drm/i915: initialize fence registers to zero when loading GEM
[linux-2.6] / drivers / gpu / drm / i915 / i915_gem.c
1 /*
2  * Copyright © 2008 Intel Corporation
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining a
5  * copy of this software and associated documentation files (the "Software"),
6  * to deal in the Software without restriction, including without limitation
7  * the rights to use, copy, modify, merge, publish, distribute, sublicense,
8  * and/or sell copies of the Software, and to permit persons to whom the
9  * Software is furnished to do so, subject to the following conditions:
10  *
11  * The above copyright notice and this permission notice (including the next
12  * paragraph) shall be included in all copies or substantial portions of the
13  * Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
18  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
21  * IN THE SOFTWARE.
22  *
23  * Authors:
24  *    Eric Anholt <eric@anholt.net>
25  *
26  */
27
28 #include "drmP.h"
29 #include "drm.h"
30 #include "i915_drm.h"
31 #include "i915_drv.h"
32 #include <linux/swap.h>
33 #include <linux/pci.h>
34
35 #define I915_GEM_GPU_DOMAINS    (~(I915_GEM_DOMAIN_CPU | I915_GEM_DOMAIN_GTT))
36
37 static void i915_gem_object_flush_gpu_write_domain(struct drm_gem_object *obj);
38 static void i915_gem_object_flush_gtt_write_domain(struct drm_gem_object *obj);
39 static void i915_gem_object_flush_cpu_write_domain(struct drm_gem_object *obj);
40 static int i915_gem_object_set_to_cpu_domain(struct drm_gem_object *obj,
41                                              int write);
42 static int i915_gem_object_set_cpu_read_domain_range(struct drm_gem_object *obj,
43                                                      uint64_t offset,
44                                                      uint64_t size);
45 static void i915_gem_object_set_to_full_cpu_read_domain(struct drm_gem_object *obj);
46 static int i915_gem_object_wait_rendering(struct drm_gem_object *obj);
47 static int i915_gem_object_bind_to_gtt(struct drm_gem_object *obj,
48                                            unsigned alignment);
49 static void i915_gem_clear_fence_reg(struct drm_gem_object *obj);
50 static int i915_gem_evict_something(struct drm_device *dev);
51 static int i915_gem_phys_pwrite(struct drm_device *dev, struct drm_gem_object *obj,
52                                 struct drm_i915_gem_pwrite *args,
53                                 struct drm_file *file_priv);
54
55 int i915_gem_do_init(struct drm_device *dev, unsigned long start,
56                      unsigned long end)
57 {
58         drm_i915_private_t *dev_priv = dev->dev_private;
59
60         if (start >= end ||
61             (start & (PAGE_SIZE - 1)) != 0 ||
62             (end & (PAGE_SIZE - 1)) != 0) {
63                 return -EINVAL;
64         }
65
66         drm_mm_init(&dev_priv->mm.gtt_space, start,
67                     end - start);
68
69         dev->gtt_total = (uint32_t) (end - start);
70
71         return 0;
72 }
73
74 int
75 i915_gem_init_ioctl(struct drm_device *dev, void *data,
76                     struct drm_file *file_priv)
77 {
78         struct drm_i915_gem_init *args = data;
79         int ret;
80
81         mutex_lock(&dev->struct_mutex);
82         ret = i915_gem_do_init(dev, args->gtt_start, args->gtt_end);
83         mutex_unlock(&dev->struct_mutex);
84
85         return ret;
86 }
87
88 int
89 i915_gem_get_aperture_ioctl(struct drm_device *dev, void *data,
90                             struct drm_file *file_priv)
91 {
92         struct drm_i915_gem_get_aperture *args = data;
93
94         if (!(dev->driver->driver_features & DRIVER_GEM))
95                 return -ENODEV;
96
97         args->aper_size = dev->gtt_total;
98         args->aper_available_size = (args->aper_size -
99                                      atomic_read(&dev->pin_memory));
100
101         return 0;
102 }
103
104
105 /**
106  * Creates a new mm object and returns a handle to it.
107  */
108 int
109 i915_gem_create_ioctl(struct drm_device *dev, void *data,
110                       struct drm_file *file_priv)
111 {
112         struct drm_i915_gem_create *args = data;
113         struct drm_gem_object *obj;
114         int handle, ret;
115
116         args->size = roundup(args->size, PAGE_SIZE);
117
118         /* Allocate the new object */
119         obj = drm_gem_object_alloc(dev, args->size);
120         if (obj == NULL)
121                 return -ENOMEM;
122
123         ret = drm_gem_handle_create(file_priv, obj, &handle);
124         mutex_lock(&dev->struct_mutex);
125         drm_gem_object_handle_unreference(obj);
126         mutex_unlock(&dev->struct_mutex);
127
128         if (ret)
129                 return ret;
130
131         args->handle = handle;
132
133         return 0;
134 }
135
136 static inline int
137 fast_shmem_read(struct page **pages,
138                 loff_t page_base, int page_offset,
139                 char __user *data,
140                 int length)
141 {
142         char __iomem *vaddr;
143         int unwritten;
144
145         vaddr = kmap_atomic(pages[page_base >> PAGE_SHIFT], KM_USER0);
146         if (vaddr == NULL)
147                 return -ENOMEM;
148         unwritten = __copy_to_user_inatomic(data, vaddr + page_offset, length);
149         kunmap_atomic(vaddr, KM_USER0);
150
151         if (unwritten)
152                 return -EFAULT;
153
154         return 0;
155 }
156
157 static int i915_gem_object_needs_bit17_swizzle(struct drm_gem_object *obj)
158 {
159         drm_i915_private_t *dev_priv = obj->dev->dev_private;
160         struct drm_i915_gem_object *obj_priv = obj->driver_private;
161
162         return dev_priv->mm.bit_6_swizzle_x == I915_BIT_6_SWIZZLE_9_10_17 &&
163                 obj_priv->tiling_mode != I915_TILING_NONE;
164 }
165
166 static inline int
167 slow_shmem_copy(struct page *dst_page,
168                 int dst_offset,
169                 struct page *src_page,
170                 int src_offset,
171                 int length)
172 {
173         char *dst_vaddr, *src_vaddr;
174
175         dst_vaddr = kmap_atomic(dst_page, KM_USER0);
176         if (dst_vaddr == NULL)
177                 return -ENOMEM;
178
179         src_vaddr = kmap_atomic(src_page, KM_USER1);
180         if (src_vaddr == NULL) {
181                 kunmap_atomic(dst_vaddr, KM_USER0);
182                 return -ENOMEM;
183         }
184
185         memcpy(dst_vaddr + dst_offset, src_vaddr + src_offset, length);
186
187         kunmap_atomic(src_vaddr, KM_USER1);
188         kunmap_atomic(dst_vaddr, KM_USER0);
189
190         return 0;
191 }
192
193 static inline int
194 slow_shmem_bit17_copy(struct page *gpu_page,
195                       int gpu_offset,
196                       struct page *cpu_page,
197                       int cpu_offset,
198                       int length,
199                       int is_read)
200 {
201         char *gpu_vaddr, *cpu_vaddr;
202
203         /* Use the unswizzled path if this page isn't affected. */
204         if ((page_to_phys(gpu_page) & (1 << 17)) == 0) {
205                 if (is_read)
206                         return slow_shmem_copy(cpu_page, cpu_offset,
207                                                gpu_page, gpu_offset, length);
208                 else
209                         return slow_shmem_copy(gpu_page, gpu_offset,
210                                                cpu_page, cpu_offset, length);
211         }
212
213         gpu_vaddr = kmap_atomic(gpu_page, KM_USER0);
214         if (gpu_vaddr == NULL)
215                 return -ENOMEM;
216
217         cpu_vaddr = kmap_atomic(cpu_page, KM_USER1);
218         if (cpu_vaddr == NULL) {
219                 kunmap_atomic(gpu_vaddr, KM_USER0);
220                 return -ENOMEM;
221         }
222
223         /* Copy the data, XORing A6 with A17 (1). The user already knows he's
224          * XORing with the other bits (A9 for Y, A9 and A10 for X)
225          */
226         while (length > 0) {
227                 int cacheline_end = ALIGN(gpu_offset + 1, 64);
228                 int this_length = min(cacheline_end - gpu_offset, length);
229                 int swizzled_gpu_offset = gpu_offset ^ 64;
230
231                 if (is_read) {
232                         memcpy(cpu_vaddr + cpu_offset,
233                                gpu_vaddr + swizzled_gpu_offset,
234                                this_length);
235                 } else {
236                         memcpy(gpu_vaddr + swizzled_gpu_offset,
237                                cpu_vaddr + cpu_offset,
238                                this_length);
239                 }
240                 cpu_offset += this_length;
241                 gpu_offset += this_length;
242                 length -= this_length;
243         }
244
245         kunmap_atomic(cpu_vaddr, KM_USER1);
246         kunmap_atomic(gpu_vaddr, KM_USER0);
247
248         return 0;
249 }
250
251 /**
252  * This is the fast shmem pread path, which attempts to copy_from_user directly
253  * from the backing pages of the object to the user's address space.  On a
254  * fault, it fails so we can fall back to i915_gem_shmem_pwrite_slow().
255  */
256 static int
257 i915_gem_shmem_pread_fast(struct drm_device *dev, struct drm_gem_object *obj,
258                           struct drm_i915_gem_pread *args,
259                           struct drm_file *file_priv)
260 {
261         struct drm_i915_gem_object *obj_priv = obj->driver_private;
262         ssize_t remain;
263         loff_t offset, page_base;
264         char __user *user_data;
265         int page_offset, page_length;
266         int ret;
267
268         user_data = (char __user *) (uintptr_t) args->data_ptr;
269         remain = args->size;
270
271         mutex_lock(&dev->struct_mutex);
272
273         ret = i915_gem_object_get_pages(obj);
274         if (ret != 0)
275                 goto fail_unlock;
276
277         ret = i915_gem_object_set_cpu_read_domain_range(obj, args->offset,
278                                                         args->size);
279         if (ret != 0)
280                 goto fail_put_pages;
281
282         obj_priv = obj->driver_private;
283         offset = args->offset;
284
285         while (remain > 0) {
286                 /* Operation in this page
287                  *
288                  * page_base = page offset within aperture
289                  * page_offset = offset within page
290                  * page_length = bytes to copy for this page
291                  */
292                 page_base = (offset & ~(PAGE_SIZE-1));
293                 page_offset = offset & (PAGE_SIZE-1);
294                 page_length = remain;
295                 if ((page_offset + remain) > PAGE_SIZE)
296                         page_length = PAGE_SIZE - page_offset;
297
298                 ret = fast_shmem_read(obj_priv->pages,
299                                       page_base, page_offset,
300                                       user_data, page_length);
301                 if (ret)
302                         goto fail_put_pages;
303
304                 remain -= page_length;
305                 user_data += page_length;
306                 offset += page_length;
307         }
308
309 fail_put_pages:
310         i915_gem_object_put_pages(obj);
311 fail_unlock:
312         mutex_unlock(&dev->struct_mutex);
313
314         return ret;
315 }
316
317 /**
318  * This is the fallback shmem pread path, which allocates temporary storage
319  * in kernel space to copy_to_user into outside of the struct_mutex, so we
320  * can copy out of the object's backing pages while holding the struct mutex
321  * and not take page faults.
322  */
323 static int
324 i915_gem_shmem_pread_slow(struct drm_device *dev, struct drm_gem_object *obj,
325                           struct drm_i915_gem_pread *args,
326                           struct drm_file *file_priv)
327 {
328         struct drm_i915_gem_object *obj_priv = obj->driver_private;
329         struct mm_struct *mm = current->mm;
330         struct page **user_pages;
331         ssize_t remain;
332         loff_t offset, pinned_pages, i;
333         loff_t first_data_page, last_data_page, num_pages;
334         int shmem_page_index, shmem_page_offset;
335         int data_page_index,  data_page_offset;
336         int page_length;
337         int ret;
338         uint64_t data_ptr = args->data_ptr;
339         int do_bit17_swizzling;
340
341         remain = args->size;
342
343         /* Pin the user pages containing the data.  We can't fault while
344          * holding the struct mutex, yet we want to hold it while
345          * dereferencing the user data.
346          */
347         first_data_page = data_ptr / PAGE_SIZE;
348         last_data_page = (data_ptr + args->size - 1) / PAGE_SIZE;
349         num_pages = last_data_page - first_data_page + 1;
350
351         user_pages = drm_calloc_large(num_pages, sizeof(struct page *));
352         if (user_pages == NULL)
353                 return -ENOMEM;
354
355         down_read(&mm->mmap_sem);
356         pinned_pages = get_user_pages(current, mm, (uintptr_t)args->data_ptr,
357                                       num_pages, 1, 0, user_pages, NULL);
358         up_read(&mm->mmap_sem);
359         if (pinned_pages < num_pages) {
360                 ret = -EFAULT;
361                 goto fail_put_user_pages;
362         }
363
364         do_bit17_swizzling = i915_gem_object_needs_bit17_swizzle(obj);
365
366         mutex_lock(&dev->struct_mutex);
367
368         ret = i915_gem_object_get_pages(obj);
369         if (ret != 0)
370                 goto fail_unlock;
371
372         ret = i915_gem_object_set_cpu_read_domain_range(obj, args->offset,
373                                                         args->size);
374         if (ret != 0)
375                 goto fail_put_pages;
376
377         obj_priv = obj->driver_private;
378         offset = args->offset;
379
380         while (remain > 0) {
381                 /* Operation in this page
382                  *
383                  * shmem_page_index = page number within shmem file
384                  * shmem_page_offset = offset within page in shmem file
385                  * data_page_index = page number in get_user_pages return
386                  * data_page_offset = offset with data_page_index page.
387                  * page_length = bytes to copy for this page
388                  */
389                 shmem_page_index = offset / PAGE_SIZE;
390                 shmem_page_offset = offset & ~PAGE_MASK;
391                 data_page_index = data_ptr / PAGE_SIZE - first_data_page;
392                 data_page_offset = data_ptr & ~PAGE_MASK;
393
394                 page_length = remain;
395                 if ((shmem_page_offset + page_length) > PAGE_SIZE)
396                         page_length = PAGE_SIZE - shmem_page_offset;
397                 if ((data_page_offset + page_length) > PAGE_SIZE)
398                         page_length = PAGE_SIZE - data_page_offset;
399
400                 if (do_bit17_swizzling) {
401                         ret = slow_shmem_bit17_copy(obj_priv->pages[shmem_page_index],
402                                                     shmem_page_offset,
403                                                     user_pages[data_page_index],
404                                                     data_page_offset,
405                                                     page_length,
406                                                     1);
407                 } else {
408                         ret = slow_shmem_copy(user_pages[data_page_index],
409                                               data_page_offset,
410                                               obj_priv->pages[shmem_page_index],
411                                               shmem_page_offset,
412                                               page_length);
413                 }
414                 if (ret)
415                         goto fail_put_pages;
416
417                 remain -= page_length;
418                 data_ptr += page_length;
419                 offset += page_length;
420         }
421
422 fail_put_pages:
423         i915_gem_object_put_pages(obj);
424 fail_unlock:
425         mutex_unlock(&dev->struct_mutex);
426 fail_put_user_pages:
427         for (i = 0; i < pinned_pages; i++) {
428                 SetPageDirty(user_pages[i]);
429                 page_cache_release(user_pages[i]);
430         }
431         drm_free_large(user_pages);
432
433         return ret;
434 }
435
436 /**
437  * Reads data from the object referenced by handle.
438  *
439  * On error, the contents of *data are undefined.
440  */
441 int
442 i915_gem_pread_ioctl(struct drm_device *dev, void *data,
443                      struct drm_file *file_priv)
444 {
445         struct drm_i915_gem_pread *args = data;
446         struct drm_gem_object *obj;
447         struct drm_i915_gem_object *obj_priv;
448         int ret;
449
450         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
451         if (obj == NULL)
452                 return -EBADF;
453         obj_priv = obj->driver_private;
454
455         /* Bounds check source.
456          *
457          * XXX: This could use review for overflow issues...
458          */
459         if (args->offset > obj->size || args->size > obj->size ||
460             args->offset + args->size > obj->size) {
461                 drm_gem_object_unreference(obj);
462                 return -EINVAL;
463         }
464
465         if (i915_gem_object_needs_bit17_swizzle(obj)) {
466                 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
467         } else {
468                 ret = i915_gem_shmem_pread_fast(dev, obj, args, file_priv);
469                 if (ret != 0)
470                         ret = i915_gem_shmem_pread_slow(dev, obj, args,
471                                                         file_priv);
472         }
473
474         drm_gem_object_unreference(obj);
475
476         return ret;
477 }
478
479 /* This is the fast write path which cannot handle
480  * page faults in the source data
481  */
482
483 static inline int
484 fast_user_write(struct io_mapping *mapping,
485                 loff_t page_base, int page_offset,
486                 char __user *user_data,
487                 int length)
488 {
489         char *vaddr_atomic;
490         unsigned long unwritten;
491
492         vaddr_atomic = io_mapping_map_atomic_wc(mapping, page_base);
493         unwritten = __copy_from_user_inatomic_nocache(vaddr_atomic + page_offset,
494                                                       user_data, length);
495         io_mapping_unmap_atomic(vaddr_atomic);
496         if (unwritten)
497                 return -EFAULT;
498         return 0;
499 }
500
501 /* Here's the write path which can sleep for
502  * page faults
503  */
504
505 static inline int
506 slow_kernel_write(struct io_mapping *mapping,
507                   loff_t gtt_base, int gtt_offset,
508                   struct page *user_page, int user_offset,
509                   int length)
510 {
511         char *src_vaddr, *dst_vaddr;
512         unsigned long unwritten;
513
514         dst_vaddr = io_mapping_map_atomic_wc(mapping, gtt_base);
515         src_vaddr = kmap_atomic(user_page, KM_USER1);
516         unwritten = __copy_from_user_inatomic_nocache(dst_vaddr + gtt_offset,
517                                                       src_vaddr + user_offset,
518                                                       length);
519         kunmap_atomic(src_vaddr, KM_USER1);
520         io_mapping_unmap_atomic(dst_vaddr);
521         if (unwritten)
522                 return -EFAULT;
523         return 0;
524 }
525
526 static inline int
527 fast_shmem_write(struct page **pages,
528                  loff_t page_base, int page_offset,
529                  char __user *data,
530                  int length)
531 {
532         char __iomem *vaddr;
533         unsigned long unwritten;
534
535         vaddr = kmap_atomic(pages[page_base >> PAGE_SHIFT], KM_USER0);
536         if (vaddr == NULL)
537                 return -ENOMEM;
538         unwritten = __copy_from_user_inatomic(vaddr + page_offset, data, length);
539         kunmap_atomic(vaddr, KM_USER0);
540
541         if (unwritten)
542                 return -EFAULT;
543         return 0;
544 }
545
546 /**
547  * This is the fast pwrite path, where we copy the data directly from the
548  * user into the GTT, uncached.
549  */
550 static int
551 i915_gem_gtt_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj,
552                          struct drm_i915_gem_pwrite *args,
553                          struct drm_file *file_priv)
554 {
555         struct drm_i915_gem_object *obj_priv = obj->driver_private;
556         drm_i915_private_t *dev_priv = dev->dev_private;
557         ssize_t remain;
558         loff_t offset, page_base;
559         char __user *user_data;
560         int page_offset, page_length;
561         int ret;
562
563         user_data = (char __user *) (uintptr_t) args->data_ptr;
564         remain = args->size;
565         if (!access_ok(VERIFY_READ, user_data, remain))
566                 return -EFAULT;
567
568
569         mutex_lock(&dev->struct_mutex);
570         ret = i915_gem_object_pin(obj, 0);
571         if (ret) {
572                 mutex_unlock(&dev->struct_mutex);
573                 return ret;
574         }
575         ret = i915_gem_object_set_to_gtt_domain(obj, 1);
576         if (ret)
577                 goto fail;
578
579         obj_priv = obj->driver_private;
580         offset = obj_priv->gtt_offset + args->offset;
581
582         while (remain > 0) {
583                 /* Operation in this page
584                  *
585                  * page_base = page offset within aperture
586                  * page_offset = offset within page
587                  * page_length = bytes to copy for this page
588                  */
589                 page_base = (offset & ~(PAGE_SIZE-1));
590                 page_offset = offset & (PAGE_SIZE-1);
591                 page_length = remain;
592                 if ((page_offset + remain) > PAGE_SIZE)
593                         page_length = PAGE_SIZE - page_offset;
594
595                 ret = fast_user_write (dev_priv->mm.gtt_mapping, page_base,
596                                        page_offset, user_data, page_length);
597
598                 /* If we get a fault while copying data, then (presumably) our
599                  * source page isn't available.  Return the error and we'll
600                  * retry in the slow path.
601                  */
602                 if (ret)
603                         goto fail;
604
605                 remain -= page_length;
606                 user_data += page_length;
607                 offset += page_length;
608         }
609
610 fail:
611         i915_gem_object_unpin(obj);
612         mutex_unlock(&dev->struct_mutex);
613
614         return ret;
615 }
616
617 /**
618  * This is the fallback GTT pwrite path, which uses get_user_pages to pin
619  * the memory and maps it using kmap_atomic for copying.
620  *
621  * This code resulted in x11perf -rgb10text consuming about 10% more CPU
622  * than using i915_gem_gtt_pwrite_fast on a G45 (32-bit).
623  */
624 static int
625 i915_gem_gtt_pwrite_slow(struct drm_device *dev, struct drm_gem_object *obj,
626                          struct drm_i915_gem_pwrite *args,
627                          struct drm_file *file_priv)
628 {
629         struct drm_i915_gem_object *obj_priv = obj->driver_private;
630         drm_i915_private_t *dev_priv = dev->dev_private;
631         ssize_t remain;
632         loff_t gtt_page_base, offset;
633         loff_t first_data_page, last_data_page, num_pages;
634         loff_t pinned_pages, i;
635         struct page **user_pages;
636         struct mm_struct *mm = current->mm;
637         int gtt_page_offset, data_page_offset, data_page_index, page_length;
638         int ret;
639         uint64_t data_ptr = args->data_ptr;
640
641         remain = args->size;
642
643         /* Pin the user pages containing the data.  We can't fault while
644          * holding the struct mutex, and all of the pwrite implementations
645          * want to hold it while dereferencing the user data.
646          */
647         first_data_page = data_ptr / PAGE_SIZE;
648         last_data_page = (data_ptr + args->size - 1) / PAGE_SIZE;
649         num_pages = last_data_page - first_data_page + 1;
650
651         user_pages = drm_calloc_large(num_pages, sizeof(struct page *));
652         if (user_pages == NULL)
653                 return -ENOMEM;
654
655         down_read(&mm->mmap_sem);
656         pinned_pages = get_user_pages(current, mm, (uintptr_t)args->data_ptr,
657                                       num_pages, 0, 0, user_pages, NULL);
658         up_read(&mm->mmap_sem);
659         if (pinned_pages < num_pages) {
660                 ret = -EFAULT;
661                 goto out_unpin_pages;
662         }
663
664         mutex_lock(&dev->struct_mutex);
665         ret = i915_gem_object_pin(obj, 0);
666         if (ret)
667                 goto out_unlock;
668
669         ret = i915_gem_object_set_to_gtt_domain(obj, 1);
670         if (ret)
671                 goto out_unpin_object;
672
673         obj_priv = obj->driver_private;
674         offset = obj_priv->gtt_offset + args->offset;
675
676         while (remain > 0) {
677                 /* Operation in this page
678                  *
679                  * gtt_page_base = page offset within aperture
680                  * gtt_page_offset = offset within page in aperture
681                  * data_page_index = page number in get_user_pages return
682                  * data_page_offset = offset with data_page_index page.
683                  * page_length = bytes to copy for this page
684                  */
685                 gtt_page_base = offset & PAGE_MASK;
686                 gtt_page_offset = offset & ~PAGE_MASK;
687                 data_page_index = data_ptr / PAGE_SIZE - first_data_page;
688                 data_page_offset = data_ptr & ~PAGE_MASK;
689
690                 page_length = remain;
691                 if ((gtt_page_offset + page_length) > PAGE_SIZE)
692                         page_length = PAGE_SIZE - gtt_page_offset;
693                 if ((data_page_offset + page_length) > PAGE_SIZE)
694                         page_length = PAGE_SIZE - data_page_offset;
695
696                 ret = slow_kernel_write(dev_priv->mm.gtt_mapping,
697                                         gtt_page_base, gtt_page_offset,
698                                         user_pages[data_page_index],
699                                         data_page_offset,
700                                         page_length);
701
702                 /* If we get a fault while copying data, then (presumably) our
703                  * source page isn't available.  Return the error and we'll
704                  * retry in the slow path.
705                  */
706                 if (ret)
707                         goto out_unpin_object;
708
709                 remain -= page_length;
710                 offset += page_length;
711                 data_ptr += page_length;
712         }
713
714 out_unpin_object:
715         i915_gem_object_unpin(obj);
716 out_unlock:
717         mutex_unlock(&dev->struct_mutex);
718 out_unpin_pages:
719         for (i = 0; i < pinned_pages; i++)
720                 page_cache_release(user_pages[i]);
721         drm_free_large(user_pages);
722
723         return ret;
724 }
725
726 /**
727  * This is the fast shmem pwrite path, which attempts to directly
728  * copy_from_user into the kmapped pages backing the object.
729  */
730 static int
731 i915_gem_shmem_pwrite_fast(struct drm_device *dev, struct drm_gem_object *obj,
732                            struct drm_i915_gem_pwrite *args,
733                            struct drm_file *file_priv)
734 {
735         struct drm_i915_gem_object *obj_priv = obj->driver_private;
736         ssize_t remain;
737         loff_t offset, page_base;
738         char __user *user_data;
739         int page_offset, page_length;
740         int ret;
741
742         user_data = (char __user *) (uintptr_t) args->data_ptr;
743         remain = args->size;
744
745         mutex_lock(&dev->struct_mutex);
746
747         ret = i915_gem_object_get_pages(obj);
748         if (ret != 0)
749                 goto fail_unlock;
750
751         ret = i915_gem_object_set_to_cpu_domain(obj, 1);
752         if (ret != 0)
753                 goto fail_put_pages;
754
755         obj_priv = obj->driver_private;
756         offset = args->offset;
757         obj_priv->dirty = 1;
758
759         while (remain > 0) {
760                 /* Operation in this page
761                  *
762                  * page_base = page offset within aperture
763                  * page_offset = offset within page
764                  * page_length = bytes to copy for this page
765                  */
766                 page_base = (offset & ~(PAGE_SIZE-1));
767                 page_offset = offset & (PAGE_SIZE-1);
768                 page_length = remain;
769                 if ((page_offset + remain) > PAGE_SIZE)
770                         page_length = PAGE_SIZE - page_offset;
771
772                 ret = fast_shmem_write(obj_priv->pages,
773                                        page_base, page_offset,
774                                        user_data, page_length);
775                 if (ret)
776                         goto fail_put_pages;
777
778                 remain -= page_length;
779                 user_data += page_length;
780                 offset += page_length;
781         }
782
783 fail_put_pages:
784         i915_gem_object_put_pages(obj);
785 fail_unlock:
786         mutex_unlock(&dev->struct_mutex);
787
788         return ret;
789 }
790
791 /**
792  * This is the fallback shmem pwrite path, which uses get_user_pages to pin
793  * the memory and maps it using kmap_atomic for copying.
794  *
795  * This avoids taking mmap_sem for faulting on the user's address while the
796  * struct_mutex is held.
797  */
798 static int
799 i915_gem_shmem_pwrite_slow(struct drm_device *dev, struct drm_gem_object *obj,
800                            struct drm_i915_gem_pwrite *args,
801                            struct drm_file *file_priv)
802 {
803         struct drm_i915_gem_object *obj_priv = obj->driver_private;
804         struct mm_struct *mm = current->mm;
805         struct page **user_pages;
806         ssize_t remain;
807         loff_t offset, pinned_pages, i;
808         loff_t first_data_page, last_data_page, num_pages;
809         int shmem_page_index, shmem_page_offset;
810         int data_page_index,  data_page_offset;
811         int page_length;
812         int ret;
813         uint64_t data_ptr = args->data_ptr;
814         int do_bit17_swizzling;
815
816         remain = args->size;
817
818         /* Pin the user pages containing the data.  We can't fault while
819          * holding the struct mutex, and all of the pwrite implementations
820          * want to hold it while dereferencing the user data.
821          */
822         first_data_page = data_ptr / PAGE_SIZE;
823         last_data_page = (data_ptr + args->size - 1) / PAGE_SIZE;
824         num_pages = last_data_page - first_data_page + 1;
825
826         user_pages = drm_calloc_large(num_pages, sizeof(struct page *));
827         if (user_pages == NULL)
828                 return -ENOMEM;
829
830         down_read(&mm->mmap_sem);
831         pinned_pages = get_user_pages(current, mm, (uintptr_t)args->data_ptr,
832                                       num_pages, 0, 0, user_pages, NULL);
833         up_read(&mm->mmap_sem);
834         if (pinned_pages < num_pages) {
835                 ret = -EFAULT;
836                 goto fail_put_user_pages;
837         }
838
839         do_bit17_swizzling = i915_gem_object_needs_bit17_swizzle(obj);
840
841         mutex_lock(&dev->struct_mutex);
842
843         ret = i915_gem_object_get_pages(obj);
844         if (ret != 0)
845                 goto fail_unlock;
846
847         ret = i915_gem_object_set_to_cpu_domain(obj, 1);
848         if (ret != 0)
849                 goto fail_put_pages;
850
851         obj_priv = obj->driver_private;
852         offset = args->offset;
853         obj_priv->dirty = 1;
854
855         while (remain > 0) {
856                 /* Operation in this page
857                  *
858                  * shmem_page_index = page number within shmem file
859                  * shmem_page_offset = offset within page in shmem file
860                  * data_page_index = page number in get_user_pages return
861                  * data_page_offset = offset with data_page_index page.
862                  * page_length = bytes to copy for this page
863                  */
864                 shmem_page_index = offset / PAGE_SIZE;
865                 shmem_page_offset = offset & ~PAGE_MASK;
866                 data_page_index = data_ptr / PAGE_SIZE - first_data_page;
867                 data_page_offset = data_ptr & ~PAGE_MASK;
868
869                 page_length = remain;
870                 if ((shmem_page_offset + page_length) > PAGE_SIZE)
871                         page_length = PAGE_SIZE - shmem_page_offset;
872                 if ((data_page_offset + page_length) > PAGE_SIZE)
873                         page_length = PAGE_SIZE - data_page_offset;
874
875                 if (do_bit17_swizzling) {
876                         ret = slow_shmem_bit17_copy(obj_priv->pages[shmem_page_index],
877                                                     shmem_page_offset,
878                                                     user_pages[data_page_index],
879                                                     data_page_offset,
880                                                     page_length,
881                                                     0);
882                 } else {
883                         ret = slow_shmem_copy(obj_priv->pages[shmem_page_index],
884                                               shmem_page_offset,
885                                               user_pages[data_page_index],
886                                               data_page_offset,
887                                               page_length);
888                 }
889                 if (ret)
890                         goto fail_put_pages;
891
892                 remain -= page_length;
893                 data_ptr += page_length;
894                 offset += page_length;
895         }
896
897 fail_put_pages:
898         i915_gem_object_put_pages(obj);
899 fail_unlock:
900         mutex_unlock(&dev->struct_mutex);
901 fail_put_user_pages:
902         for (i = 0; i < pinned_pages; i++)
903                 page_cache_release(user_pages[i]);
904         drm_free_large(user_pages);
905
906         return ret;
907 }
908
909 /**
910  * Writes data to the object referenced by handle.
911  *
912  * On error, the contents of the buffer that were to be modified are undefined.
913  */
914 int
915 i915_gem_pwrite_ioctl(struct drm_device *dev, void *data,
916                       struct drm_file *file_priv)
917 {
918         struct drm_i915_gem_pwrite *args = data;
919         struct drm_gem_object *obj;
920         struct drm_i915_gem_object *obj_priv;
921         int ret = 0;
922
923         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
924         if (obj == NULL)
925                 return -EBADF;
926         obj_priv = obj->driver_private;
927
928         /* Bounds check destination.
929          *
930          * XXX: This could use review for overflow issues...
931          */
932         if (args->offset > obj->size || args->size > obj->size ||
933             args->offset + args->size > obj->size) {
934                 drm_gem_object_unreference(obj);
935                 return -EINVAL;
936         }
937
938         /* We can only do the GTT pwrite on untiled buffers, as otherwise
939          * it would end up going through the fenced access, and we'll get
940          * different detiling behavior between reading and writing.
941          * pread/pwrite currently are reading and writing from the CPU
942          * perspective, requiring manual detiling by the client.
943          */
944         if (obj_priv->phys_obj)
945                 ret = i915_gem_phys_pwrite(dev, obj, args, file_priv);
946         else if (obj_priv->tiling_mode == I915_TILING_NONE &&
947                  dev->gtt_total != 0) {
948                 ret = i915_gem_gtt_pwrite_fast(dev, obj, args, file_priv);
949                 if (ret == -EFAULT) {
950                         ret = i915_gem_gtt_pwrite_slow(dev, obj, args,
951                                                        file_priv);
952                 }
953         } else if (i915_gem_object_needs_bit17_swizzle(obj)) {
954                 ret = i915_gem_shmem_pwrite_slow(dev, obj, args, file_priv);
955         } else {
956                 ret = i915_gem_shmem_pwrite_fast(dev, obj, args, file_priv);
957                 if (ret == -EFAULT) {
958                         ret = i915_gem_shmem_pwrite_slow(dev, obj, args,
959                                                          file_priv);
960                 }
961         }
962
963 #if WATCH_PWRITE
964         if (ret)
965                 DRM_INFO("pwrite failed %d\n", ret);
966 #endif
967
968         drm_gem_object_unreference(obj);
969
970         return ret;
971 }
972
973 /**
974  * Called when user space prepares to use an object with the CPU, either
975  * through the mmap ioctl's mapping or a GTT mapping.
976  */
977 int
978 i915_gem_set_domain_ioctl(struct drm_device *dev, void *data,
979                           struct drm_file *file_priv)
980 {
981         struct drm_i915_gem_set_domain *args = data;
982         struct drm_gem_object *obj;
983         uint32_t read_domains = args->read_domains;
984         uint32_t write_domain = args->write_domain;
985         int ret;
986
987         if (!(dev->driver->driver_features & DRIVER_GEM))
988                 return -ENODEV;
989
990         /* Only handle setting domains to types used by the CPU. */
991         if (write_domain & I915_GEM_GPU_DOMAINS)
992                 return -EINVAL;
993
994         if (read_domains & I915_GEM_GPU_DOMAINS)
995                 return -EINVAL;
996
997         /* Having something in the write domain implies it's in the read
998          * domain, and only that read domain.  Enforce that in the request.
999          */
1000         if (write_domain != 0 && read_domains != write_domain)
1001                 return -EINVAL;
1002
1003         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
1004         if (obj == NULL)
1005                 return -EBADF;
1006
1007         mutex_lock(&dev->struct_mutex);
1008 #if WATCH_BUF
1009         DRM_INFO("set_domain_ioctl %p(%zd), %08x %08x\n",
1010                  obj, obj->size, read_domains, write_domain);
1011 #endif
1012         if (read_domains & I915_GEM_DOMAIN_GTT) {
1013                 ret = i915_gem_object_set_to_gtt_domain(obj, write_domain != 0);
1014
1015                 /* Silently promote "you're not bound, there was nothing to do"
1016                  * to success, since the client was just asking us to
1017                  * make sure everything was done.
1018                  */
1019                 if (ret == -EINVAL)
1020                         ret = 0;
1021         } else {
1022                 ret = i915_gem_object_set_to_cpu_domain(obj, write_domain != 0);
1023         }
1024
1025         drm_gem_object_unreference(obj);
1026         mutex_unlock(&dev->struct_mutex);
1027         return ret;
1028 }
1029
1030 /**
1031  * Called when user space has done writes to this buffer
1032  */
1033 int
1034 i915_gem_sw_finish_ioctl(struct drm_device *dev, void *data,
1035                       struct drm_file *file_priv)
1036 {
1037         struct drm_i915_gem_sw_finish *args = data;
1038         struct drm_gem_object *obj;
1039         struct drm_i915_gem_object *obj_priv;
1040         int ret = 0;
1041
1042         if (!(dev->driver->driver_features & DRIVER_GEM))
1043                 return -ENODEV;
1044
1045         mutex_lock(&dev->struct_mutex);
1046         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
1047         if (obj == NULL) {
1048                 mutex_unlock(&dev->struct_mutex);
1049                 return -EBADF;
1050         }
1051
1052 #if WATCH_BUF
1053         DRM_INFO("%s: sw_finish %d (%p %zd)\n",
1054                  __func__, args->handle, obj, obj->size);
1055 #endif
1056         obj_priv = obj->driver_private;
1057
1058         /* Pinned buffers may be scanout, so flush the cache */
1059         if (obj_priv->pin_count)
1060                 i915_gem_object_flush_cpu_write_domain(obj);
1061
1062         drm_gem_object_unreference(obj);
1063         mutex_unlock(&dev->struct_mutex);
1064         return ret;
1065 }
1066
1067 /**
1068  * Maps the contents of an object, returning the address it is mapped
1069  * into.
1070  *
1071  * While the mapping holds a reference on the contents of the object, it doesn't
1072  * imply a ref on the object itself.
1073  */
1074 int
1075 i915_gem_mmap_ioctl(struct drm_device *dev, void *data,
1076                    struct drm_file *file_priv)
1077 {
1078         struct drm_i915_gem_mmap *args = data;
1079         struct drm_gem_object *obj;
1080         loff_t offset;
1081         unsigned long addr;
1082
1083         if (!(dev->driver->driver_features & DRIVER_GEM))
1084                 return -ENODEV;
1085
1086         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
1087         if (obj == NULL)
1088                 return -EBADF;
1089
1090         offset = args->offset;
1091
1092         down_write(&current->mm->mmap_sem);
1093         addr = do_mmap(obj->filp, 0, args->size,
1094                        PROT_READ | PROT_WRITE, MAP_SHARED,
1095                        args->offset);
1096         up_write(&current->mm->mmap_sem);
1097         mutex_lock(&dev->struct_mutex);
1098         drm_gem_object_unreference(obj);
1099         mutex_unlock(&dev->struct_mutex);
1100         if (IS_ERR((void *)addr))
1101                 return addr;
1102
1103         args->addr_ptr = (uint64_t) addr;
1104
1105         return 0;
1106 }
1107
1108 /**
1109  * i915_gem_fault - fault a page into the GTT
1110  * vma: VMA in question
1111  * vmf: fault info
1112  *
1113  * The fault handler is set up by drm_gem_mmap() when a object is GTT mapped
1114  * from userspace.  The fault handler takes care of binding the object to
1115  * the GTT (if needed), allocating and programming a fence register (again,
1116  * only if needed based on whether the old reg is still valid or the object
1117  * is tiled) and inserting a new PTE into the faulting process.
1118  *
1119  * Note that the faulting process may involve evicting existing objects
1120  * from the GTT and/or fence registers to make room.  So performance may
1121  * suffer if the GTT working set is large or there are few fence registers
1122  * left.
1123  */
1124 int i915_gem_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
1125 {
1126         struct drm_gem_object *obj = vma->vm_private_data;
1127         struct drm_device *dev = obj->dev;
1128         struct drm_i915_private *dev_priv = dev->dev_private;
1129         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1130         pgoff_t page_offset;
1131         unsigned long pfn;
1132         int ret = 0;
1133         bool write = !!(vmf->flags & FAULT_FLAG_WRITE);
1134
1135         /* We don't use vmf->pgoff since that has the fake offset */
1136         page_offset = ((unsigned long)vmf->virtual_address - vma->vm_start) >>
1137                 PAGE_SHIFT;
1138
1139         /* Now bind it into the GTT if needed */
1140         mutex_lock(&dev->struct_mutex);
1141         if (!obj_priv->gtt_space) {
1142                 ret = i915_gem_object_bind_to_gtt(obj, obj_priv->gtt_alignment);
1143                 if (ret) {
1144                         mutex_unlock(&dev->struct_mutex);
1145                         return VM_FAULT_SIGBUS;
1146                 }
1147
1148                 ret = i915_gem_object_set_to_gtt_domain(obj, write);
1149                 if (ret) {
1150                         mutex_unlock(&dev->struct_mutex);
1151                         return VM_FAULT_SIGBUS;
1152                 }
1153
1154                 list_add_tail(&obj_priv->list, &dev_priv->mm.inactive_list);
1155         }
1156
1157         /* Need a new fence register? */
1158         if (obj_priv->fence_reg == I915_FENCE_REG_NONE &&
1159             obj_priv->tiling_mode != I915_TILING_NONE) {
1160                 ret = i915_gem_object_get_fence_reg(obj);
1161                 if (ret) {
1162                         mutex_unlock(&dev->struct_mutex);
1163                         return VM_FAULT_SIGBUS;
1164                 }
1165         }
1166
1167         pfn = ((dev->agp->base + obj_priv->gtt_offset) >> PAGE_SHIFT) +
1168                 page_offset;
1169
1170         /* Finally, remap it using the new GTT offset */
1171         ret = vm_insert_pfn(vma, (unsigned long)vmf->virtual_address, pfn);
1172
1173         mutex_unlock(&dev->struct_mutex);
1174
1175         switch (ret) {
1176         case -ENOMEM:
1177         case -EAGAIN:
1178                 return VM_FAULT_OOM;
1179         case -EFAULT:
1180         case -EINVAL:
1181                 return VM_FAULT_SIGBUS;
1182         default:
1183                 return VM_FAULT_NOPAGE;
1184         }
1185 }
1186
1187 /**
1188  * i915_gem_create_mmap_offset - create a fake mmap offset for an object
1189  * @obj: obj in question
1190  *
1191  * GEM memory mapping works by handing back to userspace a fake mmap offset
1192  * it can use in a subsequent mmap(2) call.  The DRM core code then looks
1193  * up the object based on the offset and sets up the various memory mapping
1194  * structures.
1195  *
1196  * This routine allocates and attaches a fake offset for @obj.
1197  */
1198 static int
1199 i915_gem_create_mmap_offset(struct drm_gem_object *obj)
1200 {
1201         struct drm_device *dev = obj->dev;
1202         struct drm_gem_mm *mm = dev->mm_private;
1203         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1204         struct drm_map_list *list;
1205         struct drm_local_map *map;
1206         int ret = 0;
1207
1208         /* Set the object up for mmap'ing */
1209         list = &obj->map_list;
1210         list->map = kzalloc(sizeof(struct drm_map_list), GFP_KERNEL);
1211         if (!list->map)
1212                 return -ENOMEM;
1213
1214         map = list->map;
1215         map->type = _DRM_GEM;
1216         map->size = obj->size;
1217         map->handle = obj;
1218
1219         /* Get a DRM GEM mmap offset allocated... */
1220         list->file_offset_node = drm_mm_search_free(&mm->offset_manager,
1221                                                     obj->size / PAGE_SIZE, 0, 0);
1222         if (!list->file_offset_node) {
1223                 DRM_ERROR("failed to allocate offset for bo %d\n", obj->name);
1224                 ret = -ENOMEM;
1225                 goto out_free_list;
1226         }
1227
1228         list->file_offset_node = drm_mm_get_block(list->file_offset_node,
1229                                                   obj->size / PAGE_SIZE, 0);
1230         if (!list->file_offset_node) {
1231                 ret = -ENOMEM;
1232                 goto out_free_list;
1233         }
1234
1235         list->hash.key = list->file_offset_node->start;
1236         if (drm_ht_insert_item(&mm->offset_hash, &list->hash)) {
1237                 DRM_ERROR("failed to add to map hash\n");
1238                 goto out_free_mm;
1239         }
1240
1241         /* By now we should be all set, any drm_mmap request on the offset
1242          * below will get to our mmap & fault handler */
1243         obj_priv->mmap_offset = ((uint64_t) list->hash.key) << PAGE_SHIFT;
1244
1245         return 0;
1246
1247 out_free_mm:
1248         drm_mm_put_block(list->file_offset_node);
1249 out_free_list:
1250         kfree(list->map);
1251
1252         return ret;
1253 }
1254
1255 static void
1256 i915_gem_free_mmap_offset(struct drm_gem_object *obj)
1257 {
1258         struct drm_device *dev = obj->dev;
1259         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1260         struct drm_gem_mm *mm = dev->mm_private;
1261         struct drm_map_list *list;
1262
1263         list = &obj->map_list;
1264         drm_ht_remove_item(&mm->offset_hash, &list->hash);
1265
1266         if (list->file_offset_node) {
1267                 drm_mm_put_block(list->file_offset_node);
1268                 list->file_offset_node = NULL;
1269         }
1270
1271         if (list->map) {
1272                 kfree(list->map);
1273                 list->map = NULL;
1274         }
1275
1276         obj_priv->mmap_offset = 0;
1277 }
1278
1279 /**
1280  * i915_gem_get_gtt_alignment - return required GTT alignment for an object
1281  * @obj: object to check
1282  *
1283  * Return the required GTT alignment for an object, taking into account
1284  * potential fence register mapping if needed.
1285  */
1286 static uint32_t
1287 i915_gem_get_gtt_alignment(struct drm_gem_object *obj)
1288 {
1289         struct drm_device *dev = obj->dev;
1290         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1291         int start, i;
1292
1293         /*
1294          * Minimum alignment is 4k (GTT page size), but might be greater
1295          * if a fence register is needed for the object.
1296          */
1297         if (IS_I965G(dev) || obj_priv->tiling_mode == I915_TILING_NONE)
1298                 return 4096;
1299
1300         /*
1301          * Previous chips need to be aligned to the size of the smallest
1302          * fence register that can contain the object.
1303          */
1304         if (IS_I9XX(dev))
1305                 start = 1024*1024;
1306         else
1307                 start = 512*1024;
1308
1309         for (i = start; i < obj->size; i <<= 1)
1310                 ;
1311
1312         return i;
1313 }
1314
1315 /**
1316  * i915_gem_mmap_gtt_ioctl - prepare an object for GTT mmap'ing
1317  * @dev: DRM device
1318  * @data: GTT mapping ioctl data
1319  * @file_priv: GEM object info
1320  *
1321  * Simply returns the fake offset to userspace so it can mmap it.
1322  * The mmap call will end up in drm_gem_mmap(), which will set things
1323  * up so we can get faults in the handler above.
1324  *
1325  * The fault handler will take care of binding the object into the GTT
1326  * (since it may have been evicted to make room for something), allocating
1327  * a fence register, and mapping the appropriate aperture address into
1328  * userspace.
1329  */
1330 int
1331 i915_gem_mmap_gtt_ioctl(struct drm_device *dev, void *data,
1332                         struct drm_file *file_priv)
1333 {
1334         struct drm_i915_gem_mmap_gtt *args = data;
1335         struct drm_i915_private *dev_priv = dev->dev_private;
1336         struct drm_gem_object *obj;
1337         struct drm_i915_gem_object *obj_priv;
1338         int ret;
1339
1340         if (!(dev->driver->driver_features & DRIVER_GEM))
1341                 return -ENODEV;
1342
1343         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
1344         if (obj == NULL)
1345                 return -EBADF;
1346
1347         mutex_lock(&dev->struct_mutex);
1348
1349         obj_priv = obj->driver_private;
1350
1351         if (!obj_priv->mmap_offset) {
1352                 ret = i915_gem_create_mmap_offset(obj);
1353                 if (ret) {
1354                         drm_gem_object_unreference(obj);
1355                         mutex_unlock(&dev->struct_mutex);
1356                         return ret;
1357                 }
1358         }
1359
1360         args->offset = obj_priv->mmap_offset;
1361
1362         obj_priv->gtt_alignment = i915_gem_get_gtt_alignment(obj);
1363
1364         /* Make sure the alignment is correct for fence regs etc */
1365         if (obj_priv->agp_mem &&
1366             (obj_priv->gtt_offset & (obj_priv->gtt_alignment - 1))) {
1367                 drm_gem_object_unreference(obj);
1368                 mutex_unlock(&dev->struct_mutex);
1369                 return -EINVAL;
1370         }
1371
1372         /*
1373          * Pull it into the GTT so that we have a page list (makes the
1374          * initial fault faster and any subsequent flushing possible).
1375          */
1376         if (!obj_priv->agp_mem) {
1377                 ret = i915_gem_object_bind_to_gtt(obj, obj_priv->gtt_alignment);
1378                 if (ret) {
1379                         drm_gem_object_unreference(obj);
1380                         mutex_unlock(&dev->struct_mutex);
1381                         return ret;
1382                 }
1383                 list_add_tail(&obj_priv->list, &dev_priv->mm.inactive_list);
1384         }
1385
1386         drm_gem_object_unreference(obj);
1387         mutex_unlock(&dev->struct_mutex);
1388
1389         return 0;
1390 }
1391
1392 void
1393 i915_gem_object_put_pages(struct drm_gem_object *obj)
1394 {
1395         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1396         int page_count = obj->size / PAGE_SIZE;
1397         int i;
1398
1399         BUG_ON(obj_priv->pages_refcount == 0);
1400
1401         if (--obj_priv->pages_refcount != 0)
1402                 return;
1403
1404         if (obj_priv->tiling_mode != I915_TILING_NONE)
1405                 i915_gem_object_save_bit_17_swizzle(obj);
1406
1407         for (i = 0; i < page_count; i++)
1408                 if (obj_priv->pages[i] != NULL) {
1409                         if (obj_priv->dirty)
1410                                 set_page_dirty(obj_priv->pages[i]);
1411                         mark_page_accessed(obj_priv->pages[i]);
1412                         page_cache_release(obj_priv->pages[i]);
1413                 }
1414         obj_priv->dirty = 0;
1415
1416         drm_free_large(obj_priv->pages);
1417         obj_priv->pages = NULL;
1418 }
1419
1420 static void
1421 i915_gem_object_move_to_active(struct drm_gem_object *obj, uint32_t seqno)
1422 {
1423         struct drm_device *dev = obj->dev;
1424         drm_i915_private_t *dev_priv = dev->dev_private;
1425         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1426
1427         /* Add a reference if we're newly entering the active list. */
1428         if (!obj_priv->active) {
1429                 drm_gem_object_reference(obj);
1430                 obj_priv->active = 1;
1431         }
1432         /* Move from whatever list we were on to the tail of execution. */
1433         spin_lock(&dev_priv->mm.active_list_lock);
1434         list_move_tail(&obj_priv->list,
1435                        &dev_priv->mm.active_list);
1436         spin_unlock(&dev_priv->mm.active_list_lock);
1437         obj_priv->last_rendering_seqno = seqno;
1438 }
1439
1440 static void
1441 i915_gem_object_move_to_flushing(struct drm_gem_object *obj)
1442 {
1443         struct drm_device *dev = obj->dev;
1444         drm_i915_private_t *dev_priv = dev->dev_private;
1445         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1446
1447         BUG_ON(!obj_priv->active);
1448         list_move_tail(&obj_priv->list, &dev_priv->mm.flushing_list);
1449         obj_priv->last_rendering_seqno = 0;
1450 }
1451
1452 static void
1453 i915_gem_object_move_to_inactive(struct drm_gem_object *obj)
1454 {
1455         struct drm_device *dev = obj->dev;
1456         drm_i915_private_t *dev_priv = dev->dev_private;
1457         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1458
1459         i915_verify_inactive(dev, __FILE__, __LINE__);
1460         if (obj_priv->pin_count != 0)
1461                 list_del_init(&obj_priv->list);
1462         else
1463                 list_move_tail(&obj_priv->list, &dev_priv->mm.inactive_list);
1464
1465         obj_priv->last_rendering_seqno = 0;
1466         if (obj_priv->active) {
1467                 obj_priv->active = 0;
1468                 drm_gem_object_unreference(obj);
1469         }
1470         i915_verify_inactive(dev, __FILE__, __LINE__);
1471 }
1472
1473 /**
1474  * Creates a new sequence number, emitting a write of it to the status page
1475  * plus an interrupt, which will trigger i915_user_interrupt_handler.
1476  *
1477  * Must be called with struct_lock held.
1478  *
1479  * Returned sequence numbers are nonzero on success.
1480  */
1481 static uint32_t
1482 i915_add_request(struct drm_device *dev, struct drm_file *file_priv,
1483                  uint32_t flush_domains)
1484 {
1485         drm_i915_private_t *dev_priv = dev->dev_private;
1486         struct drm_i915_file_private *i915_file_priv = NULL;
1487         struct drm_i915_gem_request *request;
1488         uint32_t seqno;
1489         int was_empty;
1490         RING_LOCALS;
1491
1492         if (file_priv != NULL)
1493                 i915_file_priv = file_priv->driver_priv;
1494
1495         request = kzalloc(sizeof(*request), GFP_KERNEL);
1496         if (request == NULL)
1497                 return 0;
1498
1499         /* Grab the seqno we're going to make this request be, and bump the
1500          * next (skipping 0 so it can be the reserved no-seqno value).
1501          */
1502         seqno = dev_priv->mm.next_gem_seqno;
1503         dev_priv->mm.next_gem_seqno++;
1504         if (dev_priv->mm.next_gem_seqno == 0)
1505                 dev_priv->mm.next_gem_seqno++;
1506
1507         BEGIN_LP_RING(4);
1508         OUT_RING(MI_STORE_DWORD_INDEX);
1509         OUT_RING(I915_GEM_HWS_INDEX << MI_STORE_DWORD_INDEX_SHIFT);
1510         OUT_RING(seqno);
1511
1512         OUT_RING(MI_USER_INTERRUPT);
1513         ADVANCE_LP_RING();
1514
1515         DRM_DEBUG("%d\n", seqno);
1516
1517         request->seqno = seqno;
1518         request->emitted_jiffies = jiffies;
1519         was_empty = list_empty(&dev_priv->mm.request_list);
1520         list_add_tail(&request->list, &dev_priv->mm.request_list);
1521         if (i915_file_priv) {
1522                 list_add_tail(&request->client_list,
1523                               &i915_file_priv->mm.request_list);
1524         } else {
1525                 INIT_LIST_HEAD(&request->client_list);
1526         }
1527
1528         /* Associate any objects on the flushing list matching the write
1529          * domain we're flushing with our flush.
1530          */
1531         if (flush_domains != 0) {
1532                 struct drm_i915_gem_object *obj_priv, *next;
1533
1534                 list_for_each_entry_safe(obj_priv, next,
1535                                          &dev_priv->mm.flushing_list, list) {
1536                         struct drm_gem_object *obj = obj_priv->obj;
1537
1538                         if ((obj->write_domain & flush_domains) ==
1539                             obj->write_domain) {
1540                                 obj->write_domain = 0;
1541                                 i915_gem_object_move_to_active(obj, seqno);
1542                         }
1543                 }
1544
1545         }
1546
1547         if (was_empty && !dev_priv->mm.suspended)
1548                 schedule_delayed_work(&dev_priv->mm.retire_work, HZ);
1549         return seqno;
1550 }
1551
1552 /**
1553  * Command execution barrier
1554  *
1555  * Ensures that all commands in the ring are finished
1556  * before signalling the CPU
1557  */
1558 static uint32_t
1559 i915_retire_commands(struct drm_device *dev)
1560 {
1561         drm_i915_private_t *dev_priv = dev->dev_private;
1562         uint32_t cmd = MI_FLUSH | MI_NO_WRITE_FLUSH;
1563         uint32_t flush_domains = 0;
1564         RING_LOCALS;
1565
1566         /* The sampler always gets flushed on i965 (sigh) */
1567         if (IS_I965G(dev))
1568                 flush_domains |= I915_GEM_DOMAIN_SAMPLER;
1569         BEGIN_LP_RING(2);
1570         OUT_RING(cmd);
1571         OUT_RING(0); /* noop */
1572         ADVANCE_LP_RING();
1573         return flush_domains;
1574 }
1575
1576 /**
1577  * Moves buffers associated only with the given active seqno from the active
1578  * to inactive list, potentially freeing them.
1579  */
1580 static void
1581 i915_gem_retire_request(struct drm_device *dev,
1582                         struct drm_i915_gem_request *request)
1583 {
1584         drm_i915_private_t *dev_priv = dev->dev_private;
1585
1586         /* Move any buffers on the active list that are no longer referenced
1587          * by the ringbuffer to the flushing/inactive lists as appropriate.
1588          */
1589         spin_lock(&dev_priv->mm.active_list_lock);
1590         while (!list_empty(&dev_priv->mm.active_list)) {
1591                 struct drm_gem_object *obj;
1592                 struct drm_i915_gem_object *obj_priv;
1593
1594                 obj_priv = list_first_entry(&dev_priv->mm.active_list,
1595                                             struct drm_i915_gem_object,
1596                                             list);
1597                 obj = obj_priv->obj;
1598
1599                 /* If the seqno being retired doesn't match the oldest in the
1600                  * list, then the oldest in the list must still be newer than
1601                  * this seqno.
1602                  */
1603                 if (obj_priv->last_rendering_seqno != request->seqno)
1604                         goto out;
1605
1606 #if WATCH_LRU
1607                 DRM_INFO("%s: retire %d moves to inactive list %p\n",
1608                          __func__, request->seqno, obj);
1609 #endif
1610
1611                 if (obj->write_domain != 0)
1612                         i915_gem_object_move_to_flushing(obj);
1613                 else {
1614                         /* Take a reference on the object so it won't be
1615                          * freed while the spinlock is held.  The list
1616                          * protection for this spinlock is safe when breaking
1617                          * the lock like this since the next thing we do
1618                          * is just get the head of the list again.
1619                          */
1620                         drm_gem_object_reference(obj);
1621                         i915_gem_object_move_to_inactive(obj);
1622                         spin_unlock(&dev_priv->mm.active_list_lock);
1623                         drm_gem_object_unreference(obj);
1624                         spin_lock(&dev_priv->mm.active_list_lock);
1625                 }
1626         }
1627 out:
1628         spin_unlock(&dev_priv->mm.active_list_lock);
1629 }
1630
1631 /**
1632  * Returns true if seq1 is later than seq2.
1633  */
1634 static int
1635 i915_seqno_passed(uint32_t seq1, uint32_t seq2)
1636 {
1637         return (int32_t)(seq1 - seq2) >= 0;
1638 }
1639
1640 uint32_t
1641 i915_get_gem_seqno(struct drm_device *dev)
1642 {
1643         drm_i915_private_t *dev_priv = dev->dev_private;
1644
1645         return READ_HWSP(dev_priv, I915_GEM_HWS_INDEX);
1646 }
1647
1648 /**
1649  * This function clears the request list as sequence numbers are passed.
1650  */
1651 void
1652 i915_gem_retire_requests(struct drm_device *dev)
1653 {
1654         drm_i915_private_t *dev_priv = dev->dev_private;
1655         uint32_t seqno;
1656
1657         if (!dev_priv->hw_status_page)
1658                 return;
1659
1660         seqno = i915_get_gem_seqno(dev);
1661
1662         while (!list_empty(&dev_priv->mm.request_list)) {
1663                 struct drm_i915_gem_request *request;
1664                 uint32_t retiring_seqno;
1665
1666                 request = list_first_entry(&dev_priv->mm.request_list,
1667                                            struct drm_i915_gem_request,
1668                                            list);
1669                 retiring_seqno = request->seqno;
1670
1671                 if (i915_seqno_passed(seqno, retiring_seqno) ||
1672                     dev_priv->mm.wedged) {
1673                         i915_gem_retire_request(dev, request);
1674
1675                         list_del(&request->list);
1676                         list_del(&request->client_list);
1677                         kfree(request);
1678                 } else
1679                         break;
1680         }
1681 }
1682
1683 void
1684 i915_gem_retire_work_handler(struct work_struct *work)
1685 {
1686         drm_i915_private_t *dev_priv;
1687         struct drm_device *dev;
1688
1689         dev_priv = container_of(work, drm_i915_private_t,
1690                                 mm.retire_work.work);
1691         dev = dev_priv->dev;
1692
1693         mutex_lock(&dev->struct_mutex);
1694         i915_gem_retire_requests(dev);
1695         if (!dev_priv->mm.suspended &&
1696             !list_empty(&dev_priv->mm.request_list))
1697                 schedule_delayed_work(&dev_priv->mm.retire_work, HZ);
1698         mutex_unlock(&dev->struct_mutex);
1699 }
1700
1701 /**
1702  * Waits for a sequence number to be signaled, and cleans up the
1703  * request and object lists appropriately for that event.
1704  */
1705 static int
1706 i915_wait_request(struct drm_device *dev, uint32_t seqno)
1707 {
1708         drm_i915_private_t *dev_priv = dev->dev_private;
1709         u32 ier;
1710         int ret = 0;
1711
1712         BUG_ON(seqno == 0);
1713
1714         if (!i915_seqno_passed(i915_get_gem_seqno(dev), seqno)) {
1715                 if (IS_IGDNG(dev))
1716                         ier = I915_READ(DEIER) | I915_READ(GTIER);
1717                 else
1718                         ier = I915_READ(IER);
1719                 if (!ier) {
1720                         DRM_ERROR("something (likely vbetool) disabled "
1721                                   "interrupts, re-enabling\n");
1722                         i915_driver_irq_preinstall(dev);
1723                         i915_driver_irq_postinstall(dev);
1724                 }
1725
1726                 dev_priv->mm.waiting_gem_seqno = seqno;
1727                 i915_user_irq_get(dev);
1728                 ret = wait_event_interruptible(dev_priv->irq_queue,
1729                                                i915_seqno_passed(i915_get_gem_seqno(dev),
1730                                                                  seqno) ||
1731                                                dev_priv->mm.wedged);
1732                 i915_user_irq_put(dev);
1733                 dev_priv->mm.waiting_gem_seqno = 0;
1734         }
1735         if (dev_priv->mm.wedged)
1736                 ret = -EIO;
1737
1738         if (ret && ret != -ERESTARTSYS)
1739                 DRM_ERROR("%s returns %d (awaiting %d at %d)\n",
1740                           __func__, ret, seqno, i915_get_gem_seqno(dev));
1741
1742         /* Directly dispatch request retiring.  While we have the work queue
1743          * to handle this, the waiter on a request often wants an associated
1744          * buffer to have made it to the inactive list, and we would need
1745          * a separate wait queue to handle that.
1746          */
1747         if (ret == 0)
1748                 i915_gem_retire_requests(dev);
1749
1750         return ret;
1751 }
1752
1753 static void
1754 i915_gem_flush(struct drm_device *dev,
1755                uint32_t invalidate_domains,
1756                uint32_t flush_domains)
1757 {
1758         drm_i915_private_t *dev_priv = dev->dev_private;
1759         uint32_t cmd;
1760         RING_LOCALS;
1761
1762 #if WATCH_EXEC
1763         DRM_INFO("%s: invalidate %08x flush %08x\n", __func__,
1764                   invalidate_domains, flush_domains);
1765 #endif
1766
1767         if (flush_domains & I915_GEM_DOMAIN_CPU)
1768                 drm_agp_chipset_flush(dev);
1769
1770         if ((invalidate_domains | flush_domains) & I915_GEM_GPU_DOMAINS) {
1771                 /*
1772                  * read/write caches:
1773                  *
1774                  * I915_GEM_DOMAIN_RENDER is always invalidated, but is
1775                  * only flushed if MI_NO_WRITE_FLUSH is unset.  On 965, it is
1776                  * also flushed at 2d versus 3d pipeline switches.
1777                  *
1778                  * read-only caches:
1779                  *
1780                  * I915_GEM_DOMAIN_SAMPLER is flushed on pre-965 if
1781                  * MI_READ_FLUSH is set, and is always flushed on 965.
1782                  *
1783                  * I915_GEM_DOMAIN_COMMAND may not exist?
1784                  *
1785                  * I915_GEM_DOMAIN_INSTRUCTION, which exists on 965, is
1786                  * invalidated when MI_EXE_FLUSH is set.
1787                  *
1788                  * I915_GEM_DOMAIN_VERTEX, which exists on 965, is
1789                  * invalidated with every MI_FLUSH.
1790                  *
1791                  * TLBs:
1792                  *
1793                  * On 965, TLBs associated with I915_GEM_DOMAIN_COMMAND
1794                  * and I915_GEM_DOMAIN_CPU in are invalidated at PTE write and
1795                  * I915_GEM_DOMAIN_RENDER and I915_GEM_DOMAIN_SAMPLER
1796                  * are flushed at any MI_FLUSH.
1797                  */
1798
1799                 cmd = MI_FLUSH | MI_NO_WRITE_FLUSH;
1800                 if ((invalidate_domains|flush_domains) &
1801                     I915_GEM_DOMAIN_RENDER)
1802                         cmd &= ~MI_NO_WRITE_FLUSH;
1803                 if (!IS_I965G(dev)) {
1804                         /*
1805                          * On the 965, the sampler cache always gets flushed
1806                          * and this bit is reserved.
1807                          */
1808                         if (invalidate_domains & I915_GEM_DOMAIN_SAMPLER)
1809                                 cmd |= MI_READ_FLUSH;
1810                 }
1811                 if (invalidate_domains & I915_GEM_DOMAIN_INSTRUCTION)
1812                         cmd |= MI_EXE_FLUSH;
1813
1814 #if WATCH_EXEC
1815                 DRM_INFO("%s: queue flush %08x to ring\n", __func__, cmd);
1816 #endif
1817                 BEGIN_LP_RING(2);
1818                 OUT_RING(cmd);
1819                 OUT_RING(0); /* noop */
1820                 ADVANCE_LP_RING();
1821         }
1822 }
1823
1824 /**
1825  * Ensures that all rendering to the object has completed and the object is
1826  * safe to unbind from the GTT or access from the CPU.
1827  */
1828 static int
1829 i915_gem_object_wait_rendering(struct drm_gem_object *obj)
1830 {
1831         struct drm_device *dev = obj->dev;
1832         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1833         int ret;
1834
1835         /* This function only exists to support waiting for existing rendering,
1836          * not for emitting required flushes.
1837          */
1838         BUG_ON((obj->write_domain & I915_GEM_GPU_DOMAINS) != 0);
1839
1840         /* If there is rendering queued on the buffer being evicted, wait for
1841          * it.
1842          */
1843         if (obj_priv->active) {
1844 #if WATCH_BUF
1845                 DRM_INFO("%s: object %p wait for seqno %08x\n",
1846                           __func__, obj, obj_priv->last_rendering_seqno);
1847 #endif
1848                 ret = i915_wait_request(dev, obj_priv->last_rendering_seqno);
1849                 if (ret != 0)
1850                         return ret;
1851         }
1852
1853         return 0;
1854 }
1855
1856 /**
1857  * Unbinds an object from the GTT aperture.
1858  */
1859 int
1860 i915_gem_object_unbind(struct drm_gem_object *obj)
1861 {
1862         struct drm_device *dev = obj->dev;
1863         struct drm_i915_gem_object *obj_priv = obj->driver_private;
1864         loff_t offset;
1865         int ret = 0;
1866
1867 #if WATCH_BUF
1868         DRM_INFO("%s:%d %p\n", __func__, __LINE__, obj);
1869         DRM_INFO("gtt_space %p\n", obj_priv->gtt_space);
1870 #endif
1871         if (obj_priv->gtt_space == NULL)
1872                 return 0;
1873
1874         if (obj_priv->pin_count != 0) {
1875                 DRM_ERROR("Attempting to unbind pinned buffer\n");
1876                 return -EINVAL;
1877         }
1878
1879         /* Move the object to the CPU domain to ensure that
1880          * any possible CPU writes while it's not in the GTT
1881          * are flushed when we go to remap it. This will
1882          * also ensure that all pending GPU writes are finished
1883          * before we unbind.
1884          */
1885         ret = i915_gem_object_set_to_cpu_domain(obj, 1);
1886         if (ret) {
1887                 if (ret != -ERESTARTSYS)
1888                         DRM_ERROR("set_domain failed: %d\n", ret);
1889                 return ret;
1890         }
1891
1892         if (obj_priv->agp_mem != NULL) {
1893                 drm_unbind_agp(obj_priv->agp_mem);
1894                 drm_free_agp(obj_priv->agp_mem, obj->size / PAGE_SIZE);
1895                 obj_priv->agp_mem = NULL;
1896         }
1897
1898         BUG_ON(obj_priv->active);
1899
1900         /* blow away mappings if mapped through GTT */
1901         offset = ((loff_t) obj->map_list.hash.key) << PAGE_SHIFT;
1902         if (dev->dev_mapping)
1903                 unmap_mapping_range(dev->dev_mapping, offset, obj->size, 1);
1904
1905         if (obj_priv->fence_reg != I915_FENCE_REG_NONE)
1906                 i915_gem_clear_fence_reg(obj);
1907
1908         i915_gem_object_put_pages(obj);
1909
1910         if (obj_priv->gtt_space) {
1911                 atomic_dec(&dev->gtt_count);
1912                 atomic_sub(obj->size, &dev->gtt_memory);
1913
1914                 drm_mm_put_block(obj_priv->gtt_space);
1915                 obj_priv->gtt_space = NULL;
1916         }
1917
1918         /* Remove ourselves from the LRU list if present. */
1919         if (!list_empty(&obj_priv->list))
1920                 list_del_init(&obj_priv->list);
1921
1922         return 0;
1923 }
1924
1925 static int
1926 i915_gem_evict_something(struct drm_device *dev)
1927 {
1928         drm_i915_private_t *dev_priv = dev->dev_private;
1929         struct drm_gem_object *obj;
1930         struct drm_i915_gem_object *obj_priv;
1931         int ret = 0;
1932
1933         for (;;) {
1934                 /* If there's an inactive buffer available now, grab it
1935                  * and be done.
1936                  */
1937                 if (!list_empty(&dev_priv->mm.inactive_list)) {
1938                         obj_priv = list_first_entry(&dev_priv->mm.inactive_list,
1939                                                     struct drm_i915_gem_object,
1940                                                     list);
1941                         obj = obj_priv->obj;
1942                         BUG_ON(obj_priv->pin_count != 0);
1943 #if WATCH_LRU
1944                         DRM_INFO("%s: evicting %p\n", __func__, obj);
1945 #endif
1946                         BUG_ON(obj_priv->active);
1947
1948                         /* Wait on the rendering and unbind the buffer. */
1949                         ret = i915_gem_object_unbind(obj);
1950                         break;
1951                 }
1952
1953                 /* If we didn't get anything, but the ring is still processing
1954                  * things, wait for one of those things to finish and hopefully
1955                  * leave us a buffer to evict.
1956                  */
1957                 if (!list_empty(&dev_priv->mm.request_list)) {
1958                         struct drm_i915_gem_request *request;
1959
1960                         request = list_first_entry(&dev_priv->mm.request_list,
1961                                                    struct drm_i915_gem_request,
1962                                                    list);
1963
1964                         ret = i915_wait_request(dev, request->seqno);
1965                         if (ret)
1966                                 break;
1967
1968                         /* if waiting caused an object to become inactive,
1969                          * then loop around and wait for it. Otherwise, we
1970                          * assume that waiting freed and unbound something,
1971                          * so there should now be some space in the GTT
1972                          */
1973                         if (!list_empty(&dev_priv->mm.inactive_list))
1974                                 continue;
1975                         break;
1976                 }
1977
1978                 /* If we didn't have anything on the request list but there
1979                  * are buffers awaiting a flush, emit one and try again.
1980                  * When we wait on it, those buffers waiting for that flush
1981                  * will get moved to inactive.
1982                  */
1983                 if (!list_empty(&dev_priv->mm.flushing_list)) {
1984                         obj_priv = list_first_entry(&dev_priv->mm.flushing_list,
1985                                                     struct drm_i915_gem_object,
1986                                                     list);
1987                         obj = obj_priv->obj;
1988
1989                         i915_gem_flush(dev,
1990                                        obj->write_domain,
1991                                        obj->write_domain);
1992                         i915_add_request(dev, NULL, obj->write_domain);
1993
1994                         obj = NULL;
1995                         continue;
1996                 }
1997
1998                 DRM_ERROR("inactive empty %d request empty %d "
1999                           "flushing empty %d\n",
2000                           list_empty(&dev_priv->mm.inactive_list),
2001                           list_empty(&dev_priv->mm.request_list),
2002                           list_empty(&dev_priv->mm.flushing_list));
2003                 /* If we didn't do any of the above, there's nothing to be done
2004                  * and we just can't fit it in.
2005                  */
2006                 return -ENOSPC;
2007         }
2008         return ret;
2009 }
2010
2011 static int
2012 i915_gem_evict_everything(struct drm_device *dev)
2013 {
2014         int ret;
2015
2016         for (;;) {
2017                 ret = i915_gem_evict_something(dev);
2018                 if (ret != 0)
2019                         break;
2020         }
2021         if (ret == -ENOSPC)
2022                 return 0;
2023         return ret;
2024 }
2025
2026 int
2027 i915_gem_object_get_pages(struct drm_gem_object *obj)
2028 {
2029         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2030         int page_count, i;
2031         struct address_space *mapping;
2032         struct inode *inode;
2033         struct page *page;
2034         int ret;
2035
2036         if (obj_priv->pages_refcount++ != 0)
2037                 return 0;
2038
2039         /* Get the list of pages out of our struct file.  They'll be pinned
2040          * at this point until we release them.
2041          */
2042         page_count = obj->size / PAGE_SIZE;
2043         BUG_ON(obj_priv->pages != NULL);
2044         obj_priv->pages = drm_calloc_large(page_count, sizeof(struct page *));
2045         if (obj_priv->pages == NULL) {
2046                 DRM_ERROR("Faled to allocate page list\n");
2047                 obj_priv->pages_refcount--;
2048                 return -ENOMEM;
2049         }
2050
2051         inode = obj->filp->f_path.dentry->d_inode;
2052         mapping = inode->i_mapping;
2053         for (i = 0; i < page_count; i++) {
2054                 page = read_mapping_page(mapping, i, NULL);
2055                 if (IS_ERR(page)) {
2056                         ret = PTR_ERR(page);
2057                         DRM_ERROR("read_mapping_page failed: %d\n", ret);
2058                         i915_gem_object_put_pages(obj);
2059                         return ret;
2060                 }
2061                 obj_priv->pages[i] = page;
2062         }
2063
2064         if (obj_priv->tiling_mode != I915_TILING_NONE)
2065                 i915_gem_object_do_bit_17_swizzle(obj);
2066
2067         return 0;
2068 }
2069
2070 static void i965_write_fence_reg(struct drm_i915_fence_reg *reg)
2071 {
2072         struct drm_gem_object *obj = reg->obj;
2073         struct drm_device *dev = obj->dev;
2074         drm_i915_private_t *dev_priv = dev->dev_private;
2075         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2076         int regnum = obj_priv->fence_reg;
2077         uint64_t val;
2078
2079         val = (uint64_t)((obj_priv->gtt_offset + obj->size - 4096) &
2080                     0xfffff000) << 32;
2081         val |= obj_priv->gtt_offset & 0xfffff000;
2082         val |= ((obj_priv->stride / 128) - 1) << I965_FENCE_PITCH_SHIFT;
2083         if (obj_priv->tiling_mode == I915_TILING_Y)
2084                 val |= 1 << I965_FENCE_TILING_Y_SHIFT;
2085         val |= I965_FENCE_REG_VALID;
2086
2087         I915_WRITE64(FENCE_REG_965_0 + (regnum * 8), val);
2088 }
2089
2090 static void i915_write_fence_reg(struct drm_i915_fence_reg *reg)
2091 {
2092         struct drm_gem_object *obj = reg->obj;
2093         struct drm_device *dev = obj->dev;
2094         drm_i915_private_t *dev_priv = dev->dev_private;
2095         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2096         int regnum = obj_priv->fence_reg;
2097         int tile_width;
2098         uint32_t fence_reg, val;
2099         uint32_t pitch_val;
2100
2101         if ((obj_priv->gtt_offset & ~I915_FENCE_START_MASK) ||
2102             (obj_priv->gtt_offset & (obj->size - 1))) {
2103                 WARN(1, "%s: object 0x%08x not 1M or size (0x%zx) aligned\n",
2104                      __func__, obj_priv->gtt_offset, obj->size);
2105                 return;
2106         }
2107
2108         if (obj_priv->tiling_mode == I915_TILING_Y &&
2109             HAS_128_BYTE_Y_TILING(dev))
2110                 tile_width = 128;
2111         else
2112                 tile_width = 512;
2113
2114         /* Note: pitch better be a power of two tile widths */
2115         pitch_val = obj_priv->stride / tile_width;
2116         pitch_val = ffs(pitch_val) - 1;
2117
2118         val = obj_priv->gtt_offset;
2119         if (obj_priv->tiling_mode == I915_TILING_Y)
2120                 val |= 1 << I830_FENCE_TILING_Y_SHIFT;
2121         val |= I915_FENCE_SIZE_BITS(obj->size);
2122         val |= pitch_val << I830_FENCE_PITCH_SHIFT;
2123         val |= I830_FENCE_REG_VALID;
2124
2125         if (regnum < 8)
2126                 fence_reg = FENCE_REG_830_0 + (regnum * 4);
2127         else
2128                 fence_reg = FENCE_REG_945_8 + ((regnum - 8) * 4);
2129         I915_WRITE(fence_reg, val);
2130 }
2131
2132 static void i830_write_fence_reg(struct drm_i915_fence_reg *reg)
2133 {
2134         struct drm_gem_object *obj = reg->obj;
2135         struct drm_device *dev = obj->dev;
2136         drm_i915_private_t *dev_priv = dev->dev_private;
2137         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2138         int regnum = obj_priv->fence_reg;
2139         uint32_t val;
2140         uint32_t pitch_val;
2141         uint32_t fence_size_bits;
2142
2143         if ((obj_priv->gtt_offset & ~I830_FENCE_START_MASK) ||
2144             (obj_priv->gtt_offset & (obj->size - 1))) {
2145                 WARN(1, "%s: object 0x%08x not 512K or size aligned\n",
2146                      __func__, obj_priv->gtt_offset);
2147                 return;
2148         }
2149
2150         pitch_val = obj_priv->stride / 128;
2151         pitch_val = ffs(pitch_val) - 1;
2152         WARN_ON(pitch_val > I830_FENCE_MAX_PITCH_VAL);
2153
2154         val = obj_priv->gtt_offset;
2155         if (obj_priv->tiling_mode == I915_TILING_Y)
2156                 val |= 1 << I830_FENCE_TILING_Y_SHIFT;
2157         fence_size_bits = I830_FENCE_SIZE_BITS(obj->size);
2158         WARN_ON(fence_size_bits & ~0x00000f00);
2159         val |= fence_size_bits;
2160         val |= pitch_val << I830_FENCE_PITCH_SHIFT;
2161         val |= I830_FENCE_REG_VALID;
2162
2163         I915_WRITE(FENCE_REG_830_0 + (regnum * 4), val);
2164 }
2165
2166 /**
2167  * i915_gem_object_get_fence_reg - set up a fence reg for an object
2168  * @obj: object to map through a fence reg
2169  *
2170  * When mapping objects through the GTT, userspace wants to be able to write
2171  * to them without having to worry about swizzling if the object is tiled.
2172  *
2173  * This function walks the fence regs looking for a free one for @obj,
2174  * stealing one if it can't find any.
2175  *
2176  * It then sets up the reg based on the object's properties: address, pitch
2177  * and tiling format.
2178  */
2179 int
2180 i915_gem_object_get_fence_reg(struct drm_gem_object *obj)
2181 {
2182         struct drm_device *dev = obj->dev;
2183         struct drm_i915_private *dev_priv = dev->dev_private;
2184         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2185         struct drm_i915_fence_reg *reg = NULL;
2186         struct drm_i915_gem_object *old_obj_priv = NULL;
2187         int i, ret, avail;
2188
2189         switch (obj_priv->tiling_mode) {
2190         case I915_TILING_NONE:
2191                 WARN(1, "allocating a fence for non-tiled object?\n");
2192                 break;
2193         case I915_TILING_X:
2194                 if (!obj_priv->stride)
2195                         return -EINVAL;
2196                 WARN((obj_priv->stride & (512 - 1)),
2197                      "object 0x%08x is X tiled but has non-512B pitch\n",
2198                      obj_priv->gtt_offset);
2199                 break;
2200         case I915_TILING_Y:
2201                 if (!obj_priv->stride)
2202                         return -EINVAL;
2203                 WARN((obj_priv->stride & (128 - 1)),
2204                      "object 0x%08x is Y tiled but has non-128B pitch\n",
2205                      obj_priv->gtt_offset);
2206                 break;
2207         }
2208
2209         /* First try to find a free reg */
2210 try_again:
2211         avail = 0;
2212         for (i = dev_priv->fence_reg_start; i < dev_priv->num_fence_regs; i++) {
2213                 reg = &dev_priv->fence_regs[i];
2214                 if (!reg->obj)
2215                         break;
2216
2217                 old_obj_priv = reg->obj->driver_private;
2218                 if (!old_obj_priv->pin_count)
2219                     avail++;
2220         }
2221
2222         /* None available, try to steal one or wait for a user to finish */
2223         if (i == dev_priv->num_fence_regs) {
2224                 uint32_t seqno = dev_priv->mm.next_gem_seqno;
2225                 loff_t offset;
2226
2227                 if (avail == 0)
2228                         return -ENOSPC;
2229
2230                 for (i = dev_priv->fence_reg_start;
2231                      i < dev_priv->num_fence_regs; i++) {
2232                         uint32_t this_seqno;
2233
2234                         reg = &dev_priv->fence_regs[i];
2235                         old_obj_priv = reg->obj->driver_private;
2236
2237                         if (old_obj_priv->pin_count)
2238                                 continue;
2239
2240                         /* i915 uses fences for GPU access to tiled buffers */
2241                         if (IS_I965G(dev) || !old_obj_priv->active)
2242                                 break;
2243
2244                         /* find the seqno of the first available fence */
2245                         this_seqno = old_obj_priv->last_rendering_seqno;
2246                         if (this_seqno != 0 &&
2247                             reg->obj->write_domain == 0 &&
2248                             i915_seqno_passed(seqno, this_seqno))
2249                                 seqno = this_seqno;
2250                 }
2251
2252                 /*
2253                  * Now things get ugly... we have to wait for one of the
2254                  * objects to finish before trying again.
2255                  */
2256                 if (i == dev_priv->num_fence_regs) {
2257                         if (seqno == dev_priv->mm.next_gem_seqno) {
2258                                 i915_gem_flush(dev,
2259                                                I915_GEM_GPU_DOMAINS,
2260                                                I915_GEM_GPU_DOMAINS);
2261                                 seqno = i915_add_request(dev, NULL,
2262                                                          I915_GEM_GPU_DOMAINS);
2263                                 if (seqno == 0)
2264                                         return -ENOMEM;
2265                         }
2266
2267                         ret = i915_wait_request(dev, seqno);
2268                         if (ret)
2269                                 return ret;
2270                         goto try_again;
2271                 }
2272
2273                 /*
2274                  * Zap this virtual mapping so we can set up a fence again
2275                  * for this object next time we need it.
2276                  */
2277                 offset = ((loff_t) reg->obj->map_list.hash.key) << PAGE_SHIFT;
2278                 if (dev->dev_mapping)
2279                         unmap_mapping_range(dev->dev_mapping, offset,
2280                                             reg->obj->size, 1);
2281                 old_obj_priv->fence_reg = I915_FENCE_REG_NONE;
2282         }
2283
2284         obj_priv->fence_reg = i;
2285         reg->obj = obj;
2286
2287         if (IS_I965G(dev))
2288                 i965_write_fence_reg(reg);
2289         else if (IS_I9XX(dev))
2290                 i915_write_fence_reg(reg);
2291         else
2292                 i830_write_fence_reg(reg);
2293
2294         return 0;
2295 }
2296
2297 /**
2298  * i915_gem_clear_fence_reg - clear out fence register info
2299  * @obj: object to clear
2300  *
2301  * Zeroes out the fence register itself and clears out the associated
2302  * data structures in dev_priv and obj_priv.
2303  */
2304 static void
2305 i915_gem_clear_fence_reg(struct drm_gem_object *obj)
2306 {
2307         struct drm_device *dev = obj->dev;
2308         drm_i915_private_t *dev_priv = dev->dev_private;
2309         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2310
2311         if (IS_I965G(dev))
2312                 I915_WRITE64(FENCE_REG_965_0 + (obj_priv->fence_reg * 8), 0);
2313         else {
2314                 uint32_t fence_reg;
2315
2316                 if (obj_priv->fence_reg < 8)
2317                         fence_reg = FENCE_REG_830_0 + obj_priv->fence_reg * 4;
2318                 else
2319                         fence_reg = FENCE_REG_945_8 + (obj_priv->fence_reg -
2320                                                        8) * 4;
2321
2322                 I915_WRITE(fence_reg, 0);
2323         }
2324
2325         dev_priv->fence_regs[obj_priv->fence_reg].obj = NULL;
2326         obj_priv->fence_reg = I915_FENCE_REG_NONE;
2327 }
2328
2329 /**
2330  * i915_gem_object_put_fence_reg - waits on outstanding fenced access
2331  * to the buffer to finish, and then resets the fence register.
2332  * @obj: tiled object holding a fence register.
2333  *
2334  * Zeroes out the fence register itself and clears out the associated
2335  * data structures in dev_priv and obj_priv.
2336  */
2337 int
2338 i915_gem_object_put_fence_reg(struct drm_gem_object *obj)
2339 {
2340         struct drm_device *dev = obj->dev;
2341         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2342
2343         if (obj_priv->fence_reg == I915_FENCE_REG_NONE)
2344                 return 0;
2345
2346         /* On the i915, GPU access to tiled buffers is via a fence,
2347          * therefore we must wait for any outstanding access to complete
2348          * before clearing the fence.
2349          */
2350         if (!IS_I965G(dev)) {
2351                 int ret;
2352
2353                 i915_gem_object_flush_gpu_write_domain(obj);
2354                 i915_gem_object_flush_gtt_write_domain(obj);
2355                 ret = i915_gem_object_wait_rendering(obj);
2356                 if (ret != 0)
2357                         return ret;
2358         }
2359
2360         i915_gem_clear_fence_reg (obj);
2361
2362         return 0;
2363 }
2364
2365 /**
2366  * Finds free space in the GTT aperture and binds the object there.
2367  */
2368 static int
2369 i915_gem_object_bind_to_gtt(struct drm_gem_object *obj, unsigned alignment)
2370 {
2371         struct drm_device *dev = obj->dev;
2372         drm_i915_private_t *dev_priv = dev->dev_private;
2373         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2374         struct drm_mm_node *free_space;
2375         int page_count, ret;
2376
2377         if (dev_priv->mm.suspended)
2378                 return -EBUSY;
2379         if (alignment == 0)
2380                 alignment = i915_gem_get_gtt_alignment(obj);
2381         if (alignment & (i915_gem_get_gtt_alignment(obj) - 1)) {
2382                 DRM_ERROR("Invalid object alignment requested %u\n", alignment);
2383                 return -EINVAL;
2384         }
2385
2386  search_free:
2387         free_space = drm_mm_search_free(&dev_priv->mm.gtt_space,
2388                                         obj->size, alignment, 0);
2389         if (free_space != NULL) {
2390                 obj_priv->gtt_space = drm_mm_get_block(free_space, obj->size,
2391                                                        alignment);
2392                 if (obj_priv->gtt_space != NULL) {
2393                         obj_priv->gtt_space->private = obj;
2394                         obj_priv->gtt_offset = obj_priv->gtt_space->start;
2395                 }
2396         }
2397         if (obj_priv->gtt_space == NULL) {
2398                 bool lists_empty;
2399
2400                 /* If the gtt is empty and we're still having trouble
2401                  * fitting our object in, we're out of memory.
2402                  */
2403 #if WATCH_LRU
2404                 DRM_INFO("%s: GTT full, evicting something\n", __func__);
2405 #endif
2406                 spin_lock(&dev_priv->mm.active_list_lock);
2407                 lists_empty = (list_empty(&dev_priv->mm.inactive_list) &&
2408                                list_empty(&dev_priv->mm.flushing_list) &&
2409                                list_empty(&dev_priv->mm.active_list));
2410                 spin_unlock(&dev_priv->mm.active_list_lock);
2411                 if (lists_empty) {
2412                         DRM_ERROR("GTT full, but LRU list empty\n");
2413                         return -ENOSPC;
2414                 }
2415
2416                 ret = i915_gem_evict_something(dev);
2417                 if (ret != 0) {
2418                         if (ret != -ERESTARTSYS)
2419                                 DRM_ERROR("Failed to evict a buffer %d\n", ret);
2420                         return ret;
2421                 }
2422                 goto search_free;
2423         }
2424
2425 #if WATCH_BUF
2426         DRM_INFO("Binding object of size %zd at 0x%08x\n",
2427                  obj->size, obj_priv->gtt_offset);
2428 #endif
2429         ret = i915_gem_object_get_pages(obj);
2430         if (ret) {
2431                 drm_mm_put_block(obj_priv->gtt_space);
2432                 obj_priv->gtt_space = NULL;
2433                 return ret;
2434         }
2435
2436         page_count = obj->size / PAGE_SIZE;
2437         /* Create an AGP memory structure pointing at our pages, and bind it
2438          * into the GTT.
2439          */
2440         obj_priv->agp_mem = drm_agp_bind_pages(dev,
2441                                                obj_priv->pages,
2442                                                page_count,
2443                                                obj_priv->gtt_offset,
2444                                                obj_priv->agp_type);
2445         if (obj_priv->agp_mem == NULL) {
2446                 i915_gem_object_put_pages(obj);
2447                 drm_mm_put_block(obj_priv->gtt_space);
2448                 obj_priv->gtt_space = NULL;
2449                 return -ENOMEM;
2450         }
2451         atomic_inc(&dev->gtt_count);
2452         atomic_add(obj->size, &dev->gtt_memory);
2453
2454         /* Assert that the object is not currently in any GPU domain. As it
2455          * wasn't in the GTT, there shouldn't be any way it could have been in
2456          * a GPU cache
2457          */
2458         BUG_ON(obj->read_domains & I915_GEM_GPU_DOMAINS);
2459         BUG_ON(obj->write_domain & I915_GEM_GPU_DOMAINS);
2460
2461         return 0;
2462 }
2463
2464 void
2465 i915_gem_clflush_object(struct drm_gem_object *obj)
2466 {
2467         struct drm_i915_gem_object      *obj_priv = obj->driver_private;
2468
2469         /* If we don't have a page list set up, then we're not pinned
2470          * to GPU, and we can ignore the cache flush because it'll happen
2471          * again at bind time.
2472          */
2473         if (obj_priv->pages == NULL)
2474                 return;
2475
2476         /* XXX: The 865 in particular appears to be weird in how it handles
2477          * cache flushing.  We haven't figured it out, but the
2478          * clflush+agp_chipset_flush doesn't appear to successfully get the
2479          * data visible to the PGU, while wbinvd + agp_chipset_flush does.
2480          */
2481         if (IS_I865G(obj->dev)) {
2482                 wbinvd();
2483                 return;
2484         }
2485
2486         drm_clflush_pages(obj_priv->pages, obj->size / PAGE_SIZE);
2487 }
2488
2489 /** Flushes any GPU write domain for the object if it's dirty. */
2490 static void
2491 i915_gem_object_flush_gpu_write_domain(struct drm_gem_object *obj)
2492 {
2493         struct drm_device *dev = obj->dev;
2494         uint32_t seqno;
2495
2496         if ((obj->write_domain & I915_GEM_GPU_DOMAINS) == 0)
2497                 return;
2498
2499         /* Queue the GPU write cache flushing we need. */
2500         i915_gem_flush(dev, 0, obj->write_domain);
2501         seqno = i915_add_request(dev, NULL, obj->write_domain);
2502         obj->write_domain = 0;
2503         i915_gem_object_move_to_active(obj, seqno);
2504 }
2505
2506 /** Flushes the GTT write domain for the object if it's dirty. */
2507 static void
2508 i915_gem_object_flush_gtt_write_domain(struct drm_gem_object *obj)
2509 {
2510         if (obj->write_domain != I915_GEM_DOMAIN_GTT)
2511                 return;
2512
2513         /* No actual flushing is required for the GTT write domain.   Writes
2514          * to it immediately go to main memory as far as we know, so there's
2515          * no chipset flush.  It also doesn't land in render cache.
2516          */
2517         obj->write_domain = 0;
2518 }
2519
2520 /** Flushes the CPU write domain for the object if it's dirty. */
2521 static void
2522 i915_gem_object_flush_cpu_write_domain(struct drm_gem_object *obj)
2523 {
2524         struct drm_device *dev = obj->dev;
2525
2526         if (obj->write_domain != I915_GEM_DOMAIN_CPU)
2527                 return;
2528
2529         i915_gem_clflush_object(obj);
2530         drm_agp_chipset_flush(dev);
2531         obj->write_domain = 0;
2532 }
2533
2534 /**
2535  * Moves a single object to the GTT read, and possibly write domain.
2536  *
2537  * This function returns when the move is complete, including waiting on
2538  * flushes to occur.
2539  */
2540 int
2541 i915_gem_object_set_to_gtt_domain(struct drm_gem_object *obj, int write)
2542 {
2543         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2544         int ret;
2545
2546         /* Not valid to be called on unbound objects. */
2547         if (obj_priv->gtt_space == NULL)
2548                 return -EINVAL;
2549
2550         i915_gem_object_flush_gpu_write_domain(obj);
2551         /* Wait on any GPU rendering and flushing to occur. */
2552         ret = i915_gem_object_wait_rendering(obj);
2553         if (ret != 0)
2554                 return ret;
2555
2556         /* If we're writing through the GTT domain, then CPU and GPU caches
2557          * will need to be invalidated at next use.
2558          */
2559         if (write)
2560                 obj->read_domains &= I915_GEM_DOMAIN_GTT;
2561
2562         i915_gem_object_flush_cpu_write_domain(obj);
2563
2564         /* It should now be out of any other write domains, and we can update
2565          * the domain values for our changes.
2566          */
2567         BUG_ON((obj->write_domain & ~I915_GEM_DOMAIN_GTT) != 0);
2568         obj->read_domains |= I915_GEM_DOMAIN_GTT;
2569         if (write) {
2570                 obj->write_domain = I915_GEM_DOMAIN_GTT;
2571                 obj_priv->dirty = 1;
2572         }
2573
2574         return 0;
2575 }
2576
2577 /**
2578  * Moves a single object to the CPU read, and possibly write domain.
2579  *
2580  * This function returns when the move is complete, including waiting on
2581  * flushes to occur.
2582  */
2583 static int
2584 i915_gem_object_set_to_cpu_domain(struct drm_gem_object *obj, int write)
2585 {
2586         int ret;
2587
2588         i915_gem_object_flush_gpu_write_domain(obj);
2589         /* Wait on any GPU rendering and flushing to occur. */
2590         ret = i915_gem_object_wait_rendering(obj);
2591         if (ret != 0)
2592                 return ret;
2593
2594         i915_gem_object_flush_gtt_write_domain(obj);
2595
2596         /* If we have a partially-valid cache of the object in the CPU,
2597          * finish invalidating it and free the per-page flags.
2598          */
2599         i915_gem_object_set_to_full_cpu_read_domain(obj);
2600
2601         /* Flush the CPU cache if it's still invalid. */
2602         if ((obj->read_domains & I915_GEM_DOMAIN_CPU) == 0) {
2603                 i915_gem_clflush_object(obj);
2604
2605                 obj->read_domains |= I915_GEM_DOMAIN_CPU;
2606         }
2607
2608         /* It should now be out of any other write domains, and we can update
2609          * the domain values for our changes.
2610          */
2611         BUG_ON((obj->write_domain & ~I915_GEM_DOMAIN_CPU) != 0);
2612
2613         /* If we're writing through the CPU, then the GPU read domains will
2614          * need to be invalidated at next use.
2615          */
2616         if (write) {
2617                 obj->read_domains &= I915_GEM_DOMAIN_CPU;
2618                 obj->write_domain = I915_GEM_DOMAIN_CPU;
2619         }
2620
2621         return 0;
2622 }
2623
2624 /*
2625  * Set the next domain for the specified object. This
2626  * may not actually perform the necessary flushing/invaliding though,
2627  * as that may want to be batched with other set_domain operations
2628  *
2629  * This is (we hope) the only really tricky part of gem. The goal
2630  * is fairly simple -- track which caches hold bits of the object
2631  * and make sure they remain coherent. A few concrete examples may
2632  * help to explain how it works. For shorthand, we use the notation
2633  * (read_domains, write_domain), e.g. (CPU, CPU) to indicate the
2634  * a pair of read and write domain masks.
2635  *
2636  * Case 1: the batch buffer
2637  *
2638  *      1. Allocated
2639  *      2. Written by CPU
2640  *      3. Mapped to GTT
2641  *      4. Read by GPU
2642  *      5. Unmapped from GTT
2643  *      6. Freed
2644  *
2645  *      Let's take these a step at a time
2646  *
2647  *      1. Allocated
2648  *              Pages allocated from the kernel may still have
2649  *              cache contents, so we set them to (CPU, CPU) always.
2650  *      2. Written by CPU (using pwrite)
2651  *              The pwrite function calls set_domain (CPU, CPU) and
2652  *              this function does nothing (as nothing changes)
2653  *      3. Mapped by GTT
2654  *              This function asserts that the object is not
2655  *              currently in any GPU-based read or write domains
2656  *      4. Read by GPU
2657  *              i915_gem_execbuffer calls set_domain (COMMAND, 0).
2658  *              As write_domain is zero, this function adds in the
2659  *              current read domains (CPU+COMMAND, 0).
2660  *              flush_domains is set to CPU.
2661  *              invalidate_domains is set to COMMAND
2662  *              clflush is run to get data out of the CPU caches
2663  *              then i915_dev_set_domain calls i915_gem_flush to
2664  *              emit an MI_FLUSH and drm_agp_chipset_flush
2665  *      5. Unmapped from GTT
2666  *              i915_gem_object_unbind calls set_domain (CPU, CPU)
2667  *              flush_domains and invalidate_domains end up both zero
2668  *              so no flushing/invalidating happens
2669  *      6. Freed
2670  *              yay, done
2671  *
2672  * Case 2: The shared render buffer
2673  *
2674  *      1. Allocated
2675  *      2. Mapped to GTT
2676  *      3. Read/written by GPU
2677  *      4. set_domain to (CPU,CPU)
2678  *      5. Read/written by CPU
2679  *      6. Read/written by GPU
2680  *
2681  *      1. Allocated
2682  *              Same as last example, (CPU, CPU)
2683  *      2. Mapped to GTT
2684  *              Nothing changes (assertions find that it is not in the GPU)
2685  *      3. Read/written by GPU
2686  *              execbuffer calls set_domain (RENDER, RENDER)
2687  *              flush_domains gets CPU
2688  *              invalidate_domains gets GPU
2689  *              clflush (obj)
2690  *              MI_FLUSH and drm_agp_chipset_flush
2691  *      4. set_domain (CPU, CPU)
2692  *              flush_domains gets GPU
2693  *              invalidate_domains gets CPU
2694  *              wait_rendering (obj) to make sure all drawing is complete.
2695  *              This will include an MI_FLUSH to get the data from GPU
2696  *              to memory
2697  *              clflush (obj) to invalidate the CPU cache
2698  *              Another MI_FLUSH in i915_gem_flush (eliminate this somehow?)
2699  *      5. Read/written by CPU
2700  *              cache lines are loaded and dirtied
2701  *      6. Read written by GPU
2702  *              Same as last GPU access
2703  *
2704  * Case 3: The constant buffer
2705  *
2706  *      1. Allocated
2707  *      2. Written by CPU
2708  *      3. Read by GPU
2709  *      4. Updated (written) by CPU again
2710  *      5. Read by GPU
2711  *
2712  *      1. Allocated
2713  *              (CPU, CPU)
2714  *      2. Written by CPU
2715  *              (CPU, CPU)
2716  *      3. Read by GPU
2717  *              (CPU+RENDER, 0)
2718  *              flush_domains = CPU
2719  *              invalidate_domains = RENDER
2720  *              clflush (obj)
2721  *              MI_FLUSH
2722  *              drm_agp_chipset_flush
2723  *      4. Updated (written) by CPU again
2724  *              (CPU, CPU)
2725  *              flush_domains = 0 (no previous write domain)
2726  *              invalidate_domains = 0 (no new read domains)
2727  *      5. Read by GPU
2728  *              (CPU+RENDER, 0)
2729  *              flush_domains = CPU
2730  *              invalidate_domains = RENDER
2731  *              clflush (obj)
2732  *              MI_FLUSH
2733  *              drm_agp_chipset_flush
2734  */
2735 static void
2736 i915_gem_object_set_to_gpu_domain(struct drm_gem_object *obj)
2737 {
2738         struct drm_device               *dev = obj->dev;
2739         struct drm_i915_gem_object      *obj_priv = obj->driver_private;
2740         uint32_t                        invalidate_domains = 0;
2741         uint32_t                        flush_domains = 0;
2742
2743         BUG_ON(obj->pending_read_domains & I915_GEM_DOMAIN_CPU);
2744         BUG_ON(obj->pending_write_domain == I915_GEM_DOMAIN_CPU);
2745
2746 #if WATCH_BUF
2747         DRM_INFO("%s: object %p read %08x -> %08x write %08x -> %08x\n",
2748                  __func__, obj,
2749                  obj->read_domains, obj->pending_read_domains,
2750                  obj->write_domain, obj->pending_write_domain);
2751 #endif
2752         /*
2753          * If the object isn't moving to a new write domain,
2754          * let the object stay in multiple read domains
2755          */
2756         if (obj->pending_write_domain == 0)
2757                 obj->pending_read_domains |= obj->read_domains;
2758         else
2759                 obj_priv->dirty = 1;
2760
2761         /*
2762          * Flush the current write domain if
2763          * the new read domains don't match. Invalidate
2764          * any read domains which differ from the old
2765          * write domain
2766          */
2767         if (obj->write_domain &&
2768             obj->write_domain != obj->pending_read_domains) {
2769                 flush_domains |= obj->write_domain;
2770                 invalidate_domains |=
2771                         obj->pending_read_domains & ~obj->write_domain;
2772         }
2773         /*
2774          * Invalidate any read caches which may have
2775          * stale data. That is, any new read domains.
2776          */
2777         invalidate_domains |= obj->pending_read_domains & ~obj->read_domains;
2778         if ((flush_domains | invalidate_domains) & I915_GEM_DOMAIN_CPU) {
2779 #if WATCH_BUF
2780                 DRM_INFO("%s: CPU domain flush %08x invalidate %08x\n",
2781                          __func__, flush_domains, invalidate_domains);
2782 #endif
2783                 i915_gem_clflush_object(obj);
2784         }
2785
2786         /* The actual obj->write_domain will be updated with
2787          * pending_write_domain after we emit the accumulated flush for all
2788          * of our domain changes in execbuffers (which clears objects'
2789          * write_domains).  So if we have a current write domain that we
2790          * aren't changing, set pending_write_domain to that.
2791          */
2792         if (flush_domains == 0 && obj->pending_write_domain == 0)
2793                 obj->pending_write_domain = obj->write_domain;
2794         obj->read_domains = obj->pending_read_domains;
2795
2796         dev->invalidate_domains |= invalidate_domains;
2797         dev->flush_domains |= flush_domains;
2798 #if WATCH_BUF
2799         DRM_INFO("%s: read %08x write %08x invalidate %08x flush %08x\n",
2800                  __func__,
2801                  obj->read_domains, obj->write_domain,
2802                  dev->invalidate_domains, dev->flush_domains);
2803 #endif
2804 }
2805
2806 /**
2807  * Moves the object from a partially CPU read to a full one.
2808  *
2809  * Note that this only resolves i915_gem_object_set_cpu_read_domain_range(),
2810  * and doesn't handle transitioning from !(read_domains & I915_GEM_DOMAIN_CPU).
2811  */
2812 static void
2813 i915_gem_object_set_to_full_cpu_read_domain(struct drm_gem_object *obj)
2814 {
2815         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2816
2817         if (!obj_priv->page_cpu_valid)
2818                 return;
2819
2820         /* If we're partially in the CPU read domain, finish moving it in.
2821          */
2822         if (obj->read_domains & I915_GEM_DOMAIN_CPU) {
2823                 int i;
2824
2825                 for (i = 0; i <= (obj->size - 1) / PAGE_SIZE; i++) {
2826                         if (obj_priv->page_cpu_valid[i])
2827                                 continue;
2828                         drm_clflush_pages(obj_priv->pages + i, 1);
2829                 }
2830         }
2831
2832         /* Free the page_cpu_valid mappings which are now stale, whether
2833          * or not we've got I915_GEM_DOMAIN_CPU.
2834          */
2835         kfree(obj_priv->page_cpu_valid);
2836         obj_priv->page_cpu_valid = NULL;
2837 }
2838
2839 /**
2840  * Set the CPU read domain on a range of the object.
2841  *
2842  * The object ends up with I915_GEM_DOMAIN_CPU in its read flags although it's
2843  * not entirely valid.  The page_cpu_valid member of the object flags which
2844  * pages have been flushed, and will be respected by
2845  * i915_gem_object_set_to_cpu_domain() if it's called on to get a valid mapping
2846  * of the whole object.
2847  *
2848  * This function returns when the move is complete, including waiting on
2849  * flushes to occur.
2850  */
2851 static int
2852 i915_gem_object_set_cpu_read_domain_range(struct drm_gem_object *obj,
2853                                           uint64_t offset, uint64_t size)
2854 {
2855         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2856         int i, ret;
2857
2858         if (offset == 0 && size == obj->size)
2859                 return i915_gem_object_set_to_cpu_domain(obj, 0);
2860
2861         i915_gem_object_flush_gpu_write_domain(obj);
2862         /* Wait on any GPU rendering and flushing to occur. */
2863         ret = i915_gem_object_wait_rendering(obj);
2864         if (ret != 0)
2865                 return ret;
2866         i915_gem_object_flush_gtt_write_domain(obj);
2867
2868         /* If we're already fully in the CPU read domain, we're done. */
2869         if (obj_priv->page_cpu_valid == NULL &&
2870             (obj->read_domains & I915_GEM_DOMAIN_CPU) != 0)
2871                 return 0;
2872
2873         /* Otherwise, create/clear the per-page CPU read domain flag if we're
2874          * newly adding I915_GEM_DOMAIN_CPU
2875          */
2876         if (obj_priv->page_cpu_valid == NULL) {
2877                 obj_priv->page_cpu_valid = kzalloc(obj->size / PAGE_SIZE,
2878                                                    GFP_KERNEL);
2879                 if (obj_priv->page_cpu_valid == NULL)
2880                         return -ENOMEM;
2881         } else if ((obj->read_domains & I915_GEM_DOMAIN_CPU) == 0)
2882                 memset(obj_priv->page_cpu_valid, 0, obj->size / PAGE_SIZE);
2883
2884         /* Flush the cache on any pages that are still invalid from the CPU's
2885          * perspective.
2886          */
2887         for (i = offset / PAGE_SIZE; i <= (offset + size - 1) / PAGE_SIZE;
2888              i++) {
2889                 if (obj_priv->page_cpu_valid[i])
2890                         continue;
2891
2892                 drm_clflush_pages(obj_priv->pages + i, 1);
2893
2894                 obj_priv->page_cpu_valid[i] = 1;
2895         }
2896
2897         /* It should now be out of any other write domains, and we can update
2898          * the domain values for our changes.
2899          */
2900         BUG_ON((obj->write_domain & ~I915_GEM_DOMAIN_CPU) != 0);
2901
2902         obj->read_domains |= I915_GEM_DOMAIN_CPU;
2903
2904         return 0;
2905 }
2906
2907 /**
2908  * Pin an object to the GTT and evaluate the relocations landing in it.
2909  */
2910 static int
2911 i915_gem_object_pin_and_relocate(struct drm_gem_object *obj,
2912                                  struct drm_file *file_priv,
2913                                  struct drm_i915_gem_exec_object *entry,
2914                                  struct drm_i915_gem_relocation_entry *relocs)
2915 {
2916         struct drm_device *dev = obj->dev;
2917         drm_i915_private_t *dev_priv = dev->dev_private;
2918         struct drm_i915_gem_object *obj_priv = obj->driver_private;
2919         int i, ret;
2920         void __iomem *reloc_page;
2921
2922         /* Choose the GTT offset for our buffer and put it there. */
2923         ret = i915_gem_object_pin(obj, (uint32_t) entry->alignment);
2924         if (ret)
2925                 return ret;
2926
2927         entry->offset = obj_priv->gtt_offset;
2928
2929         /* Apply the relocations, using the GTT aperture to avoid cache
2930          * flushing requirements.
2931          */
2932         for (i = 0; i < entry->relocation_count; i++) {
2933                 struct drm_i915_gem_relocation_entry *reloc= &relocs[i];
2934                 struct drm_gem_object *target_obj;
2935                 struct drm_i915_gem_object *target_obj_priv;
2936                 uint32_t reloc_val, reloc_offset;
2937                 uint32_t __iomem *reloc_entry;
2938
2939                 target_obj = drm_gem_object_lookup(obj->dev, file_priv,
2940                                                    reloc->target_handle);
2941                 if (target_obj == NULL) {
2942                         i915_gem_object_unpin(obj);
2943                         return -EBADF;
2944                 }
2945                 target_obj_priv = target_obj->driver_private;
2946
2947                 /* The target buffer should have appeared before us in the
2948                  * exec_object list, so it should have a GTT space bound by now.
2949                  */
2950                 if (target_obj_priv->gtt_space == NULL) {
2951                         DRM_ERROR("No GTT space found for object %d\n",
2952                                   reloc->target_handle);
2953                         drm_gem_object_unreference(target_obj);
2954                         i915_gem_object_unpin(obj);
2955                         return -EINVAL;
2956                 }
2957
2958                 if (reloc->offset > obj->size - 4) {
2959                         DRM_ERROR("Relocation beyond object bounds: "
2960                                   "obj %p target %d offset %d size %d.\n",
2961                                   obj, reloc->target_handle,
2962                                   (int) reloc->offset, (int) obj->size);
2963                         drm_gem_object_unreference(target_obj);
2964                         i915_gem_object_unpin(obj);
2965                         return -EINVAL;
2966                 }
2967                 if (reloc->offset & 3) {
2968                         DRM_ERROR("Relocation not 4-byte aligned: "
2969                                   "obj %p target %d offset %d.\n",
2970                                   obj, reloc->target_handle,
2971                                   (int) reloc->offset);
2972                         drm_gem_object_unreference(target_obj);
2973                         i915_gem_object_unpin(obj);
2974                         return -EINVAL;
2975                 }
2976
2977                 if (reloc->write_domain & I915_GEM_DOMAIN_CPU ||
2978                     reloc->read_domains & I915_GEM_DOMAIN_CPU) {
2979                         DRM_ERROR("reloc with read/write CPU domains: "
2980                                   "obj %p target %d offset %d "
2981                                   "read %08x write %08x",
2982                                   obj, reloc->target_handle,
2983                                   (int) reloc->offset,
2984                                   reloc->read_domains,
2985                                   reloc->write_domain);
2986                         drm_gem_object_unreference(target_obj);
2987                         i915_gem_object_unpin(obj);
2988                         return -EINVAL;
2989                 }
2990
2991                 if (reloc->write_domain && target_obj->pending_write_domain &&
2992                     reloc->write_domain != target_obj->pending_write_domain) {
2993                         DRM_ERROR("Write domain conflict: "
2994                                   "obj %p target %d offset %d "
2995                                   "new %08x old %08x\n",
2996                                   obj, reloc->target_handle,
2997                                   (int) reloc->offset,
2998                                   reloc->write_domain,
2999                                   target_obj->pending_write_domain);
3000                         drm_gem_object_unreference(target_obj);
3001                         i915_gem_object_unpin(obj);
3002                         return -EINVAL;
3003                 }
3004
3005 #if WATCH_RELOC
3006                 DRM_INFO("%s: obj %p offset %08x target %d "
3007                          "read %08x write %08x gtt %08x "
3008                          "presumed %08x delta %08x\n",
3009                          __func__,
3010                          obj,
3011                          (int) reloc->offset,
3012                          (int) reloc->target_handle,
3013                          (int) reloc->read_domains,
3014                          (int) reloc->write_domain,
3015                          (int) target_obj_priv->gtt_offset,
3016                          (int) reloc->presumed_offset,
3017                          reloc->delta);
3018 #endif
3019
3020                 target_obj->pending_read_domains |= reloc->read_domains;
3021                 target_obj->pending_write_domain |= reloc->write_domain;
3022
3023                 /* If the relocation already has the right value in it, no
3024                  * more work needs to be done.
3025                  */
3026                 if (target_obj_priv->gtt_offset == reloc->presumed_offset) {
3027                         drm_gem_object_unreference(target_obj);
3028                         continue;
3029                 }
3030
3031                 ret = i915_gem_object_set_to_gtt_domain(obj, 1);
3032                 if (ret != 0) {
3033                         drm_gem_object_unreference(target_obj);
3034                         i915_gem_object_unpin(obj);
3035                         return -EINVAL;
3036                 }
3037
3038                 /* Map the page containing the relocation we're going to
3039                  * perform.
3040                  */
3041                 reloc_offset = obj_priv->gtt_offset + reloc->offset;
3042                 reloc_page = io_mapping_map_atomic_wc(dev_priv->mm.gtt_mapping,
3043                                                       (reloc_offset &
3044                                                        ~(PAGE_SIZE - 1)));
3045                 reloc_entry = (uint32_t __iomem *)(reloc_page +
3046                                                    (reloc_offset & (PAGE_SIZE - 1)));
3047                 reloc_val = target_obj_priv->gtt_offset + reloc->delta;
3048
3049 #if WATCH_BUF
3050                 DRM_INFO("Applied relocation: %p@0x%08x %08x -> %08x\n",
3051                           obj, (unsigned int) reloc->offset,
3052                           readl(reloc_entry), reloc_val);
3053 #endif
3054                 writel(reloc_val, reloc_entry);
3055                 io_mapping_unmap_atomic(reloc_page);
3056
3057                 /* The updated presumed offset for this entry will be
3058                  * copied back out to the user.
3059                  */
3060                 reloc->presumed_offset = target_obj_priv->gtt_offset;
3061
3062                 drm_gem_object_unreference(target_obj);
3063         }
3064
3065 #if WATCH_BUF
3066         if (0)
3067                 i915_gem_dump_object(obj, 128, __func__, ~0);
3068 #endif
3069         return 0;
3070 }
3071
3072 /** Dispatch a batchbuffer to the ring
3073  */
3074 static int
3075 i915_dispatch_gem_execbuffer(struct drm_device *dev,
3076                               struct drm_i915_gem_execbuffer *exec,
3077                               struct drm_clip_rect *cliprects,
3078                               uint64_t exec_offset)
3079 {
3080         drm_i915_private_t *dev_priv = dev->dev_private;
3081         int nbox = exec->num_cliprects;
3082         int i = 0, count;
3083         uint32_t exec_start, exec_len;
3084         RING_LOCALS;
3085
3086         exec_start = (uint32_t) exec_offset + exec->batch_start_offset;
3087         exec_len = (uint32_t) exec->batch_len;
3088
3089         count = nbox ? nbox : 1;
3090
3091         for (i = 0; i < count; i++) {
3092                 if (i < nbox) {
3093                         int ret = i915_emit_box(dev, cliprects, i,
3094                                                 exec->DR1, exec->DR4);
3095                         if (ret)
3096                                 return ret;
3097                 }
3098
3099                 if (IS_I830(dev) || IS_845G(dev)) {
3100                         BEGIN_LP_RING(4);
3101                         OUT_RING(MI_BATCH_BUFFER);
3102                         OUT_RING(exec_start | MI_BATCH_NON_SECURE);
3103                         OUT_RING(exec_start + exec_len - 4);
3104                         OUT_RING(0);
3105                         ADVANCE_LP_RING();
3106                 } else {
3107                         BEGIN_LP_RING(2);
3108                         if (IS_I965G(dev)) {
3109                                 OUT_RING(MI_BATCH_BUFFER_START |
3110                                          (2 << 6) |
3111                                          MI_BATCH_NON_SECURE_I965);
3112                                 OUT_RING(exec_start);
3113                         } else {
3114                                 OUT_RING(MI_BATCH_BUFFER_START |
3115                                          (2 << 6));
3116                                 OUT_RING(exec_start | MI_BATCH_NON_SECURE);
3117                         }
3118                         ADVANCE_LP_RING();
3119                 }
3120         }
3121
3122         /* XXX breadcrumb */
3123         return 0;
3124 }
3125
3126 /* Throttle our rendering by waiting until the ring has completed our requests
3127  * emitted over 20 msec ago.
3128  *
3129  * Note that if we were to use the current jiffies each time around the loop,
3130  * we wouldn't escape the function with any frames outstanding if the time to
3131  * render a frame was over 20ms.
3132  *
3133  * This should get us reasonable parallelism between CPU and GPU but also
3134  * relatively low latency when blocking on a particular request to finish.
3135  */
3136 static int
3137 i915_gem_ring_throttle(struct drm_device *dev, struct drm_file *file_priv)
3138 {
3139         struct drm_i915_file_private *i915_file_priv = file_priv->driver_priv;
3140         int ret = 0;
3141         unsigned long recent_enough = jiffies - msecs_to_jiffies(20);
3142
3143         mutex_lock(&dev->struct_mutex);
3144         while (!list_empty(&i915_file_priv->mm.request_list)) {
3145                 struct drm_i915_gem_request *request;
3146
3147                 request = list_first_entry(&i915_file_priv->mm.request_list,
3148                                            struct drm_i915_gem_request,
3149                                            client_list);
3150
3151                 if (time_after_eq(request->emitted_jiffies, recent_enough))
3152                         break;
3153
3154                 ret = i915_wait_request(dev, request->seqno);
3155                 if (ret != 0)
3156                         break;
3157         }
3158         mutex_unlock(&dev->struct_mutex);
3159
3160         return ret;
3161 }
3162
3163 static int
3164 i915_gem_get_relocs_from_user(struct drm_i915_gem_exec_object *exec_list,
3165                               uint32_t buffer_count,
3166                               struct drm_i915_gem_relocation_entry **relocs)
3167 {
3168         uint32_t reloc_count = 0, reloc_index = 0, i;
3169         int ret;
3170
3171         *relocs = NULL;
3172         for (i = 0; i < buffer_count; i++) {
3173                 if (reloc_count + exec_list[i].relocation_count < reloc_count)
3174                         return -EINVAL;
3175                 reloc_count += exec_list[i].relocation_count;
3176         }
3177
3178         *relocs = drm_calloc_large(reloc_count, sizeof(**relocs));
3179         if (*relocs == NULL)
3180                 return -ENOMEM;
3181
3182         for (i = 0; i < buffer_count; i++) {
3183                 struct drm_i915_gem_relocation_entry __user *user_relocs;
3184
3185                 user_relocs = (void __user *)(uintptr_t)exec_list[i].relocs_ptr;
3186
3187                 ret = copy_from_user(&(*relocs)[reloc_index],
3188                                      user_relocs,
3189                                      exec_list[i].relocation_count *
3190                                      sizeof(**relocs));
3191                 if (ret != 0) {
3192                         drm_free_large(*relocs);
3193                         *relocs = NULL;
3194                         return -EFAULT;
3195                 }
3196
3197                 reloc_index += exec_list[i].relocation_count;
3198         }
3199
3200         return 0;
3201 }
3202
3203 static int
3204 i915_gem_put_relocs_to_user(struct drm_i915_gem_exec_object *exec_list,
3205                             uint32_t buffer_count,
3206                             struct drm_i915_gem_relocation_entry *relocs)
3207 {
3208         uint32_t reloc_count = 0, i;
3209         int ret = 0;
3210
3211         for (i = 0; i < buffer_count; i++) {
3212                 struct drm_i915_gem_relocation_entry __user *user_relocs;
3213                 int unwritten;
3214
3215                 user_relocs = (void __user *)(uintptr_t)exec_list[i].relocs_ptr;
3216
3217                 unwritten = copy_to_user(user_relocs,
3218                                          &relocs[reloc_count],
3219                                          exec_list[i].relocation_count *
3220                                          sizeof(*relocs));
3221
3222                 if (unwritten) {
3223                         ret = -EFAULT;
3224                         goto err;
3225                 }
3226
3227                 reloc_count += exec_list[i].relocation_count;
3228         }
3229
3230 err:
3231         drm_free_large(relocs);
3232
3233         return ret;
3234 }
3235
3236 static int
3237 i915_gem_check_execbuffer (struct drm_i915_gem_execbuffer *exec,
3238                            uint64_t exec_offset)
3239 {
3240         uint32_t exec_start, exec_len;
3241
3242         exec_start = (uint32_t) exec_offset + exec->batch_start_offset;
3243         exec_len = (uint32_t) exec->batch_len;
3244
3245         if ((exec_start | exec_len) & 0x7)
3246                 return -EINVAL;
3247
3248         if (!exec_start)
3249                 return -EINVAL;
3250
3251         return 0;
3252 }
3253
3254 int
3255 i915_gem_execbuffer(struct drm_device *dev, void *data,
3256                     struct drm_file *file_priv)
3257 {
3258         drm_i915_private_t *dev_priv = dev->dev_private;
3259         struct drm_i915_gem_execbuffer *args = data;
3260         struct drm_i915_gem_exec_object *exec_list = NULL;
3261         struct drm_gem_object **object_list = NULL;
3262         struct drm_gem_object *batch_obj;
3263         struct drm_i915_gem_object *obj_priv;
3264         struct drm_clip_rect *cliprects = NULL;
3265         struct drm_i915_gem_relocation_entry *relocs;
3266         int ret, ret2, i, pinned = 0;
3267         uint64_t exec_offset;
3268         uint32_t seqno, flush_domains, reloc_index;
3269         int pin_tries;
3270
3271 #if WATCH_EXEC
3272         DRM_INFO("buffers_ptr %d buffer_count %d len %08x\n",
3273                   (int) args->buffers_ptr, args->buffer_count, args->batch_len);
3274 #endif
3275
3276         if (args->buffer_count < 1) {
3277                 DRM_ERROR("execbuf with %d buffers\n", args->buffer_count);
3278                 return -EINVAL;
3279         }
3280         /* Copy in the exec list from userland */
3281         exec_list = drm_calloc_large(sizeof(*exec_list), args->buffer_count);
3282         object_list = drm_calloc_large(sizeof(*object_list), args->buffer_count);
3283         if (exec_list == NULL || object_list == NULL) {
3284                 DRM_ERROR("Failed to allocate exec or object list "
3285                           "for %d buffers\n",
3286                           args->buffer_count);
3287                 ret = -ENOMEM;
3288                 goto pre_mutex_err;
3289         }
3290         ret = copy_from_user(exec_list,
3291                              (struct drm_i915_relocation_entry __user *)
3292                              (uintptr_t) args->buffers_ptr,
3293                              sizeof(*exec_list) * args->buffer_count);
3294         if (ret != 0) {
3295                 DRM_ERROR("copy %d exec entries failed %d\n",
3296                           args->buffer_count, ret);
3297                 goto pre_mutex_err;
3298         }
3299
3300         if (args->num_cliprects != 0) {
3301                 cliprects = kcalloc(args->num_cliprects, sizeof(*cliprects),
3302                                     GFP_KERNEL);
3303                 if (cliprects == NULL)
3304                         goto pre_mutex_err;
3305
3306                 ret = copy_from_user(cliprects,
3307                                      (struct drm_clip_rect __user *)
3308                                      (uintptr_t) args->cliprects_ptr,
3309                                      sizeof(*cliprects) * args->num_cliprects);
3310                 if (ret != 0) {
3311                         DRM_ERROR("copy %d cliprects failed: %d\n",
3312                                   args->num_cliprects, ret);
3313                         goto pre_mutex_err;
3314                 }
3315         }
3316
3317         ret = i915_gem_get_relocs_from_user(exec_list, args->buffer_count,
3318                                             &relocs);
3319         if (ret != 0)
3320                 goto pre_mutex_err;
3321
3322         mutex_lock(&dev->struct_mutex);
3323
3324         i915_verify_inactive(dev, __FILE__, __LINE__);
3325
3326         if (dev_priv->mm.wedged) {
3327                 DRM_ERROR("Execbuf while wedged\n");
3328                 mutex_unlock(&dev->struct_mutex);
3329                 ret = -EIO;
3330                 goto pre_mutex_err;
3331         }
3332
3333         if (dev_priv->mm.suspended) {
3334                 DRM_ERROR("Execbuf while VT-switched.\n");
3335                 mutex_unlock(&dev->struct_mutex);
3336                 ret = -EBUSY;
3337                 goto pre_mutex_err;
3338         }
3339
3340         /* Look up object handles */
3341         for (i = 0; i < args->buffer_count; i++) {
3342                 object_list[i] = drm_gem_object_lookup(dev, file_priv,
3343                                                        exec_list[i].handle);
3344                 if (object_list[i] == NULL) {
3345                         DRM_ERROR("Invalid object handle %d at index %d\n",
3346                                    exec_list[i].handle, i);
3347                         ret = -EBADF;
3348                         goto err;
3349                 }
3350
3351                 obj_priv = object_list[i]->driver_private;
3352                 if (obj_priv->in_execbuffer) {
3353                         DRM_ERROR("Object %p appears more than once in object list\n",
3354                                    object_list[i]);
3355                         ret = -EBADF;
3356                         goto err;
3357                 }
3358                 obj_priv->in_execbuffer = true;
3359         }
3360
3361         /* Pin and relocate */
3362         for (pin_tries = 0; ; pin_tries++) {
3363                 ret = 0;
3364                 reloc_index = 0;
3365
3366                 for (i = 0; i < args->buffer_count; i++) {
3367                         object_list[i]->pending_read_domains = 0;
3368                         object_list[i]->pending_write_domain = 0;
3369                         ret = i915_gem_object_pin_and_relocate(object_list[i],
3370                                                                file_priv,
3371                                                                &exec_list[i],
3372                                                                &relocs[reloc_index]);
3373                         if (ret)
3374                                 break;
3375                         pinned = i + 1;
3376                         reloc_index += exec_list[i].relocation_count;
3377                 }
3378                 /* success */
3379                 if (ret == 0)
3380                         break;
3381
3382                 /* error other than GTT full, or we've already tried again */
3383                 if (ret != -ENOSPC || pin_tries >= 1) {
3384                         if (ret != -ERESTARTSYS)
3385                                 DRM_ERROR("Failed to pin buffers %d\n", ret);
3386                         goto err;
3387                 }
3388
3389                 /* unpin all of our buffers */
3390                 for (i = 0; i < pinned; i++)
3391                         i915_gem_object_unpin(object_list[i]);
3392                 pinned = 0;
3393
3394                 /* evict everyone we can from the aperture */
3395                 ret = i915_gem_evict_everything(dev);
3396                 if (ret)
3397                         goto err;
3398         }
3399
3400         /* Set the pending read domains for the batch buffer to COMMAND */
3401         batch_obj = object_list[args->buffer_count-1];
3402         if (batch_obj->pending_write_domain) {
3403                 DRM_ERROR("Attempting to use self-modifying batch buffer\n");
3404                 ret = -EINVAL;
3405                 goto err;
3406         }
3407         batch_obj->pending_read_domains |= I915_GEM_DOMAIN_COMMAND;
3408
3409         /* Sanity check the batch buffer, prior to moving objects */
3410         exec_offset = exec_list[args->buffer_count - 1].offset;
3411         ret = i915_gem_check_execbuffer (args, exec_offset);
3412         if (ret != 0) {
3413                 DRM_ERROR("execbuf with invalid offset/length\n");
3414                 goto err;
3415         }
3416
3417         i915_verify_inactive(dev, __FILE__, __LINE__);
3418
3419         /* Zero the global flush/invalidate flags. These
3420          * will be modified as new domains are computed
3421          * for each object
3422          */
3423         dev->invalidate_domains = 0;
3424         dev->flush_domains = 0;
3425
3426         for (i = 0; i < args->buffer_count; i++) {
3427                 struct drm_gem_object *obj = object_list[i];
3428
3429                 /* Compute new gpu domains and update invalidate/flush */
3430                 i915_gem_object_set_to_gpu_domain(obj);
3431         }
3432
3433         i915_verify_inactive(dev, __FILE__, __LINE__);
3434
3435         if (dev->invalidate_domains | dev->flush_domains) {
3436 #if WATCH_EXEC
3437                 DRM_INFO("%s: invalidate_domains %08x flush_domains %08x\n",
3438                           __func__,
3439                          dev->invalidate_domains,
3440                          dev->flush_domains);
3441 #endif
3442                 i915_gem_flush(dev,
3443                                dev->invalidate_domains,
3444                                dev->flush_domains);
3445                 if (dev->flush_domains)
3446                         (void)i915_add_request(dev, file_priv,
3447                                                dev->flush_domains);
3448         }
3449
3450         for (i = 0; i < args->buffer_count; i++) {
3451                 struct drm_gem_object *obj = object_list[i];
3452
3453                 obj->write_domain = obj->pending_write_domain;
3454         }
3455
3456         i915_verify_inactive(dev, __FILE__, __LINE__);
3457
3458 #if WATCH_COHERENCY
3459         for (i = 0; i < args->buffer_count; i++) {
3460                 i915_gem_object_check_coherency(object_list[i],
3461                                                 exec_list[i].handle);
3462         }
3463 #endif
3464
3465 #if WATCH_EXEC
3466         i915_gem_dump_object(batch_obj,
3467                               args->batch_len,
3468                               __func__,
3469                               ~0);
3470 #endif
3471
3472         /* Exec the batchbuffer */
3473         ret = i915_dispatch_gem_execbuffer(dev, args, cliprects, exec_offset);
3474         if (ret) {
3475                 DRM_ERROR("dispatch failed %d\n", ret);
3476                 goto err;
3477         }
3478
3479         /*
3480          * Ensure that the commands in the batch buffer are
3481          * finished before the interrupt fires
3482          */
3483         flush_domains = i915_retire_commands(dev);
3484
3485         i915_verify_inactive(dev, __FILE__, __LINE__);
3486
3487         /*
3488          * Get a seqno representing the execution of the current buffer,
3489          * which we can wait on.  We would like to mitigate these interrupts,
3490          * likely by only creating seqnos occasionally (so that we have
3491          * *some* interrupts representing completion of buffers that we can
3492          * wait on when trying to clear up gtt space).
3493          */
3494         seqno = i915_add_request(dev, file_priv, flush_domains);
3495         BUG_ON(seqno == 0);
3496         for (i = 0; i < args->buffer_count; i++) {
3497                 struct drm_gem_object *obj = object_list[i];
3498
3499                 i915_gem_object_move_to_active(obj, seqno);
3500 #if WATCH_LRU
3501                 DRM_INFO("%s: move to exec list %p\n", __func__, obj);
3502 #endif
3503         }
3504 #if WATCH_LRU
3505         i915_dump_lru(dev, __func__);
3506 #endif
3507
3508         i915_verify_inactive(dev, __FILE__, __LINE__);
3509
3510 err:
3511         for (i = 0; i < pinned; i++)
3512                 i915_gem_object_unpin(object_list[i]);
3513
3514         for (i = 0; i < args->buffer_count; i++) {
3515                 if (object_list[i]) {
3516                         obj_priv = object_list[i]->driver_private;
3517                         obj_priv->in_execbuffer = false;
3518                 }
3519                 drm_gem_object_unreference(object_list[i]);
3520         }
3521
3522         mutex_unlock(&dev->struct_mutex);
3523
3524         if (!ret) {
3525                 /* Copy the new buffer offsets back to the user's exec list. */
3526                 ret = copy_to_user((struct drm_i915_relocation_entry __user *)
3527                                    (uintptr_t) args->buffers_ptr,
3528                                    exec_list,
3529                                    sizeof(*exec_list) * args->buffer_count);
3530                 if (ret) {
3531                         ret = -EFAULT;
3532                         DRM_ERROR("failed to copy %d exec entries "
3533                                   "back to user (%d)\n",
3534                                   args->buffer_count, ret);
3535                 }
3536         }
3537
3538         /* Copy the updated relocations out regardless of current error
3539          * state.  Failure to update the relocs would mean that the next
3540          * time userland calls execbuf, it would do so with presumed offset
3541          * state that didn't match the actual object state.
3542          */
3543         ret2 = i915_gem_put_relocs_to_user(exec_list, args->buffer_count,
3544                                            relocs);
3545         if (ret2 != 0) {
3546                 DRM_ERROR("Failed to copy relocations back out: %d\n", ret2);
3547
3548                 if (ret == 0)
3549                         ret = ret2;
3550         }
3551
3552 pre_mutex_err:
3553         drm_free_large(object_list);
3554         drm_free_large(exec_list);
3555         kfree(cliprects);
3556
3557         return ret;
3558 }
3559
3560 int
3561 i915_gem_object_pin(struct drm_gem_object *obj, uint32_t alignment)
3562 {
3563         struct drm_device *dev = obj->dev;
3564         struct drm_i915_gem_object *obj_priv = obj->driver_private;
3565         int ret;
3566
3567         i915_verify_inactive(dev, __FILE__, __LINE__);
3568         if (obj_priv->gtt_space == NULL) {
3569                 ret = i915_gem_object_bind_to_gtt(obj, alignment);
3570                 if (ret != 0) {
3571                         if (ret != -EBUSY && ret != -ERESTARTSYS)
3572                                 DRM_ERROR("Failure to bind: %d\n", ret);
3573                         return ret;
3574                 }
3575         }
3576         /*
3577          * Pre-965 chips need a fence register set up in order to
3578          * properly handle tiled surfaces.
3579          */
3580         if (!IS_I965G(dev) &&
3581             obj_priv->fence_reg == I915_FENCE_REG_NONE &&
3582             obj_priv->tiling_mode != I915_TILING_NONE) {
3583                 ret = i915_gem_object_get_fence_reg(obj);
3584                 if (ret != 0) {
3585                         if (ret != -EBUSY && ret != -ERESTARTSYS)
3586                                 DRM_ERROR("Failure to install fence: %d\n",
3587                                           ret);
3588                         return ret;
3589                 }
3590         }
3591         obj_priv->pin_count++;
3592
3593         /* If the object is not active and not pending a flush,
3594          * remove it from the inactive list
3595          */
3596         if (obj_priv->pin_count == 1) {
3597                 atomic_inc(&dev->pin_count);
3598                 atomic_add(obj->size, &dev->pin_memory);
3599                 if (!obj_priv->active &&
3600                     (obj->write_domain & I915_GEM_GPU_DOMAINS) == 0 &&
3601                     !list_empty(&obj_priv->list))
3602                         list_del_init(&obj_priv->list);
3603         }
3604         i915_verify_inactive(dev, __FILE__, __LINE__);
3605
3606         return 0;
3607 }
3608
3609 void
3610 i915_gem_object_unpin(struct drm_gem_object *obj)
3611 {
3612         struct drm_device *dev = obj->dev;
3613         drm_i915_private_t *dev_priv = dev->dev_private;
3614         struct drm_i915_gem_object *obj_priv = obj->driver_private;
3615
3616         i915_verify_inactive(dev, __FILE__, __LINE__);
3617         obj_priv->pin_count--;
3618         BUG_ON(obj_priv->pin_count < 0);
3619         BUG_ON(obj_priv->gtt_space == NULL);
3620
3621         /* If the object is no longer pinned, and is
3622          * neither active nor being flushed, then stick it on
3623          * the inactive list
3624          */
3625         if (obj_priv->pin_count == 0) {
3626                 if (!obj_priv->active &&
3627                     (obj->write_domain & I915_GEM_GPU_DOMAINS) == 0)
3628                         list_move_tail(&obj_priv->list,
3629                                        &dev_priv->mm.inactive_list);
3630                 atomic_dec(&dev->pin_count);
3631                 atomic_sub(obj->size, &dev->pin_memory);
3632         }
3633         i915_verify_inactive(dev, __FILE__, __LINE__);
3634 }
3635
3636 int
3637 i915_gem_pin_ioctl(struct drm_device *dev, void *data,
3638                    struct drm_file *file_priv)
3639 {
3640         struct drm_i915_gem_pin *args = data;
3641         struct drm_gem_object *obj;
3642         struct drm_i915_gem_object *obj_priv;
3643         int ret;
3644
3645         mutex_lock(&dev->struct_mutex);
3646
3647         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
3648         if (obj == NULL) {
3649                 DRM_ERROR("Bad handle in i915_gem_pin_ioctl(): %d\n",
3650                           args->handle);
3651                 mutex_unlock(&dev->struct_mutex);
3652                 return -EBADF;
3653         }
3654         obj_priv = obj->driver_private;
3655
3656         if (obj_priv->pin_filp != NULL && obj_priv->pin_filp != file_priv) {
3657                 DRM_ERROR("Already pinned in i915_gem_pin_ioctl(): %d\n",
3658                           args->handle);
3659                 drm_gem_object_unreference(obj);
3660                 mutex_unlock(&dev->struct_mutex);
3661                 return -EINVAL;
3662         }
3663
3664         obj_priv->user_pin_count++;
3665         obj_priv->pin_filp = file_priv;
3666         if (obj_priv->user_pin_count == 1) {
3667                 ret = i915_gem_object_pin(obj, args->alignment);
3668                 if (ret != 0) {
3669                         drm_gem_object_unreference(obj);
3670                         mutex_unlock(&dev->struct_mutex);
3671                         return ret;
3672                 }
3673         }
3674
3675         /* XXX - flush the CPU caches for pinned objects
3676          * as the X server doesn't manage domains yet
3677          */
3678         i915_gem_object_flush_cpu_write_domain(obj);
3679         args->offset = obj_priv->gtt_offset;
3680         drm_gem_object_unreference(obj);
3681         mutex_unlock(&dev->struct_mutex);
3682
3683         return 0;
3684 }
3685
3686 int
3687 i915_gem_unpin_ioctl(struct drm_device *dev, void *data,
3688                      struct drm_file *file_priv)
3689 {
3690         struct drm_i915_gem_pin *args = data;
3691         struct drm_gem_object *obj;
3692         struct drm_i915_gem_object *obj_priv;
3693
3694         mutex_lock(&dev->struct_mutex);
3695
3696         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
3697         if (obj == NULL) {
3698                 DRM_ERROR("Bad handle in i915_gem_unpin_ioctl(): %d\n",
3699                           args->handle);
3700                 mutex_unlock(&dev->struct_mutex);
3701                 return -EBADF;
3702         }
3703
3704         obj_priv = obj->driver_private;
3705         if (obj_priv->pin_filp != file_priv) {
3706                 DRM_ERROR("Not pinned by caller in i915_gem_pin_ioctl(): %d\n",
3707                           args->handle);
3708                 drm_gem_object_unreference(obj);
3709                 mutex_unlock(&dev->struct_mutex);
3710                 return -EINVAL;
3711         }
3712         obj_priv->user_pin_count--;
3713         if (obj_priv->user_pin_count == 0) {
3714                 obj_priv->pin_filp = NULL;
3715                 i915_gem_object_unpin(obj);
3716         }
3717
3718         drm_gem_object_unreference(obj);
3719         mutex_unlock(&dev->struct_mutex);
3720         return 0;
3721 }
3722
3723 int
3724 i915_gem_busy_ioctl(struct drm_device *dev, void *data,
3725                     struct drm_file *file_priv)
3726 {
3727         struct drm_i915_gem_busy *args = data;
3728         struct drm_gem_object *obj;
3729         struct drm_i915_gem_object *obj_priv;
3730
3731         obj = drm_gem_object_lookup(dev, file_priv, args->handle);
3732         if (obj == NULL) {
3733                 DRM_ERROR("Bad handle in i915_gem_busy_ioctl(): %d\n",
3734                           args->handle);
3735                 return -EBADF;
3736         }
3737
3738         mutex_lock(&dev->struct_mutex);
3739         /* Update the active list for the hardware's current position.
3740          * Otherwise this only updates on a delayed timer or when irqs are
3741          * actually unmasked, and our working set ends up being larger than
3742          * required.
3743          */
3744         i915_gem_retire_requests(dev);
3745
3746         obj_priv = obj->driver_private;
3747         /* Don't count being on the flushing list against the object being
3748          * done.  Otherwise, a buffer left on the flushing list but not getting
3749          * flushed (because nobody's flushing that domain) won't ever return
3750          * unbusy and get reused by libdrm's bo cache.  The other expected
3751          * consumer of this interface, OpenGL's occlusion queries, also specs
3752          * that the objects get unbusy "eventually" without any interference.
3753          */
3754         args->busy = obj_priv->active && obj_priv->last_rendering_seqno != 0;
3755
3756         drm_gem_object_unreference(obj);
3757         mutex_unlock(&dev->struct_mutex);
3758         return 0;
3759 }
3760
3761 int
3762 i915_gem_throttle_ioctl(struct drm_device *dev, void *data,
3763                         struct drm_file *file_priv)
3764 {
3765     return i915_gem_ring_throttle(dev, file_priv);
3766 }
3767
3768 int i915_gem_init_object(struct drm_gem_object *obj)
3769 {
3770         struct drm_i915_gem_object *obj_priv;
3771
3772         obj_priv = kzalloc(sizeof(*obj_priv), GFP_KERNEL);
3773         if (obj_priv == NULL)
3774                 return -ENOMEM;
3775
3776         /*
3777          * We've just allocated pages from the kernel,
3778          * so they've just been written by the CPU with
3779          * zeros. They'll need to be clflushed before we
3780          * use them with the GPU.
3781          */
3782         obj->write_domain = I915_GEM_DOMAIN_CPU;
3783         obj->read_domains = I915_GEM_DOMAIN_CPU;
3784
3785         obj_priv->agp_type = AGP_USER_MEMORY;
3786
3787         obj->driver_private = obj_priv;
3788         obj_priv->obj = obj;
3789         obj_priv->fence_reg = I915_FENCE_REG_NONE;
3790         INIT_LIST_HEAD(&obj_priv->list);
3791
3792         return 0;
3793 }
3794
3795 void i915_gem_free_object(struct drm_gem_object *obj)
3796 {
3797         struct drm_device *dev = obj->dev;
3798         struct drm_i915_gem_object *obj_priv = obj->driver_private;
3799
3800         while (obj_priv->pin_count > 0)
3801                 i915_gem_object_unpin(obj);
3802
3803         if (obj_priv->phys_obj)
3804                 i915_gem_detach_phys_object(dev, obj);
3805
3806         i915_gem_object_unbind(obj);
3807
3808         i915_gem_free_mmap_offset(obj);
3809
3810         kfree(obj_priv->page_cpu_valid);
3811         kfree(obj_priv->bit_17);
3812         kfree(obj->driver_private);
3813 }
3814
3815 /** Unbinds all objects that are on the given buffer list. */
3816 static int
3817 i915_gem_evict_from_list(struct drm_device *dev, struct list_head *head)
3818 {
3819         struct drm_gem_object *obj;
3820         struct drm_i915_gem_object *obj_priv;
3821         int ret;
3822
3823         while (!list_empty(head)) {
3824                 obj_priv = list_first_entry(head,
3825                                             struct drm_i915_gem_object,
3826                                             list);
3827                 obj = obj_priv->obj;
3828
3829                 if (obj_priv->pin_count != 0) {
3830                         DRM_ERROR("Pinned object in unbind list\n");
3831                         mutex_unlock(&dev->struct_mutex);
3832                         return -EINVAL;
3833                 }
3834
3835                 ret = i915_gem_object_unbind(obj);
3836                 if (ret != 0) {
3837                         DRM_ERROR("Error unbinding object in LeaveVT: %d\n",
3838                                   ret);
3839                         mutex_unlock(&dev->struct_mutex);
3840                         return ret;
3841                 }
3842         }
3843
3844
3845         return 0;
3846 }
3847
3848 int
3849 i915_gem_idle(struct drm_device *dev)
3850 {
3851         drm_i915_private_t *dev_priv = dev->dev_private;
3852         uint32_t seqno, cur_seqno, last_seqno;
3853         int stuck, ret;
3854
3855         mutex_lock(&dev->struct_mutex);
3856
3857         if (dev_priv->mm.suspended || dev_priv->ring.ring_obj == NULL) {
3858                 mutex_unlock(&dev->struct_mutex);
3859                 return 0;
3860         }
3861
3862         /* Hack!  Don't let anybody do execbuf while we don't control the chip.
3863          * We need to replace this with a semaphore, or something.
3864          */
3865         dev_priv->mm.suspended = 1;
3866
3867         /* Cancel the retire work handler, wait for it to finish if running
3868          */
3869         mutex_unlock(&dev->struct_mutex);
3870         cancel_delayed_work_sync(&dev_priv->mm.retire_work);
3871         mutex_lock(&dev->struct_mutex);
3872
3873         i915_kernel_lost_context(dev);
3874
3875         /* Flush the GPU along with all non-CPU write domains
3876          */
3877         i915_gem_flush(dev, I915_GEM_GPU_DOMAINS, I915_GEM_GPU_DOMAINS);
3878         seqno = i915_add_request(dev, NULL, I915_GEM_GPU_DOMAINS);
3879
3880         if (seqno == 0) {
3881                 mutex_unlock(&dev->struct_mutex);
3882                 return -ENOMEM;
3883         }
3884
3885         dev_priv->mm.waiting_gem_seqno = seqno;
3886         last_seqno = 0;
3887         stuck = 0;
3888         for (;;) {
3889                 cur_seqno = i915_get_gem_seqno(dev);
3890                 if (i915_seqno_passed(cur_seqno, seqno))
3891                         break;
3892                 if (last_seqno == cur_seqno) {
3893                         if (stuck++ > 100) {
3894                                 DRM_ERROR("hardware wedged\n");
3895                                 dev_priv->mm.wedged = 1;
3896                                 DRM_WAKEUP(&dev_priv->irq_queue);
3897                                 break;
3898                         }
3899                 }
3900                 msleep(10);
3901                 last_seqno = cur_seqno;
3902         }
3903         dev_priv->mm.waiting_gem_seqno = 0;
3904
3905         i915_gem_retire_requests(dev);
3906
3907         spin_lock(&dev_priv->mm.active_list_lock);
3908         if (!dev_priv->mm.wedged) {
3909                 /* Active and flushing should now be empty as we've
3910                  * waited for a sequence higher than any pending execbuffer
3911                  */
3912                 WARN_ON(!list_empty(&dev_priv->mm.active_list));
3913                 WARN_ON(!list_empty(&dev_priv->mm.flushing_list));
3914                 /* Request should now be empty as we've also waited
3915                  * for the last request in the list
3916                  */
3917                 WARN_ON(!list_empty(&dev_priv->mm.request_list));
3918         }
3919
3920         /* Empty the active and flushing lists to inactive.  If there's
3921          * anything left at this point, it means that we're wedged and
3922          * nothing good's going to happen by leaving them there.  So strip
3923          * the GPU domains and just stuff them onto inactive.
3924          */
3925         while (!list_empty(&dev_priv->mm.active_list)) {
3926                 struct drm_i915_gem_object *obj_priv;
3927
3928                 obj_priv = list_first_entry(&dev_priv->mm.active_list,
3929                                             struct drm_i915_gem_object,
3930                                             list);
3931                 obj_priv->obj->write_domain &= ~I915_GEM_GPU_DOMAINS;
3932                 i915_gem_object_move_to_inactive(obj_priv->obj);
3933         }
3934         spin_unlock(&dev_priv->mm.active_list_lock);
3935
3936         while (!list_empty(&dev_priv->mm.flushing_list)) {
3937                 struct drm_i915_gem_object *obj_priv;
3938
3939                 obj_priv = list_first_entry(&dev_priv->mm.flushing_list,
3940                                             struct drm_i915_gem_object,
3941                                             list);
3942                 obj_priv->obj->write_domain &= ~I915_GEM_GPU_DOMAINS;
3943                 i915_gem_object_move_to_inactive(obj_priv->obj);
3944         }
3945
3946
3947         /* Move all inactive buffers out of the GTT. */
3948         ret = i915_gem_evict_from_list(dev, &dev_priv->mm.inactive_list);
3949         WARN_ON(!list_empty(&dev_priv->mm.inactive_list));
3950         if (ret) {
3951                 mutex_unlock(&dev->struct_mutex);
3952                 return ret;
3953         }
3954
3955         i915_gem_cleanup_ringbuffer(dev);
3956         mutex_unlock(&dev->struct_mutex);
3957
3958         return 0;
3959 }
3960
3961 static int
3962 i915_gem_init_hws(struct drm_device *dev)
3963 {
3964         drm_i915_private_t *dev_priv = dev->dev_private;
3965         struct drm_gem_object *obj;
3966         struct drm_i915_gem_object *obj_priv;
3967         int ret;
3968
3969         /* If we need a physical address for the status page, it's already
3970          * initialized at driver load time.
3971          */
3972         if (!I915_NEED_GFX_HWS(dev))
3973                 return 0;
3974
3975         obj = drm_gem_object_alloc(dev, 4096);
3976         if (obj == NULL) {
3977                 DRM_ERROR("Failed to allocate status page\n");
3978                 return -ENOMEM;
3979         }
3980         obj_priv = obj->driver_private;
3981         obj_priv->agp_type = AGP_USER_CACHED_MEMORY;
3982
3983         ret = i915_gem_object_pin(obj, 4096);
3984         if (ret != 0) {
3985                 drm_gem_object_unreference(obj);
3986                 return ret;
3987         }
3988
3989         dev_priv->status_gfx_addr = obj_priv->gtt_offset;
3990
3991         dev_priv->hw_status_page = kmap(obj_priv->pages[0]);
3992         if (dev_priv->hw_status_page == NULL) {
3993                 DRM_ERROR("Failed to map status page.\n");
3994                 memset(&dev_priv->hws_map, 0, sizeof(dev_priv->hws_map));
3995                 i915_gem_object_unpin(obj);
3996                 drm_gem_object_unreference(obj);
3997                 return -EINVAL;
3998         }
3999         dev_priv->hws_obj = obj;
4000         memset(dev_priv->hw_status_page, 0, PAGE_SIZE);
4001         I915_WRITE(HWS_PGA, dev_priv->status_gfx_addr);
4002         I915_READ(HWS_PGA); /* posting read */
4003         DRM_DEBUG("hws offset: 0x%08x\n", dev_priv->status_gfx_addr);
4004
4005         return 0;
4006 }
4007
4008 static void
4009 i915_gem_cleanup_hws(struct drm_device *dev)
4010 {
4011         drm_i915_private_t *dev_priv = dev->dev_private;
4012         struct drm_gem_object *obj;
4013         struct drm_i915_gem_object *obj_priv;
4014
4015         if (dev_priv->hws_obj == NULL)
4016                 return;
4017
4018         obj = dev_priv->hws_obj;
4019         obj_priv = obj->driver_private;
4020
4021         kunmap(obj_priv->pages[0]);
4022         i915_gem_object_unpin(obj);
4023         drm_gem_object_unreference(obj);
4024         dev_priv->hws_obj = NULL;
4025
4026         memset(&dev_priv->hws_map, 0, sizeof(dev_priv->hws_map));
4027         dev_priv->hw_status_page = NULL;
4028
4029         /* Write high address into HWS_PGA when disabling. */
4030         I915_WRITE(HWS_PGA, 0x1ffff000);
4031 }
4032
4033 int
4034 i915_gem_init_ringbuffer(struct drm_device *dev)
4035 {
4036         drm_i915_private_t *dev_priv = dev->dev_private;
4037         struct drm_gem_object *obj;
4038         struct drm_i915_gem_object *obj_priv;
4039         drm_i915_ring_buffer_t *ring = &dev_priv->ring;
4040         int ret;
4041         u32 head;
4042
4043         ret = i915_gem_init_hws(dev);
4044         if (ret != 0)
4045                 return ret;
4046
4047         obj = drm_gem_object_alloc(dev, 128 * 1024);
4048         if (obj == NULL) {
4049                 DRM_ERROR("Failed to allocate ringbuffer\n");
4050                 i915_gem_cleanup_hws(dev);
4051                 return -ENOMEM;
4052         }
4053         obj_priv = obj->driver_private;
4054
4055         ret = i915_gem_object_pin(obj, 4096);
4056         if (ret != 0) {
4057                 drm_gem_object_unreference(obj);
4058                 i915_gem_cleanup_hws(dev);
4059                 return ret;
4060         }
4061
4062         /* Set up the kernel mapping for the ring. */
4063         ring->Size = obj->size;
4064         ring->tail_mask = obj->size - 1;
4065
4066         ring->map.offset = dev->agp->base + obj_priv->gtt_offset;
4067         ring->map.size = obj->size;
4068         ring->map.type = 0;
4069         ring->map.flags = 0;
4070         ring->map.mtrr = 0;
4071
4072         drm_core_ioremap_wc(&ring->map, dev);
4073         if (ring->map.handle == NULL) {
4074                 DRM_ERROR("Failed to map ringbuffer.\n");
4075                 memset(&dev_priv->ring, 0, sizeof(dev_priv->ring));
4076                 i915_gem_object_unpin(obj);
4077                 drm_gem_object_unreference(obj);
4078                 i915_gem_cleanup_hws(dev);
4079                 return -EINVAL;
4080         }
4081         ring->ring_obj = obj;
4082         ring->virtual_start = ring->map.handle;
4083
4084         /* Stop the ring if it's running. */
4085         I915_WRITE(PRB0_CTL, 0);
4086         I915_WRITE(PRB0_TAIL, 0);
4087         I915_WRITE(PRB0_HEAD, 0);
4088
4089         /* Initialize the ring. */
4090         I915_WRITE(PRB0_START, obj_priv->gtt_offset);
4091         head = I915_READ(PRB0_HEAD) & HEAD_ADDR;
4092
4093         /* G45 ring initialization fails to reset head to zero */
4094         if (head != 0) {
4095                 DRM_ERROR("Ring head not reset to zero "
4096                           "ctl %08x head %08x tail %08x start %08x\n",
4097                           I915_READ(PRB0_CTL),
4098                           I915_READ(PRB0_HEAD),
4099                           I915_READ(PRB0_TAIL),
4100                           I915_READ(PRB0_START));
4101                 I915_WRITE(PRB0_HEAD, 0);
4102
4103                 DRM_ERROR("Ring head forced to zero "
4104                           "ctl %08x head %08x tail %08x start %08x\n",
4105                           I915_READ(PRB0_CTL),
4106                           I915_READ(PRB0_HEAD),
4107                           I915_READ(PRB0_TAIL),
4108                           I915_READ(PRB0_START));
4109         }
4110
4111         I915_WRITE(PRB0_CTL,
4112                    ((obj->size - 4096) & RING_NR_PAGES) |
4113                    RING_NO_REPORT |
4114                    RING_VALID);
4115
4116         head = I915_READ(PRB0_HEAD) & HEAD_ADDR;
4117
4118         /* If the head is still not zero, the ring is dead */
4119         if (head != 0) {
4120                 DRM_ERROR("Ring initialization failed "
4121                           "ctl %08x head %08x tail %08x start %08x\n",
4122                           I915_READ(PRB0_CTL),
4123                           I915_READ(PRB0_HEAD),
4124                           I915_READ(PRB0_TAIL),
4125                           I915_READ(PRB0_START));
4126                 return -EIO;
4127         }
4128
4129         /* Update our cache of the ring state */
4130         if (!drm_core_check_feature(dev, DRIVER_MODESET))
4131                 i915_kernel_lost_context(dev);
4132         else {
4133                 ring->head = I915_READ(PRB0_HEAD) & HEAD_ADDR;
4134                 ring->tail = I915_READ(PRB0_TAIL) & TAIL_ADDR;
4135                 ring->space = ring->head - (ring->tail + 8);
4136                 if (ring->space < 0)
4137                         ring->space += ring->Size;
4138         }
4139
4140         return 0;
4141 }
4142
4143 void
4144 i915_gem_cleanup_ringbuffer(struct drm_device *dev)
4145 {
4146         drm_i915_private_t *dev_priv = dev->dev_private;
4147
4148         if (dev_priv->ring.ring_obj == NULL)
4149                 return;
4150
4151         drm_core_ioremapfree(&dev_priv->ring.map, dev);
4152
4153         i915_gem_object_unpin(dev_priv->ring.ring_obj);
4154         drm_gem_object_unreference(dev_priv->ring.ring_obj);
4155         dev_priv->ring.ring_obj = NULL;
4156         memset(&dev_priv->ring, 0, sizeof(dev_priv->ring));
4157
4158         i915_gem_cleanup_hws(dev);
4159 }
4160
4161 int
4162 i915_gem_entervt_ioctl(struct drm_device *dev, void *data,
4163                        struct drm_file *file_priv)
4164 {
4165         drm_i915_private_t *dev_priv = dev->dev_private;
4166         int ret;
4167
4168         if (drm_core_check_feature(dev, DRIVER_MODESET))
4169                 return 0;
4170
4171         if (dev_priv->mm.wedged) {
4172                 DRM_ERROR("Reenabling wedged hardware, good luck\n");
4173                 dev_priv->mm.wedged = 0;
4174         }
4175
4176         mutex_lock(&dev->struct_mutex);
4177         dev_priv->mm.suspended = 0;
4178
4179         ret = i915_gem_init_ringbuffer(dev);
4180         if (ret != 0) {
4181                 mutex_unlock(&dev->struct_mutex);
4182                 return ret;
4183         }
4184
4185         spin_lock(&dev_priv->mm.active_list_lock);
4186         BUG_ON(!list_empty(&dev_priv->mm.active_list));
4187         spin_unlock(&dev_priv->mm.active_list_lock);
4188
4189         BUG_ON(!list_empty(&dev_priv->mm.flushing_list));
4190         BUG_ON(!list_empty(&dev_priv->mm.inactive_list));
4191         BUG_ON(!list_empty(&dev_priv->mm.request_list));
4192         mutex_unlock(&dev->struct_mutex);
4193
4194         drm_irq_install(dev);
4195
4196         return 0;
4197 }
4198
4199 int
4200 i915_gem_leavevt_ioctl(struct drm_device *dev, void *data,
4201                        struct drm_file *file_priv)
4202 {
4203         int ret;
4204
4205         if (drm_core_check_feature(dev, DRIVER_MODESET))
4206                 return 0;
4207
4208         ret = i915_gem_idle(dev);
4209         drm_irq_uninstall(dev);
4210
4211         return ret;
4212 }
4213
4214 void
4215 i915_gem_lastclose(struct drm_device *dev)
4216 {
4217         int ret;
4218
4219         if (drm_core_check_feature(dev, DRIVER_MODESET))
4220                 return;
4221
4222         ret = i915_gem_idle(dev);
4223         if (ret)
4224                 DRM_ERROR("failed to idle hardware: %d\n", ret);
4225 }
4226
4227 void
4228 i915_gem_load(struct drm_device *dev)
4229 {
4230         int i;
4231         drm_i915_private_t *dev_priv = dev->dev_private;
4232
4233         spin_lock_init(&dev_priv->mm.active_list_lock);
4234         INIT_LIST_HEAD(&dev_priv->mm.active_list);
4235         INIT_LIST_HEAD(&dev_priv->mm.flushing_list);
4236         INIT_LIST_HEAD(&dev_priv->mm.inactive_list);
4237         INIT_LIST_HEAD(&dev_priv->mm.request_list);
4238         INIT_DELAYED_WORK(&dev_priv->mm.retire_work,
4239                           i915_gem_retire_work_handler);
4240         dev_priv->mm.next_gem_seqno = 1;
4241
4242         /* Old X drivers will take 0-2 for front, back, depth buffers */
4243         dev_priv->fence_reg_start = 3;
4244
4245         if (IS_I965G(dev) || IS_I945G(dev) || IS_I945GM(dev) || IS_G33(dev))
4246                 dev_priv->num_fence_regs = 16;
4247         else
4248                 dev_priv->num_fence_regs = 8;
4249
4250         /* Initialize fence registers to zero */
4251         if (IS_I965G(dev)) {
4252                 for (i = 0; i < 16; i++)
4253                         I915_WRITE64(FENCE_REG_965_0 + (i * 8), 0);
4254         } else {
4255                 for (i = 0; i < 8; i++)
4256                         I915_WRITE(FENCE_REG_830_0 + (i * 4), 0);
4257                 if (IS_I945G(dev) || IS_I945GM(dev) || IS_G33(dev))
4258                         for (i = 0; i < 8; i++)
4259                                 I915_WRITE(FENCE_REG_945_8 + (i * 4), 0);
4260         }
4261
4262         i915_gem_detect_bit_6_swizzle(dev);
4263 }
4264
4265 /*
4266  * Create a physically contiguous memory object for this object
4267  * e.g. for cursor + overlay regs
4268  */
4269 int i915_gem_init_phys_object(struct drm_device *dev,
4270                               int id, int size)
4271 {
4272         drm_i915_private_t *dev_priv = dev->dev_private;
4273         struct drm_i915_gem_phys_object *phys_obj;
4274         int ret;
4275
4276         if (dev_priv->mm.phys_objs[id - 1] || !size)
4277                 return 0;
4278
4279         phys_obj = kzalloc(sizeof(struct drm_i915_gem_phys_object), GFP_KERNEL);
4280         if (!phys_obj)
4281                 return -ENOMEM;
4282
4283         phys_obj->id = id;
4284
4285         phys_obj->handle = drm_pci_alloc(dev, size, 0, 0xffffffff);
4286         if (!phys_obj->handle) {
4287                 ret = -ENOMEM;
4288                 goto kfree_obj;
4289         }
4290 #ifdef CONFIG_X86
4291         set_memory_wc((unsigned long)phys_obj->handle->vaddr, phys_obj->handle->size / PAGE_SIZE);
4292 #endif
4293
4294         dev_priv->mm.phys_objs[id - 1] = phys_obj;
4295
4296         return 0;
4297 kfree_obj:
4298         kfree(phys_obj);
4299         return ret;
4300 }
4301
4302 void i915_gem_free_phys_object(struct drm_device *dev, int id)
4303 {
4304         drm_i915_private_t *dev_priv = dev->dev_private;
4305         struct drm_i915_gem_phys_object *phys_obj;
4306
4307         if (!dev_priv->mm.phys_objs[id - 1])
4308                 return;
4309
4310         phys_obj = dev_priv->mm.phys_objs[id - 1];
4311         if (phys_obj->cur_obj) {
4312                 i915_gem_detach_phys_object(dev, phys_obj->cur_obj);
4313         }
4314
4315 #ifdef CONFIG_X86
4316         set_memory_wb((unsigned long)phys_obj->handle->vaddr, phys_obj->handle->size / PAGE_SIZE);
4317 #endif
4318         drm_pci_free(dev, phys_obj->handle);
4319         kfree(phys_obj);
4320         dev_priv->mm.phys_objs[id - 1] = NULL;
4321 }
4322
4323 void i915_gem_free_all_phys_object(struct drm_device *dev)
4324 {
4325         int i;
4326
4327         for (i = I915_GEM_PHYS_CURSOR_0; i <= I915_MAX_PHYS_OBJECT; i++)
4328                 i915_gem_free_phys_object(dev, i);
4329 }
4330
4331 void i915_gem_detach_phys_object(struct drm_device *dev,
4332                                  struct drm_gem_object *obj)
4333 {
4334         struct drm_i915_gem_object *obj_priv;
4335         int i;
4336         int ret;
4337         int page_count;
4338
4339         obj_priv = obj->driver_private;
4340         if (!obj_priv->phys_obj)
4341                 return;
4342
4343         ret = i915_gem_object_get_pages(obj);
4344         if (ret)
4345                 goto out;
4346
4347         page_count = obj->size / PAGE_SIZE;
4348
4349         for (i = 0; i < page_count; i++) {
4350                 char *dst = kmap_atomic(obj_priv->pages[i], KM_USER0);
4351                 char *src = obj_priv->phys_obj->handle->vaddr + (i * PAGE_SIZE);
4352
4353                 memcpy(dst, src, PAGE_SIZE);
4354                 kunmap_atomic(dst, KM_USER0);
4355         }
4356         drm_clflush_pages(obj_priv->pages, page_count);
4357         drm_agp_chipset_flush(dev);
4358
4359         i915_gem_object_put_pages(obj);
4360 out:
4361         obj_priv->phys_obj->cur_obj = NULL;
4362         obj_priv->phys_obj = NULL;
4363 }
4364
4365 int
4366 i915_gem_attach_phys_object(struct drm_device *dev,
4367                             struct drm_gem_object *obj, int id)
4368 {
4369         drm_i915_private_t *dev_priv = dev->dev_private;
4370         struct drm_i915_gem_object *obj_priv;
4371         int ret = 0;
4372         int page_count;
4373         int i;
4374
4375         if (id > I915_MAX_PHYS_OBJECT)
4376                 return -EINVAL;
4377
4378         obj_priv = obj->driver_private;
4379
4380         if (obj_priv->phys_obj) {
4381                 if (obj_priv->phys_obj->id == id)
4382                         return 0;
4383                 i915_gem_detach_phys_object(dev, obj);
4384         }
4385
4386
4387         /* create a new object */
4388         if (!dev_priv->mm.phys_objs[id - 1]) {
4389                 ret = i915_gem_init_phys_object(dev, id,
4390                                                 obj->size);
4391                 if (ret) {
4392                         DRM_ERROR("failed to init phys object %d size: %zu\n", id, obj->size);
4393                         goto out;
4394                 }
4395         }
4396
4397         /* bind to the object */
4398         obj_priv->phys_obj = dev_priv->mm.phys_objs[id - 1];
4399         obj_priv->phys_obj->cur_obj = obj;
4400
4401         ret = i915_gem_object_get_pages(obj);
4402         if (ret) {
4403                 DRM_ERROR("failed to get page list\n");
4404                 goto out;
4405         }
4406
4407         page_count = obj->size / PAGE_SIZE;
4408
4409         for (i = 0; i < page_count; i++) {
4410                 char *src = kmap_atomic(obj_priv->pages[i], KM_USER0);
4411                 char *dst = obj_priv->phys_obj->handle->vaddr + (i * PAGE_SIZE);
4412
4413                 memcpy(dst, src, PAGE_SIZE);
4414                 kunmap_atomic(src, KM_USER0);
4415         }
4416
4417         i915_gem_object_put_pages(obj);
4418
4419         return 0;
4420 out:
4421         return ret;
4422 }
4423
4424 static int
4425 i915_gem_phys_pwrite(struct drm_device *dev, struct drm_gem_object *obj,
4426                      struct drm_i915_gem_pwrite *args,
4427                      struct drm_file *file_priv)
4428 {
4429         struct drm_i915_gem_object *obj_priv = obj->driver_private;
4430         void *obj_addr;
4431         int ret;
4432         char __user *user_data;
4433
4434         user_data = (char __user *) (uintptr_t) args->data_ptr;
4435         obj_addr = obj_priv->phys_obj->handle->vaddr + args->offset;
4436
4437         DRM_DEBUG("obj_addr %p, %lld\n", obj_addr, args->size);
4438         ret = copy_from_user(obj_addr, user_data, args->size);
4439         if (ret)
4440                 return -EFAULT;
4441
4442         drm_agp_chipset_flush(dev);
4443         return 0;
4444 }
4445
4446 void i915_gem_release(struct drm_device * dev, struct drm_file *file_priv)
4447 {
4448         struct drm_i915_file_private *i915_file_priv = file_priv->driver_priv;
4449
4450         /* Clean up our request list when the client is going away, so that
4451          * later retire_requests won't dereference our soon-to-be-gone
4452          * file_priv.
4453          */
4454         mutex_lock(&dev->struct_mutex);
4455         while (!list_empty(&i915_file_priv->mm.request_list))
4456                 list_del_init(i915_file_priv->mm.request_list.next);
4457         mutex_unlock(&dev->struct_mutex);
4458 }