Commit 40a5f0de authored by Eric Anholt's avatar Eric Anholt

drm/i915: Fix lock order reversal in GEM relocation entry copying.

Signed-off-by: default avatarEric Anholt <eric@anholt.net>
Reviewed-by: default avatarKeith Packard <keithp@keithp.com>
parent 201361a5
...@@ -2713,12 +2713,11 @@ i915_gem_object_set_cpu_read_domain_range(struct drm_gem_object *obj, ...@@ -2713,12 +2713,11 @@ i915_gem_object_set_cpu_read_domain_range(struct drm_gem_object *obj,
static int static int
i915_gem_object_pin_and_relocate(struct drm_gem_object *obj, i915_gem_object_pin_and_relocate(struct drm_gem_object *obj,
struct drm_file *file_priv, struct drm_file *file_priv,
struct drm_i915_gem_exec_object *entry) struct drm_i915_gem_exec_object *entry,
struct drm_i915_gem_relocation_entry *relocs)
{ {
struct drm_device *dev = obj->dev; struct drm_device *dev = obj->dev;
drm_i915_private_t *dev_priv = dev->dev_private; drm_i915_private_t *dev_priv = dev->dev_private;
struct drm_i915_gem_relocation_entry reloc;
struct drm_i915_gem_relocation_entry __user *relocs;
struct drm_i915_gem_object *obj_priv = obj->driver_private; struct drm_i915_gem_object *obj_priv = obj->driver_private;
int i, ret; int i, ret;
void __iomem *reloc_page; void __iomem *reloc_page;
...@@ -2730,25 +2729,18 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj, ...@@ -2730,25 +2729,18 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj,
entry->offset = obj_priv->gtt_offset; entry->offset = obj_priv->gtt_offset;
relocs = (struct drm_i915_gem_relocation_entry __user *)
(uintptr_t) entry->relocs_ptr;
/* Apply the relocations, using the GTT aperture to avoid cache /* Apply the relocations, using the GTT aperture to avoid cache
* flushing requirements. * flushing requirements.
*/ */
for (i = 0; i < entry->relocation_count; i++) { for (i = 0; i < entry->relocation_count; i++) {
struct drm_i915_gem_relocation_entry *reloc= &relocs[i];
struct drm_gem_object *target_obj; struct drm_gem_object *target_obj;
struct drm_i915_gem_object *target_obj_priv; struct drm_i915_gem_object *target_obj_priv;
uint32_t reloc_val, reloc_offset; uint32_t reloc_val, reloc_offset;
uint32_t __iomem *reloc_entry; uint32_t __iomem *reloc_entry;
ret = copy_from_user(&reloc, relocs + i, sizeof(reloc));
if (ret != 0) {
i915_gem_object_unpin(obj);
return ret;
}
target_obj = drm_gem_object_lookup(obj->dev, file_priv, target_obj = drm_gem_object_lookup(obj->dev, file_priv,
reloc.target_handle); reloc->target_handle);
if (target_obj == NULL) { if (target_obj == NULL) {
i915_gem_object_unpin(obj); i915_gem_object_unpin(obj);
return -EBADF; return -EBADF;
...@@ -2760,53 +2752,53 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj, ...@@ -2760,53 +2752,53 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj,
*/ */
if (target_obj_priv->gtt_space == NULL) { if (target_obj_priv->gtt_space == NULL) {
DRM_ERROR("No GTT space found for object %d\n", DRM_ERROR("No GTT space found for object %d\n",
reloc.target_handle); reloc->target_handle);
drm_gem_object_unreference(target_obj); drm_gem_object_unreference(target_obj);
i915_gem_object_unpin(obj); i915_gem_object_unpin(obj);
return -EINVAL; return -EINVAL;
} }
if (reloc.offset > obj->size - 4) { if (reloc->offset > obj->size - 4) {
DRM_ERROR("Relocation beyond object bounds: " DRM_ERROR("Relocation beyond object bounds: "
"obj %p target %d offset %d size %d.\n", "obj %p target %d offset %d size %d.\n",
obj, reloc.target_handle, obj, reloc->target_handle,
(int) reloc.offset, (int) obj->size); (int) reloc->offset, (int) obj->size);
drm_gem_object_unreference(target_obj); drm_gem_object_unreference(target_obj);
i915_gem_object_unpin(obj); i915_gem_object_unpin(obj);
return -EINVAL; return -EINVAL;
} }
if (reloc.offset & 3) { if (reloc->offset & 3) {
DRM_ERROR("Relocation not 4-byte aligned: " DRM_ERROR("Relocation not 4-byte aligned: "
"obj %p target %d offset %d.\n", "obj %p target %d offset %d.\n",
obj, reloc.target_handle, obj, reloc->target_handle,
(int) reloc.offset); (int) reloc->offset);
drm_gem_object_unreference(target_obj); drm_gem_object_unreference(target_obj);
i915_gem_object_unpin(obj); i915_gem_object_unpin(obj);
return -EINVAL; return -EINVAL;
} }
if (reloc.write_domain & I915_GEM_DOMAIN_CPU || if (reloc->write_domain & I915_GEM_DOMAIN_CPU ||
reloc.read_domains & I915_GEM_DOMAIN_CPU) { reloc->read_domains & I915_GEM_DOMAIN_CPU) {
DRM_ERROR("reloc with read/write CPU domains: " DRM_ERROR("reloc with read/write CPU domains: "
"obj %p target %d offset %d " "obj %p target %d offset %d "
"read %08x write %08x", "read %08x write %08x",
obj, reloc.target_handle, obj, reloc->target_handle,
(int) reloc.offset, (int) reloc->offset,
reloc.read_domains, reloc->read_domains,
reloc.write_domain); reloc->write_domain);
drm_gem_object_unreference(target_obj); drm_gem_object_unreference(target_obj);
i915_gem_object_unpin(obj); i915_gem_object_unpin(obj);
return -EINVAL; return -EINVAL;
} }
if (reloc.write_domain && target_obj->pending_write_domain && if (reloc->write_domain && target_obj->pending_write_domain &&
reloc.write_domain != target_obj->pending_write_domain) { reloc->write_domain != target_obj->pending_write_domain) {
DRM_ERROR("Write domain conflict: " DRM_ERROR("Write domain conflict: "
"obj %p target %d offset %d " "obj %p target %d offset %d "
"new %08x old %08x\n", "new %08x old %08x\n",
obj, reloc.target_handle, obj, reloc->target_handle,
(int) reloc.offset, (int) reloc->offset,
reloc.write_domain, reloc->write_domain,
target_obj->pending_write_domain); target_obj->pending_write_domain);
drm_gem_object_unreference(target_obj); drm_gem_object_unreference(target_obj);
i915_gem_object_unpin(obj); i915_gem_object_unpin(obj);
...@@ -2819,22 +2811,22 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj, ...@@ -2819,22 +2811,22 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj,
"presumed %08x delta %08x\n", "presumed %08x delta %08x\n",
__func__, __func__,
obj, obj,
(int) reloc.offset, (int) reloc->offset,
(int) reloc.target_handle, (int) reloc->target_handle,
(int) reloc.read_domains, (int) reloc->read_domains,
(int) reloc.write_domain, (int) reloc->write_domain,
(int) target_obj_priv->gtt_offset, (int) target_obj_priv->gtt_offset,
(int) reloc.presumed_offset, (int) reloc->presumed_offset,
reloc.delta); reloc->delta);
#endif #endif
target_obj->pending_read_domains |= reloc.read_domains; target_obj->pending_read_domains |= reloc->read_domains;
target_obj->pending_write_domain |= reloc.write_domain; target_obj->pending_write_domain |= reloc->write_domain;
/* If the relocation already has the right value in it, no /* If the relocation already has the right value in it, no
* more work needs to be done. * more work needs to be done.
*/ */
if (target_obj_priv->gtt_offset == reloc.presumed_offset) { if (target_obj_priv->gtt_offset == reloc->presumed_offset) {
drm_gem_object_unreference(target_obj); drm_gem_object_unreference(target_obj);
continue; continue;
} }
...@@ -2849,32 +2841,26 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj, ...@@ -2849,32 +2841,26 @@ i915_gem_object_pin_and_relocate(struct drm_gem_object *obj,
/* Map the page containing the relocation we're going to /* Map the page containing the relocation we're going to
* perform. * perform.
*/ */
reloc_offset = obj_priv->gtt_offset + reloc.offset; reloc_offset = obj_priv->gtt_offset + reloc->offset;
reloc_page = io_mapping_map_atomic_wc(dev_priv->mm.gtt_mapping, reloc_page = io_mapping_map_atomic_wc(dev_priv->mm.gtt_mapping,
(reloc_offset & (reloc_offset &
~(PAGE_SIZE - 1))); ~(PAGE_SIZE - 1)));
reloc_entry = (uint32_t __iomem *)(reloc_page + reloc_entry = (uint32_t __iomem *)(reloc_page +
(reloc_offset & (PAGE_SIZE - 1))); (reloc_offset & (PAGE_SIZE - 1)));
reloc_val = target_obj_priv->gtt_offset + reloc.delta; reloc_val = target_obj_priv->gtt_offset + reloc->delta;
#if WATCH_BUF #if WATCH_BUF
DRM_INFO("Applied relocation: %p@0x%08x %08x -> %08x\n", DRM_INFO("Applied relocation: %p@0x%08x %08x -> %08x\n",
obj, (unsigned int) reloc.offset, obj, (unsigned int) reloc->offset,
readl(reloc_entry), reloc_val); readl(reloc_entry), reloc_val);
#endif #endif
writel(reloc_val, reloc_entry); writel(reloc_val, reloc_entry);
io_mapping_unmap_atomic(reloc_page); io_mapping_unmap_atomic(reloc_page);
/* Write the updated presumed offset for this entry back out /* The updated presumed offset for this entry will be
* to the user. * copied back out to the user.
*/ */
reloc.presumed_offset = target_obj_priv->gtt_offset; reloc->presumed_offset = target_obj_priv->gtt_offset;
ret = copy_to_user(relocs + i, &reloc, sizeof(reloc));
if (ret != 0) {
drm_gem_object_unreference(target_obj);
i915_gem_object_unpin(obj);
return ret;
}
drm_gem_object_unreference(target_obj); drm_gem_object_unreference(target_obj);
} }
...@@ -2971,6 +2957,75 @@ i915_gem_ring_throttle(struct drm_device *dev, struct drm_file *file_priv) ...@@ -2971,6 +2957,75 @@ i915_gem_ring_throttle(struct drm_device *dev, struct drm_file *file_priv)
return ret; return ret;
} }
static int
i915_gem_get_relocs_from_user(struct drm_i915_gem_exec_object *exec_list,
uint32_t buffer_count,
struct drm_i915_gem_relocation_entry **relocs)
{
uint32_t reloc_count = 0, reloc_index = 0, i;
int ret;
*relocs = NULL;
for (i = 0; i < buffer_count; i++) {
if (reloc_count + exec_list[i].relocation_count < reloc_count)
return -EINVAL;
reloc_count += exec_list[i].relocation_count;
}
*relocs = drm_calloc(reloc_count, sizeof(**relocs), DRM_MEM_DRIVER);
if (*relocs == NULL)
return -ENOMEM;
for (i = 0; i < buffer_count; i++) {
struct drm_i915_gem_relocation_entry __user *user_relocs;
user_relocs = (void __user *)(uintptr_t)exec_list[i].relocs_ptr;
ret = copy_from_user(&(*relocs)[reloc_index],
user_relocs,
exec_list[i].relocation_count *
sizeof(**relocs));
if (ret != 0) {
drm_free(*relocs, reloc_count * sizeof(**relocs),
DRM_MEM_DRIVER);
*relocs = NULL;
return ret;
}
reloc_index += exec_list[i].relocation_count;
}
return ret;
}
static int
i915_gem_put_relocs_to_user(struct drm_i915_gem_exec_object *exec_list,
uint32_t buffer_count,
struct drm_i915_gem_relocation_entry *relocs)
{
uint32_t reloc_count = 0, i;
int ret;
for (i = 0; i < buffer_count; i++) {
struct drm_i915_gem_relocation_entry __user *user_relocs;
user_relocs = (void __user *)(uintptr_t)exec_list[i].relocs_ptr;
if (ret == 0) {
ret = copy_to_user(user_relocs,
&relocs[reloc_count],
exec_list[i].relocation_count *
sizeof(*relocs));
}
reloc_count += exec_list[i].relocation_count;
}
drm_free(relocs, reloc_count * sizeof(*relocs), DRM_MEM_DRIVER);
return ret;
}
int int
i915_gem_execbuffer(struct drm_device *dev, void *data, i915_gem_execbuffer(struct drm_device *dev, void *data,
struct drm_file *file_priv) struct drm_file *file_priv)
...@@ -2983,9 +3038,10 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, ...@@ -2983,9 +3038,10 @@ i915_gem_execbuffer(struct drm_device *dev, void *data,
struct drm_gem_object *batch_obj; struct drm_gem_object *batch_obj;
struct drm_i915_gem_object *obj_priv; struct drm_i915_gem_object *obj_priv;
struct drm_clip_rect *cliprects = NULL; struct drm_clip_rect *cliprects = NULL;
int ret, i, pinned = 0; struct drm_i915_gem_relocation_entry *relocs;
int ret, ret2, i, pinned = 0;
uint64_t exec_offset; uint64_t exec_offset;
uint32_t seqno, flush_domains; uint32_t seqno, flush_domains, reloc_index;
int pin_tries; int pin_tries;
#if WATCH_EXEC #if WATCH_EXEC
...@@ -3036,6 +3092,11 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, ...@@ -3036,6 +3092,11 @@ i915_gem_execbuffer(struct drm_device *dev, void *data,
} }
} }
ret = i915_gem_get_relocs_from_user(exec_list, args->buffer_count,
&relocs);
if (ret != 0)
goto pre_mutex_err;
mutex_lock(&dev->struct_mutex); mutex_lock(&dev->struct_mutex);
i915_verify_inactive(dev, __FILE__, __LINE__); i915_verify_inactive(dev, __FILE__, __LINE__);
...@@ -3078,15 +3139,19 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, ...@@ -3078,15 +3139,19 @@ i915_gem_execbuffer(struct drm_device *dev, void *data,
/* Pin and relocate */ /* Pin and relocate */
for (pin_tries = 0; ; pin_tries++) { for (pin_tries = 0; ; pin_tries++) {
ret = 0; ret = 0;
reloc_index = 0;
for (i = 0; i < args->buffer_count; i++) { for (i = 0; i < args->buffer_count; i++) {
object_list[i]->pending_read_domains = 0; object_list[i]->pending_read_domains = 0;
object_list[i]->pending_write_domain = 0; object_list[i]->pending_write_domain = 0;
ret = i915_gem_object_pin_and_relocate(object_list[i], ret = i915_gem_object_pin_and_relocate(object_list[i],
file_priv, file_priv,
&exec_list[i]); &exec_list[i],
&relocs[reloc_index]);
if (ret) if (ret)
break; break;
pinned = i + 1; pinned = i + 1;
reloc_index += exec_list[i].relocation_count;
} }
/* success */ /* success */
if (ret == 0) if (ret == 0)
...@@ -3236,6 +3301,20 @@ i915_gem_execbuffer(struct drm_device *dev, void *data, ...@@ -3236,6 +3301,20 @@ i915_gem_execbuffer(struct drm_device *dev, void *data,
args->buffer_count, ret); args->buffer_count, ret);
} }
/* Copy the updated relocations out regardless of current error
* state. Failure to update the relocs would mean that the next
* time userland calls execbuf, it would do so with presumed offset
* state that didn't match the actual object state.
*/
ret2 = i915_gem_put_relocs_to_user(exec_list, args->buffer_count,
relocs);
if (ret2 != 0) {
DRM_ERROR("Failed to copy relocations back out: %d\n", ret2);
if (ret == 0)
ret = ret2;
}
pre_mutex_err: pre_mutex_err:
drm_free(object_list, sizeof(*object_list) * args->buffer_count, drm_free(object_list, sizeof(*object_list) * args->buffer_count,
DRM_MEM_DRIVER); DRM_MEM_DRIVER);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment