// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2010-2020 NVIDIA Corporation */
4 #include "drm.h"
5 #include "submit.h"
6 #include "uapi.h"
/*
 * State carried through one validation pass over a command stream: the
 * word buffer with a read cursor, plus the context the individual checks
 * consult.
 */
struct tegra_drm_firewall {
	/* Submission whose used_mappings[] bound every address written. */
	struct tegra_drm_submit_data *submit;
	/* Engine client; its ops classify registers and classes. */
	struct tegra_drm_client *client;
	/* Command words under validation. */
	u32 *data;
	/* Index into data of the next word to consume. */
	u32 pos;
	/* Index one past the last word that may be consumed. */
	u32 end;
	/* Class currently in effect; replaced on every SETCLASS. */
	u32 class;
};
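/*
 * Fetch the next command word and advance the read cursor.
 *
 * Every read of the command stream goes through here, so this is the one
 * place that keeps the parser inside [pos, end).
 *
 * Returns 0 with *word filled in, or -EINVAL when no words are left.
 */
static int fw_next(struct tegra_drm_firewall *fw, u32 *word)
{
	/*
	 * Use >= rather than ==: if the cursor ever starts beyond the end
	 * (for instance because start + words wrapped around in u32), an
	 * equality test would never fire and the reads below would run past
	 * the buffer.
	 */
	if (fw->pos >= fw->end)
		return -EINVAL;

	*word = fw->data[fw->pos++];

	return 0;
}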
/*
 * Decide whether a value about to be written to an address register points
 * into one of the mappings attached to this submission.
 *
 * The comparison is inclusive at both ends of [iova, iova_end].
 *
 * NOTE(review): if iova_end is stored as "one past the last byte", the
 * inclusive upper bound also admits the first address beyond the mapping;
 * confirm against the code that fills in iova_end.
 * NOTE(review): only the address itself is range-checked here, not the
 * length of whatever access the engine later performs from it.
 */
static bool fw_check_addr_valid(struct tegra_drm_firewall *fw, u32 offset)
{
	struct tegra_drm_submit_data *submit = fw->submit;
	u32 idx = 0;

	while (idx < submit->num_used_mappings) {
		struct tegra_drm_mapping *map = submit->used_mappings[idx++].mapping;

		/* Outside this mapping: try the next one. */
		if (offset < map->iova || offset > map->iova_end)
			continue;

		return true;
	}

	return false;
}
/*
 * Consume one data word destined for register @offset and validate it.
 *
 * The word is always consumed, so the cursor stays in step with the stream
 * whether or not the register is of interest. If the client classifies the
 * register as holding an address, the word must fall inside one of the
 * submission's mappings.
 *
 * A client without an is_addr_reg callback gets no address checking at
 * all: every register write is accepted.
 *
 * Returns 0 if the write is acceptable, -EINVAL if the stream ran out or
 * the address lies outside every mapping.
 */
static int fw_check_reg(struct tegra_drm_firewall *fw, u32 offset)
{
	u32 value;
	int ret = fw_next(fw, &value);

	if (ret)
		return ret;

	if (!fw->client->ops->is_addr_reg)
		return 0;

	if (fw->client->ops->is_addr_reg(fw->client->base.dev, fw->class,
					 offset) &&
	    !fw_check_addr_valid(fw, value))
		return -EINVAL;

	return 0;
}
/*
 * Validate @count consecutive data words.
 *
 * With @incr set, each word targets the next register after @offset;
 * otherwise every word targets @offset itself.
 *
 * @count comes straight from the command stream. It is not bounded here;
 * the walk stops with -EINVAL as soon as fw_check_reg() fails, which
 * includes running out of words.
 *
 * Any failure is reported as -EINVAL.
 */
static int fw_check_regs_seq(struct tegra_drm_firewall *fw, u32 offset,
			     u32 count, bool incr)
{
	while (count--) {
		if (fw_check_reg(fw, offset) != 0)
			return -EINVAL;

		offset += incr ? 1 : 0;
	}

	return 0;
}
/*
 * Validate the data words of a masked write.
 *
 * Each set bit N of @mask (lowest bit first) stands for one data word
 * written to register @offset + N.
 *
 * Any failure is reported as -EINVAL.
 */
static int fw_check_regs_mask(struct tegra_drm_firewall *fw, u32 offset,
			      u16 mask)
{
	unsigned int bit;

	for (bit = 0; bit < 16; bit++) {
		/* Clear bits carry no data word. */
		if (!(mask & (1u << bit)))
			continue;

		if (fw_check_reg(fw, offset + bit) != 0)
			return -EINVAL;
	}

	return 0;
}
/*
 * Validate an immediate write to register @offset.
 *
 * No data word is consumed. An immediate write to a register the client
 * classifies as an address register is refused outright rather than
 * range-checked. Without an is_addr_reg callback every immediate write is
 * accepted.
 *
 * Returns 0 if acceptable, -EINVAL otherwise.
 */
static int fw_check_regs_imm(struct tegra_drm_firewall *fw, u32 offset)
{
	if (fw->client->ops->is_addr_reg &&
	    fw->client->ops->is_addr_reg(fw->client->base.dev, fw->class,
					 offset))
		return -EINVAL;

	return 0;
}
/*
 * Decide whether the command stream may switch to @class.
 *
 * A client that provides is_valid_class has the final say. Otherwise only
 * the client's own base class is allowed.
 *
 * Returns 0 if the class is permitted, -EINVAL otherwise.
 */
static int fw_check_class(struct tegra_drm_firewall *fw, u32 class)
{
	if (fw->client->ops->is_valid_class)
		return fw->client->ops->is_valid_class(class) ? 0 : -EINVAL;

	return class == fw->client->base.class ? 0 : -EINVAL;
}
/*
 * Opcode values, as found in the top four bits of a command word.
 *
 * tegra_drm_fw_validate() works as an allowlist: it accepts only SETCLASS,
 * INCR, NONINCR, MASK, IMM, SETPYLD, INCR_W and NONINCR_W. Every other
 * value is refused as an illegal opcode.
 */
enum {
	/* Handled by the validator. */
	HOST1X_OPCODE_SETCLASS  = 0x00,
	HOST1X_OPCODE_INCR      = 0x01,
	HOST1X_OPCODE_NONINCR   = 0x02,
	HOST1X_OPCODE_MASK      = 0x03,
	HOST1X_OPCODE_IMM       = 0x04,

	/* Rejected by the validator. */
	HOST1X_OPCODE_RESTART   = 0x05,
	HOST1X_OPCODE_GATHER    = 0x06,
	HOST1X_OPCODE_SETSTRMID = 0x07,
	HOST1X_OPCODE_SETAPPID  = 0x08,

	/* Handled by the validator. */
	HOST1X_OPCODE_SETPYLD   = 0x09,
	HOST1X_OPCODE_INCR_W    = 0x0a,
	HOST1X_OPCODE_NONINCR_W = 0x0b,

	/* Rejected by the validator. */
	HOST1X_OPCODE_GATHER_W  = 0x0c,
	HOST1X_OPCODE_RESTART_W = 0x0d,
	HOST1X_OPCODE_EXTEND    = 0x0e,
};
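/**
 * tegra_drm_fw_validate() - vet a span of a command stream before it runs
 * @client: engine client the job targets; its ops decide which registers
 *          hold addresses and which classes may be selected
 * @data: buffer of command words
 * @start: index in @data of the first word to check
 * @words: number of words to check
 * @submit: submission whose used mappings bound every address written
 * @job_class: in: class in effect on entry; out: class named by the last
 *             SETCLASS processed (stored even when that SETCLASS is then
 *             rejected, in which case an error is returned)
 *
 * Walks the words in [@start, @start + @words) one opcode at a time. Only
 * SETCLASS, INCR, NONINCR, MASK, IMM, SETPYLD, INCR_W and NONINCR_W are
 * accepted; any other opcode fails the whole span. For register writes,
 * each data word aimed at an address register must point into a mapping of
 * @submit, and IMM may not target an address register at all. INCR_W and
 * NONINCR_W take their word count from a preceding SETPYLD and are refused
 * when none has been seen in this span.
 *
 * This function cannot know how large @data is. A wrapped @start + @words
 * is rejected here, but the caller has to guarantee that the span lies
 * inside the buffer.
 *
 * NOTE(review): the checks only hold if @data cannot change afterwards.
 * Presumably it is a kernel-private copy of the user's commands; confirm
 * in the caller, since validating memory userspace can still write would
 * leave a check-then-use race.
 * NOTE(review): each rejection logs through dev_warn() on input that
 * appears to originate from userspace; consider a rate-limited variant so
 * a misbehaving client cannot flood the kernel log.
 *
 * Return: 0 if the span is acceptable, -EINVAL otherwise.
 */
int tegra_drm_fw_validate(struct tegra_drm_client *client, u32 *data, u32 start,
			  u32 words, struct tegra_drm_submit_data *submit,
			  u32 *job_class)
{
	struct tegra_drm_firewall fw = {
		.submit = submit,
		.client = client,
		.data = data,
		.pos = start,
		.end = start + words,
		.class = *job_class,
	};
	bool payload_valid = false;
	u32 payload = 0;
	int err;

	/*
	 * u32 addition wraps silently. A wrapped end would sit below the
	 * starting position, and a cursor that only ever counts upwards
	 * would then walk far outside the buffer before meeting it.
	 */
	if (fw.end < start)
		return -EINVAL;

	while (fw.pos < fw.end) {
		u32 word, opcode, offset, count, mask, class;

		err = fw_next(&fw, &word);
		if (err)
			return err;

		opcode = (word & 0xf0000000) >> 28;

		switch (opcode) {
		case HOST1X_OPCODE_SETCLASS:
			offset = (word >> 16) & 0xfff;
			mask = word & 0x3f;
			class = (word >> 6) & 0x3ff;
			err = fw_check_class(&fw, class);
			/*
			 * The new class is recorded before the verdict is
			 * acted on; the masked writes that follow must be
			 * checked against it.
			 */
			fw.class = class;
			*job_class = class;
			if (!err)
				err = fw_check_regs_mask(&fw, offset, mask);
			if (err)
				dev_warn(client->base.dev,
					 "illegal SETCLASS(offset=0x%x, mask=0x%x, class=0x%x) at word %u",
					 offset, mask, class, fw.pos-1);
			break;
		case HOST1X_OPCODE_INCR:
			offset = (word >> 16) & 0xfff;
			count = word & 0xffff;
			err = fw_check_regs_seq(&fw, offset, count, true);
			if (err)
				dev_warn(client->base.dev,
					 "illegal INCR(offset=0x%x, count=%u) in class 0x%x at word %u",
					 offset, count, fw.class, fw.pos-1);
			break;
		case HOST1X_OPCODE_NONINCR:
			offset = (word >> 16) & 0xfff;
			count = word & 0xffff;
			err = fw_check_regs_seq(&fw, offset, count, false);
			if (err)
				dev_warn(client->base.dev,
					 "illegal NONINCR(offset=0x%x, count=%u) in class 0x%x at word %u",
					 offset, count, fw.class, fw.pos-1);
			break;
		case HOST1X_OPCODE_MASK:
			offset = (word >> 16) & 0xfff;
			mask = word & 0xffff;
			err = fw_check_regs_mask(&fw, offset, mask);
			if (err)
				dev_warn(client->base.dev,
					 "illegal MASK(offset=0x%x, mask=0x%x) in class 0x%x at word %u",
					 offset, mask, fw.class, fw.pos-1);
			break;
		case HOST1X_OPCODE_IMM:
			/* IMM cannot reasonably be used to write a pointer */
			offset = (word >> 16) & 0xfff;
			err = fw_check_regs_imm(&fw, offset);
			if (err)
				dev_warn(client->base.dev,
					 "illegal IMM(offset=0x%x) in class 0x%x at word %u",
					 offset, fw.class, fw.pos-1);
			break;
		case HOST1X_OPCODE_SETPYLD:
			/* Word count for a later INCR_W / NONINCR_W. */
			payload = word & 0xffff;
			payload_valid = true;
			break;
		case HOST1X_OPCODE_INCR_W:
			/* No SETPYLD seen yet: the word count is unknown. */
			if (!payload_valid)
				return -EINVAL;

			offset = word & 0x3fffff;
			err = fw_check_regs_seq(&fw, offset, payload, true);
			if (err)
				dev_warn(client->base.dev,
					 "illegal INCR_W(offset=0x%x) in class 0x%x at word %u",
					 offset, fw.class, fw.pos-1);
			break;
		case HOST1X_OPCODE_NONINCR_W:
			/* No SETPYLD seen yet: the word count is unknown. */
			if (!payload_valid)
				return -EINVAL;

			offset = word & 0x3fffff;
			err = fw_check_regs_seq(&fw, offset, payload, false);
			if (err)
				/*
				 * Name the wide opcode so the log can be told
				 * apart from a plain NONINCR rejection.
				 */
				dev_warn(client->base.dev,
					 "illegal NONINCR_W(offset=0x%x) in class 0x%x at word %u",
					 offset, fw.class, fw.pos-1);
			break;
		default:
			/* Anything not explicitly handled above is refused. */
			dev_warn(client->base.dev, "illegal opcode at word %u",
				 fw.pos-1);
			return -EINVAL;
		}

		if (err)
			return err;
	}

	return 0;
}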