2 * SPDX-License-Identifier: MIT
4 * Copyright © 2008,2010 Intel Corporation
7 #include <linux/dma-resv.h>
8 #include <linux/highmem.h>
9 #include <linux/sync_file.h>
10 #include <linux/uaccess.h>
12 #include <drm/drm_auth.h>
13 #include <drm/drm_syncobj.h>
15 #include "display/intel_frontbuffer.h"
17 #include "gem/i915_gem_ioctls.h"
18 #include "gt/intel_context.h"
19 #include "gt/intel_gpu_commands.h"
20 #include "gt/intel_gt.h"
21 #include "gt/intel_gt_buffer_pool.h"
22 #include "gt/intel_gt_pm.h"
23 #include "gt/intel_ring.h"
25 #include "pxp/intel_pxp.h"
27 #include "i915_cmd_parser.h"
29 #include "i915_file_private.h"
30 #include "i915_gem_clflush.h"
31 #include "i915_gem_context.h"
32 #include "i915_gem_evict.h"
33 #include "i915_gem_ioctls.h"
35 #include "i915_trace.h"
36 #include "i915_user_extensions.h"
42 /** This vma's place in the execbuf reservation list */
43 struct drm_i915_gem_exec_object2 *exec;
44 struct list_head bind_link;
45 struct list_head reloc_link;
47 struct hlist_node node;
55 #define DBG_FORCE_RELOC 0 /* choose one of the above! */
58 /* __EXEC_OBJECT_ flags > BIT(29) defined in i915_vma.h */
59 #define __EXEC_OBJECT_HAS_PIN BIT(29)
60 #define __EXEC_OBJECT_HAS_FENCE BIT(28)
61 #define __EXEC_OBJECT_USERPTR_INIT BIT(27)
62 #define __EXEC_OBJECT_NEEDS_MAP BIT(26)
63 #define __EXEC_OBJECT_NEEDS_BIAS BIT(25)
64 #define __EXEC_OBJECT_INTERNAL_FLAGS (~0u << 25) /* all of the above + */
65 #define __EXEC_OBJECT_RESERVED (__EXEC_OBJECT_HAS_PIN | __EXEC_OBJECT_HAS_FENCE)
67 #define __EXEC_HAS_RELOC BIT(31)
68 #define __EXEC_ENGINE_PINNED BIT(30)
69 #define __EXEC_USERPTR_USED BIT(29)
70 #define __EXEC_INTERNAL_FLAGS (~0u << 29)
71 #define UPDATE PIN_OFFSET_FIXED
73 #define BATCH_OFFSET_BIAS (256*1024)
75 #define __I915_EXEC_ILLEGAL_FLAGS \
76 (__I915_EXEC_UNKNOWN_FLAGS | \
77 I915_EXEC_CONSTANTS_MASK | \
78 I915_EXEC_RESOURCE_STREAMER)
80 /* Catch emission of unexpected errors for CI! */
81 #if IS_ENABLED(CONFIG_DRM_I915_DEBUG_GEM)
84 DRM_DEBUG_DRIVER("EINVAL at %s:%d\n", __func__, __LINE__); \
90 * DOC: User command execution
92 * Userspace submits commands to be executed on the GPU as an instruction
93 * stream within a GEM object we call a batchbuffer. This instructions may
94 * refer to other GEM objects containing auxiliary state such as kernels,
95 * samplers, render targets and even secondary batchbuffers. Userspace does
96 * not know where in the GPU memory these objects reside and so before the
97 * batchbuffer is passed to the GPU for execution, those addresses in the
98 * batchbuffer and auxiliary objects are updated. This is known as relocation,
99 * or patching. To try and avoid having to relocate each object on the next
100 * execution, userspace is told the location of those objects in this pass,
101 * but this remains just a hint as the kernel may choose a new location for
102 * any object in the future.
104 * At the level of talking to the hardware, submitting a batchbuffer for the
105 * GPU to execute is to add content to a buffer from which the HW
106 * command streamer is reading.
108 * 1. Add a command to load the HW context. For Logical Ring Contexts, i.e.
109 * Execlists, this command is not placed on the same buffer as the
112 * 2. Add a command to invalidate caches to the buffer.
114 * 3. Add a batchbuffer start command to the buffer; the start command is
115 * essentially a token together with the GPU address of the batchbuffer
118 * 4. Add a pipeline flush to the buffer.
120 * 5. Add a memory write command to the buffer to record when the GPU
121 * is done executing the batchbuffer. The memory write writes the
122 * global sequence number of the request, ``i915_request::global_seqno``;
123 * the i915 driver uses the current value in the register to determine
124 * if the GPU has completed the batchbuffer.
126 * 6. Add a user interrupt command to the buffer. This command instructs
127 * the GPU to issue an interrupt when the command, pipeline flush and
128 * memory write are completed.
130 * 7. Inform the hardware of the additional commands added to the buffer
131 * (by updating the tail pointer).
133 * Processing an execbuf ioctl is conceptually split up into a few phases.
135 * 1. Validation - Ensure all the pointers, handles and flags are valid.
136 * 2. Reservation - Assign GPU address space for every object
137 * 3. Relocation - Update any addresses to point to the final locations
138 * 4. Serialisation - Order the request with respect to its dependencies
139 * 5. Construction - Construct a request to execute the batchbuffer
140 * 6. Submission (at some point in the future execution)
142 * Reserving resources for the execbuf is the most complicated phase. We
143 * neither want to have to migrate the object in the address space, nor do
144 * we want to have to update any relocations pointing to this object. Ideally,
145 * we want to leave the object where it is and for all the existing relocations
146 * to match. If the object is given a new address, or if userspace thinks the
147 * object is elsewhere, we have to parse all the relocation entries and update
148 * the addresses. Userspace can set the I915_EXEC_NORELOC flag to hint that
149 * all the target addresses in all of its objects match the value in the
150 * relocation entries and that they all match the presumed offsets given by the
151 * list of execbuffer objects. Using this knowledge, we know that if we haven't
152 * moved any buffers, all the relocation entries are valid and we can skip
153 * the update. (If userspace is wrong, the likely outcome is an impromptu GPU
154 * hang.) The requirement for using I915_EXEC_NO_RELOC are:
156 * The addresses written in the objects must match the corresponding
157 * reloc.presumed_offset which in turn must match the corresponding
160 * Any render targets written to in the batch must be flagged with
163 * To avoid stalling, execobject.offset should match the current
164 * address of that object within the active context.
166 * The reservation is done is multiple phases. First we try and keep any
167 * object already bound in its current location - so as long as meets the
168 * constraints imposed by the new execbuffer. Any object left unbound after the
169 * first pass is then fitted into any available idle space. If an object does
170 * not fit, all objects are removed from the reservation and the process rerun
171 * after sorting the objects into a priority order (more difficult to fit
172 * objects are tried first). Failing that, the entire VM is cleared and we try
173 * to fit the execbuf once last time before concluding that it simply will not
176 * A small complication to all of this is that we allow userspace not only to
177 * specify an alignment and a size for the object in the address space, but
178 * we also allow userspace to specify the exact offset. This objects are
179 * simpler to place (the location is known a priori) all we have to do is make
180 * sure the space is available.
182 * Once all the objects are in place, patching up the buried pointers to point
183 * to the final locations is a fairly simple job of walking over the relocation
184 * entry arrays, looking up the right address and rewriting the value into
185 * the object. Simple! ... The relocation entries are stored in user memory
186 * and so to access them we have to copy them into a local buffer. That copy
187 * has to avoid taking any pagefaults as they may lead back to a GEM object
188 * requiring the struct_mutex (i.e. recursive deadlock). So once again we split
189 * the relocation into multiple passes. First we try to do everything within an
190 * atomic context (avoid the pagefaults) which requires that we never wait. If
191 * we detect that we may wait, or if we need to fault, then we have to fallback
192 * to a slower path. The slowpath has to drop the mutex. (Can you hear alarm
193 * bells yet?) Dropping the mutex means that we lose all the state we have
194 * built up so far for the execbuf and we must reset any global data. However,
195 * we do leave the objects pinned in their final locations - which is a
196 * potential issue for concurrent execbufs. Once we have left the mutex, we can
197 * allocate and copy all the relocation entries into a large array at our
198 * leisure, reacquire the mutex, reclaim all the objects and other state and
199 * then proceed to update any incorrect addresses with the objects.
201 * As we process the relocation entries, we maintain a record of whether the
202 * object is being written to. Using NORELOC, we expect userspace to provide
203 * this information instead. We also check whether we can skip the relocation
204 * by comparing the expected value inside the relocation entry with the target's
205 * final address. If they differ, we have to map the current object and rewrite
206 * the 4 or 8 byte pointer within.
208 * Serialising an execbuf is quite simple according to the rules of the GEM
209 * ABI. Execution within each context is ordered by the order of submission.
210 * Writes to any GEM object are in order of submission and are exclusive. Reads
211 * from a GEM object are unordered with respect to other reads, but ordered by
212 * writes. A write submitted after a read cannot occur before the read, and
213 * similarly any read submitted after a write cannot occur before the write.
214 * Writes are ordered between engines such that only one write occurs at any
215 * time (completing any reads beforehand) - using semaphores where available
216 * and CPU serialisation otherwise. Other GEM access obey the same rules, any
217 * write (either via mmaps using set-domain, or via pwrite) must flush all GPU
218 * reads before starting, and any read (either using set-domain or pread) must
219 * flush all GPU writes before starting. (Note we only employ a barrier before,
220 * we currently rely on userspace not concurrently starting a new execution
221 * whilst reading or writing to an object. This may be an advantage or not
222 * depending on how much you trust userspace not to shoot themselves in the
223 * foot.) Serialisation may just result in the request being inserted into
224 * a DAG awaiting its turn, but most simple is to wait on the CPU until
225 * all dependencies are resolved.
227 * After all of that, is just a matter of closing the request and handing it to
228 * the hardware (well, leaving it in a queue to be executed). However, we also
229 * offer the ability for batchbuffers to be run with elevated privileges so
230 * that they access otherwise hidden registers. (Used to adjust L3 cache etc.)
231 * Before any batch is given extra privileges we first must check that it
232 * contains no nefarious instructions, we check that each instruction is from
233 * our whitelist and all registers are also from an allowed list. We first
234 * copy the user's batchbuffer to a shadow (so that the user doesn't have
235 * access to it, either by the CPU or GPU as we scan it) and then parse each
236 * instruction. If everything is ok, we set a flag telling the hardware to run
237 * the batchbuffer in trusted mode, otherwise the ioctl is rejected.
241 struct drm_syncobj *syncobj; /* Use with ptr_mask_bits() */
242 struct dma_fence *dma_fence;
244 struct dma_fence_chain *chain_fence;
247 struct i915_execbuffer {
248 struct drm_i915_private *i915; /** i915 backpointer */
249 struct drm_file *file; /** per-file lookup tables and limits */
250 struct drm_i915_gem_execbuffer2 *args; /** ioctl parameters */
251 struct drm_i915_gem_exec_object2 *exec; /** ioctl execobj[] */
254 struct intel_gt *gt; /* gt for the execbuf */
255 struct intel_context *context; /* logical state for the request */
256 struct i915_gem_context *gem_context; /** caller's context */
257 intel_wakeref_t wakeref;
258 intel_wakeref_t wakeref_gt0;
260 /** our requests to build */
261 struct i915_request *requests[MAX_ENGINE_INSTANCE + 1];
262 /** identity of the batch obj/vma */
263 struct eb_vma *batches[MAX_ENGINE_INSTANCE + 1];
264 struct i915_vma *trampoline; /** trampoline used for chaining */
266 /** used for excl fence in dma_resv objects when > 1 BB submitted */
267 struct dma_fence *composite_fence;
269 /** actual size of execobj[] as we may extend it for the cmdparser */
270 unsigned int buffer_count;
272 /* number of batches in execbuf IOCTL */
273 unsigned int num_batches;
275 /** list of vma not yet bound during reservation phase */
276 struct list_head unbound;
278 /** list of vma that have execobj.relocation_count */
279 struct list_head relocs;
281 struct i915_gem_ww_ctx ww;
284 * Track the most recently used object for relocations, as we
285 * frequently have to perform multiple relocations within the same
289 struct drm_mm_node node; /** temporary GTT binding */
290 unsigned long vaddr; /** Current kmap address */
291 unsigned long page; /** Currently mapped page index */
292 unsigned int graphics_ver; /** Cached value of GRAPHICS_VER */
293 bool use_64bit_reloc : 1;
296 bool needs_unfenced : 1;
299 u64 invalid_flags; /** Set of execobj.flags that are invalid */
301 /** Length of batch within object */
302 u64 batch_len[MAX_ENGINE_INSTANCE + 1];
303 u32 batch_start_offset; /** Location within object of batch */
304 u32 batch_flags; /** Flags composed for emit_bb_start() */
305 struct intel_gt_buffer_pool_node *batch_pool; /** pool node for batch buffer */
308 * Indicate either the size of the hastable used to resolve
309 * relocation handles, or if negative that we are using a direct
310 * index into the execobj[].
313 struct hlist_head *buckets; /** ht for relocation handles */
315 struct eb_fence *fences;
316 unsigned long num_fences;
317 #if IS_ENABLED(CONFIG_DRM_I915_CAPTURE_ERROR)
318 struct i915_capture_list *capture_lists[MAX_ENGINE_INSTANCE + 1];
322 static int eb_parse(struct i915_execbuffer *eb);
323 static int eb_pin_engine(struct i915_execbuffer *eb, bool throttle);
324 static void eb_unpin_engine(struct i915_execbuffer *eb);
325 static void eb_capture_release(struct i915_execbuffer *eb);
327 static bool eb_use_cmdparser(const struct i915_execbuffer *eb)
329 return intel_engine_requires_cmd_parser(eb->context->engine) ||
330 (intel_engine_using_cmd_parser(eb->context->engine) &&
331 eb->args->batch_len);
334 static int eb_create(struct i915_execbuffer *eb)
336 if (!(eb->args->flags & I915_EXEC_HANDLE_LUT)) {
337 unsigned int size = 1 + ilog2(eb->buffer_count);
340 * Without a 1:1 association between relocation handles and
341 * the execobject[] index, we instead create a hashtable.
342 * We size it dynamically based on available memory, starting
343 * first with 1:1 assocative hash and scaling back until
344 * the allocation succeeds.
346 * Later on we use a positive lut_size to indicate we are
347 * using this hashtable, and a negative value to indicate a
353 /* While we can still reduce the allocation size, don't
354 * raise a warning and allow the allocation to fail.
355 * On the last pass though, we want to try as hard
356 * as possible to perform the allocation and warn
361 flags |= __GFP_NORETRY | __GFP_NOWARN;
363 eb->buckets = kzalloc(sizeof(struct hlist_head) << size,
374 eb->lut_size = -eb->buffer_count;
381 eb_vma_misplaced(const struct drm_i915_gem_exec_object2 *entry,
382 const struct i915_vma *vma,
385 const u64 start = i915_vma_offset(vma);
386 const u64 size = i915_vma_size(vma);
388 if (size < entry->pad_to_size)
391 if (entry->alignment && !IS_ALIGNED(start, entry->alignment))
394 if (flags & EXEC_OBJECT_PINNED &&
395 start != entry->offset)
398 if (flags & __EXEC_OBJECT_NEEDS_BIAS &&
399 start < BATCH_OFFSET_BIAS)
402 if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS) &&
403 (start + size + 4095) >> 32)
406 if (flags & __EXEC_OBJECT_NEEDS_MAP &&
407 !i915_vma_is_map_and_fenceable(vma))
413 static u64 eb_pin_flags(const struct drm_i915_gem_exec_object2 *entry,
414 unsigned int exec_flags)
418 if (exec_flags & EXEC_OBJECT_NEEDS_GTT)
419 pin_flags |= PIN_GLOBAL;
422 * Wa32bitGeneralStateOffset & Wa32bitInstructionBaseOffset,
423 * limit address to the first 4GBs for unflagged objects.
425 if (!(exec_flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS))
426 pin_flags |= PIN_ZONE_4G;
428 if (exec_flags & __EXEC_OBJECT_NEEDS_MAP)
429 pin_flags |= PIN_MAPPABLE;
431 if (exec_flags & EXEC_OBJECT_PINNED)
432 pin_flags |= entry->offset | PIN_OFFSET_FIXED;
433 else if (exec_flags & __EXEC_OBJECT_NEEDS_BIAS)
434 pin_flags |= BATCH_OFFSET_BIAS | PIN_OFFSET_BIAS;
440 eb_pin_vma(struct i915_execbuffer *eb,
441 const struct drm_i915_gem_exec_object2 *entry,
444 struct i915_vma *vma = ev->vma;
449 pin_flags = __i915_vma_offset(vma);
451 pin_flags = entry->offset & PIN_OFFSET_MASK;
453 pin_flags |= PIN_USER | PIN_NOEVICT | PIN_OFFSET_FIXED | PIN_VALIDATE;
454 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_GTT))
455 pin_flags |= PIN_GLOBAL;
457 /* Attempt to reuse the current location if available */
458 err = i915_vma_pin_ww(vma, &eb->ww, 0, 0, pin_flags);
463 if (entry->flags & EXEC_OBJECT_PINNED)
466 /* Failing that pick any _free_ space if suitable */
467 err = i915_vma_pin_ww(vma, &eb->ww,
470 eb_pin_flags(entry, ev->flags) |
471 PIN_USER | PIN_NOEVICT | PIN_VALIDATE);
476 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_FENCE)) {
477 err = i915_vma_pin_fence(vma);
482 ev->flags |= __EXEC_OBJECT_HAS_FENCE;
485 ev->flags |= __EXEC_OBJECT_HAS_PIN;
486 if (eb_vma_misplaced(entry, vma, ev->flags))
493 eb_unreserve_vma(struct eb_vma *ev)
495 if (unlikely(ev->flags & __EXEC_OBJECT_HAS_FENCE))
496 __i915_vma_unpin_fence(ev->vma);
498 ev->flags &= ~__EXEC_OBJECT_RESERVED;
502 eb_validate_vma(struct i915_execbuffer *eb,
503 struct drm_i915_gem_exec_object2 *entry,
504 struct i915_vma *vma)
506 /* Relocations are disallowed for all platforms after TGL-LP. This
507 * also covers all platforms with local memory.
509 if (entry->relocation_count &&
510 GRAPHICS_VER(eb->i915) >= 12 && !IS_TIGERLAKE(eb->i915))
513 if (unlikely(entry->flags & eb->invalid_flags))
516 if (unlikely(entry->alignment &&
517 !is_power_of_2_u64(entry->alignment)))
521 * Offset can be used as input (EXEC_OBJECT_PINNED), reject
522 * any non-page-aligned or non-canonical addresses.
524 if (unlikely(entry->flags & EXEC_OBJECT_PINNED &&
525 entry->offset != gen8_canonical_addr(entry->offset & I915_GTT_PAGE_MASK)))
528 /* pad_to_size was once a reserved field, so sanitize it */
529 if (entry->flags & EXEC_OBJECT_PAD_TO_SIZE) {
530 if (unlikely(offset_in_page(entry->pad_to_size)))
533 entry->pad_to_size = 0;
536 * From drm_mm perspective address space is continuous,
537 * so from this point we're always using non-canonical
540 entry->offset = gen8_noncanonical_addr(entry->offset);
542 if (!eb->reloc_cache.has_fence) {
543 entry->flags &= ~EXEC_OBJECT_NEEDS_FENCE;
545 if ((entry->flags & EXEC_OBJECT_NEEDS_FENCE ||
546 eb->reloc_cache.needs_unfenced) &&
547 i915_gem_object_is_tiled(vma->obj))
548 entry->flags |= EXEC_OBJECT_NEEDS_GTT | __EXEC_OBJECT_NEEDS_MAP;
555 is_batch_buffer(struct i915_execbuffer *eb, unsigned int buffer_idx)
557 return eb->args->flags & I915_EXEC_BATCH_FIRST ?
558 buffer_idx < eb->num_batches :
559 buffer_idx >= eb->args->buffer_count - eb->num_batches;
563 eb_add_vma(struct i915_execbuffer *eb,
564 unsigned int *current_batch,
566 struct i915_vma *vma)
568 struct drm_i915_private *i915 = eb->i915;
569 struct drm_i915_gem_exec_object2 *entry = &eb->exec[i];
570 struct eb_vma *ev = &eb->vma[i];
574 ev->flags = entry->flags;
576 if (eb->lut_size > 0) {
577 ev->handle = entry->handle;
578 hlist_add_head(&ev->node,
579 &eb->buckets[hash_32(entry->handle,
583 if (entry->relocation_count)
584 list_add_tail(&ev->reloc_link, &eb->relocs);
587 * SNA is doing fancy tricks with compressing batch buffers, which leads
588 * to negative relocation deltas. Usually that works out ok since the
589 * relocate address is still positive, except when the batch is placed
590 * very low in the GTT. Ensure this doesn't happen.
592 * Note that actual hangs have only been observed on gen7, but for
593 * paranoia do it everywhere.
595 if (is_batch_buffer(eb, i)) {
596 if (entry->relocation_count &&
597 !(ev->flags & EXEC_OBJECT_PINNED))
598 ev->flags |= __EXEC_OBJECT_NEEDS_BIAS;
599 if (eb->reloc_cache.has_fence)
600 ev->flags |= EXEC_OBJECT_NEEDS_FENCE;
602 eb->batches[*current_batch] = ev;
604 if (unlikely(ev->flags & EXEC_OBJECT_WRITE)) {
606 "Attempting to use self-modifying batch buffer\n");
610 if (range_overflows_t(u64,
611 eb->batch_start_offset,
614 drm_dbg(&i915->drm, "Attempting to use out-of-bounds batch\n");
618 if (eb->args->batch_len == 0)
619 eb->batch_len[*current_batch] = ev->vma->size -
620 eb->batch_start_offset;
622 eb->batch_len[*current_batch] = eb->args->batch_len;
623 if (unlikely(eb->batch_len[*current_batch] == 0)) { /* impossible! */
624 drm_dbg(&i915->drm, "Invalid batch length\n");
634 static int use_cpu_reloc(const struct reloc_cache *cache,
635 const struct drm_i915_gem_object *obj)
637 if (!i915_gem_object_has_struct_page(obj))
640 if (DBG_FORCE_RELOC == FORCE_CPU_RELOC)
643 if (DBG_FORCE_RELOC == FORCE_GTT_RELOC)
647 * For objects created by userspace through GEM_CREATE with pat_index
648 * set by set_pat extension, i915_gem_object_has_cache_level() always
649 * return true, otherwise the call would fall back to checking whether
650 * the object is un-cached.
652 return (cache->has_llc ||
654 !i915_gem_object_has_cache_level(obj, I915_CACHE_NONE));
657 static int eb_reserve_vma(struct i915_execbuffer *eb,
661 struct drm_i915_gem_exec_object2 *entry = ev->exec;
662 struct i915_vma *vma = ev->vma;
665 if (drm_mm_node_allocated(&vma->node) &&
666 eb_vma_misplaced(entry, vma, ev->flags)) {
667 err = i915_vma_unbind(vma);
672 err = i915_vma_pin_ww(vma, &eb->ww,
673 entry->pad_to_size, entry->alignment,
674 eb_pin_flags(entry, ev->flags) | pin_flags);
678 if (entry->offset != i915_vma_offset(vma)) {
679 entry->offset = i915_vma_offset(vma) | UPDATE;
680 eb->args->flags |= __EXEC_HAS_RELOC;
683 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_FENCE)) {
684 err = i915_vma_pin_fence(vma);
689 ev->flags |= __EXEC_OBJECT_HAS_FENCE;
692 ev->flags |= __EXEC_OBJECT_HAS_PIN;
693 GEM_BUG_ON(eb_vma_misplaced(entry, vma, ev->flags));
698 static bool eb_unbind(struct i915_execbuffer *eb, bool force)
700 const unsigned int count = eb->buffer_count;
702 struct list_head last;
703 bool unpinned = false;
705 /* Resort *all* the objects into priority order */
706 INIT_LIST_HEAD(&eb->unbound);
707 INIT_LIST_HEAD(&last);
709 for (i = 0; i < count; i++) {
710 struct eb_vma *ev = &eb->vma[i];
711 unsigned int flags = ev->flags;
713 if (!force && flags & EXEC_OBJECT_PINNED &&
714 flags & __EXEC_OBJECT_HAS_PIN)
718 eb_unreserve_vma(ev);
720 if (flags & EXEC_OBJECT_PINNED)
721 /* Pinned must have their slot */
722 list_add(&ev->bind_link, &eb->unbound);
723 else if (flags & __EXEC_OBJECT_NEEDS_MAP)
724 /* Map require the lowest 256MiB (aperture) */
725 list_add_tail(&ev->bind_link, &eb->unbound);
726 else if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS))
727 /* Prioritise 4GiB region for restricted bo */
728 list_add(&ev->bind_link, &last);
730 list_add_tail(&ev->bind_link, &last);
733 list_splice_tail(&last, &eb->unbound);
737 static int eb_reserve(struct i915_execbuffer *eb)
744 * We have one more buffers that we couldn't bind, which could be due to
745 * various reasons. To resolve this we have 4 passes, with every next
746 * level turning the screws tighter:
748 * 0. Unbind all objects that do not match the GTT constraints for the
749 * execbuffer (fenceable, mappable, alignment etc). Bind all new
750 * objects. This avoids unnecessary unbinding of later objects in order
751 * to make room for the earlier objects *unless* we need to defragment.
753 * 1. Reorder the buffers, where objects with the most restrictive
754 * placement requirements go first (ignoring fixed location buffers for
755 * now). For example, objects needing the mappable aperture (the first
756 * 256M of GTT), should go first vs objects that can be placed just
757 * about anywhere. Repeat the previous pass.
759 * 2. Consider buffers that are pinned at a fixed location. Also try to
760 * evict the entire VM this time, leaving only objects that we were
761 * unable to lock. Try again to bind the buffers. (still using the new
764 * 3. We likely have object lock contention for one or more stubborn
765 * objects in the VM, for which we need to evict to make forward
766 * progress (perhaps we are fighting the shrinker?). When evicting the
767 * VM this time around, anything that we can't lock we now track using
768 * the busy_bo, using the full lock (after dropping the vm->mutex to
769 * prevent deadlocks), instead of trylock. We then continue to evict the
770 * VM, this time with the stubborn object locked, which we can now
771 * hopefully unbind (if still bound in the VM). Repeat until the VM is
772 * evicted. Finally we should be able bind everything.
774 for (pass = 0; pass <= 3; pass++) {
775 int pin_flags = PIN_USER | PIN_VALIDATE;
778 pin_flags |= PIN_NONBLOCK;
781 eb_unbind(eb, pass >= 2);
784 err = mutex_lock_interruptible(&eb->context->vm->mutex);
786 err = i915_gem_evict_vm(eb->context->vm, &eb->ww, NULL);
787 mutex_unlock(&eb->context->vm->mutex);
795 err = mutex_lock_interruptible(&eb->context->vm->mutex);
797 struct drm_i915_gem_object *busy_bo = NULL;
799 err = i915_gem_evict_vm(eb->context->vm, &eb->ww, &busy_bo);
800 mutex_unlock(&eb->context->vm->mutex);
801 if (err && busy_bo) {
802 err = i915_gem_object_lock(busy_bo, &eb->ww);
803 i915_gem_object_put(busy_bo);
812 list_for_each_entry(ev, &eb->unbound, bind_link) {
813 err = eb_reserve_vma(eb, ev, pin_flags);
825 static int eb_select_context(struct i915_execbuffer *eb)
827 struct i915_gem_context *ctx;
829 ctx = i915_gem_context_lookup(eb->file->driver_priv, eb->args->rsvd1);
830 if (unlikely(IS_ERR(ctx)))
833 eb->gem_context = ctx;
834 if (i915_gem_context_has_full_ppgtt(ctx))
835 eb->invalid_flags |= EXEC_OBJECT_NEEDS_GTT;
840 static int __eb_add_lut(struct i915_execbuffer *eb,
841 u32 handle, struct i915_vma *vma)
843 struct i915_gem_context *ctx = eb->gem_context;
844 struct i915_lut_handle *lut;
847 lut = i915_lut_handle_alloc();
852 if (!atomic_fetch_inc(&vma->open_count))
853 i915_vma_reopen(vma);
854 lut->handle = handle;
857 /* Check that the context hasn't been closed in the meantime */
859 if (!mutex_lock_interruptible(&ctx->lut_mutex)) {
860 if (likely(!i915_gem_context_is_closed(ctx)))
861 err = radix_tree_insert(&ctx->handles_vma, handle, vma);
864 if (err == 0) { /* And nor has this handle */
865 struct drm_i915_gem_object *obj = vma->obj;
867 spin_lock(&obj->lut_lock);
868 if (idr_find(&eb->file->object_idr, handle) == obj) {
869 list_add(&lut->obj_link, &obj->lut_list);
871 radix_tree_delete(&ctx->handles_vma, handle);
874 spin_unlock(&obj->lut_lock);
876 mutex_unlock(&ctx->lut_mutex);
886 i915_lut_handle_free(lut);
890 static struct i915_vma *eb_lookup_vma(struct i915_execbuffer *eb, u32 handle)
892 struct i915_address_space *vm = eb->context->vm;
895 struct drm_i915_gem_object *obj;
896 struct i915_vma *vma;
900 vma = radix_tree_lookup(&eb->gem_context->handles_vma, handle);
901 if (likely(vma && vma->vm == vm))
902 vma = i915_vma_tryget(vma);
907 obj = i915_gem_object_lookup(eb->file, handle);
909 return ERR_PTR(-ENOENT);
912 * If the user has opted-in for protected-object tracking, make
913 * sure the object encryption can be used.
914 * We only need to do this when the object is first used with
915 * this context, because the context itself will be banned when
916 * the protected objects become invalid.
918 if (i915_gem_context_uses_protected_content(eb->gem_context) &&
919 i915_gem_object_is_protected(obj)) {
920 err = intel_pxp_key_check(eb->i915->pxp, obj, true);
922 i915_gem_object_put(obj);
927 vma = i915_vma_instance(obj, vm, NULL);
929 i915_gem_object_put(obj);
933 err = __eb_add_lut(eb, handle, vma);
937 i915_gem_object_put(obj);
943 static int eb_lookup_vmas(struct i915_execbuffer *eb)
945 unsigned int i, current_batch = 0;
948 INIT_LIST_HEAD(&eb->relocs);
950 for (i = 0; i < eb->buffer_count; i++) {
951 struct i915_vma *vma;
953 vma = eb_lookup_vma(eb, eb->exec[i].handle);
959 err = eb_validate_vma(eb, &eb->exec[i], vma);
965 err = eb_add_vma(eb, ¤t_batch, i, vma);
969 if (i915_gem_object_is_userptr(vma->obj)) {
970 err = i915_gem_object_userptr_submit_init(vma->obj);
972 if (i + 1 < eb->buffer_count) {
974 * Execbuffer code expects last vma entry to be NULL,
975 * since we already initialized this entry,
976 * set the next value to NULL or we mess up
979 eb->vma[i + 1].vma = NULL;
985 eb->vma[i].flags |= __EXEC_OBJECT_USERPTR_INIT;
986 eb->args->flags |= __EXEC_USERPTR_USED;
993 eb->vma[i].vma = NULL;
997 static int eb_lock_vmas(struct i915_execbuffer *eb)
1002 for (i = 0; i < eb->buffer_count; i++) {
1003 struct eb_vma *ev = &eb->vma[i];
1004 struct i915_vma *vma = ev->vma;
1006 err = i915_gem_object_lock(vma->obj, &eb->ww);
1014 static int eb_validate_vmas(struct i915_execbuffer *eb)
1019 INIT_LIST_HEAD(&eb->unbound);
1021 err = eb_lock_vmas(eb);
1025 for (i = 0; i < eb->buffer_count; i++) {
1026 struct drm_i915_gem_exec_object2 *entry = &eb->exec[i];
1027 struct eb_vma *ev = &eb->vma[i];
1028 struct i915_vma *vma = ev->vma;
1030 err = eb_pin_vma(eb, entry, ev);
1031 if (err == -EDEADLK)
1035 if (entry->offset != i915_vma_offset(vma)) {
1036 entry->offset = i915_vma_offset(vma) | UPDATE;
1037 eb->args->flags |= __EXEC_HAS_RELOC;
1040 eb_unreserve_vma(ev);
1042 list_add_tail(&ev->bind_link, &eb->unbound);
1043 if (drm_mm_node_allocated(&vma->node)) {
1044 err = i915_vma_unbind(vma);
1050 /* Reserve enough slots to accommodate composite fences */
1051 err = dma_resv_reserve_fences(vma->obj->base.resv, eb->num_batches);
1055 GEM_BUG_ON(drm_mm_node_allocated(&vma->node) &&
1056 eb_vma_misplaced(&eb->exec[i], vma, ev->flags));
1059 if (!list_empty(&eb->unbound))
1060 return eb_reserve(eb);
1065 static struct eb_vma *
1066 eb_get_vma(const struct i915_execbuffer *eb, unsigned long handle)
1068 if (eb->lut_size < 0) {
1069 if (handle >= -eb->lut_size)
1071 return &eb->vma[handle];
1073 struct hlist_head *head;
1076 head = &eb->buckets[hash_32(handle, eb->lut_size)];
1077 hlist_for_each_entry(ev, head, node) {
1078 if (ev->handle == handle)
1085 static void eb_release_vmas(struct i915_execbuffer *eb, bool final)
1087 const unsigned int count = eb->buffer_count;
1090 for (i = 0; i < count; i++) {
1091 struct eb_vma *ev = &eb->vma[i];
1092 struct i915_vma *vma = ev->vma;
1097 eb_unreserve_vma(ev);
1103 eb_capture_release(eb);
1104 eb_unpin_engine(eb);
1107 static void eb_destroy(const struct i915_execbuffer *eb)
1109 if (eb->lut_size > 0)
1114 relocation_target(const struct drm_i915_gem_relocation_entry *reloc,
1115 const struct i915_vma *target)
1117 return gen8_canonical_addr((int)reloc->delta + i915_vma_offset(target));
1120 static void reloc_cache_init(struct reloc_cache *cache,
1121 struct drm_i915_private *i915)
1125 /* Must be a variable in the struct to allow GCC to unroll. */
1126 cache->graphics_ver = GRAPHICS_VER(i915);
1127 cache->has_llc = HAS_LLC(i915);
1128 cache->use_64bit_reloc = HAS_64BIT_RELOC(i915);
1129 cache->has_fence = cache->graphics_ver < 4;
1130 cache->needs_unfenced = INTEL_INFO(i915)->unfenced_needs_alignment;
1131 cache->node.flags = 0;
1134 static void *unmask_page(unsigned long p)
1136 return (void *)(uintptr_t)(p & PAGE_MASK);
1139 static unsigned int unmask_flags(unsigned long p)
1141 return p & ~PAGE_MASK;
1144 #define KMAP 0x4 /* after CLFLUSH_FLAGS */
1146 static struct i915_ggtt *cache_to_ggtt(struct reloc_cache *cache)
1148 struct drm_i915_private *i915 =
1149 container_of(cache, struct i915_execbuffer, reloc_cache)->i915;
1150 return to_gt(i915)->ggtt;
1153 static void reloc_cache_unmap(struct reloc_cache *cache)
1160 vaddr = unmask_page(cache->vaddr);
1161 if (cache->vaddr & KMAP)
1162 kunmap_local(vaddr);
1164 io_mapping_unmap_atomic((void __iomem *)vaddr);
1167 static void reloc_cache_remap(struct reloc_cache *cache,
1168 struct drm_i915_gem_object *obj)
1175 if (cache->vaddr & KMAP) {
1176 struct page *page = i915_gem_object_get_page(obj, cache->page);
1178 vaddr = kmap_local_page(page);
1179 cache->vaddr = unmask_flags(cache->vaddr) |
1180 (unsigned long)vaddr;
1182 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
1183 unsigned long offset;
1185 offset = cache->node.start;
1186 if (!drm_mm_node_allocated(&cache->node))
1187 offset += cache->page << PAGE_SHIFT;
1189 cache->vaddr = (unsigned long)
1190 io_mapping_map_atomic_wc(&ggtt->iomap, offset);
1194 static void reloc_cache_reset(struct reloc_cache *cache, struct i915_execbuffer *eb)
1201 vaddr = unmask_page(cache->vaddr);
1202 if (cache->vaddr & KMAP) {
1203 struct drm_i915_gem_object *obj =
1204 (struct drm_i915_gem_object *)cache->node.mm;
1205 if (cache->vaddr & CLFLUSH_AFTER)
1208 kunmap_local(vaddr);
1209 i915_gem_object_finish_access(obj);
1211 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
1213 intel_gt_flush_ggtt_writes(ggtt->vm.gt);
1214 io_mapping_unmap_atomic((void __iomem *)vaddr);
1216 if (drm_mm_node_allocated(&cache->node)) {
1217 ggtt->vm.clear_range(&ggtt->vm,
1220 mutex_lock(&ggtt->vm.mutex);
1221 drm_mm_remove_node(&cache->node);
1222 mutex_unlock(&ggtt->vm.mutex);
1224 i915_vma_unpin((struct i915_vma *)cache->node.mm);
1232 static void *reloc_kmap(struct drm_i915_gem_object *obj,
1233 struct reloc_cache *cache,
1234 unsigned long pageno)
1240 kunmap_local(unmask_page(cache->vaddr));
1242 unsigned int flushes;
1245 err = i915_gem_object_prepare_write(obj, &flushes);
1247 return ERR_PTR(err);
1249 BUILD_BUG_ON(KMAP & CLFLUSH_FLAGS);
1250 BUILD_BUG_ON((KMAP | CLFLUSH_FLAGS) & PAGE_MASK);
1252 cache->vaddr = flushes | KMAP;
1253 cache->node.mm = (void *)obj;
1258 page = i915_gem_object_get_page(obj, pageno);
1260 set_page_dirty(page);
1262 vaddr = kmap_local_page(page);
1263 cache->vaddr = unmask_flags(cache->vaddr) | (unsigned long)vaddr;
1264 cache->page = pageno;
1269 static void *reloc_iomap(struct i915_vma *batch,
1270 struct i915_execbuffer *eb,
1273 struct drm_i915_gem_object *obj = batch->obj;
1274 struct reloc_cache *cache = &eb->reloc_cache;
1275 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
1276 unsigned long offset;
1280 intel_gt_flush_ggtt_writes(ggtt->vm.gt);
1281 io_mapping_unmap_atomic((void __force __iomem *) unmask_page(cache->vaddr));
1283 struct i915_vma *vma = ERR_PTR(-ENODEV);
1286 if (i915_gem_object_is_tiled(obj))
1287 return ERR_PTR(-EINVAL);
1289 if (use_cpu_reloc(cache, obj))
1292 err = i915_gem_object_set_to_gtt_domain(obj, true);
1294 return ERR_PTR(err);
1297 * i915_gem_object_ggtt_pin_ww may attempt to remove the batch
1298 * VMA from the object list because we no longer pin.
1300 * Only attempt to pin the batch buffer to ggtt if the current batch
1301 * is not inside ggtt, or the batch buffer is not misplaced.
1303 if (!i915_is_ggtt(batch->vm) ||
1304 !i915_vma_misplaced(batch, 0, 0, PIN_MAPPABLE)) {
1305 vma = i915_gem_object_ggtt_pin_ww(obj, &eb->ww, NULL, 0, 0,
1307 PIN_NONBLOCK /* NOWARN */ |
1311 if (vma == ERR_PTR(-EDEADLK))
1315 memset(&cache->node, 0, sizeof(cache->node));
1316 mutex_lock(&ggtt->vm.mutex);
1317 err = drm_mm_insert_node_in_range
1318 (&ggtt->vm.mm, &cache->node,
1319 PAGE_SIZE, 0, I915_COLOR_UNEVICTABLE,
1320 0, ggtt->mappable_end,
1322 mutex_unlock(&ggtt->vm.mutex);
1323 if (err) /* no inactive aperture space, use cpu reloc */
1326 cache->node.start = i915_ggtt_offset(vma);
1327 cache->node.mm = (void *)vma;
1331 offset = cache->node.start;
1332 if (drm_mm_node_allocated(&cache->node)) {
1333 ggtt->vm.insert_page(&ggtt->vm,
1334 i915_gem_object_get_dma_address(obj, page),
1336 i915_gem_get_pat_index(ggtt->vm.i915,
1340 offset += page << PAGE_SHIFT;
1343 vaddr = (void __force *)io_mapping_map_atomic_wc(&ggtt->iomap,
1346 cache->vaddr = (unsigned long)vaddr;
1351 static void *reloc_vaddr(struct i915_vma *vma,
1352 struct i915_execbuffer *eb,
1355 struct reloc_cache *cache = &eb->reloc_cache;
1358 if (cache->page == page) {
1359 vaddr = unmask_page(cache->vaddr);
1362 if ((cache->vaddr & KMAP) == 0)
1363 vaddr = reloc_iomap(vma, eb, page);
1365 vaddr = reloc_kmap(vma->obj, cache, page);
1371 static void clflush_write32(u32 *addr, u32 value, unsigned int flushes)
1373 if (unlikely(flushes & (CLFLUSH_BEFORE | CLFLUSH_AFTER))) {
1374 if (flushes & CLFLUSH_BEFORE)
1375 drm_clflush_virt_range(addr, sizeof(*addr));
1380 * Writes to the same cacheline are serialised by the CPU
1381 * (including clflush). On the write path, we only require
1382 * that it hits memory in an orderly fashion and place
1383 * mb barriers at the start and end of the relocation phase
1384 * to ensure ordering of clflush wrt to the system.
1386 if (flushes & CLFLUSH_AFTER)
1387 drm_clflush_virt_range(addr, sizeof(*addr));
1393 relocate_entry(struct i915_vma *vma,
1394 const struct drm_i915_gem_relocation_entry *reloc,
1395 struct i915_execbuffer *eb,
1396 const struct i915_vma *target)
1398 u64 target_addr = relocation_target(reloc, target);
1399 u64 offset = reloc->offset;
1400 bool wide = eb->reloc_cache.use_64bit_reloc;
1404 vaddr = reloc_vaddr(vma, eb,
1405 offset >> PAGE_SHIFT);
1407 return PTR_ERR(vaddr);
1409 GEM_BUG_ON(!IS_ALIGNED(offset, sizeof(u32)));
1410 clflush_write32(vaddr + offset_in_page(offset),
1411 lower_32_bits(target_addr),
1412 eb->reloc_cache.vaddr);
1415 offset += sizeof(u32);
1421 return target->node.start | UPDATE;
1425 eb_relocate_entry(struct i915_execbuffer *eb,
1427 const struct drm_i915_gem_relocation_entry *reloc)
1429 struct drm_i915_private *i915 = eb->i915;
1430 struct eb_vma *target;
1433 /* we've already hold a reference to all valid objects */
1434 target = eb_get_vma(eb, reloc->target_handle);
1435 if (unlikely(!target))
1438 /* Validate that the target is in a valid r/w GPU domain */
1439 if (unlikely(reloc->write_domain & (reloc->write_domain - 1))) {
1440 drm_dbg(&i915->drm, "reloc with multiple write domains: "
1441 "target %d offset %d "
1442 "read %08x write %08x\n",
1443 reloc->target_handle,
1444 (int) reloc->offset,
1445 reloc->read_domains,
1446 reloc->write_domain);
1449 if (unlikely((reloc->write_domain | reloc->read_domains)
1450 & ~I915_GEM_GPU_DOMAINS)) {
1451 drm_dbg(&i915->drm, "reloc with read/write non-GPU domains: "
1452 "target %d offset %d "
1453 "read %08x write %08x\n",
1454 reloc->target_handle,
1455 (int) reloc->offset,
1456 reloc->read_domains,
1457 reloc->write_domain);
1461 if (reloc->write_domain) {
1462 target->flags |= EXEC_OBJECT_WRITE;
1465 * Sandybridge PPGTT errata: We need a global gtt mapping
1466 * for MI and pipe_control writes because the gpu doesn't
1467 * properly redirect them through the ppgtt for non_secure
1470 if (reloc->write_domain == I915_GEM_DOMAIN_INSTRUCTION &&
1471 GRAPHICS_VER(eb->i915) == 6 &&
1472 !i915_vma_is_bound(target->vma, I915_VMA_GLOBAL_BIND)) {
1473 struct i915_vma *vma = target->vma;
1475 reloc_cache_unmap(&eb->reloc_cache);
1476 mutex_lock(&vma->vm->mutex);
1477 err = i915_vma_bind(target->vma,
1478 target->vma->obj->pat_index,
1479 PIN_GLOBAL, NULL, NULL);
1480 mutex_unlock(&vma->vm->mutex);
1481 reloc_cache_remap(&eb->reloc_cache, ev->vma->obj);
1488 * If the relocation already has the right value in it, no
1489 * more work needs to be done.
1491 if (!DBG_FORCE_RELOC &&
1492 gen8_canonical_addr(i915_vma_offset(target->vma)) == reloc->presumed_offset)
1495 /* Check that the relocation address is valid... */
1496 if (unlikely(reloc->offset >
1497 ev->vma->size - (eb->reloc_cache.use_64bit_reloc ? 8 : 4))) {
1498 drm_dbg(&i915->drm, "Relocation beyond object bounds: "
1499 "target %d offset %d size %d.\n",
1500 reloc->target_handle,
1502 (int)ev->vma->size);
1505 if (unlikely(reloc->offset & 3)) {
1506 drm_dbg(&i915->drm, "Relocation not 4-byte aligned: "
1507 "target %d offset %d.\n",
1508 reloc->target_handle,
1509 (int)reloc->offset);
1514 * If we write into the object, we need to force the synchronisation
1515 * barrier, either with an asynchronous clflush or if we executed the
1516 * patching using the GPU (though that should be serialised by the
1517 * timeline). To be completely sure, and since we are required to
1518 * do relocations we are already stalling, disable the user's opt
1519 * out of our synchronisation.
1521 ev->flags &= ~EXEC_OBJECT_ASYNC;
1523 /* and update the user's relocation entry */
1524 return relocate_entry(ev->vma, reloc, eb, target->vma);
1527 static int eb_relocate_vma(struct i915_execbuffer *eb, struct eb_vma *ev)
1529 #define N_RELOC(x) ((x) / sizeof(struct drm_i915_gem_relocation_entry))
1530 struct drm_i915_gem_relocation_entry stack[N_RELOC(512)];
1531 const struct drm_i915_gem_exec_object2 *entry = ev->exec;
1532 struct drm_i915_gem_relocation_entry __user *urelocs =
1533 u64_to_user_ptr(entry->relocs_ptr);
1534 unsigned long remain = entry->relocation_count;
1536 if (unlikely(remain > N_RELOC(ULONG_MAX)))
1540 * We must check that the entire relocation array is safe
1541 * to read. However, if the array is not writable the user loses
1542 * the updated relocation values.
1544 if (unlikely(!access_ok(urelocs, remain * sizeof(*urelocs))))
1548 struct drm_i915_gem_relocation_entry *r = stack;
1549 unsigned int count =
1550 min_t(unsigned long, remain, ARRAY_SIZE(stack));
1551 unsigned int copied;
1554 * This is the fast path and we cannot handle a pagefault
1555 * whilst holding the struct mutex lest the user pass in the
1556 * relocations contained within a mmaped bo. For in such a case
1557 * we, the page fault handler would call i915_gem_fault() and
1558 * we would try to acquire the struct mutex again. Obviously
1559 * this is bad and so lockdep complains vehemently.
1561 pagefault_disable();
1562 copied = __copy_from_user_inatomic(r, urelocs, count * sizeof(r[0]));
1564 if (unlikely(copied)) {
1571 u64 offset = eb_relocate_entry(eb, ev, r);
1573 if (likely(offset == 0)) {
1574 } else if ((s64)offset < 0) {
1575 remain = (int)offset;
1579 * Note that reporting an error now
1580 * leaves everything in an inconsistent
1581 * state as we have *already* changed
1582 * the relocation value inside the
1583 * object. As we have not changed the
1584 * reloc.presumed_offset or will not
1585 * change the execobject.offset, on the
1586 * call we may not rewrite the value
1587 * inside the object, leaving it
1588 * dangling and causing a GPU hang. Unless
1589 * userspace dynamically rebuilds the
1590 * relocations on each execbuf rather than
1591 * presume a static tree.
1593 * We did previously check if the relocations
1594 * were writable (access_ok), an error now
1595 * would be a strange race with mprotect,
1596 * having already demonstrated that we
1597 * can read from this userspace address.
1599 offset = gen8_canonical_addr(offset & ~UPDATE);
1601 &urelocs[r - stack].presumed_offset);
1603 } while (r++, --count);
1604 urelocs += ARRAY_SIZE(stack);
1607 reloc_cache_reset(&eb->reloc_cache, eb);
1612 eb_relocate_vma_slow(struct i915_execbuffer *eb, struct eb_vma *ev)
1614 const struct drm_i915_gem_exec_object2 *entry = ev->exec;
1615 struct drm_i915_gem_relocation_entry *relocs =
1616 u64_to_ptr(typeof(*relocs), entry->relocs_ptr);
1620 for (i = 0; i < entry->relocation_count; i++) {
1621 u64 offset = eb_relocate_entry(eb, ev, &relocs[i]);
1623 if ((s64)offset < 0) {
1630 reloc_cache_reset(&eb->reloc_cache, eb);
1634 static int check_relocations(const struct drm_i915_gem_exec_object2 *entry)
1636 const char __user *addr, *end;
1638 char __maybe_unused c;
1640 size = entry->relocation_count;
1644 if (size > N_RELOC(ULONG_MAX))
1647 addr = u64_to_user_ptr(entry->relocs_ptr);
1648 size *= sizeof(struct drm_i915_gem_relocation_entry);
1649 if (!access_ok(addr, size))
1653 for (; addr < end; addr += PAGE_SIZE) {
1654 int err = __get_user(c, addr);
1658 return __get_user(c, end - 1);
1661 static int eb_copy_relocations(const struct i915_execbuffer *eb)
1663 struct drm_i915_gem_relocation_entry *relocs;
1664 const unsigned int count = eb->buffer_count;
1668 for (i = 0; i < count; i++) {
1669 const unsigned int nreloc = eb->exec[i].relocation_count;
1670 struct drm_i915_gem_relocation_entry __user *urelocs;
1672 unsigned long copied;
1677 err = check_relocations(&eb->exec[i]);
1681 urelocs = u64_to_user_ptr(eb->exec[i].relocs_ptr);
1682 size = nreloc * sizeof(*relocs);
1684 relocs = kvmalloc_array(1, size, GFP_KERNEL);
1690 /* copy_from_user is limited to < 4GiB */
1694 min_t(u64, BIT_ULL(31), size - copied);
1696 if (__copy_from_user((char *)relocs + copied,
1697 (char __user *)urelocs + copied,
1702 } while (copied < size);
1705 * As we do not update the known relocation offsets after
1706 * relocating (due to the complexities in lock handling),
1707 * we need to mark them as invalid now so that we force the
1708 * relocation processing next time. Just in case the target
1709 * object is evicted and then rebound into its old
1710 * presumed_offset before the next execbuffer - if that
1711 * happened we would make the mistake of assuming that the
1712 * relocations were valid.
1714 if (!user_access_begin(urelocs, size))
1717 for (copied = 0; copied < nreloc; copied++)
1719 &urelocs[copied].presumed_offset,
1723 eb->exec[i].relocs_ptr = (uintptr_t)relocs;
1735 relocs = u64_to_ptr(typeof(*relocs), eb->exec[i].relocs_ptr);
1736 if (eb->exec[i].relocation_count)
1742 static int eb_prefault_relocations(const struct i915_execbuffer *eb)
1744 const unsigned int count = eb->buffer_count;
1747 for (i = 0; i < count; i++) {
1750 err = check_relocations(&eb->exec[i]);
1758 static int eb_reinit_userptr(struct i915_execbuffer *eb)
1760 const unsigned int count = eb->buffer_count;
1764 if (likely(!(eb->args->flags & __EXEC_USERPTR_USED)))
1767 for (i = 0; i < count; i++) {
1768 struct eb_vma *ev = &eb->vma[i];
1770 if (!i915_gem_object_is_userptr(ev->vma->obj))
1773 ret = i915_gem_object_userptr_submit_init(ev->vma->obj);
1777 ev->flags |= __EXEC_OBJECT_USERPTR_INIT;
1783 static noinline int eb_relocate_parse_slow(struct i915_execbuffer *eb)
1785 bool have_copy = false;
1790 if (signal_pending(current)) {
1795 /* We may process another execbuffer during the unlock... */
1796 eb_release_vmas(eb, false);
1797 i915_gem_ww_ctx_fini(&eb->ww);
1800 * We take 3 passes through the slowpatch.
1802 * 1 - we try to just prefault all the user relocation entries and
1803 * then attempt to reuse the atomic pagefault disabled fast path again.
1805 * 2 - we copy the user entries to a local buffer here outside of the
1806 * local and allow ourselves to wait upon any rendering before
1809 * 3 - we already have a local copy of the relocation entries, but
1810 * were interrupted (EAGAIN) whilst waiting for the objects, try again.
1813 err = eb_prefault_relocations(eb);
1814 } else if (!have_copy) {
1815 err = eb_copy_relocations(eb);
1816 have_copy = err == 0;
1823 err = eb_reinit_userptr(eb);
1825 i915_gem_ww_ctx_init(&eb->ww, true);
1829 /* reacquire the objects */
1831 err = eb_pin_engine(eb, false);
1835 err = eb_validate_vmas(eb);
1839 GEM_BUG_ON(!eb->batches[0]);
1841 list_for_each_entry(ev, &eb->relocs, reloc_link) {
1843 err = eb_relocate_vma(eb, ev);
1847 err = eb_relocate_vma_slow(eb, ev);
1853 if (err == -EDEADLK)
1856 if (err && !have_copy)
1862 /* as last step, parse the command buffer */
1868 * Leave the user relocations as are, this is the painfully slow path,
1869 * and we want to avoid the complication of dropping the lock whilst
1870 * having buffers reserved in the aperture and so causing spurious
1871 * ENOSPC for random operations.
1875 if (err == -EDEADLK) {
1876 eb_release_vmas(eb, false);
1877 err = i915_gem_ww_ctx_backoff(&eb->ww);
1879 goto repeat_validate;
1887 const unsigned int count = eb->buffer_count;
1890 for (i = 0; i < count; i++) {
1891 const struct drm_i915_gem_exec_object2 *entry =
1893 struct drm_i915_gem_relocation_entry *relocs;
1895 if (!entry->relocation_count)
1898 relocs = u64_to_ptr(typeof(*relocs), entry->relocs_ptr);
1906 static int eb_relocate_parse(struct i915_execbuffer *eb)
1909 bool throttle = true;
1912 err = eb_pin_engine(eb, throttle);
1914 if (err != -EDEADLK)
1920 /* only throttle once, even if we didn't need to throttle */
1923 err = eb_validate_vmas(eb);
1929 /* The objects are in their final locations, apply the relocations. */
1930 if (eb->args->flags & __EXEC_HAS_RELOC) {
1933 list_for_each_entry(ev, &eb->relocs, reloc_link) {
1934 err = eb_relocate_vma(eb, ev);
1939 if (err == -EDEADLK)
1949 if (err == -EDEADLK) {
1950 eb_release_vmas(eb, false);
1951 err = i915_gem_ww_ctx_backoff(&eb->ww);
1959 err = eb_relocate_parse_slow(eb);
1962 * If the user expects the execobject.offset and
1963 * reloc.presumed_offset to be an exact match,
1964 * as for using NO_RELOC, then we cannot update
1965 * the execobject.offset until we have completed
1968 eb->args->flags &= ~__EXEC_HAS_RELOC;
1974 * Using two helper loops for the order of which requests / batches are created
1975 * and added the to backend. Requests are created in order from the parent to
1976 * the last child. Requests are added in the reverse order, from the last child
1977 * to parent. This is done for locking reasons as the timeline lock is acquired
1978 * during request creation and released when the request is added to the
1979 * backend. To make lockdep happy (see intel_context_timeline_lock) this must be
1982 #define for_each_batch_create_order(_eb, _i) \
1983 for ((_i) = 0; (_i) < (_eb)->num_batches; ++(_i))
1984 #define for_each_batch_add_order(_eb, _i) \
1985 BUILD_BUG_ON(!typecheck(int, _i)); \
1986 for ((_i) = (_eb)->num_batches - 1; (_i) >= 0; --(_i))
1988 static struct i915_request *
1989 eb_find_first_request_added(struct i915_execbuffer *eb)
1993 for_each_batch_add_order(eb, i)
1994 if (eb->requests[i])
1995 return eb->requests[i];
1997 GEM_BUG_ON("Request not found");
2002 #if IS_ENABLED(CONFIG_DRM_I915_CAPTURE_ERROR)
2004 /* Stage with GFP_KERNEL allocations before we enter the signaling critical path */
2005 static int eb_capture_stage(struct i915_execbuffer *eb)
2007 const unsigned int count = eb->buffer_count;
2008 unsigned int i = count, j;
2011 struct eb_vma *ev = &eb->vma[i];
2012 struct i915_vma *vma = ev->vma;
2013 unsigned int flags = ev->flags;
2015 if (!(flags & EXEC_OBJECT_CAPTURE))
2018 if (i915_gem_context_is_recoverable(eb->gem_context) &&
2019 (IS_DGFX(eb->i915) || GRAPHICS_VER_FULL(eb->i915) > IP_VER(12, 0)))
2022 for_each_batch_create_order(eb, j) {
2023 struct i915_capture_list *capture;
2025 capture = kmalloc(sizeof(*capture), GFP_KERNEL);
2029 capture->next = eb->capture_lists[j];
2030 capture->vma_res = i915_vma_resource_get(vma->resource);
2031 eb->capture_lists[j] = capture;
2038 /* Commit once we're in the critical path */
2039 static void eb_capture_commit(struct i915_execbuffer *eb)
2043 for_each_batch_create_order(eb, j) {
2044 struct i915_request *rq = eb->requests[j];
2049 rq->capture_list = eb->capture_lists[j];
2050 eb->capture_lists[j] = NULL;
2055 * Release anything that didn't get committed due to errors.
2056 * The capture_list will otherwise be freed at request retire.
2058 static void eb_capture_release(struct i915_execbuffer *eb)
2062 for_each_batch_create_order(eb, j) {
2063 if (eb->capture_lists[j]) {
2064 i915_request_free_capture_list(eb->capture_lists[j]);
2065 eb->capture_lists[j] = NULL;
2070 static void eb_capture_list_clear(struct i915_execbuffer *eb)
2072 memset(eb->capture_lists, 0, sizeof(eb->capture_lists));
2077 static int eb_capture_stage(struct i915_execbuffer *eb)
2082 static void eb_capture_commit(struct i915_execbuffer *eb)
2086 static void eb_capture_release(struct i915_execbuffer *eb)
2090 static void eb_capture_list_clear(struct i915_execbuffer *eb)
2096 static int eb_move_to_gpu(struct i915_execbuffer *eb)
2098 const unsigned int count = eb->buffer_count;
2099 unsigned int i = count;
2103 struct eb_vma *ev = &eb->vma[i];
2104 struct i915_vma *vma = ev->vma;
2105 unsigned int flags = ev->flags;
2106 struct drm_i915_gem_object *obj = vma->obj;
2108 assert_vma_held(vma);
2111 * If the GPU is not _reading_ through the CPU cache, we need
2112 * to make sure that any writes (both previous GPU writes from
2113 * before a change in snooping levels and normal CPU writes)
2114 * caught in that cache are flushed to main memory.
2117 * obj->cache_dirty &&
2118 * !(obj->cache_coherent & I915_BO_CACHE_COHERENT_FOR_READ)
2119 * but gcc's optimiser doesn't handle that as well and emits
2120 * two jumps instead of one. Maybe one day...
2122 * FIXME: There is also sync flushing in set_pages(), which
2123 * serves a different purpose(some of the time at least).
2125 * We should consider:
2127 * 1. Rip out the async flush code.
2129 * 2. Or make the sync flushing use the async clflush path
2130 * using mandatory fences underneath. Currently the below
2131 * async flush happens after we bind the object.
2133 if (unlikely(obj->cache_dirty & ~obj->cache_coherent)) {
2134 if (i915_gem_clflush_object(obj, 0))
2135 flags &= ~EXEC_OBJECT_ASYNC;
2138 /* We only need to await on the first request */
2139 if (err == 0 && !(flags & EXEC_OBJECT_ASYNC)) {
2140 err = i915_request_await_object
2141 (eb_find_first_request_added(eb), obj,
2142 flags & EXEC_OBJECT_WRITE);
2145 for_each_batch_add_order(eb, j) {
2148 if (!eb->requests[j])
2151 err = _i915_vma_move_to_active(vma, eb->requests[j],
2153 eb->composite_fence ?
2154 eb->composite_fence :
2155 &eb->requests[j]->fence,
2156 flags | __EXEC_OBJECT_NO_RESERVE |
2157 __EXEC_OBJECT_NO_REQUEST_AWAIT);
2161 #ifdef CONFIG_MMU_NOTIFIER
2162 if (!err && (eb->args->flags & __EXEC_USERPTR_USED)) {
2163 for (i = 0; i < count; i++) {
2164 struct eb_vma *ev = &eb->vma[i];
2165 struct drm_i915_gem_object *obj = ev->vma->obj;
2167 if (!i915_gem_object_is_userptr(obj))
2170 err = i915_gem_object_userptr_submit_done(obj);
2180 /* Unconditionally flush any chipset caches (for streaming writes). */
2181 intel_gt_chipset_flush(eb->gt);
2182 eb_capture_commit(eb);
2187 for_each_batch_create_order(eb, j) {
2188 if (!eb->requests[j])
2191 i915_request_set_error_once(eb->requests[j], err);
2196 static int i915_gem_check_execbuffer(struct drm_i915_private *i915,
2197 struct drm_i915_gem_execbuffer2 *exec)
2199 if (exec->flags & __I915_EXEC_ILLEGAL_FLAGS)
2202 /* Kernel clipping was a DRI1 misfeature */
2203 if (!(exec->flags & (I915_EXEC_FENCE_ARRAY |
2204 I915_EXEC_USE_EXTENSIONS))) {
2205 if (exec->num_cliprects || exec->cliprects_ptr)
2209 if (exec->DR4 == 0xffffffff) {
2210 drm_dbg(&i915->drm, "UXA submitting garbage DR4, fixing up\n");
2213 if (exec->DR1 || exec->DR4)
2216 if ((exec->batch_start_offset | exec->batch_len) & 0x7)
2222 static int i915_reset_gen7_sol_offsets(struct i915_request *rq)
2227 if (GRAPHICS_VER(rq->i915) != 7 || rq->engine->id != RCS0) {
2228 drm_dbg(&rq->i915->drm, "sol reset is gen7/rcs only\n");
2232 cs = intel_ring_begin(rq, 4 * 2 + 2);
2236 *cs++ = MI_LOAD_REGISTER_IMM(4);
2237 for (i = 0; i < 4; i++) {
2238 *cs++ = i915_mmio_reg_offset(GEN7_SO_WRITE_OFFSET(i));
2242 intel_ring_advance(rq, cs);
2247 static struct i915_vma *
2248 shadow_batch_pin(struct i915_execbuffer *eb,
2249 struct drm_i915_gem_object *obj,
2250 struct i915_address_space *vm,
2253 struct i915_vma *vma;
2256 vma = i915_vma_instance(obj, vm, NULL);
2260 err = i915_vma_pin_ww(vma, &eb->ww, 0, 0, flags | PIN_VALIDATE);
2262 return ERR_PTR(err);
2267 static struct i915_vma *eb_dispatch_secure(struct i915_execbuffer *eb, struct i915_vma *vma)
2270 * snb/ivb/vlv conflate the "batch in ppgtt" bit with the "non-secure
2271 * batch" bit. Hence we need to pin secure batches into the global gtt.
2272 * hsw should have this fixed, but bdw mucks it up again. */
2273 if (eb->batch_flags & I915_DISPATCH_SECURE)
2274 return i915_gem_object_ggtt_pin_ww(vma->obj, &eb->ww, NULL, 0, 0, PIN_VALIDATE);
2279 static int eb_parse(struct i915_execbuffer *eb)
2281 struct drm_i915_private *i915 = eb->i915;
2282 struct intel_gt_buffer_pool_node *pool = eb->batch_pool;
2283 struct i915_vma *shadow, *trampoline, *batch;
2287 if (!eb_use_cmdparser(eb)) {
2288 batch = eb_dispatch_secure(eb, eb->batches[0]->vma);
2290 return PTR_ERR(batch);
2295 if (intel_context_is_parallel(eb->context))
2298 len = eb->batch_len[0];
2299 if (!CMDPARSER_USES_GGTT(eb->i915)) {
2301 * ppGTT backed shadow buffers must be mapped RO, to prevent
2302 * post-scan tampering
2304 if (!eb->context->vm->has_read_only) {
2306 "Cannot prevent post-scan tampering without RO capable vm\n");
2310 len += I915_CMD_PARSER_TRAMPOLINE_SIZE;
2312 if (unlikely(len < eb->batch_len[0])) /* last paranoid check of overflow */
2316 pool = intel_gt_get_buffer_pool(eb->gt, len,
2319 return PTR_ERR(pool);
2320 eb->batch_pool = pool;
2323 err = i915_gem_object_lock(pool->obj, &eb->ww);
2327 shadow = shadow_batch_pin(eb, pool->obj, eb->context->vm, PIN_USER);
2329 return PTR_ERR(shadow);
2331 intel_gt_buffer_pool_mark_used(pool);
2332 i915_gem_object_set_readonly(shadow->obj);
2333 shadow->private = pool;
2336 if (CMDPARSER_USES_GGTT(eb->i915)) {
2337 trampoline = shadow;
2339 shadow = shadow_batch_pin(eb, pool->obj,
2343 return PTR_ERR(shadow);
2345 shadow->private = pool;
2347 eb->batch_flags |= I915_DISPATCH_SECURE;
2350 batch = eb_dispatch_secure(eb, shadow);
2352 return PTR_ERR(batch);
2354 err = dma_resv_reserve_fences(shadow->obj->base.resv, 1);
2358 err = intel_engine_cmd_parser(eb->context->engine,
2359 eb->batches[0]->vma,
2360 eb->batch_start_offset,
2362 shadow, trampoline);
2366 eb->batches[0] = &eb->vma[eb->buffer_count++];
2367 eb->batches[0]->vma = i915_vma_get(shadow);
2368 eb->batches[0]->flags = __EXEC_OBJECT_HAS_PIN;
2370 eb->trampoline = trampoline;
2371 eb->batch_start_offset = 0;
2375 if (intel_context_is_parallel(eb->context))
2378 eb->batches[0] = &eb->vma[eb->buffer_count++];
2379 eb->batches[0]->flags = __EXEC_OBJECT_HAS_PIN;
2380 eb->batches[0]->vma = i915_vma_get(batch);
2385 static int eb_request_submit(struct i915_execbuffer *eb,
2386 struct i915_request *rq,
2387 struct i915_vma *batch,
2392 if (intel_context_nopreempt(rq->context))
2393 __set_bit(I915_FENCE_FLAG_NOPREEMPT, &rq->fence.flags);
2395 if (eb->args->flags & I915_EXEC_GEN7_SOL_RESET) {
2396 err = i915_reset_gen7_sol_offsets(rq);
2402 * After we completed waiting for other engines (using HW semaphores)
2403 * then we can signal that this request/batch is ready to run. This
2404 * allows us to determine if the batch is still waiting on the GPU
2405 * or actually running by checking the breadcrumb.
2407 if (rq->context->engine->emit_init_breadcrumb) {
2408 err = rq->context->engine->emit_init_breadcrumb(rq);
2413 err = rq->context->engine->emit_bb_start(rq,
2414 i915_vma_offset(batch) +
2415 eb->batch_start_offset,
2421 if (eb->trampoline) {
2422 GEM_BUG_ON(intel_context_is_parallel(rq->context));
2423 GEM_BUG_ON(eb->batch_start_offset);
2424 err = rq->context->engine->emit_bb_start(rq,
2425 i915_vma_offset(eb->trampoline) +
2434 static int eb_submit(struct i915_execbuffer *eb)
2439 err = eb_move_to_gpu(eb);
2441 for_each_batch_create_order(eb, i) {
2442 if (!eb->requests[i])
2445 trace_i915_request_queue(eb->requests[i], eb->batch_flags);
2447 err = eb_request_submit(eb, eb->requests[i],
2448 eb->batches[i]->vma,
2456 * Find one BSD ring to dispatch the corresponding BSD command.
2457 * The engine index is returned.
2460 gen8_dispatch_bsd_engine(struct drm_i915_private *dev_priv,
2461 struct drm_file *file)
2463 struct drm_i915_file_private *file_priv = file->driver_priv;
2465 /* Check whether the file_priv has already selected one ring. */
2466 if ((int)file_priv->bsd_engine < 0)
2467 file_priv->bsd_engine =
2468 get_random_u32_below(dev_priv->engine_uabi_class_count[I915_ENGINE_CLASS_VIDEO]);
2470 return file_priv->bsd_engine;
2473 static const enum intel_engine_id user_ring_map[] = {
2474 [I915_EXEC_DEFAULT] = RCS0,
2475 [I915_EXEC_RENDER] = RCS0,
2476 [I915_EXEC_BLT] = BCS0,
2477 [I915_EXEC_BSD] = VCS0,
2478 [I915_EXEC_VEBOX] = VECS0
2481 static struct i915_request *eb_throttle(struct i915_execbuffer *eb, struct intel_context *ce)
2483 struct intel_ring *ring = ce->ring;
2484 struct intel_timeline *tl = ce->timeline;
2485 struct i915_request *rq;
2488 * Completely unscientific finger-in-the-air estimates for suitable
2489 * maximum user request size (to avoid blocking) and then backoff.
2491 if (intel_ring_update_space(ring) >= PAGE_SIZE)
2495 * Find a request that after waiting upon, there will be at least half
2496 * the ring available. The hysteresis allows us to compete for the
2497 * shared ring and should mean that we sleep less often prior to
2498 * claiming our resources, but not so long that the ring completely
2499 * drains before we can submit our next request.
2501 list_for_each_entry(rq, &tl->requests, link) {
2502 if (rq->ring != ring)
2505 if (__intel_ring_space(rq->postfix,
2506 ring->emit, ring->size) > ring->size / 2)
2509 if (&rq->link == &tl->requests)
2510 return NULL; /* weird, we will check again later for real */
2512 return i915_request_get(rq);
2515 static int eb_pin_timeline(struct i915_execbuffer *eb, struct intel_context *ce,
2518 struct intel_timeline *tl;
2519 struct i915_request *rq = NULL;
2522 * Take a local wakeref for preparing to dispatch the execbuf as
2523 * we expect to access the hardware fairly frequently in the
2524 * process, and require the engine to be kept awake between accesses.
2525 * Upon dispatch, we acquire another prolonged wakeref that we hold
2526 * until the timeline is idle, which in turn releases the wakeref
2527 * taken on the engine, and the parent device.
2529 tl = intel_context_timeline_lock(ce);
2533 intel_context_enter(ce);
2535 rq = eb_throttle(eb, ce);
2536 intel_context_timeline_unlock(tl);
2539 bool nonblock = eb->file->filp->f_flags & O_NONBLOCK;
2540 long timeout = nonblock ? 0 : MAX_SCHEDULE_TIMEOUT;
2542 if (i915_request_wait(rq, I915_WAIT_INTERRUPTIBLE,
2544 i915_request_put(rq);
2547 * Error path, cannot use intel_context_timeline_lock as
2548 * that is user interruptable and this clean up step
2551 mutex_lock(&ce->timeline->mutex);
2552 intel_context_exit(ce);
2553 mutex_unlock(&ce->timeline->mutex);
2556 return -EWOULDBLOCK;
2560 i915_request_put(rq);
2566 static int eb_pin_engine(struct i915_execbuffer *eb, bool throttle)
2568 struct intel_context *ce = eb->context, *child;
2572 GEM_BUG_ON(eb->args->flags & __EXEC_ENGINE_PINNED);
2574 if (unlikely(intel_context_is_banned(ce)))
2578 * Pinning the contexts may generate requests in order to acquire
2579 * GGTT space, so do this first before we reserve a seqno for
2582 err = intel_context_pin_ww(ce, &eb->ww);
2585 for_each_child(ce, child) {
2586 err = intel_context_pin_ww(child, &eb->ww);
2587 GEM_BUG_ON(err); /* perma-pinned should incr a counter */
2590 for_each_child(ce, child) {
2591 err = eb_pin_timeline(eb, child, throttle);
2596 err = eb_pin_timeline(eb, ce, throttle);
2600 eb->args->flags |= __EXEC_ENGINE_PINNED;
2604 for_each_child(ce, child) {
2606 mutex_lock(&child->timeline->mutex);
2607 intel_context_exit(child);
2608 mutex_unlock(&child->timeline->mutex);
2611 for_each_child(ce, child)
2612 intel_context_unpin(child);
2613 intel_context_unpin(ce);
2617 static void eb_unpin_engine(struct i915_execbuffer *eb)
2619 struct intel_context *ce = eb->context, *child;
2621 if (!(eb->args->flags & __EXEC_ENGINE_PINNED))
2624 eb->args->flags &= ~__EXEC_ENGINE_PINNED;
2626 for_each_child(ce, child) {
2627 mutex_lock(&child->timeline->mutex);
2628 intel_context_exit(child);
2629 mutex_unlock(&child->timeline->mutex);
2631 intel_context_unpin(child);
2634 mutex_lock(&ce->timeline->mutex);
2635 intel_context_exit(ce);
2636 mutex_unlock(&ce->timeline->mutex);
2638 intel_context_unpin(ce);
2642 eb_select_legacy_ring(struct i915_execbuffer *eb)
2644 struct drm_i915_private *i915 = eb->i915;
2645 struct drm_i915_gem_execbuffer2 *args = eb->args;
2646 unsigned int user_ring_id = args->flags & I915_EXEC_RING_MASK;
2648 if (user_ring_id != I915_EXEC_BSD &&
2649 (args->flags & I915_EXEC_BSD_MASK)) {
2651 "execbuf with non bsd ring but with invalid "
2652 "bsd dispatch flags: %d\n", (int)(args->flags));
2656 if (user_ring_id == I915_EXEC_BSD &&
2657 i915->engine_uabi_class_count[I915_ENGINE_CLASS_VIDEO] > 1) {
2658 unsigned int bsd_idx = args->flags & I915_EXEC_BSD_MASK;
2660 if (bsd_idx == I915_EXEC_BSD_DEFAULT) {
2661 bsd_idx = gen8_dispatch_bsd_engine(i915, eb->file);
2662 } else if (bsd_idx >= I915_EXEC_BSD_RING1 &&
2663 bsd_idx <= I915_EXEC_BSD_RING2) {
2664 bsd_idx >>= I915_EXEC_BSD_SHIFT;
2668 "execbuf with unknown bsd ring: %u\n",
2673 return _VCS(bsd_idx);
2676 if (user_ring_id >= ARRAY_SIZE(user_ring_map)) {
2677 drm_dbg(&i915->drm, "execbuf with unknown ring: %u\n",
2682 return user_ring_map[user_ring_id];
2686 eb_select_engine(struct i915_execbuffer *eb)
2688 struct intel_context *ce, *child;
2689 struct intel_gt *gt;
2693 if (i915_gem_context_user_engines(eb->gem_context))
2694 idx = eb->args->flags & I915_EXEC_RING_MASK;
2696 idx = eb_select_legacy_ring(eb);
2698 ce = i915_gem_context_get_engine(eb->gem_context, idx);
2702 if (intel_context_is_parallel(ce)) {
2703 if (eb->buffer_count < ce->parallel.number_children + 1) {
2704 intel_context_put(ce);
2707 if (eb->batch_start_offset || eb->args->batch_len) {
2708 intel_context_put(ce);
2712 eb->num_batches = ce->parallel.number_children + 1;
2713 gt = ce->engine->gt;
2715 for_each_child(ce, child)
2716 intel_context_get(child);
2717 eb->wakeref = intel_gt_pm_get(ce->engine->gt);
2719 * Keep GT0 active on MTL so that i915_vma_parked() doesn't
2720 * free VMAs while execbuf ioctl is validating VMAs.
2723 eb->wakeref_gt0 = intel_gt_pm_get(to_gt(gt->i915));
2725 if (!test_bit(CONTEXT_ALLOC_BIT, &ce->flags)) {
2726 err = intel_context_alloc_state(ce);
2730 for_each_child(ce, child) {
2731 if (!test_bit(CONTEXT_ALLOC_BIT, &child->flags)) {
2732 err = intel_context_alloc_state(child);
2739 * ABI: Before userspace accesses the GPU (e.g. execbuffer), report
2740 * EIO if the GPU is already wedged.
2742 err = intel_gt_terminally_wedged(ce->engine->gt);
2746 if (!i915_vm_tryget(ce->vm)) {
2752 eb->gt = ce->engine->gt;
2755 * Make sure engine pool stays alive even if we call intel_context_put
2756 * during ww handling. The pool is destroyed when last pm reference
2757 * is dropped, which breaks our -EDEADLK handling.
2763 intel_gt_pm_put(to_gt(gt->i915), eb->wakeref_gt0);
2765 intel_gt_pm_put(ce->engine->gt, eb->wakeref);
2766 for_each_child(ce, child)
2767 intel_context_put(child);
2768 intel_context_put(ce);
2773 eb_put_engine(struct i915_execbuffer *eb)
2775 struct intel_context *child;
2777 i915_vm_put(eb->context->vm);
2779 * This works in conjunction with eb_select_engine() to prevent
2780 * i915_vma_parked() from interfering while execbuf validates vmas.
2782 if (eb->gt->info.id)
2783 intel_gt_pm_put(to_gt(eb->gt->i915), eb->wakeref_gt0);
2784 intel_gt_pm_put(eb->context->engine->gt, eb->wakeref);
2785 for_each_child(eb->context, child)
2786 intel_context_put(child);
2787 intel_context_put(eb->context);
2791 __free_fence_array(struct eb_fence *fences, unsigned int n)
2794 drm_syncobj_put(ptr_mask_bits(fences[n].syncobj, 2));
2795 dma_fence_put(fences[n].dma_fence);
2796 dma_fence_chain_free(fences[n].chain_fence);
2802 add_timeline_fence_array(struct i915_execbuffer *eb,
2803 const struct drm_i915_gem_execbuffer_ext_timeline_fences *timeline_fences)
2805 struct drm_i915_gem_exec_fence __user *user_fences;
2806 u64 __user *user_values;
2811 nfences = timeline_fences->fence_count;
2815 /* Check multiplication overflow for access_ok() and kvmalloc_array() */
2816 BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long));
2817 if (nfences > min_t(unsigned long,
2818 ULONG_MAX / sizeof(*user_fences),
2819 SIZE_MAX / sizeof(*f)) - eb->num_fences)
2822 user_fences = u64_to_user_ptr(timeline_fences->handles_ptr);
2823 if (!access_ok(user_fences, nfences * sizeof(*user_fences)))
2826 user_values = u64_to_user_ptr(timeline_fences->values_ptr);
2827 if (!access_ok(user_values, nfences * sizeof(*user_values)))
2830 f = krealloc(eb->fences,
2831 (eb->num_fences + nfences) * sizeof(*f),
2832 __GFP_NOWARN | GFP_KERNEL);
2837 f += eb->num_fences;
2839 BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) &
2840 ~__I915_EXEC_FENCE_UNKNOWN_FLAGS);
2843 struct drm_i915_gem_exec_fence user_fence;
2844 struct drm_syncobj *syncobj;
2845 struct dma_fence *fence = NULL;
2848 if (__copy_from_user(&user_fence,
2850 sizeof(user_fence)))
2853 if (user_fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS)
2856 if (__get_user(point, user_values++))
2859 syncobj = drm_syncobj_find(eb->file, user_fence.handle);
2861 drm_dbg(&eb->i915->drm,
2862 "Invalid syncobj handle provided\n");
2866 fence = drm_syncobj_fence_get(syncobj);
2868 if (!fence && user_fence.flags &&
2869 !(user_fence.flags & I915_EXEC_FENCE_SIGNAL)) {
2870 drm_dbg(&eb->i915->drm,
2871 "Syncobj handle has no fence\n");
2872 drm_syncobj_put(syncobj);
2877 err = dma_fence_chain_find_seqno(&fence, point);
2879 if (err && !(user_fence.flags & I915_EXEC_FENCE_SIGNAL)) {
2880 drm_dbg(&eb->i915->drm,
2881 "Syncobj handle missing requested point %llu\n",
2883 dma_fence_put(fence);
2884 drm_syncobj_put(syncobj);
2889 * A point might have been signaled already and
2890 * garbage collected from the timeline. In this case
2891 * just ignore the point and carry on.
2893 if (!fence && !(user_fence.flags & I915_EXEC_FENCE_SIGNAL)) {
2894 drm_syncobj_put(syncobj);
2899 * For timeline syncobjs we need to preallocate chains for
2902 if (point != 0 && user_fence.flags & I915_EXEC_FENCE_SIGNAL) {
2904 * Waiting and signaling the same point (when point !=
2905 * 0) would break the timeline.
2907 if (user_fence.flags & I915_EXEC_FENCE_WAIT) {
2908 drm_dbg(&eb->i915->drm,
2909 "Trying to wait & signal the same timeline point.\n");
2910 dma_fence_put(fence);
2911 drm_syncobj_put(syncobj);
2915 f->chain_fence = dma_fence_chain_alloc();
2916 if (!f->chain_fence) {
2917 drm_syncobj_put(syncobj);
2918 dma_fence_put(fence);
2922 f->chain_fence = NULL;
2925 f->syncobj = ptr_pack_bits(syncobj, user_fence.flags, 2);
2926 f->dma_fence = fence;
2935 static int add_fence_array(struct i915_execbuffer *eb)
2937 struct drm_i915_gem_execbuffer2 *args = eb->args;
2938 struct drm_i915_gem_exec_fence __user *user;
2939 unsigned long num_fences = args->num_cliprects;
2942 if (!(args->flags & I915_EXEC_FENCE_ARRAY))
2948 /* Check multiplication overflow for access_ok() and kvmalloc_array() */
2949 BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long));
2950 if (num_fences > min_t(unsigned long,
2951 ULONG_MAX / sizeof(*user),
2952 SIZE_MAX / sizeof(*f) - eb->num_fences))
2955 user = u64_to_user_ptr(args->cliprects_ptr);
2956 if (!access_ok(user, num_fences * sizeof(*user)))
2959 f = krealloc(eb->fences,
2960 (eb->num_fences + num_fences) * sizeof(*f),
2961 __GFP_NOWARN | GFP_KERNEL);
2966 f += eb->num_fences;
2967 while (num_fences--) {
2968 struct drm_i915_gem_exec_fence user_fence;
2969 struct drm_syncobj *syncobj;
2970 struct dma_fence *fence = NULL;
2972 if (__copy_from_user(&user_fence, user++, sizeof(user_fence)))
2975 if (user_fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS)
2978 syncobj = drm_syncobj_find(eb->file, user_fence.handle);
2980 drm_dbg(&eb->i915->drm,
2981 "Invalid syncobj handle provided\n");
2985 if (user_fence.flags & I915_EXEC_FENCE_WAIT) {
2986 fence = drm_syncobj_fence_get(syncobj);
2988 drm_dbg(&eb->i915->drm,
2989 "Syncobj handle has no fence\n");
2990 drm_syncobj_put(syncobj);
2995 BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) &
2996 ~__I915_EXEC_FENCE_UNKNOWN_FLAGS);
2998 f->syncobj = ptr_pack_bits(syncobj, user_fence.flags, 2);
2999 f->dma_fence = fence;
3001 f->chain_fence = NULL;
3009 static void put_fence_array(struct eb_fence *fences, int num_fences)
3012 __free_fence_array(fences, num_fences);
3016 await_fence_array(struct i915_execbuffer *eb,
3017 struct i915_request *rq)
3022 for (n = 0; n < eb->num_fences; n++) {
3023 if (!eb->fences[n].dma_fence)
3026 err = i915_request_await_dma_fence(rq, eb->fences[n].dma_fence);
3034 static void signal_fence_array(const struct i915_execbuffer *eb,
3035 struct dma_fence * const fence)
3039 for (n = 0; n < eb->num_fences; n++) {
3040 struct drm_syncobj *syncobj;
3043 syncobj = ptr_unpack_bits(eb->fences[n].syncobj, &flags, 2);
3044 if (!(flags & I915_EXEC_FENCE_SIGNAL))
3047 if (eb->fences[n].chain_fence) {
3048 drm_syncobj_add_point(syncobj,
3049 eb->fences[n].chain_fence,
3051 eb->fences[n].value);
3053 * The chain's ownership is transferred to the
3056 eb->fences[n].chain_fence = NULL;
3058 drm_syncobj_replace_fence(syncobj, fence);
3064 parse_timeline_fences(struct i915_user_extension __user *ext, void *data)
3066 struct i915_execbuffer *eb = data;
3067 struct drm_i915_gem_execbuffer_ext_timeline_fences timeline_fences;
3069 if (copy_from_user(&timeline_fences, ext, sizeof(timeline_fences)))
3072 return add_timeline_fence_array(eb, &timeline_fences);
3075 static void retire_requests(struct intel_timeline *tl, struct i915_request *end)
3077 struct i915_request *rq, *rn;
3079 list_for_each_entry_safe(rq, rn, &tl->requests, link)
3080 if (rq == end || !i915_request_retire(rq))
3084 static int eb_request_add(struct i915_execbuffer *eb, struct i915_request *rq,
3085 int err, bool last_parallel)
3087 struct intel_timeline * const tl = i915_request_timeline(rq);
3088 struct i915_sched_attr attr = {};
3089 struct i915_request *prev;
3091 lockdep_assert_held(&tl->mutex);
3092 lockdep_unpin_lock(&tl->mutex, rq->cookie);
3094 trace_i915_request_add(rq);
3096 prev = __i915_request_commit(rq);
3098 /* Check that the context wasn't destroyed before submission */
3099 if (likely(!intel_context_is_closed(eb->context))) {
3100 attr = eb->gem_context->sched;
3102 /* Serialise with context_close via the add_to_timeline */
3103 i915_request_set_error_once(rq, -ENOENT);
3104 __i915_request_skip(rq);
3105 err = -ENOENT; /* override any transient errors */
3108 if (intel_context_is_parallel(eb->context)) {
3110 __i915_request_skip(rq);
3111 set_bit(I915_FENCE_FLAG_SKIP_PARALLEL,
3115 set_bit(I915_FENCE_FLAG_SUBMIT_PARALLEL,
3119 __i915_request_queue(rq, &attr);
3121 /* Try to clean up the client's timeline after submitting the request */
3123 retire_requests(tl, prev);
3125 mutex_unlock(&tl->mutex);
3130 static int eb_requests_add(struct i915_execbuffer *eb, int err)
3135 * We iterate in reverse order of creation to release timeline mutexes in
3138 for_each_batch_add_order(eb, i) {
3139 struct i915_request *rq = eb->requests[i];
3143 err |= eb_request_add(eb, rq, err, i == 0);
3149 static const i915_user_extension_fn execbuf_extensions[] = {
3150 [DRM_I915_GEM_EXECBUFFER_EXT_TIMELINE_FENCES] = parse_timeline_fences,
3154 parse_execbuf2_extensions(struct drm_i915_gem_execbuffer2 *args,
3155 struct i915_execbuffer *eb)
3157 if (!(args->flags & I915_EXEC_USE_EXTENSIONS))
3160 /* The execbuf2 extension mechanism reuses cliprects_ptr. So we cannot
3161 * have another flag also using it at the same time.
3163 if (eb->args->flags & I915_EXEC_FENCE_ARRAY)
3166 if (args->num_cliprects != 0)
3169 return i915_user_extensions(u64_to_user_ptr(args->cliprects_ptr),
3171 ARRAY_SIZE(execbuf_extensions),
3175 static void eb_requests_get(struct i915_execbuffer *eb)
3179 for_each_batch_create_order(eb, i) {
3180 if (!eb->requests[i])
3183 i915_request_get(eb->requests[i]);
3187 static void eb_requests_put(struct i915_execbuffer *eb)
3191 for_each_batch_create_order(eb, i) {
3192 if (!eb->requests[i])
3195 i915_request_put(eb->requests[i]);
3199 static struct sync_file *
3200 eb_composite_fence_create(struct i915_execbuffer *eb, int out_fence_fd)
3202 struct sync_file *out_fence = NULL;
3203 struct dma_fence_array *fence_array;
3204 struct dma_fence **fences;
3207 GEM_BUG_ON(!intel_context_is_parent(eb->context));
3209 fences = kmalloc_array(eb->num_batches, sizeof(*fences), GFP_KERNEL);
3211 return ERR_PTR(-ENOMEM);
3213 for_each_batch_create_order(eb, i) {
3214 fences[i] = &eb->requests[i]->fence;
3215 __set_bit(I915_FENCE_FLAG_COMPOSITE,
3216 &eb->requests[i]->fence.flags);
3219 fence_array = dma_fence_array_create(eb->num_batches,
3221 eb->context->parallel.fence_context,
3222 eb->context->parallel.seqno++,
3226 return ERR_PTR(-ENOMEM);
3229 /* Move ownership to the dma_fence_array created above */
3230 for_each_batch_create_order(eb, i)
3231 dma_fence_get(fences[i]);
3233 if (out_fence_fd != -1) {
3234 out_fence = sync_file_create(&fence_array->base);
3235 /* sync_file now owns fence_arry, drop creation ref */
3236 dma_fence_put(&fence_array->base);
3238 return ERR_PTR(-ENOMEM);
3241 eb->composite_fence = &fence_array->base;
3246 static struct sync_file *
3247 eb_fences_add(struct i915_execbuffer *eb, struct i915_request *rq,
3248 struct dma_fence *in_fence, int out_fence_fd)
3250 struct sync_file *out_fence = NULL;
3253 if (unlikely(eb->gem_context->syncobj)) {
3254 struct dma_fence *fence;
3256 fence = drm_syncobj_fence_get(eb->gem_context->syncobj);
3257 err = i915_request_await_dma_fence(rq, fence);
3258 dma_fence_put(fence);
3260 return ERR_PTR(err);
3264 if (eb->args->flags & I915_EXEC_FENCE_SUBMIT)
3265 err = i915_request_await_execution(rq, in_fence);
3267 err = i915_request_await_dma_fence(rq, in_fence);
3269 return ERR_PTR(err);
3273 err = await_fence_array(eb, rq);
3275 return ERR_PTR(err);
3278 if (intel_context_is_parallel(eb->context)) {
3279 out_fence = eb_composite_fence_create(eb, out_fence_fd);
3280 if (IS_ERR(out_fence))
3281 return ERR_PTR(-ENOMEM);
3282 } else if (out_fence_fd != -1) {
3283 out_fence = sync_file_create(&rq->fence);
3285 return ERR_PTR(-ENOMEM);
3291 static struct intel_context *
3292 eb_find_context(struct i915_execbuffer *eb, unsigned int context_number)
3294 struct intel_context *child;
3296 if (likely(context_number == 0))
3299 for_each_child(eb->context, child)
3300 if (!--context_number)
3303 GEM_BUG_ON("Context not found");
3308 static struct sync_file *
3309 eb_requests_create(struct i915_execbuffer *eb, struct dma_fence *in_fence,
3312 struct sync_file *out_fence = NULL;
3315 for_each_batch_create_order(eb, i) {
3316 /* Allocate a request for this batch buffer nice and early. */
3317 eb->requests[i] = i915_request_create(eb_find_context(eb, i));
3318 if (IS_ERR(eb->requests[i])) {
3319 out_fence = ERR_CAST(eb->requests[i]);
3320 eb->requests[i] = NULL;
3325 * Only the first request added (committed to backend) has to
3326 * take the in fences into account as all subsequent requests
3327 * will have fences inserted inbetween them.
3329 if (i + 1 == eb->num_batches) {
3330 out_fence = eb_fences_add(eb, eb->requests[i],
3331 in_fence, out_fence_fd);
3332 if (IS_ERR(out_fence))
3337 * Not really on stack, but we don't want to call
3338 * kfree on the batch_snapshot when we put it, so use the
3339 * _onstack interface.
3341 if (eb->batches[i]->vma)
3342 eb->requests[i]->batch_res =
3343 i915_vma_resource_get(eb->batches[i]->vma->resource);
3344 if (eb->batch_pool) {
3345 GEM_BUG_ON(intel_context_is_parallel(eb->context));
3346 intel_gt_buffer_pool_mark_active(eb->batch_pool,
3355 i915_gem_do_execbuffer(struct drm_device *dev,
3356 struct drm_file *file,
3357 struct drm_i915_gem_execbuffer2 *args,
3358 struct drm_i915_gem_exec_object2 *exec)
3360 struct drm_i915_private *i915 = to_i915(dev);
3361 struct i915_execbuffer eb;
3362 struct dma_fence *in_fence = NULL;
3363 struct sync_file *out_fence = NULL;
3364 int out_fence_fd = -1;
3367 BUILD_BUG_ON(__EXEC_INTERNAL_FLAGS & ~__I915_EXEC_ILLEGAL_FLAGS);
3368 BUILD_BUG_ON(__EXEC_OBJECT_INTERNAL_FLAGS &
3369 ~__EXEC_OBJECT_UNKNOWN_FLAGS);
3374 if (DBG_FORCE_RELOC || !(args->flags & I915_EXEC_NO_RELOC))
3375 args->flags |= __EXEC_HAS_RELOC;
3378 eb.vma = (struct eb_vma *)(exec + args->buffer_count + 1);
3379 eb.vma[0].vma = NULL;
3380 eb.batch_pool = NULL;
3382 eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
3383 reloc_cache_init(&eb.reloc_cache, eb.i915);
3385 eb.buffer_count = args->buffer_count;
3386 eb.batch_start_offset = args->batch_start_offset;
3387 eb.trampoline = NULL;
3392 eb_capture_list_clear(&eb);
3394 memset(eb.requests, 0, sizeof(struct i915_request *) *
3395 ARRAY_SIZE(eb.requests));
3396 eb.composite_fence = NULL;
3399 if (args->flags & I915_EXEC_SECURE) {
3400 if (GRAPHICS_VER(i915) >= 11)
3403 /* Return -EPERM to trigger fallback code on old binaries. */
3404 if (!HAS_SECURE_BATCHES(i915))
3407 if (!drm_is_current_master(file) || !capable(CAP_SYS_ADMIN))
3410 eb.batch_flags |= I915_DISPATCH_SECURE;
3412 if (args->flags & I915_EXEC_IS_PINNED)
3413 eb.batch_flags |= I915_DISPATCH_PINNED;
3415 err = parse_execbuf2_extensions(args, &eb);
3419 err = add_fence_array(&eb);
3423 #define IN_FENCES (I915_EXEC_FENCE_IN | I915_EXEC_FENCE_SUBMIT)
3424 if (args->flags & IN_FENCES) {
3425 if ((args->flags & IN_FENCES) == IN_FENCES)
3428 in_fence = sync_file_get_fence(lower_32_bits(args->rsvd2));
3436 if (args->flags & I915_EXEC_FENCE_OUT) {
3437 out_fence_fd = get_unused_fd_flags(O_CLOEXEC);
3438 if (out_fence_fd < 0) {
3444 err = eb_create(&eb);
3448 GEM_BUG_ON(!eb.lut_size);
3450 err = eb_select_context(&eb);
3454 err = eb_select_engine(&eb);
3458 err = eb_lookup_vmas(&eb);
3460 eb_release_vmas(&eb, true);
3464 i915_gem_ww_ctx_init(&eb.ww, true);
3466 err = eb_relocate_parse(&eb);
3469 * If the user expects the execobject.offset and
3470 * reloc.presumed_offset to be an exact match,
3471 * as for using NO_RELOC, then we cannot update
3472 * the execobject.offset until we have completed
3475 args->flags &= ~__EXEC_HAS_RELOC;
3479 ww_acquire_done(&eb.ww.ctx);
3480 err = eb_capture_stage(&eb);
3484 out_fence = eb_requests_create(&eb, in_fence, out_fence_fd);
3485 if (IS_ERR(out_fence)) {
3486 err = PTR_ERR(out_fence);
3494 err = eb_submit(&eb);
3497 eb_requests_get(&eb);
3498 err = eb_requests_add(&eb, err);
3501 signal_fence_array(&eb, eb.composite_fence ?
3502 eb.composite_fence :
3503 &eb.requests[0]->fence);
3505 if (unlikely(eb.gem_context->syncobj)) {
3506 drm_syncobj_replace_fence(eb.gem_context->syncobj,
3507 eb.composite_fence ?
3508 eb.composite_fence :
3509 &eb.requests[0]->fence);
3514 fd_install(out_fence_fd, out_fence->file);
3515 args->rsvd2 &= GENMASK_ULL(31, 0); /* keep in-fence */
3516 args->rsvd2 |= (u64)out_fence_fd << 32;
3519 fput(out_fence->file);
3523 if (!out_fence && eb.composite_fence)
3524 dma_fence_put(eb.composite_fence);
3526 eb_requests_put(&eb);
3529 eb_release_vmas(&eb, true);
3530 WARN_ON(err == -EDEADLK);
3531 i915_gem_ww_ctx_fini(&eb.ww);
3534 intel_gt_buffer_pool_put(eb.batch_pool);
3538 i915_gem_context_put(eb.gem_context);
3542 if (out_fence_fd != -1)
3543 put_unused_fd(out_fence_fd);
3545 dma_fence_put(in_fence);
3547 put_fence_array(eb.fences, eb.num_fences);
3551 static size_t eb_element_size(void)
3553 return sizeof(struct drm_i915_gem_exec_object2) + sizeof(struct eb_vma);
3556 static bool check_buffer_count(size_t count)
3558 const size_t sz = eb_element_size();
3561 * When using LUT_HANDLE, we impose a limit of INT_MAX for the lookup
3562 * array size (see eb_create()). Otherwise, we can accept an array as
3563 * large as can be addressed (though use large arrays at your peril)!
3566 return !(count < 1 || count > INT_MAX || count > SIZE_MAX / sz - 1);
3570 i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data,
3571 struct drm_file *file)
3573 struct drm_i915_private *i915 = to_i915(dev);
3574 struct drm_i915_gem_execbuffer2 *args = data;
3575 struct drm_i915_gem_exec_object2 *exec2_list;
3576 const size_t count = args->buffer_count;
3579 if (!check_buffer_count(count)) {
3580 drm_dbg(&i915->drm, "execbuf2 with %zd buffers\n", count);
3584 err = i915_gem_check_execbuffer(i915, args);
3588 /* Allocate extra slots for use by the command parser */
3589 exec2_list = kvmalloc_array(count + 2, eb_element_size(),
3590 __GFP_NOWARN | GFP_KERNEL);
3591 if (exec2_list == NULL) {
3592 drm_dbg(&i915->drm, "Failed to allocate exec list for %zd buffers\n",
3596 if (copy_from_user(exec2_list,
3597 u64_to_user_ptr(args->buffers_ptr),
3598 sizeof(*exec2_list) * count)) {
3599 drm_dbg(&i915->drm, "copy %zd exec entries failed\n", count);
3604 err = i915_gem_do_execbuffer(dev, file, args, exec2_list);
3607 * Now that we have begun execution of the batchbuffer, we ignore
3608 * any new error after this point. Also given that we have already
3609 * updated the associated relocations, we try to write out the current
3610 * object locations irrespective of any error.
3612 if (args->flags & __EXEC_HAS_RELOC) {
3613 struct drm_i915_gem_exec_object2 __user *user_exec_list =
3614 u64_to_user_ptr(args->buffers_ptr);
3617 /* Copy the new buffer offsets back to the user's exec list. */
3619 * Note: count * sizeof(*user_exec_list) does not overflow,
3620 * because we checked 'count' in check_buffer_count().
3622 * And this range already got effectively checked earlier
3623 * when we did the "copy_from_user()" above.
3625 if (!user_write_access_begin(user_exec_list,
3626 count * sizeof(*user_exec_list)))
3629 for (i = 0; i < args->buffer_count; i++) {
3630 if (!(exec2_list[i].offset & UPDATE))
3633 exec2_list[i].offset =
3634 gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
3635 unsafe_put_user(exec2_list[i].offset,
3636 &user_exec_list[i].offset,
3640 user_write_access_end();
3644 args->flags &= ~__I915_EXEC_UNKNOWN_FLAGS;
projects / linux-2.6-microblaze.git / blob