drm/i915: reuse i915_gpu_idle helper
[daniel-s-linux-stuff:linux-kernel.git] / drivers / gpu / drm / i915 / i915_gem.c
1 /*
2  * Copyright © 2008 Intel Corporation
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining a
5  * copy of this software and associated documentation files (the "Software"),
6  * to deal in the Software without restriction, including without limitation
7  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8  * and/or sell copies of the Software, and to permit persons to whom the
9  * Software is furnished to do so, subject to the following conditions:
10  *
11  * The above copyright notice and this permission notice (including the next
12  * paragraph) shall be included in all copies or substantial portions of the
13  * Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
18  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21  * IN THE SOFTWARE.
22  *
23  * Authors:
24  *    Eric Anholt <eric@anholt.net>
25  *
26  */
27
28 #include "drmP.h"
29 #include "drm.h"
30 #include "i915_drm.h"
31 #include "i915_drv.h"
32 #include "i915_trace.h"
33 #include "intel_drv.h"
34 #include <linux/swap.h>
35 #include <linux/pci.h>
36
37 #define I915_GEM_GPU_DOMAINS    (~(I915_GEM_DOMAIN_CPU | I915_GEM_DOMAIN_GTT))
38
39 static void i915_gem_object_flush_gpu_write_domain(struct drm_gem_object *obj);
40 static void i915_gem_object_flush_gtt_write_domain(struct drm_gem_object *obj);
41 static void i915_gem_object_flush_cpu_write_domain(struct drm_gem_object *obj);
42 static int i915_gem_object_set_to_cpu_domain(struct drm_gem_object *obj,
43                                              int write);
44 static int i915_gem_object_set_cpu_read_domain_range(struct drm_gem_object *obj,
45                                                      uint64_t offset,
46                                                      uint64_t size);
47 static void i915_gem_object_set_to_full_cpu_read_domain(struct drm_gem_object *obj);
48 static int i915_gem_object_wait_rendering(struct drm_gem_object *obj);
49 static int i915_gem_object_bind_to_gtt(struct drm_gem_object *obj,
50                                            unsigned alignment);
51 static void i915_gem_clear_fence_reg(struct drm_gem_object *obj);
52 static int i915_gem_evict_something(struct drm_device *dev, int min_size);
53 static int i915_gem_evict_from_inactive_list(struct drm_device *dev);
54 static int i915_gem_phys_pwrite(struct drm_device *dev, struct drm_gem_object *obj,
55                                 struct drm_i915_gem_pwrite *args,
56                                 struct drm_file *file_priv);
57
58 static LIST_HEAD(shrink_list);
59 static DEFINE_SPINLOCK(shrink_list_lock);
60
61 int i915_gem_do_init(struct drm_device *dev, unsigned long start,
62                      unsigned long end)
63 {
64         drm_i915_private_t *dev_priv = dev->dev_private;
65
66         if (start >= end ||
67             (start & (PAGE_SIZE - 1)) != 0 ||
68             (end & (PAGE_SIZE - 1)) != 0) {
69                 return -EINVAL;
70         }
71
72         drm_mm_init(&dev_priv->mm.gtt_space, start,
73                     end - start);
74
75         dev->gtt_total = (uint32_t) (end - start);
76
77         return 0;
78 }
79
80 int
81 i915_gem_init_ioctl(struct drm_device *dev, void *data,
82                     struct drm_file *file_priv)
83 {
84         struct drm_i915_gem_init *args = data;
85         int ret;
86
87         mutex_lock(&dev->struct_mutex);
88         ret = i915_gem_do_init(dev, args->gtt_start, args->gtt_end);
89         mutex_unlock(&dev->struct_mutex);
90
91         return ret;
92 }
93
94 int
95 i915_gem_get_aperture_ioctl(struct drm_device *dev, void *data,
96                             struct drm_file *file_priv)
97 {
98         struct drm_i915_gem_get_aperture *args = data;
99
100         if (!(dev->driver->driver_features & DRIVER_GEM))
101                 return -ENODEV;
102
103         args->aper_size = dev->gtt_total;
104         args->aper_available_size = (args->aper_size -
105                                      atomic_read(&dev->pin_memory));
106
107         return 0;
108 }
109
110
111 /**
112  * Creates a new mm object and returns a handle to it.
113  */
114 int
115 i915_gem_create_ioctl(struct drm_device *dev, void *data,
116                       struct drm_file *file_priv)
117 {
118         struct drm_i915_gem_create *args = data;
119         struct drm_gem_object *obj;
120         int ret;
121         u32 handle;
122
123         args->size = roundup(args->size, PAGE_SIZE);
124
125         /* Allocate the new object */
126         obj = drm_gem_object_alloc(dev, args->size);
127         if (obj == NULL)
128                 return -ENOMEM;
129
130         ret = drm_gem_handle_create(file_priv, obj, &handle);
131         drm_gem_object_handle_unreference_unlocked(obj);
132
133         if (ret)
134                 return ret;
135
136         args->handle = handle;
137
138         return 0;
139 }
140
141 static inline int
142 fast_shmem_read(struct page **pages,
143                 loff_t page_base, int page_offset,
144                 char __user *data,
145                 int length)
146 {
147         char __iomem *vaddr;
148         int unwritten;
149
150         vaddr = kmap_atomic(pages[page_base >> PAGE_SHIFT], KM_USER0);
151         if (vaddr == NULL)
152                 return -ENOMEM;
153         unwritten = __copy_to_user_inatomic(data, vaddr + page_offset, length);
154         kunmap_atomic(vaddr, KM_USER0);
155
156         if (unwritten)
157                 return -EFAULT;
158
159         return 0;
160 }
161
162 static int i915_gem_object_needs_bit17_swizzle(struct drm_gem_object *obj)
163 {
164         drm_i915_private_t *dev_priv = obj->dev->dev_private;
165         struct drm_i915_gem_object *obj_priv = obj->driver_private;
166
167         return dev_priv->mm.bit_6_swizzle_x == I915_BIT_6_SWIZZLE_9_10_17 &&
168                 obj_priv->tiling_mode != I915_TILING_NONE;
169 }
170
171 static inline int
172 slow_shmem_copy(struct page *dst_page,
173                 int dst_offset,
174                 struct page *src_page,
175                 int src_offset,
176                 int length)
177 {
178         char *dst_vaddr, *src_vaddr;
179
180         dst_vaddr = kmap_atomic(dst_page, KM_USER0);
181         if (dst_vaddr == NULL)
182                 return -ENOMEM;
183
184         src_vaddr = kmap_atomic(src_page, KM_USER1);
185         if (src_vaddr == NULL) {
186                 kunmap_atomic(dst_vaddr, KM_USER0);
187                 return -ENOMEM;
188         }
189
190         memcpy(dst_vaddr + dst_offset, src_vaddr + src_offset, length);
191
192         kunmap_atomic(src_vaddr, KM_USER1);
193         kunmap_atomic(dst_vaddr, KM_USER0);
194
195         return 0;
196 }
197
198 static inline int
199 slow_shmem_bit17_copy(struct page *gpu_page,
200                       int gpu_offset,
201                       struct page *cpu_page,
202                       int cpu_offset,
203                       int length,
204                       int is_read)
205 {
206         char *gpu_vaddr, *cpu_vaddr;
207
208         /* Use the unswizzled path if this page isn't affected. */
209         if ((page_to_phys(gpu_page) & (1 << 17)) == 0) {
210                 if (is_read)
211                         return slow_shmem_copy(cpu_page, cpu_offset,
212                                                gpu_page, gpu_offset, length);
213                 else
214                         return slow_shmem_copy(gpu_page, gpu_offset,
215                                                cpu_page, cpu_offset, length);
216         }
217
218         gpu_vaddr = kmap_atomic(gpu_page, KM_USER0);
219         if (gpu_vaddr == NULL)
220                 return -ENOMEM;
221
222         cpu_vaddr = kmap_atomic(cpu_page, KM_USER1);
223         if (cpu_vaddr == NULL) {
224                 kunmap_atomic(gpu_vaddr, KM_USER0);
225                 return -ENOMEM;
226         }
227
228         /* Copy the data, XORing A6 with A17 (1). The user already knows he's
229          * XORing with the other bits (A9 for Y, A9 and A10 for X)
230          */
231         while (length > 0) {
232                 int cacheline_end = ALIGN(gpu_offset + 1, 64);
233                 int this_length = min(cacheline_end - gpu_offset, length);
234                 int swizzled_gpu_offset = gpu_offset ^ 64;
235
236                 if (is_read) {
237                         memcpy(cpu_vaddr + cpu_offset,
238                                gpu_vaddr + swizzled_gpu_offset,
239                                this_length);
240                 } else {
241                         memcpy(gpu_vaddr + swizzled_gpu_offset,
242                                cpu_vaddr + cpu_offset,
243                                this_length);
244                 }
245                 cpu_offset += this_length;
246                 gpu_offset += this_length;
247                 length -= this_length;
248         }
249
250         kunmap_atomic(cpu_vaddr, KM_USER1);
251         kunmap_atomic(gpu_vaddr, KM_USER0);
252
253         return 0;
254 }
255
256 /**
257  * This is the fast shmem pread path, which attempts to copy_from_user directly
258  * from the backing pages of the object to the user's address space.  On a
259  * fault, it fails so we can fall back to i915_gem_shmem_pwrite_slow().
260  */
261 static int
262 i915_gem_shmem_pread_fast(struct drm_device *dev, struct drm_gem_object *obj,
263                           struct drm_i915_gem_pread *args,
264                           struct drm_file *file_priv)
265 {
266         struct drm_i915_gem_object *obj_priv = obj->driver_private;
267         ssize_t remain;
268         loff_t offset, page_base;
269         char __user *user_data;
270         int page_offset, page_length;
271         int ret;
272
273         user_data = (char __user *) (uintptr_t) args->data_ptr;
274         remain = args->size;
275
276         mutex_lock(&dev->struct_mutex);
277
278         ret = i915_gem_object_get_pages(obj, 0);
279         if (ret != 0)
280                 goto fail_unlock;
281
282         ret = i915_gem_object_set_cpu_read_domain_range(obj, args->offset,
283                                                         args->size);
284         if (ret != 0)
285                 goto fail_put_pages;
286
287         obj_priv = obj->driver_private;
288         offset = args->offset;
289
290         while (remain > 0) {
291                 /* Operation in this page
292                  *
293                  * page_base = page offset within aperture
294                  * page_offset = offset within page
295                  * page_length = bytes to copy for this page
296                  */
297                 page_base = (offset & ~(PAGE_SIZE-1));
298                 page_offset = offset & (PAGE_SIZE-1);
299                 page_length = remain;
300                 if ((page_offset + remain) > PAGE_SIZE)
301                         page_length = PAGE_SIZE - page_offset;
302
303                 ret = fast_shmem_read(obj_priv->pages,
304                                       page_base, page_offset,
305                                       user_data, page_length);
306                 if (ret)
307                         goto fail_put_pages;
308
309                 remain -= page_length;
310                 user_data += page_length;
311                 offset += page_length;
312         }
313
314 fail_put_pages:
315         i915_gem_object_put_pages(obj);
316 fail_unlock:
317         mutex_unlock(&dev->struct_mutex);
318
319         return ret;
320 }
321
322 static int
323 i915_gem_object_get_pages_or_evict(struct drm_gem_object *obj)
324 {
325         int ret;
326
327         ret = i915_gem_object_get_pages(obj, __GFP_NORETRY | __GFP_NOWARN);
328
329         /* If we've insufficient memory to map in the pages, attempt
330          * to make some space by throwing out some old buffers.
331          */
332         if (ret == -ENOMEM) {
333                 struct drm_device *dev = obj->dev;
334
335                 ret = i915_gem_evict_something(dev, obj->size);
336                 if (ret)
337                         return ret;
338
339                 ret = i915_gem_object_get_pages(obj, 0);
340         }
341
342         return ret;
343 }
344
345 /**
346  * This is the fallback shmem pread path, which allocates temporary storage
347  * in kernel space to copy_to_user into outside of the struct_mutex, so we
348  * can copy out of the object's backing pages while holding the struct mutex
349  * and not take page faults.
350  */
351 static int
352 i915_gem_shmem_pread_slow(struct drm_device *dev, struct drm_gem_object *obj,
353                           struct drm_i915_gem_pread *args,
354                           struct drm_file *file_priv)
355 {
356         struct drm_i915_gem_object *obj_priv = obj->driver_private;
357         struct mm_struct *mm = current->mm;
358         struct page **user_pages;
359         ssize_t remain;
360         loff_t offset, pinned_pages, i;
361         loff_t first_data_page, last_data_page, num_pages;
362         int shmem_page_index, shmem_page_offset;
363         int data_page_index,  data_page_offset;
364         int page_length;
365         int ret;
366         uint64_t data_ptr = args->data_ptr;
367         int do_bit17_swizzling;
368
369         remain = args->size;
370
371         /* Pin the user pages containing the data.  We can't fault while
372          * holding the struct mutex, yet we want to hold it while
373          * dereferencing the user data.
374          */
375         first_data_page = data_ptr / PAGE_SIZE;
376         last_data_page = (data_ptr + args->size - 1) / PAGE_SIZE;
377         num_pages = last_data_page - first_data_page + 1;
378
379         user_pages = drm_calloc_large(num_pages, sizeof(struct page *));
380         if (user_pages == NULL)
381                 return -ENOMEM;
382
383         down_read(&mm->mmap_sem);
384         pinned_pages = get_user_pages(current, mm, (uintptr_t)args->data_ptr,
385                                       num_pages, 1, 0, user_pages, NULL);
386         up_read(&mm->mmap_sem);
387         if (pinned_pages < num_pages) {
388                 ret = -EFAULT;
389                 goto fail_put_user_pages;
390         }
391
392         do_bit17_swizzling = i915_gem_object_needs_bit17_swizzle(obj);
393
394         mutex_lock(&dev->struct_mutex);
395
396         ret = i915_gem_object_get_pages_or_evict(obj);
397         if (ret)
398                 goto fail_unlock;
399
400         ret = i915_gem_object_set_cpu_read_domain_range(obj, args->offset,
401                                                         args->size);
402         if (ret != 0)
403                 goto fail_put_pages;
404
405         obj_priv = obj->driver_private;
406         offset = args->offset;
407
408         while (remain > 0) {
409                 /* Operation in this page
410                  *
411                  * shmem_page_index = page number within shmem file
412                  * shmem_page_offset = offset within page in shmem file
413                  * data_page_index = page number in get_user_pages return
414                  * data_page_offset = offset with data_page_index page.
415                  * page_length = bytes to copy for this page
416                  */
417                 shmem_page_index = offset / PAGE_SIZE;
418                 shmem_page_offset = offset & ~PAGE_MASK;
419                 data_page_index = data_ptr / PAGE_SIZE - first_data_page;
420                 data_page_offset = data_ptr & ~PAGE_MASK;
421
422                 page_length = remain;
423                 if ((shmem_page_offset + page_length) > PAGE_SIZE)
424                         page_length = PAGE_SIZE - shmem_page_offset;
425                 if ((data_page_offset + page_length) > PAGE_SIZE)
426                         page_length = PAGE_SIZE - data_page_offset;
427
428                 if (do_bit17_swizzling) {
429                         ret = slow_shmem_bit17_copy(obj_priv->pages[shmem_page_index],
430                                                     shmem_page_offset,
431                                                     user_pages[data_page_index],
432                                                     data_page_offset,
433                                                     page_length,
434                                                     1);
435                 } else {
436                         ret = slow_shmem_copy(user_pages[data_page_index],
437                                               data_page_offset,
438                                               obj_priv->pages[shmem_page_index],
439                                               shmem_page_offset,
440                                               page_length);
441                 }
442                 if (ret)
443                         goto fail_put_pages;
444
445                 remain -= page_length;
446                 data_ptr += page_length;
447                 offset += page_length;
448         }
449
450 fail_put_pages:
451         i915_gem_object_put_pages(obj);
452 fail_unlock:
453         mutex_unlock(&dev->struct_mutex);
454 fail_put_user_pages:
455         for (i = 0; i < pinned_pages; i++) {
456                 SetPageDirty(user_pages[i]);
457                 page_cache_release(user_pages[i]);
458         }
459         drm_free_large(user_pages);
460
461         return ret;
462 }
463
464 /**
465  * Reads data from the object referenced by handle.
466  *
467  * On error, the contents of *data are undefined.
468  */
469 int
470 i915_gem_pread_ioctl(struct drm_device *dev, void *data,
471                      struct drm_file *file_priv)
472 {
473         struct drm_i915_gem_pread *args = data;
474         struct drm_gem_object *obj;
475         struct drm_i915_gem_object *obj_priv;
476         int ret;
477
478         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
479         if (obj == NULL)
480                 return -EBADF;
481         obj_priv = obj->driver_private;
482
483         /* Bounds check source.
484          *
485          * XXX: This could use review for overflow issues...
486          */
487         if (args->offset > obj->size || args->size > obj->size ||
488             args->offset + args->size > obj->size) {
489                 drm_gem_object_unreference_unlocked(obj);
490                 return -EINVAL;
491         }
492
493         if (i915_gem_object_needs_bit17_swizzle(obj)) {
494                 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
495         } else {
496                 ret = i915_gem_shmem_pread_fast(dev, obj, args, file_priv);
497                 if (ret != 0)
498                         ret = i915_gem_shmem_pread_slow(dev, obj, args,
499                                                         file_priv);
500         }
501
502         drm_gem_object_unreference_unlocked(obj);
503
504         return ret;
505 }
506
507 /* This is the fast write path which cannot handle
508  * page faults in the source data
509  */
510
511 static inline int
512 fast_user_write(struct io_mapping *mapping,
513                 loff_t page_base, int page_offset,
514                 char __user *user_data,
515                 int length)
516 {
517         char *vaddr_atomic;
518         unsigned long unwritten;
519
520         vaddr_atomic = io_mapping_map_atomic_wc(mapping, page_base);
521         unwritten = __copy_from_user_inatomic_nocache(vaddr_atomic + page_offset,
522                                                       user_data, length);
523         io_mapping_unmap_atomic(vaddr_atomic);
524         if (unwritten)
525                 return -EFAULT;
526         return 0;
527 }
528
529 /* Here's the write path which can sleep for
530  * page faults
531  */
532
533 static inline int
534 slow_kernel_write(struct io_mapping *mapping,
535                   loff_t gtt_base, int gtt_offset,
536                   struct page *user_page, int user_offset,
537                   int length)
538 {
539         char *src_vaddr, *dst_vaddr;
540         unsigned long unwritten;
541
542         dst_vaddr = io_mapping_map_atomic_wc(mapping, gtt_base);
543         src_vaddr = kmap_atomic(user_page, KM_USER1);
544         unwritten = __copy_from_user_inatomic_nocache(dst_vaddr + gtt_offset,
545                                                       src_vaddr + user_offset,
546                                                       length);
547         kunmap_atomic(src_vaddr, KM_USER1);
548         io_mapping_unmap_atomic(dst_vaddr);
549         if (unwritten)
550                 return -EFAULT;
551         return 0;
552 }
553
554 static inline int
555 fast_shmem_write(struct page **pages,
556                  loff_t page_base, int page_offset,
557                  char __user *data,
558                  int length)
559 {
560         char __iomem *vaddr;
561         unsigned long unwritten;
562
563         vaddr = kmap_atomic(pages[page_base >> PAGE_SHIFT], KM_USER0);
564         if (vaddr == NULL)
565                 return -ENOMEM;
566         unwritten = __copy_from_user_inatomic(vaddr + page_offset, data, length);
567         kunmap_atomic(vaddr, KM_USER0);
568
569         if (unwritten)
570                 return -EFAULT;
571         return 0;
572 }
573
574 /**
575  * This is the fast pwrite path, where we copy the data directly from the
576  * user into the GTT, uncached.
577  */
578 static int
579 i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj,
580                          struct drm_i915_gem_pwrite *args,
581                          struct drm_file *file_priv)
582 {
583         struct drm_i915_gem_object *obj_priv = obj->driver_private;
584         drm_i915_private_t *dev_priv = dev->dev_private;
585         ssize_t remain;
586         loff_t offset, page_base;
587         char __user *user_data;
588         int page_offset, page_length;
589         int ret;
590
591         user_data = (char __user *) (uintptr_t) args->data_ptr;
592         remain = args->size;
593         if (!access_ok(VERIFY_READ, user_data, remain))
594                 return -EFAULT;
595
596
597         mutex_lock(&dev->struct_mutex);
598         ret = i915_gem_object_pin(obj, 0);
599         if (ret) {
600                 mutex_unlock(&dev->struct_mutex);
601                 return ret;
602         }
603         ret = i915_gem_object_set_to_gtt_domain(obj, 1);
604         if (ret)
605                 goto fail;
606
607         obj_priv = obj->driver_private;
608         offset = obj_priv->gtt_offset + args->offset;
609
610         while (remain > 0) {
611                 /* Operation in this page
612                  *
613                  * page_base = page offset within aperture
614                  * page_offset = offset within page
615                  * page_length = bytes to copy for this page
616                  */
617                 page_base = (offset & ~(PAGE_SIZE-1));
618                 page_offset = offset & (PAGE_SIZE-1);
619                 page_length = remain;
620                 if ((page_offset + remain) > PAGE_SIZE)
621                         page_length = PAGE_SIZE - page_offset;
622
623                 ret = fast_user_write (dev_priv->mm.gtt_mapping, page_base,
624                                        page_offset, user_data, page_length);
625
626                 /* If we get a fault while copying data, then (presumably) our
627                  * source page isn't available.  Return the error and we'll
628                  * retry in the slow path.
629                  */
630                 if (ret)
631                         goto fail;
632
633                 remain -= page_length;
634                 user_data += page_length;
635                 offset += page_length;
636         }
637
638 fail:
639         i915_gem_object_unpin(obj);
640         mutex_unlock(&dev->struct_mutex);
641
642         return ret;
643 }
644
645 /**
646  * This is the fallback GTT pwrite path, which uses get_user_pages to pin
647  * the memory and maps it using kmap_atomic for copying.
648  *
649  * This code resulted in x11perf -rgb10text consuming about 10% more CPU
650  * than using i915_gem_gtt_pwrite_fast on a G45 (32-bit).
651  */
652 static int
653 i915_gem_gtt_pwrite_slow(struct drm_device *dev, struct drm_gem_object *obj,
654                          struct drm_i915_gem_pwrite *args,
655                          struct drm_file *file_priv)
656 {
657         struct drm_i915_gem_object *obj_priv = obj->driver_private;
658         drm_i915_private_t *dev_priv = dev->dev_private;
659         ssize_t remain;
660         loff_t gtt_page_base, offset;
661         loff_t first_data_page, last_data_page, num_pages;
662         loff_t pinned_pages, i;
663         struct page **user_pages;
664         struct mm_struct *mm = current->mm;
665         int gtt_page_offset, data_page_offset, data_page_index, page_length;
666         int ret;
667         uint64_t data_ptr = args->data_ptr;
668
669         remain = args->size;
670
671         /* Pin the user pages containing the data.  We can't fault while
672          * holding the struct mutex, and all of the pwrite implementations
673          * want to hold it while dereferencing the user data.
674          */
675         first_data_page = data_ptr / PAGE_SIZE;
676         last_data_page = (data_ptr + args->size - 1) / PAGE_SIZE;
677         num_pages = last_data_page - first_data_page + 1;
678
679         user_pages = drm_calloc_large(num_pages, sizeof(struct page *));
680         if (user_pages == NULL)
681                 return -ENOMEM;
682
683         down_read(&mm->mmap_sem);
684         pinned_pages = get_user_pages(current, mm, (uintptr_t)args->data_ptr,
685                                       num_pages, 0, 0, user_pages, NULL);
686         up_read(&mm->mmap_sem);
687         if (pinned_pages < num_pages) {
688                 ret = -EFAULT;
689                 goto out_unpin_pages;
690         }
691
692         mutex_lock(&dev->struct_mutex);
693         ret = i915_gem_object_pin(obj, 0);
694         if (ret)
695                 goto out_unlock;
696
697         ret = i915_gem_object_set_to_gtt_domain(obj, 1);
698         if (ret)
699                 goto out_unpin_object;
700
701         obj_priv = obj->driver_private;
702         offset = obj_priv->gtt_offset + args->offset;
703
704         while (remain > 0) {
705                 /* Operation in this page
706                  *
707                  * gtt_page_base = page offset within aperture
708                  * gtt_page_offset = offset within page in aperture
709                  * data_page_index = page number in get_user_pages return
710                  * data_page_offset = offset with data_page_index page.
711                  * page_length = bytes to copy for this page
712                  */
713                 gtt_page_base = offset & PAGE_MASK;
714                 gtt_page_offset = offset & ~PAGE_MASK;
715                 data_page_index = data_ptr / PAGE_SIZE - first_data_page;
716                 data_page_offset = data_ptr & ~PAGE_MASK;
717
718                 page_length = remain;
719                 if ((gtt_page_offset + page_length) > PAGE_SIZE)
720                         page_length = PAGE_SIZE - gtt_page_offset;
721                 if ((data_page_offset + page_length) > PAGE_SIZE)
722                         page_length = PAGE_SIZE - data_page_offset;
723
724                 ret = slow_kernel_write(dev_priv->mm.gtt_mapping,
725                                         gtt_page_base, gtt_page_offset,
726                                         user_pages[data_page_index],
727                                         data_page_offset,
728                                         page_length);
729
730                 /* If we get a fault while copying data, then (presumably) our
731                  * source page isn't available.  Return the error and we'll
732                  * retry in the slow path.
733                  */
734                 if (ret)
735                         goto out_unpin_object;
736
737                 remain -= page_length;
738                 offset += page_length;
739                 data_ptr += page_length;
740         }
741
742 out_unpin_object:
743         i915_gem_object_unpin(obj);
744 out_unlock:
745         mutex_unlock(&dev->struct_mutex);
746 out_unpin_pages:
747         for (i = 0; i < pinned_pages; i++)
748                 page_cache_release(user_pages[i]);
749         drm_free_large(user_pages);
750
751         return ret;
752 }
753
754 /**
755  * This is the fast shmem pwrite path, which attempts to directly
756  * copy_from_user into the kmapped pages backing the object.
757  */
758 static int
759 i915_gem_shmem_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj,
760                            struct drm_i915_gem_pwrite *args,
761                            struct drm_file *file_priv)
762 {
763         struct drm_i915_gem_object *obj_priv = obj->driver_private;
764         ssize_t remain;
765         loff_t offset, page_base;
766         char __user *user_data;
767         int page_offset, page_length;
768         int ret;
769
770         user_data = (char __user *) (uintptr_t) args->data_ptr;
771         remain = args->size;
772
773         mutex_lock(&dev->struct_mutex);
774
775         ret = i915_gem_object_get_pages(obj, 0);
776         if (ret != 0)
777                 goto fail_unlock;
778
779         ret = i915_gem_object_set_to_cpu_domain(obj, 1);
780         if (ret != 0)
781                 goto fail_put_pages;
782
783         obj_priv = obj->driver_private;
784         offset = args->offset;
785         obj_priv->dirty = 1;
786
787         while (remain > 0) {
788                 /* Operation in this page
789                  *
790                  * page_base = page offset within aperture
791                  * page_offset = offset within page
792                  * page_length = bytes to copy for this page
793                  */
794                 page_base = (offset & ~(PAGE_SIZE-1));
795                 page_offset = offset & (PAGE_SIZE-1);
796                 page_length = remain;
797                 if ((page_offset + remain) > PAGE_SIZE)
798                         page_length = PAGE_SIZE - page_offset;
799
800                 ret = fast_shmem_write(obj_priv->pages,
801                                        page_base, page_offset,
802                                        user_data, page_length);
803                 if (ret)
804                         goto fail_put_pages;
805
806                 remain -= page_length;
807                 user_data += page_length;
808                 offset += page_length;
809         }
810
811 fail_put_pages:
812         i915_gem_object_put_pages(obj);
813 fail_unlock:
814         mutex_unlock(&dev->struct_mutex);
815
816         return ret;
817 }
818
819 /**
820  * This is the fallback shmem pwrite path, which uses get_user_pages to pin
821  * the memory and maps it using kmap_atomic for copying.
822  *
823  * This avoids taking mmap_sem for faulting on the user's address while the
824  * struct_mutex is held.
825  */
826 static int
827 i915_gem_shmem_pwrite_slow(struct drm_device *dev, struct drm_gem_object *obj,
828                            struct drm_i915_gem_pwrite *args,
829                            struct drm_file *file_priv)
830 {
831         struct drm_i915_gem_object *obj_priv = obj->driver_private;
832         struct mm_struct *mm = current->mm;
833         struct page **user_pages;
834         ssize_t remain;
835         loff_t offset, pinned_pages, i;
836         loff_t first_data_page, last_data_page, num_pages;
837         int shmem_page_index, shmem_page_offset;
838         int data_page_index,  data_page_offset;
839         int page_length;
840         int ret;
841         uint64_t data_ptr = args->data_ptr;
842         int do_bit17_swizzling;
843
844         remain = args->size;
845
846         /* Pin the user pages containing the data.  We can't fault while
847          * holding the struct mutex, and all of the pwrite implementations
848          * want to hold it while dereferencing the user data.
849          */
850         first_data_page = data_ptr / PAGE_SIZE;
851         last_data_page = (data_ptr + args->size - 1) / PAGE_SIZE;
852         num_pages = last_data_page - first_data_page + 1;
853
854         user_pages = drm_calloc_large(num_pages, sizeof(struct page *));
855         if (user_pages == NULL)
856                 return -ENOMEM;
857
858         down_read(&mm->mmap_sem);
859         pinned_pages = get_user_pages(current, mm, (uintptr_t)args->data_ptr,
860                                       num_pages, 0, 0, user_pages, NULL);
861         up_read(&mm->mmap_sem);
862         if (pinned_pages < num_pages) {
863                 ret = -EFAULT;
864                 goto fail_put_user_pages;
865         }
866
867         do_bit17_swizzling = i915_gem_object_needs_bit17_swizzle(obj);
868
869         mutex_lock(&dev->struct_mutex);
870
871         ret = i915_gem_object_get_pages_or_evict(obj);
872         if (ret)
873                 goto fail_unlock;
874
875         ret = i915_gem_object_set_to_cpu_domain(obj, 1);
876         if (ret != 0)
877                 goto fail_put_pages;
878
879         obj_priv = obj->driver_private;
880         offset = args->offset;
881         obj_priv->dirty = 1;
882
883         while (remain > 0) {
884                 /* Operation in this page
885                  *
886                  * shmem_page_index = page number within shmem file
887                  * shmem_page_offset = offset within page in shmem file
888                  * data_page_index = page number in get_user_pages return
889                  * data_page_offset = offset with data_page_index page.
890                  * page_length = bytes to copy for this page
891                  */
892                 shmem_page_index = offset / PAGE_SIZE;
893                 shmem_page_offset = offset & ~PAGE_MASK;
894                 data_page_index = data_ptr / PAGE_SIZE - first_data_page;
895                 data_page_offset = data_ptr & ~PAGE_MASK;
896
897                 page_length = remain;
898                 if ((shmem_page_offset + page_length) > PAGE_SIZE)
899                         page_length = PAGE_SIZE - shmem_page_offset;
900                 if ((data_page_offset + page_length) > PAGE_SIZE)
901                         page_length = PAGE_SIZE - data_page_offset;
902
903                 if (do_bit17_swizzling) {
904                         ret = slow_shmem_bit17_copy(obj_priv->pages[shmem_page_index],
905                                                     shmem_page_offset,
906                                                     user_pages[data_page_index],
907                                                     data_page_offset,
908                                                     page_length,
909                                                     0);
910                 } else {
911                         ret = slow_shmem_copy(obj_priv->pages[shmem_page_index],
912                                               shmem_page_offset,
913                                               user_pages[data_page_index],
914                                               data_page_offset,
915                                               page_length);
916                 }
917                 if (ret)
918                         goto fail_put_pages;
919
920                 remain -= page_length;
921                 data_ptr += page_length;
922                 offset += page_length;
923         }
924
925 fail_put_pages:
926         i915_gem_object_put_pages(obj);
927 fail_unlock:
928         mutex_unlock(&dev->struct_mutex);
929 fail_put_user_pages:
930         for (i = 0; i < pinned_pages; i++)
931                 page_cache_release(user_pages[i]);
932         drm_free_large(user_pages);
933
934         return ret;
935 }
936
937 /**
938  * Writes data to the object referenced by handle.
939  *
940  * On error, the contents of the buffer that were to be modified are undefined.
941  */
942 int
943 i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
944                       struct drm_file *file_priv)
945 {
946         struct drm_i915_gem_pwrite *args = data;
947         struct drm_gem_object *obj;
948         struct drm_i915_gem_object *obj_priv;
949         int ret = 0;
950
951         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
952         if (obj == NULL)
953                 return -EBADF;
954         obj_priv = obj->driver_private;
955
956         /* Bounds check destination.
957          *
958          * XXX: This could use review for overflow issues...
959          */
960         if (args->offset > obj->size || args->size > obj->size ||
961             args->offset + args->size > obj->size) {
962                 drm_gem_object_unreference_unlocked(obj);
963                 return -EINVAL;
964         }
965
966         /* We can only do the GTT pwrite on untiled buffers, as otherwise
967          * it would end up going through the fenced access, and we'll get
968          * different detiling behavior between reading and writing.
969          * pread/pwrite currently are reading and writing from the CPU
970          * perspective, requiring manual detiling by the client.
971          */
972         if (obj_priv->phys_obj)
973                 ret = i915_gem_phys_pwrite(dev, obj, args, file_priv);
974         else if (obj_priv->tiling_mode == I915_TILING_NONE &&
975                  dev->gtt_total != 0) {
976                 ret = i915_gem_gtt_pwrite_fast(dev, obj, args, file_priv);
977                 if (ret == -EFAULT) {
978                         ret = i915_gem_gtt_pwrite_slow(dev, obj, args,
979                                                        file_priv);
980                 }
981         } else if (i915_gem_object_needs_bit17_swizzle(obj)) {
982                 ret = i915_gem_shmem_pwrite_slow(dev, obj, args, file_priv);
983         } else {
984                 ret = i915_gem_shmem_pwrite_fast(dev, obj, args, file_priv);
985                 if (ret == -EFAULT) {
986                         ret = i915_gem_shmem_pwrite_slow(dev, obj, args,
987                                                          file_priv);
988                 }
989         }
990
991 #if WATCH_PWRITE
992         if (ret)
993                 DRM_INFO("pwrite failed %d\n", ret);
994 #endif
995
996         drm_gem_object_unreference_unlocked(obj);
997
998         return ret;
999 }
1000
1001 /**
1002  * Called when user space prepares to use an object with the CPU, either
1003  * through the mmap ioctl's mapping or a GTT mapping.
1004  */
1005 int
1006 i915_gem_set_domain_ioctl(struct drm_device *dev, void *data,
1007                           struct drm_file *file_priv)
1008 {
1009         struct drm_i915_private *dev_priv = dev->dev_private;
1010         struct drm_i915_gem_set_domain *args = data;
1011         struct drm_gem_object *obj;
1012         struct drm_i915_gem_object *obj_priv;
1013         uint32_t read_domains = args->read_domains;
1014         uint32_t write_domain = args->write_domain;
1015         int ret;
1016
1017         if (!(dev->driver->driver_features & DRIVER_GEM))
1018                 return -ENODEV;
1019
1020         /* Only handle setting domains to types used by the CPU. */
1021         if (write_domain & I915_GEM_GPU_DOMAINS)
1022                 return -EINVAL;
1023
1024         if (read_domains & I915_GEM_GPU_DOMAINS)
1025                 return -EINVAL;
1026
1027         /* Having something in the write domain implies it's in the read
1028          * domain, and only that read domain.  Enforce that in the request.
1029          */
1030         if (write_domain != 0 && read_domains != write_domain)
1031                 return -EINVAL;
1032
1033         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
1034         if (obj == NULL)
1035                 return -EBADF;
1036         obj_priv = obj->driver_private;
1037
1038         mutex_lock(&dev->struct_mutex);
1039
1040         intel_mark_busy(dev, obj);
1041
1042 #if WATCH_BUF
1043         DRM_INFO("set_domain_ioctl %p(%zd), %08x %08x\n",
1044                  obj, obj->size, read_domains, write_domain);
1045 #endif
1046         if (read_domains & I915_GEM_DOMAIN_GTT) {
1047                 ret = i915_gem_object_set_to_gtt_domain(obj, write_domain != 0);
1048
1049                 /* Update the LRU on the fence for the CPU access that's
1050                  * about to occur.
1051                  */
1052                 if (obj_priv->fence_reg != I915_FENCE_REG_NONE) {
1053                         list_move_tail(&obj_priv->fence_list,
1054                                        &dev_priv->mm.fence_list);
1055                 }
1056
1057                 /* Silently promote "you're not bound, there was nothing to do"
1058                  * to success, since the client was just asking us to
1059                  * make sure everything was done.
1060                  */
1061                 if (ret == -EINVAL)
1062                         ret = 0;
1063         } else {
1064                 ret = i915_gem_object_set_to_cpu_domain(obj, write_domain != 0);
1065         }
1066
1067         drm_gem_object_unreference(obj);
1068         mutex_unlock(&dev->struct_mutex);
1069         return ret;
1070 }
1071
1072 /**
1073  * Called when user space has done writes to this buffer
1074  */
1075 int
1076 i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
1077                       struct drm_file *file_priv)
1078 {
1079         struct drm_i915_gem_sw_finish *args = data;
1080         struct drm_gem_object *obj;
1081         struct drm_i915_gem_object *obj_priv;
1082         int ret = 0;
1083
1084         if (!(dev->driver->driver_features & DRIVER_GEM))
1085                 return -ENODEV;
1086
1087         mutex_lock(&dev->struct_mutex);
1088         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
1089         if (obj == NULL) {
1090                 mutex_unlock(&dev->struct_mutex);
1091                 return -EBADF;
1092         }
1093
1094 #if WATCH_BUF
1095         DRM_INFO("%s: sw_finish %d (%p %zd)\n",
1096                  __func__, args->handle, obj, obj->size);
1097 #endif
1098         obj_priv = obj->driver_private;
1099
1100         /* Pinned buffers may be scanout, so flush the cache */
1101         if (obj_priv->pin_count)
1102                 i915_gem_object_flush_cpu_write_domain(obj);
1103
1104         drm_gem_object_unreference(obj);
1105         mutex_unlock(&dev->struct_mutex);
1106         return ret;
1107 }
1108
1109 /**
1110  * Maps the contents of an object, returning the address it is mapped
1111  * into.
1112  *
1113  * While the mapping holds a reference on the contents of the object, it doesn't
1114  * imply a ref on the object itself.
1115  */
1116 int
1117 i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
1118                    struct drm_file *file_priv)
1119 {
1120         struct drm_i915_gem_mmap *args = data;
1121         struct drm_gem_object *obj;
1122         loff_t offset;
1123         unsigned long addr;
1124
1125         if (!(dev->driver->driver_features & DRIVER_GEM))
1126                 return -ENODEV;
1127
1128         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
1129         if (obj == NULL)
1130                 return -EBADF;
1131
1132         offset = args->offset;
1133
1134         down_write(&current->mm->mmap_sem);
1135         addr = do_mmap(obj->filp, 0, args->size,
1136                        PROT_READ | PROT_WRITE, MAP_SHARED,
1137                        args->offset);
1138         up_write(&current->mm->mmap_sem);
1139         drm_gem_object_unreference_unlocked(obj);
1140         if (IS_ERR((void *)addr))
1141                 return addr;
1142
1143         args->addr_ptr = (uint64_t) addr;
1144
1145         return 0;
1146 }
1147
1148 /**
1149  * i915_gem_fault - fault a page into the GTT
1150  * vma: VMA in question
1151  * vmf: fault info
1152  *
1153  * The fault handler is set up by drm_gem_mmap() when a object is GTT mapped
1154  * from userspace.  The fault handler takes care of binding the object to
1155  * the GTT (if needed), allocating and programming a fence register (again,
1156  * only if needed based on whether the old reg is still valid or the object
1157  * is tiled) and inserting a new PTE into the faulting process.
1158  *
1159  * Note that the faulting process may involve evicting existing objects
1160  * from the GTT and/or fence registers to make room.  So performance may
1161  * suffer if the GTT working set is large or there are few fence registers
1162  * left.
1163  */
1164 int i915_gem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
1165 {
1166         struct drm_gem_object *obj = vma->vm_private_data;
1167         struct drm_device *dev = obj->dev;
1168         struct drm_i915_private *dev_priv = dev->dev_private;
1169         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1170         pgoff_t page_offset;
1171         unsigned long pfn;
1172         int ret = 0;
1173         bool write = !!(vmf->flags & FAULT_FLAG_WRITE);
1174
1175         /* We don't use vmf->pgoff since that has the fake offset */
1176         page_offset = ((unsigned long)vmf->virtual_address - vma->vm_start) >>
1177                 PAGE_SHIFT;
1178
1179         /* Now bind it into the GTT if needed */
1180         mutex_lock(&dev->struct_mutex);
1181         if (!obj_priv->gtt_space) {
1182                 ret = i915_gem_object_bind_to_gtt(obj, 0);
1183                 if (ret)
1184                         goto unlock;
1185
1186                 list_add_tail(&obj_priv->list, &dev_priv->mm.inactive_list);
1187
1188                 ret = i915_gem_object_set_to_gtt_domain(obj, write);
1189                 if (ret)
1190                         goto unlock;
1191         }
1192
1193         /* Need a new fence register? */
1194         if (obj_priv->tiling_mode != I915_TILING_NONE) {
1195                 ret = i915_gem_object_get_fence_reg(obj);
1196                 if (ret)
1197                         goto unlock;
1198         }
1199
1200         pfn = ((dev->agp->base + obj_priv->gtt_offset) >> PAGE_SHIFT) +
1201                 page_offset;
1202
1203         /* Finally, remap it using the new GTT offset */
1204         ret = vm_insert_pfn(vma, (unsigned long)vmf->virtual_address, pfn);
1205 unlock:
1206         mutex_unlock(&dev->struct_mutex);
1207
1208         switch (ret) {
1209         case 0:
1210         case -ERESTARTSYS:
1211                 return VM_FAULT_NOPAGE;
1212         case -ENOMEM:
1213         case -EAGAIN:
1214                 return VM_FAULT_OOM;
1215         default:
1216                 return VM_FAULT_SIGBUS;
1217         }
1218 }
1219
1220 /**
1221  * i915_gem_create_mmap_offset - create a fake mmap offset for an object
1222  * @obj: obj in question
1223  *
1224  * GEM memory mapping works by handing back to userspace a fake mmap offset
1225  * it can use in a subsequent mmap(2) call.  The DRM core code then looks
1226  * up the object based on the offset and sets up the various memory mapping
1227  * structures.
1228  *
1229  * This routine allocates and attaches a fake offset for @obj.
1230  */
1231 static int
1232 i915_gem_create_mmap_offset(struct drm_gem_object *obj)
1233 {
1234         struct drm_device *dev = obj->dev;
1235         struct drm_gem_mm *mm = dev->mm_private;
1236         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1237         struct drm_map_list *list;
1238         struct drm_local_map *map;
1239         int ret = 0;
1240
1241         /* Set the object up for mmap'ing */
1242         list = &obj->map_list;
1243         list->map = kzalloc(sizeof(struct drm_map_list), GFP_KERNEL);
1244         if (!list->map)
1245                 return -ENOMEM;
1246
1247         map = list->map;
1248         map->type = _DRM_GEM;
1249         map->size = obj->size;
1250         map->handle = obj;
1251
1252         /* Get a DRM GEM mmap offset allocated... */
1253         list->file_offset_node = drm_mm_search_free(&mm->offset_manager,
1254                                                     obj->size / PAGE_SIZE, 0, 0);
1255         if (!list->file_offset_node) {
1256                 DRM_ERROR("failed to allocate offset for bo %d\n", obj->name);
1257                 ret = -ENOMEM;
1258                 goto out_free_list;
1259         }
1260
1261         list->file_offset_node = drm_mm_get_block(list->file_offset_node,
1262                                                   obj->size / PAGE_SIZE, 0);
1263         if (!list->file_offset_node) {
1264                 ret = -ENOMEM;
1265                 goto out_free_list;
1266         }
1267
1268         list->hash.key = list->file_offset_node->start;
1269         if (drm_ht_insert_item(&mm->offset_hash, &list->hash)) {
1270                 DRM_ERROR("failed to add to map hash\n");
1271                 ret = -ENOMEM;
1272                 goto out_free_mm;
1273         }
1274
1275         /* By now we should be all set, any drm_mmap request on the offset
1276          * below will get to our mmap & fault handler */
1277         obj_priv->mmap_offset = ((uint64_t) list->hash.key) << PAGE_SHIFT;
1278
1279         return 0;
1280
1281 out_free_mm:
1282         drm_mm_put_block(list->file_offset_node);
1283 out_free_list:
1284         kfree(list->map);
1285
1286         return ret;
1287 }
1288
1289 /**
1290  * i915_gem_release_mmap - remove physical page mappings
1291  * @obj: obj in question
1292  *
1293  * Preserve the reservation of the mmapping with the DRM core code, but
1294  * relinquish ownership of the pages back to the system.
1295  *
1296  * It is vital that we remove the page mapping if we have mapped a tiled
1297  * object through the GTT and then lose the fence register due to
1298  * resource pressure. Similarly if the object has been moved out of the
1299  * aperture, than pages mapped into userspace must be revoked. Removing the
1300  * mapping will then trigger a page fault on the next user access, allowing
1301  * fixup by i915_gem_fault().
1302  */
1303 void
1304 i915_gem_release_mmap(struct drm_gem_object *obj)
1305 {
1306         struct drm_device *dev = obj->dev;
1307         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1308
1309         if (dev->dev_mapping)
1310                 unmap_mapping_range(dev->dev_mapping,
1311                                     obj_priv->mmap_offset, obj->size, 1);
1312 }
1313
1314 static void
1315 i915_gem_free_mmap_offset(struct drm_gem_object *obj)
1316 {
1317         struct drm_device *dev = obj->dev;
1318         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1319         struct drm_gem_mm *mm = dev->mm_private;
1320         struct drm_map_list *list;
1321
1322         list = &obj->map_list;
1323         drm_ht_remove_item(&mm->offset_hash, &list->hash);
1324
1325         if (list->file_offset_node) {
1326                 drm_mm_put_block(list->file_offset_node);
1327                 list->file_offset_node = NULL;
1328         }
1329
1330         if (list->map) {
1331                 kfree(list->map);
1332                 list->map = NULL;
1333         }
1334
1335         obj_priv->mmap_offset = 0;
1336 }
1337
1338 /**
1339  * i915_gem_get_gtt_alignment - return required GTT alignment for an object
1340  * @obj: object to check
1341  *
1342  * Return the required GTT alignment for an object, taking into account
1343  * potential fence register mapping if needed.
1344  */
1345 static uint32_t
1346 i915_gem_get_gtt_alignment(struct drm_gem_object *obj)
1347 {
1348         struct drm_device *dev = obj->dev;
1349         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1350         int start, i;
1351
1352         /*
1353          * Minimum alignment is 4k (GTT page size), but might be greater
1354          * if a fence register is needed for the object.
1355          */
1356         if (IS_I965G(dev) || obj_priv->tiling_mode == I915_TILING_NONE)
1357                 return 4096;
1358
1359         /*
1360          * Previous chips need to be aligned to the size of the smallest
1361          * fence register that can contain the object.
1362          */
1363         if (IS_I9XX(dev))
1364                 start = 1024*1024;
1365         else
1366                 start = 512*1024;
1367
1368         for (i = start; i < obj->size; i <<= 1)
1369                 ;
1370
1371         return i;
1372 }
1373
1374 /**
1375  * i915_gem_mmap_gtt_ioctl - prepare an object for GTT mmap'ing
1376  * @dev: DRM device
1377  * @data: GTT mapping ioctl data
1378  * @file_priv: GEM object info
1379  *
1380  * Simply returns the fake offset to userspace so it can mmap it.
1381  * The mmap call will end up in drm_gem_mmap(), which will set things
1382  * up so we can get faults in the handler above.
1383  *
1384  * The fault handler will take care of binding the object into the GTT
1385  * (since it may have been evicted to make room for something), allocating
1386  * a fence register, and mapping the appropriate aperture address into
1387  * userspace.
1388  */
1389 int
1390 i915_gem_mmap_gtt_ioctl(struct drm_device *dev, void *data,
1391                         struct drm_file *file_priv)
1392 {
1393         struct drm_i915_gem_mmap_gtt *args = data;
1394         struct drm_i915_private *dev_priv = dev->dev_private;
1395         struct drm_gem_object *obj;
1396         struct drm_i915_gem_object *obj_priv;
1397         int ret;
1398
1399         if (!(dev->driver->driver_features & DRIVER_GEM))
1400                 return -ENODEV;
1401
1402         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
1403         if (obj == NULL)
1404                 return -EBADF;
1405
1406         mutex_lock(&dev->struct_mutex);
1407
1408         obj_priv = obj->driver_private;
1409
1410         if (obj_priv->madv != I915_MADV_WILLNEED) {
1411                 DRM_ERROR("Attempting to mmap a purgeable buffer\n");
1412                 drm_gem_object_unreference(obj);
1413                 mutex_unlock(&dev->struct_mutex);
1414                 return -EINVAL;
1415         }
1416
1417
1418         if (!obj_priv->mmap_offset) {
1419                 ret = i915_gem_create_mmap_offset(obj);
1420                 if (ret) {
1421                         drm_gem_object_unreference(obj);
1422                         mutex_unlock(&dev->struct_mutex);
1423                         return ret;
1424                 }
1425         }
1426
1427         args->offset = obj_priv->mmap_offset;
1428
1429         /*
1430          * Pull it into the GTT so that we have a page list (makes the
1431          * initial fault faster and any subsequent flushing possible).
1432          */
1433         if (!obj_priv->agp_mem) {
1434                 ret = i915_gem_object_bind_to_gtt(obj, 0);
1435                 if (ret) {
1436                         drm_gem_object_unreference(obj);
1437                         mutex_unlock(&dev->struct_mutex);
1438                         return ret;
1439                 }
1440                 list_add_tail(&obj_priv->list, &dev_priv->mm.inactive_list);
1441         }
1442
1443         drm_gem_object_unreference(obj);
1444         mutex_unlock(&dev->struct_mutex);
1445
1446         return 0;
1447 }
1448
1449 void
1450 i915_gem_object_put_pages(struct drm_gem_object *obj)
1451 {
1452         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1453         int page_count = obj->size / PAGE_SIZE;
1454         int i;
1455
1456         BUG_ON(obj_priv->pages_refcount == 0);
1457         BUG_ON(obj_priv->madv == __I915_MADV_PURGED);
1458
1459         if (--obj_priv->pages_refcount != 0)
1460                 return;
1461
1462         if (obj_priv->tiling_mode != I915_TILING_NONE)
1463                 i915_gem_object_save_bit_17_swizzle(obj);
1464
1465         if (obj_priv->madv == I915_MADV_DONTNEED)
1466                 obj_priv->dirty = 0;
1467
1468         for (i = 0; i < page_count; i++) {
1469                 if (obj_priv->pages[i] == NULL)
1470                         break;
1471
1472                 if (obj_priv->dirty)
1473                         set_page_dirty(obj_priv->pages[i]);
1474
1475                 if (obj_priv->madv == I915_MADV_WILLNEED)
1476                         mark_page_accessed(obj_priv->pages[i]);
1477
1478                 page_cache_release(obj_priv->pages[i]);
1479         }
1480         obj_priv->dirty = 0;
1481
1482         drm_free_large(obj_priv->pages);
1483         obj_priv->pages = NULL;
1484 }
1485
1486 static void
1487 i915_gem_object_move_to_active(struct drm_gem_object *obj, uint32_t seqno)
1488 {
1489         struct drm_device *dev = obj->dev;
1490         drm_i915_private_t *dev_priv = dev->dev_private;
1491         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1492
1493         /* Add a reference if we're newly entering the active list. */
1494         if (!obj_priv->active) {
1495                 drm_gem_object_reference(obj);
1496                 obj_priv->active = 1;
1497         }
1498         /* Move from whatever list we were on to the tail of execution. */
1499         spin_lock(&dev_priv->mm.active_list_lock);
1500         list_move_tail(&obj_priv->list,
1501                        &dev_priv->mm.active_list);
1502         spin_unlock(&dev_priv->mm.active_list_lock);
1503         obj_priv->last_rendering_seqno = seqno;
1504 }
1505
1506 static void
1507 i915_gem_object_move_to_flushing(struct drm_gem_object *obj)
1508 {
1509         struct drm_device *dev = obj->dev;
1510         drm_i915_private_t *dev_priv = dev->dev_private;
1511         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1512
1513         BUG_ON(!obj_priv->active);
1514         list_move_tail(&obj_priv->list, &dev_priv->mm.flushing_list);
1515         obj_priv->last_rendering_seqno = 0;
1516 }
1517
1518 /* Immediately discard the backing storage */
1519 static void
1520 i915_gem_object_truncate(struct drm_gem_object *obj)
1521 {
1522         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1523         struct inode *inode;
1524
1525         inode = obj->filp->f_path.dentry->d_inode;
1526         if (inode->i_op->truncate)
1527                 inode->i_op->truncate (inode);
1528
1529         obj_priv->madv = __I915_MADV_PURGED;
1530 }
1531
1532 static inline int
1533 i915_gem_object_is_purgeable(struct drm_i915_gem_object *obj_priv)
1534 {
1535         return obj_priv->madv == I915_MADV_DONTNEED;
1536 }
1537
1538 static void
1539 i915_gem_object_move_to_inactive(struct drm_gem_object *obj)
1540 {
1541         struct drm_device *dev = obj->dev;
1542         drm_i915_private_t *dev_priv = dev->dev_private;
1543         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1544
1545         i915_verify_inactive(dev, __FILE__, __LINE__);
1546         if (obj_priv->pin_count != 0)
1547                 list_del_init(&obj_priv->list);
1548         else
1549                 list_move_tail(&obj_priv->list, &dev_priv->mm.inactive_list);
1550
1551         BUG_ON(!list_empty(&obj_priv->gpu_write_list));
1552
1553         obj_priv->last_rendering_seqno = 0;
1554         if (obj_priv->active) {
1555                 obj_priv->active = 0;
1556                 drm_gem_object_unreference(obj);
1557         }
1558         i915_verify_inactive(dev, __FILE__, __LINE__);
1559 }
1560
1561 static void
1562 i915_gem_process_flushing_list(struct drm_device *dev,
1563                                uint32_t flush_domains, uint32_t seqno)
1564 {
1565         drm_i915_private_t *dev_priv = dev->dev_private;
1566         struct drm_i915_gem_object *obj_priv, *next;
1567
1568         list_for_each_entry_safe(obj_priv, next,
1569                                  &dev_priv->mm.gpu_write_list,
1570                                  gpu_write_list) {
1571                 struct drm_gem_object *obj = obj_priv->obj;
1572
1573                 if ((obj->write_domain & flush_domains) ==
1574                     obj->write_domain) {
1575                         uint32_t old_write_domain = obj->write_domain;
1576
1577                         obj->write_domain = 0;
1578                         list_del_init(&obj_priv->gpu_write_list);
1579                         i915_gem_object_move_to_active(obj, seqno);
1580
1581                         /* update the fence lru list */
1582                         if (obj_priv->fence_reg != I915_FENCE_REG_NONE)
1583                                 list_move_tail(&obj_priv->fence_list,
1584                                                 &dev_priv->mm.fence_list);
1585
1586                         trace_i915_gem_object_change_domain(obj,
1587                                                             obj->read_domains,
1588                                                             old_write_domain);
1589                 }
1590         }
1591 }
1592
1593 /**
1594  * Creates a new sequence number, emitting a write of it to the status page
1595  * plus an interrupt, which will trigger i915_user_interrupt_handler.
1596  *
1597  * Must be called with struct_lock held.
1598  *
1599  * Returned sequence numbers are nonzero on success.
1600  */
1601 uint32_t
1602 i915_add_request(struct drm_device *dev, struct drm_file *file_priv,
1603                  uint32_t flush_domains)
1604 {
1605         drm_i915_private_t *dev_priv = dev->dev_private;
1606         struct drm_i915_file_private *i915_file_priv = NULL;
1607         struct drm_i915_gem_request *request;
1608         uint32_t seqno;
1609         int was_empty;
1610         RING_LOCALS;
1611
1612         if (file_priv != NULL)
1613                 i915_file_priv = file_priv->driver_priv;
1614
1615         request = kzalloc(sizeof(*request), GFP_KERNEL);
1616         if (request == NULL)
1617                 return 0;
1618
1619         /* Grab the seqno we're going to make this request be, and bump the
1620          * next (skipping 0 so it can be the reserved no-seqno value).
1621          */
1622         seqno = dev_priv->mm.next_gem_seqno;
1623         dev_priv->mm.next_gem_seqno++;
1624         if (dev_priv->mm.next_gem_seqno == 0)
1625                 dev_priv->mm.next_gem_seqno++;
1626
1627         BEGIN_LP_RING(4);
1628         OUT_RING(MI_STORE_DWORD_INDEX);
1629         OUT_RING(I915_GEM_HWS_INDEX << MI_STORE_DWORD_INDEX_SHIFT);
1630         OUT_RING(seqno);
1631
1632         OUT_RING(MI_USER_INTERRUPT);
1633         ADVANCE_LP_RING();
1634
1635         DRM_DEBUG_DRIVER("%d\n", seqno);
1636
1637         request->seqno = seqno;
1638         request->emitted_jiffies = jiffies;
1639         was_empty = list_empty(&dev_priv->mm.request_list);
1640         list_add_tail(&request->list, &dev_priv->mm.request_list);
1641         if (i915_file_priv) {
1642                 list_add_tail(&request->client_list,
1643                               &i915_file_priv->mm.request_list);
1644         } else {
1645                 INIT_LIST_HEAD(&request->client_list);
1646         }
1647
1648         /* Associate any objects on the flushing list matching the write
1649          * domain we're flushing with our flush.
1650          */
1651         if (flush_domains != 0) 
1652                 i915_gem_process_flushing_list(dev, flush_domains, seqno);
1653
1654         if (!dev_priv->mm.suspended) {
1655                 mod_timer(&dev_priv->hangcheck_timer, jiffies + DRM_I915_HANGCHECK_PERIOD);
1656                 if (was_empty)
1657                         queue_delayed_work(dev_priv->wq, &dev_priv->mm.retire_work, HZ);
1658         }
1659         return seqno;
1660 }
1661
1662 /**
1663  * Command execution barrier
1664  *
1665  * Ensures that all commands in the ring are finished
1666  * before signalling the CPU
1667  */
1668 static uint32_t
1669 i915_retire_commands(struct drm_device *dev)
1670 {
1671         drm_i915_private_t *dev_priv = dev->dev_private;
1672         uint32_t cmd = MI_FLUSH | MI_NO_WRITE_FLUSH;
1673         uint32_t flush_domains = 0;
1674         RING_LOCALS;
1675
1676         /* The sampler always gets flushed on i965 (sigh) */
1677         if (IS_I965G(dev))
1678                 flush_domains |= I915_GEM_DOMAIN_SAMPLER;
1679         BEGIN_LP_RING(2);
1680         OUT_RING(cmd);
1681         OUT_RING(0); /* noop */
1682         ADVANCE_LP_RING();
1683         return flush_domains;
1684 }
1685
1686 /**
1687  * Moves buffers associated only with the given active seqno from the active
1688  * to inactive list, potentially freeing them.
1689  */
1690 static void
1691 i915_gem_retire_request(struct drm_device *dev,
1692                         struct drm_i915_gem_request *request)
1693 {
1694         drm_i915_private_t *dev_priv = dev->dev_private;
1695
1696         trace_i915_gem_request_retire(dev, request->seqno);
1697
1698         /* Move any buffers on the active list that are no longer referenced
1699          * by the ringbuffer to the flushing/inactive lists as appropriate.
1700          */
1701         spin_lock(&dev_priv->mm.active_list_lock);
1702         while (!list_empty(&dev_priv->mm.active_list)) {
1703                 struct drm_gem_object *obj;
1704                 struct drm_i915_gem_object *obj_priv;
1705
1706                 obj_priv = list_first_entry(&dev_priv->mm.active_list,
1707                                             struct drm_i915_gem_object,
1708                                             list);
1709                 obj = obj_priv->obj;
1710
1711                 /* If the seqno being retired doesn't match the oldest in the
1712                  * list, then the oldest in the list must still be newer than
1713                  * this seqno.
1714                  */
1715                 if (obj_priv->last_rendering_seqno != request->seqno)
1716                         goto out;
1717
1718 #if WATCH_LRU
1719                 DRM_INFO("%s: retire %d moves to inactive list %p\n",
1720                          __func__, request->seqno, obj);
1721 #endif
1722
1723                 if (obj->write_domain != 0)
1724                         i915_gem_object_move_to_flushing(obj);
1725                 else {
1726                         /* Take a reference on the object so it won't be
1727                          * freed while the spinlock is held.  The list
1728                          * protection for this spinlock is safe when breaking
1729                          * the lock like this since the next thing we do
1730                          * is just get the head of the list again.
1731                          */
1732                         drm_gem_object_reference(obj);
1733                         i915_gem_object_move_to_inactive(obj);
1734                         spin_unlock(&dev_priv->mm.active_list_lock);
1735                         drm_gem_object_unreference(obj);
1736                         spin_lock(&dev_priv->mm.active_list_lock);
1737                 }
1738         }
1739 out:
1740         spin_unlock(&dev_priv->mm.active_list_lock);
1741 }
1742
1743 /**
1744  * Returns true if seq1 is later than seq2.
1745  */
1746 bool
1747 i915_seqno_passed(uint32_t seq1, uint32_t seq2)
1748 {
1749         return (int32_t)(seq1 - seq2) >= 0;
1750 }
1751
1752 uint32_t
1753 i915_get_gem_seqno(struct drm_device *dev)
1754 {
1755         drm_i915_private_t *dev_priv = dev->dev_private;
1756
1757         return READ_HWSP(dev_priv, I915_GEM_HWS_INDEX);
1758 }
1759
1760 /**
1761  * This function clears the request list as sequence numbers are passed.
1762  */
1763 void
1764 i915_gem_retire_requests(struct drm_device *dev)
1765 {
1766         drm_i915_private_t *dev_priv = dev->dev_private;
1767         uint32_t seqno;
1768
1769         if (!dev_priv->hw_status_page || list_empty(&dev_priv->mm.request_list))
1770                 return;
1771
1772         seqno = i915_get_gem_seqno(dev);
1773
1774         while (!list_empty(&dev_priv->mm.request_list)) {
1775                 struct drm_i915_gem_request *request;
1776                 uint32_t retiring_seqno;
1777
1778                 request = list_first_entry(&dev_priv->mm.request_list,
1779                                            struct drm_i915_gem_request,
1780                                            list);
1781                 retiring_seqno = request->seqno;
1782
1783                 if (i915_seqno_passed(seqno, retiring_seqno) ||
1784                     atomic_read(&dev_priv->mm.wedged)) {
1785                         i915_gem_retire_request(dev, request);
1786
1787                         list_del(&request->list);
1788                         list_del(&request->client_list);
1789                         kfree(request);
1790                 } else
1791                         break;
1792         }
1793
1794         if (unlikely (dev_priv->trace_irq_seqno &&
1795                       i915_seqno_passed(dev_priv->trace_irq_seqno, seqno))) {
1796                 i915_user_irq_put(dev);
1797                 dev_priv->trace_irq_seqno = 0;
1798         }
1799 }
1800
1801 void
1802 i915_gem_retire_work_handler(struct work_struct *work)
1803 {
1804         drm_i915_private_t *dev_priv;
1805         struct drm_device *dev;
1806
1807         dev_priv = container_of(work, drm_i915_private_t,
1808                                 mm.retire_work.work);
1809         dev = dev_priv->dev;
1810
1811         mutex_lock(&dev->struct_mutex);
1812         i915_gem_retire_requests(dev);
1813         if (!dev_priv->mm.suspended &&
1814             !list_empty(&dev_priv->mm.request_list))
1815                 queue_delayed_work(dev_priv->wq, &dev_priv->mm.retire_work, HZ);
1816         mutex_unlock(&dev->struct_mutex);
1817 }
1818
1819 int
1820 i915_do_wait_request(struct drm_device *dev, uint32_t seqno, int interruptible)
1821 {
1822         drm_i915_private_t *dev_priv = dev->dev_private;
1823         u32 ier;
1824         int ret = 0;
1825
1826         BUG_ON(seqno == 0);
1827
1828         if (atomic_read(&dev_priv->mm.wedged))
1829                 return -EIO;
1830
1831         if (!i915_seqno_passed(i915_get_gem_seqno(dev), seqno)) {
1832                 if (HAS_PCH_SPLIT(dev))
1833                         ier = I915_READ(DEIER) | I915_READ(GTIER);
1834                 else
1835                         ier = I915_READ(IER);
1836                 if (!ier) {
1837                         DRM_ERROR("something (likely vbetool) disabled "
1838                                   "interrupts, re-enabling\n");
1839                         i915_driver_irq_preinstall(dev);
1840                         i915_driver_irq_postinstall(dev);
1841                 }
1842
1843                 trace_i915_gem_request_wait_begin(dev, seqno);
1844
1845                 dev_priv->mm.waiting_gem_seqno = seqno;
1846                 i915_user_irq_get(dev);
1847                 if (interruptible)
1848                         ret = wait_event_interruptible(dev_priv->irq_queue,
1849                                 i915_seqno_passed(i915_get_gem_seqno(dev), seqno) ||
1850                                 atomic_read(&dev_priv->mm.wedged));
1851                 else
1852                         wait_event(dev_priv->irq_queue,
1853                                 i915_seqno_passed(i915_get_gem_seqno(dev), seqno) ||
1854                                 atomic_read(&dev_priv->mm.wedged));
1855
1856                 i915_user_irq_put(dev);
1857                 dev_priv->mm.waiting_gem_seqno = 0;
1858
1859                 trace_i915_gem_request_wait_end(dev, seqno);
1860         }
1861         if (atomic_read(&dev_priv->mm.wedged))
1862                 ret = -EIO;
1863
1864         if (ret && ret != -ERESTARTSYS)
1865                 DRM_ERROR("%s returns %d (awaiting %d at %d)\n",
1866                           __func__, ret, seqno, i915_get_gem_seqno(dev));
1867
1868         /* Directly dispatch request retiring.  While we have the work queue
1869          * to handle this, the waiter on a request often wants an associated
1870          * buffer to have made it to the inactive list, and we would need
1871          * a separate wait queue to handle that.
1872          */
1873         if (ret == 0)
1874                 i915_gem_retire_requests(dev);
1875
1876         return ret;
1877 }
1878
1879 /**
1880  * Waits for a sequence number to be signaled, and cleans up the
1881  * request and object lists appropriately for that event.
1882  */
1883 static int
1884 i915_wait_request(struct drm_device *dev, uint32_t seqno)
1885 {
1886         return i915_do_wait_request(dev, seqno, 1);
1887 }
1888
1889 static void
1890 i915_gem_flush(struct drm_device *dev,
1891                uint32_t invalidate_domains,
1892                uint32_t flush_domains)
1893 {
1894         drm_i915_private_t *dev_priv = dev->dev_private;
1895         uint32_t cmd;
1896         RING_LOCALS;
1897
1898 #if WATCH_EXEC
1899         DRM_INFO("%s: invalidate %08x flush %08x\n", __func__,
1900                   invalidate_domains, flush_domains);
1901 #endif
1902         trace_i915_gem_request_flush(dev, dev_priv->mm.next_gem_seqno,
1903                                      invalidate_domains, flush_domains);
1904
1905         if (flush_domains & I915_GEM_DOMAIN_CPU)
1906                 drm_agp_chipset_flush(dev);
1907
1908         if ((invalidate_domains | flush_domains) & I915_GEM_GPU_DOMAINS) {
1909                 /*
1910                  * read/write caches:
1911                  *
1912                  * I915_GEM_DOMAIN_RENDER is always invalidated, but is
1913                  * only flushed if MI_NO_WRITE_FLUSH is unset.  On 965, it is
1914                  * also flushed at 2d versus 3d pipeline switches.
1915                  *
1916                  * read-only caches:
1917                  *
1918                  * I915_GEM_DOMAIN_SAMPLER is flushed on pre-965 if
1919                  * MI_READ_FLUSH is set, and is always flushed on 965.
1920                  *
1921                  * I915_GEM_DOMAIN_COMMAND may not exist?
1922                  *
1923                  * I915_GEM_DOMAIN_INSTRUCTION, which exists on 965, is
1924                  * invalidated when MI_EXE_FLUSH is set.
1925                  *
1926                  * I915_GEM_DOMAIN_VERTEX, which exists on 965, is
1927                  * invalidated with every MI_FLUSH.
1928                  *
1929                  * TLBs:
1930                  *
1931                  * On 965, TLBs associated with I915_GEM_DOMAIN_COMMAND
1932                  * and I915_GEM_DOMAIN_CPU in are invalidated at PTE write and
1933                  * I915_GEM_DOMAIN_RENDER and I915_GEM_DOMAIN_SAMPLER
1934                  * are flushed at any MI_FLUSH.
1935                  */
1936
1937                 cmd = MI_FLUSH | MI_NO_WRITE_FLUSH;
1938                 if ((invalidate_domains|flush_domains) &
1939                     I915_GEM_DOMAIN_RENDER)
1940                         cmd &= ~MI_NO_WRITE_FLUSH;
1941                 if (!IS_I965G(dev)) {
1942                         /*
1943                          * On the 965, the sampler cache always gets flushed
1944                          * and this bit is reserved.
1945                          */
1946                         if (invalidate_domains & I915_GEM_DOMAIN_SAMPLER)
1947                                 cmd |= MI_READ_FLUSH;
1948                 }
1949                 if (invalidate_domains & I915_GEM_DOMAIN_INSTRUCTION)
1950                         cmd |= MI_EXE_FLUSH;
1951
1952 #if WATCH_EXEC
1953                 DRM_INFO("%s: queue flush %08x to ring\n", __func__, cmd);
1954 #endif
1955                 BEGIN_LP_RING(2);
1956                 OUT_RING(cmd);
1957                 OUT_RING(MI_NOOP);
1958                 ADVANCE_LP_RING();
1959         }
1960 }
1961
1962 /**
1963  * Ensures that all rendering to the object has completed and the object is
1964  * safe to unbind from the GTT or access from the CPU.
1965  */
1966 static int
1967 i915_gem_object_wait_rendering(struct drm_gem_object *obj)
1968 {
1969         struct drm_device *dev = obj->dev;
1970         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1971         int ret;
1972
1973         /* This function only exists to support waiting for existing rendering,
1974          * not for emitting required flushes.
1975          */
1976         BUG_ON((obj->write_domain & I915_GEM_GPU_DOMAINS) != 0);
1977
1978         /* If there is rendering queued on the buffer being evicted, wait for
1979          * it.
1980          */
1981         if (obj_priv->active) {
1982 #if WATCH_BUF
1983                 DRM_INFO("%s: object %p wait for seqno %08x\n",
1984                           __func__, obj, obj_priv->last_rendering_seqno);
1985 #endif
1986                 ret = i915_wait_request(dev, obj_priv->last_rendering_seqno);
1987                 if (ret != 0)
1988                         return ret;
1989         }
1990
1991         return 0;
1992 }
1993
1994 /**
1995  * Unbinds an object from the GTT aperture.
1996  */
1997 int
1998 i915_gem_object_unbind(struct drm_gem_object *obj)
1999 {
2000         struct drm_device *dev = obj->dev;
2001         drm_i915_private_t *dev_priv = dev->dev_private;
2002         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2003         int ret = 0;
2004
2005 #if WATCH_BUF
2006         DRM_INFO("%s:%d %p\n", __func__, __LINE__, obj);
2007         DRM_INFO("gtt_space %p\n", obj_priv->gtt_space);
2008 #endif
2009         if (obj_priv->gtt_space == NULL)
2010                 return 0;
2011
2012         if (obj_priv->pin_count != 0) {
2013                 DRM_ERROR("Attempting to unbind pinned buffer\n");
2014                 return -EINVAL;
2015         }
2016
2017         /* blow away mappings if mapped through GTT */
2018         i915_gem_release_mmap(obj);
2019
2020         /* Move the object to the CPU domain to ensure that
2021          * any possible CPU writes while it's not in the GTT
2022          * are flushed when we go to remap it. This will
2023          * also ensure that all pending GPU writes are finished
2024          * before we unbind.
2025          */
2026         ret = i915_gem_object_set_to_cpu_domain(obj, 1);
2027         if (ret) {
2028                 if (ret != -ERESTARTSYS)
2029                         DRM_ERROR("set_domain failed: %d\n", ret);
2030                 return ret;
2031         }
2032
2033         BUG_ON(obj_priv->active);
2034
2035         /* release the fence reg _after_ flushing */
2036         if (obj_priv->fence_reg != I915_FENCE_REG_NONE)
2037                 i915_gem_clear_fence_reg(obj);
2038
2039         if (obj_priv->agp_mem != NULL) {
2040                 drm_unbind_agp(obj_priv->agp_mem);
2041                 drm_free_agp(obj_priv->agp_mem, obj->size / PAGE_SIZE);
2042                 obj_priv->agp_mem = NULL;
2043         }
2044
2045         i915_gem_object_put_pages(obj);
2046         BUG_ON(obj_priv->pages_refcount);
2047
2048         if (obj_priv->gtt_space) {
2049                 atomic_dec(&dev->gtt_count);
2050                 atomic_sub(obj->size, &dev->gtt_memory);
2051
2052                 drm_mm_put_block(obj_priv->gtt_space);
2053                 obj_priv->gtt_space = NULL;
2054         }
2055
2056         /* Remove ourselves from the LRU list if present. */
2057         spin_lock(&dev_priv->mm.active_list_lock);
2058         if (!list_empty(&obj_priv->list))
2059                 list_del_init(&obj_priv->list);
2060         spin_unlock(&dev_priv->mm.active_list_lock);
2061
2062         if (i915_gem_object_is_purgeable(obj_priv))
2063                 i915_gem_object_truncate(obj);
2064
2065         trace_i915_gem_object_unbind(obj);
2066
2067         return 0;
2068 }
2069
2070 static struct drm_gem_object *
2071 i915_gem_find_inactive_object(struct drm_device *dev, int min_size)
2072 {
2073         drm_i915_private_t *dev_priv = dev->dev_private;
2074         struct drm_i915_gem_object *obj_priv;
2075         struct drm_gem_object *best = NULL;
2076         struct drm_gem_object *first = NULL;
2077
2078         /* Try to find the smallest clean object */
2079         list_for_each_entry(obj_priv, &dev_priv->mm.inactive_list, list) {
2080                 struct drm_gem_object *obj = obj_priv->obj;
2081                 if (obj->size >= min_size) {
2082                         if ((!obj_priv->dirty ||
2083                              i915_gem_object_is_purgeable(obj_priv)) &&
2084                             (!best || obj->size < best->size)) {
2085                                 best = obj;
2086                                 if (best->size == min_size)
2087                                         return best;
2088                         }
2089                         if (!first)
2090                             first = obj;
2091                 }
2092         }
2093
2094         return best ? best : first;
2095 }
2096
2097 static int
2098 i915_gpu_idle(struct drm_device *dev)
2099 {
2100         drm_i915_private_t *dev_priv = dev->dev_private;
2101         bool lists_empty;
2102         uint32_t seqno;
2103
2104         spin_lock(&dev_priv->mm.active_list_lock);
2105         lists_empty = list_empty(&dev_priv->mm.flushing_list) &&
2106                       list_empty(&dev_priv->mm.active_list);
2107         spin_unlock(&dev_priv->mm.active_list_lock);
2108
2109         if (lists_empty)
2110                 return 0;
2111
2112         /* Flush everything onto the inactive list. */
2113         i915_gem_flush(dev, I915_GEM_GPU_DOMAINS, I915_GEM_GPU_DOMAINS);
2114         seqno = i915_add_request(dev, NULL, I915_GEM_GPU_DOMAINS);
2115         if (seqno == 0)
2116                 return -ENOMEM;
2117
2118         return i915_wait_request(dev, seqno);
2119 }
2120
2121 static int
2122 i915_gem_evict_everything(struct drm_device *dev)
2123 {
2124         drm_i915_private_t *dev_priv = dev->dev_private;
2125         int ret;
2126         bool lists_empty;
2127
2128         spin_lock(&dev_priv->mm.active_list_lock);
2129         lists_empty = (list_empty(&dev_priv->mm.inactive_list) &&
2130                        list_empty(&dev_priv->mm.flushing_list) &&
2131                        list_empty(&dev_priv->mm.active_list));
2132         spin_unlock(&dev_priv->mm.active_list_lock);
2133
2134         if (lists_empty)
2135                 return -ENOSPC;
2136
2137         /* Flush everything (on to the inactive lists) and evict */
2138         ret = i915_gpu_idle(dev);
2139         if (ret)
2140                 return ret;
2141
2142         BUG_ON(!list_empty(&dev_priv->mm.flushing_list));
2143
2144         ret = i915_gem_evict_from_inactive_list(dev);
2145         if (ret)
2146                 return ret;
2147
2148         spin_lock(&dev_priv->mm.active_list_lock);
2149         lists_empty = (list_empty(&dev_priv->mm.inactive_list) &&
2150                        list_empty(&dev_priv->mm.flushing_list) &&
2151                        list_empty(&dev_priv->mm.active_list));
2152         spin_unlock(&dev_priv->mm.active_list_lock);
2153         BUG_ON(!lists_empty);
2154
2155         return 0;
2156 }
2157
2158 static int
2159 i915_gem_evict_something(struct drm_device *dev, int min_size)
2160 {
2161         drm_i915_private_t *dev_priv = dev->dev_private;
2162         struct drm_gem_object *obj;
2163         int ret;
2164
2165         for (;;) {
2166                 i915_gem_retire_requests(dev);
2167
2168                 /* If there's an inactive buffer available now, grab it
2169                  * and be done.
2170                  */
2171                 obj = i915_gem_find_inactive_object(dev, min_size);
2172                 if (obj) {
2173                         struct drm_i915_gem_object *obj_priv;
2174
2175 #if WATCH_LRU
2176                         DRM_INFO("%s: evicting %p\n", __func__, obj);
2177 #endif
2178                         obj_priv = obj->driver_private;
2179                         BUG_ON(obj_priv->pin_count != 0);
2180                         BUG_ON(obj_priv->active);
2181
2182                         /* Wait on the rendering and unbind the buffer. */
2183                         return i915_gem_object_unbind(obj);
2184                 }
2185
2186                 /* If we didn't get anything, but the ring is still processing
2187                  * things, wait for the next to finish and hopefully leave us
2188                  * a buffer to evict.
2189                  */
2190                 if (!list_empty(&dev_priv->mm.request_list)) {
2191                         struct drm_i915_gem_request *request;
2192
2193                         request = list_first_entry(&dev_priv->mm.request_list,
2194                                                    struct drm_i915_gem_request,
2195                                                    list);
2196
2197                         ret = i915_wait_request(dev, request->seqno);
2198                         if (ret)
2199                                 return ret;
2200
2201                         continue;
2202                 }
2203
2204                 /* If we didn't have anything on the request list but there
2205                  * are buffers awaiting a flush, emit one and try again.
2206                  * When we wait on it, those buffers waiting for that flush
2207                  * will get moved to inactive.
2208                  */
2209                 if (!list_empty(&dev_priv->mm.flushing_list)) {
2210                         struct drm_i915_gem_object *obj_priv;
2211
2212                         /* Find an object that we can immediately reuse */
2213                         list_for_each_entry(obj_priv, &dev_priv->mm.flushing_list, list) {
2214                                 obj = obj_priv->obj;
2215                                 if (obj->size >= min_size)
2216                                         break;
2217
2218                                 obj = NULL;
2219                         }
2220
2221                         if (obj != NULL) {
2222                                 uint32_t seqno;
2223
2224                                 i915_gem_flush(dev,
2225                                                obj->write_domain,
2226                                                obj->write_domain);
2227                                 seqno = i915_add_request(dev, NULL, obj->write_domain);
2228                                 if (seqno == 0)
2229                                         return -ENOMEM;
2230
2231                                 ret = i915_wait_request(dev, seqno);
2232                                 if (ret)
2233                                         return ret;
2234
2235                                 continue;
2236                         }
2237                 }
2238
2239                 /* If we didn't do any of the above, there's no single buffer
2240                  * large enough to swap out for the new one, so just evict
2241                  * everything and start again. (This should be rare.)
2242                  */
2243                 if (!list_empty (&dev_priv->mm.inactive_list))
2244                         return i915_gem_evict_from_inactive_list(dev);
2245                 else
2246                         return i915_gem_evict_everything(dev);
2247         }
2248 }
2249
2250 int
2251 i915_gem_object_get_pages(struct drm_gem_object *obj,
2252                           gfp_t gfpmask)
2253 {
2254         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2255         int page_count, i;
2256         struct address_space *mapping;
2257         struct inode *inode;
2258         struct page *page;
2259         int ret;
2260
2261         if (obj_priv->pages_refcount++ != 0)
2262                 return 0;
2263
2264         /* Get the list of pages out of our struct file.  They'll be pinned
2265          * at this point until we release them.
2266          */
2267         page_count = obj->size / PAGE_SIZE;
2268         BUG_ON(obj_priv->pages != NULL);
2269         obj_priv->pages = drm_calloc_large(page_count, sizeof(struct page *));
2270         if (obj_priv->pages == NULL) {
2271                 obj_priv->pages_refcount--;
2272                 return -ENOMEM;
2273         }
2274
2275         inode = obj->filp->f_path.dentry->d_inode;
2276         mapping = inode->i_mapping;
2277         for (i = 0; i < page_count; i++) {
2278                 page = read_cache_page_gfp(mapping, i,
2279                                            mapping_gfp_mask (mapping) |
2280                                            __GFP_COLD |
2281                                            gfpmask);
2282                 if (IS_ERR(page)) {
2283                         ret = PTR_ERR(page);
2284                         i915_gem_object_put_pages(obj);
2285                         return ret;
2286                 }
2287                 obj_priv->pages[i] = page;
2288         }
2289
2290         if (obj_priv->tiling_mode != I915_TILING_NONE)
2291                 i915_gem_object_do_bit_17_swizzle(obj);
2292
2293         return 0;
2294 }
2295
2296 static void sandybridge_write_fence_reg(struct drm_i915_fence_reg *reg)
2297 {
2298         struct drm_gem_object *obj = reg->obj;
2299         struct drm_device *dev = obj->dev;
2300         drm_i915_private_t *dev_priv = dev->dev_private;
2301         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2302         int regnum = obj_priv->fence_reg;
2303         uint64_t val;
2304
2305         val = (uint64_t)((obj_priv->gtt_offset + obj->size - 4096) &
2306                     0xfffff000) << 32;
2307         val |= obj_priv->gtt_offset & 0xfffff000;
2308         val |= (uint64_t)((obj_priv->stride / 128) - 1) <<
2309                 SANDYBRIDGE_FENCE_PITCH_SHIFT;
2310
2311         if (obj_priv->tiling_mode == I915_TILING_Y)
2312                 val |= 1 << I965_FENCE_TILING_Y_SHIFT;
2313         val |= I965_FENCE_REG_VALID;
2314
2315         I915_WRITE64(FENCE_REG_SANDYBRIDGE_0 + (regnum * 8), val);
2316 }
2317
2318 static void i965_write_fence_reg(struct drm_i915_fence_reg *reg)
2319 {
2320         struct drm_gem_object *obj = reg->obj;
2321         struct drm_device *dev = obj->dev;
2322         drm_i915_private_t *dev_priv = dev->dev_private;
2323         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2324         int regnum = obj_priv->fence_reg;
2325         uint64_t val;
2326
2327         val = (uint64_t)((obj_priv->gtt_offset + obj->size - 4096) &
2328                     0xfffff000) << 32;
2329         val |= obj_priv->gtt_offset & 0xfffff000;
2330         val |= ((obj_priv->stride / 128) - 1) << I965_FENCE_PITCH_SHIFT;
2331         if (obj_priv->tiling_mode == I915_TILING_Y)
2332                 val |= 1 << I965_FENCE_TILING_Y_SHIFT;
2333         val |= I965_FENCE_REG_VALID;
2334
2335         I915_WRITE64(FENCE_REG_965_0 + (regnum * 8), val);
2336 }
2337
2338 static void i915_write_fence_reg(struct drm_i915_fence_reg *reg)
2339 {
2340         struct drm_gem_object *obj = reg->obj;
2341         struct drm_device *dev = obj->dev;
2342         drm_i915_private_t *dev_priv = dev->dev_private;
2343         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2344         int regnum = obj_priv->fence_reg;
2345         int tile_width;
2346         uint32_t fence_reg, val;
2347         uint32_t pitch_val;
2348
2349         if ((obj_priv->gtt_offset & ~I915_FENCE_START_MASK) ||
2350             (obj_priv->gtt_offset & (obj->size - 1))) {
2351                 WARN(1, "%s: object 0x%08x not 1M or size (0x%zx) aligned\n",
2352                      __func__, obj_priv->gtt_offset, obj->size);
2353                 return;
2354         }
2355
2356         if (obj_priv->tiling_mode == I915_TILING_Y &&
2357             HAS_128_BYTE_Y_TILING(dev))
2358                 tile_width = 128;
2359         else
2360                 tile_width = 512;
2361
2362         /* Note: pitch better be a power of two tile widths */
2363         pitch_val = obj_priv->stride / tile_width;
2364         pitch_val = ffs(pitch_val) - 1;
2365
2366         val = obj_priv->gtt_offset;
2367         if (obj_priv->tiling_mode == I915_TILING_Y)
2368                 val |= 1 << I830_FENCE_TILING_Y_SHIFT;
2369         val |= I915_FENCE_SIZE_BITS(obj->size);
2370         val |= pitch_val << I830_FENCE_PITCH_SHIFT;
2371         val |= I830_FENCE_REG_VALID;
2372
2373         if (regnum < 8)
2374                 fence_reg = FENCE_REG_830_0 + (regnum * 4);
2375         else
2376                 fence_reg = FENCE_REG_945_8 + ((regnum - 8) * 4);
2377         I915_WRITE(fence_reg, val);
2378 }
2379
2380 static void i830_write_fence_reg(struct drm_i915_fence_reg *reg)
2381 {
2382         struct drm_gem_object *obj = reg->obj;
2383         struct drm_device *dev = obj->dev;
2384         drm_i915_private_t *dev_priv = dev->dev_private;
2385         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2386         int regnum = obj_priv->fence_reg;
2387         uint32_t val;
2388         uint32_t pitch_val;
2389         uint32_t fence_size_bits;
2390
2391         if ((obj_priv->gtt_offset & ~I830_FENCE_START_MASK) ||
2392             (obj_priv->gtt_offset & (obj->size - 1))) {
2393                 WARN(1, "%s: object 0x%08x not 512K or size aligned\n",
2394                      __func__, obj_priv->gtt_offset);
2395                 return;
2396         }
2397
2398         pitch_val = obj_priv->stride / 128;
2399         pitch_val = ffs(pitch_val) - 1;
2400         WARN_ON(pitch_val > I830_FENCE_MAX_PITCH_VAL);
2401
2402         val = obj_priv->gtt_offset;
2403         if (obj_priv->tiling_mode == I915_TILING_Y)
2404                 val |= 1 << I830_FENCE_TILING_Y_SHIFT;
2405         fence_size_bits = I830_FENCE_SIZE_BITS(obj->size);
2406         WARN_ON(fence_size_bits & ~0x00000f00);
2407         val |= fence_size_bits;
2408         val |= pitch_val << I830_FENCE_PITCH_SHIFT;
2409         val |= I830_FENCE_REG_VALID;
2410
2411         I915_WRITE(FENCE_REG_830_0 + (regnum * 4), val);
2412 }
2413
2414 static int i915_find_fence_reg(struct drm_device *dev)
2415 {
2416         struct drm_i915_fence_reg *reg = NULL;
2417         struct drm_i915_gem_object *obj_priv = NULL;
2418         struct drm_i915_private *dev_priv = dev->dev_private;
2419         struct drm_gem_object *obj = NULL;
2420         int i, avail, ret;
2421
2422         /* First try to find a free reg */
2423         avail = 0;
2424         for (i = dev_priv->fence_reg_start; i < dev_priv->num_fence_regs; i++) {
2425                 reg = &dev_priv->fence_regs[i];
2426                 if (!reg->obj)
2427                         return i;
2428
2429                 obj_priv = reg->obj->driver_private;
2430                 if (!obj_priv->pin_count)
2431                     avail++;
2432         }
2433
2434         if (avail == 0)
2435                 return -ENOSPC;
2436
2437         /* None available, try to steal one or wait for a user to finish */
2438         i = I915_FENCE_REG_NONE;
2439         list_for_each_entry(obj_priv, &dev_priv->mm.fence_list,
2440                             fence_list) {
2441                 obj = obj_priv->obj;
2442
2443                 if (obj_priv->pin_count)
2444                         continue;
2445
2446                 /* found one! */
2447                 i = obj_priv->fence_reg;
2448                 break;
2449         }
2450
2451         BUG_ON(i == I915_FENCE_REG_NONE);
2452
2453         /* We only have a reference on obj from the active list. put_fence_reg
2454          * might drop that one, causing a use-after-free in it. So hold a
2455          * private reference to obj like the other callers of put_fence_reg
2456          * (set_tiling ioctl) do. */
2457         drm_gem_object_reference(obj);
2458         ret = i915_gem_object_put_fence_reg(obj);
2459         drm_gem_object_unreference(obj);
2460         if (ret != 0)
2461                 return ret;
2462
2463         return i;
2464 }
2465
2466 /**
2467  * i915_gem_object_get_fence_reg - set up a fence reg for an object
2468  * @obj: object to map through a fence reg
2469  *
2470  * When mapping objects through the GTT, userspace wants to be able to write
2471  * to them without having to worry about swizzling if the object is tiled.
2472  *
2473  * This function walks the fence regs looking for a free one for @obj,
2474  * stealing one if it can't find any.
2475  *
2476  * It then sets up the reg based on the object's properties: address, pitch
2477  * and tiling format.
2478  */
2479 int
2480 i915_gem_object_get_fence_reg(struct drm_gem_object *obj)
2481 {
2482         struct drm_device *dev = obj->dev;
2483         struct drm_i915_private *dev_priv = dev->dev_private;