1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2010-2020 NVIDIA Corporation */
3
4 #include "drm.h"
5 #include "submit.h"
6 #include "uapi.h"
7
8 struct tegra_drm_firewall {
9 struct tegra_drm_submit_data *submit;
10 struct tegra_drm_client *client;
11 u32 *data;
12 u32 pos;
13 u32 end;
14 u32 class;
15 };
16
fw_next(struct tegra_drm_firewall * fw,u32 * word)17 static int fw_next(struct tegra_drm_firewall *fw, u32 *word)
18 {
19 if (fw->pos == fw->end)
20 return -EINVAL;
21
22 *word = fw->data[fw->pos++];
23
24 return 0;
25 }
26
fw_check_addr_valid(struct tegra_drm_firewall * fw,u32 offset)27 static bool fw_check_addr_valid(struct tegra_drm_firewall *fw, u32 offset)
28 {
29 u32 i;
30
31 for (i = 0; i < fw->submit->num_used_mappings; i++) {
32 struct tegra_drm_mapping *m = fw->submit->used_mappings[i].mapping;
33
34 if (offset >= m->iova && offset <= m->iova_end)
35 return true;
36 }
37
38 return false;
39 }
40
fw_check_reg(struct tegra_drm_firewall * fw,u32 offset)41 static int fw_check_reg(struct tegra_drm_firewall *fw, u32 offset)
42 {
43 bool is_addr;
44 u32 word;
45 int err;
46
47 err = fw_next(fw, &word);
48 if (err)
49 return err;
50
51 if (!fw->client->ops->is_addr_reg)
52 return 0;
53
54 is_addr = fw->client->ops->is_addr_reg(fw->client->base.dev, fw->class,
55 offset);
56
57 if (!is_addr)
58 return 0;
59
60 if (!fw_check_addr_valid(fw, word))
61 return -EINVAL;
62
63 return 0;
64 }
65
fw_check_regs_seq(struct tegra_drm_firewall * fw,u32 offset,u32 count,bool incr)66 static int fw_check_regs_seq(struct tegra_drm_firewall *fw, u32 offset,
67 u32 count, bool incr)
68 {
69 u32 i;
70
71 for (i = 0; i < count; i++) {
72 if (fw_check_reg(fw, offset))
73 return -EINVAL;
74
75 if (incr)
76 offset++;
77 }
78
79 return 0;
80 }
81
fw_check_regs_mask(struct tegra_drm_firewall * fw,u32 offset,u16 mask)82 static int fw_check_regs_mask(struct tegra_drm_firewall *fw, u32 offset,
83 u16 mask)
84 {
85 unsigned long bmask = mask;
86 unsigned int bit;
87
88 for_each_set_bit(bit, &bmask, 16) {
89 if (fw_check_reg(fw, offset+bit))
90 return -EINVAL;
91 }
92
93 return 0;
94 }
95
fw_check_regs_imm(struct tegra_drm_firewall * fw,u32 offset)96 static int fw_check_regs_imm(struct tegra_drm_firewall *fw, u32 offset)
97 {
98 bool is_addr;
99
100 is_addr = fw->client->ops->is_addr_reg(fw->client->base.dev, fw->class,
101 offset);
102 if (is_addr)
103 return -EINVAL;
104
105 return 0;
106 }
107
fw_check_class(struct tegra_drm_firewall * fw,u32 class)108 static int fw_check_class(struct tegra_drm_firewall *fw, u32 class)
109 {
110 if (!fw->client->ops->is_valid_class) {
111 if (class == fw->client->base.class)
112 return 0;
113 else
114 return -EINVAL;
115 }
116
117 if (!fw->client->ops->is_valid_class(class))
118 return -EINVAL;
119
120 return 0;
121 }
122
123 enum {
124 HOST1X_OPCODE_SETCLASS = 0x00,
125 HOST1X_OPCODE_INCR = 0x01,
126 HOST1X_OPCODE_NONINCR = 0x02,
127 HOST1X_OPCODE_MASK = 0x03,
128 HOST1X_OPCODE_IMM = 0x04,
129 HOST1X_OPCODE_RESTART = 0x05,
130 HOST1X_OPCODE_GATHER = 0x06,
131 HOST1X_OPCODE_SETSTRMID = 0x07,
132 HOST1X_OPCODE_SETAPPID = 0x08,
133 HOST1X_OPCODE_SETPYLD = 0x09,
134 HOST1X_OPCODE_INCR_W = 0x0a,
135 HOST1X_OPCODE_NONINCR_W = 0x0b,
136 HOST1X_OPCODE_GATHER_W = 0x0c,
137 HOST1X_OPCODE_RESTART_W = 0x0d,
138 HOST1X_OPCODE_EXTEND = 0x0e,
139 };
140
tegra_drm_fw_validate(struct tegra_drm_client * client,u32 * data,u32 start,u32 words,struct tegra_drm_submit_data * submit,u32 * job_class)141 int tegra_drm_fw_validate(struct tegra_drm_client *client, u32 *data, u32 start,
142 u32 words, struct tegra_drm_submit_data *submit,
143 u32 *job_class)
144 {
145 struct tegra_drm_firewall fw = {
146 .submit = submit,
147 .client = client,
148 .data = data,
149 .pos = start,
150 .end = start+words,
151 .class = *job_class,
152 };
153 bool payload_valid = false;
154 u32 payload;
155 int err;
156
157 while (fw.pos != fw.end) {
158 u32 word, opcode, offset, count, mask, class;
159
160 err = fw_next(&fw, &word);
161 if (err)
162 return err;
163
164 opcode = (word & 0xf0000000) >> 28;
165
166 switch (opcode) {
167 case HOST1X_OPCODE_SETCLASS:
168 offset = word >> 16 & 0xfff;
169 mask = word & 0x3f;
170 class = (word >> 6) & 0x3ff;
171 err = fw_check_class(&fw, class);
172 fw.class = class;
173 *job_class = class;
174 if (!err)
175 err = fw_check_regs_mask(&fw, offset, mask);
176 if (err)
177 dev_warn(client->base.dev,
178 "illegal SETCLASS(offset=0x%x, mask=0x%x, class=0x%x) at word %u",
179 offset, mask, class, fw.pos-1);
180 break;
181 case HOST1X_OPCODE_INCR:
182 offset = (word >> 16) & 0xfff;
183 count = word & 0xffff;
184 err = fw_check_regs_seq(&fw, offset, count, true);
185 if (err)
186 dev_warn(client->base.dev,
187 "illegal INCR(offset=0x%x, count=%u) in class 0x%x at word %u",
188 offset, count, fw.class, fw.pos-1);
189 break;
190 case HOST1X_OPCODE_NONINCR:
191 offset = (word >> 16) & 0xfff;
192 count = word & 0xffff;
193 err = fw_check_regs_seq(&fw, offset, count, false);
194 if (err)
195 dev_warn(client->base.dev,
196 "illegal NONINCR(offset=0x%x, count=%u) in class 0x%x at word %u",
197 offset, count, fw.class, fw.pos-1);
198 break;
199 case HOST1X_OPCODE_MASK:
200 offset = (word >> 16) & 0xfff;
201 mask = word & 0xffff;
202 err = fw_check_regs_mask(&fw, offset, mask);
203 if (err)
204 dev_warn(client->base.dev,
205 "illegal MASK(offset=0x%x, mask=0x%x) in class 0x%x at word %u",
206 offset, mask, fw.class, fw.pos-1);
207 break;
208 case HOST1X_OPCODE_IMM:
209 /* IMM cannot reasonably be used to write a pointer */
210 offset = (word >> 16) & 0xfff;
211 err = fw_check_regs_imm(&fw, offset);
212 if (err)
213 dev_warn(client->base.dev,
214 "illegal IMM(offset=0x%x) in class 0x%x at word %u",
215 offset, fw.class, fw.pos-1);
216 break;
217 case HOST1X_OPCODE_SETPYLD:
218 payload = word & 0xffff;
219 payload_valid = true;
220 break;
221 case HOST1X_OPCODE_INCR_W:
222 if (!payload_valid)
223 return -EINVAL;
224
225 offset = word & 0x3fffff;
226 err = fw_check_regs_seq(&fw, offset, payload, true);
227 if (err)
228 dev_warn(client->base.dev,
229 "illegal INCR_W(offset=0x%x) in class 0x%x at word %u",
230 offset, fw.class, fw.pos-1);
231 break;
232 case HOST1X_OPCODE_NONINCR_W:
233 if (!payload_valid)
234 return -EINVAL;
235
236 offset = word & 0x3fffff;
237 err = fw_check_regs_seq(&fw, offset, payload, false);
238 if (err)
239 dev_warn(client->base.dev,
240 "illegal NONINCR(offset=0x%x) in class 0x%x at word %u",
241 offset, fw.class, fw.pos-1);
242 break;
243 default:
244 dev_warn(client->base.dev, "illegal opcode at word %u",
245 fw.pos-1);
246 return -EINVAL;
247 }
248
249 if (err)
250 return err;
251 }
252
253 return 0;
254 }
255