Skip to content

Commit 9d78f02

Browse files
robclarkrobclark
committed
drm/msm/a6xx+: Don't let IB_SIZE overflow
IB_SIZE is only b0..b19. Starting with a6xx gen3, additional fields were added above the IB_SIZE. Accidentially setting them can cause badness. Fix this by properly defining the CP_INDIRECT_BUFFER packet and using the generated builder macro to ensure unintended bits are not set. v2: add missing type attribute for IB_BASE v3: fix offset attribute in xml Reported-by: Connor Abbott <[email protected]> Fixes: a83366e ("drm/msm/a6xx: add A640/A650 to gpulist") Signed-off-by: Rob Clark <[email protected]> Patchwork: https://patchwork.freedesktop.org/patch/643396/
1 parent ddfa00a commit 9d78f02

File tree

2 files changed

+11
-4
lines changed

2 files changed

+11
-4
lines changed

drivers/gpu/drm/msm/adreno/a6xx_gpu.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -242,10 +242,10 @@ static void a6xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit)
242242
break;
243243
fallthrough;
244244
case MSM_SUBMIT_CMD_BUF:
245-
OUT_PKT7(ring, CP_INDIRECT_BUFFER_PFE, 3);
245+
OUT_PKT7(ring, CP_INDIRECT_BUFFER, 3);
246246
OUT_RING(ring, lower_32_bits(submit->cmd[i].iova));
247247
OUT_RING(ring, upper_32_bits(submit->cmd[i].iova));
248-
OUT_RING(ring, submit->cmd[i].size);
248+
OUT_RING(ring, A5XX_CP_INDIRECT_BUFFER_2_IB_SIZE(submit->cmd[i].size));
249249
ibs++;
250250
break;
251251
}
@@ -377,10 +377,10 @@ static void a7xx_submit(struct msm_gpu *gpu, struct msm_gem_submit *submit)
377377
break;
378378
fallthrough;
379379
case MSM_SUBMIT_CMD_BUF:
380-
OUT_PKT7(ring, CP_INDIRECT_BUFFER_PFE, 3);
380+
OUT_PKT7(ring, CP_INDIRECT_BUFFER, 3);
381381
OUT_RING(ring, lower_32_bits(submit->cmd[i].iova));
382382
OUT_RING(ring, upper_32_bits(submit->cmd[i].iova));
383-
OUT_RING(ring, submit->cmd[i].size);
383+
OUT_RING(ring, A5XX_CP_INDIRECT_BUFFER_2_IB_SIZE(submit->cmd[i].size));
384384
ibs++;
385385
break;
386386
}

drivers/gpu/drm/msm/registers/adreno/adreno_pm4.xml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2259,5 +2259,12 @@ opcode: CP_LOAD_STATE4 (30) (4 dwords)
22592259
</reg32>
22602260
</domain>
22612261

2262+
<domain name="CP_INDIRECT_BUFFER" width="32" varset="chip" prefix="chip" variants="A5XX-">
2263+
<reg64 offset="0" name="IB_BASE" type="address"/>
2264+
<reg32 offset="2" name="2">
2265+
<bitfield name="IB_SIZE" low="0" high="19"/>
2266+
</reg32>
2267+
</domain>
2268+
22622269
</database>
22632270

0 commit comments

Comments
 (0)