redonkable/remarkable-linux
redonkable/remarkable-linux
1
0
Fork 0
Code Releases Activity

drm/radeon: Fix memory allocation failures in the preKMS command stream checking.

Browse source 
Allocation of single large block of memory may fail under memory
presure. drm_buffer object can hold one large block of data in
multiple independ pages which preents alloation failures.

This patch converts all access to command stream to use drm_buffer
interface. All direct access to array has to go tough drm_buffer
functions to get correct pointer.

Outputting the command stream to ring buffer needs to be awear of
the split nature of drm_buffer. The output operation requires the
new OUT_RING_DRM_BUFFER.

Signed-off-by: Pauli Nieminen <suokkos@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
This commit is contained in:
Pauli Nieminen 2010-02-01 19:11:16 +02:00 committed by Dave Airlie
parent 7a9f0dd9c4
commit b4fe945405
3 changed files with 262 additions and 247 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

280
drivers/gpu/drm/radeon/r300_cmdbuf.c
View file

@ -33,6 +33,7 @@
#include "drmP.h" #include "drmP.h"
#include "drm.h" #include "drm.h"
#include "drm_buffer.h"
#include "radeon_drm.h" #include "radeon_drm.h"
#include "radeon_drv.h" #include "radeon_drv.h"
#include "r300_reg.h" #include "r300_reg.h"
@ -299,46 +300,42 @@ static __inline__ int r300_emit_carefully_checked_packet0(drm_radeon_private_t *
int reg; int reg;
int sz; int sz;
int i; int i;
int values[64]; u32 *value;
RING_LOCALS; RING_LOCALS;
sz = header.packet0.count; sz = header.packet0.count;
reg = (header.packet0.reghi << 8) | header.packet0.reglo; reg = (header.packet0.reghi << 8) | header.packet0.reglo;
if ((sz > 64) || (sz < 0)) { if ((sz > 64) || (sz < 0)) {
DRM_ERROR DRM_ERROR("Cannot emit more than 64 values at a time (reg=%04x sz=%d)\n",
("Cannot emit more than 64 values at a time (reg=%04x sz=%d)\n", reg, sz);
reg, sz);
return -EINVAL; return -EINVAL;
} }
for (i = 0; i < sz; i++) { for (i = 0; i < sz; i++) {
values[i] = ((int *)cmdbuf->buf)[i];
switch (r300_reg_flags[(reg >> 2) + i]) { switch (r300_reg_flags[(reg >> 2) + i]) {
case MARK_SAFE: case MARK_SAFE:
break; break;
case MARK_CHECK_OFFSET: case MARK_CHECK_OFFSET:
if (!radeon_check_offset(dev_priv, (u32) values[i])) { value = drm_buffer_pointer_to_dword(cmdbuf->buffer, i);
DRM_ERROR if (!radeon_check_offset(dev_priv, *value)) {
("Offset failed range check (reg=%04x sz=%d)\n", DRM_ERROR("Offset failed range check (reg=%04x sz=%d)\n",
reg, sz); reg, sz);
return -EINVAL; return -EINVAL;
} }
break; break;
default: default:
DRM_ERROR("Register %04x failed check as flag=%02x\n", DRM_ERROR("Register %04x failed check as flag=%02x\n",
reg + i * 4, r300_reg_flags[(reg >> 2) + i]); reg + i * 4, r300_reg_flags[(reg >> 2) + i]);
return -EINVAL; return -EINVAL;
} }
} }
BEGIN_RING(1 + sz); BEGIN_RING(1 + sz);
OUT_RING(CP_PACKET0(reg, sz - 1)); OUT_RING(CP_PACKET0(reg, sz - 1));
OUT_RING_TABLE(values, sz); OUT_RING_DRM_BUFFER(cmdbuf->buffer, sz);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += sz * 4;
cmdbuf->bufsz -= sz * 4;
return 0; return 0;
} }
@ -362,7 +359,7 @@ static __inline__ int r300_emit_packet0(drm_radeon_private_t *dev_priv,
if (!sz) if (!sz)
return 0; return 0;
if (sz * 4 > cmdbuf->bufsz) if (sz * 4 > drm_buffer_unprocessed(cmdbuf->buffer))
return -EINVAL; return -EINVAL;
if (reg + sz * 4 >= 0x10000) { if (reg + sz * 4 >= 0x10000) {
@ -380,12 +377,9 @@ static __inline__ int r300_emit_packet0(drm_radeon_private_t *dev_priv,
BEGIN_RING(1 + sz); BEGIN_RING(1 + sz);
OUT_RING(CP_PACKET0(reg, sz - 1)); OUT_RING(CP_PACKET0(reg, sz - 1));
OUT_RING_TABLE((int *)cmdbuf->buf, sz); OUT_RING_DRM_BUFFER(cmdbuf->buffer, sz);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += sz * 4;
cmdbuf->bufsz -= sz * 4;
return 0; return 0;
} }
@ -407,7 +401,7 @@ static __inline__ int r300_emit_vpu(drm_radeon_private_t *dev_priv,
if (!sz) if (!sz)
return 0; return 0;
if (sz * 16 > cmdbuf->bufsz) if (sz * 16 > drm_buffer_unprocessed(cmdbuf->buffer))
return -EINVAL; return -EINVAL;
/* VAP is very sensitive so we purge cache before we program it /* VAP is very sensitive so we purge cache before we program it
@ -426,7 +420,7 @@ static __inline__ int r300_emit_vpu(drm_radeon_private_t *dev_priv,
BEGIN_RING(3 + sz * 4); BEGIN_RING(3 + sz * 4);
OUT_RING_REG(R300_VAP_PVS_UPLOAD_ADDRESS, addr); OUT_RING_REG(R300_VAP_PVS_UPLOAD_ADDRESS, addr);
OUT_RING(CP_PACKET0_TABLE(R300_VAP_PVS_UPLOAD_DATA, sz * 4 - 1)); OUT_RING(CP_PACKET0_TABLE(R300_VAP_PVS_UPLOAD_DATA, sz * 4 - 1));
OUT_RING_TABLE((int *)cmdbuf->buf, sz * 4); OUT_RING_DRM_BUFFER(cmdbuf->buffer, sz * 4);
ADVANCE_RING(); ADVANCE_RING();
BEGIN_RING(2); BEGIN_RING(2);
@ -434,9 +428,6 @@ static __inline__ int r300_emit_vpu(drm_radeon_private_t *dev_priv,
OUT_RING(0); OUT_RING(0);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += sz * 16;
cmdbuf->bufsz -= sz * 16;
return 0; return 0;
} }
@ -449,14 +440,14 @@ static __inline__ int r300_emit_clear(drm_radeon_private_t *dev_priv,
{ {
RING_LOCALS; RING_LOCALS;
if (8 * 4 > cmdbuf->bufsz) if (8 * 4 > drm_buffer_unprocessed(cmdbuf->buffer))
return -EINVAL; return -EINVAL;
BEGIN_RING(10); BEGIN_RING(10);
OUT_RING(CP_PACKET3(R200_3D_DRAW_IMMD_2, 8)); OUT_RING(CP_PACKET3(R200_3D_DRAW_IMMD_2, 8));
OUT_RING(R300_PRIM_TYPE_POINT | R300_PRIM_WALK_RING | OUT_RING(R300_PRIM_TYPE_POINT | R300_PRIM_WALK_RING |
(1 << R300_PRIM_NUM_VERTICES_SHIFT)); (1 << R300_PRIM_NUM_VERTICES_SHIFT));
OUT_RING_TABLE((int *)cmdbuf->buf, 8); OUT_RING_DRM_BUFFER(cmdbuf->buffer, 8);
ADVANCE_RING(); ADVANCE_RING();
BEGIN_RING(4); BEGIN_RING(4);
@ -468,9 +459,6 @@ static __inline__ int r300_emit_clear(drm_radeon_private_t *dev_priv,
/* set flush flag */ /* set flush flag */
dev_priv->track_flush |= RADEON_FLUSH_EMITED; dev_priv->track_flush |= RADEON_FLUSH_EMITED;
cmdbuf->buf += 8 * 4;
cmdbuf->bufsz -= 8 * 4;
return 0; return 0;
} }
@ -480,28 +468,29 @@ static __inline__ int r300_emit_3d_load_vbpntr(drm_radeon_private_t *dev_priv,
{ {
int count, i, k; int count, i, k;
#define MAX_ARRAY_PACKET 64 #define MAX_ARRAY_PACKET 64
u32 payload[MAX_ARRAY_PACKET]; u32 *data;
u32 narrays; u32 narrays;
RING_LOCALS; RING_LOCALS;
count = (header >> 16) & 0x3fff; count = (header & RADEON_CP_PACKET_COUNT_MASK) >> 16;
if ((count + 1) > MAX_ARRAY_PACKET) { if ((count + 1) > MAX_ARRAY_PACKET) {
DRM_ERROR("Too large payload in 3D_LOAD_VBPNTR (count=%d)\n", DRM_ERROR("Too large payload in 3D_LOAD_VBPNTR (count=%d)\n",
count); count);
return -EINVAL; return -EINVAL;
} }
memset(payload, 0, MAX_ARRAY_PACKET * 4);
memcpy(payload, cmdbuf->buf + 4, (count + 1) * 4);
/* carefully check packet contents */ /* carefully check packet contents */
narrays = payload[0]; /* We have already read the header so advance the buffer. */
drm_buffer_advance(cmdbuf->buffer, 4);
narrays = *(u32 *)drm_buffer_pointer_to_dword(cmdbuf->buffer, 0);
k = 0; k = 0;
i = 1; i = 1;
while ((k < narrays) && (i < (count + 1))) { while ((k < narrays) && (i < (count + 1))) {
i++; /* skip attribute field */ i++; /* skip attribute field */
if (!radeon_check_offset(dev_priv, payload[i])) { data = drm_buffer_pointer_to_dword(cmdbuf->buffer, i);
if (!radeon_check_offset(dev_priv, *data)) {
DRM_ERROR DRM_ERROR
("Offset failed range check (k=%d i=%d) while processing 3D_LOAD_VBPNTR packet.\n", ("Offset failed range check (k=%d i=%d) while processing 3D_LOAD_VBPNTR packet.\n",
k, i); k, i);
@ -512,7 +501,8 @@ static __inline__ int r300_emit_3d_load_vbpntr(drm_radeon_private_t *dev_priv,
if (k == narrays) if (k == narrays)
break; break;
/* have one more to process, they come in pairs */ /* have one more to process, they come in pairs */
if (!radeon_check_offset(dev_priv, payload[i])) { data = drm_buffer_pointer_to_dword(cmdbuf->buffer, i);
if (!radeon_check_offset(dev_priv, *data)) {
DRM_ERROR DRM_ERROR
("Offset failed range check (k=%d i=%d) while processing 3D_LOAD_VBPNTR packet.\n", ("Offset failed range check (k=%d i=%d) while processing 3D_LOAD_VBPNTR packet.\n",
k, i); k, i);
@ -533,30 +523,30 @@ static __inline__ int r300_emit_3d_load_vbpntr(drm_radeon_private_t *dev_priv,
BEGIN_RING(count + 2); BEGIN_RING(count + 2);
OUT_RING(header); OUT_RING(header);
OUT_RING_TABLE(payload, count + 1); OUT_RING_DRM_BUFFER(cmdbuf->buffer, count + 1);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += (count + 2) * 4;
cmdbuf->bufsz -= (count + 2) * 4;
return 0; return 0;
} }
static __inline__ int r300_emit_bitblt_multi(drm_radeon_private_t *dev_priv, static __inline__ int r300_emit_bitblt_multi(drm_radeon_private_t *dev_priv,
drm_radeon_kcmd_buffer_t *cmdbuf) drm_radeon_kcmd_buffer_t *cmdbuf)
{ {
u32 *cmd = (u32 *) cmdbuf->buf; u32 *cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, 0);
int count, ret; int count, ret;
RING_LOCALS; RING_LOCALS;
count=(cmd[0]>>16) & 0x3fff;
if (cmd[0] & 0x8000) { count = (*cmd & RADEON_CP_PACKET_COUNT_MASK) >> 16;
if (*cmd & 0x8000) {
u32 offset; u32 offset;
u32 *cmd1 = drm_buffer_pointer_to_dword(cmdbuf->buffer, 1);
if (cmd[1] & (RADEON_GMC_SRC_PITCH_OFFSET_CNTL if (*cmd1 & (RADEON_GMC_SRC_PITCH_OFFSET_CNTL
| RADEON_GMC_DST_PITCH_OFFSET_CNTL)) { | RADEON_GMC_DST_PITCH_OFFSET_CNTL)) {
offset = cmd[2] << 10;
u32 *cmd2 = drm_buffer_pointer_to_dword(cmdbuf->buffer, 2);
offset = *cmd2 << 10;
ret = !radeon_check_offset(dev_priv, offset); ret = !radeon_check_offset(dev_priv, offset);
if (ret) { if (ret) {
DRM_ERROR("Invalid bitblt first offset is %08X\n", offset); DRM_ERROR("Invalid bitblt first offset is %08X\n", offset);
@ -564,9 +554,10 @@ static __inline__ int r300_emit_bitblt_multi(drm_radeon_private_t *dev_priv,
} }
} }
if ((cmd[1] & RADEON_GMC_SRC_PITCH_OFFSET_CNTL) && if ((*cmd1 & RADEON_GMC_SRC_PITCH_OFFSET_CNTL) &&
(cmd[1] & RADEON_GMC_DST_PITCH_OFFSET_CNTL)) { (*cmd1 & RADEON_GMC_DST_PITCH_OFFSET_CNTL)) {
offset = cmd[3] << 10; u32 *cmd3 = drm_buffer_pointer_to_dword(cmdbuf->buffer, 3);
offset = *cmd3 << 10;
ret = !radeon_check_offset(dev_priv, offset); ret = !radeon_check_offset(dev_priv, offset);
if (ret) { if (ret) {
DRM_ERROR("Invalid bitblt second offset is %08X\n", offset); DRM_ERROR("Invalid bitblt second offset is %08X\n", offset);
@ -577,28 +568,25 @@ static __inline__ int r300_emit_bitblt_multi(drm_radeon_private_t *dev_priv,
} }
BEGIN_RING(count+2); BEGIN_RING(count+2);
OUT_RING(cmd[0]); OUT_RING_DRM_BUFFER(cmdbuf->buffer, count + 2);
OUT_RING_TABLE((int *)(cmdbuf->buf + 4), count + 1);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += (count+2)*4;
cmdbuf->bufsz -= (count+2)*4;
return 0; return 0;
} }
static __inline__ int r300_emit_draw_indx_2(drm_radeon_private_t *dev_priv, static __inline__ int r300_emit_draw_indx_2(drm_radeon_private_t *dev_priv,
drm_radeon_kcmd_buffer_t *cmdbuf) drm_radeon_kcmd_buffer_t *cmdbuf)
{ {
u32 *cmd; u32 *cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, 0);
u32 *cmd1 = drm_buffer_pointer_to_dword(cmdbuf->buffer, 1);
int count; int count;
int expected_count; int expected_count;
RING_LOCALS; RING_LOCALS;
cmd = (u32 *) cmdbuf->buf; count = (*cmd & RADEON_CP_PACKET_COUNT_MASK) >> 16;
count = (cmd[0]>>16) & 0x3fff;
expected_count = cmd[1] >> 16; expected_count = *cmd1 >> 16;
if (!(cmd[1] & R300_VAP_VF_CNTL__INDEX_SIZE_32bit)) if (!(*cmd1 & R300_VAP_VF_CNTL__INDEX_SIZE_32bit))
expected_count = (expected_count+1)/2; expected_count = (expected_count+1)/2;
if (count && count != expected_count) { if (count && count != expected_count) {
@ -608,55 +596,53 @@ static __inline__ int r300_emit_draw_indx_2(drm_radeon_private_t *dev_priv,
} }
BEGIN_RING(count+2); BEGIN_RING(count+2);
OUT_RING(cmd[0]); OUT_RING_DRM_BUFFER(cmdbuf->buffer, count + 2);
OUT_RING_TABLE((int *)(cmdbuf->buf + 4), count + 1);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += (count+2)*4;
cmdbuf->bufsz -= (count+2)*4;
if (!count) { if (!count) {
drm_r300_cmd_header_t header; drm_r300_cmd_header_t stack_header, *header;
u32 *cmd1, *cmd2, *cmd3;
if (cmdbuf->bufsz < 4*4 + sizeof(header)) { if (drm_buffer_unprocessed(cmdbuf->buffer)
< 4*4 + sizeof(stack_header)) {
DRM_ERROR("3D_DRAW_INDX_2: expect subsequent INDX_BUFFER, but stream is too short.\n"); DRM_ERROR("3D_DRAW_INDX_2: expect subsequent INDX_BUFFER, but stream is too short.\n");
return -EINVAL; return -EINVAL;
} }
header.u = *(unsigned int *)cmdbuf->buf; header = drm_buffer_read_object(cmdbuf->buffer,
sizeof(stack_header), &stack_header);
cmdbuf->buf += sizeof(header); cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, 0);
cmdbuf->bufsz -= sizeof(header); cmd1 = drm_buffer_pointer_to_dword(cmdbuf->buffer, 1);
cmd = (u32 *) cmdbuf->buf; cmd2 = drm_buffer_pointer_to_dword(cmdbuf->buffer, 2);
cmd3 = drm_buffer_pointer_to_dword(cmdbuf->buffer, 3);
if (header.header.cmd_type != R300_CMD_PACKET3 || if (header->header.cmd_type != R300_CMD_PACKET3 ||
header.packet3.packet != R300_CMD_PACKET3_RAW || header->packet3.packet != R300_CMD_PACKET3_RAW ||
cmd[0] != CP_PACKET3(RADEON_CP_INDX_BUFFER, 2)) { *cmd != CP_PACKET3(RADEON_CP_INDX_BUFFER, 2)) {
DRM_ERROR("3D_DRAW_INDX_2: expect subsequent INDX_BUFFER.\n"); DRM_ERROR("3D_DRAW_INDX_2: expect subsequent INDX_BUFFER.\n");
return -EINVAL; return -EINVAL;
} }
if ((cmd[1] & 0x8000ffff) != 0x80000810) { if ((*cmd1 & 0x8000ffff) != 0x80000810) {
DRM_ERROR("Invalid indx_buffer reg address %08X\n", cmd[1]); DRM_ERROR("Invalid indx_buffer reg address %08X\n",
*cmd1);
return -EINVAL; return -EINVAL;
} }
if (!radeon_check_offset(dev_priv, cmd[2])) { if (!radeon_check_offset(dev_priv, *cmd2)) {
DRM_ERROR("Invalid indx_buffer offset is %08X\n", cmd[2]); DRM_ERROR("Invalid indx_buffer offset is %08X\n",
*cmd2);
return -EINVAL; return -EINVAL;
} }
if (cmd[3] != expected_count) { if (*cmd3 != expected_count) {
DRM_ERROR("INDX_BUFFER: buffer size %i, expected %i\n", DRM_ERROR("INDX_BUFFER: buffer size %i, expected %i\n",
cmd[3], expected_count); *cmd3, expected_count);
return -EINVAL; return -EINVAL;
} }
BEGIN_RING(4); BEGIN_RING(4);
OUT_RING(cmd[0]); OUT_RING_DRM_BUFFER(cmdbuf->buffer, 4);
OUT_RING_TABLE((int *)(cmdbuf->buf + 4), 3);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += 4*4;
cmdbuf->bufsz -= 4*4;
} }
return 0; return 0;
@ -665,39 +651,39 @@ static __inline__ int r300_emit_draw_indx_2(drm_radeon_private_t *dev_priv,
static __inline__ int r300_emit_raw_packet3(drm_radeon_private_t *dev_priv, static __inline__ int r300_emit_raw_packet3(drm_radeon_private_t *dev_priv,
drm_radeon_kcmd_buffer_t *cmdbuf) drm_radeon_kcmd_buffer_t *cmdbuf)
{ {
u32 header; u32 *header;
int count; int count;
RING_LOCALS; RING_LOCALS;
if (4 > cmdbuf->bufsz) if (4 > drm_buffer_unprocessed(cmdbuf->buffer))
return -EINVAL; return -EINVAL;
/* Fixme !! This simply emits a packet without much checking. /* Fixme !! This simply emits a packet without much checking.
We need to be smarter. */ We need to be smarter. */
/* obtain first word - actual packet3 header */ /* obtain first word - actual packet3 header */
header = *(u32 *) cmdbuf->buf; header = drm_buffer_pointer_to_dword(cmdbuf->buffer, 0);
/* Is it packet 3 ? */ /* Is it packet 3 ? */
if ((header >> 30) != 0x3) { if ((*header >> 30) != 0x3) {
DRM_ERROR("Not a packet3 header (0x%08x)\n", header); DRM_ERROR("Not a packet3 header (0x%08x)\n", *header);
return -EINVAL; return -EINVAL;
} }
count = (header >> 16) & 0x3fff; count = (*header >> 16) & 0x3fff;
/* Check again now that we know how much data to expect */ /* Check again now that we know how much data to expect */
if ((count + 2) * 4 > cmdbuf->bufsz) { if ((count + 2) * 4 > drm_buffer_unprocessed(cmdbuf->buffer)) {
DRM_ERROR DRM_ERROR
("Expected packet3 of length %d but have only %d bytes left\n", ("Expected packet3 of length %d but have only %d bytes left\n",
(count + 2) * 4, cmdbuf->bufsz); (count + 2) * 4, drm_buffer_unprocessed(cmdbuf->buffer));
return -EINVAL; return -EINVAL;
} }
/* Is it a packet type we know about ? */ /* Is it a packet type we know about ? */
switch (header & 0xff00) { switch (*header & 0xff00) {
case RADEON_3D_LOAD_VBPNTR: /* load vertex array pointers */ case RADEON_3D_LOAD_VBPNTR: /* load vertex array pointers */
return r300_emit_3d_load_vbpntr(dev_priv, cmdbuf, header); return r300_emit_3d_load_vbpntr(dev_priv, cmdbuf, *header);
case RADEON_CNTL_BITBLT_MULTI: case RADEON_CNTL_BITBLT_MULTI:
return r300_emit_bitblt_multi(dev_priv, cmdbuf); return r300_emit_bitblt_multi(dev_priv, cmdbuf);
@ -723,18 +709,14 @@ static __inline__ int r300_emit_raw_packet3(drm_radeon_private_t *dev_priv,
/* these packets are safe */ /* these packets are safe */
break; break;
default: default:
DRM_ERROR("Unknown packet3 header (0x%08x)\n", header); DRM_ERROR("Unknown packet3 header (0x%08x)\n", *header);
return -EINVAL; return -EINVAL;
} }
BEGIN_RING(count + 2); BEGIN_RING(count + 2);
OUT_RING(header); OUT_RING_DRM_BUFFER(cmdbuf->buffer, count + 2);
OUT_RING_TABLE((int *)(cmdbuf->buf + 4), count + 1);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += (count + 2) * 4;
cmdbuf->bufsz -= (count + 2) * 4;
return 0; return 0;
} }
@ -748,8 +730,7 @@ static __inline__ int r300_emit_packet3(drm_radeon_private_t *dev_priv,
{ {
int n; int n;
int ret; int ret;
char *orig_buf = cmdbuf->buf; int orig_iter = cmdbuf->buffer->iterator;
int orig_bufsz = cmdbuf->bufsz;
/* This is a do-while-loop so that we run the interior at least once, /* This is a do-while-loop so that we run the interior at least once,
* even if cmdbuf->nbox is 0. Compare r300_emit_cliprects for rationale. * even if cmdbuf->nbox is 0. Compare r300_emit_cliprects for rationale.
@ -761,8 +742,7 @@ static __inline__ int r300_emit_packet3(drm_radeon_private_t *dev_priv,
if (ret) if (ret)
return ret; return ret;
cmdbuf->buf = orig_buf; cmdbuf->buffer->iterator = orig_iter;
cmdbuf->bufsz = orig_bufsz;
} }
switch (header.packet3.packet) { switch (header.packet3.packet) {
@ -785,9 +765,9 @@ static __inline__ int r300_emit_packet3(drm_radeon_private_t *dev_priv,
break; break;
default: default:
DRM_ERROR("bad packet3 type %i at %p\n", DRM_ERROR("bad packet3 type %i at byte %d\n",
header.packet3.packet, header.packet3.packet,
cmdbuf->buf - sizeof(header)); cmdbuf->buffer->iterator - sizeof(header));
return -EINVAL; return -EINVAL;
} }
@ -923,12 +903,13 @@ static int r300_scratch(drm_radeon_private_t *dev_priv,
drm_r300_cmd_header_t header) drm_r300_cmd_header_t header)
{ {
u32 *ref_age_base; u32 *ref_age_base;
u32 i, buf_idx, h_pending; u32 i, *buf_idx, h_pending;
u64 ptr_addr; u64 *ptr_addr;
u64 stack_ptr_addr;
RING_LOCALS; RING_LOCALS;
if (cmdbuf->bufsz < if (drm_buffer_unprocessed(cmdbuf->buffer) <
(sizeof(u64) + header.scratch.n_bufs * sizeof(buf_idx))) { (sizeof(u64) + header.scratch.n_bufs * sizeof(*buf_idx))) {
return -EINVAL; return -EINVAL;
} }
@ -938,36 +919,35 @@ static int r300_scratch(drm_radeon_private_t *dev_priv,
dev_priv->scratch_ages[header.scratch.reg]++; dev_priv->scratch_ages[header.scratch.reg]++;
ptr_addr = get_unaligned((u64 *)cmdbuf->buf); ptr_addr = drm_buffer_read_object(cmdbuf->buffer,
ref_age_base = (u32 *)(unsigned long)ptr_addr; sizeof(stack_ptr_addr), &stack_ptr_addr);
ref_age_base = (u32 *)(unsigned long)*ptr_addr;
cmdbuf->buf += sizeof(u64);
cmdbuf->bufsz -= sizeof(u64);
for (i=0; i < header.scratch.n_bufs; i++) { for (i=0; i < header.scratch.n_bufs; i++) {
buf_idx = *(u32 *)cmdbuf->buf; buf_idx = drm_buffer_pointer_to_dword(cmdbuf->buffer, 0);
buf_idx *= 2; /* 8 bytes per buf */ *buf_idx *= 2; /* 8 bytes per buf */
if (DRM_COPY_TO_USER(ref_age_base + buf_idx, &dev_priv->scratch_ages[header.scratch.reg], sizeof(u32))) { if (DRM_COPY_TO_USER(ref_age_base + *buf_idx,
&dev_priv->scratch_ages[header.scratch.reg],
sizeof(u32)))
return -EINVAL; return -EINVAL;
}
if (DRM_COPY_FROM_USER(&h_pending, ref_age_base + buf_idx + 1, sizeof(u32))) { if (DRM_COPY_FROM_USER(&h_pending,
ref_age_base + *buf_idx + 1,
sizeof(u32)))
return -EINVAL; return -EINVAL;
}
if (h_pending == 0) { if (h_pending == 0)
return -EINVAL; return -EINVAL;
}
h_pending--; h_pending--;
if (DRM_COPY_TO_USER(ref_age_base + buf_idx + 1, &h_pending, sizeof(u32))) { if (DRM_COPY_TO_USER(ref_age_base + *buf_idx + 1,
&h_pending,
sizeof(u32)))
return -EINVAL; return -EINVAL;
}
cmdbuf->buf += sizeof(buf_idx); drm_buffer_advance(cmdbuf->buffer, sizeof(*buf_idx));
cmdbuf->bufsz -= sizeof(buf_idx);
} }
BEGIN_RING(2); BEGIN_RING(2);
@ -1009,19 +989,16 @@ static inline int r300_emit_r500fp(drm_radeon_private_t *dev_priv,
DRM_DEBUG("r500fp %d %d type: %d\n", sz, addr, type); DRM_DEBUG("r500fp %d %d type: %d\n", sz, addr, type);
if (!sz) if (!sz)
return 0; return 0;
if (sz * stride * 4 > cmdbuf->bufsz) if (sz * stride * 4 > drm_buffer_unprocessed(cmdbuf->buffer))
return -EINVAL; return -EINVAL;
BEGIN_RING(3 + sz * stride); BEGIN_RING(3 + sz * stride);
OUT_RING_REG(R500_GA_US_VECTOR_INDEX, addr); OUT_RING_REG(R500_GA_US_VECTOR_INDEX, addr);
OUT_RING(CP_PACKET0_TABLE(R500_GA_US_VECTOR_DATA, sz * stride - 1)); OUT_RING(CP_PACKET0_TABLE(R500_GA_US_VECTOR_DATA, sz * stride - 1));
OUT_RING_TABLE((int *)cmdbuf->buf, sz * stride); OUT_RING_DRM_BUFFER(cmdbuf->buffer, sz * stride);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += sz * stride * 4;
cmdbuf->bufsz -= sz * stride * 4;
return 0; return 0;
} }
@ -1053,19 +1030,18 @@ int r300_do_cp_cmdbuf(struct drm_device *dev,
goto cleanup; goto cleanup;
} }
while (cmdbuf->bufsz >= sizeof(drm_r300_cmd_header_t)) { while (drm_buffer_unprocessed(cmdbuf->buffer)
>= sizeof(drm_r300_cmd_header_t)) {
int idx; int idx;
drm_r300_cmd_header_t header; drm_r300_cmd_header_t *header, stack_header;
header.u = *(unsigned int *)cmdbuf->buf; header = drm_buffer_read_object(cmdbuf->buffer,
sizeof(stack_header), &stack_header);
cmdbuf->buf += sizeof(header); switch (header->header.cmd_type) {
cmdbuf->bufsz -= sizeof(header);
switch (header.header.cmd_type) {
case R300_CMD_PACKET0: case R300_CMD_PACKET0:
DRM_DEBUG("R300_CMD_PACKET0\n"); DRM_DEBUG("R300_CMD_PACKET0\n");
ret = r300_emit_packet0(dev_priv, cmdbuf, header); ret = r300_emit_packet0(dev_priv, cmdbuf, *header);
if (ret) { if (ret) {
DRM_ERROR("r300_emit_packet0 failed\n"); DRM_ERROR("r300_emit_packet0 failed\n");
goto cleanup; goto cleanup;
@ -1074,7 +1050,7 @@ int r300_do_cp_cmdbuf(struct drm_device *dev,
case R300_CMD_VPU: case R300_CMD_VPU:
DRM_DEBUG("R300_CMD_VPU\n"); DRM_DEBUG("R300_CMD_VPU\n");
ret = r300_emit_vpu(dev_priv, cmdbuf, header); ret = r300_emit_vpu(dev_priv, cmdbuf, *header);
if (ret) { if (ret) {
DRM_ERROR("r300_emit_vpu failed\n"); DRM_ERROR("r300_emit_vpu failed\n");
goto cleanup; goto cleanup;
@ -1083,7 +1059,7 @@ int r300_do_cp_cmdbuf(struct drm_device *dev,
case R300_CMD_PACKET3: case R300_CMD_PACKET3:
DRM_DEBUG("R300_CMD_PACKET3\n"); DRM_DEBUG("R300_CMD_PACKET3\n");
ret = r300_emit_packet3(dev_priv, cmdbuf, header); ret = r300_emit_packet3(dev_priv, cmdbuf, *header);
if (ret) { if (ret) {
DRM_ERROR("r300_emit_packet3 failed\n"); DRM_ERROR("r300_emit_packet3 failed\n");
goto cleanup; goto cleanup;
@ -1117,8 +1093,8 @@ int r300_do_cp_cmdbuf(struct drm_device *dev,
int i; int i;
RING_LOCALS; RING_LOCALS;
BEGIN_RING(header.delay.count); BEGIN_RING(header->delay.count);
for (i = 0; i < header.delay.count; i++) for (i = 0; i < header->delay.count; i++)
OUT_RING(RADEON_CP_PACKET2); OUT_RING(RADEON_CP_PACKET2);
ADVANCE_RING(); ADVANCE_RING();
} }
@ -1126,7 +1102,7 @@ int r300_do_cp_cmdbuf(struct drm_device *dev,
case R300_CMD_DMA_DISCARD: case R300_CMD_DMA_DISCARD:
DRM_DEBUG("RADEON_CMD_DMA_DISCARD\n"); DRM_DEBUG("RADEON_CMD_DMA_DISCARD\n");
idx = header.dma.buf_idx; idx = header->dma.buf_idx;
if (idx < 0 || idx >= dma->buf_count) { if (idx < 0 || idx >= dma->buf_count) {
DRM_ERROR("buffer index %d (of %d max)\n", DRM_ERROR("buffer index %d (of %d max)\n",
idx, dma->buf_count - 1); idx, dma->buf_count - 1);
@ -1149,12 +1125,12 @@ int r300_do_cp_cmdbuf(struct drm_device *dev,
case R300_CMD_WAIT: case R300_CMD_WAIT:
DRM_DEBUG("R300_CMD_WAIT\n"); DRM_DEBUG("R300_CMD_WAIT\n");
r300_cmd_wait(dev_priv, header); r300_cmd_wait(dev_priv, *header);
break; break;
case R300_CMD_SCRATCH: case R300_CMD_SCRATCH:
DRM_DEBUG("R300_CMD_SCRATCH\n"); DRM_DEBUG("R300_CMD_SCRATCH\n");
ret = r300_scratch(dev_priv, cmdbuf, header); ret = r300_scratch(dev_priv, cmdbuf, *header);
if (ret) { if (ret) {
DRM_ERROR("r300_scratch failed\n"); DRM_ERROR("r300_scratch failed\n");
goto cleanup; goto cleanup;
@ -1168,16 +1144,16 @@ int r300_do_cp_cmdbuf(struct drm_device *dev,
goto cleanup; goto cleanup;
} }
DRM_DEBUG("R300_CMD_R500FP\n"); DRM_DEBUG("R300_CMD_R500FP\n");
ret = r300_emit_r500fp(dev_priv, cmdbuf, header); ret = r300_emit_r500fp(dev_priv, cmdbuf, *header);
if (ret) { if (ret) {
DRM_ERROR("r300_emit_r500fp failed\n"); DRM_ERROR("r300_emit_r500fp failed\n");
goto cleanup; goto cleanup;
} }
break; break;
default: default:
DRM_ERROR("bad cmd_type %i at %p\n", DRM_ERROR("bad cmd_type %i at byte %d\n",
header.header.cmd_type, header->header.cmd_type,
cmdbuf->buf - sizeof(header)); cmdbuf->buffer->iterator - sizeof(*header));
ret = -EINVAL; ret = -EINVAL;
goto cleanup; goto cleanup;
} }

32
drivers/gpu/drm/radeon/radeon_drv.h
View file

@ -312,9 +312,11 @@ typedef struct drm_radeon_buf_priv {
u32 age; u32 age;
} drm_radeon_buf_priv_t; } drm_radeon_buf_priv_t;
struct drm_buffer;
typedef struct drm_radeon_kcmd_buffer { typedef struct drm_radeon_kcmd_buffer {
int bufsz; int bufsz;
char *buf; struct drm_buffer *buffer;
int nbox; int nbox;
struct drm_clip_rect __user *boxes; struct drm_clip_rect __user *boxes;
} drm_radeon_kcmd_buffer_t; } drm_radeon_kcmd_buffer_t;
@ -2124,4 +2126,32 @@ extern void radeon_commit_ring(drm_radeon_private_t *dev_priv);
write &= mask; \ write &= mask; \
} while (0) } while (0)
/**
* Copy given number of dwords from drm buffer to the ring buffer.
*/
#define OUT_RING_DRM_BUFFER(buf, sz) do { \
int _size = (sz) * 4; \
struct drm_buffer *_buf = (buf); \
int _part_size; \
while (_size > 0) { \
_part_size = _size; \
\
if (write + _part_size/4 > mask) \
_part_size = ((mask + 1) - write)*4; \
\
if (drm_buffer_index(_buf) + _part_size > PAGE_SIZE) \
_part_size = PAGE_SIZE - drm_buffer_index(_buf);\
\
\
\
memcpy(ring + write, &_buf->data[drm_buffer_page(_buf)] \
[drm_buffer_index(_buf)], _part_size); \
\
_size -= _part_size; \
write = (write + _part_size/4) & mask; \
drm_buffer_advance(_buf, _part_size); \
} \
} while (0)
#endif /* __RADEON_DRV_H__ */ #endif /* __RADEON_DRV_H__ */

197
drivers/gpu/drm/radeon/radeon_state.c
View file

@ -29,6 +29,7 @@
#include "drmP.h" #include "drmP.h"
#include "drm.h" #include "drm.h"
#include "drm_buffer.h"
#include "drm_sarea.h" #include "drm_sarea.h"
#include "radeon_drm.h" #include "radeon_drm.h"
#include "radeon_drv.h" #include "radeon_drv.h"
@ -91,21 +92,26 @@ static __inline__ int radeon_check_and_fixup_offset(drm_radeon_private_t *
static __inline__ int radeon_check_and_fixup_packets(drm_radeon_private_t * static __inline__ int radeon_check_and_fixup_packets(drm_radeon_private_t *
dev_priv, dev_priv,
struct drm_file *file_priv, struct drm_file *file_priv,
int id, u32 *data) int id, struct drm_buffer *buf)
{ {
u32 *data;
switch (id) { switch (id) {
case RADEON_EMIT_PP_MISC: case RADEON_EMIT_PP_MISC:
if (radeon_check_and_fixup_offset(dev_priv, file_priv, data = drm_buffer_pointer_to_dword(buf,
&data[(RADEON_RB3D_DEPTHOFFSET - RADEON_PP_MISC) / 4])) { (RADEON_RB3D_DEPTHOFFSET - RADEON_PP_MISC) / 4);
if (radeon_check_and_fixup_offset(dev_priv, file_priv, data)) {
DRM_ERROR("Invalid depth buffer offset\n"); DRM_ERROR("Invalid depth buffer offset\n");
return -EINVAL; return -EINVAL;
} }
break; break;
case RADEON_EMIT_PP_CNTL: case RADEON_EMIT_PP_CNTL:
if (radeon_check_and_fixup_offset(dev_priv, file_priv, data = drm_buffer_pointer_to_dword(buf,
&data[(RADEON_RB3D_COLOROFFSET - RADEON_PP_CNTL) / 4])) { (RADEON_RB3D_COLOROFFSET - RADEON_PP_CNTL) / 4);
if (radeon_check_and_fixup_offset(dev_priv, file_priv, data)) {
DRM_ERROR("Invalid colour buffer offset\n"); DRM_ERROR("Invalid colour buffer offset\n");
return -EINVAL; return -EINVAL;
} }
@ -117,8 +123,8 @@ static __inline__ int radeon_check_and_fixup_packets(drm_radeon_private_t *
case R200_EMIT_PP_TXOFFSET_3: case R200_EMIT_PP_TXOFFSET_3:
case R200_EMIT_PP_TXOFFSET_4: case R200_EMIT_PP_TXOFFSET_4:
case R200_EMIT_PP_TXOFFSET_5: case R200_EMIT_PP_TXOFFSET_5:
if (radeon_check_and_fixup_offset(dev_priv, file_priv, data = drm_buffer_pointer_to_dword(buf, 0);
&data[0])) { if (radeon_check_and_fixup_offset(dev_priv, file_priv, data)) {
DRM_ERROR("Invalid R200 texture offset\n"); DRM_ERROR("Invalid R200 texture offset\n");
return -EINVAL; return -EINVAL;
} }
@ -127,8 +133,9 @@ static __inline__ int radeon_check_and_fixup_packets(drm_radeon_private_t *
case RADEON_EMIT_PP_TXFILTER_0: case RADEON_EMIT_PP_TXFILTER_0:
case RADEON_EMIT_PP_TXFILTER_1: case RADEON_EMIT_PP_TXFILTER_1:
case RADEON_EMIT_PP_TXFILTER_2: case RADEON_EMIT_PP_TXFILTER_2:
if (radeon_check_and_fixup_offset(dev_priv, file_priv, data = drm_buffer_pointer_to_dword(buf,
&data[(RADEON_PP_TXOFFSET_0 - RADEON_PP_TXFILTER_0) / 4])) { (RADEON_PP_TXOFFSET_0 - RADEON_PP_TXFILTER_0) / 4);
if (radeon_check_and_fixup_offset(dev_priv, file_priv, data)) {
DRM_ERROR("Invalid R100 texture offset\n"); DRM_ERROR("Invalid R100 texture offset\n");
return -EINVAL; return -EINVAL;
} }
@ -142,9 +149,10 @@ static __inline__ int radeon_check_and_fixup_packets(drm_radeon_private_t *
case R200_EMIT_PP_CUBIC_OFFSETS_5:{ case R200_EMIT_PP_CUBIC_OFFSETS_5:{
int i; int i;
for (i = 0; i < 5; i++) { for (i = 0; i < 5; i++) {
data = drm_buffer_pointer_to_dword(buf, i);
if (radeon_check_and_fixup_offset(dev_priv, if (radeon_check_and_fixup_offset(dev_priv,
file_priv, file_priv,
&data[i])) { data)) {
DRM_ERROR DRM_ERROR
("Invalid R200 cubic texture offset\n"); ("Invalid R200 cubic texture offset\n");
return -EINVAL; return -EINVAL;
@ -158,9 +166,10 @@ static __inline__ int radeon_check_and_fixup_packets(drm_radeon_private_t *
case RADEON_EMIT_PP_CUBIC_OFFSETS_T2:{ case RADEON_EMIT_PP_CUBIC_OFFSETS_T2:{
int i; int i;
for (i = 0; i < 5; i++) { for (i = 0; i < 5; i++) {
data = drm_buffer_pointer_to_dword(buf, i);
if (radeon_check_and_fixup_offset(dev_priv, if (radeon_check_and_fixup_offset(dev_priv,
file_priv, file_priv,
&data[i])) { data)) {
DRM_ERROR DRM_ERROR
("Invalid R100 cubic texture offset\n"); ("Invalid R100 cubic texture offset\n");
return -EINVAL; return -EINVAL;
@ -269,23 +278,24 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t *
cmdbuf, cmdbuf,
unsigned int *cmdsz) unsigned int *cmdsz)
{ {
u32 *cmd = (u32 *) cmdbuf->buf; u32 *cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, 0);
u32 offset, narrays; u32 offset, narrays;
int count, i, k; int count, i, k;
*cmdsz = 2 + ((cmd[0] & RADEON_CP_PACKET_COUNT_MASK) >> 16); count = ((*cmd & RADEON_CP_PACKET_COUNT_MASK) >> 16);
*cmdsz = 2 + count;
if ((cmd[0] & 0xc0000000) != RADEON_CP_PACKET3) { if ((*cmd & 0xc0000000) != RADEON_CP_PACKET3) {
DRM_ERROR("Not a type 3 packet\n"); DRM_ERROR("Not a type 3 packet\n");
return -EINVAL; return -EINVAL;
} }
if (4 * *cmdsz > cmdbuf->bufsz) { if (4 * *cmdsz > drm_buffer_unprocessed(cmdbuf->buffer)) {
DRM_ERROR("Packet size larger than size of data provided\n"); DRM_ERROR("Packet size larger than size of data provided\n");
return -EINVAL; return -EINVAL;
} }
switch(cmd[0] & 0xff00) { switch (*cmd & 0xff00) {
/* XXX Are there old drivers needing other packets? */ /* XXX Are there old drivers needing other packets? */
case RADEON_3D_DRAW_IMMD: case RADEON_3D_DRAW_IMMD:
@ -312,7 +322,6 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t *
break; break;
case RADEON_3D_LOAD_VBPNTR: case RADEON_3D_LOAD_VBPNTR:
count = (cmd[0] >> 16) & 0x3fff;
if (count > 18) { /* 12 arrays max */ if (count > 18) { /* 12 arrays max */
DRM_ERROR("Too large payload in 3D_LOAD_VBPNTR (count=%d)\n", DRM_ERROR("Too large payload in 3D_LOAD_VBPNTR (count=%d)\n",
@ -321,13 +330,16 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t *
} }
/* carefully check packet contents */ /* carefully check packet contents */
narrays = cmd[1] & ~0xc000; cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, 1);
narrays = *cmd & ~0xc000;
k = 0; k = 0;
i = 2; i = 2;
while ((k < narrays) && (i < (count + 2))) { while ((k < narrays) && (i < (count + 2))) {
i++; /* skip attribute field */ i++; /* skip attribute field */
cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, i);
if (radeon_check_and_fixup_offset(dev_priv, file_priv, if (radeon_check_and_fixup_offset(dev_priv, file_priv,
&cmd[i])) { cmd)) {
DRM_ERROR DRM_ERROR
("Invalid offset (k=%d i=%d) in 3D_LOAD_VBPNTR packet.\n", ("Invalid offset (k=%d i=%d) in 3D_LOAD_VBPNTR packet.\n",
k, i); k, i);
@ -338,8 +350,10 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t *
if (k == narrays) if (k == narrays)
break; break;
/* have one more to process, they come in pairs */ /* have one more to process, they come in pairs */
cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, i);
if (radeon_check_and_fixup_offset(dev_priv, if (radeon_check_and_fixup_offset(dev_priv,
file_priv, &cmd[i])) file_priv, cmd))
{ {
DRM_ERROR DRM_ERROR
("Invalid offset (k=%d i=%d) in 3D_LOAD_VBPNTR packet.\n", ("Invalid offset (k=%d i=%d) in 3D_LOAD_VBPNTR packet.\n",
@ -363,7 +377,9 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t *
DRM_ERROR("Invalid 3d packet for r200-class chip\n"); DRM_ERROR("Invalid 3d packet for r200-class chip\n");
return -EINVAL; return -EINVAL;
} }
if (radeon_check_and_fixup_offset(dev_priv, file_priv, &cmd[1])) {
cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, 1);
if (radeon_check_and_fixup_offset(dev_priv, file_priv, cmd)) {
DRM_ERROR("Invalid rndr_gen_indx offset\n"); DRM_ERROR("Invalid rndr_gen_indx offset\n");
return -EINVAL; return -EINVAL;
} }
@ -374,12 +390,15 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t *
DRM_ERROR("Invalid 3d packet for r100-class chip\n"); DRM_ERROR("Invalid 3d packet for r100-class chip\n");
return -EINVAL; return -EINVAL;
} }
if ((cmd[1] & 0x8000ffff) != 0x80000810) {
DRM_ERROR("Invalid indx_buffer reg address %08X\n", cmd[1]); cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, 1);
if ((*cmd & 0x8000ffff) != 0x80000810) {
DRM_ERROR("Invalid indx_buffer reg address %08X\n", *cmd);
return -EINVAL; return -EINVAL;
} }
if (radeon_check_and_fixup_offset(dev_priv, file_priv, &cmd[2])) { cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, 2);
DRM_ERROR("Invalid indx_buffer offset is %08X\n", cmd[2]); if (radeon_check_and_fixup_offset(dev_priv, file_priv, cmd)) {
DRM_ERROR("Invalid indx_buffer offset is %08X\n", *cmd);
return -EINVAL; return -EINVAL;
} }
break; break;
@ -388,31 +407,34 @@ static __inline__ int radeon_check_and_fixup_packet3(drm_radeon_private_t *
case RADEON_CNTL_PAINT_MULTI: case RADEON_CNTL_PAINT_MULTI:
case RADEON_CNTL_BITBLT_MULTI: case RADEON_CNTL_BITBLT_MULTI:
/* MSB of opcode: next DWORD GUI_CNTL */ /* MSB of opcode: next DWORD GUI_CNTL */
if (cmd[1] & (RADEON_GMC_SRC_PITCH_OFFSET_CNTL cmd = drm_buffer_pointer_to_dword(cmdbuf->buffer, 1);
if (*cmd & (RADEON_GMC_SRC_PITCH_OFFSET_CNTL
| RADEON_GMC_DST_PITCH_OFFSET_CNTL)) { | RADEON_GMC_DST_PITCH_OFFSET_CNTL)) {
offset = cmd[2] << 10; u32 *cmd2 = drm_buffer_pointer_to_dword(cmdbuf->buffer, 2);
offset = *cmd2 << 10;
if (radeon_check_and_fixup_offset if (radeon_check_and_fixup_offset
(dev_priv, file_priv, &offset)) { (dev_priv, file_priv, &offset)) {
DRM_ERROR("Invalid first packet offset\n"); DRM_ERROR("Invalid first packet offset\n");
return -EINVAL; return -EINVAL;
} }
cmd[2] = (cmd[2] & 0xffc00000) | offset >> 10; *cmd2 = (*cmd2 & 0xffc00000) | offset >> 10;
} }
if ((cmd[1] & RADEON_GMC_SRC_PITCH_OFFSET_CNTL) && if ((*cmd & RADEON_GMC_SRC_PITCH_OFFSET_CNTL) &&
(cmd[1] & RADEON_GMC_DST_PITCH_OFFSET_CNTL)) { (*cmd & RADEON_GMC_DST_PITCH_OFFSET_CNTL)) {
offset = cmd[3] << 10; u32 *cmd3 = drm_buffer_pointer_to_dword(cmdbuf->buffer, 3);
offset = *cmd << 10;
if (radeon_check_and_fixup_offset if (radeon_check_and_fixup_offset
(dev_priv, file_priv, &offset)) { (dev_priv, file_priv, &offset)) {
DRM_ERROR("Invalid second packet offset\n"); DRM_ERROR("Invalid second packet offset\n");
return -EINVAL; return -EINVAL;
} }
cmd[3] = (cmd[3] & 0xffc00000) | offset >> 10; *cmd3 = (*cmd3 & 0xffc00000) | offset >> 10;
} }
break; break;
default: default:
DRM_ERROR("Invalid packet type %x\n", cmd[0] & 0xff00); DRM_ERROR("Invalid packet type %x\n", *cmd & 0xff00);
return -EINVAL; return -EINVAL;
} }
@ -2611,7 +2633,6 @@ static int radeon_emit_packets(drm_radeon_private_t * dev_priv,
{ {
int id = (int)header.packet.packet_id; int id = (int)header.packet.packet_id;
int sz, reg; int sz, reg;
int *data = (int *)cmdbuf->buf;
RING_LOCALS; RING_LOCALS;
if (id >= RADEON_MAX_STATE_PACKETS) if (id >= RADEON_MAX_STATE_PACKETS)
@ -2620,23 +2641,22 @@ static int radeon_emit_packets(drm_radeon_private_t * dev_priv,
sz = packet[id].len; sz = packet[id].len;
reg = packet[id].start; reg = packet[id].start;
if (sz * sizeof(int) > cmdbuf->bufsz) { if (sz * sizeof(u32) > drm_buffer_unprocessed(cmdbuf->buffer)) {
DRM_ERROR("Packet size provided larger than data provided\n"); DRM_ERROR("Packet size provided larger than data provided\n");
return -EINVAL; return -EINVAL;
} }
if (radeon_check_and_fixup_packets(dev_priv, file_priv, id, data)) { if (radeon_check_and_fixup_packets(dev_priv, file_priv, id,
cmdbuf->buffer)) {
DRM_ERROR("Packet verification failed\n"); DRM_ERROR("Packet verification failed\n");
return -EINVAL; return -EINVAL;
} }
BEGIN_RING(sz + 1); BEGIN_RING(sz + 1);
OUT_RING(CP_PACKET0(reg, (sz - 1))); OUT_RING(CP_PACKET0(reg, (sz - 1)));
OUT_RING_TABLE(data, sz); OUT_RING_DRM_BUFFER(cmdbuf->buffer, sz);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += sz * sizeof(int);
cmdbuf->bufsz -= sz * sizeof(int);
return 0; return 0;
} }
@ -2653,10 +2673,8 @@ static __inline__ int radeon_emit_scalars(drm_radeon_private_t *dev_priv,
OUT_RING(CP_PACKET0(RADEON_SE_TCL_SCALAR_INDX_REG, 0)); OUT_RING(CP_PACKET0(RADEON_SE_TCL_SCALAR_INDX_REG, 0));
OUT_RING(start | (stride << RADEON_SCAL_INDX_DWORD_STRIDE_SHIFT)); OUT_RING(start | (stride << RADEON_SCAL_INDX_DWORD_STRIDE_SHIFT));
OUT_RING(CP_PACKET0_TABLE(RADEON_SE_TCL_SCALAR_DATA_REG, sz - 1)); OUT_RING(CP_PACKET0_TABLE(RADEON_SE_TCL_SCALAR_DATA_REG, sz - 1));
OUT_RING_TABLE(cmdbuf->buf, sz); OUT_RING_DRM_BUFFER(cmdbuf->buffer, sz);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += sz * sizeof(int);
cmdbuf->bufsz -= sz * sizeof(int);
return 0; return 0;
} }
@ -2675,10 +2693,8 @@ static __inline__ int radeon_emit_scalars2(drm_radeon_private_t *dev_priv,
OUT_RING(CP_PACKET0(RADEON_SE_TCL_SCALAR_INDX_REG, 0)); OUT_RING(CP_PACKET0(RADEON_SE_TCL_SCALAR_INDX_REG, 0));
OUT_RING(start | (stride << RADEON_SCAL_INDX_DWORD_STRIDE_SHIFT)); OUT_RING(start | (stride << RADEON_SCAL_INDX_DWORD_STRIDE_SHIFT));
OUT_RING(CP_PACKET0_TABLE(RADEON_SE_TCL_SCALAR_DATA_REG, sz - 1)); OUT_RING(CP_PACKET0_TABLE(RADEON_SE_TCL_SCALAR_DATA_REG, sz - 1));
OUT_RING_TABLE(cmdbuf->buf, sz); OUT_RING_DRM_BUFFER(cmdbuf->buffer, sz);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += sz * sizeof(int);
cmdbuf->bufsz -= sz * sizeof(int);
return 0; return 0;
} }
@ -2696,11 +2712,9 @@ static __inline__ int radeon_emit_vectors(drm_radeon_private_t *dev_priv,
OUT_RING(CP_PACKET0(RADEON_SE_TCL_VECTOR_INDX_REG, 0)); OUT_RING(CP_PACKET0(RADEON_SE_TCL_VECTOR_INDX_REG, 0));
OUT_RING(start | (stride << RADEON_VEC_INDX_OCTWORD_STRIDE_SHIFT)); OUT_RING(start | (stride << RADEON_VEC_INDX_OCTWORD_STRIDE_SHIFT));
OUT_RING(CP_PACKET0_TABLE(RADEON_SE_TCL_VECTOR_DATA_REG, (sz - 1))); OUT_RING(CP_PACKET0_TABLE(RADEON_SE_TCL_VECTOR_DATA_REG, (sz - 1)));
OUT_RING_TABLE(cmdbuf->buf, sz); OUT_RING_DRM_BUFFER(cmdbuf->buffer, sz);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += sz * sizeof(int);
cmdbuf->bufsz -= sz * sizeof(int);
return 0; return 0;
} }
@ -2714,7 +2728,7 @@ static __inline__ int radeon_emit_veclinear(drm_radeon_private_t *dev_priv,
if (!sz) if (!sz)
return 0; return 0;
if (sz * 4 > cmdbuf->bufsz) if (sz * 4 > drm_buffer_unprocessed(cmdbuf->buffer))
return -EINVAL; return -EINVAL;
BEGIN_RING(5 + sz); BEGIN_RING(5 + sz);
@ -2722,11 +2736,9 @@ static __inline__ int radeon_emit_veclinear(drm_radeon_private_t *dev_priv,
OUT_RING(CP_PACKET0(RADEON_SE_TCL_VECTOR_INDX_REG, 0)); OUT_RING(CP_PACKET0(RADEON_SE_TCL_VECTOR_INDX_REG, 0));
OUT_RING(start | (1 << RADEON_VEC_INDX_OCTWORD_STRIDE_SHIFT)); OUT_RING(start | (1 << RADEON_VEC_INDX_OCTWORD_STRIDE_SHIFT));
OUT_RING(CP_PACKET0_TABLE(RADEON_SE_TCL_VECTOR_DATA_REG, (sz - 1))); OUT_RING(CP_PACKET0_TABLE(RADEON_SE_TCL_VECTOR_DATA_REG, (sz - 1)));
OUT_RING_TABLE(cmdbuf->buf, sz); OUT_RING_DRM_BUFFER(cmdbuf->buffer, sz);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += sz * sizeof(int);
cmdbuf->bufsz -= sz * sizeof(int);
return 0; return 0;
} }
@ -2748,11 +2760,9 @@ static int radeon_emit_packet3(struct drm_device * dev,
} }
BEGIN_RING(cmdsz); BEGIN_RING(cmdsz);
OUT_RING_TABLE(cmdbuf->buf, cmdsz); OUT_RING_DRM_BUFFER(cmdbuf->buffer, cmdsz);
ADVANCE_RING(); ADVANCE_RING();
cmdbuf->buf += cmdsz * 4;
cmdbuf->bufsz -= cmdsz * 4;
return 0; return 0;
} }
@ -2805,16 +2815,16 @@ static int radeon_emit_packet3_cliprect(struct drm_device *dev,
} }
BEGIN_RING(cmdsz); BEGIN_RING(cmdsz);
OUT_RING_TABLE(cmdbuf->buf, cmdsz); OUT_RING_DRM_BUFFER(cmdbuf->buffer, cmdsz);
ADVANCE_RING(); ADVANCE_RING();
} while (++i < cmdbuf->nbox); } while (++i < cmdbuf->nbox);
if (cmdbuf->nbox == 1) if (cmdbuf->nbox == 1)
cmdbuf->nbox = 0; cmdbuf->nbox = 0;
return 0;
out: out:
cmdbuf->buf += cmdsz * 4; drm_buffer_advance(cmdbuf->buffer, cmdsz * 4);
cmdbuf->bufsz -= cmdsz * 4;
return 0; return 0;
} }
@ -2847,16 +2857,16 @@ static int radeon_emit_wait(struct drm_device * dev, int flags)
return 0; return 0;
} }
static int radeon_cp_cmdbuf(struct drm_device *dev, void *data, struct drm_file *file_priv) static int radeon_cp_cmdbuf(struct drm_device *dev, void *data,
struct drm_file *file_priv)
{ {
drm_radeon_private_t *dev_priv = dev->dev_private; drm_radeon_private_t *dev_priv = dev->dev_private;
struct drm_device_dma *dma = dev->dma; struct drm_device_dma *dma = dev->dma;
struct drm_buf *buf = NULL; struct drm_buf *buf = NULL;
drm_radeon_cmd_header_t stack_header;
int idx; int idx;
drm_radeon_kcmd_buffer_t *cmdbuf = data; drm_radeon_kcmd_buffer_t *cmdbuf = data;
drm_radeon_cmd_header_t header; int orig_nbox;
int orig_nbox, orig_bufsz;
char *kbuf = NULL;
LOCK_TEST_WITH_RETURN(dev, file_priv); LOCK_TEST_WITH_RETURN(dev, file_priv);
@ -2871,17 +2881,16 @@ static int radeon_cp_cmdbuf(struct drm_device *dev, void *data, struct drm_file
* races between checking values and using those values in other code, * races between checking values and using those values in other code,
* and simply to avoid a lot of function calls to copy in data. * and simply to avoid a lot of function calls to copy in data.
*/ */
orig_bufsz = cmdbuf->bufsz; if (cmdbuf->bufsz != 0) {
if (orig_bufsz != 0) { int rv;
kbuf = kmalloc(cmdbuf->bufsz, GFP_KERNEL); void __user *buffer = cmdbuf->buffer;
if (kbuf == NULL) rv = drm_buffer_alloc(&cmdbuf->buffer, cmdbuf->bufsz);
return -ENOMEM; if (rv)
if (DRM_COPY_FROM_USER(kbuf, (void __user *)cmdbuf->buf, return rv;
cmdbuf->bufsz)) { rv = drm_buffer_copy_from_user(cmdbuf->buffer, buffer,
kfree(kbuf); cmdbuf->bufsz);
return -EFAULT; if (rv)
} return rv;
cmdbuf->buf = kbuf;
} }
orig_nbox = cmdbuf->nbox; orig_nbox = cmdbuf->nbox;
@ -2890,24 +2899,24 @@ static int radeon_cp_cmdbuf(struct drm_device *dev, void *data, struct drm_file
int temp; int temp;
temp = r300_do_cp_cmdbuf(dev, file_priv, cmdbuf); temp = r300_do_cp_cmdbuf(dev, file_priv, cmdbuf);
if (orig_bufsz != 0) if (cmdbuf->bufsz != 0)
kfree(kbuf); drm_buffer_free(cmdbuf->buffer);
return temp; return temp;
} }
/* microcode_version != r300 */ /* microcode_version != r300 */
while (cmdbuf->bufsz >= sizeof(header)) { while (drm_buffer_unprocessed(cmdbuf->buffer) >= sizeof(stack_header)) {
header.i = *(int *)cmdbuf->buf; drm_radeon_cmd_header_t *header;
cmdbuf->buf += sizeof(header); header = drm_buffer_read_object(cmdbuf->buffer,
cmdbuf->bufsz -= sizeof(header); sizeof(stack_header), &stack_header);
switch (header.header.cmd_type) { switch (header->header.cmd_type) {
case RADEON_CMD_PACKET: case RADEON_CMD_PACKET:
DRM_DEBUG("RADEON_CMD_PACKET\n"); DRM_DEBUG("RADEON_CMD_PACKET\n");
if (radeon_emit_packets if (radeon_emit_packets
(dev_priv, file_priv, header, cmdbuf)) { (dev_priv, file_priv, *header, cmdbuf)) {
DRM_ERROR("radeon_emit_packets failed\n"); DRM_ERROR("radeon_emit_packets failed\n");
goto err; goto err;
} }
@ -2915,7 +2924,7 @@ static int radeon_cp_cmdbuf(struct drm_device *dev, void *data, struct drm_file
case RADEON_CMD_SCALARS: case RADEON_CMD_SCALARS:
DRM_DEBUG("RADEON_CMD_SCALARS\n"); DRM_DEBUG("RADEON_CMD_SCALARS\n");
if (radeon_emit_scalars(dev_priv, header, cmdbuf)) { if (radeon_emit_scalars(dev_priv, *header, cmdbuf)) {
DRM_ERROR("radeon_emit_scalars failed\n"); DRM_ERROR("radeon_emit_scalars failed\n");
goto err; goto err;
} }
@ -2923,7 +2932,7 @@ static int radeon_cp_cmdbuf(struct drm_device *dev, void *data, struct drm_file
case RADEON_CMD_VECTORS: case RADEON_CMD_VECTORS:
DRM_DEBUG("RADEON_CMD_VECTORS\n"); DRM_DEBUG("RADEON_CMD_VECTORS\n");
if (radeon_emit_vectors(dev_priv, header, cmdbuf)) { if (radeon_emit_vectors(dev_priv, *header, cmdbuf)) {
DRM_ERROR("radeon_emit_vectors failed\n"); DRM_ERROR("radeon_emit_vectors failed\n");
goto err; goto err;
} }
@ -2931,7 +2940,7 @@ static int radeon_cp_cmdbuf(struct drm_device *dev, void *data, struct drm_file
case RADEON_CMD_DMA_DISCARD: case RADEON_CMD_DMA_DISCARD:
DRM_DEBUG("RADEON_CMD_DMA_DISCARD\n"); DRM_DEBUG("RADEON_CMD_DMA_DISCARD\n");
idx = header.dma.buf_idx; idx = header->dma.buf_idx;
if (idx < 0 || idx >= dma->buf_count) { if (idx < 0 || idx >= dma->buf_count) {
DRM_ERROR("buffer index %d (of %d max)\n", DRM_ERROR("buffer index %d (of %d max)\n",
idx, dma->buf_count - 1); idx, dma->buf_count - 1);
@ -2968,7 +2977,7 @@ static int radeon_cp_cmdbuf(struct drm_device *dev, void *data, struct drm_file
case RADEON_CMD_SCALARS2: case RADEON_CMD_SCALARS2:
DRM_DEBUG("RADEON_CMD_SCALARS2\n"); DRM_DEBUG("RADEON_CMD_SCALARS2\n");
if (radeon_emit_scalars2(dev_priv, header, cmdbuf)) { if (radeon_emit_scalars2(dev_priv, *header, cmdbuf)) {
DRM_ERROR("radeon_emit_scalars2 failed\n"); DRM_ERROR("radeon_emit_scalars2 failed\n");
goto err; goto err;
} }
@ -2976,37 +2985,37 @@ static int radeon_cp_cmdbuf(struct drm_device *dev, void *data, struct drm_file
case RADEON_CMD_WAIT: case RADEON_CMD_WAIT:
DRM_DEBUG("RADEON_CMD_WAIT\n"); DRM_DEBUG("RADEON_CMD_WAIT\n");
if (radeon_emit_wait(dev, header.wait.flags)) { if (radeon_emit_wait(dev, header->wait.flags)) {
DRM_ERROR("radeon_emit_wait failed\n"); DRM_ERROR("radeon_emit_wait failed\n");
goto err; goto err;
} }
break; break;
case RADEON_CMD_VECLINEAR: case RADEON_CMD_VECLINEAR:
DRM_DEBUG("RADEON_CMD_VECLINEAR\n"); DRM_DEBUG("RADEON_CMD_VECLINEAR\n");
if (radeon_emit_veclinear(dev_priv, header, cmdbuf)) { if (radeon_emit_veclinear(dev_priv, *header, cmdbuf)) {
DRM_ERROR("radeon_emit_veclinear failed\n"); DRM_ERROR("radeon_emit_veclinear failed\n");
goto err; goto err;
} }
break; break;
default: default:
DRM_ERROR("bad cmd_type %d at %p\n", DRM_ERROR("bad cmd_type %d at byte %d\n",
header.header.cmd_type, header->header.cmd_type,
cmdbuf->buf - sizeof(header)); cmdbuf->buffer->iterator);
goto err; goto err;
} }
} }
if (orig_bufsz != 0) if (cmdbuf->bufsz != 0)
kfree(kbuf); drm_buffer_free(cmdbuf->buffer);
DRM_DEBUG("DONE\n"); DRM_DEBUG("DONE\n");
COMMIT_RING(); COMMIT_RING();
return 0; return 0;
err: err:
if (orig_bufsz != 0) if (cmdbuf->bufsz != 0)
kfree(kbuf); drm_buffer_free(cmdbuf->buffer);
return -EINVAL; return -EINVAL;
} }