projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
drm/i915: Move mmap and friends to its own file
[linux-block.git] / drivers / gpu / drm / i915 / i915_gem_execbuffer.c
CommitLineData
54cf91dc
CW		 1/*
2 * Copyright © 2008,2010 Intel Corporation
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining a
5 * copy of this software and associated documentation files (the "Software"),
6 * to deal in the Software without restriction, including without limitation
7 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8 * and/or sell copies of the Software, and to permit persons to whom the
9 * Software is furnished to do so, subject to the following conditions:
10 *
11 * The above copyright notice and this permission notice (including the next
12 * paragraph) shall be included in all copies or substantial portions of the
13 * Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21 * IN THE SOFTWARE.
22 *
23 * Authors:
24 * Eric Anholt <eric@anholt.net>
25 * Chris Wilson <chris@chris-wilson.co.uk>
26 *
27 */
28
daedaa33 29#include <linux/intel-iommu.h>
ad778f89 30#include <linux/reservation.h>
fec0445c 31#include <linux/sync_file.h>
ad778f89
CW		 32#include <linux/uaccess.h>
33
cf6e7bac 34#include <drm/drm_syncobj.h>
760285e7 35#include <drm/i915_drm.h>
ad778f89 36
afa13085 37#include "gem/i915_gem_ioctls.h"
8f2a1057
CW		 38#include "gt/intel_gt_pm.h"
39
54cf91dc 40#include "i915_drv.h"
57822dc6 41#include "i915_gem_clflush.h"
54cf91dc
CW		 42#include "i915_trace.h"
43#include "intel_drv.h"
5d723d7a 44#include "intel_frontbuffer.h"
54cf91dc 45
7dd4f672
CW		 46enum {
47 FORCE_CPU_RELOC = 1,
48 FORCE_GTT_RELOC,
49 FORCE_GPU_RELOC,
50#define DBG_FORCE_RELOC 0 /* choose one of the above! */
51};
d50415cc 52
dade2a61
CW		 53#define __EXEC_OBJECT_HAS_REF BIT(31)
54#define __EXEC_OBJECT_HAS_PIN BIT(30)
55#define __EXEC_OBJECT_HAS_FENCE BIT(29)
56#define __EXEC_OBJECT_NEEDS_MAP BIT(28)
57#define __EXEC_OBJECT_NEEDS_BIAS BIT(27)
58#define __EXEC_OBJECT_INTERNAL_FLAGS (~0u << 27) /* all of the above */
2889caa9
CW		 59#define __EXEC_OBJECT_RESERVED (__EXEC_OBJECT_HAS_PIN | __EXEC_OBJECT_HAS_FENCE)
60
61#define __EXEC_HAS_RELOC BIT(31)
62#define __EXEC_VALIDATED BIT(30)
74c1c694 63#define __EXEC_INTERNAL_FLAGS (~0u << 30)
2889caa9 64#define UPDATE PIN_OFFSET_FIXED
d23db88c
CW		 65
66#define BATCH_OFFSET_BIAS (256*1024)
a415d355 67
650bc635 68#define __I915_EXEC_ILLEGAL_FLAGS \
08e3e21a
LDM		 69 (__I915_EXEC_UNKNOWN_FLAGS | \
70 I915_EXEC_CONSTANTS_MASK | \
71 I915_EXEC_RESOURCE_STREAMER)
5b043f4e 72
d20ac620
CW		 73/* Catch emission of unexpected errors for CI! */
74#if IS_ENABLED(CONFIG_DRM_I915_DEBUG_GEM)
75#undef EINVAL
76#define EINVAL ({ \
77 DRM_DEBUG_DRIVER("EINVAL at %s:%d\n", __func__, __LINE__); \
78 22; \
79})
80#endif
81
2889caa9
CW		 82/**
83 * DOC: User command execution
84 *
85 * Userspace submits commands to be executed on the GPU as an instruction
86 * stream within a GEM object we call a batchbuffer. This instructions may
87 * refer to other GEM objects containing auxiliary state such as kernels,
88 * samplers, render targets and even secondary batchbuffers. Userspace does
89 * not know where in the GPU memory these objects reside and so before the
90 * batchbuffer is passed to the GPU for execution, those addresses in the
91 * batchbuffer and auxiliary objects are updated. This is known as relocation,
92 * or patching. To try and avoid having to relocate each object on the next
93 * execution, userspace is told the location of those objects in this pass,
94 * but this remains just a hint as the kernel may choose a new location for
95 * any object in the future.
96 *
99d7e4ee
KR		 97 * At the level of talking to the hardware, submitting a batchbuffer for the
98 * GPU to execute is to add content to a buffer from which the HW
99 * command streamer is reading.
100 *
101 * 1. Add a command to load the HW context. For Logical Ring Contexts, i.e.
102 * Execlists, this command is not placed on the same buffer as the
103 * remaining items.
104 *
105 * 2. Add a command to invalidate caches to the buffer.
106 *
107 * 3. Add a batchbuffer start command to the buffer; the start command is
108 * essentially a token together with the GPU address of the batchbuffer
109 * to be executed.
110 *
111 * 4. Add a pipeline flush to the buffer.
112 *
113 * 5. Add a memory write command to the buffer to record when the GPU
114 * is done executing the batchbuffer. The memory write writes the
115 * global sequence number of the request, ``i915_request::global_seqno``;
116 * the i915 driver uses the current value in the register to determine
117 * if the GPU has completed the batchbuffer.
118 *
119 * 6. Add a user interrupt command to the buffer. This command instructs
120 * the GPU to issue an interrupt when the command, pipeline flush and
121 * memory write are completed.
122 *
123 * 7. Inform the hardware of the additional commands added to the buffer
124 * (by updating the tail pointer).
125 *
2889caa9
CW		 126 * Processing an execbuf ioctl is conceptually split up into a few phases.
127 *
128 * 1. Validation - Ensure all the pointers, handles and flags are valid.
129 * 2. Reservation - Assign GPU address space for every object
130 * 3. Relocation - Update any addresses to point to the final locations
131 * 4. Serialisation - Order the request with respect to its dependencies
132 * 5. Construction - Construct a request to execute the batchbuffer
133 * 6. Submission (at some point in the future execution)
134 *
135 * Reserving resources for the execbuf is the most complicated phase. We
136 * neither want to have to migrate the object in the address space, nor do
137 * we want to have to update any relocations pointing to this object. Ideally,
138 * we want to leave the object where it is and for all the existing relocations
139 * to match. If the object is given a new address, or if userspace thinks the
140 * object is elsewhere, we have to parse all the relocation entries and update
141 * the addresses. Userspace can set the I915_EXEC_NORELOC flag to hint that
142 * all the target addresses in all of its objects match the value in the
143 * relocation entries and that they all match the presumed offsets given by the
144 * list of execbuffer objects. Using this knowledge, we know that if we haven't
145 * moved any buffers, all the relocation entries are valid and we can skip
146 * the update. (If userspace is wrong, the likely outcome is an impromptu GPU
147 * hang.) The requirement for using I915_EXEC_NO_RELOC are:
148 *
149 * The addresses written in the objects must match the corresponding
150 * reloc.presumed_offset which in turn must match the corresponding
151 * execobject.offset.
152 *
153 * Any render targets written to in the batch must be flagged with
154 * EXEC_OBJECT_WRITE.
155 *
156 * To avoid stalling, execobject.offset should match the current
157 * address of that object within the active context.
158 *
159 * The reservation is done is multiple phases. First we try and keep any
160 * object already bound in its current location - so as long as meets the
161 * constraints imposed by the new execbuffer. Any object left unbound after the
162 * first pass is then fitted into any available idle space. If an object does
163 * not fit, all objects are removed from the reservation and the process rerun
164 * after sorting the objects into a priority order (more difficult to fit
165 * objects are tried first). Failing that, the entire VM is cleared and we try
166 * to fit the execbuf once last time before concluding that it simply will not
167 * fit.
168 *
169 * A small complication to all of this is that we allow userspace not only to
170 * specify an alignment and a size for the object in the address space, but
171 * we also allow userspace to specify the exact offset. This objects are
172 * simpler to place (the location is known a priori) all we have to do is make
173 * sure the space is available.
174 *
175 * Once all the objects are in place, patching up the buried pointers to point
176 * to the final locations is a fairly simple job of walking over the relocation
177 * entry arrays, looking up the right address and rewriting the value into
178 * the object. Simple! ... The relocation entries are stored in user memory
179 * and so to access them we have to copy them into a local buffer. That copy
180 * has to avoid taking any pagefaults as they may lead back to a GEM object
181 * requiring the struct_mutex (i.e. recursive deadlock). So once again we split
182 * the relocation into multiple passes. First we try to do everything within an
183 * atomic context (avoid the pagefaults) which requires that we never wait. If
184 * we detect that we may wait, or if we need to fault, then we have to fallback
185 * to a slower path. The slowpath has to drop the mutex. (Can you hear alarm
186 * bells yet?) Dropping the mutex means that we lose all the state we have
187 * built up so far for the execbuf and we must reset any global data. However,
188 * we do leave the objects pinned in their final locations - which is a
189 * potential issue for concurrent execbufs. Once we have left the mutex, we can
190 * allocate and copy all the relocation entries into a large array at our
191 * leisure, reacquire the mutex, reclaim all the objects and other state and
192 * then proceed to update any incorrect addresses with the objects.
193 *
194 * As we process the relocation entries, we maintain a record of whether the
195 * object is being written to. Using NORELOC, we expect userspace to provide
196 * this information instead. We also check whether we can skip the relocation
197 * by comparing the expected value inside the relocation entry with the target's
198 * final address. If they differ, we have to map the current object and rewrite
199 * the 4 or 8 byte pointer within.
200 *
201 * Serialising an execbuf is quite simple according to the rules of the GEM
202 * ABI. Execution within each context is ordered by the order of submission.
203 * Writes to any GEM object are in order of submission and are exclusive. Reads
204 * from a GEM object are unordered with respect to other reads, but ordered by
205 * writes. A write submitted after a read cannot occur before the read, and
206 * similarly any read submitted after a write cannot occur before the write.
207 * Writes are ordered between engines such that only one write occurs at any
208 * time (completing any reads beforehand) - using semaphores where available
209 * and CPU serialisation otherwise. Other GEM access obey the same rules, any
210 * write (either via mmaps using set-domain, or via pwrite) must flush all GPU
211 * reads before starting, and any read (either using set-domain or pread) must
212 * flush all GPU writes before starting. (Note we only employ a barrier before,
213 * we currently rely on userspace not concurrently starting a new execution
214 * whilst reading or writing to an object. This may be an advantage or not
215 * depending on how much you trust userspace not to shoot themselves in the
216 * foot.) Serialisation may just result in the request being inserted into
217 * a DAG awaiting its turn, but most simple is to wait on the CPU until
218 * all dependencies are resolved.
219 *
220 * After all of that, is just a matter of closing the request and handing it to
221 * the hardware (well, leaving it in a queue to be executed). However, we also
222 * offer the ability for batchbuffers to be run with elevated privileges so
223 * that they access otherwise hidden registers. (Used to adjust L3 cache etc.)
224 * Before any batch is given extra privileges we first must check that it
225 * contains no nefarious instructions, we check that each instruction is from
226 * our whitelist and all registers are also from an allowed list. We first
227 * copy the user's batchbuffer to a shadow (so that the user doesn't have
228 * access to it, either by the CPU or GPU as we scan it) and then parse each
229 * instruction. If everything is ok, we set a flag telling the hardware to run
230 * the batchbuffer in trusted mode, otherwise the ioctl is rejected.
231 */
232
650bc635 233struct i915_execbuffer {
2889caa9
CW		 234 struct drm_i915_private *i915; /** i915 backpointer */
235 struct drm_file *file; /** per-file lookup tables and limits */
236 struct drm_i915_gem_execbuffer2 *args; /** ioctl parameters */
237 struct drm_i915_gem_exec_object2 *exec; /** ioctl execobj[] */
c7c6e46f
CW		 238 struct i915_vma **vma;
239 unsigned int *flags;
2889caa9
CW		 240
241 struct intel_engine_cs *engine; /** engine to queue the request to */
8f2a1057
CW		 242 struct intel_context *context; /* logical state for the request */
243 struct i915_gem_context *gem_context; /** caller's context */
2889caa9
CW		 244 struct i915_address_space *vm; /** GTT and vma for the request */
245
e61e0f51 246 struct i915_request *request; /** our request to build */
2889caa9
CW		 247 struct i915_vma *batch; /** identity of the batch obj/vma */
248
249 /** actual size of execobj[] as we may extend it for the cmdparser */
250 unsigned int buffer_count;
251
252 /** list of vma not yet bound during reservation phase */
253 struct list_head unbound;
254
255 /** list of vma that have execobj.relocation_count */
256 struct list_head relocs;
257
258 /**
259 * Track the most recently used object for relocations, as we
260 * frequently have to perform multiple relocations within the same
261 * obj/page
262 */
650bc635 263 struct reloc_cache {
2889caa9
CW		 264 struct drm_mm_node node; /** temporary GTT binding */
265 unsigned long vaddr; /** Current kmap address */
266 unsigned long page; /** Currently mapped page index */
7dd4f672 267 unsigned int gen; /** Cached value of INTEL_GEN */
650bc635 268 bool use_64bit_reloc : 1;
2889caa9
CW		 269 bool has_llc : 1;
270 bool has_fence : 1;
271 bool needs_unfenced : 1;
7dd4f672 272
e61e0f51 273 struct i915_request *rq;
7dd4f672
CW		 274 u32 *rq_cmd;
275 unsigned int rq_size;
650bc635 276 } reloc_cache;
2889caa9
CW		 277
278 u64 invalid_flags; /** Set of execobj.flags that are invalid */
279 u32 context_flags; /** Set of execobj.flags to insert from the ctx */
280
281 u32 batch_start_offset; /** Location within object of batch */
282 u32 batch_len; /** Length of batch within object */
283 u32 batch_flags; /** Flags composed for emit_bb_start() */
284
285 /**
286 * Indicate either the size of the hastable used to resolve
287 * relocation handles, or if negative that we are using a direct
288 * index into the execobj[].
289 */
290 int lut_size;
291 struct hlist_head *buckets; /** ht for relocation handles */
67731b87
CW		 292};
293
c7c6e46f 294#define exec_entry(EB, VMA) (&(EB)->exec[(VMA)->exec_flags - (EB)->flags])
4ff4b44c 295
2889caa9
CW		 296/*
297 * Used to convert any address to canonical form.
298 * Starting from gen8, some commands (e.g. STATE_BASE_ADDRESS,
299 * MI_LOAD_REGISTER_MEM and others, see Broadwell PRM Vol2a) require the
300 * addresses to be in a canonical form:
301 * "GraphicsAddress[63:48] are ignored by the HW and assumed to be in correct
302 * canonical form [63:48] == [47]."
303 */
304#define GEN8_HIGH_ADDRESS_BIT 47
305static inline u64 gen8_canonical_addr(u64 address)
306{
307 return sign_extend64(address, GEN8_HIGH_ADDRESS_BIT);
308}
309
310static inline u64 gen8_noncanonical_addr(u64 address)
311{
312 return address & GENMASK_ULL(GEN8_HIGH_ADDRESS_BIT, 0);
313}
314
3dbf26ed
CW		 315static inline bool eb_use_cmdparser(const struct i915_execbuffer *eb)
316{
439e2ee4 317 return intel_engine_needs_cmd_parser(eb->engine) && eb->batch_len;
3dbf26ed
CW		 318}
319
650bc635 320static int eb_create(struct i915_execbuffer *eb)
67731b87 321{
2889caa9
CW		 322 if (!(eb->args->flags & I915_EXEC_HANDLE_LUT)) {
323 unsigned int size = 1 + ilog2(eb->buffer_count);
4ff4b44c 324
2889caa9
CW		 325 /*
326 * Without a 1:1 association between relocation handles and
327 * the execobject[] index, we instead create a hashtable.
328 * We size it dynamically based on available memory, starting
329 * first with 1:1 assocative hash and scaling back until
330 * the allocation succeeds.
331 *
332 * Later on we use a positive lut_size to indicate we are
333 * using this hashtable, and a negative value to indicate a
334 * direct lookup.
335 */
4ff4b44c 336 do {
0d95c883 337 gfp_t flags;
4d470f73
CW		 338
339 /* While we can still reduce the allocation size, don't
340 * raise a warning and allow the allocation to fail.
341 * On the last pass though, we want to try as hard
342 * as possible to perform the allocation and warn
343 * if it fails.
344 */
0ee931c4 345 flags = GFP_KERNEL;
4d470f73
CW		 346 if (size > 1)
347 flags |= __GFP_NORETRY | __GFP_NOWARN;
348
4ff4b44c 349 eb->buckets = kzalloc(sizeof(struct hlist_head) << size,
4d470f73 350 flags);
4ff4b44c
CW		 351 if (eb->buckets)
352 break;
353 } while (--size);
354
4d470f73
CW		 355 if (unlikely(!size))
356 return -ENOMEM;
eef90ccb 357
2889caa9 358 eb->lut_size = size;
650bc635 359 } else {
2889caa9 360 eb->lut_size = -eb->buffer_count;
650bc635 361 }
eef90ccb 362
650bc635 363 return 0;
67731b87
CW		 364}
365
2889caa9
CW		 366static bool
367eb_vma_misplaced(const struct drm_i915_gem_exec_object2 *entry,
c7c6e46f
CW		 368 const struct i915_vma *vma,
369 unsigned int flags)
2889caa9 370{
2889caa9
CW		 371 if (vma->node.size < entry->pad_to_size)
372 return true;
373
374 if (entry->alignment && !IS_ALIGNED(vma->node.start, entry->alignment))
375 return true;
376
c7c6e46f 377 if (flags & EXEC_OBJECT_PINNED &&
2889caa9
CW		 378 vma->node.start != entry->offset)
379 return true;
380
c7c6e46f 381 if (flags & __EXEC_OBJECT_NEEDS_BIAS &&
2889caa9
CW		 382 vma->node.start < BATCH_OFFSET_BIAS)
383 return true;
384
c7c6e46f 385 if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS) &&
2889caa9
CW		 386 (vma->node.start + vma->node.size - 1) >> 32)
387 return true;
388
1d033beb
CW		 389 if (flags & __EXEC_OBJECT_NEEDS_MAP &&
390 !i915_vma_is_map_and_fenceable(vma))
391 return true;
392
2889caa9
CW		 393 return false;
394}
395
c7c6e46f 396static inline bool
2889caa9 397eb_pin_vma(struct i915_execbuffer *eb,
c7c6e46f 398 const struct drm_i915_gem_exec_object2 *entry,
2889caa9
CW		 399 struct i915_vma *vma)
400{
c7c6e46f
CW		 401 unsigned int exec_flags = *vma->exec_flags;
402 u64 pin_flags;
2889caa9 403
616d9cee 404 if (vma->node.size)
c7c6e46f 405 pin_flags = vma->node.start;
616d9cee 406 else
c7c6e46f 407 pin_flags = entry->offset & PIN_OFFSET_MASK;
616d9cee 408
c7c6e46f
CW		 409 pin_flags |= PIN_USER | PIN_NOEVICT | PIN_OFFSET_FIXED;
410 if (unlikely(exec_flags & EXEC_OBJECT_NEEDS_GTT))
411 pin_flags |= PIN_GLOBAL;
616d9cee 412
c7c6e46f
CW		 413 if (unlikely(i915_vma_pin(vma, 0, 0, pin_flags)))
414 return false;
2889caa9 415
c7c6e46f 416 if (unlikely(exec_flags & EXEC_OBJECT_NEEDS_FENCE)) {
3bd40735 417 if (unlikely(i915_vma_pin_fence(vma))) {
2889caa9 418 i915_vma_unpin(vma);
c7c6e46f 419 return false;
2889caa9
CW		 420 }
421
3bd40735 422 if (vma->fence)
c7c6e46f 423 exec_flags |= __EXEC_OBJECT_HAS_FENCE;
2889caa9
CW		 424 }
425
c7c6e46f
CW		 426 *vma->exec_flags = exec_flags | __EXEC_OBJECT_HAS_PIN;
427 return !eb_vma_misplaced(entry, vma, exec_flags);
2889caa9
CW		 428}
429
c7c6e46f 430static inline void __eb_unreserve_vma(struct i915_vma *vma, unsigned int flags)
d55495b4 431{
c7c6e46f 432 GEM_BUG_ON(!(flags & __EXEC_OBJECT_HAS_PIN));
2889caa9 433
c7c6e46f 434 if (unlikely(flags & __EXEC_OBJECT_HAS_FENCE))
3bd40735 435 __i915_vma_unpin_fence(vma);
d55495b4 436
2889caa9 437 __i915_vma_unpin(vma);
d55495b4
CW		 438}
439
2889caa9 440static inline void
c7c6e46f 441eb_unreserve_vma(struct i915_vma *vma, unsigned int *flags)
d55495b4 442{
c7c6e46f 443 if (!(*flags & __EXEC_OBJECT_HAS_PIN))
2889caa9 444 return;
d55495b4 445
c7c6e46f
CW		 446 __eb_unreserve_vma(vma, *flags);
447 *flags &= ~__EXEC_OBJECT_RESERVED;
d55495b4
CW		 448}
449
2889caa9
CW		 450static int
451eb_validate_vma(struct i915_execbuffer *eb,
452 struct drm_i915_gem_exec_object2 *entry,
453 struct i915_vma *vma)
67731b87 454{
2889caa9
CW		 455 if (unlikely(entry->flags & eb->invalid_flags))
456 return -EINVAL;
d55495b4 457
2889caa9
CW		 458 if (unlikely(entry->alignment && !is_power_of_2(entry->alignment)))
459 return -EINVAL;
460
461 /*
462 * Offset can be used as input (EXEC_OBJECT_PINNED), reject
463 * any non-page-aligned or non-canonical addresses.
464 */
465 if (unlikely(entry->flags & EXEC_OBJECT_PINNED &&
6fc4e48f 466 entry->offset != gen8_canonical_addr(entry->offset & I915_GTT_PAGE_MASK)))
2889caa9
CW		 467 return -EINVAL;
468
469 /* pad_to_size was once a reserved field, so sanitize it */
470 if (entry->flags & EXEC_OBJECT_PAD_TO_SIZE) {
471 if (unlikely(offset_in_page(entry->pad_to_size)))
472 return -EINVAL;
473 } else {
474 entry->pad_to_size = 0;
d55495b4
CW		 475 }
476
c7c6e46f 477 if (unlikely(vma->exec_flags)) {
2889caa9
CW		 478 DRM_DEBUG("Object [handle %d, index %d] appears more than once in object list\n",
479 entry->handle, (int)(entry - eb->exec));
480 return -EINVAL;
481 }
482
483 /*
484 * From drm_mm perspective address space is continuous,
485 * so from this point we're always using non-canonical
486 * form internally.
487 */
488 entry->offset = gen8_noncanonical_addr(entry->offset);
489
c7c6e46f
CW		 490 if (!eb->reloc_cache.has_fence) {
491 entry->flags &= ~EXEC_OBJECT_NEEDS_FENCE;
492 } else {
493 if ((entry->flags & EXEC_OBJECT_NEEDS_FENCE ||
494 eb->reloc_cache.needs_unfenced) &&
495 i915_gem_object_is_tiled(vma->obj))
496 entry->flags |= EXEC_OBJECT_NEEDS_GTT | __EXEC_OBJECT_NEEDS_MAP;
497 }
498
499 if (!(entry->flags & EXEC_OBJECT_PINNED))
500 entry->flags |= eb->context_flags;
501
2889caa9 502 return 0;
67731b87
CW		 503}
504
2889caa9 505static int
746c8f14
CW		 506eb_add_vma(struct i915_execbuffer *eb,
507 unsigned int i, unsigned batch_idx,
508 struct i915_vma *vma)
59bfa124 509{
c7c6e46f 510 struct drm_i915_gem_exec_object2 *entry = &eb->exec[i];
2889caa9
CW		 511 int err;
512
513 GEM_BUG_ON(i915_vma_is_closed(vma));
514
515 if (!(eb->args->flags & __EXEC_VALIDATED)) {
516 err = eb_validate_vma(eb, entry, vma);
517 if (unlikely(err))
518 return err;
4ff4b44c 519 }
4ff4b44c 520
4d470f73 521 if (eb->lut_size > 0) {
2889caa9 522 vma->exec_handle = entry->handle;
4ff4b44c 523 hlist_add_head(&vma->exec_node,
2889caa9
CW		 524 &eb->buckets[hash_32(entry->handle,
525 eb->lut_size)]);
4ff4b44c 526 }
59bfa124 527
2889caa9
CW		 528 if (entry->relocation_count)
529 list_add_tail(&vma->reloc_link, &eb->relocs);
530
2889caa9
CW		 531 /*
532 * Stash a pointer from the vma to execobj, so we can query its flags,
533 * size, alignment etc as provided by the user. Also we stash a pointer
534 * to the vma inside the execobj so that we can use a direct lookup
535 * to find the right target VMA when doing relocations.
536 */
c7c6e46f 537 eb->vma[i] = vma;
d1b48c1e 538 eb->flags[i] = entry->flags;
c7c6e46f 539 vma->exec_flags = &eb->flags[i];
2889caa9 540
746c8f14
CW		 541 /*
542 * SNA is doing fancy tricks with compressing batch buffers, which leads
543 * to negative relocation deltas. Usually that works out ok since the
544 * relocate address is still positive, except when the batch is placed
545 * very low in the GTT. Ensure this doesn't happen.
546 *
547 * Note that actual hangs have only been observed on gen7, but for
548 * paranoia do it everywhere.
549 */
550 if (i == batch_idx) {
827db9d8
CW		 551 if (entry->relocation_count &&
552 !(eb->flags[i] & EXEC_OBJECT_PINNED))
746c8f14
CW		 553 eb->flags[i] |= __EXEC_OBJECT_NEEDS_BIAS;
554 if (eb->reloc_cache.has_fence)
555 eb->flags[i] |= EXEC_OBJECT_NEEDS_FENCE;
556
557 eb->batch = vma;
558 }
559
2889caa9 560 err = 0;
c7c6e46f 561 if (eb_pin_vma(eb, entry, vma)) {
2889caa9
CW		 562 if (entry->offset != vma->node.start) {
563 entry->offset = vma->node.start | UPDATE;
564 eb->args->flags |= __EXEC_HAS_RELOC;
565 }
c7c6e46f
CW		 566 } else {
567 eb_unreserve_vma(vma, vma->exec_flags);
568
569 list_add_tail(&vma->exec_link, &eb->unbound);
570 if (drm_mm_node_allocated(&vma->node))
571 err = i915_vma_unbind(vma);
ed2f3532
CW		 572 if (unlikely(err))
573 vma->exec_flags = NULL;
2889caa9
CW		 574 }
575 return err;
576}
577
578static inline int use_cpu_reloc(const struct reloc_cache *cache,
579 const struct drm_i915_gem_object *obj)
580{
581 if (!i915_gem_object_has_struct_page(obj))
582 return false;
583
7dd4f672
CW		 584 if (DBG_FORCE_RELOC == FORCE_CPU_RELOC)
585 return true;
586
587 if (DBG_FORCE_RELOC == FORCE_GTT_RELOC)
588 return false;
2889caa9
CW		 589
590 return (cache->has_llc ||
591 obj->cache_dirty ||
592 obj->cache_level != I915_CACHE_NONE);
593}
594
595static int eb_reserve_vma(const struct i915_execbuffer *eb,
596 struct i915_vma *vma)
597{
c7c6e46f
CW		 598 struct drm_i915_gem_exec_object2 *entry = exec_entry(eb, vma);
599 unsigned int exec_flags = *vma->exec_flags;
600 u64 pin_flags;
2889caa9
CW		 601 int err;
602
c7c6e46f
CW		 603 pin_flags = PIN_USER | PIN_NONBLOCK;
604 if (exec_flags & EXEC_OBJECT_NEEDS_GTT)
605 pin_flags |= PIN_GLOBAL;
2889caa9
CW		 606
607 /*
608 * Wa32bitGeneralStateOffset & Wa32bitInstructionBaseOffset,
609 * limit address to the first 4GBs for unflagged objects.
610 */
c7c6e46f
CW		 611 if (!(exec_flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS))
612 pin_flags |= PIN_ZONE_4G;
2889caa9 613
c7c6e46f
CW		 614 if (exec_flags & __EXEC_OBJECT_NEEDS_MAP)
615 pin_flags |= PIN_MAPPABLE;
2889caa9 616
c7c6e46f
CW		 617 if (exec_flags & EXEC_OBJECT_PINNED) {
618 pin_flags |= entry->offset | PIN_OFFSET_FIXED;
619 pin_flags &= ~PIN_NONBLOCK; /* force overlapping checks */
620 } else if (exec_flags & __EXEC_OBJECT_NEEDS_BIAS) {
621 pin_flags |= BATCH_OFFSET_BIAS | PIN_OFFSET_BIAS;
2889caa9
CW		 622 }
623
c7c6e46f
CW		 624 err = i915_vma_pin(vma,
625 entry->pad_to_size, entry->alignment,
626 pin_flags);
2889caa9
CW		 627 if (err)
628 return err;
629
630 if (entry->offset != vma->node.start) {
631 entry->offset = vma->node.start | UPDATE;
632 eb->args->flags |= __EXEC_HAS_RELOC;
633 }
634
c7c6e46f 635 if (unlikely(exec_flags & EXEC_OBJECT_NEEDS_FENCE)) {
3bd40735 636 err = i915_vma_pin_fence(vma);
2889caa9
CW		 637 if (unlikely(err)) {
638 i915_vma_unpin(vma);
639 return err;
640 }
641
3bd40735 642 if (vma->fence)
c7c6e46f 643 exec_flags |= __EXEC_OBJECT_HAS_FENCE;
2889caa9
CW		 644 }
645
c7c6e46f
CW		 646 *vma->exec_flags = exec_flags | __EXEC_OBJECT_HAS_PIN;
647 GEM_BUG_ON(eb_vma_misplaced(entry, vma, exec_flags));
1da7b54c 648
2889caa9
CW		 649 return 0;
650}
651
652static int eb_reserve(struct i915_execbuffer *eb)
653{
654 const unsigned int count = eb->buffer_count;
655 struct list_head last;
656 struct i915_vma *vma;
657 unsigned int i, pass;
658 int err;
659
660 /*
661 * Attempt to pin all of the buffers into the GTT.
662 * This is done in 3 phases:
663 *
664 * 1a. Unbind all objects that do not match the GTT constraints for
665 * the execbuffer (fenceable, mappable, alignment etc).
666 * 1b. Increment pin count for already bound objects.
667 * 2. Bind new objects.
668 * 3. Decrement pin count.
669 *
670 * This avoid unnecessary unbinding of later objects in order to make
671 * room for the earlier objects *unless* we need to defragment.
672 */
673
674 pass = 0;
675 err = 0;
676 do {
677 list_for_each_entry(vma, &eb->unbound, exec_link) {
678 err = eb_reserve_vma(eb, vma);
679 if (err)
680 break;
681 }
682 if (err != -ENOSPC)
683 return err;
684
685 /* Resort *all* the objects into priority order */
686 INIT_LIST_HEAD(&eb->unbound);
687 INIT_LIST_HEAD(&last);
688 for (i = 0; i < count; i++) {
c7c6e46f
CW		 689 unsigned int flags = eb->flags[i];
690 struct i915_vma *vma = eb->vma[i];
2889caa9 691
c7c6e46f
CW		 692 if (flags & EXEC_OBJECT_PINNED &&
693 flags & __EXEC_OBJECT_HAS_PIN)
2889caa9
CW		 694 continue;
695
c7c6e46f 696 eb_unreserve_vma(vma, &eb->flags[i]);
2889caa9 697
c7c6e46f 698 if (flags & EXEC_OBJECT_PINNED)
35e882a4 699 /* Pinned must have their slot */
2889caa9 700 list_add(&vma->exec_link, &eb->unbound);
c7c6e46f 701 else if (flags & __EXEC_OBJECT_NEEDS_MAP)
35e882a4 702 /* Map require the lowest 256MiB (aperture) */
2889caa9 703 list_add_tail(&vma->exec_link, &eb->unbound);
35e882a4
CW		 704 else if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS))
705 /* Prioritise 4GiB region for restricted bo */
706 list_add(&vma->exec_link, &last);
2889caa9
CW		 707 else
708 list_add_tail(&vma->exec_link, &last);
709 }
710 list_splice_tail(&last, &eb->unbound);
711
712 switch (pass++) {
713 case 0:
714 break;
715
716 case 1:
717 /* Too fragmented, unbind everything and retry */
718 err = i915_gem_evict_vm(eb->vm);
719 if (err)
720 return err;
721 break;
722
723 default:
724 return -ENOSPC;
725 }
726 } while (1);
4ff4b44c 727}
59bfa124 728
2889caa9
CW		 729static unsigned int eb_batch_index(const struct i915_execbuffer *eb)
730{
1a71cf2f
CW		 731 if (eb->args->flags & I915_EXEC_BATCH_FIRST)
732 return 0;
733 else
734 return eb->buffer_count - 1;
2889caa9
CW		 735}
736
737static int eb_select_context(struct i915_execbuffer *eb)
738{
739 struct i915_gem_context *ctx;
740
741 ctx = i915_gem_context_lookup(eb->file->driver_priv, eb->args->rsvd1);
1acfc104
CW		 742 if (unlikely(!ctx))
743 return -ENOENT;
2889caa9 744
8f2a1057 745 eb->gem_context = ctx;
4f2c7337
CW		 746 if (ctx->ppgtt) {
747 eb->vm = &ctx->ppgtt->vm;
748 eb->invalid_flags |= EXEC_OBJECT_NEEDS_GTT;
749 } else {
750 eb->vm = &eb->i915->ggtt.vm;
751 }
2889caa9
CW		 752
753 eb->context_flags = 0;
d3f3e5e4 754 if (test_bit(UCONTEXT_NO_ZEROMAP, &ctx->user_flags))
2889caa9
CW		 755 eb->context_flags |= __EXEC_OBJECT_NEEDS_BIAS;
756
757 return 0;
758}
759
d6f328bf
CW		 760static struct i915_request *__eb_wait_for_ring(struct intel_ring *ring)
761{
762 struct i915_request *rq;
763
764 /*
765 * Completely unscientific finger-in-the-air estimates for suitable
766 * maximum user request size (to avoid blocking) and then backoff.
767 */
768 if (intel_ring_update_space(ring) >= PAGE_SIZE)
769 return NULL;
770
771 /*
772 * Find a request that after waiting upon, there will be at least half
773 * the ring available. The hysteresis allows us to compete for the
774 * shared ring and should mean that we sleep less often prior to
775 * claiming our resources, but not so long that the ring completely
776 * drains before we can submit our next request.
777 */
778 list_for_each_entry(rq, &ring->request_list, ring_link) {
779 if (__intel_ring_space(rq->postfix,
780 ring->emit, ring->size) > ring->size / 2)
781 break;
782 }
783 if (&rq->ring_link == &ring->request_list)
784 return NULL; /* weird, we will check again later for real */
785
786 return i915_request_get(rq);
787}
788
789static int eb_wait_for_ring(const struct i915_execbuffer *eb)
790{
d6f328bf
CW		 791 struct i915_request *rq;
792 int ret = 0;
793
794 /*
795 * Apply a light amount of backpressure to prevent excessive hogs
796 * from blocking waiting for space whilst holding struct_mutex and
797 * keeping all of their resources pinned.
798 */
799
8f2a1057 800 rq = __eb_wait_for_ring(eb->context->ring);
d6f328bf
CW		 801 if (rq) {
802 mutex_unlock(&eb->i915->drm.struct_mutex);
803
804 if (i915_request_wait(rq,
805 I915_WAIT_INTERRUPTIBLE,
806 MAX_SCHEDULE_TIMEOUT) < 0)
807 ret = -EINTR;
808
809 i915_request_put(rq);
810
811 mutex_lock(&eb->i915->drm.struct_mutex);
812 }
813
814 return ret;
815}
816
2889caa9 817static int eb_lookup_vmas(struct i915_execbuffer *eb)
3b96eff4 818{
8f2a1057 819 struct radix_tree_root *handles_vma = &eb->gem_context->handles_vma;
ac70ebe8 820 struct drm_i915_gem_object *obj;
746c8f14 821 unsigned int i, batch;
2889caa9 822 int err;
3b96eff4 823
8f2a1057 824 if (unlikely(i915_gem_context_is_closed(eb->gem_context)))
8bcbfb12
CW		 825 return -ENOENT;
826
8f2a1057 827 if (unlikely(i915_gem_context_is_banned(eb->gem_context)))
8bcbfb12
CW		 828 return -EIO;
829
2889caa9
CW		 830 INIT_LIST_HEAD(&eb->relocs);
831 INIT_LIST_HEAD(&eb->unbound);
d55495b4 832
746c8f14
CW		 833 batch = eb_batch_index(eb);
834
170fa29b
CW		 835 for (i = 0; i < eb->buffer_count; i++) {
836 u32 handle = eb->exec[i].handle;
d1b48c1e 837 struct i915_lut_handle *lut;
170fa29b 838 struct i915_vma *vma;
4ff4b44c 839
d1b48c1e
CW		 840 vma = radix_tree_lookup(handles_vma, handle);
841 if (likely(vma))
170fa29b 842 goto add_vma;
4ff4b44c 843
170fa29b 844 obj = i915_gem_object_lookup(eb->file, handle);
4ff4b44c 845 if (unlikely(!obj)) {
2889caa9 846 err = -ENOENT;
170fa29b 847 goto err_vma;
3b96eff4
CW		 848 }
849
650bc635 850 vma = i915_vma_instance(obj, eb->vm, NULL);
772b5408 851 if (IS_ERR(vma)) {
2889caa9 852 err = PTR_ERR(vma);
170fa29b 853 goto err_obj;
27173f1f
BW		 854 }
855
13f1bfd3 856 lut = i915_lut_handle_alloc();
d1b48c1e
CW		 857 if (unlikely(!lut)) {
858 err = -ENOMEM;
859 goto err_obj;
860 }
861
862 err = radix_tree_insert(handles_vma, handle, vma);
863 if (unlikely(err)) {
13f1bfd3 864 i915_lut_handle_free(lut);
d1b48c1e 865 goto err_obj;
eef90ccb 866 }
4ff4b44c 867
ac70ebe8 868 /* transfer ref to ctx */
3365e226
CW		 869 if (!vma->open_count++)
870 i915_vma_reopen(vma);
d1b48c1e 871 list_add(&lut->obj_link, &obj->lut_list);
8f2a1057
CW		 872 list_add(&lut->ctx_link, &eb->gem_context->handles_list);
873 lut->ctx = eb->gem_context;
d1b48c1e
CW		 874 lut->handle = handle;
875
170fa29b 876add_vma:
746c8f14 877 err = eb_add_vma(eb, i, batch, vma);
2889caa9 878 if (unlikely(err))
ac70ebe8 879 goto err_vma;
dade2a61 880
c7c6e46f
CW		 881 GEM_BUG_ON(vma != eb->vma[i]);
882 GEM_BUG_ON(vma->exec_flags != &eb->flags[i]);
746c8f14
CW		 883 GEM_BUG_ON(drm_mm_node_allocated(&vma->node) &&
884 eb_vma_misplaced(&eb->exec[i], vma, eb->flags[i]));
4ff4b44c
CW		 885 }
886
2889caa9
CW		 887 eb->args->flags |= __EXEC_VALIDATED;
888 return eb_reserve(eb);
889
170fa29b 890err_obj:
ac70ebe8 891 i915_gem_object_put(obj);
170fa29b
CW		 892err_vma:
893 eb->vma[i] = NULL;
2889caa9 894 return err;
3b96eff4
CW		 895}
896
4ff4b44c 897static struct i915_vma *
2889caa9 898eb_get_vma(const struct i915_execbuffer *eb, unsigned long handle)
67731b87 899{
2889caa9
CW		 900 if (eb->lut_size < 0) {
901 if (handle >= -eb->lut_size)
eef90ccb 902 return NULL;
c7c6e46f 903 return eb->vma[handle];
eef90ccb
CW		 904 } else {
905 struct hlist_head *head;
aa45950b 906 struct i915_vma *vma;
67731b87 907
2889caa9 908 head = &eb->buckets[hash_32(handle, eb->lut_size)];
aa45950b 909 hlist_for_each_entry(vma, head, exec_node) {
27173f1f
BW		 910 if (vma->exec_handle == handle)
911 return vma;
eef90ccb
CW		 912 }
913 return NULL;
914 }
67731b87
CW		 915}
916
2889caa9 917static void eb_release_vmas(const struct i915_execbuffer *eb)
a415d355 918{
2889caa9
CW		 919 const unsigned int count = eb->buffer_count;
920 unsigned int i;
921
922 for (i = 0; i < count; i++) {
c7c6e46f
CW		 923 struct i915_vma *vma = eb->vma[i];
924 unsigned int flags = eb->flags[i];
650bc635 925
2889caa9 926 if (!vma)
170fa29b 927 break;
bcffc3fa 928
c7c6e46f
CW		 929 GEM_BUG_ON(vma->exec_flags != &eb->flags[i]);
930 vma->exec_flags = NULL;
931 eb->vma[i] = NULL;
9e53d9be 932
c7c6e46f
CW		 933 if (flags & __EXEC_OBJECT_HAS_PIN)
934 __eb_unreserve_vma(vma, flags);
dade2a61 935
c7c6e46f 936 if (flags & __EXEC_OBJECT_HAS_REF)
dade2a61 937 i915_vma_put(vma);
2889caa9 938 }
dabdfe02
CW		 939}
940
2889caa9 941static void eb_reset_vmas(const struct i915_execbuffer *eb)
934acce3 942{
2889caa9 943 eb_release_vmas(eb);
4d470f73 944 if (eb->lut_size > 0)
2889caa9
CW		 945 memset(eb->buckets, 0,
946 sizeof(struct hlist_head) << eb->lut_size);
934acce3
MW		 947}
948
2889caa9 949static void eb_destroy(const struct i915_execbuffer *eb)
934acce3 950{
7dd4f672
CW		 951 GEM_BUG_ON(eb->reloc_cache.rq);
952
4d470f73 953 if (eb->lut_size > 0)
2889caa9 954 kfree(eb->buckets);
934acce3
MW		 955}
956
2889caa9 957static inline u64
d50415cc 958relocation_target(const struct drm_i915_gem_relocation_entry *reloc,
2889caa9 959 const struct i915_vma *target)
934acce3 960{
2889caa9 961 return gen8_canonical_addr((int)reloc->delta + target->node.start);
934acce3
MW		 962}
963
d50415cc
CW		 964static void reloc_cache_init(struct reloc_cache *cache,
965 struct drm_i915_private *i915)
5032d871 966{
31a39207 967 cache->page = -1;
d50415cc 968 cache->vaddr = 0;
dfc5148f 969 /* Must be a variable in the struct to allow GCC to unroll. */
7dd4f672 970 cache->gen = INTEL_GEN(i915);
2889caa9 971 cache->has_llc = HAS_LLC(i915);
dfc5148f 972 cache->use_64bit_reloc = HAS_64BIT_RELOC(i915);
7dd4f672
CW		 973 cache->has_fence = cache->gen < 4;
974 cache->needs_unfenced = INTEL_INFO(i915)->unfenced_needs_alignment;
e8cb909a 975 cache->node.allocated = false;
7dd4f672
CW		 976 cache->rq = NULL;
977 cache->rq_size = 0;
d50415cc 978}
5032d871 979
d50415cc
CW		 980static inline void *unmask_page(unsigned long p)
981{
982 return (void *)(uintptr_t)(p & PAGE_MASK);
983}
984
985static inline unsigned int unmask_flags(unsigned long p)
986{
987 return p & ~PAGE_MASK;
31a39207
CW		 988}
989
d50415cc
CW		 990#define KMAP 0x4 /* after CLFLUSH_FLAGS */
991
650bc635
CW		 992static inline struct i915_ggtt *cache_to_ggtt(struct reloc_cache *cache)
993{
994 struct drm_i915_private *i915 =
995 container_of(cache, struct i915_execbuffer, reloc_cache)->i915;
996 return &i915->ggtt;
997}
998
7dd4f672
CW		 999static void reloc_gpu_flush(struct reloc_cache *cache)
1000{
1001 GEM_BUG_ON(cache->rq_size >= cache->rq->batch->obj->base.size / sizeof(u32));
1002 cache->rq_cmd[cache->rq_size] = MI_BATCH_BUFFER_END;
a679f58d
CW		 1003
1004 __i915_gem_object_flush_map(cache->rq->batch->obj, 0, cache->rq_size);
7dd4f672 1005 i915_gem_object_unpin_map(cache->rq->batch->obj);
a679f58d 1006
7dd4f672
CW		 1007 i915_gem_chipset_flush(cache->rq->i915);
1008
697b9a87 1009 i915_request_add(cache->rq);
7dd4f672
CW		 1010 cache->rq = NULL;
1011}
1012
650bc635 1013static void reloc_cache_reset(struct reloc_cache *cache)
31a39207 1014{
d50415cc 1015 void *vaddr;
5032d871 1016
7dd4f672
CW		 1017 if (cache->rq)
1018 reloc_gpu_flush(cache);
1019
31a39207
CW		 1020 if (!cache->vaddr)
1021 return;
3c94ceee 1022
d50415cc
CW		 1023 vaddr = unmask_page(cache->vaddr);
1024 if (cache->vaddr & KMAP) {
1025 if (cache->vaddr & CLFLUSH_AFTER)
1026 mb();
3c94ceee 1027
d50415cc
CW		 1028 kunmap_atomic(vaddr);
1029 i915_gem_obj_finish_shmem_access((struct drm_i915_gem_object *)cache->node.mm);
1030 } else {
e8cb909a 1031 wmb();
d50415cc 1032 io_mapping_unmap_atomic((void __iomem *)vaddr);
e8cb909a 1033 if (cache->node.allocated) {
650bc635 1034 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
e8cb909a 1035
82ad6443
CW		 1036 ggtt->vm.clear_range(&ggtt->vm,
1037 cache->node.start,
1038 cache->node.size);
e8cb909a
CW		 1039 drm_mm_remove_node(&cache->node);
1040 } else {
1041 i915_vma_unpin((struct i915_vma *)cache->node.mm);
3c94ceee 1042 }
31a39207 1043 }
650bc635
CW		 1044
1045 cache->vaddr = 0;
1046 cache->page = -1;
31a39207
CW		 1047}
1048
1049static void *reloc_kmap(struct drm_i915_gem_object *obj,
1050 struct reloc_cache *cache,
2889caa9 1051 unsigned long page)
31a39207 1052{
d50415cc
CW		 1053 void *vaddr;
1054
1055 if (cache->vaddr) {
1056 kunmap_atomic(unmask_page(cache->vaddr));
1057 } else {
1058 unsigned int flushes;
2889caa9 1059 int err;
31a39207 1060
2889caa9
CW		 1061 err = i915_gem_obj_prepare_shmem_write(obj, &flushes);
1062 if (err)
1063 return ERR_PTR(err);
d50415cc
CW		 1064
1065 BUILD_BUG_ON(KMAP & CLFLUSH_FLAGS);
1066 BUILD_BUG_ON((KMAP | CLFLUSH_FLAGS) & PAGE_MASK);
3c94ceee 1067
d50415cc
CW		 1068 cache->vaddr = flushes | KMAP;
1069 cache->node.mm = (void *)obj;
1070 if (flushes)
1071 mb();
3c94ceee
BW		 1072 }
1073
d50415cc
CW		 1074 vaddr = kmap_atomic(i915_gem_object_get_dirty_page(obj, page));
1075 cache->vaddr = unmask_flags(cache->vaddr) | (unsigned long)vaddr;
31a39207 1076 cache->page = page;
5032d871 1077
d50415cc 1078 return vaddr;
5032d871
RB		 1079}
1080
d50415cc
CW		 1081static void *reloc_iomap(struct drm_i915_gem_object *obj,
1082 struct reloc_cache *cache,
2889caa9 1083 unsigned long page)
5032d871 1084{
650bc635 1085 struct i915_ggtt *ggtt = cache_to_ggtt(cache);
e8cb909a 1086 unsigned long offset;
d50415cc 1087 void *vaddr;
5032d871 1088
d50415cc 1089 if (cache->vaddr) {
615e5000 1090 io_mapping_unmap_atomic((void __force __iomem *) unmask_page(cache->vaddr));
d50415cc
CW		 1091 } else {
1092 struct i915_vma *vma;
2889caa9 1093 int err;
5032d871 1094
2889caa9 1095 if (use_cpu_reloc(cache, obj))
d50415cc 1096 return NULL;
3c94ceee 1097
2889caa9
CW		 1098 err = i915_gem_object_set_to_gtt_domain(obj, true);
1099 if (err)
1100 return ERR_PTR(err);
3c94ceee 1101
d50415cc 1102 vma = i915_gem_object_ggtt_pin(obj, NULL, 0, 0,
3c755c5b
CW		 1103 PIN_MAPPABLE |
1104 PIN_NONBLOCK |
1105 PIN_NONFAULT);
e8cb909a
CW		 1106 if (IS_ERR(vma)) {
1107 memset(&cache->node, 0, sizeof(cache->node));
2889caa9 1108 err = drm_mm_insert_node_in_range
82ad6443 1109 (&ggtt->vm.mm, &cache->node,
f51455d4 1110 PAGE_SIZE, 0, I915_COLOR_UNEVICTABLE,
e8cb909a 1111 0, ggtt->mappable_end,
4e64e553 1112 DRM_MM_INSERT_LOW);
2889caa9 1113 if (err) /* no inactive aperture space, use cpu reloc */
c92fa4fe 1114 return NULL;
e8cb909a 1115 } else {
2889caa9
CW		 1116 err = i915_vma_put_fence(vma);
1117 if (err) {
e8cb909a 1118 i915_vma_unpin(vma);
2889caa9 1119 return ERR_PTR(err);
e8cb909a 1120 }
5032d871 1121
e8cb909a
CW		 1122 cache->node.start = vma->node.start;
1123 cache->node.mm = (void *)vma;
3c94ceee 1124 }
e8cb909a 1125 }
3c94ceee 1126
e8cb909a
CW		 1127 offset = cache->node.start;
1128 if (cache->node.allocated) {
fc099090 1129 wmb();
82ad6443
CW		 1130 ggtt->vm.insert_page(&ggtt->vm,
1131 i915_gem_object_get_dma_address(obj, page),
1132 offset, I915_CACHE_NONE, 0);
e8cb909a
CW		 1133 } else {
1134 offset += page << PAGE_SHIFT;
3c94ceee
BW		 1135 }
1136
73ebd503 1137 vaddr = (void __force *)io_mapping_map_atomic_wc(&ggtt->iomap,
650bc635 1138 offset);
d50415cc
CW		 1139 cache->page = page;
1140 cache->vaddr = (unsigned long)vaddr;
5032d871 1141
d50415cc 1142 return vaddr;
5032d871
RB		 1143}
1144
d50415cc
CW		 1145static void *reloc_vaddr(struct drm_i915_gem_object *obj,
1146 struct reloc_cache *cache,
2889caa9 1147 unsigned long page)
edf4427b 1148{
d50415cc 1149 void *vaddr;
5032d871 1150
d50415cc
CW		 1151 if (cache->page == page) {
1152 vaddr = unmask_page(cache->vaddr);
1153 } else {
1154 vaddr = NULL;
1155 if ((cache->vaddr & KMAP) == 0)
1156 vaddr = reloc_iomap(obj, cache, page);
1157 if (!vaddr)
1158 vaddr = reloc_kmap(obj, cache, page);
3c94ceee
BW		 1159 }
1160
d50415cc 1161 return vaddr;
edf4427b
CW		 1162}
1163
d50415cc 1164static void clflush_write32(u32 *addr, u32 value, unsigned int flushes)
edf4427b 1165{
d50415cc
CW		 1166 if (unlikely(flushes & (CLFLUSH_BEFORE | CLFLUSH_AFTER))) {
1167 if (flushes & CLFLUSH_BEFORE) {
1168 clflushopt(addr);
1169 mb();
1170 }
edf4427b 1171
d50415cc 1172 *addr = value;
edf4427b 1173
2889caa9
CW		 1174 /*
1175 * Writes to the same cacheline are serialised by the CPU
d50415cc
CW		 1176 * (including clflush). On the write path, we only require
1177 * that it hits memory in an orderly fashion and place
1178 * mb barriers at the start and end of the relocation phase
1179 * to ensure ordering of clflush wrt to the system.
1180 */
1181 if (flushes & CLFLUSH_AFTER)
1182 clflushopt(addr);
1183 } else
1184 *addr = value;
edf4427b 1185}
edf4427b 1186
7dd4f672
CW		 1187static int __reloc_gpu_alloc(struct i915_execbuffer *eb,
1188 struct i915_vma *vma,
1189 unsigned int len)
1190{
1191 struct reloc_cache *cache = &eb->reloc_cache;
1192 struct drm_i915_gem_object *obj;
e61e0f51 1193 struct i915_request *rq;
7dd4f672
CW		 1194 struct i915_vma *batch;
1195 u32 *cmd;
1196 int err;
1197
46223993
CW		 1198 if (DBG_FORCE_RELOC == FORCE_GPU_RELOC) {
1199 obj = vma->obj;
1200 if (obj->cache_dirty & ~obj->cache_coherent)
1201 i915_gem_clflush_object(obj, 0);
1202 obj->write_domain = 0;
1203 }
1204
c0a51fd0 1205 GEM_BUG_ON(vma->obj->write_domain & I915_GEM_DOMAIN_CPU);
7dd4f672
CW		 1206
1207 obj = i915_gem_batch_pool_get(&eb->engine->batch_pool, PAGE_SIZE);
1208 if (IS_ERR(obj))
1209 return PTR_ERR(obj);
1210
1211 cmd = i915_gem_object_pin_map(obj,
a575c676
CW		 1212 cache->has_llc ?
1213 I915_MAP_FORCE_WB :
1214 I915_MAP_FORCE_WC);
7dd4f672
CW		 1215 i915_gem_object_unpin_pages(obj);
1216 if (IS_ERR(cmd))
1217 return PTR_ERR(cmd);
1218
7dd4f672
CW		 1219 batch = i915_vma_instance(obj, vma->vm, NULL);
1220 if (IS_ERR(batch)) {
1221 err = PTR_ERR(batch);
1222 goto err_unmap;
1223 }
1224
1225 err = i915_vma_pin(batch, 0, 0, PIN_USER | PIN_NONBLOCK);
1226 if (err)
1227 goto err_unmap;
1228
8f2a1057 1229 rq = i915_request_create(eb->context);
7dd4f672
CW		 1230 if (IS_ERR(rq)) {
1231 err = PTR_ERR(rq);
1232 goto err_unpin;
1233 }
1234
e61e0f51 1235 err = i915_request_await_object(rq, vma->obj, true);
7dd4f672
CW		 1236 if (err)
1237 goto err_request;
1238
7dd4f672
CW		 1239 err = eb->engine->emit_bb_start(rq,
1240 batch->node.start, PAGE_SIZE,
1241 cache->gen > 5 ? 0 : I915_DISPATCH_SECURE);
1242 if (err)
1243 goto err_request;
1244
95ff7c7d 1245 GEM_BUG_ON(!reservation_object_test_signaled_rcu(batch->resv, true));
a5236978
CW		 1246 err = i915_vma_move_to_active(batch, rq, 0);
1247 if (err)
1248 goto skip_request;
7dd4f672 1249
a5236978
CW		 1250 err = i915_vma_move_to_active(vma, rq, EXEC_OBJECT_WRITE);
1251 if (err)
1252 goto skip_request;
7dd4f672
CW		 1253
1254 rq->batch = batch;
a5236978 1255 i915_vma_unpin(batch);
7dd4f672
CW		 1256
1257 cache->rq = rq;
1258 cache->rq_cmd = cmd;
1259 cache->rq_size = 0;
1260
1261 /* Return with batch mapping (cmd) still pinned */
1262 return 0;
1263
a5236978
CW		 1264skip_request:
1265 i915_request_skip(rq, err);
7dd4f672 1266err_request:
e61e0f51 1267 i915_request_add(rq);
7dd4f672
CW		 1268err_unpin:
1269 i915_vma_unpin(batch);
1270err_unmap:
1271 i915_gem_object_unpin_map(obj);
1272 return err;
1273}
1274
1275static u32 *reloc_gpu(struct i915_execbuffer *eb,
1276 struct i915_vma *vma,
1277 unsigned int len)
1278{
1279 struct reloc_cache *cache = &eb->reloc_cache;
1280 u32 *cmd;
1281
1282 if (cache->rq_size > PAGE_SIZE/sizeof(u32) - (len + 1))
1283 reloc_gpu_flush(cache);
1284
1285 if (unlikely(!cache->rq)) {
1286 int err;
1287
3dbf26ed
CW		 1288 /* If we need to copy for the cmdparser, we will stall anyway */
1289 if (eb_use_cmdparser(eb))
1290 return ERR_PTR(-EWOULDBLOCK);
1291
90cad095
CW		 1292 if (!intel_engine_can_store_dword(eb->engine))
1293 return ERR_PTR(-ENODEV);
1294
7dd4f672
CW		 1295 err = __reloc_gpu_alloc(eb, vma, len);
1296 if (unlikely(err))
1297 return ERR_PTR(err);
1298 }
1299
1300 cmd = cache->rq_cmd + cache->rq_size;
1301 cache->rq_size += len;
1302
1303 return cmd;
1304}
1305
2889caa9
CW		 1306static u64
1307relocate_entry(struct i915_vma *vma,
d50415cc 1308 const struct drm_i915_gem_relocation_entry *reloc,
2889caa9
CW		 1309 struct i915_execbuffer *eb,
1310 const struct i915_vma *target)
edf4427b 1311{
d50415cc 1312 u64 offset = reloc->offset;
2889caa9
CW		 1313 u64 target_offset = relocation_target(reloc, target);
1314 bool wide = eb->reloc_cache.use_64bit_reloc;
d50415cc 1315 void *vaddr;
edf4427b 1316
7dd4f672
CW		 1317 if (!eb->reloc_cache.vaddr &&
1318 (DBG_FORCE_RELOC == FORCE_GPU_RELOC ||
90cad095 1319 !reservation_object_test_signaled_rcu(vma->resv, true))) {
7dd4f672
CW		 1320 const unsigned int gen = eb->reloc_cache.gen;
1321 unsigned int len;
1322 u32 *batch;
1323 u64 addr;
1324
1325 if (wide)
1326 len = offset & 7 ? 8 : 5;
1327 else if (gen >= 4)
1328 len = 4;
f2f5c061 1329 else
a889580c 1330 len = 3;
7dd4f672
CW		 1331
1332 batch = reloc_gpu(eb, vma, len);
1333 if (IS_ERR(batch))
1334 goto repeat;
1335
1336 addr = gen8_canonical_addr(vma->node.start + offset);
1337 if (wide) {
1338 if (offset & 7) {
1339 *batch++ = MI_STORE_DWORD_IMM_GEN4;
1340 *batch++ = lower_32_bits(addr);
1341 *batch++ = upper_32_bits(addr);
1342 *batch++ = lower_32_bits(target_offset);
1343
1344 addr = gen8_canonical_addr(addr + 4);
1345
1346 *batch++ = MI_STORE_DWORD_IMM_GEN4;
1347 *batch++ = lower_32_bits(addr);
1348 *batch++ = upper_32_bits(addr);
1349 *batch++ = upper_32_bits(target_offset);
1350 } else {
1351 *batch++ = (MI_STORE_DWORD_IMM_GEN4 | (1 << 21)) + 1;
1352 *batch++ = lower_32_bits(addr);
1353 *batch++ = upper_32_bits(addr);
1354 *batch++ = lower_32_bits(target_offset);
1355 *batch++ = upper_32_bits(target_offset);
1356 }
1357 } else if (gen >= 6) {
1358 *batch++ = MI_STORE_DWORD_IMM_GEN4;
1359 *batch++ = 0;
1360 *batch++ = addr;
1361 *batch++ = target_offset;
1362 } else if (gen >= 4) {
1363 *batch++ = MI_STORE_DWORD_IMM_GEN4 | MI_USE_GGTT;
1364 *batch++ = 0;
1365 *batch++ = addr;
1366 *batch++ = target_offset;
1367 } else {
1368 *batch++ = MI_STORE_DWORD_IMM | MI_MEM_VIRTUAL;
1369 *batch++ = addr;
1370 *batch++ = target_offset;
1371 }
1372
1373 goto out;
1374 }
1375
d50415cc 1376repeat:
95ff7c7d 1377 vaddr = reloc_vaddr(vma->obj, &eb->reloc_cache, offset >> PAGE_SHIFT);
d50415cc
CW		 1378 if (IS_ERR(vaddr))
1379 return PTR_ERR(vaddr);
1380
1381 clflush_write32(vaddr + offset_in_page(offset),
1382 lower_32_bits(target_offset),
2889caa9 1383 eb->reloc_cache.vaddr);
d50415cc
CW		 1384
1385 if (wide) {
1386 offset += sizeof(u32);
1387 target_offset >>= 32;
1388 wide = false;
1389 goto repeat;
edf4427b 1390 }
edf4427b 1391
7dd4f672 1392out:
2889caa9 1393 return target->node.start | UPDATE;
edf4427b 1394}
edf4427b 1395
2889caa9
CW		 1396static u64
1397eb_relocate_entry(struct i915_execbuffer *eb,
1398 struct i915_vma *vma,
1399 const struct drm_i915_gem_relocation_entry *reloc)
54cf91dc 1400{
507d977f 1401 struct i915_vma *target;
2889caa9 1402 int err;
54cf91dc 1403
67731b87 1404 /* we've already hold a reference to all valid objects */
507d977f
CW		 1405 target = eb_get_vma(eb, reloc->target_handle);
1406 if (unlikely(!target))
54cf91dc 1407 return -ENOENT;
e844b990 1408
54cf91dc 1409 /* Validate that the target is in a valid r/w GPU domain */
b8f7ab17 1410 if (unlikely(reloc->write_domain & (reloc->write_domain - 1))) {
ff240199 1411 DRM_DEBUG("reloc with multiple write domains: "
507d977f 1412 "target %d offset %d "
54cf91dc 1413 "read %08x write %08x",
507d977f 1414 reloc->target_handle,
54cf91dc
CW		 1415 (int) reloc->offset,
1416 reloc->read_domains,
1417 reloc->write_domain);
8b78f0e5 1418 return -EINVAL;
54cf91dc 1419 }
4ca4a250
DV		 1420 if (unlikely((reloc->write_domain | reloc->read_domains)
1421 & ~I915_GEM_GPU_DOMAINS)) {
ff240199 1422 DRM_DEBUG("reloc with read/write non-GPU domains: "
507d977f 1423 "target %d offset %d "
54cf91dc 1424 "read %08x write %08x",
507d977f 1425 reloc->target_handle,
54cf91dc
CW		 1426 (int) reloc->offset,
1427 reloc->read_domains,
1428 reloc->write_domain);
8b78f0e5 1429 return -EINVAL;
54cf91dc 1430 }
54cf91dc 1431
2889caa9 1432 if (reloc->write_domain) {
c7c6e46f 1433 *target->exec_flags |= EXEC_OBJECT_WRITE;
507d977f 1434
2889caa9
CW		 1435 /*
1436 * Sandybridge PPGTT errata: We need a global gtt mapping
1437 * for MI and pipe_control writes because the gpu doesn't
1438 * properly redirect them through the ppgtt for non_secure
1439 * batchbuffers.
1440 */
1441 if (reloc->write_domain == I915_GEM_DOMAIN_INSTRUCTION &&
cf819eff 1442 IS_GEN(eb->i915, 6)) {
2889caa9
CW		 1443 err = i915_vma_bind(target, target->obj->cache_level,
1444 PIN_GLOBAL);
1445 if (WARN_ONCE(err,
1446 "Unexpected failure to bind target VMA!"))
1447 return err;
1448 }
507d977f 1449 }
54cf91dc 1450
2889caa9
CW		 1451 /*
1452 * If the relocation already has the right value in it, no
54cf91dc
CW		 1453 * more work needs to be done.
1454 */
7dd4f672
CW		 1455 if (!DBG_FORCE_RELOC &&
1456 gen8_canonical_addr(target->node.start) == reloc->presumed_offset)
67731b87 1457 return 0;
54cf91dc
CW		 1458
1459 /* Check that the relocation address is valid... */
3c94ceee 1460 if (unlikely(reloc->offset >
507d977f 1461 vma->size - (eb->reloc_cache.use_64bit_reloc ? 8 : 4))) {
ff240199 1462 DRM_DEBUG("Relocation beyond object bounds: "
507d977f
CW		 1463 "target %d offset %d size %d.\n",
1464 reloc->target_handle,
1465 (int)reloc->offset,
1466 (int)vma->size);
8b78f0e5 1467 return -EINVAL;
54cf91dc 1468 }
b8f7ab17 1469 if (unlikely(reloc->offset & 3)) {
ff240199 1470 DRM_DEBUG("Relocation not 4-byte aligned: "
507d977f
CW		 1471 "target %d offset %d.\n",
1472 reloc->target_handle,
1473 (int)reloc->offset);
8b78f0e5 1474 return -EINVAL;
54cf91dc
CW		 1475 }
1476
071750e5
CW		 1477 /*
1478 * If we write into the object, we need to force the synchronisation
1479 * barrier, either with an asynchronous clflush or if we executed the
1480 * patching using the GPU (though that should be serialised by the
1481 * timeline). To be completely sure, and since we are required to
1482 * do relocations we are already stalling, disable the user's opt
0519bcb1 1483 * out of our synchronisation.
071750e5 1484 */
c7c6e46f 1485 *vma->exec_flags &= ~EXEC_OBJECT_ASYNC;
071750e5 1486
54cf91dc 1487 /* and update the user's relocation entry */
2889caa9 1488 return relocate_entry(vma, reloc, eb, target);
54cf91dc
CW		 1489}
1490
2889caa9 1491static int eb_relocate_vma(struct i915_execbuffer *eb, struct i915_vma *vma)
54cf91dc 1492{
1d83f442 1493#define N_RELOC(x) ((x) / sizeof(struct drm_i915_gem_relocation_entry))
2889caa9
CW		 1494 struct drm_i915_gem_relocation_entry stack[N_RELOC(512)];
1495 struct drm_i915_gem_relocation_entry __user *urelocs;
c7c6e46f 1496 const struct drm_i915_gem_exec_object2 *entry = exec_entry(eb, vma);
2889caa9 1497 unsigned int remain;
54cf91dc 1498
2889caa9 1499 urelocs = u64_to_user_ptr(entry->relocs_ptr);
1d83f442 1500 remain = entry->relocation_count;
2889caa9
CW		 1501 if (unlikely(remain > N_RELOC(ULONG_MAX)))
1502 return -EINVAL;
ebc0808f 1503
2889caa9
CW		 1504 /*
1505 * We must check that the entire relocation array is safe
1506 * to read. However, if the array is not writable the user loses
1507 * the updated relocation values.
1508 */
96d4f267 1509 if (unlikely(!access_ok(urelocs, remain*sizeof(*urelocs))))
2889caa9
CW		 1510 return -EFAULT;
1511
1512 do {
1513 struct drm_i915_gem_relocation_entry *r = stack;
1514 unsigned int count =
1515 min_t(unsigned int, remain, ARRAY_SIZE(stack));
1516 unsigned int copied;
1d83f442 1517
2889caa9
CW		 1518 /*
1519 * This is the fast path and we cannot handle a pagefault
ebc0808f
CW		 1520 * whilst holding the struct mutex lest the user pass in the
1521 * relocations contained within a mmaped bo. For in such a case
1522 * we, the page fault handler would call i915_gem_fault() and
1523 * we would try to acquire the struct mutex again. Obviously
1524 * this is bad and so lockdep complains vehemently.
1525 */
1526 pagefault_disable();
2889caa9 1527 copied = __copy_from_user_inatomic(r, urelocs, count * sizeof(r[0]));
ebc0808f 1528 pagefault_enable();
2889caa9
CW		 1529 if (unlikely(copied)) {
1530 remain = -EFAULT;
31a39207
CW		 1531 goto out;
1532 }
54cf91dc 1533
2889caa9 1534 remain -= count;
1d83f442 1535 do {
2889caa9 1536 u64 offset = eb_relocate_entry(eb, vma, r);
54cf91dc 1537
2889caa9
CW		 1538 if (likely(offset == 0)) {
1539 } else if ((s64)offset < 0) {
1540 remain = (int)offset;
31a39207 1541 goto out;
2889caa9
CW		 1542 } else {
1543 /*
1544 * Note that reporting an error now
1545 * leaves everything in an inconsistent
1546 * state as we have *already* changed
1547 * the relocation value inside the
1548 * object. As we have not changed the
1549 * reloc.presumed_offset or will not
1550 * change the execobject.offset, on the
1551 * call we may not rewrite the value
1552 * inside the object, leaving it
1553 * dangling and causing a GPU hang. Unless
1554 * userspace dynamically rebuilds the
1555 * relocations on each execbuf rather than
1556 * presume a static tree.
1557 *
1558 * We did previously check if the relocations
1559 * were writable (access_ok), an error now
1560 * would be a strange race with mprotect,
1561 * having already demonstrated that we
1562 * can read from this userspace address.
1563 */
1564 offset = gen8_canonical_addr(offset & ~UPDATE);
fddcd00a
CW		 1565 if (unlikely(__put_user(offset, &urelocs[r-stack].presumed_offset))) {
1566 remain = -EFAULT;
1567 goto out;
1568 }
1d83f442 1569 }
2889caa9
CW		 1570 } while (r++, --count);
1571 urelocs += ARRAY_SIZE(stack);
1572 } while (remain);
31a39207 1573out:
650bc635 1574 reloc_cache_reset(&eb->reloc_cache);
2889caa9 1575 return remain;
54cf91dc
CW		 1576}
1577
1578static int
2889caa9 1579eb_relocate_vma_slow(struct i915_execbuffer *eb, struct i915_vma *vma)
54cf91dc 1580{
c7c6e46f 1581 const struct drm_i915_gem_exec_object2 *entry = exec_entry(eb, vma);
2889caa9
CW		 1582 struct drm_i915_gem_relocation_entry *relocs =
1583 u64_to_ptr(typeof(*relocs), entry->relocs_ptr);
1584 unsigned int i;
1585 int err;
54cf91dc
CW		 1586
1587 for (i = 0; i < entry->relocation_count; i++) {
2889caa9 1588 u64 offset = eb_relocate_entry(eb, vma, &relocs[i]);
d4aeee77 1589
2889caa9
CW		 1590 if ((s64)offset < 0) {
1591 err = (int)offset;
1592 goto err;
1593 }
54cf91dc 1594 }
2889caa9
CW		 1595 err = 0;
1596err:
1597 reloc_cache_reset(&eb->reloc_cache);
1598 return err;
edf4427b
CW		 1599}
1600
2889caa9 1601static int check_relocations(const struct drm_i915_gem_exec_object2 *entry)
1690e1eb 1602{
2889caa9
CW		 1603 const char __user *addr, *end;
1604 unsigned long size;
1605 char __maybe_unused c;
1690e1eb 1606
2889caa9
CW		 1607 size = entry->relocation_count;
1608 if (size == 0)
1609 return 0;
7788a765 1610
2889caa9
CW		 1611 if (size > N_RELOC(ULONG_MAX))
1612 return -EINVAL;
9a5a53b3 1613
2889caa9
CW		 1614 addr = u64_to_user_ptr(entry->relocs_ptr);
1615 size *= sizeof(struct drm_i915_gem_relocation_entry);
96d4f267 1616 if (!access_ok(addr, size))
2889caa9 1617 return -EFAULT;
1690e1eb 1618
2889caa9
CW		 1619 end = addr + size;
1620 for (; addr < end; addr += PAGE_SIZE) {
1621 int err = __get_user(c, addr);
1622 if (err)
1623 return err;
ed5982e6 1624 }
2889caa9 1625 return __get_user(c, end - 1);
7788a765 1626}
1690e1eb 1627
2889caa9 1628static int eb_copy_relocations(const struct i915_execbuffer *eb)
d23db88c 1629{
2889caa9
CW		 1630 const unsigned int count = eb->buffer_count;
1631 unsigned int i;
1632 int err;
e6a84468 1633
2889caa9
CW		 1634 for (i = 0; i < count; i++) {
1635 const unsigned int nreloc = eb->exec[i].relocation_count;
1636 struct drm_i915_gem_relocation_entry __user *urelocs;
1637 struct drm_i915_gem_relocation_entry *relocs;
1638 unsigned long size;
1639 unsigned long copied;
e6a84468 1640
2889caa9
CW		 1641 if (nreloc == 0)
1642 continue;
e6a84468 1643
2889caa9
CW		 1644 err = check_relocations(&eb->exec[i]);
1645 if (err)
1646 goto err;
d23db88c 1647
2889caa9
CW		 1648 urelocs = u64_to_user_ptr(eb->exec[i].relocs_ptr);
1649 size = nreloc * sizeof(*relocs);
d23db88c 1650
0ee931c4 1651 relocs = kvmalloc_array(size, 1, GFP_KERNEL);
2889caa9 1652 if (!relocs) {
2889caa9
CW		 1653 err = -ENOMEM;
1654 goto err;
1655 }
d23db88c 1656
2889caa9
CW		 1657 /* copy_from_user is limited to < 4GiB */
1658 copied = 0;
1659 do {
1660 unsigned int len =
1661 min_t(u64, BIT_ULL(31), size - copied);
1662
1663 if (__copy_from_user((char *)relocs + copied,
908a6105 1664 (char __user *)urelocs + copied,
2889caa9 1665 len)) {
fddcd00a 1666end_user:
0b2c8f8b 1667 user_access_end();
8f4faed0 1668end:
2889caa9
CW		 1669 kvfree(relocs);
1670 err = -EFAULT;
1671 goto err;
1672 }
91b2db6f 1673
2889caa9
CW		 1674 copied += len;
1675 } while (copied < size);
506a8e87 1676
2889caa9
CW		 1677 /*
1678 * As we do not update the known relocation offsets after
1679 * relocating (due to the complexities in lock handling),
1680 * we need to mark them as invalid now so that we force the
1681 * relocation processing next time. Just in case the target
1682 * object is evicted and then rebound into its old
1683 * presumed_offset before the next execbuffer - if that
1684 * happened we would make the mistake of assuming that the
1685 * relocations were valid.
1686 */
594cc251 1687 if (!user_access_begin(urelocs, size))
8f4faed0 1688 goto end;
594cc251 1689
2889caa9
CW		 1690 for (copied = 0; copied < nreloc; copied++)
1691 unsafe_put_user(-1,
1692 &urelocs[copied].presumed_offset,
1693 end_user);
2889caa9 1694 user_access_end();
d23db88c 1695
2889caa9
CW		 1696 eb->exec[i].relocs_ptr = (uintptr_t)relocs;
1697 }
edf4427b 1698
2889caa9 1699 return 0;
101b506a 1700
2889caa9
CW		 1701err:
1702 while (i--) {
1703 struct drm_i915_gem_relocation_entry *relocs =
1704 u64_to_ptr(typeof(*relocs), eb->exec[i].relocs_ptr);
1705 if (eb->exec[i].relocation_count)
1706 kvfree(relocs);
1707 }
1708 return err;
d23db88c
CW		 1709}
1710
2889caa9 1711static int eb_prefault_relocations(const struct i915_execbuffer *eb)
54cf91dc 1712{
2889caa9
CW		 1713 const unsigned int count = eb->buffer_count;
1714 unsigned int i;
54cf91dc 1715
4f044a88 1716 if (unlikely(i915_modparams.prefault_disable))
2889caa9 1717 return 0;
54cf91dc 1718
2889caa9
CW		 1719 for (i = 0; i < count; i++) {
1720 int err;
54cf91dc 1721
2889caa9
CW		 1722 err = check_relocations(&eb->exec[i]);
1723 if (err)
1724 return err;
1725 }
a415d355 1726
2889caa9 1727 return 0;
54cf91dc
CW		 1728}
1729
2889caa9 1730static noinline int eb_relocate_slow(struct i915_execbuffer *eb)
54cf91dc 1731{
650bc635 1732 struct drm_device *dev = &eb->i915->drm;
2889caa9 1733 bool have_copy = false;
27173f1f 1734 struct i915_vma *vma;
2889caa9
CW		 1735 int err = 0;
1736
1737repeat:
1738 if (signal_pending(current)) {
1739 err = -ERESTARTSYS;
1740 goto out;
1741 }
27173f1f 1742
67731b87 1743 /* We may process another execbuffer during the unlock... */
2889caa9 1744 eb_reset_vmas(eb);
54cf91dc
CW		 1745 mutex_unlock(&dev->struct_mutex);
1746
2889caa9
CW		 1747 /*
1748 * We take 3 passes through the slowpatch.
1749 *
1750 * 1 - we try to just prefault all the user relocation entries and
1751 * then attempt to reuse the atomic pagefault disabled fast path again.
1752 *
1753 * 2 - we copy the user entries to a local buffer here outside of the
1754 * local and allow ourselves to wait upon any rendering before
1755 * relocations
1756 *
1757 * 3 - we already have a local copy of the relocation entries, but
1758 * were interrupted (EAGAIN) whilst waiting for the objects, try again.
1759 */
1760 if (!err) {
1761 err = eb_prefault_relocations(eb);
1762 } else if (!have_copy) {
1763 err = eb_copy_relocations(eb);
1764 have_copy = err == 0;
1765 } else {
1766 cond_resched();
1767 err = 0;
54cf91dc 1768 }
2889caa9
CW		 1769 if (err) {
1770 mutex_lock(&dev->struct_mutex);
1771 goto out;
54cf91dc
CW		 1772 }
1773
8a2421bd
CW		 1774 /* A frequent cause for EAGAIN are currently unavailable client pages */
1775 flush_workqueue(eb->i915->mm.userptr_wq);
1776
2889caa9
CW		 1777 err = i915_mutex_lock_interruptible(dev);
1778 if (err) {
54cf91dc 1779 mutex_lock(&dev->struct_mutex);
2889caa9 1780 goto out;
54cf91dc
CW		 1781 }
1782
67731b87 1783 /* reacquire the objects */
2889caa9
CW		 1784 err = eb_lookup_vmas(eb);
1785 if (err)
3b96eff4 1786 goto err;
67731b87 1787
c7c6e46f
CW		 1788 GEM_BUG_ON(!eb->batch);
1789
2889caa9
CW		 1790 list_for_each_entry(vma, &eb->relocs, reloc_link) {
1791 if (!have_copy) {
1792 pagefault_disable();
1793 err = eb_relocate_vma(eb, vma);
1794 pagefault_enable();
1795 if (err)
1796 goto repeat;
1797 } else {
1798 err = eb_relocate_vma_slow(eb, vma);
1799 if (err)
1800 goto err;
1801 }
54cf91dc
CW		 1802 }
1803
2889caa9
CW		 1804 /*
1805 * Leave the user relocations as are, this is the painfully slow path,
54cf91dc
CW		 1806 * and we want to avoid the complication of dropping the lock whilst
1807 * having buffers reserved in the aperture and so causing spurious
1808 * ENOSPC for random operations.
1809 */
1810
1811err:
2889caa9
CW		 1812 if (err == -EAGAIN)
1813 goto repeat;
1814
1815out:
1816 if (have_copy) {
1817 const unsigned int count = eb->buffer_count;
1818 unsigned int i;
1819
1820 for (i = 0; i < count; i++) {
1821 const struct drm_i915_gem_exec_object2 *entry =
1822 &eb->exec[i];
1823 struct drm_i915_gem_relocation_entry *relocs;
1824
1825 if (!entry->relocation_count)
1826 continue;
1827
1828 relocs = u64_to_ptr(typeof(*relocs), entry->relocs_ptr);
1829 kvfree(relocs);
1830 }
1831 }
1832
1f727d9e 1833 return err;
54cf91dc
CW		 1834}
1835
2889caa9 1836static int eb_relocate(struct i915_execbuffer *eb)
54cf91dc 1837{
2889caa9
CW		 1838 if (eb_lookup_vmas(eb))
1839 goto slow;
1840
1841 /* The objects are in their final locations, apply the relocations. */
1842 if (eb->args->flags & __EXEC_HAS_RELOC) {
1843 struct i915_vma *vma;
1844
1845 list_for_each_entry(vma, &eb->relocs, reloc_link) {
1846 if (eb_relocate_vma(eb, vma))
1847 goto slow;
1848 }
1849 }
1850
1851 return 0;
1852
1853slow:
1854 return eb_relocate_slow(eb);
1855}
1856
2889caa9
CW		 1857static int eb_move_to_gpu(struct i915_execbuffer *eb)
1858{
1859 const unsigned int count = eb->buffer_count;
1860 unsigned int i;
1861 int err;
54cf91dc 1862
2889caa9 1863 for (i = 0; i < count; i++) {
c7c6e46f
CW		 1864 unsigned int flags = eb->flags[i];
1865 struct i915_vma *vma = eb->vma[i];
27173f1f 1866 struct drm_i915_gem_object *obj = vma->obj;
03ade511 1867
c7c6e46f 1868 if (flags & EXEC_OBJECT_CAPTURE) {
e61e0f51 1869 struct i915_capture_list *capture;
b0fd47ad
CW		 1870
1871 capture = kmalloc(sizeof(*capture), GFP_KERNEL);
1872 if (unlikely(!capture))
1873 return -ENOMEM;
1874
650bc635 1875 capture->next = eb->request->capture_list;
c7c6e46f 1876 capture->vma = eb->vma[i];
650bc635 1877 eb->request->capture_list = capture;
b0fd47ad
CW		 1878 }
1879
b8f55be6
CW		 1880 /*
1881 * If the GPU is not _reading_ through the CPU cache, we need
1882 * to make sure that any writes (both previous GPU writes from
1883 * before a change in snooping levels and normal CPU writes)
1884 * caught in that cache are flushed to main memory.
1885 *
1886 * We want to say
1887 * obj->cache_dirty &&
1888 * !(obj->cache_coherent & I915_BO_CACHE_COHERENT_FOR_READ)
1889 * but gcc's optimiser doesn't handle that as well and emits
1890 * two jumps instead of one. Maybe one day...
1891 */
1892 if (unlikely(obj->cache_dirty & ~obj->cache_coherent)) {
0f46daa1 1893 if (i915_gem_clflush_object(obj, 0))
c7c6e46f 1894 flags &= ~EXEC_OBJECT_ASYNC;
0f46daa1
CW		 1895 }
1896
c7c6e46f
CW		 1897 if (flags & EXEC_OBJECT_ASYNC)
1898 continue;
77ae9957 1899
e61e0f51 1900 err = i915_request_await_object
c7c6e46f 1901 (eb->request, obj, flags & EXEC_OBJECT_WRITE);
2889caa9
CW		 1902 if (err)
1903 return err;
2889caa9
CW		 1904 }
1905
1906 for (i = 0; i < count; i++) {
c7c6e46f
CW		 1907 unsigned int flags = eb->flags[i];
1908 struct i915_vma *vma = eb->vma[i];
1909
a5236978
CW		 1910 err = i915_vma_move_to_active(vma, eb->request, flags);
1911 if (unlikely(err)) {
1912 i915_request_skip(eb->request, err);
1913 return err;
1914 }
2889caa9 1915
c7c6e46f
CW		 1916 __eb_unreserve_vma(vma, flags);
1917 vma->exec_flags = NULL;
1918
1919 if (unlikely(flags & __EXEC_OBJECT_HAS_REF))
dade2a61 1920 i915_vma_put(vma);
c59a333f 1921 }
2889caa9 1922 eb->exec = NULL;
c59a333f 1923
dcd79934 1924 /* Unconditionally flush any chipset caches (for streaming writes). */
650bc635 1925 i915_gem_chipset_flush(eb->i915);
6ac42f41 1926
2113184c 1927 return 0;
54cf91dc
CW		 1928}
1929
2889caa9 1930static bool i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
54cf91dc 1931{
650bc635 1932 if (exec->flags & __I915_EXEC_ILLEGAL_FLAGS)
ed5982e6
DV		 1933 return false;
1934
2f5945bc 1935 /* Kernel clipping was a DRI1 misfeature */
cf6e7bac
JE		 1936 if (!(exec->flags & I915_EXEC_FENCE_ARRAY)) {
1937 if (exec->num_cliprects || exec->cliprects_ptr)
1938 return false;
1939 }
2f5945bc
CW		 1940
1941 if (exec->DR4 == 0xffffffff) {
1942 DRM_DEBUG("UXA submitting garbage DR4, fixing up\n");
1943 exec->DR4 = 0;
1944 }
1945 if (exec->DR1 || exec->DR4)
1946 return false;
1947
1948 if ((exec->batch_start_offset | exec->batch_len) & 0x7)
1949 return false;
1950
1951 return true;
54cf91dc
CW		 1952}
1953
e61e0f51 1954static int i915_reset_gen7_sol_offsets(struct i915_request *rq)
ae662d31 1955{
73dec95e
TU		 1956 u32 *cs;
1957 int i;
ae662d31 1958
8a68d464 1959 if (!IS_GEN(rq->i915, 7) || rq->engine->id != RCS0) {
9d662da8
DV		 1960 DRM_DEBUG("sol reset is gen7/rcs only\n");
1961 return -EINVAL;
1962 }
ae662d31 1963
e61e0f51 1964 cs = intel_ring_begin(rq, 4 * 2 + 2);
73dec95e
TU		 1965 if (IS_ERR(cs))
1966 return PTR_ERR(cs);
ae662d31 1967
2889caa9 1968 *cs++ = MI_LOAD_REGISTER_IMM(4);
ae662d31 1969 for (i = 0; i < 4; i++) {
73dec95e
TU		 1970 *cs++ = i915_mmio_reg_offset(GEN7_SO_WRITE_OFFSET(i));
1971 *cs++ = 0;
ae662d31 1972 }
2889caa9 1973 *cs++ = MI_NOOP;
e61e0f51 1974 intel_ring_advance(rq, cs);
ae662d31
EA		 1975
1976 return 0;
1977}
1978
650bc635 1979static struct i915_vma *eb_parse(struct i915_execbuffer *eb, bool is_master)
71745376 1980{
71745376 1981 struct drm_i915_gem_object *shadow_batch_obj;
17cabf57 1982 struct i915_vma *vma;
2889caa9 1983 int err;
71745376 1984
650bc635
CW		 1985 shadow_batch_obj = i915_gem_batch_pool_get(&eb->engine->batch_pool,
1986 PAGE_ALIGN(eb->batch_len));
71745376 1987 if (IS_ERR(shadow_batch_obj))
59bfa124 1988 return ERR_CAST(shadow_batch_obj);
71745376 1989
2889caa9 1990 err = intel_engine_cmd_parser(eb->engine,
650bc635 1991 eb->batch->obj,
33a051a5 1992 shadow_batch_obj,
650bc635
CW		 1993 eb->batch_start_offset,
1994 eb->batch_len,
33a051a5 1995 is_master);
2889caa9
CW		 1996 if (err) {
1997 if (err == -EACCES) /* unhandled chained batch */
058d88c4
CW		 1998 vma = NULL;
1999 else
2889caa9 2000 vma = ERR_PTR(err);
058d88c4
CW		 2001 goto out;
2002 }
71745376 2003
058d88c4
CW		 2004 vma = i915_gem_object_ggtt_pin(shadow_batch_obj, NULL, 0, 0, 0);
2005 if (IS_ERR(vma))
2006 goto out;
de4e783a 2007
c7c6e46f
CW		 2008 eb->vma[eb->buffer_count] = i915_vma_get(vma);
2009 eb->flags[eb->buffer_count] =
2010 __EXEC_OBJECT_HAS_PIN | __EXEC_OBJECT_HAS_REF;
2011 vma->exec_flags = &eb->flags[eb->buffer_count];
2012 eb->buffer_count++;
71745376 2013
058d88c4 2014out:
de4e783a 2015 i915_gem_object_unpin_pages(shadow_batch_obj);
058d88c4 2016 return vma;
71745376 2017}
5c6c6003 2018
c8659efa 2019static void
e61e0f51 2020add_to_client(struct i915_request *rq, struct drm_file *file)
c8659efa 2021{
e61e0f51
CW		 2022 rq->file_priv = file->driver_priv;
2023 list_add_tail(&rq->client_link, &rq->file_priv->mm.request_list);
c8659efa
CW		 2024}
2025
2889caa9 2026static int eb_submit(struct i915_execbuffer *eb)
78382593 2027{
2889caa9 2028 int err;
78382593 2029
2889caa9
CW		 2030 err = eb_move_to_gpu(eb);
2031 if (err)
2032 return err;
78382593 2033
650bc635 2034 if (eb->args->flags & I915_EXEC_GEN7_SOL_RESET) {
2889caa9
CW		 2035 err = i915_reset_gen7_sol_offsets(eb->request);
2036 if (err)
2037 return err;
78382593
OM		 2038 }
2039
85474441
CW		 2040 /*
2041 * After we completed waiting for other engines (using HW semaphores)
2042 * then we can signal that this request/batch is ready to run. This
2043 * allows us to determine if the batch is still waiting on the GPU
2044 * or actually running by checking the breadcrumb.
2045 */
2046 if (eb->engine->emit_init_breadcrumb) {
2047 err = eb->engine->emit_init_breadcrumb(eb->request);
2048 if (err)
2049 return err;
2050 }
2051
2889caa9 2052 err = eb->engine->emit_bb_start(eb->request,
650bc635
CW		 2053 eb->batch->node.start +
2054 eb->batch_start_offset,
2055 eb->batch_len,
2889caa9
CW		 2056 eb->batch_flags);
2057 if (err)
2058 return err;
78382593 2059
2f5945bc 2060 return 0;
78382593
OM		 2061}
2062
204bcfef 2063/*
a8ebba75 2064 * Find one BSD ring to dispatch the corresponding BSD command.
c80ff16e 2065 * The engine index is returned.
a8ebba75 2066 */
de1add36 2067static unsigned int
c80ff16e
CW		 2068gen8_dispatch_bsd_engine(struct drm_i915_private *dev_priv,
2069 struct drm_file *file)
a8ebba75 2070{
a8ebba75
ZY		 2071 struct drm_i915_file_private *file_priv = file->driver_priv;
2072
de1add36 2073 /* Check whether the file_priv has already selected one ring. */
6f633402
JL		 2074 if ((int)file_priv->bsd_engine < 0)
2075 file_priv->bsd_engine = atomic_fetch_xor(1,
2076 &dev_priv->mm.bsd_engine_dispatch_index);
d23db88c 2077
c80ff16e 2078 return file_priv->bsd_engine;
d23db88c
CW		 2079}
2080
5e2a0419 2081static const enum intel_engine_id user_ring_map[] = {
8a68d464
CW		 2082 [I915_EXEC_DEFAULT] = RCS0,
2083 [I915_EXEC_RENDER] = RCS0,
2084 [I915_EXEC_BLT] = BCS0,
2085 [I915_EXEC_BSD] = VCS0,
2086 [I915_EXEC_VEBOX] = VECS0
de1add36
TU		 2087};
2088
5e2a0419 2089static int eb_pin_context(struct i915_execbuffer *eb, struct intel_context *ce)
de1add36 2090{
8f2a1057 2091 int err;
de1add36 2092
8f2a1057
CW		 2093 /*
2094 * ABI: Before userspace accesses the GPU (e.g. execbuffer), report
2095 * EIO if the GPU is already wedged.
2096 */
2097 err = i915_terminally_wedged(eb->i915);
2098 if (err)
2099 return err;
2100
2101 /*
2102 * Pinning the contexts may generate requests in order to acquire
2103 * GGTT space, so do this first before we reserve a seqno for
2104 * ourselves.
2105 */
fa9f6681 2106 err = intel_context_pin(ce);
fa9f6681
CW		 2107 if (err)
2108 return err;
8f2a1057 2109
5e2a0419 2110 eb->engine = ce->engine;
8f2a1057
CW		 2111 eb->context = ce;
2112 return 0;
2113}
2114
2115static void eb_unpin_context(struct i915_execbuffer *eb)
2116{
2117 intel_context_unpin(eb->context);
2118}
de1add36 2119
5e2a0419
CW		 2120static unsigned int
2121eb_select_legacy_ring(struct i915_execbuffer *eb,
2122 struct drm_file *file,
2123 struct drm_i915_gem_execbuffer2 *args)
de1add36 2124{
8f2a1057 2125 struct drm_i915_private *i915 = eb->i915;
de1add36 2126 unsigned int user_ring_id = args->flags & I915_EXEC_RING_MASK;
de1add36 2127
5e2a0419
CW		 2128 if (user_ring_id != I915_EXEC_BSD &&
2129 (args->flags & I915_EXEC_BSD_MASK)) {
de1add36
TU		 2130 DRM_DEBUG("execbuf with non bsd ring but with invalid "
2131 "bsd dispatch flags: %d\n", (int)(args->flags));
5e2a0419 2132 return -1;
de1add36
TU		 2133 }
2134
8f2a1057 2135 if (user_ring_id == I915_EXEC_BSD && HAS_ENGINE(i915, VCS1)) {
de1add36
TU		 2136 unsigned int bsd_idx = args->flags & I915_EXEC_BSD_MASK;
2137
2138 if (bsd_idx == I915_EXEC_BSD_DEFAULT) {
8f2a1057 2139 bsd_idx = gen8_dispatch_bsd_engine(i915, file);
de1add36
TU		 2140 } else if (bsd_idx >= I915_EXEC_BSD_RING1 &&
2141 bsd_idx <= I915_EXEC_BSD_RING2) {
d9da6aa0 2142 bsd_idx >>= I915_EXEC_BSD_SHIFT;
de1add36
TU		 2143 bsd_idx--;
2144 } else {
2145 DRM_DEBUG("execbuf with unknown bsd ring: %u\n",
2146 bsd_idx);
5e2a0419 2147 return -1;
de1add36
TU		 2148 }
2149
5e2a0419 2150 return _VCS(bsd_idx);
de1add36
TU		 2151 }
2152
5e2a0419
CW		 2153 if (user_ring_id >= ARRAY_SIZE(user_ring_map)) {
2154 DRM_DEBUG("execbuf with unknown ring: %u\n", user_ring_id);
2155 return -1;
de1add36
TU		 2156 }
2157
5e2a0419
CW		 2158 return user_ring_map[user_ring_id];
2159}
2160
2161static int
2162eb_select_engine(struct i915_execbuffer *eb,
2163 struct drm_file *file,
2164 struct drm_i915_gem_execbuffer2 *args)
2165{
2166 struct intel_context *ce;
2167 unsigned int idx;
2168 int err;
2169
976b55f0
CW		 2170 if (i915_gem_context_user_engines(eb->gem_context))
2171 idx = args->flags & I915_EXEC_RING_MASK;
2172 else
2173 idx = eb_select_legacy_ring(eb, file, args);
5e2a0419
CW		 2174
2175 ce = i915_gem_context_get_engine(eb->gem_context, idx);
2176 if (IS_ERR(ce))
2177 return PTR_ERR(ce);
2178
2179 err = eb_pin_context(eb, ce);
2180 intel_context_put(ce);
2181
2182 return err;
de1add36
TU		 2183}
2184
cf6e7bac
JE		 2185static void
2186__free_fence_array(struct drm_syncobj **fences, unsigned int n)
2187{
2188 while (n--)
2189 drm_syncobj_put(ptr_mask_bits(fences[n], 2));
2190 kvfree(fences);
2191}
2192
2193static struct drm_syncobj **
2194get_fence_array(struct drm_i915_gem_execbuffer2 *args,
2195 struct drm_file *file)
2196{
d710fc16 2197 const unsigned long nfences = args->num_cliprects;
cf6e7bac
JE		 2198 struct drm_i915_gem_exec_fence __user *user;
2199 struct drm_syncobj **fences;
d710fc16 2200 unsigned long n;
cf6e7bac
JE		 2201 int err;
2202
2203 if (!(args->flags & I915_EXEC_FENCE_ARRAY))
2204 return NULL;
2205
d710fc16
CW		 2206 /* Check multiplication overflow for access_ok() and kvmalloc_array() */
2207 BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long));
2208 if (nfences > min_t(unsigned long,
2209 ULONG_MAX / sizeof(*user),
2210 SIZE_MAX / sizeof(*fences)))
cf6e7bac
JE		 2211 return ERR_PTR(-EINVAL);
2212
2213 user = u64_to_user_ptr(args->cliprects_ptr);
96d4f267 2214 if (!access_ok(user, nfences * sizeof(*user)))
cf6e7bac
JE		 2215 return ERR_PTR(-EFAULT);
2216
d710fc16 2217 fences = kvmalloc_array(nfences, sizeof(*fences),
0ee931c4 2218 __GFP_NOWARN | GFP_KERNEL);
cf6e7bac
JE		 2219 if (!fences)
2220 return ERR_PTR(-ENOMEM);
2221
2222 for (n = 0; n < nfences; n++) {
2223 struct drm_i915_gem_exec_fence fence;
2224 struct drm_syncobj *syncobj;
2225
2226 if (__copy_from_user(&fence, user++, sizeof(fence))) {
2227 err = -EFAULT;
2228 goto err;
2229 }
2230
ebcaa1ff
TU		 2231 if (fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS) {
2232 err = -EINVAL;
2233 goto err;
2234 }
2235
cf6e7bac
JE		 2236 syncobj = drm_syncobj_find(file, fence.handle);
2237 if (!syncobj) {
2238 DRM_DEBUG("Invalid syncobj handle provided\n");
2239 err = -ENOENT;
2240 goto err;
2241 }
2242
ebcaa1ff
TU		 2243 BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) &
2244 ~__I915_EXEC_FENCE_UNKNOWN_FLAGS);
2245
cf6e7bac
JE		 2246 fences[n] = ptr_pack_bits(syncobj, fence.flags, 2);
2247 }
2248
2249 return fences;
2250
2251err:
2252 __free_fence_array(fences, n);
2253 return ERR_PTR(err);
2254}
2255
2256static void
2257put_fence_array(struct drm_i915_gem_execbuffer2 *args,
2258 struct drm_syncobj **fences)
2259{
2260 if (fences)
2261 __free_fence_array(fences, args->num_cliprects);
2262}
2263
2264static int
2265await_fence_array(struct i915_execbuffer *eb,
2266 struct drm_syncobj **fences)
2267{
2268 const unsigned int nfences = eb->args->num_cliprects;
2269 unsigned int n;
2270 int err;
2271
2272 for (n = 0; n < nfences; n++) {
2273 struct drm_syncobj *syncobj;
2274 struct dma_fence *fence;
2275 unsigned int flags;
2276
2277 syncobj = ptr_unpack_bits(fences[n], &flags, 2);
2278 if (!(flags & I915_EXEC_FENCE_WAIT))
2279 continue;
2280
afca4216 2281 fence = drm_syncobj_fence_get(syncobj);
cf6e7bac
JE		 2282 if (!fence)
2283 return -EINVAL;
2284
e61e0f51 2285 err = i915_request_await_dma_fence(eb->request, fence);
cf6e7bac
JE		 2286 dma_fence_put(fence);
2287 if (err < 0)
2288 return err;
2289 }
2290
2291 return 0;
2292}
2293
2294static void
2295signal_fence_array(struct i915_execbuffer *eb,
2296 struct drm_syncobj **fences)
2297{
2298 const unsigned int nfences = eb->args->num_cliprects;
2299 struct dma_fence * const fence = &eb->request->fence;
2300 unsigned int n;
2301
2302 for (n = 0; n < nfences; n++) {
2303 struct drm_syncobj *syncobj;
2304 unsigned int flags;
2305
2306 syncobj = ptr_unpack_bits(fences[n], &flags, 2);
2307 if (!(flags & I915_EXEC_FENCE_SIGNAL))
2308 continue;
2309
0b258ed1 2310 drm_syncobj_replace_fence(syncobj, fence);
cf6e7bac
JE		 2311 }
2312}
2313
54cf91dc 2314static int
650bc635 2315i915_gem_do_execbuffer(struct drm_device *dev,
54cf91dc
CW		 2316 struct drm_file *file,
2317 struct drm_i915_gem_execbuffer2 *args,
cf6e7bac
JE		 2318 struct drm_i915_gem_exec_object2 *exec,
2319 struct drm_syncobj **fences)
54cf91dc 2320{
650bc635 2321 struct i915_execbuffer eb;
fec0445c 2322 struct dma_fence *in_fence = NULL;
a88b6e4c 2323 struct dma_fence *exec_fence = NULL;
fec0445c
CW		 2324 struct sync_file *out_fence = NULL;
2325 int out_fence_fd = -1;
2889caa9 2326 int err;
432e58ed 2327
74c1c694 2328 BUILD_BUG_ON(__EXEC_INTERNAL_FLAGS & ~__I915_EXEC_ILLEGAL_FLAGS);
2889caa9
CW		 2329 BUILD_BUG_ON(__EXEC_OBJECT_INTERNAL_FLAGS &
2330 ~__EXEC_OBJECT_UNKNOWN_FLAGS);
54cf91dc 2331
650bc635
CW		 2332 eb.i915 = to_i915(dev);
2333 eb.file = file;
2334 eb.args = args;
7dd4f672 2335 if (DBG_FORCE_RELOC || !(args->flags & I915_EXEC_NO_RELOC))
2889caa9 2336 args->flags |= __EXEC_HAS_RELOC;
c7c6e46f 2337
650bc635 2338 eb.exec = exec;
170fa29b
CW		 2339 eb.vma = (struct i915_vma **)(exec + args->buffer_count + 1);
2340 eb.vma[0] = NULL;
c7c6e46f
CW		 2341 eb.flags = (unsigned int *)(eb.vma + args->buffer_count + 1);
2342
2889caa9 2343 eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
650bc635
CW		 2344 reloc_cache_init(&eb.reloc_cache, eb.i915);
2345
2889caa9 2346 eb.buffer_count = args->buffer_count;
650bc635
CW		 2347 eb.batch_start_offset = args->batch_start_offset;
2348 eb.batch_len = args->batch_len;
2349
2889caa9 2350 eb.batch_flags = 0;
d7d4eedd 2351 if (args->flags & I915_EXEC_SECURE) {
b3ac9f25 2352 if (!drm_is_current_master(file) || !capable(CAP_SYS_ADMIN))
d7d4eedd
CW		 2353 return -EPERM;
2354
2889caa9 2355 eb.batch_flags |= I915_DISPATCH_SECURE;
d7d4eedd 2356 }
b45305fc 2357 if (args->flags & I915_EXEC_IS_PINNED)
2889caa9 2358 eb.batch_flags |= I915_DISPATCH_PINNED;
54cf91dc 2359
fec0445c
CW		 2360 if (args->flags & I915_EXEC_FENCE_IN) {
2361 in_fence = sync_file_get_fence(lower_32_bits(args->rsvd2));
4a04e371
DCS		 2362 if (!in_fence)
2363 return -EINVAL;
fec0445c
CW		 2364 }
2365
a88b6e4c
CW		 2366 if (args->flags & I915_EXEC_FENCE_SUBMIT) {
2367 if (in_fence) {
2368 err = -EINVAL;
2369 goto err_in_fence;
2370 }
2371
2372 exec_fence = sync_file_get_fence(lower_32_bits(args->rsvd2));
2373 if (!exec_fence) {
2374 err = -EINVAL;
2375 goto err_in_fence;
2376 }
2377 }
2378
fec0445c
CW		 2379 if (args->flags & I915_EXEC_FENCE_OUT) {
2380 out_fence_fd = get_unused_fd_flags(O_CLOEXEC);
2381 if (out_fence_fd < 0) {
2889caa9 2382 err = out_fence_fd;
a88b6e4c 2383 goto err_exec_fence;
fec0445c
CW		 2384 }
2385 }
2386
4d470f73
CW		 2387 err = eb_create(&eb);
2388 if (err)
2389 goto err_out_fence;
2390
2391 GEM_BUG_ON(!eb.lut_size);
2889caa9 2392
1acfc104
CW		 2393 err = eb_select_context(&eb);
2394 if (unlikely(err))
2395 goto err_destroy;
2396
2889caa9
CW		 2397 /*
2398 * Take a local wakeref for preparing to dispatch the execbuf as
67d97da3
CW		 2399 * we expect to access the hardware fairly frequently in the
2400 * process. Upon first dispatch, we acquire another prolonged
2401 * wakeref that we hold until the GPU has been idle for at least
2402 * 100ms.
2403 */
8f2a1057 2404 intel_gt_pm_get(eb.i915);
1acfc104 2405
2889caa9
CW		 2406 err = i915_mutex_lock_interruptible(dev);
2407 if (err)
2408 goto err_rpm;
f65c9168 2409
8f2a1057 2410 err = eb_select_engine(&eb, file, args);
d6f328bf
CW		 2411 if (unlikely(err))
2412 goto err_unlock;
2413
8f2a1057
CW		 2414 err = eb_wait_for_ring(&eb); /* may temporarily drop struct_mutex */
2415 if (unlikely(err))
2416 goto err_engine;
2417
2889caa9 2418 err = eb_relocate(&eb);
1f727d9e 2419 if (err) {
2889caa9
CW		 2420 /*
2421 * If the user expects the execobject.offset and
2422 * reloc.presumed_offset to be an exact match,
2423 * as for using NO_RELOC, then we cannot update
2424 * the execobject.offset until we have completed
2425 * relocation.
2426 */
2427 args->flags &= ~__EXEC_HAS_RELOC;
2889caa9 2428 goto err_vma;
1f727d9e 2429 }
54cf91dc 2430
c7c6e46f 2431 if (unlikely(*eb.batch->exec_flags & EXEC_OBJECT_WRITE)) {
ff240199 2432 DRM_DEBUG("Attempting to use self-modifying batch buffer\n");
2889caa9
CW		 2433 err = -EINVAL;
2434 goto err_vma;
54cf91dc 2435 }
650bc635
CW		 2436 if (eb.batch_start_offset > eb.batch->size ||
2437 eb.batch_len > eb.batch->size - eb.batch_start_offset) {
0b537272 2438 DRM_DEBUG("Attempting to use out-of-bounds batch\n");
2889caa9
CW		 2439 err = -EINVAL;
2440 goto err_vma;
0b537272 2441 }
54cf91dc 2442
3dbf26ed 2443 if (eb_use_cmdparser(&eb)) {
59bfa124
CW		 2444 struct i915_vma *vma;
2445
650bc635 2446 vma = eb_parse(&eb, drm_is_current_master(file));
59bfa124 2447 if (IS_ERR(vma)) {
2889caa9
CW		 2448 err = PTR_ERR(vma);
2449 goto err_vma;
78a42377 2450 }
17cabf57 2451
59bfa124 2452 if (vma) {
c7c7372e
RP		 2453 /*
2454 * Batch parsed and accepted:
2455 *
2456 * Set the DISPATCH_SECURE bit to remove the NON_SECURE
2457 * bit from MI_BATCH_BUFFER_START commands issued in
2458 * the dispatch_execbuffer implementations. We
2459 * specifically don't want that set on batches the
2460 * command parser has accepted.
2461 */
2889caa9 2462 eb.batch_flags |= I915_DISPATCH_SECURE;
650bc635
CW		 2463 eb.batch_start_offset = 0;
2464 eb.batch = vma;
c7c7372e 2465 }
351e3db2
BV		 2466 }
2467
650bc635
CW		 2468 if (eb.batch_len == 0)
2469 eb.batch_len = eb.batch->size - eb.batch_start_offset;
78a42377 2470
2889caa9
CW		 2471 /*
2472 * snb/ivb/vlv conflate the "batch in ppgtt" bit with the "non-secure
d7d4eedd 2473 * batch" bit. Hence we need to pin secure batches into the global gtt.
28cf5415 2474 * hsw should have this fixed, but bdw mucks it up again. */
2889caa9 2475 if (eb.batch_flags & I915_DISPATCH_SECURE) {
058d88c4 2476 struct i915_vma *vma;
59bfa124 2477
da51a1e7
DV		 2478 /*
2479 * So on first glance it looks freaky that we pin the batch here
2480 * outside of the reservation loop. But:
2481 * - The batch is already pinned into the relevant ppgtt, so we
2482 * already have the backing storage fully allocated.
2483 * - No other BO uses the global gtt (well contexts, but meh),
fd0753cf 2484 * so we don't really have issues with multiple objects not
da51a1e7
DV		 2485 * fitting due to fragmentation.
2486 * So this is actually safe.
2487 */
2889caa9 2488 vma = i915_gem_object_ggtt_pin(eb.batch->obj, NULL, 0, 0, 0);
058d88c4 2489 if (IS_ERR(vma)) {
2889caa9
CW		 2490 err = PTR_ERR(vma);
2491 goto err_vma;
058d88c4 2492 }
d7d4eedd 2493
650bc635 2494 eb.batch = vma;
59bfa124 2495 }
d7d4eedd 2496
7dd4f672
CW		 2497 /* All GPU relocation batches must be submitted prior to the user rq */
2498 GEM_BUG_ON(eb.reloc_cache.rq);
2499
0c8dac88 2500 /* Allocate a request for this batch buffer nice and early. */
8f2a1057 2501 eb.request = i915_request_create(eb.context);
650bc635 2502 if (IS_ERR(eb.request)) {
2889caa9 2503 err = PTR_ERR(eb.request);
0c8dac88 2504 goto err_batch_unpin;
26827088 2505 }
0c8dac88 2506
fec0445c 2507 if (in_fence) {
e61e0f51 2508 err = i915_request_await_dma_fence(eb.request, in_fence);
2889caa9 2509 if (err < 0)
fec0445c
CW		 2510 goto err_request;
2511 }
2512
a88b6e4c
CW		 2513 if (exec_fence) {
2514 err = i915_request_await_execution(eb.request, exec_fence,
2515 eb.engine->bond_execute);
2516 if (err < 0)
2517 goto err_request;
2518 }
2519
cf6e7bac
JE		 2520 if (fences) {
2521 err = await_fence_array(&eb, fences);
2522 if (err)
2523 goto err_request;
2524 }
2525
fec0445c 2526 if (out_fence_fd != -1) {
650bc635 2527 out_fence = sync_file_create(&eb.request->fence);
fec0445c 2528 if (!out_fence) {
2889caa9 2529 err = -ENOMEM;
fec0445c
CW		 2530 goto err_request;
2531 }
2532 }
2533
2889caa9
CW		 2534 /*
2535 * Whilst this request exists, batch_obj will be on the
17f298cf
CW		 2536 * active_list, and so will hold the active reference. Only when this
2537 * request is retired will the the batch_obj be moved onto the
2538 * inactive_list and lose its active reference. Hence we do not need
2539 * to explicitly hold another reference here.
2540 */
650bc635 2541 eb.request->batch = eb.batch;
5f19e2bf 2542
e61e0f51 2543 trace_i915_request_queue(eb.request, eb.batch_flags);
2889caa9 2544 err = eb_submit(&eb);
aa9b7810 2545err_request:
650bc635 2546 add_to_client(eb.request, file);
8f2a1057 2547 i915_request_add(eb.request);
c8659efa 2548
cf6e7bac
JE		 2549 if (fences)
2550 signal_fence_array(&eb, fences);
2551
fec0445c 2552 if (out_fence) {
2889caa9 2553 if (err == 0) {
fec0445c 2554 fd_install(out_fence_fd, out_fence->file);
b6a88e4a 2555 args->rsvd2 &= GENMASK_ULL(31, 0); /* keep in-fence */
fec0445c
CW		 2556 args->rsvd2 |= (u64)out_fence_fd << 32;
2557 out_fence_fd = -1;
2558 } else {
2559 fput(out_fence->file);
2560 }
2561 }
54cf91dc 2562
0c8dac88 2563err_batch_unpin:
2889caa9 2564 if (eb.batch_flags & I915_DISPATCH_SECURE)
650bc635 2565 i915_vma_unpin(eb.batch);
2889caa9
CW		 2566err_vma:
2567 if (eb.exec)
2568 eb_release_vmas(&eb);
8f2a1057
CW		 2569err_engine:
2570 eb_unpin_context(&eb);
d6f328bf 2571err_unlock:
54cf91dc 2572 mutex_unlock(&dev->struct_mutex);
2889caa9 2573err_rpm:
8f2a1057
CW		 2574 intel_gt_pm_put(eb.i915);
2575 i915_gem_context_put(eb.gem_context);
1acfc104 2576err_destroy:
2889caa9 2577 eb_destroy(&eb);
4d470f73 2578err_out_fence:
fec0445c
CW		 2579 if (out_fence_fd != -1)
2580 put_unused_fd(out_fence_fd);
a88b6e4c
CW		 2581err_exec_fence:
2582 dma_fence_put(exec_fence);
4a04e371 2583err_in_fence:
fec0445c 2584 dma_fence_put(in_fence);
2889caa9 2585 return err;
54cf91dc
CW		 2586}
2587
d710fc16
CW		 2588static size_t eb_element_size(void)
2589{
2590 return (sizeof(struct drm_i915_gem_exec_object2) +
2591 sizeof(struct i915_vma *) +
2592 sizeof(unsigned int));
2593}
2594
2595static bool check_buffer_count(size_t count)
2596{
2597 const size_t sz = eb_element_size();
2598
2599 /*
2600 * When using LUT_HANDLE, we impose a limit of INT_MAX for the lookup
2601 * array size (see eb_create()). Otherwise, we can accept an array as
2602 * large as can be addressed (though use large arrays at your peril)!
2603 */
2604
2605 return !(count < 1 || count > INT_MAX || count > SIZE_MAX / sz - 1);
2606}
2607
54cf91dc
CW		 2608/*
2609 * Legacy execbuffer just creates an exec2 list from the original exec object
2610 * list array and passes it to the real function.
2611 */
2612int
6a20fe7b
VS		 2613i915_gem_execbuffer_ioctl(struct drm_device *dev, void *data,
2614 struct drm_file *file)
54cf91dc
CW		 2615{
2616 struct drm_i915_gem_execbuffer *args = data;
2617 struct drm_i915_gem_execbuffer2 exec2;
2618 struct drm_i915_gem_exec_object *exec_list = NULL;
2619 struct drm_i915_gem_exec_object2 *exec2_list = NULL;
d710fc16 2620 const size_t count = args->buffer_count;
2889caa9
CW		 2621 unsigned int i;
2622 int err;
54cf91dc 2623
d710fc16
CW		 2624 if (!check_buffer_count(count)) {
2625 DRM_DEBUG("execbuf2 with %zd buffers\n", count);
54cf91dc
CW		 2626 return -EINVAL;
2627 }
2628
2889caa9
CW		 2629 exec2.buffers_ptr = args->buffers_ptr;
2630 exec2.buffer_count = args->buffer_count;
2631 exec2.batch_start_offset = args->batch_start_offset;
2632 exec2.batch_len = args->batch_len;
2633 exec2.DR1 = args->DR1;
2634 exec2.DR4 = args->DR4;
2635 exec2.num_cliprects = args->num_cliprects;
2636 exec2.cliprects_ptr = args->cliprects_ptr;
2637 exec2.flags = I915_EXEC_RENDER;
2638 i915_execbuffer2_set_context_id(exec2, 0);
2639
2640 if (!i915_gem_check_execbuffer(&exec2))
2641 return -EINVAL;
2642
54cf91dc 2643 /* Copy in the exec list from userland */
d710fc16 2644 exec_list = kvmalloc_array(count, sizeof(*exec_list),
0ee931c4 2645 __GFP_NOWARN | GFP_KERNEL);
d710fc16 2646 exec2_list = kvmalloc_array(count + 1, eb_element_size(),
0ee931c4 2647 __GFP_NOWARN | GFP_KERNEL);
54cf91dc 2648 if (exec_list == NULL || exec2_list == NULL) {
ff240199 2649 DRM_DEBUG("Failed to allocate exec list for %d buffers\n",
54cf91dc 2650 args->buffer_count);
2098105e
MH		 2651 kvfree(exec_list);
2652 kvfree(exec2_list);
54cf91dc
CW		 2653 return -ENOMEM;
2654 }
2889caa9 2655 err = copy_from_user(exec_list,
3ed605bc 2656 u64_to_user_ptr(args->buffers_ptr),
d710fc16 2657 sizeof(*exec_list) * count);
2889caa9 2658 if (err) {
ff240199 2659 DRM_DEBUG("copy %d exec entries failed %d\n",
2889caa9 2660 args->buffer_count, err);
2098105e
MH		 2661 kvfree(exec_list);
2662 kvfree(exec2_list);
54cf91dc
CW		 2663 return -EFAULT;
2664 }
2665
2666 for (i = 0; i < args->buffer_count; i++) {
2667 exec2_list[i].handle = exec_list[i].handle;
2668 exec2_list[i].relocation_count = exec_list[i].relocation_count;
2669 exec2_list[i].relocs_ptr = exec_list[i].relocs_ptr;
2670 exec2_list[i].alignment = exec_list[i].alignment;
2671 exec2_list[i].offset = exec_list[i].offset;
f0836b72 2672 if (INTEL_GEN(to_i915(dev)) < 4)
54cf91dc
CW		 2673 exec2_list[i].flags = EXEC_OBJECT_NEEDS_FENCE;
2674 else
2675 exec2_list[i].flags = 0;
2676 }
2677
cf6e7bac 2678 err = i915_gem_do_execbuffer(dev, file, &exec2, exec2_list, NULL);
2889caa9 2679 if (exec2.flags & __EXEC_HAS_RELOC) {
9aab8bff 2680 struct drm_i915_gem_exec_object __user *user_exec_list =
3ed605bc 2681 u64_to_user_ptr(args->buffers_ptr);
9aab8bff 2682
54cf91dc 2683 /* Copy the new buffer offsets back to the user's exec list. */
9aab8bff 2684 for (i = 0; i < args->buffer_count; i++) {
2889caa9
CW		 2685 if (!(exec2_list[i].offset & UPDATE))
2686 continue;
2687
934acce3 2688 exec2_list[i].offset =
2889caa9
CW		 2689 gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
2690 exec2_list[i].offset &= PIN_OFFSET_MASK;
2691 if (__copy_to_user(&user_exec_list[i].offset,
2692 &exec2_list[i].offset,
2693 sizeof(user_exec_list[i].offset)))
9aab8bff 2694 break;
54cf91dc
CW		 2695 }
2696 }
2697
2098105e
MH		 2698 kvfree(exec_list);
2699 kvfree(exec2_list);
2889caa9 2700 return err;
54cf91dc
CW		 2701}
2702
2703int
6a20fe7b
VS		 2704i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data,
2705 struct drm_file *file)
54cf91dc
CW		 2706{
2707 struct drm_i915_gem_execbuffer2 *args = data;
2889caa9 2708 struct drm_i915_gem_exec_object2 *exec2_list;
cf6e7bac 2709 struct drm_syncobj **fences = NULL;
d710fc16 2710 const size_t count = args->buffer_count;
2889caa9 2711 int err;
54cf91dc 2712
d710fc16
CW		 2713 if (!check_buffer_count(count)) {
2714 DRM_DEBUG("execbuf2 with %zd buffers\n", count);
54cf91dc
CW		 2715 return -EINVAL;
2716 }
2717
2889caa9
CW		 2718 if (!i915_gem_check_execbuffer(args))
2719 return -EINVAL;
2720
2721 /* Allocate an extra slot for use by the command parser */
d710fc16 2722 exec2_list = kvmalloc_array(count + 1, eb_element_size(),
0ee931c4 2723 __GFP_NOWARN | GFP_KERNEL);
54cf91dc 2724 if (exec2_list == NULL) {
d710fc16
CW		 2725 DRM_DEBUG("Failed to allocate exec list for %zd buffers\n",
2726 count);
54cf91dc
CW		 2727 return -ENOMEM;
2728 }
2889caa9
CW		 2729 if (copy_from_user(exec2_list,
2730 u64_to_user_ptr(args->buffers_ptr),
d710fc16
CW		 2731 sizeof(*exec2_list) * count)) {
2732 DRM_DEBUG("copy %zd exec entries failed\n", count);
2098105e 2733 kvfree(exec2_list);
54cf91dc
CW		 2734 return -EFAULT;
2735 }
2736
cf6e7bac
JE		 2737 if (args->flags & I915_EXEC_FENCE_ARRAY) {
2738 fences = get_fence_array(args, file);
2739 if (IS_ERR(fences)) {
2740 kvfree(exec2_list);
2741 return PTR_ERR(fences);
2742 }
2743 }
2744
2745 err = i915_gem_do_execbuffer(dev, file, args, exec2_list, fences);
2889caa9
CW		 2746
2747 /*
2748 * Now that we have begun execution of the batchbuffer, we ignore
2749 * any new error after this point. Also given that we have already
2750 * updated the associated relocations, we try to write out the current
2751 * object locations irrespective of any error.
2752 */
2753 if (args->flags & __EXEC_HAS_RELOC) {
d593d992 2754 struct drm_i915_gem_exec_object2 __user *user_exec_list =
2889caa9
CW		 2755 u64_to_user_ptr(args->buffers_ptr);
2756 unsigned int i;
9aab8bff 2757
2889caa9 2758 /* Copy the new buffer offsets back to the user's exec list. */
594cc251
LT		 2759 /*
2760 * Note: count * sizeof(*user_exec_list) does not overflow,
2761 * because we checked 'count' in check_buffer_count().
2762 *
2763 * And this range already got effectively checked earlier
2764 * when we did the "copy_from_user()" above.
2765 */
2766 if (!user_access_begin(user_exec_list, count * sizeof(*user_exec_list)))
8f4faed0 2767 goto end;
594cc251 2768
9aab8bff 2769 for (i = 0; i < args->buffer_count; i++) {
2889caa9
CW		 2770 if (!(exec2_list[i].offset & UPDATE))
2771 continue;
2772
934acce3 2773 exec2_list[i].offset =
2889caa9
CW		 2774 gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK);
2775 unsafe_put_user(exec2_list[i].offset,
2776 &user_exec_list[i].offset,
2777 end_user);
54cf91dc 2778 }
2889caa9
CW		 2779end_user:
2780 user_access_end();
8f4faed0 2781end:;
54cf91dc
CW		 2782 }
2783
2889caa9 2784 args->flags &= ~__I915_EXEC_UNKNOWN_FLAGS;
cf6e7bac 2785 put_fence_array(args, fences);
2098105e 2786 kvfree(exec2_list);
2889caa9 2787 return err;
54cf91dc 2788}
Linux 6.x block layer and io_uring tree(s)