Loading...
1/*
2 * Copyright © 2014 Broadcom
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
13 * Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21 * IN THE SOFTWARE.
22 */
23
24/**
25 * Command list validator for VC4.
26 *
27 * The VC4 has no IOMMU between it and system memory. So, a user with
28 * access to execute command lists could escalate privilege by
29 * overwriting system memory (drawing to it as a framebuffer) or
30 * reading system memory it shouldn't (reading it as a texture, or
31 * uniform data, or vertex data).
32 *
33 * This validates command lists to ensure that all accesses are within
34 * the bounds of the GEM objects referenced. It explicitly whitelists
35 * packets, and looks at the offsets in any address fields to make
36 * sure they're constrained within the BOs they reference.
37 *
38 * Note that because of the validation that's happening anyway, this
39 * is where GEM relocation processing happens.
40 */
41
42#include "uapi/drm/vc4_drm.h"
43#include "vc4_drv.h"
44#include "vc4_packet.h"
45
46#define VALIDATE_ARGS \
47 struct vc4_exec_info *exec, \
48 void *validated, \
49 void *untrusted
50
51/** Return the width in pixels of a 64-byte microtile. */
52static uint32_t
53utile_width(int cpp)
54{
55 switch (cpp) {
56 case 1:
57 case 2:
58 return 8;
59 case 4:
60 return 4;
61 case 8:
62 return 2;
63 default:
64 DRM_ERROR("unknown cpp: %d\n", cpp);
65 return 1;
66 }
67}
68
69/** Return the height in pixels of a 64-byte microtile. */
70static uint32_t
71utile_height(int cpp)
72{
73 switch (cpp) {
74 case 1:
75 return 8;
76 case 2:
77 case 4:
78 case 8:
79 return 4;
80 default:
81 DRM_ERROR("unknown cpp: %d\n", cpp);
82 return 1;
83 }
84}
85
86/**
87 * The texture unit decides what tiling format a particular miplevel is using
88 * this function, so we lay out our miptrees accordingly.
89 */
90static bool
91size_is_lt(uint32_t width, uint32_t height, int cpp)
92{
93 return (width <= 4 * utile_width(cpp) ||
94 height <= 4 * utile_height(cpp));
95}
96
97struct drm_gem_cma_object *
98vc4_use_bo(struct vc4_exec_info *exec, uint32_t hindex)
99{
100 struct drm_gem_cma_object *obj;
101 struct vc4_bo *bo;
102
103 if (hindex >= exec->bo_count) {
104 DRM_ERROR("BO index %d greater than BO count %d\n",
105 hindex, exec->bo_count);
106 return NULL;
107 }
108 obj = exec->bo[hindex];
109 bo = to_vc4_bo(&obj->base);
110
111 if (bo->validated_shader) {
112 DRM_ERROR("Trying to use shader BO as something other than "
113 "a shader\n");
114 return NULL;
115 }
116
117 return obj;
118}
119
120static struct drm_gem_cma_object *
121vc4_use_handle(struct vc4_exec_info *exec, uint32_t gem_handles_packet_index)
122{
123 return vc4_use_bo(exec, exec->bo_index[gem_handles_packet_index]);
124}
125
126static bool
127validate_bin_pos(struct vc4_exec_info *exec, void *untrusted, uint32_t pos)
128{
129 /* Note that the untrusted pointer passed to these functions is
130 * incremented past the packet byte.
131 */
132 return (untrusted - 1 == exec->bin_u + pos);
133}
134
135static uint32_t
136gl_shader_rec_size(uint32_t pointer_bits)
137{
138 uint32_t attribute_count = pointer_bits & 7;
139 bool extended = pointer_bits & 8;
140
141 if (attribute_count == 0)
142 attribute_count = 8;
143
144 if (extended)
145 return 100 + attribute_count * 4;
146 else
147 return 36 + attribute_count * 8;
148}
149
150bool
151vc4_check_tex_size(struct vc4_exec_info *exec, struct drm_gem_cma_object *fbo,
152 uint32_t offset, uint8_t tiling_format,
153 uint32_t width, uint32_t height, uint8_t cpp)
154{
155 uint32_t aligned_width, aligned_height, stride, size;
156 uint32_t utile_w = utile_width(cpp);
157 uint32_t utile_h = utile_height(cpp);
158
159 /* The shaded vertex format stores signed 12.4 fixed point
160 * (-2048,2047) offsets from the viewport center, so we should
161 * never have a render target larger than 4096. The texture
162 * unit can only sample from 2048x2048, so it's even more
163 * restricted. This lets us avoid worrying about overflow in
164 * our math.
165 */
166 if (width > 4096 || height > 4096) {
167 DRM_ERROR("Surface dimesions (%d,%d) too large", width, height);
168 return false;
169 }
170
171 switch (tiling_format) {
172 case VC4_TILING_FORMAT_LINEAR:
173 aligned_width = round_up(width, utile_w);
174 aligned_height = height;
175 break;
176 case VC4_TILING_FORMAT_T:
177 aligned_width = round_up(width, utile_w * 8);
178 aligned_height = round_up(height, utile_h * 8);
179 break;
180 case VC4_TILING_FORMAT_LT:
181 aligned_width = round_up(width, utile_w);
182 aligned_height = round_up(height, utile_h);
183 break;
184 default:
185 DRM_ERROR("buffer tiling %d unsupported\n", tiling_format);
186 return false;
187 }
188
189 stride = aligned_width * cpp;
190 size = stride * aligned_height;
191
192 if (size + offset < size ||
193 size + offset > fbo->base.size) {
194 DRM_ERROR("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %zd)\n",
195 width, height,
196 aligned_width, aligned_height,
197 size, offset, fbo->base.size);
198 return false;
199 }
200
201 return true;
202}
203
204static int
205validate_flush(VALIDATE_ARGS)
206{
207 if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 1)) {
208 DRM_ERROR("Bin CL must end with VC4_PACKET_FLUSH\n");
209 return -EINVAL;
210 }
211 exec->found_flush = true;
212
213 return 0;
214}
215
216static int
217validate_start_tile_binning(VALIDATE_ARGS)
218{
219 if (exec->found_start_tile_binning_packet) {
220 DRM_ERROR("Duplicate VC4_PACKET_START_TILE_BINNING\n");
221 return -EINVAL;
222 }
223 exec->found_start_tile_binning_packet = true;
224
225 if (!exec->found_tile_binning_mode_config_packet) {
226 DRM_ERROR("missing VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
227 return -EINVAL;
228 }
229
230 return 0;
231}
232
233static int
234validate_increment_semaphore(VALIDATE_ARGS)
235{
236 if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 2)) {
237 DRM_ERROR("Bin CL must end with "
238 "VC4_PACKET_INCREMENT_SEMAPHORE\n");
239 return -EINVAL;
240 }
241 exec->found_increment_semaphore_packet = true;
242
243 return 0;
244}
245
246static int
247validate_indexed_prim_list(VALIDATE_ARGS)
248{
249 struct drm_gem_cma_object *ib;
250 uint32_t length = *(uint32_t *)(untrusted + 1);
251 uint32_t offset = *(uint32_t *)(untrusted + 5);
252 uint32_t max_index = *(uint32_t *)(untrusted + 9);
253 uint32_t index_size = (*(uint8_t *)(untrusted + 0) >> 4) ? 2 : 1;
254 struct vc4_shader_state *shader_state;
255
256 /* Check overflow condition */
257 if (exec->shader_state_count == 0) {
258 DRM_ERROR("shader state must precede primitives\n");
259 return -EINVAL;
260 }
261 shader_state = &exec->shader_state[exec->shader_state_count - 1];
262
263 if (max_index > shader_state->max_index)
264 shader_state->max_index = max_index;
265
266 ib = vc4_use_handle(exec, 0);
267 if (!ib)
268 return -EINVAL;
269
270 if (offset > ib->base.size ||
271 (ib->base.size - offset) / index_size < length) {
272 DRM_ERROR("IB access overflow (%d + %d*%d > %zd)\n",
273 offset, length, index_size, ib->base.size);
274 return -EINVAL;
275 }
276
277 *(uint32_t *)(validated + 5) = ib->paddr + offset;
278
279 return 0;
280}
281
282static int
283validate_gl_array_primitive(VALIDATE_ARGS)
284{
285 uint32_t length = *(uint32_t *)(untrusted + 1);
286 uint32_t base_index = *(uint32_t *)(untrusted + 5);
287 uint32_t max_index;
288 struct vc4_shader_state *shader_state;
289
290 /* Check overflow condition */
291 if (exec->shader_state_count == 0) {
292 DRM_ERROR("shader state must precede primitives\n");
293 return -EINVAL;
294 }
295 shader_state = &exec->shader_state[exec->shader_state_count - 1];
296
297 if (length + base_index < length) {
298 DRM_ERROR("primitive vertex count overflow\n");
299 return -EINVAL;
300 }
301 max_index = length + base_index - 1;
302
303 if (max_index > shader_state->max_index)
304 shader_state->max_index = max_index;
305
306 return 0;
307}
308
309static int
310validate_gl_shader_state(VALIDATE_ARGS)
311{
312 uint32_t i = exec->shader_state_count++;
313
314 if (i >= exec->shader_state_size) {
315 DRM_ERROR("More requests for shader states than declared\n");
316 return -EINVAL;
317 }
318
319 exec->shader_state[i].addr = *(uint32_t *)untrusted;
320 exec->shader_state[i].max_index = 0;
321
322 if (exec->shader_state[i].addr & ~0xf) {
323 DRM_ERROR("high bits set in GL shader rec reference\n");
324 return -EINVAL;
325 }
326
327 *(uint32_t *)validated = (exec->shader_rec_p +
328 exec->shader_state[i].addr);
329
330 exec->shader_rec_p +=
331 roundup(gl_shader_rec_size(exec->shader_state[i].addr), 16);
332
333 return 0;
334}
335
336static int
337validate_tile_binning_config(VALIDATE_ARGS)
338{
339 struct drm_device *dev = exec->exec_bo->base.dev;
340 struct vc4_bo *tile_bo;
341 uint8_t flags;
342 uint32_t tile_state_size, tile_alloc_size;
343 uint32_t tile_count;
344
345 if (exec->found_tile_binning_mode_config_packet) {
346 DRM_ERROR("Duplicate VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
347 return -EINVAL;
348 }
349 exec->found_tile_binning_mode_config_packet = true;
350
351 exec->bin_tiles_x = *(uint8_t *)(untrusted + 12);
352 exec->bin_tiles_y = *(uint8_t *)(untrusted + 13);
353 tile_count = exec->bin_tiles_x * exec->bin_tiles_y;
354 flags = *(uint8_t *)(untrusted + 14);
355
356 if (exec->bin_tiles_x == 0 ||
357 exec->bin_tiles_y == 0) {
358 DRM_ERROR("Tile binning config of %dx%d too small\n",
359 exec->bin_tiles_x, exec->bin_tiles_y);
360 return -EINVAL;
361 }
362
363 if (flags & (VC4_BIN_CONFIG_DB_NON_MS |
364 VC4_BIN_CONFIG_TILE_BUFFER_64BIT)) {
365 DRM_ERROR("unsupported binning config flags 0x%02x\n", flags);
366 return -EINVAL;
367 }
368
369 /* The tile state data array is 48 bytes per tile, and we put it at
370 * the start of a BO containing both it and the tile alloc.
371 */
372 tile_state_size = 48 * tile_count;
373
374 /* Since the tile alloc array will follow us, align. */
375 exec->tile_alloc_offset = roundup(tile_state_size, 4096);
376
377 *(uint8_t *)(validated + 14) =
378 ((flags & ~(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_MASK |
379 VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_MASK)) |
380 VC4_BIN_CONFIG_AUTO_INIT_TSDA |
381 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_32,
382 VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE) |
383 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_128,
384 VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE));
385
386 /* Initial block size. */
387 tile_alloc_size = 32 * tile_count;
388
389 /*
390 * The initial allocation gets rounded to the next 256 bytes before
391 * the hardware starts fulfilling further allocations.
392 */
393 tile_alloc_size = roundup(tile_alloc_size, 256);
394
395 /* Add space for the extra allocations. This is what gets used first,
396 * before overflow memory. It must have at least 4096 bytes, but we
397 * want to avoid overflow memory usage if possible.
398 */
399 tile_alloc_size += 1024 * 1024;
400
401 tile_bo = vc4_bo_create(dev, exec->tile_alloc_offset + tile_alloc_size,
402 true);
403 exec->tile_bo = &tile_bo->base;
404 if (IS_ERR(exec->tile_bo))
405 return PTR_ERR(exec->tile_bo);
406 list_add_tail(&tile_bo->unref_head, &exec->unref_list);
407
408 /* tile alloc address. */
409 *(uint32_t *)(validated + 0) = (exec->tile_bo->paddr +
410 exec->tile_alloc_offset);
411 /* tile alloc size. */
412 *(uint32_t *)(validated + 4) = tile_alloc_size;
413 /* tile state address. */
414 *(uint32_t *)(validated + 8) = exec->tile_bo->paddr;
415
416 return 0;
417}
418
419static int
420validate_gem_handles(VALIDATE_ARGS)
421{
422 memcpy(exec->bo_index, untrusted, sizeof(exec->bo_index));
423 return 0;
424}
425
426#define VC4_DEFINE_PACKET(packet, func) \
427 [packet] = { packet ## _SIZE, #packet, func }
428
429static const struct cmd_info {
430 uint16_t len;
431 const char *name;
432 int (*func)(struct vc4_exec_info *exec, void *validated,
433 void *untrusted);
434} cmd_info[] = {
435 VC4_DEFINE_PACKET(VC4_PACKET_HALT, NULL),
436 VC4_DEFINE_PACKET(VC4_PACKET_NOP, NULL),
437 VC4_DEFINE_PACKET(VC4_PACKET_FLUSH, validate_flush),
438 VC4_DEFINE_PACKET(VC4_PACKET_FLUSH_ALL, NULL),
439 VC4_DEFINE_PACKET(VC4_PACKET_START_TILE_BINNING,
440 validate_start_tile_binning),
441 VC4_DEFINE_PACKET(VC4_PACKET_INCREMENT_SEMAPHORE,
442 validate_increment_semaphore),
443
444 VC4_DEFINE_PACKET(VC4_PACKET_GL_INDEXED_PRIMITIVE,
445 validate_indexed_prim_list),
446 VC4_DEFINE_PACKET(VC4_PACKET_GL_ARRAY_PRIMITIVE,
447 validate_gl_array_primitive),
448
449 VC4_DEFINE_PACKET(VC4_PACKET_PRIMITIVE_LIST_FORMAT, NULL),
450
451 VC4_DEFINE_PACKET(VC4_PACKET_GL_SHADER_STATE, validate_gl_shader_state),
452
453 VC4_DEFINE_PACKET(VC4_PACKET_CONFIGURATION_BITS, NULL),
454 VC4_DEFINE_PACKET(VC4_PACKET_FLAT_SHADE_FLAGS, NULL),
455 VC4_DEFINE_PACKET(VC4_PACKET_POINT_SIZE, NULL),
456 VC4_DEFINE_PACKET(VC4_PACKET_LINE_WIDTH, NULL),
457 VC4_DEFINE_PACKET(VC4_PACKET_RHT_X_BOUNDARY, NULL),
458 VC4_DEFINE_PACKET(VC4_PACKET_DEPTH_OFFSET, NULL),
459 VC4_DEFINE_PACKET(VC4_PACKET_CLIP_WINDOW, NULL),
460 VC4_DEFINE_PACKET(VC4_PACKET_VIEWPORT_OFFSET, NULL),
461 VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_XY_SCALING, NULL),
462 /* Note: The docs say this was also 105, but it was 106 in the
463 * initial userland code drop.
464 */
465 VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_Z_SCALING, NULL),
466
467 VC4_DEFINE_PACKET(VC4_PACKET_TILE_BINNING_MODE_CONFIG,
468 validate_tile_binning_config),
469
470 VC4_DEFINE_PACKET(VC4_PACKET_GEM_HANDLES, validate_gem_handles),
471};
472
473int
474vc4_validate_bin_cl(struct drm_device *dev,
475 void *validated,
476 void *unvalidated,
477 struct vc4_exec_info *exec)
478{
479 uint32_t len = exec->args->bin_cl_size;
480 uint32_t dst_offset = 0;
481 uint32_t src_offset = 0;
482
483 while (src_offset < len) {
484 void *dst_pkt = validated + dst_offset;
485 void *src_pkt = unvalidated + src_offset;
486 u8 cmd = *(uint8_t *)src_pkt;
487 const struct cmd_info *info;
488
489 if (cmd >= ARRAY_SIZE(cmd_info)) {
490 DRM_ERROR("0x%08x: packet %d out of bounds\n",
491 src_offset, cmd);
492 return -EINVAL;
493 }
494
495 info = &cmd_info[cmd];
496 if (!info->name) {
497 DRM_ERROR("0x%08x: packet %d invalid\n",
498 src_offset, cmd);
499 return -EINVAL;
500 }
501
502 if (src_offset + info->len > len) {
503 DRM_ERROR("0x%08x: packet %d (%s) length 0x%08x "
504 "exceeds bounds (0x%08x)\n",
505 src_offset, cmd, info->name, info->len,
506 src_offset + len);
507 return -EINVAL;
508 }
509
510 if (cmd != VC4_PACKET_GEM_HANDLES)
511 memcpy(dst_pkt, src_pkt, info->len);
512
513 if (info->func && info->func(exec,
514 dst_pkt + 1,
515 src_pkt + 1)) {
516 DRM_ERROR("0x%08x: packet %d (%s) failed to validate\n",
517 src_offset, cmd, info->name);
518 return -EINVAL;
519 }
520
521 src_offset += info->len;
522 /* GEM handle loading doesn't produce HW packets. */
523 if (cmd != VC4_PACKET_GEM_HANDLES)
524 dst_offset += info->len;
525
526 /* When the CL hits halt, it'll stop reading anything else. */
527 if (cmd == VC4_PACKET_HALT)
528 break;
529 }
530
531 exec->ct0ea = exec->ct0ca + dst_offset;
532
533 if (!exec->found_start_tile_binning_packet) {
534 DRM_ERROR("Bin CL missing VC4_PACKET_START_TILE_BINNING\n");
535 return -EINVAL;
536 }
537
538 /* The bin CL must be ended with INCREMENT_SEMAPHORE and FLUSH. The
539 * semaphore is used to trigger the render CL to start up, and the
540 * FLUSH is what caps the bin lists with
541 * VC4_PACKET_RETURN_FROM_SUB_LIST (so they jump back to the main
542 * render CL when they get called to) and actually triggers the queued
543 * semaphore increment.
544 */
545 if (!exec->found_increment_semaphore_packet || !exec->found_flush) {
546 DRM_ERROR("Bin CL missing VC4_PACKET_INCREMENT_SEMAPHORE + "
547 "VC4_PACKET_FLUSH\n");
548 return -EINVAL;
549 }
550
551 return 0;
552}
553
554static bool
555reloc_tex(struct vc4_exec_info *exec,
556 void *uniform_data_u,
557 struct vc4_texture_sample_info *sample,
558 uint32_t texture_handle_index)
559
560{
561 struct drm_gem_cma_object *tex;
562 uint32_t p0 = *(uint32_t *)(uniform_data_u + sample->p_offset[0]);
563 uint32_t p1 = *(uint32_t *)(uniform_data_u + sample->p_offset[1]);
564 uint32_t p2 = (sample->p_offset[2] != ~0 ?
565 *(uint32_t *)(uniform_data_u + sample->p_offset[2]) : 0);
566 uint32_t p3 = (sample->p_offset[3] != ~0 ?
567 *(uint32_t *)(uniform_data_u + sample->p_offset[3]) : 0);
568 uint32_t *validated_p0 = exec->uniforms_v + sample->p_offset[0];
569 uint32_t offset = p0 & VC4_TEX_P0_OFFSET_MASK;
570 uint32_t miplevels = VC4_GET_FIELD(p0, VC4_TEX_P0_MIPLVLS);
571 uint32_t width = VC4_GET_FIELD(p1, VC4_TEX_P1_WIDTH);
572 uint32_t height = VC4_GET_FIELD(p1, VC4_TEX_P1_HEIGHT);
573 uint32_t cpp, tiling_format, utile_w, utile_h;
574 uint32_t i;
575 uint32_t cube_map_stride = 0;
576 enum vc4_texture_data_type type;
577
578 tex = vc4_use_bo(exec, texture_handle_index);
579 if (!tex)
580 return false;
581
582 if (sample->is_direct) {
583 uint32_t remaining_size = tex->base.size - p0;
584
585 if (p0 > tex->base.size - 4) {
586 DRM_ERROR("UBO offset greater than UBO size\n");
587 goto fail;
588 }
589 if (p1 > remaining_size - 4) {
590 DRM_ERROR("UBO clamp would allow reads "
591 "outside of UBO\n");
592 goto fail;
593 }
594 *validated_p0 = tex->paddr + p0;
595 return true;
596 }
597
598 if (width == 0)
599 width = 2048;
600 if (height == 0)
601 height = 2048;
602
603 if (p0 & VC4_TEX_P0_CMMODE_MASK) {
604 if (VC4_GET_FIELD(p2, VC4_TEX_P2_PTYPE) ==
605 VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE)
606 cube_map_stride = p2 & VC4_TEX_P2_CMST_MASK;
607 if (VC4_GET_FIELD(p3, VC4_TEX_P2_PTYPE) ==
608 VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE) {
609 if (cube_map_stride) {
610 DRM_ERROR("Cube map stride set twice\n");
611 goto fail;
612 }
613
614 cube_map_stride = p3 & VC4_TEX_P2_CMST_MASK;
615 }
616 if (!cube_map_stride) {
617 DRM_ERROR("Cube map stride not set\n");
618 goto fail;
619 }
620 }
621
622 type = (VC4_GET_FIELD(p0, VC4_TEX_P0_TYPE) |
623 (VC4_GET_FIELD(p1, VC4_TEX_P1_TYPE4) << 4));
624
625 switch (type) {
626 case VC4_TEXTURE_TYPE_RGBA8888:
627 case VC4_TEXTURE_TYPE_RGBX8888:
628 case VC4_TEXTURE_TYPE_RGBA32R:
629 cpp = 4;
630 break;
631 case VC4_TEXTURE_TYPE_RGBA4444:
632 case VC4_TEXTURE_TYPE_RGBA5551:
633 case VC4_TEXTURE_TYPE_RGB565:
634 case VC4_TEXTURE_TYPE_LUMALPHA:
635 case VC4_TEXTURE_TYPE_S16F:
636 case VC4_TEXTURE_TYPE_S16:
637 cpp = 2;
638 break;
639 case VC4_TEXTURE_TYPE_LUMINANCE:
640 case VC4_TEXTURE_TYPE_ALPHA:
641 case VC4_TEXTURE_TYPE_S8:
642 cpp = 1;
643 break;
644 case VC4_TEXTURE_TYPE_ETC1:
645 case VC4_TEXTURE_TYPE_BW1:
646 case VC4_TEXTURE_TYPE_A4:
647 case VC4_TEXTURE_TYPE_A1:
648 case VC4_TEXTURE_TYPE_RGBA64:
649 case VC4_TEXTURE_TYPE_YUV422R:
650 default:
651 DRM_ERROR("Texture format %d unsupported\n", type);
652 goto fail;
653 }
654 utile_w = utile_width(cpp);
655 utile_h = utile_height(cpp);
656
657 if (type == VC4_TEXTURE_TYPE_RGBA32R) {
658 tiling_format = VC4_TILING_FORMAT_LINEAR;
659 } else {
660 if (size_is_lt(width, height, cpp))
661 tiling_format = VC4_TILING_FORMAT_LT;
662 else
663 tiling_format = VC4_TILING_FORMAT_T;
664 }
665
666 if (!vc4_check_tex_size(exec, tex, offset + cube_map_stride * 5,
667 tiling_format, width, height, cpp)) {
668 goto fail;
669 }
670
671 /* The mipmap levels are stored before the base of the texture. Make
672 * sure there is actually space in the BO.
673 */
674 for (i = 1; i <= miplevels; i++) {
675 uint32_t level_width = max(width >> i, 1u);
676 uint32_t level_height = max(height >> i, 1u);
677 uint32_t aligned_width, aligned_height;
678 uint32_t level_size;
679
680 /* Once the levels get small enough, they drop from T to LT. */
681 if (tiling_format == VC4_TILING_FORMAT_T &&
682 size_is_lt(level_width, level_height, cpp)) {
683 tiling_format = VC4_TILING_FORMAT_LT;
684 }
685
686 switch (tiling_format) {
687 case VC4_TILING_FORMAT_T:
688 aligned_width = round_up(level_width, utile_w * 8);
689 aligned_height = round_up(level_height, utile_h * 8);
690 break;
691 case VC4_TILING_FORMAT_LT:
692 aligned_width = round_up(level_width, utile_w);
693 aligned_height = round_up(level_height, utile_h);
694 break;
695 default:
696 aligned_width = round_up(level_width, utile_w);
697 aligned_height = level_height;
698 break;
699 }
700
701 level_size = aligned_width * cpp * aligned_height;
702
703 if (offset < level_size) {
704 DRM_ERROR("Level %d (%dx%d -> %dx%d) size %db "
705 "overflowed buffer bounds (offset %d)\n",
706 i, level_width, level_height,
707 aligned_width, aligned_height,
708 level_size, offset);
709 goto fail;
710 }
711
712 offset -= level_size;
713 }
714
715 *validated_p0 = tex->paddr + p0;
716
717 return true;
718 fail:
719 DRM_INFO("Texture p0 at %d: 0x%08x\n", sample->p_offset[0], p0);
720 DRM_INFO("Texture p1 at %d: 0x%08x\n", sample->p_offset[1], p1);
721 DRM_INFO("Texture p2 at %d: 0x%08x\n", sample->p_offset[2], p2);
722 DRM_INFO("Texture p3 at %d: 0x%08x\n", sample->p_offset[3], p3);
723 return false;
724}
725
726static int
727validate_gl_shader_rec(struct drm_device *dev,
728 struct vc4_exec_info *exec,
729 struct vc4_shader_state *state)
730{
731 uint32_t *src_handles;
732 void *pkt_u, *pkt_v;
733 static const uint32_t shader_reloc_offsets[] = {
734 4, /* fs */
735 16, /* vs */
736 28, /* cs */
737 };
738 uint32_t shader_reloc_count = ARRAY_SIZE(shader_reloc_offsets);
739 struct drm_gem_cma_object *bo[shader_reloc_count + 8];
740 uint32_t nr_attributes, nr_relocs, packet_size;
741 int i;
742
743 nr_attributes = state->addr & 0x7;
744 if (nr_attributes == 0)
745 nr_attributes = 8;
746 packet_size = gl_shader_rec_size(state->addr);
747
748 nr_relocs = ARRAY_SIZE(shader_reloc_offsets) + nr_attributes;
749 if (nr_relocs * 4 > exec->shader_rec_size) {
750 DRM_ERROR("overflowed shader recs reading %d handles "
751 "from %d bytes left\n",
752 nr_relocs, exec->shader_rec_size);
753 return -EINVAL;
754 }
755 src_handles = exec->shader_rec_u;
756 exec->shader_rec_u += nr_relocs * 4;
757 exec->shader_rec_size -= nr_relocs * 4;
758
759 if (packet_size > exec->shader_rec_size) {
760 DRM_ERROR("overflowed shader recs copying %db packet "
761 "from %d bytes left\n",
762 packet_size, exec->shader_rec_size);
763 return -EINVAL;
764 }
765 pkt_u = exec->shader_rec_u;
766 pkt_v = exec->shader_rec_v;
767 memcpy(pkt_v, pkt_u, packet_size);
768 exec->shader_rec_u += packet_size;
769 /* Shader recs have to be aligned to 16 bytes (due to the attribute
770 * flags being in the low bytes), so round the next validated shader
771 * rec address up. This should be safe, since we've got so many
772 * relocations in a shader rec packet.
773 */
774 BUG_ON(roundup(packet_size, 16) - packet_size > nr_relocs * 4);
775 exec->shader_rec_v += roundup(packet_size, 16);
776 exec->shader_rec_size -= packet_size;
777
778 if (!(*(uint16_t *)pkt_u & VC4_SHADER_FLAG_FS_SINGLE_THREAD)) {
779 DRM_ERROR("Multi-threaded fragment shaders not supported.\n");
780 return -EINVAL;
781 }
782
783 for (i = 0; i < shader_reloc_count; i++) {
784 if (src_handles[i] > exec->bo_count) {
785 DRM_ERROR("Shader handle %d too big\n", src_handles[i]);
786 return -EINVAL;
787 }
788
789 bo[i] = exec->bo[src_handles[i]];
790 if (!bo[i])
791 return -EINVAL;
792 }
793 for (i = shader_reloc_count; i < nr_relocs; i++) {
794 bo[i] = vc4_use_bo(exec, src_handles[i]);
795 if (!bo[i])
796 return -EINVAL;
797 }
798
799 for (i = 0; i < shader_reloc_count; i++) {
800 struct vc4_validated_shader_info *validated_shader;
801 uint32_t o = shader_reloc_offsets[i];
802 uint32_t src_offset = *(uint32_t *)(pkt_u + o);
803 uint32_t *texture_handles_u;
804 void *uniform_data_u;
805 uint32_t tex;
806
807 *(uint32_t *)(pkt_v + o) = bo[i]->paddr + src_offset;
808
809 if (src_offset != 0) {
810 DRM_ERROR("Shaders must be at offset 0 of "
811 "the BO.\n");
812 return -EINVAL;
813 }
814
815 validated_shader = to_vc4_bo(&bo[i]->base)->validated_shader;
816 if (!validated_shader)
817 return -EINVAL;
818
819 if (validated_shader->uniforms_src_size >
820 exec->uniforms_size) {
821 DRM_ERROR("Uniforms src buffer overflow\n");
822 return -EINVAL;
823 }
824
825 texture_handles_u = exec->uniforms_u;
826 uniform_data_u = (texture_handles_u +
827 validated_shader->num_texture_samples);
828
829 memcpy(exec->uniforms_v, uniform_data_u,
830 validated_shader->uniforms_size);
831
832 for (tex = 0;
833 tex < validated_shader->num_texture_samples;
834 tex++) {
835 if (!reloc_tex(exec,
836 uniform_data_u,
837 &validated_shader->texture_samples[tex],
838 texture_handles_u[tex])) {
839 return -EINVAL;
840 }
841 }
842
843 *(uint32_t *)(pkt_v + o + 4) = exec->uniforms_p;
844
845 exec->uniforms_u += validated_shader->uniforms_src_size;
846 exec->uniforms_v += validated_shader->uniforms_size;
847 exec->uniforms_p += validated_shader->uniforms_size;
848 }
849
850 for (i = 0; i < nr_attributes; i++) {
851 struct drm_gem_cma_object *vbo =
852 bo[ARRAY_SIZE(shader_reloc_offsets) + i];
853 uint32_t o = 36 + i * 8;
854 uint32_t offset = *(uint32_t *)(pkt_u + o + 0);
855 uint32_t attr_size = *(uint8_t *)(pkt_u + o + 4) + 1;
856 uint32_t stride = *(uint8_t *)(pkt_u + o + 5);
857 uint32_t max_index;
858
859 if (state->addr & 0x8)
860 stride |= (*(uint32_t *)(pkt_u + 100 + i * 4)) & ~0xff;
861
862 if (vbo->base.size < offset ||
863 vbo->base.size - offset < attr_size) {
864 DRM_ERROR("BO offset overflow (%d + %d > %zu)\n",
865 offset, attr_size, vbo->base.size);
866 return -EINVAL;
867 }
868
869 if (stride != 0) {
870 max_index = ((vbo->base.size - offset - attr_size) /
871 stride);
872 if (state->max_index > max_index) {
873 DRM_ERROR("primitives use index %d out of "
874 "supplied %d\n",
875 state->max_index, max_index);
876 return -EINVAL;
877 }
878 }
879
880 *(uint32_t *)(pkt_v + o) = vbo->paddr + offset;
881 }
882
883 return 0;
884}
885
886int
887vc4_validate_shader_recs(struct drm_device *dev,
888 struct vc4_exec_info *exec)
889{
890 uint32_t i;
891 int ret = 0;
892
893 for (i = 0; i < exec->shader_state_count; i++) {
894 ret = validate_gl_shader_rec(dev, exec, &exec->shader_state[i]);
895 if (ret)
896 return ret;
897 }
898
899 return ret;
900}
1/*
2 * Copyright © 2014 Broadcom
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
13 * Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21 * IN THE SOFTWARE.
22 */
23
24/**
25 * DOC: Command list validator for VC4.
26 *
27 * Since the VC4 has no IOMMU between it and system memory, a user
28 * with access to execute command lists could escalate privilege by
29 * overwriting system memory (drawing to it as a framebuffer) or
30 * reading system memory it shouldn't (reading it as a vertex buffer
31 * or index buffer)
32 *
33 * We validate binner command lists to ensure that all accesses are
34 * within the bounds of the GEM objects referenced by the submitted
35 * job. It explicitly whitelists packets, and looks at the offsets in
36 * any address fields to make sure they're contained within the BOs
37 * they reference.
38 *
39 * Note that because CL validation is already reading the
40 * user-submitted CL and writing the validated copy out to the memory
41 * that the GPU will actually read, this is also where GEM relocation
42 * processing (turning BO references into actual addresses for the GPU
43 * to use) happens.
44 */
45
46#include "uapi/drm/vc4_drm.h"
47#include "vc4_drv.h"
48#include "vc4_packet.h"
49
50#define VALIDATE_ARGS \
51 struct vc4_exec_info *exec, \
52 void *validated, \
53 void *untrusted
54
55/** Return the width in pixels of a 64-byte microtile. */
56static uint32_t
57utile_width(int cpp)
58{
59 switch (cpp) {
60 case 1:
61 case 2:
62 return 8;
63 case 4:
64 return 4;
65 case 8:
66 return 2;
67 default:
68 pr_err("unknown cpp: %d\n", cpp);
69 return 1;
70 }
71}
72
73/** Return the height in pixels of a 64-byte microtile. */
74static uint32_t
75utile_height(int cpp)
76{
77 switch (cpp) {
78 case 1:
79 return 8;
80 case 2:
81 case 4:
82 case 8:
83 return 4;
84 default:
85 pr_err("unknown cpp: %d\n", cpp);
86 return 1;
87 }
88}
89
90/**
91 * size_is_lt() - Returns whether a miplevel of the given size will
92 * use the lineartile (LT) tiling layout rather than the normal T
93 * tiling layout.
94 * @width: Width in pixels of the miplevel
95 * @height: Height in pixels of the miplevel
96 * @cpp: Bytes per pixel of the pixel format
97 */
98static bool
99size_is_lt(uint32_t width, uint32_t height, int cpp)
100{
101 return (width <= 4 * utile_width(cpp) ||
102 height <= 4 * utile_height(cpp));
103}
104
105struct drm_gem_dma_object *
106vc4_use_bo(struct vc4_exec_info *exec, uint32_t hindex)
107{
108 struct vc4_dev *vc4 = exec->dev;
109 struct drm_gem_dma_object *obj;
110 struct vc4_bo *bo;
111
112 if (WARN_ON_ONCE(vc4->gen > VC4_GEN_4))
113 return NULL;
114
115 if (hindex >= exec->bo_count) {
116 DRM_DEBUG("BO index %d greater than BO count %d\n",
117 hindex, exec->bo_count);
118 return NULL;
119 }
120 obj = to_drm_gem_dma_obj(exec->bo[hindex]);
121 bo = to_vc4_bo(&obj->base);
122
123 if (bo->validated_shader) {
124 DRM_DEBUG("Trying to use shader BO as something other than "
125 "a shader\n");
126 return NULL;
127 }
128
129 return obj;
130}
131
132static struct drm_gem_dma_object *
133vc4_use_handle(struct vc4_exec_info *exec, uint32_t gem_handles_packet_index)
134{
135 return vc4_use_bo(exec, exec->bo_index[gem_handles_packet_index]);
136}
137
138static bool
139validate_bin_pos(struct vc4_exec_info *exec, void *untrusted, uint32_t pos)
140{
141 /* Note that the untrusted pointer passed to these functions is
142 * incremented past the packet byte.
143 */
144 return (untrusted - 1 == exec->bin_u + pos);
145}
146
147static uint32_t
148gl_shader_rec_size(uint32_t pointer_bits)
149{
150 uint32_t attribute_count = pointer_bits & 7;
151 bool extended = pointer_bits & 8;
152
153 if (attribute_count == 0)
154 attribute_count = 8;
155
156 if (extended)
157 return 100 + attribute_count * 4;
158 else
159 return 36 + attribute_count * 8;
160}
161
162bool
163vc4_check_tex_size(struct vc4_exec_info *exec, struct drm_gem_dma_object *fbo,
164 uint32_t offset, uint8_t tiling_format,
165 uint32_t width, uint32_t height, uint8_t cpp)
166{
167 struct vc4_dev *vc4 = exec->dev;
168 uint32_t aligned_width, aligned_height, stride, size;
169 uint32_t utile_w = utile_width(cpp);
170 uint32_t utile_h = utile_height(cpp);
171
172 if (WARN_ON_ONCE(vc4->gen > VC4_GEN_4))
173 return false;
174
175 /* The shaded vertex format stores signed 12.4 fixed point
176 * (-2048,2047) offsets from the viewport center, so we should
177 * never have a render target larger than 4096. The texture
178 * unit can only sample from 2048x2048, so it's even more
179 * restricted. This lets us avoid worrying about overflow in
180 * our math.
181 */
182 if (width > 4096 || height > 4096) {
183 DRM_DEBUG("Surface dimensions (%d,%d) too large",
184 width, height);
185 return false;
186 }
187
188 switch (tiling_format) {
189 case VC4_TILING_FORMAT_LINEAR:
190 aligned_width = round_up(width, utile_w);
191 aligned_height = height;
192 break;
193 case VC4_TILING_FORMAT_T:
194 aligned_width = round_up(width, utile_w * 8);
195 aligned_height = round_up(height, utile_h * 8);
196 break;
197 case VC4_TILING_FORMAT_LT:
198 aligned_width = round_up(width, utile_w);
199 aligned_height = round_up(height, utile_h);
200 break;
201 default:
202 DRM_DEBUG("buffer tiling %d unsupported\n", tiling_format);
203 return false;
204 }
205
206 stride = aligned_width * cpp;
207 size = stride * aligned_height;
208
209 if (size + offset < size ||
210 size + offset > fbo->base.size) {
211 DRM_DEBUG("Overflow in %dx%d (%dx%d) fbo size (%d + %d > %zd)\n",
212 width, height,
213 aligned_width, aligned_height,
214 size, offset, fbo->base.size);
215 return false;
216 }
217
218 return true;
219}
220
221static int
222validate_flush(VALIDATE_ARGS)
223{
224 if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 1)) {
225 DRM_DEBUG("Bin CL must end with VC4_PACKET_FLUSH\n");
226 return -EINVAL;
227 }
228 exec->found_flush = true;
229
230 return 0;
231}
232
233static int
234validate_start_tile_binning(VALIDATE_ARGS)
235{
236 if (exec->found_start_tile_binning_packet) {
237 DRM_DEBUG("Duplicate VC4_PACKET_START_TILE_BINNING\n");
238 return -EINVAL;
239 }
240 exec->found_start_tile_binning_packet = true;
241
242 if (!exec->found_tile_binning_mode_config_packet) {
243 DRM_DEBUG("missing VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
244 return -EINVAL;
245 }
246
247 return 0;
248}
249
250static int
251validate_increment_semaphore(VALIDATE_ARGS)
252{
253 if (!validate_bin_pos(exec, untrusted, exec->args->bin_cl_size - 2)) {
254 DRM_DEBUG("Bin CL must end with "
255 "VC4_PACKET_INCREMENT_SEMAPHORE\n");
256 return -EINVAL;
257 }
258 exec->found_increment_semaphore_packet = true;
259
260 return 0;
261}
262
263static int
264validate_indexed_prim_list(VALIDATE_ARGS)
265{
266 struct drm_gem_dma_object *ib;
267 uint32_t length = *(uint32_t *)(untrusted + 1);
268 uint32_t offset = *(uint32_t *)(untrusted + 5);
269 uint32_t max_index = *(uint32_t *)(untrusted + 9);
270 uint32_t index_size = (*(uint8_t *)(untrusted + 0) >> 4) ? 2 : 1;
271 struct vc4_shader_state *shader_state;
272
273 /* Check overflow condition */
274 if (exec->shader_state_count == 0) {
275 DRM_DEBUG("shader state must precede primitives\n");
276 return -EINVAL;
277 }
278 shader_state = &exec->shader_state[exec->shader_state_count - 1];
279
280 if (max_index > shader_state->max_index)
281 shader_state->max_index = max_index;
282
283 ib = vc4_use_handle(exec, 0);
284 if (!ib)
285 return -EINVAL;
286
287 exec->bin_dep_seqno = max(exec->bin_dep_seqno,
288 to_vc4_bo(&ib->base)->write_seqno);
289
290 if (offset > ib->base.size ||
291 (ib->base.size - offset) / index_size < length) {
292 DRM_DEBUG("IB access overflow (%d + %d*%d > %zd)\n",
293 offset, length, index_size, ib->base.size);
294 return -EINVAL;
295 }
296
297 *(uint32_t *)(validated + 5) = ib->dma_addr + offset;
298
299 return 0;
300}
301
302static int
303validate_gl_array_primitive(VALIDATE_ARGS)
304{
305 uint32_t length = *(uint32_t *)(untrusted + 1);
306 uint32_t base_index = *(uint32_t *)(untrusted + 5);
307 uint32_t max_index;
308 struct vc4_shader_state *shader_state;
309
310 /* Check overflow condition */
311 if (exec->shader_state_count == 0) {
312 DRM_DEBUG("shader state must precede primitives\n");
313 return -EINVAL;
314 }
315 shader_state = &exec->shader_state[exec->shader_state_count - 1];
316
317 if (length + base_index < length) {
318 DRM_DEBUG("primitive vertex count overflow\n");
319 return -EINVAL;
320 }
321 max_index = length + base_index - 1;
322
323 if (max_index > shader_state->max_index)
324 shader_state->max_index = max_index;
325
326 return 0;
327}
328
329static int
330validate_gl_shader_state(VALIDATE_ARGS)
331{
332 uint32_t i = exec->shader_state_count++;
333
334 if (i >= exec->shader_state_size) {
335 DRM_DEBUG("More requests for shader states than declared\n");
336 return -EINVAL;
337 }
338
339 exec->shader_state[i].addr = *(uint32_t *)untrusted;
340 exec->shader_state[i].max_index = 0;
341
342 if (exec->shader_state[i].addr & ~0xf) {
343 DRM_DEBUG("high bits set in GL shader rec reference\n");
344 return -EINVAL;
345 }
346
347 *(uint32_t *)validated = (exec->shader_rec_p +
348 exec->shader_state[i].addr);
349
350 exec->shader_rec_p +=
351 roundup(gl_shader_rec_size(exec->shader_state[i].addr), 16);
352
353 return 0;
354}
355
356static int
357validate_tile_binning_config(VALIDATE_ARGS)
358{
359 struct drm_device *dev = exec->exec_bo->base.dev;
360 struct vc4_dev *vc4 = to_vc4_dev(dev);
361 uint8_t flags;
362 uint32_t tile_state_size;
363 uint32_t tile_count, bin_addr;
364 int bin_slot;
365
366 if (exec->found_tile_binning_mode_config_packet) {
367 DRM_DEBUG("Duplicate VC4_PACKET_TILE_BINNING_MODE_CONFIG\n");
368 return -EINVAL;
369 }
370 exec->found_tile_binning_mode_config_packet = true;
371
372 exec->bin_tiles_x = *(uint8_t *)(untrusted + 12);
373 exec->bin_tiles_y = *(uint8_t *)(untrusted + 13);
374 tile_count = exec->bin_tiles_x * exec->bin_tiles_y;
375 flags = *(uint8_t *)(untrusted + 14);
376
377 if (exec->bin_tiles_x == 0 ||
378 exec->bin_tiles_y == 0) {
379 DRM_DEBUG("Tile binning config of %dx%d too small\n",
380 exec->bin_tiles_x, exec->bin_tiles_y);
381 return -EINVAL;
382 }
383
384 if (flags & (VC4_BIN_CONFIG_DB_NON_MS |
385 VC4_BIN_CONFIG_TILE_BUFFER_64BIT)) {
386 DRM_DEBUG("unsupported binning config flags 0x%02x\n", flags);
387 return -EINVAL;
388 }
389
390 bin_slot = vc4_v3d_get_bin_slot(vc4);
391 if (bin_slot < 0) {
392 if (bin_slot != -EINTR && bin_slot != -ERESTARTSYS) {
393 drm_err(dev, "Failed to allocate binner memory: %d\n",
394 bin_slot);
395 }
396 return bin_slot;
397 }
398
399 /* The slot we allocated will only be used by this job, and is
400 * free when the job completes rendering.
401 */
402 exec->bin_slots |= BIT(bin_slot);
403 bin_addr = vc4->bin_bo->base.dma_addr + bin_slot * vc4->bin_alloc_size;
404
405 /* The tile state data array is 48 bytes per tile, and we put it at
406 * the start of a BO containing both it and the tile alloc.
407 */
408 tile_state_size = 48 * tile_count;
409
410 /* Since the tile alloc array will follow us, align. */
411 exec->tile_alloc_offset = bin_addr + roundup(tile_state_size, 4096);
412
413 *(uint8_t *)(validated + 14) =
414 ((flags & ~(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_MASK |
415 VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_MASK)) |
416 VC4_BIN_CONFIG_AUTO_INIT_TSDA |
417 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE_32,
418 VC4_BIN_CONFIG_ALLOC_INIT_BLOCK_SIZE) |
419 VC4_SET_FIELD(VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE_128,
420 VC4_BIN_CONFIG_ALLOC_BLOCK_SIZE));
421
422 /* tile alloc address. */
423 *(uint32_t *)(validated + 0) = exec->tile_alloc_offset;
424 /* tile alloc size. */
425 *(uint32_t *)(validated + 4) = (bin_addr + vc4->bin_alloc_size -
426 exec->tile_alloc_offset);
427 /* tile state address. */
428 *(uint32_t *)(validated + 8) = bin_addr;
429
430 return 0;
431}
432
433static int
434validate_gem_handles(VALIDATE_ARGS)
435{
436 memcpy(exec->bo_index, untrusted, sizeof(exec->bo_index));
437 return 0;
438}
439
440#define VC4_DEFINE_PACKET(packet, func) \
441 [packet] = { packet ## _SIZE, #packet, func }
442
443static const struct cmd_info {
444 uint16_t len;
445 const char *name;
446 int (*func)(struct vc4_exec_info *exec, void *validated,
447 void *untrusted);
448} cmd_info[] = {
449 VC4_DEFINE_PACKET(VC4_PACKET_HALT, NULL),
450 VC4_DEFINE_PACKET(VC4_PACKET_NOP, NULL),
451 VC4_DEFINE_PACKET(VC4_PACKET_FLUSH, validate_flush),
452 VC4_DEFINE_PACKET(VC4_PACKET_FLUSH_ALL, NULL),
453 VC4_DEFINE_PACKET(VC4_PACKET_START_TILE_BINNING,
454 validate_start_tile_binning),
455 VC4_DEFINE_PACKET(VC4_PACKET_INCREMENT_SEMAPHORE,
456 validate_increment_semaphore),
457
458 VC4_DEFINE_PACKET(VC4_PACKET_GL_INDEXED_PRIMITIVE,
459 validate_indexed_prim_list),
460 VC4_DEFINE_PACKET(VC4_PACKET_GL_ARRAY_PRIMITIVE,
461 validate_gl_array_primitive),
462
463 VC4_DEFINE_PACKET(VC4_PACKET_PRIMITIVE_LIST_FORMAT, NULL),
464
465 VC4_DEFINE_PACKET(VC4_PACKET_GL_SHADER_STATE, validate_gl_shader_state),
466
467 VC4_DEFINE_PACKET(VC4_PACKET_CONFIGURATION_BITS, NULL),
468 VC4_DEFINE_PACKET(VC4_PACKET_FLAT_SHADE_FLAGS, NULL),
469 VC4_DEFINE_PACKET(VC4_PACKET_POINT_SIZE, NULL),
470 VC4_DEFINE_PACKET(VC4_PACKET_LINE_WIDTH, NULL),
471 VC4_DEFINE_PACKET(VC4_PACKET_RHT_X_BOUNDARY, NULL),
472 VC4_DEFINE_PACKET(VC4_PACKET_DEPTH_OFFSET, NULL),
473 VC4_DEFINE_PACKET(VC4_PACKET_CLIP_WINDOW, NULL),
474 VC4_DEFINE_PACKET(VC4_PACKET_VIEWPORT_OFFSET, NULL),
475 VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_XY_SCALING, NULL),
476 /* Note: The docs say this was also 105, but it was 106 in the
477 * initial userland code drop.
478 */
479 VC4_DEFINE_PACKET(VC4_PACKET_CLIPPER_Z_SCALING, NULL),
480
481 VC4_DEFINE_PACKET(VC4_PACKET_TILE_BINNING_MODE_CONFIG,
482 validate_tile_binning_config),
483
484 VC4_DEFINE_PACKET(VC4_PACKET_GEM_HANDLES, validate_gem_handles),
485};
486
487int
488vc4_validate_bin_cl(struct drm_device *dev,
489 void *validated,
490 void *unvalidated,
491 struct vc4_exec_info *exec)
492{
493 struct vc4_dev *vc4 = to_vc4_dev(dev);
494 uint32_t len = exec->args->bin_cl_size;
495 uint32_t dst_offset = 0;
496 uint32_t src_offset = 0;
497
498 if (WARN_ON_ONCE(vc4->gen > VC4_GEN_4))
499 return -ENODEV;
500
501 while (src_offset < len) {
502 void *dst_pkt = validated + dst_offset;
503 void *src_pkt = unvalidated + src_offset;
504 u8 cmd = *(uint8_t *)src_pkt;
505 const struct cmd_info *info;
506
507 if (cmd >= ARRAY_SIZE(cmd_info)) {
508 DRM_DEBUG("0x%08x: packet %d out of bounds\n",
509 src_offset, cmd);
510 return -EINVAL;
511 }
512
513 info = &cmd_info[cmd];
514 if (!info->name) {
515 DRM_DEBUG("0x%08x: packet %d invalid\n",
516 src_offset, cmd);
517 return -EINVAL;
518 }
519
520 if (src_offset + info->len > len) {
521 DRM_DEBUG("0x%08x: packet %d (%s) length 0x%08x "
522 "exceeds bounds (0x%08x)\n",
523 src_offset, cmd, info->name, info->len,
524 src_offset + len);
525 return -EINVAL;
526 }
527
528 if (cmd != VC4_PACKET_GEM_HANDLES)
529 memcpy(dst_pkt, src_pkt, info->len);
530
531 if (info->func && info->func(exec,
532 dst_pkt + 1,
533 src_pkt + 1)) {
534 DRM_DEBUG("0x%08x: packet %d (%s) failed to validate\n",
535 src_offset, cmd, info->name);
536 return -EINVAL;
537 }
538
539 src_offset += info->len;
540 /* GEM handle loading doesn't produce HW packets. */
541 if (cmd != VC4_PACKET_GEM_HANDLES)
542 dst_offset += info->len;
543
544 /* When the CL hits halt, it'll stop reading anything else. */
545 if (cmd == VC4_PACKET_HALT)
546 break;
547 }
548
549 exec->ct0ea = exec->ct0ca + dst_offset;
550
551 if (!exec->found_start_tile_binning_packet) {
552 DRM_DEBUG("Bin CL missing VC4_PACKET_START_TILE_BINNING\n");
553 return -EINVAL;
554 }
555
556 /* The bin CL must be ended with INCREMENT_SEMAPHORE and FLUSH. The
557 * semaphore is used to trigger the render CL to start up, and the
558 * FLUSH is what caps the bin lists with
559 * VC4_PACKET_RETURN_FROM_SUB_LIST (so they jump back to the main
560 * render CL when they get called to) and actually triggers the queued
561 * semaphore increment.
562 */
563 if (!exec->found_increment_semaphore_packet || !exec->found_flush) {
564 DRM_DEBUG("Bin CL missing VC4_PACKET_INCREMENT_SEMAPHORE + "
565 "VC4_PACKET_FLUSH\n");
566 return -EINVAL;
567 }
568
569 return 0;
570}
571
572static bool
573reloc_tex(struct vc4_exec_info *exec,
574 void *uniform_data_u,
575 struct vc4_texture_sample_info *sample,
576 uint32_t texture_handle_index, bool is_cs)
577{
578 struct drm_gem_dma_object *tex;
579 uint32_t p0 = *(uint32_t *)(uniform_data_u + sample->p_offset[0]);
580 uint32_t p1 = *(uint32_t *)(uniform_data_u + sample->p_offset[1]);
581 uint32_t p2 = (sample->p_offset[2] != ~0 ?
582 *(uint32_t *)(uniform_data_u + sample->p_offset[2]) : 0);
583 uint32_t p3 = (sample->p_offset[3] != ~0 ?
584 *(uint32_t *)(uniform_data_u + sample->p_offset[3]) : 0);
585 uint32_t *validated_p0 = exec->uniforms_v + sample->p_offset[0];
586 uint32_t offset = p0 & VC4_TEX_P0_OFFSET_MASK;
587 uint32_t miplevels = VC4_GET_FIELD(p0, VC4_TEX_P0_MIPLVLS);
588 uint32_t width = VC4_GET_FIELD(p1, VC4_TEX_P1_WIDTH);
589 uint32_t height = VC4_GET_FIELD(p1, VC4_TEX_P1_HEIGHT);
590 uint32_t cpp, tiling_format, utile_w, utile_h;
591 uint32_t i;
592 uint32_t cube_map_stride = 0;
593 enum vc4_texture_data_type type;
594
595 tex = vc4_use_bo(exec, texture_handle_index);
596 if (!tex)
597 return false;
598
599 if (sample->is_direct) {
600 uint32_t remaining_size = tex->base.size - p0;
601
602 if (p0 > tex->base.size - 4) {
603 DRM_DEBUG("UBO offset greater than UBO size\n");
604 goto fail;
605 }
606 if (p1 > remaining_size - 4) {
607 DRM_DEBUG("UBO clamp would allow reads "
608 "outside of UBO\n");
609 goto fail;
610 }
611 *validated_p0 = tex->dma_addr + p0;
612 return true;
613 }
614
615 if (width == 0)
616 width = 2048;
617 if (height == 0)
618 height = 2048;
619
620 if (p0 & VC4_TEX_P0_CMMODE_MASK) {
621 if (VC4_GET_FIELD(p2, VC4_TEX_P2_PTYPE) ==
622 VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE)
623 cube_map_stride = p2 & VC4_TEX_P2_CMST_MASK;
624 if (VC4_GET_FIELD(p3, VC4_TEX_P2_PTYPE) ==
625 VC4_TEX_P2_PTYPE_CUBE_MAP_STRIDE) {
626 if (cube_map_stride) {
627 DRM_DEBUG("Cube map stride set twice\n");
628 goto fail;
629 }
630
631 cube_map_stride = p3 & VC4_TEX_P2_CMST_MASK;
632 }
633 if (!cube_map_stride) {
634 DRM_DEBUG("Cube map stride not set\n");
635 goto fail;
636 }
637 }
638
639 type = (VC4_GET_FIELD(p0, VC4_TEX_P0_TYPE) |
640 (VC4_GET_FIELD(p1, VC4_TEX_P1_TYPE4) << 4));
641
642 switch (type) {
643 case VC4_TEXTURE_TYPE_RGBA8888:
644 case VC4_TEXTURE_TYPE_RGBX8888:
645 case VC4_TEXTURE_TYPE_RGBA32R:
646 cpp = 4;
647 break;
648 case VC4_TEXTURE_TYPE_RGBA4444:
649 case VC4_TEXTURE_TYPE_RGBA5551:
650 case VC4_TEXTURE_TYPE_RGB565:
651 case VC4_TEXTURE_TYPE_LUMALPHA:
652 case VC4_TEXTURE_TYPE_S16F:
653 case VC4_TEXTURE_TYPE_S16:
654 cpp = 2;
655 break;
656 case VC4_TEXTURE_TYPE_LUMINANCE:
657 case VC4_TEXTURE_TYPE_ALPHA:
658 case VC4_TEXTURE_TYPE_S8:
659 cpp = 1;
660 break;
661 case VC4_TEXTURE_TYPE_ETC1:
662 /* ETC1 is arranged as 64-bit blocks, where each block is 4x4
663 * pixels.
664 */
665 cpp = 8;
666 width = (width + 3) >> 2;
667 height = (height + 3) >> 2;
668 break;
669 case VC4_TEXTURE_TYPE_BW1:
670 case VC4_TEXTURE_TYPE_A4:
671 case VC4_TEXTURE_TYPE_A1:
672 case VC4_TEXTURE_TYPE_RGBA64:
673 case VC4_TEXTURE_TYPE_YUV422R:
674 default:
675 DRM_DEBUG("Texture format %d unsupported\n", type);
676 goto fail;
677 }
678 utile_w = utile_width(cpp);
679 utile_h = utile_height(cpp);
680
681 if (type == VC4_TEXTURE_TYPE_RGBA32R) {
682 tiling_format = VC4_TILING_FORMAT_LINEAR;
683 } else {
684 if (size_is_lt(width, height, cpp))
685 tiling_format = VC4_TILING_FORMAT_LT;
686 else
687 tiling_format = VC4_TILING_FORMAT_T;
688 }
689
690 if (!vc4_check_tex_size(exec, tex, offset + cube_map_stride * 5,
691 tiling_format, width, height, cpp)) {
692 goto fail;
693 }
694
695 /* The mipmap levels are stored before the base of the texture. Make
696 * sure there is actually space in the BO.
697 */
698 for (i = 1; i <= miplevels; i++) {
699 uint32_t level_width = max(width >> i, 1u);
700 uint32_t level_height = max(height >> i, 1u);
701 uint32_t aligned_width, aligned_height;
702 uint32_t level_size;
703
704 /* Once the levels get small enough, they drop from T to LT. */
705 if (tiling_format == VC4_TILING_FORMAT_T &&
706 size_is_lt(level_width, level_height, cpp)) {
707 tiling_format = VC4_TILING_FORMAT_LT;
708 }
709
710 switch (tiling_format) {
711 case VC4_TILING_FORMAT_T:
712 aligned_width = round_up(level_width, utile_w * 8);
713 aligned_height = round_up(level_height, utile_h * 8);
714 break;
715 case VC4_TILING_FORMAT_LT:
716 aligned_width = round_up(level_width, utile_w);
717 aligned_height = round_up(level_height, utile_h);
718 break;
719 default:
720 aligned_width = round_up(level_width, utile_w);
721 aligned_height = level_height;
722 break;
723 }
724
725 level_size = aligned_width * cpp * aligned_height;
726
727 if (offset < level_size) {
728 DRM_DEBUG("Level %d (%dx%d -> %dx%d) size %db "
729 "overflowed buffer bounds (offset %d)\n",
730 i, level_width, level_height,
731 aligned_width, aligned_height,
732 level_size, offset);
733 goto fail;
734 }
735
736 offset -= level_size;
737 }
738
739 *validated_p0 = tex->dma_addr + p0;
740
741 if (is_cs) {
742 exec->bin_dep_seqno = max(exec->bin_dep_seqno,
743 to_vc4_bo(&tex->base)->write_seqno);
744 }
745
746 return true;
747 fail:
748 DRM_INFO("Texture p0 at %d: 0x%08x\n", sample->p_offset[0], p0);
749 DRM_INFO("Texture p1 at %d: 0x%08x\n", sample->p_offset[1], p1);
750 DRM_INFO("Texture p2 at %d: 0x%08x\n", sample->p_offset[2], p2);
751 DRM_INFO("Texture p3 at %d: 0x%08x\n", sample->p_offset[3], p3);
752 return false;
753}
754
755static int
756validate_gl_shader_rec(struct drm_device *dev,
757 struct vc4_exec_info *exec,
758 struct vc4_shader_state *state)
759{
760 uint32_t *src_handles;
761 void *pkt_u, *pkt_v;
762 static const uint32_t shader_reloc_offsets[] = {
763 4, /* fs */
764 16, /* vs */
765 28, /* cs */
766 };
767 uint32_t shader_reloc_count = ARRAY_SIZE(shader_reloc_offsets);
768 struct drm_gem_dma_object *bo[ARRAY_SIZE(shader_reloc_offsets) + 8];
769 uint32_t nr_attributes, nr_relocs, packet_size;
770 int i;
771
772 nr_attributes = state->addr & 0x7;
773 if (nr_attributes == 0)
774 nr_attributes = 8;
775 packet_size = gl_shader_rec_size(state->addr);
776
777 nr_relocs = ARRAY_SIZE(shader_reloc_offsets) + nr_attributes;
778 if (nr_relocs * 4 > exec->shader_rec_size) {
779 DRM_DEBUG("overflowed shader recs reading %d handles "
780 "from %d bytes left\n",
781 nr_relocs, exec->shader_rec_size);
782 return -EINVAL;
783 }
784 src_handles = exec->shader_rec_u;
785 exec->shader_rec_u += nr_relocs * 4;
786 exec->shader_rec_size -= nr_relocs * 4;
787
788 if (packet_size > exec->shader_rec_size) {
789 DRM_DEBUG("overflowed shader recs copying %db packet "
790 "from %d bytes left\n",
791 packet_size, exec->shader_rec_size);
792 return -EINVAL;
793 }
794 pkt_u = exec->shader_rec_u;
795 pkt_v = exec->shader_rec_v;
796 memcpy(pkt_v, pkt_u, packet_size);
797 exec->shader_rec_u += packet_size;
798 /* Shader recs have to be aligned to 16 bytes (due to the attribute
799 * flags being in the low bytes), so round the next validated shader
800 * rec address up. This should be safe, since we've got so many
801 * relocations in a shader rec packet.
802 */
803 BUG_ON(roundup(packet_size, 16) - packet_size > nr_relocs * 4);
804 exec->shader_rec_v += roundup(packet_size, 16);
805 exec->shader_rec_size -= packet_size;
806
807 for (i = 0; i < shader_reloc_count; i++) {
808 if (src_handles[i] > exec->bo_count) {
809 DRM_DEBUG("Shader handle %d too big\n", src_handles[i]);
810 return -EINVAL;
811 }
812
813 bo[i] = to_drm_gem_dma_obj(exec->bo[src_handles[i]]);
814 if (!bo[i])
815 return -EINVAL;
816 }
817 for (i = shader_reloc_count; i < nr_relocs; i++) {
818 bo[i] = vc4_use_bo(exec, src_handles[i]);
819 if (!bo[i])
820 return -EINVAL;
821 }
822
823 if (((*(uint16_t *)pkt_u & VC4_SHADER_FLAG_FS_SINGLE_THREAD) == 0) !=
824 to_vc4_bo(&bo[0]->base)->validated_shader->is_threaded) {
825 DRM_DEBUG("Thread mode of CL and FS do not match\n");
826 return -EINVAL;
827 }
828
829 if (to_vc4_bo(&bo[1]->base)->validated_shader->is_threaded ||
830 to_vc4_bo(&bo[2]->base)->validated_shader->is_threaded) {
831 DRM_DEBUG("cs and vs cannot be threaded\n");
832 return -EINVAL;
833 }
834
835 for (i = 0; i < shader_reloc_count; i++) {
836 struct vc4_validated_shader_info *validated_shader;
837 uint32_t o = shader_reloc_offsets[i];
838 uint32_t src_offset = *(uint32_t *)(pkt_u + o);
839 uint32_t *texture_handles_u;
840 void *uniform_data_u;
841 uint32_t tex, uni;
842
843 *(uint32_t *)(pkt_v + o) = bo[i]->dma_addr + src_offset;
844
845 if (src_offset != 0) {
846 DRM_DEBUG("Shaders must be at offset 0 of "
847 "the BO.\n");
848 return -EINVAL;
849 }
850
851 validated_shader = to_vc4_bo(&bo[i]->base)->validated_shader;
852 if (!validated_shader)
853 return -EINVAL;
854
855 if (validated_shader->uniforms_src_size >
856 exec->uniforms_size) {
857 DRM_DEBUG("Uniforms src buffer overflow\n");
858 return -EINVAL;
859 }
860
861 texture_handles_u = exec->uniforms_u;
862 uniform_data_u = (texture_handles_u +
863 validated_shader->num_texture_samples);
864
865 memcpy(exec->uniforms_v, uniform_data_u,
866 validated_shader->uniforms_size);
867
868 for (tex = 0;
869 tex < validated_shader->num_texture_samples;
870 tex++) {
871 if (!reloc_tex(exec,
872 uniform_data_u,
873 &validated_shader->texture_samples[tex],
874 texture_handles_u[tex],
875 i == 2)) {
876 return -EINVAL;
877 }
878 }
879
880 /* Fill in the uniform slots that need this shader's
881 * start-of-uniforms address (used for resetting the uniform
882 * stream in the presence of control flow).
883 */
884 for (uni = 0;
885 uni < validated_shader->num_uniform_addr_offsets;
886 uni++) {
887 uint32_t o = validated_shader->uniform_addr_offsets[uni];
888 ((uint32_t *)exec->uniforms_v)[o] = exec->uniforms_p;
889 }
890
891 *(uint32_t *)(pkt_v + o + 4) = exec->uniforms_p;
892
893 exec->uniforms_u += validated_shader->uniforms_src_size;
894 exec->uniforms_v += validated_shader->uniforms_size;
895 exec->uniforms_p += validated_shader->uniforms_size;
896 }
897
898 for (i = 0; i < nr_attributes; i++) {
899 struct drm_gem_dma_object *vbo =
900 bo[ARRAY_SIZE(shader_reloc_offsets) + i];
901 uint32_t o = 36 + i * 8;
902 uint32_t offset = *(uint32_t *)(pkt_u + o + 0);
903 uint32_t attr_size = *(uint8_t *)(pkt_u + o + 4) + 1;
904 uint32_t stride = *(uint8_t *)(pkt_u + o + 5);
905 uint32_t max_index;
906
907 exec->bin_dep_seqno = max(exec->bin_dep_seqno,
908 to_vc4_bo(&vbo->base)->write_seqno);
909
910 if (state->addr & 0x8)
911 stride |= (*(uint32_t *)(pkt_u + 100 + i * 4)) & ~0xff;
912
913 if (vbo->base.size < offset ||
914 vbo->base.size - offset < attr_size) {
915 DRM_DEBUG("BO offset overflow (%d + %d > %zu)\n",
916 offset, attr_size, vbo->base.size);
917 return -EINVAL;
918 }
919
920 if (stride != 0) {
921 max_index = ((vbo->base.size - offset - attr_size) /
922 stride);
923 if (state->max_index > max_index) {
924 DRM_DEBUG("primitives use index %d out of "
925 "supplied %d\n",
926 state->max_index, max_index);
927 return -EINVAL;
928 }
929 }
930
931 *(uint32_t *)(pkt_v + o) = vbo->dma_addr + offset;
932 }
933
934 return 0;
935}
936
937int
938vc4_validate_shader_recs(struct drm_device *dev,
939 struct vc4_exec_info *exec)
940{
941 struct vc4_dev *vc4 = to_vc4_dev(dev);
942 uint32_t i;
943 int ret = 0;
944
945 if (WARN_ON_ONCE(vc4->gen > VC4_GEN_4))
946 return -ENODEV;
947
948 for (i = 0; i < exec->shader_state_count; i++) {
949 ret = validate_gl_shader_rec(dev, exec, &exec->shader_state[i]);
950 if (ret)
951 return ret;
952 }
953
954 return ret;
955}