• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2013 Red Hat
4  * Author: Rob Clark <robdclark@gmail.com>
5  */
6 
7 #include <linux/file.h>
8 #include <linux/sync_file.h>
9 #include <linux/uaccess.h>
10 
11 #include <drm/drm_drv.h>
12 #include <drm/drm_file.h>
13 #include <drm/drm_syncobj.h>
14 
15 #include "msm_drv.h"
16 #include "msm_gpu.h"
17 #include "msm_gem.h"
18 #include "msm_gpu_trace.h"
19 
20 /*
21  * Cmdstream submission:
22  */
23 
24 /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */
25 #define BO_VALID    0x8000   /* is current addr in cmdstream correct/valid? */
26 #define BO_LOCKED   0x4000   /* obj lock is held */
27 #define BO_ACTIVE   0x2000   /* active refcnt is held */
28 #define BO_PINNED   0x1000   /* obj is pinned and on active list */
29 
submit_create(struct drm_device * dev,struct msm_gpu * gpu,struct msm_gpu_submitqueue * queue,uint32_t nr_bos,uint32_t nr_cmds)30 static struct msm_gem_submit *submit_create(struct drm_device *dev,
31 		struct msm_gpu *gpu,
32 		struct msm_gpu_submitqueue *queue, uint32_t nr_bos,
33 		uint32_t nr_cmds)
34 {
35 	struct msm_gem_submit *submit;
36 	uint64_t sz;
37 	int ret;
38 
39 	sz = struct_size(submit, bos, nr_bos) +
40 			((u64)nr_cmds * sizeof(submit->cmd[0]));
41 
42 	if (sz > SIZE_MAX)
43 		return ERR_PTR(-ENOMEM);
44 
45 	submit = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
46 	if (!submit)
47 		return ERR_PTR(-ENOMEM);
48 
49 	ret = drm_sched_job_init(&submit->base, queue->entity, queue);
50 	if (ret) {
51 		kfree(submit);
52 		return ERR_PTR(ret);
53 	}
54 
55 	xa_init_flags(&submit->deps, XA_FLAGS_ALLOC);
56 
57 	kref_init(&submit->ref);
58 	submit->dev = dev;
59 	submit->aspace = queue->ctx->aspace;
60 	submit->gpu = gpu;
61 	submit->cmd = (void *)&submit->bos[nr_bos];
62 	submit->queue = queue;
63 	submit->ring = gpu->rb[queue->ring_nr];
64 	submit->fault_dumped = false;
65 
66 	INIT_LIST_HEAD(&submit->node);
67 
68 	return submit;
69 }
70 
__msm_gem_submit_destroy(struct kref * kref)71 void __msm_gem_submit_destroy(struct kref *kref)
72 {
73 	struct msm_gem_submit *submit =
74 			container_of(kref, struct msm_gem_submit, ref);
75 	unsigned long index;
76 	struct dma_fence *fence;
77 	unsigned i;
78 
79 	if (submit->fence_id) {
80 		mutex_lock(&submit->queue->lock);
81 		idr_remove(&submit->queue->fence_idr, submit->fence_id);
82 		mutex_unlock(&submit->queue->lock);
83 	}
84 
85 	xa_for_each (&submit->deps, index, fence) {
86 		dma_fence_put(fence);
87 	}
88 
89 	xa_destroy(&submit->deps);
90 
91 	dma_fence_put(submit->user_fence);
92 	dma_fence_put(submit->hw_fence);
93 
94 	put_pid(submit->pid);
95 	msm_submitqueue_put(submit->queue);
96 
97 	for (i = 0; i < submit->nr_cmds; i++)
98 		kfree(submit->cmd[i].relocs);
99 
100 	kfree(submit);
101 }
102 
submit_lookup_objects(struct msm_gem_submit * submit,struct drm_msm_gem_submit * args,struct drm_file * file)103 static int submit_lookup_objects(struct msm_gem_submit *submit,
104 		struct drm_msm_gem_submit *args, struct drm_file *file)
105 {
106 	unsigned i;
107 	int ret = 0;
108 
109 	for (i = 0; i < args->nr_bos; i++) {
110 		struct drm_msm_gem_submit_bo submit_bo;
111 		void __user *userptr =
112 			u64_to_user_ptr(args->bos + (i * sizeof(submit_bo)));
113 
114 		/* make sure we don't have garbage flags, in case we hit
115 		 * error path before flags is initialized:
116 		 */
117 		submit->bos[i].flags = 0;
118 
119 		if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) {
120 			ret = -EFAULT;
121 			i = 0;
122 			goto out;
123 		}
124 
125 /* at least one of READ and/or WRITE flags should be set: */
126 #define MANDATORY_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
127 
128 		if ((submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) ||
129 			!(submit_bo.flags & MANDATORY_FLAGS)) {
130 			DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
131 			ret = -EINVAL;
132 			i = 0;
133 			goto out;
134 		}
135 
136 		submit->bos[i].handle = submit_bo.handle;
137 		submit->bos[i].flags = submit_bo.flags;
138 		/* in validate_objects() we figure out if this is true: */
139 		submit->bos[i].iova  = submit_bo.presumed;
140 	}
141 
142 	spin_lock(&file->table_lock);
143 
144 	for (i = 0; i < args->nr_bos; i++) {
145 		struct drm_gem_object *obj;
146 
147 		/* normally use drm_gem_object_lookup(), but for bulk lookup
148 		 * all under single table_lock just hit object_idr directly:
149 		 */
150 		obj = idr_find(&file->object_idr, submit->bos[i].handle);
151 		if (!obj) {
152 			DRM_ERROR("invalid handle %u at index %u\n", submit->bos[i].handle, i);
153 			ret = -EINVAL;
154 			goto out_unlock;
155 		}
156 
157 		drm_gem_object_get(obj);
158 
159 		submit->bos[i].obj = to_msm_bo(obj);
160 	}
161 
162 out_unlock:
163 	spin_unlock(&file->table_lock);
164 
165 out:
166 	submit->nr_bos = i;
167 
168 	return ret;
169 }
170 
submit_lookup_cmds(struct msm_gem_submit * submit,struct drm_msm_gem_submit * args,struct drm_file * file)171 static int submit_lookup_cmds(struct msm_gem_submit *submit,
172 		struct drm_msm_gem_submit *args, struct drm_file *file)
173 {
174 	unsigned i;
175 	size_t sz;
176 	int ret = 0;
177 
178 	for (i = 0; i < args->nr_cmds; i++) {
179 		struct drm_msm_gem_submit_cmd submit_cmd;
180 		void __user *userptr =
181 			u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
182 
183 		ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
184 		if (ret) {
185 			ret = -EFAULT;
186 			goto out;
187 		}
188 
189 		/* validate input from userspace: */
190 		switch (submit_cmd.type) {
191 		case MSM_SUBMIT_CMD_BUF:
192 		case MSM_SUBMIT_CMD_IB_TARGET_BUF:
193 		case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
194 			break;
195 		default:
196 			DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
197 			return -EINVAL;
198 		}
199 
200 		if (submit_cmd.size % 4) {
201 			DRM_ERROR("non-aligned cmdstream buffer size: %u\n",
202 					submit_cmd.size);
203 			ret = -EINVAL;
204 			goto out;
205 		}
206 
207 		submit->cmd[i].type = submit_cmd.type;
208 		submit->cmd[i].size = submit_cmd.size / 4;
209 		submit->cmd[i].offset = submit_cmd.submit_offset / 4;
210 		submit->cmd[i].idx  = submit_cmd.submit_idx;
211 		submit->cmd[i].nr_relocs = submit_cmd.nr_relocs;
212 
213 		userptr = u64_to_user_ptr(submit_cmd.relocs);
214 
215 		sz = array_size(submit_cmd.nr_relocs,
216 				sizeof(struct drm_msm_gem_submit_reloc));
217 		/* check for overflow: */
218 		if (sz == SIZE_MAX) {
219 			ret = -ENOMEM;
220 			goto out;
221 		}
222 		submit->cmd[i].relocs = kmalloc(sz, GFP_KERNEL);
223 		if (!submit->cmd[i].relocs) {
224 			ret = -ENOMEM;
225 			goto out;
226 		}
227 		ret = copy_from_user(submit->cmd[i].relocs, userptr, sz);
228 		if (ret) {
229 			ret = -EFAULT;
230 			goto out;
231 		}
232 	}
233 
234 out:
235 	return ret;
236 }
237 
238 /* Unwind bo state, according to cleanup_flags.  In the success case, only
239  * the lock is dropped at the end of the submit (and active/pin ref is dropped
240  * later when the submit is retired).
241  */
submit_cleanup_bo(struct msm_gem_submit * submit,int i,unsigned cleanup_flags)242 static void submit_cleanup_bo(struct msm_gem_submit *submit, int i,
243 		unsigned cleanup_flags)
244 {
245 	struct drm_gem_object *obj = &submit->bos[i].obj->base;
246 	unsigned flags = submit->bos[i].flags & cleanup_flags;
247 
248 	if (flags & BO_PINNED)
249 		msm_gem_unpin_iova_locked(obj, submit->aspace);
250 
251 	if (flags & BO_ACTIVE)
252 		msm_gem_active_put(obj);
253 
254 	if (flags & BO_LOCKED)
255 		dma_resv_unlock(obj->resv);
256 
257 	submit->bos[i].flags &= ~cleanup_flags;
258 }
259 
submit_unlock_unpin_bo(struct msm_gem_submit * submit,int i)260 static void submit_unlock_unpin_bo(struct msm_gem_submit *submit, int i)
261 {
262 	submit_cleanup_bo(submit, i, BO_PINNED | BO_ACTIVE | BO_LOCKED);
263 
264 	if (!(submit->bos[i].flags & BO_VALID))
265 		submit->bos[i].iova = 0;
266 }
267 
268 /* This is where we make sure all the bo's are reserved and pin'd: */
submit_lock_objects(struct msm_gem_submit * submit)269 static int submit_lock_objects(struct msm_gem_submit *submit)
270 {
271 	int contended, slow_locked = -1, i, ret = 0;
272 
273 retry:
274 	for (i = 0; i < submit->nr_bos; i++) {
275 		struct msm_gem_object *msm_obj = submit->bos[i].obj;
276 
277 		if (slow_locked == i)
278 			slow_locked = -1;
279 
280 		contended = i;
281 
282 		if (!(submit->bos[i].flags & BO_LOCKED)) {
283 			ret = dma_resv_lock_interruptible(msm_obj->base.resv,
284 							  &submit->ticket);
285 			if (ret)
286 				goto fail;
287 			submit->bos[i].flags |= BO_LOCKED;
288 		}
289 	}
290 
291 	ww_acquire_done(&submit->ticket);
292 
293 	return 0;
294 
295 fail:
296 	if (ret == -EALREADY) {
297 		DRM_ERROR("handle %u at index %u already on submit list\n",
298 				submit->bos[i].handle, i);
299 		ret = -EINVAL;
300 	}
301 
302 	for (; i >= 0; i--)
303 		submit_unlock_unpin_bo(submit, i);
304 
305 	if (slow_locked > 0)
306 		submit_unlock_unpin_bo(submit, slow_locked);
307 
308 	if (ret == -EDEADLK) {
309 		struct msm_gem_object *msm_obj = submit->bos[contended].obj;
310 		/* we lost out in a seqno race, lock and retry.. */
311 		ret = dma_resv_lock_slow_interruptible(msm_obj->base.resv,
312 						       &submit->ticket);
313 		if (!ret) {
314 			submit->bos[contended].flags |= BO_LOCKED;
315 			slow_locked = contended;
316 			goto retry;
317 		}
318 
319 		/* Not expecting -EALREADY here, if the bo was already
320 		 * locked, we should have gotten -EALREADY already from
321 		 * the dma_resv_lock_interruptable() call.
322 		 */
323 		WARN_ON_ONCE(ret == -EALREADY);
324 	}
325 
326 	return ret;
327 }
328 
submit_fence_sync(struct msm_gem_submit * submit,bool no_implicit)329 static int submit_fence_sync(struct msm_gem_submit *submit, bool no_implicit)
330 {
331 	int i, ret = 0;
332 
333 	for (i = 0; i < submit->nr_bos; i++) {
334 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
335 		bool write = submit->bos[i].flags & MSM_SUBMIT_BO_WRITE;
336 
337 		if (!write) {
338 			/* NOTE: _reserve_shared() must happen before
339 			 * _add_shared_fence(), which makes this a slightly
340 			 * strange place to call it.  OTOH this is a
341 			 * convenient can-fail point to hook it in.
342 			 */
343 			ret = dma_resv_reserve_shared(obj->resv, 1);
344 			if (ret)
345 				return ret;
346 		}
347 
348 		if (no_implicit)
349 			continue;
350 
351 		ret = drm_gem_fence_array_add_implicit(&submit->deps, obj,
352 			write);
353 		if (ret)
354 			break;
355 	}
356 
357 	return ret;
358 }
359 
submit_pin_objects(struct msm_gem_submit * submit)360 static int submit_pin_objects(struct msm_gem_submit *submit)
361 {
362 	int i, ret = 0;
363 
364 	submit->valid = true;
365 
366 	/*
367 	 * Increment active_count first, so if under memory pressure, we
368 	 * don't inadvertently evict a bo needed by the submit in order
369 	 * to pin an earlier bo in the same submit.
370 	 */
371 	for (i = 0; i < submit->nr_bos; i++) {
372 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
373 
374 		msm_gem_active_get(obj, submit->gpu);
375 		submit->bos[i].flags |= BO_ACTIVE;
376 	}
377 
378 	for (i = 0; i < submit->nr_bos; i++) {
379 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
380 		uint64_t iova;
381 
382 		/* if locking succeeded, pin bo: */
383 		ret = msm_gem_get_and_pin_iova_locked(obj,
384 				submit->aspace, &iova);
385 
386 		if (ret)
387 			break;
388 
389 		submit->bos[i].flags |= BO_PINNED;
390 
391 		if (iova == submit->bos[i].iova) {
392 			submit->bos[i].flags |= BO_VALID;
393 		} else {
394 			submit->bos[i].iova = iova;
395 			/* iova changed, so address in cmdstream is not valid: */
396 			submit->bos[i].flags &= ~BO_VALID;
397 			submit->valid = false;
398 		}
399 	}
400 
401 	return ret;
402 }
403 
submit_attach_object_fences(struct msm_gem_submit * submit)404 static void submit_attach_object_fences(struct msm_gem_submit *submit)
405 {
406 	int i;
407 
408 	for (i = 0; i < submit->nr_bos; i++) {
409 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
410 
411 		if (submit->bos[i].flags & MSM_SUBMIT_BO_WRITE)
412 			dma_resv_add_excl_fence(obj->resv, submit->user_fence);
413 		else if (submit->bos[i].flags & MSM_SUBMIT_BO_READ)
414 			dma_resv_add_shared_fence(obj->resv, submit->user_fence);
415 	}
416 }
417 
submit_bo(struct msm_gem_submit * submit,uint32_t idx,struct msm_gem_object ** obj,uint64_t * iova,bool * valid)418 static int submit_bo(struct msm_gem_submit *submit, uint32_t idx,
419 		struct msm_gem_object **obj, uint64_t *iova, bool *valid)
420 {
421 	if (idx >= submit->nr_bos) {
422 		DRM_ERROR("invalid buffer index: %u (out of %u)\n",
423 				idx, submit->nr_bos);
424 		return -EINVAL;
425 	}
426 
427 	if (obj)
428 		*obj = submit->bos[idx].obj;
429 	if (iova)
430 		*iova = submit->bos[idx].iova;
431 	if (valid)
432 		*valid = !!(submit->bos[idx].flags & BO_VALID);
433 
434 	return 0;
435 }
436 
437 /* process the reloc's and patch up the cmdstream as needed: */
submit_reloc(struct msm_gem_submit * submit,struct msm_gem_object * obj,uint32_t offset,uint32_t nr_relocs,struct drm_msm_gem_submit_reloc * relocs)438 static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *obj,
439 		uint32_t offset, uint32_t nr_relocs, struct drm_msm_gem_submit_reloc *relocs)
440 {
441 	uint32_t i, last_offset = 0;
442 	uint32_t *ptr;
443 	int ret = 0;
444 
445 	if (!nr_relocs)
446 		return 0;
447 
448 	if (offset % 4) {
449 		DRM_ERROR("non-aligned cmdstream buffer: %u\n", offset);
450 		return -EINVAL;
451 	}
452 
453 	/* For now, just map the entire thing.  Eventually we probably
454 	 * to do it page-by-page, w/ kmap() if not vmap()d..
455 	 */
456 	ptr = msm_gem_get_vaddr_locked(&obj->base);
457 
458 	if (IS_ERR(ptr)) {
459 		ret = PTR_ERR(ptr);
460 		DBG("failed to map: %d", ret);
461 		return ret;
462 	}
463 
464 	for (i = 0; i < nr_relocs; i++) {
465 		struct drm_msm_gem_submit_reloc submit_reloc = relocs[i];
466 		uint32_t off;
467 		uint64_t iova;
468 		bool valid;
469 
470 		if (submit_reloc.submit_offset % 4) {
471 			DRM_ERROR("non-aligned reloc offset: %u\n",
472 					submit_reloc.submit_offset);
473 			ret = -EINVAL;
474 			goto out;
475 		}
476 
477 		/* offset in dwords: */
478 		off = submit_reloc.submit_offset / 4;
479 
480 		if ((off >= (obj->base.size / 4)) ||
481 				(off < last_offset)) {
482 			DRM_ERROR("invalid offset %u at reloc %u\n", off, i);
483 			ret = -EINVAL;
484 			goto out;
485 		}
486 
487 		ret = submit_bo(submit, submit_reloc.reloc_idx, NULL, &iova, &valid);
488 		if (ret)
489 			goto out;
490 
491 		if (valid)
492 			continue;
493 
494 		iova += submit_reloc.reloc_offset;
495 
496 		if (submit_reloc.shift < 0)
497 			iova >>= -submit_reloc.shift;
498 		else
499 			iova <<= submit_reloc.shift;
500 
501 		ptr[off] = iova | submit_reloc.or;
502 
503 		last_offset = off;
504 	}
505 
506 out:
507 	msm_gem_put_vaddr_locked(&obj->base);
508 
509 	return ret;
510 }
511 
512 /* Cleanup submit at end of ioctl.  In the error case, this also drops
513  * references, unpins, and drops active refcnt.  In the non-error case,
514  * this is done when the submit is retired.
515  */
submit_cleanup(struct msm_gem_submit * submit,bool error)516 static void submit_cleanup(struct msm_gem_submit *submit, bool error)
517 {
518 	unsigned cleanup_flags = BO_LOCKED;
519 	unsigned i;
520 
521 	if (error)
522 		cleanup_flags |= BO_PINNED | BO_ACTIVE;
523 
524 	for (i = 0; i < submit->nr_bos; i++) {
525 		struct msm_gem_object *msm_obj = submit->bos[i].obj;
526 		submit_cleanup_bo(submit, i, cleanup_flags);
527 		if (error)
528 			drm_gem_object_put(&msm_obj->base);
529 	}
530 }
531 
msm_submit_retire(struct msm_gem_submit * submit)532 void msm_submit_retire(struct msm_gem_submit *submit)
533 {
534 	int i;
535 
536 	for (i = 0; i < submit->nr_bos; i++) {
537 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
538 
539 		msm_gem_lock(obj);
540 		submit_cleanup_bo(submit, i, BO_PINNED | BO_ACTIVE);
541 		msm_gem_unlock(obj);
542 		drm_gem_object_put(obj);
543 	}
544 }
545 
546 struct msm_submit_post_dep {
547 	struct drm_syncobj *syncobj;
548 	uint64_t point;
549 	struct dma_fence_chain *chain;
550 };
551 
msm_parse_deps(struct msm_gem_submit * submit,struct drm_file * file,uint64_t in_syncobjs_addr,uint32_t nr_in_syncobjs,size_t syncobj_stride,struct msm_ringbuffer * ring)552 static struct drm_syncobj **msm_parse_deps(struct msm_gem_submit *submit,
553                                            struct drm_file *file,
554                                            uint64_t in_syncobjs_addr,
555                                            uint32_t nr_in_syncobjs,
556                                            size_t syncobj_stride,
557                                            struct msm_ringbuffer *ring)
558 {
559 	struct drm_syncobj **syncobjs = NULL;
560 	struct drm_msm_gem_submit_syncobj syncobj_desc = {0};
561 	int ret = 0;
562 	uint32_t i, j;
563 
564 	syncobjs = kcalloc(nr_in_syncobjs, sizeof(*syncobjs),
565 	                   GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
566 	if (!syncobjs)
567 		return ERR_PTR(-ENOMEM);
568 
569 	for (i = 0; i < nr_in_syncobjs; ++i) {
570 		uint64_t address = in_syncobjs_addr + i * syncobj_stride;
571 		struct dma_fence *fence;
572 
573 		if (copy_from_user(&syncobj_desc,
574 			           u64_to_user_ptr(address),
575 			           min(syncobj_stride, sizeof(syncobj_desc)))) {
576 			ret = -EFAULT;
577 			break;
578 		}
579 
580 		if (syncobj_desc.point &&
581 		    !drm_core_check_feature(submit->dev, DRIVER_SYNCOBJ_TIMELINE)) {
582 			ret = -EOPNOTSUPP;
583 			break;
584 		}
585 
586 		if (syncobj_desc.flags & ~MSM_SUBMIT_SYNCOBJ_FLAGS) {
587 			ret = -EINVAL;
588 			break;
589 		}
590 
591 		ret = drm_syncobj_find_fence(file, syncobj_desc.handle,
592 		                             syncobj_desc.point, 0, &fence);
593 		if (ret)
594 			break;
595 
596 		ret = drm_gem_fence_array_add(&submit->deps, fence);
597 		if (ret)
598 			break;
599 
600 		if (syncobj_desc.flags & MSM_SUBMIT_SYNCOBJ_RESET) {
601 			syncobjs[i] =
602 				drm_syncobj_find(file, syncobj_desc.handle);
603 			if (!syncobjs[i]) {
604 				ret = -EINVAL;
605 				break;
606 			}
607 		}
608 	}
609 
610 	if (ret) {
611 		for (j = 0; j <= i; ++j) {
612 			if (syncobjs[j])
613 				drm_syncobj_put(syncobjs[j]);
614 		}
615 		kfree(syncobjs);
616 		return ERR_PTR(ret);
617 	}
618 	return syncobjs;
619 }
620 
msm_reset_syncobjs(struct drm_syncobj ** syncobjs,uint32_t nr_syncobjs)621 static void msm_reset_syncobjs(struct drm_syncobj **syncobjs,
622                                uint32_t nr_syncobjs)
623 {
624 	uint32_t i;
625 
626 	for (i = 0; syncobjs && i < nr_syncobjs; ++i) {
627 		if (syncobjs[i])
628 			drm_syncobj_replace_fence(syncobjs[i], NULL);
629 	}
630 }
631 
msm_parse_post_deps(struct drm_device * dev,struct drm_file * file,uint64_t syncobjs_addr,uint32_t nr_syncobjs,size_t syncobj_stride)632 static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev,
633                                                        struct drm_file *file,
634                                                        uint64_t syncobjs_addr,
635                                                        uint32_t nr_syncobjs,
636                                                        size_t syncobj_stride)
637 {
638 	struct msm_submit_post_dep *post_deps;
639 	struct drm_msm_gem_submit_syncobj syncobj_desc = {0};
640 	int ret = 0;
641 	uint32_t i, j;
642 
643 	post_deps = kcalloc(nr_syncobjs, sizeof(*post_deps),
644 			    GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
645 	if (!post_deps)
646 		return ERR_PTR(-ENOMEM);
647 
648 	for (i = 0; i < nr_syncobjs; ++i) {
649 		uint64_t address = syncobjs_addr + i * syncobj_stride;
650 
651 		if (copy_from_user(&syncobj_desc,
652 			           u64_to_user_ptr(address),
653 			           min(syncobj_stride, sizeof(syncobj_desc)))) {
654 			ret = -EFAULT;
655 			break;
656 		}
657 
658 		post_deps[i].point = syncobj_desc.point;
659 
660 		if (syncobj_desc.flags) {
661 			ret = -EINVAL;
662 			break;
663 		}
664 
665 		if (syncobj_desc.point) {
666 			if (!drm_core_check_feature(dev,
667 			                            DRIVER_SYNCOBJ_TIMELINE)) {
668 				ret = -EOPNOTSUPP;
669 				break;
670 			}
671 
672 			post_deps[i].chain = dma_fence_chain_alloc();
673 			if (!post_deps[i].chain) {
674 				ret = -ENOMEM;
675 				break;
676 			}
677 		}
678 
679 		post_deps[i].syncobj =
680 			drm_syncobj_find(file, syncobj_desc.handle);
681 		if (!post_deps[i].syncobj) {
682 			ret = -EINVAL;
683 			break;
684 		}
685 	}
686 
687 	if (ret) {
688 		for (j = 0; j <= i; ++j) {
689 			dma_fence_chain_free(post_deps[j].chain);
690 			if (post_deps[j].syncobj)
691 				drm_syncobj_put(post_deps[j].syncobj);
692 		}
693 
694 		kfree(post_deps);
695 		return ERR_PTR(ret);
696 	}
697 
698 	return post_deps;
699 }
700 
msm_process_post_deps(struct msm_submit_post_dep * post_deps,uint32_t count,struct dma_fence * fence)701 static void msm_process_post_deps(struct msm_submit_post_dep *post_deps,
702                                   uint32_t count, struct dma_fence *fence)
703 {
704 	uint32_t i;
705 
706 	for (i = 0; post_deps && i < count; ++i) {
707 		if (post_deps[i].chain) {
708 			drm_syncobj_add_point(post_deps[i].syncobj,
709 			                      post_deps[i].chain,
710 			                      fence, post_deps[i].point);
711 			post_deps[i].chain = NULL;
712 		} else {
713 			drm_syncobj_replace_fence(post_deps[i].syncobj,
714 			                          fence);
715 		}
716 	}
717 }
718 
msm_ioctl_gem_submit(struct drm_device * dev,void * data,struct drm_file * file)719 int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
720 		struct drm_file *file)
721 {
722 	static atomic_t ident = ATOMIC_INIT(0);
723 	struct msm_drm_private *priv = dev->dev_private;
724 	struct drm_msm_gem_submit *args = data;
725 	struct msm_file_private *ctx = file->driver_priv;
726 	struct msm_gem_submit *submit = NULL;
727 	struct msm_gpu *gpu = priv->gpu;
728 	struct msm_gpu_submitqueue *queue;
729 	struct msm_ringbuffer *ring;
730 	struct msm_submit_post_dep *post_deps = NULL;
731 	struct drm_syncobj **syncobjs_to_reset = NULL;
732 	int out_fence_fd = -1;
733 	struct pid *pid = get_pid(task_pid(current));
734 	bool has_ww_ticket = false;
735 	unsigned i;
736 	int ret, submitid;
737 
738 	if (!gpu)
739 		return -ENXIO;
740 
741 	if (args->pad)
742 		return -EINVAL;
743 
744 	/* for now, we just have 3d pipe.. eventually this would need to
745 	 * be more clever to dispatch to appropriate gpu module:
746 	 */
747 	if (MSM_PIPE_ID(args->flags) != MSM_PIPE_3D0)
748 		return -EINVAL;
749 
750 	if (MSM_PIPE_FLAGS(args->flags) & ~MSM_SUBMIT_FLAGS)
751 		return -EINVAL;
752 
753 	if (args->flags & MSM_SUBMIT_SUDO) {
754 		if (!IS_ENABLED(CONFIG_DRM_MSM_GPU_SUDO) ||
755 		    !capable(CAP_SYS_RAWIO))
756 			return -EINVAL;
757 	}
758 
759 	queue = msm_submitqueue_get(ctx, args->queueid);
760 	if (!queue)
761 		return -ENOENT;
762 
763 	/* Get a unique identifier for the submission for logging purposes */
764 	submitid = atomic_inc_return(&ident) - 1;
765 
766 	ring = gpu->rb[queue->ring_nr];
767 	trace_msm_gpu_submit(pid_nr(pid), ring->id, submitid,
768 		args->nr_bos, args->nr_cmds);
769 
770 	ret = mutex_lock_interruptible(&queue->lock);
771 	if (ret)
772 		goto out_post_unlock;
773 
774 	if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
775 		out_fence_fd = get_unused_fd_flags(O_CLOEXEC);
776 		if (out_fence_fd < 0) {
777 			ret = out_fence_fd;
778 			goto out_unlock;
779 		}
780 	}
781 
782 	submit = submit_create(dev, gpu, queue, args->nr_bos,
783 		args->nr_cmds);
784 	if (IS_ERR(submit)) {
785 		ret = PTR_ERR(submit);
786 		submit = NULL;
787 		goto out_unlock;
788 	}
789 
790 	submit->pid = pid;
791 	submit->ident = submitid;
792 
793 	if (args->flags & MSM_SUBMIT_SUDO)
794 		submit->in_rb = true;
795 
796 	if (args->flags & MSM_SUBMIT_FENCE_FD_IN) {
797 		struct dma_fence *in_fence;
798 
799 		in_fence = sync_file_get_fence(args->fence_fd);
800 
801 		if (!in_fence) {
802 			ret = -EINVAL;
803 			goto out_unlock;
804 		}
805 
806 		ret = drm_gem_fence_array_add(&submit->deps, in_fence);
807 		if (ret)
808 			goto out_unlock;
809 	}
810 
811 	if (args->flags & MSM_SUBMIT_SYNCOBJ_IN) {
812 		syncobjs_to_reset = msm_parse_deps(submit, file,
813 		                                   args->in_syncobjs,
814 		                                   args->nr_in_syncobjs,
815 		                                   args->syncobj_stride, ring);
816 		if (IS_ERR(syncobjs_to_reset)) {
817 			ret = PTR_ERR(syncobjs_to_reset);
818 			goto out_unlock;
819 		}
820 	}
821 
822 	if (args->flags & MSM_SUBMIT_SYNCOBJ_OUT) {
823 		post_deps = msm_parse_post_deps(dev, file,
824 		                                args->out_syncobjs,
825 		                                args->nr_out_syncobjs,
826 		                                args->syncobj_stride);
827 		if (IS_ERR(post_deps)) {
828 			ret = PTR_ERR(post_deps);
829 			goto out_unlock;
830 		}
831 	}
832 
833 	ret = submit_lookup_objects(submit, args, file);
834 	if (ret)
835 		goto out;
836 
837 	ret = submit_lookup_cmds(submit, args, file);
838 	if (ret)
839 		goto out;
840 
841 	/* copy_*_user while holding a ww ticket upsets lockdep */
842 	ww_acquire_init(&submit->ticket, &reservation_ww_class);
843 	has_ww_ticket = true;
844 	ret = submit_lock_objects(submit);
845 	if (ret)
846 		goto out;
847 
848 	ret = submit_fence_sync(submit, !!(args->flags & MSM_SUBMIT_NO_IMPLICIT));
849 	if (ret)
850 		goto out;
851 
852 	ret = submit_pin_objects(submit);
853 	if (ret)
854 		goto out;
855 
856 	for (i = 0; i < args->nr_cmds; i++) {
857 		struct msm_gem_object *msm_obj;
858 		uint64_t iova;
859 
860 		ret = submit_bo(submit, submit->cmd[i].idx,
861 				&msm_obj, &iova, NULL);
862 		if (ret)
863 			goto out;
864 
865 		if (!submit->cmd[i].size ||
866 			((submit->cmd[i].size + submit->cmd[i].offset) >
867 				msm_obj->base.size / 4)) {
868 			DRM_ERROR("invalid cmdstream size: %u\n", submit->cmd[i].size * 4);
869 			ret = -EINVAL;
870 			goto out;
871 		}
872 
873 		submit->cmd[i].iova = iova + (submit->cmd[i].offset * 4);
874 
875 		if (submit->valid)
876 			continue;
877 
878 		ret = submit_reloc(submit, msm_obj, submit->cmd[i].offset * 4,
879 				submit->cmd[i].nr_relocs, submit->cmd[i].relocs);
880 		if (ret)
881 			goto out;
882 	}
883 
884 	submit->nr_cmds = i;
885 
886 	submit->user_fence = dma_fence_get(&submit->base.s_fence->finished);
887 
888 	/*
889 	 * Allocate an id which can be used by WAIT_FENCE ioctl to map back
890 	 * to the underlying fence.
891 	 */
892 	submit->fence_id = idr_alloc_cyclic(&queue->fence_idr,
893 			submit->user_fence, 1, INT_MAX, GFP_KERNEL);
894 	if (submit->fence_id < 0) {
895 		ret = submit->fence_id;
896 		submit->fence_id = 0;
897 		goto out;
898 	}
899 
900 	if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
901 		struct sync_file *sync_file = sync_file_create(submit->user_fence);
902 		if (!sync_file) {
903 			ret = -ENOMEM;
904 			goto out;
905 		}
906 		fd_install(out_fence_fd, sync_file->file);
907 		args->fence_fd = out_fence_fd;
908 	}
909 
910 	submit_attach_object_fences(submit);
911 
912 	/* The scheduler owns a ref now: */
913 	msm_gem_submit_get(submit);
914 
915 	drm_sched_entity_push_job(&submit->base, queue->entity);
916 
917 	args->fence = submit->fence_id;
918 	queue->last_fence = submit->fence_id;
919 
920 	msm_reset_syncobjs(syncobjs_to_reset, args->nr_in_syncobjs);
921 	msm_process_post_deps(post_deps, args->nr_out_syncobjs,
922 	                      submit->user_fence);
923 
924 
925 out:
926 	submit_cleanup(submit, !!ret);
927 	if (has_ww_ticket)
928 		ww_acquire_fini(&submit->ticket);
929 out_unlock:
930 	if (ret && (out_fence_fd >= 0))
931 		put_unused_fd(out_fence_fd);
932 	mutex_unlock(&queue->lock);
933 	if (submit)
934 		msm_gem_submit_put(submit);
935 out_post_unlock:
936 	if (!IS_ERR_OR_NULL(post_deps)) {
937 		for (i = 0; i < args->nr_out_syncobjs; ++i) {
938 			kfree(post_deps[i].chain);
939 			drm_syncobj_put(post_deps[i].syncobj);
940 		}
941 		kfree(post_deps);
942 	}
943 
944 	if (!IS_ERR_OR_NULL(syncobjs_to_reset)) {
945 		for (i = 0; i < args->nr_in_syncobjs; ++i) {
946 			if (syncobjs_to_reset[i])
947 				drm_syncobj_put(syncobjs_to_reset[i]);
948 		}
949 		kfree(syncobjs_to_reset);
950 	}
951 
952 	return ret;
953 }
954