drivers/gpu/drm/i915/i915_cmd_parser.c - maze/linux - Git at Google

 /*
  * Copyright © 2013 Intel Corporation
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
  * to deal in the Software without restriction, including without limitation
  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
  * and/or sell copies of the Software, and to permit persons to whom the
  * Software is furnished to do so, subject to the following conditions:
  *
  * The above copyright notice and this permission notice (including the next
  * paragraph) shall be included in all copies or substantial portions of the
  * Software.
  *
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
  * IN THE SOFTWARE.
  *
  * Authors:
  *    Brad Volkin <bradley.d.volkin@intel.com>
  *
  */

 #include "i915_drv.h"

 /**
  * DOC: i915 batch buffer command parser
  *
  * Motivation:
  * Certain OpenGL features (e.g. transform feedback, performance monitoring)
  * require userspace code to submit batches containing commands such as
  * MI_LOAD_REGISTER_IMM to access various registers. Unfortunately, some
  * generations of the hardware will noop these commands in "unsecure" batches
  * (which includes all userspace batches submitted via i915) even though the
  * commands may be safe and represent the intended programming model of the
  * device.
  *
  * The software command parser is similar in operation to the command parsing
  * done in hardware for unsecure batches. However, the software parser allows
  * some operations that would be noop'd by hardware, if the parser determines
  * the operation is safe, and submits the batch as "secure" to prevent hardware
  * parsing.
  *
  * Threats:
  * At a high level, the hardware (and software) checks attempt to prevent
  * granting userspace undue privileges. There are three categories of privilege.
  *
  * First, commands which are explicitly defined as privileged or which should
  * only be used by the kernel driver. The parser generally rejects such
  * commands, though it may allow some from the drm master process.
  *
  * Second, commands which access registers. To support correct/enhanced
  * userspace functionality, particularly certain OpenGL extensions, the parser
  * provides a whitelist of registers which userspace may safely access (for both
  * normal and drm master processes).
  *
  * Third, commands which access privileged memory (i.e. GGTT, HWS page, etc).
  * The parser always rejects such commands.
  *
  * The majority of the problematic commands fall in the MI_* range, with only a
  * few specific commands on each ring (e.g. PIPE_CONTROL and MI_FLUSH_DW).
  *
  * Implementation:
  * Each ring maintains tables of commands and registers which the parser uses in
  * scanning batch buffers submitted to that ring.
  *
  * Since the set of commands that the parser must check for is significantly
  * smaller than the number of commands supported, the parser tables contain only
  * those commands required by the parser. This generally works because command
  * opcode ranges have standard command length encodings. So for commands that
  * the parser does not need to check, it can easily skip them. This is
  * implementated via a per-ring length decoding vfunc.
  *
  * Unfortunately, there are a number of commands that do not follow the standard
  * length encoding for their opcode range, primarily amongst the MI_* commands.
  * To handle this, the parser provides a way to define explicit "skip" entries
  * in the per-ring command tables.
  *
  * Other command table entries map fairly directly to high level categories
  * mentioned above: rejected, master-only, register whitelist. The parser
  * implements a number of checks, including the privileged memory checks, via a
  * general bitmasking mechanism.
  */

 static u32 gen7_render_get_cmd_length_mask(u32 cmd_header)
 {
 	u32 client = (cmd_header & INSTR_CLIENT_MASK) >> INSTR_CLIENT_SHIFT;
 	u32 subclient =
 		(cmd_header & INSTR_SUBCLIENT_MASK) >> INSTR_SUBCLIENT_SHIFT;

 	if (client == INSTR_MI_CLIENT)
 		return 0x3F;
 	else if (client == INSTR_RC_CLIENT) {
 		if (subclient == INSTR_MEDIA_SUBCLIENT)
 			return 0xFFFF;
 		else
 			return 0xFF;
 	}

 	DRM_DEBUG_DRIVER("CMD: Abnormal rcs cmd length! 0x%08X\n", cmd_header);
 	return 0;
 }

 static u32 gen7_bsd_get_cmd_length_mask(u32 cmd_header)
 {
 	u32 client = (cmd_header & INSTR_CLIENT_MASK) >> INSTR_CLIENT_SHIFT;
 	u32 subclient =
 		(cmd_header & INSTR_SUBCLIENT_MASK) >> INSTR_SUBCLIENT_SHIFT;

 	if (client == INSTR_MI_CLIENT)
 		return 0x3F;
 	else if (client == INSTR_RC_CLIENT) {
 		if (subclient == INSTR_MEDIA_SUBCLIENT)
 			return 0xFFF;
 		else
 			return 0xFF;
 	}

 	DRM_DEBUG_DRIVER("CMD: Abnormal bsd cmd length! 0x%08X\n", cmd_header);
 	return 0;
 }

 static u32 gen7_blt_get_cmd_length_mask(u32 cmd_header)
 {
 	u32 client = (cmd_header & INSTR_CLIENT_MASK) >> INSTR_CLIENT_SHIFT;

 	if (client == INSTR_MI_CLIENT)
 		return 0x3F;
 	else if (client == INSTR_BC_CLIENT)
 		return 0xFF;

 	DRM_DEBUG_DRIVER("CMD: Abnormal blt cmd length! 0x%08X\n", cmd_header);
 	return 0;
 }

 static void validate_cmds_sorted(struct intel_ring_buffer *ring)
 {
 	int i;

 	if (!ring->cmd_tables || ring->cmd_table_count == 0)
 		return;

 	for (i = 0; i < ring->cmd_table_count; i++) {
 		const struct drm_i915_cmd_table *table = &ring->cmd_tables[i];
 		u32 previous = 0;
 		int j;

 		for (j = 0; j < table->count; j++) {
 			const struct drm_i915_cmd_descriptor *desc =
 				&table->table[i];
 			u32 curr = desc->cmd.value & desc->cmd.mask;

 			if (curr < previous)
 				DRM_ERROR("CMD: table not sorted ring=%d table=%d entry=%d cmd=0x%08X prev=0x%08X\n",
 					  ring->id, i, j, curr, previous);

 			previous = curr;
 		}
 	}
 }

 static void check_sorted(int ring_id, const u32 *reg_table, int reg_count)
 {
 	int i;
 	u32 previous = 0;

 	for (i = 0; i < reg_count; i++) {
 		u32 curr = reg_table[i];

 		if (curr < previous)
 			DRM_ERROR("CMD: table not sorted ring=%d entry=%d reg=0x%08X prev=0x%08X\n",
 				  ring_id, i, curr, previous);

 		previous = curr;
 	}
 }

 static void validate_regs_sorted(struct intel_ring_buffer *ring)
 {
 	check_sorted(ring->id, ring->reg_table, ring->reg_count);
 	check_sorted(ring->id, ring->master_reg_table, ring->master_reg_count);
 }

 /**
  * i915_cmd_parser_init_ring() - set cmd parser related fields for a ringbuffer
  * @ring: the ringbuffer to initialize
  *
  * Optionally initializes fields related to batch buffer command parsing in the
  * struct intel_ring_buffer based on whether the platform requires software
  * command parsing.
  */
 void i915_cmd_parser_init_ring(struct intel_ring_buffer *ring)
 {
 	if (!IS_GEN7(ring->dev))
 		return;

 	switch (ring->id) {
 	case RCS:
 		ring->get_cmd_length_mask = gen7_render_get_cmd_length_mask;
 		break;
 	case VCS:
 		ring->get_cmd_length_mask = gen7_bsd_get_cmd_length_mask;
 		break;
 	case BCS:
 		ring->get_cmd_length_mask = gen7_blt_get_cmd_length_mask;
 		break;
 	case VECS:
 		/* VECS can use the same length_mask function as VCS */
 		ring->get_cmd_length_mask = gen7_bsd_get_cmd_length_mask;
 		break;
 	default:
 		DRM_ERROR("CMD: cmd_parser_init with unknown ring: %d\n",
 			  ring->id);
 		BUG();
 	}

 	validate_cmds_sorted(ring);
 	validate_regs_sorted(ring);
 }

 static const struct drm_i915_cmd_descriptor*
 find_cmd_in_table(const struct drm_i915_cmd_table *table,
 		  u32 cmd_header)
 {
 	int i;

 	for (i = 0; i < table->count; i++) {
 		const struct drm_i915_cmd_descriptor *desc = &table->table[i];
 		u32 masked_cmd = desc->cmd.mask & cmd_header;
 		u32 masked_value = desc->cmd.value & desc->cmd.mask;

 		if (masked_cmd == masked_value)
 			return desc;
 	}

 	return NULL;
 }

 /*
  * Returns a pointer to a descriptor for the command specified by cmd_header.
  *
  * The caller must supply space for a default descriptor via the default_desc
  * parameter. If no descriptor for the specified command exists in the ring's
  * command parser tables, this function fills in default_desc based on the
  * ring's default length encoding and returns default_desc.
  */
 static const struct drm_i915_cmd_descriptor*
 find_cmd(struct intel_ring_buffer *ring,
 	 u32 cmd_header,
 	 struct drm_i915_cmd_descriptor *default_desc)
 {
 	u32 mask;
 	int i;

 	for (i = 0; i < ring->cmd_table_count; i++) {
 		const struct drm_i915_cmd_descriptor *desc;

 		desc = find_cmd_in_table(&ring->cmd_tables[i], cmd_header);
 		if (desc)
 			return desc;
 	}

 	mask = ring->get_cmd_length_mask(cmd_header);
 	if (!mask)
 		return NULL;

 	BUG_ON(!default_desc);
 	default_desc->flags = CMD_DESC_SKIP;
 	default_desc->length.mask = mask;

 	return default_desc;
 }

 static bool valid_reg(const u32 *table, int count, u32 addr)
 {
 	if (table && count != 0) {
 		int i;

 		for (i = 0; i < count; i++) {
 			if (table[i] == addr)
 				return true;
 		}
 	}

 	return false;
 }

 static u32 *vmap_batch(struct drm_i915_gem_object *obj)
 {
 	int i;
 	void *addr = NULL;
 	struct sg_page_iter sg_iter;
 	struct page **pages;

 	pages = drm_malloc_ab(obj->base.size >> PAGE_SHIFT, sizeof(*pages));
 	if (pages == NULL) {
 		DRM_DEBUG_DRIVER("Failed to get space for pages\n");
 		goto finish;
 	}

 	i = 0;
 	for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, 0) {
 		pages[i] = sg_page_iter_page(&sg_iter);
 		i++;
 	}

 	addr = vmap(pages, i, 0, PAGE_KERNEL);
 	if (addr == NULL) {
 		DRM_DEBUG_DRIVER("Failed to vmap pages\n");
 		goto finish;
 	}

 finish:
 	if (pages)
 		drm_free_large(pages);
 	return (u32*)addr;
 }

 /**
  * i915_needs_cmd_parser() - should a given ring use software command parsing?
  * @ring: the ring in question
  *
  * Only certain platforms require software batch buffer command parsing, and
  * only when enabled via module paramter.
  *
  * Return: true if the ring requires software command parsing
  */
 bool i915_needs_cmd_parser(struct intel_ring_buffer *ring)
 {
 	/* No command tables indicates a platform without parsing */
 	if (!ring->cmd_tables)
 		return false;

 	return (i915.enable_cmd_parser == 1);
 }

 #define LENGTH_BIAS 2

 /**
  * i915_parse_cmds() - parse a submitted batch buffer for privilege violations
  * @ring: the ring on which the batch is to execute
  * @batch_obj: the batch buffer in question
  * @batch_start_offset: byte offset in the batch at which execution starts
  * @is_master: is the submitting process the drm master?
  *
  * Parses the specified batch buffer looking for privilege violations as
  * described in the overview.
  *
  * Return: non-zero if the parser finds violations or otherwise fails
  */
 int i915_parse_cmds(struct intel_ring_buffer *ring,
 		    struct drm_i915_gem_object *batch_obj,
 		    u32 batch_start_offset,
 		    bool is_master)
 {
 	int ret = 0;
 	u32 *cmd, *batch_base, *batch_end;
 	struct drm_i915_cmd_descriptor default_desc = { 0 };
 	int needs_clflush = 0;

 	ret = i915_gem_obj_prepare_shmem_read(batch_obj, &needs_clflush);
 	if (ret) {
 		DRM_DEBUG_DRIVER("CMD: failed to prep read\n");
 		return ret;
 	}

 	batch_base = vmap_batch(batch_obj);
 	if (!batch_base) {
 		DRM_DEBUG_DRIVER("CMD: Failed to vmap batch\n");
 		i915_gem_object_unpin_pages(batch_obj);
 		return -ENOMEM;
 	}

 	if (needs_clflush)
 		drm_clflush_virt_range((char *)batch_base, batch_obj->base.size);

 	cmd = batch_base + (batch_start_offset / sizeof(*cmd));
 	batch_end = cmd + (batch_obj->base.size / sizeof(*batch_end));

 	while (cmd < batch_end) {
 		const struct drm_i915_cmd_descriptor *desc;
 		u32 length;

 		if (*cmd == MI_BATCH_BUFFER_END)
 			break;

 		desc = find_cmd(ring, *cmd, &default_desc);
 		if (!desc) {
 			DRM_DEBUG_DRIVER("CMD: Unrecognized command: 0x%08X\n",
 					 *cmd);
 			ret = -EINVAL;
 			break;
 		}

 		if (desc->flags & CMD_DESC_FIXED)
 			length = desc->length.fixed;
 		else
 			length = ((*cmd & desc->length.mask) + LENGTH_BIAS);

 		if ((batch_end - cmd) < length) {
 			DRM_DEBUG_DRIVER("CMD: Command length exceeds batch length: 0x%08X length=%d batchlen=%td\n",
 					 *cmd,
 					 length,
 					 (unsigned long)(batch_end - cmd));
 			ret = -EINVAL;
 			break;
 		}

 		if (desc->flags & CMD_DESC_REJECT) {
 			DRM_DEBUG_DRIVER("CMD: Rejected command: 0x%08X\n", *cmd);
 			ret = -EINVAL;
 			break;
 		}

 		if ((desc->flags & CMD_DESC_MASTER) && !is_master) {
 			DRM_DEBUG_DRIVER("CMD: Rejected master-only command: 0x%08X\n",
 					 *cmd);
 			ret = -EINVAL;
 			break;
 		}

 		if (desc->flags & CMD_DESC_REGISTER) {
 			u32 reg_addr = cmd[desc->reg.offset] & desc->reg.mask;

 			if (!valid_reg(ring->reg_table,
 				       ring->reg_count, reg_addr)) {
 				if (!is_master ||
 				    !valid_reg(ring->master_reg_table,
 					       ring->master_reg_count,
 					       reg_addr)) {
 					DRM_DEBUG_DRIVER("CMD: Rejected register 0x%08X in command: 0x%08X (ring=%d)\n",
 							 reg_addr,
 							 *cmd,
 							 ring->id);
 					ret = -EINVAL;
 					break;
 				}
 			}
 		}

 		if (desc->flags & CMD_DESC_BITMASK) {
 			int i;

 			for (i = 0; i < MAX_CMD_DESC_BITMASKS; i++) {
 				u32 dword;

 				if (desc->bits[i].mask == 0)
 					break;

 				dword = cmd[desc->bits[i].offset] &
 					desc->bits[i].mask;

 				if (dword != desc->bits[i].expected) {
 					DRM_DEBUG_DRIVER("CMD: Rejected command 0x%08X for bitmask 0x%08X (exp=0x%08X act=0x%08X) (ring=%d)\n",
 							 *cmd,
 							 desc->bits[i].mask,
 							 desc->bits[i].expected,
 							 dword, ring->id);
 					ret = -EINVAL;
 					break;
 				}
 			}

 			if (ret)
 				break;
 		}

 		cmd += length;
 	}

 	if (cmd >= batch_end) {
 		DRM_DEBUG_DRIVER("CMD: Got to the end of the buffer w/o a BBE cmd!\n");
 		ret = -EINVAL;
 	}

 	vunmap(batch_base);

 	i915_gem_object_unpin_pages(batch_obj);

 	return ret;
 }
	/*
	* Copyright © 2013 Intel Corporation
	*
	* Permission is hereby granted, free of charge, to any person obtaining a
	* copy of this software and associated documentation files (the "Software"),
	* to deal in the Software without restriction, including without limitation
	* the rights to use, copy, modify, merge, publish, distribute, sublicense,
	* and/or sell copies of the Software, and to permit persons to whom the
	* Software is furnished to do so, subject to the following conditions:
	*
	* The above copyright notice and this permission notice (including the next
	* paragraph) shall be included in all copies or substantial portions of the
	* Software.
	*
	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
	* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
	* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
	* IN THE SOFTWARE.
	*
	* Authors:
	* Brad Volkin <bradley.d.volkin@intel.com>
	*
	*/

	#include "i915_drv.h"

	/**
	* DOC: i915 batch buffer command parser
	*
	* Motivation:
	* Certain OpenGL features (e.g. transform feedback, performance monitoring)
	* require userspace code to submit batches containing commands such as
	* MI_LOAD_REGISTER_IMM to access various registers. Unfortunately, some
	* generations of the hardware will noop these commands in "unsecure" batches
	* (which includes all userspace batches submitted via i915) even though the
	* commands may be safe and represent the intended programming model of the
	* device.
	*
	* The software command parser is similar in operation to the command parsing
	* done in hardware for unsecure batches. However, the software parser allows
	* some operations that would be noop'd by hardware, if the parser determines
	* the operation is safe, and submits the batch as "secure" to prevent hardware
	* parsing.
	*
	* Threats:
	* At a high level, the hardware (and software) checks attempt to prevent
	* granting userspace undue privileges. There are three categories of privilege.
	*
	* First, commands which are explicitly defined as privileged or which should
	* only be used by the kernel driver. The parser generally rejects such
	* commands, though it may allow some from the drm master process.
	*
	* Second, commands which access registers. To support correct/enhanced
	* userspace functionality, particularly certain OpenGL extensions, the parser
	* provides a whitelist of registers which userspace may safely access (for both
	* normal and drm master processes).
	*
	* Third, commands which access privileged memory (i.e. GGTT, HWS page, etc).
	* The parser always rejects such commands.
	*
	* The majority of the problematic commands fall in the MI_* range, with only a
	* few specific commands on each ring (e.g. PIPE_CONTROL and MI_FLUSH_DW).
	*
	* Implementation:
	* Each ring maintains tables of commands and registers which the parser uses in
	* scanning batch buffers submitted to that ring.
	*
	* Since the set of commands that the parser must check for is significantly
	* smaller than the number of commands supported, the parser tables contain only
	* those commands required by the parser. This generally works because command
	* opcode ranges have standard command length encodings. So for commands that
	* the parser does not need to check, it can easily skip them. This is
	* implementated via a per-ring length decoding vfunc.
	*
	* Unfortunately, there are a number of commands that do not follow the standard
	* length encoding for their opcode range, primarily amongst the MI_* commands.
	* To handle this, the parser provides a way to define explicit "skip" entries
	* in the per-ring command tables.
	*
	* Other command table entries map fairly directly to high level categories
	* mentioned above: rejected, master-only, register whitelist. The parser
	* implements a number of checks, including the privileged memory checks, via a
	* general bitmasking mechanism.
	*/

	static u32 gen7_render_get_cmd_length_mask(u32 cmd_header)
	{
	u32 client = (cmd_header & INSTR_CLIENT_MASK) >> INSTR_CLIENT_SHIFT;
	u32 subclient =
	(cmd_header & INSTR_SUBCLIENT_MASK) >> INSTR_SUBCLIENT_SHIFT;

	if (client == INSTR_MI_CLIENT)
	return 0x3F;
	else if (client == INSTR_RC_CLIENT) {
	if (subclient == INSTR_MEDIA_SUBCLIENT)
	return 0xFFFF;
	else
	return 0xFF;
	}

	DRM_DEBUG_DRIVER("CMD: Abnormal rcs cmd length! 0x%08X\n", cmd_header);
	return 0;
	}

	static u32 gen7_bsd_get_cmd_length_mask(u32 cmd_header)
	{
	u32 client = (cmd_header & INSTR_CLIENT_MASK) >> INSTR_CLIENT_SHIFT;
	u32 subclient =
	(cmd_header & INSTR_SUBCLIENT_MASK) >> INSTR_SUBCLIENT_SHIFT;

	if (client == INSTR_MI_CLIENT)
	return 0x3F;
	else if (client == INSTR_RC_CLIENT) {
	if (subclient == INSTR_MEDIA_SUBCLIENT)
	return 0xFFF;
	else
	return 0xFF;
	}

	DRM_DEBUG_DRIVER("CMD: Abnormal bsd cmd length! 0x%08X\n", cmd_header);
	return 0;
	}

	static u32 gen7_blt_get_cmd_length_mask(u32 cmd_header)
	{
	u32 client = (cmd_header & INSTR_CLIENT_MASK) >> INSTR_CLIENT_SHIFT;

	if (client == INSTR_MI_CLIENT)
	return 0x3F;
	else if (client == INSTR_BC_CLIENT)
	return 0xFF;

	DRM_DEBUG_DRIVER("CMD: Abnormal blt cmd length! 0x%08X\n", cmd_header);
	return 0;
	}

	static void validate_cmds_sorted(struct intel_ring_buffer *ring)
	{
	int i;

	if (!ring->cmd_tables \|\| ring->cmd_table_count == 0)
	return;

	for (i = 0; i < ring->cmd_table_count; i++) {
	const struct drm_i915_cmd_table *table = &ring->cmd_tables[i];
	u32 previous = 0;
	int j;

	for (j = 0; j < table->count; j++) {
	const struct drm_i915_cmd_descriptor *desc =
	&table->table[i];
	u32 curr = desc->cmd.value & desc->cmd.mask;

	if (curr < previous)
	DRM_ERROR("CMD: table not sorted ring=%d table=%d entry=%d cmd=0x%08X prev=0x%08X\n",
	ring->id, i, j, curr, previous);

	previous = curr;
	}
	}
	}

	static void check_sorted(int ring_id, const u32 *reg_table, int reg_count)
	{
	int i;
	u32 previous = 0;

	for (i = 0; i < reg_count; i++) {
	u32 curr = reg_table[i];

	if (curr < previous)
	DRM_ERROR("CMD: table not sorted ring=%d entry=%d reg=0x%08X prev=0x%08X\n",
	ring_id, i, curr, previous);

	previous = curr;
	}
	}

	static void validate_regs_sorted(struct intel_ring_buffer *ring)
	{
	check_sorted(ring->id, ring->reg_table, ring->reg_count);
	check_sorted(ring->id, ring->master_reg_table, ring->master_reg_count);
	}

	/**
	* i915_cmd_parser_init_ring() - set cmd parser related fields for a ringbuffer
	* @ring: the ringbuffer to initialize
	*
	* Optionally initializes fields related to batch buffer command parsing in the
	* struct intel_ring_buffer based on whether the platform requires software
	* command parsing.
	*/
	void i915_cmd_parser_init_ring(struct intel_ring_buffer *ring)
	{
	if (!IS_GEN7(ring->dev))
	return;

	switch (ring->id) {
	case RCS:
	ring->get_cmd_length_mask = gen7_render_get_cmd_length_mask;
	break;
	case VCS:
	ring->get_cmd_length_mask = gen7_bsd_get_cmd_length_mask;
	break;
	case BCS:
	ring->get_cmd_length_mask = gen7_blt_get_cmd_length_mask;
	break;
	case VECS:
	/* VECS can use the same length_mask function as VCS */
	ring->get_cmd_length_mask = gen7_bsd_get_cmd_length_mask;
	break;
	default:
	DRM_ERROR("CMD: cmd_parser_init with unknown ring: %d\n",
	ring->id);
	BUG();
	}

	validate_cmds_sorted(ring);
	validate_regs_sorted(ring);
	}

	static const struct drm_i915_cmd_descriptor*
	find_cmd_in_table(const struct drm_i915_cmd_table *table,
	u32 cmd_header)
	{
	int i;

	for (i = 0; i < table->count; i++) {
	const struct drm_i915_cmd_descriptor *desc = &table->table[i];
	u32 masked_cmd = desc->cmd.mask & cmd_header;
	u32 masked_value = desc->cmd.value & desc->cmd.mask;

	if (masked_cmd == masked_value)
	return desc;
	}

	return NULL;
	}

	/*
	* Returns a pointer to a descriptor for the command specified by cmd_header.
	*
	* The caller must supply space for a default descriptor via the default_desc
	* parameter. If no descriptor for the specified command exists in the ring's
	* command parser tables, this function fills in default_desc based on the
	* ring's default length encoding and returns default_desc.
	*/
	static const struct drm_i915_cmd_descriptor*
	find_cmd(struct intel_ring_buffer *ring,
	u32 cmd_header,
	struct drm_i915_cmd_descriptor *default_desc)
	{
	u32 mask;
	int i;

	for (i = 0; i < ring->cmd_table_count; i++) {
	const struct drm_i915_cmd_descriptor *desc;

	desc = find_cmd_in_table(&ring->cmd_tables[i], cmd_header);
	if (desc)
	return desc;
	}

	mask = ring->get_cmd_length_mask(cmd_header);
	if (!mask)
	return NULL;

	BUG_ON(!default_desc);
	default_desc->flags = CMD_DESC_SKIP;
	default_desc->length.mask = mask;

	return default_desc;
	}

	static bool valid_reg(const u32 *table, int count, u32 addr)
	{
	if (table && count != 0) {
	int i;

	for (i = 0; i < count; i++) {
	if (table[i] == addr)
	return true;
	}
	}

	return false;
	}

	static u32 vmap_batch(struct drm_i915_gem_object obj)
	{
	int i;
	void *addr = NULL;
	struct sg_page_iter sg_iter;
	struct page **pages;

	pages = drm_malloc_ab(obj->base.size >> PAGE_SHIFT, sizeof(*pages));
	if (pages == NULL) {
	DRM_DEBUG_DRIVER("Failed to get space for pages\n");
	goto finish;
	}

	i = 0;
	for_each_sg_page(obj->pages->sgl, &sg_iter, obj->pages->nents, 0) {
	pages[i] = sg_page_iter_page(&sg_iter);
	i++;
	}

	addr = vmap(pages, i, 0, PAGE_KERNEL);
	if (addr == NULL) {
	DRM_DEBUG_DRIVER("Failed to vmap pages\n");
	goto finish;
	}

	finish:
	if (pages)
	drm_free_large(pages);
	return (u32*)addr;
	}

	/**
	* i915_needs_cmd_parser() - should a given ring use software command parsing?
	* @ring: the ring in question
	*
	* Only certain platforms require software batch buffer command parsing, and
	* only when enabled via module paramter.
	*
	* Return: true if the ring requires software command parsing
	*/
	bool i915_needs_cmd_parser(struct intel_ring_buffer *ring)
	{
	/* No command tables indicates a platform without parsing */
	if (!ring->cmd_tables)
	return false;

	return (i915.enable_cmd_parser == 1);
	}

	#define LENGTH_BIAS 2

	/**
	* i915_parse_cmds() - parse a submitted batch buffer for privilege violations
	* @ring: the ring on which the batch is to execute
	* @batch_obj: the batch buffer in question
	* @batch_start_offset: byte offset in the batch at which execution starts
	* @is_master: is the submitting process the drm master?
	*
	* Parses the specified batch buffer looking for privilege violations as
	* described in the overview.
	*
	* Return: non-zero if the parser finds violations or otherwise fails
	*/
	int i915_parse_cmds(struct intel_ring_buffer *ring,
	struct drm_i915_gem_object *batch_obj,
	u32 batch_start_offset,
	bool is_master)
	{
	int ret = 0;
	u32 cmd, batch_base, *batch_end;
	struct drm_i915_cmd_descriptor default_desc = { 0 };
	int needs_clflush = 0;

	ret = i915_gem_obj_prepare_shmem_read(batch_obj, &needs_clflush);
	if (ret) {
	DRM_DEBUG_DRIVER("CMD: failed to prep read\n");
	return ret;
	}

	batch_base = vmap_batch(batch_obj);
	if (!batch_base) {
	DRM_DEBUG_DRIVER("CMD: Failed to vmap batch\n");
	i915_gem_object_unpin_pages(batch_obj);
	return -ENOMEM;
	}

	if (needs_clflush)
	drm_clflush_virt_range((char *)batch_base, batch_obj->base.size);

	cmd = batch_base + (batch_start_offset / sizeof(*cmd));
	batch_end = cmd + (batch_obj->base.size / sizeof(*batch_end));

	while (cmd < batch_end) {
	const struct drm_i915_cmd_descriptor *desc;
	u32 length;

	if (*cmd == MI_BATCH_BUFFER_END)
	break;

	desc = find_cmd(ring, *cmd, &default_desc);
	if (!desc) {
	DRM_DEBUG_DRIVER("CMD: Unrecognized command: 0x%08X\n",
	*cmd);
	ret = -EINVAL;
	break;
	}

	if (desc->flags & CMD_DESC_FIXED)
	length = desc->length.fixed;
	else
	length = ((*cmd & desc->length.mask) + LENGTH_BIAS);

	if ((batch_end - cmd) < length) {
	DRM_DEBUG_DRIVER("CMD: Command length exceeds batch length: 0x%08X length=%d batchlen=%td\n",
	*cmd,
	length,
	(unsigned long)(batch_end - cmd));
	ret = -EINVAL;
	break;
	}

	if (desc->flags & CMD_DESC_REJECT) {
	DRM_DEBUG_DRIVER("CMD: Rejected command: 0x%08X\n", *cmd);
	ret = -EINVAL;
	break;
	}

	if ((desc->flags & CMD_DESC_MASTER) && !is_master) {
	DRM_DEBUG_DRIVER("CMD: Rejected master-only command: 0x%08X\n",
	*cmd);
	ret = -EINVAL;
	break;
	}

	if (desc->flags & CMD_DESC_REGISTER) {
	u32 reg_addr = cmd[desc->reg.offset] & desc->reg.mask;

	if (!valid_reg(ring->reg_table,
	ring->reg_count, reg_addr)) {
	if (!is_master \|\|
	!valid_reg(ring->master_reg_table,
	ring->master_reg_count,
	reg_addr)) {
	DRM_DEBUG_DRIVER("CMD: Rejected register 0x%08X in command: 0x%08X (ring=%d)\n",
	reg_addr,
	*cmd,
	ring->id);
	ret = -EINVAL;
	break;
	}
	}
	}

	if (desc->flags & CMD_DESC_BITMASK) {
	int i;

	for (i = 0; i < MAX_CMD_DESC_BITMASKS; i++) {
	u32 dword;

	if (desc->bits[i].mask == 0)
	break;

	dword = cmd[desc->bits[i].offset] &
	desc->bits[i].mask;

	if (dword != desc->bits[i].expected) {
	DRM_DEBUG_DRIVER("CMD: Rejected command 0x%08X for bitmask 0x%08X (exp=0x%08X act=0x%08X) (ring=%d)\n",
	*cmd,
	desc->bits[i].mask,
	desc->bits[i].expected,
	dword, ring->id);
	ret = -EINVAL;
	break;
	}
	}

	if (ret)
	break;
	}

	cmd += length;
	}

	if (cmd >= batch_end) {
	DRM_DEBUG_DRIVER("CMD: Got to the end of the buffer w/o a BBE cmd!\n");
	ret = -EINVAL;
	}

	vunmap(batch_base);

	i915_gem_object_unpin_pages(batch_obj);

	return ret;
	}