/usr/src/sys/dev/pci/drm/i915/gem/i915_gem

Bug Summary

File:	dev/pci/drm/i915/gem/i915_gem_execbuffer.c
Warning:	line 366, column 52 The result of the left shift is undefined due to shifting by '4294967295', which is greater or equal to the width of type 'unsigned long'
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -cc1 -triple amd64-unknown-openbsd7.4 -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name i915_gem_execbuffer.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model static -mframe-pointer=all -relaxed-aliasing -ffp-contract=on -fno-rounding-math -mconstructor-aliases -ffreestanding -mcmodel=kernel -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -target-feature -sse2 -target-feature -sse -target-feature -3dnow -target-feature -mmx -target-feature +save-args -target-feature +retpoline-external-thunk -disable-red-zone -no-implicit-float -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -nostdsysteminc -nobuiltininc -resource-dir /usr/local/llvm16/lib/clang/16 -I /usr/src/sys -I /usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -I /usr/src/sys/arch -I /usr/src/sys/dev/pci/drm/include -I /usr/src/sys/dev/pci/drm/include/uapi -I /usr/src/sys/dev/pci/drm/amd/include/asic_reg -I /usr/src/sys/dev/pci/drm/amd/include -I /usr/src/sys/dev/pci/drm/amd/amdgpu -I /usr/src/sys/dev/pci/drm/amd/display -I /usr/src/sys/dev/pci/drm/amd/display/include -I /usr/src/sys/dev/pci/drm/amd/display/dc -I /usr/src/sys/dev/pci/drm/amd/display/amdgpu_dm -I /usr/src/sys/dev/pci/drm/amd/pm/inc -I /usr/src/sys/dev/pci/drm/amd/pm/legacy-dpm -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/inc -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu11 -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu12 -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/smu13 -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/inc -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/hwmgr -I /usr/src/sys/dev/pci/drm/amd/pm/powerplay/smumgr -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/inc -I /usr/src/sys/dev/pci/drm/amd/pm/swsmu/inc/pmfw_if -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc -I /usr/src/sys/dev/pci/drm/amd/display/dc/inc/hw -I /usr/src/sys/dev/pci/drm/amd/display/dc/clk_mgr -I /usr/src/sys/dev/pci/drm/amd/display/modules/inc -I /usr/src/sys/dev/pci/drm/amd/display/modules/hdcp -I /usr/src/sys/dev/pci/drm/amd/display/dmub/inc -I /usr/src/sys/dev/pci/drm/i915 -D DDB -D DIAGNOSTIC -D KTRACE -D ACCOUNTING -D KMEMSTATS -D PTRACE -D POOL_DEBUG -D CRYPTO -D SYSVMSG -D SYSVSEM -D SYSVSHM -D UVM_SWAP_ENCRYPT -D FFS -D FFS2 -D FFS_SOFTUPDATES -D UFS_DIRHASH -D QUOTA -D EXT2FS -D MFS -D NFSCLIENT -D NFSSERVER -D CD9660 -D UDF -D MSDOSFS -D FIFO -D FUSE -D SOCKET_SPLICE -D TCP_ECN -D TCP_SIGNATURE -D INET6 -D IPSEC -D PPP_BSDCOMP -D PPP_DEFLATE -D PIPEX -D MROUTING -D MPLS -D BOOT_CONFIG -D USER_PCICONF -D APERTURE -D MTRR -D NTFS -D SUSPEND -D HIBERNATE -D PCIVERBOSE -D USBVERBOSE -D WSDISPLAY_COMPAT_USL -D WSDISPLAY_COMPAT_RAWKBD -D WSDISPLAY_DEFAULTSCREENS=6 -D X86EMU -D ONEWIREVERBOSE -D MULTIPROCESSOR -D MAXUSERS=80 -D _KERNEL -O2 -Wno-pointer-sign -Wno-address-of-packed-member -Wno-constant-conversion -Wno-unused-but-set-variable -Wno-gnu-folding-constant -fdebug-compilation-dir=/usr/src/sys/arch/amd64/compile/GENERIC.MP/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fcf-protection=branch -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -o /home/ben/Projects/scan/2024-01-11-110808-61670-1 -x c /usr/src/sys/dev/pci/drm/i915/gem/i915_gem_execbuffer.c
1/*
* SPDX-License-Identifier: MIT
*
* Copyright © 2008,2010 Intel Corporation
*/

7#include <linux/dma-resv.h>
8#include <linux/highmem.h>
9#include <linux/sync_file.h>
10#include <linux/uaccess.h>

12#include <drm/drm_syncobj.h>

14#include <dev/pci/pcivar.h>
15#include <dev/pci/agpvar.h>

17#include "display/intel_frontbuffer.h"

19#include "gem/i915_gem_ioctls.h"
20#include "gt/intel_context.h"
21#include "gt/intel_gpu_commands.h"
22#include "gt/intel_gt.h"
23#include "gt/intel_gt_buffer_pool.h"
24#include "gt/intel_gt_pm.h"
25#include "gt/intel_ring.h"

27#include "pxp/intel_pxp.h"

29#include "i915_cmd_parser.h"
30#include "i915_drv.h"
31#include "i915_file_private.h"
32#include "i915_gem_clflush.h"
33#include "i915_gem_context.h"
34#include "i915_gem_evict.h"
35#include "i915_gem_ioctls.h"
36#include "i915_trace.h"
37#include "i915_user_extensions.h"

39struct eb_vma {
struct i915_vma *vma;
unsigned int flags;

/** This vma's place in the execbuf reservation list */
struct drm_i915_gem_exec_object2 *exec;
struct list_head bind_link;
struct list_head reloc_link;

struct hlist_node node;
u32 handle;
50};

52enum {
FORCE_CPU_RELOC = 1,
FORCE_GTT_RELOC,
FORCE_GPU_RELOC,
56#define DBG_FORCE_RELOC0 0 /* choose one of the above! */
57};

59/* __EXEC_OBJECT_NO_RESERVE is BIT(31), defined in i915_vma.h */
60#define __EXEC_OBJECT_HAS_PIN(1UL << (30))		BIT(30)(1UL << (30))
61#define __EXEC_OBJECT_HAS_FENCE(1UL << (29))		BIT(29)(1UL << (29))
62#define __EXEC_OBJECT_USERPTR_INIT(1UL << (28))	BIT(28)(1UL << (28))
63#define __EXEC_OBJECT_NEEDS_MAP(1UL << (27))		BIT(27)(1UL << (27))
64#define __EXEC_OBJECT_NEEDS_BIAS(1UL << (26))	BIT(26)(1UL << (26))
65#define __EXEC_OBJECT_INTERNAL_FLAGS(~0u << 26)	(~0u << 26) /* all of the above + */
66#define __EXEC_OBJECT_RESERVED((1UL << (30)) | (1UL << (29))) (__EXEC_OBJECT_HAS_PIN(1UL << (30)) | __EXEC_OBJECT_HAS_FENCE(1UL << (29)))

68#define __EXEC_HAS_RELOC(1UL << (31))	BIT(31)(1UL << (31))
69#define __EXEC_ENGINE_PINNED(1UL << (30))	BIT(30)(1UL << (30))
70#define __EXEC_USERPTR_USED(1UL << (29))	BIT(29)(1UL << (29))
71#define __EXEC_INTERNAL_FLAGS(~0u << 29)	(~0u << 29)
72#define UPDATE(1ULL << (7))			PIN_OFFSET_FIXED(1ULL << (7))

74#define BATCH_OFFSET_BIAS(256*1024) (256*1024)

76#define __I915_EXEC_ILLEGAL_FLAGS((-((1 << 21) << 1)) | (3<<6) | (1<<15
)) \
(__I915_EXEC_UNKNOWN_FLAGS(-((1 << 21) << 1)) | \
I915_EXEC_CONSTANTS_MASK(3<<6)  | \
I915_EXEC_RESOURCE_STREAMER(1<<15))

81/* Catch emission of unexpected errors for CI! */
82#if IS_ENABLED(CONFIG_DRM_I915_DEBUG_GEM)0
83#undef EINVAL22
84#define EINVAL22 ({ \
DRM_DEBUG_DRIVER("EINVAL at %s:%d\n", __func__, __LINE__)___drm_dbg(((void *)0), DRM_UT_DRIVER, "EINVAL at %s:%d\n", __func__
, 85); \
22; \
87})
88#endif

90/**
* DOC: User command execution
*
* Userspace submits commands to be executed on the GPU as an instruction
* stream within a GEM object we call a batchbuffer. This instructions may
* refer to other GEM objects containing auxiliary state such as kernels,
* samplers, render targets and even secondary batchbuffers. Userspace does
* not know where in the GPU memory these objects reside and so before the
* batchbuffer is passed to the GPU for execution, those addresses in the
* batchbuffer and auxiliary objects are updated. This is known as relocation,
* or patching. To try and avoid having to relocate each object on the next
* execution, userspace is told the location of those objects in this pass,
* but this remains just a hint as the kernel may choose a new location for
* any object in the future.
*
* At the level of talking to the hardware, submitting a batchbuffer for the
* GPU to execute is to add content to a buffer from which the HW
* command streamer is reading.
*
* 1. Add a command to load the HW context. For Logical Ring Contexts, i.e.
*    Execlists, this command is not placed on the same buffer as the
*    remaining items.
*
* 2. Add a command to invalidate caches to the buffer.
*
* 3. Add a batchbuffer start command to the buffer; the start command is
*    essentially a token together with the GPU address of the batchbuffer
*    to be executed.
*
* 4. Add a pipeline flush to the buffer.
*
* 5. Add a memory write command to the buffer to record when the GPU
*    is done executing the batchbuffer. The memory write writes the
*    global sequence number of the request, ``i915_request::global_seqno``;
*    the i915 driver uses the current value in the register to determine
*    if the GPU has completed the batchbuffer.
*
* 6. Add a user interrupt command to the buffer. This command instructs
*    the GPU to issue an interrupt when the command, pipeline flush and
*    memory write are completed.
*
* 7. Inform the hardware of the additional commands added to the buffer
*    (by updating the tail pointer).
*
* Processing an execbuf ioctl is conceptually split up into a few phases.
*
* 1. Validation - Ensure all the pointers, handles and flags are valid.
* 2. Reservation - Assign GPU address space for every object
* 3. Relocation - Update any addresses to point to the final locations
* 4. Serialisation - Order the request with respect to its dependencies
* 5. Construction - Construct a request to execute the batchbuffer
* 6. Submission (at some point in the future execution)
*
* Reserving resources for the execbuf is the most complicated phase. We
* neither want to have to migrate the object in the address space, nor do
* we want to have to update any relocations pointing to this object. Ideally,
* we want to leave the object where it is and for all the existing relocations
* to match. If the object is given a new address, or if userspace thinks the
* object is elsewhere, we have to parse all the relocation entries and update
* the addresses. Userspace can set the I915_EXEC_NORELOC flag to hint that
* all the target addresses in all of its objects match the value in the
* relocation entries and that they all match the presumed offsets given by the
* list of execbuffer objects. Using this knowledge, we know that if we haven't
* moved any buffers, all the relocation entries are valid and we can skip
* the update. (If userspace is wrong, the likely outcome is an impromptu GPU
* hang.) The requirement for using I915_EXEC_NO_RELOC are:
*
*      The addresses written in the objects must match the corresponding
*      reloc.presumed_offset which in turn must match the corresponding
*      execobject.offset.
*
*      Any render targets written to in the batch must be flagged with
*      EXEC_OBJECT_WRITE.
*
*      To avoid stalling, execobject.offset should match the current
*      address of that object within the active context.
*
* The reservation is done is multiple phases. First we try and keep any
* object already bound in its current location - so as long as meets the
* constraints imposed by the new execbuffer. Any object left unbound after the
* first pass is then fitted into any available idle space. If an object does
* not fit, all objects are removed from the reservation and the process rerun
* after sorting the objects into a priority order (more difficult to fit
* objects are tried first). Failing that, the entire VM is cleared and we try
* to fit the execbuf once last time before concluding that it simply will not
* fit.
*
* A small complication to all of this is that we allow userspace not only to
* specify an alignment and a size for the object in the address space, but
* we also allow userspace to specify the exact offset. This objects are
* simpler to place (the location is known a priori) all we have to do is make
* sure the space is available.
*
* Once all the objects are in place, patching up the buried pointers to point
* to the final locations is a fairly simple job of walking over the relocation
* entry arrays, looking up the right address and rewriting the value into
* the object. Simple! ... The relocation entries are stored in user memory
* and so to access them we have to copy them into a local buffer. That copy
* has to avoid taking any pagefaults as they may lead back to a GEM object
* requiring the struct_mutex (i.e. recursive deadlock). So once again we split
* the relocation into multiple passes. First we try to do everything within an
* atomic context (avoid the pagefaults) which requires that we never wait. If
* we detect that we may wait, or if we need to fault, then we have to fallback
* to a slower path. The slowpath has to drop the mutex. (Can you hear alarm
* bells yet?) Dropping the mutex means that we lose all the state we have
* built up so far for the execbuf and we must reset any global data. However,
* we do leave the objects pinned in their final locations - which is a
* potential issue for concurrent execbufs. Once we have left the mutex, we can
* allocate and copy all the relocation entries into a large array at our
* leisure, reacquire the mutex, reclaim all the objects and other state and
* then proceed to update any incorrect addresses with the objects.
*
* As we process the relocation entries, we maintain a record of whether the
* object is being written to. Using NORELOC, we expect userspace to provide
* this information instead. We also check whether we can skip the relocation
* by comparing the expected value inside the relocation entry with the target's
* final address. If they differ, we have to map the current object and rewrite
* the 4 or 8 byte pointer within.
*
* Serialising an execbuf is quite simple according to the rules of the GEM
* ABI. Execution within each context is ordered by the order of submission.
* Writes to any GEM object are in order of submission and are exclusive. Reads
* from a GEM object are unordered with respect to other reads, but ordered by
* writes. A write submitted after a read cannot occur before the read, and
* similarly any read submitted after a write cannot occur before the write.
* Writes are ordered between engines such that only one write occurs at any
* time (completing any reads beforehand) - using semaphores where available
* and CPU serialisation otherwise. Other GEM access obey the same rules, any
* write (either via mmaps using set-domain, or via pwrite) must flush all GPU
* reads before starting, and any read (either using set-domain or pread) must
* flush all GPU writes before starting. (Note we only employ a barrier before,
* we currently rely on userspace not concurrently starting a new execution
* whilst reading or writing to an object. This may be an advantage or not
* depending on how much you trust userspace not to shoot themselves in the
* foot.) Serialisation may just result in the request being inserted into
* a DAG awaiting its turn, but most simple is to wait on the CPU until
* all dependencies are resolved.
*
* After all of that, is just a matter of closing the request and handing it to
* the hardware (well, leaving it in a queue to be executed). However, we also
* offer the ability for batchbuffers to be run with elevated privileges so
* that they access otherwise hidden registers. (Used to adjust L3 cache etc.)
* Before any batch is given extra privileges we first must check that it
* contains no nefarious instructions, we check that each instruction is from
* our whitelist and all registers are also from an allowed list. We first
* copy the user's batchbuffer to a shadow (so that the user doesn't have
* access to it, either by the CPU or GPU as we scan it) and then parse each
* instruction. If everything is ok, we set a flag telling the hardware to run
* the batchbuffer in trusted mode, otherwise the ioctl is rejected.
*/

241struct eb_fence {
struct drm_syncobj *syncobj; /* Use with ptr_mask_bits() */
struct dma_fence *dma_fence;
u64 value;
struct dma_fence_chain *chain_fence;
246};

248struct i915_execbuffer {
struct drm_i915_privateinteldrm_softc *i915; /** i915 backpointer */
struct drm_file *file; /** per-file lookup tables and limits */
struct drm_i915_gem_execbuffer2 *args; /** ioctl parameters */
struct drm_i915_gem_exec_object2 *exec; /** ioctl execobj[] */
struct eb_vma *vma;

struct intel_gt *gt; /* gt for the execbuf */
struct intel_context *context; /* logical state for the request */
struct i915_gem_context *gem_context; /** caller's context */

/** our requests to build */
struct i915_request *requests[MAX_ENGINE_INSTANCE8 + 1];
/** identity of the batch obj/vma */
struct eb_vma *batches[MAX_ENGINE_INSTANCE8 + 1];
struct i915_vma *trampoline; /** trampoline used for chaining */

/** used for excl fence in dma_resv objects when > 1 BB submitted */
struct dma_fence *composite_fence;

/** actual size of execobj[] as we may extend it for the cmdparser */
unsigned int buffer_count;

/* number of batches in execbuf IOCTL */
unsigned int num_batches;

/** list of vma not yet bound during reservation phase */
struct list_head unbound;

/** list of vma that have execobj.relocation_count */
struct list_head relocs;

struct i915_gem_ww_ctx ww;

/**
* Track the most recently used object for relocations, as we
* frequently have to perform multiple relocations within the same
* obj/page
*/
struct reloc_cache {
struct drm_mm_node node; /** temporary GTT binding */
unsigned long vaddr; /** Current kmap address */
unsigned long page; /** Currently mapped page index */
unsigned int graphics_ver; /** Cached value of GRAPHICS_VER */
bool_Bool use_64bit_reloc : 1;
bool_Bool has_llc : 1;
bool_Bool has_fence : 1;
bool_Bool needs_unfenced : 1;

struct agp_map *map;
bus_space_tag_t iot;
bus_space_handle_t ioh;
} reloc_cache;

u64 invalid_flags; /** Set of execobj.flags that are invalid */

/** Length of batch within object */
u64 batch_len[MAX_ENGINE_INSTANCE8 + 1];
u32 batch_start_offset; /** Location within object of batch */
u32 batch_flags; /** Flags composed for emit_bb_start() */
struct intel_gt_buffer_pool_node *batch_pool; /** pool node for batch buffer */

/**
* Indicate either the size of the hastable used to resolve
* relocation handles, or if negative that we are using a direct
* index into the execobj[].
*/
int lut_size;
struct hlist_head *buckets; /** ht for relocation handles */

struct eb_fence *fences;
unsigned long num_fences;
320#if IS_ENABLED(CONFIG_DRM_I915_CAPTURE_ERROR)1
struct i915_capture_list *capture_lists[MAX_ENGINE_INSTANCE8 + 1];
322#endif
323};

325static int eb_parse(struct i915_execbuffer *eb);
326static int eb_pin_engine(struct i915_execbuffer *eb, bool_Bool throttle);
327static void eb_unpin_engine(struct i915_execbuffer *eb);
328static void eb_capture_release(struct i915_execbuffer *eb);

330static inline bool_Bool eb_use_cmdparser(const struct i915_execbuffer *eb)
331{
return intel_engine_requires_cmd_parser(eb->context->engine) ||
(intel_engine_using_cmd_parser(eb->context->engine) &&
 eb->args->batch_len);
335}

337static int eb_create(struct i915_execbuffer *eb)
338{
if (!(eb->args->flags & I915_EXEC_HANDLE_LUT(1<<12))) {
39
←
Assuming the condition is true→
40
←
Taking true branch→
unsigned int size = 1 + ilog2(eb->buffer_count)((sizeof(eb->buffer_count) <= 4) ? (fls(eb->buffer_count
) - 1) : (flsl(eb->buffer_count) - 1));
41
←
'?' condition is true→

/*
 * Without a 1:1 association between relocation handles and
 * the execobject[] index, we instead create a hashtable.
 * We size it dynamically based on available memory, starting
 * first with 1:1 assocative hash and scaling back until
 * the allocation succeeds.
 *
 * Later on we use a positive lut_size to indicate we are
 * using this hashtable, and a negative value to indicate a
 * direct lookup.
 */
do {
47
←
Loop condition is true. Execution continues on line 354→
	gfp_t flags;

	/* While we can still reduce the allocation size, don't
	 * raise a warning and allow the allocation to fail.
	 * On the last pass though, we want to try as hard
	 * as possible to perform the allocation and warn
	 * if it fails.
	 */
	flags = GFP_KERNEL(0x0001 | 0x0004);
	if (size47.1
'size' is > 1
 > 1)
42
←
Assuming 'size' is <= 1→
43
←
Taking false branch→
48
←
Taking true branch→
		flags |= __GFP_NORETRY0 | __GFP_NOWARN0;

	eb->buckets = kzalloc(sizeof(struct hlist_head) << size,
49
←
The result of the left shift is undefined due to shifting by '4294967295', which is greater or equal to the width of type 'unsigned long'
			      flags);
	if (eb->buckets)
44
←
Assuming field 'buckets' is null→
45
←
Taking false branch→
		break;
} while (--size);
46
←
Value assigned to 'size'→

if (unlikely(!size)__builtin_expect(!!(!size), 0))
	return -ENOMEM12;

eb->lut_size = size;
} else {
eb->lut_size = -eb->buffer_count;
}

return 0;
381}

383static bool_Bool
384eb_vma_misplaced(const struct drm_i915_gem_exec_object2 *entry,
 const struct i915_vma *vma,
 unsigned int flags)
387{
if (vma->node.size < entry->pad_to_size)
return true1;

if (entry->alignment && !IS_ALIGNED(vma->node.start, entry->alignment)(((vma->node.start) & ((entry->alignment) - 1)) == 0
))
return true1;

if (flags & EXEC_OBJECT_PINNED(1<<4) &&
   vma->node.start != entry->offset)
return true1;

if (flags & __EXEC_OBJECT_NEEDS_BIAS(1UL << (26)) &&
   vma->node.start < BATCH_OFFSET_BIAS(256*1024))
return true1;

if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS(1<<3)) &&
   (vma->node.start + vma->node.size + 4095) >> 32)
return true1;

if (flags & __EXEC_OBJECT_NEEDS_MAP(1UL << (27)) &&
   !i915_vma_is_map_and_fenceable(vma))
return true1;

return false0;
411}

413static u64 eb_pin_flags(const struct drm_i915_gem_exec_object2 *entry,
	unsigned int exec_flags)
415{
u64 pin_flags = 0;

if (exec_flags & EXEC_OBJECT_NEEDS_GTT(1<<1))
pin_flags |= PIN_GLOBAL(1ULL << (10));

/*
* Wa32bitGeneralStateOffset & Wa32bitInstructionBaseOffset,
* limit address to the first 4GBs for unflagged objects.
*/
if (!(exec_flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS(1<<3)))
pin_flags |= PIN_ZONE_4G(1ULL << (4));

if (exec_flags & __EXEC_OBJECT_NEEDS_MAP(1UL << (27)))
pin_flags |= PIN_MAPPABLE(1ULL << (3));

if (exec_flags & EXEC_OBJECT_PINNED(1<<4))
pin_flags |= entry->offset | PIN_OFFSET_FIXED(1ULL << (7));
else if (exec_flags & __EXEC_OBJECT_NEEDS_BIAS(1UL << (26)))
pin_flags |= BATCH_OFFSET_BIAS(256*1024) | PIN_OFFSET_BIAS(1ULL << (6));

return pin_flags;
437}

439static inline int
440eb_pin_vma(struct i915_execbuffer *eb,
  const struct drm_i915_gem_exec_object2 *entry,
  struct eb_vma *ev)
443{
struct i915_vma *vma = ev->vma;
u64 pin_flags;
int err;

if (vma->node.size)
pin_flags = vma->node.start;
else
pin_flags = entry->offset & PIN_OFFSET_MASK-(1ULL << (12));

pin_flags |= PIN_USER(1ULL << (11)) | PIN_NOEVICT(1ULL << (0)) | PIN_OFFSET_FIXED(1ULL << (7)) | PIN_VALIDATE(1ULL << (8));
if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_GTT)__builtin_expect(!!(ev->flags & (1<<1)), 0))
pin_flags |= PIN_GLOBAL(1ULL << (10));

/* Attempt to reuse the current location if available */
err = i915_vma_pin_ww(vma, &eb->ww, 0, 0, pin_flags);
if (err == -EDEADLK11)
return err;

if (unlikely(err)__builtin_expect(!!(err), 0)) {
if (entry->flags & EXEC_OBJECT_PINNED(1<<4))
	return err;

/* Failing that pick any _free_ space if suitable */
err = i915_vma_pin_ww(vma, &eb->ww,
			     entry->pad_to_size,
			     entry->alignment,
			     eb_pin_flags(entry, ev->flags) |
			     PIN_USER(1ULL << (11)) | PIN_NOEVICT(1ULL << (0)) | PIN_VALIDATE(1ULL << (8)));
if (unlikely(err)__builtin_expect(!!(err), 0))
	return err;
}

if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_FENCE)__builtin_expect(!!(ev->flags & (1<<0)), 0)) {
err = i915_vma_pin_fence(vma);
if (unlikely(err)__builtin_expect(!!(err), 0))
	return err;

if (vma->fence)
	ev->flags |= __EXEC_OBJECT_HAS_FENCE(1UL << (29));
}

ev->flags |= __EXEC_OBJECT_HAS_PIN(1UL << (30));
if (eb_vma_misplaced(entry, vma, ev->flags))
return -EBADSLT22;

return 0;
490}

492static inline void
493eb_unreserve_vma(struct eb_vma *ev)
494{
if (unlikely(ev->flags & __EXEC_OBJECT_HAS_FENCE)__builtin_expect(!!(ev->flags & (1UL << (29))), 0
))
__i915_vma_unpin_fence(ev->vma);

ev->flags &= ~__EXEC_OBJECT_RESERVED((1UL << (30)) | (1UL << (29)));
499}

501static int
502eb_validate_vma(struct i915_execbuffer *eb,
struct drm_i915_gem_exec_object2 *entry,
struct i915_vma *vma)
505{
/* Relocations are disallowed for all platforms after TGL-LP.  This
* also covers all platforms with local memory.
*/
if (entry->relocation_count &&
   GRAPHICS_VER(eb->i915)((&(eb->i915)->__runtime)->graphics.ip.ver) >= 12 && !IS_TIGERLAKE(eb->i915)IS_PLATFORM(eb->i915, INTEL_TIGERLAKE))
return -EINVAL22;

if (unlikely(entry->flags & eb->invalid_flags)__builtin_expect(!!(entry->flags & eb->invalid_flags
), 0))
return -EINVAL22;

if (unlikely(entry->alignment &&__builtin_expect(!!(entry->alignment && !is_power_of_2_u64
(entry->alignment)), 0)
     !is_power_of_2_u64(entry->alignment))__builtin_expect(!!(entry->alignment && !is_power_of_2_u64
(entry->alignment)), 0))
return -EINVAL22;

/*
* Offset can be used as input (EXEC_OBJECT_PINNED), reject
* any non-page-aligned or non-canonical addresses.
*/
if (unlikely(entry->flags & EXEC_OBJECT_PINNED &&__builtin_expect(!!(entry->flags & (1<<4) &&
 entry->offset != gen8_canonical_addr(entry->offset &
 -(1ULL << (12)))), 0)
     entry->offset != gen8_canonical_addr(entry->offset & I915_GTT_PAGE_MASK))__builtin_expect(!!(entry->flags & (1<<4) &&
 entry->offset != gen8_canonical_addr(entry->offset &
 -(1ULL << (12)))), 0))
return -EINVAL22;

/* pad_to_size was once a reserved field, so sanitize it */
if (entry->flags & EXEC_OBJECT_PAD_TO_SIZE(1<<5)) {
if (unlikely(offset_in_page(entry->pad_to_size))__builtin_expect(!!(((vaddr_t)(entry->pad_to_size) & (
(1 << 12) - 1))), 0))
	return -EINVAL22;
} else {
entry->pad_to_size = 0;
}
/*
* From drm_mm perspective address space is continuous,
* so from this point we're always using non-canonical
* form internally.
*/
entry->offset = gen8_noncanonical_addr(entry->offset);

if (!eb->reloc_cache.has_fence) {
entry->flags &= ~EXEC_OBJECT_NEEDS_FENCE(1<<0);
} else {
if ((entry->flags & EXEC_OBJECT_NEEDS_FENCE(1<<0) ||
     eb->reloc_cache.needs_unfenced) &&
    i915_gem_object_is_tiled(vma->obj))
	entry->flags |= EXEC_OBJECT_NEEDS_GTT(1<<1) | __EXEC_OBJECT_NEEDS_MAP(1UL << (27));
}

return 0;
552}

554static inline bool_Bool
555is_batch_buffer(struct i915_execbuffer *eb, unsigned int buffer_idx)
556{
return eb->args->flags & I915_EXEC_BATCH_FIRST(1<<18) ?
buffer_idx < eb->num_batches :
buffer_idx >= eb->args->buffer_count - eb->num_batches;
560}

562static int
563eb_add_vma(struct i915_execbuffer *eb,
  unsigned int *current_batch,
  unsigned int i,
  struct i915_vma *vma)
567{
struct drm_i915_privateinteldrm_softc *i915 = eb->i915;
struct drm_i915_gem_exec_object2 *entry = &eb->exec[i];
struct eb_vma *ev = &eb->vma[i];

ev->vma = vma;
ev->exec = entry;
ev->flags = entry->flags;

if (eb->lut_size > 0) {
ev->handle = entry->handle;
hlist_add_head(&ev->node,
	       &eb->buckets[hash_32(entry->handle,
				    eb->lut_size)]);
}

if (entry->relocation_count)
list_add_tail(&ev->reloc_link, &eb->relocs);

/*
* SNA is doing fancy tricks with compressing batch buffers, which leads
* to negative relocation deltas. Usually that works out ok since the
* relocate address is still positive, except when the batch is placed
* very low in the GTT. Ensure this doesn't happen.
*
* Note that actual hangs have only been observed on gen7, but for
* paranoia do it everywhere.
*/
if (is_batch_buffer(eb, i)) {
if (entry->relocation_count &&
    !(ev->flags & EXEC_OBJECT_PINNED(1<<4)))
	ev->flags |= __EXEC_OBJECT_NEEDS_BIAS(1UL << (26));
if (eb->reloc_cache.has_fence)
	ev->flags |= EXEC_OBJECT_NEEDS_FENCE(1<<0);

eb->batches[*current_batch] = ev;

if (unlikely(ev->flags & EXEC_OBJECT_WRITE)__builtin_expect(!!(ev->flags & (1<<2)), 0)) {
	drm_dbg(&i915->drm,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Attempting to use self-modifying batch buffer\n"
)
		"Attempting to use self-modifying batch buffer\n")__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Attempting to use self-modifying batch buffer\n"
);
	return -EINVAL22;
}

if (range_overflows_t(u64,({ typeof((u64)(eb->batch_start_offset)) start__ = ((u64)(
eb->batch_start_offset)); typeof((u64)(eb->args->batch_len
)) size__ = ((u64)(eb->args->batch_len)); typeof((u64)(
ev->vma->size)) max__ = ((u64)(ev->vma->size)); (
void)(&start__ == &size__); (void)(&start__ == &
max__); start__ >= max__ || size__ > max__ - start__; }
)
		      eb->batch_start_offset,({ typeof((u64)(eb->batch_start_offset)) start__ = ((u64)(
eb->batch_start_offset)); typeof((u64)(eb->args->batch_len
)) size__ = ((u64)(eb->args->batch_len)); typeof((u64)(
ev->vma->size)) max__ = ((u64)(ev->vma->size)); (
void)(&start__ == &size__); (void)(&start__ == &
max__); start__ >= max__ || size__ > max__ - start__; }
)
		      eb->args->batch_len,({ typeof((u64)(eb->batch_start_offset)) start__ = ((u64)(
eb->batch_start_offset)); typeof((u64)(eb->args->batch_len
)) size__ = ((u64)(eb->args->batch_len)); typeof((u64)(
ev->vma->size)) max__ = ((u64)(ev->vma->size)); (
void)(&start__ == &size__); (void)(&start__ == &
max__); start__ >= max__ || size__ > max__ - start__; }
)
		      ev->vma->size)({ typeof((u64)(eb->batch_start_offset)) start__ = ((u64)(
eb->batch_start_offset)); typeof((u64)(eb->args->batch_len
)) size__ = ((u64)(eb->args->batch_len)); typeof((u64)(
ev->vma->size)) max__ = ((u64)(ev->vma->size)); (
void)(&start__ == &size__); (void)(&start__ == &
max__); start__ >= max__ || size__ > max__ - start__; }
)) {
	drm_dbg(&i915->drm, "Attempting to use out-of-bounds batch\n")__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Attempting to use out-of-bounds batch\n"
);
	return -EINVAL22;
}

if (eb->args->batch_len == 0)
	eb->batch_len[*current_batch] = ev->vma->size -
		eb->batch_start_offset;
else
	eb->batch_len[*current_batch] = eb->args->batch_len;
if (unlikely(eb->batch_len[*current_batch] == 0)__builtin_expect(!!(eb->batch_len[*current_batch] == 0), 0
)) { /* impossible! */
	drm_dbg(&i915->drm, "Invalid batch length\n")__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Invalid batch length\n"
);
	return -EINVAL22;
}

++*current_batch;
}

return 0;
632}

634static inline int use_cpu_reloc(const struct reloc_cache *cache,
		const struct drm_i915_gem_object *obj)
636{
if (!i915_gem_object_has_struct_page(obj))
return false0;

if (DBG_FORCE_RELOC0 == FORCE_CPU_RELOC)
return true1;

if (DBG_FORCE_RELOC0 == FORCE_GTT_RELOC)
return false0;

return (cache->has_llc ||
obj->cache_dirty ||
obj->cache_level != I915_CACHE_NONE);
649}

651static int eb_reserve_vma(struct i915_execbuffer *eb,
	  struct eb_vma *ev,
	  u64 pin_flags)
654{
struct drm_i915_gem_exec_object2 *entry = ev->exec;
struct i915_vma *vma = ev->vma;
int err;

if (drm_mm_node_allocated(&vma->node) &&
   eb_vma_misplaced(entry, vma, ev->flags)) {
err = i915_vma_unbind(vma);
if (err)
	return err;
}

err = i915_vma_pin_ww(vma, &eb->ww,
	   entry->pad_to_size, entry->alignment,
	   eb_pin_flags(entry, ev->flags) | pin_flags);
if (err)
return err;

if (entry->offset != vma->node.start) {
entry->offset = vma->node.start | UPDATE(1ULL << (7));
eb->args->flags |= __EXEC_HAS_RELOC(1UL << (31));
}

if (unlikely(ev->flags & EXEC_OBJECT_NEEDS_FENCE)__builtin_expect(!!(ev->flags & (1<<0)), 0)) {
err = i915_vma_pin_fence(vma);
if (unlikely(err)__builtin_expect(!!(err), 0))
	return err;

if (vma->fence)
	ev->flags |= __EXEC_OBJECT_HAS_FENCE(1UL << (29));
}

ev->flags |= __EXEC_OBJECT_HAS_PIN(1UL << (30));
GEM_BUG_ON(eb_vma_misplaced(entry, vma, ev->flags))((void)0);

return 0;
690}

692static bool_Bool eb_unbind(struct i915_execbuffer *eb, bool_Bool force)
693{
const unsigned int count = eb->buffer_count;
unsigned int i;
struct list_head last;
bool_Bool unpinned = false0;

/* Resort *all* the objects into priority order */
INIT_LIST_HEAD(&eb->unbound);
INIT_LIST_HEAD(&last);

for (i = 0; i < count; i++) {
struct eb_vma *ev = &eb->vma[i];
unsigned int flags = ev->flags;

if (!force && flags & EXEC_OBJECT_PINNED(1<<4) &&
    flags & __EXEC_OBJECT_HAS_PIN(1UL << (30)))
	continue;

unpinned = true1;
eb_unreserve_vma(ev);

if (flags & EXEC_OBJECT_PINNED(1<<4))
	/* Pinned must have their slot */
	list_add(&ev->bind_link, &eb->unbound);
else if (flags & __EXEC_OBJECT_NEEDS_MAP(1UL << (27)))
	/* Map require the lowest 256MiB (aperture) */
	list_add_tail(&ev->bind_link, &eb->unbound);
else if (!(flags & EXEC_OBJECT_SUPPORTS_48B_ADDRESS(1<<3)))
	/* Prioritise 4GiB region for restricted bo */
	list_add(&ev->bind_link, &last);
else
	list_add_tail(&ev->bind_link, &last);
}

list_splice_tail(&last, &eb->unbound);
return unpinned;
729}

731static int eb_reserve(struct i915_execbuffer *eb)
732{
struct eb_vma *ev;
unsigned int pass;
int err = 0;
bool_Bool unpinned;

/*
* We have one more buffers that we couldn't bind, which could be due to
* various reasons. To resolve this we have 4 passes, with every next
* level turning the screws tighter:
*
* 0. Unbind all objects that do not match the GTT constraints for the
* execbuffer (fenceable, mappable, alignment etc). Bind all new
* objects.  This avoids unnecessary unbinding of later objects in order
* to make room for the earlier objects *unless* we need to defragment.
*
* 1. Reorder the buffers, where objects with the most restrictive
* placement requirements go first (ignoring fixed location buffers for
* now).  For example, objects needing the mappable aperture (the first
* 256M of GTT), should go first vs objects that can be placed just
* about anywhere. Repeat the previous pass.
*
* 2. Consider buffers that are pinned at a fixed location. Also try to
* evict the entire VM this time, leaving only objects that we were
* unable to lock. Try again to bind the buffers. (still using the new
* buffer order).
*
* 3. We likely have object lock contention for one or more stubborn
* objects in the VM, for which we need to evict to make forward
* progress (perhaps we are fighting the shrinker?). When evicting the
* VM this time around, anything that we can't lock we now track using
* the busy_bo, using the full lock (after dropping the vm->mutex to
* prevent deadlocks), instead of trylock. We then continue to evict the
* VM, this time with the stubborn object locked, which we can now
* hopefully unbind (if still bound in the VM). Repeat until the VM is
* evicted. Finally we should be able bind everything.
*/
for (pass = 0; pass <= 3; pass++) {
int pin_flags = PIN_USER(1ULL << (11)) | PIN_VALIDATE(1ULL << (8));

if (pass == 0)
	pin_flags |= PIN_NONBLOCK(1ULL << (2));

if (pass >= 1)
	unpinned = eb_unbind(eb, pass >= 2);

if (pass == 2) {
	err = mutex_lock_interruptible(&eb->context->vm->mutex);
	if (!err) {
		err = i915_gem_evict_vm(eb->context->vm, &eb->ww, NULL((void *)0));
		mutex_unlock(&eb->context->vm->mutex)rw_exit_write(&eb->context->vm->mutex);
	}
	if (err)
		return err;
}

if (pass == 3) {
789retry:
	err = mutex_lock_interruptible(&eb->context->vm->mutex);
	if (!err) {
		struct drm_i915_gem_object *busy_bo = NULL((void *)0);

		err = i915_gem_evict_vm(eb->context->vm, &eb->ww, &busy_bo);
		mutex_unlock(&eb->context->vm->mutex)rw_exit_write(&eb->context->vm->mutex);
		if (err && busy_bo) {
			err = i915_gem_object_lock(busy_bo, &eb->ww);
			i915_gem_object_put(busy_bo);
			if (!err)
				goto retry;
		}
	}
	if (err)
		return err;
}

list_for_each_entry(ev, &eb->unbound, bind_link)for (ev = ({ const __typeof( ((__typeof(*ev) *)0)->bind_link
 ) *__mptr = ((&eb->unbound)->next); (__typeof(*ev)
 *)( (char *)__mptr - __builtin_offsetof(__typeof(*ev), bind_link
) );}); &ev->bind_link != (&eb->unbound); ev = (
{ const __typeof( ((__typeof(*ev) *)0)->bind_link ) *__mptr
 = (ev->bind_link.next); (__typeof(*ev) *)( (char *)__mptr
 - __builtin_offsetof(__typeof(*ev), bind_link) );})) {
	err = eb_reserve_vma(eb, ev, pin_flags);
	if (err)
		break;
}

if (err != -ENOSPC28)
	break;
}

return err;
818}

820static int eb_select_context(struct i915_execbuffer *eb)
821{
struct i915_gem_context *ctx;

ctx = i915_gem_context_lookup(eb->file->driver_priv, eb->args->rsvd1);
if (unlikely(IS_ERR(ctx))__builtin_expect(!!(IS_ERR(ctx)), 0))
return PTR_ERR(ctx);

eb->gem_context = ctx;
if (i915_gem_context_has_full_ppgtt(ctx))
eb->invalid_flags |= EXEC_OBJECT_NEEDS_GTT(1<<1);

return 0;
833}

835static int __eb_add_lut(struct i915_execbuffer *eb,
	u32 handle, struct i915_vma *vma)
837{
struct i915_gem_context *ctx = eb->gem_context;
struct i915_lut_handle *lut;
int err;

lut = i915_lut_handle_alloc();
if (unlikely(!lut)__builtin_expect(!!(!lut), 0))
return -ENOMEM12;

i915_vma_get(vma);
if (!atomic_fetch_inc(&vma->open_count)__sync_fetch_and_add(&vma->open_count, 1))
i915_vma_reopen(vma);
lut->handle = handle;
lut->ctx = ctx;

/* Check that the context hasn't been closed in the meantime */
err = -EINTR4;
if (!mutex_lock_interruptible(&ctx->lut_mutex)) {
if (likely(!i915_gem_context_is_closed(ctx))__builtin_expect(!!(!i915_gem_context_is_closed(ctx)), 1))
	err = radix_tree_insert(&ctx->handles_vma, handle, vma);
else
	err = -ENOENT2;
if (err == 0) { /* And nor has this handle */
	struct drm_i915_gem_object *obj = vma->obj;

	spin_lock(&obj->lut_lock)mtx_enter(&obj->lut_lock);
	if (idr_find(&eb->file->object_idr, handle) == obj) {
		list_add(&lut->obj_link, &obj->lut_list);
	} else {
		radix_tree_delete(&ctx->handles_vma, handle);
		err = -ENOENT2;
	}
	spin_unlock(&obj->lut_lock)mtx_leave(&obj->lut_lock);
}
mutex_unlock(&ctx->lut_mutex)rw_exit_write(&ctx->lut_mutex);
}
if (unlikely(err)__builtin_expect(!!(err), 0))
goto err;

return 0;

878err:
i915_vma_close(vma);
i915_vma_put(vma);
i915_lut_handle_free(lut);
return err;
883}

885static struct i915_vma *eb_lookup_vma(struct i915_execbuffer *eb, u32 handle)
886{
struct i915_address_space *vm = eb->context->vm;

do {
struct drm_i915_gem_object *obj;
struct i915_vma *vma;
int err;

rcu_read_lock();
vma = radix_tree_lookup(&eb->gem_context->handles_vma, handle);
if (likely(vma && vma->vm == vm)__builtin_expect(!!(vma && vma->vm == vm), 1))
	vma = i915_vma_tryget(vma);
rcu_read_unlock();
if (likely(vma)__builtin_expect(!!(vma), 1))
	return vma;

obj = i915_gem_object_lookup(eb->file, handle);
if (unlikely(!obj)__builtin_expect(!!(!obj), 0))
	return ERR_PTR(-ENOENT2);

/*
 * If the user has opted-in for protected-object tracking, make
 * sure the object encryption can be used.
 * We only need to do this when the object is first used with
 * this context, because the context itself will be banned when
 * the protected objects become invalid.
 */
if (i915_gem_context_uses_protected_content(eb->gem_context) &&
    i915_gem_object_is_protected(obj)) {
	err = intel_pxp_key_check(&vm->gt->pxp, obj, true1);
	if (err) {
		i915_gem_object_put(obj);
		return ERR_PTR(err);
	}
}

vma = i915_vma_instance(obj, vm, NULL((void *)0));
if (IS_ERR(vma)) {
	i915_gem_object_put(obj);
	return vma;
}

err = __eb_add_lut(eb, handle, vma);
if (likely(!err)__builtin_expect(!!(!err), 1))
	return vma;

i915_gem_object_put(obj);
if (err != -EEXIST17)
	return ERR_PTR(err);
} while (1);
936}

938static int eb_lookup_vmas(struct i915_execbuffer *eb)
939{
unsigned int i, current_batch = 0;
int err = 0;

INIT_LIST_HEAD(&eb->relocs);

for (i = 0; i < eb->buffer_count; i++) {
struct i915_vma *vma;

vma = eb_lookup_vma(eb, eb->exec[i].handle);
if (IS_ERR(vma)) {
	err = PTR_ERR(vma);
	goto err;
}

err = eb_validate_vma(eb, &eb->exec[i], vma);
if (unlikely(err)__builtin_expect(!!(err), 0)) {
	i915_vma_put(vma);
	goto err;
}

err = eb_add_vma(eb, &current_batch, i, vma);
if (err)
	return err;

if (i915_gem_object_is_userptr(vma->obj)) {
	err = i915_gem_object_userptr_submit_init(vma->obj);
	if (err) {
		if (i + 1 < eb->buffer_count) {
			/*
			 * Execbuffer code expects last vma entry to be NULL,
			 * since we already initialized this entry,
			 * set the next value to NULL or we mess up
			 * cleanup handling.
			 */
			eb->vma[i + 1].vma = NULL((void *)0);
		}

		return err;
	}

	eb->vma[i].flags |= __EXEC_OBJECT_USERPTR_INIT(1UL << (28));
	eb->args->flags |= __EXEC_USERPTR_USED(1UL << (29));
}
}

return 0;

987err:
eb->vma[i].vma = NULL((void *)0);
return err;
990}

992static int eb_lock_vmas(struct i915_execbuffer *eb)
993{
unsigned int i;
int err;

for (i = 0; i < eb->buffer_count; i++) {
struct eb_vma *ev = &eb->vma[i];
struct i915_vma *vma = ev->vma;

err = i915_gem_object_lock(vma->obj, &eb->ww);
if (err)
	return err;
}

return 0;
1007}

1009static int eb_validate_vmas(struct i915_execbuffer *eb)
1010{
unsigned int i;
int err;

INIT_LIST_HEAD(&eb->unbound);

err = eb_lock_vmas(eb);
if (err)
return err;

for (i = 0; i < eb->buffer_count; i++) {
struct drm_i915_gem_exec_object2 *entry = &eb->exec[i];
struct eb_vma *ev = &eb->vma[i];
struct i915_vma *vma = ev->vma;

err = eb_pin_vma(eb, entry, ev);
if (err == -EDEADLK11)
	return err;

if (!err) {
	if (entry->offset != vma->node.start) {
		entry->offset = vma->node.start | UPDATE(1ULL << (7));
		eb->args->flags |= __EXEC_HAS_RELOC(1UL << (31));
	}
} else {
	eb_unreserve_vma(ev);

	list_add_tail(&ev->bind_link, &eb->unbound);
	if (drm_mm_node_allocated(&vma->node)) {
		err = i915_vma_unbind(vma);
		if (err)
			return err;
	}
}

/* Reserve enough slots to accommodate composite fences */
err = dma_resv_reserve_fences(vma->obj->base.resv, eb->num_batches);
if (err)
	return err;

GEM_BUG_ON(drm_mm_node_allocated(&vma->node) &&((void)0)
	   eb_vma_misplaced(&eb->exec[i], vma, ev->flags))((void)0);
}

if (!list_empty(&eb->unbound))
return eb_reserve(eb);

return 0;
1058}

1060static struct eb_vma *
1061eb_get_vma(const struct i915_execbuffer *eb, unsigned long handle)
1062{
if (eb->lut_size < 0) {
if (handle >= -eb->lut_size)
	return NULL((void *)0);
return &eb->vma[handle];
} else {
struct hlist_head *head;
struct eb_vma *ev;

head = &eb->buckets[hash_32(handle, eb->lut_size)];
hlist_for_each_entry(ev, head, node)for (ev = (((head)->first) ? ({ const __typeof( ((__typeof
(*ev) *)0)->node ) *__mptr = ((head)->first); (__typeof
(*ev) *)( (char *)__mptr - __builtin_offsetof(__typeof(*ev), node
) );}) : ((void *)0)); ev != ((void *)0); ev = (((ev)->node
.next) ? ({ const __typeof( ((__typeof(*ev) *)0)->node ) *
__mptr = ((ev)->node.next); (__typeof(*ev) *)( (char *)__mptr
 - __builtin_offsetof(__typeof(*ev), node) );}) : ((void *)0)
)) {
	if (ev->handle == handle)
		return ev;
}
return NULL((void *)0);
}
1078}

1080static void eb_release_vmas(struct i915_execbuffer *eb, bool_Bool final)
1081{
const unsigned int count = eb->buffer_count;
unsigned int i;

for (i = 0; i < count; i++) {
struct eb_vma *ev = &eb->vma[i];
struct i915_vma *vma = ev->vma;

if (!vma)
	break;

eb_unreserve_vma(ev);

if (final)
	i915_vma_put(vma);
}

eb_capture_release(eb);
eb_unpin_engine(eb);
1100}

1102static void eb_destroy(const struct i915_execbuffer *eb)
1103{
if (eb->lut_size > 0)
kfree(eb->buckets);
1106}

1108static inline u64
1109relocation_target(const struct drm_i915_gem_relocation_entry *reloc,
  const struct i915_vma *target)
1111{
return gen8_canonical_addr((int)reloc->delta + target->node.start);
1113}

1115static void reloc_cache_init(struct reloc_cache *cache,
	     struct drm_i915_privateinteldrm_softc *i915)
1117{
cache->page = -1;
cache->vaddr = 0;
/* Must be a variable in the struct to allow GCC to unroll. */
cache->graphics_ver = GRAPHICS_VER(i915)((&(i915)->__runtime)->graphics.ip.ver);
cache->has_llc = HAS_LLC(i915)((&(i915)->__info)->has_llc);
cache->use_64bit_reloc = HAS_64BIT_RELOC(i915)((&(i915)->__info)->has_64bit_reloc);
cache->has_fence = cache->graphics_ver < 4;
cache->needs_unfenced = INTEL_INFO(i915)(&(i915)->__info)->unfenced_needs_alignment;
cache->node.flags = 0;

cache->map = i915->agph;
cache->iot = i915->bst;
1130}

1132static inline void *unmask_page(unsigned long p)
1133{
return (void *)(uintptr_t)(p & LINUX_PAGE_MASK(~((1 << 12) - 1)));
1135}

1137static inline unsigned int unmask_flags(unsigned long p)
1138{
return p & ~LINUX_PAGE_MASK(~((1 << 12) - 1));
1140}

1142#define KMAP0x4 0x4 /* after CLFLUSH_FLAGS */

1144static inline struct i915_ggtt *cache_to_ggtt(struct reloc_cache *cache)
1145{
struct drm_i915_privateinteldrm_softc *i915 =
container_of(cache, struct i915_execbuffer, reloc_cache)({ const __typeof( ((struct i915_execbuffer *)0)->reloc_cache
 ) *__mptr = (cache); (struct i915_execbuffer *)( (char *)__mptr
 - __builtin_offsetof(struct i915_execbuffer, reloc_cache) );
})->i915;
return to_gt(i915)->ggtt;
1149}

1151static void reloc_cache_unmap(struct reloc_cache *cache)
1152{
void *vaddr;

if (!cache->vaddr)
return;

vaddr = unmask_page(cache->vaddr);
if (cache->vaddr & KMAP0x4)
kunmap_atomic(vaddr);
else
1162#ifdef __linux__
io_mapping_unmap_atomic((void __iomem *)vaddr);
1164#else
agp_unmap_atomic(cache->map, cache->ioh);
1166#endif
1167}

1169static void reloc_cache_remap(struct reloc_cache *cache,
	      struct drm_i915_gem_object *obj)
1171{
void *vaddr;

if (!cache->vaddr)
return;

if (cache->vaddr & KMAP0x4) {
struct vm_page *page = i915_gem_object_get_page(obj, cache->page);

vaddr = kmap_atomic(page);
cache->vaddr = unmask_flags(cache->vaddr) |
	(unsigned long)vaddr;
} else {
struct i915_ggtt *ggtt = cache_to_ggtt(cache);
unsigned long offset;

offset = cache->node.start;
if (!drm_mm_node_allocated(&cache->node))
	offset += cache->page << PAGE_SHIFT12;

1191#ifdef __linux__
cache->vaddr = (unsigned long)
	io_mapping_map_atomic_wc(&ggtt->iomap, offset);
1194#else
agp_map_atomic(cache->map, offset, &cache->ioh);
cache->vaddr = (unsigned long)
	bus_space_vaddr(cache->iot, cache->ioh)((cache->iot)->vaddr((cache->ioh)));
1198#endif
}
1200}

1202static void reloc_cache_reset(struct reloc_cache *cache, struct i915_execbuffer *eb)
1203{
void *vaddr;

if (!cache->vaddr)
return;

vaddr = unmask_page(cache->vaddr);
if (cache->vaddr & KMAP0x4) {
struct drm_i915_gem_object *obj =
	(struct drm_i915_gem_object *)cache->node.mm;
if (cache->vaddr & CLFLUSH_AFTER(1UL << (1)))
	mb()do { __asm volatile("mfence" ::: "memory"); } while (0);

kunmap_atomic(vaddr);
i915_gem_object_finish_access(obj);
} else {
struct i915_ggtt *ggtt = cache_to_ggtt(cache);

intel_gt_flush_ggtt_writes(ggtt->vm.gt);
1222#ifdef __linux__
io_mapping_unmap_atomic((void __iomem *)vaddr);
1224#else
agp_unmap_atomic(cache->map, cache->ioh);
1226#endif

if (drm_mm_node_allocated(&cache->node)) {
	ggtt->vm.clear_range(&ggtt->vm,
			     cache->node.start,
			     cache->node.size);
	mutex_lock(&ggtt->vm.mutex)rw_enter_write(&ggtt->vm.mutex);
	drm_mm_remove_node(&cache->node);
	mutex_unlock(&ggtt->vm.mutex)rw_exit_write(&ggtt->vm.mutex);
} else {
	i915_vma_unpin((struct i915_vma *)cache->node.mm);
}
}

cache->vaddr = 0;
cache->page = -1;
1242}

1244static void *reloc_kmap(struct drm_i915_gem_object *obj,
	struct reloc_cache *cache,
	unsigned long pageno)
1247{
void *vaddr;
struct vm_page *page;

if (cache->vaddr) {
kunmap_atomic(unmask_page(cache->vaddr));
} else {
unsigned int flushes;
int err;

err = i915_gem_object_prepare_write(obj, &flushes);
if (err)
	return ERR_PTR(err);

BUILD_BUG_ON(KMAP & CLFLUSH_FLAGS)extern char _ctassert[(!(0x4 & ((1UL << (0)) | (1UL
 << (1))))) ? 1 : -1 ] __attribute__((__unused__));
BUILD_BUG_ON((KMAP | CLFLUSH_FLAGS) & LINUX_PAGE_MASK)extern char _ctassert[(!((0x4 | ((1UL << (0)) | (1UL <<
 (1)))) & (~((1 << 12) - 1)))) ? 1 : -1 ] __attribute__
((__unused__));

cache->vaddr = flushes | KMAP0x4;
cache->node.mm = (void *)obj;
if (flushes)
	mb()do { __asm volatile("mfence" ::: "memory"); } while (0);
}

page = i915_gem_object_get_page(obj, pageno);
if (!obj->mm.dirty)
set_page_dirty(page)x86_atomic_clearbits_u32(&page->pg_flags, 0x00000008);

vaddr = kmap_atomic(page);
cache->vaddr = unmask_flags(cache->vaddr) | (unsigned long)vaddr;
cache->page = pageno;

return vaddr;
1279}

1281static void *reloc_iomap(struct i915_vma *batch,
	 struct i915_execbuffer *eb,
	 unsigned long page)
1284{
struct drm_i915_gem_object *obj = batch->obj;
struct reloc_cache *cache = &eb->reloc_cache;
struct i915_ggtt *ggtt = cache_to_ggtt(cache);
unsigned long offset;
void *vaddr;

if (cache->vaddr) {
intel_gt_flush_ggtt_writes(ggtt->vm.gt);
1293#ifdef __linux__
io_mapping_unmap_atomic((void __force __iomem *) unmask_page(cache->vaddr));
1295#else
agp_unmap_atomic(cache->map, cache->ioh);
1297#endif
} else {
struct i915_vma *vma = ERR_PTR(-ENODEV19);
int err;

if (i915_gem_object_is_tiled(obj))
	return ERR_PTR(-EINVAL22);

if (use_cpu_reloc(cache, obj))
	return NULL((void *)0);

err = i915_gem_object_set_to_gtt_domain(obj, true1);
if (err)
	return ERR_PTR(err);

/*
 * i915_gem_object_ggtt_pin_ww may attempt to remove the batch
 * VMA from the object list because we no longer pin.
 *
 * Only attempt to pin the batch buffer to ggtt if the current batch
 * is not inside ggtt, or the batch buffer is not misplaced.
 */
if (!i915_is_ggtt(batch->vm)((batch->vm)->is_ggtt) ||
    !i915_vma_misplaced(batch, 0, 0, PIN_MAPPABLE(1ULL << (3)))) {
	vma = i915_gem_object_ggtt_pin_ww(obj, &eb->ww, NULL((void *)0), 0, 0,
					  PIN_MAPPABLE(1ULL << (3)) |
					  PIN_NONBLOCK(1ULL << (2)) /* NOWARN */ |
					  PIN_NOEVICT(1ULL << (0)));
}

if (vma == ERR_PTR(-EDEADLK11))
	return vma;

if (IS_ERR(vma)) {
	memset(&cache->node, 0, sizeof(cache->node))__builtin_memset((&cache->node), (0), (sizeof(cache->
node)));
	mutex_lock(&ggtt->vm.mutex)rw_enter_write(&ggtt->vm.mutex);
	err = drm_mm_insert_node_in_range
		(&ggtt->vm.mm, &cache->node,
		 PAGE_SIZE(1 << 12), 0, I915_COLOR_UNEVICTABLE(-1),
		 0, ggtt->mappable_end,
		 DRM_MM_INSERT_LOW);
	mutex_unlock(&ggtt->vm.mutex)rw_exit_write(&ggtt->vm.mutex);
	if (err) /* no inactive aperture space, use cpu reloc */
		return NULL((void *)0);
} else {
	cache->node.start = vma->node.start;
	cache->node.mm = (void *)vma;
}
}

offset = cache->node.start;
if (drm_mm_node_allocated(&cache->node)) {
ggtt->vm.insert_page(&ggtt->vm,
		     i915_gem_object_get_dma_address(obj, page),
		     offset, I915_CACHE_NONE, 0);
} else {
offset += page << PAGE_SHIFT12;
}

1356#ifdef __linux__
vaddr = (void __force *)io_mapping_map_atomic_wc(&ggtt->iomap,
					 offset);
1359#else
agp_map_atomic(cache->map, offset, &cache->ioh);
vaddr = bus_space_vaddr(cache->iot, cache->ioh)((cache->iot)->vaddr((cache->ioh)));
1362#endif
cache->page = page;
cache->vaddr = (unsigned long)vaddr;

return vaddr;
1367}

1369static void *reloc_vaddr(struct i915_vma *vma,
	 struct i915_execbuffer *eb,
	 unsigned long page)
1372{
struct reloc_cache *cache = &eb->reloc_cache;
void *vaddr;

if (cache->page == page) {
vaddr = unmask_page(cache->vaddr);
} else {
vaddr = NULL((void *)0);
if ((cache->vaddr & KMAP0x4) == 0)
	vaddr = reloc_iomap(vma, eb, page);
if (!vaddr)
	vaddr = reloc_kmap(vma->obj, cache, page);
}

return vaddr;
1387}

1389static void clflush_write32(u32 *addr, u32 value, unsigned int flushes)
1390{
if (unlikely(flushes & (CLFLUSH_BEFORE | CLFLUSH_AFTER))__builtin_expect(!!(flushes & ((1UL << (0)) | (1UL <<
 (1)))), 0)) {
if (flushes & CLFLUSH_BEFORE(1UL << (0)))
	drm_clflush_virt_range(addr, sizeof(*addr));

*addr = value;

/*
 * Writes to the same cacheline are serialised by the CPU
 * (including clflush). On the write path, we only require
 * that it hits memory in an orderly fashion and place
 * mb barriers at the start and end of the relocation phase
 * to ensure ordering of clflush wrt to the system.
 */
if (flushes & CLFLUSH_AFTER(1UL << (1)))
	drm_clflush_virt_range(addr, sizeof(*addr));
} else
*addr = value;
1408}

1410static u64
1411relocate_entry(struct i915_vma *vma,
      const struct drm_i915_gem_relocation_entry *reloc,
      struct i915_execbuffer *eb,
      const struct i915_vma *target)
1415{
u64 target_addr = relocation_target(reloc, target);
u64 offset = reloc->offset;
bool_Bool wide = eb->reloc_cache.use_64bit_reloc;
void *vaddr;

1421repeat:
vaddr = reloc_vaddr(vma, eb,
	    offset >> PAGE_SHIFT12);
if (IS_ERR(vaddr))
return PTR_ERR(vaddr);

GEM_BUG_ON(!IS_ALIGNED(offset, sizeof(u32)))((void)0);
clflush_write32(vaddr + offset_in_page(offset)((vaddr_t)(offset) & ((1 << 12) - 1)),
	lower_32_bits(target_addr)((u32)(target_addr)),
	eb->reloc_cache.vaddr);

if (wide) {
offset += sizeof(u32);
target_addr >>= 32;
wide = false0;
goto repeat;
}

return target->node.start | UPDATE(1ULL << (7));
1440}

1442static u64
1443eb_relocate_entry(struct i915_execbuffer *eb,
  struct eb_vma *ev,
  const struct drm_i915_gem_relocation_entry *reloc)
1446{
struct drm_i915_privateinteldrm_softc *i915 = eb->i915;
struct eb_vma *target;
int err;

/* we've already hold a reference to all valid objects */
target = eb_get_vma(eb, reloc->target_handle);
if (unlikely(!target)__builtin_expect(!!(!target), 0))
return -ENOENT2;

/* Validate that the target is in a valid r/w GPU domain */
if (unlikely(reloc->write_domain & (reloc->write_domain - 1))__builtin_expect(!!(reloc->write_domain & (reloc->write_domain
 - 1)), 0)) {
drm_dbg(&i915->drm, "reloc with multiple write domains: "__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with multiple write domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  "target %d offset %d "__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with multiple write domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  "read %08x write %08x",__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with multiple write domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  reloc->target_handle,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with multiple write domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  (int) reloc->offset,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with multiple write domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  reloc->read_domains,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with multiple write domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  reloc->write_domain)__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with multiple write domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
);
return -EINVAL22;
}
if (unlikely((reloc->write_domain | reloc->read_domains)__builtin_expect(!!((reloc->write_domain | reloc->read_domains
) & ~(0x00000002 | 0x00000004 | 0x00000008 | 0x00000010 |
 0x00000020)), 0)
     & ~I915_GEM_GPU_DOMAINS)__builtin_expect(!!((reloc->write_domain | reloc->read_domains
) & ~(0x00000002 | 0x00000004 | 0x00000008 | 0x00000010 |
 0x00000020)), 0)) {
drm_dbg(&i915->drm, "reloc with read/write non-GPU domains: "__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with read/write non-GPU domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  "target %d offset %d "__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with read/write non-GPU domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  "read %08x write %08x",__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with read/write non-GPU domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  reloc->target_handle,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with read/write non-GPU domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  (int) reloc->offset,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with read/write non-GPU domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  reloc->read_domains,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with read/write non-GPU domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
)
	  reloc->write_domain)__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "reloc with read/write non-GPU domains: "
 "target %d offset %d " "read %08x write %08x", reloc->target_handle
, (int) reloc->offset, reloc->read_domains, reloc->write_domain
);
return -EINVAL22;
}

if (reloc->write_domain) {
target->flags |= EXEC_OBJECT_WRITE(1<<2);

/*
 * Sandybridge PPGTT errata: We need a global gtt mapping
 * for MI and pipe_control writes because the gpu doesn't
 * properly redirect them through the ppgtt for non_secure
 * batchbuffers.
 */
if (reloc->write_domain == I915_GEM_DOMAIN_INSTRUCTION0x00000010 &&
    GRAPHICS_VER(eb->i915)((&(eb->i915)->__runtime)->graphics.ip.ver) == 6 &&
    !i915_vma_is_bound(target->vma, I915_VMA_GLOBAL_BIND((int)(1UL << (10))))) {
	struct i915_vma *vma = target->vma;

	reloc_cache_unmap(&eb->reloc_cache);
	mutex_lock(&vma->vm->mutex)rw_enter_write(&vma->vm->mutex);
	err = i915_vma_bind(target->vma,
			    target->vma->obj->cache_level,
			    PIN_GLOBAL(1ULL << (10)), NULL((void *)0), NULL((void *)0));
	mutex_unlock(&vma->vm->mutex)rw_exit_write(&vma->vm->mutex);
	reloc_cache_remap(&eb->reloc_cache, ev->vma->obj);
	if (err)
		return err;
}
}

/*
* If the relocation already has the right value in it, no
* more work needs to be done.
*/
if (!DBG_FORCE_RELOC0 &&
   gen8_canonical_addr(target->vma->node.start) == reloc->presumed_offset)
return 0;

/* Check that the relocation address is valid... */
if (unlikely(reloc->offset >__builtin_expect(!!(reloc->offset > ev->vma->size
 - (eb->reloc_cache.use_64bit_reloc ? 8 : 4)), 0)
     ev->vma->size - (eb->reloc_cache.use_64bit_reloc ? 8 : 4))__builtin_expect(!!(reloc->offset > ev->vma->size
 - (eb->reloc_cache.use_64bit_reloc ? 8 : 4)), 0)) {
drm_dbg(&i915->drm, "Relocation beyond object bounds: "__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Relocation beyond object bounds: "
 "target %d offset %d size %d.\n", reloc->target_handle, (
int)reloc->offset, (int)ev->vma->size)
	  "target %d offset %d size %d.\n",__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Relocation beyond object bounds: "
 "target %d offset %d size %d.\n", reloc->target_handle, (
int)reloc->offset, (int)ev->vma->size)
	  reloc->target_handle,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Relocation beyond object bounds: "
 "target %d offset %d size %d.\n", reloc->target_handle, (
int)reloc->offset, (int)ev->vma->size)
	  (int)reloc->offset,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Relocation beyond object bounds: "
 "target %d offset %d size %d.\n", reloc->target_handle, (
int)reloc->offset, (int)ev->vma->size)
	  (int)ev->vma->size)__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Relocation beyond object bounds: "
 "target %d offset %d size %d.\n", reloc->target_handle, (
int)reloc->offset, (int)ev->vma->size);
return -EINVAL22;
}
if (unlikely(reloc->offset & 3)__builtin_expect(!!(reloc->offset & 3), 0)) {
drm_dbg(&i915->drm, "Relocation not 4-byte aligned: "__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Relocation not 4-byte aligned: "
 "target %d offset %d.\n", reloc->target_handle, (int)reloc
->offset)
	  "target %d offset %d.\n",__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Relocation not 4-byte aligned: "
 "target %d offset %d.\n", reloc->target_handle, (int)reloc
->offset)
	  reloc->target_handle,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Relocation not 4-byte aligned: "
 "target %d offset %d.\n", reloc->target_handle, (int)reloc
->offset)
	  (int)reloc->offset)__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Relocation not 4-byte aligned: "
 "target %d offset %d.\n", reloc->target_handle, (int)reloc
->offset);
return -EINVAL22;
}

/*
* If we write into the object, we need to force the synchronisation
* barrier, either with an asynchronous clflush or if we executed the
* patching using the GPU (though that should be serialised by the
* timeline). To be completely sure, and since we are required to
* do relocations we are already stalling, disable the user's opt
* out of our synchronisation.
*/
ev->flags &= ~EXEC_OBJECT_ASYNC(1<<6);

/* and update the user's relocation entry */
return relocate_entry(ev->vma, reloc, eb, target->vma);
1543}

1545static int eb_relocate_vma(struct i915_execbuffer *eb, struct eb_vma *ev)
1546{
1547#define N_RELOC(x)((x) / sizeof(struct drm_i915_gem_relocation_entry)) ((x) / sizeof(struct drm_i915_gem_relocation_entry))
struct drm_i915_gem_relocation_entry stack[N_RELOC(512)((512) / sizeof(struct drm_i915_gem_relocation_entry))];
const struct drm_i915_gem_exec_object2 *entry = ev->exec;
struct drm_i915_gem_relocation_entry __user *urelocs =
u64_to_user_ptr(entry->relocs_ptr)((void *)(uintptr_t)(entry->relocs_ptr));
unsigned long remain = entry->relocation_count;

if (unlikely(remain > N_RELOC(ULONG_MAX))__builtin_expect(!!(remain > ((0xffffffffffffffffUL) / sizeof
(struct drm_i915_gem_relocation_entry))), 0))
return -EINVAL22;

/*
* We must check that the entire relocation array is safe
* to read. However, if the array is not writable the user loses
* the updated relocation values.
*/
if (unlikely(!access_ok(urelocs, remain * sizeof(*urelocs)))__builtin_expect(!!(!access_ok(urelocs, remain * sizeof(*urelocs
))), 0))
return -EFAULT14;

do {
struct drm_i915_gem_relocation_entry *r = stack;
unsigned int count =
	min_t(unsigned long, remain, ARRAY_SIZE(stack))({ unsigned long __min_a = (remain); unsigned long __min_b = (
(sizeof((stack)) / sizeof((stack)[0]))); __min_a < __min_b
 ? __min_a : __min_b; });
unsigned int copied;

/*
 * This is the fast path and we cannot handle a pagefault
 * whilst holding the struct mutex lest the user pass in the
 * relocations contained within a mmaped bo. For in such a case
 * we, the page fault handler would call i915_gem_fault() and
 * we would try to acquire the struct mutex again. Obviously
 * this is bad and so lockdep complains vehemently.
 */
pagefault_disable();
copied = __copy_from_user_inatomic(r, urelocs, count * sizeof(r[0]));
pagefault_enable();
if (unlikely(copied)__builtin_expect(!!(copied), 0)) {
	remain = -EFAULT14;
	goto out;
}

remain -= count;
do {
	u64 offset = eb_relocate_entry(eb, ev, r);

	if (likely(offset == 0)__builtin_expect(!!(offset == 0), 1)) {
	} else if ((s64)offset < 0) {
		remain = (int)offset;
		goto out;
	} else {
		/*
		 * Note that reporting an error now
		 * leaves everything in an inconsistent
		 * state as we have *already* changed
		 * the relocation value inside the
		 * object. As we have not changed the
		 * reloc.presumed_offset or will not
		 * change the execobject.offset, on the
		 * call we may not rewrite the value
		 * inside the object, leaving it
		 * dangling and causing a GPU hang. Unless
		 * userspace dynamically rebuilds the
		 * relocations on each execbuf rather than
		 * presume a static tree.
		 *
		 * We did previously check if the relocations
		 * were writable (access_ok), an error now
		 * would be a strange race with mprotect,
		 * having already demonstrated that we
		 * can read from this userspace address.
		 */
		offset = gen8_canonical_addr(offset & ~UPDATE(1ULL << (7)));
		__put_user(offset,({ __typeof(((offset))) __tmp = ((offset)); -copyout(&(__tmp
), (&urelocs[r - stack].presumed_offset), sizeof(__tmp));
 })
			   &urelocs[r - stack].presumed_offset)({ __typeof(((offset))) __tmp = ((offset)); -copyout(&(__tmp
), (&urelocs[r - stack].presumed_offset), sizeof(__tmp));
 });
	}
} while (r++, --count);
urelocs += ARRAY_SIZE(stack)(sizeof((stack)) / sizeof((stack)[0]));
} while (remain);
1624out:
reloc_cache_reset(&eb->reloc_cache, eb);
return remain;
1627}

1629static int
1630eb_relocate_vma_slow(struct i915_execbuffer *eb, struct eb_vma *ev)
1631{
const struct drm_i915_gem_exec_object2 *entry = ev->exec;
struct drm_i915_gem_relocation_entry *relocs =
u64_to_ptr(typeof(*relocs), entry->relocs_ptr)({ 1; (typeof(*relocs) *)(uintptr_t)(entry->relocs_ptr); }
);
unsigned int i;
int err;

for (i = 0; i < entry->relocation_count; i++) {
u64 offset = eb_relocate_entry(eb, ev, &relocs[i]);

if ((s64)offset < 0) {
	err = (int)offset;
	goto err;
}
}
err = 0;
1647err:
reloc_cache_reset(&eb->reloc_cache, eb);
return err;
1650}

1652static int check_relocations(const struct drm_i915_gem_exec_object2 *entry)
1653{
const char __user *addr, *end;
unsigned long size;
char __maybe_unused__attribute__((__unused__)) c;

size = entry->relocation_count;
if (size == 0)
return 0;

if (size > N_RELOC(ULONG_MAX)((0xffffffffffffffffUL) / sizeof(struct drm_i915_gem_relocation_entry
)))
return -EINVAL22;

addr = u64_to_user_ptr(entry->relocs_ptr)((void *)(uintptr_t)(entry->relocs_ptr));
size *= sizeof(struct drm_i915_gem_relocation_entry);
if (!access_ok(addr, size))
return -EFAULT14;

end = addr + size;
for (; addr < end; addr += PAGE_SIZE(1 << 12)) {
int err = __get_user(c, addr)-copyin((addr), &((c)), sizeof((c)));
if (err)
	return err;
}
return __get_user(c, end - 1)-copyin((end - 1), &((c)), sizeof((c)));
1677}

1679static int eb_copy_relocations(const struct i915_execbuffer *eb)
1680{
struct drm_i915_gem_relocation_entry *relocs;
const unsigned int count = eb->buffer_count;
unsigned int i;
int err;

for (i = 0; i < count; i++) {
const unsigned int nreloc = eb->exec[i].relocation_count;
struct drm_i915_gem_relocation_entry __user *urelocs;
unsigned long size;
unsigned long copied;

if (nreloc == 0)
	continue;

err = check_relocations(&eb->exec[i]);
if (err)
	goto err;

urelocs = u64_to_user_ptr(eb->exec[i].relocs_ptr)((void *)(uintptr_t)(eb->exec[i].relocs_ptr));
size = nreloc * sizeof(*relocs);

relocs = kvmalloc_array(size, 1, GFP_KERNEL(0x0001 | 0x0004));
if (!relocs) {
	err = -ENOMEM12;
	goto err;
}

/* copy_from_user is limited to < 4GiB */
copied = 0;
do {
	unsigned int len =
		min_t(u64, BIT_ULL(31), size - copied)({ u64 __min_a = ((1ULL << (31))); u64 __min_b = (size -
 copied); __min_a < __min_b ? __min_a : __min_b; });

	if (__copy_from_user((char *)relocs + copied,
			     (char __user *)urelocs + copied,
			     len))
		goto end;

	copied += len;
} while (copied < size);

/*
 * As we do not update the known relocation offsets after
 * relocating (due to the complexities in lock handling),
 * we need to mark them as invalid now so that we force the
 * relocation processing next time. Just in case the target
 * object is evicted and then rebound into its old
 * presumed_offset before the next execbuffer - if that
 * happened we would make the mistake of assuming that the
 * relocations were valid.
 */
if (!user_access_begin(urelocs, size)access_ok(urelocs, size))
	goto end;

for (copied = 0; copied < nreloc; copied++)
	unsafe_put_user(-1,({ __typeof((-1)) __tmp = (-1); if (copyout(&(__tmp), &
urelocs[copied].presumed_offset, sizeof(__tmp)) != 0) goto end_user
; })
			&urelocs[copied].presumed_offset,({ __typeof((-1)) __tmp = (-1); if (copyout(&(__tmp), &
urelocs[copied].presumed_offset, sizeof(__tmp)) != 0) goto end_user
; })
			end_user)({ __typeof((-1)) __tmp = (-1); if (copyout(&(__tmp), &
urelocs[copied].presumed_offset, sizeof(__tmp)) != 0) goto end_user
; });
user_access_end();

eb->exec[i].relocs_ptr = (uintptr_t)relocs;
}

return 0;

1746end_user:
user_access_end();
1748end:
kvfree(relocs);
err = -EFAULT14;
1751err:
while (i--) {
relocs = u64_to_ptr(typeof(*relocs), eb->exec[i].relocs_ptr)({ 1; (typeof(*relocs) *)(uintptr_t)(eb->exec[i].relocs_ptr
); });
if (eb->exec[i].relocation_count)
	kvfree(relocs);
}
return err;
1758}

1760static int eb_prefault_relocations(const struct i915_execbuffer *eb)
1761{
const unsigned int count = eb->buffer_count;
unsigned int i;

for (i = 0; i < count; i++) {
int err;

err = check_relocations(&eb->exec[i]);
if (err)
	return err;
}

return 0;
1774}

1776static int eb_reinit_userptr(struct i915_execbuffer *eb)
1777{
const unsigned int count = eb->buffer_count;
unsigned int i;
int ret;

if (likely(!(eb->args->flags & __EXEC_USERPTR_USED))__builtin_expect(!!(!(eb->args->flags & (1UL <<
 (29)))), 1))
return 0;

for (i = 0; i < count; i++) {
struct eb_vma *ev = &eb->vma[i];

if (!i915_gem_object_is_userptr(ev->vma->obj))
	continue;

ret = i915_gem_object_userptr_submit_init(ev->vma->obj);
if (ret)
	return ret;

ev->flags |= __EXEC_OBJECT_USERPTR_INIT(1UL << (28));
}

return 0;
1799}

1801static noinline__attribute__((__noinline__)) int eb_relocate_parse_slow(struct i915_execbuffer *eb)
1802{
bool_Bool have_copy = false0;
struct eb_vma *ev;
int err = 0;

1807repeat:
if (signal_pending(current)(((({struct cpu_info *__ci; asm volatile("movq %%gs:%P1,%0" :
 "=r" (__ci) :"n" (__builtin_offsetof(struct cpu_info, ci_self
))); __ci;})->ci_curproc)->p_siglist | (({struct cpu_info
 *__ci; asm volatile("movq %%gs:%P1,%0" : "=r" (__ci) :"n" (__builtin_offsetof
(struct cpu_info, ci_self))); __ci;})->ci_curproc)->p_p
->ps_siglist) & ~(({struct cpu_info *__ci; asm volatile
("movq %%gs:%P1,%0" : "=r" (__ci) :"n" (__builtin_offsetof(struct
 cpu_info, ci_self))); __ci;})->ci_curproc)->p_sigmask)) {
err = -ERESTARTSYS4;
goto out;
}

/* We may process another execbuffer during the unlock... */
eb_release_vmas(eb, false0);
i915_gem_ww_ctx_fini(&eb->ww);

/*
* We take 3 passes through the slowpatch.
*
* 1 - we try to just prefault all the user relocation entries and
* then attempt to reuse the atomic pagefault disabled fast path again.
*
* 2 - we copy the user entries to a local buffer here outside of the
* local and allow ourselves to wait upon any rendering before
* relocations
*
* 3 - we already have a local copy of the relocation entries, but
* were interrupted (EAGAIN) whilst waiting for the objects, try again.
*/
if (!err) {
err = eb_prefault_relocations(eb);
} else if (!have_copy) {
err = eb_copy_relocations(eb);
have_copy = err == 0;
} else {
cond_resched()do { if (({struct cpu_info *__ci; asm volatile("movq %%gs:%P1,%0"
 : "=r" (__ci) :"n" (__builtin_offsetof(struct cpu_info, ci_self
))); __ci;})->ci_schedstate.spc_schedflags & 0x0002) yield
(); } while (0);
err = 0;
}

if (!err)
err = eb_reinit_userptr(eb);

i915_gem_ww_ctx_init(&eb->ww, true1);
if (err)
goto out;

/* reacquire the objects */
1848repeat_validate:
err = eb_pin_engine(eb, false0);
if (err)
goto err;

err = eb_validate_vmas(eb);
if (err)
goto err;

GEM_BUG_ON(!eb->batches[0])((void)0);

list_for_each_entry(ev, &eb->relocs, reloc_link)for (ev = ({ const __typeof( ((__typeof(*ev) *)0)->reloc_link
 ) *__mptr = ((&eb->relocs)->next); (__typeof(*ev) *
)( (char *)__mptr - __builtin_offsetof(__typeof(*ev), reloc_link
) );}); &ev->reloc_link != (&eb->relocs); ev = (
{ const __typeof( ((__typeof(*ev) *)0)->reloc_link ) *__mptr
 = (ev->reloc_link.next); (__typeof(*ev) *)( (char *)__mptr
 - __builtin_offsetof(__typeof(*ev), reloc_link) );})) {
if (!have_copy) {
	err = eb_relocate_vma(eb, ev);
	if (err)
		break;
} else {
	err = eb_relocate_vma_slow(eb, ev);
	if (err)
		break;
}
}

if (err == -EDEADLK11)
goto err;

if (err && !have_copy)
goto repeat;

if (err)
goto err;

/* as last step, parse the command buffer */
err = eb_parse(eb);
if (err)
goto err;

/*
* Leave the user relocations as are, this is the painfully slow path,
* and we want to avoid the complication of dropping the lock whilst
* having buffers reserved in the aperture and so causing spurious
* ENOSPC for random operations.
*/

1892err:
if (err == -EDEADLK11) {
eb_release_vmas(eb, false0);
err = i915_gem_ww_ctx_backoff(&eb->ww);
if (!err)
	goto repeat_validate;
}

if (err == -EAGAIN35)
goto repeat;

1903out:
if (have_copy) {
const unsigned int count = eb->buffer_count;
unsigned int i;

for (i = 0; i < count; i++) {
	const struct drm_i915_gem_exec_object2 *entry =
		&eb->exec[i];
	struct drm_i915_gem_relocation_entry *relocs;

	if (!entry->relocation_count)
		continue;

	relocs = u64_to_ptr(typeof(*relocs), entry->relocs_ptr)({ 1; (typeof(*relocs) *)(uintptr_t)(entry->relocs_ptr); }
);
	kvfree(relocs);
}
}

return err;
1922}

1924static int eb_relocate_parse(struct i915_execbuffer *eb)
1925{
int err;
bool_Bool throttle = true1;

1929retry:
err = eb_pin_engine(eb, throttle);
if (err) {
if (err != -EDEADLK11)
	return err;

goto err;
}

/* only throttle once, even if we didn't need to throttle */
throttle = false0;

err = eb_validate_vmas(eb);
if (err == -EAGAIN35)
goto slow;
else if (err)
goto err;

/* The objects are in their final locations, apply the relocations. */
if (eb->args->flags & __EXEC_HAS_RELOC(1UL << (31))) {
struct eb_vma *ev;

list_for_each_entry(ev, &eb->relocs, reloc_link)for (ev = ({ const __typeof( ((__typeof(*ev) *)0)->reloc_link
 ) *__mptr = ((&eb->relocs)->next); (__typeof(*ev) *
)( (char *)__mptr - __builtin_offsetof(__typeof(*ev), reloc_link
) );}); &ev->reloc_link != (&eb->relocs); ev = (
{ const __typeof( ((__typeof(*ev) *)0)->reloc_link ) *__mptr
 = (ev->reloc_link.next); (__typeof(*ev) *)( (char *)__mptr
 - __builtin_offsetof(__typeof(*ev), reloc_link) );})) {
	err = eb_relocate_vma(eb, ev);
	if (err)
		break;
}

if (err == -EDEADLK11)
	goto err;
else if (err)
	goto slow;
}

if (!err)
err = eb_parse(eb);

1966err:
if (err == -EDEADLK11) {
eb_release_vmas(eb, false0);
err = i915_gem_ww_ctx_backoff(&eb->ww);
if (!err)
	goto retry;
}

return err;

1976slow:
err = eb_relocate_parse_slow(eb);
if (err)
/*
 * If the user expects the execobject.offset and
 * reloc.presumed_offset to be an exact match,
 * as for using NO_RELOC, then we cannot update
 * the execobject.offset until we have completed
 * relocation.
 */
eb->args->flags &= ~__EXEC_HAS_RELOC(1UL << (31));

return err;
1989}

1991/*
* Using two helper loops for the order of which requests / batches are created
* and added the to backend. Requests are created in order from the parent to
* the last child. Requests are added in the reverse order, from the last child
* to parent. This is done for locking reasons as the timeline lock is acquired
* during request creation and released when the request is added to the
* backend. To make lockdep happy (see intel_context_timeline_lock) this must be
* the ordering.
*/
2000#define for_each_batch_create_order(_eb, _i)for ((_i) = 0; (_i) < (_eb)->num_batches; ++(_i)) \
for ((_i) = 0; (_i) < (_eb)->num_batches; ++(_i))
2002#define for_each_batch_add_order(_eb, _i)extern char _ctassert[(!(!1)) ? 1 : -1 ] __attribute__((__unused__
)); for ((_i) = (_eb)->num_batches - 1; (_i) >= 0; --(_i
)) \
BUILD_BUG_ON(!typecheck(int, _i))extern char _ctassert[(!(!1)) ? 1 : -1 ] __attribute__((__unused__
)); \
for ((_i) = (_eb)->num_batches - 1; (_i) >= 0; --(_i))

2006static struct i915_request *
2007eb_find_first_request_added(struct i915_execbuffer *eb)
2008{
int i;

for_each_batch_add_order(eb, i)extern char _ctassert[(!(!1)) ? 1 : -1 ] __attribute__((__unused__
)); for ((i) = (eb)->num_batches - 1; (i) >= 0; --(i))
if (eb->requests[i])
	return eb->requests[i];

GEM_BUG_ON("Request not found")((void)0);

return NULL((void *)0);
2018}

2020#if IS_ENABLED(CONFIG_DRM_I915_CAPTURE_ERROR)1

2022/* Stage with GFP_KERNEL allocations before we enter the signaling critical path */
2023static int eb_capture_stage(struct i915_execbuffer *eb)
2024{
const unsigned int count = eb->buffer_count;
unsigned int i = count, j;

while (i--) {
struct eb_vma *ev = &eb->vma[i];
struct i915_vma *vma = ev->vma;
unsigned int flags = ev->flags;

if (!(flags & EXEC_OBJECT_CAPTURE(1<<7)))
	continue;

if (i915_gem_context_is_recoverable(eb->gem_context) &&
    (IS_DGFX(eb->i915)((&(eb->i915)->__info)->is_dgfx) || GRAPHICS_VER_FULL(eb->i915)(((&(eb->i915)->__runtime)->graphics.ip.ver) <<
| ((&(eb->i915)->__runtime)->graphics.ip.rel)
) > IP_VER(12, 0)((12) << 8 | (0))))
	return -EINVAL22;

for_each_batch_create_order(eb, j)for ((j) = 0; (j) < (eb)->num_batches; ++(j)) {
	struct i915_capture_list *capture;

	capture = kmalloc(sizeof(*capture), GFP_KERNEL(0x0001 | 0x0004));
	if (!capture)
		continue;

	capture->next = eb->capture_lists[j];
	capture->vma_res = i915_vma_resource_get(vma->resource);
	eb->capture_lists[j] = capture;
}
}

return 0;
2054}

2056/* Commit once we're in the critical path */
2057static void eb_capture_commit(struct i915_execbuffer *eb)
2058{
unsigned int j;

for_each_batch_create_order(eb, j)for ((j) = 0; (j) < (eb)->num_batches; ++(j)) {
struct i915_request *rq = eb->requests[j];

if (!rq)
	break;

rq->capture_list = eb->capture_lists[j];
eb->capture_lists[j] = NULL((void *)0);
}
2070}

2072/*
* Release anything that didn't get committed due to errors.
* The capture_list will otherwise be freed at request retire.
*/
2076static void eb_capture_release(struct i915_execbuffer *eb)
2077{
unsigned int j;

for_each_batch_create_order(eb, j)for ((j) = 0; (j) < (eb)->num_batches; ++(j)) {
if (eb->capture_lists[j]) {
	i915_request_free_capture_list(eb->capture_lists[j]);
	eb->capture_lists[j] = NULL((void *)0);
}
}
2086}

2088static void eb_capture_list_clear(struct i915_execbuffer *eb)
2089{
memset(eb->capture_lists, 0, sizeof(eb->capture_lists))__builtin_memset((eb->capture_lists), (0), (sizeof(eb->
capture_lists)));
2091}
10
←
Returning without writing to 'eb->buckets', which participates in a condition later→

2093#else

2095static int eb_capture_stage(struct i915_execbuffer *eb)
2096{
return 0;
2098}

2100static void eb_capture_commit(struct i915_execbuffer *eb)
2101{
2102}

2104static void eb_capture_release(struct i915_execbuffer *eb)
2105{
2106}

2108static void eb_capture_list_clear(struct i915_execbuffer *eb)
2109{
2110}

2112#endif

2114static int eb_move_to_gpu(struct i915_execbuffer *eb)
2115{
const unsigned int count = eb->buffer_count;
unsigned int i = count;
int err = 0, j;

while (i--) {
struct eb_vma *ev = &eb->vma[i];
struct i915_vma *vma = ev->vma;
unsigned int flags = ev->flags;
struct drm_i915_gem_object *obj = vma->obj;

assert_vma_held(vma)do { (void)(&((vma)->obj->base.resv)->lock.base)
; } while(0);

/*
 * If the GPU is not _reading_ through the CPU cache, we need
 * to make sure that any writes (both previous GPU writes from
 * before a change in snooping levels and normal CPU writes)
 * caught in that cache are flushed to main memory.
 *
 * We want to say
 *   obj->cache_dirty &&
 *   !(obj->cache_coherent & I915_BO_CACHE_COHERENT_FOR_READ)
 * but gcc's optimiser doesn't handle that as well and emits
 * two jumps instead of one. Maybe one day...
 *
 * FIXME: There is also sync flushing in set_pages(), which
 * serves a different purpose(some of the time at least).
 *
 * We should consider:
 *
 *   1. Rip out the async flush code.
 *
 *   2. Or make the sync flushing use the async clflush path
 *   using mandatory fences underneath. Currently the below
 *   async flush happens after we bind the object.
 */
if (unlikely(obj->cache_dirty & ~obj->cache_coherent)__builtin_expect(!!(obj->cache_dirty & ~obj->cache_coherent
), 0)) {
	if (i915_gem_clflush_object(obj, 0))
		flags &= ~EXEC_OBJECT_ASYNC(1<<6);
}

/* We only need to await on the first request */
if (err == 0 && !(flags & EXEC_OBJECT_ASYNC(1<<6))) {
	err = i915_request_await_object
		(eb_find_first_request_added(eb), obj,
		 flags & EXEC_OBJECT_WRITE(1<<2));
}

for_each_batch_add_order(eb, j)extern char _ctassert[(!(!1)) ? 1 : -1 ] __attribute__((__unused__
)); for ((j) = (eb)->num_batches - 1; (j) >= 0; --(j)) {
	if (err)
		break;
	if (!eb->requests[j])
		continue;

	err = _i915_vma_move_to_active(vma, eb->requests[j],
				       j ? NULL((void *)0) :
				       eb->composite_fence ?
				       eb->composite_fence :
				       &eb->requests[j]->fence,
				       flags | __EXEC_OBJECT_NO_RESERVE(1UL << (31)));
}
}

2178#ifdef CONFIG_MMU_NOTIFIER
if (!err && (eb->args->flags & __EXEC_USERPTR_USED(1UL << (29)))) {
read_lock(&eb->i915->mm.notifier_lock)mtx_enter(&eb->i915->mm.notifier_lock);

/*
 * count is always at least 1, otherwise __EXEC_USERPTR_USED
 * could not have been set
 */
for (i = 0; i < count; i++) {
	struct eb_vma *ev = &eb->vma[i];
	struct drm_i915_gem_object *obj = ev->vma->obj;

	if (!i915_gem_object_is_userptr(obj))
		continue;

	err = i915_gem_object_userptr_submit_done(obj);
	if (err)
		break;
}

read_unlock(&eb->i915->mm.notifier_lock)mtx_leave(&eb->i915->mm.notifier_lock);
}
2200#endif

if (unlikely(err)__builtin_expect(!!(err), 0))
goto err_skip;

/* Unconditionally flush any chipset caches (for streaming writes). */
intel_gt_chipset_flush(eb->gt);
eb_capture_commit(eb);

return 0;

2211err_skip:
for_each_batch_create_order(eb, j)for ((j) = 0; (j) < (eb)->num_batches; ++(j)) {
if (!eb->requests[j])
	break;

i915_request_set_error_once(eb->requests[j], err);
}
return err;
2219}

2221static int i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
2222{
if (exec->flags & __I915_EXEC_ILLEGAL_FLAGS((-((1 << 21) << 1)) | (3<<6) | (1<<15
)))
return -EINVAL22;

/* Kernel clipping was a DRI1 misfeature */
if (!(exec->flags & (I915_EXEC_FENCE_ARRAY(1<<19) |
	     I915_EXEC_USE_EXTENSIONS(1 << 21)))) {
if (exec->num_cliprects || exec->cliprects_ptr)
	return -EINVAL22;
}

if (exec->DR4 == 0xffffffff) {
DRM_DEBUG("UXA submitting garbage DR4, fixing up\n")___drm_dbg(((void *)0), DRM_UT_CORE, "UXA submitting garbage DR4, fixing up\n"
);
exec->DR4 = 0;
}
if (exec->DR1 || exec->DR4)
return -EINVAL22;

if ((exec->batch_start_offset | exec->batch_len) & 0x7)
return -EINVAL22;

return 0;
2244}

2246static int i915_reset_gen7_sol_offsets(struct i915_request *rq)
2247{
u32 *cs;
int i;

if (GRAPHICS_VER(rq->engine->i915)((&(rq->engine->i915)->__runtime)->graphics.ip
.ver) != 7 || rq->engine->id != RCS0) {
drm_dbg(&rq->engine->i915->drm, "sol reset is gen7/rcs only\n")__drm_dev_dbg(((void *)0), (&rq->engine->i915->drm
) ? (&rq->engine->i915->drm)->dev : ((void *)
0), DRM_UT_DRIVER, "sol reset is gen7/rcs only\n");
return -EINVAL22;
}

cs = intel_ring_begin(rq, 4 * 2 + 2);
if (IS_ERR(cs))
return PTR_ERR(cs);

*cs++ = MI_LOAD_REGISTER_IMM(4)(((0x0) << 29) | (0x22) << 23 | (2*(4)-1));
for (i = 0; i < 4; i++) {
*cs++ = i915_mmio_reg_offset(GEN7_SO_WRITE_OFFSET(i)((const i915_reg_t){ .reg = (0x5280 + (i) * 4) }));
*cs++ = 0;
}
*cs++ = MI_NOOP(((0x0) << 29) | (0) << 23 | (0));
intel_ring_advance(rq, cs);

return 0;
2269}

2271static struct i915_vma *
2272shadow_batch_pin(struct i915_execbuffer *eb,
 struct drm_i915_gem_object *obj,
 struct i915_address_space *vm,
 unsigned int flags)
2276{
struct i915_vma *vma;
int err;

vma = i915_vma_instance(obj, vm, NULL((void *)0));
if (IS_ERR(vma))
return vma;

err = i915_vma_pin_ww(vma, &eb->ww, 0, 0, flags | PIN_VALIDATE(1ULL << (8)));
if (err)
return ERR_PTR(err);

return vma;
2289}

2291static struct i915_vma *eb_dispatch_secure(struct i915_execbuffer *eb, struct i915_vma *vma)
2292{
/*
* snb/ivb/vlv conflate the "batch in ppgtt" bit with the "non-secure
* batch" bit. Hence we need to pin secure batches into the global gtt.
* hsw should have this fixed, but bdw mucks it up again. */
if (eb->batch_flags & I915_DISPATCH_SECURE(1UL << (0)))
return i915_gem_object_ggtt_pin_ww(vma->obj, &eb->ww, NULL((void *)0), 0, 0, PIN_VALIDATE(1ULL << (8)));

return NULL((void *)0);
2301}

2303static int eb_parse(struct i915_execbuffer *eb)
2304{
struct drm_i915_privateinteldrm_softc *i915 = eb->i915;
struct intel_gt_buffer_pool_node *pool = eb->batch_pool;
struct i915_vma *shadow, *trampoline, *batch;
unsigned long len;
int err;

if (!eb_use_cmdparser(eb)) {
batch = eb_dispatch_secure(eb, eb->batches[0]->vma);
if (IS_ERR(batch))
	return PTR_ERR(batch);

goto secure_batch;
}

if (intel_context_is_parallel(eb->context))
return -EINVAL22;

len = eb->batch_len[0];
if (!CMDPARSER_USES_GGTT(eb->i915)(((&(eb->i915)->__runtime)->graphics.ip.ver) == 7
)) {
/*
 * ppGTT backed shadow buffers must be mapped RO, to prevent
 * post-scan tampering
 */
if (!eb->context->vm->has_read_only) {
	drm_dbg(&i915->drm,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Cannot prevent post-scan tampering without RO capable vm\n"
)
		"Cannot prevent post-scan tampering without RO capable vm\n")__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Cannot prevent post-scan tampering without RO capable vm\n"
);
	return -EINVAL22;
}
} else {
len += I915_CMD_PARSER_TRAMPOLINE_SIZE8;
}
if (unlikely(len < eb->batch_len[0])__builtin_expect(!!(len < eb->batch_len[0]), 0)) /* last paranoid check of overflow */
return -EINVAL22;

if (!pool) {
pool = intel_gt_get_buffer_pool(eb->gt, len,
				I915_MAP_WB);
if (IS_ERR(pool))
	return PTR_ERR(pool);
eb->batch_pool = pool;
}

err = i915_gem_object_lock(pool->obj, &eb->ww);
if (err)
return err;

shadow = shadow_batch_pin(eb, pool->obj, eb->context->vm, PIN_USER(1ULL << (11)));
if (IS_ERR(shadow))
return PTR_ERR(shadow);

intel_gt_buffer_pool_mark_used(pool);
i915_gem_object_set_readonly(shadow->obj);
shadow->private = pool;

trampoline = NULL((void *)0);
if (CMDPARSER_USES_GGTT(eb->i915)(((&(eb->i915)->__runtime)->graphics.ip.ver) == 7
)) {
trampoline = shadow;

shadow = shadow_batch_pin(eb, pool->obj,
			  &eb->gt->ggtt->vm,
			  PIN_GLOBAL(1ULL << (10)));
if (IS_ERR(shadow))
	return PTR_ERR(shadow);

shadow->private = pool;

eb->batch_flags |= I915_DISPATCH_SECURE(1UL << (0));
}

batch = eb_dispatch_secure(eb, shadow);
if (IS_ERR(batch))
return PTR_ERR(batch);

err = dma_resv_reserve_fences(shadow->obj->base.resv, 1);
if (err)
return err;

err = intel_engine_cmd_parser(eb->context->engine,
		      eb->batches[0]->vma,
		      eb->batch_start_offset,
		      eb->batch_len[0],
		      shadow, trampoline);
if (err)
return err;

eb->batches[0] = &eb->vma[eb->buffer_count++];
eb->batches[0]->vma = i915_vma_get(shadow);
eb->batches[0]->flags = __EXEC_OBJECT_HAS_PIN(1UL << (30));

eb->trampoline = trampoline;
eb->batch_start_offset = 0;

2397secure_batch:
if (batch) {
if (intel_context_is_parallel(eb->context))
	return -EINVAL22;

eb->batches[0] = &eb->vma[eb->buffer_count++];
eb->batches[0]->flags = __EXEC_OBJECT_HAS_PIN(1UL << (30));
eb->batches[0]->vma = i915_vma_get(batch);
}
return 0;
2407}

2409static int eb_request_submit(struct i915_execbuffer *eb,
	     struct i915_request *rq,
	     struct i915_vma *batch,
	     u64 batch_len)
2413{
int err;

if (intel_context_nopreempt(rq->context))
__set_bit(I915_FENCE_FLAG_NOPREEMPT, &rq->fence.flags);

if (eb->args->flags & I915_EXEC_GEN7_SOL_RESET(1<<8)) {
err = i915_reset_gen7_sol_offsets(rq);
if (err)
	return err;
}

/*
* After we completed waiting for other engines (using HW semaphores)
* then we can signal that this request/batch is ready to run. This
* allows us to determine if the batch is still waiting on the GPU
* or actually running by checking the breadcrumb.
*/
if (rq->context->engine->emit_init_breadcrumb) {
err = rq->context->engine->emit_init_breadcrumb(rq);
if (err)
	return err;
}

err = rq->context->engine->emit_bb_start(rq,
				 batch->node.start +
				 eb->batch_start_offset,
				 batch_len,
				 eb->batch_flags);
if (err)
return err;

if (eb->trampoline) {
GEM_BUG_ON(intel_context_is_parallel(rq->context))((void)0);
GEM_BUG_ON(eb->batch_start_offset)((void)0);
err = rq->context->engine->emit_bb_start(rq,
					 eb->trampoline->node.start +
					 batch_len, 0, 0);
if (err)
	return err;
}

return 0;
2456}

2458static int eb_submit(struct i915_execbuffer *eb)
2459{
unsigned int i;
int err;

err = eb_move_to_gpu(eb);

for_each_batch_create_order(eb, i)for ((i) = 0; (i) < (eb)->num_batches; ++(i)) {
if (!eb->requests[i])
	break;

trace_i915_request_queue(eb->requests[i], eb->batch_flags);
if (!err)
	err = eb_request_submit(eb, eb->requests[i],
				eb->batches[i]->vma,
				eb->batch_len[i]);
}

return err;
2477}

2479static int num_vcs_engines(struct drm_i915_privateinteldrm_softc *i915)
2480{
return hweight_long(VDBOX_MASK(to_gt(i915))({ unsigned int first__ = (VCS0); unsigned int count__ = (8);
 ((to_gt(i915))->info.engine_mask & (((~0UL) >> (
- (first__ + count__ - 1) - 1)) & ((~0UL) << (first__
)))) >> first__; }));
2482}

2484/*
* Find one BSD ring to dispatch the corresponding BSD command.
* The engine index is returned.
*/
2488static unsigned int
2489gen8_dispatch_bsd_engine(struct drm_i915_privateinteldrm_softc *dev_priv,
	 struct drm_file *file)
2491{
struct drm_i915_file_private *file_priv = file->driver_priv;

/* Check whether the file_priv has already selected one ring. */
if ((int)file_priv->bsd_engine < 0)
file_priv->bsd_engine =
	prandom_u32_max(num_vcs_engines(dev_priv));

return file_priv->bsd_engine;
2500}

2502static const enum intel_engine_id user_ring_map[] = {
[I915_EXEC_DEFAULT(0<<0)]	= RCS0,
[I915_EXEC_RENDER(1<<0)]	= RCS0,
[I915_EXEC_BLT(3<<0)]		= BCS0,
[I915_EXEC_BSD(2<<0)]		= VCS0,
[I915_EXEC_VEBOX(4<<0)]	= VECS0
2508};

2510static struct i915_request *eb_throttle(struct i915_execbuffer *eb, struct intel_context *ce)
2511{
struct intel_ring *ring = ce->ring;
struct intel_timeline *tl = ce->timeline;
struct i915_request *rq;

/*
* Completely unscientific finger-in-the-air estimates for suitable
* maximum user request size (to avoid blocking) and then backoff.
*/
if (intel_ring_update_space(ring) >= PAGE_SIZE(1 << 12))
return NULL((void *)0);

/*
* Find a request that after waiting upon, there will be at least half
* the ring available. The hysteresis allows us to compete for the
* shared ring and should mean that we sleep less often prior to
* claiming our resources, but not so long that the ring completely
* drains before we can submit our next request.
*/
list_for_each_entry(rq, &tl->requests, link)for (rq = ({ const __typeof( ((__typeof(*rq) *)0)->link ) *
__mptr = ((&tl->requests)->next); (__typeof(*rq) *)
( (char *)__mptr - __builtin_offsetof(__typeof(*rq), link) );
}); &rq->link != (&tl->requests); rq = ({ const
 __typeof( ((__typeof(*rq) *)0)->link ) *__mptr = (rq->
link.next); (__typeof(*rq) *)( (char *)__mptr - __builtin_offsetof
(__typeof(*rq), link) );})) {
if (rq->ring != ring)
	continue;

if (__intel_ring_space(rq->postfix,
		       ring->emit, ring->size) > ring->size / 2)
	break;
}
if (&rq->link == &tl->requests)
return NULL((void *)0); /* weird, we will check again later for real */

return i915_request_get(rq);
2542}

2544static int eb_pin_timeline(struct i915_execbuffer *eb, struct intel_context *ce,
	   bool_Bool throttle)
2546{
struct intel_timeline *tl;
struct i915_request *rq = NULL((void *)0);

/*
* Take a local wakeref for preparing to dispatch the execbuf as
* we expect to access the hardware fairly frequently in the
* process, and require the engine to be kept awake between accesses.
* Upon dispatch, we acquire another prolonged wakeref that we hold
* until the timeline is idle, which in turn releases the wakeref
* taken on the engine, and the parent device.
*/
tl = intel_context_timeline_lock(ce);
if (IS_ERR(tl))
return PTR_ERR(tl);

intel_context_enter(ce);
if (throttle)
rq = eb_throttle(eb, ce);
intel_context_timeline_unlock(tl);

if (rq) {
2568#ifdef __linux__
bool_Bool nonblock = eb->file->filp->f_flags & O_NONBLOCK0x0004;
2570#else
bool_Bool nonblock = eb->file->filp->f_flag & FNONBLOCK0x0004;
2572#endif
long timeout = nonblock ? 0 : MAX_SCHEDULE_TIMEOUT(0x7fffffff);

if (i915_request_wait(rq, I915_WAIT_INTERRUPTIBLE(1UL << (0)),
		      timeout) < 0) {
	i915_request_put(rq);

	/*
	 * Error path, cannot use intel_context_timeline_lock as
	 * that is user interruptable and this clean up step
	 * must be done.
	 */
	mutex_lock(&ce->timeline->mutex)rw_enter_write(&ce->timeline->mutex);
	intel_context_exit(ce);
	mutex_unlock(&ce->timeline->mutex)rw_exit_write(&ce->timeline->mutex);

	if (nonblock)
		return -EWOULDBLOCK35;
	else
		return -EINTR4;
}
i915_request_put(rq);
}

return 0;
2597}

2599static int eb_pin_engine(struct i915_execbuffer *eb, bool_Bool throttle)
2600{
struct intel_context *ce = eb->context, *child;
int err;
int i = 0, j = 0;

GEM_BUG_ON(eb->args->flags & __EXEC_ENGINE_PINNED)((void)0);

if (unlikely(intel_context_is_banned(ce))__builtin_expect(!!(intel_context_is_banned(ce)), 0))
return -EIO5;

/*
* Pinning the contexts may generate requests in order to acquire
* GGTT space, so do this first before we reserve a seqno for
* ourselves.
*/
err = intel_context_pin_ww(ce, &eb->ww);
if (err)
return err;
for_each_child(ce, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(ce)->parallel.child_list)->
next); (__typeof(*child) *)( (char *)__mptr - __builtin_offsetof
(__typeof(*child), parallel.child_link) );}); &child->
parallel.child_link != (&(ce)->parallel.child_list); child
 = ({ const __typeof( ((__typeof(*child) *)0)->parallel.child_link
 ) *__mptr = (child->parallel.child_link.next); (__typeof(
*child) *)( (char *)__mptr - __builtin_offsetof(__typeof(*child
), parallel.child_link) );})) {
err = intel_context_pin_ww(child, &eb->ww);
GEM_BUG_ON(err)((void)0);	/* perma-pinned should incr a counter */
}

for_each_child(ce, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(ce)->parallel.child_list)->
next); (__typeof(*child) *)( (char *)__mptr - __builtin_offsetof
(__typeof(*child), parallel.child_link) );}); &child->
parallel.child_link != (&(ce)->parallel.child_list); child
 = ({ const __typeof( ((__typeof(*child) *)0)->parallel.child_link
 ) *__mptr = (child->parallel.child_link.next); (__typeof(
*child) *)( (char *)__mptr - __builtin_offsetof(__typeof(*child
), parallel.child_link) );})) {
err = eb_pin_timeline(eb, child, throttle);
if (err)
	goto unwind;
++i;
}
err = eb_pin_timeline(eb, ce, throttle);
if (err)
goto unwind;

eb->args->flags |= __EXEC_ENGINE_PINNED(1UL << (30));
return 0;

2636unwind:
for_each_child(ce, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(ce)->parallel.child_list)->
next); (__typeof(*child) *)( (char *)__mptr - __builtin_offsetof
(__typeof(*child), parallel.child_link) );}); &child->
parallel.child_link != (&(ce)->parallel.child_list); child
 = ({ const __typeof( ((__typeof(*child) *)0)->parallel.child_link
 ) *__mptr = (child->parallel.child_link.next); (__typeof(
*child) *)( (char *)__mptr - __builtin_offsetof(__typeof(*child
), parallel.child_link) );})) {
if (j++ < i) {
	mutex_lock(&child->timeline->mutex)rw_enter_write(&child->timeline->mutex);
	intel_context_exit(child);
	mutex_unlock(&child->timeline->mutex)rw_exit_write(&child->timeline->mutex);
}
}
for_each_child(ce, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(ce)->parallel.child_list)->
next); (__typeof(*child) *)( (char *)__mptr - __builtin_offsetof
(__typeof(*child), parallel.child_link) );}); &child->
parallel.child_link != (&(ce)->parallel.child_list); child
 = ({ const __typeof( ((__typeof(*child) *)0)->parallel.child_link
 ) *__mptr = (child->parallel.child_link.next); (__typeof(
*child) *)( (char *)__mptr - __builtin_offsetof(__typeof(*child
), parallel.child_link) );}))
intel_context_unpin(child);
intel_context_unpin(ce);
return err;
2648}

2650static void eb_unpin_engine(struct i915_execbuffer *eb)
2651{
struct intel_context *ce = eb->context, *child;

if (!(eb->args->flags & __EXEC_ENGINE_PINNED(1UL << (30))))
return;

eb->args->flags &= ~__EXEC_ENGINE_PINNED(1UL << (30));

for_each_child(ce, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(ce)->parallel.child_list)->
next); (__typeof(*child) *)( (char *)__mptr - __builtin_offsetof
(__typeof(*child), parallel.child_link) );}); &child->
parallel.child_link != (&(ce)->parallel.child_list); child
 = ({ const __typeof( ((__typeof(*child) *)0)->parallel.child_link
 ) *__mptr = (child->parallel.child_link.next); (__typeof(
*child) *)( (char *)__mptr - __builtin_offsetof(__typeof(*child
), parallel.child_link) );})) {
mutex_lock(&child->timeline->mutex)rw_enter_write(&child->timeline->mutex);
intel_context_exit(child);
mutex_unlock(&child->timeline->mutex)rw_exit_write(&child->timeline->mutex);

intel_context_unpin(child);
}

mutex_lock(&ce->timeline->mutex)rw_enter_write(&ce->timeline->mutex);
intel_context_exit(ce);
mutex_unlock(&ce->timeline->mutex)rw_exit_write(&ce->timeline->mutex);

intel_context_unpin(ce);
2672}

2674static unsigned int
2675eb_select_legacy_ring(struct i915_execbuffer *eb)
2676{
struct drm_i915_privateinteldrm_softc *i915 = eb->i915;
struct drm_i915_gem_execbuffer2 *args = eb->args;
unsigned int user_ring_id = args->flags & I915_EXEC_RING_MASK(0x3f);

if (user_ring_id != I915_EXEC_BSD(2<<0) &&
   (args->flags & I915_EXEC_BSD_MASK(3 << (13)))) {
drm_dbg(&i915->drm,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "execbuf with non bsd ring but with invalid "
 "bsd dispatch flags: %d\n", (int)(args->flags))
	"execbuf with non bsd ring but with invalid "__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "execbuf with non bsd ring but with invalid "
 "bsd dispatch flags: %d\n", (int)(args->flags))
	"bsd dispatch flags: %d\n", (int)(args->flags))__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "execbuf with non bsd ring but with invalid "
 "bsd dispatch flags: %d\n", (int)(args->flags));
return -1;
}

if (user_ring_id == I915_EXEC_BSD(2<<0) && num_vcs_engines(i915) > 1) {
unsigned int bsd_idx = args->flags & I915_EXEC_BSD_MASK(3 << (13));

if (bsd_idx == I915_EXEC_BSD_DEFAULT(0 << (13))) {
	bsd_idx = gen8_dispatch_bsd_engine(i915, eb->file);
} else if (bsd_idx >= I915_EXEC_BSD_RING1(1 << (13)) &&
	   bsd_idx <= I915_EXEC_BSD_RING2(2 << (13))) {
	bsd_idx >>= I915_EXEC_BSD_SHIFT(13);
	bsd_idx--;
} else {
	drm_dbg(&i915->drm,__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "execbuf with unknown bsd ring: %u\n"
, bsd_idx)
		"execbuf with unknown bsd ring: %u\n",__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "execbuf with unknown bsd ring: %u\n"
, bsd_idx)
		bsd_idx)__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "execbuf with unknown bsd ring: %u\n"
, bsd_idx);
	return -1;
}

return _VCS(bsd_idx)(VCS0 + (bsd_idx));
}

if (user_ring_id >= ARRAY_SIZE(user_ring_map)(sizeof((user_ring_map)) / sizeof((user_ring_map)[0]))) {
drm_dbg(&i915->drm, "execbuf with unknown ring: %u\n",__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "execbuf with unknown ring: %u\n"
, user_ring_id)
	user_ring_id)__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "execbuf with unknown ring: %u\n"
, user_ring_id);
return -1;
}

return user_ring_map[user_ring_id];
2715}

2717static int
2718eb_select_engine(struct i915_execbuffer *eb)
2719{
struct intel_context *ce, *child;
unsigned int idx;
int err;

if (i915_gem_context_user_engines(eb->gem_context))
idx = eb->args->flags & I915_EXEC_RING_MASK(0x3f);
else
idx = eb_select_legacy_ring(eb);

ce = i915_gem_context_get_engine(eb->gem_context, idx);
if (IS_ERR(ce))
return PTR_ERR(ce);

if (intel_context_is_parallel(ce)) {
if (eb->buffer_count < ce->parallel.number_children + 1) {
	intel_context_put(ce);
	return -EINVAL22;
}
if (eb->batch_start_offset || eb->args->batch_len) {
	intel_context_put(ce);
	return -EINVAL22;
}
}
eb->num_batches = ce->parallel.number_children + 1;

for_each_child(ce, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(ce)->parallel.child_list)->
next); (__typeof(*child) *)( (char *)__mptr - __builtin_offsetof
(__typeof(*child), parallel.child_link) );}); &child->
parallel.child_link != (&(ce)->parallel.child_list); child
 = ({ const __typeof( ((__typeof(*child) *)0)->parallel.child_link
 ) *__mptr = (child->parallel.child_link.next); (__typeof(
*child) *)( (char *)__mptr - __builtin_offsetof(__typeof(*child
), parallel.child_link) );}))
intel_context_get(child);
intel_gt_pm_get(ce->engine->gt);

if (!test_bit(CONTEXT_ALLOC_BIT1, &ce->flags)) {
err = intel_context_alloc_state(ce);
if (err)
	goto err;
}
for_each_child(ce, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(ce)->parallel.child_list)->
next); (__typeof(*child) *)( (char *)__mptr - __builtin_offsetof
(__typeof(*child), parallel.child_link) );}); &child->
parallel.child_link != (&(ce)->parallel.child_list); child
 = ({ const __typeof( ((__typeof(*child) *)0)->parallel.child_link
 ) *__mptr = (child->parallel.child_link.next); (__typeof(
*child) *)( (char *)__mptr - __builtin_offsetof(__typeof(*child
), parallel.child_link) );})) {
if (!test_bit(CONTEXT_ALLOC_BIT1, &child->flags)) {
	err = intel_context_alloc_state(child);
	if (err)
		goto err;
}
}

/*
* ABI: Before userspace accesses the GPU (e.g. execbuffer), report
* EIO if the GPU is already wedged.
*/
err = intel_gt_terminally_wedged(ce->engine->gt);
if (err)
goto err;

if (!i915_vm_tryget(ce->vm)) {
err = -ENOENT2;
goto err;
}

eb->context = ce;
eb->gt = ce->engine->gt;

/*
* Make sure engine pool stays alive even if we call intel_context_put
* during ww handling. The pool is destroyed when last pm reference
* is dropped, which breaks our -EDEADLK handling.
*/
return err;

2785err:
intel_gt_pm_put(ce->engine->gt);
for_each_child(ce, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(ce)->parallel.child_list)->
next); (__typeof(*child) *)( (char *)__mptr - __builtin_offsetof
(__typeof(*child), parallel.child_link) );}); &child->
parallel.child_link != (&(ce)->parallel.child_list); child
 = ({ const __typeof( ((__typeof(*child) *)0)->parallel.child_link
 ) *__mptr = (child->parallel.child_link.next); (__typeof(
*child) *)( (char *)__mptr - __builtin_offsetof(__typeof(*child
), parallel.child_link) );}))
intel_context_put(child);
intel_context_put(ce);
return err;
2791}

2793static void
2794eb_put_engine(struct i915_execbuffer *eb)
2795{
struct intel_context *child;

i915_vm_put(eb->context->vm);
intel_gt_pm_put(eb->gt);
for_each_child(eb->context, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(eb->context)->parallel.
child_list)->next); (__typeof(*child) *)( (char *)__mptr -
 __builtin_offsetof(__typeof(*child), parallel.child_link) );
}); &child->parallel.child_link != (&(eb->context
)->parallel.child_list); child = ({ const __typeof( ((__typeof
(*child) *)0)->parallel.child_link ) *__mptr = (child->
parallel.child_link.next); (__typeof(*child) *)( (char *)__mptr
 - __builtin_offsetof(__typeof(*child), parallel.child_link) )
;}))
intel_context_put(child);
intel_context_put(eb->context);
2803}

2805static void
2806__free_fence_array(struct eb_fence *fences, unsigned int n)
2807{
while (n--) {
drm_syncobj_put(ptr_mask_bits(fences[n].syncobj, 2)({ unsigned long __v = (unsigned long)(fences[n].syncobj); (typeof
(fences[n].syncobj))(__v & -(1UL << (2))); }));
dma_fence_put(fences[n].dma_fence);
dma_fence_chain_free(fences[n].chain_fence);
}
kvfree(fences);
2814}

2816static int
2817add_timeline_fence_array(struct i915_execbuffer *eb,
	 const struct drm_i915_gem_execbuffer_ext_timeline_fences *timeline_fences)
2819{
struct drm_i915_gem_exec_fence __user *user_fences;
u64 __user *user_values;
struct eb_fence *f;
u64 nfences;
int err = 0;

nfences = timeline_fences->fence_count;
if (!nfences)
return 0;

/* Check multiplication overflow for access_ok() and kvmalloc_array() */
BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long))extern char _ctassert[(!(sizeof(size_t) > sizeof(unsigned long
))) ? 1 : -1 ] __attribute__((__unused__));
if (nfences > min_t(unsigned long,({ unsigned long __min_a = (0xffffffffffffffffUL / sizeof(*user_fences
)); unsigned long __min_b = (0xffffffffffffffffUL / sizeof(*f
)); __min_a < __min_b ? __min_a : __min_b; })
	    ULONG_MAX / sizeof(*user_fences),({ unsigned long __min_a = (0xffffffffffffffffUL / sizeof(*user_fences
)); unsigned long __min_b = (0xffffffffffffffffUL / sizeof(*f
)); __min_a < __min_b ? __min_a : __min_b; })
	    SIZE_MAX / sizeof(*f))({ unsigned long __min_a = (0xffffffffffffffffUL / sizeof(*user_fences
)); unsigned long __min_b = (0xffffffffffffffffUL / sizeof(*f
)); __min_a < __min_b ? __min_a : __min_b; }) - eb->num_fences)
return -EINVAL22;

user_fences = u64_to_user_ptr(timeline_fences->handles_ptr)((void *)(uintptr_t)(timeline_fences->handles_ptr));
if (!access_ok(user_fences, nfences * sizeof(*user_fences)))
return -EFAULT14;

user_values = u64_to_user_ptr(timeline_fences->values_ptr)((void *)(uintptr_t)(timeline_fences->values_ptr));
if (!access_ok(user_values, nfences * sizeof(*user_values)))
return -EFAULT14;

2845#ifdef __linux__
f = krealloc(eb->fences,
     (eb->num_fences + nfences) * sizeof(*f),
     __GFP_NOWARN0 | GFP_KERNEL(0x0001 | 0x0004));
if (!f)
return -ENOMEM12;
2851#else
f = kmalloc((eb->num_fences + nfences) * sizeof(*f),
     __GFP_NOWARN0 | GFP_KERNEL(0x0001 | 0x0004));
if (!f)
return -ENOMEM12;
memcpy(f, eb->fences, eb->num_fences * sizeof(*f))__builtin_memcpy((f), (eb->fences), (eb->num_fences * sizeof
(*f)));
kfree(eb->fences);
2858#endif

eb->fences = f;
f += eb->num_fences;

2863#ifdef notyet
BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) &extern char _ctassert[(!(~(64 - 1) & ~(-((1<<1) <<
 1)))) ? 1 : -1 ] __attribute__((__unused__))
     ~__I915_EXEC_FENCE_UNKNOWN_FLAGS)extern char _ctassert[(!(~(64 - 1) & ~(-((1<<1) <<
 1)))) ? 1 : -1 ] __attribute__((__unused__));
2866#endif

while (nfences--) {
struct drm_i915_gem_exec_fence user_fence;
struct drm_syncobj *syncobj;
struct dma_fence *fence = NULL((void *)0);
u64 point;

if (__copy_from_user(&user_fence,
		     user_fences++,
		     sizeof(user_fence)))
	return -EFAULT14;

if (user_fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS(-((1<<1) << 1)))
	return -EINVAL22;

if (__get_user(point, user_values++)-copyin((user_values++), &((point)), sizeof((point))))
	return -EFAULT14;

syncobj = drm_syncobj_find(eb->file, user_fence.handle);
if (!syncobj) {
	DRM_DEBUG("Invalid syncobj handle provided\n")___drm_dbg(((void *)0), DRM_UT_CORE, "Invalid syncobj handle provided\n"
);
	return -ENOENT2;
}

fence = drm_syncobj_fence_get(syncobj);

if (!fence && user_fence.flags &&
    !(user_fence.flags & I915_EXEC_FENCE_SIGNAL(1<<1))) {
	DRM_DEBUG("Syncobj handle has no fence\n")___drm_dbg(((void *)0), DRM_UT_CORE, "Syncobj handle has no fence\n"
);
	drm_syncobj_put(syncobj);
	return -EINVAL22;
}

if (fence)
	err = dma_fence_chain_find_seqno(&fence, point);

if (err && !(user_fence.flags & I915_EXEC_FENCE_SIGNAL(1<<1))) {
	DRM_DEBUG("Syncobj handle missing requested point %llu\n", point)___drm_dbg(((void *)0), DRM_UT_CORE, "Syncobj handle missing requested point %llu\n"
, point);
	dma_fence_put(fence);
	drm_syncobj_put(syncobj);
	return err;
}

/*
 * A point might have been signaled already and
 * garbage collected from the timeline. In this case
 * just ignore the point and carry on.
 */
if (!fence && !(user_fence.flags & I915_EXEC_FENCE_SIGNAL(1<<1))) {
	drm_syncobj_put(syncobj);
	continue;
}

/*
 * For timeline syncobjs we need to preallocate chains for
 * later signaling.
 */
if (point != 0 && user_fence.flags & I915_EXEC_FENCE_SIGNAL(1<<1)) {
	/*
	 * Waiting and signaling the same point (when point !=
	 * 0) would break the timeline.
	 */
	if (user_fence.flags & I915_EXEC_FENCE_WAIT(1<<0)) {
		DRM_DEBUG("Trying to wait & signal the same timeline point.\n")___drm_dbg(((void *)0), DRM_UT_CORE, "Trying to wait & signal the same timeline point.\n"
);
		dma_fence_put(fence);
		drm_syncobj_put(syncobj);
		return -EINVAL22;
	}

	f->chain_fence = dma_fence_chain_alloc();
	if (!f->chain_fence) {
		drm_syncobj_put(syncobj);
		dma_fence_put(fence);
		return -ENOMEM12;
	}
} else {
	f->chain_fence = NULL((void *)0);
}

f->syncobj = ptr_pack_bits(syncobj, user_fence.flags, 2)({ unsigned long __bits = (user_fence.flags); ((void)0); ((typeof
(syncobj))((unsigned long)(syncobj) | __bits)); });
f->dma_fence = fence;
f->value = point;
f++;
eb->num_fences++;
}

return 0;
2954}

2956static int add_fence_array(struct i915_execbuffer *eb)
2957{
struct drm_i915_gem_execbuffer2 *args = eb->args;
struct drm_i915_gem_exec_fence __user *user;
unsigned long num_fences = args->num_cliprects;
struct eb_fence *f;

if (!(args->flags & I915_EXEC_FENCE_ARRAY(1<<19)))
27
←
Assuming the condition is false→
28
←
Taking false branch→
return 0;

if (!num_fences)
29
←
Assuming 'num_fences' is 0→
30
←
Taking true branch→
return 0;
31
←
Returning without writing to 'eb->buckets', which participates in a condition later→

/* Check multiplication overflow for access_ok() and kvmalloc_array() */
BUILD_BUG_ON(sizeof(size_t) > sizeof(unsigned long))extern char _ctassert[(!(sizeof(size_t) > sizeof(unsigned long
))) ? 1 : -1 ] __attribute__((__unused__));
if (num_fences > min_t(unsigned long,({ unsigned long __min_a = (0xffffffffffffffffUL / sizeof(*user
)); unsigned long __min_b = (0xffffffffffffffffUL / sizeof(*f
) - eb->num_fences); __min_a < __min_b ? __min_a : __min_b
; })
	       ULONG_MAX / sizeof(*user),({ unsigned long __min_a = (0xffffffffffffffffUL / sizeof(*user
)); unsigned long __min_b = (0xffffffffffffffffUL / sizeof(*f
) - eb->num_fences); __min_a < __min_b ? __min_a : __min_b
; })
	       SIZE_MAX / sizeof(*f) - eb->num_fences)({ unsigned long __min_a = (0xffffffffffffffffUL / sizeof(*user
)); unsigned long __min_b = (0xffffffffffffffffUL / sizeof(*f
) - eb->num_fences); __min_a < __min_b ? __min_a : __min_b
; }))
return -EINVAL22;

user = u64_to_user_ptr(args->cliprects_ptr)((void *)(uintptr_t)(args->cliprects_ptr));
if (!access_ok(user, num_fences * sizeof(*user)))
return -EFAULT14;

2980#ifdef __linux__
f = krealloc(eb->fences,
     (eb->num_fences + num_fences) * sizeof(*f),
     __GFP_NOWARN0 | GFP_KERNEL(0x0001 | 0x0004));
if (!f)
return -ENOMEM12;
2986#else
f = kmalloc((eb->num_fences + num_fences) * sizeof(*f),
     __GFP_NOWARN0 | GFP_KERNEL(0x0001 | 0x0004));
if (!f)
return -ENOMEM12;
memcpy(f, eb->fences, eb->num_fences * sizeof(*f))__builtin_memcpy((f), (eb->fences), (eb->num_fences * sizeof
(*f)));
kfree(eb->fences);
2993#endif

eb->fences = f;
f += eb->num_fences;
while (num_fences--) {
struct drm_i915_gem_exec_fence user_fence;
struct drm_syncobj *syncobj;
struct dma_fence *fence = NULL((void *)0);

if (__copy_from_user(&user_fence, user++, sizeof(user_fence)))
	return -EFAULT14;

if (user_fence.flags & __I915_EXEC_FENCE_UNKNOWN_FLAGS(-((1<<1) << 1)))
	return -EINVAL22;

syncobj = drm_syncobj_find(eb->file, user_fence.handle);
if (!syncobj) {
	DRM_DEBUG("Invalid syncobj handle provided\n")___drm_dbg(((void *)0), DRM_UT_CORE, "Invalid syncobj handle provided\n"
);
	return -ENOENT2;
}

if (user_fence.flags & I915_EXEC_FENCE_WAIT(1<<0)) {
	fence = drm_syncobj_fence_get(syncobj);
	if (!fence) {
		DRM_DEBUG("Syncobj handle has no fence\n")___drm_dbg(((void *)0), DRM_UT_CORE, "Syncobj handle has no fence\n"
);
		drm_syncobj_put(syncobj);
		return -EINVAL22;
	}
}

3023#ifdef notyet
BUILD_BUG_ON(~(ARCH_KMALLOC_MINALIGN - 1) &extern char _ctassert[(!(~(64 - 1) & ~(-((1<<1) <<
 1)))) ? 1 : -1 ] __attribute__((__unused__))
	     ~__I915_EXEC_FENCE_UNKNOWN_FLAGS)extern char _ctassert[(!(~(64 - 1) & ~(-((1<<1) <<
 1)))) ? 1 : -1 ] __attribute__((__unused__));
3026#endif

f->syncobj = ptr_pack_bits(syncobj, user_fence.flags, 2)({ unsigned long __bits = (user_fence.flags); ((void)0); ((typeof
(syncobj))((unsigned long)(syncobj) | __bits)); });
f->dma_fence = fence;
f->value = 0;
f->chain_fence = NULL((void *)0);
f++;
eb->num_fences++;
}

return 0;
3037}

3039static void put_fence_array(struct eb_fence *fences, int num_fences)
3040{
if (fences)
__free_fence_array(fences, num_fences);
3043}

3045static int
3046await_fence_array(struct i915_execbuffer *eb,
  struct i915_request *rq)
3048{
unsigned int n;
int err;

for (n = 0; n < eb->num_fences; n++) {
struct drm_syncobj *syncobj;
unsigned int flags;

syncobj = ptr_unpack_bits(eb->fences[n].syncobj, &flags, 2)({ unsigned long __v = (unsigned long)(eb->fences[n].syncobj
); *(&flags) = __v & ((1UL << (2)) - 1); (typeof
(eb->fences[n].syncobj))(__v & -(1UL << (2))); }
);

if (!eb->fences[n].dma_fence)
	continue;

err = i915_request_await_dma_fence(rq, eb->fences[n].dma_fence);
if (err < 0)
	return err;
}

return 0;
3067}

3069static void signal_fence_array(const struct i915_execbuffer *eb,
	       struct dma_fence * const fence)
3071{
unsigned int n;

for (n = 0; n < eb->num_fences; n++) {
struct drm_syncobj *syncobj;
unsigned int flags;

syncobj = ptr_unpack_bits(eb->fences[n].syncobj, &flags, 2)({ unsigned long __v = (unsigned long)(eb->fences[n].syncobj
); *(&flags) = __v & ((1UL << (2)) - 1); (typeof
(eb->fences[n].syncobj))(__v & -(1UL << (2))); }
);
if (!(flags & I915_EXEC_FENCE_SIGNAL(1<<1)))
	continue;

if (eb->fences[n].chain_fence) {
	drm_syncobj_add_point(syncobj,
			      eb->fences[n].chain_fence,
			      fence,
			      eb->fences[n].value);
	/*
	 * The chain's ownership is transferred to the
	 * timeline.
	 */
	eb->fences[n].chain_fence = NULL((void *)0);
} else {
	drm_syncobj_replace_fence(syncobj, fence);
}
}
3096}

3098static int
3099parse_timeline_fences(struct i915_user_extension __user *ext, void *data)
3100{
struct i915_execbuffer *eb = data;
struct drm_i915_gem_execbuffer_ext_timeline_fences timeline_fences;

if (copy_from_user(&timeline_fences, ext, sizeof(timeline_fences)))
return -EFAULT14;

return add_timeline_fence_array(eb, &timeline_fences);
3108}

3110static void retire_requests(struct intel_timeline *tl, struct i915_request *end)
3111{
struct i915_request *rq, *rn;

list_for_each_entry_safe(rq, rn, &tl->requests, link)for (rq = ({ const __typeof( ((__typeof(*rq) *)0)->link ) *
__mptr = ((&tl->requests)->next); (__typeof(*rq) *)
( (char *)__mptr - __builtin_offsetof(__typeof(*rq), link) );
}), rn = ({ const __typeof( ((__typeof(*rq) *)0)->link ) *
__mptr = (rq->link.next); (__typeof(*rq) *)( (char *)__mptr
 - __builtin_offsetof(__typeof(*rq), link) );}); &rq->
link != (&tl->requests); rq = rn, rn = ({ const __typeof
( ((__typeof(*rn) *)0)->link ) *__mptr = (rn->link.next
); (__typeof(*rn) *)( (char *)__mptr - __builtin_offsetof(__typeof
(*rn), link) );}))
if (rq == end || !i915_request_retire(rq))
	break;
3117}

3119static int eb_request_add(struct i915_execbuffer *eb, struct i915_request *rq,
	  int err, bool_Bool last_parallel)
3121{
struct intel_timeline * const tl = i915_request_timeline(rq);
struct i915_sched_attr attr = {};
struct i915_request *prev;

lockdep_assert_held(&tl->mutex)do { (void)(&tl->mutex); } while(0);
lockdep_unpin_lock(&tl->mutex, rq->cookie);

trace_i915_request_add(rq);

prev = __i915_request_commit(rq);

/* Check that the context wasn't destroyed before submission */
if (likely(!intel_context_is_closed(eb->context))__builtin_expect(!!(!intel_context_is_closed(eb->context))
, 1)) {
attr = eb->gem_context->sched;
} else {
/* Serialise with context_close via the add_to_timeline */
i915_request_set_error_once(rq, -ENOENT2);
__i915_request_skip(rq);
err = -ENOENT2; /* override any transient errors */
}

if (intel_context_is_parallel(eb->context)) {
if (err) {
	__i915_request_skip(rq);
	set_bit(I915_FENCE_FLAG_SKIP_PARALLEL,
		&rq->fence.flags);
}
if (last_parallel)
	set_bit(I915_FENCE_FLAG_SUBMIT_PARALLEL,
		&rq->fence.flags);
}

__i915_request_queue(rq, &attr);

/* Try to clean up the client's timeline after submitting the request */
if (prev)
retire_requests(tl, prev);

mutex_unlock(&tl->mutex)rw_exit_write(&tl->mutex);

return err;
3163}

3165static int eb_requests_add(struct i915_execbuffer *eb, int err)
3166{
int i;

/*
* We iterate in reverse order of creation to release timeline mutexes in
* same order.
*/
for_each_batch_add_order(eb, i)extern char _ctassert[(!(!1)) ? 1 : -1 ] __attribute__((__unused__
)); for ((i) = (eb)->num_batches - 1; (i) >= 0; --(i)) {
struct i915_request *rq = eb->requests[i];

if (!rq)
	continue;
err |= eb_request_add(eb, rq, err, i == 0);
}

return err;
3182}

3184static const i915_user_extension_fn execbuf_extensions[] = {
[DRM_I915_GEM_EXECBUFFER_EXT_TIMELINE_FENCES0] = parse_timeline_fences,
3186};

3188static int
3189parse_execbuf2_extensions(struct drm_i915_gem_execbuffer2 *args,
	  struct i915_execbuffer *eb)
3191{
if (!(args->flags & I915_EXEC_USE_EXTENSIONS(1 << 21)))
17
←
Assuming the condition is false→
18
←
Taking false branch→
return 0;

/* The execbuf2 extension mechanism reuses cliprects_ptr. So we cannot
* have another flag also using it at the same time.
*/
if (eb->args->flags & I915_EXEC_FENCE_ARRAY(1<<19))
19
←
Assuming the condition is false→
20
←
Taking false branch→
return -EINVAL22;

if (args->num_cliprects != 0)
21
←
Assuming field 'num_cliprects' is equal to 0→
22
←
Taking false branch→
return -EINVAL22;

return i915_user_extensions(u64_to_user_ptr(args->cliprects_ptr)((void *)(uintptr_t)(args->cliprects_ptr)),
		    execbuf_extensions,
		    ARRAY_SIZE(execbuf_extensions)(sizeof((execbuf_extensions)) / sizeof((execbuf_extensions)[0
])),
		    eb);
3208}

3210static void eb_requests_get(struct i915_execbuffer *eb)
3211{
unsigned int i;

for_each_batch_create_order(eb, i)for ((i) = 0; (i) < (eb)->num_batches; ++(i)) {
if (!eb->requests[i])
	break;

i915_request_get(eb->requests[i]);
}
3220}

3222static void eb_requests_put(struct i915_execbuffer *eb)
3223{
unsigned int i;

for_each_batch_create_order(eb, i)for ((i) = 0; (i) < (eb)->num_batches; ++(i)) {
if (!eb->requests[i])
	break;

i915_request_put(eb->requests[i]);
}
3232}

3234static struct sync_file *
3235eb_composite_fence_create(struct i915_execbuffer *eb, int out_fence_fd)
3236{
struct sync_file *out_fence = NULL((void *)0);
struct dma_fence_array *fence_array;
struct dma_fence **fences;
unsigned int i;

GEM_BUG_ON(!intel_context_is_parent(eb->context))((void)0);

fences = kmalloc_array(eb->num_batches, sizeof(*fences), GFP_KERNEL(0x0001 | 0x0004));
if (!fences)
return ERR_PTR(-ENOMEM12);

for_each_batch_create_order(eb, i)for ((i) = 0; (i) < (eb)->num_batches; ++(i)) {
fences[i] = &eb->requests[i]->fence;
__set_bit(I915_FENCE_FLAG_COMPOSITE,
	  &eb->requests[i]->fence.flags);
}

fence_array = dma_fence_array_create(eb->num_batches,
			     fences,
			     eb->context->parallel.fence_context,
			     eb->context->parallel.seqno++,
			     false0);
if (!fence_array) {
kfree(fences);
return ERR_PTR(-ENOMEM12);
}

/* Move ownership to the dma_fence_array created above */
for_each_batch_create_order(eb, i)for ((i) = 0; (i) < (eb)->num_batches; ++(i))
dma_fence_get(fences[i]);

if (out_fence_fd != -1) {
out_fence = sync_file_create(&fence_array->base);
/* sync_file now owns fence_arry, drop creation ref */
dma_fence_put(&fence_array->base);
if (!out_fence)
	return ERR_PTR(-ENOMEM12);
}

eb->composite_fence = &fence_array->base;

return out_fence;
3279}

3281static struct sync_file *
3282eb_fences_add(struct i915_execbuffer *eb, struct i915_request *rq,
     struct dma_fence *in_fence, int out_fence_fd)
3284{
struct sync_file *out_fence = NULL((void *)0);
int err;

if (unlikely(eb->gem_context->syncobj)__builtin_expect(!!(eb->gem_context->syncobj), 0)) {
struct dma_fence *fence;

fence = drm_syncobj_fence_get(eb->gem_context->syncobj);
err = i915_request_await_dma_fence(rq, fence);
dma_fence_put(fence);
if (err)
	return ERR_PTR(err);
}

if (in_fence) {
if (eb->args->flags & I915_EXEC_FENCE_SUBMIT(1 << 20))
	err = i915_request_await_execution(rq, in_fence);
else
	err = i915_request_await_dma_fence(rq, in_fence);
if (err < 0)
	return ERR_PTR(err);
}

if (eb->fences) {
err = await_fence_array(eb, rq);
if (err)
	return ERR_PTR(err);
}

if (intel_context_is_parallel(eb->context)) {
out_fence = eb_composite_fence_create(eb, out_fence_fd);
if (IS_ERR(out_fence))
	return ERR_PTR(-ENOMEM12);
} else if (out_fence_fd != -1) {
out_fence = sync_file_create(&rq->fence);
if (!out_fence)
	return ERR_PTR(-ENOMEM12);
}

return out_fence;
3324}

3326static struct intel_context *
3327eb_find_context(struct i915_execbuffer *eb, unsigned int context_number)
3328{
struct intel_context *child;

if (likely(context_number == 0)__builtin_expect(!!(context_number == 0), 1))
return eb->context;

for_each_child(eb->context, child)for (child = ({ const __typeof( ((__typeof(*child) *)0)->parallel
.child_link ) *__mptr = ((&(eb->context)->parallel.
child_list)->next); (__typeof(*child) *)( (char *)__mptr -
 __builtin_offsetof(__typeof(*child), parallel.child_link) );
}); &child->parallel.child_link != (&(eb->context
)->parallel.child_list); child = ({ const __typeof( ((__typeof
(*child) *)0)->parallel.child_link ) *__mptr = (child->
parallel.child_link.next); (__typeof(*child) *)( (char *)__mptr
 - __builtin_offsetof(__typeof(*child), parallel.child_link) )
;}))
if (!--context_number)
	return child;

GEM_BUG_ON("Context not found")((void)0);

return NULL((void *)0);
3341}

3343static struct sync_file *
3344eb_requests_create(struct i915_execbuffer *eb, struct dma_fence *in_fence,
   int out_fence_fd)
3346{
struct sync_file *out_fence = NULL((void *)0);
unsigned int i;

for_each_batch_create_order(eb, i)for ((i) = 0; (i) < (eb)->num_batches; ++(i)) {
/* Allocate a request for this batch buffer nice and early. */
eb->requests[i] = i915_request_create(eb_find_context(eb, i));
if (IS_ERR(eb->requests[i])) {
	out_fence = ERR_CAST(eb->requests[i]);
	eb->requests[i] = NULL((void *)0);
	return out_fence;
}

/*
 * Only the first request added (committed to backend) has to
 * take the in fences into account as all subsequent requests
 * will have fences inserted inbetween them.
 */
if (i + 1 == eb->num_batches) {
	out_fence = eb_fences_add(eb, eb->requests[i],
				  in_fence, out_fence_fd);
	if (IS_ERR(out_fence))
		return out_fence;
}

/*
 * Not really on stack, but we don't want to call
 * kfree on the batch_snapshot when we put it, so use the
 * _onstack interface.
 */
if (eb->batches[i]->vma)
	eb->requests[i]->batch_res =
		i915_vma_resource_get(eb->batches[i]->vma->resource);
if (eb->batch_pool) {
	GEM_BUG_ON(intel_context_is_parallel(eb->context))((void)0);
	intel_gt_buffer_pool_mark_active(eb->batch_pool,
					 eb->requests[i]);
}
}

return out_fence;
3387}

3389static int
3390i915_gem_do_execbuffer(struct drm_device *dev,
       struct drm_file *file,
       struct drm_i915_gem_execbuffer2 *args,
       struct drm_i915_gem_exec_object2 *exec)
3394{
struct drm_i915_privateinteldrm_softc *i915 = to_i915(dev);
struct i915_execbuffer eb;
struct dma_fence *in_fence = NULL((void *)0);
struct sync_file *out_fence = NULL((void *)0);
int out_fence_fd = -1;
int err;

BUILD_BUG_ON(__EXEC_INTERNAL_FLAGS & ~__I915_EXEC_ILLEGAL_FLAGS)extern char _ctassert[(!((~0u << 29) & ~((-((1 <<
 21) << 1)) | (3<<6) | (1<<15)))) ? 1 : -1 ]
 __attribute__((__unused__));
BUILD_BUG_ON(__EXEC_OBJECT_INTERNAL_FLAGS &extern char _ctassert[(!((~0u << 26) & ~-((1<<
7)<<1))) ? 1 : -1 ] __attribute__((__unused__))
     ~__EXEC_OBJECT_UNKNOWN_FLAGS)extern char _ctassert[(!((~0u << 26) & ~-((1<<
7)<<1))) ? 1 : -1 ] __attribute__((__unused__));

eb.i915 = i915;
eb.file = file;
eb.args = args;
if (DBG_FORCE_RELOC0 || !(args->flags & I915_EXEC_NO_RELOC(1<<11)))
7
←
Assuming the condition is false→
8
←
Taking false branch→
args->flags |= __EXEC_HAS_RELOC(1UL << (31));

eb.exec = exec;
eb.vma = (struct eb_vma *)(exec + args->buffer_count + 1);
eb.vma[0].vma = NULL((void *)0);
eb.batch_pool = NULL((void *)0);

eb.invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS-((1<<7)<<1);
reloc_cache_init(&eb.reloc_cache, eb.i915);

eb.buffer_count = args->buffer_count;
eb.batch_start_offset = args->batch_start_offset;
eb.trampoline = NULL((void *)0);

eb.fences = NULL((void *)0);
eb.num_fences = 0;

eb_capture_list_clear(&eb);
9
←
Calling 'eb_capture_list_clear'→
11
←
Returning from 'eb_capture_list_clear'→

memset(eb.requests, 0, sizeof(struct i915_request *) *__builtin_memset((eb.requests), (0), (sizeof(struct i915_request
 *) * (sizeof((eb.requests)) / sizeof((eb.requests)[0]))))
      ARRAY_SIZE(eb.requests))__builtin_memset((eb.requests), (0), (sizeof(struct i915_request
 *) * (sizeof((eb.requests)) / sizeof((eb.requests)[0]))));
eb.composite_fence = NULL((void *)0);

eb.batch_flags = 0;
if (args->flags & I915_EXEC_SECURE(1<<9)) {
12
←
Assuming the condition is false→
13
←
Taking false branch→
if (GRAPHICS_VER(i915)((&(i915)->__runtime)->graphics.ip.ver) >= 11)
	return -ENODEV19;

/* Return -EPERM to trigger fallback code on old binaries. */
if (!HAS_SECURE_BATCHES(i915)(((&(i915)->__runtime)->graphics.ip.ver) < 6))
	return -EPERM1;

if (!drm_is_current_master(file) || !capable(CAP_SYS_ADMIN0x1))
	return -EPERM1;

eb.batch_flags |= I915_DISPATCH_SECURE(1UL << (0));
}
if (args->flags & I915_EXEC_IS_PINNED(1<<10))
14
←
Assuming the condition is false→
15
←
Taking false branch→
eb.batch_flags |= I915_DISPATCH_PINNED(1UL << (1));

err = parse_execbuf2_extensions(args, &eb);
16
←
Calling 'parse_execbuf2_extensions'→
23
←
Returning from 'parse_execbuf2_extensions'→
if (err)
24
←
Assuming 'err' is 0→
25
←
Taking false branch→
goto err_ext;

err = add_fence_array(&eb);
26
←
Calling 'add_fence_array'→
32
←
Returning from 'add_fence_array'→
if (err32.1
'err' is 0
)
33
←
Taking false branch→
goto err_ext;

3458#define IN_FENCES (I915_EXEC_FENCE_IN(1<<16) | I915_EXEC_FENCE_SUBMIT(1 << 20))
if (args->flags & IN_FENCES) {
34
←
Assuming the condition is false→
35
←
Taking false branch→
if ((args->flags & IN_FENCES) == IN_FENCES)
	return -EINVAL22;

in_fence = sync_file_get_fence(lower_32_bits(args->rsvd2)((u32)(args->rsvd2)));
if (!in_fence) {
	err = -EINVAL22;
	goto err_ext;
}
}
3469#undef IN_FENCES

if (args->flags & I915_EXEC_FENCE_OUT(1<<17)) {
36
←
Assuming the condition is false→
37
←
Taking false branch→
out_fence_fd = get_unused_fd_flags(O_CLOEXEC0x10000);
if (out_fence_fd < 0) {
	err = out_fence_fd;
	goto err_in_fence;
}
}

err = eb_create(&eb);
38
←
Calling 'eb_create'→
if (err)
goto err_out_fence;

GEM_BUG_ON(!eb.lut_size)((void)0);

err = eb_select_context(&eb);
if (unlikely(err)__builtin_expect(!!(err), 0))
goto err_destroy;

err = eb_select_engine(&eb);
if (unlikely(err)__builtin_expect(!!(err), 0))
goto err_context;

err = eb_lookup_vmas(&eb);
if (err) {
eb_release_vmas(&eb, true1);
goto err_engine;
}

i915_gem_ww_ctx_init(&eb.ww, true1);

err = eb_relocate_parse(&eb);
if (err) {
/*
 * If the user expects the execobject.offset and
 * reloc.presumed_offset to be an exact match,
 * as for using NO_RELOC, then we cannot update
 * the execobject.offset until we have completed
 * relocation.
 */
args->flags &= ~__EXEC_HAS_RELOC(1UL << (31));
goto err_vma;
}

ww_acquire_done(&eb.ww.ctx);
err = eb_capture_stage(&eb);
if (err)
goto err_vma;

out_fence = eb_requests_create(&eb, in_fence, out_fence_fd);
if (IS_ERR(out_fence)) {
err = PTR_ERR(out_fence);
out_fence = NULL((void *)0);
if (eb.requests[0])
	goto err_request;
else
	goto err_vma;
}

err = eb_submit(&eb);

3531err_request:
eb_requests_get(&eb);
err = eb_requests_add(&eb, err);

if (eb.fences)
signal_fence_array(&eb, eb.composite_fence ?
		   eb.composite_fence :
		   &eb.requests[0]->fence);

if (unlikely(eb.gem_context->syncobj)__builtin_expect(!!(eb.gem_context->syncobj), 0)) {
drm_syncobj_replace_fence(eb.gem_context->syncobj,
			  eb.composite_fence ?
			  eb.composite_fence :
			  &eb.requests[0]->fence);
}

if (out_fence) {
if (err == 0) {
	fd_install(out_fence_fd, out_fence->file);
	args->rsvd2 &= GENMASK_ULL(31, 0)(((~0ULL) >> (64 - (31) - 1)) & ((~0ULL) << (
0))); /* keep in-fence */
	args->rsvd2 |= (u64)out_fence_fd << 32;
	out_fence_fd = -1;
} else {
	fput(out_fence->file);
}
}

if (!out_fence && eb.composite_fence)
dma_fence_put(eb.composite_fence);

eb_requests_put(&eb);

3563err_vma:
eb_release_vmas(&eb, true1);
WARN_ON(err == -EDEADLK)({ int __ret = !!(err == -11); if (__ret) printf("WARNING %s failed at %s:%d\n"
, "err == -11", "/usr/src/sys/dev/pci/drm/i915/gem/i915_gem_execbuffer.c"
, 3565); __builtin_expect(!!(__ret), 0); });
i915_gem_ww_ctx_fini(&eb.ww);

if (eb.batch_pool)
intel_gt_buffer_pool_put(eb.batch_pool);
3570err_engine:
eb_put_engine(&eb);
3572err_context:
i915_gem_context_put(eb.gem_context);
3574err_destroy:
eb_destroy(&eb);
3576err_out_fence:
if (out_fence_fd != -1)
put_unused_fd(out_fence_fd);
3579err_in_fence:
dma_fence_put(in_fence);
3581err_ext:
put_fence_array(eb.fences, eb.num_fences);
return err;
3584}

3586static size_t eb_element_size(void)
3587{
return sizeof(struct drm_i915_gem_exec_object2) + sizeof(struct eb_vma);
3589}

3591static bool_Bool check_buffer_count(size_t count)
3592{
const size_t sz = eb_element_size();

/*
* When using LUT_HANDLE, we impose a limit of INT_MAX for the lookup
* array size (see eb_create()). Otherwise, we can accept an array as
* large as can be addressed (though use large arrays at your peril)!
*/

return !(count < 1 || count > INT_MAX0x7fffffff || count > SIZE_MAX0xffffffffffffffffUL / sz - 1);
3602}

3604int
3605i915_gem_execbuffer2_ioctl(struct drm_device *dev, void *data,
	   struct drm_file *file)
3607{
struct drm_i915_privateinteldrm_softc *i915 = to_i915(dev);
struct drm_i915_gem_execbuffer2 *args = data;
struct drm_i915_gem_exec_object2 *exec2_list;
const size_t count = args->buffer_count;
int err;

if (!check_buffer_count(count)) {
1
Taking false branch→
drm_dbg(&i915->drm, "execbuf2 with %zd buffers\n", count)__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "execbuf2 with %zd buffers\n"
, count);
return -EINVAL22;
}

err = i915_gem_check_execbuffer(args);
if (err1.1
'err' is 0
)
2
←
Taking false branch→
return err;

/* Allocate extra slots for use by the command parser */
exec2_list = kvmalloc_array(count + 2, eb_element_size(),
		    __GFP_NOWARN0 | GFP_KERNEL(0x0001 | 0x0004));
if (exec2_list == NULL((void *)0)) {
3
←
Assuming 'exec2_list' is not equal to NULL→
4
←
Taking false branch→
drm_dbg(&i915->drm, "Failed to allocate exec list for %zd buffers\n",__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Failed to allocate exec list for %zd buffers\n"
, count)
	count)__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "Failed to allocate exec list for %zd buffers\n"
, count);
return -ENOMEM12;
}
if (copy_from_user(exec2_list,
5
←
Taking false branch→
	   u64_to_user_ptr(args->buffers_ptr)((void *)(uintptr_t)(args->buffers_ptr)),
	   sizeof(*exec2_list) * count)) {
drm_dbg(&i915->drm, "copy %zd exec entries failed\n", count)__drm_dev_dbg(((void *)0), (&i915->drm) ? (&i915->
drm)->dev : ((void *)0), DRM_UT_DRIVER, "copy %zd exec entries failed\n"
, count);
kvfree(exec2_list);
return -EFAULT14;
}

err = i915_gem_do_execbuffer(dev, file, args, exec2_list);
6
←
Calling 'i915_gem_do_execbuffer'→

/*
* Now that we have begun execution of the batchbuffer, we ignore
* any new error after this point. Also given that we have already
* updated the associated relocations, we try to write out the current
* object locations irrespective of any error.
*/
if (args->flags & __EXEC_HAS_RELOC(1UL << (31))) {
struct drm_i915_gem_exec_object2 __user *user_exec_list =
	u64_to_user_ptr(args->buffers_ptr)((void *)(uintptr_t)(args->buffers_ptr));
unsigned int i;

/* Copy the new buffer offsets back to the user's exec list. */
/*
 * Note: count * sizeof(*user_exec_list) does not overflow,
 * because we checked 'count' in check_buffer_count().
 *
 * And this range already got effectively checked earlier
 * when we did the "copy_from_user()" above.
 */
if (!user_write_access_begin(user_exec_list,access_ok(user_exec_list, count * sizeof(*user_exec_list))
			     count * sizeof(*user_exec_list))access_ok(user_exec_list, count * sizeof(*user_exec_list)))
	goto end;

for (i = 0; i < args->buffer_count; i++) {
	if (!(exec2_list[i].offset & UPDATE(1ULL << (7))))
		continue;

	exec2_list[i].offset =
		gen8_canonical_addr(exec2_list[i].offset & PIN_OFFSET_MASK-(1ULL << (12)));
	unsafe_put_user(exec2_list[i].offset,({ __typeof((exec2_list[i].offset)) __tmp = (exec2_list[i].offset
); if (copyout(&(__tmp), &user_exec_list[i].offset, sizeof
(__tmp)) != 0) goto end_user; })
			&user_exec_list[i].offset,({ __typeof((exec2_list[i].offset)) __tmp = (exec2_list[i].offset
); if (copyout(&(__tmp), &user_exec_list[i].offset, sizeof
(__tmp)) != 0) goto end_user; })
			end_user)({ __typeof((exec2_list[i].offset)) __tmp = (exec2_list[i].offset
); if (copyout(&(__tmp), &user_exec_list[i].offset, sizeof
(__tmp)) != 0) goto end_user; });
}
3674end_user:
user_write_access_end();
3676end:;
}

args->flags &= ~__I915_EXEC_UNKNOWN_FLAGS(-((1 << 21) << 1));
kvfree(exec2_list);
return err;
3682}