1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (C) 2013 Red Hat
4  * Author: Rob Clark <robdclark@gmail.com>
5  */
6 
7 #include <linux/file.h>
8 #include <linux/sync_file.h>
9 #include <linux/uaccess.h>
10 
11 #include <drm/drm_drv.h>
12 #include <drm/drm_file.h>
13 #include <drm/drm_syncobj.h>
14 
15 #include "msm_drv.h"
16 #include "msm_gpu.h"
17 #include "msm_gem.h"
18 #include "msm_gpu_trace.h"
19 
20 /*
21  * Cmdstream submission:
22  */
23 
submit_create(struct drm_device * dev,struct msm_gpu * gpu,struct msm_gpu_submitqueue * queue,uint32_t nr_bos,uint32_t nr_cmds)24 static struct msm_gem_submit *submit_create(struct drm_device *dev,
25 		struct msm_gpu *gpu,
26 		struct msm_gpu_submitqueue *queue, uint32_t nr_bos,
27 		uint32_t nr_cmds)
28 {
29 	static atomic_t ident = ATOMIC_INIT(0);
30 	struct msm_gem_submit *submit;
31 	uint64_t sz;
32 	int ret;
33 
34 	sz = struct_size(submit, bos, nr_bos) +
35 			((u64)nr_cmds * sizeof(submit->cmd[0]));
36 
37 	if (sz > SIZE_MAX)
38 		return ERR_PTR(-ENOMEM);
39 
40 	submit = kzalloc(sz, GFP_KERNEL);
41 	if (!submit)
42 		return ERR_PTR(-ENOMEM);
43 
44 	ret = drm_sched_job_init(&submit->base, queue->entity, queue);
45 	if (ret) {
46 		kfree(submit);
47 		return ERR_PTR(ret);
48 	}
49 
50 	kref_init(&submit->ref);
51 	submit->dev = dev;
52 	submit->aspace = queue->ctx->aspace;
53 	submit->gpu = gpu;
54 	submit->cmd = (void *)&submit->bos[nr_bos];
55 	submit->queue = queue;
56 	submit->pid = get_pid(task_pid(current));
57 	submit->ring = gpu->rb[queue->ring_nr];
58 	submit->fault_dumped = false;
59 
60 	/* Get a unique identifier for the submission for logging purposes */
61 	submit->ident = atomic_inc_return(&ident) - 1;
62 
63 	INIT_LIST_HEAD(&submit->node);
64 
65 	return submit;
66 }
67 
__msm_gem_submit_destroy(struct kref * kref)68 void __msm_gem_submit_destroy(struct kref *kref)
69 {
70 	struct msm_gem_submit *submit =
71 			container_of(kref, struct msm_gem_submit, ref);
72 	unsigned i;
73 
74 	if (submit->fence_id) {
75 		mutex_lock(&submit->queue->idr_lock);
76 		idr_remove(&submit->queue->fence_idr, submit->fence_id);
77 		mutex_unlock(&submit->queue->idr_lock);
78 	}
79 
80 	dma_fence_put(submit->user_fence);
81 	dma_fence_put(submit->hw_fence);
82 
83 	put_pid(submit->pid);
84 	msm_submitqueue_put(submit->queue);
85 
86 	for (i = 0; i < submit->nr_cmds; i++)
87 		kfree(submit->cmd[i].relocs);
88 
89 	kfree(submit);
90 }
91 
submit_lookup_objects(struct msm_gem_submit * submit,struct drm_msm_gem_submit * args,struct drm_file * file)92 static int submit_lookup_objects(struct msm_gem_submit *submit,
93 		struct drm_msm_gem_submit *args, struct drm_file *file)
94 {
95 	unsigned i;
96 	int ret = 0;
97 
98 	for (i = 0; i < args->nr_bos; i++) {
99 		struct drm_msm_gem_submit_bo submit_bo;
100 		void __user *userptr =
101 			u64_to_user_ptr(args->bos + (i * sizeof(submit_bo)));
102 
103 		/* make sure we don't have garbage flags, in case we hit
104 		 * error path before flags is initialized:
105 		 */
106 		submit->bos[i].flags = 0;
107 
108 		if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) {
109 			ret = -EFAULT;
110 			i = 0;
111 			goto out;
112 		}
113 
114 /* at least one of READ and/or WRITE flags should be set: */
115 #define MANDATORY_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE)
116 
117 		if ((submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) ||
118 			!(submit_bo.flags & MANDATORY_FLAGS)) {
119 			DRM_ERROR("invalid flags: %x\n", submit_bo.flags);
120 			ret = -EINVAL;
121 			i = 0;
122 			goto out;
123 		}
124 
125 		submit->bos[i].handle = submit_bo.handle;
126 		submit->bos[i].flags = submit_bo.flags;
127 		/* in validate_objects() we figure out if this is true: */
128 		submit->bos[i].iova  = submit_bo.presumed;
129 	}
130 
131 	spin_lock(&file->table_lock);
132 
133 	for (i = 0; i < args->nr_bos; i++) {
134 		struct drm_gem_object *obj;
135 
136 		/* normally use drm_gem_object_lookup(), but for bulk lookup
137 		 * all under single table_lock just hit object_idr directly:
138 		 */
139 		obj = idr_find(&file->object_idr, submit->bos[i].handle);
140 		if (!obj) {
141 			DRM_ERROR("invalid handle %u at index %u\n", submit->bos[i].handle, i);
142 			ret = -EINVAL;
143 			goto out_unlock;
144 		}
145 
146 		drm_gem_object_get(obj);
147 
148 		submit->bos[i].obj = to_msm_bo(obj);
149 	}
150 
151 out_unlock:
152 	spin_unlock(&file->table_lock);
153 
154 out:
155 	submit->nr_bos = i;
156 
157 	return ret;
158 }
159 
submit_lookup_cmds(struct msm_gem_submit * submit,struct drm_msm_gem_submit * args,struct drm_file * file)160 static int submit_lookup_cmds(struct msm_gem_submit *submit,
161 		struct drm_msm_gem_submit *args, struct drm_file *file)
162 {
163 	unsigned i;
164 	size_t sz;
165 	int ret = 0;
166 
167 	for (i = 0; i < args->nr_cmds; i++) {
168 		struct drm_msm_gem_submit_cmd submit_cmd;
169 		void __user *userptr =
170 			u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd)));
171 
172 		ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd));
173 		if (ret) {
174 			ret = -EFAULT;
175 			goto out;
176 		}
177 
178 		/* validate input from userspace: */
179 		switch (submit_cmd.type) {
180 		case MSM_SUBMIT_CMD_BUF:
181 		case MSM_SUBMIT_CMD_IB_TARGET_BUF:
182 		case MSM_SUBMIT_CMD_CTX_RESTORE_BUF:
183 			break;
184 		default:
185 			DRM_ERROR("invalid type: %08x\n", submit_cmd.type);
186 			return -EINVAL;
187 		}
188 
189 		if (submit_cmd.size % 4) {
190 			DRM_ERROR("non-aligned cmdstream buffer size: %u\n",
191 					submit_cmd.size);
192 			ret = -EINVAL;
193 			goto out;
194 		}
195 
196 		submit->cmd[i].type = submit_cmd.type;
197 		submit->cmd[i].size = submit_cmd.size / 4;
198 		submit->cmd[i].offset = submit_cmd.submit_offset / 4;
199 		submit->cmd[i].idx  = submit_cmd.submit_idx;
200 		submit->cmd[i].nr_relocs = submit_cmd.nr_relocs;
201 
202 		userptr = u64_to_user_ptr(submit_cmd.relocs);
203 
204 		sz = array_size(submit_cmd.nr_relocs,
205 				sizeof(struct drm_msm_gem_submit_reloc));
206 		/* check for overflow: */
207 		if (sz == SIZE_MAX) {
208 			ret = -ENOMEM;
209 			goto out;
210 		}
211 		submit->cmd[i].relocs = kmalloc(sz, GFP_KERNEL);
212 		ret = copy_from_user(submit->cmd[i].relocs, userptr, sz);
213 		if (ret) {
214 			ret = -EFAULT;
215 			goto out;
216 		}
217 	}
218 
219 out:
220 	return ret;
221 }
222 
223 /* Unwind bo state, according to cleanup_flags.  In the success case, only
224  * the lock is dropped at the end of the submit (and active/pin ref is dropped
225  * later when the submit is retired).
226  */
submit_cleanup_bo(struct msm_gem_submit * submit,int i,unsigned cleanup_flags)227 static void submit_cleanup_bo(struct msm_gem_submit *submit, int i,
228 		unsigned cleanup_flags)
229 {
230 	struct drm_gem_object *obj = &submit->bos[i].obj->base;
231 	unsigned flags = submit->bos[i].flags & cleanup_flags;
232 
233 	/*
234 	 * Clear flags bit before dropping lock, so that the msm_job_run()
235 	 * path isn't racing with submit_cleanup() (ie. the read/modify/
236 	 * write is protected by the obj lock in all paths)
237 	 */
238 	submit->bos[i].flags &= ~cleanup_flags;
239 
240 	if (flags & BO_VMA_PINNED)
241 		msm_gem_unpin_vma(submit->bos[i].vma);
242 
243 	if (flags & BO_OBJ_PINNED)
244 		msm_gem_unpin_locked(obj);
245 
246 	if (flags & BO_LOCKED)
247 		dma_resv_unlock(obj->resv);
248 }
249 
submit_unlock_unpin_bo(struct msm_gem_submit * submit,int i)250 static void submit_unlock_unpin_bo(struct msm_gem_submit *submit, int i)
251 {
252 	unsigned cleanup_flags = BO_VMA_PINNED | BO_OBJ_PINNED | BO_LOCKED;
253 	submit_cleanup_bo(submit, i, cleanup_flags);
254 
255 	if (!(submit->bos[i].flags & BO_VALID))
256 		submit->bos[i].iova = 0;
257 }
258 
259 /* This is where we make sure all the bo's are reserved and pin'd: */
submit_lock_objects(struct msm_gem_submit * submit)260 static int submit_lock_objects(struct msm_gem_submit *submit)
261 {
262 	int contended, slow_locked = -1, i, ret = 0;
263 
264 retry:
265 	for (i = 0; i < submit->nr_bos; i++) {
266 		struct msm_gem_object *msm_obj = submit->bos[i].obj;
267 
268 		if (slow_locked == i)
269 			slow_locked = -1;
270 
271 		contended = i;
272 
273 		if (!(submit->bos[i].flags & BO_LOCKED)) {
274 			ret = dma_resv_lock_interruptible(msm_obj->base.resv,
275 							  &submit->ticket);
276 			if (ret)
277 				goto fail;
278 			submit->bos[i].flags |= BO_LOCKED;
279 		}
280 	}
281 
282 	ww_acquire_done(&submit->ticket);
283 
284 	return 0;
285 
286 fail:
287 	if (ret == -EALREADY) {
288 		DRM_ERROR("handle %u at index %u already on submit list\n",
289 				submit->bos[i].handle, i);
290 		ret = -EINVAL;
291 	}
292 
293 	for (; i >= 0; i--)
294 		submit_unlock_unpin_bo(submit, i);
295 
296 	if (slow_locked > 0)
297 		submit_unlock_unpin_bo(submit, slow_locked);
298 
299 	if (ret == -EDEADLK) {
300 		struct msm_gem_object *msm_obj = submit->bos[contended].obj;
301 		/* we lost out in a seqno race, lock and retry.. */
302 		ret = dma_resv_lock_slow_interruptible(msm_obj->base.resv,
303 						       &submit->ticket);
304 		if (!ret) {
305 			submit->bos[contended].flags |= BO_LOCKED;
306 			slow_locked = contended;
307 			goto retry;
308 		}
309 
310 		/* Not expecting -EALREADY here, if the bo was already
311 		 * locked, we should have gotten -EALREADY already from
312 		 * the dma_resv_lock_interruptable() call.
313 		 */
314 		WARN_ON_ONCE(ret == -EALREADY);
315 	}
316 
317 	return ret;
318 }
319 
submit_fence_sync(struct msm_gem_submit * submit,bool no_implicit)320 static int submit_fence_sync(struct msm_gem_submit *submit, bool no_implicit)
321 {
322 	int i, ret = 0;
323 
324 	for (i = 0; i < submit->nr_bos; i++) {
325 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
326 		bool write = submit->bos[i].flags & MSM_SUBMIT_BO_WRITE;
327 
328 		/* NOTE: _reserve_shared() must happen before
329 		 * _add_shared_fence(), which makes this a slightly
330 		 * strange place to call it.  OTOH this is a
331 		 * convenient can-fail point to hook it in.
332 		 */
333 		ret = dma_resv_reserve_fences(obj->resv, 1);
334 		if (ret)
335 			return ret;
336 
337 		/* exclusive fences must be ordered */
338 		if (no_implicit && !write)
339 			continue;
340 
341 		ret = drm_sched_job_add_implicit_dependencies(&submit->base,
342 							      obj,
343 							      write);
344 		if (ret)
345 			break;
346 	}
347 
348 	return ret;
349 }
350 
submit_pin_objects(struct msm_gem_submit * submit)351 static int submit_pin_objects(struct msm_gem_submit *submit)
352 {
353 	int i, ret = 0;
354 
355 	submit->valid = true;
356 
357 	for (i = 0; i < submit->nr_bos; i++) {
358 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
359 		struct msm_gem_vma *vma;
360 
361 		/* if locking succeeded, pin bo: */
362 		vma = msm_gem_get_vma_locked(obj, submit->aspace);
363 		if (IS_ERR(vma)) {
364 			ret = PTR_ERR(vma);
365 			break;
366 		}
367 
368 		ret = msm_gem_pin_vma_locked(obj, vma);
369 		if (ret)
370 			break;
371 
372 		submit->bos[i].flags |= BO_OBJ_PINNED | BO_VMA_PINNED;
373 		submit->bos[i].vma = vma;
374 
375 		if (vma->iova == submit->bos[i].iova) {
376 			submit->bos[i].flags |= BO_VALID;
377 		} else {
378 			submit->bos[i].iova = vma->iova;
379 			/* iova changed, so address in cmdstream is not valid: */
380 			submit->bos[i].flags &= ~BO_VALID;
381 			submit->valid = false;
382 		}
383 	}
384 
385 	return ret;
386 }
387 
submit_attach_object_fences(struct msm_gem_submit * submit)388 static void submit_attach_object_fences(struct msm_gem_submit *submit)
389 {
390 	int i;
391 
392 	for (i = 0; i < submit->nr_bos; i++) {
393 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
394 
395 		if (submit->bos[i].flags & MSM_SUBMIT_BO_WRITE)
396 			dma_resv_add_fence(obj->resv, submit->user_fence,
397 					   DMA_RESV_USAGE_WRITE);
398 		else if (submit->bos[i].flags & MSM_SUBMIT_BO_READ)
399 			dma_resv_add_fence(obj->resv, submit->user_fence,
400 					   DMA_RESV_USAGE_READ);
401 	}
402 }
403 
submit_bo(struct msm_gem_submit * submit,uint32_t idx,struct msm_gem_object ** obj,uint64_t * iova,bool * valid)404 static int submit_bo(struct msm_gem_submit *submit, uint32_t idx,
405 		struct msm_gem_object **obj, uint64_t *iova, bool *valid)
406 {
407 	if (idx >= submit->nr_bos) {
408 		DRM_ERROR("invalid buffer index: %u (out of %u)\n",
409 				idx, submit->nr_bos);
410 		return -EINVAL;
411 	}
412 
413 	if (obj)
414 		*obj = submit->bos[idx].obj;
415 	if (iova)
416 		*iova = submit->bos[idx].iova;
417 	if (valid)
418 		*valid = !!(submit->bos[idx].flags & BO_VALID);
419 
420 	return 0;
421 }
422 
423 /* process the reloc's and patch up the cmdstream as needed: */
submit_reloc(struct msm_gem_submit * submit,struct msm_gem_object * obj,uint32_t offset,uint32_t nr_relocs,struct drm_msm_gem_submit_reloc * relocs)424 static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *obj,
425 		uint32_t offset, uint32_t nr_relocs, struct drm_msm_gem_submit_reloc *relocs)
426 {
427 	uint32_t i, last_offset = 0;
428 	uint32_t *ptr;
429 	int ret = 0;
430 
431 	if (!nr_relocs)
432 		return 0;
433 
434 	if (offset % 4) {
435 		DRM_ERROR("non-aligned cmdstream buffer: %u\n", offset);
436 		return -EINVAL;
437 	}
438 
439 	/* For now, just map the entire thing.  Eventually we probably
440 	 * to do it page-by-page, w/ kmap() if not vmap()d..
441 	 */
442 	ptr = msm_gem_get_vaddr_locked(&obj->base);
443 
444 	if (IS_ERR(ptr)) {
445 		ret = PTR_ERR(ptr);
446 		DBG("failed to map: %d", ret);
447 		return ret;
448 	}
449 
450 	for (i = 0; i < nr_relocs; i++) {
451 		struct drm_msm_gem_submit_reloc submit_reloc = relocs[i];
452 		uint32_t off;
453 		uint64_t iova;
454 		bool valid;
455 
456 		if (submit_reloc.submit_offset % 4) {
457 			DRM_ERROR("non-aligned reloc offset: %u\n",
458 					submit_reloc.submit_offset);
459 			ret = -EINVAL;
460 			goto out;
461 		}
462 
463 		/* offset in dwords: */
464 		off = submit_reloc.submit_offset / 4;
465 
466 		if ((off >= (obj->base.size / 4)) ||
467 				(off < last_offset)) {
468 			DRM_ERROR("invalid offset %u at reloc %u\n", off, i);
469 			ret = -EINVAL;
470 			goto out;
471 		}
472 
473 		ret = submit_bo(submit, submit_reloc.reloc_idx, NULL, &iova, &valid);
474 		if (ret)
475 			goto out;
476 
477 		if (valid)
478 			continue;
479 
480 		iova += submit_reloc.reloc_offset;
481 
482 		if (submit_reloc.shift < 0)
483 			iova >>= -submit_reloc.shift;
484 		else
485 			iova <<= submit_reloc.shift;
486 
487 		ptr[off] = iova | submit_reloc.or;
488 
489 		last_offset = off;
490 	}
491 
492 out:
493 	msm_gem_put_vaddr_locked(&obj->base);
494 
495 	return ret;
496 }
497 
498 /* Cleanup submit at end of ioctl.  In the error case, this also drops
499  * references, unpins, and drops active refcnt.  In the non-error case,
500  * this is done when the submit is retired.
501  */
submit_cleanup(struct msm_gem_submit * submit,bool error)502 static void submit_cleanup(struct msm_gem_submit *submit, bool error)
503 {
504 	unsigned cleanup_flags = BO_LOCKED;
505 	unsigned i;
506 
507 	if (error)
508 		cleanup_flags |= BO_VMA_PINNED | BO_OBJ_PINNED;
509 
510 	for (i = 0; i < submit->nr_bos; i++) {
511 		struct msm_gem_object *msm_obj = submit->bos[i].obj;
512 		submit_cleanup_bo(submit, i, cleanup_flags);
513 		if (error)
514 			drm_gem_object_put(&msm_obj->base);
515 	}
516 }
517 
msm_submit_retire(struct msm_gem_submit * submit)518 void msm_submit_retire(struct msm_gem_submit *submit)
519 {
520 	int i;
521 
522 	for (i = 0; i < submit->nr_bos; i++) {
523 		struct drm_gem_object *obj = &submit->bos[i].obj->base;
524 
525 		drm_gem_object_put(obj);
526 	}
527 }
528 
529 struct msm_submit_post_dep {
530 	struct drm_syncobj *syncobj;
531 	uint64_t point;
532 	struct dma_fence_chain *chain;
533 };
534 
msm_parse_deps(struct msm_gem_submit * submit,struct drm_file * file,uint64_t in_syncobjs_addr,uint32_t nr_in_syncobjs,size_t syncobj_stride,struct msm_ringbuffer * ring)535 static struct drm_syncobj **msm_parse_deps(struct msm_gem_submit *submit,
536                                            struct drm_file *file,
537                                            uint64_t in_syncobjs_addr,
538                                            uint32_t nr_in_syncobjs,
539                                            size_t syncobj_stride,
540                                            struct msm_ringbuffer *ring)
541 {
542 	struct drm_syncobj **syncobjs = NULL;
543 	struct drm_msm_gem_submit_syncobj syncobj_desc = {0};
544 	int ret = 0;
545 	uint32_t i, j;
546 
547 	syncobjs = kcalloc(nr_in_syncobjs, sizeof(*syncobjs),
548 	                   GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
549 	if (!syncobjs)
550 		return ERR_PTR(-ENOMEM);
551 
552 	for (i = 0; i < nr_in_syncobjs; ++i) {
553 		uint64_t address = in_syncobjs_addr + i * syncobj_stride;
554 		struct dma_fence *fence;
555 
556 		if (copy_from_user(&syncobj_desc,
557 			           u64_to_user_ptr(address),
558 			           min(syncobj_stride, sizeof(syncobj_desc)))) {
559 			ret = -EFAULT;
560 			break;
561 		}
562 
563 		if (syncobj_desc.point &&
564 		    !drm_core_check_feature(submit->dev, DRIVER_SYNCOBJ_TIMELINE)) {
565 			ret = -EOPNOTSUPP;
566 			break;
567 		}
568 
569 		if (syncobj_desc.flags & ~MSM_SUBMIT_SYNCOBJ_FLAGS) {
570 			ret = -EINVAL;
571 			break;
572 		}
573 
574 		ret = drm_syncobj_find_fence(file, syncobj_desc.handle,
575 		                             syncobj_desc.point, 0, &fence);
576 		if (ret)
577 			break;
578 
579 		ret = drm_sched_job_add_dependency(&submit->base, fence);
580 		if (ret)
581 			break;
582 
583 		if (syncobj_desc.flags & MSM_SUBMIT_SYNCOBJ_RESET) {
584 			syncobjs[i] =
585 				drm_syncobj_find(file, syncobj_desc.handle);
586 			if (!syncobjs[i]) {
587 				ret = -EINVAL;
588 				break;
589 			}
590 		}
591 	}
592 
593 	if (ret) {
594 		for (j = 0; j <= i; ++j) {
595 			if (syncobjs[j])
596 				drm_syncobj_put(syncobjs[j]);
597 		}
598 		kfree(syncobjs);
599 		return ERR_PTR(ret);
600 	}
601 	return syncobjs;
602 }
603 
msm_reset_syncobjs(struct drm_syncobj ** syncobjs,uint32_t nr_syncobjs)604 static void msm_reset_syncobjs(struct drm_syncobj **syncobjs,
605                                uint32_t nr_syncobjs)
606 {
607 	uint32_t i;
608 
609 	for (i = 0; syncobjs && i < nr_syncobjs; ++i) {
610 		if (syncobjs[i])
611 			drm_syncobj_replace_fence(syncobjs[i], NULL);
612 	}
613 }
614 
msm_parse_post_deps(struct drm_device * dev,struct drm_file * file,uint64_t syncobjs_addr,uint32_t nr_syncobjs,size_t syncobj_stride)615 static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev,
616                                                        struct drm_file *file,
617                                                        uint64_t syncobjs_addr,
618                                                        uint32_t nr_syncobjs,
619                                                        size_t syncobj_stride)
620 {
621 	struct msm_submit_post_dep *post_deps;
622 	struct drm_msm_gem_submit_syncobj syncobj_desc = {0};
623 	int ret = 0;
624 	uint32_t i, j;
625 
626 	post_deps = kmalloc_array(nr_syncobjs, sizeof(*post_deps),
627 	                          GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
628 	if (!post_deps)
629 		return ERR_PTR(-ENOMEM);
630 
631 	for (i = 0; i < nr_syncobjs; ++i) {
632 		uint64_t address = syncobjs_addr + i * syncobj_stride;
633 
634 		if (copy_from_user(&syncobj_desc,
635 			           u64_to_user_ptr(address),
636 			           min(syncobj_stride, sizeof(syncobj_desc)))) {
637 			ret = -EFAULT;
638 			break;
639 		}
640 
641 		post_deps[i].point = syncobj_desc.point;
642 		post_deps[i].chain = NULL;
643 
644 		if (syncobj_desc.flags) {
645 			ret = -EINVAL;
646 			break;
647 		}
648 
649 		if (syncobj_desc.point) {
650 			if (!drm_core_check_feature(dev,
651 			                            DRIVER_SYNCOBJ_TIMELINE)) {
652 				ret = -EOPNOTSUPP;
653 				break;
654 			}
655 
656 			post_deps[i].chain = dma_fence_chain_alloc();
657 			if (!post_deps[i].chain) {
658 				ret = -ENOMEM;
659 				break;
660 			}
661 		}
662 
663 		post_deps[i].syncobj =
664 			drm_syncobj_find(file, syncobj_desc.handle);
665 		if (!post_deps[i].syncobj) {
666 			ret = -EINVAL;
667 			break;
668 		}
669 	}
670 
671 	if (ret) {
672 		for (j = 0; j <= i; ++j) {
673 			dma_fence_chain_free(post_deps[j].chain);
674 			if (post_deps[j].syncobj)
675 				drm_syncobj_put(post_deps[j].syncobj);
676 		}
677 
678 		kfree(post_deps);
679 		return ERR_PTR(ret);
680 	}
681 
682 	return post_deps;
683 }
684 
msm_process_post_deps(struct msm_submit_post_dep * post_deps,uint32_t count,struct dma_fence * fence)685 static void msm_process_post_deps(struct msm_submit_post_dep *post_deps,
686                                   uint32_t count, struct dma_fence *fence)
687 {
688 	uint32_t i;
689 
690 	for (i = 0; post_deps && i < count; ++i) {
691 		if (post_deps[i].chain) {
692 			drm_syncobj_add_point(post_deps[i].syncobj,
693 			                      post_deps[i].chain,
694 			                      fence, post_deps[i].point);
695 			post_deps[i].chain = NULL;
696 		} else {
697 			drm_syncobj_replace_fence(post_deps[i].syncobj,
698 			                          fence);
699 		}
700 	}
701 }
702 
msm_ioctl_gem_submit(struct drm_device * dev,void * data,struct drm_file * file)703 int msm_ioctl_gem_submit(struct drm_device *dev, void *data,
704 		struct drm_file *file)
705 {
706 	struct msm_drm_private *priv = dev->dev_private;
707 	struct drm_msm_gem_submit *args = data;
708 	struct msm_file_private *ctx = file->driver_priv;
709 	struct msm_gem_submit *submit;
710 	struct msm_gpu *gpu = priv->gpu;
711 	struct msm_gpu_submitqueue *queue;
712 	struct msm_ringbuffer *ring;
713 	struct msm_submit_post_dep *post_deps = NULL;
714 	struct drm_syncobj **syncobjs_to_reset = NULL;
715 	int out_fence_fd = -1;
716 	bool has_ww_ticket = false;
717 	unsigned i;
718 	int ret;
719 
720 	if (!gpu)
721 		return -ENXIO;
722 
723 	if (args->pad)
724 		return -EINVAL;
725 
726 	if (unlikely(!ctx->aspace) && !capable(CAP_SYS_RAWIO)) {
727 		DRM_ERROR_RATELIMITED("IOMMU support or CAP_SYS_RAWIO required!\n");
728 		return -EPERM;
729 	}
730 
731 	/* for now, we just have 3d pipe.. eventually this would need to
732 	 * be more clever to dispatch to appropriate gpu module:
733 	 */
734 	if (MSM_PIPE_ID(args->flags) != MSM_PIPE_3D0)
735 		return -EINVAL;
736 
737 	if (MSM_PIPE_FLAGS(args->flags) & ~MSM_SUBMIT_FLAGS)
738 		return -EINVAL;
739 
740 	if (args->flags & MSM_SUBMIT_SUDO) {
741 		if (!IS_ENABLED(CONFIG_DRM_MSM_GPU_SUDO) ||
742 		    !capable(CAP_SYS_RAWIO))
743 			return -EINVAL;
744 	}
745 
746 	queue = msm_submitqueue_get(ctx, args->queueid);
747 	if (!queue)
748 		return -ENOENT;
749 
750 	ring = gpu->rb[queue->ring_nr];
751 
752 	if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
753 		out_fence_fd = get_unused_fd_flags(O_CLOEXEC);
754 		if (out_fence_fd < 0) {
755 			ret = out_fence_fd;
756 			return ret;
757 		}
758 	}
759 
760 	submit = submit_create(dev, gpu, queue, args->nr_bos, args->nr_cmds);
761 	if (IS_ERR(submit))
762 		return PTR_ERR(submit);
763 
764 	trace_msm_gpu_submit(pid_nr(submit->pid), ring->id, submit->ident,
765 		args->nr_bos, args->nr_cmds);
766 
767 	ret = mutex_lock_interruptible(&queue->lock);
768 	if (ret)
769 		goto out_post_unlock;
770 
771 	if (args->flags & MSM_SUBMIT_SUDO)
772 		submit->in_rb = true;
773 
774 	if (args->flags & MSM_SUBMIT_FENCE_FD_IN) {
775 		struct dma_fence *in_fence;
776 
777 		in_fence = sync_file_get_fence(args->fence_fd);
778 
779 		if (!in_fence) {
780 			ret = -EINVAL;
781 			goto out_unlock;
782 		}
783 
784 		ret = drm_sched_job_add_dependency(&submit->base, in_fence);
785 		if (ret)
786 			goto out_unlock;
787 	}
788 
789 	if (args->flags & MSM_SUBMIT_SYNCOBJ_IN) {
790 		syncobjs_to_reset = msm_parse_deps(submit, file,
791 		                                   args->in_syncobjs,
792 		                                   args->nr_in_syncobjs,
793 		                                   args->syncobj_stride, ring);
794 		if (IS_ERR(syncobjs_to_reset)) {
795 			ret = PTR_ERR(syncobjs_to_reset);
796 			goto out_unlock;
797 		}
798 	}
799 
800 	if (args->flags & MSM_SUBMIT_SYNCOBJ_OUT) {
801 		post_deps = msm_parse_post_deps(dev, file,
802 		                                args->out_syncobjs,
803 		                                args->nr_out_syncobjs,
804 		                                args->syncobj_stride);
805 		if (IS_ERR(post_deps)) {
806 			ret = PTR_ERR(post_deps);
807 			goto out_unlock;
808 		}
809 	}
810 
811 	ret = submit_lookup_objects(submit, args, file);
812 	if (ret)
813 		goto out;
814 
815 	ret = submit_lookup_cmds(submit, args, file);
816 	if (ret)
817 		goto out;
818 
819 	/* copy_*_user while holding a ww ticket upsets lockdep */
820 	ww_acquire_init(&submit->ticket, &reservation_ww_class);
821 	has_ww_ticket = true;
822 	ret = submit_lock_objects(submit);
823 	if (ret)
824 		goto out;
825 
826 	ret = submit_fence_sync(submit, !!(args->flags & MSM_SUBMIT_NO_IMPLICIT));
827 	if (ret)
828 		goto out;
829 
830 	ret = submit_pin_objects(submit);
831 	if (ret)
832 		goto out;
833 
834 	for (i = 0; i < args->nr_cmds; i++) {
835 		struct msm_gem_object *msm_obj;
836 		uint64_t iova;
837 
838 		ret = submit_bo(submit, submit->cmd[i].idx,
839 				&msm_obj, &iova, NULL);
840 		if (ret)
841 			goto out;
842 
843 		if (!submit->cmd[i].size ||
844 			((submit->cmd[i].size + submit->cmd[i].offset) >
845 				msm_obj->base.size / 4)) {
846 			DRM_ERROR("invalid cmdstream size: %u\n", submit->cmd[i].size * 4);
847 			ret = -EINVAL;
848 			goto out;
849 		}
850 
851 		submit->cmd[i].iova = iova + (submit->cmd[i].offset * 4);
852 
853 		if (submit->valid)
854 			continue;
855 
856 		ret = submit_reloc(submit, msm_obj, submit->cmd[i].offset * 4,
857 				submit->cmd[i].nr_relocs, submit->cmd[i].relocs);
858 		if (ret)
859 			goto out;
860 	}
861 
862 	submit->nr_cmds = i;
863 
864 	mutex_lock(&queue->idr_lock);
865 
866 	/*
867 	 * If using userspace provided seqno fence, validate that the id
868 	 * is available before arming sched job.  Since access to fence_idr
869 	 * is serialized on the queue lock, the slot should be still avail
870 	 * after the job is armed
871 	 */
872 	if ((args->flags & MSM_SUBMIT_FENCE_SN_IN) &&
873 			idr_find(&queue->fence_idr, args->fence)) {
874 		mutex_unlock(&queue->idr_lock);
875 		ret = -EINVAL;
876 		goto out;
877 	}
878 
879 	drm_sched_job_arm(&submit->base);
880 
881 	submit->user_fence = dma_fence_get(&submit->base.s_fence->finished);
882 
883 	if (args->flags & MSM_SUBMIT_FENCE_SN_IN) {
884 		/*
885 		 * Userspace has assigned the seqno fence that it wants
886 		 * us to use.  It is an error to pick a fence sequence
887 		 * number that is not available.
888 		 */
889 		submit->fence_id = args->fence;
890 		ret = idr_alloc_u32(&queue->fence_idr, submit->user_fence,
891 				    &submit->fence_id, submit->fence_id,
892 				    GFP_KERNEL);
893 		/*
894 		 * We've already validated that the fence_id slot is valid,
895 		 * so if idr_alloc_u32 failed, it is a kernel bug
896 		 */
897 		WARN_ON(ret);
898 	} else {
899 		/*
900 		 * Allocate an id which can be used by WAIT_FENCE ioctl to map
901 		 * back to the underlying fence.
902 		 */
903 		submit->fence_id = idr_alloc_cyclic(&queue->fence_idr,
904 						    submit->user_fence, 1,
905 						    INT_MAX, GFP_KERNEL);
906 	}
907 
908 	mutex_unlock(&queue->idr_lock);
909 
910 	if (submit->fence_id < 0) {
911 		ret = submit->fence_id;
912 		submit->fence_id = 0;
913 	}
914 
915 	if (ret == 0 && args->flags & MSM_SUBMIT_FENCE_FD_OUT) {
916 		struct sync_file *sync_file = sync_file_create(submit->user_fence);
917 		if (!sync_file) {
918 			ret = -ENOMEM;
919 		} else {
920 			fd_install(out_fence_fd, sync_file->file);
921 			args->fence_fd = out_fence_fd;
922 		}
923 	}
924 
925 	submit_attach_object_fences(submit);
926 
927 	/* The scheduler owns a ref now: */
928 	msm_gem_submit_get(submit);
929 
930 	drm_sched_entity_push_job(&submit->base);
931 
932 	args->fence = submit->fence_id;
933 	queue->last_fence = submit->fence_id;
934 
935 	msm_reset_syncobjs(syncobjs_to_reset, args->nr_in_syncobjs);
936 	msm_process_post_deps(post_deps, args->nr_out_syncobjs,
937 	                      submit->user_fence);
938 
939 
940 out:
941 	submit_cleanup(submit, !!ret);
942 	if (has_ww_ticket)
943 		ww_acquire_fini(&submit->ticket);
944 out_unlock:
945 	if (ret && (out_fence_fd >= 0))
946 		put_unused_fd(out_fence_fd);
947 	mutex_unlock(&queue->lock);
948 out_post_unlock:
949 	msm_gem_submit_put(submit);
950 	if (!IS_ERR_OR_NULL(post_deps)) {
951 		for (i = 0; i < args->nr_out_syncobjs; ++i) {
952 			kfree(post_deps[i].chain);
953 			drm_syncobj_put(post_deps[i].syncobj);
954 		}
955 		kfree(post_deps);
956 	}
957 
958 	if (!IS_ERR_OR_NULL(syncobjs_to_reset)) {
959 		for (i = 0; i < args->nr_in_syncobjs; ++i) {
960 			if (syncobjs_to_reset[i])
961 				drm_syncobj_put(syncobjs_to_reset[i]);
962 		}
963 		kfree(syncobjs_to_reset);
964 	}
965 
966 	return ret;
967 }
968