uint32_t
utile_width(int cpp)57 utile_width(int cpp)
58 {
59 switch (cpp) {
60 case 1:
61 case 2:
62 return 8;
63 case 4:
64 return 4;
65 case 8:
66 return 2;
67 default:
68 DRM_ERROR("unknown cpp: %d\n", cpp);
69 return 1;
70 }
71 }
72
73 /** Return the height in pixels of a 64-byte microtile. */
74 static uint32_t
utile_height(int cpp)75 utile_height(int cpp)
76 {
77 switch (cpp) {
78 case 1:
79 return 8;
80 case 2:
81 case 4:
82 case 8:
83 return 4;
84 default:
85 DRM_ERROR("unknown cpp: %d\n", cpp);
86 return 1;
87 }
88 }
89
90 /**
91 * size_is_lt() - Returns whether a miplevel of the given size will
92 * use the lineartile (LT) tiling layout rather than the normal T
93 * tiling layout.
94 * @width: Width in pixels of the miplevel
95 * @height: Height in pixels of the miplevel
96 * @cpp: Bytes per pixel of the pixel format
97 */
98 static bool
size_is_lt(uint32_t width,uint32_t height,int cpp)99 size_is_lt(uint32_t width, uint32_t height, int cpp)
100 {
101 return (width <= 4 * utile_width(cpp) ||
102 height <= 4 * utile_height(cpp));
103 }
104
105 struct drm_gem_cma_object *
vc4_use_bo(struct vc4_exec_info * exec,uint32_t hindex)106 vc4_use_bo(struct vc4_exec_info *exec, uint32_t hindex)
107 {
108 struct drm_gem_cma_object *obj;
109 struct vc4_bo *bo;
110
111 if (hindex >= exec->bo_count) {
112 DRM_DEBUG("BO index %d greater than BO count %d\n",
113 hindex, exec->bo_count);
114 return NULL;
115 }
116 obj = exec->bo[hindex];
117 bo = to_vc4_bo(&obj->base);
118
119 if (bo->validated_shader) {
120 DRM_DEBUG("Trying to use shader BO as something other than "
121 "a shader\n");
122 return NULL;
123 }
124
125 return obj;
126 }
127
128 static struct drm_gem_cma_object *
vc4_use_handle(struct vc4_exec_info * exec,uint32_t gem_handles_packet_index)129 vc4_use_handle(struct vc4_exec_info *exec, uint32_t gem_handles_packet_index)
130 {
131 return vc4_use_bo(exec, exec->bo_index[gem_handles_packet_index]);
132 }
133
134 static bool
validate_bin_pos(struct vc4_exec_info * exec,void * untrusted,uint32_t pos)135 validate_bin_pos(struct vc4_exec_info *exec, void *untrusted, uint32_t pos)
136 {
137 /* Note that the untrusted pointer passed to these functions is
138 * incremented past the packet byte.
139 */
140 return (untrusted - 1 == exec->bin_u + pos);
141 }
142
143 static uint32_t
gl_shader_rec_size(uint32_t pointer_bits)144 gl_shader_rec_size(uint32_t pointer_bits)
145 {
146 uint32_t attribute_count = pointer_bits & 7;
147 bool extended = pointer_bits & 8;
148
149 if (attribute_count == 0)
150 attribute_count = 8;
151
152 if (extended)
153 return 100 + attribute_count * 4;
154 else
155 return 36 + attribute_count * 8;
156 }
157
158 bool
vc4_check_tex_size(struct vc4_exec_info * exec,struct drm_gem_cma_object * fbo,uint32_t offset,uint8_t tiling_format,uint32_t width,uint32_t height,uint8_t cpp)159 vc4_check_tex_size(struct vc4_exec_info *exec, struct drm_gem_cma_object *fbo,
160 uint32_t offset, uint8_t tiling_format,
161 uint32_t width, uint32_t height, uint8_t cpp)
162 {
163 uint32_t aligned_width, aligned_height, stride, size;
164 uint32_t utile_w = utile_width(cpp);
165 uint32_t utile_h = utile_height(cpp);
166
167 /* The shaded vertex format stores signed 12.4 fixed point
168 * (-2048,2047) offsets from the viewport center, so we should
169 * never have a render target larger than 4096. The texture
170 * unit can only sample from 2048x2048, so it's even more
171 * restricted. This lets us avoid worrying about overflow in
172 * our math.
173 */
174 if (width > 4096 || height > 4096) {
175 DRM_DEBUG("Surface dimensions (%d,%d) too large",
176 width, height);
177 return false;
178 }
179
180 switch (tiling_format) {
181 case VC4_TILING_FORMAT_LINEAR:
182 aligned_width = round_up(width, utile_w);
183 aligned_height = height;
184 break;
185 case VC4_TILING_FORMAT_T:
186 aligned_width = round_up(width, utile_w * 8);
187 aligned_height = round_up(height, utile_h * 8);
188 break;
189 case VC4_TILING_FORMAT_LT:
190 aligned_width = round_up(width, utile_w);
191 aligned_height = round_up(height, utile_h);
192 break;
193 default:
194 DRM_DEBUG("buffer tiling %d unsupported\n", tiling_format);
195 return false;
196 }
197
198 stride = aligned_width * cpp;
199 size = stride * aligned_height;
200
201 if (size + offset < size ||
202 size + offset > fbo->base.size) {
203 DRM_DEBUG("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %zd)\n",
204 width, height,
205 aligned_width, aligned_height,
206 size, offset, fbo->base.size);
207 return false;
208 }
209
210 return true;
211 }
212
213 static int
validate_flush(VALIDATE_ARGS)214 validate_flush(VALIDATE_ARGS)
215 {
216 if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 1)) {
217 DRM_DEBUG("Bin CL must end with VC4_PACKET_FLUSH\n");
218 return -EINVAL;
219 }
220 exec->found_flush = true;
221
222 return 0;
223 }
224
225 static int
validate_start_tile_binning(VALIDATE_ARGS)226 validate_start_tile_binning(VALIDATE_ARGS)
227 {
228 if (exec->found_start_tile_binning_packet) {
229 DRM_DEBUG("Duplicate VC4_PACKET_START_TILE_BINNING\n");
230 return -EINVAL;
231 }
232 exec->found_start_tile_binning_packet = true;
233
234 if (!exec->found_tile_binning_mode_config_packet) {
235 DRM_DEBUG("missing VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
236 return -EINVAL;
237 }
238
239 return 0;
240 }
241
242 static int
validate_increment_semaphore(VALIDATE_ARGS)243 validate_increment_semaphore(VALIDATE_ARGS)
244 {
245 if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 2)) {
246 DRM_DEBUG("Bin CL must end with "
247 "VC4_PACKET_INCREMENT_SEMAPHORE\n");
248 return -EINVAL;
249 }
250 exec->found_increment_semaphore_packet = true;
251
252 return 0;
253 }
254
255 static int
validate_indexed_prim_list(VALIDATE_ARGS)256 validate_indexed_prim_list(VALIDATE_ARGS)
257 {
258 struct drm_gem_cma_object *ib;
259 uint32_t length = *(uint32_t *)(untrusted + 1);
260 uint32_t offset = *(uint32_t *)(untrusted + 5);
261 uint32_t max_index = *(uint32_t *)(untrusted + 9);
262 uint32_t index_size = (*(uint8_t *)(untrusted + 0) >> 4) ? 2 : 1;
263 struct vc4_shader_state *shader_state;
264
265 /* Check overflow condition */
266 if (exec->shader_state_count == 0) {
267 DRM_DEBUG("shader state must precede primitives\n");
268 return -EINVAL;
269 }
270 shader_state = &exec->shader_state[exec->shader_state_count - 1];
271
272 if (max_index > shader_state->max_index)
273 shader_state->max_index = max_index;
274
275 ib = vc4_use_handle(exec, 0);
276 if (!ib)
277 return -EINVAL;
278
279 exec->bin_dep_seqno = max(exec->bin_dep_seqno,
280 to_vc4_bo(&ib->base)->write_seqno);
281
282 if (offset > ib->base.size ||
283 (ib->base.size - offset) / index_size < length) {
284 DRM_DEBUG("IB access overflow (%d + %d*%d > %zd)\n",
285 offset, length, index_size, ib->base.size);
286 return -EINVAL;
287 }
288
289 *(uint32_t *)(validated + 5) = ib->paddr + offset;
290
291 return 0;
292 }
293
294 static int
validate_gl_array_primitive(VALIDATE_ARGS)295 validate_gl_array_primitive(VALIDATE_ARGS)
296 {
297 uint32_t length = *(uint32_t *)(untrusted + 1);
298 uint32_t base_index = *(uint32_t *)(untrusted + 5);
299 uint32_t max_index;
300 struct vc4_shader_state *shader_state;
301
302 /* Check overflow condition */
303 if (exec->shader_state_count == 0) {
304 DRM_DEBUG("shader state must precede primitives\n");
305 return -EINVAL;
306 }
307 shader_state = &exec->shader_state[exec->shader_state_count - 1];
308
309 if (length + base_index < length) {
310 DRM_DEBUG("primitive vertex count overflow\n");
311 return -EINVAL;
312 }
313 max_index = length + base_index - 1;
314
315 if (max_index > shader_state->max_index)
316 shader_state->max_index = max_index;
317
318 return 0;
319 }
320
321 static int
validate_gl_shader_state(VALIDATE_ARGS)322 validate_gl_shader_state(VALIDATE_ARGS)
323 {
324 uint32_t i = exec->shader_state_count++;
325
326 if (i >= exec->shader_state_size) {
327 DRM_DEBUG("More requests for shader states than declared\n");
328 return -EINVAL;
329 }
330
331 exec->shader_state[i].addr = *(uint32_t *)untrusted;
332 exec->shader_state[i].max_index = 0;
333
334 if (exec->shader_state[i].addr & ~0xf) {
335 DRM_DEBUG("high bits set in GL shader rec reference\n");
336 return -EINVAL;
337 }
338
339 *(uint32_t *)validated = (exec->shader_rec_p +
340 exec->shader_state[i].addr);
341
342 exec->shader_rec_p +=
343 roundup(gl_shader_rec_size(exec->shader_state[i].addr), 16);
344
345 return 0;
346 }
347
348 static int
validate_tile_binning_config(VALIDATE_ARGS)349 validate_tile_binning_config(VALIDATE_ARGS)
350 {
351 struct drm_device *dev = exec->exec_bo->base.dev;
352 struct vc4_dev *vc4 = to_vc4_dev(dev);
353 uint8_t flags;
354 uint32_t tile_state_size;
355 uint32_t tile_count, bin_addr;
356 int bin_slot;
357
358 if (exec->found_tile_binning_mode_config_packet) {
359 DRM_DEBUG("Duplicate VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
360 return -EINVAL;
361 }
362 exec->found_tile_binning_mode_config_packet = true;
363
364 exec->bin_tiles_x = *(uint8_t *)(untrusted + 12);
365 exec->bin_tiles_y = *(uint8_t *)(untrusted + 13);
366 tile_count = exec->bin_tiles_x * exec->bin_tiles_y;
367 flags = *(uint8_t *)(untrusted + 14);
368
369 if (exec->bin_tiles_x == 0 ||
370 exec->bin_tiles_y == 0) {
371 DRM_DEBUG("Tile binning config of %dx%d too small\n",
372 exec->bin_tiles_x, exec->bin_tiles_y);
373 return -EINVAL;
374 }
375
376 if (flags & (VC4_BIN_CONFIG_DB_NON_MS |
377 VC4_BIN_CONFIG_TILE_BUFFER_64BIT)) {
378 DRM_DEBUG("unsupported binning config flags 0x%02x\n", flags);
379 return -EINVAL;
380 }
381
382 bin_slot = vc4_v3d_get_bin_slot(vc4);
383 if (bin_slot < 0) {
384 if (bin_slot != -EINTR && bin_slot != -ERESTARTSYS) {
385 DRM_ERROR("Failed to allocate binner memory: %d\n",
386 bin_slot);
387 }
388 return bin_slot;
389 }
390
391 /* The slot we allocated will only be used by this job, and is
392 * free when the job completes rendering.
393 */
394 exec->bin_slots |= BIT(bin_slot);
395 bin_addr = vc4->bin_bo->base.paddr + bin_slot * vc4->bin_alloc_size;
396
397 /* The tile state data array is 48 bytes per tile, and we put it at
398 * the start of a BO containing both it and the tile alloc.
399 */
400 tile_state_size = 48 * tile_count;
401
402 /* Since the tile alloc array will follow us, align. */
403 exec->tile_alloc_offset = bin_addr + roundup(tile_state_size, 4096);
404
405 *(uint8_t *)(validated + 14) =
406 ((flags & ~(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_MASK |
407 VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_MASK)) |
408 VC4_BIN_CONFIG_AUTO_INIT_TSDA |
409 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_32,
410 VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE) |
411 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_128,
412 VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE));
413
414 /* tile alloc address. */
415 *(uint32_t *)(validated + 0) = exec->tile_alloc_offset;
416 /* tile alloc size. */
417 *(uint32_t *)(validated + 4) = (bin_addr + vc4->bin_alloc_size -
418 exec->tile_alloc_offset);
419 /* tile state address. */
420 *(uint32_t *)(validated + 8) = bin_addr;
421
422 return 0;
423 }
424
425 static int
validate_gem_handles(VALIDATE_ARGS)426 validate_gem_handles(VALIDATE_ARGS)
427 {
428 memcpy(exec->bo_index, untrusted, sizeof(exec->bo_index));
429 return 0;
430 }
431
432 #define VC4_DEFINE_PACKET(packet, func) \
433 [packet] = { packet ## _SIZE, #packet, func }
434
435 static const struct cmd_info {
436 uint16_t len;
437 const char *name;
438 int (*func)(struct vc4_exec_info *exec, void *validated,
439 void *untrusted);
440 } cmd_info[] = {
441 VC4_DEFINE_PACKET(VC4_PACKET_HALT, NULL),
442 VC4_DEFINE_PACKET(VC4_PACKET_NOP, NULL),
443 VC4_DEFINE_PACKET(VC4_PACKET_FLUSH, validate_flush),
444 VC4_DEFINE_PACKET(VC4_PACKET_FLUSH_ALL, NULL),
445 VC4_DEFINE_PACKET(VC4_PACKET_START_TILE_BINNING,
446 validate_start_tile_binning),
447 VC4_DEFINE_PACKET(VC4_PACKET_INCREMENT_SEMAPHORE,
448 validate_increment_semaphore),
449
450 VC4_DEFINE_PACKET(VC4_PACKET_GL_INDEXED_PRIMITIVE,
451 validate_indexed_prim_list),
452 VC4_DEFINE_PACKET(VC4_PACKET_GL_ARRAY_PRIMITIVE,
453 validate_gl_array_primitive),
454
455 VC4_DEFINE_PACKET(VC4_PACKET_PRIMITIVE_LIST_FORMAT, NULL),
456
457 VC4_DEFINE_PACKET(VC4_PACKET_GL_SHADER_STATE, validate_gl_shader_state),
458
459 VC4_DEFINE_PACKET(VC4_PACKET_CONFIGURATION_BITS, NULL),
460 VC4_DEFINE_PACKET(VC4_PACKET_FLAT_SHADE_FLAGS, NULL),
461 VC4_DEFINE_PACKET(VC4_PACKET_POINT_SIZE, NULL),
462 VC4_DEFINE_PACKET(VC4_PACKET_LINE_WIDTH, NULL),
463 VC4_DEFINE_PACKET(VC4_PACKET_RHT_X_BOUNDARY, NULL),
464 VC4_DEFINE_PACKET(VC4_PACKET_DEPTH_OFFSET, NULL),
465 VC4_DEFINE_PACKET(VC4_PACKET_CLIP_WINDOW, NULL),
466 VC4_DEFINE_PACKET(VC4_PACKET_VIEWPORT_OFFSET, NULL),
467 VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_XY_SCALING, NULL),
468 /* Note: The docs say this was also 105, but it was 106 in the
469 * initial userland code drop.
470 */
471 VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_Z_SCALING, NULL),
472
473 VC4_DEFINE_PACKET(VC4_PACKET_TILE_BINNING_MODE_CONFIG,
474 validate_tile_binning_config),
475
476 VC4_DEFINE_PACKET(VC4_PACKET_GEM_HANDLES, validate_gem_handles),
477 };
478
479 int
vc4_validate_bin_cl(struct drm_device * dev,void * validated,void * unvalidated,struct vc4_exec_info * exec)480 vc4_validate_bin_cl(struct drm_device *dev,
481 void *validated,
482 void *unvalidated,
483 struct vc4_exec_info *exec)
484 {
485 uint32_t len = exec->args->bin_cl_size;
486 uint32_t dst_offset = 0;
487 uint32_t src_offset = 0;
488
489 while (src_offset < len) {
490 void *dst_pkt = validated + dst_offset;
491 void *src_pkt = unvalidated + src_offset;
492 u8 cmd = *(uint8_t *)src_pkt;
493 const struct cmd_info *info;
494
495 if (cmd >= ARRAY_SIZE(cmd_info)) {
496 DRM_DEBUG("0x%08x: packet %d out of bounds\n",
497 src_offset, cmd);
498 return -EINVAL;
499 }
500
501 info = &cmd_info[cmd];
502 if (!info->name) {
503 DRM_DEBUG("0x%08x: packet %d invalid\n",
504 src_offset, cmd);
505 return -EINVAL;
506 }
507
508 if (src_offset + info->len > len) {
509 DRM_DEBUG("0x%08x: packet %d (%s) length 0x%08x "
510 "exceeds bounds (0x%08x)\n",
511 src_offset, cmd, info->name, info->len,
512 src_offset + len);
513 return -EINVAL;
514 }
515
516 if (cmd != VC4_PACKET_GEM_HANDLES)
517 memcpy(dst_pkt, src_pkt, info->len);
518
519 if (info->func && info->func(exec,
520 dst_pkt + 1,
521 src_pkt + 1)) {
522 DRM_DEBUG("0x%08x: packet %d (%s) failed to validate\n",
523 src_offset, cmd, info->name);
524 return -EINVAL;
525 }
526
527 src_offset += info->len;
528 /* GEM handle loading doesn't produce HW packets. */
529 if (cmd != VC4_PACKET_GEM_HANDLES)
530 dst_offset += info->len;
531
532 /* When the CL hits halt, it'll stop reading anything else. */
533 if (cmd == VC4_PACKET_HALT)
534 break;
535 }
536
537 exec->ct0ea = exec->ct0ca + dst_offset;
538
539 if (!exec->found_start_tile_binning_packet) {
540 DRM_DEBUG("Bin CL missing VC4_PACKET_START_TILE_BINNING\n");
541 return -EINVAL;
542 }
543
544 /* The bin CL must be ended with INCREMENT_SEMAPHORE and FLUSH. The
545 * semaphore is used to trigger the render CL to start up, and the
546 * FLUSH is what caps the bin lists with
547 * VC4_PACKET_RETURN_FROM_SUB_LIST (so they jump back to the main
548 * render CL when they get called to) and actually triggers the queued
549 * semaphore increment.
550 */
551 if (!exec->found_increment_semaphore_packet || !exec->found_flush) {
552 DRM_DEBUG("Bin CL missing VC4_PACKET_INCREMENT_SEMAPHORE + "
553 "VC4_PACKET_FLUSH\n");
554 return -EINVAL;
555 }
556
557 return 0;
558 }
559
560 static bool
reloc_tex(struct vc4_exec_info * exec,void * uniform_data_u,struct vc4_texture_sample_info * sample,uint32_t texture_handle_index,bool is_cs)561 reloc_tex(struct vc4_exec_info *exec,
562 void *uniform_data_u,
563 struct vc4_texture_sample_info *sample,
564 uint32_t texture_handle_index, bool is_cs)
565 {
566 struct drm_gem_cma_object *tex;
567 uint32_t p0 = *(uint32_t *)(uniform_data_u + sample->p_offset[0]);
568 uint32_t p1 = *(uint32_t *)(uniform_data_u + sample->p_offset[1]);
569 uint32_t p2 = (sample->p_offset[2] != ~0 ?
570 *(uint32_t *)(uniform_data_u + sample->p_offset[2]) : 0);
571 uint32_t p3 = (sample->p_offset[3] != ~0 ?
572 *(uint32_t *)(uniform_data_u + sample->p_offset[3]) : 0);
573 uint32_t *validated_p0 = exec->uniforms_v + sample->p_offset[0];
574 uint32_t offset = p0 & VC4_TEX_P0_OFFSET_MASK;
575 uint32_t miplevels = VC4_GET_FIELD(p0, VC4_TEX_P0_MIPLVLS);
576 uint32_t width = VC4_GET_FIELD(p1, VC4_TEX_P1_WIDTH);
577 uint32_t height = VC4_GET_FIELD(p1, VC4_TEX_P1_HEIGHT);
578 uint32_t cpp, tiling_format, utile_w, utile_h;
579 uint32_t i;
580 uint32_t cube_map_stride = 0;
581 enum vc4_texture_data_type type;
582
583 tex = vc4_use_bo(exec, texture_handle_index);
584 if (!tex)
585 return false;
586
587 if (sample->is_direct) {
588 uint32_t remaining_size = tex->base.size - p0;
589
590 if (p0 > tex->base.size - 4) {
591 DRM_DEBUG("UBO offset greater than UBO size\n");
592 goto fail;
593 }
594 if (p1 > remaining_size - 4) {
595 DRM_DEBUG("UBO clamp would allow reads "
596 "outside of UBO\n");
597 goto fail;
598 }
599 *validated_p0 = tex->paddr + p0;
600 return true;
601 }
602
603 if (width == 0)
604 width = 2048;
605 if (height == 0)
606 height = 2048;
607
608 if (p0 & VC4_TEX_P0_CMMODE_MASK) {
609 if (VC4_GET_FIELD(p2, VC4_TEX_P2_PTYPE) ==
610 VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE)
611 cube_map_stride = p2 & VC4_TEX_P2_CMST_MASK;
612 if (VC4_GET_FIELD(p3, VC4_TEX_P2_PTYPE) ==
613 VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE) {
614 if (cube_map_stride) {
615 DRM_DEBUG("Cube map stride set twice\n");
616 goto fail;
617 }
618
619 cube_map_stride = p3 & VC4_TEX_P2_CMST_MASK;
620 }
621 if (!cube_map_stride) {
622 DRM_DEBUG("Cube map stride not set\n");
623 goto fail;
624 }
625 }
626
627 type = (VC4_GET_FIELD(p0, VC4_TEX_P0_TYPE) |
628 (VC4_GET_FIELD(p1, VC4_TEX_P1_TYPE4) << 4));
629
630 switch (type) {
631 case VC4_TEXTURE_TYPE_RGBA8888:
632 case VC4_TEXTURE_TYPE_RGBX8888:
633 case VC4_TEXTURE_TYPE_RGBA32R:
634 cpp = 4;
635 break;
636 case VC4_TEXTURE_TYPE_RGBA4444:
637 case VC4_TEXTURE_TYPE_RGBA5551:
638 case VC4_TEXTURE_TYPE_RGB565:
639 case VC4_TEXTURE_TYPE_LUMALPHA:
640 case VC4_TEXTURE_TYPE_S16F:
641 case VC4_TEXTURE_TYPE_S16:
642 cpp = 2;
643 break;
644 case VC4_TEXTURE_TYPE_LUMINANCE:
645 case VC4_TEXTURE_TYPE_ALPHA:
646 case VC4_TEXTURE_TYPE_S8:
647 cpp = 1;
648 break;
649 case VC4_TEXTURE_TYPE_ETC1:
650 /* ETC1 is arranged as 64-bit blocks, where each block is 4x4
651 * pixels.
652 */
653 cpp = 8;
654 width = (width + 3) >> 2;
655 height = (height + 3) >> 2;
656 break;
657 case VC4_TEXTURE_TYPE_BW1:
658 case VC4_TEXTURE_TYPE_A4:
659 case VC4_TEXTURE_TYPE_A1:
660 case VC4_TEXTURE_TYPE_RGBA64:
661 case VC4_TEXTURE_TYPE_YUV422R:
662 default:
663 DRM_DEBUG("Texture format %d unsupported\n", type);
664 goto fail;
665 }
666 utile_w = utile_width(cpp);
667 utile_h = utile_height(cpp);
668
669 if (type == VC4_TEXTURE_TYPE_RGBA32R) {
670 tiling_format = VC4_TILING_FORMAT_LINEAR;
671 } else {
672 if (size_is_lt(width, height, cpp))
673 tiling_format = VC4_TILING_FORMAT_LT;
674 else
675 tiling_format = VC4_TILING_FORMAT_T;
676 }
677
678 if (!vc4_check_tex_size(exec, tex, offset + cube_map_stride * 5,
679 tiling_format, width, height, cpp)) {
680 goto fail;
681 }
682
683 /* The mipmap levels are stored before the base of the texture. Make
684 * sure there is actually space in the BO.
685 */
686 for (i = 1; i <= miplevels; i++) {
687 uint32_t level_width = max(width >> i, 1u);
688 uint32_t level_height = max(height >> i, 1u);
689 uint32_t aligned_width, aligned_height;
690 uint32_t level_size;
691
692 /* Once the levels get small enough, they drop from T to LT. */
693 if (tiling_format == VC4_TILING_FORMAT_T &&
694 size_is_lt(level_width, level_height, cpp)) {
695 tiling_format = VC4_TILING_FORMAT_LT;
696 }
697
698 switch (tiling_format) {
699 case VC4_TILING_FORMAT_T:
700 aligned_width = round_up(level_width, utile_w * 8);
701 aligned_height = round_up(level_height, utile_h * 8);
702 break;
703 case VC4_TILING_FORMAT_LT:
704 aligned_width = round_up(level_width, utile_w);
705 aligned_height = round_up(level_height, utile_h);
706 break;
707 default:
708 aligned_width = round_up(level_width, utile_w);
709 aligned_height = level_height;
710 break;
711 }
712
713 level_size = aligned_width * cpp * aligned_height;
714
715 if (offset < level_size) {
716 DRM_DEBUG("Level %d (%dx%d -> %dx%d) size %db "
717 "overflowed buffer bounds (offset %d)\n",
718 i, level_width, level_height,
719 aligned_width, aligned_height,
720 level_size, offset);
721 goto fail;
722 }
723
724 offset -= level_size;
725 }
726
727 *validated_p0 = tex->paddr + p0;
728
729 if (is_cs) {
730 exec->bin_dep_seqno = max(exec->bin_dep_seqno,
731 to_vc4_bo(&tex->base)->write_seqno);
732 }
733
734 return true;
735 fail:
736 DRM_INFO("Texture p0 at %d: 0x%08x\n", sample->p_offset[0], p0);
737 DRM_INFO("Texture p1 at %d: 0x%08x\n", sample->p_offset[1], p1);
738 DRM_INFO("Texture p2 at %d: 0x%08x\n", sample->p_offset[2], p2);
739 DRM_INFO("Texture p3 at %d: 0x%08x\n", sample->p_offset[3], p3);
740 return false;
741 }
742
743 static int
validate_gl_shader_rec(struct drm_device * dev,struct vc4_exec_info * exec,struct vc4_shader_state * state)744 validate_gl_shader_rec(struct drm_device *dev,
745 struct vc4_exec_info *exec,
746 struct vc4_shader_state *state)
747 {
748 uint32_t *src_handles;
749 void *pkt_u, *pkt_v;
750 static const uint32_t shader_reloc_offsets[] = {
751 4, /* fs */
752 16, /* vs */
753 28, /* cs */
754 };
755 uint32_t shader_reloc_count = ARRAY_SIZE(shader_reloc_offsets);
756 struct drm_gem_cma_object *bo[ARRAY_SIZE(shader_reloc_offsets) + 8];
757 uint32_t nr_attributes, nr_relocs, packet_size;
758 int i;
759
760 nr_attributes = state->addr & 0x7;
761 if (nr_attributes == 0)
762 nr_attributes = 8;
763 packet_size = gl_shader_rec_size(state->addr);
764
765 nr_relocs = ARRAY_SIZE(shader_reloc_offsets) + nr_attributes;
766 if (nr_relocs * 4 > exec->shader_rec_size) {
767 DRM_DEBUG("overflowed shader recs reading %d handles "
768 "from %d bytes left\n",
769 nr_relocs, exec->shader_rec_size);
770 return -EINVAL;
771 }
772 src_handles = exec->shader_rec_u;
773 exec->shader_rec_u += nr_relocs * 4;
774 exec->shader_rec_size -= nr_relocs * 4;
775
776 if (packet_size > exec->shader_rec_size) {
777 DRM_DEBUG("overflowed shader recs copying %db packet "
778 "from %d bytes left\n",
779 packet_size, exec->shader_rec_size);
780 return -EINVAL;
781 }
782 pkt_u = exec->shader_rec_u;
783 pkt_v = exec->shader_rec_v;
784 memcpy(pkt_v, pkt_u, packet_size);
785 exec->shader_rec_u += packet_size;
786 /* Shader recs have to be aligned to 16 bytes (due to the attribute
787 * flags being in the low bytes), so round the next validated shader
788 * rec address up. This should be safe, since we've got so many
789 * relocations in a shader rec packet.
790 */
791 BUG_ON(roundup(packet_size, 16) - packet_size > nr_relocs * 4);
792 exec->shader_rec_v += roundup(packet_size, 16);
793 exec->shader_rec_size -= packet_size;
794
795 for (i = 0; i < shader_reloc_count; i++) {
796 if (src_handles[i] > exec->bo_count) {
797 DRM_DEBUG("Shader handle %d too big\n", src_handles[i]);
798 return -EINVAL;
799 }
800
801 bo[i] = exec->bo[src_handles[i]];
802 if (!bo[i])
803 return -EINVAL;
804 }
805 for (i = shader_reloc_count; i < nr_relocs; i++) {
806 bo[i] = vc4_use_bo(exec, src_handles[i]);
807 if (!bo[i])
808 return -EINVAL;
809 }
810
811 if (((*(uint16_t *)pkt_u & VC4_SHADER_FLAG_FS_SINGLE_THREAD) == 0) !=
812 to_vc4_bo(&bo[0]->base)->validated_shader->is_threaded) {
813 DRM_DEBUG("Thread mode of CL and FS do not match\n");
814 return -EINVAL;
815 }
816
817 if (to_vc4_bo(&bo[1]->base)->validated_shader->is_threaded ||
818 to_vc4_bo(&bo[2]->base)->validated_shader->is_threaded) {
819 DRM_DEBUG("cs and vs cannot be threaded\n");
820 return -EINVAL;
821 }
822
823 for (i = 0; i < shader_reloc_count; i++) {
824 struct vc4_validated_shader_info *validated_shader;
825 uint32_t o = shader_reloc_offsets[i];
826 uint32_t src_offset = *(uint32_t *)(pkt_u + o);
827 uint32_t *texture_handles_u;
828 void *uniform_data_u;
829 uint32_t tex, uni;
830
831 *(uint32_t *)(pkt_v + o) = bo[i]->paddr + src_offset;
832
833 if (src_offset != 0) {
834 DRM_DEBUG("Shaders must be at offset 0 of "
835 "the BO.\n");
836 return -EINVAL;
837 }
838
839 validated_shader = to_vc4_bo(&bo[i]->base)->validated_shader;
840 if (!validated_shader)
841 return -EINVAL;
842
843 if (validated_shader->uniforms_src_size >
844 exec->uniforms_size) {
845 DRM_DEBUG("Uniforms src buffer overflow\n");
846 return -EINVAL;
847 }
848
849 texture_handles_u = exec->uniforms_u;
850 uniform_data_u = (texture_handles_u +
851 validated_shader->num_texture_samples);
852
853 memcpy(exec->uniforms_v, uniform_data_u,
854 validated_shader->uniforms_size);
855
856 for (tex = 0;
857 tex < validated_shader->num_texture_samples;
858 tex++) {
859 if (!reloc_tex(exec,
860 uniform_data_u,
861 &validated_shader->texture_samples[tex],
862 texture_handles_u[tex],
863 i == 2)) {
864 return -EINVAL;
865 }
866 }
867
868 /* Fill in the uniform slots that need this shader's
869 * start-of-uniforms address (used for resetting the uniform
870 * stream in the presence of control flow).
871 */
872 for (uni = 0;
873 uni < validated_shader->num_uniform_addr_offsets;
874 uni++) {
875 uint32_t o = validated_shader->uniform_addr_offsets[uni];
876 ((uint32_t *)exec->uniforms_v)[o] = exec->uniforms_p;
877 }
878
879 *(uint32_t *)(pkt_v + o + 4) = exec->uniforms_p;
880
881 exec->uniforms_u += validated_shader->uniforms_src_size;
882 exec->uniforms_v += validated_shader->uniforms_size;
883 exec->uniforms_p += validated_shader->uniforms_size;
884 }
885
886 for (i = 0; i < nr_attributes; i++) {
887 struct drm_gem_cma_object *vbo =
888 bo[ARRAY_SIZE(shader_reloc_offsets) + i];
889 uint32_t o = 36 + i * 8;
890 uint32_t offset = *(uint32_t *)(pkt_u + o + 0);
891 uint32_t attr_size = *(uint8_t *)(pkt_u + o + 4) + 1;
892 uint32_t stride = *(uint8_t *)(pkt_u + o + 5);
893 uint32_t max_index;
894
895 exec->bin_dep_seqno = max(exec->bin_dep_seqno,
896 to_vc4_bo(&vbo->base)->write_seqno);
897
898 if (state->addr & 0x8)
899 stride |= (*(uint32_t *)(pkt_u + 100 + i * 4)) & ~0xff;
900
901 if (vbo->base.size < offset ||
902 vbo->base.size - offset < attr_size) {
903 DRM_DEBUG("BO offset overflow (%d + %d > %zu)\n",
904 offset, attr_size, vbo->base.size);
905 return -EINVAL;
906 }
907
908 if (stride != 0) {
909 max_index = ((vbo->base.size - offset - attr_size) /
910 stride);
911 if (state->max_index > max_index) {
912 DRM_DEBUG("primitives use index %d out of "
913 "supplied %d\n",
914 state->max_index, max_index);
915 return -EINVAL;
916 }
917 }
918
919 *(uint32_t *)(pkt_v + o) = vbo->paddr + offset;
920 }
921
922 return 0;
923 }
924
925 int
vc4_validate_shader_recs(struct drm_device * dev,struct vc4_exec_info * exec)926 vc4_validate_shader_recs(struct drm_device *dev,
927 struct vc4_exec_info *exec)
928 {
929 uint32_t i;
930 int ret = 0;
931
932 for (i = 0; i < exec->shader_state_count; i++) {
933 ret = validate_gl_shader_rec(dev, exec, &exec->shader_state[i]);
934 if (ret)
935 return ret;
936 }
937
938 return ret;
939 }
940