2 * SPDX-License-Identifier: MIT
4 * Copyright © 2008,2010 Intel Corporation
7 #include <linux/intel-iommu.h>
8 #include <linux/dma-resv.h>
9 #include <linux/sync_file.h>
10 #include <linux/uaccess.h>
12 #include <drm/drm_syncobj.h>
14 #include "display/intel_frontbuffer.h"
16 #include "gem/i915_gem_ioctls.h"
17 #include "gt/intel_context.h"
18 #include "gt/intel_gt.h"
19 #include "gt/intel_gt_buffer_pool.h"
20 #include "gt/intel_gt_pm.h"
21 #include "gt/intel_ring.h"
24 #include "i915_gem_clflush.h"
25 #include "i915_gem_context.h"
26 #include "i915_gem_ioctls.h"
27 #include "i915_trace.h"
28 #include "i915_user_extensions.h"
34 /** This vma's place in the execbuf reservation list */
35 struct drm_i915_gem_exec_object2 *exec;
36 struct list_head bind_link;
37 struct list_head reloc_link;
39 struct hlist_node node;
47 #define DBG_FORCE_RELOC 0 /* choose one of the above! */
50 #define __EXEC_OBJECT_HAS_PIN BIT(31)
51 #define __EXEC_OBJECT_HAS_FENCE BIT(30)
52 #define __EXEC_OBJECT_NEEDS_MAP BIT(29)
53 #define __EXEC_OBJECT_NEEDS_BIAS BIT(28)
54 #define __EXEC_OBJECT_INTERNAL_FLAGS (~0u << 28) /* all of the above */
55 #define __EXEC_OBJECT_RESERVED (__EXEC_OBJECT_HAS_PIN | __EXEC_OBJECT_HAS_FENCE)
57 #define __EXEC_HAS_RELOC BIT(31)
58 #define __EXEC_ENGINE_PINNED BIT(30)
59 #define __EXEC_INTERNAL_FLAGS (~0u << 30)
60 #define UPDATE PIN_OFFSET_FIXED
62 #define BATCH_OFFSET_BIAS (256*1024)
64 #define __I915_EXEC_ILLEGAL_FLAGS \
65 (__I915_EXEC_UNKNOWN_FLAGS | \
66 I915_EXEC_CONSTANTS_MASK | \
67 I915_EXEC_RESOURCE_STREAMER)
69 /* Catch emission of unexpected errors for CI! */
70 #if IS_ENABLED(CONFIG_DRM_I915_DEBUG_GEM)
73 DRM_DEBUG_DRIVER("EINVAL at %s:%d\n", __func__, __LINE__); \
79 * DOC: User command execution
81 * Userspace submits commands to be executed on the GPU as an instruction
82 * stream within a GEM object we call a batchbuffer. This instructions may
83 * refer to other GEM objects containing auxiliary state such as kernels,
84 * samplers, render targets and even secondary batchbuffers. Userspace does
85 * not know where in the GPU memory these objects reside and so before the
86 * batchbuffer is passed to the GPU for execution, those addresses in the
87 * batchbuffer and auxiliary objects are updated. This is known as relocation,
88 * or patching. To try and avoid having to relocate each object on the next
89 * execution, userspace is told the location of those objects in this pass,
90 * but this remains just a hint as the kernel may choose a new location for
91 * any object in the future.
93 * At the level of talking to the hardware, submitting a batchbuffer for the
94 * GPU to execute is to add content to a buffer from which the HW
95 * command streamer is reading.
97 * 1. Add a command to load the HW context. For Logical Ring Contexts, i.e.
98 * Execlists, this command is not placed on the same buffer as the
101 * 2. Add a command to invalidate caches to the buffer.
103 * 3. Add a batchbuffer start command to the buffer; the start command is
104 * essentially a token together with the GPU address of the batchbuffer
107 * 4. Add a pipeline flush to the buffer.
109 * 5. Add a memory write command to the buffer to record when the GPU
110 * is done executing the batchbuffer. The memory write writes the
111 * global sequence number of the request, ``i915_request::global_seqno``;
112 * the i915 driver uses the current value in the register to determine
113 * if the GPU has completed the batchbuffer.
115 * 6. Add a user interrupt command to the buffer. This command instructs
116 * the GPU to issue an interrupt when the command, pipeline flush and
117 * memory write are completed.
119 * 7. Inform the hardware of the additional commands added to the buffer
120 * (by updating the tail pointer).
122 * Processing an execbuf ioctl is conceptually split up into a few phases.
124 * 1. Validation - Ensure all the pointers, handles and flags are valid.
125 * 2. Reservation - Assign GPU address space for every object
126 * 3. Relocation - Update any addresses to point to the final locations
127 * 4. Serialisation - Order the request with respect to its dependencies
128 * 5. Construction - Construct a request to execute the batchbuffer
129 * 6. Submission (at some point in the future execution)
131 * Reserving resources for the execbuf is the most complicated phase. We
132 * neither want to have to migrate the object in the address space, nor do
133 * we want to have to update any relocations pointing to this object. Ideally,
134 * we want to leave the object where it is and for all the existing relocations
135 * to match. If the object is given a new address, or if userspace thinks the
136 * object is elsewhere, we have to parse all the relocation entries and update
137 * the addresses. Userspace can set the I915_EXEC_NORELOC flag to hint that
138 * all the target addresses in all of its objects match the value in the
139 * relocation entries and that they all match the presumed offsets given by the
140 * list of execbuffer objects. Using this knowledge, we know that if we haven't
141 * moved any buffers, all the relocation entries are valid and we can skip
142 * the update. (If userspace is wrong, the likely outcome is an impromptu GPU
143 * hang.) The requirement for using I915_EXEC_NO_RELOC are:
145 * The addresses written in the objects must match the corresponding
146 * reloc.presumed_offset which in turn must match the corresponding
149 * Any render targets written to in the batch must be flagged with
152 * To avoid stalling, execobject.offset should match the current
153 * address of that object within the active context.
155 * The reservation is done is multiple phases. First we try and keep any
156 * object already bound in its current location - so as long as meets the
157 * constraints imposed by the new execbuffer. Any object left unbound after the
158 * first pass is then fitted into any available idle space. If an object does
159 * not fit, all objects are removed from the reservation and the process rerun
160 * after sorting the objects into a priority order (more difficult to fit
161 * objects are tried first). Failing that, the entire VM is cleared and we try
162 * to fit the execbuf once last time before concluding that it simply will not
165 * A small complication to all of this is that we allow userspace not only to
166 * specify an alignment and a size for the object in the address space, but
167 * we also allow userspace to specify the exact offset. This objects are
168 * simpler to place (the location is known a priori) all we have to do is make
169 * sure the space is available.
171 * Once all the objects are in place, patching up the buried pointers to point
172 * to the final locations is a fairly simple job of walking over the relocation
173 * entry arrays, looking up the right address and rewriting the value into
174 * the object. Simple! ... The relocation entries are stored in user memory
175 * and so to access them we have to copy them into a local buffer. That copy
176 * has to avoid taking any pagefaults as they may lead back to a GEM object
177 * requiring the struct_mutex (i.e. recursive deadlock). So once again we split
178 * the relocation into multiple passes. First we try to do everything within an
179 * atomic context (avoid the pagefaults) which requires that we never wait. If
180 * we detect that we may wait, or if we need to fault, then we have to fallback
181 * to a slower path. The slowpath has to drop the mutex. (Can you hear alarm
182 * bells yet?) Dropping the mutex means that we lose all the state we have
183 * built up so far for the execbuf and we must reset any global data. However,
184 * we do leave the objects pinned in their final locations - which is a
185 * potential issue for concurrent execbufs. Once we have left the mutex, we can
186 * allocate and copy all the relocation entries into a large array at our
187 * leisure, reacquire the mutex, reclaim all the objects and other state and
188 * then proceed to update any incorrect addresses with the objects.
190 * As we process the relocation entries, we maintain a record of whether the
191 * object is being written to. Using NORELOC, we expect userspace to provide
192 * this information instead. We also check whether we can skip the relocation
193 * by comparing the expected value inside the relocation entry with the target's
194 * final address. If they differ, we have to map the current object and rewrite
195 * the 4 or 8 byte pointer within.
197 * Serialising an execbuf is quite simple according to the rules of the GEM
198 * ABI. Execution within each context is ordered by the order of submission.
199 * Writes to any GEM object are in order of submission and are exclusive. Reads
200 * from a GEM object are unordered with respect to other reads, but ordered by
201 * writes. A write submitted after a read cannot occur before the read, and
202 * similarly any read submitted after a write cannot occur before the write.
203 * Writes are ordered between engines such that only one write occurs at any
204 * time (completing any reads beforehand) - using semaphores where available
205 * and CPU serialisation otherwise. Other GEM access obey the same rules, any
206 * write (either via mmaps using set-domain, or via pwrite) must flush all GPU
207 * reads before starting, and any read (either using set-domain or pread) must
208 * flush all GPU writes before starting. (Note we only employ a barrier before,
209 * we currently rely on userspace not concurrently starting a new execution
210 * whilst reading or writing to an object. This may be an advantage or not
211 * depending on how much you trust userspace not to shoot themselves in the
212 * foot.) Serialisation may just result in the request being inserted into
213 * a DAG awaiting its turn, but most simple is to wait on the CPU until
214 * all dependencies are resolved.
216 * After all of that, is just a matter of closing the request and handing it to
217 * the hardware (well, leaving it in a queue to be executed). However, we also
218 * offer the ability for batchbuffers to be run with elevated privileges so
219 * that they access otherwise hidden registers. (Used to adjust L3 cache etc.)
220 * Before any batch is given extra privileges we first must check that it
221 * contains no nefarious instructions, we check that each instruction is from
222 * our whitelist and all registers are also from an allowed list. We first
223 * copy the user's batchbuffer to a shadow (so that the user doesn't have
224 * access to it, either by the CPU or GPU as we scan it) and then parse each
225 * instruction. If everything is ok, we set a flag telling the hardware to run
226 * the batchbuffer in trusted mode, otherwise the ioctl is rejected.
230 struct drm_syncobj *syncobj; /* Use with ptr_mask_bits() */
231 struct dma_fence *dma_fence;
233 struct dma_fence_chain *chain_fence;
236 struct i915_execbuffer {
237 struct drm_i915_private *i915; /** i915 backpointer */
238 struct drm_file *file; /** per-file lookup tables and limits */
239 struct drm_i915_gem_execbuffer2 *args; /** ioctl parameters */
240 struct drm_i915_gem_exec_object2 *exec; /** ioctl execobj[] */
243 struct intel_engine_cs *engine; /** engine to queue the request to */
244 struct intel_context *context; /* logical state for the request */
245 struct i915_gem_context *gem_context; /** caller's context */
247 struct i915_request *request; /** our request to build */
248 struct eb_vma *batch; /** identity of the batch obj/vma */
249 struct i915_vma *trampoline; /** trampoline used for chaining */
251 /** actual size of execobj[] as we may extend it for the cmdparser */
252 unsigned int buffer_count;
254 /** list of vma not yet bound during reservation phase */
255 struct list_head unbound;
257 /** list of vma that have execobj.relocation_count */
258 struct list_head relocs;
260 struct i915_gem_ww_ctx ww;
263 * Track the most recently used object for relocations, as we
264 * frequently have to perform multiple relocations within the same
268 struct drm_mm_node node; /** temporary GTT binding */
269 unsigned long vaddr; /** Current kmap address */
270 unsigned long page; /** Currently mapped page index */
271 unsigned int gen; /** Cached value of INTEL_GEN */
272 bool use_64bit_reloc : 1;
275 bool needs_unfenced : 1;
277 struct i915_request *rq;
279 unsigned int rq_size;
280 struct intel_gt_buffer_pool_node *pool;
283 struct intel_gt_buffer_pool_node *reloc_pool; /** relocation pool for -EDEADLK handling */
284 struct intel_context *reloc_context;
286 u64 invalid_flags; /** Set of execobj.flags that are invalid */
287 u32 context_flags; /** Set of execobj.flags to insert from the ctx */
289 u64 batch_len; /** Length of batch within object */
290 u32 batch_start_offset; /** Location within object of batch */
291 u32 batch_flags; /** Flags composed for emit_bb_start() */
292 struct intel_gt_buffer_pool_node *batch_pool; /** pool node for batch buffer */
295 * Indicate either the size of the hastable used to resolve
296 * relocation handles, or if negative that we are using a direct
297 * index into the execobj[].
300 struct hlist_head *buckets; /** ht for relocation handles */
302 struct eb_fence *fences;
303 unsigned long num_fences;
306 static int eb_parse(struct i915_execbuffer *eb);
307 static struct i915_request *eb_pin_engine(struct i915_execbuffer *eb,
309 static void eb_unpin_engine(struct i915_execbuffer *eb);
311 static inline bool eb_use_cmdparser(const struct i915_execbuffer *eb)
313 return intel_engine_requires_cmd_parser(eb->engine) ||
314 (intel_engine_using_cmd_parser(eb->engine) &&
315 eb->args->batch_len);
318 static int eb_create(struct i915_execbuffer *eb)
320 if (!(eb->args->flags & I915_EXEC_HANDLE_LUT)) {
321 unsigned int size = 1 + ilog2(eb->buffer_count);
324 * Without a 1:1 association between relocation handles and
325 * the execobject[] index, we instead create a hashtable.
326 * We size it dynamically based on available memory, starting
327 * first with 1:1 assocative hash and scaling back until
328 * the allocation succeeds.
330 * Later on we use a positive lut_size to indicate we are
331 * using this hashtable, and a negative value to indicate a
337 /* While we can still reduce the allocation size, don't
338 * raise a warning and allow the allocation to fail.
339 * On the last pass though, we want to try as hard
340 * as possible to perform the allocation and warn
345 flags |= __GFP_NORETRY | __GFP_NOWARN;
347 eb->buckets = kzalloc(sizeof(struct hlist_head) << size,
358 eb->lut_size = -eb->buffer_count;
365 eb_vma_misplaced(const struct drm_i915_gem_exec_object2 *entry,
366 const struct i915_vma *vma,
369 if (vma->node.size < entry->pad_to_size)
372 if (entry->alignment && !IS_ALIGNED(vma->node.start, entry->alignment))
375 if (flags & EXEC_OBJECT_PINNED &&
376 vma->node.start != entry->offset)
379 if (flags & __EXEC_OBJECT_NEEDS_BIAS &&
380 vma->node.start < BATCH_OFFSET_BIAS)
383 if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS) &&
384 (vma->node.start + vma->node.size + 4095) >> 32)
387 if (flags & __EXEC_OBJECT_NEEDS_MAP &&
388 !i915_vma_is_map_and_fenceable(vma))
394 static u64 eb_pin_flags(const struct drm_i915_gem_exec_object2 *entry,
395 unsigned int exec_flags)
399 if (exec_flags & EXEC_OBJECT_NEEDS_GTT)
400 pin_flags |= PIN_GLOBAL;
403 * Wa32bitGeneralStateOffset & Wa32bitInstructionBaseOffset,
404 * limit address to the first 4GBs for unflagged objects.
406 if (!(exec_flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS))
407 pin_flags |= PIN_ZONE_4G;
409 if (exec_flags & __EXEC_OBJECT_NEEDS_MAP)
410 pin_flags |= PIN_MAPPABLE;
412 if (exec_flags & EXEC_OBJECT_PINNED)
413 pin_flags |= entry->offset | PIN_OFFSET_FIXED;
414 else if (exec_flags & __EXEC_OBJECT_NEEDS_BIAS)
415 pin_flags |= BATCH_OFFSET_BIAS | PIN_OFFSET_BIAS;
421 eb_pin_vma(struct i915_execbuffer *eb,
422 const struct drm_i915_gem_exec_object2 *entry,
425 struct i915_vma *vma = ev->vma;
429 pin_flags = vma->node.start;
431 pin_flags = entry->offset & PIN_OFFSET_MASK;
433 pin_flags |= PIN_USER | PIN_NOEVICT | PIN_OFFSET_FIXED;
434 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_GTT))
435 pin_flags |= PIN_GLOBAL;
437 /* Attempt to reuse the current location if available */
438 /* TODO: Add -EDEADLK handling here */
439 if (unlikely(i915_vma_pin_ww(vma, &eb->ww, 0, 0, pin_flags))) {
440 if (entry->flags & EXEC_OBJECT_PINNED)
443 /* Failing that pick any _free_ space if suitable */
444 if (unlikely(i915_vma_pin_ww(vma, &eb->ww,
447 eb_pin_flags(entry, ev->flags) |
448 PIN_USER | PIN_NOEVICT)))
452 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_FENCE)) {
453 if (unlikely(i915_vma_pin_fence(vma))) {
459 ev->flags |= __EXEC_OBJECT_HAS_FENCE;
462 ev->flags |= __EXEC_OBJECT_HAS_PIN;
463 return !eb_vma_misplaced(entry, vma, ev->flags);
467 eb_unreserve_vma(struct eb_vma *ev)
469 if (!(ev->flags & __EXEC_OBJECT_HAS_PIN))
472 if (unlikely(ev->flags & __EXEC_OBJECT_HAS_FENCE))
473 __i915_vma_unpin_fence(ev->vma);
475 __i915_vma_unpin(ev->vma);
476 ev->flags &= ~__EXEC_OBJECT_RESERVED;
480 eb_validate_vma(struct i915_execbuffer *eb,
481 struct drm_i915_gem_exec_object2 *entry,
482 struct i915_vma *vma)
484 if (unlikely(entry->flags & eb->invalid_flags))
487 if (unlikely(entry->alignment &&
488 !is_power_of_2_u64(entry->alignment)))
492 * Offset can be used as input (EXEC_OBJECT_PINNED), reject
493 * any non-page-aligned or non-canonical addresses.
495 if (unlikely(entry->flags & EXEC_OBJECT_PINNED &&
496 entry->offset != gen8_canonical_addr(entry->offset & I915_GTT_PAGE_MASK)))
499 /* pad_to_size was once a reserved field, so sanitize it */
500 if (entry->flags & EXEC_OBJECT_PAD_TO_SIZE) {
501 if (unlikely(offset_in_page(entry->pad_to_size)))
504 entry->pad_to_size = 0;
507 * From drm_mm perspective address space is continuous,
508 * so from this point we're always using non-canonical
511 entry->offset = gen8_noncanonical_addr(entry->offset);
513 if (!eb->reloc_cache.has_fence) {
514 entry->flags &= ~EXEC_OBJECT_NEEDS_FENCE;
516 if ((entry->flags & EXEC_OBJECT_NEEDS_FENCE ||
517 eb->reloc_cache.needs_unfenced) &&
518 i915_gem_object_is_tiled(vma->obj))
519 entry->flags |= EXEC_OBJECT_NEEDS_GTT | __EXEC_OBJECT_NEEDS_MAP;
522 if (!(entry->flags & EXEC_OBJECT_PINNED))
523 entry->flags |= eb->context_flags;
529 eb_add_vma(struct i915_execbuffer *eb,
530 unsigned int i, unsigned batch_idx,
531 struct i915_vma *vma)
533 struct drm_i915_gem_exec_object2 *entry = &eb->exec[i];
534 struct eb_vma *ev = &eb->vma[i];
536 GEM_BUG_ON(i915_vma_is_closed(vma));
540 ev->flags = entry->flags;
542 if (eb->lut_size > 0) {
543 ev->handle = entry->handle;
544 hlist_add_head(&ev->node,
545 &eb->buckets[hash_32(entry->handle,
549 if (entry->relocation_count)
550 list_add_tail(&ev->reloc_link, &eb->relocs);
553 * SNA is doing fancy tricks with compressing batch buffers, which leads
554 * to negative relocation deltas. Usually that works out ok since the
555 * relocate address is still positive, except when the batch is placed
556 * very low in the GTT. Ensure this doesn't happen.
558 * Note that actual hangs have only been observed on gen7, but for
559 * paranoia do it everywhere.
561 if (i == batch_idx) {
562 if (entry->relocation_count &&
563 !(ev->flags & EXEC_OBJECT_PINNED))
564 ev->flags |= __EXEC_OBJECT_NEEDS_BIAS;
565 if (eb->reloc_cache.has_fence)
566 ev->flags |= EXEC_OBJECT_NEEDS_FENCE;
572 static inline int use_cpu_reloc(const struct reloc_cache *cache,
573 const struct drm_i915_gem_object *obj)
575 if (!i915_gem_object_has_struct_page(obj))
578 if (DBG_FORCE_RELOC == FORCE_CPU_RELOC)
581 if (DBG_FORCE_RELOC == FORCE_GTT_RELOC)
584 return (cache->has_llc ||
586 obj->cache_level != I915_CACHE_NONE);
589 static int eb_reserve_vma(struct i915_execbuffer *eb,
593 struct drm_i915_gem_exec_object2 *entry = ev->exec;
594 struct i915_vma *vma = ev->vma;
597 if (drm_mm_node_allocated(&vma->node) &&
598 eb_vma_misplaced(entry, vma, ev->flags)) {
599 err = i915_vma_unbind(vma);
604 err = i915_vma_pin_ww(vma, &eb->ww,
605 entry->pad_to_size, entry->alignment,
606 eb_pin_flags(entry, ev->flags) | pin_flags);
610 if (entry->offset != vma->node.start) {
611 entry->offset = vma->node.start | UPDATE;
612 eb->args->flags |= __EXEC_HAS_RELOC;
615 if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_FENCE)) {
616 err = i915_vma_pin_fence(vma);
623 ev->flags |= __EXEC_OBJECT_HAS_FENCE;
626 ev->flags |= __EXEC_OBJECT_HAS_PIN;
627 GEM_BUG_ON(eb_vma_misplaced(entry, vma, ev->flags));
632 static int eb_reserve(struct i915_execbuffer *eb)
634 const unsigned int count = eb->buffer_count;
635 unsigned int pin_flags = PIN_USER | PIN_NONBLOCK;
636 struct list_head last;
638 unsigned int i, pass;
642 * Attempt to pin all of the buffers into the GTT.
643 * This is done in 3 phases:
645 * 1a. Unbind all objects that do not match the GTT constraints for
646 * the execbuffer (fenceable, mappable, alignment etc).
647 * 1b. Increment pin count for already bound objects.
648 * 2. Bind new objects.
649 * 3. Decrement pin count.
651 * This avoid unnecessary unbinding of later objects in order to make
652 * room for the earlier objects *unless* we need to defragment.
656 list_for_each_entry(ev, &eb->unbound, bind_link) {
657 err = eb_reserve_vma(eb, ev, pin_flags);
664 /* Resort *all* the objects into priority order */
665 INIT_LIST_HEAD(&eb->unbound);
666 INIT_LIST_HEAD(&last);
667 for (i = 0; i < count; i++) {
672 if (flags & EXEC_OBJECT_PINNED &&
673 flags & __EXEC_OBJECT_HAS_PIN)
676 eb_unreserve_vma(ev);
678 if (flags & EXEC_OBJECT_PINNED)
679 /* Pinned must have their slot */
680 list_add(&ev->bind_link, &eb->unbound);
681 else if (flags & __EXEC_OBJECT_NEEDS_MAP)
682 /* Map require the lowest 256MiB (aperture) */
683 list_add_tail(&ev->bind_link, &eb->unbound);
684 else if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS))
685 /* Prioritise 4GiB region for restricted bo */
686 list_add(&ev->bind_link, &last);
688 list_add_tail(&ev->bind_link, &last);
690 list_splice_tail(&last, &eb->unbound);
697 /* Too fragmented, unbind everything and retry */
698 mutex_lock(&eb->context->vm->mutex);
699 err = i915_gem_evict_vm(eb->context->vm);
700 mutex_unlock(&eb->context->vm->mutex);
709 pin_flags = PIN_USER;
713 static unsigned int eb_batch_index(const struct i915_execbuffer *eb)
715 if (eb->args->flags & I915_EXEC_BATCH_FIRST)
718 return eb->buffer_count - 1;
721 static int eb_select_context(struct i915_execbuffer *eb)
723 struct i915_gem_context *ctx;
725 ctx = i915_gem_context_lookup(eb->file->driver_priv, eb->args->rsvd1);
729 eb->gem_context = ctx;
730 if (rcu_access_pointer(ctx->vm))
731 eb->invalid_flags |= EXEC_OBJECT_NEEDS_GTT;
733 eb->context_flags = 0;
734 if (test_bit(UCONTEXT_NO_ZEROMAP, &ctx->user_flags))
735 eb->context_flags |= __EXEC_OBJECT_NEEDS_BIAS;
740 static int __eb_add_lut(struct i915_execbuffer *eb,
741 u32 handle, struct i915_vma *vma)
743 struct i915_gem_context *ctx = eb->gem_context;
744 struct i915_lut_handle *lut;
747 lut = i915_lut_handle_alloc();
752 if (!atomic_fetch_inc(&vma->open_count))
753 i915_vma_reopen(vma);
754 lut->handle = handle;
757 /* Check that the context hasn't been closed in the meantime */
759 if (!mutex_lock_interruptible(&ctx->lut_mutex)) {
760 struct i915_address_space *vm = rcu_access_pointer(ctx->vm);
762 if (unlikely(vm && vma->vm != vm))
763 err = -EAGAIN; /* user racing with ctx set-vm */
764 else if (likely(!i915_gem_context_is_closed(ctx)))
765 err = radix_tree_insert(&ctx->handles_vma, handle, vma);
768 if (err == 0) { /* And nor has this handle */
769 struct drm_i915_gem_object *obj = vma->obj;
771 spin_lock(&obj->lut_lock);
772 if (idr_find(&eb->file->object_idr, handle) == obj) {
773 list_add(&lut->obj_link, &obj->lut_list);
775 radix_tree_delete(&ctx->handles_vma, handle);
778 spin_unlock(&obj->lut_lock);
780 mutex_unlock(&ctx->lut_mutex);
790 i915_lut_handle_free(lut);
794 static struct i915_vma *eb_lookup_vma(struct i915_execbuffer *eb, u32 handle)
796 struct i915_address_space *vm = eb->context->vm;
799 struct drm_i915_gem_object *obj;
800 struct i915_vma *vma;
804 vma = radix_tree_lookup(&eb->gem_context->handles_vma, handle);
805 if (likely(vma && vma->vm == vm))
806 vma = i915_vma_tryget(vma);
811 obj = i915_gem_object_lookup(eb->file, handle);
813 return ERR_PTR(-ENOENT);
815 vma = i915_vma_instance(obj, vm, NULL);
817 i915_gem_object_put(obj);
821 err = __eb_add_lut(eb, handle, vma);
825 i915_gem_object_put(obj);
831 static int eb_lookup_vmas(struct i915_execbuffer *eb)
833 struct drm_i915_private *i915 = eb->i915;
834 unsigned int batch = eb_batch_index(eb);
838 INIT_LIST_HEAD(&eb->relocs);
840 for (i = 0; i < eb->buffer_count; i++) {
841 struct i915_vma *vma;
843 vma = eb_lookup_vma(eb, eb->exec[i].handle);
849 err = eb_validate_vma(eb, &eb->exec[i], vma);
855 eb_add_vma(eb, i, batch, vma);
858 if (unlikely(eb->batch->flags & EXEC_OBJECT_WRITE)) {
860 "Attempting to use self-modifying batch buffer\n");
864 if (range_overflows_t(u64,
865 eb->batch_start_offset, eb->batch_len,
866 eb->batch->vma->size)) {
867 drm_dbg(&i915->drm, "Attempting to use out-of-bounds batch\n");
871 if (eb->batch_len == 0)
872 eb->batch_len = eb->batch->vma->size - eb->batch_start_offset;
873 if (unlikely(eb->batch_len == 0)) { /* impossible! */
874 drm_dbg(&i915->drm, "Invalid batch length\n");
881 eb->vma[i].vma = NULL;
885 static int eb_validate_vmas(struct i915_execbuffer *eb)
890 INIT_LIST_HEAD(&eb->unbound);
892 for (i = 0; i < eb->buffer_count; i++) {
893 struct drm_i915_gem_exec_object2 *entry = &eb->exec[i];
894 struct eb_vma *ev = &eb->vma[i];
895 struct i915_vma *vma = ev->vma;
897 err = i915_gem_object_lock(vma->obj, &eb->ww);
901 if (eb_pin_vma(eb, entry, ev)) {
902 if (entry->offset != vma->node.start) {
903 entry->offset = vma->node.start | UPDATE;
904 eb->args->flags |= __EXEC_HAS_RELOC;
907 eb_unreserve_vma(ev);
909 list_add_tail(&ev->bind_link, &eb->unbound);
910 if (drm_mm_node_allocated(&vma->node)) {
911 err = i915_vma_unbind(vma);
917 GEM_BUG_ON(drm_mm_node_allocated(&vma->node) &&
918 eb_vma_misplaced(&eb->exec[i], vma, ev->flags));
921 if (!list_empty(&eb->unbound))
922 return eb_reserve(eb);
927 static struct eb_vma *
928 eb_get_vma(const struct i915_execbuffer *eb, unsigned long handle)
930 if (eb->lut_size < 0) {
931 if (handle >= -eb->lut_size)
933 return &eb->vma[handle];
935 struct hlist_head *head;
938 head = &eb->buckets[hash_32(handle, eb->lut_size)];
939 hlist_for_each_entry(ev, head, node) {
940 if (ev->handle == handle)
947 static void eb_release_vmas(struct i915_execbuffer *eb, bool final)
949 const unsigned int count = eb->buffer_count;
952 for (i = 0; i < count; i++) {
953 struct eb_vma *ev = &eb->vma[i];
954 struct i915_vma *vma = ev->vma;
959 eb_unreserve_vma(ev);
968 static void eb_destroy(const struct i915_execbuffer *eb)
970 GEM_BUG_ON(eb->reloc_cache.rq);
972 if (eb->lut_size > 0)
977 relocation_target(const struct drm_i915_gem_relocation_entry *reloc,
978 const struct i915_vma *target)
980 return gen8_canonical_addr((int)reloc->delta + target->node.start);
983 static void reloc_cache_clear(struct reloc_cache *cache)
986 cache->rq_cmd = NULL;
991 static void reloc_cache_init(struct reloc_cache *cache,
992 struct drm_i915_private *i915)
996 /* Must be a variable in the struct to allow GCC to unroll. */
997 cache->gen = INTEL_GEN(i915);
998 cache->has_llc = HAS_LLC(i915);
999 cache->use_64bit_reloc = HAS_64BIT_RELOC(i915);
1000 cache->has_fence = cache->gen < 4;
1001 cache->needs_unfenced = INTEL_INFO(i915)->unfenced_needs_alignment;
1002 cache->node.flags = 0;
1003 reloc_cache_clear(cache);
1006 static inline void *unmask_page(unsigned long p)
1008 return (void *)(uintptr_t)(p & PAGE_MASK);
1011 static inline unsigned int unmask_flags(unsigned long p)
1013 return p & ~PAGE_MASK;
1016 #define KMAP 0x4 /* after CLFLUSH_FLAGS */
1018 static inline struct i915_ggtt *cache_to_ggtt(struct reloc_cache *cache)
1020 struct drm_i915_private *i915 =
1021 container_of(cache, struct i915_execbuffer, reloc_cache)->i915;
1025 static void reloc_cache_put_pool(struct i915_execbuffer *eb, struct reloc_cache *cache)
1031 * This is a bit nasty, normally we keep objects locked until the end
1032 * of execbuffer, but we already submit this, and have to unlock before
1033 * dropping the reference. Fortunately we can only hold 1 pool node at
1034 * a time, so this should be harmless.
1036 i915_gem_ww_unlock_single(cache->pool->obj);
1037 intel_gt_buffer_pool_put(cache->pool);
1041 static void reloc_gpu_flush(struct i915_execbuffer *eb, struct reloc_cache *cache)
1043 struct drm_i915_gem_object *obj = cache->rq->batch->obj;
1045 GEM_BUG_ON(cache->rq_size >= obj->base.size / sizeof(u32));
1046 cache->rq_cmd[cache->rq_size] = MI_BATCH_BUFFER_END;
1048 i915_gem_object_flush_map(obj);
1049 i915_gem_object_unpin_map(obj);
1051 intel_gt_chipset_flush(cache->rq->engine->gt);
1053 i915_request_add(cache->rq);
1054 reloc_cache_put_pool(eb, cache);
1055 reloc_cache_clear(cache);
1057 eb->reloc_pool = NULL;
1060 static void reloc_cache_reset(struct reloc_cache *cache, struct i915_execbuffer *eb)
1065 reloc_gpu_flush(eb, cache);
1070 vaddr = unmask_page(cache->vaddr);
1071 if (cache->vaddr & KMAP) {
1072 struct drm_i915_gem_object *obj =
1073 (struct drm_i915_gem_object *)cache->node.mm;
1074 if (cache->vaddr & CLFLUSH_AFTER)
1077 kunmap_atomic(vaddr);
1078 i915_gem_object_finish_access(obj);
1080 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
1082 intel_gt_flush_ggtt_writes(ggtt->vm.gt);
1083 io_mapping_unmap_atomic((void __iomem *)vaddr);
1085 if (drm_mm_node_allocated(&cache->node)) {
1086 ggtt->vm.clear_range(&ggtt->vm,
1089 mutex_lock(&ggtt->vm.mutex);
1090 drm_mm_remove_node(&cache->node);
1091 mutex_unlock(&ggtt->vm.mutex);
1093 i915_vma_unpin((struct i915_vma *)cache->node.mm);
1101 static void *reloc_kmap(struct drm_i915_gem_object *obj,
1102 struct reloc_cache *cache,
1103 unsigned long pageno)
1109 kunmap_atomic(unmask_page(cache->vaddr));
1111 unsigned int flushes;
1114 err = i915_gem_object_prepare_write(obj, &flushes);
1116 return ERR_PTR(err);
1118 BUILD_BUG_ON(KMAP & CLFLUSH_FLAGS);
1119 BUILD_BUG_ON((KMAP | CLFLUSH_FLAGS) & PAGE_MASK);
1121 cache->vaddr = flushes | KMAP;
1122 cache->node.mm = (void *)obj;
1127 page = i915_gem_object_get_page(obj, pageno);
1129 set_page_dirty(page);
1131 vaddr = kmap_atomic(page);
1132 cache->vaddr = unmask_flags(cache->vaddr) | (unsigned long)vaddr;
1133 cache->page = pageno;
1138 static void *reloc_iomap(struct drm_i915_gem_object *obj,
1139 struct i915_execbuffer *eb,
1142 struct reloc_cache *cache = &eb->reloc_cache;
1143 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
1144 unsigned long offset;
1148 intel_gt_flush_ggtt_writes(ggtt->vm.gt);
1149 io_mapping_unmap_atomic((void __force __iomem *) unmask_page(cache->vaddr));
1151 struct i915_vma *vma;
1154 if (i915_gem_object_is_tiled(obj))
1155 return ERR_PTR(-EINVAL);
1157 if (use_cpu_reloc(cache, obj))
1160 err = i915_gem_object_set_to_gtt_domain(obj, true);
1162 return ERR_PTR(err);
1164 vma = i915_gem_object_ggtt_pin_ww(obj, &eb->ww, NULL, 0, 0,
1166 PIN_NONBLOCK /* NOWARN */ |
1168 if (vma == ERR_PTR(-EDEADLK))
1172 memset(&cache->node, 0, sizeof(cache->node));
1173 mutex_lock(&ggtt->vm.mutex);
1174 err = drm_mm_insert_node_in_range
1175 (&ggtt->vm.mm, &cache->node,
1176 PAGE_SIZE, 0, I915_COLOR_UNEVICTABLE,
1177 0, ggtt->mappable_end,
1179 mutex_unlock(&ggtt->vm.mutex);
1180 if (err) /* no inactive aperture space, use cpu reloc */
1183 cache->node.start = vma->node.start;
1184 cache->node.mm = (void *)vma;
1188 offset = cache->node.start;
1189 if (drm_mm_node_allocated(&cache->node)) {
1190 ggtt->vm.insert_page(&ggtt->vm,
1191 i915_gem_object_get_dma_address(obj, page),
1192 offset, I915_CACHE_NONE, 0);
1194 offset += page << PAGE_SHIFT;
1197 vaddr = (void __force *)io_mapping_map_atomic_wc(&ggtt->iomap,
1200 cache->vaddr = (unsigned long)vaddr;
1205 static void *reloc_vaddr(struct drm_i915_gem_object *obj,
1206 struct i915_execbuffer *eb,
1209 struct reloc_cache *cache = &eb->reloc_cache;
1212 if (cache->page == page) {
1213 vaddr = unmask_page(cache->vaddr);
1216 if ((cache->vaddr & KMAP) == 0)
1217 vaddr = reloc_iomap(obj, eb, page);
1219 vaddr = reloc_kmap(obj, cache, page);
1225 static void clflush_write32(u32 *addr, u32 value, unsigned int flushes)
1227 if (unlikely(flushes & (CLFLUSH_BEFORE | CLFLUSH_AFTER))) {
1228 if (flushes & CLFLUSH_BEFORE) {
1236 * Writes to the same cacheline are serialised by the CPU
1237 * (including clflush). On the write path, we only require
1238 * that it hits memory in an orderly fashion and place
1239 * mb barriers at the start and end of the relocation phase
1240 * to ensure ordering of clflush wrt to the system.
1242 if (flushes & CLFLUSH_AFTER)
1248 static int reloc_move_to_gpu(struct i915_request *rq, struct i915_vma *vma)
1250 struct drm_i915_gem_object *obj = vma->obj;
1253 assert_vma_held(vma);
1255 if (obj->cache_dirty & ~obj->cache_coherent)
1256 i915_gem_clflush_object(obj, 0);
1257 obj->write_domain = 0;
1259 err = i915_request_await_object(rq, vma->obj, true);
1261 err = i915_vma_move_to_active(vma, rq, EXEC_OBJECT_WRITE);
1266 static int __reloc_gpu_alloc(struct i915_execbuffer *eb,
1267 struct intel_engine_cs *engine,
1268 struct i915_vma *vma,
1271 struct reloc_cache *cache = &eb->reloc_cache;
1272 struct intel_gt_buffer_pool_node *pool = eb->reloc_pool;
1273 struct i915_request *rq;
1274 struct i915_vma *batch;
1279 pool = intel_gt_get_buffer_pool(engine->gt, PAGE_SIZE);
1281 return PTR_ERR(pool);
1283 eb->reloc_pool = NULL;
1285 err = i915_gem_object_lock(pool->obj, &eb->ww);
1289 cmd = i915_gem_object_pin_map(pool->obj,
1298 memset32(cmd, 0, pool->obj->base.size / sizeof(u32));
1300 batch = i915_vma_instance(pool->obj, vma->vm, NULL);
1301 if (IS_ERR(batch)) {
1302 err = PTR_ERR(batch);
1306 err = i915_vma_pin_ww(batch, &eb->ww, 0, 0, PIN_USER | PIN_NONBLOCK);
1310 if (engine == eb->context->engine) {
1311 rq = i915_request_create(eb->context);
1313 struct intel_context *ce = eb->reloc_context;
1316 ce = intel_context_create(engine);
1322 i915_vm_put(ce->vm);
1323 ce->vm = i915_vm_get(eb->context->vm);
1324 eb->reloc_context = ce;
1327 err = intel_context_pin_ww(ce, &eb->ww);
1331 rq = i915_request_create(ce);
1332 intel_context_unpin(ce);
1339 err = intel_gt_buffer_pool_mark_active(pool, rq);
1343 err = reloc_move_to_gpu(rq, vma);
1347 err = eb->engine->emit_bb_start(rq,
1348 batch->node.start, PAGE_SIZE,
1349 cache->gen > 5 ? 0 : I915_DISPATCH_SECURE);
1353 assert_vma_held(batch);
1354 err = i915_request_await_object(rq, batch->obj, false);
1356 err = i915_vma_move_to_active(batch, rq, 0);
1361 i915_vma_unpin(batch);
1364 cache->rq_cmd = cmd;
1368 /* Return with batch mapping (cmd) still pinned */
1372 i915_request_set_error_once(rq, err);
1374 i915_request_add(rq);
1376 i915_vma_unpin(batch);
1378 i915_gem_object_unpin_map(pool->obj);
1380 eb->reloc_pool = pool;
1384 static bool reloc_can_use_engine(const struct intel_engine_cs *engine)
1386 return engine->class != VIDEO_DECODE_CLASS || !IS_GEN(engine->i915, 6);
1389 static u32 *reloc_gpu(struct i915_execbuffer *eb,
1390 struct i915_vma *vma,
1393 struct reloc_cache *cache = &eb->reloc_cache;
1396 if (cache->rq_size > PAGE_SIZE/sizeof(u32) - (len + 1))
1397 reloc_gpu_flush(eb, cache);
1399 if (unlikely(!cache->rq)) {
1401 struct intel_engine_cs *engine = eb->engine;
1403 /* If we need to copy for the cmdparser, we will stall anyway */
1404 if (eb_use_cmdparser(eb))
1405 return ERR_PTR(-EWOULDBLOCK);
1407 if (!reloc_can_use_engine(engine)) {
1408 engine = engine->gt->engine_class[COPY_ENGINE_CLASS][0];
1410 return ERR_PTR(-ENODEV);
1413 err = __reloc_gpu_alloc(eb, engine, vma, len);
1415 return ERR_PTR(err);
1418 cmd = cache->rq_cmd + cache->rq_size;
1419 cache->rq_size += len;
1424 static inline bool use_reloc_gpu(struct i915_vma *vma)
1426 if (DBG_FORCE_RELOC == FORCE_GPU_RELOC)
1429 if (DBG_FORCE_RELOC)
1432 return !dma_resv_test_signaled_rcu(vma->resv, true);
1435 static unsigned long vma_phys_addr(struct i915_vma *vma, u32 offset)
1440 GEM_BUG_ON(vma->pages != vma->obj->mm.pages);
1442 page = i915_gem_object_get_page(vma->obj, offset >> PAGE_SHIFT);
1443 addr = PFN_PHYS(page_to_pfn(page));
1444 GEM_BUG_ON(overflows_type(addr, u32)); /* expected dma32 */
1446 return addr + offset_in_page(offset);
1449 static int __reloc_entry_gpu(struct i915_execbuffer *eb,
1450 struct i915_vma *vma,
1454 const unsigned int gen = eb->reloc_cache.gen;
1460 len = offset & 7 ? 8 : 5;
1466 batch = reloc_gpu(eb, vma, len);
1467 if (batch == ERR_PTR(-EDEADLK))
1469 else if (IS_ERR(batch))
1472 addr = gen8_canonical_addr(vma->node.start + offset);
1475 *batch++ = MI_STORE_DWORD_IMM_GEN4;
1476 *batch++ = lower_32_bits(addr);
1477 *batch++ = upper_32_bits(addr);
1478 *batch++ = lower_32_bits(target_addr);
1480 addr = gen8_canonical_addr(addr + 4);
1482 *batch++ = MI_STORE_DWORD_IMM_GEN4;
1483 *batch++ = lower_32_bits(addr);
1484 *batch++ = upper_32_bits(addr);
1485 *batch++ = upper_32_bits(target_addr);
1487 *batch++ = (MI_STORE_DWORD_IMM_GEN4 | (1 << 21)) + 1;
1488 *batch++ = lower_32_bits(addr);
1489 *batch++ = upper_32_bits(addr);
1490 *batch++ = lower_32_bits(target_addr);
1491 *batch++ = upper_32_bits(target_addr);
1493 } else if (gen >= 6) {
1494 *batch++ = MI_STORE_DWORD_IMM_GEN4;
1497 *batch++ = target_addr;
1498 } else if (IS_I965G(eb->i915)) {
1499 *batch++ = MI_STORE_DWORD_IMM_GEN4;
1501 *batch++ = vma_phys_addr(vma, offset);
1502 *batch++ = target_addr;
1503 } else if (gen >= 4) {
1504 *batch++ = MI_STORE_DWORD_IMM_GEN4 | MI_USE_GGTT;
1507 *batch++ = target_addr;
1508 } else if (gen >= 3 &&
1509 !(IS_I915G(eb->i915) || IS_I915GM(eb->i915))) {
1510 *batch++ = MI_STORE_DWORD_IMM | MI_MEM_VIRTUAL;
1512 *batch++ = target_addr;
1514 *batch++ = MI_STORE_DWORD_IMM;
1515 *batch++ = vma_phys_addr(vma, offset);
1516 *batch++ = target_addr;
1522 static int reloc_entry_gpu(struct i915_execbuffer *eb,
1523 struct i915_vma *vma,
1527 if (eb->reloc_cache.vaddr)
1530 if (!use_reloc_gpu(vma))
1533 return __reloc_entry_gpu(eb, vma, offset, target_addr);
1537 relocate_entry(struct i915_vma *vma,
1538 const struct drm_i915_gem_relocation_entry *reloc,
1539 struct i915_execbuffer *eb,
1540 const struct i915_vma *target)
1542 u64 target_addr = relocation_target(reloc, target);
1543 u64 offset = reloc->offset;
1544 int reloc_gpu = reloc_entry_gpu(eb, vma, offset, target_addr);
1550 bool wide = eb->reloc_cache.use_64bit_reloc;
1554 vaddr = reloc_vaddr(vma->obj, eb,
1555 offset >> PAGE_SHIFT);
1557 return PTR_ERR(vaddr);
1559 GEM_BUG_ON(!IS_ALIGNED(offset, sizeof(u32)));
1560 clflush_write32(vaddr + offset_in_page(offset),
1561 lower_32_bits(target_addr),
1562 eb->reloc_cache.vaddr);
1565 offset += sizeof(u32);
1572 return target->node.start | UPDATE;
1576 eb_relocate_entry(struct i915_execbuffer *eb,
1578 const struct drm_i915_gem_relocation_entry *reloc)
1580 struct drm_i915_private *i915 = eb->i915;
1581 struct eb_vma *target;
1584 /* we've already hold a reference to all valid objects */
1585 target = eb_get_vma(eb, reloc->target_handle);
1586 if (unlikely(!target))
1589 /* Validate that the target is in a valid r/w GPU domain */
1590 if (unlikely(reloc->write_domain & (reloc->write_domain - 1))) {
1591 drm_dbg(&i915->drm, "reloc with multiple write domains: "
1592 "target %d offset %d "
1593 "read %08x write %08x",
1594 reloc->target_handle,
1595 (int) reloc->offset,
1596 reloc->read_domains,
1597 reloc->write_domain);
1600 if (unlikely((reloc->write_domain | reloc->read_domains)
1601 & ~I915_GEM_GPU_DOMAINS)) {
1602 drm_dbg(&i915->drm, "reloc with read/write non-GPU domains: "
1603 "target %d offset %d "
1604 "read %08x write %08x",
1605 reloc->target_handle,
1606 (int) reloc->offset,
1607 reloc->read_domains,
1608 reloc->write_domain);
1612 if (reloc->write_domain) {
1613 target->flags |= EXEC_OBJECT_WRITE;
1616 * Sandybridge PPGTT errata: We need a global gtt mapping
1617 * for MI and pipe_control writes because the gpu doesn't
1618 * properly redirect them through the ppgtt for non_secure
1621 if (reloc->write_domain == I915_GEM_DOMAIN_INSTRUCTION &&
1622 IS_GEN(eb->i915, 6)) {
1623 err = i915_vma_bind(target->vma,
1624 target->vma->obj->cache_level,
1632 * If the relocation already has the right value in it, no
1633 * more work needs to be done.
1635 if (!DBG_FORCE_RELOC &&
1636 gen8_canonical_addr(target->vma->node.start) == reloc->presumed_offset)
1639 /* Check that the relocation address is valid... */
1640 if (unlikely(reloc->offset >
1641 ev->vma->size - (eb->reloc_cache.use_64bit_reloc ? 8 : 4))) {
1642 drm_dbg(&i915->drm, "Relocation beyond object bounds: "
1643 "target %d offset %d size %d.\n",
1644 reloc->target_handle,
1646 (int)ev->vma->size);
1649 if (unlikely(reloc->offset & 3)) {
1650 drm_dbg(&i915->drm, "Relocation not 4-byte aligned: "
1651 "target %d offset %d.\n",
1652 reloc->target_handle,
1653 (int)reloc->offset);
1658 * If we write into the object, we need to force the synchronisation
1659 * barrier, either with an asynchronous clflush or if we executed the
1660 * patching using the GPU (though that should be serialised by the
1661 * timeline). To be completely sure, and since we are required to
1662 * do relocations we are already stalling, disable the user's opt
1663 * out of our synchronisation.
1665 ev->flags &= ~EXEC_OBJECT_ASYNC;
1667 /* and update the user's relocation entry */
1668 return relocate_entry(ev->vma, reloc, eb, target->vma);
1671 static int eb_relocate_vma(struct i915_execbuffer *eb, struct eb_vma *ev)
1673 #define N_RELOC(x) ((x) / sizeof(struct drm_i915_gem_relocation_entry))
1674 struct drm_i915_gem_relocation_entry stack[N_RELOC(512)];
1675 const struct drm_i915_gem_exec_object2 *entry = ev->exec;
1676 struct drm_i915_gem_relocation_entry __user *urelocs =
1677 u64_to_user_ptr(entry->relocs_ptr);
1678 unsigned long remain = entry->relocation_count;
1680 if (unlikely(remain > N_RELOC(ULONG_MAX)))
1684 * We must check that the entire relocation array is safe
1685 * to read. However, if the array is not writable the user loses
1686 * the updated relocation values.
1688 if (unlikely(!access_ok(urelocs, remain * sizeof(*urelocs))))
1692 struct drm_i915_gem_relocation_entry *r = stack;
1693 unsigned int count =
1694 min_t(unsigned long, remain, ARRAY_SIZE(stack));
1695 unsigned int copied;
1698 * This is the fast path and we cannot handle a pagefault
1699 * whilst holding the struct mutex lest the user pass in the
1700 * relocations contained within a mmaped bo. For in such a case
1701 * we, the page fault handler would call i915_gem_fault() and
1702 * we would try to acquire the struct mutex again. Obviously
1703 * this is bad and so lockdep complains vehemently.
1705 pagefault_disable();
1706 copied = __copy_from_user_inatomic(r, urelocs, count * sizeof(r[0]));
1708 if (unlikely(copied)) {
1715 u64 offset = eb_relocate_entry(eb, ev, r);
1717 if (likely(offset == 0)) {
1718 } else if ((s64)offset < 0) {
1719 remain = (int)offset;
1723 * Note that reporting an error now
1724 * leaves everything in an inconsistent
1725 * state as we have *already* changed
1726 * the relocation value inside the
1727 * object. As we have not changed the
1728 * reloc.presumed_offset or will not
1729 * change the execobject.offset, on the
1730 * call we may not rewrite the value
1731 * inside the object, leaving it
1732 * dangling and causing a GPU hang. Unless
1733 * userspace dynamically rebuilds the
1734 * relocations on each execbuf rather than
1735 * presume a static tree.
1737 * We did previously check if the relocations
1738 * were writable (access_ok), an error now
1739 * would be a strange race with mprotect,
1740 * having already demonstrated that we
1741 * can read from this userspace address.
1743 offset = gen8_canonical_addr(offset & ~UPDATE);
1745 &urelocs[r - stack].presumed_offset);
1747 } while (r++, --count);
1748 urelocs += ARRAY_SIZE(stack);
1751 reloc_cache_reset(&eb->reloc_cache, eb);
1756 eb_relocate_vma_slow(struct i915_execbuffer *eb, struct eb_vma *ev)
1758 const struct drm_i915_gem_exec_object2 *entry = ev->exec;
1759 struct drm_i915_gem_relocation_entry *relocs =
1760 u64_to_ptr(typeof(*relocs), entry->relocs_ptr);
1764 for (i = 0; i < entry->relocation_count; i++) {
1765 u64 offset = eb_relocate_entry(eb, ev, &relocs[i]);
1767 if ((s64)offset < 0) {
1774 reloc_cache_reset(&eb->reloc_cache, eb);
1778 static int check_relocations(const struct drm_i915_gem_exec_object2 *entry)
1780 const char __user *addr, *end;
1782 char __maybe_unused c;
1784 size = entry->relocation_count;
1788 if (size > N_RELOC(ULONG_MAX))
1791 addr = u64_to_user_ptr(entry->relocs_ptr);
1792 size *= sizeof(struct drm_i915_gem_relocation_entry);
1793 if (!access_ok(addr, size))
1797 for (; addr < end; addr += PAGE_SIZE) {
1798 int err = __get_user(c, addr);
1802 return __get_user(c, end - 1);
1805 static int eb_copy_relocations(const struct i915_execbuffer *eb)
1807 struct drm_i915_gem_relocation_entry *relocs;
1808 const unsigned int count = eb->buffer_count;
1812 for (i = 0; i < count; i++) {
1813 const unsigned int nreloc = eb->exec[i].relocation_count;
1814 struct drm_i915_gem_relocation_entry __user *urelocs;
1816 unsigned long copied;
1821 err = check_relocations(&eb->exec[i]);
1825 urelocs = u64_to_user_ptr(eb->exec[i].relocs_ptr);
1826 size = nreloc * sizeof(*relocs);
1828 relocs = kvmalloc_array(size, 1, GFP_KERNEL);
1834 /* copy_from_user is limited to < 4GiB */
1838 min_t(u64, BIT_ULL(31), size - copied);
1840 if (__copy_from_user((char *)relocs + copied,
1841 (char __user *)urelocs + copied,
1846 } while (copied < size);
1849 * As we do not update the known relocation offsets after
1850 * relocating (due to the complexities in lock handling),
1851 * we need to mark them as invalid now so that we force the
1852 * relocation processing next time. Just in case the target
1853 * object is evicted and then rebound into its old
1854 * presumed_offset before the next execbuffer - if that
1855 * happened we would make the mistake of assuming that the
1856 * relocations were valid.
1858 if (!user_access_begin(urelocs, size))
1861 for (copied = 0; copied < nreloc; copied++)
1863 &urelocs[copied].presumed_offset,
1867 eb->exec[i].relocs_ptr = (uintptr_t)relocs;
1879 relocs = u64_to_ptr(typeof(*relocs), eb->exec[i].relocs_ptr);
1880 if (eb->exec[i].relocation_count)
1886 static int eb_prefault_relocations(const struct i915_execbuffer *eb)
1888 const unsigned int count = eb->buffer_count;
1891 for (i = 0; i < count; i++) {
1894 err = check_relocations(&eb->exec[i]);
1902 static noinline int eb_relocate_parse_slow(struct i915_execbuffer *eb,
1903 struct i915_request *rq)
1905 bool have_copy = false;
1910 if (signal_pending(current)) {
1915 /* We may process another execbuffer during the unlock... */
1916 eb_release_vmas(eb, false);
1917 i915_gem_ww_ctx_fini(&eb->ww);
1920 /* nonblocking is always false */
1921 if (i915_request_wait(rq, I915_WAIT_INTERRUPTIBLE,
1922 MAX_SCHEDULE_TIMEOUT) < 0) {
1923 i915_request_put(rq);
1930 i915_request_put(rq);
1935 * We take 3 passes through the slowpatch.
1937 * 1 - we try to just prefault all the user relocation entries and
1938 * then attempt to reuse the atomic pagefault disabled fast path again.
1940 * 2 - we copy the user entries to a local buffer here outside of the
1941 * local and allow ourselves to wait upon any rendering before
1944 * 3 - we already have a local copy of the relocation entries, but
1945 * were interrupted (EAGAIN) whilst waiting for the objects, try again.
1948 err = eb_prefault_relocations(eb);
1949 } else if (!have_copy) {
1950 err = eb_copy_relocations(eb);
1951 have_copy = err == 0;
1958 flush_workqueue(eb->i915->mm.userptr_wq);
1961 i915_gem_ww_ctx_init(&eb->ww, true);
1965 /* reacquire the objects */
1967 rq = eb_pin_engine(eb, false);
1974 /* We didn't throttle, should be NULL */
1977 err = eb_validate_vmas(eb);
1981 GEM_BUG_ON(!eb->batch);
1983 list_for_each_entry(ev, &eb->relocs, reloc_link) {
1985 pagefault_disable();
1986 err = eb_relocate_vma(eb, ev);
1991 err = eb_relocate_vma_slow(eb, ev);
1997 if (err == -EDEADLK)
2000 if (err && !have_copy)
2006 /* as last step, parse the command buffer */
2012 * Leave the user relocations as are, this is the painfully slow path,
2013 * and we want to avoid the complication of dropping the lock whilst
2014 * having buffers reserved in the aperture and so causing spurious
2015 * ENOSPC for random operations.
2019 if (err == -EDEADLK) {
2020 eb_release_vmas(eb, false);
2021 err = i915_gem_ww_ctx_backoff(&eb->ww);
2023 goto repeat_validate;
2031 const unsigned int count = eb->buffer_count;
2034 for (i = 0; i < count; i++) {
2035 const struct drm_i915_gem_exec_object2 *entry =
2037 struct drm_i915_gem_relocation_entry *relocs;
2039 if (!entry->relocation_count)
2042 relocs = u64_to_ptr(typeof(*relocs), entry->relocs_ptr);
2048 i915_request_put(rq);
2053 static int eb_relocate_parse(struct i915_execbuffer *eb)
2056 struct i915_request *rq = NULL;
2057 bool throttle = true;
2060 rq = eb_pin_engine(eb, throttle);
2064 if (err != -EDEADLK)
2071 bool nonblock = eb->file->filp->f_flags & O_NONBLOCK;
2073 /* Need to drop all locks now for throttling, take slowpath */
2074 err = i915_request_wait(rq, I915_WAIT_INTERRUPTIBLE, 0);
2075 if (err == -ETIME) {
2078 i915_request_put(rq);
2083 i915_request_put(rq);
2087 /* only throttle once, even if we didn't need to throttle */
2090 err = eb_validate_vmas(eb);
2096 /* The objects are in their final locations, apply the relocations. */
2097 if (eb->args->flags & __EXEC_HAS_RELOC) {
2100 list_for_each_entry(ev, &eb->relocs, reloc_link) {
2101 err = eb_relocate_vma(eb, ev);
2106 if (err == -EDEADLK)
2116 if (err == -EDEADLK) {
2117 eb_release_vmas(eb, false);
2118 err = i915_gem_ww_ctx_backoff(&eb->ww);
2126 err = eb_relocate_parse_slow(eb, rq);
2129 * If the user expects the execobject.offset and
2130 * reloc.presumed_offset to be an exact match,
2131 * as for using NO_RELOC, then we cannot update
2132 * the execobject.offset until we have completed
2135 eb->args->flags &= ~__EXEC_HAS_RELOC;
2140 static int eb_move_to_gpu(struct i915_execbuffer *eb)
2142 const unsigned int count = eb->buffer_count;
2143 unsigned int i = count;
2147 struct eb_vma *ev = &eb->vma[i];
2148 struct i915_vma *vma = ev->vma;
2149 unsigned int flags = ev->flags;
2150 struct drm_i915_gem_object *obj = vma->obj;
2152 assert_vma_held(vma);
2154 if (flags & EXEC_OBJECT_CAPTURE) {
2155 struct i915_capture_list *capture;
2157 capture = kmalloc(sizeof(*capture), GFP_KERNEL);
2159 capture->next = eb->request->capture_list;
2161 eb->request->capture_list = capture;
2166 * If the GPU is not _reading_ through the CPU cache, we need
2167 * to make sure that any writes (both previous GPU writes from
2168 * before a change in snooping levels and normal CPU writes)
2169 * caught in that cache are flushed to main memory.
2172 * obj->cache_dirty &&
2173 * !(obj->cache_coherent & I915_BO_CACHE_COHERENT_FOR_READ)
2174 * but gcc's optimiser doesn't handle that as well and emits
2175 * two jumps instead of one. Maybe one day...
2177 if (unlikely(obj->cache_dirty & ~obj->cache_coherent)) {
2178 if (i915_gem_clflush_object(obj, 0))
2179 flags &= ~EXEC_OBJECT_ASYNC;
2182 if (err == 0 && !(flags & EXEC_OBJECT_ASYNC)) {
2183 err = i915_request_await_object
2184 (eb->request, obj, flags & EXEC_OBJECT_WRITE);
2188 err = i915_vma_move_to_active(vma, eb->request, flags);
2194 /* Unconditionally flush any chipset caches (for streaming writes). */
2195 intel_gt_chipset_flush(eb->engine->gt);
2199 i915_request_set_error_once(eb->request, err);
2203 static int i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
2205 if (exec->flags & __I915_EXEC_ILLEGAL_FLAGS)
2208 /* Kernel clipping was a DRI1 misfeature */
2209 if (!(exec->flags & (I915_EXEC_FENCE_ARRAY |
2210 I915_EXEC_USE_EXTENSIONS))) {
2211 if (exec->num_cliprects || exec->cliprects_ptr)
2215 if (exec->DR4 == 0xffffffff) {
2216 DRM_DEBUG("UXA submitting garbage DR4, fixing up\n");
2219 if (exec->DR1 || exec->DR4)
2222 if ((exec->batch_start_offset | exec->batch_len) & 0x7)
2228 static int i915_reset_gen7_sol_offsets(struct i915_request *rq)
2233 if (!IS_GEN(rq->engine->i915, 7) || rq->engine->id != RCS0) {
2234 drm_dbg(&rq->engine->i915->drm, "sol reset is gen7/rcs only\n");
2238 cs = intel_ring_begin(rq, 4 * 2 + 2);
2242 *cs++ = MI_LOAD_REGISTER_IMM(4);
2243 for (i = 0; i < 4; i++) {
2244 *cs++ = i915_mmio_reg_offset(GEN7_SO_WRITE_OFFSET(i));
2248 intel_ring_advance(rq, cs);
2253 static struct i915_vma *
2254 shadow_batch_pin(struct i915_execbuffer *eb,
2255 struct drm_i915_gem_object *obj,
2256 struct i915_address_space *vm,
2259 struct i915_vma *vma;
2262 vma = i915_vma_instance(obj, vm, NULL);
2266 err = i915_vma_pin_ww(vma, &eb->ww, 0, 0, flags);
2268 return ERR_PTR(err);
2273 static struct i915_vma *eb_dispatch_secure(struct i915_execbuffer *eb, struct i915_vma *vma)
2276 * snb/ivb/vlv conflate the "batch in ppgtt" bit with the "non-secure
2277 * batch" bit. Hence we need to pin secure batches into the global gtt.
2278 * hsw should have this fixed, but bdw mucks it up again. */
2279 if (eb->batch_flags & I915_DISPATCH_SECURE)
2280 return i915_gem_object_ggtt_pin_ww(vma->obj, &eb->ww, NULL, 0, 0, 0);
2285 static int eb_parse(struct i915_execbuffer *eb)
2287 struct drm_i915_private *i915 = eb->i915;
2288 struct intel_gt_buffer_pool_node *pool = eb->batch_pool;
2289 struct i915_vma *shadow, *trampoline, *batch;
2293 if (!eb_use_cmdparser(eb)) {
2294 batch = eb_dispatch_secure(eb, eb->batch->vma);
2296 return PTR_ERR(batch);
2301 len = eb->batch_len;
2302 if (!CMDPARSER_USES_GGTT(eb->i915)) {
2304 * ppGTT backed shadow buffers must be mapped RO, to prevent
2305 * post-scan tampering
2307 if (!eb->context->vm->has_read_only) {
2309 "Cannot prevent post-scan tampering without RO capable vm\n");
2313 len += I915_CMD_PARSER_TRAMPOLINE_SIZE;
2315 if (unlikely(len < eb->batch_len)) /* last paranoid check of overflow */
2319 pool = intel_gt_get_buffer_pool(eb->engine->gt, len);
2321 return PTR_ERR(pool);
2322 eb->batch_pool = pool;
2325 err = i915_gem_object_lock(pool->obj, &eb->ww);
2329 shadow = shadow_batch_pin(eb, pool->obj, eb->context->vm, PIN_USER);
2330 if (IS_ERR(shadow)) {
2331 err = PTR_ERR(shadow);
2334 i915_gem_object_set_readonly(shadow->obj);
2335 shadow->private = pool;
2338 if (CMDPARSER_USES_GGTT(eb->i915)) {
2339 trampoline = shadow;
2341 shadow = shadow_batch_pin(eb, pool->obj,
2342 &eb->engine->gt->ggtt->vm,
2344 if (IS_ERR(shadow)) {
2345 err = PTR_ERR(shadow);
2346 shadow = trampoline;
2349 shadow->private = pool;
2351 eb->batch_flags |= I915_DISPATCH_SECURE;
2354 batch = eb_dispatch_secure(eb, shadow);
2355 if (IS_ERR(batch)) {
2356 err = PTR_ERR(batch);
2357 goto err_trampoline;
2360 err = intel_engine_cmd_parser(eb->engine,
2362 eb->batch_start_offset,
2364 shadow, trampoline);
2366 goto err_unpin_batch;
2368 eb->batch = &eb->vma[eb->buffer_count++];
2369 eb->batch->vma = i915_vma_get(shadow);
2370 eb->batch->flags = __EXEC_OBJECT_HAS_PIN;
2372 eb->trampoline = trampoline;
2373 eb->batch_start_offset = 0;
2377 eb->batch = &eb->vma[eb->buffer_count++];
2378 eb->batch->flags = __EXEC_OBJECT_HAS_PIN;
2379 eb->batch->vma = i915_vma_get(batch);
2385 i915_vma_unpin(batch);
2388 i915_vma_unpin(trampoline);
2390 i915_vma_unpin(shadow);
2395 static int eb_submit(struct i915_execbuffer *eb, struct i915_vma *batch)
2399 err = eb_move_to_gpu(eb);
2403 if (eb->args->flags & I915_EXEC_GEN7_SOL_RESET) {
2404 err = i915_reset_gen7_sol_offsets(eb->request);
2410 * After we completed waiting for other engines (using HW semaphores)
2411 * then we can signal that this request/batch is ready to run. This
2412 * allows us to determine if the batch is still waiting on the GPU
2413 * or actually running by checking the breadcrumb.
2415 if (eb->engine->emit_init_breadcrumb) {
2416 err = eb->engine->emit_init_breadcrumb(eb->request);
2421 err = eb->engine->emit_bb_start(eb->request,
2423 eb->batch_start_offset,
2429 if (eb->trampoline) {
2430 GEM_BUG_ON(eb->batch_start_offset);
2431 err = eb->engine->emit_bb_start(eb->request,
2432 eb->trampoline->node.start +
2439 if (intel_context_nopreempt(eb->context))
2440 __set_bit(I915_FENCE_FLAG_NOPREEMPT, &eb->request->fence.flags);
2445 static int num_vcs_engines(const struct drm_i915_private *i915)
2447 return hweight64(VDBOX_MASK(&i915->gt));
2451 * Find one BSD ring to dispatch the corresponding BSD command.
2452 * The engine index is returned.
2455 gen8_dispatch_bsd_engine(struct drm_i915_private *dev_priv,
2456 struct drm_file *file)
2458 struct drm_i915_file_private *file_priv = file->driver_priv;
2460 /* Check whether the file_priv has already selected one ring. */
2461 if ((int)file_priv->bsd_engine < 0)
2462 file_priv->bsd_engine =
2463 get_random_int() % num_vcs_engines(dev_priv);
2465 return file_priv->bsd_engine;
2468 static const enum intel_engine_id user_ring_map[] = {
2469 [I915_EXEC_DEFAULT] = RCS0,
2470 [I915_EXEC_RENDER] = RCS0,
2471 [I915_EXEC_BLT] = BCS0,
2472 [I915_EXEC_BSD] = VCS0,
2473 [I915_EXEC_VEBOX] = VECS0
2476 static struct i915_request *eb_throttle(struct i915_execbuffer *eb, struct intel_context *ce)
2478 struct intel_ring *ring = ce->ring;
2479 struct intel_timeline *tl = ce->timeline;
2480 struct i915_request *rq;
2483 * Completely unscientific finger-in-the-air estimates for suitable
2484 * maximum user request size (to avoid blocking) and then backoff.
2486 if (intel_ring_update_space(ring) >= PAGE_SIZE)
2490 * Find a request that after waiting upon, there will be at least half
2491 * the ring available. The hysteresis allows us to compete for the
2492 * shared ring and should mean that we sleep less often prior to
2493 * claiming our resources, but not so long that the ring completely
2494 * drains before we can submit our next request.
2496 list_for_each_entry(rq, &tl->requests, link) {
2497 if (rq->ring != ring)
2500 if (__intel_ring_space(rq->postfix,
2501 ring->emit, ring->size) > ring->size / 2)
2504 if (&rq->link == &tl->requests)
2505 return NULL; /* weird, we will check again later for real */
2507 return i915_request_get(rq);
2510 static struct i915_request *eb_pin_engine(struct i915_execbuffer *eb, bool throttle)
2512 struct intel_context *ce = eb->context;
2513 struct intel_timeline *tl;
2514 struct i915_request *rq = NULL;
2517 GEM_BUG_ON(eb->args->flags & __EXEC_ENGINE_PINNED);
2519 if (unlikely(intel_context_is_banned(ce)))
2520 return ERR_PTR(-EIO);
2523 * Pinning the contexts may generate requests in order to acquire
2524 * GGTT space, so do this first before we reserve a seqno for
2527 err = intel_context_pin_ww(ce, &eb->ww);
2529 return ERR_PTR(err);
2532 * Take a local wakeref for preparing to dispatch the execbuf as
2533 * we expect to access the hardware fairly frequently in the
2534 * process, and require the engine to be kept awake between accesses.
2535 * Upon dispatch, we acquire another prolonged wakeref that we hold
2536 * until the timeline is idle, which in turn releases the wakeref
2537 * taken on the engine, and the parent device.
2539 tl = intel_context_timeline_lock(ce);
2541 intel_context_unpin(ce);
2542 return ERR_CAST(tl);
2545 intel_context_enter(ce);
2547 rq = eb_throttle(eb, ce);
2548 intel_context_timeline_unlock(tl);
2550 eb->args->flags |= __EXEC_ENGINE_PINNED;
2554 static void eb_unpin_engine(struct i915_execbuffer *eb)
2556 struct intel_context *ce = eb->context;
2557 struct intel_timeline *tl = ce->timeline;
2559 if (!(eb->args->flags & __EXEC_ENGINE_PINNED))
2562 eb->args->flags &= ~__EXEC_ENGINE_PINNED;
2564 mutex_lock(&tl->mutex);
2565 intel_context_exit(ce);
2566 mutex_unlock(&tl->mutex);
2568 intel_context_unpin(ce);
2572 eb_select_legacy_ring(struct i915_execbuffer *eb)
2574 struct drm_i915_private *i915 = eb->i915;
2575 struct drm_i915_gem_execbuffer2 *args = eb->args;
2576 unsigned int user_ring_id = args->flags & I915_EXEC_RING_MASK;
2578 if (user_ring_id != I915_EXEC_BSD &&
2579 (args->flags & I915_EXEC_BSD_MASK)) {
2581 "execbuf with non bsd ring but with invalid "
2582 "bsd dispatch flags: %d\n", (int)(args->flags));
2586 if (user_ring_id == I915_EXEC_BSD && num_vcs_engines(i915) > 1) {
2587 unsigned int bsd_idx = args->flags & I915_EXEC_BSD_MASK;
2589 if (bsd_idx == I915_EXEC_BSD_DEFAULT) {
2590 bsd_idx = gen8_dispatch_bsd_engine(i915, eb->file);
2591 } else if (bsd_idx >= I915_EXEC_BSD_RING1 &&
2592 bsd_idx <= I915_EXEC_BSD_RING2) {
2593 bsd_idx >>= I915_EXEC_BSD_SHIFT;
2597 "execbuf with unknown bsd ring: %u\n",
2602 return _VCS(bsd_idx);
2605 if (user_ring_id >= ARRAY_SIZE(user_ring_map)) {
2606 drm_dbg(&i915->drm, "execbuf with unknown ring: %u\n",
2611 return user_ring_map[user_ring_id];
2615 eb_select_engine(struct i915_execbuffer *eb)
2617 struct intel_context *ce;
2621 if (i915_gem_context_user_engines(eb->gem_context))
2622 idx = eb->args->flags & I915_EXEC_RING_MASK;
2624 idx = eb_select_legacy_ring(eb);
2626 ce = i915_gem_context_get_engine(eb->gem_context, idx);
2630 intel_gt_pm_get(ce->engine->gt);
2632 if (!test_bit(CONTEXT_ALLOC_BIT, &ce->flags)) {
2633 err = intel_context_alloc_state(ce);
2639 * ABI: Before userspace accesses the GPU (e.g. execbuffer), report
2640 * EIO if the GPU is already wedged.
2642 err = intel_gt_terminally_wedged(ce->engine->gt);
2647 eb->engine = ce->engine;
2650 * Make sure engine pool stays alive even if we call intel_context_put
2651 * during ww handling. The pool is destroyed when last pm reference
2652 * is dropped, which breaks our -EDEADLK handling.
2657 intel_gt_pm_put(ce->engine->gt);
2658 intel_context_put(ce);
2663 eb_put_engine(struct i915_execbuffer *eb)
2665 intel_gt_pm_put(eb->engine->gt);
2666 intel_context_put(eb->context);
2670 __free_fence_array(struct eb_fence *fences, unsigned int n)
2673 drm_syncobj_put(ptr_mask_bits(fences[n].syncobj, 2));
2674 dma_fence_put(fences[n].dma_fence);
2675 kfree(fences[n].chain_fence);
2681 add_timeline_fence_array(struct i915_execbuffer *eb,
2682 const struct drm_i915_gem_execbuffer_ext_timeline_fences *timeline_fences)
2684 struct drm_i915_gem_exec_fence __user *user_fences;
2685 u64 __user *user_values;
2690 nfences = timeline_fences->fence_count;
2694 /* Check multiplication overflow for access_ok() and kvmalloc_array() */
2695 BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long));
2696 if (nfences > min_t(unsigned long,
2697 ULONG_MAX / sizeof(*user_fences),
2698 SIZE_MAX / sizeof(*f)) - eb->num_fences)
2701 user_fences = u64_to_user_ptr(timeline_fences->handles_ptr);
2702 if (!access_ok(user_fences, nfences * sizeof(*user_fences)))
2705 user_values = u64_to_user_ptr(timeline_fences->values_ptr);
2706 if (!access_ok(user_values, nfences * sizeof(*user_values)))
2709 f = krealloc(eb->fences,
2710 (eb->num_fences + nfences) * sizeof(*f),
2711 __GFP_NOWARN | GFP_KERNEL);
2716 f += eb->num_fences;
2718 BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) &
2719 ~__I915_EXEC_FENCE_UNKNOWN_FLAGS);
2722 struct drm_i915_gem_exec_fence user_fence;
2723 struct drm_syncobj *syncobj;
2724 struct dma_fence *fence = NULL;
2727 if (__copy_from_user(&user_fence,
2729 sizeof(user_fence)))
2732 if (user_fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS)
2735 if (__get_user(point, user_values++))
2738 syncobj = drm_syncobj_find(eb->file, user_fence.handle);
2740 DRM_DEBUG("Invalid syncobj handle provided\n");
2744 fence = drm_syncobj_fence_get(syncobj);
2746 if (!fence && user_fence.flags &&
2747 !(user_fence.flags & I915_EXEC_FENCE_SIGNAL)) {
2748 DRM_DEBUG("Syncobj handle has no fence\n");
2749 drm_syncobj_put(syncobj);
2754 err = dma_fence_chain_find_seqno(&fence, point);
2756 if (err && !(user_fence.flags & I915_EXEC_FENCE_SIGNAL)) {
2757 DRM_DEBUG("Syncobj handle missing requested point %llu\n", point);
2758 dma_fence_put(fence);
2759 drm_syncobj_put(syncobj);
2764 * A point might have been signaled already and
2765 * garbage collected from the timeline. In this case
2766 * just ignore the point and carry on.
2768 if (!fence && !(user_fence.flags & I915_EXEC_FENCE_SIGNAL)) {
2769 drm_syncobj_put(syncobj);
2774 * For timeline syncobjs we need to preallocate chains for
2777 if (point != 0 && user_fence.flags & I915_EXEC_FENCE_SIGNAL) {
2779 * Waiting and signaling the same point (when point !=
2780 * 0) would break the timeline.
2782 if (user_fence.flags & I915_EXEC_FENCE_WAIT) {
2783 DRM_DEBUG("Trying to wait & signal the same timeline point.\n");
2784 dma_fence_put(fence);
2785 drm_syncobj_put(syncobj);
2790 kmalloc(sizeof(*f->chain_fence),
2792 if (!f->chain_fence) {
2793 drm_syncobj_put(syncobj);
2794 dma_fence_put(fence);
2798 f->chain_fence = NULL;
2801 f->syncobj = ptr_pack_bits(syncobj, user_fence.flags, 2);
2802 f->dma_fence = fence;
2811 static int add_fence_array(struct i915_execbuffer *eb)
2813 struct drm_i915_gem_execbuffer2 *args = eb->args;
2814 struct drm_i915_gem_exec_fence __user *user;
2815 unsigned long num_fences = args->num_cliprects;
2818 if (!(args->flags & I915_EXEC_FENCE_ARRAY))
2824 /* Check multiplication overflow for access_ok() and kvmalloc_array() */
2825 BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long));
2826 if (num_fences > min_t(unsigned long,
2827 ULONG_MAX / sizeof(*user),
2828 SIZE_MAX / sizeof(*f) - eb->num_fences))
2831 user = u64_to_user_ptr(args->cliprects_ptr);
2832 if (!access_ok(user, num_fences * sizeof(*user)))
2835 f = krealloc(eb->fences,
2836 (eb->num_fences + num_fences) * sizeof(*f),
2837 __GFP_NOWARN | GFP_KERNEL);
2842 f += eb->num_fences;
2843 while (num_fences--) {
2844 struct drm_i915_gem_exec_fence user_fence;
2845 struct drm_syncobj *syncobj;
2846 struct dma_fence *fence = NULL;
2848 if (__copy_from_user(&user_fence, user++, sizeof(user_fence)))
2851 if (user_fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS)
2854 syncobj = drm_syncobj_find(eb->file, user_fence.handle);
2856 DRM_DEBUG("Invalid syncobj handle provided\n");
2860 if (user_fence.flags & I915_EXEC_FENCE_WAIT) {
2861 fence = drm_syncobj_fence_get(syncobj);
2863 DRM_DEBUG("Syncobj handle has no fence\n");
2864 drm_syncobj_put(syncobj);
2869 BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) &
2870 ~__I915_EXEC_FENCE_UNKNOWN_FLAGS);
2872 f->syncobj = ptr_pack_bits(syncobj, user_fence.flags, 2);
2873 f->dma_fence = fence;
2875 f->chain_fence = NULL;
2883 static void put_fence_array(struct eb_fence *fences, int num_fences)
2886 __free_fence_array(fences, num_fences);
2890 await_fence_array(struct i915_execbuffer *eb)
2895 for (n = 0; n < eb->num_fences; n++) {
2896 struct drm_syncobj *syncobj;
2899 syncobj = ptr_unpack_bits(eb->fences[n].syncobj, &flags, 2);
2901 if (!eb->fences[n].dma_fence)
2904 err = i915_request_await_dma_fence(eb->request,
2905 eb->fences[n].dma_fence);
2913 static void signal_fence_array(const struct i915_execbuffer *eb)
2915 struct dma_fence * const fence = &eb->request->fence;
2918 for (n = 0; n < eb->num_fences; n++) {
2919 struct drm_syncobj *syncobj;
2922 syncobj = ptr_unpack_bits(eb->fences[n].syncobj, &flags, 2);
2923 if (!(flags & I915_EXEC_FENCE_SIGNAL))
2926 if (eb->fences[n].chain_fence) {
2927 drm_syncobj_add_point(syncobj,
2928 eb->fences[n].chain_fence,
2930 eb->fences[n].value);
2932 * The chain's ownership is transferred to the
2935 eb->fences[n].chain_fence = NULL;
2937 drm_syncobj_replace_fence(syncobj, fence);
2943 parse_timeline_fences(struct i915_user_extension __user *ext, void *data)
2945 struct i915_execbuffer *eb = data;
2946 struct drm_i915_gem_execbuffer_ext_timeline_fences timeline_fences;
2948 if (copy_from_user(&timeline_fences, ext, sizeof(timeline_fences)))
2951 return add_timeline_fence_array(eb, &timeline_fences);
2954 static void retire_requests(struct intel_timeline *tl, struct i915_request *end)
2956 struct i915_request *rq, *rn;
2958 list_for_each_entry_safe(rq, rn, &tl->requests, link)
2959 if (rq == end || !i915_request_retire(rq))
2963 static int eb_request_add(struct i915_execbuffer *eb, int err)
2965 struct i915_request *rq = eb->request;
2966 struct intel_timeline * const tl = i915_request_timeline(rq);
2967 struct i915_sched_attr attr = {};
2968 struct i915_request *prev;
2970 lockdep_assert_held(&tl->mutex);
2971 lockdep_unpin_lock(&tl->mutex, rq->cookie);
2973 trace_i915_request_add(rq);
2975 prev = __i915_request_commit(rq);
2977 /* Check that the context wasn't destroyed before submission */
2978 if (likely(!intel_context_is_closed(eb->context))) {
2979 attr = eb->gem_context->sched;
2981 /* Serialise with context_close via the add_to_timeline */
2982 i915_request_set_error_once(rq, -ENOENT);
2983 __i915_request_skip(rq);
2984 err = -ENOENT; /* override any transient errors */
2987 __i915_request_queue(rq, &attr);
2989 /* Try to clean up the client's timeline after submitting the request */
2991 retire_requests(tl, prev);
2993 mutex_unlock(&tl->mutex);
2998 static const i915_user_extension_fn execbuf_extensions[] = {
2999 [DRM_I915_GEM_EXECBUFFER_EXT_TIMELINE_FENCES] = parse_timeline_fences,
3003 parse_execbuf2_extensions(struct drm_i915_gem_execbuffer2 *args,
3004 struct i915_execbuffer *eb)
3006 if (!(args->flags & I915_EXEC_USE_EXTENSIONS))
3009 /* The execbuf2 extension mechanism reuses cliprects_ptr. So we cannot
3010 * have another flag also using it at the same time.
3012 if (eb->args->flags & I915_EXEC_FENCE_ARRAY)
3015 if (args->num_cliprects != 0)
3018 return i915_user_extensions(u64_to_user_ptr(args->cliprects_ptr),
3020 ARRAY_SIZE(execbuf_extensions),
3025 i915_gem_do_execbuffer(struct drm_device *dev,
3026 struct drm_file *file,
3027 struct drm_i915_gem_execbuffer2 *args,
3028 struct drm_i915_gem_exec_object2 *exec)
3030 struct drm_i915_private *i915 = to_i915(dev);
3031 struct i915_execbuffer eb;
3032 struct dma_fence *in_fence = NULL;
3033 struct sync_file *out_fence = NULL;
3034 struct i915_vma *batch;
3035 int out_fence_fd = -1;
3038 BUILD_BUG_ON(__EXEC_INTERNAL_FLAGS & ~__I915_EXEC_ILLEGAL_FLAGS);
3039 BUILD_BUG_ON(__EXEC_OBJECT_INTERNAL_FLAGS &
3040 ~__EXEC_OBJECT_UNKNOWN_FLAGS);
3045 if (DBG_FORCE_RELOC || !(args->flags & I915_EXEC_NO_RELOC))
3046 args->flags |= __EXEC_HAS_RELOC;
3049 eb.vma = (struct eb_vma *)(exec + args->buffer_count + 1);
3050 eb.vma[0].vma = NULL;
3051 eb.reloc_pool = eb.batch_pool = NULL;
3052 eb.reloc_context = NULL;
3054 eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
3055 reloc_cache_init(&eb.reloc_cache, eb.i915);
3057 eb.buffer_count = args->buffer_count;
3058 eb.batch_start_offset = args->batch_start_offset;
3059 eb.batch_len = args->batch_len;
3060 eb.trampoline = NULL;
3066 if (args->flags & I915_EXEC_SECURE) {
3067 if (INTEL_GEN(i915) >= 11)
3070 /* Return -EPERM to trigger fallback code on old binaries. */
3071 if (!HAS_SECURE_BATCHES(i915))
3074 if (!drm_is_current_master(file) || !capable(CAP_SYS_ADMIN))
3077 eb.batch_flags |= I915_DISPATCH_SECURE;
3079 if (args->flags & I915_EXEC_IS_PINNED)
3080 eb.batch_flags |= I915_DISPATCH_PINNED;
3082 err = parse_execbuf2_extensions(args, &eb);
3086 err = add_fence_array(&eb);
3090 #define IN_FENCES (I915_EXEC_FENCE_IN | I915_EXEC_FENCE_SUBMIT)
3091 if (args->flags & IN_FENCES) {
3092 if ((args->flags & IN_FENCES) == IN_FENCES)
3095 in_fence = sync_file_get_fence(lower_32_bits(args->rsvd2));
3103 if (args->flags & I915_EXEC_FENCE_OUT) {
3104 out_fence_fd = get_unused_fd_flags(O_CLOEXEC);
3105 if (out_fence_fd < 0) {
3111 err = eb_create(&eb);
3115 GEM_BUG_ON(!eb.lut_size);
3117 err = eb_select_context(&eb);
3121 err = eb_select_engine(&eb);
3125 err = eb_lookup_vmas(&eb);
3127 eb_release_vmas(&eb, true);
3131 i915_gem_ww_ctx_init(&eb.ww, true);
3133 err = eb_relocate_parse(&eb);
3136 * If the user expects the execobject.offset and
3137 * reloc.presumed_offset to be an exact match,
3138 * as for using NO_RELOC, then we cannot update
3139 * the execobject.offset until we have completed
3142 args->flags &= ~__EXEC_HAS_RELOC;
3146 ww_acquire_done(&eb.ww.ctx);
3148 batch = eb.batch->vma;
3150 /* All GPU relocation batches must be submitted prior to the user rq */
3151 GEM_BUG_ON(eb.reloc_cache.rq);
3153 /* Allocate a request for this batch buffer nice and early. */
3154 eb.request = i915_request_create(eb.context);
3155 if (IS_ERR(eb.request)) {
3156 err = PTR_ERR(eb.request);
3161 if (args->flags & I915_EXEC_FENCE_SUBMIT)
3162 err = i915_request_await_execution(eb.request,
3164 eb.engine->bond_execute);
3166 err = i915_request_await_dma_fence(eb.request,
3173 err = await_fence_array(&eb);
3178 if (out_fence_fd != -1) {
3179 out_fence = sync_file_create(&eb.request->fence);
3187 * Whilst this request exists, batch_obj will be on the
3188 * active_list, and so will hold the active reference. Only when this
3189 * request is retired will the the batch_obj be moved onto the
3190 * inactive_list and lose its active reference. Hence we do not need
3191 * to explicitly hold another reference here.
3193 eb.request->batch = batch;
3195 intel_gt_buffer_pool_mark_active(eb.batch_pool, eb.request);
3197 trace_i915_request_queue(eb.request, eb.batch_flags);
3198 err = eb_submit(&eb, batch);
3200 i915_request_get(eb.request);
3201 err = eb_request_add(&eb, err);
3204 signal_fence_array(&eb);
3208 fd_install(out_fence_fd, out_fence->file);
3209 args->rsvd2 &= GENMASK_ULL(31, 0); /* keep in-fence */
3210 args->rsvd2 |= (u64)out_fence_fd << 32;
3213 fput(out_fence->file);
3216 i915_request_put(eb.request);
3219 eb_release_vmas(&eb, true);
3221 i915_vma_unpin(eb.trampoline);
3222 WARN_ON(err == -EDEADLK);
3223 i915_gem_ww_ctx_fini(&eb.ww);
3226 intel_gt_buffer_pool_put(eb.batch_pool);
3228 intel_gt_buffer_pool_put(eb.reloc_pool);
3229 if (eb.reloc_context)
3230 intel_context_put(eb.reloc_context);
3234 i915_gem_context_put(eb.gem_context);
3238 if (out_fence_fd != -1)
3239 put_unused_fd(out_fence_fd);
3241 dma_fence_put(in_fence);
3243 put_fence_array(eb.fences, eb.num_fences);
3247 static size_t eb_element_size(void)
3249 return sizeof(struct drm_i915_gem_exec_object2) + sizeof(struct eb_vma);
3252 static bool check_buffer_count(size_t count)
3254 const size_t sz = eb_element_size();
3257 * When using LUT_HANDLE, we impose a limit of INT_MAX for the lookup
3258 * array size (see eb_create()). Otherwise, we can accept an array as
3259 * large as can be addressed (though use large arrays at your peril)!
3262 return !(count < 1 || count > INT_MAX || count > SIZE_MAX / sz - 1);
3266 * Legacy execbuffer just creates an exec2 list from the original exec object
3267 * list array and passes it to the real function.
3270 i915_gem_execbuffer_ioctl(struct drm_device *dev, void *data,
3271 struct drm_file *file)
3273 struct drm_i915_private *i915 = to_i915(dev);
3274 struct drm_i915_gem_execbuffer *args = data;
3275 struct drm_i915_gem_execbuffer2 exec2;
3276 struct drm_i915_gem_exec_object *exec_list = NULL;
3277 struct drm_i915_gem_exec_object2 *exec2_list = NULL;
3278 const size_t count = args->buffer_count;
3282 if (!check_buffer_count(count)) {
3283 drm_dbg(&i915->drm, "execbuf2 with %zd buffers\n", count);
3287 exec2.buffers_ptr = args->buffers_ptr;
3288 exec2.buffer_count = args->buffer_count;
3289 exec2.batch_start_offset = args->batch_start_offset;
3290 exec2.batch_len = args->batch_len;
3291 exec2.DR1 = args->DR1;
3292 exec2.DR4 = args->DR4;
3293 exec2.num_cliprects = args->num_cliprects;
3294 exec2.cliprects_ptr = args->cliprects_ptr;
3295 exec2.flags = I915_EXEC_RENDER;
3296 i915_execbuffer2_set_context_id(exec2, 0);
3298 err = i915_gem_check_execbuffer(&exec2);
3302 /* Copy in the exec list from userland */
3303 exec_list = kvmalloc_array(count, sizeof(*exec_list),
3304 __GFP_NOWARN | GFP_KERNEL);
3306 /* Allocate extra slots for use by the command parser */
3307 exec2_list = kvmalloc_array(count + 2, eb_element_size(),
3308 __GFP_NOWARN | GFP_KERNEL);
3309 if (exec_list == NULL || exec2_list == NULL) {
3311 "Failed to allocate exec list for %d buffers\n",
3312 args->buffer_count);
3317 err = copy_from_user(exec_list,
3318 u64_to_user_ptr(args->buffers_ptr),
3319 sizeof(*exec_list) * count);
3321 drm_dbg(&i915->drm, "copy %d exec entries failed %d\n",
3322 args->buffer_count, err);
3328 for (i = 0; i < args->buffer_count; i++) {
3329 exec2_list[i].handle = exec_list[i].handle;
3330 exec2_list[i].relocation_count = exec_list[i].relocation_count;
3331 exec2_list[i].relocs_ptr = exec_list[i].relocs_ptr;
3332 exec2_list[i].alignment = exec_list[i].alignment;
3333 exec2_list[i].offset = exec_list[i].offset;
3334 if (INTEL_GEN(to_i915(dev)) < 4)
3335 exec2_list[i].flags = EXEC_OBJECT_NEEDS_FENCE;
3337 exec2_list[i].flags = 0;
3340 err = i915_gem_do_execbuffer(dev, file, &exec2, exec2_list);
3341 if (exec2.flags & __EXEC_HAS_RELOC) {
3342 struct drm_i915_gem_exec_object __user *user_exec_list =
3343 u64_to_user_ptr(args->buffers_ptr);
3345 /* Copy the new buffer offsets back to the user's exec list. */
3346 for (i = 0; i < args->buffer_count; i++) {
3347 if (!(exec2_list[i].offset & UPDATE))
3350 exec2_list[i].offset =
3351 gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
3352 exec2_list[i].offset &= PIN_OFFSET_MASK;
3353 if (__copy_to_user(&user_exec_list[i].offset,
3354 &exec2_list[i].offset,
3355 sizeof(user_exec_list[i].offset)))
3366 i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data,
3367 struct drm_file *file)
3369 struct drm_i915_private *i915 = to_i915(dev);
3370 struct drm_i915_gem_execbuffer2 *args = data;
3371 struct drm_i915_gem_exec_object2 *exec2_list;
3372 const size_t count = args->buffer_count;
3375 if (!check_buffer_count(count)) {
3376 drm_dbg(&i915->drm, "execbuf2 with %zd buffers\n", count);
3380 err = i915_gem_check_execbuffer(args);
3384 /* Allocate extra slots for use by the command parser */
3385 exec2_list = kvmalloc_array(count + 2, eb_element_size(),
3386 __GFP_NOWARN | GFP_KERNEL);
3387 if (exec2_list == NULL) {
3388 drm_dbg(&i915->drm, "Failed to allocate exec list for %zd buffers\n",
3392 if (copy_from_user(exec2_list,
3393 u64_to_user_ptr(args->buffers_ptr),
3394 sizeof(*exec2_list) * count)) {
3395 drm_dbg(&i915->drm, "copy %zd exec entries failed\n", count);
3400 err = i915_gem_do_execbuffer(dev, file, args, exec2_list);
3403 * Now that we have begun execution of the batchbuffer, we ignore
3404 * any new error after this point. Also given that we have already
3405 * updated the associated relocations, we try to write out the current
3406 * object locations irrespective of any error.
3408 if (args->flags & __EXEC_HAS_RELOC) {
3409 struct drm_i915_gem_exec_object2 __user *user_exec_list =
3410 u64_to_user_ptr(args->buffers_ptr);
3413 /* Copy the new buffer offsets back to the user's exec list. */
3415 * Note: count * sizeof(*user_exec_list) does not overflow,
3416 * because we checked 'count' in check_buffer_count().
3418 * And this range already got effectively checked earlier
3419 * when we did the "copy_from_user()" above.
3421 if (!user_write_access_begin(user_exec_list,
3422 count * sizeof(*user_exec_list)))
3425 for (i = 0; i < args->buffer_count; i++) {
3426 if (!(exec2_list[i].offset & UPDATE))
3429 exec2_list[i].offset =
3430 gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
3431 unsafe_put_user(exec2_list[i].offset,
3432 &user_exec_list[i].offset,
3436 user_write_access_end();
3440 args->flags &= ~__I915_EXEC_UNKNOWN_FLAGS;
3445 #if IS_ENABLED(CONFIG_DRM_I915_SELFTEST)
3446 #include "selftests/i915_gem_execbuffer.c"
projects / releases.git / blob