1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2013 Red Hat 4 * Author: Rob Clark <robdclark@gmail.com> 5 */ 6 7 #include <linux/file.h> 8 #include <linux/sync_file.h> 9 #include <linux/uaccess.h> 10 11 #include <drm/drm_drv.h> 12 #include <drm/drm_file.h> 13 #include <drm/drm_syncobj.h> 14 15 #include "msm_drv.h" 16 #include "msm_gpu.h" 17 #include "msm_gem.h" 18 #include "msm_gpu_trace.h" 19 20 /* 21 * Cmdstream submission: 22 */ 23 24 /* make sure these don't conflict w/ MSM_SUBMIT_BO_x */ 25 #define BO_VALID 0x8000 /* is current addr in cmdstream correct/valid? */ 26 #define BO_LOCKED 0x4000 27 #define BO_PINNED 0x2000 28 29 static struct msm_gem_submit *submit_create(struct drm_device *dev, 30 struct msm_gpu *gpu, struct msm_gem_address_space *aspace, 31 struct msm_gpu_submitqueue *queue, uint32_t nr_bos, 32 uint32_t nr_cmds) 33 { 34 struct msm_gem_submit *submit; 35 uint64_t sz = struct_size(submit, bos, nr_bos) + 36 ((u64)nr_cmds * sizeof(submit->cmd[0])); 37 38 if (sz > SIZE_MAX) 39 return NULL; 40 41 submit = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); 42 if (!submit) 43 return NULL; 44 45 submit->dev = dev; 46 submit->aspace = aspace; 47 submit->gpu = gpu; 48 submit->fence = NULL; 49 submit->cmd = (void *)&submit->bos[nr_bos]; 50 submit->queue = queue; 51 submit->ring = gpu->rb[queue->prio]; 52 53 /* initially, until copy_from_user() and bo lookup succeeds: */ 54 submit->nr_bos = 0; 55 submit->nr_cmds = 0; 56 57 INIT_LIST_HEAD(&submit->node); 58 INIT_LIST_HEAD(&submit->bo_list); 59 60 return submit; 61 } 62 63 void msm_gem_submit_free(struct msm_gem_submit *submit) 64 { 65 dma_fence_put(submit->fence); 66 list_del(&submit->node); 67 put_pid(submit->pid); 68 msm_submitqueue_put(submit->queue); 69 70 kfree(submit); 71 } 72 73 static int submit_lookup_objects(struct msm_gem_submit *submit, 74 struct drm_msm_gem_submit *args, struct drm_file *file) 75 { 76 unsigned i; 77 int ret = 0; 78 79 for (i = 0; i < args->nr_bos; i++) { 80 struct drm_msm_gem_submit_bo submit_bo; 81 void __user *userptr = 82 u64_to_user_ptr(args->bos + (i * sizeof(submit_bo))); 83 84 /* make sure we don't have garbage flags, in case we hit 85 * error path before flags is initialized: 86 */ 87 submit->bos[i].flags = 0; 88 89 if (copy_from_user(&submit_bo, userptr, sizeof(submit_bo))) { 90 ret = -EFAULT; 91 i = 0; 92 goto out; 93 } 94 95 /* at least one of READ and/or WRITE flags should be set: */ 96 #define MANDATORY_FLAGS (MSM_SUBMIT_BO_READ | MSM_SUBMIT_BO_WRITE) 97 98 if ((submit_bo.flags & ~MSM_SUBMIT_BO_FLAGS) || 99 !(submit_bo.flags & MANDATORY_FLAGS)) { 100 DRM_ERROR("invalid flags: %x\n", submit_bo.flags); 101 ret = -EINVAL; 102 i = 0; 103 goto out; 104 } 105 106 submit->bos[i].handle = submit_bo.handle; 107 submit->bos[i].flags = submit_bo.flags; 108 /* in validate_objects() we figure out if this is true: */ 109 submit->bos[i].iova = submit_bo.presumed; 110 } 111 112 spin_lock(&file->table_lock); 113 114 for (i = 0; i < args->nr_bos; i++) { 115 struct drm_gem_object *obj; 116 struct msm_gem_object *msm_obj; 117 118 /* normally use drm_gem_object_lookup(), but for bulk lookup 119 * all under single table_lock just hit object_idr directly: 120 */ 121 obj = idr_find(&file->object_idr, submit->bos[i].handle); 122 if (!obj) { 123 DRM_ERROR("invalid handle %u at index %u\n", submit->bos[i].handle, i); 124 ret = -EINVAL; 125 goto out_unlock; 126 } 127 128 msm_obj = to_msm_bo(obj); 129 130 if (!list_empty(&msm_obj->submit_entry)) { 131 DRM_ERROR("handle %u at index %u already on submit list\n", 132 submit->bos[i].handle, i); 133 ret = -EINVAL; 134 goto out_unlock; 135 } 136 137 drm_gem_object_get(obj); 138 139 submit->bos[i].obj = msm_obj; 140 141 list_add_tail(&msm_obj->submit_entry, &submit->bo_list); 142 } 143 144 out_unlock: 145 spin_unlock(&file->table_lock); 146 147 out: 148 submit->nr_bos = i; 149 150 return ret; 151 } 152 153 static void submit_unlock_unpin_bo(struct msm_gem_submit *submit, 154 int i, bool backoff) 155 { 156 struct msm_gem_object *msm_obj = submit->bos[i].obj; 157 158 if (submit->bos[i].flags & BO_PINNED) 159 msm_gem_unpin_iova(&msm_obj->base, submit->aspace); 160 161 if (submit->bos[i].flags & BO_LOCKED) 162 dma_resv_unlock(msm_obj->base.resv); 163 164 if (backoff && !(submit->bos[i].flags & BO_VALID)) 165 submit->bos[i].iova = 0; 166 167 submit->bos[i].flags &= ~(BO_LOCKED | BO_PINNED); 168 } 169 170 /* This is where we make sure all the bo's are reserved and pin'd: */ 171 static int submit_lock_objects(struct msm_gem_submit *submit) 172 { 173 int contended, slow_locked = -1, i, ret = 0; 174 175 retry: 176 for (i = 0; i < submit->nr_bos; i++) { 177 struct msm_gem_object *msm_obj = submit->bos[i].obj; 178 179 if (slow_locked == i) 180 slow_locked = -1; 181 182 contended = i; 183 184 if (!(submit->bos[i].flags & BO_LOCKED)) { 185 ret = dma_resv_lock_interruptible(msm_obj->base.resv, 186 &submit->ticket); 187 if (ret) 188 goto fail; 189 submit->bos[i].flags |= BO_LOCKED; 190 } 191 } 192 193 ww_acquire_done(&submit->ticket); 194 195 return 0; 196 197 fail: 198 for (; i >= 0; i--) 199 submit_unlock_unpin_bo(submit, i, true); 200 201 if (slow_locked > 0) 202 submit_unlock_unpin_bo(submit, slow_locked, true); 203 204 if (ret == -EDEADLK) { 205 struct msm_gem_object *msm_obj = submit->bos[contended].obj; 206 /* we lost out in a seqno race, lock and retry.. */ 207 ret = dma_resv_lock_slow_interruptible(msm_obj->base.resv, 208 &submit->ticket); 209 if (!ret) { 210 submit->bos[contended].flags |= BO_LOCKED; 211 slow_locked = contended; 212 goto retry; 213 } 214 } 215 216 return ret; 217 } 218 219 static int submit_fence_sync(struct msm_gem_submit *submit, bool no_implicit) 220 { 221 int i, ret = 0; 222 223 for (i = 0; i < submit->nr_bos; i++) { 224 struct msm_gem_object *msm_obj = submit->bos[i].obj; 225 bool write = submit->bos[i].flags & MSM_SUBMIT_BO_WRITE; 226 227 if (!write) { 228 /* NOTE: _reserve_shared() must happen before 229 * _add_shared_fence(), which makes this a slightly 230 * strange place to call it. OTOH this is a 231 * convenient can-fail point to hook it in. 232 */ 233 ret = dma_resv_reserve_shared(msm_obj->base.resv, 234 1); 235 if (ret) 236 return ret; 237 } 238 239 if (no_implicit) 240 continue; 241 242 ret = msm_gem_sync_object(&msm_obj->base, submit->ring->fctx, 243 write); 244 if (ret) 245 break; 246 } 247 248 return ret; 249 } 250 251 static int submit_pin_objects(struct msm_gem_submit *submit) 252 { 253 int i, ret = 0; 254 255 submit->valid = true; 256 257 for (i = 0; i < submit->nr_bos; i++) { 258 struct msm_gem_object *msm_obj = submit->bos[i].obj; 259 uint64_t iova; 260 261 /* if locking succeeded, pin bo: */ 262 ret = msm_gem_get_and_pin_iova(&msm_obj->base, 263 submit->aspace, &iova); 264 265 if (ret) 266 break; 267 268 submit->bos[i].flags |= BO_PINNED; 269 270 if (iova == submit->bos[i].iova) { 271 submit->bos[i].flags |= BO_VALID; 272 } else { 273 submit->bos[i].iova = iova; 274 /* iova changed, so address in cmdstream is not valid: */ 275 submit->bos[i].flags &= ~BO_VALID; 276 submit->valid = false; 277 } 278 } 279 280 return ret; 281 } 282 283 static int submit_bo(struct msm_gem_submit *submit, uint32_t idx, 284 struct msm_gem_object **obj, uint64_t *iova, bool *valid) 285 { 286 if (idx >= submit->nr_bos) { 287 DRM_ERROR("invalid buffer index: %u (out of %u)\n", 288 idx, submit->nr_bos); 289 return -EINVAL; 290 } 291 292 if (obj) 293 *obj = submit->bos[idx].obj; 294 if (iova) 295 *iova = submit->bos[idx].iova; 296 if (valid) 297 *valid = !!(submit->bos[idx].flags & BO_VALID); 298 299 return 0; 300 } 301 302 /* process the reloc's and patch up the cmdstream as needed: */ 303 static int submit_reloc(struct msm_gem_submit *submit, struct msm_gem_object *obj, 304 uint32_t offset, uint32_t nr_relocs, uint64_t relocs) 305 { 306 uint32_t i, last_offset = 0; 307 uint32_t *ptr; 308 int ret = 0; 309 310 if (!nr_relocs) 311 return 0; 312 313 if (offset % 4) { 314 DRM_ERROR("non-aligned cmdstream buffer: %u\n", offset); 315 return -EINVAL; 316 } 317 318 /* For now, just map the entire thing. Eventually we probably 319 * to do it page-by-page, w/ kmap() if not vmap()d.. 320 */ 321 ptr = msm_gem_get_vaddr(&obj->base); 322 323 if (IS_ERR(ptr)) { 324 ret = PTR_ERR(ptr); 325 DBG("failed to map: %d", ret); 326 return ret; 327 } 328 329 for (i = 0; i < nr_relocs; i++) { 330 struct drm_msm_gem_submit_reloc submit_reloc; 331 void __user *userptr = 332 u64_to_user_ptr(relocs + (i * sizeof(submit_reloc))); 333 uint32_t off; 334 uint64_t iova; 335 bool valid; 336 337 if (copy_from_user(&submit_reloc, userptr, sizeof(submit_reloc))) { 338 ret = -EFAULT; 339 goto out; 340 } 341 342 if (submit_reloc.submit_offset % 4) { 343 DRM_ERROR("non-aligned reloc offset: %u\n", 344 submit_reloc.submit_offset); 345 ret = -EINVAL; 346 goto out; 347 } 348 349 /* offset in dwords: */ 350 off = submit_reloc.submit_offset / 4; 351 352 if ((off >= (obj->base.size / 4)) || 353 (off < last_offset)) { 354 DRM_ERROR("invalid offset %u at reloc %u\n", off, i); 355 ret = -EINVAL; 356 goto out; 357 } 358 359 ret = submit_bo(submit, submit_reloc.reloc_idx, NULL, &iova, &valid); 360 if (ret) 361 goto out; 362 363 if (valid) 364 continue; 365 366 iova += submit_reloc.reloc_offset; 367 368 if (submit_reloc.shift < 0) 369 iova >>= -submit_reloc.shift; 370 else 371 iova <<= submit_reloc.shift; 372 373 ptr[off] = iova | submit_reloc.or; 374 375 last_offset = off; 376 } 377 378 out: 379 msm_gem_put_vaddr(&obj->base); 380 381 return ret; 382 } 383 384 static void submit_cleanup(struct msm_gem_submit *submit) 385 { 386 unsigned i; 387 388 for (i = 0; i < submit->nr_bos; i++) { 389 struct msm_gem_object *msm_obj = submit->bos[i].obj; 390 submit_unlock_unpin_bo(submit, i, false); 391 list_del_init(&msm_obj->submit_entry); 392 drm_gem_object_put(&msm_obj->base); 393 } 394 } 395 396 397 struct msm_submit_post_dep { 398 struct drm_syncobj *syncobj; 399 uint64_t point; 400 struct dma_fence_chain *chain; 401 }; 402 403 static struct drm_syncobj **msm_wait_deps(struct drm_device *dev, 404 struct drm_file *file, 405 uint64_t in_syncobjs_addr, 406 uint32_t nr_in_syncobjs, 407 size_t syncobj_stride, 408 struct msm_ringbuffer *ring) 409 { 410 struct drm_syncobj **syncobjs = NULL; 411 struct drm_msm_gem_submit_syncobj syncobj_desc = {0}; 412 int ret = 0; 413 uint32_t i, j; 414 415 syncobjs = kcalloc(nr_in_syncobjs, sizeof(*syncobjs), 416 GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); 417 if (!syncobjs) 418 return ERR_PTR(-ENOMEM); 419 420 for (i = 0; i < nr_in_syncobjs; ++i) { 421 uint64_t address = in_syncobjs_addr + i * syncobj_stride; 422 struct dma_fence *fence; 423 424 if (copy_from_user(&syncobj_desc, 425 u64_to_user_ptr(address), 426 min(syncobj_stride, sizeof(syncobj_desc)))) { 427 ret = -EFAULT; 428 break; 429 } 430 431 if (syncobj_desc.point && 432 !drm_core_check_feature(dev, DRIVER_SYNCOBJ_TIMELINE)) { 433 ret = -EOPNOTSUPP; 434 break; 435 } 436 437 if (syncobj_desc.flags & ~MSM_SUBMIT_SYNCOBJ_FLAGS) { 438 ret = -EINVAL; 439 break; 440 } 441 442 ret = drm_syncobj_find_fence(file, syncobj_desc.handle, 443 syncobj_desc.point, 0, &fence); 444 if (ret) 445 break; 446 447 if (!dma_fence_match_context(fence, ring->fctx->context)) 448 ret = dma_fence_wait(fence, true); 449 450 dma_fence_put(fence); 451 if (ret) 452 break; 453 454 if (syncobj_desc.flags & MSM_SUBMIT_SYNCOBJ_RESET) { 455 syncobjs[i] = 456 drm_syncobj_find(file, syncobj_desc.handle); 457 if (!syncobjs[i]) { 458 ret = -EINVAL; 459 break; 460 } 461 } 462 } 463 464 if (ret) { 465 for (j = 0; j <= i; ++j) { 466 if (syncobjs[j]) 467 drm_syncobj_put(syncobjs[j]); 468 } 469 kfree(syncobjs); 470 return ERR_PTR(ret); 471 } 472 return syncobjs; 473 } 474 475 static void msm_reset_syncobjs(struct drm_syncobj **syncobjs, 476 uint32_t nr_syncobjs) 477 { 478 uint32_t i; 479 480 for (i = 0; syncobjs && i < nr_syncobjs; ++i) { 481 if (syncobjs[i]) 482 drm_syncobj_replace_fence(syncobjs[i], NULL); 483 } 484 } 485 486 static struct msm_submit_post_dep *msm_parse_post_deps(struct drm_device *dev, 487 struct drm_file *file, 488 uint64_t syncobjs_addr, 489 uint32_t nr_syncobjs, 490 size_t syncobj_stride) 491 { 492 struct msm_submit_post_dep *post_deps; 493 struct drm_msm_gem_submit_syncobj syncobj_desc = {0}; 494 int ret = 0; 495 uint32_t i, j; 496 497 post_deps = kmalloc_array(nr_syncobjs, sizeof(*post_deps), 498 GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY); 499 if (!post_deps) 500 return ERR_PTR(-ENOMEM); 501 502 for (i = 0; i < nr_syncobjs; ++i) { 503 uint64_t address = syncobjs_addr + i * syncobj_stride; 504 505 if (copy_from_user(&syncobj_desc, 506 u64_to_user_ptr(address), 507 min(syncobj_stride, sizeof(syncobj_desc)))) { 508 ret = -EFAULT; 509 break; 510 } 511 512 post_deps[i].point = syncobj_desc.point; 513 post_deps[i].chain = NULL; 514 515 if (syncobj_desc.flags) { 516 ret = -EINVAL; 517 break; 518 } 519 520 if (syncobj_desc.point) { 521 if (!drm_core_check_feature(dev, 522 DRIVER_SYNCOBJ_TIMELINE)) { 523 ret = -EOPNOTSUPP; 524 break; 525 } 526 527 post_deps[i].chain = 528 kmalloc(sizeof(*post_deps[i].chain), 529 GFP_KERNEL); 530 if (!post_deps[i].chain) { 531 ret = -ENOMEM; 532 break; 533 } 534 } 535 536 post_deps[i].syncobj = 537 drm_syncobj_find(file, syncobj_desc.handle); 538 if (!post_deps[i].syncobj) { 539 ret = -EINVAL; 540 break; 541 } 542 } 543 544 if (ret) { 545 for (j = 0; j <= i; ++j) { 546 kfree(post_deps[j].chain); 547 if (post_deps[j].syncobj) 548 drm_syncobj_put(post_deps[j].syncobj); 549 } 550 551 kfree(post_deps); 552 return ERR_PTR(ret); 553 } 554 555 return post_deps; 556 } 557 558 static void msm_process_post_deps(struct msm_submit_post_dep *post_deps, 559 uint32_t count, struct dma_fence *fence) 560 { 561 uint32_t i; 562 563 for (i = 0; post_deps && i < count; ++i) { 564 if (post_deps[i].chain) { 565 drm_syncobj_add_point(post_deps[i].syncobj, 566 post_deps[i].chain, 567 fence, post_deps[i].point); 568 post_deps[i].chain = NULL; 569 } else { 570 drm_syncobj_replace_fence(post_deps[i].syncobj, 571 fence); 572 } 573 } 574 } 575 576 int msm_ioctl_gem_submit(struct drm_device *dev, void *data, 577 struct drm_file *file) 578 { 579 static atomic_t ident = ATOMIC_INIT(0); 580 struct msm_drm_private *priv = dev->dev_private; 581 struct drm_msm_gem_submit *args = data; 582 struct msm_file_private *ctx = file->driver_priv; 583 struct msm_gem_submit *submit; 584 struct msm_gpu *gpu = priv->gpu; 585 struct sync_file *sync_file = NULL; 586 struct msm_gpu_submitqueue *queue; 587 struct msm_ringbuffer *ring; 588 struct msm_submit_post_dep *post_deps = NULL; 589 struct drm_syncobj **syncobjs_to_reset = NULL; 590 int out_fence_fd = -1; 591 struct pid *pid = get_pid(task_pid(current)); 592 bool has_ww_ticket = false; 593 unsigned i; 594 int ret, submitid; 595 if (!gpu) 596 return -ENXIO; 597 598 if (args->pad) 599 return -EINVAL; 600 601 /* for now, we just have 3d pipe.. eventually this would need to 602 * be more clever to dispatch to appropriate gpu module: 603 */ 604 if (MSM_PIPE_ID(args->flags) != MSM_PIPE_3D0) 605 return -EINVAL; 606 607 if (MSM_PIPE_FLAGS(args->flags) & ~MSM_SUBMIT_FLAGS) 608 return -EINVAL; 609 610 if (args->flags & MSM_SUBMIT_SUDO) { 611 if (!IS_ENABLED(CONFIG_DRM_MSM_GPU_SUDO) || 612 !capable(CAP_SYS_RAWIO)) 613 return -EINVAL; 614 } 615 616 queue = msm_submitqueue_get(ctx, args->queueid); 617 if (!queue) 618 return -ENOENT; 619 620 /* Get a unique identifier for the submission for logging purposes */ 621 submitid = atomic_inc_return(&ident) - 1; 622 623 ring = gpu->rb[queue->prio]; 624 trace_msm_gpu_submit(pid_nr(pid), ring->id, submitid, 625 args->nr_bos, args->nr_cmds); 626 627 if (args->flags & MSM_SUBMIT_FENCE_FD_IN) { 628 struct dma_fence *in_fence; 629 630 in_fence = sync_file_get_fence(args->fence_fd); 631 632 if (!in_fence) 633 return -EINVAL; 634 635 /* 636 * Wait if the fence is from a foreign context, or if the fence 637 * array contains any fence from a foreign context. 638 */ 639 ret = 0; 640 if (!dma_fence_match_context(in_fence, ring->fctx->context)) 641 ret = dma_fence_wait(in_fence, true); 642 643 dma_fence_put(in_fence); 644 if (ret) 645 return ret; 646 } 647 648 if (args->flags & MSM_SUBMIT_SYNCOBJ_IN) { 649 syncobjs_to_reset = msm_wait_deps(dev, file, 650 args->in_syncobjs, 651 args->nr_in_syncobjs, 652 args->syncobj_stride, ring); 653 if (IS_ERR(syncobjs_to_reset)) 654 return PTR_ERR(syncobjs_to_reset); 655 } 656 657 if (args->flags & MSM_SUBMIT_SYNCOBJ_OUT) { 658 post_deps = msm_parse_post_deps(dev, file, 659 args->out_syncobjs, 660 args->nr_out_syncobjs, 661 args->syncobj_stride); 662 if (IS_ERR(post_deps)) { 663 ret = PTR_ERR(post_deps); 664 goto out_post_unlock; 665 } 666 } 667 668 ret = mutex_lock_interruptible(&dev->struct_mutex); 669 if (ret) 670 goto out_post_unlock; 671 672 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 673 out_fence_fd = get_unused_fd_flags(O_CLOEXEC); 674 if (out_fence_fd < 0) { 675 ret = out_fence_fd; 676 goto out_unlock; 677 } 678 } 679 680 submit = submit_create(dev, gpu, ctx->aspace, queue, args->nr_bos, 681 args->nr_cmds); 682 if (!submit) { 683 ret = -ENOMEM; 684 goto out_unlock; 685 } 686 687 submit->pid = pid; 688 submit->ident = submitid; 689 690 if (args->flags & MSM_SUBMIT_SUDO) 691 submit->in_rb = true; 692 693 ret = submit_lookup_objects(submit, args, file); 694 if (ret) 695 goto out; 696 697 /* copy_*_user while holding a ww ticket upsets lockdep */ 698 ww_acquire_init(&submit->ticket, &reservation_ww_class); 699 has_ww_ticket = true; 700 ret = submit_lock_objects(submit); 701 if (ret) 702 goto out; 703 704 ret = submit_fence_sync(submit, !!(args->flags & MSM_SUBMIT_NO_IMPLICIT)); 705 if (ret) 706 goto out; 707 708 ret = submit_pin_objects(submit); 709 if (ret) 710 goto out; 711 712 for (i = 0; i < args->nr_cmds; i++) { 713 struct drm_msm_gem_submit_cmd submit_cmd; 714 void __user *userptr = 715 u64_to_user_ptr(args->cmds + (i * sizeof(submit_cmd))); 716 struct msm_gem_object *msm_obj; 717 uint64_t iova; 718 719 ret = copy_from_user(&submit_cmd, userptr, sizeof(submit_cmd)); 720 if (ret) { 721 ret = -EFAULT; 722 goto out; 723 } 724 725 /* validate input from userspace: */ 726 switch (submit_cmd.type) { 727 case MSM_SUBMIT_CMD_BUF: 728 case MSM_SUBMIT_CMD_IB_TARGET_BUF: 729 case MSM_SUBMIT_CMD_CTX_RESTORE_BUF: 730 break; 731 default: 732 DRM_ERROR("invalid type: %08x\n", submit_cmd.type); 733 ret = -EINVAL; 734 goto out; 735 } 736 737 ret = submit_bo(submit, submit_cmd.submit_idx, 738 &msm_obj, &iova, NULL); 739 if (ret) 740 goto out; 741 742 if (submit_cmd.size % 4) { 743 DRM_ERROR("non-aligned cmdstream buffer size: %u\n", 744 submit_cmd.size); 745 ret = -EINVAL; 746 goto out; 747 } 748 749 if (!submit_cmd.size || 750 ((submit_cmd.size + submit_cmd.submit_offset) > 751 msm_obj->base.size)) { 752 DRM_ERROR("invalid cmdstream size: %u\n", submit_cmd.size); 753 ret = -EINVAL; 754 goto out; 755 } 756 757 submit->cmd[i].type = submit_cmd.type; 758 submit->cmd[i].size = submit_cmd.size / 4; 759 submit->cmd[i].iova = iova + submit_cmd.submit_offset; 760 submit->cmd[i].idx = submit_cmd.submit_idx; 761 762 if (submit->valid) 763 continue; 764 765 ret = submit_reloc(submit, msm_obj, submit_cmd.submit_offset, 766 submit_cmd.nr_relocs, submit_cmd.relocs); 767 if (ret) 768 goto out; 769 } 770 771 submit->nr_cmds = i; 772 773 submit->fence = msm_fence_alloc(ring->fctx); 774 if (IS_ERR(submit->fence)) { 775 ret = PTR_ERR(submit->fence); 776 submit->fence = NULL; 777 goto out; 778 } 779 780 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 781 sync_file = sync_file_create(submit->fence); 782 if (!sync_file) { 783 ret = -ENOMEM; 784 goto out; 785 } 786 } 787 788 msm_gpu_submit(gpu, submit, ctx); 789 790 args->fence = submit->fence->seqno; 791 792 if (args->flags & MSM_SUBMIT_FENCE_FD_OUT) { 793 fd_install(out_fence_fd, sync_file->file); 794 args->fence_fd = out_fence_fd; 795 } 796 797 msm_reset_syncobjs(syncobjs_to_reset, args->nr_in_syncobjs); 798 msm_process_post_deps(post_deps, args->nr_out_syncobjs, 799 submit->fence); 800 801 802 out: 803 submit_cleanup(submit); 804 if (has_ww_ticket) 805 ww_acquire_fini(&submit->ticket); 806 if (ret) 807 msm_gem_submit_free(submit); 808 out_unlock: 809 if (ret && (out_fence_fd >= 0)) 810 put_unused_fd(out_fence_fd); 811 mutex_unlock(&dev->struct_mutex); 812 813 out_post_unlock: 814 if (!IS_ERR_OR_NULL(post_deps)) { 815 for (i = 0; i < args->nr_out_syncobjs; ++i) { 816 kfree(post_deps[i].chain); 817 drm_syncobj_put(post_deps[i].syncobj); 818 } 819 kfree(post_deps); 820 } 821 822 if (!IS_ERR_OR_NULL(syncobjs_to_reset)) { 823 for (i = 0; i < args->nr_in_syncobjs; ++i) { 824 if (syncobjs_to_reset[i]) 825 drm_syncobj_put(syncobjs_to_reset[i]); 826 } 827 kfree(syncobjs_to_reset); 828 } 829 830 return ret; 831 } 832