Job submission currently relies on the fact that struct drm_tegra_reloc
and struct host1x_reloc are the same size and uses a simple call to the
copy_from_user() function to copy them to kernel space. This causes the
handle to be stored in the buffer object field, which then needs a cast
to a 32 bit integer to resolve it to a proper buffer object pointer and
store it back in the buffer object field.
On 64-bit architectures that will no longer work, since pointers are 64
bits wide whereas handles will remain 32 bits. This causes the sizes of
both structures to because different and copying will no longer work.
Fix this by adding a new function, host1x_reloc_get_user(), that copies
the structures field by field.
While at it, use substructures for the command and target buffers in
struct host1x_reloc for better readability. Also use unsized types to
make it more obvious that this isn't part of userspace ABI.
Signed-off-by: Thierry Reding <treding@nvidia.com>
When patching gathers, we don't need to check against
gathers with lower indices than the current one, as
they are guaranteed to already have been handled.
Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Acked-By: Terje Bergstrom <tbergstrom@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Expose the buffer objects, syncpoint and channel functionality in the
public public header so that drivers can use them.
Signed-off-by: Thierry Reding <treding@nvidia.com>
The same code sequence is used in various places to validate a register
access in the command stream. This can be refactored into a separate
function.
Signed-off-by: Thierry Reding <treding@nvidia.com>
The value stored in this field is a pointer to a command buffer, not an
ID. Avoid some confusion by reflecting that in the field's name.
Signed-off-by: Thierry Reding <treding@nvidia.com>
Arguments on subsequent lines should be aligned with the first argument.
This one occurrence went unnoticed during code review.
Signed-off-by: Thierry Reding <treding@nvidia.com>
The num_relocs count are passed to the kernel per job, not per gather.
For multi-gather jobs, we would previously fail if there were relocs in
other gathers aside from the first one.
Fix this by simply moving the check until all gathers have been
consumed.
Signed-off-by: Erik Faye-Lund <kusmabite@gmail.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Acked-By: Terje Bergstrom <tbergstrom@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
There is a mistake here so it returns PTR_ERR(NULL) which is success
instead of -ENOMEM.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Tegra is a 32 bit arch. On 32 bit systems then size_t is 32 bits so
"total" will never be higher than UINT_MAX because of integer overflows.
We need cast to u64 first before doing the math.
Also the addition earlier:
unsigned int num_unpins = num_cmdbufs + num_relocs;
That can overflow as well, but I think it's still safe because we check
both "num_cmdbufs" and "num_relocs" again in this test.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
The firewall verified gather buffers before copying them. This
allowed a malicious application to rewrite the buffer content by
timing the rewrite carefully.
This patch makes the buffer validation occur after copying the
buffers.
Signed-off-by: Arto Merilainen <amerilainen@nvidia.com>
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
The firewall was reinitialised for each gather. Because the filter
was reinitialised, it did not track the class over gather boundaries.
This allowed the user application to set host1x class to one class
in one gather and use that class in another gather without firewall
having knowledge about that.
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Signed-off-by: Arto Merilainen <amerilainen@nvidia.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
The firewall assumed that the user space always delivers a relocation
table when it is accessing address registers. If userspace did not
deliver a relocation table and tried to access the address registers,
the code performed bad memory accesses.
This patch modifies the firewall to check correctly that the firewall
table is available before accessing it. In addition, check_reloc() is
converted to use boolean return value (true when the reloc is valid,
false when invalid).
Signed-off-by: Arto Merilainen <amerilainen@nvidia.com>
Acked-By: Terje Bergstrom <tbergstrom@nvidia.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
The firewall code used a wrong loop condition (pointer to a
structure) while checking INCR opcode. This patch fixes the code to
use correct loop condition (number of words remaining).
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Signed-off-by: Arto Merilainen <amerilainen@nvidia.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Add support for host1x client modules, and host1x channels to submit
work to the clients.
Signed-off-by: Arto Merilainen <amerilainen@nvidia.com>
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: Thierry Reding <thierry.reding@avionic-design.de>
Tested-by: Thierry Reding <thierry.reding@avionic-design.de>
Tested-by: Erik Faye-Lund <kusmabite@gmail.com>
Signed-off-by: Thierry Reding <thierry.reding@avionic-design.de>